Analysis Overview
SHA256
a46c616f9f113294a8bbe7db4c3d5102805abbab78d747a3a6752ce2a15006b6
Threat Level: Known bad
The file 2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Cobaltstrike family
XMRig Miner payload
Cobalt Strike reflective loader
xmrig
Xmrig family
XMRig Miner payload
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-27 04:34
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 04:34
Reported
2024-10-27 04:36
Platform
win7-20241010-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\FCERGWZ.exe | N/A |
| N/A | N/A | C:\Windows\System\gtxAIvM.exe | N/A |
| N/A | N/A | C:\Windows\System\uPPyebN.exe | N/A |
| N/A | N/A | C:\Windows\System\mquPQIX.exe | N/A |
| N/A | N/A | C:\Windows\System\KXMYMgK.exe | N/A |
| N/A | N/A | C:\Windows\System\CKuHHgU.exe | N/A |
| N/A | N/A | C:\Windows\System\TAZVylb.exe | N/A |
| N/A | N/A | C:\Windows\System\bGQssQH.exe | N/A |
| N/A | N/A | C:\Windows\System\WSCqWsH.exe | N/A |
| N/A | N/A | C:\Windows\System\lYRZdRa.exe | N/A |
| N/A | N/A | C:\Windows\System\fwGhAPA.exe | N/A |
| N/A | N/A | C:\Windows\System\lEYykPZ.exe | N/A |
| N/A | N/A | C:\Windows\System\fOPiDzY.exe | N/A |
| N/A | N/A | C:\Windows\System\hjPquFn.exe | N/A |
| N/A | N/A | C:\Windows\System\zRMvMXv.exe | N/A |
| N/A | N/A | C:\Windows\System\XkcILPv.exe | N/A |
| N/A | N/A | C:\Windows\System\SdVxgiL.exe | N/A |
| N/A | N/A | C:\Windows\System\QqtTUTW.exe | N/A |
| N/A | N/A | C:\Windows\System\YmKNfUq.exe | N/A |
| N/A | N/A | C:\Windows\System\dSUBEmy.exe | N/A |
| N/A | N/A | C:\Windows\System\uQkshDF.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\FCERGWZ.exe
C:\Windows\System\FCERGWZ.exe
C:\Windows\System\uPPyebN.exe
C:\Windows\System\uPPyebN.exe
C:\Windows\System\gtxAIvM.exe
C:\Windows\System\gtxAIvM.exe
C:\Windows\System\mquPQIX.exe
C:\Windows\System\mquPQIX.exe
C:\Windows\System\KXMYMgK.exe
C:\Windows\System\KXMYMgK.exe
C:\Windows\System\CKuHHgU.exe
C:\Windows\System\CKuHHgU.exe
C:\Windows\System\TAZVylb.exe
C:\Windows\System\TAZVylb.exe
C:\Windows\System\WSCqWsH.exe
C:\Windows\System\WSCqWsH.exe
C:\Windows\System\bGQssQH.exe
C:\Windows\System\bGQssQH.exe
C:\Windows\System\lYRZdRa.exe
C:\Windows\System\lYRZdRa.exe
C:\Windows\System\fwGhAPA.exe
C:\Windows\System\fwGhAPA.exe
C:\Windows\System\lEYykPZ.exe
C:\Windows\System\lEYykPZ.exe
C:\Windows\System\fOPiDzY.exe
C:\Windows\System\fOPiDzY.exe
C:\Windows\System\hjPquFn.exe
C:\Windows\System\hjPquFn.exe
C:\Windows\System\zRMvMXv.exe
C:\Windows\System\zRMvMXv.exe
C:\Windows\System\XkcILPv.exe
C:\Windows\System\XkcILPv.exe
C:\Windows\System\SdVxgiL.exe
C:\Windows\System\SdVxgiL.exe
C:\Windows\System\YmKNfUq.exe
C:\Windows\System\YmKNfUq.exe
C:\Windows\System\QqtTUTW.exe
C:\Windows\System\QqtTUTW.exe
