cobaltstrike | 097996579fa1845bf2c7c5c7240f2d2dbe5f72a0c006c222b13584af537ae6ee

Analysis

max time kernel
141s
max time network
135s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-11-2024 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

286627607bfc6de4d3c57942a38bf36b
SHA1

b8ffe75761737eee7c7c3a883bff0e6f48e7f426
SHA256

097996579fa1845bf2c7c5c7240f2d2dbe5f72a0c006c222b13584af537ae6ee
SHA512

5cee6f799af7684ce02cbc3907d6a9d806131aa3ffb0a31a947def77164850708fe91597957c4d0564cd83a3a8e5bebc90887c09d6575aa439d57617069cfa7b
SSDEEP

49152:ROdWCCi7/rai56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lb:RWWBibd56utgpPFotBER/mQ32lU3

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\system\GZveMDC.exe	cobalt_reflective_dll
C:\Windows\system\ckwczBu.exe	cobalt_reflective_dll
\Windows\system\RnkBasv.exe	cobalt_reflective_dll
C:\Windows\system\XJGiDyF.exe	cobalt_reflective_dll
C:\Windows\system\XFAnLrz.exe	cobalt_reflective_dll
C:\Windows\system\HjSQPPQ.exe	cobalt_reflective_dll
\Windows\system\svUcKJc.exe	cobalt_reflective_dll
\Windows\system\PaTAuwa.exe	cobalt_reflective_dll
C:\Windows\system\nyjGIeY.exe	cobalt_reflective_dll
\Windows\system\CuWNNsV.exe	cobalt_reflective_dll
C:\Windows\system\gvodiRW.exe	cobalt_reflective_dll
C:\Windows\system\eJZLwrO.exe	cobalt_reflective_dll
C:\Windows\system\GifCfdU.exe	cobalt_reflective_dll
C:\Windows\system\rnZNNwC.exe	cobalt_reflective_dll
C:\Windows\system\JGJHcbG.exe	cobalt_reflective_dll
C:\Windows\system\ynLDNXI.exe	cobalt_reflective_dll
C:\Windows\system\CpSjGzR.exe	cobalt_reflective_dll
C:\Windows\system\hYjbFfT.exe	cobalt_reflective_dll
C:\Windows\system\OnrlZdQ.exe	cobalt_reflective_dll
C:\Windows\system\zGclLvt.exe	cobalt_reflective_dll
\Windows\system\fqERWgc.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 41 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/2272-37-0x000000013FC50000-0x000000013FFA1000-memory.dmp	xmrig
behavioral1/memory/1972-38-0x000000013FC50000-0x000000013FFA1000-memory.dmp	xmrig
behavioral1/memory/2004-22-0x000000013FD80000-0x00000001400D1000-memory.dmp	xmrig
behavioral1/memory/2580-100-0x000000013FA40000-0x000000013FD91000-memory.dmp	xmrig
behavioral1/memory/2696-138-0x000000013FA30000-0x000000013FD81000-memory.dmp	xmrig
behavioral1/memory/2272-139-0x00000000022B0000-0x0000000002601000-memory.dmp	xmrig
behavioral1/memory/2792-140-0x000000013F3E0000-0x000000013F731000-memory.dmp	xmrig
behavioral1/memory/2820-93-0x000000013FFE0000-0x0000000140331000-memory.dmp	xmrig
behavioral1/memory/2796-142-0x000000013F8C0000-0x000000013FC11000-memory.dmp	xmrig
behavioral1/memory/2108-77-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	xmrig
behavioral1/memory/2592-144-0x000000013F930000-0x000000013FC81000-memory.dmp	xmrig
behavioral1/memory/2712-85-0x000000013F470000-0x000000013F7C1000-memory.dmp	xmrig
behavioral1/memory/1296-155-0x000000013FF90000-0x00000001402E1000-memory.dmp	xmrig
behavioral1/memory/2272-146-0x000000013F610000-0x000000013F961000-memory.dmp	xmrig
behavioral1/memory/1236-165-0x000000013F3C0000-0x000000013F711000-memory.dmp	xmrig
behavioral1/memory/308-164-0x000000013FD70000-0x00000001400C1000-memory.dmp	xmrig
behavioral1/memory/2384-163-0x000000013F220000-0x000000013F571000-memory.dmp	xmrig
behavioral1/memory/1988-162-0x000000013F0F0000-0x000000013F441000-memory.dmp	xmrig
behavioral1/memory/1148-168-0x000000013FF60000-0x00000001402B1000-memory.dmp	xmrig
behavioral1/memory/1752-167-0x000000013FCC0000-0x0000000140011000-memory.dmp	xmrig
behavioral1/memory/1688-166-0x000000013F920000-0x000000013FC71000-memory.dmp	xmrig
behavioral1/memory/2272-61-0x000000013F610000-0x000000013F961000-memory.dmp	xmrig
behavioral1/memory/2480-39-0x000000013FF40000-0x0000000140291000-memory.dmp	xmrig
behavioral1/memory/2656-35-0x000000013F5C0000-0x000000013F911000-memory.dmp	xmrig
behavioral1/memory/2272-34-0x000000013FF40000-0x0000000140291000-memory.dmp	xmrig
behavioral1/memory/2652-31-0x000000013F6C0000-0x000000013FA11000-memory.dmp	xmrig
behavioral1/memory/2272-169-0x000000013F610000-0x000000013F961000-memory.dmp	xmrig
behavioral1/memory/2652-221-0x000000013F6C0000-0x000000013FA11000-memory.dmp	xmrig
behavioral1/memory/2004-220-0x000000013FD80000-0x00000001400D1000-memory.dmp	xmrig
behavioral1/memory/2656-232-0x000000013F5C0000-0x000000013F911000-memory.dmp	xmrig
behavioral1/memory/1972-234-0x000000013FC50000-0x000000013FFA1000-memory.dmp	xmrig
behavioral1/memory/2480-236-0x000000013FF40000-0x0000000140291000-memory.dmp	xmrig
behavioral1/memory/2712-238-0x000000013F470000-0x000000013F7C1000-memory.dmp	xmrig
behavioral1/memory/2108-240-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	xmrig
behavioral1/memory/2820-242-0x000000013FFE0000-0x0000000140331000-memory.dmp	xmrig
behavioral1/memory/2696-244-0x000000013FA30000-0x000000013FD81000-memory.dmp	xmrig
behavioral1/memory/2580-246-0x000000013FA40000-0x000000013FD91000-memory.dmp	xmrig
behavioral1/memory/2792-248-0x000000013F3E0000-0x000000013F731000-memory.dmp	xmrig
behavioral1/memory/2796-258-0x000000013F8C0000-0x000000013FC11000-memory.dmp	xmrig
behavioral1/memory/1296-262-0x000000013FF90000-0x00000001402E1000-memory.dmp	xmrig
behavioral1/memory/2592-260-0x000000013F930000-0x000000013FC81000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

