cobaltstrike | 4f1226493549e0ce0f1f0cdd610e10e23cc3567c4d288c3ded01b6d3bde03158

Analysis

max time kernel
143s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 13:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.9MB
MD5

87bc4af00864ad0fcef1f6ebf31c7094
SHA1

b9399f5eace3b1517176743c8ea78aa37ea91c2b
SHA256

4f1226493549e0ce0f1f0cdd610e10e23cc3567c4d288c3ded01b6d3bde03158
SHA512

f521c7afa9eb24009cae308d56f6c997750bbd6507d5acd02ad0c53a14afc39d726fa21c5301d10132ddbd5eeaf784880999df2e9365bbf91390d1fcac1cf64d
SSDEEP

98304:BemTLkNdfE0pZrt56utgpPFotBER/mQ32lU/:Q+856utgpPF8u/7/

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

resource	yara_rule
behavioral2/files/0x0008000000023452-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023457-11.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023456-12.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023453-23.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023459-26.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345a-35.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345c-44.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345d-55.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345e-57.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023460-75.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023461-79.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023462-87.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345f-70.dat	cobalt_reflective_dll
behavioral2/files/0x000700000002345b-47.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023463-93.dat	cobalt_reflective_dll
behavioral2/files/0x000600000002270e-102.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023381-115.dat	cobalt_reflective_dll
behavioral2/files/0x0009000000023386-123.dat	cobalt_reflective_dll
behavioral2/files/0x000a000000023387-127.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023464-136.dat	cobalt_reflective_dll
behavioral2/files/0x0003000000022d07-105.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 64 IoCs

miner

resource	yara_rule
behavioral2/memory/2736-0-0x00007FF62C910000-0x00007FF62CC64000-memory.dmp	xmrig
behavioral2/files/0x0008000000023452-5.dat	xmrig
behavioral2/memory/4744-7-0x00007FF7DF9A0000-0x00007FF7DFCF4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023457-11.dat	xmrig
behavioral2/memory/3308-14-0x00007FF7128D0000-0x00007FF712C24000-memory.dmp	xmrig
behavioral2/files/0x0007000000023456-12.dat	xmrig
behavioral2/memory/756-19-0x00007FF6B6080000-0x00007FF6B63D4000-memory.dmp	xmrig
behavioral2/files/0x0008000000023453-23.dat	xmrig
behavioral2/files/0x0007000000023459-26.dat	xmrig
behavioral2/memory/1112-24-0x00007FF6A6D10000-0x00007FF6A7064000-memory.dmp	xmrig
behavioral2/memory/3928-27-0x00007FF723600000-0x00007FF723954000-memory.dmp	xmrig
behavioral2/files/0x000700000002345a-35.dat	xmrig
behavioral2/files/0x000700000002345c-44.dat	xmrig
behavioral2/files/0x000700000002345d-55.dat	xmrig
behavioral2/files/0x000700000002345e-57.dat	xmrig
behavioral2/memory/1876-65-0x00007FF7EF660000-0x00007FF7EF9B4000-memory.dmp	xmrig
behavioral2/memory/3696-69-0x00007FF727D70000-0x00007FF7280C4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023460-75.dat	xmrig
behavioral2/files/0x0007000000023461-79.dat	xmrig
behavioral2/files/0x0007000000023462-87.dat	xmrig
behavioral2/memory/884-86-0x00007FF7A72A0000-0x00007FF7A75F4000-memory.dmp	xmrig
behavioral2/memory/4584-81-0x00007FF68D820000-0x00007FF68DB74000-memory.dmp	xmrig
behavioral2/memory/3308-80-0x00007FF7128D0000-0x00007FF712C24000-memory.dmp	xmrig
behavioral2/memory/4688-74-0x00007FF71CE60000-0x00007FF71D1B4000-memory.dmp	xmrig
behavioral2/memory/4744-73-0x00007FF7DF9A0000-0x00007FF7DFCF4000-memory.dmp	xmrig
behavioral2/files/0x000700000002345f-70.dat	xmrig
behavioral2/memory/2736-66-0x00007FF62C910000-0x00007FF62CC64000-memory.dmp	xmrig
behavioral2/memory/2536-61-0x00007FF687980000-0x00007FF687CD4000-memory.dmp	xmrig
behavioral2/memory/4772-58-0x00007FF7A4920000-0x00007FF7A4C74000-memory.dmp	xmrig
behavioral2/memory/4100-53-0x00007FF63E210000-0x00007FF63E564000-memory.dmp	xmrig
behavioral2/files/0x000700000002345b-47.dat	xmrig
behavioral2/memory/4128-36-0x00007FF6A3CB0000-0x00007FF6A4004000-memory.dmp	xmrig
behavioral2/memory/756-90-0x00007FF6B6080000-0x00007FF6B63D4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023463-93.dat	xmrig
behavioral2/files/0x000600000002270e-102.dat	xmrig
behavioral2/memory/4668-100-0x00007FF6405E0000-0x00007FF640934000-memory.dmp	xmrig
behavioral2/memory/1112-98-0x00007FF6A6D10000-0x00007FF6A7064000-memory.dmp	xmrig
behavioral2/memory/3928-103-0x00007FF723600000-0x00007FF723954000-memory.dmp	xmrig
behavioral2/memory/4100-111-0x00007FF63E210000-0x00007FF63E564000-memory.dmp	xmrig
behavioral2/memory/4128-110-0x00007FF6A3CB0000-0x00007FF6A4004000-memory.dmp	xmrig
behavioral2/files/0x000a000000023381-115.dat	xmrig
behavioral2/memory/4412-122-0x00007FF6A6E70000-0x00007FF6A71C4000-memory.dmp	xmrig
behavioral2/files/0x0009000000023386-123.dat	xmrig
behavioral2/files/0x000a000000023387-127.dat	xmrig
behavioral2/memory/3256-129-0x00007FF614950000-0x00007FF614CA4000-memory.dmp	xmrig
behavioral2/memory/4688-134-0x00007FF71CE60000-0x00007FF71D1B4000-memory.dmp	xmrig
behavioral2/files/0x0007000000023464-136.dat	xmrig
behavioral2/memory/4312-135-0x00007FF7C87E0000-0x00007FF7C8B34000-memory.dmp	xmrig
behavioral2/memory/3696-128-0x00007FF727D70000-0x00007FF7280C4000-memory.dmp	xmrig
behavioral2/memory/672-118-0x00007FF665A70000-0x00007FF665DC4000-memory.dmp	xmrig
behavioral2/memory/548-114-0x00007FF7B1430000-0x00007FF7B1784000-memory.dmp	xmrig
behavioral2/memory/3476-108-0x00007FF748080000-0x00007FF7483D4000-memory.dmp	xmrig
behavioral2/files/0x0003000000022d07-105.dat	xmrig
behavioral2/memory/4584-138-0x00007FF68D820000-0x00007FF68DB74000-memory.dmp	xmrig
behavioral2/memory/884-139-0x00007FF7A72A0000-0x00007FF7A75F4000-memory.dmp	xmrig
behavioral2/memory/3476-140-0x00007FF748080000-0x00007FF7483D4000-memory.dmp	xmrig
behavioral2/memory/672-141-0x00007FF665A70000-0x00007FF665DC4000-memory.dmp	xmrig
behavioral2/memory/4412-142-0x00007FF6A6E70000-0x00007FF6A71C4000-memory.dmp	xmrig
behavioral2/memory/3256-143-0x00007FF614950000-0x00007FF614CA4000-memory.dmp	xmrig
behavioral2/memory/4312-144-0x00007FF7C87E0000-0x00007FF7C8B34000-memory.dmp	xmrig
behavioral2/memory/4744-145-0x00007FF7DF9A0000-0x00007FF7DFCF4000-memory.dmp	xmrig
behavioral2/memory/3308-146-0x00007FF7128D0000-0x00007FF712C24000-memory.dmp	xmrig
behavioral2/memory/756-147-0x00007FF6B6080000-0x00007FF6B63D4000-memory.dmp	xmrig
behavioral2/memory/1112-148-0x00007FF6A6D10000-0x00007FF6A7064000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

