cobaltstrike | 371dad4a401af27bf5a2892f82b7188dd6cb6699eab4d52f4a63488f057c257a

Analysis

max time kernel
140s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/09/2024, 21:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

1e704c5a02c28daf09f6b372a21b8b0a
SHA1

4bf1d901a18d71211f3a9d58f30220f7def73998
SHA256

371dad4a401af27bf5a2892f82b7188dd6cb6699eab4d52f4a63488f057c257a
SHA512

a942d73362a0c76583c2ffa1a9aec29847a753dd21e26197459c32f2f4e22aeaaa128ab5ab0d849f517839814837ec5fd65c1a3a308f8d3d619da6c049712ccb
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lc:RWWBibf56utgpPFotBER/mQ32lUQ

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x000c0000000122e0-3.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016a47-7.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016c58-22.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016c3d-20.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016cd3-37.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017403-114.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000018678-125.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016cfe-43.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001747b-122.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000018690-129.dat	cobalt_reflective_dll
behavioral1/files/0x001500000001866d-117.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000173aa-107.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000174ac-102.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000017409-82.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000173fb-70.dat	cobalt_reflective_dll
behavioral1/files/0x00060000000173e4-69.dat	cobalt_reflective_dll
behavioral1/files/0x000900000001650a-59.dat	cobalt_reflective_dll
behavioral1/files/0x0008000000016d0b-55.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001752f-112.dat	cobalt_reflective_dll
behavioral1/files/0x000600000001748f-90.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000016ca2-34.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 39 IoCs

miner

resource	yara_rule
behavioral1/memory/2340-19-0x000000013F680000-0x000000013F9D1000-memory.dmp	xmrig
behavioral1/memory/2504-41-0x000000013FB90000-0x000000013FEE1000-memory.dmp	xmrig
behavioral1/memory/2200-94-0x000000013F7D0000-0x000000013FB21000-memory.dmp	xmrig
behavioral1/memory/2376-67-0x000000013F8E0000-0x000000013FC31000-memory.dmp	xmrig
behavioral1/memory/2504-104-0x000000013F100000-0x000000013F451000-memory.dmp	xmrig
behavioral1/memory/2428-103-0x000000013FDD0000-0x0000000140121000-memory.dmp	xmrig
behavioral1/memory/2300-99-0x000000013F5C0000-0x000000013F911000-memory.dmp	xmrig
behavioral1/memory/2780-98-0x000000013F660000-0x000000013F9B1000-memory.dmp	xmrig
behavioral1/memory/2688-137-0x000000013F2F0000-0x000000013F641000-memory.dmp	xmrig
behavioral1/memory/2476-53-0x000000013FFC0000-0x0000000140311000-memory.dmp	xmrig
behavioral1/memory/2592-80-0x000000013F940000-0x000000013FC91000-memory.dmp	xmrig
behavioral1/memory/2972-138-0x000000013F3C0000-0x000000013F711000-memory.dmp	xmrig
behavioral1/memory/2504-139-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig
behavioral1/memory/2588-141-0x000000013FEC0000-0x0000000140211000-memory.dmp	xmrig
behavioral1/memory/2504-142-0x000000013FB90000-0x000000013FEE1000-memory.dmp	xmrig
behavioral1/memory/2156-147-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig
behavioral1/memory/3032-152-0x000000013F9B0000-0x000000013FD01000-memory.dmp	xmrig
behavioral1/memory/2920-164-0x000000013F8D0000-0x000000013FC21000-memory.dmp	xmrig
behavioral1/memory/2504-165-0x000000013F100000-0x000000013F451000-memory.dmp	xmrig
behavioral1/memory/1492-163-0x000000013F250000-0x000000013F5A1000-memory.dmp	xmrig
behavioral1/memory/952-162-0x000000013FF60000-0x00000001402B1000-memory.dmp	xmrig
behavioral1/memory/1984-161-0x000000013F300000-0x000000013F651000-memory.dmp	xmrig
behavioral1/memory/1800-160-0x000000013F100000-0x000000013F451000-memory.dmp	xmrig
behavioral1/memory/2724-158-0x000000013F460000-0x000000013F7B1000-memory.dmp	xmrig
behavioral1/memory/2708-156-0x000000013F310000-0x000000013F661000-memory.dmp	xmrig
behavioral1/memory/2540-154-0x000000013F9E0000-0x000000013FD31000-memory.dmp	xmrig
behavioral1/memory/2504-166-0x000000013FB90000-0x000000013FEE1000-memory.dmp	xmrig
behavioral1/memory/2340-228-0x000000013F680000-0x000000013F9D1000-memory.dmp	xmrig
behavioral1/memory/2476-230-0x000000013FFC0000-0x0000000140311000-memory.dmp	xmrig
behavioral1/memory/2428-232-0x000000013FDD0000-0x0000000140121000-memory.dmp	xmrig
behavioral1/memory/2300-234-0x000000013F5C0000-0x000000013F911000-memory.dmp	xmrig
behavioral1/memory/2688-236-0x000000013F2F0000-0x000000013F641000-memory.dmp	xmrig
behavioral1/memory/2972-238-0x000000013F3C0000-0x000000013F711000-memory.dmp	xmrig
behavioral1/memory/2376-240-0x000000013F8E0000-0x000000013FC31000-memory.dmp	xmrig
behavioral1/memory/2588-244-0x000000013FEC0000-0x0000000140211000-memory.dmp	xmrig
behavioral1/memory/2592-243-0x000000013F940000-0x000000013FC91000-memory.dmp	xmrig
behavioral1/memory/2200-246-0x000000013F7D0000-0x000000013FB21000-memory.dmp	xmrig
behavioral1/memory/2780-248-0x000000013F660000-0x000000013F9B1000-memory.dmp	xmrig
behavioral1/memory/2156-255-0x000000013F6E0000-0x000000013FA31000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2476	JEnjWBg.exe
2340	cEOnrnA.exe
2300	tLYyBFT.exe
2428	tWdIasx.exe
2688	ZFgmzhr.exe
2972	VTnbcMG.exe
2376	loHsmpX.exe
2588	tYqmsKd.exe
2592	pkNYDVo.exe
2200	rAmOxas.exe
2780	LqbpxAi.exe
2156	CbWpFft.exe
3032	wfrlYnL.exe
1984	ANbLKhv.exe
2540	OkmNPeb.exe
2708	NhfQXxU.exe
2724	ziPSpwC.exe
1492	LZZYdXN.exe
1800	OXHauQU.exe
952	dKzwcts.exe
2920	HkydVDi.exe

