Analysis Overview
SHA256
953fed62f0a7328e96c4626e0bac4f00e3a427040f4467724b1c8a5ce1c76e8b
Threat Level: Known bad
The file 2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
XMRig Miner payload
xmrig
Cobaltstrike
Cobalt Strike reflective loader
Xmrig family
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-27 04:25
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 04:24
Reported
2024-10-27 04:27
Platform
win7-20240903-en
Max time kernel
140s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\teMeySE.exe | N/A |
| N/A | N/A | C:\Windows\System\cgZNoeu.exe | N/A |
| N/A | N/A | C:\Windows\System\YUVGoGI.exe | N/A |
| N/A | N/A | C:\Windows\System\lWXUrRn.exe | N/A |
| N/A | N/A | C:\Windows\System\DoMKlNY.exe | N/A |
| N/A | N/A | C:\Windows\System\LpKndmh.exe | N/A |
| N/A | N/A | C:\Windows\System\CflhmPh.exe | N/A |
| N/A | N/A | C:\Windows\System\DetTUXU.exe | N/A |
| N/A | N/A | C:\Windows\System\NLIHibS.exe | N/A |
| N/A | N/A | C:\Windows\System\YoFKoxN.exe | N/A |
| N/A | N/A | C:\Windows\System\ofELQEa.exe | N/A |
| N/A | N/A | C:\Windows\System\cMSsmFY.exe | N/A |
| N/A | N/A | C:\Windows\System\mLAGNuy.exe | N/A |
| N/A | N/A | C:\Windows\System\VhjLvwx.exe | N/A |
| N/A | N/A | C:\Windows\System\KQytjBi.exe | N/A |
| N/A | N/A | C:\Windows\System\rtzAjIR.exe | N/A |
| N/A | N/A | C:\Windows\System\QyjKxfH.exe | N/A |
| N/A | N/A | C:\Windows\System\SgDgCeH.exe | N/A |
| N/A | N/A | C:\Windows\System\cFlzpLS.exe | N/A |
| N/A | N/A | C:\Windows\System\XOhWrlW.exe | N/A |
| N/A | N/A | C:\Windows\System\uGdnmAF.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\teMeySE.exe
C:\Windows\System\teMeySE.exe
C:\Windows\System\cgZNoeu.exe
C:\Windows\System\cgZNoeu.exe
C:\Windows\System\YUVGoGI.exe
C:\Windows\System\YUVGoGI.exe
C:\Windows\System\DoMKlNY.exe
C:\Windows\System\DoMKlNY.exe
C:\Windows\System\lWXUrRn.exe
C:\Windows\System\lWXUrRn.exe
C:\Windows\System\LpKndmh.exe
C:\Windows\System\LpKndmh.exe
C:\Windows\System\CflhmPh.exe
C:\Windows\System\CflhmPh.exe
C:\Windows\System\ofELQEa.exe
C:\Windows\System\ofELQEa.exe
C:\Windows\System\DetTUXU.exe
C:\Windows\System\DetTUXU.exe
C:\Windows\System\rtzAjIR.exe
C:\Windows\System\rtzAjIR.exe
C:\Windows\System\NLIHibS.exe
C:\Windows\System\NLIHibS.exe
C:\Windows\System\QyjKxfH.exe
C:\Windows\System\QyjKxfH.exe
C:\Windows\System\YoFKoxN.exe
C:\Windows\System\YoFKoxN.exe
C:\Windows\System\SgDgCeH.exe
C:\Windows\System\SgDgCeH.exe
C:\Windows\System\cMSsmFY.exe
C:\Windows\System\cMSsmFY.exe
C:\Windows\System\cFlzpLS.exe
C:\Windows\System\cFlzpLS.exe
C:\Windows\System\mLAGNuy.exe
C:\Windows\System\mLAGNuy.exe
C:\Windows\System\XOhWrlW.exe
C:\Windows\System\XOhWrlW.exe
C:\Windows\System\VhjLvwx.exe
C:\Windows\System\VhjLvwx.exe
C:\Windows\System\uGdnmAF.exe
