cobaltstrike | 3007bcbbfa8bd045255d21be82e1cc2d508f55c7cb59a8fce58723a7cdbf95a4

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 13:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

88d79f7146d818176b1702acaf25cfff
SHA1

9c15d5ccdf013ae7d0bed21b2a8af7a401093abb
SHA256

3007bcbbfa8bd045255d21be82e1cc2d508f55c7cb59a8fce58723a7cdbf95a4
SHA512

1398fea9f2a2871b8816a8026182a3f7aab43e3d3d7bfbb128822993ee17d36779bda908cd9b8609a052df3f18f37ca69e50d0f39da968835f5c87165232dde0
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lU7:T+856utgpPF8u/77

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\mzvrmQD.exe	cobalt_reflective_dll
C:\Windows\System\tFUcoKg.exe	cobalt_reflective_dll
C:\Windows\System\ETfKZhr.exe	cobalt_reflective_dll
C:\Windows\System\zmPejiR.exe	cobalt_reflective_dll
C:\Windows\System\TSzKPnL.exe	cobalt_reflective_dll
C:\Windows\System\MOMUIqc.exe	cobalt_reflective_dll
C:\Windows\System\MZttsFk.exe	cobalt_reflective_dll
C:\Windows\System\RulEPda.exe	cobalt_reflective_dll
C:\Windows\System\ykqcwyn.exe	cobalt_reflective_dll
C:\Windows\System\auKqQdU.exe	cobalt_reflective_dll
C:\Windows\System\qOpijXw.exe	cobalt_reflective_dll
C:\Windows\System\BVhAhnM.exe	cobalt_reflective_dll
C:\Windows\System\nUTaKfK.exe	cobalt_reflective_dll
C:\Windows\System\xbwImuj.exe	cobalt_reflective_dll
C:\Windows\System\ppsfdlT.exe	cobalt_reflective_dll
C:\Windows\System\fzYlPJD.exe	cobalt_reflective_dll
C:\Windows\System\DtrNdRY.exe	cobalt_reflective_dll
C:\Windows\System\UgRrSKC.exe	cobalt_reflective_dll
C:\Windows\System\lByumgi.exe	cobalt_reflective_dll
C:\Windows\System\gBqyVFp.exe	cobalt_reflective_dll
C:\Windows\System\fLAXtdg.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4792-0-0x00007FF7A0E00000-0x00007FF7A1154000-memory.dmp	xmrig
C:\Windows\System\mzvrmQD.exe	xmrig
behavioral2/memory/4344-8-0x00007FF6D04C0000-0x00007FF6D0814000-memory.dmp	xmrig
C:\Windows\System\tFUcoKg.exe	xmrig
C:\Windows\System\ETfKZhr.exe	xmrig
behavioral2/memory/4388-14-0x00007FF630920000-0x00007FF630C74000-memory.dmp	xmrig
behavioral2/memory/228-20-0x00007FF7AEF50000-0x00007FF7AF2A4000-memory.dmp	xmrig
C:\Windows\System\zmPejiR.exe	xmrig
behavioral2/memory/1120-26-0x00007FF6CA570000-0x00007FF6CA8C4000-memory.dmp	xmrig
C:\Windows\System\TSzKPnL.exe	xmrig
behavioral2/memory/1624-30-0x00007FF75CDB0000-0x00007FF75D104000-memory.dmp	xmrig
C:\Windows\System\MOMUIqc.exe	xmrig
behavioral2/memory/1748-36-0x00007FF649230000-0x00007FF649584000-memory.dmp	xmrig
C:\Windows\System\MZttsFk.exe	xmrig
behavioral2/memory/2204-44-0x00007FF649030000-0x00007FF649384000-memory.dmp	xmrig
C:\Windows\System\RulEPda.exe	xmrig
behavioral2/memory/5012-50-0x00007FF6790A0000-0x00007FF6793F4000-memory.dmp	xmrig
behavioral2/memory/4792-54-0x00007FF7A0E00000-0x00007FF7A1154000-memory.dmp	xmrig
C:\Windows\System\ykqcwyn.exe	xmrig
behavioral2/memory/4672-55-0x00007FF6D7ED0000-0x00007FF6D8224000-memory.dmp	xmrig
behavioral2/memory/4344-58-0x00007FF6D04C0000-0x00007FF6D0814000-memory.dmp	xmrig
C:\Windows\System\auKqQdU.exe	xmrig
behavioral2/memory/4388-62-0x00007FF630920000-0x00007FF630C74000-memory.dmp	xmrig
behavioral2/memory/720-63-0x00007FF65D430000-0x00007FF65D784000-memory.dmp	xmrig
behavioral2/memory/228-69-0x00007FF7AEF50000-0x00007FF7AF2A4000-memory.dmp	xmrig
behavioral2/memory/2868-70-0x00007FF6149C0000-0x00007FF614D14000-memory.dmp	xmrig
C:\Windows\System\qOpijXw.exe	xmrig
C:\Windows\System\BVhAhnM.exe	xmrig
behavioral2/memory/1624-77-0x00007FF75CDB0000-0x00007FF75D104000-memory.dmp	xmrig
behavioral2/memory/1748-84-0x00007FF649230000-0x00007FF649584000-memory.dmp	xmrig
C:\Windows\System\nUTaKfK.exe	xmrig
C:\Windows\System\xbwImuj.exe	xmrig
C:\Windows\System\ppsfdlT.exe	xmrig
behavioral2/memory/5052-85-0x00007FF70FF80000-0x00007FF7102D4000-memory.dmp	xmrig
behavioral2/memory/2060-80-0x00007FF7325E0000-0x00007FF732934000-memory.dmp	xmrig
behavioral2/memory/1120-73-0x00007FF6CA570000-0x00007FF6CA8C4000-memory.dmp	xmrig
C:\Windows\System\fzYlPJD.exe	xmrig
C:\Windows\System\DtrNdRY.exe	xmrig
C:\Windows\System\UgRrSKC.exe	xmrig
C:\Windows\System\lByumgi.exe	xmrig
C:\Windows\System\gBqyVFp.exe	xmrig
C:\Windows\System\fLAXtdg.exe	xmrig
behavioral2/memory/4756-127-0x00007FF641D80000-0x00007FF6420D4000-memory.dmp	xmrig
behavioral2/memory/3480-129-0x00007FF6403A0000-0x00007FF6406F4000-memory.dmp	xmrig
behavioral2/memory/4768-128-0x00007FF606B10000-0x00007FF606E64000-memory.dmp	xmrig
behavioral2/memory/3428-130-0x00007FF743E30000-0x00007FF744184000-memory.dmp	xmrig
behavioral2/memory/928-131-0x00007FF7C1E50000-0x00007FF7C21A4000-memory.dmp	xmrig
behavioral2/memory/2276-132-0x00007FF6B4A30000-0x00007FF6B4D84000-memory.dmp	xmrig
behavioral2/memory/624-134-0x00007FF792910000-0x00007FF792C64000-memory.dmp	xmrig
behavioral2/memory/3040-133-0x00007FF785A60000-0x00007FF785DB4000-memory.dmp	xmrig
behavioral2/memory/4672-135-0x00007FF6D7ED0000-0x00007FF6D8224000-memory.dmp	xmrig
behavioral2/memory/720-136-0x00007FF65D430000-0x00007FF65D784000-memory.dmp	xmrig
behavioral2/memory/2868-137-0x00007FF6149C0000-0x00007FF614D14000-memory.dmp	xmrig
behavioral2/memory/2060-138-0x00007FF7325E0000-0x00007FF732934000-memory.dmp	xmrig
behavioral2/memory/5052-139-0x00007FF70FF80000-0x00007FF7102D4000-memory.dmp	xmrig
behavioral2/memory/4756-140-0x00007FF641D80000-0x00007FF6420D4000-memory.dmp	xmrig
behavioral2/memory/4344-141-0x00007FF6D04C0000-0x00007FF6D0814000-memory.dmp	xmrig
behavioral2/memory/4388-142-0x00007FF630920000-0x00007FF630C74000-memory.dmp	xmrig
behavioral2/memory/228-143-0x00007FF7AEF50000-0x00007FF7AF2A4000-memory.dmp	xmrig
behavioral2/memory/1120-144-0x00007FF6CA570000-0x00007FF6CA8C4000-memory.dmp	xmrig
behavioral2/memory/1624-145-0x00007FF75CDB0000-0x00007FF75D104000-memory.dmp	xmrig
behavioral2/memory/1748-146-0x00007FF649230000-0x00007FF649584000-memory.dmp	xmrig
behavioral2/memory/2204-147-0x00007FF649030000-0x00007FF649384000-memory.dmp	xmrig
behavioral2/memory/5012-148-0x00007FF6790A0000-0x00007FF6793F4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

