cobaltstrike | 1bcf1fd648833fe8a1b58152244e7dd91fc647407a79f3aff42687d2c545bca7

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 11:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

41eed92c8f49d1f95bce5e8d2bd6be1b
SHA1

bc73ca31586ed05d7934a055ede6149ef3a27e37
SHA256

1bcf1fd648833fe8a1b58152244e7dd91fc647407a79f3aff42687d2c545bca7
SHA512

5d707fe2b13c7b202dca7fe6ade749d1db8d426b733342be864c6b31fae17d968e134160e57bea2bd7cfde15838313b0662e0de3c3df3fe41e04d4175d0282c2
SSDEEP

98304:BemTLkNdfE0pZrT56utgpPFotBER/mQ32lUf:Q+u56utgpPF8u/7f

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023317-5.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023360-10.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002335e-11.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023361-23.dat	cobalt_reflective_dll
behavioral2/files/0x0003000000022a85-29.dat	cobalt_reflective_dll
behavioral2/files/0x000e00000002335a-50.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023366-53.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002336a-71.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023369-79.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023367-73.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023363-67.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023364-55.dat	cobalt_reflective_dll
behavioral2/files/0x0002000000022a8b-41.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023376-85.dat	cobalt_reflective_dll
behavioral2/files/0x000a00000002337a-91.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002337b-96.dat	cobalt_reflective_dll
behavioral2/files/0x000200000001e6a8-101.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001e6cf-123.dat	cobalt_reflective_dll
behavioral2/files/0x00020000000229a3-127.dat	cobalt_reflective_dll
behavioral2/files/0x00020000000229a4-134.dat	cobalt_reflective_dll
behavioral2/files/0x000200000001e6aa-118.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3624-0-0x00007FF6E59C0000-0x00007FF6E5D14000-memory.dmp	xmrig
behavioral2/files/0x000c000000023317-5.dat	xmrig
behavioral2/files/0x0008000000023360-10.dat	xmrig
behavioral2/files/0x000800000002335e-11.dat	xmrig
behavioral2/memory/3908-7-0x00007FF7318D0000-0x00007FF731C24000-memory.dmp	xmrig
behavioral2/memory/4400-18-0x00007FF7CD5A0000-0x00007FF7CD8F4000-memory.dmp	xmrig
behavioral2/memory/4460-12-0x00007FF7C9FD0000-0x00007FF7CA324000-memory.dmp	xmrig
behavioral2/files/0x0008000000023361-23.dat	xmrig
behavioral2/memory/3516-24-0x00007FF745800000-0x00007FF745B54000-memory.dmp	xmrig
behavioral2/files/0x0003000000022a85-29.dat	xmrig
behavioral2/memory/1848-33-0x00007FF660380000-0x00007FF6606D4000-memory.dmp	xmrig
behavioral2/files/0x000e00000002335a-50.dat	xmrig
behavioral2/files/0x0008000000023366-53.dat	xmrig
behavioral2/files/0x000800000002336a-71.dat	xmrig
behavioral2/memory/3912-74-0x00007FF6E1360000-0x00007FF6E16B4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023369-79.dat	xmrig
behavioral2/memory/4000-78-0x00007FF6CC4C0000-0x00007FF6CC814000-memory.dmp	xmrig
behavioral2/memory/3624-75-0x00007FF6E59C0000-0x00007FF6E5D14000-memory.dmp	xmrig
behavioral2/files/0x0008000000023367-73.dat	xmrig
behavioral2/memory/116-72-0x00007FF7A3360000-0x00007FF7A36B4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023363-67.dat	xmrig
behavioral2/memory/5104-61-0x00007FF696120000-0x00007FF696474000-memory.dmp	xmrig
behavioral2/memory/3664-57-0x00007FF6621D0000-0x00007FF662524000-memory.dmp	xmrig
behavioral2/files/0x0008000000023364-55.dat	xmrig
behavioral2/memory/4124-54-0x00007FF684D70000-0x00007FF6850C4000-memory.dmp	xmrig
behavioral2/memory/4636-46-0x00007FF7F1F20000-0x00007FF7F2274000-memory.dmp	xmrig
behavioral2/files/0x0002000000022a8b-41.dat	xmrig
behavioral2/memory/4616-40-0x00007FF61EFC0000-0x00007FF61F314000-memory.dmp	xmrig
behavioral2/files/0x0009000000023376-85.dat	xmrig
behavioral2/files/0x000a00000002337a-91.dat	xmrig
behavioral2/files/0x000800000002337b-96.dat	xmrig
behavioral2/files/0x000200000001e6a8-101.dat	xmrig
behavioral2/memory/4460-100-0x00007FF7C9FD0000-0x00007FF7CA324000-memory.dmp	xmrig
behavioral2/memory/4236-105-0x00007FF7E7E60000-0x00007FF7E81B4000-memory.dmp	xmrig
behavioral2/memory/4216-115-0x00007FF7A3240000-0x00007FF7A3594000-memory.dmp	xmrig
behavioral2/files/0x000400000001e6cf-123.dat	xmrig
behavioral2/files/0x00020000000229a3-127.dat	xmrig
behavioral2/memory/4636-132-0x00007FF7F1F20000-0x00007FF7F2274000-memory.dmp	xmrig
behavioral2/files/0x00020000000229a4-134.dat	xmrig
behavioral2/memory/4040-133-0x00007FF7A4220000-0x00007FF7A4574000-memory.dmp	xmrig
behavioral2/memory/4124-131-0x00007FF684D70000-0x00007FF6850C4000-memory.dmp	xmrig