C:\Windows\System\uGdnmAF.exe
C:\Windows\System\KQytjBi.exe
C:\Windows\System\KQytjBi.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2408-0-0x000000013F7B0000-0x000000013FB01000-memory.dmp
memory/2408-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\teMeySE.exe
| MD5 | 26a61a9f07bcd6f5c018fbdfe64f314c |
| SHA1 | bea605197b15ddc643c4b04892c0bdb0e3981b0b |
| SHA256 | bd255431a9840c21ecbc204c3a210e9c6495d5adcd7b826915078e890e377fa9 |
| SHA512 | 40fc56c95295e55d5ef0a60e2ee50106ac04e306b98920fc9550e79a98cd424729f194b2d6e853c9d57bfc8dcee434091ea87a1dc193bc4f8e6c07c7330990c9 |
C:\Windows\system\cgZNoeu.exe
| MD5 | 1dacca90c6c3c39691a55cf77f5e77b1 |
| SHA1 | 4eaa397d1e4bf00a0397e0c7bc823a2636833d51 |
| SHA256 | a65b00d1195a66badea1020b130f51b393db780e87de63b42feb4ef8393aabad |
| SHA512 | a4664ccff64585dee81a68d6a205318425c492c3655c82e26ee9dc2c7139a480ffcf48b38eb91c61c0b4283552e1d830e5e46d17cc0709eb7f7c722e706fc9ee |
\Windows\system\YUVGoGI.exe
| MD5 | 5bdd8c815e5ff3c64e53fbda1771bcf9 |
| SHA1 | 13a9efb409450971b5d562212ded57bdf607d5c2 |
| SHA256 | 92ef1ae4025ed2bab0f74edfd61ee412e8e9f651bdf4a86b0a55981df3e65f1d |
| SHA512 | 8badd66506acbb4e846dabdf014e9493ab9a9a81c16ce40e590b1adae111aecec9ab0ad271b07914d00f2af76f9263be3d649be206a755aa09b6ca4685785202 |
C:\Windows\system\DoMKlNY.exe
| MD5 | da43c3e997d2194576fa701a548983d8 |
| SHA1 | 872729bad82b910454833e3696c6e8a94acd798c |
| SHA256 | d2ff29464414e804a279fd0d843ee1889899727a74189b500a43546204520293 |
| SHA512 | b1fa1d06c04a86a9febbc5d6e8107ce682f6fb1634b6c20c8c5076bb2bdfc37eb233e1a5dd8104cdb505a7b3c3a46116255d482b02b1f05b92fa53bf44788569 |
C:\Windows\system\lWXUrRn.exe
| MD5 | fe8b72a4d7b97e41067d3e290780720a |
| SHA1 | 71270bd6be92ceab7d98b862dde965b0f401a165 |
| SHA256 | 99bc1e9b4fbf3bfd5724b58cee7a58c92cac4d3918032c351ca7bba537429daa |
| SHA512 | 0853feec1a68d8cdaafff34f413dba045e1c53b40596df78df5bfc9190b7b4a498140e8322a7f5b1a95107a5a38804375d7bbb6ab8a2e64afb939558b3c0d09f |
memory/2408-21-0x000000013FCC0000-0x0000000140011000-memory.dmp
memory/316-17-0x000000013F780000-0x000000013FAD1000-memory.dmp
memory/2408-36-0x000000013F450000-0x000000013F7A1000-memory.dmp
memory/2408-38-0x000000013FC30000-0x000000013FF81000-memory.dmp
\Windows\system\LpKndmh.exe
| MD5 | 71e0d42cdc3afd21c4f53aa5f90ad2a2 |
| SHA1 | 4d9316707882df8eaff70ccfa4bf3b30072bc0f2 |
| SHA256 | cb41c0e396cebfbeab8d93677acbb0e3a67c41537ee97bcaf618d690acb65f2c |
| SHA512 | f1354722b74553b0129f17d1313028e20cf683126160196bf5c9bb25bb1763e9fa619317f93493d1a06cc05e823e6478e2fbc07d26f483faf45d3f6b77425e67 |
memory/2420-35-0x000000013FCC0000-0x0000000140011000-memory.dmp
memory/1312-34-0x000000013FFB0000-0x0000000140301000-memory.dmp
memory/2936-33-0x000000013F450000-0x000000013F7A1000-memory.dmp
