cobaltstrike | 37ce220f5f5211f6c465e45cf956b35d60a73c035869e83088968b6fc5435196

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

a18a628dfa0d1b814c8467e32199d5f0
SHA1

40b0479dd4c8875993418838ec5a1568dde9d2c2
SHA256

37ce220f5f5211f6c465e45cf956b35d60a73c035869e83088968b6fc5435196
SHA512

a5ad9b0d0e5fa17c47c50e64331d56b62df6c87087b041a996da4cf1552c995be2425e6b36e7bfa3e30029ad717889fee72facf4de4ff8c42fac8bf05d41ec5e
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lM:RWWBibf56utgpPFotBER/mQ32lUY

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
behavioral2/files/0x000c000000023b17-4.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7b-14.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7a-15.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7c-23.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7d-28.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7e-36.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b7f-40.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b80-48.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b81-53.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b82-56.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b83-65.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b84-74.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b85-86.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b86-88.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b87-97.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b89-106.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8a-113.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8b-119.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8c-124.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b88-103.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023b8d-128.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1548-44-0x00007FF7CA480000-0x00007FF7CA7D1000-memory.dmp	xmrig
behavioral2/memory/2000-7-0x00007FF7DF010000-0x00007FF7DF361000-memory.dmp	xmrig
behavioral2/memory/5032-62-0x00007FF71C680000-0x00007FF71C9D1000-memory.dmp	xmrig
behavioral2/memory/4488-71-0x00007FF62E0E0000-0x00007FF62E431000-memory.dmp	xmrig
behavioral2/memory/1596-70-0x00007FF670160000-0x00007FF6704B1000-memory.dmp	xmrig
behavioral2/memory/2000-67-0x00007FF7DF010000-0x00007FF7DF361000-memory.dmp	xmrig
behavioral2/memory/536-64-0x00007FF6625E0000-0x00007FF662931000-memory.dmp	xmrig
behavioral2/memory/4508-78-0x00007FF6C8F80000-0x00007FF6C92D1000-memory.dmp	xmrig
behavioral2/memory/4972-84-0x00007FF6833F0000-0x00007FF683741000-memory.dmp	xmrig
behavioral2/memory/3644-89-0x00007FF7B0400000-0x00007FF7B0751000-memory.dmp	xmrig
behavioral2/memory/4348-95-0x00007FF7E1A80000-0x00007FF7E1DD1000-memory.dmp	xmrig
behavioral2/memory/1768-93-0x00007FF765B10000-0x00007FF765E61000-memory.dmp	xmrig
behavioral2/memory/4064-79-0x00007FF68D910000-0x00007FF68DC61000-memory.dmp	xmrig
behavioral2/memory/5020-131-0x00007FF6000B0000-0x00007FF600401000-memory.dmp	xmrig
behavioral2/memory/5116-130-0x00007FF60E750000-0x00007FF60EAA1000-memory.dmp	xmrig
behavioral2/memory/208-132-0x00007FF634E60000-0x00007FF6351B1000-memory.dmp	xmrig
behavioral2/memory/916-133-0x00007FF6E8310000-0x00007FF6E8661000-memory.dmp	xmrig
behavioral2/memory/952-134-0x00007FF70FB80000-0x00007FF70FED1000-memory.dmp	xmrig
behavioral2/memory/1904-135-0x00007FF7EA280000-0x00007FF7EA5D1000-memory.dmp	xmrig
behavioral2/memory/4720-136-0x00007FF77CCA0000-0x00007FF77CFF1000-memory.dmp	xmrig
behavioral2/memory/5032-137-0x00007FF71C680000-0x00007FF71C9D1000-memory.dmp	xmrig
behavioral2/memory/4064-149-0x00007FF68D910000-0x00007FF68DC61000-memory.dmp	xmrig
behavioral2/memory/1572-150-0x00007FF7C8750000-0x00007FF7C8AA1000-memory.dmp	xmrig
behavioral2/memory/3128-154-0x00007FF6E3CF0000-0x00007FF6E4041000-memory.dmp	xmrig
behavioral2/memory/4392-153-0x00007FF701C80000-0x00007FF701FD1000-memory.dmp	xmrig
behavioral2/memory/5032-160-0x00007FF71C680000-0x00007FF71C9D1000-memory.dmp	xmrig
behavioral2/memory/2000-211-0x00007FF7DF010000-0x00007FF7DF361000-memory.dmp	xmrig
behavioral2/memory/1596-216-0x00007FF670160000-0x00007FF6704B1000-memory.dmp	xmrig
behavioral2/memory/4508-218-0x00007FF6C8F80000-0x00007FF6C92D1000-memory.dmp	xmrig
behavioral2/memory/4972-220-0x00007FF6833F0000-0x00007FF683741000-memory.dmp	xmrig
behavioral2/memory/3644-222-0x00007FF7B0400000-0x00007FF7B0751000-memory.dmp	xmrig
behavioral2/memory/1768-224-0x00007FF765B10000-0x00007FF765E61000-memory.dmp	xmrig
behavioral2/memory/1548-226-0x00007FF7CA480000-0x00007FF7CA7D1000-memory.dmp	xmrig
behavioral2/memory/5020-232-0x00007FF6000B0000-0x00007FF600401000-memory.dmp	xmrig
behavioral2/memory/536-234-0x00007FF6625E0000-0x00007FF662931000-memory.dmp	xmrig
behavioral2/memory/952-236-0x00007FF70FB80000-0x00007FF70FED1000-memory.dmp	xmrig
behavioral2/memory/4488-238-0x00007FF62E0E0000-0x00007FF62E431000-memory.dmp	xmrig
behavioral2/memory/4064-242-0x00007FF68D910000-0x00007FF68DC61000-memory.dmp	xmrig
behavioral2/memory/4348-251-0x00007FF7E1A80000-0x00007FF7E1DD1000-memory.dmp	xmrig
behavioral2/memory/1572-253-0x00007FF7C8750000-0x00007FF7C8AA1000-memory.dmp	xmrig
behavioral2/memory/4392-255-0x00007FF701C80000-0x00007FF701FD1000-memory.dmp	xmrig
behavioral2/memory/3128-257-0x00007FF6E3CF0000-0x00007FF6E4041000-memory.dmp	xmrig
behavioral2/memory/5116-259-0x00007FF60E750000-0x00007FF60EAA1000-memory.dmp	xmrig
behavioral2/memory/1904-261-0x00007FF7EA280000-0x00007FF7EA5D1000-memory.dmp	xmrig
behavioral2/memory/4720-263-0x00007FF77CCA0000-0x00007FF77CFF1000-memory.dmp	xmrig
behavioral2/memory/208-265-0x00007FF634E60000-0x00007FF6351B1000-memory.dmp	xmrig
behavioral2/memory/916-267-0x00007FF6E8310000-0x00007FF6E8661000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

