cobaltstrike | afcda3850c50b8399fa32b11cc6b0ba797573b74a330bd37270282cf647ef08d

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-11-2024 01:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe
Size

5.2MB
MD5

455f65ae3c93ffc33301cdb091a6eaee
SHA1

f632952563c1262f81fd14699b8479b7d6c7fe40
SHA256

afcda3850c50b8399fa32b11cc6b0ba797573b74a330bd37270282cf647ef08d
SHA512

a4dbfbee11755a1d4e4933aff79060e939cd8c34b516a11e4d0c78a397858c95500d3308805d6c4b7c4a610d60ca8ba704fe6602ee01c5efa309c53f5518631d
SSDEEP

49152:ROdWCCi7/ras56uL3pgrCEdMKPFotsgEBr6GjvzW+UBA3Gd7po52xWKQY2v2V6lH:RWWBibf56utgpPFotBER/mQ32lU7

Score

10^/10

cobaltstrike xmrig 0 backdoor miner trojan upx

Malware Config

Extracted

Family

cobaltstrike

Botnet

http://ns7.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns8.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

http://ns9.softline.top:443/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books

Attributes

access_type
512
beacon_type
256
create_remote_thread
768
crypto_scheme
256
host
ns7.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns8.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books,ns9.softline.top,/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books
http_header1
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAUSG9zdDogd3d3LmFtYXpvbi5jb20AAAAHAAAAAAAAAAMAAAACAAAADnNlc3Npb24tdG9rZW49AAAAAgAAAAxza2luPW5vc2tpbjsAAAABAAAALGNzbS1oaXQ9cy0yNEtVMTFCQjgyUlpTWUdKM0JES3wxNDE5ODk5MDEyOTk2AAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
http_header2
AAAACgAAAAtBY2NlcHQ6ICovKgAAAAoAAAAWQ29udGVudC1UeXBlOiB0ZXh0L3htbAAAAAoAAAAgWC1SZXF1ZXN0ZWQtV2l0aDogWE1MSHR0cFJlcXVlc3QAAAAKAAAAFEhvc3Q6IHd3dy5hbWF6b24uY29tAAAACQAAAApzej0xNjB4NjAwAAAACQAAABFvZT1vZT1JU08tODg1OS0xOwAAAAcAAAAAAAAABQAAAAJzbgAAAAkAAAAGcz0zNzE3AAAACQAAACJkY19yZWY9aHR0cCUzQSUyRiUyRnd3dy5hbWF6b24uY29tAAAABwAAAAEAAAADAAAABAAAAAAAAA==
http_method1
GET
http_method2
POST
maxdns
255
pipe_name
\\%s\pipe\msagent_%x
polling_time
5000
port_number
443
sc_process32
%windir%\syswow64\rundll32.exe
sc_process64
%windir%\sysnative\rundll32.exe
state_machine
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDI579oVVII0cYncGonU6vTWyFhqmq8w5QwvI8qsoWeV68Ngy+MjNPX2crcSVVWKQ3j09FII28KTmoE1XFVjEXF3WytRSlDe1OKfOAHX3XYkS9LcUAy0eRl2h4a73hrg1ir/rpisNT6hHtYaK3tmH8DgW/n1XfTfbWk1MZ7cXQHWQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
unknown1
4096
unknown2
AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==
uri
/N4215/adj/amzn.us.sr.aps
user_agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
watermark
0

Signatures

Cobalt Strike reflective loader 21 IoCs

Detects the reflective loader used by Cobalt Strike.

Processes:

resource	yara_rule
behavioral2/files/0x0008000000023c5f-5.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c64-9.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c65-27.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c68-42.dat	cobalt_reflective_dll
behavioral2/files/0x0008000000023c60-71.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c72-114.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c75-123.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c74-120.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c73-117.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c71-109.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6e-107.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c70-105.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6d-85.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6f-83.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6c-82.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6a-63.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c6b-64.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c69-62.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c67-39.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c66-33.dat	cobalt_reflective_dll
behavioral2/files/0x0007000000023c63-16.dat	cobalt_reflective_dll

