cobaltstrike | 7669205c5a9d3853792ff640a7aa52045f6b3e387618ee24b1402c9236e3267b

Analysis

max time kernel
140s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27-12-2024 20:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

a4105353cb4e931dd44836ec40bee483
SHA1

4aeb1979841731cb0063ffb88297e6bcab340161
SHA256

7669205c5a9d3853792ff640a7aa52045f6b3e387618ee24b1402c9236e3267b
SHA512

a504ab3ef408972d7e8fe69f43ef3c5bb68b0dcbaaefe9885f32c9240019fd502a3d2eb2edf777dbfbcaa150676e95ebb686091f6156dd87930641d06a64e0ed
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lp:RWWBibf56utgpPFotBER/mQ32lUN

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x00080000000120ff-6.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015cf1-12.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d0d-13.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d64-25.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d6d-26.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019030-96.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019228-117.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019241-126.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001925c-133.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019234-124.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015cc0-110.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001920f-115.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001903d-106.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018d68-88.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018d63-81.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018bcd-75.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018761-64.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000015d7f-58.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015dc3-54.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d75-35.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d50-21.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 40 IoCs

miner

resource	yara_rule
behavioral1/memory/2516-59-0x000000013F220000-0x000000013F571000-memory.dmp	xmrig
behavioral1/memory/2760-65-0x000000013F220000-0x000000013F571000-memory.dmp	xmrig
behavioral1/memory/2648-72-0x000000013F980000-0x000000013FCD1000-memory.dmp	xmrig
behavioral1/memory/2196-92-0x000000013F630000-0x000000013F981000-memory.dmp	xmrig
behavioral1/memory/2516-93-0x000000013F910000-0x000000013FC61000-memory.dmp	xmrig
behavioral1/memory/2508-98-0x000000013FD30000-0x0000000140081000-memory.dmp	xmrig
behavioral1/memory/1684-101-0x000000013FFC0000-0x0000000140311000-memory.dmp	xmrig
behavioral1/memory/2632-139-0x000000013F810000-0x000000013FB61000-memory.dmp	xmrig
behavioral1/memory/2296-85-0x000000013F530000-0x000000013F881000-memory.dmp	xmrig
behavioral1/memory/2744-71-0x000000013F380000-0x000000013F6D1000-memory.dmp	xmrig
behavioral1/memory/2796-70-0x000000013F050000-0x000000013F3A1000-memory.dmp	xmrig
behavioral1/memory/2892-62-0x000000013F060000-0x000000013F3B1000-memory.dmp	xmrig
behavioral1/memory/2720-56-0x000000013F0D0000-0x000000013F421000-memory.dmp	xmrig
behavioral1/memory/2180-53-0x000000013F990000-0x000000013FCE1000-memory.dmp	xmrig
behavioral1/memory/2352-48-0x000000013F410000-0x000000013F761000-memory.dmp	xmrig
behavioral1/memory/2504-40-0x000000013F9E0000-0x000000013FD31000-memory.dmp	xmrig
behavioral1/memory/2508-36-0x000000013FD30000-0x0000000140081000-memory.dmp	xmrig
behavioral1/memory/2516-140-0x000000013F910000-0x000000013FC61000-memory.dmp	xmrig
behavioral1/memory/2988-160-0x000000013F5A0000-0x000000013F8F1000-memory.dmp	xmrig
behavioral1/memory/2708-161-0x000000013F190000-0x000000013F4E1000-memory.dmp	xmrig
behavioral1/memory/2672-158-0x000000013F5D0000-0x000000013F921000-memory.dmp	xmrig
behavioral1/memory/2164-156-0x000000013FE20000-0x0000000140171000-memory.dmp	xmrig
behavioral1/memory/2932-159-0x000000013FC40000-0x000000013FF91000-memory.dmp	xmrig
behavioral1/memory/2880-157-0x000000013FF20000-0x0000000140271000-memory.dmp	xmrig
behavioral1/memory/2456-155-0x000000013FA40000-0x000000013FD91000-memory.dmp	xmrig
behavioral1/memory/2516-162-0x000000013F910000-0x000000013FC61000-memory.dmp	xmrig
behavioral1/memory/2508-221-0x000000013FD30000-0x0000000140081000-memory.dmp	xmrig
behavioral1/memory/2504-223-0x000000013F9E0000-0x000000013FD31000-memory.dmp	xmrig
behavioral1/memory/2720-226-0x000000013F0D0000-0x000000013F421000-memory.dmp	xmrig
behavioral1/memory/2352-229-0x000000013F410000-0x000000013F761000-memory.dmp	xmrig
behavioral1/memory/2180-227-0x000000013F990000-0x000000013FCE1000-memory.dmp	xmrig
behavioral1/memory/2892-231-0x000000013F060000-0x000000013F3B1000-memory.dmp	xmrig
behavioral1/memory/2760-233-0x000000013F220000-0x000000013F571000-memory.dmp	xmrig
behavioral1/memory/2796-235-0x000000013F050000-0x000000013F3A1000-memory.dmp	xmrig
behavioral1/memory/2744-237-0x000000013F380000-0x000000013F6D1000-memory.dmp	xmrig
behavioral1/memory/2648-239-0x000000013F980000-0x000000013FCD1000-memory.dmp	xmrig
behavioral1/memory/2296-241-0x000000013F530000-0x000000013F881000-memory.dmp	xmrig
behavioral1/memory/2196-243-0x000000013F630000-0x000000013F981000-memory.dmp	xmrig
behavioral1/memory/2632-254-0x000000013F810000-0x000000013FB61000-memory.dmp	xmrig
behavioral1/memory/1684-255-0x000000013FFC0000-0x0000000140311000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2508	iRoyFEB.exe
2504	BlSKfUm.exe
2352	FarjEqp.exe
2180	RYEJgfo.exe
2720	UDrRlnG.exe
2892	hCxMqsz.exe
2760	sIjaEBH.exe
2796	kJLBNlS.exe
2744	CXfPGoH.exe
2648	TfBGxWZ.exe
2632	sUPaagj.exe
2296	kjVDuhg.exe
2196	VkEdZaw.exe
1684	fuzQhFE.exe
2456	nGgBXhD.exe
2164	tgQxeOQ.exe
2880	rLCJxiW.exe
2672	KIwoQUX.exe
2932	Zpkvueg.exe
2708	yPCtQXB.exe
2988	EjDjAqz.exe