MAnSqhm.exeMgnqGIl.exeojFmUfS.exehfHTNkX.exereQUwOo.exehesvJuL.exeUsuAbsx.exeeNYuCYu.exeeIcfmds.exeLfcltov.exelsxXPXG.exevdjvbKJ.exeYOheMPN.exexLYLhGD.exezMevdBY.exevlxpKAY.exeoRxMKpI.exeljlvkDY.exevcTreCS.exeGemlfYp.exeNMYZFtp.exe

pid	Process
2000	MAnSqhm.exe
1596	MgnqGIl.exe
4508	ojFmUfS.exe
4972	hfHTNkX.exe
3644	reQUwOo.exe
1768	hesvJuL.exe
1548	UsuAbsx.exe
5020	eNYuCYu.exe
952	eIcfmds.exe
536	Lfcltov.exe
4488	lsxXPXG.exe
4064	vdjvbKJ.exe
1572	YOheMPN.exe
4348	xLYLhGD.exe
4392	zMevdBY.exe
3128	vlxpKAY.exe
5116	oRxMKpI.exe
1904	ljlvkDY.exe
4720	vcTreCS.exe
208	GemlfYp.exe
916	NMYZFtp.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5032-0-0x00007FF71C680000-0x00007FF71C9D1000-memory.dmp	upx
behavioral2/files/0x000c000000023b17-4.dat	upx
behavioral2/files/0x000a000000023b7b-14.dat	upx
behavioral2/files/0x000a000000023b7a-15.dat	upx
behavioral2/memory/1596-17-0x00007FF670160000-0x00007FF6704B1000-memory.dmp	upx
behavioral2/files/0x000a000000023b7c-23.dat	upx
behavioral2/files/0x000a000000023b7d-28.dat	upx
behavioral2/memory/3644-30-0x00007FF7B0400000-0x00007FF7B0751000-memory.dmp	upx
behavioral2/files/0x000a000000023b7e-36.dat	upx
behavioral2/files/0x000a000000023b7f-40.dat	upx
behavioral2/memory/1768-43-0x00007FF765B10000-0x00007FF765E61000-memory.dmp	upx
behavioral2/memory/1548-44-0x00007FF7CA480000-0x00007FF7CA7D1000-memory.dmp	upx
behavioral2/memory/4972-24-0x00007FF6833F0000-0x00007FF683741000-memory.dmp	upx
behavioral2/memory/4508-18-0x00007FF6C8F80000-0x00007FF6C92D1000-memory.dmp	upx
behavioral2/memory/2000-7-0x00007FF7DF010000-0x00007FF7DF361000-memory.dmp	upx
behavioral2/files/0x000a000000023b80-48.dat	upx
behavioral2/memory/5020-49-0x00007FF6000B0000-0x00007FF600401000-memory.dmp	upx
behavioral2/files/0x000a000000023b81-53.dat	upx
behavioral2/files/0x000a000000023b82-56.dat	upx
behavioral2/memory/5032-62-0x00007FF71C680000-0x00007FF71C9D1000-memory.dmp	upx
behavioral2/files/0x000a000000023b83-65.dat	upx
behavioral2/memory/4488-71-0x00007FF62E0E0000-0x00007FF62E431000-memory.dmp	upx
behavioral2/memory/1596-70-0x00007FF670160000-0x00007FF6704B1000-memory.dmp	upx
behavioral2/memory/2000-67-0x00007FF7DF010000-0x00007FF7DF361000-memory.dmp	upx
behavioral2/memory/536-64-0x00007FF6625E0000-0x00007FF662931000-memory.dmp	upx
behavioral2/memory/952-60-0x00007FF70FB80000-0x00007FF70FED1000-memory.dmp	upx
behavioral2/files/0x000a000000023b84-74.dat	upx
behavioral2/memory/4508-78-0x00007FF6C8F80000-0x00007FF6C92D1000-memory.dmp	upx
behavioral2/memory/4972-84-0x00007FF6833F0000-0x00007FF683741000-memory.dmp	upx
behavioral2/files/0x000a000000023b85-86.dat	upx
behavioral2/files/0x000a000000023b86-88.dat	upx
behavioral2/memory/3644-89-0x00007FF7B0400000-0x00007FF7B0751000-memory.dmp	upx
behavioral2/files/0x000a000000023b87-97.dat	upx
behavioral2/memory/4392-100-0x00007FF701C80000-0x00007FF701FD1000-memory.dmp	upx
behavioral2/files/0x000a000000023b89-106.dat	upx
behavioral2/memory/3128-109-0x00007FF6E3CF0000-0x00007FF6E4041000-memory.dmp	upx
behavioral2/files/0x000a000000023b8a-113.dat	upx
behavioral2/files/0x000a000000023b8b-119.dat	upx
behavioral2/files/0x000a000000023b8c-124.dat	upx
behavioral2/files/0x000a000000023b88-103.dat	upx
behavioral2/memory/4348-95-0x00007FF7E1A80000-0x00007FF7E1DD1000-memory.dmp	upx
behavioral2/memory/1768-93-0x00007FF765B10000-0x00007FF765E61000-memory.dmp	upx
behavioral2/memory/1572-87-0x00007FF7C8750000-0x00007FF7C8AA1000-memory.dmp	upx
behavioral2/memory/4064-79-0x00007FF68D910000-0x00007FF68DC61000-memory.dmp	upx
behavioral2/files/0x000a000000023b8d-128.dat	upx
behavioral2/memory/5020-131-0x00007FF6000B0000-0x00007FF600401000-memory.dmp	upx
behavioral2/memory/5116-130-0x00007FF60E750000-0x00007FF60EAA1000-memory.dmp	upx
behavioral2/memory/208-132-0x00007FF634E60000-0x00007FF6351B1000-memory.dmp	upx
behavioral2/memory/916-133-0x00007FF6E8310000-0x00007FF6E8661000-memory.dmp	upx
behavioral2/memory/952-134-0x00007FF70FB80000-0x00007FF70FED1000-memory.dmp	upx
behavioral2/memory/1904-135-0x00007FF7EA280000-0x00007FF7EA5D1000-memory.dmp	upx
behavioral2/memory/4720-136-0x00007FF77CCA0000-0x00007FF77CFF1000-memory.dmp	upx
