cobaltstrike | 8c57a86c036d6fa9437a5de41735da9503ec2e89562a2c4e632aee27e9d762a6

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/09/2024, 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

3efa1d5f2b80db6cc8cd441f2a79ceaa
SHA1

5ca7ae4126f461989651a8ca4aecb7b0c79a19d9
SHA256

8c57a86c036d6fa9437a5de41735da9503ec2e89562a2c4e632aee27e9d762a6
SHA512

9cd9a96d57821f6c64e7b6511ff2a98e328d9b03efb22b3fb9e58196461c654e1327048e25e4885a25bdeee7a83e660f680d42c1a4035cddd8afd5570200efe0
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUn:T+856utgpPF8u/7n

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00070000000235d5-10.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d6-17.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000235d4-9.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d7-22.dat	cobalt_reflective_dll
behavioral2/files/0x00080000000235d2-28.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d9-41.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235d8-36.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235da-48.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235db-55.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235dc-60.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235dd-67.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235de-71.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235df-81.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235e1-88.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235e2-96.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235e4-102.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235e7-114.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235e8-120.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235e9-127.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235e6-126.dat	cobalt_reflective_dll
behavioral2/files/0x00070000000235e5-122.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3420-0-0x00007FF752490000-0x00007FF7527E4000-memory.dmp	xmrig
behavioral2/files/0x00070000000235d5-10.dat	xmrig
behavioral2/memory/2380-8-0x00007FF626BE0000-0x00007FF626F34000-memory.dmp	xmrig
behavioral2/memory/3772-14-0x00007FF6AF4B0000-0x00007FF6AF804000-memory.dmp	xmrig
behavioral2/files/0x00070000000235d6-17.dat	xmrig
behavioral2/memory/1644-18-0x00007FF6AF700000-0x00007FF6AFA54000-memory.dmp	xmrig
behavioral2/files/0x00080000000235d4-9.dat	xmrig
behavioral2/files/0x00070000000235d7-22.dat	xmrig
behavioral2/memory/2548-24-0x00007FF7BE730000-0x00007FF7BEA84000-memory.dmp	xmrig
behavioral2/files/0x00080000000235d2-28.dat	xmrig
behavioral2/memory/1056-31-0x00007FF7FB3B0000-0x00007FF7FB704000-memory.dmp	xmrig
behavioral2/files/0x00070000000235d9-41.dat	xmrig
behavioral2/memory/1448-40-0x00007FF79F0F0000-0x00007FF79F444000-memory.dmp	xmrig
behavioral2/memory/5028-42-0x00007FF716880000-0x00007FF716BD4000-memory.dmp	xmrig
behavioral2/files/0x00070000000235d8-36.dat	xmrig
behavioral2/memory/3420-45-0x00007FF752490000-0x00007FF7527E4000-memory.dmp	xmrig
behavioral2/files/0x00070000000235da-48.dat	xmrig
behavioral2/memory/4552-52-0x00007FF7A8D00000-0x00007FF7A9054000-memory.dmp	xmrig
behavioral2/files/0x00070000000235db-55.dat	xmrig
behavioral2/files/0x00070000000235dc-60.dat	xmrig
behavioral2/memory/1644-62-0x00007FF6AF700000-0x00007FF6AFA54000-memory.dmp	xmrig
behavioral2/files/0x00070000000235dd-67.dat	xmrig
behavioral2/memory/4156-69-0x00007FF68C170000-0x00007FF68C4C4000-memory.dmp	xmrig
behavioral2/files/0x00070000000235de-71.dat	xmrig
behavioral2/memory/4180-74-0x00007FF609D40000-0x00007FF60A094000-memory.dmp	xmrig
behavioral2/memory/2548-73-0x00007FF7BE730000-0x00007FF7BEA84000-memory.dmp	xmrig
behavioral2/memory/1960-63-0x00007FF6596E0000-0x00007FF659A34000-memory.dmp	xmrig
behavioral2/memory/4232-56-0x00007FF65DFC0000-0x00007FF65E314000-memory.dmp	xmrig
behavioral2/memory/2380-50-0x00007FF626BE0000-0x00007FF626F34000-memory.dmp	xmrig
behavioral2/files/0x00070000000235df-81.dat	xmrig
behavioral2/files/0x00070000000235e1-88.dat	xmrig
behavioral2/memory/1448-89-0x00007FF79F0F0000-0x00007FF79F444000-memory.dmp	xmrig
behavioral2/memory/1740-92-0x00007FF6DACD0000-0x00007FF6DB024000-memory.dmp	xmrig
behavioral2/memory/4840-83-0x00007FF6C9860000-0x00007FF6C9BB4000-memory.dmp	xmrig
behavioral2/memory/1056-82-0x00007FF7FB3B0000-0x00007FF7FB704000-memory.dmp	xmrig
behavioral2/memory/5028-93-0x00007FF716880000-0x00007FF716BD4000-memory.dmp	xmrig
behavioral2/files/0x00070000000235e2-96.dat	xmrig
behavioral2/memory/4700-97-0x00007FF625EB0000-0x00007FF626204000-memory.dmp	xmrig
behavioral2/files/0x00070000000235e4-102.dat	xmrig
behavioral2/memory/3508-105-0x00007FF6DB410000-0x00007FF6DB764000-memory.dmp	xmrig
