cobaltstrike | 753ea8599407c2911eeb8a4c0ca7d2e42c2acf48c243c73dc897e6b30c1164d6

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

a64f900f8c8fd8eb3980780baa453963
SHA1

4fe0f7b602dd7b2ccfe1fc67945178d7e16e40d7
SHA256

753ea8599407c2911eeb8a4c0ca7d2e42c2acf48c243c73dc897e6b30c1164d6
SHA512

b4837acb35a879901a5f08f09fe5e8747db8d82d3e8481dcf265b9df75bd31d852fabd7d84634c30ae27582f27502c51301f0be1b5fa560425d24041cefe01d4
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lUW:Q+856utgpPF8u/7W

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\PcAYjDR.exe	cobalt_reflective_dll
C:\Windows\System\GLUXrIk.exe	cobalt_reflective_dll
C:\Windows\System\iDqxRiM.exe	cobalt_reflective_dll
C:\Windows\System\nSZthDA.exe	cobalt_reflective_dll
C:\Windows\System\FupWIzg.exe	cobalt_reflective_dll
C:\Windows\System\HamPsJs.exe	cobalt_reflective_dll
C:\Windows\System\PetqGua.exe	cobalt_reflective_dll
C:\Windows\System\kyQlzQf.exe	cobalt_reflective_dll
C:\Windows\System\aQdrpMW.exe	cobalt_reflective_dll
C:\Windows\System\NwtGIVr.exe	cobalt_reflective_dll
C:\Windows\System\UlBVHPU.exe	cobalt_reflective_dll
C:\Windows\System\aFXEaKZ.exe	cobalt_reflective_dll
C:\Windows\System\yJUhabn.exe	cobalt_reflective_dll
C:\Windows\System\ybNuExg.exe	cobalt_reflective_dll
C:\Windows\System\qyWBSEo.exe	cobalt_reflective_dll
C:\Windows\System\HEnWxvb.exe	cobalt_reflective_dll
C:\Windows\System\PwEROJN.exe	cobalt_reflective_dll
C:\Windows\System\DyffNnw.exe	cobalt_reflective_dll
C:\Windows\System\ADSnqIm.exe	cobalt_reflective_dll
C:\Windows\System\JJdwZTo.exe	cobalt_reflective_dll
C:\Windows\System\uxBocMP.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2564-0-0x00007FF6B9610000-0x00007FF6B9964000-memory.dmp	xmrig
C:\Windows\System\PcAYjDR.exe	xmrig
behavioral2/memory/3844-7-0x00007FF731BD0000-0x00007FF731F24000-memory.dmp	xmrig
C:\Windows\System\GLUXrIk.exe	xmrig
behavioral2/memory/1972-26-0x00007FF763080000-0x00007FF7633D4000-memory.dmp	xmrig
C:\Windows\System\iDqxRiM.exe	xmrig
C:\Windows\System\nSZthDA.exe	xmrig
C:\Windows\System\FupWIzg.exe	xmrig
behavioral2/memory/3220-22-0x00007FF612F60000-0x00007FF6132B4000-memory.dmp	xmrig
behavioral2/memory/3192-14-0x00007FF690150000-0x00007FF6904A4000-memory.dmp	xmrig
behavioral2/memory/3724-32-0x00007FF754560000-0x00007FF7548B4000-memory.dmp	xmrig
C:\Windows\System\HamPsJs.exe	xmrig
C:\Windows\System\PetqGua.exe	xmrig
behavioral2/memory/3656-48-0x00007FF6920C0000-0x00007FF692414000-memory.dmp	xmrig
C:\Windows\System\kyQlzQf.exe	xmrig
behavioral2/memory/2772-44-0x00007FF64BF70000-0x00007FF64C2C4000-memory.dmp	xmrig
behavioral2/memory/5076-38-0x00007FF614FB0000-0x00007FF615304000-memory.dmp	xmrig
C:\Windows\System\aQdrpMW.exe	xmrig
C:\Windows\System\NwtGIVr.exe	xmrig
C:\Windows\System\UlBVHPU.exe	xmrig
C:\Windows\System\aFXEaKZ.exe	xmrig
C:\Windows\System\yJUhabn.exe	xmrig
behavioral2/memory/4544-100-0x00007FF66A5A0000-0x00007FF66A8F4000-memory.dmp	xmrig
C:\Windows\System\ybNuExg.exe	xmrig
C:\Windows\System\qyWBSEo.exe	xmrig
C:\Windows\System\HEnWxvb.exe	xmrig
C:\Windows\System\PwEROJN.exe	xmrig
C:\Windows\System\DyffNnw.exe	xmrig
behavioral2/memory/3416-126-0x00007FF77FCF0000-0x00007FF780044000-memory.dmp	xmrig
behavioral2/memory/2772-125-0x00007FF64BF70000-0x00007FF64C2C4000-memory.dmp	xmrig
C:\Windows\System\ADSnqIm.exe	xmrig
behavioral2/memory/1624-120-0x00007FF66BF00000-0x00007FF66C254000-memory.dmp	xmrig
behavioral2/memory/4528-118-0x00007FF7AC320000-0x00007FF7AC674000-memory.dmp	xmrig
behavioral2/memory/696-107-0x00007FF736520000-0x00007FF736874000-memory.dmp	xmrig
behavioral2/memory/1972-106-0x00007FF763080000-0x00007FF7633D4000-memory.dmp	xmrig
behavioral2/memory/1032-103-0x00007FF7A4730000-0x00007FF7A4A84000-memory.dmp	xmrig
behavioral2/memory/4448-102-0x00007FF617310000-0x00007FF617664000-memory.dmp	xmrig
C:\Windows\System\JJdwZTo.exe	xmrig
C:\Windows\System\uxBocMP.exe	xmrig
behavioral2/memory/3556-81-0x00007FF61BA70000-0x00007FF61BDC4000-memory.dmp	xmrig
behavioral2/memory/3220-80-0x00007FF612F60000-0x00007FF6132B4000-memory.dmp	xmrig
behavioral2/memory/3192-79-0x00007FF690150000-0x00007FF6904A4000-memory.dmp	xmrig
behavioral2/memory/4368-75-0x00007FF773BF0000-0x00007FF773F44000-memory.dmp	xmrig
behavioral2/memory/3296-71-0x00007FF6B3970000-0x00007FF6B3CC4000-memory.dmp	xmrig
behavioral2/memory/3844-70-0x00007FF731BD0000-0x00007FF731F24000-memory.dmp	xmrig
behavioral2/memory/4224-63-0x00007FF75A100000-0x00007FF75A454000-memory.dmp	xmrig
behavioral2/memory/2564-62-0x00007FF6B9610000-0x00007FF6B9964000-memory.dmp	xmrig
behavioral2/memory/1532-56-0x00007FF62BCB0000-0x00007FF62C004000-memory.dmp	xmrig
behavioral2/memory/1960-133-0x00007FF664D80000-0x00007FF6650D4000-memory.dmp	xmrig
behavioral2/memory/3656-134-0x00007FF6920C0000-0x00007FF692414000-memory.dmp	xmrig
behavioral2/memory/4224-135-0x00007FF75A100000-0x00007FF75A454000-memory.dmp	xmrig
behavioral2/memory/4368-136-0x00007FF773BF0000-0x00007FF773F44000-memory.dmp	xmrig
behavioral2/memory/3296-137-0x00007FF6B3970000-0x00007FF6B3CC4000-memory.dmp	xmrig
behavioral2/memory/3556-138-0x00007FF61BA70000-0x00007FF61BDC4000-memory.dmp	xmrig
behavioral2/memory/1032-139-0x00007FF7A4730000-0x00007FF7A4A84000-memory.dmp	xmrig
behavioral2/memory/696-140-0x00007FF736520000-0x00007FF736874000-memory.dmp	xmrig
behavioral2/memory/1624-141-0x00007FF66BF00000-0x00007FF66C254000-memory.dmp	xmrig
behavioral2/memory/4528-142-0x00007FF7AC320000-0x00007FF7AC674000-memory.dmp	xmrig
behavioral2/memory/3416-143-0x00007FF77FCF0000-0x00007FF780044000-memory.dmp	xmrig
behavioral2/memory/3844-144-0x00007FF731BD0000-0x00007FF731F24000-memory.dmp	xmrig
behavioral2/memory/3192-145-0x00007FF690150000-0x00007FF6904A4000-memory.dmp	xmrig
behavioral2/memory/3220-146-0x00007FF612F60000-0x00007FF6132B4000-memory.dmp	xmrig
behavioral2/memory/3724-148-0x00007FF754560000-0x00007FF7548B4000-memory.dmp	xmrig
behavioral2/memory/1972-147-0x00007FF763080000-0x00007FF7633D4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