Loads dropped DLL 21 IoCs

pid	Process
2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2504-0-0x000000013FB90000-0x000000013FEE1000-memory.dmp	upx
behavioral1/files/0x000c0000000122e0-3.dat	upx
behavioral1/memory/2504-6-0x000000013F680000-0x000000013F9D1000-memory.dmp	upx
behavioral1/files/0x0007000000016a47-7.dat	upx
behavioral1/files/0x0007000000016c58-22.dat	upx
behavioral1/memory/2340-19-0x000000013F680000-0x000000013F9D1000-memory.dmp	upx
behavioral1/memory/2300-21-0x000000013F5C0000-0x000000013F911000-memory.dmp	upx
behavioral1/memory/2428-29-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
behavioral1/files/0x0008000000016c3d-20.dat	upx
behavioral1/memory/2476-18-0x000000013FFC0000-0x0000000140311000-memory.dmp	upx
behavioral1/files/0x0007000000016cd3-37.dat	upx
behavioral1/memory/2504-41-0x000000013FB90000-0x000000013FEE1000-memory.dmp	upx
behavioral1/memory/2688-35-0x000000013F2F0000-0x000000013F641000-memory.dmp	upx
behavioral1/memory/2200-94-0x000000013F7D0000-0x000000013FB21000-memory.dmp	upx
behavioral1/files/0x0006000000017403-114.dat	upx
behavioral1/files/0x0009000000018678-125.dat	upx
behavioral1/files/0x0008000000016cfe-43.dat	upx
behavioral1/memory/2376-67-0x000000013F8E0000-0x000000013FC31000-memory.dmp	upx
behavioral1/files/0x000600000001747b-122.dat	upx
behavioral1/files/0x0005000000018690-129.dat	upx
behavioral1/files/0x001500000001866d-117.dat	upx
behavioral1/files/0x00060000000173aa-107.dat	upx
behavioral1/memory/2428-103-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
behavioral1/files/0x00060000000174ac-102.dat	upx
behavioral1/memory/2156-101-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/memory/2300-99-0x000000013F5C0000-0x000000013F911000-memory.dmp	upx
behavioral1/memory/2780-98-0x000000013F660000-0x000000013F9B1000-memory.dmp	upx
behavioral1/files/0x0006000000017409-82.dat	upx
behavioral1/memory/2588-74-0x000000013FEC0000-0x0000000140211000-memory.dmp	upx
behavioral1/files/0x00060000000173fb-70.dat	upx
behavioral1/files/0x00060000000173e4-69.dat	upx
behavioral1/memory/2688-137-0x000000013F2F0000-0x000000013F641000-memory.dmp	upx
behavioral1/files/0x000900000001650a-59.dat	upx
behavioral1/files/0x0008000000016d0b-55.dat	upx
behavioral1/memory/2476-53-0x000000013FFC0000-0x0000000140311000-memory.dmp	upx
behavioral1/memory/2972-47-0x000000013F3C0000-0x000000013F711000-memory.dmp	upx
behavioral1/files/0x000600000001752f-112.dat	upx
behavioral1/files/0x000600000001748f-90.dat	upx
behavioral1/files/0x0007000000016ca2-34.dat	upx
behavioral1/memory/2592-80-0x000000013F940000-0x000000013FC91000-memory.dmp	upx
behavioral1/memory/2972-138-0x000000013F3C0000-0x000000013F711000-memory.dmp	upx
behavioral1/memory/2588-141-0x000000013FEC0000-0x0000000140211000-memory.dmp	upx
behavioral1/memory/2504-142-0x000000013FB90000-0x000000013FEE1000-memory.dmp	upx
behavioral1/memory/2156-147-0x000000013F6E0000-0x000000013FA31000-memory.dmp	upx
behavioral1/memory/3032-152-0x000000013F9B0000-0x000000013FD01000-memory.dmp	upx
behavioral1/memory/2920-164-0x000000013F8D0000-0x000000013FC21000-memory.dmp	upx
behavioral1/memory/1492-163-0x000000013F250000-0x000000013F5A1000-memory.dmp	upx
behavioral1/memory/952-162-0x000000013FF60000-0x00000001402B1000-memory.dmp	upx
behavioral1/memory/1984-161-0x000000013F300000-0x000000013F651000-memory.dmp	upx
behavioral1/memory/1800-160-0x000000013F100000-0x000000013F451000-memory.dmp	upx
behavioral1/memory/2724-158-0x000000013F460000-0x000000013F7B1000-memory.dmp	upx
behavioral1/memory/2708-156-0x000000013F310000-0x000000013F661000-memory.dmp	upx
behavioral1/memory/2540-154-0x000000013F9E0000-0x000000013FD31000-memory.dmp	upx
behavioral1/memory/2504-166-0x000000013FB90000-0x000000013FEE1000-memory.dmp	upx
behavioral1/memory/2340-228-0x000000013F680000-0x000000013F9D1000-memory.dmp	upx
behavioral1/memory/2476-230-0x000000013FFC0000-0x0000000140311000-memory.dmp	upx
behavioral1/memory/2428-232-0x000000013FDD0000-0x0000000140121000-memory.dmp	upx
behavioral1/memory/2300-234-0x000000013F5C0000-0x000000013F911000-memory.dmp	upx
behavioral1/memory/2688-236-0x000000013F2F0000-0x000000013F641000-memory.dmp	upx
behavioral1/memory/2972-238-0x000000013F3C0000-0x000000013F711000-memory.dmp	upx
behavioral1/memory/2376-240-0x000000013F8E0000-0x000000013FC31000-memory.dmp	upx
behavioral1/memory/2588-244-0x000000013FEC0000-0x0000000140211000-memory.dmp	upx
behavioral1/memory/2592-243-0x000000013F940000-0x000000013FC91000-memory.dmp	upx
behavioral1/memory/2200-246-0x000000013F7D0000-0x000000013FB21000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\tWdIasx.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZFgmzhr.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tYqmsKd.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pkNYDVo.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NhfQXxU.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ziPSpwC.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CbWpFft.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\loHsmpX.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wfrlYnL.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OkmNPeb.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rAmOxas.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LZZYdXN.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cEOnrnA.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OXHauQU.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JEnjWBg.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tLYyBFT.