cobaltstrike | 77bdf30a3d17efa47d9ed0bb786e84f4223adcf6089e9bc5b5fa91a7becf7b0c

Analysis

max time kernel
146s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 02:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

41417e29135f4e7f95970a163f87ca6c
SHA1

123c09e91e0fdff4afac1a96ad0b4952e280ea04
SHA256

77bdf30a3d17efa47d9ed0bb786e84f4223adcf6089e9bc5b5fa91a7becf7b0c
SHA512

4596db4f0eea55f3cef924816ede3a1b55622ac5c325c28f474aaf20698bdf0dc231f3ee0ec95d65b6c852eea2eb780f19b80acf05dd29cfd3fbb223bba9eb01
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lm:RWWBibd56utgpPFotBER/mQ32lUK

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\UVfRJdv.exe	cobalt_reflective_dll
C:\Windows\System\tzQxDYL.exe	cobalt_reflective_dll
C:\Windows\System\AKvpUNd.exe	cobalt_reflective_dll
C:\Windows\System\LmUSnxC.exe	cobalt_reflective_dll
C:\Windows\System\SHRkYRp.exe	cobalt_reflective_dll
C:\Windows\System\GsqkVts.exe	cobalt_reflective_dll
C:\Windows\System\XxbJQtr.exe	cobalt_reflective_dll
C:\Windows\System\vUFzOWw.exe	cobalt_reflective_dll
C:\Windows\System\hQaydez.exe	cobalt_reflective_dll
C:\Windows\System\aWQSZlm.exe	cobalt_reflective_dll
C:\Windows\System\LmKiVqY.exe	cobalt_reflective_dll
C:\Windows\System\ABXStvj.exe	cobalt_reflective_dll
C:\Windows\System\VGKoSeB.exe	cobalt_reflective_dll
C:\Windows\System\zRnnKkh.exe	cobalt_reflective_dll
C:\Windows\System\WZtBTyT.exe	cobalt_reflective_dll
C:\Windows\System\sPdTNTM.exe	cobalt_reflective_dll
C:\Windows\System\ynlZTEr.exe	cobalt_reflective_dll
C:\Windows\System\gomaKHZ.exe	cobalt_reflective_dll
C:\Windows\System\frCgUME.exe	cobalt_reflective_dll
C:\Windows\System\AUYKRBD.exe	cobalt_reflective_dll
C:\Windows\System\xaIRDHn.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1124-25-0x00007FF6E9370000-0x00007FF6E96C1000-memory.dmp	xmrig
behavioral2/memory/4404-32-0x00007FF6660B0000-0x00007FF666401000-memory.dmp	xmrig
behavioral2/memory/1652-69-0x00007FF6E0E40000-0x00007FF6E1191000-memory.dmp	xmrig
behavioral2/memory/1376-67-0x00007FF6A71D0000-0x00007FF6A7521000-memory.dmp	xmrig
behavioral2/memory/3832-64-0x00007FF6E0CA0000-0x00007FF6E0FF1000-memory.dmp	xmrig
behavioral2/memory/2672-57-0x00007FF6FCEE0000-0x00007FF6FD231000-memory.dmp	xmrig
behavioral2/memory/1016-48-0x00007FF6DDDF0000-0x00007FF6DE141000-memory.dmp	xmrig
behavioral2/memory/1124-76-0x00007FF6E9370000-0x00007FF6E96C1000-memory.dmp	xmrig
behavioral2/memory/1128-135-0x00007FF7C6E80000-0x00007FF7C71D1000-memory.dmp	xmrig
behavioral2/memory/4976-136-0x00007FF79CE90000-0x00007FF79D1E1000-memory.dmp	xmrig
behavioral2/memory/1712-132-0x00007FF7C3120000-0x00007FF7C3471000-memory.dmp	xmrig
behavioral2/memory/4628-128-0x00007FF642960000-0x00007FF642CB1000-memory.dmp	xmrig
behavioral2/memory/372-75-0x00007FF769D70000-0x00007FF76A0C1000-memory.dmp	xmrig
behavioral2/memory/1016-138-0x00007FF6DDDF0000-0x00007FF6DE141000-memory.dmp	xmrig
behavioral2/memory/3980-149-0x00007FF7D68D0000-0x00007FF7D6C21000-memory.dmp	xmrig
behavioral2/memory/4628-155-0x00007FF642960000-0x00007FF642CB1000-memory.dmp	xmrig
behavioral2/memory/2956-157-0x00007FF6CAE50000-0x00007FF6CB1A1000-memory.dmp	xmrig
behavioral2/memory/1828-154-0x00007FF6B2460000-0x00007FF6B27B1000-memory.dmp	xmrig
behavioral2/memory/2060-153-0x00007FF61E480000-0x00007FF61E7D1000-memory.dmp	xmrig
behavioral2/memory/3788-152-0x00007FF7231E0000-0x00007FF723531000-memory.dmp	xmrig
behavioral2/memory/4692-151-0x00007FF7AB8C0000-0x00007FF7ABC11000-memory.dmp	xmrig
behavioral2/memory/3696-146-0x00007FF60EE10000-0x00007FF60F161000-memory.dmp	xmrig
behavioral2/memory/4648-150-0x00007FF72D990000-0x00007FF72DCE1000-memory.dmp	xmrig
behavioral2/memory/4860-145-0x00007FF7C9C90000-0x00007FF7C9FE1000-memory.dmp	xmrig
behavioral2/memory/2560-160-0x00007FF66E5F0000-0x00007FF66E941000-memory.dmp	xmrig
behavioral2/memory/1016-167-0x00007FF6DDDF0000-0x00007FF6DE141000-memory.dmp	xmrig
behavioral2/memory/2672-195-0x00007FF6FCEE0000-0x00007FF6FD231000-memory.dmp	xmrig
behavioral2/memory/1376-197-0x00007FF6A71D0000-0x00007FF6A7521000-memory.dmp	xmrig
behavioral2/memory/372-199-0x00007FF769D70000-0x00007FF76A0C1000-memory.dmp	xmrig
behavioral2/memory/1124-208-0x00007FF6E9370000-0x00007FF6E96C1000-memory.dmp	xmrig
behavioral2/memory/4404-214-0x00007FF6660B0000-0x00007FF666401000-memory.dmp	xmrig
behavioral2/memory/1712-217-0x00007FF7C3120000-0x00007FF7C3471000-memory.dmp	xmrig
behavioral2/memory/4860-224-0x00007FF7C9C90000-0x00007FF7C9FE1000-memory.dmp	xmrig
behavioral2/memory/3696-226-0x00007FF60EE10000-0x00007FF60F161000-memory.dmp	xmrig
behavioral2/memory/3832-228-0x00007FF6E0CA0000-0x00007FF6E0FF1000-memory.dmp	xmrig
behavioral2/memory/1652-230-0x00007FF6E0E40000-0x00007FF6E1191000-memory.dmp	xmrig
behavioral2/memory/3980-232-0x00007FF7D68D0000-0x00007FF7D6C21000-memory.dmp	xmrig
behavioral2/memory/4648-242-0x00007FF72D990000-0x00007FF72DCE1000-memory.dmp	xmrig
behavioral2/memory/3788-246-0x00007FF7231E0000-0x00007FF723531000-memory.dmp	xmrig
behavioral2/memory/2060-244-0x00007FF61E480000-0x00007FF61E7D1000-memory.dmp	xmrig
behavioral2/memory/4692-248-0x00007FF7AB8C0000-0x00007FF7ABC11000-memory.dmp	xmrig
behavioral2/memory/1828-250-0x00007FF6B2460000-0x00007FF6B27B1000-memory.dmp	xmrig
behavioral2/memory/1128-254-0x00007FF7C6E80000-0x00007FF7C71D1000-memory.dmp	xmrig
behavioral2/memory/2956-256-0x00007FF6CAE50000-0x00007FF6CB1A1000-memory.dmp	xmrig
behavioral2/memory/4976-258-0x00007FF79CE90000-0x00007FF79D1E1000-memory.dmp	xmrig
behavioral2/memory/2560-260-0x00007FF66E5F0000-0x00007FF66E941000-memory.dmp	xmrig
behavioral2/memory/4628-264-0x00007FF642960000-0x00007FF642CB1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

