Analysis Overview
SHA256
9bd8e2de1d92fd326b3e8314dd7dd793599cf03f73413998febb72731bf07e2a
Threat Level: Known bad
The file 2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
xmrig
Cobaltstrike
Xmrig family
XMRig Miner payload
Cobaltstrike family
XMRig Miner payload
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-25 11:46
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 11:46
Reported
2024-10-25 11:49
Platform
win7-20240903-en
Max time kernel
141s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\KkLfGFM.exe | N/A |
| N/A | N/A | C:\Windows\System\QdudlAd.exe | N/A |
| N/A | N/A | C:\Windows\System\OxufWsI.exe | N/A |
| N/A | N/A | C:\Windows\System\aNafrgt.exe | N/A |
| N/A | N/A | C:\Windows\System\QBgFWac.exe | N/A |
| N/A | N/A | C:\Windows\System\dsLOwQj.exe | N/A |
| N/A | N/A | C:\Windows\System\jNwpEeP.exe | N/A |
| N/A | N/A | C:\Windows\System\MbvTmkn.exe | N/A |
| N/A | N/A | C:\Windows\System\sGSvfuQ.exe | N/A |
| N/A | N/A | C:\Windows\System\GQIrzJi.exe | N/A |
| N/A | N/A | C:\Windows\System\hHJaMWr.exe | N/A |
| N/A | N/A | C:\Windows\System\mkoLIzy.exe | N/A |
| N/A | N/A | C:\Windows\System\rGHKhBf.exe | N/A |
| N/A | N/A | C:\Windows\System\RoaCGdL.exe | N/A |
| N/A | N/A | C:\Windows\System\YDqQKQx.exe | N/A |
| N/A | N/A | C:\Windows\System\ceDUBlj.exe | N/A |
| N/A | N/A | C:\Windows\System\SUVPotj.exe | N/A |
| N/A | N/A | C:\Windows\System\uhSEQgy.exe | N/A |
| N/A | N/A | C:\Windows\System\jMxAtqj.exe | N/A |
| N/A | N/A | C:\Windows\System\DTwjbuw.exe | N/A |
| N/A | N/A | C:\Windows\System\ycAfikw.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\QdudlAd.exe
C:\Windows\System\QdudlAd.exe
C:\Windows\System\KkLfGFM.exe
C:\Windows\System\KkLfGFM.exe
C:\Windows\System\aNafrgt.exe
C:\Windows\System\aNafrgt.exe
C:\Windows\System\OxufWsI.exe
C:\Windows\System\OxufWsI.exe
C:\Windows\System\QBgFWac.exe
C:\Windows\System\QBgFWac.exe
C:\Windows\System\dsLOwQj.exe
C:\Windows\System\dsLOwQj.exe
C:\Windows\System\jNwpEeP.exe
C:\Windows\System\jNwpEeP.exe
C:\Windows\System\MbvTmkn.exe
C:\Windows\System\MbvTmkn.exe
C:\Windows\System\sGSvfuQ.exe
C:\Windows\System\sGSvfuQ.exe
C:\Windows\System\GQIrzJi.exe
C:\Windows\System\GQIrzJi.exe
C:\Windows\System\hHJaMWr.exe
C:\Windows\System\hHJaMWr.exe
C:\Windows\System\mkoLIzy.exe
C:\Windows\System\mkoLIzy.exe
C:\Windows\System\rGHKhBf.exe
C:\Windows\System\rGHKhBf.exe
C:\Windows\System\RoaCGdL.exe
C:\Windows\System\RoaCGdL.exe
C:\Windows\System\YDqQKQx.exe
C:\Windows\System\YDqQKQx.exe
C:\Windows\System\ceDUBlj.exe
C:\Windows\System\ceDUBlj.exe
C:\Windows\System\uhSEQgy.exe
C:\Windows\System\uhSEQgy.exe
C:\Windows\System\SUVPotj.exe
C:\Windows\System\SUVPotj.exe
C:\Windows\System\jMxAtqj.exe
C:\Windows\System\jMxAtqj.exe
C:\Windows\System\DTwjbuw.exe
C:\Windows\System\DTwjbuw.exe
C:\Windows\System\ycAfikw.exe
