cobaltstrike | 91447a35c1b34f07248deba36d39944e026b5c3868622904147cf4ff00aac751

Analysis

max time kernel
139s
max time network
149s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22/09/2024, 11:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

fa7220b45b4dfe8a0dd9422ef3bf3746
SHA1

0e59ec2631589e23ae0bd01b8b5231517400b4cc
SHA256

91447a35c1b34f07248deba36d39944e026b5c3868622904147cf4ff00aac751
SHA512

b14a3d72ba995504490f07e850c6d0017ceffccb58090ede72f02726d41896abb2d328a50f64e44660ab8e05f1a6d14bc8687060459bd4eeecb460850da9c2c8
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lUC:T+856utgpPF8u/7C

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral1/files/0x00080000000120fd-3.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000186ca-7.dat	cobalt_reflective_dll
behavioral1/files/0x00070000000186d9-15.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018710-21.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018766-26.dat	cobalt_reflective_dll
behavioral1/files/0x0006000000018780-30.dat	cobalt_reflective_dll
behavioral1/files/0x0007000000018b62-36.dat	cobalt_reflective_dll
behavioral1/files/0x0009000000018bf3-41.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001960c-50.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001961e-60.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019667-65.dat	cobalt_reflective_dll
behavioral1/files/0x00050000000196a1-70.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019c57-95.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019cba-100.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019cca-105.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019c3e-90.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019c3c-86.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019c34-80.dat	cobalt_reflective_dll
behavioral1/files/0x0005000000019926-75.dat	cobalt_reflective_dll
behavioral1/files/0x000500000001961c-56.dat	cobalt_reflective_dll
behavioral1/files/0x000700000001933b-45.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 55 IoCs