UVfRJdv.exetzQxDYL.exeAKvpUNd.exeLmUSnxC.exeSHRkYRp.exeGsqkVts.exeXxbJQtr.exevUFzOWw.exehQaydez.exeaWQSZlm.exeLmKiVqY.exeABXStvj.exeVGKoSeB.exexaIRDHn.exeAUYKRBD.exefrCgUME.exezRnnKkh.exeWZtBTyT.exegomaKHZ.exeynlZTEr.exesPdTNTM.exe

pid	process
2672	UVfRJdv.exe
1376	tzQxDYL.exe
372	AKvpUNd.exe
1124	LmUSnxC.exe
4404	SHRkYRp.exe
1712	GsqkVts.exe
4860	XxbJQtr.exe
3696	vUFzOWw.exe
3832	hQaydez.exe
1652	aWQSZlm.exe
3980	LmKiVqY.exe
4648	ABXStvj.exe
4692	VGKoSeB.exe
3788	xaIRDHn.exe
2060	AUYKRBD.exe
1828	frCgUME.exe
1128	zRnnKkh.exe
2956	WZtBTyT.exe
4628	gomaKHZ.exe
4976	ynlZTEr.exe
2560	sPdTNTM.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1016-0-0x00007FF6DDDF0000-0x00007FF6DE141000-memory.dmp	upx
C:\Windows\System\UVfRJdv.exe	upx
behavioral2/memory/2672-7-0x00007FF6FCEE0000-0x00007FF6FD231000-memory.dmp	upx
C:\Windows\System\tzQxDYL.exe	upx
behavioral2/memory/1376-13-0x00007FF6A71D0000-0x00007FF6A7521000-memory.dmp	upx
C:\Windows\System\AKvpUNd.exe	upx
behavioral2/memory/372-18-0x00007FF769D70000-0x00007FF76A0C1000-memory.dmp	upx
C:\Windows\System\LmUSnxC.exe	upx
behavioral2/memory/1124-25-0x00007FF6E9370000-0x00007FF6E96C1000-memory.dmp	upx
C:\Windows\System\SHRkYRp.exe	upx
behavioral2/memory/4404-32-0x00007FF6660B0000-0x00007FF666401000-memory.dmp	upx
C:\Windows\System\GsqkVts.exe	upx
behavioral2/memory/1712-36-0x00007FF7C3120000-0x00007FF7C3471000-memory.dmp	upx
C:\Windows\System\XxbJQtr.exe	upx
C:\Windows\System\vUFzOWw.exe	upx
C:\Windows\System\hQaydez.exe	upx
C:\Windows\System\aWQSZlm.exe	upx
behavioral2/memory/1652-69-0x00007FF6E0E40000-0x00007FF6E1191000-memory.dmp	upx
behavioral2/memory/3980-70-0x00007FF7D68D0000-0x00007FF7D6C21000-memory.dmp	upx
C:\Windows\System\LmKiVqY.exe	upx
behavioral2/memory/1376-67-0x00007FF6A71D0000-0x00007FF6A7521000-memory.dmp	upx
behavioral2/memory/3832-64-0x00007FF6E0CA0000-0x00007FF6E0FF1000-memory.dmp	upx
behavioral2/memory/2672-57-0x00007FF6FCEE0000-0x00007FF6FD231000-memory.dmp	upx
behavioral2/memory/3696-49-0x00007FF60EE10000-0x00007FF60F161000-memory.dmp	upx
behavioral2/memory/1016-48-0x00007FF6DDDF0000-0x00007FF6DE141000-memory.dmp	upx
behavioral2/memory/4860-41-0x00007FF7C9C90000-0x00007FF7C9FE1000-memory.dmp	upx
behavioral2/memory/1124-76-0x00007FF6E9370000-0x00007FF6E96C1000-memory.dmp	upx
C:\Windows\System\ABXStvj.exe	upx
C:\Windows\System\VGKoSeB.exe	upx
behavioral2/memory/4692-92-0x00007FF7AB8C0000-0x00007FF7ABC11000-memory.dmp	upx
behavioral2/memory/2060-95-0x00007FF61E480000-0x00007FF61E7D1000-memory.dmp	upx
behavioral2/memory/3788-100-0x00007FF7231E0000-0x00007FF723531000-memory.dmp	upx
C:\Windows\System\zRnnKkh.exe	upx
C:\Windows\System\WZtBTyT.exe	upx
behavioral2/memory/1828-120-0x00007FF6B2460000-0x00007FF6B27B1000-memory.dmp	upx
C:\Windows\System\sPdTNTM.exe	upx
C:\Windows\System\ynlZTEr.exe	upx
behavioral2/memory/1128-135-0x00007FF7C6E80000-0x00007FF7C71D1000-memory.dmp	upx
behavioral2/memory/4976-136-0x00007FF79CE90000-0x00007FF79D1E1000-memory.dmp	upx
behavioral2/memory/1712-132-0x00007FF7C3120000-0x00007FF7C3471000-memory.dmp	upx
behavioral2/memory/2560-129-0x00007FF66E5F0000-0x00007FF66E941000-memory.dmp	upx
behavioral2/memory/4628-128-0x00007FF642960000-0x00007FF642CB1000-memory.dmp	upx
behavioral2/memory/2956-124-0x00007FF6CAE50000-0x00007FF6CB1A1000-memory.dmp	upx
C:\Windows\System\gomaKHZ.exe	upx
C:\Windows\System\frCgUME.exe	upx
C:\Windows\System\AUYKRBD.exe	upx
C:\Windows\System\xaIRDHn.exe	upx
behavioral2/memory/4648-87-0x00007FF72D990000-0x00007FF72DCE1000-memory.dmp	upx
behavioral2/memory/372-75-0x00007FF769D70000-0x00007FF76A0C1000-memory.dmp	upx
behavioral2/memory/1016-138-0x00007FF6DDDF0000-0x00007FF6DE141000-memory.dmp	upx
behavioral2/memory/3980-149-0x00007FF7D68D0000-0x00007FF7D6C21000-memory.dmp	upx
behavioral2/memory/4628-155-0x00007FF642960000-0x00007FF642CB1000-memory.dmp	upx
behavioral2/memory/2956-157-0x00007FF6CAE50000-0x00007FF6CB1A1000-memory.dmp	upx
behavioral2/memory/1828-154-0x00007FF6B2460000-0x00007FF6B27B1000-memory.dmp	upx
behavioral2/memory/2060-153-0x00007FF61E480000-0x00007FF61E7D1000-memory.dmp	upx
behavioral2/memory/3788-152-0x00007FF7231E0000-0x00007FF723531000-memory.dmp	upx
behavioral2/memory/4692-151-0x00007FF7AB8C0000-0x00007FF7ABC11000-memory.dmp	upx
