cobaltstrike | d083da103cb8ca0f31aa35c3de3a769cf81f2d1817ce30db11a4f3ad4e699c14

Analysis

max time kernel
146s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-01-2025 06:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

6546cbc9dc745a7fd678f2ea209913ff
SHA1

34b65b1112d4bac792ff2c1a5feaa86b7e3b4936
SHA256

d083da103cb8ca0f31aa35c3de3a769cf81f2d1817ce30db11a4f3ad4e699c14
SHA512

638cd6a9a59735e16fc450d62c840117f88a9c002b11d0ecee6e56db332adf5188a03bb5fa7a1fab1cdd91534bfff0351d8283cdf9f1705a9653d7d60165d875
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lU0:E+b56utgpPF8u/70

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0007000000012117-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d18-9.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d21-11.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d31-22.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d42-41.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001873d-103.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019261-141.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019282-144.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001925e-136.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019023-131.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000187a5-126.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001878f-121.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018784-116.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018728-98.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186fd-89.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186ee-80.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d68-65.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186ea-73.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d5e-58.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d4a-50.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016cec-34.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral1/memory/2528-0-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
behavioral1/files/0x0007000000012117-3.dat	xmrig
behavioral1/memory/2528-6-0x000000013FA10000-0x000000013FD64000-memory.dmp	xmrig
behavioral1/files/0x0008000000016d18-9.dat	xmrig
behavioral1/memory/1980-14-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/files/0x0008000000016d21-11.dat	xmrig
behavioral1/memory/2184-21-0x000000013F560000-0x000000013F8B4000-memory.dmp	xmrig
behavioral1/memory/2528-18-0x00000000022D0000-0x0000000002624000-memory.dmp	xmrig
behavioral1/files/0x0008000000016d31-22.dat	xmrig
behavioral1/memory/2748-28-0x000000013F140000-0x000000013F494000-memory.dmp	xmrig
behavioral1/memory/2528-35-0x000000013F460000-0x000000013F7B4000-memory.dmp	xmrig
behavioral1/files/0x0007000000016d42-41.dat	xmrig
behavioral1/memory/2892-43-0x000000013F810000-0x000000013FB64000-memory.dmp	xmrig
behavioral1/memory/2380-42-0x000000013FA10000-0x000000013FD64000-memory.dmp	xmrig
behavioral1/memory/2648-52-0x000000013F6C0000-0x000000013FA14000-memory.dmp	xmrig
behavioral1/memory/2668-60-0x000000013F0C0000-0x000000013F414000-memory.dmp	xmrig
behavioral1/memory/2632-67-0x000000013FCB0000-0x0000000140004000-memory.dmp	xmrig
behavioral1/files/0x000500000001873d-103.dat	xmrig
behavioral1/files/0x0005000000019261-141.dat	xmrig
behavioral1/files/0x0005000000019282-144.dat	xmrig
behavioral1/files/0x000500000001925e-136.dat	xmrig
behavioral1/memory/1872-148-0x000000013F910000-0x000000013FC64000-memory.dmp	xmrig
