cobaltstrike | 9b760cb95a5b9f632b856e419b02f7ecf7d5d1bb599cb10730d2134357280b04

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-12-2024 20:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

5054368619cbd5c917be75a46dab33d5
SHA1

6814d2a4d14998747ff22f24d32dc2655f5b9759
SHA256

9b760cb95a5b9f632b856e419b02f7ecf7d5d1bb599cb10730d2134357280b04
SHA512

01415d643ccaac875b7cb995daf97c4da6b51c9894199d47b52eb0b7a499e104ce2bb2a9e80fc1eb91c9d289c51ead9724efc00a58f1006f2a05613ca975c449
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lC:RWWBibf56utgpPFotBER/mQ32lUW

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0008000000012117-6.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016855-8.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016c62-11.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016c84-55.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018f53-89.dat	cobalt_reflective_dll
behavioral1/files/0x000d00000001866e-84.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017525-83.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017487-82.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018c1a-78.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018687-68.dat	cobalt_reflective_dll
behavioral1/files/0x0014000000018663-60.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000174a2-52.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016d25-47.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016cd1-46.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017472-42.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d36-33.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016cfc-104.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001903b-102.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018c26-101.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018792-87.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000173fc-50.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 37 IoCs

miner

resource	yara_rule
behavioral1/memory/308-80-0x000000013FA90000-0x000000013FDE1000-memory.dmp	xmrig
behavioral1/memory/2744-116-0x000000013F2C0000-0x000000013F611000-memory.dmp	xmrig
behavioral1/memory/636-113-0x000000013FC20000-0x000000013FF71000-memory.dmp	xmrig
behavioral1/memory/2960-131-0x000000013FB90000-0x000000013FEE1000-memory.dmp	xmrig
behavioral1/memory/2920-112-0x000000013F320000-0x000000013F671000-memory.dmp	xmrig
behavioral1/memory/2496-107-0x000000013F530000-0x000000013F881000-memory.dmp	xmrig
behavioral1/memory/2732-100-0x000000013FAF0000-0x000000013FE41000-memory.dmp	xmrig
behavioral1/memory/2960-99-0x000000013F2C0000-0x000000013F611000-memory.dmp	xmrig
behavioral1/memory/3052-94-0x000000013F310000-0x000000013F661000-memory.dmp	xmrig
behavioral1/memory/2964-133-0x000000013F210000-0x000000013F561000-memory.dmp	xmrig
behavioral1/memory/2292-132-0x000000013F460000-0x000000013F7B1000-memory.dmp	xmrig
behavioral1/memory/2292-13-0x000000013F460000-0x000000013F7B1000-memory.dmp	xmrig
behavioral1/memory/2972-134-0x000000013F4B0000-0x000000013F801000-memory.dmp	xmrig
behavioral1/memory/2964-20-0x000000013F210000-0x000000013F561000-memory.dmp	xmrig
behavioral1/memory/2960-135-0x000000013FB90000-0x000000013FEE1000-memory.dmp	xmrig
behavioral1/memory/984-141-0x000000013F580000-0x000000013F8D1000-memory.dmp	xmrig
behavioral1/memory/2296-143-0x000000013FE30000-0x0000000140181000-memory.dmp	xmrig
behavioral1/memory/2616-149-0x000000013FB40000-0x000000013FE91000-memory.dmp	xmrig
behavioral1/memory/1616-156-0x000000013F510000-0x000000013F861000-memory.dmp	xmrig
behavioral1/memory/2248-155-0x000000013F070000-0x000000013F3C1000-memory.dmp	xmrig
behavioral1/memory/3000-154-0x000000013FDA0000-0x00000001400F1000-memory.dmp	xmrig
behavioral1/memory/2624-153-0x000000013F0D0000-0x000000013F421000-memory.dmp	xmrig
behavioral1/memory/2576-152-0x000000013F610000-0x000000013F961000-memory.dmp	xmrig
behavioral1/memory/2812-147-0x000000013FDD0000-0x0000000140121000-memory.dmp	xmrig
behavioral1/memory/2796-145-0x000000013F670000-0x000000013F9C1000-memory.dmp	xmrig
behavioral1/memory/2752-151-0x000000013F510000-0x000000013F861000-memory.dmp	xmrig
behavioral1/memory/2960-157-0x000000013FB90000-0x000000013FEE1000-memory.dmp	xmrig
behavioral1/memory/2292-205-0x000000013F460000-0x000000013F7B1000-memory.dmp	xmrig
behavioral1/memory/2964-226-0x000000013F210000-0x000000013F561000-memory.dmp	xmrig
behavioral1/memory/3052-228-0x000000013F310000-0x000000013F661000-memory.dmp	xmrig
behavioral1/memory/2972-230-0x000000013F4B0000-0x000000013F801000-memory.dmp	xmrig
behavioral1/memory/2732-232-0x000000013FAF0000-0x000000013FE41000-memory.dmp	xmrig
behavioral1/memory/2496-236-0x000000013F530000-0x000000013F881000-memory.dmp	xmrig
behavioral1/memory/308-234-0x000000013FA90000-0x000000013FDE1000-memory.dmp	xmrig
behavioral1/memory/2920-242-0x000000013F320000-0x000000013F671000-memory.dmp	xmrig
behavioral1/memory/2744-240-0x000000013F2C0000-0x000000013F611000-memory.dmp	xmrig
behavioral1/memory/636-238-0x000000013FC20000-0x000000013FF71000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2292	RJCyLcC.exe
2964	psSYEID.exe
2972	VJqXPxU.exe
308	WndpdMT.exe
3052	YMRsOFY.exe
2732	gJdXXIW.exe
2496	sBaUflL.exe
2744	IHmrlop.exe
2920	BWJZWqX.exe
636	CphPWry.exe
2576	dHIWPDD.exe
3000	zYqYYKE.exe
1616	boYnJXd.exe
984	YEmXyFD.exe
2296	yvovIbP.exe
2796	gsrGGne.exe
2812	drJiymt.exe
2616	ptINtNl.exe
2752	lTvynCc.exe
2624	TmPJhVQ.exe
2248	QtfTbHv.exe

