cobaltstrike | 753ea8599407c2911eeb8a4c0ca7d2e42c2acf48c243c73dc897e6b30c1164d6

Analysis

max time kernel
145s
max time network
152s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

a64f900f8c8fd8eb3980780baa453963
SHA1

4fe0f7b602dd7b2ccfe1fc67945178d7e16e40d7
SHA256

753ea8599407c2911eeb8a4c0ca7d2e42c2acf48c243c73dc897e6b30c1164d6
SHA512

b4837acb35a879901a5f08f09fe5e8747db8d82d3e8481dcf265b9df75bd31d852fabd7d84634c30ae27582f27502c51301f0be1b5fa560425d24041cefe01d4
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUW:Q+856utgpPF8u/7W

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
\Windows\system\ZZYWffu.exe	cobalt_reflective_dll
\Windows\system\HTAfyCD.exe	cobalt_reflective_dll
C:\Windows\system\xNbLzfq.exe	cobalt_reflective_dll
C:\Windows\system\VaKgsqR.exe	cobalt_reflective_dll
C:\Windows\system\OSafqyd.exe	cobalt_reflective_dll
C:\Windows\system\ewhadXE.exe	cobalt_reflective_dll
\Windows\system\ocYhymA.exe	cobalt_reflective_dll
\Windows\system\FYlobha.exe	cobalt_reflective_dll
\Windows\system\MEokPGc.exe	cobalt_reflective_dll
\Windows\system\tVlmaHu.exe	cobalt_reflective_dll
C:\Windows\system\JptCppA.exe	cobalt_reflective_dll
\Windows\system\YNMkiWU.exe	cobalt_reflective_dll
C:\Windows\system\PiVpTuM.exe	cobalt_reflective_dll
\Windows\system\meCocUD.exe	cobalt_reflective_dll
C:\Windows\system\IJCCwGc.exe	cobalt_reflective_dll
C:\Windows\system\PkKZWUu.exe	cobalt_reflective_dll
C:\Windows\system\HtTddJs.exe	cobalt_reflective_dll
C:\Windows\system\oAvKgYl.exe	cobalt_reflective_dll
C:\Windows\system\ZCfOhrh.exe	cobalt_reflective_dll
C:\Windows\system\cahnqkG.exe	cobalt_reflective_dll
C:\Windows\system\XhsVsJm.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 63 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1704-0-0x000000013F7D0000-0x000000013FB24000-memory.dmp	xmrig
\Windows\system\ZZYWffu.exe	xmrig
behavioral1/memory/2068-9-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
\Windows\system\HTAfyCD.exe	xmrig
C:\Windows\system\xNbLzfq.exe	xmrig
C:\Windows\system\VaKgsqR.exe	xmrig
behavioral1/memory/2964-27-0x000000013F230000-0x000000013F584000-memory.dmp	xmrig
behavioral1/memory/2124-26-0x000000013FAD0000-0x000000013FE24000-memory.dmp	xmrig
C:\Windows\system\OSafqyd.exe	xmrig
C:\Windows\system\ewhadXE.exe	xmrig
behavioral1/memory/2592-43-0x000000013F2F0000-0x000000013F644000-memory.dmp	xmrig
behavioral1/memory/2660-37-0x000000013F090000-0x000000013F3E4000-memory.dmp	xmrig
behavioral1/memory/2668-31-0x000000013F1B0000-0x000000013F504000-memory.dmp	xmrig
\Windows\system\ocYhymA.exe	xmrig
\Windows\system\FYlobha.exe	xmrig
\Windows\system\MEokPGc.exe	xmrig
behavioral1/memory/2708-68-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	xmrig
behavioral1/memory/1704-74-0x000000013F7D0000-0x000000013FB24000-memory.dmp	xmrig
behavioral1/memory/1612-76-0x000000013F640000-0x000000013F994000-memory.dmp	xmrig
behavioral1/memory/1704-72-0x0000000002320000-0x0000000002674000-memory.dmp	xmrig
\Windows\system\tVlmaHu.exe	xmrig
