cobaltstrike | f3fb7a63911e578afc464b351d66438d50672775f983abd7acba179dd3384b15

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 02:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

0e3c29e5e3d7e67267937ca50445c5b3
SHA1

2d314157bec446f8fe40a45ca46f9d71e22e41af
SHA256

f3fb7a63911e578afc464b351d66438d50672775f983abd7acba179dd3384b15
SHA512

7bd097a70595ffda6ea1badb11887f496f69845350905cb313486bfc986df69064f6d6a62bf3a1ffa955f48a2d84ea2e761925fedcfecabfb22f04208379c3fa
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lM:RWWBibd56utgpPFotBER/mQ32lUA

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
behavioral2/files/0x0008000000023c9c-4.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca0-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca1-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca2-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca3-30.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca4-35.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c9d-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca5-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca6-51.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca7-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca9-73.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ca8-72.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caa-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cab-88.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cad-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cac-94.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cae-108.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023caf-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb1-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb2-130.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cb3-133.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/3696-17-0x00007FF796360000-0x00007FF7966B1000-memory.dmp	xmrig
behavioral2/memory/3984-60-0x00007FF7D7F30000-0x00007FF7D8281000-memory.dmp	xmrig
behavioral2/memory/3884-68-0x00007FF7A79E0000-0x00007FF7A7D31000-memory.dmp	xmrig
behavioral2/memory/5020-106-0x00007FF74F660000-0x00007FF74F9B1000-memory.dmp	xmrig
behavioral2/memory/2060-104-0x00007FF67BB70000-0x00007FF67BEC1000-memory.dmp	xmrig
behavioral2/memory/3700-129-0x00007FF6B6AF0000-0x00007FF6B6E41000-memory.dmp	xmrig
behavioral2/memory/4796-126-0x00007FF7E7620000-0x00007FF7E7971000-memory.dmp	xmrig
behavioral2/memory/2972-101-0x00007FF653620000-0x00007FF653971000-memory.dmp	xmrig
behavioral2/memory/1116-95-0x00007FF62A160000-0x00007FF62A4B1000-memory.dmp	xmrig
behavioral2/memory/2164-53-0x00007FF708350000-0x00007FF7086A1000-memory.dmp	xmrig
behavioral2/memory/3536-40-0x00007FF608E40000-0x00007FF609191000-memory.dmp	xmrig
behavioral2/memory/2164-135-0x00007FF708350000-0x00007FF7086A1000-memory.dmp	xmrig
behavioral2/memory/2156-142-0x00007FF739890000-0x00007FF739BE1000-memory.dmp	xmrig
behavioral2/memory/1108-143-0x00007FF6DB9C0000-0x00007FF6DBD11000-memory.dmp	xmrig
behavioral2/memory/1744-144-0x00007FF747060000-0x00007FF7473B1000-memory.dmp	xmrig
behavioral2/memory/3460-145-0x00007FF7051C0000-0x00007FF705511000-memory.dmp	xmrig
behavioral2/memory/3476-153-0x00007FF74DFF0000-0x00007FF74E341000-memory.dmp	xmrig
behavioral2/memory/3888-154-0x00007FF74E2E0000-0x00007FF74E631000-memory.dmp	xmrig
behavioral2/memory/3224-158-0x00007FF63E140000-0x00007FF63E491000-memory.dmp	xmrig
behavioral2/memory/4356-159-0x00007FF62AFB0000-0x00007FF62B301000-memory.dmp	xmrig
behavioral2/memory/4180-161-0x00007FF6EC5E0000-0x00007FF6EC931000-memory.dmp	xmrig
behavioral2/memory/4740-162-0x00007FF7A58E0000-0x00007FF7A5C31000-memory.dmp	xmrig
behavioral2/memory/4816-160-0x00007FF6EA540000-0x00007FF6EA891000-memory.dmp	xmrig
behavioral2/memory/2164-163-0x00007FF708350000-0x00007FF7086A1000-memory.dmp	xmrig
behavioral2/memory/3984-215-0x00007FF7D7F30000-0x00007FF7D8281000-memory.dmp	xmrig
behavioral2/memory/3696-217-0x00007FF796360000-0x00007FF7966B1000-memory.dmp	xmrig
behavioral2/memory/3884-219-0x00007FF7A79E0000-0x00007FF7A7D31000-memory.dmp	xmrig
behavioral2/memory/2972-221-0x00007FF653620000-0x00007FF653971000-memory.dmp	xmrig
behavioral2/memory/5020-223-0x00007FF74F660000-0x00007FF74F9B1000-memory.dmp	xmrig
behavioral2/memory/3536-227-0x00007FF608E40000-0x00007FF609191000-memory.dmp	xmrig
behavioral2/memory/4796-229-0x00007FF7E7620000-0x00007FF7E7971000-memory.dmp	xmrig
behavioral2/memory/3700-239-0x00007FF6B6AF0000-0x00007FF6B6E41000-memory.dmp	xmrig
behavioral2/memory/1108-241-0x00007FF6DB9C0000-0x00007FF6DBD11000-memory.dmp	xmrig
behavioral2/memory/2156-243-0x00007FF739890000-0x00007FF739BE1000-memory.dmp	xmrig
behavioral2/memory/1744-245-0x00007FF747060000-0x00007FF7473B1000-memory.dmp	xmrig
behavioral2/memory/3460-247-0x00007FF7051C0000-0x00007FF705511000-memory.dmp	xmrig
behavioral2/memory/2060-249-0x00007FF67BB70000-0x00007FF67BEC1000-memory.dmp	xmrig
behavioral2/memory/1116-256-0x00007FF62A160000-0x00007FF62A4B1000-memory.dmp	xmrig
behavioral2/memory/3476-260-0x00007FF74DFF0000-0x00007FF74E341000-memory.dmp	xmrig
behavioral2/memory/3888-259-0x00007FF74E2E0000-0x00007FF74E631000-memory.dmp	xmrig
behavioral2/memory/3224-262-0x00007FF63E140000-0x00007FF63E491000-memory.dmp	xmrig
behavioral2/memory/4356-264-0x00007FF62AFB0000-0x00007FF62B301000-memory.dmp	xmrig
behavioral2/memory/4816-266-0x00007FF6EA540000-0x00007FF6EA891000-memory.dmp	xmrig
behavioral2/memory/4180-268-0x00007FF6EC5E0000-0x00007FF6EC931000-memory.dmp	xmrig
behavioral2/memory/4740-270-0x00007FF7A58E0000-0x00007FF7A5C31000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

