cobaltstrike | b5d3be6cba78aee7ba3df63bfb8b2c6a84024c2718969866e9061ce58e54616a

Analysis

max time kernel
141s
max time network
148s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

bcf1415bacf01105d7ddad34bc6b69d1
SHA1

0084f4c8996a69b7eea02abb74f49c4d9b41863c
SHA256

b5d3be6cba78aee7ba3df63bfb8b2c6a84024c2718969866e9061ce58e54616a
SHA512

0540bbd2a39debffc8aa5da0a1e6a1af383f7912f2e5306750dc0e6ebab2070ea32c58b44c29e11625107a660f8a0ee526b869527294db75bf42329a70c93c49
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l8:RWWBibd56utgpPFotBER/mQ32lUo

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000b00000001225c-6.dat	cobalt_reflective_dll
behavioral1/files/0x000900000001660b-12.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016ace-16.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016c10-21.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016fc9-40.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016c23-33.dat	cobalt_reflective_dll
behavioral1/files/0x0002000000018334-45.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019480-49.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019489-52.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019515-89.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019547-94.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001957c-99.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195a7-104.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000195a9-109.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001950f-84.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194eb-71.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019490-65.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194ef-77.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194a3-68.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001948c-59.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016c1a-30.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 41 IoCs

miner

resource	yara_rule
behavioral1/memory/2756-19-0x000000013FB30000-0x000000013FE81000-memory.dmp	xmrig
behavioral1/memory/2448-20-0x000000013F8E0000-0x000000013FC31000-memory.dmp	xmrig
behavioral1/memory/2656-112-0x000000013FE70000-0x00000001401C1000-memory.dmp	xmrig
behavioral1/memory/2208-115-0x000000013F970000-0x000000013FCC1000-memory.dmp	xmrig
behavioral1/memory/2852-114-0x000000013F890000-0x000000013FBE1000-memory.dmp	xmrig
behavioral1/memory/2828-116-0x000000013F970000-0x000000013FCC1000-memory.dmp	xmrig
behavioral1/memory/1160-118-0x000000013F730000-0x000000013FA81000-memory.dmp	xmrig
behavioral1/memory/2488-120-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	xmrig
behavioral1/memory/2664-122-0x000000013FE10000-0x0000000140161000-memory.dmp	xmrig
behavioral1/memory/108-133-0x000000013FFE0000-0x0000000140331000-memory.dmp	xmrig
behavioral1/memory/2712-130-0x000000013F300000-0x000000013F651000-memory.dmp	xmrig
behavioral1/memory/2216-128-0x000000013FF40000-0x0000000140291000-memory.dmp	xmrig
behavioral1/memory/2208-127-0x0000000002160000-0x00000000024B1000-memory.dmp	xmrig
behavioral1/memory/2208-135-0x000000013FE00000-0x0000000140151000-memory.dmp	xmrig
behavioral1/memory/1848-126-0x000000013FF80000-0x00000001402D1000-memory.dmp	xmrig
behavioral1/memory/2724-124-0x000000013F7B0000-0x000000013FB01000-memory.dmp	xmrig
behavioral1/memory/2480-137-0x000000013F550000-0x000000013F8A1000-memory.dmp	xmrig
behavioral1/memory/2208-121-0x0000000002160000-0x00000000024B1000-memory.dmp	xmrig
behavioral1/memory/2992-154-0x000000013F680000-0x000000013F9D1000-memory.dmp	xmrig
behavioral1/memory/2460-155-0x000000013FB50000-0x000000013FEA1000-memory.dmp	xmrig
behavioral1/memory/2964-153-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/2360-152-0x000000013F3F0000-0x000000013F741000-memory.dmp	xmrig
behavioral1/memory/2580-151-0x000000013FCA0000-0x000000013FFF1000-memory.dmp	xmrig
behavioral1/memory/2380-149-0x000000013FCF0000-0x0000000140041000-memory.dmp	xmrig
behavioral1/memory/2920-156-0x000000013F110000-0x000000013F461000-memory.dmp	xmrig
behavioral1/memory/2208-157-0x000000013FE00000-0x0000000140151000-memory.dmp	xmrig
behavioral1/memory/2208-159-0x000000013FE00000-0x0000000140151000-memory.dmp	xmrig
behavioral1/memory/2448-209-0x000000013F8E0000-0x000000013FC31000-memory.dmp	xmrig
behavioral1/memory/2756-211-0x000000013FB30000-0x000000013FE81000-memory.dmp	xmrig
behavioral1/memory/2656-218-0x000000013FE70000-0x00000001401C1000-memory.dmp	xmrig
behavioral1/memory/2480-222-0x000000013F550000-0x000000013F8A1000-memory.dmp	xmrig
behavioral1/memory/1160-230-0x000000013F730000-0x000000013FA81000-memory.dmp	xmrig
behavioral1/memory/2852-228-0x000000013F890000-0x000000013FBE1000-memory.dmp	xmrig
behavioral1/memory/2828-226-0x000000013F970000-0x000000013FCC1000-memory.dmp	xmrig
behavioral1/memory/2488-234-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	xmrig
behavioral1/memory/2664-233-0x000000013FE10000-0x0000000140161000-memory.dmp	xmrig
behavioral1/memory/2724-236-0x000000013F7B0000-0x000000013FB01000-memory.dmp	xmrig
behavioral1/memory/1848-238-0x000000013FF80000-0x00000001402D1000-memory.dmp	xmrig
behavioral1/memory/2712-241-0x000000013F300000-0x000000013F651000-memory.dmp	xmrig
behavioral1/memory/2216-246-0x000000013FF40000-0x0000000140291000-memory.dmp	xmrig
behavioral1/memory/108-255-0x000000013FFE0000-0x0000000140331000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2448	bEcfXeR.exe
2480	HYHmKHb.exe
2756	CCNcfEA.exe
2656	SEhdVco.exe
2852	FGqIPkj.exe
2828	wKfJqkA.exe
1160	zIMbDgp.exe
2488	UUdwsdh.exe
2664	tHJzUSO.exe
2724	BHlYABo.exe
1848	PdEHQPf.exe
2216	tVsRmUj.exe
2712	KYyqeKj.exe
108	yHmVkcF.exe
2380	ZmESdcM.exe
2580	QNVWsnb.exe
2360	RwggbvE.exe
2964	BBLteiz.exe
2992	sOxfcvR.exe
2460	bCAyVEF.exe
2920	UUrKlEt.exe

