cobaltstrike | 92d5395b13668f9bf257678bd2faee874441d9e84c4ab2bf089a071fabdb95ca

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2024 10:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

d4fd4d5bb3cb8d844562a6dededdd8e6
SHA1

5edcf2cc3c7da634575ae48535061d07636ea531
SHA256

92d5395b13668f9bf257678bd2faee874441d9e84c4ab2bf089a071fabdb95ca
SHA512

bee2d00b692d531419832276b5720d0d53b71ba496a290ee68ddf364ce267aacbd7c0125b9e7cc52e50d62cfca6df2cd668f16598bac6410dbb2bd4aa2842887
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUm:T+856utgpPF8u/7m

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0009000000023452-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023458-29.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345a-31.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023459-39.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345d-50.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345e-59.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345f-67.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345c-53.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345b-45.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023457-24.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023456-14.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023460-73.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001db76-87.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001db77-93.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001db78-95.dat	cobalt_reflective_dll
behavioral2/files/0x000200000001e6a5-101.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023453-122.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023461-126.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023463-138.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023462-136.dat	cobalt_reflective_dll
behavioral2/files/0x000200000001e6a7-118.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/4600-0-0x00007FF6E7900000-0x00007FF6E7C54000-memory.dmp	xmrig
behavioral2/files/0x0009000000023452-4.dat	xmrig
behavioral2/memory/2020-8-0x00007FF6594A0000-0x00007FF6597F4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023458-29.dat	xmrig
behavioral2/files/0x000700000002345a-31.dat	xmrig
behavioral2/files/0x0007000000023459-39.dat	xmrig
behavioral2/memory/2140-41-0x00007FF6958F0000-0x00007FF695C44000-memory.dmp	xmrig
behavioral2/files/0x000700000002345d-50.dat	xmrig
behavioral2/memory/684-52-0x00007FF728BC0000-0x00007FF728F14000-memory.dmp	xmrig
behavioral2/files/0x000700000002345e-59.dat	xmrig
behavioral2/memory/5060-69-0x00007FF793410000-0x00007FF793764000-memory.dmp	xmrig
behavioral2/files/0x000700000002345f-67.dat	xmrig
behavioral2/memory/4600-66-0x00007FF6E7900000-0x00007FF6E7C54000-memory.dmp	xmrig
behavioral2/memory/5024-62-0x00007FF6C54A0000-0x00007FF6C57F4000-memory.dmp	xmrig
behavioral2/files/0x000700000002345c-53.dat	xmrig
behavioral2/memory/2748-51-0x00007FF6856D0000-0x00007FF685A24000-memory.dmp	xmrig
behavioral2/files/0x000700000002345b-45.dat	xmrig
behavioral2/memory/2612-34-0x00007FF781260000-0x00007FF7815B4000-memory.dmp	xmrig
behavioral2/memory/2700-32-0x00007FF6DFBF0000-0x00007FF6DFF44000-memory.dmp	xmrig
behavioral2/memory/2808-27-0x00007FF622FF0000-0x00007FF623344000-memory.dmp	xmrig
behavioral2/memory/1340-25-0x00007FF6C7950000-0x00007FF6C7CA4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023457-24.dat	xmrig
behavioral2/memory/2228-18-0x00007FF7352D0000-0x00007FF735624000-memory.dmp	xmrig
behavioral2/files/0x0007000000023456-14.dat	xmrig
behavioral2/files/0x0007000000023460-73.dat	xmrig
behavioral2/memory/2228-74-0x00007FF7352D0000-0x00007FF735624000-memory.dmp	xmrig
behavioral2/memory/2256-78-0x00007FF7C0880000-0x00007FF7C0BD4000-memory.dmp	xmrig
behavioral2/memory/2700-83-0x00007FF6DFBF0000-0x00007FF6DFF44000-memory.dmp	xmrig
behavioral2/memory/2808-82-0x00007FF622FF0000-0x00007FF623344000-memory.dmp	xmrig
behavioral2/files/0x000400000001db76-87.dat	xmrig
behavioral2/files/0x000400000001db77-93.dat	xmrig
behavioral2/files/0x000400000001db78-95.dat	xmrig
behavioral2/files/0x000200000001e6a5-101.dat	xmrig
behavioral2/memory/2140-102-0x00007FF6958F0000-0x00007FF695C44000-memory.dmp	xmrig
behavioral2/memory/1708-106-0x00007FF7F8DC0000-0x00007FF7F9114000-memory.dmp	xmrig
behavioral2/memory/684-114-0x00007FF728BC0000-0x00007FF728F14000-memory.dmp	xmrig
behavioral2/files/0x0008000000023453-122.dat	xmrig
behavioral2/files/0x0007000000023461-126.dat	xmrig
behavioral2/memory/432-125-0x00007FF6EF310000-0x00007FF6EF664000-memory.dmp	xmrig
behavioral2/memory/1500-134-0x00007FF7922D0000-0x00007FF792624000-memory.dmp	xmrig