behavioral2/memory/4616-130-0x00007FF61EFC0000-0x00007FF61F314000-memory.dmp	xmrig
behavioral2/memory/4860-126-0x00007FF6983B0000-0x00007FF698704000-memory.dmp	xmrig
behavioral2/memory/4736-125-0x00007FF7BCB10000-0x00007FF7BCE64000-memory.dmp	xmrig
behavioral2/memory/1848-122-0x00007FF660380000-0x00007FF6606D4000-memory.dmp	xmrig
behavioral2/memory/3516-121-0x00007FF745800000-0x00007FF745B54000-memory.dmp	xmrig
behavioral2/files/0x000200000001e6aa-118.dat	xmrig
behavioral2/memory/2968-113-0x00007FF6F09F0000-0x00007FF6F0D44000-memory.dmp	xmrig
behavioral2/memory/4400-110-0x00007FF7CD5A0000-0x00007FF7CD8F4000-memory.dmp	xmrig
behavioral2/memory/4980-109-0x00007FF64C800000-0x00007FF64CB54000-memory.dmp	xmrig
behavioral2/memory/3048-104-0x00007FF721FC0000-0x00007FF722314000-memory.dmp	xmrig
behavioral2/memory/3908-82-0x00007FF7318D0000-0x00007FF731C24000-memory.dmp	xmrig
behavioral2/memory/3664-137-0x00007FF6621D0000-0x00007FF662524000-memory.dmp	xmrig
behavioral2/memory/5104-138-0x00007FF696120000-0x00007FF696474000-memory.dmp	xmrig
behavioral2/memory/116-139-0x00007FF7A3360000-0x00007FF7A36B4000-memory.dmp	xmrig
behavioral2/memory/3912-140-0x00007FF6E1360000-0x00007FF6E16B4000-memory.dmp	xmrig
behavioral2/memory/4000-141-0x00007FF6CC4C0000-0x00007FF6CC814000-memory.dmp	xmrig
behavioral2/memory/2968-142-0x00007FF6F09F0000-0x00007FF6F0D44000-memory.dmp	xmrig
behavioral2/memory/4216-143-0x00007FF7A3240000-0x00007FF7A3594000-memory.dmp	xmrig
behavioral2/memory/4736-144-0x00007FF7BCB10000-0x00007FF7BCE64000-memory.dmp	xmrig
behavioral2/memory/4860-145-0x00007FF6983B0000-0x00007FF698704000-memory.dmp	xmrig
behavioral2/memory/4040-146-0x00007FF7A4220000-0x00007FF7A4574000-memory.dmp	xmrig
behavioral2/memory/3908-147-0x00007FF7318D0000-0x00007FF731C24000-memory.dmp	xmrig
behavioral2/memory/4460-148-0x00007FF7C9FD0000-0x00007FF7CA324000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3908	dEOMghR.exe
4460	yizRoHv.exe
4400	epsaETJ.exe
3516	EWWYfTU.exe
1848	sXEwRcI.exe
4616	uzFIteq.exe
4636	ePLozob.exe
4124	TGIFWOv.exe
5104	LGXJvbW.exe
3664	RLFrUPY.exe
116	ApkkUiD.exe
4000	Gmphqxd.exe
3912	RCtTRSZ.exe
3048	zwPSCKP.exe
4980	IZXSeoX.exe
4236	eJyTtsP.exe
2968	NDjAZuW.exe
4216	RxllTjJ.exe
4736	EywZzEE.exe
4860	wzDGSNh.exe
4040	ojckvhj.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3624-0-0x00007FF6E59C0000-0x00007FF6E5D14000-memory.dmp	upx
behavioral2/files/0x000c000000023317-5.dat	upx
behavioral2/files/0x0008000000023360-10.dat	upx
behavioral2/files/0x000800000002335e-11.dat	upx
behavioral2/memory/3908-7-0x00007FF7318D0000-0x00007FF731C24000-memory.dmp	upx
behavioral2/memory/4400-18-0x00007FF7CD5A0000-0x00007FF7CD8F4000-memory.dmp	upx
behavioral2/memory/4460-12-0x00007FF7C9FD0000-0x00007FF7CA324000-memory.dmp	upx
behavioral2/files/0x0008000000023361-23.dat	upx
behavioral2/memory/3516-24-0x00007FF745800000-0x00007FF745B54000-memory.dmp	upx
behavioral2/files/0x0003000000022a85-29.dat	upx
behavioral2/memory/1848-33-0x00007FF660380000-0x00007FF6606D4000-memory.dmp	upx
behavioral2/files/0x000e00000002335a-50.dat	upx
behavioral2/files/0x0008000000023366-53.dat	upx
behavioral2/files/0x000800000002336a-71.dat	upx
behavioral2/memory/3912-74-0x00007FF6E1360000-0x00007FF6E16B4000-memory.dmp	upx
behavioral2/files/0x0008000000023369-79.dat	upx
behavioral2/memory/4000-78-0x00007FF6CC4C0000-0x00007FF6CC814000-memory.dmp	upx
behavioral2/memory/3624-75-0x00007FF6E59C0000-0x00007FF6E5D14000-memory.dmp	upx
behavioral2/files/0x0008000000023367-73.dat	upx
behavioral2/memory/116-72-0x00007FF7A3360000-0x00007FF7A36B4000-memory.dmp	upx
behavioral2/files/0x0008000000023363-67.dat	upx
behavioral2/memory/5104-61-0x00007FF696120000-0x00007FF696474000-memory.dmp	upx
behavioral2/memory/3664-57-0x00007FF6621D0000-0x00007FF662524000-memory.dmp	upx
behavioral2/files/0x0008000000023364-55.dat	upx
behavioral2/memory/4124-54-0x00007FF684D70000-0x00007FF6850C4000-memory.dmp	upx
behavioral2/memory/4636-46-0x00007FF7F1F20000-0x00007FF7F2274000-memory.dmp	upx
behavioral2/files/0x0002000000022a8b-41.dat	upx
behavioral2/memory/4616-40-0x00007FF61EFC0000-0x00007FF61F314000-memory.dmp	upx
behavioral2/files/0x0009000000023376-85.dat	upx
behavioral2/files/0x000a00000002337a-91.dat	upx
behavioral2/files/0x000800000002337b-96.dat	upx
behavioral2/files/0x000200000001e6a8-101.dat	upx
behavioral2/memory/4460-100-0x00007FF7C9FD0000-0x00007FF7CA324000-memory.dmp	upx
behavioral2/memory/4236-105-0x00007FF7E7E60000-0x00007FF7E81B4000-memory.dmp	upx
behavioral2/memory/4216-115-0x00007FF7A3240000-0x00007FF7A3594000-memory.dmp	upx
behavioral2/files/0x000400000001e6cf-123.dat	upx
behavioral2/files/0x00020000000229a3-127.dat	upx