C:\Windows\System\uQkshDF.exe
C:\Windows\System\uQkshDF.exe
C:\Windows\System\dSUBEmy.exe
C:\Windows\System\dSUBEmy.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2844-0-0x000000013FFE0000-0x0000000140331000-memory.dmp
memory/2844-1-0x00000000000F0000-0x0000000000100000-memory.dmp
C:\Windows\system\FCERGWZ.exe
| MD5 | 24780d04fa54332fb9896c4518e943e1 |
| SHA1 | 065ee74b69c31f78c05636f40757883cf4fff4b5 |
| SHA256 | 0e3cb2a990f5777f7c187bc1f5e5d60e3942e1b313ac6a9c342048abe3d8ec36 |
| SHA512 | 584ad8507016bd82854497f30e0ea7e400d9fbbbd7dab038eac43d0b88f4283799eb2b23425e110569dc69fffa5feb1fdd3815af16d8558030d6ce7f2c0f1226 |
memory/2844-10-0x000000013F220000-0x000000013F571000-memory.dmp
C:\Windows\system\mquPQIX.exe
| MD5 | e9883eb7aab545627b9bf2afd1da6d8c |
| SHA1 | 7a0058d3fcd57481a7752125c8228dca2d9162d5 |
| SHA256 | 0aeef98a7da22b309c79affabf88f93a9d366cb7778c08f2fffdc3497c18fe73 |
| SHA512 | 6aa86962a64c6ad9c9d8dbf191d2c02398bb6bfb921cd1b4dcb272f2dff2885febda4d6af38dbc204cb9d4920f38dd51a5c20a96193424faa30634e92dabe681 |
\Windows\system\KXMYMgK.exe
| MD5 | a700391fd0cfc51210806172c640c508 |
| SHA1 | d02ddc1df5cde07734b6565038c58dc675478ba2 |
| SHA256 | fd45bb7fd764593bcf80ccfb8473b120b1232ad033cdefbda2f4b6ad062f6325 |
| SHA512 | caf548aae7b4792dc9b033b7055c9689eff79b8958a8b619ee884738d306f8c6e449b6ce17b65eb412d661693aaec413eb7888974098ce57efd882325530dd99 |
\Windows\system\uPPyebN.exe
| MD5 | 2974c589845eb2ee30f5573ad29e1b96 |
| SHA1 | 3e6efb718ac159b39d792b1f0f4082af77978083 |
| SHA256 | 96fac8588bdeebe012a989cadf66033f55dac67911034873b866c73f55c8c032 |
| SHA512 | c17e497af08f0f89a37432dd4ba8997abadd99c63e50f15b6115d179fdc418c07f38f27234c7d46af5113a844b8a678d7291748fb14fb0693ebf5a0a1188216c |
memory/352-18-0x000000013F220000-0x000000013F571000-memory.dmp
C:\Windows\system\gtxAIvM.exe
| MD5 | d489716cb29ebdfc60c6cfd8a6b188e3 |
| SHA1 | 35b0b385c224e5c0afe0e2aec22a1bbe4f33e652 |
| SHA256 | 083858a645f2d2425021ec643c4b87a1473e99e1f019467dfa9a35c918a7cd5c |
| SHA512 | 5ea29534e4785213585fbb3e65617db9eaf7c008881253402cf0b294543c001b7828ca9677eb895ec7088ea19de15b4293c683a206f07cd45c2e0df65ce6ad3b |
C:\Windows\system\bGQssQH.exe
| MD5 | ae6832fcb7959b0dc1ca1631a1992f89 |
| SHA1 | eda30ff684152438814dd1c90480fd41d01846bb |
| SHA256 | a49f27c230370150e0c850e27ca61851f22fd91d083e811502f3675c14b880fd |
| SHA512 | 756f5f8f40abb25b6c423853942c0d02c6267fcaab0c77e4a1a9b9f323779a60dd590df868048a8c86b2b8b0ab431ecb6deca9a97bb0dc933834855d2976d3ea |
C:\Windows\system\CKuHHgU.exe
| MD5 | b22e0308ecb73dc9720a7cc276e4b02c |
| SHA1 | 1f7fffac0c9935f866755864ab695f14dce7551d |
| SHA256 | 3e4dcc6b7d2dda614d05bc73d281a6d5de28c624c1e2a1dd0bc699c392134765 |