mzvrmQD.exetFUcoKg.exeETfKZhr.exezmPejiR.exeTSzKPnL.exeMOMUIqc.exeMZttsFk.exeRulEPda.exeykqcwyn.exeauKqQdU.exeqOpijXw.exeBVhAhnM.exenUTaKfK.exexbwImuj.exeppsfdlT.exefzYlPJD.exeDtrNdRY.exefLAXtdg.exeUgRrSKC.exelByumgi.exegBqyVFp.exe

pid	process
4344	mzvrmQD.exe
4388	tFUcoKg.exe
228	ETfKZhr.exe
1120	zmPejiR.exe
1624	TSzKPnL.exe
1748	MOMUIqc.exe
2204	MZttsFk.exe
5012	RulEPda.exe
4672	ykqcwyn.exe
720	auKqQdU.exe
2868	qOpijXw.exe
2060	BVhAhnM.exe
5052	nUTaKfK.exe
4756	xbwImuj.exe
624	ppsfdlT.exe
4768	fzYlPJD.exe
3480	DtrNdRY.exe
3428	fLAXtdg.exe
928	UgRrSKC.exe
2276	lByumgi.exe
3040	gBqyVFp.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4792-0-0x00007FF7A0E00000-0x00007FF7A1154000-memory.dmp	upx
C:\Windows\System\mzvrmQD.exe	upx
behavioral2/memory/4344-8-0x00007FF6D04C0000-0x00007FF6D0814000-memory.dmp	upx
C:\Windows\System\tFUcoKg.exe	upx
C:\Windows\System\ETfKZhr.exe	upx
behavioral2/memory/4388-14-0x00007FF630920000-0x00007FF630C74000-memory.dmp	upx
behavioral2/memory/228-20-0x00007FF7AEF50000-0x00007FF7AF2A4000-memory.dmp	upx
C:\Windows\System\zmPejiR.exe	upx
behavioral2/memory/1120-26-0x00007FF6CA570000-0x00007FF6CA8C4000-memory.dmp	upx
C:\Windows\System\TSzKPnL.exe	upx
behavioral2/memory/1624-30-0x00007FF75CDB0000-0x00007FF75D104000-memory.dmp	upx
C:\Windows\System\MOMUIqc.exe	upx
behavioral2/memory/1748-36-0x00007FF649230000-0x00007FF649584000-memory.dmp	upx
C:\Windows\System\MZttsFk.exe	upx
behavioral2/memory/2204-44-0x00007FF649030000-0x00007FF649384000-memory.dmp	upx
C:\Windows\System\RulEPda.exe	upx
behavioral2/memory/5012-50-0x00007FF6790A0000-0x00007FF6793F4000-memory.dmp	upx
behavioral2/memory/4792-54-0x00007FF7A0E00000-0x00007FF7A1154000-memory.dmp	upx
C:\Windows\System\ykqcwyn.exe	upx
behavioral2/memory/4672-55-0x00007FF6D7ED0000-0x00007FF6D8224000-memory.dmp	upx
behavioral2/memory/4344-58-0x00007FF6D04C0000-0x00007FF6D0814000-memory.dmp	upx
C:\Windows\System\auKqQdU.exe	upx
behavioral2/memory/4388-62-0x00007FF630920000-0x00007FF630C74000-memory.dmp	upx
behavioral2/memory/720-63-0x00007FF65D430000-0x00007FF65D784000-memory.dmp	upx
behavioral2/memory/228-69-0x00007FF7AEF50000-0x00007FF7AF2A4000-memory.dmp	upx
behavioral2/memory/2868-70-0x00007FF6149C0000-0x00007FF614D14000-memory.dmp	upx
C:\Windows\System\qOpijXw.exe	upx
C:\Windows\System\BVhAhnM.exe	upx
behavioral2/memory/1624-77-0x00007FF75CDB0000-0x00007FF75D104000-memory.dmp	upx
behavioral2/memory/1748-84-0x00007FF649230000-0x00007FF649584000-memory.dmp	upx
C:\Windows\System\nUTaKfK.exe	upx
C:\Windows\System\xbwImuj.exe	upx
C:\Windows\System\ppsfdlT.exe	upx
behavioral2/memory/5052-85-0x00007FF70FF80000-0x00007FF7102D4000-memory.dmp	upx
behavioral2/memory/2060-80-0x00007FF7325E0000-0x00007FF732934000-memory.dmp	upx
behavioral2/memory/1120-73-0x00007FF6CA570000-0x00007FF6CA8C4000-memory.dmp	upx
C:\Windows\System\fzYlPJD.exe	upx
C:\Windows\System\DtrNdRY.exe	upx
C:\Windows\System\UgRrSKC.exe	upx
C:\Windows\System\lByumgi.exe	upx
C:\Windows\System\gBqyVFp.exe	upx
C:\Windows\System\fLAXtdg.exe	upx
behavioral2/memory/4756-127-0x00007FF641D80000-0x00007FF6420D4000-memory.dmp	upx
behavioral2/memory/3480-129-0x00007FF6403A0000-0x00007FF6406F4000-memory.dmp	upx
behavioral2/memory/4768-128-0x00007FF606B10000-0x00007FF606E64000-memory.dmp	upx
behavioral2/memory/3428-130-0x00007FF743E30000-0x00007FF744184000-memory.dmp	upx
behavioral2/memory/928-131-0x00007FF7C1E50000-0x00007FF7C21A4000-memory.dmp	upx
behavioral2/memory/2276-132-0x00007FF6B4A30000-0x00007FF6B4D84000-memory.dmp	upx
behavioral2/memory/624-134-0x00007FF792910000-0x00007FF792C64000-memory.dmp	upx
behavioral2/memory/3040-133-0x00007FF785A60000-0x00007FF785DB4000-memory.dmp	upx
behavioral2/memory/4672-135-0x00007FF6D7ED0000-0x00007FF6D8224000-memory.dmp	upx
behavioral2/memory/720-136-0x00007FF65D430000-0x00007FF65D784000-memory.dmp	upx
behavioral2/memory/2868-137-0x00007FF6149C0000-0x00007FF614D14000-memory.dmp	upx
behavioral2/memory/2060-138-0x00007FF7325E0000-0x00007FF732934000-memory.dmp	upx
behavioral2/memory/5052-139-0x00007FF70FF80000-0x00007FF7102D4000-memory.dmp	upx
behavioral2/memory/4756-140-0x00007FF641D80000-0x00007FF6420D4000-memory.dmp	upx
behavioral2/memory/4344-141-0x00007FF6D04C0000-0x00007FF6D0814000-memory.dmp	upx