behavioral2/memory/4636-132-0x00007FF7F1F20000-0x00007FF7F2274000-memory.dmp	upx
behavioral2/files/0x00020000000229a4-134.dat	upx
behavioral2/memory/4040-133-0x00007FF7A4220000-0x00007FF7A4574000-memory.dmp	upx
behavioral2/memory/4124-131-0x00007FF684D70000-0x00007FF6850C4000-memory.dmp	upx
behavioral2/memory/4616-130-0x00007FF61EFC0000-0x00007FF61F314000-memory.dmp	upx
behavioral2/memory/4860-126-0x00007FF6983B0000-0x00007FF698704000-memory.dmp	upx
behavioral2/memory/4736-125-0x00007FF7BCB10000-0x00007FF7BCE64000-memory.dmp	upx
behavioral2/memory/1848-122-0x00007FF660380000-0x00007FF6606D4000-memory.dmp	upx
behavioral2/memory/3516-121-0x00007FF745800000-0x00007FF745B54000-memory.dmp	upx
behavioral2/files/0x000200000001e6aa-118.dat	upx
behavioral2/memory/2968-113-0x00007FF6F09F0000-0x00007FF6F0D44000-memory.dmp	upx
behavioral2/memory/4400-110-0x00007FF7CD5A0000-0x00007FF7CD8F4000-memory.dmp	upx
behavioral2/memory/4980-109-0x00007FF64C800000-0x00007FF64CB54000-memory.dmp	upx
behavioral2/memory/3048-104-0x00007FF721FC0000-0x00007FF722314000-memory.dmp	upx
behavioral2/memory/3908-82-0x00007FF7318D0000-0x00007FF731C24000-memory.dmp	upx
behavioral2/memory/3664-137-0x00007FF6621D0000-0x00007FF662524000-memory.dmp	upx
behavioral2/memory/5104-138-0x00007FF696120000-0x00007FF696474000-memory.dmp	upx
behavioral2/memory/116-139-0x00007FF7A3360000-0x00007FF7A36B4000-memory.dmp	upx
behavioral2/memory/3912-140-0x00007FF6E1360000-0x00007FF6E16B4000-memory.dmp	upx
behavioral2/memory/4000-141-0x00007FF6CC4C0000-0x00007FF6CC814000-memory.dmp	upx
behavioral2/memory/2968-142-0x00007FF6F09F0000-0x00007FF6F0D44000-memory.dmp	upx
behavioral2/memory/4216-143-0x00007FF7A3240000-0x00007FF7A3594000-memory.dmp	upx
behavioral2/memory/4736-144-0x00007FF7BCB10000-0x00007FF7BCE64000-memory.dmp	upx
behavioral2/memory/4860-145-0x00007FF6983B0000-0x00007FF698704000-memory.dmp	upx
behavioral2/memory/4040-146-0x00007FF7A4220000-0x00007FF7A4574000-memory.dmp	upx
behavioral2/memory/3908-147-0x00007FF7318D0000-0x00007FF731C24000-memory.dmp	upx
behavioral2/memory/4460-148-0x00007FF7C9FD0000-0x00007FF7CA324000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\sXEwRcI.exe	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ePLozob.exe	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ApkkUiD.exe	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RCtTRSZ.exe	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RxllTjJ.exe	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Gmphqxd.exe	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ojckvhj.exe	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\epsaETJ.exe	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EWWYfTU.exe	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uzFIteq.exe	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TGIFWOv.exe	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LGXJvbW.exe	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RLFrUPY.exe	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yizRoHv.exe	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eJyTtsP.exe	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dEOMghR.exe	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zwPSCKP.exe	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IZXSeoX.exe	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NDjAZuW.exe	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EywZzEE.exe	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wzDGSNh.exe	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3624 wrote to memory of 3908	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3624 wrote to memory of 3908	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3624 wrote to memory of 4460	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3624 wrote to memory of 4460	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3624 wrote to memory of 4400	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3624 wrote to memory of 4400	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3624 wrote to memory of 3516	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3624 wrote to memory of 3516	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3624 wrote to memory of 1848	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3624 wrote to memory of 1848	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3624 wrote to memory of 4616	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3624 wrote to memory of 4616	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3624 wrote to memory of 4124	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3624 wrote to memory of 4124	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3624 