cobaltstrike | 3bb19b9c626ed3dbf919bc1d90f1211009d085103dc615e4b085e73aa1c4bf02

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 03:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

4d7d807b7bbbee79245a6e6b042c00d0
SHA1

edd9dec3a4c6def0e06be448137f8940b69f9c67
SHA256

3bb19b9c626ed3dbf919bc1d90f1211009d085103dc615e4b085e73aa1c4bf02
SHA512

35e8d789e519069eee5f0eecd55b6085bda3743dd78d15dd1383f3e88ea03e187188b615292f7300a2d9813f2b72b4727d6631d82d9ddaa68f5e27b850309664
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6l5:RWWBibd56utgpPFotBER/mQ32lU9

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\tJRWcMa.exe	cobalt_reflective_dll
C:\Windows\System\THrlvXE.exe	cobalt_reflective_dll
C:\Windows\System\ztzKmaB.exe	cobalt_reflective_dll
C:\Windows\System\FzKudhq.exe	cobalt_reflective_dll
C:\Windows\System\RnZtrpn.exe	cobalt_reflective_dll
C:\Windows\System\CktKnyG.exe	cobalt_reflective_dll
C:\Windows\System\rMEvEkf.exe	cobalt_reflective_dll
C:\Windows\System\YHMxiAJ.exe	cobalt_reflective_dll
C:\Windows\System\glXLKUk.exe	cobalt_reflective_dll
C:\Windows\System\daJOmse.exe	cobalt_reflective_dll
C:\Windows\System\XifoVBX.exe	cobalt_reflective_dll
C:\Windows\System\NeCxrqC.exe	cobalt_reflective_dll
C:\Windows\System\upmUUTo.exe	cobalt_reflective_dll
C:\Windows\System\FTRdScC.exe	cobalt_reflective_dll
C:\Windows\System\gQqvKhx.exe	cobalt_reflective_dll
C:\Windows\System\OgePuRo.exe	cobalt_reflective_dll
C:\Windows\System\cAooReF.exe	cobalt_reflective_dll
C:\Windows\System\oqLQIAB.exe	cobalt_reflective_dll
C:\Windows\System\RcLMPZl.exe	cobalt_reflective_dll
C:\Windows\System\vHpxRky.exe	cobalt_reflective_dll
C:\Windows\System\peksqvI.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 45 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1960-92-0x00007FF60C250000-0x00007FF60C5A1000-memory.dmp	xmrig
behavioral2/memory/976-128-0x00007FF7C5C90000-0x00007FF7C5FE1000-memory.dmp	xmrig
behavioral2/memory/2268-123-0x00007FF7864A0000-0x00007FF7867F1000-memory.dmp	xmrig
behavioral2/memory/4408-116-0x00007FF766E00000-0x00007FF767151000-memory.dmp	xmrig
behavioral2/memory/1752-115-0x00007FF7F1C60000-0x00007FF7F1FB1000-memory.dmp	xmrig
behavioral2/memory/1556-98-0x00007FF69D940000-0x00007FF69DC91000-memory.dmp	xmrig
behavioral2/memory/3024-78-0x00007FF63F4A0000-0x00007FF63F7F1000-memory.dmp	xmrig
behavioral2/memory/1620-36-0x00007FF6A11C0000-0x00007FF6A1511000-memory.dmp	xmrig
behavioral2/memory/3024-134-0x00007FF63F4A0000-0x00007FF63F7F1000-memory.dmp	xmrig
behavioral2/memory/1108-145-0x00007FF7727B0000-0x00007FF772B01000-memory.dmp	xmrig
behavioral2/memory/1412-147-0x00007FF7848A0000-0x00007FF784BF1000-memory.dmp	xmrig
behavioral2/memory/4792-151-0x00007FF726D40000-0x00007FF727091000-memory.dmp	xmrig
behavioral2/memory/1860-154-0x00007FF705D50000-0x00007FF7060A1000-memory.dmp	xmrig
behavioral2/memory/4512-153-0x00007FF6A4DF0000-0x00007FF6A5141000-memory.dmp	xmrig
behavioral2/memory/3624-150-0x00007FF634250000-0x00007FF6345A1000-memory.dmp	xmrig
behavioral2/memory/3160-148-0x00007FF6C8840000-0x00007FF6C8B91000-memory.dmp	xmrig
behavioral2/memory/4852-146-0x00007FF611800000-0x00007FF611B51000-memory.dmp	xmrig
behavioral2/memory/888-155-0x00007FF6FCB30000-0x00007FF6FCE81000-memory.dmp	xmrig
behavioral2/memory/3932-144-0x00007FF6582B0000-0x00007FF658601000-memory.dmp	xmrig
behavioral2/memory/4016-143-0x00007FF744D70000-0x00007FF7450C1000-memory.dmp	xmrig
behavioral2/memory/4540-142-0x00007FF63CEF0000-0x00007FF63D241000-memory.dmp	xmrig
behavioral2/memory/3720-149-0x00007FF60F820000-0x00007FF60FB71000-memory.dmp	xmrig
behavioral2/memory/4664-141-0x00007FF6BBA20000-0x00007FF6BBD71000-memory.dmp	xmrig
behavioral2/memory/3024-156-0x00007FF63F4A0000-0x00007FF63F7F1000-memory.dmp	xmrig
behavioral2/memory/1960-209-0x00007FF60C250000-0x00007FF60C5A1000-memory.dmp	xmrig
behavioral2/memory/1556-211-0x00007FF69D940000-0x00007FF69DC91000-memory.dmp	xmrig
behavioral2/memory/1752-213-0x00007FF7F1C60000-0x00007FF7F1FB1000-memory.dmp	xmrig
behavioral2/memory/1620-224-0x00007FF6A11C0000-0x00007FF6A1511000-memory.dmp	xmrig
behavioral2/memory/4408-228-0x00007FF766E00000-0x00007FF767151000-memory.dmp	xmrig
behavioral2/memory/4016-233-0x00007FF744D70000-0x00007FF7450C1000-memory.dmp	xmrig
behavioral2/memory/4664-238-0x00007FF6BBA20000-0x00007FF6BBD71000-memory.dmp	xmrig
behavioral2/memory/1108-240-0x00007FF7727B0000-0x00007FF772B01000-memory.dmp	xmrig
behavioral2/memory/4540-237-0x00007FF63CEF0000-0x00007FF63D241000-memory.dmp	xmrig
behavioral2/memory/976-235-0x00007FF7C5C90000-0x00007FF7C5FE1000-memory.dmp	xmrig
behavioral2/memory/3932-230-0x00007FF6582B0000-0x00007FF658601000-memory.dmp	xmrig
behavioral2/memory/4852-255-0x00007FF611800000-0x00007FF611B51000-memory.dmp	xmrig
behavioral2/memory/1412-260-0x00007FF7848A0000-0x00007FF784BF1000-memory.dmp	xmrig
behavioral2/memory/888-263-0x00007FF6FCB30000-0x00007FF6FCE81000-memory.dmp	xmrig
behavioral2/memory/1860-261-0x00007FF705D50000-0x00007FF7060A1000-memory.dmp	xmrig
behavioral2/memory/4512-257-0x00007FF6A4DF0000-0x00007FF6A5141000-memory.dmp	xmrig
behavioral2/memory/3160-253-0x00007FF6C8840000-0x00007FF6C8B91000-memory.dmp	xmrig
behavioral2/memory/3720-252-0x00007FF60F820000-0x00007FF60FB71000-memory.dmp	xmrig
behavioral2/memory/4792-250-0x00007FF726D40000-0x00007FF727091000-memory.dmp	xmrig
behavioral2/memory/2268-248-0x00007FF7864A0000-0x00007FF7867F1000-memory.dmp	xmrig
behavioral2/memory/3624-246-0x00007FF634250000-0x00007FF6345A1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

