cobaltstrike | 6c9682f9e441d85408c1d77da6d564f36c25c2b194029ebae78e51d830f2a3a0

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 02:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

27eb0f5bc3c0ec0c074dc8f0f92b35e4
SHA1

b63c8a244ba6701fefdafaec97e1ee7bfbe9bcd9
SHA256

6c9682f9e441d85408c1d77da6d564f36c25c2b194029ebae78e51d830f2a3a0
SHA512

aa9f77adc960213d1fb4b979f1c986cc2e46a0db0022d5d5e133534a5476e185bd0f51733caf0d72777dbba426ab050928fe9b4fa79abac54aeb77190b8c1053
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lN:RWWBibd56utgpPFotBER/mQ32lUB

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
behavioral2/files/0x0008000000023cdd-8.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce1-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce2-16.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce3-21.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023cde-29.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce4-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce6-45.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce7-51.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce8-65.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce9-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cf0-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cf3-118.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cf2-116.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cf1-111.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cef-104.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cee-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ced-91.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cec-87.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ceb-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023cea-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023ce5-44.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/940-71-0x00007FF69D620000-0x00007FF69D971000-memory.dmp	xmrig
behavioral2/memory/4596-77-0x00007FF6E85D0000-0x00007FF6E8921000-memory.dmp	xmrig
behavioral2/memory/5020-70-0x00007FF721C60000-0x00007FF721FB1000-memory.dmp	xmrig
behavioral2/memory/5020-121-0x00007FF721C60000-0x00007FF721FB1000-memory.dmp	xmrig
behavioral2/memory/852-132-0x00007FF7858B0000-0x00007FF785C01000-memory.dmp	xmrig
behavioral2/memory/3252-133-0x00007FF769480000-0x00007FF7697D1000-memory.dmp	xmrig
behavioral2/memory/704-136-0x00007FF68CB50000-0x00007FF68CEA1000-memory.dmp	xmrig
behavioral2/memory/2036-134-0x00007FF6D3000000-0x00007FF6D3351000-memory.dmp	xmrig
behavioral2/memory/116-131-0x00007FF6E7F60000-0x00007FF6E82B1000-memory.dmp	xmrig
behavioral2/memory/2132-128-0x00007FF6478C0000-0x00007FF647C11000-memory.dmp	xmrig
behavioral2/memory/4320-127-0x00007FF7251D0000-0x00007FF725521000-memory.dmp	xmrig
behavioral2/memory/2852-126-0x00007FF768860000-0x00007FF768BB1000-memory.dmp	xmrig
behavioral2/memory/2236-125-0x00007FF668FC0000-0x00007FF669311000-memory.dmp	xmrig
behavioral2/memory/396-123-0x00007FF720B10000-0x00007FF720E61000-memory.dmp	xmrig
behavioral2/memory/3340-124-0x00007FF725CC0000-0x00007FF726011000-memory.dmp	xmrig
behavioral2/memory/3176-129-0x00007FF6B85A0000-0x00007FF6B88F1000-memory.dmp	xmrig
behavioral2/memory/824-120-0x00007FF6DBA80000-0x00007FF6DBDD1000-memory.dmp	xmrig
behavioral2/memory/4996-138-0x00007FF6A4B20000-0x00007FF6A4E71000-memory.dmp	xmrig
behavioral2/memory/4464-142-0x00007FF75ED50000-0x00007FF75F0A1000-memory.dmp	xmrig
behavioral2/memory/1548-140-0x00007FF764FA0000-0x00007FF7652F1000-memory.dmp	xmrig
behavioral2/memory/4088-141-0x00007FF65CA40000-0x00007FF65CD91000-memory.dmp	xmrig
behavioral2/memory/2724-137-0x00007FF7E8780000-0x00007FF7E8AD1000-memory.dmp	xmrig
behavioral2/memory/2692-139-0x00007FF609E80000-0x00007FF60A1D1000-memory.dmp	xmrig
behavioral2/memory/5020-143-0x00007FF721C60000-0x00007FF721FB1000-memory.dmp	xmrig
behavioral2/memory/940-192-0x00007FF69D620000-0x00007FF69D971000-memory.dmp	xmrig
behavioral2/memory/396-194-0x00007FF720B10000-0x00007FF720E61000-memory.dmp	xmrig
behavioral2/memory/3340-199-0x00007FF725CC0000-0x00007FF726011000-memory.dmp	xmrig
behavioral2/memory/2236-201-0x00007FF668FC0000-0x00007FF669311000-memory.dmp	xmrig
behavioral2/memory/2852-212-0x00007FF768860000-0x00007FF768BB1000-memory.dmp	xmrig
behavioral2/memory/4320-215-0x00007FF7251D0000-0x00007FF725521000-memory.dmp	xmrig
behavioral2/memory/2132-217-0x00007FF6478C0000-0x00007FF647C11000-memory.dmp	xmrig
behavioral2/memory/4596-221-0x00007FF6E85D0000-0x00007FF6E8921000-memory.dmp	xmrig
behavioral2/memory/3176-220-0x00007FF6B85A0000-0x00007FF6B88F1000-memory.dmp	xmrig
behavioral2/memory/3252-228-0x00007FF769480000-0x00007FF7697D1000-memory.dmp	xmrig
behavioral2/memory/116-230-0x00007FF6E7F60000-0x00007FF6E82B1000-memory.dmp	xmrig
behavioral2/memory/2036-234-0x00007FF6D3000000-0x00007FF6D3351000-memory.dmp	xmrig
behavioral2/memory/824-233-0x00007FF6DBA80000-0x00007FF6DBDD1000-memory.dmp	xmrig
behavioral2/memory/852-237-0x00007FF7858B0000-0x00007FF785C01000-memory.dmp	xmrig
behavioral2/memory/2692-250-0x00007FF609E80000-0x00007FF60A1D1000-memory.dmp	xmrig
behavioral2/memory/4088-247-0x00007FF65CA40000-0x00007FF65CD91000-memory.dmp	xmrig
behavioral2/memory/4464-245-0x00007FF75ED50000-0x00007FF75F0A1000-memory.dmp	xmrig
behavioral2/memory/704-241-0x00007FF68CB50000-0x00007FF68CEA1000-memory.dmp	xmrig
behavioral2/memory/4996-239-0x00007FF6A4B20000-0x00007FF6A4E71000-memory.dmp	xmrig
behavioral2/memory/1548-249-0x00007FF764FA0000-0x00007FF7652F1000-memory.dmp	xmrig
behavioral2/memory/2724-243-0x00007FF7E8780000-0x00007FF7E8AD1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