Cobaltstrike
Detected malicious payload which is part of Cobaltstrike.
trojan backdoor cobaltstrike
Cobaltstrike family
cobaltstrike
Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 46 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/2940-128-0x00007FF702250000-0x00007FF7025A1000-memory.dmp	xmrig
behavioral2/memory/1108-127-0x00007FF782550000-0x00007FF7828A1000-memory.dmp	xmrig
behavioral2/memory/3132-126-0x00007FF6C3FF0000-0x00007FF6C4341000-memory.dmp	xmrig
behavioral2/memory/1352-125-0x00007FF6BADE0000-0x00007FF6BB131000-memory.dmp	xmrig
behavioral2/memory/4064-119-0x00007FF758F60000-0x00007FF7592B1000-memory.dmp	xmrig
behavioral2/memory/5116-113-0x00007FF637590000-0x00007FF6378E1000-memory.dmp	xmrig
behavioral2/memory/4640-97-0x00007FF68AA80000-0x00007FF68ADD1000-memory.dmp	xmrig
behavioral2/memory/1352-129-0x00007FF6BADE0000-0x00007FF6BB131000-memory.dmp	xmrig
behavioral2/memory/4940-134-0x00007FF7618D0000-0x00007FF761C21000-memory.dmp	xmrig
behavioral2/memory/5080-135-0x00007FF69FF30000-0x00007FF6A0281000-memory.dmp	xmrig
behavioral2/memory/232-139-0x00007FF6D8FF0000-0x00007FF6D9341000-memory.dmp	xmrig
behavioral2/memory/1644-138-0x00007FF749A70000-0x00007FF749DC1000-memory.dmp	xmrig
behavioral2/memory/968-137-0x00007FF7F49D0000-0x00007FF7F4D21000-memory.dmp	xmrig
behavioral2/memory/1884-133-0x00007FF7A86E0000-0x00007FF7A8A31000-memory.dmp	xmrig
behavioral2/memory/4492-132-0x00007FF793260000-0x00007FF7935B1000-memory.dmp	xmrig
behavioral2/memory/5020-130-0x00007FF7BE9F0000-0x00007FF7BED41000-memory.dmp	xmrig
behavioral2/memory/4424-136-0x00007FF790140000-0x00007FF790491000-memory.dmp	xmrig
behavioral2/memory/4380-141-0x00007FF7E5CD0000-0x00007FF7E6021000-memory.dmp	xmrig
behavioral2/memory/4800-149-0x00007FF7C8180000-0x00007FF7C84D1000-memory.dmp	xmrig
behavioral2/memory/800-145-0x00007FF6E0440000-0x00007FF6E0791000-memory.dmp	xmrig
behavioral2/memory/4640-144-0x00007FF68AA80000-0x00007FF68ADD1000-memory.dmp	xmrig
behavioral2/memory/2344-143-0x00007FF794780000-0x00007FF794AD1000-memory.dmp	xmrig
behavioral2/memory/4880-142-0x00007FF68CC40000-0x00007FF68CF91000-memory.dmp	xmrig
behavioral2/memory/636-131-0x00007FF76D320000-0x00007FF76D671000-memory.dmp	xmrig
behavioral2/memory/1352-151-0x00007FF6BADE0000-0x00007FF6BB131000-memory.dmp	xmrig
behavioral2/memory/5020-211-0x00007FF7BE9F0000-0x00007FF7BED41000-memory.dmp	xmrig
behavioral2/memory/636-213-0x00007FF76D320000-0x00007FF76D671000-memory.dmp	xmrig
behavioral2/memory/4492-215-0x00007FF793260000-0x00007FF7935B1000-memory.dmp	xmrig
behavioral2/memory/1884-217-0x00007FF7A86E0000-0x00007FF7A8A31000-memory.dmp	xmrig
behavioral2/memory/4940-219-0x00007FF7618D0000-0x00007FF761C21000-memory.dmp	xmrig
behavioral2/memory/5080-221-0x00007FF69FF30000-0x00007FF6A0281000-memory.dmp	xmrig
behavioral2/memory/4424-223-0x00007FF790140000-0x00007FF790491000-memory.dmp	xmrig
behavioral2/memory/968-232-0x00007FF7F49D0000-0x00007FF7F4D21000-memory.dmp	xmrig
behavioral2/memory/1644-234-0x00007FF749A70000-0x00007FF749DC1000-memory.dmp	xmrig
behavioral2/memory/232-236-0x00007FF6D8FF0000-0x00007FF6D9341000-memory.dmp	xmrig
behavioral2/memory/3132-240-0x00007FF6C3FF0000-0x00007FF6C4341000-memory.dmp	xmrig
behavioral2/memory/4380-239-0x00007FF7E5CD0000-0x00007FF7E6021000-memory.dmp	xmrig
behavioral2/memory/4880-244-0x00007FF68CC40000-0x00007FF68CF91000-memory.dmp	xmrig
behavioral2/memory/4640-243-0x00007FF68AA80000-0x00007FF68ADD1000-memory.dmp	xmrig
behavioral2/memory/4064-254-0x00007FF758F60000-0x00007FF7592B1000-memory.dmp	xmrig
behavioral2/memory/4800-252-0x00007FF7C8180000-0x00007FF7C84D1000-memory.dmp	xmrig
behavioral2/memory/2344-258-0x00007FF794780000-0x00007FF794AD1000-memory.dmp	xmrig
behavioral2/memory/800-257-0x00007FF6E0440000-0x00007FF6E0791000-memory.dmp	xmrig
behavioral2/memory/2940-256-0x00007FF702250000-0x00007FF7025A1000-memory.dmp	xmrig
behavioral2/memory/5116-250-0x00007FF637590000-0x00007FF6378E1000-memory.dmp	xmrig
behavioral2/memory/1108-248-0x00007FF782550000-0x00007FF7828A1000-memory.dmp	xmrig

Executes dropped EXE 21 IoCs

Processes:

cgibjBN.exesQVaZOO.exeenpqkHk.exeApcMHBz.execffucdt.exeNmZNQtB.exeHAbhrIu.exeauKcwPv.exeoXXybrZ.exegTnUUUO.execbQkNMg.exewVmOGCF.exehZzewzh.exeXotFhdX.exeiWRFnHY.exeliPPgXZ.exeeIiKOyj.exeQDqwzpM.exeExlsjtW.exegokCmZS.exepSTeRSF.exe

