cobaltstrike | 5fc747c3008aa2ab87523b9242cc0f104a4f1df79d3789e871f49d994ac1dc03

Analysis

max time kernel
133s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-01-2025 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

ba68ae26a3c58fdb4162cc4c2ee13012
SHA1

46952a1c36a3c3f6bc908dd28e471f036f127ae9
SHA256

5fc747c3008aa2ab87523b9242cc0f104a4f1df79d3789e871f49d994ac1dc03
SHA512

779d76b6ddf33b6c4a0755962809629b928d86978a7e2d674538d3cf1827f5c916f25c61ea92f00d214938f8c30abcad058f110b4f81fed84cd675cc69dc0834
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lUm:E+b56utgpPF8u/7m

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000a000000012033-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d07-9.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015d19-15.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d30-20.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d48-23.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016c9b-51.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019220-103.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191fd-93.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000190c9-85.dat	cobalt_reflective_dll
behavioral1/files/0x0014000000018657-80.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001878d-76.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001867d-57.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019238-113.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019217-112.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191f3-100.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000190c6-90.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d70-50.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000015da1-72.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000186c8-66.dat	cobalt_reflective_dll
behavioral1/files/0x000d000000018662-65.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000015d68-64.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 49 IoCs

miner

resource	yara_rule
behavioral1/memory/2224-0-0x000000013F800000-0x000000013FB54000-memory.dmp	xmrig
behavioral1/files/0x000a000000012033-3.dat	xmrig
behavioral1/files/0x0008000000015d07-9.dat	xmrig
behavioral1/memory/2068-16-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/files/0x0008000000015d19-15.dat	xmrig
behavioral1/files/0x0007000000015d30-20.dat	xmrig
behavioral1/memory/1864-24-0x000000013F140000-0x000000013F494000-memory.dmp	xmrig
behavioral1/files/0x0007000000015d48-23.dat	xmrig
behavioral1/memory/2268-117-0x000000013F660000-0x000000013F9B4000-memory.dmp	xmrig
behavioral1/files/0x0008000000016c9b-51.dat	xmrig
behavioral1/files/0x0005000000019220-103.dat	xmrig
behavioral1/memory/2524-97-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/memory/2180-95-0x000000013F030000-0x000000013F384000-memory.dmp	xmrig
behavioral1/files/0x00050000000191fd-93.dat	xmrig
