cobaltstrike | 13ebf18b68e3bf15c5b430dc28f63231b298b2e2e07fdaf5e3a48af3d6213ae0

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

5a4def2d7bcf7a9199f6af08fe675d6c
SHA1

ddd09c2822affa73f747706cd7ac4997a18a8cf0
SHA256

13ebf18b68e3bf15c5b430dc28f63231b298b2e2e07fdaf5e3a48af3d6213ae0
SHA512

ecf5974e47b1f60fa026086b4018d79e9cd0d384535aa58deb13ce437bb211ee7b37fe2cf34de0e93d749be037ffd591c5ce88c689b398adbbbe1f63a1cfb137
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l5:RWWBibf56utgpPFotBER/mQ32lUN

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
behavioral2/files/0x0009000000023bcf-5.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c02-9.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c01-10.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c03-23.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c04-30.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c09-36.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bd0-40.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c25-70.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c26-82.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c44-99.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c48-105.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c28-113.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c54-118.dat	cobalt_reflective_dll
behavioral2/files/0x0016000000023c3e-111.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c27-109.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023c3d-104.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c24-85.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c23-74.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c1d-63.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0b-62.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0a-45.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/5036-127-0x00007FF60DB60000-0x00007FF60DEB1000-memory.dmp	xmrig
behavioral2/memory/3892-126-0x00007FF774C70000-0x00007FF774FC1000-memory.dmp	xmrig
behavioral2/memory/4976-123-0x00007FF6E7810000-0x00007FF6E7B61000-memory.dmp	xmrig
behavioral2/memory/2972-122-0x00007FF792060000-0x00007FF7923B1000-memory.dmp	xmrig
behavioral2/memory/944-121-0x00007FF684E00000-0x00007FF685151000-memory.dmp	xmrig
behavioral2/memory/3772-117-0x00007FF7DAC30000-0x00007FF7DAF81000-memory.dmp	xmrig
behavioral2/memory/4380-116-0x00007FF666290000-0x00007FF6665E1000-memory.dmp	xmrig
behavioral2/memory/1744-87-0x00007FF7F04B0000-0x00007FF7F0801000-memory.dmp	xmrig
behavioral2/memory/3040-59-0x00007FF7CFBC0000-0x00007FF7CFF11000-memory.dmp	xmrig
behavioral2/memory/3492-52-0x00007FF6BACD0000-0x00007FF6BB021000-memory.dmp	xmrig
behavioral2/memory/1168-41-0x00007FF6FA070000-0x00007FF6FA3C1000-memory.dmp	xmrig
behavioral2/memory/468-133-0x00007FF618140000-0x00007FF618491000-memory.dmp	xmrig
behavioral2/memory/3492-139-0x00007FF6BACD0000-0x00007FF6BB021000-memory.dmp	xmrig
behavioral2/memory/4940-140-0x00007FF66F9D0000-0x00007FF66FD21000-memory.dmp	xmrig
behavioral2/memory/4020-147-0x00007FF793560000-0x00007FF7938B1000-memory.dmp	xmrig
behavioral2/memory/2044-146-0x00007FF7D5F90000-0x00007FF7D62E1000-memory.dmp	xmrig
behavioral2/memory/3604-152-0x00007FF77A8D0000-0x00007FF77AC21000-memory.dmp	xmrig
behavioral2/memory/3920-150-0x00007FF775C70000-0x00007FF775FC1000-memory.dmp	xmrig
behavioral2/memory/216-141-0x00007FF73E440000-0x00007FF73E791000-memory.dmp	xmrig
behavioral2/memory/4996-144-0x00007FF6FDB90000-0x00007FF6FDEE1000-memory.dmp	xmrig
behavioral2/memory/1180-138-0x00007FF7519A0000-0x00007FF751CF1000-memory.dmp	xmrig
behavioral2/memory/3152-135-0x00007FF782A20000-0x00007FF782D71000-memory.dmp	xmrig
behavioral2/memory/4340-134-0x00007FF654C40000-0x00007FF654F91000-memory.dmp	xmrig
behavioral2/memory/3040-130-0x00007FF7CFBC0000-0x00007FF7CFF11000-memory.dmp	xmrig
behavioral2/memory/3772-202-0x00007FF7DAC30000-0x00007FF7DAF81000-memory.dmp	xmrig
behavioral2/memory/468-206-0x00007FF618140000-0x00007FF618491000-memory.dmp	xmrig
behavioral2/memory/944-211-0x00007FF684E00000-0x00007FF685151000-memory.dmp	xmrig
behavioral2/memory/4340-209-0x00007FF654C40000-0x00007FF654F91000-memory.dmp	xmrig
behavioral2/memory/3152-212-0x00007FF782A20000-0x00007FF782D71000-memory.dmp	xmrig
behavioral2/memory/1168-226-0x00007FF6FA070000-0x00007FF6FA3C1000-memory.dmp	xmrig
behavioral2/memory/3492-228-0x00007FF6BACD0000-0x00007FF6BB021000-memory.dmp	xmrig
behavioral2/memory/1180-230-0x00007FF7519A0000-0x00007FF751CF1000-memory.dmp	xmrig
behavioral2/memory/4940-236-0x00007FF66F9D0000-0x00007FF66FD21000-memory.dmp	xmrig
behavioral2/memory/216-235-0x00007FF73E440000-0x00007FF73E791000-memory.dmp	xmrig
behavioral2/memory/1744-233-0x00007FF7F04B0000-0x00007FF7F0801000-memory.dmp	xmrig
behavioral2/memory/4996-251-0x00007FF6FDB90000-0x00007FF6FDEE1000-memory.dmp	xmrig
behavioral2/memory/3892-258-0x00007FF774C70000-0x00007FF774FC1000-memory.dmp	xmrig
behavioral2/memory/4020-257-0x00007FF793560000-0x00007FF7938B1000-memory.dmp	xmrig
behavioral2/memory/2972-254-0x00007FF792060000-0x00007FF7923B1000-memory.dmp	xmrig
behavioral2/memory/3920-252-0x00007FF775C70000-0x00007FF775FC1000-memory.dmp	xmrig
behavioral2/memory/2044-249-0x00007FF7D5F90000-0x00007FF7D62E1000-memory.dmp	xmrig
behavioral2/memory/5036-246-0x00007FF60DB60000-0x00007FF60DEB1000-memory.dmp	xmrig
behavioral2/memory/4976-245-0x00007FF6E7810000-0x00007FF6E7B61000-memory.dmp	xmrig
behavioral2/memory/4380-238-0x00007FF666290000-0x00007FF6665E1000-memory.dmp	xmrig
behavioral2/memory/3604-263-0x00007FF77A8D0000-0x00007FF77AC21000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