ypxFAYe.exeSgkcAdT.exeBkezGYi.exepPbtlhw.exeMEyAhKw.exeOvmZEAK.exeVqpXYgZ.exeuINJrXJ.exeKxOpdrm.exezTgApIx.exepsjgeUQ.exeZRbhSJv.exeioNTLbk.exepanljpg.exeUWMoBsZ.exegMXqFnT.exeQTlnwjK.exeIrWIeym.exeZYHGrqJ.exeBlHqilo.exeHFPVoum.exe

pid	Process
3984	ypxFAYe.exe
3696	SgkcAdT.exe
3884	BkezGYi.exe
2972	pPbtlhw.exe
5020	MEyAhKw.exe
3536	OvmZEAK.exe
4796	VqpXYgZ.exe
3700	uINJrXJ.exe
2156	KxOpdrm.exe
1108	zTgApIx.exe
1744	psjgeUQ.exe
3460	ZRbhSJv.exe
2060	ioNTLbk.exe
1116	panljpg.exe
3476	UWMoBsZ.exe
3888	gMXqFnT.exe
3224	QTlnwjK.exe
4356	IrWIeym.exe
4816	ZYHGrqJ.exe
4180	BlHqilo.exe
4740	HFPVoum.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2164-0-0x00007FF708350000-0x00007FF7086A1000-memory.dmp	upx
behavioral2/files/0x0008000000023c9c-4.dat	upx
behavioral2/memory/3984-10-0x00007FF7D7F30000-0x00007FF7D8281000-memory.dmp	upx
behavioral2/files/0x0007000000023ca0-11.dat	upx
behavioral2/files/0x0007000000023ca1-9.dat	upx
behavioral2/memory/3884-21-0x00007FF7A79E0000-0x00007FF7A7D31000-memory.dmp	upx
behavioral2/files/0x0007000000023ca2-27.dat	upx
behavioral2/files/0x0007000000023ca3-30.dat	upx
behavioral2/memory/5020-32-0x00007FF74F660000-0x00007FF74F9B1000-memory.dmp	upx
behavioral2/memory/2972-23-0x00007FF653620000-0x00007FF653971000-memory.dmp	upx
behavioral2/memory/3696-17-0x00007FF796360000-0x00007FF7966B1000-memory.dmp	upx
behavioral2/files/0x0007000000023ca4-35.dat	upx
behavioral2/files/0x0008000000023c9d-41.dat	upx
behavioral2/files/0x0007000000023ca5-47.dat	upx
behavioral2/files/0x0007000000023ca6-51.dat	upx
behavioral2/files/0x0007000000023ca7-59.dat	upx
behavioral2/memory/3984-60-0x00007FF7D7F30000-0x00007FF7D8281000-memory.dmp	upx
behavioral2/files/0x0007000000023ca9-73.dat	upx
behavioral2/files/0x0007000000023ca8-72.dat	upx
behavioral2/memory/1744-71-0x00007FF747060000-0x00007FF7473B1000-memory.dmp	upx
behavioral2/memory/3884-68-0x00007FF7A79E0000-0x00007FF7A7D31000-memory.dmp	upx
behavioral2/files/0x0007000000023caa-83.dat	upx
behavioral2/files/0x0007000000023cab-88.dat	upx
behavioral2/files/0x0007000000023cad-91.dat	upx
behavioral2/files/0x0007000000023cac-94.dat	upx
behavioral2/memory/3476-96-0x00007FF74DFF0000-0x00007FF74E341000-memory.dmp	upx
behavioral2/memory/5020-106-0x00007FF74F660000-0x00007FF74F9B1000-memory.dmp	upx
behavioral2/files/0x0007000000023cae-108.dat	upx
behavioral2/memory/3224-107-0x00007FF63E140000-0x00007FF63E491000-memory.dmp	upx
behavioral2/memory/2060-104-0x00007FF67BB70000-0x00007FF67BEC1000-memory.dmp	upx
behavioral2/files/0x0007000000023caf-114.dat	upx
behavioral2/files/0x0007000000023cb1-118.dat	upx
behavioral2/files/0x0007000000023cb2-130.dat	upx
behavioral2/files/0x0007000000023cb3-133.dat	upx
behavioral2/memory/4740-132-0x00007FF7A58E0000-0x00007FF7A5C31000-memory.dmp	upx
behavioral2/memory/3700-129-0x00007FF6B6AF0000-0x00007FF6B6E41000-memory.dmp	upx
behavioral2/memory/4180-128-0x00007FF6EC5E0000-0x00007FF6EC931000-memory.dmp	upx
behavioral2/memory/4796-126-0x00007FF7E7620000-0x00007FF7E7971000-memory.dmp	upx
behavioral2/memory/4816-121-0x00007FF6EA540000-0x00007FF6EA891000-memory.dmp	upx
behavioral2/memory/4356-113-0x00007FF62AFB0000-0x00007FF62B301000-memory.dmp	upx
behavioral2/memory/2972-101-0x00007FF653620000-0x00007FF653971000-memory.dmp	upx
behavioral2/memory/3888-100-0x00007FF74E2E0000-0x00007FF74E631000-memory.dmp	upx
behavioral2/memory/1116-95-0x00007FF62A160000-0x00007FF62A4B1000-memory.dmp	upx
behavioral2/memory/3460-93-0x00007FF7051C0000-0x00007FF705511000-memory.dmp	upx
behavioral2/memory/1108-62-0x00007FF6DB9C0000-0x00007FF6DBD11000-memory.dmp	upx
behavioral2/memory/2156-56-0x00007FF739890000-0x00007FF739BE1000-memory.dmp	upx
behavioral2/memory/2164-53-0x00007FF708350000-0x00007FF7086A1000-memory.dmp	upx
behavioral2/memory/3700-48-0x00007FF6B6AF0000-0x00007FF6B6E41000-memory.dmp	upx
behavioral2/memory/4796-45-0x00007FF7E7620000-0x00007FF7E7971000-memory.dmp	upx
behavioral2/memory/3536-40-0x00007FF608E40000-0x00007FF609191000-memory.dmp	upx
behavioral2/memory/2164-135-0x00007FF708350000-0x00007FF7086A1000-memory.dmp	upx
behavioral2/memory/2156-142-0x00007FF739890000-0x00007FF739BE1000-memory.dmp	upx
behavioral2/memory/1108-143-0x00007FF6DB9C0000-0x00007FF6DBD11000-memory.dmp	upx
behavioral2/memory/1744-144-0x00007FF747060000-0x00007FF7473B1000-memory.dmp	upx
behavioral2/memory/3460-145-0x00007FF7051C0000-0x00007FF705511000-memory.dmp	upx
behavioral2/memory/3476-153-0x00007FF74DFF0000-0x00007FF74E341000-memory.dmp	upx
behavioral2/memory/3888-154-0x00007FF74E2E0000-0x00007FF74E631000-memory.dmp	upx
behavioral2/memory/3224-158-0x00007FF63E140000-0x00007FF63E491000-memory.dmp	upx
behavioral2/memory/4356-159-0x00007FF62AFB0000-0x00007FF62B301000-memory.dmp	upx
behavioral2/memory/4180-161-0x00007FF6EC5E0000-0x00007FF6EC931000-memory.dmp	upx
behavioral2/memory/4740-162-0x00007FF7A58E0000-0x00007FF7A5C31000-memory.dmp	upx
behavioral2/memory/4816-160-0x00007FF6EA540000-0x00007FF6EA891000-memory.dmp	upx
behavioral2/memory/2164-163-0x00007FF708350000-0x00007FF7086A1000-memory.dmp	upx
