cobaltstrike | c4931b0c9169da8f10f0b5f9e93be3ab97b708f218ed08eecebac7d88fa5219e

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
29-06-2024 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

facbf4258598ba435cd254d9dd00270a
SHA1

3ff6c09a53c50e59901a70f38f98caee769f6f5d
SHA256

c4931b0c9169da8f10f0b5f9e93be3ab97b708f218ed08eecebac7d88fa5219e
SHA512

2fd047d266e18ecc91c8dd81563d5334b73fca5baa65c00eef9f18493afa2f6eafbe947bd7ac4662be59ef5b272b79a457be9ffa56eb49906bc1d852b1179962
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUs:Q+856utgpPF8u/7s

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\pVFVnBx.exe	cobalt_reflective_dll
C:\Windows\System\LbLJjZd.exe	cobalt_reflective_dll
C:\Windows\System\EAtZYgm.exe	cobalt_reflective_dll
C:\Windows\System\JiUgRBV.exe	cobalt_reflective_dll
C:\Windows\System\uqPBaZu.exe	cobalt_reflective_dll
C:\Windows\System\JpHzPmI.exe	cobalt_reflective_dll
C:\Windows\System\nrcJMmP.exe	cobalt_reflective_dll
C:\Windows\System\GCdPALE.exe	cobalt_reflective_dll
C:\Windows\System\gCQRnca.exe	cobalt_reflective_dll
C:\Windows\System\VqNNWAy.exe	cobalt_reflective_dll
C:\Windows\System\yPkriQW.exe	cobalt_reflective_dll
C:\Windows\System\KxmnWLo.exe	cobalt_reflective_dll
C:\Windows\System\KFDHgCH.exe	cobalt_reflective_dll
C:\Windows\System\pnPLTsL.exe	cobalt_reflective_dll
C:\Windows\System\MDTEtKa.exe	cobalt_reflective_dll
C:\Windows\System\COgCAhj.exe	cobalt_reflective_dll
C:\Windows\System\pZBgwYI.exe	cobalt_reflective_dll
C:\Windows\System\jGXyrnZ.exe	cobalt_reflective_dll
C:\Windows\System\nJiFnEG.exe	cobalt_reflective_dll
C:\Windows\System\sKDadii.exe	cobalt_reflective_dll
C:\Windows\System\DEHhtpq.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4656-0-0x00007FF68C950000-0x00007FF68CCA4000-memory.dmp	xmrig
C:\Windows\System\pVFVnBx.exe	xmrig
behavioral2/memory/1912-7-0x00007FF7C8180000-0x00007FF7C84D4000-memory.dmp	xmrig
C:\Windows\System\LbLJjZd.exe	xmrig
C:\Windows\System\EAtZYgm.exe	xmrig
behavioral2/memory/392-14-0x00007FF78EC90000-0x00007FF78EFE4000-memory.dmp	xmrig
behavioral2/memory/1692-22-0x00007FF6934C0000-0x00007FF693814000-memory.dmp	xmrig
C:\Windows\System\JiUgRBV.exe	xmrig
behavioral2/memory/3948-28-0x00007FF76E4E0000-0x00007FF76E834000-memory.dmp	xmrig
C:\Windows\System\uqPBaZu.exe	xmrig
behavioral2/memory/3092-33-0x00007FF6FE2E0000-0x00007FF6FE634000-memory.dmp	xmrig
C:\Windows\System\JpHzPmI.exe	xmrig
behavioral2/memory/4588-38-0x00007FF635C30000-0x00007FF635F84000-memory.dmp	xmrig
C:\Windows\System\nrcJMmP.exe	xmrig
behavioral2/memory/828-45-0x00007FF6C5A20000-0x00007FF6C5D74000-memory.dmp	xmrig
C:\Windows\System\GCdPALE.exe	xmrig
C:\Windows\System\gCQRnca.exe	xmrig
C:\Windows\System\VqNNWAy.exe	xmrig
C:\Windows\System\yPkriQW.exe	xmrig
behavioral2/memory/1912-72-0x00007FF7C8180000-0x00007FF7C84D4000-memory.dmp	xmrig
behavioral2/memory/1020-78-0x00007FF70C0E0000-0x00007FF70C434000-memory.dmp	xmrig
behavioral2/memory/392-82-0x00007FF78EC90000-0x00007FF78EFE4000-memory.dmp	xmrig
C:\Windows\System\KxmnWLo.exe	xmrig