behavioral2/memory/5032-137-0x00007FF71C680000-0x00007FF71C9D1000-memory.dmp	upx
behavioral2/memory/4064-149-0x00007FF68D910000-0x00007FF68DC61000-memory.dmp	upx
behavioral2/memory/1572-150-0x00007FF7C8750000-0x00007FF7C8AA1000-memory.dmp	upx
behavioral2/memory/3128-154-0x00007FF6E3CF0000-0x00007FF6E4041000-memory.dmp	upx
behavioral2/memory/4392-153-0x00007FF701C80000-0x00007FF701FD1000-memory.dmp	upx
behavioral2/memory/5032-160-0x00007FF71C680000-0x00007FF71C9D1000-memory.dmp	upx
behavioral2/memory/2000-211-0x00007FF7DF010000-0x00007FF7DF361000-memory.dmp	upx
behavioral2/memory/1596-216-0x00007FF670160000-0x00007FF6704B1000-memory.dmp	upx
behavioral2/memory/4508-218-0x00007FF6C8F80000-0x00007FF6C92D1000-memory.dmp	upx
behavioral2/memory/4972-220-0x00007FF6833F0000-0x00007FF683741000-memory.dmp	upx
behavioral2/memory/3644-222-0x00007FF7B0400000-0x00007FF7B0751000-memory.dmp	upx
behavioral2/memory/1768-224-0x00007FF765B10000-0x00007FF765E61000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	Process
File created	C:\Windows\System\hfHTNkX.exe	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Lfcltov.exe	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vlxpKAY.exe	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GemlfYp.exe	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NMYZFtp.exe	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xLYLhGD.exe	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oRxMKpI.exe	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ljlvkDY.exe	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MgnqGIl.exe	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ojFmUfS.exe	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eIcfmds.exe	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lsxXPXG.exe	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vdjvbKJ.exe	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UsuAbsx.exe	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eNYuCYu.exe	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YOheMPN.exe	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zMevdBY.exe	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vcTreCS.exe	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MAnSqhm.exe	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\reQUwOo.exe	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hesvJuL.exe	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process
Token: SeLockMemoryPrivilege	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process	procid_target
PID 5032 wrote to memory of 2000	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 5032 wrote to memory of 2000	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 5032 wrote to memory of 1596	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 5032 wrote to memory of 1596	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 5032 wrote to memory of 4508	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 5032 wrote to memory of 4508	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 5032 wrote to memory of 4972	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 5032 wrote to memory of 4972	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 5032 wrote to memory of 3644	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 5032 wrote to memory of 3644	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 5032 wrote to memory of 1768	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 5032 wrote to memory of 1768	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 5032 wrote to memory of 1548	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 5032 wrote to memory of 1548	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 5032 wrote to memory of 5020	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 5032 wrote to memory of 5020	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 5032 wrote to memory of 952	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 5032 wrote to memory of 952	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 5032 wrote to memory of 536	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5032 wrote to memory of 536	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5032 