Loads dropped DLL 21 IoCs

pid	Process
2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2960-0-0x000000013FB90000-0x000000013FEE1000-memory.dmp	upx
behavioral1/files/0x0008000000012117-6.dat	upx
behavioral1/files/0x0008000000016855-8.dat	upx
behavioral1/files/0x0008000000016c62-11.dat	upx
behavioral1/files/0x0007000000016c84-55.dat	upx
behavioral1/files/0x0006000000018f53-89.dat	upx
behavioral1/files/0x000d00000001866e-84.dat	upx
behavioral1/files/0x0006000000017525-83.dat	upx
behavioral1/files/0x0006000000017487-82.dat	upx
behavioral1/memory/308-80-0x000000013FA90000-0x000000013FDE1000-memory.dmp	upx
behavioral1/files/0x0006000000018c1a-78.dat	upx
behavioral1/memory/2972-74-0x000000013F4B0000-0x000000013F801000-memory.dmp	upx
behavioral1/files/0x0005000000018687-68.dat	upx
behavioral1/files/0x0014000000018663-60.dat	upx
behavioral1/files/0x00060000000174a2-52.dat	upx
behavioral1/files/0x0009000000016d25-47.dat	upx
behavioral1/files/0x0007000000016cd1-46.dat	upx
behavioral1/files/0x0006000000017472-42.dat	upx
behavioral1/files/0x0008000000016d36-33.dat	upx
behavioral1/memory/2744-116-0x000000013F2C0000-0x000000013F611000-memory.dmp	upx
behavioral1/memory/636-113-0x000000013FC20000-0x000000013FF71000-memory.dmp	upx
behavioral1/memory/2960-131-0x000000013FB90000-0x000000013FEE1000-memory.dmp	upx
behavioral1/memory/2920-112-0x000000013F320000-0x000000013F671000-memory.dmp	upx
behavioral1/memory/2496-107-0x000000013F530000-0x000000013F881000-memory.dmp	upx
behavioral1/files/0x0007000000016cfc-104.dat	upx
behavioral1/files/0x000600000001903b-102.dat	upx
behavioral1/files/0x0006000000018c26-101.dat	upx
behavioral1/memory/2732-100-0x000000013FAF0000-0x000000013FE41000-memory.dmp	upx
behavioral1/memory/3052-94-0x000000013F310000-0x000000013F661000-memory.dmp	upx
behavioral1/files/0x0005000000018792-87.dat	upx
behavioral1/memory/2964-133-0x000000013F210000-0x000000013F561000-memory.dmp	upx
behavioral1/memory/2292-132-0x000000013F460000-0x000000013F7B1000-memory.dmp	upx
behavioral1/files/0x00060000000173fc-50.dat	upx
behavioral1/memory/2292-13-0x000000013F460000-0x000000013F7B1000-memory.dmp	upx
behavioral1/memory/2972-134-0x000000013F4B0000-0x000000013F801000-memory.dmp	upx
behavioral1/memory/2964-20-0x000000013F210000-0x000000013F561000-memory.dmp	upx
behavioral1/memory/2960-135-0x000000013FB90000-0x000000013FEE1000-memory.dmp	upx
behavioral1/memory/984-141-0x000000013F580000-0x000000013F8D1000-memory.dmp	upx
behavioral1/memory/2296-143-0x000000013FE30000-0x0000000140181000-memory.dmp	upx
behavioral1/memory/2616-149-0x000000013FB40000-0x000000013FE91000-memory.dmp	upx
behavioral1/memory/1616-156-0x000000013F510000-0x000000013F861000-memory.dmp	upx
behavioral1/memory/2248-155-0x000000013F070000-0x000000013F3C1000-memory.dmp	upx
behavioral1/memory/3000-154-0x000000013FDA0000-0x00000001400F1000-memory.dmp	upx
behavioral1/memory/2624-153-0x000000013F0D0000-0x000000013F421000-memory.dmp	upx
behavioral1/memory/2576-152-0x000000013F610000-0x000000013F961000-memory.dmp	upx
behavioral1/memory/2812-147-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
behavioral1/memory/2796-145-0x000000013F670000-0x000000013F9C1000-memory.dmp	upx
behavioral1/memory/2752-151-0x000000013F510000-0x000000013F861000-memory.dmp	upx
behavioral1/memory/2960-157-0x000000013FB90000-0x000000013FEE1000-memory.dmp	upx
behavioral1/memory/2292-205-0x000000013F460000-0x000000013F7B1000-memory.dmp	upx
behavioral1/memory/2964-226-0x000000013F210000-0x000000013F561000-memory.dmp	upx
behavioral1/memory/3052-228-0x000000013F310000-0x000000013F661000-memory.dmp	upx
behavioral1/memory/2972-230-0x000000013F4B0000-0x000000013F801000-memory.dmp	upx
behavioral1/memory/2732-232-0x000000013FAF0000-0x000000013FE41000-memory.dmp	upx
behavioral1/memory/2496-236-0x000000013F530000-0x000000013F881000-memory.dmp	upx
behavioral1/memory/308-234-0x000000013FA90000-0x000000013FDE1000-memory.dmp	upx
behavioral1/memory/2920-242-0x000000013F320000-0x000000013F671000-memory.dmp	upx
behavioral1/memory/2744-240-0x000000013F2C0000-0x000000013F611000-memory.dmp	upx