C:\Windows\System\ycAfikw.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2120-0-0x000000013F1E0000-0x000000013F531000-memory.dmp
memory/2120-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\QdudlAd.exe
| MD5 | dd025472bba6e592e623479fe42e09b0 |
| SHA1 | 4d3ba66432eab299a77aca8a5c29a97628f233e5 |
| SHA256 | 926d84c12512578cf3769f8fa64d101dc6ffe65dd4e2bc205ae9a85ea14dd351 |
| SHA512 | b958f5e1a41a0736ae397e4ec059ccdecbcf4535a631ec95ca6c4b0ef20ed6811f3a291c6fe365f64ca7d30b64cd85bf487a70d4ecc5ad2742db18bd8a995360 |
C:\Windows\system\KkLfGFM.exe
| MD5 | 189ab21b01ed3377a51be3c575939e9b |
| SHA1 | cb364a0880c9ceeeda0188bdf2bb57e191648994 |
| SHA256 | 94e18a3d7e11b7b0a058db1157314c4d27e492f5500c623a89f6888ec1617850 |
| SHA512 | 75cac9e295b2ab2c9b86ce1aefbe5ecd2f6eeae64a9cb553f2d14e665999a14f7525edaf7a411579aff7a2cb5930c138a7052f084c1148faee89437fcdcf67e7 |
\Windows\system\aNafrgt.exe
| MD5 | 8c44a9ffb7fba9db9c20f8f9f55d24c3 |
| SHA1 | 529f40f25fbc29d37e0b42d46104f60c43d79e54 |
| SHA256 | e3a6f8e75918ec3afc1977476f4033aa6d83a931a092a0b5d32dd7fd27f6a492 |
| SHA512 | fcdfc6e2d6d49c29e1a613e4a2d6238197879796c177aee2fcc8da1f55fb22fefebf7f7273fb4af3c5c994b8657b7e3a09bae5d98b015cf5e57964a90dea3c87 |
C:\Windows\system\OxufWsI.exe
| MD5 | 02387e2a734c020dcf0df7904e866a1c |
| SHA1 | 2637984f4d92bc0462c0c9f4a31b05a284e071d8 |
| SHA256 | aa9c880e114845b4e5d4aafac0dc277b2422d7cb0b67b2da443b9a1f12342663 |
| SHA512 | 932be74e93ff490ab81890d76301eae7fd14e1190105db0faed4b3bef83aa9223f3525be90078f5ba6e41955b3ffb2e9df886b0996a8106c746dece3d0c7da66 |
memory/3004-29-0x000000013F340000-0x000000013F691000-memory.dmp
memory/2120-12-0x00000000023C0000-0x0000000002711000-memory.dmp
memory/2976-28-0x000000013F4F0000-0x000000013F841000-memory.dmp
memory/2344-26-0x000000013F3E0000-0x000000013F731000-memory.dmp
memory/2120-23-0x00000000023C0000-0x0000000002711000-memory.dmp
memory/2120-21-0x00000000023C0000-0x0000000002711000-memory.dmp
memory/2120-6-0x00000000023C0000-0x0000000002711000-memory.dmp
\Windows\system\dsLOwQj.exe
| MD5 | e9187230eb440806057b075004506e44 |
| SHA1 | cd6048f6db9cb8a28caf9b902fb92b051042cdb6 |
| SHA256 | b994dedf31bca3367d62a4a9e4175f47ae4a05dee05ee292d5123fe2cb933106 |
| SHA512 | faa0247fe68636443c88325de2a4e112a5b95e2f4042875839501a6e7fa0c383e71539c30e2b921a024ae30d5489b7adf74e76113a8be4fd156d9c3380aa1dc0 |
memory/2200-41-0x000000013FE50000-0x00000001401A1000-memory.dmp
memory/2120-31-0x000000013FB20000-0x000000013FE71000-memory.dmp
\Windows\system\QBgFWac.exe
| MD5 | 77d51b4de19fbb38c809e30b894af765 |
| SHA1 | 657d1313ee61956d9aca2c556dec108cb446edbf |
| SHA256 | d5b3d236e75528a5d7530ea3bf9c67cf8b42ca018250c1f3fca3002724d43bc2 |
| SHA512 | 450b88f9c3093208d9795526f875e7d1f3e8d9bc26245e9643b77eb865595ce1b74149020ce61ed349ac605bea39ec0aeddbdea902804acc7d4093186a664814 |
memory/2120-38-0x000000013FE50000-0x00000001401A1000-memory.dmp