tJRWcMa.exepeksqvI.exevHpxRky.exeTHrlvXE.exeFzKudhq.exeztzKmaB.exeRnZtrpn.exeCktKnyG.exerMEvEkf.exeYHMxiAJ.exeRcLMPZl.exeoqLQIAB.exeglXLKUk.execAooReF.exedaJOmse.exeFTRdScC.exeOgePuRo.exegQqvKhx.exeXifoVBX.exeupmUUTo.exeNeCxrqC.exe

pid	process
1960	tJRWcMa.exe
1556	peksqvI.exe
1752	vHpxRky.exe
1620	THrlvXE.exe
4408	FzKudhq.exe
976	ztzKmaB.exe
4664	RnZtrpn.exe
4540	CktKnyG.exe
4016	rMEvEkf.exe
3932	YHMxiAJ.exe
1108	RcLMPZl.exe
4852	oqLQIAB.exe
1412	glXLKUk.exe
3160	cAooReF.exe
3720	daJOmse.exe
3624	FTRdScC.exe
4792	OgePuRo.exe
2268	gQqvKhx.exe
4512	XifoVBX.exe
1860	upmUUTo.exe
888	NeCxrqC.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3024-0-0x00007FF63F4A0000-0x00007FF63F7F1000-memory.dmp	upx
C:\Windows\System\tJRWcMa.exe	upx
behavioral2/memory/1960-7-0x00007FF60C250000-0x00007FF60C5A1000-memory.dmp	upx
C:\Windows\System\THrlvXE.exe	upx
C:\Windows\System\ztzKmaB.exe	upx
C:\Windows\System\FzKudhq.exe	upx
C:\Windows\System\RnZtrpn.exe	upx
C:\Windows\System\CktKnyG.exe	upx
C:\Windows\System\rMEvEkf.exe	upx
C:\Windows\System\YHMxiAJ.exe	upx
C:\Windows\System\glXLKUk.exe	upx
behavioral2/memory/1412-83-0x00007FF7848A0000-0x00007FF784BF1000-memory.dmp	upx
behavioral2/memory/1960-92-0x00007FF60C250000-0x00007FF60C5A1000-memory.dmp	upx
C:\Windows\System\daJOmse.exe	upx
C:\Windows\System\XifoVBX.exe	upx
behavioral2/memory/1860-133-0x00007FF705D50000-0x00007FF7060A1000-memory.dmp	upx
C:\Windows\System\NeCxrqC.exe	upx
C:\Windows\System\upmUUTo.exe	upx
behavioral2/memory/976-128-0x00007FF7C5C90000-0x00007FF7C5FE1000-memory.dmp	upx
behavioral2/memory/4512-127-0x00007FF6A4DF0000-0x00007FF6A5141000-memory.dmp	upx
behavioral2/memory/888-124-0x00007FF6FCB30000-0x00007FF6FCE81000-memory.dmp	upx
behavioral2/memory/2268-123-0x00007FF7864A0000-0x00007FF7867F1000-memory.dmp	upx
C:\Windows\System\FTRdScC.exe	upx
C:\Windows\System\gQqvKhx.exe	upx
behavioral2/memory/4408-116-0x00007FF766E00000-0x00007FF767151000-memory.dmp	upx
behavioral2/memory/1752-115-0x00007FF7F1C60000-0x00007FF7F1FB1000-memory.dmp	upx
behavioral2/memory/3624-113-0x00007FF634250000-0x00007FF6345A1000-memory.dmp	upx
C:\Windows\System\OgePuRo.exe	upx
behavioral2/memory/4792-107-0x00007FF726D40000-0x00007FF727091000-memory.dmp	upx
behavioral2/memory/3160-99-0x00007FF6C8840000-0x00007FF6C8B91000-memory.dmp	upx
behavioral2/memory/1556-98-0x00007FF69D940000-0x00007FF69DC91000-memory.dmp	upx
behavioral2/memory/3720-91-0x00007FF60F820000-0x00007FF60FB71000-memory.dmp	upx
C:\Windows\System\cAooReF.exe	upx
C:\Windows\System\oqLQIAB.exe	upx
behavioral2/memory/4852-82-0x00007FF611800000-0x00007FF611B51000-memory.dmp	upx
behavioral2/memory/3024-78-0x00007FF63F4A0000-0x00007FF63F7F1000-memory.dmp	upx
behavioral2/memory/1108-70-0x00007FF7727B0000-0x00007FF772B01000-memory.dmp	upx
C:\Windows\System\RcLMPZl.exe	upx
behavioral2/memory/3932-61-0x00007FF6582B0000-0x00007FF658601000-memory.dmp	upx
behavioral2/memory/4016-53-0x00007FF744D70000-0x00007FF7450C1000-memory.dmp	upx
behavioral2/memory/4540-46-0x00007FF63CEF0000-0x00007FF63D241000-memory.dmp	upx
behavioral2/memory/4664-42-0x00007FF6BBA20000-0x00007FF6BBD71000-memory.dmp	upx
behavioral2/memory/976-38-0x00007FF7C5C90000-0x00007FF7C5FE1000-memory.dmp	upx
behavioral2/memory/1620-36-0x00007FF6A11C0000-0x00007FF6A1511000-memory.dmp	upx
behavioral2/memory/4408-30-0x00007FF766E00000-0x00007FF767151000-memory.dmp	upx
behavioral2/memory/1752-26-0x00007FF7F1C60000-0x00007FF7F1FB1000-memory.dmp	upx
C:\Windows\System\vHpxRky.exe	upx
C:\Windows\System\peksqvI.exe	upx
behavioral2/memory/1556-15-0x00007FF69D940000-0x00007FF69DC91000-memory.dmp	upx
behavioral2/memory/3024-134-0x00007FF63F4A0000-0x00007FF63F7F1000-memory.dmp	upx
behavioral2/memory/1108-145-0x00007FF7727B0000-0x00007FF772B01000-memory.dmp	upx
behavioral2/memory/1412-147-0x00007FF7848A0000-0x00007FF784BF1000-memory.dmp	upx
behavioral2/memory/4792-151-0x00007FF726D40000-0x00007FF727091000-memory.dmp	upx
behavioral2/memory/1860-154-0x00007FF705D50000-0x00007FF7060A1000-memory.dmp	upx
behavioral2/memory/4512-153-0x00007FF6A4DF0000-0x00007FF6A5141000-memory.dmp	upx
behavioral2/memory/3624-150-0x00007FF634250000-0x00007FF6345A1000-memory.dmp	upx
behavioral2/memory/3160-148-0x00007FF6C8840000-0x00007FF6C8B91000-memory.dmp	upx