pid	Process
5020	cgibjBN.exe
636	sQVaZOO.exe
4492	enpqkHk.exe
1884	ApcMHBz.exe
4940	cffucdt.exe
5080	NmZNQtB.exe
4424	HAbhrIu.exe
1644	auKcwPv.exe
968	oXXybrZ.exe
232	gTnUUUO.exe
4380	cbQkNMg.exe
4880	wVmOGCF.exe
3132	hZzewzh.exe
4640	XotFhdX.exe
800	iWRFnHY.exe
2344	liPPgXZ.exe
5116	eIiKOyj.exe
1108	QDqwzpM.exe
4064	ExlsjtW.exe
4800	gokCmZS.exe
2940	pSTeRSF.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1352-0-0x00007FF6BADE0000-0x00007FF6BB131000-memory.dmp	upx
behavioral2/files/0x0008000000023c5f-5.dat	upx
behavioral2/memory/5020-7-0x00007FF7BE9F0000-0x00007FF7BED41000-memory.dmp	upx
behavioral2/files/0x0007000000023c64-9.dat	upx
behavioral2/memory/636-15-0x00007FF76D320000-0x00007FF76D671000-memory.dmp	upx
behavioral2/files/0x0007000000023c65-27.dat	upx
behavioral2/memory/4940-32-0x00007FF7618D0000-0x00007FF761C21000-memory.dmp	upx
behavioral2/files/0x0007000000023c68-42.dat	upx
behavioral2/memory/232-57-0x00007FF6D8FF0000-0x00007FF6D9341000-memory.dmp	upx
behavioral2/files/0x0008000000023c60-71.dat	upx
behavioral2/memory/4880-75-0x00007FF68CC40000-0x00007FF68CF91000-memory.dmp	upx
behavioral2/memory/800-103-0x00007FF6E0440000-0x00007FF6E0791000-memory.dmp	upx
behavioral2/files/0x0007000000023c72-114.dat	upx
behavioral2/files/0x0007000000023c75-123.dat	upx
behavioral2/memory/2940-128-0x00007FF702250000-0x00007FF7025A1000-memory.dmp	upx
behavioral2/memory/1108-127-0x00007FF782550000-0x00007FF7828A1000-memory.dmp	upx
behavioral2/memory/3132-126-0x00007FF6C3FF0000-0x00007FF6C4341000-memory.dmp	upx
behavioral2/memory/1352-125-0x00007FF6BADE0000-0x00007FF6BB131000-memory.dmp	upx
behavioral2/memory/4800-122-0x00007FF7C8180000-0x00007FF7C84D1000-memory.dmp	upx
behavioral2/files/0x0007000000023c74-120.dat	upx
behavioral2/memory/4064-119-0x00007FF758F60000-0x00007FF7592B1000-memory.dmp	upx
behavioral2/files/0x0007000000023c73-117.dat	upx
behavioral2/memory/5116-113-0x00007FF637590000-0x00007FF6378E1000-memory.dmp	upx
behavioral2/memory/2344-112-0x00007FF794780000-0x00007FF794AD1000-memory.dmp	upx
behavioral2/files/0x0007000000023c71-109.dat	upx
behavioral2/files/0x0007000000023c6e-107.dat	upx
behavioral2/memory/4640-97-0x00007FF68AA80000-0x00007FF68ADD1000-memory.dmp	upx
behavioral2/memory/4380-95-0x00007FF7E5CD0000-0x00007FF7E6021000-memory.dmp	upx
behavioral2/files/0x0007000000023c70-105.dat	upx
behavioral2/files/0x0007000000023c6d-85.dat	upx
behavioral2/files/0x0007000000023c6f-83.dat	upx
behavioral2/files/0x0007000000023c6c-82.dat	upx
behavioral2/files/0x0007000000023c6a-63.dat	upx
behavioral2/memory/1644-72-0x00007FF749A70000-0x00007FF749DC1000-memory.dmp	upx
behavioral2/files/0x0007000000023c6b-64.dat	upx
behavioral2/files/0x0007000000023c69-62.dat	upx
behavioral2/memory/968-54-0x00007FF7F49D0000-0x00007FF7F4D21000-memory.dmp	upx
behavioral2/memory/4424-46-0x00007FF790140000-0x00007FF790491000-memory.dmp	upx
behavioral2/files/0x0007000000023c67-39.dat	upx
behavioral2/memory/5080-37-0x00007FF69FF30000-0x00007FF6A0281000-memory.dmp	upx
behavioral2/files/0x0007000000023c66-33.dat	upx
behavioral2/memory/1884-29-0x00007FF7A86E0000-0x00007FF7A8A31000-memory.dmp	upx
behavioral2/memory/4492-17-0x00007FF793260000-0x00007FF7935B1000-memory.dmp	upx
behavioral2/files/0x0007000000023c63-16.dat	upx
behavioral2/memory/1352-129-0x00007FF6BADE0000-0x00007FF6BB131000-memory.dmp	upx
behavioral2/memory/4940-134-0x00007FF7618D0000-0x00007FF761C21000-memory.dmp	upx
behavioral2/memory/5080-135-0x00007FF69FF30000-0x00007FF6A0281000-memory.dmp	upx
behavioral2/memory/232-139-0x00007FF6D8FF0000-0x00007FF6D9341000-memory.dmp	upx
behavioral2/memory/1644-138-0x00007FF749A70000-0x00007FF749DC1000-memory.dmp	upx
behavioral2/memory/968-137-0x00007FF7F49D0000-0x00007FF7F4D21000-memory.dmp	upx
behavioral2/memory/1884-133-0x00007FF7A86E0000-0x00007FF7A8A31000-memory.dmp	upx
behavioral2/memory/4492-132-0x00007FF793260000-0x00007FF7935B1000-memory.dmp	upx
behavioral2/memory/5020-130-0x00007FF7BE9F0000-0x00007FF7BED41000-memory.dmp	upx
behavioral2/memory/4424-136-0x00007FF790140000-0x00007FF790491000-memory.dmp	upx
behavioral2/memory/4380-141-0x00007FF7E5CD0000-0x00007FF7E6021000-memory.dmp	upx
behavioral2/memory/4800-149-0x00007FF7C8180000-0x00007FF7C84D1000-memory.dmp	upx
behavioral2/memory/800-145-0x00007FF6E0440000-0x00007FF6E0791000-memory.dmp	upx
behavioral2/memory/4640-144-0x00007FF68AA80000-0x00007FF68ADD1000-memory.dmp	upx
behavioral2/memory/2344-143-0x00007FF794780000-0x00007FF794AD1000-memory.dmp	upx
behavioral2/memory/4880-142-0x00007FF68CC40000-0x00007FF68CF91000-memory.dmp	upx
behavioral2/memory/636-131-0x00007FF76D320000-0x00007FF76D671000-memory.dmp	upx
behavioral2/memory/1352-151-0x00007FF6BADE0000-0x00007FF6BB131000-memory.dmp	upx
behavioral2/memory/5020-211-0x00007FF7BE9F0000-0x00007FF7BED41000-memory.dmp	upx
behavioral2/memory/636-213-0x00007FF76D320000-0x00007FF76D671000-memory.dmp	upx

