cobaltstrike | 0dd9b62ece79eb25fd02d73d49b8e657fa37ca7fa834bf41d9b15eb284eef06a

Analysis

max time kernel
144s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-12-2024 19:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

bfb5e6e2de5e6b0c4dea88ac5de97e43
SHA1

6a5b1590ddb323018e89cec1e29b4c88a5f8ce29
SHA256

0dd9b62ece79eb25fd02d73d49b8e657fa37ca7fa834bf41d9b15eb284eef06a
SHA512

c304ccbad984fc658b3577c1585596da8664402db4c6836595867bc8681a6ec33b106be769fdd4e5ee90d27c812cb5e567d7fa1f7f98299f5ef125284bb9d257
SSDEEP

49152:ROdWCCi7/raN56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6le:RWWBib+56utgpPFotBER/mQ32lUq

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000c0000000122e0-3.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016a47-11.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016c3d-10.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016cd3-38.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d0b-46.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000173e4-61.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016cfe-67.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000173aa-70.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000018678-119.dat	cobalt_reflective_dll
behavioral1/files/0x001500000001866d-114.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018690-122.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000174ac-104.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001752f-109.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001747b-94.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001748f-99.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017403-84.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017409-89.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000173fb-75.dat	cobalt_reflective_dll
behavioral1/files/0x000900000001650a-79.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016ca2-33.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016c58-27.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 39 IoCs

miner

resource	yara_rule
behavioral1/memory/2468-15-0x000000013F850000-0x000000013FBA1000-memory.dmp	xmrig
behavioral1/memory/2340-40-0x000000013F8F0000-0x000000013FC41000-memory.dmp	xmrig
behavioral1/memory/2504-36-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	xmrig
behavioral1/memory/2504-127-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	xmrig
behavioral1/memory/2644-132-0x000000013FD60000-0x00000001400B1000-memory.dmp	xmrig
behavioral1/memory/2764-133-0x000000013F770000-0x000000013FAC1000-memory.dmp	xmrig
behavioral1/memory/2816-137-0x000000013F750000-0x000000013FAA1000-memory.dmp	xmrig
behavioral1/memory/2812-136-0x000000013F320000-0x000000013F671000-memory.dmp	xmrig
behavioral1/memory/2548-135-0x000000013F240000-0x000000013F591000-memory.dmp	xmrig
behavioral1/memory/2180-131-0x000000013FEB0000-0x0000000140201000-memory.dmp	xmrig
behavioral1/memory/2840-130-0x000000013F6B0000-0x000000013FA01000-memory.dmp	xmrig
behavioral1/memory/2592-139-0x000000013F1D0000-0x000000013F521000-memory.dmp	xmrig
behavioral1/memory/1424-142-0x000000013FB80000-0x000000013FED1000-memory.dmp	xmrig
behavioral1/memory/1904-144-0x000000013FC80000-0x000000013FFD1000-memory.dmp	xmrig
behavioral1/memory/1996-148-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/2348-147-0x000000013FAF0000-0x000000013FE41000-memory.dmp	xmrig
behavioral1/memory/1464-146-0x000000013FAF0000-0x000000013FE41000-memory.dmp	xmrig
behavioral1/memory/2864-149-0x000000013F3E0000-0x000000013F731000-memory.dmp	xmrig
behavioral1/memory/1800-145-0x000000013FB30000-0x000000013FE81000-memory.dmp	xmrig
behavioral1/memory/2192-141-0x000000013FB70000-0x000000013FEC1000-memory.dmp	xmrig
behavioral1/memory/3040-140-0x000000013F0F0000-0x000000013F441000-memory.dmp	xmrig
behavioral1/memory/2028-143-0x000000013F520000-0x000000013F871000-memory.dmp	xmrig
behavioral1/memory/2204-138-0x000000013F410000-0x000000013F761000-memory.dmp	xmrig
behavioral1/memory/2504-153-0x000000013F240000-0x000000013F591000-memory.dmp	xmrig
behavioral1/memory/2504-154-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	xmrig
behavioral1/memory/2468-214-0x000000013F850000-0x000000013FBA1000-memory.dmp	xmrig
behavioral1/memory/2340-213-0x000000013F8F0000-0x000000013FC41000-memory.dmp	xmrig
behavioral1/memory/2180-216-0x000000013FEB0000-0x0000000140201000-memory.dmp	xmrig
behavioral1/memory/2764-218-0x000000013F770000-0x000000013FAC1000-memory.dmp	xmrig
behavioral1/memory/2840-220-0x000000013F6B0000-0x000000013FA01000-memory.dmp	xmrig
behavioral1/memory/2812-222-0x000000013F320000-0x000000013F671000-memory.dmp	xmrig
behavioral1/memory/2204-224-0x000000013F410000-0x000000013F761000-memory.dmp	xmrig
behavioral1/memory/2816-239-0x000000013F750000-0x000000013FAA1000-memory.dmp	xmrig
behavioral1/memory/2592-241-0x000000013F1D0000-0x000000013F521000-memory.dmp	xmrig
behavioral1/memory/2548-237-0x000000013F240000-0x000000013F591000-memory.dmp	xmrig
behavioral1/memory/3040-243-0x000000013F0F0000-0x000000013F441000-memory.dmp	xmrig
behavioral1/memory/2192-245-0x000000013FB70000-0x000000013FEC1000-memory.dmp	xmrig
behavioral1/memory/1424-247-0x000000013FB80000-0x000000013FED1000-memory.dmp	xmrig
behavioral1/memory/2644-258-0x000000013FD60000-0x00000001400B1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2340	ELYxeUn.exe
2468	uwsNswG.exe
2840	XepjTje.exe
2180	sSnYtGg.exe
2644	MJnOHOn.exe
2764	OVOsinj.exe
2812	GAaJUBx.exe
2204	ZipcMZM.exe
2548	BtYcuSA.exe
2816	sGQudmM.exe
2592	jgeaMIn.exe
3040	yJVgPQp.exe
2192	wVTQGQg.exe
1424	dVUpgOA.exe
2028	XWiaMet.exe
1904	zfWtOGh.exe
1800	jDePlQu.exe
1464	SMovKoE.exe
2348	lRaZEFw.exe
1996	mLSNhpc.exe
2864	dXNiYXv.exe

