cobaltstrike | 256a6694427a368e630801789b5fb52e3d99719f3fb7bbda904fbd56769586a6

Analysis

max time kernel
142s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 10:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

f0dbce2a9ee77cc36d383f5d622231bc
SHA1

35f451a6f446662ca30d2f55bcf99fae597a56b7
SHA256

256a6694427a368e630801789b5fb52e3d99719f3fb7bbda904fbd56769586a6
SHA512

2cd8257bf6c2b78995ff0a5cf5fbd3b87f6350b922661622b9a6ffd4aed8306d6644bc3012709695382077133554a58bd5b4a395f2ff754d8e708ab527d5cf2b
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lE:RWWBibf56utgpPFotBER/mQ32lUA

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
behavioral1/files/0x000a00000001225a-3.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016c81-10.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016c89-16.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d33-28.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016cf8-39.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016b17-29.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000019408-67.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194a7-77.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019494-72.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000016db3-65.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d46-50.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016d4a-57.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194b4-95.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194e2-115.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194da-112.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194d4-108.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194ea-118.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194f2-125.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000194f6-128.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019501-136.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019503-139.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 42 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2180-19-0x000000013F470000-0x000000013F7C1000-memory.dmp	xmrig
behavioral1/memory/2696-42-0x000000013FB80000-0x000000013FED1000-memory.dmp	xmrig
behavioral1/memory/2340-45-0x000000013FF20000-0x0000000140271000-memory.dmp	xmrig
behavioral1/memory/2800-44-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/2836-43-0x000000013FD50000-0x00000001400A1000-memory.dmp	xmrig
behavioral1/memory/2340-38-0x0000000002310000-0x0000000002661000-memory.dmp	xmrig
behavioral1/memory/2712-36-0x000000013FB30000-0x000000013FE81000-memory.dmp	xmrig
behavioral1/memory/2032-54-0x000000013F1D0000-0x000000013F521000-memory.dmp	xmrig
behavioral1/memory/2180-58-0x000000013F470000-0x000000013F7C1000-memory.dmp	xmrig
behavioral1/memory/2872-85-0x000000013F820000-0x000000013FB71000-memory.dmp	xmrig
behavioral1/memory/2340-89-0x0000000002310000-0x0000000002661000-memory.dmp	xmrig
behavioral1/memory/1988-90-0x000000013FDB0000-0x0000000140101000-memory.dmp	xmrig
behavioral1/memory/2616-92-0x000000013FE00000-0x0000000140151000-memory.dmp	xmrig
behavioral1/memory/1928-111-0x000000013F9B0000-0x000000013FD01000-memory.dmp	xmrig
behavioral1/memory/2724-99-0x000000013FD60000-0x00000001400B1000-memory.dmp	xmrig
behavioral1/memory/1840-142-0x000000013F260000-0x000000013F5B1000-memory.dmp	xmrig
behavioral1/memory/2340-143-0x000000013FF20000-0x0000000140271000-memory.dmp	xmrig
behavioral1/memory/2652-146-0x000000013FA30000-0x000000013FD81000-memory.dmp	xmrig
behavioral1/memory/1832-158-0x000000013F240000-0x000000013F591000-memory.dmp	xmrig
behavioral1/memory/1248-161-0x000000013FBD0000-0x000000013FF21000-memory.dmp	xmrig
behavioral1/memory/1264-162-0x000000013F2E0000-0x000000013F631000-memory.dmp	xmrig
behavioral1/memory/2340-164-0x000000013FF20000-0x0000000140271000-memory.dmp	xmrig
behavioral1/memory/1564-169-0x000000013FDF0000-0x0000000140141000-memory.dmp	xmrig
behavioral1/memory/1324-168-0x000000013FC80000-0x000000013FFD1000-memory.dmp	xmrig
behavioral1/memory/1932-167-0x000000013F290000-0x000000013F5E1000-memory.dmp	xmrig
behavioral1/memory/1316-166-0x000000013F870000-0x000000013FBC1000-memory.dmp	xmrig
behavioral1/memory/2884-165-0x000000013F2E0000-0x000000013F631000-memory.dmp	xmrig
behavioral1/memory/2340-186-0x000000013FF20000-0x0000000140271000-memory.dmp	xmrig
behavioral1/memory/2032-216-0x000000013F1D0000-0x000000013F521000-memory.dmp	xmrig
behavioral1/memory/2180-223-0x000000013F470000-0x000000013F7C1000-memory.dmp	xmrig
behavioral1/memory/2696-226-0x000000013FB80000-0x000000013FED1000-memory.dmp	xmrig
behavioral1/memory/2712-227-0x000000013FB30000-0x000000013FE81000-memory.dmp	xmrig
behavioral1/memory/2836-229-0x000000013FD50000-0x00000001400A1000-memory.dmp	xmrig
behavioral1/memory/2800-237-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/2872-239-0x000000013F820000-0x000000013FB71000-memory.dmp	xmrig
behavioral1/memory/1988-241-0x000000013FDB0000-0x0000000140101000-memory.dmp	xmrig
behavioral1/memory/2724-243-0x000000013FD60000-0x00000001400B1000-memory.dmp	xmrig
behavioral1/memory/2616-245-0x000000013FE00000-0x0000000140151000-memory.dmp	xmrig
behavioral1/memory/1840-249-0x000000013F260000-0x000000013F5B1000-memory.dmp	xmrig
behavioral1/memory/2652-247-0x000000013FA30000-0x000000013FD81000-memory.dmp	xmrig
behavioral1/memory/1832-255-0x000000013F240000-0x000000013F591000-memory.dmp	xmrig
behavioral1/memory/1928-257-0x000000013F9B0000-0x000000013FD01000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