behavioral2/memory/3984-215-0x00007FF7D7F30000-0x00007FF7D8281000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	Process
File created	C:\Windows\System\HFPVoum.exe	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SgkcAdT.exe	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZRbhSJv.exe	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ioNTLbk.exe	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zTgApIx.exe	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\panljpg.exe	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QTlnwjK.exe	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OvmZEAK.exe	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VqpXYgZ.exe	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KxOpdrm.exe	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZYHGrqJ.exe	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ypxFAYe.exe	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MEyAhKw.exe	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UWMoBsZ.exe	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\psjgeUQ.exe	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gMXqFnT.exe	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IrWIeym.exe	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BlHqilo.exe	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BkezGYi.exe	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pPbtlhw.exe	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uINJrXJ.exe	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process
Token: SeLockMemoryPrivilege	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process	procid_target
PID 2164 wrote to memory of 3984	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2164 wrote to memory of 3984	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 2164 wrote to memory of 3696	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2164 wrote to memory of 3696	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2164 wrote to memory of 3884	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2164 wrote to memory of 3884	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2164 wrote to memory of 2972	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2164 wrote to memory of 2972	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2164 wrote to memory of 5020	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2164 wrote to memory of 5020	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 2164 wrote to memory of 3536	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2164 wrote to memory of 3536	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 2164 wrote to memory of 4796	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2164 wrote to memory of 4796	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2164 wrote to memory of 3700	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2164 wrote to memory of 3700	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 2164 wrote to memory of 2156	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2164 wrote to memory of 2156	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2164 wrote to memory of 1108	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2164 wrote to memory of 1108	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2164 wrote to memory of 1744	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2164 wrote to memory of 1744	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2164 wrote to memory of 3460	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2164 wrote to memory of 3460	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2164 wrote to memory of 2060	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2164 wrote to memory of 2060	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2164 wrote to memory of 1116	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2164 wrote to memory of 1116	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2164 wrote to memory of 3476	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2164 wrote to memory of 3476	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2164 wrote to memory of 3888	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2164 wrote to memory of 3888	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2164 wrote to memory of 3224	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2164 wrote to memory of 3224	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2164 wrote to memory of 4356	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2164 wrote to memory of 4356	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 2164 wrote to memory of 4816	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2164 wrote to memory of 4816	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 2164 wrote to memory of 4180	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2164 wrote to memory of 4180	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2164 wrote to memory of 4740	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2164 wrote to memory of 4740	2164	2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe	104