behavioral1/files/0x00060000000190c9-85.dat	xmrig
behavioral1/files/0x0014000000018657-80.dat	xmrig
behavioral1/memory/2860-77-0x000000013F710000-0x000000013FA64000-memory.dmp	xmrig
behavioral1/files/0x000500000001878d-76.dat	xmrig
behavioral1/memory/2896-60-0x000000013F540000-0x000000013F894000-memory.dmp	xmrig
behavioral1/files/0x000500000001867d-57.dat	xmrig
behavioral1/memory/2080-120-0x000000013F170000-0x000000013F4C4000-memory.dmp	xmrig
behavioral1/memory/2224-119-0x000000013FBF0000-0x000000013FF44000-memory.dmp	xmrig
behavioral1/memory/2876-118-0x000000013F8B0000-0x000000013FC04000-memory.dmp	xmrig
behavioral1/files/0x0005000000019238-113.dat	xmrig
behavioral1/files/0x0005000000019217-112.dat	xmrig
behavioral1/files/0x00050000000191f3-100.dat	xmrig
behavioral1/files/0x00060000000190c6-90.dat	xmrig
behavioral1/files/0x0007000000015d70-50.dat	xmrig
behavioral1/memory/2756-75-0x000000013F8B0000-0x000000013FC04000-memory.dmp	xmrig
behavioral1/files/0x0008000000015da1-72.dat	xmrig
behavioral1/memory/2224-71-0x0000000002340000-0x0000000002694000-memory.dmp	xmrig
behavioral1/memory/2400-68-0x000000013FF30000-0x0000000140284000-memory.dmp	xmrig
behavioral1/files/0x00050000000186c8-66.dat	xmrig
behavioral1/files/0x000d000000018662-65.dat	xmrig
behavioral1/files/0x0007000000015d68-64.dat	xmrig
behavioral1/memory/2892-42-0x000000013FCD0000-0x0000000140024000-memory.dmp	xmrig
behavioral1/memory/2224-134-0x000000013F800000-0x000000013FB54000-memory.dmp	xmrig
behavioral1/memory/2068-136-0x000000013FAE0000-0x000000013FE34000-memory.dmp	xmrig
behavioral1/memory/2892-137-0x000000013FCD0000-0x0000000140024000-memory.dmp	xmrig
behavioral1/memory/1864-138-0x000000013F140000-0x000000013F494000-memory.dmp	xmrig
behavioral1/memory/2896-139-0x000000013F540000-0x000000013F894000-memory.dmp	xmrig
behavioral1/memory/2400-140-0x000000013FF30000-0x0000000140284000-memory.dmp	xmrig
behavioral1/memory/2860-141-0x000000013F710000-0x000000013FA64000-memory.dmp	xmrig
behavioral1/memory/2756-142-0x000000013F8B0000-0x000000013FC04000-memory.dmp	xmrig
behavioral1/memory/2524-143-0x000000013FFF0000-0x0000000140344000-memory.dmp	xmrig
behavioral1/memory/2180-144-0x000000013F030000-0x000000013F384000-memory.dmp	xmrig
behavioral1/memory/2876-146-0x000000013F8B0000-0x000000013FC04000-memory.dmp	xmrig
behavioral1/memory/2268-145-0x000000013F660000-0x000000013F9B4000-memory.dmp	xmrig
behavioral1/memory/2080-147-0x000000013F170000-0x000000013F4C4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2068	fntKBBp.exe
2892	vuLvKZs.exe
1864	uUHgTIc.exe
2896	pCDFiVT.exe
2400	edNgqBm.exe
2756	nrFPWBF.exe
2860	RlOAEDG.exe
2268	rYlmAKW.exe
2180	cSrknCU.exe
2524	DjdSXbp.exe
2876	rymamcw.exe
2080	rYRcABB.exe
320	cEvOtCU.exe
484	KbWHhFu.exe
1240	tBxzabu.exe
2940	bPlIYiw.exe
2656	MtAbBVn.exe
2660	JzcAecJ.exe
1484	NKVRSSE.exe
2980	RzezDzp.exe
2152	IvVtowK.exe

