cobaltstrike | fa898d29c2098544aff71ed3b9bb3822d4df6fa3a728d813be2e720079d09274

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 02:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

a6016ee33ea98acdaee2212d168ebbf7
SHA1

2e40871d784432083befe800b876925109c0d5df
SHA256

fa898d29c2098544aff71ed3b9bb3822d4df6fa3a728d813be2e720079d09274
SHA512

0f5143c0407a9a9cbaf6d7d470ee57cdd356de93d486e8df3a37caea5f2b44e8f26e5625837a250682da4f600959f61c06bd55dff3e460d8b51e6977bb4dea8c
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lr:RWWBibf56utgpPFotBER/mQ32lU/

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\System\qlemXxI.exe	cobalt_reflective_dll
C:\Windows\System\FNjpzET.exe	cobalt_reflective_dll
C:\Windows\System\QdYRJqg.exe	cobalt_reflective_dll
C:\Windows\System\jSjaGQK.exe	cobalt_reflective_dll
C:\Windows\System\fhtFPwd.exe	cobalt_reflective_dll
C:\Windows\System\kMxYvhQ.exe	cobalt_reflective_dll
C:\Windows\System\lvuthOv.exe	cobalt_reflective_dll
C:\Windows\System\uDELMmV.exe	cobalt_reflective_dll
C:\Windows\System\aPoBHLU.exe	cobalt_reflective_dll
C:\Windows\System\pxHSCTG.exe	cobalt_reflective_dll
C:\Windows\System\qhpFMKB.exe	cobalt_reflective_dll
C:\Windows\System\TUaSvmy.exe	cobalt_reflective_dll
C:\Windows\System\WNLYoWQ.exe	cobalt_reflective_dll
C:\Windows\System\eTMYsqr.exe	cobalt_reflective_dll
C:\Windows\System\XWpZQiu.exe	cobalt_reflective_dll
C:\Windows\System\qIzHTRR.exe	cobalt_reflective_dll
C:\Windows\System\lWOblkl.exe	cobalt_reflective_dll
C:\Windows\System\mfXXCGp.exe	cobalt_reflective_dll
C:\Windows\System\iYtPJPE.exe	cobalt_reflective_dll
C:\Windows\System\xUdFQFW.exe	cobalt_reflective_dll
C:\Windows\System\QfeOCfR.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/732-75-0x00007FF73DA30000-0x00007FF73DD81000-memory.dmp	xmrig
behavioral2/memory/3204-76-0x00007FF785C70000-0x00007FF785FC1000-memory.dmp	xmrig
behavioral2/memory/3168-72-0x00007FF637430000-0x00007FF637781000-memory.dmp	xmrig
behavioral2/memory/2036-56-0x00007FF676090000-0x00007FF6763E1000-memory.dmp	xmrig
behavioral2/memory/2344-41-0x00007FF6AD550000-0x00007FF6AD8A1000-memory.dmp	xmrig
behavioral2/memory/2408-82-0x00007FF719170000-0x00007FF7194C1000-memory.dmp	xmrig
behavioral2/memory/4516-119-0x00007FF6FC8F0000-0x00007FF6FCC41000-memory.dmp	xmrig
behavioral2/memory/1380-114-0x00007FF6C8900000-0x00007FF6C8C51000-memory.dmp	xmrig
behavioral2/memory/4364-102-0x00007FF7544F0000-0x00007FF754841000-memory.dmp	xmrig
behavioral2/memory/1856-84-0x00007FF649EF0000-0x00007FF64A241000-memory.dmp	xmrig
behavioral2/memory/4820-81-0x00007FF602610000-0x00007FF602961000-memory.dmp	xmrig
behavioral2/memory/3344-133-0x00007FF6A8FF0000-0x00007FF6A9341000-memory.dmp	xmrig
behavioral2/memory/2344-134-0x00007FF6AD550000-0x00007FF6AD8A1000-memory.dmp	xmrig
behavioral2/memory/3252-138-0x00007FF7A7DF0000-0x00007FF7A8141000-memory.dmp	xmrig
behavioral2/memory/1540-135-0x00007FF799DE0000-0x00007FF79A131000-memory.dmp	xmrig
behavioral2/memory/3416-137-0x00007FF790310000-0x00007FF790661000-memory.dmp	xmrig
behavioral2/memory/1200-136-0x00007FF7D3DC0000-0x00007FF7D4111000-memory.dmp	xmrig
behavioral2/memory/5084-132-0x00007FF79A120000-0x00007FF79A471000-memory.dmp	xmrig
behavioral2/memory/2448-142-0x00007FF7108A0000-0x00007FF710BF1000-memory.dmp	xmrig
behavioral2/memory/1716-143-0x00007FF678EE0000-0x00007FF679231000-memory.dmp	xmrig
behavioral2/memory/2144-144-0x00007FF74B0D0000-0x00007FF74B421000-memory.dmp	xmrig
behavioral2/memory/2036-145-0x00007FF676090000-0x00007FF6763E1000-memory.dmp	xmrig
behavioral2/memory/4184-155-0x00007FF62C9F0000-0x00007FF62CD41000-memory.dmp	xmrig
behavioral2/memory/2828-151-0x00007FF68B1F0000-0x00007FF68B541000-memory.dmp	xmrig
behavioral2/memory/2036-167-0x00007FF676090000-0x00007FF6763E1000-memory.dmp	xmrig
behavioral2/memory/3168-195-0x00007FF637430000-0x00007FF637781000-memory.dmp	xmrig
behavioral2/memory/1856-197-0x00007FF649EF0000-0x00007FF64A241000-memory.dmp	xmrig
behavioral2/memory/4820-199-0x00007FF602610000-0x00007FF602961000-memory.dmp	xmrig
behavioral2/memory/2408-210-0x00007FF719170000-0x00007FF7194C1000-memory.dmp	xmrig
behavioral2/memory/3344-221-0x00007FF6A8FF0000-0x00007FF6A9341000-memory.dmp	xmrig
behavioral2/memory/2344-222-0x00007FF6AD550000-0x00007FF6AD8A1000-memory.dmp	xmrig
behavioral2/memory/1540-224-0x00007FF799DE0000-0x00007FF79A131000-memory.dmp	xmrig
behavioral2/memory/732-226-0x00007FF73DA30000-0x00007FF73DD81000-memory.dmp	xmrig
behavioral2/memory/3416-228-0x00007FF790310000-0x00007FF790661000-memory.dmp	xmrig
behavioral2/memory/1200-230-0x00007FF7D3DC0000-0x00007FF7D4111000-memory.dmp	xmrig
behavioral2/memory/3252-234-0x00007FF7A7DF0000-0x00007FF7A8141000-memory.dmp	xmrig
behavioral2/memory/3204-233-0x00007FF785C70000-0x00007FF785FC1000-memory.dmp	xmrig
behavioral2/memory/4364-239-0x00007FF7544F0000-0x00007FF754841000-memory.dmp	xmrig
behavioral2/memory/4516-247-0x00007FF6FC8F0000-0x00007FF6FCC41000-memory.dmp	xmrig
behavioral2/memory/1380-251-0x00007FF6C8900000-0x00007FF6C8C51000-memory.dmp	xmrig
behavioral2/memory/5084-250-0x00007FF79A120000-0x00007FF79A471000-memory.dmp	xmrig
behavioral2/memory/2448-257-0x00007FF7108A0000-0x00007FF710BF1000-memory.dmp	xmrig
behavioral2/memory/4184-255-0x00007FF62C9F0000-0x00007FF62CD41000-memory.dmp	xmrig
behavioral2/memory/2144-259-0x00007FF74B0D0000-0x00007FF74B421000-memory.dmp	xmrig
behavioral2/memory/2828-253-0x00007FF68B1F0000-0x00007FF68B541000-memory.dmp	xmrig
behavioral2/memory/1716-261-0x00007FF678EE0000-0x00007FF679231000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