memory/2408-32-0x000000013FFB0000-0x0000000140301000-memory.dmp
memory/2580-31-0x000000013F110000-0x000000013F461000-memory.dmp
memory/2408-29-0x000000013F110000-0x000000013F461000-memory.dmp
\Windows\system\CflhmPh.exe
| MD5 | e08a0e28ad491ba53fc52425020dd268 |
| SHA1 | 211ce4310bcfbd8da4ab175e0379d48cd1d4f3b0 |
| SHA256 | 9455bbed00843d64babc2f7222971cf65723393b36b177c37905b4653ee856ef |
| SHA512 | 69a8f5000ba9802ef74d6a9bc640f58ffb17e91f68ff0c423be16bd657655c8b6f4b5987d721b9af93de50bf7fce2b2fd29670e73cb77736ab6d20e0cc8fa784 |
C:\Windows\system\cFlzpLS.exe
| MD5 | d43dddecb96438c2c270e7f3f5ffe8b6 |
| SHA1 | a801d16058f75823ebf73592176ad674a5a42530 |
| SHA256 | fed125c0e0914db0dcf74fab0d29c9bf14159709c9f10d196f63897473c33638 |
| SHA512 | 75956c96b8597af8dd8730202174488325a000f38f15f0461d3352d65428681f14fad224ef74ec985b9289d5672c2ee889e591b2f6d37e09e3fdb1d016660c1d |
\Windows\system\XOhWrlW.exe
| MD5 | 9a81f6c839ac113329452392e7054895 |
| SHA1 | d4eacbdf1dd93bfff6c352970233e43d0226692d |
| SHA256 | becaec44230d38a2c6018cf2ceb28d612fd3891d96df25971fc8f2185a55f28e |
| SHA512 | 7d030ea895cf23007b2f330de4f562febbe8f59e935e04d7fffe54c411dfbde2aecbab270b0ef0baf0876f7fe48ada4dd27c77b05b594ae463b8d600c24ec1d3 |
\Windows\system\uGdnmAF.exe
| MD5 | b0fe780ee924607fb845deaac435d8c0 |
| SHA1 | c3b178b0e3cb96f4980ff7b96f58eaeb52d2b4ab |
| SHA256 | 05f2d53fe92515949e87c79f1e6a46f89e7da97c803eede8822b56ddeacf9cc1 |
| SHA512 | d0673ddf2b6d0998a864cb65f76011d0b03dddaa87408571ac07b1f4618c4d1fb6fd4ee3e3fb3efdb97846bbc39098e6a8b8e55b8ebf0fa50c826176fe0d5830 |
memory/2408-71-0x0000000002490000-0x00000000027E1000-memory.dmp
\Windows\system\SgDgCeH.exe
| MD5 | 207f67b5783cf49254aafeb6ae2f71ec |
| SHA1 | 872f90b22bbde8645014973bcd3ce3d18e782951 |
| SHA256 | 67345099cf9d01a1ce95957c552a09deec3975136f08fcc52b730b1aba43dcac |
| SHA512 | 91e92dbee0c75ba7ce36761fc73bb4d7bd80755f931d051023d15eef790f7e438765a43ac8d488dc456d0b3dacd44b8f8914188c5d354366c1dbefd96964a399 |
\Windows\system\QyjKxfH.exe
| MD5 | b35a1b27d350ee2784ba1a07d0dd4ff0 |
| SHA1 | 9a7b8fd0e533b246f24c9dfc17a9d111833bb21f |
| SHA256 | e8f22ed647aca1662ee94ef780e01c7d8a147a64c1b942eeb4247291199e321c |
| SHA512 | 637018d97aeeeaffb6103b306eb12e0e3d11c27c028b9ff80d093363988b1f6e75632572b557d369eb2acd47df5e92de82591fc10ba992b35096336698c6c927 |
\Windows\system\rtzAjIR.exe
| MD5 | 66766dff4a1788949c11868aca7f9ef8 |
| SHA1 | 185e243b9ebf24707be57b713400428ac86f45ba |
| SHA256 | 940fdcb9a1b87e6b4216c2ba77ca47a02831f1031904f19771748c7a6aaf99f0 |
| SHA512 | 4917346d796788d86508db8162e15ca949b96910e49d1c78d74d72ac15b05bf07186c46cd526eb63afbb86db61a9056e0d48904fb90558bc6f4fb36d71c8fd95 |
memory/2408-131-0x000000013F7B0000-0x000000013FB01000-memory.dmp
memory/2408-118-0x000000013F3B0000-0x000000013F701000-memory.dmp
