cobaltstrike | 0c9dc7e1727e86a482de0a82a32175a8774f23e162861c0ee13095985e0baf50

Analysis

max time kernel
139s
max time network
152s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
24-06-2024 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

33aef5f2f2b2addb213a26da2689869d
SHA1

4ea67994be0a828a3e545825f66c2aab7004020e
SHA256

0c9dc7e1727e86a482de0a82a32175a8774f23e162861c0ee13095985e0baf50
SHA512

2b7e558088b901011e2da547f316120f208793cdc3d01c82bc2f554f87a9643a95e811be64c40edcab2ba7c77e8f6004b48b700daf25233c4899437e2e2a6fbd
SSDEEP

98304:BemTLkNdfE0pZrT56utgpPFotBER/mQ32lU/:Q+u56utgpPF8u/7/

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
C:\Windows\system\FieMEWh.exe	cobalt_reflective_dll
C:\Windows\system\YVIjdnt.exe	cobalt_reflective_dll
\Windows\system\PipbXgw.exe	cobalt_reflective_dll
\Windows\system\VBqDcrc.exe	cobalt_reflective_dll
C:\Windows\system\nxrjleu.exe	cobalt_reflective_dll
C:\Windows\system\QxyTQXI.exe	cobalt_reflective_dll
\Windows\system\XHZUSFX.exe	cobalt_reflective_dll
C:\Windows\system\YeEBYez.exe	cobalt_reflective_dll
C:\Windows\system\cbaqSeq.exe	cobalt_reflective_dll
\Windows\system\LghlSbd.exe	cobalt_reflective_dll
C:\Windows\system\JiCZLbz.exe	cobalt_reflective_dll
C:\Windows\system\SwkYuSl.exe	cobalt_reflective_dll
C:\Windows\system\onboXDN.exe	cobalt_reflective_dll
C:\Windows\system\rfCowPG.exe	cobalt_reflective_dll
C:\Windows\system\awLmLnP.exe	cobalt_reflective_dll
C:\Windows\system\CYFDfrs.exe	cobalt_reflective_dll
C:\Windows\system\Oppebaf.exe	cobalt_reflective_dll
C:\Windows\system\aJAOfGa.exe	cobalt_reflective_dll
C:\Windows\system\LUQOEiQ.exe	cobalt_reflective_dll
C:\Windows\system\eKIGtPT.exe	cobalt_reflective_dll
C:\Windows\system\GcCGHrf.exe	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 56 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1904-2-0x000000013F160000-0x000000013F4B4000-memory.dmp	xmrig
C:\Windows\system\FieMEWh.exe	xmrig
C:\Windows\system\YVIjdnt.exe	xmrig
behavioral1/memory/2980-15-0x000000013FB20000-0x000000013FE74000-memory.dmp	xmrig
\Windows\system\PipbXgw.exe	xmrig
\Windows\system\VBqDcrc.exe	xmrig
behavioral1/memory/2704-23-0x000000013F6D0000-0x000000013FA24000-memory.dmp	xmrig
behavioral1/memory/2144-11-0x000000013F930000-0x000000013FC84000-memory.dmp	xmrig
behavioral1/memory/2844-30-0x000000013FC70000-0x000000013FFC4000-memory.dmp	xmrig
C:\Windows\system\nxrjleu.exe	xmrig
C:\Windows\system\QxyTQXI.exe	xmrig
\Windows\system\XHZUSFX.exe	xmrig
C:\Windows\system\YeEBYez.exe	xmrig
C:\Windows\system\cbaqSeq.exe	xmrig
\Windows\system\LghlSbd.exe	xmrig
C:\Windows\system\JiCZLbz.exe	xmrig
C:\Windows\system\SwkYuSl.exe	xmrig
C:\Windows\system\onboXDN.exe	xmrig
C:\Windows\system\rfCowPG.exe	xmrig
C:\Windows\system\awLmLnP.exe	xmrig