qlemXxI.exeFNjpzET.exeQdYRJqg.exejSjaGQK.exefhtFPwd.exekMxYvhQ.exelvuthOv.exeuDELMmV.exeqhpFMKB.exeaPoBHLU.exeTUaSvmy.exepxHSCTG.exeWNLYoWQ.exeQfeOCfR.exeeTMYsqr.exeqIzHTRR.exeXWpZQiu.exemfXXCGp.exelWOblkl.exexUdFQFW.exeiYtPJPE.exe

pid	process
3168	qlemXxI.exe
1856	FNjpzET.exe
4820	QdYRJqg.exe
2408	jSjaGQK.exe
3344	fhtFPwd.exe
2344	kMxYvhQ.exe
1540	lvuthOv.exe
1200	uDELMmV.exe
3416	qhpFMKB.exe
3252	aPoBHLU.exe
732	TUaSvmy.exe
3204	pxHSCTG.exe
4364	WNLYoWQ.exe
4516	QfeOCfR.exe
2828	eTMYsqr.exe
1380	qIzHTRR.exe
5084	XWpZQiu.exe
2448	mfXXCGp.exe
4184	lWOblkl.exe
2144	xUdFQFW.exe
1716	iYtPJPE.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2036-0-0x00007FF676090000-0x00007FF6763E1000-memory.dmp	upx
C:\Windows\System\qlemXxI.exe	upx
behavioral2/memory/3168-6-0x00007FF637430000-0x00007FF637781000-memory.dmp	upx
C:\Windows\System\FNjpzET.exe	upx
behavioral2/memory/1856-13-0x00007FF649EF0000-0x00007FF64A241000-memory.dmp	upx
C:\Windows\System\QdYRJqg.exe	upx
behavioral2/memory/4820-18-0x00007FF602610000-0x00007FF602961000-memory.dmp	upx
C:\Windows\System\jSjaGQK.exe	upx
behavioral2/memory/2408-26-0x00007FF719170000-0x00007FF7194C1000-memory.dmp	upx
C:\Windows\System\fhtFPwd.exe	upx
C:\Windows\System\kMxYvhQ.exe	upx
C:\Windows\System\lvuthOv.exe	upx
C:\Windows\System\uDELMmV.exe	upx
C:\Windows\System\aPoBHLU.exe	upx
C:\Windows\System\pxHSCTG.exe	upx
behavioral2/memory/3252-70-0x00007FF7A7DF0000-0x00007FF7A8141000-memory.dmp	upx
behavioral2/memory/732-75-0x00007FF73DA30000-0x00007FF73DD81000-memory.dmp	upx
behavioral2/memory/3204-76-0x00007FF785C70000-0x00007FF785FC1000-memory.dmp	upx
behavioral2/memory/3168-72-0x00007FF637430000-0x00007FF637781000-memory.dmp	upx
behavioral2/memory/3416-64-0x00007FF790310000-0x00007FF790661000-memory.dmp	upx
C:\Windows\System\qhpFMKB.exe	upx
C:\Windows\System\TUaSvmy.exe	upx
behavioral2/memory/2036-56-0x00007FF676090000-0x00007FF6763E1000-memory.dmp	upx
behavioral2/memory/1200-50-0x00007FF7D3DC0000-0x00007FF7D4111000-memory.dmp	upx
behavioral2/memory/1540-45-0x00007FF799DE0000-0x00007FF79A131000-memory.dmp	upx
behavioral2/memory/2344-41-0x00007FF6AD550000-0x00007FF6AD8A1000-memory.dmp	upx
behavioral2/memory/3344-31-0x00007FF6A8FF0000-0x00007FF6A9341000-memory.dmp	upx
behavioral2/memory/2408-82-0x00007FF719170000-0x00007FF7194C1000-memory.dmp	upx
C:\Windows\System\WNLYoWQ.exe	upx
C:\Windows\System\eTMYsqr.exe	upx
C:\Windows\System\XWpZQiu.exe	upx
C:\Windows\System\qIzHTRR.exe	upx
C:\Windows\System\lWOblkl.exe	upx
C:\Windows\System\mfXXCGp.exe	upx
behavioral2/memory/4516-119-0x00007FF6FC8F0000-0x00007FF6FCC41000-memory.dmp	upx
C:\Windows\System\iYtPJPE.exe	upx
C:\Windows\System\xUdFQFW.exe	upx
behavioral2/memory/4184-118-0x00007FF62C9F0000-0x00007FF62CD41000-memory.dmp	upx
behavioral2/memory/1380-114-0x00007FF6C8900000-0x00007FF6C8C51000-memory.dmp	upx
behavioral2/memory/2828-107-0x00007FF68B1F0000-0x00007FF68B541000-memory.dmp	upx
behavioral2/memory/4364-102-0x00007FF7544F0000-0x00007FF754841000-memory.dmp	upx
C:\Windows\System\QfeOCfR.exe	upx
behavioral2/memory/1856-84-0x00007FF649EF0000-0x00007FF64A241000-memory.dmp	upx
behavioral2/memory/4820-81-0x00007FF602610000-0x00007FF602961000-memory.dmp	upx
behavioral2/memory/3344-133-0x00007FF6A8FF0000-0x00007FF6A9341000-memory.dmp	upx
behavioral2/memory/2344-134-0x00007FF6AD550000-0x00007FF6AD8A1000-memory.dmp	upx
behavioral2/memory/3252-138-0x00007FF7A7DF0000-0x00007FF7A8141000-memory.dmp	upx
behavioral2/memory/1540-135-0x00007FF799DE0000-0x00007FF79A131000-memory.dmp	upx
behavioral2/memory/3416-137-0x00007FF790310000-0x00007FF790661000-memory.dmp	upx
behavioral2/memory/1200-136-0x00007FF7D3DC0000-0x00007FF7D4111000-memory.dmp	upx
behavioral2/memory/5084-132-0x00007FF79A120000-0x00007FF79A471000-memory.dmp	upx
behavioral2/memory/2448-142-0x00007FF7108A0000-0x00007FF710BF1000-memory.dmp	upx
behavioral2/memory/1716-143-0x00007FF678EE0000-0x00007FF679231000-memory.dmp	upx
behavioral2/memory/2144-144-0x00007FF74B0D0000-0x00007FF74B421000-memory.dmp	upx
behavioral2/memory/2036-145-0x00007FF676090000-0x00007FF6763E1000-memory.dmp	upx
behavioral2/memory/4184-155-0x00007FF62C9F0000-0x00007FF62CD41000-memory.dmp	upx
behavioral2/memory/2828-151-0x00007FF68B1F0000-0x00007FF68B541000-memory.dmp	upx