behavioral1/memory/636-238-0x000000013FC20000-0x000000013FF71000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\gsrGGne.exe	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zYqYYKE.exe	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QtfTbHv.exe	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\psSYEID.exe	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YEmXyFD.exe	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YMRsOFY.exe	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yvovIbP.exe	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gJdXXIW.exe	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dHIWPDD.exe	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TmPJhVQ.exe	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\boYnJXd.exe	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WndpdMT.exe	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IHmrlop.exe	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lTvynCc.exe	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RJCyLcC.exe	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sBaUflL.exe	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\drJiymt.exe	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BWJZWqX.exe	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ptINtNl.exe	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CphPWry.exe	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VJqXPxU.exe	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 2292	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2960 wrote to memory of 2292	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2960 wrote to memory of 2292	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2960 wrote to memory of 2964	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2960 wrote to memory of 2964	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2960 wrote to memory of 2964	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2960 wrote to memory of 2972	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2960 wrote to memory of 2972	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2960 wrote to memory of 2972	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2960 wrote to memory of 2496	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2960 wrote to memory of 2496	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2960 wrote to memory of 2496	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2960 wrote to memory of 308	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2960 wrote to memory of 308	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2960 wrote to memory of 308	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2960 wrote to memory of 984	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2960 wrote to memory of 984	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2960 wrote to memory of 984	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2960 wrote to memory of 3052	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2960 wrote to memory of 3052	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2960 wrote to memory of 3052	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2960 wrote to memory of 2296	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2960 wrote to memory of 2296	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2960 wrote to memory of 2296	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2960 wrote to memory of 2732	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2960 wrote to memory of 2732	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2960 wrote to memory of 2732	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2960 wrote to memory of 2796	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2960 wrote to memory of 2796	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2960 wrote to memory of 2796	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2960 wrote to memory of 2744	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2960 wrote to memory of 2744	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2960 wrote to memory of 2744	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2960 wrote to memory of 2812	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2960 wrote to memory of 2812	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2960 wrote to memory of 2812	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2960 wrote to memory of 2920	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2960 wrote to memory of 2920	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2960 wrote to