cobaltstrike | 4c4776dee5ffc86a5b19db43a7ccaac8254a599e1e4eb5796d481c69f2e379df

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 07:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

7a52c26e02c8afe47dbc7fabaee8bdc8
SHA1

77cb7c4524e8b9f9153c2eb999715e99fbb976e9
SHA256

4c4776dee5ffc86a5b19db43a7ccaac8254a599e1e4eb5796d481c69f2e379df
SHA512

075d95962153daf08318a9d197e98295a02705d180a6635055975fc5e483f9a6d5afca41e6d07e6fb6d5c5e3f221a6766cc5bc716f4182bfad1678b24dce4640
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lV:RWWBibf56utgpPFotBER/mQ32lUB

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\CtlqHIU.exe	cobalt_reflective_dll
C:\Windows\System\rJMBEzO.exe	cobalt_reflective_dll
C:\Windows\System\jKlnLtG.exe	cobalt_reflective_dll
C:\Windows\System\uxNgQNj.exe	cobalt_reflective_dll
C:\Windows\System\dskmOsE.exe	cobalt_reflective_dll
C:\Windows\System\pUwbKGx.exe	cobalt_reflective_dll
C:\Windows\System\VdgdBXv.exe	cobalt_reflective_dll
C:\Windows\System\XrwYCxu.exe	cobalt_reflective_dll
C:\Windows\System\rGsXdSp.exe	cobalt_reflective_dll
C:\Windows\System\bXtVowe.exe	cobalt_reflective_dll
C:\Windows\System\vMKhJjp.exe	cobalt_reflective_dll
C:\Windows\System\bVtKXyR.exe	cobalt_reflective_dll
C:\Windows\System\itdCDCj.exe	cobalt_reflective_dll
C:\Windows\System\auSeiBo.exe	cobalt_reflective_dll
C:\Windows\System\hPhKdYx.exe	cobalt_reflective_dll
C:\Windows\System\kgGJLIH.exe	cobalt_reflective_dll
C:\Windows\System\aabtBQn.exe	cobalt_reflective_dll
C:\Windows\System\vVqIOIb.exe	cobalt_reflective_dll
C:\Windows\System\lrBpJnb.exe	cobalt_reflective_dll
C:\Windows\System\OwGUabU.exe	cobalt_reflective_dll
C:\Windows\System\zpgUEAY.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1508-58-0x00007FF7A1510000-0x00007FF7A1861000-memory.dmp	xmrig
behavioral2/memory/1668-67-0x00007FF7BB1D0000-0x00007FF7BB521000-memory.dmp	xmrig
behavioral2/memory/2600-73-0x00007FF698670000-0x00007FF6989C1000-memory.dmp	xmrig
behavioral2/memory/4636-82-0x00007FF7EBC30000-0x00007FF7EBF81000-memory.dmp	xmrig
behavioral2/memory/2612-83-0x00007FF66BE20000-0x00007FF66C171000-memory.dmp	xmrig
behavioral2/memory/2320-86-0x00007FF6B4190000-0x00007FF6B44E1000-memory.dmp	xmrig
behavioral2/memory/944-91-0x00007FF636FF0000-0x00007FF637341000-memory.dmp	xmrig
behavioral2/memory/4916-96-0x00007FF7A6210000-0x00007FF7A6561000-memory.dmp	xmrig
behavioral2/memory/3460-87-0x00007FF6A6EE0000-0x00007FF6A7231000-memory.dmp	xmrig
behavioral2/memory/876-101-0x00007FF6DA680000-0x00007FF6DA9D1000-memory.dmp	xmrig
behavioral2/memory/2208-114-0x00007FF7D5540000-0x00007FF7D5891000-memory.dmp	xmrig
behavioral2/memory/4768-127-0x00007FF622120000-0x00007FF622471000-memory.dmp	xmrig
behavioral2/memory/4220-111-0x00007FF6864A0000-0x00007FF6867F1000-memory.dmp	xmrig
behavioral2/memory/2236-100-0x00007FF689CB0000-0x00007FF68A001000-memory.dmp	xmrig
behavioral2/memory/1508-140-0x00007FF7A1510000-0x00007FF7A1861000-memory.dmp	xmrig
behavioral2/memory/3704-153-0x00007FF6A7DD0000-0x00007FF6A8121000-memory.dmp	xmrig
behavioral2/memory/8-156-0x00007FF7902B0000-0x00007FF790601000-memory.dmp	xmrig
behavioral2/memory/948-158-0x00007FF628ED0000-0x00007FF629221000-memory.dmp	xmrig
behavioral2/memory/4888-159-0x00007FF7D2470000-0x00007FF7D27C1000-memory.dmp	xmrig
behavioral2/memory/3392-160-0x00007FF7D07F0000-0x00007FF7D0B41000-memory.dmp	xmrig
behavioral2/memory/5100-163-0x00007FF64EC50000-0x00007FF64EFA1000-memory.dmp	xmrig
behavioral2/memory/3972-162-0x00007FF773350000-0x00007FF7736A1000-memory.dmp	xmrig
behavioral2/memory/708-164-0x00007FF79D430000-0x00007FF79D781000-memory.dmp	xmrig
behavioral2/memory/1508-161-0x00007FF7A1510000-0x00007FF7A1861000-memory.dmp	xmrig
behavioral2/memory/1668-214-0x00007FF7BB1D0000-0x00007FF7BB521000-memory.dmp	xmrig
behavioral2/memory/2600-216-0x00007FF698670000-0x00007FF6989C1000-memory.dmp	xmrig
behavioral2/memory/4636-218-0x00007FF7EBC30000-0x00007FF7EBF81000-memory.dmp	xmrig
behavioral2/memory/3460-227-0x00007FF6A6EE0000-0x00007FF6A7231000-memory.dmp	xmrig
behavioral2/memory/944-229-0x00007FF636FF0000-0x00007FF637341000-memory.dmp	xmrig
behavioral2/memory/4916-231-0x00007FF7A6210000-0x00007FF7A6561000-memory.dmp	xmrig
behavioral2/memory/2236-233-0x00007FF689CB0000-0x00007FF68A001000-memory.dmp	xmrig
behavioral2/memory/4220-235-0x00007FF6864A0000-0x00007FF6867F1000-memory.dmp	xmrig
behavioral2/memory/2208-238-0x00007FF7D5540000-0x00007FF7D5891000-memory.dmp	xmrig
behavioral2/memory/876-240-0x00007FF6DA680000-0x00007FF6DA9D1000-memory.dmp	xmrig
behavioral2/memory/4768-242-0x00007FF622120000-0x00007FF622471000-memory.dmp	xmrig
behavioral2/memory/2612-246-0x00007FF66BE20000-0x00007FF66C171000-memory.dmp	xmrig
behavioral2/memory/2320-248-0x00007FF6B4190000-0x00007FF6B44E1000-memory.dmp	xmrig
behavioral2/memory/3704-252-0x00007FF6A7DD0000-0x00007FF6A8121000-memory.dmp	xmrig
behavioral2/memory/8-254-0x00007FF7902B0000-0x00007FF790601000-memory.dmp	xmrig
behavioral2/memory/948-260-0x00007FF628ED0000-0x00007FF629221000-memory.dmp	xmrig
behavioral2/memory/3392-262-0x00007FF7D07F0000-0x00007FF7D0B41000-memory.dmp	xmrig
behavioral2/memory/4888-264-0x00007FF7D2470000-0x00007FF7D27C1000-memory.dmp	xmrig
behavioral2/memory/3972-268-0x00007FF773350000-0x00007FF7736A1000-memory.dmp	xmrig
behavioral2/memory/5100-270-0x00007FF64EC50000-0x00007FF64EFA1000-memory.dmp	xmrig
behavioral2/memory/708-272-0x00007FF79D430000-0x00007FF79D781000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