miner

resource	yara_rule
behavioral1/memory/1756-0-0x000000013FF30000-0x0000000140284000-memory.dmp	xmrig
behavioral1/files/0x00080000000120fd-3.dat	xmrig
behavioral1/files/0x00070000000186ca-7.dat	xmrig
behavioral1/files/0x00070000000186d9-15.dat	xmrig
behavioral1/files/0x0007000000018710-21.dat	xmrig
behavioral1/files/0x0006000000018766-26.dat	xmrig
behavioral1/files/0x0006000000018780-30.dat	xmrig
behavioral1/files/0x0007000000018b62-36.dat	xmrig
behavioral1/files/0x0009000000018bf3-41.dat	xmrig
behavioral1/files/0x000500000001960c-50.dat	xmrig
behavioral1/files/0x000500000001961e-60.dat	xmrig
behavioral1/files/0x0005000000019667-65.dat	xmrig
behavioral1/files/0x00050000000196a1-70.dat	xmrig
behavioral1/files/0x0005000000019c57-95.dat	xmrig
behavioral1/files/0x0005000000019cba-100.dat	xmrig
behavioral1/files/0x0005000000019cca-105.dat	xmrig
behavioral1/files/0x0005000000019c3e-90.dat	xmrig
behavioral1/files/0x0005000000019c3c-86.dat	xmrig
behavioral1/files/0x0005000000019c34-80.dat	xmrig
behavioral1/files/0x0005000000019926-75.dat	xmrig
behavioral1/files/0x000500000001961c-56.dat	xmrig
behavioral1/files/0x000700000001933b-45.dat	xmrig
behavioral1/memory/2132-107-0x000000013F020000-0x000000013F374000-memory.dmp	xmrig
behavioral1/memory/1756-110-0x000000013F910000-0x000000013FC64000-memory.dmp	xmrig
behavioral1/memory/2748-115-0x000000013F620000-0x000000013F974000-memory.dmp	xmrig
behavioral1/memory/1756-114-0x000000013F620000-0x000000013F974000-memory.dmp	xmrig
behavioral1/memory/2928-119-0x000000013F680000-0x000000013F9D4000-memory.dmp	xmrig
behavioral1/memory/2128-121-0x000000013F730000-0x000000013FA84000-memory.dmp	xmrig
behavioral1/memory/2924-123-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig
behavioral1/memory/2636-127-0x000000013F530000-0x000000013F884000-memory.dmp	xmrig
behavioral1/memory/2152-132-0x000000013F910000-0x000000013FC64000-memory.dmp	xmrig
behavioral1/memory/2052-130-0x000000013FC00000-0x000000013FF54000-memory.dmp	xmrig
behavioral1/memory/2716-129-0x000000013F8C0000-0x000000013FC14000-memory.dmp	xmrig
behavioral1/memory/1756-128-0x000000013F8C0000-0x000000013FC14000-memory.dmp	xmrig
behavioral1/memory/2412-125-0x000000013F120000-0x000000013F474000-memory.dmp	xmrig
behavioral1/memory/1756-124-0x000000013F120000-0x000000013F474000-memory.dmp	xmrig
behavioral1/memory/2648-117-0x000000013F4E0000-0x000000013F834000-memory.dmp	xmrig
behavioral1/memory/2900-113-0x000000013F3E0000-0x000000013F734000-memory.dmp	xmrig
behavioral1/memory/2768-111-0x000000013F910000-0x000000013FC64000-memory.dmp	xmrig
behavioral1/memory/2732-109-0x000000013F890000-0x000000013FBE4000-memory.dmp	xmrig
behavioral1/memory/1756-135-0x000000013FF30000-0x0000000140284000-memory.dmp	xmrig
behavioral1/memory/2152-138-0x000000013F910000-0x000000013FC64000-memory.dmp	xmrig
behavioral1/memory/2732-139-0x000000013F890000-0x000000013FBE4000-memory.dmp	xmrig
behavioral1/memory/2132-140-0x000000013F020000-0x000000013F374000-memory.dmp	xmrig
behavioral1/memory/2648-143-0x000000013F4E0000-0x000000013F834000-memory.dmp	xmrig
behavioral1/memory/2748-142-0x000000013F620000-0x000000013F974000-memory.dmp	xmrig
behavioral1/memory/2900-141-0x000000013F3E0000-0x000000013F734000-memory.dmp	xmrig
behavioral1/memory/2928-145-0x000000013F680000-0x000000013F9D4000-memory.dmp	xmrig
behavioral1/memory/2768-144-0x000000013F910000-0x000000013FC64000-memory.dmp	xmrig
behavioral1/memory/2128-146-0x000000013F730000-0x000000013FA84000-memory.dmp	xmrig
behavioral1/memory/2924-147-0x000000013F900000-0x000000013FC54000-memory.dmp	xmrig
behavioral1/memory/2412-148-0x000000013F120000-0x000000013F474000-memory.dmp	xmrig
behavioral1/memory/2636-149-0x000000013F530000-0x000000013F884000-memory.dmp	xmrig
behavioral1/memory/2716-150-0x000000013F8C0000-0x000000013FC14000-memory.dmp	xmrig
behavioral1/memory/2052-151-0x000000013FC00000-0x000000013FF54000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
2152	WFVqNjS.exe
2132	DaCoYpC.exe
2732	GqRHloh.exe
2768	JfnJXnd.exe
2900	WKFfFRE.exe
2748	BYIBqIM.exe
2648	HoYVaPg.exe
2928	oFSKWNu.exe
2128	KPlooga.exe
2924	GpGkHIX.exe
2412	NYfLaTh.exe
2636	aaSBcnk.exe
2716	OwtgqOe.exe
2052	BwPCUBK.exe
2268	PyymETs.exe
2472	MOPFqAa.exe
2340	sgdqEZp.exe
2968	QDvRzul.exe
1148	CAcNdva.exe
2964	lgSAiId.exe
2700	fqlPZGD.exe