C:\Windows\system\JptCppA.exe	xmrig
behavioral1/memory/2916-82-0x000000013F7B0000-0x000000013FB04000-memory.dmp	xmrig
\Windows\system\YNMkiWU.exe	xmrig
behavioral1/memory/2788-48-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
behavioral1/memory/760-90-0x000000013F220000-0x000000013F574000-memory.dmp	xmrig
C:\Windows\system\PiVpTuM.exe	xmrig
\Windows\system\meCocUD.exe	xmrig
C:\Windows\system\IJCCwGc.exe	xmrig
C:\Windows\system\PkKZWUu.exe	xmrig
C:\Windows\system\HtTddJs.exe	xmrig
C:\Windows\system\oAvKgYl.exe	xmrig
behavioral1/memory/2788-136-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
C:\Windows\system\ZCfOhrh.exe	xmrig
behavioral1/memory/1704-89-0x000000013F2F0000-0x000000013F644000-memory.dmp	xmrig
C:\Windows\system\cahnqkG.exe	xmrig
behavioral1/memory/1704-87-0x000000013F220000-0x000000013F574000-memory.dmp	xmrig
behavioral1/memory/1932-98-0x000000013FB80000-0x000000013FED4000-memory.dmp	xmrig
behavioral1/memory/2660-96-0x000000013F090000-0x000000013F3E4000-memory.dmp	xmrig
C:\Windows\system\XhsVsJm.exe	xmrig
behavioral1/memory/1148-81-0x000000013FF60000-0x00000001402B4000-memory.dmp	xmrig
behavioral1/memory/2540-70-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	xmrig
behavioral1/memory/1612-137-0x000000013F640000-0x000000013F994000-memory.dmp	xmrig
behavioral1/memory/2916-138-0x000000013F7B0000-0x000000013FB04000-memory.dmp	xmrig
behavioral1/memory/1704-139-0x000000013F220000-0x000000013F574000-memory.dmp	xmrig
behavioral1/memory/760-140-0x000000013F220000-0x000000013F574000-memory.dmp	xmrig
behavioral1/memory/1932-142-0x000000013FB80000-0x000000013FED4000-memory.dmp	xmrig
behavioral1/memory/1704-141-0x000000013FB80000-0x000000013FED4000-memory.dmp	xmrig
behavioral1/memory/1704-143-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/memory/2068-144-0x000000013F100000-0x000000013F454000-memory.dmp	xmrig
behavioral1/memory/2124-145-0x000000013FAD0000-0x000000013FE24000-memory.dmp	xmrig
behavioral1/memory/2668-146-0x000000013F1B0000-0x000000013F504000-memory.dmp	xmrig
behavioral1/memory/2964-147-0x000000013F230000-0x000000013F584000-memory.dmp	xmrig
behavioral1/memory/2592-149-0x000000013F2F0000-0x000000013F644000-memory.dmp	xmrig
behavioral1/memory/2660-148-0x000000013F090000-0x000000013F3E4000-memory.dmp	xmrig
behavioral1/memory/2788-150-0x000000013F350000-0x000000013F6A4000-memory.dmp	xmrig
behavioral1/memory/2708-151-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	xmrig
behavioral1/memory/2540-152-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	xmrig
behavioral1/memory/1612-153-0x000000013F640000-0x000000013F994000-memory.dmp	xmrig
behavioral1/memory/1148-154-0x000000013FF60000-0x00000001402B4000-memory.dmp	xmrig
behavioral1/memory/2916-155-0x000000013F7B0000-0x000000013FB04000-memory.dmp	xmrig
behavioral1/memory/760-156-0x000000013F220000-0x000000013F574000-memory.dmp	xmrig
behavioral1/memory/1932-157-0x000000013FB80000-0x000000013FED4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

