Analysis Overview
SHA256
1779f5062e13aa3ea7ea63d70f7b6f72ba2f75347f1b745e24be4550d64a9ed8
Threat Level: Known bad
The file 2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
xmrig
Xmrig family
Cobaltstrike
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-09 15:22
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 15:22
Reported
2024-11-09 15:24
Platform
win7-20240708-en
Max time kernel
140s
Max time network
143s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\IDpGLKC.exe | N/A |
| N/A | N/A | C:\Windows\System\SwbzUPU.exe | N/A |
| N/A | N/A | C:\Windows\System\dNWTGpi.exe | N/A |
| N/A | N/A | C:\Windows\System\bKukUms.exe | N/A |
| N/A | N/A | C:\Windows\System\FJaXWnG.exe | N/A |
| N/A | N/A | C:\Windows\System\uoKxvSW.exe | N/A |
| N/A | N/A | C:\Windows\System\HvEySNn.exe | N/A |
| N/A | N/A | C:\Windows\System\McumCBW.exe | N/A |
| N/A | N/A | C:\Windows\System\PLnCbpJ.exe | N/A |
| N/A | N/A | C:\Windows\System\wedVZRx.exe | N/A |
| N/A | N/A | C:\Windows\System\aMnewsV.exe | N/A |
| N/A | N/A | C:\Windows\System\aDGJuqI.exe | N/A |
| N/A | N/A | C:\Windows\System\TIoeqvN.exe | N/A |
| N/A | N/A | C:\Windows\System\dxMJMTi.exe | N/A |
| N/A | N/A | C:\Windows\System\OEwvBPs.exe | N/A |
| N/A | N/A | C:\Windows\System\OEUASsz.exe | N/A |
| N/A | N/A | C:\Windows\System\YyxcBlu.exe | N/A |
| N/A | N/A | C:\Windows\System\vzwBHbX.exe | N/A |
| N/A | N/A | C:\Windows\System\NkILxiL.exe | N/A |
| N/A | N/A | C:\Windows\System\HkdCARn.exe | N/A |
| N/A | N/A | C:\Windows\System\SCvVvum.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\IDpGLKC.exe
C:\Windows\System\IDpGLKC.exe
C:\Windows\System\SwbzUPU.exe
C:\Windows\System\SwbzUPU.exe
C:\Windows\System\dNWTGpi.exe
C:\Windows\System\dNWTGpi.exe
C:\Windows\System\bKukUms.exe
C:\Windows\System\bKukUms.exe
C:\Windows\System\FJaXWnG.exe
C:\Windows\System\FJaXWnG.exe
C:\Windows\System\uoKxvSW.exe
C:\Windows\System\uoKxvSW.exe
C:\Windows\System\HvEySNn.exe
C:\Windows\System\HvEySNn.exe
C:\Windows\System\McumCBW.exe
C:\Windows\System\McumCBW.exe
C:\Windows\System\PLnCbpJ.exe
C:\Windows\System\PLnCbpJ.exe
C:\Windows\System\wedVZRx.exe
C:\Windows\System\wedVZRx.exe
C:\Windows\System\aMnewsV.exe
C:\Windows\System\aMnewsV.exe
C:\Windows\System\aDGJuqI.exe
C:\Windows\System\aDGJuqI.exe
C:\Windows\System\TIoeqvN.exe
C:\Windows\System\TIoeqvN.exe
C:\Windows\System\dxMJMTi.exe
C:\Windows\System\dxMJMTi.exe
C:\Windows\System\OEwvBPs.exe
C:\Windows\System\OEwvBPs.exe
C:\Windows\System\OEUASsz.exe
C:\Windows\System\OEUASsz.exe
C:\Windows\System\YyxcBlu.exe
C:\Windows\System\YyxcBlu.exe
C:\Windows\System\vzwBHbX.exe
C:\Windows\System\vzwBHbX.exe
C:\Windows\System\NkILxiL.exe
C:\Windows\System\NkILxiL.exe
C:\Windows\System\HkdCARn.exe
C:\Windows\System\HkdCARn.exe
