cobaltstrike | 2bcc0e839e5f635ad4097a3087a7114fc6d5abfd370250757fcff344532a4f12

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 18:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

8d34ad706736c6bbd6418706aa8d3fcd
SHA1

51cc3720b63358c95b3afcae9c9c588399ac30d4
SHA256

2bcc0e839e5f635ad4097a3087a7114fc6d5abfd370250757fcff344532a4f12
SHA512

6ca5fc8c75599dbc2d63f9a34018b0db7370dcd3a3c26b0dd8edb08cd83417aea2640d992bda271c4dfe8ee4a1dc59e7d827c9ad9c1f3e4cabf79e4ef117f238
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUs:T+856utgpPF8u/7s

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023619-4.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361d-11.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361e-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023621-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023620-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023622-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023623-42.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023625-53.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023624-56.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023626-65.dat	cobalt_reflective_dll
behavioral2/files/0x000800000002361a-78.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023628-84.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023627-80.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002361f-29.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002362b-95.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002362d-115.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002362e-122.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002362f-128.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023630-132.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023629-105.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002362c-113.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2680-0-0x00007FF74C880000-0x00007FF74CBD4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023619-4.dat	xmrig
behavioral2/files/0x000700000002361d-11.dat	xmrig
behavioral2/memory/3460-14-0x00007FF7063C0000-0x00007FF706714000-memory.dmp	xmrig
behavioral2/files/0x000700000002361e-23.dat	xmrig
behavioral2/files/0x0007000000023621-27.dat	xmrig
behavioral2/files/0x0007000000023620-30.dat	xmrig
behavioral2/files/0x0007000000023622-39.dat	xmrig
behavioral2/files/0x0007000000023623-42.dat	xmrig
behavioral2/files/0x0007000000023625-53.dat	xmrig
behavioral2/files/0x0007000000023624-56.dat	xmrig
behavioral2/memory/2336-62-0x00007FF763C30000-0x00007FF763F84000-memory.dmp	xmrig
behavioral2/files/0x0007000000023626-65.dat	xmrig
behavioral2/files/0x000800000002361a-78.dat	xmrig
behavioral2/memory/448-86-0x00007FF68C140000-0x00007FF68C494000-memory.dmp	xmrig
behavioral2/files/0x0007000000023628-84.dat	xmrig
behavioral2/memory/944-83-0x00007FF6E5C30000-0x00007FF6E5F84000-memory.dmp	xmrig
behavioral2/memory/2204-82-0x00007FF6FD500000-0x00007FF6FD854000-memory.dmp	xmrig
behavioral2/files/0x0007000000023627-80.dat	xmrig
behavioral2/memory/1036-72-0x00007FF7C4800000-0x00007FF7C4B54000-memory.dmp	xmrig
behavioral2/memory/4424-61-0x00007FF630A20000-0x00007FF630D74000-memory.dmp	xmrig
behavioral2/memory/2760-58-0x00007FF7647A0000-0x00007FF764AF4000-memory.dmp	xmrig
behavioral2/memory/1236-55-0x00007FF6DFEC0000-0x00007FF6E0214000-memory.dmp	xmrig
behavioral2/memory/4556-54-0x00007FF755870000-0x00007FF755BC4000-memory.dmp	xmrig
behavioral2/memory/1648-52-0x00007FF62FFB0000-0x00007FF630304000-memory.dmp	xmrig
behavioral2/memory/2164-51-0x00007FF6AFBC0000-0x00007FF6AFF14000-memory.dmp	xmrig
behavioral2/memory/3356-31-0x00007FF60DDE0000-0x00007FF60E134000-memory.dmp	xmrig
behavioral2/files/0x000700000002361f-29.dat	xmrig
behavioral2/memory/1360-7-0x00007FF692C00000-0x00007FF692F54000-memory.dmp	xmrig
behavioral2/files/0x000700000002362b-95.dat	xmrig
behavioral2/files/0x000700000002362d-115.dat	xmrig
behavioral2/files/0x000700000002362e-122.dat	xmrig
behavioral2/files/0x000700000002362f-128.dat	xmrig
behavioral2/files/0x0007000000023630-132.dat	xmrig
behavioral2/memory/980-131-0x00007FF74B450000-0x00007FF74B7A4000-memory.dmp	xmrig
behavioral2/memory/1016-130-0x00007FF6E76F0000-0x00007FF6E7A44000-memory.dmp	xmrig
behavioral2/memory/1236-127-0x00007FF6DFEC0000-0x00007FF6E0214000-memory.dmp	xmrig
behavioral2/memory/2164-126-0x00007FF6AFBC0000-0x00007FF6AFF14000-memory.dmp	xmrig
behavioral2/memory/3356-121-0x00007FF60DDE0000-0x00007FF60E134000-memory.dmp	xmrig
behavioral2/memory/3460-119-0x00007FF7063C0000-0x00007FF706714000-memory.dmp	xmrig
behavioral2/memory/4976-118-0x00007FF7E3090000-0x00007FF7E33E4000-memory.dmp	xmrig
behavioral2/memory/2960-111-0x00007FF678AD0000-0x00007FF678E24000-memory.dmp	xmrig
behavioral2/memory/1360-109-0x00007FF692C00000-0x00007FF692F54000-memory.dmp	xmrig
behavioral2/files/0x0007000000023629-105.dat	xmrig
behavioral2/files/0x000700000002362c-113.dat	xmrig
behavioral2/memory/1348-102-0x00007FF6D4800000-0x00007FF6D4B54000-memory.dmp	xmrig
behavioral2/memory/3076-101-0x00007FF64B970000-0x00007FF64BCC4000-memory.dmp	xmrig
behavioral2/memory/2680-96-0x00007FF74C880000-0x00007FF74CBD4000-memory.dmp	xmrig
behavioral2/memory/1732-92-0x00007FF60F5A0000-0x00007FF60F8F4000-memory.dmp	xmrig
behavioral2/memory/1036-134-0x00007FF7C4800000-0x00007FF7C4B54000-memory.dmp	xmrig
behavioral2/memory/2204-135-0x00007FF6FD500000-0x00007FF6FD854000-memory.dmp	xmrig