ZZYWffu.exeHTAfyCD.exexNbLzfq.exeVaKgsqR.exeewhadXE.exeOSafqyd.exetVlmaHu.exeocYhymA.exeFYlobha.exeMEokPGc.exeYNMkiWU.exeJptCppA.execahnqkG.exeXhsVsJm.exePiVpTuM.exeZCfOhrh.exeoAvKgYl.exeHtTddJs.exePkKZWUu.exeIJCCwGc.exemeCocUD.exe

pid	process
2068	ZZYWffu.exe
2124	HTAfyCD.exe
2964	xNbLzfq.exe
2668	VaKgsqR.exe
2660	ewhadXE.exe
2592	OSafqyd.exe
2788	tVlmaHu.exe
2708	ocYhymA.exe
2540	FYlobha.exe
1612	MEokPGc.exe
1148	YNMkiWU.exe
2916	JptCppA.exe
760	cahnqkG.exe
1932	XhsVsJm.exe
1372	PiVpTuM.exe
2768	ZCfOhrh.exe
2196	oAvKgYl.exe
2756	HtTddJs.exe
2384	PkKZWUu.exe
2420	IJCCwGc.exe
1972	meCocUD.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe

pid	process
1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 57 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1704-0-0x000000013F7D0000-0x000000013FB24000-memory.dmp	upx
\Windows\system\ZZYWffu.exe	upx
behavioral1/memory/2068-9-0x000000013F100000-0x000000013F454000-memory.dmp	upx
\Windows\system\HTAfyCD.exe	upx
C:\Windows\system\xNbLzfq.exe	upx
C:\Windows\system\VaKgsqR.exe	upx
behavioral1/memory/2964-27-0x000000013F230000-0x000000013F584000-memory.dmp	upx
behavioral1/memory/2124-26-0x000000013FAD0000-0x000000013FE24000-memory.dmp	upx
C:\Windows\system\OSafqyd.exe	upx
C:\Windows\system\ewhadXE.exe	upx
behavioral1/memory/2592-43-0x000000013F2F0000-0x000000013F644000-memory.dmp	upx
behavioral1/memory/2660-37-0x000000013F090000-0x000000013F3E4000-memory.dmp	upx
behavioral1/memory/2668-31-0x000000013F1B0000-0x000000013F504000-memory.dmp	upx
\Windows\system\ocYhymA.exe	upx
\Windows\system\FYlobha.exe	upx
\Windows\system\MEokPGc.exe	upx
behavioral1/memory/2708-68-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	upx
behavioral1/memory/1704-74-0x000000013F7D0000-0x000000013FB24000-memory.dmp	upx
behavioral1/memory/1612-76-0x000000013F640000-0x000000013F994000-memory.dmp	upx
\Windows\system\tVlmaHu.exe	upx
C:\Windows\system\JptCppA.exe	upx
behavioral1/memory/2916-82-0x000000013F7B0000-0x000000013FB04000-memory.dmp	upx
\Windows\system\YNMkiWU.exe	upx
behavioral1/memory/2788-48-0x000000013F350000-0x000000013F6A4000-memory.dmp	upx
behavioral1/memory/760-90-0x000000013F220000-0x000000013F574000-memory.dmp	upx
C:\Windows\system\PiVpTuM.exe	upx
\Windows\system\meCocUD.exe	upx
C:\Windows\system\IJCCwGc.exe	upx
C:\Windows\system\PkKZWUu.exe	upx
C:\Windows\system\HtTddJs.exe	upx
C:\Windows\system\oAvKgYl.exe	upx
behavioral1/memory/2788-136-0x000000013F350000-0x000000013F6A4000-memory.dmp	upx
C:\Windows\system\ZCfOhrh.exe	upx
C:\Windows\system\cahnqkG.exe	upx
behavioral1/memory/1932-98-0x000000013FB80000-0x000000013FED4000-memory.dmp	upx
behavioral1/memory/2660-96-0x000000013F090000-0x000000013F3E4000-memory.dmp	upx
C:\Windows\system\XhsVsJm.exe	upx
behavioral1/memory/1148-81-0x000000013FF60000-0x00000001402B4000-memory.dmp	upx
behavioral1/memory/2540-70-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	upx
behavioral1/memory/1612-137-0x000000013F640000-0x000000013F994000-memory.dmp	upx
behavioral1/memory/2916-138-0x000000013F7B0000-0x000000013FB04000-memory.dmp	upx
behavioral1/memory/760-140-0x000000013F220000-0x000000013F574000-memory.dmp	upx
behavioral1/memory/1932-142-0x000000013FB80000-0x000000013FED4000-memory.dmp	upx
behavioral1/memory/2068-144-0x000000013F100000-0x000000013F454000-memory.dmp	upx
behavioral1/memory/2124-145-0x000000013FAD0000-0x000000013FE24000-memory.dmp	upx
behavioral1/memory/2668-146-0x000000013F1B0000-0x000000013F504000-memory.dmp	upx
behavioral1/memory/2964-147-0x000000013F230000-0x000000013F584000-memory.dmp	upx
behavioral1/memory/2592-149-0x000000013F2F0000-0x000000013F644000-memory.dmp	upx
behavioral1/memory/2660-148-0x000000013F090000-0x000000013F3E4000-memory.dmp	upx
behavioral1/memory/2788-150-0x000000013F350000-0x000000013F6A4000-memory.dmp	upx
behavioral1/memory/2708-151-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	upx
behavioral1/memory/2540-152-0x000000013F2A0000-0x000000013F5F4000-memory.dmp	upx
behavioral1/memory/1612-153-0x000000013F640000-0x000000013F994000-memory.dmp	upx
behavioral1/memory/1148-154-0x000000013FF60000-0x00000001402B4000-memory.dmp	upx
behavioral1/memory/2916-155-0x000000013F7B0000-0x000000013FB04000-memory.dmp	upx
behavioral1/memory/760-156-0x000000013F220000-0x000000013F574000-memory.dmp	upx
behavioral1/memory/1932-157-0x000000013FB80000-0x000000013FED4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\ZZYWffu.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ocYhymA.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YNMkiWU.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XhsVsJm.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tVlmaHu.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JptCppA.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MEokPGc.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PiVpTuM.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PkKZWUu.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IJCCwGc.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xNbLzfq.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VaKgsqR.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ewhadXE.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OSafqyd.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FYlobha.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cahnqkG.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\meCocUD.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HTAfyCD.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZCfOhrh.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oAvKgYl.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HtTddJs.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 1704 wrote to memory of 2068	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	ZZYWffu.exe
PID 1704 wrote to memory of 2068	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	ZZYWffu.exe
PID 1704 wrote to memory of 2068	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	ZZYWffu.exe
PID 1704 wrote to memory of 2124	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	HTAfyCD.exe