Loads dropped DLL 21 IoCs

pid	Process
2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 62 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2516-0-0x000000013F910000-0x000000013FC61000-memory.dmp	upx
behavioral1/files/0x00080000000120ff-6.dat	upx
behavioral1/files/0x0008000000015cf1-12.dat	upx
behavioral1/files/0x0008000000015d0d-13.dat	upx
behavioral1/files/0x0007000000015d64-25.dat	upx
behavioral1/files/0x0007000000015d6d-26.dat	upx
behavioral1/memory/2760-65-0x000000013F220000-0x000000013F571000-memory.dmp	upx
behavioral1/memory/2648-72-0x000000013F980000-0x000000013FCD1000-memory.dmp	upx
behavioral1/memory/2196-92-0x000000013F630000-0x000000013F981000-memory.dmp	upx
behavioral1/memory/2516-93-0x000000013F910000-0x000000013FC61000-memory.dmp	upx
behavioral1/files/0x0006000000019030-96.dat	upx
behavioral1/memory/2508-98-0x000000013FD30000-0x0000000140081000-memory.dmp	upx
behavioral1/files/0x0005000000019228-117.dat	upx
behavioral1/files/0x0005000000019241-126.dat	upx
behavioral1/files/0x000500000001925c-133.dat	upx
behavioral1/files/0x0005000000019234-124.dat	upx
behavioral1/files/0x0008000000015cc0-110.dat	upx
behavioral1/files/0x000500000001920f-115.dat	upx
behavioral1/memory/1684-101-0x000000013FFC0000-0x0000000140311000-memory.dmp	upx
behavioral1/files/0x000600000001903d-106.dat	upx
behavioral1/memory/2632-139-0x000000013F810000-0x000000013FB61000-memory.dmp	upx
behavioral1/memory/2296-85-0x000000013F530000-0x000000013F881000-memory.dmp	upx
behavioral1/files/0x0006000000018d68-88.dat	upx
behavioral1/files/0x0006000000018d63-81.dat	upx
behavioral1/memory/2632-78-0x000000013F810000-0x000000013FB61000-memory.dmp	upx
behavioral1/memory/2744-71-0x000000013F380000-0x000000013F6D1000-memory.dmp	upx
behavioral1/memory/2796-70-0x000000013F050000-0x000000013F3A1000-memory.dmp	upx
behavioral1/files/0x0006000000018bcd-75.dat	upx
behavioral1/files/0x0005000000018761-64.dat	upx
behavioral1/memory/2892-62-0x000000013F060000-0x000000013F3B1000-memory.dmp	upx
behavioral1/files/0x0009000000015d7f-58.dat	upx
behavioral1/memory/2720-56-0x000000013F0D0000-0x000000013F421000-memory.dmp	upx
behavioral1/files/0x0008000000015dc3-54.dat	upx
behavioral1/memory/2180-53-0x000000013F990000-0x000000013FCE1000-memory.dmp	upx
behavioral1/memory/2352-48-0x000000013F410000-0x000000013F761000-memory.dmp	upx
behavioral1/memory/2504-40-0x000000013F9E0000-0x000000013FD31000-memory.dmp	upx
behavioral1/memory/2508-36-0x000000013FD30000-0x0000000140081000-memory.dmp	upx
behavioral1/files/0x0007000000015d75-35.dat	upx
behavioral1/files/0x0008000000015d50-21.dat	upx
behavioral1/memory/2516-140-0x000000013F910000-0x000000013FC61000-memory.dmp	upx
behavioral1/memory/2988-160-0x000000013F5A0000-0x000000013F8F1000-memory.dmp	upx
behavioral1/memory/2708-161-0x000000013F190000-0x000000013F4E1000-memory.dmp	upx
behavioral1/memory/2672-158-0x000000013F5D0000-0x000000013F921000-memory.dmp	upx
behavioral1/memory/2164-156-0x000000013FE20000-0x0000000140171000-memory.dmp	upx
behavioral1/memory/2932-159-0x000000013FC40000-0x000000013FF91000-memory.dmp	upx
behavioral1/memory/2880-157-0x000000013FF20000-0x0000000140271000-memory.dmp	upx
behavioral1/memory/2456-155-0x000000013FA40000-0x000000013FD91000-memory.dmp	upx
behavioral1/memory/2516-162-0x000000013F910000-0x000000013FC61000-memory.dmp	upx
behavioral1/memory/2508-221-0x000000013FD30000-0x0000000140081000-memory.dmp	upx
behavioral1/memory/2504-223-0x000000013F9E0000-0x000000013FD31000-memory.dmp	upx
behavioral1/memory/2720-226-0x000000013F0D0000-0x000000013F421000-memory.dmp	upx
behavioral1/memory/2352-229-0x000000013F410000-0x000000013F761000-memory.dmp	upx
behavioral1/memory/2180-227-0x000000013F990000-0x000000013FCE1000-memory.dmp	upx
behavioral1/memory/2892-231-0x000000013F060000-0x000000013F3B1000-memory.dmp	upx
behavioral1/memory/2760-233-0x000000013F220000-0x000000013F571000-memory.dmp	upx
behavioral1/memory/2796-235-0x000000013F050000-0x000000013F3A1000-memory.dmp	upx
behavioral1/memory/2744-237-0x000000013F380000-0x000000013F6D1000-memory.dmp	upx
behavioral1/memory/2648-239-0x000000013F980000-0x000000013FCD1000-memory.dmp	upx
behavioral1/memory/2296-241-0x000000013F530000-0x000000013F881000-memory.dmp	upx
behavioral1/memory/2196-243-0x000000013F630000-0x000000013F981000-memory.dmp	upx
behavioral1/memory/2632-254-0x000000013F810000-0x000000013FB61000-memory.dmp	upx
