cobaltstrike | 66db3cd7af0658ab917154f0537914b2c24de4275a1c5b4687bc705c7504548e

Analysis

max time kernel
141s
max time network
145s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
16-09-2024 06:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

2f273e0ff73ff2f837e8f88becb5138f
SHA1

543d30916a241f667992f377eaa18dcbff07145e
SHA256

66db3cd7af0658ab917154f0537914b2c24de4275a1c5b4687bc705c7504548e
SHA512

35a1edd1e6e4372aefba4893610a6ee394f277acb89c0b77dafb446f0125ebc37ad6968914f9bb3689fbd7e268a7fcbe612d1af89ef799a2582afa0376b7b483
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lV:RWWBibf56utgpPFotBER/mQ32lU5

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000f000000012782-3.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016cc4-13.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016cd7-10.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016ca5-22.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016ce0-32.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016ce8-37.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016d04-44.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000193a8-51.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000193d1-59.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000193e6-66.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000193f0-79.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001945c-83.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001948d-90.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194e2-102.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195c2-112.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001958b-107.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195c6-122.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195c8-129.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195ca-134.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195c7-126.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195c4-117.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 44 IoCs

miner

resource	yara_rule
behavioral1/memory/2216-33-0x000000013F650000-0x000000013F9A1000-memory.dmp	xmrig
behavioral1/memory/2680-35-0x000000013F220000-0x000000013F571000-memory.dmp	xmrig
behavioral1/memory/2412-47-0x000000013FC50000-0x000000013FFA1000-memory.dmp	xmrig
behavioral1/memory/1928-50-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/532-54-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	xmrig
behavioral1/memory/2700-64-0x000000013F660000-0x000000013F9B1000-memory.dmp	xmrig
behavioral1/memory/2904-62-0x000000013F500000-0x000000013F851000-memory.dmp	xmrig
behavioral1/memory/2276-61-0x000000013FB20000-0x000000013FE71000-memory.dmp	xmrig
behavioral1/memory/2412-71-0x000000013F130000-0x000000013F481000-memory.dmp	xmrig
behavioral1/memory/2216-70-0x000000013F650000-0x000000013F9A1000-memory.dmp	xmrig
behavioral1/memory/476-69-0x000000013F320000-0x000000013F671000-memory.dmp	xmrig
behavioral1/memory/2844-78-0x000000013F510000-0x000000013F861000-memory.dmp	xmrig
behavioral1/memory/2652-82-0x000000013F540000-0x000000013F891000-memory.dmp	xmrig
behavioral1/memory/2096-89-0x000000013F900000-0x000000013FC51000-memory.dmp	xmrig
behavioral1/memory/2412-88-0x0000000002370000-0x00000000026C1000-memory.dmp	xmrig
behavioral1/memory/2748-110-0x000000013F710000-0x000000013FA61000-memory.dmp	xmrig
behavioral1/memory/2412-106-0x000000013F750000-0x000000013FAA1000-memory.dmp	xmrig
behavioral1/memory/2412-138-0x000000013F130000-0x000000013F481000-memory.dmp	xmrig
behavioral1/memory/2524-139-0x000000013F130000-0x000000013F481000-memory.dmp	xmrig
behavioral1/memory/2412-142-0x000000013FC50000-0x000000013FFA1000-memory.dmp	xmrig
behavioral1/memory/2652-147-0x000000013F540000-0x000000013F891000-memory.dmp	xmrig
behavioral1/memory/2412-155-0x000000013F710000-0x000000013FA61000-memory.dmp	xmrig
behavioral1/memory/1664-161-0x000000013F750000-0x000000013FAA1000-memory.dmp	xmrig
behavioral1/memory/1080-163-0x000000013F690000-0x000000013F9E1000-memory.dmp	xmrig
behavioral1/memory/2028-167-0x000000013F6F0000-0x000000013FA41000-memory.dmp	xmrig
behavioral1/memory/1760-166-0x000000013F330000-0x000000013F681000-memory.dmp	xmrig
behavioral1/memory/1956-164-0x000000013FDC0000-0x0000000140111000-memory.dmp	xmrig
behavioral1/memory/1620-162-0x000000013FE50000-0x00000001401A1000-memory.dmp	xmrig
behavioral1/memory/2772-160-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	xmrig
behavioral1/memory/780-165-0x000000013FA10000-0x000000013FD61000-memory.dmp	xmrig
behavioral1/memory/2412-168-0x000000013FC50000-0x000000013FFA1000-memory.dmp	xmrig
behavioral1/memory/532-216-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	xmrig
behavioral1/memory/2276-218-0x000000013FB20000-0x000000013FE71000-memory.dmp	xmrig
behavioral1/memory/476-223-0x000000013F320000-0x000000013F671000-memory.dmp	xmrig
behavioral1/memory/2216-225-0x000000013F650000-0x000000013F9A1000-memory.dmp	xmrig
behavioral1/memory/2680-227-0x000000013F220000-0x000000013F571000-memory.dmp	xmrig
behavioral1/memory/2844-231-0x000000013F510000-0x000000013F861000-memory.dmp	xmrig
behavioral1/memory/1928-233-0x000000013F5E0000-0x000000013F931000-memory.dmp	xmrig
behavioral1/memory/2904-237-0x000000013F500000-0x000000013F851000-memory.dmp	xmrig
behavioral1/memory/2700-239-0x000000013F660000-0x000000013F9B1000-memory.dmp	xmrig
behavioral1/memory/2524-242-0x000000013F130000-0x000000013F481000-memory.dmp	xmrig
behavioral1/memory/2652-246-0x000000013F540000-0x000000013F891000-memory.dmp	xmrig
behavioral1/memory/2096-248-0x000000013F900000-0x000000013FC51000-memory.dmp	xmrig
behavioral1/memory/2748-260-0x000000013F710000-0x000000013FA61000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
532	bJiiUmf.exe
2276	EtNXofW.exe
476	UZKqhwd.exe
2216	CtWqGPq.exe
2680	UxgVTvU.exe
2844	GcOjnUB.exe
1928	sHeEnSs.exe
2904	BbYYlJE.exe
2700	YrQywin.exe
2524	IEdfZdh.exe
2652	ByrrgKK.exe
2096	VxNHFTr.exe
2748	FfDLYvy.exe
2772	TDTkcNw.exe
1664	KAsCzUW.exe
1620	kEXicmx.exe
1080	CVFfSqB.exe
1956	bzvMqBR.exe
780	aYzOEFu.exe
1760	bYdNhrf.exe
2028	lTIgiZT.exe