PID 1704 wrote to memory of 2124	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	HTAfyCD.exe
PID 1704 wrote to memory of 2124	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	HTAfyCD.exe
PID 1704 wrote to memory of 2964	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	xNbLzfq.exe
PID 1704 wrote to memory of 2964	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	xNbLzfq.exe
PID 1704 wrote to memory of 2964	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	xNbLzfq.exe
PID 1704 wrote to memory of 2668	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	VaKgsqR.exe
PID 1704 wrote to memory of 2668	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	VaKgsqR.exe
PID 1704 wrote to memory of 2668	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	VaKgsqR.exe
PID 1704 wrote to memory of 2660	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	ewhadXE.exe
PID 1704 wrote to memory of 2660	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	ewhadXE.exe
PID 1704 wrote to memory of 2660	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	ewhadXE.exe
PID 1704 wrote to memory of 2592	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	OSafqyd.exe
PID 1704 wrote to memory of 2592	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	OSafqyd.exe
PID 1704 wrote to memory of 2592	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	OSafqyd.exe
PID 1704 wrote to memory of 2788	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	tVlmaHu.exe
PID 1704 wrote to memory of 2788	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	tVlmaHu.exe
PID 1704 wrote to memory of 2788	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	tVlmaHu.exe
PID 1704 wrote to memory of 2708	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	ocYhymA.exe
PID 1704 wrote to memory of 2708	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	ocYhymA.exe
PID 1704 wrote to memory of 2708	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	ocYhymA.exe
PID 1704 wrote to memory of 1148	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	YNMkiWU.exe
PID 1704 wrote to memory of 1148	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	YNMkiWU.exe
PID 1704 wrote to memory of 1148	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	YNMkiWU.exe
PID 1704 wrote to memory of 2540	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	FYlobha.exe
PID 1704 wrote to memory of 2540	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	FYlobha.exe
PID 1704 wrote to memory of 2540	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	FYlobha.exe
PID 1704 wrote to memory of 2916	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	JptCppA.exe
PID 1704 wrote to memory of 2916	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	JptCppA.exe
PID 1704 wrote to memory of 2916	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	JptCppA.exe
PID 1704 wrote to memory of 1612	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	MEokPGc.exe
PID 1704 wrote to memory of 1612	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	MEokPGc.exe
PID 1704 wrote to memory of 1612	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	MEokPGc.exe
PID 1704 wrote to memory of 760	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	cahnqkG.exe
PID 1704 wrote to memory of 760	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	cahnqkG.exe
PID 1704 wrote to memory of 760	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	cahnqkG.exe
PID 1704 wrote to memory of 1932	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	XhsVsJm.exe
PID 1704 wrote to memory of 1932	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	XhsVsJm.exe
PID 1704 wrote to memory of 1932	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	XhsVsJm.exe
PID 1704 wrote to memory of 1372	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	PiVpTuM.exe
PID 1704 wrote to memory of 1372	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	PiVpTuM.exe
PID 1704 wrote to memory of 1372	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	PiVpTuM.exe
PID 1704 wrote to memory of 2768	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	ZCfOhrh.exe
PID 1704 wrote to memory of 2768	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	ZCfOhrh.exe
PID 1704 wrote to memory of 2768	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	ZCfOhrh.exe
PID 1704 wrote to memory of 2196	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	oAvKgYl.exe
PID 1704 wrote to memory of 2196	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	oAvKgYl.exe
PID 1704 wrote to memory of 2196	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	oAvKgYl.exe
PID 1704 wrote to memory of 2756	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	HtTddJs.exe
PID 1704 wrote to memory of 2756	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	HtTddJs.exe
PID 1704 wrote to memory of 2756	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	HtTddJs.exe
PID 1704 wrote to memory of 2384	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	PkKZWUu.exe
PID 1704 wrote to memory of 2384	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	PkKZWUu.exe
PID 1704 wrote to memory of 2384	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	PkKZWUu.exe
PID 1704 wrote to memory of 2420	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	IJCCwGc.exe
PID 1704 wrote to memory of 2420	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	IJCCwGc.exe
PID 1704 wrote to memory of 2420	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	IJCCwGc.exe
PID 1704 wrote to memory of 1972	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	meCocUD.exe
PID 1704 wrote to memory of 1972	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	meCocUD.exe
PID 1704 wrote to memory of 1972	1704	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	meCocUD.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\System\ZZYWffu.exe
C:\Windows\System\ZZYWffu.exe
2⤵
- Executes dropped EXE
PID:2068

