cobaltstrike | 5aca7945f321a72ac9cda60eab60e01077c097bc7cbd7c6e37bbf4e7850d5b76

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-01-2025 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

74b8e0b0f49f2ed1e0f24a3c4d2af36e
SHA1

117e9f0de002eb08aaed0e2098c70c1b58e5b581
SHA256

5aca7945f321a72ac9cda60eab60e01077c097bc7cbd7c6e37bbf4e7850d5b76
SHA512

184d18b4389bf63bd0f374c5675f6fcb011b2c838bc3f8b2285c8726d3215969156d255036e5b75ed611218226c327a19f43048b661dfcdf78e07b7c4b423114
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUn:Q+856utgpPF8u/7n

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000a000000023c4f-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023ca8-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb5-10.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023cb2-22.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb8-28.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb9-35.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cba-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbc-55.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbd-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbb-51.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbe-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cbf-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc0-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc1-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc8-133.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc7-135.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc6-131.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc5-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc4-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc3-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cc2-99.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2220-0-0x00007FF663750000-0x00007FF663AA4000-memory.dmp	xmrig
behavioral2/files/0x000a000000023c4f-4.dat	xmrig
behavioral2/memory/464-8-0x00007FF79E250000-0x00007FF79E5A4000-memory.dmp	xmrig
behavioral2/files/0x000a000000023ca8-11.dat	xmrig
behavioral2/memory/3672-12-0x00007FF6A7030000-0x00007FF6A7384000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb5-10.dat	xmrig
behavioral2/memory/4176-19-0x00007FF6FF310000-0x00007FF6FF664000-memory.dmp	xmrig
behavioral2/files/0x0009000000023cb2-22.dat	xmrig
behavioral2/memory/4904-24-0x00007FF65A950000-0x00007FF65ACA4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cb8-28.dat	xmrig
behavioral2/files/0x0007000000023cb9-35.dat	xmrig
behavioral2/files/0x0007000000023cba-41.dat	xmrig
behavioral2/memory/396-42-0x00007FF69F150000-0x00007FF69F4A4000-memory.dmp	xmrig
behavioral2/memory/4860-48-0x00007FF64DF40000-0x00007FF64E294000-memory.dmp	xmrig
behavioral2/memory/2452-54-0x00007FF730160000-0x00007FF7304B4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cbc-55.dat	xmrig
behavioral2/memory/2220-59-0x00007FF663750000-0x00007FF663AA4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cbd-61.dat	xmrig
behavioral2/memory/536-60-0x00007FF60E420000-0x00007FF60E774000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cbb-51.dat	xmrig
behavioral2/memory/1976-36-0x00007FF6DBB00000-0x00007FF6DBE54000-memory.dmp	xmrig
behavioral2/memory/4744-30-0x00007FF674290000-0x00007FF6745E4000-memory.dmp	xmrig
behavioral2/memory/464-64-0x00007FF79E250000-0x00007FF79E5A4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cbe-67.dat	xmrig
behavioral2/files/0x0007000000023cbf-76.dat	xmrig
behavioral2/memory/4904-82-0x00007FF65A950000-0x00007FF65ACA4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cc0-84.dat	xmrig
behavioral2/memory/1120-83-0x00007FF73F4F0000-0x00007FF73F844000-memory.dmp	xmrig
behavioral2/memory/100-73-0x00007FF742540000-0x00007FF742894000-memory.dmp	xmrig
behavioral2/memory/4176-72-0x00007FF6FF310000-0x00007FF6FF664000-memory.dmp	xmrig
behavioral2/memory/628-70-0x00007FF690CB0000-0x00007FF691004000-memory.dmp	xmrig
behavioral2/memory/4744-89-0x00007FF674290000-0x00007FF6745E4000-memory.dmp	xmrig
behavioral2/memory/4788-91-0x00007FF738B60000-0x00007FF738EB4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cc1-88.dat	xmrig
behavioral2/memory/1460-97-0x00007FF627470000-0x00007FF6277C4000-memory.dmp	xmrig
behavioral2/memory/1144-104-0x00007FF6E31F0000-0x00007FF6E3544000-memory.dmp	xmrig
behavioral2/memory/4056-111-0x00007FF7EEAF0000-0x00007FF7EEE44000-memory.dmp	xmrig
behavioral2/memory/2452-117-0x00007FF730160000-0x00007FF7304B4000-memory.dmp	xmrig
behavioral2/memory/536-126-0x00007FF60E420000-0x00007FF60E774000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cc8-133.dat	xmrig