behavioral2/memory/448-136-0x00007FF68C140000-0x00007FF68C494000-memory.dmp	xmrig
behavioral2/memory/1732-137-0x00007FF60F5A0000-0x00007FF60F8F4000-memory.dmp	xmrig
behavioral2/memory/3076-138-0x00007FF64B970000-0x00007FF64BCC4000-memory.dmp	xmrig
behavioral2/memory/1348-139-0x00007FF6D4800000-0x00007FF6D4B54000-memory.dmp	xmrig
behavioral2/memory/2960-140-0x00007FF678AD0000-0x00007FF678E24000-memory.dmp	xmrig
behavioral2/memory/4976-141-0x00007FF7E3090000-0x00007FF7E33E4000-memory.dmp	xmrig
behavioral2/memory/1016-142-0x00007FF6E76F0000-0x00007FF6E7A44000-memory.dmp	xmrig
behavioral2/memory/980-143-0x00007FF74B450000-0x00007FF74B7A4000-memory.dmp	xmrig
behavioral2/memory/1360-144-0x00007FF692C00000-0x00007FF692F54000-memory.dmp	xmrig
behavioral2/memory/3460-145-0x00007FF7063C0000-0x00007FF706714000-memory.dmp	xmrig
behavioral2/memory/3356-146-0x00007FF60DDE0000-0x00007FF60E134000-memory.dmp	xmrig
behavioral2/memory/2760-147-0x00007FF7647A0000-0x00007FF764AF4000-memory.dmp	xmrig
behavioral2/memory/1648-148-0x00007FF62FFB0000-0x00007FF630304000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1360	vuBFPLk.exe
3460	Ointooc.exe
3356	LLryJJB.exe
2760	ugYEfOz.exe
2164	HNqJljO.exe
1648	ZOlEiCz.exe
4424	pbNWges.exe
4556	YFLfSCl.exe
1236	ZubXqCx.exe
2336	dGKPKmj.exe
1036	TZckqaS.exe
2204	stquNAY.exe
944	ZoordHv.exe
448	zGVWROe.exe
1732	pZeukVU.exe
3076	YQBDpgq.exe
2960	QMbPbue.exe
1348	AuCgZTc.exe
4976	lcAQUQp.exe
1016	GMlPtxS.exe
980	xOBMlvr.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2680-0-0x00007FF74C880000-0x00007FF74CBD4000-memory.dmp	upx
behavioral2/files/0x0008000000023619-4.dat	upx
behavioral2/files/0x000700000002361d-11.dat	upx
behavioral2/memory/3460-14-0x00007FF7063C0000-0x00007FF706714000-memory.dmp	upx
behavioral2/files/0x000700000002361e-23.dat	upx
behavioral2/files/0x0007000000023621-27.dat	upx
behavioral2/files/0x0007000000023620-30.dat	upx
behavioral2/files/0x0007000000023622-39.dat	upx
behavioral2/files/0x0007000000023623-42.dat	upx
behavioral2/files/0x0007000000023625-53.dat	upx
behavioral2/files/0x0007000000023624-56.dat	upx
behavioral2/memory/2336-62-0x00007FF763C30000-0x00007FF763F84000-memory.dmp	upx
behavioral2/files/0x0007000000023626-65.dat	upx
behavioral2/files/0x000800000002361a-78.dat	upx
behavioral2/memory/448-86-0x00007FF68C140000-0x00007FF68C494000-memory.dmp	upx
behavioral2/files/0x0007000000023628-84.dat	upx
behavioral2/memory/944-83-0x00007FF6E5C30000-0x00007FF6E5F84000-memory.dmp	upx
behavioral2/memory/2204-82-0x00007FF6FD500000-0x00007FF6FD854000-memory.dmp	upx
behavioral2/files/0x0007000000023627-80.dat	upx
behavioral2/memory/1036-72-0x00007FF7C4800000-0x00007FF7C4B54000-memory.dmp	upx
behavioral2/memory/4424-61-0x00007FF630A20000-0x00007FF630D74000-memory.dmp	upx
behavioral2/memory/2760-58-0x00007FF7647A0000-0x00007FF764AF4000-memory.dmp	upx
behavioral2/memory/1236-55-0x00007FF6DFEC0000-0x00007FF6E0214000-memory.dmp	upx
behavioral2/memory/4556-54-0x00007FF755870000-0x00007FF755BC4000-memory.dmp	upx
behavioral2/memory/1648-52-0x00007FF62FFB0000-0x00007FF630304000-memory.dmp	upx
behavioral2/memory/2164-51-0x00007FF6AFBC0000-0x00007FF6AFF14000-memory.dmp	upx
behavioral2/memory/3356-31-0x00007FF60DDE0000-0x00007FF60E134000-memory.dmp	upx
behavioral2/files/0x000700000002361f-29.dat	upx
behavioral2/memory/1360-7-0x00007FF692C00000-0x00007FF692F54000-memory.dmp	upx
behavioral2/files/0x000700000002362b-95.dat	upx
behavioral2/files/0x000700000002362d-115.dat	upx
behavioral2/files/0x000700000002362e-122.dat	upx
behavioral2/files/0x000700000002362f-128.dat	upx
behavioral2/files/0x0007000000023630-132.dat	upx
behavioral2/memory/980-131-0x00007FF74B450000-0x00007FF74B7A4000-memory.dmp	upx
behavioral2/memory/1016-130-0x00007FF6E76F0000-0x00007FF6E7A44000-memory.dmp	upx
behavioral2/memory/1236-127-0x00007FF6DFEC0000-0x00007FF6E0214000-memory.dmp	upx
behavioral2/memory/2164-126-0x00007FF6AFBC0000-0x00007FF6AFF14000-memory.dmp	upx
behavioral2/memory/3356-121-0x00007FF60DDE0000-0x00007FF60E134000-memory.dmp	upx
behavioral2/memory/3460-119-0x00007FF7063C0000-0x00007FF706714000-memory.dmp	upx
behavioral2/memory/4976-118-0x00007FF7E3090000-0x00007FF7E33E4000-memory.dmp	upx
behavioral2/memory/2960-111-0x00007FF678AD0000-0x00007FF678E24000-memory.dmp	upx
behavioral2/memory/1360-109-0x00007FF692C00000-0x00007FF692F54000-memory.dmp	upx
behavioral2/files/0x0007000000023629-105.dat	upx
behavioral2/files/0x000700000002362c-113.dat	upx
behavioral2/memory/1348-102-0x00007FF6D4800000-0x00007FF6D4B54000-memory.dmp	upx
behavioral2/memory/3076-101-0x00007FF64B970000-0x00007FF64BCC4000-memory.dmp	upx
behavioral2/memory/2680-96-0x00007FF74C880000-0x00007FF74CBD4000-memory.dmp	upx
behavioral2/memory/1732-92-0x00007FF60F5A0000-0x00007FF60F8F4000-memory.dmp	upx
behavioral2/memory/1036-134-0x00007FF7C4800000-0x00007FF7C4B54000-memory.dmp	upx
behavioral2/memory/2204-135-0x00007FF6FD500000-0x00007FF6FD854000-memory.dmp	upx
behavioral2/memory/448-136-0x00007FF68C140000-0x00007FF68C494000-memory.dmp	upx
behavioral2/memory/1732-137-0x00007FF60F5A0000-0x00007FF60F8F4000-memory.dmp	upx
behavioral2/memory/3076-138-0x00007FF64B970000-0x00007FF64BCC4000-memory.dmp	upx
behavioral2/memory/1348-139-0x00007FF6D4800000-0x00007FF6D4B54000-memory.dmp	upx
behavioral2/memory/2960-140-0x00007FF678AD0000-0x00007FF678E24000-memory.dmp	upx
behavioral2/memory/4976-141-0x00007FF7E3090000-0x00007FF7E33E4000-memory.dmp	upx