behavioral1/files/0x0006000000019023-131.dat	xmrig
behavioral1/files/0x00050000000187a5-126.dat	xmrig
behavioral1/files/0x000500000001878f-121.dat	xmrig
behavioral1/files/0x0005000000018784-116.dat	xmrig
behavioral1/memory/2072-149-0x000000013FD70000-0x00000001400C4000-memory.dmp	xmrig
behavioral1/memory/1908-109-0x000000013F150000-0x000000013F4A4000-memory.dmp	xmrig
behavioral1/memory/2632-108-0x000000013FCB0000-0x0000000140004000-memory.dmp	xmrig
behavioral1/memory/1844-100-0x000000013FE70000-0x00000001401C4000-memory.dmp	xmrig
behavioral1/memory/2668-99-0x000000013F0C0000-0x000000013F414000-memory.dmp	xmrig
behavioral1/files/0x0005000000018728-98.dat	xmrig
behavioral1/memory/2720-151-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/2720-91-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig
behavioral1/memory/2648-90-0x000000013F6C0000-0x000000013FA14000-memory.dmp	xmrig
behavioral1/files/0x00050000000186fd-89.dat	xmrig
behavioral1/memory/2072-82-0x000000013FD70000-0x00000001400C4000-memory.dmp	xmrig
behavioral1/memory/2892-81-0x000000013F810000-0x000000013FB64000-memory.dmp	xmrig
behavioral1/files/0x00050000000186ee-80.dat	xmrig
behavioral1/memory/2748-66-0x000000013F140000-0x000000013F494000-memory.dmp	xmrig
behavioral1/files/0x0008000000016d68-65.dat	xmrig
behavioral1/memory/1844-153-0x000000013FE70000-0x00000001401C4000-memory.dmp	xmrig
behavioral1/memory/1872-75-0x000000013F910000-0x000000013FC64000-memory.dmp	xmrig
behavioral1/memory/2904-74-0x000000013F830000-0x000000013FB84000-memory.dmp	xmrig
behavioral1/files/0x00050000000186ea-73.dat	xmrig
behavioral1/memory/2184-59-0x000000013F560000-0x000000013F8B4000-memory.dmp	xmrig
behavioral1/files/0x0007000000016d5e-58.dat	xmrig
behavioral1/memory/1980-51-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/files/0x0007000000016d4a-50.dat	xmrig
behavioral1/memory/2904-36-0x000000013F830000-0x000000013FB84000-memory.dmp	xmrig
behavioral1/files/0x0008000000016cec-34.dat	xmrig
behavioral1/memory/1908-155-0x000000013F150000-0x000000013F4A4000-memory.dmp	xmrig
behavioral1/memory/2380-157-0x000000013FA10000-0x000000013FD64000-memory.dmp	xmrig
behavioral1/memory/1980-158-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/memory/2748-159-0x000000013F140000-0x000000013F494000-memory.dmp	xmrig
behavioral1/memory/2184-160-0x000000013F560000-0x000000013F8B4000-memory.dmp	xmrig
behavioral1/memory/2904-161-0x000000013F830000-0x000000013FB84000-memory.dmp	xmrig
behavioral1/memory/2892-162-0x000000013F810000-0x000000013FB64000-memory.dmp	xmrig
behavioral1/memory/2648-163-0x000000013F6C0000-0x000000013FA14000-memory.dmp	xmrig
behavioral1/memory/2668-164-0x000000013F0C0000-0x000000013F414000-memory.dmp	xmrig
behavioral1/memory/2632-165-0x000000013FCB0000-0x0000000140004000-memory.dmp	xmrig
behavioral1/memory/1872-166-0x000000013F910000-0x000000013FC64000-memory.dmp	xmrig
behavioral1/memory/2072-167-0x000000013FD70000-0x00000001400C4000-memory.dmp	xmrig
behavioral1/memory/2720-168-0x000000013F9F0000-0x000000013FD44000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2380	JkaGhgM.exe
1980	ONjcGsw.exe
2184	iigGSro.exe
2748	bTiiXVs.exe
2904	rvaDSsc.exe
2892	rCOibZd.exe
2648	yVqTtNd.exe
2668	pxmAGiV.exe
2632	UAjrXWz.exe
1872	cxfLPoR.exe
2072	VZKIcIt.exe
2720	waiyMFH.exe
1844	hVNKyaj.exe
1908	OxBCnrU.exe
1892	OhidWKR.exe
2688	ZDaHrDM.exe
2936	pYCbMko.exe
2504	MHhozTz.exe
2508	NCVLPfc.exe
2028	WAofIoQ.exe
1208	xpspNjD.exe