C:\Windows\system\CYFDfrs.exe	xmrig
C:\Windows\system\Oppebaf.exe	xmrig
C:\Windows\system\aJAOfGa.exe	xmrig
C:\Windows\system\LUQOEiQ.exe	xmrig
C:\Windows\system\eKIGtPT.exe	xmrig
C:\Windows\system\GcCGHrf.exe	xmrig
behavioral1/memory/2628-119-0x000000013FB00000-0x000000013FE54000-memory.dmp	xmrig
behavioral1/memory/1904-117-0x000000013FB00000-0x000000013FE54000-memory.dmp	xmrig
behavioral1/memory/2664-116-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/memory/2468-121-0x000000013F8D0000-0x000000013FC24000-memory.dmp	xmrig
behavioral1/memory/2508-125-0x000000013FF50000-0x00000001402A4000-memory.dmp	xmrig
behavioral1/memory/2528-123-0x000000013F270000-0x000000013F5C4000-memory.dmp	xmrig
behavioral1/memory/2192-128-0x000000013F620000-0x000000013F974000-memory.dmp	xmrig
behavioral1/memory/1736-133-0x000000013F5E0000-0x000000013F934000-memory.dmp	xmrig
behavioral1/memory/1360-131-0x000000013FE60000-0x00000001401B4000-memory.dmp	xmrig
behavioral1/memory/860-130-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
behavioral1/memory/2928-126-0x000000013F220000-0x000000013F574000-memory.dmp	xmrig
behavioral1/memory/1904-120-0x000000013F8D0000-0x000000013FC24000-memory.dmp	xmrig
behavioral1/memory/1904-134-0x000000013F160000-0x000000013F4B4000-memory.dmp	xmrig
behavioral1/memory/2144-135-0x000000013F930000-0x000000013FC84000-memory.dmp	xmrig
behavioral1/memory/2980-137-0x000000013FB20000-0x000000013FE74000-memory.dmp	xmrig
behavioral1/memory/2844-138-0x000000013FC70000-0x000000013FFC4000-memory.dmp	xmrig
behavioral1/memory/2144-139-0x000000013F930000-0x000000013FC84000-memory.dmp	xmrig
behavioral1/memory/2704-141-0x000000013F6D0000-0x000000013FA24000-memory.dmp	xmrig
behavioral1/memory/2980-140-0x000000013FB20000-0x000000013FE74000-memory.dmp	xmrig
behavioral1/memory/2844-142-0x000000013FC70000-0x000000013FFC4000-memory.dmp	xmrig
behavioral1/memory/2664-143-0x000000013FBB0000-0x000000013FF04000-memory.dmp	xmrig
behavioral1/memory/2628-144-0x000000013FB00000-0x000000013FE54000-memory.dmp	xmrig
behavioral1/memory/2468-145-0x000000013F8D0000-0x000000013FC24000-memory.dmp	xmrig
behavioral1/memory/1736-146-0x000000013F5E0000-0x000000013F934000-memory.dmp	xmrig
behavioral1/memory/2528-147-0x000000013F270000-0x000000013F5C4000-memory.dmp	xmrig
behavioral1/memory/2508-148-0x000000013FF50000-0x00000001402A4000-memory.dmp	xmrig
behavioral1/memory/2928-149-0x000000013F220000-0x000000013F574000-memory.dmp	xmrig
behavioral1/memory/2192-150-0x000000013F620000-0x000000013F974000-memory.dmp	xmrig
behavioral1/memory/860-151-0x000000013F1E0000-0x000000013F534000-memory.dmp	xmrig
behavioral1/memory/1360-152-0x000000013FE60000-0x00000001401B4000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