| SHA512 | f21fd67c34077e60964adf3b537e734898a10d9c36ac24d2820aef8c1bd4130b6870e5317f2a3c50c83839a6f5cce5ac45e79257ec576ce7cea4ecb9c60c326b |
\Windows\system\WSCqWsH.exe
| MD5 | efe7bec85b58b687bb25db45cc406904 |
| SHA1 | 2fe982772c6292bdc70bc5afb5c0281e7eb7d10d |
| SHA256 | 05892bf5977c7e5002bca7cd9dbc48c6f470e099167b6caa5bb722ee89b63cf4 |
| SHA512 | b6b0aafd22600f874768fc25c73c9d3a04c80817be3fe2aac9710e880d2f4f3d4461ac355abe0227b9df0f81ae9654136d28a02abec4795a91c62dcac27f44f5 |
C:\Windows\system\fwGhAPA.exe
| MD5 | 326161f2f7355037ba09175dffa6202f |
| SHA1 | dac8aba9cccec2feeafbfbcdd45dd4b764ab504e |
| SHA256 | 6fb2dc6dd4b28d17f8650a2e9256024bea0f20cf0ea96c68f5446c917b12d298 |
| SHA512 | d140089823a66d348a03f5819242273f0d922bb402b9f4f18a6d8f137d7674c58581dbaa276ecaeb2797a1006a3c3c6a2b8a2238cfd2e9d7caf2146861bf397e |
C:\Windows\system\hjPquFn.exe
| MD5 | f67d36177ed462bbe17bf4c2919f7590 |
| SHA1 | d4d59cb97fd4bda3df2031c205cea54454f0af1b |
| SHA256 | ca7a9cd772cb3df92e8ee95694c279472308faddaa409fab23269c59c66388db |
| SHA512 | d4395db13c4c07b85af52e9f8a6205219f9ff66a94940345587b03d15f4fcdece90aa4c12cd4e16e043720bfb572c2550075b3be64be41131aaaa9b094920997 |
\Windows\system\dSUBEmy.exe
| MD5 | 71f14efef63ec9c2b2cf52668336e096 |
| SHA1 | 2a4d6f43b7c5887ceba69498ca10e5564d66eef3 |
| SHA256 | e847f3a2cf56593cd85932f163e54469536053dc3243af1906056b51e1844e2b |
| SHA512 | bcffde4acc857ebc2ecf3000c6ace845402bff5a824dc1108f85df19619b5acc997fc3d89a0d1cbcbbf68ad78140b568edd4e3d60c32ab8c625a50b0c8973244 |
\Windows\system\uQkshDF.exe
| MD5 | 981691877ffa1091b24a07b8d25099bb |
| SHA1 | 98312efe4e17eba2e2e6a0cc90b0ce679dc5bb2a |
| SHA256 | ed007f5ca81ec7734d2eb973b64300852ed8060ce99a67b154209da0386ba948 |
| SHA512 | f27586c87ec86fb7a1eba2952fb24b11a7af17453ed05295ce1d6ccbafc59451cde1de5aa7a3de066f85eef1c4e67989bfbff8fabfe97f5de8cf4d8b82f247c7 |
\Windows\system\YmKNfUq.exe
| MD5 | 0c519caca025c08a4bdc3fae769e211a |
| SHA1 | 2d60768c9db5c648464f1ce73720ec0cbde0618b |
| SHA256 | 390b57f4e4abea5f37c609bb3c2902623afcb0968292cf28bc16b2658a6db835 |
| SHA512 | b5f6ed59436be08cecfd7677a978d8fcbca54c5bc725b74fd3c38455cd7266ef53b28a9d3e0f81e7cb598b0ba84bb81b307ffaf7ef8f9a79169557e1035cfcc6 |
C:\Windows\system\XkcILPv.exe
| MD5 | 9ba22371af9d21f406c8f747b76db6ef |
| SHA1 | a3fa3c0c7dc5d37957e21d5f5cfcf61080ec52a1 |
| SHA256 | 8031ae297bbd2135a75757908676613467122a8c6138aab4db0b77c6d2a7251d |
| SHA512 | 7c3da549da715c6f1573b0eab14bb73b727212152df46f934f657d5812627251f55f53b09aed0874026700b1ac897fd04a8580f68c14f17f9be2947364c9bbd7 |
C:\Windows\system\QqtTUTW.exe
| MD5 | 01817b7f4d80ad1d4cfd2535bcb3dd09 |
| SHA1 | 3c164d02d6286a188485cc041215be691b68922c |
| SHA256 | 91b9749dc9a8b6a40b19265ef367b1fe9e2774ff8ae19efd5695f97a3c61e406 |