behavioral2/memory/2512-137-0x00007FF61D380000-0x00007FF61D6D4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cc7-135.dat	xmrig
behavioral2/memory/628-134-0x00007FF690CB0000-0x00007FF691004000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cc6-131.dat	xmrig
behavioral2/memory/708-130-0x00007FF697000000-0x00007FF697354000-memory.dmp	xmrig
behavioral2/memory/348-129-0x00007FF6D6750000-0x00007FF6D6AA4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cc5-121.dat	xmrig
behavioral2/memory/2652-120-0x00007FF676990000-0x00007FF676CE4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cc4-114.dat	xmrig
behavioral2/memory/4860-110-0x00007FF64DF40000-0x00007FF64E294000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cc3-107.dat	xmrig
behavioral2/memory/396-103-0x00007FF69F150000-0x00007FF69F4A4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023cc2-99.dat	xmrig
behavioral2/memory/1976-96-0x00007FF6DBB00000-0x00007FF6DBE54000-memory.dmp	xmrig
behavioral2/memory/3672-68-0x00007FF6A7030000-0x00007FF6A7384000-memory.dmp	xmrig
behavioral2/memory/100-140-0x00007FF742540000-0x00007FF742894000-memory.dmp	xmrig
behavioral2/memory/1120-141-0x00007FF73F4F0000-0x00007FF73F844000-memory.dmp	xmrig
behavioral2/memory/4788-142-0x00007FF738B60000-0x00007FF738EB4000-memory.dmp	xmrig
behavioral2/memory/1460-143-0x00007FF627470000-0x00007FF6277C4000-memory.dmp	xmrig
behavioral2/memory/1144-144-0x00007FF6E31F0000-0x00007FF6E3544000-memory.dmp	xmrig
behavioral2/memory/4056-145-0x00007FF7EEAF0000-0x00007FF7EEE44000-memory.dmp	xmrig
behavioral2/memory/2652-146-0x00007FF676990000-0x00007FF676CE4000-memory.dmp	xmrig
behavioral2/memory/348-147-0x00007FF6D6750000-0x00007FF6D6AA4000-memory.dmp	xmrig
behavioral2/memory/708-148-0x00007FF697000000-0x00007FF697354000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
464	GFbXipg.exe
3672	BIHPTny.exe
4176	VEOiYEP.exe
4904	PWXDLDr.exe
4744	TbNIAIq.exe
1976	BHFwrDv.exe
396	QUJhpqq.exe
4860	LyjWjwI.exe
2452	EBCFsfM.exe
536	YEqjaOK.exe
628	IESvKvN.exe
100	UwLQTAk.exe
1120	gmqtzse.exe
4788	ccQhhaT.exe
1460	SEFALNu.exe
1144	pzLVBDc.exe
4056	NNufoXq.exe
2652	hspWPhy.exe
348	LJRGBid.exe
708	ImHiuiT.exe
2512	TLRBJlH.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2220-0-0x00007FF663750000-0x00007FF663AA4000-memory.dmp	upx
behavioral2/files/0x000a000000023c4f-4.dat	upx
behavioral2/memory/464-8-0x00007FF79E250000-0x00007FF79E5A4000-memory.dmp	upx
behavioral2/files/0x000a000000023ca8-11.dat	upx
behavioral2/memory/3672-12-0x00007FF6A7030000-0x00007FF6A7384000-memory.dmp	upx
behavioral2/files/0x0007000000023cb5-10.dat	upx
behavioral2/memory/4176-19-0x00007FF6FF310000-0x00007FF6FF664000-memory.dmp	upx
behavioral2/files/0x0009000000023cb2-22.dat	upx
behavioral2/memory/4904-24-0x00007FF65A950000-0x00007FF65ACA4000-memory.dmp	upx
behavioral2/files/0x0007000000023cb8-28.dat	upx
behavioral2/files/0x0007000000023cb9-35.dat	upx
behavioral2/files/0x0007000000023cba-41.dat	upx
behavioral2/memory/396-42-0x00007FF69F150000-0x00007FF69F4A4000-memory.dmp	upx
behavioral2/memory/4860-48-0x00007FF64DF40000-0x00007FF64E294000-memory.dmp	upx
behavioral2/memory/2452-54-0x00007FF730160000-0x00007FF7304B4000-memory.dmp	upx
behavioral2/files/0x0007000000023cbc-55.dat	upx
behavioral2/memory/2220-59-0x00007FF663750000-0x00007FF663AA4000-memory.dmp	upx
behavioral2/files/0x0007000000023cbd-61.dat	upx
behavioral2/memory/536-60-0x00007FF60E420000-0x00007FF60E774000-memory.dmp	upx
behavioral2/files/0x0007000000023cbb-51.dat	upx
behavioral2/memory/1976-36-0x00007FF6DBB00000-0x00007FF6DBE54000-memory.dmp	upx
behavioral2/memory/4744-30-0x00007FF674290000-0x00007FF6745E4000-memory.dmp	upx
behavioral2/memory/464-64-0x00007FF79E250000-0x00007FF79E5A4000-memory.dmp	upx
behavioral2/files/0x0007000000023cbe-67.dat	upx
behavioral2/files/0x0007000000023cbf-76.dat	upx
behavioral2/memory/4904-82-0x00007FF65A950000-0x00007FF65ACA4000-memory.dmp	upx
behavioral2/files/0x0007000000023cc0-84.dat	upx
behavioral2/memory/1120-83-0x00007FF73F4F0000-0x00007FF73F844000-memory.dmp	upx
behavioral2/memory/100-73-0x00007FF742540000-0x00007FF742894000-memory.dmp	upx
behavioral2/memory/4176-72-0x00007FF6FF310000-0x00007FF6FF664000-memory.dmp	upx
behavioral2/memory/628-70-0x00007FF690CB0000-0x00007FF691004000-memory.dmp	upx
behavioral2/memory/4744-89-0x00007FF674290000-0x00007FF6745E4000-memory.dmp	upx
behavioral2/memory/4788-91-0x00007FF738B60000-0x00007FF738EB4000-memory.dmp	upx
behavioral2/files/0x0007000000023cc1-88.dat	upx
behavioral2/memory/1460-97-0x00007FF627470000-0x00007FF6277C4000-memory.dmp	upx
