Analysis Overview
SHA256
f4e34a310e209cda8c05991ca933c2c54aae34f99a269534dbea1ea0495ea60d
Threat Level: Known bad
The file 2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
xmrig
Cobalt Strike reflective loader
XMRig Miner payload
Xmrig family
Cobaltstrike
XMRig Miner payload
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-25 11:43
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 11:43
Reported
2024-10-25 11:45
Platform
win7-20240903-en
Max time kernel
140s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| 21 hits, no details recorded | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| 39 hits, no details recorded | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\jPKltco.exe | N/A |
| N/A | N/A | C:\Windows\System\mBwbXJY.exe | N/A |
| N/A | N/A | C:\Windows\System\tpVoeqD.exe | N/A |
| N/A | N/A | C:\Windows\System\OCDZoGw.exe | N/A |
| N/A | N/A | C:\Windows\System\XSKGkOV.exe | N/A |
| N/A | N/A | C:\Windows\System\LplFxea.exe | N/A |
| N/A | N/A | C:\Windows\System\OkcEBNe.exe | N/A |
| N/A | N/A | C:\Windows\System\CQDCvQW.exe | N/A |
| N/A | N/A | C:\Windows\System\FIDPGuy.exe | N/A |
| N/A | N/A | C:\Windows\System\HNwpgiM.exe | N/A |
| N/A | N/A | C:\Windows\System\zwDRwie.exe | N/A |
| N/A | N/A | C:\Windows\System\QhmhGlU.exe | N/A |
| N/A | N/A | C:\Windows\System\TgxVVZm.exe | N/A |
| N/A | N/A | C:\Windows\System\zLumjuj.exe | N/A |
| N/A | N/A | C:\Windows\System\rcYfxvl.exe | N/A |
| N/A | N/A | C:\Windows\System\vJovBAx.exe | N/A |
| N/A | N/A | C:\Windows\System\lexlksp.exe | N/A |
| N/A | N/A | C:\Windows\System\anKlcIM.exe | N/A |
| N/A | N/A | C:\Windows\System\BbFRkvU.exe | N/A |
| N/A | N/A | C:\Windows\System\QluPupV.exe | N/A |
| N/A | N/A | C:\Windows\System\tBVMUYa.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| 64 hits, no details recorded | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\jPKltco.exe | C:\Windows\System\jPKltco.exe |
| C:\Windows\System\mBwbXJY.exe | C:\Windows\System\mBwbXJY.exe |
| C:\Windows\System\tpVoeqD.exe | C:\Windows\System\tpVoeqD.exe |
| C:\Windows\System\OCDZoGw.exe | C:\Windows\System\OCDZoGw.exe |
| C:\Windows\System\XSKGkOV.exe | C:\Windows\System\XSKGkOV.exe |
| C:\Windows\System\LplFxea.exe | C:\Windows\System\LplFxea.exe |
| C:\Windows\System\OkcEBNe.exe | C:\Windows\System\OkcEBNe.exe |
| C:\Windows\System\CQDCvQW.exe | C:\Windows\System\CQDCvQW.exe |
| C:\Windows\System\FIDPGuy.exe | C:\Windows\System\FIDPGuy.exe |
| C:\Windows\System\zwDRwie.exe | C:\Windows\System\zwDRwie.exe |
| C:\Windows\System\HNwpgiM.exe | C:\Windows\System\HNwpgiM.exe |
| C:\Windows\System\QhmhGlU.exe | C:\Windows\System\QhmhGlU.exe |
| C:\Windows\System\TgxVVZm.exe | C:\Windows\System\TgxVVZm.exe |
| C:\Windows\System\vJovBAx.exe | C:\Windows\System\vJovBAx.exe |
| C:\Windows\System\zLumjuj.exe | C:\Windows\System\zLumjuj.exe |
| C:\Windows\System\lexlksp.exe | C:\Windows\System\lexlksp.exe |
| C:\Windows\System\rcYfxvl.exe | C:\Windows\System\rcYfxvl.exe |
| C:\Windows\System\QluPupV.exe | C:\Windows\System\QluPupV.exe |
| C:\Windows\System\anKlcIM.exe | C:\Windows\System\anKlcIM.exe |
| C:\Windows\System\tBVMUYa.exe | C:\Windows\System\tBVMUYa.exe |
| C:\Windows\System\BbFRkvU.exe | C:\Windows\System\BbFRkvU.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/1868-0-0x000000013F390000-0x000000013F6E1000-memory.dmp
memory/1868-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\jPKltco.exe
| MD5 | ee661a74c92017e2f3711b914f34b74f |
| SHA1 | 12801fc71de9bcef44e77d1b75329476e82bad96 |
| SHA256 | 547536721ce399221561a2546022c10bc31ee2500e082b25b69ef3a62d70f596 |
| SHA512 | 488249d5dbef5f771f7e71fe628f777b77a76d9327645d23c60de38015775dea9b03b7713bf9fa3682a1dea7c7cafe0728d4d113ea721c2320dbaf341e46e639 |
C:\Windows\system\mBwbXJY.exe
| MD5 | 7c74c3423b444d4d06f0a7618b10b891 |
| SHA1 | 3b17794af26ec509f3a72cd247853da13d1388ba |
| SHA256 | 872b41861ffca6a6c6e8f89bf4d7442a725740cfabb4ae940115adeb5a401551 |
| SHA512 | 58621cc346b5d022f7c6d4d7eea6362c9dc7c0fd76d5e80612a66787603438edee87aaaefcc8a847fb2d6bd9daaac81ecae7a4c383ef09ea178d69e37374612d |
memory/2084-18-0x000000013FA90000-0x000000013FDE1000-memory.dmp
memory/1868-22-0x0000000002360000-0x00000000026B1000-memory.dmp
memory/2876-21-0x000000013F360000-0x000000013F6B1000-memory.dmp
memory/1868-30-0x000000013FBB0000-0x000000013FF01000-memory.dmp
C:\Windows\system\OCDZoGw.exe
| MD5 | d2a824f36cd199bed093a83ab6c70287 |
| SHA1 | ac93e4e7fd8d1e278fc4de4de42ea4a4ba45bc10 |
| SHA256 | a6ffd972f97f009f7e9907a589e52e2792f403280e637749e5486029ead9604f |
| SHA512 | 4052da3ac0c7aa6bb8709a609c8093ba273e18cb2dc6c2f7f9630adb0716e4f2a0c99c73652ec117a1f2f9cfe263e709fa64de7bade115eec8ee55aab6c28013 |
memory/2828-42-0x000000013FEB0000-0x0000000140201000-memory.dmp
memory/2892-49-0x000000013F480000-0x000000013F7D1000-memory.dmp
\Windows\system\CQDCvQW.exe
| MD5 | 3fc2d5cd38bd16952cd7c3fa0b520b38 |
| SHA1 | 2c23db20edaf8727308653bfcb471bb654c32de4 |
| SHA256 | 01d72746ff41eb2865e6dd18d722b44c6c91b0208260b1b777acff1673b2b6e5 |
| SHA512 | 3127fa369378768069e0a2c83f04d35f199f2c285e7f5d16847c9afa0b34e88baacccbf013616f94f57e159b44a54874bd702c134788848cb7672ed8585d2a71 |
memory/1868-51-0x000000013FD20000-0x0000000140071000-memory.dmp
C:\Windows\system\OkcEBNe.exe
| MD5 | b95891d0606679c864400a22b4950d60 |
| SHA1 | 5d244a2fe84408576f0e4fd523db10d06dda6c6e |
| SHA256 | 2e6d69108db639f9fac14c3662fe15d45e572d764a08e382a45b3789f6ce292b |
| SHA512 | 41d6b83001cc5a0ce0898404aba3ce7e8194ac4c0c5a50576d94aba5b29628b446f557925ab0fcdc15bda572b1bdd9f3abc3499e1fd8190c2108c5e7fa3f7f6c |
C:\Windows\system\LplFxea.exe
| MD5 | d27c656e403b2dfbc03b61ad90c09d86 |
| SHA1 | 3d3b40e5ac7ebc3290df42b506534469b23a2a10 |
| SHA256 | 0c1df84c0257a98cf10f86b224da98cd2f1c75a002df8a46c25c2eebdb05ed0c |
| SHA512 | e9903ee877937a2b64a25ed7e85062c7a874fb696139a0dbc58ab2cdc2d22f40d350286caa1cb846c827604df93637879efa232aeecf27811ef7f82da8357fbf |
memory/1868-40-0x000000013FEB0000-0x0000000140201000-memory.dmp
memory/1868-39-0x000000013F9F0000-0x000000013FD41000-memory.dmp
memory/2772-36-0x000000013F9F0000-0x000000013FD41000-memory.dmp
memory/2460-35-0x000000013FBB0000-0x000000013FF01000-memory.dmp
C:\Windows\system\XSKGkOV.exe
| MD5 | 118ee54ba7aadd1b6e7af63cb5607ba5 |
| SHA1 | fbaf1212fc28a9a40e9e3b6dca253ce5c6ccd51a |
| SHA256 | f79f55a4e96c879e004809115a72ada3c062fab0e9522576751d7a2948aed8c0 |
| SHA512 | d8c079d2495623e889d9a7f7d1b3e5fe05f184638747b00f115d3c03d43c4896a8761b84b5b6d91db3ffb8c40786424ea9a9c6e2c409bf10cf4da3ddf4ea8184 |
memory/1868-20-0x0000000002360000-0x00000000026B1000-memory.dmp
memory/1588-19-0x000000013F510000-0x000000013F861000-memory.dmp
C:\Windows\system\tpVoeqD.exe
| MD5 | f2b7bbba2137a4730ad3339f98bfbf3d |
| SHA1 | d1fd0252319cfa265c086ff8d6d131bfcc8c7da7 |
| SHA256 | 39ceb5bef61cd96e53384f4e5614f4fe4f82013eea1bf80581d2e2340040ef51 |
| SHA512 | eead57e920f6ab437f1d02a922a581b699262c9b0f01009da31b39225cbe8953cc70074ddac1d4ccfa9d6516e688ec31060255a89f09d423efbd22521f4eb431 |
memory/2084-56-0x000000013FA90000-0x000000013FDE1000-memory.dmp
\Windows\system\HNwpgiM.exe
| MD5 | 515428d38df05f04e1ef52bf21544f81 |
| SHA1 | 29661eac7a1d70d3555fa669e9fda1b6aa36e53d |
| SHA256 | 00bd4395b1e57f881d5438e4ce98b95263a1ca052bfb3d898f36ddf55f8537cf |
| SHA512 | 152e43da44ebaecae7ccde561889adad432f725e11033bbac2c37e2369ac0a3081bd7a81fee3fcfb77596857d39947549ef59fd1a47110433b66fa6a9fefd1fb |
C:\Windows\system\FIDPGuy.exe
| MD5 | 8e9bcd1b0fdfcf021114c004b432349d |
| SHA1 | 27f8e71d6b0bd77dfc7b0f625fd5dbf8237745ca |
| SHA256 | e3c8a54f463d8da430a6b66e8aeb0172b3b935d3aa93747903d78f32f54a7f18 |
| SHA512 | f01a60c247ca86bf6bc6f8578be61258c193935b5e7e7195b124a3e5a0883be79b648870e324c695692015487024ea1b1b774a59ddee4655521a45c4d55f2174 |
C:\Windows\system\rcYfxvl.exe
| MD5 | 12602110b6d4056523ba77fef7772eaf |
| SHA1 | 6f78356a51fb5b7ef5db5e78d5e8c1fb34231300 |
| SHA256 | 46626d6ae35c2c850d7cd921b284c814519c4461a42798e6e902140e578306e3 |
| SHA512 | 4725bea12447a580a47587342e405b379f9ca52585660b484b54a61f193758150fa21ae7d395175a5d92e999ba4652d1b9e2fe3b9cfcda6042a8ac2730502b8e |
C:\Windows\system\lexlksp.exe
| MD5 | 9f9d8fa978db48f8b34b062ac1789df2 |
| SHA1 | 02f76457b65db4b2e12c1fa131d783d7c5269d81 |
| SHA256 | 99a1bcd863747492f66762550dfd1a2612dfcb08da24aa824b655ae6d73e8267 |
| SHA512 | a3847b71d23aef0716bad73a63d627981e3b57a904358f805232e182151b90a0b2061dfde70a24ec34c0e8a0db3ab15d8f20d6da637801c4128d392fcd9b1fcc |
memory/2700-122-0x000000013F340000-0x000000013F691000-memory.dmp
\Windows\system\tBVMUYa.exe
| MD5 | b12ccc5c31457e6458d9042eb61720ab |
| SHA1 | 60ea34a82bcdd22e728c00d650eb6d5a70ba7e67 |
| SHA256 | 4b269e75baa59a66b32a062dec745b6fb6f4afa9b259ec4e81c3ee42499309bf |
| SHA512 | 234eaf096f22d8a33d854d6f5ce178b116b366ef9e3068199cd8570da88097efa1a3665ac383853ba2f6cb40a30cbd226e69fc11edab94cc11ad10dce91c31f4 |
C:\Windows\system\vJovBAx.exe
| MD5 | 4ffe387750519f7f625098bfa63e739f |
| SHA1 | 2f35fcf21e66915df677a6288686631ce9da219d |
| SHA256 | 1c2e2db42e7a4233da25b3333d6aa9ad6e19bca8e8b0f8c3ab8f1261ce0ec81f |
| SHA512 | 9fa3eea41c5cdd72e4411b6eecf7047cb5b243cf8aa7bebc200f531829399d5297e677852cc94ed055ec0d9875be404ba78be4bd98baea3fce8bd70eeb5fa9e4 |
\Windows\system\QluPupV.exe
| MD5 | d5d11fcc85a8a4122a1f306afc1b81aa |
| SHA1 | 6eba264966ce1f9226e17194ebf9fe7bb54971bc |
| SHA256 | 755f5bec351b0b14a866152092fe18b912523871b6684f74884e789cdfe8cd37 |
| SHA512 | 902b38161e44eb0eb21d5df4e35753a79ae7b2e8bce49fb0dfba4a7e24afe568468dc4e766e37ad8b992896dd788670b25adbf090455975c8923c52a873b9510 |
memory/2656-92-0x000000013F450000-0x000000013F7A1000-memory.dmp
memory/1868-88-0x0000000002360000-0x00000000026B1000-memory.dmp
memory/2772-137-0x000000013F9F0000-0x000000013FD41000-memory.dmp
C:\Windows\system\QhmhGlU.exe
| MD5 | 4889fc202495f6cb1a91d8a10b44954b |
| SHA1 | 4c25f0060fa0922c437269034fd3f004eb5a8870 |
| SHA256 | b39d111e7fb2b6b552f829e217455b998e4134db6f17e19ba33b8695a64423a8 |
| SHA512 | 2f14dd9603372ccc462898cebe28e5015f90c2654a1dda1ea079acb089c5e1545ea319094b38842c6ba7c40e3774dc2afa2169e9bea8e4c29b2c985631bf1ae8 |
memory/1868-81-0x000000013FEB0000-0x0000000140201000-memory.dmp
C:\Windows\system\zwDRwie.exe
| MD5 | f9f4486c4c520134fee3db856fd59d8b |
| SHA1 | 63b0fe447972435648ab2f3bf28d97e86f4f53d1 |
| SHA256 | c7a8c39e8e47bfcdf97f47f43b9519a1a202afd1522afde4b7563093059b29e3 |
| SHA512 | 8fd64abf4df5630fa1cce7eec6618907514a7ff5592717effeadce46d8a9a7990ccefe1b83c553217e97a82a85823b5eb56c1adee5b8c1e2cd1132b51005998b |
memory/1868-138-0x000000013F9F0000-0x000000013FD41000-memory.dmp
memory/1868-131-0x0000000002360000-0x00000000026B1000-memory.dmp
memory/1868-130-0x000000013FD60000-0x00000001400B1000-memory.dmp
memory/2668-129-0x000000013F960000-0x000000013FCB1000-memory.dmp
memory/1868-128-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/1868-127-0x0000000002360000-0x00000000026B1000-memory.dmp
C:\Windows\system\BbFRkvU.exe
| MD5 | 4d2f3e124f36a8285197faaf539a0762 |
| SHA1 | 937436a24e131e5d08951d5d599664fdfd77c0f8 |
| SHA256 | 8f65a4588855ba1731da8844342514d83b85cad92d1b5a4a35eb602122ff5503 |
| SHA512 | 4e4bb83587a9cd3b2430f699250dae0a2ae8858a199f5a7e388de08b208db2b7cc37432c1ad25c0e7ddcfd45bbf38fc38ed7bd4f7f1c1ae470ebe5b22ff5ff05 |
memory/2460-125-0x000000013FBB0000-0x000000013FF01000-memory.dmp
C:\Windows\system\anKlcIM.exe
| MD5 | 9777d0a05aeb2efbe04adf73315d21cc |
| SHA1 | fa0d18c91193c43332af9112dac10842475ce4e0 |
| SHA256 | eaa4216637717e8e0a24645ead3f479b5786c6dec4acd6815c3ccc7e4beaaa1d |
| SHA512 | 6707b264ba98796c65bf9d90107a79c9557e485be68c467f6ce5520856222b3af44396330a1294f700b51ae38c37237389359b8ba2a725d78d2598bc0a9efc84 |
memory/2828-139-0x000000013FEB0000-0x0000000140201000-memory.dmp
memory/1868-104-0x000000013F960000-0x000000013FCB1000-memory.dmp
memory/1868-101-0x0000000002360000-0x00000000026B1000-memory.dmp
memory/1868-100-0x000000013FA20000-0x000000013FD71000-memory.dmp
C:\Windows\system\zLumjuj.exe
| MD5 | 7fd6c474b9b485daaa7a157dd08e81f0 |
| SHA1 | c242b11a759700e730abf76d97a2038020691e06 |
| SHA256 | a13102f2455545568fda5adb26111bd0b62261f6780473867ad5e2855f73b307 |
| SHA512 | b8f05374d676b52113f3d60d7eb765fd8c054f4c3d2327e6f66e53b5d14f73628391636ee51801c4cb1cff3f44c81b4a981b2ef1c0a57f2336c3de57fac8673f |
C:\Windows\system\TgxVVZm.exe
| MD5 | f9e9c7cce10330d2c97272d1fd53b66c |
| SHA1 | ee65f797002fad4ef247cb61539952b3285a00b8 |
| SHA256 | c21e172ad866b6aed80d58da3a9ffeedb54682148b6e9f94a6b52fac6460be62 |
| SHA512 | 3847dd5441e5bd45d8fbfffc7410b189ac412ecfd65bd584cab4ccd9da611ceb9edfb5096fcfcfa1f209c88b746ab7df526a65cb67fa86adb10461a4900d93fa |
memory/2896-87-0x000000013FEB0000-0x0000000140201000-memory.dmp
memory/2912-58-0x000000013FD20000-0x0000000140071000-memory.dmp
memory/1868-55-0x000000013F390000-0x000000013F6E1000-memory.dmp
memory/1868-140-0x000000013F390000-0x000000013F6E1000-memory.dmp
memory/2912-147-0x000000013FD20000-0x0000000140071000-memory.dmp
memory/1868-150-0x0000000002360000-0x00000000026B1000-memory.dmp
memory/2700-153-0x000000013F340000-0x000000013F691000-memory.dmp
memory/1868-164-0x000000013F960000-0x000000013FCB1000-memory.dmp
memory/2900-162-0x000000013F190000-0x000000013F4E1000-memory.dmp
memory/2524-163-0x000000013F230000-0x000000013F581000-memory.dmp
memory/2944-161-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/596-160-0x000000013FCE0000-0x0000000140031000-memory.dmp
memory/1928-159-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/2980-158-0x000000013FD60000-0x00000001400B1000-memory.dmp
memory/1484-157-0x000000013FA20000-0x000000013FD71000-memory.dmp
memory/1036-156-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/1876-155-0x000000013F630000-0x000000013F981000-memory.dmp
memory/1868-165-0x000000013F390000-0x000000013F6E1000-memory.dmp
memory/2084-213-0x000000013FA90000-0x000000013FDE1000-memory.dmp
memory/2876-222-0x000000013F360000-0x000000013F6B1000-memory.dmp
memory/1588-223-0x000000013F510000-0x000000013F861000-memory.dmp
memory/2460-227-0x000000013FBB0000-0x000000013FF01000-memory.dmp
memory/2772-226-0x000000013F9F0000-0x000000013FD41000-memory.dmp
memory/2828-229-0x000000013FEB0000-0x0000000140201000-memory.dmp
memory/2892-231-0x000000013F480000-0x000000013F7D1000-memory.dmp
memory/2912-243-0x000000013FD20000-0x0000000140071000-memory.dmp
memory/2896-245-0x000000013FEB0000-0x0000000140201000-memory.dmp
memory/2656-247-0x000000013F450000-0x000000013F7A1000-memory.dmp
memory/2668-249-0x000000013F960000-0x000000013FCB1000-memory.dmp
memory/2700-254-0x000000013F340000-0x000000013F691000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 11:43
Reported
2024-10-25 11:45
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| 21 hits, no details recorded | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| 45 hits, no details recorded | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\mreQECg.exe | N/A |
| N/A | N/A | C:\Windows\System\HkqbZsN.exe | N/A |
| N/A | N/A | C:\Windows\System\cgETvJO.exe | N/A |
| N/A | N/A | C:\Windows\System\oChjBqi.exe | N/A |
| N/A | N/A | C:\Windows\System\nBHtFnQ.exe | N/A |
| N/A | N/A | C:\Windows\System\OHPtLMm.exe | N/A |
| N/A | N/A | C:\Windows\System\YVZotDn.exe | N/A |
| N/A | N/A | C:\Windows\System\dXpysas.exe | N/A |
| N/A | N/A | C:\Windows\System\HkvenMA.exe | N/A |
| N/A | N/A | C:\Windows\System\LfUaFmH.exe | N/A |
| N/A | N/A | C:\Windows\System\dhcOTdH.exe | N/A |
| N/A | N/A | C:\Windows\System\IziXmUK.exe | N/A |
| N/A | N/A | C:\Windows\System\aoNgqeg.exe | N/A |
| N/A | N/A | C:\Windows\System\YWuaHYM.exe | N/A |
| N/A | N/A | C:\Windows\System\yjekeIT.exe | N/A |
| N/A | N/A | C:\Windows\System\uKlqATs.exe | N/A |
| N/A | N/A | C:\Windows\System\IdeOTRQ.exe | N/A |
| N/A | N/A | C:\Windows\System\NhZODOb.exe | N/A |
| N/A | N/A | C:\Windows\System\LMKxTad.exe | N/A |
| N/A | N/A | C:\Windows\System\AtDqQdf.exe | N/A |
| N/A | N/A | C:\Windows\System\MVMgsyl.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| 64 hits, no details recorded | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-10-25_08d9c58acde848aa8bfa633343558c6b_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\mreQECg.exe | C:\Windows\System\mreQECg.exe |
| C:\Windows\System\HkqbZsN.exe | C:\Windows\System\HkqbZsN.exe |
| C:\Windows\System\cgETvJO.exe | C:\Windows\System\cgETvJO.exe |
| C:\Windows\System\oChjBqi.exe | C:\Windows\System\oChjBqi.exe |
| C:\Windows\System\nBHtFnQ.exe | C:\Windows\System\nBHtFnQ.exe |
| C:\Windows\System\OHPtLMm.exe | C:\Windows\System\OHPtLMm.exe |
| C:\Windows\System\YVZotDn.exe | C:\Windows\System\YVZotDn.exe |
| C:\Windows\System\dXpysas.exe | C:\Windows\System\dXpysas.exe |
| C:\Windows\System\HkvenMA.exe | C:\Windows\System\HkvenMA.exe |
| C:\Windows\System\LfUaFmH.exe | C:\Windows\System\LfUaFmH.exe |
| C:\Windows\System\dhcOTdH.exe | C:\Windows\System\dhcOTdH.exe |
| C:\Windows\System\IziXmUK.exe | C:\Windows\System\IziXmUK.exe |
| C:\Windows\System\aoNgqeg.exe | C:\Windows\System\aoNgqeg.exe |
| C:\Windows\System\YWuaHYM.exe | C:\Windows\System\YWuaHYM.exe |
| C:\Windows\System\yjekeIT.exe | C:\Windows\System\yjekeIT.exe |
| C:\Windows\System\uKlqATs.exe | C:\Windows\System\uKlqATs.exe |
| C:\Windows\System\IdeOTRQ.exe | C:\Windows\System\IdeOTRQ.exe |
| C:\Windows\System\NhZODOb.exe | C:\Windows\System\NhZODOb.exe |
| C:\Windows\System\LMKxTad.exe | C:\Windows\System\LMKxTad.exe |
| C:\Windows\System\AtDqQdf.exe | C:\Windows\System\AtDqQdf.exe |
| C:\Windows\System\MVMgsyl.exe | C:\Windows\System\MVMgsyl.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/3488-0-0x00007FF72E6D0000-0x00007FF72EA21000-memory.dmp
memory/3488-1-0x00000168BE8A0000-0x00000168BE8B0000-memory.dmp
C:\Windows\System\mreQECg.exe
| MD5 | 2f4f11716419523ebe57e50c21d6f65e |
| SHA1 | 86c9c793b38cd7249d647a4cdfdd5e7333084cf4 |
| SHA256 | a87764ee35af9a05ff5c808c418bb5cba4d616c9ef0c3f83165c45a0ebbec8fe |
| SHA512 | e5f3539a2ba34a8c64ef67f5e33ad05d20e52779553bc29f43c6838374269071240701be32fcff87da0e4f13818e40ef0ea5ac3c03de5d08a4d31b5cae431715 |
memory/2420-7-0x00007FF77F7F0000-0x00007FF77FB41000-memory.dmp
C:\Windows\System\HkqbZsN.exe
| MD5 | 7fa95c123891770905e1bbb518cd5b8f |
| SHA1 | de3cb0291d96c769b3f3edae4b3b6b5f206298c4 |
| SHA256 | 6d4203c50ab1c38d60fb3356be6614b64ac29da350ac5b76095ef0ccddfe4034 |
| SHA512 | f2b7d8b101d7b63e7c80673dcfd6bde9748a53b10d62bda8336e731a7bb39aeaee59fb951a97c1489c05abfbcc19c208ccd219005e4d1bed28955310ccff078e |
C:\Windows\System\cgETvJO.exe
| MD5 | dba1befb3e7791bb88e7ab6ed25e481a |
| SHA1 | c6868af175bdc7b8ec4bc8c7265e1bab4fc4489d |
| SHA256 | debda88bdec95ea58b6341677b1592912a0c42727950386bc93df7f99a681037 |
| SHA512 | ed2395056d8de0a87e7fb377cb30eb554bc9c9603652bd37122eb5fa275d26b54a98c21578ffedf029f553966edd4028a414f343a23914c1aab0acd993ade6b6 |
memory/2276-12-0x00007FF6C3800000-0x00007FF6C3B51000-memory.dmp
memory/232-18-0x00007FF654830000-0x00007FF654B81000-memory.dmp
C:\Windows\System\nBHtFnQ.exe
| MD5 | beef062ae233e56124b6b12db672a618 |
| SHA1 | 97769465b1154c05a98163a2517bfcc93b7b3958 |
| SHA256 | cdccf741f6a1f46053d79fa8b80707681dece4330af1db2697674eaa079fd3eb |
| SHA512 | 516ba6640a604f0132af0ab01f09e9c6511b22505c6ead0b7377bafa812babf18fb3ed0d361b42218f8ace2009ac06ca8604613ad8c6d3639b9314c506d41709 |
memory/5064-24-0x00007FF603470000-0x00007FF6037C1000-memory.dmp
C:\Windows\System\oChjBqi.exe
| MD5 | 88a77514059a4bf12161adbe8fd3126e |
| SHA1 | 73f017689cec5412400a37765147c47fd378cf75 |
| SHA256 | 21306f179ce2909e4cb2b5964287ede1bdc1097c603496ec9478eb80653d2c72 |
| SHA512 | 611a09bb702fabb0f3e7e9300f07663601a7cb7679ed6a0aa51a5be10d6960faa2c2b94131e48be371459f3597c546fd5b4d41d04db8a31038bb0c3ae30f781b |
C:\Windows\System\YVZotDn.exe
| MD5 | 82c10b5fdb3f702320702abeed7d54e6 |
| SHA1 | 20432d2a6f589b2bbc208f98a27b383ee7866d8e |
| SHA256 | 1533c7a6bb7333515609819c9113ec9a5bae4c07330c2322feabcfac1a9687f4 |
| SHA512 | cb9605816cb3d4e8d36ff0e908ef838aacefaf849642be7c6f10e0c1e04a52bb4f96d1475cfedceb87e52f1043ac78834509109d9049c6972f180488261c64bf |
C:\Windows\System\OHPtLMm.exe
| MD5 | 824d66c69cf88e080c5165f7404c6eef |
| SHA1 | d73c7139e12121eb07dbcb782a0d2d76beda51ef |
| SHA256 | 2ffc36ee6deee1b759c0218bbdd7e03b9e7bd4596c895e9cc020524e5a80b06f |
| SHA512 | 03b58440949919c2047e2142b53e798bbae2053ff50a02dedbb4ed2de0877aecf7c7631890cb74dd22c09fae314c1d1dba2c027678340f8901752f7944d3c59e |
C:\Windows\System\dXpysas.exe
| MD5 | 32a7077f7d55c82d803f9d1836079722 |
| SHA1 | eac938cf4d4827a32bf2959468173ae08869be9a |
| SHA256 | fc5949383b6d21d644e3d77500f540b4c87c53afddfd1a245b2da53c5fd9800f |
| SHA512 | bfa7ab1114e1e082f0ca995b6c3a28e3f8bcd0aa9286317ef6d049d16a843fa5cbb962beed28c6c3f8d52c43d1029b3fd46b285e4bc55f19bc36e22e04b46188 |
C:\Windows\System\dhcOTdH.exe
| MD5 | 1c2115e6cf285527e81e4442863ca6c5 |
| SHA1 | 51d0db905b54d575477bbfbc69f3609d3deacae2 |
| SHA256 | 89a0ee2f8580808c05e5105e930bb7367d5edf4a8a090e6a60496baf2569dc59 |
| SHA512 | 59b674d5720a801894976c9acc9030f01aeffa0f6b891f5845ffdf21d30c2638e910e7540ed32ad67b5b3caacc093697c39c3b9176ef5f61a230284e35e7ce61 |
memory/4536-81-0x00007FF6DF6C0000-0x00007FF6DFA11000-memory.dmp
C:\Windows\System\yjekeIT.exe
| MD5 | 2a1a596804f4b2a29c78562f66424e32 |
| SHA1 | 3914b8546cfd185137cee519ec62eafaafccebd9 |
| SHA256 | da2914cc0f30faa6f3b4b9b61220cd3c405006c3b4606d20c8c369a5f81527d2 |
| SHA512 | 452bf5756cd36aed09e1eed2b62d32da4cc185f02600251fb6a489d9be927647f5ab5c3ac42fe232fcd653cd453e8ed8af981cef6abb671afae9c592f2ddee55 |
C:\Windows\System\YWuaHYM.exe
| MD5 | 0a8e5cf6de7ee2c86c2b309d4275c5eb |
| SHA1 | b149cd6fc9b56de4bb98e0f244d4e6a19e58b54d |
| SHA256 | c7e89d2f1b4b6f75d299563d9cae512abe8e5543bb6e8baca7cea0eb07fbf99b |
| SHA512 | e9b8ccd6f1a039d9f2bbb4044fbeb64ebf937adafde03260af93decc1f67b392251eb3f792abe3b621379522cdfbfc8a84b09e0c68e063cae835eb1408cf51a8 |
memory/3708-105-0x00007FF7E3550000-0x00007FF7E38A1000-memory.dmp
C:\Windows\System\NhZODOb.exe
| MD5 | 7495709b70e6bf93d2394aba7e74a805 |
| SHA1 | ab980f47fd92ab31c4035a6e8ca09a9c2c4cd340 |
| SHA256 | 5eaf251a1ead51784db78ff1801a8ed21b2abf971c718979a1197a0fcb13614e |
| SHA512 | cb3588a714e78eeff8fab1ab35d711eafb0509d484f98174a5d5056c84d0f7dd302e6386a94bbca06ae56693c70c58cd1a2616c7c3cac6238051c196a6c56e89 |
C:\Windows\System\IdeOTRQ.exe
| MD5 | e59f27b4b8c9cbd15289fe68e41e1a37 |
| SHA1 | 99a04cf88405c25ebca45dc4e6c87edf47a8c061 |
| SHA256 | db48dff3b1549635c73eed4647c66daae1bcd526e5194dc5913e190d31188fdb |
| SHA512 | 90e318565e56897c261dd5ad6340ac02ecdfed7a473502e33e04997c363c131450c55189887d7e2a52fc79e6030d605ef8fa8baaf76e75e994fc6b8a7a0dabe4 |
memory/4452-135-0x00007FF62B810000-0x00007FF62BB61000-memory.dmp
C:\Windows\System\MVMgsyl.exe
| MD5 | 9fc7c87738741b6a62327d43c1f51b27 |
| SHA1 | a48fb8463620532849ad4e4c241c48f02aa459ad |
| SHA256 | e41073bf463188b52c760a67e907cee5189fd987b8fe248e2ad2a46f02bbb474 |
| SHA512 | 6859af333d2c13ea958ed062d0531f58dd8ee7dbcfe299ee94cf8bef7835c170541f5c2a72a41d7e57b0aa8028119bed5701f1933e44dc28d4c3ea5bcc81aaa7 |
memory/4032-136-0x00007FF7C8CE0000-0x00007FF7C9031000-memory.dmp
C:\Windows\System\AtDqQdf.exe
| MD5 | ee74e5150d2bee55dd3f2adee815c364 |
| SHA1 | 333d343c9d79cc44a842d96c541b3fefea7efdae |
| SHA256 | f6ea05a25812d2be72d1b9e225774e81c71d9ed59224658a37f542f4a7f1abd1 |
| SHA512 | b6d4bf682dcf536d30dfe84ba776238b4965d79d01dd16afaaf08f7441a6bfb6216c9c85e3e9343ca3f89e6df17016c36bf014ccf7b76842176e96cc56e4039e |
memory/792-131-0x00007FF70A410000-0x00007FF70A761000-memory.dmp
memory/2488-129-0x00007FF630680000-0x00007FF6309D1000-memory.dmp
C:\Windows\System\LMKxTad.exe
| MD5 | 1c79aa03db1f8aa129c79aec32c85ee9 |
| SHA1 | 003f442abd5d6d0ee86afc0e96d2622e199937fe |
| SHA256 | f894ce64399ddd4ab9de3f572da5a8a955062598de77c0322a1f6f4bde007d8c |
| SHA512 | 2744dabd63bf8c43a7a75fa45bfff12cd22183c849e597bac04285a8f3f1dfa94a677a8111e63b87b86a8a392aa230aad9db22a98f78f0f639b0b7f3f6084bc2 |
memory/4920-121-0x00007FF694ED0000-0x00007FF695221000-memory.dmp
memory/3792-120-0x00007FF7A3090000-0x00007FF7A33E1000-memory.dmp
memory/4776-116-0x00007FF6CCB90000-0x00007FF6CCEE1000-memory.dmp
memory/3096-115-0x00007FF6F43E0000-0x00007FF6F4731000-memory.dmp
C:\Windows\System\uKlqATs.exe
| MD5 | fe53d4d456f45e03d7f74ba0764625c9 |
| SHA1 | bdd8b46d9ae5e6025e6f4fa07efbaf709ac859a7 |
| SHA256 | 13edcfa8db68c4385bba9a2bb420172b2a1d0ed72d3c3a988a36c1b36eb0a430 |
| SHA512 | f9a33cd33d0ad6c0396d5d220cf21ea6b17a7c3b27d3d062b84464b08e8f54816a8146f3c177e90ef03315b13f27faeadc2d2c4e79cde83708442fc104e49598 |
memory/3756-110-0x00007FF6E0190000-0x00007FF6E04E1000-memory.dmp
memory/4764-109-0x00007FF620690000-0x00007FF6209E1000-memory.dmp
memory/4824-104-0x00007FF62DA60000-0x00007FF62DDB1000-memory.dmp
memory/460-96-0x00007FF6E5330000-0x00007FF6E5681000-memory.dmp
memory/4928-95-0x00007FF7E2CA0000-0x00007FF7E2FF1000-memory.dmp
memory/5064-92-0x00007FF603470000-0x00007FF6037C1000-memory.dmp
memory/848-91-0x00007FF6B1130000-0x00007FF6B1481000-memory.dmp
C:\Windows\System\aoNgqeg.exe
| MD5 | aa72faaa3fb1c68ab723e8fef2bc646b |
| SHA1 | f1a8a4bb02cedb98c3a46067ce72d381c13a9d61 |
| SHA256 | b9e9f94f4c3ac80e06bf081fc59c43e35c5f2582552b372c8b1f1c6dc4d5b3eb |
| SHA512 | d374c8c1c9c900a7529558bb3e6f67321d017bfc44401016f89f23a0fa7445df7b87b92e8f344f3e78a317f0084302e7436ffd6219386ffcd7e9992a7a18f8fe |
C:\Windows\System\IziXmUK.exe
| MD5 | 3161485ebcc7622034e6dc9eba1dc3ac |
| SHA1 | c9abc717488f0608c945d9c62e92701684a0a12b |
| SHA256 | 1d667d3720f9dc03cdee282adcddef825ff75dbc6c972186c96f6d14d6c773e6 |
| SHA512 | d27dee0311fb1be670c1092eb1b76a10123512248df8ee28172986eb3bc181e13c7e79982ed50f38d86d20171dae7c6b0ef17dae745899d03cc1a89b5244ef68 |
memory/2480-85-0x00007FF7EC360000-0x00007FF7EC6B1000-memory.dmp
memory/232-80-0x00007FF654830000-0x00007FF654B81000-memory.dmp
memory/2276-79-0x00007FF6C3800000-0x00007FF6C3B51000-memory.dmp
memory/4452-72-0x00007FF62B810000-0x00007FF62BB61000-memory.dmp
memory/2420-71-0x00007FF77F7F0000-0x00007FF77FB41000-memory.dmp
C:\Windows\System\LfUaFmH.exe
| MD5 | 5a838f2a87e3f0c898309c9e62fb3f8f |
| SHA1 | 2313f6de7fef974293d5a74edfa088a1abdca741 |
| SHA256 | baccb1560000b518812297acf9a9f8f09b2ce9479e2b50c9bb8144d9e43c97ac |
| SHA512 | a802cb0b6174bb03a8069bbd7162d21494b3ac730572b662159f5e9d81ab664569b7e2a3c4f1a0dac872ce96990853efcd73f0d209c50d3559e6d4cfffbbe01c |
memory/2488-66-0x00007FF630680000-0x00007FF6309D1000-memory.dmp
C:\Windows\System\HkvenMA.exe
| MD5 | 9f9fc86adedbebd711ee775cd153aac0 |
| SHA1 | 02d267efc592ae8db0cb80556846c3e59a49e3d5 |
| SHA256 | 8225fe011fe84059e7a826fca5f66146094a49f80c955ae78e958881511ad71f |
| SHA512 | 7d526ee45bfc4399e0c5d41984905d707efeb8941145c2481ec3c3ca80c1f83745831a0eb5cf4e5535c1cfbeed896c6a0b67aca20e1a1ef4e2a5e8b6082d248a |
memory/3488-60-0x00007FF72E6D0000-0x00007FF72EA21000-memory.dmp
memory/3792-59-0x00007FF7A3090000-0x00007FF7A33E1000-memory.dmp
memory/3756-53-0x00007FF6E0190000-0x00007FF6E04E1000-memory.dmp
memory/3708-41-0x00007FF7E3550000-0x00007FF7E38A1000-memory.dmp
memory/4824-34-0x00007FF62DA60000-0x00007FF62DDB1000-memory.dmp
memory/460-28-0x00007FF6E5330000-0x00007FF6E5681000-memory.dmp
memory/3488-140-0x00007FF72E6D0000-0x00007FF72EA21000-memory.dmp
memory/2480-147-0x00007FF7EC360000-0x00007FF7EC6B1000-memory.dmp
memory/4536-146-0x00007FF6DF6C0000-0x00007FF6DFA11000-memory.dmp
memory/4928-157-0x00007FF7E2CA0000-0x00007FF7E2FF1000-memory.dmp
memory/4764-158-0x00007FF620690000-0x00007FF6209E1000-memory.dmp
memory/848-159-0x00007FF6B1130000-0x00007FF6B1481000-memory.dmp
memory/4920-162-0x00007FF694ED0000-0x00007FF695221000-memory.dmp
memory/792-163-0x00007FF70A410000-0x00007FF70A761000-memory.dmp
memory/4776-161-0x00007FF6CCB90000-0x00007FF6CCEE1000-memory.dmp
memory/3096-160-0x00007FF6F43E0000-0x00007FF6F4731000-memory.dmp
memory/4032-164-0x00007FF7C8CE0000-0x00007FF7C9031000-memory.dmp
memory/3488-165-0x00007FF72E6D0000-0x00007FF72EA21000-memory.dmp
memory/2420-214-0x00007FF77F7F0000-0x00007FF77FB41000-memory.dmp
memory/2276-216-0x00007FF6C3800000-0x00007FF6C3B51000-memory.dmp
memory/232-225-0x00007FF654830000-0x00007FF654B81000-memory.dmp
memory/5064-227-0x00007FF603470000-0x00007FF6037C1000-memory.dmp
memory/4824-229-0x00007FF62DA60000-0x00007FF62DDB1000-memory.dmp
memory/460-231-0x00007FF6E5330000-0x00007FF6E5681000-memory.dmp
memory/3708-233-0x00007FF7E3550000-0x00007FF7E38A1000-memory.dmp
memory/3756-245-0x00007FF6E0190000-0x00007FF6E04E1000-memory.dmp
memory/3792-247-0x00007FF7A3090000-0x00007FF7A33E1000-memory.dmp
memory/2488-249-0x00007FF630680000-0x00007FF6309D1000-memory.dmp
memory/4452-251-0x00007FF62B810000-0x00007FF62BB61000-memory.dmp
memory/4536-253-0x00007FF6DF6C0000-0x00007FF6DFA11000-memory.dmp
memory/2480-255-0x00007FF7EC360000-0x00007FF7EC6B1000-memory.dmp
memory/848-257-0x00007FF6B1130000-0x00007FF6B1481000-memory.dmp
memory/4928-259-0x00007FF7E2CA0000-0x00007FF7E2FF1000-memory.dmp
memory/3096-261-0x00007FF6F43E0000-0x00007FF6F4731000-memory.dmp
memory/4920-263-0x00007FF694ED0000-0x00007FF695221000-memory.dmp
memory/4776-265-0x00007FF6CCB90000-0x00007FF6CCEE1000-memory.dmp
memory/792-268-0x00007FF70A410000-0x00007FF70A761000-memory.dmp
memory/4032-270-0x00007FF7C8CE0000-0x00007FF7C9031000-memory.dmp
memory/4764-273-0x00007FF620690000-0x00007FF6209E1000-memory.dmp
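The listing above is the flat text export of the sandbox's dropped-file and memory-dump artifacts: a path line, key/value hash rows beneath it, and `memory/<pid>-<seq>-<start>-<end>-memory.dmp` entries interleaved in between. The Python below is an added example, not code from the report or the sandbox vendor; it parses that format into records a responder can use: a SHA256 blocklist of the dropped executables, a length check on every digest before it is fed to a blocklist, and the memory regions deduplicated by (pid, start, end), since the report lists the same region several times under different sequence numbers. The sample input is a few lines copied from this report; the region-size check shows what is visible in the listing, that every dumped region is exactly 0x351000 bytes. Identical size at different bases is consistent with one image mapped into each process, but size alone does not prove identical content; compare the dumps themselves before drawing that conclusion.

```python
"""Parse a sandbox dropped-file / memory-dump listing into structured records.

Added example; not part of the original report. The format assumptions
(path line, `| ALGO | hex |` rows, `memory/pid-seq-0xstart-0xend-memory.dmp`)
are taken from the listing itself.
"""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the report above (two dropped files,
# three memory dumps of which two describe the same region in PID 4452).
SAMPLE = r"""
C:\Windows\System\OHPtLMm.exe
| MD5 | 824d66c69cf88e080c5165f7404c6eef |
| SHA1 | d73c7139e12121eb07dbcb782a0d2d76beda51ef |
| SHA256 | 2ffc36ee6deee1b759c0218bbdd7e03b9e7bd4596c895e9cc020524e5a80b06f |
| SHA512 | 03b58440949919c2047e2142b53e798bbae2053ff50a02dedbb4ed2de0877aecf7c7631890cb74dd22c09fae314c1d1dba2c027678340f8901752f7944d3c59e |
memory/4536-81-0x00007FF6DF6C0000-0x00007FF6DFA11000-memory.dmp
C:\Windows\System\dXpysas.exe
| MD5 | 32a7077f7d55c82d803f9d1836079722 |
| SHA1 | eac938cf4d4827a32bf2959468173ae08869be9a |
| SHA256 | fc5949383b6d21d644e3d77500f540b4c87c53afddfd1a245b2da53c5fd9800f |
| SHA512 | bfa7ab1114e1e082f0ca995b6c3a28e3f8bcd0aa9286317ef6d049d16a843fa5cbb962beed28c6c3f8d52c43d1029b3fd46b285e4bc55f19bc36e22e04b46188 |
memory/4452-72-0x00007FF62B810000-0x00007FF62BB61000-memory.dmp
memory/4452-135-0x00007FF62B810000-0x00007FF62BB61000-memory.dmp
"""

# Expected hex-digit length of each digest column; anything else is a
# truncated or mangled value that must not go into a blocklist.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")
HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass(frozen=True)
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_report(text: str):
    """Return ({path: {algo: hex}}, [MemoryRegion, ...]) from the listing."""
    files: dict[str, dict[str, str]] = {}
    regions: list[MemoryRegion] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append(MemoryRegion(int(pid), int(seq), int(start, 16), int(end, 16)))
            continue
        m = HASH_ROW_RE.match(line)
        if m and current is not None:
            files[current][m.group(1)] = m.group(2).lower()
            continue
        if PATH_RE.match(line):
            current = line
            files.setdefault(current, {})
    return files, regions


def malformed_hashes(files):
    """(path, algo, value) for every digest whose length is wrong for its algorithm."""
    return [(p, a, v) for p, h in files.items() for a, v in h.items() if len(v) != HASH_LEN[a]]


def sha256_blocklist(files):
    """Sorted, unique SHA256 values of the dropped files, ready for a hash blocklist."""
    return sorted({h["SHA256"] for h in files.values() if "SHA256" in h})


def unique_regions(regions):
    """Collapse repeated dumps of the same (pid, start, end), keeping the first seen."""
    seen: dict[tuple, MemoryRegion] = {}
    for r in regions:
        seen.setdefault((r.pid, r.start, r.end), r)
    return list(seen.values())


def region_sizes(regions):
    """Distinct region sizes in bytes; a single value means every dump is the same size."""
    return sorted({r.size for r in regions})


if __name__ == "__main__":
    files, regions = parse_report(SAMPLE)
    print("dropped files:", len(files), "bad digests:", malformed_hashes(files))
    print("sha256 blocklist:", sha256_blocklist(files))
    print("regions:", len(regions), "unique:", len(unique_regions(regions)))
    print("region sizes:", [hex(s) for s in region_sizes(regions)])
```

Run it against the full listing by reading the report text instead of `SAMPLE`; `malformed_hashes` should come back empty, and any non-empty result points at a row that was truncated in extraction and must not be used as an indicator.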