wrote to memory of 4636	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3624 wrote to memory of 4636	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3624 wrote to memory of 5104	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3624 wrote to memory of 5104	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3624 wrote to memory of 3664	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3624 wrote to memory of 3664	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3624 wrote to memory of 116	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3624 wrote to memory of 116	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3624 wrote to memory of 4000	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3624 wrote to memory of 4000	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3624 wrote to memory of 3912	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3624 wrote to memory of 3912	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3624 wrote to memory of 3048	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3624 wrote to memory of 3048	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3624 wrote to memory of 4980	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3624 wrote to memory of 4980	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3624 wrote to memory of 4236	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3624 wrote to memory of 4236	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3624 wrote to memory of 2968	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3624 wrote to memory of 2968	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3624 wrote to memory of 4216	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3624 wrote to memory of 4216	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3624 wrote to memory of 4736	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3624 wrote to memory of 4736	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3624 wrote to memory of 4860	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3624 wrote to memory of 4860	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 3624 wrote to memory of 4040	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 3624 wrote to memory of 4040	3624	2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-07_41eed92c8f49d1f95bce5e8d2bd6be1b_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3624
- C:\Windows\System\dEOMghR.exe
  C:\Windows\System\dEOMghR.exe
  2⤵
  - Executes dropped EXE
  PID:3908
- C:\Windows\System\yizRoHv.exe
  C:\Windows\System\yizRoHv.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Windows\System\epsaETJ.exe
  C:\Windows\System\epsaETJ.exe
  2⤵
  - Executes dropped EXE
  PID:4400
- C:\Windows\System\EWWYfTU.exe
  C:\Windows\System\EWWYfTU.exe
  2⤵
  - Executes dropped EXE
  PID:3516
- C:\Windows\System\sXEwRcI.exe
  C:\Windows\System\sXEwRcI.exe
  2⤵
  - Executes dropped EXE
  PID:1848
- C:\Windows\System\uzFIteq.exe
  C:\Windows\System\uzFIteq.exe
  2⤵
  - Executes dropped EXE
  PID:4616
- C:\Windows\System\TGIFWOv.exe
  C:\Windows\System\TGIFWOv.exe
  2⤵
  - Executes dropped EXE
  PID:4124
- C:\Windows\System\ePLozob.exe
  C:\Windows\System\ePLozob.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System\LGXJvbW.exe
  C:\Windows\System\LGXJvbW.exe
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Windows\System\RLFrUPY.exe
  C:\Windows\System\RLFrUPY.exe
  2⤵
  - Executes dropped EXE
  PID:3664
- C:\Windows\System\ApkkUiD.exe
  C:\Windows\System\ApkkUiD.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\Gmphqxd.exe
  C:\Windows\System\Gmphqxd.exe
  2⤵
  - Executes dropped EXE
  PID:4000
- C:\Windows\System\RCtTRSZ.exe
  C:\Windows\System\RCtTRSZ.exe
  2⤵
  - Executes dropped EXE
  PID:3912
- C:\Windows\System\zwPSCKP.exe
  C:\Windows\System\zwPSCKP.exe
  2⤵
  - Executes dropped EXE
  PID:3048
- C:\Windows\System\IZXSeoX.exe
  C:\Windows\System\IZXSeoX.exe
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\Windows\System\eJyTtsP.exe
  C:\Windows\System\eJyTtsP.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Windows\System\NDjAZuW.exe
  C:\Windows\System\NDjAZuW.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\RxllTjJ.exe
  C:\Windows\System\RxllTjJ.exe
  2⤵
  - Executes dropped EXE
  PID:4216
- C:\Windows\System\EywZzEE.exe
  C:\Windows\System\EywZzEE.exe
  2⤵
  - Executes dropped EXE
  PID:4736
- C:\Windows\System\wzDGSNh.exe
  C:\Windows\System\wzDGSNh.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System\ojckvhj.exe
  C:\Windows\System\ojckvhj.exe
  2⤵
  - Executes dropped EXE
  PID:4040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ApkkUiD.exe