wrote to memory of 4488	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5032 wrote to memory of 4488	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5032 wrote to memory of 4064	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5032 wrote to memory of 4064	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5032 wrote to memory of 1572	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5032 wrote to memory of 1572	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5032 wrote to memory of 4348	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5032 wrote to memory of 4348	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5032 wrote to memory of 4392	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5032 wrote to memory of 4392	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5032 wrote to memory of 3128	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 5032 wrote to memory of 3128	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 5032 wrote to memory of 5116	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 5032 wrote to memory of 5116	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 5032 wrote to memory of 1904	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 5032 wrote to memory of 1904	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 5032 wrote to memory of 4720	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 5032 wrote to memory of 4720	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 5032 wrote to memory of 208	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 5032 wrote to memory of 208	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 5032 wrote to memory of 916	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 5032 wrote to memory of 916	5032	2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-18_a18a628dfa0d1b814c8467e32199d5f0_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\System\MAnSqhm.exe
  C:\Windows\System\MAnSqhm.exe
  2⤵
  - Executes dropped EXE
  PID:2000
- C:\Windows\System\MgnqGIl.exe
  C:\Windows\System\MgnqGIl.exe
  2⤵
  - Executes dropped EXE
  PID:1596
- C:\Windows\System\ojFmUfS.exe
  C:\Windows\System\ojFmUfS.exe
  2⤵
  - Executes dropped EXE
  PID:4508
- C:\Windows\System\hfHTNkX.exe
  C:\Windows\System\hfHTNkX.exe
  2⤵
  - Executes dropped EXE
  PID:4972
- C:\Windows\System\reQUwOo.exe
  C:\Windows\System\reQUwOo.exe
  2⤵
  - Executes dropped EXE
  PID:3644
- C:\Windows\System\hesvJuL.exe
  C:\Windows\System\hesvJuL.exe
  2⤵
  - Executes dropped EXE
  PID:1768
- C:\Windows\System\UsuAbsx.exe
  C:\Windows\System\UsuAbsx.exe
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\System\eNYuCYu.exe
  C:\Windows\System\eNYuCYu.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\eIcfmds.exe
  C:\Windows\System\eIcfmds.exe
  2⤵
  - Executes dropped EXE
  PID:952
- C:\Windows\System\Lfcltov.exe
  C:\Windows\System\Lfcltov.exe
  2⤵
  - Executes dropped EXE
  PID:536
- C:\Windows\System\lsxXPXG.exe
  C:\Windows\System\lsxXPXG.exe
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\Windows\System\vdjvbKJ.exe
  C:\Windows\System\vdjvbKJ.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System\YOheMPN.exe
  C:\Windows\System\YOheMPN.exe
  2⤵
  - Executes dropped EXE
  PID:1572
- C:\Windows\System\xLYLhGD.exe
  C:\Windows\System\xLYLhGD.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Windows\System\zMevdBY.exe
  C:\Windows\System\zMevdBY.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System\vlxpKAY.exe
  C:\Windows\System\vlxpKAY.exe
  2⤵
  - Executes dropped EXE
  PID:3128
- C:\Windows\System\oRxMKpI.exe
  C:\Windows\System\oRxMKpI.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System\ljlvkDY.exe
  C:\Windows\System\ljlvkDY.exe
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\System\vcTreCS.exe
  C:\Windows\System\vcTreCS.exe
  2⤵
  - Executes dropped EXE
  PID:4720
- C:\Windows\System\GemlfYp.exe
  C:\Windows\System\GemlfYp.exe
  2⤵
  - Executes dropped EXE
  PID:208
- C:\Windows\System\NMYZFtp.exe
  C:\Windows\System\NMYZFtp.exe
  2⤵
  - Executes dropped EXE
  PID:916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\GemlfYp.exe