behavioral2/memory/4388-142-0x00007FF630920000-0x00007FF630C74000-memory.dmp	upx
behavioral2/memory/228-143-0x00007FF7AEF50000-0x00007FF7AF2A4000-memory.dmp	upx
behavioral2/memory/1120-144-0x00007FF6CA570000-0x00007FF6CA8C4000-memory.dmp	upx
behavioral2/memory/1624-145-0x00007FF75CDB0000-0x00007FF75D104000-memory.dmp	upx
behavioral2/memory/1748-146-0x00007FF649230000-0x00007FF649584000-memory.dmp	upx
behavioral2/memory/2204-147-0x00007FF649030000-0x00007FF649384000-memory.dmp	upx
behavioral2/memory/5012-148-0x00007FF6790A0000-0x00007FF6793F4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\ykqcwyn.exe	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BVhAhnM.exe	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tFUcoKg.exe	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ETfKZhr.exe	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MOMUIqc.exe	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ppsfdlT.exe	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DtrNdRY.exe	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fLAXtdg.exe	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lByumgi.exe	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mzvrmQD.exe	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zmPejiR.exe	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\auKqQdU.exe	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gBqyVFp.exe	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MZttsFk.exe	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qOpijXw.exe	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xbwImuj.exe	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fzYlPJD.exe	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UgRrSKC.exe	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TSzKPnL.exe	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RulEPda.exe	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nUTaKfK.exe	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 4792 wrote to memory of 4344	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	mzvrmQD.exe
PID 4792 wrote to memory of 4344	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	mzvrmQD.exe
PID 4792 wrote to memory of 4388	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	tFUcoKg.exe
PID 4792 wrote to memory of 4388	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	tFUcoKg.exe
PID 4792 wrote to memory of 228	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	ETfKZhr.exe
PID 4792 wrote to memory of 228	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	ETfKZhr.exe
PID 4792 wrote to memory of 1120	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	zmPejiR.exe
PID 4792 wrote to memory of 1120	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	zmPejiR.exe
PID 4792 wrote to memory of 1624	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	TSzKPnL.exe
PID 4792 wrote to memory of 1624	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	TSzKPnL.exe
PID 4792 wrote to memory of 1748	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	MOMUIqc.exe
PID 4792 wrote to memory of 1748	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	MOMUIqc.exe
PID 4792 wrote to memory of 2204	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	MZttsFk.exe
PID 4792 wrote to memory of 2204	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	MZttsFk.exe
PID 4792 wrote to memory of 5012	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	RulEPda.exe
PID 4792 wrote to memory of 5012	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	RulEPda.exe
PID 4792 wrote to memory of 4672	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	ykqcwyn.exe
PID 4792 wrote to memory of 4672	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	ykqcwyn.exe
PID 4792 wrote to memory of 720	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	auKqQdU.exe
PID 4792 wrote to memory of 720	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	auKqQdU.exe
PID 4792 wrote to memory of 2868	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	qOpijXw.exe
PID 4792 wrote to memory of 2868	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	qOpijXw.exe
PID 4792 wrote to memory of 2060	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	BVhAhnM.exe