behavioral2/files/0x0007000000023463-138.dat	xmrig
behavioral2/files/0x0007000000023462-136.dat	xmrig
behavioral2/memory/2408-135-0x00007FF602060000-0x00007FF6023B4000-memory.dmp	xmrig
behavioral2/memory/5060-133-0x00007FF793410000-0x00007FF793764000-memory.dmp	xmrig
behavioral2/memory/5024-124-0x00007FF6C54A0000-0x00007FF6C57F4000-memory.dmp	xmrig
behavioral2/memory/1496-120-0x00007FF6F4570000-0x00007FF6F48C4000-memory.dmp	xmrig
behavioral2/files/0x000200000001e6a7-118.dat	xmrig
behavioral2/memory/3508-115-0x00007FF7E19C0000-0x00007FF7E1D14000-memory.dmp	xmrig
behavioral2/memory/2748-110-0x00007FF6856D0000-0x00007FF685A24000-memory.dmp	xmrig
behavioral2/memory/2744-99-0x00007FF63A160000-0x00007FF63A4B4000-memory.dmp	xmrig
behavioral2/memory/2612-98-0x00007FF781260000-0x00007FF7815B4000-memory.dmp	xmrig
behavioral2/memory/1004-90-0x00007FF7D1A90000-0x00007FF7D1DE4000-memory.dmp	xmrig
behavioral2/memory/3932-84-0x00007FF7FA940000-0x00007FF7FAC94000-memory.dmp	xmrig
behavioral2/memory/1340-77-0x00007FF6C7950000-0x00007FF6C7CA4000-memory.dmp	xmrig
behavioral2/memory/2020-72-0x00007FF6594A0000-0x00007FF6597F4000-memory.dmp	xmrig
behavioral2/memory/3932-140-0x00007FF7FA940000-0x00007FF7FAC94000-memory.dmp	xmrig
behavioral2/memory/1004-141-0x00007FF7D1A90000-0x00007FF7D1DE4000-memory.dmp	xmrig
behavioral2/memory/2744-142-0x00007FF63A160000-0x00007FF63A4B4000-memory.dmp	xmrig
behavioral2/memory/1708-143-0x00007FF7F8DC0000-0x00007FF7F9114000-memory.dmp	xmrig
behavioral2/memory/3508-144-0x00007FF7E19C0000-0x00007FF7E1D14000-memory.dmp	xmrig
behavioral2/memory/1496-145-0x00007FF6F4570000-0x00007FF6F48C4000-memory.dmp	xmrig
behavioral2/memory/432-146-0x00007FF6EF310000-0x00007FF6EF664000-memory.dmp	xmrig
behavioral2/memory/1500-147-0x00007FF7922D0000-0x00007FF792624000-memory.dmp	xmrig
behavioral2/memory/2408-148-0x00007FF602060000-0x00007FF6023B4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2020	uKuPZFR.exe
2228	mwcWXJv.exe
1340	QrAVyXy.exe
2808	ahMxtfV.exe
2700	fGxVZsJ.exe
2612	HSpDJle.exe
2140	MxIqGCm.exe
2748	KRxslnc.exe
684	UNhEkGQ.exe
5024	OGNHjXq.exe
5060	qcDBQlH.exe
2256	JLRejxF.exe
3932	KTmlJCy.exe
1004	iHkfcMt.exe
2744	NpolWUZ.exe
1708	KNRnrnW.exe
3508	XEihejn.exe
1496	sIZAIEQ.exe
432	iduyonI.exe
1500	LVALnLO.exe
2408	VthVNdC.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4600-0-0x00007FF6E7900000-0x00007FF6E7C54000-memory.dmp	upx
behavioral2/files/0x0009000000023452-4.dat	upx
behavioral2/memory/2020-8-0x00007FF6594A0000-0x00007FF6597F4000-memory.dmp	upx
behavioral2/files/0x0007000000023458-29.dat	upx
behavioral2/files/0x000700000002345a-31.dat	upx
behavioral2/files/0x0007000000023459-39.dat	upx
behavioral2/memory/2140-41-0x00007FF6958F0000-0x00007FF695C44000-memory.dmp	upx
behavioral2/files/0x000700000002345d-50.dat	upx
behavioral2/memory/684-52-0x00007FF728BC0000-0x00007FF728F14000-memory.dmp	upx
behavioral2/files/0x000700000002345e-59.dat	upx
behavioral2/memory/5060-69-0x00007FF793410000-0x00007FF793764000-memory.dmp	upx
behavioral2/files/0x000700000002345f-67.dat	upx
behavioral2/memory/4600-66-0x00007FF6E7900000-0x00007FF6E7C54000-memory.dmp	upx
behavioral2/memory/5024-62-0x00007FF6C54A0000-0x00007FF6C57F4000-memory.dmp	upx
behavioral2/files/0x000700000002345c-53.dat	upx
behavioral2/memory/2748-51-0x00007FF6856D0000-0x00007FF685A24000-memory.dmp	upx
behavioral2/files/0x000700000002345b-45.dat	upx
behavioral2/memory/2612-34-0x00007FF781260000-0x00007FF7815B4000-memory.dmp	upx
behavioral2/memory/2700-32-0x00007FF6DFBF0000-0x00007FF6DFF44000-memory.dmp	upx
behavioral2/memory/2808-27-0x00007FF622FF0000-0x00007FF623344000-memory.dmp	upx
behavioral2/memory/1340-25-0x00007FF6C7950000-0x00007FF6C7CA4000-memory.dmp	upx
behavioral2/files/0x0007000000023457-24.dat	upx
behavioral2/memory/2228-18-0x00007FF7352D0000-0x00007FF735624000-memory.dmp	upx
behavioral2/files/0x0007000000023456-14.dat	upx
behavioral2/files/0x0007000000023460-73.dat	upx
behavioral2/memory/2228-74-0x00007FF7352D0000-0x00007FF735624000-memory.dmp	upx
behavioral2/memory/2256-78-0x00007FF7C0880000-0x00007FF7C0BD4000-memory.dmp	upx
behavioral2/memory/2700-83-0x00007FF6DFBF0000-0x00007FF6DFF44000-memory.dmp	upx
behavioral2/memory/2808-82-0x00007FF622FF0000-0x00007FF623344000-memory.dmp	upx
behavioral2/files/0x000400000001db76-87.dat	upx
behavioral2/files/0x000400000001db77-93.dat	upx
behavioral2/files/0x000400000001db78-95.dat	upx
behavioral2/files/0x000200000001e6a5-101.dat	upx
behavioral2/memory/2140-102-0x00007FF6958F0000-0x00007FF695C44000-memory.dmp	upx
behavioral2/memory/1708-106-0x00007FF7F8DC0000-0x00007FF7F9114000-memory.dmp	upx
behavioral2/memory/684-114-0x00007FF728BC0000-0x00007FF728F14000-memory.dmp	upx
