cobaltstrike | faf768feca324a2b2b4d68694de66721fb381d2043d51a218dd77b55be4a1e0c

Analysis

max time kernel
140s
max time network
138s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-01-2025 22:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

b860258632d157f379d4686fad8c4c62
SHA1

48ab204263be068280cabef1d332c9595484c46a
SHA256

faf768feca324a2b2b4d68694de66721fb381d2043d51a218dd77b55be4a1e0c
SHA512

0d2480d406789dcfc7f1fb1fdd367b78a05c6e9462eb71afc436849290ae6ad6fc1e62bc61da28befcf65b9322f1d4ca7b59300215a7c152245a817c5b86ed33
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l5:RWWBibf56utgpPFotBER/mQ32lUd

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0009000000016d64-8.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d69-10.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000170f8-45.dat	cobalt_reflective_dll
behavioral1/files/0x000f000000016d3f-40.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001756b-55.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195c3-90.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195c6-111.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001960c-121.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001975a-132.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019761-136.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019643-127.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195c7-114.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195bd-81.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195c5-97.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195c1-89.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195bb-75.dat	cobalt_reflective_dll
behavioral1/files/0x00080000000186b7-69.dat	cobalt_reflective_dll
behavioral1/files/0x0002000000018334-59.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016fe5-34.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d70-28.dat	cobalt_reflective_dll
behavioral1/files/0x000a000000012254-6.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 44 IoCs

miner

resource	yara_rule
behavioral1/memory/2948-15-0x000000013F610000-0x000000013F961000-memory.dmp	xmrig
behavioral1/memory/2588-14-0x000000013F440000-0x000000013F791000-memory.dmp	xmrig
behavioral1/memory/2948-71-0x000000013F610000-0x000000013F961000-memory.dmp	xmrig
behavioral1/memory/1796-138-0x000000013F440000-0x000000013F791000-memory.dmp	xmrig
behavioral1/memory/1816-109-0x000000013FC60000-0x000000013FFB1000-memory.dmp	xmrig
behavioral1/memory/2164-107-0x000000013FE50000-0x00000001401A1000-memory.dmp	xmrig
behavioral1/memory/1380-106-0x000000013F290000-0x000000013F5E1000-memory.dmp	xmrig
behavioral1/memory/2108-101-0x000000013FBE0000-0x000000013FF31000-memory.dmp	xmrig
behavioral1/memory/2980-99-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	xmrig
behavioral1/memory/2164-140-0x000000013F100000-0x000000013F451000-memory.dmp	xmrig
behavioral1/memory/2184-146-0x000000013F2E0000-0x000000013F631000-memory.dmp	xmrig
behavioral1/memory/2164-145-0x00000000022C0000-0x0000000002611000-memory.dmp	xmrig