Loads dropped DLL 21 IoCs

pid	Process
2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2412-0-0x000000013FC50000-0x000000013FFA1000-memory.dmp	upx
behavioral1/files/0x000f000000012782-3.dat	upx
behavioral1/files/0x0009000000016cc4-13.dat	upx
behavioral1/memory/2276-15-0x000000013FB20000-0x000000013FE71000-memory.dmp	upx
behavioral1/memory/532-11-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	upx
behavioral1/memory/2412-6-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	upx
behavioral1/files/0x0007000000016cd7-10.dat	upx
behavioral1/memory/476-21-0x000000013F320000-0x000000013F671000-memory.dmp	upx
behavioral1/files/0x0009000000016ca5-22.dat	upx
behavioral1/memory/2216-33-0x000000013F650000-0x000000013F9A1000-memory.dmp	upx
behavioral1/files/0x0007000000016ce0-32.dat	upx
behavioral1/memory/2680-35-0x000000013F220000-0x000000013F571000-memory.dmp	upx
behavioral1/files/0x0007000000016ce8-37.dat	upx
behavioral1/memory/2844-43-0x000000013F510000-0x000000013F861000-memory.dmp	upx
behavioral1/memory/2412-47-0x000000013FC50000-0x000000013FFA1000-memory.dmp	upx
behavioral1/files/0x0009000000016d04-44.dat	upx
behavioral1/memory/1928-50-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/files/0x00050000000193a8-51.dat	upx
behavioral1/memory/532-54-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	upx
behavioral1/files/0x00050000000193d1-59.dat	upx
behavioral1/memory/2700-64-0x000000013F660000-0x000000013F9B1000-memory.dmp	upx
behavioral1/memory/2904-62-0x000000013F500000-0x000000013F851000-memory.dmp	upx
behavioral1/memory/2276-61-0x000000013FB20000-0x000000013FE71000-memory.dmp	upx
behavioral1/files/0x00050000000193e6-66.dat	upx
behavioral1/memory/2524-74-0x000000013F130000-0x000000013F481000-memory.dmp	upx
behavioral1/memory/2216-70-0x000000013F650000-0x000000013F9A1000-memory.dmp	upx
behavioral1/memory/476-69-0x000000013F320000-0x000000013F671000-memory.dmp	upx
behavioral1/files/0x00050000000193f0-79.dat	upx
behavioral1/memory/2844-78-0x000000013F510000-0x000000013F861000-memory.dmp	upx
behavioral1/memory/2652-82-0x000000013F540000-0x000000013F891000-memory.dmp	upx
behavioral1/files/0x000500000001945c-83.dat	upx
behavioral1/memory/2096-89-0x000000013F900000-0x000000013FC51000-memory.dmp	upx
behavioral1/files/0x000500000001948d-90.dat	upx
behavioral1/files/0x00050000000194e2-102.dat	upx
behavioral1/memory/2748-110-0x000000013F710000-0x000000013FA61000-memory.dmp	upx
behavioral1/files/0x00050000000195c2-112.dat	upx
behavioral1/files/0x000500000001958b-107.dat	upx
behavioral1/files/0x00050000000195c6-122.dat	upx
behavioral1/files/0x00050000000195c8-129.dat	upx
behavioral1/files/0x00050000000195ca-134.dat	upx
behavioral1/files/0x00050000000195c7-126.dat	upx
behavioral1/files/0x00050000000195c4-117.dat	upx
behavioral1/memory/2524-139-0x000000013F130000-0x000000013F481000-memory.dmp	upx
behavioral1/memory/2412-142-0x000000013FC50000-0x000000013FFA1000-memory.dmp	upx
behavioral1/memory/2652-147-0x000000013F540000-0x000000013F891000-memory.dmp	upx
behavioral1/memory/1664-161-0x000000013F750000-0x000000013FAA1000-memory.dmp	upx
behavioral1/memory/1080-163-0x000000013F690000-0x000000013F9E1000-memory.dmp	upx
behavioral1/memory/2028-167-0x000000013F6F0000-0x000000013FA41000-memory.dmp	upx
behavioral1/memory/1760-166-0x000000013F330000-0x000000013F681000-memory.dmp	upx
behavioral1/memory/1956-164-0x000000013FDC0000-0x0000000140111000-memory.dmp	upx
behavioral1/memory/1620-162-0x000000013FE50000-0x00000001401A1000-memory.dmp	upx
behavioral1/memory/2772-160-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	upx
behavioral1/memory/780-165-0x000000013FA10000-0x000000013FD61000-memory.dmp	upx
behavioral1/memory/2412-168-0x000000013FC50000-0x000000013FFA1000-memory.dmp	upx
behavioral1/memory/532-216-0x000000013F6A0000-0x000000013F9F1000-memory.dmp	upx
behavioral1/memory/2276-218-0x000000013FB20000-0x000000013FE71000-memory.dmp	upx
behavioral1/memory/476-223-0x000000013F320000-0x000000013F671000-memory.dmp	upx
behavioral1/memory/2216-225-0x000000013F650000-0x000000013F9A1000-memory.dmp	upx
behavioral1/memory/2680-227-0x000000013F220000-0x000000013F571000-memory.dmp	upx
behavioral1/memory/2844-231-0x000000013F510000-0x000000013F861000-memory.dmp	upx
behavioral1/memory/1928-233-0x000000013F5E0000-0x000000013F931000-memory.dmp	upx
behavioral1/memory/2904-237-0x000000013F500000-0x000000013F851000-memory.dmp	upx
behavioral1/memory/2700-239-0x000000013F660000-0x000000013F9B1000-memory.dmp	upx
behavioral1/memory/2524-242-0x000000013F130000-0x000000013F481000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\bJiiUmf.exe	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CtWqGPq.exe	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GcOjnUB.exe	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sHeEnSs.exe	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KAsCzUW.exe	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bYdNhrf.exe	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bzvMqBR.exe	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UZKqhwd.exe	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BbYYlJE.exe	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YrQywin.exe	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IEdfZdh.exe	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ByrrgKK.exe	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VxNHFTr.exe	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FfDLYvy.exe	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kEXicmx.exe	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aYzOEFu.exe	