C:\Windows\System\SCvVvum.exe
C:\Windows\System\SCvVvum.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2356-0-0x000000013F1B0000-0x000000013F501000-memory.dmp
memory/2356-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\IDpGLKC.exe
| MD5 | 5599940dcca3d471d5b6bf520dcf7e67 |
| SHA1 | 17dd9c68ea71e4d4632fd25aa6f890d017ff4667 |
| SHA256 | 899bfecf74e0ba939f81b734f547611a3bf8625f63ab2d19041f6cb4d087b342 |
| SHA512 | dad4cf70819526cd00671a771cd473e9fd428ff925ee749b03a889628f3f82f9e1fc888d38793876a1351e6ec1bf0abd2ffd46adea8d918362f450e3a717fa73 |
C:\Windows\system\SwbzUPU.exe
| MD5 | f947824e44b51cac2b1790391514db0c |
| SHA1 | 113b1a6467ea360d8623271dc55aa82813e3ea60 |
| SHA256 | b0f45c700a21bf5ff8fd3f9f628909d7120fe8436f1ed1dbb0ed329ad6ac56ea |
| SHA512 | 825bf2bea952808202282f5de5165e6b821c47d539499a167f25768e64d30684861bf906461b4390161e666ccee4c90c6b09b91f2cdf3adbbb11fb66071afafb |
\Windows\system\dNWTGpi.exe
| MD5 | 9b17f7b119c8622e44dcd15d27c175b2 |
| SHA1 | 3621ff705882466768b33ddaff46b1f5594645f6 |
| SHA256 | 311ea20eb01a3df22efa7d668c4e99ba7b51f84a1141c9dbed2e6029e1811b9e |
| SHA512 | 80906e232b44fe40f5e55fc772d44236326d04c03ef0a8bcb2d61b0be02c2433c01d90751c20cf2a4f5adbccef3a4a1d9ca789f2595c0435bd8ff8e5b5a30d24 |
\Windows\system\bKukUms.exe
| MD5 | 432c26aeffe8af28bf7145e1e56a1f17 |
| SHA1 | 181c4f31c22ae83593db8767418b7dc58c27cb30 |
| SHA256 | 5b1d1f4e7405fdcde3813dfa61f890f3c73ed491a539c8b9d25db1b8ddec5c92 |
| SHA512 | 63c8702fd1d23da5092b6142ffc2e5a86cef6b967cfd436c8bf0547928080470c63bc408dc800a55d095335e649d1b5aaf771dde6fe03069129673f4f9226425 |
C:\Windows\system\FJaXWnG.exe
| MD5 | 81996a5ab63caf3cb9358f39fd767765 |
| SHA1 | 15fefc58886182044b0fc920a55ef985f3c1e865 |
| SHA256 | e6a2306f722d9019bce12edff4322bf8d3bafe7677ccb8d2587d53654ce34598 |
| SHA512 | 6e7a246cfbb893cc6f196f04b82821025a8ce958ba202bf1a3e97269ad67a851e082d86baf49048c0e163fa8caf3afb55defdd5fc7682a577d6583e40c10b574 |
C:\Windows\system\uoKxvSW.exe
| MD5 | 99fe509e9b7317478d5cd5f75d4c83fb |
| SHA1 | 28352956c2f2e799c01f05344c34be19bfd90459 |
| SHA256 | cb8b051bd0dea6c6c7501738de4ea92b6a7f04285c5321ae8163f5e3a9921a2c |
| SHA512 | c61d202c5a099eea046b478ba276ec8f2ac778f96bca7f00a653998dc11458649c54c14750f4cd92c170c39ebabcdd6b51c42eafce7aa104bdaae0a967484be4 |
C:\Windows\system\HvEySNn.exe
| MD5 | 522ee1913ea2b9f0a078a7a3da3b33fd |
| SHA1 | b96bfc146531f7a4ec8762d1470bcf41e6e7d54c |
| SHA256 | 73a4d910b5277882deaf92a87fb002dce612b2b2339d8dd2df886358df0ffdf6 |
| SHA512 | e1a96ab5fa646ee9c836cd223f93aa176edaaf96c2b828ee31af7c0b0f75f7a757bb71fedb93ee9b8c4d789fa53f27065b6df39f1a700c3b76e64f1b9de08fb1 |
C:\Windows\system\McumCBW.exe
| MD5 | b9694ecc039e0f680be84e2081606afb |
| SHA1 | f80c9188084079e27c8eaeb2289788396290243e |