xHCSGQR.exeTbVmpab.exedJfJFCQ.exeJtMckdx.exeOfyWKjO.exeQOqqlMB.exelcdJqZF.exektdFBMl.exeSzoaBFA.exeYvWFrmN.exeHkJFskP.exemSgpGTc.exeGjfofOC.exeNtkJkYW.exeMQoobPH.exeXINxFqa.exeNvgADYu.exeEitbLXY.exeNCkejxB.exeZyTQxjB.exeHERKfcv.exe

pid	Process
3772	xHCSGQR.exe
944	TbVmpab.exe
468	dJfJFCQ.exe
4340	JtMckdx.exe
3152	OfyWKjO.exe
1168	QOqqlMB.exe
1180	lcdJqZF.exe
3492	ktdFBMl.exe
4940	SzoaBFA.exe
216	YvWFrmN.exe
1744	HkJFskP.exe
4380	mSgpGTc.exe
4996	GjfofOC.exe
2972	NtkJkYW.exe
2044	MQoobPH.exe
4976	XINxFqa.exe
4020	NvgADYu.exe
3892	EitbLXY.exe
3920	NCkejxB.exe
5036	ZyTQxjB.exe
3604	HERKfcv.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3040-0-0x00007FF7CFBC0000-0x00007FF7CFF11000-memory.dmp	upx
behavioral2/files/0x0009000000023bcf-5.dat	upx
behavioral2/memory/3772-7-0x00007FF7DAC30000-0x00007FF7DAF81000-memory.dmp	upx
behavioral2/files/0x0008000000023c02-9.dat	upx
behavioral2/files/0x0008000000023c01-10.dat	upx
behavioral2/memory/944-15-0x00007FF684E00000-0x00007FF685151000-memory.dmp	upx
behavioral2/files/0x0008000000023c03-23.dat	upx
behavioral2/files/0x0008000000023c04-30.dat	upx
behavioral2/memory/3152-29-0x00007FF782A20000-0x00007FF782D71000-memory.dmp	upx
behavioral2/memory/4340-25-0x00007FF654C40000-0x00007FF654F91000-memory.dmp	upx
behavioral2/memory/468-16-0x00007FF618140000-0x00007FF618491000-memory.dmp	upx
behavioral2/files/0x0008000000023c09-36.dat	upx
behavioral2/files/0x0009000000023bd0-40.dat	upx
behavioral2/memory/216-67-0x00007FF73E440000-0x00007FF73E791000-memory.dmp	upx
behavioral2/files/0x0008000000023c25-70.dat	upx
behavioral2/files/0x0008000000023c26-82.dat	upx
behavioral2/files/0x0008000000023c44-99.dat	upx
behavioral2/files/0x0008000000023c48-105.dat	upx
behavioral2/files/0x0008000000023c28-113.dat	upx
behavioral2/memory/3604-128-0x00007FF77A8D0000-0x00007FF77AC21000-memory.dmp	upx
behavioral2/memory/5036-127-0x00007FF60DB60000-0x00007FF60DEB1000-memory.dmp	upx
behavioral2/memory/3892-126-0x00007FF774C70000-0x00007FF774FC1000-memory.dmp	upx
behavioral2/memory/4976-123-0x00007FF6E7810000-0x00007FF6E7B61000-memory.dmp	upx
behavioral2/memory/2972-122-0x00007FF792060000-0x00007FF7923B1000-memory.dmp	upx
behavioral2/memory/944-121-0x00007FF684E00000-0x00007FF685151000-memory.dmp	upx
behavioral2/files/0x0008000000023c54-118.dat	upx
behavioral2/memory/3772-117-0x00007FF7DAC30000-0x00007FF7DAF81000-memory.dmp	upx
behavioral2/memory/4380-116-0x00007FF666290000-0x00007FF6665E1000-memory.dmp	upx
behavioral2/files/0x0016000000023c3e-111.dat	upx
behavioral2/files/0x0008000000023c27-109.dat	upx
behavioral2/memory/3920-106-0x00007FF775C70000-0x00007FF775FC1000-memory.dmp	upx
behavioral2/files/0x000b000000023c3d-104.dat	upx
behavioral2/memory/4020-103-0x00007FF793560000-0x00007FF7938B1000-memory.dmp	upx
behavioral2/memory/2044-96-0x00007FF7D5F90000-0x00007FF7D62E1000-memory.dmp	upx
behavioral2/memory/4996-94-0x00007FF6FDB90000-0x00007FF6FDEE1000-memory.dmp	upx
behavioral2/memory/1744-87-0x00007FF7F04B0000-0x00007FF7F0801000-memory.dmp	upx
behavioral2/files/0x0008000000023c24-85.dat	upx
behavioral2/memory/4940-78-0x00007FF66F9D0000-0x00007FF66FD21000-memory.dmp	upx
behavioral2/files/0x0008000000023c23-74.dat	upx
behavioral2/files/0x0008000000023c1d-63.dat	upx
behavioral2/files/0x0008000000023c0b-62.dat	upx
behavioral2/memory/3040-59-0x00007FF7CFBC0000-0x00007FF7CFF11000-memory.dmp	upx
behavioral2/memory/3492-52-0x00007FF6BACD0000-0x00007FF6BB021000-memory.dmp	upx
behavioral2/memory/1180-48-0x00007FF7519A0000-0x00007FF751CF1000-memory.dmp	upx
behavioral2/files/0x0008000000023c0a-45.dat	upx
behavioral2/memory/1168-41-0x00007FF6FA070000-0x00007FF6FA3C1000-memory.dmp	upx
behavioral2/memory/468-133-0x00007FF618140000-0x00007FF618491000-memory.dmp	upx
behavioral2/memory/3492-139-0x00007FF6BACD0000-0x00007FF6BB021000-memory.dmp	upx
behavioral2/memory/4940-140-0x00007FF66F9D0000-0x00007FF66FD21000-memory.dmp	upx
behavioral2/memory/4020-147-0x00007FF793560000-0x00007FF7938B1000-memory.dmp	upx
behavioral2/memory/2044-146-0x00007FF7D5F90000-0x00007FF7D62E1000-memory.dmp	upx
behavioral2/memory/3604-152-0x00007FF77A8D0000-0x00007FF77AC21000-memory.dmp	upx