Loads dropped DLL 21 IoCs

pid	Process
2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 61 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2208-0-0x000000013FE00000-0x0000000140151000-memory.dmp	upx
behavioral1/files/0x000b00000001225c-6.dat	upx
behavioral1/files/0x000900000001660b-12.dat	upx
behavioral1/files/0x0008000000016ace-16.dat	upx
behavioral1/memory/2756-19-0x000000013FB30000-0x000000013FE81000-memory.dmp	upx
behavioral1/files/0x0007000000016c10-21.dat	upx
behavioral1/files/0x0008000000016fc9-40.dat	upx
behavioral1/files/0x0007000000016c23-33.dat	upx
behavioral1/files/0x0002000000018334-45.dat	upx
behavioral1/files/0x0006000000019480-49.dat	upx
behavioral1/files/0x0005000000019489-52.dat	upx
behavioral1/files/0x0005000000019515-89.dat	upx
behavioral1/files/0x0005000000019547-94.dat	upx
behavioral1/files/0x000500000001957c-99.dat	upx
behavioral1/files/0x00050000000195a7-104.dat	upx
behavioral1/files/0x00050000000195a9-109.dat	upx
behavioral1/files/0x000500000001950f-84.dat	upx
behavioral1/files/0x00050000000194eb-71.dat	upx
behavioral1/files/0x0005000000019490-65.dat	upx
behavioral1/files/0x00050000000194ef-77.dat	upx
behavioral1/files/0x00050000000194a3-68.dat	upx
behavioral1/files/0x000500000001948c-59.dat	upx
behavioral1/files/0x0007000000016c1a-30.dat	upx
behavioral1/memory/2448-20-0x000000013F8E0000-0x000000013FC31000-memory.dmp	upx
behavioral1/memory/2480-111-0x000000013F550000-0x000000013F8A1000-memory.dmp	upx
behavioral1/memory/2656-112-0x000000013FE70000-0x00000001401C1000-memory.dmp	upx
behavioral1/memory/2852-114-0x000000013F890000-0x000000013FBE1000-memory.dmp	upx
behavioral1/memory/2828-116-0x000000013F970000-0x000000013FCC1000-memory.dmp	upx
behavioral1/memory/1160-118-0x000000013F730000-0x000000013FA81000-memory.dmp	upx
behavioral1/memory/2488-120-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	upx
behavioral1/memory/2664-122-0x000000013FE10000-0x0000000140161000-memory.dmp	upx
behavioral1/memory/108-133-0x000000013FFE0000-0x0000000140331000-memory.dmp	upx
behavioral1/memory/2712-130-0x000000013F300000-0x000000013F651000-memory.dmp	upx
behavioral1/memory/2216-128-0x000000013FF40000-0x0000000140291000-memory.dmp	upx
behavioral1/memory/2208-135-0x000000013FE00000-0x0000000140151000-memory.dmp	upx
behavioral1/memory/1848-126-0x000000013FF80000-0x00000001402D1000-memory.dmp	upx
behavioral1/memory/2724-124-0x000000013F7B0000-0x000000013FB01000-memory.dmp	upx
behavioral1/memory/2480-137-0x000000013F550000-0x000000013F8A1000-memory.dmp	upx
behavioral1/memory/2992-154-0x000000013F680000-0x000000013F9D1000-memory.dmp	upx
behavioral1/memory/2460-155-0x000000013FB50000-0x000000013FEA1000-memory.dmp	upx
behavioral1/memory/2964-153-0x000000013F8D0000-0x000000013FC21000-memory.dmp	upx
behavioral1/memory/2360-152-0x000000013F3F0000-0x000000013F741000-memory.dmp	upx
behavioral1/memory/2580-151-0x000000013FCA0000-0x000000013FFF1000-memory.dmp	upx
behavioral1/memory/2380-149-0x000000013FCF0000-0x0000000140041000-memory.dmp	upx
behavioral1/memory/2920-156-0x000000013F110000-0x000000013F461000-memory.dmp	upx
behavioral1/memory/2208-157-0x000000013FE00000-0x0000000140151000-memory.dmp	upx
behavioral1/memory/2208-159-0x000000013FE00000-0x0000000140151000-memory.dmp	upx
behavioral1/memory/2448-209-0x000000013F8E0000-0x000000013FC31000-memory.dmp	upx
behavioral1/memory/2756-211-0x000000013FB30000-0x000000013FE81000-memory.dmp	upx
behavioral1/memory/2656-218-0x000000013FE70000-0x00000001401C1000-memory.dmp	upx
behavioral1/memory/2480-222-0x000000013F550000-0x000000013F8A1000-memory.dmp	upx
behavioral1/memory/1160-230-0x000000013F730000-0x000000013FA81000-memory.dmp	upx
behavioral1/memory/2852-228-0x000000013F890000-0x000000013FBE1000-memory.dmp	upx
behavioral1/memory/2828-226-0x000000013F970000-0x000000013FCC1000-memory.dmp	upx
behavioral1/memory/2488-234-0x000000013F3A0000-0x000000013F6F1000-memory.dmp	upx
behavioral1/memory/2664-233-0x000000013FE10000-0x0000000140161000-memory.dmp	upx
behavioral1/memory/2724-236-0x000000013F7B0000-0x000000013FB01000-memory.dmp	upx
behavioral1/memory/1848-238-0x000000013FF80000-0x00000001402D1000-memory.dmp	upx
behavioral1/memory/2712-241-0x000000013F300000-0x000000013F651000-memory.dmp	upx
behavioral1/memory/2216-246-0x000000013FF40000-0x0000000140291000-memory.dmp	upx
