cobaltstrike | 6b43a9c364befb360b7d01c9383624412613c557f04da49a99ecc08a3c941276

Analysis

max time kernel
143s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

0305d5e34684137e29bebc0409fae550
SHA1

eff60feb95ec1d923eb332090bbd6d3ddb6137cc
SHA256

6b43a9c364befb360b7d01c9383624412613c557f04da49a99ecc08a3c941276
SHA512

496cc1b0d038af767fd5946e5883422f4c702c4add51e2d23080a4f68cdd86d2ce47bda3bd7ed7b08bd23b7e971ca0251e63eff1e04534c48b0502a8d1c5d84a
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lO:RWWBibd56utgpPFotBER/mQ32lUi

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x00080000000120fb-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d49-13.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d71-12.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016f45-21.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000017342-27.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000017349-38.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001919c-57.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191df-85.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191ad-66.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016ce8-47.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191d1-78.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191cf-74.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018741-60.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000017355-56.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019214-109.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000191f8-108.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019219-118.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019232-128.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019345-135.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001921d-126.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019329-132.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 41 IoCs

miner

resource	yara_rule
behavioral1/memory/1680-30-0x000000013FCB0000-0x0000000140001000-memory.dmp	xmrig
behavioral1/memory/2816-75-0x000000013F260000-0x000000013F5B1000-memory.dmp	xmrig
behavioral1/memory/2108-84-0x000000013F440000-0x000000013F791000-memory.dmp	xmrig
behavioral1/memory/2480-96-0x000000013F810000-0x000000013FB61000-memory.dmp	xmrig
behavioral1/memory/1908-68-0x000000013F160000-0x000000013F4B1000-memory.dmp	xmrig
behavioral1/memory/2556-87-0x000000013F5B0000-0x000000013F901000-memory.dmp	xmrig
behavioral1/memory/1680-86-0x000000013F5B0000-0x000000013F901000-memory.dmp	xmrig
behavioral1/memory/2900-76-0x000000013FE90000-0x00000001401E1000-memory.dmp	xmrig
behavioral1/memory/2176-97-0x000000013F0D0000-0x000000013F421000-memory.dmp	xmrig
behavioral1/memory/2712-65-0x000000013F720000-0x000000013FA71000-memory.dmp	xmrig
behavioral1/memory/2748-59-0x000000013FA50000-0x000000013FDA1000-memory.dmp	xmrig
behavioral1/memory/2100-54-0x000000013F2B0000-0x000000013F601000-memory.dmp	xmrig
behavioral1/memory/2404-98-0x000000013F5C0000-0x000000013F911000-memory.dmp	xmrig
behavioral1/memory/2748-100-0x000000013FA50000-0x000000013FDA1000-memory.dmp	xmrig
behavioral1/memory/1680-115-0x000000013F440000-0x000000013F791000-memory.dmp	xmrig
behavioral1/memory/2716-139-0x000000013FDF0000-0x0000000140141000-memory.dmp	xmrig
behavioral1/memory/2008-143-0x000000013F3B0000-0x000000013F701000-memory.dmp	xmrig
behavioral1/memory/1680-141-0x000000013FCB0000-0x0000000140001000-memory.dmp	xmrig
behavioral1/memory/3000-153-0x000000013FDF0000-0x0000000140141000-memory.dmp	xmrig
behavioral1/memory/2540-158-0x000000013F440000-0x000000013F791000-memory.dmp	xmrig
behavioral1/memory/860-159-0x000000013FB00000-0x000000013FE51000-memory.dmp	xmrig
behavioral1/memory/2620-162-0x000000013F0F0000-0x000000013F441000-memory.dmp	xmrig
behavioral1/memory/1800-163-0x000000013FAE0000-0x000000013FE31000-memory.dmp	xmrig
behavioral1/memory/2860-165-0x000000013F4E0000-0x000000013F831000-memory.dmp	xmrig
behavioral1/memory/264-161-0x000000013F900000-0x000000013FC51000-memory.dmp	xmrig
behavioral1/memory/2104-164-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	xmrig
behavioral1/memory/1680-166-0x000000013FCB0000-0x0000000140001000-memory.dmp	xmrig
behavioral1/memory/1908-217-0x000000013F160000-0x000000013F4B1000-memory.dmp	xmrig
behavioral1/memory/2108-219-0x000000013F440000-0x000000013F791000-memory.dmp	xmrig
behavioral1/memory/2176-232-0x000000013F0D0000-0x000000013F421000-memory.dmp	xmrig
behavioral1/memory/2480-234-0x000000013F810000-0x000000013FB61000-memory.dmp	xmrig
behavioral1/memory/2404-231-0x000000013F5C0000-0x000000013F911000-memory.dmp	xmrig
behavioral1/memory/2100-236-0x000000013F2B0000-0x000000013F601000-memory.dmp	xmrig
behavioral1/memory/2816-240-0x000000013F260000-0x000000013F5B1000-memory.dmp	xmrig
behavioral1/memory/2712-238-0x000000013F720000-0x000000013FA71000-memory.dmp	xmrig
behavioral1/memory/2900-242-0x000000013FE90000-0x00000001401E1000-memory.dmp	xmrig
behavioral1/memory/2556-244-0x000000013F5B0000-0x000000013F901000-memory.dmp	xmrig
behavioral1/memory/2748-246-0x000000013FA50000-0x000000013FDA1000-memory.dmp	xmrig
behavioral1/memory/3000-257-0x000000013FDF0000-0x0000000140141000-memory.dmp	xmrig
behavioral1/memory/2008-256-0x000000013F3B0000-0x000000013F701000-memory.dmp	xmrig
behavioral1/memory/2716-259-0x000000013FDF0000-0x0000000140141000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1908	aZDwvKt.exe
2108	yYblLzQ.exe
2480	raVWzib.exe
2176	vcGGZEo.exe
2404	ELOGEiw.exe
2100	XwxYCkm.exe
2748	XAbrual.exe
2816	PYNraeq.exe
2712	IkCCmtf.exe
2900	ukkBPCh.exe
2556	fyuqLQO.exe
2716	ApRShnN.exe
2008	bRAsZSD.exe
3000	gFYwXgF.exe
2540	fTtylgS.exe
860	DsyhShP.exe
264	PXEJrpj.exe
2620	BwBgctg.exe
1800	NlFvYtY.exe
2104	fXnmqwJ.exe
2860	JgKYAuF.exe