memory/3028-117-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/3044-116-0x000000013FFB0000-0x0000000140301000-memory.dmp
memory/2648-115-0x000000013FF70000-0x00000001402C1000-memory.dmp
memory/2408-133-0x000000013FCC0000-0x0000000140011000-memory.dmp
memory/316-132-0x000000013F780000-0x000000013FAD1000-memory.dmp
memory/2408-114-0x0000000002490000-0x00000000027E1000-memory.dmp
memory/2408-113-0x000000013F230000-0x000000013F581000-memory.dmp
memory/2748-112-0x000000013F920000-0x000000013FC71000-memory.dmp
memory/2408-108-0x000000013F3C0000-0x000000013F711000-memory.dmp
C:\Windows\system\KQytjBi.exe
| MD5 | c9d1a6db4f2c687b9ee7fb8b2fd84407 |
| SHA1 | f17c1b0396b60644178de34cdc76f2f5b53bb19a |
| SHA256 | 3b47d44a46cd03fcbf7d78ecbace79ba1838d76a16e762544998625752240481 |
| SHA512 | d3bd30c890030aab864d5fd615dc72706c3ba01e5055b64464fbe70dccd39aa305c637ca6b65c4504a3fc37e50c45e2b7cc51bfa36bf9f12d2cdeb47ef411cd6 |
C:\Windows\system\VhjLvwx.exe
| MD5 | ba4189a8b1f721642e5c6117ace640bc |
| SHA1 | e13c1cbb29f446a51f7f7b101f531f09eae940d1 |
| SHA256 | ed984d8966248c9a3b0a9caaf960ba61fa426028eb620c406625979f0a21b1c2 |
| SHA512 | 3ae16e0a3e256b299181c6e780fa5fd1b04674deb47773f0dc9702dd085fe18b91eabb9e612ed1efa8ca3918b8e2f454c24f65e5229fb40c59363c1ab7404a9c |
C:\Windows\system\mLAGNuy.exe
| MD5 | 0ecf63c79129f652497e80738c2af6fc |
| SHA1 | 674f942e368a375d8b8956778bbf9bc18a3df244 |
| SHA256 | 8c231fda2d8e5060e7007e930b71c5fe10bf30879f9f89f9563407b55b49d11d |
| SHA512 | 8a0cc20b859b52615ecdff3b97f0cae16b2804f0136b73989ee5f9c8f3c6cc303d2455bf5e9a49ab749fd61adb75440c144cb78c25ee17da8017bb23dc116860 |
C:\Windows\system\cMSsmFY.exe
| MD5 | 07156cfdb1c08a003013e30dee9a3a39 |
| SHA1 | af32afcd4c82f707157389f9c0a8bd05b1ecf6fb |
| SHA256 | 99171ae3e072498a099364e4c8fd811c2b5dc88dfebe24b70cec0b72e3725ced |
| SHA512 | 633b78180aa4bdd9fe599a13eff897c9d304a245da013ef4dca552949d79532d777b9741cbd44212ca04d194365ff52ba954253ddf2e337aaeefd865d499c278 |
memory/2408-102-0x000000013FFB0000-0x0000000140301000-memory.dmp
memory/2408-100-0x000000013FD00000-0x0000000140051000-memory.dmp
memory/2408-99-0x000000013FF70000-0x00000001402C1000-memory.dmp
C:\Windows\system\ofELQEa.exe
| MD5 | 7ce954f7f1455cf2a60f2a5130b67630 |
| SHA1 | 358fe9a1ffb78a77ce7e67c91024c485b1457d21 |
| SHA256 | da2d73a514147dbdb677ab7dd30bd73667505083a51451fb9282a11b4545bae7 |
| SHA512 | 2c584cd9d639276976bf029fd2cc9b8a380ed627310eef36b781ad6abf7b24c6e2cc36408831fed06b0e922f57054cfd235af3015058bf4aafe66279234e1e27 |
C:\Windows\system\YoFKoxN.exe
| MD5 | 32bf994f3314905c4a45bc78e8758cd7 |
| SHA1 | a23a4febcd5f984af7f893f09118308cf6a2f932 |
| SHA256 | b75cdbbf49c2f2b74329043c4aa97f1341101641a2059963ecd3a3f65170eb8e |