C:\Windows\System\HTAfyCD.exe
C:\Windows\System\HTAfyCD.exe
2⤵
- Executes dropped EXE
PID:2124

C:\Windows\System\xNbLzfq.exe
C:\Windows\System\xNbLzfq.exe
2⤵
- Executes dropped EXE
PID:2964

C:\Windows\System\VaKgsqR.exe
C:\Windows\System\VaKgsqR.exe
2⤵
- Executes dropped EXE
PID:2668

C:\Windows\System\ewhadXE.exe
C:\Windows\System\ewhadXE.exe
2⤵
- Executes dropped EXE
PID:2660

C:\Windows\System\OSafqyd.exe
C:\Windows\System\OSafqyd.exe
2⤵
- Executes dropped EXE
PID:2592

C:\Windows\System\tVlmaHu.exe
C:\Windows\System\tVlmaHu.exe
2⤵
- Executes dropped EXE
PID:2788

C:\Windows\System\ocYhymA.exe
C:\Windows\System\ocYhymA.exe
2⤵
- Executes dropped EXE
PID:2708

C:\Windows\System\YNMkiWU.exe
C:\Windows\System\YNMkiWU.exe
2⤵
- Executes dropped EXE
PID:1148

C:\Windows\System\FYlobha.exe
C:\Windows\System\FYlobha.exe
2⤵
- Executes dropped EXE
PID:2540

C:\Windows\System\JptCppA.exe
C:\Windows\System\JptCppA.exe
2⤵
- Executes dropped EXE
PID:2916

C:\Windows\System\MEokPGc.exe
C:\Windows\System\MEokPGc.exe
2⤵
- Executes dropped EXE
PID:1612

C:\Windows\System\cahnqkG.exe
C:\Windows\System\cahnqkG.exe
2⤵
- Executes dropped EXE
PID:760

C:\Windows\System\XhsVsJm.exe
C:\Windows\System\XhsVsJm.exe
2⤵
- Executes dropped EXE
PID:1932

C:\Windows\System\PiVpTuM.exe
C:\Windows\System\PiVpTuM.exe
2⤵
- Executes dropped EXE
PID:1372

C:\Windows\System\ZCfOhrh.exe
C:\Windows\System\ZCfOhrh.exe
2⤵
- Executes dropped EXE
PID:2768

C:\Windows\System\oAvKgYl.exe
C:\Windows\System\oAvKgYl.exe
2⤵
- Executes dropped EXE
PID:2196

C:\Windows\System\HtTddJs.exe
C:\Windows\System\HtTddJs.exe
2⤵
- Executes dropped EXE
PID:2756

C:\Windows\System\PkKZWUu.exe
C:\Windows\System\PkKZWUu.exe
2⤵
- Executes dropped EXE
PID:2384

C:\Windows\System\IJCCwGc.exe
C:\Windows\System\IJCCwGc.exe
2⤵
- Executes dropped EXE
PID:2420

C:\Windows\System\meCocUD.exe
C:\Windows\System\meCocUD.exe
2⤵
- Executes dropped EXE
PID:1972

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\HtTddJs.exe
Filesize
5.9MB

MD5
17527264e3e74312df3bbd772e42900e

SHA1
c7ca3f6b8e0969ffe8d8f511457d7f0345c86caf

SHA256
d7fa0f3d5809a43f05797ecf3116c051f4399747b3c75716c2e54c47634cde9a

SHA512
32eb49854c980db64d16d5b0065ca9ed63b600ae1c747ae58d72631361f3f06d6b1d2d27606d7d5d96b73761b0036c152a37a5007f146e2a09894325a2968ee5

Download Submit
C:\Windows\system\IJCCwGc.exe
Filesize
5.9MB

MD5
1402b288766cdd1c994f129096b7438f

SHA1
4145f44222b7e09c0a825fcc9aee46ce6a40137e

SHA256
6f1bf97d1a643422b192fafe6ccc01ead5226b8b9fa324a6411162235af71f15

SHA512
d13eb0e9abaa92c8e2c7efccb6ff50a9085804a99140238f6179b873077a78e0a71391c09a7f41b72f32bda57510e009ead6884e07bf9d42fb43c7f14b2169f9

Download Submit
C:\Windows\system\JptCppA.exe
Filesize
5.9MB

MD5
c6a3d6df6befabeb451f4ff2e6db218c

SHA1
39eac6239e301604ba71a6063af1b383d5ba44c0

SHA256
78fe133f348337b56ae4538f3581c4a99d7bb67e6e001b64dd6a68b0de85ea21

SHA512
1229e1dec698f84b5079f11b106640769ae5b96e5ddb3dd29772fbbc9b0b9dedea0dc7ee13dbdc6affc89dcfeac58b91501f8e1ac389651970ffde2bb6beafc7

Download Submit
C:\Windows\system\OSafqyd.exe
Filesize
5.9MB

MD5
02dfeaaeb7a8cb5bf92ca179fb6f4ae5

SHA1
7d43f29c7a43848e634c2471942eeb938139e6ec

SHA256
5f16ddadcb372d8de9603590c845f7c0a5d6610f87ef047c37b1a784ee0a1bb7

SHA512
1b8b380260646c6e055cd603bbbaa3018b73c5be0c9211ecd5e86b0ec97386caa6177e150f580b9e6a309007ded080a8c3a244c096083342f4e11abef0c57b77