behavioral2/memory/4852-146-0x00007FF611800000-0x00007FF611B51000-memory.dmp	upx
behavioral2/memory/888-155-0x00007FF6FCB30000-0x00007FF6FCE81000-memory.dmp	upx
behavioral2/memory/3932-144-0x00007FF6582B0000-0x00007FF658601000-memory.dmp	upx
behavioral2/memory/4016-143-0x00007FF744D70000-0x00007FF7450C1000-memory.dmp	upx
behavioral2/memory/4540-142-0x00007FF63CEF0000-0x00007FF63D241000-memory.dmp	upx
behavioral2/memory/3720-149-0x00007FF60F820000-0x00007FF60FB71000-memory.dmp	upx
behavioral2/memory/4664-141-0x00007FF6BBA20000-0x00007FF6BBD71000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\FzKudhq.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ztzKmaB.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rMEvEkf.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\glXLKUk.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cAooReF.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\peksqvI.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oqLQIAB.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FTRdScC.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YHMxiAJ.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OgePuRo.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gQqvKhx.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\upmUUTo.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NeCxrqC.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\THrlvXE.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vHpxRky.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RnZtrpn.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CktKnyG.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RcLMPZl.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\daJOmse.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XifoVBX.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tJRWcMa.exe	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 3024 wrote to memory of 1960	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	tJRWcMa.exe
PID 3024 wrote to memory of 1960	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	tJRWcMa.exe
PID 3024 wrote to memory of 1556	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	peksqvI.exe
PID 3024 wrote to memory of 1556	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	peksqvI.exe
PID 3024 wrote to memory of 1752	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	vHpxRky.exe
PID 3024 wrote to memory of 1752	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	vHpxRky.exe
PID 3024 wrote to memory of 1620	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	THrlvXE.exe
PID 3024 wrote to memory of 1620	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	THrlvXE.exe
PID 3024 wrote to memory of 4408	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	FzKudhq.exe
PID 3024 wrote to memory of 4408	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	FzKudhq.exe
PID 3024 wrote to memory of 976	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	ztzKmaB.exe
PID 3024 wrote to memory of 976	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	ztzKmaB.exe
PID 3024 wrote to memory of 4664	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	RnZtrpn.exe
PID 3024 wrote to memory of 4664	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	RnZtrpn.exe
PID 3024 wrote to memory of 4540	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	CktKnyG.exe
PID 3024 wrote to memory of 4540	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	CktKnyG.exe
PID 3024 wrote to memory of 4016	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	rMEvEkf.exe
PID 3024 wrote to memory of 4016	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	rMEvEkf.exe
PID 3024 wrote to memory of 3932	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	YHMxiAJ.exe
PID 3024 wrote to memory of 3932	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	YHMxiAJ.exe
PID 3024 wrote to memory of 1108	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	RcLMPZl.exe
PID 3024 wrote to memory of 1108	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	RcLMPZl.exe
PID 3024 wrote to memory of 4852	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	oqLQIAB.exe