behavioral1/memory/2716-72-0x000000013FD20000-0x0000000140071000-memory.dmp	xmrig
behavioral1/memory/2164-78-0x00000000022C0000-0x0000000002611000-memory.dmp	xmrig
behavioral1/memory/2888-77-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/2560-67-0x000000013FF50000-0x00000001402A1000-memory.dmp	xmrig
behavioral1/memory/2764-66-0x000000013FA20000-0x000000013FD71000-memory.dmp	xmrig
behavioral1/memory/2800-161-0x000000013F5F0000-0x000000013F941000-memory.dmp	xmrig
behavioral1/memory/2364-160-0x000000013FC10000-0x000000013FF61000-memory.dmp	xmrig
behavioral1/memory/3024-163-0x000000013F170000-0x000000013F4C1000-memory.dmp	xmrig
behavioral1/memory/2772-162-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/2164-159-0x000000013FBE0000-0x000000013FF31000-memory.dmp	xmrig
behavioral1/memory/1564-158-0x000000013F350000-0x000000013F6A1000-memory.dmp	xmrig
behavioral1/memory/1468-156-0x000000013FE50000-0x00000001401A1000-memory.dmp	xmrig
behavioral1/memory/2164-52-0x000000013FA20000-0x000000013FD71000-memory.dmp	xmrig
behavioral1/memory/2732-51-0x000000013F700000-0x000000013FA51000-memory.dmp	xmrig
behavioral1/memory/1528-164-0x000000013FD90000-0x00000001400E1000-memory.dmp	xmrig
behavioral1/memory/2164-62-0x000000013F100000-0x000000013F451000-memory.dmp	xmrig
behavioral1/memory/3028-37-0x000000013F400000-0x000000013F751000-memory.dmp	xmrig
behavioral1/memory/2164-165-0x000000013F100000-0x000000013F451000-memory.dmp	xmrig
behavioral1/memory/2948-221-0x000000013F610000-0x000000013F961000-memory.dmp	xmrig
behavioral1/memory/2588-219-0x000000013F440000-0x000000013F791000-memory.dmp	xmrig
behavioral1/memory/2888-223-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/2980-225-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	xmrig
behavioral1/memory/3028-227-0x000000013F400000-0x000000013F751000-memory.dmp	xmrig
behavioral1/memory/2732-232-0x000000013F700000-0x000000013FA51000-memory.dmp	xmrig
behavioral1/memory/1796-234-0x000000013F440000-0x000000013F791000-memory.dmp	xmrig
behavioral1/memory/2560-236-0x000000013FF50000-0x00000001402A1000-memory.dmp	xmrig
behavioral1/memory/2764-238-0x000000013FA20000-0x000000013FD71000-memory.dmp	xmrig
behavioral1/memory/2716-240-0x000000013FD20000-0x0000000140071000-memory.dmp	xmrig
behavioral1/memory/2184-250-0x000000013F2E0000-0x000000013F631000-memory.dmp	xmrig
behavioral1/memory/1380-254-0x000000013F290000-0x000000013F5E1000-memory.dmp	xmrig
behavioral1/memory/2108-253-0x000000013FBE0000-0x000000013FF31000-memory.dmp	xmrig
behavioral1/memory/1816-256-0x000000013FC60000-0x000000013FFB1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2588	AsFVWhx.exe
2948	VMRvzDI.exe
2888	HNvbwYp.exe
2980	EbPxcVs.exe
3028	MKrngex.exe
1796	bgjUZip.exe
2732	nZaSxlx.exe
2764	zyDQYCt.exe
2560	DvbxURJ.exe
2716	FrudxIk.exe
2184	zuBKzWt.exe
2108	lIrfSZb.exe
1380	rPiftFg.exe
1816	rPLqQjG.exe
1468	dfinSIi.exe
1564	PZvOeju.exe
2364	FlZXlqq.exe
2800	tDfVocQ.exe
2772	IzSulno.exe
3024	kKtKaUc.exe
1528	CZGnaxs.exe