CtlqHIU.exejKlnLtG.exerJMBEzO.exeuxNgQNj.exedskmOsE.exepUwbKGx.exeVdgdBXv.exeXrwYCxu.exerGsXdSp.exevMKhJjp.exebXtVowe.exebVtKXyR.exeitdCDCj.exehPhKdYx.exeauSeiBo.exekgGJLIH.exeaabtBQn.exezpgUEAY.exevVqIOIb.exeOwGUabU.exelrBpJnb.exe

pid	process
1668	CtlqHIU.exe
2600	jKlnLtG.exe
4636	rJMBEzO.exe
3460	uxNgQNj.exe
944	dskmOsE.exe
4916	pUwbKGx.exe
2236	VdgdBXv.exe
876	XrwYCxu.exe
4220	rGsXdSp.exe
2208	vMKhJjp.exe
4768	bXtVowe.exe
2612	bVtKXyR.exe
2320	itdCDCj.exe
3704	hPhKdYx.exe
8	auSeiBo.exe
948	kgGJLIH.exe
4888	aabtBQn.exe
3392	zpgUEAY.exe
3972	vVqIOIb.exe
5100	OwGUabU.exe
708	lrBpJnb.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1508-0-0x00007FF7A1510000-0x00007FF7A1861000-memory.dmp	upx
C:\Windows\System\CtlqHIU.exe	upx
C:\Windows\System\rJMBEzO.exe	upx
behavioral2/memory/1668-10-0x00007FF7BB1D0000-0x00007FF7BB521000-memory.dmp	upx
C:\Windows\System\jKlnLtG.exe	upx
behavioral2/memory/4636-17-0x00007FF7EBC30000-0x00007FF7EBF81000-memory.dmp	upx
behavioral2/memory/2600-12-0x00007FF698670000-0x00007FF6989C1000-memory.dmp	upx
C:\Windows\System\uxNgQNj.exe	upx
behavioral2/memory/3460-25-0x00007FF6A6EE0000-0x00007FF6A7231000-memory.dmp	upx
C:\Windows\System\dskmOsE.exe	upx
behavioral2/memory/4916-36-0x00007FF7A6210000-0x00007FF7A6561000-memory.dmp	upx
C:\Windows\System\pUwbKGx.exe	upx
C:\Windows\System\VdgdBXv.exe	upx
behavioral2/memory/2236-43-0x00007FF689CB0000-0x00007FF68A001000-memory.dmp	upx
C:\Windows\System\XrwYCxu.exe	upx
behavioral2/memory/876-50-0x00007FF6DA680000-0x00007FF6DA9D1000-memory.dmp	upx
C:\Windows\System\rGsXdSp.exe	upx
behavioral2/memory/1508-58-0x00007FF7A1510000-0x00007FF7A1861000-memory.dmp	upx
behavioral2/memory/2208-59-0x00007FF7D5540000-0x00007FF7D5891000-memory.dmp	upx
C:\Windows\System\bXtVowe.exe	upx
behavioral2/memory/1668-67-0x00007FF7BB1D0000-0x00007FF7BB521000-memory.dmp	upx
behavioral2/memory/4768-68-0x00007FF622120000-0x00007FF622471000-memory.dmp	upx
C:\Windows\System\vMKhJjp.exe	upx
behavioral2/memory/4220-52-0x00007FF6864A0000-0x00007FF6867F1000-memory.dmp	upx
behavioral2/memory/944-30-0x00007FF636FF0000-0x00007FF637341000-memory.dmp	upx
behavioral2/memory/2600-73-0x00007FF698670000-0x00007FF6989C1000-memory.dmp	upx
C:\Windows\System\bVtKXyR.exe	upx
C:\Windows\System\itdCDCj.exe	upx
behavioral2/memory/4636-82-0x00007FF7EBC30000-0x00007FF7EBF81000-memory.dmp	upx
behavioral2/memory/2612-83-0x00007FF66BE20000-0x00007FF66C171000-memory.dmp	upx
behavioral2/memory/2320-86-0x00007FF6B4190000-0x00007FF6B44E1000-memory.dmp	upx
behavioral2/memory/944-91-0x00007FF636FF0000-0x00007FF637341000-memory.dmp	upx
behavioral2/memory/4916-96-0x00007FF7A6210000-0x00007FF7A6561000-memory.dmp	upx
C:\Windows\System\auSeiBo.exe	upx
behavioral2/memory/8-97-0x00007FF7902B0000-0x00007FF790601000-memory.dmp	upx
behavioral2/memory/3704-95-0x00007FF6A7DD0000-0x00007FF6A8121000-memory.dmp	upx
C:\Windows\System\hPhKdYx.exe	upx
behavioral2/memory/3460-87-0x00007FF6A6EE0000-0x00007FF6A7231000-memory.dmp	upx
behavioral2/memory/876-101-0x00007FF6DA680000-0x00007FF6DA9D1000-memory.dmp	upx
C:\Windows\System\kgGJLIH.exe	upx
C:\Windows\System\aabtBQn.exe	upx
behavioral2/memory/2208-114-0x00007FF7D5540000-0x00007FF7D5891000-memory.dmp	upx
behavioral2/memory/4888-116-0x00007FF7D2470000-0x00007FF7D27C1000-memory.dmp	upx
C:\Windows\System\vVqIOIb.exe	upx
behavioral2/memory/3392-121-0x00007FF7D07F0000-0x00007FF7D0B41000-memory.dmp	upx
behavioral2/memory/5100-136-0x00007FF64EC50000-0x00007FF64EFA1000-memory.dmp	upx
C:\Windows\System\lrBpJnb.exe	upx
behavioral2/memory/708-137-0x00007FF79D430000-0x00007FF79D781000-memory.dmp	upx
C:\Windows\System\OwGUabU.exe	upx
behavioral2/memory/3972-132-0x00007FF773350000-0x00007FF7736A1000-memory.dmp	upx
behavioral2/memory/4768-127-0x00007FF622120000-0x00007FF622471000-memory.dmp	upx
C:\Windows\System\zpgUEAY.exe	upx
behavioral2/memory/4220-111-0x00007FF6864A0000-0x00007FF6867F1000-memory.dmp	upx
behavioral2/memory/948-105-0x00007FF628ED0000-0x00007FF629221000-memory.dmp	upx
behavioral2/memory/2236-100-0x00007FF689CB0000-0x00007FF68A001000-memory.dmp	upx
behavioral2/memory/1508-140-0x00007FF7A1510000-0x00007FF7A1861000-memory.dmp	upx
behavioral2/memory/3704-153-0x00007FF6A7DD0000-0x00007FF6A8121000-memory.dmp	upx