behavioral2/files/0x0008000000023453-122.dat	upx
behavioral2/files/0x0007000000023461-126.dat	upx
behavioral2/memory/432-125-0x00007FF6EF310000-0x00007FF6EF664000-memory.dmp	upx
behavioral2/memory/1500-134-0x00007FF7922D0000-0x00007FF792624000-memory.dmp	upx
behavioral2/files/0x0007000000023463-138.dat	upx
behavioral2/files/0x0007000000023462-136.dat	upx
behavioral2/memory/2408-135-0x00007FF602060000-0x00007FF6023B4000-memory.dmp	upx
behavioral2/memory/5060-133-0x00007FF793410000-0x00007FF793764000-memory.dmp	upx
behavioral2/memory/5024-124-0x00007FF6C54A0000-0x00007FF6C57F4000-memory.dmp	upx
behavioral2/memory/1496-120-0x00007FF6F4570000-0x00007FF6F48C4000-memory.dmp	upx
behavioral2/files/0x000200000001e6a7-118.dat	upx
behavioral2/memory/3508-115-0x00007FF7E19C0000-0x00007FF7E1D14000-memory.dmp	upx
behavioral2/memory/2748-110-0x00007FF6856D0000-0x00007FF685A24000-memory.dmp	upx
behavioral2/memory/2744-99-0x00007FF63A160000-0x00007FF63A4B4000-memory.dmp	upx
behavioral2/memory/2612-98-0x00007FF781260000-0x00007FF7815B4000-memory.dmp	upx
behavioral2/memory/1004-90-0x00007FF7D1A90000-0x00007FF7D1DE4000-memory.dmp	upx
behavioral2/memory/3932-84-0x00007FF7FA940000-0x00007FF7FAC94000-memory.dmp	upx
behavioral2/memory/1340-77-0x00007FF6C7950000-0x00007FF6C7CA4000-memory.dmp	upx
behavioral2/memory/2020-72-0x00007FF6594A0000-0x00007FF6597F4000-memory.dmp	upx
behavioral2/memory/3932-140-0x00007FF7FA940000-0x00007FF7FAC94000-memory.dmp	upx
behavioral2/memory/1004-141-0x00007FF7D1A90000-0x00007FF7D1DE4000-memory.dmp	upx
behavioral2/memory/2744-142-0x00007FF63A160000-0x00007FF63A4B4000-memory.dmp	upx
behavioral2/memory/1708-143-0x00007FF7F8DC0000-0x00007FF7F9114000-memory.dmp	upx
behavioral2/memory/3508-144-0x00007FF7E19C0000-0x00007FF7E1D14000-memory.dmp	upx
behavioral2/memory/1496-145-0x00007FF6F4570000-0x00007FF6F48C4000-memory.dmp	upx
behavioral2/memory/432-146-0x00007FF6EF310000-0x00007FF6EF664000-memory.dmp	upx
behavioral2/memory/1500-147-0x00007FF7922D0000-0x00007FF792624000-memory.dmp	upx
behavioral2/memory/2408-148-0x00007FF602060000-0x00007FF6023B4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\NpolWUZ.exe	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KNRnrnW.exe	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HSpDJle.exe	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KRxslnc.exe	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qcDBQlH.exe	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KTmlJCy.exe	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OGNHjXq.exe	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JLRejxF.exe	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iHkfcMt.exe	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XEihejn.exe	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uKuPZFR.exe	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QrAVyXy.exe	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ahMxtfV.exe	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UNhEkGQ.exe	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LVALnLO.exe	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VthVNdC.exe	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mwcWXJv.exe	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MxIqGCm.exe	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sIZAIEQ.exe	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iduyonI.exe	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fGxVZsJ.exe	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 4600 wrote to memory of 2020	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4600 wrote to memory of 2020	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4600 wrote to memory of 2228	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4600 wrote to memory of 2228	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4600 wrote to memory of 1340	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4600 wrote to memory of 1340	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4600 wrote to memory of 2808	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4600 wrote to memory of 2808	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4600 wrote to memory of 2700	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4600 wrote to memory of 2700	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4600 wrote to memory of 2612	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4600 wrote to memory of 2612	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4600 wrote to memory of 2140	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4600 wrote to memory of 2140	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4600 