Filesize
5.2MB

MD5
f0dbb26bc279155ad176128650f374ff

SHA1
db128dba96ea797ed8be918ce0ac4101b29f124c

SHA256
7a5865e72016fcb8e252bb56cc97e949612af87b76350b7e7bc6b17f5e6d3042

SHA512
d6d614a1d716a943db5567bcffb8f8b1fb1940e8e518d0315334211d0be42e63ef2c64f89493e2e89b9ccb8d6247b52975dface55ab69104373bb5ba5e41d2d8

Download Submit
C:\Windows\System\Lfcltov.exe

Filesize
5.2MB

MD5
2f2fdb31d7d3f98b87b8bf53937a3b2b

SHA1
657824be7eac7c05fdac736e536b6fb1842abb46

SHA256
5a99d8a7af1e48ae8fd019d6d2f5cdb4f82dc0e1fe52fcfb8735b7e3ac7e93e9

SHA512
b0662db7b3b9380aa6d8e016fddd2ccbceddb8b8528d5b7588b8ae9f58f87b1e12d0222ce66f3a6bf666816a1b361b8761f72fd52c7a572b36a5e20256ff457c

Download Submit
C:\Windows\System\MAnSqhm.exe

Filesize
5.2MB

MD5
71ac0bdf9242ace21f0ad3869c6029c9

SHA1
cf8e59880fc06b913e474f00065d84d2e9080818

SHA256
0dfbf67b39fd1d9feef73561f93f59ef1c42a789951fa738b8f496c614328bef

SHA512
86b79caf76a5da8a4bb6ae4e3dc7a6905e865d3a442b844e34d97d2072975328ece0340dd4a7d41bfcc28d9c0b4b4e8832ecd32e3e6a204f8df8470b591798a3

Download Submit
C:\Windows\System\MgnqGIl.exe

Filesize
5.2MB

MD5
ad26e0a4e6510fb862dcceb03c6b594f

SHA1
4aa78491689d16391accf86e8e944d5ee575ddf5

SHA256
57c2928a2f8c9e980e45d65e2ca0227e95dc3d700ed1c5183409e33557d22c3b

SHA512
57177ba023345d61d078ee1bef03b798f2978fa4f3f5a538f3c9286317e31deec3a8dea6c5844048678e0844009dc0a1b743006e11b874711bc973503c2739a7

Download Submit
C:\Windows\System\NMYZFtp.exe

Filesize
5.2MB

MD5
ffab1d7343df40b738cf68ddf55d68ec

SHA1
fe4936177d5545ed0017334229aa6158bb180e81

SHA256
cd62465480fa196cba7edee813ea3b824da1369125eeec6572523de5d49c99bb

SHA512
382920d9441a52dca27f0053388fbf8d6184059410651f6c365da68d722886e44ca29a9034dd9df2e46f3ebfdd8369ff919e837229cdbfa8c68a6f37fd4dafa6

Download Submit
C:\Windows\System\UsuAbsx.exe

Filesize
5.2MB

MD5
dc779b012ae087264659ae09e09f838f

SHA1
cf046e8c663554a5f061ae40b7fc3d1e3bf79d9b

SHA256
85ac3c8460b411b242b92b19f0f66020b6029679ea19b4480803bb241cd9f11f

SHA512
410b6118ba7a667d763878a0355b7a31940af2be11fece8f9643d33f9a656b20b76e4b264f6544f8728216d823000136175f1604d69e482b6d10ab355f752cf8

Download Submit
C:\Windows\System\YOheMPN.exe

Filesize
5.2MB

MD5
435883b62e830ec949e19ee109afa9ff

SHA1
06dd76a8ccab02d9bc64842ee83039316ca9bbf7

SHA256
2e597d8c9621a0675209c8698afccfd219574e1e662204c786826d70e3158dd3

SHA512
4de94477eb2db056595f42c9b1dd2dbc690287cb1240a4e5664c2e72554c101359ca088dadd1f04d2e27f709dec8071ce622140547ac4b6ae34ce89b7144e331

Download Submit
C:\Windows\System\eIcfmds.exe

Filesize
5.2MB

MD5
b9069d79e2a6c8b7e2bb755e76865a2c

SHA1
587f79829b3d83cd259dc600b02724287aba0b75

SHA256
62c3abc730ae3d7b86fd0c1055e55aa93d0357c3046b48bdf1a12a9061f72a21

SHA512
1beb91f6babe54d90a0b2228471cfb12542443d8fb538f9d88e93f9ab0a6fe63d548f31c2d4798de7efbdb6b13189c0f7f8ba6bae9c67db5181920000933efb9

Download Submit
C:\Windows\System\eNYuCYu.exe

Filesize
5.2MB

MD5
f384d5b3d72ad0961d3509d8a2f7e47d

SHA1
95afaf9c64e0ca555549ccb80a579840e1ddf1d4

SHA256
c53a8ab5b81408945348e5364cfd507ae1278672351e6c6c10358569b6dfbfdd

SHA512
ba250835ab1f7586ca01f82c6c6609dab13b8e7540a03afae5839c8833fa53553fc45c12cb5dcf48a468cfc4c3d5c91937a2bc5467efda231ed2d9114441fa60