ckwczBu.exeGZveMDC.exeRnkBasv.exeXJGiDyF.exeXFAnLrz.exefqERWgc.exezGclLvt.exeHjSQPPQ.exeOnrlZdQ.exesvUcKJc.exeCpSjGzR.exehYjbFfT.exeJGJHcbG.exePaTAuwa.exeGifCfdU.exeynLDNXI.exeeJZLwrO.exernZNNwC.exegvodiRW.exenyjGIeY.exeCuWNNsV.exe

pid	process
2652	ckwczBu.exe
2004	GZveMDC.exe
2656	RnkBasv.exe
1972	XJGiDyF.exe
2480	XFAnLrz.exe
2108	fqERWgc.exe
2712	zGclLvt.exe
2820	HjSQPPQ.exe
2580	OnrlZdQ.exe
2696	svUcKJc.exe
2792	CpSjGzR.exe
2796	hYjbFfT.exe
2592	JGJHcbG.exe
1296	PaTAuwa.exe
1988	GifCfdU.exe
2384	ynLDNXI.exe
308	eJZLwrO.exe
1236	rnZNNwC.exe
1688	gvodiRW.exe
1752	nyjGIeY.exe
1148	CuWNNsV.exe

Loads dropped DLL 21 IoCs

Processes:

2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe

pid	process
2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2272-0-0x000000013F610000-0x000000013F961000-memory.dmp	upx
C:\Windows\system\GZveMDC.exe	upx
C:\Windows\system\ckwczBu.exe	upx
\Windows\system\RnkBasv.exe	upx
C:\Windows\system\XJGiDyF.exe	upx
C:\Windows\system\XFAnLrz.exe	upx
behavioral1/memory/1972-38-0x000000013FC50000-0x000000013FFA1000-memory.dmp	upx
behavioral1/memory/2108-41-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	upx
behavioral1/memory/2004-22-0x000000013FD80000-0x00000001400D1000-memory.dmp	upx
C:\Windows\system\HjSQPPQ.exe	upx
behavioral1/memory/2712-47-0x000000013F470000-0x000000013F7C1000-memory.dmp	upx
\Windows\system\svUcKJc.exe	upx
behavioral1/memory/2696-69-0x000000013FA30000-0x000000013FD81000-memory.dmp	upx
\Windows\system\PaTAuwa.exe	upx
behavioral1/memory/1296-101-0x000000013FF90000-0x00000001402E1000-memory.dmp	upx
behavioral1/memory/2580-100-0x000000013FA40000-0x000000013FD91000-memory.dmp	upx
C:\Windows\system\nyjGIeY.exe	upx
\Windows\system\CuWNNsV.exe	upx
C:\Windows\system\gvodiRW.exe	upx
behavioral1/memory/2696-138-0x000000013FA30000-0x000000013FD81000-memory.dmp	upx
C:\Windows\system\eJZLwrO.exe	upx
C:\Windows\system\GifCfdU.exe	upx
C:\Windows\system\rnZNNwC.exe	upx
behavioral1/memory/2792-140-0x000000013F3E0000-0x000000013F731000-memory.dmp	upx
behavioral1/memory/2592-94-0x000000013F930000-0x000000013FC81000-memory.dmp	upx
behavioral1/memory/2820-93-0x000000013FFE0000-0x0000000140331000-memory.dmp	upx
C:\Windows\system\JGJHcbG.exe	upx
C:\Windows\system\ynLDNXI.exe	upx
behavioral1/memory/2796-142-0x000000013F8C0000-0x000000013FC11000-memory.dmp	upx
behavioral1/memory/2792-78-0x000000013F3E0000-0x000000013F731000-memory.dmp	upx
behavioral1/memory/2108-77-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	upx
behavioral1/memory/2592-144-0x000000013F930000-0x000000013FC81000-memory.dmp	upx
C:\Windows\system\CpSjGzR.exe	upx
behavioral1/memory/2796-86-0x000000013F8C0000-0x000000013FC11000-memory.dmp	upx
behavioral1/memory/2712-85-0x000000013F470000-0x000000013F7C1000-memory.dmp	upx
behavioral1/memory/1296-155-0x000000013FF90000-0x00000001402E1000-memory.dmp	upx
behavioral1/memory/2272-146-0x000000013F610000-0x000000013F961000-memory.dmp	upx
C:\Windows\system\hYjbFfT.exe	upx
behavioral1/memory/1236-165-0x000000013F3C0000-0x000000013F711000-memory.dmp	upx
behavioral1/memory/308-164-0x000000013FD70000-0x00000001400C1000-memory.dmp	upx
behavioral1/memory/2384-163-0x000000013F220000-0x000000013F571000-memory.dmp	upx
behavioral1/memory/1988-162-0x000000013F0F0000-0x000000013F441000-memory.dmp	upx
behavioral1/memory/2580-63-0x000000013FA40000-0x000000013FD91000-memory.dmp	upx
behavioral1/memory/1148-168-0x000000013FF60000-0x00000001402B1000-memory.dmp	upx
behavioral1/memory/1752-167-0x000000013FCC0000-0x0000000140011000-memory.dmp	upx
behavioral1/memory/1688-166-0x000000013F920000-0x000000013FC71000-memory.dmp	upx
behavioral1/memory/2272-61-0x000000013F610000-0x000000013F961000-memory.dmp	upx
C:\Windows\system\OnrlZdQ.exe	upx
C:\Windows\system\zGclLvt.exe	upx
behavioral1/memory/2820-54-0x000000013FFE0000-0x0000000140331000-memory.dmp	upx
\Windows\system\fqERWgc.exe	upx
behavioral1/memory/2480-39-0x000000013FF40000-0x0000000140291000-memory.dmp	upx
behavioral1/memory/2656-35-0x000000013F5C0000-0x000000013F911000-memory.dmp	upx
behavioral1/memory/2652-31-0x000000013F6C0000-0x000000013FA11000-memory.dmp	upx
behavioral1/memory/2272-169-0x000000013F610000-0x000000013F961000-memory.dmp	upx
behavioral1/memory/2652-221-0x000000013F6C0000-0x000000013FA11000-memory.dmp	upx
behavioral1/memory/2004-220-0x000000013FD80000-0x00000001400D1000-memory.dmp	upx
behavioral1/memory/2656-232-0x000000013F5C0000-0x000000013F911000-memory.dmp	upx
behavioral1/memory/1972-234-0x000000013FC50000-0x000000013FFA1000-memory.dmp	upx
behavioral1/memory/2480-236-0x000000013FF40000-0x0000000140291000-memory.dmp	upx
behavioral1/memory/2712-238-0x000000013F470000-0x000000013F7C1000-memory.dmp	upx
behavioral1/memory/2108-240-0x000000013F4A0000-0x000000013F7F1000-memory.dmp	upx
behavioral1/memory/2820-242-0x000000013FFE0000-0x0000000140331000-memory.dmp	upx