behavioral2/files/0x00070000000235e7-114.dat	xmrig
behavioral2/files/0x00070000000235e8-120.dat	xmrig
behavioral2/files/0x00070000000235e9-127.dat	xmrig
behavioral2/files/0x00070000000235e6-126.dat	xmrig
behavioral2/files/0x00070000000235e5-122.dat	xmrig
behavioral2/memory/4232-117-0x00007FF65DFC0000-0x00007FF65E314000-memory.dmp	xmrig
behavioral2/memory/4320-118-0x00007FF632A20000-0x00007FF632D74000-memory.dmp	xmrig
behavioral2/memory/3872-132-0x00007FF6CE660000-0x00007FF6CE9B4000-memory.dmp	xmrig
behavioral2/memory/4024-134-0x00007FF6E80F0000-0x00007FF6E8444000-memory.dmp	xmrig
behavioral2/memory/1960-135-0x00007FF6596E0000-0x00007FF659A34000-memory.dmp	xmrig
behavioral2/memory/3004-133-0x00007FF72E690000-0x00007FF72E9E4000-memory.dmp	xmrig
behavioral2/memory/220-136-0x00007FF79ED40000-0x00007FF79F094000-memory.dmp	xmrig
behavioral2/memory/4156-137-0x00007FF68C170000-0x00007FF68C4C4000-memory.dmp	xmrig
behavioral2/memory/4180-138-0x00007FF609D40000-0x00007FF60A094000-memory.dmp	xmrig
behavioral2/memory/4840-139-0x00007FF6C9860000-0x00007FF6C9BB4000-memory.dmp	xmrig
behavioral2/memory/1740-140-0x00007FF6DACD0000-0x00007FF6DB024000-memory.dmp	xmrig
behavioral2/memory/4700-141-0x00007FF625EB0000-0x00007FF626204000-memory.dmp	xmrig
behavioral2/memory/3872-142-0x00007FF6CE660000-0x00007FF6CE9B4000-memory.dmp	xmrig
behavioral2/memory/4320-143-0x00007FF632A20000-0x00007FF632D74000-memory.dmp	xmrig
behavioral2/memory/2380-144-0x00007FF626BE0000-0x00007FF626F34000-memory.dmp	xmrig
behavioral2/memory/3772-145-0x00007FF6AF4B0000-0x00007FF6AF804000-memory.dmp	xmrig
behavioral2/memory/1644-146-0x00007FF6AF700000-0x00007FF6AFA54000-memory.dmp	xmrig
behavioral2/memory/2548-147-0x00007FF7BE730000-0x00007FF7BEA84000-memory.dmp	xmrig
behavioral2/memory/1056-148-0x00007FF7FB3B0000-0x00007FF7FB704000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2380	BilCFOz.exe
3772	EClycsy.exe
1644	shHHJGq.exe
2548	KKQPWFu.exe
1056	eVRtsag.exe
1448	BJrmLQQ.exe
5028	wBXGIXe.exe
4552	iVyMAKN.exe
4232	tUUoasu.exe
1960	LRCfaEi.exe
4156	CJgPAEZ.exe
4180	UpwnovA.exe
4840	kIvgkte.exe
1740	JsYamst.exe
4700	JiqmYos.exe
3508	vOTGIXq.exe
4320	kersRkc.exe
3872	mEaxvki.exe
3004	MJyAhUd.exe
220	IqIhvIZ.exe
4024	MVUHffe.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3420-0-0x00007FF752490000-0x00007FF7527E4000-memory.dmp	upx
behavioral2/files/0x00070000000235d5-10.dat	upx
behavioral2/memory/2380-8-0x00007FF626BE0000-0x00007FF626F34000-memory.dmp	upx
behavioral2/memory/3772-14-0x00007FF6AF4B0000-0x00007FF6AF804000-memory.dmp	upx
behavioral2/files/0x00070000000235d6-17.dat	upx
behavioral2/memory/1644-18-0x00007FF6AF700000-0x00007FF6AFA54000-memory.dmp	upx
behavioral2/files/0x00080000000235d4-9.dat	upx
behavioral2/files/0x00070000000235d7-22.dat	upx
behavioral2/memory/2548-24-0x00007FF7BE730000-0x00007FF7BEA84000-memory.dmp	upx
behavioral2/files/0x00080000000235d2-28.dat	upx
behavioral2/memory/1056-31-0x00007FF7FB3B0000-0x00007FF7FB704000-memory.dmp	upx
behavioral2/files/0x00070000000235d9-41.dat	upx
behavioral2/memory/1448-40-0x00007FF79F0F0000-0x00007FF79F444000-memory.dmp	upx
behavioral2/memory/5028-42-0x00007FF716880000-0x00007FF716BD4000-memory.dmp	upx
behavioral2/files/0x00070000000235d8-36.dat	upx
behavioral2/memory/3420-45-0x00007FF752490000-0x00007FF7527E4000-memory.dmp	upx
behavioral2/files/0x00070000000235da-48.dat	upx
behavioral2/memory/4552-52-0x00007FF7A8D00000-0x00007FF7A9054000-memory.dmp	upx
behavioral2/files/0x00070000000235db-55.dat	upx
behavioral2/files/0x00070000000235dc-60.dat	upx
behavioral2/memory/1644-62-0x00007FF6AF700000-0x00007FF6AFA54000-memory.dmp	upx
behavioral2/files/0x00070000000235dd-67.dat	upx
behavioral2/memory/4156-69-0x00007FF68C170000-0x00007FF68C4C4000-memory.dmp	upx
behavioral2/files/0x00070000000235de-71.dat	upx
behavioral2/memory/4180-74-0x00007FF609D40000-0x00007FF60A094000-memory.dmp	upx
behavioral2/memory/2548-73-0x00007FF7BE730000-0x00007FF7BEA84000-memory.dmp	upx
behavioral2/memory/1960-63-0x00007FF6596E0000-0x00007FF659A34000-memory.dmp	upx
behavioral2/memory/4232-56-0x00007FF65DFC0000-0x00007FF65E314000-memory.dmp	upx
behavioral2/memory/2380-50-0x00007FF626BE0000-0x00007FF626F34000-memory.dmp	upx
behavioral2/files/0x00070000000235df-81.dat	upx
behavioral2/files/0x00070000000235e1-88.dat	upx
behavioral2/memory/1448-89-0x00007FF79F0F0000-0x00007FF79F444000-memory.dmp	upx
behavioral2/memory/1740-92-0x00007FF6DACD0000-0x00007FF6DB024000-memory.dmp	upx
behavioral2/memory/4840-83-0x00007FF6C9860000-0x00007FF6C9BB4000-memory.dmp	upx
behavioral2/memory/1056-82-0x00007FF7FB3B0000-0x00007FF7FB704000-memory.dmp	upx
behavioral2/memory/5028-93-0x00007FF716880000-0x00007FF716BD4000-memory.dmp	upx