Loads dropped DLL 21 IoCs

pid	Process
2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2504-0-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	upx
behavioral1/files/0x000c0000000122e0-3.dat	upx
behavioral1/files/0x0007000000016a47-11.dat	upx
behavioral1/memory/2468-15-0x000000013F850000-0x000000013FBA1000-memory.dmp	upx
behavioral1/memory/2340-13-0x000000013F8F0000-0x000000013FC41000-memory.dmp	upx
behavioral1/memory/2504-6-0x0000000002430000-0x0000000002781000-memory.dmp	upx
behavioral1/files/0x0008000000016c3d-10.dat	upx
behavioral1/memory/2840-22-0x000000013F6B0000-0x000000013FA01000-memory.dmp	upx
behavioral1/memory/2180-28-0x000000013FEB0000-0x0000000140201000-memory.dmp	upx
behavioral1/files/0x0007000000016cd3-38.dat	upx
behavioral1/memory/2764-50-0x000000013F770000-0x000000013FAC1000-memory.dmp	upx
behavioral1/files/0x0008000000016d0b-46.dat	upx
behavioral1/files/0x00060000000173e4-61.dat	upx
behavioral1/files/0x0008000000016cfe-67.dat	upx
behavioral1/files/0x00060000000173aa-70.dat	upx
behavioral1/files/0x0009000000018678-119.dat	upx
behavioral1/files/0x001500000001866d-114.dat	upx
behavioral1/files/0x0005000000018690-122.dat	upx
behavioral1/files/0x00060000000174ac-104.dat	upx
behavioral1/files/0x000600000001752f-109.dat	upx
behavioral1/files/0x000600000001747b-94.dat	upx
behavioral1/files/0x000600000001748f-99.dat	upx
behavioral1/files/0x0006000000017403-84.dat	upx
behavioral1/files/0x0006000000017409-89.dat	upx
behavioral1/files/0x00060000000173fb-75.dat	upx
behavioral1/files/0x000900000001650a-79.dat	upx
behavioral1/memory/2812-55-0x000000013F320000-0x000000013F671000-memory.dmp	upx
behavioral1/memory/2204-64-0x000000013F410000-0x000000013F761000-memory.dmp	upx
behavioral1/memory/2644-34-0x000000013FD60000-0x00000001400B1000-memory.dmp	upx
behavioral1/files/0x0007000000016ca2-33.dat	upx
behavioral1/memory/2340-40-0x000000013F8F0000-0x000000013FC41000-memory.dmp	upx
behavioral1/memory/2504-36-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	upx
behavioral1/files/0x0007000000016c58-27.dat	upx
behavioral1/memory/2504-127-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	upx
behavioral1/memory/2644-132-0x000000013FD60000-0x00000001400B1000-memory.dmp	upx
behavioral1/memory/2764-133-0x000000013F770000-0x000000013FAC1000-memory.dmp	upx
behavioral1/memory/2816-137-0x000000013F750000-0x000000013FAA1000-memory.dmp	upx
behavioral1/memory/2812-136-0x000000013F320000-0x000000013F671000-memory.dmp	upx
behavioral1/memory/2548-135-0x000000013F240000-0x000000013F591000-memory.dmp	upx
behavioral1/memory/2180-131-0x000000013FEB0000-0x0000000140201000-memory.dmp	upx
behavioral1/memory/2840-130-0x000000013F6B0000-0x000000013FA01000-memory.dmp	upx
behavioral1/memory/2592-139-0x000000013F1D0000-0x000000013F521000-memory.dmp	upx
behavioral1/memory/1424-142-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx
behavioral1/memory/1904-144-0x000000013FC80000-0x000000013FFD1000-memory.dmp	upx
behavioral1/memory/1996-148-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/memory/2348-147-0x000000013FAF0000-0x000000013FE41000-memory.dmp	upx
behavioral1/memory/1464-146-0x000000013FAF0000-0x000000013FE41000-memory.dmp	upx
behavioral1/memory/2864-149-0x000000013F3E0000-0x000000013F731000-memory.dmp	upx
behavioral1/memory/1800-145-0x000000013FB30000-0x000000013FE81000-memory.dmp	upx
behavioral1/memory/2192-141-0x000000013FB70000-0x000000013FEC1000-memory.dmp	upx
behavioral1/memory/3040-140-0x000000013F0F0000-0x000000013F441000-memory.dmp	upx
behavioral1/memory/2028-143-0x000000013F520000-0x000000013F871000-memory.dmp	upx
behavioral1/memory/2204-138-0x000000013F410000-0x000000013F761000-memory.dmp	upx
behavioral1/memory/2504-154-0x000000013FAA0000-0x000000013FDF1000-memory.dmp	upx
behavioral1/memory/2468-214-0x000000013F850000-0x000000013FBA1000-memory.dmp	upx
behavioral1/memory/2340-213-0x000000013F8F0000-0x000000013FC41000-memory.dmp	upx
behavioral1/memory/2180-216-0x000000013FEB0000-0x0000000140201000-memory.dmp	upx
behavioral1/memory/2764-218-0x000000013F770000-0x000000013FAC1000-memory.dmp	upx
behavioral1/memory/2840-220-0x000000013F6B0000-0x000000013FA01000-memory.dmp	upx
behavioral1/memory/2812-222-0x000000013F320000-0x000000013F671000-memory.dmp	upx
behavioral1/memory/2204-224-0x000000013F410000-0x000000013F761000-memory.dmp	upx
behavioral1/memory/2816-239-0x000000013F750000-0x000000013FAA1000-memory.dmp	upx
behavioral1/memory/2592-241-0x000000013F1D0000-0x000000013F521000-memory.dmp	upx
behavioral1/memory/2548-237-0x000000013F240000-0x000000013F591000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\dVUpgOA.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zfWtOGh.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XepjTje.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MJnOHOn.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZipcMZM.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yJVgPQp.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wVTQGQg.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lRaZEFw.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dXNiYXv.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sSnYtGg.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BtYcuSA.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jgeaMIn.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XWiaMet.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jDePlQu.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SMovKoE.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mLSNhpc.