pid	Process
4744	xwskJmx.exe
3308	NPuzwDf.exe
756	vqcrMqZ.exe
1112	QzSdaKt.exe
3928	oEsUxwy.exe
4128	bhUeRfW.exe
4100	WVzZVex.exe
2536	xaLmAaN.exe
4772	KGouTMo.exe
1876	iApyDlL.exe
3696	NPYktbv.exe
4688	hDzYWUI.exe
4584	BHXyzKm.exe
884	JgodHzF.exe
4668	RzErsCm.exe
3476	gTBPUiC.exe
548	kmiydiq.exe
672	VXXFeun.exe
4412	vEFhHIS.exe
3256	nwDwGxN.exe
4312	SCcrIZB.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2736-0-0x00007FF62C910000-0x00007FF62CC64000-memory.dmp	upx
behavioral2/files/0x0008000000023452-5.dat	upx
behavioral2/memory/4744-7-0x00007FF7DF9A0000-0x00007FF7DFCF4000-memory.dmp	upx
behavioral2/files/0x0007000000023457-11.dat	upx
behavioral2/memory/3308-14-0x00007FF7128D0000-0x00007FF712C24000-memory.dmp	upx
behavioral2/files/0x0007000000023456-12.dat	upx
behavioral2/memory/756-19-0x00007FF6B6080000-0x00007FF6B63D4000-memory.dmp	upx
behavioral2/files/0x0008000000023453-23.dat	upx
behavioral2/files/0x0007000000023459-26.dat	upx
behavioral2/memory/1112-24-0x00007FF6A6D10000-0x00007FF6A7064000-memory.dmp	upx
behavioral2/memory/3928-27-0x00007FF723600000-0x00007FF723954000-memory.dmp	upx
behavioral2/files/0x000700000002345a-35.dat	upx
behavioral2/files/0x000700000002345c-44.dat	upx
behavioral2/files/0x000700000002345d-55.dat	upx
behavioral2/files/0x000700000002345e-57.dat	upx
behavioral2/memory/1876-65-0x00007FF7EF660000-0x00007FF7EF9B4000-memory.dmp	upx
behavioral2/memory/3696-69-0x00007FF727D70000-0x00007FF7280C4000-memory.dmp	upx
behavioral2/files/0x0007000000023460-75.dat	upx
behavioral2/files/0x0007000000023461-79.dat	upx
behavioral2/files/0x0007000000023462-87.dat	upx
behavioral2/memory/884-86-0x00007FF7A72A0000-0x00007FF7A75F4000-memory.dmp	upx
behavioral2/memory/4584-81-0x00007FF68D820000-0x00007FF68DB74000-memory.dmp	upx
behavioral2/memory/3308-80-0x00007FF7128D0000-0x00007FF712C24000-memory.dmp	upx
behavioral2/memory/4688-74-0x00007FF71CE60000-0x00007FF71D1B4000-memory.dmp	upx
behavioral2/memory/4744-73-0x00007FF7DF9A0000-0x00007FF7DFCF4000-memory.dmp	upx
behavioral2/files/0x000700000002345f-70.dat	upx
behavioral2/memory/2736-66-0x00007FF62C910000-0x00007FF62CC64000-memory.dmp	upx
behavioral2/memory/2536-61-0x00007FF687980000-0x00007FF687CD4000-memory.dmp	upx
behavioral2/memory/4772-58-0x00007FF7A4920000-0x00007FF7A4C74000-memory.dmp	upx
behavioral2/memory/4100-53-0x00007FF63E210000-0x00007FF63E564000-memory.dmp	upx
behavioral2/files/0x000700000002345b-47.dat	upx
behavioral2/memory/4128-36-0x00007FF6A3CB0000-0x00007FF6A4004000-memory.dmp	upx
behavioral2/memory/756-90-0x00007FF6B6080000-0x00007FF6B63D4000-memory.dmp	upx
behavioral2/files/0x0007000000023463-93.dat	upx
behavioral2/files/0x000600000002270e-102.dat	upx
behavioral2/memory/4668-100-0x00007FF6405E0000-0x00007FF640934000-memory.dmp	upx
behavioral2/memory/1112-98-0x00007FF6A6D10000-0x00007FF6A7064000-memory.dmp	upx
behavioral2/memory/3928-103-0x00007FF723600000-0x00007FF723954000-memory.dmp	upx
behavioral2/memory/4100-111-0x00007FF63E210000-0x00007FF63E564000-memory.dmp	upx
behavioral2/memory/4128-110-0x00007FF6A3CB0000-0x00007FF6A4004000-memory.dmp	upx
behavioral2/files/0x000a000000023381-115.dat	upx
behavioral2/memory/4412-122-0x00007FF6A6E70000-0x00007FF6A71C4000-memory.dmp	upx
behavioral2/files/0x0009000000023386-123.dat	upx
behavioral2/files/0x000a000000023387-127.dat	upx
behavioral2/memory/3256-129-0x00007FF614950000-0x00007FF614CA4000-memory.dmp	upx
behavioral2/memory/4688-134-0x00007FF71CE60000-0x00007FF71D1B4000-memory.dmp	upx
behavioral2/files/0x0007000000023464-136.dat	upx
behavioral2/memory/4312-135-0x00007FF7C87E0000-0x00007FF7C8B34000-memory.dmp	upx
behavioral2/memory/3696-128-0x00007FF727D70000-0x00007FF7280C4000-memory.dmp	upx
behavioral2/memory/672-118-0x00007FF665A70000-0x00007FF665DC4000-memory.dmp	upx
behavioral2/memory/548-114-0x00007FF7B1430000-0x00007FF7B1784000-memory.dmp	upx
behavioral2/memory/3476-108-0x00007FF748080000-0x00007FF7483D4000-memory.dmp	upx
behavioral2/files/0x0003000000022d07-105.dat	upx
behavioral2/memory/4584-138-0x00007FF68D820000-0x00007FF68DB74000-memory.dmp	upx
behavioral2/memory/884-139-0x00007FF7A72A0000-0x00007FF7A75F4000-memory.dmp	upx
behavioral2/memory/3476-140-0x00007FF748080000-0x00007FF7483D4000-memory.dmp	upx
behavioral2/memory/672-141-0x00007FF665A70000-0x00007FF665DC4000-memory.dmp	upx
behavioral2/memory/4412-142-0x00007FF6A6E70000-0x00007FF6A71C4000-memory.dmp	upx
behavioral2/memory/3256-143-0x00007FF614950000-0x00007FF614CA4000-memory.dmp	upx
behavioral2/memory/4312-144-0x00007FF7C87E0000-0x00007FF7C8B34000-memory.dmp	upx
behavioral2/memory/4744-145-0x00007FF7DF9A0000-0x00007FF7DFCF4000-memory.dmp	upx
behavioral2/memory/3308-146-0x00007FF7128D0000-0x00007FF712C24000-memory.dmp	upx
behavioral2/memory/756-147-0x00007FF6B6080000-0x00007FF6B63D4000-memory.dmp	upx
behavioral2/memory/1112-148-0x00007FF6A6D10000-0x00007FF6A7064000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

