cobaltstrike | 93bde989d9ecc1f99eec668819aeac5b97cafa12b1bfd5098d68e03f0df0b0f1

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2024 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

b7e1714ec7fbbc72672716a1e63f7e6e
SHA1

2b81fb1a8acb9bc2dd157c39d045b349c4d17cb6
SHA256

93bde989d9ecc1f99eec668819aeac5b97cafa12b1bfd5098d68e03f0df0b0f1
SHA512

15577d4aa7e9014c8912da8d8990cd1d410e2488cbfdb98d215e1528d70d7cfb228dd7bcc461c0ee6f85cbdb5dad71bf30d3613884d16fe226abe16ee9c3fee9
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lO:RWWBibf56utgpPFotBER/mQ32lUa

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
behavioral2/files/0x000c000000023b5f-5.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c01-15.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c02-18.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c04-30.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0b-42.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c0a-61.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023bd0-73.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c25-80.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c27-92.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c44-102.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c54-121.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c48-118.dat	cobalt_reflective_dll
behavioral2/files/0x0016000000023c3e-112.dat	cobalt_reflective_dll
behavioral2/files/0x000b000000023c3d-106.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c28-94.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c26-83.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c24-77.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c23-67.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c1d-56.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c09-36.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c03-24.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 47 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2140-87-0x00007FF783270000-0x00007FF7835C1000-memory.dmp	xmrig
behavioral2/memory/1524-117-0x00007FF61E290000-0x00007FF61E5E1000-memory.dmp	xmrig
behavioral2/memory/2068-124-0x00007FF6FF7F0000-0x00007FF6FFB41000-memory.dmp	xmrig
behavioral2/memory/1992-127-0x00007FF6E2AF0000-0x00007FF6E2E41000-memory.dmp	xmrig
behavioral2/memory/3520-126-0x00007FF6136E0000-0x00007FF613A31000-memory.dmp	xmrig
behavioral2/memory/3640-125-0x00007FF6F1CE0000-0x00007FF6F2031000-memory.dmp	xmrig
behavioral2/memory/5104-123-0x00007FF695940000-0x00007FF695C91000-memory.dmp	xmrig
behavioral2/memory/1804-120-0x00007FF666870000-0x00007FF666BC1000-memory.dmp	xmrig
behavioral2/memory/324-100-0x00007FF739DA0000-0x00007FF73A0F1000-memory.dmp	xmrig
behavioral2/memory/1704-91-0x00007FF60FA10000-0x00007FF60FD61000-memory.dmp	xmrig
behavioral2/memory/1696-82-0x00007FF66B5B0000-0x00007FF66B901000-memory.dmp	xmrig
behavioral2/memory/3672-41-0x00007FF7BEA40000-0x00007FF7BED91000-memory.dmp	xmrig
behavioral2/memory/1956-28-0x00007FF612E40000-0x00007FF613191000-memory.dmp	xmrig
behavioral2/memory/3924-26-0x00007FF6EC190000-0x00007FF6EC4E1000-memory.dmp	xmrig
behavioral2/memory/4292-128-0x00007FF740280000-0x00007FF7405D1000-memory.dmp	xmrig
behavioral2/memory/1980-129-0x00007FF7B4C10000-0x00007FF7B4F61000-memory.dmp	xmrig
behavioral2/memory/2816-134-0x00007FF7F3E60000-0x00007FF7F41B1000-memory.dmp	xmrig
behavioral2/memory/4556-135-0x00007FF66FA70000-0x00007FF66FDC1000-memory.dmp	xmrig
behavioral2/memory/1696-137-0x00007FF66B5B0000-0x00007FF66B901000-memory.dmp	xmrig
behavioral2/memory/2976-144-0x00007FF7EC280000-0x00007FF7EC5D1000-memory.dmp	xmrig
behavioral2/memory/1448-147-0x00007FF78D0C0000-0x00007FF78D411000-memory.dmp	xmrig
behavioral2/memory/1704-142-0x00007FF60FA10000-0x00007FF60FD61000-memory.dmp	xmrig
behavioral2/memory/4392-136-0x00007FF6EAD70000-0x00007FF6EB0C1000-memory.dmp	xmrig
behavioral2/memory/1644-130-0x00007FF781050000-0x00007FF7813A1000-memory.dmp	xmrig
behavioral2/memory/4292-150-0x00007FF740280000-0x00007FF7405D1000-memory.dmp	xmrig
behavioral2/memory/4292-172-0x00007FF740280000-0x00007FF7405D1000-memory.dmp	xmrig
behavioral2/memory/1980-204-0x00007FF7B4C10000-0x00007FF7B4F61000-memory.dmp	xmrig
behavioral2/memory/1644-206-0x00007FF781050000-0x00007FF7813A1000-memory.dmp	xmrig
behavioral2/memory/3924-208-0x00007FF6EC190000-0x00007FF6EC4E1000-memory.dmp	xmrig
behavioral2/memory/1956-224-0x00007FF612E40000-0x00007FF613191000-memory.dmp	xmrig
behavioral2/memory/2816-230-0x00007FF7F3E60000-0x00007FF7F41B1000-memory.dmp	xmrig
behavioral2/memory/3672-229-0x00007FF7BEA40000-0x00007FF7BED91000-memory.dmp	xmrig
behavioral2/memory/4556-232-0x00007FF66FA70000-0x00007FF66FDC1000-memory.dmp	xmrig
behavioral2/memory/1696-234-0x00007FF66B5B0000-0x00007FF66B901000-memory.dmp	xmrig
behavioral2/memory/4392-226-0x00007FF6EAD70000-0x00007FF6EB0C1000-memory.dmp	xmrig
behavioral2/memory/1704-239-0x00007FF60FA10000-0x00007FF60FD61000-memory.dmp	xmrig
behavioral2/memory/5104-242-0x00007FF695940000-0x00007FF695C91000-memory.dmp	xmrig
behavioral2/memory/1524-244-0x00007FF61E290000-0x00007FF61E5E1000-memory.dmp	xmrig
behavioral2/memory/2068-247-0x00007FF6FF7F0000-0x00007FF6FFB41000-memory.dmp	xmrig
behavioral2/memory/2140-241-0x00007FF783270000-0x00007FF7835C1000-memory.dmp	xmrig
behavioral2/memory/324-237-0x00007FF739DA0000-0x00007FF73A0F1000-memory.dmp	xmrig
behavioral2/memory/1804-248-0x00007FF666870000-0x00007FF666BC1000-memory.dmp	xmrig
behavioral2/memory/1992-252-0x00007FF6E2AF0000-0x00007FF6E2E41000-memory.dmp	xmrig
behavioral2/memory/2976-258-0x00007FF7EC280000-0x00007FF7EC5D1000-memory.dmp	xmrig
behavioral2/memory/3640-256-0x00007FF6F1CE0000-0x00007FF6F2031000-memory.dmp	xmrig
behavioral2/memory/3520-250-0x00007FF6136E0000-0x00007FF613A31000-memory.dmp	xmrig
behavioral2/memory/1448-254-0x00007FF78D0C0000-0x00007FF78D411000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

