Analysis Overview
SHA256
ad054e33da8cc51d62113c63a681aebc22d9f6fb6bad7f5d3ba9e169ccb14547
Threat Level: Known bad
The file 2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobaltstrike family
Xmrig family
Cobaltstrike
Cobalt Strike reflective loader
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-25 11:48
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 11:48
Reported
2024-10-25 11:51
Platform
win7-20240903-en
Max time kernel
140s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\lJqUJam.exe | N/A |
| N/A | N/A | C:\Windows\System\XGfLbjT.exe | N/A |
| N/A | N/A | C:\Windows\System\nkdUTMS.exe | N/A |
| N/A | N/A | C:\Windows\System\mDiCSAb.exe | N/A |
| N/A | N/A | C:\Windows\System\pQnbZXX.exe | N/A |
| N/A | N/A | C:\Windows\System\TIVEZIg.exe | N/A |
| N/A | N/A | C:\Windows\System\eSUCTWn.exe | N/A |
| N/A | N/A | C:\Windows\System\LVHRhbf.exe | N/A |
| N/A | N/A | C:\Windows\System\jAKCSHX.exe | N/A |
| N/A | N/A | C:\Windows\System\aYfaJbS.exe | N/A |
| N/A | N/A | C:\Windows\System\sMBdoIS.exe | N/A |
| N/A | N/A | C:\Windows\System\MSPrUnY.exe | N/A |
| N/A | N/A | C:\Windows\System\pdnhsvY.exe | N/A |
| N/A | N/A | C:\Windows\System\geqRiEv.exe | N/A |
| N/A | N/A | C:\Windows\System\kKYxBfy.exe | N/A |
| N/A | N/A | C:\Windows\System\fJAwrrg.exe | N/A |
| N/A | N/A | C:\Windows\System\eHsWQCG.exe | N/A |
| N/A | N/A | C:\Windows\System\jjSTDYB.exe | N/A |
| N/A | N/A | C:\Windows\System\YturTBA.exe | N/A |
| N/A | N/A | C:\Windows\System\VovBvjq.exe | N/A |
| N/A | N/A | C:\Windows\System\SsfrPvj.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\lJqUJam.exe
C:\Windows\System\lJqUJam.exe
C:\Windows\System\XGfLbjT.exe
C:\Windows\System\XGfLbjT.exe
C:\Windows\System\nkdUTMS.exe
C:\Windows\System\nkdUTMS.exe
C:\Windows\System\mDiCSAb.exe
C:\Windows\System\mDiCSAb.exe
C:\Windows\System\pQnbZXX.exe
C:\Windows\System\pQnbZXX.exe
C:\Windows\System\TIVEZIg.exe
C:\Windows\System\TIVEZIg.exe
C:\Windows\System\eSUCTWn.exe
C:\Windows\System\eSUCTWn.exe
C:\Windows\System\LVHRhbf.exe
C:\Windows\System\LVHRhbf.exe
C:\Windows\System\pdnhsvY.exe
C:\Windows\System\pdnhsvY.exe
C:\Windows\System\jAKCSHX.exe
C:\Windows\System\jAKCSHX.exe
C:\Windows\System\geqRiEv.exe
C:\Windows\System\geqRiEv.exe
C:\Windows\System\aYfaJbS.exe
C:\Windows\System\aYfaJbS.exe
C:\Windows\System\eHsWQCG.exe
C:\Windows\System\eHsWQCG.exe
C:\Windows\System\sMBdoIS.exe
C:\Windows\System\sMBdoIS.exe
C:\Windows\System\jjSTDYB.exe
C:\Windows\System\jjSTDYB.exe
C:\Windows\System\MSPrUnY.exe
C:\Windows\System\MSPrUnY.exe
C:\Windows\System\YturTBA.exe
C:\Windows\System\YturTBA.exe
C:\Windows\System\kKYxBfy.exe
C:\Windows\System\kKYxBfy.exe
C:\Windows\System\VovBvjq.exe
C:\Windows\System\VovBvjq.exe
C:\Windows\System\fJAwrrg.exe
C:\Windows\System\fJAwrrg.exe
C:\Windows\System\SsfrPvj.exe
C:\Windows\System\SsfrPvj.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\system\lJqUJam.exe
C:\Windows\system\nkdUTMS.exe
C:\Windows\system\XGfLbjT.exe
\Windows\system\TIVEZIg.exe
C:\Windows\system\LVHRhbf.exe
C:\Windows\system\eSUCTWn.exe
C:\Windows\system\pQnbZXX.exe
C:\Windows\system\mDiCSAb.exe
C:\Windows\system\aYfaJbS.exe
\Windows\system\geqRiEv.exe
C:\Windows\system\pdnhsvY.exe
C:\Windows\system\YturTBA.exe
\Windows\system\SsfrPvj.exe
\Windows\system\VovBvjq.exe
C:\Windows\system\MSPrUnY.exe
\Windows\system\jjSTDYB.exe
\Windows\system\eHsWQCG.exe
C:\Windows\system\fJAwrrg.exe
C:\Windows\system\kKYxBfy.exe
C:\Windows\system\sMBdoIS.exe
C:\Windows\system\jAKCSHX.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 11:48
Reported
2024-10-25 11:51
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\puSzbBf.exe | N/A |
| N/A | N/A | C:\Windows\System\sxZTdKI.exe | N/A |
| N/A | N/A | C:\Windows\System\WbEzkXV.exe | N/A |
| N/A | N/A | C:\Windows\System\NCUUncM.exe | N/A |
| N/A | N/A | C:\Windows\System\FrkWvFa.exe | N/A |
| N/A | N/A | C:\Windows\System\VZAsvpt.exe | N/A |
| N/A | N/A | C:\Windows\System\oDRnLEx.exe | N/A |
| N/A | N/A | C:\Windows\System\ecsVelB.exe | N/A |
| N/A | N/A | C:\Windows\System\rOfEgVS.exe | N/A |
| N/A | N/A | C:\Windows\System\CqWqVrq.exe | N/A |
| N/A | N/A | C:\Windows\System\ayaQpCA.exe | N/A |
| N/A | N/A | C:\Windows\System\vbbLbLA.exe | N/A |
| N/A | N/A | C:\Windows\System\lPJikHz.exe | N/A |
| N/A | N/A | C:\Windows\System\UZHIung.exe | N/A |
| N/A | N/A | C:\Windows\System\iPDRyml.exe | N/A |
| N/A | N/A | C:\Windows\System\VpEwjWa.exe | N/A |
| N/A | N/A | C:\Windows\System\puIipWn.exe | N/A |
| N/A | N/A | C:\Windows\System\pHDwJwM.exe | N/A |
| N/A | N/A | C:\Windows\System\HWnGlBP.exe | N/A |
| N/A | N/A | C:\Windows\System\uBiaool.exe | N/A |
| N/A | N/A | C:\Windows\System\VmnOXyI.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-25_66512785f2fd362ce92ea065d9043361_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\puSzbBf.exe
C:\Windows\System\puSzbBf.exe
C:\Windows\System\sxZTdKI.exe
C:\Windows\System\sxZTdKI.exe
C:\Windows\System\WbEzkXV.exe
C:\Windows\System\WbEzkXV.exe
C:\Windows\System\NCUUncM.exe
C:\Windows\System\NCUUncM.exe
C:\Windows\System\FrkWvFa.exe
C:\Windows\System\FrkWvFa.exe
C:\Windows\System\VZAsvpt.exe
C:\Windows\System\VZAsvpt.exe
C:\Windows\System\oDRnLEx.exe
C:\Windows\System\oDRnLEx.exe
C:\Windows\System\ecsVelB.exe
C:\Windows\System\ecsVelB.exe
C:\Windows\System\rOfEgVS.exe
C:\Windows\System\rOfEgVS.exe
C:\Windows\System\vbbLbLA.exe
C:\Windows\System\vbbLbLA.exe
C:\Windows\System\CqWqVrq.exe
C:\Windows\System\CqWqVrq.exe
C:\Windows\System\ayaQpCA.exe
C:\Windows\System\ayaQpCA.exe
C:\Windows\System\lPJikHz.exe
C:\Windows\System\lPJikHz.exe
C:\Windows\System\UZHIung.exe
C:\Windows\System\UZHIung.exe
C:\Windows\System\iPDRyml.exe
C:\Windows\System\iPDRyml.exe
C:\Windows\System\VpEwjWa.exe
C:\Windows\System\VpEwjWa.exe
C:\Windows\System\puIipWn.exe
C:\Windows\System\puIipWn.exe
C:\Windows\System\pHDwJwM.exe
C:\Windows\System\pHDwJwM.exe
C:\Windows\System\HWnGlBP.exe
C:\Windows\System\HWnGlBP.exe
C:\Windows\System\uBiaool.exe
C:\Windows\System\uBiaool.exe
C:\Windows\System\VmnOXyI.exe
C:\Windows\System\VmnOXyI.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 70.209.201.84.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\puSzbBf.exe
C:\Windows\System\WbEzkXV.exe
C:\Windows\System\oDRnLEx.exe
C:\Windows\System\ayaQpCA.exe
C:\Windows\System\rOfEgVS.exe
C:\Windows\System\lPJikHz.exe
C:\Windows\System\iPDRyml.exe
C:\Windows\System\puIipWn.exe
C:\Windows\System\VpEwjWa.exe
C:\Windows\System\UZHIung.exe
C:\Windows\System\vbbLbLA.exe
C:\Windows\System\CqWqVrq.exe
| MD5 | b95e72c402b6dc743466c71c5fc3de98 |
| SHA1 | 18964d9077a8b3ee7cb866d944d32c06a0c0add0 |
| SHA256 | 3e1f014c5bb42b1b5c1cd465626f58c7571245fedabdcddb76d8bb127b427f03 |
| SHA512 | aa856f3a99dcabc242d42238d7dedff1625bca81e20d52e6c9beecd97f09037173dbfacdaf1872dc1ca53adf23848210be65dfb01088b3acf2049b9ea0df0307 |
memory/928-77-0x00007FF7B69F0000-0x00007FF7B6D41000-memory.dmp
memory/2316-67-0x00007FF762B90000-0x00007FF762EE1000-memory.dmp
memory/2020-59-0x00007FF60CBB0000-0x00007FF60CF01000-memory.dmp
memory/1260-56-0x00007FF64BCE0000-0x00007FF64C031000-memory.dmp
C:\Windows\System\ecsVelB.exe
| MD5 | 329db940195b0a1d0046fbcf68060e75 |
| SHA1 | a2910f0e912e9a63ae56657ed221d7de5671a60e |
| SHA256 | f8199ac1f26b1651c6a4fa42b50056291ec4950b2c0c16ba4f154690e4062698 |
| SHA512 | d1d18388a4461ed5c221f27a5f820725b5a1ffa12382056779edafb1610ebeb18561f163068304fc403210d167759064adb24feedf42c4f51ebc70aba2173716 |
memory/3068-44-0x00007FF6D5300000-0x00007FF6D5651000-memory.dmp
memory/2492-41-0x00007FF7E1A90000-0x00007FF7E1DE1000-memory.dmp
C:\Windows\System\NCUUncM.exe
| MD5 | 98a27e5aa4d1f0608705a1741cb85c40 |
| SHA1 | f2c84d62540d2068f472d24397fb8411483cdcdc |
| SHA256 | 88edecd8e1cdd61ceb5477785248c08cdf1eb52ef3b30a9624c4bace1cad8b5d |
| SHA512 | 468e5ae625998164ae8533f1c2fe2ed90b3f052c9896628cc1192b2d23adc3341625addd6e5c1755da8904113e7db638d9bbca69c18807bd75728cfd368a204a |
C:\Windows\System\FrkWvFa.exe
| MD5 | 54c8fc95d3c8f9258b6eb318f8063d08 |
| SHA1 | 550ece6923644b37c990f683ff9402019b599c70 |
| SHA256 | 327b9ea5b23e0427b8720daa885193bbb1e23f3eec13270808096bcd09b47959 |
| SHA512 | 81e76ac58f096bd9bc7f7989491dee8f1936da674f84610101c16e04f112541c9b939505893c24c59232e0044918eae4e83db2ce89bf3a73ce54ab10ea8859c9 |
C:\Windows\System\VZAsvpt.exe
| MD5 | fa959285d6c2edabfc5580695c752ea7 |
| SHA1 | d55b67dab1fa9f6c8574aebe9026e28fc456daa8 |
| SHA256 | 2b3e6ac5b3cbd0d439d3393b81e7af55aa71f07081682ad0e242b3f2796b1e28 |
| SHA512 | 9e8cd90a413e38dd5f3385faf5e2a73eb51c2cc7d5c1d1b96b0e841330f87a3bb9efeaaa7dd03b17e6059eba014257e2be43e70993b5f3225b13343fccbd9027 |
memory/1272-30-0x00007FF6E17C0000-0x00007FF6E1B11000-memory.dmp
C:\Windows\System\sxZTdKI.exe
| MD5 | 9f66a830cdf14420812d683e908d5a63 |
| SHA1 | b57ab6204c9a0f2b69516a09d5784c709bd1edc8 |
| SHA256 | 98c89b4685e8f84bfac0cf83b1dc0c177f636c4cd0d008cf149eddf31d5f1fc7 |
| SHA512 | 49f19c7a7fa90f7f7ecf2483d4b5e0df5c72788da58941662da45db6b0e18dbd3b847add0af73d0c9516020770ee134459ac4188c9b6fc51502b6fee864f37b2 |
memory/2184-16-0x00007FF6A3A00000-0x00007FF6A3D51000-memory.dmp
memory/4272-8-0x00007FF6167E0000-0x00007FF616B31000-memory.dmp
C:\Windows\System\HWnGlBP.exe
| MD5 | f4567a1cde5b314500238290d3f59549 |
| SHA1 | 53f5226244c6455fdf4b44942ecd09ac69ae0255 |
| SHA256 | f6f1bfaca0edcb6ca50b3563ddff48b1863853fa6126f57a3e670310ebc2f83e |
| SHA512 | 03ce9b4b0801477801d58ed7b111b617440ac67646f5fa31395d35b2ea7e754cd285a6c26ee7276c6fd032b77ca1881a6c32be87ba947e7dff07ff2929a05f57 |
C:\Windows\System\uBiaool.exe
| MD5 | effdd6786d1ec3fc9671df52bee1160c |
| SHA1 | 8c2ce5c342a7acf18e31db5ba2518c6149b0d20a |
| SHA256 | faa1b141ceba85197e7b8cfada5e66bb474992b5548f8f7d81c163146d780979 |
| SHA512 | 725bbaddb7535757384f954cf321c0233d885f819ace5f78af0505a77ba0100e38c59540de98cfa0c9b1f8b8f8862473c2d089d5d95dbdb72b0fe8de0021fea0 |
memory/5000-121-0x00007FF746FD0000-0x00007FF747321000-memory.dmp
memory/4272-119-0x00007FF6167E0000-0x00007FF616B31000-memory.dmp
C:\Windows\System\VmnOXyI.exe
| MD5 | e54c2949f7f101998f1de75ea6e10e4a |
| SHA1 | 04e9cafad66007c7f6afef8ce28a4da34215ad58 |
| SHA256 | 1e50e0ddfafda86190ff72eaf772167f102d6cf7c1740d9593cc2c639c9aed88 |
| SHA512 | d6bb5abf108a01df1ccb22e5a8a311fe341c41206151b2aa64af76f06a944afff85efe2a72fd72f7ecf7751bacfa4f94e1ce96fbc8bfa97b74c414bb53835b31 |
memory/3500-124-0x00007FF774D80000-0x00007FF7750D1000-memory.dmp
memory/4600-122-0x00007FF72C600000-0x00007FF72C951000-memory.dmp
memory/668-116-0x00007FF78C530000-0x00007FF78C881000-memory.dmp
memory/4252-113-0x00007FF659330000-0x00007FF659681000-memory.dmp
C:\Windows\System\pHDwJwM.exe
| MD5 | f91ceff39e1aa3b5475611bcaa802ae8 |
| SHA1 | 9137aec9e098b370eb93183d77a09ae08e9581f6 |
| SHA256 | 8eae35bd9055ae1117c22d489008cdff3bef5bd01a019ba2d6e9af8a158c38fc |
| SHA512 | 7fd5392c13372520ffb82df434a247102d2450bc277045c2a5bd42d79cf42181d25699075eefa75ad5b7f818792b3beb66c77d21b1d13cc42b16eb0b4ef41c80 |
memory/668-130-0x00007FF78C530000-0x00007FF78C881000-memory.dmp
memory/2184-131-0x00007FF6A3A00000-0x00007FF6A3D51000-memory.dmp
memory/4804-133-0x00007FF6ABD60000-0x00007FF6AC0B1000-memory.dmp
memory/1272-132-0x00007FF6E17C0000-0x00007FF6E1B11000-memory.dmp
memory/3068-138-0x00007FF6D5300000-0x00007FF6D5651000-memory.dmp
memory/1260-140-0x00007FF64BCE0000-0x00007FF64C031000-memory.dmp
memory/2492-142-0x00007FF7E1A90000-0x00007FF7E1DE1000-memory.dmp
memory/3236-150-0x00007FF666520000-0x00007FF666871000-memory.dmp
memory/3336-151-0x00007FF6EF570000-0x00007FF6EF8C1000-memory.dmp
memory/1924-149-0x00007FF65C3E0000-0x00007FF65C731000-memory.dmp
memory/4252-152-0x00007FF659330000-0x00007FF659681000-memory.dmp
memory/848-147-0x00007FF7363A0000-0x00007FF7366F1000-memory.dmp
memory/928-145-0x00007FF7B69F0000-0x00007FF7B6D41000-memory.dmp
memory/4080-148-0x00007FF7890E0000-0x00007FF789431000-memory.dmp
memory/2316-146-0x00007FF762B90000-0x00007FF762EE1000-memory.dmp
memory/2772-144-0x00007FF61C950000-0x00007FF61CCA1000-memory.dmp
memory/2020-143-0x00007FF60CBB0000-0x00007FF60CF01000-memory.dmp
memory/5000-153-0x00007FF746FD0000-0x00007FF747321000-memory.dmp
memory/4600-157-0x00007FF72C600000-0x00007FF72C951000-memory.dmp
memory/3500-158-0x00007FF774D80000-0x00007FF7750D1000-memory.dmp
memory/668-159-0x00007FF78C530000-0x00007FF78C881000-memory.dmp
memory/4272-222-0x00007FF6167E0000-0x00007FF616B31000-memory.dmp
memory/5064-224-0x00007FF6DEDA0000-0x00007FF6DF0F1000-memory.dmp
memory/2184-226-0x00007FF6A3A00000-0x00007FF6A3D51000-memory.dmp
memory/4804-228-0x00007FF6ABD60000-0x00007FF6AC0B1000-memory.dmp
memory/1272-230-0x00007FF6E17C0000-0x00007FF6E1B11000-memory.dmp
memory/3068-232-0x00007FF6D5300000-0x00007FF6D5651000-memory.dmp
memory/2492-234-0x00007FF7E1A90000-0x00007FF7E1DE1000-memory.dmp
memory/1260-236-0x00007FF64BCE0000-0x00007FF64C031000-memory.dmp
memory/2020-239-0x00007FF60CBB0000-0x00007FF60CF01000-memory.dmp
memory/928-241-0x00007FF7B69F0000-0x00007FF7B6D41000-memory.dmp
memory/2316-243-0x00007FF762B90000-0x00007FF762EE1000-memory.dmp
memory/4080-247-0x00007FF7890E0000-0x00007FF789431000-memory.dmp
memory/848-251-0x00007FF7363A0000-0x00007FF7366F1000-memory.dmp
memory/1924-250-0x00007FF65C3E0000-0x00007FF65C731000-memory.dmp
memory/3236-253-0x00007FF666520000-0x00007FF666871000-memory.dmp
memory/3336-255-0x00007FF6EF570000-0x00007FF6EF8C1000-memory.dmp
memory/2772-246-0x00007FF61C950000-0x00007FF61CCA1000-memory.dmp
memory/4252-260-0x00007FF659330000-0x00007FF659681000-memory.dmp
memory/3500-262-0x00007FF774D80000-0x00007FF7750D1000-memory.dmp
memory/4600-264-0x00007FF72C600000-0x00007FF72C951000-memory.dmp
memory/5000-267-0x00007FF746FD0000-0x00007FF747321000-memory.dmp
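The dropped-file and memory-dump listing above is the part of this report an analyst usually needs in machine-readable form: the `C:\Windows\System\*.exe` paths with their MD5/SHA1/SHA256/SHA512 rows become a blocklist, and the `memory/<pid>-<n>-<start>-<end>-memory.dmp` names carry the PID and the mapped address range of each dump. The parser below is an added example written for this page, not code from the sandbox or the report; it assumes exactly the line shapes shown here (a path on its own line followed by `| ALGO | hex |` rows, dump names in the `memory/...` form) and nothing about how the sandbox stores these internally. The `SAMPLE` text is a subset of lines copied verbatim from the listing above so the script runs offline; `hashes_of`, `match_bytes` and `region_summary` are illustrative names, not sandbox APIs.

```python
"""Turn a sandbox dropped-file listing into IOCs and check local files against it.

Added example (not part of the sandbox report). Assumed input format, as on this
page: a dropped-file path line, then `| MD5 | <hex> |` style rows, interleaved
with `memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp` dump names.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Lines copied verbatim from the listing above (a subset, to keep the sample short).
SAMPLE = r"""
C:\Windows\System\puIipWn.exe
| MD5 | 231551b4a4a5a0e747bdbd95222bb46d |
| SHA1 | 24965bfdccb22403ce431b34915e3a808e35c767 |
| SHA256 | a658619dfb03bd26cf4ee727cdf0b904e4826e34bf3594beeeb27e1e6c0afe2b |
| SHA512 | cefdd021e80bdb39103d08ad4821416d13ba61f5bca3fdd0ea479b9010922e19d99def1482bd9ada1ea9e8ac66f3ed1448e04cf0c469cb5e80e37153669e433f |
C:\Windows\System\VpEwjWa.exe
| MD5 | 236ff1fea40bf27fee4754da0ba0c63d |
| SHA1 | 4519802102551ef6bdc6a93a001da3dad13c8c02 |
| SHA256 | 3a811106a0291e7200999d7d5a5d04ccd083a706847d2952992fffdc83d353e4 |
| SHA512 | e7913557f09eb518cf3dfabb4d7e65c5268afb0bfbd63536d3301bacecfc07b74328663cb8ddd1ea3447dcdb8efbe3ae61ddef73a38b56b555b3b9307e5d7ed9 |
memory/1924-95-0x00007FF65C3E0000-0x00007FF65C731000-memory.dmp
memory/3336-93-0x00007FF6EF570000-0x00007FF6EF8C1000-memory.dmp
memory/4272-8-0x00007FF6167E0000-0x00007FF616B31000-memory.dmp
memory/4272-119-0x00007FF6167E0000-0x00007FF616B31000-memory.dmp
memory/4272-222-0x00007FF6167E0000-0x00007FF616B31000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class DroppedFile:
    path: str                      # None when the hash rows precede any path (excerpt cut mid-table)
    hashes: dict = field(default_factory=dict)


@dataclass
class MemoryRegion:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_report(text: str):
    """Return (dropped files, memory regions); rejects digests of the wrong length."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = DroppedFile(path=line)
            files.append(current)
        elif (m := HASH_RE.match(line)):
            algo, digest = m.group(1).upper(), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length: {line}")
            if current is None:                # orphan rows at the top of an excerpt
                current = DroppedFile(path=None)
                files.append(current)
            current.hashes[algo] = digest
        elif (m := DUMP_RE.match(line)):
            regions.append(MemoryRegion(int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)))
    return files, regions


def hashes_of(data: bytes) -> dict:
    """Compute the same four digests the report lists, lowercase hex."""
    return {"MD5": hashlib.md5(data).hexdigest(), "SHA1": hashlib.sha1(data).hexdigest(),
            "SHA256": hashlib.sha256(data).hexdigest(), "SHA512": hashlib.sha512(data).hexdigest()}


def match_bytes(data: bytes, files) -> list:
    """Paths whose listed digests all agree with the digests of `data`.

    Every algorithm present in both must match; a row where only MD5 agrees is
    treated as no match rather than a hit, so a single garbled digest cannot
    produce a false positive or mask a collision."""
    computed = hashes_of(data)
    hits = []
    for f in files:
        common = set(f.hashes) & set(computed)
        if common and all(f.hashes[a] == computed[a] for a in common):
            hits.append(f.path)
    return hits


def region_summary(regions) -> dict:
    """Distinct PIDs, distinct mapped sizes, and PIDs dumped more than once."""
    pids = [r.pid for r in regions]
    return {"dumps": len(regions),
            "pids": sorted(set(pids)),
            "sizes": sorted({r.size for r in regions}),
            "repeated_pids": sorted({p for p in pids if pids.count(p) > 1})}


if __name__ == "__main__":
    files, regions = parse_report(SAMPLE)
    for f in files:
        print(f.path, f.hashes.get("SHA256"))
    print(region_summary(regions))
```

Run over the full listing, `region_summary` reports a single mapped size of 0x351000 bytes for every dump on this page and shows PIDs such as 4272 dumped repeatedly at the same base (indices 8, 119 and 222), which is the dump sequence for one long-lived process rather than three separate processes. Identical region size is only a hint that the processes map a similarly sized image; the per-file hashes, not the dump sizes, are what to push to a blocklist.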