wrote to memory of 2748	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4600 wrote to memory of 2748	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4600 wrote to memory of 684	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4600 wrote to memory of 684	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4600 wrote to memory of 5024	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4600 wrote to memory of 5024	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4600 wrote to memory of 5060	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4600 wrote to memory of 5060	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4600 wrote to memory of 2256	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4600 wrote to memory of 2256	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4600 wrote to memory of 3932	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4600 wrote to memory of 3932	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4600 wrote to memory of 1004	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4600 wrote to memory of 1004	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4600 wrote to memory of 2744	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4600 wrote to memory of 2744	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4600 wrote to memory of 1708	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4600 wrote to memory of 1708	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4600 wrote to memory of 3508	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4600 wrote to memory of 3508	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4600 wrote to memory of 1496	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4600 wrote to memory of 1496	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4600 wrote to memory of 432	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4600 wrote to memory of 432	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4600 wrote to memory of 1500	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4600 wrote to memory of 1500	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 4600 wrote to memory of 2408	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 4600 wrote to memory of 2408	4600	2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-22_d4fd4d5bb3cb8d844562a6dededdd8e6_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4600
- C:\Windows\System\uKuPZFR.exe
  C:\Windows\System\uKuPZFR.exe
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\Windows\System\mwcWXJv.exe
  C:\Windows\System\mwcWXJv.exe
  2⤵
  - Executes dropped EXE
  PID:2228
- C:\Windows\System\QrAVyXy.exe
  C:\Windows\System\QrAVyXy.exe
  2⤵
  - Executes dropped EXE
  PID:1340
- C:\Windows\System\ahMxtfV.exe
  C:\Windows\System\ahMxtfV.exe
  2⤵
  - Executes dropped EXE
  PID:2808
- C:\Windows\System\fGxVZsJ.exe
  C:\Windows\System\fGxVZsJ.exe
  2⤵
  - Executes dropped EXE
  PID:2700
- C:\Windows\System\HSpDJle.exe
  C:\Windows\System\HSpDJle.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\MxIqGCm.exe
  C:\Windows\System\MxIqGCm.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System\KRxslnc.exe
  C:\Windows\System\KRxslnc.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\UNhEkGQ.exe
  C:\Windows\System\UNhEkGQ.exe
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Windows\System\OGNHjXq.exe
  C:\Windows\System\OGNHjXq.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\System\qcDBQlH.exe
  C:\Windows\System\qcDBQlH.exe
  2⤵
  - Executes dropped EXE
  PID:5060
- C:\Windows\System\JLRejxF.exe
  C:\Windows\System\JLRejxF.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\System\KTmlJCy.exe
  C:\Windows\System\KTmlJCy.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System\iHkfcMt.exe
  C:\Windows\System\iHkfcMt.exe
  2⤵
  - Executes dropped EXE
  PID:1004
- C:\Windows\System\NpolWUZ.exe
  C:\Windows\System\NpolWUZ.exe
  2⤵
  - Executes dropped EXE
  PID:2744
- C:\Windows\System\KNRnrnW.exe
  C:\Windows\System\KNRnrnW.exe
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\Windows\System\XEihejn.exe
  C:\Windows\System\XEihejn.exe
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Windows\System\sIZAIEQ.exe
  C:\Windows\System\sIZAIEQ.exe
  2⤵
  - Executes dropped EXE
  PID:1496
- C:\Windows\System\iduyonI.exe
  C:\Windows\System\iduyonI.exe
  2⤵
  - Executes dropped EXE
  PID:432
- C:\Windows\System\LVALnLO.exe
  C:\Windows\System\LVALnLO.exe
  2⤵
  - Executes dropped EXE
  PID:1500
- C:\Windows\System\VthVNdC.exe
  C:\Windows\System\VthVNdC.exe
  2⤵
  - Executes dropped EXE
  PID:2408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\HSpDJle.exe