Loads dropped DLL 21 IoCs

pid	Process
1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1680-0-0x000000013FCB0000-0x0000000140001000-memory.dmp	upx
behavioral1/files/0x00080000000120fb-3.dat	upx
behavioral1/memory/1908-9-0x000000013F160000-0x000000013F4B1000-memory.dmp	upx
behavioral1/files/0x0008000000016d49-13.dat	upx
behavioral1/files/0x0008000000016d71-12.dat	upx
behavioral1/memory/2108-14-0x000000013F440000-0x000000013F791000-memory.dmp	upx
behavioral1/files/0x0007000000016f45-21.dat	upx
behavioral1/memory/2176-26-0x000000013F0D0000-0x000000013F421000-memory.dmp	upx
behavioral1/files/0x0007000000017342-27.dat	upx
behavioral1/memory/2480-20-0x000000013F810000-0x000000013FB61000-memory.dmp	upx
behavioral1/memory/2404-31-0x000000013F5C0000-0x000000013F911000-memory.dmp	upx
behavioral1/memory/1680-30-0x000000013FCB0000-0x0000000140001000-memory.dmp	upx
behavioral1/files/0x0007000000017349-38.dat	upx
behavioral1/files/0x000500000001919c-57.dat	upx
behavioral1/memory/2816-75-0x000000013F260000-0x000000013F5B1000-memory.dmp	upx
behavioral1/files/0x00050000000191df-85.dat	upx
behavioral1/files/0x00050000000191ad-66.dat	upx
behavioral1/memory/2008-94-0x000000013F3B0000-0x000000013F701000-memory.dmp	upx
behavioral1/files/0x0009000000016ce8-47.dat	upx
behavioral1/memory/2108-84-0x000000013F440000-0x000000013F791000-memory.dmp	upx
behavioral1/files/0x00050000000191d1-78.dat	upx
behavioral1/memory/2480-96-0x000000013F810000-0x000000013FB61000-memory.dmp	upx
behavioral1/memory/1908-68-0x000000013F160000-0x000000013F4B1000-memory.dmp	upx
behavioral1/memory/2716-93-0x000000013FDF0000-0x0000000140141000-memory.dmp	upx
behavioral1/memory/2556-87-0x000000013F5B0000-0x000000013F901000-memory.dmp	upx
behavioral1/memory/2900-76-0x000000013FE90000-0x00000001401E1000-memory.dmp	upx
behavioral1/files/0x00050000000191cf-74.dat	upx
behavioral1/memory/2176-97-0x000000013F0D0000-0x000000013F421000-memory.dmp	upx
behavioral1/memory/2712-65-0x000000013F720000-0x000000013FA71000-memory.dmp	upx
behavioral1/files/0x0007000000018741-60.dat	upx
behavioral1/memory/2748-59-0x000000013FA50000-0x000000013FDA1000-memory.dmp	upx
behavioral1/files/0x0009000000017355-56.dat	upx
behavioral1/memory/2100-54-0x000000013F2B0000-0x000000013F601000-memory.dmp	upx
behavioral1/memory/2404-98-0x000000013F5C0000-0x000000013F911000-memory.dmp	upx
behavioral1/memory/2748-100-0x000000013FA50000-0x000000013FDA1000-memory.dmp	upx
behavioral1/files/0x0005000000019214-109.dat	upx
behavioral1/files/0x00050000000191f8-108.dat	upx
behavioral1/files/0x0005000000019219-118.dat	upx
behavioral1/files/0x0005000000019232-128.dat	upx
behavioral1/files/0x0005000000019345-135.dat	upx
behavioral1/files/0x000500000001921d-126.dat	upx
behavioral1/files/0x0005000000019329-132.dat	upx
behavioral1/memory/2716-139-0x000000013FDF0000-0x0000000140141000-memory.dmp	upx
behavioral1/memory/2008-143-0x000000013F3B0000-0x000000013F701000-memory.dmp	upx
behavioral1/memory/1680-141-0x000000013FCB0000-0x0000000140001000-memory.dmp	upx
behavioral1/memory/3000-153-0x000000013FDF0000-0x0000000140141000-memory.dmp	upx
behavioral1/memory/2540-158-0x000000013F440000-0x000000013F791000-memory.dmp	upx
behavioral1/memory/860-159-0x000000013FB00000-0x000000013FE51000-memory.dmp	upx
behavioral1/memory/2620-162-0x000000013F0F0000-0x000000013F441000-memory.dmp	upx
behavioral1/memory/1800-163-0x000000013FAE0000-0x000000013FE31000-memory.dmp	upx
behavioral1/memory/2860-165-0x000000013F4E0000-0x000000013F831000-memory.dmp	upx
behavioral1/memory/264-161-0x000000013F900000-0x000000013FC51000-memory.dmp	upx
behavioral1/memory/2104-164-0x000000013F7A0000-0x000000013FAF1000-memory.dmp	upx
behavioral1/memory/1680-166-0x000000013FCB0000-0x0000000140001000-memory.dmp	upx
behavioral1/memory/1908-217-0x000000013F160000-0x000000013F4B1000-memory.dmp	upx
behavioral1/memory/2108-219-0x000000013F440000-0x000000013F791000-memory.dmp	upx
behavioral1/memory/2176-232-0x000000013F0D0000-0x000000013F421000-memory.dmp	upx
behavioral1/memory/2480-234-0x000000013F810000-0x000000013FB61000-memory.dmp	upx
behavioral1/memory/2404-231-0x000000013F5C0000-0x000000013F911000-memory.dmp	upx
behavioral1/memory/2100-236-0x000000013F2B0000-0x000000013F601000-memory.dmp	upx
behavioral1/memory/2816-240-0x000000013F260000-0x000000013F5B1000-memory.dmp	upx
behavioral1/memory/2712-238-0x000000013F720000-0x000000013FA71000-memory.dmp	upx
behavioral1/memory/2900-242-0x000000013FE90000-0x00000001401E1000-memory.dmp	upx