PID 3024 wrote to memory of 4852	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	oqLQIAB.exe
PID 3024 wrote to memory of 1412	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	glXLKUk.exe
PID 3024 wrote to memory of 1412	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	glXLKUk.exe
PID 3024 wrote to memory of 3160	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	cAooReF.exe
PID 3024 wrote to memory of 3160	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	cAooReF.exe
PID 3024 wrote to memory of 3720	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	daJOmse.exe
PID 3024 wrote to memory of 3720	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	daJOmse.exe
PID 3024 wrote to memory of 3624	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	FTRdScC.exe
PID 3024 wrote to memory of 3624	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	FTRdScC.exe
PID 3024 wrote to memory of 4792	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	OgePuRo.exe
PID 3024 wrote to memory of 4792	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	OgePuRo.exe
PID 3024 wrote to memory of 2268	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	gQqvKhx.exe
PID 3024 wrote to memory of 2268	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	gQqvKhx.exe
PID 3024 wrote to memory of 4512	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	XifoVBX.exe
PID 3024 wrote to memory of 4512	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	XifoVBX.exe
PID 3024 wrote to memory of 1860	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	upmUUTo.exe
PID 3024 wrote to memory of 1860	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	upmUUTo.exe
PID 3024 wrote to memory of 888	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	NeCxrqC.exe
PID 3024 wrote to memory of 888	3024	2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe	NeCxrqC.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-21_4d7d807b7bbbee79245a6e6b042c00d0_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\System\tJRWcMa.exe
  C:\Windows\System\tJRWcMa.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System\peksqvI.exe
  C:\Windows\System\peksqvI.exe
  2⤵
  - Executes dropped EXE
  PID:1556
- C:\Windows\System\vHpxRky.exe
  C:\Windows\System\vHpxRky.exe
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\System\THrlvXE.exe
  C:\Windows\System\THrlvXE.exe
  2⤵
  - Executes dropped EXE
  PID:1620
- C:\Windows\System\FzKudhq.exe
  C:\Windows\System\FzKudhq.exe
  2⤵
  - Executes dropped EXE
  PID:4408
- C:\Windows\System\ztzKmaB.exe
  C:\Windows\System\ztzKmaB.exe
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\System\RnZtrpn.exe
  C:\Windows\System\RnZtrpn.exe
  2⤵
  - Executes dropped EXE
  PID:4664
- C:\Windows\System\CktKnyG.exe
  C:\Windows\System\CktKnyG.exe
  2⤵
  - Executes dropped EXE
  PID:4540
- C:\Windows\System\rMEvEkf.exe
  C:\Windows\System\rMEvEkf.exe
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Windows\System\YHMxiAJ.exe
  C:\Windows\System\YHMxiAJ.exe
  2⤵
  - Executes dropped EXE
  PID:3932
- C:\Windows\System\RcLMPZl.exe
  C:\Windows\System\RcLMPZl.exe
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\System\oqLQIAB.exe
  C:\Windows\System\oqLQIAB.exe
  2⤵
  - Executes dropped EXE
  PID:4852
- C:\Windows\System\glXLKUk.exe
  C:\Windows\System\glXLKUk.exe
  2⤵
  - Executes dropped EXE
  PID:1412
- C:\Windows\System\cAooReF.exe
  C:\Windows\System\cAooReF.exe
  2⤵
  - Executes dropped EXE
  PID:3160
- C:\Windows\System\daJOmse.exe
  C:\Windows\System\daJOmse.exe
  2⤵
  - Executes dropped EXE
  PID:3720
- C:\Windows\System\FTRdScC.exe
  C:\Windows\System\FTRdScC.exe
  2⤵
  - Executes dropped EXE
  PID:3624
- C:\Windows\System\OgePuRo.exe
  C:\Windows\System\OgePuRo.exe
  2⤵
  - Executes dropped EXE
  PID:4792
- C:\Windows\System\gQqvKhx.exe
  C:\Windows\System\gQqvKhx.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System\XifoVBX.exe
  C:\Windows\System\XifoVBX.exe
  2⤵
  - Executes dropped EXE
  PID:4512
- C:\Windows\System\upmUUTo.exe
  C:\Windows\System\upmUUTo.exe
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\Windows\System\NeCxrqC.exe
  C:\Windows\System\NeCxrqC.exe
  2⤵
  - Executes dropped EXE
  PID:888