behavioral2/memory/8-156-0x00007FF7902B0000-0x00007FF790601000-memory.dmp	upx
behavioral2/memory/948-158-0x00007FF628ED0000-0x00007FF629221000-memory.dmp	upx
behavioral2/memory/4888-159-0x00007FF7D2470000-0x00007FF7D27C1000-memory.dmp	upx
behavioral2/memory/3392-160-0x00007FF7D07F0000-0x00007FF7D0B41000-memory.dmp	upx
behavioral2/memory/5100-163-0x00007FF64EC50000-0x00007FF64EFA1000-memory.dmp	upx
behavioral2/memory/3972-162-0x00007FF773350000-0x00007FF7736A1000-memory.dmp	upx
behavioral2/memory/708-164-0x00007FF79D430000-0x00007FF79D781000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\zpgUEAY.exe	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rJMBEzO.exe	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uxNgQNj.exe	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rGsXdSp.exe	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vMKhJjp.exe	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kgGJLIH.exe	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pUwbKGx.exe	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bXtVowe.exe	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bVtKXyR.exe	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\itdCDCj.exe	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hPhKdYx.exe	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CtlqHIU.exe	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dskmOsE.exe	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VdgdBXv.exe	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XrwYCxu.exe	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OwGUabU.exe	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jKlnLtG.exe	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\auSeiBo.exe	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aabtBQn.exe	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vVqIOIb.exe	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lrBpJnb.exe	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 1508 wrote to memory of 1668	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	CtlqHIU.exe
PID 1508 wrote to memory of 1668	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	CtlqHIU.exe
PID 1508 wrote to memory of 2600	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	jKlnLtG.exe
PID 1508 wrote to memory of 2600	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	jKlnLtG.exe
PID 1508 wrote to memory of 4636	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	rJMBEzO.exe
PID 1508 wrote to memory of 4636	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	rJMBEzO.exe
PID 1508 wrote to memory of 3460	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	uxNgQNj.exe
PID 1508 wrote to memory of 3460	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	uxNgQNj.exe
PID 1508 wrote to memory of 944	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	dskmOsE.exe
PID 1508 wrote to memory of 944	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	dskmOsE.exe
PID 1508 wrote to memory of 4916	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	pUwbKGx.exe
PID 1508 wrote to memory of 4916	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	pUwbKGx.exe
PID 1508 wrote to memory of 2236	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	VdgdBXv.exe
PID 1508 wrote to memory of 2236	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	VdgdBXv.exe
PID 1508 wrote to memory of 876	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	XrwYCxu.exe
PID 1508 wrote to memory of 876	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	XrwYCxu.exe
PID 1508 wrote to memory of 4220	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	rGsXdSp.exe
PID 1508 wrote to memory of 4220	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	rGsXdSp.exe
PID 1508 wrote to memory of 2208	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	vMKhJjp.exe
PID 1508 wrote to memory of 2208	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	vMKhJjp.exe
PID 1508 wrote to memory of 4768	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	bXtVowe.exe
PID 1508 wrote to memory of 4768	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	bXtVowe.exe
PID 1508 wrote to memory of 2612	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	bVtKXyR.exe