behavioral2/memory/3696-146-0x00007FF60EE10000-0x00007FF60F161000-memory.dmp	upx
behavioral2/memory/4648-150-0x00007FF72D990000-0x00007FF72DCE1000-memory.dmp	upx
behavioral2/memory/4860-145-0x00007FF7C9C90000-0x00007FF7C9FE1000-memory.dmp	upx
behavioral2/memory/2560-160-0x00007FF66E5F0000-0x00007FF66E941000-memory.dmp	upx
behavioral2/memory/1016-167-0x00007FF6DDDF0000-0x00007FF6DE141000-memory.dmp	upx
behavioral2/memory/2672-195-0x00007FF6FCEE0000-0x00007FF6FD231000-memory.dmp	upx
behavioral2/memory/1376-197-0x00007FF6A71D0000-0x00007FF6A7521000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\AKvpUNd.exe	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SHRkYRp.exe	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ABXStvj.exe	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UVfRJdv.exe	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hQaydez.exe	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AUYKRBD.exe	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gomaKHZ.exe	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WZtBTyT.exe	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ynlZTEr.exe	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sPdTNTM.exe	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LmKiVqY.exe	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tzQxDYL.exe	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LmUSnxC.exe	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GsqkVts.exe	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XxbJQtr.exe	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vUFzOWw.exe	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aWQSZlm.exe	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VGKoSeB.exe	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xaIRDHn.exe	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\frCgUME.exe	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zRnnKkh.exe	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 1016 wrote to memory of 2672	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	UVfRJdv.exe
PID 1016 wrote to memory of 2672	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	UVfRJdv.exe
PID 1016 wrote to memory of 1376	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	tzQxDYL.exe
PID 1016 wrote to memory of 1376	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	tzQxDYL.exe
PID 1016 wrote to memory of 372	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	AKvpUNd.exe
PID 1016 wrote to memory of 372	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	AKvpUNd.exe
PID 1016 wrote to memory of 1124	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	LmUSnxC.exe
PID 1016 wrote to memory of 1124	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	LmUSnxC.exe
PID 1016 wrote to memory of 4404	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	SHRkYRp.exe
PID 1016 wrote to memory of 4404	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	SHRkYRp.exe
PID 1016 wrote to memory of 1712	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	GsqkVts.exe
PID 1016 wrote to memory of 1712	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	GsqkVts.exe
PID 1016 wrote to memory of 4860	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	XxbJQtr.exe
PID 1016 wrote to memory of 4860	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	XxbJQtr.exe
PID 1016 wrote to memory of 3696	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	vUFzOWw.exe
PID 1016 wrote to memory of 3696	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	vUFzOWw.exe
PID 1016 wrote to memory of 3832	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	hQaydez.exe
PID 1016 wrote to memory of 3832	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	hQaydez.exe
PID 1016 wrote to memory of 1652	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	aWQSZlm.exe
PID 1016 wrote to memory of 1652	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	aWQSZlm.exe
PID 1016 wrote to memory of 3980	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	LmKiVqY.exe
PID 1016 wrote to memory of 3980	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	LmKiVqY.exe
PID 1016 wrote to memory of 4648	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	ABXStvj.exe