behavioral1/memory/2696-244-0x000000013FA30000-0x000000013FD81000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\rnZNNwC.exe	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gvodiRW.exe	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nyjGIeY.exe	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ckwczBu.exe	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\OnrlZdQ.exe	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\svUcKJc.exe	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hYjbFfT.exe	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eJZLwrO.exe	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CuWNNsV.exe	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XFAnLrz.exe	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RnkBasv.exe	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JGJHcbG.exe	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PaTAuwa.exe	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GifCfdU.exe	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GZveMDC.exe	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fqERWgc.exe	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XJGiDyF.exe	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\zGclLvt.exe	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CpSjGzR.exe	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HjSQPPQ.exe	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ynLDNXI.exe	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 2272 wrote to memory of 2652	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	ckwczBu.exe
PID 2272 wrote to memory of 2652	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	ckwczBu.exe
PID 2272 wrote to memory of 2652	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	ckwczBu.exe
PID 2272 wrote to memory of 2004	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	GZveMDC.exe
PID 2272 wrote to memory of 2004	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	GZveMDC.exe
PID 2272 wrote to memory of 2004	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	GZveMDC.exe
PID 2272 wrote to memory of 2480	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	XFAnLrz.exe
PID 2272 wrote to memory of 2480	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	XFAnLrz.exe
PID 2272 wrote to memory of 2480	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	XFAnLrz.exe
PID 2272 wrote to memory of 2656	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	RnkBasv.exe
PID 2272 wrote to memory of 2656	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	RnkBasv.exe
PID 2272 wrote to memory of 2656	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	RnkBasv.exe
PID 2272 wrote to memory of 2108	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	fqERWgc.exe
PID 2272 wrote to memory of 2108	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	fqERWgc.exe
PID 2272 wrote to memory of 2108	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	fqERWgc.exe
PID 2272 wrote to memory of 1972	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	XJGiDyF.exe
PID 2272 wrote to memory of 1972	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	XJGiDyF.exe
PID 2272 wrote to memory of 1972	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	XJGiDyF.exe
PID 2272 wrote to memory of 2712	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	zGclLvt.exe
PID 2272 wrote to memory of 2712	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	zGclLvt.exe
PID 2272 wrote to memory of 2712	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	zGclLvt.exe
PID 2272 wrote to memory of 2820	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	HjSQPPQ.exe
PID 2272 wrote to memory of 2820	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	HjSQPPQ.exe
PID 2272 wrote to memory of 2820	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	HjSQPPQ.exe
PID 2272 wrote to memory of 2580	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	OnrlZdQ.exe
PID 2272 wrote to memory of 2580	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	OnrlZdQ.exe
PID 2272 wrote to memory of 2580	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	OnrlZdQ.exe
PID 2272 wrote to memory of 2696	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	svUcKJc.exe
PID 2272 wrote to memory of 2696	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	svUcKJc.exe
PID 2272 wrote to memory of 2696	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	svUcKJc.exe
PID 2272 wrote to memory of 2792	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	CpSjGzR.exe
PID 2272 wrote to memory of 2792	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	CpSjGzR.exe
PID 2272 wrote to memory of 2792	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	CpSjGzR.exe
PID 2272 wrote to memory of 2796	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	hYjbFfT.exe
PID 2272 wrote to memory of 2796	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	hYjbFfT.exe
PID 2272 wrote to memory of 2796	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	hYjbFfT.exe
PID 2272 wrote to memory of 2592	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	JGJHcbG.exe