TkaJXga.exeDFckSwC.exeeGPTcMc.exemratAyw.exeEsoxBiq.exeieKhCZG.exernTWrUq.exeZwBBhDK.exeQkfNKXF.exetMxWJSm.exefyvEfbO.exeWpifvDb.exeuxVvKNy.exeggrUqHb.exeyWHvMct.exeyugazVH.exeoSyxNdN.exeIAgnpnB.exewXYbrOM.exeUFtJExH.exemlHzfWs.exe

pid	Process
2032	TkaJXga.exe
2180	DFckSwC.exe
2712	eGPTcMc.exe
2696	mratAyw.exe
2836	EsoxBiq.exe
2800	ieKhCZG.exe
2872	rnTWrUq.exe
1988	ZwBBhDK.exe
2616	QkfNKXF.exe
2724	tMxWJSm.exe
1840	fyvEfbO.exe
2652	WpifvDb.exe
1832	uxVvKNy.exe
1928	ggrUqHb.exe
1248	yWHvMct.exe
1264	yugazVH.exe
2884	oSyxNdN.exe
1316	IAgnpnB.exe
1932	wXYbrOM.exe
1324	UFtJExH.exe
1564	mlHzfWs.exe

Loads dropped DLL 21 IoCs

Processes:

2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe

pid	Process
2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2340-0-0x000000013FF20000-0x0000000140271000-memory.dmp	upx
behavioral1/files/0x000a00000001225a-3.dat	upx
behavioral1/memory/2340-6-0x000000013F1D0000-0x000000013F521000-memory.dmp	upx
behavioral1/memory/2032-8-0x000000013F1D0000-0x000000013F521000-memory.dmp	upx
behavioral1/files/0x0008000000016c81-10.dat	upx
behavioral1/files/0x0008000000016c89-16.dat	upx
behavioral1/memory/2180-19-0x000000013F470000-0x000000013F7C1000-memory.dmp	upx
behavioral1/files/0x0007000000016d33-28.dat	upx
behavioral1/memory/2696-42-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx
behavioral1/memory/2340-45-0x000000013FF20000-0x0000000140271000-memory.dmp	upx
behavioral1/memory/2800-44-0x000000013F8D0000-0x000000013FC21000-memory.dmp	upx
behavioral1/memory/2836-43-0x000000013FD50000-0x00000001400A1000-memory.dmp	upx
behavioral1/files/0x0008000000016cf8-39.dat	upx
behavioral1/memory/2712-36-0x000000013FB30000-0x000000013FE81000-memory.dmp	upx
behavioral1/files/0x0009000000016b17-29.dat	upx
behavioral1/memory/2032-54-0x000000013F1D0000-0x000000013F521000-memory.dmp	upx
behavioral1/memory/2180-58-0x000000013F470000-0x000000013F7C1000-memory.dmp	upx
behavioral1/memory/1988-59-0x000000013FDB0000-0x0000000140101000-memory.dmp	upx
behavioral1/memory/2872-51-0x000000013F820000-0x000000013FB71000-memory.dmp	upx
behavioral1/files/0x0006000000019408-67.dat	upx
behavioral1/files/0x00050000000194a7-77.dat	upx
behavioral1/memory/2616-66-0x000000013FE00000-0x0000000140151000-memory.dmp	upx
behavioral1/memory/2652-86-0x000000013FA30000-0x000000013FD81000-memory.dmp	upx
behavioral1/memory/2724-76-0x000000013FD60000-0x00000001400B1000-memory.dmp	upx
behavioral1/files/0x0005000000019494-72.dat	upx
behavioral1/memory/2872-85-0x000000013F820000-0x000000013FB71000-memory.dmp	upx
behavioral1/files/0x0009000000016db3-65.dat	upx
behavioral1/memory/2340-79-0x000000013F260000-0x000000013F5B1000-memory.dmp	upx
behavioral1/files/0x0007000000016d46-50.dat	upx
behavioral1/files/0x0007000000016d4a-57.dat	upx
behavioral1/memory/1988-90-0x000000013FDB0000-0x0000000140101000-memory.dmp	upx
behavioral1/memory/2616-92-0x000000013FE00000-0x0000000140151000-memory.dmp	upx
behavioral1/files/0x00050000000194b4-95.dat	upx
behavioral1/memory/1832-102-0x000000013F240000-0x000000013F591000-memory.dmp	upx
behavioral1/files/0x00050000000194e2-115.dat	upx
behavioral1/files/0x00050000000194da-112.dat	upx
behavioral1/memory/1928-111-0x000000013F9B0000-0x000000013FD01000-memory.dmp	upx
behavioral1/files/0x00050000000194d4-108.dat	upx
behavioral1/memory/2724-99-0x000000013FD60000-0x00000001400B1000-memory.dmp	upx
behavioral1/files/0x00050000000194ea-118.dat	upx
behavioral1/files/0x00050000000194f2-125.dat	upx
behavioral1/files/0x00050000000194f6-128.dat	upx
behavioral1/files/0x0005000000019501-136.dat	upx
behavioral1/files/0x0005000000019503-139.dat	upx
behavioral1/memory/1840-142-0x000000013F260000-0x000000013F5B1000-memory.dmp	upx
behavioral1/memory/2340-143-0x000000013FF20000-0x0000000140271000-memory.dmp	upx
behavioral1/memory/2652-146-0x000000013FA30000-0x000000013FD81000-memory.dmp	upx
behavioral1/memory/1832-158-0x000000013F240000-0x000000013F591000-memory.dmp	upx
behavioral1/memory/1248-161-0x000000013FBD0000-0x000000013FF21000-memory.dmp	upx
behavioral1/memory/1264-162-0x000000013F2E0000-0x000000013F631000-memory.dmp	upx
behavioral1/memory/2340-164-0x000000013FF20000-0x0000000140271000-memory.dmp	upx
behavioral1/memory/1564-169-0x000000013FDF0000-0x0000000140141000-memory.dmp	upx
behavioral1/memory/1324-168-0x000000013FC80000-0x000000013FFD1000-memory.dmp	upx
behavioral1/memory/1932-167-0x000000013F290000-0x000000013F5E1000-memory.dmp	upx
behavioral1/memory/1316-166-0x000000013F870000-0x000000013FBC1000-memory.dmp	upx
behavioral1/memory/2884-165-0x000000013F2E0000-0x000000013F631000-memory.dmp	upx
behavioral1/memory/2340-186-0x000000013FF20000-0x0000000140271000-memory.dmp	upx
behavioral1/memory/2032-216-0x000000013F1D0000-0x000000013F521000-memory.dmp	upx
behavioral1/memory/2180-223-0x000000013F470000-0x000000013F7C1000-memory.dmp	upx
behavioral1/memory/2696-226-0x000000013FB80000-0x000000013FED1000-memory.dmp	upx
behavioral1/memory/2712-227-0x000000013FB30000-0x000000013FE81000-memory.dmp	upx
behavioral1/memory/2836-229-0x000000013FD50000-0x00000001400A1000-memory.dmp	upx
behavioral1/memory/2800-237-0x000000013F8D0000-0x000000013FC21000-memory.dmp	upx
behavioral1/memory/2872-239-0x000000013F820000-0x000000013FB71000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	Process
File created	C:\Windows\System\QkfNKXF.exe	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tMxWJSm.exe	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oSyxNdN.exe	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IAgnpnB.exe	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\EsoxBiq.exe	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZwBBhDK.exe	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ggrUqHb.exe	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yugazVH.exe	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mratAyw.exe	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fyvEfbO.exe	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uxVvKNy.exe	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ieKhCZG.exe	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DFckSwC.exe	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eGPTcMc.exe	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rnTWrUq.exe	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WpifvDb.exe	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yWHvMct.exe	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wXYbrOM.exe	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UFtJExH.exe	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TkaJXga.exe	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mlHzfWs.exe	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process