behavioral1/memory/108-255-0x000000013FFE0000-0x0000000140331000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\bCAyVEF.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UUrKlEt.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SEhdVco.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BHlYABo.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sOxfcvR.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zIMbDgp.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wKfJqkA.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tHJzUSO.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PdEHQPf.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KYyqeKj.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yHmVkcF.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bEcfXeR.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CCNcfEA.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FGqIPkj.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QNVWsnb.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RwggbvE.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BBLteiz.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZmESdcM.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HYHmKHb.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UUdwsdh.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tVsRmUj.exe	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 2448	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2208 wrote to memory of 2448	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2208 wrote to memory of 2448	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2208 wrote to memory of 2480	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2208 wrote to memory of 2480	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2208 wrote to memory of 2480	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2208 wrote to memory of 2756	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2208 wrote to memory of 2756	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2208 wrote to memory of 2756	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2208 wrote to memory of 2656	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2208 wrote to memory of 2656	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2208 wrote to memory of 2656	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2208 wrote to memory of 2852	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2208 wrote to memory of 2852	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2208 wrote to memory of 2852	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2208 wrote to memory of 2828	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2208 wrote to memory of 2828	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2208 wrote to memory of 2828	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2208 wrote to memory of 1160	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2208 wrote to memory of 1160	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2208 wrote to memory of 1160	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2208 wrote to memory of 2488	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2208 wrote to memory of 2488	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2208 wrote to memory of 2488	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2208 wrote to memory of 2664	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2208 wrote to memory of 2664	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2208 wrote to memory of 2664	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2208 wrote to memory of 2724	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2208 wrote to memory of 2724	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2208 wrote to memory of 2724	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2208 wrote to memory of 1848	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2208 wrote to memory of 1848	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2208 wrote to memory of 1848	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2208 wrote to memory of 2216	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2208 wrote to memory of 2216	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2208 wrote to memory of 2216	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2208 wrote to memory of 2712	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2208 wrote to memory of 2712	