cobaltstrike | 9fa4e2529dc9247f9cd14cbf4775cfdb7090491cbdcdcda3bc261398897f91aa

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/12/2024, 17:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

5c5aaf76cda30cd97b1f28bfc00c5824
SHA1

a2a19a2c0601b4114f1a9b9bedcbdb3d705375e7
SHA256

9fa4e2529dc9247f9cd14cbf4775cfdb7090491cbdcdcda3bc261398897f91aa
SHA512

b0db66d9d299cba14d072fe2fff4307e0892d8fb58a3ec263a37b19c710c455e3daefa4afdf902da37215dff916a5f7d0cc18ed4b23823892f47fe5b534842a0
SSDEEP

98304:oemTLkNdfE0pZrt56utgpPFotBER/mQ32lU2:T+856utgpPF8u/72

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x000c000000023b8e-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c87-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c88-21.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c89-25.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8a-34.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8b-41.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8c-49.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8d-52.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8e-59.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c8f-63.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c84-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c92-93.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c91-89.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c90-79.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c86-12.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c96-106.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c97-112.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c98-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c93-101.dat	cobalt_reflective_dll
behavioral2/files/0x000400000001e733-136.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c99-130.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/3972-0-0x00007FF771AD0000-0x00007FF771E24000-memory.dmp	xmrig
behavioral2/files/0x000c000000023b8e-5.dat	xmrig
behavioral2/memory/1832-8-0x00007FF6D1FE0000-0x00007FF6D2334000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c87-11.dat	xmrig
behavioral2/memory/1960-13-0x00007FF7D6A80000-0x00007FF7D6DD4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c88-21.dat	xmrig
behavioral2/files/0x0007000000023c89-25.dat	xmrig
behavioral2/files/0x0007000000023c8a-34.dat	xmrig
behavioral2/files/0x0007000000023c8b-41.dat	xmrig
behavioral2/memory/4424-31-0x00007FF6E34E0000-0x00007FF6E3834000-memory.dmp	xmrig
behavioral2/memory/2500-45-0x00007FF650EC0000-0x00007FF651214000-memory.dmp	xmrig
behavioral2/memory/2300-47-0x00007FF7BA890000-0x00007FF7BABE4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c8c-49.dat	xmrig
behavioral2/files/0x0007000000023c8d-52.dat	xmrig
behavioral2/files/0x0007000000023c8e-59.dat	xmrig
behavioral2/files/0x0007000000023c8f-63.dat	xmrig
behavioral2/memory/2796-75-0x00007FF6D2BE0000-0x00007FF6D2F34000-memory.dmp	xmrig
behavioral2/memory/1780-82-0x00007FF627D60000-0x00007FF6280B4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023c84-85.dat	xmrig
behavioral2/memory/2204-92-0x00007FF68B370000-0x00007FF68B6C4000-memory.dmp	xmrig
behavioral2/memory/3352-96-0x00007FF657CF0000-0x00007FF658044000-memory.dmp	xmrig
behavioral2/memory/5096-97-0x00007FF7395B0000-0x00007FF739904000-memory.dmp	xmrig
behavioral2/memory/768-95-0x00007FF7F94D0000-0x00007FF7F9824000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c92-93.dat	xmrig
behavioral2/memory/3332-91-0x00007FF76CBB0000-0x00007FF76CF04000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c91-89.dat	xmrig
behavioral2/memory/1960-87-0x00007FF7D6A80000-0x00007FF7D6DD4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c90-79.dat	xmrig
behavioral2/memory/1972-67-0x00007FF78C0F0000-0x00007FF78C444000-memory.dmp	xmrig
behavioral2/memory/1832-66-0x00007FF6D1FE0000-0x00007FF6D2334000-memory.dmp	xmrig
behavioral2/memory/3972-65-0x00007FF771AD0000-0x00007FF771E24000-memory.dmp	xmrig
behavioral2/memory/2256-62-0x00007FF7BF950000-0x00007FF7BFCA4000-memory.dmp	xmrig
behavioral2/memory/2140-43-0x00007FF78CFE0000-0x00007FF78D334000-memory.dmp	xmrig
behavioral2/memory/5096-26-0x00007FF7395B0000-0x00007FF739904000-memory.dmp	xmrig
behavioral2/memory/3332-19-0x00007FF76CBB0000-0x00007FF76CF04000-memory.dmp	xmrig
behavioral2/files/0x0008000000023c86-12.dat	xmrig
behavioral2/files/0x0007000000023c96-106.dat	xmrig
behavioral2/files/0x0007000000023c97-112.dat	xmrig
behavioral2/memory/3336-113-0x00007FF6EE8D0000-0x00007FF6EEC24000-memory.dmp	xmrig
behavioral2/memory/2300-120-0x00007FF7BA890000-0x00007FF7BABE4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c98-123.dat	xmrig
behavioral2/memory/1592-122-0x00007FF6BF750000-0x00007FF6BFAA4000-memory.dmp	xmrig
behavioral2/memory/2256-121-0x00007FF7BF950000-0x00007FF7BFCA4000-memory.dmp	xmrig
behavioral2/memory/4848-116-0x00007FF6B4BD0000-0x00007FF6B4F24000-memory.dmp	xmrig
behavioral2/memory/1328-104-0x00007FF75E3F0000-0x00007FF75E744000-memory.dmp	xmrig
behavioral2/memory/4424-103-0x00007FF6E34E0000-0x00007FF6E3834000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c93-101.dat	xmrig
behavioral2/memory/2796-128-0x00007FF6D2BE0000-0x00007FF6D2F34000-memory.dmp	xmrig
behavioral2/memory/3048-135-0x00007FF7F8420000-0x00007FF7F8774000-memory.dmp	xmrig
behavioral2/files/0x000400000001e733-136.dat	xmrig
behavioral2/memory/1780-133-0x00007FF627D60000-0x00007FF6280B4000-memory.dmp	xmrig