behavioral1/memory/2556-244-0x000000013F5B0000-0x000000013F901000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\aZDwvKt.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vcGGZEo.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XAbrual.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fyuqLQO.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BwBgctg.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fTtylgS.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DsyhShP.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\raVWzib.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ELOGEiw.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XwxYCkm.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PYNraeq.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ApRShnN.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bRAsZSD.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PXEJrpj.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yYblLzQ.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ukkBPCh.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IkCCmtf.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NlFvYtY.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fXnmqwJ.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JgKYAuF.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gFYwXgF.exe	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 1908	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1680 wrote to memory of 1908	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1680 wrote to memory of 1908	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1680 wrote to memory of 2108	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1680 wrote to memory of 2108	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1680 wrote to memory of 2108	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1680 wrote to memory of 2480	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1680 wrote to memory of 2480	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1680 wrote to memory of 2480	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1680 wrote to memory of 2176	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1680 wrote to memory of 2176	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1680 wrote to memory of 2176	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1680 wrote to memory of 2404	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1680 wrote to memory of 2404	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1680 wrote to memory of 2404	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1680 wrote to memory of 2100	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1680 wrote to memory of 2100	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1680 wrote to memory of 2100	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1680 wrote to memory of 2748	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1680 wrote to memory of 2748	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1680 wrote to memory of 2748	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1680 wrote to memory of 2816	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1680 wrote to memory of 2816	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1680 wrote to memory of 2816	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1680 wrote to memory of 2900	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1680 wrote to memory of 2900	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1680 wrote to memory of 2900	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1680 wrote to memory of 2712	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1680 wrote to memory of 2712	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1680 wrote to memory of 2712	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1680 wrote to memory of 2716	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1680 wrote to memory of 2716	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1680 wrote to memory of 2716	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1680 wrote to memory of 2556	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1680 wrote to memory of 2556	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1680 wrote to memory of 2556	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1680 wrote to memory of 3000	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1680 