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2208 wrote to memory of 2712	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2208 wrote to memory of 2380	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2208 wrote to memory of 2380	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2208 wrote to memory of 2380	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2208 wrote to memory of 108	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2208 wrote to memory of 108	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2208 wrote to memory of 108	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2208 wrote to memory of 2580	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2208 wrote to memory of 2580	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2208 wrote to memory of 2580	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2208 wrote to memory of 2360	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2208 wrote to memory of 2360	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2208 wrote to memory of 2360	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2208 wrote to memory of 2964	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2208 wrote to memory of 2964	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2208 wrote to memory of 2964	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2208 wrote to memory of 2992	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2208 wrote to memory of 2992	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2208 wrote to memory of 2992	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2208 wrote to memory of 2460	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2208 wrote to memory of 2460	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2208 wrote to memory of 2460	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2208 wrote to memory of 2920	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2208 wrote to memory of 2920	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2208 wrote to memory of 2920	2208	2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-19_bcf1415bacf01105d7ddad34bc6b69d1_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\System\bEcfXeR.exe
  C:\Windows\System\bEcfXeR.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System\HYHmKHb.exe
  C:\Windows\System\HYHmKHb.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System\CCNcfEA.exe
  C:\Windows\System\CCNcfEA.exe
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\Windows\System\SEhdVco.exe
  C:\Windows\System\SEhdVco.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\FGqIPkj.exe
  C:\Windows\System\FGqIPkj.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\wKfJqkA.exe
  C:\Windows\System\wKfJqkA.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System\zIMbDgp.exe
  C:\Windows\System\zIMbDgp.exe
  2⤵
  - Executes dropped EXE
  PID:1160
- C:\Windows\System\UUdwsdh.exe
  C:\Windows\System\UUdwsdh.exe
  2⤵
  - Executes dropped EXE
  PID:2488
- C:\Windows\System\tHJzUSO.exe
  C:\Windows\System\tHJzUSO.exe
  2⤵
  - Executes dropped EXE
  PID:2664
- C:\Windows\System\BHlYABo.exe
  C:\Windows\System\BHlYABo.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\PdEHQPf.exe
  C:\Windows\System\PdEHQPf.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System\tVsRmUj.exe
  C:\Windows\System\tVsRmUj.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System\KYyqeKj.exe
  C:\Windows\System\KYyqeKj.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\ZmESdcM.exe
  C:\Windows\System\ZmESdcM.exe
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\System\yHmVkcF.exe
  C:\Windows\System\yHmVkcF.exe
  2⤵
  - Executes dropped EXE
  PID:108
- C:\Windows\System\QNVWsnb.exe
  C:\Windows\System\QNVWsnb.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System\RwggbvE.exe
  C:\Windows\System\RwggbvE.exe
  2⤵
  - Executes dropped EXE
  PID:2360
- C:\Windows\System\BBLteiz.exe
  C:\Windows\System\BBLteiz.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System\sOxfcvR.exe
  C:\Windows\System\sOxfcvR.exe
  2⤵
  - Executes dropped EXE
  PID:2992
- C:\Windows\System\bCAyVEF.exe
  C:\Windows\System\bCAyVEF.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\System\UUrKlEt.exe
  C:\Windows\System\UUrKlEt.exe
  2⤵
  - Executes dropped EXE
  PID:2920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BBLteiz.exe