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\CktKnyG.exe

Filesize
5.2MB

MD5
38ef412c5a7d83f4ccf68165746ad0f2

SHA1
cafd1f34a0adc9cf88dc78b92d710cb47be722aa

SHA256
b714cfdc0dd9b4535836e9b81792137facd62e0897450f6735df3b5bf51e3bcb

SHA512
6417c80d39b139eb9a9d002bdf2ba01a9ad25238ab63a6a63a284a3cdd5a1b7cd3d9f578cdfc5860ce67cf90d457260a38d51c1281b658cc922fc41b130e0931

Download Submit
C:\Windows\System\FTRdScC.exe

Filesize
5.2MB

MD5
7ee198fcafdc8304c68a9c600c7082f1

SHA1
37934ea9c9acc1af875c8e3268c04c24520f6654

SHA256
d2bc6c8e173ae281a21ac77a4f8a37426bd30ee674c0f482a40d687e6a6378d1

SHA512
1dbda7c6afc46528c947ddcaa6133ded5b99d9e693876a089dc2bddca691a455b6b0a2a1e3d356d66af9450875af2506c5bfe0f671f737086a6147ee2f7b9226

Download Submit
C:\Windows\System\FzKudhq.exe

Filesize
5.2MB

MD5
cef9a0bdf165938d1924a226ada4f68d

SHA1
9d07de69c15e757a9bec46d60af1a1a27f3ef8f1

SHA256
737c2f843b9da058277c66154601fbdfd37559883f3f9c69e6ff55e395803c93

SHA512
386b296e171e5939eac0916f5f09954772e4491a8051ec9f3bdf15f142d1fbb167605f8ffe3c1ecba1593f60bd43a63933a33218a02037d37d4f7b1238764d69

Download Submit
C:\Windows\System\NeCxrqC.exe

Filesize
5.2MB

MD5
e068b9e97a7460d3ee4663ce49a8b425

SHA1
3a7e127b6b12f1d045b8ad663a1f9a1464c18e81

SHA256
10bf96608a4c7fccf38e4542cf767e1077014332e9f32196bb3e86498a2329ea

SHA512
2582d30cab504be86b2c9d17faa255646b3c342ca5ef67bb7fd0cbd2d85100d84709250fa8fb338dc82609b54b86fc39d92acff336af1dc42d64b7181c7b3909

Download Submit
C:\Windows\System\OgePuRo.exe

Filesize
5.2MB

MD5
404e4c951c426e996c7ed9ba178bb361

SHA1
5f4075dc45c143fe0799f4a5dda1cbb3809ceacc

SHA256
945252acd8f0066233a98ed40459aa83edc3d8a2742299a2ee35bee3fb369e72

SHA512
710cd0c1c9a97f0896bb095854044307ec666dbd30d2c28748121cbe351b47bd5a5d1ce7c3886ecf2d1c94a523ead71e993d9cf6a4c2c8493453a5a4df5dff5a

Download Submit
C:\Windows\System\RcLMPZl.exe

Filesize
5.2MB

MD5
e61ac00475d2e3afa1ba15656a0567df

SHA1
dd0e021c470abb595ab23b6c3c67513abd18568b

SHA256
9d4b6b5f888194a76dd2d806d0b77ae81f5fd0262ede8f2b6153faaddbec3769

SHA512
b2779a769a66805b2ff61c708a5489ff0f0f6359e19faed1f20b2f7cc121638fa3a2c43eefcce405a62f08b0e71a4653abd4a900f20e547d598ec7faa9faf456

Download Submit
C:\Windows\System\RnZtrpn.exe

Filesize
5.2MB

MD5
dc311ffe59c837429d5ff5c34f335abf

SHA1
c8055c5ef318392a0714c4b366971a8eec3347ed

SHA256
fa81494dfc69716d9bec367ecf12dd7d43f889e5a9ce55629ba71767381fbd76

SHA512
74c6d7c46ab74744c35692ab6c55d18c3585e559974d8f7119f09e362394f20cfa81898de9838b4047ea0c857bd6fd56407204405c1ce6652f78dc6406815ca3

Download Submit
C:\Windows\System\THrlvXE.exe

Filesize
5.2MB

MD5
a869601359a49242d8b70e7a77ef2c1e

SHA1
0be8cc1a8a63603e27f83ee0c18ce7c2941b6333

SHA256
667ec5c7884212e9f2859edb22c7448ff63a1ea5f1b41ad04a6513bf59751378

SHA512
15881eee97a1c786d1a3170512f4a7118278fa403208737086cf2007c9616655789ef16f2cc5da0382a30f796aba09386208c5b14dace5d3ce9d65a32008d7a7