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VTnbcMG.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LqbpxAi.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ANbLKhv.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dKzwcts.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HkydVDi.exe	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2340	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2504 wrote to memory of 2340	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2504 wrote to memory of 2340	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 2504 wrote to memory of 2476	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2504 wrote to memory of 2476	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2504 wrote to memory of 2476	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 2504 wrote to memory of 2300	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2504 wrote to memory of 2300	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2504 wrote to memory of 2300	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 2504 wrote to memory of 2428	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2504 wrote to memory of 2428	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2504 wrote to memory of 2428	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 2504 wrote to memory of 2688	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2504 wrote to memory of 2688	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2504 wrote to memory of 2688	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 2504 wrote to memory of 2972	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2504 wrote to memory of 2972	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2504 wrote to memory of 2972	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 2504 wrote to memory of 2156	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2504 wrote to memory of 2156	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2504 wrote to memory of 2156	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 2504 wrote to memory of 2376	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2504 wrote to memory of 2376	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2504 wrote to memory of 2376	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 2504 wrote to memory of 3032	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2504 wrote to memory of 3032	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2504 wrote to memory of 3032	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 2504 wrote to memory of 2588	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2504 wrote to memory of 2588	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2504 wrote to memory of 2588	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 2504 wrote to memory of 2540	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2504 wrote to memory of 2540	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2504 wrote to memory of 2540	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 2504 wrote to memory of 2592	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2504 wrote to memory of 2592	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2504 wrote to memory of 2592	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 2504 wrote to memory of 2708	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2504 wrote to memory of 2708	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2504 wrote to memory of 2708	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 2504 wrote to memory of 2200	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2504 wrote to memory of 2200	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2504 wrote to memory of 2200	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 2504 wrote to memory of 2724	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2504 wrote to memory of 2724	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2504 wrote to memory of 2724	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 2504 wrote to memory of 2780	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2504 wrote to memory of 2780	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2504 wrote to memory of 2780	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 2504 wrote to memory of 1800	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2504 wrote to memory of 1800	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2504 wrote to memory of 1800	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 2504 wrote to memory of 1984	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2504 wrote to memory of 1984	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2504 wrote to memory of 1984	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 2504 wrote to memory of 952	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2504 wrote to memory of 952	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2504 wrote to memory of 952	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 2504 wrote to memory of 1492	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2504 wrote to memory of 1492	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2504 wrote to memory of 1492	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	51
PID 2504 wrote to memory of 2920	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2504 wrote to memory of 2920	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	52
PID 2504 wrote to memory of 2920	2504	2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe	52