memory/2760-35-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/2712-51-0x000000013F800000-0x000000013FB51000-memory.dmp
memory/2120-50-0x00000000023C0000-0x0000000002711000-memory.dmp
memory/2120-49-0x000000013F1E0000-0x000000013F531000-memory.dmp
C:\Windows\system\jNwpEeP.exe
| MD5 | 1bbd1eb71217a6562ad6300a40e11662 |
| SHA1 | 9ec3d053b8d209da18cb8dc19cddf3b100ba9bcf |
| SHA256 | 84d08dcb72a202d7e16d141f81f00072b17d90408400e6d9433f44e6cd8c1a32 |
| SHA512 | ad4cfebda61fd445291e530d439924f2fe80b952fe2c5bfc93fbf4cd6902d27e52854c7299b4713d091a801f62618374a9cdee1d94fabb603bddd864c0816114 |
memory/2120-45-0x000000013F800000-0x000000013FB51000-memory.dmp
\Windows\system\MbvTmkn.exe
| MD5 | e394f7fcd6046ddf136e019334d5b63f |
| SHA1 | 94ec2abade8542ab2c8125cd63b23c355652c2bf |
| SHA256 | e48b7b440c354ca579255bf6f09fede2aad57c0635362bffae5c7649da6bcefa |
| SHA512 | 19eb7897f2e87b1f4512ae1b28082243e7b3ba3924ba9fa70347fe1cda706ab994657dcee150d33c39a00001ef340edd0833db7684ca8c2d1bc09b88e00c5615 |
memory/2960-56-0x000000013F3E0000-0x000000013F731000-memory.dmp
\Windows\system\sGSvfuQ.exe
| MD5 | 258b5740001aae64eccccede232aa45b |
| SHA1 | 84dffcc3c64bc6e86c7366141d6b1fc6aa296931 |
| SHA256 | 430447edb4ef9b6f41807dbe663be8e210733ab2abe3bac76afec28d77f685f7 |
| SHA512 | 459e1e1b91bca435f628359d6213d0451938bbb796167f8c3858774125b8f982ee0c0507480f39a72fec5c593933df85c324f6587ab69edfda8311b1f2f1f672 |
memory/2888-59-0x000000013F0C0000-0x000000013F411000-memory.dmp
memory/2348-66-0x000000013F100000-0x000000013F451000-memory.dmp
memory/2120-64-0x00000000023C0000-0x0000000002711000-memory.dmp
\Windows\system\GQIrzJi.exe
| MD5 | 1a5076b3f5eeea334266e49f52effa0a |
| SHA1 | 87d15eb14fd585509d66bfe9f4af0c5c9cd8686d |
| SHA256 | 34c357011e099f0096ac8855e6d848ce56fceb7222286a38b190b460c4071434 |
| SHA512 | 2d9660138954b8384490231d6baf2df590221843ab659c091f3538c301d8c5a681241e94b2d0667fd5a1bdc92d2b6b39dd3bda5daba27c82c3a806fc042b8f69 |
memory/2760-72-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/2548-73-0x000000013F340000-0x000000013F691000-memory.dmp
memory/2120-70-0x00000000023C0000-0x0000000002711000-memory.dmp
\Windows\system\hHJaMWr.exe
| MD5 | b20f3111483101de215aa90aa8c9f566 |
| SHA1 | 5f7ae6756ad7bee6849d328168cc09a85e38ac83 |
| SHA256 | 12a176c60c36278d27164c0c80d06d8f55a0bf79ce318b98c7d8b47a1c517912 |
| SHA512 | 03825584ff516d73782a714ff784a24db2ce93ad52940a7f8e43d2ef104011dca6d7bbfcf4530968d8f885e0709a7c1f62a0c5d2deec31ff489f3c6e7a09507d |
memory/2980-81-0x000000013F460000-0x000000013F7B1000-memory.dmp
memory/2200-80-0x000000013FE50000-0x00000001401A1000-memory.dmp
memory/2120-77-0x00000000023C0000-0x0000000002711000-memory.dmp
\Windows\system\mkoLIzy.exe
| MD5 | 8af275f30d752f3455c448f0231c5d60 |
| SHA1 | 0e534c87a61066be055f449d08f3dda004c41046 |
| SHA256 | c7dca2ac16c60ff580e92913c594c3ec4eaa99dc4a710dbee1418966e51ceed2 |