behavioral2/memory/1032-79-0x00007FF63E2E0000-0x00007FF63E634000-memory.dmp	xmrig
C:\Windows\System\KFDHgCH.exe	xmrig
behavioral2/memory/4960-73-0x00007FF73CCC0000-0x00007FF73D014000-memory.dmp	xmrig
behavioral2/memory/4512-63-0x00007FF715FB0000-0x00007FF716304000-memory.dmp	xmrig
behavioral2/memory/4656-62-0x00007FF68C950000-0x00007FF68CCA4000-memory.dmp	xmrig
behavioral2/memory/3652-58-0x00007FF719550000-0x00007FF7198A4000-memory.dmp	xmrig
behavioral2/memory/1540-50-0x00007FF6B3BC0000-0x00007FF6B3F14000-memory.dmp	xmrig
C:\Windows\System\pnPLTsL.exe	xmrig
behavioral2/memory/4160-92-0x00007FF69FBF0000-0x00007FF69FF44000-memory.dmp	xmrig
C:\Windows\System\MDTEtKa.exe	xmrig
C:\Windows\System\COgCAhj.exe	xmrig
C:\Windows\System\pZBgwYI.exe	xmrig
behavioral2/memory/4496-116-0x00007FF6824C0000-0x00007FF682814000-memory.dmp	xmrig
C:\Windows\System\jGXyrnZ.exe	xmrig
C:\Windows\System\nJiFnEG.exe	xmrig
behavioral2/memory/2252-128-0x00007FF79FB50000-0x00007FF79FEA4000-memory.dmp	xmrig
behavioral2/memory/4512-129-0x00007FF715FB0000-0x00007FF716304000-memory.dmp	xmrig
behavioral2/memory/1808-127-0x00007FF69FC40000-0x00007FF69FF94000-memory.dmp	xmrig
behavioral2/memory/3652-125-0x00007FF719550000-0x00007FF7198A4000-memory.dmp	xmrig
behavioral2/memory/1540-124-0x00007FF6B3BC0000-0x00007FF6B3F14000-memory.dmp	xmrig
behavioral2/memory/4468-121-0x00007FF74D900000-0x00007FF74DC54000-memory.dmp	xmrig
behavioral2/memory/4208-112-0x00007FF7C86B0000-0x00007FF7C8A04000-memory.dmp	xmrig
behavioral2/memory/2116-105-0x00007FF643060000-0x00007FF6433B4000-memory.dmp	xmrig
C:\Windows\System\sKDadii.exe	xmrig
behavioral2/memory/3572-96-0x00007FF776D60000-0x00007FF7770B4000-memory.dmp	xmrig
C:\Windows\System\DEHhtpq.exe	xmrig
behavioral2/memory/4960-134-0x00007FF73CCC0000-0x00007FF73D014000-memory.dmp	xmrig
behavioral2/memory/1020-135-0x00007FF70C0E0000-0x00007FF70C434000-memory.dmp	xmrig
behavioral2/memory/1032-136-0x00007FF63E2E0000-0x00007FF63E634000-memory.dmp	xmrig
behavioral2/memory/3572-137-0x00007FF776D60000-0x00007FF7770B4000-memory.dmp	xmrig
behavioral2/memory/2116-138-0x00007FF643060000-0x00007FF6433B4000-memory.dmp	xmrig
behavioral2/memory/1808-139-0x00007FF69FC40000-0x00007FF69FF94000-memory.dmp	xmrig
behavioral2/memory/2252-140-0x00007FF79FB50000-0x00007FF79FEA4000-memory.dmp	xmrig
behavioral2/memory/1912-141-0x00007FF7C8180000-0x00007FF7C84D4000-memory.dmp	xmrig
behavioral2/memory/392-142-0x00007FF78EC90000-0x00007FF78EFE4000-memory.dmp	xmrig
behavioral2/memory/1692-143-0x00007FF6934C0000-0x00007FF693814000-memory.dmp	xmrig
behavioral2/memory/3948-144-0x00007FF76E4E0000-0x00007FF76E834000-memory.dmp	xmrig
behavioral2/memory/3092-145-0x00007FF6FE2E0000-0x00007FF6FE634000-memory.dmp	xmrig
behavioral2/memory/4588-146-0x00007FF635C30000-0x00007FF635F84000-memory.dmp	xmrig
behavioral2/memory/828-147-0x00007FF6C5A20000-0x00007FF6C5D74000-memory.dmp	xmrig
behavioral2/memory/1540-148-0x00007FF6B3BC0000-0x00007FF6B3F14000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