DLhoqVZ.exepbsAKuW.exeLDeqIEs.exeXFWHgHT.exeAQbvhLK.exekAAQzny.exeSrjbbhT.exeLCnbtoj.exeELRwcys.exexKzFPdG.exeYkLUyrB.exeVnnPzeh.exexyGYqsW.exenHnPmcD.exetdMLumW.exeOVxlYcK.exeQTczeBD.exeosrbuZR.exeaFFvYma.exeNtFJXAI.exeVCQlzKd.exe

pid	Process
940	DLhoqVZ.exe
396	pbsAKuW.exe
3340	LDeqIEs.exe
2236	XFWHgHT.exe
2852	AQbvhLK.exe
4320	kAAQzny.exe
2132	SrjbbhT.exe
3176	LCnbtoj.exe
4596	ELRwcys.exe
116	xKzFPdG.exe
852	YkLUyrB.exe
3252	VnnPzeh.exe
2036	xyGYqsW.exe
824	nHnPmcD.exe
704	tdMLumW.exe
2724	OVxlYcK.exe
4996	QTczeBD.exe
2692	osrbuZR.exe
1548	aFFvYma.exe
4088	NtFJXAI.exe
4464	VCQlzKd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5020-0-0x00007FF721C60000-0x00007FF721FB1000-memory.dmp	upx
behavioral2/files/0x0008000000023cdd-8.dat	upx
behavioral2/memory/940-11-0x00007FF69D620000-0x00007FF69D971000-memory.dmp	upx
behavioral2/files/0x0007000000023ce1-12.dat	upx
behavioral2/files/0x0007000000023ce2-16.dat	upx
behavioral2/memory/3340-18-0x00007FF725CC0000-0x00007FF726011000-memory.dmp	upx
behavioral2/memory/396-17-0x00007FF720B10000-0x00007FF720E61000-memory.dmp	upx
behavioral2/files/0x0007000000023ce3-21.dat	upx
behavioral2/memory/2236-25-0x00007FF668FC0000-0x00007FF669311000-memory.dmp	upx
behavioral2/files/0x0008000000023cde-29.dat	upx
behavioral2/memory/2852-32-0x00007FF768860000-0x00007FF768BB1000-memory.dmp	upx
behavioral2/files/0x0007000000023ce4-34.dat	upx
behavioral2/files/0x0007000000023ce6-45.dat	upx
behavioral2/files/0x0007000000023ce7-51.dat	upx
behavioral2/files/0x0007000000023ce8-65.dat	upx
behavioral2/memory/940-71-0x00007FF69D620000-0x00007FF69D971000-memory.dmp	upx
behavioral2/memory/852-81-0x00007FF7858B0000-0x00007FF785C01000-memory.dmp	upx
behavioral2/files/0x0007000000023ce9-89.dat	upx
behavioral2/files/0x0007000000023cf0-107.dat	upx
behavioral2/files/0x0007000000023cf3-118.dat	upx
behavioral2/files/0x0007000000023cf2-116.dat	upx
behavioral2/files/0x0007000000023cf1-111.dat	upx
behavioral2/files/0x0007000000023cef-104.dat	upx
behavioral2/files/0x0007000000023cee-93.dat	upx
behavioral2/files/0x0007000000023ced-91.dat	upx
behavioral2/files/0x0007000000023cec-87.dat	upx
behavioral2/files/0x0007000000023ceb-85.dat	upx
behavioral2/files/0x0007000000023cea-83.dat	upx
behavioral2/memory/4596-77-0x00007FF6E85D0000-0x00007FF6E8921000-memory.dmp	upx
behavioral2/memory/5020-70-0x00007FF721C60000-0x00007FF721FB1000-memory.dmp	upx
behavioral2/memory/116-64-0x00007FF6E7F60000-0x00007FF6E82B1000-memory.dmp	upx
behavioral2/memory/3176-59-0x00007FF6B85A0000-0x00007FF6B88F1000-memory.dmp	upx
behavioral2/memory/2132-49-0x00007FF6478C0000-0x00007FF647C11000-memory.dmp	upx
behavioral2/files/0x0007000000023ce5-44.dat	upx
behavioral2/memory/4320-37-0x00007FF7251D0000-0x00007FF725521000-memory.dmp	upx
behavioral2/memory/5020-121-0x00007FF721C60000-0x00007FF721FB1000-memory.dmp	upx
behavioral2/memory/852-132-0x00007FF7858B0000-0x00007FF785C01000-memory.dmp	upx
behavioral2/memory/3252-133-0x00007FF769480000-0x00007FF7697D1000-memory.dmp	upx
behavioral2/memory/704-136-0x00007FF68CB50000-0x00007FF68CEA1000-memory.dmp	upx
behavioral2/memory/2036-134-0x00007FF6D3000000-0x00007FF6D3351000-memory.dmp	upx
behavioral2/memory/116-131-0x00007FF6E7F60000-0x00007FF6E82B1000-memory.dmp	upx
behavioral2/memory/2132-128-0x00007FF6478C0000-0x00007FF647C11000-memory.dmp	upx
behavioral2/memory/4320-127-0x00007FF7251D0000-0x00007FF725521000-memory.dmp	upx
behavioral2/memory/2852-126-0x00007FF768860000-0x00007FF768BB1000-memory.dmp	upx
behavioral2/memory/2236-125-0x00007FF668FC0000-0x00007FF669311000-memory.dmp	upx
behavioral2/memory/396-123-0x00007FF720B10000-0x00007FF720E61000-memory.dmp	upx
behavioral2/memory/3340-124-0x00007FF725CC0000-0x00007FF726011000-memory.dmp	upx
behavioral2/memory/3176-129-0x00007FF6B85A0000-0x00007FF6B88F1000-memory.dmp	upx
behavioral2/memory/824-120-0x00007FF6DBA80000-0x00007FF6DBDD1000-memory.dmp	upx
behavioral2/memory/4996-138-0x00007FF6A4B20000-0x00007FF6A4E71000-memory.dmp	upx
behavioral2/memory/4464-142-0x00007FF75ED50000-0x00007FF75F0A1000-memory.dmp	upx
behavioral2/memory/1548-140-0x00007FF764FA0000-0x00007FF7652F1000-memory.dmp	upx
behavioral2/memory/4088-141-0x00007FF65CA40000-0x00007FF65CD91000-memory.dmp	upx
behavioral2/memory/2724-137-0x00007FF7E8780000-0x00007FF7E8AD1000-memory.dmp	upx
behavioral2/memory/2692-139-0x00007FF609E80000-0x00007FF60A1D1000-memory.dmp	upx
behavioral2/memory/5020-143-0x00007FF721C60000-0x00007FF721FB1000-memory.dmp	upx
behavioral2/memory/940-192-0x00007FF69D620000-0x00007FF69D971000-memory.dmp	upx
behavioral2/memory/396-194-0x00007FF720B10000-0x00007FF720E61000-memory.dmp	upx
behavioral2/memory/3340-199-0x00007FF725CC0000-0x00007FF726011000-memory.dmp	upx
behavioral2/memory/2236-201-0x00007FF668FC0000-0x00007FF669311000-memory.dmp	upx
behavioral2/memory/2852-212-0x00007FF768860000-0x00007FF768BB1000-memory.dmp	upx
behavioral2/memory/4320-215-0x00007FF7251D0000-0x00007FF725521000-memory.dmp	upx
behavioral2/memory/2132-217-0x00007FF6478C0000-0x00007FF647C11000-memory.dmp	upx