Loads dropped DLL 21 IoCs

pid	Process
1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 51 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1756-0-0x000000013FF30000-0x0000000140284000-memory.dmp	upx
behavioral1/files/0x00080000000120fd-3.dat	upx
behavioral1/files/0x00070000000186ca-7.dat	upx
behavioral1/files/0x00070000000186d9-15.dat	upx
behavioral1/files/0x0007000000018710-21.dat	upx
behavioral1/files/0x0006000000018766-26.dat	upx
behavioral1/files/0x0006000000018780-30.dat	upx
behavioral1/files/0x0007000000018b62-36.dat	upx
behavioral1/files/0x0009000000018bf3-41.dat	upx
behavioral1/files/0x000500000001960c-50.dat	upx
behavioral1/files/0x000500000001961e-60.dat	upx
behavioral1/files/0x0005000000019667-65.dat	upx
behavioral1/files/0x00050000000196a1-70.dat	upx
behavioral1/files/0x0005000000019c57-95.dat	upx
behavioral1/files/0x0005000000019cba-100.dat	upx
behavioral1/files/0x0005000000019cca-105.dat	upx
behavioral1/files/0x0005000000019c3e-90.dat	upx
behavioral1/files/0x0005000000019c3c-86.dat	upx
behavioral1/files/0x0005000000019c34-80.dat	upx
behavioral1/files/0x0005000000019926-75.dat	upx
behavioral1/files/0x000500000001961c-56.dat	upx
behavioral1/files/0x000700000001933b-45.dat	upx
behavioral1/memory/2132-107-0x000000013F020000-0x000000013F374000-memory.dmp	upx
behavioral1/memory/2748-115-0x000000013F620000-0x000000013F974000-memory.dmp	upx
behavioral1/memory/2928-119-0x000000013F680000-0x000000013F9D4000-memory.dmp	upx
behavioral1/memory/2128-121-0x000000013F730000-0x000000013FA84000-memory.dmp	upx
behavioral1/memory/2924-123-0x000000013F900000-0x000000013FC54000-memory.dmp	upx
behavioral1/memory/2636-127-0x000000013F530000-0x000000013F884000-memory.dmp	upx
behavioral1/memory/2152-132-0x000000013F910000-0x000000013FC64000-memory.dmp	upx
behavioral1/memory/2052-130-0x000000013FC00000-0x000000013FF54000-memory.dmp	upx
behavioral1/memory/2716-129-0x000000013F8C0000-0x000000013FC14000-memory.dmp	upx
behavioral1/memory/2412-125-0x000000013F120000-0x000000013F474000-memory.dmp	upx
behavioral1/memory/2648-117-0x000000013F4E0000-0x000000013F834000-memory.dmp	upx
behavioral1/memory/2900-113-0x000000013F3E0000-0x000000013F734000-memory.dmp	upx
behavioral1/memory/2768-111-0x000000013F910000-0x000000013FC64000-memory.dmp	upx
behavioral1/memory/2732-109-0x000000013F890000-0x000000013FBE4000-memory.dmp	upx
behavioral1/memory/1756-135-0x000000013FF30000-0x0000000140284000-memory.dmp	upx
behavioral1/memory/2152-138-0x000000013F910000-0x000000013FC64000-memory.dmp	upx
behavioral1/memory/2732-139-0x000000013F890000-0x000000013FBE4000-memory.dmp	upx
behavioral1/memory/2132-140-0x000000013F020000-0x000000013F374000-memory.dmp	upx
behavioral1/memory/2648-143-0x000000013F4E0000-0x000000013F834000-memory.dmp	upx
behavioral1/memory/2748-142-0x000000013F620000-0x000000013F974000-memory.dmp	upx
behavioral1/memory/2900-141-0x000000013F3E0000-0x000000013F734000-memory.dmp	upx
behavioral1/memory/2928-145-0x000000013F680000-0x000000013F9D4000-memory.dmp	upx
behavioral1/memory/2768-144-0x000000013F910000-0x000000013FC64000-memory.dmp	upx
behavioral1/memory/2128-146-0x000000013F730000-0x000000013FA84000-memory.dmp	upx
behavioral1/memory/2924-147-0x000000013F900000-0x000000013FC54000-memory.dmp	upx
behavioral1/memory/2412-148-0x000000013F120000-0x000000013F474000-memory.dmp	upx
behavioral1/memory/2636-149-0x000000013F530000-0x000000013F884000-memory.dmp	upx
behavioral1/memory/2716-150-0x000000013F8C0000-0x000000013FC14000-memory.dmp	upx
behavioral1/memory/2052-151-0x000000013FC00000-0x000000013FF54000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\WFVqNjS.exe	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NYfLaTh.exe	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aaSBcnk.exe	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BwPCUBK.exe	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CAcNdva.exe	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oFSKWNu.exe	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KPlooga.exe	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OwtgqOe.exe	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sgdqEZp.exe	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QDvRzul.exe	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\lgSAiId.exe	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fqlPZGD.exe	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\DaCoYpC.exe	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GqRHloh.exe	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JfnJXnd.exe	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WKFfFRE.exe	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BYIBqIM.exe	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HoYVaPg.exe	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GpGkHIX.exe	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PyymETs.exe	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\MOPFqAa.exe	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2152	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	30
PID 1756 wrote to memory of 2152	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	30
PID 1756 wrote to memory of 2152	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	30
PID 1756 wrote to memory of 2132	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1756 wrote to memory of 2132	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1756 wrote to memory of 2132	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	31
PID 1756 wrote to memory of 2732	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1756 wrote to memory of 2732	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1756 wrote to memory of 2732	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	32
PID 1756 wrote to memory of 2768	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1756 wrote to memory of 2768	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1756 wrote to memory of 2768	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	33
PID 1756 wrote to memory of 2900	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1756 wrote to memory of 2900	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1756 wrote to memory of 2900	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	34
PID 1756 wrote to memory of 2748	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1756 wrote to memory of 2748	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1756 wrote to memory of 2748	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	35
PID 1756 wrote to memory of 2648	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1756 wrote to memory of 2648	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1756 wrote to memory of 2648	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	36
PID 1756 wrote to memory of 2928	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1756 wrote to memory of 2928	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1756 wrote to memory of 2928	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	37
PID 1756 wrote to memory of 2128	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1756 wrote to memory of 2128	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1756 wrote to memory of 2128	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	38
PID 1756 wrote to memory of 2924	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1756 wrote to memory of 2924	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1756 wrote to memory of 2924	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	39
PID 1756 wrote to memory of 2412	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1756 wrote to memory of 2412	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1756 wrote to memory of 2412	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	40
PID 1756 wrote to memory of 2636	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1756 wrote to memory of 2636	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1756 wrote to memory of 2636	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	41
PID 1756 wrote to memory of 2716	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1756 wrote to memory of 2716	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1756 wrote to memory of 2716	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	42
PID 1756 wrote to memory of 2052	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1756 wrote to memory of 2052	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1756 wrote to memory of 2052	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	43
PID 1756 wrote to memory of 2268	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1756 wrote to memory of 2268	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1756 wrote to memory of 2268	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	44
PID 1756 wrote to memory of 2472	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1756 wrote to memory of 2472	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1756 wrote to memory of 2472	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	45
PID 1756 wrote to memory of 2340	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1756 wrote to memory of 2340	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1756 wrote to memory of 2340	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	46
PID 1756 wrote to memory of 2968	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1756 wrote to memory of 2968	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1756 wrote to memory of 2968	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	47
PID 1756 wrote to memory of 1148	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1756 wrote to memory of 1148	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1756 wrote to memory of 1148	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	48
PID 1756 wrote to memory of 2964	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1756 wrote to memory of 2964	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1756 wrote to memory of 2964	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	49
PID 1756 wrote to memory of 2700	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1756 wrote to memory of 2700	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	50
PID 1756 wrote to memory of 2700	1756	2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe	50