behavioral2/memory/3920-150-0x00007FF775C70000-0x00007FF775FC1000-memory.dmp	upx
behavioral2/memory/216-141-0x00007FF73E440000-0x00007FF73E791000-memory.dmp	upx
behavioral2/memory/4996-144-0x00007FF6FDB90000-0x00007FF6FDEE1000-memory.dmp	upx
behavioral2/memory/1180-138-0x00007FF7519A0000-0x00007FF751CF1000-memory.dmp	upx
behavioral2/memory/3152-135-0x00007FF782A20000-0x00007FF782D71000-memory.dmp	upx
behavioral2/memory/4340-134-0x00007FF654C40000-0x00007FF654F91000-memory.dmp	upx
behavioral2/memory/3040-130-0x00007FF7CFBC0000-0x00007FF7CFF11000-memory.dmp	upx
behavioral2/memory/3772-202-0x00007FF7DAC30000-0x00007FF7DAF81000-memory.dmp	upx
behavioral2/memory/468-206-0x00007FF618140000-0x00007FF618491000-memory.dmp	upx
behavioral2/memory/944-211-0x00007FF684E00000-0x00007FF685151000-memory.dmp	upx
behavioral2/memory/4340-209-0x00007FF654C40000-0x00007FF654F91000-memory.dmp	upx
behavioral2/memory/3152-212-0x00007FF782A20000-0x00007FF782D71000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	Process
File created	C:\Windows\System\mSgpGTc.exe	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NCkejxB.exe	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZyTQxjB.exe	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HERKfcv.exe	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dJfJFCQ.exe	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HkJFskP.exe	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ktdFBMl.exe	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YvWFrmN.exe	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GjfofOC.exe	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NtkJkYW.exe	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NvgADYu.exe	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XINxFqa.exe	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TbVmpab.exe	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OfyWKjO.exe	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EitbLXY.exe	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SzoaBFA.exe	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MQoobPH.exe	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QOqqlMB.exe	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lcdJqZF.exe	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xHCSGQR.exe	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JtMckdx.exe	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process
Token: SeLockMemoryPrivilege	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process	procid_target
PID 3040 wrote to memory of 3772	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3040 wrote to memory of 3772	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 3040 wrote to memory of 944	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3040 wrote to memory of 944	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3040 wrote to memory of 468	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3040 wrote to memory of 468	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3040 wrote to memory of 4340	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3040 wrote to memory of 4340	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3040 wrote to memory of 3152	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3040 wrote to memory of 3152	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3040 wrote to memory of 1168	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3040 wrote to memory of 1168	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3040 wrote to memory of 1180	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3040 wrote to memory of 1180	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3040 wrote to memory of 3492	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3040 wrote to memory of 3492	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3040 wrote to memory of 4940	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3040 wrote to memory of 4940	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3040 wrote to memory of 216	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3040 wrote to memory of 216	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3040 wrote to