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ELYxeUn.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GAaJUBx.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sGQudmM.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uwsNswG.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OVOsinj.exe	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2340	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2504 wrote to memory of 2340	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2504 wrote to memory of 2340	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2504 wrote to memory of 2468	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2504 wrote to memory of 2468	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2504 wrote to memory of 2468	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2504 wrote to memory of 2840	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2504 wrote to memory of 2840	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2504 wrote to memory of 2840	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2504 wrote to memory of 2180	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2504 wrote to memory of 2180	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2504 wrote to memory of 2180	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2504 wrote to memory of 2644	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2504 wrote to memory of 2644	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2504 wrote to memory of 2644	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2504 wrote to memory of 2764	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2504 wrote to memory of 2764	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2504 wrote to memory of 2764	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2504 wrote to memory of 2548	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2504 wrote to memory of 2548	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2504 wrote to memory of 2548	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2504 wrote to memory of 2812	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2504 wrote to memory of 2812	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2504 wrote to memory of 2812	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2504 wrote to memory of 2816	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2504 wrote to memory of 2816	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2504 wrote to memory of 2816	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2504 wrote to memory of 2204	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2504 wrote to memory of 2204	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2504 wrote to memory of 2204	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2504 wrote to memory of 2592	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2504 wrote to memory of 2592	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2504 wrote to memory of 2592	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2504 wrote to memory of 3040	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2504 wrote to memory of 3040	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2504 wrote to memory of 3040	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2504 wrote to memory of 2192	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2504 wrote to memory of 2192	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2504 wrote to memory of 2192	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2504 wrote to memory of 1424	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2504 wrote to memory of 1424	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2504 wrote to memory of 1424	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2504 wrote to memory of 2028	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2504 wrote to memory of 2028	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2504 wrote to memory of 2028	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2504 wrote to memory of 1904	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2504 wrote to memory of 1904	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2504 wrote to memory of 1904	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2504 wrote to memory of 1800	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2504 wrote to memory of 1800	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2504 wrote to memory of 1800	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2504 wrote to memory of 1464	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2504 wrote to memory of 1464	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2504 wrote to memory of 1464	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2504 wrote to memory of 2348	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2504 wrote to memory of 2348	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2504 wrote to memory of 2348	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2504 wrote to memory of 1996	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2504 wrote to memory of 1996	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2504 wrote to memory of 1996	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2504 wrote to memory of 2864	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2504 wrote to memory of 2864	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2504 wrote to memory of 2864	2504	2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe	52