behavioral2/files/0x00070000000235e2-96.dat	upx
behavioral2/memory/4700-97-0x00007FF625EB0000-0x00007FF626204000-memory.dmp	upx
behavioral2/files/0x00070000000235e4-102.dat	upx
behavioral2/memory/3508-105-0x00007FF6DB410000-0x00007FF6DB764000-memory.dmp	upx
behavioral2/files/0x00070000000235e7-114.dat	upx
behavioral2/files/0x00070000000235e8-120.dat	upx
behavioral2/files/0x00070000000235e9-127.dat	upx
behavioral2/files/0x00070000000235e6-126.dat	upx
behavioral2/files/0x00070000000235e5-122.dat	upx
behavioral2/memory/4232-117-0x00007FF65DFC0000-0x00007FF65E314000-memory.dmp	upx
behavioral2/memory/4320-118-0x00007FF632A20000-0x00007FF632D74000-memory.dmp	upx
behavioral2/memory/3872-132-0x00007FF6CE660000-0x00007FF6CE9B4000-memory.dmp	upx
behavioral2/memory/4024-134-0x00007FF6E80F0000-0x00007FF6E8444000-memory.dmp	upx
behavioral2/memory/1960-135-0x00007FF6596E0000-0x00007FF659A34000-memory.dmp	upx
behavioral2/memory/3004-133-0x00007FF72E690000-0x00007FF72E9E4000-memory.dmp	upx
behavioral2/memory/220-136-0x00007FF79ED40000-0x00007FF79F094000-memory.dmp	upx
behavioral2/memory/4156-137-0x00007FF68C170000-0x00007FF68C4C4000-memory.dmp	upx
behavioral2/memory/4180-138-0x00007FF609D40000-0x00007FF60A094000-memory.dmp	upx
behavioral2/memory/4840-139-0x00007FF6C9860000-0x00007FF6C9BB4000-memory.dmp	upx
behavioral2/memory/1740-140-0x00007FF6DACD0000-0x00007FF6DB024000-memory.dmp	upx
behavioral2/memory/4700-141-0x00007FF625EB0000-0x00007FF626204000-memory.dmp	upx
behavioral2/memory/3872-142-0x00007FF6CE660000-0x00007FF6CE9B4000-memory.dmp	upx
behavioral2/memory/4320-143-0x00007FF632A20000-0x00007FF632D74000-memory.dmp	upx
behavioral2/memory/2380-144-0x00007FF626BE0000-0x00007FF626F34000-memory.dmp	upx
behavioral2/memory/3772-145-0x00007FF6AF4B0000-0x00007FF6AF804000-memory.dmp	upx
behavioral2/memory/1644-146-0x00007FF6AF700000-0x00007FF6AFA54000-memory.dmp	upx
behavioral2/memory/2548-147-0x00007FF7BE730000-0x00007FF7BEA84000-memory.dmp	upx
behavioral2/memory/1056-148-0x00007FF7FB3B0000-0x00007FF7FB704000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\LRCfaEi.exe	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UpwnovA.exe	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JsYamst.exe	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vOTGIXq.exe	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iVyMAKN.exe	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EClycsy.exe	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\shHHJGq.exe	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KKQPWFu.exe	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mEaxvki.exe	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BilCFOz.exe	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kIvgkte.exe	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kersRkc.exe	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MJyAhUd.exe	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MVUHffe.exe	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CJgPAEZ.exe	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BJrmLQQ.exe	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wBXGIXe.exe	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tUUoasu.exe	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JiqmYos.exe	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IqIhvIZ.exe	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eVRtsag.exe	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 2380	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3420 wrote to memory of 2380	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3420 wrote to memory of 3772	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3420 wrote to memory of 3772	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3420 wrote to memory of 1644	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3420 wrote to memory of 1644	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3420 wrote to memory of 2548	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3420 wrote to memory of 2548	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3420 wrote to memory of 1056	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3420 wrote to memory of 1056	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3420 wrote to memory of 1448	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3420 wrote to memory of 1448	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3420 wrote to memory of 5028	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3420 wrote to memory of 5028	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3420 wrote to memory of 4552	