C:\Users\Admin\AppData\Local\Temp\2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-20_1e704c5a02c28daf09f6b372a21b8b0a_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\System\cEOnrnA.exe
  C:\Windows\System\cEOnrnA.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System\JEnjWBg.exe
  C:\Windows\System\JEnjWBg.exe
  2⤵
  - Executes dropped EXE
  PID:2476
- C:\Windows\System\tLYyBFT.exe
  C:\Windows\System\tLYyBFT.exe
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\System\tWdIasx.exe
  C:\Windows\System\tWdIasx.exe
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\Windows\System\ZFgmzhr.exe
  C:\Windows\System\ZFgmzhr.exe
  2⤵
  - Executes dropped EXE
  PID:2688
- C:\Windows\System\VTnbcMG.exe
  C:\Windows\System\VTnbcMG.exe
  2⤵
  - Executes dropped EXE
  PID:2972
- C:\Windows\System\CbWpFft.exe
  C:\Windows\System\CbWpFft.exe
  2⤵
  - Executes dropped EXE
  PID:2156
- C:\Windows\System\loHsmpX.exe
  C:\Windows\System\loHsmpX.exe
  2⤵
  - Executes dropped EXE
  PID:2376
- C:\Windows\System\wfrlYnL.exe
  C:\Windows\System\wfrlYnL.exe
  2⤵
  - Executes dropped EXE
  PID:3032
- C:\Windows\System\tYqmsKd.exe
  C:\Windows\System\tYqmsKd.exe
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\Windows\System\OkmNPeb.exe
  C:\Windows\System\OkmNPeb.exe
  2⤵
  - Executes dropped EXE
  PID:2540
- C:\Windows\System\pkNYDVo.exe
  C:\Windows\System\pkNYDVo.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System\NhfQXxU.exe
  C:\Windows\System\NhfQXxU.exe
  2⤵
  - Executes dropped EXE
  PID:2708
- C:\Windows\System\rAmOxas.exe
  C:\Windows\System\rAmOxas.exe
  2⤵
  - Executes dropped EXE
  PID:2200
- C:\Windows\System\ziPSpwC.exe
  C:\Windows\System\ziPSpwC.exe
  2⤵
  - Executes dropped EXE
  PID:2724
- C:\Windows\System\LqbpxAi.exe
  C:\Windows\System\LqbpxAi.exe
  2⤵
  - Executes dropped EXE
  PID:2780
- C:\Windows\System\OXHauQU.exe
  C:\Windows\System\OXHauQU.exe
  2⤵
  - Executes dropped EXE
  PID:1800
- C:\Windows\System\ANbLKhv.exe
  C:\Windows\System\ANbLKhv.exe
  2⤵
  - Executes dropped EXE
  PID:1984
- C:\Windows\System\dKzwcts.exe
  C:\Windows\System\dKzwcts.exe
  2⤵
  - Executes dropped EXE
  PID:952
- C:\Windows\System\LZZYdXN.exe
  C:\Windows\System\LZZYdXN.exe
  2⤵
  - Executes dropped EXE
  PID:1492
- C:\Windows\System\HkydVDi.exe
  C:\Windows\System\HkydVDi.exe
  2⤵
  - Executes dropped EXE
  PID:2920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\ANbLKhv.exe