PID 4792 wrote to memory of 2060	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	BVhAhnM.exe
PID 4792 wrote to memory of 5052	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	nUTaKfK.exe
PID 4792 wrote to memory of 5052	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	nUTaKfK.exe
PID 4792 wrote to memory of 4756	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	xbwImuj.exe
PID 4792 wrote to memory of 4756	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	xbwImuj.exe
PID 4792 wrote to memory of 624	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	ppsfdlT.exe
PID 4792 wrote to memory of 624	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	ppsfdlT.exe
PID 4792 wrote to memory of 4768	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	fzYlPJD.exe
PID 4792 wrote to memory of 4768	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	fzYlPJD.exe
PID 4792 wrote to memory of 3480	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	DtrNdRY.exe
PID 4792 wrote to memory of 3480	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	DtrNdRY.exe
PID 4792 wrote to memory of 3428	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	fLAXtdg.exe
PID 4792 wrote to memory of 3428	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	fLAXtdg.exe
PID 4792 wrote to memory of 928	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	UgRrSKC.exe
PID 4792 wrote to memory of 928	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	UgRrSKC.exe
PID 4792 wrote to memory of 2276	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	lByumgi.exe
PID 4792 wrote to memory of 2276	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	lByumgi.exe
PID 4792 wrote to memory of 3040	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	gBqyVFp.exe
PID 4792 wrote to memory of 3040	4792	2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe	gBqyVFp.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-19_88d79f7146d818176b1702acaf25cfff_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4792
- C:\Windows\System\mzvrmQD.exe
  C:\Windows\System\mzvrmQD.exe
  2⤵
  - Executes dropped EXE
  PID:4344
- C:\Windows\System\tFUcoKg.exe
  C:\Windows\System\tFUcoKg.exe
  2⤵
  - Executes dropped EXE
  PID:4388
- C:\Windows\System\ETfKZhr.exe
  C:\Windows\System\ETfKZhr.exe
  2⤵
  - Executes dropped EXE
  PID:228
- C:\Windows\System\zmPejiR.exe
  C:\Windows\System\zmPejiR.exe
  2⤵
  - Executes dropped EXE
  PID:1120
- C:\Windows\System\TSzKPnL.exe
  C:\Windows\System\TSzKPnL.exe
  2⤵
  - Executes dropped EXE
  PID:1624
- C:\Windows\System\MOMUIqc.exe
  C:\Windows\System\MOMUIqc.exe
  2⤵
  - Executes dropped EXE
  PID:1748
- C:\Windows\System\MZttsFk.exe
  C:\Windows\System\MZttsFk.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System\RulEPda.exe
  C:\Windows\System\RulEPda.exe
  2⤵
  - Executes dropped EXE
  PID:5012
- C:\Windows\System\ykqcwyn.exe
  C:\Windows\System\ykqcwyn.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Windows\System\auKqQdU.exe
  C:\Windows\System\auKqQdU.exe
  2⤵
  - Executes dropped EXE
  PID:720
- C:\Windows\System\qOpijXw.exe
  C:\Windows\System\qOpijXw.exe
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\Windows\System\BVhAhnM.exe
  C:\Windows\System\BVhAhnM.exe
  2⤵
  - Executes dropped EXE
  PID:2060
- C:\Windows\System\nUTaKfK.exe
  C:\Windows\System\nUTaKfK.exe
  2⤵
  - Executes dropped EXE
  PID:5052
- C:\Windows\System\xbwImuj.exe
  C:\Windows\System\xbwImuj.exe
  2⤵
  - Executes dropped EXE
  PID:4756
- C:\Windows\System\ppsfdlT.exe
  C:\Windows\System\ppsfdlT.exe
  2⤵
  - Executes dropped EXE
  PID:624
- C:\Windows\System\fzYlPJD.exe
  C:\Windows\System\fzYlPJD.exe
  2⤵
  - Executes dropped EXE
  PID:4768
- C:\Windows\System\DtrNdRY.exe
  C:\Windows\System\DtrNdRY.exe
  2⤵
  - Executes dropped EXE
  PID:3480
- C:\Windows\System\fLAXtdg.exe
  C:\Windows\System\fLAXtdg.exe
  2⤵
  - Executes dropped EXE
  PID:3428
- C:\Windows\System\UgRrSKC.exe
  C:\Windows\System\UgRrSKC.exe
  2⤵
  - Executes dropped EXE
  PID:928
- C:\Windows\System\lByumgi.exe
  C:\Windows\System\lByumgi.exe
  2⤵
  - Executes dropped EXE
  PID:2276
- C:\Windows\System\gBqyVFp.exe
  C:\Windows\System\gBqyVFp.exe
  2⤵
  - Executes dropped EXE
  PID:3040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BVhAhnM.exe