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3420 wrote to memory of 4552	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3420 wrote to memory of 4232	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3420 wrote to memory of 4232	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3420 wrote to memory of 1960	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3420 wrote to memory of 1960	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3420 wrote to memory of 4156	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3420 wrote to memory of 4156	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3420 wrote to memory of 4180	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3420 wrote to memory of 4180	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3420 wrote to memory of 4840	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3420 wrote to memory of 4840	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3420 wrote to memory of 1740	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3420 wrote to memory of 1740	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3420 wrote to memory of 4700	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3420 wrote to memory of 4700	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3420 wrote to memory of 3508	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3420 wrote to memory of 3508	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3420 wrote to memory of 4320	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 3420 wrote to memory of 4320	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 3420 wrote to memory of 3872	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 3420 wrote to memory of 3872	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 3420 wrote to memory of 3004	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 3420 wrote to memory of 3004	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 3420 wrote to memory of 220	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 3420 wrote to memory of 220	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 3420 wrote to memory of 4024	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 3420 wrote to memory of 4024	3420	2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-25_3efa1d5f2b80db6cc8cd441f2a79ceaa_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Windows\System\BilCFOz.exe
  C:\Windows\System\BilCFOz.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\EClycsy.exe
  C:\Windows\System\EClycsy.exe
  2⤵
  - Executes dropped EXE
  PID:3772
- C:\Windows\System\shHHJGq.exe
  C:\Windows\System\shHHJGq.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\KKQPWFu.exe
  C:\Windows\System\KKQPWFu.exe
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\Windows\System\eVRtsag.exe
  C:\Windows\System\eVRtsag.exe
  2⤵
  - Executes dropped EXE
  PID:1056
- C:\Windows\System\BJrmLQQ.exe
  C:\Windows\System\BJrmLQQ.exe
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\System\wBXGIXe.exe
  C:\Windows\System\wBXGIXe.exe
  2⤵
  - Executes dropped EXE
  PID:5028
- C:\Windows\System\iVyMAKN.exe
  C:\Windows\System\iVyMAKN.exe
  2⤵
  - Executes dropped EXE
  PID:4552
- C:\Windows\System\tUUoasu.exe
  C:\Windows\System\tUUoasu.exe
  2⤵
  - Executes dropped EXE
  PID:4232
- C:\Windows\System\LRCfaEi.exe
  C:\Windows\System\LRCfaEi.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System\CJgPAEZ.exe
  C:\Windows\System\CJgPAEZ.exe
  2⤵
  - Executes dropped EXE
  PID:4156
- C:\Windows\System\UpwnovA.exe
  C:\Windows\System\UpwnovA.exe
  2⤵
  - Executes dropped EXE
  PID:4180
- C:\Windows\System\kIvgkte.exe
  C:\Windows\System\kIvgkte.exe
  2⤵
  - Executes dropped EXE
  PID:4840
- C:\Windows\System\JsYamst.exe
  C:\Windows\System\JsYamst.exe
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\Windows\System\JiqmYos.exe
  C:\Windows\System\JiqmYos.exe
  2⤵
  - Executes dropped EXE
  PID:4700
- C:\Windows\System\vOTGIXq.exe
  C:\Windows\System\vOTGIXq.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System\kersRkc.exe
  C:\Windows\System\kersRkc.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System\mEaxvki.exe
  C:\Windows\System\mEaxvki.exe
  2⤵
  - Executes dropped EXE
  PID:3872
- C:\Windows\System\MJyAhUd.exe
  C:\Windows\System\MJyAhUd.exe
  2⤵
  - Executes dropped EXE
  PID:3004
- C:\Windows\System\IqIhvIZ.exe
  C:\Windows\System\IqIhvIZ.exe
  2⤵
  - Executes dropped EXE
  PID:220
- C:\Windows\System\MVUHffe.exe
  C:\Windows\System\MVUHffe.exe
  2⤵
  - Executes dropped EXE
  PID:4024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4336,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=3884 /prefetch:8
1⤵
PID:4456

