cobaltstrike | b18c5ff567e71dd847562e298d89731550ddd7bc13cdf98182ead29a7f4e1269

Analysis

max time kernel
134s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-01-2025 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

daff17c684f844bb75ab147401f0e246
SHA1

7a5fe0567b0bb803abf35fb1ffb95c6d6902d269
SHA256

b18c5ff567e71dd847562e298d89731550ddd7bc13cdf98182ead29a7f4e1269
SHA512

b524418c6a937d656e300f2a3d9fe8ecc5bd995579d35201fd5b7292f44504fce960b484641be516220858dc4085acbcf158d05ab3edd2fa8265698c8198ff14
SSDEEP

98304:demTLkNdfE0pZ3u56utgpPFotBER/mQ32lUS:E+b56utgpPF8u/7S

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x0009000000012281-3.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d58-10.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d4f-8.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016da7-22.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016de4-36.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016dd0-34.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001904c-79.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019259-92.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001926c-108.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019275-104.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019268-95.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019240-84.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191f6-74.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000190e1-67.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016edb-59.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016de8-58.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018f65-57.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016eb8-49.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016d0d-43.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019217-82.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191d2-81.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 53 IoCs

miner

resource	yara_rule
behavioral1/memory/1480-0-0x000000013F080000-0x000000013F3D4000-memory.dmp	xmrig
behavioral1/files/0x0009000000012281-3.dat	xmrig
behavioral1/files/0x0007000000016d58-10.dat	xmrig
behavioral1/files/0x0008000000016d4f-8.dat	xmrig
behavioral1/memory/1480-6-0x000000013FF50000-0x00000001402A4000-memory.dmp	xmrig
behavioral1/files/0x0008000000016da7-22.dat	xmrig
behavioral1/memory/2320-21-0x000000013F240000-0x000000013F594000-memory.dmp	xmrig
behavioral1/memory/2792-29-0x000000013FE10000-0x0000000140164000-memory.dmp	xmrig
behavioral1/memory/2092-19-0x000000013F6D0000-0x000000013FA24000-memory.dmp	xmrig
behavioral1/memory/2184-35-0x000000013FCB0000-0x0000000140004000-memory.dmp	xmrig
behavioral1/files/0x0007000000016de4-36.dat	xmrig
behavioral1/files/0x0007000000016dd0-34.dat	xmrig
behavioral1/files/0x000600000001904c-79.dat	xmrig
behavioral1/files/0x0005000000019259-92.dat	xmrig
behavioral1/files/0x000500000001926c-108.dat	xmrig
behavioral1/memory/1480-115-0x000000013FB60000-0x000000013FEB4000-memory.dmp	xmrig