behavioral1/memory/1684-255-0x000000013FFC0000-0x0000000140311000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\sUPaagj.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VkEdZaw.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KIwoQUX.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Zpkvueg.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EjDjAqz.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sIjaEBH.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kJLBNlS.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TfBGxWZ.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tgQxeOQ.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FarjEqp.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CXfPGoH.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RYEJgfo.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UDrRlnG.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hCxMqsz.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kjVDuhg.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nGgBXhD.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rLCJxiW.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iRoyFEB.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BlSKfUm.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yPCtQXB.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fuzQhFE.exe	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2516 wrote to memory of 2508	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2516 wrote to memory of 2508	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2516 wrote to memory of 2508	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2516 wrote to memory of 2504	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2516 wrote to memory of 2504	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2516 wrote to memory of 2504	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2516 wrote to memory of 2352	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2516 wrote to memory of 2352	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2516 wrote to memory of 2352	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2516 wrote to memory of 2180	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2516 wrote to memory of 2180	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2516 wrote to memory of 2180	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2516 wrote to memory of 2720	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2516 wrote to memory of 2720	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2516 wrote to memory of 2720	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2516 wrote to memory of 2760	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2516 wrote to memory of 2760	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2516 wrote to memory of 2760	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2516 wrote to memory of 2892	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2516 wrote to memory of 2892	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2516 wrote to memory of 2892	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2516 wrote to memory of 2744	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2516 wrote to memory of 2744	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2516 wrote to memory of 2744	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2516 wrote to memory of 2796	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2516 wrote to memory of 2796	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2516 wrote to memory of 2796	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2516 wrote to memory of 2648	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2516 wrote to memory of 2648	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2516 wrote to memory of 2648	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2516 wrote to memory of 2632	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2516 wrote to memory of 2632	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2516 wrote to memory of 2632	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2516 wrote to memory of 2296	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2516 wrote to memory of 2296	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2516 wrote to memory of 2296	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2516 wrote to memory of 2196	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2516 wrote to memory