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EtNXofW.exe	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UxgVTvU.exe	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TDTkcNw.exe	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CVFfSqB.exe	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lTIgiZT.exe	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 532	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2412 wrote to memory of 532	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2412 wrote to memory of 532	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2412 wrote to memory of 2276	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2412 wrote to memory of 2276	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2412 wrote to memory of 2276	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2412 wrote to memory of 476	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2412 wrote to memory of 476	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2412 wrote to memory of 476	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2412 wrote to memory of 2216	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2412 wrote to memory of 2216	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2412 wrote to memory of 2216	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2412 wrote to memory of 2680	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2412 wrote to memory of 2680	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2412 wrote to memory of 2680	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2412 wrote to memory of 2844	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2412 wrote to memory of 2844	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2412 wrote to memory of 2844	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2412 wrote to memory of 1928	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2412 wrote to memory of 1928	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2412 wrote to memory of 1928	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2412 wrote to memory of 2904	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2412 wrote to memory of 2904	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2412 wrote to memory of 2904	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2412 wrote to memory of 2700	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2412 wrote to memory of 2700	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2412 wrote to memory of 2700	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2412 wrote to memory of 2524	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2412 wrote to memory of 2524	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2412 wrote to memory of 2524	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2412 wrote to memory of 2652	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2412 wrote to memory of 2652	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2412 wrote to memory of 2652	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2412 wrote to memory of 2096	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2412 wrote to memory of 2096	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2412 wrote to memory of 2096	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2412 wrote to memory of 2748	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2412 wrote to memory of 2748	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2412 wrote to memory of 2748	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2412 wrote to memory of 2772	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2412 wrote to memory of 2772	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2412 wrote to memory of 2772	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2412 wrote to memory of 1664	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2412 wrote to memory of 1664	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2412 wrote to memory of 1664	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2412 wrote to memory of 1620	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2412 wrote to memory of 1620	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2412 wrote to memory of 1620	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2412 wrote to memory of 1080	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2412 wrote to memory of 1080	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2412 wrote to memory of 1080	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2412 wrote to memory of 1956	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2412 wrote to memory of 1956	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2412 wrote to memory of 1956	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2412 wrote to memory of 780	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2412 wrote to memory of 780	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2412 wrote to memory of 780	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2412 wrote to memory of 1760	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2412 wrote to memory of 1760	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2412 wrote to memory of 1760	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2412 wrote to memory of 2028	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2412 wrote to memory of 2028	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2412 wrote to memory of 2028	2412	2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe	52