C:\Users\Admin\AppData\Local\Temp\2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-22_fa7220b45b4dfe8a0dd9422ef3bf3746_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\System\WFVqNjS.exe
  C:\Windows\System\WFVqNjS.exe
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\Windows\System\DaCoYpC.exe
  C:\Windows\System\DaCoYpC.exe
  2⤵
  - Executes dropped EXE
  PID:2132
- C:\Windows\System\GqRHloh.exe
  C:\Windows\System\GqRHloh.exe
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\Windows\System\JfnJXnd.exe
  C:\Windows\System\JfnJXnd.exe
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\Windows\System\WKFfFRE.exe
  C:\Windows\System\WKFfFRE.exe
  2⤵
  - Executes dropped EXE
  PID:2900
- C:\Windows\System\BYIBqIM.exe
  C:\Windows\System\BYIBqIM.exe
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\Windows\System\HoYVaPg.exe
  C:\Windows\System\HoYVaPg.exe
  2⤵
  - Executes dropped EXE
  PID:2648
- C:\Windows\System\oFSKWNu.exe
  C:\Windows\System\oFSKWNu.exe
  2⤵
  - Executes dropped EXE
  PID:2928
- C:\Windows\System\KPlooga.exe
  C:\Windows\System\KPlooga.exe
  2⤵
  - Executes dropped EXE
  PID:2128
- C:\Windows\System\GpGkHIX.exe
  C:\Windows\System\GpGkHIX.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Windows\System\NYfLaTh.exe
  C:\Windows\System\NYfLaTh.exe
  2⤵
  - Executes dropped EXE
  PID:2412
- C:\Windows\System\aaSBcnk.exe
  C:\Windows\System\aaSBcnk.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Windows\System\OwtgqOe.exe
  C:\Windows\System\OwtgqOe.exe
  2⤵
  - Executes dropped EXE
  PID:2716
- C:\Windows\System\BwPCUBK.exe
  C:\Windows\System\BwPCUBK.exe
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\Windows\System\PyymETs.exe
  C:\Windows\System\PyymETs.exe
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\Windows\System\MOPFqAa.exe
  C:\Windows\System\MOPFqAa.exe
  2⤵
  - Executes dropped EXE
  PID:2472
- C:\Windows\System\sgdqEZp.exe
  C:\Windows\System\sgdqEZp.exe
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\Windows\System\QDvRzul.exe
  C:\Windows\System\QDvRzul.exe
  2⤵
  - Executes dropped EXE
  PID:2968
- C:\Windows\System\CAcNdva.exe
  C:\Windows\System\CAcNdva.exe
  2⤵
  - Executes dropped EXE
  PID:1148
- C:\Windows\System\lgSAiId.exe
  C:\Windows\System\lgSAiId.exe
  2⤵
  - Executes dropped EXE
  PID:2964
- C:\Windows\System\fqlPZGD.exe
  C:\Windows\System\fqlPZGD.exe
  2⤵
  - Executes dropped EXE
  PID:2700