Drops file in Windows directory 21 IoCs

Processes:

2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe

description	ioc	Process
File created	C:\Windows\System\enpqkHk.exe	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\HAbhrIu.exe	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\hZzewzh.exe	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\liPPgXZ.exe	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\eIiKOyj.exe	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\pSTeRSF.exe	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\iWRFnHY.exe	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\QDqwzpM.exe	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ApcMHBz.exe	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cffucdt.exe	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\oXXybrZ.exe	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cbQkNMg.exe	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\wVmOGCF.exe	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\XotFhdX.exe	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gokCmZS.exe	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\cgibjBN.exe	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\sQVaZOO.exe	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\NmZNQtB.exe	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\auKcwPv.exe	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\gTnUUUO.exe	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe
File created	C:\Windows\System\ExlsjtW.exe	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process
Token: SeLockMemoryPrivilege	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe
Token: SeLockMemoryPrivilege	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe

description	pid	Process	procid_target
PID 1352 wrote to memory of 5020	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1352 wrote to memory of 5020	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	83
PID 1352 wrote to memory of 636	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1352 wrote to memory of 636	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	84
PID 1352 wrote to memory of 4492	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1352 wrote to memory of 4492	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	85
PID 1352 wrote to memory of 1884	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1352 wrote to memory of 1884	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	86
PID 1352 wrote to memory of 4940	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1352 wrote to memory of 4940	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	87
PID 1352 wrote to memory of 5080	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1352 wrote to memory of 5080	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	88
PID 1352 wrote to memory of 4424	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1352 wrote to memory of 4424	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	89
PID 1352 wrote to memory of 968	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1352 wrote to memory of 968	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	90
PID 1352 wrote to memory of 1644	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1352 wrote to memory of 1644	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	91
PID 1352 wrote to memory of 232	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1352 wrote to memory of 232	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	92
PID 1352 wrote to memory of 3132	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1352 wrote to memory of 3132	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	93
PID 1352 wrote to memory of 4380	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1352 wrote to memory of 4380	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	94
PID 1352 wrote to memory of 4880	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1352 wrote to memory of 4880	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	95
PID 1352 wrote to memory of 2344	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1352 wrote to memory of 2344	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	96
PID 1352 wrote to memory of 4640	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1352 wrote to memory of 4640	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	97
PID 1352 wrote to memory of 800	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1352 wrote to memory of 800	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	98
PID 1352 wrote to memory of 5116	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1352 wrote to memory of 5116	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	99
PID 1352 wrote to memory of 1108	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1352 wrote to memory of 1108	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	100
PID 1352 wrote to memory of 4064	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1352 wrote to memory of 4064	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	101
PID 1352 wrote to memory of 4800	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1352 wrote to memory of 4800	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	102
PID 1352 wrote to memory of 2940	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	103
PID 1352 wrote to memory of 2940	1352	2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe	103

C:\Users\Admin\AppData\Local\Temp\2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-25_455f65ae3c93ffc33301cdb091a6eaee_cobalt-strike_cobaltstrike_poet-rat.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Windows\System\cgibjBN.exe
  C:\Windows\System\cgibjBN.exe
  2⤵
  - Executes dropped EXE
  PID:5020
- C:\Windows\System\sQVaZOO.exe
  C:\Windows\System\sQVaZOO.exe
  2⤵
  - Executes dropped EXE
  PID:636
- C:\Windows\System\enpqkHk.exe
  C:\Windows\System\enpqkHk.exe
  2⤵
  - Executes dropped EXE
  PID:4492
- C:\Windows\System\ApcMHBz.exe
  C:\Windows\System\ApcMHBz.exe
  2⤵
  - Executes dropped EXE
  PID:1884
- C:\Windows\System\cffucdt.exe
  C:\Windows\System\cffucdt.exe
  2⤵
  - Executes dropped EXE
  PID:4940
- C:\Windows\System\NmZNQtB.exe
  C:\Windows\System\NmZNQtB.exe
  2⤵
  - Executes dropped EXE
  PID:5080
- C:\Windows\System\HAbhrIu.exe
  C:\Windows\System\HAbhrIu.exe
  2⤵
  - Executes dropped EXE
  PID:4424
- C:\Windows\System\oXXybrZ.exe
  C:\Windows\System\oXXybrZ.exe
  2⤵
  - Executes dropped EXE
  PID:968
- C:\Windows\System\auKcwPv.exe
  C:\Windows\System\auKcwPv.exe
  2⤵
  - Executes dropped EXE
  PID:1644
- C:\Windows\System\gTnUUUO.exe
  C:\Windows\System\gTnUUUO.exe
  2⤵
  - Executes dropped EXE
  PID:232
- C:\Windows\System\hZzewzh.exe
  C:\Windows\System\hZzewzh.exe
  2⤵
  - Executes dropped EXE
  PID:3132
- C:\Windows\System\cbQkNMg.exe
  C:\Windows\System\cbQkNMg.exe
  2⤵
  - Executes dropped EXE
  PID:4380
- C:\Windows\System\wVmOGCF.exe
  C:\Windows\System\wVmOGCF.exe
  2⤵
  - Executes dropped EXE
  PID:4880
- C:\Windows\System\liPPgXZ.exe
  C:\Windows\System\liPPgXZ.exe
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\Windows\System\XotFhdX.exe
  C:\Windows\System\XotFhdX.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Windows\System\iWRFnHY.exe
  C:\Windows\System\iWRFnHY.exe
  2⤵
  - Executes dropped EXE
  PID:800
- C:\Windows\System\eIiKOyj.exe
  C:\Windows\System\eIiKOyj.exe
  2⤵
  - Executes dropped EXE
  PID:5116
- C:\Windows\System\QDqwzpM.exe
  C:\Windows\System\QDqwzpM.exe
  2⤵
  - Executes dropped EXE
  PID:1108
- C:\Windows\System\ExlsjtW.exe
  C:\Windows\System\ExlsjtW.exe
  2⤵
  - Executes dropped EXE
  PID:4064
- C:\Windows\System\gokCmZS.exe
  C:\Windows\System\gokCmZS.exe
  2⤵
  - Executes dropped EXE
  PID:4800
- C:\Windows\System\pSTeRSF.exe
  C:\Windows\System\pSTeRSF.exe
  2⤵
  - Executes dropped EXE
  PID:2940