C:\Users\Admin\AppData\Local\Temp\2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-16_2f273e0ff73ff2f837e8f88becb5138f_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\System\bJiiUmf.exe
  C:\Windows\System\bJiiUmf.exe
  2⤵
  - Executes dropped EXE
  PID:532
- C:\Windows\System\EtNXofW.exe
  C:\Windows\System\EtNXofW.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System\UZKqhwd.exe
  C:\Windows\System\UZKqhwd.exe
  2⤵
  - Executes dropped EXE
  PID:476
- C:\Windows\System\CtWqGPq.exe
  C:\Windows\System\CtWqGPq.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System\UxgVTvU.exe
  C:\Windows\System\UxgVTvU.exe
  2⤵
  - Executes dropped EXE
  PID:2680
- C:\Windows\System\GcOjnUB.exe
  C:\Windows\System\GcOjnUB.exe
  2⤵
  - Executes dropped EXE
  PID:2844
- C:\Windows\System\sHeEnSs.exe
  C:\Windows\System\sHeEnSs.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System\BbYYlJE.exe
  C:\Windows\System\BbYYlJE.exe
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\Windows\System\YrQywin.exe
  C:\Windows\System\YrQywin.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\IEdfZdh.exe
  C:\Windows\System\IEdfZdh.exe
  2⤵
  - Executes dropped EXE
  PID:2524
- C:\Windows\System\ByrrgKK.exe
  C:\Windows\System\ByrrgKK.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\VxNHFTr.exe
  C:\Windows\System\VxNHFTr.exe
  2⤵
  - Executes dropped EXE
  PID:2096
- C:\Windows\System\FfDLYvy.exe
  C:\Windows\System\FfDLYvy.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\TDTkcNw.exe
  C:\Windows\System\TDTkcNw.exe
  2⤵
  - Executes dropped EXE
  PID:2772
- C:\Windows\System\KAsCzUW.exe
  C:\Windows\System\KAsCzUW.exe
  2⤵
  - Executes dropped EXE
  PID:1664
- C:\Windows\System\kEXicmx.exe
  C:\Windows\System\kEXicmx.exe
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\System\CVFfSqB.exe
  C:\Windows\System\CVFfSqB.exe
  2⤵
  - Executes dropped EXE
  PID:1080
- C:\Windows\System\bzvMqBR.exe
  C:\Windows\System\bzvMqBR.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System\aYzOEFu.exe
  C:\Windows\System\aYzOEFu.exe
  2⤵
  - Executes dropped EXE
  PID:780
- C:\Windows\System\bYdNhrf.exe
  C:\Windows\System\bYdNhrf.exe
  2⤵
  - Executes dropped EXE
  PID:1760
- C:\Windows\System\lTIgiZT.exe
  C:\Windows\System\lTIgiZT.exe
  2⤵
  - Executes dropped EXE
  PID:2028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\ByrrgKK.exe