Loads dropped DLL 21 IoCs

pid	Process
2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2528-0-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
behavioral1/files/0x0007000000012117-3.dat	upx
behavioral1/memory/2528-6-0x000000013FA10000-0x000000013FD64000-memory.dmp	upx
behavioral1/files/0x0008000000016d18-9.dat	upx
behavioral1/memory/1980-14-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
behavioral1/files/0x0008000000016d21-11.dat	upx
behavioral1/memory/2184-21-0x000000013F560000-0x000000013F8B4000-memory.dmp	upx
behavioral1/files/0x0008000000016d31-22.dat	upx
behavioral1/memory/2748-28-0x000000013F140000-0x000000013F494000-memory.dmp	upx
behavioral1/memory/2528-35-0x000000013F460000-0x000000013F7B4000-memory.dmp	upx
behavioral1/files/0x0007000000016d42-41.dat	upx
behavioral1/memory/2892-43-0x000000013F810000-0x000000013FB64000-memory.dmp	upx
behavioral1/memory/2380-42-0x000000013FA10000-0x000000013FD64000-memory.dmp	upx
behavioral1/memory/2648-52-0x000000013F6C0000-0x000000013FA14000-memory.dmp	upx
behavioral1/memory/2668-60-0x000000013F0C0000-0x000000013F414000-memory.dmp	upx
behavioral1/memory/2632-67-0x000000013FCB0000-0x0000000140004000-memory.dmp	upx
behavioral1/files/0x000500000001873d-103.dat	upx
behavioral1/files/0x0005000000019261-141.dat	upx
behavioral1/files/0x0005000000019282-144.dat	upx
behavioral1/files/0x000500000001925e-136.dat	upx
behavioral1/memory/1872-148-0x000000013F910000-0x000000013FC64000-memory.dmp	upx
behavioral1/files/0x0006000000019023-131.dat	upx
behavioral1/files/0x00050000000187a5-126.dat	upx
behavioral1/files/0x000500000001878f-121.dat	upx
behavioral1/files/0x0005000000018784-116.dat	upx
behavioral1/memory/2072-149-0x000000013FD70000-0x00000001400C4000-memory.dmp	upx
behavioral1/memory/1908-109-0x000000013F150000-0x000000013F4A4000-memory.dmp	upx
behavioral1/memory/2632-108-0x000000013FCB0000-0x0000000140004000-memory.dmp	upx
behavioral1/memory/1844-100-0x000000013FE70000-0x00000001401C4000-memory.dmp	upx
behavioral1/memory/2668-99-0x000000013F0C0000-0x000000013F414000-memory.dmp	upx
behavioral1/files/0x0005000000018728-98.dat	upx
behavioral1/memory/2720-151-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/2720-91-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/2648-90-0x000000013F6C0000-0x000000013FA14000-memory.dmp	upx
behavioral1/files/0x00050000000186fd-89.dat	upx
behavioral1/memory/2072-82-0x000000013FD70000-0x00000001400C4000-memory.dmp	upx
behavioral1/memory/2892-81-0x000000013F810000-0x000000013FB64000-memory.dmp	upx
behavioral1/files/0x00050000000186ee-80.dat	upx
behavioral1/memory/2748-66-0x000000013F140000-0x000000013F494000-memory.dmp	upx
behavioral1/files/0x0008000000016d68-65.dat	upx
behavioral1/memory/1844-153-0x000000013FE70000-0x00000001401C4000-memory.dmp	upx
behavioral1/memory/1872-75-0x000000013F910000-0x000000013FC64000-memory.dmp	upx
behavioral1/memory/2904-74-0x000000013F830000-0x000000013FB84000-memory.dmp	upx
behavioral1/files/0x00050000000186ea-73.dat	upx
behavioral1/memory/2184-59-0x000000013F560000-0x000000013F8B4000-memory.dmp	upx
behavioral1/files/0x0007000000016d5e-58.dat	upx
behavioral1/memory/1980-51-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
behavioral1/files/0x0007000000016d4a-50.dat	upx
behavioral1/memory/2904-36-0x000000013F830000-0x000000013FB84000-memory.dmp	upx
behavioral1/files/0x0008000000016cec-34.dat	upx
behavioral1/memory/1908-155-0x000000013F150000-0x000000013F4A4000-memory.dmp	upx
behavioral1/memory/2380-157-0x000000013FA10000-0x000000013FD64000-memory.dmp	upx
behavioral1/memory/1980-158-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
behavioral1/memory/2748-159-0x000000013F140000-0x000000013F494000-memory.dmp	upx
behavioral1/memory/2184-160-0x000000013F560000-0x000000013F8B4000-memory.dmp	upx
behavioral1/memory/2904-161-0x000000013F830000-0x000000013FB84000-memory.dmp	upx
behavioral1/memory/2892-162-0x000000013F810000-0x000000013FB64000-memory.dmp	upx
behavioral1/memory/2648-163-0x000000013F6C0000-0x000000013FA14000-memory.dmp	upx
behavioral1/memory/2668-164-0x000000013F0C0000-0x000000013F414000-memory.dmp	upx
behavioral1/memory/2632-165-0x000000013FCB0000-0x0000000140004000-memory.dmp	upx
behavioral1/memory/1872-166-0x000000013F910000-0x000000013FC64000-memory.dmp	upx
behavioral1/memory/2072-167-0x000000013FD70000-0x00000001400C4000-memory.dmp	upx
behavioral1/memory/2720-168-0x000000013F9F0000-0x000000013FD44000-memory.dmp	upx
behavioral1/memory/1844-169-0x000000013FE70000-0x00000001401C4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\rvaDSsc.exe	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yVqTtNd.exe	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VZKIcIt.exe	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OhidWKR.exe	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MHhozTz.exe	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NCVLPfc.exe	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JkaGhgM.exe	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iigGSro.exe	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UAjrXWz.exe	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ONjcGsw.exe	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pxmAGiV.exe	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cxfLPoR.exe	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hVNKyaj.exe	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WAofIoQ.exe	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xpspNjD.exe	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bTiiXVs.exe	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rCOibZd.exe	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZDaHrDM.exe	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pYCbMko.exe	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\waiyMFH.exe	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OxBCnrU.exe	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 2380	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2528 wrote to memory of 2380	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2528 wrote to memory of 2380	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2528 wrote to memory of 1980	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2528 wrote to memory of 1980	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2528 wrote to memory of 1980	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2528 wrote to memory of 2184	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2528 wrote to memory of 2184	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2528 wrote to memory of 2184	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2528 wrote to memory