memory of 2920	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2960 wrote to memory of 2616	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2960 wrote to memory of 2616	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2960 wrote to memory of 2616	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2960 wrote to memory of 636	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2960 wrote to memory of 636	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2960 wrote to memory of 636	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2960 wrote to memory of 2752	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2960 wrote to memory of 2752	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2960 wrote to memory of 2752	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2960 wrote to memory of 2576	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2960 wrote to memory of 2576	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2960 wrote to memory of 2576	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2960 wrote to memory of 2624	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2960 wrote to memory of 2624	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2960 wrote to memory of 2624	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2960 wrote to memory of 3000	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2960 wrote to memory of 3000	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2960 wrote to memory of 3000	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2960 wrote to memory of 2248	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2960 wrote to memory of 2248	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2960 wrote to memory of 2248	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2960 wrote to memory of 1616	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2960 wrote to memory of 1616	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2960 wrote to memory of 1616	2960	2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-27_5054368619cbd5c917be75a46dab33d5_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Windows\System\RJCyLcC.exe
  C:\Windows\System\RJCyLcC.exe
  2⤵
  - Executes dropped EXE
  PID:2292
- C:\Windows\System\psSYEID.exe
  C:\Windows\System\psSYEID.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System\VJqXPxU.exe
  C:\Windows\System\VJqXPxU.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System\sBaUflL.exe
  C:\Windows\System\sBaUflL.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Windows\System\WndpdMT.exe
  C:\Windows\System\WndpdMT.exe
  2⤵
  - Executes dropped EXE
  PID:308
- C:\Windows\System\YEmXyFD.exe
  C:\Windows\System\YEmXyFD.exe
  2⤵
  - Executes dropped EXE
  PID:984
- C:\Windows\System\YMRsOFY.exe
  C:\Windows\System\YMRsOFY.exe
  2⤵
  - Executes dropped EXE
  PID:3052
- C:\Windows\System\yvovIbP.exe
  C:\Windows\System\yvovIbP.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System\gJdXXIW.exe
  C:\Windows\System\gJdXXIW.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\gsrGGne.exe
  C:\Windows\System\gsrGGne.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\IHmrlop.exe
  C:\Windows\System\IHmrlop.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System\drJiymt.exe
  C:\Windows\System\drJiymt.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\BWJZWqX.exe
  C:\Windows\System\BWJZWqX.exe
  2⤵
  - Executes dropped EXE
  PID:2920
- C:\Windows\System\ptINtNl.exe
  C:\Windows\System\ptINtNl.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System\CphPWry.exe
  C:\Windows\System\CphPWry.exe
  2⤵
  - Executes dropped EXE
  PID:636
- C:\Windows\System\lTvynCc.exe
  C:\Windows\System\lTvynCc.exe
  2⤵
  - Executes dropped EXE
  PID:2752
- C:\Windows\System\dHIWPDD.exe
  C:\Windows\System\dHIWPDD.exe
  2⤵
  - Executes dropped EXE
  PID:2576
- C:\Windows\System\TmPJhVQ.exe
  C:\Windows\System\TmPJhVQ.exe
  2⤵
  - Executes dropped EXE
  PID:2624
- C:\Windows\System\zYqYYKE.exe
  C:\Windows\System\zYqYYKE.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\QtfTbHv.exe
  C:\Windows\System\QtfTbHv.exe
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\Windows\System\boYnJXd.exe
  C:\Windows\System\boYnJXd.exe
  2⤵
  - Executes dropped EXE
  PID:1616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BWJZWqX.exe