Filesize
5.2MB

MD5
5041ec08d112df315b33e7e6f2d1b7ce

SHA1
d80b34f1688209699172aed476e2545a07185f2b

SHA256
07c0b13832883f3601b748b5b9cc09f47d6ce0d9e4ec0face7eba8a5d6cec9ba

SHA512
adbdc59827fd463e2d740b11e21268d99d48b9ad5b5f208ed2e6203a55ba20b8f018cbbdf7f36dbd9584a42d7cc382fd39e56ac2ca02853261ca9e0a265c3e0c

Download Submit
C:\Windows\system\CVFfSqB.exe

Filesize
5.2MB

MD5
fbd8890f2dd644111ecd0d21f13cbec8

SHA1
5e2035146968edec09a28197061f12c259951263

SHA256
76c0407a8d9544b916a5e083540cbbe2a61954a40070013c8e502eb2f2727198

SHA512
ed042866c0b1c60f783ea71f946ef9f927269e88df270aa4fbca3ba536af2673072ab068c4c83e3a6b67008bffc231464fb3d426ecfcdcf2100cf5e428234dd8

Download Submit
C:\Windows\system\EtNXofW.exe

Filesize
5.2MB

MD5
d9290a60503c361937fdaf8c0052532c

SHA1
181bbf310b0bffbeda457b5d9e351b084955bf71

SHA256
2b95699ec2b387503c3bbf0073f16d13ea449f61b5b6d1c3afd576ff8ef872db

SHA512
681ff55988de3c485dd7cf9ecffb3b205ce85542a64065fdaddda966be9d9af01fd7843564bf0ed38f2424e88224a6721c56293fadb3532338d4a2b35f19ea3d

Download Submit
C:\Windows\system\KAsCzUW.exe

Filesize
5.2MB

MD5
370c929edfa901c5a48e59528a4e97cf

SHA1
5203e354a00bac52e419ad550b16c272409808db

SHA256
0dc6388b3efff824e935cb218d2bf63a87216c7e980ee87b9956b06cef5005a4

SHA512
b76dab491be90abb2c8eb899ff06d1503fd59daee844616a21dc64960e4288288da0c6113a1975ece3644e8feedf70242d3747acdb3aaf8a5282869b693b1811

Download Submit
C:\Windows\system\TDTkcNw.exe

Filesize
5.2MB

MD5
25addf5490198ca57dfd0e2b79e35201

SHA1
77354ff3aa75a25e0a1752383e45fe19340d8cf5

SHA256
abde091aa1745319bc08f3810538b9fd7968138212d2ef50253615e38c06fd08

SHA512
6c652abf6779d9bf492edd27faf1ab6ab643eb37f6376a46e694e7fa41e2c786935b4c5edad48aab1d9e39e081516b4a78e11c32033bb49492e31440a246fc85

Download Submit
C:\Windows\system\UZKqhwd.exe

Filesize
5.2MB

MD5
1590ab5fbb8d8ce89e1885f4ae7ce9d1

SHA1
c1990b8b240273125f7c88ec6af25c73ab8027ae

SHA256
dfe718f6ae0c96c0c2d32a4c00514c1b608df372225ff4a53aef1f27ff6e1c39

SHA512
af6022fd53212ae4c0d5ad71568e2510ed2ae755a66f907e7c8351561052dc6940dc5a195cb217d230ae1e041f55d6c566d77d594f38fbbf435753608f4ef665

Download Submit
C:\Windows\system\UxgVTvU.exe

Filesize
5.2MB

MD5
1494a896045771e67a5ae5657bb8635a

SHA1
d32ecc0a8467e5244d40e0b0a43c88d2c5b53ddc

SHA256
ed5afcdf20f45210171ab9253bd2f1791d4157bd1aacaef941a3bf5e6475b2b1

SHA512
a3bca9fca4a9641bcf81c8f711247893cb42207cf19fc7b8fac034021f13fb4dc7732956f1a9ac2ce2a41d0620c8b9f6e086838704144789877b0431c44a3aab