behavioral1/memory/2632-91-0x000000013F220000-0x000000013F574000-memory.dmp	xmrig
behavioral1/files/0x0005000000019275-104.dat	xmrig
behavioral1/files/0x0005000000019268-95.dat	xmrig
behavioral1/memory/2940-89-0x000000013F230000-0x000000013F584000-memory.dmp	xmrig
behavioral1/files/0x0005000000019240-84.dat	xmrig
behavioral1/files/0x00050000000191f6-74.dat	xmrig
behavioral1/files/0x00060000000190e1-67.dat	xmrig
behavioral1/memory/2092-136-0x000000013F6D0000-0x000000013FA24000-memory.dmp	xmrig
behavioral1/files/0x0008000000016edb-59.dat	xmrig
behavioral1/files/0x0007000000016de8-58.dat	xmrig
behavioral1/files/0x0006000000018f65-57.dat	xmrig
behavioral1/memory/2320-137-0x000000013F240000-0x000000013F594000-memory.dmp	xmrig
behavioral1/files/0x0008000000016eb8-49.dat	xmrig
behavioral1/files/0x0009000000016d0d-43.dat	xmrig
behavioral1/memory/3068-113-0x000000013FF50000-0x00000001402A4000-memory.dmp	xmrig
behavioral1/memory/2404-111-0x000000013F780000-0x000000013FAD4000-memory.dmp	xmrig
behavioral1/memory/2724-109-0x000000013FD40000-0x0000000140094000-memory.dmp	xmrig
behavioral1/memory/2660-106-0x000000013FB70000-0x000000013FEC4000-memory.dmp	xmrig
behavioral1/files/0x0005000000019217-82.dat	xmrig
behavioral1/files/0x00050000000191d2-81.dat	xmrig
behavioral1/memory/2792-138-0x000000013FE10000-0x0000000140164000-memory.dmp	xmrig
behavioral1/memory/2812-56-0x000000013F2D0000-0x000000013F624000-memory.dmp	xmrig
behavioral1/memory/1480-41-0x000000013F080000-0x000000013F3D4000-memory.dmp	xmrig
behavioral1/memory/2184-139-0x000000013FCB0000-0x0000000140004000-memory.dmp	xmrig
behavioral1/memory/2812-140-0x000000013F2D0000-0x000000013F624000-memory.dmp	xmrig
behavioral1/memory/1480-141-0x000000013FB60000-0x000000013FEB4000-memory.dmp	xmrig
behavioral1/memory/3068-144-0x000000013FF50000-0x00000001402A4000-memory.dmp	xmrig
behavioral1/memory/2092-145-0x000000013F6D0000-0x000000013FA24000-memory.dmp	xmrig
behavioral1/memory/2792-146-0x000000013FE10000-0x0000000140164000-memory.dmp	xmrig
behavioral1/memory/2320-147-0x000000013F240000-0x000000013F594000-memory.dmp	xmrig
behavioral1/memory/2184-148-0x000000013FCB0000-0x0000000140004000-memory.dmp	xmrig
behavioral1/memory/2812-149-0x000000013F2D0000-0x000000013F624000-memory.dmp	xmrig
behavioral1/memory/2940-151-0x000000013F230000-0x000000013F584000-memory.dmp	xmrig
behavioral1/memory/2632-150-0x000000013F220000-0x000000013F574000-memory.dmp	xmrig
behavioral1/memory/2660-152-0x000000013FB70000-0x000000013FEC4000-memory.dmp	xmrig
behavioral1/memory/2404-154-0x000000013F780000-0x000000013FAD4000-memory.dmp	xmrig
behavioral1/memory/2724-153-0x000000013FD40000-0x0000000140094000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3068	IVBZYdF.exe
2092	EaznoOw.exe
2320	fWfYumn.exe
2792	CnKRUUo.exe
2184	TMLxSqm.exe
2812	lvwFAKP.exe
2940	fBPbcwx.exe
2632	cubrOOp.exe
2660	KaMiUNG.exe
2724	KXjwQAu.exe
2404	anZewPn.exe
1636	tvcLUIC.exe
1996	GJAdcwu.exe
2840	dJDzees.exe
2852	lOMclaj.exe
2768	VKXhDDd.exe
2636	PepqtpD.exe
2648	zakSGMT.exe
1492	jrvOpxu.exe
2592	DgVTnum.exe
1548	PvOpUbn.exe