Token: SeLockMemoryPrivilege	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process	procid_target
PID 2340 wrote to memory of 2032	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2340 wrote to memory of 2032	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2340 wrote to memory of 2032	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 2340 wrote to memory of 2180	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2340 wrote to memory of 2180	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2340 wrote to memory of 2180	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2340 wrote to memory of 2696	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2340 wrote to memory of 2696	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2340 wrote to memory of 2696	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2340 wrote to memory of 2712	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2340 wrote to memory of 2712	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2340 wrote to memory of 2712	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2340 wrote to memory of 2800	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2340 wrote to memory of 2800	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2340 wrote to memory of 2800	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2340 wrote to memory of 2836	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2340 wrote to memory of 2836	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2340 wrote to memory of 2836	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2340 wrote to memory of 2872	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2340 wrote to memory of 2872	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2340 wrote to memory of 2872	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2340 wrote to memory of 1988	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2340 wrote to memory of 1988	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2340 wrote to memory of 1988	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2340 wrote to memory of 2616	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2340 wrote to memory of 2616	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2340 wrote to memory of 2616	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2340 wrote to memory of 2724	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2340 wrote to memory of 2724	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2340 wrote to memory of 2724	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2340 wrote to memory of 2652	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2340 wrote to memory of 2652	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2340 wrote to memory of 2652	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2340 wrote to memory of 1840	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2340 wrote to memory of 1840	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2340 wrote to memory of 1840	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2340 wrote to memory of 1832	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2340 wrote to memory of 1832	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2340 wrote to memory of 1832	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2340 wrote to memory of 1928	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2340 wrote to memory of 1928	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2340 wrote to memory of 1928	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2340 wrote to memory of 1248	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2340 wrote to memory of 1248	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2340 wrote to memory of 1248	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2340 wrote to memory of 1264	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2340 wrote to memory of 1264	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2340 wrote to memory of 1264	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2340 wrote to memory of 2884	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2340 wrote to memory of 2884	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2340 wrote to memory of 2884	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2340 wrote to memory of 1316	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2340 wrote to memory of 1316	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2340 wrote to memory of 1316	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2340 wrote to memory of 1932	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2340 wrote to memory of 1932	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2340 wrote to memory of 1932	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2340 wrote to memory of 1324	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2340 wrote to memory of 1324	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2340 wrote to memory of 1324	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2340 wrote to memory of 1564	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2340 wrote to memory of 1564	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2340 wrote to memory of 1564	2340	2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe	51