FieMEWh.exeYVIjdnt.exePipbXgw.exeVBqDcrc.exenxrjleu.exeQxyTQXI.exeXHZUSFX.exeGcCGHrf.exeYeEBYez.execbaqSeq.exeeKIGtPT.exeJiCZLbz.exeLghlSbd.exeaJAOfGa.exeLUQOEiQ.exeCYFDfrs.exeOppebaf.exeSwkYuSl.exeawLmLnP.exeonboXDN.exerfCowPG.exe

pid	process
2144	FieMEWh.exe
2980	YVIjdnt.exe
2704	PipbXgw.exe
2844	VBqDcrc.exe
2664	nxrjleu.exe
1736	QxyTQXI.exe
2628	XHZUSFX.exe
2468	GcCGHrf.exe
2528	YeEBYez.exe
2508	cbaqSeq.exe
2928	eKIGtPT.exe
2192	JiCZLbz.exe
860	LghlSbd.exe
1360	aJAOfGa.exe
2652	LUQOEiQ.exe
2760	CYFDfrs.exe
1720	Oppebaf.exe
2360	SwkYuSl.exe
2424	awLmLnP.exe
1532	onboXDN.exe
356	rfCowPG.exe

Loads dropped DLL 21 IoCs

Processes:

2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe

pid	process
1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe

UPX packed file 54 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1904-2-0x000000013F160000-0x000000013F4B4000-memory.dmp	upx
C:\Windows\system\FieMEWh.exe	upx
C:\Windows\system\YVIjdnt.exe	upx
behavioral1/memory/2980-15-0x000000013FB20000-0x000000013FE74000-memory.dmp	upx
\Windows\system\PipbXgw.exe	upx
\Windows\system\VBqDcrc.exe	upx
behavioral1/memory/2704-23-0x000000013F6D0000-0x000000013FA24000-memory.dmp	upx
behavioral1/memory/2144-11-0x000000013F930000-0x000000013FC84000-memory.dmp	upx
behavioral1/memory/2844-30-0x000000013FC70000-0x000000013FFC4000-memory.dmp	upx
C:\Windows\system\nxrjleu.exe	upx
C:\Windows\system\QxyTQXI.exe	upx
\Windows\system\XHZUSFX.exe	upx
C:\Windows\system\YeEBYez.exe	upx
C:\Windows\system\cbaqSeq.exe	upx
\Windows\system\LghlSbd.exe	upx
C:\Windows\system\JiCZLbz.exe	upx
C:\Windows\system\SwkYuSl.exe	upx
C:\Windows\system\onboXDN.exe	upx
C:\Windows\system\rfCowPG.exe	upx
C:\Windows\system\awLmLnP.exe	upx
C:\Windows\system\CYFDfrs.exe	upx
C:\Windows\system\Oppebaf.exe	upx
C:\Windows\system\aJAOfGa.exe	upx
C:\Windows\system\LUQOEiQ.exe	upx
C:\Windows\system\eKIGtPT.exe	upx
C:\Windows\system\GcCGHrf.exe	upx
behavioral1/memory/2628-119-0x000000013FB00000-0x000000013FE54000-memory.dmp	upx
behavioral1/memory/2664-116-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
behavioral1/memory/2468-121-0x000000013F8D0000-0x000000013FC24000-memory.dmp	upx
behavioral1/memory/2508-125-0x000000013FF50000-0x00000001402A4000-memory.dmp	upx
behavioral1/memory/2528-123-0x000000013F270000-0x000000013F5C4000-memory.dmp	upx
behavioral1/memory/2192-128-0x000000013F620000-0x000000013F974000-memory.dmp	upx
behavioral1/memory/1736-133-0x000000013F5E0000-0x000000013F934000-memory.dmp	upx
behavioral1/memory/1360-131-0x000000013FE60000-0x00000001401B4000-memory.dmp	upx
behavioral1/memory/860-130-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
behavioral1/memory/2928-126-0x000000013F220000-0x000000013F574000-memory.dmp	upx
behavioral1/memory/1904-134-0x000000013F160000-0x000000013F4B4000-memory.dmp	upx
behavioral1/memory/2144-135-0x000000013F930000-0x000000013FC84000-memory.dmp	upx
behavioral1/memory/2980-137-0x000000013FB20000-0x000000013FE74000-memory.dmp	upx
behavioral1/memory/2844-138-0x000000013FC70000-0x000000013FFC4000-memory.dmp	upx
behavioral1/memory/2144-139-0x000000013F930000-0x000000013FC84000-memory.dmp	upx
behavioral1/memory/2704-141-0x000000013F6D0000-0x000000013FA24000-memory.dmp	upx
behavioral1/memory/2980-140-0x000000013FB20000-0x000000013FE74000-memory.dmp	upx
behavioral1/memory/2844-142-0x000000013FC70000-0x000000013FFC4000-memory.dmp	upx
behavioral1/memory/2664-143-0x000000013FBB0000-0x000000013FF04000-memory.dmp	upx
behavioral1/memory/2628-144-0x000000013FB00000-0x000000013FE54000-memory.dmp	upx
behavioral1/memory/2468-145-0x000000013F8D0000-0x000000013FC24000-memory.dmp	upx
behavioral1/memory/1736-146-0x000000013F5E0000-0x000000013F934000-memory.dmp	upx
behavioral1/memory/2528-147-0x000000013F270000-0x000000013F5C4000-memory.dmp	upx
behavioral1/memory/2508-148-0x000000013FF50000-0x00000001402A4000-memory.dmp	upx
behavioral1/memory/2928-149-0x000000013F220000-0x000000013F574000-memory.dmp	upx
behavioral1/memory/2192-150-0x000000013F620000-0x000000013F974000-memory.dmp	upx
behavioral1/memory/860-151-0x000000013F1E0000-0x000000013F534000-memory.dmp	upx
behavioral1/memory/1360-152-0x000000013FE60000-0x00000001401B4000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	process
File created	C:\Windows\System\QxyTQXI.exe	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GcCGHrf.exe	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eKIGtPT.exe	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LghlSbd.exe	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SwkYuSl.exe	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\onboXDN.exe	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YVIjdnt.exe	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\PipbXgw.exe	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nxrjleu.exe	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\FieMEWh.exe	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VBqDcrc.exe	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YeEBYez.exe	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\aJAOfGa.exe	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\LUQOEiQ.exe	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CYFDfrs.exe	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\rfCowPG.exe	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XHZUSFX.exe	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cbaqSeq.exe	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JiCZLbz.exe	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\Oppebaf.exe	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\awLmLnP.exe	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process
Token: SeLockMemoryPrivilege	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 63 IoCs

Processes:

2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	process	target process
PID 1904 wrote to memory of 2144	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	FieMEWh.exe
PID 1904 wrote to memory of 2144	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	FieMEWh.exe
PID 1904 wrote to memory of 2144	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	FieMEWh.exe
PID 1904 wrote to memory of 2980	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	YVIjdnt.exe
PID 1904 wrote to memory of 2980	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	YVIjdnt.exe
PID 1904 wrote to memory of 2980	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	YVIjdnt.exe
PID 1904 wrote to memory of 2704	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	PipbXgw.exe
PID 1904 wrote to memory of 2704	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	PipbXgw.exe
PID 1904 wrote to memory of 2704	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	PipbXgw.exe
PID 1904 wrote to memory of 2844	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	VBqDcrc.exe
PID 1904 wrote to memory of 2844	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	VBqDcrc.exe
PID 1904 wrote to memory of 2844	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	VBqDcrc.exe
PID 1904 wrote to memory of 2664	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	nxrjleu.exe
PID 1904 wrote to memory of 2664	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	nxrjleu.exe
PID 1904 wrote to memory of 2664	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	nxrjleu.exe
PID 1904 wrote to memory of 2628	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	XHZUSFX.exe
PID 1904 wrote to memory of 2628	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	XHZUSFX.exe
PID 1904 wrote to memory of 2628	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	XHZUSFX.exe
PID 1904 wrote to memory of 1736	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	QxyTQXI.exe
PID 1904 wrote to memory of 1736	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	QxyTQXI.exe
PID 1904 wrote to memory of 1736	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	QxyTQXI.exe
PID 1904 wrote to memory of 2468	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	GcCGHrf.exe
PID 1904 wrote to memory of 2468	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	GcCGHrf.exe
PID 1904 wrote to memory of 2468	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	GcCGHrf.exe
PID 1904 wrote to memory of 2528	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	YeEBYez.exe
PID 1904 wrote to memory of 2528	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	YeEBYez.exe
PID 1904 wrote to memory of 2528	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	YeEBYez.exe
PID 1904 wrote to memory of 2508	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	cbaqSeq.exe
PID 1904 wrote to memory of 2508	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	cbaqSeq.exe
PID 1904 wrote to memory of 2508	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	cbaqSeq.exe
PID 1904 wrote to memory of 2928	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	eKIGtPT.exe
PID 1904 wrote to memory of 2928	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	eKIGtPT.exe
PID 1904 wrote to memory of 2928	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	eKIGtPT.exe
PID 1904 wrote to memory of 2192	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	JiCZLbz.exe
PID 1904 wrote to memory of 2192	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	JiCZLbz.exe
PID 1904 wrote to memory of 2192	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	JiCZLbz.exe
PID 1904 wrote to memory of 860	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	LghlSbd.exe
PID 1904 wrote to memory of 860	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	LghlSbd.exe
PID 1904 wrote to memory of 860	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	LghlSbd.exe
PID 1904 wrote to memory of 1360	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	aJAOfGa.exe
PID 1904 wrote to memory of 1360	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	aJAOfGa.exe
PID 1904 wrote to memory of 1360	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	aJAOfGa.exe
PID 1904 wrote to memory of 2652	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	LUQOEiQ.exe
PID 1904 wrote to memory of 2652	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	LUQOEiQ.exe
PID 1904 wrote to memory of 2652	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	LUQOEiQ.exe
PID 1904 wrote to memory of 2760	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	CYFDfrs.exe
PID 1904 wrote to memory of 2760	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	CYFDfrs.exe
PID 1904 wrote to memory of 2760	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	CYFDfrs.exe
PID 1904 wrote to memory of 1720	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	Oppebaf.exe
PID 1904 wrote to memory of 1720	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	Oppebaf.exe
PID 1904 wrote to memory of 1720	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	Oppebaf.exe
PID 1904 wrote to memory of 2360	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	SwkYuSl.exe
PID 1904 wrote to memory of 2360	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	SwkYuSl.exe
PID 1904 wrote to memory of 2360	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	SwkYuSl.exe
PID 1904 wrote to memory of 2424	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	awLmLnP.exe
PID 1904 wrote to memory of 2424	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	awLmLnP.exe
PID 1904 wrote to memory of 2424	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	awLmLnP.exe
PID 1904 wrote to memory of 1532	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	onboXDN.exe
PID 1904 wrote to memory of 1532	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	onboXDN.exe
PID 1904 wrote to memory of 1532	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	onboXDN.exe
PID 1904 wrote to memory of 356	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	rfCowPG.exe
PID 1904 wrote to memory of 356	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	rfCowPG.exe
PID 1904 wrote to memory of 356	1904	2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe	rfCowPG.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-24_33aef5f2f2b2addb213a26da2689869d_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904

C:\Windows\System\FieMEWh.exe
C:\Windows\System\FieMEWh.exe
2⤵
- Executes dropped EXE
PID:2144

C:\Windows\System\YVIjdnt.exe
C:\Windows\System\YVIjdnt.exe
2⤵
- Executes dropped EXE
PID:2980