PID 1508 wrote to memory of 2612	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	bVtKXyR.exe
PID 1508 wrote to memory of 2320	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	itdCDCj.exe
PID 1508 wrote to memory of 2320	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	itdCDCj.exe
PID 1508 wrote to memory of 8	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	auSeiBo.exe
PID 1508 wrote to memory of 8	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	auSeiBo.exe
PID 1508 wrote to memory of 3704	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	hPhKdYx.exe
PID 1508 wrote to memory of 3704	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	hPhKdYx.exe
PID 1508 wrote to memory of 948	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	kgGJLIH.exe
PID 1508 wrote to memory of 948	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	kgGJLIH.exe
PID 1508 wrote to memory of 4888	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	aabtBQn.exe
PID 1508 wrote to memory of 4888	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	aabtBQn.exe
PID 1508 wrote to memory of 3392	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	zpgUEAY.exe
PID 1508 wrote to memory of 3392	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	zpgUEAY.exe
PID 1508 wrote to memory of 3972	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	vVqIOIb.exe
PID 1508 wrote to memory of 3972	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	vVqIOIb.exe
PID 1508 wrote to memory of 5100	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	OwGUabU.exe
PID 1508 wrote to memory of 5100	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	OwGUabU.exe
PID 1508 wrote to memory of 708	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	lrBpJnb.exe
PID 1508 wrote to memory of 708	1508	2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe	lrBpJnb.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-18_7a52c26e02c8afe47dbc7fabaee8bdc8_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\System\CtlqHIU.exe
  C:\Windows\System\CtlqHIU.exe
  2⤵
  - Executes dropped EXE
  PID:1668
- C:\Windows\System\jKlnLtG.exe
  C:\Windows\System\jKlnLtG.exe
  2⤵
  - Executes dropped EXE
  PID:2600
- C:\Windows\System\rJMBEzO.exe
  C:\Windows\System\rJMBEzO.exe
  2⤵
  - Executes dropped EXE
  PID:4636
- C:\Windows\System\uxNgQNj.exe
  C:\Windows\System\uxNgQNj.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System\dskmOsE.exe
  C:\Windows\System\dskmOsE.exe
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\System\pUwbKGx.exe
  C:\Windows\System\pUwbKGx.exe
  2⤵
  - Executes dropped EXE
  PID:4916
- C:\Windows\System\VdgdBXv.exe
  C:\Windows\System\VdgdBXv.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System\XrwYCxu.exe
  C:\Windows\System\XrwYCxu.exe
  2⤵
  - Executes dropped EXE
  PID:876
- C:\Windows\System\rGsXdSp.exe
  C:\Windows\System\rGsXdSp.exe
  2⤵
  - Executes dropped EXE
  PID:4220
- C:\Windows\System\vMKhJjp.exe
  C:\Windows\System\vMKhJjp.exe
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Windows\System\bXtVowe.exe
  C:\Windows\System\bXtVowe.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System\bVtKXyR.exe
  C:\Windows\System\bVtKXyR.exe
  2⤵
  - Executes dropped EXE
  PID:2612
- C:\Windows\System\itdCDCj.exe
  C:\Windows\System\itdCDCj.exe
  2⤵
  - Executes dropped EXE
  PID:2320
- C:\Windows\System\auSeiBo.exe
  C:\Windows\System\auSeiBo.exe
  2⤵
  - Executes dropped EXE
  PID:8
- C:\Windows\System\hPhKdYx.exe
  C:\Windows\System\hPhKdYx.exe
  2⤵
  - Executes dropped EXE
  PID:3704
- C:\Windows\System\kgGJLIH.exe
  C:\Windows\System\kgGJLIH.exe
  2⤵
  - Executes dropped EXE
  PID:948
- C:\Windows\System\aabtBQn.exe
  C:\Windows\System\aabtBQn.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Windows\System\zpgUEAY.exe
  C:\Windows\System\zpgUEAY.exe
  2⤵
  - Executes dropped EXE
  PID:3392
- C:\Windows\System\vVqIOIb.exe
  C:\Windows\System\vVqIOIb.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Windows\System\OwGUabU.exe
  C:\Windows\System\OwGUabU.exe
  2⤵
  - Executes dropped EXE
  PID:5100
- C:\Windows\System\lrBpJnb.exe
  C:\Windows\System\lrBpJnb.exe
  2⤵
  - Executes dropped EXE
  PID:708