behavioral2/memory/4596-221-0x00007FF6E85D0000-0x00007FF6E8921000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	Process
File created	C:\Windows\System\NtFJXAI.exe	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VCQlzKd.exe	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LCnbtoj.exe	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YkLUyrB.exe	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xyGYqsW.exe	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aFFvYma.exe	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kAAQzny.exe	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ELRwcys.exe	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OVxlYcK.exe	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LDeqIEs.exe	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SrjbbhT.exe	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nHnPmcD.exe	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tdMLumW.exe	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xKzFPdG.exe	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VnnPzeh.exe	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QTczeBD.exe	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\osrbuZR.exe	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DLhoqVZ.exe	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pbsAKuW.exe	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XFWHgHT.exe	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\AQbvhLK.exe	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process
Token: SeLockMemoryPrivilege	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process	procid_target
PID 5020 wrote to memory of 940	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 5020 wrote to memory of 940	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 5020 wrote to memory of 396	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 5020 wrote to memory of 396	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 5020 wrote to memory of 3340	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 5020 wrote to memory of 3340	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 5020 wrote to memory of 2236	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 5020 wrote to memory of 2236	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 5020 wrote to memory of 2852	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 5020 wrote to memory of 2852	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 5020 wrote to memory of 4320	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 5020 wrote to memory of 4320	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 5020 wrote to memory of 2132	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5020 wrote to memory of 2132	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 5020 wrote to memory of 3176	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5020 wrote to memory of 3176	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 5020 wrote to memory of 4596	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 5020 wrote to memory of 4596	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 5020 wrote to memory of 116	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5020 wrote to memory of 116	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 5020 wrote to memory of 852	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 5020 wrote to memory of 852	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 5020 wrote to memory of 3252	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5020 wrote to memory of 3252	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 5020 wrote to memory of 2036	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5020 wrote to memory of 2036	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 5020 wrote to memory of 824	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5020 wrote to memory of 824	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 5020 wrote to memory of 704	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 5020 wrote to memory of 704	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 5020 wrote to memory of 2724	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 5020 wrote to memory of 2724	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 5020 wrote to memory of 4996	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 5020 wrote to memory of 4996	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 5020 wrote to memory of 2692	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 5020 wrote to memory of 2692	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 5020 wrote to memory of 1548	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 5020 wrote to memory of 1548	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 5020 wrote to memory of 4088	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 5020 wrote to memory of 4088	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 5020 wrote to memory of 4464	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 5020 wrote to memory of 4464	5020	2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe	107