| SHA512 | c6153dffebc94c8ace5da588dd1e64ed56bba0629432040ddbc4ce33fa36c9fce9410cfabfdfc8e413a50094f254da9ad945c26c9299425048184a63235b9e35 |
C:\Windows\system\NLIHibS.exe
| MD5 | 74257ca37b69cd8939e7648018e727bf |
| SHA1 | cf4598b75b8b387dfe4753010fd352f524a3a176 |
| SHA256 | ca7fab838cf50cfbce223d7b9284e8111f48b68e43ec8129a92a654c48c820f5 |
| SHA512 | 6028507c6bbe689114f0782ef0744075e91a22072ebb621fe6fc6207e5ae413823e106229aaa244ed39b3f9d2f4741e1ca2833c4480aff61b97793c0a11ede0a |
C:\Windows\system\DetTUXU.exe
| MD5 | af6fb51512a626b416b284bbe48ec92a |
| SHA1 | be77c73ae373a0e2916200e9d239df784878030c |
| SHA256 | 9e10cd9a2deed9ad89001ca4c85e1c8f35df8ac8311ec4c6b74dd1a3c41a03cc |
| SHA512 | 0124f610eaa68b55092f5a9d722d3e0afd83445740ccd629880edf4bd77fad8672d9500efad7251f39fca3b6ab7928a40e4fab57ab3e3e393cc255f2eaeec7d9 |
memory/2408-50-0x0000000002490000-0x00000000027E1000-memory.dmp
memory/1768-48-0x000000013FC30000-0x000000013FF81000-memory.dmp
memory/2408-134-0x000000013F7B0000-0x000000013FB01000-memory.dmp
memory/1768-141-0x000000013FC30000-0x000000013FF81000-memory.dmp
memory/2188-143-0x000000013F570000-0x000000013F8C1000-memory.dmp
memory/2752-145-0x000000013F140000-0x000000013F491000-memory.dmp
memory/2632-151-0x000000013F230000-0x000000013F581000-memory.dmp
memory/564-156-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/2976-155-0x000000013F460000-0x000000013F7B1000-memory.dmp
memory/2572-154-0x000000013F650000-0x000000013F9A1000-memory.dmp
memory/2512-153-0x000000013FA50000-0x000000013FDA1000-memory.dmp
memory/2560-152-0x000000013F6F0000-0x000000013FA41000-memory.dmp
memory/2520-150-0x000000013F3B0000-0x000000013F701000-memory.dmp
memory/2760-149-0x000000013F3C0000-0x000000013F711000-memory.dmp
memory/2628-147-0x000000013FD00000-0x0000000140051000-memory.dmp
memory/2408-157-0x000000013F7B0000-0x000000013FB01000-memory.dmp
memory/316-209-0x000000013F780000-0x000000013FAD1000-memory.dmp
memory/2580-211-0x000000013F110000-0x000000013F461000-memory.dmp
memory/2936-215-0x000000013F450000-0x000000013F7A1000-memory.dmp
memory/2420-214-0x000000013FCC0000-0x0000000140011000-memory.dmp
memory/1312-217-0x000000013FFB0000-0x0000000140301000-memory.dmp
memory/1768-234-0x000000013FC30000-0x000000013FF81000-memory.dmp
memory/3028-236-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/2748-238-0x000000013F920000-0x000000013FC71000-memory.dmp
memory/3044-240-0x000000013FFB0000-0x0000000140301000-memory.dmp
memory/2648-244-0x000000013FF70000-0x00000001402C1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 04:24
Reported
2024-10-27 04:27
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\mRQLVRU.exe | N/A |
| N/A | N/A | C:\Windows\System\vGlFjMQ.exe | N/A |
| N/A | N/A | C:\Windows\System\GkLwGdC.exe | N/A |
| N/A | N/A | C:\Windows\System\DgxhDJt.exe | N/A |