PID 1016 wrote to memory of 4648	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	ABXStvj.exe
PID 1016 wrote to memory of 4692	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	VGKoSeB.exe
PID 1016 wrote to memory of 4692	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	VGKoSeB.exe
PID 1016 wrote to memory of 3788	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	xaIRDHn.exe
PID 1016 wrote to memory of 3788	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	xaIRDHn.exe
PID 1016 wrote to memory of 2060	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	AUYKRBD.exe
PID 1016 wrote to memory of 2060	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	AUYKRBD.exe
PID 1016 wrote to memory of 1828	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	frCgUME.exe
PID 1016 wrote to memory of 1828	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	frCgUME.exe
PID 1016 wrote to memory of 4628	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	gomaKHZ.exe
PID 1016 wrote to memory of 4628	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	gomaKHZ.exe
PID 1016 wrote to memory of 1128	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	zRnnKkh.exe
PID 1016 wrote to memory of 1128	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	zRnnKkh.exe
PID 1016 wrote to memory of 2956	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	WZtBTyT.exe
PID 1016 wrote to memory of 2956	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	WZtBTyT.exe
PID 1016 wrote to memory of 4976	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	ynlZTEr.exe
PID 1016 wrote to memory of 4976	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	ynlZTEr.exe
PID 1016 wrote to memory of 2560	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	sPdTNTM.exe
PID 1016 wrote to memory of 2560	1016	2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe	sPdTNTM.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-20_41417e29135f4e7f95970a163f87ca6c_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\System\UVfRJdv.exe
  C:\Windows\System\UVfRJdv.exe
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\System\tzQxDYL.exe
  C:\Windows\System\tzQxDYL.exe
  2⤵
  - Executes dropped EXE
  PID:1376
- C:\Windows\System\AKvpUNd.exe
  C:\Windows\System\AKvpUNd.exe
  2⤵
  - Executes dropped EXE
  PID:372
- C:\Windows\System\LmUSnxC.exe
  C:\Windows\System\LmUSnxC.exe
  2⤵
  - Executes dropped EXE
  PID:1124
- C:\Windows\System\SHRkYRp.exe
  C:\Windows\System\SHRkYRp.exe
  2⤵
  - Executes dropped EXE
  PID:4404
- C:\Windows\System\GsqkVts.exe
  C:\Windows\System\GsqkVts.exe
  2⤵
  - Executes dropped EXE
  PID:1712
- C:\Windows\System\XxbJQtr.exe
  C:\Windows\System\XxbJQtr.exe
  2⤵
  - Executes dropped EXE
  PID:4860
- C:\Windows\System\vUFzOWw.exe
  C:\Windows\System\vUFzOWw.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System\hQaydez.exe
  C:\Windows\System\hQaydez.exe
  2⤵
  - Executes dropped EXE
  PID:3832
- C:\Windows\System\aWQSZlm.exe
  C:\Windows\System\aWQSZlm.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Windows\System\LmKiVqY.exe
  C:\Windows\System\LmKiVqY.exe
  2⤵
  - Executes dropped EXE
  PID:3980
- C:\Windows\System\ABXStvj.exe
  C:\Windows\System\ABXStvj.exe
  2⤵
  - Executes dropped EXE
  PID:4648
- C:\Windows\System\VGKoSeB.exe
  C:\Windows\System\VGKoSeB.exe
  2⤵
  - Executes dropped EXE
  PID:4692
- C:\Windows\System\xaIRDHn.exe
  C:\Windows\System\xaIRDHn.exe
  2⤵
  - Executes dropped EXE
  PID:3788
- C:\Windows\System\AUYKRBD.exe
  C:\Windows\System\AUYKRBD.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System\frCgUME.exe
  C:\Windows\System\frCgUME.exe
  2⤵
  - Executes dropped EXE
  PID:1828
- C:\Windows\System\gomaKHZ.exe
  C:\Windows\System\gomaKHZ.exe
  2⤵
  - Executes dropped EXE
  PID:4628
- C:\Windows\System\zRnnKkh.exe
  C:\Windows\System\zRnnKkh.exe
  2⤵
  - Executes dropped EXE
  PID:1128
- C:\Windows\System\WZtBTyT.exe
  C:\Windows\System\WZtBTyT.exe
  2⤵
  - Executes dropped EXE
  PID:2956
- C:\Windows\System\ynlZTEr.exe
  C:\Windows\System\ynlZTEr.exe
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\Windows\System\sPdTNTM.exe
  C:\Windows\System\sPdTNTM.exe
  2⤵
  - Executes dropped EXE
  PID:2560