| SHA256 | 898119c7682c742d05669e332edbf1c82fb5f0ef49a14807ae298ae12c17b2ed |
| SHA512 | 72780d6c98ff14566d0652e9d89847d8356b3a5d39238e236cbf6e9382999b2bce6c0fc798a317396f51499f6d750c8dad1c3ccd3549dd9e672b9dc8e03541ac |
C:\Windows\system\wedVZRx.exe
| MD5 | d80dd90547fc608e63da6c794b14cfe7 |
| SHA1 | 306b400b5abfcc4b43fc7107e8f7c3565f0bdda7 |
| SHA256 | 169e5418b2dec632f022e45a5576ab71a6870946fc6e616340ca96190feda6d3 |
| SHA512 | fcc66c32bcf80b65687f2b725809810ae2c871fabe0b18daf92dec5698d649d775ad7026428d1ea08bbf9e603633794b0e98e81b834bb45c3659e10fae159f39 |
C:\Windows\system\TIoeqvN.exe
| MD5 | f9da1af59764f9f7f39e0e787a5d7aeb |
| SHA1 | f9092f35fb45d78eb91f0d238324aaba60d7b6b2 |
| SHA256 | 333007b57bcb290e18be1294a1d3a6cf2ba62ebd6857996236456ffea818d7cc |
| SHA512 | 828d434236ee1772e4d6405851768935673227fed4eaf78787d7aeefebe932d81e36a6389dd0380fd944ad28a2c0a23b9230174c1159c5c0c2e2c080d2e33bde |
C:\Windows\system\dxMJMTi.exe
| MD5 | 8ec15098f15abb59fa3141aa2acfe0b4 |
| SHA1 | 52c3877a1568936695880aa919f4e1f9def5136c |
| SHA256 | 67cb5d6937ece434e08ea2ce3e4de04cd9c1acdc2a2451a4020666adf51966b7 |
| SHA512 | 02105ed8c07196bde75b64eb94972ad84305dde295ed78cb08441c67687092a0e4ad65449b5d2d0d028d206568da4fb2eaaaab221b5f7f103e13ccbbd6f73f9c |
C:\Windows\system\OEUASsz.exe
| MD5 | c451e975b795d7088a0fac9e680602e0 |
| SHA1 | 28e1a931fdbbb96e653cbc09f72ac0e9ac6ddb8c |
| SHA256 | b572cae9079525ff318c5e032dbd1e6f3ea5451bad708e1605c757b46cf63244 |
| SHA512 | 3fa066be402587e2442faa2505f8c099b8469a6a015adbda995dfc79e02a6795bf1d9e980a1aee7590ef6cbf502a30c19113fa2d7b41999509b3044788f3c061 |
C:\Windows\system\SCvVvum.exe
| MD5 | ad1967d1a407a386476ed0b6acd6e24f |
| SHA1 | 961e3a9b42cb5052c8cfc1275af7156e2b726728 |
| SHA256 | d15934e76a7923a2b3d3a641b44241c13dc9c03c10e73d8fce4f3b8d613bfe5f |
| SHA512 | 7276f70eaeb62709a5ee45bb713eb6ed2cf560e339088a1dd218c7ac8209aec0cbd0702442933554074e6599a3a64c3485aba28a37a13c20a4b3ef7cb6b151f3 |
C:\Windows\system\HkdCARn.exe
| MD5 | f3175beba23f1c86b29b5c2db6637f58 |
| SHA1 | 3d11df98ca08bf8fe7a2f6c79d6f81ce9b274448 |
| SHA256 | fe3c0e832ca3ff0b8809d65fe3a7483ae4e8b4efbd01f74fcbd84095c1c967c4 |
| SHA512 | 9aee3fd31a1b6bcb510be4069181610347072603da37b073d3d979c11ca8fad330d81988b9646f7f861dec942ed189c8678016d708a8246e4ecb0167481d43f9 |
C:\Windows\system\NkILxiL.exe
| MD5 | 2f636cb6123e85bb785c62568fee5ba6 |
| SHA1 | bb279d151e0fb93ae90c7791e6915456ab1501d2 |
| SHA256 | 9a445f54aad952acafeacd1f16374d356dd4f8983425f3c605411178cb2e0376 |
| SHA512 | 94e19db507e068f272919760e4d6112afdac7b2e5edd55dee942e70c3e108c67e0c42d46c5804ffd2e1f22b64406de0e3ee8a21d49da8b1c63256cd744d3958b |
C:\Windows\system\vzwBHbX.exe
| MD5 | 38bd21c747ed2216037bb1d961b85e8c |
| SHA1 | 602f194ed136ff8fbd3a0e35b36a4e1a16040389 |