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\BYIBqIM.exe

Filesize
5.9MB

MD5
dae92730349257bebe902b6487c7cc6e

SHA1
a227fdc519d9834b56f31a01362b8627c26b6b20

SHA256
96711b7e73b1140233c7015122f3f2ee8b75ab51bbf15d5039cedb32c43e572f

SHA512
de14aa53ad8df72e8f7a690bff1cb4c1556fe9621b8cc2b133698b4855e7f76beba3df795904e861c7d2acea17022ef388fdcb08f3ef8b24bbb0ccae6ed06887

Download Submit
C:\Windows\system\BwPCUBK.exe

Filesize
5.9MB

MD5
51d9a3fed8317e07414af58dcb1289ac

SHA1
94c5c86cb554b0adb64133ff85e618b0add7cebf

SHA256
6bd496ea7c56a24d8756775966425a2a9875ee20f9b280250ae99d8ead960fa6

SHA512
30a4e4c823f6972a4cfef5e5bf2a549490c70ef8271af998720f84c84ffeac04c2dbd5e1410bcf8ca3849d614e21a63c146861259e4dcba2e747bd4b0f118e84

Download Submit
C:\Windows\system\CAcNdva.exe

Filesize
6.0MB

MD5
a711dbaf57702136589d6c89b3369765

SHA1
13ae6887e9be91539171f19a87ae7d21667f2eb7

SHA256
b279560a772aaf776162de1dcb121195bbac0a51ae4c0c472f9d8d089e115b30

SHA512
a25069a4f28e93c4c91d53788d1495fd0425dd877c108a81c7c7dfadccaa95cc64356df251206e0332c8c06ffe04344c7468d71a5f36da871240a05b7328aab2

Download Submit
C:\Windows\system\GpGkHIX.exe

Filesize
5.9MB

MD5
14504a07aaea1088f332fdc482a30f13

SHA1
d92c7e05f5323b744d50dd898c87ebd89c86b1b4

SHA256
2b40a85669e5bdde577e67850abf6cf54aaf9ac75e5168c4c7bd39ba83535b7c

SHA512
128cbc587bef10fcb52a6a5f1df83e0b44c0bfb2fe574715553e9b9a135102c33187ca1fe671c85fed3c6840f9201327fb8d58742aaf29b81d187ed188a5e79c

Download Submit
C:\Windows\system\GqRHloh.exe

Filesize
5.9MB

MD5
8ac337c4bceeb8a315c2d4a7a0e0cee8

SHA1
9791e51e956ce4718d261c8b015625b779e8617e

SHA256
617dfa2ecd1829ea17ea4cd4f1b99d67424ac4c7bfd9e46b8f5ded64f3174f2b

SHA512
bab8454b0936a81e4f75a5eab0a2766d4087a18e8313f4cac6ca253ddbc39fca9e8bf99d006c292f4dba347b46a5b6684660d8284dbcfa58bc3296a3c9ed3f76