cCYtNMd.exeyWAadXP.execNPGLAd.exeQjiKxDr.exeLYAeezd.exeQwVGBBX.exeKzDHCre.exeADhJAnQ.exeiXgSHXB.exemZIHBnc.exeHXLDKOB.exeyXFTNiq.exepbNzvfu.exeeWsOgvV.exenxLoJQL.exeramlzIU.exeonUbymU.exeemeOOfn.exenGWtHeq.exeetiBCqa.exeHUARZBu.exe

pid	Process
1980	cCYtNMd.exe
1644	yWAadXP.exe
3924	cNPGLAd.exe
1956	QjiKxDr.exe
3672	LYAeezd.exe
2816	QwVGBBX.exe
4392	KzDHCre.exe
4556	ADhJAnQ.exe
1696	iXgSHXB.exe
1524	mZIHBnc.exe
1804	HXLDKOB.exe
5104	yXFTNiq.exe
2140	pbNzvfu.exe
1704	eWsOgvV.exe
324	nxLoJQL.exe
2976	ramlzIU.exe
2068	onUbymU.exe
3640	emeOOfn.exe
1448	nGWtHeq.exe
3520	etiBCqa.exe
1992	HUARZBu.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4292-0-0x00007FF740280000-0x00007FF7405D1000-memory.dmp	upx
behavioral2/files/0x000c000000023b5f-5.dat	upx
behavioral2/files/0x0008000000023c01-15.dat	upx
behavioral2/files/0x0008000000023c02-18.dat	upx
behavioral2/files/0x0008000000023c04-30.dat	upx
behavioral2/files/0x0008000000023c0b-42.dat	upx
behavioral2/files/0x0008000000023c0a-61.dat	upx
behavioral2/files/0x0009000000023bd0-73.dat	upx
behavioral2/files/0x0008000000023c25-80.dat	upx
behavioral2/memory/2140-87-0x00007FF783270000-0x00007FF7835C1000-memory.dmp	upx
behavioral2/files/0x0008000000023c27-92.dat	upx
behavioral2/files/0x0008000000023c44-102.dat	upx
behavioral2/memory/1524-117-0x00007FF61E290000-0x00007FF61E5E1000-memory.dmp	upx
behavioral2/memory/2068-124-0x00007FF6FF7F0000-0x00007FF6FFB41000-memory.dmp	upx
behavioral2/memory/1992-127-0x00007FF6E2AF0000-0x00007FF6E2E41000-memory.dmp	upx
behavioral2/memory/3520-126-0x00007FF6136E0000-0x00007FF613A31000-memory.dmp	upx
behavioral2/memory/3640-125-0x00007FF6F1CE0000-0x00007FF6F2031000-memory.dmp	upx
behavioral2/memory/5104-123-0x00007FF695940000-0x00007FF695C91000-memory.dmp	upx
behavioral2/files/0x0008000000023c54-121.dat	upx
behavioral2/memory/1804-120-0x00007FF666870000-0x00007FF666BC1000-memory.dmp	upx
behavioral2/files/0x0008000000023c48-118.dat	upx
behavioral2/files/0x0016000000023c3e-112.dat	upx
behavioral2/memory/1448-111-0x00007FF78D0C0000-0x00007FF78D411000-memory.dmp	upx
behavioral2/files/0x000b000000023c3d-106.dat	upx
behavioral2/memory/2976-105-0x00007FF7EC280000-0x00007FF7EC5D1000-memory.dmp	upx
behavioral2/memory/324-100-0x00007FF739DA0000-0x00007FF73A0F1000-memory.dmp	upx
behavioral2/files/0x0008000000023c28-94.dat	upx
behavioral2/memory/1704-91-0x00007FF60FA10000-0x00007FF60FD61000-memory.dmp	upx
behavioral2/files/0x0008000000023c26-83.dat	upx
behavioral2/memory/1696-82-0x00007FF66B5B0000-0x00007FF66B901000-memory.dmp	upx
behavioral2/files/0x0008000000023c24-77.dat	upx
behavioral2/files/0x0008000000023c23-67.dat	upx
behavioral2/memory/4556-57-0x00007FF66FA70000-0x00007FF66FDC1000-memory.dmp	upx
behavioral2/files/0x0008000000023c1d-56.dat	upx
behavioral2/memory/4392-45-0x00007FF6EAD70000-0x00007FF6EB0C1000-memory.dmp	upx
behavioral2/memory/3672-41-0x00007FF7BEA40000-0x00007FF7BED91000-memory.dmp	upx
behavioral2/files/0x0008000000023c09-36.dat	upx
behavioral2/memory/2816-32-0x00007FF7F3E60000-0x00007FF7F41B1000-memory.dmp	upx
behavioral2/memory/1956-28-0x00007FF612E40000-0x00007FF613191000-memory.dmp	upx
behavioral2/memory/3924-26-0x00007FF6EC190000-0x00007FF6EC4E1000-memory.dmp	upx
behavioral2/files/0x0008000000023c03-24.dat	upx
behavioral2/memory/1644-12-0x00007FF781050000-0x00007FF7813A1000-memory.dmp	upx
behavioral2/memory/1980-6-0x00007FF7B4C10000-0x00007FF7B4F61000-memory.dmp	upx
behavioral2/memory/4292-128-0x00007FF740280000-0x00007FF7405D1000-memory.dmp	upx
behavioral2/memory/1980-129-0x00007FF7B4C10000-0x00007FF7B4F61000-memory.dmp	upx
behavioral2/memory/2816-134-0x00007FF7F3E60000-0x00007FF7F41B1000-memory.dmp	upx
behavioral2/memory/4556-135-0x00007FF66FA70000-0x00007FF66FDC1000-memory.dmp	upx
behavioral2/memory/1696-137-0x00007FF66B5B0000-0x00007FF66B901000-memory.dmp	upx
behavioral2/memory/2976-144-0x00007FF7EC280000-0x00007FF7EC5D1000-memory.dmp	upx
behavioral2/memory/1448-147-0x00007FF78D0C0000-0x00007FF78D411000-memory.dmp	upx
behavioral2/memory/1704-142-0x00007FF60FA10000-0x00007FF60FD61000-memory.dmp	upx
behavioral2/memory/4392-136-0x00007FF6EAD70000-0x00007FF6EB0C1000-memory.dmp	upx