| SHA256 | 1e78f8ecbbd7a057dc03a31c6620ad91e40c6326b73845a9f662a0b71c809d8f |
| SHA512 | 220104f5c1f3e9eb290984578842c6d46dbee8f1afd3b82cbc52bfaf88ca7ab6b0106755fb062b88187774e699863017aab4b5d65ecb11cb12a94eb8ae14b24f |
memory/2356-107-0x0000000002260000-0x00000000025B1000-memory.dmp
C:\Windows\system\YyxcBlu.exe
| MD5 | 278dc1c97e575b2a7620460a2226bf59 |
| SHA1 | 7f1f81e5ea2eea3346b5167c15ef41ea1fbf0ae8 |
| SHA256 | 5698ae9c834d1fac047429c1653eaa1f645a583e1bfd558176b80a059775b018 |
| SHA512 | 3163680a8338faba7ebcbcaf9b3f70cf47b2a4e10b1d6843f802d4a6884352ef9f851ba7932184fe399a0d9139150bb8775080ae2498d1f41d45c4e397a277c0 |
C:\Windows\system\OEwvBPs.exe
| MD5 | 35e99bbfcbfb0637769ffe397f0aaac0 |
| SHA1 | dbcd3145b765a5ad578648fcaf5adcabd56e6632 |
| SHA256 | 22852b83cd3a02a6c2dcef762926ade129a828b92533bf922e4d06773ee7a625 |
| SHA512 | 98043cd117c58bae37ff8906a00ceee06540dda1836fd0b5717e056e95bf4f88652f57a02cbbdfe8d82441f805ddb8e114c0c5187f3952aa5d02fa52337f6500 |
C:\Windows\system\aDGJuqI.exe
| MD5 | 2b1adef429434598553e453d599b4716 |
| SHA1 | 3406613718d6513eac84468a869336cd98342eb7 |
| SHA256 | b3c95e319d2c245fd2f8ae4e702f3f1049604e7564d63f93e7597ecf018c55d4 |
| SHA512 | 76f95c3b1c34d6cbfd9fd0335bfdd3215ba3ade0402807b9c40074c4cb4f9790c733a41dd76ab677b636348a77397f9d0b48c1e333f4c024c4456d0ac4f9a334 |
C:\Windows\system\aMnewsV.exe
| MD5 | c2b74ae5ebc425224624ffc6e69f8269 |
| SHA1 | 27ef0c0f55a21a9a6b5ebe92469f2b0fa98d7676 |
| SHA256 | a147c3f8c1164becb5edcc3169fad53162304c15f989a739d86ce5d1ef7fe449 |
| SHA512 | 78a9871239b72c51912e6647a87870a9b174d0597b736fc072f6c239f0f8460c2ac02f8567b22010dd9782a23aa871d9ba59fa56cf810f76781e8fde81ad0953 |
C:\Windows\system\PLnCbpJ.exe
| MD5 | 7496664793efe8e39c30ebda39febc28 |
| SHA1 | 1354525a5c7faaf704338407f61fa12a23acc541 |
| SHA256 | e886895457688cb127c91cdc6603b3952772d31c61bf4ec32e011906aeb3c6e1 |
| SHA512 | 34942c8ab46f3338bf5f28838ae97920f982c5caa75f368bd8b8205af0956dac637b6e7c22694c355b0973297c1ea657e4ff0ea447fc4cd3cd34477322113d25 |
memory/2052-108-0x000000013F460000-0x000000013F7B1000-memory.dmp
memory/2356-109-0x000000013F520000-0x000000013F871000-memory.dmp
memory/1956-110-0x000000013F520000-0x000000013F871000-memory.dmp
memory/2356-113-0x000000013F590000-0x000000013F8E1000-memory.dmp
memory/2356-115-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/2028-114-0x000000013F590000-0x000000013F8E1000-memory.dmp
memory/1096-112-0x000000013F9E0000-0x000000013FD31000-memory.dmp
memory/2356-111-0x000000013F9E0000-0x000000013FD31000-memory.dmp
memory/2060-116-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/2456-119-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/2356-118-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/3044-117-0x000000013F430000-0x000000013F781000-memory.dmp