Download Submit
C:\Windows\system\HoYVaPg.exe

Filesize
5.9MB

MD5
8214c4cc8a50c6afcec74118646f9733

SHA1
7717bd14d8c793b16ac355b09ceb510850baf412

SHA256
6bbb5d3c88fddc2a64ea29ef56b35df7b8a184cfbde3b24d611a10f8677ee73a

SHA512
a1ea2cfb14bdda841737747e8242c23472c16934775c1aec764f0394e6de7afcbc8b637f683dac7476ef97755e66df145c57c884da0b4d9fcf2e85a5ad9014b9

Download Submit
C:\Windows\system\JfnJXnd.exe

Filesize
5.9MB

MD5
1964e7e5d4a80155d90e5175d7b41e6a

SHA1
b5367d6ac27536c400746f8b5337c4e76090e9ae

SHA256
e05fa1418f6c9c96103b4a1432f695126c3063d9b3fb25e662b0ae3ae80ad58a

SHA512
9911405f33a7a525310440652f676821edd408e8ce92c4c5ca1adc4640fffea217b726d672f175b656e68a95c48c7cdef59f440f22633643d05793412bad69c4

Download Submit
C:\Windows\system\KPlooga.exe

Filesize
5.9MB

MD5
7fcfe0124f8f8c7dd9f78647cdf21250

SHA1
8964e4912fae4f31555a0da5e28a1cc480cb72df

SHA256
0d1def540453298a982c00099de624fb63fb67850cbc54ff467dcf41090a3496

SHA512
6e28a3f149549d7c23fc8e8e52e80209aa7c59859d9e865fc1f4509ce415b1599398ddf4da80e40c87e1f54cc297c9805bc569fd4eaa1e85c3693a2c96111c71

Download Submit
C:\Windows\system\MOPFqAa.exe

Filesize
6.0MB

MD5
92bb196ed9ae1928c17b27da993e5ed3

SHA1
19e06f3445219db5bf922118b4f5db5990eeec2a

SHA256
ccd341fde1128e1bb6d19a1689d47acba540c0d7c0e322e907409656e375d828

SHA512
0a25d65d579cfd433010724bf6ab5eeb996acabe3a4855273a2e37a5ecfe54067284f17a3a3b3a227bac3453693e583dd68db824f1c295c8aaab858985f54ed1

Download Submit
C:\Windows\system\NYfLaTh.exe

Filesize
5.9MB

MD5
849b3b1747f7f21abc2f945a81433e41

SHA1
d97c60bdc00288214bfb4c60687f93c15de881a2

SHA256
a165b74a4515a598065cb7fe49d8de2ede78ef80d56d414411d93cadaec50f9d

SHA512
41a783435a2c5d52e71fe7afac93a7ec9b3d96c6582d69cc79a9a4e3f6e2796cbe5c17ca74f53701ae2e56f86b247cc361bf2b56678ee23280718365f3449184

Download Submit
C:\Windows\system\OwtgqOe.exe

Filesize
5.9MB

MD5
d0eb4917f582d2b32c7f51894d956895

SHA1
9d120bce71056a3cf50bd7b36e66e4b9dd99fb57

SHA256
41b9832c5035207767e0066dadf9a896560eaefe7f41ba3fc9f13cfd75c7bfdc

SHA512
d5533272d2bbc548ac8000919f3f72c32b299720f0129b7d4418d4a5dec45f0fd70537b61fc10a24241e56685d76d9bfdbb6c54fec7f633ce3ce9db5743f8be9

Download Submit
C:\Windows\system\PyymETs.exe

Filesize
5.9MB

MD5
06eaf906ee3ae0b32d512fffa88607ff

SHA1
4ee771d1fd1f30f1d64c3f745dd6918c63e40fe0

SHA256
3ace90e13aedfcedde2d3bcb4f28ef2af01f34277e5cf7a52dd0cfd60c32eb88

SHA512
3ee4b4ad4f446bd210d19747d49f564a8c21a44c6cce572d3a3624ecea23eedc64f17925453cd878403638b22e71dd4dd6b8a124de479819fe330229f9d5dfc3

Download Submit
C:\Windows\system\QDvRzul.exe

Filesize
6.0MB

MD5
f665796fb455e9f5eda75858e7c0f5d4

SHA1
c02786b2961973fe2150f99182b1d0e512b52384

SHA256
5096079b71a373e9fd14029753e5bdfd75ec06c4fbede034879e8119b6da10a9

SHA512
4aa28e6b93be303e9aaf025e2541b87361cc7935437b3d315522d5025b8ca9ff0fc618480d1767e10b7d17cf44f3951ae37723e286f9369d67910777685ae884