Filesize
5.2MB

MD5
50cec1f2b6b736399150280383075561

SHA1
9ce13b1aba45bf325ffa5798f2316eabc9bd12c9

SHA256
d431dc58d8a2e7b960fac7a126123eb07248121a40017e5b40bb4b8443a9b787

SHA512
0ebd3d20c97224f1fef4b61e324e2e9874ecfe41aea8961baa0621fc7686bc6f97d042db5396d871e3c5ebbe2682696301659456d69db7d415f2d670e2642ccb

Download Submit
C:\Windows\system\LZZYdXN.exe

Filesize
5.2MB

MD5
42a23a4436fb55ae9425c30ee2e38955

SHA1
cd6b2fb8eed8f0baec9e6a0c393791ad60c80998

SHA256
3d9c2b7e00b0d7765f5810c31fde2029c8885ee7e27baaffcb750307e55524e9

SHA512
0030e5034d689ad54222e28524c80bf7c4af09683cb74de225a8595fd37c86289418d030222efceca1e22293543c4a85d6429009a2c80163ff78c77a7d6bbe70

Download Submit
C:\Windows\system\LqbpxAi.exe

Filesize
5.2MB

MD5
558f2abadb976a7002394e681d2ac399

SHA1
559b6280290775a0804de39ca479aaa6a345286c

SHA256
a4993cc81f89fb8fb3b492f6abece78b0b033c68572b8b3349ad5e97285f2117

SHA512
276957852169c6c3de8f2ca399dc41778c4d6b0c23f0e76db1ade61292d840c9f239a0ca50720d53d6eecbd333634e615be08132d36e8b4281fef5275eb4edbb

Download Submit
C:\Windows\system\NhfQXxU.exe

Filesize
5.2MB

MD5
f4e949a9d182cc1f04fff2d0b829ba25

SHA1
435bf0a323354f496f82c8178fadc3868b513376

SHA256
ff6fef931ba45770a03608fe8036fc4647ae2fc00de178a94c161387c733a8b1

SHA512
c9b14bea7725a418d00f0ce8528d4ce5bcb671fd5d5012b8e90a5ff4a60992e37ab6e6ae31575338234e3f8f2190716832a6915a4cac8988670cb8f882cd4e06

Download Submit
C:\Windows\system\ZFgmzhr.exe

Filesize
5.2MB

MD5
8e1df6b05a5df4469974395b21c67262

SHA1
93e24e816994b17bed1ef1873d803fe1365bc6d1

SHA256
95b506ff8f5871e13962cb54735e56362886b3c5d583e8e6c473b107d0d8eb17

SHA512
9f121dc9b81b7ca48ab892b31d36f3fc8af5f98557b7eb98e4b0b7751beab8c802878d29c1496113c4247c319e79f43fe0b5c0fafa6a663ce3869c19b449b527

Download Submit
C:\Windows\system\loHsmpX.exe

Filesize
5.2MB

MD5
d1b97842df9a1567f5a49341ea166e7a

SHA1
38c0b2a699f5bacfa62b40a30cf41a2e2d91b33f

SHA256
8d2651b530ff7de900e8b352527b72698b741075fad4d267f4524681e89643b1

SHA512
0520b67a0e2eaa65d446a258f2720a247c124980fec85d39f324f47b0dc9bee92d8962feea7eae5e9e0414f70b40c1e3206b18622060c68b81f0487f0e60d4e5

Download Submit
C:\Windows\system\pkNYDVo.exe

Filesize
5.2MB

MD5
20d337f65dd0a1a66391bddeb1d24ea0

SHA1
4cc9a3345f369364d3410b838c9e65087ac683cb

SHA256
4fdbc9540229d908603f7f44ebcddb00b2ef404848e61d14abad9c0a03061bc1

SHA512
096032d452a42a8d7dfe0de12ddd1b392ff6154cd56866919980f8f8d98f73ff21829268bb67662768b80774809ea92cb0818c761783f5e9ccc21aa911e1cb5e