Filesize
5.2MB

MD5
10364e5956e3e34b5a80eb2c24db8a61

SHA1
a89240fec332065de033cc597750404ca7bd8f47

SHA256
929497239d206f0c3a3ade40baf751877354f910743d6f3075dc1bb2354c14c5

SHA512
aa2a07feea7e4cc7ca2afde60b1f26af1f3d9c5d72f8bf80e4ba7b4d3575261a7d1be185c5e9e4a2158de56ab0ef4f56e9a0667c41bb35cc9be77e18812bc620

Download Submit
C:\Windows\system\CCNcfEA.exe

Filesize
5.2MB

MD5
6f8c4a13270fb6b43dc8ac70e631d356

SHA1
50538582c74b7ea6f7fb926d9fea074a2d1c3367

SHA256
04c6e8f93c91db25eb1b15811820138ad56efd33289f85d95a316053af90223e

SHA512
2c88f5d181775b8a4c6d1c2afb6c6babe0a9dff1e024bba18cb3c1a56ac6fdc150cc59e84ba35766465c745ff5c9fa785cbca1311e5a0c61e7c32b6cc8cae826

Download Submit
C:\Windows\system\FGqIPkj.exe

Filesize
5.2MB

MD5
18e257d85216103657f7f55d1e1cd56b

SHA1
105bb563692ddf6e18b16da9628431d70aea407e

SHA256
84d0611cfc7f19bb24e2580f0c898fd484bc1d47ef685d7be17b3ff0a8d8aff4

SHA512
fe849636a6c94a358e6222dbd4a9003bf51f98ef87e7e190cc63592cdb3fba91ebe17763abde2e1265094b745bc4d5b0ef383297deb379a046aa5878f10908fc

Download Submit
C:\Windows\system\HYHmKHb.exe

Filesize
5.2MB

MD5
86c6e25bf40685491845016235aa9255

SHA1
caee91b8c4d16c28e466c7f3018c32bdce7282ea

SHA256
b7715b6d5eb03f75726f2ab167c3dc5f1cb062ff267f5270efc8fce74f7538dc

SHA512
3fbfe61338d11bf11691dfeea6a4bc2461ecfd446b72b1163c77f15493bcb762413ded0cc5e19e49327d3cdf69064ea50f4c2899e496bc63f671186ba0c8bed7

Download Submit
C:\Windows\system\KYyqeKj.exe

Filesize
5.2MB

MD5
fcd3692d1bac592bc11497f22cd3bfbd

SHA1
e29408b09b908ceb020f17565f7bb41c5f12cd85

SHA256
4335c157ae8c205bf626fb708068138acc2b7c7b9d6e8b6b8e4b5249ff7a0cc4

SHA512
7ae880ad82a04221cb166213fb7164fe1e4cae0a8c88be5d6c6dedb994a4ce3786d874e939fc98327c6bcff0e3ce9a726aa50ff3920c5f21580ec1bf04e327be

Download Submit
C:\Windows\system\PdEHQPf.exe

Filesize
5.2MB

MD5
e769853e74895e02a2d62eb2a8b28ed2

SHA1
dc11cd39b6c9c2f13f3fc4670f9620e285248221

SHA256
d368e32f93e7f2823df888def3419b72be14b49e4fc99d17054f3d7e291da78e

SHA512
d406760e20636cfb2c1ad76107980f2bbd6bf6e02fe52f7df2ddf2d7c1f6aa7376cfb73087832cb8803121458ab48c7298672ac47539aa30e5b888fc8df3dd23

Download Submit
C:\Windows\system\QNVWsnb.exe

Filesize
5.2MB

MD5
a6812f3008b7527dcf19799eb3536af8

SHA1
0d2f2d91ec4693413d7137dfeb59ab337137c41a

SHA256
add2f1bef5fd987545911ae558e1825dc2a4dd14614c44217087338a745129c0

SHA512
11e8fc0414eb9272cb5fbe6eb7dd0c567bb7911faa2bd74090c417c4bb8226df5394357629d9880c2edd8602e93ef807bde3af0cd9a9edafa005814193f41405