Filesize
5.9MB

MD5
e66161c8d02996438745d2338f1a36b5

SHA1
4c3007086d16341d74b6f69edfdbebf2049595f3

SHA256
581a6431f6765774dbedf05a29aa0598cdbb618805bf8d5888e8ddb27f4dfdba

SHA512
ca5d110ff276e9f525d504f8e77b25808365d9cbf2ea34fd0481b529124e20c7b30ad5575b088e10375dcd491cf166133869bec7ebda764a3a6faaa4aa4a3f76

Download Submit
C:\Windows\System\DtrNdRY.exe

Filesize
5.9MB

MD5
204fbb1d3dbcef4187c87509d5605e3b

SHA1
b308788f7462dbff8c4ae14a41834633003e8add

SHA256
060d9c03d141e7bd0bb9459f7ac1b641b67954998de65225e85f62b8b0339e10

SHA512
ef8834063ab197f52e9534d045db0d9ef0b2ae48e37849d9231f8d19b6bc0c246c4e7622d9e4f80f72878a0d79e99a03b5a52ea170dbffaffacaf2c654e4ba78

Download Submit
C:\Windows\System\ETfKZhr.exe

Filesize
5.9MB

MD5
82e8e51bd9598723b75aad8a15b449d2

SHA1
046cafac1f0cc4bdfad0be52a1276993d39a64ec

SHA256
ef25ce8b5a896a74dfe97ed4c87746333206486c3fbe16acfc35edaa221778ff

SHA512
dee2581e1322c2cd17bd5a1097a78d08790800cf383c03a4151dc70847fd67ad80ae3ee634dbcdeec39791af94734780ab9b2541af523be4fa934f573a87c7d4

Download Submit
C:\Windows\System\MOMUIqc.exe

Filesize
5.9MB

MD5
3f883862b175458463e59cd24150c138

SHA1
5b52166f903e25fe2fcab612fbe4a9eecac145aa

SHA256
b6fd559913c65cf4d37a65a79ec6a2977e3a2f3365a6e35d9a53234380aaacab

SHA512
1b64a203b580c5794389f93d0cc451b44654d95a7ac4e0e07115aaf0b2e76474da1b7134049694183fea07fc598d1a5b992f6c5a96d00f5f227809293fe865b2

Download Submit
C:\Windows\System\MZttsFk.exe

Filesize
5.9MB

MD5
c98a563ece2c08a5999e99586a8486ba

SHA1
8eacbc246615b6aa7e8b03667878563a94f6ebc1

SHA256
1fbdfc46eaa496c63f560de3752d89cdbb7f0fc65c29560fb351cd8ebf9425df

SHA512
45ad1028443767064d9e6ce068778bb5d47e577d5576905deadbd861d921f852ed2bbf979bbeaa8014348a1f97cfbb1a212d440ada09522cfcb3f5d407435002

Download Submit
C:\Windows\System\RulEPda.exe

Filesize
5.9MB

MD5
0c8313244103ed5322a61f8fbe673226

SHA1
9866742418984d6c9f064885c3689c28f8eb0686

SHA256
2f864c97da9edd01518044630a1cd0b6b73e6490445c8aa2b865cb270459d9de

SHA512
95911863ff667f1a490ac73210abed46eb1dc7f48b1493b13c7d313ea5a9dbbf782d844c83b036328378824c6be4c15dbfac08aff9f404d4c0b65a8bf89c14f3