behavioral2/memory/4492-132-0x00007FF7A6410000-0x00007FF7A6764000-memory.dmp	xmrig
behavioral2/files/0x0007000000023c99-130.dat	xmrig
behavioral2/memory/4848-138-0x00007FF6B4BD0000-0x00007FF6B4F24000-memory.dmp	xmrig
behavioral2/memory/1592-139-0x00007FF6BF750000-0x00007FF6BFAA4000-memory.dmp	xmrig
behavioral2/memory/4492-140-0x00007FF7A6410000-0x00007FF7A6764000-memory.dmp	xmrig
behavioral2/memory/3048-141-0x00007FF7F8420000-0x00007FF7F8774000-memory.dmp	xmrig
behavioral2/memory/1832-142-0x00007FF6D1FE0000-0x00007FF6D2334000-memory.dmp	xmrig
behavioral2/memory/1960-143-0x00007FF7D6A80000-0x00007FF7D6DD4000-memory.dmp	xmrig
behavioral2/memory/3332-144-0x00007FF76CBB0000-0x00007FF76CF04000-memory.dmp	xmrig
behavioral2/memory/5096-145-0x00007FF7395B0000-0x00007FF739904000-memory.dmp	xmrig
behavioral2/memory/2140-146-0x00007FF78CFE0000-0x00007FF78D334000-memory.dmp	xmrig
behavioral2/memory/4424-148-0x00007FF6E34E0000-0x00007FF6E3834000-memory.dmp	xmrig
behavioral2/memory/2500-147-0x00007FF650EC0000-0x00007FF651214000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
1832	fRbWjDs.exe
1960	BcFjxRm.exe
3332	yZdzFSO.exe
5096	YEGtbrZ.exe
4424	tCFlSbf.exe
2140	GkmUayi.exe
2500	sBgjkGP.exe
2300	IaHHhmC.exe
2256	griPmbm.exe
1972	majjRSf.exe
2796	VgWGIAQ.exe
1780	dFrKBZa.exe
768	jhYSuWP.exe
2204	UqDxeVM.exe
3352	CFxtres.exe
1328	YSEpYya.exe
3336	CPXPTEe.exe
4848	ZvvXKwG.exe
1592	ZEqoATv.exe
4492	mQqtDeH.exe
3048	TywFOck.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3972-0-0x00007FF771AD0000-0x00007FF771E24000-memory.dmp	upx
behavioral2/files/0x000c000000023b8e-5.dat	upx
behavioral2/memory/1832-8-0x00007FF6D1FE0000-0x00007FF6D2334000-memory.dmp	upx
behavioral2/files/0x0007000000023c87-11.dat	upx
behavioral2/memory/1960-13-0x00007FF7D6A80000-0x00007FF7D6DD4000-memory.dmp	upx
behavioral2/files/0x0007000000023c88-21.dat	upx
behavioral2/files/0x0007000000023c89-25.dat	upx
behavioral2/files/0x0007000000023c8a-34.dat	upx
behavioral2/files/0x0007000000023c8b-41.dat	upx
behavioral2/memory/4424-31-0x00007FF6E34E0000-0x00007FF6E3834000-memory.dmp	upx
behavioral2/memory/2500-45-0x00007FF650EC0000-0x00007FF651214000-memory.dmp	upx
behavioral2/memory/2300-47-0x00007FF7BA890000-0x00007FF7BABE4000-memory.dmp	upx
behavioral2/files/0x0007000000023c8c-49.dat	upx
behavioral2/files/0x0007000000023c8d-52.dat	upx
behavioral2/files/0x0007000000023c8e-59.dat	upx
behavioral2/files/0x0007000000023c8f-63.dat	upx
behavioral2/memory/2796-75-0x00007FF6D2BE0000-0x00007FF6D2F34000-memory.dmp	upx
behavioral2/memory/1780-82-0x00007FF627D60000-0x00007FF6280B4000-memory.dmp	upx
behavioral2/files/0x0008000000023c84-85.dat	upx
behavioral2/memory/2204-92-0x00007FF68B370000-0x00007FF68B6C4000-memory.dmp	upx
behavioral2/memory/3352-96-0x00007FF657CF0000-0x00007FF658044000-memory.dmp	upx
behavioral2/memory/5096-97-0x00007FF7395B0000-0x00007FF739904000-memory.dmp	upx
behavioral2/memory/768-95-0x00007FF7F94D0000-0x00007FF7F9824000-memory.dmp	upx
behavioral2/files/0x0007000000023c92-93.dat	upx
behavioral2/memory/3332-91-0x00007FF76CBB0000-0x00007FF76CF04000-memory.dmp	upx
behavioral2/files/0x0007000000023c91-89.dat	upx
behavioral2/memory/1960-87-0x00007FF7D6A80000-0x00007FF7D6DD4000-memory.dmp	upx
behavioral2/files/0x0007000000023c90-79.dat	upx
behavioral2/memory/1972-67-0x00007FF78C0F0000-0x00007FF78C444000-memory.dmp	upx
behavioral2/memory/1832-66-0x00007FF6D1FE0000-0x00007FF6D2334000-memory.dmp	upx
behavioral2/memory/3972-65-0x00007FF771AD0000-0x00007FF771E24000-memory.dmp	upx
behavioral2/memory/2256-62-0x00007FF7BF950000-0x00007FF7BFCA4000-memory.dmp	upx
behavioral2/memory/2140-43-0x00007FF78CFE0000-0x00007FF78D334000-memory.dmp	upx
behavioral2/memory/5096-26-0x00007FF7395B0000-0x00007FF739904000-memory.dmp	upx
behavioral2/memory/3332-19-0x00007FF76CBB0000-0x00007FF76CF04000-memory.dmp	upx
behavioral2/files/0x0008000000023c86-12.dat	upx
behavioral2/files/0x0007000000023c96-106.dat	upx
behavioral2/files/0x0007000000023c97-112.dat	upx
behavioral2/memory/3336-113-0x00007FF6EE8D0000-0x00007FF6EEC24000-memory.dmp	upx
behavioral2/memory/2300-120-0x00007FF7BA890000-0x00007FF7BABE4000-memory.dmp	upx
behavioral2/files/0x0007000000023c98-123.dat	upx
behavioral2/memory/1592-122-0x00007FF6BF750000-0x00007FF6BFAA4000-memory.dmp	upx
behavioral2/memory/2256-121-0x00007FF7BF950000-0x00007FF7BFCA4000-memory.dmp	upx
behavioral2/memory/4848-116-0x00007FF6B4BD0000-0x00007FF6B4F24000-memory.dmp	upx
behavioral2/memory/1328-104-0x00007FF75E3F0000-0x00007FF75E744000-memory.dmp	upx
behavioral2/memory/4424-103-0x00007FF6E34E0000-0x00007FF6E3834000-memory.dmp	upx
behavioral2/files/0x0007000000023c93-101.dat	upx
behavioral2/memory/2796-128-0x00007FF6D2BE0000-0x00007FF6D2F34000-memory.dmp	upx
behavioral2/memory/3048-135-0x00007FF7F8420000-0x00007FF7F8774000-memory.dmp	upx
behavioral2/files/0x000400000001e733-136.dat	upx
behavioral2/memory/1780-133-0x00007FF627D60000-0x00007FF6280B4000-memory.dmp	upx
behavioral2/memory/4492-132-0x00007FF7A6410000-0x00007FF7A6764000-memory.dmp	upx
behavioral2/files/0x0007000000023c99-130.dat	upx
behavioral2/memory/4848-138-0x00007FF6B4BD0000-0x00007FF6B4F24000-memory.dmp	upx
behavioral2/memory/1592-139-0x00007FF6BF750000-0x00007FF6BFAA4000-memory.dmp	upx
behavioral2/memory/4492-140-0x00007FF7A6410000-0x00007FF7A6764000-memory.dmp	upx
behavioral2/memory/3048-141-0x00007FF7F8420000-0x00007FF7F8774000-memory.dmp	upx
behavioral2/memory/1832-142-0x00007FF6D1FE0000-0x00007FF6D2334000-memory.dmp	upx