behavioral2/memory/1144-104-0x00007FF6E31F0000-0x00007FF6E3544000-memory.dmp	upx
behavioral2/memory/4056-111-0x00007FF7EEAF0000-0x00007FF7EEE44000-memory.dmp	upx
behavioral2/memory/2452-117-0x00007FF730160000-0x00007FF7304B4000-memory.dmp	upx
behavioral2/memory/536-126-0x00007FF60E420000-0x00007FF60E774000-memory.dmp	upx
behavioral2/files/0x0007000000023cc8-133.dat	upx
behavioral2/memory/2512-137-0x00007FF61D380000-0x00007FF61D6D4000-memory.dmp	upx
behavioral2/files/0x0007000000023cc7-135.dat	upx
behavioral2/memory/628-134-0x00007FF690CB0000-0x00007FF691004000-memory.dmp	upx
behavioral2/files/0x0007000000023cc6-131.dat	upx
behavioral2/memory/708-130-0x00007FF697000000-0x00007FF697354000-memory.dmp	upx
behavioral2/memory/348-129-0x00007FF6D6750000-0x00007FF6D6AA4000-memory.dmp	upx
behavioral2/files/0x0007000000023cc5-121.dat	upx
behavioral2/memory/2652-120-0x00007FF676990000-0x00007FF676CE4000-memory.dmp	upx
behavioral2/files/0x0007000000023cc4-114.dat	upx
behavioral2/memory/4860-110-0x00007FF64DF40000-0x00007FF64E294000-memory.dmp	upx
behavioral2/files/0x0007000000023cc3-107.dat	upx
behavioral2/memory/396-103-0x00007FF69F150000-0x00007FF69F4A4000-memory.dmp	upx
behavioral2/files/0x0007000000023cc2-99.dat	upx
behavioral2/memory/1976-96-0x00007FF6DBB00000-0x00007FF6DBE54000-memory.dmp	upx
behavioral2/memory/3672-68-0x00007FF6A7030000-0x00007FF6A7384000-memory.dmp	upx
behavioral2/memory/100-140-0x00007FF742540000-0x00007FF742894000-memory.dmp	upx
behavioral2/memory/1120-141-0x00007FF73F4F0000-0x00007FF73F844000-memory.dmp	upx
behavioral2/memory/4788-142-0x00007FF738B60000-0x00007FF738EB4000-memory.dmp	upx
behavioral2/memory/1460-143-0x00007FF627470000-0x00007FF6277C4000-memory.dmp	upx
behavioral2/memory/1144-144-0x00007FF6E31F0000-0x00007FF6E3544000-memory.dmp	upx
behavioral2/memory/4056-145-0x00007FF7EEAF0000-0x00007FF7EEE44000-memory.dmp	upx
behavioral2/memory/2652-146-0x00007FF676990000-0x00007FF676CE4000-memory.dmp	upx
behavioral2/memory/348-147-0x00007FF6D6750000-0x00007FF6D6AA4000-memory.dmp	upx
behavioral2/memory/708-148-0x00007FF697000000-0x00007FF697354000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\EBCFsfM.exe	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gmqtzse.exe	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hspWPhy.exe	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ImHiuiT.exe	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LyjWjwI.exe	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IESvKvN.exe	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BIHPTny.exe	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PWXDLDr.exe	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BHFwrDv.exe	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QUJhpqq.exe	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LJRGBid.exe	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VEOiYEP.exe	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TbNIAIq.exe	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UwLQTAk.exe	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SEFALNu.exe	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NNufoXq.exe	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TLRBJlH.exe	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GFbXipg.exe	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YEqjaOK.exe	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ccQhhaT.exe	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pzLVBDc.exe	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 464	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2220 wrote to memory of 464	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2220 wrote to memory of 3672	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2220 wrote to memory of 3672	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2220 wrote to memory of 4176	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2220 wrote to memory of 4176	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2220 wrote to memory of 4904	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2220 wrote to memory of 4904	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2220 wrote to memory of 4744	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2220 wrote to memory of 4744	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2220 wrote to memory of 1976	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2220 wrote to memory of 1976	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2220 wrote to memory of 396	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2220 wrote to memory of 396	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2220 