description	ioc	Process
File created	C:\Windows\System\oEsUxwy.exe	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\RzErsCm.exe	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\kmiydiq.exe	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\SCcrIZB.exe	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vqcrMqZ.exe	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\bhUeRfW.exe	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\WVzZVex.exe	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xaLmAaN.exe	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NPYktbv.exe	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gTBPUiC.exe	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\VXXFeun.exe	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\xwskJmx.exe	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\KGouTMo.exe	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\JgodHzF.exe	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\nwDwGxN.exe	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QzSdaKt.exe	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iApyDlL.exe	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hDzYWUI.exe	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\BHXyzKm.exe	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\vEFhHIS.exe	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NPuzwDf.exe	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 4744	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2736 wrote to memory of 4744	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 2736 wrote to memory of 3308	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2736 wrote to memory of 3308	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 2736 wrote to memory of 756	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2736 wrote to memory of 756	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 2736 wrote to memory of 1112	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2736 wrote to memory of 1112	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 2736 wrote to memory of 3928	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2736 wrote to memory of 3928	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 2736 wrote to memory of 4128	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2736 wrote to memory of 4128	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 2736 wrote to memory of 4100	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2736 wrote to memory of 4100	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 2736 wrote to memory of 2536	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2736 wrote to memory of 2536	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 2736 wrote to memory of 4772	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2736 wrote to memory of 4772	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 2736 wrote to memory of 1876	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2736 wrote to memory of 1876	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 2736 wrote to memory of 3696	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2736 wrote to memory of 3696	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 2736 wrote to memory of 4688	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2736 wrote to memory of 4688	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 2736 wrote to memory of 4584	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2736 wrote to memory of 4584	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 2736 wrote to memory of 884	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2736 wrote to memory of 884	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 2736 wrote to memory of 4668	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2736 wrote to memory of 4668	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 2736 wrote to memory of 3476	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2736 wrote to memory of 3476	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	104
PID 2736 wrote to memory of 548	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2736 wrote to memory of 548	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	105
PID 2736 wrote to memory of 672	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2736 wrote to memory of 672	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	106
PID 2736 wrote to memory of 4412	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2736 wrote to memory of 4412	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	107
PID 2736 wrote to memory of 3256	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 2736 wrote to memory of 3256	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	109
PID 2736 wrote to memory of 4312	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	110
PID 2736 wrote to memory of 4312	2736	2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe	110