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CtlqHIU.exe

Filesize
5.2MB

MD5
fe473729485d20146fab6584a210f115

SHA1
e8675b133611d6323c66c501fc52f2c8903fd0e5

SHA256
86fa0e3caa385aa8fee2c1cc2ce30c5b91e01f066accec9296640c415297a7eb

SHA512
9bb9cee13ed80bcbb328208a9a340c7023ac3e3b22d43113d6c3dfe2662ccbdce75619e122886ef407addb3cfaeaab79ba08d296d7a65d3454cb3dfea97b6f24

Download Submit
C:\Windows\System\OwGUabU.exe

Filesize
5.2MB

MD5
d6d0a30eac8418a4de54c15dee096f47

SHA1
28760671298346c1fb3cd3cad800735d45f00aeb

SHA256
a2b38e74c5d1722df16af9d9ab5f0707a6276fc02fa823ba8e723eba81f6f281

SHA512
67c9213f1db36b287bcafde8b4d1966c359dafd5fea5821276f989b36a31c5817c76b6cc3956f62c0474e8247e863c52a266ed2308a185c427007602ea25f9d7

Download Submit
C:\Windows\System\VdgdBXv.exe

Filesize
5.2MB

MD5
e42386689d85dbf0a09b8b352152616b

SHA1
d544d5249d33773e0969e7e5ea8a969b802fc97a

SHA256
ff4c618a05b2442ba32423930e22de825f273b9b03b4e40c0177dcc49cfb5195

SHA512
afc040cc0e03972afee40df6e573c41cd7443cece5aaa93fc074860b0b1bc45693d8aad6296b4cdb8e1b6b989e03fc7a56857405f186316058cf4ed049d244ba

Download Submit
C:\Windows\System\XrwYCxu.exe

Filesize
5.2MB

MD5
5096957491ecd56c51a50d64158f838c

SHA1
e6e538c0cf5f0c64109f4fc585b5e176b6b66871

SHA256
02067a1d9c82f0c6d4eed7961ac74e9bb303c7f68582da9e77266eb610b5ea05

SHA512
aebc1e6bbddd76139eea8b67d7fd0330010349e5f7dc1b73a499a52a75f4c613981c6f43b9a4344fcb3b898144b46abc61e8672aecbdfcd071f740e09d06d52a

Download Submit
C:\Windows\System\aabtBQn.exe

Filesize
5.2MB

MD5
2e290ee25f228831716d5f2324596bda

SHA1
0315a493d50d2b2ec81d3095889c4c1aff7684bd

SHA256
5160e31ab4ba39cb57bad71717202a9dc9bf3b3683f1022fcec566b7daf6fa75

SHA512
1bc1a573c675342409037e383931aef23f4f601894f86ea8d62a87c10b8a63d635291e71969cf936a386b45634b51494a781538cf51607b85681a5d995cd19a0

Download Submit
C:\Windows\System\auSeiBo.exe

Filesize
5.2MB

MD5
cdf66c54d5da671d98882807068f36a0

SHA1
c1dc96c3fbd22678a54c426364bc6c731c4b6682

SHA256
c94694e4bbbb3a9d49fa08737a183a3fa69a0199ad57a3dfce5000330e982c38

SHA512
d0b6ea4ac58790d24cf90818a737e3a5455bd511186a6833303a21dc838708a3850d2213a56d28de2a645fbb6fa2fc95e5a6e5c63014350fb9dbe3c03984667a

Download Submit
C:\Windows\System\bVtKXyR.exe

Filesize
5.2MB

MD5
00491ab12681cf11f6df10d74e82c510

SHA1
83bd4f2f26d662e7d5aa9e39e01c89ea98e3dca9

SHA256
d5d4819ea015bba9d4a723f5fb0f1b0b7e41f16838aeac6b82a48ce0e3569cf4

SHA512
91614c888e48236f6326a36ce5eab3dea229c8ec065ff7340b3e0548904b42ba5c4b7e0a05a631dbc0137c37d756217557975565e3951095e754f6be7f357a9d

Download Submit
C:\Windows\System\bXtVowe.exe

Filesize
5.2MB

MD5
280cb34a323506ad0b2b9f13414028a5

SHA1
8cb11ca7dbcdc172313a2598c9d78fc925be263e

SHA256
556355d8d2ca0e3150c48d5ef3ccd9ac6d4db81d7b1150366850a98ea8337df8

SHA512
22ef3683eee181296bb2bdb14836a0930d5ddb66a1df1b78b9d21bc15f3f9deea2374914a382df833909977b8edd820302e650317245dfbf1ec4cb90efa9e33e