C:\Users\Admin\AppData\Local\Temp\2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-17_f0dbce2a9ee77cc36d383f5d622231bc_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Windows\System\TkaJXga.exe
  C:\Windows\System\TkaJXga.exe
  2⤵
  - Executes dropped EXE
  PID:2032
- C:\Windows\System\DFckSwC.exe
  C:\Windows\System\DFckSwC.exe
  2⤵
  - Executes dropped EXE
  PID:2180
- C:\Windows\System\mratAyw.exe
  C:\Windows\System\mratAyw.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\eGPTcMc.exe
  C:\Windows\System\eGPTcMc.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\ieKhCZG.exe
  C:\Windows\System\ieKhCZG.exe
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\Windows\System\EsoxBiq.exe
  C:\Windows\System\EsoxBiq.exe
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\Windows\System\rnTWrUq.exe
  C:\Windows\System\rnTWrUq.exe
  2⤵
  - Executes dropped EXE
  PID:2872
- C:\Windows\System\ZwBBhDK.exe
  C:\Windows\System\ZwBBhDK.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\QkfNKXF.exe
  C:\Windows\System\QkfNKXF.exe
  2⤵
  - Executes dropped EXE
  PID:2616
- C:\Windows\System\tMxWJSm.exe
  C:\Windows\System\tMxWJSm.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\WpifvDb.exe
  C:\Windows\System\WpifvDb.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\fyvEfbO.exe
  C:\Windows\System\fyvEfbO.exe
  2⤵
  - Executes dropped EXE
  PID:1840
- C:\Windows\System\uxVvKNy.exe
  C:\Windows\System\uxVvKNy.exe
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\System\ggrUqHb.exe
  C:\Windows\System\ggrUqHb.exe
  2⤵
  - Executes dropped EXE
  PID:1928
- C:\Windows\System\yWHvMct.exe
  C:\Windows\System\yWHvMct.exe
  2⤵
  - Executes dropped EXE
  PID:1248
- C:\Windows\System\yugazVH.exe
  C:\Windows\System\yugazVH.exe
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Windows\System\oSyxNdN.exe
  C:\Windows\System\oSyxNdN.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\Windows\System\IAgnpnB.exe
  C:\Windows\System\IAgnpnB.exe
  2⤵
  - Executes dropped EXE
  PID:1316
- C:\Windows\System\wXYbrOM.exe
  C:\Windows\System\wXYbrOM.exe
  2⤵
  - Executes dropped EXE
  PID:1932
- C:\Windows\System\UFtJExH.exe
  C:\Windows\System\UFtJExH.exe
  2⤵
  - Executes dropped EXE
  PID:1324
- C:\Windows\System\mlHzfWs.exe
  C:\Windows\System\mlHzfWs.exe
  2⤵
  - Executes dropped EXE
  PID:1564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\IAgnpnB.exe