Filesize
5.9MB

MD5
07eea6eb14c0e5c1f053ed95db03f97f

SHA1
77eec941b0a08e7b149225828df4af1b8a7ebc9d

SHA256
11c0d2e3d291478f8930a3d8d037a9c3c4f337aed43e21af7ae00fd510799a22

SHA512
2912cca15f95a226ea03fc226e52945830f98b8fa0970b83979ba4a1b1666569af0b5708755c5e0604120fbd1a5a34cecbfc27cc2a8d0751cf1fe80766a67dbe

Download Submit
C:\Windows\System\JLRejxF.exe

Filesize
5.9MB

MD5
a9b33a899dbdb70bc25900723f66e30e

SHA1
fb4ab1f3ac96c04b86ac80f4834851cf93c11bed

SHA256
7ea7ff3f62e3ab7979487955c9dec0a9ee6710682ddc6a556fc0d68b1a0a6b64

SHA512
0bf2d4fc6d333e1b9fac1c7ebf34346d1bd7776295a289f26c05971f910e005d000773cbecb22f752d15dab7c48454f2766a4829bf5b6b0d2c04fcf5bbd82114

Download Submit
C:\Windows\System\KNRnrnW.exe

Filesize
6.0MB

MD5
fc5a3d7f393bc749768f2219c9910c6f

SHA1
bfa3e564f17e70cbce2d7ba6371b7e5369d2aa2c

SHA256
ff5473b4ebf64fecda574ca27ab6adcdf4b244dc3ff188d8562039c5e31eb859

SHA512
bb309c2b57c70b69645a5e6a9885e3c38f2d3eab6715ae0593d2fbd54b5c5fe3d97a9dad7d63b715bb14c49df6c4155d0aeb1126ad1e9da621f9b77e1de47b37

Download Submit
C:\Windows\System\KRxslnc.exe

Filesize
5.9MB

MD5
5ad3c351bb2be22085f0bd3ad63c986b

SHA1
93fb5f553735a12fb34bb0b967844cd87882df91

SHA256
d751957f52767862e02adb75a72f6553821f9faaa6f16524981f1f76fedf10c2

SHA512
1cf5e08724b78453085fe1fba482b6b0a2dac8c8f529a18f15e43b7d73c9d3618e0da78aab31c653de22a1593c28cf06ceb201de58b0f6564a04d41b5e602fbc

Download Submit
C:\Windows\System\KTmlJCy.exe

Filesize
5.9MB

MD5
90dd31b5c4fe033426dccf06860c1f02

SHA1
f14e49ac536108497a3ec7ce725f0115ac659323

SHA256
cc2a238b6b6765a0ee89b4e042444500acd6149fb04d202b4150ebd9457e5c73

SHA512
04850b9a42b2785353fa8b873c28267f3529165847fa1b1e4ebb0328e937625be31645fe403b31515773c9c50a8c677e294de30e63799c6f775687cfbe10c657

Download Submit
C:\Windows\System\LVALnLO.exe

Filesize
6.0MB

MD5
37fc44c4635fcb694a1314f9c26996f5

SHA1
4b3eb8b8f4536af3b1db3c3b80a1d690a346cd5b

SHA256
4732de5dd592f491575df30e48fdb3e18c121a022222b1411c0ee6f33d79f69d

SHA512
036c3045536ec67d7b5969048350e7679047d9966fb139dfa727969c161efa61c4bfe288941647893f9ec1c30ea843592a8f4f65fd23e2d3c61d0fde31859a1e

Download Submit
C:\Windows\System\MxIqGCm.exe

Filesize
5.9MB

MD5
ebef956d9d99fde140880adb4502a87f

SHA1
21ef41a55074cb383e4408bcf529c3a7c350d982

SHA256
004acf92f9d0094f22a65784277a932c5974a8affcdd6e3ddd74754f03c63e8d

SHA512
6ae4d932a4fd8737a08af1cbd5ed374ec98d874fe5c4c12cd854c33e981adadccc1d125ca04e22492030d0d09648e91baf70168befa18d8451b7ec6c296fbdea

Download Submit
C:\Windows\System\NpolWUZ.exe

Filesize
6.0MB

MD5
dbca62980a4cc116497927a9183e0f39

SHA1
5d54639befbf730c0ae457ea0311b327a4335782

SHA256
6120946d3b2130325dbacbc7fe9e56273e437b63f24ae71a17355b7996f54a2d

SHA512
fef8e4993afa991c4ed6c0e465e6e76090730d3544b5cf5ddc2ef5f004cde3e8215ff8009df9315d20a9d013c8e5cf11a3a893f8e302e0fc51786a6353ae68e7

Download Submit
C:\Windows\System\OGNHjXq.exe

Filesize
5.9MB

MD5
08a2d53b21cca727be8196f80ee62abd

SHA1
4d7ab9c82c9e8c01c1b2f72e75c1b2f5a16c543e

SHA256
542961c8ed59b09e677073a00123a07495ecc86c3a7e2bb72d100e8c93c5a034

SHA512
3bef3046f6a753704768c80f687a44c87f8b3f9f2df1f06d773e99542d75888a60b824b72a1175a276f92691517fe6a7a0550470e52b523bcecfac13b7034554

Download Submit
C:\Windows\System\QrAVyXy.exe

Filesize
5.9MB

MD5
aa69a6f163945e84927dd98ed338b6af

SHA1
934cc505d83772b440bb8d3fa23dff343c502102

SHA256
abba0f18cd64081ca268b5441aae45fcb5a679387fa3fd3bed0c3f4c60a36ac2

SHA512
fc9f1f978aac6ee3ee6a26c4c3ebef002423283e9e7f10e2753036e0e2e89f6857cd21416898764c995864e68523366afd5368793c48861b37fa74178219988d