wrote to memory of 4860	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2220 wrote to memory of 4860	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2220 wrote to memory of 2452	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2220 wrote to memory of 2452	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2220 wrote to memory of 536	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2220 wrote to memory of 536	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2220 wrote to memory of 628	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2220 wrote to memory of 628	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2220 wrote to memory of 100	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2220 wrote to memory of 100	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2220 wrote to memory of 1120	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2220 wrote to memory of 1120	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2220 wrote to memory of 4788	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2220 wrote to memory of 4788	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2220 wrote to memory of 1460	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2220 wrote to memory of 1460	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2220 wrote to memory of 1144	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2220 wrote to memory of 1144	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2220 wrote to memory of 4056	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2220 wrote to memory of 4056	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2220 wrote to memory of 2652	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2220 wrote to memory of 2652	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2220 wrote to memory of 348	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2220 wrote to memory of 348	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2220 wrote to memory of 708	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2220 wrote to memory of 708	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2220 wrote to memory of 2512	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2220 wrote to memory of 2512	2220	2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-02_74b8e0b0f49f2ed1e0f24a3c4d2af36e_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\System\GFbXipg.exe
  C:\Windows\System\GFbXipg.exe
  2⤵
  - Executes dropped EXE
  PID:464
- C:\Windows\System\BIHPTny.exe
  C:\Windows\System\BIHPTny.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System\VEOiYEP.exe
  C:\Windows\System\VEOiYEP.exe
  2⤵
  - Executes dropped EXE
  PID:4176
- C:\Windows\System\PWXDLDr.exe
  C:\Windows\System\PWXDLDr.exe
  2⤵
  - Executes dropped EXE
  PID:4904
- C:\Windows\System\TbNIAIq.exe
  C:\Windows\System\TbNIAIq.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Windows\System\BHFwrDv.exe
  C:\Windows\System\BHFwrDv.exe
  2⤵
  - Executes dropped EXE
  PID:1976
- C:\Windows\System\QUJhpqq.exe
  C:\Windows\System\QUJhpqq.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System\LyjWjwI.exe
  C:\Windows\System\LyjWjwI.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System\EBCFsfM.exe
  C:\Windows\System\EBCFsfM.exe
  2⤵
  - Executes dropped EXE
  PID:2452
- C:\Windows\System\YEqjaOK.exe
  C:\Windows\System\YEqjaOK.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System\IESvKvN.exe
  C:\Windows\System\IESvKvN.exe
  2⤵
  - Executes dropped EXE
  PID:628
- C:\Windows\System\UwLQTAk.exe
  C:\Windows\System\UwLQTAk.exe
  2⤵
  - Executes dropped EXE
  PID:100
- C:\Windows\System\gmqtzse.exe
  C:\Windows\System\gmqtzse.exe
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\System\ccQhhaT.exe
  C:\Windows\System\ccQhhaT.exe
  2⤵
  - Executes dropped EXE
  PID:4788
- C:\Windows\System\SEFALNu.exe
  C:\Windows\System\SEFALNu.exe
  2⤵
  - Executes dropped EXE
  PID:1460
- C:\Windows\System\pzLVBDc.exe
  C:\Windows\System\pzLVBDc.exe
  2⤵
  - Executes dropped EXE
  PID:1144
- C:\Windows\System\NNufoXq.exe
  C:\Windows\System\NNufoXq.exe
  2⤵
  - Executes dropped EXE
  PID:4056
- C:\Windows\System\hspWPhy.exe
  C:\Windows\System\hspWPhy.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\LJRGBid.exe
  C:\Windows\System\LJRGBid.exe
  2⤵
  - Executes dropped EXE
  PID:348
- C:\Windows\System\ImHiuiT.exe
  C:\Windows\System\ImHiuiT.exe
  2⤵
  - Executes dropped EXE
  PID:708
- C:\Windows\System\TLRBJlH.exe
  C:\Windows\System\TLRBJlH.exe
  2⤵
  - Executes dropped EXE
  PID:2512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BHFwrDv.exe