of 2196	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2516 wrote to memory of 2196	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2516 wrote to memory of 1684	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2516 wrote to memory of 1684	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2516 wrote to memory of 1684	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2516 wrote to memory of 2456	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2516 wrote to memory of 2456	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2516 wrote to memory of 2456	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2516 wrote to memory of 2164	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2516 wrote to memory of 2164	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2516 wrote to memory of 2164	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2516 wrote to memory of 2880	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2516 wrote to memory of 2880	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2516 wrote to memory of 2880	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2516 wrote to memory of 2672	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2516 wrote to memory of 2672	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2516 wrote to memory of 2672	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2516 wrote to memory of 2932	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2516 wrote to memory of 2932	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2516 wrote to memory of 2932	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2516 wrote to memory of 2988	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2516 wrote to memory of 2988	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2516 wrote to memory of 2988	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2516 wrote to memory of 2708	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2516 wrote to memory of 2708	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2516 wrote to memory of 2708	2516	2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-27_a4105353cb4e931dd44836ec40bee483_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516
- C:\Windows\System\iRoyFEB.exe
  C:\Windows\System\iRoyFEB.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System\BlSKfUm.exe
  C:\Windows\System\BlSKfUm.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System\FarjEqp.exe
  C:\Windows\System\FarjEqp.exe
  2⤵
  - Executes dropped EXE
  PID:2352
- C:\Windows\System\RYEJgfo.exe
  C:\Windows\System\RYEJgfo.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System\UDrRlnG.exe
  C:\Windows\System\UDrRlnG.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System\sIjaEBH.exe
  C:\Windows\System\sIjaEBH.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\hCxMqsz.exe
  C:\Windows\System\hCxMqsz.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\CXfPGoH.exe
  C:\Windows\System\CXfPGoH.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System\kJLBNlS.exe
  C:\Windows\System\kJLBNlS.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\TfBGxWZ.exe
  C:\Windows\System\TfBGxWZ.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\sUPaagj.exe
  C:\Windows\System\sUPaagj.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System\kjVDuhg.exe
  C:\Windows\System\kjVDuhg.exe
  2⤵
  - Executes dropped EXE
  PID:2296
- C:\Windows\System\VkEdZaw.exe
  C:\Windows\System\VkEdZaw.exe
  2⤵
  - Executes dropped EXE
  PID:2196
- C:\Windows\System\fuzQhFE.exe
  C:\Windows\System\fuzQhFE.exe
  2⤵
  - Executes dropped EXE
  PID:1684
- C:\Windows\System\nGgBXhD.exe
  C:\Windows\System\nGgBXhD.exe
  2⤵
  - Executes dropped EXE
  PID:2456
- C:\Windows\System\tgQxeOQ.exe
  C:\Windows\System\tgQxeOQ.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\System\rLCJxiW.exe
  C:\Windows\System\rLCJxiW.exe
  2⤵
  - Executes dropped EXE
  PID:2880
- C:\Windows\System\KIwoQUX.exe
  C:\Windows\System\KIwoQUX.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System\Zpkvueg.exe
  C:\Windows\System\Zpkvueg.exe
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\Windows\System\EjDjAqz.exe
  C:\Windows\System\EjDjAqz.exe
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\Windows\System\yPCtQXB.exe
  C:\Windows\System\yPCtQXB.exe
  2⤵
  - Executes dropped EXE
  PID:2708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BlSKfUm.exe