of 2748	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2528 wrote to memory of 2748	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2528 wrote to memory of 2748	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2528 wrote to memory of 2904	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2528 wrote to memory of 2904	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2528 wrote to memory of 2904	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2528 wrote to memory of 2892	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2528 wrote to memory of 2892	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2528 wrote to memory of 2892	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2528 wrote to memory of 2648	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2528 wrote to memory of 2648	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2528 wrote to memory of 2648	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2528 wrote to memory of 2668	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2528 wrote to memory of 2668	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2528 wrote to memory of 2668	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2528 wrote to memory of 2632	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2528 wrote to memory of 2632	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2528 wrote to memory of 2632	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2528 wrote to memory of 1872	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2528 wrote to memory of 1872	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2528 wrote to memory of 1872	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2528 wrote to memory of 2072	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2528 wrote to memory of 2072	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2528 wrote to memory of 2072	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2528 wrote to memory of 2720	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2528 wrote to memory of 2720	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2528 wrote to memory of 2720	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2528 wrote to memory of 1844	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2528 wrote to memory of 1844	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2528 wrote to memory of 1844	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2528 wrote to memory of 1908	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2528 wrote to memory of 1908	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2528 wrote to memory of 1908	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2528 wrote to memory of 1892	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2528 wrote to memory of 1892	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2528 wrote to memory of 1892	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2528 wrote to memory of 2688	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2528 wrote to memory of 2688	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2528 wrote to memory of 2688	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2528 wrote to memory of 2936	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2528 wrote to memory of 2936	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2528 wrote to memory of 2936	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2528 wrote to memory of 2504	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2528 wrote to memory of 2504	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2528 wrote to memory of 2504	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2528 wrote to memory of 2508	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2528 wrote to memory of 2508	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2528 wrote to memory of 2508	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2528 wrote to memory of 2028	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2528 wrote to memory of 2028	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2528 wrote to memory of 2028	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2528 wrote to memory of 1208	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2528 wrote to memory of 1208	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2528 wrote to memory of 1208	2528	2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-28_6546cbc9dc745a7fd678f2ea209913ff_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\System\JkaGhgM.exe
  C:\Windows\System\JkaGhgM.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\ONjcGsw.exe
  C:\Windows\System\ONjcGsw.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System\iigGSro.exe
  C:\Windows\System\iigGSro.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\System\bTiiXVs.exe
  C:\Windows\System\bTiiXVs.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\rvaDSsc.exe
  C:\Windows\System\rvaDSsc.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\rCOibZd.exe
  C:\Windows\System\rCOibZd.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\yVqTtNd.exe
  C:\Windows\System\yVqTtNd.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\pxmAGiV.exe
  C:\Windows\System\pxmAGiV.exe
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\Windows\System\UAjrXWz.exe
  C:\Windows\System\UAjrXWz.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System\cxfLPoR.exe
  C:\Windows\System\cxfLPoR.exe
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\System\VZKIcIt.exe
  C:\Windows\System\VZKIcIt.exe
  2⤵
  - Executes dropped EXE
  PID:2072
- C:\Windows\System\waiyMFH.exe
  C:\Windows\System\waiyMFH.exe
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\Windows\System\hVNKyaj.exe
  C:\Windows\System\hVNKyaj.exe
  2⤵
  - Executes dropped EXE
  PID:1844
- C:\Windows\System\OxBCnrU.exe
  C:\Windows\System\OxBCnrU.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System\OhidWKR.exe
  C:\Windows\System\OhidWKR.exe
  2⤵
  - Executes dropped EXE
  PID:1892
- C:\Windows\System\ZDaHrDM.exe
  C:\Windows\System\ZDaHrDM.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System\pYCbMko.exe
  C:\Windows\System\pYCbMko.exe
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\Windows\System\MHhozTz.exe
  C:\Windows\System\MHhozTz.exe
  2⤵
  - Executes dropped EXE
  PID:2504
- C:\Windows\System\NCVLPfc.exe
  C:\Windows\System\NCVLPfc.exe
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Windows\System\WAofIoQ.exe
  C:\Windows\System\WAofIoQ.exe
  2⤵
  - Executes dropped EXE
  PID:2028
- C:\Windows\System\xpspNjD.exe
  C:\Windows\System\xpspNjD.exe
  2⤵
  - Executes dropped EXE
  PID:1208