C:\Users\Admin\AppData\Local\Temp\2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-20_0e3c29e5e3d7e67267937ca50445c5b3_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164
- C:\Windows\System\ypxFAYe.exe
  C:\Windows\System\ypxFAYe.exe
  2⤵
  - Executes dropped EXE
  PID:3984
- C:\Windows\System\SgkcAdT.exe
  C:\Windows\System\SgkcAdT.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System\BkezGYi.exe
  C:\Windows\System\BkezGYi.exe
  2⤵
  - Executes dropped EXE
  PID:3884
- C:\Windows\System\pPbtlhw.exe
  C:\Windows\System\pPbtlhw.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System\MEyAhKw.exe
  C:\Windows\System\MEyAhKw.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\OvmZEAK.exe
  C:\Windows\System\OvmZEAK.exe
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System\VqpXYgZ.exe
  C:\Windows\System\VqpXYgZ.exe
  2⤵
  - Executes dropped EXE
  PID:4796
- C:\Windows\System\uINJrXJ.exe
  C:\Windows\System\uINJrXJ.exe
  2⤵
  - Executes dropped EXE
  PID:3700
- C:\Windows\System\KxOpdrm.exe
  C:\Windows\System\KxOpdrm.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\zTgApIx.exe
  C:\Windows\System\zTgApIx.exe
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\System\psjgeUQ.exe
  C:\Windows\System\psjgeUQ.exe
  2⤵
  - Executes dropped EXE
  PID:1744
- C:\Windows\System\ZRbhSJv.exe
  C:\Windows\System\ZRbhSJv.exe
  2⤵
  - Executes dropped EXE
  PID:3460
- C:\Windows\System\ioNTLbk.exe
  C:\Windows\System\ioNTLbk.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System\panljpg.exe
  C:\Windows\System\panljpg.exe
  2⤵
  - Executes dropped EXE
  PID:1116
- C:\Windows\System\UWMoBsZ.exe
  C:\Windows\System\UWMoBsZ.exe
  2⤵
  - Executes dropped EXE
  PID:3476
- C:\Windows\System\gMXqFnT.exe
  C:\Windows\System\gMXqFnT.exe
  2⤵
  - Executes dropped EXE
  PID:3888
- C:\Windows\System\QTlnwjK.exe
  C:\Windows\System\QTlnwjK.exe
  2⤵
  - Executes dropped EXE
  PID:3224
- C:\Windows\System\IrWIeym.exe
  C:\Windows\System\IrWIeym.exe
  2⤵
  - Executes dropped EXE
  PID:4356
- C:\Windows\System\ZYHGrqJ.exe
  C:\Windows\System\ZYHGrqJ.exe
  2⤵
  - Executes dropped EXE
  PID:4816
- C:\Windows\System\BlHqilo.exe
  C:\Windows\System\BlHqilo.exe
  2⤵
  - Executes dropped EXE
  PID:4180
- C:\Windows\System\HFPVoum.exe
  C:\Windows\System\HFPVoum.exe
  2⤵
  - Executes dropped EXE
  PID:4740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BkezGYi.exe

Filesize
5.2MB

MD5
e5a12306432fa3c88f9ecca78fb72818

SHA1
787e335b5254f0fbb5c080065e94a3612abd522a

SHA256
a284f2b70f52847e603bf3a4f263104a0a1bcf99d4be6c93825c6b866cfe28bc

SHA512
277e10f088384893a98cfb1ca899a662baecaf62b4b648c742f19aef9361c0364325000b9537fe08d3e2cbfbbb440a607d39e0c7546f926f1154ca9ddd77c2ce