Download Submit
C:\Windows\system\PiVpTuM.exe
Filesize
5.9MB

MD5
151b077dd275578e466287c880b016a9

SHA1
5c41df1eff71ec844285b60a093747a4a9b17a99

SHA256
d3f2086e7feb751e87ab0301a84ad676e6391e3008d645768396a6d66e92dc90

SHA512
9eacca5c731b61cedf9bf94fe84fb466dab2f91517e264304ed65b95f73582c00cb98b4c99064a9e83bfedb9bf478db08d2201e3e756a4faf78826106005592b

Download Submit
C:\Windows\system\PkKZWUu.exe
Filesize
5.9MB

MD5
ae32d6f2554df1d9443c2a77b24232e0

SHA1
0b489bd3f3dc8f38f2db428df3c8748253068f39

SHA256
3a71694f8060bcb4a9fe2fb1109c714e932714645bbc99db1ea06b2d6b616840

SHA512
66497b3a9cc0b66396b68237d6d26533f171fa75385de4fc21b1f2bda453ab9ba0eba9db06a3132229ee3aec6bc57d32a2c6032e7bebe67fc6c874a5f1e7dbd3

Download Submit
C:\Windows\system\VaKgsqR.exe
Filesize
5.9MB

MD5
c23663f559beeda1d7ddc571890a2dad

SHA1
fdf6c74471cd89f9ebc6db559a073a6716de48b0

SHA256
1b1124ae8652028d889acb393ca16408c395d548797c1e0419f14a3794c86681

SHA512
af07ae2553abd93194e04bcf14cd0249b9dfa3808ac4bc4d44be5b7a93dd579a3250bd3720de386bb044543958d29b41f9b5e2be7296fbd9ab4a401039259651

Download Submit
C:\Windows\system\XhsVsJm.exe
Filesize
5.9MB

MD5
1d1910cd22b982560e80480e955ae320

SHA1
cf4df2d69f24db4af6503047fd8dcfd5ff958fe1

SHA256
4208e7f5bd6d5db1313bc6ad26517b643c436b04f574cca3751fa49cb8e35842

SHA512
378de9ef3641880747abfb51aec6f0a3b159cf51064b8ead63eccc862e6de924b680683eaf90263aabbabba1014dc0a61bb2297bc4ff0b320ffae2453b7a1181

Download Submit
C:\Windows\system\ZCfOhrh.exe
Filesize
5.9MB

MD5
576859928f08f1eab910aa3d6a1315fa

SHA1
856aff95c80135d8b1d3e18a49b9ee5b6fd7af90

SHA256
268d7c96e46719d340069dab64fa5efaeabbd11a3772f915f9f2a703f1e37925

SHA512
c73eb19a0c1416ce0307196c0dcc36079f8e885ff03ab353e827694e281745c6be1c9382ba488d8fdce25da42f668b52055875dccef9272fb3465f0023b0e4b6

Download Submit
C:\Windows\system\cahnqkG.exe
Filesize
5.9MB

MD5
b3d98f0fbea10dec7db91e17f142ce8a

SHA1
ec6b2cbabd1963a8d8bcd6f58e01968d2a6a6e64

SHA256
d55fa7a2549696e642c7c6289a738ebc6c9077010777e9cf208f9357d128c0e4

SHA512
16b1861ad288b957a37f6df62c4aa19ef37ed8d3e87c2e51f6f80c55a2d47b9d88c29110a419ecaa4ade46503092727e24bc749085ccc1699c29f352415953f6

Download Submit
C:\Windows\system\ewhadXE.exe
Filesize
5.9MB

MD5
78dfd80cdff38e3f01ac0d5590a0be40

SHA1
ad417f1b867212a0619f6b14dad4a536836975ef

SHA256
9c603dc69aa90857cd84487e2abbbb21dc46c7fb8c270b0289802b5e27282a11

SHA512
cc499aa1f87a59d330f9bf06d571160d1582fa7050faaed68d9959e220f710915a842992b9e9761d57229c8af89b8c232a2aa1c4eef539d12f760bef75d9bdab

Download Submit
C:\Windows\system\oAvKgYl.exe
Filesize
5.9MB

MD5
cde82ec121e255b6f77d134208b8f5ea

SHA1
fcd7ef71acdda6e0d40f52ff004264b6ff7d30db

SHA256
582e2ff48bb0a1459d9f20990667c298c2f624b607e748f29182fc472623b417

SHA512
5d6f1758e18dc29c29704086d1747b4789933c29c882183a29f2a0981ba9836bf16e9d7858597d7b8c74ca67ec601d8676564d82464ffc95ac56d18347549cf7

