cobaltstrike | a224586321ce9f7af806d0b98b4b01549bd62d07922790cf3442b46ed42f1dd6

Analysis

max time kernel
139s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 09:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

11d5375756487c3ef8a7ad019aa6b8ba
SHA1

c40cc01dd03b918f82a4fb9ba25258c45dd6a3cf
SHA256

a224586321ce9f7af806d0b98b4b01549bd62d07922790cf3442b46ed42f1dd6
SHA512

91d2f2256e5cf2cd01b7b8424b6d6a4a0e083826e89953491807ebc808f126620e56f386e437f4d25ae9d953f695d4a38b3fd2cb3dc01111c3c2338a7359dd1e
SSDEEP

98304:oemTLkNdfE0pZrx56utgpPFotBER/mQ32lUz:T+o56utgpPF8u/7z

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x00090000000233ff-5.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023464-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023468-17.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023469-23.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346b-34.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346c-40.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346a-30.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002346d-47.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023465-51.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023470-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023472-76.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023471-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023473-81.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023474-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023478-125.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347a-130.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347b-128.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023479-121.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023477-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023476-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023475-100.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/1084-0-0x00007FF7D0830000-0x00007FF7D0B84000-memory.dmp	xmrig
behavioral2/files/0x00090000000233ff-5.dat	xmrig
behavioral2/memory/4620-8-0x00007FF7B8270000-0x00007FF7B85C4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023464-10.dat	xmrig
behavioral2/files/0x0007000000023468-17.dat	xmrig
behavioral2/files/0x0007000000023469-23.dat	xmrig
behavioral2/files/0x000700000002346b-34.dat	xmrig
behavioral2/files/0x000700000002346c-40.dat	xmrig
behavioral2/memory/3036-43-0x00007FF7DC5E0000-0x00007FF7DC934000-memory.dmp	xmrig
behavioral2/memory/4520-42-0x00007FF70F3D0000-0x00007FF70F724000-memory.dmp	xmrig
behavioral2/memory/468-39-0x00007FF61F080000-0x00007FF61F3D4000-memory.dmp	xmrig
behavioral2/files/0x000700000002346a-30.dat	xmrig
behavioral2/memory/1592-25-0x00007FF6EFDE0000-0x00007FF6F0134000-memory.dmp	xmrig
behavioral2/memory/5004-18-0x00007FF6EDAA0000-0x00007FF6EDDF4000-memory.dmp	xmrig
behavioral2/memory/4480-16-0x00007FF61F8B0000-0x00007FF61FC04000-memory.dmp	xmrig
behavioral2/files/0x000700000002346d-47.dat	xmrig
behavioral2/files/0x0008000000023465-51.dat	xmrig
behavioral2/memory/4664-57-0x00007FF6DA6F0000-0x00007FF6DAA44000-memory.dmp	xmrig
behavioral2/files/0x0007000000023470-59.dat	xmrig
behavioral2/memory/3492-66-0x00007FF64F650000-0x00007FF64F9A4000-memory.dmp	xmrig
behavioral2/memory/4620-71-0x00007FF7B8270000-0x00007FF7B85C4000-memory.dmp	xmrig
behavioral2/memory/4932-75-0x00007FF6E2ED0000-0x00007FF6E3224000-memory.dmp	xmrig
behavioral2/files/0x0007000000023472-76.dat	xmrig
behavioral2/memory/4480-74-0x00007FF61F8B0000-0x00007FF61FC04000-memory.dmp	xmrig
behavioral2/memory/2716-73-0x00007FF7150C0000-0x00007FF715414000-memory.dmp	xmrig
behavioral2/files/0x0007000000023471-67.dat	xmrig
behavioral2/memory/1084-64-0x00007FF7D0830000-0x00007FF7D0B84000-memory.dmp	xmrig
behavioral2/memory/3988-48-0x00007FF731920000-0x00007FF731C74000-memory.dmp	xmrig
behavioral2/files/0x0007000000023473-81.dat	xmrig
behavioral2/memory/468-85-0x00007FF61F080000-0x00007FF61F3D4000-memory.dmp	xmrig
behavioral2/memory/1644-86-0x00007FF6B2C40000-0x00007FF6B2F94000-memory.dmp	xmrig
behavioral2/memory/1592-84-0x00007FF6EFDE0000-0x00007FF6F0134000-memory.dmp	xmrig
behavioral2/memory/5004-78-0x00007FF6EDAA0000-0x00007FF6EDDF4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023474-89.dat	xmrig
behavioral2/memory/4272-104-0x00007FF66DF20000-0x00007FF66E274000-memory.dmp	xmrig
behavioral2/memory/4664-117-0x00007FF6DA6F0000-0x00007FF6DAA44000-memory.dmp	xmrig
behavioral2/files/0x0007000000023478-125.dat	xmrig
behavioral2/files/0x000700000002347a-130.dat	xmrig
behavioral2/files/0x000700000002347b-128.dat	xmrig
behavioral2/memory/2088-122-0x00007FF7241D0000-0x00007FF724524000-memory.dmp	xmrig