Loads dropped DLL 21 IoCs

pid	Process
1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1480-0-0x000000013F080000-0x000000013F3D4000-memory.dmp	upx
behavioral1/files/0x0009000000012281-3.dat	upx
behavioral1/files/0x0007000000016d58-10.dat	upx
behavioral1/files/0x0008000000016d4f-8.dat	upx
behavioral1/memory/1480-6-0x000000013FF50000-0x00000001402A4000-memory.dmp	upx
behavioral1/files/0x0008000000016da7-22.dat	upx
behavioral1/memory/2320-21-0x000000013F240000-0x000000013F594000-memory.dmp	upx
behavioral1/memory/2792-29-0x000000013FE10000-0x0000000140164000-memory.dmp	upx
behavioral1/memory/2092-19-0x000000013F6D0000-0x000000013FA24000-memory.dmp	upx
behavioral1/memory/2184-35-0x000000013FCB0000-0x0000000140004000-memory.dmp	upx
behavioral1/files/0x0007000000016de4-36.dat	upx
behavioral1/files/0x0007000000016dd0-34.dat	upx
behavioral1/files/0x000600000001904c-79.dat	upx
behavioral1/files/0x0005000000019259-92.dat	upx
behavioral1/files/0x000500000001926c-108.dat	upx
behavioral1/memory/2632-91-0x000000013F220000-0x000000013F574000-memory.dmp	upx
behavioral1/files/0x0005000000019275-104.dat	upx
behavioral1/files/0x0005000000019268-95.dat	upx
behavioral1/memory/2940-89-0x000000013F230000-0x000000013F584000-memory.dmp	upx
behavioral1/files/0x0005000000019240-84.dat	upx
behavioral1/files/0x00050000000191f6-74.dat	upx
behavioral1/files/0x00060000000190e1-67.dat	upx
behavioral1/memory/2092-136-0x000000013F6D0000-0x000000013FA24000-memory.dmp	upx
behavioral1/files/0x0008000000016edb-59.dat	upx
behavioral1/files/0x0007000000016de8-58.dat	upx
behavioral1/files/0x0006000000018f65-57.dat	upx
behavioral1/memory/2320-137-0x000000013F240000-0x000000013F594000-memory.dmp	upx
behavioral1/files/0x0008000000016eb8-49.dat	upx
behavioral1/files/0x0009000000016d0d-43.dat	upx
behavioral1/memory/3068-113-0x000000013FF50000-0x00000001402A4000-memory.dmp	upx
behavioral1/memory/2404-111-0x000000013F780000-0x000000013FAD4000-memory.dmp	upx
behavioral1/memory/2724-109-0x000000013FD40000-0x0000000140094000-memory.dmp	upx
behavioral1/memory/2660-106-0x000000013FB70000-0x000000013FEC4000-memory.dmp	upx
behavioral1/files/0x0005000000019217-82.dat	upx
behavioral1/files/0x00050000000191d2-81.dat	upx
behavioral1/memory/2792-138-0x000000013FE10000-0x0000000140164000-memory.dmp	upx
behavioral1/memory/2812-56-0x000000013F2D0000-0x000000013F624000-memory.dmp	upx
behavioral1/memory/1480-41-0x000000013F080000-0x000000013F3D4000-memory.dmp	upx
behavioral1/memory/2184-139-0x000000013FCB0000-0x0000000140004000-memory.dmp	upx
behavioral1/memory/2812-140-0x000000013F2D0000-0x000000013F624000-memory.dmp	upx
behavioral1/memory/3068-144-0x000000013FF50000-0x00000001402A4000-memory.dmp	upx
behavioral1/memory/2092-145-0x000000013F6D0000-0x000000013FA24000-memory.dmp	upx
behavioral1/memory/2792-146-0x000000013FE10000-0x0000000140164000-memory.dmp	upx
behavioral1/memory/2320-147-0x000000013F240000-0x000000013F594000-memory.dmp	upx
behavioral1/memory/2184-148-0x000000013FCB0000-0x0000000140004000-memory.dmp	upx
behavioral1/memory/2812-149-0x000000013F2D0000-0x000000013F624000-memory.dmp	upx
behavioral1/memory/2940-151-0x000000013F230000-0x000000013F584000-memory.dmp	upx
behavioral1/memory/2632-150-0x000000013F220000-0x000000013F574000-memory.dmp	upx
behavioral1/memory/2660-152-0x000000013FB70000-0x000000013FEC4000-memory.dmp	upx
behavioral1/memory/2404-154-0x000000013F780000-0x000000013FAD4000-memory.dmp	upx
behavioral1/memory/2724-153-0x000000013FD40000-0x0000000140094000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\IVBZYdF.exe	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CnKRUUo.exe	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TMLxSqm.exe	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VKXhDDd.exe	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jrvOpxu.exe	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tvcLUIC.exe	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dJDzees.exe	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zakSGMT.exe	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DgVTnum.exe	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PvOpUbn.exe	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lvwFAKP.exe	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fBPbcwx.exe	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cubrOOp.exe	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PepqtpD.exe	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KXjwQAu.exe	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GJAdcwu.exe	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EaznoOw.exe	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fWfYumn.exe	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lOMclaj.exe	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KaMiUNG.exe	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\anZewPn.exe	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 3068	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1480 wrote to memory of 3068	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1480 wrote to memory of 3068	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1480 wrote to memory of 2092	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1480 wrote to memory of 2092	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1480 wrote to memory of 2092	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1480 wrote to memory of 2320	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1480 wrote to memory of 2320	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1480 wrote to memory of 2320	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1480 wrote to memory of 2792	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1480 wrote to memory of 2792	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1480 wrote to memory of 2792	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1480 wrote to memory of 2184	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1480 wrote to memory of 2184	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1480 wrote to memory of 2184	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1480 wrote to memory of 2812	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1480 