Download Submit
C:\Windows\system\xNbLzfq.exe
Filesize
5.9MB

MD5
7838f1dae7211b9d234b88b5ea121d8f

SHA1
b0d6fa6941264888f9af109d71be119caf0e56f0

SHA256
d9af08fb0e0e655911a961358b24fe9caac747e718ecb2c5023c5dbee0348d29

SHA512
93620082a4992832a0a3bb09ee46730ee640e34ebb8c05c2f1043a9996de4288aae5852973a3ec38e47de1da67018d6a92694cdea9e5f2ed2aca08f643cd9fdb

Download Submit
\Windows\system\FYlobha.exe
Filesize
5.9MB

MD5
5fecb2b25b8a3564f63008c527d07a31

SHA1
515331baf2456e5ab54ab2a503a26d75d58f1686

SHA256
ceee38e9af86a97037c5bb576b2474dce8e9827032c2bb69e749f5c87a579979

SHA512
975eda4556a1c845fd082d2e4400d5b7615af198b2970dffeaa730d6809782dce4a8b2d9d4b44cf8824aae4181f91a610793dd5ece3df3be5dceca70b5e52b6a

Download Submit
\Windows\system\HTAfyCD.exe
Filesize
5.9MB

MD5
2140b40fc3a4a0122f36abb004c08349

SHA1
47580ffd756f016836fb9fd9a48ebf33b91a1efb

SHA256
9eae51ab13cefd82f9a1059fb5261123921743c4e3986f97c33a70491759710c

SHA512
67ddb768bbc03c499a87dd969e77807999664034acba96c1cb6d25d48511a3b501aa10333cc226fe9a7631239c274528cf5ccab20dabdeafc3ffc7297d7b8405

Download Submit
\Windows\system\MEokPGc.exe
Filesize
5.9MB

MD5
38282aa800f20442be39c123421a7c50

SHA1
dee22043ebde418f9cb37ce875b4be4e907bb268

SHA256
77b02c4ec76af283894cb337b93d06eb69142ee8c77fd593d68afa2815b7c01f

SHA512
5af46fb770eb1b0d8b84ba656b9c8ebca0ab18f4f3a08631ac632fcd50985645eab88bfbdba9d138b51fb391d2ab1c00f5cad849a9359e55942447dc4c3e71af

Download Submit
\Windows\system\YNMkiWU.exe
Filesize
5.9MB

MD5
2a7eaac0d339c8e4e5c1e415c1e72b7e

SHA1
d630a7c9911f16bf79d1f55499cb0cde1d111d2a

SHA256
8b335994025fc783f89051a629d61680c96e69ab6903823432c10ad3b151af67

SHA512
f8df9b24190a6d12ffcf3391e96d94fb18773163fe4f7cd79a02e25d54aab655eaed99918aa9db909102a0981e299cc4dd21286861ac60c53f5811f61466b0d3

Download Submit
\Windows\system\ZZYWffu.exe
Filesize
5.9MB

MD5
f93d32b3d4a1d890855d23f933b643ed

SHA1
928c3a3a22898499ced893de28fa1fe5264cc046

SHA256
4a43f48b8ed1d84ec31eaf2db39f6880c13ef80d0c8dba8bac31ad52e42732d9

SHA512
76718d4f5872e3780148e61ebf1601bb83f16bccc424e8285d23b520e09cb285956d14037e3d16a1142acae07828022af306c959ff90a0d6bb6bee94d5abf676

Download Submit
\Windows\system\meCocUD.exe
Filesize
5.9MB

MD5
b6173588f2ad5b1edec56e34fdebe0ba

SHA1
a3e6bf1846434958e07339672dbbd8c8b5a01cfe

SHA256
4e3b03bd92f29cae92fc3a5b5e8515db82ba761bba9b3dea0bd486bc6f206486

SHA512
94c9782f07985d2ff1d55ed787aff74f0181cabc4d805431b219e42c70735228371e89de0693967c17f4f91bc03f9b6ac9834d4cf2e375fbd3822506b6927f2a

Download Submit
\Windows\system\ocYhymA.exe
Filesize
5.9MB

MD5
1289e635cffd5d629c44f5ad998a7a05

SHA1
01f88a34e9ad27a9f3637146a9a6d7846842d9f8

SHA256
3c3c05d1b2ad31be12fb610c0ca2f7386a1773000f8f19d256131da3a9a630be

SHA512
10cb98bf45f788e40fd8c9738e8b5260a07c8c03c15f65cc3928a74305e6dd3d9b8bc19277029e0e1aaff948bfaf7f58b2a18f11bf4c6bf6f719ab7ea1a57487

Download Submit
\Windows\system\tVlmaHu.exe
Filesize
5.9MB

MD5
a42f50668942efea45392ea2bd9d8565

SHA1
424dd59b7a7b97e51d05a12b1e2a209e98a22201

SHA256
eb782b4d55fa99e80e93da5b02ffde6275a986004ae4f44eb22cedc6cb44c867

SHA512
b28e5c59a65b971af3d2f91077551e90cf417a52413204a94b38237528b378f4d3ce07aec34441553de73202b864ef22c225fd547eb13ef8b0ab011c60b0f374