Download Submit
C:\Windows\System\TSzKPnL.exe

Filesize
5.9MB

MD5
531608a45c3db3d3337282ad26e1010c

SHA1
a84a0be25a589f65b63c70cc5a36294462f441b9

SHA256
4d3394a8df21c3bd053c3a75ca77885cc81fef096b7a6cb2f8c642ba8c612a14

SHA512
ea7489a001f1948cda6cb5f1962202444c32d6f2dabd7d516b8f58c28d54d3a03933605f6a2668691cb7991c3a3471df2097f365abff1f22f6365362e262550a

Download Submit
C:\Windows\System\UgRrSKC.exe

Filesize
5.9MB

MD5
a47eca540f2d7cf995fd9bab85e29d2f

SHA1
99f5523367638fc630e96fb60fcd35161497c2a9

SHA256
8bd553f4d9d9ad7c633e29e0c3a4f5fb73b726a40a6f256243e28610f3865658

SHA512
dc59a9a6c01a1adde28ad0a3dc4eb301d0360f81ddbd9b8fd06acea38e8722a0d49bfe979ba7fd71b900ce74444d233fcc61090b673db109fa83fc6cdf014f6d

Download Submit
C:\Windows\System\auKqQdU.exe

Filesize
5.9MB

MD5
f5fc288edc18899f1872fdc1f8b59cab

SHA1
3b46d2b19a41cd6090cea9350e00ee8f2f4f6b5f

SHA256
baea460279578cf47fa220cb8732b65fc8233cb8b8282c1f741c9b6edd6097e4

SHA512
72f712d133c3b1c1973cbd3bff3d59d2bc0e9e7261ee8285b197e78ab987da712c8f7fafe29afe8f2a31087d30595a06bd619160f90cb9ec3673a2f6d6ccb741

Download Submit
C:\Windows\System\fLAXtdg.exe

Filesize
5.9MB

MD5
39d0333bd437f5a82a4ba42967106a8e

SHA1
392c2edcf510e2e6804b8d8ec87ae2f06d1ad8f6

SHA256
1461dff006082d1102c54a8eb45da8f022efdebc2a973ce04640733a3fe32993

SHA512
0882d68245dfd02de5568db0bda996b7f1a7fa3d22daee966adad24d9310f350cbc69fc7833f467cd4e2f10e1d7280f4531a08b452497516ad9a3468e7190e78

Download Submit
C:\Windows\System\fzYlPJD.exe

Filesize
5.9MB

MD5
ba666aaf0f07fc714effe43a02e5c218

SHA1
3dda6f2cf7766631641b2fe7069956213ed6e1bd

SHA256
7a021d06e693232267f5204f466575735b8bc0abc883a3d5bd779c9d9ef6a8e8

SHA512
25b6193d524a01f5483defc3cbb04fd1165582b0d9c821f5e3fb863625ac5f6f03d355266b3f50efcdf664f872de417f0c278be5c4c452ad598bede10578ee8d

Download Submit
C:\Windows\System\gBqyVFp.exe

Filesize
5.9MB

MD5
7f1a89ce60169dd669fbdb1d71f15a95

SHA1
121205142355245f979ce31d3601939fbd7467e7

SHA256
b9e3acee43eb50501d54dac74b128a3052e9a1508d6b6c260455bc6e2949a1f7

SHA512
5987ffabb96f288fb2222e7a321f28c8ca61a85f2465c4e18ceaf665b8f95a4fc75b7305aa60a01b149078425dd99a05afbc28118f1fddb0066f6f152d1040cf

Download Submit
C:\Windows\System\lByumgi.exe

Filesize
5.9MB

MD5
704efd98d90fdf2b411c32590d39ee1e

SHA1
67c00cb7af2929cb3cc6562a5be0027ab85fc839

SHA256
2dd39195c3ce322eec5e1e46cb5857b12e414812fc291f4d897cca79a6ade924

SHA512
794afea3273862aefc08c24ef44853d66f1307762cca9fbdc3fa190a03bd4dbfa042df3ddccbbbc917316b4ad19211f281aae2db16f586e6bf2f09c07490848c

Download Submit
C:\Windows\System\mzvrmQD.exe

Filesize
5.9MB

MD5
ad90acf9f89a9601dbf8eed09dbf5165

SHA1
84b3db1d46f8671f2025d4818934d8b53e073458

SHA256
dbcb0298bca3304e8fa8dceebd8c2c88af1fc38360f827ac38b07e3a0f8814fe

SHA512
d903d2e921df32b80cd494f7658ac1bcf07235afee30d99682b14c87cce889db595fa9df748069cebdf46ec8f0edae69f13e6e776717ea8b10d6267724eebaaa

Download Submit
C:\Windows\System\nUTaKfK.exe

Filesize
5.9MB

MD5
cf59c45a50fda8620332658cb8eff8ee

SHA1
0d51bee1e5f8a9cd506a595050d59adfb69e6158

SHA256
a1fb962b73088b4bfd082ab2f347f4e98eae5a1dafa75e63622475709af64acf

SHA512
5b0ecfd4f4d684c00f96978763c154f08be9fa1c26a6936ef7f9bd3a42dfadc2832cd67a48a1cf090e9f2967a6ae420115ab052072b12e2dd5505577611f9f72