C:\Users\Admin\AppData\Local\Temp\2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-25_bfb5e6e2de5e6b0c4dea88ac5de97e43_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\System\ELYxeUn.exe
  C:\Windows\System\ELYxeUn.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System\uwsNswG.exe
  C:\Windows\System\uwsNswG.exe
  2⤵
  - Executes dropped EXE
  PID:2468
- C:\Windows\System\XepjTje.exe
  C:\Windows\System\XepjTje.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System\sSnYtGg.exe
  C:\Windows\System\sSnYtGg.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System\MJnOHOn.exe
  C:\Windows\System\MJnOHOn.exe
  2⤵
  - Executes dropped EXE
  PID:2644
- C:\Windows\System\OVOsinj.exe
  C:\Windows\System\OVOsinj.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System\BtYcuSA.exe
  C:\Windows\System\BtYcuSA.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System\GAaJUBx.exe
  C:\Windows\System\GAaJUBx.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\sGQudmM.exe
  C:\Windows\System\sGQudmM.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System\ZipcMZM.exe
  C:\Windows\System\ZipcMZM.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System\jgeaMIn.exe
  C:\Windows\System\jgeaMIn.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System\yJVgPQp.exe
  C:\Windows\System\yJVgPQp.exe
  2⤵
  - Executes dropped EXE
  PID:3040
- C:\Windows\System\wVTQGQg.exe
  C:\Windows\System\wVTQGQg.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System\dVUpgOA.exe
  C:\Windows\System\dVUpgOA.exe
  2⤵
  - Executes dropped EXE
  PID:1424
- C:\Windows\System\XWiaMet.exe
  C:\Windows\System\XWiaMet.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System\zfWtOGh.exe
  C:\Windows\System\zfWtOGh.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System\jDePlQu.exe
  C:\Windows\System\jDePlQu.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System\SMovKoE.exe
  C:\Windows\System\SMovKoE.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System\lRaZEFw.exe
  C:\Windows\System\lRaZEFw.exe
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\System\mLSNhpc.exe
  C:\Windows\System\mLSNhpc.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\System\dXNiYXv.exe
  C:\Windows\System\dXNiYXv.exe
  2⤵
  - Executes dropped EXE
  PID:2864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BtYcuSA.exe