Download Submit
C:\Windows\System\BlHqilo.exe

Filesize
5.2MB

MD5
cacd8f0cf70b19530bb13ad585cc3ec7

SHA1
8fb62e601e192cc240c73ebdfff319db51889f97

SHA256
a07d7299fc3fda20bbd006135cf3d8ff2c5aabc702951a220668ca0ac52c5996

SHA512
c68cf08cef7440e125079f422b29ba7bb2e9eb26a09de4dcb9b6c448d193845ccad887de29212bf83e011fb9d28f99fe23f15d69639d1a4e641e8273e0c505b5

Download Submit
C:\Windows\System\HFPVoum.exe

Filesize
5.2MB

MD5
77834fdd9a048d73f8bad987139d843c

SHA1
860e2c38f2741bfa2c73b2ca25be188cf4f73254

SHA256
b7f4ed94849ae594c56660d49d577bfcd9cf3e4919d15573925a82a19e37bd6a

SHA512
68cbafc26f2add1344bd95667d05c4430af30e3b02434ae19feabc37dfb936593d35378a5631c231f38c3e6fe9f30963e9cc80c8be453f2a7bb006e64b7ad02a

Download Submit
C:\Windows\System\IrWIeym.exe

Filesize
5.2MB

MD5
10adaaa83a348493822946063a4a4262

SHA1
dc90be94418ca57c90c15b3f01a9b9802b20f2e4

SHA256
ee0c4a1779f41d3ac85898ee0c028804ad416834612f064411c75ad02a1ae55b

SHA512
6cd09e9d80e1bbea9edc277cc82c7d7f41662d2578796e485b376262af391370590bc357a63d5d8d503b58ef9f07f70ee606a707fcc4c9612699d251b84e1ae3

Download Submit
C:\Windows\System\KxOpdrm.exe

Filesize
5.2MB

MD5
83794141292aaa79b6d3c9a99d4de76d

SHA1
61dfcf92362805d1c43f9c3dc1ec88b81ca10bad

SHA256
d38fe7327b3c97cfb88c35e129212eef9390c046dde1a6e95511cd88ea8d1988

SHA512
93f5e42d39ad36bdc25b4561acebd757f5b0692be268d803b63279b9c445c997521c57c8bba3a1888c403800585500b25d63b62ed029593ebccfb12255b3bf93

Download Submit
C:\Windows\System\MEyAhKw.exe

Filesize
5.2MB

MD5
3ad2fb1784fcd29cfd68b277e2e14741

SHA1
09bf904c9cc3a5decb45565732c2c1a20f2fa503

SHA256
e8bdbd167e7a3aa93850b30c46d7fc500ccdd8b73724e315e0ca7c8f6f919529

SHA512
ed80b8854da67d831540456ab99bcbeea90f68b20d85c71a74558d8e940174c805c7a21e9aaff4da25e586793893adf4fc4df7e1ded90ae70eb2531bd14b5b1e

Download Submit
C:\Windows\System\OvmZEAK.exe

Filesize
5.2MB

MD5
97574ea35a114a43c74c09c7d7a7d89d

SHA1
ebc722c05e076b18c66bb2c3f97c8e6f09597a8a

SHA256
e9830a1889d48c44d4f67fd79a9dc69e877c9730b95dcab1c97cdf77fc88a486

SHA512
5b4817c800fce07920fff28bd39f9fe02e3ff32bc1370da048868c871cd6d37282c9e58dfb6ddabdd85fe03ecc3145dbca688c90dbb370b6249ea70397f10dfa

Download Submit
C:\Windows\System\QTlnwjK.exe

Filesize
5.2MB

MD5
5d042984e6c271a5847bba795821c6a1

SHA1
6681543bcab00da11be63e8271bb90c5e69f54d0

SHA256
ef6fbe5810763446862836317989944d1b82fbafb84bb4d93a4eb9edf74ff047

SHA512
6832ce7fd12047af253ea127ffd9575a96811cb07e20207a6d102706d12e69257aabf48d339c3b44b0bea6862325bf7b40c0e3bd7f4db4ba6f2f35e7fd331cf1

Download Submit
C:\Windows\System\SgkcAdT.exe

Filesize
5.2MB

MD5
06ff4b96ad78b33372cacfc6bde2134d

SHA1
00465c9ede8c31b0dc26c8c27fa3309254786c7d

SHA256
f5321bdecd1bf91b557ab5bf6a10f76d20ca61731dd17ecb297b96bd2b1e1055

SHA512
0140344e3ba09562d090bf48077409d9f1f841fd5c3e0f743862af8d5a8ad5f213c0fd74b850af88b4edf55bb09b1159d6ad82f064323a409f71b51919736012