behavioral2/memory/1644-130-0x00007FF781050000-0x00007FF7813A1000-memory.dmp	upx
behavioral2/memory/4292-150-0x00007FF740280000-0x00007FF7405D1000-memory.dmp	upx
behavioral2/memory/4292-172-0x00007FF740280000-0x00007FF7405D1000-memory.dmp	upx
behavioral2/memory/1980-204-0x00007FF7B4C10000-0x00007FF7B4F61000-memory.dmp	upx
behavioral2/memory/1644-206-0x00007FF781050000-0x00007FF7813A1000-memory.dmp	upx
behavioral2/memory/3924-208-0x00007FF6EC190000-0x00007FF6EC4E1000-memory.dmp	upx
behavioral2/memory/1956-224-0x00007FF612E40000-0x00007FF613191000-memory.dmp	upx
behavioral2/memory/2816-230-0x00007FF7F3E60000-0x00007FF7F41B1000-memory.dmp	upx
behavioral2/memory/3672-229-0x00007FF7BEA40000-0x00007FF7BED91000-memory.dmp	upx
behavioral2/memory/4556-232-0x00007FF66FA70000-0x00007FF66FDC1000-memory.dmp	upx
behavioral2/memory/1696-234-0x00007FF66B5B0000-0x00007FF66B901000-memory.dmp	upx
behavioral2/memory/4392-226-0x00007FF6EAD70000-0x00007FF6EB0C1000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	Process
File created	C:\Windows\System\iXgSHXB.exe	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mZIHBnc.exe	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pbNzvfu.exe	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ramlzIU.exe	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LYAeezd.exe	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ADhJAnQ.exe	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HXLDKOB.exe	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nGWtHeq.exe	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\etiBCqa.exe	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yWAadXP.exe	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KzDHCre.exe	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\emeOOfn.exe	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HUARZBu.exe	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cNPGLAd.exe	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\onUbymU.exe	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QwVGBBX.exe	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yXFTNiq.exe	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eWsOgvV.exe	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nxLoJQL.exe	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cCYtNMd.exe	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QjiKxDr.exe	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process
Token: SeLockMemoryPrivilege	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process	procid_target
PID 4292 wrote to memory of 1980	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4292 wrote to memory of 1980	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 4292 wrote to memory of 1644	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4292 wrote to memory of 1644	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 4292 wrote to memory of 3924	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4292 wrote to memory of 3924	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 4292 wrote to memory of 1956	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4292 wrote to memory of 1956	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 4292 wrote to memory of 3672	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4292 wrote to memory of 3672	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 4292 wrote to memory of 2816	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4292 wrote to memory of 2816	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 4292 wrote to memory of 4556	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4292 wrote to memory of 4556	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 4292 wrote to memory of 4392	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4292 wrote to memory of 4392	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 4292 wrote to memory of 1696	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4292 wrote to memory of 1696	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 4292 wrote to memory of 1524	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4292 wrote to memory of 1524	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 