Filesize
5.9MB

MD5
0f7738e33e2010cf356e24777d91ba47

SHA1
e701f163580e1379b74186a988dab643460a0468

SHA256
27eb298541c420d5914b2679dcae9136f9e12cd26da2a2fcf82cc398f7cf255e

SHA512
01523ca10f2498eb3de1f8ebd4f740905d2cc6442840577bc61dd2982eea536424141cd13cf84f3f933c2797b819eddc58c9a60e5b82c713365d4d9b88b6668a

Download Submit
C:\Windows\System\BIHPTny.exe

Filesize
5.9MB

MD5
3a8b3dda5c11142e8d24af911ed6c4ab

SHA1
5d7e6d550bab2e9191666c80842782d9ecdf99cf

SHA256
1e56ec7b368fec4c00dfc1d06d69f1a99b3c187311f2599c04e745b46f2ca9f3

SHA512
937609d9240eb027f2172b9792dbb42555d9a2759a5fb48e44e251c90586a0825e1e529d262a2f89f2a2e50e5b6e78c12583a590f4a6a87ad4354cfa45871ff8

Download Submit
C:\Windows\System\EBCFsfM.exe

Filesize
5.9MB

MD5
c6c33d7620993607b941d322632f6fdf

SHA1
74e0730635de20d15009ea2146e7ec8f305d0c7b

SHA256
5c786f86373475ae1b80051d4e947da5faae5ecb00227f8033b31307da2c1193

SHA512
94b36c038362df2d4169d788eb3fa467ef355bb71e43033cf03c68c6c2a37c043d9ff8cf5edacc9cc3d5c85cee08fc4eea6ca533378245ba91990e68d968e5ca

Download Submit
C:\Windows\System\GFbXipg.exe

Filesize
5.9MB

MD5
181d5619342819c68df680063f73967f

SHA1
b1b222f8d4a9a7fc7a743493e1b3a717ed0270cf

SHA256
b1f5c06d0ee0eafad16ecb6817094cd7361d0e692a558173bd2af80f79e9f755

SHA512
7390d6c305ea725647e3e474b0a8b615b39cf7ee2919edd3828b230a0f9127010a4a1b201aee15acc7c7b5186539ec7ff27be8f6f4bad3d1b7aaf80e9c21617c

Download Submit
C:\Windows\System\IESvKvN.exe

Filesize
5.9MB

MD5
390ca3b54da7bf4d497e0570c76a3138

SHA1
61e991b72e54f44287f17289e58a45bff6899fab

SHA256
b21d8dc0e721c759db8e90ff60d85a382a25ca0b7b65cec2eebb79f853384334

SHA512
5f5196410b77a90649511d9a3ac4bc5ad0e1e130bdc14915284be961b7785661cf7153d88db3b0ef3b3f0ff04dd03c34a54c19557b53034c2cfdd3e565e7f904

Download Submit
C:\Windows\System\ImHiuiT.exe

Filesize
5.9MB

MD5
657e54cc9badbd335e3262445cc3f060

SHA1
553f4694cd924817ec3026683ca5aa1733cc9c5c

SHA256
9bf345676f97bf5ff2a4adc09b0d3b103c1841ef5be3875561d98962defae4a9

SHA512
1e0fdae59f8b47ce37204ea09bb81914bd6d7e14415c61450a334c9d8fdd0baafa03499f4c7e87325465b8cc8712eae83c084f488b1e3710101219f35c41dbe0

Download Submit
C:\Windows\System\LJRGBid.exe

Filesize
5.9MB

MD5
d24b39cc8e84acba6fcd44f7e208beb0

SHA1
6d35ed728342320479c9c8f3aa8374ccf95d7a66

SHA256
bc67230abf529dfa15fd46c2c35592fad2835669bc9f2bdbb83a5889aad8c40a

SHA512
0c4353b240ac22ac0355958f5d7fba7c95d9036e00a7137407916aeff69bf82b9074ff0b8aa98221a8e802adbffe83fa8cd604b3bde4177ef0c28bed2a4c9cd8

Download Submit
C:\Windows\System\LyjWjwI.exe

Filesize
5.9MB

MD5
c28134a9b8a23912038a678141288c78

SHA1
69de0a595de7e1d7b33825edb4801c91ab3d9ea8

SHA256
8c3081085ded407b90a821c3cfa8041da62d98de9bca3adcc0cf4e765e0ac671

SHA512
51142c84966cb472da8dd3c564527114194fac0f80274ccd09d52d350fe4f71eba267847bf7486014af0d27a59cbfc1c5137fab70968b0052a2e82328d46dc60

Download Submit
C:\Windows\System\NNufoXq.exe

Filesize
5.9MB

MD5
a0e67cfe181cedd840b8897081ac982c

SHA1
97b3b948e375c686316453dc3f28a0f732caae07

SHA256
66c8cba5523ef0e3b969aa55a1a79b79428d891f878d02bf88d8ae89779bb0e4

SHA512
c73819d6440aef855f0e61ea0d5a94e4263b9bdafe6808a151d58e5dbc40592c5ab7d7578de65a234bf33cc9bf81914d9b172f346794c81fabefad6186391625

Download Submit
C:\Windows\System\PWXDLDr.exe

Filesize
5.9MB

MD5
5719d5fce7af89a0cce825eef494ac30

SHA1
7364722d5c679b5a8859167eae41e242bd29cf29

SHA256
de85e4d520aba26a12c02a141c29c1e1e72cd47a508e053f056629aeeeef6d3b

SHA512
9b0c9a7e3302ff8b1ca479675109d03dd7595bf004b5721924595c25aed6fecf04c0eabb56094ece8f5d4d91b0aad7ebaaa0f298c48e7121fc9cfea738771719