Loads dropped DLL 21 IoCs

pid	Process
2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 47 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2224-0-0x000000013F800000-0x000000013FB54000-memory.dmp	upx
behavioral1/files/0x000a000000012033-3.dat	upx
behavioral1/files/0x0008000000015d07-9.dat	upx
behavioral1/memory/2068-16-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx
behavioral1/files/0x0008000000015d19-15.dat	upx
behavioral1/files/0x0007000000015d30-20.dat	upx
behavioral1/memory/1864-24-0x000000013F140000-0x000000013F494000-memory.dmp	upx
behavioral1/files/0x0007000000015d48-23.dat	upx
behavioral1/memory/2268-117-0x000000013F660000-0x000000013F9B4000-memory.dmp	upx
behavioral1/files/0x0008000000016c9b-51.dat	upx
behavioral1/files/0x0005000000019220-103.dat	upx
behavioral1/memory/2524-97-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/memory/2180-95-0x000000013F030000-0x000000013F384000-memory.dmp	upx
behavioral1/files/0x00050000000191fd-93.dat	upx
behavioral1/files/0x00060000000190c9-85.dat	upx
behavioral1/files/0x0014000000018657-80.dat	upx
behavioral1/memory/2860-77-0x000000013F710000-0x000000013FA64000-memory.dmp	upx
behavioral1/files/0x000500000001878d-76.dat	upx
behavioral1/memory/2896-60-0x000000013F540000-0x000000013F894000-memory.dmp	upx
behavioral1/files/0x000500000001867d-57.dat	upx
behavioral1/memory/2080-120-0x000000013F170000-0x000000013F4C4000-memory.dmp	upx
behavioral1/memory/2876-118-0x000000013F8B0000-0x000000013FC04000-memory.dmp	upx
behavioral1/files/0x0005000000019238-113.dat	upx
behavioral1/files/0x0005000000019217-112.dat	upx
behavioral1/files/0x00050000000191f3-100.dat	upx
behavioral1/files/0x00060000000190c6-90.dat	upx
behavioral1/files/0x0007000000015d70-50.dat	upx
behavioral1/memory/2756-75-0x000000013F8B0000-0x000000013FC04000-memory.dmp	upx
behavioral1/files/0x0008000000015da1-72.dat	upx
behavioral1/memory/2400-68-0x000000013FF30000-0x0000000140284000-memory.dmp	upx
behavioral1/files/0x00050000000186c8-66.dat	upx
behavioral1/files/0x000d000000018662-65.dat	upx
behavioral1/files/0x0007000000015d68-64.dat	upx
behavioral1/memory/2892-42-0x000000013FCD0000-0x0000000140024000-memory.dmp	upx
behavioral1/memory/2224-134-0x000000013F800000-0x000000013FB54000-memory.dmp	upx
behavioral1/memory/2068-136-0x000000013FAE0000-0x000000013FE34000-memory.dmp	upx
behavioral1/memory/2892-137-0x000000013FCD0000-0x0000000140024000-memory.dmp	upx
behavioral1/memory/1864-138-0x000000013F140000-0x000000013F494000-memory.dmp	upx
behavioral1/memory/2896-139-0x000000013F540000-0x000000013F894000-memory.dmp	upx
behavioral1/memory/2400-140-0x000000013FF30000-0x0000000140284000-memory.dmp	upx
behavioral1/memory/2860-141-0x000000013F710000-0x000000013FA64000-memory.dmp	upx
behavioral1/memory/2756-142-0x000000013F8B0000-0x000000013FC04000-memory.dmp	upx
behavioral1/memory/2524-143-0x000000013FFF0000-0x0000000140344000-memory.dmp	upx
behavioral1/memory/2180-144-0x000000013F030000-0x000000013F384000-memory.dmp	upx
behavioral1/memory/2876-146-0x000000013F8B0000-0x000000013FC04000-memory.dmp	upx
behavioral1/memory/2268-145-0x000000013F660000-0x000000013F9B4000-memory.dmp	upx
behavioral1/memory/2080-147-0x000000013F170000-0x000000013F4C4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\bPlIYiw.exe	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pCDFiVT.exe	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rYlmAKW.exe	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cSrknCU.exe	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cEvOtCU.exe	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NKVRSSE.exe	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KbWHhFu.exe	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fntKBBp.exe	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uUHgTIc.exe	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rymamcw.exe	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MtAbBVn.exe	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vuLvKZs.exe	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\edNgqBm.exe	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rYRcABB.exe	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JzcAecJ.exe	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RzezDzp.exe	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nrFPWBF.exe	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RlOAEDG.exe	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DjdSXbp.exe	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tBxzabu.exe	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IvVtowK.exe	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2068	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2224 wrote to memory of 2068	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2224 wrote to memory of 2068	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2224 wrote to memory of 2892	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2224 wrote to memory of 2892	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2224 wrote to memory of 2892	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2224 wrote to memory of 1864	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2224 wrote to memory of 1864	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2224 wrote to memory of 1864	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2224 wrote to memory of 2896	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2224 wrote to memory of 2896	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2224 wrote to memory of 2896	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2224 wrote to memory of 2400	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2224 wrote to memory of 2400	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2224 wrote to memory of 2400	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2224 wrote to memory of 2268	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2224 wrote to memory of 2268	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2224 wrote to memory of 2268	