Download Submit
C:\Windows\System\UNhEkGQ.exe

Filesize
5.9MB

MD5
0ccdcc3e6d04f0019bf1d9108b0c291b

SHA1
cae3ecb6f41e16afd06c5687f23f533b67100cdf

SHA256
4538045e92c49698bb52a9fea19e8c018a811722ecf8b741394bdb91d3d6d669

SHA512
827c6c88a49adbc4d10ac1b5ae7c2bb7d187ea349ce3700d7cbbe0533853053d2deff7856dccd12d09b58bb70001ecbfea879204cd4dee329694669a835aca0d

Download Submit
C:\Windows\System\VthVNdC.exe

Filesize
6.0MB

MD5
cfca704a6293811b320958fd950b3b4a

SHA1
735db0d627a9ff41d96031877f505225731e1571

SHA256
680d756463622862ae9ee4c5426169d9103e9ea7570b6c41f2a25cdf197a0f15

SHA512
7b778d3d47e26c4dc0e319a2fd92c1dbd47b6cb7d875c4b5ee90b34e5753f9a40ef9eca52f4d354908e644119358e82afe4cd69d5c217751360e6747516f16e5

Download Submit
C:\Windows\System\XEihejn.exe

Filesize
6.0MB

MD5
8e265721975b930b3a2112edea41e7bc

SHA1
18e73e6be72e717bb389ab1387dfc3ef562291ad

SHA256
3558ae374d387567a8939a1dba591d8d5c2653bd3d25c8f4501f4fba0a6dbf1b

SHA512
1c18cf9c6c14cd753a3aeed5fa5584808ad4c04af2444b1b8153c9c5517c280af9d9a817b98a8d4df9ed9593d3d5ff61a17fe00835447d084d800ce1073d5461

Download Submit
C:\Windows\System\ahMxtfV.exe

Filesize
5.9MB

MD5
c1706126be500325aa8be9f145ef831c

SHA1
f72124ec3e490d17ee82ce8826f48da98974398e

SHA256
2d15ed70d8afa4a75322afdde360b2611daefb99029639e1cb1420db7a24084f

SHA512
e893c42c4abbf84c480615cd9cd7583ea2cc2a5d2ea21c1287aa7519e45145820e2507292e20940fe4fe9cd2958860ced3b7ffcfa02603791885cfa5e0d171ef

Download Submit
C:\Windows\System\fGxVZsJ.exe

Filesize
5.9MB

MD5
d39facecf41d24c5da7d0625c34957d0

SHA1
2824dc71ce2fda8ce7db91a61dbc54be1e2cae95

SHA256
a135a738e86e24cad1c64218cffea3d9783b07a6a757feba8d6673d6bd9e9151

SHA512
2b7215117c242f119295c466eb6f8cfebf0b1892e8ebc663a4f28b4a9ad623a353f009c3dac245678ce81211d6fec9e6b7f48e4ac52287a9ed133e8822f49d3a

Download Submit
C:\Windows\System\iHkfcMt.exe

Filesize
5.9MB

MD5
45a361ed3cf30b821c848928251252b0

SHA1
fcd8b61c9489ab20c355baef612b936a4e137f2c

SHA256
9fefbd54bfd99d020b80aaf94dbb307c17fc31304c125edc12ff9cd86e36ec13

SHA512
66f5c65757d1053fef2bc3c30d54a3b8a7935935c17fff9f846fd27ec814a53b582fac9dd01679ccd95d8446e0eabaf25229e56845160661120b2212a1cb7ee2

Download Submit
C:\Windows\System\iduyonI.exe

Filesize
6.0MB

MD5
f60b76619241958f523e9772a2d837ff

SHA1
ad35555fef75bbd82eccf1a1562e7b0f84e40027

SHA256
471d6c4ac1407f2a2c1a975976a5f9e8f4a8f6992596aed66d48124f36e70f97

SHA512
d1917cd7f9fccdd2c0ab5cfbc7c77f6ca5a2f85ecf4d87307e56a8c5db590209748d050a63d9612c86470ca9e42fc20a60356fa2e73ebd40520ba015c4ebdee1

Download Submit
C:\Windows\System\mwcWXJv.exe

Filesize
5.9MB

MD5
7b50e2a7ab3348fcdf585b578af882d9

SHA1
62dc0513706f9d24c15a2303a43821d487d326f7

SHA256
6f3b11895dfcea2b70dedfa9bcee01d03a183f48594a9659842fe072ad166175

SHA512
12fe096d2e24dee26777a3ff1288798b5126f1ae8fdbff71c7772e14985f5fd8dfb0a07c3e90d398c1f63d18015773f962f8d3c31917883b5d78cf0483690786