Download Submit
C:\Windows\System\UWMoBsZ.exe

Filesize
5.2MB

MD5
2855eeb0b3b76618d0d42f2cf6021e08

SHA1
df390f9a1194120fdd52fcfb8d174501d5cfc9f8

SHA256
39df9cc4c34d5d1f1a87f5030ab1164b169e0a528fce84f96854fc14d89b0b2d

SHA512
a382158a71e13fdaf50bef7f6a59f9df14164fea646b62f92c80df0016ea4bae4d036569e271dff34c282faf3f4bcaa38434384e396713e46da59b9141e9fccd

Download Submit
C:\Windows\System\VqpXYgZ.exe

Filesize
5.2MB

MD5
5db899ea72f78e694c4c104a5569dc80

SHA1
754e08b5b49907545a722b7024531f3ed3064a73

SHA256
cc013c4f15d8dc908bc2c13f23739f131c4cd1b3a13dfa9fec580fdb53cb764b

SHA512
d73c6f95bf8c96b736efbececa9a72be9ed3a4809cdb85bf4c8fb4f9667c057af08720571a12b0dae0cf3a9a424085aaf3f8250ff9652d67e36be567c238a6c1

Download Submit
C:\Windows\System\ZRbhSJv.exe

Filesize
5.2MB

MD5
b0016d98cf087f006c196af6bbad2600

SHA1
dca5ef41267d7475ac4c27f5811d8d68203c52f9

SHA256
38c9b75497a519578304eea6b36213ec958f93920436aa5a20096594ace3910a

SHA512
17444c179484a1f5f5fe7d610321ddbf6cf7a63bfecc2278f42839a780ce162e2804868de097bb5da89ff6807e234970a1a9df5d15244dc53e7ba2ac635f7182

Download Submit
C:\Windows\System\ZYHGrqJ.exe

Filesize
5.2MB

MD5
7f8b6e30949b9956c3b22f24e9f6b58b

SHA1
7165add07f4e8dd269a354381724e79dee08e491

SHA256
da2e0559680fdbeb408d19cbeb1077708d8c93475b883f1821b7d9b0b16555c3

SHA512
83a500d532619fce29a5d218683419e3a4b30368796a278cbfef40a60b221277eb7fe2c0c3a7f801281db012f8a0cbfec2c3df78030b11a3f65b8d7465a6fd69

Download Submit
C:\Windows\System\gMXqFnT.exe

Filesize
5.2MB

MD5
5cbca7a868a85996bd569386596e08a9

SHA1
12dd44b6e1474ac185da9db196a3b1b6474c96e4

SHA256
9477b8fddea49cd1e920e532c47956a4f0f63d5b5ed106c0457ce4943ecc753a

SHA512
8c19cdc70bd17d7ecd37cce887a58592c0f94293e97202aac8fc27f6a1fb5c28ddffcb7dfc04059a91d5b46a314e50c416511453c556b33359507f0d82f71d71

Download Submit
C:\Windows\System\ioNTLbk.exe

Filesize
5.2MB

MD5
fc1f8fbc2bbdd27c8012dc20e76ab9ee

SHA1
89ce5c1cf6774bece200b4741250fc82919af646

SHA256
e8d88ae83c1ed6cef9709af6d3ea4e23aa7a549867afdf327d8a18f0d3868d1d

SHA512
4b9326dba01f10855cbd015de27837865d6bc7e9471c101830fd267d085a7dcec2171cda5d267b4a41b9623629b3aac8535fca3188d1e87e7d937826e0f0ca62

Download Submit
C:\Windows\System\pPbtlhw.exe

Filesize
5.2MB

MD5
1d8b507a97fa05bf09271923eda35491

SHA1
16428348366e6d0bc6b488074c6bdc6791ab4461

SHA256
348e64716c6b4e5efbe42f2669522dc40df0368482e17dafb6a92360ffccc3cc

SHA512
79fd8e314074c906a6ec8584726befef34765908ce46dffd50116ac8d096eaccdef891581fcff2e93855e5aa7b73692aa07eaa82414f98aeef12635913745022

Download Submit
C:\Windows\System\panljpg.exe

Filesize
5.2MB

MD5
b121c5e6aa0a49b2a5d0c058858b5e8a

SHA1
41b9ff32b79031c7c64a3e2b82bdbe3c6b444149

SHA256
ebeae982d67549910871c2591a51491e7033ecac433f578adcd5a82a21d2480c

SHA512
f6751fd42ed3c2100ca65196404c7c9dff853545a0d39e87aaa6588c7d35a8813804babb90ed55bdbc6dd4f2cfa83b1828ff8292fba55a5b5c4b0032739e8025

Download Submit
C:\Windows\System\psjgeUQ.exe

Filesize
5.2MB

MD5
964e62886fb0703b3ea5a3f3000b10b8

SHA1
54c1e0141c4017bfd99a4a2c5a5698ebc8d22efe

SHA256
c02ce7090fb77b938d4e044095b1c56b098135f515832999f40bcc65b6fcb84c

SHA512
0a591c6506afabf1181823593368ff85f5fe0f5e0bb1562ed401a6efcd5f9652332ac8299bb352642f111d9cd331e27539dc6b65b8d9e9169174958f291b1006