behavioral2/files/0x0007000000023479-121.dat	xmrig
behavioral2/memory/3060-114-0x00007FF79B0B0000-0x00007FF79B404000-memory.dmp	xmrig
behavioral2/memory/3988-112-0x00007FF731920000-0x00007FF731C74000-memory.dmp	xmrig
behavioral2/files/0x0007000000023477-109.dat	xmrig
behavioral2/files/0x0007000000023476-101.dat	xmrig
behavioral2/files/0x0007000000023475-100.dat	xmrig
behavioral2/memory/4852-106-0x00007FF670650000-0x00007FF6709A4000-memory.dmp	xmrig
behavioral2/memory/1948-91-0x00007FF7C4810000-0x00007FF7C4B64000-memory.dmp	xmrig
behavioral2/memory/4520-90-0x00007FF70F3D0000-0x00007FF70F724000-memory.dmp	xmrig
behavioral2/memory/2004-134-0x00007FF671310000-0x00007FF671664000-memory.dmp	xmrig
behavioral2/memory/1464-132-0x00007FF707540000-0x00007FF707894000-memory.dmp	xmrig
behavioral2/memory/3828-136-0x00007FF66C880000-0x00007FF66CBD4000-memory.dmp	xmrig
behavioral2/memory/4932-137-0x00007FF6E2ED0000-0x00007FF6E3224000-memory.dmp	xmrig
behavioral2/memory/4272-139-0x00007FF66DF20000-0x00007FF66E274000-memory.dmp	xmrig
behavioral2/memory/1948-138-0x00007FF7C4810000-0x00007FF7C4B64000-memory.dmp	xmrig
behavioral2/memory/2088-140-0x00007FF7241D0000-0x00007FF724524000-memory.dmp	xmrig
behavioral2/memory/1464-141-0x00007FF707540000-0x00007FF707894000-memory.dmp	xmrig
behavioral2/memory/4620-142-0x00007FF7B8270000-0x00007FF7B85C4000-memory.dmp	xmrig
behavioral2/memory/4480-143-0x00007FF61F8B0000-0x00007FF61FC04000-memory.dmp	xmrig
behavioral2/memory/5004-144-0x00007FF6EDAA0000-0x00007FF6EDDF4000-memory.dmp	xmrig
behavioral2/memory/1592-145-0x00007FF6EFDE0000-0x00007FF6F0134000-memory.dmp	xmrig
behavioral2/memory/3036-146-0x00007FF7DC5E0000-0x00007FF7DC934000-memory.dmp	xmrig
behavioral2/memory/468-147-0x00007FF61F080000-0x00007FF61F3D4000-memory.dmp	xmrig
behavioral2/memory/4520-148-0x00007FF70F3D0000-0x00007FF70F724000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4620	WWkQFoM.exe
4480	jzSsXee.exe
5004	CzpGLxc.exe
1592	cCusSCk.exe
468	qbzTbXK.exe
3036	cvQLUPm.exe
4520	nZxrkhu.exe
3988	gIdrbAO.exe
4664	UaEJjqi.exe
3492	LrQAlQU.exe
2716	FNSTrJJ.exe
4932	QsxiaEN.exe
1644	IVMvffc.exe
1948	fQorgKf.exe
4272	yaOCrbn.exe
4852	CQkAQuI.exe
3060	MEEQTLr.exe
2088	MnmtiUU.exe
1464	OTzsYTZ.exe
3828	CHzyzxX.exe
2004	UXdrwvA.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1084-0-0x00007FF7D0830000-0x00007FF7D0B84000-memory.dmp	upx
behavioral2/files/0x00090000000233ff-5.dat	upx
behavioral2/memory/4620-8-0x00007FF7B8270000-0x00007FF7B85C4000-memory.dmp	upx
behavioral2/files/0x0008000000023464-10.dat	upx
behavioral2/files/0x0007000000023468-17.dat	upx
behavioral2/files/0x0007000000023469-23.dat	upx
behavioral2/files/0x000700000002346b-34.dat	upx
behavioral2/files/0x000700000002346c-40.dat	upx
behavioral2/memory/3036-43-0x00007FF7DC5E0000-0x00007FF7DC934000-memory.dmp	upx
behavioral2/memory/4520-42-0x00007FF70F3D0000-0x00007FF70F724000-memory.dmp	upx
behavioral2/memory/468-39-0x00007FF61F080000-0x00007FF61F3D4000-memory.dmp	upx
behavioral2/files/0x000700000002346a-30.dat	upx
behavioral2/memory/1592-25-0x00007FF6EFDE0000-0x00007FF6F0134000-memory.dmp	upx
behavioral2/memory/5004-18-0x00007FF6EDAA0000-0x00007FF6EDDF4000-memory.dmp	upx
behavioral2/memory/4480-16-0x00007FF61F8B0000-0x00007FF61FC04000-memory.dmp	upx
behavioral2/files/0x000700000002346d-47.dat	upx
behavioral2/files/0x0008000000023465-51.dat	upx
behavioral2/memory/4664-57-0x00007FF6DA6F0000-0x00007FF6DAA44000-memory.dmp	upx
behavioral2/files/0x0007000000023470-59.dat	upx
behavioral2/memory/3492-66-0x00007FF64F650000-0x00007FF64F9A4000-memory.dmp	upx
behavioral2/memory/4620-71-0x00007FF7B8270000-0x00007FF7B85C4000-memory.dmp	upx
behavioral2/memory/4932-75-0x00007FF6E2ED0000-0x00007FF6E3224000-memory.dmp	upx
behavioral2/files/0x0007000000023472-76.dat	upx
behavioral2/memory/4480-74-0x00007FF61F8B0000-0x00007FF61FC04000-memory.dmp	upx
behavioral2/memory/2716-73-0x00007FF7150C0000-0x00007FF715414000-memory.dmp	upx
behavioral2/files/0x0007000000023471-67.dat	upx
behavioral2/memory/1084-64-0x00007FF7D0830000-0x00007FF7D0B84000-memory.dmp	upx
behavioral2/memory/3988-48-0x00007FF731920000-0x00007FF731C74000-memory.dmp	upx
behavioral2/files/0x0007000000023473-81.dat	upx
behavioral2/memory/468-85-0x00007FF61F080000-0x00007FF61F3D4000-memory.dmp	upx
behavioral2/memory/1644-86-0x00007FF6B2C40000-0x00007FF6B2F94000-memory.dmp	upx
behavioral2/memory/1592-84-0x00007FF6EFDE0000-0x00007FF6F0134000-memory.dmp	upx
behavioral2/memory/5004-78-0x00007FF6EDAA0000-0x00007FF6EDDF4000-memory.dmp	upx
behavioral2/files/0x0007000000023474-89.dat	upx
behavioral2/memory/4272-104-0x00007FF66DF20000-0x00007FF66E274000-memory.dmp	upx