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BJrmLQQ.exe

Filesize
5.9MB

MD5
eb91e953a392b2fe43ffc470d065ea44

SHA1
0cb3b4545ab5bdd1f35f950f7fb980f98fa79297

SHA256
ce249dbc3ebe4a6755d0c7efb90071a40964d9d734c5ffe1841c4f91ec9c2c31

SHA512
3f5b8307353c6df4162b5ac35e681c762081eef627106076f41457a27514eaa885155128e0bdf6619a015765004433a339738c7b14dec96dc649871713c54924

Download Submit
C:\Windows\System\BilCFOz.exe

Filesize
5.9MB

MD5
39ac259f72df33db4e5c6c3cd86f6c4a

SHA1
28c1888af7cc1f9ce971de58c377669a3a32366e

SHA256
b182dd6fca1e06c5976c24ae7eb0c03eac9a12cc2ea26ab75b53699dbc16b057

SHA512
2b392fab858acf9f81e8242a80b518c8e095853179427dae9f9a4c86e9c2dfe4f38171341fa68bc4920d683064ba7faa75b04f80009686e8d718774df60ff19c

Download Submit
C:\Windows\System\CJgPAEZ.exe

Filesize
5.9MB

MD5
edd5b90a644d2e783261a6a6947540d3

SHA1
0c387091d31658383e72ad907e548c20e55cbf2f

SHA256
ad821c1c14e4fe263d4007362efb3aaf4813714376b6f1094b7784a94bbd2ca9

SHA512
887d4571bcd6c0ee7ad3d0041c24a057d9ba43b5d064bd2bcdd27ef82818d5f08dfcb4e7add35055519d9137e7478964f7e358904da7f532f9882c44d3c06da4

Download Submit
C:\Windows\System\EClycsy.exe

Filesize
5.9MB

MD5
cfc3bf02500bdc34407897c9a80f6a02

SHA1
f1b67e1168ddf9d1fe9138269e2455b8d89eed52

SHA256
ae510b42ec7ba58f9475830005ffdd87a3ec94ac4b28ebb46f5bee7aa741a3d2

SHA512
0e7ec573727efb1cb21743b96a51171d85ed8a07a2503a8c45c2e3d85e95eb384c486d7ff3135744c276aac60873ff2111226136b88b1390b29a0dd2215226a5

Download Submit
C:\Windows\System\IqIhvIZ.exe

Filesize
5.9MB

MD5
99e32d3b3289245df632c141fa8e7fa8

SHA1
ec7d2870810a8a2b112f81c4714afa9b9606dc01

SHA256
2759c19dd9c317c111fdf563b4c7f576448de1c033b5b739f85c70692bbe9ebb

SHA512
8b1895d8e418c7297e6f48619444ba9b6282578caa1a79499ea49e188854ce56cbde8cb07cd4698e30c104f0dbaf81ee9f6638896bf0a11b0589d241b8d322b4

Download Submit
C:\Windows\System\JiqmYos.exe

Filesize
5.9MB

MD5
f39ae3736d89a6dcc732e95b05dd6426

SHA1
a59f6fc7aa48d3ee538f64f044ecded6527b2bd3

SHA256
2145ff6cf2e404c03244c9b2546a1141398476bf2e50254f64715759a114f19d

SHA512
61255020cbe0b2ac1ccde8f5d8b55e137317972a7dba4c86e5b786156797f6ce4dd45470db8e5ac8b97c3b18cae5ac47faefaaed729f401f32c677b5646511d1

Download Submit
C:\Windows\System\JsYamst.exe

Filesize
5.9MB

MD5
88356719cb7c402ac49e30e146fd1f65

SHA1
f4414ca839bfa6b82eb71a11c0fc8a093702b775

SHA256
fbbec743114f17b6611e5db7e57f452e9944fc6ecc2496155793f980f1af3f5f

SHA512
c6900d22f6805ae78f42041edb32efd3b23506782cd61ac8b8ad86d005926ac4d7c54915d00ef4c02a0b7ff4410dc7f1b7c497a4a875cdec973576dc1ef29886

Download Submit
C:\Windows\System\KKQPWFu.exe

Filesize
5.9MB

MD5
5b9b10731d8780d9d0dd8ca52f537565

SHA1
21560dcd9ad62f2d2bcdaab5a90de9c079551bda

SHA256
1666b40e801e16468821a0c0290dd6de903bda90243c059467b4a26ed330489d

SHA512
71ca502c455914d477e32ed035ff05e4c58a982d24003af8673ee92754ed2c168d7fea221d28e33dcfb3fede985e9f0387428ef78df24148393a600c04847857

Download Submit
C:\Windows\System\LRCfaEi.exe

Filesize
5.9MB

MD5
8b1bb052adb908a14cbda5ac502a79d4

SHA1
a8cbbc6550f2deec86094e202c4497a5e00812de

SHA256
387f66680571a157b3bafba494497a0ac351c30f37008f603bdd1c2687de4ba2

SHA512
ddb7fdf264b99dc5ccb29b242fa76d9d2100351a91d054cf5d119965750b43a7a9a47350326dec47ea2672f22fa51024ad6d420f9ae6ede202ba4d65e33fea1d