Filesize
5.2MB

MD5
741f979197c9f6f8752b812324030342

SHA1
788a1420d63dc632909e67444170e50f43ed4519

SHA256
efe948c9a332e6d0f637b25cff7b6c0cde1331cdaf52b36d996ac03cf9605e0c

SHA512
58b4de3ebcd3467eb2129ece84a757e8774598ddb34eeb43955547b3f18306f243212482f3fdd74fd381b9eae71c3389c938d187a32b8c529dc878ab920a112c

Download Submit
C:\Windows\system\CXfPGoH.exe

Filesize
5.2MB

MD5
2de8d4f7426df3d742157887e9d47e27

SHA1
822de3d748c7d5f868d387c63ce77636290c60ae

SHA256
805701acbef51e881f48494d6fecf725cd8e0b338f9324afb07f94338b2d27b8

SHA512
b805a695b50bcb07976f7853dba3188cedfa222ce712268fecfac16bdaaa37e62b796e00be25656a1ab277f5bf4e57614ec2992674c7c3a340ea9efd564dc824

Download Submit
C:\Windows\system\RYEJgfo.exe

Filesize
5.2MB

MD5
f9214d63c0c14595b2dd30b616432d03

SHA1
f6fd1508e8164c847216aae8898782c77f31af02

SHA256
27f097a6f1033c25e7bd78bafdcb0ff8303c2d0c9100f713c40d65bd1d2da2ef

SHA512
00881fa7062119b7528580b78f0828018407c914f03b55f3a17aae6bc1690cba2a95c83047b0c466948a0736b846c9813b2b23bd9ae502b7ba231f9152a7cc17

Download Submit
C:\Windows\system\TfBGxWZ.exe

Filesize
5.2MB

MD5
9bfdbe084169b900ae62d498cd99fa11

SHA1
4db0038140adf9db84d41443f9cd98858e3ed072

SHA256
4d69f71db898a32e3240e1a1d8891e45490be53916e07e6916f2d777f9e9cf9a

SHA512
97ad572c459797a6797bed4ff499c1e20e566ae427a2450b67138b5f3fbcf2e1ed632b1793cefe150dde1eb483a9a3e70f86f7ec077984c859d82522f5663fa7

Download Submit
C:\Windows\system\UDrRlnG.exe

Filesize
5.2MB

MD5
20cc23dda7ba6f0dec3bff620f5c5eb2

SHA1
4eeb2ae86e49bb4df187e6fc902f7fe442dcb678

SHA256
b2e1f5596aee91751ba49e129921a49a7f4484488def5726a5f012732e4d8c61

SHA512
1089e09028292c48f5490c26b864dac16e4a7c087e74a4beaa288a99551a1eac1d86941a96cee6d92fe2f3bee168a43345e4e25cd2d3d3962f77cf09339712e3

Download Submit
C:\Windows\system\VkEdZaw.exe

Filesize
5.2MB

MD5
5bf4d29c10ebc779262a4cb14f8f5526

SHA1
dd0d9c07253b9c94f6e54e4fd87cc8a3f0d406c2

SHA256
62dd55004151e8bfad1e0bf25c9257390cf43807b2900e1b9ca67866fa46c9cd

SHA512
ca9cc8c501d5eb322b82626f89af3e6244a6b800f84289c4751fa0e595aa6449226d8567e2d7004ae75dbb0cfc9423586a55c4b6e5487049265719587b4cd50d

Download Submit
C:\Windows\system\Zpkvueg.exe

Filesize
5.2MB

MD5
34354c8ab9a85b234997cf923499cd23

SHA1
8d2a085bab48928561021ac4ce66c9fdadf81219

SHA256
49aa5f174ccc82bb6b7f1c8e216a8becf9c40d96f908d91ae8b4bf0a1bffc383

SHA512
8e3b74b7d413c6e0fb68a29ce6384082c9c89a3dfdbdcccc1e5047c02b20148b79c95cbee21decec8c63dbc4830f013a647b3c7303182eca64f8d0b1e85ad2fa