behavioral2/memory/1016-142-0x00007FF6E76F0000-0x00007FF6E7A44000-memory.dmp	upx
behavioral2/memory/980-143-0x00007FF74B450000-0x00007FF74B7A4000-memory.dmp	upx
behavioral2/memory/1360-144-0x00007FF692C00000-0x00007FF692F54000-memory.dmp	upx
behavioral2/memory/3460-145-0x00007FF7063C0000-0x00007FF706714000-memory.dmp	upx
behavioral2/memory/3356-146-0x00007FF60DDE0000-0x00007FF60E134000-memory.dmp	upx
behavioral2/memory/2760-147-0x00007FF7647A0000-0x00007FF764AF4000-memory.dmp	upx
behavioral2/memory/1648-148-0x00007FF62FFB0000-0x00007FF630304000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\ZubXqCx.exe	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YQBDpgq.exe	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lcAQUQp.exe	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Ointooc.exe	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ugYEfOz.exe	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HNqJljO.exe	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZOlEiCz.exe	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pbNWges.exe	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QMbPbue.exe	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AuCgZTc.exe	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xOBMlvr.exe	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LLryJJB.exe	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YFLfSCl.exe	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dGKPKmj.exe	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zGVWROe.exe	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pZeukVU.exe	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GMlPtxS.exe	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vuBFPLk.exe	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TZckqaS.exe	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\stquNAY.exe	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZoordHv.exe	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 1360	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2680 wrote to memory of 1360	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2680 wrote to memory of 3460	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2680 wrote to memory of 3460	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2680 wrote to memory of 3356	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2680 wrote to memory of 3356	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2680 wrote to memory of 2760	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2680 wrote to memory of 2760	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2680 wrote to memory of 2164	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2680 wrote to memory of 2164	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2680 wrote to memory of 1648	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2680 wrote to memory of 1648	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2680 wrote to memory of 4424	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2680 wrote to memory of 4424	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2680 wrote to memory of 4556	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2680 wrote to memory of 4556	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2680 wrote to memory of 1236	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2680 wrote to memory of 1236	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2680 wrote to memory of 2336	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2680 wrote to memory of 2336	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2680 wrote to memory of 1036	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2680 wrote to memory of 1036	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2680 wrote to memory of 2204	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2680 wrote to memory of 2204	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2680 wrote to memory of 944	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2680 wrote to memory of 944	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2680 wrote to memory of 448	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2680 wrote to memory of 448	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2680 wrote to memory of 1732	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2680 wrote to memory of 1732	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2680 wrote to memory of 3076	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2680 wrote to memory of 3076	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2680 wrote to memory of 2960	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2680 wrote to memory of 2960	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2680 wrote to memory of 1348	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 2680 wrote to memory of 1348	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	108
PID 2680 wrote to memory of 4976	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 2680 wrote to memory of 4976	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 2680 wrote to memory of 1016	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 2680 wrote to memory of 1016	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 2680 wrote to memory of 980	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	111
PID 2680 wrote to memory of 980	2680	2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe	111