Download Submit
C:\Windows\system\rAmOxas.exe

Filesize
5.2MB

MD5
6b773b8fbc5f289a2d1346860cb33ac0

SHA1
d2a713ac61d7e5bd3e5563f09d4282a8c32eaa1a

SHA256
f1b3a0c9c1ded797d0d77ae047dc7e10e1780dc15a9c9902cf970ee5093a5840

SHA512
3d014cf73a6b23a10554ac5a8dc889644ef300639c8e940bba056b5da43286cda40f7b444c1982714959704437b3a69f369d179bdde506a2f58a0a9e5d792445

Download Submit
C:\Windows\system\tLYyBFT.exe

Filesize
5.2MB

MD5
29c55fafb98ba7a66ccf54ebfc2836c8

SHA1
8854fa84403490cdf0cbbb38cbc43a35c377d601

SHA256
e4906e58d5d014d78a2d35fae5a04df5c98a57353b5024bfab219b16a7746db6

SHA512
aa997d89e09ffa5a75f3c3ac90962b4630d6a4e7ff597d3753247873d40efc793607ca83ddc939ad4fd17537b84c4d29d15f4573a6551b4ff501394f3675fd74

Download Submit
C:\Windows\system\tYqmsKd.exe

Filesize
5.2MB

MD5
662d24bf6c28e1f40da3c0250dfbc91e

SHA1
3ec69994b07e4ac19233095049650417c6d39403

SHA256
53da7668baabf7ceb9ae7e96c106060c8f23af618c055b03681ce71acde33740

SHA512
ad7ad6f8d1113d0657c1209c48fe89918b82f23650a7a907885d43eeaae110eea89259e0f04de2ac0fcafed49bba3f102b1e83a2954642f7ffb9ad4c5d907744

Download Submit
C:\Windows\system\wfrlYnL.exe

Filesize
5.2MB

MD5
13614b06016acd60c8042ca9db4e95ac

SHA1
8829917afe65f3873f079dc0c0a1ae308046d70c

SHA256
badeeec7ecd890a56ed62dc842bb0123fcade6e7183680c98f29d5d2faf1d5e5

SHA512
7db69137f361e1037dd06aece8079983f27adc96d66dfe4d39d95b4ce77bd71525f262f486e0bee2c65da45f5a2bd8baa3d1fe243dff64ef43c3dfde9576bdc5

Download Submit
C:\Windows\system\ziPSpwC.exe

Filesize
5.2MB

MD5
772b9c301da7848cd2c85c27904710a6

SHA1
31e4297ab32c57698ec447bce4f4c2a470dbbe9c

SHA256
615f944576051950fa009362cf8fbf4fe1980ebafac1a92a023361b3bb0a560f

SHA512
291115d8a39476f74b6bb7bc01fcc6ccbb91886af9ab7953f0743d6d3a9b7e943d775cc48305f8775f371076188fa805c7d88660bd9054b29321f4c64112643b

Download Submit
\Windows\system\CbWpFft.exe

Filesize
5.2MB

MD5
b3652d819d3d7406173b689482d4d1ba

SHA1
91cea10cac307f8b1952d9469b466db57c24c621

SHA256
d4ac41f32ec2ca34d9eab09d4d70e2021458fa365b9a2b14dca85bfb58b07555

SHA512
a2d74e53298ee49e2e7cb405c9ba0550323774e077b2fd86b22f0586828d7e022cc2934daeb6479d47d5d6ce697a058f57ebce8c62a21d87cb4ad9b635d1ca86

Download Submit
\Windows\system\HkydVDi.exe

Filesize
5.2MB

MD5
530a22ff0eb20ff99f02a87ed4826a6c

SHA1
ab9d098ffb620f19f14d5a2d956401529aaa565c

SHA256
ad96b35ecc86d7f7b8eae7e3cb24c0de8d7393c03c79a1855fb9c12993ffaedc

SHA512
6e5dd177734c3c62b76b91be82a401ae135f76ec39156bf7496966dc7f9f7ced113aff36ff30977e695677b93a0a9a0236cbe295ee376883bd9efcc4790bd504

Download Submit
\Windows\system\JEnjWBg.exe

Filesize
5.2MB

MD5
9c3662eca6dd9d56e0678843b9393da6

SHA1
5040398c417618fbfd2762a4b6c1e8b261684e18

SHA256
bd8564b9b0e2ec9cab7fe2abd3bd10d5f492d97f4841f1cceac7717a887666f0

SHA512
2900be69f8f26c362a3a4e0133c0b99a1a515872020b15bf56ac3b7297364ee39965c63800dc768fa0b9f2b0c8cf423da71ebbbc24c9537b1ce37da47a2f910a