pVFVnBx.exeLbLJjZd.exeEAtZYgm.exeJiUgRBV.exeuqPBaZu.exeJpHzPmI.exenrcJMmP.exeGCdPALE.exegCQRnca.exeVqNNWAy.exeKFDHgCH.exeyPkriQW.exeKxmnWLo.exepnPLTsL.exeDEHhtpq.exeMDTEtKa.exesKDadii.exeCOgCAhj.exepZBgwYI.exejGXyrnZ.exenJiFnEG.exe

pid	process
1912	pVFVnBx.exe
392	LbLJjZd.exe
1692	EAtZYgm.exe
3948	JiUgRBV.exe
3092	uqPBaZu.exe
4588	JpHzPmI.exe
828	nrcJMmP.exe
1540	GCdPALE.exe
3652	gCQRnca.exe
4512	VqNNWAy.exe
4960	KFDHgCH.exe
1020	yPkriQW.exe
1032	KxmnWLo.exe
4160	pnPLTsL.exe
3572	DEHhtpq.exe
2116	MDTEtKa.exe
4208	sKDadii.exe
4496	COgCAhj.exe
4468	pZBgwYI.exe
1808	jGXyrnZ.exe
2252	nJiFnEG.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4656-0-0x00007FF68C950000-0x00007FF68CCA4000-memory.dmp	upx
C:\Windows\System\pVFVnBx.exe	upx
behavioral2/memory/1912-7-0x00007FF7C8180000-0x00007FF7C84D4000-memory.dmp	upx
C:\Windows\System\LbLJjZd.exe	upx
C:\Windows\System\EAtZYgm.exe	upx
behavioral2/memory/392-14-0x00007FF78EC90000-0x00007FF78EFE4000-memory.dmp	upx
behavioral2/memory/1692-22-0x00007FF6934C0000-0x00007FF693814000-memory.dmp	upx
C:\Windows\System\JiUgRBV.exe	upx
behavioral2/memory/3948-28-0x00007FF76E4E0000-0x00007FF76E834000-memory.dmp	upx
C:\Windows\System\uqPBaZu.exe	upx
behavioral2/memory/3092-33-0x00007FF6FE2E0000-0x00007FF6FE634000-memory.dmp	upx
C:\Windows\System\JpHzPmI.exe	upx
behavioral2/memory/4588-38-0x00007FF635C30000-0x00007FF635F84000-memory.dmp	upx
C:\Windows\System\nrcJMmP.exe	upx
behavioral2/memory/828-45-0x00007FF6C5A20000-0x00007FF6C5D74000-memory.dmp	upx
C:\Windows\System\GCdPALE.exe	upx
C:\Windows\System\gCQRnca.exe	upx
C:\Windows\System\VqNNWAy.exe	upx
C:\Windows\System\yPkriQW.exe	upx
behavioral2/memory/1912-72-0x00007FF7C8180000-0x00007FF7C84D4000-memory.dmp	upx
behavioral2/memory/1020-78-0x00007FF70C0E0000-0x00007FF70C434000-memory.dmp	upx
behavioral2/memory/392-82-0x00007FF78EC90000-0x00007FF78EFE4000-memory.dmp	upx
C:\Windows\System\KxmnWLo.exe	upx
behavioral2/memory/1032-79-0x00007FF63E2E0000-0x00007FF63E634000-memory.dmp	upx
C:\Windows\System\KFDHgCH.exe	upx
behavioral2/memory/4960-73-0x00007FF73CCC0000-0x00007FF73D014000-memory.dmp	upx
behavioral2/memory/4512-63-0x00007FF715FB0000-0x00007FF716304000-memory.dmp	upx
behavioral2/memory/4656-62-0x00007FF68C950000-0x00007FF68CCA4000-memory.dmp	upx
behavioral2/memory/3652-58-0x00007FF719550000-0x00007FF7198A4000-memory.dmp	upx
behavioral2/memory/1540-50-0x00007FF6B3BC0000-0x00007FF6B3F14000-memory.dmp	upx
C:\Windows\System\pnPLTsL.exe	upx
behavioral2/memory/4160-92-0x00007FF69FBF0000-0x00007FF69FF44000-memory.dmp	upx
C:\Windows\System\MDTEtKa.exe	upx
C:\Windows\System\COgCAhj.exe	upx
C:\Windows\System\pZBgwYI.exe	upx
behavioral2/memory/4496-116-0x00007FF6824C0000-0x00007FF682814000-memory.dmp	upx
C:\Windows\System\jGXyrnZ.exe	upx
C:\Windows\System\nJiFnEG.exe	upx
behavioral2/memory/2252-128-0x00007FF79FB50000-0x00007FF79FEA4000-memory.dmp	upx
behavioral2/memory/4512-129-0x00007FF715FB0000-0x00007FF716304000-memory.dmp	upx
behavioral2/memory/1808-127-0x00007FF69FC40000-0x00007FF69FF94000-memory.dmp	upx
behavioral2/memory/3652-125-0x00007FF719550000-0x00007FF7198A4000-memory.dmp	upx
behavioral2/memory/1540-124-0x00007FF6B3BC0000-0x00007FF6B3F14000-memory.dmp	upx
behavioral2/memory/4468-121-0x00007FF74D900000-0x00007FF74DC54000-memory.dmp	upx
behavioral2/memory/4208-112-0x00007FF7C86B0000-0x00007FF7C8A04000-memory.dmp	upx
behavioral2/memory/2116-105-0x00007FF643060000-0x00007FF6433B4000-memory.dmp	upx
C:\Windows\System\sKDadii.exe	upx
behavioral2/memory/3572-96-0x00007FF776D60000-0x00007FF7770B4000-memory.dmp	upx
C:\Windows\System\DEHhtpq.exe	upx
behavioral2/memory/4960-134-0x00007FF73CCC0000-0x00007FF73D014000-memory.dmp	upx
behavioral2/memory/1020-135-0x00007FF70C0E0000-0x00007FF70C434000-memory.dmp	upx
behavioral2/memory/1032-136-0x00007FF63E2E0000-0x00007FF63E634000-memory.dmp	upx
behavioral2/memory/3572-137-0x00007FF776D60000-0x00007FF7770B4000-memory.dmp	upx
behavioral2/memory/2116-138-0x00007FF643060000-0x00007FF6433B4000-memory.dmp	upx
behavioral2/memory/1808-139-0x00007FF69FC40000-0x00007FF69FF94000-memory.dmp	upx
behavioral2/memory/2252-140-0x00007FF79FB50000-0x00007FF79FEA4000-memory.dmp	upx
behavioral2/memory/1912-141-0x00007FF7C8180000-0x00007FF7C84D4000-memory.dmp	upx
behavioral2/memory/392-142-0x00007FF78EC90000-0x00007FF78EFE4000-memory.dmp	upx
behavioral2/memory/1692-143-0x00007FF6934C0000-0x00007FF693814000-memory.dmp	upx
behavioral2/memory/3948-144-0x00007FF76E4E0000-0x00007FF76E834000-memory.dmp	upx
behavioral2/memory/3092-145-0x00007FF6FE2E0000-0x00007FF6FE634000-memory.dmp	upx
behavioral2/memory/4588-146-0x00007FF635C30000-0x00007FF635F84000-memory.dmp	upx
behavioral2/memory/828-147-0x00007FF6C5A20000-0x00007FF6C5D74000-memory.dmp	upx