C:\Users\Admin\AppData\Local\Temp\2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-25_8d34ad706736c6bbd6418706aa8d3fcd_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\System\vuBFPLk.exe
  C:\Windows\System\vuBFPLk.exe
  2⤵
  - Executes dropped EXE
  PID:1360
- C:\Windows\System\Ointooc.exe
  C:\Windows\System\Ointooc.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System\LLryJJB.exe
  C:\Windows\System\LLryJJB.exe
  2⤵
  - Executes dropped EXE
  PID:3356
- C:\Windows\System\ugYEfOz.exe
  C:\Windows\System\ugYEfOz.exe
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\Windows\System\HNqJljO.exe
  C:\Windows\System\HNqJljO.exe
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\Windows\System\ZOlEiCz.exe
  C:\Windows\System\ZOlEiCz.exe
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\Windows\System\pbNWges.exe
  C:\Windows\System\pbNWges.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System\YFLfSCl.exe
  C:\Windows\System\YFLfSCl.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System\ZubXqCx.exe
  C:\Windows\System\ZubXqCx.exe
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\System\dGKPKmj.exe
  C:\Windows\System\dGKPKmj.exe
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System\TZckqaS.exe
  C:\Windows\System\TZckqaS.exe
  2⤵
  - Executes dropped EXE
  PID:1036
- C:\Windows\System\stquNAY.exe
  C:\Windows\System\stquNAY.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System\ZoordHv.exe
  C:\Windows\System\ZoordHv.exe
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\System\zGVWROe.exe
  C:\Windows\System\zGVWROe.exe
  2⤵
  - Executes dropped EXE
  PID:448
- C:\Windows\System\pZeukVU.exe
  C:\Windows\System\pZeukVU.exe
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\Windows\System\YQBDpgq.exe
  C:\Windows\System\YQBDpgq.exe
  2⤵
  - Executes dropped EXE
  PID:3076
- C:\Windows\System\QMbPbue.exe
  C:\Windows\System\QMbPbue.exe
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\Windows\System\AuCgZTc.exe
  C:\Windows\System\AuCgZTc.exe
  2⤵
  - Executes dropped EXE
  PID:1348
- C:\Windows\System\lcAQUQp.exe
  C:\Windows\System\lcAQUQp.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System\GMlPtxS.exe
  C:\Windows\System\GMlPtxS.exe
  2⤵
  - Executes dropped EXE
  PID:1016
- C:\Windows\System\xOBMlvr.exe
  C:\Windows\System\xOBMlvr.exe
  2⤵
  - Executes dropped EXE
  PID:980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4216,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8
1⤵
PID:4840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AuCgZTc.exe