Download Submit
C:\Windows\System\XifoVBX.exe

Filesize
5.2MB

MD5
98431afb393b5f81c1b148eec3c4d09a

SHA1
c93ff6bca8d9c471db3f3f80adc08684a86ba82b

SHA256
8caaf6d5a8a8162b586bb8239adcbced7c93fc32d645083abf18b75884855177

SHA512
db8b60bf2a92d67f42aa9cf94cc78bd8d87b26716eb28ccf07167e2d2cce6885a4ce117b5bb59759d18c92de31da769fc5553a4159f7c259c08a60560627134d

Download Submit
C:\Windows\System\YHMxiAJ.exe

Filesize
5.2MB

MD5
32d60075e13f87183bd62453e328deb9

SHA1
6cdcf88dcfdd560b888c64a796b4346a6499ad57

SHA256
26144ea821f2fee2fc5284fc48287fd346a3c7c670c104bdcd818eaecd4761c8

SHA512
309bc6c7ff3fe4e667a069da916c17d0548050936e33adb15c0cf938147561bb92d35288c8f95b0da6e6cab6afa36b3a903db3e9e1ed08f4ee9c04c269b47841

Download Submit
C:\Windows\System\cAooReF.exe

Filesize
5.2MB

MD5
f07ac7d518d8e481247b50c89e653c1e

SHA1
4ca063498d6f0cf52861409164d7357a1b2193a2

SHA256
7ba54826ddd97c94e1279102f13ac9ad12751b4728c895252e2d2a225ddb2c22

SHA512
2c607fa0d8d5b8b41de4b49712ed4f8991cd1e25d5cd1ffd64083da85fa939b2fd4d6798f0187f8242e67e8f775f6d037e299fae0aa90701079e361ab3fd4c08

Download Submit
C:\Windows\System\daJOmse.exe

Filesize
5.2MB

MD5
2548f48326223e70ee3b58d3441663d8

SHA1
369890860e3db56fc6eaad22a2f73debb16a096d

SHA256
7c7c3b7e3305a778d11f2ed234cd3dd2b98725d14cc11ef36c7a9ea7ac700349

SHA512
dcfb226d5fb9fc9b2f3fe0d5264e11c03aa700713f5b4f9b3207f6d41e5aee958eacf35396a8cbb1101767699b9065fc4e16ad0a30e04948dc5c85808e62df58

Download Submit
C:\Windows\System\gQqvKhx.exe

Filesize
5.2MB

MD5
63f16759b26176d35bcfd932dd38b83b

SHA1
aa95f9cd2966170d2ebe2cdd0fd6790c37d6dcf1

SHA256
9b752311436d596f16d86e7a8bde40466243aa04f760b8381554134a7ac621f3

SHA512
6ad225cc745bf0daa8693fe5f28581cd065645f3ac0c62819ea8f2d251de8292ce46ba44fb0f781a5be5c81ff4cf8f543ac8f3b2ca07ee912a7d2ad7433b50c7

Download Submit
C:\Windows\System\glXLKUk.exe

Filesize
5.2MB

MD5
004deaa881e092a6fec107fa62d065e0

SHA1
5fc4fe955c4e40050a8fad51451d59bc809fea86

SHA256
7d10dabad2f2666280fcddebfcacedfbc0e497094c3651d6da4c742cbdec79f6

SHA512
62a331cafdafa8d8b9929d32cd8c2ebb0a5e9fb251239755590c445ad93face3f9a561a936cd88679e59cfd824066e29e65281a7a67d785400986fc850d8cf9f

Download Submit
C:\Windows\System\oqLQIAB.exe

Filesize
5.2MB

MD5
b55c47a4134169b5a375dfcef7c94a5c

SHA1
b69f66c37cce8b722e22caf1486c134eeed88994

SHA256
46495bf751afe532c0ccabd97b6341884173eef488547b986dbd6f2e71b03fa6

SHA512
e3b356ca2960005c71ca8c45f66b450e6fc54060bb477133c43437d6bdbb0a83e698bfc9bedc96465f5ad18a01a70894bcc984a92c33e94b2921851af58d0545

Download Submit
C:\Windows\System\peksqvI.exe

Filesize
5.2MB

MD5
ea34f9af3c03352a195059c252169bdf

SHA1
bc467c898f2eabc3a1916d5fe710bd9e78c44f6a

SHA256
dc53a48020e1fcd8f9b9ade02e7e02027377467ace6d4be22db11a179174f60a

SHA512
3b6e352c91e625973d8a65e981fa39906bfff12c2ac7e4e9563015fe64c3ab95ef90cd188f3f556181124e1e9d284ac787a9ef95603a8b1f806dd1afa2b02d7b

Download Submit
C:\Windows\System\rMEvEkf.exe

Filesize
5.2MB

MD5
d1a4aa059be313c3b0311c7496499161

SHA1
f03859ab03e5dba2b7cc99e9f25eecbc1daaf285

SHA256
a5ab2f82474265022e01e2ecf6607234fad82ba71f7c6814ba2fee3f4bff3e4c

SHA512
f146d90042b67fd667e6eda33b1f71d7fa83f489150f2bbee68a509f91c3b3659d18dec1fc7f558bf7c92800530decf517fe4f49abc243809b6ed179b8af8352