Download Submit
C:\Windows\System\uINJrXJ.exe

Filesize
5.2MB

MD5
4dba0a9e4caf0d4cbd91a609f2307942

SHA1
859d17ff653f65496ef1a41a26cbe2e823107d47

SHA256
3065a5ea5e8a489f5d983d93000fc94ffff18ee260a9fe400e198cdfee43a904

SHA512
30167b23474145daecc88336077bdcc4ce5f8d011e8cd59158987b6f5904b2c9849c19dc921540648830dbf5932b62a05bc1d98285a5fb82615c3e3025074391

Download Submit
C:\Windows\System\ypxFAYe.exe

Filesize
5.2MB

MD5
1d20158d084218d5898a77ef7918eae5

SHA1
3fc615248cb0c03677a9efaa1ead44d4c3c855cc

SHA256
a46d0ab4177993c74c32aa125d61d6f7bdc9ec062cdce54c07471c41ed1dca45

SHA512
52fc3124d5af8e5f1658ea78f97381684161d950c36ee0c320ad51e003b30477c5ce40d892cf2231377472aaf05e40a8824d2d759b695fba5030c0366fd143c5

Download Submit
C:\Windows\System\zTgApIx.exe

Filesize
5.2MB

MD5
fd99a9a3cd62f8c7d91043d837e06b55

SHA1
5b4f8ce9616a64088f9576eebb0dc7948ca0ae23

SHA256
97097f31579751675ab3a7a31bade95c2a2e888137092ff13e4054c037653c6e

SHA512
4cc1de4e5b04cfa018055902e92a66a3bb5f748ca813fac7c9420e33e426f4df0acdf8b4a5c2116fa46a32945387dcdf08efbfab1627a735a277d3aa689f3c63