C:\Users\Admin\AppData\Local\Temp\2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-20_27eb0f5bc3c0ec0c074dc8f0f92b35e4_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5020
- C:\Windows\System\DLhoqVZ.exe
  C:\Windows\System\DLhoqVZ.exe
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\System\pbsAKuW.exe
  C:\Windows\System\pbsAKuW.exe
  2⤵
  - Executes dropped EXE
  PID:396
- C:\Windows\System\LDeqIEs.exe
  C:\Windows\System\LDeqIEs.exe
  2⤵
  - Executes dropped EXE
  PID:3340
- C:\Windows\System\XFWHgHT.exe
  C:\Windows\System\XFWHgHT.exe
  2⤵
  - Executes dropped EXE
  PID:2236
- C:\Windows\System\AQbvhLK.exe
  C:\Windows\System\AQbvhLK.exe
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Windows\System\kAAQzny.exe
  C:\Windows\System\kAAQzny.exe
  2⤵
  - Executes dropped EXE
  PID:4320
- C:\Windows\System\SrjbbhT.exe
  C:\Windows\System\SrjbbhT.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System\LCnbtoj.exe
  C:\Windows\System\LCnbtoj.exe
  2⤵
  - Executes dropped EXE
  PID:3176
- C:\Windows\System\ELRwcys.exe
  C:\Windows\System\ELRwcys.exe
  2⤵
  - Executes dropped EXE
  PID:4596
- C:\Windows\System\xKzFPdG.exe
  C:\Windows\System\xKzFPdG.exe
  2⤵
  - Executes dropped EXE
  PID:116
- C:\Windows\System\YkLUyrB.exe
  C:\Windows\System\YkLUyrB.exe
  2⤵
  - Executes dropped EXE
  PID:852
- C:\Windows\System\VnnPzeh.exe
  C:\Windows\System\VnnPzeh.exe
  2⤵
  - Executes dropped EXE
  PID:3252
- C:\Windows\System\xyGYqsW.exe
  C:\Windows\System\xyGYqsW.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Windows\System\nHnPmcD.exe
  C:\Windows\System\nHnPmcD.exe
  2⤵
  - Executes dropped EXE
  PID:824
- C:\Windows\System\tdMLumW.exe
  C:\Windows\System\tdMLumW.exe
  2⤵
  - Executes dropped EXE
  PID:704
- C:\Windows\System\OVxlYcK.exe
  C:\Windows\System\OVxlYcK.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\QTczeBD.exe
  C:\Windows\System\QTczeBD.exe
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Windows\System\osrbuZR.exe
  C:\Windows\System\osrbuZR.exe
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\Windows\System\aFFvYma.exe
  C:\Windows\System\aFFvYma.exe
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\Windows\System\NtFJXAI.exe
  C:\Windows\System\NtFJXAI.exe
  2⤵
  - Executes dropped EXE
  PID:4088
- C:\Windows\System\VCQlzKd.exe
  C:\Windows\System\VCQlzKd.exe
  2⤵
  - Executes dropped EXE
  PID:4464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\AQbvhLK.exe