4292 wrote to memory of 1804	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4292 wrote to memory of 1804	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 4292 wrote to memory of 5104	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4292 wrote to memory of 5104	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 4292 wrote to memory of 2140	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4292 wrote to memory of 2140	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 4292 wrote to memory of 1704	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4292 wrote to memory of 1704	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 4292 wrote to memory of 324	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4292 wrote to memory of 324	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 4292 wrote to memory of 2976	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4292 wrote to memory of 2976	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 4292 wrote to memory of 2068	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4292 wrote to memory of 2068	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 4292 wrote to memory of 3640	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4292 wrote to memory of 3640	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 4292 wrote to memory of 1448	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4292 wrote to memory of 1448	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 4292 wrote to memory of 3520	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4292 wrote to memory of 3520	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 4292 wrote to memory of 1992	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 4292 wrote to memory of 1992	4292	2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-23_b7e1714ec7fbbc72672716a1e63f7e6e_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Windows\System\cCYtNMd.exe
  C:\Windows\System\cCYtNMd.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Windows\System\yWAadXP.exe
  C:\Windows\System\yWAadXP.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\cNPGLAd.exe
  C:\Windows\System\cNPGLAd.exe
  2⤵
  - Executes dropped EXE
  PID:3924
- C:\Windows\System\QjiKxDr.exe
  C:\Windows\System\QjiKxDr.exe
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\Windows\System\LYAeezd.exe
  C:\Windows\System\LYAeezd.exe
  2⤵
  - Executes dropped EXE
  PID:3672
- C:\Windows\System\QwVGBBX.exe
  C:\Windows\System\QwVGBBX.exe
  2⤵
  - Executes dropped EXE
  PID:2816
- C:\Windows\System\ADhJAnQ.exe
  C:\Windows\System\ADhJAnQ.exe
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\Windows\System\KzDHCre.exe
  C:\Windows\System\KzDHCre.exe
  2⤵
  - Executes dropped EXE
  PID:4392
- C:\Windows\System\iXgSHXB.exe
  C:\Windows\System\iXgSHXB.exe
  2⤵
  - Executes dropped EXE
  PID:1696
- C:\Windows\System\mZIHBnc.exe
  C:\Windows\System\mZIHBnc.exe
  2⤵
  - Executes dropped EXE
  PID:1524
- C:\Windows\System\HXLDKOB.exe
  C:\Windows\System\HXLDKOB.exe
  2⤵
  - Executes dropped EXE
  PID:1804
- C:\Windows\System\yXFTNiq.exe
  C:\Windows\System\yXFTNiq.exe
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Windows\System\pbNzvfu.exe
  C:\Windows\System\pbNzvfu.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System\eWsOgvV.exe
  C:\Windows\System\eWsOgvV.exe
  2⤵
  - Executes dropped EXE
  PID:1704
- C:\Windows\System\nxLoJQL.exe
  C:\Windows\System\nxLoJQL.exe
  2⤵
  - Executes dropped EXE
  PID:324
- C:\Windows\System\ramlzIU.exe
  C:\Windows\System\ramlzIU.exe
  2⤵
  - Executes dropped EXE
  PID:2976
- C:\Windows\System\onUbymU.exe
  C:\Windows\System\onUbymU.exe
  2⤵
  - Executes dropped EXE
  PID:2068
- C:\Windows\System\emeOOfn.exe
  C:\Windows\System\emeOOfn.exe
  2⤵
  - Executes dropped EXE
  PID:3640
- C:\Windows\System\nGWtHeq.exe
  C:\Windows\System\nGWtHeq.exe
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Windows\System\etiBCqa.exe
  C:\Windows\System\etiBCqa.exe
  2⤵
  - Executes dropped EXE
  PID:3520
- C:\Windows\System\HUARZBu.exe
  C:\Windows\System\HUARZBu.exe
  2⤵
  - Executes dropped EXE
  PID:1992