| SHA512 | 8b7fa8a3ba43f2bfae94f9ea7246820eea326e691b80579aa5b25037de67d95ed783c96a078fc2e7a34a59c68794869224215f0ddd15788b93bbf80b72d85a2f |
memory/2712-86-0x000000013F800000-0x000000013FB51000-memory.dmp
memory/2996-89-0x000000013FE30000-0x0000000140181000-memory.dmp
memory/2888-94-0x000000013F0C0000-0x000000013F411000-memory.dmp
memory/1700-97-0x000000013F6F0000-0x000000013FA41000-memory.dmp
C:\Windows\system\rGHKhBf.exe
| MD5 | 60831d30c07d4befef05fee997b8c473 |
| SHA1 | 3faa8dae04edb268b0f5eacdacc11eed3b180c0f |
| SHA256 | 2a1c53d42b2aa4a93735aee7bb45f24957da7fc6e61eec0e1e33057f4132b980 |
| SHA512 | eaef674c41538e488724891fa1b92ad82e3499708db4436266192f7de86f246db8f5ccb2e2d87541ad223b99620c62869b5e72397986ac20f7720db4b03ec15d |
memory/2120-91-0x00000000023C0000-0x0000000002711000-memory.dmp
memory/2120-83-0x000000013FE30000-0x0000000140181000-memory.dmp
C:\Windows\system\RoaCGdL.exe
| MD5 | e9b65c50f0cc30482b5fd4b368f1a251 |
| SHA1 | 2cd8d6db9fcc32ee5573623657f6f3246eefcc0e |
| SHA256 | c7c5162be65e39a6b79e8d3ab608e216a139386c2907f2f1c9fe92cf76b7b9d6 |
| SHA512 | 6fb32127701c8410d2f951569d3cb43b4dd17ef9d8294103cffcad231494b5da669c833bd9cdd183db2b0eabd192a3f073edb87f6051de77895c5644fa609961 |
C:\Windows\system\SUVPotj.exe
| MD5 | bf61f45a45a828f994c1f768985177cd |
| SHA1 | 394f3bd759995a2b6b9ce8f0e684c571fc2e618e |
| SHA256 | 755d86c56191575cb3dba4b95eb9d81a09b4ec2de44bba0d5512a77b5a2db801 |
| SHA512 | ca379440e2ce73d879c26c078a18de3f0d248aab1aaed7707c240b6e8dd312f22be3df4b835f1ba6db78c65e64db3d1007794bf3a2eca56ade0da8c9f57225ba |
C:\Windows\system\uhSEQgy.exe
| MD5 | bb0c5dc94c5ed591d468516640ce70f5 |
| SHA1 | 59525d9444acdbd5b4d0a89286d9b23779d8d9d4 |
| SHA256 | b4114d62aad4e47fe6f62c83748f0af258fb0e6645af030f8d91a384f9521f51 |
| SHA512 | 0b9244fa99982e252bea21d8d608782434609366aa2561d85d6a03fe007463e966d057569f14fbabc659866733afbe4a15da4e01e76ba0ae893b0e7ed1e25fd9 |
C:\Windows\system\YDqQKQx.exe
| MD5 | 5ddcae08ed93dbb60b6f2e7d3c2ab63f |
| SHA1 | f0e4f85de3949738b77d45f96ffc19960c256409 |
| SHA256 | cac0238ffeba1da452ec82ff63ea571e1778107aeaf24dd7afb98a5699d4cb5a |
| SHA512 | a9b38ffc22e13c10234b7704ab870cff53eb223cb6473802d7ed9d72fe3d5372170d98ad9c953bf20d88a8d794a5e001bd51810a25fffe9256e4fa1e42bd63d9 |
memory/2120-107-0x000000013FC30000-0x000000013FF81000-memory.dmp
memory/2120-106-0x00000000023C0000-0x0000000002711000-memory.dmp
C:\Windows\system\ceDUBlj.exe
| MD5 | 7b2b71adeb52507a36fcc31403c8dd31 |
| SHA1 | 32171ca8af05823f968bc22f3f647e8127223ec0 |
| SHA256 | 49c2c84e170a800779a6966efab2fdefa679d5a3dfdce81b5a04af761aa28d83 |
| SHA512 | 2816fc170191c1990eb9f02f1d810794b6041bd1f8f465713e728873a0cddf6ae67b8884c592b2c70e1bdfca4663025f3e293f23486ab21ef098b046aa4c5e2c |
memory/1644-102-0x000000013F670000-0x000000013F9C1000-memory.dmp
memory/2120-99-0x000000013F670000-0x000000013F9C1000-memory.dmp