memory/2356-120-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/2792-122-0x000000013F100000-0x000000013F451000-memory.dmp
memory/2172-121-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/2940-128-0x000000013F880000-0x000000013FBD1000-memory.dmp
memory/2528-130-0x000000013F750000-0x000000013FAA1000-memory.dmp
memory/2356-129-0x000000013FA00000-0x000000013FD51000-memory.dmp
memory/2356-127-0x000000013F880000-0x000000013FBD1000-memory.dmp
memory/2780-126-0x000000013F640000-0x000000013F991000-memory.dmp
memory/2356-125-0x000000013F640000-0x000000013F991000-memory.dmp
memory/2820-123-0x000000013F390000-0x000000013F6E1000-memory.dmp
memory/2944-124-0x000000013F460000-0x000000013F7B1000-memory.dmp
memory/2356-131-0x000000013F1B0000-0x000000013F501000-memory.dmp
memory/2576-150-0x000000013FFF0000-0x0000000140341000-memory.dmp
memory/2608-152-0x000000013FAA0000-0x000000013FDF1000-memory.dmp
memory/2632-151-0x000000013FF00000-0x0000000140251000-memory.dmp
memory/1404-149-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/2728-148-0x000000013F230000-0x000000013F581000-memory.dmp
memory/2748-147-0x000000013F560000-0x000000013F8B1000-memory.dmp
memory/2220-146-0x000000013FA00000-0x000000013FD51000-memory.dmp
memory/2356-153-0x000000013F1B0000-0x000000013F501000-memory.dmp
memory/2356-154-0x000000013F750000-0x000000013FAA1000-memory.dmp
memory/2356-155-0x000000013F1B0000-0x000000013F501000-memory.dmp
memory/1956-225-0x000000013F520000-0x000000013F871000-memory.dmp
memory/2528-223-0x000000013F750000-0x000000013FAA1000-memory.dmp
memory/2820-232-0x000000013F390000-0x000000013F6E1000-memory.dmp
memory/2172-230-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/2780-234-0x000000013F640000-0x000000013F991000-memory.dmp
memory/1096-242-0x000000013F9E0000-0x000000013FD31000-memory.dmp
memory/2060-246-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/2940-253-0x000000013F880000-0x000000013FBD1000-memory.dmp
memory/2944-251-0x000000013F460000-0x000000013F7B1000-memory.dmp
memory/2456-244-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/2792-248-0x000000013F100000-0x000000013F451000-memory.dmp
memory/2052-240-0x000000013F460000-0x000000013F7B1000-memory.dmp
memory/3044-228-0x000000013F430000-0x000000013F781000-memory.dmp
memory/2028-226-0x000000013F590000-0x000000013F8E1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 15:22
Reported
2024-11-09 15:24
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\LoSldln.exe | N/A |
| N/A | N/A | C:\Windows\System\mfVzWzR.exe | N/A |
| N/A | N/A | C:\Windows\System\JKYvpNe.exe | N/A |
| N/A | N/A | C:\Windows\System\MxxyPAl.exe | N/A |
| N/A | N/A | C:\Windows\System\WkPRsMB.exe | N/A |