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System\ApcMHBz.exe

Filesize
5.2MB

MD5
fc4691b83bf3e8681487868604554195

SHA1
77394217bc2fbba1472649d072527cdab511ce64

SHA256
13195c9b60d38cb747f89fda30d330d6773107b4c6d24fc65237cd2392006793

SHA512
addcaeb98696f8809ab4c53c77165c776db3acb83232ce128b4c7e353998451a2a4c722de680739ee74e90eac13c71d224dda553c64e636df1c82d5a940d6ddd

Download Submit
C:\Windows\System\ExlsjtW.exe

Filesize
5.2MB

MD5
657ffbaf0c0511783f35de9980d2dd14

SHA1
9f2f32f302fbaf893acb824cb1c833810b051c7e

SHA256
6de3f43c68136723bf1a1633f61c5955777aced80a154b3e2affef00ad8ad975

SHA512
b8768957165fd18cc3bf50d58c1fc123673cee80a42a7a7ee8ebd4d6bae456ab4c6eb84f1d5f034700cec50d6f81c513c7c631496c8c7713f5bd70a8afb9debb

Download Submit
C:\Windows\System\HAbhrIu.exe

Filesize
5.2MB

MD5
9a8d990f38094270bf9db36ee1867666

SHA1
b739ba4cc8844720b2e461553ba6aaba66e54684

SHA256
a22fe8825889c8c234b9c11f53b6ebf22fb2f00f12835ffa4509ea3b7b8cfde3

SHA512
225304b38f20c01a9aeb9efb0dea94eb67465458b1504f57398aaa18bc4ecd5a8ce581638d421b3d2bfd34f8122d994061e2de4fa67e2932e9be6f5f4f994075

Download Submit
C:\Windows\System\NmZNQtB.exe

Filesize
5.2MB

MD5
101ba08578db01c06f3d46c70077fd81

SHA1
6d7f8e6b951e5ab42cdcdbc6bc1beea0f318b53d

SHA256
7d8d78b62ff55a57444cce2fc350c1256b8b32c1c7d5eb3bac562f5eb2732cff

SHA512
a546e4b0ccb813473cf047ddeba931a09ec8b2684e8d50ea2302ed744dc2198aaa5f5c48bd8aa2e5d6a54e5e39e4ea28b51940676a3b8d0e61e7ef38fb5c86fa

Download Submit
C:\Windows\System\QDqwzpM.exe

Filesize
5.2MB

MD5
90b3b84ed522f484bd9f66a00daa5b0c

SHA1
eebf4b890c7cd9b9cedb27e51e61ea19bdab156c

SHA256
75b535b63ecd09764ef5bd43dd59e0dc420d75c71c27279930b0d431558f059f

SHA512
14553060ad6acd2f106137256bfe3ba54bbff0bd63a6c60e0c713273fa448c17cb831750cdfc09e8a943c6636d53e8969e4f2c23b62cb47314ee02c0d2ef539f

Download Submit
C:\Windows\System\XotFhdX.exe

Filesize
5.2MB

MD5
472307c612297970d100b4561dd58110

SHA1
302d441368266f8635dc81735caaec202b20216f

SHA256
e50e261ce174df161134bee3a6c8c3e15afb3a874f3843f81193bc5f8ec12487

SHA512
33daa18379943b93c247203de781d8c6827cf6b02137daeb13d0ef774fb8f987ffc387b2a3d81575b6e052b6488d6380165449ba3b7ec27f3b006eb47b7cefa4

Download Submit
C:\Windows\System\auKcwPv.exe

Filesize
5.2MB

MD5
0b9c814f14fefb1b78ed3d86c68f50d6

SHA1
deb6aea66aa3075b2d929bf18e954b48eb86f7a7

SHA256
ef3d559d3ea9eed7c7f82294a25d2e8320e544b9d8fa91a26ddebde7e6b6f006

SHA512
5994f3ae36fa87002d4ad1e55ee26ffade7736dde2f0b9641ec172e6510f7acf115c291a32e49e82f8e9cb64d87fa14761c1e8e150407c8cdb6d79ed458233cf

