cobaltstrike | f3a45bdb0fe93a4775e8f62538b1084401fb41b166bb8518dde97285a425c034

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

37e20ebb8ae1e4ac216ffef9051d47c4
SHA1

48743e8d78fc3d896a7e98097c9dedd03fed3d83
SHA256

f3a45bdb0fe93a4775e8f62538b1084401fb41b166bb8518dde97285a425c034
SHA512

0a338392d8586cb750c631b05f5f3b8ed2f915a2116599ba61d666b453393392a565c9073e569b7ce39ac0c05538451763e59717088d6f4082a4c79710df12f2
SSDEEP

98304:oemTLkNdfE0pZrx56utgpPFotBER/mQ32lUR:T+o56utgpPF8u/7R

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023474-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023479-10.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023478-11.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347a-22.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023475-29.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347b-34.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347c-41.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347d-49.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347e-56.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002347f-61.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023481-67.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023482-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023483-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023484-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023486-101.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023487-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023485-97.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023488-115.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023489-122.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348b-136.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002348a-133.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2988-0-0x00007FF6E00C0000-0x00007FF6E0414000-memory.dmp	xmrig
behavioral2/files/0x0008000000023474-5.dat	xmrig
behavioral2/memory/3960-8-0x00007FF6CBD40000-0x00007FF6CC094000-memory.dmp	xmrig
behavioral2/files/0x0007000000023479-10.dat	xmrig
behavioral2/files/0x0007000000023478-11.dat	xmrig
behavioral2/memory/3544-12-0x00007FF6615F0000-0x00007FF661944000-memory.dmp	xmrig
behavioral2/memory/2216-20-0x00007FF69D7B0000-0x00007FF69DB04000-memory.dmp	xmrig
behavioral2/files/0x000700000002347a-22.dat	xmrig
behavioral2/memory/4392-24-0x00007FF7B6E40000-0x00007FF7B7194000-memory.dmp	xmrig
behavioral2/files/0x0008000000023475-29.dat	xmrig
behavioral2/files/0x000700000002347b-34.dat	xmrig
behavioral2/files/0x000700000002347c-41.dat	xmrig
behavioral2/memory/4376-40-0x00007FF7CE2A0000-0x00007FF7CE5F4000-memory.dmp	xmrig
behavioral2/memory/4636-43-0x00007FF60C870000-0x00007FF60CBC4000-memory.dmp	xmrig
behavioral2/files/0x000700000002347d-49.dat	xmrig
behavioral2/memory/1772-47-0x00007FF6C6900000-0x00007FF6C6C54000-memory.dmp	xmrig
behavioral2/memory/2988-54-0x00007FF6E00C0000-0x00007FF6E0414000-memory.dmp	xmrig
behavioral2/files/0x000700000002347e-56.dat	xmrig
behavioral2/memory/2192-55-0x00007FF627200000-0x00007FF627554000-memory.dmp	xmrig
behavioral2/memory/4544-32-0x00007FF6FF5C0000-0x00007FF6FF914000-memory.dmp	xmrig
behavioral2/memory/3960-58-0x00007FF6CBD40000-0x00007FF6CC094000-memory.dmp	xmrig
behavioral2/files/0x000700000002347f-61.dat	xmrig
behavioral2/memory/2528-63-0x00007FF6E5480000-0x00007FF6E57D4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023481-67.dat	xmrig
behavioral2/memory/3544-62-0x00007FF6615F0000-0x00007FF661944000-memory.dmp	xmrig
behavioral2/memory/2216-71-0x00007FF69D7B0000-0x00007FF69DB04000-memory.dmp	xmrig
behavioral2/memory/984-72-0x00007FF6A1AB0000-0x00007FF6A1E04000-memory.dmp	xmrig
behavioral2/files/0x0007000000023482-75.dat	xmrig
behavioral2/memory/2560-78-0x00007FF63F440000-0x00007FF63F794000-memory.dmp	xmrig
behavioral2/memory/4392-82-0x00007FF7B6E40000-0x00007FF7B7194000-memory.dmp	xmrig
behavioral2/files/0x0007000000023483-83.dat	xmrig
behavioral2/files/0x0007000000023484-88.dat	xmrig
behavioral2/memory/3120-85-0x00007FF79E520000-0x00007FF79E874000-memory.dmp	xmrig
behavioral2/memory/4376-95-0x00007FF7CE2A0000-0x00007FF7CE5F4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023486-101.dat	xmrig
behavioral2/memory/4296-103-0x00007FF719980000-0x00007FF719CD4000-memory.dmp	xmrig
behavioral2/memory/1772-107-0x00007FF6C6900000-0x00007FF6C6C54000-memory.dmp	xmrig
behavioral2/files/0x0007000000023487-111.dat	xmrig
behavioral2/memory/4564-108-0x00007FF685740000-0x00007FF685A94000-memory.dmp	xmrig
behavioral2/memory/4636-102-0x00007FF60C870000-0x00007FF60CBC4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023485-97.dat	xmrig