Download Submit
C:\Windows\System\ppsfdlT.exe

Filesize
5.9MB

MD5
5321f8e074bc7cbb80abacb4841c62e7

SHA1
3c5c958e6e4f8433e5034e3b3d991e95e09c0115

SHA256
0ba7d848330ced98f113e03ea95a71559cff42823d89c754f383578d748c9fd0

SHA512
7905e3406cdc35caa57b7a215b2ed8d15ee61cd44509515a387728b78d41ee118a2de84b721b32d67121d24e1e49659935a1690e148e5fc55ed2223dc581e963

Download Submit
C:\Windows\System\qOpijXw.exe

Filesize
5.9MB

MD5
7bddac3af6257014874c5e42497e7b01

SHA1
42cb03d94ce2c559765ce8a6559738b8fb2aa4b8

SHA256
254c43d496dd076358cb896824c756b837f8d238746f31c5f56fa2274fa6504b

SHA512
d23da51c48091cfe09e13490d2367369ae4a934c540484111331f5930cce38bc7ac55a24510258d3793bf6b65123d6ff47665e847be72a3a1039bd43379e8a62

Download Submit
C:\Windows\System\tFUcoKg.exe

Filesize
5.9MB

MD5
0f25b4ba5526efd934fe4b14ee0c7936

SHA1
4b77ace518d639e58d720fa8eac88a4ab3ca5b8e

SHA256
b9f0e80fe8e65bdabeb669dba60edaf52ba5a054a6818084b2d4f708173da361

SHA512
047a925da9f53769e09a93a774f507dd01b8cc7cf8159fb44b5c7e99ed530292ee2939983494d73f16f70448e6d67a73e745b09bf7907481acec2ee69cefd4a5

Download Submit
C:\Windows\System\xbwImuj.exe

Filesize
5.9MB

MD5
60a0133fa2dfe3c7d12c7e6719e7842a

SHA1
05cb2bcce0a8420d30d5be9abbad9a18c40f044b

SHA256
58bb4da841f756b6cbfeb10b5e96dbc003185557f77be3a7f1d93fc767302743

SHA512
0e319093bb07b5a184af243329c8389b30a9a98118e0768bb6e84ad1f458449d0cee9487c8d91b7e3f1b17c3e89844066af6f2a19e1d7a1e3bf0d4b2a1956ccc

Download Submit
C:\Windows\System\ykqcwyn.exe

Filesize
5.9MB

MD5
d6355b8bebdcc08e7d2054c701ebd0d7

SHA1
0410ca127785eae4ae951fa59e907f790eec09cf

SHA256
f984efb2d12ddb26c6527130c5a00c265a98dc0c469652bfef1630dcc295f4d2

SHA512
e17ddd668628d91225dc9937255a41bb912501a437d769d835b95592e28abb30c015d805ac7a751eaae06c771cc27446422d2b8857aaeff97fa28b0b2cf1bc65

Download Submit
C:\Windows\System\zmPejiR.exe

Filesize
5.9MB

MD5
d48485b64c31ed1a4a0018338f6d07d5

SHA1
02efd72a8e9d76584010bfee47f72febda873217

SHA256
8f134b3e552fe70e0cf80989cd8cc5e59120be938f5d5bbf5ca7ff997c6a971f

SHA512
64494d7ca1e3d0478c8500b68d391ea0ba0877ffa8945b7f266c21fa059bda13436b084b66f6ecaedf4f8ebdfb5fe3f1471ea4e6a215f10bd34c5d7c5ee3a6fc