Download Submit
C:\Windows\System\QUJhpqq.exe

Filesize
5.9MB

MD5
90a03cfa343c471923987136a7192582

SHA1
d19a9797782df9e3f76ae9bdfc5a5c4b2284e83a

SHA256
df4594c301f0dbcf23611e5422a2ceaa45277fd3928e5352e1b2ba000b4b092b

SHA512
e241e03698ab17ddc22477050f52ae91e3cbae6589885c9ee302d2e42e6e66e5950e11b6319d0335073cd4d2fc292874a3c2266dbfd60011aad84a0a688a3f92

Download Submit
C:\Windows\System\SEFALNu.exe

Filesize
5.9MB

MD5
73dcd1912879cf46cad1cc8d01ca967f

SHA1
1d67095dd3833911937b22d677d815fd26694d91

SHA256
304011bfcf6089aeeb43532b48940bd8f2bc70cf1243624755797d0585436d59

SHA512
19b32ec0af0d4c09c8d0929731954784f11159daa8bcc89ef6d33c092d57ccaf65ce8f8c96bdaf336d6114b655b85a00ba859f22e03567dc0a3435d42887f68d

Download Submit
C:\Windows\System\TLRBJlH.exe

Filesize
5.9MB

MD5
6d6d1d12beae136f41ea758058d652b0

SHA1
01cbdc144095d0d12056d7e8ec523b18af098c5f

SHA256
9804b7e74c7eddb531b4339f7fed08a60ecd0bd93e260ddf375709c47a00e04a

SHA512
bc62223019c4c7b4ae22cbc2784f6eac09e4fed46518dca0eb703f90c56286624b631f261432aa41a50392ce2a8976dc2cbefaace63d2739b3f1c353c684d229

Download Submit
C:\Windows\System\TbNIAIq.exe

Filesize
5.9MB

MD5
605bdaa6c6b8ae81e7f786f72ee63485

SHA1
0c220ebc082d5263987ccc6f0372b7396d5ed7d9

SHA256
07fa46164a21b8bd75a0a1aaaceebefbddb4fe5efab3a5fd3bf42c55823b885a

SHA512
1f6262af8f578f138dcab58ccbf72dfc53ce163645f3d44a3658c7ec4b7da26503879f11176b7b9b65ac533ab2d4bd1b1eb61cd3fca01e40d71a93f20246577e

Download Submit
C:\Windows\System\UwLQTAk.exe

Filesize
5.9MB

MD5
2bfffbefafb5e65ded7dfd8272f6b361

SHA1
e8dffcac934bd5a07db2dbcf58e195682a826d10

SHA256
15e02e17d388516a46c7c8aa80b02d916012aaedb9ca6f9846d91be026f84731

SHA512
40f0296b9419873c07dd4456c2e07733dbd42a956d370a20655c2ab2d4223e61248f2ffdabcbece633e8d8a220928847bc42a31d0d0e96a8c298225481777c7f

Download Submit
C:\Windows\System\VEOiYEP.exe

Filesize
5.9MB

MD5
5b00b9c295a07667275b83fdac01c67f

SHA1
e69dd750df3f46b6dfe6dfed04657f0bf71a4b86

SHA256
ed99545e4b326677364b4de65c0664cd3207f74de266780aad9921f15fcb0812

SHA512
640e7e61982ced1d4a35ab2eb8f65233099ea9e88c0b4a5680b7a9cf73117f60b25f032b32e6ba63bc0744f98d6c8f04c6cac0bb139cf253712ead7f9c69828b

Download Submit
C:\Windows\System\YEqjaOK.exe

Filesize
5.9MB

MD5
8dde0b99be6f81cee2224ad4aff45674

SHA1
8bba019410c6eb9845146c041f748a5cd511e636

SHA256
5d355af159cd1d68cac058fe1dac6c1f1a704920cf724e8a43208d6ec4155bf3

SHA512
9d0baf696a103466043c345b5555322e5751911473c7ddd0c92e4b75df304e7b7f6de4d62596d8c1cb4b632baa66282f7decc5641b6d009d1e705ce684e9a623

Download Submit
C:\Windows\System\ccQhhaT.exe

Filesize
5.9MB

MD5
f9c48dc74fe3629cf704811465151a60

SHA1
6448eeafd663f9bbd248d40564e8bfe6f9639d77

SHA256
b73e95eb6ac06343a955940e58fad8e86a6f30b224f397fbe95f165d67b304fb

SHA512
07748ed7e02b04acc19e1c383b8800a46794610fd8755fc55a45e911807ee64dfe33e5cf9b29e556916794604581390bf92ba52a04c9ff6854331e2fe3f0c82f

Download Submit
C:\Windows\System\gmqtzse.exe

Filesize
5.9MB

MD5
4de9ad19ec68d2ff53b39122f395331c

SHA1
7af0ab5d515dfdc4788716ef6519fdc3f9e399d3

SHA256
7510cf3f16229a4d86a3f74c94fb14db5e85cb8f49ec174f7fdaf6ddbb23b434

SHA512
60f01e489f5abb15a5518ec5e8b8fea357d4f01effc22761d72ceef012fe8eff2387ccb441bb4f0416b58bd7547b36df39edc7b7107b11b8e94c8821fea7ccf0