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ADhJAnQ.exe

Filesize
5.2MB

MD5
f1d2d8ffd6acd3ad211a36f05461c02b

SHA1
41882e816ec67e11eeb8f0c853ab535d163182fd

SHA256
4562f9e721be5bd82ff4b3f501d0bef7ff589689339196a1520b19f7044203ed

SHA512
346e40569464078f621bcd0a97076e1af9445a31ae30cd4bb86631fee26f0ef2182f77f7b941a77b3b6b4d6ea276d11c064643bc50f06b2565e489910109f022

Download Submit
C:\Windows\System\HUARZBu.exe

Filesize
5.2MB

MD5
522c0ac4face6e37909cd1553cf9449e

SHA1
5b36dd9b3ff2c921457472748e3f282acbdfa556

SHA256
a06a748dc6810870d610613b938de090cb58a7885e2ef89be5fefa5f658f946b

SHA512
61122f7440a612a1a9db62f53ac8a084dd893e602feada1f874fbe9eba93d994bc95ab9e93a3c69b6ab01826dbb8460cfab2828714dcdb1f21744ad08bae0943

Download Submit
C:\Windows\System\HXLDKOB.exe

Filesize
5.2MB

MD5
a4d590c8aeda25dd708a4acccf7969c6

SHA1
e6f4ae9225e0ae4e165a1f3fc01df5873b1a1e1d

SHA256
b9bc6c84ca0f0b0dbcff009098b68438b7e24fd96ac1d7b0b08d3f3c5b996d32

SHA512
a5214c8850bba9ed151bd064679e616ca15cc64c30c808abb787a741780c7d4c0970d1fdd27150c1e1b645bd935daa1b86b4f5f5cdc2f9bd13603ee20cabe468

Download Submit
C:\Windows\System\KzDHCre.exe

Filesize
5.2MB

MD5
b845648afdcbba6d0b96ed551e4700d0

SHA1
569833492aa2aeed7b768cffa59ac845462121d2

SHA256
61f9174b9e29f8a2ac54caa34b742090157f4240246806e5f04b820b461393e3

SHA512
d1e8d2b3ab6372e56afe18b64f6f3bf534b663aff99e2e593c2eb3b71b0370564c497bafac74083eb43fc358c942324ea81583eaa4a6882d82cef7e4abfdb00c

Download Submit
C:\Windows\System\LYAeezd.exe

Filesize
5.2MB

MD5
99f13e9c9dbcd3dbdcc2e9d43c490890

SHA1
502cf1a43cfde3b451ec9d97470c3fdde8e86f36

SHA256
54743f3f52cfc5b68a3fc837cd832a6158e8b03dcb980cec4f4a47acdc7846a7

SHA512
ccef160b2790dd4c2cef3ea0f4f886600d30a9e73bb911f934a44d8f32b68da195161c38e89ebc97dc9d4162d6a38e2ab0b330a71163a361cbec2e772db7d1e2

Download Submit
C:\Windows\System\QjiKxDr.exe

Filesize
5.2MB

MD5
888465e7edfd5b17ff53cd8df7790343

SHA1
d8004860e6252b3be14cefd7c2878fe093b18132

SHA256
cc162f4af441251bec1d9cf03d6a54b8c4b85786d0678e5d0c73cb311d07158f

SHA512
71d4a975ece51bed86fe64d28a60516e7f4c2b83ff4a66f0da372ff73892667dd08a9421524b603d082a139193b455f21ad4975cdb6ad8adfe10c20154da6200

Download Submit
C:\Windows\System\QwVGBBX.exe

Filesize
5.2MB

MD5
e5655df6d9a9b70d6fd0e0d728c4a21d

SHA1
aec126287d6d388c493e306ebacb4c05f49c4028

SHA256
59b752453d129a060de6561ee14c3cec0995e18f0b08b3c41cd471fa8f0f9030

SHA512
c2b57557f5945dbb742145eadc6d46d84dd737c488ff04d91d77156d21409e2c283de742ca8fb4985612e81e46dff1dd12233fd5b38e300cf74b6261db0ef9d5

Download Submit
C:\Windows\System\cCYtNMd.exe

Filesize
5.2MB

MD5
4e2a3a9d7e23fbc8eaca14b9e6691597

SHA1
89bb3b8d23b957c44efefad621ffccbbfeaebaeb

SHA256
664184297b64727f2af589434fdf7ea4de5d06f3005211ca5b5ea0dfec3c8343

SHA512
ded0e07b208958444767011fa7e872df98ba6403200332b31eb882c3007a7ed913e0024f98070beb2f7d5d6ae9e434bce5c14610d0664280f1e51fc1163b5acb