behavioral2/memory/4104-96-0x00007FF7026D0000-0x00007FF702A24000-memory.dmp	xmrig
behavioral2/memory/800-89-0x00007FF7F6B10000-0x00007FF7F6E64000-memory.dmp	xmrig
behavioral2/files/0x0007000000023488-115.dat	xmrig
behavioral2/memory/2192-116-0x00007FF627200000-0x00007FF627554000-memory.dmp	xmrig
behavioral2/files/0x0007000000023489-122.dat	xmrig
behavioral2/memory/2528-130-0x00007FF6E5480000-0x00007FF6E57D4000-memory.dmp	xmrig
behavioral2/files/0x000700000002348b-136.dat	xmrig
behavioral2/memory/1936-135-0x00007FF762DE0000-0x00007FF763134000-memory.dmp	xmrig
behavioral2/files/0x000700000002348a-133.dat	xmrig
behavioral2/memory/1516-131-0x00007FF69BC80000-0x00007FF69BFD4000-memory.dmp	xmrig
behavioral2/memory/2332-123-0x00007FF668BC0000-0x00007FF668F14000-memory.dmp	xmrig
behavioral2/memory/4520-119-0x00007FF77CEB0000-0x00007FF77D204000-memory.dmp	xmrig
behavioral2/memory/2560-138-0x00007FF63F440000-0x00007FF63F794000-memory.dmp	xmrig
behavioral2/memory/800-139-0x00007FF7F6B10000-0x00007FF7F6E64000-memory.dmp	xmrig
behavioral2/memory/4104-140-0x00007FF7026D0000-0x00007FF702A24000-memory.dmp	xmrig
behavioral2/memory/4296-141-0x00007FF719980000-0x00007FF719CD4000-memory.dmp	xmrig
behavioral2/memory/4564-142-0x00007FF685740000-0x00007FF685A94000-memory.dmp	xmrig
behavioral2/memory/4520-143-0x00007FF77CEB0000-0x00007FF77D204000-memory.dmp	xmrig
behavioral2/memory/2332-144-0x00007FF668BC0000-0x00007FF668F14000-memory.dmp	xmrig
behavioral2/memory/1516-145-0x00007FF69BC80000-0x00007FF69BFD4000-memory.dmp	xmrig
behavioral2/memory/1936-146-0x00007FF762DE0000-0x00007FF763134000-memory.dmp	xmrig
behavioral2/memory/3960-147-0x00007FF6CBD40000-0x00007FF6CC094000-memory.dmp	xmrig
behavioral2/memory/3544-148-0x00007FF6615F0000-0x00007FF661944000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
3960	phMXCbz.exe
3544	tMDmyrN.exe
2216	URbNKHr.exe
4392	UJpydIP.exe
4544	EXJeOXv.exe
4376	rOzJXeR.exe
4636	zgEGDWE.exe
1772	LIszgrW.exe
2192	hZEYPIu.exe
2528	uXOiMDz.exe
984	YvMjbwb.exe
2560	itnzCXt.exe
3120	gDcUfcy.exe
800	WMLyctG.exe
4104	ZicUuqC.exe
4296	ilJWIJz.exe
4564	OqfiKEa.exe
4520	fEoSRnH.exe
2332	OTcBtCN.exe
1516	ambeNEu.exe
1936	GFuSOkm.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2988-0-0x00007FF6E00C0000-0x00007FF6E0414000-memory.dmp	upx
behavioral2/files/0x0008000000023474-5.dat	upx
behavioral2/memory/3960-8-0x00007FF6CBD40000-0x00007FF6CC094000-memory.dmp	upx
behavioral2/files/0x0007000000023479-10.dat	upx
behavioral2/files/0x0007000000023478-11.dat	upx
behavioral2/memory/3544-12-0x00007FF6615F0000-0x00007FF661944000-memory.dmp	upx
behavioral2/memory/2216-20-0x00007FF69D7B0000-0x00007FF69DB04000-memory.dmp	upx
behavioral2/files/0x000700000002347a-22.dat	upx
behavioral2/memory/4392-24-0x00007FF7B6E40000-0x00007FF7B7194000-memory.dmp	upx
behavioral2/files/0x0008000000023475-29.dat	upx
behavioral2/files/0x000700000002347b-34.dat	upx
behavioral2/files/0x000700000002347c-41.dat	upx
behavioral2/memory/4376-40-0x00007FF7CE2A0000-0x00007FF7CE5F4000-memory.dmp	upx
behavioral2/memory/4636-43-0x00007FF60C870000-0x00007FF60CBC4000-memory.dmp	upx
behavioral2/files/0x000700000002347d-49.dat	upx
behavioral2/memory/1772-47-0x00007FF6C6900000-0x00007FF6C6C54000-memory.dmp	upx
behavioral2/memory/2988-54-0x00007FF6E00C0000-0x00007FF6E0414000-memory.dmp	upx
behavioral2/files/0x000700000002347e-56.dat	upx
behavioral2/memory/2192-55-0x00007FF627200000-0x00007FF627554000-memory.dmp	upx
behavioral2/memory/4544-32-0x00007FF6FF5C0000-0x00007FF6FF914000-memory.dmp	upx
behavioral2/memory/3960-58-0x00007FF6CBD40000-0x00007FF6CC094000-memory.dmp	upx
behavioral2/files/0x000700000002347f-61.dat	upx
behavioral2/memory/2528-63-0x00007FF6E5480000-0x00007FF6E57D4000-memory.dmp	upx
behavioral2/files/0x0007000000023481-67.dat	upx
behavioral2/memory/3544-62-0x00007FF6615F0000-0x00007FF661944000-memory.dmp	upx
behavioral2/memory/2216-71-0x00007FF69D7B0000-0x00007FF69DB04000-memory.dmp	upx
behavioral2/memory/984-72-0x00007FF6A1AB0000-0x00007FF6A1E04000-memory.dmp	upx
behavioral2/files/0x0007000000023482-75.dat	upx
behavioral2/memory/2560-78-0x00007FF63F440000-0x00007FF63F794000-memory.dmp	upx
behavioral2/memory/4392-82-0x00007FF7B6E40000-0x00007FF7B7194000-memory.dmp	upx
behavioral2/files/0x0007000000023483-83.dat	upx
behavioral2/files/0x0007000000023484-88.dat	upx
behavioral2/memory/3120-85-0x00007FF79E520000-0x00007FF79E874000-memory.dmp	upx
behavioral2/memory/4376-95-0x00007FF7CE2A0000-0x00007FF7CE5F4000-memory.dmp	upx
behavioral2/files/0x0007000000023486-101.dat	upx
behavioral2/memory/4296-103-0x00007FF719980000-0x00007FF719CD4000-memory.dmp	upx