Loads dropped DLL 21 IoCs

pid	Process
2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2164-0-0x000000013F100000-0x000000013F451000-memory.dmp	upx
behavioral1/files/0x0009000000016d64-8.dat	upx
behavioral1/memory/2948-15-0x000000013F610000-0x000000013F961000-memory.dmp	upx
behavioral1/memory/2588-14-0x000000013F440000-0x000000013F791000-memory.dmp	upx
behavioral1/files/0x0008000000016d69-10.dat	upx
behavioral1/memory/2980-29-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	upx
behavioral1/files/0x00070000000170f8-45.dat	upx
behavioral1/files/0x000f000000016d3f-40.dat	upx
behavioral1/files/0x000700000001756b-55.dat	upx
behavioral1/memory/2948-71-0x000000013F610000-0x000000013F961000-memory.dmp	upx
behavioral1/files/0x00050000000195c3-90.dat	upx
behavioral1/files/0x00050000000195c6-111.dat	upx
behavioral1/files/0x000500000001960c-121.dat	upx
behavioral1/files/0x000500000001975a-132.dat	upx
behavioral1/files/0x0005000000019761-136.dat	upx
behavioral1/files/0x0005000000019643-127.dat	upx
behavioral1/memory/1796-138-0x000000013F440000-0x000000013F791000-memory.dmp	upx
behavioral1/memory/1816-109-0x000000013FC60000-0x000000013FFB1000-memory.dmp	upx
behavioral1/memory/1380-106-0x000000013F290000-0x000000013F5E1000-memory.dmp	upx
behavioral1/files/0x00050000000195c7-114.dat	upx
behavioral1/files/0x00050000000195bd-81.dat	upx
behavioral1/memory/2108-101-0x000000013FBE0000-0x000000013FF31000-memory.dmp	upx
behavioral1/memory/2980-99-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	upx
behavioral1/files/0x00050000000195c5-97.dat	upx
behavioral1/files/0x00050000000195c1-89.dat	upx
behavioral1/memory/2164-140-0x000000013F100000-0x000000013F451000-memory.dmp	upx
behavioral1/memory/2184-146-0x000000013F2E0000-0x000000013F631000-memory.dmp	upx
behavioral1/memory/2716-72-0x000000013FD20000-0x0000000140071000-memory.dmp	upx
behavioral1/memory/2184-79-0x000000013F2E0000-0x000000013F631000-memory.dmp	upx
behavioral1/memory/2888-77-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/files/0x00050000000195bb-75.dat	upx
behavioral1/files/0x00080000000186b7-69.dat	upx
behavioral1/memory/2560-67-0x000000013FF50000-0x00000001402A1000-memory.dmp	upx
behavioral1/memory/2764-66-0x000000013FA20000-0x000000013FD71000-memory.dmp	upx
behavioral1/memory/2800-161-0x000000013F5F0000-0x000000013F941000-memory.dmp	upx
behavioral1/memory/2364-160-0x000000013FC10000-0x000000013FF61000-memory.dmp	upx
behavioral1/memory/3024-163-0x000000013F170000-0x000000013F4C1000-memory.dmp	upx
behavioral1/memory/2772-162-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/memory/1564-158-0x000000013F350000-0x000000013F6A1000-memory.dmp	upx
behavioral1/memory/1468-156-0x000000013FE50000-0x00000001401A1000-memory.dmp	upx
behavioral1/memory/2732-51-0x000000013F700000-0x000000013FA51000-memory.dmp	upx
behavioral1/memory/1796-49-0x000000013F440000-0x000000013F791000-memory.dmp	upx
behavioral1/memory/1528-164-0x000000013FD90000-0x00000001400E1000-memory.dmp	upx
behavioral1/memory/2164-62-0x000000013F100000-0x000000013F451000-memory.dmp	upx
behavioral1/files/0x0002000000018334-59.dat	upx
behavioral1/memory/3028-37-0x000000013F400000-0x000000013F751000-memory.dmp	upx
behavioral1/files/0x0007000000016fe5-34.dat	upx
behavioral1/files/0x0008000000016d70-28.dat	upx
behavioral1/memory/2888-26-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/files/0x000a000000012254-6.dat	upx
behavioral1/memory/2164-165-0x000000013F100000-0x000000013F451000-memory.dmp	upx
behavioral1/memory/2948-221-0x000000013F610000-0x000000013F961000-memory.dmp	upx
behavioral1/memory/2588-219-0x000000013F440000-0x000000013F791000-memory.dmp	upx
behavioral1/memory/2888-223-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/memory/2980-225-0x000000013F1A0000-0x000000013F4F1000-memory.dmp	upx
behavioral1/memory/3028-227-0x000000013F400000-0x000000013F751000-memory.dmp	upx
behavioral1/memory/2732-232-0x000000013F700000-0x000000013FA51000-memory.dmp	upx
behavioral1/memory/1796-234-0x000000013F440000-0x000000013F791000-memory.dmp	upx
behavioral1/memory/2560-236-0x000000013FF50000-0x00000001402A1000-memory.dmp	upx
behavioral1/memory/2764-238-0x000000013FA20000-0x000000013FD71000-memory.dmp	upx
behavioral1/memory/2716-240-0x000000013FD20000-0x0000000140071000-memory.dmp	upx
behavioral1/memory/2184-250-0x000000013F2E0000-0x000000013F631000-memory.dmp	upx
behavioral1/memory/1380-254-0x000000013F290000-0x000000013F5E1000-memory.dmp	upx
behavioral1/memory/2108-253-0x000000013FBE0000-0x000000013FF31000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\AsFVWhx.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MKrngex.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lIrfSZb.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rPiftFg.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rPLqQjG.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VMRvzDI.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FrudxIk.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zuBKzWt.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dfinSIi.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tDfVocQ.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FlZXlqq.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IzSulno.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HNvbwYp.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nZaSxlx.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zyDQYCt.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DvbxURJ.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PZvOeju.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EbPxcVs.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bgjUZip.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kKtKaUc.