Download Submit
C:\Windows\System\cbQkNMg.exe

Filesize
5.2MB

MD5
f42e76c27571b8b5d06c8352fd815a1e

SHA1
19a161fd24f1bbdcc8c5df77424223f449892e22

SHA256
9fa6b5799fa979942a53fe8851893c33d1cab38df4dc662c5ee32a2c47b7f301

SHA512
7a1b9c0e78d2586a02e88c64e1bb16b378782376a7f80f28a45a77a6658ee6a4908b152a436775ccf2e10c312e1870e706796bd1597ae57a8e8d541e8085b5bd

Download Submit
C:\Windows\System\cffucdt.exe

Filesize
5.2MB

MD5
d817e8a2479cabd35571dcd62092d0e4

SHA1
75c7434451b5d95ca4a5e0049d7d48fe869e2fc3

SHA256
d8d360fcedfcd20272420a893c4343293a4db4df36372c13ab544713ba973482

SHA512
72b33b804c7252bf372dd9d0197c72f20b80d7eefcf8affb0b6b2f230dfedddbd9bb3c1300134429af4a46c3cb2ae1bff8e13843b84f06538e4d3cb2b91d7b46

Download Submit
C:\Windows\System\cgibjBN.exe

Filesize
5.2MB

MD5
cb206645b9c369bc3e8370c14ce628ea

SHA1
dc00ba219f3bdd35ed917f3c49e8abecb293928f

SHA256
cfdb3beb81a4fa31c6466fd813e6ede0f525f1852d0f2d9a46e19efcca9fa380

SHA512
29e64371ad4b7269084e61f2d4c63c905e85bb9da455599a6ad9b817112e997dbaf3440016f53b3da5714aa8ce6cfcdd7de5c18701ae5bc01c685e404a6de75a

Download Submit
C:\Windows\System\eIiKOyj.exe

Filesize
5.2MB

MD5
e1315442060b2be66f39128a0edc1b8e

SHA1
6d4d1ce6a49b559170e7874127cd5f9bd0d263e9

SHA256
cee10e9101b2a65cc28b4f9a7d75e0e92feb641eb75fb8c84c98bd5805ccf6fb

SHA512
115c2b4a53d59045658213e7f2cde7e019de73e995d1dc462a936e374f3a8b3e4fde538311c71f126d4605c1563573127bdfed15dfb8dea78d70bd81074c1adf

Download Submit
C:\Windows\System\enpqkHk.exe

Filesize
5.2MB

MD5
a980379ce83283aa09c7d5dfa11d8da9

SHA1
c740c9d74bd648f8e2a7948a90d010b0127c15fd

SHA256
bfda0270bb8ca5543a4cb957bf27d6fefe42215afd529afa44f7e7afe8231a1e

SHA512
43a9ddd6d82b254c42a63ed868e90d2d3f0b13e71d9582b477e37d41654f4d5118025fa77c4279ca8a3886954b4b8c0d5786ef3ce9397f4fec9f30e466e1ef7c

Download Submit
C:\Windows\System\gTnUUUO.exe

Filesize
5.2MB

MD5
39089de3a49a642ad8f66b014830ff38

SHA1
5276b0e294710f6c234716c5226334d992f15871

SHA256
71d2299397bd959086b4e47c3bb30e63100ea87207166661054f4d9abe412c47

SHA512
bbc5a74a90c898d909e49c08c12bc459be348eb38ab98423bf39f5612ab792b94005b814698dbba98b55ee5b168245725185ffcda182bb4a48dbe3942448b229

Download Submit
C:\Windows\System\gokCmZS.exe

Filesize
5.2MB

MD5
2d24a6deabf28cfe434fd76e4e401706

SHA1
9d6e64c37dae23bc79e4815e5df04c36e97a7447

SHA256
87a3d5ca3a103ce699ca46104c065e99fb502eddb73c6151b395e6a63b717a74

SHA512
37ff3d4c7ae3bfb6d0a49a92570d5db2c5f357a833e4143fa7c6b192bff6fafe4c0ce91c7b4be4131d947e92c1362b2a1b36436cf8af90ee14f63d0461930862

Download Submit
C:\Windows\System\hZzewzh.exe

Filesize
5.2MB

MD5
9012c3fbfb924f8cccbc34e5cf0b0f11

SHA1
cbf616a362132ad6241c47b58e1fbd98f550a5a1

SHA256
80f1830d63da9ac3111fc7e3b46feaf9f9970af434a49eec2ac4a2ebcf9d1c94

SHA512
08d54d479fe3b83d3dcb2da90c89c004d803e7d182a19a0822cbef3c94b92c0bd5e27d8c76d3d7eaffe1cab209ac6ec768cb92999d563c1b4b0eaa7fe0986da0

Download Submit
C:\Windows\System\iWRFnHY.exe

Filesize
5.2MB

MD5
ff0722f43c5d03d20c5262e1ab045d6f

SHA1
d0e560d75dc0653da5cb1fe99c1c38a8004553d3

SHA256
77280ca06618afb1d6a7a977c8e6c2241ccae0e5665294b15f410495e1f2df70

SHA512
87041cc4663bfd51bace0878b780092ae865fcca831d1669f0bfea50d85108e08627148707ca2a9797b9d5fd18bf5f764f739623489b8f59b880131dcc615b11