PcAYjDR.exeGLUXrIk.exeFupWIzg.exenSZthDA.exeiDqxRiM.exeHamPsJs.exePetqGua.exekyQlzQf.exeaQdrpMW.exeNwtGIVr.exeuxBocMP.exeUlBVHPU.exeJJdwZTo.exeaFXEaKZ.exeyJUhabn.exeybNuExg.exeqyWBSEo.exeHEnWxvb.exeADSnqIm.exePwEROJN.exeDyffNnw.exe

pid	process
3844	PcAYjDR.exe
3192	GLUXrIk.exe
3220	FupWIzg.exe
1972	nSZthDA.exe
3724	iDqxRiM.exe
5076	HamPsJs.exe
2772	PetqGua.exe
3656	kyQlzQf.exe
1532	aQdrpMW.exe
4224	NwtGIVr.exe
3296	uxBocMP.exe
4368	UlBVHPU.exe
3556	JJdwZTo.exe
4544	aFXEaKZ.exe
4448	yJUhabn.exe
1032	ybNuExg.exe
696	qyWBSEo.exe
4528	HEnWxvb.exe
1624	ADSnqIm.exe
3416	PwEROJN.exe
1960	DyffNnw.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2564-0-0x00007FF6B9610000-0x00007FF6B9964000-memory.dmp	upx
C:\Windows\System\PcAYjDR.exe	upx
behavioral2/memory/3844-7-0x00007FF731BD0000-0x00007FF731F24000-memory.dmp	upx
C:\Windows\System\GLUXrIk.exe	upx
behavioral2/memory/1972-26-0x00007FF763080000-0x00007FF7633D4000-memory.dmp	upx
C:\Windows\System\iDqxRiM.exe	upx
C:\Windows\System\nSZthDA.exe	upx
C:\Windows\System\FupWIzg.exe	upx
behavioral2/memory/3220-22-0x00007FF612F60000-0x00007FF6132B4000-memory.dmp	upx
behavioral2/memory/3192-14-0x00007FF690150000-0x00007FF6904A4000-memory.dmp	upx
behavioral2/memory/3724-32-0x00007FF754560000-0x00007FF7548B4000-memory.dmp	upx
C:\Windows\System\HamPsJs.exe	upx
C:\Windows\System\PetqGua.exe	upx
behavioral2/memory/3656-48-0x00007FF6920C0000-0x00007FF692414000-memory.dmp	upx
C:\Windows\System\kyQlzQf.exe	upx
behavioral2/memory/2772-44-0x00007FF64BF70000-0x00007FF64C2C4000-memory.dmp	upx
behavioral2/memory/5076-38-0x00007FF614FB0000-0x00007FF615304000-memory.dmp	upx
C:\Windows\System\aQdrpMW.exe	upx
C:\Windows\System\NwtGIVr.exe	upx
C:\Windows\System\UlBVHPU.exe	upx
C:\Windows\System\aFXEaKZ.exe	upx
C:\Windows\System\yJUhabn.exe	upx
behavioral2/memory/4544-100-0x00007FF66A5A0000-0x00007FF66A8F4000-memory.dmp	upx
C:\Windows\System\ybNuExg.exe	upx
C:\Windows\System\qyWBSEo.exe	upx
C:\Windows\System\HEnWxvb.exe	upx
C:\Windows\System\PwEROJN.exe	upx
C:\Windows\System\DyffNnw.exe	upx
behavioral2/memory/3416-126-0x00007FF77FCF0000-0x00007FF780044000-memory.dmp	upx
behavioral2/memory/2772-125-0x00007FF64BF70000-0x00007FF64C2C4000-memory.dmp	upx
C:\Windows\System\ADSnqIm.exe	upx
behavioral2/memory/1624-120-0x00007FF66BF00000-0x00007FF66C254000-memory.dmp	upx
behavioral2/memory/4528-118-0x00007FF7AC320000-0x00007FF7AC674000-memory.dmp	upx
behavioral2/memory/696-107-0x00007FF736520000-0x00007FF736874000-memory.dmp	upx
behavioral2/memory/1972-106-0x00007FF763080000-0x00007FF7633D4000-memory.dmp	upx
behavioral2/memory/1032-103-0x00007FF7A4730000-0x00007FF7A4A84000-memory.dmp	upx
behavioral2/memory/4448-102-0x00007FF617310000-0x00007FF617664000-memory.dmp	upx
C:\Windows\System\JJdwZTo.exe	upx
C:\Windows\System\uxBocMP.exe	upx
behavioral2/memory/3556-81-0x00007FF61BA70000-0x00007FF61BDC4000-memory.dmp	upx
behavioral2/memory/3220-80-0x00007FF612F60000-0x00007FF6132B4000-memory.dmp	upx
behavioral2/memory/3192-79-0x00007FF690150000-0x00007FF6904A4000-memory.dmp	upx
behavioral2/memory/4368-75-0x00007FF773BF0000-0x00007FF773F44000-memory.dmp	upx
behavioral2/memory/3296-71-0x00007FF6B3970000-0x00007FF6B3CC4000-memory.dmp	upx
behavioral2/memory/3844-70-0x00007FF731BD0000-0x00007FF731F24000-memory.dmp	upx
behavioral2/memory/4224-63-0x00007FF75A100000-0x00007FF75A454000-memory.dmp	upx
behavioral2/memory/2564-62-0x00007FF6B9610000-0x00007FF6B9964000-memory.dmp	upx
behavioral2/memory/1532-56-0x00007FF62BCB0000-0x00007FF62C004000-memory.dmp	upx
behavioral2/memory/1960-133-0x00007FF664D80000-0x00007FF6650D4000-memory.dmp	upx
behavioral2/memory/3656-134-0x00007FF6920C0000-0x00007FF692414000-memory.dmp	upx
behavioral2/memory/4224-135-0x00007FF75A100000-0x00007FF75A454000-memory.dmp	upx
behavioral2/memory/4368-136-0x00007FF773BF0000-0x00007FF773F44000-memory.dmp	upx
behavioral2/memory/3296-137-0x00007FF6B3970000-0x00007FF6B3CC4000-memory.dmp	upx
behavioral2/memory/3556-138-0x00007FF61BA70000-0x00007FF61BDC4000-memory.dmp	upx
behavioral2/memory/1032-139-0x00007FF7A4730000-0x00007FF7A4A84000-memory.dmp	upx
behavioral2/memory/696-140-0x00007FF736520000-0x00007FF736874000-memory.dmp	upx
behavioral2/memory/1624-141-0x00007FF66BF00000-0x00007FF66C254000-memory.dmp	upx
behavioral2/memory/4528-142-0x00007FF7AC320000-0x00007FF7AC674000-memory.dmp	upx
behavioral2/memory/3416-143-0x00007FF77FCF0000-0x00007FF780044000-memory.dmp	upx
behavioral2/memory/3844-144-0x00007FF731BD0000-0x00007FF731F24000-memory.dmp	upx
behavioral2/memory/3192-145-0x00007FF690150000-0x00007FF6904A4000-memory.dmp	upx
behavioral2/memory/3220-146-0x00007FF612F60000-0x00007FF6132B4000-memory.dmp	upx
behavioral2/memory/3724-148-0x00007FF754560000-0x00007FF7548B4000-memory.dmp	upx