Download Submit
C:\Windows\System\cNPGLAd.exe

Filesize
5.2MB

MD5
3015e782c8bb88d8d230a15b8af64cd3

SHA1
d732e35721d4115dc57f9df135f9b0c2858ff300

SHA256
dbe932dda623266e49027ee76468258c65cf130bf2493b62d488689ab6775ac1

SHA512
210e12c51381e5a092258cf95ea7e055203c005d23200a7fc3e33c4f35fa8b7419704e8a9207c306eb469977e2a72c55c90524929665c02d64d5c03a838130b5

Download Submit
C:\Windows\System\eWsOgvV.exe

Filesize
5.2MB

MD5
a4196a3ae4c51bc63cc6f3d54d6f0793

SHA1
ad89cb975fb90ebbaf13cfebab5fadad780364c0

SHA256
afa9e14b08901617016ceb9b6f81df107468b20e8b2b84230713af29789f4ad8

SHA512
e565ac3d04dc23dd396f84195d58042a6c9da273af7b9f53e19b54cbc99a060a461da3c127441121ac1c3ed7f045cd230d41b24e2a25221b59c7ab5fd041e656

Download Submit
C:\Windows\System\emeOOfn.exe

Filesize
5.2MB

MD5
0fea2551f184948195287e4d47520ff0

SHA1
b0e749a99e7a8d3bbc3fbffa5327fcfee2307db8

SHA256
cf1b83293f1ed81bd80723a7ea88099129027ccca4ac7531267a12ef493b4293

SHA512
4673fb592eadf478969ada2379ad10495eca93afe82eb978f7dc8746af93aff4678bbc6942e9d97d8339864400ffe0c04375e27e17110888b54efe26c5bb1248

Download Submit
C:\Windows\System\etiBCqa.exe

Filesize
5.2MB

MD5
1625b8c3af771f94b8baeb69e228ec6a

SHA1
b0b094d2d2927f3d18b43ed660b6f25a29c901d3

SHA256
e1450223c4d2d54ecd899c7558f66ce604dc3e1e925bb00e56eb16c4e9050960

SHA512
14a99a326c6b3e4159e3303804159a5e9897085f0b753fe53835b70d6bf7cdfab8e04244848cc98536a19eb456392795f4db7988315d24cc2483560734482e7e

Download Submit
C:\Windows\System\iXgSHXB.exe

Filesize
5.2MB

MD5
f576cfb8329a928f20a5f9a949dcf01d

SHA1
6c0a684fdbae3f1688188b610d6931812538f911

SHA256
21956d683c474d79bcfee8461e61fc01c50fd8611def4647579d9512a6168275

SHA512
06f0e83a1e8f5ebd3753b9a69597d97f81a41ba410a41d946da20b35b2edbb016828bf9aba85928d114bd67cd6d404bd120c0a5c0619fc1364d0038431ea2119

Download Submit
C:\Windows\System\mZIHBnc.exe

Filesize
5.2MB

MD5
a7f4a8186c6490a90f02078c03743d43

SHA1
83f178fece66128dbfd01f997b38c9707b243e14

SHA256
54696d6e5b25d9e2afb5adc33c278d77795b839c364ce3a8f95fc1971a8500c6

SHA512
98bf7d17fdedee8ff3f6458c76e62cd993478898ed395be76a2c33610283bf0e724b6db50d2cc069129ada822208c5d21d252d8771854fcae053866eb04aed11

Download Submit
C:\Windows\System\nGWtHeq.exe

Filesize
5.2MB

MD5
b1099d7b2546b1fa09014e2416ea4ca4

SHA1
d441eea1eafadcbe006b1c771366ea3364a54fb3

SHA256
8bc5d79f0775d9c3fdfb08013d6b2446c872b1a0db8ec3611a0077a4548f35ee

SHA512
0ef1a1c5f05db0f9b1d7dce6e6cd5dc163778cd21caab8ecce8ce0da2b7a04276dca84ed7848728b03bf6f086735db7ef2744102982c401932ab64654d9f52a8

Download Submit
C:\Windows\System\nxLoJQL.exe

Filesize
5.2MB

MD5
94d48fa98fa1d4090194f5dee6fbc010

SHA1
847c00b7686a35dd7dcbae0fa2d6fba5fe8b4b8c

SHA256
2887d129cfb9bd05e204577c592d136535bb71506ea8afb77d5294bf126d8558

SHA512
718c987eb033e2f13f47fe5d695ad12b4bb66635436c7e458f76246b51e154625f5fafd9bf5be865e1b9381d351b64ec5cf2d80935cf5675270c8b997385861e

Download Submit
C:\Windows\System\onUbymU.exe

Filesize
5.2MB

MD5
8e691b0ce30175ef90f42f0ee0ecd612

SHA1
c78e0bfff210e7b918912e4f78816621bc558497

SHA256
3dad8546dd3fad5432264403ea55d034acb78509cd608c8275170fe892e9a388

SHA512
98ae01aeaa4f0e384646b21ad68ee4e730fd24962696ac6e9044ff612ec4127da4cc993c78927e9cecf4b595a28ff0959440c855ecb5f649217c79a827f9c0b5