Download Submit
C:\Windows\system\RwggbvE.exe

Filesize
5.2MB

MD5
c9f39f6ac768c75c1289ed73e53a3c9c

SHA1
600fd8ec32e9e01e911fe5d65399a51f36c166df

SHA256
d4e182963fb3020cc3bc0cddf9d6fa9617810ef47eb03d596e1ab2f9020a66fe

SHA512
208e66764653b6bd6f8bcdea30f21a7978dbd17631bc29720037b152d183e702e860f6c3a63089e8ab6739eae33b6b099faa8128746a3163002aea8443c0f0ab

Download Submit
C:\Windows\system\UUdwsdh.exe

Filesize
5.2MB

MD5
bc1090f7f76e18ee1b26a6a50dfd8346

SHA1
701346f2c2953b53767f419e735e63efccb3747a

SHA256
8fc041370d99d4f6e0cfdbc9703910c8833e5fab2e32f9a2a6cae8cf3666f4f7

SHA512
4a9426077da14a6b6ec20706b042ab7583f157f93335fc4321c3b6711a3a016f5d1af90d621146e1d692844e760b55cf44abe34ac08d77706be63f91c2c185f9

Download Submit
C:\Windows\system\UUrKlEt.exe

Filesize
5.2MB

MD5
87960f2e9e00410e82cbc01f72d59e5e

SHA1
49a01c8b13cff206afc0a3fd75fce065e9a9b898

SHA256
b9cd64102decea1a78269144a14d26fa001c1c9e2709e75d45baa1832318cedd

SHA512
01c28b59de2a083e93806681302cdc3ddf2ae84bbfb566b073a515c27bec0916bf3fe4126005855a8c1e406294c84fcffe0ce101e1161a7a289ea041aa57d12e

Download Submit
C:\Windows\system\bCAyVEF.exe

Filesize
5.2MB

MD5
3ec2e622a6b9e8fcc9a90a0842895578

SHA1
bbbad49c9ac628542c5c061b937f586c464e1890

SHA256
77a608d299062838ff7c7ffb5bf81417dddba35cf352254b030cd1e3e31f4cd3

SHA512
2b47e7bc01d71e78a86c12b9a13d27e03ce837cc5fa35e4db6ab16dc75665c408947a3d5a014e96328e500644ce4c6cfe549ee69ff40311ce2fde3cfbe290047

Download Submit
C:\Windows\system\bEcfXeR.exe

Filesize
5.2MB

MD5
e7b55ce38009ae741cf7c9ac4f55adf1

SHA1
1f870b754154cdb51b9607692617bba907e90f67

SHA256
c1ccb486a2e8e52030fccb48cd4ffb6dfc7456c400481f564ad81b6b24c43e7b

SHA512
c4b4c94643c51d3c2803d1a0d9b28d8f5c90a63febdd4fccff6acd4945713991424001bd604d768ff4209573163f39e34053d7bfcb1510dee34cf6f2eac867fa

Download Submit
C:\Windows\system\sOxfcvR.exe

Filesize
5.2MB

MD5
6e5fedbe80f31e3d04ad02c4ebcf5575

SHA1
70de5fc9fb0cf175efb7d5d4ddfe2fd392079545

SHA256
2f6837935a91845ffb30777291976427c038ac658902547623732d2f07f5abfd

SHA512
4a99d0b18e5eb17e0736861da80a46b111a48a0c2937bf5430306e1eb16cf400aba478fb089012b52059c65dc7c1080867b0d02759bd34659cf27a7f0fdb514b

Download Submit
C:\Windows\system\tHJzUSO.exe

Filesize
5.2MB

MD5
0c9dc1c44808fd3e8e812b89a2f1556d

SHA1
739e4ecf4dafaad5aeaeb43551ba1142951d97d0

SHA256
0f7b5f894856a83289525526bf009b57bbc1680f5bac9a6334fee15ec4d5642d

SHA512
603ca538f696d5a6489c2e7c0e9cc2290e2703d31a1ce9b46d064d53d2cc47cf25165f835569ac229132b88b4b7a5d986f75dde30e7303711b59d9741672168a

Download Submit
C:\Windows\system\tVsRmUj.exe

Filesize
5.2MB

MD5
48c4620920934875515ef3cfc58bb16f

SHA1
e24623934385c9f6d2384c6144d9b50fbf53913a

SHA256
4b9922d06a20b481a1599e24a53ff526a6451ebc40d121b52ed4ed2e9ab565b6

SHA512
01c76f3f3a47d32bf2753511d24303c126046d6b7f5940611c3e950ce6443bdb45d066f8e7e7f4d109997422761625ae4de913dff5c033ab78d930711467e8fc