Download Submit
C:\Windows\system\fuzQhFE.exe

Filesize
5.2MB

MD5
64a57d9d178d446b2298cb18cea8393b

SHA1
0215cfd81f095ab42e20f00efa2446702760ff33

SHA256
5541808be14bc2b09b890432f3ffa673bb9a901cb75995151c96e2f4e1abeed7

SHA512
ff5d5038f59131d7bf9b2b34972468d4f97a0ab5a3acee2e7e3ddaf221b67715196c37a252c47540a3b87c497facaac308ea6f6b9aa891523538588a9aa3d659

Download Submit
C:\Windows\system\hCxMqsz.exe

Filesize
5.2MB

MD5
2eb159780051a681629835671230a59a

SHA1
37a2d9a88b78bbd8945c8ad97b61ce8d55a22c92

SHA256
87ec9a90bfb522e2375228f721bbab0bf10fae8c21b08249e0be4504de9d0a46

SHA512
6dfa6f0cc134cf529cdfe0c05aaeca7304eb01cc157345330717633bf74dfe3a2deb524bb1730c4c6c5be1920e48a7e9122eac2e80336f9f96c0afaf85fa4e29

Download Submit
C:\Windows\system\iRoyFEB.exe

Filesize
5.2MB

MD5
2ed052f0c9171dd48550454ec5f9665d

SHA1
905533b829eebba501467980afd4cb19c1ad7b59

SHA256
6b28fce4d79729156b657dd14e97533438c8264f910dd9ff713daa6e33869b07

SHA512
ffb0f6775734818d3fb5468856adf1519a38c1fc8653b00e4ad2fd76dda0ac27601caf43e989d8f21b8ea4bc13a9bf5422b95c282b606c1d040cf6fa7ddf2d0c

Download Submit
C:\Windows\system\kJLBNlS.exe

Filesize
5.2MB

MD5
e2d5a8783dcf76d7cbe9340d1d4faa1c

SHA1
19e4d61b0d5f47a7b0a977774a07ba933f93ca23

SHA256
fb9230ac63a4875f782ab11b23592446c5b94a6ac2ca2d6bae75bce92872f494

SHA512
6ee44e8a78342358253cb4a910e7e932351d8a9d6ca6bf01a677a02ceb1d59126fc7d0b5da2e1ab3e7c1fcef6b4fe7e501c1b07b688d235678b72d2a7c9f1549

Download Submit
C:\Windows\system\kjVDuhg.exe

Filesize
5.2MB

MD5
b25ce2ea7d7904f6aed57ef8251e2ebe

SHA1
a8bbbdd2bac9adce860fd492d9c05505f64455ef

SHA256
7067c9c6acf43e630d5f1b9fdd12e0785440ab4f3ca2a54eccf9a687962ae0b7

SHA512
ce2d7d8d664dad40fd72264808ad1cf2c47ae2f0b606e1c3d670110ec2b53d99d1d6a10ec5293144b57afaf2f6e009945231f1fd88387bab4a73ab944167d0e3

Download Submit
C:\Windows\system\nGgBXhD.exe

Filesize
5.2MB

MD5
f07e5c12b86756d9f47bc297de643ac6

SHA1
e92aa97360d161fe01df33cc2707897c2e8df199

SHA256
bee6b7eb8ce8f34a2d3840161ba35144bcccf757130fd8af14b21236ddefdb2e

SHA512
1fc6bb1c7e61088e4d0b68db93389deab65f9e3dd697eab8fc1c057396dbb772801b9166932d03a3e82378eb4103748a01b8c572fcaea498597bccb2ca6bcea2

Download Submit
C:\Windows\system\rLCJxiW.exe

Filesize
5.2MB

MD5
3fba1fd0e21990760bb0d882e1914ba6

SHA1
59f018f95526775b633814a8a5f70434e61cb76d

SHA256
48298a84bce47ee3a0d0e3cf38ab818c57d26a43fc4f83fb5edc6c7b1b2f161f

SHA512
c00412a8b8a4e2449f2da80546ee7a2d36659d75d4b2989d9e9132f8b2f250a19a39266b1295ec388fa4607881841781650ad3f9379aa758e6534aa1f79d56e5

Download Submit
C:\Windows\system\sUPaagj.exe

Filesize
5.2MB

MD5
3af3a58ece131ad128d9fcd1f600c1f8

SHA1
3367735da46e54c3f692693e003eb78970948729

SHA256
f13eb05b17f20ddf87be0301412eaa619f6b5c880f354bc1059fcb4802821299

SHA512
363a15a4a530d0367b07a47e27db1edf6852f2841e485a32c057db8619711e89efbf6c3c1fa0f0f231ed4643f79be77a5c1a4a99e33624c7c7c791728f0e07c2