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ABXStvj.exe

Filesize
5.2MB

MD5
55e880112d77aba66c88fdbe0c11f6fc

SHA1
b64507fa4460ec44af592fc86e758459144a74da

SHA256
52b880afc936d289eece03ebf489e91b49743ef0b24c142041ea46818c0d8d97

SHA512
f7a88a357038510b4028773ff11dc07687ba6d528ad84d94e9bc2fbd186e9eb123e364b7045daf975c1a71b6e22f0b77a1ea84039dc204759b88488c2967ac23

Download Submit
C:\Windows\System\AKvpUNd.exe

Filesize
5.2MB

MD5
5eaaa5ec04cbf477ac00d1c2ae89e41f

SHA1
5ea2fc4c043ca9a5fa3dff7795cd4e4e5848f7d3

SHA256
fba72ce15b838f84c05d0aa575ec6730828aef8114cee66e5daec8436787e474

SHA512
75462f8dfd60669e228a0ef3395699f9f837e5c50b85a8ab954c7efb5a4a43a7550163aac366f94277d1e608aa2253e243788ae3a1bcfb51cabc82aac6c4088e

Download Submit
C:\Windows\System\AUYKRBD.exe

Filesize
5.2MB

MD5
42e256b11bed25e127bcacb4275342af

SHA1
8b8e3ae7c314672ce9174c4e64b404bf06f1e64d

SHA256
84684b3d201ce17a19e36f21ebe286a4142dec16ed72efd119423006c7e80c72

SHA512
c206c6050b389c259d54a87477aa231fd09ce42823046a55df40960225af018d17beae1318c4d6a74c27129323538a40a2b2470eed3a01361a59d35195d02995

Download Submit
C:\Windows\System\GsqkVts.exe

Filesize
5.2MB

MD5
b06656de2fc0cb60405cd4b1b2083df0

SHA1
a3455b948f071d781d86f898d5d79e954a19d6ca

SHA256
d6a9bf4afa590f6da8bcef22e6e76467905aa996ff90a6635773215120841a69

SHA512
9cf63687abd48f615f988c3c8a4eb6df5b27ef2fe4fa91f0c4dd9182c2489788f9f528572bbacbf7089f0e7b02c1670f8312c80113ae36f37d024d5d8ca74522

Download Submit
C:\Windows\System\LmKiVqY.exe

Filesize
5.2MB

MD5
f4d0b5e5fed1153e371c97e5f4d72bf3

SHA1
15f0b1781caccdfe02230c2f7ed8e6fb4893882c

SHA256
58caaa4b6cd9858a13ccbe0153bf8aaaed1fc52b9a85b062be5f37164d483c25

SHA512
592d24c30b85884dcad7b4fec96a5122fbefaec72a150dd48e7114f0c925b255c07f93972668c71aaf79df776714ffdf30ebcaf8221bf1354582d75295b1c282

Download Submit
C:\Windows\System\LmUSnxC.exe

Filesize
5.2MB

MD5
9899f63e72945f1a7cd1e0d22cf06bb5

SHA1
102fba0abd2277632478970dbfe598e76bd7ea57

SHA256
04ab7a2007a8b8f570bc130d06444d9be751542cd787bd985a7f262cf8922bf2

SHA512
61897c90d7e570ec0909e652ff16a2ee37471d70ea1ebeed546525d5ed1ad7ddc342a80dac3988e386890e99a54717f666d81b258dc6a89badaca7747514f41f

Download Submit
C:\Windows\System\SHRkYRp.exe

Filesize
5.2MB

MD5
bc35da36473a1a57e157647a6dd75284

SHA1
8a053c441e25eaaec5d694942019ba9f3bf7d80f

SHA256
7c1c002ae8eeabd926e82951ee8fac645e3d89b5d66ccf16f9b63165dd5513cc

SHA512
f8548dc06ce632baea7825737bcdd70e68099725503c185ad22cfb5ef1aaeaee2a4bce21618f071cf2e5ea832a2c8ecf7aa3dfa9f5cd40d042f63ebb01dac4ac

Download Submit
C:\Windows\System\UVfRJdv.exe

Filesize
5.2MB

MD5
ec8abf5e081fb587424497e1465f75c5

SHA1
1da21cbbf64e23ad0f2a55bde764679eff84cebe

SHA256
7e1ffa3082360c0d24e314888596e5cd3bbe26b45a1bfd83bc762785297cfa52

SHA512
541d87aea140895560e1a7a0d538e09247f0d47184e2d5229bbc0722b0cbfc4e77712e0683b3546367a5d5491dede66f7335248731c1e5bd5a537549a2f8eebb