Filesize
5.2MB

MD5
070a68db70570a366b7b3c3c8913ed1b

SHA1
a792fafb1d9e92876fd6c396dc7c62c523adb857

SHA256
88f3ba735c8a217642d1986b2eb83f822ba309832416e8ba3effd1fd533de5e7

SHA512
97b1eecd5c36d904fbe558240bc19ea0aacc42345fb242a061d731d51970768981ef823cd5d020b4ecd7e0498967fdd545624f346dd1d2024efc36e43d550c1b

Download Submit
C:\Windows\system\MJnOHOn.exe

Filesize
5.2MB

MD5
33c156ba76004d96c41654766e24e862

SHA1
8bf8fd70aef0cf3ed1cbba5ac9b611c07677023c

SHA256
2e4d786b5c4d7d59c28a3a75ec4dd44853aca7194f5b2c19980ed7faf7d9924e

SHA512
d1b27b3f3c159415122b36d80d55f57a796aa5902c879cf139f82a5eb4799ed0e297a6f9df2074440ec390a6ff781fad1c8faed8d24165b3390c60c93d9fe190

Download Submit
C:\Windows\system\OVOsinj.exe

Filesize
5.2MB

MD5
5479ec9c7d45a7240bfbbbdcd0b94f87

SHA1
ce67a64eccbf42d9860b5f35a42636d509b1e4d5

SHA256
1dc9afd395fdd651a63e75fe7bfd6f9595d5585eef66d1ed2c9a5b53d2d05b80

SHA512
342013f2b8f0592e79e8743543280ccb816065be67a8e87b140a0795dd3b6bc338541603a5b68faf336e4cce6d1a3ba09a1c34912b257e6eec40d78044a7d91d

Download Submit
C:\Windows\system\SMovKoE.exe

Filesize
5.2MB

MD5
89cc8e2a476c15431431db428c242ec1

SHA1
0d45d9211050c6df20e5403dba2f2d2fd209889e

SHA256
e7a8956106f54029d7efb3545ad84b50061933e958c9008345bac1ba9fd8d60d

SHA512
1ef5fee1d9ea700e79fc0bf63a7bdbec35f7a7980abcbb48d5769f1e3cd254d13ea9f26cff69f28e601bc96bf6b2fcf611f80d8bf8f490a247f35f908d0ff4c3

Download Submit
C:\Windows\system\XWiaMet.exe

Filesize
5.2MB

MD5
c73a4566192f121bc8115b6bc56476b5

SHA1
aee2594318de42b7d5a481742588c9b92f44a17b

SHA256
1eaaf3c5b8fb187b0bd95c41fbc1a6f0e8747ef93f1cf26c97748e0b06d39cac

SHA512
f1a1ef05134ea8f5c5aa17f475ca61842f91dddd9ec77e384d59ef050e8518a0a3fc1e0b1ded0c6ee2c66a6aad246efd4aaae0bdca2cdff80261882497b5aaac

Download Submit
C:\Windows\system\XepjTje.exe

Filesize
5.2MB

MD5
790b4a5e99ac356b0499bf30fa07e116

SHA1
87b93e90ec63e6d7b27ca5195937ab96f3b850d8

SHA256
69e98d0c2c3b62af6e5ef7ffc91ee93b39b94549d0e96e802d8374e02fb946f8

SHA512
e7ac09b29954fcf66812a6dedfbae989f2c47ef06fd8e471dcf09732d71abfe3194f15dfea729cc14a1e2c496f8e94449cb70460ae7c8432b9bd517013c9b389

Download Submit
C:\Windows\system\ZipcMZM.exe

Filesize
5.2MB

MD5
3b60462e74dae114971236a1b1ad2ef1

SHA1
4569be0d4df91d610358bd65c882b56fa6db88be

SHA256
d7905e3685d613bacba2a72bad5f3047d6d718b64155f55b08af34eaa1230552

SHA512
541d21041cb0047b9cfb5945cee43d858f43fe16c49abd510015d51d4c17c85cb29c2bb9e0f757fb0bbe4b63b77fd3535eac43b6af72a4642b593d8ca424a526