Download Submit
C:\Windows\System\hspWPhy.exe

Filesize
5.9MB

MD5
35859bf01d999c78a8c452bfc75ac327

SHA1
2ddb20af8aa0a3e78f975ff8b03535c94f75fbfa

SHA256
d98391b0e849fa24adfcd1aecc947add8ce8aa75898c6678cd568e8886534280

SHA512
5c4d1c64b8e5e556bf3d0f6b66e29b6e691ecf2a0f3e1b5e4f042b7cd579278ec90b4d540e1b5d5493e8b31d5cc690e3edf9932140d7216c5cc8357780120823

Download Submit
C:\Windows\System\pzLVBDc.exe

Filesize
5.9MB

MD5
44edbfbfc49221584a54505ddb9ce2b9

SHA1
471edc808e40d1880a7693d02e008adfa81cca5f

SHA256
02ad69dc4950183b93e30598f5e1eeb5b358fda941efe580e75be26dadacf25c

SHA512
9e6ac323a997ea41d460981a17b7f2ef48486146b743854987a452394601a711703364ef76cfab5890e910a2323654f5e48954f22501b177cccc0ad22bbe297b

Download Submit
memory/100-160-0x00007FF742540000-0x00007FF742894000-memory.dmp

Filesize
3.3MB

Download
memory/100-140-0x00007FF742540000-0x00007FF742894000-memory.dmp

Filesize
3.3MB

Download
memory/100-73-0x00007FF742540000-0x00007FF742894000-memory.dmp

Filesize
3.3MB

Download
memory/348-129-0x00007FF6D6750000-0x00007FF6D6AA4000-memory.dmp

Filesize
3.3MB

Download
memory/348-168-0x00007FF6D6750000-0x00007FF6D6AA4000-memory.dmp

Filesize
3.3MB

Download
memory/348-147-0x00007FF6D6750000-0x00007FF6D6AA4000-memory.dmp

Filesize
3.3MB

Download
memory/396-156-0x00007FF69F150000-0x00007FF69F4A4000-memory.dmp

Filesize
3.3MB

Download
memory/396-42-0x00007FF69F150000-0x00007FF69F4A4000-memory.dmp

Filesize
3.3MB

Download
memory/396-103-0x00007FF69F150000-0x00007FF69F4A4000-memory.dmp

Filesize
3.3MB

Download
memory/464-64-0x00007FF79E250000-0x00007FF79E5A4000-memory.dmp

Filesize
3.3MB

Download
memory/464-150-0x00007FF79E250000-0x00007FF79E5A4000-memory.dmp

Filesize
3.3MB

Download
memory/464-8-0x00007FF79E250000-0x00007FF79E5A4000-memory.dmp

Filesize
3.3MB

Download
memory/536-159-0x00007FF60E420000-0x00007FF60E774000-memory.dmp

Filesize
3.3MB

Download
memory/536-60-0x00007FF60E420000-0x00007FF60E774000-memory.dmp

Filesize
3.3MB

Download
memory/536-126-0x00007FF60E420000-0x00007FF60E774000-memory.dmp

Filesize
3.3MB

Download
memory/628-161-0x00007FF690CB0000-0x00007FF691004000-memory.dmp

Filesize
3.3MB

Download
memory/628-134-0x00007FF690CB0000-0x00007FF691004000-memory.dmp

Filesize
3.3MB

Download
memory/628-70-0x00007FF690CB0000-0x00007FF691004000-memory.dmp

Filesize
3.3MB

Download
memory/708-148-0x00007FF697000000-0x00007FF697354000-memory.dmp

Filesize
3.3MB

Download
memory/708-130-0x00007FF697000000-0x00007FF697354000-memory.dmp

Filesize
3.3MB

Download
memory/708-169-0x00007FF697000000-0x00007FF697354000-memory.dmp

Filesize
3.3MB

Download
memory/1120-162-0x00007FF73F4F0000-0x00007FF73F844000-memory.dmp

Filesize
3.3MB

Download
memory/1120-83-0x00007FF73F4F0000-0x00007FF73F844000-memory.dmp

Filesize
3.3MB

Download
memory/1120-141-0x00007FF73F4F0000-0x00007FF73F844000-memory.dmp

Filesize
3.3MB

Download
memory/1144-144-0x00007FF6E31F0000-0x00007FF6E3544000-memory.dmp

Filesize
3.3MB

Download
memory/1144-165-0x00007FF6E31F0000-0x00007FF6E3544000-memory.dmp

Filesize
3.3MB

Download
memory/1144-104-0x00007FF6E31F0000-0x00007FF6E3544000-memory.dmp

Filesize
3.3MB

Download
memory/1460-97-0x00007FF627470000-0x00007FF6277C4000-memory.dmp

Filesize
3.3MB

Download
memory/1460-143-0x00007FF627470000-0x00007FF6277C4000-memory.dmp

Filesize
3.3MB

Download