wrote to memory of 3000	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1680 wrote to memory of 3000	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1680 wrote to memory of 2008	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1680 wrote to memory of 2008	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1680 wrote to memory of 2008	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1680 wrote to memory of 2540	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1680 wrote to memory of 2540	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1680 wrote to memory of 2540	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1680 wrote to memory of 860	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1680 wrote to memory of 860	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1680 wrote to memory of 860	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1680 wrote to memory of 264	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1680 wrote to memory of 264	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1680 wrote to memory of 264	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1680 wrote to memory of 2620	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1680 wrote to memory of 2620	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1680 wrote to memory of 2620	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1680 wrote to memory of 1800	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1680 wrote to memory of 1800	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1680 wrote to memory of 1800	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1680 wrote to memory of 2104	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1680 wrote to memory of 2104	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1680 wrote to memory of 2104	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1680 wrote to memory of 2860	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1680 wrote to memory of 2860	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 1680 wrote to memory of 2860	1680	2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-20_0305d5e34684137e29bebc0409fae550_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Windows\System\aZDwvKt.exe
  C:\Windows\System\aZDwvKt.exe
  2⤵
  - Executes dropped EXE
  PID:1908
- C:\Windows\System\yYblLzQ.exe
  C:\Windows\System\yYblLzQ.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System\raVWzib.exe
  C:\Windows\System\raVWzib.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System\vcGGZEo.exe
  C:\Windows\System\vcGGZEo.exe
  2⤵
  - Executes dropped EXE
  PID:2176
- C:\Windows\System\ELOGEiw.exe
  C:\Windows\System\ELOGEiw.exe
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\Windows\System\XwxYCkm.exe
  C:\Windows\System\XwxYCkm.exe
  2⤵
  - Executes dropped EXE
  PID:2100
- C:\Windows\System\XAbrual.exe
  C:\Windows\System\XAbrual.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\PYNraeq.exe
  C:\Windows\System\PYNraeq.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System\ukkBPCh.exe
  C:\Windows\System\ukkBPCh.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\System\IkCCmtf.exe
  C:\Windows\System\IkCCmtf.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\ApRShnN.exe
  C:\Windows\System\ApRShnN.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\fyuqLQO.exe
  C:\Windows\System\fyuqLQO.exe
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\Windows\System\gFYwXgF.exe
  C:\Windows\System\gFYwXgF.exe
  2⤵
  - Executes dropped EXE
  PID:3000
- C:\Windows\System\bRAsZSD.exe
  C:\Windows\System\bRAsZSD.exe
  2⤵
  - Executes dropped EXE
  PID:2008
- C:\Windows\System\fTtylgS.exe
  C:\Windows\System\fTtylgS.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\DsyhShP.exe
  C:\Windows\System\DsyhShP.exe
  2⤵
  - Executes dropped EXE
  PID:860
- C:\Windows\System\PXEJrpj.exe
  C:\Windows\System\PXEJrpj.exe
  2⤵
  - Executes dropped EXE
  PID:264
- C:\Windows\System\BwBgctg.exe
  C:\Windows\System\BwBgctg.exe
  2⤵
  - Executes dropped EXE
  PID:2620
- C:\Windows\System\NlFvYtY.exe
  C:\Windows\System\NlFvYtY.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System\fXnmqwJ.exe
  C:\Windows\System\fXnmqwJ.exe
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\Windows\System\JgKYAuF.exe
  C:\Windows\System\JgKYAuF.exe
  2⤵
  - Executes dropped EXE
  PID:2860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BwBgctg.exe