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2224 wrote to memory of 2756	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2224 wrote to memory of 2756	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2224 wrote to memory of 2756	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2224 wrote to memory of 2876	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2224 wrote to memory of 2876	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2224 wrote to memory of 2876	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2224 wrote to memory of 2860	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2224 wrote to memory of 2860	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2224 wrote to memory of 2860	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2224 wrote to memory of 2080	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2224 wrote to memory of 2080	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2224 wrote to memory of 2080	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2224 wrote to memory of 2180	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2224 wrote to memory of 2180	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2224 wrote to memory of 2180	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2224 wrote to memory of 2656	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2224 wrote to memory of 2656	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2224 wrote to memory of 2656	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2224 wrote to memory of 2524	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2224 wrote to memory of 2524	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2224 wrote to memory of 2524	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2224 wrote to memory of 2660	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2224 wrote to memory of 2660	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2224 wrote to memory of 2660	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2224 wrote to memory of 320	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2224 wrote to memory of 320	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2224 wrote to memory of 320	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2224 wrote to memory of 1484	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2224 wrote to memory of 1484	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2224 wrote to memory of 1484	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2224 wrote to memory of 484	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2224 wrote to memory of 484	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2224 wrote to memory of 484	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2224 wrote to memory of 2980	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2224 wrote to memory of 2980	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2224 wrote to memory of 2980	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2224 wrote to memory of 1240	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2224 wrote to memory of 1240	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2224 wrote to memory of 1240	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2224 wrote to memory of 2152	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2224 wrote to memory of 2152	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2224 wrote to memory of 2152	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2224 wrote to memory of 2940	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2224 wrote to memory of 2940	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2224 wrote to memory of 2940	2224	2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-28_ba68ae26a3c58fdb4162cc4c2ee13012_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\System\fntKBBp.exe
  C:\Windows\System\fntKBBp.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System\vuLvKZs.exe
  C:\Windows\System\vuLvKZs.exe
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Windows\System\uUHgTIc.exe
  C:\Windows\System\uUHgTIc.exe
  2⤵
  - Executes dropped EXE
  PID:1864
- C:\Windows\System\pCDFiVT.exe
  C:\Windows\System\pCDFiVT.exe
  2⤵
  - Executes dropped EXE
  PID:2896
- C:\Windows\System\edNgqBm.exe
  C:\Windows\System\edNgqBm.exe
  2⤵
  - Executes dropped EXE
  PID:2400
- C:\Windows\System\rYlmAKW.exe
  C:\Windows\System\rYlmAKW.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System\nrFPWBF.exe
  C:\Windows\System\nrFPWBF.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\rymamcw.exe
  C:\Windows\System\rymamcw.exe
  2⤵
  - Executes dropped EXE
  PID:2876
- C:\Windows\System\RlOAEDG.exe
  C:\Windows\System\RlOAEDG.exe
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Windows\System\rYRcABB.exe
  C:\Windows\System\rYRcABB.exe
  2⤵
  - Executes dropped EXE
  PID:2080
- C:\Windows\System\cSrknCU.exe
  C:\Windows\System\cSrknCU.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System\MtAbBVn.exe
  C:\Windows\System\MtAbBVn.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\DjdSXbp.exe
  C:\Windows\System\DjdSXbp.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System\JzcAecJ.exe
  C:\Windows\System\JzcAecJ.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\cEvOtCU.exe
  C:\Windows\System\cEvOtCU.exe
  2⤵
  - Executes dropped EXE
  PID:320
- C:\Windows\System\NKVRSSE.exe
  C:\Windows\System\NKVRSSE.exe
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\Windows\System\KbWHhFu.exe
  C:\Windows\System\KbWHhFu.exe
  2⤵
  - Executes dropped EXE
  PID:484
- C:\Windows\System\RzezDzp.exe
  C:\Windows\System\RzezDzp.exe
  2⤵
  - Executes dropped EXE
  PID:2980
- C:\Windows\System\tBxzabu.exe
  C:\Windows\System\tBxzabu.exe
  2⤵
  - Executes dropped EXE
  PID:1240
- C:\Windows\System\IvVtowK.exe
  C:\Windows\System\IvVtowK.exe
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\System\bPlIYiw.exe
  C:\Windows\System\bPlIYiw.exe
  2⤵
  - Executes dropped EXE
  PID:2940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\DjdSXbp.exe