wrote to memory of 2812	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1480 wrote to memory of 2812	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1480 wrote to memory of 2840	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1480 wrote to memory of 2840	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1480 wrote to memory of 2840	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1480 wrote to memory of 2940	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1480 wrote to memory of 2940	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1480 wrote to memory of 2940	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1480 wrote to memory of 2852	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1480 wrote to memory of 2852	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1480 wrote to memory of 2852	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1480 wrote to memory of 2632	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1480 wrote to memory of 2632	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1480 wrote to memory of 2632	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1480 wrote to memory of 2768	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1480 wrote to memory of 2768	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1480 wrote to memory of 2768	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1480 wrote to memory of 2660	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1480 wrote to memory of 2660	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1480 wrote to memory of 2660	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1480 wrote to memory of 2636	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1480 wrote to memory of 2636	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1480 wrote to memory of 2636	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1480 wrote to memory of 2724	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1480 wrote to memory of 2724	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1480 wrote to memory of 2724	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1480 wrote to memory of 2648	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1480 wrote to memory of 2648	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1480 wrote to memory of 2648	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1480 wrote to memory of 2404	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1480 wrote to memory of 2404	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1480 wrote to memory of 2404	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1480 wrote to memory of 1492	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1480 wrote to memory of 1492	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1480 wrote to memory of 1492	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1480 wrote to memory of 1636	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1480 wrote to memory of 1636	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1480 wrote to memory of 1636	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1480 wrote to memory of 2592	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1480 wrote to memory of 2592	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1480 wrote to memory of 2592	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1480 wrote to memory of 1996	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1480 wrote to memory of 1996	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1480 wrote to memory of 1996	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1480 wrote to memory of 1548	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1480 wrote to memory of 1548	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1480 wrote to memory of 1548	1480	2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2025-01-29_daff17c684f844bb75ab147401f0e246_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\System\IVBZYdF.exe
  C:\Windows\System\IVBZYdF.exe
  2⤵
  - Executes dropped EXE
  PID:3068
- C:\Windows\System\EaznoOw.exe
  C:\Windows\System\EaznoOw.exe
  2⤵
  - Executes dropped EXE
  PID:2092
- C:\Windows\System\fWfYumn.exe
  C:\Windows\System\fWfYumn.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System\CnKRUUo.exe
  C:\Windows\System\CnKRUUo.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\TMLxSqm.exe
  C:\Windows\System\TMLxSqm.exe
  2⤵
  - Executes dropped EXE
  PID:2184
- C:\Windows\System\lvwFAKP.exe
  C:\Windows\System\lvwFAKP.exe
  2⤵
  - Executes dropped EXE
  PID:2812
- C:\Windows\System\dJDzees.exe
  C:\Windows\System\dJDzees.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Windows\System\fBPbcwx.exe
  C:\Windows\System\fBPbcwx.exe
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\Windows\System\lOMclaj.exe
  C:\Windows\System\lOMclaj.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\cubrOOp.exe
  C:\Windows\System\cubrOOp.exe
  2⤵
  - Executes dropped EXE
  PID:2632
- C:\Windows\System\VKXhDDd.exe
  C:\Windows\System\VKXhDDd.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System\KaMiUNG.exe
  C:\Windows\System\KaMiUNG.exe
  2⤵
  - Executes dropped EXE
  PID:2660
- C:\Windows\System\PepqtpD.exe
  C:\Windows\System\PepqtpD.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\KXjwQAu.exe
  C:\Windows\System\KXjwQAu.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\zakSGMT.exe
  C:\Windows\System\zakSGMT.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\anZewPn.exe
  C:\Windows\System\anZewPn.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System\jrvOpxu.exe
  C:\Windows\System\jrvOpxu.exe
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\System\tvcLUIC.exe
  C:\Windows\System\tvcLUIC.exe
  2⤵
  - Executes dropped EXE
  PID:1636
- C:\Windows\System\DgVTnum.exe
  C:\Windows\System\DgVTnum.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System\GJAdcwu.exe
  C:\Windows\System\GJAdcwu.exe
  2⤵
  - Executes dropped EXE
  PID:1996
- C:\Windows\System\PvOpUbn.exe
  C:\Windows\System\PvOpUbn.exe
  2⤵
  - Executes dropped EXE
  PID:1548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\GJAdcwu.exe