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CZGnaxs.exe	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2164 wrote to memory of 2588	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2164 wrote to memory of 2588	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2164 wrote to memory of 2588	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2164 wrote to memory of 2948	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2164 wrote to memory of 2948	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2164 wrote to memory of 2948	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2164 wrote to memory of 2888	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2164 wrote to memory of 2888	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2164 wrote to memory of 2888	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2164 wrote to memory of 2980	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2164 wrote to memory of 2980	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2164 wrote to memory of 2980	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2164 wrote to memory of 3028	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2164 wrote to memory of 3028	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2164 wrote to memory of 3028	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2164 wrote to memory of 1796	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2164 wrote to memory of 1796	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2164 wrote to memory of 1796	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2164 wrote to memory of 2732	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2164 wrote to memory of 2732	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2164 wrote to memory of 2732	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2164 wrote to memory of 2764	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2164 wrote to memory of 2764	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2164 wrote to memory of 2764	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2164 wrote to memory of 2560	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2164 wrote to memory of 2560	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2164 wrote to memory of 2560	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2164 wrote to memory of 2716	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2164 wrote to memory of 2716	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2164 wrote to memory of 2716	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2164 wrote to memory of 2184	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2164 wrote to memory of 2184	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2164 wrote to memory of 2184	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2164 wrote to memory of 2108	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2164 wrote to memory of 2108	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2164 wrote to memory of 2108	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2164 wrote to memory of 1380	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2164 wrote to memory of 1380	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2164 wrote to memory of 1380	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2164 wrote to memory of 1468	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2164 wrote to memory of 1468	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2164 wrote to memory of 1468	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2164 wrote to memory of 1816	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2164 wrote to memory of 1816	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2164 wrote to memory of 1816	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2164 wrote to memory of 1564	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2164 wrote to memory of 1564	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2164 wrote to memory of 1564	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2164 wrote to memory of 2364	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2164 wrote to memory of 2364	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2164 wrote to memory of 2364	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2164 wrote to memory of 2800	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2164 wrote to memory of 2800	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2164 wrote to memory of 2800	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2164 wrote to memory of 2772	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2164 wrote to memory of 2772	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2164 wrote to memory of 2772	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2164 wrote to memory of 3024	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2164 wrote to memory of 3024	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2164 wrote to memory of 3024	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2164 wrote to memory of 1528	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2164 wrote to memory of 1528	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2164 wrote to memory of 1528	2164	2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-21_b860258632d157f379d4686fad8c4c62_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\System\AsFVWhx.exe
  C:\Windows\System\AsFVWhx.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System\VMRvzDI.exe
  C:\Windows\System\VMRvzDI.exe
  2⤵
  - Executes dropped EXE
  PID:2948
- C:\Windows\System\HNvbwYp.exe
  C:\Windows\System\HNvbwYp.exe
  2⤵
  - Executes dropped EXE
  PID:2888
- C:\Windows\System\EbPxcVs.exe
  C:\Windows\System\EbPxcVs.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\MKrngex.exe
  C:\Windows\System\MKrngex.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Windows\System\bgjUZip.exe
  C:\Windows\System\bgjUZip.exe
  2⤵
  - Executes dropped EXE
  PID:1796
- C:\Windows\System\nZaSxlx.exe
  C:\Windows\System\nZaSxlx.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\zyDQYCt.exe
  C:\Windows\System\zyDQYCt.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Windows\System\DvbxURJ.exe
  C:\Windows\System\DvbxURJ.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System\FrudxIk.exe
  C:\Windows\System\FrudxIk.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\zuBKzWt.exe
  C:\Windows\System\zuBKzWt.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\System\lIrfSZb.exe
  C:\Windows\System\lIrfSZb.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System\rPiftFg.exe
  C:\Windows\System\rPiftFg.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System\dfinSIi.exe
  C:\Windows\System\dfinSIi.exe
  2⤵
  - Executes dropped EXE
  PID:1468
- C:\Windows\System\rPLqQjG.exe
  C:\Windows\System\rPLqQjG.exe
  2⤵
  - Executes dropped EXE
  PID:1816
- C:\Windows\System\PZvOeju.exe
  C:\Windows\System\PZvOeju.exe
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\Windows\System\FlZXlqq.exe
  C:\Windows\System\FlZXlqq.exe
  2⤵
  - Executes dropped EXE
  PID:2364
- C:\Windows\System\tDfVocQ.exe
  C:\Windows\System\tDfVocQ.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System\IzSulno.exe
  C:\Windows\System\IzSulno.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\kKtKaUc.exe
  C:\Windows\System\kKtKaUc.exe
  2⤵
  - Executes dropped EXE
  PID:3024
- C:\Windows\System\CZGnaxs.exe
  C:\Windows\System\CZGnaxs.exe
  2⤵
  - Executes dropped EXE
  PID:1528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\AsFVWhx.exe