behavioral2/memory/2036-167-0x00007FF676090000-0x00007FF6763E1000-memory.dmp	upx
behavioral2/memory/3168-195-0x00007FF637430000-0x00007FF637781000-memory.dmp	upx
behavioral2/memory/1856-197-0x00007FF649EF0000-0x00007FF64A241000-memory.dmp	upx
behavioral2/memory/4820-199-0x00007FF602610000-0x00007FF602961000-memory.dmp	upx
behavioral2/memory/2408-210-0x00007FF719170000-0x00007FF7194C1000-memory.dmp	upx
behavioral2/memory/3344-221-0x00007FF6A8FF0000-0x00007FF6A9341000-memory.dmp	upx
behavioral2/memory/2344-222-0x00007FF6AD550000-0x00007FF6AD8A1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\XWpZQiu.exe	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mfXXCGp.exe	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QdYRJqg.exe	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jSjaGQK.exe	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lvuthOv.exe	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pxHSCTG.exe	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xUdFQFW.exe	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qhpFMKB.exe	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WNLYoWQ.exe	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QfeOCfR.exe	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lWOblkl.exe	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qIzHTRR.exe	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\qlemXxI.exe	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fhtFPwd.exe	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TUaSvmy.exe	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eTMYsqr.exe	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iYtPJPE.exe	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FNjpzET.exe	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kMxYvhQ.exe	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\uDELMmV.exe	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aPoBHLU.exe	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 2036 wrote to memory of 3168	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	qlemXxI.exe
PID 2036 wrote to memory of 3168	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	qlemXxI.exe
PID 2036 wrote to memory of 1856	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	FNjpzET.exe
PID 2036 wrote to memory of 1856	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	FNjpzET.exe
PID 2036 wrote to memory of 4820	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	QdYRJqg.exe
PID 2036 wrote to memory of 4820	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	QdYRJqg.exe
PID 2036 wrote to memory of 2408	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	jSjaGQK.exe
PID 2036 wrote to memory of 2408	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	jSjaGQK.exe
PID 2036 wrote to memory of 3344	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	fhtFPwd.exe
PID 2036 wrote to memory of 3344	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	fhtFPwd.exe
PID 2036 wrote to memory of 2344	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	kMxYvhQ.exe
PID 2036 wrote to memory of 2344	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	kMxYvhQ.exe
PID 2036 wrote to memory of 1540	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	lvuthOv.exe
PID 2036 wrote to memory of 1540	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	lvuthOv.exe
PID 2036 wrote to memory of 1200	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	uDELMmV.exe
PID 2036 wrote to memory of 1200	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	uDELMmV.exe
PID 2036 wrote to memory of 3416	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	qhpFMKB.exe
PID 2036 wrote to memory of 3416	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	qhpFMKB.exe
PID 2036 wrote to memory of 3252	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	aPoBHLU.exe
PID 2036 wrote to memory of 3252	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	aPoBHLU.exe
PID 2036 wrote to memory of 732	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	TUaSvmy.exe
PID 2036 wrote to memory of 732	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	TUaSvmy.exe
PID 2036 wrote to memory of 3204	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	pxHSCTG.exe