behavioral2/memory/1972-147-0x00007FF763080000-0x00007FF7633D4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\PcAYjDR.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FupWIzg.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NwtGIVr.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JJdwZTo.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aFXEaKZ.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qyWBSEo.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HEnWxvb.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UlBVHPU.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yJUhabn.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nSZthDA.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HamPsJs.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PetqGua.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kyQlzQf.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aQdrpMW.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uxBocMP.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PwEROJN.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GLUXrIk.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iDqxRiM.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ybNuExg.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ADSnqIm.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DyffNnw.exe	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 2564 wrote to memory of 3844	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	PcAYjDR.exe
PID 2564 wrote to memory of 3844	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	PcAYjDR.exe
PID 2564 wrote to memory of 3192	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	GLUXrIk.exe
PID 2564 wrote to memory of 3192	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	GLUXrIk.exe
PID 2564 wrote to memory of 3220	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	FupWIzg.exe
PID 2564 wrote to memory of 3220	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	FupWIzg.exe
PID 2564 wrote to memory of 1972	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	nSZthDA.exe
PID 2564 wrote to memory of 1972	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	nSZthDA.exe
PID 2564 wrote to memory of 3724	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	iDqxRiM.exe
PID 2564 wrote to memory of 3724	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	iDqxRiM.exe
PID 2564 wrote to memory of 5076	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	HamPsJs.exe
PID 2564 wrote to memory of 5076	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	HamPsJs.exe
PID 2564 wrote to memory of 2772	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	PetqGua.exe
PID 2564 wrote to memory of 2772	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	PetqGua.exe
PID 2564 wrote to memory of 3656	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	kyQlzQf.exe
PID 2564 wrote to memory of 3656	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	kyQlzQf.exe
PID 2564 wrote to memory of 1532	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	aQdrpMW.exe
PID 2564 wrote to memory of 1532	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	aQdrpMW.exe
PID 2564 wrote to memory of 4224	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	NwtGIVr.exe
PID 2564 wrote to memory of 4224	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	NwtGIVr.exe
PID 2564 wrote to memory of 3296	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	uxBocMP.exe
PID 2564 wrote to memory of 3296	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	uxBocMP.exe
PID 2564 wrote to memory of 4368	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	UlBVHPU.exe
PID 2564 wrote to memory of 4368	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	UlBVHPU.exe
PID 2564 wrote to memory of 3556	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	JJdwZTo.exe
PID 2564 wrote to memory of 3556	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	JJdwZTo.exe
PID 2564 wrote to memory of 4448	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	yJUhabn.exe
PID 2564 wrote to memory of 4448	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	yJUhabn.exe
PID 2564 wrote to memory of 4544	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	aFXEaKZ.exe
PID 2564 wrote to memory of 4544	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	aFXEaKZ.exe
PID 2564 wrote to memory of 1032	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	ybNuExg.exe
PID 2564 wrote to memory of 1032	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	ybNuExg.exe
PID 2564 wrote to memory of 696	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	qyWBSEo.exe
PID 2564 wrote to memory of 696	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	qyWBSEo.exe
PID 2564 wrote to memory of 4528	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	HEnWxvb.exe
PID 2564 wrote to memory of 4528	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	HEnWxvb.exe
PID 2564 wrote to memory of 1624	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	ADSnqIm.exe
PID 2564 wrote to memory of 1624	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	ADSnqIm.exe
PID 2564 wrote to memory of 3416	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	PwEROJN.exe
PID 2564 wrote to memory of 3416	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	PwEROJN.exe
PID 2564 wrote to memory of 1960	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	DyffNnw.exe
PID 2564 wrote to memory of 1960	2564	2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe	DyffNnw.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_a64f900f8c8fd8eb3980780baa453963_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2564