Filesize
5.2MB

MD5
8dff218d4a59192351692f33e8983b55

SHA1
7ab7939d05936f3160d8c70eebf40492590af61b

SHA256
fdfc638f06a1603c31b4510bcb7fc0ac76a78b8b4bae6890506d20959891f46d

SHA512
fedd8e6970a04470dd085227759b48f10469f39c333c75b5cb16a4f12f321e9fc8f31142c965472282c45f885dd6d75371b89b400000f8347eb20c0521bedb52

Download Submit
C:\Windows\system\CZGnaxs.exe

Filesize
5.2MB

MD5
01639c67f053bf033492b3c1e51a7729

SHA1
b386c197aa85a25c9e0fcb3a269290209d241a5d

SHA256
ede66d2678cfc5725c7d8dc15073f61c2393dfc219b32e84e41ad2d69c234ae4

SHA512
437b30c134f2977c4169a251924398cb803627a4fa39392f1d4fff47850ac55864b84e9f7e26ca78d7fd9c09e5b86f94b071766889ebc46c1afd19ba92b01872

Download Submit
C:\Windows\system\DvbxURJ.exe

Filesize
5.2MB

MD5
f7500e87d89b508001cd58e6f7479580

SHA1
ab652be21bf7fcaa3c944fab08f1b807c0fe1139

SHA256
5fd6c6fac8b0bdabb0aea43bdf05a8388d0dfdd08e41dc8c8b5962ad3b5cf526

SHA512
36eb38494a9ed6ddd709119608b483ba42aecfca226dfc01348848d4a84ac8fb430d18ff9684905ed4dc3978f87f1cd3d3655f99951f82640383ea13b324b0f6

Download Submit
C:\Windows\system\EbPxcVs.exe

Filesize
5.2MB

MD5
e570e78fe3446e71d39ed6ac7c916e10

SHA1
1a44aa67430bccfb481598902e508e215f6a43fb

SHA256
26d599113e03f05935a76c1603de5817d63fb26be670ac5444b95b2c47e41a71

SHA512
1a41ace335e397c04fd5b052e76b43c53a531216d50bd7628ee2c7e4700a1113afeb01447b65efbcca3d66201f1a8ccacea4fa819f9c04577f2e976357cdb25c

Download Submit
C:\Windows\system\FlZXlqq.exe

Filesize
5.2MB

MD5
e1a6cd0af06efc7f1a64378625cd7732

SHA1
756f8813de91ec751f6bae5ecc88bf8b87c39128

SHA256
82d005dc0bcbafc7dbcff9dfecf1415fba1176e5dc3251adb020e4526f6fbdb5

SHA512
2b9e637a08da937982b6eec6af6d3e02d5c773fd63ba7f621f8453603e35a61f2d5cdd1eae030dae3e947eecce58766d28dd3283e0f509aade96d2a770b5b4f0

Download Submit
C:\Windows\system\FrudxIk.exe

Filesize
5.2MB

MD5
4715c583ab156e38969f6388a6c9525d

SHA1
bb4babef190f2f8b4caf1dcd8785dde03ffc3679

SHA256
88140e397e192a0c9dd3f677ccee5cafff79020070da9f7ab6e36f5f6f9f8286

SHA512
62148a2ec4f135f918d4de177b02aaef3e867a889db4a79d2d0de404d361c5c07dc0f49148bc5c8a5237bc529574c83c66911ff090fad3b6357618a1ef6eea65

Download Submit
C:\Windows\system\HNvbwYp.exe

Filesize
5.2MB

MD5
ffeca5efdf02774e12a8e5a041072829

SHA1
f006c84233d3712b5319aaf1d906d4c33af55d77

SHA256
08cc01833dfbffb918c989efb693a0cf0188bb7a26919d6ac7a2d45220835d65

SHA512
fdf9beda8ea26c8a19af773c694c92993820c23c3fb9d0a4ea1c3b3e90dad87716fc49c6b1740fbed2ea792f030245ea66aaea98a7bd6be4a909ddc1d7c7b36f