behavioral2/memory/1960-143-0x00007FF7D6A80000-0x00007FF7D6DD4000-memory.dmp	upx
behavioral2/memory/3332-144-0x00007FF76CBB0000-0x00007FF76CF04000-memory.dmp	upx
behavioral2/memory/5096-145-0x00007FF7395B0000-0x00007FF739904000-memory.dmp	upx
behavioral2/memory/2140-146-0x00007FF78CFE0000-0x00007FF78D334000-memory.dmp	upx
behavioral2/memory/4424-148-0x00007FF6E34E0000-0x00007FF6E3834000-memory.dmp	upx
behavioral2/memory/2500-147-0x00007FF650EC0000-0x00007FF651214000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\YSEpYya.exe	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\tCFlSbf.exe	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\IaHHhmC.exe	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\griPmbm.exe	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\jhYSuWP.exe	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CPXPTEe.exe	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\YEGtbrZ.exe	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\GkmUayi.exe	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VgWGIAQ.exe	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\UqDxeVM.exe	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZvvXKwG.exe	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ZEqoATv.exe	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\mQqtDeH.exe	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BcFjxRm.exe	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sBgjkGP.exe	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\majjRSf.exe	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\CFxtres.exe	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\fRbWjDs.exe	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\yZdzFSO.exe	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\dFrKBZa.exe	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\TywFOck.exe	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 3972 wrote to memory of 1832	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3972 wrote to memory of 1832	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 3972 wrote to memory of 1960	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3972 wrote to memory of 1960	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 3972 wrote to memory of 3332	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3972 wrote to memory of 3332	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 3972 wrote to memory of 5096	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3972 wrote to memory of 5096	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 3972 wrote to memory of 4424	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3972 wrote to memory of 4424	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 3972 wrote to memory of 2140	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3972 wrote to memory of 2140	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 3972 wrote to memory of 2500	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3972 wrote to memory of 2500	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 3972 wrote to memory of 2300	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3972 wrote to memory of 2300	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 3972 wrote to memory of 2256	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3972 wrote to memory of 2256	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 3972 wrote to memory of 1972	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3972 wrote to memory of 1972	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 3972 wrote to memory of 2796	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3972 wrote to memory of 2796	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 3972 wrote to memory of 1780	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3972 wrote to memory of 1780	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 3972 wrote to memory of 768	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3972 wrote to memory of 768	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 3972 wrote to memory of 2204	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3972 wrote to memory of 2204	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 3972 wrote to memory of 3352	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3972 wrote to memory of 3352	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 3972 wrote to memory of 1328	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3972 wrote to memory of 1328	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 3972 wrote to memory of 3336	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3972 wrote to memory of 3336	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 3972 wrote to memory of 4848	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3972 wrote to memory of 4848	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 3972 wrote to memory of 1592	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3972 wrote to memory of 1592	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 3972 wrote to memory of 4492	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3972 wrote to memory of 4492	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 3972 wrote to memory of 3048	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 3972 wrote to memory of 3048	3972	2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe	105