| SHA512 | 193b8d9480ccb106fb4ea03748b262af03fa74f935708e6a17b6d07cfdef21b05130ae4f644b8b8571992c1dc808f007f6e4ef5051d2456970ef9713bd942931 |
C:\Windows\system\SdVxgiL.exe
| MD5 | b928fada5199c9b4453ffc43380fb6d9 |
| SHA1 | 91b15727d1b8dfe3a5a7a7ffde28fb38dc4bdd0f |
| SHA256 | 9f67ebab94c4ef4980178d7b4a3de5653c97db69843f94240956cff5a2b8ee9f |
| SHA512 | c72280d7f2bb79fc47f589e6ba13a2a27aa24064ef3fde04f6fff794dbfee6a253347c5f2f7356ed6c6dec3865d82cece7bf91e6e46bc298f23b2a4f18964cb3 |
C:\Windows\system\zRMvMXv.exe
| MD5 | f89e7166da7ddb7837634965df2465d2 |
| SHA1 | fa8f73e89ae783fa42635a7ecc111056bcad0766 |
| SHA256 | d11c6bdf821659b84eb1ee0d2f01ece288547958b1936c39e2f8195e7c7ef97e |
| SHA512 | c39536f8c16bf2969ee85ef9825ebcd87cf386aa0dbde851380b3e74f156d9e82da4ecaaa4f2a6304bd635bbcc0caaa23fbe607c198b691e306f9fcfc1c11056 |
C:\Windows\system\fOPiDzY.exe
| MD5 | b9ab7b711203669c1b727597803878a7 |
| SHA1 | 55fb2c0b60777fcff1c17a6fa50fbe7df2c624d1 |
| SHA256 | 996f06985f5185340d73ff20c39d8b3aa0bf50d28712a40667112f133502e0af |
| SHA512 | 558d25b1a1730c6e9150b17c78854cb7cb149444f0f4cbbb3db0289aa773689c488ced7102fb1313dd2d8f52a47a674d27071a0b26db5622fc86ab0518c238ec |
C:\Windows\system\lEYykPZ.exe
| MD5 | a008ab2033cbb5c08fb5ca667cde6cfd |
| SHA1 | 58643eb09ae57910a9356027565818381d9cda50 |
| SHA256 | 7ff62d19057c597277bd41010e8bcad9a870a09204d90451791e7913a169002e |
| SHA512 | 6ed64b8778d2b7d65dfea8c922797503dfef19f07b727df6fb4c76cb16a5ed7ca94b6e3cad17bf75e965af4c5fbb5212f5425e7508e72ac554800c4c71e24438 |
C:\Windows\system\lYRZdRa.exe
| MD5 | 4d3b248f11fc550481c611530a2e3a1b |
| SHA1 | 7393d113d53f07e82225161dd92603a8265695eb |
| SHA256 | 28c5cffa1d67cae91544bde228ac8a63a34a128d3764338cf37482eb4c5f88bc |
| SHA512 | 122ddc9398a23ac99cd370e0e4686131ddf0659401f22e66d4e8b4c9a321f52719176113131a1355a5b9271ff0c0d9fad0acb5ade853fcd17d442c06c7b5e370 |
C:\Windows\system\TAZVylb.exe
| MD5 | ca16c460c0974be6f60f72ab5c016799 |
| SHA1 | 028cde7accc894ae71881cad604ba1c23d04fe50 |
| SHA256 | 0bc940c7669f66dbfb241ce765b5944115597c94452eae1ab2b59b8566933b78 |
| SHA512 | 4ef877a36f931f98f83b9b29aec6a4f97c2d8a6c63980bc632aa907936377630327165647696817bc7e343d69d09d91253fb7e2dae085dae6b93cf80a6753e8e |
memory/1000-120-0x000000013F7D0000-0x000000013FB21000-memory.dmp
memory/2844-119-0x000000013F7D0000-0x000000013FB21000-memory.dmp
memory/2496-118-0x000000013F320000-0x000000013F671000-memory.dmp
memory/2844-117-0x000000013F320000-0x000000013F671000-memory.dmp
memory/2452-116-0x000000013F2C0000-0x000000013F611000-memory.dmp
memory/1000-114-0x000000013F7D0000-0x000000013FB21000-memory.dmp
memory/352-110-0x000000013F220000-0x000000013F571000-memory.dmp
memory/2844-109-0x000000013FFE0000-0x0000000140331000-memory.dmp