Filesize
5.9MB

MD5
259b1285df31374033a4aaf29b88be9f

SHA1
4ef65266e1efa6c487dd664bde9cb59c0371aca7

SHA256
ca434f07bc5fe220417466f6d793608a51513549842add5367f6a3937410bfe3

SHA512
59286ab2118ddbfaf80d7ee98c58330b346e4aed079bf2d9eb2a0beb092cdfce443aab884a2ba5cc1692b97052f1441973243d23903578f35b618442fbca0f4f

Download Submit
C:\Windows\System\GMlPtxS.exe

Filesize
5.9MB

MD5
e97872c2f92f38e97a33c3f7d8c50d31

SHA1
9c556782c87bff1bd2a9ab940e64891487ac743a

SHA256
cce892c44b9c5bbd61b6fe1736f93d6a2cefdb39707c4286752ef5fdbb8d3fdd

SHA512
831463cede7f6e062284658d3a4297772aaa2fbf1a2bb097b550850ed92e4bb2b88ab8329e806cf67d84c899880b4f435c1712051db497df3d30cee557b2322b

Download Submit
C:\Windows\System\HNqJljO.exe

Filesize
5.9MB

MD5
557bfbd49795e0dc1ff5a19bda0cf206

SHA1
0c5ddc7e58156b92acf1ce6426c08cb56ae3bec1

SHA256
1c36ab06baf08657390944ce71cddde618781cc23ac7c2da24e95100ca7530e2

SHA512
b8867cdf3ca28f18369ef9257535825e5d78007380ee0cdf1d9c51aab9ca08d7f36e382014b57e336323357d35662bfc3f17d0dade9951cef38c565dea3a81f9

Download Submit
C:\Windows\System\LLryJJB.exe

Filesize
5.9MB

MD5
891cd176c1eba7106bea8dfa8b6a3a8b

SHA1
9428b7ad57e4b728ad993fb89a2cb7da49209e12

SHA256
c6936f9aa83faf60606660bad72043fa866cb1f767ca9db996538798fa91ce72

SHA512
dff5e9fd983ebdcff5fbbd1ed005651212d3da5fcab8be1aa85d5ba4678cbfa49ae8792e9d9f7888c13be93f7b9b0052303964b8cc8f9ad656df4c1ebd23f9cc

Download Submit
C:\Windows\System\Ointooc.exe

Filesize
5.9MB

MD5
10d971829dd8491e140b3ab8b71dfb87

SHA1
801335c826f6ff267679a9374ccb2d519b320350

SHA256
518668684a12abd010f42fd5fbe90a8b5433e5cfd48605be184da06e306cda97

SHA512
a0218416ea7c658501a5f9537f90ef8738f2a046c96cd28960d41628f0d37fc4fefc51c7a2d206b49361cba458e3365b3570e5bd0e3f6fa8e4c87f13cfa05c8f

Download Submit
C:\Windows\System\QMbPbue.exe

Filesize
5.9MB

MD5
5f5b8aefcf9c36a56cae83718bc0bcda

SHA1
6b863eea1bf4443cb8f917580749628fc8dce036

SHA256
a77b8e528dd0f7eb6eba3d12d14571a08dae85a83f1ca5f9c4baa304c9d79f81

SHA512
2fbacec9669af974adfc5c1c41b508709ece0f0afee6873afb90a6fa884894dc8f53530cf5f635e0d84984c1808951a755651412cf3598111ab9c38a963cdb50

Download Submit
C:\Windows\System\TZckqaS.exe

Filesize
5.9MB

MD5
afdec7a24877d71a1f1db848b420f7da

SHA1
6aa9a97d935944fe191160dd68676239b5ecc83b

SHA256
2506677d95933bc7b38c587d3b464450214f6fd62c6f52e9c6edc02bcf14d8ce

SHA512
85607d12c67904e13088bf0ae6a5916479fa73fbd97d4a75df6605fd2d39545092e0f1129abfabe357e0d648218eb7c27cb3fd8f32d8f6950f616edba4007d60

Download Submit
C:\Windows\System\YFLfSCl.exe

Filesize
5.9MB

MD5
3d7b081768b6bfa1f9ff59bcbbf93f5b

SHA1
f41f94512417c3f2992595fb7ecfe897356f49ea

SHA256
c79a93c15b2d7dee9104ef1b628e027e07d401201cb6a14a1efaca2ab14e7f7f

SHA512
19830184f7ed79b8e600e30824ffd9c0898f11844f5b75edc0ca39ce29fd160fdcb28566914a8c56bfb668b783e35fe313b6da6ed2b9f2e0f95355e5a3998b55

Download Submit
C:\Windows\System\YQBDpgq.exe

Filesize
5.9MB

MD5
ba6d49927717368343767ab1377a6cc9

SHA1
562fb0c21bc9a86fe2aef0be1830baa618f68900

SHA256
2f9c97fbf0ff59905d81eede5bc1ef3330b8e2a0a5e782d7735c1aa5cd7d4416

SHA512
f970efff746f54df5b837c5690fbf2f740038c799c146e1b930e7f6a68f682edca301051f1479af49c09400eb5a52cb027d6a7f54be23483411c936df660876b