Download Submit
\Windows\system\OXHauQU.exe

Filesize
5.2MB

MD5
150ea50e69380b0796d676c5f7c131e6

SHA1
2158fca5d8e1706d40a8796939c73d93267f1db9

SHA256
8806ef6b730d4ddaf6fa594d1636553c03d4533a8300daebb4e3d72fdb0159ba

SHA512
e44e65690e3c3242bb93f62f583d1a22269ec2c39827c8a4f3e7a5df27fc076ed5921f0c9eaba720a2bf6fc79f336ae981cd629b023b2b645e7db68e82c2b7c6

Download Submit
\Windows\system\OkmNPeb.exe

Filesize
5.2MB

MD5
5d6ebfb38c2ae6ee67a1d1c34fcebc0b

SHA1
941571e28917bffe62412184b2b870fcb77c5cbb

SHA256
a6f37ea9333a871bdf11a02d65ab44fec2b27eed826961bffe9131a291f4a4e9

SHA512
d36694f49118a7f2c377183ee251f7abc71f87ccf6f4bc0e7bfde6c6fd871aa841b5a430ec15fba5bf9598832fca4106c4c84f781e59468a675a70590920e7f4

Download Submit
\Windows\system\VTnbcMG.exe

Filesize
5.2MB

MD5
6b5d924d122d1419baf00a253f6d9c19

SHA1
7669fcaa4f7ddef7484f0b51091828142c4375fe

SHA256
217f53ceef8e24bfd88dcd4247e121a134690465f5304c7ec6b18c6df74e5703

SHA512
4a269a0336ff783f99ac0b9cb0346cd1c484aac41cb5682f118fdc457edf3333fa1a533d9b043c7a57dcc554ed4c800633226176a86dff769e57191c1f2f0574

Download Submit
\Windows\system\cEOnrnA.exe

Filesize
5.2MB

MD5
721cf4ac147d13cbb8e7f1d6e449167b

SHA1
7bd21a2eb34e0ceb7157bd2705c4d50d1c916d65

SHA256
fad494d2974802e06bc01bac765b2fb1853aa0e1bc3384cba6fce3e17f8e2c8d

SHA512
870bd997f48942ed2227f201afafa60116ed62deb2fbb4a3567f3a03cc81736397f0421968aa989c29d0d323559cc9ce229aeb871946b5c07ceb9d546d785f28

Download Submit
\Windows\system\dKzwcts.exe

Filesize
5.2MB

MD5
5c56add8f6ffb185e3d8967fe269444f

SHA1
a8a5ee1f4a0e8a056ba7d4cc6b83765e8c9f0082

SHA256
f27fdd76c2891461652b0d5895fca69c35560c75fdace9d4ccf7b320cd8be954

SHA512
1e14f414283324f6dd7fef3a417fc30960339a83136b04efd85c4d5a9fe3833623533bd3af5ed6befcacac27f4bac8e0eaacda488f4cacbab9b48f6d65b57821

Download Submit
\Windows\system\tWdIasx.exe

Filesize
5.2MB

MD5
9752ac089bcf5392558cfd480d5724ff

SHA1
36c7d4aefdfb90a671ff45e799aeef313398a8b5

SHA256
300b901dd63d1a2070486755babc5c057907b1684ffd24559e2acb189ce4bf8d

SHA512
b9d45927675dd2f085f063e9f088cd599c8e481efb5ce4c69d6bd6af9c7b281c0a5e7e86fc637307393fd1707c0155dabf3e1e9db9416741f6470993469446ad

Download Submit
memory/952-162-0x000000013FF60000-0x00000001402B1000-memory.dmp

Filesize
3.3MB

Download
memory/1492-163-0x000000013F250000-0x000000013F5A1000-memory.dmp

Filesize
3.3MB

Download
memory/1800-160-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/1984-161-0x000000013F300000-0x000000013F651000-memory.dmp

Filesize
3.3MB

Download
memory/2156-101-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2156-255-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2156-147-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2200-246-0x000000013F7D0000-0x000000013FB21000-memory.dmp

Filesize
3.3MB

Download
memory/2200-94-0x000000013F7D0000-0x000000013FB21000-memory.dmp

Filesize
3.3MB

Download
memory/2300-234-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/2300-99-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/2300-21-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/2340-228-0x000000013F680000-0x000000013F9D1000-memory.dmp