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\MHhozTz.exe

Filesize
5.9MB

MD5
52f0e351fca8419256e55e9c2ac81aed

SHA1
544d7bc6ac35b61e84d9aab5cd830cb6d3fa2078

SHA256
aecc65460f2c82b17e2e7a834880347e57199912a0f602145691ca65304c7d0b

SHA512
d5f7e39edf463a74d0aa0ea7982f378d8c4f6e9fa1a22e698bf7925d87b816d048025c21801a961be409b2c35bac79395dcc692414136818f345cbfb75e5dbeb

Download Submit
C:\Windows\system\NCVLPfc.exe

Filesize
5.9MB

MD5
dda506436c490b0b405049d7e9ba87c8

SHA1
aa5a1b2c4173f1b844ceed1f436b0fd6177055ae

SHA256
e620331a73152e413c0cf37bd3008648cbf80f66160ff53ebf2da79914922e9c

SHA512
499df7ec0dceb647b6234cde5cca618f86ae7e001caeab130b0f02c6aff651e1692c06dbb0160062f98f13ae563be626f20dd9772b3d8610166cee1c1a1299a0

Download Submit
C:\Windows\system\OhidWKR.exe

Filesize
5.9MB

MD5
bd4a9efb80367ecc5e802dd760eee902

SHA1
170058a73a999d8139569d874f65fe64fcbbd45b

SHA256
ed86767326ed69ba0cae1bc0fd3f452b70c48c83d5fa20be34864ff8ad1b130f

SHA512
9ca4fdf53f7c89867d6c9001fcaac148d0a07a50762f14eef03d8fe4906ae9537efc3eb818ee9f0a5d31c04ceabcf1899a405ad6ce395298d60fd40a272d486b

Download Submit
C:\Windows\system\UAjrXWz.exe

Filesize
5.9MB

MD5
bbae8e54fabdb2fb5a2abbda6d2ca508

SHA1
cfe875d4ead93184265c3b10ff42f0639d3d4705

SHA256
454fcf6536de981ab0155aad825f064425751596958a13d53f988b566aaa8bbd

SHA512
271a6a24ff4d02f7baabef63641f9b854d814dcd15c60f753cf7ba1a8d23ffa3b35ff6c77c0e04e7e9b0304286af9b09e2e3bcf10a051f3db1677952ca3f20e8

Download Submit
C:\Windows\system\VZKIcIt.exe

Filesize
5.9MB

MD5
88a735d510a7c5cc91714b2f665cc3f5

SHA1
7feee6974c8ee04d571cb6d57d5519041768c71c

SHA256
da41f62f3ef18382310dd5f7e4c1fe6a4d28e9f2049e17304f82bbe666f03597

SHA512
4db2cf4d2e43288353800db50bcd395d926b67fa90555985a0e057a0aaa2039eda0ce907634a934b33096f5ae3063322d2808e3c692334ef4ff7aeb30dfd7a65

Download Submit
C:\Windows\system\WAofIoQ.exe

Filesize
5.9MB

MD5
4f7de7cde8f680950f6c3526e9b88dff

SHA1
04e3a1cacd84c7a418c694c6e64ade007150ed3b

SHA256
5f16478c19b352c10cc0cd79cf83cc5262c8506963ffb4e1b87baee3e0d670cb

SHA512
c0fd38162ead36aff3628cf803e25c14296d5b315a56ea8268cb8401e45eb63584a05a8b257b012b23be60fb8bee2d974a3e4d8065f67abd2583dd34603bc4de