C:\Windows\System\PipbXgw.exe
C:\Windows\System\PipbXgw.exe
2⤵
- Executes dropped EXE
PID:2704

C:\Windows\System\VBqDcrc.exe
C:\Windows\System\VBqDcrc.exe
2⤵
- Executes dropped EXE
PID:2844

C:\Windows\System\nxrjleu.exe
C:\Windows\System\nxrjleu.exe
2⤵
- Executes dropped EXE
PID:2664

C:\Windows\System\XHZUSFX.exe
C:\Windows\System\XHZUSFX.exe
2⤵
- Executes dropped EXE
PID:2628

C:\Windows\System\QxyTQXI.exe
C:\Windows\System\QxyTQXI.exe
2⤵
- Executes dropped EXE
PID:1736

C:\Windows\System\GcCGHrf.exe
C:\Windows\System\GcCGHrf.exe
2⤵
- Executes dropped EXE
PID:2468

C:\Windows\System\YeEBYez.exe
C:\Windows\System\YeEBYez.exe
2⤵
- Executes dropped EXE
PID:2528

C:\Windows\System\cbaqSeq.exe
C:\Windows\System\cbaqSeq.exe
2⤵
- Executes dropped EXE
PID:2508

C:\Windows\System\eKIGtPT.exe
C:\Windows\System\eKIGtPT.exe
2⤵
- Executes dropped EXE
PID:2928

C:\Windows\System\JiCZLbz.exe
C:\Windows\System\JiCZLbz.exe
2⤵
- Executes dropped EXE
PID:2192

C:\Windows\System\LghlSbd.exe
C:\Windows\System\LghlSbd.exe
2⤵
- Executes dropped EXE
PID:860

C:\Windows\System\aJAOfGa.exe
C:\Windows\System\aJAOfGa.exe
2⤵
- Executes dropped EXE
PID:1360

C:\Windows\System\LUQOEiQ.exe
C:\Windows\System\LUQOEiQ.exe
2⤵
- Executes dropped EXE
PID:2652

C:\Windows\System\CYFDfrs.exe
C:\Windows\System\CYFDfrs.exe
2⤵
- Executes dropped EXE
PID:2760

C:\Windows\System\Oppebaf.exe
C:\Windows\System\Oppebaf.exe
2⤵
- Executes dropped EXE
PID:1720

C:\Windows\System\SwkYuSl.exe
C:\Windows\System\SwkYuSl.exe
2⤵
- Executes dropped EXE
PID:2360

C:\Windows\System\awLmLnP.exe
C:\Windows\System\awLmLnP.exe
2⤵
- Executes dropped EXE
PID:2424

C:\Windows\System\onboXDN.exe
C:\Windows\System\onboXDN.exe
2⤵
- Executes dropped EXE
PID:1532

C:\Windows\System\rfCowPG.exe
C:\Windows\System\rfCowPG.exe
2⤵
- Executes dropped EXE
PID:356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\system\CYFDfrs.exe
Filesize
5.9MB

MD5
cc931e54cfef7c66445250c446c2fb03

SHA1
a23cf361c9a4905ef84440f9b2a1e50c719121fa

SHA256
d15b09aab437c3fa6171aeca7540c8080b84c64ed7cc85827bb9af1545709272

SHA512
7b06892f2fcdfa5cb23f757924ac9d8d8b9779de2a26b7340072ae63170796e0cde1aef1a802493aef8378c47720be5b91877e6c19b8912f77f63f3503a1267c

Download Submit
C:\Windows\system\FieMEWh.exe
Filesize
5.9MB

MD5
f83afcd502a373f25811f698a7881960

SHA1
16e4916b45189c4aef036ce6fe8d4caed4756fe7

SHA256
aa6e2b1b4baaeaa5d4ac251a0a5fedf3d231f8a56d41cabfa593c760ad0f1fd5

SHA512
c8530e6d02d128fe397a092bb38b12bbdf1c04233a7ec8f058ae5f92a3c70c7134babc2cc8764513f785a7cf13f72ce70e5c770af313ca5f6f33cd2c57367ccd

Download Submit
C:\Windows\system\GcCGHrf.exe
Filesize
5.9MB

MD5
6174a09d1dce1e434e0965db6a6dfe55

SHA1
4d36f854c4ccdda9d7f7a306c78a2a85e299cfbc

SHA256
2c6c5283fbbbe4751179d606092cd69f75ae5b33f953b864cedd97ba32c3fa39

SHA512
e25b48bd1c5fa2636327ed05907dbd6f7d5bff80ff6523333ccc1772fb90ec9411ab84d2798f62299ef8cb4b2d78f6647facb99fbb565487fb903fa4ac20af78