memory/1984-108-0x000000013F990000-0x000000013FCE1000-memory.dmp
memory/2960-121-0x000000013FE60000-0x00000001401B1000-memory.dmp
memory/2640-128-0x000000013F1E0000-0x000000013F531000-memory.dmp
memory/2752-137-0x000000013F930000-0x000000013FC81000-memory.dmp
memory/2708-129-0x000000013F8A0000-0x000000013FBF1000-memory.dmp
memory/2844-147-0x000000013F1E0000-0x000000013F531000-memory.dmp
memory/2844-150-0x000000013F990000-0x000000013FCE1000-memory.dmp
memory/2844-149-0x000000013F2C0000-0x000000013F611000-memory.dmp
memory/2844-148-0x000000013F8A0000-0x000000013FBF1000-memory.dmp
memory/2796-146-0x000000013F530000-0x000000013F881000-memory.dmp
memory/2844-145-0x000000013F530000-0x000000013F881000-memory.dmp
memory/2084-144-0x000000013FE30000-0x0000000140181000-memory.dmp
memory/2816-143-0x000000013FFA0000-0x00000001402F1000-memory.dmp
memory/2676-142-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/2844-141-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/2844-140-0x0000000002300000-0x0000000002651000-memory.dmp
memory/2652-139-0x000000013F160000-0x000000013F4B1000-memory.dmp
memory/2844-138-0x000000013F160000-0x000000013F4B1000-memory.dmp
memory/1788-136-0x000000013F5C0000-0x000000013F911000-memory.dmp
memory/2492-135-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/3068-134-0x000000013F510000-0x000000013F861000-memory.dmp
memory/2600-133-0x000000013FA50000-0x000000013FDA1000-memory.dmp
memory/2532-132-0x000000013F2B0000-0x000000013F601000-memory.dmp
memory/2636-131-0x000000013FDC0000-0x0000000140111000-memory.dmp
memory/2108-130-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/2844-151-0x000000013FFE0000-0x0000000140331000-memory.dmp
memory/2844-157-0x000000013F220000-0x000000013F571000-memory.dmp
memory/2844-174-0x000000013F8A0000-0x000000013FBF1000-memory.dmp
memory/352-204-0x000000013F220000-0x000000013F571000-memory.dmp
memory/2452-206-0x000000013F2C0000-0x000000013F611000-memory.dmp
memory/1984-208-0x000000013F990000-0x000000013FCE1000-memory.dmp
memory/2496-210-0x000000013F320000-0x000000013F671000-memory.dmp
memory/2652-222-0x000000013F160000-0x000000013F4B1000-memory.dmp
memory/2676-224-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/2960-226-0x000000013FE60000-0x00000001401B1000-memory.dmp
memory/2816-228-0x000000013FFA0000-0x00000001402F1000-memory.dmp
memory/2084-230-0x000000013FE30000-0x0000000140181000-memory.dmp
memory/2796-232-0x000000013F530000-0x000000013F881000-memory.dmp
memory/2640-234-0x000000013F1E0000-0x000000013F531000-memory.dmp
memory/2708-236-0x000000013F8A0000-0x000000013FBF1000-memory.dmp
memory/2108-238-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/1000-255-0x000000013F7D0000-0x000000013FB21000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 04:34