Filesize
5.9MB

MD5
cb585b17590d58411ad4f27006f20a78

SHA1
e907d1fb32c2951ad4334b0e4f9259bc0d680623

SHA256
e53082e6d7d15e621aa7840087eb3bc1a7090e1672503f9b6a32c63e19d5f6e4

SHA512
f0eb9328bc2ca19ff7fd3ff1aa4d97fc0bbe2b0d40d3d5719d104fc33446cd128b8a10fd7dd62f755a4b7dcb00e6a785da6f2d30c45d095444bb309b21ff4703

Download Submit
C:\Windows\System\EWWYfTU.exe

Filesize
5.9MB

MD5
50f1d114f7f20dfe57679348bdfee3f9

SHA1
03505a0194d794ec10ca9e24abaadb9749e516dd

SHA256
626343f30e462c4ff8284548d687e2ae36c2686541289933472484f46f7ffb34

SHA512
d0110304a5968fa5aa3c09b1ac3976e6d691910c864cd4aadd93636bcbc0a5146418071f89e45690278fe6c066933c0393337d416bbf92253856d9321f1fe8ef

Download Submit
C:\Windows\System\EywZzEE.exe

Filesize
5.9MB

MD5
0aa41a93c75ef8d0fa71758d8c4f502c

SHA1
50b4a2228f232d91b2c6ec153e4e540285870017

SHA256
aa5eddbeb04b047d5bc5c79d93cadc3972f5b1e2f331e22772be1b7c37754adc

SHA512
44893056b3c337f55ec9607da25c9e52290e3f1d9aa3d80bba90e32f65178bd1fa37053e2ffdd288c328ef48f37ddaf9a61858b1780b3f91e7be37d5c5f2a180

Download Submit
C:\Windows\System\Gmphqxd.exe

Filesize
5.9MB

MD5
e86e566b9a69bd7da99b09222172f87a

SHA1
c4eabdec65a92fd677e516060d09f9dbda312d4e

SHA256
7571951bac3ee9e9eca74c0a3d69f8fcf21354d735f2ff2402ebd2d3cf636097

SHA512
362acea80f63036ca85a3d9ac01d35dacd594df144df8d167c3cb2abc2871160edbe481a4bbcfb35d327878bec26ed83e0d33fff0190ee11d764f70d8d341081

Download Submit
C:\Windows\System\IZXSeoX.exe

Filesize
5.9MB

MD5
424a1fd27d4ea8658a928722fd373ca9

SHA1
5773e4fb806ad9f81ea77c92564296543af279c5

SHA256
a08bc08966d199788d3f91b1ea147b67ece7c07e764ea9e04fb0003961a66f01

SHA512
21c98dadfd6f682fde9227d302f6cab1da9ab12d94c635d1cb7d0f8e94d91d85291d41729f71a61f121ce02171a32b597c3c48a3df9fcd4f180b52ce800c9303

Download Submit
C:\Windows\System\LGXJvbW.exe

Filesize
5.9MB

MD5
d0fdfc85aca1487092a93035fb9965f8

SHA1
4aaf13cd0368f94f70c843b78ea4fde40abfa693

SHA256
170c5920b36de4dae19436be9aa347b3cea1efe4c0b2980598a120651d5b1788

SHA512
4445f92ec4c72ae53611be405bea861d5b91d95287e0ae82fa0da763fb86f246ddf257fe5842a1d34e95b9b39cef8320e546a6c8954e5dc6742f2bfc6fc44a50

Download Submit
C:\Windows\System\NDjAZuW.exe

Filesize
5.9MB

MD5
f04a41416d254851ae908c35e2dd7804

SHA1
70bf4b09b8098d070dd57ae72244abdb8f8a9def

SHA256
04c99ddd25fc0ae6e65487d9119fb77629f63a814b6959221f5bec1e16c7aab9

SHA512
a78416ddb565385dbade477dbdce4f8bb9e7a4a20a8986b352e5b2aa5bcb9f193889f084caef0468168612d13ae185d38b97ac2e0f43382675dba9b3da3635f5

Download Submit
C:\Windows\System\RCtTRSZ.exe

Filesize
5.9MB

MD5
f28f8b64f98f8ee1d466fe7f85dd3fec

SHA1
95a6e8c59207bfad6380b52590dd539bc4dd208a

SHA256
bcae983412a8e8b30be7742638d82d99b6578fc19052b4ba8e83402ce1be1a71

SHA512
bc73dfd0a08f6f9a7a5e4795729b4b671c0adca035553246e3a132af6a4d99ee68072cfa8411ec867129fdaec291df5a07b417292fc5cb1e57f53e4df2ec3aab

Download Submit
C:\Windows\System\RLFrUPY.exe

Filesize
5.9MB

MD5
3f4f24fdec1fc2f7e33d50e7dd061453

SHA1
3093568661d63bc7038ff8f16dc8bc4022afae95

SHA256
ef285a47697d35b49086c14edd761b1a994c255c30327b4fc4e27e08a3797ebd

SHA512
33317bbdde35d8251ffd0fe2cfaed4e654a98a35ca093f31d916fe2684dbd0dc96dd5673ac2d51116e427e2893c5ba3c1d0782be6f51391be4d86b6f9dd995f1