Download Submit
C:\Windows\system\ZDaHrDM.exe

Filesize
5.9MB

MD5
64c98b407a1589136516003fe2242c67

SHA1
3d4a3042d677141963296bd3b5ba7bdfd42bbabe

SHA256
f460da7224ec565dbfa199da7164eb8397f25212f9c363811a8b462a7ebc57f6

SHA512
7629d084276b1cc5e7879d6554a9d86a7b2f79d006972290a3d11a930f85addc6d2de66781ffef048b7273e2217fff6b5428b2b98bc3f4368c0aacf927d0d137

Download Submit
C:\Windows\system\cxfLPoR.exe

Filesize
5.9MB

MD5
06916e4b34edc69d922b6645efd64c20

SHA1
9b2029c59ca4f5d3552471e1605cc6ce6b1f74a7

SHA256
a5eeeac1ae7c3ce385593584e3ff8a38e6f0897e74e854e12e93139a053b39b2

SHA512
33d366c832b94351b1be498a74a5b751b16cf1827c38424572b0008e8526c3971ade7cd9efd676a4f7a774d3ff85e1e1f8efab5addbf4fc28e7ca8e5db99c8c1

Download Submit
C:\Windows\system\hVNKyaj.exe

Filesize
5.9MB

MD5
aa123ecb7848b64a4344989ed284fb7c

SHA1
b2f81d74eee1723d991a54caa578d13e539a169f

SHA256
36b82c9db705890e473fa3daac650813b70b563092ff5ca7813640260c0bccac

SHA512
9c4359c2c4f9cd87716f1d31b4d16dc8eef260912d5cc18072d88bbb3804af5fc63808a36dfe885cd4ba61104cf75d132615130b1f728c31157fab26930b6025

Download Submit
C:\Windows\system\iigGSro.exe

Filesize
5.9MB

MD5
1a5506132d5f1725d39963ab9024e26a

SHA1
71eafa84f590c7968e6954d654cc57f93cd16016

SHA256
3145d2d247a66cdff144eb3a0a638fcb552bf0a73688e0da37edf212525133cb

SHA512
f3717413d8497d98b763e6bbb871da9b0ce1fc7f194d2f2e664df23ca684aa1d2076c76f560ad15dcb0f48f713eb5a49dea04d971bde22bd6e2b8b6b28d24910

Download Submit
C:\Windows\system\pYCbMko.exe

Filesize
5.9MB

MD5
71de019b955b86cd07d8eaceb32e6a0a

SHA1
251ca1ca0f6c8b24dd42e1f5a9a54d166d029614

SHA256
5a64d92e5cde7ce8c898fbfa5c44b5e055c4c349b72e4ce5a3e4684567b4b09e

SHA512
f712850c74c5f7dec9d69fa598adcc1b27cfb4c796db6f4ec56899ee774721d02dd2196644d5421b2661bd9d7205604cebbc4c9ed4e072cc75570692a389bfc4

Download Submit
C:\Windows\system\pxmAGiV.exe

Filesize
5.9MB

MD5
111d0cd05df9335ed1632b4d84d618c5

SHA1
0c8786dbf1cfa1bd0bd12bea0eb5526af604cce7

SHA256
8acea69242c038f911ad7f0abd9d2c7b36cae823baf580b191b0dd52b5535f7e

SHA512
f1c23566b1b341456960c573c57d4f03c6b886fea63f309913c9f75d8c45f522c5f6e9a5ab3fa6054f870edcbedc7590135524ebc74b83134158318952709abd

Download Submit
C:\Windows\system\rCOibZd.exe

Filesize
5.9MB

MD5
8e9422e3dba71398830c6e315cb92e76

SHA1
ada284345052357c2c727db89112993dac681295

SHA256
e4a397054d0471a7efdbff4a7610fb80496049f4d60b3eed6059671afdbf71e9

SHA512
3e7dae0293e35eb5ffefc8e673a97696b5ed285356a57ebb075fdfc16deefcd0462ac7a7c5474f999833aa9597f8ad0192905e43e9819063d318a02fda44890a

Download Submit
C:\Windows\system\rvaDSsc.exe

Filesize
5.9MB

MD5
999faa5b9e60d5fb10f153fc78046dfa

SHA1
05461994b0136a825d974cd16ed77647512c49b0

SHA256
4ba0e88adfc6c7a6429e5b76f9f750e2c92e9b534e8cfd8fe6375a47f82eb376

SHA512
05aebcc744c9512d22bd6f3be15dea47ebe95830f7722f849266efdddbe16715bd7085fe8e59c9873cf280bbe9777144a9fd3a0acb084157808b209a0ce8e2ea