| N/A | N/A | C:\Windows\System\wMdeBKq.exe | N/A |
| N/A | N/A | C:\Windows\System\GPBDtXJ.exe | N/A |
| N/A | N/A | C:\Windows\System\iRrUCrO.exe | N/A |
| N/A | N/A | C:\Windows\System\DQhLWsb.exe | N/A |
| N/A | N/A | C:\Windows\System\HRCpIfY.exe | N/A |
| N/A | N/A | C:\Windows\System\LjQiQzM.exe | N/A |
| N/A | N/A | C:\Windows\System\VnwJAtc.exe | N/A |
| N/A | N/A | C:\Windows\System\QysedPq.exe | N/A |
| N/A | N/A | C:\Windows\System\LYZnAmh.exe | N/A |
| N/A | N/A | C:\Windows\System\NOkWqTW.exe | N/A |
| N/A | N/A | C:\Windows\System\fHwxncM.exe | N/A |
| N/A | N/A | C:\Windows\System\KCQiTsV.exe | N/A |
| N/A | N/A | C:\Windows\System\MKhgWEn.exe | N/A |
| N/A | N/A | C:\Windows\System\cVfOTwD.exe | N/A |
| N/A | N/A | C:\Windows\System\zZrmOKH.exe | N/A |
| N/A | N/A | C:\Windows\System\QdNftHv.exe | N/A |
| N/A | N/A | C:\Windows\System\ndrHcns.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-27_ba2cfae820b48b90488536770b7d5b73_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\mRQLVRU.exe
C:\Windows\System\mRQLVRU.exe
C:\Windows\System\vGlFjMQ.exe
C:\Windows\System\vGlFjMQ.exe
C:\Windows\System\GkLwGdC.exe
C:\Windows\System\GkLwGdC.exe
C:\Windows\System\DgxhDJt.exe
C:\Windows\System\DgxhDJt.exe
C:\Windows\System\wMdeBKq.exe
C:\Windows\System\wMdeBKq.exe
C:\Windows\System\GPBDtXJ.exe
C:\Windows\System\GPBDtXJ.exe
C:\Windows\System\iRrUCrO.exe
C:\Windows\System\iRrUCrO.exe
C:\Windows\System\DQhLWsb.exe
C:\Windows\System\DQhLWsb.exe
C:\Windows\System\HRCpIfY.exe
C:\Windows\System\HRCpIfY.exe
C:\Windows\System\LjQiQzM.exe
C:\Windows\System\LjQiQzM.exe
C:\Windows\System\VnwJAtc.exe
C:\Windows\System\VnwJAtc.exe
C:\Windows\System\QysedPq.exe
C:\Windows\System\QysedPq.exe
C:\Windows\System\LYZnAmh.exe
C:\Windows\System\LYZnAmh.exe
C:\Windows\System\NOkWqTW.exe
C:\Windows\System\NOkWqTW.exe
C:\Windows\System\fHwxncM.exe
C:\Windows\System\fHwxncM.exe
C:\Windows\System\KCQiTsV.exe
C:\Windows\System\KCQiTsV.exe
C:\Windows\System\MKhgWEn.exe
C:\Windows\System\MKhgWEn.exe
C:\Windows\System\cVfOTwD.exe
C:\Windows\System\cVfOTwD.exe
C:\Windows\System\zZrmOKH.exe
C:\Windows\System\zZrmOKH.exe
C:\Windows\System\QdNftHv.exe
C:\Windows\System\QdNftHv.exe
C:\Windows\System\ndrHcns.exe
C:\Windows\System\ndrHcns.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4516-0-0x00007FF7219E0000-0x00007FF721D31000-memory.dmp
memory/4516-1-0x00000205CFE60000-0x00000205CFE70000-memory.dmp
C:\Windows\System\mRQLVRU.exe
| MD5 | 41ec2fc56131d536fb6389562c289205 |
| SHA1 | f0fb645c218089b483d2051e365b035e3bd836f3 |
| SHA256 | a56518c1a7bed7091dde2a35111aa668e71d8f91117ddc259e669b035a8c2acd |
| SHA512 | 50e3c459acde9acf9472c52374ba4210ea774d37f4a80d98db2b02f8e3b210d3c1344fc9df8c7cae13d283b968d7ba44dbc3025b5cfa6b1fc2d266dcdf8f40e6 |