Filesize
5.2MB

MD5
53738c4ed976913a8b1475495530240b

SHA1
c3aadc3277cf82962233807bc1c0a133e7fae9a6

SHA256
0fb9b2d780c6e83b9467387b7613aa03a8f11d6fe93ac3f1b6da0e51bcc73d41

SHA512
3fa8101f4b869b5ceca727a0ded7e5e0c674e4d10a0d0389f082f995acb121bc0fbe60f1881db916c14120e1c70392414fa5ad7066277798b9fbda83d4dd2409

Download Submit
C:\Windows\system\QkfNKXF.exe

Filesize
5.2MB

MD5
cee58bc47ba30dfd3619528991542860

SHA1
dd4ab934650f4366850f556fe965af9bf48b38c2

SHA256
5acac1d9b47707e4b70f8b3d0928e811565054fccee828df242e40072c7404c9

SHA512
b9fbf7f662083930e9efbee91b9ae06d753a8f97b4c3147cfb1acef4069fdd45d92faf087232eacb32232418f6aae7a8ba885ee98d883fe4b3685a6a219efaef

Download Submit
C:\Windows\system\UFtJExH.exe

Filesize
5.2MB

MD5
66563d82408b2507b5c748e93567260a

SHA1
1ba6a7fb3075fdad34c07841122e67f5713aef86

SHA256
b9ff1accb309b4deab62e2a5b48a3fe57c92897d6f52a6cf83fe80c7f9a9437f

SHA512
5726c7458c8f34e4ba232d98a65cd8fb6c4787f71e7c546a9c5b1a9a81417787707637422fa018edca4a273819e48464e93acca9851078245b76907338195022

Download Submit
C:\Windows\system\ZwBBhDK.exe

Filesize
5.2MB

MD5
9f99e98a3371ec9944fdd22c252e634d

SHA1
1f76b993730f0f24c8f07e2b8af9027cfeac5313

SHA256
5c34ab2308684dbc814a22f798fee937056cfb8d2f832fb7ed53753e0845769b

SHA512
6caf20e8af75abae9e239f24af32958e7abf0d5a009d32b1a46bf0311f85fc77b879ee22c98dd2df77576d359bd5ed3dbdabc3af77d57b6d88214327234c601e

Download Submit
C:\Windows\system\eGPTcMc.exe

Filesize
5.2MB

MD5
0608993981d689071359c9b139367ffa

SHA1
22797e211fc39e0625416f0d6b120cd2334b99e3

SHA256
d89ce87e0ecbf7467f3fc571bd194cb42e01e5b7f61a5a31481a59fa26e48e1c

SHA512
18d4c8cc2859401e2103b5a09a1970bbb8bcbae74f3055bb95e681a5b2181a787a9ec93467d90501efcae2f0140b70cb48894c0b59512306e697437ef3177fb8

Download Submit
C:\Windows\system\ggrUqHb.exe

Filesize
5.2MB

MD5
94d8afa7aba91b7624b1e55dfa7c014c

SHA1
7642bbd8d8ee5c46ab97fbb37333546c8a1ba033

SHA256
1e34737a10097029d0e25430a01cf219d707b6d12be81968cd17d34b555a78af

SHA512
e7b212b14f5f960ba8f0107ec0b5ec6cb07a4dc35a5632e88313c1e4502ddc09e89a84e5bad2cb9a70c3dd2a3d4d730f6e3eb5bb708bd0b3ef1c5ce754843f64

Download Submit
C:\Windows\system\ieKhCZG.exe

Filesize
5.2MB

MD5
32cc83b39c97c34f9e08e3c9a117ecec

SHA1
922c060c901acec37e9c09035402d064ac351d69

SHA256
849449d930523920069761b0e5a780f672110b5a104f8f758e669a3657eee534

SHA512
4480fa4cea74f8af3bab8c893f74ba2693552aae5edbb2f9a97f073f4f8105945c223123a42b4ea53f47de3a7f5c26c6e300abf1318b045becd3b9e2b651be50