Download Submit
C:\Windows\system\dVUpgOA.exe

Filesize
5.2MB

MD5
390bd4c498a81043a9c5eb113ea07d0d

SHA1
c122e46d347e729911b412055065b3bc17de08f3

SHA256
a1109718fc4535f4e9c81fd049fe640c476536d60001ca73c4ec5a5e4c834982

SHA512
c0ec623e87751c026cac3e81d2e987e230b00c97661c2b0f74c71581a954e4a883ae9597d9df6bb910015ab45650fb061d21315c33668a93b2b0bb89d7d77a3d

Download Submit
C:\Windows\system\jDePlQu.exe

Filesize
5.2MB

MD5
e524ee138b6eaf093ae4913e8fc27fe6

SHA1
8a066a852bed6ab155c9f488735761b1dc0cf01f

SHA256
dedd0347bf649324c4eaf8f85e2ce52df19a9cac3d1858c304a1774b246cc1f8

SHA512
3cd39eb1fa94f2960938f42c0e509a59237d337a327cc8e659138852269a697d1cd96526b3d28fdebbf72de358dd9bbae6d1b6711e65cb3c7c9516ff28932e57

Download Submit
C:\Windows\system\jgeaMIn.exe

Filesize
5.2MB

MD5
8e40544954f607c23cd4682f4182eebc

SHA1
fd55fef93ec281e6a7e37154e5bbfb1e4f3a9445

SHA256
bf42c57b4414a4da5502980ce6e758941a59942fe671fb3464a88fd6e478a72e

SHA512
9193b62bb068f0486df6334aa63512798956cc4fb1a591a109c545c76f3bcbb5a58c0afa9bebb4592bc1bffa5789e1c7313f9b76761bd5b9edf7fb39a0b42807

Download Submit
C:\Windows\system\lRaZEFw.exe

Filesize
5.2MB

MD5
7c6c21f5ce18dae27fe4374b0a27530a

SHA1
07961e5d21c8b30cb8711ea10b78acb31ef29211

SHA256
55aa74b45cea88348b17812854197d111e9130ba699ca47f26d73084f48a9b0b

SHA512
9c0da963dcb43f858f84481e7a3109b3a9d64fcd7a9632f15447d7197e84c5974eb25714e2cf36b885c9c4701d6c53efe4dfee6262a335ee4f107dd6ac9fed48

Download Submit
C:\Windows\system\mLSNhpc.exe

Filesize
5.2MB

MD5
efc06f701615ebfa082c91b616a23c50

SHA1
7fc3f45ddc0620e2ed7aaf0f4972ea7df7c37328

SHA256
7b9d0a437528f791dfaed8af1bd4cf215d608ce918a28d694b9a4d1755a5d6b9

SHA512
89a1194e71e421f096ff24030d3f6b80c14d891c0560243716ab6627296514a7e007f60fc40902f37d5971cdef88ebf01615c36e8acb5169a04c97b511d3d0fc

Download Submit
C:\Windows\system\sGQudmM.exe

Filesize
5.2MB

MD5
d202b1da11ecab5830a5805bb42e3625

SHA1
eb73f8fe4b18e36df42566ad688e2320bd970e64

SHA256
9ba3847ddd3fd1117830732bbf60f5d6d81fe3bacf2d98cb38fd96aaa0a3fad3

SHA512
64a53995cd0dc011a54ada518a9f2b14ae0493def3adf5272a595f947624fb94e4b338eb4bbca6005d8000a42e9a9d3ab0301473a8c1510216e4500f3ca97c62

Download Submit
C:\Windows\system\sSnYtGg.exe

Filesize
5.2MB

MD5
9f6c312fcc207ce6df0734420adeb903

SHA1
51033cb24d8bf36c30f9a265606f5f0000109cbd

SHA256
500f61da584d6b99d31a80f1063eca35b0ee795ebdfd786ba7db33c884030482

SHA512
1e5983a2d11dbc8ff3afbd538e0b8914b0babf867bf2ad83761753dd5b463f61dc6bcdbb19111196878d0bc4e841277c563d174482a58fbede0a5aec5739314e

Download Submit
C:\Windows\system\uwsNswG.exe

Filesize
5.2MB

MD5
b8e5da3c0d73e5f3d9206ade72fc2f7c

SHA1
e8dfc97ebb0bd1b8fed5b7335cd5b863f37067f9

SHA256
3a0f5952e0c138ffc72adbd470a01ad2729794c84136edff17ea200871b2ce1a

SHA512
f6670907ab22c95b58de1385520828f37ac668ad925ba3fd6cfba7d3a92d7394a79ea51227640bc9b6b18f6c02bed274bab4a40f25d1f7f0e3d822461f939889