Filesize
5.2MB

MD5
b27ced397efd92f4c650270ac270e6e1

SHA1
dd84acd8f30407f78944018e45d6abd9c762b156

SHA256
769c0b72942c4338940e963b62927891e97375670583aba14be6f180f887ba22

SHA512
956267bc3e79d45dd99d6d944e903567b70531113df8e7c7973cd8e1b81c6ef247834bf59ba414331a6a3bfaed16ef031fcb5292f8ad12f18af20ba04fd0b4f8

Download Submit
C:\Windows\system\CphPWry.exe

Filesize
5.2MB

MD5
d3abfd3d53be1e48e0891b4a90f57e62

SHA1
b7d7144b630c12b05eff038d2505052cceb5ff43

SHA256
5d9e712cfcd3527aeaedfd27869c373251241125eae36f97b6ca7c599ea82c86

SHA512
6c105fd14b4a51d051b18cd23f7d9d336deb8ff7ed087d4e79b42697ad8db0ae6dd4353aa4fb23205dc240e5974d9795b5832dbc0ed26cfceb606e46b1c3ffc5

Download Submit
C:\Windows\system\IHmrlop.exe

Filesize
5.2MB

MD5
54a5afbe3f39afec6f5a1c195b7573d1

SHA1
256aa7e2d61b84cb152da8f260a0b29041cc72ec

SHA256
7311896de9577ce4624e7470047c49fe83b185df899a3c2a3d43d7e4eaa04323

SHA512
4a3ac63059d30d9ff432d051a0bb15214bbbced591233266377c4528463cf80880993d18ace2a2acee805243a5ee65cb810c5d2b79305b5c0dbdeb88ffe929b0

Download Submit
C:\Windows\system\RJCyLcC.exe

Filesize
5.2MB

MD5
19b1e4f637a099564331d8e5fda38b8b

SHA1
f8d23bff1322a96ef0e5dc89ff186c3895a9ee7c

SHA256
8a8ef98313ad5dac54f04ed760f22819ccc4e258cb4b24184f257e2de2c18cab

SHA512
e0ac1c6c5112aeccb7135bcc8c10359c53bd6deb90372ed368fcdec1977d7bdf9747c068ba5bf38997b911409addcfbe14d53e1f3237750f5d65b04999f4599e

Download Submit
C:\Windows\system\VJqXPxU.exe

Filesize
5.2MB

MD5
bb9723d11ee02d9effe30fae04567a84

SHA1
ac41ec2672fc8ff55ce11ad955a063e021ed040d

SHA256
47ff886ef3c7420ef776c270a92353edc70446367115db5296615e8ff4067229

SHA512
e88c5b2d53199be3f93c137caf04057421dc51d97c579548b641deb295f29a17f91fdeff1626f3ec2b4b73310f454b7a65b902334b6a7c552477cf610399f29f

Download Submit
C:\Windows\system\WndpdMT.exe

Filesize
5.2MB

MD5
a0246efb4145c068f895b11050116014

SHA1
36c49a8ed4aaa7bc14e8c5486f3eeb0fc2bc564a

SHA256
7b12f46078625b18cbcf2d61c3de71ee8de6d8299dd828a80e479d04bbbbd631

SHA512
69811eefbf5397eac5657e730be4fed91daeb4994a61f97a34629ec7de915778cbc0ad3217eb8784032e5dd59a393ecea914aa7fb2b761a697ee3b04df4cd0da

Download Submit
C:\Windows\system\YEmXyFD.exe

Filesize
5.2MB

MD5
af86a17f21f9c7428598121e89714832

SHA1
700e923be9c4f7a3f70b26599389850388441f9a

SHA256
f9d48bd1420414dead232a71a0a9bc37bb29d0e7d799d6ee1caefde372cfdc85

SHA512
cceb7d32ab873bcadfdeb9b1a964c9325166adfb1912bf5d23d486a70c6fdd4e0a7550a88ef89d556ae7a4784e3b1228757ee8f85b3771e2abc332a8cbc5a355