memory/2548-127-0x000000013F340000-0x000000013F691000-memory.dmp
memory/2120-128-0x00000000023C0000-0x0000000002711000-memory.dmp
C:\Windows\system\jMxAtqj.exe
| MD5 | f8d90a28471b0fc29d83bc68d64cc448 |
| SHA1 | 578282f0848fc878edae008fb92a526f2a835628 |
| SHA256 | 39252b734cf67e5127c6239ab3a68f4953510b483b1e0eaaac3901749fe234b3 |
| SHA512 | 2f40a4f1de72146ba9a699ffe8a17ceba28426f202d5d800556c25144241ee08fd705bc0fd3707ee7ba3b49ad4cc708cb70cf5971e89f9039066222547acd717 |
C:\Windows\system\DTwjbuw.exe
| MD5 | d04ffed4e2c95ac963902983535a4934 |
| SHA1 | 3d80ddb6db3b92203802219c435db034def7249e |
| SHA256 | d70d0441c0e964001bc56ccaa3dbea2b395b21907f0737e3fbbb675b8ffb6c0e |
| SHA512 | 2e1491932dfbd63c412368252613d3fa3f64832c9b785dedb636f3aa79dd340dbf1d8bc7ace1d1d004ee6c8903563d344decdce77766d68ca088131cb75d4947 |
memory/2980-140-0x000000013F460000-0x000000013F7B1000-memory.dmp
C:\Windows\system\ycAfikw.exe
| MD5 | faefe76c74cf04f80cd5825b01c4be82 |
| SHA1 | f189fcb06e791edcc108995641d94efb87151f85 |
| SHA256 | dce9ee0a64b0e124cc689c88e1b81433f91adb65ebe5db209f2d2db63e0a6526 |
| SHA512 | 2a7e303731446c61065b6bf79b067231f3a49d3633c967ed524688399d6d962701850348a22d8dd21afd9eee53ac47cc59e26702c844ed08e89c510bdde1e8c6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 11:46
Reported
2024-10-25 11:49
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\QdudlAd.exe | N/A |
| N/A | N/A | C:\Windows\System\KkLfGFM.exe | N/A |
| N/A | N/A | C:\Windows\System\aNafrgt.exe | N/A |
| N/A | N/A | C:\Windows\System\OxufWsI.exe | N/A |
| N/A | N/A | C:\Windows\System\QBgFWac.exe | N/A |
| N/A | N/A | C:\Windows\System\dsLOwQj.exe | N/A |
| N/A | N/A | C:\Windows\System\jNwpEeP.exe | N/A |
| N/A | N/A | C:\Windows\System\MbvTmkn.exe | N/A |
| N/A | N/A | C:\Windows\System\sGSvfuQ.exe | N/A |
| N/A | N/A | C:\Windows\System\GQIrzJi.exe | N/A |
| N/A | N/A | C:\Windows\System\hHJaMWr.exe | N/A |
| N/A | N/A | C:\Windows\System\mkoLIzy.exe | N/A |
| N/A | N/A | C:\Windows\System\rGHKhBf.exe | N/A |
| N/A | N/A | C:\Windows\System\RoaCGdL.exe | N/A |
| N/A | N/A | C:\Windows\System\YDqQKQx.exe | N/A |
| N/A | N/A | C:\Windows\System\ceDUBlj.exe | N/A |
| N/A | N/A | C:\Windows\System\uhSEQgy.exe | N/A |
| N/A | N/A | C:\Windows\System\SUVPotj.exe | N/A |
| N/A | N/A | C:\Windows\System\jMxAtqj.exe | N/A |
| N/A | N/A | C:\Windows\System\DTwjbuw.exe | N/A |
| N/A | N/A | C:\Windows\System\ycAfikw.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-25_27044029b7bc7f2761e7d8103b26ddd8_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\QdudlAd.exe
C:\Windows\System\QdudlAd.exe
C:\Windows\System\KkLfGFM.exe
C:\Windows\System\KkLfGFM.exe
C:\Windows\System\aNafrgt.exe
C:\Windows\System\aNafrgt.exe
C:\Windows\System\OxufWsI.exe
C:\Windows\System\OxufWsI.exe
C:\Windows\System\QBgFWac.exe
C:\Windows\System\QBgFWac.exe
C:\Windows\System\dsLOwQj.exe