PID 2272 wrote to memory of 2592	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	JGJHcbG.exe
PID 2272 wrote to memory of 2592	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	JGJHcbG.exe
PID 2272 wrote to memory of 1296	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	PaTAuwa.exe
PID 2272 wrote to memory of 1296	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	PaTAuwa.exe
PID 2272 wrote to memory of 1296	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	PaTAuwa.exe
PID 2272 wrote to memory of 1988	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	GifCfdU.exe
PID 2272 wrote to memory of 1988	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	GifCfdU.exe
PID 2272 wrote to memory of 1988	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	GifCfdU.exe
PID 2272 wrote to memory of 2384	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	ynLDNXI.exe
PID 2272 wrote to memory of 2384	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	ynLDNXI.exe
PID 2272 wrote to memory of 2384	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	ynLDNXI.exe
PID 2272 wrote to memory of 308	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	eJZLwrO.exe
PID 2272 wrote to memory of 308	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	eJZLwrO.exe
PID 2272 wrote to memory of 308	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	eJZLwrO.exe
PID 2272 wrote to memory of 1236	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	rnZNNwC.exe
PID 2272 wrote to memory of 1236	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	rnZNNwC.exe
PID 2272 wrote to memory of 1236	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	rnZNNwC.exe
PID 2272 wrote to memory of 1688	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	gvodiRW.exe
PID 2272 wrote to memory of 1688	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	gvodiRW.exe
PID 2272 wrote to memory of 1688	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	gvodiRW.exe
PID 2272 wrote to memory of 1752	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	nyjGIeY.exe
PID 2272 wrote to memory of 1752	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	nyjGIeY.exe
PID 2272 wrote to memory of 1752	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	nyjGIeY.exe
PID 2272 wrote to memory of 1148	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	CuWNNsV.exe
PID 2272 wrote to memory of 1148	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	CuWNNsV.exe
PID 2272 wrote to memory of 1148	2272	2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe	CuWNNsV.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-20_286627607bfc6de4d3c57942a38bf36b_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\System\ckwczBu.exe
  C:\Windows\System\ckwczBu.exe
  2⤵
  - Executes dropped EXE
  PID:2652
- C:\Windows\System\GZveMDC.exe
  C:\Windows\System\GZveMDC.exe
  2⤵
  - Executes dropped EXE
  PID:2004
- C:\Windows\System\XFAnLrz.exe
  C:\Windows\System\XFAnLrz.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Windows\System\RnkBasv.exe
  C:\Windows\System\RnkBasv.exe
  2⤵
  - Executes dropped EXE
  PID:2656
- C:\Windows\System\fqERWgc.exe
  C:\Windows\System\fqERWgc.exe
  2⤵
  - Executes dropped EXE
  PID:2108
- C:\Windows\System\XJGiDyF.exe
  C:\Windows\System\XJGiDyF.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\zGclLvt.exe
  C:\Windows\System\zGclLvt.exe
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\Windows\System\HjSQPPQ.exe
  C:\Windows\System\HjSQPPQ.exe
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\Windows\System\OnrlZdQ.exe
  C:\Windows\System\OnrlZdQ.exe
  2⤵
  - Executes dropped EXE
  PID:2580
- C:\Windows\System\svUcKJc.exe
  C:\Windows\System\svUcKJc.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- C:\Windows\System\CpSjGzR.exe
  C:\Windows\System\CpSjGzR.exe
  2⤵
  - Executes dropped EXE
  PID:2792
- C:\Windows\System\hYjbFfT.exe
  C:\Windows\System\hYjbFfT.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\JGJHcbG.exe
  C:\Windows\System\JGJHcbG.exe
  2⤵
  - Executes dropped EXE
  PID:2592
- C:\Windows\System\PaTAuwa.exe
  C:\Windows\System\PaTAuwa.exe
  2⤵
  - Executes dropped EXE
  PID:1296
- C:\Windows\System\GifCfdU.exe
  C:\Windows\System\GifCfdU.exe
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\Windows\System\ynLDNXI.exe
  C:\Windows\System\ynLDNXI.exe
  2⤵
  - Executes dropped EXE
  PID:2384
- C:\Windows\System\eJZLwrO.exe
  C:\Windows\System\eJZLwrO.exe
  2⤵
  - Executes dropped EXE
  PID:308
- C:\Windows\System\rnZNNwC.exe
  C:\Windows\System\rnZNNwC.exe
  2⤵
  - Executes dropped EXE
  PID:1236
- C:\Windows\System\gvodiRW.exe
  C:\Windows\System\gvodiRW.exe
  2⤵
  - Executes dropped EXE
  PID:1688
- C:\Windows\System\nyjGIeY.exe
  C:\Windows\System\nyjGIeY.exe
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\Windows\System\CuWNNsV.exe
  C:\Windows\System\CuWNNsV.exe
  2⤵
  - Executes dropped EXE
  PID:1148