Download Submit
C:\Windows\System\ZOlEiCz.exe

Filesize
5.9MB

MD5
ebcf4d02b6004ec86781e034b593d98c

SHA1
03a3871ef743625a172e22181419543f64bfc0e7

SHA256
ee39a9e8069aa9acd6ddce7c933dd86d032ad75df51f98c3567c04ce55790a3f

SHA512
b0a6afc49fe5f615635017032d29a290ca27fe5f8bb4198dc42822d260ccc873a555614214916cecddd2838067221b8cae6b4212167a5564b2679f63e94481a0

Download Submit
C:\Windows\System\ZoordHv.exe

Filesize
5.9MB

MD5
f1300c713f14cf32f16c5d7e65745fdd

SHA1
f3765c18308cc28eb4e89b0c16b1e3a7e2e3beed

SHA256
cacddc70992c6eea00d40267b835d61b35d1e57c981290fdc4bf7d07a859ea42

SHA512
c0c30442b7dc65124e5995e0401c9afbbdff45fb2ccbb72e2847cf62bf6d5f6eee97b3773e9e9bedfccb35e07df149c4e93f328ae1092a5d846fba9380a6b7ff

Download Submit
C:\Windows\System\ZubXqCx.exe

Filesize
5.9MB

MD5
31f86ae259ad1660d14134d89dd431ff

SHA1
04899b06c8d285ec457f89664c906d445468de88

SHA256
37aec9ace855b7bc24531b472f30cdb992e32ab480f76f3b254f3fc985cfe7ba

SHA512
520bf805891f33e1a00bdcb2a3c83db93e3b52c07597b4081421b0f2d96c721cbc7af47400938a5f43c7532c81ad259182b6a7f4d4fe2fefb624854efbac90f0

Download Submit
C:\Windows\System\dGKPKmj.exe

Filesize
5.9MB

MD5
dece93ea0f02e1587bc5c3bdda9bf5fe

SHA1
0dd8c3ab6f41cf31c0ba22b72fc5665ef489ab1e

SHA256
05a350fd2bf35e785fb45e7faf35e509e906bc7a62536503ded57750d7281fd9

SHA512
4940bca7fe3d6910334fe42635519641c6bf992346c5f76e1bbc69757b30345bd1954e39635a976a1c2beae720ae11c31521100fa05f5974f14af7d5113a88a5

Download Submit
C:\Windows\System\lcAQUQp.exe

Filesize
5.9MB

MD5
372da97021e54fd77ee77b369b856d78

SHA1
27d28044931a6874419988d1f05aa0ed0f3d9c57

SHA256
52084e6f9ac183eab5364c67444ea68bd5e039add9dcf444509543b08bf5bf82

SHA512
a89e5547c5619e4d2ee252eda87e71688f06bf1996215b898505e2faeea5b373103ba98d4293d14f16600b90dc8ddf14801b2a178dc966e8fe1aeb77575874df

Download Submit
C:\Windows\System\pZeukVU.exe

Filesize
5.9MB

MD5
455dbac8c08a87068ad23644d4f680e0

SHA1
c16f880b09264e4785e62aa1dfe7253f4d092aa4

SHA256
f7584a03252928772d5bb010e4ad728be09d45460ee09549c9642fc80a356ab6

SHA512
3d4ce35abdce2e9ecbb68e5742270f05b4d3a0fa9395885ae747c4b32df50446c308e1016117df5072721e10e8b96a55c3815f84f6964a36ce2c3f1b541f3570

Download Submit
C:\Windows\System\pbNWges.exe

Filesize
5.9MB

MD5
3a9400e2583498ea9c17f8d59e0fdfb8

SHA1
cac966674fb89abb5708b08faeab5b0ec0848670

SHA256
1f065fae93f7c870bb15461c7deb8538a00897e1fb3f60d379ca977f2b2ff7b8

SHA512
82141f96809d20f277f19aee936c5e618654bc79964cd322d458c79f4068ee2ae1221911f5854c4bd26e7e35201813deeb594612383b20049dda24ac9b7ff83f

Download Submit
C:\Windows\System\stquNAY.exe

Filesize
5.9MB

MD5
e64e6350a17e44fc8a712693c2fd6776

SHA1
82e4e438080b82ee0061b5faf0d53170601f321d

SHA256
aad5250f9df2a29ba9b329412024a3f901c58fd4289f94dbc47e8754b8601ca2

SHA512
c3e6f1533262025fb5b6c6d6f80e12ee0f1769f196dc52b6669b1b7fc67b3df0daf9317adc86f76e381cbde6101ec506fd0f0f47734918ae92c5ce8ca6326d69

Download Submit
C:\Windows\System\ugYEfOz.exe

Filesize
5.9MB

MD5
a4bf466b0e2b3b02ae4a99f512d6ecba

SHA1
847a2fdca0740898b03c667437cbcab183ac63bc

SHA256
59bf186b5aed0d2dd99e04aa77e92184ca8f2179c3b873b35414cfad2573d944

SHA512
98cedf26ccb78654752333021a134a0132d202bbceaa4bae8fef0c82ca44bd6f6f486655ef9e0c412c9c986c91f69af11368e157815699b46e0dd0e112c5a89c