behavioral2/memory/4664-117-0x00007FF6DA6F0000-0x00007FF6DAA44000-memory.dmp	upx
behavioral2/files/0x0007000000023478-125.dat	upx
behavioral2/files/0x000700000002347a-130.dat	upx
behavioral2/files/0x000700000002347b-128.dat	upx
behavioral2/memory/2088-122-0x00007FF7241D0000-0x00007FF724524000-memory.dmp	upx
behavioral2/files/0x0007000000023479-121.dat	upx
behavioral2/memory/3060-114-0x00007FF79B0B0000-0x00007FF79B404000-memory.dmp	upx
behavioral2/memory/3988-112-0x00007FF731920000-0x00007FF731C74000-memory.dmp	upx
behavioral2/files/0x0007000000023477-109.dat	upx
behavioral2/files/0x0007000000023476-101.dat	upx
behavioral2/files/0x0007000000023475-100.dat	upx
behavioral2/memory/4852-106-0x00007FF670650000-0x00007FF6709A4000-memory.dmp	upx
behavioral2/memory/1948-91-0x00007FF7C4810000-0x00007FF7C4B64000-memory.dmp	upx
behavioral2/memory/4520-90-0x00007FF70F3D0000-0x00007FF70F724000-memory.dmp	upx
behavioral2/memory/2004-134-0x00007FF671310000-0x00007FF671664000-memory.dmp	upx
behavioral2/memory/1464-132-0x00007FF707540000-0x00007FF707894000-memory.dmp	upx
behavioral2/memory/3828-136-0x00007FF66C880000-0x00007FF66CBD4000-memory.dmp	upx
behavioral2/memory/4932-137-0x00007FF6E2ED0000-0x00007FF6E3224000-memory.dmp	upx
behavioral2/memory/4272-139-0x00007FF66DF20000-0x00007FF66E274000-memory.dmp	upx
behavioral2/memory/1948-138-0x00007FF7C4810000-0x00007FF7C4B64000-memory.dmp	upx
behavioral2/memory/2088-140-0x00007FF7241D0000-0x00007FF724524000-memory.dmp	upx
behavioral2/memory/1464-141-0x00007FF707540000-0x00007FF707894000-memory.dmp	upx
behavioral2/memory/4620-142-0x00007FF7B8270000-0x00007FF7B85C4000-memory.dmp	upx
behavioral2/memory/4480-143-0x00007FF61F8B0000-0x00007FF61FC04000-memory.dmp	upx
behavioral2/memory/5004-144-0x00007FF6EDAA0000-0x00007FF6EDDF4000-memory.dmp	upx
behavioral2/memory/1592-145-0x00007FF6EFDE0000-0x00007FF6F0134000-memory.dmp	upx
behavioral2/memory/3036-146-0x00007FF7DC5E0000-0x00007FF7DC934000-memory.dmp	upx
behavioral2/memory/468-147-0x00007FF61F080000-0x00007FF61F3D4000-memory.dmp	upx
behavioral2/memory/4520-148-0x00007FF70F3D0000-0x00007FF70F724000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\gIdrbAO.exe	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MEEQTLr.exe	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IVMvffc.exe	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fQorgKf.exe	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yaOCrbn.exe	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MnmtiUU.exe	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jzSsXee.exe	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qbzTbXK.exe	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UaEJjqi.exe	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QsxiaEN.exe	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CQkAQuI.exe	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OTzsYTZ.exe	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CHzyzxX.exe	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WWkQFoM.exe	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cCusSCk.exe	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cvQLUPm.exe	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FNSTrJJ.exe	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UXdrwvA.exe	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CzpGLxc.exe	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nZxrkhu.exe	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LrQAlQU.exe	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1084 wrote to memory of 4620	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1084 wrote to memory of 4620	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1084 wrote to memory of 4480	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1084 wrote to memory of 4480	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1084 wrote to memory of 5004	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1084 wrote to memory of 5004	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1084 wrote to memory of 1592	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1084 wrote to memory of 1592	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1084 wrote to memory of 468	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1084 wrote to memory of 468	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1084 wrote to memory of 3036	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1084 wrote to memory of 3036	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1084 wrote to memory of 4520	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1084 wrote to memory of 4520	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1084 