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CpSjGzR.exe

Filesize
5.2MB

MD5
805063bb03fa950e549609f0ddfcfad8

SHA1
5e19615c8cea9db29d1ac92fb61106a29da96f35

SHA256
c9a38dee6d0436c6deb04e47e0a1ad2009474c345eba7dbae6d9649ee627556c

SHA512
1c1a21345b50eb0260a72d1d129adce239048d345f8cb1910161cc63bad3cbfe79425edd7e51df82c2def265dac8173f68ef9e62919937710b430ffe0204363d

Download Submit
C:\Windows\system\GZveMDC.exe

Filesize
5.2MB

MD5
b53c4f1f0b7d055ea30303b1ef56ebb8

SHA1
7ee6745b46be0361e758e364a1fe281d073cffb0

SHA256
7d31109edfcb7de692a1a78dcf4877c98d930e33fd71980fdd80dea94f861040

SHA512
4305fc31b26e0a9c77e1cda77901d9d6eb78c535f595b2642b38a9a78b66311db0538678625bdbfb65af86ee50d4a25f3571f759347569f87c4419a76d80ccb6

Download Submit
C:\Windows\system\GifCfdU.exe

Filesize
5.2MB

MD5
121b2686c58e2c829b1b5ed8e598fd57

SHA1
f274c1967ccd9558b6895449c7274644284208fb

SHA256
da941b91501115af139294750bd3189ac450e5c356c47fb4acbbb678f699547d

SHA512
894b895007b2f937942509ecf47fd26a731e4369c9856db4918641673913a65361636f578cf6a3d686a62a1983d5ff25ca4608df2c5ac43bf0a9a2b2cfa22c95

Download Submit
C:\Windows\system\HjSQPPQ.exe

Filesize
5.2MB

MD5
b66b13a99dd0861296427cb1a0277757

SHA1
2e82e69c8770fa6434fff35c8d545ea813f2b287

SHA256
2d4ad42eba9073b25ae7fbb0c85e9e057498ae3df3172a836283d8175ddd37ec

SHA512
29b28a4cdc2e9fbad64c1552fe03043eb7989b8a73b65ea33a81a2289dcc78d8dcea054bbfd08febb0bac65d8ccb6d63e201969e088cc121e4992ef062aa41c6

Download Submit
C:\Windows\system\JGJHcbG.exe

Filesize
5.2MB

MD5
8d2b2fd063110e5aa7bc15c0bc3ca711

SHA1
60cd86340791cd7ccd683cb78e63837e06a14eed

SHA256
51e630091f0c218a9072f26adcec3acaad70df021c3d810a80610e626f32f93d

SHA512
75e4936d93118d8cc739c46c3bd17749f587f8f58f9a6ffccf24228b9d332469cb0810e33638f9dea6647b59a230cda11c64f3d78572260d5a3ff60b5cb23977

Download Submit
C:\Windows\system\OnrlZdQ.exe

Filesize
5.2MB

MD5
a5eab2de20cf92d840417a6ce71cb93f

SHA1
ffc003b47fbec785234ed9bc7937a8d76f956ab3

SHA256
6a3f903890bfbe30edbd176ac7d4eba35c7af6348880212b6d1325497de0edcb

SHA512
302a6452b08a19595b82bc6bcadd90431a915a5d15b4c08aaa58033f436891d4bbe47411a3a787b597105b852096b0268c080b23551ead5f2d13c92735daa24b