behavioral2/memory/1540-148-0x00007FF6B3BC0000-0x00007FF6B3F14000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\LbLJjZd.exe	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GCdPALE.exe	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VqNNWAy.exe	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yPkriQW.exe	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pnPLTsL.exe	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\COgCAhj.exe	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pZBgwYI.exe	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pVFVnBx.exe	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JiUgRBV.exe	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JpHzPmI.exe	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nrcJMmP.exe	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DEHhtpq.exe	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MDTEtKa.exe	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nJiFnEG.exe	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uqPBaZu.exe	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KFDHgCH.exe	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sKDadii.exe	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EAtZYgm.exe	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gCQRnca.exe	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KxmnWLo.exe	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jGXyrnZ.exe	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 4656 wrote to memory of 1912	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	pVFVnBx.exe
PID 4656 wrote to memory of 1912	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	pVFVnBx.exe
PID 4656 wrote to memory of 392	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	LbLJjZd.exe
PID 4656 wrote to memory of 392	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	LbLJjZd.exe
PID 4656 wrote to memory of 1692	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	EAtZYgm.exe
PID 4656 wrote to memory of 1692	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	EAtZYgm.exe
PID 4656 wrote to memory of 3948	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	JiUgRBV.exe
PID 4656 wrote to memory of 3948	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	JiUgRBV.exe
PID 4656 wrote to memory of 3092	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	uqPBaZu.exe
PID 4656 wrote to memory of 3092	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	uqPBaZu.exe
PID 4656 wrote to memory of 4588	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	JpHzPmI.exe
PID 4656 wrote to memory of 4588	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	JpHzPmI.exe
PID 4656 wrote to memory of 828	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	nrcJMmP.exe
PID 4656 wrote to memory of 828	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	nrcJMmP.exe
PID 4656 wrote to memory of 1540	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	GCdPALE.exe
PID 4656 wrote to memory of 1540	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	GCdPALE.exe
PID 4656 wrote to memory of 3652	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	gCQRnca.exe
PID 4656 wrote to memory of 3652	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	gCQRnca.exe
PID 4656 wrote to memory of 4512	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	VqNNWAy.exe
PID 4656 wrote to memory of 4512	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	VqNNWAy.exe
PID 4656 wrote to memory of 4960	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	KFDHgCH.exe
PID 4656 wrote to memory of 4960	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	KFDHgCH.exe
PID 4656 wrote to memory of 1020	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	yPkriQW.exe
PID 4656 wrote to memory of 1020	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	yPkriQW.exe
PID 4656 wrote to memory of 1032	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	KxmnWLo.exe
PID 4656 wrote to memory of 1032	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	KxmnWLo.exe
PID 4656 wrote to memory of 4160	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	pnPLTsL.exe
PID 4656 wrote to memory of 4160	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	pnPLTsL.exe
PID 4656 wrote to memory of 3572	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	DEHhtpq.exe
PID 4656 wrote to memory of 3572	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	DEHhtpq.exe
PID 4656 wrote to memory of 2116	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	MDTEtKa.exe
PID 4656 wrote to memory of 2116	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	MDTEtKa.exe
PID 4656 wrote to memory of 4208	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	sKDadii.exe
PID 4656 wrote to memory of 4208	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	sKDadii.exe
PID 4656 wrote to memory of 4496	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	COgCAhj.exe
PID 4656 wrote to memory of 4496	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	COgCAhj.exe
PID 4656 wrote to memory of 4468	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	pZBgwYI.exe
PID 4656 wrote to memory of 4468	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	pZBgwYI.exe
PID 4656 wrote to memory of 1808	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	jGXyrnZ.exe
PID 4656 wrote to memory of 1808	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	jGXyrnZ.exe
PID 4656 wrote to memory of 2252	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	nJiFnEG.exe
PID 4656 wrote to memory of 2252	4656	2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe	nJiFnEG.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\System\pVFVnBx.exe
C:\Windows\System\pVFVnBx.exe
2⤵
- Executes dropped EXE
PID:1912