Download Submit
C:\Windows\System\tJRWcMa.exe

Filesize
5.2MB

MD5
f592cd9296ccc4d190207407d3db7a9a

SHA1
6eb4f9e38e46299f972885e84bc82b6f3fba3849

SHA256
80148c723380a3c1dcb96eddc49e2530dc83838e8dcc2bc5e410e13a8c191f84

SHA512
681b201b4d15e915a4d47a4bb4b7e4c438c1b1916da7e27929bc88e12661e4c0be2fe685b2f0c85be2d05cc036e40a7b59bbc4b9400662005e9dcd4ee6597695

Download Submit
C:\Windows\System\upmUUTo.exe

Filesize
5.2MB

MD5
7c468c3e13846ac2e8c6515ee53b28f0

SHA1
230c7ded768665ba11ade981ad166d905f0fbee8

SHA256
3ddaf27650d912326d010d1aa80d37936cb1547c784e884c5e05dd45519d22a8

SHA512
19bd9d150f730fbc0b2674133a420985a59c27f30293603261d9aa541506e6d08c1d34237544492d1208c5a94b78d59f8d866e70343ae202c32ab9a524ef516e

Download Submit
C:\Windows\System\vHpxRky.exe

Filesize
5.2MB

MD5
7fa01f302eb9319befe93acb3a36c130

SHA1
b4ef40dd4168c5ebf83115bf49a2d6a32eec2c0e

SHA256
b483e467607180dfa9021fe714060b5c7d056cac7e7dfff995e50ef600d186d7

SHA512
878deae6b80e075fb2441defab40348f48a21b81c3da4b5da27211a53f031ce41692672addef26be4417cfb898d97bc6841c383231eb90bec04e06e11834b487

Download Submit
C:\Windows\System\ztzKmaB.exe

Filesize
5.2MB

MD5
ff9a08a05ed3baed97fde638d1fc7425

SHA1
3c26e816000ad23c1cf2565aaae2781a006ef013

SHA256
195c08649c5e7115e274d9a052acec0b13132d38f580b7756ed279688a9c6c5e

SHA512
cf9d30233d25b7d7dcd49b0ab4e9fb25dba0316dde75ae5b5207c565344bae2b2c019cb012e34d8cc30375dd788deba9afe71c184897ef10ba6d5ad8c1e25fa6