Download Submit
C:\Windows\system\XFAnLrz.exe

Filesize
5.2MB

MD5
ff60ba2857a75f1ac9c4c4943b7bfa2f

SHA1
2162a8a2f4fdf45e53887ffdd4b970978b897a8e

SHA256
1c1364a927edc4ce92babfb2729b0fe7fcf00530ed55eda6a450b9297456e7a6

SHA512
9ff1d8bb57727ae6791fbd9dddc11f26f36de51dd3410a6fbbf93fdaf44bddf4bca26a02677b7022866a9b3b7a8c664e3522c6925f7aafce3552a86c53103661

Download Submit
C:\Windows\system\XJGiDyF.exe

Filesize
5.2MB

MD5
d032664fe1c9433d7e9b79c015fcf707

SHA1
0d1078fb83544370144f0f98fdd83ee7b2c77e38

SHA256
df58858331825299ffd306b276d1f7eb21b6e421bf4bacd0fa4e13c7bcd79f37

SHA512
b91da2f59a6b85a6c3872c0a2f72a87f1510e3534fd4fbf8e70bc5d4a12d6eaa6c61612578ec93ed8d4e7bd81ba71951def5f1f6dbd655f379f7190dfb0fdeb7

Download Submit
C:\Windows\system\ckwczBu.exe

Filesize
5.2MB

MD5
c6926b74828cfc8ffe4c765c0a66b9dc

SHA1
57c04572ff07fbe103de1e3585d7976c231ac250

SHA256
de7220c0a657a26199baf5509d4adb45bafcdc82f684c4be33738a06d6f3f39b

SHA512
ee403ae6b2db06ede12f4b653a9119fad30f9b23f5c1230867c0312d654b4eef59925b762f0196da3a2b3b3895d1330d0032708fe5e365780471b229a949eb61

Download Submit
C:\Windows\system\eJZLwrO.exe

Filesize
5.2MB

MD5
4b00870e32eb7d843727b3477cf48a7d

SHA1
a83922df79909428ecae8cb073c5a29a1bb1b827

SHA256
31d9ab11901df3d17a7c7d3d98ed531767475e4e66d9e639e24ab242e97f9985

SHA512
d85ea0524bf09fed89ac94cddaead0357ec20f4ec984dc33b023e05eac11de54b5fb1e80100a7d816e39cd7fd6e420d4383d114a2735f05062d35598dde3ded4

Download Submit
C:\Windows\system\gvodiRW.exe

Filesize
5.2MB

MD5
fe9057d7aa740140678c7c87e66f262a

SHA1
d6a6cd0de9fe53ae96a6100d53269526d2debe14

SHA256
c86760e5e1f5e90c01d7ccf6d2516df0030a51495cd01ed310a66770a5d2f554

SHA512
f04f4b78f3f0298651bed5a782c96209ed42a850d87ec1b21b8c86a1a491dde839b869d5875a6f3f7129bd973b3832ea12731db13216cb4a4b8d11e5b07dc6f5

Download Submit
C:\Windows\system\hYjbFfT.exe

Filesize
5.2MB

MD5
bb3d962aa0a46ddb9aeb50c27a458ad8

SHA1
110373a780eb87e04a29ee2fd236833f55a1a092

SHA256
1434138a7e5fc2d6518d9a411aedac980dec09acae4e61f25380a906061dec73

SHA512
b8526b7b462ea6b27ef9343b72f819b74acfb7e6848ec5efd363f9a5a90826dea64d9b7cec356fdc61b155d336eddb9a2a27121333be3ffe76861fc22a616ff1

Download Submit
C:\Windows\system\nyjGIeY.exe

Filesize
5.2MB

MD5
ccd888710d5cf7a03a4b3eae45cfa0a9

SHA1
ac9d258e90ec289196f98a60b1e9f90165b532d1

SHA256
1ae928e60bf186ac8da316a0897f4735eae06de436228daed09f042e49192957

SHA512
6f90ae0f2d861ecb54042518d5946b271ccefae72d7073dba916a954fb78d86fea12bbffe3adf75228cd045fc2c53dca5417322d8eed286b20bfd00a256a1244

Download Submit
C:\Windows\system\rnZNNwC.exe

Filesize
5.2MB

MD5
9dc527ddb197431cf9cadfa46ef035d9

SHA1
c4604101cfabfd155f2650eb722a9b1776957aaa

SHA256
9731a58f59f1a8957f1716ed3f60f89402106ae1dbbf88731d4d67a9fe1c8b44

SHA512
021d6c92c9cc50481f50be5965d01176992fb1de30b1ea6a22dcd7975925c404b97333abbb938a696723c10cfeadbc12a672e801efe91df6614fe730998e3201

Download Submit
C:\Windows\system\ynLDNXI.exe

Filesize
5.2MB

MD5
36068d90ae0ee07d51dc6e9620bd23ee

SHA1
7d96ec2a594dd8d74037cf387f1fe01bafa50716

SHA256
2bff593498d064fcec73bf9458c3c8c0a9d896c84433976cfb9aff66624c2421

SHA512
1a1b7e8fc6d3d956ee59a6a141820c012f16ba5e62b3efea8cbc45a8a9228cb345f0783f7406b83a13330eaf3aba17694df47c0a111d74b0b07af40752cc6809