PID 2036 wrote to memory of 3204	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	pxHSCTG.exe
PID 2036 wrote to memory of 4364	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	WNLYoWQ.exe
PID 2036 wrote to memory of 4364	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	WNLYoWQ.exe
PID 2036 wrote to memory of 4516	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	QfeOCfR.exe
PID 2036 wrote to memory of 4516	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	QfeOCfR.exe
PID 2036 wrote to memory of 2828	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	eTMYsqr.exe
PID 2036 wrote to memory of 2828	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	eTMYsqr.exe
PID 2036 wrote to memory of 1380	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	qIzHTRR.exe
PID 2036 wrote to memory of 1380	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	qIzHTRR.exe
PID 2036 wrote to memory of 5084	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	XWpZQiu.exe
PID 2036 wrote to memory of 5084	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	XWpZQiu.exe
PID 2036 wrote to memory of 2448	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	mfXXCGp.exe
PID 2036 wrote to memory of 2448	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	mfXXCGp.exe
PID 2036 wrote to memory of 4184	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	lWOblkl.exe
PID 2036 wrote to memory of 4184	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	lWOblkl.exe
PID 2036 wrote to memory of 2144	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	xUdFQFW.exe
PID 2036 wrote to memory of 2144	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	xUdFQFW.exe
PID 2036 wrote to memory of 1716	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	iYtPJPE.exe
PID 2036 wrote to memory of 1716	2036	2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe	iYtPJPE.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-18_a6016ee33ea98acdaee2212d168ebbf7_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Windows\System\qlemXxI.exe
  C:\Windows\System\qlemXxI.exe
  2⤵
  - Executes dropped EXE
  PID:3168
- C:\Windows\System\FNjpzET.exe
  C:\Windows\System\FNjpzET.exe
  2⤵
  - Executes dropped EXE
  PID:1856
- C:\Windows\System\QdYRJqg.exe
  C:\Windows\System\QdYRJqg.exe
  2⤵
  - Executes dropped EXE
  PID:4820
- C:\Windows\System\jSjaGQK.exe
  C:\Windows\System\jSjaGQK.exe
  2⤵
  - Executes dropped EXE
  PID:2408
- C:\Windows\System\fhtFPwd.exe
  C:\Windows\System\fhtFPwd.exe
  2⤵
  - Executes dropped EXE
  PID:3344
- C:\Windows\System\kMxYvhQ.exe
  C:\Windows\System\kMxYvhQ.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System\lvuthOv.exe
  C:\Windows\System\lvuthOv.exe
  2⤵
  - Executes dropped EXE
  PID:1540
- C:\Windows\System\uDELMmV.exe
  C:\Windows\System\uDELMmV.exe
  2⤵
  - Executes dropped EXE
  PID:1200
- C:\Windows\System\qhpFMKB.exe
  C:\Windows\System\qhpFMKB.exe
  2⤵
  - Executes dropped EXE
  PID:3416
- C:\Windows\System\aPoBHLU.exe
  C:\Windows\System\aPoBHLU.exe
  2⤵
  - Executes dropped EXE
  PID:3252
- C:\Windows\System\TUaSvmy.exe
  C:\Windows\System\TUaSvmy.exe
  2⤵
  - Executes dropped EXE
  PID:732
- C:\Windows\System\pxHSCTG.exe
  C:\Windows\System\pxHSCTG.exe
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Windows\System\WNLYoWQ.exe
  C:\Windows\System\WNLYoWQ.exe
  2⤵
  - Executes dropped EXE
  PID:4364
- C:\Windows\System\QfeOCfR.exe
  C:\Windows\System\QfeOCfR.exe
  2⤵
  - Executes dropped EXE
  PID:4516
- C:\Windows\System\eTMYsqr.exe
  C:\Windows\System\eTMYsqr.exe
  2⤵
  - Executes dropped EXE
  PID:2828
- C:\Windows\System\qIzHTRR.exe
  C:\Windows\System\qIzHTRR.exe
  2⤵
  - Executes dropped EXE
  PID:1380
- C:\Windows\System\XWpZQiu.exe
  C:\Windows\System\XWpZQiu.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Windows\System\mfXXCGp.exe
  C:\Windows\System\mfXXCGp.exe
  2⤵
  - Executes dropped EXE
  PID:2448
- C:\Windows\System\lWOblkl.exe
  C:\Windows\System\lWOblkl.exe
  2⤵
  - Executes dropped EXE
  PID:4184
- C:\Windows\System\xUdFQFW.exe
  C:\Windows\System\xUdFQFW.exe
  2⤵
  - Executes dropped EXE
  PID:2144
- C:\Windows\System\iYtPJPE.exe
  C:\Windows\System\iYtPJPE.exe
  2⤵
  - Executes dropped EXE
  PID:1716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\FNjpzET.exe