Download Submit
C:\Windows\system\IzSulno.exe

Filesize
5.2MB

MD5
58c6cdab3e255725971ce15445c1ed61

SHA1
bfc2012ed3d544577da47052d68f18e92e992d4d

SHA256
9922b0e8cfcc8ae49228bea76aea26550e1fec6a0bc7f373d2983dfa87836393

SHA512
df97126b9168c3bbef4284cdbacced0dab04f78be9587b9282b85469191d0e0140199418148b7660fd6be831b5bf24716a285cc7717a9f92db0d56443b351f85

Download Submit
C:\Windows\system\MKrngex.exe

Filesize
5.2MB

MD5
6c7649c60bc63d8c4778bbc2ef8ab232

SHA1
2b7b6e02e0eb687266fb6dd2c458c3bff8a0490e

SHA256
a65d2fcf1d727fc6ffe13c6bec89de3203f9c689151ae7f092bd03afb1b308e5

SHA512
62c4e98dc5bd54992a74c9f419820dd449a37cd63ec87c5d2b25cb567706933b8f5d5363884f44b94a635deb07eb25f00208418684ba8f43b65ea3c9622fe349

Download Submit
C:\Windows\system\PZvOeju.exe

Filesize
5.2MB

MD5
31d216f1f521ea847845016e849d7fe9

SHA1
59d999fe543d59ed55889060b6d625c8929ab6ed

SHA256
459ae73059e12badf30830b2c0cc31e84b484cbf977b9bb9915860a2b2d3c7bc

SHA512
0ef61a6f68d76c200ecf4f5a7c1f3e8d574355c088806dd04b1c8ac8e4ddbecfd871a73a106ecdc6ca88c9a776fac64424a74bf2860fba729be4df3c133d2049

Download Submit
C:\Windows\system\bgjUZip.exe

Filesize
5.2MB

MD5
e0583669d9c26247d4accd18fd1fcf9a

SHA1
99c27296690d0019c7dccf7d9853db7eae0ea242

SHA256
20a1778736ddad9f05b123b1de32c7863983b2ff1709006d13f235440c1908de

SHA512
be954c4e7021f69b15a592c80937b494567efdabe1e5377962262e042ba9cb7be220d488e4f53542011857c633bc336d19f70e04e4c2d055c826264f54281829

Download Submit
C:\Windows\system\kKtKaUc.exe

Filesize
5.2MB

MD5
8b20c496a7391882a0bb8ad289ab5fc3

SHA1
22fdbb4b88fa1997c86676f5440546bfe1f38f1d

SHA256
3fa5eed5beed87f5abc5cad873de946d8ea52267eed09d4d85549656861b67b8

SHA512
5642e552f0d80fac1910a0176b51720eaa9d048e0dff8af4fe5167580cd9531ac0488d78e959cb3c20d1fac27b05ce6575151065b795bdec2a4956c9cdeb18e8

Download Submit
C:\Windows\system\nZaSxlx.exe

Filesize
5.2MB

MD5
db22658e454975f361f91f0e93e3d428

SHA1
77d3fca23fb10e8a3e978c9ceb3efb3ffa9eb26a

SHA256
c58a23314788cc75837ce48d01effff2d7e76c8ef06dcd105579dfbcb1378956

SHA512
7f354705affc6dfc39e45a2d75b46fe2dd79331d2357a9876d2e9a55f6fcb0535c9811648e49981ec64ca99209f5773f8e88e4f29149950d4859888aa80a114a

Download Submit
C:\Windows\system\rPLqQjG.exe

Filesize
5.2MB

MD5
763c3b8134a932c307dc23c65a7e13f3

SHA1
f3c8804129e665d0d5b7204f06d3fa87aa0eaa76

SHA256
031a86245713caf6f3cc6ec27833720c5b973b7c16423885653f5bb3bc255a33

SHA512
a11d083ba5da5d658b4963f64e1ce6b1c62ada2896fcd1c279bf7e50d8d8c44ea78fc14686f176ce7a4d5810cca6c3279ba958ecb97103563396543d6af9d49f

Download Submit
C:\Windows\system\rPiftFg.exe

Filesize
5.2MB

MD5
2370dec458158fbb32c01e259840a598

SHA1
3388f638c551af9af619f0f3836ab4a17b8b009c

SHA256
fd46aa1318c6e89c4527d8eb333a47f0e53354e82ed2544dfa2d92ff7586eedd

SHA512
22ff82781671077fc36fa1b4de368fa2349d1c438ba73ec5316497c06eb753e10b5dec6fbb9cdb0bbe7a9e01a86fd50615e2cd868e7f79174651e24e731791d8