wrote to memory of 3988	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1084 wrote to memory of 3988	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1084 wrote to memory of 4664	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1084 wrote to memory of 4664	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1084 wrote to memory of 3492	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1084 wrote to memory of 3492	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1084 wrote to memory of 2716	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1084 wrote to memory of 2716	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1084 wrote to memory of 4932	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1084 wrote to memory of 4932	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1084 wrote to memory of 1644	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1084 wrote to memory of 1644	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1084 wrote to memory of 1948	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1084 wrote to memory of 1948	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1084 wrote to memory of 4272	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1084 wrote to memory of 4272	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1084 wrote to memory of 4852	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1084 wrote to memory of 4852	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1084 wrote to memory of 3060	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1084 wrote to memory of 3060	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1084 wrote to memory of 2088	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1084 wrote to memory of 2088	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1084 wrote to memory of 1464	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1084 wrote to memory of 1464	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1084 wrote to memory of 2004	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1084 wrote to memory of 2004	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 1084 wrote to memory of 3828	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 1084 wrote to memory of 3828	1084	2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-21_11d5375756487c3ef8a7ad019aa6b8ba_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1084
- C:\Windows\System\WWkQFoM.exe
  C:\Windows\System\WWkQFoM.exe
  2⤵
  - Executes dropped EXE
  PID:4620
- C:\Windows\System\jzSsXee.exe
  C:\Windows\System\jzSsXee.exe
  2⤵
  - Executes dropped EXE
  PID:4480
- C:\Windows\System\CzpGLxc.exe
  C:\Windows\System\CzpGLxc.exe
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Windows\System\cCusSCk.exe
  C:\Windows\System\cCusSCk.exe
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\System\qbzTbXK.exe
  C:\Windows\System\qbzTbXK.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System\cvQLUPm.exe
  C:\Windows\System\cvQLUPm.exe
  2⤵
  - Executes dropped EXE
  PID:3036
- C:\Windows\System\nZxrkhu.exe
  C:\Windows\System\nZxrkhu.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System\gIdrbAO.exe
  C:\Windows\System\gIdrbAO.exe
  2⤵
  - Executes dropped EXE
  PID:3988
- C:\Windows\System\UaEJjqi.exe
  C:\Windows\System\UaEJjqi.exe
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\System\LrQAlQU.exe
  C:\Windows\System\LrQAlQU.exe
  2⤵
  - Executes dropped EXE
  PID:3492
- C:\Windows\System\FNSTrJJ.exe
  C:\Windows\System\FNSTrJJ.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\QsxiaEN.exe
  C:\Windows\System\QsxiaEN.exe
  2⤵
  - Executes dropped EXE
  PID:4932
- C:\Windows\System\IVMvffc.exe
  C:\Windows\System\IVMvffc.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\fQorgKf.exe
  C:\Windows\System\fQorgKf.exe
  2⤵
  - Executes dropped EXE
  PID:1948
- C:\Windows\System\yaOCrbn.exe
  C:\Windows\System\yaOCrbn.exe
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\Windows\System\CQkAQuI.exe
  C:\Windows\System\CQkAQuI.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System\MEEQTLr.exe
  C:\Windows\System\MEEQTLr.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Windows\System\MnmtiUU.exe
  C:\Windows\System\MnmtiUU.exe
  2⤵
  - Executes dropped EXE
  PID:2088
- C:\Windows\System\OTzsYTZ.exe
  C:\Windows\System\OTzsYTZ.exe
  2⤵
  - Executes dropped EXE
  PID:1464
- C:\Windows\System\UXdrwvA.exe
  C:\Windows\System\UXdrwvA.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\System\CHzyzxX.exe
  C:\Windows\System\CHzyzxX.exe
  2⤵
  - Executes dropped EXE
  PID:3828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CHzyzxX.exe