Download Submit
C:\Windows\system\wKfJqkA.exe

Filesize
5.2MB

MD5
9e8b4b95721ccddbae86c64eca67b6e1

SHA1
b309edab66ba9e9c1ea987a0a3364ead2d532265

SHA256
7f81c11875f6a1f5baf87af394d6cf5ce1742838d95a746562b4229c4a477b1b

SHA512
b99140bd5aed27e529de858442a817321e390ff57067c865bc8a1d1fa9a2fd2872d6c1d5b5a5e983a0d31c5b647bf938f064793cfe2d5d577c01a566645a4b48

Download Submit
C:\Windows\system\yHmVkcF.exe

Filesize
5.2MB

MD5
8a1f27c06a03426028827a24751b8b85

SHA1
33ac669f14a37514bdcc1c490a88c23ebfd4044c

SHA256
ad472e71abfcd6e598872575124ac1b5c1a7ebc65fc86b0a2a804721017f74f9

SHA512
be4e0f89b8781e663d7ab78faeeb8ba0d0c89d5c582344d38aebb6288497086e5655c06e7d0dbc06d5acc4fc6b13ea74507e1556f7d3da70ee61229fc14f8628

Download Submit
C:\Windows\system\zIMbDgp.exe

Filesize
5.2MB

MD5
4249a1ceda5b676d6780bd45ad702925

SHA1
046650fb0a1c5ef6f40026ba8ad5985a56ae07ba

SHA256
bf5ff85eb9ac62ce36781dff30de78670d461477b82272e9af12fb46d79271e9

SHA512
689d4bd1f9dba88ffd0a9867c739a2da6f0b91a66813d1f5b73f15d776de9fdb239fb0ee0432bbb2c26301eb42786d0520c13837634c3423a70a063022a739df

Download Submit
\Windows\system\BHlYABo.exe

Filesize
5.2MB

MD5
316413e3de31771902bb52ac187ae8a4

SHA1
b32fc4636e09e116ccd6398b67d0153e5f619060

SHA256
8a25ced2b2e153ffc6bede6688f3833d86539c3b0feefd22055da259d17c7d82

SHA512
fe3caa504d58f4796518090727381c8b7b58d3e894cd308a40e6cd7b7ca30ce8d1056421b4f4bd3267de3319a52b4bb1e56c7c532a965d6a617d733a222f81e6

Download Submit
\Windows\system\SEhdVco.exe

Filesize
5.2MB

MD5
c7ec9f2a0b3bc7d77ac93b29e94267e2

SHA1
da04d442a2c42363bd24f16ef4bda392f2af86a1

SHA256
8b6302204cd07032a4d95074f1e04c5ac87c519dd7a99e6f7f95e483b45e1b14

SHA512
2ad79de45b9642054fe5208cdb637ff498e51904799b49bac89cb0fe9f0f95f32092fe242f731326504af9ec8cd54e234cafc8fb7ecd9fc904700a638a482a8a

Download Submit
\Windows\system\ZmESdcM.exe

Filesize
5.2MB

MD5
db59bb85f5a9b35f3c8f2b9b043e97fd

SHA1
e06d30828b2f6f815e20469342b4a62f519c1dd6

SHA256
d9440c683d464355b537dcfa74e47d3cb6abf31fbfc5c361f8a7561ec09991f7

SHA512
86136a08b4958aa0649aef600315b9b006c37d1db529115ff8da1b10811d023679b9ebed7f73770a89e7f2c9eaa7a15535c83ba7a3e6ebe6cbd02c509da5bde1

Download Submit
memory/108-255-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/108-133-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/1160-118-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/1160-230-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/1848-238-0x000000013FF80000-0x00000001402D1000-memory.dmp

Filesize
3.3MB

Download
memory/1848-126-0x000000013FF80000-0x00000001402D1000-memory.dmp

Filesize
3.3MB

Download
memory/2208-134-0x0000000002160000-0x00000000024B1000-memory.dmp

Filesize
3.3MB

Download
memory/2208-119-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

Filesize
3.3MB

Download
memory/2208-113-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/2208-115-0x000000013F970000-0x000000013FCC1000-memory.dmp