Filesize
5.9MB

MD5
70f2be84153809514587cb7f0a35e3fc

SHA1
f2efcd0d6e40063f36742e7352538bf4223e7531

SHA256
7fae277f0831bcd39780a081680b9bc280f211cf526649e23bc1eafcbe6d83d5

SHA512
002aef80c937261ee7fa73a492ebf329262dda571cad0243205be6bb938677eb90a5ef8696761a29890550744a03e1a50481bb59e2245c33a1d9e41c086c430e

Download Submit
C:\Windows\system\KbWHhFu.exe

Filesize
5.9MB

MD5
65d39e35a405dda8769354ab8f3a53b0

SHA1
99a0b6ccf45f5671e2681f2eccfb6e91e2057613

SHA256
4f9f03039007f026dfbcd631c0fae560a0061538be3d1a260788fac36240d95b

SHA512
ac330fa0aef27bf253dc6478dd841f0901e4f72b19f3d175231a8ed7e02c0f4fda7a276c12a7869198fe97b45b6a540404a80db908909687cbef189467028ccd

Download Submit
C:\Windows\system\RlOAEDG.exe

Filesize
5.9MB

MD5
014b32a6c9996a9ae34a2f6b77aa62fa

SHA1
6607109e684b3889a2c13667519334b9d1507e25

SHA256
8d163d8c4532c87aa120d09d4da1b42fc918360d3d130a574c8e6f3f6990c1b0

SHA512
a3c4a1405822d1577fd5f1bc2891e3a9faef6d56d7c07c6e411148eb4bdd23e544f2f406e99c922b714c18a09d091e15a19078398681aae943c120e2064cb556

Download Submit
C:\Windows\system\bPlIYiw.exe

Filesize
5.9MB

MD5
37226beb11c4c6badf7eb5fd88ccbc04

SHA1
f05d53abf193109abcbeaebaacc2447219805768

SHA256
900fde47b6a6b64bc0e340fe9e51744dddb82f88bf313efc77a2ebede0c9f10f

SHA512
27c7c6d010d205530fa68872d9d6cb1e612f891288c7cf5d0348737a586b55cd5e2c77b95bfbda3c07339e384e67789b761c3223a6c9a97e30cf29eab81a234b

Download Submit
C:\Windows\system\cEvOtCU.exe

Filesize
5.9MB

MD5
276a9f3c812c2acced8e9653d520a82b

SHA1
5acee35dfe747b961392a4d4a83feb066301e024

SHA256
0a7b4ac2aa02f4933c290f58d93e77590b89a43de855fa47bb26e0e01ec959e0

SHA512
6185ea452c496a2bddf5a91c855d4ed999fdb3ac0f4dbbe11f19fcfee90e3c74137c5f5e687c6a65b5c9c545257ff68dbcd015196fe4ebb85f005ba20abed3c9

Download Submit
C:\Windows\system\cSrknCU.exe

Filesize
5.9MB

MD5
4b0abd940ab33f82e931838fffff07b5

SHA1
d8084820befb28097e77cbf3236042da73bd618a

SHA256
237ba8f266ee608f38b77010af236456d776d275d51e3cf65f9ad6051878e29a

SHA512
4e5dd31bced5cdb772d874e98d2b7a0bab862dc6467f58d8199e1dcf444ca15fa62354b187e9c1e21c9643abaf9581308a9144449607a52d43b5e2e1463e5d62

Download Submit
C:\Windows\system\nrFPWBF.exe

Filesize
5.9MB

MD5
526424c9ccbd90805f91a54fa9587588

SHA1
fb49682c3722142f938e4efc0911a6557194faf1

SHA256
b2ff38989f782c2027bfa18de839f7ce2fcabb4f9278e1ecec2964eda49e0cb1

SHA512
e4550021ffc06c4c4d6405d616652494e685c6cc8ae356c6dd9544282c9725e8fd28316571b8c0a3c2cef55a33b805f29a7f1f6d0fab3123e3740590210ca3e3