C:\Windows\System\dsLOwQj.exe
C:\Windows\System\jNwpEeP.exe
C:\Windows\System\jNwpEeP.exe
C:\Windows\System\MbvTmkn.exe
C:\Windows\System\MbvTmkn.exe
C:\Windows\System\sGSvfuQ.exe
C:\Windows\System\sGSvfuQ.exe
C:\Windows\System\GQIrzJi.exe
C:\Windows\System\GQIrzJi.exe
C:\Windows\System\hHJaMWr.exe
C:\Windows\System\hHJaMWr.exe
C:\Windows\System\mkoLIzy.exe
C:\Windows\System\mkoLIzy.exe
C:\Windows\System\rGHKhBf.exe
C:\Windows\System\rGHKhBf.exe
C:\Windows\System\RoaCGdL.exe
C:\Windows\System\RoaCGdL.exe
C:\Windows\System\YDqQKQx.exe
C:\Windows\System\YDqQKQx.exe
C:\Windows\System\ceDUBlj.exe
C:\Windows\System\ceDUBlj.exe
C:\Windows\System\uhSEQgy.exe
C:\Windows\System\uhSEQgy.exe
C:\Windows\System\SUVPotj.exe
C:\Windows\System\SUVPotj.exe
C:\Windows\System\jMxAtqj.exe
C:\Windows\System\jMxAtqj.exe
C:\Windows\System\DTwjbuw.exe
C:\Windows\System\DTwjbuw.exe
C:\Windows\System\ycAfikw.exe
C:\Windows\System\ycAfikw.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
memory/4416-0-0x00007FF7E78D0000-0x00007FF7E7C21000-memory.dmp
memory/4416-1-0x00000201EF090000-0x00000201EF0A0000-memory.dmp
C:\Windows\System\QdudlAd.exe
| MD5 | dd025472bba6e592e623479fe42e09b0 |
| SHA1 | 4d3ba66432eab299a77aca8a5c29a97628f233e5 |
| SHA256 | 926d84c12512578cf3769f8fa64d101dc6ffe65dd4e2bc205ae9a85ea14dd351 |
| SHA512 | b958f5e1a41a0736ae397e4ec059ccdecbcf4535a631ec95ca6c4b0ef20ed6811f3a291c6fe365f64ca7d30b64cd85bf487a70d4ecc5ad2742db18bd8a995360 |
C:\Windows\System\KkLfGFM.exe
| MD5 | 189ab21b01ed3377a51be3c575939e9b |
| SHA1 | cb364a0880c9ceeeda0188bdf2bb57e191648994 |
| SHA256 | 94e18a3d7e11b7b0a058db1157314c4d27e492f5500c623a89f6888ec1617850 |
| SHA512 | 75cac9e295b2ab2c9b86ce1aefbe5ecd2f6eeae64a9cb553f2d14e665999a14f7525edaf7a411579aff7a2cb5930c138a7052f084c1148faee89437fcdcf67e7 |
memory/452-15-0x00007FF7716C0000-0x00007FF771A11000-memory.dmp
memory/2960-18-0x00007FF61FDF0000-0x00007FF620141000-memory.dmp
C:\Windows\System\dsLOwQj.exe
| MD5 | e9187230eb440806057b075004506e44 |
| SHA1 | cd6048f6db9cb8a28caf9b902fb92b051042cdb6 |
| SHA256 | b994dedf31bca3367d62a4a9e4175f47ae4a05dee05ee292d5123fe2cb933106 |
| SHA512 | faa0247fe68636443c88325de2a4e112a5b95e2f4042875839501a6e7fa0c383e71539c30e2b921a024ae30d5489b7adf74e76113a8be4fd156d9c3380aa1dc0 |
memory/4448-35-0x00007FF79A280000-0x00007FF79A5D1000-memory.dmp
memory/4660-37-0x00007FF7758C0000-0x00007FF775C11000-memory.dmp
C:\Windows\System\jNwpEeP.exe
| MD5 | 1bbd1eb71217a6562ad6300a40e11662 |
| SHA1 | 9ec3d053b8d209da18cb8dc19cddf3b100ba9bcf |
| SHA256 | 84d08dcb72a202d7e16d141f81f00072b17d90408400e6d9433f44e6cd8c1a32 |
| SHA512 | ad4cfebda61fd445291e530d439924f2fe80b952fe2c5bfc93fbf4cd6902d27e52854c7299b4713d091a801f62618374a9cdee1d94fabb603bddd864c0816114 |
C:\Windows\System\QBgFWac.exe
| MD5 | 77d51b4de19fbb38c809e30b894af765 |
| SHA1 | 657d1313ee61956d9aca2c556dec108cb446edbf |