Download Submit
C:\Windows\system\tgQxeOQ.exe

Filesize
5.2MB

MD5
6667848def5e87f6e65cb85f604ddd99

SHA1
faf3b8b3eabaa97ddde46ac9b01b2c0658e999e6

SHA256
ce5899ed37159af709276d2a8b8ac385cd2f19f2b21ef8dbed6e49f933a398b1

SHA512
422d5401778c1a9b9eb00ca195ffc5fcb21b2b4c05da5be8759cef3bcc4f49fa35e88db8454978fc20540a43b2c7c26a7a3ca82761fed95fdba58591d906baae

Download Submit
C:\Windows\system\yPCtQXB.exe

Filesize
5.2MB

MD5
4888187ce5fee3a33561ca33c211f10c

SHA1
6c054ca83474f73b7d11ea1affd232d52ce0ed53

SHA256
152f966c454faba680698d32d0f74d7251b36e7549508b87816eed5f90656363

SHA512
dd1bc62b092612df5b9b34d64446832dad94060ba9f72ae55e1bfb2772d9df5c739a7aa489970c093e4853253af20a3e74c01a76f4da0c75d7d3bc10fe211d2d

Download Submit
\Windows\system\EjDjAqz.exe

Filesize
5.2MB

MD5
08c6ba24d67330a9fd3cfd2cefdec24d

SHA1
758a15e3f7221ec68b09196db695cf25caa880a0

SHA256
4c0713b7a78f97b1a1fd43db706f546b19e5cdaae0e2c811dc9c34e02e6d5e05

SHA512
634558475179ce7efe1543751d7bbdba41e38801309d882ead8173d6c85648ad2113af8b33a47381c4abf3af21ba2b082ddd9aaf1a1eed4eadbc9bc7659622e7

Download Submit
\Windows\system\FarjEqp.exe

Filesize
5.2MB

MD5
7475f2be78d48eae1de195ddd5be428e

SHA1
7c17349257b64778b6d2414d5a6121a0f8fca8d9

SHA256
8b11c2ff68b3d0f8f20adcae16b9dfe53b97dfe22fb87a710ceec8e37f84fb43

SHA512
c2ca7fd92bea1305daebf1764d6e29f1c26c50f628de7d3c05f3eb82758a9bd0c0730f3774e7ae61c272cd7115fd6ccc553f6314825a6a881dd315bd0b26d131

Download Submit
\Windows\system\KIwoQUX.exe

Filesize
5.2MB

MD5
68ad1fe822db80b7001674303acfeb7c

SHA1
e9a5fa043823ff49b4fe687bb6ad5eb988735ea1

SHA256
09e6415a4184130d9680a5eb98c41784f365d4aec155fabae8530560b3f02bc4

SHA512
1b502f6850779cdf64349b152c98e49a4c74e44c4dd6d3368fac0d9297b063bf8b5cacfb08dda83212786091036812e418f5c0681958783fc99d068a45cd8f12

Download Submit
\Windows\system\sIjaEBH.exe

Filesize
5.2MB

MD5
2485221332a9d5136f26d43ea623d320

SHA1
7f668109be1e8a63e424f62e13f58311a47800e4

SHA256
529cc57e1554cf6938e726187477935abb364c0154b158a005e83f29921fbef1

SHA512
e062b475f5e7e8f504f5106af4e20b941ccd14a614096831bcdd4a383388bfcae47804424d847315060b285f23bcade1df7a4d4a9820e1b0173a1dc405b277e4

Download Submit
memory/1684-101-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/1684-255-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/2164-156-0x000000013FE20000-0x0000000140171000-memory.dmp