memory of 1744	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3040 wrote to memory of 1744	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3040 wrote to memory of 4380	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3040 wrote to memory of 4380	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3040 wrote to memory of 4996	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3040 wrote to memory of 4996	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3040 wrote to memory of 2972	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3040 wrote to memory of 2972	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3040 wrote to memory of 2044	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3040 wrote to memory of 2044	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3040 wrote to memory of 4020	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3040 wrote to memory of 4020	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3040 wrote to memory of 4976	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3040 wrote to memory of 4976	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3040 wrote to memory of 3892	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3040 wrote to memory of 3892	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3040 wrote to memory of 3920	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3040 wrote to memory of 3920	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3040 wrote to memory of 5036	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3040 wrote to memory of 5036	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3040 wrote to memory of 3604	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3040 wrote to memory of 3604	3040	2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-19_5a4def2d7bcf7a9199f6af08fe675d6c_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040
- C:\Windows\System\xHCSGQR.exe
  C:\Windows\System\xHCSGQR.exe
  2⤵
  - Executes dropped EXE
  PID:3772
- C:\Windows\System\TbVmpab.exe
  C:\Windows\System\TbVmpab.exe
  2⤵
  - Executes dropped EXE
  PID:944
- C:\Windows\System\dJfJFCQ.exe
  C:\Windows\System\dJfJFCQ.exe
  2⤵
  - Executes dropped EXE
  PID:468
- C:\Windows\System\JtMckdx.exe
  C:\Windows\System\JtMckdx.exe
  2⤵
  - Executes dropped EXE
  PID:4340
- C:\Windows\System\OfyWKjO.exe
  C:\Windows\System\OfyWKjO.exe
  2⤵
  - Executes dropped EXE
  PID:3152
- C:\Windows\System\QOqqlMB.exe
  C:\Windows\System\QOqqlMB.exe
  2⤵
  - Executes dropped EXE
  PID:1168
- C:\Windows\System\lcdJqZF.exe
  C:\Windows\System\lcdJqZF.exe
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Windows\System\ktdFBMl.exe
  C:\Windows\System\ktdFBMl.exe
  2⤵
  - Executes dropped EXE
  PID:3492
- C:\Windows\System\SzoaBFA.exe
  C:\Windows\System\SzoaBFA.exe
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Windows\System\YvWFrmN.exe
  C:\Windows\System\YvWFrmN.exe
  2⤵
  - Executes dropped EXE
  PID:216
- C:\Windows\System\HkJFskP.exe
  C:\Windows\System\HkJFskP.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System\mSgpGTc.exe
  C:\Windows\System\mSgpGTc.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System\GjfofOC.exe
  C:\Windows\System\GjfofOC.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System\NtkJkYW.exe
  C:\Windows\System\NtkJkYW.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System\MQoobPH.exe
  C:\Windows\System\MQoobPH.exe
  2⤵
  - Executes dropped EXE
  PID:2044
- C:\Windows\System\NvgADYu.exe
  C:\Windows\System\NvgADYu.exe
  2⤵
  - Executes dropped EXE
  PID:4020
- C:\Windows\System\XINxFqa.exe
  C:\Windows\System\XINxFqa.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System\EitbLXY.exe
  C:\Windows\System\EitbLXY.exe
  2⤵
  - Executes dropped EXE
  PID:3892
- C:\Windows\System\NCkejxB.exe
  C:\Windows\System\NCkejxB.exe
  2⤵
  - Executes dropped EXE
  PID:3920
- C:\Windows\System\ZyTQxjB.exe
  C:\Windows\System\ZyTQxjB.exe
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\Windows\System\HERKfcv.exe
  C:\Windows\System\HERKfcv.exe
  2⤵
  - Executes dropped EXE
  PID:3604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\EitbLXY.exe