Download Submit
C:\Windows\system\rYRcABB.exe

Filesize
5.9MB

MD5
66c8f2031af752438bd2057e536d6cd1

SHA1
5e1f429564071756a42b25b87985d23440390ccb

SHA256
6a9c25f9feac2977689aa4e59a5e069601c026e37374983cc2fee94026cf04c2

SHA512
99556ef1937e9134cf102d1b290062dc981a02b7b92dcd6bab0ccb8fbd93acbecf51f0ef4319e50c4d02554b3dade8a27f2dabb20d8e5256581b4166f51d3512

Download Submit
C:\Windows\system\rYlmAKW.exe

Filesize
5.9MB

MD5
fae5e68d739a5ba95ea998697f2f7328

SHA1
74345f5638a178f0a2063edbd68c9db53167ec9c

SHA256
c3ce4046a584ef402a9bf7888769b84df446666cf8984ff8c7800912f8c52032

SHA512
ec90edfb32bcea9735b9294dfa47bbcfb2d58b1d09f7a37e4e6637ac25e52f1662f1cb92d28848e8b07f87f1310206a165008bf4d9d4e77ea25a645c2694faa1

Download Submit
C:\Windows\system\rymamcw.exe

Filesize
5.9MB

MD5
adab395065f457c5efb3d3fe2f2996bc

SHA1
4791b7e4403374ead2da570bb606dbc368a06fcc

SHA256
ff1aed85631919758c12abd4f6a0e6bf9831b8e37113ce21ebaaae176740baf8

SHA512
bb05fe6656b7ea2242c22b71162b0f0f589b6a8c46ae95b72d36f2be0f49f61edff0115e789f1863a483b430da1b8f180d3fd12a81d3e51311e394be777cd6fe

Download Submit
C:\Windows\system\tBxzabu.exe

Filesize
5.9MB

MD5
dcbd34e50a44beb4146685903a3cf04b

SHA1
e5a187132cd6ad0cdb1bbab4be07c1b5445374e3

SHA256
8a22879f35b4c30b2d4ce6cfa88719697750584b1ba7d1d492d272bdf8c71cd8

SHA512
9b8534e4f5de6e8a6c5db428b13a1d839dd2b89544125096e094756834f78c6033657cc11db2fd15c96354dc12f30d8f28f43a29df8d0d6745e23dfc1880b8e8

Download Submit
C:\Windows\system\uUHgTIc.exe

Filesize
5.9MB

MD5
7dba7f0348feebe7ded6a447d95e0f8e

SHA1
5d7d79a22d2bf6163f602fc8c924cf3d93d724c7

SHA256
b1a80c926f70503428a776277b7ce6fa0a413d4b5d48a0207b2df1abe50009be

SHA512
2c8c123b3a12b51753d419bd839a0b00d98fd0ecbef188019593d6d8731ba542f2758163a1c7e60ff1bad43015e67706141aeb00b1e7c4055297b2001ce6abd5

Download Submit
C:\Windows\system\vuLvKZs.exe

Filesize
5.9MB

MD5
334efad0dc1389af154cea5247292fa7

SHA1
4e7f06b989deb240d6aa1929894a0317508ab6d8

SHA256
4a7c40d8f1d85ae051cd7dea94d2579b51dfa15c196b213bc24cbc0de56791a1

SHA512
221ff91adcf9135704eabd0566fa7fdee8e3a435b80e19b2451ad3b9c9e01a02b0972f574f21b0a1a74a45ea3ea378120103775967736ce7ac0f0cd952003756

Download Submit
\Windows\system\IvVtowK.exe

Filesize
5.9MB

MD5
ab2384c874084de9efd8fe65daa9610a

SHA1
9fea68393819f6a10e9087828b295149dd25a7e2

SHA256
993ddb1483337d60fa0156b001de1fa78368b9eb85c0c5366e08662f618549b3

SHA512
76baf862295ddbd3d39909b8ada2ca431b84c4cc918efc206a116ca0596f0c7a203a69a7e6c6e6e18bfbd5f3468c65f8f2964dd6b2ef14e4279a32cc37136e3d