behavioral2/memory/1772-107-0x00007FF6C6900000-0x00007FF6C6C54000-memory.dmp	upx
behavioral2/files/0x0007000000023487-111.dat	upx
behavioral2/memory/4564-108-0x00007FF685740000-0x00007FF685A94000-memory.dmp	upx
behavioral2/memory/4636-102-0x00007FF60C870000-0x00007FF60CBC4000-memory.dmp	upx
behavioral2/files/0x0007000000023485-97.dat	upx
behavioral2/memory/4104-96-0x00007FF7026D0000-0x00007FF702A24000-memory.dmp	upx
behavioral2/memory/800-89-0x00007FF7F6B10000-0x00007FF7F6E64000-memory.dmp	upx
behavioral2/files/0x0007000000023488-115.dat	upx
behavioral2/memory/2192-116-0x00007FF627200000-0x00007FF627554000-memory.dmp	upx
behavioral2/files/0x0007000000023489-122.dat	upx
behavioral2/memory/2528-130-0x00007FF6E5480000-0x00007FF6E57D4000-memory.dmp	upx
behavioral2/files/0x000700000002348b-136.dat	upx
behavioral2/memory/1936-135-0x00007FF762DE0000-0x00007FF763134000-memory.dmp	upx
behavioral2/files/0x000700000002348a-133.dat	upx
behavioral2/memory/1516-131-0x00007FF69BC80000-0x00007FF69BFD4000-memory.dmp	upx
behavioral2/memory/2332-123-0x00007FF668BC0000-0x00007FF668F14000-memory.dmp	upx
behavioral2/memory/4520-119-0x00007FF77CEB0000-0x00007FF77D204000-memory.dmp	upx
behavioral2/memory/2560-138-0x00007FF63F440000-0x00007FF63F794000-memory.dmp	upx
behavioral2/memory/800-139-0x00007FF7F6B10000-0x00007FF7F6E64000-memory.dmp	upx
behavioral2/memory/4104-140-0x00007FF7026D0000-0x00007FF702A24000-memory.dmp	upx
behavioral2/memory/4296-141-0x00007FF719980000-0x00007FF719CD4000-memory.dmp	upx
behavioral2/memory/4564-142-0x00007FF685740000-0x00007FF685A94000-memory.dmp	upx
behavioral2/memory/4520-143-0x00007FF77CEB0000-0x00007FF77D204000-memory.dmp	upx
behavioral2/memory/2332-144-0x00007FF668BC0000-0x00007FF668F14000-memory.dmp	upx
behavioral2/memory/1516-145-0x00007FF69BC80000-0x00007FF69BFD4000-memory.dmp	upx
behavioral2/memory/1936-146-0x00007FF762DE0000-0x00007FF763134000-memory.dmp	upx
behavioral2/memory/3960-147-0x00007FF6CBD40000-0x00007FF6CC094000-memory.dmp	upx
behavioral2/memory/3544-148-0x00007FF6615F0000-0x00007FF661944000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\OqfiKEa.exe	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\URbNKHr.exe	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YvMjbwb.exe	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WMLyctG.exe	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ilJWIJz.exe	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OTcBtCN.exe	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ambeNEu.exe	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tMDmyrN.exe	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zgEGDWE.exe	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\itnzCXt.exe	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LIszgrW.exe	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZicUuqC.exe	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fEoSRnH.exe	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GFuSOkm.exe	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\phMXCbz.exe	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EXJeOXv.exe	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rOzJXeR.exe	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gDcUfcy.exe	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UJpydIP.exe	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hZEYPIu.exe	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uXOiMDz.exe	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 3960	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2988 wrote to memory of 3960	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2988 wrote to memory of 3544	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2988 wrote to memory of 3544	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2988 wrote to memory of 2216	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2988 wrote to memory of 2216	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2988 wrote to memory of 4392	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2988 wrote to memory of 4392	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2988 wrote to memory of 4544	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2988 wrote to memory of 4544	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2988 wrote to memory of 4376	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2988 wrote to memory of 4376	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2988 wrote to memory of 4636	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2988 wrote to memory of 4636	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2988 wrote to memory of 1772	