Filesize
5.2MB

MD5
ddeba20df04a71599e932ad6e4fb3688

SHA1
c47adda364e5e2d8fa7512eb8a868ab425036d38

SHA256
da5a0d5408ba4d3337214505ad10ba0a8739a6866feadbbe8fc5e0aab1b90fe1

SHA512
8ea5a65cb6fe582c540fc78c9b0ab9101ee07b02d2a5ffbb551e63e7eb7fb635faa93d486cb8f3c24cb56dec49903452250be6211dfc3cee2136d4d9568796e9

Download Submit
C:\Windows\System\GjfofOC.exe

Filesize
5.2MB

MD5
6fa7cccd377ffd493d85dc6ee47d1f2e

SHA1
70b043cfa6c19c9e3b3d02396da371cc5996f8fa

SHA256
1bb06ea20a3cb54068a3fa7cbb15775465bf4d5e03fd7099f7e32168259b31d7

SHA512
6a228286e479189b3d2f8f527b71116e7dd519d6da3469598507ffc40e216e4811382eddd3709953a46a3ffeecdc8f84573e65185721b39ee6eb763f2d5b970f

Download Submit
C:\Windows\System\HERKfcv.exe

Filesize
5.2MB

MD5
34911f78f17420ee4b5a3263ef984ea2

SHA1
2bf78e938d41b72f1912687f1540f038f011ca41

SHA256
f41c4945077ce6d99c2568b6c2ac3809f12359f6c1f288a63493d46e3d9212d8

SHA512
26b1f38e8b4aeee2a7727a31ba710ddacc12927d5aa0614d3df277db0c8bda629371e8872cdbbf8702f2adab4cf6ff5ff9d8344a0ceafda46d61389e9ffe5893

Download Submit
C:\Windows\System\HkJFskP.exe

Filesize
5.2MB

MD5
1bab42bc17ad40610d9b872f1e57eea1

SHA1
d3eeed3753dc1607b432fa4464bf04cca52226de

SHA256
d6cad0d7bc6d2c121fc50026523c5b7749a39daf31521ee157b7cdb33e56b8b4

SHA512
6f5c843e2cc171d99d1d9e90c786ae445501e1fef524c6d1034a2e912396a82a64a4e42ebe1236e7fb51a2c0c59aa0b30f5da503cb3400a961c47c2d97e93622

Download Submit
C:\Windows\System\JtMckdx.exe

Filesize
5.2MB

MD5
56f20fcf0502b8727cb5c478d0cf30f8

SHA1
f2960d9035b791937e4b6587bb488c5401f74a0e

SHA256
2224445ce856fc2c0dd149ac64c73609e3dab1a22bdc4de56c18e0a65f645507

SHA512
bcce47f7484e4fe86a8068cfa7b7045ceba0f10f1a0f593d514aef94d1860a761830df7ccca0a20bcc5c6e9ea8c9b3cbcd2495aa7e0c9d363ad5c99d10a0c756

Download Submit
C:\Windows\System\MQoobPH.exe

Filesize
5.2MB

MD5
214e9fa781faf1dbbfb813be7c4d646b

SHA1
fbfd5392213e89ec2d50b8e0785bd81a11479c8f

SHA256
5f511683fac9ce819ff27f3f9079258f2df3523fd363df4378dd9ba3c9b82a7f

SHA512
9a35ab1be8f64c22d8029377fb579175ae22c5f97534baded78b718f175a1b2952b0fc3c8bbc89afa51c2da232623a748411823de2c6a2b104ba7242be5865b5

Download Submit
C:\Windows\System\NCkejxB.exe

Filesize
5.2MB

MD5
dbb011f7d8f62aa46bed1559626ba269

SHA1
44a8899a71ddd8b3b519b1e8ca42a4f78f2fd9db

SHA256
e395558f987c7be29fa8ac4822c3aba9b77f017d3e95ee64224928d86d5de6a5

SHA512
82128fa2eaf684019d411d1440b93e35ba7e02eb4c186afe98e4efdca83ade98dcc81564f75bda8d33252a96fb3b492d250bfced1d84dc1987d707b25ac15881

Download Submit
C:\Windows\System\NtkJkYW.exe

Filesize
5.2MB

MD5
c92f9474937ad516752843de5b37bdd5

SHA1
aca4838b6910a231d27c7833742ab1765a44709f

SHA256
50ace71a37615462d2833e1b38db609804f09bf1f1d43ebbcb40a9faf88de3cb

SHA512
213ad3ba819623d2384cb496de18f80d789d59ec515ecafcb511319d4715ced5ca6b90c23b26720b94a09df3032bbbccb0f55677a64b14f99b567a4b896c125b

Download Submit
C:\Windows\System\NvgADYu.exe

Filesize
5.2MB

MD5
e0887453432dbd0d5ff5f3b49d5e8ad3

SHA1
46023ebc72ffbd7733b5d42b521fc434291231b7

SHA256
ea278193e97fc51903ecbce98af9bac4c8e88a1148cbf5854e5f4f451a58f95e

SHA512
d9cc880042d26a847677577fdad9c746010d59c850c1e88178bb0b52719fb2d97a71889dda752d04bd5dd1dc90ba747cdb06317f113bcd879091db7f3b53e43e