Download Submit
C:\Windows\System\VGKoSeB.exe

Filesize
5.2MB

MD5
39c2a94dc6c18cceae5b424dfe70645e

SHA1
e4cb02b2e9c92390843ca56e78ac11e50684a289

SHA256
7502088b9012c6a1e3a88a36c63f249ae64e3362824f3e085ee5f8258910586a

SHA512
0b59ce7b56f6b60ae6c4e705f5d9b37b60fa22aab5986cad9451e56eb606fdfd995501fae03d9863f851cf174a855c92ee9cfec0c180c25a120e043c6365a900

Download Submit
C:\Windows\System\WZtBTyT.exe

Filesize
5.2MB

MD5
7ec1a015c5155a840a606310669b82b2

SHA1
53b6da077ccb0e0c0d12924b8bf176858f5c12ea

SHA256
2f78afc3aad9f2fdefaca65ea17141b584d5abee32660be8151bf71e636de490

SHA512
4ab61ccf83b689c395164922adca5a07bf3dedf23c4246fe329b32d993c75195f0cae4e056b2e2e34370a1632bc81e683ea703567f700cd961b4f496a9a45834

Download Submit
C:\Windows\System\XxbJQtr.exe

Filesize
5.2MB

MD5
d5951c5c1d302f2ba569f3b16642fc6c

SHA1
b5ad68579cff9c64504821658ff4ed9881aa5a1a

SHA256
1f32a43e373d7c4e7b19a0d64711428c902d12ffa8c48c25364c686eb32e55ce

SHA512
a036efd04f1daa863795f806f17cd16b1823ff4e6033555d4b5657915d80f9a96719a9219ecddd94736eb8c1c22891e9bdd3573691e71ea2f9aae79ea6c01fe6

Download Submit
C:\Windows\System\aWQSZlm.exe

Filesize
5.2MB

MD5
c37198f9ef38008703b51da95f29f5b3

SHA1
3899034b4233de155bd2e732e7bea3c7080d394e

SHA256
cafa05b211dfe26e6b5ac11fc5a36c4040631299554d503805d51dd57bda2292

SHA512
656212a713d62010be839f56cf0ae4574dbfe5afb525666fdf8f63b64f41452ec3c2bcf4465df3640eef56b8667d4f3581bab3edb865051c92773a63bb0cd056

Download Submit
C:\Windows\System\frCgUME.exe

Filesize
5.2MB

MD5
241ba9ef02666619d85f63733ecbb1af

SHA1
e453a5419bca4e7db6c3c5e626cc0b4219d25ad1

SHA256
cc850e97548c38acbbfb51f45a988db8326eb2f80a5aa73cee7a62f53a6e8893

SHA512
b8fd5db8419377d0e2ddedf07ca5ff4a793aa01d3b3b2292165cefacc8f8af705c7652c30f9c50e6d1cc0d25ba1613351acfb932572d0c825cd2df14fb94cbb4

Download Submit
C:\Windows\System\gomaKHZ.exe

Filesize
5.2MB

MD5
912fe40230e1cb9bba03c67860299d31

SHA1
7a61f9b15a6b3c77dd9270f1ff62c310d7fd8491

SHA256
2b89dac05fcf3bec691789d77f7a71f4116207a9a629140d31fadbddb98cb8f3

SHA512
e667472a363aaebad722dd888698d3817e61fd699e1d856348608b2165e947ec20a804d6cc06f13e2b049e2c4a906fc9130fc4c6d3e256a5e1448d197868f911

Download Submit
C:\Windows\System\hQaydez.exe

Filesize
5.2MB

MD5
a6cf890aaad9b4640066446aeb73092a

SHA1
c658070cca4d05f615f5828308113b4728f025df

SHA256
bbc9538308cb0617dcc7e1b111de3519d2e1e88d611309b8bee68e3796b3465b

SHA512
3224df23baa917ecd35bedac8aa1c32d456bfc5d7a7745ae649dba9b4240400e6d74a082f43000ab49bf0c6d96c9d212a84250240bdcf45b75a9994fa504d479

Download Submit
C:\Windows\System\sPdTNTM.exe

Filesize
5.2MB

MD5
f589820fdd745f0cce47e1ed320f7463

SHA1
bfdca98b3b59e25c201399895ac1c6e898047c92

SHA256
c1fd052a57b92640511d6c0f67507854de3ae3915a5408db74a66440b6cd81a9

SHA512
343e44655aa208dd9b9600ce593de5813f4b1f21ec342c9e05a4a5d771b1134c360a201d921e9829bbc85a60015735349137eaff5bdee6716d19bc888bf91a94

Download Submit
C:\Windows\System\tzQxDYL.exe

Filesize
5.2MB

MD5
6b5a1c42aaf5cc76aa581751717c681e

SHA1
357e290f2e2e942cf2dac0b0d57a21e4edd0c8f5

SHA256
fa443583ce683c6f33e3e24973018c4c096a1c5ccd3558b675146f8dae47a0db

SHA512
b013a8d1ccd2324cbaf1e0ed63d2fa1b18050e59e4ef48ab1864e5058ee2ebe894adfab3d12275ea302b6059463828c3eadd811b8c2f2792a5093ce5f2109075