Download Submit
C:\Windows\system\mlHzfWs.exe

Filesize
5.2MB

MD5
7899a3f5c6e6fc7f9546fedb75307eec

SHA1
2a698279d8150ff7db8a915a3f5f9c03e406a22c

SHA256
31f132131e6fa928fbbc458473eedbbd91ebd279b7f0911c292847adbc213092

SHA512
06d11fb69dcb85ae6d89e38f5580d1b45cdd10ed7a50e0aa6e16bb73932c45e7adb266cadc1a101fb83f859c73ec6835eb34846ed1efef687836072f94a04653

Download Submit
C:\Windows\system\rnTWrUq.exe

Filesize
5.2MB

MD5
273dfc9609864a4a6e873a80fa0d9186

SHA1
5a0bf9688d0d925c2962bd4eee8f6d47c89e47ae

SHA256
a3c5ce6ced11daf61b289355abf37a6346349e7ce19c7461da1e1143945b3ca6

SHA512
1cebf9bff11aa501723db79783c0bdf629d6dc895545d4847686b3ada7c093e72a680de51adeab9b6362e24355b3d720f0136074c968938f7c79e0058db5b699

Download Submit
C:\Windows\system\yWHvMct.exe

Filesize
5.2MB

MD5
8ab7d1e5fc0618d19ed8d2a06f5de7eb

SHA1
9b412949be0108bfa0dc14e24b6ba9363c5bd917

SHA256
1c8c3ee9639d831dc1e5fa57047a9976599ed7cf877e18c90395f7b4af784ff6

SHA512
f2977cafbdfbe43c7e7c8a88d7738a53c4bd2acd47869f9048cadcadf5ec491cadb12fdd06f8984ea07aa0f9beb9e8fccf4d810029331399942593953ce92dc6

Download Submit
C:\Windows\system\yugazVH.exe

Filesize
5.2MB

MD5
a756434d7b716010e09503005bcea49e

SHA1
5ea517896862eb7d3066f99c8f5e42cef9461473

SHA256
ab649dc8ee149fed2f1c88b444a8fca8e9b099d34da1a59fe4749b436dce62c3

SHA512
046b4c6f121db4933b2026b99f99a1573380920e50ef8e4f640712ad3b309f3f71ef08d1777e903dd95ddcb67f41ee8b94c9462028392fa89e6c0bb7e63fa166

Download Submit
\Windows\system\DFckSwC.exe

Filesize
5.2MB

MD5
0190c032a7de2ea1c418fd045cf2381e

SHA1
4d867ee19d4beedf0300adc8515ca9aaa94aa950

SHA256
6c46257516a06c29017846d5df4bc81d9f4d5149c73b6d929cb34e82ea3e45a2

SHA512
0a4c3a657b3a563286bf37199c0be929e77b38294f31c9fc8d0f72d2afd74157056169551c07aa0a35c9e8cb5a7b81d6cf8c4ab55232d04b3f47a012e8cc46ce

Download Submit
\Windows\system\EsoxBiq.exe

Filesize
5.2MB

MD5
9225abb8724b85caa1dffdbf5dbd987d

SHA1
82757b3ff7f22d79b0eca78a02ae5ac2cbb6f3e5

SHA256
c2475d5657de9cf005e3e63d06607cdf4bf407e036710aeb813d288293fbb0ff

SHA512
3243bff02f2af6b89ddc6c5539631ee3381c69f37736fcef49a2af5ae5889b6c8b0fbdb5bcfabf2b8501e5ca15931c4b3b210686006bc3bf48278bb40e3ec5fa

Download Submit
\Windows\system\TkaJXga.exe

Filesize
5.2MB

MD5
144efce6573c714e064d2a560a8f0205

SHA1
abf65a1c198da5f52dd9e6627b4dc5bac6426f2d

SHA256
2eefbeb6c31c4b068175d66903a31ba8175be14b014ca3810cdb1857d43a0558

SHA512
9af0858387ad3331ca87c16f83f9e2dad5c70e7c32ddedd9bee3bcb748a10143e480fdf5b63a4d72ba6ad804e8f23c08c85cb0156964f27f672fee1946d22b89

Download Submit
\Windows\system\WpifvDb.exe

Filesize
5.2MB

MD5
272ab3f40a87fdf782605edaf65760e4

SHA1
54cc1854cbb7b8f238646e3d5247e7e78950d95b

SHA256
04152a791bee25ecccdaafe52c8d768a4b59a72f822e0fcdf19718e08c03a3d7

SHA512
5c01f54a4a46684f529072a2166842b675313dd0eb62233fd95ce000011d03380dbad42db49c52a2687de792e9d14d9d5bc63eaec6a165397984d1eaf69de468