C:\Windows\System\PcAYjDR.exe
C:\Windows\System\PcAYjDR.exe
2⤵
- Executes dropped EXE
PID:3844

C:\Windows\System\GLUXrIk.exe
C:\Windows\System\GLUXrIk.exe
2⤵
- Executes dropped EXE
PID:3192

C:\Windows\System\FupWIzg.exe
C:\Windows\System\FupWIzg.exe
2⤵
- Executes dropped EXE
PID:3220

C:\Windows\System\nSZthDA.exe
C:\Windows\System\nSZthDA.exe
2⤵
- Executes dropped EXE
PID:1972

C:\Windows\System\iDqxRiM.exe
C:\Windows\System\iDqxRiM.exe
2⤵
- Executes dropped EXE
PID:3724

C:\Windows\System\HamPsJs.exe
C:\Windows\System\HamPsJs.exe
2⤵
- Executes dropped EXE
PID:5076

C:\Windows\System\PetqGua.exe
C:\Windows\System\PetqGua.exe
2⤵
- Executes dropped EXE
PID:2772

C:\Windows\System\kyQlzQf.exe
C:\Windows\System\kyQlzQf.exe
2⤵
- Executes dropped EXE
PID:3656

C:\Windows\System\aQdrpMW.exe
C:\Windows\System\aQdrpMW.exe
2⤵
- Executes dropped EXE
PID:1532

C:\Windows\System\NwtGIVr.exe
C:\Windows\System\NwtGIVr.exe
2⤵
- Executes dropped EXE
PID:4224

C:\Windows\System\uxBocMP.exe
C:\Windows\System\uxBocMP.exe
2⤵
- Executes dropped EXE
PID:3296