Download Submit
C:\Windows\System\pbNzvfu.exe

Filesize
5.2MB

MD5
60bd26d74ad478471925e3d7c16fafbe

SHA1
50956f43bde80f3e5bfb5e03bd9430cc28875179

SHA256
0dbcaa7a8d2d1bac1addc9e552d9fcc0796ee0c539119d06ed113d2625b23cbb

SHA512
dbc628da833c1e2122b05e4367890085bd617e60c95e91b552faa2c3cfe32b339315cb13601ba32f43ff9115fbb2e1e42597d565b0604e36ed28360aba8b527d

Download Submit
C:\Windows\System\ramlzIU.exe

Filesize
5.2MB

MD5
9cc4acc589727393c895384d170ea16b

SHA1
3bc5e67a7507f2f5fd57bfa7d00c9a6f2027d28f

SHA256
7022007a552c0f5de0578397188e92793a1856d658eab8a868a43165409fc2a8

SHA512
cfc1f52c630e5adf6fb175905db519942826b6d13a20c3aeb53b1bebe96eb8c4bbdc634795c50825ab7e00bb2592857264a7e3bd23d4786589d097c78ad6e381

Download Submit
C:\Windows\System\yWAadXP.exe

Filesize
5.2MB

MD5
040967063e969db316e8936c61aed3c5

SHA1
0f1598a2516171a6a264c1ee81e362d6694ba9bf

SHA256
fde4635de193fbf91e1cda7c3d0a6b8e5eb775c688f10d2880605aa18b928190

SHA512
60201b019c3174e9f58892772ee0beb7a69cf71612036b9930d00da4e82022ea4c424ed1b78356d8939fb25c7708d7efed0d7ae6870b48e4796d3156cb1abbd2

Download Submit
C:\Windows\System\yXFTNiq.exe

Filesize
5.2MB

MD5
0dfe2c88724c8478c3833c83fa2cf739

SHA1
d87bd91383ffb497ffae4781cf22f446ff80477f

SHA256
b5136cd6e3b5985689ff2c29c938583b9453a0e87510f317af9fe5a7fa8b4ffa

SHA512
410915f5d0da7db1fcbc2523c80f0d466879568311866b7d399add1754fec1311e30922f9b0a1bda5c6f3c5af5b5d17f1966afe09b09d75984f4453fab54b8d1