Download Submit
C:\Windows\system\JiCZLbz.exe
Filesize
5.9MB

MD5
eb7d782393d5bd46b2a54b6388024968

SHA1
5f02bc009e50a2a7df5b92c6db86315bde02e6a6

SHA256
cd8eb98ec1ee3a4bd739470800e9306bb8c5b66999b487113335e4ca1465e424

SHA512
f989064891bcdb3b9f5deb7043e114e69e014912fd5637c6e9cc999da7039f7715687572e07b6daf21da2dae1fb2bca100d04febc751075b4c744a11f2428df3

Download Submit
C:\Windows\system\LUQOEiQ.exe
Filesize
5.9MB

MD5
284d214c9734438aee4d84400206acd8

SHA1
6d745c0c2645d37e15a99a4c01786264d5700888

SHA256
f80b65fe6f064b84d6c1bf92d68714a909b2b08e9381bd561c0b79e723d2b9a8

SHA512
8f844855ddeaedd34c1cbf7c1a0df6b3f166b3f92722b90226a32a865b9fb1b5488aa19646df07b70f2b2fabfbc198f9924342f3e573b4e8bee0e9438d08bab6

Download Submit
C:\Windows\system\Oppebaf.exe
Filesize
5.9MB

MD5
debfb0a307199a61ab0e8fb1f457e727

SHA1
22514efe50b58ae6642c7b1d8f7d6cf883911b3e

SHA256
aa322094a2fa0d6ff5701306e4370ba62bfab4dd856ef502525905587bf4e593

SHA512
983e15199a7ef9c0742d61733641d1eb2019c4974c6cecaba100a511d7ddccc419dae5ba22e44ba95fa77deb98215afdb381cf1c60374e1f68b9566ddb2f4a73

Download Submit
C:\Windows\system\QxyTQXI.exe
Filesize
5.9MB

MD5
49796eeae6ecfa369a0660cc8647454f

SHA1
d8ef5c81bfeea22d23efd5eab38199558af497d1

SHA256
76c6fa5b9212ec3936d3224cfff4823e06ec41677e7fd34ce5f8bfb7df82563d

SHA512
eebcdee285d4ea152570ae8fb5e1b4dbb9ba90094315b0687dae8a274bf43692c3fbeab899b4a8f14c6882658eeffeba03102556c278673af6449457fca998d9

Download Submit
C:\Windows\system\SwkYuSl.exe
Filesize
5.9MB

MD5
2a4bafb2d937c84f4e93160739b023eb

SHA1
c81665c87b9fcb2485bf04559c137a8f395dda70

SHA256
518b9868e966c421ede31efaaf3c3d05858567aab2b5a751b88fad8cb53ddda2

SHA512
a03106878c6071c075343e01a379bda5edc75415c55b511a23387c587e35a57c3b1f8d1ba599ae6e78470fb5be599bee9eca25ba1c0f84ab499546c24f66f708

Download Submit
C:\Windows\system\YVIjdnt.exe
Filesize
5.9MB

MD5
1f114a42a603c2ed7c68e812f119f780

SHA1
e8cb2651cadf338ae79ea37df69fd9957447ac99

SHA256
efd114c302a08e1bb34b0613ed57f49b19bb06d870370276d5a4f22f6b87ddf3

SHA512
bf2fbbf111d826602040142390a2678ff1fc5e61ed63053b83bf44d0a2b953351144d15dc0b1544d58eb1dc71963f50e0afc79ce26bf1fb431a2daf9fdfecbf0

Download Submit
C:\Windows\system\YeEBYez.exe
Filesize
5.9MB

MD5
4128a4d72f691223740094437683b546

SHA1
2879e1181cf166aa731209d2f82e442f95e8c68a

SHA256
7d043aed34918d814f5f9ec58f467f5da3f45782892456e6bde3c95394fa0e1d

SHA512
587ac95a44ff12509a4946b0b100dfb74a8b886ba157412fcc2121ec90abf976497a97c796d7e33e5119c013092a9708fa1a8cad6fded45312d92b8bea4965f1

Download Submit
C:\Windows\system\aJAOfGa.exe
Filesize
5.9MB

MD5
eba621737c08e7f10126c814930be184

SHA1
0a276fa0b76cf53b373885bd45c55e8a96f05906

SHA256
d34b5a4e852c415a43aa110af5133c9fece2465dd2dba00df2716ee60b9ebae0

SHA512
eed358cfc6115f8b02225300c318c34bc4c5bcd369facd81705c5fee9b1478a05d3b5f6abd82f4aad8569d113e5c083f75a3f5b7a748a28f9bac6f562d8e6638

Download Submit
C:\Windows\system\awLmLnP.exe
Filesize
5.9MB

MD5
276ff26df372d0b56d612d4e122364fb

SHA1
47f934789e6c7c74e92dbf993da481157c789f19

SHA256
3b1bf43885655a7f6b996ea5db71863af1d79f5b4dee9a26c8bc2ac59bc3b3ae

SHA512
b7bb11b90cb04a20772e11fd27dbaaee5764000bf898b2f8e244851042df1bef31c9fc258ba163036ddda0726188ffb092ec438a0279600ec87eb60aadf051a6