Download Submit
C:\Windows\system\YrQywin.exe

Filesize
5.2MB

MD5
4504c2b19ed3fd3846c3123d5578aab1

SHA1
3b9695c8db2aab5e8f63e75bbfd2a5f6779b4259

SHA256
a96fdc90ead1fb3f9cdcf33a2b1d6346f6529ea8626830add6b701e01dbfd7f2

SHA512
2412615e8128f2a396b542320ed4c5831df67b50dfcc74e0532fc1088b95b595115a89c4f8538d032d03f7ea8bc47659a19ddb41d3e53a186940496e3d3defdf

Download Submit
C:\Windows\system\aYzOEFu.exe

Filesize
5.2MB

MD5
ee2ab24c16a4adaedfd701422ef2ac03

SHA1
801b86832314efbcf49179dd633fbe486e49877f

SHA256
c8b4c8eff527053443a7e802f329145ec3e28fe8b4b72aa6b24542ed1dc5dbcc

SHA512
2750709ae2d79c0113ea294f0efeef28fccccde2cb1f5c6d20b10447520d553ce4fc28d03c334c9ca459f865516a4cd9355f7a575ce0ee9aa763176916392b2d

Download Submit
C:\Windows\system\bzvMqBR.exe

Filesize
5.2MB

MD5
df2305504bcf22e05f8097f8de7411ad

SHA1
4ccc0cffcb8c72d0ef07396d22b432365a8fb4ff

SHA256
78dec6f61f47f534fa2400bb3a57d0c37981ace752ab375fb5fb263d534dbac3

SHA512
0798914f16a60d8062efbd42294219f8e52bd18657e4173bf292a7da2dc269a0ad891cdd8ff2d4644b806c71464d2efea46ff632abfde50206b1a51157847438

Download Submit
C:\Windows\system\kEXicmx.exe

Filesize
5.2MB

MD5
284a954f14db553450316a84ce286f74

SHA1
102b1bb0bd50bbe613bf35cf3cf3cbb94ab17a77

SHA256
070bf597d16cd2b23cfdc5f797f5695f96568371da10589149e77bfa2a20be33

SHA512
c97c2eb4f36c30a597ced2deee3c8db38b721b07e64e511e42589894f2a78530e1552dcb8f8c64aef4c5cd45fcf1fff479ed6196708e2b6d9fc5a5cf57eb462b

Download Submit
\Windows\system\BbYYlJE.exe

Filesize
5.2MB

MD5
5fad0ac90ec9b7bf412efa19db2d1cfb

SHA1
22a111a0b4415d04dba9a96a996e5d9aed3e05f8

SHA256
f37b9e797b9a493bdf6e352225b8815b44801291ee43d5cbf41db7cc9fdd4fd3

SHA512
24a74cd337f7255fdd1e759c4ce8f7364ab7c809b00a451186e37c511de1f3f39acaacf91295142821bb2c17b3a6ed3cbf91fce3aa497cb7490d6d2ce92566d1

Download Submit
\Windows\system\CtWqGPq.exe

Filesize
5.2MB

MD5
dfa1c9be4fe525ffd55ccdaf3008b2fe

SHA1
8b073a073c0a02fd3a9fd2fcecd1b1293b527244

SHA256
0a24b6115e5e77659fe8677e5561f0867423afc6d14c2dbfc9be75e1cc569b8b

SHA512
674d2c5b142953cdeb59122c69d2315e7703750f818bf103357fceb842d66ddb3739659c377f027b9916c63cd136f2ea3af89291fd25110d76de0a7330ffe3d8

Download Submit
\Windows\system\FfDLYvy.exe

Filesize
5.2MB

MD5
f133803f22fa41c29326f6907fe38afe

SHA1
594150e380afcd5fb56e04eafa1d93eb60ffc634

SHA256
21f9b9ce8443e7a6927ceff43225bed3c0f7685a9636e83584575709b136bfc8

SHA512
9ce188386facad694f4623070b197a81b1feea37e08d349b9ed7ce99ad1b3b79370b708e1506c5185a9837d21f2166a04019264b8601e706b59977289369d0c2