C:\Windows\System\LbLJjZd.exe
C:\Windows\System\LbLJjZd.exe
2⤵
- Executes dropped EXE
PID:392

C:\Windows\System\EAtZYgm.exe
C:\Windows\System\EAtZYgm.exe
2⤵
- Executes dropped EXE
PID:1692

C:\Windows\System\JiUgRBV.exe
C:\Windows\System\JiUgRBV.exe
2⤵
- Executes dropped EXE
PID:3948

C:\Windows\System\uqPBaZu.exe
C:\Windows\System\uqPBaZu.exe
2⤵
- Executes dropped EXE
PID:3092

C:\Windows\System\JpHzPmI.exe
C:\Windows\System\JpHzPmI.exe
2⤵
- Executes dropped EXE
PID:4588

C:\Windows\System\nrcJMmP.exe
C:\Windows\System\nrcJMmP.exe
2⤵
- Executes dropped EXE
PID:828

C:\Windows\System\GCdPALE.exe
C:\Windows\System\GCdPALE.exe
2⤵
- Executes dropped EXE
PID:1540

C:\Windows\System\gCQRnca.exe
C:\Windows\System\gCQRnca.exe
2⤵
- Executes dropped EXE
PID:3652

C:\Windows\System\VqNNWAy.exe
C:\Windows\System\VqNNWAy.exe
2⤵
- Executes dropped EXE
PID:4512

C:\Windows\System\KFDHgCH.exe
C:\Windows\System\KFDHgCH.exe
2⤵
- Executes dropped EXE
PID:4960

C:\Windows\System\yPkriQW.exe
C:\Windows\System\yPkriQW.exe
2⤵
- Executes dropped EXE
PID:1020

C:\Windows\System\KxmnWLo.exe
C:\Windows\System\KxmnWLo.exe
2⤵
- Executes dropped EXE
PID:1032

C:\Windows\System\pnPLTsL.exe
C:\Windows\System\pnPLTsL.exe
2⤵
- Executes dropped EXE
PID:4160

C:\Windows\System\DEHhtpq.exe
C:\Windows\System\DEHhtpq.exe
2⤵
- Executes dropped EXE
PID:3572

C:\Windows\System\MDTEtKa.exe
C:\Windows\System\MDTEtKa.exe
2⤵
- Executes dropped EXE
PID:2116

C:\Windows\System\sKDadii.exe
C:\Windows\System\sKDadii.exe
2⤵
- Executes dropped EXE
PID:4208

C:\Windows\System\COgCAhj.exe
C:\Windows\System\COgCAhj.exe
2⤵
- Executes dropped EXE
PID:4496

C:\Windows\System\pZBgwYI.exe
C:\Windows\System\pZBgwYI.exe
2⤵
- Executes dropped EXE
PID:4468

C:\Windows\System\jGXyrnZ.exe
C:\Windows\System\jGXyrnZ.exe
2⤵
- Executes dropped EXE
PID:1808

C:\Windows\System\nJiFnEG.exe
C:\Windows\System\nJiFnEG.exe
2⤵
- Executes dropped EXE
PID:2252

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\COgCAhj.exe
Filesize
5.9MB

MD5
b7c6e641a96cc5ac471dc908cb945861

SHA1
e9a67770284f2b97b5381bda11f271c3aa14e8a4

SHA256
f8c228888b0966029f0b88ddab9a13e298c0ab4a6210ad285ca7daac42928d00

SHA512
ea746377d65706edfc10429c969f57e9716a6f9dc74cae2465a3e4f103d88cbe35c91f568f7cb8fe47399e412c12aca5d9a1307e62190dbfe562dc0148fc9606

Download Submit
C:\Windows\System\DEHhtpq.exe
Filesize
5.9MB

MD5
eb83ff4b7c34c75b39773db4d4b9ad22

SHA1
70e632a22ada4eb9a52c1a3032b49dc919b0a19c

SHA256
6f0a2cf73ef7e2e87c5b982d1a6229fd9b83f093fea65ae65b0d9d8f3f5e17ed

SHA512
7c882e7328c25f268444730c740611f232bb6e6366142bba1468a53b85f10d71e2f87b16dd57768d3b028430055879a4abd17f8ac70d9c1ad4551ca6ed35f5a8

Download Submit
C:\Windows\System\EAtZYgm.exe
Filesize
5.9MB

MD5
2a4128de3f58a330f9b7271e020fd67d

SHA1
2e5a0f42ca90732e702097f90c068d5d1d7c013c

SHA256
44edbe91e877bdd5697db7a94ffb8ab2b789f6040c3afe5092580d27a565244b

SHA512
0da927d6906a0d4ddf42a3de3b4b62ca01c3361d1b342641f53aac630d542c94c67049cc0258be4e136d9e0beb9a1d0aceec962be2740e23442fb99e5b7125df

Download Submit
C:\Windows\System\GCdPALE.exe
Filesize
5.9MB

MD5
d49203160f3fb2fe99b88c6b9ba0ef04

SHA1
7dcd9180b60006814e9fd47b2b583393115b7b17

SHA256
e4fbc815134b15f1e887e2438e0893da932397b0c6ad0010125932275f80c227

SHA512
50269cfe1c9c91fbc61e0998fd27dd918eac937d52f0f3cabf3fde94cb30e5b1df83c98be2c91b3eddc70399180f5aa201692a95384344d0854c0ce11233cca7

Download Submit
C:\Windows\System\JiUgRBV.exe
Filesize
5.9MB

MD5
66f4d81e853e1dbe339c6816df0f3e5e

SHA1
69b3757299a6bfa1161e9e9963b697d0d618dcce

SHA256
b96b510156e20145187548be01f6d13244663999e14bf9a3dc61eb3652e6baa5

SHA512
c477bdfc92f1c7704f095b7f36b0e32dc65569e5a36233ebf5d0a4ad3faf268490b34fc806a3d0b17625577b81fa9d6e12a2612bd64cec9ec617a4aa2de637da

Download Submit
C:\Windows\System\JpHzPmI.exe
Filesize
5.9MB

MD5
87e96e8e6301c36e3d8c591da0961a56

SHA1
a654bd2e84cbc3af6b0ad4628897620320f19c78

SHA256
830fa537ee2d356fedb8387e25daf401569a7a4687ad8e72c791173c188521c0

SHA512
d0aa6fc64c9bafe0821217e2316363f22509fe38c44ab98fc7cac66ce5eeebfdc8ee58f5bc96667b6b053cd7c732acb4872d2ad9a0309de4ea6e5f8c245c5494