Download Submit
C:\Windows\System\OfyWKjO.exe

Filesize
5.2MB

MD5
a1e579c78ac6c68ed7cc1c8005035947

SHA1
67b220762138c9c3cd4590e8e5b495f270e14e92

SHA256
acc266671ca5d1c542e9be93d1f4dd07f26f95fc24643aa1614c8fb2d3155fa9

SHA512
6be6a5a56b5a58e1bc3837850f8e3ee59cbdd6cf719dc8b29725607d4b6cee0d8f41453d8ac9b629448e5765f62b1e51ad95a9bfcda92dc45118ef000de64963

Download Submit
C:\Windows\System\QOqqlMB.exe

Filesize
5.2MB

MD5
7a11bd18230097876008af3a2c92174d

SHA1
93e8c717e2081d80efe2e12783f78e03caeeff21

SHA256
d55cbe9d7143516edec2e5d9ed55d5a227bf80ac5c751a7d1ba7a2c35a55ee08

SHA512
fdb4e86f4d3ff3b01ab54280b615c2010020abdba66628581342b04bbb32bf3741a4ea784e98a5cf1cf424b9b82028ca4b53b265c3f75df574a9afbfdd87467c

Download Submit
C:\Windows\System\SzoaBFA.exe

Filesize
5.2MB

MD5
3c48bd97f76849bbf9acfc8d72caf5dd

SHA1
1019a900ec683dbb10b3e867455c05e915cd5d66

SHA256
070d3c9a821ace8c5ca7e9b05361dab02c4f969f3356c9f705714554ffa8c3ce

SHA512
0cf89bc21a232e1dd6f07115af159dc8c7c3665c07547f259c8a51514ef7c4f722c39a3a822bece07ffed70d4e3d7e9ebeb6081cbd491314aabbe955c9f8851d

Download Submit
C:\Windows\System\TbVmpab.exe

Filesize
5.2MB

MD5
e01c43baf94cfec44e207f934d813aec

SHA1
7a96218f5f2a1c8523f6583f5cf2943e3387f050

SHA256
af6833f03c2c0c1dbed3a7e8e1f17103b68d92443048c6dadbd4d0c681109206

SHA512
09f5a0676ef13b029cda2c7d62af9e21e556db6f06b29ea1a3cbe1447ba5de095c29a4a49335e03b88a80bb2096e6999598ee24688a900a48bd93061e99f9cd3

Download Submit
C:\Windows\System\XINxFqa.exe

Filesize
5.2MB

MD5
61a05d66bfa4154727a25cf44e93e9db

SHA1
7ecc508b2560b6fa67a7a0bd59e9a0d8aa624076

SHA256
c90c109d7cee9da92d19244b19f7a1b3c47f474a347c8ab37739546315f58f76

SHA512
b57269f1ecf9fcc7adb3f696374905576fecd7875a47b7a49c9ca976ba2e870999a7ea74f83d35548411857389478064b7d8e5cfd5da95cb0fdaf16c2e88e813

Download Submit
C:\Windows\System\YvWFrmN.exe

Filesize
5.2MB

MD5
2a11f773aae9791ab4a0c34c59832435

SHA1
cf02e29cd99f8adc9792cb86296af632a18c46b6

SHA256
29ff274a268326303133f29ece2755a59d574b63f4028d303cfbd4cb5842edac

SHA512
ac9d085a5e197ab35fd7b273dd3f1ce16465bb5e4a9a8519a6e80e6143a24a5ca0233fd6ca0f94e8b406e35929200a38aec22344742508d7df49305164dcfbf7

Download Submit
C:\Windows\System\ZyTQxjB.exe

Filesize
5.2MB

MD5
6c93c443a5dc3df9721baf86a41f5214

SHA1
7dec5d6eab9696845583395b5c47a9aa787fccbe

SHA256
1416a9cb35c6f1dace6d8b5370b59f453733bfc0d6589f2638fbbebc6d1ea142

SHA512
eec45957cdd7156ccbe04a6b0925eb1c21f457bec32e080e6363c2c2ee44b048e9f31a007940efa72347f18adbf9303ca9ac6cdcfdc6691fc6d804ce4ec7edac

Download Submit
C:\Windows\System\dJfJFCQ.exe

Filesize
5.2MB

MD5
a84bf1539e366cc91695223b19a96174

SHA1
edb003edbcaad33a76e6de56bf7fdb4c72b84c2d

SHA256
62318284ab7de62052ded3bb62795358ae097dbfe63042ce60750363d2f27276

SHA512
fd7414db01c89bb5680a0482a1616e17e7d1a31e60733c61674285c3e8cde7c41b792666fe12a4d879410bb3b27c418e9e236629bc909cf801ceeea7b7e35400

Download Submit
C:\Windows\System\ktdFBMl.exe

Filesize
5.2MB

MD5
62e884ec704df20db3432327f1fef51e

SHA1
3e32ed037fc31b0548fde521c3bcd40a1686db8a

SHA256
92e6257752b0aa8eb8171dc51b6c52017e169d688ad5029cd431c2379d87c60c

SHA512
d0f2440a86fae658a8d96e06ee7fef1d74e3628d163872abfc55456194bfb62473a72ce987ba1b463bd9318e8788b9c29478eff77a45227a7f661e60e6e114f0