Download Submit
C:\Windows\System\vUFzOWw.exe

Filesize
5.2MB

MD5
09d9f8843cd6e6d4291df54b7be484bb

SHA1
ff9be699d0bfa45565e4644f9e0c3c155d077e9a

SHA256
290f824e044ae95f6cbfa75e6cd16436fe32cd81cb1852b6f410716affd81ce0

SHA512
3cee593ab3f1171e967c948d4605eb753e2943591c7130e7a67826a3c5e4fdd54669ee5eabf9bd0e96881f4f623fbafe8abca901ac72894470785db1d3c9e3fc

Download Submit
C:\Windows\System\xaIRDHn.exe

Filesize
5.2MB

MD5
fbde943e714db45ca027cdd43f6643ea

SHA1
7a40ca269fb40abd9fccb1c92eada5533d208d6a

SHA256
c991f2899750b368201156c21ef660b05365895689d5ea9fcd18c62d5f3aedab

SHA512
a85cea32cb6ea9ee10421f1ecc4d3d2d4b0e3566004fecb1c8056c9435a8b0f676ed9a18e7dc914be202fcf1dd24cd65ac56f05ad4ef39d59db59b4a049351f1

Download Submit
C:\Windows\System\ynlZTEr.exe

Filesize
5.2MB

MD5
a1479ef313a11c8650dd8f99385072da

SHA1
0a7071d155215e2b0bbb56f73d44e8574c87a636

SHA256
884a74c177b5f481dc2dadf3cf325174fa16a331f54947ffc0fbc5bb1273f2c8

SHA512
13591cc0ce707aadd177c842fcba147743d6b8e8811adf7123534805fe738bd56e3592a44b85fbce482f9eb1c1d6b9594c21ad2f1be777bfe1a2fd7dc1c8ba35

Download Submit
C:\Windows\System\zRnnKkh.exe

Filesize
5.2MB

MD5
76a5676807d8ebac30fe988c19d2454a

SHA1
f1475df45744baeee9b1cd23d1a156a9ccd9ace5

SHA256
7cf801bb99a1e7e53d597876ce9e594ab68629ec743bf77c8a1b73843a1d5de7

SHA512
bffed7eb0d92896087dbaa486a45794dd684af2cc1d18ef7d2fd59e5aec7e2c7ea89e7112df97d0d2cd88d87c126e3470bf080b97146ad3c769482c21d72fbb7