Download Submit
C:\Windows\System\vuBFPLk.exe

Filesize
5.9MB

MD5
4082a5ec8b318bf3a1ac43a15b615bc6

SHA1
fa09fef86e038d4b9579e1fe23625a7117480b48

SHA256
ee1e3f650229758d3a6286791a7e1833bd7a64c709e7138e71e92993d50f85af

SHA512
ad98d22818093a8a3af44703f4b45155486b03c1a591a666f8c9681b72fa1bec61a5533b21ae390e0331eebb0b706961537ef133b7a1bb24ffac5c2e10a51692

Download Submit
C:\Windows\System\xOBMlvr.exe

Filesize
5.9MB

MD5
8ee8f32d7e9b5578966cc0e1d2879ff6

SHA1
dc7f3edea2f89a7496935ec8507cf2c733bfcfa0

SHA256
8da0cf8953e949289a7be20fdbfcfcec9e05ae37ba0f150b7692a0d17ead8471

SHA512
9fdf4f7db7e507bc90ed8ee196858203443f26af058a576f00df498082e1d74c2ad2d41bb501315db3fe4869beff1ccfc3d31591e630e062a49bb5d02688c93b

Download Submit
C:\Windows\System\zGVWROe.exe

Filesize
5.9MB

MD5
65beb6d7360852e43c8af74810ca5979

SHA1
b6dee1e47cdd4aaaacd7f26e4b765d6e0d9f963d

SHA256
aedcc6a4cefb7d368c84f289ef74e72e5c156884854f1db7e2a1bbe302716f0c

SHA512
21097aec15bd9c3d947ac432d8f6a752459667512f79383d312e5241526782d736d95f9eee2f6027ebb6b1ebcdb4d47931a4d48f8d64e3a5a51ac77efff07edd