Download Submit
memory/1108-62-0x00007FF6DB9C0000-0x00007FF6DBD11000-memory.dmp

Filesize
3.3MB

Download
memory/1108-143-0x00007FF6DB9C0000-0x00007FF6DBD11000-memory.dmp

Filesize
3.3MB

Download
memory/1108-241-0x00007FF6DB9C0000-0x00007FF6DBD11000-memory.dmp

Filesize
3.3MB

Download
memory/1116-256-0x00007FF62A160000-0x00007FF62A4B1000-memory.dmp

Filesize
3.3MB

Download
memory/1116-95-0x00007FF62A160000-0x00007FF62A4B1000-memory.dmp

Filesize
3.3MB

Download
memory/1744-245-0x00007FF747060000-0x00007FF7473B1000-memory.dmp

Filesize
3.3MB

Download
memory/1744-144-0x00007FF747060000-0x00007FF7473B1000-memory.dmp

Filesize
3.3MB

Download
memory/1744-71-0x00007FF747060000-0x00007FF7473B1000-memory.dmp

Filesize
3.3MB

Download
memory/2060-104-0x00007FF67BB70000-0x00007FF67BEC1000-memory.dmp

Filesize
3.3MB

Download
memory/2060-249-0x00007FF67BB70000-0x00007FF67BEC1000-memory.dmp

Filesize
3.3MB

Download
memory/2156-142-0x00007FF739890000-0x00007FF739BE1000-memory.dmp

Filesize
3.3MB

Download
memory/2156-243-0x00007FF739890000-0x00007FF739BE1000-memory.dmp

Filesize
3.3MB

Download
memory/2156-56-0x00007FF739890000-0x00007FF739BE1000-memory.dmp

Filesize
3.3MB

Download
memory/2164-135-0x00007FF708350000-0x00007FF7086A1000-memory.dmp

Filesize
3.3MB

Download
memory/2164-163-0x00007FF708350000-0x00007FF7086A1000-memory.dmp

Filesize
3.3MB

Download
memory/2164-0-0x00007FF708350000-0x00007FF7086A1000-memory.dmp

Filesize
3.3MB

Download
memory/2164-53-0x00007FF708350000-0x00007FF7086A1000-memory.dmp

Filesize
3.3MB

Download
memory/2164-1-0x0000025C3C810000-0x0000025C3C820000-memory.dmp

Filesize
64KB

Download
memory/2972-101-0x00007FF653620000-0x00007FF653971000-memory.dmp

Filesize
3.3MB

Download
memory/2972-221-0x00007FF653620000-0x00007FF653971000-memory.dmp

Filesize
3.3MB

Download
memory/2972-23-0x00007FF653620000-0x00007FF653971000-memory.dmp

Filesize
3.3MB

Download
memory/3224-107-0x00007FF63E140000-0x00007FF63E491000-memory.dmp

Filesize
3.3MB

Download
memory/3224-262-0x00007FF63E140000-0x00007FF63E491000-memory.dmp

Filesize
3.3MB

Download
memory/3224-158-0x00007FF63E140000-0x00007FF63E491000-memory.dmp

Filesize
3.3MB

Download
memory/3460-93-0x00007FF7051C0000-0x00007FF705511000-memory.dmp

Filesize
3.3MB

Download
memory/3460-247-0x00007FF7051C0000-0x00007FF705511000-memory.dmp

Filesize
3.3MB

Download
memory/3460-145-0x00007FF7051C0000-0x00007FF705511000-memory.dmp

Filesize
3.3MB

Download
memory/3476-96-0x00007FF74DFF0000-0x00007FF74E341000-memory.dmp

Filesize
3.3MB

Download
memory/3476-153-0x00007FF74DFF0000-0x00007FF74E341000-memory.dmp

Filesize
3.3MB

Download
memory/3476-260-0x00007FF74DFF0000-0x00007FF74E341000-memory.dmp

Filesize
3.3MB

Download
memory/3536-227-0x00007FF608E40000-0x00007FF609191000-memory.dmp

Filesize
3.3MB

Download
memory/3536-40-0x00007FF608E40000-0x00007FF609191000-memory.dmp

Filesize
3.3MB

Download
memory/3696-17-0x00007FF796360000-0x00007FF7966B1000-memory.dmp

Filesize
3.3MB

Download
memory/3696-217-0x00007FF796360000-0x00007FF7966B1000-memory.dmp

Filesize
3.3MB

Download
memory/3700-48-0x00007FF6B6AF0000-0x00007FF6B6E41000-memory.dmp

Filesize
3.3MB

Download
memory/3700-129-0x00007FF6B6AF0000-0x00007FF6B6E41000-memory.dmp

Filesize
3.3MB

Download
memory/3700-239-0x00007FF6B6AF0000-0x00007FF6B6E41000-memory.dmp

Filesize
3.3MB

Download
memory/3884-219-0x00007FF7A79E0000-0x00007FF7A7D31000-memory.dmp

Filesize
3.3MB

Download
memory/3884-68-0x00007FF7A79E0000-0x00007FF7A7D31000-memory.dmp

Filesize
3.3MB

Download
memory/3884-21-0x00007FF7A79E0000-0x00007FF7A7D31000-memory.dmp

Filesize
3.3MB

Download
memory/3888-154-0x00007FF74E2E0000-0x00007FF74E631000-memory.dmp

Filesize
3.3MB

Download
memory/3888-259-0x00007FF74E2E0000-0x00007FF74E631000-memory.dmp

Filesize
3.3MB

Download
memory/3888-100-0x00007FF74E2E0000-0x00007FF74E631000-memory.dmp

Filesize
3.3MB

Download
memory/3984-215-0x00007FF7D7F30000-0x00007FF7D8281000-memory.dmp

Filesize
3.3MB

Download
memory/3984-60-0x00007FF7D7F30000-0x00007FF7D8281000-memory.dmp

Filesize
3.3MB

Download
memory/3984-10-0x00007FF7D7F30000-0x00007FF7D8281000-memory.dmp

Filesize
3.3MB

Download
memory/4180-128-0x00007FF6EC5E0000-0x00007FF6EC931000-memory.dmp

Filesize
3.3MB

Download
memory/4180-161-0x00007FF6EC5E0000-0x00007FF6EC931000-memory.dmp

Filesize
3.3MB

Download
memory/4180-268-0x00007FF6EC5E0000-0x00007FF6EC931000-memory.dmp

Filesize
3.3MB

Download
memory/4356-264-0x00007FF62AFB0000-0x00007FF62B301000-memory.dmp

Filesize
3.3MB

Download
memory/4356-113-0x00007FF62AFB0000-0x00007FF62B301000-memory.dmp

Filesize
3.3MB

Download
memory/4356-159-0x00007FF62AFB0000-0x00007FF62B301000-memory.dmp

Filesize
3.3MB

Download
memory/4740-162-0x00007FF7A58E0000-0x00007FF7A5C31000-memory.dmp

Filesize
3.3MB

Download
memory/4740-132-0x00007FF7A58E0000-0x00007FF7A5C31000-memory.dmp

Filesize
3.3MB

Download
memory/4740-270-0x00007FF7A58E0000-0x00007FF7A5C31000-memory.dmp

Filesize
3.3MB

Download
memory/4796-229-0x00007FF7E7620000-0x00007FF7E7971000-memory.dmp

Filesize
3.3MB

Download
memory/4796-45-0x00007FF7E7620000-0x00007FF7E7971000-memory.dmp

Filesize
3.3MB

Download
memory/4796-126-0x00007FF7E7620000-0x00007FF7E7971000-memory.dmp

Filesize
3.3MB

Download
memory/4816-121-0x00007FF6EA540000-0x00007FF6EA891000-memory.dmp

Filesize
3.3MB

Download
memory/4816-266-0x00007FF6EA540000-0x00007FF6EA891000-memory.dmp

Filesize
3.3MB

Download
memory/4816-160-0x00007FF6EA540000-0x00007FF6EA891000-memory.dmp

Filesize
3.3MB

Download
memory/5020-32-0x00007FF74F660000-0x00007FF74F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/5020-223-0x00007FF74F660000-0x00007FF74F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/5020-106-0x00007FF74F660000-0x00007FF74F9B1000-memory.dmp

Filesize
3.3MB

Download