Filesize
5.9MB

MD5
38ffda825295ff92086a4242df9d6c36

SHA1
19371ad8e185f39379fb297c3fd2d3d72a901c00

SHA256
98bf6f0b324c42a5b759ae9a611a66c2733357b34b17dc858a7e810d52c695da

SHA512
8eb07fd960b6b7df411fd23e1841f2d38f882bf0bca7c4aa00372ae0f3c8b5e046686d3dbf4a63db624f03672fd9b8b0c620ac03872cdfe96231c949f9b6af20

Download Submit
C:\Windows\system\KXjwQAu.exe

Filesize
5.9MB

MD5
27868a4700c8db9cf0c660643d68f712

SHA1
385c3581f09c61a96e4a8f5d33bd8d9cd8e9df3a

SHA256
472ecf2de89277be66f8963ad80f81a0869f7eb38c04f63cec6a9673483a66bd

SHA512
bc260652c03c7d8d374120d87f6b24f0aab364d927852b5c7eaf08f57a84fc8119a18e0791a9828b288bc740ff47a3bcc512ae072fcc7dbe5974aa543ac086e2

Download Submit
C:\Windows\system\KaMiUNG.exe

Filesize
5.9MB

MD5
92f39e0b9472e2d9b908052f4b4ace35

SHA1
bdac2b2965ce376129a0fda8664e3d23dc6a48c9

SHA256
6f935647fcc821e41930e2dfa659550fb7d60ae651a67e351f2931e5191cfa31

SHA512
241852fca8c53aa5092e5c73a775b626deb1962c0f77bc6b2b33ecd5f871704d85fa49892b19fe0c11fab880df68504c0a285f5d24278a69465167e974ddea3d

Download Submit
C:\Windows\system\TMLxSqm.exe

Filesize
5.9MB

MD5
1a160f8924c0a27fa4977124224971fd

SHA1
f1d0a2af279931b8f356fb124a10f45b5a4b0b4f

SHA256
07b75fb0514da3b4f28f1b4389f4c998a14430d74d96f54ae07ea02dd613f879

SHA512
1ad60075ca5d57ce627e86fd2846f81b0ae732c28aecadec06780eedf6b1f2cbe7d0f36069a8683d413a1a771d0d59467b456fb7547af6092542817e2c1c7cb8

Download Submit
C:\Windows\system\anZewPn.exe

Filesize
5.9MB

MD5
a35ef2447c4318351a8a2e898f5e6170

SHA1
4de164efc785b4b89ea9a5bc1d3af1de682ed390

SHA256
6a3dd1bb47b32ee4210fd1803ce8f785dc863dc632c30314af9d9ce88294166b

SHA512
69dcb5b44e1450f5ba214f22b81e64d110e575386f6d69a89dc2fd1bedc6799cb82570f451ac8d93b3657d2f79b8685f4b2281d4f6c0b2857ba783bcc3374643

Download Submit
C:\Windows\system\cubrOOp.exe

Filesize
5.9MB

MD5
3f19af014995b3edb1e7579246860793

SHA1
99248a9e9269c4ca26fb16fc3892faf78dbac7bd

SHA256
8f3ae59d1580dae936d208c5eaf3f00135fcbe2aa3d99666186d2f5bc841f2ed

SHA512
d129b9f747000f64cdcc3932ab4b983aa1789bba8d4d7c8263cf2fe7d5b9bf8a702c04e30ca7393da20bfe966edd583ae31f4b292e8838f723c5a4aaec3fca4b