Filesize
3.3MB

Download
memory/2180-53-0x000000013F990000-0x000000013FCE1000-memory.dmp

Filesize
3.3MB

Download
memory/2180-227-0x000000013F990000-0x000000013FCE1000-memory.dmp

Filesize
3.3MB

Download
memory/2196-243-0x000000013F630000-0x000000013F981000-memory.dmp

Filesize
3.3MB

Download
memory/2196-92-0x000000013F630000-0x000000013F981000-memory.dmp

Filesize
3.3MB

Download
memory/2296-241-0x000000013F530000-0x000000013F881000-memory.dmp

Filesize
3.3MB

Download
memory/2296-85-0x000000013F530000-0x000000013F881000-memory.dmp

Filesize
3.3MB

Download
memory/2352-48-0x000000013F410000-0x000000013F761000-memory.dmp

Filesize
3.3MB

Download
memory/2352-229-0x000000013F410000-0x000000013F761000-memory.dmp

Filesize
3.3MB

Download
memory/2456-155-0x000000013FA40000-0x000000013FD91000-memory.dmp

Filesize
3.3MB

Download
memory/2504-40-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download
memory/2504-223-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download
memory/2508-98-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/2508-221-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/2508-36-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/2516-45-0x0000000002350000-0x00000000026A1000-memory.dmp

Filesize
3.3MB

Download
memory/2516-67-0x000000013F380000-0x000000013F6D1000-memory.dmp

Filesize
3.3MB

Download
memory/2516-77-0x0000000002350000-0x00000000026A1000-memory.dmp

Filesize
3.3MB

Download
memory/2516-84-0x000000013F530000-0x000000013F881000-memory.dmp

Filesize
3.3MB

Download
memory/2516-63-0x0000000002350000-0x00000000026A1000-memory.dmp

Filesize
3.3MB

Download
memory/2516-138-0x0000000002350000-0x00000000026A1000-memory.dmp

Filesize
3.3MB

Download
memory/2516-60-0x000000013F060000-0x000000013F3B1000-memory.dmp

Filesize
3.3MB

Download
memory/2516-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2516-7-0x000000013FD30000-0x0000000140081000-memory.dmp

Filesize
3.3MB

Download
memory/2516-55-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/2516-102-0x000000013F060000-0x000000013F3B1000-memory.dmp

Filesize
3.3MB

Download
memory/2516-107-0x0000000002350000-0x00000000026A1000-memory.dmp

Filesize
3.3MB

Download
memory/2516-91-0x0000000002350000-0x00000000026A1000-memory.dmp

Filesize
3.3MB

Download
memory/2516-162-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/2516-41-0x000000013F410000-0x000000013F761000-memory.dmp

Filesize
3.3MB

Download
memory/2516-59-0x000000013F220000-0x000000013F571000-memory.dmp

Filesize
3.3MB

Download
memory/2516-93-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/2516-68-0x000000013F050000-0x000000013F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2516-140-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/2516-69-0x0000000002350000-0x00000000026A1000-memory.dmp

Filesize
3.3MB

Download
memory/2516-0-0x000000013F910000-0x000000013FC61000-memory.dmp

Filesize
3.3MB

Download
memory/2632-254-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2632-139-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2632-78-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2648-72-0x000000013F980000-0x000000013FCD1000-memory.dmp

Filesize
3.3MB

Download
memory/2648-239-0x000000013F980000-0x000000013FCD1000-memory.dmp

Filesize
3.3MB

Download
memory/2672-158-0x000000013F5D0000-0x000000013F921000-memory.dmp

Filesize
3.3MB

Download
memory/2708-161-0x000000013F190000-0x000000013F4E1000-memory.dmp

Filesize
3.3MB

Download
memory/2720-226-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/2720-56-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/2744-71-0x000000013F380000-0x000000013F6D1000-memory.dmp

Filesize
3.3MB

Download
memory/2744-237-0x000000013F380000-0x000000013F6D1000-memory.dmp

Filesize
3.3MB

Download
memory/2760-65-0x000000013F220000-0x000000013F571000-memory.dmp

Filesize
3.3MB

Download
memory/2760-233-0x000000013F220000-0x000000013F571000-memory.dmp

Filesize
3.3MB

Download
memory/2796-70-0x000000013F050000-0x000000013F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2796-235-0x000000013F050000-0x000000013F3A1000-memory.dmp

Filesize
3.3MB

Download
memory/2880-157-0x000000013FF20000-0x0000000140271000-memory.dmp

Filesize
3.3MB

Download
memory/2892-62-0x000000013F060000-0x000000013F3B1000-memory.dmp

Filesize
3.3MB

Download
memory/2892-231-0x000000013F060000-0x000000013F3B1000-memory.dmp

Filesize
3.3MB

Download
memory/2932-159-0x000000013FC40000-0x000000013FF91000-memory.dmp

Filesize
3.3MB

Download
memory/2988-160-0x000000013F5A0000-0x000000013F8F1000-memory.dmp

Filesize
3.3MB

Download