Download Submit
C:\Windows\System\MJyAhUd.exe

Filesize
5.9MB

MD5
647d7db88a8272ef26988e6de04da52d

SHA1
1740bb9e2ea47521ed1beddea246db7c98f92ff2

SHA256
978e1f7ccbe4efced5dd642efec3a1a9650f35583a860b498403b6f2c064f1b5

SHA512
3e5b6f9db2ca09fdef46f8dcd0c3fad75cfd6b0caec3af89a7ddd8c0985e9845c8381ba0af9671fcc8517b9df52033a209ae5b3fb2bd02adb10070b24feac6f3

Download Submit
C:\Windows\System\MVUHffe.exe

Filesize
5.9MB

MD5
50a471f507a2ff811206d2cbe8a2606c

SHA1
fff595926f56eda226e7b284c407a6c16d86cd16

SHA256
8d7586cd3e6e3a3aceba3f530e5f20213d7a6bff2fe64fd7802326fd9721135b

SHA512
0241184ca99a17e3bd3feb305950a17afee2e0a71fafca210193d9c8d19d5684d174c00f0a27bf4a56c1234c19887f2876b87973d9a250fda0ff56b9d6cd883d

Download Submit
C:\Windows\System\UpwnovA.exe

Filesize
5.9MB

MD5
512d5425adcc290028ff65b41e59c707

SHA1
e029c1e1a5c178cd7d2d142b9968ad7e06817920

SHA256
13e557fdacb96eb4c71d1c904cb9c78387aabd7d875e5b4eafb3281292d73ea3

SHA512
4ebf9115b1ea7085f139c88fc5fb2c7fd7a146df14a1e01680fca435c73e439253e243000f83255e16a1eb217d4da7e8f52b23fcfaac539f1bcd4dfd3a4479e6

Download Submit
C:\Windows\System\eVRtsag.exe

Filesize
5.9MB

MD5
e39197de5133ad75baf63400d83a2e45

SHA1
b42bb91aa3c4a77877f422df5556c92405d97202

SHA256
9b212b62c485c965de3092c6ed335d3beeaac57a89b68da96bd16fbea4aeb909

SHA512
538f34767bd66d323f43f83117c79136fd071c563abd47d651dcc9a8b8754e4637512da3e8b9a7c2c62a50735a7e105ff84def09d56eaac37ae03061438e6dd5

Download Submit
C:\Windows\System\iVyMAKN.exe

Filesize
5.9MB

MD5
a26983a82cdaff60c9891c81726a01c4

SHA1
e52896d1dcbfabf96b54a3242e23a35c6faa4d4e

SHA256
11e2e28a4ccac06ed1e087b057d60a54dfdc97171a0d16253ecf8a8ecc44f1a1

SHA512
f349e111c7ec420ac7cea03a1d4584146b1ce73dd6b774dbcd9ab2e73a4eba988ef52b220ebc935e5c11354abf90f0b1a4fbda91485ee68e873a21d146394d87

Download Submit
C:\Windows\System\kIvgkte.exe

Filesize
5.9MB

MD5
ebfa599476e104bab3d2456d4d7f8669

SHA1
e85e9a00b641d2914a762e5334f6ec2a160056f4

SHA256
235571249f1013e6daee6fb0faf7df8571db1e4f7f05f46c82724a1ea15262c8

SHA512
648af59ec1a1f9f71c2cfedb59a5d2267c554c10c13bacc708d6d9727914ba04d7b34272cd0937135cf2fb44404e92a127f67ee5251684b489f58b1a57ba5152

Download Submit
C:\Windows\System\kersRkc.exe

Filesize
5.9MB

MD5
f1e169c8eabc484e5d3dde7e506f1da5

SHA1
6e5c59377ba30f6ef63da56dfe082028186b6d41

SHA256
27cf0292c74f3bfb8f7b6e7f3f6c71fae65ebc6639cdd0319eadbfc758b7026c

SHA512
944b7b92d26fe4c8d18079620464d3517e935c4cb0969326058c19a398ed262fd0db8e77289fae2713ff37df9c134b476ecb276a97d7df781c17388c58becec7

Download Submit
C:\Windows\System\mEaxvki.exe

Filesize
5.9MB

MD5
a940b59c62bc446ac2dbac60f5da7df6

SHA1
78f009008f412efd1fc7ae0567594ff182ee2c63

SHA256
3b2138142404ffd063edb06a0ee838434c5f54c8b66eaa44bb89bbaede289505

SHA512
9e12e546ad00141164324de20357bc51b9ca71489ff3ab30515eeeea216660f3894cdfd0a5322cd8e6616f53c55ab0ae5eb07a196abdd319a35cf86b3d3f60a2