C:\Users\Admin\AppData\Local\Temp\2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-13_5c5aaf76cda30cd97b1f28bfc00c5824_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3972
- C:\Windows\System\fRbWjDs.exe
  C:\Windows\System\fRbWjDs.exe
  2⤵
  - Executes dropped EXE
  PID:1832
- C:\Windows\System\BcFjxRm.exe
  C:\Windows\System\BcFjxRm.exe
  2⤵
  - Executes dropped EXE
  PID:1960
- C:\Windows\System\yZdzFSO.exe
  C:\Windows\System\yZdzFSO.exe
  2⤵
  - Executes dropped EXE
  PID:3332
- C:\Windows\System\YEGtbrZ.exe
  C:\Windows\System\YEGtbrZ.exe
  2⤵
  - Executes dropped EXE
  PID:5096
- C:\Windows\System\tCFlSbf.exe
  C:\Windows\System\tCFlSbf.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System\GkmUayi.exe
  C:\Windows\System\GkmUayi.exe
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\Windows\System\sBgjkGP.exe
  C:\Windows\System\sBgjkGP.exe
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\Windows\System\IaHHhmC.exe
  C:\Windows\System\IaHHhmC.exe
  2⤵
  - Executes dropped EXE
  PID:2300
- C:\Windows\System\griPmbm.exe
  C:\Windows\System\griPmbm.exe
  2⤵
  - Executes dropped EXE
  PID:2256
- C:\Windows\System\majjRSf.exe
  C:\Windows\System\majjRSf.exe
  2⤵
  - Executes dropped EXE
  PID:1972
- C:\Windows\System\VgWGIAQ.exe
  C:\Windows\System\VgWGIAQ.exe
  2⤵
  - Executes dropped EXE
  PID:2796
- C:\Windows\System\dFrKBZa.exe
  C:\Windows\System\dFrKBZa.exe
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\Windows\System\jhYSuWP.exe
  C:\Windows\System\jhYSuWP.exe
  2⤵
  - Executes dropped EXE
  PID:768
- C:\Windows\System\UqDxeVM.exe
  C:\Windows\System\UqDxeVM.exe
  2⤵
  - Executes dropped EXE
  PID:2204
- C:\Windows\System\CFxtres.exe
  C:\Windows\System\CFxtres.exe
  2⤵
  - Executes dropped EXE
  PID:3352
- C:\Windows\System\YSEpYya.exe
  C:\Windows\System\YSEpYya.exe
  2⤵
  - Executes dropped EXE
  PID:1328
- C:\Windows\System\CPXPTEe.exe
  C:\Windows\System\CPXPTEe.exe
  2⤵
  - Executes dropped EXE
  PID:3336
- C:\Windows\System\ZvvXKwG.exe
  C:\Windows\System\ZvvXKwG.exe
  2⤵
  - Executes dropped EXE
  PID:4848
- C:\Windows\System\ZEqoATv.exe
  C:\Windows\System\ZEqoATv.exe
  2⤵
  - Executes dropped EXE
  PID:1592
- C:\Windows\System\mQqtDeH.exe
  C:\Windows\System\mQqtDeH.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\TywFOck.exe
  C:\Windows\System\TywFOck.exe
  2⤵
  - Executes dropped EXE
  PID:3048