Download Submit
C:\Windows\System\RxllTjJ.exe

Filesize
5.9MB

MD5
952740280696d8a0528a4a3260460d59

SHA1
19654cecf39b97ae6be27bfdd5149ced240ed056

SHA256
e02b29f77096a201658f279f9bc2f08e2ddd49e0753a6e4fce3e8c704f3dfc86

SHA512
4546364795b88f207ce05040e3a915365d97078d419814b0d5ea628d98c7501736609a45a53d255543af40f7a77df34ec758f8e4a04b8527aca9ff90035efec4

Download Submit
C:\Windows\System\TGIFWOv.exe

Filesize
5.9MB

MD5
d5ec012887fdadfe348ac1d4eb7f43e1

SHA1
a69f4af85d3c743ceb1c1df340344e05ab764f9a

SHA256
6f8c129d3671ebb22425c1eb7be04536fec9900e12e0f67bd99ff70316ca5cf7

SHA512
f8c63553ecd21f0b0bc88e2a8f7d2c7c1f686b2874c5a033db4de7bc64523303353732d95fdb0c0476678976da84614e883ee963aced56c49bcb7c8b407b09d0

Download Submit
C:\Windows\System\dEOMghR.exe

Filesize
5.9MB

MD5
a316b02ba2d4f46190c481ee5fbf1527

SHA1
d50bab99c10cfbd3c158f2916f9a10714280e55a

SHA256
1e87b8cd13058eccbe7b49093a4c164b907fbc592475432cf5ca0356302221db

SHA512
f66092004dffe682e53cdcd17e064d3b9157cdf4a83b51ab843f66cd5164b6e589ca8f9d0745bbda20855d0bc87e433c48a4a43dab9386596b4ea4daa26146da

Download Submit
C:\Windows\System\eJyTtsP.exe

Filesize
5.9MB

MD5
4a4df9bfc5ff58bf1e6507f3515fa37a

SHA1
e3a16174e449fe781344022559018d24e01a8e84

SHA256
72b10cd1afade7b790788157758ebc9550200b04e7964b76bf77684bc6ff7ada

SHA512
d85506c4998c6d072b126457ab23976bf64d19262308acf49dd157d38df934d2f293eb3389754ab84a57d284f63918c3c304852788995ac52ae961840084d4e1

Download Submit
C:\Windows\System\ePLozob.exe

Filesize
5.9MB

MD5
4d8d726f136b7c758f2bedd60cba1229

SHA1
bf3d9dcc4a8be5e42ab015f4c337a37a6845042a

SHA256
36665677f2afda241c3cd3dcd3109843637013e60fc07759a411f3f49920bd38

SHA512
1acaea09db9925966083b0550657a5e17724c05b97bc73518da936b2dfd0d8aa08052a3cf239682ac2c5e6f82acb7cfec5fcb89b076485c0c4187342428c1d48

Download Submit
C:\Windows\System\epsaETJ.exe

Filesize
5.9MB

MD5
e2d83aa84e033848e120528ce3285e32

SHA1
c3862b7ba5ddd8fe3c4937f65fd918a45cb97413

SHA256
3319fbfb1a96839933e39b95dac740a628a4730d055c5ec6f568923a9c80bb0d

SHA512
290fe4339a0cad2b0d65ed5bdb381b0e370e549074a665b250076b0b2175680cc3b77365c5d3ae4c7de1aa4f5a5e97473d3bf9c7609dfc53342183a6a74c8ad0

Download Submit
C:\Windows\System\ojckvhj.exe

Filesize
5.9MB

MD5
0960d20a82fc19fad1d50573d94148ae

SHA1
e50aa6c2bd91f3a922700aca06c1d58d29250618

SHA256
a7c4c5b2e3be9461d0e4e01c5e0a439663fede9aa9aa1548a40ffb4580d160c1

SHA512
0d3e0dbae7377f03c1463ddf9f5115f8ca25651a2fd1e6512735088a261b3278123348da1fcb077df6ebc386f99d1ef6741d1b0927b216bf7dedcb060c8046d6

Download Submit
C:\Windows\System\sXEwRcI.exe

Filesize
5.9MB

MD5
da55c7a8481b412327f8d69162b79ce8

SHA1
d851787159d46cd6b26faa89bc0e045aff50f00b

SHA256
1cfdb0761f06f0a1073e14ba91319681b87e0bdf6535515b742d4d06e927bb99

SHA512
211277a049a9acf27b4f9fab7289ff2ea7bf0747121dac917ceb522d8c501afd6d1954f39c3ec9c96da6b6aaf59abc6ef57b4839ee24d59c244bcfbb8dc6241f

Download Submit
C:\Windows\System\uzFIteq.exe

Filesize
5.9MB

MD5
d4aec796ccfe0c1f548529a94a01c5f8

SHA1
40c4370a59074ca55949fb2832c4bfa6d3e41aa3

SHA256
fbe9081efbeb14e0b2ebf146d793890b32d868d806ee91f341dbc17c6296278f

SHA512
812a1e156a66fb5c2a4e6b7cd14cffebfab113af151c6fc063bee078c4a014031afcc71aaa5d1ac5c71794ed521d009d0055141af2fa3a654765100fe2072c60