Filesize
5.2MB

MD5
cd87fff434bf2f45cab9989db7a74fb5

SHA1
ba376aed250d39504aee2b3c9c619a5624e2a78e

SHA256
933c1a0830841bfeea492bd2dc8584a3b28d893bc47a5d6a8bbedd72a1c4e5d5

SHA512
b802e03e60d6f6837613c853fc7967c66b7a95a2d141bcc9b1917a7b3cda6f1ce4bf7fb76305306e81aeecb8cd8bab099a528556a956e5e5cc3bb2efd2231450

Download Submit
C:\Windows\system\IkCCmtf.exe

Filesize
5.2MB

MD5
a1392cb778a13f9cf8a2497b35f27070

SHA1
4b52a8b4eb10a5fd447cb1e24865d952a9b33dd0

SHA256
32a0e873f0624d3803a91c05b27d51b0697feb8a94bd6a2774c51d4af0ab2344

SHA512
7913a15bb42081a19c56785e0c6e2efd713c76df772fa4887546811c4348412235001c275fb7ea231d3968f975b0df52d5e41526df9771fac3ca7d6b6470afe9

Download Submit
C:\Windows\system\NlFvYtY.exe

Filesize
5.2MB

MD5
e3b1f625c30f7e0664e75e1ab03ebb46

SHA1
671007c5e9da139d1d2e8432ec215b780265a135

SHA256
6df37d5ad60d1aeb20a9f81f0c3bc36d6b22ce485cea6f5cc1356a604c443778

SHA512
4ac59299bc72844700a717f7af421baa86d1dfdfd9868d38f2f88668d0b55d5f684087f5484d25023093a83388e65e70f64c39545ae49fce079472d43066a6a0

Download Submit
C:\Windows\system\PXEJrpj.exe

Filesize
5.2MB

MD5
224ada454034ea9928752d59e725d893

SHA1
8392519296ca67cf1bb9a8559cb13253542e0056

SHA256
0a7d2f40ddbb33e35b19c9c57ef00b7e1d6e1e216bd3644e24b206f6216864f0

SHA512
a62f1c4e46bf6b4e488ba8b6a59d1bdb01cf821e212bb877020044e344d0cc95ed3c7975f9d63cf525bf43174c6d87e46618038788963887a2874f981da421a7

Download Submit
C:\Windows\system\PYNraeq.exe

Filesize
5.2MB

MD5
23fcf7c504b96afbd65ff42d7c0ee975

SHA1
e6b59891a40b953c7aa18bdfcc1a2d21c561a933

SHA256
709496a27be590021209118c9aed0816526098496afb9125b605b5392d026209

SHA512
5ef7d8ec50309055ec0b2fc853ab1eed80ba3d3cecede85b1abbf569b3c80ba32ba12d6c239b1a0b416b1281817c5233f3db910f30f535b936251f5a9a1b482b

Download Submit
C:\Windows\system\XAbrual.exe

Filesize
5.2MB

MD5
e61fca63684bb623dde0c260309938a3

SHA1
36e4d21720b1cd08047893f98d2964d5d556e5e2

SHA256
eca3b63d621a0d38ccfbde7587decce7e062b2bf950bcd48a9ff13f850eb3a3f

SHA512
63917bb0ea3f71c78527a0400ee0bf4bb26cd45861bdcef282cab474db0f449a5428c0c21d891065a31b7d21b92cb0044c1a47dbc355a72e756aa795b5690ec6

Download Submit
C:\Windows\system\XwxYCkm.exe

Filesize
5.2MB

MD5
dd2fa08a79ef2839aa87b3c407e1e1e5

SHA1
fc1f297a8642932f7ef3453e8007ed6f55a0687b

SHA256
1d4cf71f6edd4e4f8972c0fb853c47382435fe122c205b7b35ed6c779721ced7

SHA512
490c3f8a7e203ba4bb0ac6dbe8cbfc5f2a02435e4065cc6fda04b46e1086080daba27dfc54fc6ad9b04246fc4327f3d01da05f3a503acf50804d5d140d431a35