Filesize
5.9MB

MD5
e15c0ad19eef6a0b0be80d7feb0e9fa8

SHA1
c72bcd2bda8bc13244d666e14f0185e7a0e30776

SHA256
54734e785d2b3233621876060a7cff455eb3fc5f304f50cc9e0ea6149396144c

SHA512
2aae43e861cc0642c41b283fe99aef08f4232c0a73593badbfb8506e3db90223a12b1893d21b657bea12e1783bc78ae3a4a87c0e4c7ebf99f39c325e28067d78

Download Submit
C:\Windows\System\CQkAQuI.exe

Filesize
5.9MB

MD5
7eb8d5f522f8162fce0ecf356398b6fc

SHA1
c180dc3e34fc0f793fc6edf1ec2a253f3acc4697

SHA256
2ee15f10d5c660e6b4653c05939c94979e147f1bdffa3aa01d25cbed3a29fad3

SHA512
4a22fd3cafcff5524f3f4669fb6af3bd60a13f8450f2b4bfbeba21ee61479918db20f4b319eab992b13ba65b19526ebdafe989c8ca68f15e18920b3c4058ef0a

Download Submit
C:\Windows\System\CzpGLxc.exe

Filesize
5.9MB

MD5
2b4fb74e4cd4aa740a1cdd84f4241c26

SHA1
fa54651f39c84c17b3e2d1bcdb4833d38c7e5941

SHA256
b0f1100ba24254633028843aa7976d2bb59837c86a0c020967d26c6525ddd28d

SHA512
030bcce78cfe7c1fb462411fbf224c462ed817e941a860ea396eb9d1395e77096962161ee611a6fc719ea6181d862ee16421fc8c6acae3084f52b63efc2ec938

Download Submit
C:\Windows\System\FNSTrJJ.exe

Filesize
5.9MB

MD5
3ee41898023b4c151409c4981d529978

SHA1
fda99ffb63522df5fb3d8e1263961d98633ddc45

SHA256
0c8b62747afa19f4dfb80c4c7b40e810804737411f493cee038046c68d1e5700

SHA512
d8f99fc1254fcb8b21969daee86de5dac1f905a4b448ad6c37c4547b81300a78ba596d3aee72daa170641827b0f6a7a879d1bde574d983ba58a6b52ae5513bd7

Download Submit
C:\Windows\System\IVMvffc.exe

Filesize
5.9MB

MD5
621119c844cdfb980087ebe46ccda833

SHA1
ccee0e1aa327c9690d3a85f7adda57b34f63dd99

SHA256
50cde9f387f056e9fa40edd310771000dc3714984ab3dfb008ad6eda6023f9aa

SHA512
6daf0fff0d85a89eb562257a7abc372b5c299d19a53b7699561ce95f5c9f4c0fa9b09dd1652952907be3767bf22c28c7c82ea3e7c8918dbe25faa894c6881446

Download Submit
C:\Windows\System\LrQAlQU.exe

Filesize
5.9MB

MD5
b9c68e9aabedb38a8eed1e1fe14bab3f

SHA1
a686e9cb9b25146d734b4b9dca2ee6391c3c33e2

SHA256
a507f209aa87c8f29aed2b446ce65fd946d8766cbf34d19e9902d260f590cbeb

SHA512
af77f5de961a15ba6a1ae0b504af6141cfa555edfe3b2226ff967136ffc96c36b7f1e17236f5863a465089dbb6149caf909fcfdd87b226ee222704d7cb1dfec8

Download Submit
C:\Windows\System\MEEQTLr.exe

Filesize
5.9MB

MD5
68b07662f66094fb2e32746961be2410

SHA1
423d5119dc449fa6481c74d0a6ca984aa89fb084

SHA256
daa40c2925e5e55813d63e0cee319b2210a17231f431d374c8f2e72e5afbfd4c

SHA512
59af3037a7c0e8efb0d174be04a917b94da8011a4c995a3870b2f4282f1436706453356dae40e5562964310381775f700ee38501f30e674005d07a94f6700d5d

Download Submit
C:\Windows\System\MnmtiUU.exe

Filesize
5.9MB

MD5
71c1b305381a474d65ace93e48166dd0

SHA1
a572a4d8b0012b5371aae394c3d881b1a60d82ec

SHA256
ff9e08efb40ae27cfe28d17d2a90740513f765b983ea7488fc70fa62fd49c293

SHA512
fa9f0cfbaef9983ba5ed71b3f46c8e326c6be7de766d3afc96efc14fb4a8f934092903415cd4850f05ea7bd010bd5cb6903f5d29a5d5ffa1e733f4044649d327