Download Submit
C:\Windows\system\zGclLvt.exe

Filesize
5.2MB

MD5
6c9950460335ab6d8af2d7d666419821

SHA1
3c10da4e47591e826089b19b857a6ff94e424773

SHA256
be5c00fc7461a09b0c6e46fee31e9be9cb4758fcee45a29465f4f659b85f02f9

SHA512
b545d943a7a62634d166c943d13964c6b28d1babbe3e046d713cd131f29bba9f478718a68cd64c751a44ffde5d4bda9074779da4dc5c367e0f0d6d3bf5e9434b

Download Submit
\Windows\system\CuWNNsV.exe

Filesize
5.2MB

MD5
61b658fcfdc37f4512143d1123a1655b

SHA1
ee58543c83eabfa5aaa3de903723c5b3c8b6a120

SHA256
c108b4d38291b44be49651048971cd8dfffc57f77433f6bb7cfde4dcc802015c

SHA512
7cc0b96b071d647da71a444ae9ff88f561be752a2cdf552ebd2d843e3a3ee1cdb256e733e91cf30c689384aa62018b2a9c8bd6a5f78f1aab02f9c72868c793c9

Download Submit
\Windows\system\PaTAuwa.exe

Filesize
5.2MB

MD5
4e9373fadcb870d3c714ee6c33496566

SHA1
763700073986ed9093a783766e05b914aa3838f8

SHA256
b0ee5e845d2f67d9a49b6c11384737a0c29e70cb4a45b0133df23931404c662e

SHA512
021a72fb21f23cd531de72163a0ef9ab6df2c2ade2dd6d3fca18095c64d42d31e59433abba029c8faeb03237c395be4f5e1a098df38e91350788cb177d17f1f7

Download Submit
\Windows\system\RnkBasv.exe

Filesize
5.2MB

MD5
623ec155960b63327a44fe37739dc79e

SHA1
5fb040e6538f2d405811a6deeed8ed8ed1e6c46d

SHA256
58d3d8f5b02e5dd3818ff229220f8a8ffad8b3a9bcaebf61118026fdebb4cc86

SHA512
e56172aa438e66aa27733a87455bb3b1303992d90cf25ac51457bcb05e84db5db9a976d8406d4b3ac7638599df0223c4f3108d908bdfb2206b4540b9abf2b8bd

Download Submit
\Windows\system\fqERWgc.exe

Filesize
5.2MB

MD5
90ddc284a630dd2c43034b5eb4d98624

SHA1
bdd49f79bd8f42482e91b58c27a56b50bc7847ea

SHA256
c8838c2e8a5176f732f9580d528388bcf2df4a971382d01f5a1343658f3a0910

SHA512
e03d9311b257f239ebee7d31f6a58993cee70a289f438ae67e4b2b3ff66bdd69356f05dbb4727ebcfed5c513bb42109c6064e23ae522ca708d1e3eb48d1bdb1f

Download Submit
\Windows\system\svUcKJc.exe

Filesize
5.2MB

MD5
251bc827dcf6b95c8eecfdde708def34

SHA1
4246fd36968f738208a36eac0067147c7232022a

SHA256
871ffeb46d68ad41971a75286d1e1d9f85984aa4baef421693f6ce85ada5b75c

SHA512
b5e8b6c56c3f753c7e776c9bd896efe9136beeab34f101ce41e9e20f2571b8ec139449e92b19a2c4d7c38afe554952541c6ec71b703f85f8a63c06f55b93e5a4

Download Submit
memory/308-164-0x000000013FD70000-0x00000001400C1000-memory.dmp

Filesize
3.3MB

Download
memory/1148-168-0x000000013FF60000-0x00000001402B1000-memory.dmp

Filesize
3.3MB

Download
memory/1236-165-0x000000013F3C0000-0x000000013F711000-memory.dmp

Filesize
3.3MB

Download
memory/1296-101-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/1296-155-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/1296-262-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/1688-166-0x000000013F920000-0x000000013FC71000-memory.dmp

Filesize
3.3MB

Download
memory/1752-167-0x000000013FCC0000-0x0000000140011000-memory.dmp

Filesize
3.3MB

Download
memory/1972-234-0x000000013FC50000-0x000000013FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/1972-38-0x000000013FC50000-0x000000013FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/1988-162-0x000000013F0F0000-0x000000013F441000-memory.dmp

Filesize
3.3MB

Download
memory/2004-220-0x000000013FD80000-0x00000001400D1000-memory.dmp

Filesize
3.3MB

Download
memory/2004-22-0x000000013FD80000-0x00000001400D1000-memory.dmp

Filesize
3.3MB

Download
memory/2108-77-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/2108-41-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/2108-240-0x000000013F4A0000-0x000000013F7F1000-memory.dmp

Filesize
3.3MB

Download
memory/2272-97-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/2272-43-0x00000000022B0000-0x0000000002601000-memory.dmp