C:\Windows\System\UlBVHPU.exe
C:\Windows\System\UlBVHPU.exe
2⤵
- Executes dropped EXE
PID:4368

C:\Windows\System\JJdwZTo.exe
C:\Windows\System\JJdwZTo.exe
2⤵
- Executes dropped EXE
PID:3556

C:\Windows\System\yJUhabn.exe
C:\Windows\System\yJUhabn.exe
2⤵
- Executes dropped EXE
PID:4448

C:\Windows\System\aFXEaKZ.exe
C:\Windows\System\aFXEaKZ.exe
2⤵
- Executes dropped EXE
PID:4544

C:\Windows\System\ybNuExg.exe
C:\Windows\System\ybNuExg.exe
2⤵
- Executes dropped EXE
PID:1032

C:\Windows\System\qyWBSEo.exe
C:\Windows\System\qyWBSEo.exe
2⤵
- Executes dropped EXE
PID:696

C:\Windows\System\HEnWxvb.exe
C:\Windows\System\HEnWxvb.exe
2⤵
- Executes dropped EXE
PID:4528

C:\Windows\System\ADSnqIm.exe
C:\Windows\System\ADSnqIm.exe
2⤵
- Executes dropped EXE
PID:1624

C:\Windows\System\PwEROJN.exe
C:\Windows\System\PwEROJN.exe
2⤵
- Executes dropped EXE
PID:3416

C:\Windows\System\DyffNnw.exe
C:\Windows\System\DyffNnw.exe
2⤵
- Executes dropped EXE
PID:1960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ADSnqIm.exe
Filesize
5.9MB

MD5
d92b7cd00602ba27612455ea8bb75b07

SHA1
92cfd178538b9f78e23b5554b7f034c7d280a19d

SHA256
edf65ee3c77516586f659b86eb1239707e16cffba626d5461d513db21bdd5d97

SHA512
588e7c511b9d94ee19d91e2cd8d3f7e7cc072e78c4900c7f595c55477e4feeeab3c092fe09542fdfa8994e9ea6f0a9368f731b34cf6df846757447e36d9cf0e7

Download Submit
C:\Windows\System\DyffNnw.exe
Filesize
5.9MB

MD5
c327851a3522b4a23eace60c5590874d

SHA1
98ba69912403365df1f6f78b7c76305adcf3e8ec

SHA256
92614ab1cf6e466609aaea50c518110d0837573e63b297ee9ce4002f2d85e406

SHA512
a68a03fc4ce3b1b53b372a25620934fcc1ed95cc3e9296f4a588c45df882be44b77fb378c5f7a6927f4a6edabf5ec7e331b39f8fc42aa2ab803dc66671badaa2

Download Submit
C:\Windows\System\FupWIzg.exe
Filesize
5.9MB

MD5
f524df8780c6e731bc95733f8e171d49

SHA1
ec73160441c4f0c6a59072f9d278b7c49e08c522

SHA256
bc185a792553579fb4b86f0a8ec82df4cbf63911f1ec1a8312c1a8977ecaa0cb

SHA512
c89e1e8a0d4c445ee99f76ce94da556e84225963869b64473f919f7b9014fa91d2e773461e1657ae002d6892884acc51cf7c4cadf6ab1628d2cab4d06c61d9e2

Download Submit
C:\Windows\System\GLUXrIk.exe
Filesize
5.9MB

MD5
9b3afa172844a4849ed8df4cf75f1d91

SHA1
41c20f072c9f630fef5427cad05cafa70d65d133

SHA256
9290a6d761d5b940d816b9efbf2f8c8a1e4f608423af10683e9fcf54776ff2cf

SHA512
cf0657f4fd8398ae80df29001cfb1bf30f170a88d620f7a99d6ece5303e54f8cedb697b06b1f5e7fec9fe9855514e2fcc34e7b83bbe6646ad26b13518b508e11

Download Submit
C:\Windows\System\HEnWxvb.exe
Filesize
5.9MB

MD5
7e3c6d407a1d7636a587cca0ff4b5f7f

SHA1
521a1808ebf2d7d50f7050c7a3a6b2e4522e4548

SHA256
2c986335dd584ba96cecd70dbf10c94b706dc4824357e66d70dbfc7300f34687

SHA512
43868d00cb117af75d18686d0d4ec3888cac3a9cc6e00fb8b8c711fbb21a62e81c53d691560fe9096e19a28c3caeeabf9b6308213d2d9dcc2cc1a084c7c6646b

Download Submit
C:\Windows\System\HamPsJs.exe
Filesize
5.9MB

MD5
4131923deab26fcefd1b06ddd6c59dc4

SHA1
6b851959d14e85431b12f7733364ba5ae9d7bf52

SHA256
bdf80c3e7a5bb717e70242a670554ad168579177c7a9c76f3563526fe0c16852

SHA512
8f04175ee0c4bfff49f03162043e1363ab1192e1b92133cae9e9ce9c662ae47b7b037983dd4fd6c8e0c1aa5e2549e8857b0c165ee73934902f96f3b6cfcceccf

Download Submit
C:\Windows\System\JJdwZTo.exe
Filesize
5.9MB

MD5
3698237ddfc47f87e8de479326a87c27

SHA1
1d8fbc6e9f52b88248a8e5b0a1e5cb7316edb76c

SHA256
94952af76bc96f0b9bebfcc57a1721753aff049c400b792f0d7b4a2fccf707ea

SHA512
af3f6a98ed7ed488189d2e9ffce9e4144c98455edf5ed9a36f98c11158d1f1453556deaff86046807a14f0fe9b6c6214c19bb284bf3e345c1b33dccc0035affd