C:\Users\Admin\AppData\Local\Temp\2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-14_87bc4af00864ad0fcef1f6ebf31c7094_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\System\xwskJmx.exe
  C:\Windows\System\xwskJmx.exe
  2⤵
  - Executes dropped EXE
  PID:4744
- C:\Windows\System\NPuzwDf.exe
  C:\Windows\System\NPuzwDf.exe
  2⤵
  - Executes dropped EXE
  PID:3308
- C:\Windows\System\vqcrMqZ.exe
  C:\Windows\System\vqcrMqZ.exe
  2⤵
  - Executes dropped EXE
  PID:756
- C:\Windows\System\QzSdaKt.exe
  C:\Windows\System\QzSdaKt.exe
  2⤵
  - Executes dropped EXE
  PID:1112
- C:\Windows\System\oEsUxwy.exe
  C:\Windows\System\oEsUxwy.exe
  2⤵
  - Executes dropped EXE
  PID:3928
- C:\Windows\System\bhUeRfW.exe
  C:\Windows\System\bhUeRfW.exe
  2⤵
  - Executes dropped EXE
  PID:4128
- C:\Windows\System\WVzZVex.exe
  C:\Windows\System\WVzZVex.exe
  2⤵
  - Executes dropped EXE
  PID:4100
- C:\Windows\System\xaLmAaN.exe
  C:\Windows\System\xaLmAaN.exe
  2⤵
  - Executes dropped EXE
  PID:2536
- C:\Windows\System\KGouTMo.exe
  C:\Windows\System\KGouTMo.exe
  2⤵
  - Executes dropped EXE
  PID:4772
- C:\Windows\System\iApyDlL.exe
  C:\Windows\System\iApyDlL.exe
  2⤵
  - Executes dropped EXE
  PID:1876
- C:\Windows\System\NPYktbv.exe
  C:\Windows\System\NPYktbv.exe
  2⤵
  - Executes dropped EXE
  PID:3696
- C:\Windows\System\hDzYWUI.exe
  C:\Windows\System\hDzYWUI.exe
  2⤵
  - Executes dropped EXE
  PID:4688
- C:\Windows\System\BHXyzKm.exe
  C:\Windows\System\BHXyzKm.exe
  2⤵
  - Executes dropped EXE
  PID:4584
- C:\Windows\System\JgodHzF.exe
  C:\Windows\System\JgodHzF.exe
  2⤵
  - Executes dropped EXE
  PID:884
- C:\Windows\System\RzErsCm.exe
  C:\Windows\System\RzErsCm.exe
  2⤵
  - Executes dropped EXE
  PID:4668
- C:\Windows\System\gTBPUiC.exe
  C:\Windows\System\gTBPUiC.exe
  2⤵
  - Executes dropped EXE
  PID:3476
- C:\Windows\System\kmiydiq.exe
  C:\Windows\System\kmiydiq.exe
  2⤵
  - Executes dropped EXE
  PID:548
- C:\Windows\System\VXXFeun.exe
  C:\Windows\System\VXXFeun.exe
  2⤵
  - Executes dropped EXE
  PID:672
- C:\Windows\System\vEFhHIS.exe
  C:\Windows\System\vEFhHIS.exe
  2⤵
  - Executes dropped EXE
  PID:4412
- C:\Windows\System\nwDwGxN.exe
  C:\Windows\System\nwDwGxN.exe
  2⤵
  - Executes dropped EXE
  PID:3256
- C:\Windows\System\SCcrIZB.exe
  C:\Windows\System\SCcrIZB.exe
  2⤵
  - Executes dropped EXE
  PID:4312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\BHXyzKm.exe