Filesize
5.2MB

MD5
15e8eaf273a030014fbfcb2b90c852f0

SHA1
c443ed70f6ca8e12bd049cd1b9b01b15e7bf5cbf

SHA256
8373dfe37e56979e01957b8c48ac66cbbcbee00676b1010d30b48260297cc3c6

SHA512
6e3bbfc41b7e93de4258503dc67c3cf0b0758403453dea0123d12165181caab2029a0bc53c5180d01bbb48a2544b8e9f9242392b8df362e66cdf0904e211dcc9

Download Submit
C:\Windows\System\DLhoqVZ.exe

Filesize
5.2MB

MD5
55a2a1bf7a53b27c72741c10bc4ecbff

SHA1
a08dc7417601c367a3c70b36f45526df236e436b

SHA256
01a8062b78399e73950e756df863187a39601c69c9575f3ee7de465356bb3502

SHA512
fd6f873d044160aa4bf2960e6562f54eb5af1cb5d32dba6162e922b98e513442a0ec1a86d31263e2d34a35e418cf08fa02997eea038aa44929a09668f78882f4

Download Submit
C:\Windows\System\ELRwcys.exe

Filesize
5.2MB

MD5
e6635a89501266fb31684ac2c89f3266

SHA1
8d25cfd6b3c21fbad99fb3695bdea346a3ab720d

SHA256
f0053c04a09614664a80e06cc7133ba5325b6f65863d57947c35543b232e42e6

SHA512
99be6836b6db9cd3f21ce0024f6b6d49d7d06df3e766a01d514c5e9638baddcf5787a6be07d05ea5694812cf8071f1b63e7532ff69bd396d53b2b0e21a246b00

Download Submit
C:\Windows\System\LCnbtoj.exe

Filesize
5.2MB

MD5
3526138d5f31106eec09a906d93ed5c7

SHA1
5c739c0531a7d7778c006be29236ec93195d633e

SHA256
a0a69af513f8b9c181d5ca7f9f3065c78dabdd12ac269faf4fa2d918a149bfa7

SHA512
b15ef5aa51399d2ec4656a11f3c80ad0eea78477cd94bd46a82b63239900f6c26875f9c316e04d7e72d57ae2a5db5fdc9327fb710b897f99abf57f73ab0231d7

Download Submit
C:\Windows\System\LDeqIEs.exe

Filesize
5.2MB

MD5
d270c340d0c6970866dc3ff3ee4a6daa

SHA1
91f1ae9e7abd70798874160acf69d4cb355324f8

SHA256
c4ee774cd64a06a33fbb124a77643016d8fbe5acd6fbfbc7d1709247a4ab68c2

SHA512
6572528b0702b29b972f44b1753f48e62b04686e9a8b0ae07a8a02fe854e5a0d2ffa20fbb806b25f5317c479d1cf6d03650adc7b07183f0e9cf06c42800cd636

Download Submit
C:\Windows\System\NtFJXAI.exe

Filesize
5.2MB

MD5
a96b3dcd66f0274724d32b368ac38178

SHA1
9097bfc33979599a3f02dea4be58d04b8979f80b

SHA256
ee0b31cde8ed1fc844187310ea4ed6a58a80d7995e7884d745642a4af792dbde

SHA512
8cb3512d9ebe96cb86c8ffddac3ed52532c464ca5ca3e5115ce160eeb29647085de68a16737abe5cf7254a8edd03448f98deaf9c3535914d5654de0a15dd3027

Download Submit
C:\Windows\System\OVxlYcK.exe

Filesize
5.2MB

MD5
c01c9fb4cc7ee5af0302b7b38470dbc5

SHA1
ebaada33c6107de7e7a42498407378e0e6cff251

SHA256
3c41e85a8d0c7e85050dc3c477cd9a3902585545280b5e737cb3bb21c30ba5fe

SHA512
af50f12ee672a137e3a716b45ebc122ee58e1248a141ae7f607049352db79a053f6acbe966ed474db982e32e0b599ef9b93f780ff8f6a16d80c6b160b966baf6

Download Submit
C:\Windows\System\QTczeBD.exe

Filesize
5.2MB

MD5
31761e969101afd347c99dcb9374cfdb

SHA1
d8926aead15076bfd0b4177e54d023ba544fb2c4

SHA256
83af92c1cfe9898f4b26762c4a0195e657beeb11c4bc8f60b9dc3ab3bd2022a5

SHA512
9b8c3545e4647bd15e57a7f4ec9b114a723df4c072c63ca8bf09a844fcb4b127fdece72c5ceffc468c9aa529a40cc3643db74ddb895e9dfa41cbce306ebabf65