| N/A | N/A | C:\Windows\System\wxplRzi.exe | N/A |
| N/A | N/A | C:\Windows\System\JgtaKCw.exe | N/A |
| N/A | N/A | C:\Windows\System\frfqzLz.exe | N/A |
| N/A | N/A | C:\Windows\System\RnfaPPL.exe | N/A |
| N/A | N/A | C:\Windows\System\INueiWa.exe | N/A |
| N/A | N/A | C:\Windows\System\wYUDrnQ.exe | N/A |
| N/A | N/A | C:\Windows\System\SdCzaQr.exe | N/A |
| N/A | N/A | C:\Windows\System\ZQEqSIz.exe | N/A |
| N/A | N/A | C:\Windows\System\FCRoSyF.exe | N/A |
| N/A | N/A | C:\Windows\System\FchlEVU.exe | N/A |
| N/A | N/A | C:\Windows\System\fcIEibC.exe | N/A |
| N/A | N/A | C:\Windows\System\ozKLfGZ.exe | N/A |
| N/A | N/A | C:\Windows\System\svTBQAc.exe | N/A |
| N/A | N/A | C:\Windows\System\HJIYnBl.exe | N/A |
| N/A | N/A | C:\Windows\System\WVLgxOs.exe | N/A |
| N/A | N/A | C:\Windows\System\VvDkDFD.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-09_3241f9591762f228184ac39e29ff0abe_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\LoSldln.exe
C:\Windows\System\LoSldln.exe
C:\Windows\System\mfVzWzR.exe
C:\Windows\System\mfVzWzR.exe
C:\Windows\System\MxxyPAl.exe
C:\Windows\System\MxxyPAl.exe
C:\Windows\System\JKYvpNe.exe
C:\Windows\System\JKYvpNe.exe
C:\Windows\System\WkPRsMB.exe
C:\Windows\System\WkPRsMB.exe
C:\Windows\System\wxplRzi.exe
C:\Windows\System\wxplRzi.exe
C:\Windows\System\JgtaKCw.exe
C:\Windows\System\JgtaKCw.exe
C:\Windows\System\frfqzLz.exe
C:\Windows\System\frfqzLz.exe
C:\Windows\System\RnfaPPL.exe
C:\Windows\System\RnfaPPL.exe
C:\Windows\System\INueiWa.exe
C:\Windows\System\INueiWa.exe
C:\Windows\System\wYUDrnQ.exe
C:\Windows\System\wYUDrnQ.exe
C:\Windows\System\SdCzaQr.exe
C:\Windows\System\SdCzaQr.exe
C:\Windows\System\ZQEqSIz.exe
C:\Windows\System\ZQEqSIz.exe
C:\Windows\System\FCRoSyF.exe
C:\Windows\System\FCRoSyF.exe
C:\Windows\System\FchlEVU.exe
C:\Windows\System\FchlEVU.exe
C:\Windows\System\fcIEibC.exe
C:\Windows\System\fcIEibC.exe
C:\Windows\System\ozKLfGZ.exe
C:\Windows\System\ozKLfGZ.exe
C:\Windows\System\svTBQAc.exe
C:\Windows\System\svTBQAc.exe
C:\Windows\System\HJIYnBl.exe
C:\Windows\System\HJIYnBl.exe
C:\Windows\System\WVLgxOs.exe
C:\Windows\System\WVLgxOs.exe
C:\Windows\System\VvDkDFD.exe
C:\Windows\System\VvDkDFD.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2280-0-0x00007FF793E10000-0x00007FF794161000-memory.dmp
memory/2280-1-0x00000221656A0000-0x00000221656B0000-memory.dmp
C:\Windows\System\LoSldln.exe
| MD5 | beb5c8bc890ed76b7564803474bfdf76 |
| SHA1 | 7c406d7a72fa2495fc06aa3958ddd50feb69ecec |
| SHA256 | e4f2015e52472e62a65f2ca15ab04e725b162402b0a6a78dc92f0eae8be51555 |
| SHA512 | b01a16d2bbdbbc5e747eb6295297a93c7ab17032aabfa6b1a44543214f5d1d28b3eb6611d13e5adad5dacd402ce478e84bc92be6eac00f2148a5e801015bc2ea |
memory/1932-10-0x00007FF62A590000-0x00007FF62A8E1000-memory.dmp