Download Submit
\Windows\system\JzcAecJ.exe

Filesize
5.9MB

MD5
456bb008c84cce17be2ad4375cf66023

SHA1
64dd86c495e8062f4d7358270d5fa62b1fd746d4

SHA256
b24827646af1332d5860b12aabb77f23a8d49c750999b80e1bd2e7e03eb12e4c

SHA512
4c576de520c284b8986e8f82c068fb4b08fcbeaa882279c2bb865106edcd771845eb54734136d7a3364c6a7a8150e6f96ea154a35f276693c8f3d143885d77d2

Download Submit
\Windows\system\MtAbBVn.exe

Filesize
5.9MB

MD5
d262eb7e8a1a2389b54da1597a24250b

SHA1
135e06df1eb1bd3090bf0e70f6b15b83e3f032c4

SHA256
132f986387eb3fd6de1afee3f0a1fa5be1dd95210e7f1e4e4caf77dcfe530e06

SHA512
fab57bfdb2e994cae124c2a1a9755dac855833a90edec8e3b940e5d7038ef46ee263da140dd83361cec8c820fb77efb44d77a3fc6881d82b57bf6b379d68014a

Download Submit
\Windows\system\NKVRSSE.exe

Filesize
5.9MB

MD5
85b3fccc13d2ad36c529c84694512938

SHA1
d895a30996aadfd75ed2da2ad99f54959d36b9ee

SHA256
be5853c930e063d9e9ac6f48d54d9adfc713ac40d352c23b6ab0584838b3cee5

SHA512
7a48fe6f15e770e46567c954555047017088a0f6c7064201f6f219a86c329e62a2286947cb0b13b85ade110c10b447e42dc56d96be5ae00826d13579cae7ff44

Download Submit
\Windows\system\RzezDzp.exe

Filesize
5.9MB

MD5
256d6c93fa93736442438ec827fa34c3

SHA1
c4867e9fc66943fd29967e5e1697582cd4b4317f

SHA256
9790b94605e582eb9749f59c2d228d66472ed8e3213d22f1044db28d780aabe1

SHA512
c4791c58091eeaf19667b76e1dec7bd4c599fb0fec2a87267778887da753d0989408d00511cb10342b5e5d45cf6e62780e4dad38f7ba65f1ccf7d7213c4bec0e

Download Submit
\Windows\system\edNgqBm.exe

Filesize
5.9MB

MD5
21e7617f608c4fb78d64b0c8a5ae7037

SHA1
652bf4286488aab73bf3a7bdec7fd22574a56643

SHA256
569587249c2ad8cb350cdb34ff4d6cb1627666dcb285b42514a30698f8b91711

SHA512
9d6ef7782402eeb4b9685ad43598079a7c7da39896fab0cd5835e1c1faaf85dc474fa1e0152cd9aae453c01b83b8fb437c86c4ab315352ce9fe5462b75ff9fd7

Download Submit
\Windows\system\fntKBBp.exe

Filesize
5.9MB

MD5
f4cd4e99b74c68375902e70797f4ed55

SHA1
90d0b6d3c8a8331700841f6374be2d79b2a4f2b3

SHA256
62150fcf35ae60a30061c1a22e4d537c292dfa2a57db444e87c651ea865e3962

SHA512
db88623e5c6a13c1a26a6fcc58388f76f37b9b1809e6853dcbe83b8545c1a5f3f23a0425368751c8af2c5dc3bb1da55ac176e714c1b275f07fef2287216676f9

Download Submit
\Windows\system\pCDFiVT.exe

Filesize
5.9MB

MD5
3f5ee1731e5bfdacbd80c35ed9b9a31f

SHA1
db4729102c575cc6e4e70b7daec498272ffdbed6

SHA256
474d2dfe8894ecf49394ea4058f43634103e8a0aad524479cb3752d9bae73733

SHA512
d395e627ed1b0d0f104a0b76f9aa56916b2e7131eb8954e2d2180285a6bfae968f8e21f9dab994500a654180606e7353da00b68384c82cae7cfd6c8fb3fa5474