Download Submit
\Windows\system\fyvEfbO.exe

Filesize
5.2MB

MD5
a114f8c6b02cf8aeefacb17c2fcae783

SHA1
c5c8c892d2362388060ab2a8ae56b905b11cd820

SHA256
10addf05371266ffcdf311dc8d23c4582f056b7e89cc93f0b0c6b833790f1b1f

SHA512
fd9e866245105faea3175552b69da36a33724492e8c341378983b17b87052e5eb25ec99062dfe17f62b9af5432108d6d12829d2d2555fb130e0cea5873f0a968

Download Submit
\Windows\system\mratAyw.exe

Filesize
5.2MB

MD5
9e2e6040d32daa8886e16389c5bff3f6

SHA1
15cd207c353b5e3b48e67f4c023e8aeeb3d40c9c

SHA256
fa24f6af68f50de78f3434d819f68b640e0de58a3a798f310e88cc3e82e3d50b

SHA512
4219c377f0060917538bede92e37a866e52162cb29dd9cb0967085e83a2130919efa2cd234bb92856e726e1a05cc58b06491d572cce22f29a5ae0e48f6311a23

Download Submit
\Windows\system\oSyxNdN.exe

Filesize
5.2MB

MD5
05ab09d3083eed7a78d2f4e655f90fe8

SHA1
d6291e2840e46911e13aa5950bc2f3e9c15b2da6

SHA256
c2d0e413b5c28fed75cb32df33e9c1ee6361bf9932419b68a3a4aaed702821cd

SHA512
a02a61e01f9803a26b034cc6beb2c2dd9a3bea9b5a6ccab497be4513eebfa53d21d510f06f51c5ae31c064499bd130503a08c61292df235b6251cbf3612dc67a

Download Submit
\Windows\system\tMxWJSm.exe

Filesize
5.2MB

MD5
5cb5b29cc3aa206bedff72226cd612c9

SHA1
942b2b964f426e1c593593816e1a39fe3bef6a31

SHA256
6786ec5b4abef82d64fcdc0b5f3e4ad62e1baa776814baf2fda4a2641dfaf285

SHA512
ae553073600c526b606feef919c2cc872cd1cc766cf3c8d0b5710beb049404db08eaddab446f7c6bd5d5e460835a1544b8e8353e852dc70535ce72bfb50a18f8

Download Submit
\Windows\system\uxVvKNy.exe

Filesize
5.2MB

MD5
818a4ba27b148367e4eaedf661bbfe2c

SHA1
0be7326840bf69ea449ae5c04d65c26c757971ba

SHA256
9e6065338bc3447bd6bab1bf57247088459a5e2356c36ac67463ba81cd4b30e5

SHA512
3079b167b8106f2f531851dc4c3757add8a4fe8f1c72c232f94f5f8dcfdde41ab7c709739b2550a0540c83a8938ec69fb6fbc369426be185deda028b1d4f2bfc

Download Submit
\Windows\system\wXYbrOM.exe

Filesize
5.2MB

MD5
37b2e112d4c18348074b4857b98fffde

SHA1
bbb271ef07f93b1d2ae9d3d82645c49398b1b9c8

SHA256
364bb084a8fcef44fabc080f479b0caf25cb04268a25340662a771bf85a0109c

SHA512
db525464cdc96fce984c648b7621119e5772809a923bbc78617e2e632c4eeb77363cf9a9da3cd77a669e94d57030b665858e00f7e89141e975b3ab70962a2c58

Download Submit
memory/1248-161-0x000000013FBD0000-0x000000013FF21000-memory.dmp

Filesize
3.3MB

Download
memory/1264-162-0x000000013F2E0000-0x000000013F631000-memory.dmp

Filesize
3.3MB

Download
memory/1316-166-0x000000013F870000-0x000000013FBC1000-memory.dmp

Filesize
3.3MB

Download
memory/1324-168-0x000000013FC80000-0x000000013FFD1000-memory.dmp

Filesize
3.3MB

Download
memory/1564-169-0x000000013FDF0000-0x0000000140141000-memory.dmp

Filesize
3.3MB

Download
memory/1832-158-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/1832-102-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/1832-255-0x000000013F240000-0x000000013F591000-memory.dmp

Filesize
3.3MB

Download
memory/1840-142-0x000000013F260000-0x000000013F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/1840-249-0x000000013F260000-0x000000013F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/1928-111-0x000000013F9B0000-0x000000013FD01000-memory.dmp