Download Submit
C:\Windows\System\lcdJqZF.exe

Filesize
5.2MB

MD5
fe65b3c1291662039bcc55143f27a582

SHA1
fa7a419c6b3983290e964a38c0bcc3abcc8aadf0

SHA256
e2a424f92bb3fadaa6de1d52e5b44ea936ba785618a42f181f4b360cbf546a1d

SHA512
aa1a5f5dc5a47cbb248c06d95bd810fe7fdda4a8264f7a274178efa0e95ccfe518bd69f7f0cab779d51285f1e9663fa671668ba05087e96d0c8aeece6a59210b

Download Submit
C:\Windows\System\mSgpGTc.exe

Filesize
5.2MB

MD5
95687fe9b34d127df879d02d7b7a6dbf

SHA1
7cf19bf8e06dc783f29dbfa11ef92e956be2f374

SHA256
6a0646c2fd014acaa7194cc73157ba2c9674d3838be6a0202f533b470ba625eb

SHA512
2668a2950cf798decc41b3d7f3689405b10cb4d6b94fb2e36e195a76cc487d534b443a34bb4b52a383c743df632e304869cbbc6027777b589e92753bec125fdd

Download Submit
C:\Windows\System\xHCSGQR.exe

Filesize
5.2MB

MD5
df69bf88911c01d5cd267b1b479ba6f3

SHA1
11461deea464fd6366fb89a112cd5fe2bab7797d

SHA256
7fcd1ef75adfa30647b011817fed8986dd95b67bfe9b894bd6b851d2d1079b0f

SHA512
630427ad692e0869e725726f1b5ed8905022c623b13d0858bc2f9d633c88c96b2cb65dcfe92ffac372d56a7e24558aad06ef59e1101e20bb4f7e27aa62838900