Download Submit
memory/324-100-0x00007FF739DA0000-0x00007FF73A0F1000-memory.dmp

Filesize
3.3MB

Download
memory/324-237-0x00007FF739DA0000-0x00007FF73A0F1000-memory.dmp

Filesize
3.3MB

Download
memory/1448-254-0x00007FF78D0C0000-0x00007FF78D411000-memory.dmp

Filesize
3.3MB

Download
memory/1448-147-0x00007FF78D0C0000-0x00007FF78D411000-memory.dmp

Filesize
3.3MB

Download
memory/1448-111-0x00007FF78D0C0000-0x00007FF78D411000-memory.dmp

Filesize
3.3MB

Download
memory/1524-244-0x00007FF61E290000-0x00007FF61E5E1000-memory.dmp

Filesize
3.3MB

Download
memory/1524-117-0x00007FF61E290000-0x00007FF61E5E1000-memory.dmp

Filesize
3.3MB

Download
memory/1644-130-0x00007FF781050000-0x00007FF7813A1000-memory.dmp

Filesize
3.3MB

Download
memory/1644-206-0x00007FF781050000-0x00007FF7813A1000-memory.dmp

Filesize
3.3MB

Download
memory/1644-12-0x00007FF781050000-0x00007FF7813A1000-memory.dmp

Filesize
3.3MB

Download
memory/1696-82-0x00007FF66B5B0000-0x00007FF66B901000-memory.dmp

Filesize
3.3MB

Download
memory/1696-234-0x00007FF66B5B0000-0x00007FF66B901000-memory.dmp

Filesize
3.3MB

Download
memory/1696-137-0x00007FF66B5B0000-0x00007FF66B901000-memory.dmp

Filesize
3.3MB

Download
memory/1704-91-0x00007FF60FA10000-0x00007FF60FD61000-memory.dmp

Filesize
3.3MB

Download
memory/1704-142-0x00007FF60FA10000-0x00007FF60FD61000-memory.dmp

Filesize
3.3MB

Download
memory/1704-239-0x00007FF60FA10000-0x00007FF60FD61000-memory.dmp

Filesize
3.3MB

Download
memory/1804-248-0x00007FF666870000-0x00007FF666BC1000-memory.dmp

Filesize
3.3MB

Download
memory/1804-120-0x00007FF666870000-0x00007FF666BC1000-memory.dmp

Filesize
3.3MB

Download
memory/1956-28-0x00007FF612E40000-0x00007FF613191000-memory.dmp

Filesize
3.3MB

Download
memory/1956-224-0x00007FF612E40000-0x00007FF613191000-memory.dmp

Filesize
3.3MB

Download
memory/1980-204-0x00007FF7B4C10000-0x00007FF7B4F61000-memory.dmp

Filesize
3.3MB

Download
memory/1980-6-0x00007FF7B4C10000-0x00007FF7B4F61000-memory.dmp

Filesize
3.3MB

Download
memory/1980-129-0x00007FF7B4C10000-0x00007FF7B4F61000-memory.dmp

Filesize
3.3MB

Download
memory/1992-252-0x00007FF6E2AF0000-0x00007FF6E2E41000-memory.dmp

Filesize
3.3MB

Download
memory/1992-127-0x00007FF6E2AF0000-0x00007FF6E2E41000-memory.dmp

Filesize
3.3MB

Download
memory/2068-247-0x00007FF6FF7F0000-0x00007FF6FFB41000-memory.dmp

Filesize
3.3MB

Download
memory/2068-124-0x00007FF6FF7F0000-0x00007FF6FFB41000-memory.dmp

Filesize
3.3MB

Download
memory/2140-241-0x00007FF783270000-0x00007FF7835C1000-memory.dmp

Filesize
3.3MB

Download
memory/2140-87-0x00007FF783270000-0x00007FF7835C1000-memory.dmp

Filesize
3.3MB

Download
memory/2816-134-0x00007FF7F3E60000-0x00007FF7F41B1000-memory.dmp

Filesize
3.3MB

Download
memory/2816-230-0x00007FF7F3E60000-0x00007FF7F41B1000-memory.dmp

Filesize
3.3MB

Download
memory/2816-32-0x00007FF7F3E60000-0x00007FF7F41B1000-memory.dmp

Filesize
3.3MB

Download
memory/2976-144-0x00007FF7EC280000-0x00007FF7EC5D1000-memory.dmp

Filesize
3.3MB

Download
memory/2976-105-0x00007FF7EC280000-0x00007FF7EC5D1000-memory.dmp

Filesize
3.3MB

Download
memory/2976-258-0x00007FF7EC280000-0x00007FF7EC5D1000-memory.dmp

Filesize
3.3MB

Download
memory/3520-250-0x00007FF6136E0000-0x00007FF613A31000-memory.dmp

Filesize
3.3MB

Download
memory/3520-126-0x00007FF6136E0000-0x00007FF613A31000-memory.dmp

Filesize
3.3MB

Download
memory/3640-125-0x00007FF6F1CE0000-0x00007FF6F2031000-memory.dmp

Filesize
3.3MB

Download
memory/3640-256-0x00007FF6F1CE0000-0x00007FF6F2031000-memory.dmp

Filesize
3.3MB

Download
memory/3672-229-0x00007FF7BEA40000-0x00007FF7BED91000-memory.dmp

Filesize
3.3MB

Download
memory/3672-41-0x00007FF7BEA40000-0x00007FF7BED91000-memory.dmp

Filesize
3.3MB

Download
memory/3924-208-0x00007FF6EC190000-0x00007FF6EC4E1000-memory.dmp

Filesize
3.3MB

Download
memory/3924-26-0x00007FF6EC190000-0x00007FF6EC4E1000-memory.dmp

Filesize
3.3MB

Download
memory/4292-150-0x00007FF740280000-0x00007FF7405D1000-memory.dmp

Filesize
3.3MB

Download
memory/4292-1-0x00000165A29E0000-0x00000165A29F0000-memory.dmp

Filesize
64KB

Download
memory/4292-172-0x00007FF740280000-0x00007FF7405D1000-memory.dmp

Filesize
3.3MB

Download
memory/4292-0-0x00007FF740280000-0x00007FF7405D1000-memory.dmp

Filesize
3.3MB

Download
memory/4292-128-0x00007FF740280000-0x00007FF7405D1000-memory.dmp

Filesize
3.3MB

Download
memory/4392-136-0x00007FF6EAD70000-0x00007FF6EB0C1000-memory.dmp

Filesize
3.3MB

Download
memory/4392-45-0x00007FF6EAD70000-0x00007FF6EB0C1000-memory.dmp

Filesize
3.3MB

Download
memory/4392-226-0x00007FF6EAD70000-0x00007FF6EB0C1000-memory.dmp

Filesize
3.3MB

Download
memory/4556-135-0x00007FF66FA70000-0x00007FF66FDC1000-memory.dmp

Filesize
3.3MB

Download
memory/4556-232-0x00007FF66FA70000-0x00007FF66FDC1000-memory.dmp

Filesize
3.3MB

Download
memory/4556-57-0x00007FF66FA70000-0x00007FF66FDC1000-memory.dmp

Filesize
3.3MB

Download
memory/5104-242-0x00007FF695940000-0x00007FF695C91000-memory.dmp

Filesize
3.3MB

Download
memory/5104-123-0x00007FF695940000-0x00007FF695C91000-memory.dmp

Filesize
3.3MB

Download