Download Submit
C:\Windows\System\SrjbbhT.exe

Filesize
5.2MB

MD5
a02e28f4a51397934414868b94e9e5e2

SHA1
d0a4a9697d4af1ada1d7052a57a3653c567a2654

SHA256
8a44961d000b42b8550cc414d9f6c946d85c6f9094ed8ed0d4592da201bd3b25

SHA512
43db6a1b25d3f7e51be22e0e2373c184c6de62b336d8c1399ea475bd3067ae147160db475669c1edcb2ca88654d7958ed6756e3bf1d9caf0a5c658a599f26207

Download Submit
C:\Windows\System\VCQlzKd.exe

Filesize
5.2MB

MD5
994bfde43b537fb1c6403f4778d7eac1

SHA1
ff131feb9fa816e5789e439d9aedd4e7f5838c53

SHA256
1e52a61ddfc97d12280e273ef27bf8675aefeb2dde3439e69ac34a4ccc687536

SHA512
d2ea9410b6f716576524ed49ee86940aa1c587ccf49d188fc931a30f57b0a974f514a86975956b4d92c008282c1ccfceea2cf035d05f7a325fa6662284f5799c

Download Submit
C:\Windows\System\VnnPzeh.exe

Filesize
5.2MB

MD5
5e14d74ffd5dc89ed4de55ef007fb2b3

SHA1
554cca0d6040517939febfebdfa8ab21f9d9c24b

SHA256
1bfe3cacaf7cf4d266bde26d91a6c5197d20a557329d29e1b7a429d20cf97e93

SHA512
0d383ce47b5bca0ba69626736f856debfb77f32d71aea12ed87908937c3b0b6f77a1cf75affbbc6e5a70dd469582fe36b61c980280ded4f9de88f3df4bbf5041

Download Submit
C:\Windows\System\XFWHgHT.exe

Filesize
5.2MB

MD5
f91023cc214282989977e6b3cfb5c193

SHA1
91a49ecbb32471350ca01bd1c2a9d00142177753

SHA256
32d9f892abd6a0bb014264b4a0034bea878d1df8ab6ec3a6026085c0365ae9c9

SHA512
981d46ceb8b0899f2b9c5d139cf716ea7f92d5411d303d1a543dc587b6b7b6cb8900c94d7b23d23cc99dba03d8181c4db2d17b49e22d75d53739069c59dd5c8a

Download Submit
C:\Windows\System\YkLUyrB.exe

Filesize
5.2MB

MD5
30408b2e4f303b75fb08f7a739bc2c8b

SHA1
d49677bd10c9705c1876610609bea382544c30fa

SHA256
e170ccdab9a70f63a7d1e08c86e3a038e0512e8b1f3f851b992f5892a5a9e912

SHA512
fb84639267d4c38226ee7a92aa2383608470d4c68c34031178ee0b67b789485a206394c4413e74696922471624fdb66ee205911ba6db7088b7f11a656dde2912

Download Submit
C:\Windows\System\aFFvYma.exe

Filesize
5.2MB

MD5
2e9f2a3424dfd519235b27714b33276d

SHA1
6dfb09cf38eb7faecdcf7c5efc0e73b6bae944be

SHA256
40dbbd8ecb2f97440e5f3e6c5f795769684bda5e715fdf9517eef0fbae4e5cc1

SHA512
30588d43193267e3475b7cb879ffdf8852f426123f129e94a26d1064be3502336d13cca368053da7edd255e31e06f6e7d90de04396498e1657acc1f9d841dfbb

Download Submit
C:\Windows\System\kAAQzny.exe

Filesize
5.2MB

MD5
47ce8a6c09f070e3598bfa75666557e9

SHA1
7b44907cd67ba516341a2eb4865911c38fe9d395

SHA256
4779bb4d8f5abb2a3151829e1deb00382512d70cb7ff4ebac9bf482c3a9049b1

SHA512
3af3c33087dab89b4a842697a7568b8ec554aae64df48e9ed6b5d22fa77e9c011532dd70b6ae2a1684b129e651dc3d72b396fff2504b9a4efa5444dd16ccd69e

Download Submit
C:\Windows\System\nHnPmcD.exe

Filesize
5.2MB

MD5
efd1a4e73371e7153ca0f56ea24a2e54

SHA1
5613a53742dff72acda7b39205e6d133cffed44e

SHA256
a4bab7678a47e587b855176ea9a0ca7472ad7eeef1dd354084c835663ca06e3f

SHA512
9c793df27dba8423fd820b12bc0b8817711e6e50fc6b09b84e418bf2e89a7af999c5766c3341b1c2751feadd3128d0cae1f0f526189f8720cbf9834e285ad1ab

Download Submit
C:\Windows\System\osrbuZR.exe

Filesize
5.2MB

MD5
f03341629515a315bb6dd11ad6c4210e

SHA1
40b5325c4ed78f65c04e402eccac663f930d2d87

SHA256
7c00850a4b240d63c8ad0a375988b4740f7549b146a5398ca14b9fc8c6ee283e

SHA512
846d05c50198e6b2126e755c74b8c4acbe4f2749bfbb2961d765d591ab8dd651c81a435354b83b0182f78cf1c237c36c54086a7a23ece353e4c028d2ee01f238