Download Submit
C:\Windows\system\YMRsOFY.exe

Filesize
5.2MB

MD5
bf3ccb4b0f662b2d89dab4d179664837

SHA1
77bcbf7bc0646b8e87629c917815caf41d1b9ea2

SHA256
9f7f9ca56ce99144917c3a6a7b993ec770eff7481ee7110ddff4b4b80180b237

SHA512
6df63ae4c6b60e4d0776d92270623c28cf906e5ba5d6a58bc7cf792ddfe653c87e5c0590de36f9fab1112efc9a8dbfee777464699eb102491704610ecb73b40d

Download Submit
C:\Windows\system\boYnJXd.exe

Filesize
5.2MB

MD5
9120164fccb96e1d96625a092276c16f

SHA1
67e444ff9b17aa7ca4b3591703df9e9e9a3a5f31

SHA256
a8c1df5c728748f824b9afc382512a61c63a6bdae596b9d5082e3422b8f13872

SHA512
68f7b4705229dae09b764ac60924c5b3852dfca78a85127a60b861c822bc24c11528c123e634dc2876987b656ef8512fcb4b070fe12ebcdc9534864a4d37315b

Download Submit
C:\Windows\system\dHIWPDD.exe

Filesize
5.2MB

MD5
9656b302f166dfa62fed16567c2b0b7e

SHA1
adf44a94c0a14ef61e666e048e7f6f72faa324a0

SHA256
d3d1f892ba6de84c2432d2d2ebbc4c6b29a9b267fba183a8170f13c70c2b2f27

SHA512
6e0dc53f8fa514f42bf422ea834e3603d7f7c28959f125a680b9ce49157b64326adb0bd9db48bebc7d58cf34de0b2624914f3b1471dfff748a44a9b85edf4add

Download Submit
C:\Windows\system\gJdXXIW.exe

Filesize
5.2MB

MD5
97ac9c77621dbe3e3259512de10442ba

SHA1
3fc2a54226d495a67ba49bb8408e71639020795b

SHA256
68c92cd85f16da3887ff26815b2c6f4b9206b1165ec7476951d21c21cd666273

SHA512
7e886b8b2a9dd6ec098c99553f2ecc0525d9c78bc11ec13563329607a9c4bb2f83340d086bcc9732400b8bccda2fbb437e683e3ac1cd8d8448543725db2cb95d

Download Submit
C:\Windows\system\sBaUflL.exe

Filesize
5.2MB

MD5
82fa6bac9bd9ec38b5cdc3f0f3568c64

SHA1
fd043348fbde0d899374559e3453065933eb966d

SHA256
a2612841e4b68307b221d10ac135f3127c8a631df98ed7a3ea05e241158035b2

SHA512
a6453741194004bf37a6bc684a8b535b8731e302103616d9e3553a976ea80d61ea747263c21b89b08b50acbe22dc25a5e06c622ff9f09da336b8fed9c9552037

Download Submit
C:\Windows\system\zYqYYKE.exe

Filesize
5.2MB

MD5
11dac5cfee990dc48a6853a566adad9d

SHA1
5b11f10e75d410ee46fcc3c1fabd4c61c2118a3f

SHA256
4a7572126a866edf21b75c82ec4e0c59d63a257040d4f9c283ebd4119e3dc385

SHA512
9288f7270efb12a2fd9db13016a02c94c1c36b86462c082d9c0c8f5f7d81d2db684dce2f92d49862b249b48da17d07d631c9601c3d299e7f124d35830a75f69e

Download Submit
\Windows\system\QtfTbHv.exe

Filesize
5.2MB

MD5
fe545c48f493d4257788e9f94c7a66c8

SHA1
d8161996cf85eef716d5f2a4118968056ee6d6f2

SHA256
e99a05304bbac251dd3f94abf0e9dd46b25ed3e2bdc2d00bc817b6ffbe705d16

SHA512
111bc1b288c31ae9735f14ee316b4fd9876d74c803e225c9d9a38fa7aef51baa0c349cf41e401f0468d22a7f205f44871fbf1feaad56303a67e26ff087a58e88

Download Submit
\Windows\system\TmPJhVQ.exe

Filesize
5.2MB

MD5
9c0feca6ff4dbbdf7e038faec2df9421

SHA1
24ce35ba37b135e3a9e838666a24311edd5bc8c0

SHA256
f910a087a3474f7a2b63fb5dca65a972897a5a6bd71f3682c30ba79fc2f0d108

SHA512
a9d2bea6bf7e6539350631ab1dd6e7cef035ad136fd085b496689fa1408bf01fa0cb94ecb2fb8122be5d9e8ad2bccb7dc9add189cd8d39fad8b2aa8dc2d7452e