Download Submit
C:\Windows\system\fTtylgS.exe

Filesize
5.2MB

MD5
fa5c22139ccd0b079b221739384a8a95

SHA1
5853f22259037f82417fceec5c488eecc65a088a

SHA256
bf21595074f2061d626f5e1680f723072ba8f19a95a213e78f11873e9ccd8716

SHA512
75d78299360e0d740e10495f4c715fe16dceabf098c3355c01282b72fb9c674af11d6b1a812d56e11acbb755a22105345d0043da838a400ed4f690b1b6d1cd25

Download Submit
C:\Windows\system\fXnmqwJ.exe

Filesize
5.2MB

MD5
e67922c1d36efc601eb257b4548f811c

SHA1
c220c8dbbd99516a45b07fa7272d9f6e4fd2e0b4

SHA256
20acdb79c50518db38da7b7ba60687c3b8d724bd773173f2adf28d5d3748d833

SHA512
aad7872a49148826364d4f499964626606cf78c105db127c6b86fc8e48fedcb654c9bebe2a25fff3713d42613dc838c712cca1bfe84261a837575b91759ee99c

Download Submit
C:\Windows\system\fyuqLQO.exe

Filesize
5.2MB

MD5
9054421d511629f99269377e30cd511e

SHA1
0ac1701ae787c7c1375d65fd0c9ec54dc5ffb047

SHA256
d0216e84d0711e7f14b3b7eda8113f830e7ceddf7d3c841ca9afea615cc17b67

SHA512
49c010e95252e765bc143e766dd8b1d3d5e541bc4e554f9523f38247992fa4e85547f01fe48e8c54bb52c6e8780cbda2b478dc5f35c6d66beb19a0e3aca9c054

Download Submit
C:\Windows\system\raVWzib.exe

Filesize
5.2MB

MD5
0e21e523035957a4f9cb594004098d22

SHA1
94600cd169decac9d129ea4e53b9ce0f1edce38e

SHA256
2f78224d1d528f9ff7f9c3bb3f895a33ae337160234b8468a190ddc78fc21476

SHA512
2510fa00049c6eac289f32c575c8d84de545dc9bb8fca6f4799142e1f2ecfed498f20df1156b0656d347f7b321ba26ecb689aac33abc9fda3ed3dc64f7650bbb

Download Submit
C:\Windows\system\ukkBPCh.exe

Filesize
5.2MB

MD5
60bd48cca574fac53dd9e089b43b2cfb

SHA1
dcb08b9dbc1649bac6164d8b5348020417ce8c7b

SHA256
32c2002a090e0c3105532e787db89281b1c3553618f260421d8c2d18aa7adb2c

SHA512
59415176bd0f03029e3d317c896e4881e098909f9bc765c7535c163ea3d8ad343aa766c514515c9e76e36fced18adc746978c3b3dedd09218051b697842e36dc

Download Submit
C:\Windows\system\yYblLzQ.exe

Filesize
5.2MB

MD5
f97a28b6cd0cdae04259c6b4709b089e

SHA1
a661eb14da348322698e7218d5d78c53166b6d60

SHA256
eeecf143ec6a07ef777063b9057bcac35eb4fea597e16d6d85f082c2e813647e

SHA512
6b1a742059eae074e52055b96fa4869467d39d5e744216c162013eae1a59f407cb915ad37572407fead4586deec0ea54cb50fd69d45dbefe66612cd7ec88af88

Download Submit
\Windows\system\ApRShnN.exe

Filesize
5.2MB

MD5
8b5b1c918f5b8a12dcc2c8f89bc654f8

SHA1
4d9f6bfef7552bcc12efb9eaf800b221f4934966

SHA256
430e1699900e6809aa05b456e8caaf284ddf94c1da0be7d78b316d4a79a8914a

SHA512
3d33b28a9f03ef0e8b438461dd318fb04bd1092b0702d6f2dad78b6c743100f4c526b81423eb1f231cce3f5efe1486084a965bced2cceb05f27ba657eb60308a

Download Submit
\Windows\system\DsyhShP.exe

Filesize
5.2MB

MD5
a3b66711d32bb4b8e9d748dfd51d4ba1

SHA1
3eb3d9e434309f869fb278722a4b8b7bf44dce69

SHA256
4fe82bfd7e74925c0d71a2a90ec6043986c3145760ed439b867ca8b0a8a9985e

SHA512
ac5e2360f6275f14f74b98710c9478522c8536874ebf6062b7a1a0d5d13447ef8af4f868eaba5b46fd5cb93c1acb820a05cf0dd36bcb68daa5a325383a2f4ac0