Reported
2024-10-27 04:36
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\FCERGWZ.exe | N/A |
| N/A | N/A | C:\Windows\System\uPPyebN.exe | N/A |
| N/A | N/A | C:\Windows\System\gtxAIvM.exe | N/A |
| N/A | N/A | C:\Windows\System\mquPQIX.exe | N/A |
| N/A | N/A | C:\Windows\System\KXMYMgK.exe | N/A |
| N/A | N/A | C:\Windows\System\CKuHHgU.exe | N/A |
| N/A | N/A | C:\Windows\System\TAZVylb.exe | N/A |
| N/A | N/A | C:\Windows\System\WSCqWsH.exe | N/A |
| N/A | N/A | C:\Windows\System\bGQssQH.exe | N/A |
| N/A | N/A | C:\Windows\System\lYRZdRa.exe | N/A |
| N/A | N/A | C:\Windows\System\fwGhAPA.exe | N/A |
| N/A | N/A | C:\Windows\System\lEYykPZ.exe | N/A |
| N/A | N/A | C:\Windows\System\fOPiDzY.exe | N/A |
| N/A | N/A | C:\Windows\System\hjPquFn.exe | N/A |
| N/A | N/A | C:\Windows\System\zRMvMXv.exe | N/A |
| N/A | N/A | C:\Windows\System\XkcILPv.exe | N/A |
| N/A | N/A | C:\Windows\System\SdVxgiL.exe | N/A |
| N/A | N/A | C:\Windows\System\YmKNfUq.exe | N/A |
| N/A | N/A | C:\Windows\System\QqtTUTW.exe | N/A |
| N/A | N/A | C:\Windows\System\uQkshDF.exe | N/A |
| N/A | N/A | C:\Windows\System\dSUBEmy.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-27_df2cd50a48bf0ed8b685da5e003b78cb_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\FCERGWZ.exe
C:\Windows\System\FCERGWZ.exe
C:\Windows\System\uPPyebN.exe
C:\Windows\System\uPPyebN.exe
C:\Windows\System\gtxAIvM.exe
C:\Windows\System\gtxAIvM.exe
C:\Windows\System\mquPQIX.exe
C:\Windows\System\mquPQIX.exe
C:\Windows\System\KXMYMgK.exe
C:\Windows\System\KXMYMgK.exe
C:\Windows\System\CKuHHgU.exe
C:\Windows\System\CKuHHgU.exe
C:\Windows\System\TAZVylb.exe
C:\Windows\System\TAZVylb.exe
C:\Windows\System\WSCqWsH.exe
C:\Windows\System\WSCqWsH.exe
C:\Windows\System\bGQssQH.exe
C:\Windows\System\bGQssQH.exe
C:\Windows\System\lYRZdRa.exe
C:\Windows\System\lYRZdRa.exe
C:\Windows\System\fwGhAPA.exe
C:\Windows\System\fwGhAPA.exe
C:\Windows\System\lEYykPZ.exe
C:\Windows\System\lEYykPZ.exe
C:\Windows\System\fOPiDzY.exe
C:\Windows\System\fOPiDzY.exe
C:\Windows\System\hjPquFn.exe
C:\Windows\System\hjPquFn.exe
C:\Windows\System\zRMvMXv.exe
C:\Windows\System\zRMvMXv.exe
C:\Windows\System\XkcILPv.exe
C:\Windows\System\XkcILPv.exe
C:\Windows\System\SdVxgiL.exe
C:\Windows\System\SdVxgiL.exe
C:\Windows\System\YmKNfUq.exe
C:\Windows\System\YmKNfUq.exe
C:\Windows\System\QqtTUTW.exe
C:\Windows\System\QqtTUTW.exe
C:\Windows\System\uQkshDF.exe
C:\Windows\System\uQkshDF.exe
C:\Windows\System\dSUBEmy.exe
C:\Windows\System\dSUBEmy.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/5000-0-0x00007FF75CDF0000-0x00007FF75D141000-memory.dmp
memory/5000-1-0x0000022F03560000-0x0000022F03570000-memory.dmp
C:\Windows\System\gtxAIvM.exe