Filesize
3.3MB

Download
memory/2272-1-0x0000000000080000-0x0000000000090000-memory.dmp

Filesize
64KB

Download
memory/2272-72-0x00000000022B0000-0x0000000002601000-memory.dmp

Filesize
3.3MB

Download
memory/2272-145-0x000000013FF90000-0x00000001402E1000-memory.dmp

Filesize
3.3MB

Download
memory/2272-0-0x000000013F610000-0x000000013F961000-memory.dmp

Filesize
3.3MB

Download
memory/2272-37-0x000000013FC50000-0x000000013FFA1000-memory.dmp

Filesize
3.3MB

Download
memory/2272-14-0x000000013FD80000-0x00000001400D1000-memory.dmp

Filesize
3.3MB

Download
memory/2272-143-0x00000000022B0000-0x0000000002601000-memory.dmp

Filesize
3.3MB

Download
memory/2272-146-0x000000013F610000-0x000000013F961000-memory.dmp

Filesize
3.3MB

Download
memory/2272-88-0x00000000022B0000-0x0000000002601000-memory.dmp

Filesize
3.3MB

Download
memory/2272-81-0x00000000022B0000-0x0000000002601000-memory.dmp

Filesize
3.3MB

Download
memory/2272-169-0x000000013F610000-0x000000013F961000-memory.dmp

Filesize
3.3MB

Download
memory/2272-141-0x00000000022B0000-0x0000000002601000-memory.dmp

Filesize
3.3MB

Download
memory/2272-29-0x00000000022B0000-0x0000000002601000-memory.dmp

Filesize
3.3MB

Download
memory/2272-34-0x000000013FF40000-0x0000000140291000-memory.dmp

Filesize
3.3MB

Download
memory/2272-51-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/2272-65-0x000000013FA30000-0x000000013FD81000-memory.dmp

Filesize
3.3MB

Download
memory/2272-58-0x000000013FA40000-0x000000013FD91000-memory.dmp

Filesize
3.3MB

Download
memory/2272-139-0x00000000022B0000-0x0000000002601000-memory.dmp

Filesize
3.3MB

Download
memory/2272-61-0x000000013F610000-0x000000013F961000-memory.dmp

Filesize
3.3MB

Download
memory/2384-163-0x000000013F220000-0x000000013F571000-memory.dmp

Filesize
3.3MB

Download
memory/2480-236-0x000000013FF40000-0x0000000140291000-memory.dmp

Filesize
3.3MB

Download
memory/2480-39-0x000000013FF40000-0x0000000140291000-memory.dmp

Filesize
3.3MB

Download
memory/2580-63-0x000000013FA40000-0x000000013FD91000-memory.dmp

Filesize
3.3MB

Download
memory/2580-246-0x000000013FA40000-0x000000013FD91000-memory.dmp

Filesize
3.3MB

Download
memory/2580-100-0x000000013FA40000-0x000000013FD91000-memory.dmp

Filesize
3.3MB

Download
memory/2592-144-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/2592-94-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/2592-260-0x000000013F930000-0x000000013FC81000-memory.dmp

Filesize
3.3MB

Download
memory/2652-221-0x000000013F6C0000-0x000000013FA11000-memory.dmp

Filesize
3.3MB

Download
memory/2652-31-0x000000013F6C0000-0x000000013FA11000-memory.dmp

Filesize
3.3MB

Download
memory/2656-35-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/2656-232-0x000000013F5C0000-0x000000013F911000-memory.dmp

Filesize
3.3MB

Download
memory/2696-69-0x000000013FA30000-0x000000013FD81000-memory.dmp

Filesize
3.3MB

Download
memory/2696-244-0x000000013FA30000-0x000000013FD81000-memory.dmp

Filesize
3.3MB

Download
memory/2696-138-0x000000013FA30000-0x000000013FD81000-memory.dmp

Filesize
3.3MB

Download
memory/2712-47-0x000000013F470000-0x000000013F7C1000-memory.dmp

Filesize
3.3MB

Download
memory/2712-85-0x000000013F470000-0x000000013F7C1000-memory.dmp

Filesize
3.3MB

Download
memory/2712-238-0x000000013F470000-0x000000013F7C1000-memory.dmp

Filesize
3.3MB

Download
memory/2792-140-0x000000013F3E0000-0x000000013F731000-memory.dmp

Filesize
3.3MB

Download
memory/2792-78-0x000000013F3E0000-0x000000013F731000-memory.dmp

Filesize
3.3MB

Download
memory/2792-248-0x000000013F3E0000-0x000000013F731000-memory.dmp

Filesize
3.3MB

Download
memory/2796-86-0x000000013F8C0000-0x000000013FC11000-memory.dmp

Filesize
3.3MB

Download
memory/2796-258-0x000000013F8C0000-0x000000013FC11000-memory.dmp

Filesize
3.3MB

Download
memory/2796-142-0x000000013F8C0000-0x000000013FC11000-memory.dmp

Filesize
3.3MB

Download
memory/2820-54-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/2820-242-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download
memory/2820-93-0x000000013FFE0000-0x0000000140331000-memory.dmp

Filesize
3.3MB

Download