Download Submit
C:\Windows\System\qcDBQlH.exe

Filesize
5.9MB

MD5
8956cc0aac6c1a68a65c2653a218ef81

SHA1
5b5b334e34213c029584397b63659d202ed6e542

SHA256
f01e14f6f4c3e0c0e6b898be6d87f17120aa16ee27ad8aedcfe4e606adc346db

SHA512
8fe53d8f37f36f891b94366cf4cf1a1c037a7fe93b61b8b8adbf8cd4ef3eb2d0094f529be1024080e33ecee2f4959394798b6a2083238853436cbe8d1957e6b4

Download Submit
C:\Windows\System\sIZAIEQ.exe

Filesize
6.0MB

MD5
e0c47bf216645369e180c177c8b99556

SHA1
7947ef8a331a313d94762d885346a822bd66406b

SHA256
4bc76d0d90e93ad9fdf613266ec585752d1d95e035e59778d7a84f116bf0d906

SHA512
5ccf7453a03393a2993495c8751ece3ebe2b8fca99011288ce8dea7ef53ccb4fb0a7f91893152dfc8abad02de9bc095ac9fec2f5bc09df87548e5b3ca2494af6

Download Submit
C:\Windows\System\uKuPZFR.exe

Filesize
5.9MB

MD5
742076c8d96fb605214598552801bd9c

SHA1
33b8694c8a2c79fc7e65bcb29df828f4cc75153a

SHA256
883c6ee1c7a44abe8c7511f1169465a508a81ca05914edd36ae786d78cf4fef4

SHA512
b97bc59e98af9700e929638bc7c635c1e8ebbde509e68bf3360f0539a76cad62a1327e495fb14578e5f3c3f46930903d0948a67efe95eb0f351b5aea3c2e6019