Download Submit
C:\Windows\system\waiyMFH.exe

Filesize
5.9MB

MD5
c6e3d66796d143117c6e293f610fc5ea

SHA1
b94d9b2606e92986d68d942a7b5e82fdce17b70f

SHA256
8348cf9b9475e619a986bb943f216e804145941629cc42cfe5c4d4aae695f77a

SHA512
1397b651ed5f026797d1876d96074020c1658a0ffbef04254f1235229dbbbcc998d4e360b5e43302e234244618075ed84a4958583c9e41ba3e00a6aea7832d6a

Download Submit
C:\Windows\system\yVqTtNd.exe

Filesize
5.9MB

MD5
48505482948829d3aaff6e4cea331a2d

SHA1
681f740a30730284ebc6f946a34895644177ed23

SHA256
1d9d3fde33c5a95f8bb863144560675cc75b63b78806bb07fc23d7055ce239f9

SHA512
254319aaa3520f36229f0c6ed315d7f841231bdd3a8e58cc4a90d5affdaff99b3f806d8cb1e13e4b8a302cf1d353706b1fb185e40512af0726ef6ec9950cdc63

Download Submit
\Windows\system\JkaGhgM.exe

Filesize
5.9MB

MD5
907a9c498ac479a4b4f0ee9b9f0f3c56

SHA1
b926edb04d6f91de8ce868b66dcb0d717545e70a

SHA256
8823b536092ea0b0067d110f64cab0cd6ba712e2f0a2378d6eab8895ae287a37

SHA512
9d7b63d7f23b12548fb89a8b92ca25f8664d149408962de0fce3c6320b6fb1a843c8be5b71b903b2121f4fff14e5961ad30fe76e6cbd4ba64bff6b6765a96b01

Download Submit
\Windows\system\ONjcGsw.exe

Filesize
5.9MB

MD5
72379bab4527fed3aa099706c4c42dd4

SHA1
35d7c406a9701abde064e0d6bd9f288ed15d8203

SHA256
23a561db96ea256e6a288837ca02772ab47c905b2a58de02518ab869c1b4b850

SHA512
d1da573f4ec097425faf029dd91160fd21c5e79ad0343a1f052d401c4d6a21fceeb87ab84792594fa9ed0e22a5188798a4fea513e81cc80121889bb476a512e0

Download Submit
\Windows\system\OxBCnrU.exe

Filesize
5.9MB

MD5
a39bd6b5a669be4689cbb772e03bf042

SHA1
e20f7cf93ae77862250c09dc357c6e6cf2bb45a5

SHA256
0d0f8311d7fa55b88cb453a7da80ba3b802ee6cad724371fcd62ab9e924b8d5a

SHA512
d490f23e78091f7c936baf6ed9a24dedae8ed88a4e981c02d3bfbe2c90fb5b2ff7fb013b3813adde87a6280787e5cbdea1ae002d4907fab823d8f03d0d40039e

Download Submit
\Windows\system\bTiiXVs.exe

Filesize
5.9MB

MD5
38356dc0d39bc038885d50734e35c225

SHA1
c2d59ae6c04034d004f278c846c6d67cccb2dd5b

SHA256
2f99ff785aa5acc100c196c8ca6f482b4ef4545c7f9b1f1ea715b744a503b19a

SHA512
75f2d41ee2b8aa3b40190a007918cd1f7dcb4304f362033cdc2788c15be5d3dc941b4e42efb78d7af813b80f1c83b47f9be2ea978db4470155b5e2873a420383

Download Submit
\Windows\system\xpspNjD.exe

Filesize
5.9MB

MD5
6c5156cd272b218a3c07451068c94893

SHA1
55ba130722b8b27c59287915c1283b2c9dceed57

SHA256
3a1da06f9313961f972f8737e4f62c66efbcbd831edbc529b48304918cad24dd

SHA512
b44feaadb2fe84e7560dd04ef02f4feb969233e05a8205857e06f5920e79763af9f0288d10a7f122a13b0f2a5da50359e934b2fb054c67dd4bbe20b96aa5c44d

Download Submit
memory/1844-100-0x000000013FE70000-0x00000001401C4000-memory.dmp

Filesize
3.3MB

Download
memory/1844-153-0x000000013FE70000-0x00000001401C4000-memory.dmp

Filesize
3.3MB

Download
memory/1844-169-0x000000013FE70000-0x00000001401C4000-memory.dmp

Filesize
3.3MB

Download
memory/1872-166-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/1872-148-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/1872-75-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/1908-170-0x000000013F150000-0x000000013F4A4000-memory.dmp