Filesize
3.3MB

Download
memory/2340-19-0x000000013F680000-0x000000013F9D1000-memory.dmp

Filesize
3.3MB

Download
memory/2376-67-0x000000013F8E0000-0x000000013FC31000-memory.dmp

Filesize
3.3MB

Download
memory/2376-240-0x000000013F8E0000-0x000000013FC31000-memory.dmp

Filesize
3.3MB

Download
memory/2428-29-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/2428-103-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/2428-232-0x000000013FDD0000-0x0000000140121000-memory.dmp

Filesize
3.3MB

Download
memory/2476-230-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/2476-18-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/2476-53-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/2504-62-0x00000000021E0000-0x0000000002531000-memory.dmp

Filesize
3.3MB

Download
memory/2504-165-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/2504-1-0x0000000000270000-0x0000000000280000-memory.dmp

Filesize
64KB

Download
memory/2504-0-0x000000013FB90000-0x000000013FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/2504-92-0x000000013F310000-0x000000013F661000-memory.dmp

Filesize
3.3MB

Download
memory/2504-71-0x00000000021E0000-0x0000000002531000-memory.dmp

Filesize
3.3MB

Download
memory/2504-89-0x00000000021E0000-0x0000000002531000-memory.dmp

Filesize
3.3MB

Download
memory/2504-6-0x000000013F680000-0x000000013F9D1000-memory.dmp

Filesize
3.3MB

Download
memory/2504-25-0x00000000021E0000-0x0000000002531000-memory.dmp

Filesize
3.3MB

Download
memory/2504-12-0x000000013FFC0000-0x0000000140311000-memory.dmp

Filesize
3.3MB

Download
memory/2504-31-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/2504-38-0x000000013F3C0000-0x000000013F711000-memory.dmp

Filesize
3.3MB

Download
memory/2504-139-0x000000013F6E0000-0x000000013FA31000-memory.dmp

Filesize
3.3MB

Download
memory/2504-140-0x00000000021E0000-0x0000000002531000-memory.dmp

Filesize
3.3MB

Download
memory/2504-41-0x000000013FB90000-0x000000013FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/2504-142-0x000000013FB90000-0x000000013FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/2504-97-0x000000013F660000-0x000000013F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/2504-91-0x00000000021E0000-0x0000000002531000-memory.dmp

Filesize
3.3MB

Download
memory/2504-166-0x000000013FB90000-0x000000013FEE1000-memory.dmp

Filesize
3.3MB

Download
memory/2504-93-0x000000013F7D0000-0x000000013FB21000-memory.dmp

Filesize
3.3MB

Download
memory/2504-95-0x000000013F460000-0x000000013F7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2504-104-0x000000013F100000-0x000000013F451000-memory.dmp

Filesize
3.3MB

Download
memory/2540-154-0x000000013F9E0000-0x000000013FD31000-memory.dmp

Filesize
3.3MB

Download
memory/2588-141-0x000000013FEC0000-0x0000000140211000-memory.dmp

Filesize
3.3MB

Download
memory/2588-74-0x000000013FEC0000-0x0000000140211000-memory.dmp

Filesize
3.3MB

Download
memory/2588-244-0x000000013FEC0000-0x0000000140211000-memory.dmp

Filesize
3.3MB

Download
memory/2592-80-0x000000013F940000-0x000000013FC91000-memory.dmp

Filesize
3.3MB

Download
memory/2592-243-0x000000013F940000-0x000000013FC91000-memory.dmp

Filesize
3.3MB

Download
memory/2688-236-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/2688-35-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/2688-137-0x000000013F2F0000-0x000000013F641000-memory.dmp

Filesize
3.3MB

Download
memory/2708-156-0x000000013F310000-0x000000013F661000-memory.dmp

Filesize
3.3MB

Download
memory/2724-158-0x000000013F460000-0x000000013F7B1000-memory.dmp

Filesize
3.3MB

Download
memory/2780-98-0x000000013F660000-0x000000013F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/2780-248-0x000000013F660000-0x000000013F9B1000-memory.dmp

Filesize
3.3MB

Download
memory/2920-164-0x000000013F8D0000-0x000000013FC21000-memory.dmp

Filesize
3.3MB

Download
memory/2972-238-0x000000013F3C0000-0x000000013F711000-memory.dmp

Filesize
3.3MB

Download
memory/2972-138-0x000000013F3C0000-0x000000013F711000-memory.dmp

Filesize
3.3MB

Download
memory/2972-47-0x000000013F3C0000-0x000000013F711000-memory.dmp

Filesize
3.3MB

Download
memory/3032-152-0x000000013F9B0000-0x000000013FD01000-memory.dmp

Filesize
3.3MB

Download