Download Submit
C:\Windows\system\tDfVocQ.exe

Filesize
5.2MB

MD5
7f09bb1830d4fea21bf308255d393e34

SHA1
a4eb304d0851976e8abc291181d977813e30563b

SHA256
62b9b192406f216c3077c2cebef6db74eb9b34631543e7523d82741d99a5a71d

SHA512
5577f5dea604998112f04905abc6d21538a041e87147da9f10e95f5238275938fc61c9d7c51e2b7fdb58ae56dcaba248a969cb09ea9565dd7b13dc86bd2ea21f

Download Submit
C:\Windows\system\zuBKzWt.exe

Filesize
5.2MB

MD5
27b3a79fed263322376694dce3d55fcf

SHA1
f31bfbba6a87b31b864bf102d3640adfb5a9e297

SHA256
12b97fdb0f4ada8a40a45e555992b4027b0bed2f3304e5fd14248daee392f9cf

SHA512
1c86155b90f49ee38e39d21dd50dd350d7919929544218c302565e4a6ae3031fe5d830172e785fbcb9fff035582e51a772e237739dbe5870a54fbcfbe00e1285

Download Submit
C:\Windows\system\zyDQYCt.exe

Filesize
5.2MB

MD5
1351061d9c7a5b11bc7fdd6566bc783a

SHA1
3516ce35581e095a7423f924f8ade31744a13e8a

SHA256
af542dcbb16688c1103586d3b45b8976d4420096e8ba4f18191855d0c86310b3

SHA512
89022007313257c75a6839add1479a84324f30399807d780f37c5d446acb6c5a05a06f220d9d5b5d149c3a4ec5113ee29715332b076dcc54994ea0476e0c70d4

Download Submit
\Windows\system\VMRvzDI.exe

Filesize
5.2MB

MD5
a8fcd36a503b896c9f90b5627fd19dbb

SHA1
fbf3731d58673e46fce93bf3d3885b2e177b4c22

SHA256
d1fc112363204e46235c4858cd9e41c8f8fde6578ff5aaa0f4fbcdd255975d35

SHA512
bf2c01185b521a0a247a35f9183f869e87f7e218893276ad6f3972b47187f7c7db37532aaf27c8bd14dedf28576dfbd1519d908e6b1e18874760c487a34a4ca8

Download Submit
\Windows\system\dfinSIi.exe

Filesize
5.2MB

MD5
d7e30f82015f5ab18cf9b775d4fef712

SHA1
bf4bad57fb41802e16805531d028ad6d03ebdbf8

SHA256
610b98e72c71533845cb913942bf91df25df09ca453c81c3f7d4d46574ffa269

SHA512
2ec20b98add83922c2a8eedf2074fe2afe5af9c9d6c0432ae5def7704d6f7bf5a6b10913172181bbaf24d1dbb67c88e0e678e46d1877b416c30196b0a55f9d0a

Download Submit
\Windows\system\lIrfSZb.exe

Filesize
5.2MB

MD5
61143db0e6583e7927f88600b07778ce

SHA1
2c41a21ff92a012b9aaf1af683dfd2f54ffe5ab4

SHA256
046e348223b6310bb60922b46d9f2256113ad285d1aa649f3932c1e39708d422

SHA512
c4f7d07a762a7eb8ce2a2ddd6ae53ba19d2c335da9be996a40f47e91599cab1c5227dbe16e0820527dd9ecf5590032cad0619b085dabec9550f2bc69be1ab686

Download Submit
memory/1380-106-0x000000013F290000-0x000000013F5E1000-memory.dmp

Filesize
3.3MB

Download
memory/1380-254-0x000000013F290000-0x000000013F5E1000-memory.dmp

Filesize
3.3MB

Download
memory/1468-156-0x000000013FE50000-0x00000001401A1000-memory.dmp

Filesize
3.3MB

Download
memory/1528-164-0x000000013FD90000-0x00000001400E1000-memory.dmp

Filesize
3.3MB

Download
memory/1564-158-0x000000013F350000-0x000000013F6A1000-memory.dmp

Filesize
3.3MB

Download
memory/1796-138-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/1796-49-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/1796-234-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/1816-109-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/1816-256-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2108-253-0x000000013FBE0000-0x000000013FF31000-memory.dmp