Filesize
5.2MB

MD5
ac4fe8cfdd5d494871402ac39b1aef7b

SHA1
f6e83a759e5f325fb9fdde0ab411485dbb56b352

SHA256
faa81d4bb05cef7acca1f61be1ec56573ebea923603138e3f186887d5ccb303b

SHA512
cc380fabaaa6702359d5f5c3928780262a92919dadc271e77950d4f4c3ea512a5302b2054b0386d41e0a7dab5e672484a4524219f5a7269b3e06925dd8309d11

Download Submit
C:\Windows\System\QdYRJqg.exe

Filesize
5.2MB

MD5
37eef460e5dd5a6e856d027e94c18d90

SHA1
28b8f6acf34cb0b032663d804b80127dd2452ec9

SHA256
94e4235cae9633152d0b134033dbb5ca17e7a656e87670c2f52f478d684013aa

SHA512
3736460e873dd6f01e7e6f0e98391382ec192c1a86b541c50bb0e9795209f6d02ea21c3d80a74683cc4a848f1af8f942870f940e6b9bf56a66448f766f13f555

Download Submit
C:\Windows\System\QfeOCfR.exe

Filesize
5.2MB

MD5
93b67bd18288cebbb46c47622eb4a055

SHA1
db513bd6b05ee5171eaefff571b663c990e83c6f

SHA256
e3a88f1b7837ce4d2f52603662e10553ca567eae3075e3cbef033454fd9fc5c3

SHA512
3ad22b0f86c7d5aa9f1181378b75001520a0784dd8dbf5c77eb69d69838a6e733d40fd201f0e3df01ba94af90c641030fa50e51ee66960182c8f4326f4689616

Download Submit
C:\Windows\System\TUaSvmy.exe

Filesize
5.2MB

MD5
24cf354d52c00a3cce9597ad321c7f35

SHA1
db9ec87ddbccfff422fdaf138dc369d13ae84042

SHA256
caa7e61489fd45026ff16af866259f21b910f318f627b0a8ec04bc7d0af85262

SHA512
f7a4c7837688d8d2845a807706d00f37e86475d1225762c8a6f011377fcc8e65d1c38a75218239c17a022d1a8ab7c47cb19855b7b0b4a6ca8c8977d5179a2bab

Download Submit
C:\Windows\System\WNLYoWQ.exe

Filesize
5.2MB

MD5
0ec19d0f8c4ef051dd95b83bbf69a581

SHA1
65d824597afcf20a9d290f6b646e06c484eb53ba

SHA256
f58ebad3943a8fa188a9b1c9d4570a8d61bdffb76138bf98cd202ebefa739993

SHA512
dd1f30b186ae9ae0261b052b38dd2c09319ed260ffaffba338c08daaad7894387dbaeb1d6dd5a1cbaac1499dafd37fe7deeec96f5728aee3197f0daf56c08930

Download Submit
C:\Windows\System\XWpZQiu.exe

Filesize
5.2MB

MD5
b3662fb5ae40e5c2c6f440dbe77d0267

SHA1
2de9e672c975c0e5033766089da585209a12a52a

SHA256
07cf66cacaf66035ed6650467e095b47b6af4c43b83ea698a459b965eb35265c

SHA512
aa80e1ee03b6c5f023a8f50345011b1955c7ede96ca4c1a0fcfe12fb1d9b6b3f5e11f970868359e70f5c949af12eebaa815a01687122d4a54c41a308ae1d7a75

Download Submit
C:\Windows\System\aPoBHLU.exe

Filesize
5.2MB

MD5
2f9ef5c56bef638d38446d80abf5a9d1

SHA1
9be2442f95cb076978bce395a3b5bfb78dbb903a

SHA256
bcafa0e1c7b8dc93e5cd66056c92a863a92f5952bd8a51e4aa495c9f74311d4a

SHA512
86aa1a1bea5586996460c89471f9e983e34fd63c812003d619907e415b8575cb5297aa2f8279140a2a85377adef0245dd3719c6b97d4e760b92436f3381c2413