Download Submit
\Windows\system\GcOjnUB.exe

Filesize
5.2MB

MD5
b1dda3b56a6c2a70f35c267b25278bf4

SHA1
54ab7127e0f927aca3370f7140aa7ce60a2143ec

SHA256
81d20d20b0472666e05965c89cbdafd7514e15c236008fb140429c6accb75f4a

SHA512
37a0a0a118e6f3ee2d0a121f02ff4214ac64a3f1c881cb327ad3ac92e8520204d121319663b494e63911dc0dfafb79e6233fb728d522c1a2b620f69ea30e201c

Download Submit
\Windows\system\IEdfZdh.exe

Filesize
5.2MB

MD5
be3df4aabcb04747d4f3632e6be6c32e

SHA1
2430654cd5c1d34add2ecf94e2608e379e8c31c9

SHA256
3d0dbba801c055e2e3dbe1f520993ffcfa2df1d1d241448d9296f4e664043f22

SHA512
5239e2e001fb7dfc9e63baff3eacff4829ef521ee2ee0af05374cb3ecb6128cef1a65080a3bb0dfb19e9724c1761d2c7c05e4f49af96d6c3356f90cba3fac013

Download Submit
\Windows\system\VxNHFTr.exe

Filesize
5.2MB

MD5
aab4acab392fec886dee7aa20b0a3fb0

SHA1
f2fdb727c76dff78761c46f04c73ce2ae89f897a

SHA256
4fe7e074179cfa8d0e895b3b24489ffa191e5e4a09709cf17788d0a7b06d9ec4

SHA512
b67ac3f54dc3b9c3352b22973d98c4acd7f5b388ad14174f4936df56a06bba1e99aa44da78c7349a2ef71467c69dd99a29cec1e3a21a5995fc01e4e61308419d

Download Submit
\Windows\system\bJiiUmf.exe

Filesize
5.2MB

MD5
a77daac9f3f64d9a8965d43524248cc8

SHA1
f4ba7ebcfbdcb194a13df56d85641411796b2c03

SHA256
6b1bca7c8ad1e385bb0abf248674475849cd62633461508d2d8e63056ea0ea6a

SHA512
fc42f4d3ee16e6c22d4f9727951364fd26890671654d010887e91ff63a96cabfe190119e6a4a864ae2afa4cf3e81244fdfc5b1d492d7bfc407f81d56df015898

Download Submit
\Windows\system\bYdNhrf.exe

Filesize
5.2MB

MD5
6929257add2304753a560f2b9c177e50

SHA1
0705d1132f67b5ba847b2d184566126d76a56c01

SHA256
18744be816768af15ee9c12ea4f4520cfb695eaeefd8d755f6c6f802690358a6

SHA512
e452a587619b561467d8907d1ebadebe806a933a89eac2b17abfe75f726a8da32369c3ef14e78c1d063d96546bfa109ae2df0e7e63d948199e4f2989111dd71a

Download Submit
\Windows\system\lTIgiZT.exe

Filesize
5.2MB

MD5
d25bd066de6de8884dd5c8250c0ca536

SHA1
39ccbc515e79a96d22c378847960b2e2f848f2f7

SHA256
a5c43325b87355006782e14665a86e6bcd2385e36f78d52c2cd1021b6171f229

SHA512
8ed8b8639cf63aea20c478d0905cbfd176f658482eb80ce0a9a9f018cbec7a9ae3166e3e3b2e7d522eba44ff65153b981bc9fd730d0ec544bf2906ae9a2bc073

Download Submit
\Windows\system\sHeEnSs.exe

Filesize
5.2MB

MD5
18e98ad0661e9fd14ab18167c6ac18be

SHA1
6786e54591b6006ab25f894646785cec343e480c

SHA256
e1205666a770e62ed51c15a0f4b72ce5dda7d47b48419dade66e40481562bd68

SHA512
a9f5979197604e2238a1253266628e208126c5a9c4f1feadb8c6bb470e1eb7cacdf73ec02ccaa4dad04160f14a1968d4b6975b7c5654530090f5df79725d63b1

Download Submit
memory/476-69-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/476-223-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/476-21-0x000000013F320000-0x000000013F671000-memory.dmp