Filesize
3.3MB

Download
memory/2208-1-0x00000000002F0000-0x0000000000300000-memory.dmp

Filesize
64KB

Download
memory/2208-10-0x000000013F8E0000-0x000000013FC31000-memory.dmp

Filesize
3.3MB

Download
memory/2208-117-0x000000013F730000-0x000000013FA81000-memory.dmp

Filesize
3.3MB

Download
memory/2208-159-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/2208-158-0x0000000002160000-0x00000000024B1000-memory.dmp

Filesize
3.3MB

Download
memory/2208-157-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/2208-18-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/2208-0-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/2208-132-0x0000000002160000-0x00000000024B1000-memory.dmp

Filesize
3.3MB

Download
memory/2208-131-0x0000000002160000-0x00000000024B1000-memory.dmp

Filesize
3.3MB

Download
memory/2208-121-0x0000000002160000-0x00000000024B1000-memory.dmp

Filesize
3.3MB

Download
memory/2208-129-0x000000013F300000-0x000000013F651000-memory.dmp

Filesize
3.3MB

Download
memory/2208-123-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/2208-127-0x0000000002160000-0x00000000024B1000-memory.dmp

Filesize
3.3MB

Download
memory/2208-135-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/2208-125-0x0000000002160000-0x00000000024B1000-memory.dmp

Filesize
3.3MB

Download
memory/2216-246-0x000000013FF40000-0x0000000140291000-memory.dmp

Filesize
3.3MB

Download
memory/2216-128-0x000000013FF40000-0x0000000140291000-memory.dmp

Filesize
3.3MB

Download
memory/2360-152-0x000000013F3F0000-0x000000013F741000-memory.dmp

Filesize
3.3MB

Download
memory/2380-149-0x000000013FCF0000-0x0000000140041000-memory.dmp

Filesize
3.3MB

Download
memory/2448-209-0x000000013F8E0000-0x000000013FC31000-memory.dmp

Filesize
3.3MB

Download
memory/2448-20-0x000000013F8E0000-0x000000013FC31000-memory.dmp

Filesize
3.3MB

Download
memory/2460-155-0x000000013FB50000-0x000000013FEA1000-memory.dmp

Filesize
3.3MB

Download
memory/2480-137-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/2480-222-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/2480-111-0x000000013F550000-0x000000013F8A1000-memory.dmp

Filesize
3.3MB

Download
memory/2488-120-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

Filesize
3.3MB

Download
memory/2488-234-0x000000013F3A0000-0x000000013F6F1000-memory.dmp

Filesize
3.3MB

Download
memory/2580-151-0x000000013FCA0000-0x000000013FFF1000-memory.dmp

Filesize
3.3MB

Download
memory/2656-218-0x000000013FE70000-0x00000001401C1000-memory.dmp

Filesize
3.3MB

Download
memory/2656-112-0x000000013FE70000-0x00000001401C1000-memory.dmp

Filesize
3.3MB

Download
memory/2664-233-0x000000013FE10000-0x0000000140161000-memory.dmp

Filesize
3.3MB

Download
memory/2664-122-0x000000013FE10000-0x0000000140161000-memory.dmp

Filesize
3.3MB

Download
memory/2712-130-0x000000013F300000-0x000000013F651000-memory.dmp

Filesize
3.3MB

Download
memory/2712-241-0x000000013F300000-0x000000013F651000-memory.dmp

Filesize
3.3MB

Download
memory/2724-236-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/2724-124-0x000000013F7B0000-0x000000013FB01000-memory.dmp

Filesize
3.3MB

Download
memory/2756-211-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2756-19-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2828-226-0x000000013F970000-0x000000013FCC1000-memory.dmp

Filesize
3.3MB

Download
memory/2828-116-0x000000013F970000-0x000000013FCC1000-memory.dmp

Filesize
3.3MB

Download
memory/2852-228-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/2852-114-0x000000013F890000-0x000000013FBE1000-memory.dmp

Filesize
3.3MB

Download
memory/2920-156-0x000000013F110000-0x000000013F461000-memory.dmp

Filesize
3.3MB

Download
memory/2964-153-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2992-154-0x000000013F680000-0x000000013F9D1000-memory.dmp

Filesize
3.3MB

Download