Download Submit
C:\Windows\System\eTMYsqr.exe

Filesize
5.2MB

MD5
22f9f6e921a41d23198723a67eb9d4cc

SHA1
43a4ebb755b32177ec3ea8e723bc90452bc69747

SHA256
0e81c8384ef1d852124f1c9f0d37c3da8aad6457b938b66db4dc4c263f5f1b87

SHA512
d7c343d3cb6c9959dc6def7c37d10b0b25fdb741b52a35df5668f806a9933a19d205da041036f9e6be86970d6892cc36b8cef93df508183118886d9ccdf6bf02

Download Submit
C:\Windows\System\fhtFPwd.exe

Filesize
5.2MB

MD5
6b1b2d89d737a0ba7eb82b35b752b594

SHA1
1b67812f88b29e46de9ebef46ec04850183d29c8

SHA256
f4925ec266665d0111a0663515d94bc9e890047a61485d3c4e3c270e6a132943

SHA512
016ac3cd32516eb35bc4df03e4f130036d3159d3988abf3586efae204874a5169382eb6a215271afb8c7d58ed86097580be3d4589f76cf741998310eb03ef4d1

Download Submit
C:\Windows\System\iYtPJPE.exe

Filesize
5.2MB

MD5
98120d709a09d0dea7dd0e1bdfc01e48

SHA1
ba17c45a1265f580bd87e51620f0a0a9e2aac14e

SHA256
646eaffb32785d76c43c46c67aabae866dd9d0a27e670647a4949d7050148a72

SHA512
c09e8e7bfb5e8771fbe991343de785929bf60b63580481fb321339416026c164f6b0cbb785115032c8c40502272eb5b41bff027764b255b3c51b4f9ae0fe7e71

Download Submit
C:\Windows\System\jSjaGQK.exe

Filesize
5.2MB

MD5
81f68a7d1fea174e47c8d3f6aaa1abf4

SHA1
05ef5454732227f72f4d066bfdff5763ccccf4c6

SHA256
35dbbb40884849c9b569b32dc53f7262e6dc7900ed7fd03e04b0e5d44e65cf39

SHA512
fcea9fafbc000037268db60d8da6c7b96a0721a93c747c864e827caf05a5b127393c77ba745267eac3cd1db8566d89b5c3c71b4b4d3b600e41d37768cc68f405

Download Submit
C:\Windows\System\kMxYvhQ.exe

Filesize
5.2MB

MD5
26ff4caac891bf499b6c6a9986c6bac7

SHA1
f55e033bbd84cbc0fa25dc7133f3cedb3412b63d

SHA256
44399abc5f0bd11046d6b47ff0f0e761aa415b9ede8fcbb44f2db839ca250ef8

SHA512
fe5b4b323d6915e17d2c931233b2eda127f2fa6d4a679e4ddd6044dfbff05edc45e87325240b39c7cf9c3dfa3aea22a46992e511a0adfb37403879f878255d0c

Download Submit
C:\Windows\System\lWOblkl.exe

Filesize
5.2MB

MD5
f085922c7ed2bb878812cf422ba947b6

SHA1
27224c08a086cbfbd6e34afa407a7e3e22f0343f

SHA256
65e940ad5a16d3e08a3cd21f9ecd332f3e4eaef05dd8d2bd40eb4b9f1a6554bf

SHA512
b8c8f77862057d3cf73cd745c60e4e87da33d24a732ad5151b70681fd6da97ed1c40e43424a8097dcc3ed921c6c36a4e2fd4d17040fcd5bab53321620660bf50

Download Submit
C:\Windows\System\lvuthOv.exe

Filesize
5.2MB

MD5
14d72fcebb8fe8fbf06bc69073d93faa

SHA1
c3abbeb6bb66602a8ec9975f7f4bd5dcb6961f2f

SHA256
711a3180a34362334f35d858ecb1db3f507615ce69701065677c8ac64aad9fb6

SHA512
a5ee045915ebd2c8e56da20a849bd69aad4de29d518c642b7e9411aac987c26a72b89348db3dd86789c8e41e3c8cd4cbbbd13fdb3c207d312f6a5c1553dc1383

Download Submit
C:\Windows\System\mfXXCGp.exe

Filesize
5.2MB

MD5
337b88fd8f843d05fcff03666b475021

SHA1
bb9b4dd010ec802492d1f54ca96a83c7e197b601

SHA256
8a68607514cfd19ef23c657d0aeba2c3a6604caa8b4887a9929c84e11b6d1fb9

SHA512
dc80da95f3a6531df9264866769fe80a01ed9d7222145134535b580774c40443514767c28c0827c33ac8e06b1fbcc378872541205b88850c01ecbb0c4ed54309

Download Submit
C:\Windows\System\pxHSCTG.exe

Filesize
5.2MB

MD5
18fc45f5f8fa8a97eacd76b8b321d451

SHA1
0d5d5bcf52687f0e5e1bc9ec1f270541da0477ac

SHA256
dcb3ea177f62fa192c1429213311825f4520a73aa66ecb830b00f5fea22f8ead

SHA512
8b090bd0774bbb7a393455d758c368d40150a8429a163afdafea8484731cd2498daaed9ebfdd8f2f22f78042f68fb7082886e6fd14304b2ca4eb2d619d53cd08