Download Submit
C:\Windows\System\KFDHgCH.exe
Filesize
5.9MB

MD5
3af1ddfd18b4ecd47b19297aeabc893c

SHA1
a10f718afd4f32b1fea11526f2cb52431369efc1

SHA256
5bc913fafee7b55fda1accdffa58e5b786a52137f5f15ce8e474a36c64ea1db0

SHA512
6c25d98d9e737b961d68469e5736dd0d394399664818f281aa6e1a07b17ef1da290d74d041abf6c14a8fcf0e9e250a8bd64bac2668a40c4bb36091944ae52d09

Download Submit
C:\Windows\System\KxmnWLo.exe
Filesize
5.9MB

MD5
4cfa7ef7f7c5ac0f1b74cbfed5f1fefb

SHA1
3976d5845d4d0a9307ba734e148d11556b2c685d

SHA256
530260916d149b2235950919b83529e3ee6ec84aac93c8f6572bd716cfc7a8fc

SHA512
fac3766408190cf68759c1b040079179e8d7527dbe50fb07739df541f5de16fc487cbe62da17ed31875235cac2d65ec23003f7900fb80e367cc4d1dfd2b60da8

Download Submit
C:\Windows\System\LbLJjZd.exe
Filesize
5.9MB

MD5
393bcdd69f0a17c58320bb13c7a49a24

SHA1
8ed3ed6ea37c878920637156da9b8f75b460e7de

SHA256
916c2594325dfa58b65a79133aa4f1f3a47acdfd0a08ce24da858a1bcb110c3b

SHA512
c38608cab6cc2c4707baa2782f82a63776845403e6d5efece976e23ce3aacb36f34ade2745c162a4fa07a0df5d71b8995f300d09d1a85e39c3a54bbef45f1d66

Download Submit
C:\Windows\System\MDTEtKa.exe
Filesize
5.9MB

MD5
199fcbd5ad1b9686d080282846ebb5ea

SHA1
36edf29efedf3c1f650d925b9e9f2629d1cd5766

SHA256
d895f3e741c79ec9031020b68c89bf2da3017c5a16a545606a2d84b6e683d8d2

SHA512
dc8ff0979e089102a2ccf63754359cfd00b742924884fcff92195648fa4e87d763bd624d6524475f9bf40d7761e8b6643aef09639bc7361979442901aaecd2b4

Download Submit
C:\Windows\System\VqNNWAy.exe
Filesize
5.9MB

MD5
41f04889c933a49a45a95735753d135b

SHA1
02f278281a669a45da128f970e4ea8bf1a0ddb33

SHA256
1af0a6c9b359c05607fa670368dbc735633c4c099f3066cc330a694a9d2d78e1

SHA512
690f636f1e0e8f363f8375306e293988c2d76286b1897d285a3e4767d6f3d7d974b81f1b0f320d328d59fc86c5955cf16b71dc79c9e95c7a1dbb6b799f4158e7

Download Submit
C:\Windows\System\gCQRnca.exe
Filesize
5.9MB

MD5
51a184102a353690074dca64207f4282

SHA1
1e2c9fbb5b525985a93b05d93096b47a8e058afb

SHA256
7f8cd6d70ac4c43ba5bb3749e40305f520a11a010cf9601e556c6efc4575992b

SHA512
725c700c2190492df95ebeef5281263b892d23c94e431090bc72f049e11450cad12e44b0a0c9f6a9f86908b0b9532701a6c9ac73d180a69b0aad79add6dd89e7

Download Submit
C:\Windows\System\jGXyrnZ.exe
Filesize
5.9MB

MD5
78e836fed31e7f094ab868b12397d9bd

SHA1
5b5f370a2dbe0aafa3b1151ddde2304be5df739f

SHA256
a169bd3f7225f2a408d70303bd9d028d4b70576a4bfadd37952a4146af6d6127

SHA512
a0328de15042581c2e2f53dd3219d1d1ae245d06893027b270d845dbe42ca2f34d62612a6f1c60ee84cd0942e131f5ed8faf8dae3390b9dbf2fd0ef2d837bfa8

Download Submit
C:\Windows\System\nJiFnEG.exe
Filesize
5.9MB

MD5
3d874dcc0e7ef7a861ac5993bade7aef

SHA1
a60a5bad5deeb922e16c4794e03ed8cb9fe7ae15

SHA256
f1cc7ac401b903c4e40fc67e37331d52ec49ef68c48834e9a06fdb2fa4989865

SHA512
0ea03321fb054ba3defa9297c22bef80942f5f3e49e2893637cd0ec7ad10ccd12bac0e071b02811d63a5df53bcdc438a087d2acc325c91a18cfa92c2be3a017a

Download Submit
C:\Windows\System\nrcJMmP.exe
Filesize
5.9MB

MD5
1696ba875fd731db368e3a5b93e14343

SHA1
43116988fcb1f60e126329cec2bca87093dcdc24

SHA256
9774320237e96520097acf1155cddd95789642b24f2f38f5f4e8492c3f613636

SHA512
b9a6740667185710727662a498dba55e6be8de90ce7fa5b65950c04bb666500520ce9da3f8cfade8843f3d0a6ed0941dc77d899860a9a422dfd6cd14569f803d

