Analysis Overview
SHA256
ec0342c224d1a630bac0247fcd10a2300d53d93c16cf8e30604a7fda933131b7
Threat Level: Known bad
The file 2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobaltstrike
Xmrig family
XMRig Miner payload
xmrig
Cobalt Strike reflective loader
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-25 11:54
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 11:54
Reported
2024-10-25 11:56
Platform
win7-20240903-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\uopnPaT.exe | N/A |
| N/A | N/A | C:\Windows\System\tVHcKMP.exe | N/A |
| N/A | N/A | C:\Windows\System\BytHjrL.exe | N/A |
| N/A | N/A | C:\Windows\System\QuRPZQm.exe | N/A |
| N/A | N/A | C:\Windows\System\EbjHOXJ.exe | N/A |
| N/A | N/A | C:\Windows\System\NoZxtwd.exe | N/A |
| N/A | N/A | C:\Windows\System\SAYbfNI.exe | N/A |
| N/A | N/A | C:\Windows\System\LduQRtn.exe | N/A |
| N/A | N/A | C:\Windows\System\ISCWzMh.exe | N/A |
| N/A | N/A | C:\Windows\System\lOLSMhD.exe | N/A |
| N/A | N/A | C:\Windows\System\JboAAAe.exe | N/A |
| N/A | N/A | C:\Windows\System\KJWWyLq.exe | N/A |
| N/A | N/A | C:\Windows\System\ELahDtr.exe | N/A |
| N/A | N/A | C:\Windows\System\aIwWGhH.exe | N/A |
| N/A | N/A | C:\Windows\System\EihacFP.exe | N/A |
| N/A | N/A | C:\Windows\System\vPliCSL.exe | N/A |
| N/A | N/A | C:\Windows\System\qdYIpDh.exe | N/A |
| N/A | N/A | C:\Windows\System\wQkQiIA.exe | N/A |
| N/A | N/A | C:\Windows\System\jeQImhV.exe | N/A |
| N/A | N/A | C:\Windows\System\bqEVcys.exe | N/A |
| N/A | N/A | C:\Windows\System\MeLwrat.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\uopnPaT.exe
C:\Windows\System\uopnPaT.exe
C:\Windows\System\tVHcKMP.exe
C:\Windows\System\tVHcKMP.exe
C:\Windows\System\BytHjrL.exe
C:\Windows\System\BytHjrL.exe
C:\Windows\System\QuRPZQm.exe
C:\Windows\System\QuRPZQm.exe
C:\Windows\System\EbjHOXJ.exe
C:\Windows\System\EbjHOXJ.exe
C:\Windows\System\NoZxtwd.exe
C:\Windows\System\NoZxtwd.exe
C:\Windows\System\SAYbfNI.exe
C:\Windows\System\SAYbfNI.exe
C:\Windows\System\JboAAAe.exe
C:\Windows\System\JboAAAe.exe
C:\Windows\System\LduQRtn.exe
C:\Windows\System\LduQRtn.exe
C:\Windows\System\KJWWyLq.exe
C:\Windows\System\KJWWyLq.exe
C:\Windows\System\ISCWzMh.exe
C:\Windows\System\ISCWzMh.exe
C:\Windows\System\aIwWGhH.exe
C:\Windows\System\aIwWGhH.exe
C:\Windows\System\lOLSMhD.exe
C:\Windows\System\lOLSMhD.exe
C:\Windows\System\EihacFP.exe
C:\Windows\System\EihacFP.exe
C:\Windows\System\ELahDtr.exe
C:\Windows\System\ELahDtr.exe
C:\Windows\System\vPliCSL.exe
C:\Windows\System\vPliCSL.exe
C:\Windows\System\qdYIpDh.exe
C:\Windows\System\qdYIpDh.exe
C:\Windows\System\wQkQiIA.exe
C:\Windows\System\wQkQiIA.exe
C:\Windows\System\jeQImhV.exe
C:\Windows\System\jeQImhV.exe
C:\Windows\System\bqEVcys.exe
C:\Windows\System\bqEVcys.exe
C:\Windows\System\MeLwrat.exe
C:\Windows\System\MeLwrat.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/292-0-0x000000013F060000-0x000000013F3B1000-memory.dmp
memory/292-1-0x0000000001B20000-0x0000000001B30000-memory.dmp
C:\Windows\system\uopnPaT.exe
| MD5 | 0e5ceb496e9a3c38d993cbd6e32c697a |
| SHA1 | 5b2c5302d12eddfdbc5fc1504d3a4a67f8059060 |
| SHA256 | 90660d1886dc93acf0190a7c568ca02c6628b7e61bbbd151f94cdcb59c37d75d |
| SHA512 | 2c1dcf9976568bdbc989bbf37da5f28aaefc525409f7d73b98b4ca22e5412ddf6fd73c65f148bb0a0746ebcdbc26d84eca7c8bd838ef2f88f5b35c5ef7fa13b2 |
\Windows\system\tVHcKMP.exe
| MD5 | 4f524459545cf016503d2054d1c7959e |
| SHA1 | 0e463fc0652b90493e13ee98a248c7f73ef43088 |
| SHA256 | 2755afff209b154379c02882c530992f37e3696a5ca05b3d48a05fd581940b8c |
| SHA512 | bdffc09131b9132b1c3c29595e071043dd9a0cb0a2fcc35a64aa7ca74daf3995189e1df8e5f9d2997d1596716d037a14215bf1ccec90c90759890705369c7492 |
C:\Windows\system\BytHjrL.exe
| MD5 | cc1e07fef40c026c81b672857e0061b4 |
| SHA1 | 4032913c26b8baf27a8ee6c621d2b1f565e71269 |
| SHA256 | 4e5bd6faf0a9406036393327c78480d491329c114988251b44e866aeadfaf03e |
| SHA512 | cfae571cf82daa175996ff3013b2c49c6c890b2de860cdcab633f2d370d40620ba28d391aa6384cbd7a35ba7de59fc66c89b1871d78892e8c31d0d67832621f5 |
C:\Windows\system\QuRPZQm.exe
| MD5 | 4bb06c7ca9e040b371c3b93743ba9bea |
| SHA1 | f260c921941a06287c61e9b0e68ba02cbc93ab26 |
| SHA256 | 2e57b09758dab8214a39f63d36ce9412d3dff1bc76082d3892a53869af588a09 |
| SHA512 | 786152181a7fc00efdfb6497cd947d62776a126596f713a145bca36eca641d6d2b814213966f92051475034dddec9b568d70f125614594fedc186ef61adb0279 |
\Windows\system\EbjHOXJ.exe
| MD5 | 7deb020b9dda341b7622aec9e4c9a501 |
| SHA1 | b96cabda5ed4514c9700dbf1bf9ef7a1da15dacd |
| SHA256 | 23175bafc4e53944fe06d0cf0357e387c7b0ac3969661c3b0907c8ceb4fe941a |
| SHA512 | e249ad010e7c6bcd61f48f925b858a2d5b504fbdee11f5e70c64f532e8c750f86780be35654f778a92a7eccfff49a3663072f9e252711ccc3e5eac303e7a54fd |
memory/292-30-0x000000013FAC0000-0x000000013FE11000-memory.dmp
memory/2480-28-0x000000013FE60000-0x00000001401B1000-memory.dmp
memory/292-26-0x00000000022C0000-0x0000000002611000-memory.dmp
memory/292-25-0x000000013FE60000-0x00000001401B1000-memory.dmp
memory/1516-24-0x000000013F670000-0x000000013F9C1000-memory.dmp
memory/292-22-0x000000013F670000-0x000000013F9C1000-memory.dmp
memory/3068-21-0x000000013F350000-0x000000013F6A1000-memory.dmp
memory/1720-19-0x000000013FC20000-0x000000013FF71000-memory.dmp
memory/2268-34-0x000000013FAC0000-0x000000013FE11000-memory.dmp
memory/2928-47-0x000000013F820000-0x000000013FB71000-memory.dmp
memory/292-46-0x000000013F820000-0x000000013FB71000-memory.dmp
C:\Windows\system\SAYbfNI.exe
| MD5 | e1102971e54471ac10e009b3889662f6 |
| SHA1 | cc5b86bdda039518dabd9c49e61843221aa333f5 |
| SHA256 | ffaf153ded326e64a35a2e031dc4a23145ef689f8acf26631d4bc2f57ab49e3a |
| SHA512 | 90e97df6c3e61ce0451aa850d2b7b853a83c5eda1641f67c1d0f5dcf84686eeecd9cc6d1d09f4c2992c3672f050735ac675c8820737c84019aee8274c66fdab1 |
C:\Windows\system\NoZxtwd.exe
| MD5 | 5951316e699f53c2a437c81d63aafab8 |
| SHA1 | b52ca8aca8b313f33685615fbc8e525ac1c774bb |
| SHA256 | 5be6ca348390ce2cc7f1ed679b176d98f12592dc0ee80af16f9209f7853e7c5e |
| SHA512 | 300ac210ebd527dbe1585337e70923075cceb766d05e3e18e163bac3103204b94ae16950952d1ee4ac82569ef7ccdfa606b682ff0881a2ff1c010df26a18b0fe |
C:\Windows\system\ELahDtr.exe
| MD5 | 9557de245950a7931f123443a80c5dd1 |
| SHA1 | 070214181e357b566502d99daeab491e2d940b3c |
| SHA256 | 5ee8451b7d379fca1472e5c94812b2059996fe28b1e11a08d0df4101a7d348e3 |
| SHA512 | 17b4fe2ca64adf80d38ce810f3952fb2334fab7d0c599d6b8dd21d5f01b8d72ac538f39e1e6bd8f02823d3b9ad332a24a6dadae21c1750cb5e7222ac034ac6d1 |
\Windows\system\EihacFP.exe
| MD5 | 9760991c2814533f8223c88fa1e5426b |
| SHA1 | 0f487660697ee1c30c11c4d8d7cb38bd47d7bd86 |
| SHA256 | d0380f5260a864938c082a38e712c24526a2a0d4f8ea97ccb11b32d1944e1479 |
| SHA512 | 0776843532351bd245f4c7c0420e8be68ab527edfa2d49b9c072b3e38099713fb4808d643e535e0df5b097e7a2f9fb74427e34d013270f062e86d63b6c91190d |
memory/2636-103-0x000000013F980000-0x000000013FCD1000-memory.dmp
C:\Windows\system\qdYIpDh.exe
| MD5 | a701ec6312d960b7a0396323699d38e1 |
| SHA1 | 8b02870de586b2531cc30c8defb2d4cf49921d4d |
| SHA256 | 6e1737a27b04119eb378db056dcc6e6b0fef5d45b3e1e314a6ae306ad2064b9b |
| SHA512 | 49d37b5eeb1feb282aebed1ef3e0683103815d02cb0eff4fcce085a4913ca93da36fd0939764bd46870f8e7ab1380f3cb6bf6ab3aca494514b538a433cd31d31 |
C:\Windows\system\wQkQiIA.exe
| MD5 | f4c4945ed3c0b4f9e388a79770ab10fa |
| SHA1 | 93287f21925b810f5bde41010ce6d3341d78e014 |
| SHA256 | fc95bb3dccc1bd55c336d332403349567d503f8386f0af1f6d2f0cf098289d7a |
| SHA512 | bd82da1b162856391605e06940538ab73e62c94c134e06274f3a0aa13fda42c1f54c6d3cdfb1de0c6af9986e416229b57e4d9e30708a661d071e8f3651dcf371 |
C:\Windows\system\bqEVcys.exe
| MD5 | 98ea70399574a2336093603a1933d205 |
| SHA1 | 70b1508bf1a852abf9af55ade2b6203d969546f6 |
| SHA256 | 69dfddcf922fc66bda0d3b281681c809dd838f4da4ee90ec81111b8363f1ecd5 |
| SHA512 | ce247ceed782dea5038862a8ed6978efbab8e2f52403c66aeba5e66251bdfb83adffd9d8e5f9990711b36a30376fa6b15c1d351fafead659cc1056889ee60a98 |
C:\Windows\system\MeLwrat.exe
| MD5 | 23e2b05e2a8f520c6f4bfc1a890844b7 |
| SHA1 | 2c155b44229d784000872277fe662e124ee59171 |
| SHA256 | c4eb6160a685f4ce44b975c8345f779192d2eb73356c710093d66f23e6de735d |
| SHA512 | b7ec885a5cc78c59bea16b1427a907a9eb50d38a4f2341d8a22ebca0774b6fd3e8d537ae49f6b8cfc11c6cc521769c775346508edf131f698766e55134bd76fa |
C:\Windows\system\jeQImhV.exe
| MD5 | a2c3499eecc7c3254a40bd02024a0fcf |
| SHA1 | 82948a8814ac1c34a99f6661bed40152e3d85c9a |
| SHA256 | 6aba69cbdae8b18e1d0349bb89183dd91821fa4fd9e7b03ba1ebe3f381376f76 |
| SHA512 | bc780b4db49e29abffb2ee574f1c7c765236438114c5be26778c9d4002446118b5ca8334f5a894b75a7f4d04d8dcdedf74df866aeaf84ea6bf455d6f0a9f121f |
C:\Windows\system\vPliCSL.exe
| MD5 | 41b9263c2f73dcce1e7fc399af2f350a |
| SHA1 | 4ac04956e3abd65fb47c73246b23c76dac939e40 |
| SHA256 | 42801e7fa760f60a5f8988834b22a7d7996f53e0dc60fab013081d8fece834ba |
| SHA512 | 0e47ec7fd563913faf45f51c2085d04f6658b47d8dfb8a2cff8c6c1bc5bede1fc8e575d93d70b8f2a65cee4691657d130732ff3058a73ef145e41aefdbc3d4b5 |
memory/2480-107-0x000000013FE60000-0x00000001401B1000-memory.dmp
memory/2724-106-0x000000013F390000-0x000000013F6E1000-memory.dmp
memory/2268-136-0x000000013FAC0000-0x000000013FE11000-memory.dmp
memory/1032-105-0x000000013F8E0000-0x000000013FC31000-memory.dmp
memory/292-104-0x000000013F8E0000-0x000000013FC31000-memory.dmp
C:\Windows\system\KJWWyLq.exe
| MD5 | a4d1808246109627d507ded297a09413 |
| SHA1 | 5d51e8adda0c77c0b34bfa24e4bd5b31c8c633d9 |
| SHA256 | 7da72d5ec26585b03fcf87a5ba07ad14c4d9a3068b906adcd1b21c6acb47a002 |
| SHA512 | 85fe715e78be8ded0cb364c17b1bb1750c2850e2829e45f4f6878d28be73fef9764b5e549e3be41a1675cef44ed2a20fa5943e000d146a434f685619323310e9 |
C:\Windows\system\JboAAAe.exe
| MD5 | 1416fcd95e06587104a9ac9a2fe1e1f6 |
| SHA1 | 1322de14f66fa0405f68221598d85caf50aeeed9 |
| SHA256 | 5193c2ccc1dd52fafd0e4b838e877f261f37d80cdef8605ea2602fb20fabb1ce |
| SHA512 | 2bf75eb384a6ac5f9b6c5c6f2ae4fb86a467508f666082c937eed130b71ea75b8968376d8c7c71013a03dd2114e2ff18aacda3a33a2d4b3a64112b206324b040 |
memory/2628-87-0x000000013FAD0000-0x000000013FE21000-memory.dmp
memory/3068-86-0x000000013F350000-0x000000013F6A1000-memory.dmp
memory/3028-137-0x000000013F5C0000-0x000000013F911000-memory.dmp
memory/2640-85-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/1720-84-0x000000013FC20000-0x000000013FF71000-memory.dmp
memory/292-83-0x00000000022C0000-0x0000000002611000-memory.dmp
memory/292-81-0x000000013FE90000-0x00000001401E1000-memory.dmp
memory/292-80-0x00000000022C0000-0x0000000002611000-memory.dmp
C:\Windows\system\lOLSMhD.exe
| MD5 | b3ccef4da09ae5cda7bf48b4430c64e7 |
| SHA1 | 324f4034c0dc6c49b0db7d0ecbf38048b7a5bd8b |
| SHA256 | 983df2aa88178975061538b8ac336ce09014414ce14f0a138a6bbb1f0ef1b9ed |
| SHA512 | b35d420b0fe24c2d3548e266c2545a9488143d246fb6f730fb7fad4c34a61ec294b9cd026ada0a976bfa8aabced5e3facc7af378e4479b43ec70e54cb5ef1456 |
memory/2784-78-0x000000013FE90000-0x00000001401E1000-memory.dmp
memory/292-77-0x000000013FAD0000-0x000000013FE21000-memory.dmp
C:\Windows\system\LduQRtn.exe
| MD5 | 9c6aaec13d9ccebd67a2f1427cbae307 |
| SHA1 | 127af0957c5ef9fe4525cbe47c45202c468b8916 |
| SHA256 | 5972f9c49c27ed4c611c1a2136229144a2050408d36a5c8487934a4ac8b657a3 |
| SHA512 | aa9682e16f189100cfddd43e815c6c49d0dc27886805d6e98f1aa0889f37a62f9c31e9b34276d20ee97d1e46d674f9bf12cdcac8153190988709cba3b7caa94a |
\Windows\system\aIwWGhH.exe
| MD5 | 31149ce6cf527deff420cf6347534985 |
| SHA1 | 9bf435bdd20d4a33d9bea9388d06382d9a13a08b |
| SHA256 | abfa7a5c8c17d1db2430b28e20ebc7d0648bf6a2ac5f70f0a93a12440426afc2 |
| SHA512 | d5503eb35a12fc93c85b4c2c7d08b769a759191c088056b998bdfbda5e1bc657e2779ce29d5eb9130713abd893abe86bf47c7ded5f1786e777f1e2363c36981b |
memory/292-59-0x000000013F060000-0x000000013F3B1000-memory.dmp
memory/2728-101-0x000000013F1B0000-0x000000013F501000-memory.dmp
memory/2928-138-0x000000013F820000-0x000000013FB71000-memory.dmp
memory/292-71-0x000000013FD70000-0x00000001400C1000-memory.dmp
C:\Windows\system\ISCWzMh.exe
| MD5 | fb288315066c890d37a91bc644c6af76 |
| SHA1 | 024a5c042638229987d53a006d350181ce04268d |
| SHA256 | 122ec1f1fa9dc6b5acee2f997ce326547a5ba8214ea3983a50176e133706c93f |
| SHA512 | d81ef79aba5770d3861610d454fe092d2752d91642a78af364b899837b6fe2e258da3fa41ff7c89a1db810d7fbc98d3ad45678013fc8ea303263629f77d9cbba |
memory/3028-41-0x000000013F5C0000-0x000000013F911000-memory.dmp
memory/292-139-0x000000013F060000-0x000000013F3B1000-memory.dmp
memory/1472-156-0x000000013F5C0000-0x000000013F911000-memory.dmp
memory/636-160-0x000000013FE10000-0x0000000140161000-memory.dmp
memory/2368-159-0x000000013FCD0000-0x0000000140021000-memory.dmp
memory/1244-158-0x000000013F920000-0x000000013FC71000-memory.dmp
memory/1304-157-0x000000013F490000-0x000000013F7E1000-memory.dmp
memory/2924-155-0x000000013FB90000-0x000000013FEE1000-memory.dmp
memory/2732-153-0x000000013F8A0000-0x000000013FBF1000-memory.dmp
memory/292-161-0x000000013F060000-0x000000013F3B1000-memory.dmp
memory/1720-212-0x000000013FC20000-0x000000013FF71000-memory.dmp
memory/1516-214-0x000000013F670000-0x000000013F9C1000-memory.dmp
memory/3068-216-0x000000013F350000-0x000000013F6A1000-memory.dmp
memory/2480-228-0x000000013FE60000-0x00000001401B1000-memory.dmp
memory/2268-230-0x000000013FAC0000-0x000000013FE11000-memory.dmp
memory/2928-232-0x000000013F820000-0x000000013FB71000-memory.dmp
memory/3028-234-0x000000013F5C0000-0x000000013F911000-memory.dmp
memory/2784-236-0x000000013FE90000-0x00000001401E1000-memory.dmp
memory/2640-238-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/2628-240-0x000000013FAD0000-0x000000013FE21000-memory.dmp
memory/2636-242-0x000000013F980000-0x000000013FCD1000-memory.dmp
memory/1032-244-0x000000013F8E0000-0x000000013FC31000-memory.dmp
memory/2728-246-0x000000013F1B0000-0x000000013F501000-memory.dmp
memory/2724-254-0x000000013F390000-0x000000013F6E1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 11:54
Reported
2024-10-25 11:56
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\xYRTiBL.exe | N/A |
| N/A | N/A | C:\Windows\System\OEBkNnE.exe | N/A |
| N/A | N/A | C:\Windows\System\kqUmsBO.exe | N/A |
| N/A | N/A | C:\Windows\System\quvZurg.exe | N/A |
| N/A | N/A | C:\Windows\System\UKgCkED.exe | N/A |
| N/A | N/A | C:\Windows\System\PxElHep.exe | N/A |
| N/A | N/A | C:\Windows\System\cdVLYuS.exe | N/A |
| N/A | N/A | C:\Windows\System\ciZwxCz.exe | N/A |
| N/A | N/A | C:\Windows\System\NNmfyLp.exe | N/A |
| N/A | N/A | C:\Windows\System\eronHPT.exe | N/A |
| N/A | N/A | C:\Windows\System\meiumHc.exe | N/A |
| N/A | N/A | C:\Windows\System\airEmQp.exe | N/A |
| N/A | N/A | C:\Windows\System\sPceonp.exe | N/A |
| N/A | N/A | C:\Windows\System\gnvFqke.exe | N/A |
| N/A | N/A | C:\Windows\System\DjKfyzb.exe | N/A |
| N/A | N/A | C:\Windows\System\EuZmSCO.exe | N/A |
| N/A | N/A | C:\Windows\System\GeerTYM.exe | N/A |
| N/A | N/A | C:\Windows\System\tNGYyhO.exe | N/A |
| N/A | N/A | C:\Windows\System\cEQVkAm.exe | N/A |
| N/A | N/A | C:\Windows\System\rbmzQux.exe | N/A |
| N/A | N/A | C:\Windows\System\XYSTzlS.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-25_f356f53568f3fe623d3db7149a57d2f0_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\xYRTiBL.exe
C:\Windows\System\xYRTiBL.exe
C:\Windows\System\OEBkNnE.exe
C:\Windows\System\OEBkNnE.exe
C:\Windows\System\kqUmsBO.exe
C:\Windows\System\kqUmsBO.exe
C:\Windows\System\quvZurg.exe
C:\Windows\System\quvZurg.exe
C:\Windows\System\UKgCkED.exe
C:\Windows\System\UKgCkED.exe
C:\Windows\System\PxElHep.exe
C:\Windows\System\PxElHep.exe
C:\Windows\System\cdVLYuS.exe
C:\Windows\System\cdVLYuS.exe
C:\Windows\System\ciZwxCz.exe
C:\Windows\System\ciZwxCz.exe
C:\Windows\System\NNmfyLp.exe
C:\Windows\System\NNmfyLp.exe
C:\Windows\System\eronHPT.exe
C:\Windows\System\eronHPT.exe
C:\Windows\System\meiumHc.exe
C:\Windows\System\meiumHc.exe
C:\Windows\System\airEmQp.exe
C:\Windows\System\airEmQp.exe
C:\Windows\System\sPceonp.exe
C:\Windows\System\sPceonp.exe
C:\Windows\System\gnvFqke.exe
C:\Windows\System\gnvFqke.exe
C:\Windows\System\DjKfyzb.exe
C:\Windows\System\DjKfyzb.exe
C:\Windows\System\EuZmSCO.exe
C:\Windows\System\EuZmSCO.exe
C:\Windows\System\GeerTYM.exe
C:\Windows\System\GeerTYM.exe
C:\Windows\System\tNGYyhO.exe
C:\Windows\System\tNGYyhO.exe
C:\Windows\System\cEQVkAm.exe
C:\Windows\System\cEQVkAm.exe
C:\Windows\System\rbmzQux.exe
C:\Windows\System\rbmzQux.exe
C:\Windows\System\XYSTzlS.exe
C:\Windows\System\XYSTzlS.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1764-0-0x00007FF6AF1A0000-0x00007FF6AF4F1000-memory.dmp
memory/1764-1-0x000001840C080000-0x000001840C090000-memory.dmp
C:\Windows\System\xYRTiBL.exe
| MD5 | d72baa11ff66cd7b80fda0b3a6c3fb56 |
| SHA1 | a9c1e3c51f79ff1a8f7e90ad2ef773cd3ac890b2 |
| SHA256 | 587b64e656ebd1880359c552c5aaaee39a4784692e3099d83ca9cd82d3e9c6fe |
| SHA512 | b74b2db2adcba74c81a1cd33a2645cd1d99ed6c97e2ad55cdd18b2d689bef6279214afdac120927c197a331a99684fd085b9e36d0016fb72af41019b050a17f8 |
C:\Windows\System\kqUmsBO.exe
| MD5 | cc7bc87fd84d3e17b69acf6dca12c500 |
| SHA1 | c9ef9983a2c65716b067bee4cffc885d1e6fb0f6 |
| SHA256 | 9c548010736ba021333b47941c0061dd687ddb2e898bcdbb0a0f33f52b9d7600 |
| SHA512 | b4304ad8e49f3697980dafe84d735e162d0193a926ce8bd2a60c1b9268c71fc0687e49c73debd17e077c70e8f33faa0f6129237bf637e9eed168634aef882f90 |
memory/4712-6-0x00007FF70B0B0000-0x00007FF70B401000-memory.dmp
memory/2152-17-0x00007FF6BF8B0000-0x00007FF6BFC01000-memory.dmp
memory/1832-19-0x00007FF69C360000-0x00007FF69C6B1000-memory.dmp
C:\Windows\System\cdVLYuS.exe
| MD5 | f45e4930751bf4bcab51af034d4eff9d |
| SHA1 | 97cac6ba912653ae55874b9025f043bbfbf4f534 |
| SHA256 | 7a56278e674f1c42b8df4800b08bb2e6a13291bac208af97ae1ecd32f5e5a3df |
| SHA512 | 0d69e10c0b10a5ff0ad4c4b5e0c6683d541c032435b74b5437fb7e700c0bae2305faf7e6f4dfe93030fea01e6eab11f622207126c0b64e2f51d4debdf84ef806 |
C:\Windows\System\UKgCkED.exe
| MD5 | ed953f1af87f9db21e729959bc8c5724 |
| SHA1 | 7176a82d003c102d484547b1d0ce2a93edc36e77 |
| SHA256 | ebcbbf4c5be2f5387c8bd2848e69605cc3beabb0f33abebd40883276353dc4b3 |
| SHA512 | 54839ab729bb3c8d8ed2d925a06229102fbbee9204c867b3cf2b8463f6aaca4d5eac3dfe4cb24eac3740ea5c2f47e7c2ebe98db98fab555c4c3a615b90df0665 |
C:\Windows\System\PxElHep.exe
| MD5 | db3e270ff2de41e5bdae44e3c4b9fbdc |
| SHA1 | de596da86f9ba11294888c2b0de02218428748f2 |
| SHA256 | 15dabc74d7ced974dc22e715842a4960285bf4d2504ea84a2b1dbe2750272841 |
| SHA512 | 5390ad86c5cab669e28050f458d653bb72cce82d952998c7c7d297a845318faff43c1b34e006ef422e73da21e24e48064c112dc50ba586757bdf20177e340597 |
memory/3576-50-0x00007FF71EB30000-0x00007FF71EE81000-memory.dmp
C:\Windows\System\ciZwxCz.exe
| MD5 | 0d1044c05834ec94897c4e2aee0a96c8 |
| SHA1 | 811626a07ff16790939e5ccb6f9c4b6f6f82d48a |
| SHA256 | e1370a21ace2cced062039316a9525a0abf481eec6f2856adba1bb1f356a2e96 |
| SHA512 | 45f6a5c10edd4ced8b74adbcaa48ffc98167a09039aed4d07f4eb8917669814d172b27f76a42201d16f94762521c6449aae135a4e0350a7b736960669ed0f523 |
memory/4744-63-0x00007FF6A1930000-0x00007FF6A1C81000-memory.dmp
C:\Windows\System\EuZmSCO.exe
| MD5 | 8b319825fee8efd68608a28571d21ea6 |
| SHA1 | 5a982fd1e726dad82030730d464ff604dc0d1bc5 |
| SHA256 | e0c34f3307272ee9be693b4ab34899ea00acb62355cb81a28a84068cb2c5514c |
| SHA512 | 3e14c4cd44fe931f5ffeedadbfda76cb89f122c54fe47b788d3fd585fe941b914994d5f5cd5bd2626dde8fef828503db1e513e521a4a6cd2cd9876b98dacdb6c |
memory/2732-90-0x00007FF644950000-0x00007FF644CA1000-memory.dmp
memory/1832-97-0x00007FF69C360000-0x00007FF69C6B1000-memory.dmp
C:\Windows\System\tNGYyhO.exe
| MD5 | cdb8dcede5ae2bc322d9dcfecb07cd7a |
| SHA1 | ce5937dd608063746bced7a496aac5c3998bae2e |
| SHA256 | d319687a2394d00359ef6059b93341b76fc1ece0b32782127fd4284d3a05e42b |
| SHA512 | f43512e54c992c3c33711ab83fb5656b77b62032dc79196a993dfabf82a77d96e53dff9fcc74347d0ceba1fc32ab14ee65baf9087de4dbe06f9fa91eb8b103f9 |
memory/1820-130-0x00007FF70DDC0000-0x00007FF70E111000-memory.dmp
memory/4712-129-0x00007FF70B0B0000-0x00007FF70B401000-memory.dmp
C:\Windows\System\XYSTzlS.exe
| MD5 | 0ef9c51f8c314b1b635691aded2454b5 |
| SHA1 | 9baf6c6a260201cd32836cbfc2f2d259fd86a06b |
| SHA256 | 2786b7cdebc17916d2920e578303499200ab3cd3aadef6f8350f17b83d210324 |
| SHA512 | 10fe6c88e20a8bd32409f67d65ee60e1748b3b8e56e690c6f17a20c6b229ec3f90a38caf9c202b1a0de0d71cbda057f2e6a3ab143766e3d7d123fd1d4fadf1e4 |
C:\Windows\System\rbmzQux.exe
| MD5 | 2ec8e702a090c1a41b714c015a32afba |
| SHA1 | f9d919216e0c5b2cce122e4e9506431c95ba4ef2 |
| SHA256 | ded9b9f2d5b6808c3621967b8032676b457e999206834d48154bf033b456359b |
| SHA512 | 20e2bebcd0913648a2e03b3f0e198b02f94418741a0c442bd4a9dc239d51d0c002578c822832fb45447eabfb1f97a945ff04f4a7ac29b748346518f6f096b4d6 |
C:\Windows\System\cEQVkAm.exe
| MD5 | 076a503b8e98484fffbd38304c38a1e0 |
| SHA1 | 9191fceceab4e6db04de93b8139e44409365136c |
| SHA256 | 6c4e31ec88f3cb8063db266dfe2633b32d74d4b3c2bb707be8f5fca766c900ad |
| SHA512 | c6d61ebcf30942042835d366f16f65c3e2d48a1759678f48c7f91fb921929d2d616acdf4899fe72bceccc70c84f54c3452613440cd9a4b29fe1c3e2ac0cf5102 |
memory/1632-122-0x00007FF6389D0000-0x00007FF638D21000-memory.dmp
memory/928-121-0x00007FF72DBC0000-0x00007FF72DF11000-memory.dmp
C:\Windows\System\GeerTYM.exe
| MD5 | 1918521bdf85d4cbfc739919d78eb9b6 |
| SHA1 | 351ffdc2103f47d292d8ec8d6d918f951cef5f46 |
| SHA256 | dda23a39930458db3764e0a432eb3480780b3b62c28076e4674ef385368258d7 |
| SHA512 | 399fbf8645851673a64ffb8998c2ac36fc85c838b8996c607fd20ba5f44c33d1e383047a2a9e0995513fc2acdf0412e0365cb51122f2d9d3bbbc7c62b29932bb |
memory/1152-116-0x00007FF6C7500000-0x00007FF6C7851000-memory.dmp
memory/3240-115-0x00007FF7BF300000-0x00007FF7BF651000-memory.dmp
memory/1764-111-0x00007FF6AF1A0000-0x00007FF6AF4F1000-memory.dmp
memory/2976-103-0x00007FF7C2E30000-0x00007FF7C3181000-memory.dmp
memory/2460-96-0x00007FF6FC3D0000-0x00007FF6FC721000-memory.dmp
C:\Windows\System\DjKfyzb.exe
| MD5 | 6b68202c1eb383b2789d7b7788fc566b |
| SHA1 | 5299a754fb626ae651520e32a1557d0a8b8b77b4 |
| SHA256 | 1e2a4d72889b9f8a2777d6a421f68734143996ce9b18ee6f64b19b6d58d43d8c |
| SHA512 | fd5d0c5f8388387ffe94d034ec53e7e5c5b89844097dbdbebe9ad8d53d0b01b9a6534878f1dbefa60dde7b0201d253daa55a538ffb6f6e80455333286c214118 |
C:\Windows\System\gnvFqke.exe
| MD5 | 83f2593e966952c9c438b22f45a92867 |
| SHA1 | 94f25ef12a1da5c03fe33df6d4e7ca75d69f6643 |
| SHA256 | cdb9f472e667da78142661369e30be4ab3b0c27eb5a5ea45883956ecb7485722 |
| SHA512 | 5786b8532b4b662fad021415da00016f1777dde7880f7428f1f02315220750d039b3dd82963207123a3051591f18356e6dd77b2b7473147ea6133de71213068a |
C:\Windows\System\airEmQp.exe
| MD5 | 9e8474b04eb89821351fcce6cc3c6d87 |
| SHA1 | 789471e83557dad4e5f5c0d393624a15bb532ee4 |
| SHA256 | d1a93d76012501e7be3145bd485795d1b497e694a47286e5ecf0ef848ff0c9cc |
| SHA512 | 46bde7a59c3168a0c16286433430fe43cdafc0ff27e6cdc7afc7ffe0a817eaa1df75f82cc786a376916b2b634f20f72c1e7c035937249a9c60696c55dd66a11d |
C:\Windows\System\sPceonp.exe
| MD5 | dc88eda7c096224a449a99b083b8db11 |
| SHA1 | 53eff5c672ff2edb73b71af969728f0010dc5b3f |
| SHA256 | 04e77dc00098d938b08b0d4d08d77b0e2f78cbec1f23f7378c5046cd85a43c28 |
| SHA512 | be26015e7bccdcdbea0d58fa58a6cc1ff1e805709aae145e2cb34761d4f3255c5a3f873f348881776765b98261ac570ffa5c384e9b5e57f86f4e6bdc9a2b7f72 |
C:\Windows\System\meiumHc.exe
| MD5 | 6a6641cb6f89f0da18c0ff25b3869701 |
| SHA1 | 23bcb0aaf62c17c813bcc4bdbe312021ae8e4cdc |
| SHA256 | 9ff8b9ca387fc4d7439fc5e4eed0547f66d221220fb9ae597bee97e13c989a5a |
| SHA512 | 09feb0f4bbf4c3ef00b03ea43ec4c74ad4e1ebe1f06cfce4c9a6e549cccca3a3de84aed41c57926d95d6ab9c826f047e3ce299ce1637a37cf290a3ae4b1d2e8e |
memory/5084-83-0x00007FF7CF230000-0x00007FF7CF581000-memory.dmp
memory/4676-82-0x00007FF734A20000-0x00007FF734D71000-memory.dmp
C:\Windows\System\eronHPT.exe
| MD5 | 99038c48fc31504fedfb657ac3f30ba3 |
| SHA1 | 905dd45ea404beb8fde89ed9d6392ff103925f4f |
| SHA256 | c94a9fd3b3746cb05443c2cdf49f7ec6e7b8311b1b395c1116880595c6c53014 |
| SHA512 | 7178bcbd4e2b744d2f7082efbe5d18ea9ca9abd9736736ef3e57286bf783ea1ead08f22a377c99e5f48e9561a36908b3d27260e4157fdd7a7653d5c7cf70d91d |
memory/2156-74-0x00007FF715620000-0x00007FF715971000-memory.dmp
C:\Windows\System\NNmfyLp.exe
| MD5 | e9cf726d638199ad20b026381fe1f435 |
| SHA1 | f26c26e69de06316ad796445f361ab975ca5beab |
| SHA256 | 94f641c5c73a94f9c6cd35dedb140582184516461d7f98ae4c924e8b245a8806 |
| SHA512 | 8a40f2c4497df757fd3e7dbd539b8b181ca16e6a327da8e75962291b8543f4f96cbc3d2f72aa7fa74f2c3dea577fefdb8836a56d08c73d6a4352e91d996d2bd3 |
memory/4048-54-0x00007FF775180000-0x00007FF7754D1000-memory.dmp
memory/2400-46-0x00007FF6D9470000-0x00007FF6D97C1000-memory.dmp
memory/2832-45-0x00007FF766730000-0x00007FF766A81000-memory.dmp
memory/2260-33-0x00007FF720DF0000-0x00007FF721141000-memory.dmp
memory/4836-29-0x00007FF7877C0000-0x00007FF787B11000-memory.dmp
C:\Windows\System\quvZurg.exe
| MD5 | dfc0c2e2f06acc1fd8c9aab4be6c7c77 |
| SHA1 | c846b87fe7d1dea7fd987eb8400b00bdc1f9485a |
| SHA256 | 0a39ed404ad491e55f066cd2d2cd40c94590bd33361040a8c3c23f5d65ff79cd |
| SHA512 | 04c9425055c39d632eb45f1dd6aa1fbf0079a22ae2bd521106cc9e32d7e23eb9cc1757bf7d56ad28fee7e19371555cfaf6307b75c08c5bc49aa0dd0c6c365a11 |
C:\Windows\System\OEBkNnE.exe
| MD5 | 6877319d6a4581cb6638f9bb483b8948 |
| SHA1 | 4f88c3e88a4966e4ceab3f54757ffbaf71363252 |
| SHA256 | d28e64625188244d1350ddb809fc256dc8f887d72d9bdf5961eca2b07e12ad59 |
| SHA512 | 551df79ecc84e8d0fa9f333724b761b58c7ece75e6b3b4eea1b9af329f300f0544240ccca1ba7b089aeb35269691bd3145ba7b766498fac1aabcd38b5527665b |
memory/1764-131-0x00007FF6AF1A0000-0x00007FF6AF4F1000-memory.dmp
memory/4744-142-0x00007FF6A1930000-0x00007FF6A1C81000-memory.dmp
memory/5084-146-0x00007FF7CF230000-0x00007FF7CF581000-memory.dmp
memory/928-151-0x00007FF72DBC0000-0x00007FF72DF11000-memory.dmp
memory/1152-149-0x00007FF6C7500000-0x00007FF6C7851000-memory.dmp
memory/3240-148-0x00007FF7BF300000-0x00007FF7BF651000-memory.dmp
memory/4676-144-0x00007FF734A20000-0x00007FF734D71000-memory.dmp
memory/2156-141-0x00007FF715620000-0x00007FF715971000-memory.dmp
memory/4048-140-0x00007FF775180000-0x00007FF7754D1000-memory.dmp
memory/2400-139-0x00007FF6D9470000-0x00007FF6D97C1000-memory.dmp
memory/2260-137-0x00007FF720DF0000-0x00007FF721141000-memory.dmp
memory/4836-135-0x00007FF7877C0000-0x00007FF787B11000-memory.dmp
memory/2152-133-0x00007FF6BF8B0000-0x00007FF6BFC01000-memory.dmp
memory/2732-147-0x00007FF644950000-0x00007FF644CA1000-memory.dmp
memory/3576-138-0x00007FF71EB30000-0x00007FF71EE81000-memory.dmp
memory/2832-136-0x00007FF766730000-0x00007FF766A81000-memory.dmp
memory/1632-152-0x00007FF6389D0000-0x00007FF638D21000-memory.dmp
memory/1764-153-0x00007FF6AF1A0000-0x00007FF6AF4F1000-memory.dmp
memory/4712-203-0x00007FF70B0B0000-0x00007FF70B401000-memory.dmp
memory/2152-217-0x00007FF6BF8B0000-0x00007FF6BFC01000-memory.dmp
memory/1832-219-0x00007FF69C360000-0x00007FF69C6B1000-memory.dmp
memory/2260-222-0x00007FF720DF0000-0x00007FF721141000-memory.dmp
memory/4836-225-0x00007FF7877C0000-0x00007FF787B11000-memory.dmp
memory/2832-224-0x00007FF766730000-0x00007FF766A81000-memory.dmp
memory/3576-227-0x00007FF71EB30000-0x00007FF71EE81000-memory.dmp
memory/4676-230-0x00007FF734A20000-0x00007FF734D71000-memory.dmp
memory/4048-235-0x00007FF775180000-0x00007FF7754D1000-memory.dmp
memory/2460-239-0x00007FF6FC3D0000-0x00007FF6FC721000-memory.dmp
memory/2732-243-0x00007FF644950000-0x00007FF644CA1000-memory.dmp
memory/2976-241-0x00007FF7C2E30000-0x00007FF7C3181000-memory.dmp
memory/2400-237-0x00007FF6D9470000-0x00007FF6D97C1000-memory.dmp
memory/2156-234-0x00007FF715620000-0x00007FF715971000-memory.dmp
memory/4744-231-0x00007FF6A1930000-0x00007FF6A1C81000-memory.dmp
memory/1152-257-0x00007FF6C7500000-0x00007FF6C7851000-memory.dmp
memory/1820-255-0x00007FF70DDC0000-0x00007FF70E111000-memory.dmp
memory/1632-260-0x00007FF6389D0000-0x00007FF638D21000-memory.dmp
memory/3240-258-0x00007FF7BF300000-0x00007FF7BF651000-memory.dmp
memory/928-253-0x00007FF72DBC0000-0x00007FF72DF11000-memory.dmp
memory/5084-251-0x00007FF7CF230000-0x00007FF7CF581000-memory.dmp
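The listing above is raw sandbox output: one dropped-file path, a four-row hash table, then the memory dumps taken from the processes it spawned, with every dump named `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp`. Turning that into usable indicators means pulling the digests out (checking their lengths, so a truncated hash never lands in a blocklist) and reading the region names, which is where one detail of this report becomes visible: every region listed is exactly 0x351000 bytes, the same image size in each PID, consistent with one payload being written into each of the renamed `C:\Windows\System\*.exe` copies. The parser below is an added example, not code from the report or its vendor; the line formats it matches are inferred from this listing only, and the sample input is a few lines copied verbatim from it.

```python
"""Parse the dropped-file and memory-dump listing of a sandbox report into IoCs.

Added example, not part of the report: the line formats are the ones visible
in the listing above (a Windows path, then '| ALGO | hex |' rows, then
'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' lines). No vendor API is used.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Expected hex-digit length per digest; a row that fails this check is a
# truncated or mis-copied hash and must not be fed to a blocklist.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass(frozen=True)
class Region:
    """One dumped memory range of one process."""
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str):
    """Return ({path: {algo: digest}}, [Region]) for one report listing."""
    files: dict[str, dict[str, str]] = {}
    regions: list[Region] = []
    current = None  # the file path whose hash rows we are currently reading
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = line
            files.setdefault(current, {})
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError("hash row before any file path")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} for {current} has {len(digest)} hex digits")
            files[current][algo] = digest
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append(Region(int(pid), int(seq), int(start, 16), int(end, 16)))
    return files, regions


def ioc_hashes(files, algo="SHA256"):
    """Sorted, de-duplicated digests of one type, ready for a blocklist."""
    return sorted({h[algo] for h in files.values() if algo in h})


def region_sizes(regions):
    """Distinct sizes of the dumped regions; a single repeated size hints at one payload."""
    return sorted({r.size for r in regions})


def regions_by_pid(regions):
    """Unique (start, end) ranges per PID; repeated dumps of one range collapse to one."""
    out = defaultdict(set)
    for r in regions:
        out[r.pid].add((r.start, r.end))
    return dict(out)


# Constructed sample: lines copied verbatim from the listing above, embedded
# so the example runs offline. PID 1820 appears twice (seq 130 and 255).
SAMPLE = r"""
C:\Windows\System\tNGYyhO.exe
| MD5 | cdb8dcede5ae2bc322d9dcfecb07cd7a |
| SHA1 | ce5937dd608063746bced7a496aac5c3998bae2e |
| SHA256 | d319687a2394d00359ef6059b93341b76fc1ece0b32782127fd4284d3a05e42b |
| SHA512 | f43512e54c992c3c33711ab83fb5656b77b62032dc79196a993dfabf82a77d96e53dff9fcc74347d0ceba1fc32ab14ee65baf9087de4dbe06f9fa91eb8b103f9 |
memory/1820-130-0x00007FF70DDC0000-0x00007FF70E111000-memory.dmp
memory/4712-129-0x00007FF70B0B0000-0x00007FF70B401000-memory.dmp
C:\Windows\System\XYSTzlS.exe
| MD5 | 0ef9c51f8c314b1b635691aded2454b5 |
| SHA1 | 9baf6c6a260201cd32836cbfc2f2d259fd86a06b |
| SHA256 | 2786b7cdebc17916d2920e578303499200ab3cd3aadef6f8350f17b83d210324 |
| SHA512 | 10fe6c88e20a8bd32409f67d65ee60e1748b3b8e56e690c6f17a20c6b229ec3f90a38caf9c202b1a0de0d71cbda057f2e6a3ab143766e3d7d123fd1d4fadf1e4 |
memory/1820-255-0x00007FF70DDC0000-0x00007FF70E111000-memory.dmp
"""

if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE)
    for path, hashes in files.items():
        print(path, hashes["SHA256"])
    print("region sizes:", [hex(s) for s in region_sizes(regions)])
    print("pids:", sorted(regions_by_pid(regions)))
```

Run it against the whole listing rather than the sample and `region_sizes` still returns a single value, 0x351000, for every PID from 928 through 5084; `regions_by_pid` also shows that the later dumps (sequence numbers 131 and up) are re-captures of the same ranges, not new allocations, so the dump count overstates how many distinct regions were observed.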