Download Submit
C:\Windows\System\hesvJuL.exe

Filesize
5.2MB

MD5
7db24d173baf33b6230937b53de50622

SHA1
a3d9344aff0074de2269d78a3f8f9b68cf46f04f

SHA256
36d2ffb4f746d157c62fb1cff3c917bcc6620a9146717f2d9643958bbf50fd91

SHA512
ae669b7c52e577648bb7302e9fc41fd8d7b28795325c3cc279ee0eafc6be7a7159e9e1f202a3efc67fe7a18ec95f241443da0facdf78db0ef03f920f5f1dad8a

Download Submit
C:\Windows\System\hfHTNkX.exe

Filesize
5.2MB

MD5
c07c31438412a16592c6c3c1dac872bd

SHA1
1ea31290b59ee195c8d72fb30105933e549c7256

SHA256
6b7d09562c1623934cb757ebab7cd31f79595168d63a3df85a36d27408fcf298

SHA512
2917daeba3c9fa07c58ac79d36f479e899e9ec089cf668285bae78fa036a6e86c133834a94fc52142106454204bd7b6acbbe2d1493710439274a9fcedf5d56d5

Download Submit
C:\Windows\System\ljlvkDY.exe

Filesize
5.2MB

MD5
65a53f561c1514d81c965b0eb6f4e062

SHA1
a212afe04fce25732785e4c11c972180f5ce25fd

SHA256
83ba94d634da9a155666d526b35202b01bfa8422442754e8295dfbbbf182705b

SHA512
754133b59fb6975baf89dce8f50568e58a3b0d8782ec835f4de627e5516849f5159dea79ca1c01ee4cab435566f721a682bc07486c6e9e7196dc1a4a6efd21d3

Download Submit
C:\Windows\System\lsxXPXG.exe

Filesize
5.2MB

MD5
dab728d33112bfdbaf8bea6b86fd9af0

SHA1
455eec423e260dbdf6e1108672f2f92c4894dd0c

SHA256
ceee3b014d360b477403a648dbf6e29e4854567e75942aa99597fd66928b8ccf

SHA512
9d940cd38df0b8c30d58a53e2f0c1ab48cb7594c6d82fb667fbd09b6ab8414c46e6bb6b815fa13e8b24090b39b86828e9523eb47f2f18c1c65ce5db4465e64c7

Download Submit
C:\Windows\System\oRxMKpI.exe

Filesize
5.2MB

MD5
4151bcba12501ce0874ea1cd9dbf6373

SHA1
e39843224f85cb862d8cd9c1e1baffbd436d6a9b

SHA256
4875fdb3ef1fa9e3e8d8b2fe45605ad6758e3438afa9c9c241f54d9aa244c1a4

SHA512
ff9115bdcf70862d064352cc20580e561f2952f570312d24b24322d8a9cf39416d0da1bca4af16670bd7a1b8992539030f33f0e5a27d3f32b3d5773e4c6d0f11

Download Submit
C:\Windows\System\ojFmUfS.exe

Filesize
5.2MB

MD5
a605955c344e5f72c1b553f96e1940f7

SHA1
5f01b44cc487da672e8082939d39a8d91946aadb

SHA256
f0d66b4710a754fa3381075036ea7788fe4dc37df4b3776808a7f79908df38d6

SHA512
5cace13a3d76f2f4615e2dc18675f3d443be50d0f6ae83a0a342dc51a527360436c71b86c12d4ed0b5d01264a79fb430d832a9f65a786759baf3e3563bfe097f

Download Submit
C:\Windows\System\reQUwOo.exe

Filesize
5.2MB

MD5
eae1624581ed7d15a1a09a6f90f40089

SHA1
6ab1b8b8ad3261ecba53706c46f603d6cfa7dbb9

SHA256
e971850a5081cd67fe0606dddc5d329a2b34c0452a6f2dfee2f0139f357ab885

SHA512
1f66d4973c3e1df0b033001578e702eb93deb672905760924c072e84e12fab3990775b3e60d93432e4d724d300ffe39458dc189e8bee6fb348f4ebfb43cf3bbe

Download Submit
C:\Windows\System\vcTreCS.exe

Filesize
5.2MB

MD5
f4b0931643e58d73e2b1448d8e3e26a3

SHA1
8ba358e34eb3238f1923af194e8c5991334f4fdf

SHA256
e615dee6220630e03243778c8379e8f7992084f7fa7abf7e63e6141186b993af

SHA512
4ecf1719551711f916ea196898e8be359dd1b3c60fd085817f6dc8e547c156e27560992ee0818f4ec1b4c3639debb630c42a6157a63a8e41e093affd270f668b