Download Submit
C:\Windows\System\qIzHTRR.exe

Filesize
5.2MB

MD5
5069c9b3df57a26a1624a23786ba81be

SHA1
80e557c69afe9b5b6171c87ad1ebe6b79760b1d2

SHA256
685b66841ee121a221841c797346c4cfde67a66b74a457815115097ed6ec43e5

SHA512
2e250a6e90f88c6e18977fdea182bb11a0c16ccb08835116a09c04283c7e235aad2866198d04a646e5c84704efca9750eb023fe5599046f0f097e57a203a371d

Download Submit
C:\Windows\System\qhpFMKB.exe

Filesize
5.2MB

MD5
9e4ab472d54c93248c87d0ae6b24c4a0

SHA1
e0ce9e2623e813710ec5fdd87f670af7657d8bcc

SHA256
26442bef6ed6f3c4e751ff19fbd61638120d02ed436de3f0668f457d37d289ea

SHA512
65147c6e36457086a9cae7fe21be89f7ec07631e095e468926b48c4f27099132538f839642767754eb66dab984712b16a4a71625db0eb74bc6a318efcd5f3173

Download Submit
C:\Windows\System\qlemXxI.exe

Filesize
5.2MB

MD5
b2dd651f17e24fd531d6dc07a262a694

SHA1
f26c7f8be7f06a63295c5ab4ff4fe3c3ce36ff2e

SHA256
9816735be9bade99c758d1adeaf853a7ca2b6fadb5047e6dd2b1bdb8c635ce10

SHA512
c8eadb6f3e52611052ee0df3fbf90cb3af60dab17e4ffea850b22b4c53e24d64e078f16dd26f50579e407715d10c81c00c9ebab2b4ff1f807d444ec4bd02be22

Download Submit
C:\Windows\System\uDELMmV.exe

Filesize
5.2MB

MD5
3748b6423f2beb13eb5d17e3fd2a4bc0

SHA1
06771218ddfba177def4b481f75745e59cf82141

SHA256
df0aeb72e86381e4861b42663630193bbab40e7e810f5fb02156259c97b675d5

SHA512
1e7edbd2ef7448266dae34f7ada79fbe2794a5e6f6bb4ad474dc68157846e37e58cb92b7d77bd356e321d1b9b3e64f93fa3358abd5c706c68195715287a3b48e

Download Submit
C:\Windows\System\xUdFQFW.exe

Filesize
5.2MB

MD5
09fc57f114e11b70ec36315d464ca6b8

SHA1
2e2cb2ebdf34a29dbbf3d67e947aeb165ba1f0ba

SHA256
6cfc2c1ffae03a7c8f02d6860af41365cf62011bb069fc71d017a425fcf42afb

SHA512
b7a6833d1e65b17ba9e97b4b0ec844c4e025322c6d136de54f034a3058132e062b1eee5746d414c042178dbcee78ccd315e9f27af7613ffb3e6b8aa70d501478