Download Submit
memory/432-146-0x00007FF6EF310000-0x00007FF6EF664000-memory.dmp

Filesize
3.3MB

Download
memory/432-125-0x00007FF6EF310000-0x00007FF6EF664000-memory.dmp

Filesize
3.3MB

Download
memory/432-168-0x00007FF6EF310000-0x00007FF6EF664000-memory.dmp

Filesize
3.3MB

Download
memory/684-157-0x00007FF728BC0000-0x00007FF728F14000-memory.dmp

Filesize
3.3MB

Download
memory/684-114-0x00007FF728BC0000-0x00007FF728F14000-memory.dmp

Filesize
3.3MB

Download
memory/684-52-0x00007FF728BC0000-0x00007FF728F14000-memory.dmp

Filesize
3.3MB

Download
memory/1004-90-0x00007FF7D1A90000-0x00007FF7D1DE4000-memory.dmp

Filesize
3.3MB

Download
memory/1004-141-0x00007FF7D1A90000-0x00007FF7D1DE4000-memory.dmp

Filesize
3.3MB

Download
memory/1004-162-0x00007FF7D1A90000-0x00007FF7D1DE4000-memory.dmp

Filesize
3.3MB

Download
memory/1340-25-0x00007FF6C7950000-0x00007FF6C7CA4000-memory.dmp

Filesize
3.3MB

Download
memory/1340-77-0x00007FF6C7950000-0x00007FF6C7CA4000-memory.dmp

Filesize
3.3MB

Download
memory/1340-151-0x00007FF6C7950000-0x00007FF6C7CA4000-memory.dmp

Filesize
3.3MB

Download
memory/1496-120-0x00007FF6F4570000-0x00007FF6F48C4000-memory.dmp

Filesize
3.3MB

Download
memory/1496-166-0x00007FF6F4570000-0x00007FF6F48C4000-memory.dmp

Filesize
3.3MB

Download
memory/1496-145-0x00007FF6F4570000-0x00007FF6F48C4000-memory.dmp

Filesize
3.3MB

Download
memory/1500-134-0x00007FF7922D0000-0x00007FF792624000-memory.dmp

Filesize
3.3MB

Download
memory/1500-147-0x00007FF7922D0000-0x00007FF792624000-memory.dmp

Filesize
3.3MB

Download
memory/1500-169-0x00007FF7922D0000-0x00007FF792624000-memory.dmp

Filesize
3.3MB

Download
memory/1708-106-0x00007FF7F8DC0000-0x00007FF7F9114000-memory.dmp

Filesize
3.3MB

Download
memory/1708-143-0x00007FF7F8DC0000-0x00007FF7F9114000-memory.dmp

Filesize
3.3MB

Download
memory/1708-164-0x00007FF7F8DC0000-0x00007FF7F9114000-memory.dmp

Filesize
3.3MB

Download
memory/2020-8-0x00007FF6594A0000-0x00007FF6597F4000-memory.dmp

Filesize
3.3MB

Download
memory/2020-72-0x00007FF6594A0000-0x00007FF6597F4000-memory.dmp

Filesize
3.3MB

Download
memory/2020-149-0x00007FF6594A0000-0x00007FF6597F4000-memory.dmp

Filesize
3.3MB

Download
memory/2140-154-0x00007FF6958F0000-0x00007FF695C44000-memory.dmp

Filesize
3.3MB

Download
memory/2140-102-0x00007FF6958F0000-0x00007FF695C44000-memory.dmp

Filesize
3.3MB

Download
memory/2140-41-0x00007FF6958F0000-0x00007FF695C44000-memory.dmp

Filesize
3.3MB

Download
memory/2228-18-0x00007FF7352D0000-0x00007FF735624000-memory.dmp

Filesize
3.3MB

Download
memory/2228-150-0x00007FF7352D0000-0x00007FF735624000-memory.dmp

Filesize
3.3MB

Download
memory/2228-74-0x00007FF7352D0000-0x00007FF735624000-memory.dmp

Filesize
3.3MB

Download
memory/2256-160-0x00007FF7C0880000-0x00007FF7C0BD4000-memory.dmp

Filesize
3.3MB

Download
memory/2256-78-0x00007FF7C0880000-0x00007FF7C0BD4000-memory.dmp

Filesize
3.3MB

Download
memory/2408-148-0x00007FF602060000-0x00007FF6023B4000-memory.dmp

Filesize
3.3MB

Download
memory/2408-167-0x00007FF602060000-0x00007FF6023B4000-memory.dmp

Filesize
3.3MB

Download
memory/2408-135-0x00007FF602060000-0x00007FF6023B4000-memory.dmp

Filesize
3.3MB

Download
memory/2612-98-0x00007FF781260000-0x00007FF7815B4000-memory.dmp

Filesize
3.3MB

Download
memory/2612-153-0x00007FF781260000-0x00007FF7815B4000-memory.dmp

Filesize
3.3MB

Download
memory/2612-34-0x00007FF781260000-0x00007FF7815B4000-memory.dmp

Filesize
3.3MB

Download
memory/2700-83-0x00007FF6DFBF0000-0x00007FF6DFF44000-memory.dmp

Filesize
3.3MB

Download
memory/2700-155-0x00007FF6DFBF0000-0x00007FF6DFF44000-memory.dmp

Filesize
3.3MB

Download
memory/2700-32-0x00007FF6DFBF0000-0x00007FF6DFF44000-memory.dmp

Filesize
3.3MB

Download
memory/2744-163-0x00007FF63A160000-0x00007FF63A4B4000-memory.dmp

Filesize
3.3MB

Download
memory/2744-142-0x00007FF63A160000-0x00007FF63A4B4000-memory.dmp

Filesize
3.3MB

Download
memory/2744-99-0x00007FF63A160000-0x00007FF63A4B4000-memory.dmp

Filesize
3.3MB

Download
memory/2748-51-0x00007FF6856D0000-0x00007FF685A24000-memory.dmp

Filesize
3.3MB

Download
memory/2748-110-0x00007FF6856D0000-0x00007FF685A24000-memory.dmp

Filesize
3.3MB

Download
memory/2748-156-0x00007FF6856D0000-0x00007FF685A24000-memory.dmp

Filesize
3.3MB

Download
memory/2808-152-0x00007FF622FF0000-0x00007FF623344000-memory.dmp

Filesize
3.3MB

Download
memory/2808-27-0x00007FF622FF0000-0x00007FF623344000-memory.dmp

Filesize
3.3MB

Download
memory/2808-82-0x00007FF622FF0000-0x00007FF623344000-memory.dmp

Filesize
3.3MB

Download
memory/3508-115-0x00007FF7E19C0000-0x00007FF7E1D14000-memory.dmp

Filesize
3.3MB

Download
memory/3508-165-0x00007FF7E19C0000-0x00007FF7E1D14000-memory.dmp

Filesize
3.3MB

Download
memory/3508-144-0x00007FF7E19C0000-0x00007FF7E1D14000-memory.dmp

Filesize
3.3MB

Download
memory/3932-140-0x00007FF7FA940000-0x00007FF7FAC94000-memory.dmp

Filesize
3.3MB

Download
memory/3932-161-0x00007FF7FA940000-0x00007FF7FAC94000-memory.dmp

Filesize
3.3MB

Download
memory/3932-84-0x00007FF7FA940000-0x00007FF7FAC94000-memory.dmp

Filesize
3.3MB

Download
memory/4600-66-0x00007FF6E7900000-0x00007FF6E7C54000-memory.dmp

Filesize
3.3MB

Download
memory/4600-1-0x000001BF22480000-0x000001BF22490000-memory.dmp

Filesize
64KB

Download
memory/4600-0-0x00007FF6E7900000-0x00007FF6E7C54000-memory.dmp

Filesize
3.3MB

Download
memory/5024-159-0x00007FF6C54A0000-0x00007FF6C57F4000-memory.dmp

Filesize
3.3MB

Download
memory/5024-62-0x00007FF6C54A0000-0x00007FF6C57F4000-memory.dmp

Filesize
3.3MB

Download
memory/5024-124-0x00007FF6C54A0000-0x00007FF6C57F4000-memory.dmp

Filesize
3.3MB

Download
memory/5060-158-0x00007FF793410000-0x00007FF793764000-memory.dmp

Filesize
3.3MB

Download
memory/5060-69-0x00007FF793410000-0x00007FF793764000-memory.dmp

Filesize
3.3MB

Download
memory/5060-133-0x00007FF793410000-0x00007FF793764000-memory.dmp

Filesize
3.3MB

Download