Filesize
5.9MB

MD5
b2b08dfc295418f74e99d4ea7f828c7b

SHA1
f88e27b3c6da4ac575d29ff2aeab29b217ce9f74

SHA256
d565b8504cff898a98e696a195a1ec529c2d3ee957ba969d7cd44f40c2f9ec37

SHA512
79e7842b36f54c4570608343495d7e713c96632f018ec9bb509c64102c9ff0fe1330a4946ff23cbcc8c22a28e7f6f17b96332bf32e3041e70ccb338c42e178cb

Download Submit
C:\Windows\System\JgodHzF.exe

Filesize
5.9MB

MD5
a8b538583fe13d9a9dc284cfe226fa9c

SHA1
27306def583513d0ee77c47d0e05e5c6edf4b2e8

SHA256
be0d60f90a63d284e6b4e5c7a8119a9c7073e5ae3de8e5a86d5835a8b5bd631a

SHA512
65c77e2c9434650a55cde40feaf89b7e4af3966cdb98cd25d1cf360cbd43cfbf5559d6c37f6e5ebca53044208fb9985ca9a6aa93356c6b741d82c04bb7534edc

Download Submit
C:\Windows\System\KGouTMo.exe

Filesize
5.9MB

MD5
ed594760cc709a7e33d50f221f22fe89

SHA1
8e2138a9319aeca764b2d951451445614116cef1

SHA256
3fe17d9f249786710109e22febf79f37e4c50d2fde440aaba1eaa51d5fd49439

SHA512
8d22a4741ebf6659accb06001493e7a8995c22e2af681d322909a685647f6c3eb9570d31b56f3ccb3060e970e612e8d9d8226047f4fe22eb714c0ac8f629a4cb

Download Submit
C:\Windows\System\NPYktbv.exe

Filesize
5.9MB

MD5
93da4890537f54580ee0e33c2c9f3651

SHA1
91b72c7e3261b08bab56806afb42b4e24f7cdbb8

SHA256
c4b33b1f48bfb2ef4d19ee89cdb53a4aaa4fc82a0561527b6f694661f4eef012

SHA512
09e05c50cb20412c6568d5c4bf9173bc144bcfa6195e1de328841837f1d0cbb9f3465ff308dc078e47413e9dc9c80142ee747e634a44a870f4c54bb62e81e411

Download Submit
C:\Windows\System\NPuzwDf.exe

Filesize
5.9MB

MD5
e5e7cb9b11d0f6aaffeebe8c656d2e8c

SHA1
80ec1085ee46c3eb8f4ea23b5d96091f1f4134e9

SHA256
08963f14fca688f983097850b6fa162f85f0d2b3842424e366c0f7040008b0c2

SHA512
689d866b90a69f9b7c1b50385b64352a8ae6d7b0c93c539aabcc125670de9cb72872cce553a338222a95126cb877264a65cbabff796822abf538c6d7410eb63c

Download Submit
C:\Windows\System\QzSdaKt.exe

Filesize
5.9MB

MD5
35eff043b2a32136b02b660bc499e639

SHA1
1be52c17383154b69538bc1a25b39d30df07a0bd

SHA256
5297be04a45e6a0f54dc691ea036db71e4abef3826edfb3166ebe74bf3a86356

SHA512
12391d87b303d450fa2be0d2f198081048918d2bf2518f42a1fca1e46999b85c971453bf2d3146075d92972485ad11f45e5b37ea9433a3de18b855dc60c568c7

Download Submit
C:\Windows\System\RzErsCm.exe

Filesize
5.9MB

MD5
67d789c000802e62a89c8f74e94ac0b1

SHA1
04fa3081110d20a779b8a03ab55d3d7385773f73

SHA256
d9f72e6a4da769cb0456e4bf01af84b7d6adbf1df622863ee456c38f67c715ef

SHA512
aa19c2e0f4f00d04d5d2ea75303f68c6f08cba90635c2498cdf2432e67d2e707e5688a5b2cb36a66cb765a08407cd8b023b7f7581680878375104dc092f1d49e

Download Submit
C:\Windows\System\SCcrIZB.exe

Filesize
5.9MB

MD5
d7654008564584bba1355cc4c4c5cb50

SHA1
88777ff3d8daa01f95fd2a8c9727bb81d66a9208

SHA256
8e81be28ca7f4ffbdcbb77448693da20102d680cf1164b66fa1a562e354fcc6e

SHA512
787de2a90dfadffdd7911cd42aacd5c5f38a6c4baa79343b16810b0a6a1857e3ae40572562f586e9516b7d745924dfc34dc633050b02f262f4034889989215a8