| MD5 | d489716cb29ebdfc60c6cfd8a6b188e3 |
| SHA1 | 35b0b385c224e5c0afe0e2aec22a1bbe4f33e652 |
| SHA256 | 083858a645f2d2425021ec643c4b87a1473e99e1f019467dfa9a35c918a7cd5c |
| SHA512 | 5ea29534e4785213585fbb3e65617db9eaf7c008881253402cf0b294543c001b7828ca9677eb895ec7088ea19de15b4293c683a206f07cd45c2e0df65ce6ad3b |
C:\Windows\System\mquPQIX.exe
| MD5 | e9883eb7aab545627b9bf2afd1da6d8c |
| SHA1 | 7a0058d3fcd57481a7752125c8228dca2d9162d5 |
| SHA256 | 0aeef98a7da22b309c79affabf88f93a9d366cb7778c08f2fffdc3497c18fe73 |
| SHA512 | 6aa86962a64c6ad9c9d8dbf191d2c02398bb6bfb921cd1b4dcb272f2dff2885febda4d6af38dbc204cb9d4920f38dd51a5c20a96193424faa30634e92dabe681 |
C:\Windows\System\uPPyebN.exe
| MD5 | 2974c589845eb2ee30f5573ad29e1b96 |
| SHA1 | 3e6efb718ac159b39d792b1f0f4082af77978083 |
| SHA256 | 96fac8588bdeebe012a989cadf66033f55dac67911034873b866c73f55c8c032 |
| SHA512 | c17e497af08f0f89a37432dd4ba8997abadd99c63e50f15b6115d179fdc418c07f38f27234c7d46af5113a844b8a678d7291748fb14fb0693ebf5a0a1188216c |
C:\Windows\System\KXMYMgK.exe
| MD5 | a700391fd0cfc51210806172c640c508 |
| SHA1 | d02ddc1df5cde07734b6565038c58dc675478ba2 |
| SHA256 | fd45bb7fd764593bcf80ccfb8473b120b1232ad033cdefbda2f4b6ad062f6325 |
| SHA512 | caf548aae7b4792dc9b033b7055c9689eff79b8958a8b619ee884738d306f8c6e449b6ce17b65eb412d661693aaec413eb7888974098ce57efd882325530dd99 |
memory/1184-28-0x00007FF6D69B0000-0x00007FF6D6D01000-memory.dmp
C:\Windows\System\WSCqWsH.exe
| MD5 | efe7bec85b58b687bb25db45cc406904 |
| SHA1 | 2fe982772c6292bdc70bc5afb5c0281e7eb7d10d |
| SHA256 | 05892bf5977c7e5002bca7cd9dbc48c6f470e099167b6caa5bb722ee89b63cf4 |
| SHA512 | b6b0aafd22600f874768fc25c73c9d3a04c80817be3fe2aac9710e880d2f4f3d4461ac355abe0227b9df0f81ae9654136d28a02abec4795a91c62dcac27f44f5 |
C:\Windows\System\bGQssQH.exe
| MD5 | ae6832fcb7959b0dc1ca1631a1992f89 |
| SHA1 | eda30ff684152438814dd1c90480fd41d01846bb |
| SHA256 | a49f27c230370150e0c850e27ca61851f22fd91d083e811502f3675c14b880fd |
| SHA512 | 756f5f8f40abb25b6c423853942c0d02c6267fcaab0c77e4a1a9b9f323779a60dd590df868048a8c86b2b8b0ab431ecb6deca9a97bb0dc933834855d2976d3ea |
C:\Windows\System\lYRZdRa.exe
| MD5 | 4d3b248f11fc550481c611530a2e3a1b |
| SHA1 | 7393d113d53f07e82225161dd92603a8265695eb |
| SHA256 | 28c5cffa1d67cae91544bde228ac8a63a34a128d3764338cf37482eb4c5f88bc |
| SHA512 | 122ddc9398a23ac99cd370e0e4686131ddf0659401f22e66d4e8b4c9a321f52719176113131a1355a5b9271ff0c0d9fad0acb5ade853fcd17d442c06c7b5e370 |
memory/1500-71-0x00007FF681FE0000-0x00007FF682331000-memory.dmp
C:\Windows\System\fwGhAPA.exe
| MD5 | 326161f2f7355037ba09175dffa6202f |
| SHA1 | dac8aba9cccec2feeafbfbcdd45dd4b764ab504e |
| SHA256 | 6fb2dc6dd4b28d17f8650a2e9256024bea0f20cf0ea96c68f5446c917b12d298 |