Download Submit
C:\Windows\system\fBPbcwx.exe

Filesize
5.9MB

MD5
187547cb4296d026ac98bb348c7721a2

SHA1
407def8d57e3fe2f9216e8658826ff6f271487cd

SHA256
c9b4108d2cec077ab1011fcf9be15e7020b326188c2e878acad3acca9a1ca78c

SHA512
a6f32cb21ac78591dd2b98f5ea51b5b3f7b5aad02c87be9e68015ca154948dc576db9f931d87a88ed06c258b026245958e889f1f002f044bb8d28f155a3424d8

Download Submit
C:\Windows\system\fWfYumn.exe

Filesize
5.9MB

MD5
c2ffe73f5ae05cdd86b8feb69f01f184

SHA1
4f153c747f45ff7efcedd9268ff010f7e12530aa

SHA256
b1a9b0254d04db3ae5420f5d5754b2e35e35ad4fe20b2b93a0f6170815d9af89

SHA512
057bfb78c8e2a9a5eb17c82967bcce7984a1b558be0d92956949b99aa43304137f5bc43391c8d0c50571f6a6d4f001bb2cac60e6f2c95beccdef5c1e2e8dd86e

Download Submit
\Windows\system\CnKRUUo.exe

Filesize
5.9MB

MD5
2796060097f6ac9e2e16e523a5fdcec7

SHA1
79d26f63adb0c8bc8f911bd9bfc78ca8f0e1e672

SHA256
d733809733d0bf18b5fc63234fb841860b2c55e29ef6985722d203e1ba72cbb1

SHA512
92b058511b7fbaa9ae284680d5b2adbea076626dc1af864a8778614204bf46b911635a683f207113688c1aae97bbbc6a5d57ba36eb8c390b0030e1423f2ea9c8

Download Submit
\Windows\system\DgVTnum.exe

Filesize
5.9MB

MD5
c33d4c4444b27fb575758450203d2b8a

SHA1
7b0864da7d0a726335bf58faecb51a560a6bf3b3

SHA256
76d574e12a75b1c3f53ba810a6504d82b7940496e10c74360f964b7d60157605

SHA512
967d5bda72b6aae7c6a20d9723404a085778236cd2599b1a470fdd6e7f05269d43046da33b9ddab4c0493edd8173c0ede963fcb48bdf28b6ee807a2c071778af

Download Submit
\Windows\system\EaznoOw.exe

Filesize
5.9MB

MD5
78eb575921297529d29c0b04c665681d

SHA1
5d4344ec183bb33d94cf0e2fa4c4aea36c812208

SHA256
155bfe0d41b55bd06430e2d52ba6ee3b0e1125e5baffff62fcbdf400c0d3298f

SHA512
5ef2b604f54212bf600cd68589c5f4ac1c718a9f168c3f0e9656185dc2717202d9b2fb4d7a6fea7da306aaae921c3dd8db860c292274ff908744a24a51fefc12

Download Submit
\Windows\system\IVBZYdF.exe

Filesize
5.9MB

MD5
8611c839f730b88fd0d5e690e340b865

SHA1
e76d548ab40d632f1e931cc41e3c2e76aaf62677

SHA256
5d3c12446108cce640316a66c510984beb2e20b78d99e0c506b4277adb768eea

SHA512
c0f0eed7584bd0078dcf8a37e7d6dc9d53d600c4b5a45e8a35f72f00d51fc8ec139d97b45a6a972f5ba3867d786ddba5c9b9f5c6cbc729bcb76a57616c467746

Download Submit
\Windows\system\PepqtpD.exe

Filesize
5.9MB

MD5
07534e38fe073631f4e71e734df8a31c

SHA1
3efba6092bed477b0324f32baa151a1ced7b76d4

SHA256
38bc796101c18f6a7530a7babc7eb8edb75549ed479685e68b3a4a0e322fa7a2

SHA512
dff64f3025c78e778a02dccc74c2af50416c9a6d535621bef6a7248c1ea7e958c160e92297e937b240d72a01738865d13e830dd292f1a2689fcc932a70c4bf9a