Download Submit
C:\Windows\System\dskmOsE.exe

Filesize
5.2MB

MD5
15916fa1047386474bc484af661cfde5

SHA1
cb4e8da327a2558bafa1b169818d38c84b79ff75

SHA256
ad6835a233c43ce1b1c8cab4d5ee0b657f3d92a5b782ca133e42d617cadf5ced

SHA512
4ae0b96d35a046e849d0b33766517d8aab7452fc5418b7edc875d550d6ae47d5de31238b4bd0fee9492491d8316216eb763480e7f1fc616636b369a6413d00a6

Download Submit
C:\Windows\System\hPhKdYx.exe

Filesize
5.2MB

MD5
bdf682db3b967a9523591f2d9a3c1d5c

SHA1
c0ac1d8321e2d8649dd506d37bbd5ec757e426d6

SHA256
98a4dcf509489d1d1d93e5cd3def92b80a69e12aec6fe0827fabe89da2cf2ad1

SHA512
bd0d1b7d0b43e32fa4bbdab530825d68ac1daf90508d35664dba2c84b5bd2957ff9f47feaaeb38a4b084935f1a20c9a28d388e51f9f602e010799e46083ef7a0

Download Submit
C:\Windows\System\itdCDCj.exe

Filesize
5.2MB

MD5
4e22a80ca20667d9568263989edd414c

SHA1
ae39e08a3f8d41e7f489eaf6a9e9f3baef459e28

SHA256
475c2e649c6a71890739445015254969208eb64c0becdb6f04141258e2d91cbb

SHA512
05450289b9d24e0e5d7292f177078934211c907d6145ae5881ed9674532ecdd4662ad4ad47263a44968e45f5d2105ad51deb9d7ad614bd7de58a245b67148fe5

Download Submit
C:\Windows\System\jKlnLtG.exe

Filesize
5.2MB

MD5
d62f55271fc012d272fa73a2132cf457

SHA1
ee7221c63b4d030e0b6c73dbbb3db3e2a8c57ab2

SHA256
c69c78f62e9ab50633c3c708cbf42428bc09a0f862239f6425e438042d77045a

SHA512
e1b58cc5fc82fb2ede52cb76b201d062d01a479d088927ddb65c16a9da01a0b4aed44d7a53aad12e5ca7dc6bc2da4c3b7578301822be1535c488a8555d95e96a

Download Submit
C:\Windows\System\kgGJLIH.exe

Filesize
5.2MB

MD5
51f740153489befb24b59c9db62869bb

SHA1
e5396c169ba9ff7b3e60ba2d7c94f0eb4e8e76f5

SHA256
6c3feccd26869d175bb6f99c95505173b1648e6608d9642d4938b4aa8b990460

SHA512
ad695fa9e8970bf82578cda68db126e0306aef9458451070c6524f4ea6065d876ea88ec30cd0703f1e304d21d40794df2c4ccfa6b025c2ebfc5e02cba6205a5f

Download Submit
C:\Windows\System\lrBpJnb.exe

Filesize
5.2MB

MD5
169d5b16554d0354a6b595f9ada6eacf

SHA1
e5c5887421d336f65364779398f91983fae2239d

SHA256
cb73b40e1df98209b8739779815449a4b1677c42124207478062a0085d376b12

SHA512
475e464a3f3a3f400bcd0df66fe7242bac59b6b44176b8aaffaeb29a54b4b6375590a24047c31a749da02026d0a01a93be43e5d4bf272769b19b381005bfed8f

Download Submit
C:\Windows\System\pUwbKGx.exe

Filesize
5.2MB

MD5
da015ec8b30dd5b86251a1b18ed739db

SHA1
d33fa5d63b360f470d2bbe38f222c13c80b6a45e

SHA256
5b0ea58cb49be8d319bb767f37773233211f0048a32506f71c45acb0deea889c

SHA512
b4ee9a14e07f6fcfb0b842fbb090dd8ece9f5fdf5ae0422fd91576053e3e3d57549ec5a05494b2d66536c1002330fdbe85a1ad0df18935ad3601c2e858f0dfe6

Download Submit
C:\Windows\System\rGsXdSp.exe

Filesize
5.2MB

MD5
b539812a8c81df8e6e9fdba43df281a7

SHA1
dc54ecd5a0ca5d618de0610fe37b95496ec7759c

SHA256
456f3e68520580a249a87c7e1fa729f303a302cf2714d837f2465fce3c437e52

SHA512
151813d59ce0d42f09d2ada7e57adb198180024f85fb175eae3e1442976c3a6058d3cc3504638619f51a02dc013d183c7727b179616c5144492b414cf6b0b074

Download Submit
C:\Windows\System\rJMBEzO.exe

Filesize
5.2MB

MD5
fc01433dd317da033e7d8774bb8fbf8a

SHA1
05393fb2356e9fd2ddfa6680008e7d79142949a7

SHA256
6720c586f48fdcfdd2800040c020d93083fb813df00119fd52a96ce62df7b78c

SHA512
cec99507cc62019adc09df0db37ba19db838fac6ec130f41ae0bd4347d1034247fad28916900bda8e59c0c76957ec4f18ec16251be488965a8a57744f653893f

Download Submit
C:\Windows\System\uxNgQNj.exe

Filesize
5.2MB

MD5
e1f13876bf97ded2762653a33b11afcc

SHA1
433e31a236a9df3f07da9f09e4fbd9be24939448

SHA256
9e16deca2f12a942a601eb492d14562f35208d0f0dace293b5dc52d88989c98a

SHA512
07b528ff6f01f92793cac51aafcdfddd59864b10f849908dc094aee6991b7cb57fa114814f47f1aff299d5380856135121c989d5fd0f2feb6227f00c5d7842ab