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BcFjxRm.exe

Filesize
5.9MB

MD5
b4c660f12a888d2961b2cd887c9888bd

SHA1
177b0b4a52725b643eaba7636ac82400da70a397

SHA256
7bc49d243ed340154bb71149dcf3f3a25be52ae7edb386b85addac135b44ddcf

SHA512
215200de2d8e7e9fa7afa2aa3010bb6a930a1c1e6b269a59245864b654eba3610a76c13b00ac32aff6f9e515dfdd3bb8dac4b7384a5333cc8de2625185abf86e

Download Submit
C:\Windows\System\CFxtres.exe

Filesize
5.9MB

MD5
deedda0600628e863a9aa8a3ae96b3e3

SHA1
cbf65e4c9e4b6d1a3582b7e1008b86cc776fe39d

SHA256
484f3f268fb1e424859a88dfb49d214a1e79baa0eb261401f8fa21a1c1bfc2fc

SHA512
a3da847b670461f64551848b4024b7cd2de2dfdf68283f23fa8295a8521cf2a46110e1ce95eba26df3956e883ff8bc0569fc3ce3e7ae92010d8359d062a91e58

Download Submit
C:\Windows\System\CPXPTEe.exe

Filesize
5.9MB

MD5
a8b426bf9351cf60ec5615fed0d041ad

SHA1
185bcfc8d279687212dc2057a5191e88731dcd72

SHA256
62b706a0808b5fba2a1c21f778c814f66b6180471f2d8ed5edfaee2c8657765f

SHA512
78d7bb90a4557305069c9c75d7460144fa9366adb73910c47e88a1d15ece479fc9d4124b132eec603047150f431b5b59c4438df71bb20388bb33311e59731536

Download Submit
C:\Windows\System\GkmUayi.exe

Filesize
5.9MB

MD5
e6756bec94b2e8fbf3cc30a7c60bbbf2

SHA1
cc9b31430db632c69b87e632b123453953b244b3

SHA256
a1a4dce4482188514fb209857c4408833cd4f2cda2bf92fc28ff8c9e9b020907

SHA512
821779b43ba3cfca380cf206c082bf7fbe5855223a51a165442f4560068bfdee588c7676ff7ddf9726c7201d7130f685b6d27d31c1bd622e5a5a61360e27f972

Download Submit
C:\Windows\System\IaHHhmC.exe

Filesize
5.9MB

MD5
e5a22b769392458a51a9c56d91939325

SHA1
13399f8112bcfa0d023642fbfb2839fb8f9349da

SHA256
51d6166acb0bb1e91fb3f836ffdeda3c30e0bb238c99c68ee05730e722d0ea24

SHA512
9072e6d2925fdb1003022c3c188ea3eb787e15bfd961413bec7ceb77f44391d43c8b210a50b469f6a8cd3fe145d60a263eea16131dab341bc43aec65e2554d77

Download Submit
C:\Windows\System\TywFOck.exe

Filesize
5.9MB

MD5
1ce7ce7defb124b5637108c412bff301

SHA1
5ab4e557bf9cdafe375246632590b37ef95f21c3

SHA256
1a9ee74783ec073cc610acabc49ace8ed1ce5056e067d3f7222f59ba0c1ec8ae

SHA512
c07891d487d4a938de08d4bf45fb79c0775675a945589edc88eea80697d28a6d031d135151dc8fc7ffa024fbdd72811d0558951a27f5672dc9d03d4bd3cc1afd

Download Submit
C:\Windows\System\UqDxeVM.exe

Filesize
5.9MB

MD5
b5db44a9a280caf04c205533ccc97d69

SHA1
461db6497d27aef5de27949d417f8ca66297f527

SHA256
ca89b64b61eea0124eda9d6cff8f2b7f3002b5fbd574de51f150562c8f0fda9d

SHA512
ab964c9b420dc59ad6a83b0fbb331dd6dfd58ba4521f265e9e63288eb7e18def1c4b7ac2504f362d61652c9f12649ecee02613e5ce9fb7564b5b3980b1da1936

Download Submit
C:\Windows\System\VgWGIAQ.exe

Filesize
5.9MB

MD5
3c7104ed0628ae59f40f00262cfa8f4a

SHA1
06bddb1d8b0f67488299b0477b39420eed9fe1ca

SHA256
3967e26bfdc2bfbd767c1df3a9e9726e114d6fa41a0d2dd006f043876e7290be

SHA512
1e7a92177296c4fec89a1622a905a4d06cfe13d1b0f00a85b54c2f69e116ef97e2c3a92f508cfc5204abdbaa6fcf3b50f154415c2b71b630e4d3da4374cbcd39