Download Submit
C:\Windows\system\WKFfFRE.exe

Filesize
5.9MB

MD5
1a2706fa71af238c07b6363ca5433056

SHA1
be663f5253a88a15b9aae94079e2f0b11f2ec29e

SHA256
10ba5181f5a1223b65f31f31e5af89874535badb92405abb035282bb332cea41

SHA512
e65c59fc5b85d0d713696331fb3d0267b94b023652f791c254c4377776a350f64def81ff2f13e7aef63ad5f25eb75de229bd7b070421622a2dfb5e790789e63a

Download Submit
C:\Windows\system\aaSBcnk.exe

Filesize
5.9MB

MD5
523b2a3de31b0c5378c353228eb9d08f

SHA1
a056ef5df058fb63118a98684730e056964c6c52

SHA256
4b6d6b64c3314e1b01f00c596f43cddcaed02d849403d86496103c3f5e48fe1f

SHA512
d206ce3fcded8f1dad1b9483c222f58c51909ae3afdb8a5624d20f3deb9b7ea0be932ac7538ad5ae211ac25d1f3e0e7e04ebb5631899151adefa84a5abda4c26

Download Submit
C:\Windows\system\fqlPZGD.exe

Filesize
6.0MB

MD5
be4e74598de103a73ccb1d8de1f9b297

SHA1
7b4b4859d7a4bc8104ea4bee544ed356921c167c

SHA256
a8f7996e2afc003200f4bf26f4ff9d80c1eb6b0a45ef89ed0956f9858d580436

SHA512
26d2a776461bcd041a3fe65e7527ef23e656467355d16b09e6e5bebde9a70c85401129636752370f1924aedbc9ae7ae6aa2ad7ba207b9327a9d8141071f3708b

Download Submit
C:\Windows\system\lgSAiId.exe

Filesize
6.0MB

MD5
5d515ad842388af0341b9a93ab1bed1e

SHA1
40f4fc531447c729bd39805b9d5141dadaa50a9c

SHA256
deb06b00a476b988934719abd4c4c6d2f8e53c6e69e4e5cf92c2929ac2e3277e

SHA512
dd1c64fd1dd25cf3022f884db6f5de6b76e60574f50b5cc7ffe34cc085b260a023e549b8485602ab3281f4404fab11f76de4beb358830be02a42fa4a8d13e537

Download Submit
C:\Windows\system\oFSKWNu.exe

Filesize
5.9MB

MD5
49257eb9f3ae7e1ee281436bc7e30473

SHA1
90af0364b3ee7211e66ae3d49919e4b6dce98ad9

SHA256
d8ffda49bd7e12c069169724520f563eb4aacc773f0af943421a1198cd0083b6

SHA512
e2b3f9ce0e19ee33b60d8ab138a7e9bcc90b3c3b4a787741634bdc71411ecd2d8d307c7a50587dfc0ab94d82cf9887d448774f25e8f54cdf7a57c197c6e0248e

Download Submit
C:\Windows\system\sgdqEZp.exe

Filesize
6.0MB

MD5
70ee705393ee49caa73091f1f91e34d8

SHA1
d51ae94535074985d3cf06b125c50a1bd137df09

SHA256
d47edda1b5f670ec390c470f1dfc354f7cc25beac43e18fc85479352c6c497a6

SHA512
f65e4248aa3197ab243daca668fa2b81970ec3e59ee7da613d9d2c7ac1fa6db458e2c139d6291107f8dd74fd8cd95dd19685c9b39406fa3aae9944aeef1c3b91

Download Submit
\Windows\system\DaCoYpC.exe

Filesize
5.9MB

MD5
19ad791a197640ebeb022d9b346f11c5

SHA1
d9b997f84b156dc83b16635aa358a92fe58a334a

SHA256
5f99188dce7fbcabe4686c6a2e5b6bcd080e0fdeb7fed0176d6b7eda0c640439

SHA512
c9dae39c626da1e5eeff18b03e9087587721f8898df8429a3738a2866fbce6463894cbfe341854e4e1b7bd35350c548ce954037902cf6be04592eb23f3f3a949