Download Submit
C:\Windows\System\vMKhJjp.exe

Filesize
5.2MB

MD5
4a2092722e03715eb403df40262db789

SHA1
0d3420daaaf4f724c05f8171dfb15878bd87bd75

SHA256
0f474e0010f4aa8fe61eaa37bc6d29361b5a92af3f4890886a710a27cc83f5d7

SHA512
9975989b38404e341a378c6a2bae30fb0887b4cacb8fc4eb9a24db5d198646d47f68f2b582264dfaec535b04eb50d073e698939b7b73aebe6988220162d970fd

Download Submit
C:\Windows\System\vVqIOIb.exe

Filesize
5.2MB

MD5
59d971865a49d5a016c7dd85992226ad

SHA1
d3d29fa31030c244b045c6e3f8133a5c3f109082

SHA256
73e27ccdaabf9dfc7bfcf0d9137f90b5e2e5aaa9f2a4d18743252f5a7f230828

SHA512
878158b178422a870dc66bdef79a4bb10476c4e5fc1dffce0415cb537fcba1fb07304e4289c4bb426aff4a3d2de891728c442618781e6fef3b8caee8dbf111c8

Download Submit
C:\Windows\System\zpgUEAY.exe

Filesize
5.2MB

MD5
2cc4d8b53d598baf66b3c6ec22fa73e8

SHA1
e8eb206051d9e5b3404243d91792e309563f90a8

SHA256
5c1296f3854e16f72422c8d2998c51416cbf3d246a2020e22c2e8ef07f7e55af

SHA512
f13383c2bda756bccc1b92e97acc373c372ca69cc27a6acc4287ffa746524e164b1e1f8017c33776de840fbbe0fbaa02be9d3d55aa5baf8c722fca5b81088c9b