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2988 wrote to memory of 1772	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2988 wrote to memory of 2192	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2988 wrote to memory of 2192	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2988 wrote to memory of 2528	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2988 wrote to memory of 2528	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2988 wrote to memory of 984	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2988 wrote to memory of 984	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2988 wrote to memory of 2560	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2988 wrote to memory of 2560	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2988 wrote to memory of 3120	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2988 wrote to memory of 3120	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2988 wrote to memory of 800	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2988 wrote to memory of 800	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2988 wrote to memory of 4104	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2988 wrote to memory of 4104	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2988 wrote to memory of 4296	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2988 wrote to memory of 4296	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2988 wrote to memory of 4564	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2988 wrote to memory of 4564	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2988 wrote to memory of 4520	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2988 wrote to memory of 4520	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2988 wrote to memory of 2332	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2988 wrote to memory of 2332	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2988 wrote to memory of 1516	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2988 wrote to memory of 1516	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2988 wrote to memory of 1936	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2988 wrote to memory of 1936	2988	2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-21_37e20ebb8ae1e4ac216ffef9051d47c4_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\System\phMXCbz.exe
  C:\Windows\System\phMXCbz.exe
  2⤵
  - Executes dropped EXE
  PID:3960
- C:\Windows\System\tMDmyrN.exe
  C:\Windows\System\tMDmyrN.exe
  2⤵
  - Executes dropped EXE
  PID:3544
- C:\Windows\System\URbNKHr.exe
  C:\Windows\System\URbNKHr.exe
  2⤵
  - Executes dropped EXE
  PID:2216
- C:\Windows\System\UJpydIP.exe
  C:\Windows\System\UJpydIP.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System\EXJeOXv.exe
  C:\Windows\System\EXJeOXv.exe
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Windows\System\rOzJXeR.exe
  C:\Windows\System\rOzJXeR.exe
  2⤵
  - Executes dropped EXE
  PID:4376
- C:\Windows\System\zgEGDWE.exe
  C:\Windows\System\zgEGDWE.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System\LIszgrW.exe
  C:\Windows\System\LIszgrW.exe
  2⤵
  - Executes dropped EXE
  PID:1772
- C:\Windows\System\hZEYPIu.exe
  C:\Windows\System\hZEYPIu.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Windows\System\uXOiMDz.exe
  C:\Windows\System\uXOiMDz.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Windows\System\YvMjbwb.exe
  C:\Windows\System\YvMjbwb.exe
  2⤵
  - Executes dropped EXE
  PID:984
- C:\Windows\System\itnzCXt.exe
  C:\Windows\System\itnzCXt.exe
  2⤵
  - Executes dropped EXE
  PID:2560
- C:\Windows\System\gDcUfcy.exe
  C:\Windows\System\gDcUfcy.exe
  2⤵
  - Executes dropped EXE
  PID:3120
- C:\Windows\System\WMLyctG.exe
  C:\Windows\System\WMLyctG.exe
  2⤵
  - Executes dropped EXE
  PID:800
- C:\Windows\System\ZicUuqC.exe
  C:\Windows\System\ZicUuqC.exe
  2⤵
  - Executes dropped EXE
  PID:4104
- C:\Windows\System\ilJWIJz.exe
  C:\Windows\System\ilJWIJz.exe
  2⤵
  - Executes dropped EXE
  PID:4296
- C:\Windows\System\OqfiKEa.exe
  C:\Windows\System\OqfiKEa.exe
  2⤵
  - Executes dropped EXE
  PID:4564
- C:\Windows\System\fEoSRnH.exe
  C:\Windows\System\fEoSRnH.exe
  2⤵
  - Executes dropped EXE
  PID:4520
- C:\Windows\System\OTcBtCN.exe
  C:\Windows\System\OTcBtCN.exe
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\Windows\System\ambeNEu.exe
  C:\Windows\System\ambeNEu.exe
  2⤵
  - Executes dropped EXE
  PID:1516
- C:\Windows\System\GFuSOkm.exe
  C:\Windows\System\GFuSOkm.exe
  2⤵
  - Executes dropped EXE
  PID:1936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EXJeOXv.exe