Download Submit
C:\Windows\System\YEGtbrZ.exe

Filesize
5.9MB

MD5
72ab0edb6afc400129485a4ac27ce22f

SHA1
6d7c4056e6bb6bfd28974bbbca90f07005941a93

SHA256
8aa2ba7230fc3891fb1b69b29eb2e23bb0f9e5d852d8978b40349a865830972e

SHA512
4ce129c3a388e5fb0a7bbea23f1bbc48fb0efbaafa06097054b37f1e7e38985fcf282591859000dd752334deca2ecea9b76c856427ddb2a1d283ad30b13ea2ad

Download Submit
C:\Windows\System\YSEpYya.exe

Filesize
5.9MB

MD5
461b425f349c63b0ca284d70037223f3

SHA1
53c458b5d2f7983bff139e2409fd8a94a8317071

SHA256
b9a593fdd5ccfc8cc135c32bc9d39c676c817d893986f0b92d7b2d793cab908f

SHA512
85f8ac9f32af92cd01b896fa29b17196703e8401ead66e1c3ba23d36fe39620b1e648cdab53e858a2c60ea5dfe75958623fabb508815c416c201cded5344a8d2

Download Submit
C:\Windows\System\ZEqoATv.exe

Filesize
5.9MB

MD5
d06212913bea4bb657f9789e2291d1a9

SHA1
75b429c6909bc3cf272091e5c68c73698f428929

SHA256
539c395eb4c4f4e07efa200361f97660ea4ca70ab484ee89400b674f2f3dc377

SHA512
baa2c227ad8d8550d77f57cf920cfeda3bc430e9f4ed36e223ebe45ca3a261b748aaa7ab720119a72839506af8990632e1e8531aabc441a5b63340c33d0a2aa4

Download Submit
C:\Windows\System\ZvvXKwG.exe

Filesize
5.9MB

MD5
93e36afea18d525fe0520b53768d5edd

SHA1
e7b0dc9fc3a55b9c3ab4c2fff4a3e1b8078a6b82

SHA256
743c2c8a5a454feab75b3d29e0ce57d1ec181b13b783fb0d8df9395dbc9cee43

SHA512
48a1610d95b33f0534a9a68046e5428d0becbf15069b3e57153853ab0d91845f5d2947c6f074ec58e7c043909d8f9b995e601611332efac33d11685c416e8c7e

Download Submit
C:\Windows\System\dFrKBZa.exe

Filesize
5.9MB

MD5
3504e5409d8b9fa1744f3a98c8b821b3

SHA1
f9e1de794ae8c146c5421812255f876c869640e8

SHA256
4495af59097366e3f5ffcd67d41841d63de5b240d4c1aa826030f189bd038232

SHA512
4c2ee2cece3f0664deee0325fc85914640c10b92267913d4bacbcc0fcda4da63bb46bc58ab6810e6e1241f127c4e453be605ca88d883f5ffc30f92b0f9fd341b

Download Submit
C:\Windows\System\fRbWjDs.exe

Filesize
5.9MB

MD5
93a36c94d6b89f9d4cec0f2bc4cb6849

SHA1
98c8180132457cf84f69e6c3516a5eb21c8bc61a

SHA256
b4626ca6b398fafec3cff989be1eb299d5aa67ece91e1c67d6458fa0eabc3c47

SHA512
46ebff3e8acf8582f8154f4aeee575e238a44d7ef57451650611aeacad8899854c5c25588be59010202e460c7b555af39e3ce8532421d07cf4a086a8e5840281

Download Submit
C:\Windows\System\griPmbm.exe

Filesize
5.9MB

MD5
28ca18fc62e5b9fe25c56052af072cbb

SHA1
8531e84ee8e57b3659bddf140e866d6334fcb49c

SHA256
6392d02cd8c02051830aff154a4a03943d55dffcacb38cdc1f9bb4937d156351

SHA512
aee0026dea066d48060b4d79d766390b6baa8aa50c55c0daa6b45a21e8dfcc5603c0590354444a870627f60e7a5786bfa9aaa48904dc2b5f5ea043593d6d3ead

Download Submit
C:\Windows\System\jhYSuWP.exe

Filesize
5.9MB

MD5
87ec26d9c78db8be3ae1a380481c38c7

SHA1
59bc9d505fa96fa43637b0bd6d15ad338b2cc7a4

SHA256
1cdfd563e69c21962bb21bc5eb2faa71e956c5541b3f07892500934842b7b2ea

SHA512
139b07ea4f8a0fed5c8e6aac37d41a563025a524d072ed3dcff1a767afe3a965b3519fa7b6ebd93b27dd6a29d4efa97ed5a587cfcfdd3903268b55076df26e8f

Download Submit
C:\Windows\System\mQqtDeH.exe

Filesize
5.9MB

MD5
57b3fcadfd6a97fa181d4a54710134a6

SHA1
94252a7555316c356ae449047b7fa42aebf49a99

SHA256
fdefc26c98c66c1b6b447106da6cc5ae3d007a4a35a81a5331f1a46d9235c858

SHA512
66a3b5a1d66a0bd2aa3ea4ea21aafffda2694d7168dc494cfd1c65c2b160454ec343bac47f99705a6f26788da55ca52a6b285b9bb832761a6fc52808a00f20e2