Filesize
3.3MB

Download
memory/532-216-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

Filesize
3.3MB

Download
memory/532-11-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

Filesize
3.3MB

Download
memory/532-54-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

Filesize
3.3MB

Download
memory/780-165-0x000000013FA10000-0x000000013FD61000-memory.dmp

Filesize
3.3MB

Download
memory/1080-163-0x000000013F690000-0x000000013F9E1000-memory.dmp

Filesize
3.3MB

Download
memory/1620-162-0x000000013FE50000-0x00000001401A1000-memory.dmp

Filesize
3.3MB

Download
memory/1664-161-0x000000013F750000-0x000000013FAA1000-memory.dmp

Filesize
3.3MB

Download
memory/1760-166-0x000000013F330000-0x000000013F681000-memory.dmp

Filesize
3.3MB

Download
memory/1928-50-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/1928-233-0x000000013F5E0000-0x000000013F931000-memory.dmp

Filesize
3.3MB

Download
memory/1956-164-0x000000013FDC0000-0x0000000140111000-memory.dmp

Filesize
3.3MB

Download
memory/2028-167-0x000000013F6F0000-0x000000013FA41000-memory.dmp

Filesize
3.3MB

Download
memory/2096-89-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/2096-248-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/2216-225-0x000000013F650000-0x000000013F9A1000-memory.dmp

Filesize
3.3MB

Download
memory/2216-70-0x000000013F650000-0x000000013F9A1000-memory.dmp

Filesize
3.3MB

Download
memory/2216-33-0x000000013F650000-0x000000013F9A1000-memory.dmp

Filesize
3.3MB

Download
memory/2276-61-0x000000013FB20000-0x000000013FE71000-memory.dmp

Filesize
3.3MB

Download
memory/2276-218-0x000000013FB20000-0x000000013FE71000-memory.dmp

Filesize
3.3MB

Download
memory/2276-15-0x000000013FB20000-0x000000013FE71000-memory.dmp

Filesize
3.3MB

Download
memory/2412-36-0x000000013F220000-0x000000013F571000-memory.dmp

Filesize
3.3MB

Download
memory/2412-80-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2412-27-0x000000013F650000-0x000000013F9A1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-0-0x000000013FC50000-0x000000013FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-6-0x000000013F6A0000-0x000000013F9F1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-93-0x000000013F710000-0x000000013FA61000-memory.dmp

Filesize
3.3MB

Download
memory/2412-14-0x0000000002370000-0x00000000026C1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-47-0x000000013FC50000-0x000000013FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/2412-106-0x000000013F750000-0x000000013FAA1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-105-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-138-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/2412-65-0x000000013F660000-0x000000013F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-141-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2412-142-0x000000013FC50000-0x000000013FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-168-0x000000013FC50000-0x000000013FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-150-0x0000000002370000-0x00000000026C1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-155-0x000000013F710000-0x000000013FA61000-memory.dmp

Filesize
3.3MB

Download
memory/2412-157-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-88-0x0000000002370000-0x00000000026C1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-71-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/2412-108-0x0000000002370000-0x00000000026C1000-memory.dmp

Filesize
3.3MB

Download
memory/2412-40-0x000000013F510000-0x000000013F861000-memory.dmp

Filesize
3.3MB

Download
memory/2524-74-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/2524-242-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/2524-139-0x000000013F130000-0x000000013F481000-memory.dmp

Filesize
3.3MB

Download
memory/2652-147-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2652-246-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2652-82-0x000000013F540000-0x000000013F891000-memory.dmp

Filesize
3.3MB

Download
memory/2680-227-0x000000013F220000-0x000000013F571000-memory.dmp

Filesize
3.3MB

Download
memory/2680-35-0x000000013F220000-0x000000013F571000-memory.dmp

Filesize
3.3MB

Download
memory/2700-239-0x000000013F660000-0x000000013F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/2700-64-0x000000013F660000-0x000000013F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/2748-110-0x000000013F710000-0x000000013FA61000-memory.dmp

Filesize
3.3MB

Download
memory/2748-260-0x000000013F710000-0x000000013FA61000-memory.dmp

Filesize
3.3MB

Download
memory/2772-160-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/2844-231-0x000000013F510000-0x000000013F861000-memory.dmp

Filesize
3.3MB

Download
memory/2844-78-0x000000013F510000-0x000000013F861000-memory.dmp

Filesize
3.3MB

Download
memory/2844-43-0x000000013F510000-0x000000013F861000-memory.dmp

Filesize
3.3MB

Download
memory/2904-237-0x000000013F500000-0x000000013F851000-memory.dmp

Filesize
3.3MB

Download
memory/2904-62-0x000000013F500000-0x000000013F851000-memory.dmp

Filesize
3.3MB

Download