Download Submit
\Windows\system\drJiymt.exe

Filesize
5.2MB

MD5
fda5ef64bb07572487def94ecdba0e65

SHA1
e6ebaca1a629b863faa4f6723d63ecb0c6048391

SHA256
0a099ae37d3ace46eb2d28310cfa5f1b6cc12a8d4ffaae465e9325772ba8b2e0

SHA512
268a820d68511b117371156dcf74637da5865ea9de44e5985d9f2673be8138fbf91f6d87b4e936d05518fc336cab21fdcc0fefc5205fcbaf1e9dc99e98f0e816

Download Submit
\Windows\system\gsrGGne.exe

Filesize
5.2MB

MD5
e05b5bcbda8fa5374f53f1827a309c68

SHA1
84ccb0733f61459d3037c1f49d2a8007f5dc298e

SHA256
228715bf1c6eec46f058fa67babdda4f32555f2423485a6aeb04aa58316c5c75

SHA512
17c0439cdb2bdaa49d9778040eeaf6575cc6b5cf159d251e57d3c6b882fdc2547256ef72343ff6caec9f29f2266671ba0a13237e84ff8db379999fb052d193a9

Download Submit
\Windows\system\lTvynCc.exe

Filesize
5.2MB

MD5
94cdfcadbadf8416b327c7723496ee80

SHA1
2be5c8fb863b19dd4b83c670e859ea686f2531ba

SHA256
2ea3c1ec9d503678d52a11081286ffa19ea5f78865b871cfc2f2c3a576718db1

SHA512
2fdd8d7cfa00f8281a552f66a45310b18d08dbb6be4a04b214b021fd259435665e29ee4dbd4ee9529d35d6bd856791262155637e5644a63baddb7c99f8e9bcdd

Download Submit
\Windows\system\psSYEID.exe

Filesize
5.2MB

MD5
ac65d5d7035b8d15dea4e108af36b16d

SHA1
d8e1e318ef26dc6c2213d52c58efbe3b2f87ae3b

SHA256
ce2bad0d86a7e8e5be16e4908c354bdc3164f98b47aa3819749d694c9e782382

SHA512
65cb0059e71869e3456201b89c711d0a4ee90acd0dbf528195a3c25aca21abe80164a28181dab49529a8504986f9a44789a13f1794126dbbf0b348eccb05c714

Download Submit
\Windows\system\ptINtNl.exe

Filesize
5.2MB

MD5
604e72e21ed5aaff92355b905c7e785a

SHA1
72fab9c49163599719aaa096c77a89a36bf20cb7

SHA256
c2bd32f6f9cbaae3f4412d44c04d34d827db35843de10552d115cc6146638396

SHA512
8cc8246c364fd8f5eaea2c556f7383654f204da012919b36c672541e5b41a7da7d6d6d0528b787b3484654a869b9875dfe3ebd3d50b6000a30adc8dec2d965ff

Download Submit
\Windows\system\yvovIbP.exe

Filesize
5.2MB

MD5
42783ac44190e2f7e643a39d39fe28f1

SHA1
65501d51bf81cb4a1859ca9fd6cc2f496a8700aa

SHA256
8e4253b9dcc779fefad628c640a8d38ec81fbf45ceb6d03910de47bf97e829af

SHA512
78672f8ceae0936ec6d98ba88ddcab5f0f9d0be671e9f4fd99af7f02b25c2f2c7586b9b31a15cf4c481ba7cdcb9319d952c9503876e51909d2d4c80c9f538dff

Download Submit
memory/308-80-0x000000013FA90000-0x000000013FDE1000-memory.dmp

Filesize
3.3MB

Download
memory/308-234-0x000000013FA90000-0x000000013FDE1000-memory.dmp

Filesize
3.3MB

Download
memory/636-238-0x000000013FC20000-0x000000013FF71000-memory.dmp

Filesize
3.3MB

Download
memory/636-113-0x000000013FC20000-0x000000013FF71000-memory.dmp

Filesize
3.3MB

Download
memory/984-141-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/1616-156-0x000000013F510000-0x000000013F861000-memory.dmp