Download Submit
C:\Windows\System\VXXFeun.exe

Filesize
5.9MB

MD5
6b319993ca73d6de727ba56322332889

SHA1
9bd9a52a89bf646353fbdf17b6ddbbf960bf1409

SHA256
5d95f1f5ecd53d37bb5ca869a6fc2ca6478987b641c243bcba2b93137731a8a2

SHA512
b86a0334728cb031fca746338c76e4a8b61543189f3ed4c28e0399f888ca330d1fb202dbf42393f846b118a6cfae2acdc58ad74620e1a991316a441ed0e19b9d

Download Submit
C:\Windows\System\WVzZVex.exe

Filesize
5.9MB

MD5
756bbdcf7ed83923a5ef2714b5cec4e1

SHA1
b13f520bc645aa6eccdcc565b99c1eb0592bf708

SHA256
743f5fcde019b6643c3db037784a75063cf5d7e81c2a4b64f7dc04c3e968b7c8

SHA512
a83a7d3b9597b2cae1010c8fbf87f1b697026af8b9b28b20dce88cfbf1528d6350956adf84762ac35e2b553c2a9d66abf7b800a818b99559eafe26697811512c

Download Submit
C:\Windows\System\bhUeRfW.exe

Filesize
5.9MB

MD5
3a92eda1ecbc4770ccfcedfdfdc5a589

SHA1
5c0359a3960c2d578250472f605eb82ef46acdfd

SHA256
55a345904d433e023bc28acf82507dc395505a2dcd8f5014692b560917d95294

SHA512
a2a03336828fe1f2144aae8f609b65788e652a47e4e5716b354d733edbac3dc301357b35656b2d9f62cf21c3e35270d0adc3354be273d43d731dbba6a6320c81

Download Submit
C:\Windows\System\gTBPUiC.exe

Filesize
5.9MB

MD5
58f5d06f5a49cc4c5ccc70b24f9c2309

SHA1
18f0b766ee804c5841b4e0a43529152bc4a8a4b1

SHA256
192890811e14a3d23a7ecc8173796f77d76dfb98184e22e17722851946158c0f

SHA512
5bba6dd466452ed10a050e9d67795b6c85b7fb387286966aa56fd0cdbf345db2b32bf0a14437d03d63c145e9b2840d1ae7b1560b018b3a5b72d27715867cdd0f

Download Submit
C:\Windows\System\hDzYWUI.exe

Filesize
5.9MB

MD5
5e34e50d32cea15e36cc7d66728ccd0d

SHA1
07ae83c16eee74a8d99df3fdc260b48e8fffbbc4

SHA256
a1d83bba777d2d18082d59b38a3d23176a516b4964596ee3d23e64a6a28739ac

SHA512
55d8a4444da3050239e4aeb351b98a50ffadadf41358b7715a96d243d2ee4d361df5baa3d9ad312e420527294617cd08606292ed2f15cfcddbab9854f2da3cac

Download Submit
C:\Windows\System\iApyDlL.exe

Filesize
5.9MB

MD5
a1206093b68c5bada07aa8b28d22ed80

SHA1
db3cfcb6661a333bce328a7e5e8b04c3f679cd95

SHA256
faf960b738089b472fde7ab9e6fa3d7532fe977c1c772ff348a9ceedf297067d

SHA512
a6e29bb944bbcee7597ed57c4d85dbadbd55d33dc9aed139ef3228c972f5ae5a59150a7f489cdd0359fbeab5860b9aa07ebdeafb233558a4681e0105a0586970

Download Submit
C:\Windows\System\kmiydiq.exe

Filesize
5.9MB

MD5
0e31372bba0abe12825430bcf425e0ac

SHA1
0f094f3c61b53e06b8a0f82bcbffdf5bec90b72a

SHA256
58d5ddfbec3354c24130fcb3c03cf483fd81009f1d4c787de1c83f04792a7b25

SHA512
8e0aef7a732075dcae9e045226e49dfbe5f33f4a3c6733fb4450ddcdce7e391c5810e4b28e014e94690369ec9ddfffd420291b91dbea63efe3b6d565cc0363e2

Download Submit
C:\Windows\System\nwDwGxN.exe

Filesize
5.9MB

MD5
5376cf0623e2316d805dd6f0b81622fd

SHA1
1c0c638e658996c30f7ba89e9b9bc659863897a6

SHA256
fc9385529d766aec57268cf70359a3b62ffb71f0e1a129f7381937d3528eb56f

SHA512
fe22de7b2bec3e517c7f571a5a86138a6d98555f1a1f660e93c8491d190767ad6e9e1a41e09b65b8fdc8f9cbd0ecf99bec7f69ce3157a9b5c81699397af8cc95

Download Submit
C:\Windows\System\oEsUxwy.exe

Filesize
5.9MB

MD5
54e18e145cd71b9f38f38deb514987f9

SHA1
a15c019eb19a0273d478d21eebd7975f0a3820ed

SHA256
980ee2e4bf1a30f3a8c40d6860ebfc297dfa3e582c1a4960760354d1013928a7

SHA512
eeaa89f5142ce603f66503b94d57b500dc51a38e69fb1070056d2a48784242a584e65371f14f8afd2949e4e6246b2e7d1d7452f2d2bce4f6e9dd71dd11da89bf