Download Submit
C:\Windows\system\wVTQGQg.exe

Filesize
5.2MB

MD5
4a69acb4574cc3c678e8ecb7cec90b07

SHA1
8319603bed538f57da6e88152f7f5fd896ea6df4

SHA256
5aeba0811f9074714a1d4b9b6924275c5185635b9db342c144185025895aabad

SHA512
c976382541a23844da8148c422ea1e9aabf800b8f80ba49f65543ec9694c1fab565e72634765ebfed465bea91cbc5b1e9bd6fd351395621f70ed50c97406711e

Download Submit
C:\Windows\system\yJVgPQp.exe

Filesize
5.2MB

MD5
b2ad1b89d7e9535ea7a2bec8081578a4

SHA1
f7ba76d0fa67464a028b3b3af756c6e548d2fce1

SHA256
8c89d5ed4ad0b02e474ff14fb35fe60be0087ed5dc4cd01dcaac07618498bd69

SHA512
29d40a6a18b16fe373f7fe944f2fc355b0934baff4dc1f9c275070333b4774917dd705be1792be2e59ef0e0728b6cbae93be3dd000543c51c275ee1e8b812932

Download Submit
C:\Windows\system\zfWtOGh.exe

Filesize
5.2MB

MD5
ff8fe3ecdb173801956a567e43c6dfeb

SHA1
e49b129e8f87c3ca0741057ab9248c0e761f090e

SHA256
5fa296dcd3ecd04372eb6fa90be1f2e809b76947e52c61218809edc610fb763e

SHA512
1c114f6f0d7ee40b861476dda4676ec22c10d469906bfabd7e89744aba9a1e75a464b6a9634f8e643bade1ac857d9bdc30bca533ff5f6379cdc0b7920d45cf70

Download Submit
\Windows\system\ELYxeUn.exe

Filesize
5.2MB

MD5
c373544a27eed0dce1bb21755daf2457

SHA1
4e5920d6c591a67ca4ec644d7f7a5889bb7d1e1d

SHA256
6930603259e87c6b77ae20b5dfd03ccc35bea515580ef001f5267f998357b6ff

SHA512
6e71876f6889bfe3218ce767fcb96d8993747d50cbf1cadd08e03473286f3694c63d3990d8376d538ed1d4e0ff0c75dc93e5c3f288b5da4d2e1ad6cb6942f881

Download Submit
\Windows\system\GAaJUBx.exe

Filesize
5.2MB

MD5
513750403fbbba93bdf260420878d9f6

SHA1
854fef2c4b157eba70ec5783a28d46cf992303b4

SHA256
a9304c9442c4449966792350cd308a91eaad7e739fff9269f9a658324ca0f825

SHA512
0d804f08d064344f7d3d60ee8f75be44978ce3d69c1e089a2354c7682696e34d1e58eec90848dd618989d4c823df529df8197380faaa6b3c7b89deb3e9f099ac

Download Submit
\Windows\system\dXNiYXv.exe

Filesize
5.2MB

MD5
55c9d0860de6924161a51ddd64554470

SHA1
9012c757331322affa6e279ad2d8353f402a6414

SHA256
e09ebc3571d1699ecd80f5e89de23da21b99ff89a7cdcb27d291d93c4b89a774

SHA512
5a988829b36b88a75d05eb56d02071eae9facc2c7a2926ceb36b3ea6c012feb2ecffb35eefbadc672db82eaef8d81a05eb2ba277909d20b7a49da301cffe2293

Download Submit
memory/1424-142-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/1424-247-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/1464-146-0x000000013FAF0000-0x000000013FE41000-memory.dmp

Filesize
3.3MB

Download
memory/1800-145-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/1904-144-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/1996-148-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2028-143-0x000000013F520000-0x000000013F871000-memory.dmp

Filesize
3.3MB

Download
memory/2180-131-0x000000013FEB0000-0x0000000140201000-memory.dmp

Filesize
3.3MB

Download
memory/2180-28-0x000000013FEB0000-0x0000000140201000-memory.dmp

Filesize
3.3MB

Download
memory/2180-216-0x000000013FEB0000-0x0000000140201000-memory.dmp

Filesize
3.3MB

Download
memory/2192-141-0x000000013FB70000-0x000000013FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/2192-245-0x000000013FB70000-0x000000013FEC1000-memory.dmp