Filesize
5.9MB

MD5
1792ca0e576f942028f47dd3f357e79b

SHA1
fc8657cb79ba4917eea0ac148822fd43508667ad

SHA256
c77286673fc722da481ccfbdc5a46e0edf981dc260dc633336a9291a17467206

SHA512
fd7f07bd04c702d8ddb6dbf7cf31e9604395e124301ba770a422d2da964183d162ce6cf8de67e0ba892e3c82f60bcfa83dab1348afb1401518f0bc50b24d9175

Download Submit
C:\Windows\System\GFuSOkm.exe

Filesize
5.9MB

MD5
2649a80de4a818dae6e8137e0eb58915

SHA1
8aeae28355dcb8d6e4626d39c8411ccfb34ae56d

SHA256
3d03417e364e48eafd6e8cb4eac25e586ef1356fcee8b142eb3da6ef7efa4d7d

SHA512
87eff3d31564f47515f4692ace5c7dfa7d1a88076024487bfe8ee78dc3ff23fab735452659b9e4d7b4fde34098b6638fd47292d6475a2a226d92a25eb221af26

Download Submit
C:\Windows\System\LIszgrW.exe

Filesize
5.9MB

MD5
fe484b3a338786dd93551264aca05287

SHA1
9ad1519c2950abd910e20f9a4a045262a23c80ad

SHA256
07ac36855bdd4348eadaa42931cbdd56dfba2e64fc1e0660a929d50905c656f2

SHA512
94c639426e06d9c99f5835868c04d52b110d917c50a81dfd23823462eb1d23a25e42c8f1a5e6476c94ea7547c8457c4435a692b99a2a2b1f9601a9db04385dc0

Download Submit
C:\Windows\System\OTcBtCN.exe

Filesize
5.9MB

MD5
91e025f533618bd2401dd12e118a2fe0

SHA1
673caeb1134d718da4312e7a10c5680708311f64

SHA256
f60b0a616b5ba228c5dfd9437dd8329fbc269ef12e93796476c0c815b4f3c3eb

SHA512
bafdfc28724e8003285049b6c270c339467ededd4d31bc1dbc6031b2fa46f42d67d24d4894c4b49682836756189c4f62aa0ee5eb3de1009051ca6125e4f12cf5

Download Submit
C:\Windows\System\OqfiKEa.exe

Filesize
5.9MB

MD5
43186ea176956a7c79c811846839c89b

SHA1
df520232459a8312631b346d899f4a5948fcc78f

SHA256
a17dd04117680768399ddd65865e5671c5ec773006cafcedfe40d76d2b4df91d

SHA512
d6b781844d17618068b6d13e94b4ac7ea0f2911c2e43c093e469aec62c301116238f5fb90d50f530b17895733c6320fdd7f912e21425cc3b647d2885dddc55d0

Download Submit
C:\Windows\System\UJpydIP.exe

Filesize
5.9MB

MD5
1f3492c9f562e4389a4daf8fe675a984

SHA1
b8e8e8f6f39c6545fe72d0a574677f08e6232bf1

SHA256
f33e5a67bcec407b62dc68897268d3614dc23bf2b83810eb229c524aca88f213

SHA512
a79f092d2b9fd3f0088de4bec9fd5bb02d445f221fe42772d73b6964e77eaca237434003bd3bc0b879739975a609928f8c787e3bddb08eb05ab289db266c5901

Download Submit
C:\Windows\System\URbNKHr.exe

Filesize
5.9MB

MD5
23e8981ce2e7c5b5518af48846c237a6

SHA1
8e52e7296d9a0a6eb1c1a171fef30696f08816b4

SHA256
0d1b7233337fc344c76d18332a98a0cf88ddaa790427793c602948a989624c71

SHA512
b17f43587ec01be00aa9122fa39b71167b0aceb159f53d8e21ba97f4b5ce84f293de6a6382cd21139932890269c4fa401f5037ad13b9de081af8a2f1a927147c

Download Submit
C:\Windows\System\WMLyctG.exe

Filesize
5.9MB

MD5
cdd10aa74f9a00ce526284b702ea9f1e

SHA1
0e8b341344d3c33ecdcfdef2d3a707550a240eb9

SHA256
4114fce5c957eeeb21eb3a64a3d0c3d09aca2c939a709c4bb87ebc834124a58d

SHA512
6e4813f4143f13d1b3d28296af7913fa21238c9331489d9f92b2b13a165641783bf58ae78f402e499a4056f214b24c23855139090b79040cdfa254b3ecdd4981

Download Submit
C:\Windows\System\YvMjbwb.exe

Filesize
5.9MB

MD5
40a580d5724f9f334efb0255bd9488c9

SHA1
63cf845af6d4a3627a613f277f0b3093ca54d61f

SHA256
1ebcc37084f28681ca837cf532a61ff98b988dbdbc0d94113d0c4590277320c7

SHA512
1c1a69d1c4f58704c1d4afa179b1553dba6f025bf1ee54bfb58a1fc7210b995c67ab735bcf8af3b30e51299dde8f9b0b73864f78e082e03db2bfab9e3882d896