Download Submit
C:\Windows\System\NwtGIVr.exe
Filesize
5.9MB

MD5
dd10ac2b515f5ca4b920f96f23fe6cdd

SHA1
d6d229ac60bb0a2e4280457003c0cc57d0b4153e

SHA256
5f742c4236c228fa8792150c1b32f642fc78b97a8925c4612f8d45df6dc127ed

SHA512
113d5814a7426c02ae84ce60aca0753f41cde6a2eb389a72c81dfe7ba230d3227e23e742f615ec3a36ec8bcf1e5461fb670349e277953945824f92317b16c50d

Download Submit
C:\Windows\System\PcAYjDR.exe
Filesize
5.9MB

MD5
426a8cfde2784061bba227afbee6adf9

SHA1
07416ef4aabfc66f8f79a9a82276fce9f190138f

SHA256
cee6465f4477eb7a593518142e22a9acabfdcad24c0722c99bdc434ec18125d0

SHA512
6f223aceb9e2fd9d72a670c4f40baae2b0786e97ae1c9a03db552921bf9385629a2c203f96ca090b096d9598d708677f775dd1e46b1993451da47aa160c12b36

Download Submit
C:\Windows\System\PetqGua.exe
Filesize
5.9MB

MD5
5d0e83a334a51960188e603661302ad3

SHA1
d9da1b2de38aa40cc4cb1b9102ce110f8078f8a2

SHA256
2f8d3822b817baae3e8726050d5ac5ded2d01387a54a43f62f9beb2d0b991fc4

SHA512
e248b33cc394938e655164d864503984e9f4c0ed6182edacf1ec4cb8417c65e2f218dca76166bd9b66a4bbda63ea33370be2220e45f133c6862fcaf42bcbf72b

Download Submit
C:\Windows\System\PwEROJN.exe
Filesize
5.9MB

MD5
2db3fa69db23c2415345a8e42b1d7372

SHA1
8fb5d3b1a300e11879bb5683c1f53a153e82f4e3

SHA256
79c24e6432a8f662592846a5f9d36958158fa3d7ad6c790a92730f9f121ac0bc

SHA512
0a6ec319cbd730937ffa2757e5272d88691aab70c41cd91fb3fdf700bfa216bddc6fc4a6ad3856bbe15eaef3014ff6a879fd4acb85e855b23bf81c4930f56ad1

Download Submit
C:\Windows\System\UlBVHPU.exe
Filesize
5.9MB

MD5
d33f79ca07684f336423e9eb35c98309

SHA1
8d96db7dad5ce519622cd0d587fa49ce672d7913

SHA256
ae78605ec390438104f0ede87e93eadd7cdd723eac07b65b4b6483e959f0f1e0

SHA512
a2650b46a95e20a393f32002fdfe814ba08b660c4106f84d02aef71ae1fa7d15eb18a4c85651d8feb1107323be149844d37d25b567f8ee52b3f9252b905625fa

Download Submit
C:\Windows\System\aFXEaKZ.exe
Filesize
5.9MB

MD5
972327296b9e9ed7399f4c7ee5d32bbf

SHA1
55d11d2ea204b3aa553c1c61145df92a156ec76a

SHA256
97c885ae6e3cf431cf31091986bf80ede03b34a9fb06c4494c6157f01c29c473

SHA512
6349dafdf23776d9ba8869ba7faaa5658559eb870d551a7ee0266f58a73798d800125c29471089f2561f3eb60558509523efaddcbdf611ad9457c4237abb9a50

Download Submit
C:\Windows\System\aQdrpMW.exe
Filesize
5.9MB

MD5
a93f3d8afa4f069174b2b991a0778682

SHA1
2b195524b6462635baeba6ea2edf029d1599c494

SHA256
cb7fce795d49ca034c6d2bc446a2a9c51a27684dcd573b23a8d7ac0f0ef40cd1

SHA512
946f9c6b84617bc49c83a82f6b9cf6201d1e2410e759cee89a296de0aa820878dce55d741701440b78fd432d117336d7129fa13881c5db95295d0c817e9bf2a8

Download Submit
C:\Windows\System\iDqxRiM.exe
Filesize
5.9MB

MD5
3b5ae7b12cca826986dead834975863b

SHA1
beb7c695792a84eafe9306f8015237fbea20b097

SHA256
501ee466a11dfa02b5e804a4593ee45c6563a2e0ec7614ce5ab1827d463c3017

SHA512
adfcc468d4dc9b58e90d081eaeffb998bace366ecb8a607fe93e5773d99873157ee2a18cf95c5c78f5862f3da87e7fb70e0651c3d4b3b927dff7da22e84c2d31

Download Submit
C:\Windows\System\kyQlzQf.exe
Filesize
5.9MB

MD5
f4f06eb6e90f33ec5f5bd5b081dddc38

SHA1
82614298d1affcf042609b61fef0d6128db9870d

SHA256
a80cad1af9f26f86cd144e4187541c3a185398ab0f50efef2e43948f5f8d465c

SHA512
769cd67ed92d3e0ddf87af1bd214ab2693d88bfd4d61af826c9ad082385e65964518ab0b528fc51c45114536b5a164128206f4e026f919ddd7fcfcfe40dbbf50