Filesize
3.3MB

Download
memory/1928-257-0x000000013F9B0000-0x000000013FD01000-memory.dmp

Filesize
3.3MB

Download
memory/1932-167-0x000000013F290000-0x000000013F5E1000-memory.dmp

Filesize
3.3MB

Download
memory/1988-59-0x000000013FDB0000-0x0000000140101000-memory.dmp

Filesize
3.3MB

Download
memory/1988-241-0x000000013FDB0000-0x0000000140101000-memory.dmp

Filesize
3.3MB

Download
memory/1988-90-0x000000013FDB0000-0x0000000140101000-memory.dmp

Filesize
3.3MB

Download
memory/2032-54-0x000000013F1D0000-0x000000013F521000-memory.dmp

Filesize
3.3MB

Download
memory/2032-216-0x000000013F1D0000-0x000000013F521000-memory.dmp

Filesize
3.3MB

Download
memory/2032-8-0x000000013F1D0000-0x000000013F521000-memory.dmp

Filesize
3.3MB

Download
memory/2180-58-0x000000013F470000-0x000000013F7C1000-memory.dmp

Filesize
3.3MB

Download
memory/2180-19-0x000000013F470000-0x000000013F7C1000-memory.dmp

Filesize
3.3MB

Download
memory/2180-223-0x000000013F470000-0x000000013F7C1000-memory.dmp

Filesize
3.3MB

Download
memory/2340-32-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2340-94-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2340-78-0x000000013FA30000-0x000000013FD81000-memory.dmp

Filesize
3.3MB

Download
memory/2340-38-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2340-79-0x000000013F260000-0x000000013F5B1000-memory.dmp

Filesize
3.3MB

Download
memory/2340-63-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2340-1-0x0000000000180000-0x0000000000190000-memory.dmp

Filesize
64KB

Download
memory/2340-6-0x000000013F1D0000-0x000000013F521000-memory.dmp

Filesize
3.3MB

Download
memory/2340-109-0x000000013F9B0000-0x000000013FD01000-memory.dmp

Filesize
3.3MB

Download
memory/2340-20-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2340-14-0x000000013F470000-0x000000013F7C1000-memory.dmp

Filesize
3.3MB

Download
memory/2340-82-0x000000013F820000-0x000000013FB71000-memory.dmp

Filesize
3.3MB

Download
memory/2340-186-0x000000013FF20000-0x0000000140271000-memory.dmp

Filesize
3.3MB

Download
memory/2340-164-0x000000013FF20000-0x0000000140271000-memory.dmp

Filesize
3.3MB

Download
memory/2340-68-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2340-0-0x000000013FF20000-0x0000000140271000-memory.dmp

Filesize
3.3MB

Download
memory/2340-47-0x000000013F820000-0x000000013FB71000-memory.dmp

Filesize
3.3MB

Download
memory/2340-143-0x000000013FF20000-0x0000000140271000-memory.dmp

Filesize
3.3MB

Download
memory/2340-91-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2340-45-0x000000013FF20000-0x0000000140271000-memory.dmp

Filesize
3.3MB

Download
memory/2340-89-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2340-163-0x0000000002310000-0x0000000002661000-memory.dmp

Filesize
3.3MB

Download
memory/2340-27-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2616-92-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/2616-245-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/2616-66-0x000000013FE00000-0x0000000140151000-memory.dmp

Filesize
3.3MB

Download
memory/2652-86-0x000000013FA30000-0x000000013FD81000-memory.dmp

Filesize
3.3MB

Download
memory/2652-146-0x000000013FA30000-0x000000013FD81000-memory.dmp

Filesize
3.3MB

Download
memory/2652-247-0x000000013FA30000-0x000000013FD81000-memory.dmp

Filesize
3.3MB

Download
memory/2696-42-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2696-226-0x000000013FB80000-0x000000013FED1000-memory.dmp

Filesize
3.3MB

Download
memory/2712-36-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2712-227-0x000000013FB30000-0x000000013FE81000-memory.dmp

Filesize
3.3MB

Download
memory/2724-76-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/2724-99-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/2724-243-0x000000013FD60000-0x00000001400B1000-memory.dmp

Filesize
3.3MB

Download
memory/2800-237-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2800-44-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2836-229-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/2836-43-0x000000013FD50000-0x00000001400A1000-memory.dmp

Filesize
3.3MB

Download
memory/2872-239-0x000000013F820000-0x000000013FB71000-memory.dmp

Filesize
3.3MB

Download
memory/2872-51-0x000000013F820000-0x000000013FB71000-memory.dmp

Filesize
3.3MB

Download
memory/2872-85-0x000000013F820000-0x000000013FB71000-memory.dmp

Filesize
3.3MB

Download
memory/2884-165-0x000000013F2E0000-0x000000013F631000-memory.dmp

Filesize
3.3MB

Download