Download Submit
memory/888-155-0x00007FF6FCB30000-0x00007FF6FCE81000-memory.dmp

Filesize
3.3MB

Download
memory/888-124-0x00007FF6FCB30000-0x00007FF6FCE81000-memory.dmp

Filesize
3.3MB

Download
memory/888-263-0x00007FF6FCB30000-0x00007FF6FCE81000-memory.dmp

Filesize
3.3MB

Download
memory/976-235-0x00007FF7C5C90000-0x00007FF7C5FE1000-memory.dmp

Filesize
3.3MB

Download
memory/976-128-0x00007FF7C5C90000-0x00007FF7C5FE1000-memory.dmp

Filesize
3.3MB

Download
memory/976-38-0x00007FF7C5C90000-0x00007FF7C5FE1000-memory.dmp

Filesize
3.3MB

Download
memory/1108-240-0x00007FF7727B0000-0x00007FF772B01000-memory.dmp

Filesize
3.3MB

Download
memory/1108-70-0x00007FF7727B0000-0x00007FF772B01000-memory.dmp

Filesize
3.3MB

Download
memory/1108-145-0x00007FF7727B0000-0x00007FF772B01000-memory.dmp

Filesize
3.3MB

Download
memory/1412-147-0x00007FF7848A0000-0x00007FF784BF1000-memory.dmp

Filesize
3.3MB

Download
memory/1412-260-0x00007FF7848A0000-0x00007FF784BF1000-memory.dmp

Filesize
3.3MB

Download
memory/1412-83-0x00007FF7848A0000-0x00007FF784BF1000-memory.dmp

Filesize
3.3MB

Download
memory/1556-15-0x00007FF69D940000-0x00007FF69DC91000-memory.dmp

Filesize
3.3MB

Download
memory/1556-211-0x00007FF69D940000-0x00007FF69DC91000-memory.dmp

Filesize
3.3MB

Download
memory/1556-98-0x00007FF69D940000-0x00007FF69DC91000-memory.dmp

Filesize
3.3MB

Download
memory/1620-224-0x00007FF6A11C0000-0x00007FF6A1511000-memory.dmp

Filesize
3.3MB

Download
memory/1620-36-0x00007FF6A11C0000-0x00007FF6A1511000-memory.dmp

Filesize
3.3MB

Download
memory/1752-26-0x00007FF7F1C60000-0x00007FF7F1FB1000-memory.dmp

Filesize
3.3MB

Download
memory/1752-115-0x00007FF7F1C60000-0x00007FF7F1FB1000-memory.dmp

Filesize
3.3MB

Download
memory/1752-213-0x00007FF7F1C60000-0x00007FF7F1FB1000-memory.dmp

Filesize
3.3MB

Download
memory/1860-154-0x00007FF705D50000-0x00007FF7060A1000-memory.dmp

Filesize
3.3MB

Download
memory/1860-133-0x00007FF705D50000-0x00007FF7060A1000-memory.dmp

Filesize
3.3MB

Download
memory/1860-261-0x00007FF705D50000-0x00007FF7060A1000-memory.dmp

Filesize
3.3MB

Download
memory/1960-209-0x00007FF60C250000-0x00007FF60C5A1000-memory.dmp

Filesize
3.3MB

Download
memory/1960-7-0x00007FF60C250000-0x00007FF60C5A1000-memory.dmp

Filesize
3.3MB

Download
memory/1960-92-0x00007FF60C250000-0x00007FF60C5A1000-memory.dmp

Filesize
3.3MB

Download
memory/2268-248-0x00007FF7864A0000-0x00007FF7867F1000-memory.dmp

Filesize
3.3MB

Download
memory/2268-123-0x00007FF7864A0000-0x00007FF7867F1000-memory.dmp

Filesize
3.3MB

Download
memory/3024-0-0x00007FF63F4A0000-0x00007FF63F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/3024-78-0x00007FF63F4A0000-0x00007FF63F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/3024-156-0x00007FF63F4A0000-0x00007FF63F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/3024-1-0x0000028A4B830000-0x0000028A4B840000-memory.dmp

Filesize
64KB

Download
memory/3024-134-0x00007FF63F4A0000-0x00007FF63F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/3160-253-0x00007FF6C8840000-0x00007FF6C8B91000-memory.dmp

Filesize
3.3MB

Download
memory/3160-148-0x00007FF6C8840000-0x00007FF6C8B91000-memory.dmp

Filesize
3.3MB

Download
memory/3160-99-0x00007FF6C8840000-0x00007FF6C8B91000-memory.dmp

Filesize
3.3MB

Download
memory/3624-113-0x00007FF634250000-0x00007FF6345A1000-memory.dmp

Filesize
3.3MB

Download
memory/3624-150-0x00007FF634250000-0x00007FF6345A1000-memory.dmp

Filesize
3.3MB

Download
memory/3624-246-0x00007FF634250000-0x00007FF6345A1000-memory.dmp

Filesize
3.3MB

Download
memory/3720-252-0x00007FF60F820000-0x00007FF60FB71000-memory.dmp

Filesize
3.3MB

Download
memory/3720-149-0x00007FF60F820000-0x00007FF60FB71000-memory.dmp

Filesize
3.3MB

Download
memory/3720-91-0x00007FF60F820000-0x00007FF60FB71000-memory.dmp

Filesize
3.3MB

Download
memory/3932-61-0x00007FF6582B0000-0x00007FF658601000-memory.dmp

Filesize
3.3MB

Download
memory/3932-144-0x00007FF6582B0000-0x00007FF658601000-memory.dmp

Filesize
3.3MB

Download
memory/3932-230-0x00007FF6582B0000-0x00007FF658601000-memory.dmp

Filesize
3.3MB

Download
memory/4016-143-0x00007FF744D70000-0x00007FF7450C1000-memory.dmp

Filesize
3.3MB

Download
memory/4016-233-0x00007FF744D70000-0x00007FF7450C1000-memory.dmp

Filesize
3.3MB

Download
memory/4016-53-0x00007FF744D70000-0x00007FF7450C1000-memory.dmp

Filesize
3.3MB

Download
memory/4408-116-0x00007FF766E00000-0x00007FF767151000-memory.dmp

Filesize
3.3MB

Download
memory/4408-30-0x00007FF766E00000-0x00007FF767151000-memory.dmp

Filesize
3.3MB

Download
memory/4408-228-0x00007FF766E00000-0x00007FF767151000-memory.dmp

Filesize
3.3MB

Download
memory/4512-257-0x00007FF6A4DF0000-0x00007FF6A5141000-memory.dmp

Filesize
3.3MB

Download
memory/4512-153-0x00007FF6A4DF0000-0x00007FF6A5141000-memory.dmp

Filesize
3.3MB

Download
memory/4512-127-0x00007FF6A4DF0000-0x00007FF6A5141000-memory.dmp

Filesize
3.3MB

Download
memory/4540-46-0x00007FF63CEF0000-0x00007FF63D241000-memory.dmp

Filesize
3.3MB

Download
memory/4540-237-0x00007FF63CEF0000-0x00007FF63D241000-memory.dmp

Filesize
3.3MB

Download
memory/4540-142-0x00007FF63CEF0000-0x00007FF63D241000-memory.dmp

Filesize
3.3MB

Download
memory/4664-238-0x00007FF6BBA20000-0x00007FF6BBD71000-memory.dmp

Filesize
3.3MB

Download
memory/4664-141-0x00007FF6BBA20000-0x00007FF6BBD71000-memory.dmp

Filesize
3.3MB

Download
memory/4664-42-0x00007FF6BBA20000-0x00007FF6BBD71000-memory.dmp

Filesize
3.3MB

Download
memory/4792-151-0x00007FF726D40000-0x00007FF727091000-memory.dmp

Filesize
3.3MB

Download
memory/4792-250-0x00007FF726D40000-0x00007FF727091000-memory.dmp

Filesize
3.3MB

Download
memory/4792-107-0x00007FF726D40000-0x00007FF727091000-memory.dmp

Filesize
3.3MB

Download
memory/4852-255-0x00007FF611800000-0x00007FF611B51000-memory.dmp

Filesize
3.3MB

Download
memory/4852-146-0x00007FF611800000-0x00007FF611B51000-memory.dmp

Filesize
3.3MB

Download
memory/4852-82-0x00007FF611800000-0x00007FF611B51000-memory.dmp

Filesize
3.3MB

Download