Filesize
3.3MB

Download
memory/2248-155-0x000000013F070000-0x000000013F3C1000-memory.dmp

Filesize
3.3MB

Download
memory/2292-132-0x000000013F460000-0x000000013F7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2292-13-0x000000013F460000-0x000000013F7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2292-205-0x000000013F460000-0x000000013F7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2296-143-0x000000013FE30000-0x0000000140181000-memory.dmp

Filesize
3.3MB

Download
memory/2496-107-0x000000013F530000-0x000000013F881000-memory.dmp

Filesize
3.3MB

Download
memory/2496-236-0x000000013F530000-0x000000013F881000-memory.dmp

Filesize
3.3MB

Download
memory/2576-152-0x000000013F610000-0x000000013F961000-memory.dmp

Filesize
3.3MB

Download
memory/2616-149-0x000000013FB40000-0x000000013FE91000-memory.dmp

Filesize
3.3MB

Download
memory/2624-153-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/2732-232-0x000000013FAF0000-0x000000013FE41000-memory.dmp

Filesize
3.3MB

Download
memory/2732-100-0x000000013FAF0000-0x000000013FE41000-memory.dmp

Filesize
3.3MB

Download
memory/2744-116-0x000000013F2C0000-0x000000013F611000-memory.dmp

Filesize
3.3MB

Download
memory/2744-240-0x000000013F2C0000-0x000000013F611000-memory.dmp

Filesize
3.3MB

Download
memory/2752-151-0x000000013F510000-0x000000013F861000-memory.dmp

Filesize
3.3MB

Download
memory/2796-145-0x000000013F670000-0x000000013F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2812-147-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/2920-112-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/2920-242-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/2960-131-0x000000013FB90000-0x000000013FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/2960-0-0x000000013FB90000-0x000000013FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/2960-21-0x000000013F4B0000-0x000000013F801000-memory.dmp

Filesize
3.3MB

Download
memory/2960-62-0x000000013F310000-0x000000013F661000-memory.dmp

Filesize
3.3MB

Download
memory/2960-37-0x00000000022A0000-0x00000000025F1000-memory.dmp

Filesize
3.3MB

Download
memory/2960-135-0x000000013FB90000-0x000000013FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/2960-22-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/2960-1-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/2960-35-0x000000013F580000-0x000000013F8D1000-memory.dmp

Filesize
3.3MB

Download
memory/2960-115-0x000000013F610000-0x000000013F961000-memory.dmp

Filesize
3.3MB

Download
memory/2960-99-0x000000013F2C0000-0x000000013F611000-memory.dmp

Filesize
3.3MB

Download
memory/2960-111-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/2960-28-0x000000013F530000-0x000000013F881000-memory.dmp

Filesize
3.3MB

Download
memory/2960-41-0x00000000022A0000-0x00000000025F1000-memory.dmp

Filesize
3.3MB

Download
memory/2960-114-0x000000013F670000-0x000000013F9C1000-memory.dmp

Filesize
3.3MB

Download
memory/2960-103-0x00000000022A0000-0x00000000025F1000-memory.dmp

Filesize
3.3MB

Download
memory/2960-109-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/2960-157-0x000000013FB90000-0x000000013FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/2960-110-0x000000013F510000-0x000000013F861000-memory.dmp

Filesize
3.3MB

Download
memory/2964-226-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/2964-133-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/2964-20-0x000000013F210000-0x000000013F561000-memory.dmp

Filesize
3.3MB

Download
memory/2972-230-0x000000013F4B0000-0x000000013F801000-memory.dmp

Filesize
3.3MB

Download
memory/2972-74-0x000000013F4B0000-0x000000013F801000-memory.dmp

Filesize
3.3MB

Download
memory/2972-134-0x000000013F4B0000-0x000000013F801000-memory.dmp

Filesize
3.3MB

Download
memory/3000-154-0x000000013FDA0000-0x00000001400F1000-memory.dmp

Filesize
3.3MB

Download
memory/3052-228-0x000000013F310000-0x000000013F661000-memory.dmp

Filesize
3.3MB

Download
memory/3052-94-0x000000013F310000-0x000000013F661000-memory.dmp

Filesize
3.3MB

Download