Download Submit
C:\Windows\System\OTzsYTZ.exe

Filesize
5.9MB

MD5
f3b38aba65a0685ec847cbc5e1285b0b

SHA1
3e6b31fb2c030f8410ae31526e2dbd67b2f6c565

SHA256
462cb2a1ba1f614acf41dbc0f2528c789245b2b46bd0b0c4786e2617f08c1a09

SHA512
7e90c7edf65492c548833ed641c53cea65e24dd7941a89aa906c800bad4c7e3f2f40bde9972e99d9d549b7c3ad8ace88b648383580335ca75f77ce615fd0c5c8

Download Submit
C:\Windows\System\QsxiaEN.exe

Filesize
5.9MB

MD5
ac32c171fcac7a40d4fd69e2461e60fb

SHA1
fddb61cff84f20dd638b5b53f9c7f33b12eec8b8

SHA256
3e2e8f8fab22fa5d8143f7003d77b08bd24392d7f1a58e3416934d2917a89fa3

SHA512
4fc938d45d8f4ed7db460dc129df718e2f288cfe03d71f834f36f1950b0deaad18a7bd5c24029a24db20f3c6836c55b2be30bfa5ba6c40b5392cccecad57e611

Download Submit
C:\Windows\System\UXdrwvA.exe

Filesize
5.9MB

MD5
9a14819b8f60bf163de081f9f21cdba7

SHA1
56909ffb614187147bb51f34a043afe77d020ea9

SHA256
89f0806ececbb27ddb36736f008ec2b4a22ae953f985018142721f534e39d1c0

SHA512
d1414dfd1ae0e50b9b9e3e770c761f413db229adcfe6868fff0b7fc45131f59334cace28b38996ddac3b3f5f423ac53a6cafe6fd6d2e9315ab6d66c0b41b19a6

Download Submit
C:\Windows\System\UaEJjqi.exe

Filesize
5.9MB

MD5
0a01d8dd27aac520b983d373f2b5b965

SHA1
d4047777ad26b95104723177ca200bf503ebc540

SHA256
7c70f056a100860424e65fadcf982b30c0cf8e32eb0e04bc92a10866ca32d4c2

SHA512
ecdf202a1c64670ee651782dbc5f1fa3f2ff03187a0548d2e9673699aba625070cd432f15ab6572c176d927f216035ba05c804ad163d0c24e7eb881db536d1a3

Download Submit
C:\Windows\System\WWkQFoM.exe

Filesize
5.9MB

MD5
a695529a5653ba987cd7e373093669e7

SHA1
493f83fdf53bcaeeedb99b5594ac7da58069902e

SHA256
c16aa27215a84ffdbae676c2005f3b1f7d69667c163c52829949509323db6b96

SHA512
c647aa1196aa53833c17d9473c741c14c525110ab4b61780c66f77a94c077f1ca99e7b448f59fdcd204c739564562588082c3dc18f662e5d8bcc80e5947f3477

Download Submit
C:\Windows\System\cCusSCk.exe

Filesize
5.9MB

MD5
e4238414f0c62ac1ec34f7fca4b53b59

SHA1
a580b34cb7d46ad68735ea5295b358591902b954

SHA256
f9dd5612e069f42e9c3e6373c27a1d9c48a152491209a2642082fd74f08ad082

SHA512
beebbdf882a65126a88726d0a5b3430f6a89a933b7a070695acfecc54510e9c538556243798d26c81dcae107c7805980c5f27ef84e39cf459b483078b5c624cc

Download Submit
C:\Windows\System\cvQLUPm.exe

Filesize
5.9MB

MD5
e574fa01be92b089cba07dce4856e671

SHA1
1383ca405214bfed00f445a1fc8ca7662129bc51

SHA256
08f9dc59d025c9a6f635046b1dec3920585cda788fef84c27e1b7ec9d43605f0

SHA512
790ae79c59e7f3c8995b801f89cc498ec64c0d08b8636bbc5ea931b3785e8fa032810d4b9718bbb35159de96869274f76693259f80a3d5acb27a324309b60fb9

Download Submit
C:\Windows\System\fQorgKf.exe

Filesize
5.9MB

MD5
5b34812e56a71177853fdfbf00ca3439

SHA1
ca4ce1655c3e99b4a0d51323bad54e2c1c5992a0

SHA256
0467da391325bff851b4d5c298595664a1339317ec49b477e1be53791097d5a5

SHA512
4ff912afb87015a6ed7ce716aae5b1ffb02f2533fc31323abda7d5eaea204e8129fc027144fced62c8eaef7f4ed2a21f6edef61a43730b7e61a5c7e27d10486f

Download Submit
C:\Windows\System\gIdrbAO.exe

Filesize
5.9MB

MD5
817de7b71f18f2a499664374f59ae0c5

SHA1
dddbfaa68edfca410acfeb33b65aa81c16e80d36

SHA256
2c9eb6e8a0faa87c22c45b11e60c69cf791246f9a567a38d6bc0ac5da1c69cb1

SHA512
a6459f412bcd5b9ee2bf89a916559574fe266d1ead08ab1cbd3bfeeb84da29ff392f289ba8493d26cb31246db29fdf95cab37bdeac2f1156b7d27b077eb5ecea