Download Submit
C:\Windows\System\ZicUuqC.exe

Filesize
5.9MB

MD5
53a65f66e27c622c22756ec4d99eb340

SHA1
4ee783a86f5c5d5ed1002153eacc617c53c9d26d

SHA256
2c655112650f0f9a75e43289ee9227dc2e085c1b95ce5978acb83b9b4a2f5e27

SHA512
3aed9489ff3831eb199c11f3df23a885d181b731728c512336f23be60d34bdde017f14c672279270155313fcdfc08b3a8621770b9c5df3b747b6796479219c44

Download Submit
C:\Windows\System\ambeNEu.exe

Filesize
5.9MB

MD5
10c62cd1cf78c548f19b95cb555f8da0

SHA1
9054f544208dd5e06329bb0beb2db4c5c3780310

SHA256
b76b43681d1967a95ddc44ed3314dc71f329a8fff03946101049e5e29c07d284

SHA512
02711e872ab456a222c14f2ef6e27d586432362d47478a5126ea8a6395e5cbc13f69d1ad1ef1e8499fc3981f16095f1d07ce089e67dc82bbffc631615552ef50

Download Submit
C:\Windows\System\fEoSRnH.exe

Filesize
5.9MB

MD5
954e34f94c980e0ee26560aa2c5704d7

SHA1
bc832beda3cd48ceedb2f671cd411ff4b90e88ab

SHA256
b26a1715eca577f9b19ba27d9c226cc0faca5499010b35dd5d48d11cd7a9595a

SHA512
199c330f37644b06db08d282758cae83377c64c6b7ef74e56c91a2aff3e1347e4e2396865616162bbfcc23f67ec005f0b9e645d366bee49b6647e1508e26f005

Download Submit
C:\Windows\System\gDcUfcy.exe

Filesize
5.9MB

MD5
990c2b55edb465a9c8bfbd61b3dc930f

SHA1
2ee542e3a499b50805a9174ab521a868e5048977

SHA256
ddafce1489099ea8188fc66ad7c2668d91b413bcefee2b1df650034cd0ef5246

SHA512
545d9ca12420532de7af0dc71aa2d6b3a48bb24b77bad795c30559089ff3b21f7462b71e3ed29dfb70847f3a504f1e363d839d4a2836c8fd9653f88f9e59e47b

Download Submit
C:\Windows\System\hZEYPIu.exe

Filesize
5.9MB

MD5
068863bff0835ca08c194670a863838d

SHA1
f269a44287a33cd17c48d9022981dec20f049080

SHA256
428651598087f8217401fafdb963123563a8eccd213b6bb53630c5683f8f5e89

SHA512
9fda3415c06ddb5be12217558a72d7728a9f9c5f445c5e05ffabbcefb37328ab7e0d02d9af2b847ab2475f9ca27e30beca20235c4cdbc732d458827eac9898c8

Download Submit
C:\Windows\System\ilJWIJz.exe

Filesize
5.9MB

MD5
e596f1c8f2a9f213a42c2f16a53a7ae5

SHA1
9003375b5a2b65c05ed5eb91227c6cdef40e6f78

SHA256
13a68962597fa10a89cd27d248f5f662d1839f9bb2617af7e1391dfffd4f6c57

SHA512
a4668d088bfb92625f38dc5c4920cb117850c6036bf57a2d5f52918fa73bd2b6ca6b01fff9e48f8274eb65bc2881c798663a5bea8a132dc2d9510420a9a03494

Download Submit
C:\Windows\System\itnzCXt.exe

Filesize
5.9MB

MD5
64e71cf551fd89a3fa9d02d3fb9d5214

SHA1
7df6439ad6a721b93447a408e6dd2506e803bbd8

SHA256
77c990fe00b16d3d95363a0864bb45d50797addf6ae43888c64a36b0f86f4083

SHA512
93876ed59201d6efb01c2ce5ea32ea2c253a9ea3fcc4645600b2b4dd8299c11b34f3b434d00facfca3157508f29a444b25b77ccce62ab7349decc39c7acd4d8e

Download Submit
C:\Windows\System\phMXCbz.exe

Filesize
5.9MB

MD5
cb5392a5041d2ca2df60c4bc2927a318

SHA1
0a68afeb98f1d03deb0313364b0f716ae15919ba

SHA256
0ce42032de3bc901b48636e065b22b3359764b2d51c64a39cf11d5852f6dfad4

SHA512
8d8a12a4b2cc976331bc595b0bf41d2e05170e477a5f01b5c2eb3ad306d0294717c8b3e4350fff0b77bb4b354c8ee54949afa6a23b43a70d22423bdd534759b5

Download Submit
C:\Windows\System\rOzJXeR.exe

Filesize
5.9MB

MD5
455f2c47e8204fd5d7e3fc49c6571c7c

SHA1
ab54b7cd5f2ffaf90d680c7c5e5454af580e7721

SHA256
4d8dd2576947ee0333c6dea9208421b181fc045e55631869083b06fd4118a6e5

SHA512
4fe8751b117d43c4a7dbe5853ae0c53813a62d0eacf98e28f46a5e652e91dca939127715c8e09b44d81d65d59d829767dbd1103dd9ee7aa8f35c7421b7d587c2