Download Submit
C:\Windows\System\majjRSf.exe

Filesize
5.9MB

MD5
94e2ee35a66939cabb8bd634ae190f4d

SHA1
494231ff813921555fc45898a083e01ce27afd10

SHA256
e84eedabae68799aba43c468fc67e621078299aa1bc4ce890c861eb4fea5f0a9

SHA512
0da68d26dcc158e1799d70d95ae56fb1ef36eb997c2294386b42dc997d763e3baccc51c3979c02a11dfbeb74dd486bdcc9b76e6e283d045f2b86bb4a3976d32a

Download Submit
C:\Windows\System\sBgjkGP.exe

Filesize
5.9MB

MD5
276d5d5e32949fe37f95959669c441f0

SHA1
b1a6227e9376180021bd48e4b3b4eb002b49d3f3

SHA256
a9ff91ce997071f5e88147b9ddb71f1259926a2fcee3809f4362d9173c3ef229

SHA512
ccef2b1622f62340babb7b90289165db6d90157bfbe2e0a6ae368ea6a146b88ddfab65a2e2d85db3c2ce4ce79ef8198d2848d23dadf4befe0e78b352abc3a56f

Download Submit
C:\Windows\System\tCFlSbf.exe

Filesize
5.9MB

MD5
65553dc842ccb0f8803b77b01035a98f

SHA1
461fba573e7d6fc0a6431e13f773d6f4011fcc9c

SHA256
ff471050d032c87c354183d77c47a44d40703768fbb7a426600bccba909172c3

SHA512
eb2d4767855652e27c221b1857d6d0173a3779e6c57139e965e65d58c3002cf7bd75543abf84889c22630044902ea9872e882f8a984a0f46701f9501ab1cd7b8

Download Submit
C:\Windows\System\yZdzFSO.exe

Filesize
5.9MB

MD5
e560887c983c8e1b9c156c12d8daab9f

SHA1
f001c9184a0903b05dc37b8a3685706bb0a24664

SHA256
f0c57175aa8751c4abd3655c94229069ccabba3ebfb0535c8df8a578756ef38a

SHA512
a64a755633f8be839d18583e98db30cb42a7bc7eb1c0f5a0cdb0b3c6a42f10e643782ad09d17df8ef7fc8cc7f16dd630d18c30b8990bebe629ac1f354399509a

Download Submit
memory/768-156-0x00007FF7F94D0000-0x00007FF7F9824000-memory.dmp

Filesize
3.3MB

Download
memory/768-95-0x00007FF7F94D0000-0x00007FF7F9824000-memory.dmp

Filesize
3.3MB

Download
memory/1328-104-0x00007FF75E3F0000-0x00007FF75E744000-memory.dmp

Filesize
3.3MB

Download
memory/1328-157-0x00007FF75E3F0000-0x00007FF75E744000-memory.dmp

Filesize
3.3MB

Download
memory/1592-122-0x00007FF6BF750000-0x00007FF6BFAA4000-memory.dmp

Filesize
3.3MB

Download
memory/1592-139-0x00007FF6BF750000-0x00007FF6BFAA4000-memory.dmp

Filesize
3.3MB

Download
memory/1592-160-0x00007FF6BF750000-0x00007FF6BFAA4000-memory.dmp

Filesize
3.3MB

Download
memory/1780-82-0x00007FF627D60000-0x00007FF6280B4000-memory.dmp

Filesize
3.3MB

Download
memory/1780-153-0x00007FF627D60000-0x00007FF6280B4000-memory.dmp

Filesize
3.3MB

Download
memory/1780-133-0x00007FF627D60000-0x00007FF6280B4000-memory.dmp

Filesize
3.3MB

Download
memory/1832-66-0x00007FF6D1FE0000-0x00007FF6D2334000-memory.dmp

Filesize
3.3MB

Download
memory/1832-8-0x00007FF6D1FE0000-0x00007FF6D2334000-memory.dmp

Filesize
3.3MB

Download
memory/1832-142-0x00007FF6D1FE0000-0x00007FF6D2334000-memory.dmp

Filesize
3.3MB

Download
memory/1960-143-0x00007FF7D6A80000-0x00007FF7D6DD4000-memory.dmp

Filesize
3.3MB

Download
memory/1960-13-0x00007FF7D6A80000-0x00007FF7D6DD4000-memory.dmp

Filesize
3.3MB

Download
memory/1960-87-0x00007FF7D6A80000-0x00007FF7D6DD4000-memory.dmp

Filesize
3.3MB

Download
memory/1972-67-0x00007FF78C0F0000-0x00007FF78C444000-memory.dmp

Filesize
3.3MB

Download
memory/1972-151-0x00007FF78C0F0000-0x00007FF78C444000-memory.dmp

Filesize
3.3MB

Download
memory/2140-146-0x00007FF78CFE0000-0x00007FF78D334000-memory.dmp

Filesize
3.3MB

Download
memory/2140-43-0x00007FF78CFE0000-0x00007FF78D334000-memory.dmp

Filesize
3.3MB

Download
memory/2204-155-0x00007FF68B370000-0x00007FF68B6C4000-memory.dmp

Filesize
3.3MB

Download
memory/2204-92-0x00007FF68B370000-0x00007FF68B6C4000-memory.dmp

Filesize
3.3MB

Download
memory/2256-149-0x00007FF7BF950000-0x00007FF7BFCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2256-121-0x00007FF7BF950000-0x00007FF7BFCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2256-62-0x00007FF7BF950000-0x00007FF7BFCA4000-memory.dmp