Download Submit
C:\Windows\System\jzSsXee.exe

Filesize
5.9MB

MD5
919d43f08aa0a6e9e31e8f0abd78ca19

SHA1
1b586ac2d377c01359eed8668ed0738b16b75c8f

SHA256
7abf8f4995ff6e07acb31d451091d51cc27e7ce0e8ecb19fe2cc7c1c03152e78

SHA512
8b2dc8783f60cdf4d2a19a6e0b82e0d133ce29fc0d8f8eaf0f9508a6ba2c7928134631137ea7604869e3204b64352f9894b046c899e2a0472c7bfa176badb75c

Download Submit
C:\Windows\System\nZxrkhu.exe

Filesize
5.9MB

MD5
9fb0fdff1c292024fa72c785cc741bae

SHA1
2ffe812641bd066717ee867e133652ee9c7827e0

SHA256
ce1f9c313e70b74639a1479eb0c8beccc5e8b21f124878a1e48f4d9c8f57bf66

SHA512
37cf07f5f0950ff5c7816804dd7208102ab6e1c49bebc285f562bb434fa3e67c8702f08523ad3e6a8f15445a4736c317845cb9ca26db1f2e546e25df8b84a0dc

Download Submit
C:\Windows\System\qbzTbXK.exe

Filesize
5.9MB

MD5
4a113c901c74d87e18f3a6abed715ae0

SHA1
e340e444e08548d80591649bf1610151ae99497a

SHA256
604b82f3e43fa890d8a7a2b5765d1e427063b3975cf004357464fab65e617d6b

SHA512
4006f1f20239854d35270c7e03fe4d5f12fc9147a4829cf662227a451c872c6010c8772a900a4780bb96385c99e35ed2bb0f864ba9d68f6e53f92cf1818c5c6f

Download Submit
C:\Windows\System\yaOCrbn.exe

Filesize
5.9MB

MD5
05152e4314ef9cfc1906abf709275396

SHA1
33baeef16de1305c3af22811b0c8e636be60404f

SHA256
e8d4cd5074bc011e8a136134ccaf6bf35ecca33751136b02b72ccdcfcde62b11

SHA512
6056771439c3ec56a72ea3c75c4d7a4ff0390528931af188f4a161abe62122f78c03ef42bcd9e796b75b376489c745a6bee81aebf182fa1355b8213327cb9cc4

Download Submit
memory/468-147-0x00007FF61F080000-0x00007FF61F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/468-39-0x00007FF61F080000-0x00007FF61F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/468-85-0x00007FF61F080000-0x00007FF61F3D4000-memory.dmp