Download Submit
memory/732-75-0x00007FF73DA30000-0x00007FF73DD81000-memory.dmp

Filesize
3.3MB

Download
memory/732-226-0x00007FF73DA30000-0x00007FF73DD81000-memory.dmp

Filesize
3.3MB

Download
memory/1200-50-0x00007FF7D3DC0000-0x00007FF7D4111000-memory.dmp

Filesize
3.3MB

Download
memory/1200-136-0x00007FF7D3DC0000-0x00007FF7D4111000-memory.dmp

Filesize
3.3MB

Download
memory/1200-230-0x00007FF7D3DC0000-0x00007FF7D4111000-memory.dmp

Filesize
3.3MB

Download
memory/1380-251-0x00007FF6C8900000-0x00007FF6C8C51000-memory.dmp

Filesize
3.3MB

Download
memory/1380-114-0x00007FF6C8900000-0x00007FF6C8C51000-memory.dmp

Filesize
3.3MB

Download
memory/1540-45-0x00007FF799DE0000-0x00007FF79A131000-memory.dmp

Filesize
3.3MB

Download
memory/1540-135-0x00007FF799DE0000-0x00007FF79A131000-memory.dmp

Filesize
3.3MB

Download
memory/1540-224-0x00007FF799DE0000-0x00007FF79A131000-memory.dmp

Filesize
3.3MB

Download
memory/1716-261-0x00007FF678EE0000-0x00007FF679231000-memory.dmp

Filesize
3.3MB

Download
memory/1716-143-0x00007FF678EE0000-0x00007FF679231000-memory.dmp

Filesize
3.3MB

Download
memory/1856-197-0x00007FF649EF0000-0x00007FF64A241000-memory.dmp

Filesize
3.3MB

Download
memory/1856-13-0x00007FF649EF0000-0x00007FF64A241000-memory.dmp

Filesize
3.3MB

Download
memory/1856-84-0x00007FF649EF0000-0x00007FF64A241000-memory.dmp

Filesize
3.3MB

Download
memory/2036-145-0x00007FF676090000-0x00007FF6763E1000-memory.dmp

Filesize
3.3MB

Download
memory/2036-56-0x00007FF676090000-0x00007FF6763E1000-memory.dmp

Filesize
3.3MB

Download
memory/2036-0-0x00007FF676090000-0x00007FF6763E1000-memory.dmp

Filesize
3.3MB

Download
memory/2036-1-0x000001DC17460000-0x000001DC17470000-memory.dmp

Filesize
64KB

Download
memory/2036-167-0x00007FF676090000-0x00007FF6763E1000-memory.dmp

Filesize
3.3MB

Download
memory/2144-259-0x00007FF74B0D0000-0x00007FF74B421000-memory.dmp

Filesize
3.3MB

Download
memory/2144-144-0x00007FF74B0D0000-0x00007FF74B421000-memory.dmp

Filesize
3.3MB

Download
memory/2344-222-0x00007FF6AD550000-0x00007FF6AD8A1000-memory.dmp

Filesize
3.3MB

Download
memory/2344-134-0x00007FF6AD550000-0x00007FF6AD8A1000-memory.dmp

Filesize
3.3MB

Download
memory/2344-41-0x00007FF6AD550000-0x00007FF6AD8A1000-memory.dmp

Filesize
3.3MB

Download
memory/2408-210-0x00007FF719170000-0x00007FF7194C1000-memory.dmp

Filesize
3.3MB

Download
memory/2408-26-0x00007FF719170000-0x00007FF7194C1000-memory.dmp

Filesize
3.3MB

Download
memory/2408-82-0x00007FF719170000-0x00007FF7194C1000-memory.dmp

Filesize
3.3MB

Download
memory/2448-257-0x00007FF7108A0000-0x00007FF710BF1000-memory.dmp

Filesize
3.3MB

Download
memory/2448-142-0x00007FF7108A0000-0x00007FF710BF1000-memory.dmp

Filesize
3.3MB

Download
memory/2828-107-0x00007FF68B1F0000-0x00007FF68B541000-memory.dmp

Filesize
3.3MB

Download
memory/2828-253-0x00007FF68B1F0000-0x00007FF68B541000-memory.dmp

Filesize
3.3MB

Download
memory/2828-151-0x00007FF68B1F0000-0x00007FF68B541000-memory.dmp

Filesize
3.3MB

Download
memory/3168-72-0x00007FF637430000-0x00007FF637781000-memory.dmp

Filesize
3.3MB

Download
memory/3168-6-0x00007FF637430000-0x00007FF637781000-memory.dmp

Filesize
3.3MB

Download
memory/3168-195-0x00007FF637430000-0x00007FF637781000-memory.dmp

Filesize
3.3MB

Download
memory/3204-76-0x00007FF785C70000-0x00007FF785FC1000-memory.dmp

Filesize
3.3MB

Download
memory/3204-233-0x00007FF785C70000-0x00007FF785FC1000-memory.dmp

Filesize
3.3MB

Download
memory/3252-70-0x00007FF7A7DF0000-0x00007FF7A8141000-memory.dmp

Filesize
3.3MB

Download
memory/3252-138-0x00007FF7A7DF0000-0x00007FF7A8141000-memory.dmp

Filesize
3.3MB

Download
memory/3252-234-0x00007FF7A7DF0000-0x00007FF7A8141000-memory.dmp

Filesize
3.3MB

Download
memory/3344-31-0x00007FF6A8FF0000-0x00007FF6A9341000-memory.dmp

Filesize
3.3MB

Download
memory/3344-133-0x00007FF6A8FF0000-0x00007FF6A9341000-memory.dmp

Filesize
3.3MB

Download
memory/3344-221-0x00007FF6A8FF0000-0x00007FF6A9341000-memory.dmp

Filesize
3.3MB

Download
memory/3416-64-0x00007FF790310000-0x00007FF790661000-memory.dmp

Filesize
3.3MB

Download
memory/3416-228-0x00007FF790310000-0x00007FF790661000-memory.dmp

Filesize
3.3MB

Download
memory/3416-137-0x00007FF790310000-0x00007FF790661000-memory.dmp

Filesize
3.3MB

Download
memory/4184-255-0x00007FF62C9F0000-0x00007FF62CD41000-memory.dmp

Filesize
3.3MB

Download
memory/4184-118-0x00007FF62C9F0000-0x00007FF62CD41000-memory.dmp

Filesize
3.3MB

Download
memory/4184-155-0x00007FF62C9F0000-0x00007FF62CD41000-memory.dmp

Filesize
3.3MB

Download
memory/4364-102-0x00007FF7544F0000-0x00007FF754841000-memory.dmp

Filesize
3.3MB

Download
memory/4364-239-0x00007FF7544F0000-0x00007FF754841000-memory.dmp

Filesize
3.3MB

Download
memory/4516-247-0x00007FF6FC8F0000-0x00007FF6FCC41000-memory.dmp

Filesize
3.3MB

Download
memory/4516-119-0x00007FF6FC8F0000-0x00007FF6FCC41000-memory.dmp

Filesize
3.3MB

Download
memory/4820-199-0x00007FF602610000-0x00007FF602961000-memory.dmp

Filesize
3.3MB

Download
memory/4820-18-0x00007FF602610000-0x00007FF602961000-memory.dmp

Filesize
3.3MB

Download
memory/4820-81-0x00007FF602610000-0x00007FF602961000-memory.dmp

Filesize
3.3MB

Download
memory/5084-250-0x00007FF79A120000-0x00007FF79A471000-memory.dmp

Filesize
3.3MB

Download
memory/5084-132-0x00007FF79A120000-0x00007FF79A471000-memory.dmp

Filesize
3.3MB

Download