Download Submit
memory/448-86-0x00007FF68C140000-0x00007FF68C494000-memory.dmp

Filesize
3.3MB

Download
memory/448-154-0x00007FF68C140000-0x00007FF68C494000-memory.dmp

Filesize
3.3MB

Download
memory/448-136-0x00007FF68C140000-0x00007FF68C494000-memory.dmp

Filesize
3.3MB

Download
memory/944-83-0x00007FF6E5C30000-0x00007FF6E5F84000-memory.dmp

Filesize
3.3MB

Download
memory/944-157-0x00007FF6E5C30000-0x00007FF6E5F84000-memory.dmp

Filesize
3.3MB

Download
memory/980-143-0x00007FF74B450000-0x00007FF74B7A4000-memory.dmp

Filesize
3.3MB

Download
memory/980-131-0x00007FF74B450000-0x00007FF74B7A4000-memory.dmp

Filesize
3.3MB

Download
memory/980-161-0x00007FF74B450000-0x00007FF74B7A4000-memory.dmp

Filesize
3.3MB

Download
memory/1016-142-0x00007FF6E76F0000-0x00007FF6E7A44000-memory.dmp

Filesize
3.3MB

Download
memory/1016-130-0x00007FF6E76F0000-0x00007FF6E7A44000-memory.dmp

Filesize
3.3MB

Download
memory/1016-162-0x00007FF6E76F0000-0x00007FF6E7A44000-memory.dmp

Filesize
3.3MB

Download
memory/1036-72-0x00007FF7C4800000-0x00007FF7C4B54000-memory.dmp

Filesize
3.3MB

Download
memory/1036-155-0x00007FF7C4800000-0x00007FF7C4B54000-memory.dmp

Filesize
3.3MB

Download
memory/1036-134-0x00007FF7C4800000-0x00007FF7C4B54000-memory.dmp

Filesize
3.3MB

Download
memory/1236-55-0x00007FF6DFEC0000-0x00007FF6E0214000-memory.dmp

Filesize
3.3MB

Download
memory/1236-127-0x00007FF6DFEC0000-0x00007FF6E0214000-memory.dmp

Filesize
3.3MB

Download
memory/1236-152-0x00007FF6DFEC0000-0x00007FF6E0214000-memory.dmp

Filesize
3.3MB

Download
memory/1348-160-0x00007FF6D4800000-0x00007FF6D4B54000-memory.dmp

Filesize
3.3MB

Download
memory/1348-139-0x00007FF6D4800000-0x00007FF6D4B54000-memory.dmp

Filesize
3.3MB

Download
memory/1348-102-0x00007FF6D4800000-0x00007FF6D4B54000-memory.dmp

Filesize
3.3MB

Download
memory/1360-144-0x00007FF692C00000-0x00007FF692F54000-memory.dmp

Filesize
3.3MB

Download
memory/1360-7-0x00007FF692C00000-0x00007FF692F54000-memory.dmp

Filesize
3.3MB

Download
memory/1360-109-0x00007FF692C00000-0x00007FF692F54000-memory.dmp

Filesize
3.3MB

Download
memory/1648-52-0x00007FF62FFB0000-0x00007FF630304000-memory.dmp

Filesize
3.3MB

Download
memory/1648-148-0x00007FF62FFB0000-0x00007FF630304000-memory.dmp

Filesize
3.3MB

Download
memory/1732-163-0x00007FF60F5A0000-0x00007FF60F8F4000-memory.dmp

Filesize
3.3MB

Download
memory/1732-92-0x00007FF60F5A0000-0x00007FF60F8F4000-memory.dmp

Filesize
3.3MB

Download
memory/1732-137-0x00007FF60F5A0000-0x00007FF60F8F4000-memory.dmp

Filesize
3.3MB

Download
memory/2164-151-0x00007FF6AFBC0000-0x00007FF6AFF14000-memory.dmp

Filesize
3.3MB

Download
memory/2164-51-0x00007FF6AFBC0000-0x00007FF6AFF14000-memory.dmp

Filesize
3.3MB

Download
memory/2164-126-0x00007FF6AFBC0000-0x00007FF6AFF14000-memory.dmp

Filesize
3.3MB

Download
memory/2204-156-0x00007FF6FD500000-0x00007FF6FD854000-memory.dmp

Filesize
3.3MB

Download
memory/2204-135-0x00007FF6FD500000-0x00007FF6FD854000-memory.dmp

Filesize
3.3MB

Download
memory/2204-82-0x00007FF6FD500000-0x00007FF6FD854000-memory.dmp

Filesize
3.3MB

Download
memory/2336-153-0x00007FF763C30000-0x00007FF763F84000-memory.dmp

Filesize
3.3MB

Download
memory/2336-62-0x00007FF763C30000-0x00007FF763F84000-memory.dmp

Filesize
3.3MB

Download
memory/2680-0-0x00007FF74C880000-0x00007FF74CBD4000-memory.dmp

Filesize
3.3MB

Download
memory/2680-96-0x00007FF74C880000-0x00007FF74CBD4000-memory.dmp

Filesize
3.3MB

Download
memory/2680-1-0x000001F0356C0000-0x000001F0356D0000-memory.dmp

Filesize
64KB

Download
memory/2760-147-0x00007FF7647A0000-0x00007FF764AF4000-memory.dmp

Filesize
3.3MB

Download
memory/2760-58-0x00007FF7647A0000-0x00007FF764AF4000-memory.dmp

Filesize
3.3MB

Download
memory/2960-140-0x00007FF678AD0000-0x00007FF678E24000-memory.dmp

Filesize
3.3MB

Download
memory/2960-159-0x00007FF678AD0000-0x00007FF678E24000-memory.dmp

Filesize
3.3MB

Download
memory/2960-111-0x00007FF678AD0000-0x00007FF678E24000-memory.dmp

Filesize
3.3MB

Download
memory/3076-101-0x00007FF64B970000-0x00007FF64BCC4000-memory.dmp

Filesize
3.3MB

Download
memory/3076-138-0x00007FF64B970000-0x00007FF64BCC4000-memory.dmp

Filesize
3.3MB

Download
memory/3076-158-0x00007FF64B970000-0x00007FF64BCC4000-memory.dmp

Filesize
3.3MB

Download
memory/3356-146-0x00007FF60DDE0000-0x00007FF60E134000-memory.dmp

Filesize
3.3MB

Download
memory/3356-31-0x00007FF60DDE0000-0x00007FF60E134000-memory.dmp

Filesize
3.3MB

Download
memory/3356-121-0x00007FF60DDE0000-0x00007FF60E134000-memory.dmp

Filesize
3.3MB

Download
memory/3460-119-0x00007FF7063C0000-0x00007FF706714000-memory.dmp

Filesize
3.3MB

Download
memory/3460-145-0x00007FF7063C0000-0x00007FF706714000-memory.dmp

Filesize
3.3MB

Download
memory/3460-14-0x00007FF7063C0000-0x00007FF706714000-memory.dmp

Filesize
3.3MB

Download
memory/4424-61-0x00007FF630A20000-0x00007FF630D74000-memory.dmp

Filesize
3.3MB

Download
memory/4424-149-0x00007FF630A20000-0x00007FF630D74000-memory.dmp

Filesize
3.3MB

Download
memory/4556-54-0x00007FF755870000-0x00007FF755BC4000-memory.dmp

Filesize
3.3MB

Download
memory/4556-150-0x00007FF755870000-0x00007FF755BC4000-memory.dmp

Filesize
3.3MB

Download
memory/4976-164-0x00007FF7E3090000-0x00007FF7E33E4000-memory.dmp

Filesize
3.3MB

Download
memory/4976-118-0x00007FF7E3090000-0x00007FF7E33E4000-memory.dmp

Filesize
3.3MB

Download
memory/4976-141-0x00007FF7E3090000-0x00007FF7E33E4000-memory.dmp

Filesize
3.3MB

Download