Filesize
3.3MB

Download
memory/2108-101-0x000000013FBE0000-0x000000013FF31000-memory.dmp

Filesize
3.3MB

Download
memory/2164-62-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/2164-108-0x000000013FC60000-0x000000013FFB1000-memory.dmp

Filesize
3.3MB

Download
memory/2164-100-0x000000013FBE0000-0x000000013FF31000-memory.dmp

Filesize
3.3MB

Download
memory/2164-140-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/2164-0-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/2164-145-0x00000000022C0000-0x0000000002611000-memory.dmp

Filesize
3.3MB

Download
memory/2164-1-0x0000000000200000-0x0000000000210000-memory.dmp

Filesize
64KB

Download
memory/2164-53-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/2164-78-0x00000000022C0000-0x0000000002611000-memory.dmp

Filesize
3.3MB

Download
memory/2164-7-0x00000000022C0000-0x0000000002611000-memory.dmp

Filesize
3.3MB

Download
memory/2164-107-0x000000013FE50000-0x00000001401A1000-memory.dmp

Filesize
3.3MB

Download
memory/2164-102-0x00000000022C0000-0x0000000002611000-memory.dmp

Filesize
3.3MB

Download
memory/2164-68-0x000000013FD20000-0x0000000140071000-memory.dmp

Filesize
3.3MB

Download
memory/2164-36-0x00000000022C0000-0x0000000002611000-memory.dmp

Filesize
3.3MB

Download
memory/2164-165-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/2164-13-0x000000013F610000-0x000000013F961000-memory.dmp

Filesize
3.3MB

Download
memory/2164-52-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/2164-27-0x00000000022C0000-0x0000000002611000-memory.dmp

Filesize
3.3MB

Download
memory/2164-24-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2164-159-0x000000013FBE0000-0x000000013FF31000-memory.dmp

Filesize
3.3MB

Download
memory/2164-139-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/2184-79-0x000000013F2E0000-0x000000013F631000-memory.dmp

Filesize
3.3MB

Download
memory/2184-250-0x000000013F2E0000-0x000000013F631000-memory.dmp

Filesize
3.3MB

Download
memory/2184-146-0x000000013F2E0000-0x000000013F631000-memory.dmp

Filesize
3.3MB

Download
memory/2364-160-0x000000013FC10000-0x000000013FF61000-memory.dmp

Filesize
3.3MB

Download
memory/2560-67-0x000000013FF50000-0x00000001402A1000-memory.dmp

Filesize
3.3MB

Download
memory/2560-236-0x000000013FF50000-0x00000001402A1000-memory.dmp

Filesize
3.3MB

Download
memory/2588-14-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/2588-219-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/2716-240-0x000000013FD20000-0x0000000140071000-memory.dmp

Filesize
3.3MB

Download
memory/2716-72-0x000000013FD20000-0x0000000140071000-memory.dmp

Filesize
3.3MB

Download
memory/2732-51-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/2732-232-0x000000013F700000-0x000000013FA51000-memory.dmp

Filesize
3.3MB

Download
memory/2764-238-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/2764-66-0x000000013FA20000-0x000000013FD71000-memory.dmp

Filesize
3.3MB

Download
memory/2772-162-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2800-161-0x000000013F5F0000-0x000000013F941000-memory.dmp

Filesize
3.3MB

Download
memory/2888-26-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2888-77-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2888-223-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/2948-221-0x000000013F610000-0x000000013F961000-memory.dmp

Filesize
3.3MB

Download
memory/2948-71-0x000000013F610000-0x000000013F961000-memory.dmp

Filesize
3.3MB

Download
memory/2948-15-0x000000013F610000-0x000000013F961000-memory.dmp

Filesize
3.3MB

Download
memory/2980-29-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

Filesize
3.3MB

Download
memory/2980-225-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

Filesize
3.3MB

Download
memory/2980-99-0x000000013F1A0000-0x000000013F4F1000-memory.dmp

Filesize
3.3MB

Download
memory/3024-163-0x000000013F170000-0x000000013F4C1000-memory.dmp

Filesize
3.3MB

Download
memory/3028-227-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download
memory/3028-37-0x000000013F400000-0x000000013F751000-memory.dmp

Filesize
3.3MB

Download