Download Submit
C:\Windows\System\wzDGSNh.exe

Filesize
5.9MB

MD5
e1f840281e0fd2d3eedd5b24f112a7f3

SHA1
037778828faf8a3c234e64fd93ee8ef26e629270

SHA256
46f4c5fb0ebb077fcaaba9bb61480cf0c3705f7a3527be311495afca71930cbf

SHA512
bbee0471a23f3bf951dd26391930a7d08144d783ff5d22e4b7c376cfc7cd5de5da1f9e3c8672d517a4a68a31ce89214c6b8020ecf11105b7af72823415bc3fb0

Download Submit
C:\Windows\System\yizRoHv.exe

Filesize
5.9MB

MD5
dd643a5ea59228fa190ae8864ba7165e

SHA1
aaa243d4d3d2f22e6c18583aaa9a94e440063566

SHA256
648def2425efb4d24ac516a4519aa4bc66bba4c42aab264d810e226ea549cb83

SHA512
0da1866cdfda8267e39592e88300921b856f8115949676e1c8e48090b13afd885df1e23d286653995c2eee98517cae2c8bb2f0f99730197cf78aba69cdc0ec80

Download Submit
C:\Windows\System\zwPSCKP.exe

Filesize
5.9MB

MD5
613e0e87574cbf393832457a347d4564

SHA1
7c8fd476de377565cc2883def6fd3c52a085a24b

SHA256
ad9d03c75140291ffd574bbc61faf1175ec302292bdd6f9abf5a2e67e33f52ac

SHA512
7b9a0611c18e624adf71d6aa6c11f1a368c59497a6ee770cb5330a0d70cd248676886c38f7b82ec6ce8d3541fe333d7e5208afd78f41b9320da0b4035a3ee506