Download Submit
C:\Windows\system\cbaqSeq.exe
Filesize
5.9MB

MD5
c21af64581fdb68c4fb7430144d09b4f

SHA1
2aef61c34d3f79aa0d70f199a7bb91987bbf2c4e

SHA256
b19540aaed6416878805e15afb8e7b430bd5c3aae46be0a79edd665e54ff7357

SHA512
8aee564712ff61ff1c8faaeb86e6ed4cc308f383bf15453348e6248b8753331f9f4010e1bdb82c6c986ca06acf8c0fea7d625be494be63f55aa957a7b60932fc

Download Submit
C:\Windows\system\eKIGtPT.exe
Filesize
5.9MB

MD5
f0020253b1f43bb8ef3d9afe9ee5642d

SHA1
8e6e4976d54a08a9be51d58551fc3311968e1de4

SHA256
cf3e24268fb3d94dcd2ef3aad0a86b78b607c382e0587399cb16f49a21654fc0

SHA512
7f19b01c5d786863f44302959650c0c1e9a3575ee6c905e518299910711dccc8fbc0ea9ed32e467a8385f6c74402f15a72dd75e237a1c7a0034a7cddc315424e

Download Submit
C:\Windows\system\nxrjleu.exe
Filesize
5.9MB

MD5
3788fc4a5a5c133ea224c5bc467d0c2b

SHA1
1d0e7d6c14eb8c2ef992e3bbbc4353793efd710f

SHA256
d8f43714e97b5a4cb423d0470f7b8bfb8bb55c6bf7204d2c9d6ab94d56e194fb

SHA512
4c05bfa9d7ab6b389c3fb67848f482c0dc07da7f14aa03eb708e64c3a0ffe29c66ce1c0ac7697f668ae5371290e54bf3588688206b5cf1679ba1f18d738f7612

Download Submit
C:\Windows\system\onboXDN.exe
Filesize
5.9MB

MD5
b1d1216e5e74a0accd1c4a51deb587df

SHA1
11180c61b95d99849a8d897c078bb3d0fd2a73c3

SHA256
ff2d486e80c254c348f9aeced56b00e323bbc3fe8b9ab25b87352507d916bb53

SHA512
f8016e6c78d9ac3e03ad32b6f21f02f9da70f13262df7df68b97e0162856d629a5f4b1c668735c8b8a84022674e2c7041d4f40026d82689d15f6ff1dc21422e9

Download Submit
C:\Windows\system\rfCowPG.exe
Filesize
5.9MB

MD5
bfeaf82a73f7029ac074695380947966

SHA1
cdaed0055da8f8cf12c97b3b9b6db195b3589763

SHA256
26b045533f0218769ad1b15c7bb0495b6aecf6b0be3f212872974cbc8675ab4f

SHA512
733c534b8cff251ab418c284f62db661155d683a314be32329940b80997c922304eee394efbdad76c000542560a9a65ef93ec5036e9b54795055de75de5e0bec

Download Submit
\Windows\system\LghlSbd.exe
Filesize
5.9MB

MD5
99572c78a21d261d1c69d28184d584c4

SHA1
9c8960879c5c98c6626e315a3f5b97f2f4f460c3

SHA256
e71d71fe35a51a74cc38b78d0eab357f24950257cc1ee7b313801d3a9e6e6990

SHA512
3957a7142eb923f5c8dc6a1d87e43db378bdd9d9a408577139f8960ac180ac05aec10750a876a27c58c7418f3e5a77b16164f8c59e17e213c92322e1d608aa34

Download Submit
\Windows\system\PipbXgw.exe
Filesize
5.9MB

MD5
737a33a26b63240e3c65ebb5a7d07540

SHA1
e33e9ef53d98b8478b0ea0ac38c35b0f7c15b880

SHA256
1f781cc094844c7ec3d6704da1bf62f96ced895cea01261593131696d9454778

SHA512
734f4bbb6711ee823f7e6f51c3992083cd7882365896a186447745931f973ad8fca0f4d81e0c10708056a1a2ec9798720ab4008968c1e080f62ff979b3a176a5

Download Submit
\Windows\system\VBqDcrc.exe
Filesize
5.9MB

MD5
6a48025c3b8a19728a85c14a0678cc23

SHA1
f044a7cdea5159ab406df6d5f8686f353eed2bcf

SHA256
74f5b13afacccb0bf5a3aaf61a1d7e2fb9013345e423b424ded49be504c58155

SHA512
0c9e992e6a70bacbc441e24ec24069b79b824ddf41df1edfd539fbd178eec9e3cdec9a3afcc6a2cc6d9d568b057f533b841f2efd1cf95102f1b6414c3f0be5b5