Download Submit
C:\Windows\System\tMDmyrN.exe

Filesize
5.9MB

MD5
81f6ab5c203adb147ffa4ad148f506fe

SHA1
b0b21025ae4470988e78f0393fff8725aa6df8fe

SHA256
a8e4c0184f6691e64ce5781056ed9afd7081054770e4c12fc52b4c6cd74428ed

SHA512
9fab54ee92d679b8cbb803035e957cf8da697e4e8bbfbb7a52ecc38aff5f3726a3fc4c64f3d986323b6aeb4ab7beff619b1eacadf1bb3a7dfc4aaddb458bc96d

Download Submit
C:\Windows\System\uXOiMDz.exe

Filesize
5.9MB

MD5
c3685442dcad00563049f720a3dcd7ac

SHA1
2727d2f45363be866ca0a401125b4994c2bd0ab7

SHA256
9ab9ad7e74adf9d1907d71fdbac9e6f886f1ab8b9b283abc5cd3b156ebad0817

SHA512
63091ee9158d07822b92ff120546f8bc66c5374090f1c9fa482e4b78acd433788cc6965676d13be952cecabb10e722b19f502508f4819aba07aa574e51f1f344

Download Submit
C:\Windows\System\zgEGDWE.exe

Filesize
5.9MB

MD5
094f6eea4d1abb8b5e5fc6eb2a5c2a56

SHA1
23fd6fcb1a699df560e86b7ef1e72805cf01bdc7

SHA256
1ada9907b47a85bf5f5b542b719928d22f3b11e1d554c38527e86e1e8ef7aa4a

SHA512
06515e044281cfdc3d9ab9ff09c6dd7644f71072d8589f2c2556198d27ff4cd18561ec8c64b7de1a7f78189c4981897ad4da4b6877e31b674ef3c9a1beaa7b60

Download Submit
memory/800-160-0x00007FF7F6B10000-0x00007FF7F6E64000-memory.dmp

Filesize
3.3MB

Download
memory/800-89-0x00007FF7F6B10000-0x00007FF7F6E64000-memory.dmp

Filesize
3.3MB

Download
memory/800-139-0x00007FF7F6B10000-0x00007FF7F6E64000-memory.dmp

Filesize
3.3MB

Download
memory/984-72-0x00007FF6A1AB0000-0x00007FF6A1E04000-memory.dmp

Filesize
3.3MB

Download
memory/984-156-0x00007FF6A1AB0000-0x00007FF6A1E04000-memory.dmp

Filesize
3.3MB

Download
memory/1516-131-0x00007FF69BC80000-0x00007FF69BFD4000-memory.dmp

Filesize
3.3MB

Download
memory/1516-166-0x00007FF69BC80000-0x00007FF69BFD4000-memory.dmp

Filesize
3.3MB

Download
memory/1516-145-0x00007FF69BC80000-0x00007FF69BFD4000-memory.dmp

Filesize
3.3MB

Download
memory/1772-107-0x00007FF6C6900000-0x00007FF6C6C54000-memory.dmp

Filesize
3.3MB

Download
memory/1772-47-0x00007FF6C6900000-0x00007FF6C6C54000-memory.dmp

Filesize
3.3MB

Download
memory/1772-154-0x00007FF6C6900000-0x00007FF6C6C54000-memory.dmp

Filesize
3.3MB

Download
memory/1936-135-0x00007FF762DE0000-0x00007FF763134000-memory.dmp

Filesize
3.3MB

Download
memory/1936-167-0x00007FF762DE0000-0x00007FF763134000-memory.dmp

Filesize
3.3MB

Download
memory/1936-146-0x00007FF762DE0000-0x00007FF763134000-memory.dmp

Filesize
3.3MB

Download
memory/2192-55-0x00007FF627200000-0x00007FF627554000-memory.dmp

Filesize
3.3MB

Download
memory/2192-116-0x00007FF627200000-0x00007FF627554000-memory.dmp

Filesize
3.3MB

Download
memory/2192-155-0x00007FF627200000-0x00007FF627554000-memory.dmp

Filesize
3.3MB

Download
memory/2216-20-0x00007FF69D7B0000-0x00007FF69DB04000-memory.dmp

Filesize
3.3MB

Download
memory/2216-71-0x00007FF69D7B0000-0x00007FF69DB04000-memory.dmp

Filesize
3.3MB

Download
memory/2216-149-0x00007FF69D7B0000-0x00007FF69DB04000-memory.dmp

Filesize
3.3MB

Download
memory/2332-144-0x00007FF668BC0000-0x00007FF668F14000-memory.dmp

Filesize
3.3MB

Download
memory/2332-123-0x00007FF668BC0000-0x00007FF668F14000-memory.dmp

Filesize
3.3MB

Download
memory/2332-165-0x00007FF668BC0000-0x00007FF668F14000-memory.dmp

Filesize
3.3MB

Download
memory/2528-157-0x00007FF6E5480000-0x00007FF6E57D4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-130-0x00007FF6E5480000-0x00007FF6E57D4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-63-0x00007FF6E5480000-0x00007FF6E57D4000-memory.dmp