Download Submit
\Windows\system\PvOpUbn.exe

Filesize
5.9MB

MD5
8c6bcadc49e0a2ffa2ba8a227e85ba48

SHA1
f8d34a113ea17fcd8707f59712ff31a4e104f4ba

SHA256
97ec9af446a0d1e38ec39d89fd2de2a606e4f6a603b5174fb57c560d63ec60e3

SHA512
06d3dec216182c1ea0dc70e60922fef41fc3038b0f4a5e99d0c0281803ec9ae0301708fe07bddfe191d9e5e020aa6bb3a7747ce80793ed456f512e201cdb5f1b

Download Submit
\Windows\system\VKXhDDd.exe

Filesize
5.9MB

MD5
c5c0bfad93f74a4f99235a8353e5c8f7

SHA1
f4bc9959458d3307a9fa0de1cfd8a24f0ced0d92

SHA256
2f22159d821f6f3c9ba7ebddea3651e471fef93e728af1d44cbf3e8478d9081c

SHA512
d2c4194fa5c6ffeabd7b0202c28555d8a8743952abb3c9c43b893c8a1858359a6117e5bf370eee8943fc635066cf7e8989cf0ff8daef6bb8ed20a012c7e8f716

Download Submit
\Windows\system\dJDzees.exe

Filesize
5.9MB

MD5
aa2969711ef82ed7596f6563f0f7ae9a

SHA1
e14061634e3f23af1cbd88505e375ac23878bd93

SHA256
88ff0bcb89a4caf15b4bce30aa437e6f1c7a7363ac80a4ee948a700eccddab03

SHA512
e70945f30e06ae549c39a128a40cedf4c147ebf4beae0188871d9637ebfd938a6aeb3e9c963b3e6d832c78caa4f91420522ba4878b95ff1a05be3af557a09330

Download Submit
\Windows\system\jrvOpxu.exe

Filesize
5.9MB

MD5
007bf4a144ca903d17099ce656dfebb8

SHA1
0af1d1543d506906c5863a3f327c3f4f894e24ae

SHA256
2ba8a4ebe6fbfb3bc936100cced05adc6649024b8381b7f6e31529331cbe91be

SHA512
a1454a631380588b84bd8598aba1172ce04282e7ca1612eaaeee10b4046fd0f2f36788856fefe6d06fd8e7cd503524a0407c70b8d859665408517aec47de0e85

Download Submit
\Windows\system\lOMclaj.exe

Filesize
5.9MB

MD5
ff4927b64fc906ae7592debe2d30095d

SHA1
ed46d7043ac0d7ca5ed60f0f9ff5175baade9bd9

SHA256
ca3d8ff9e526f72832521c062fb3ad3d90c84feddaa9fbe89271d7b28656e3ab

SHA512
9a80a99af8b0cb268c0d8e7c3c7df035296bb8c6b684bc7dee17a2893ef9d171048b86859e2d15b2877b6dd88137574e781b5db4ff1b9da15cb903d87372bef3

Download Submit
\Windows\system\lvwFAKP.exe

Filesize
5.9MB

MD5
f091f6e6e3494786dd1b39aefadef663

SHA1
bdb42379c353624852f05ee681a706afa6b2a780

SHA256
69c468d59b87c6e1ef76a14a9e979b1e5fbf8c528e22a81ebdc80f609c2c6cd4

SHA512
9fdf541cab64a4cc8d4deaa7959bf987a53514dcac59937e7f8820c57dae5154721c52bf8f5ed18aa1c36396291b12e7466e36fc7ac8b23c4d72468b362cc375

Download Submit
\Windows\system\tvcLUIC.exe

Filesize
5.9MB

MD5
c4c3d21c64cb34e9a04780504c1ea330

SHA1
0dd58f870638e9a56d0b42d5906875cbd41d2a34

SHA256
bc6194ae560052d0880ffa91d2406edb1b8c29be9fe83cc68905abae632f8309

SHA512
06640d2748c7603306a13a572016ba28301e5be7b7a4f2f597919dd4a28acee078c26a26dacb920e8759627e0b8385d562d0454937ec0f958e23c3f9c38e6af9