Download Submit
C:\Windows\System\shHHJGq.exe

Filesize
5.9MB

MD5
9ba244f7835c581739856ac0af656605

SHA1
77c1b680c344881c6c5bd6adac5b2525b2d8b21f

SHA256
bbecac270169a51ff2aa3d2a6951ad1a7c0b951f09ba069036d19b3a14c02071

SHA512
4e1fe0d20b656f51e1486e97d87f39051e5024d876c9dcbe0ca6f57c113b96f95da59da34ab2a325bfbf2cf928c7bff3cf50eedb4086fa696d0811dba5b28ac8

Download Submit
C:\Windows\System\tUUoasu.exe

Filesize
5.9MB

MD5
a63eb82503f9c46a48871ca93d596bb3

SHA1
eebdde86f5888973e6962465466d126919ab9000

SHA256
b53a2192765817cbb37c6ac5b3924793412c1445b51a06d86efd02fa813c690d

SHA512
6abada4f8c9fb86282fd57295719a8e86f798863fd0245297b60a093e46fa899c7cd7097880fc381d08e75ff3a8a2f9b7a4595e85979f9b879e0bf30c996ba0c

Download Submit
C:\Windows\System\vOTGIXq.exe

Filesize
5.9MB

MD5
bfc69813d1fd01fc4c89cf2b7dcf0b26

SHA1
0b2b0b7a9f09ce019962b36b4f7b403a23fe0f63

SHA256
2e2566767859249cdca259262eb8e0f7132b6ec4618c8d67308aec9e2ea021c0

SHA512
df9e8795c8027871683e1b8ad7b47cf488d5d1df363ef08149fa70373ba2b305fda21ace375efe921edc19dde3ceddc8e231978e922eb32e8f82cf9449c2a785

Download Submit
C:\Windows\System\wBXGIXe.exe

Filesize
5.9MB

MD5
45e2eb700e384eb782293f73f2fc8d23

SHA1
85f42b532b61ce5577f1f3466fdf2001a7f3d73f

SHA256
a221a9600d356e11cb68cafdf4cc956342830dc8a3b97281eac2e5d026e66641

SHA512
2142684b3e58692a8a1197752917f95e8c7b72322c8e96b8608d85f8e7a1b1278b2fa105e7a9dfc8399c0ab2716c172855fb81742f39baaee4b6e0a1ad9e7a72