Download Submit
C:\Windows\System\pbsAKuW.exe

Filesize
5.2MB

MD5
8fef031b8e86557caefe8c5e3f16fd7f

SHA1
4727808f82fd542ab980cfea50320c8121695d75

SHA256
61350733e7ec3230b6d75aa19a800b36e178bb68df8a9cdac671bc24b4db7a58

SHA512
025769719214a0981a0549131004d92aa843c3689684eebf1cf5b810867344e378d9fa9ce1b847596fa9c745baf67ead8893c7dc3ebcecb3ba3462de1ff46b00

Download Submit
C:\Windows\System\tdMLumW.exe

Filesize
5.2MB

MD5
87326fa7ac8b8a8ba1d090f086b386b7

SHA1
68f1b0aa041eb95b82e90d6edef02f699b7ae8df

SHA256
93365b809e15851ef2388e67f46e8489b8ff47f8a9db2083616ad428c03fef4a

SHA512
c3b05c0a525fc5df421bd358b8f5eb4275da1c164af77be6ef7317ee377e902d242cf1ea60877ed1484c17bfeb503826ef1a216396cb348f3931d02292010d0e

Download Submit
C:\Windows\System\xKzFPdG.exe

Filesize
5.2MB

MD5
6041d750827b04eb656fc07f13a99826

SHA1
d1a3b3f3911f6f5ab0e275bb1f559dbbf49880de

SHA256
2d9d9f71bafb06ca5df10eae138198ca7987a117bc9638e221e5fec5e6b19316

SHA512
a1840f96fd5234a33fc562cd4d5c0825f47d23517ff097c6419e203744fc1945b16d6c2ef30e963baae3e9ba6c3fa8d2b78b0c674cb89dbb26660be2c1140ba4

Download Submit
C:\Windows\System\xyGYqsW.exe

Filesize
5.2MB

MD5
166a9dcfe5feb278d157ec46f88b3560

SHA1
a6f7bfba2eece95d18a9879cb63a9b099143f874

SHA256
f79cac37f6c725a767506d54020089b61ebb7bfad8ffd71f5de986bb03e730d6

SHA512
a101ec7e4d38e2e762b18ffa57c7364966ba0b5e6210c91e71f6a735850d0a73409089272456c894e13a9958f93dfe2c9cc18d95c5ee6e9ace218c4222e12c6c