Download Submit
\Windows\system\zakSGMT.exe

Filesize
5.9MB

MD5
508a6bd879f311c87eabf146a7e5bb25

SHA1
199f2b9e10e3d33a5466f24f95da328cca7018f0

SHA256
3930b2e4260dc8083cd2290c63999c7d2a27e4e5b8afc99572dc8443824a2f01

SHA512
fd67c84528c2419ae180f426161d726d2521cf504e0fa18195e20b4614ca115e68fef504026c20de43040c97d6041f4d073d1833ba71efa4559b290e735f8e93

Download Submit
memory/1480-31-0x000000013FCB0000-0x0000000140004000-memory.dmp

Filesize
3.3MB

Download
memory/1480-116-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/1480-119-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/1480-141-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/1480-37-0x0000000002280000-0x00000000025D4000-memory.dmp

Filesize
3.3MB

Download
memory/1480-98-0x000000013FC00000-0x000000013FF54000-memory.dmp

Filesize
3.3MB

Download
memory/1480-97-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/1480-142-0x000000013F700000-0x000000013FA54000-memory.dmp

Filesize
3.3MB

Download
memory/1480-41-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/1480-25-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download
memory/1480-77-0x0000000002280000-0x00000000025D4000-memory.dmp

Filesize
3.3MB

Download
memory/1480-17-0x0000000002280000-0x00000000025D4000-memory.dmp

Filesize
3.3MB

Download
memory/1480-73-0x000000013F980000-0x000000013FCD4000-memory.dmp

Filesize
3.3MB

Download
memory/1480-115-0x000000013FB60000-0x000000013FEB4000-memory.dmp

Filesize
3.3MB

Download
memory/1480-135-0x0000000002280000-0x00000000025D4000-memory.dmp

Filesize
3.3MB

Download
memory/1480-15-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/1480-6-0x000000013FF50000-0x00000001402A4000-memory.dmp

Filesize
3.3MB

Download
memory/1480-112-0x000000013F580000-0x000000013F8D4000-memory.dmp

Filesize
3.3MB

Download
memory/1480-1-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/1480-0-0x000000013F080000-0x000000013F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/1480-114-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/1480-118-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/1480-117-0x000000013F490000-0x000000013F7E4000-memory.dmp

Filesize
3.3MB

Download
memory/2092-136-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/2092-19-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/2092-145-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/2184-148-0x000000013FCB0000-0x0000000140004000-memory.dmp

Filesize
3.3MB

Download
memory/2184-35-0x000000013FCB0000-0x0000000140004000-memory.dmp

Filesize
3.3MB

Download
memory/2184-139-0x000000013FCB0000-0x0000000140004000-memory.dmp

Filesize
3.3MB

Download
memory/2320-147-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/2320-21-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/2320-137-0x000000013F240000-0x000000013F594000-memory.dmp

Filesize
3.3MB

Download
memory/2404-154-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/2404-111-0x000000013F780000-0x000000013FAD4000-memory.dmp

Filesize
3.3MB

Download
memory/2632-91-0x000000013F220000-0x000000013F574000-memory.dmp

Filesize
3.3MB

Download
memory/2632-150-0x000000013F220000-0x000000013F574000-memory.dmp

Filesize
3.3MB

Download
memory/2660-106-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2660-152-0x000000013FB70000-0x000000013FEC4000-memory.dmp

Filesize
3.3MB

Download
memory/2724-153-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/2724-109-0x000000013FD40000-0x0000000140094000-memory.dmp

Filesize
3.3MB

Download
memory/2792-29-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download
memory/2792-146-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download
memory/2792-138-0x000000013FE10000-0x0000000140164000-memory.dmp

Filesize
3.3MB

Download
memory/2812-140-0x000000013F2D0000-0x000000013F624000-memory.dmp

Filesize
3.3MB

Download
memory/2812-56-0x000000013F2D0000-0x000000013F624000-memory.dmp

Filesize
3.3MB

Download
memory/2812-149-0x000000013F2D0000-0x000000013F624000-memory.dmp

Filesize
3.3MB

Download
memory/2940-89-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/2940-151-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/3068-113-0x000000013FF50000-0x00000001402A4000-memory.dmp

Filesize
3.3MB

Download
memory/3068-144-0x000000013FF50000-0x00000001402A4000-memory.dmp

Filesize
3.3MB

Download