Download Submit
C:\Windows\System\pVFVnBx.exe
Filesize
5.9MB

MD5
0cb8236fa760807baf70dfb52e810fcc

SHA1
92bcd12ba5211aadcfeff1f8bcc4684bc965cb7b

SHA256
eb5cddbd9fdcf864d80c63096865da7c29940479d497027f5801b5057dd17fb1

SHA512
ef717dafe3adecd4c377aaa40a7dc3707f495447f7180ee4ad00987c2fdf0dd71cf328b95004385ce61147feea8e9956b2da02de17ef11d2fa0f814a447cd5fa

Download Submit
C:\Windows\System\pZBgwYI.exe
Filesize
5.9MB

MD5
17072263cd5231ae3a43267230a732ab

SHA1
04523bb50aad4e95058ccd2e25daa529c39ec0f7

SHA256
30d4075ce85b427dc87642d69be7d5f802fd010d6a701b0c15b47229833e98bd

SHA512
bf2f9192fd270ddb410d7c0a8eb0a564c12b071a1979d0c8335a07cbac3c10cc30366fac5ec5b00c4150cba84ef5cb406af728ee7ca6f7ae37ff88c896274ab7

Download Submit
C:\Windows\System\pnPLTsL.exe
Filesize
5.9MB

MD5
a60911704dc961348a94596e47ecf61c

SHA1
cbc7d93725d1011c72cf399ed18e624d3cfe4099

SHA256
465d9954a11a6bd0acdfc91ed25926ce748a8f3f8f652eccf0e982a46285da4b

SHA512
08f01106b2fd5f6cd641cab857c63e8396db54de8edc4248e6536233ca385eb375c5b038b99a0c141bf4b93d6d88fa8535e478c9d2740638fe537584de2ac359

Download Submit
C:\Windows\System\sKDadii.exe
Filesize
5.9MB

MD5
8e2713b04b3c4ec0fdd5d772e6eb62e5

SHA1
3f0a1c0bf1f07a4a80511ac29962e34ed83cd29b

SHA256
951c08882e255f0be9f13d9689f0ac903673764908fe48d5802927d6431076a8

SHA512
8ce56d38c958ced2e1eaf0af69aad6e61ad3a6fdb59eb3ddd8c803b4b9a25e65086d236b7a1725abb31e0bc978654167bb66beae6db7fadcff7bfcc037cd9623

Download Submit
C:\Windows\System\uqPBaZu.exe
Filesize
5.9MB

MD5
f654450369542b9308a5d8e5d342f2fe

SHA1
e4757071c965536e34a120f48d38c48c3a95a51e

SHA256
e4e15d95d06879464b20203de427a58d696a83e019cc75998373b6c7a0cbf5c5

SHA512
da70d57e563cfb18c70ce84ab12e7c788fa05c885ff386e83d4fc5a8d97f94e76128193dba771f26fe38d8ef792a94e37f032bc0f9d2946b53976e4d2bd97fab

Download Submit
C:\Windows\System\yPkriQW.exe
Filesize
5.9MB

MD5
9507f5a39180c1c4d2661f0ab6ad018a

SHA1
411fc4fd24d7ea4c3244e0064755d8006c5b1ac2

SHA256
8af81b4a2a52e273af2d4d5c5329e143586eba0bc482a05f2d92bdeaa4ed8fdf

SHA512
961438d62ba77a16ad1216c5b84a7bf6324a9c59cdf62d9789d7abfffe4d8f5f442b62410e0929ac1f9a3d68763450c38a2fc996ec81afd799a19d6e5f886f5d