Download Submit
memory/372-75-0x00007FF769D70000-0x00007FF76A0C1000-memory.dmp

Filesize
3.3MB

Download
memory/372-18-0x00007FF769D70000-0x00007FF76A0C1000-memory.dmp

Filesize
3.3MB

Download
memory/372-199-0x00007FF769D70000-0x00007FF76A0C1000-memory.dmp

Filesize
3.3MB

Download
memory/1016-1-0x00000203D6CD0000-0x00000203D6CE0000-memory.dmp

Filesize
64KB

Download
memory/1016-0-0x00007FF6DDDF0000-0x00007FF6DE141000-memory.dmp

Filesize
3.3MB

Download
memory/1016-48-0x00007FF6DDDF0000-0x00007FF6DE141000-memory.dmp

Filesize
3.3MB

Download
memory/1016-138-0x00007FF6DDDF0000-0x00007FF6DE141000-memory.dmp

Filesize
3.3MB

Download
memory/1016-167-0x00007FF6DDDF0000-0x00007FF6DE141000-memory.dmp

Filesize
3.3MB

Download
memory/1124-208-0x00007FF6E9370000-0x00007FF6E96C1000-memory.dmp

Filesize
3.3MB

Download
memory/1124-76-0x00007FF6E9370000-0x00007FF6E96C1000-memory.dmp

Filesize
3.3MB

Download
memory/1124-25-0x00007FF6E9370000-0x00007FF6E96C1000-memory.dmp

Filesize
3.3MB

Download
memory/1128-135-0x00007FF7C6E80000-0x00007FF7C71D1000-memory.dmp

Filesize
3.3MB

Download
memory/1128-254-0x00007FF7C6E80000-0x00007FF7C71D1000-memory.dmp

Filesize
3.3MB

Download
memory/1376-197-0x00007FF6A71D0000-0x00007FF6A7521000-memory.dmp

Filesize
3.3MB

Download
memory/1376-67-0x00007FF6A71D0000-0x00007FF6A7521000-memory.dmp

Filesize
3.3MB

Download
memory/1376-13-0x00007FF6A71D0000-0x00007FF6A7521000-memory.dmp

Filesize
3.3MB

Download
memory/1652-69-0x00007FF6E0E40000-0x00007FF6E1191000-memory.dmp

Filesize
3.3MB

Download
memory/1652-230-0x00007FF6E0E40000-0x00007FF6E1191000-memory.dmp

Filesize
3.3MB

Download
memory/1712-217-0x00007FF7C3120000-0x00007FF7C3471000-memory.dmp

Filesize
3.3MB

Download
memory/1712-132-0x00007FF7C3120000-0x00007FF7C3471000-memory.dmp

Filesize
3.3MB

Download
memory/1712-36-0x00007FF7C3120000-0x00007FF7C3471000-memory.dmp

Filesize
3.3MB

Download
memory/1828-154-0x00007FF6B2460000-0x00007FF6B27B1000-memory.dmp

Filesize
3.3MB

Download
memory/1828-120-0x00007FF6B2460000-0x00007FF6B27B1000-memory.dmp

Filesize
3.3MB

Download
memory/1828-250-0x00007FF6B2460000-0x00007FF6B27B1000-memory.dmp

Filesize
3.3MB

Download
memory/2060-244-0x00007FF61E480000-0x00007FF61E7D1000-memory.dmp

Filesize
3.3MB

Download
memory/2060-153-0x00007FF61E480000-0x00007FF61E7D1000-memory.dmp

Filesize
3.3MB

Download
memory/2060-95-0x00007FF61E480000-0x00007FF61E7D1000-memory.dmp

Filesize
3.3MB

Download
memory/2560-129-0x00007FF66E5F0000-0x00007FF66E941000-memory.dmp

Filesize
3.3MB

Download
memory/2560-160-0x00007FF66E5F0000-0x00007FF66E941000-memory.dmp

Filesize
3.3MB

Download
memory/2560-260-0x00007FF66E5F0000-0x00007FF66E941000-memory.dmp

Filesize
3.3MB

Download
memory/2672-7-0x00007FF6FCEE0000-0x00007FF6FD231000-memory.dmp

Filesize
3.3MB

Download
memory/2672-57-0x00007FF6FCEE0000-0x00007FF6FD231000-memory.dmp

Filesize
3.3MB

Download
memory/2672-195-0x00007FF6FCEE0000-0x00007FF6FD231000-memory.dmp

Filesize
3.3MB

Download
memory/2956-157-0x00007FF6CAE50000-0x00007FF6CB1A1000-memory.dmp

Filesize
3.3MB

Download
memory/2956-124-0x00007FF6CAE50000-0x00007FF6CB1A1000-memory.dmp

Filesize
3.3MB

Download
memory/2956-256-0x00007FF6CAE50000-0x00007FF6CB1A1000-memory.dmp

Filesize
3.3MB

Download
memory/3696-226-0x00007FF60EE10000-0x00007FF60F161000-memory.dmp

Filesize
3.3MB

Download
memory/3696-49-0x00007FF60EE10000-0x00007FF60F161000-memory.dmp

Filesize
3.3MB

Download
memory/3696-146-0x00007FF60EE10000-0x00007FF60F161000-memory.dmp

Filesize
3.3MB

Download
memory/3788-246-0x00007FF7231E0000-0x00007FF723531000-memory.dmp

Filesize
3.3MB

Download
memory/3788-152-0x00007FF7231E0000-0x00007FF723531000-memory.dmp

Filesize
3.3MB

Download
memory/3788-100-0x00007FF7231E0000-0x00007FF723531000-memory.dmp

Filesize
3.3MB

Download
memory/3832-228-0x00007FF6E0CA0000-0x00007FF6E0FF1000-memory.dmp

Filesize
3.3MB

Download
memory/3832-64-0x00007FF6E0CA0000-0x00007FF6E0FF1000-memory.dmp

Filesize
3.3MB

Download
memory/3980-232-0x00007FF7D68D0000-0x00007FF7D6C21000-memory.dmp

Filesize
3.3MB

Download
memory/3980-149-0x00007FF7D68D0000-0x00007FF7D6C21000-memory.dmp

Filesize
3.3MB

Download
memory/3980-70-0x00007FF7D68D0000-0x00007FF7D6C21000-memory.dmp

Filesize
3.3MB

Download
memory/4404-32-0x00007FF6660B0000-0x00007FF666401000-memory.dmp

Filesize
3.3MB

Download
memory/4404-214-0x00007FF6660B0000-0x00007FF666401000-memory.dmp

Filesize
3.3MB

Download
memory/4628-264-0x00007FF642960000-0x00007FF642CB1000-memory.dmp

Filesize
3.3MB

Download
memory/4628-128-0x00007FF642960000-0x00007FF642CB1000-memory.dmp

Filesize
3.3MB

Download
memory/4628-155-0x00007FF642960000-0x00007FF642CB1000-memory.dmp

Filesize
3.3MB

Download
memory/4648-242-0x00007FF72D990000-0x00007FF72DCE1000-memory.dmp

Filesize
3.3MB

Download
memory/4648-87-0x00007FF72D990000-0x00007FF72DCE1000-memory.dmp

Filesize
3.3MB

Download
memory/4648-150-0x00007FF72D990000-0x00007FF72DCE1000-memory.dmp

Filesize
3.3MB

Download
memory/4692-248-0x00007FF7AB8C0000-0x00007FF7ABC11000-memory.dmp

Filesize
3.3MB

Download
memory/4692-151-0x00007FF7AB8C0000-0x00007FF7ABC11000-memory.dmp

Filesize
3.3MB

Download
memory/4692-92-0x00007FF7AB8C0000-0x00007FF7ABC11000-memory.dmp

Filesize
3.3MB

Download
memory/4860-145-0x00007FF7C9C90000-0x00007FF7C9FE1000-memory.dmp

Filesize
3.3MB

Download
memory/4860-224-0x00007FF7C9C90000-0x00007FF7C9FE1000-memory.dmp

Filesize
3.3MB

Download
memory/4860-41-0x00007FF7C9C90000-0x00007FF7C9FE1000-memory.dmp

Filesize
3.3MB

Download
memory/4976-136-0x00007FF79CE90000-0x00007FF79D1E1000-memory.dmp

Filesize
3.3MB

Download
memory/4976-258-0x00007FF79CE90000-0x00007FF79D1E1000-memory.dmp

Filesize
3.3MB

Download