Filesize
3.3MB

Download
memory/1908-109-0x000000013F150000-0x000000013F4A4000-memory.dmp

Filesize
3.3MB

Download
memory/1908-155-0x000000013F150000-0x000000013F4A4000-memory.dmp

Filesize
3.3MB

Download
memory/1980-51-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/1980-14-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/1980-158-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2072-167-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/2072-149-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/2072-82-0x000000013FD70000-0x00000001400C4000-memory.dmp

Filesize
3.3MB

Download
memory/2184-21-0x000000013F560000-0x000000013F8B4000-memory.dmp

Filesize
3.3MB

Download
memory/2184-59-0x000000013F560000-0x000000013F8B4000-memory.dmp

Filesize
3.3MB

Download
memory/2184-160-0x000000013F560000-0x000000013F8B4000-memory.dmp

Filesize
3.3MB

Download
memory/2380-42-0x000000013FA10000-0x000000013FD64000-memory.dmp

Filesize
3.3MB

Download
memory/2380-157-0x000000013FA10000-0x000000013FD64000-memory.dmp

Filesize
3.3MB

Download
memory/2528-96-0x000000013FE70000-0x00000001401C4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-55-0x000000013F0C0000-0x000000013F414000-memory.dmp

Filesize
3.3MB

Download
memory/2528-0-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-1-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/2528-95-0x000000013F0C0000-0x000000013F414000-memory.dmp

Filesize
3.3MB

Download
memory/2528-6-0x000000013FA10000-0x000000013FD64000-memory.dmp

Filesize
3.3MB

Download
memory/2528-12-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2528-104-0x000000013FCB0000-0x0000000140004000-memory.dmp

Filesize
3.3MB

Download
memory/2528-87-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2528-152-0x000000013FE70000-0x00000001401C4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-150-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2528-18-0x00000000022D0000-0x0000000002624000-memory.dmp

Filesize
3.3MB

Download
memory/2528-105-0x00000000022D0000-0x0000000002624000-memory.dmp

Filesize
3.3MB

Download
memory/2528-23-0x00000000022D0000-0x0000000002624000-memory.dmp

Filesize
3.3MB

Download
memory/2528-35-0x000000013F460000-0x000000013F7B4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-113-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/2528-114-0x00000000022D0000-0x0000000002624000-memory.dmp

Filesize
3.3MB

Download
memory/2528-156-0x00000000022D0000-0x0000000002624000-memory.dmp

Filesize
3.3MB

Download
memory/2528-86-0x00000000022D0000-0x0000000002624000-memory.dmp

Filesize
3.3MB

Download
memory/2528-71-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/2528-31-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/2528-63-0x000000013FCB0000-0x0000000140004000-memory.dmp

Filesize
3.3MB

Download
memory/2528-154-0x00000000022D0000-0x0000000002624000-memory.dmp

Filesize
3.3MB

Download
memory/2528-39-0x000000013FA10000-0x000000013FD64000-memory.dmp

Filesize
3.3MB

Download
memory/2528-47-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2632-165-0x000000013FCB0000-0x0000000140004000-memory.dmp

Filesize
3.3MB

Download
memory/2632-67-0x000000013FCB0000-0x0000000140004000-memory.dmp

Filesize
3.3MB

Download
memory/2632-108-0x000000013FCB0000-0x0000000140004000-memory.dmp

Filesize
3.3MB

Download
memory/2648-90-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/2648-52-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/2648-163-0x000000013F6C0000-0x000000013FA14000-memory.dmp

Filesize
3.3MB

Download
memory/2668-60-0x000000013F0C0000-0x000000013F414000-memory.dmp

Filesize
3.3MB

Download
memory/2668-99-0x000000013F0C0000-0x000000013F414000-memory.dmp

Filesize
3.3MB

Download
memory/2668-164-0x000000013F0C0000-0x000000013F414000-memory.dmp

Filesize
3.3MB

Download
memory/2720-91-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2720-151-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2720-168-0x000000013F9F0000-0x000000013FD44000-memory.dmp

Filesize
3.3MB

Download
memory/2748-28-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/2748-66-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/2748-159-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/2892-81-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/2892-43-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/2892-162-0x000000013F810000-0x000000013FB64000-memory.dmp

Filesize
3.3MB

Download
memory/2904-36-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/2904-74-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download
memory/2904-161-0x000000013F830000-0x000000013FB84000-memory.dmp

Filesize
3.3MB

Download