Download Submit
memory/116-131-0x00007FF6E7F60000-0x00007FF6E82B1000-memory.dmp

Filesize
3.3MB

Download
memory/116-64-0x00007FF6E7F60000-0x00007FF6E82B1000-memory.dmp

Filesize
3.3MB

Download
memory/116-230-0x00007FF6E7F60000-0x00007FF6E82B1000-memory.dmp

Filesize
3.3MB

Download
memory/396-123-0x00007FF720B10000-0x00007FF720E61000-memory.dmp

Filesize
3.3MB

Download
memory/396-194-0x00007FF720B10000-0x00007FF720E61000-memory.dmp

Filesize
3.3MB

Download
memory/396-17-0x00007FF720B10000-0x00007FF720E61000-memory.dmp

Filesize
3.3MB

Download
memory/704-241-0x00007FF68CB50000-0x00007FF68CEA1000-memory.dmp

Filesize
3.3MB

Download
memory/704-136-0x00007FF68CB50000-0x00007FF68CEA1000-memory.dmp

Filesize
3.3MB

Download
memory/824-120-0x00007FF6DBA80000-0x00007FF6DBDD1000-memory.dmp

Filesize
3.3MB

Download
memory/824-233-0x00007FF6DBA80000-0x00007FF6DBDD1000-memory.dmp

Filesize
3.3MB

Download
memory/852-132-0x00007FF7858B0000-0x00007FF785C01000-memory.dmp

Filesize
3.3MB

Download
memory/852-81-0x00007FF7858B0000-0x00007FF785C01000-memory.dmp

Filesize
3.3MB

Download
memory/852-237-0x00007FF7858B0000-0x00007FF785C01000-memory.dmp

Filesize
3.3MB

Download
memory/940-192-0x00007FF69D620000-0x00007FF69D971000-memory.dmp

Filesize
3.3MB

Download
memory/940-71-0x00007FF69D620000-0x00007FF69D971000-memory.dmp

Filesize
3.3MB

Download
memory/940-11-0x00007FF69D620000-0x00007FF69D971000-memory.dmp

Filesize
3.3MB

Download
memory/1548-140-0x00007FF764FA0000-0x00007FF7652F1000-memory.dmp

Filesize
3.3MB

Download
memory/1548-249-0x00007FF764FA0000-0x00007FF7652F1000-memory.dmp

Filesize
3.3MB

Download
memory/2036-234-0x00007FF6D3000000-0x00007FF6D3351000-memory.dmp

Filesize
3.3MB

Download
memory/2036-134-0x00007FF6D3000000-0x00007FF6D3351000-memory.dmp

Filesize
3.3MB

Download
memory/2132-128-0x00007FF6478C0000-0x00007FF647C11000-memory.dmp

Filesize
3.3MB

Download
memory/2132-217-0x00007FF6478C0000-0x00007FF647C11000-memory.dmp

Filesize
3.3MB

Download
memory/2132-49-0x00007FF6478C0000-0x00007FF647C11000-memory.dmp

Filesize
3.3MB

Download
memory/2236-125-0x00007FF668FC0000-0x00007FF669311000-memory.dmp

Filesize
3.3MB

Download
memory/2236-201-0x00007FF668FC0000-0x00007FF669311000-memory.dmp

Filesize
3.3MB

Download
memory/2236-25-0x00007FF668FC0000-0x00007FF669311000-memory.dmp

Filesize
3.3MB

Download
memory/2692-250-0x00007FF609E80000-0x00007FF60A1D1000-memory.dmp

Filesize
3.3MB

Download
memory/2692-139-0x00007FF609E80000-0x00007FF60A1D1000-memory.dmp

Filesize
3.3MB

Download
memory/2724-137-0x00007FF7E8780000-0x00007FF7E8AD1000-memory.dmp

Filesize
3.3MB

Download
memory/2724-243-0x00007FF7E8780000-0x00007FF7E8AD1000-memory.dmp

Filesize
3.3MB

Download
memory/2852-126-0x00007FF768860000-0x00007FF768BB1000-memory.dmp

Filesize
3.3MB

Download
memory/2852-212-0x00007FF768860000-0x00007FF768BB1000-memory.dmp

Filesize
3.3MB

Download
memory/2852-32-0x00007FF768860000-0x00007FF768BB1000-memory.dmp

Filesize
3.3MB

Download
memory/3176-220-0x00007FF6B85A0000-0x00007FF6B88F1000-memory.dmp

Filesize
3.3MB

Download
memory/3176-59-0x00007FF6B85A0000-0x00007FF6B88F1000-memory.dmp

Filesize
3.3MB

Download
memory/3176-129-0x00007FF6B85A0000-0x00007FF6B88F1000-memory.dmp

Filesize
3.3MB

Download
memory/3252-228-0x00007FF769480000-0x00007FF7697D1000-memory.dmp

Filesize
3.3MB

Download
memory/3252-133-0x00007FF769480000-0x00007FF7697D1000-memory.dmp

Filesize
3.3MB

Download
memory/3340-199-0x00007FF725CC0000-0x00007FF726011000-memory.dmp

Filesize
3.3MB

Download
memory/3340-18-0x00007FF725CC0000-0x00007FF726011000-memory.dmp

Filesize
3.3MB

Download
memory/3340-124-0x00007FF725CC0000-0x00007FF726011000-memory.dmp

Filesize
3.3MB

Download
memory/4088-247-0x00007FF65CA40000-0x00007FF65CD91000-memory.dmp

Filesize
3.3MB

Download
memory/4088-141-0x00007FF65CA40000-0x00007FF65CD91000-memory.dmp

Filesize
3.3MB

Download
memory/4320-127-0x00007FF7251D0000-0x00007FF725521000-memory.dmp

Filesize
3.3MB

Download
memory/4320-37-0x00007FF7251D0000-0x00007FF725521000-memory.dmp

Filesize
3.3MB

Download
memory/4320-215-0x00007FF7251D0000-0x00007FF725521000-memory.dmp

Filesize
3.3MB

Download
memory/4464-142-0x00007FF75ED50000-0x00007FF75F0A1000-memory.dmp

Filesize
3.3MB

Download
memory/4464-245-0x00007FF75ED50000-0x00007FF75F0A1000-memory.dmp

Filesize
3.3MB

Download
memory/4596-77-0x00007FF6E85D0000-0x00007FF6E8921000-memory.dmp

Filesize
3.3MB

Download
memory/4596-221-0x00007FF6E85D0000-0x00007FF6E8921000-memory.dmp

Filesize
3.3MB

Download
memory/4996-138-0x00007FF6A4B20000-0x00007FF6A4E71000-memory.dmp

Filesize
3.3MB

Download
memory/4996-239-0x00007FF6A4B20000-0x00007FF6A4E71000-memory.dmp

Filesize
3.3MB

Download
memory/5020-0-0x00007FF721C60000-0x00007FF721FB1000-memory.dmp

Filesize
3.3MB

Download
memory/5020-121-0x00007FF721C60000-0x00007FF721FB1000-memory.dmp

Filesize
3.3MB

Download
memory/5020-143-0x00007FF721C60000-0x00007FF721FB1000-memory.dmp

Filesize
3.3MB

Download
memory/5020-1-0x000001599EEC0000-0x000001599EED0000-memory.dmp

Filesize
64KB

Download
memory/5020-70-0x00007FF721C60000-0x00007FF721FB1000-memory.dmp

Filesize
3.3MB

Download