Download Submit
C:\Windows\System\nSZthDA.exe
Filesize
5.9MB

MD5
fd6650a1b96ad7ccb3c7f5ffc50ca2a5

SHA1
bc2156b9ccb7bcf5aff53725343e9c89c8f3793b

SHA256
29f3e5517541391ae889544a5d35d5904354151a1f51c402d5bce1b04fdc13e0

SHA512
e981af9b2c03608f42602081fa1b70c44ac56407f9b7d932f1a1bf55b87e6c88a2d26ccd63dfd6a5ba0affe0b43e340c98ab30d0a258a7e88ad1832038660c2e

Download Submit
C:\Windows\System\qyWBSEo.exe
Filesize
5.9MB

MD5
37607ac13ca77cf82b4f06746b16347e

SHA1
5a04913a0f8eaa58472c81833d50af229c971822

SHA256
eede1897968855f0d3c6d5566970253effc6df1c6cfc454e06996247d42e3f03

SHA512
30c7a2a0e9efa57eeb84be0915f457ea7a34f81374782c5273f7bc4dc8e8aaa7589960d1b046984b7e797a7c69bc731814f3d70472a457dd06ac74fb88e7d236

Download Submit
C:\Windows\System\uxBocMP.exe
Filesize
5.9MB

MD5
cc98a490d07e5a5890111c13f01d020a

SHA1
40cdc57e8b59a2697d45da7d245a0d866908c198

SHA256
769987ce88f94e39950929c06f75858aeaba07aef9d6e547d278790ac079a960

SHA512
fc242f642defb8c419bbaa6c593f63f9e632292c0ea217cd4354dcbc90b95ad57ff2ab758cba6df6f8ecb5f1d676c0735ce308300caae5fe9c43c8c9d81d11f2

Download Submit
C:\Windows\System\yJUhabn.exe
Filesize
5.9MB

MD5
b611872e7c0405dbe19e780e8e69e36f

SHA1
154d78ac21499c8eaadccc5d3be9d0961ab62174

SHA256
cff82d7fa510fce0eedb13bcc908e10cacc38a88d356704f08409bc0cf34ed4f

SHA512
2b76af5618593400f9c505e6e868b701c20609bd31ffa7598f19d54ad314657d0bc0bcf440be12b7daf7e381fa403c9825ea303bb975bcb4b8ea7c4c934b4afc

Download Submit
C:\Windows\System\ybNuExg.exe
Filesize
5.9MB

MD5
dc446621a6de9f8b241852c249cd691b

SHA1
097d1f4b00096d10d3d12734fed5a99cc6d9403e

SHA256
7bc6ca62be5724dd6a8a1010d2738802caf0d5d1a6fbcc8698602021e04debad

SHA512
e681d9f9917ad08a417f86b47200043f27109a43ce11ecfc43680ca1f7330a2202f8714a1498b115705a4dc74e3e6c0d1e8043325ccf72acd990d6be1329cfe7