Download Submit
memory/228-143-0x00007FF7AEF50000-0x00007FF7AF2A4000-memory.dmp

Filesize
3.3MB

Download
memory/228-69-0x00007FF7AEF50000-0x00007FF7AF2A4000-memory.dmp

Filesize
3.3MB

Download
memory/228-20-0x00007FF7AEF50000-0x00007FF7AF2A4000-memory.dmp

Filesize
3.3MB

Download
memory/624-154-0x00007FF792910000-0x00007FF792C64000-memory.dmp

Filesize
3.3MB

Download
memory/624-134-0x00007FF792910000-0x00007FF792C64000-memory.dmp

Filesize
3.3MB

Download
memory/720-63-0x00007FF65D430000-0x00007FF65D784000-memory.dmp

Filesize
3.3MB

Download
memory/720-136-0x00007FF65D430000-0x00007FF65D784000-memory.dmp

Filesize
3.3MB

Download
memory/720-150-0x00007FF65D430000-0x00007FF65D784000-memory.dmp

Filesize
3.3MB

Download
memory/928-159-0x00007FF7C1E50000-0x00007FF7C21A4000-memory.dmp

Filesize
3.3MB

Download
memory/928-131-0x00007FF7C1E50000-0x00007FF7C21A4000-memory.dmp

Filesize
3.3MB

Download
memory/1120-73-0x00007FF6CA570000-0x00007FF6CA8C4000-memory.dmp

Filesize
3.3MB

Download
memory/1120-144-0x00007FF6CA570000-0x00007FF6CA8C4000-memory.dmp

Filesize
3.3MB

Download
memory/1120-26-0x00007FF6CA570000-0x00007FF6CA8C4000-memory.dmp

Filesize
3.3MB

Download
memory/1624-30-0x00007FF75CDB0000-0x00007FF75D104000-memory.dmp

Filesize
3.3MB

Download
memory/1624-145-0x00007FF75CDB0000-0x00007FF75D104000-memory.dmp

Filesize
3.3MB

Download
memory/1624-77-0x00007FF75CDB0000-0x00007FF75D104000-memory.dmp

Filesize
3.3MB

Download
memory/1748-84-0x00007FF649230000-0x00007FF649584000-memory.dmp

Filesize
3.3MB

Download
memory/1748-146-0x00007FF649230000-0x00007FF649584000-memory.dmp

Filesize
3.3MB

Download
memory/1748-36-0x00007FF649230000-0x00007FF649584000-memory.dmp

Filesize
3.3MB

Download
memory/2060-152-0x00007FF7325E0000-0x00007FF732934000-memory.dmp

Filesize
3.3MB

Download
memory/2060-138-0x00007FF7325E0000-0x00007FF732934000-memory.dmp

Filesize
3.3MB

Download
memory/2060-80-0x00007FF7325E0000-0x00007FF732934000-memory.dmp

Filesize
3.3MB

Download
memory/2204-147-0x00007FF649030000-0x00007FF649384000-memory.dmp

Filesize
3.3MB

Download
memory/2204-44-0x00007FF649030000-0x00007FF649384000-memory.dmp

Filesize
3.3MB

Download
memory/2276-161-0x00007FF6B4A30000-0x00007FF6B4D84000-memory.dmp

Filesize
3.3MB

Download
memory/2276-132-0x00007FF6B4A30000-0x00007FF6B4D84000-memory.dmp

Filesize
3.3MB

Download
memory/2868-137-0x00007FF6149C0000-0x00007FF614D14000-memory.dmp

Filesize
3.3MB

Download
memory/2868-151-0x00007FF6149C0000-0x00007FF614D14000-memory.dmp

Filesize
3.3MB

Download
memory/2868-70-0x00007FF6149C0000-0x00007FF614D14000-memory.dmp

Filesize
3.3MB

Download
memory/3040-160-0x00007FF785A60000-0x00007FF785DB4000-memory.dmp

Filesize
3.3MB

Download
memory/3040-133-0x00007FF785A60000-0x00007FF785DB4000-memory.dmp

Filesize
3.3MB

Download
memory/3428-130-0x00007FF743E30000-0x00007FF744184000-memory.dmp

Filesize
3.3MB

Download
memory/3428-158-0x00007FF743E30000-0x00007FF744184000-memory.dmp

Filesize
3.3MB

Download
memory/3480-129-0x00007FF6403A0000-0x00007FF6406F4000-memory.dmp

Filesize
3.3MB

Download
memory/3480-157-0x00007FF6403A0000-0x00007FF6406F4000-memory.dmp

Filesize
3.3MB

Download
memory/4344-8-0x00007FF6D04C0000-0x00007FF6D0814000-memory.dmp

Filesize
3.3MB

Download
memory/4344-141-0x00007FF6D04C0000-0x00007FF6D0814000-memory.dmp

Filesize
3.3MB

Download
memory/4344-58-0x00007FF6D04C0000-0x00007FF6D0814000-memory.dmp

Filesize
3.3MB

Download
memory/4388-142-0x00007FF630920000-0x00007FF630C74000-memory.dmp

Filesize
3.3MB

Download
memory/4388-14-0x00007FF630920000-0x00007FF630C74000-memory.dmp

Filesize
3.3MB

Download
memory/4388-62-0x00007FF630920000-0x00007FF630C74000-memory.dmp

Filesize
3.3MB

Download
memory/4672-135-0x00007FF6D7ED0000-0x00007FF6D8224000-memory.dmp

Filesize
3.3MB

Download
memory/4672-149-0x00007FF6D7ED0000-0x00007FF6D8224000-memory.dmp

Filesize
3.3MB

Download
memory/4672-55-0x00007FF6D7ED0000-0x00007FF6D8224000-memory.dmp

Filesize
3.3MB

Download
memory/4756-140-0x00007FF641D80000-0x00007FF6420D4000-memory.dmp

Filesize
3.3MB

Download
memory/4756-155-0x00007FF641D80000-0x00007FF6420D4000-memory.dmp

Filesize
3.3MB

Download
memory/4756-127-0x00007FF641D80000-0x00007FF6420D4000-memory.dmp

Filesize
3.3MB

Download
memory/4768-128-0x00007FF606B10000-0x00007FF606E64000-memory.dmp

Filesize
3.3MB

Download
memory/4768-156-0x00007FF606B10000-0x00007FF606E64000-memory.dmp

Filesize
3.3MB

Download
memory/4792-54-0x00007FF7A0E00000-0x00007FF7A1154000-memory.dmp

Filesize
3.3MB

Download
memory/4792-0-0x00007FF7A0E00000-0x00007FF7A1154000-memory.dmp

Filesize
3.3MB

Download
memory/4792-1-0x00000175404D0000-0x00000175404E0000-memory.dmp

Filesize
64KB

Download
memory/5012-148-0x00007FF6790A0000-0x00007FF6793F4000-memory.dmp

Filesize
3.3MB

Download
memory/5012-50-0x00007FF6790A0000-0x00007FF6793F4000-memory.dmp

Filesize
3.3MB

Download
memory/5052-153-0x00007FF70FF80000-0x00007FF7102D4000-memory.dmp

Filesize
3.3MB

Download
memory/5052-85-0x00007FF70FF80000-0x00007FF7102D4000-memory.dmp

Filesize
3.3MB

Download
memory/5052-139-0x00007FF70FF80000-0x00007FF7102D4000-memory.dmp

Filesize
3.3MB

Download