Download Submit
C:\Windows\System\liPPgXZ.exe

Filesize
5.2MB

MD5
fb88ae26c265ccf2f5ebab57bf87fcb6

SHA1
b53ae9c5d1c81bd226b935bb1a8b92815639e5b7

SHA256
382d30efe8cdada2b9e3c42de8429c7f364877c91db6a2f3fb8b56bc47c5c47d

SHA512
9cc950fe698100ba25f568e8a3f3fe43e103d9ae8758738fade351bcb755bc238feb5d393ab216170087d8eddb74ff967c1448582a69618143275b0df47e8e3d

Download Submit
C:\Windows\System\oXXybrZ.exe

Filesize
5.2MB

MD5
e7667a9dcddb064ca29aca23163fb4ea

SHA1
5949e7d12c23a88b7eee04421ff4c90a3c16d057

SHA256
46a4339d4d474b98080849d4e2b68269c7c32fef020753145b7fc5ddc217d5e6

SHA512
82d885ce7883d18960e0a3526a69ea2eac81a21f4e594a1b6c3c1731ff1424bdf79d596f03e30bf6a6cd084abfdeaad5c83712b400cbd545be2b8932c3255b7c

Download Submit
C:\Windows\System\pSTeRSF.exe

Filesize
5.2MB

MD5
ad90b8e42fb945209193fc98c3500c25

SHA1
2e95b3fd4b864d55a0f9673303f7652fb3efbbc2

SHA256
2cbe8b00bb8670835b97e53fae98b816d19b5f871300651a593383b587b22681

SHA512
ef16985a2608254771d0cc0307ef8d6bc6e41967cf1fa56b6f816d5957d7b72a86008a317e796584239990bab58cb55fc068e434cdc87877f120de0776486ccb

Download Submit
C:\Windows\System\sQVaZOO.exe

Filesize
5.2MB

MD5
8b5ec82b83c07304a5d3e30f688f31a6

SHA1
bd4075c9752f0771bc6c2336bb1b03c6756a489c

SHA256
41b17b63b352c0ed638f0dedabf8ca1bcdff98a82c1e847d43878dbb83de03fd

SHA512
0b747e17149e39b5f03f94918d924dd01aa4909b738cca1fb4cbadf47494d78be47330d3877bd02b939c784a1561fcedb9529c7fd8a0b3a815748d740a77c4db

Download Submit
C:\Windows\System\wVmOGCF.exe

Filesize
5.2MB

MD5
a2a6838e1a17d874b3d324d6e479f038

SHA1
5f5927d241ef3a718dd57da48402cd3f836099ea

SHA256
631e699d122c9e76486254eeb71019d39e03110451ba10801fd8e607d8ca540f

SHA512
2e6f0c42c8a4141b3076eff95704fee622862a7d84c7124aac60042a3492b4a554ed01a18b5a6ca7f976cc57a6cdb17d1035d567691bff0a6adabfe005008e2f