Filesize
3.3MB

Download
memory/2560-78-0x00007FF63F440000-0x00007FF63F794000-memory.dmp

Filesize
3.3MB

Download
memory/2560-158-0x00007FF63F440000-0x00007FF63F794000-memory.dmp

Filesize
3.3MB

Download
memory/2560-138-0x00007FF63F440000-0x00007FF63F794000-memory.dmp

Filesize
3.3MB

Download
memory/2988-1-0x0000021E23270000-0x0000021E23280000-memory.dmp

Filesize
64KB

Download
memory/2988-0-0x00007FF6E00C0000-0x00007FF6E0414000-memory.dmp

Filesize
3.3MB

Download
memory/2988-54-0x00007FF6E00C0000-0x00007FF6E0414000-memory.dmp

Filesize
3.3MB

Download
memory/3120-159-0x00007FF79E520000-0x00007FF79E874000-memory.dmp

Filesize
3.3MB

Download
memory/3120-85-0x00007FF79E520000-0x00007FF79E874000-memory.dmp

Filesize
3.3MB

Download
memory/3544-148-0x00007FF6615F0000-0x00007FF661944000-memory.dmp

Filesize
3.3MB

Download
memory/3544-12-0x00007FF6615F0000-0x00007FF661944000-memory.dmp

Filesize
3.3MB

Download
memory/3544-62-0x00007FF6615F0000-0x00007FF661944000-memory.dmp

Filesize
3.3MB

Download
memory/3960-147-0x00007FF6CBD40000-0x00007FF6CC094000-memory.dmp

Filesize
3.3MB

Download
memory/3960-8-0x00007FF6CBD40000-0x00007FF6CC094000-memory.dmp

Filesize
3.3MB

Download
memory/3960-58-0x00007FF6CBD40000-0x00007FF6CC094000-memory.dmp

Filesize
3.3MB

Download
memory/4104-161-0x00007FF7026D0000-0x00007FF702A24000-memory.dmp

Filesize
3.3MB

Download
memory/4104-96-0x00007FF7026D0000-0x00007FF702A24000-memory.dmp

Filesize
3.3MB

Download
memory/4104-140-0x00007FF7026D0000-0x00007FF702A24000-memory.dmp

Filesize
3.3MB

Download
memory/4296-141-0x00007FF719980000-0x00007FF719CD4000-memory.dmp

Filesize
3.3MB

Download
memory/4296-103-0x00007FF719980000-0x00007FF719CD4000-memory.dmp

Filesize
3.3MB

Download
memory/4296-162-0x00007FF719980000-0x00007FF719CD4000-memory.dmp

Filesize
3.3MB

Download
memory/4376-40-0x00007FF7CE2A0000-0x00007FF7CE5F4000-memory.dmp

Filesize
3.3MB

Download
memory/4376-152-0x00007FF7CE2A0000-0x00007FF7CE5F4000-memory.dmp

Filesize
3.3MB

Download
memory/4376-95-0x00007FF7CE2A0000-0x00007FF7CE5F4000-memory.dmp

Filesize
3.3MB

Download
memory/4392-150-0x00007FF7B6E40000-0x00007FF7B7194000-memory.dmp

Filesize
3.3MB

Download
memory/4392-24-0x00007FF7B6E40000-0x00007FF7B7194000-memory.dmp

Filesize
3.3MB

Download
memory/4392-82-0x00007FF7B6E40000-0x00007FF7B7194000-memory.dmp

Filesize
3.3MB

Download
memory/4520-119-0x00007FF77CEB0000-0x00007FF77D204000-memory.dmp

Filesize
3.3MB

Download
memory/4520-143-0x00007FF77CEB0000-0x00007FF77D204000-memory.dmp

Filesize
3.3MB

Download
memory/4520-164-0x00007FF77CEB0000-0x00007FF77D204000-memory.dmp

Filesize
3.3MB

Download
memory/4544-32-0x00007FF6FF5C0000-0x00007FF6FF914000-memory.dmp

Filesize
3.3MB

Download
memory/4544-151-0x00007FF6FF5C0000-0x00007FF6FF914000-memory.dmp

Filesize
3.3MB

Download
memory/4564-163-0x00007FF685740000-0x00007FF685A94000-memory.dmp

Filesize
3.3MB

Download
memory/4564-142-0x00007FF685740000-0x00007FF685A94000-memory.dmp

Filesize
3.3MB

Download
memory/4564-108-0x00007FF685740000-0x00007FF685A94000-memory.dmp

Filesize
3.3MB

Download
memory/4636-43-0x00007FF60C870000-0x00007FF60CBC4000-memory.dmp

Filesize
3.3MB

Download
memory/4636-102-0x00007FF60C870000-0x00007FF60CBC4000-memory.dmp

Filesize
3.3MB

Download
memory/4636-153-0x00007FF60C870000-0x00007FF60CBC4000-memory.dmp

Filesize
3.3MB

Download