Filesize
3.3MB

Download
memory/2300-150-0x00007FF7BA890000-0x00007FF7BABE4000-memory.dmp

Filesize
3.3MB

Download
memory/2300-120-0x00007FF7BA890000-0x00007FF7BABE4000-memory.dmp

Filesize
3.3MB

Download
memory/2300-47-0x00007FF7BA890000-0x00007FF7BABE4000-memory.dmp

Filesize
3.3MB

Download
memory/2500-45-0x00007FF650EC0000-0x00007FF651214000-memory.dmp

Filesize
3.3MB

Download
memory/2500-147-0x00007FF650EC0000-0x00007FF651214000-memory.dmp

Filesize
3.3MB

Download
memory/2796-75-0x00007FF6D2BE0000-0x00007FF6D2F34000-memory.dmp

Filesize
3.3MB

Download
memory/2796-152-0x00007FF6D2BE0000-0x00007FF6D2F34000-memory.dmp

Filesize
3.3MB

Download
memory/2796-128-0x00007FF6D2BE0000-0x00007FF6D2F34000-memory.dmp

Filesize
3.3MB

Download
memory/3048-162-0x00007FF7F8420000-0x00007FF7F8774000-memory.dmp

Filesize
3.3MB

Download
memory/3048-135-0x00007FF7F8420000-0x00007FF7F8774000-memory.dmp

Filesize
3.3MB

Download
memory/3048-141-0x00007FF7F8420000-0x00007FF7F8774000-memory.dmp

Filesize
3.3MB

Download
memory/3332-19-0x00007FF76CBB0000-0x00007FF76CF04000-memory.dmp

Filesize
3.3MB

Download
memory/3332-144-0x00007FF76CBB0000-0x00007FF76CF04000-memory.dmp

Filesize
3.3MB

Download
memory/3332-91-0x00007FF76CBB0000-0x00007FF76CF04000-memory.dmp

Filesize
3.3MB

Download
memory/3336-113-0x00007FF6EE8D0000-0x00007FF6EEC24000-memory.dmp

Filesize
3.3MB

Download
memory/3336-158-0x00007FF6EE8D0000-0x00007FF6EEC24000-memory.dmp

Filesize
3.3MB

Download
memory/3352-96-0x00007FF657CF0000-0x00007FF658044000-memory.dmp

Filesize
3.3MB

Download
memory/3352-154-0x00007FF657CF0000-0x00007FF658044000-memory.dmp

Filesize
3.3MB

Download
memory/3972-0-0x00007FF771AD0000-0x00007FF771E24000-memory.dmp

Filesize
3.3MB

Download
memory/3972-65-0x00007FF771AD0000-0x00007FF771E24000-memory.dmp

Filesize
3.3MB

Download
memory/3972-1-0x00000195E24E0000-0x00000195E24F0000-memory.dmp

Filesize
64KB

Download
memory/4424-31-0x00007FF6E34E0000-0x00007FF6E3834000-memory.dmp

Filesize
3.3MB

Download
memory/4424-148-0x00007FF6E34E0000-0x00007FF6E3834000-memory.dmp

Filesize
3.3MB

Download
memory/4424-103-0x00007FF6E34E0000-0x00007FF6E3834000-memory.dmp

Filesize
3.3MB

Download
memory/4492-140-0x00007FF7A6410000-0x00007FF7A6764000-memory.dmp

Filesize
3.3MB

Download
memory/4492-132-0x00007FF7A6410000-0x00007FF7A6764000-memory.dmp

Filesize
3.3MB

Download
memory/4492-161-0x00007FF7A6410000-0x00007FF7A6764000-memory.dmp

Filesize
3.3MB

Download
memory/4848-116-0x00007FF6B4BD0000-0x00007FF6B4F24000-memory.dmp

Filesize
3.3MB

Download
memory/4848-138-0x00007FF6B4BD0000-0x00007FF6B4F24000-memory.dmp

Filesize
3.3MB

Download
memory/4848-159-0x00007FF6B4BD0000-0x00007FF6B4F24000-memory.dmp

Filesize
3.3MB

Download
memory/5096-97-0x00007FF7395B0000-0x00007FF739904000-memory.dmp

Filesize
3.3MB

Download
memory/5096-145-0x00007FF7395B0000-0x00007FF739904000-memory.dmp

Filesize
3.3MB

Download
memory/5096-26-0x00007FF7395B0000-0x00007FF739904000-memory.dmp

Filesize
3.3MB

Download