Filesize
3.3MB

Download
memory/1084-64-0x00007FF7D0830000-0x00007FF7D0B84000-memory.dmp

Filesize
3.3MB

Download
memory/1084-0-0x00007FF7D0830000-0x00007FF7D0B84000-memory.dmp

Filesize
3.3MB

Download
memory/1084-1-0x0000020954D40000-0x0000020954D50000-memory.dmp

Filesize
64KB

Download
memory/1464-141-0x00007FF707540000-0x00007FF707894000-memory.dmp

Filesize
3.3MB

Download
memory/1464-132-0x00007FF707540000-0x00007FF707894000-memory.dmp

Filesize
3.3MB

Download
memory/1464-162-0x00007FF707540000-0x00007FF707894000-memory.dmp

Filesize
3.3MB

Download
memory/1592-84-0x00007FF6EFDE0000-0x00007FF6F0134000-memory.dmp

Filesize
3.3MB

Download
memory/1592-145-0x00007FF6EFDE0000-0x00007FF6F0134000-memory.dmp

Filesize
3.3MB

Download
memory/1592-25-0x00007FF6EFDE0000-0x00007FF6F0134000-memory.dmp

Filesize
3.3MB

Download
memory/1644-86-0x00007FF6B2C40000-0x00007FF6B2F94000-memory.dmp

Filesize
3.3MB

Download
memory/1644-154-0x00007FF6B2C40000-0x00007FF6B2F94000-memory.dmp

Filesize
3.3MB

Download
memory/1948-91-0x00007FF7C4810000-0x00007FF7C4B64000-memory.dmp

Filesize
3.3MB

Download
memory/1948-138-0x00007FF7C4810000-0x00007FF7C4B64000-memory.dmp

Filesize
3.3MB

Download
memory/1948-155-0x00007FF7C4810000-0x00007FF7C4B64000-memory.dmp

Filesize
3.3MB

Download
memory/2004-134-0x00007FF671310000-0x00007FF671664000-memory.dmp

Filesize
3.3MB

Download
memory/2004-160-0x00007FF671310000-0x00007FF671664000-memory.dmp

Filesize
3.3MB

Download
memory/2088-140-0x00007FF7241D0000-0x00007FF724524000-memory.dmp

Filesize
3.3MB

Download
memory/2088-122-0x00007FF7241D0000-0x00007FF724524000-memory.dmp

Filesize
3.3MB

Download
memory/2088-159-0x00007FF7241D0000-0x00007FF724524000-memory.dmp

Filesize
3.3MB

Download
memory/2716-152-0x00007FF7150C0000-0x00007FF715414000-memory.dmp

Filesize
3.3MB

Download
memory/2716-73-0x00007FF7150C0000-0x00007FF715414000-memory.dmp

Filesize
3.3MB

Download
memory/3036-43-0x00007FF7DC5E0000-0x00007FF7DC934000-memory.dmp

Filesize
3.3MB

Download
memory/3036-146-0x00007FF7DC5E0000-0x00007FF7DC934000-memory.dmp

Filesize
3.3MB

Download
memory/3060-114-0x00007FF79B0B0000-0x00007FF79B404000-memory.dmp

Filesize
3.3MB

Download
memory/3060-158-0x00007FF79B0B0000-0x00007FF79B404000-memory.dmp

Filesize
3.3MB

Download
memory/3492-66-0x00007FF64F650000-0x00007FF64F9A4000-memory.dmp

Filesize
3.3MB

Download
memory/3492-151-0x00007FF64F650000-0x00007FF64F9A4000-memory.dmp

Filesize
3.3MB

Download
memory/3828-161-0x00007FF66C880000-0x00007FF66CBD4000-memory.dmp

Filesize
3.3MB

Download
memory/3828-136-0x00007FF66C880000-0x00007FF66CBD4000-memory.dmp

Filesize
3.3MB

Download
memory/3988-112-0x00007FF731920000-0x00007FF731C74000-memory.dmp

Filesize
3.3MB

Download
memory/3988-48-0x00007FF731920000-0x00007FF731C74000-memory.dmp

Filesize
3.3MB

Download
memory/3988-149-0x00007FF731920000-0x00007FF731C74000-memory.dmp

Filesize
3.3MB

Download
memory/4272-139-0x00007FF66DF20000-0x00007FF66E274000-memory.dmp

Filesize
3.3MB

Download
memory/4272-104-0x00007FF66DF20000-0x00007FF66E274000-memory.dmp

Filesize
3.3MB

Download
memory/4272-157-0x00007FF66DF20000-0x00007FF66E274000-memory.dmp

Filesize
3.3MB

Download
memory/4480-143-0x00007FF61F8B0000-0x00007FF61FC04000-memory.dmp

Filesize
3.3MB

Download
memory/4480-74-0x00007FF61F8B0000-0x00007FF61FC04000-memory.dmp

Filesize
3.3MB

Download
memory/4480-16-0x00007FF61F8B0000-0x00007FF61FC04000-memory.dmp

Filesize
3.3MB

Download
memory/4520-42-0x00007FF70F3D0000-0x00007FF70F724000-memory.dmp

Filesize
3.3MB

Download
memory/4520-148-0x00007FF70F3D0000-0x00007FF70F724000-memory.dmp

Filesize
3.3MB

Download
memory/4520-90-0x00007FF70F3D0000-0x00007FF70F724000-memory.dmp

Filesize
3.3MB

Download
memory/4620-142-0x00007FF7B8270000-0x00007FF7B85C4000-memory.dmp

Filesize
3.3MB

Download
memory/4620-71-0x00007FF7B8270000-0x00007FF7B85C4000-memory.dmp

Filesize
3.3MB

Download
memory/4620-8-0x00007FF7B8270000-0x00007FF7B85C4000-memory.dmp

Filesize
3.3MB

Download
memory/4664-117-0x00007FF6DA6F0000-0x00007FF6DAA44000-memory.dmp

Filesize
3.3MB

Download
memory/4664-57-0x00007FF6DA6F0000-0x00007FF6DAA44000-memory.dmp

Filesize
3.3MB

Download
memory/4664-150-0x00007FF6DA6F0000-0x00007FF6DAA44000-memory.dmp

Filesize
3.3MB

Download
memory/4852-156-0x00007FF670650000-0x00007FF6709A4000-memory.dmp

Filesize
3.3MB

Download
memory/4852-106-0x00007FF670650000-0x00007FF6709A4000-memory.dmp

Filesize
3.3MB

Download
memory/4932-153-0x00007FF6E2ED0000-0x00007FF6E3224000-memory.dmp

Filesize
3.3MB

Download
memory/4932-137-0x00007FF6E2ED0000-0x00007FF6E3224000-memory.dmp

Filesize
3.3MB

Download
memory/4932-75-0x00007FF6E2ED0000-0x00007FF6E3224000-memory.dmp

Filesize
3.3MB

Download
memory/5004-18-0x00007FF6EDAA0000-0x00007FF6EDDF4000-memory.dmp

Filesize
3.3MB

Download
memory/5004-144-0x00007FF6EDAA0000-0x00007FF6EDDF4000-memory.dmp

Filesize
3.3MB

Download
memory/5004-78-0x00007FF6EDAA0000-0x00007FF6EDDF4000-memory.dmp

Filesize
3.3MB

Download