Download Submit
memory/1864-138-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/1864-24-0x000000013F140000-0x000000013F494000-memory.dmp

Filesize
3.3MB

Download
memory/2068-136-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2068-16-0x000000013FAE0000-0x000000013FE34000-memory.dmp

Filesize
3.3MB

Download
memory/2080-147-0x000000013F170000-0x000000013F4C4000-memory.dmp

Filesize
3.3MB

Download
memory/2080-120-0x000000013F170000-0x000000013F4C4000-memory.dmp

Filesize
3.3MB

Download
memory/2180-144-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/2180-95-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/2224-71-0x0000000002340000-0x0000000002694000-memory.dmp

Filesize
3.3MB

Download
memory/2224-33-0x0000000002340000-0x0000000002694000-memory.dmp

Filesize
3.3MB

Download
memory/2224-78-0x000000013F030000-0x000000013F384000-memory.dmp

Filesize
3.3MB

Download
memory/2224-109-0x000000013F3C0000-0x000000013F714000-memory.dmp

Filesize
3.3MB

Download
memory/2224-115-0x0000000002340000-0x0000000002694000-memory.dmp

Filesize
3.3MB

Download
memory/2224-92-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2224-116-0x000000013F170000-0x000000013F4C4000-memory.dmp

Filesize
3.3MB

Download
memory/2224-135-0x000000013FCD0000-0x0000000140024000-memory.dmp

Filesize
3.3MB

Download
memory/2224-134-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/2224-73-0x0000000002340000-0x0000000002694000-memory.dmp

Filesize
3.3MB

Download
memory/2224-119-0x000000013FBF0000-0x000000013FF44000-memory.dmp

Filesize
3.3MB

Download
memory/2224-0-0x000000013F800000-0x000000013FB54000-memory.dmp

Filesize
3.3MB

Download
memory/2224-133-0x0000000002340000-0x0000000002694000-memory.dmp

Filesize
3.3MB

Download
memory/2224-19-0x000000013FCD0000-0x0000000140024000-memory.dmp

Filesize
3.3MB

Download
memory/2224-121-0x000000013F490000-0x000000013F7E4000-memory.dmp

Filesize
3.3MB

Download
memory/2224-1-0x00000000001F0000-0x0000000000200000-memory.dmp

Filesize
64KB

Download
memory/2224-30-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/2224-106-0x000000013F270000-0x000000013F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/2224-46-0x0000000002340000-0x0000000002694000-memory.dmp

Filesize
3.3MB

Download
memory/2268-117-0x000000013F660000-0x000000013F9B4000-memory.dmp

Filesize
3.3MB

Download
memory/2268-145-0x000000013F660000-0x000000013F9B4000-memory.dmp

Filesize
3.3MB

Download
memory/2400-140-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/2400-68-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/2524-97-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2524-143-0x000000013FFF0000-0x0000000140344000-memory.dmp

Filesize
3.3MB

Download
memory/2756-142-0x000000013F8B0000-0x000000013FC04000-memory.dmp

Filesize
3.3MB

Download
memory/2756-75-0x000000013F8B0000-0x000000013FC04000-memory.dmp

Filesize
3.3MB

Download
memory/2860-141-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/2860-77-0x000000013F710000-0x000000013FA64000-memory.dmp

Filesize
3.3MB

Download
memory/2876-146-0x000000013F8B0000-0x000000013FC04000-memory.dmp

Filesize
3.3MB

Download
memory/2876-118-0x000000013F8B0000-0x000000013FC04000-memory.dmp

Filesize
3.3MB

Download
memory/2892-137-0x000000013FCD0000-0x0000000140024000-memory.dmp

Filesize
3.3MB

Download
memory/2892-42-0x000000013FCD0000-0x0000000140024000-memory.dmp

Filesize
3.3MB

Download
memory/2896-60-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download
memory/2896-139-0x000000013F540000-0x000000013F894000-memory.dmp

Filesize
3.3MB

Download