Analysis Overview
SHA256
25476d0e8bc30105d04b4cbebb6f35bfd67aab9a3f3ec39c0d5d5d28ac871d14
Threat Level: Known bad
The file 2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobaltstrike family
xmrig
Cobaltstrike
Cobalt Strike reflective loader
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-27 06:44
Signatures
Cobalt Strike reflective loader
1 hit; no description, indicator, process or target was captured for it.
Cobaltstrike family
XMRig Miner payload
1 hit; no description, indicator, process or target was captured for it.
Xmrig family
UPX packed file
1 hit; no description, indicator, process or target was captured for it.
Unsigned PE
2 hits; no description, indicator, process or target was captured for them.
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 06:44
Reported
2024-10-27 06:46
Platform
win7-20241023-en
Max time kernel
141s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits; no description, indicator, process or target was captured for them.
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
43 hits; no description, indicator, process or target was captured for them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\VWtMnGB.exe | N/A |
| N/A | N/A | C:\Windows\System\aRmmTRA.exe | N/A |
| N/A | N/A | C:\Windows\System\zEJKxbB.exe | N/A |
| N/A | N/A | C:\Windows\System\CEwlwrr.exe | N/A |
| N/A | N/A | C:\Windows\System\PCRZOXO.exe | N/A |
| N/A | N/A | C:\Windows\System\PeuyzFE.exe | N/A |
| N/A | N/A | C:\Windows\System\xPaHSYa.exe | N/A |
| N/A | N/A | C:\Windows\System\sowPrZc.exe | N/A |
| N/A | N/A | C:\Windows\System\hzgAzzF.exe | N/A |
| N/A | N/A | C:\Windows\System\DnoeiQa.exe | N/A |
| N/A | N/A | C:\Windows\System\npviuaS.exe | N/A |
| N/A | N/A | C:\Windows\System\wKwjVrG.exe | N/A |
| N/A | N/A | C:\Windows\System\CtlJZgI.exe | N/A |
| N/A | N/A | C:\Windows\System\ndcMFbn.exe | N/A |
| N/A | N/A | C:\Windows\System\fQatnDL.exe | N/A |
| N/A | N/A | C:\Windows\System\btLndnr.exe | N/A |
| N/A | N/A | C:\Windows\System\qccQXQx.exe | N/A |
| N/A | N/A | C:\Windows\System\KcsGaGr.exe | N/A |
| N/A | N/A | C:\Windows\System\RXThbFM.exe | N/A |
| N/A | N/A | C:\Windows\System\WRccnXE.exe | N/A |
| N/A | N/A | C:\Windows\System\clDqlub.exe | N/A |
Loads dropped DLL
UPX packed file
64 hits; no description, indicator, process or target was captured for them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\VWtMnGB.exe
C:\Windows\System\VWtMnGB.exe
C:\Windows\System\aRmmTRA.exe
C:\Windows\System\aRmmTRA.exe
C:\Windows\System\zEJKxbB.exe
C:\Windows\System\zEJKxbB.exe
C:\Windows\System\CEwlwrr.exe
C:\Windows\System\CEwlwrr.exe
C:\Windows\System\PCRZOXO.exe
C:\Windows\System\PCRZOXO.exe
C:\Windows\System\PeuyzFE.exe
C:\Windows\System\PeuyzFE.exe
C:\Windows\System\xPaHSYa.exe
C:\Windows\System\xPaHSYa.exe
C:\Windows\System\sowPrZc.exe
C:\Windows\System\sowPrZc.exe
C:\Windows\System\hzgAzzF.exe
C:\Windows\System\hzgAzzF.exe
C:\Windows\System\DnoeiQa.exe
C:\Windows\System\DnoeiQa.exe
C:\Windows\System\npviuaS.exe
C:\Windows\System\npviuaS.exe
C:\Windows\System\wKwjVrG.exe
C:\Windows\System\wKwjVrG.exe
C:\Windows\System\CtlJZgI.exe
C:\Windows\System\CtlJZgI.exe
C:\Windows\System\fQatnDL.exe
C:\Windows\System\fQatnDL.exe
C:\Windows\System\ndcMFbn.exe
C:\Windows\System\ndcMFbn.exe
C:\Windows\System\btLndnr.exe
C:\Windows\System\btLndnr.exe
C:\Windows\System\qccQXQx.exe
C:\Windows\System\qccQXQx.exe
C:\Windows\System\KcsGaGr.exe
C:\Windows\System\KcsGaGr.exe
C:\Windows\System\RXThbFM.exe
C:\Windows\System\RXThbFM.exe
C:\Windows\System\WRccnXE.exe
C:\Windows\System\WRccnXE.exe
C:\Windows\System\clDqlub.exe
C:\Windows\System\clDqlub.exe
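The process list above is the behaviour a defender can key on: one parent launching a run of 7-letter, randomly named executables out of C:\Windows\System (the legacy directory, not System32, which legitimate software almost never writes to), plus the parent enabling SeLockMemoryPrivilege, the right XMRig asks for to use large pages. The following detection logic is an added example, not code from the report or from any sandbox vendor. The event records are constructed to resemble Sysmon process-creation (Event ID 1) and Windows Security token-privilege-adjustment (Event ID 4703) records; their field names, the burst threshold and the SeLockMemoryPrivilege allowlist are assumptions of this example.

```python
import re
from collections import Counter

# The original sample path as listed in the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661"
          r"_cobalt-strike_cobaltstrike_poet-rat.exe")

# C:\Windows\System (the legacy directory, not System32) is a location legitimate
# software almost never writes to; the report shows 7-letter random names dropped there.
DROPPED_EXE = re.compile(r"^[a-z]:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)

# Assumed allowlist of processes expected to enable SeLockMemoryPrivilege (large pages);
# SQL Server configured with "Lock pages in memory" is the usual legitimate holder.
LOCK_MEMORY_ALLOWLIST = {
    r"c:\program files\microsoft sql server\mssql\binn\sqlservr.exe",
}

# Constructed events in a Sysmon Event ID 1 / Security Event ID 4703-like shape.
# Field names are an assumption of this example, not taken from the report.
EVENTS = [
    {"Type": "ProcessCreate", "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe"},
    {"Type": "ProcessCreate", "Image": r"C:\Windows\System\VWtMnGB.exe", "ParentImage": SAMPLE},
    {"Type": "ProcessCreate", "Image": r"C:\Windows\System\aRmmTRA.exe", "ParentImage": SAMPLE},
    {"Type": "ProcessCreate", "Image": r"C:\Windows\System\zEJKxbB.exe", "ParentImage": SAMPLE},
    {"Type": "PrivilegeAdjust", "Image": SAMPLE, "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    # Look-alikes that must stay quiet: System32, a non-random name, an allowlisted process.
    {"Type": "ProcessCreate", "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Type": "ProcessCreate", "Image": r"C:\Windows\System\setup16.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Type": "PrivilegeAdjust",
     "Image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege\r\n\t\tSeIncreaseWorkingSetPrivilege"},
]


def detect(events, burst_threshold=3):
    """Return (rule, detail) findings for the dropper/miner behaviour seen in the report."""
    findings = []
    spawned = Counter()  # parent image -> number of dropped EXEs it launched
    for ev in events:
        if ev["Type"] == "ProcessCreate":
            if DROPPED_EXE.match(ev["Image"]):
                findings.append(("dropped_exe_in_windows_system", ev["Image"]))
                spawned[ev["ParentImage"].lower()] += 1
        elif ev["Type"] == "PrivilegeAdjust":
            # 4703 lists privileges separated by whitespace/newlines; split on either.
            privs = set(re.split(r"[\s,]+", ev["EnabledPrivilegeList"].strip()))
            if ("SeLockMemoryPrivilege" in privs
                    and ev["Image"].lower() not in LOCK_MEMORY_ALLOWLIST):
                findings.append(("lock_memory_privilege", ev["Image"]))
    # One parent launching several freshly dropped EXEs is the dropper burst itself;
    # the report shows 21 such launches from the sample process.
    for parent, n in spawned.items():
        if n >= burst_threshold:
            findings.append(("dropper_burst", f"{parent} launched {n} dropped EXEs"))
    return findings


if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"{rule:32} {detail}")
```

The path rule fires on the directory and naming pattern rather than on hashes, because each detonation produced a fresh set of names and digests; the privilege rule is the one most likely to need local tuning, so it is driven by the allowlist rather than hard-coded.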
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2320-0-0x000000013FE30000-0x0000000140181000-memory.dmp
memory/2320-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\VWtMnGB.exe
| MD5 | bba9377d72745cd8b306f780adf44315 |
| SHA1 | 36a5f6f6a99419efae6f0f87e0355a8634ddf43c |
| SHA256 | 4e9fdef7f6c88799ecabe27198c6ecbb3473e42e6bb6f6ba938a1490da99be06 |
| SHA512 | a970ef5a5ef8f25e44c7de4ae7d6e241e1edd8ad38df452943c44bbb39098833ecf2c8658b7d825bf27738a8f6ac6ba3231e6c0944d1d4a5dde1eabf11c5ce0b |
\Windows\system\aRmmTRA.exe
| MD5 | e85e663f8bde30a61870682577e1f2d3 |
| SHA1 | c5be3b44941aae73747137c0766b2d328a38eefa |
| SHA256 | 45bab920ba83d986d176ea15a52b87c9ebb048dba74aec664aaef01d81a6b167 |
| SHA512 | cbb9490340997e2cdced00187f6ba2de521afd041afee9db05945e6bdfb060138276972735200fa16d1af4296def1b5ebb035a50c6b7c29c6659d3739f0454f0 |
memory/2320-16-0x000000013FA20000-0x000000013FD71000-memory.dmp
\Windows\system\CEwlwrr.exe
| MD5 | 8497d754fcf5311238c021680dc72b41 |
| SHA1 | 7b27828a0ff1760311f8acf782cfa985f887cfeb |
| SHA256 | 1d4dfd65d7f4edc16298321e2f855f0176c8f9154caf877623c8c5824dd298b8 |
| SHA512 | 44d2e83d7a601abc755a84cec83c79de8a35eb40cd62e8ec3a67f0db2fe42be0831d49f18f1467fbaef38d24bd1b82b2cc17585bae81793768fddb0c752d8253 |
memory/2320-28-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
C:\Windows\system\zEJKxbB.exe
| MD5 | 83583e03634beb31b9c5f87a70b0fb44 |
| SHA1 | b4d3528258d816f84ab055639b74f3ca3da3ed74 |
| SHA256 | f09676004c55d6c11d781298b6a4d212f27feace4b65377296f5e4c880f82cd1 |
| SHA512 | 94e947d32ecb0916984ce2c16d61cdc27983a2cae2a57532209187c441caa8ce4da20b4e338dce1c210a0aa669c9ce1d5bea791beb4ae43cf0130af3bb4e8626 |
memory/2304-27-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/1924-24-0x000000013F660000-0x000000013F9B1000-memory.dmp
memory/2572-14-0x000000013FA20000-0x000000013FD71000-memory.dmp
\Windows\system\PeuyzFE.exe
| MD5 | 3bc41bc1d6181af5e821ea3cc24627b7 |
| SHA1 | 3e5329745b29302d2a50ce58316e9705d1bfdedd |
| SHA256 | 54d533c853b67c0361519458771bdc8fb4254187e5a979ff16d5cbe73a1dbb6f |
| SHA512 | 3734dfcd0b060c0910dd29b2a2fa07ecc8736704abd1c39c57adad0c927d257a227c906d4f46de70ebc596fcace97df163b8b434e2e4a2bade686bdfdb085181 |
memory/2320-40-0x000000013FE30000-0x0000000140181000-memory.dmp
memory/3048-34-0x000000013FB90000-0x000000013FEE1000-memory.dmp
C:\Windows\system\PCRZOXO.exe
| MD5 | 8b8bc9d56c117132540d03dfa90e4e19 |
| SHA1 | 13b607c9a44154ca2cec08f7548cde83dee6bfbf |
| SHA256 | e62f7e0b90de5bde8900912b3354ca938a9b73429bb31a4183ee7201327dc28a |
| SHA512 | 0e4372db586eff6201b13c5e17454777637c3426c378abb535362f0cea01c596ce0d4cb5e5c461f49d58e346c7c320b63fff530bf025095110300dfcc48b85c3 |
memory/2320-30-0x00000000022D0000-0x0000000002621000-memory.dmp
memory/1800-41-0x000000013FF50000-0x00000001402A1000-memory.dmp
memory/2320-37-0x00000000022D0000-0x0000000002621000-memory.dmp
memory/2080-13-0x000000013F930000-0x000000013FC81000-memory.dmp
memory/2320-50-0x000000013F6E0000-0x000000013FA31000-memory.dmp
\Windows\system\xPaHSYa.exe
| MD5 | 05f9dbc43ae2192b4e2982cc178bcd44 |
| SHA1 | 23916f26dc257548899019ac8be93207457da61a |
| SHA256 | 7261026b82fd53600dc0a185b6730d86db17ee7716f430e63b2a7ba5e9b92b3b |
| SHA512 | 094a9e394b90254bc4e4ce5d02577fccaad91bb56a0b69ca9a01d443622689fed910d7f7f1d874c7f81f5c9e2fcf74fb9eaca6f058942c4b95b37ccb08b5090d |
memory/2936-48-0x000000013F490000-0x000000013F7E1000-memory.dmp
memory/2080-44-0x000000013F930000-0x000000013FC81000-memory.dmp
\Windows\system\sowPrZc.exe
| MD5 | 8e93280a751e79b18e8928ae815eb522 |
| SHA1 | cc73c249e17bc32e37eb9bfba185943752666b89 |
| SHA256 | 15aa174bda50c68ee2e57712f299b4e73d737eb0cd7d109fcc87f30c2b20a009 |
| SHA512 | 066a6d2aa63d3f9b4eb18bed82a72f0efad004c6d0d49d7029fc297e2630717b0ada46ee2bc9c419af654f5efee07a1a1c4f8abb5f4c64510ec751b7a8edbbf5 |
memory/1924-55-0x000000013F660000-0x000000013F9B1000-memory.dmp
memory/2728-56-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/2304-59-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/3048-68-0x000000013FB90000-0x000000013FEE1000-memory.dmp
memory/2320-72-0x00000000022D0000-0x0000000002621000-memory.dmp
\Windows\system\wKwjVrG.exe
| MD5 | 62e60f26087f6677eb2a5d4a5c62e626 |
| SHA1 | 06e05340a7ba0b48ee22b62238cb33459656d3e1 |
| SHA256 | 39125a7ee5dabc16d1d52848fc77739476907c930ba8b3ef87f2e4b664d0d5ec |
| SHA512 | 8c26ebea1f93e18536d1908b463941fb7e2005452ddb525b87857ec6891cdc74c6d14fed307ceeb2d629e91062c55aa53aa17e2ebc257d45ab5373e74435c036 |
C:\Windows\system\hzgAzzF.exe
| MD5 | 3ee0d1cbd13179c61d358709bd6fb716 |
| SHA1 | 85ab74e07da2f9308fc159f556415ac83129c348 |
| SHA256 | 4ab5795805562eb41ea4a74f0e4b00269a311872096e8c52fce7a8260133837f |
| SHA512 | 3fc38349eb1514244aa857a91c2b8525f37c2b011d57bc407982977129594833b6aee450813541d1a8897334ac06c621104afa427ac9dd01ca5c4d3dfa3e1aa4 |
\Windows\system\npviuaS.exe
| MD5 | d1eea845370eed2c614cbfb0ba8d3bd8 |
| SHA1 | aeb4b00dbd036c6a1ff91d00e44ff7e66f8afb9b |
| SHA256 | 6144b8fca8a46d6e863524561fa0d8fc93260bbd49b2f4558a82c14e93ffe89a |
| SHA512 | 3fbdca41b429ec8d014ff920002ef4a9b55e117ba49d5061fd92abb925c4ba56cd6e1e7c4e5ee58a5ce7915ca9b77825c4c53c014ee7c60001d9fd346b08946f |
memory/2616-88-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/1800-86-0x000000013FF50000-0x00000001402A1000-memory.dmp
\Windows\system\CtlJZgI.exe
| MD5 | 188c04d3eef156c9bd6103d77b6d8ef8 |
| SHA1 | 07e5bb0008415974ef7ab965e2b652cef615b8a4 |
| SHA256 | 26fd8ef14ef540d5fb576ab70f679702ecf9e683a773dcc3f566fea69c985a2f |
| SHA512 | ae6785143704ee3a55015c16dcce95bdded212717b8b3b4c4cf891c0d0f317d071ee328cc6f81e6f52e7570c682356872da0dfd3aed7d549b0dbe25f19c5f915 |
memory/2728-103-0x000000013F6E0000-0x000000013FA31000-memory.dmp
\Windows\system\fQatnDL.exe
| MD5 | 1ed23a4c03e18cb87e82b3f4c6f75c8c |
| SHA1 | 9856793e633ab5e22d01f60472ec6576f26576ab |
| SHA256 | 0cbaa1ef1784e70e3c73456194fc9064e107ec62eb88837d0ab1ead1a6983bbf |
| SHA512 | fd68bf208ff218b9ac40de2fdc3ce23e0da31c2e3511afc61ce8f2afc80b2e18fb0ba4311167df6a60f22a72cb90a285676920be868835a12c0d7bf14fa48c0b |
C:\Windows\system\qccQXQx.exe
| MD5 | e2d71d8d731d2b5a954ccd2f63dccdfe |
| SHA1 | e31f35efbc8f9e4528310c8e73c9df974128725c |
| SHA256 | b05452cb68dcc7a989961d7b12c38cb30f7efd1c74d97baa331602f19d47206b |
| SHA512 | 8ed7aab0c77dbed43562f8bc4402249c09286b413d27b4c62d7174cdc5f44414e43405247c97a1aaa6e5e162e817b7e5eab0b3dba7dc6e869788ccf3ede05c9a |
C:\Windows\system\KcsGaGr.exe
| MD5 | 4114122921c139f9f0c312954b5c207c |
| SHA1 | 641f0adffa4af2600c2574d055ae2b7355f322aa |
| SHA256 | f22945a879580997eded105e3c4bf4e7682326ce518a025cc727ae24d2f2f04c |
| SHA512 | 6f558986e3c480479fa69ab0d82f764630ee1eeb08500bda83b02cecf2a775e99d643eec84a29fd96be62a3a4be1c09647c0dbcb06ff869d2342ef6806dfae45 |
C:\Windows\system\RXThbFM.exe
| MD5 | 73f64cfb42cc8780f30dff90c53956f8 |
| SHA1 | 1ee6e3f176248cc5d2494872a81af270b4d5cfdc |
| SHA256 | 568ed4f7c0e5624056f73087e3436f5c500c4154a50251f08727699261a0ac93 |
| SHA512 | b7c23ff1285792d7f022ac58b7a2bc64af42c59242e00fe6770e998f0f8d08ff1c1f0ea801528ca36ac2bb1fdecdf7533d8d14f298d495cb823cb60101079d5f |
C:\Windows\system\WRccnXE.exe
| MD5 | 47833f7bf8e79130be5d3b7c2ae611cf |
| SHA1 | bbb55c9b1fea07c6a43f877ef8b252f3ad6a1743 |
| SHA256 | 1f585dd15914c906bc44e96a9f43892c8080384132f915240fd2053fd642fa79 |
| SHA512 | fef48f690f7a12b340741cdbd0122784292485ac76082191ce91e4bc13fb87699bb89e9f48063d37efa31210d97b498a909293d7de9092cd7134c27979ce798d |
C:\Windows\system\clDqlub.exe
| MD5 | bb4410b585a098a413c9c0671eeb3e58 |
| SHA1 | 622c44d197f0c6d26b2350f8f7c462895474bef7 |
| SHA256 | 6c570e919ab81f1ad8ca40c4eca1f7930a79d3e6bf1e564db9c741206b09f715 |
| SHA512 | a28abb28d0faf38e6f2630e32c656d233a383487966641c832a1be6a090099ca6771f5d4e27f66c415123685d51069da9f70527b918cc1e0ca69d9ad0cc4e018 |
C:\Windows\system\btLndnr.exe
| MD5 | 89e2989c71080140100d87e98a36c881 |
| SHA1 | 5484229ef67d614f60893de2ec3e4e72cc8c0a82 |
| SHA256 | 459ac8425b211cb86e2c4c3d79602c29cb1585fbeaa5561e331a04bbc5e2d206 |
| SHA512 | 60f597203e8eb3b7109cb1a2fcd8f993d14c1e6206106c529dda1a237d969c5ef9c748af3b70f8c327db34f510393b18bb2253c32f3b45291916050f705af41e |
memory/2320-140-0x00000000022D0000-0x0000000002621000-memory.dmp
memory/2320-111-0x00000000022D0000-0x0000000002621000-memory.dmp
memory/2320-109-0x00000000022D0000-0x0000000002621000-memory.dmp
C:\Windows\system\ndcMFbn.exe
| MD5 | f640cc207e6cfa229aa6aca1a7d30c91 |
| SHA1 | 573d4067441a2555178bd87e99b8e95e4084e455 |
| SHA256 | f336e04cf14c5126bd36ce28611d73c6adb8e83101dd3c3ad296645c3afccb03 |
| SHA512 | 78b7c4d959e5ccbcf1e00332370b0b9c78e0aed6f4ad6298ce405ce4bbc3fea4a9d3274fa06717fe27a6f78bedb032eb2bb5f3937600c8c11f63a54dc1c30a8d |
memory/2320-107-0x00000000022D0000-0x0000000002621000-memory.dmp
memory/2440-95-0x000000013F250000-0x000000013F5A1000-memory.dmp
memory/2320-91-0x000000013F250000-0x000000013F5A1000-memory.dmp
memory/2936-90-0x000000013F490000-0x000000013F7E1000-memory.dmp
memory/2760-85-0x000000013FD90000-0x00000001400E1000-memory.dmp
memory/2320-141-0x00000000022D0000-0x0000000002621000-memory.dmp
memory/2664-83-0x000000013F2C0000-0x000000013F611000-memory.dmp
memory/2320-82-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/2320-79-0x000000013F2C0000-0x000000013F611000-memory.dmp
C:\Windows\system\DnoeiQa.exe
| MD5 | d72187433cbbe4389623c096738eec96 |
| SHA1 | 5e2014733bd71926a57b2bde1a69642e2784d077 |
| SHA256 | 99589e6ab6115eecfb8d0968c90383665756c66736ac484767a59f7bd66e86f0 |
| SHA512 | fa0700cdc72ff6b893d627580ea9042846c578ab94a48949ad06d27a827b7bf2fcee3ebb774f732276af9a650191767d53ced078abbb41d536126caf0ccfae0a |
memory/2960-76-0x000000013FC90000-0x000000013FFE1000-memory.dmp
memory/2320-142-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/2320-143-0x000000013FE30000-0x0000000140181000-memory.dmp
memory/2616-150-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/2320-153-0x000000013F250000-0x000000013F5A1000-memory.dmp
memory/2440-154-0x000000013F250000-0x000000013F5A1000-memory.dmp
memory/2320-155-0x00000000022D0000-0x0000000002621000-memory.dmp
memory/2712-162-0x000000013FC00000-0x000000013FF51000-memory.dmp
memory/1908-163-0x000000013FFD0000-0x0000000140321000-memory.dmp
memory/2980-167-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/1964-168-0x000000013F860000-0x000000013FBB1000-memory.dmp
memory/2096-165-0x000000013F1D0000-0x000000013F521000-memory.dmp
memory/2840-164-0x000000013F760000-0x000000013FAB1000-memory.dmp
memory/848-161-0x000000013FB50000-0x000000013FEA1000-memory.dmp
memory/2056-166-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/2320-169-0x000000013FE30000-0x0000000140181000-memory.dmp
memory/2572-220-0x000000013FA20000-0x000000013FD71000-memory.dmp
memory/2080-222-0x000000013F930000-0x000000013FC81000-memory.dmp
memory/2304-225-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/1924-226-0x000000013F660000-0x000000013F9B1000-memory.dmp
memory/3048-228-0x000000013FB90000-0x000000013FEE1000-memory.dmp
memory/1800-233-0x000000013FF50000-0x00000001402A1000-memory.dmp
memory/2728-235-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/2936-237-0x000000013F490000-0x000000013F7E1000-memory.dmp
memory/2960-247-0x000000013FC90000-0x000000013FFE1000-memory.dmp
memory/2664-251-0x000000013F2C0000-0x000000013F611000-memory.dmp
memory/2760-250-0x000000013FD90000-0x00000001400E1000-memory.dmp
memory/2440-253-0x000000013F250000-0x000000013F5A1000-memory.dmp
memory/2616-255-0x000000013F290000-0x000000013F5E1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 06:44
Reported
2024-10-27 06:46
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
153s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits; no description, indicator, process or target was captured for them.
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
49 hits; no description, indicator, process or target was captured for them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\eTJKjae.exe | N/A |
| N/A | N/A | C:\Windows\System\caSuaKT.exe | N/A |
| N/A | N/A | C:\Windows\System\rfCzoOT.exe | N/A |
| N/A | N/A | C:\Windows\System\lMqZzWH.exe | N/A |
| N/A | N/A | C:\Windows\System\LnIKSLG.exe | N/A |
| N/A | N/A | C:\Windows\System\WOiOpCo.exe | N/A |
| N/A | N/A | C:\Windows\System\TOSEumu.exe | N/A |
| N/A | N/A | C:\Windows\System\wRLLqvx.exe | N/A |
| N/A | N/A | C:\Windows\System\fwHusQD.exe | N/A |
| N/A | N/A | C:\Windows\System\uXfDJcJ.exe | N/A |
| N/A | N/A | C:\Windows\System\KgowPDD.exe | N/A |
| N/A | N/A | C:\Windows\System\nljyViO.exe | N/A |
| N/A | N/A | C:\Windows\System\NSpspFa.exe | N/A |
| N/A | N/A | C:\Windows\System\EorhFsS.exe | N/A |
| N/A | N/A | C:\Windows\System\cFixHKi.exe | N/A |
| N/A | N/A | C:\Windows\System\LUUIHhr.exe | N/A |
| N/A | N/A | C:\Windows\System\omCaskv.exe | N/A |
| N/A | N/A | C:\Windows\System\JRZOHUQ.exe | N/A |
| N/A | N/A | C:\Windows\System\hMMTHJU.exe | N/A |
| N/A | N/A | C:\Windows\System\HeZGVNK.exe | N/A |
| N/A | N/A | C:\Windows\System\LSTzAbh.exe | N/A |
UPX packed file
64 hits; no description, indicator, process or target was captured for them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-27_d1b1378f02ba6a988d970e2a7bc1d661_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\eTJKjae.exe
C:\Windows\System\eTJKjae.exe
C:\Windows\System\caSuaKT.exe
C:\Windows\System\caSuaKT.exe
C:\Windows\System\rfCzoOT.exe
C:\Windows\System\rfCzoOT.exe
C:\Windows\System\lMqZzWH.exe
C:\Windows\System\lMqZzWH.exe
C:\Windows\System\LnIKSLG.exe
C:\Windows\System\LnIKSLG.exe
C:\Windows\System\WOiOpCo.exe
C:\Windows\System\WOiOpCo.exe
C:\Windows\System\TOSEumu.exe
C:\Windows\System\TOSEumu.exe
C:\Windows\System\wRLLqvx.exe
C:\Windows\System\wRLLqvx.exe
C:\Windows\System\fwHusQD.exe
C:\Windows\System\fwHusQD.exe
C:\Windows\System\uXfDJcJ.exe
C:\Windows\System\uXfDJcJ.exe
C:\Windows\System\KgowPDD.exe
C:\Windows\System\KgowPDD.exe
C:\Windows\System\nljyViO.exe
C:\Windows\System\nljyViO.exe
C:\Windows\System\NSpspFa.exe
C:\Windows\System\NSpspFa.exe
C:\Windows\System\EorhFsS.exe
C:\Windows\System\EorhFsS.exe
C:\Windows\System\cFixHKi.exe
C:\Windows\System\cFixHKi.exe
C:\Windows\System\LUUIHhr.exe
C:\Windows\System\LUUIHhr.exe
C:\Windows\System\omCaskv.exe
C:\Windows\System\omCaskv.exe
C:\Windows\System\JRZOHUQ.exe
C:\Windows\System\JRZOHUQ.exe
C:\Windows\System\hMMTHJU.exe
C:\Windows\System\hMMTHJU.exe
C:\Windows\System\HeZGVNK.exe
C:\Windows\System\HeZGVNK.exe
C:\Windows\System\LSTzAbh.exe
C:\Windows\System\LSTzAbh.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
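The Win10 table mixes the sample's traffic with the guest's own background activity (reverse lookups of Microsoft address space, the bing.net content fetches). The only endpoint present in both detonations is the direct-to-IP TCP connection to 3.120.209.58:8080, with no preceding DNS lookup. The script below is an added example, not part of the report, showing the cross-run intersection an analyst does by hand: rows are copied from the two tables above (already aligned to the header, and not all rows are repeated), and the list of suffixes treated as guest noise is an assumption of this example, not a statement the report makes.

```python
from collections import Counter

# Rows copied from this report's two Network tables (Country | Destination | Domain | Proto).
WIN7_ROWS = """
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
"""
WIN10_ROWS = """
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
"""

# Assumed background traffic of the sandbox guest itself (reverse lookups, Windows 10
# content delivery). This is an analyst choice for the example, not a finding of the report.
NOISE_DOMAINS = (".in-addr.arpa", ".bing.net")


def parse_rows(text):
    """Parse pipe-delimited rows into dicts; a row without four cells is rejected."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            raise ValueError(f"malformed row: {line!r}")
        country, dest, domain, proto = cells
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto})
    return rows


def _key(row):
    return (row["dest"], row["domain"], row["proto"])


def candidate_c2(run_a, run_b):
    """Endpoints contacted in both detonations that are not known guest noise."""
    a = Counter(_key(r) for r in run_a)
    b = Counter(_key(r) for r in run_b)
    out = []
    for k in a.keys() & b.keys():
        dest, domain, proto = k
        if any(domain.endswith(sfx) for sfx in NOISE_DOMAINS):
            continue
        out.append({"dest": dest, "domain": domain, "proto": proto,
                    "hits": a[k] + b[k],
                    # An empty Domain column means the connection went straight to an IP.
                    "direct_to_ip": domain == ""})
    return sorted(out, key=lambda r: -r["hits"])


def run_specific(run, other):
    """Endpoints seen in only one detonation; for this sample they are all guest noise."""
    others = {_key(r) for r in other}
    return sorted({_key(r) for r in run} - others)


if __name__ == "__main__":
    win7, win10 = parse_rows(WIN7_ROWS), parse_rows(WIN10_ROWS)
    for c in candidate_c2(win7, win10):
        print("candidate C2:", c)
    for k in run_specific(win10, win7):
        print("win10 only:", k)
```

The intersection is the cheap first cut; a destination that survives it and is contacted by bare IP on a non-standard port is the row to carry into egress filtering and retrospective NetFlow searches.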
Files
memory/4232-0-0x00007FF7E9580000-0x00007FF7E98D1000-memory.dmp
memory/4232-1-0x000001A703060000-0x000001A703070000-memory.dmp
C:\Windows\System\eTJKjae.exe
| MD5 | af6ade01546970237fb6412937110730 |
| SHA1 | a6244651a78c862d452294e1ef69ed9920a85ee1 |
| SHA256 | 75204497a3f48159ce480e7edd98b88447606e64b558b21e5dae8589d8239ec9 |
| SHA512 | 6f85ee2c86639b60c22319b91c4cb81fef3b1eb56d1edc5a53ebf6be15d1191e94ae70c0fc86c3f652afef41b313eb5ad20fb0b3000813d73054e8476cd397c0 |
memory/2660-8-0x00007FF71A530000-0x00007FF71A881000-memory.dmp
C:\Windows\System\caSuaKT.exe
| MD5 | 188a80ecf98ace53cdbbc0700992e33d |
| SHA1 | d6ab1327faf60f57b18b25545e33d02b0afe21c8 |
| SHA256 | b5e8bcb41a7d70aa30c39e3032bfa2f5baf2f5cba0461be299e647b60e056c0a |
| SHA512 | 3ce261ed9d09396cf7b2153db0e3684d874e5272a110b4b06d73baabd5e4164ad3d2c2ff75618b407a3ab88fd8f0c74e2b206426dc4aa384300e0d235d737fc5 |
memory/4116-17-0x00007FF69BE50000-0x00007FF69C1A1000-memory.dmp
C:\Windows\System\rfCzoOT.exe
| MD5 | 8f4fcc97a3d28f623f2255d32fd36665 |
| SHA1 | 4acddd906f5bd94b314d7e6105397f49425a3c9f |
| SHA256 | d50358feed4d6902fe3036450f8233759a3ec879f55b2dc0f6eb26be8feebd28 |
| SHA512 | 5f0c77e6bef0080d222902a9ea2733831cd4bdce171736232b29dcd4e4c4a3442641e727a35fda67df1c52b0f0cc1e9b618e6c0f4313c145ada39eb10a0b32d9 |
C:\Windows\System\lMqZzWH.exe
| MD5 | c5b8ea1f4c44e11b5a9b230e7d141dcd |
| SHA1 | 2e84a37d9df036d0c38a44867b37990f29ffe532 |
| SHA256 | bafadf1b2955106832f4fa84143390a7fb937b547f8c6297cea02c2d303ad5f5 |
| SHA512 | 69f06fa801f8914aadb2f8e90aa1a8f4c1a69f98dc7b9a7b2513f5de2e9715324b9546dfb6d4d3b6774f76092da076a309508ee005c3984dbe7689b8a7abe794 |
memory/3016-27-0x00007FF7ABC20000-0x00007FF7ABF71000-memory.dmp
memory/4064-29-0x00007FF62EB30000-0x00007FF62EE81000-memory.dmp
C:\Windows\System\WOiOpCo.exe
| MD5 | 61706d96cdc7ecac81a0b6ead9f2cf83 |
| SHA1 | daa3ee5b5e2a46fa5ad9c9eaf7f13b1fd757105c |
| SHA256 | 2bebc59fd9dd16a5cf539bb5d717ed95603d27bec59abc19211582451b6e346a |
| SHA512 | 30855b477bf77bb48d46f42109feaf94726f278aabd76cbd06fb8810f9a6975726fe0081219bf8ad2735aa5e5cb7845963c3462bda946207f47c7851d6da28c0 |
C:\Windows\System\TOSEumu.exe
| MD5 | 6978241ab22a6163026f28138f7ab81a |
| SHA1 | 6c2e15b7b1b068d4a6221d6991a1e7e062f7707f |
| SHA256 | 5776031cda5eded2eff4a0c83a1fa47ebd1fafe5d120e2fc24c7c1b4db3d889b |
| SHA512 | a67dbe202ed7466e0e4ef8b9cf1d88ded57acf47be77baf2096e4e7233a0b60f65eaaba1288faf78ddf42dc978528bb2bfcd9ba7a66f2be8f66cd0967e9620b8 |
memory/1272-55-0x00007FF683060000-0x00007FF6833B1000-memory.dmp
memory/4232-71-0x00007FF7E9580000-0x00007FF7E98D1000-memory.dmp
C:\Windows\System\NSpspFa.exe
| MD5 | 56b61729e58617b403f15a051b3a569f |
| SHA1 | 02b807440ad41a387db057f43edbd4931f2ac62c |
| SHA256 | 2d1a04532a31039d63f0a9d4cd2b8437614a822a401997dd56fcf7733b5717f2 |
| SHA512 | 601a3fd4eff16e893da265676973c0194d4527459c8bc93347d50904be8b17a301dda53486286d34e1fcef6c73d3e2880bcdf13c730088f5fbd9ceee18572adf |
C:\Windows\System\JRZOHUQ.exe
| MD5 | 8850f5d5d50b724ac02eaa1cf898460f |
| SHA1 | 6e555dd8a79b895479752a83db7fd7ed7dd2da5c |
| SHA256 | b9471ad9ce6379e01967c6fb7fc019d67f51c2ac52944aa1016f8d8d38098efb |
| SHA512 | e8382fe0347442cf423948e07dc30e3c6adf6da69851146337b733550bbe6ecc87fa7b017f267c8d8b25909b72a54f05da8500fd4d8f198e43f0f7377066746b |
C:\Windows\System\LUUIHhr.exe
| MD5 | 925602a9d3ead9e366a404336f3185cf |
| SHA1 | bdbae2e2ccf6dfa65c9f6b5f50f5c8c63036a9e7 |
| SHA256 | 362b6d2d60742ac9c91efad72e12574f69b6823aac099af1e9101f1b71f9d262 |
| SHA512 | 32495e25d3a0977254da9888a4160e777f6b0c3182199eae93ee2d4dba707eada006384c902dbcf13581214f73aa48c1ecb1e948d79ab6020e6a7de7c6e5db32 |
memory/468-109-0x00007FF6E1880000-0x00007FF6E1BD1000-memory.dmp
C:\Windows\System\omCaskv.exe
| MD5 | 886b926a87ec9e9f23b921798a21babc |
| SHA1 | 6e4dfd1f0e4a07f21a86704667f5cdd121d32815 |
| SHA256 | bdf8037f6adc59c73daa00a8154f90d51f82536c9476def86ed2dd8e7db0260c |
| SHA512 | ba8ccafb0176723f359d7f62b917c2718b0b92b83fe4e24db88a19a35115dacc45116506f9d790212b1c6f275b9de472399f8bde5dd49cd78a932b88c8cf406d |
memory/5040-105-0x00007FF771760000-0x00007FF771AB1000-memory.dmp
memory/4116-104-0x00007FF69BE50000-0x00007FF69C1A1000-memory.dmp
memory/2660-103-0x00007FF71A530000-0x00007FF71A881000-memory.dmp
memory/4448-102-0x00007FF6A4E00000-0x00007FF6A5151000-memory.dmp
memory/1316-101-0x00007FF61F5C0000-0x00007FF61F911000-memory.dmp
memory/2860-99-0x00007FF6861E0000-0x00007FF686531000-memory.dmp
memory/2980-98-0x00007FF67EA30000-0x00007FF67ED81000-memory.dmp
C:\Windows\System\EorhFsS.exe
| MD5 | d635b33c67eaf598e4ff9b27281e5cdf |
| SHA1 | 15132dd008e21cff75eb273461f9bb1aa684e1da |
| SHA256 | d5731cf0ed4273ed7b5f2468f37ac60fb2b12cbb844bb274f5234d1cbf4bbcc9 |
| SHA512 | 394a3ea82714d6553e972c748c3053eb200697342adb431c504d1114aadea605772d26a5c1036746e36a7f0ec29d91b6bb03ccf15054238fca447d1d36d892c7 |
memory/4124-87-0x00007FF631D00000-0x00007FF632051000-memory.dmp
C:\Windows\System\cFixHKi.exe
| MD5 | 9205cc1f4be3d5eeebfc497852bed321 |
| SHA1 | ec513fad660440e1cd970be14058b84735164ea9 |
| SHA256 | 8268910baaea6d069683975da0f566c3b8061f305db23cfa3711ba882078da72 |
| SHA512 | bf8d680d4ece284e7b7b94bbf659ec36b2c4743aad1f4484e481e47da284de7920523962062c54f8d60beb46db108c6ea624f03edb997203d34c0d85c0d7dbb8 |
C:\Windows\System\nljyViO.exe
| MD5 | cf527c2a434065cf984df8e93027857b |
| SHA1 | cae80891491f40c458b224b4cb827581bcc984be |
| SHA256 | 57106d90214c028d751969b7355cca45a4010eae9ab99338d27a365b459f951a |
| SHA512 | c499aa20ab5d5463e7223d23b06f6e93adec1315c443cdea0fec86435c96ad4c36256e2cdcf493558d1c5404b6afbd69b344681e9990dc7208a3e5be05c4427f |
memory/3592-80-0x00007FF689890000-0x00007FF689BE1000-memory.dmp
C:\Windows\System\KgowPDD.exe
| MD5 | 3229ba6c46608ed83f496fa329f7bec6 |
| SHA1 | ffe9b3b34a90aa1102933f3a392bcd7c2476e2a6 |
| SHA256 | 00f31e8fe142258dce08614601e4f24aed57e50209cbcba2c5d7b9ae1601377f |
| SHA512 | ed711da86039a94329336087ab906f1b062522fb6c8c34282e38e55de6e36a7f1be4f1a8812af39de62e76a193715c7dd2fabea21fb317b4e06bada33d09dc06 |
C:\Windows\System\uXfDJcJ.exe
| MD5 | 2220adb418f76484378d42aabb9f3e9a |
| SHA1 | 257b802efe1a332bc082cdf996a1ea53a079cd3f |
| SHA256 | 1f6c8b389e84e1ae0c855ee0207924346625e2c6c32fe3b751c735f81ffa06b4 |
| SHA512 | e8ff13f457aaebcfabdd5ede33dedd0209043a0e50f59f9c4f045702a5203a9b2a64e62394ac11d37dd3fa56ef2f4f969d184110f221ac3923e7c3b9904ec92f |
C:\Windows\System\fwHusQD.exe
| MD5 | e0dfa4ad43ed0aeafbb444f74d4618da |
| SHA1 | 769f15fef0c6452ea35b6eea0721f2386741778b |
| SHA256 | af509f84790740402ef491b83e30ca3121dbdd76fd400ff8a38006b984aeda45 |
| SHA512 | c0de574a78e20e9efd752ea16254f45e23af7e1b2c16cc2599277e9a226e37a3cd6b9892f3c4538019c19916454941f505e6c658707577e2cc99e13bd6218cf4 |
C:\Windows\System\wRLLqvx.exe
| MD5 | a75f5bbde698aeb4a98dba83c490b0bf |
| SHA1 | 6f0288bb1edadf9a75953a291bcc840e29b386b8 |
| SHA256 | bdd8870abd6550e1cb88da9c0debc97ad15fde689fa636c017892180d48fe3fd |
| SHA512 | 0590e0c51b935e0d16058aa971a7e30e60afd6853ed75d9b289941131b99ecb1c13808e0fc7a0beb563f1e96593475609d7f1b74b8d8d670dab34f8d6f23b4e2 |
memory/2948-56-0x00007FF62DF20000-0x00007FF62E271000-memory.dmp
memory/2192-53-0x00007FF6A6BB0000-0x00007FF6A6F01000-memory.dmp
memory/1848-41-0x00007FF7D36D0000-0x00007FF7D3A21000-memory.dmp
memory/2640-37-0x00007FF6B9DC0000-0x00007FF6BA111000-memory.dmp
C:\Windows\System\LnIKSLG.exe
| MD5 | c6e95377072358030e1c9ec11ae3b4ff |
| SHA1 | 040a012a25fc978c9fbc5ab6870ca8ea1d63fb4f |
| SHA256 | 842dfb0bcdc0f03f1bd7709778fdc5268eff3026bfd51e8f041984bb38ccb289 |
| SHA512 | 311bd9b95bb878723a4cf3d853d4fd55f686b59729e0b9552206191262611f3faf0e70fa7f1b77a951ddcfaf2f88159e171ab1f37fcdabb24622a8b553c70435 |
memory/2008-19-0x00007FF7A5EF0000-0x00007FF7A6241000-memory.dmp
C:\Windows\System\hMMTHJU.exe
| MD5 | f3020f3fa78d1a28d9de72da3c4bc563 |
| SHA1 | affecacaa25493e1c18a2d97009c099569f04003 |
| SHA256 | f09b8a2e7367fb2fd2e7cb6ce6658f84e8993f3b8cf941437fd9adc1013082cc |
| SHA512 | ee46a106f584b138fcd9cee6227eefedff34f042e2d79a1189953f57b747f2214142f5f7aa341b422f28f72d3d53e9f6ebddc79ceabdcb1cbb00b5b40b48bdc1 |
memory/2008-119-0x00007FF7A5EF0000-0x00007FF7A6241000-memory.dmp
C:\Windows\System\HeZGVNK.exe
| MD5 | 5ae99ebac97340823a9790e5fef8c38b |
| SHA1 | 47aad008c47850d6006e64cf8b0a68640ff2b616 |
| SHA256 | df111c848b3e1d38f128ee51f12452b0317ff8f6c1a1cefc9d1fd79c052a616a |
| SHA512 | 6cce6e420970b3152d6c795d78819a311fa1311ab02838b6c784c7714444425584474cf25665986690653fd41cbadceb6e77c1a99702e9776aa7a5f7a36b33df |
C:\Windows\System\LSTzAbh.exe
| MD5 | ceaeb28848711d83ca3b8b4414839e40 |
| SHA1 | 93a0d970f23918d444cf722c560c10dd3cfce232 |
| SHA256 | 1cf3b4539dcbff47aaf39000d12e133e279e45d871f2ea6a76f282291121c735 |
| SHA512 | aad28cd5c7014f7e0a444257355e90e4c150c708257301cb99af3001b1f35ae9510d06074853e79c0d1386abbc9976db9b4bc45ef7dc2f93522c231e13dde3c9 |
memory/1760-133-0x00007FF680D00000-0x00007FF681051000-memory.dmp
memory/4064-130-0x00007FF62EB30000-0x00007FF62EE81000-memory.dmp
memory/4092-129-0x00007FF6B6920000-0x00007FF6B6C71000-memory.dmp
memory/2824-125-0x00007FF632490000-0x00007FF6327E1000-memory.dmp
memory/3016-122-0x00007FF7ABC20000-0x00007FF7ABF71000-memory.dmp
memory/2192-142-0x00007FF6A6BB0000-0x00007FF6A6F01000-memory.dmp
memory/2640-145-0x00007FF6B9DC0000-0x00007FF6BA111000-memory.dmp
memory/2948-144-0x00007FF62DF20000-0x00007FF62E271000-memory.dmp
memory/1848-141-0x00007FF7D36D0000-0x00007FF7D3A21000-memory.dmp
memory/4232-134-0x00007FF7E9580000-0x00007FF7E98D1000-memory.dmp
memory/1272-143-0x00007FF683060000-0x00007FF6833B1000-memory.dmp
memory/4124-147-0x00007FF631D00000-0x00007FF632051000-memory.dmp
memory/468-153-0x00007FF6E1880000-0x00007FF6E1BD1000-memory.dmp
memory/4448-152-0x00007FF6A4E00000-0x00007FF6A5151000-memory.dmp
memory/1316-151-0x00007FF61F5C0000-0x00007FF61F911000-memory.dmp
memory/3592-146-0x00007FF689890000-0x00007FF689BE1000-memory.dmp
memory/4092-154-0x00007FF6B6920000-0x00007FF6B6C71000-memory.dmp
memory/1760-159-0x00007FF680D00000-0x00007FF681051000-memory.dmp
memory/4232-155-0x00007FF7E9580000-0x00007FF7E98D1000-memory.dmp
memory/4232-178-0x00007FF7E9580000-0x00007FF7E98D1000-memory.dmp
memory/2660-221-0x00007FF71A530000-0x00007FF71A881000-memory.dmp
memory/4116-223-0x00007FF69BE50000-0x00007FF69C1A1000-memory.dmp
memory/2008-225-0x00007FF7A5EF0000-0x00007FF7A6241000-memory.dmp
memory/4064-228-0x00007FF62EB30000-0x00007FF62EE81000-memory.dmp
memory/3016-229-0x00007FF7ABC20000-0x00007FF7ABF71000-memory.dmp
memory/2640-232-0x00007FF6B9DC0000-0x00007FF6BA111000-memory.dmp
memory/1848-233-0x00007FF7D36D0000-0x00007FF7D3A21000-memory.dmp
memory/1272-237-0x00007FF683060000-0x00007FF6833B1000-memory.dmp
memory/2192-236-0x00007FF6A6BB0000-0x00007FF6A6F01000-memory.dmp
memory/2948-239-0x00007FF62DF20000-0x00007FF62E271000-memory.dmp
memory/3592-243-0x00007FF689890000-0x00007FF689BE1000-memory.dmp
memory/2860-245-0x00007FF6861E0000-0x00007FF686531000-memory.dmp
memory/2980-247-0x00007FF67EA30000-0x00007FF67ED81000-memory.dmp
memory/4124-250-0x00007FF631D00000-0x00007FF632051000-memory.dmp
memory/5040-251-0x00007FF771760000-0x00007FF771AB1000-memory.dmp
memory/1316-253-0x00007FF61F5C0000-0x00007FF61F911000-memory.dmp
memory/4448-255-0x00007FF6A4E00000-0x00007FF6A5151000-memory.dmp
memory/468-257-0x00007FF6E1880000-0x00007FF6E1BD1000-memory.dmp
memory/2824-263-0x00007FF632490000-0x00007FF6327E1000-memory.dmp
memory/4092-265-0x00007FF6B6920000-0x00007FF6B6C71000-memory.dmp
memory/1760-267-0x00007FF680D00000-0x00007FF681051000-memory.dmp
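The dropped-file and memory-dump entries above are the actionable part of this report, and a quick way to sanity-check them is to parse the listing rather than read it by eye. The script below is an added example (not part of the original report and not the sandbox vendor's tooling): it reads the `C:\Windows\System\<name>.exe` paths with their hash rows and the `memory/<pid>-<seq>-<start>-<end>-memory.dmp` entries, checks that every recorded digest has the right length for its algorithm, groups dumped regions by PID, and looks a local file up by SHA256 against the parsed set. `REPORT_LINES` is a subset copied from the lines on this page; the file hashed by `demo_match()` is constructed benign content so the example runs offline and, as expected, produces no match.

```python
"""Triage helper for the dropped-file / memory-dump listing above.

Added example, not part of the original report or of the sandbox's own tooling.
REPORT_LINES is a subset copied from this page; the file used by demo_match() is
constructed here so the script runs offline.
"""
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# Subset of the report lines on this page (raw string: the paths contain backslashes).
REPORT_LINES = r"""
C:\Windows\System\TOSEumu.exe
| MD5 | 6978241ab22a6163026f28138f7ab81a |
| SHA1 | 6c2e15b7b1b068d4a6221d6991a1e7e062f7707f |
| SHA256 | 5776031cda5eded2eff4a0c83a1fa47ebd1fafe5d120e2fc24c7c1b4db3d889b |
memory/1272-55-0x00007FF683060000-0x00007FF6833B1000-memory.dmp
memory/4232-71-0x00007FF7E9580000-0x00007FF7E98D1000-memory.dmp
C:\Windows\System\NSpspFa.exe
| MD5 | 56b61729e58617b403f15a051b3a569f |
| SHA256 | 2d1a04532a31039d63f0a9d4cd2b8437614a822a401997dd56fcf7733b5717f2 |
memory/2008-19-0x00007FF7A5EF0000-0x00007FF7A6241000-memory.dmp
memory/4232-134-0x00007FF7E9580000-0x00007FF7E98D1000-memory.dmp
memory/2008-119-0x00007FF7A5EF0000-0x00007FF7A6241000-memory.dmp
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.(?:exe|dll)$", re.IGNORECASE)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_report(text):
    """Return ({path: {algo: hexdigest}}, [(pid, seq, start, end), ...])."""
    files, regions, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = line                 # hash rows that follow belong to this file
            files.setdefault(current, {})
        elif (m := HASH_RE.match(line)) and current is not None:
            files[current][m.group(1)] = m.group(2).lower()
        elif m := MEM_RE.match(line):
            pid, seq, start, end = m.groups()
            regions.append((int(pid), int(seq), int(start, 16), int(end, 16)))
    return files, regions


def validate_digests(files):
    """Flag digests whose length does not fit the algorithm (truncated copy/paste)."""
    return [(p, a) for p, d in files.items() for a, h in d.items() if len(h) != DIGEST_LEN[a]]


def region_summary(regions):
    """Group dumped regions by PID; repeated dumps of one (start, end) count as one mapping."""
    by_pid = defaultdict(set)
    for pid, _seq, start, end in regions:
        by_pid[pid].add((start, end))
    sizes = {end - start for spans in by_pid.values() for start, end in spans}
    return {"pids": sorted(by_pid), "distinct_sizes": sorted(sizes)}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def match_file(path, files):
    """Report entries whose recorded SHA256 equals the SHA256 of the file at `path`."""
    digest = sha256_of(path)
    return [p for p, d in files.items() if d.get("SHA256") == digest]


def demo_match():
    """Hash a constructed benign file and look it up: expected result is no match."""
    files, _ = parse_report(REPORT_LINES)
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"constructed benign content, not one of the dropped files\n")
        name = tmp.name
    try:
        return match_file(name, files)
    finally:
        os.unlink(name)


if __name__ == "__main__":
    files, regions = parse_report(REPORT_LINES)
    print("bad digests:", validate_digests(files))
    summary = region_summary(regions)
    print("PIDs with dumps:", summary["pids"])
    print("distinct region sizes:", [hex(s) for s in summary["distinct_sizes"]])
    print("match on a constructed benign file:", demo_match())
```

Run against the full listing, `region_summary` reports a single size, 0x351000 bytes, for every dumped region (for instance 0x00007FF6833B1000 - 0x00007FF683060000), spread over roughly two dozen PIDs at different base addresses. The same PID reappearing under several sequence numbers (4232 at 71, 134, 155 and 178) is the sandbox re-dumping one mapping over time, not additional mappings, which is why the summary keys on (start, end) rather than on sequence number. To hunt on a host, point `match_file` at files under `C:\Windows\System` and compare against the parsed SHA256 set rather than against the random seven-character file names, which the dropper can vary freely.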