Download Submit
memory/696-161-0x00007FF736520000-0x00007FF736874000-memory.dmp

Filesize
3.3MB

Download
memory/696-140-0x00007FF736520000-0x00007FF736874000-memory.dmp

Filesize
3.3MB

Download
memory/696-107-0x00007FF736520000-0x00007FF736874000-memory.dmp

Filesize
3.3MB

Download
memory/1032-139-0x00007FF7A4730000-0x00007FF7A4A84000-memory.dmp

Filesize
3.3MB

Download
memory/1032-159-0x00007FF7A4730000-0x00007FF7A4A84000-memory.dmp

Filesize
3.3MB

Download
memory/1032-103-0x00007FF7A4730000-0x00007FF7A4A84000-memory.dmp

Filesize
3.3MB

Download
memory/1532-152-0x00007FF62BCB0000-0x00007FF62C004000-memory.dmp

Filesize
3.3MB

Download
memory/1532-56-0x00007FF62BCB0000-0x00007FF62C004000-memory.dmp

Filesize
3.3MB

Download
memory/1624-120-0x00007FF66BF00000-0x00007FF66C254000-memory.dmp

Filesize
3.3MB

Download
memory/1624-141-0x00007FF66BF00000-0x00007FF66C254000-memory.dmp

Filesize
3.3MB

Download
memory/1624-163-0x00007FF66BF00000-0x00007FF66C254000-memory.dmp

Filesize
3.3MB

Download
memory/1960-164-0x00007FF664D80000-0x00007FF6650D4000-memory.dmp

Filesize
3.3MB

Download
memory/1960-133-0x00007FF664D80000-0x00007FF6650D4000-memory.dmp

Filesize
3.3MB

Download
memory/1972-147-0x00007FF763080000-0x00007FF7633D4000-memory.dmp

Filesize
3.3MB

Download
memory/1972-26-0x00007FF763080000-0x00007FF7633D4000-memory.dmp

Filesize
3.3MB

Download
memory/1972-106-0x00007FF763080000-0x00007FF7633D4000-memory.dmp

Filesize
3.3MB

Download
memory/2564-1-0x0000025FE78A0000-0x0000025FE78B0000-memory.dmp

Filesize
64KB

Download
memory/2564-0-0x00007FF6B9610000-0x00007FF6B9964000-memory.dmp

Filesize
3.3MB

Download
memory/2564-62-0x00007FF6B9610000-0x00007FF6B9964000-memory.dmp

Filesize
3.3MB

Download
memory/2772-151-0x00007FF64BF70000-0x00007FF64C2C4000-memory.dmp

Filesize
3.3MB

Download
memory/2772-44-0x00007FF64BF70000-0x00007FF64C2C4000-memory.dmp

Filesize
3.3MB

Download
memory/2772-125-0x00007FF64BF70000-0x00007FF64C2C4000-memory.dmp

Filesize
3.3MB

Download
memory/3192-145-0x00007FF690150000-0x00007FF6904A4000-memory.dmp

Filesize
3.3MB

Download
memory/3192-79-0x00007FF690150000-0x00007FF6904A4000-memory.dmp

Filesize
3.3MB

Download
memory/3192-14-0x00007FF690150000-0x00007FF6904A4000-memory.dmp

Filesize
3.3MB

Download
memory/3220-80-0x00007FF612F60000-0x00007FF6132B4000-memory.dmp

Filesize
3.3MB

Download
memory/3220-146-0x00007FF612F60000-0x00007FF6132B4000-memory.dmp

Filesize
3.3MB

Download
memory/3220-22-0x00007FF612F60000-0x00007FF6132B4000-memory.dmp

Filesize
3.3MB

Download
memory/3296-71-0x00007FF6B3970000-0x00007FF6B3CC4000-memory.dmp

Filesize
3.3MB

Download
memory/3296-137-0x00007FF6B3970000-0x00007FF6B3CC4000-memory.dmp

Filesize
3.3MB

Download
memory/3296-155-0x00007FF6B3970000-0x00007FF6B3CC4000-memory.dmp

Filesize
3.3MB

Download
memory/3416-126-0x00007FF77FCF0000-0x00007FF780044000-memory.dmp

Filesize
3.3MB

Download
memory/3416-160-0x00007FF77FCF0000-0x00007FF780044000-memory.dmp

Filesize
3.3MB

Download
memory/3416-143-0x00007FF77FCF0000-0x00007FF780044000-memory.dmp

Filesize
3.3MB

Download
memory/3556-81-0x00007FF61BA70000-0x00007FF61BDC4000-memory.dmp

Filesize
3.3MB

Download
memory/3556-157-0x00007FF61BA70000-0x00007FF61BDC4000-memory.dmp

Filesize
3.3MB

Download
memory/3556-138-0x00007FF61BA70000-0x00007FF61BDC4000-memory.dmp

Filesize
3.3MB

Download
memory/3656-150-0x00007FF6920C0000-0x00007FF692414000-memory.dmp

Filesize
3.3MB

Download
memory/3656-48-0x00007FF6920C0000-0x00007FF692414000-memory.dmp

Filesize
3.3MB

Download
memory/3656-134-0x00007FF6920C0000-0x00007FF692414000-memory.dmp

Filesize
3.3MB

Download
memory/3724-148-0x00007FF754560000-0x00007FF7548B4000-memory.dmp

Filesize
3.3MB

Download
memory/3724-32-0x00007FF754560000-0x00007FF7548B4000-memory.dmp

Filesize
3.3MB

Download
memory/3844-144-0x00007FF731BD0000-0x00007FF731F24000-memory.dmp

Filesize
3.3MB

Download
memory/3844-7-0x00007FF731BD0000-0x00007FF731F24000-memory.dmp

Filesize
3.3MB

Download
memory/3844-70-0x00007FF731BD0000-0x00007FF731F24000-memory.dmp

Filesize
3.3MB

Download
memory/4224-63-0x00007FF75A100000-0x00007FF75A454000-memory.dmp

Filesize
3.3MB

Download
memory/4224-135-0x00007FF75A100000-0x00007FF75A454000-memory.dmp

Filesize
3.3MB

Download
memory/4224-153-0x00007FF75A100000-0x00007FF75A454000-memory.dmp

Filesize
3.3MB

Download
memory/4368-75-0x00007FF773BF0000-0x00007FF773F44000-memory.dmp

Filesize
3.3MB

Download
memory/4368-154-0x00007FF773BF0000-0x00007FF773F44000-memory.dmp

Filesize
3.3MB

Download
memory/4368-136-0x00007FF773BF0000-0x00007FF773F44000-memory.dmp

Filesize
3.3MB

Download
memory/4448-158-0x00007FF617310000-0x00007FF617664000-memory.dmp

Filesize
3.3MB

Download
memory/4448-102-0x00007FF617310000-0x00007FF617664000-memory.dmp

Filesize
3.3MB

Download
memory/4528-118-0x00007FF7AC320000-0x00007FF7AC674000-memory.dmp

Filesize
3.3MB

Download
memory/4528-142-0x00007FF7AC320000-0x00007FF7AC674000-memory.dmp

Filesize
3.3MB

Download
memory/4528-162-0x00007FF7AC320000-0x00007FF7AC674000-memory.dmp

Filesize
3.3MB

Download
memory/4544-156-0x00007FF66A5A0000-0x00007FF66A8F4000-memory.dmp

Filesize
3.3MB

Download
memory/4544-100-0x00007FF66A5A0000-0x00007FF66A8F4000-memory.dmp

Filesize
3.3MB

Download
memory/5076-38-0x00007FF614FB0000-0x00007FF615304000-memory.dmp

Filesize
3.3MB

Download
memory/5076-149-0x00007FF614FB0000-0x00007FF615304000-memory.dmp

Filesize
3.3MB

Download