Download Submit
memory/116-158-0x00007FF7A3360000-0x00007FF7A36B4000-memory.dmp

Filesize
3.3MB

Download
memory/116-72-0x00007FF7A3360000-0x00007FF7A36B4000-memory.dmp

Filesize
3.3MB

Download
memory/116-139-0x00007FF7A3360000-0x00007FF7A36B4000-memory.dmp

Filesize
3.3MB

Download
memory/1848-151-0x00007FF660380000-0x00007FF6606D4000-memory.dmp

Filesize
3.3MB

Download
memory/1848-33-0x00007FF660380000-0x00007FF6606D4000-memory.dmp

Filesize
3.3MB

Download
memory/1848-122-0x00007FF660380000-0x00007FF6606D4000-memory.dmp

Filesize
3.3MB

Download
memory/2968-164-0x00007FF6F09F0000-0x00007FF6F0D44000-memory.dmp

Filesize
3.3MB

Download
memory/2968-113-0x00007FF6F09F0000-0x00007FF6F0D44000-memory.dmp

Filesize
3.3MB

Download
memory/2968-142-0x00007FF6F09F0000-0x00007FF6F0D44000-memory.dmp

Filesize
3.3MB

Download
memory/3048-104-0x00007FF721FC0000-0x00007FF722314000-memory.dmp

Filesize
3.3MB

Download
memory/3048-160-0x00007FF721FC0000-0x00007FF722314000-memory.dmp

Filesize
3.3MB

Download
memory/3516-24-0x00007FF745800000-0x00007FF745B54000-memory.dmp

Filesize
3.3MB

Download
memory/3516-150-0x00007FF745800000-0x00007FF745B54000-memory.dmp

Filesize
3.3MB

Download
memory/3516-121-0x00007FF745800000-0x00007FF745B54000-memory.dmp

Filesize
3.3MB

Download
memory/3624-0-0x00007FF6E59C0000-0x00007FF6E5D14000-memory.dmp

Filesize
3.3MB

Download
memory/3624-75-0x00007FF6E59C0000-0x00007FF6E5D14000-memory.dmp

Filesize
3.3MB

Download
memory/3624-1-0x0000025657080000-0x0000025657090000-memory.dmp

Filesize
64KB

Download
memory/3664-57-0x00007FF6621D0000-0x00007FF662524000-memory.dmp

Filesize
3.3MB

Download
memory/3664-137-0x00007FF6621D0000-0x00007FF662524000-memory.dmp

Filesize
3.3MB

Download
memory/3664-156-0x00007FF6621D0000-0x00007FF662524000-memory.dmp

Filesize
3.3MB

Download
memory/3908-82-0x00007FF7318D0000-0x00007FF731C24000-memory.dmp

Filesize
3.3MB

Download
memory/3908-7-0x00007FF7318D0000-0x00007FF731C24000-memory.dmp

Filesize
3.3MB

Download
memory/3908-147-0x00007FF7318D0000-0x00007FF731C24000-memory.dmp

Filesize
3.3MB

Download
memory/3912-159-0x00007FF6E1360000-0x00007FF6E16B4000-memory.dmp

Filesize
3.3MB

Download
memory/3912-140-0x00007FF6E1360000-0x00007FF6E16B4000-memory.dmp

Filesize
3.3MB

Download
memory/3912-74-0x00007FF6E1360000-0x00007FF6E16B4000-memory.dmp

Filesize
3.3MB

Download
memory/4000-78-0x00007FF6CC4C0000-0x00007FF6CC814000-memory.dmp

Filesize
3.3MB

Download
memory/4000-141-0x00007FF6CC4C0000-0x00007FF6CC814000-memory.dmp

Filesize
3.3MB

Download
memory/4000-157-0x00007FF6CC4C0000-0x00007FF6CC814000-memory.dmp

Filesize
3.3MB

Download
memory/4040-146-0x00007FF7A4220000-0x00007FF7A4574000-memory.dmp

Filesize
3.3MB

Download
memory/4040-166-0x00007FF7A4220000-0x00007FF7A4574000-memory.dmp

Filesize
3.3MB

Download
memory/4040-133-0x00007FF7A4220000-0x00007FF7A4574000-memory.dmp

Filesize
3.3MB

Download
memory/4124-54-0x00007FF684D70000-0x00007FF6850C4000-memory.dmp

Filesize
3.3MB

Download
memory/4124-131-0x00007FF684D70000-0x00007FF6850C4000-memory.dmp

Filesize
3.3MB

Download
memory/4124-155-0x00007FF684D70000-0x00007FF6850C4000-memory.dmp

Filesize
3.3MB

Download
memory/4216-163-0x00007FF7A3240000-0x00007FF7A3594000-memory.dmp

Filesize
3.3MB

Download
memory/4216-143-0x00007FF7A3240000-0x00007FF7A3594000-memory.dmp

Filesize
3.3MB

Download
memory/4216-115-0x00007FF7A3240000-0x00007FF7A3594000-memory.dmp

Filesize
3.3MB

Download
memory/4236-162-0x00007FF7E7E60000-0x00007FF7E81B4000-memory.dmp

Filesize
3.3MB

Download
memory/4236-105-0x00007FF7E7E60000-0x00007FF7E81B4000-memory.dmp

Filesize
3.3MB

Download
memory/4400-18-0x00007FF7CD5A0000-0x00007FF7CD8F4000-memory.dmp

Filesize
3.3MB

Download
memory/4400-110-0x00007FF7CD5A0000-0x00007FF7CD8F4000-memory.dmp

Filesize
3.3MB

Download
memory/4400-149-0x00007FF7CD5A0000-0x00007FF7CD8F4000-memory.dmp

Filesize
3.3MB

Download
memory/4460-100-0x00007FF7C9FD0000-0x00007FF7CA324000-memory.dmp

Filesize
3.3MB

Download
memory/4460-12-0x00007FF7C9FD0000-0x00007FF7CA324000-memory.dmp

Filesize
3.3MB

Download
memory/4460-148-0x00007FF7C9FD0000-0x00007FF7CA324000-memory.dmp

Filesize
3.3MB

Download
memory/4616-40-0x00007FF61EFC0000-0x00007FF61F314000-memory.dmp

Filesize
3.3MB

Download
memory/4616-130-0x00007FF61EFC0000-0x00007FF61F314000-memory.dmp

Filesize
3.3MB

Download
memory/4616-152-0x00007FF61EFC0000-0x00007FF61F314000-memory.dmp

Filesize
3.3MB

Download
memory/4636-46-0x00007FF7F1F20000-0x00007FF7F2274000-memory.dmp

Filesize
3.3MB

Download
memory/4636-153-0x00007FF7F1F20000-0x00007FF7F2274000-memory.dmp

Filesize
3.3MB

Download
memory/4636-132-0x00007FF7F1F20000-0x00007FF7F2274000-memory.dmp

Filesize
3.3MB

Download
memory/4736-144-0x00007FF7BCB10000-0x00007FF7BCE64000-memory.dmp

Filesize
3.3MB

Download
memory/4736-167-0x00007FF7BCB10000-0x00007FF7BCE64000-memory.dmp

Filesize
3.3MB

Download
memory/4736-125-0x00007FF7BCB10000-0x00007FF7BCE64000-memory.dmp

Filesize
3.3MB

Download
memory/4860-126-0x00007FF6983B0000-0x00007FF698704000-memory.dmp

Filesize
3.3MB

Download
memory/4860-145-0x00007FF6983B0000-0x00007FF698704000-memory.dmp

Filesize
3.3MB

Download
memory/4860-165-0x00007FF6983B0000-0x00007FF698704000-memory.dmp

Filesize
3.3MB

Download
memory/4980-161-0x00007FF64C800000-0x00007FF64CB54000-memory.dmp

Filesize
3.3MB

Download
memory/4980-109-0x00007FF64C800000-0x00007FF64CB54000-memory.dmp

Filesize
3.3MB

Download
memory/5104-138-0x00007FF696120000-0x00007FF696474000-memory.dmp

Filesize
3.3MB

Download
memory/5104-154-0x00007FF696120000-0x00007FF696474000-memory.dmp

Filesize
3.3MB

Download
memory/5104-61-0x00007FF696120000-0x00007FF696474000-memory.dmp

Filesize
3.3MB

Download