Download Submit
memory/216-235-0x00007FF73E440000-0x00007FF73E791000-memory.dmp

Filesize
3.3MB

Download
memory/216-141-0x00007FF73E440000-0x00007FF73E791000-memory.dmp

Filesize
3.3MB

Download
memory/216-67-0x00007FF73E440000-0x00007FF73E791000-memory.dmp

Filesize
3.3MB

Download
memory/468-16-0x00007FF618140000-0x00007FF618491000-memory.dmp

Filesize
3.3MB

Download
memory/468-206-0x00007FF618140000-0x00007FF618491000-memory.dmp

Filesize
3.3MB

Download
memory/468-133-0x00007FF618140000-0x00007FF618491000-memory.dmp

Filesize
3.3MB

Download
memory/944-15-0x00007FF684E00000-0x00007FF685151000-memory.dmp

Filesize
3.3MB

Download
memory/944-121-0x00007FF684E00000-0x00007FF685151000-memory.dmp

Filesize
3.3MB

Download
memory/944-211-0x00007FF684E00000-0x00007FF685151000-memory.dmp

Filesize
3.3MB

Download
memory/1168-226-0x00007FF6FA070000-0x00007FF6FA3C1000-memory.dmp

Filesize
3.3MB

Download
memory/1168-41-0x00007FF6FA070000-0x00007FF6FA3C1000-memory.dmp

Filesize
3.3MB

Download
memory/1180-138-0x00007FF7519A0000-0x00007FF751CF1000-memory.dmp

Filesize
3.3MB

Download
memory/1180-230-0x00007FF7519A0000-0x00007FF751CF1000-memory.dmp

Filesize
3.3MB

Download
memory/1180-48-0x00007FF7519A0000-0x00007FF751CF1000-memory.dmp

Filesize
3.3MB

Download
memory/1744-87-0x00007FF7F04B0000-0x00007FF7F0801000-memory.dmp

Filesize
3.3MB

Download
memory/1744-233-0x00007FF7F04B0000-0x00007FF7F0801000-memory.dmp

Filesize
3.3MB

Download
memory/2044-146-0x00007FF7D5F90000-0x00007FF7D62E1000-memory.dmp

Filesize
3.3MB

Download
memory/2044-96-0x00007FF7D5F90000-0x00007FF7D62E1000-memory.dmp

Filesize
3.3MB

Download
memory/2044-249-0x00007FF7D5F90000-0x00007FF7D62E1000-memory.dmp

Filesize
3.3MB

Download
memory/2972-122-0x00007FF792060000-0x00007FF7923B1000-memory.dmp

Filesize
3.3MB

Download
memory/2972-254-0x00007FF792060000-0x00007FF7923B1000-memory.dmp

Filesize
3.3MB

Download
memory/3040-130-0x00007FF7CFBC0000-0x00007FF7CFF11000-memory.dmp

Filesize
3.3MB

Download
memory/3040-59-0x00007FF7CFBC0000-0x00007FF7CFF11000-memory.dmp

Filesize
3.3MB

Download
memory/3040-1-0x00000216B72A0000-0x00000216B72B0000-memory.dmp

Filesize
64KB

Download
memory/3040-0-0x00007FF7CFBC0000-0x00007FF7CFF11000-memory.dmp

Filesize
3.3MB

Download
memory/3152-29-0x00007FF782A20000-0x00007FF782D71000-memory.dmp

Filesize
3.3MB

Download
memory/3152-212-0x00007FF782A20000-0x00007FF782D71000-memory.dmp

Filesize
3.3MB

Download
memory/3152-135-0x00007FF782A20000-0x00007FF782D71000-memory.dmp

Filesize
3.3MB

Download
memory/3492-52-0x00007FF6BACD0000-0x00007FF6BB021000-memory.dmp

Filesize
3.3MB

Download
memory/3492-228-0x00007FF6BACD0000-0x00007FF6BB021000-memory.dmp

Filesize
3.3MB

Download
memory/3492-139-0x00007FF6BACD0000-0x00007FF6BB021000-memory.dmp

Filesize
3.3MB

Download
memory/3604-152-0x00007FF77A8D0000-0x00007FF77AC21000-memory.dmp

Filesize
3.3MB

Download
memory/3604-128-0x00007FF77A8D0000-0x00007FF77AC21000-memory.dmp

Filesize
3.3MB

Download
memory/3604-263-0x00007FF77A8D0000-0x00007FF77AC21000-memory.dmp

Filesize
3.3MB

Download
memory/3772-202-0x00007FF7DAC30000-0x00007FF7DAF81000-memory.dmp

Filesize
3.3MB

Download
memory/3772-117-0x00007FF7DAC30000-0x00007FF7DAF81000-memory.dmp

Filesize
3.3MB

Download
memory/3772-7-0x00007FF7DAC30000-0x00007FF7DAF81000-memory.dmp

Filesize
3.3MB

Download
memory/3892-126-0x00007FF774C70000-0x00007FF774FC1000-memory.dmp

Filesize
3.3MB

Download
memory/3892-258-0x00007FF774C70000-0x00007FF774FC1000-memory.dmp

Filesize
3.3MB

Download
memory/3920-106-0x00007FF775C70000-0x00007FF775FC1000-memory.dmp

Filesize
3.3MB

Download
memory/3920-252-0x00007FF775C70000-0x00007FF775FC1000-memory.dmp

Filesize
3.3MB

Download
memory/3920-150-0x00007FF775C70000-0x00007FF775FC1000-memory.dmp

Filesize
3.3MB

Download
memory/4020-103-0x00007FF793560000-0x00007FF7938B1000-memory.dmp

Filesize
3.3MB

Download
memory/4020-147-0x00007FF793560000-0x00007FF7938B1000-memory.dmp

Filesize
3.3MB

Download
memory/4020-257-0x00007FF793560000-0x00007FF7938B1000-memory.dmp

Filesize
3.3MB

Download
memory/4340-134-0x00007FF654C40000-0x00007FF654F91000-memory.dmp

Filesize
3.3MB

Download
memory/4340-25-0x00007FF654C40000-0x00007FF654F91000-memory.dmp

Filesize
3.3MB

Download
memory/4340-209-0x00007FF654C40000-0x00007FF654F91000-memory.dmp

Filesize
3.3MB

Download
memory/4380-238-0x00007FF666290000-0x00007FF6665E1000-memory.dmp

Filesize
3.3MB

Download
memory/4380-116-0x00007FF666290000-0x00007FF6665E1000-memory.dmp

Filesize
3.3MB

Download
memory/4940-236-0x00007FF66F9D0000-0x00007FF66FD21000-memory.dmp

Filesize
3.3MB

Download
memory/4940-78-0x00007FF66F9D0000-0x00007FF66FD21000-memory.dmp

Filesize
3.3MB

Download
memory/4940-140-0x00007FF66F9D0000-0x00007FF66FD21000-memory.dmp

Filesize
3.3MB

Download
memory/4976-245-0x00007FF6E7810000-0x00007FF6E7B61000-memory.dmp

Filesize
3.3MB

Download
memory/4976-123-0x00007FF6E7810000-0x00007FF6E7B61000-memory.dmp

Filesize
3.3MB

Download
memory/4996-251-0x00007FF6FDB90000-0x00007FF6FDEE1000-memory.dmp

Filesize
3.3MB

Download
memory/4996-144-0x00007FF6FDB90000-0x00007FF6FDEE1000-memory.dmp

Filesize
3.3MB

Download
memory/4996-94-0x00007FF6FDB90000-0x00007FF6FDEE1000-memory.dmp

Filesize
3.3MB

Download
memory/5036-127-0x00007FF60DB60000-0x00007FF60DEB1000-memory.dmp

Filesize
3.3MB

Download
memory/5036-246-0x00007FF60DB60000-0x00007FF60DEB1000-memory.dmp

Filesize
3.3MB

Download