Download Submit
C:\Windows\System\vEFhHIS.exe

Filesize
5.9MB

MD5
ab2e0e70c87b7c34acc105b48ff52ca6

SHA1
f85929da5558419560102bbb7c051eeb4773e0f5

SHA256
5ee7ac9205ea52b2dc94cede6104a78fe5e74f55e4b3e123c85c84b98c5ec47b

SHA512
ef76c2813d962d190506cdde1ba0a30e1dc41eca4500095843d72397e1ab7cdd50c6355a8db9a9ac284d5c77034b0142c97cc3c39c8cbbb28ad0c82008e4850d

Download Submit
C:\Windows\System\vqcrMqZ.exe

Filesize
5.9MB

MD5
5ff7f8a4e7864b4adf4395304ca8658e

SHA1
1f272acecd89613d25bdff7093dac862cabb0875

SHA256
b906f2c07759448bc6154984d521b1f3cd7a3a0be088ceecef38306fa91bd824

SHA512
66246c3b4eda6e963c333c41526452014af205733715820b1d79477a8104d0a0ab3e961b2dd0e84f37446a89072605a648e1e64a0c483ff43062dc5ee366daea

Download Submit
C:\Windows\System\xaLmAaN.exe

Filesize
5.9MB

MD5
cb232c8b1b4b87762be4bce0e788dc03

SHA1
352fa79fd207e4594da55eaf239bb53b3471239f

SHA256
ae3532435dabfe23693b3d63417f3ad8b7dcb33e0f0d856b875afd7f8614d976

SHA512
b21062096e85a172c6fd6cad3be0fe9c65d13edeb2b92d5b43c7b99a3bcbce59bba9daa4b4164145d24d2dba0d6f139755756d2f32f8b2b3052c95ae83961df3

Download Submit
C:\Windows\System\xwskJmx.exe

Filesize
5.9MB

MD5
12032823235ce7c3058943f4218a0b5a

SHA1
5733188e339a3447f51b0f088754f103bb0c7cca

SHA256
b157ebb5221b8d18554f6a7087a32b8917e3a1d170b310b439acfa0a91ee854e

SHA512
a589817fe77b8c9838beee43c356a5962bb2e2477081d22d21bb11b59fe6e321aa2d60849993639c9f53ca65c225d11172efc4e28845699ae210d83a6176d2cb