memory/1460-164-0x00007FF627470000-0x00007FF6277C4000-memory.dmp

Filesize
3.3MB

Download
memory/1976-155-0x00007FF6DBB00000-0x00007FF6DBE54000-memory.dmp

Filesize
3.3MB

Download
memory/1976-96-0x00007FF6DBB00000-0x00007FF6DBE54000-memory.dmp

Filesize
3.3MB

Download
memory/1976-36-0x00007FF6DBB00000-0x00007FF6DBE54000-memory.dmp

Filesize
3.3MB

Download
memory/2220-59-0x00007FF663750000-0x00007FF663AA4000-memory.dmp

Filesize
3.3MB

Download
memory/2220-1-0x000001FE4DA20000-0x000001FE4DA30000-memory.dmp

Filesize
64KB

Download
memory/2220-0-0x00007FF663750000-0x00007FF663AA4000-memory.dmp

Filesize
3.3MB

Download
memory/2452-158-0x00007FF730160000-0x00007FF7304B4000-memory.dmp

Filesize
3.3MB

Download
memory/2452-54-0x00007FF730160000-0x00007FF7304B4000-memory.dmp

Filesize
3.3MB

Download
memory/2452-117-0x00007FF730160000-0x00007FF7304B4000-memory.dmp

Filesize
3.3MB

Download
memory/2512-149-0x00007FF61D380000-0x00007FF61D6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2512-137-0x00007FF61D380000-0x00007FF61D6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2512-170-0x00007FF61D380000-0x00007FF61D6D4000-memory.dmp

Filesize
3.3MB

Download
memory/2652-146-0x00007FF676990000-0x00007FF676CE4000-memory.dmp

Filesize
3.3MB

Download
memory/2652-167-0x00007FF676990000-0x00007FF676CE4000-memory.dmp

Filesize
3.3MB

Download
memory/2652-120-0x00007FF676990000-0x00007FF676CE4000-memory.dmp

Filesize
3.3MB

Download
memory/3672-12-0x00007FF6A7030000-0x00007FF6A7384000-memory.dmp

Filesize
3.3MB

Download
memory/3672-68-0x00007FF6A7030000-0x00007FF6A7384000-memory.dmp

Filesize
3.3MB

Download
memory/3672-151-0x00007FF6A7030000-0x00007FF6A7384000-memory.dmp

Filesize
3.3MB

Download
memory/4056-111-0x00007FF7EEAF0000-0x00007FF7EEE44000-memory.dmp

Filesize
3.3MB

Download
memory/4056-166-0x00007FF7EEAF0000-0x00007FF7EEE44000-memory.dmp

Filesize
3.3MB

Download
memory/4056-145-0x00007FF7EEAF0000-0x00007FF7EEE44000-memory.dmp

Filesize
3.3MB

Download
memory/4176-152-0x00007FF6FF310000-0x00007FF6FF664000-memory.dmp

Filesize
3.3MB

Download
memory/4176-72-0x00007FF6FF310000-0x00007FF6FF664000-memory.dmp

Filesize
3.3MB

Download
memory/4176-19-0x00007FF6FF310000-0x00007FF6FF664000-memory.dmp

Filesize
3.3MB

Download
memory/4744-154-0x00007FF674290000-0x00007FF6745E4000-memory.dmp

Filesize
3.3MB

Download
memory/4744-30-0x00007FF674290000-0x00007FF6745E4000-memory.dmp

Filesize
3.3MB

Download
memory/4744-89-0x00007FF674290000-0x00007FF6745E4000-memory.dmp

Filesize
3.3MB

Download
memory/4788-163-0x00007FF738B60000-0x00007FF738EB4000-memory.dmp

Filesize
3.3MB

Download
memory/4788-91-0x00007FF738B60000-0x00007FF738EB4000-memory.dmp

Filesize
3.3MB

Download
memory/4788-142-0x00007FF738B60000-0x00007FF738EB4000-memory.dmp

Filesize
3.3MB

Download
memory/4860-110-0x00007FF64DF40000-0x00007FF64E294000-memory.dmp

Filesize
3.3MB

Download
memory/4860-157-0x00007FF64DF40000-0x00007FF64E294000-memory.dmp

Filesize
3.3MB

Download
memory/4860-48-0x00007FF64DF40000-0x00007FF64E294000-memory.dmp

Filesize
3.3MB

Download
memory/4904-153-0x00007FF65A950000-0x00007FF65ACA4000-memory.dmp

Filesize
3.3MB

Download
memory/4904-24-0x00007FF65A950000-0x00007FF65ACA4000-memory.dmp

Filesize
3.3MB

Download
memory/4904-82-0x00007FF65A950000-0x00007FF65ACA4000-memory.dmp

Filesize
3.3MB

Download