Download Submit
memory/232-139-0x00007FF6D8FF0000-0x00007FF6D9341000-memory.dmp

Filesize
3.3MB

Download
memory/232-57-0x00007FF6D8FF0000-0x00007FF6D9341000-memory.dmp

Filesize
3.3MB

Download
memory/232-236-0x00007FF6D8FF0000-0x00007FF6D9341000-memory.dmp

Filesize
3.3MB

Download
memory/636-213-0x00007FF76D320000-0x00007FF76D671000-memory.dmp

Filesize
3.3MB

Download
memory/636-15-0x00007FF76D320000-0x00007FF76D671000-memory.dmp

Filesize
3.3MB

Download
memory/636-131-0x00007FF76D320000-0x00007FF76D671000-memory.dmp

Filesize
3.3MB

Download
memory/800-145-0x00007FF6E0440000-0x00007FF6E0791000-memory.dmp

Filesize
3.3MB

Download
memory/800-257-0x00007FF6E0440000-0x00007FF6E0791000-memory.dmp

Filesize
3.3MB

Download
memory/800-103-0x00007FF6E0440000-0x00007FF6E0791000-memory.dmp

Filesize
3.3MB

Download
memory/968-54-0x00007FF7F49D0000-0x00007FF7F4D21000-memory.dmp

Filesize
3.3MB

Download
memory/968-137-0x00007FF7F49D0000-0x00007FF7F4D21000-memory.dmp

Filesize
3.3MB

Download
memory/968-232-0x00007FF7F49D0000-0x00007FF7F4D21000-memory.dmp

Filesize
3.3MB

Download
memory/1108-127-0x00007FF782550000-0x00007FF7828A1000-memory.dmp

Filesize
3.3MB

Download
memory/1108-248-0x00007FF782550000-0x00007FF7828A1000-memory.dmp

Filesize
3.3MB

Download
memory/1352-151-0x00007FF6BADE0000-0x00007FF6BB131000-memory.dmp

Filesize
3.3MB

Download
memory/1352-1-0x00000287C2BC0000-0x00000287C2BD0000-memory.dmp

Filesize
64KB

Download
memory/1352-125-0x00007FF6BADE0000-0x00007FF6BB131000-memory.dmp

Filesize
3.3MB

Download
memory/1352-0-0x00007FF6BADE0000-0x00007FF6BB131000-memory.dmp

Filesize
3.3MB

Download
memory/1352-129-0x00007FF6BADE0000-0x00007FF6BB131000-memory.dmp

Filesize
3.3MB

Download
memory/1644-72-0x00007FF749A70000-0x00007FF749DC1000-memory.dmp

Filesize
3.3MB

Download
memory/1644-234-0x00007FF749A70000-0x00007FF749DC1000-memory.dmp

Filesize
3.3MB

Download
memory/1644-138-0x00007FF749A70000-0x00007FF749DC1000-memory.dmp

Filesize
3.3MB

Download
memory/1884-29-0x00007FF7A86E0000-0x00007FF7A8A31000-memory.dmp

Filesize
3.3MB

Download
memory/1884-217-0x00007FF7A86E0000-0x00007FF7A8A31000-memory.dmp

Filesize
3.3MB

Download
memory/1884-133-0x00007FF7A86E0000-0x00007FF7A8A31000-memory.dmp

Filesize
3.3MB

Download
memory/2344-112-0x00007FF794780000-0x00007FF794AD1000-memory.dmp

Filesize
3.3MB

Download
memory/2344-143-0x00007FF794780000-0x00007FF794AD1000-memory.dmp

Filesize
3.3MB

Download
memory/2344-258-0x00007FF794780000-0x00007FF794AD1000-memory.dmp

Filesize
3.3MB

Download
memory/2940-256-0x00007FF702250000-0x00007FF7025A1000-memory.dmp

Filesize
3.3MB

Download
memory/2940-128-0x00007FF702250000-0x00007FF7025A1000-memory.dmp

Filesize
3.3MB

Download
memory/3132-126-0x00007FF6C3FF0000-0x00007FF6C4341000-memory.dmp

Filesize
3.3MB

Download
memory/3132-240-0x00007FF6C3FF0000-0x00007FF6C4341000-memory.dmp

Filesize
3.3MB

Download
memory/4064-119-0x00007FF758F60000-0x00007FF7592B1000-memory.dmp

Filesize
3.3MB

Download
memory/4064-254-0x00007FF758F60000-0x00007FF7592B1000-memory.dmp

Filesize
3.3MB

Download
memory/4380-141-0x00007FF7E5CD0000-0x00007FF7E6021000-memory.dmp

Filesize
3.3MB

Download
memory/4380-239-0x00007FF7E5CD0000-0x00007FF7E6021000-memory.dmp

Filesize
3.3MB

Download
memory/4380-95-0x00007FF7E5CD0000-0x00007FF7E6021000-memory.dmp

Filesize
3.3MB

Download
memory/4424-223-0x00007FF790140000-0x00007FF790491000-memory.dmp

Filesize
3.3MB

Download
memory/4424-136-0x00007FF790140000-0x00007FF790491000-memory.dmp

Filesize
3.3MB

Download
memory/4424-46-0x00007FF790140000-0x00007FF790491000-memory.dmp

Filesize
3.3MB

Download
memory/4492-215-0x00007FF793260000-0x00007FF7935B1000-memory.dmp

Filesize
3.3MB

Download
memory/4492-17-0x00007FF793260000-0x00007FF7935B1000-memory.dmp

Filesize
3.3MB

Download
memory/4492-132-0x00007FF793260000-0x00007FF7935B1000-memory.dmp

Filesize
3.3MB

Download
memory/4640-97-0x00007FF68AA80000-0x00007FF68ADD1000-memory.dmp

Filesize
3.3MB

Download
memory/4640-243-0x00007FF68AA80000-0x00007FF68ADD1000-memory.dmp

Filesize
3.3MB

Download
memory/4640-144-0x00007FF68AA80000-0x00007FF68ADD1000-memory.dmp

Filesize
3.3MB

Download
memory/4800-122-0x00007FF7C8180000-0x00007FF7C84D1000-memory.dmp

Filesize
3.3MB

Download
memory/4800-252-0x00007FF7C8180000-0x00007FF7C84D1000-memory.dmp

Filesize
3.3MB

Download
memory/4800-149-0x00007FF7C8180000-0x00007FF7C84D1000-memory.dmp

Filesize
3.3MB

Download
memory/4880-142-0x00007FF68CC40000-0x00007FF68CF91000-memory.dmp

Filesize
3.3MB

Download
memory/4880-75-0x00007FF68CC40000-0x00007FF68CF91000-memory.dmp

Filesize
3.3MB

Download
memory/4880-244-0x00007FF68CC40000-0x00007FF68CF91000-memory.dmp

Filesize
3.3MB

Download
memory/4940-32-0x00007FF7618D0000-0x00007FF761C21000-memory.dmp

Filesize
3.3MB

Download
memory/4940-134-0x00007FF7618D0000-0x00007FF761C21000-memory.dmp

Filesize
3.3MB

Download
memory/4940-219-0x00007FF7618D0000-0x00007FF761C21000-memory.dmp

Filesize
3.3MB

Download
memory/5020-130-0x00007FF7BE9F0000-0x00007FF7BED41000-memory.dmp

Filesize
3.3MB

Download
memory/5020-211-0x00007FF7BE9F0000-0x00007FF7BED41000-memory.dmp

Filesize
3.3MB

Download
memory/5020-7-0x00007FF7BE9F0000-0x00007FF7BED41000-memory.dmp

Filesize
3.3MB

Download
memory/5080-135-0x00007FF69FF30000-0x00007FF6A0281000-memory.dmp

Filesize
3.3MB

Download
memory/5080-221-0x00007FF69FF30000-0x00007FF6A0281000-memory.dmp

Filesize
3.3MB

Download
memory/5080-37-0x00007FF69FF30000-0x00007FF6A0281000-memory.dmp

Filesize
3.3MB

Download
memory/5116-113-0x00007FF637590000-0x00007FF6378E1000-memory.dmp

Filesize
3.3MB

Download
memory/5116-250-0x00007FF637590000-0x00007FF6378E1000-memory.dmp

Filesize
3.3MB

Download