Analysis Overview
SHA256
0cf3ef2b5d3a03e167031cf19840724f03214ba8cb1e9a59754fcfe2e5492e03
Threat Level: Known bad
The file 2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike family
Cobaltstrike
xmrig
XMRig Miner payload
Xmrig family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-10-27 06:36
Signatures
Cobalt Strike reflective loader
1 hit; the indicator, process and target fields are empty in this report.
Cobaltstrike family
XMRig Miner payload
1 hit; the indicator, process and target fields are empty in this report.
Xmrig family
UPX packed file
1 hit; the indicator, process and target fields are empty in this report.
Unsigned PE
2 hits; the indicator, process and target fields are empty in this report.
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 06:36
Reported
2024-10-27 06:39
Platform
win7-20240903-en
Max time kernel
142s
Max time network
145s
Signatures
Cobalt Strike reflective loader
21 hits; the indicator, process and target fields are empty in this report.
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
41 hits; the indicator, process and target fields are empty in this report.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\xKXzxeU.exe | N/A |
| N/A | N/A | C:\Windows\System\ECkJcZu.exe | N/A |
| N/A | N/A | C:\Windows\System\qvkQGJj.exe | N/A |
| N/A | N/A | C:\Windows\System\LdJmUfT.exe | N/A |
| N/A | N/A | C:\Windows\System\mScyrVQ.exe | N/A |
| N/A | N/A | C:\Windows\System\auceimw.exe | N/A |
| N/A | N/A | C:\Windows\System\giCHNao.exe | N/A |
| N/A | N/A | C:\Windows\System\evlPuaC.exe | N/A |
| N/A | N/A | C:\Windows\System\BTeuGMf.exe | N/A |
| N/A | N/A | C:\Windows\System\kGPCbHm.exe | N/A |
| N/A | N/A | C:\Windows\System\pfWrJyu.exe | N/A |
| N/A | N/A | C:\Windows\System\YIwiDVC.exe | N/A |
| N/A | N/A | C:\Windows\System\eoqcsTs.exe | N/A |
| N/A | N/A | C:\Windows\System\dLeOTWK.exe | N/A |
| N/A | N/A | C:\Windows\System\vqdBgrO.exe | N/A |
| N/A | N/A | C:\Windows\System\WlPwiDI.exe | N/A |
| N/A | N/A | C:\Windows\System\lzGuYrd.exe | N/A |
| N/A | N/A | C:\Windows\System\vWvbGmR.exe | N/A |
| N/A | N/A | C:\Windows\System\lyWLPoO.exe | N/A |
| N/A | N/A | C:\Windows\System\KZGpPCH.exe | N/A |
| N/A | N/A | C:\Windows\System\aNvEFfO.exe | N/A |
Loads dropped DLL
UPX packed file
64 hits; the indicator, process and target fields are empty in this report.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
SeLockMemoryPrivilege is the privilege needed to allocate large pages (VirtualAlloc with MEM_LARGE_PAGES). XMRig requests it at startup to back its hashing memory with huge pages, so this signature is consistent with the XMRig payload identified above.
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\xKXzxeU.exe | C:\Windows\System\xKXzxeU.exe |
| C:\Windows\System\ECkJcZu.exe | C:\Windows\System\ECkJcZu.exe |
| C:\Windows\System\qvkQGJj.exe | C:\Windows\System\qvkQGJj.exe |
| C:\Windows\System\LdJmUfT.exe | C:\Windows\System\LdJmUfT.exe |
| C:\Windows\System\mScyrVQ.exe | C:\Windows\System\mScyrVQ.exe |
| C:\Windows\System\auceimw.exe | C:\Windows\System\auceimw.exe |
| C:\Windows\System\giCHNao.exe | C:\Windows\System\giCHNao.exe |
| C:\Windows\System\evlPuaC.exe | C:\Windows\System\evlPuaC.exe |
| C:\Windows\System\BTeuGMf.exe | C:\Windows\System\BTeuGMf.exe |
| C:\Windows\System\kGPCbHm.exe | C:\Windows\System\kGPCbHm.exe |
| C:\Windows\System\pfWrJyu.exe | C:\Windows\System\pfWrJyu.exe |
| C:\Windows\System\YIwiDVC.exe | C:\Windows\System\YIwiDVC.exe |
| C:\Windows\System\eoqcsTs.exe | C:\Windows\System\eoqcsTs.exe |
| C:\Windows\System\dLeOTWK.exe | C:\Windows\System\dLeOTWK.exe |
| C:\Windows\System\vqdBgrO.exe | C:\Windows\System\vqdBgrO.exe |
| C:\Windows\System\WlPwiDI.exe | C:\Windows\System\WlPwiDI.exe |
| C:\Windows\System\lzGuYrd.exe | C:\Windows\System\lzGuYrd.exe |
| C:\Windows\System\vWvbGmR.exe | C:\Windows\System\vWvbGmR.exe |
| C:\Windows\System\lyWLPoO.exe | C:\Windows\System\lyWLPoO.exe |
| C:\Windows\System\KZGpPCH.exe | C:\Windows\System\KZGpPCH.exe |
| C:\Windows\System\aNvEFfO.exe | C:\Windows\System\aNvEFfO.exe |
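The process tree above shows a pattern that turns directly into a detection: a binary running from a user-writable Temp path spawns a burst of seven-letter, randomly named executables directly from C:\Windows\System (the legacy directory, not System32). The Python below is an added example and not part of the sandbox report. The process events are constructed to mirror the tree: the image paths are the ones the sandbox reported, while the PIDs, parent PIDs and the two benign control rows are invented, and the directory and name heuristics are assumptions of this example rather than anything the report states.

```python
import re
from collections import defaultdict

# Constructed process-creation events (Sysmon Event ID 1 style), modelled on the
# process tree in this report. Image paths are the ones the sandbox reported; the
# PIDs, parent PIDs and the two benign control rows are invented for the example.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe")
EXPLORER = r"C:\Windows\explorer.exe"

EVENTS = [
    {"pid": 2528, "ppid": 1000, "image": SAMPLE,                                "parent": EXPLORER},
    {"pid": 2256, "ppid": 2528, "image": r"C:\Windows\System\xKXzxeU.exe",     "parent": SAMPLE},
    {"pid": 1480, "ppid": 2528, "image": r"C:\Windows\System\ECkJcZu.exe",     "parent": SAMPLE},
    {"pid": 2400, "ppid": 2528, "image": r"C:\Windows\System\qvkQGJj.exe",     "parent": SAMPLE},
    {"pid": 2200, "ppid": 2528, "image": r"C:\Windows\System\LdJmUfT.exe",     "parent": SAMPLE},
    # Benign controls: a real system binary (7-letter name, but in System32), and a
    # 7-letter name outside C:\Windows\System. Neither should be flagged.
    {"pid": 3000, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe",   "parent": EXPLORER},
    {"pid": 3100, "ppid": 1000, "image": r"C:\Program Files\Tool\abcdefg.exe", "parent": EXPLORER},
]

# C:\Windows\System (not System32/SysWOW64) is a legacy directory that modern
# Windows almost never launches binaries from; a seven-letter random name there
# is the exact pattern this sample shows. Both thresholds are assumptions.
_RANDOM_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")
_LEGACY_DIR = r"c:\windows\system"

def dropped_exe_pattern(image: str) -> bool:
    """True when image sits directly in C:\\Windows\\System with a 7-letter name."""
    directory, _, name = image.rpartition("\\")
    return directory.lower() == _LEGACY_DIR and bool(_RANDOM_NAME.match(name))

def user_writable_parent(parent: str) -> bool:
    """Parent was launched from a user-writable location (Temp, AppData, Downloads)."""
    p = parent.lower()
    return "\\appdata\\" in p or "\\temp\\" in p or "\\downloads\\" in p

def flag_drop_and_execute(events, min_children: int = 3):
    """Group suspicious children by parent PID and report parents that spawned at
    least min_children of them. Returns {ppid: [child image paths]}."""
    hits = defaultdict(list)
    for ev in events:
        if dropped_exe_pattern(ev["image"]) and user_writable_parent(ev["parent"]):
            hits[ev["ppid"]].append(ev["image"])
    return {ppid: imgs for ppid, imgs in hits.items() if len(imgs) >= min_children}

if __name__ == "__main__":
    for ppid, imgs in flag_drop_and_execute(EVENTS).items():
        print(f"parent pid {ppid} executed {len(imgs)} dropped binaries from C:\\Windows\\System:")
        for img in imgs:
            print("   ", img)
```

The per-parent count matters more than any single child: one execution from C:\Windows\System is odd, a burst of them from a Temp-resident parent is this report's behaviour. Tune min_children to the noise level of the estate being monitored.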
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2528-0-0x000000013F8F0000-0x000000013FC41000-memory.dmp
memory/2528-1-0x0000000000100000-0x0000000000110000-memory.dmp
\Windows\system\xKXzxeU.exe
| MD5 | 371f7858d0344090b4b652ff1f80e841 |
| SHA1 | e22ef271601e96f83b914a660033ea8b2dd62d62 |
| SHA256 | df4a2b7a856981ab42003068e9fe806c322c989a0e0f994afd308436689d768f |
| SHA512 | 11043dfd3ec5425a7f7c5f6a9ed1367d6c5cd48df5d94d9695051a7baea9f5ab6abe03e4078415a8f4a066174924fdd34b10c0997377b851b4503f64f65c0a45 |
memory/2528-18-0x000000013F0C0000-0x000000013F411000-memory.dmp
C:\Windows\system\qvkQGJj.exe
| MD5 | b95797d5ffc568039177d52d473a0ca9 |
| SHA1 | e67ea937cfcce1cfdba3743b5d563c821ed922a7 |
| SHA256 | 7c2c91fd11f1a31216fdc78b8dddf7be6329feace494b3da1aab002bfc0f9100 |
| SHA512 | e9ef32ea27958193780a1f5ff7013c5f216c35fd979828642b75b6910dcecbdda3cb1cd80789018cc56cacb4ea3abeb2dcadc8d611de161ecb8fff279b211938 |
memory/2200-28-0x000000013F6D0000-0x000000013FA21000-memory.dmp
memory/2400-27-0x000000013FB40000-0x000000013FE91000-memory.dmp
memory/2528-24-0x0000000002280000-0x00000000025D1000-memory.dmp
C:\Windows\system\LdJmUfT.exe
| MD5 | 7f81ad3e09f64d48b72e51b4d63a542e |
| SHA1 | 8d44a00fa9cd03fbf89c98c52ff0af35b262d86e |
| SHA256 | 2a9ba666d6bbf5c1277098e8a6ea6306177c2ae45f45db49f9dc202df66900d3 |
| SHA512 | 9a8131abbfa7566058ce7ce6dca37cc3d38d16db292d9977b5b9ec3d5284293e2e11d9243021c18d64d6e6d3e72840c0bd3588d7792f6caf4115c3a10bd14c5c |
memory/1480-14-0x000000013F0C0000-0x000000013F411000-memory.dmp
memory/2256-13-0x000000013F060000-0x000000013F3B1000-memory.dmp
C:\Windows\system\ECkJcZu.exe
| MD5 | de907d46ef0d40f3694c372273425190 |
| SHA1 | 411c9f74ca8295034fb89bc2b24308859efd4ca3 |
| SHA256 | b3cd730342045eb6d772d9fb50511039d9bdb5f2cd61e4a08710018e8e2e6567 |
| SHA512 | a2297a5028bc1b9a514b329e7f503bfeb70234d9449310d7c1b12f47f5eb8e8b042ae1755b0a67ff1e6be428493a770b5c2328a70f01e2c45521ad8658a32e8c |
C:\Windows\system\auceimw.exe
| MD5 | 7f3188f9339576517c0329dbe3b10991 |
| SHA1 | d803e0408e1f6ef742c7bbca2a3416acdf3ce233 |
| SHA256 | 39a4d59bd663129050164728ed71d74792b49b92f25db1fc9dd5e6144a61b3ca |
| SHA512 | 32980f5f986361a5c046bcbd980a9c63d9568180854f1b1dfce632de41584f922dab21c78f0ebef3b73b6d9bf7e178106d8332ae2a349c3b9876f332a96ec63c |
memory/2776-41-0x000000013FE80000-0x00000001401D1000-memory.dmp
memory/2528-40-0x000000013F8F0000-0x000000013FC41000-memory.dmp
memory/2528-37-0x000000013FE80000-0x00000001401D1000-memory.dmp
\Windows\system\evlPuaC.exe
| MD5 | f3128509fa09fd3fc85f683054ef794c |
| SHA1 | 4227f51a56d8cef512b73b856514e6c7f92bb863 |
| SHA256 | c6d584efb93cf2ce13fdab31272b08dd584a9ac439615084b509fe99bbd8cc8f |
| SHA512 | f1ca86806681c84d7525cab956339a486046ee4e6305388fef446319dc35d5ef5e247336eda00f26bb969df7ae05c3d4a3f2b1d07a5fdefb88bcccd3e6215a27 |
memory/2712-49-0x000000013FC20000-0x000000013FF71000-memory.dmp
memory/2432-54-0x000000013F5F0000-0x000000013F941000-memory.dmp
C:\Windows\system\giCHNao.exe
| MD5 | 819a5e53a61025da86efb548a23ad547 |
| SHA1 | 918353fb7c526c67d0bfc73c81b2ec89e816cfd5 |
| SHA256 | 6c6b8f7f53cbbbb26c9ffcc276025dee62a0eb543784ed43e178df37fffe61c3 |
| SHA512 | d25911e0b6cbfc1c3fc9f1ca0c5b020964e7cf44de925fbda3e368647acd711fc4331b17008b6b934e714bbf0873a1d942003b58f093eb8f966dd7730da24508 |
C:\Windows\system\kGPCbHm.exe
| MD5 | 696b0225d00834e1bbdf53c710ba6413 |
| SHA1 | 0291d196e2b27e660b0e7eb002c135a4dc4941d4 |
| SHA256 | e303676973f485db950793ef3c57258163ef2450b79c2fe22d9106de94c07d00 |
| SHA512 | 1185989c1aa4e9bb1d1ff839d82d692c60f259691194aad93858ad3fdbcb2845abae7d0361cc114d4f623ceba9ca447b86b94ec0a87c7b8b0ff28183e834a0f7 |
memory/2596-60-0x000000013FDF0000-0x0000000140141000-memory.dmp
memory/2584-71-0x000000013FB50000-0x000000013FEA1000-memory.dmp
C:\Windows\system\BTeuGMf.exe
| MD5 | e7649f80ccdeace49f104753b92838fa |
| SHA1 | c787fa20eecd1e6c41a3b95d4b95da7b27450d07 |
| SHA256 | 6bca63bd9595f09d029cd2c974a2cbc858d90047c74209c6d9eb5806dfafa86c |
| SHA512 | fb54edc1537886d9b6b1899aa93c84d3d3bf335773da07b1c50fcd0fce4f86623764c1984787e609fbc06949db849a1d5c642bc0503ad638b01ad6fff5b230df |
memory/860-67-0x000000013F300000-0x000000013F651000-memory.dmp
\Windows\system\YIwiDVC.exe
| MD5 | da90b6b3f38e134226f9df0f640d735c |
| SHA1 | 1c9be681b6566cb04e304cb1744662d2365a940e |
| SHA256 | 96f371b26d8c5bcbad07cfc146959f7ec52bc627e92b67d3115d6de9b88dd7a0 |
| SHA512 | fcc537af6c978c245ea13d55a3dc7592569ee5692deb0bfaa1ecfcbab529e787dcfaa773bea8027098d203ac5985386c989ba2d0236631b3e555bcc6f49b3820 |
memory/1248-84-0x000000013FC80000-0x000000013FFD1000-memory.dmp
memory/2712-83-0x000000013FC20000-0x000000013FF71000-memory.dmp
memory/2732-78-0x000000013F540000-0x000000013F891000-memory.dmp
memory/2776-77-0x000000013FE80000-0x00000001401D1000-memory.dmp
memory/2528-73-0x000000013F540000-0x000000013F891000-memory.dmp
\Windows\system\pfWrJyu.exe
| MD5 | bada9e67a265951cd06a910bc6737999 |
| SHA1 | f01976a93655f324f106f05e088be11f4ccca8b9 |
| SHA256 | 78b3e2044b597acee24a3930ec62bef0aa6581e28e4aa9c41d067f4c4246fbba |
| SHA512 | c2c42df516b32d07437dc7112815d3bc03abc04c13f2862032ae8e79f1ca3e32e3e067e4f4e824952478dde4716445a6181d230c3b70a10fcd91fba791efe54c |
memory/2528-97-0x000000013FDF0000-0x0000000140141000-memory.dmp
memory/2856-102-0x000000013FE40000-0x0000000140191000-memory.dmp
C:\Windows\system\aNvEFfO.exe
| MD5 | 6b00fb2bc54bcf175a88cd652508791c |
| SHA1 | c30c06b02469d9e73cd04f19be15820c287d54c4 |
| SHA256 | 3a0ec6eb52ab2fc8d875fa9ac87323da511837a5f3d167b08fca0ffc369bb772 |
| SHA512 | a5a7b62899a2388256543cae6a9c2f0dcd4e940bbaad8b8e8e66d2d6aa4108278e50505e9e2f40157208f4344837ca06ffa6b4b6c71e8ca225969defd6b2a13f |
C:\Windows\system\KZGpPCH.exe
| MD5 | 813e84e97b06d48065e74404392ea46b |
| SHA1 | 4c9e2144e737f1874e29b3d07fe3ecb8a81f352a |
| SHA256 | 31d6e95263977e5d0c1b3e0aafaf493eeeb7c496b2a864f5a62410301c58bb14 |
| SHA512 | 7d35de4304badf96c6f393fffbf0a59503ed35845449bb816065fa3f6f115ad63971602c3503c7bb2ed201d683c141a42ef927656af898e84d3cd42ebe2e5df3 |
C:\Windows\system\lyWLPoO.exe
| MD5 | 6a65f4cbf72803435e93da8a62b35bcf |
| SHA1 | 0da980bf7035a37e5df2b194cafd025ae3f1eb68 |
| SHA256 | 6b5c19fa7f48f85a9273451f893b95741038d035956acec1cebe7035d416f55d |
| SHA512 | 2d7e613ee98d6d2c9e3a32161f020c4a37f783f0ea1f13b36c0ffaae0ff9f6f841df638be765f96381c46a39169e5b69eab4f40404d58a561e3b49df56c766c9 |
C:\Windows\system\lzGuYrd.exe
| MD5 | 1ae82876564c61d2de80365d5a1f4272 |
| SHA1 | 318d8b44906143578ea7d593f031ee19b6167843 |
| SHA256 | 6d617d75c2cbbe6361c6685d3bad17d25766911f4a7d500d18e05e3dcb37e31d |
| SHA512 | c2b72cb588f5d6dc6934fa329f1f59f50042c958ab9b709cb2ecddaf5c2b1e0eb07794bed167c9ee884330237a0e922305bd6b94bef832371cb217dfbc93de16 |
memory/2584-142-0x000000013FB50000-0x000000013FEA1000-memory.dmp
C:\Windows\system\vWvbGmR.exe
| MD5 | eafb26be9d30f0c1c80ab19d85c1bbbb |
| SHA1 | c889537bf5b2161619e5087fe5a9f3c98666cab8 |
| SHA256 | ac163ad479e2ae4c3877c215001f118ca3f02b14e8b35328cc4291491476ef2b |
| SHA512 | 6c45a78dc5ce62a24596075bdc4a52298be1b45e4400a1fef6e6d916cd9ef540fba872089234ee6e9a9b46e5518e219c68d0fe1a2867b9281a959dd2b9718908 |
C:\Windows\system\vqdBgrO.exe
| MD5 | 53b73836f2a78edb04842186e778b802 |
| SHA1 | 4fccf941a5ca377298ce306d6f41d73275a85971 |
| SHA256 | 3a5b53468233974d1a44515c577f584293aabeb4538bc3fd93036ef907be4f96 |
| SHA512 | d167a74b1347bd805f7217e0c988b7c200778590b54dfba40024094ec872bf46b6726bfd4816b858b276a1e9542a039a4f40100b0bfabaa43d8816cdf14a3ed0 |
C:\Windows\system\WlPwiDI.exe
| MD5 | b598a0304387f64fb924fcec12340dcc |
| SHA1 | 1a0a009ccecaea7e92340e205441dbc1e1b88bd4 |
| SHA256 | d3ab0396cfb7e9608a3d6b397f25a345876c2bce31e043b3aa6152dfb9aa6f37 |
| SHA512 | 32edc0f9de87b0a88a3551a22358780a0e564160be790afe9e1ed678a22aaa5c2e3597075dcb7c6b3b54a82c0d7695b9cac4bea36636650b222064ea1373e690 |
memory/2528-143-0x000000013F540000-0x000000013F891000-memory.dmp
memory/2528-108-0x0000000002280000-0x00000000025D1000-memory.dmp
memory/2528-107-0x0000000002280000-0x00000000025D1000-memory.dmp
memory/2596-101-0x000000013FDF0000-0x0000000140141000-memory.dmp
memory/1948-94-0x000000013F790000-0x000000013FAE1000-memory.dmp
memory/2432-93-0x000000013F5F0000-0x000000013F941000-memory.dmp
C:\Windows\system\eoqcsTs.exe
| MD5 | ce8ec242af27db62d8a4e53d8091ee8a |
| SHA1 | b8260724f92fbd302cedcdb551764029e023ae9f |
| SHA256 | 2c3dfc8433179ff6918870de90b4791afaf651ba08d08e66252239c8c113fef0 |
| SHA512 | ec7279eb5c7c4461b9f304d60115562eb4df7aefc860795e0c928628f3468c6f44d99594dc2a26c2f0e75a33ddf61527b5bf75d6140973fad8d85c422b45df67 |
memory/2732-144-0x000000013F540000-0x000000013F891000-memory.dmp
memory/2528-90-0x0000000002280000-0x00000000025D1000-memory.dmp
memory/2528-89-0x0000000002280000-0x00000000025D1000-memory.dmp
C:\Windows\system\dLeOTWK.exe
| MD5 | 80f43f0ec3043456e8bbbf9b2e9e4596 |
| SHA1 | d98aa36dad090bf1f6e70ad94192cd3a1da4fb84 |
| SHA256 | 0489fed0844beb7a8db84f9bc08dcc928ac97994098d826997627717455d83c8 |
| SHA512 | 071e56aeb5fc8322e524bd4df6273ccd6229ad4864dfa858c244818aa36d2faef79717c7078f79d40e353ded0db4f99e9ccea9e6cdf7a46eca263a657155f231 |
memory/2528-98-0x000000013FE40000-0x0000000140191000-memory.dmp
memory/2528-63-0x0000000002280000-0x00000000025D1000-memory.dmp
memory/2528-57-0x000000013FDF0000-0x0000000140141000-memory.dmp
memory/2528-51-0x0000000002280000-0x00000000025D1000-memory.dmp
memory/2256-46-0x000000013F060000-0x000000013F3B1000-memory.dmp
memory/860-34-0x000000013F300000-0x000000013F651000-memory.dmp
C:\Windows\system\mScyrVQ.exe
| MD5 | 9b0157ba7ccdd3ce9eb3667ec1f5238a |
| SHA1 | d835f6fa3e8eeb656a464cebb9fdbdf11179e3d1 |
| SHA256 | ba5635d9700c8dfec9895e812c6e8ee0ba9c06e96594538092532433e8d22522 |
| SHA512 | 0cb4781280965f0b4e951a8afc71d88e3025b756a58bc2d8531cf3ad85d386499db4bc2c538de2aa8006f1dda58e2dce5489e5cc51c1820767312debab87581c |
memory/2528-30-0x000000013F300000-0x000000013F651000-memory.dmp
memory/1248-145-0x000000013FC80000-0x000000013FFD1000-memory.dmp
memory/2528-146-0x0000000002280000-0x00000000025D1000-memory.dmp
memory/1948-147-0x000000013F790000-0x000000013FAE1000-memory.dmp
memory/2528-148-0x000000013F8F0000-0x000000013FC41000-memory.dmp
memory/2528-151-0x000000013FE40000-0x0000000140191000-memory.dmp
memory/2856-160-0x000000013FE40000-0x0000000140191000-memory.dmp
memory/2528-169-0x0000000002280000-0x00000000025D1000-memory.dmp
memory/2876-170-0x000000013FD60000-0x00000001400B1000-memory.dmp
memory/1920-168-0x000000013F790000-0x000000013FAE1000-memory.dmp
memory/304-167-0x000000013F5A0000-0x000000013F8F1000-memory.dmp
memory/1976-166-0x000000013FB60000-0x000000013FEB1000-memory.dmp
memory/1692-165-0x000000013F700000-0x000000013FA51000-memory.dmp
memory/2868-171-0x000000013F950000-0x000000013FCA1000-memory.dmp
memory/1628-172-0x000000013F570000-0x000000013F8C1000-memory.dmp
memory/2528-173-0x000000013F8F0000-0x000000013FC41000-memory.dmp
memory/1480-227-0x000000013F0C0000-0x000000013F411000-memory.dmp
memory/2256-228-0x000000013F060000-0x000000013F3B1000-memory.dmp
memory/2400-231-0x000000013FB40000-0x000000013FE91000-memory.dmp
memory/2200-232-0x000000013F6D0000-0x000000013FA21000-memory.dmp
memory/860-234-0x000000013F300000-0x000000013F651000-memory.dmp
memory/2776-236-0x000000013FE80000-0x00000001401D1000-memory.dmp
memory/2432-244-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/2584-247-0x000000013FB50000-0x000000013FEA1000-memory.dmp
memory/2712-246-0x000000013FC20000-0x000000013FF71000-memory.dmp
memory/2732-249-0x000000013F540000-0x000000013F891000-memory.dmp
memory/1248-251-0x000000013FC80000-0x000000013FFD1000-memory.dmp
memory/2596-253-0x000000013FDF0000-0x0000000140141000-memory.dmp
memory/2856-264-0x000000013FE40000-0x0000000140191000-memory.dmp
memory/1948-266-0x000000013F790000-0x000000013FAE1000-memory.dmp
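The memory-dump names in the Files section encode the PID and the address range of each dumped region, which makes them usable for triage even without the dumps themselves. The Python below is an added example and not part of the sandbox report: it parses names copied from this page (both detonations), sizes the regions, and lists address ranges that were dumped under more than one PID. The meaning of the middle counter in the name is not stated on the page, so the code only carries it through.

```python
import re
from collections import defaultdict

# Memory-dump names copied from the Files section of this report (behavioral1 and
# behavioral2). The sandbox names them memory/<pid>-<n>-<start>-<end>-memory.dmp;
# what <n> counts is not documented on the page, so it is parsed but not interpreted.
DUMPS = [
    "memory/2528-0-0x000000013F8F0000-0x000000013FC41000-memory.dmp",
    "memory/2528-1-0x0000000000100000-0x0000000000110000-memory.dmp",
    "memory/2528-18-0x000000013F0C0000-0x000000013F411000-memory.dmp",
    "memory/2528-24-0x0000000002280000-0x00000000025D1000-memory.dmp",
    "memory/2256-13-0x000000013F060000-0x000000013F3B1000-memory.dmp",
    "memory/1480-14-0x000000013F0C0000-0x000000013F411000-memory.dmp",
    "memory/2400-27-0x000000013FB40000-0x000000013FE91000-memory.dmp",
    "memory/2528-37-0x000000013FE80000-0x00000001401D1000-memory.dmp",
    "memory/2776-41-0x000000013FE80000-0x00000001401D1000-memory.dmp",
    "memory/4492-0-0x00007FF6CF400000-0x00007FF6CF751000-memory.dmp",
    "memory/4492-1-0x00000239FAE70000-0x00000239FAE80000-memory.dmp",
]

_DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

def parse_dump(name):
    """Return (pid, n, start, end) with addresses as ints, or None if the name does not match."""
    m = _DUMP_RE.match(name)
    if not m:
        return None
    pid, n, start, end = m.groups()
    return int(pid), int(n), int(start, 16), int(end, 16)

def regions_by_size(names):
    """Map region size -> sorted list of (pid, start), so identical-size mappings stand out."""
    out = defaultdict(list)
    for name in names:
        parsed = parse_dump(name)
        if parsed is None:
            continue
        pid, _, start, end = parsed
        out[end - start].append((pid, start))
    return {size: sorted(v) for size, v in out.items()}

def shared_ranges(names):
    """Exact ranges dumped under more than one PID: {(start, end): [pids]}.
    A parent and a child PID sharing a range is worth reading alongside the
    WriteProcessMemory signature, but the page does not say how the region got there."""
    by_range = defaultdict(set)
    for name in names:
        parsed = parse_dump(name)
        if parsed is None:
            continue
        pid, _, start, end = parsed
        by_range[(start, end)].add(pid)
    return {rng: sorted(p) for rng, p in by_range.items() if len(p) > 1}

if __name__ == "__main__":
    for size, regs in sorted(regions_by_size(DUMPS).items()):
        print(f"size 0x{size:X}: {len(regs)} region(s) in pids {sorted({p for p, _ in regs})}")
    for (s, e), pids in shared_ranges(DUMPS).items():
        print(f"0x{s:X}-0x{e:X} dumped under pids {pids}")
```

On this page's data every image-sized region, in the parent and in every dropped child on both Windows 7 and Windows 10, is exactly 0x351000 bytes, and a handful of ranges appear under both the parent PID and one child PID; both facts come straight out of the names, and the parent's 0x2280000 heap-range region of the same size is the one worth carving first.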
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 06:36
Reported
2024-10-27 06:39
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
156s
Signatures
Cobalt Strike reflective loader
21 hits; the indicator, process and target fields are empty in this report.
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
45 hits; the indicator, process and target fields are empty in this report.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\REEvpab.exe | N/A |
| N/A | N/A | C:\Windows\System\HLxZxNg.exe | N/A |
| N/A | N/A | C:\Windows\System\cpQuocK.exe | N/A |
| N/A | N/A | C:\Windows\System\bsnFqyA.exe | N/A |
| N/A | N/A | C:\Windows\System\moCTHqA.exe | N/A |
| N/A | N/A | C:\Windows\System\wXDJfYR.exe | N/A |
| N/A | N/A | C:\Windows\System\fYdIJAb.exe | N/A |
| N/A | N/A | C:\Windows\System\uKIysLq.exe | N/A |
| N/A | N/A | C:\Windows\System\GNvyzoj.exe | N/A |
| N/A | N/A | C:\Windows\System\TZHSWgD.exe | N/A |
| N/A | N/A | C:\Windows\System\aPGTrEQ.exe | N/A |
| N/A | N/A | C:\Windows\System\QBXVDDS.exe | N/A |
| N/A | N/A | C:\Windows\System\JmrCQAc.exe | N/A |
| N/A | N/A | C:\Windows\System\qHLrMtQ.exe | N/A |
| N/A | N/A | C:\Windows\System\gDafbKx.exe | N/A |
| N/A | N/A | C:\Windows\System\gvidqzI.exe | N/A |
| N/A | N/A | C:\Windows\System\hLFMPXQ.exe | N/A |
| N/A | N/A | C:\Windows\System\mIPqLPP.exe | N/A |
| N/A | N/A | C:\Windows\System\QcPciEV.exe | N/A |
| N/A | N/A | C:\Windows\System\ozBMmoc.exe | N/A |
| N/A | N/A | C:\Windows\System\jaiWjkb.exe | N/A |
UPX packed file
64 hits; the indicator, process and target fields are empty in this report.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
As in the Windows 7 run, SeLockMemoryPrivilege is the large-page allocation privilege that XMRig requests at startup for huge-page hashing memory.
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-10-27_b3d35da5da48e4ced28158bef6ea655c_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\REEvpab.exe | C:\Windows\System\REEvpab.exe |
| C:\Windows\System\HLxZxNg.exe | C:\Windows\System\HLxZxNg.exe |
| C:\Windows\System\cpQuocK.exe | C:\Windows\System\cpQuocK.exe |
| C:\Windows\System\bsnFqyA.exe | C:\Windows\System\bsnFqyA.exe |
| C:\Windows\System\moCTHqA.exe | C:\Windows\System\moCTHqA.exe |
| C:\Windows\System\wXDJfYR.exe | C:\Windows\System\wXDJfYR.exe |
| C:\Windows\System\fYdIJAb.exe | C:\Windows\System\fYdIJAb.exe |
| C:\Windows\System\uKIysLq.exe | C:\Windows\System\uKIysLq.exe |
| C:\Windows\System\GNvyzoj.exe | C:\Windows\System\GNvyzoj.exe |
| C:\Windows\System\TZHSWgD.exe | C:\Windows\System\TZHSWgD.exe |
| C:\Windows\System\aPGTrEQ.exe | C:\Windows\System\aPGTrEQ.exe |
| C:\Windows\System\QBXVDDS.exe | C:\Windows\System\QBXVDDS.exe |
| C:\Windows\System\JmrCQAc.exe | C:\Windows\System\JmrCQAc.exe |
| C:\Windows\System\qHLrMtQ.exe | C:\Windows\System\qHLrMtQ.exe |
| C:\Windows\System\gDafbKx.exe | C:\Windows\System\gDafbKx.exe |
| C:\Windows\System\gvidqzI.exe | C:\Windows\System\gvidqzI.exe |
| C:\Windows\System\hLFMPXQ.exe | C:\Windows\System\hLFMPXQ.exe |
| C:\Windows\System\mIPqLPP.exe | C:\Windows\System\mIPqLPP.exe |
| C:\Windows\System\QcPciEV.exe | C:\Windows\System\QcPciEV.exe |
| C:\Windows\System\ozBMmoc.exe | C:\Windows\System\ozBMmoc.exe |
| C:\Windows\System\jaiWjkb.exe | C:\Windows\System\jaiWjkb.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 214.143.182.52.in-addr.arpa | udp |
The reverse-DNS (in-addr.arpa) lookups to 8.8.8.8 and the bing.com and bing.net connections are typical Windows 10 background traffic in a sandbox and are not attributable to the sample. The only destination present in both the Windows 7 and Windows 10 detonations is 3.120.209.58:8080 over TCP, six connections in each run, with no domain name involved.
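Separating the sample's own traffic from sandbox background noise is the first thing to do with a Network table like the one above. The Python below is an added example, not part of the sandbox report: it parses rows copied from this page, drops reverse-DNS lookups to the sandbox resolver and an assumed allowlist of Windows background domains, and counts what remains per destination. Because the extracted tables drift (rows without a Domain value carry the protocol in the Domain column, and one row has only three cells), the parser tolerates both forms; the allowlist is an assumption of this example.

```python
from collections import Counter

# Rows copied from the Network tables of this report, including the drifted forms:
# rows with no Domain value have the protocol in the Domain column, and one row has
# only three cells. The parser below accepts both.
NETWORK_ROWS = """
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
"""

# Assumed allowlist of Windows background traffic seen in sandbox runs; extend per estate.
BACKGROUND_DOMAINS = ("bing.com", "bing.net")
SANDBOX_RESOLVER = ("8.8.8.8", 53)

def parse_row(line):
    """Return (country, ip, port, domain, proto) for a table row, or None for other lines."""
    line = line.strip()
    if not line.startswith("|"):
        return None
    cells = [c.strip() for c in line.strip("|").split("|")]
    if len(cells) == 3:                              # "| DE | ip:port | tcp |"
        cells.append("")
    country, dest, domain, proto = cells[:4]
    if domain in ("tcp", "udp") and proto == "":    # protocol drifted into the Domain column
        domain, proto = "", domain
    ip, _, port = dest.rpartition(":")
    return country, ip, int(port), domain, proto

def classify(row):
    """'ptr-noise' for reverse lookups at the resolver, 'background' for allowlisted
    domains (and their DNS lookups), otherwise 'candidate'."""
    _, ip, port, domain, _ = row
    if (ip, port) == SANDBOX_RESOLVER and domain.endswith(".in-addr.arpa"):
        return "ptr-noise"
    if domain.endswith(BACKGROUND_DOMAINS):
        return "background"
    return "candidate"

def triage(table_text):
    """Count candidate destinations as {(ip, port, proto): connections}, dropping noise."""
    counts = Counter()
    for line in table_text.splitlines():
        row = parse_row(line)
        if row is not None and classify(row) == "candidate":
            _, ip, port, _, proto = row
            counts[(ip, port, proto)] += 1
    return dict(counts)

if __name__ == "__main__":
    for (ip, port, proto), n in triage(NETWORK_ROWS).items():
        print(f"{ip}:{port}/{proto}  {n} connection(s)")
```

Run against the full table on this page the only surviving destination is 3.120.209.58:8080/tcp, which is also the sole entry in the Windows 7 run's table; that, not the bing or PTR traffic, is the indicator to block and hunt for.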
Files
memory/4492-0-0x00007FF6CF400000-0x00007FF6CF751000-memory.dmp
memory/4492-1-0x00000239FAE70000-0x00000239FAE80000-memory.dmp
C:\Windows\System\REEvpab.exe
| MD5 | f72cbbbf686f81ebabc23252ac7aeb7b |
| SHA1 | 87098c09a2f829563841e118ec1efb288398f718 |
| SHA256 | 0e4c733ad4d8c0bd6392065baeba831fa40198a0216e6e35938bbadeb690f852 |
| SHA512 | fe6df8794bde67896d38b563ffc84d0f18892f492e7120d7874e31d534f5d8a4e2a8a3e487e8d271ee80f9fc6ac8bbd36c6421820706e588cbe62e5dbcf7512b |
memory/4520-7-0x00007FF734400000-0x00007FF734751000-memory.dmp
C:\Windows\System\cpQuocK.exe
| MD5 | 905edd8c977a24a4a54272327e33d76d |
| SHA1 | 36387748787931d9b83d686ddf43dd697a96afe1 |
| SHA256 | a457e9d615583800831490ec65216a208ada7671f3f3383e1c0ab354d02e4700 |
| SHA512 | 33bad3aded3495005c53461159d3bff9452585e0fa14dba5c368f78d3055f3f5203179e6492630633207e2cf7888c56b2ecb93b9faa8a465a8cebf50b316305a |
C:\Windows\System\HLxZxNg.exe
| MD5 | c226c4a793e532cdddbcb6eab02e65ff |
| SHA1 | 48d06c9d3d6c09efacf2941ce94c7a10219684b5 |
| SHA256 | 3a170fb3ea26aec8ef6992bf35bba6169413e8573b8e28828c42e92fbdb733d7 |
| SHA512 | 252bc14c6e634dd9030a8e87249b2c42eb3d1c3af15a2bc68c1900367b501d62492335897d46a7ba51b19086058c9b7842d15b6a3789d2ae3537021afef9ffcc |
memory/1140-12-0x00007FF737ED0000-0x00007FF738221000-memory.dmp
memory/1728-18-0x00007FF74A310000-0x00007FF74A661000-memory.dmp
memory/5020-24-0x00007FF7BDF90000-0x00007FF7BE2E1000-memory.dmp
C:\Windows\System\bsnFqyA.exe
| MD5 | 14bf91da3603fd349bbba121711563d6 |
| SHA1 | 4858e142b233c8931b95a3a427b2fdf94b83765f |
| SHA256 | a4eb03c8520a239adb4eb50031ddc4465dd1f72c43fa5ac723239991d22b47ef |
| SHA512 | e8d7d75f583c37e16177250f69843b6d14d9dda92610a7c7573547cc903947997dffa7226b087651800ae2daea52bb1b91405cafbe1d549d65073d77366bffe4 |
C:\Windows\System\moCTHqA.exe
| MD5 | 7c426409871a0240fca054e04bdeefd7 |
| SHA1 | 2c4964a4ff6d4ee2f867c30bd0a312fde8010c47 |
| SHA256 | 87153fedc1ae604f1e8f91bdc43648eacceed42d072c3b12722a98e5dc986836 |
| SHA512 | e209b3f876d90dee7ef1f772df7d5f60530326f64a622f480aa92e733d266c1cb6858d3f0ca585d963d06590fb59f4734bdf75c078ff3d52527f5abc18daf950 |
memory/5028-29-0x00007FF7F73F0000-0x00007FF7F7741000-memory.dmp
C:\Windows\System\wXDJfYR.exe
| MD5 | 5c15806a07c61df9d50ff0550d289a3c |
| SHA1 | c38a4049cabc1d9b82542015e1f59ee88ec64a15 |
| SHA256 | ad19fee7173c6b17fb1d5b7224a68fb1ef9a651db67a8e496f8f3b504991f091 |
| SHA512 | 26636242647ff7002623712ae2a25fb1d89478471b8510f201888d5c7ac7936046eba6d3b4fd070dc6232770f07da1b0bfd68bc6a5acbdd12add9e41e3253380 |
memory/4480-36-0x00007FF73A6E0000-0x00007FF73AA31000-memory.dmp
C:\Windows\System\uKIysLq.exe
| MD5 | 80e8b9e21d517d54922ccd579c0be708 |
| SHA1 | 6aee4de544e97e36134c1dc6c38ce681b15db545 |
| SHA256 | ceaa3dfb352966fc5d146eaa8654a5fe37e57cc8d109c7b4d15e46b807e65002 |
| SHA512 | 7b745636846987e2c46e215dafac67edc92bf972c568cf334897611d736998d8ae57b6fad561d3cd2d422bec921f3b7dccc9f8b4688f149239b905d2f0d7f7d3 |
C:\Windows\System\GNvyzoj.exe
| MD5 | d1919ecff259ac1a2229e3eaec8782de |
| SHA1 | 2e5a06074b25cb410fc962ab71edce4068176cb6 |
| SHA256 | 844cd34f68b5195a0ab4ac7391fe986946d5e3c0e9cff05108f417da837973e3 |
| SHA512 | 2cafb29ca50fb91bff52bda82fc1d9b21fd0be64ca8ef0d9b2ea45885cd7c6cf84cebce3c28934532ce8a645808b6c51949ab4756160ed883242645baa7c01f3 |
memory/4520-54-0x00007FF734400000-0x00007FF734751000-memory.dmp
C:\Windows\System\TZHSWgD.exe
| MD5 | c5b64e1c51e0f8243f0028ba24a592ec |
| SHA1 | 55640b9098fd8c70a0c06f3639a22d35392a19a4 |
| SHA256 | 8561678b78ab3e32b2820b2883fe9eb69b1d6390baebf131f24fbd2cada15b87 |
| SHA512 | a00b00c8d11ca190372b8fefa006b3a4d986c4fa71401ccbfd1de7e52bd5de0591e2917ec6e124237ae7dfcd970a0a933d7c1734a98d60f09905bc3204795718 |
C:\Windows\System\fYdIJAb.exe
| MD5 | 87fab2e9d189500aff27ae2950946e42 |
| SHA1 | 1e1ab35d64ef66c9b40b6d9c7c64aa2dee4a9e5e |
| SHA256 | 7e2b97e76f54ed393a37cbd9238693ec596c4db2db6d6941c6ef93d0dbeb8b08 |
| SHA512 | 16a7f0749c15ddbbf8db0d2fa2c5bbb1c453b69cf2cae3f82d57badf407b5d294e9eb72383d1aa2df0daf6a44b098f9b77bcab49ea364ea8ce3e60470955ce43 |
C:\Windows\System\aPGTrEQ.exe
| MD5 | 52675f4ab5ec8513ecf507c4655ddf78 |
| SHA1 | 88d9bc40a590c61629d1f99e3976b6c5ca2666d8 |
| SHA256 | 97652f2ea3c8997cdfd6651bb6792de47cf3793f9a5d3436572ff12d480246b8 |
| SHA512 | a4d462dc312fd877b21f0f009f8ec8995c11c8ef0158da0c185ca82739922e747ed279a0be005a8548ba3d302375a7ca22c8c1137c11c49c436198d3edb118f0 |
C:\Windows\System\QBXVDDS.exe
| MD5 | b3eed2f9b9ea32596f62d0d423013b16 |
| SHA1 | b5c01f9f5f4002c0dc1215a80b9ab88df9578050 |
| SHA256 | 5f044e86bd5dc982d9c8420999581da80be04e22bf6014bb5ffd2051b4283671 |
| SHA512 | f755349df980420421e232b2795b1bbdddc81db068f2de19dcfd3a98b1f0ebd88f1b58d770d2abb2fef55ebefd2cf34d5ba693d8a805f1dd6df34cd1341e526b |
C:\Windows\System\JmrCQAc.exe
| MD5 | 0e811e25105f06fd703efa76094a0172 |
| SHA1 | dc191ce7141d0fbac06b45fb56e56a51baedd8d1 |
| SHA256 | d5e68ae252262decf21e93f9225a7bf0d28e2931f76f7337082b0373dc2fd755 |
| SHA512 | e66de1ec15525152d9839136d36cbb275be84e879200d8f284029c30764bde31cdc5013f6e419008053afa6fa8f9e75cf718cf10335bd893ababd7fba38e0e9e |
C:\Windows\System\qHLrMtQ.exe
| MD5 | bdad01dd6d071e03cc2455a246989d10 |
| SHA1 | 83729ffdab11661c3008387d16ec3ea016150193 |
| SHA256 | faf9df1e168f7916ef4920cea772288bc349227a51ab29eae0dbebfa0b0da30b |
| SHA512 | ad216c516a3e82343e3f60aa87b3b7fe9d975ca70e9526c3e5a6ee5a8c53203f750be3294d74fe2578b10b3d1904dc0c2ff9023ba433e02a32e958f42f61617f |
C:\Windows\System\gDafbKx.exe
| MD5 | ef6109cccfca1d7c1191ca99413f1ee7 |
| SHA1 | 10fca5f9b551c0220f63fb4368a0dcb15893acfd |
| SHA256 | c54fc13d73d517517dbc77c6a31d815892bebd34785a89e6334f04ee98c00e40 |
| SHA512 | b05ad0be48c86fed176ea687f1a287467744b25ca69486dcf189720413c3928692180184af38308bb7d0791f685cd412df762ea996b3f022a62246a5dfedf06c |
C:\Windows\System\gvidqzI.exe
| MD5 | 5545fd5d54df4b4e9920dcf7b9402e18 |
| SHA1 | 081113b1ccc72803bf213229241f02ae66533247 |
| SHA256 | 4c8bbea5e8e3bc6912c4e317b90f555cab16c765a77f03c76d73169c0b0528d9 |
| SHA512 | 3f8da1a573570300959f478ffdac77376da57882e141289394fcf522770f852771e35411029eae60cfffc049d77f129ad48795c98f9f5d745e0feb62e79f32ab |
C:\Windows\System\mIPqLPP.exe
| MD5 | 36b8c4f1c36996fb3c1a722975fb3cc6 |
| SHA1 | e35f73f534b3b7581b37c0d3d84b80570361c033 |
| SHA256 | e5f2e79ec221efe355dddf4c0d7db9dd8555f1d9511e4fb69e224683fbdb90e1 |
| SHA512 | 1888a905fbde245a96206e4ff61b0b6b8bab9634ecb54b035643f9bcf1a2b80b8470ff4e7190a6c1aa3861c98074526f9a44f3bc02e509fc9a3beb745d4d7fad |
C:\Windows\System\QcPciEV.exe
| MD5 | 789a05f9b6e8e7345afe1642e8d37d32 |
| SHA1 | c97e923274732b6ce834aeede176c5bb5b31f17d |
| SHA256 | aa9985456e9723b411ee231494b3626c40e741aca0bceb6b105fbe09c6dda859 |
| SHA512 | 54fb9b1a1043283dfe93bde18ff81088fd9b0faa2c399a9803bf7e2941d3b24654f67ffc385e28cd4d4542e4402b24c2778c08a647b99534bbe8e3caddd7b8ba |
C:\Windows\System\ozBMmoc.exe
| MD5 | edd7c433e42ee7473657fa3e6a9db27a |
| SHA1 | 63a7bad2107b5706474440b31ce480d41cecd7d9 |
| SHA256 | 96ceb81fcc33d049947a10be5a002622a8c6e6ae1dc9cc58726393cc8f2ed4a1 |
| SHA512 | a23eb6a87fb0f7a6eff484599a3d90a02d0160febacd8db23dc8c0f4b2d57c013eeae8fb00d1dcd70af61ceb6b0ff48fb77338d9b309f12f9bf7b79fffdc49ab |
C:\Windows\System\hLFMPXQ.exe
| MD5 | c4d1afaeacdfbb0bae4c3ce5f59f61a9 |
| SHA1 | 4f2268e3993d127269307f29b64bbca21c8ee3c1 |
| SHA256 | 0e8ba8f3352e52c6c808187866ed1157308c81423b26d769f15437bd8052f45a |
| SHA512 | 3176f6f63a8ddb3b9c5120717f7b4bb5ea82fa3d0e07620ddffc85de189b35f4698aca220f883eef04e59175ee6f055b86182495652d1b58fdb4478fcd99314a |
C:\Windows\System\jaiWjkb.exe
| MD5 | 9b80ca68c41d236bee400b74bce759f6 |
| SHA1 | 745e6d218103a5dde73da619c1ac7f5c3f05680f |
| SHA256 | 62a1cb7134826e3824d12f67b7df53b058778642c355c0b7d2d97409b70b8ff9 |
| SHA512 | 902fdf43dde008fb753a59a9a53093cdbe7c4ef101713c811368c4c8bbd5c040bd92eeb937e81917cb0989bfe4ecddfa117a3c9e9f88a6afc96d070a996edf06 |