Download Submit
memory/760-156-0x000000013F220000-0x000000013F574000-memory.dmp

Filesize
3.3MB

Download
memory/760-140-0x000000013F220000-0x000000013F574000-memory.dmp

Filesize
3.3MB

Download
memory/760-90-0x000000013F220000-0x000000013F574000-memory.dmp

Filesize
3.3MB

Download
memory/1148-154-0x000000013FF60000-0x00000001402B4000-memory.dmp

Filesize
3.3MB

Download
memory/1148-81-0x000000013FF60000-0x00000001402B4000-memory.dmp

Filesize
3.3MB

Download
memory/1612-76-0x000000013F640000-0x000000013F994000-memory.dmp

Filesize
3.3MB

Download
memory/1612-153-0x000000013F640000-0x000000013F994000-memory.dmp

Filesize
3.3MB

Download
memory/1612-137-0x000000013F640000-0x000000013F994000-memory.dmp

Filesize
3.3MB

Download
memory/1704-139-0x000000013F220000-0x000000013F574000-memory.dmp

Filesize
3.3MB

Download
memory/1704-55-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1704-97-0x000000013FB80000-0x000000013FED4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-72-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1704-75-0x0000000002320000-0x0000000002674000-memory.dmp

Filesize
3.3MB

Download
memory/1704-74-0x000000013F7D0000-0x000000013FB24000-memory.dmp

Filesize
3.3MB

Download
memory/1704-8-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/1704-143-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/1704-141-0x000000013FB80000-0x000000013FED4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-19-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/1704-0-0x000000013F7D0000-0x000000013FB24000-memory.dmp

Filesize
3.3MB

Download
memory/1704-135-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-33-0x000000013F090000-0x000000013F3E4000-memory.dmp

Filesize
3.3MB

Download
memory/1704-102-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/1704-89-0x000000013F2F0000-0x000000013F644000-memory.dmp

Filesize
3.3MB

Download
memory/1704-41-0x000000013F2F0000-0x000000013F644000-memory.dmp

Filesize
3.3MB

Download
memory/1704-87-0x000000013F220000-0x000000013F574000-memory.dmp

Filesize
3.3MB

Download
memory/1704-32-0x000000013F1B0000-0x000000013F504000-memory.dmp

Filesize
3.3MB

Download
memory/1932-157-0x000000013FB80000-0x000000013FED4000-memory.dmp

Filesize
3.3MB

Download
memory/1932-98-0x000000013FB80000-0x000000013FED4000-memory.dmp

Filesize
3.3MB

Download
memory/1932-142-0x000000013FB80000-0x000000013FED4000-memory.dmp

Filesize
3.3MB

Download
memory/2068-144-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/2068-9-0x000000013F100000-0x000000013F454000-memory.dmp

Filesize
3.3MB

Download
memory/2124-26-0x000000013FAD0000-0x000000013FE24000-memory.dmp

Filesize
3.3MB

Download
memory/2124-145-0x000000013FAD0000-0x000000013FE24000-memory.dmp

Filesize
3.3MB

Download
memory/2540-152-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2540-70-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2592-43-0x000000013F2F0000-0x000000013F644000-memory.dmp

Filesize
3.3MB

Download
memory/2592-149-0x000000013F2F0000-0x000000013F644000-memory.dmp

Filesize
3.3MB

Download
memory/2660-37-0x000000013F090000-0x000000013F3E4000-memory.dmp

Filesize
3.3MB

Download
memory/2660-96-0x000000013F090000-0x000000013F3E4000-memory.dmp

Filesize
3.3MB

Download
memory/2660-148-0x000000013F090000-0x000000013F3E4000-memory.dmp

Filesize
3.3MB

Download
memory/2668-31-0x000000013F1B0000-0x000000013F504000-memory.dmp

Filesize
3.3MB

Download
memory/2668-146-0x000000013F1B0000-0x000000013F504000-memory.dmp

Filesize
3.3MB

Download
memory/2708-68-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2708-151-0x000000013F2A0000-0x000000013F5F4000-memory.dmp

Filesize
3.3MB

Download
memory/2788-150-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/2788-136-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/2788-48-0x000000013F350000-0x000000013F6A4000-memory.dmp

Filesize
3.3MB

Download
memory/2916-138-0x000000013F7B0000-0x000000013FB04000-memory.dmp

Filesize
3.3MB

Download
memory/2916-155-0x000000013F7B0000-0x000000013FB04000-memory.dmp

Filesize
3.3MB

Download
memory/2916-82-0x000000013F7B0000-0x000000013FB04000-memory.dmp

Filesize
3.3MB

Download
memory/2964-147-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download
memory/2964-27-0x000000013F230000-0x000000013F584000-memory.dmp

Filesize
3.3MB

Download