Filesize
3.3MB

Download
memory/2204-64-0x000000013F410000-0x000000013F761000-memory.dmp

Filesize
3.3MB

Download
memory/2204-224-0x000000013F410000-0x000000013F761000-memory.dmp

Filesize
3.3MB

Download
memory/2204-138-0x000000013F410000-0x000000013F761000-memory.dmp

Filesize
3.3MB

Download
memory/2340-213-0x000000013F8F0000-0x000000013FC41000-memory.dmp

Filesize
3.3MB

Download
memory/2340-40-0x000000013F8F0000-0x000000013FC41000-memory.dmp

Filesize
3.3MB

Download
memory/2340-13-0x000000013F8F0000-0x000000013FC41000-memory.dmp

Filesize
3.3MB

Download
memory/2348-147-0x000000013FAF0000-0x000000013FE41000-memory.dmp

Filesize
3.3MB

Download
memory/2468-214-0x000000013F850000-0x000000013FBA1000-memory.dmp

Filesize
3.3MB

Download
memory/2468-15-0x000000013F850000-0x000000013FBA1000-memory.dmp

Filesize
3.3MB

Download
memory/2504-151-0x0000000002430000-0x0000000002781000-memory.dmp

Filesize
3.3MB

Download
memory/2504-154-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2504-16-0x0000000002430000-0x0000000002781000-memory.dmp

Filesize
3.3MB

Download
memory/2504-62-0x0000000002430000-0x0000000002781000-memory.dmp

Filesize
3.3MB

Download
memory/2504-59-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/2504-176-0x000000013F1D0000-0x000000013F521000-memory.dmp

Filesize
3.3MB

Download
memory/2504-159-0x000000013F410000-0x000000013F761000-memory.dmp

Filesize
3.3MB

Download
memory/2504-153-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/2504-39-0x0000000002430000-0x0000000002781000-memory.dmp

Filesize
3.3MB

Download
memory/2504-36-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2504-18-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/2504-127-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2504-24-0x000000013FEB0000-0x0000000140201000-memory.dmp

Filesize
3.3MB

Download
memory/2504-63-0x000000013F410000-0x000000013F761000-memory.dmp

Filesize
3.3MB

Download
memory/2504-6-0x0000000002430000-0x0000000002781000-memory.dmp

Filesize
3.3MB

Download
memory/2504-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2504-150-0x000000013F0F0000-0x000000013F441000-memory.dmp

Filesize
3.3MB

Download
memory/2504-54-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/2504-30-0x0000000002430000-0x0000000002781000-memory.dmp

Filesize
3.3MB

Download
memory/2504-152-0x000000013F520000-0x000000013F871000-memory.dmp

Filesize
3.3MB

Download
memory/2504-0-0x000000013FAA0000-0x000000013FDF1000-memory.dmp

Filesize
3.3MB

Download
memory/2548-135-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/2548-237-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/2592-139-0x000000013F1D0000-0x000000013F521000-memory.dmp

Filesize
3.3MB

Download
memory/2592-241-0x000000013F1D0000-0x000000013F521000-memory.dmp

Filesize
3.3MB

Download
memory/2644-132-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/2644-258-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/2644-34-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/2764-50-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2764-133-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2764-218-0x000000013F770000-0x000000013FAC1000-memory.dmp

Filesize
3.3MB

Download
memory/2812-136-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/2812-222-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/2812-55-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/2816-137-0x000000013F750000-0x000000013FAA1000-memory.dmp

Filesize
3.3MB

Download
memory/2816-239-0x000000013F750000-0x000000013FAA1000-memory.dmp

Filesize
3.3MB

Download
memory/2840-22-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/2840-220-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/2840-130-0x000000013F6B0000-0x000000013FA01000-memory.dmp

Filesize
3.3MB

Download
memory/2864-149-0x000000013F3E0000-0x000000013F731000-memory.dmp

Filesize
3.3MB

Download
memory/3040-243-0x000000013F0F0000-0x000000013F441000-memory.dmp

Filesize
3.3MB

Download
memory/3040-140-0x000000013F0F0000-0x000000013F441000-memory.dmp

Filesize
3.3MB

Download