Download Submit
memory/392-82-0x00007FF78EC90000-0x00007FF78EFE4000-memory.dmp

Filesize
3.3MB

Download
memory/392-14-0x00007FF78EC90000-0x00007FF78EFE4000-memory.dmp

Filesize
3.3MB

Download
memory/392-142-0x00007FF78EC90000-0x00007FF78EFE4000-memory.dmp

Filesize
3.3MB

Download
memory/828-45-0x00007FF6C5A20000-0x00007FF6C5D74000-memory.dmp

Filesize
3.3MB

Download
memory/828-147-0x00007FF6C5A20000-0x00007FF6C5D74000-memory.dmp

Filesize
3.3MB

Download
memory/1020-78-0x00007FF70C0E0000-0x00007FF70C434000-memory.dmp

Filesize
3.3MB

Download
memory/1020-135-0x00007FF70C0E0000-0x00007FF70C434000-memory.dmp

Filesize
3.3MB

Download
memory/1020-151-0x00007FF70C0E0000-0x00007FF70C434000-memory.dmp

Filesize
3.3MB

Download
memory/1032-136-0x00007FF63E2E0000-0x00007FF63E634000-memory.dmp

Filesize
3.3MB

Download
memory/1032-153-0x00007FF63E2E0000-0x00007FF63E634000-memory.dmp

Filesize
3.3MB

Download
memory/1032-79-0x00007FF63E2E0000-0x00007FF63E634000-memory.dmp

Filesize
3.3MB

Download
memory/1540-50-0x00007FF6B3BC0000-0x00007FF6B3F14000-memory.dmp

Filesize
3.3MB

Download
memory/1540-148-0x00007FF6B3BC0000-0x00007FF6B3F14000-memory.dmp

Filesize
3.3MB

Download
memory/1540-124-0x00007FF6B3BC0000-0x00007FF6B3F14000-memory.dmp

Filesize
3.3MB

Download
memory/1692-143-0x00007FF6934C0000-0x00007FF693814000-memory.dmp

Filesize
3.3MB

Download
memory/1692-22-0x00007FF6934C0000-0x00007FF693814000-memory.dmp

Filesize
3.3MB

Download
memory/1808-139-0x00007FF69FC40000-0x00007FF69FF94000-memory.dmp

Filesize
3.3MB

Download
memory/1808-161-0x00007FF69FC40000-0x00007FF69FF94000-memory.dmp

Filesize
3.3MB

Download
memory/1808-127-0x00007FF69FC40000-0x00007FF69FF94000-memory.dmp

Filesize
3.3MB

Download
memory/1912-141-0x00007FF7C8180000-0x00007FF7C84D4000-memory.dmp

Filesize
3.3MB

Download
memory/1912-72-0x00007FF7C8180000-0x00007FF7C84D4000-memory.dmp

Filesize
3.3MB

Download
memory/1912-7-0x00007FF7C8180000-0x00007FF7C84D4000-memory.dmp

Filesize
3.3MB

Download
memory/2116-105-0x00007FF643060000-0x00007FF6433B4000-memory.dmp

Filesize
3.3MB

Download
memory/2116-138-0x00007FF643060000-0x00007FF6433B4000-memory.dmp

Filesize
3.3MB

Download
memory/2116-159-0x00007FF643060000-0x00007FF6433B4000-memory.dmp

Filesize
3.3MB

Download
memory/2252-128-0x00007FF79FB50000-0x00007FF79FEA4000-memory.dmp

Filesize
3.3MB

Download
memory/2252-160-0x00007FF79FB50000-0x00007FF79FEA4000-memory.dmp

Filesize
3.3MB

Download
memory/2252-140-0x00007FF79FB50000-0x00007FF79FEA4000-memory.dmp

Filesize
3.3MB

Download
memory/3092-145-0x00007FF6FE2E0000-0x00007FF6FE634000-memory.dmp

Filesize
3.3MB

Download
memory/3092-33-0x00007FF6FE2E0000-0x00007FF6FE634000-memory.dmp

Filesize
3.3MB

Download
memory/3572-96-0x00007FF776D60000-0x00007FF7770B4000-memory.dmp

Filesize
3.3MB

Download
memory/3572-137-0x00007FF776D60000-0x00007FF7770B4000-memory.dmp

Filesize
3.3MB

Download
memory/3572-155-0x00007FF776D60000-0x00007FF7770B4000-memory.dmp

Filesize
3.3MB

Download
memory/3652-125-0x00007FF719550000-0x00007FF7198A4000-memory.dmp

Filesize
3.3MB

Download
memory/3652-149-0x00007FF719550000-0x00007FF7198A4000-memory.dmp

Filesize
3.3MB

Download
memory/3652-58-0x00007FF719550000-0x00007FF7198A4000-memory.dmp

Filesize
3.3MB

Download
memory/3948-28-0x00007FF76E4E0000-0x00007FF76E834000-memory.dmp

Filesize
3.3MB

Download
memory/3948-144-0x00007FF76E4E0000-0x00007FF76E834000-memory.dmp

Filesize
3.3MB

Download
memory/4160-92-0x00007FF69FBF0000-0x00007FF69FF44000-memory.dmp

Filesize
3.3MB

Download
memory/4160-154-0x00007FF69FBF0000-0x00007FF69FF44000-memory.dmp

Filesize
3.3MB

Download
memory/4208-112-0x00007FF7C86B0000-0x00007FF7C8A04000-memory.dmp

Filesize
3.3MB

Download
memory/4208-156-0x00007FF7C86B0000-0x00007FF7C8A04000-memory.dmp

Filesize
3.3MB

Download
memory/4468-158-0x00007FF74D900000-0x00007FF74DC54000-memory.dmp

Filesize
3.3MB

Download
memory/4468-121-0x00007FF74D900000-0x00007FF74DC54000-memory.dmp

Filesize
3.3MB

Download
memory/4496-157-0x00007FF6824C0000-0x00007FF682814000-memory.dmp

Filesize
3.3MB

Download
memory/4496-116-0x00007FF6824C0000-0x00007FF682814000-memory.dmp

Filesize
3.3MB

Download
memory/4512-150-0x00007FF715FB0000-0x00007FF716304000-memory.dmp

Filesize
3.3MB

Download
memory/4512-129-0x00007FF715FB0000-0x00007FF716304000-memory.dmp

Filesize
3.3MB

Download
memory/4512-63-0x00007FF715FB0000-0x00007FF716304000-memory.dmp

Filesize
3.3MB

Download
memory/4588-38-0x00007FF635C30000-0x00007FF635F84000-memory.dmp

Filesize
3.3MB

Download
memory/4588-146-0x00007FF635C30000-0x00007FF635F84000-memory.dmp

Filesize
3.3MB

Download
memory/4656-62-0x00007FF68C950000-0x00007FF68CCA4000-memory.dmp

Filesize
3.3MB

Download
memory/4656-1-0x000001E0951C0000-0x000001E0951D0000-memory.dmp

Filesize
64KB

Download
memory/4656-0-0x00007FF68C950000-0x00007FF68CCA4000-memory.dmp

Filesize
3.3MB

Download
memory/4960-152-0x00007FF73CCC0000-0x00007FF73D014000-memory.dmp

Filesize
3.3MB

Download
memory/4960-134-0x00007FF73CCC0000-0x00007FF73D014000-memory.dmp

Filesize
3.3MB

Download
memory/4960-73-0x00007FF73CCC0000-0x00007FF73D014000-memory.dmp

Filesize
3.3MB

Download