Download Submit
C:\Windows\System\vdjvbKJ.exe

Filesize
5.2MB

MD5
782d1667de4f449a1ec9472ada38cb5b

SHA1
798b251bdff477782c680cfd131b759beefe9778

SHA256
3705399abb45aa01a933ee85096fa262893e41b0554ff3c8f4d81876980e2558

SHA512
767e18d80422bd1f31ef5b958281dbd7b4e16c41d7ed88090cf7fcde51d9d27829c41350bd666092c4aaa0a923f7ce2eacceeddc7387649f9ca235fd6bb4a67a

Download Submit
C:\Windows\System\vlxpKAY.exe

Filesize
5.2MB

MD5
8db9c6979b5a391a6d0d34b5d564c5c6

SHA1
3c570db6e820d5afbaf22b599cb55053fa1894a2

SHA256
7c14b7b9aa192963da35d39a38dbab88755ae1612f2a72f1ff35f342d1934ca5

SHA512
2732ddc7065ad9aeebd728c5419e04dbc0c5e392a207f4994aab8255c9568644f487241e464ca32bc90e01d932daa4a0129b65d0d335d8b2500cffec1c8151b1

Download Submit
C:\Windows\System\xLYLhGD.exe

Filesize
5.2MB

MD5
d371a6179346f01ffd8b5318f30dec00

SHA1
26a6305f56a36643a7a6fa9e8863cd9c34939f79

SHA256
e0d05387b693883fa67e6f17a216f3a3351b3d4eb256d7d4fbbdc82245e82430

SHA512
35f54c95c9e3e20c49fc77fceb8f6f4870452e24e8a3b6bf3544436a620ec092470feb1e324ecffd9ac96f31fb3ca91470c534729acc6d824ad11cf9b92f07fa

Download Submit
C:\Windows\System\zMevdBY.exe

Filesize
5.2MB

MD5
87729437aef018c07ee4dbd4043f6ef1

SHA1
18f0259ef936d24125c9874852d9cea96d461b87

SHA256
b9086c6e54ad42ba6db650c5d740ef1ba9e57d7b270559e68f315d34a500b8f6

SHA512
94b986a200df36f43e53f27407a6b0d7c8abbe22f7b1662c1d1809d1dd874bdc086c02cd4387a85caf41a203011549850ad1d6fc04f53d6ffa0b462009dfae5c