Download Submit
memory/548-161-0x00007FF7B1430000-0x00007FF7B1784000-memory.dmp

Filesize
3.3MB

Download
memory/548-114-0x00007FF7B1430000-0x00007FF7B1784000-memory.dmp

Filesize
3.3MB

Download
memory/672-141-0x00007FF665A70000-0x00007FF665DC4000-memory.dmp

Filesize
3.3MB

Download
memory/672-163-0x00007FF665A70000-0x00007FF665DC4000-memory.dmp

Filesize
3.3MB

Download
memory/672-118-0x00007FF665A70000-0x00007FF665DC4000-memory.dmp

Filesize
3.3MB

Download
memory/756-147-0x00007FF6B6080000-0x00007FF6B63D4000-memory.dmp

Filesize
3.3MB

Download
memory/756-19-0x00007FF6B6080000-0x00007FF6B63D4000-memory.dmp

Filesize
3.3MB

Download
memory/756-90-0x00007FF6B6080000-0x00007FF6B63D4000-memory.dmp

Filesize
3.3MB

Download
memory/884-139-0x00007FF7A72A0000-0x00007FF7A75F4000-memory.dmp

Filesize
3.3MB

Download
memory/884-157-0x00007FF7A72A0000-0x00007FF7A75F4000-memory.dmp

Filesize
3.3MB

Download
memory/884-86-0x00007FF7A72A0000-0x00007FF7A75F4000-memory.dmp

Filesize
3.3MB

Download
memory/1112-24-0x00007FF6A6D10000-0x00007FF6A7064000-memory.dmp

Filesize
3.3MB

Download
memory/1112-98-0x00007FF6A6D10000-0x00007FF6A7064000-memory.dmp

Filesize
3.3MB

Download
memory/1112-148-0x00007FF6A6D10000-0x00007FF6A7064000-memory.dmp

Filesize
3.3MB

Download
memory/1876-154-0x00007FF7EF660000-0x00007FF7EF9B4000-memory.dmp

Filesize
3.3MB

Download
memory/1876-65-0x00007FF7EF660000-0x00007FF7EF9B4000-memory.dmp

Filesize
3.3MB

Download
memory/2536-61-0x00007FF687980000-0x00007FF687CD4000-memory.dmp

Filesize
3.3MB

Download
memory/2536-152-0x00007FF687980000-0x00007FF687CD4000-memory.dmp

Filesize
3.3MB

Download
memory/2736-66-0x00007FF62C910000-0x00007FF62CC64000-memory.dmp

Filesize
3.3MB

Download
memory/2736-0-0x00007FF62C910000-0x00007FF62CC64000-memory.dmp

Filesize
3.3MB

Download
memory/2736-1-0x0000024F730B0000-0x0000024F730C0000-memory.dmp

Filesize
64KB

Download
memory/3256-129-0x00007FF614950000-0x00007FF614CA4000-memory.dmp

Filesize
3.3MB

Download
memory/3256-143-0x00007FF614950000-0x00007FF614CA4000-memory.dmp

Filesize
3.3MB

Download
memory/3256-164-0x00007FF614950000-0x00007FF614CA4000-memory.dmp

Filesize
3.3MB

Download
memory/3308-146-0x00007FF7128D0000-0x00007FF712C24000-memory.dmp

Filesize
3.3MB

Download
memory/3308-14-0x00007FF7128D0000-0x00007FF712C24000-memory.dmp

Filesize
3.3MB

Download
memory/3308-80-0x00007FF7128D0000-0x00007FF712C24000-memory.dmp

Filesize
3.3MB

Download
memory/3476-160-0x00007FF748080000-0x00007FF7483D4000-memory.dmp

Filesize
3.3MB

Download
memory/3476-108-0x00007FF748080000-0x00007FF7483D4000-memory.dmp

Filesize
3.3MB

Download
memory/3476-140-0x00007FF748080000-0x00007FF7483D4000-memory.dmp

Filesize
3.3MB

Download
memory/3696-155-0x00007FF727D70000-0x00007FF7280C4000-memory.dmp

Filesize
3.3MB

Download
memory/3696-69-0x00007FF727D70000-0x00007FF7280C4000-memory.dmp

Filesize
3.3MB

Download
memory/3696-128-0x00007FF727D70000-0x00007FF7280C4000-memory.dmp

Filesize
3.3MB

Download
memory/3928-149-0x00007FF723600000-0x00007FF723954000-memory.dmp

Filesize
3.3MB

Download
memory/3928-27-0x00007FF723600000-0x00007FF723954000-memory.dmp

Filesize
3.3MB

Download
memory/3928-103-0x00007FF723600000-0x00007FF723954000-memory.dmp

Filesize
3.3MB

Download
memory/4100-111-0x00007FF63E210000-0x00007FF63E564000-memory.dmp

Filesize
3.3MB

Download
memory/4100-53-0x00007FF63E210000-0x00007FF63E564000-memory.dmp

Filesize
3.3MB

Download
memory/4100-151-0x00007FF63E210000-0x00007FF63E564000-memory.dmp

Filesize
3.3MB

Download
memory/4128-150-0x00007FF6A3CB0000-0x00007FF6A4004000-memory.dmp

Filesize
3.3MB

Download
memory/4128-36-0x00007FF6A3CB0000-0x00007FF6A4004000-memory.dmp

Filesize
3.3MB

Download
memory/4128-110-0x00007FF6A3CB0000-0x00007FF6A4004000-memory.dmp

Filesize
3.3MB

Download
memory/4312-165-0x00007FF7C87E0000-0x00007FF7C8B34000-memory.dmp

Filesize
3.3MB

Download
memory/4312-144-0x00007FF7C87E0000-0x00007FF7C8B34000-memory.dmp

Filesize
3.3MB

Download
memory/4312-135-0x00007FF7C87E0000-0x00007FF7C8B34000-memory.dmp

Filesize
3.3MB

Download
memory/4412-122-0x00007FF6A6E70000-0x00007FF6A71C4000-memory.dmp

Filesize
3.3MB

Download
memory/4412-162-0x00007FF6A6E70000-0x00007FF6A71C4000-memory.dmp

Filesize
3.3MB

Download
memory/4412-142-0x00007FF6A6E70000-0x00007FF6A71C4000-memory.dmp

Filesize
3.3MB

Download
memory/4584-138-0x00007FF68D820000-0x00007FF68DB74000-memory.dmp

Filesize
3.3MB

Download
memory/4584-81-0x00007FF68D820000-0x00007FF68DB74000-memory.dmp

Filesize
3.3MB

Download
memory/4584-158-0x00007FF68D820000-0x00007FF68DB74000-memory.dmp

Filesize
3.3MB

Download
memory/4668-100-0x00007FF6405E0000-0x00007FF640934000-memory.dmp

Filesize
3.3MB

Download
memory/4668-159-0x00007FF6405E0000-0x00007FF640934000-memory.dmp

Filesize
3.3MB

Download
memory/4688-74-0x00007FF71CE60000-0x00007FF71D1B4000-memory.dmp

Filesize
3.3MB

Download
memory/4688-134-0x00007FF71CE60000-0x00007FF71D1B4000-memory.dmp

Filesize
3.3MB

Download
memory/4688-156-0x00007FF71CE60000-0x00007FF71D1B4000-memory.dmp

Filesize
3.3MB

Download
memory/4744-73-0x00007FF7DF9A0000-0x00007FF7DFCF4000-memory.dmp

Filesize
3.3MB

Download
memory/4744-145-0x00007FF7DF9A0000-0x00007FF7DFCF4000-memory.dmp

Filesize
3.3MB

Download
memory/4744-7-0x00007FF7DF9A0000-0x00007FF7DFCF4000-memory.dmp

Filesize
3.3MB

Download
memory/4772-58-0x00007FF7A4920000-0x00007FF7A4C74000-memory.dmp

Filesize
3.3MB

Download
memory/4772-153-0x00007FF7A4920000-0x00007FF7A4C74000-memory.dmp

Filesize
3.3MB

Download