Download Submit
\Windows\system\XHZUSFX.exe
Filesize
5.9MB

MD5
8803389a628c720c8dbcd257c4d88591

SHA1
1d4b9cea7bc32442b30134076e08ca1a3204d285

SHA256
8e1035de03c9c8db61341ceaa393fc2f77ede271603e501374bf925308dc99ba

SHA512
27c9ce9bdc2a886e23c39fe0b5052188303358642f391c33d84b8b57d86a51edb74963b330a0f465dcabeba4e625753ff9121627838e36076b5dc6cfc3f48113

Download Submit
memory/860-130-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/860-151-0x000000013F1E0000-0x000000013F534000-memory.dmp

Filesize
3.3MB

Download
memory/1360-131-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/1360-152-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/1736-133-0x000000013F5E0000-0x000000013F934000-memory.dmp

Filesize
3.3MB

Download
memory/1736-146-0x000000013F5E0000-0x000000013F934000-memory.dmp

Filesize
3.3MB

Download
memory/1904-117-0x000000013FB00000-0x000000013FE54000-memory.dmp

Filesize
3.3MB

Download
memory/1904-122-0x0000000002360000-0x00000000026B4000-memory.dmp

Filesize
3.3MB

Download
memory/1904-2-0x000000013F160000-0x000000013F4B4000-memory.dmp

Filesize
3.3MB

Download
memory/1904-13-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/1904-115-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/1904-136-0x000000013FB20000-0x000000013FE74000-memory.dmp

Filesize
3.3MB

Download
memory/1904-118-0x000000013F5E0000-0x000000013F934000-memory.dmp

Filesize
3.3MB

Download
memory/1904-0-0x0000000000300000-0x0000000000310000-memory.dmp

Filesize
64KB

Download
memory/1904-134-0x000000013F160000-0x000000013F4B4000-memory.dmp

Filesize
3.3MB

Download
memory/1904-120-0x000000013F8D0000-0x000000013FC24000-memory.dmp

Filesize
3.3MB

Download
memory/1904-127-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download
memory/1904-124-0x000000013FF50000-0x00000001402A4000-memory.dmp

Filesize
3.3MB

Download
memory/1904-12-0x000000013FB20000-0x000000013FE74000-memory.dmp

Filesize
3.3MB

Download
memory/1904-129-0x000000013FE60000-0x00000001401B4000-memory.dmp

Filesize
3.3MB

Download
memory/1904-132-0x000000013FA60000-0x000000013FDB4000-memory.dmp

Filesize
3.3MB

Download
memory/1904-25-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/1904-22-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/2144-135-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2144-11-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2144-139-0x000000013F930000-0x000000013FC84000-memory.dmp

Filesize
3.3MB

Download
memory/2192-128-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download
memory/2192-150-0x000000013F620000-0x000000013F974000-memory.dmp

Filesize
3.3MB

Download
memory/2468-145-0x000000013F8D0000-0x000000013FC24000-memory.dmp

Filesize
3.3MB

Download
memory/2468-121-0x000000013F8D0000-0x000000013FC24000-memory.dmp

Filesize
3.3MB

Download
memory/2508-148-0x000000013FF50000-0x00000001402A4000-memory.dmp

Filesize
3.3MB

Download
memory/2508-125-0x000000013FF50000-0x00000001402A4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-147-0x000000013F270000-0x000000013F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/2528-123-0x000000013F270000-0x000000013F5C4000-memory.dmp

Filesize
3.3MB

Download
memory/2628-119-0x000000013FB00000-0x000000013FE54000-memory.dmp

Filesize
3.3MB

Download
memory/2628-144-0x000000013FB00000-0x000000013FE54000-memory.dmp

Filesize
3.3MB

Download
memory/2664-143-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2664-116-0x000000013FBB0000-0x000000013FF04000-memory.dmp

Filesize
3.3MB

Download
memory/2704-141-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/2704-23-0x000000013F6D0000-0x000000013FA24000-memory.dmp

Filesize
3.3MB

Download
memory/2844-142-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/2844-138-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/2844-30-0x000000013FC70000-0x000000013FFC4000-memory.dmp

Filesize
3.3MB

Download
memory/2928-149-0x000000013F220000-0x000000013F574000-memory.dmp

Filesize
3.3MB

Download
memory/2928-126-0x000000013F220000-0x000000013F574000-memory.dmp

Filesize
3.3MB

Download
memory/2980-140-0x000000013FB20000-0x000000013FE74000-memory.dmp

Filesize
3.3MB

Download
memory/2980-15-0x000000013FB20000-0x000000013FE74000-memory.dmp

Filesize
3.3MB

Download
memory/2980-137-0x000000013FB20000-0x000000013FE74000-memory.dmp

Filesize
3.3MB

Download