C:\Windows\System\GkLwGdC.exe
| MD5 | 0fbeb471a644231f4410d7d29fade268 |
| SHA1 | afbead12b0fe5b8167640cf1c8623a2a62e8ab57 |
| SHA256 | a37303f66b38b3e1291767ca42f8cb5afa9e3a804b3c8dc69c9b22d47210a761 |
| SHA512 | 65393efa2b57848f4de1f04504873d989955ab5e44fb813fdc2bf5057f4927294eebcfcb607af49fd2b692ac3160f665318fd7f6c7982a5a83ff615cf2c5978c |
memory/372-7-0x00007FF6F5060000-0x00007FF6F53B1000-memory.dmp
C:\Windows\System\vGlFjMQ.exe
| MD5 | 49e4ea8d05e643feee9bba73735c958f |
| SHA1 | ff7ed2156b905fb87a00b16e5ee66f3ea476de55 |
| SHA256 | 9e59ce1675204e88c2479a73357ac92b4068470a4ad0695e1239d2ac8d3a5a42 |
| SHA512 | 219d2f7b375d5593deb30b2f1d372e7ea8565d3d4024a3fc81e8e1e85a26ac8466ae7567f339468247fc267ad510267f290786cc4e462034ddb8e0a03828b98f |
memory/4524-12-0x00007FF66A930000-0x00007FF66AC81000-memory.dmp
memory/4612-20-0x00007FF68DD50000-0x00007FF68E0A1000-memory.dmp
C:\Windows\System\wMdeBKq.exe
| MD5 | 3591026ef9fe2232a8cee7850b34f944 |
| SHA1 | 1546702addf32c7a3107264902b272f0235c9579 |
| SHA256 | ff29eac87170eece6e7d2b654415f43704fa050ecf5004ac3d8ffd69c4ed4eb6 |
| SHA512 | 0fa218b59771445a08be01345df7fc0d3ee46071f625b3657dea10d3ebfbccbf15973874acbf7c1c687ef761d4be738369d660a04a8831d073fe3aeddde39b72 |
memory/2780-26-0x00007FF737950000-0x00007FF737CA1000-memory.dmp
C:\Windows\System\DgxhDJt.exe
| MD5 | e7ab49e273cc6abfec5ba44e0657b222 |
| SHA1 | 7c87fe9a470d0cff16d2678e9b6ba2a2fa788283 |
| SHA256 | 24af2bf4e2f2d01a4df9f45684785e190379ea157e2662fea346967d875ed835 |
| SHA512 | f1af31fc5849664683f4c564d6fbdd03ed8378a70634288924c7882fb2117e4756960afab2042fe8bca5e7e9aea4f544947b87a69dfb630db582e3ab7325af0d |
C:\Windows\System\GPBDtXJ.exe
| MD5 | 5bd69306bfe3a3bb3dd7b1946bb97557 |
| SHA1 | 1de90c05b54a18757e054ebae9dca2034ade5d20 |
| SHA256 | ebbba21aa8ada1b3b226cd1e0a2060152b6042ae1491766b202a794844210091 |
| SHA512 | 5e255ba9cd0559ef5ce1532c96d298681cc3f9fd5ee1b73b61f3ac25448dc9bf3df43dee1699398b3c3a8cf6fa5780fb1ad35c29adfc55646ac1b4c68393efe8 |
memory/2964-35-0x00007FF78B600000-0x00007FF78B951000-memory.dmp
C:\Windows\System\iRrUCrO.exe
| MD5 | 4ce1915625b6b9ca3e07c1373bbf3cd7 |
| SHA1 | 393982f93d4fcd8a3ec19c1f0273e19120b95c08 |
| SHA256 | 7b065bb2eea17c40a5d9a1c85ca3f7dfec037296f8a896a358e621761f1c1a9f |
| SHA512 | 9030b64ff1e4bd40f6366cb334682cd759e6e13034511a75f15b9480c32d46cdc97846a8c3b6672229b54fdb456a20ff0c949a076e2a578766a0aefbd23ea0e3 |
C:\Windows\System\HRCpIfY.exe
| MD5 | 84200ff8311afd0d50c67a30e139911a |
| SHA1 | c05cc42b768356e0a2c0615329b0824c103df9c0 |
| SHA256 | 56d2a047bc0f123e1b006042958dea1b681ef744c42bee2fbf4098193f4405dc |
| SHA512 | 27306e01381f89b8cfad5863a815edee7fe7de3570c66568947791d0c274866ae9f5b4b67442ccadd755087681ec88835f107034279133b55115a641545d7dc4 |