Download Submit
memory/208-265-0x00007FF634E60000-0x00007FF6351B1000-memory.dmp

Filesize
3.3MB

Download
memory/208-132-0x00007FF634E60000-0x00007FF6351B1000-memory.dmp

Filesize
3.3MB

Download
memory/536-234-0x00007FF6625E0000-0x00007FF662931000-memory.dmp

Filesize
3.3MB

Download
memory/536-64-0x00007FF6625E0000-0x00007FF662931000-memory.dmp

Filesize
3.3MB

Download
memory/916-267-0x00007FF6E8310000-0x00007FF6E8661000-memory.dmp

Filesize
3.3MB

Download
memory/916-133-0x00007FF6E8310000-0x00007FF6E8661000-memory.dmp

Filesize
3.3MB

Download
memory/952-236-0x00007FF70FB80000-0x00007FF70FED1000-memory.dmp

Filesize
3.3MB

Download
memory/952-134-0x00007FF70FB80000-0x00007FF70FED1000-memory.dmp

Filesize
3.3MB

Download
memory/952-60-0x00007FF70FB80000-0x00007FF70FED1000-memory.dmp

Filesize
3.3MB

Download
memory/1548-44-0x00007FF7CA480000-0x00007FF7CA7D1000-memory.dmp

Filesize
3.3MB

Download
memory/1548-226-0x00007FF7CA480000-0x00007FF7CA7D1000-memory.dmp

Filesize
3.3MB

Download
memory/1572-150-0x00007FF7C8750000-0x00007FF7C8AA1000-memory.dmp

Filesize
3.3MB

Download
memory/1572-87-0x00007FF7C8750000-0x00007FF7C8AA1000-memory.dmp

Filesize
3.3MB

Download
memory/1572-253-0x00007FF7C8750000-0x00007FF7C8AA1000-memory.dmp

Filesize
3.3MB

Download
memory/1596-17-0x00007FF670160000-0x00007FF6704B1000-memory.dmp

Filesize
3.3MB

Download
memory/1596-216-0x00007FF670160000-0x00007FF6704B1000-memory.dmp

Filesize
3.3MB

Download
memory/1596-70-0x00007FF670160000-0x00007FF6704B1000-memory.dmp

Filesize
3.3MB

Download
memory/1768-43-0x00007FF765B10000-0x00007FF765E61000-memory.dmp

Filesize
3.3MB

Download
memory/1768-224-0x00007FF765B10000-0x00007FF765E61000-memory.dmp

Filesize
3.3MB

Download
memory/1768-93-0x00007FF765B10000-0x00007FF765E61000-memory.dmp

Filesize
3.3MB

Download
memory/1904-261-0x00007FF7EA280000-0x00007FF7EA5D1000-memory.dmp

Filesize
3.3MB

Download
memory/1904-135-0x00007FF7EA280000-0x00007FF7EA5D1000-memory.dmp

Filesize
3.3MB

Download
memory/2000-211-0x00007FF7DF010000-0x00007FF7DF361000-memory.dmp

Filesize
3.3MB

Download
memory/2000-7-0x00007FF7DF010000-0x00007FF7DF361000-memory.dmp

Filesize
3.3MB

Download
memory/2000-67-0x00007FF7DF010000-0x00007FF7DF361000-memory.dmp

Filesize
3.3MB

Download
memory/3128-154-0x00007FF6E3CF0000-0x00007FF6E4041000-memory.dmp

Filesize
3.3MB

Download
memory/3128-109-0x00007FF6E3CF0000-0x00007FF6E4041000-memory.dmp

Filesize
3.3MB

Download
memory/3128-257-0x00007FF6E3CF0000-0x00007FF6E4041000-memory.dmp

Filesize
3.3MB

Download
memory/3644-89-0x00007FF7B0400000-0x00007FF7B0751000-memory.dmp

Filesize
3.3MB

Download
memory/3644-222-0x00007FF7B0400000-0x00007FF7B0751000-memory.dmp

Filesize
3.3MB

Download
memory/3644-30-0x00007FF7B0400000-0x00007FF7B0751000-memory.dmp

Filesize
3.3MB

Download
memory/4064-79-0x00007FF68D910000-0x00007FF68DC61000-memory.dmp

Filesize
3.3MB

Download
memory/4064-149-0x00007FF68D910000-0x00007FF68DC61000-memory.dmp

Filesize
3.3MB

Download
memory/4064-242-0x00007FF68D910000-0x00007FF68DC61000-memory.dmp

Filesize
3.3MB

Download
memory/4348-251-0x00007FF7E1A80000-0x00007FF7E1DD1000-memory.dmp

Filesize
3.3MB

Download
memory/4348-95-0x00007FF7E1A80000-0x00007FF7E1DD1000-memory.dmp

Filesize
3.3MB

Download
memory/4392-100-0x00007FF701C80000-0x00007FF701FD1000-memory.dmp

Filesize
3.3MB

Download
memory/4392-255-0x00007FF701C80000-0x00007FF701FD1000-memory.dmp

Filesize
3.3MB

Download
memory/4392-153-0x00007FF701C80000-0x00007FF701FD1000-memory.dmp

Filesize
3.3MB

Download
memory/4488-238-0x00007FF62E0E0000-0x00007FF62E431000-memory.dmp

Filesize
3.3MB

Download
memory/4488-71-0x00007FF62E0E0000-0x00007FF62E431000-memory.dmp

Filesize
3.3MB

Download
memory/4508-78-0x00007FF6C8F80000-0x00007FF6C92D1000-memory.dmp

Filesize
3.3MB

Download
memory/4508-18-0x00007FF6C8F80000-0x00007FF6C92D1000-memory.dmp

Filesize
3.3MB

Download
memory/4508-218-0x00007FF6C8F80000-0x00007FF6C92D1000-memory.dmp

Filesize
3.3MB

Download
memory/4720-136-0x00007FF77CCA0000-0x00007FF77CFF1000-memory.dmp

Filesize
3.3MB

Download
memory/4720-263-0x00007FF77CCA0000-0x00007FF77CFF1000-memory.dmp

Filesize
3.3MB

Download
memory/4972-24-0x00007FF6833F0000-0x00007FF683741000-memory.dmp

Filesize
3.3MB

Download
memory/4972-220-0x00007FF6833F0000-0x00007FF683741000-memory.dmp

Filesize
3.3MB

Download
memory/4972-84-0x00007FF6833F0000-0x00007FF683741000-memory.dmp

Filesize
3.3MB

Download
memory/5020-49-0x00007FF6000B0000-0x00007FF600401000-memory.dmp

Filesize
3.3MB

Download
memory/5020-232-0x00007FF6000B0000-0x00007FF600401000-memory.dmp

Filesize
3.3MB

Download
memory/5020-131-0x00007FF6000B0000-0x00007FF600401000-memory.dmp

Filesize
3.3MB

Download
memory/5032-137-0x00007FF71C680000-0x00007FF71C9D1000-memory.dmp

Filesize
3.3MB

Download
memory/5032-160-0x00007FF71C680000-0x00007FF71C9D1000-memory.dmp

Filesize
3.3MB

Download
memory/5032-0-0x00007FF71C680000-0x00007FF71C9D1000-memory.dmp

Filesize
3.3MB

Download
memory/5032-1-0x000002D1769A0000-0x000002D1769B0000-memory.dmp

Filesize
64KB

Download
memory/5032-62-0x00007FF71C680000-0x00007FF71C9D1000-memory.dmp

Filesize
3.3MB

Download
memory/5116-130-0x00007FF60E750000-0x00007FF60EAA1000-memory.dmp

Filesize
3.3MB

Download
memory/5116-259-0x00007FF60E750000-0x00007FF60EAA1000-memory.dmp

Filesize
3.3MB

Download