Download Submit
memory/8-254-0x00007FF7902B0000-0x00007FF790601000-memory.dmp

Filesize
3.3MB

Download
memory/8-97-0x00007FF7902B0000-0x00007FF790601000-memory.dmp

Filesize
3.3MB

Download
memory/8-156-0x00007FF7902B0000-0x00007FF790601000-memory.dmp

Filesize
3.3MB

Download
memory/708-137-0x00007FF79D430000-0x00007FF79D781000-memory.dmp

Filesize
3.3MB

Download
memory/708-272-0x00007FF79D430000-0x00007FF79D781000-memory.dmp

Filesize
3.3MB

Download
memory/708-164-0x00007FF79D430000-0x00007FF79D781000-memory.dmp

Filesize
3.3MB

Download
memory/876-240-0x00007FF6DA680000-0x00007FF6DA9D1000-memory.dmp

Filesize
3.3MB

Download
memory/876-50-0x00007FF6DA680000-0x00007FF6DA9D1000-memory.dmp

Filesize
3.3MB

Download
memory/876-101-0x00007FF6DA680000-0x00007FF6DA9D1000-memory.dmp

Filesize
3.3MB

Download
memory/944-30-0x00007FF636FF0000-0x00007FF637341000-memory.dmp

Filesize
3.3MB

Download
memory/944-229-0x00007FF636FF0000-0x00007FF637341000-memory.dmp

Filesize
3.3MB

Download
memory/944-91-0x00007FF636FF0000-0x00007FF637341000-memory.dmp

Filesize
3.3MB

Download
memory/948-260-0x00007FF628ED0000-0x00007FF629221000-memory.dmp

Filesize
3.3MB

Download
memory/948-105-0x00007FF628ED0000-0x00007FF629221000-memory.dmp

Filesize
3.3MB

Download
memory/948-158-0x00007FF628ED0000-0x00007FF629221000-memory.dmp

Filesize
3.3MB

Download
memory/1508-58-0x00007FF7A1510000-0x00007FF7A1861000-memory.dmp

Filesize
3.3MB

Download
memory/1508-161-0x00007FF7A1510000-0x00007FF7A1861000-memory.dmp

Filesize
3.3MB

Download
memory/1508-140-0x00007FF7A1510000-0x00007FF7A1861000-memory.dmp

Filesize
3.3MB

Download
memory/1508-0-0x00007FF7A1510000-0x00007FF7A1861000-memory.dmp

Filesize
3.3MB

Download
memory/1508-1-0x000001C143230000-0x000001C143240000-memory.dmp

Filesize
64KB

Download
memory/1668-67-0x00007FF7BB1D0000-0x00007FF7BB521000-memory.dmp

Filesize
3.3MB

Download
memory/1668-214-0x00007FF7BB1D0000-0x00007FF7BB521000-memory.dmp

Filesize
3.3MB

Download
memory/1668-10-0x00007FF7BB1D0000-0x00007FF7BB521000-memory.dmp

Filesize
3.3MB

Download
memory/2208-114-0x00007FF7D5540000-0x00007FF7D5891000-memory.dmp

Filesize
3.3MB

Download
memory/2208-238-0x00007FF7D5540000-0x00007FF7D5891000-memory.dmp

Filesize
3.3MB

Download
memory/2208-59-0x00007FF7D5540000-0x00007FF7D5891000-memory.dmp

Filesize
3.3MB

Download
memory/2236-233-0x00007FF689CB0000-0x00007FF68A001000-memory.dmp

Filesize
3.3MB

Download
memory/2236-43-0x00007FF689CB0000-0x00007FF68A001000-memory.dmp

Filesize
3.3MB

Download
memory/2236-100-0x00007FF689CB0000-0x00007FF68A001000-memory.dmp

Filesize
3.3MB

Download
memory/2320-86-0x00007FF6B4190000-0x00007FF6B44E1000-memory.dmp

Filesize
3.3MB

Download
memory/2320-248-0x00007FF6B4190000-0x00007FF6B44E1000-memory.dmp

Filesize
3.3MB

Download
memory/2600-12-0x00007FF698670000-0x00007FF6989C1000-memory.dmp

Filesize
3.3MB

Download
memory/2600-73-0x00007FF698670000-0x00007FF6989C1000-memory.dmp

Filesize
3.3MB

Download
memory/2600-216-0x00007FF698670000-0x00007FF6989C1000-memory.dmp

Filesize
3.3MB

Download
memory/2612-246-0x00007FF66BE20000-0x00007FF66C171000-memory.dmp

Filesize
3.3MB

Download
memory/2612-83-0x00007FF66BE20000-0x00007FF66C171000-memory.dmp

Filesize
3.3MB

Download
memory/3392-121-0x00007FF7D07F0000-0x00007FF7D0B41000-memory.dmp

Filesize
3.3MB

Download
memory/3392-262-0x00007FF7D07F0000-0x00007FF7D0B41000-memory.dmp

Filesize
3.3MB

Download
memory/3392-160-0x00007FF7D07F0000-0x00007FF7D0B41000-memory.dmp

Filesize
3.3MB

Download
memory/3460-25-0x00007FF6A6EE0000-0x00007FF6A7231000-memory.dmp

Filesize
3.3MB

Download
memory/3460-227-0x00007FF6A6EE0000-0x00007FF6A7231000-memory.dmp

Filesize
3.3MB

Download
memory/3460-87-0x00007FF6A6EE0000-0x00007FF6A7231000-memory.dmp

Filesize
3.3MB

Download
memory/3704-153-0x00007FF6A7DD0000-0x00007FF6A8121000-memory.dmp

Filesize
3.3MB

Download
memory/3704-252-0x00007FF6A7DD0000-0x00007FF6A8121000-memory.dmp

Filesize
3.3MB

Download
memory/3704-95-0x00007FF6A7DD0000-0x00007FF6A8121000-memory.dmp

Filesize
3.3MB

Download
memory/3972-162-0x00007FF773350000-0x00007FF7736A1000-memory.dmp

Filesize
3.3MB

Download
memory/3972-268-0x00007FF773350000-0x00007FF7736A1000-memory.dmp

Filesize
3.3MB

Download
memory/3972-132-0x00007FF773350000-0x00007FF7736A1000-memory.dmp

Filesize
3.3MB

Download
memory/4220-52-0x00007FF6864A0000-0x00007FF6867F1000-memory.dmp

Filesize
3.3MB

Download
memory/4220-111-0x00007FF6864A0000-0x00007FF6867F1000-memory.dmp

Filesize
3.3MB

Download
memory/4220-235-0x00007FF6864A0000-0x00007FF6867F1000-memory.dmp

Filesize
3.3MB

Download
memory/4636-82-0x00007FF7EBC30000-0x00007FF7EBF81000-memory.dmp

Filesize
3.3MB

Download
memory/4636-218-0x00007FF7EBC30000-0x00007FF7EBF81000-memory.dmp

Filesize
3.3MB

Download
memory/4636-17-0x00007FF7EBC30000-0x00007FF7EBF81000-memory.dmp

Filesize
3.3MB

Download
memory/4768-68-0x00007FF622120000-0x00007FF622471000-memory.dmp

Filesize
3.3MB

Download
memory/4768-242-0x00007FF622120000-0x00007FF622471000-memory.dmp

Filesize
3.3MB

Download
memory/4768-127-0x00007FF622120000-0x00007FF622471000-memory.dmp

Filesize
3.3MB

Download
memory/4888-159-0x00007FF7D2470000-0x00007FF7D27C1000-memory.dmp

Filesize
3.3MB

Download
memory/4888-264-0x00007FF7D2470000-0x00007FF7D27C1000-memory.dmp

Filesize
3.3MB

Download
memory/4888-116-0x00007FF7D2470000-0x00007FF7D27C1000-memory.dmp

Filesize
3.3MB

Download
memory/4916-36-0x00007FF7A6210000-0x00007FF7A6561000-memory.dmp

Filesize
3.3MB

Download
memory/4916-231-0x00007FF7A6210000-0x00007FF7A6561000-memory.dmp

Filesize
3.3MB

Download
memory/4916-96-0x00007FF7A6210000-0x00007FF7A6561000-memory.dmp

Filesize
3.3MB

Download
memory/5100-163-0x00007FF64EC50000-0x00007FF64EFA1000-memory.dmp

Filesize
3.3MB

Download
memory/5100-270-0x00007FF64EC50000-0x00007FF64EFA1000-memory.dmp

Filesize
3.3MB

Download
memory/5100-136-0x00007FF64EC50000-0x00007FF64EFA1000-memory.dmp

Filesize
3.3MB

Download