Download Submit
\Windows\system\ELOGEiw.exe

Filesize
5.2MB

MD5
6024ccb8f7fe12514a229102e196622f

SHA1
e74ed0b642ad2431de39d677d1588eeb095c6ed5

SHA256
42b98c5ebe45ceccaf14930c6e4cad7afaa2e6ee292995822a602825969314a8

SHA512
8aa5d7d8c0dc402662535c28bc9fd6faa2dc105f6d1c345539e8636a2ad0e1fb8159f88d7b34a1996e748a2f73468f5f981ac2b7d16ec0a7fe143e0e73e35b69

Download Submit
\Windows\system\JgKYAuF.exe

Filesize
5.2MB

MD5
88da14a38acd9114309faf48b1298009

SHA1
5d748a45c0c8292bf76245d62794ceae1ed9e228

SHA256
e6b43749ab487698820606c9e38eabc43c6bd234fd469042cdba0a35c3a60412

SHA512
06d721f89ff63a126c5fc73666f6973f41e4fd83dc70babddb00f97de15b3da9f1e9cdf7d58e5aec4265d5925760139a05bd5cbec8dc0c136a8568ae7fc278f6

Download Submit
\Windows\system\aZDwvKt.exe

Filesize
5.2MB

MD5
6bc720dec03bcb3e1c40bd5a2591d5ea

SHA1
d60638043dd8b55c1d4699b4f09fe547309ce8bd

SHA256
43d4fbd220065522a8eeceac431837abd58cf595c60c48175edadf9de781f4b1

SHA512
b961953733cfaade96dd9c131bdc45cc1d1083a1326aed6b3220c8e1b0bb258f4816025be39e5d9453930b03ef3ec87503398c3b2f415f72cd8e176a1e2cda85

Download Submit
\Windows\system\bRAsZSD.exe

Filesize
5.2MB

MD5
cfe4b6977f223519f0c5792537b984e6

SHA1
3918558055acae3d762897f19e1154803f18671c

SHA256
e9b67f596c185ce1c2e1823a2949c84ba405cdd7299ee52bd391ac346fd48b57

SHA512
4bb9f3c7552fdf2a1cc537f0ad13a9d4ba2517eb4b4c37e12dab0394fedcf8be644a01c4a78e5043f15d39e9feda4f0a65465a94d2309554b05c61808ef9262d

Download Submit
\Windows\system\gFYwXgF.exe

Filesize
5.2MB

MD5
ba4245101e88dedce618e5f689588c24

SHA1
b9a1ecec83603e7a420c48d67b77e5c008a861d6

SHA256
02d93fe2ae2f39f9b569c04c9e059e5a8ccc9625f0ef2eff6135e2848793f711

SHA512
c9a7ca80e5a9d461fb0b75ba615835cf1b5133f6e71e69ac08aa7167e9ccf3315ab5a4cdd6ef54abc54f10d44cdc48af126e71833d4edb6105f6b3f4f0f1ad9e

Download Submit
\Windows\system\vcGGZEo.exe

Filesize
5.2MB

MD5
1f31fc8fb1500be49b91a5a0a61e77c3

SHA1
6b53380a239a4bc6d7f68ef2d77eb7d720016db7

SHA256
3d7c0f63f5a2b2cabbfdb00d1b5240c9f4ee19c65fa56136d302c66df186656a

SHA512
d980abe0de91a092f2f95668837a503766e7a5ebcbea08e9e408415657875eb2f3ed64ca9dc9ca411f2cfe6b5b3b193a3872303918ef70d3db40627ea0d9a563

Download Submit
memory/264-161-0x000000013F900000-0x000000013FC51000-memory.dmp

Filesize
3.3MB

Download
memory/860-159-0x000000013FB00000-0x000000013FE51000-memory.dmp

Filesize
3.3MB

Download
memory/1680-58-0x000000013F260000-0x000000013F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/1680-0-0x000000013FCB0000-0x0000000140001000-memory.dmp

Filesize
3.3MB

Download
memory/1680-160-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/1680-7-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/1680-82-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/1680-30-0x000000013FCB0000-0x0000000140001000-memory.dmp