Download Submit
memory/220-160-0x00007FF79ED40000-0x00007FF79F094000-memory.dmp

Filesize
3.3MB

Download
memory/220-136-0x00007FF79ED40000-0x00007FF79F094000-memory.dmp

Filesize
3.3MB

Download
memory/1056-148-0x00007FF7FB3B0000-0x00007FF7FB704000-memory.dmp

Filesize
3.3MB

Download
memory/1056-31-0x00007FF7FB3B0000-0x00007FF7FB704000-memory.dmp

Filesize
3.3MB

Download
memory/1056-82-0x00007FF7FB3B0000-0x00007FF7FB704000-memory.dmp

Filesize
3.3MB

Download
memory/1448-89-0x00007FF79F0F0000-0x00007FF79F444000-memory.dmp

Filesize
3.3MB

Download
memory/1448-40-0x00007FF79F0F0000-0x00007FF79F444000-memory.dmp

Filesize
3.3MB

Download
memory/1448-149-0x00007FF79F0F0000-0x00007FF79F444000-memory.dmp

Filesize
3.3MB

Download
memory/1644-18-0x00007FF6AF700000-0x00007FF6AFA54000-memory.dmp

Filesize
3.3MB

Download
memory/1644-146-0x00007FF6AF700000-0x00007FF6AFA54000-memory.dmp

Filesize
3.3MB

Download
memory/1644-62-0x00007FF6AF700000-0x00007FF6AFA54000-memory.dmp

Filesize
3.3MB

Download
memory/1740-140-0x00007FF6DACD0000-0x00007FF6DB024000-memory.dmp

Filesize
3.3MB

Download
memory/1740-92-0x00007FF6DACD0000-0x00007FF6DB024000-memory.dmp

Filesize
3.3MB

Download
memory/1740-157-0x00007FF6DACD0000-0x00007FF6DB024000-memory.dmp

Filesize
3.3MB

Download
memory/1960-63-0x00007FF6596E0000-0x00007FF659A34000-memory.dmp

Filesize
3.3MB

Download
memory/1960-135-0x00007FF6596E0000-0x00007FF659A34000-memory.dmp

Filesize
3.3MB

Download
memory/1960-153-0x00007FF6596E0000-0x00007FF659A34000-memory.dmp

Filesize
3.3MB

Download
memory/2380-144-0x00007FF626BE0000-0x00007FF626F34000-memory.dmp

Filesize
3.3MB

Download
memory/2380-8-0x00007FF626BE0000-0x00007FF626F34000-memory.dmp

Filesize
3.3MB

Download
memory/2380-50-0x00007FF626BE0000-0x00007FF626F34000-memory.dmp

Filesize
3.3MB

Download
memory/2548-147-0x00007FF7BE730000-0x00007FF7BEA84000-memory.dmp

Filesize
3.3MB

Download
memory/2548-24-0x00007FF7BE730000-0x00007FF7BEA84000-memory.dmp

Filesize
3.3MB

Download
memory/2548-73-0x00007FF7BE730000-0x00007FF7BEA84000-memory.dmp

Filesize
3.3MB

Download
memory/3004-133-0x00007FF72E690000-0x00007FF72E9E4000-memory.dmp

Filesize
3.3MB

Download
memory/3004-164-0x00007FF72E690000-0x00007FF72E9E4000-memory.dmp

Filesize
3.3MB

Download
memory/3420-0-0x00007FF752490000-0x00007FF7527E4000-memory.dmp

Filesize
3.3MB

Download
memory/3420-45-0x00007FF752490000-0x00007FF7527E4000-memory.dmp

Filesize
3.3MB

Download
memory/3420-1-0x00000276F78A0000-0x00000276F78B0000-memory.dmp

Filesize
64KB

Download
memory/3508-159-0x00007FF6DB410000-0x00007FF6DB764000-memory.dmp

Filesize
3.3MB

Download
memory/3508-105-0x00007FF6DB410000-0x00007FF6DB764000-memory.dmp

Filesize
3.3MB

Download
memory/3772-14-0x00007FF6AF4B0000-0x00007FF6AF804000-memory.dmp

Filesize
3.3MB

Download
memory/3772-145-0x00007FF6AF4B0000-0x00007FF6AF804000-memory.dmp

Filesize
3.3MB

Download
memory/3872-163-0x00007FF6CE660000-0x00007FF6CE9B4000-memory.dmp

Filesize
3.3MB

Download
memory/3872-132-0x00007FF6CE660000-0x00007FF6CE9B4000-memory.dmp

Filesize
3.3MB

Download
memory/3872-142-0x00007FF6CE660000-0x00007FF6CE9B4000-memory.dmp

Filesize
3.3MB

Download
memory/4024-162-0x00007FF6E80F0000-0x00007FF6E8444000-memory.dmp

Filesize
3.3MB

Download
memory/4024-134-0x00007FF6E80F0000-0x00007FF6E8444000-memory.dmp

Filesize
3.3MB

Download
memory/4156-137-0x00007FF68C170000-0x00007FF68C4C4000-memory.dmp

Filesize
3.3MB

Download
memory/4156-69-0x00007FF68C170000-0x00007FF68C4C4000-memory.dmp

Filesize
3.3MB

Download
memory/4156-154-0x00007FF68C170000-0x00007FF68C4C4000-memory.dmp

Filesize
3.3MB

Download
memory/4180-74-0x00007FF609D40000-0x00007FF60A094000-memory.dmp

Filesize
3.3MB

Download
memory/4180-155-0x00007FF609D40000-0x00007FF60A094000-memory.dmp

Filesize
3.3MB

Download
memory/4180-138-0x00007FF609D40000-0x00007FF60A094000-memory.dmp

Filesize
3.3MB

Download
memory/4232-152-0x00007FF65DFC0000-0x00007FF65E314000-memory.dmp

Filesize
3.3MB

Download
memory/4232-56-0x00007FF65DFC0000-0x00007FF65E314000-memory.dmp

Filesize
3.3MB

Download
memory/4232-117-0x00007FF65DFC0000-0x00007FF65E314000-memory.dmp

Filesize
3.3MB

Download
memory/4320-161-0x00007FF632A20000-0x00007FF632D74000-memory.dmp

Filesize
3.3MB

Download
memory/4320-118-0x00007FF632A20000-0x00007FF632D74000-memory.dmp

Filesize
3.3MB

Download
memory/4320-143-0x00007FF632A20000-0x00007FF632D74000-memory.dmp

Filesize
3.3MB

Download
memory/4552-151-0x00007FF7A8D00000-0x00007FF7A9054000-memory.dmp

Filesize
3.3MB

Download
memory/4552-52-0x00007FF7A8D00000-0x00007FF7A9054000-memory.dmp

Filesize
3.3MB

Download
memory/4700-141-0x00007FF625EB0000-0x00007FF626204000-memory.dmp

Filesize
3.3MB

Download
memory/4700-97-0x00007FF625EB0000-0x00007FF626204000-memory.dmp

Filesize
3.3MB

Download
memory/4700-158-0x00007FF625EB0000-0x00007FF626204000-memory.dmp

Filesize
3.3MB

Download
memory/4840-83-0x00007FF6C9860000-0x00007FF6C9BB4000-memory.dmp

Filesize
3.3MB

Download
memory/4840-156-0x00007FF6C9860000-0x00007FF6C9BB4000-memory.dmp

Filesize
3.3MB

Download
memory/4840-139-0x00007FF6C9860000-0x00007FF6C9BB4000-memory.dmp

Filesize
3.3MB

Download
memory/5028-42-0x00007FF716880000-0x00007FF716BD4000-memory.dmp

Filesize
3.3MB

Download
memory/5028-150-0x00007FF716880000-0x00007FF716BD4000-memory.dmp

Filesize
3.3MB

Download
memory/5028-93-0x00007FF716880000-0x00007FF716BD4000-memory.dmp

Filesize
3.3MB

Download