Download Submit
\Windows\system\WFVqNjS.exe

Filesize
5.9MB

MD5
8b26e7dfd9cff898c6d6fd549bd3d12d

SHA1
645482da3f31fe9eb0aa76aedca7feac90a80960

SHA256
6570c790ff75b82436dc2f0cc2d8a85e4bc251e329b8bf5250c6324ae2e1876c

SHA512
7ef9eaabd3e9f727a0a6eb57db357cef7ae58240e0813695f128fe18770ee4a22f743b44caf1cac0c22607cc817f183e58322bef59b480386ee5b07aaf20433b

Download Submit
memory/1756-133-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/1756-134-0x0000000002360000-0x00000000026B4000-memory.dmp

Filesize
3.3MB

Download
memory/1756-112-0x000000013F3E0000-0x000000013F734000-memory.dmp

Filesize
3.3MB

Download
memory/1756-108-0x000000013F890000-0x000000013FBE4000-memory.dmp

Filesize
3.3MB

Download
memory/1756-110-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/1756-120-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/1756-114-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download
memory/1756-118-0x000000013F680000-0x000000013F9D4000-memory.dmp

Filesize
3.3MB

Download
memory/1756-122-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/1756-124-0x000000013F120000-0x000000013F474000-memory.dmp

Filesize
3.3MB

Download
memory/1756-135-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/1756-137-0x000000013F890000-0x000000013FBE4000-memory.dmp

Filesize
3.3MB

Download
memory/1756-1-0x00000000000F0000-0x0000000000100000-memory.dmp

Filesize
64KB

Download
memory/1756-116-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download
memory/1756-0-0x000000013FF30000-0x0000000140284000-memory.dmp

Filesize
3.3MB

Download
memory/1756-131-0x000000013FB20000-0x000000013FE74000-memory.dmp

Filesize
3.3MB

Download
memory/1756-126-0x000000013F530000-0x000000013F884000-memory.dmp

Filesize
3.3MB

Download
memory/1756-136-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/1756-128-0x000000013F8C0000-0x000000013FC14000-memory.dmp

Filesize
3.3MB

Download
memory/2052-130-0x000000013FC00000-0x000000013FF54000-memory.dmp

Filesize
3.3MB

Download
memory/2052-151-0x000000013FC00000-0x000000013FF54000-memory.dmp

Filesize
3.3MB

Download
memory/2128-121-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/2128-146-0x000000013F730000-0x000000013FA84000-memory.dmp

Filesize
3.3MB

Download
memory/2132-140-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2132-107-0x000000013F020000-0x000000013F374000-memory.dmp

Filesize
3.3MB

Download
memory/2152-132-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/2152-138-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/2412-148-0x000000013F120000-0x000000013F474000-memory.dmp

Filesize
3.3MB

Download
memory/2412-125-0x000000013F120000-0x000000013F474000-memory.dmp

Filesize
3.3MB

Download
memory/2636-149-0x000000013F530000-0x000000013F884000-memory.dmp

Filesize
3.3MB

Download
memory/2636-127-0x000000013F530000-0x000000013F884000-memory.dmp

Filesize
3.3MB

Download
memory/2648-143-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download
memory/2648-117-0x000000013F4E0000-0x000000013F834000-memory.dmp

Filesize
3.3MB

Download
memory/2716-129-0x000000013F8C0000-0x000000013FC14000-memory.dmp

Filesize
3.3MB

Download
memory/2716-150-0x000000013F8C0000-0x000000013FC14000-memory.dmp

Filesize
3.3MB

Download
memory/2732-139-0x000000013F890000-0x000000013FBE4000-memory.dmp

Filesize
3.3MB

Download
memory/2732-109-0x000000013F890000-0x000000013FBE4000-memory.dmp

Filesize
3.3MB

Download
memory/2748-115-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download
memory/2748-142-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download
memory/2768-144-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/2768-111-0x000000013F910000-0x000000013FC64000-memory.dmp

Filesize
3.3MB

Download
memory/2900-113-0x000000013F3E0000-0x000000013F734000-memory.dmp

Filesize
3.3MB

Download
memory/2900-141-0x000000013F3E0000-0x000000013F734000-memory.dmp

Filesize
3.3MB

Download
memory/2924-147-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2924-123-0x000000013F900000-0x000000013FC54000-memory.dmp

Filesize
3.3MB

Download
memory/2928-145-0x000000013F680000-0x000000013F9D4000-memory.dmp

Filesize
3.3MB

Download
memory/2928-119-0x000000013F680000-0x000000013F9D4000-memory.dmp

Filesize
3.3MB

Download