Filesize
3.3MB

Download
memory/1680-115-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/1680-24-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/1680-86-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/1680-77-0x0000000002230000-0x0000000002581000-memory.dmp

Filesize
3.3MB

Download
memory/1680-104-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/1680-92-0x000000013F3B0000-0x000000013F701000-memory.dmp

Filesize
3.3MB

Download
memory/1680-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/1680-99-0x000000013F260000-0x000000013F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/1680-64-0x000000013F720000-0x000000013FA71000-memory.dmp

Filesize
3.3MB

Download
memory/1680-166-0x000000013FCB0000-0x0000000140001000-memory.dmp

Filesize
3.3MB

Download
memory/1680-48-0x000000013F2B0000-0x000000013F601000-memory.dmp

Filesize
3.3MB

Download
memory/1680-141-0x000000013FCB0000-0x0000000140001000-memory.dmp

Filesize
3.3MB

Download
memory/1680-73-0x0000000002230000-0x0000000002581000-memory.dmp

Filesize
3.3MB

Download
memory/1800-163-0x000000013FAE0000-0x000000013FE31000-memory.dmp

Filesize
3.3MB

Download
memory/1908-68-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/1908-9-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/1908-217-0x000000013F160000-0x000000013F4B1000-memory.dmp

Filesize
3.3MB

Download
memory/2008-143-0x000000013F3B0000-0x000000013F701000-memory.dmp

Filesize
3.3MB

Download
memory/2008-256-0x000000013F3B0000-0x000000013F701000-memory.dmp

Filesize
3.3MB

Download
memory/2008-94-0x000000013F3B0000-0x000000013F701000-memory.dmp

Filesize
3.3MB

Download
memory/2100-54-0x000000013F2B0000-0x000000013F601000-memory.dmp

Filesize
3.3MB

Download
memory/2100-236-0x000000013F2B0000-0x000000013F601000-memory.dmp

Filesize
3.3MB

Download
memory/2104-164-0x000000013F7A0000-0x000000013FAF1000-memory.dmp

Filesize
3.3MB

Download
memory/2108-219-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/2108-14-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/2108-84-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/2176-26-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/2176-232-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/2176-97-0x000000013F0D0000-0x000000013F421000-memory.dmp

Filesize
3.3MB

Download
memory/2404-31-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/2404-231-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/2404-98-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/2480-96-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2480-20-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2480-234-0x000000013F810000-0x000000013FB61000-memory.dmp

Filesize
3.3MB

Download
memory/2540-158-0x000000013F440000-0x000000013F791000-memory.dmp

Filesize
3.3MB

Download
memory/2556-244-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/2556-87-0x000000013F5B0000-0x000000013F901000-memory.dmp

Filesize
3.3MB

Download
memory/2620-162-0x000000013F0F0000-0x000000013F441000-memory.dmp

Filesize
3.3MB

Download
memory/2712-65-0x000000013F720000-0x000000013FA71000-memory.dmp

Filesize
3.3MB

Download
memory/2712-238-0x000000013F720000-0x000000013FA71000-memory.dmp

Filesize
3.3MB

Download
memory/2716-259-0x000000013FDF0000-0x0000000140141000-memory.dmp

Filesize
3.3MB

Download
memory/2716-139-0x000000013FDF0000-0x0000000140141000-memory.dmp

Filesize
3.3MB

Download
memory/2716-93-0x000000013FDF0000-0x0000000140141000-memory.dmp

Filesize
3.3MB

Download
memory/2748-59-0x000000013FA50000-0x000000013FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/2748-100-0x000000013FA50000-0x000000013FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/2748-246-0x000000013FA50000-0x000000013FDA1000-memory.dmp

Filesize
3.3MB

Download
memory/2816-75-0x000000013F260000-0x000000013F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2816-240-0x000000013F260000-0x000000013F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2860-165-0x000000013F4E0000-0x000000013F831000-memory.dmp

Filesize
3.3MB

Download
memory/2900-242-0x000000013FE90000-0x00000001401E1000-memory.dmp

Filesize
3.3MB

Download
memory/2900-76-0x000000013FE90000-0x00000001401E1000-memory.dmp

Filesize
3.3MB

Download
memory/3000-257-0x000000013FDF0000-0x0000000140141000-memory.dmp

Filesize
3.3MB

Download
memory/3000-153-0x000000013FDF0000-0x0000000140141000-memory.dmp

Filesize
3.3MB

Download