memory/4332-16-0x00007FF7141C0000-0x00007FF714511000-memory.dmp
C:\Windows\System\WkPRsMB.exe
| MD5 | 3ebc5b384b2f8c8349a4a6dd188f48e1 |
| SHA1 | 4aa42f471a47b76a3cd849dc1bb713d224727b28 |
| SHA256 | 5b5e456d4d7e84913d6d89c5a16ea3e63f983b3e428b2d8f39f3b6f37b9c3ae5 |
| SHA512 | f005321cfacff9ac2be761dbfc3362fb33112bdef35fe76af03db0bbf5db64f5be958423ca57acdc7ce4780e84f576a65bd13a11806a7ed57baaf4943ad5bbb2 |
C:\Windows\System\wxplRzi.exe
| MD5 | cd996253967ea5a84793328214f4c075 |
| SHA1 | 26730756341dfef09f9f4d5a404092768c342e76 |
| SHA256 | cc83f3f015bbb5d3e341f924496a782c9092cdd2196a8ccdfa4355ddeb8b11ac |
| SHA512 | a2a1cfd2e4d87f0b578c90117940b22dbbebba6d995c65e2c6eedfb9b26c2cd61655a66229867ae1cddd11583e70d71f96d4aa56c6739d70b7894b9cfd1e7559 |
C:\Windows\System\JgtaKCw.exe
| MD5 | d09ddcdcec8b62a9a3afe9cc2e49aa0a |
| SHA1 | 3e675e3bf745775357c150fd101adce4df80691b |
| SHA256 | be0ab50d99b5aa1430e3030f581d000e0b0a266670dcf18af1670520747d9d18 |
| SHA512 | 6fa4583a5b406e4de9e550937924b4dc6f75bdb9d8cdc59b57a28ca6194ec2baae5a760caa6f1108412e58a8804f2a3f2eab7ebba2bdbe60305365b92faf7b37 |
C:\Windows\System\RnfaPPL.exe
| MD5 | 4f4a60afb64c870807eb730daabe0263 |
| SHA1 | 81199712b1a0efd9a8ca021ff043d4e67da1541e |
| SHA256 | 40c58455bf223a19407fcdef0ff560acd103d4a8676283c04951c2f1f3fee180 |
| SHA512 | a94d7d9010edad8a14bd3aa4d369bac68b0fdea8d87c3b82d79b97d4340d4ebdfea18792249778ec7c4f170fd9d47d3627026b6f7c2554c74b041f6fe415e9af |
memory/2828-58-0x00007FF763EF0000-0x00007FF764241000-memory.dmp
C:\Windows\System\wYUDrnQ.exe
| MD5 | 72daedb0c94860ed587178c5596b1814 |
| SHA1 | cd3cdc2f2c3b4ec22f90a46d2609a9e0273043da |
| SHA256 | b824b5f4a145e751eda144689f40fbec486856e024117c8cec96f21935398e9f |
| SHA512 | a05d129e7f0605d98cf94569197bb0c7ca75515f644bd343bc32d78d2965047a1eea7e75eb28f9835657a76a5607a28881d58f688ea86d920d754157f92eef12 |
C:\Windows\System\SdCzaQr.exe
| MD5 | 1a3f27488c2d32a68426b44a2688bc50 |
| SHA1 | 08384fdb25eb859fdd976f5b70fa3ac96eef08d8 |
| SHA256 | ed6ce41a4eb38211b4965172b679870f4c4378e3ea6d527b27286f430d210113 |
| SHA512 | ab38350bd2d36803464fc4604d26770bcc2ad07bc6c208bf99054ecd962d4b3b91bff16590060b05eb429c396aff9ae01dc979cd17ff4c88640958d01291be71 |
memory/2856-86-0x00007FF6A9770000-0x00007FF6A9AC1000-memory.dmp
C:\Windows\System\FchlEVU.exe
| MD5 | 7b46f34f929bef1c6b09e33103b44ad3 |
| SHA1 | b73d53a9b4054d69d6690d31b9855106d3d19581 |
| SHA256 | 1dfa7805cf52b58e2652493a440e302b1b5301c24ec5ff2aa4662227cee5650f |
| SHA512 | 462232a7a618b1ba73bac0ddbbfc5868e6c08afd086645101736bba34d1a8579b618d57e36c303c79a9016556a40bfedbd983792a53655b633b3b077f806b3e8 |
C:\Windows\System\fcIEibC.exe
| MD5 | 16c6598f788d521f1959fd2c56d31da1 |
| SHA1 | a6da37aacb516006e952eab6c6a7eac4f94704f4 |
| SHA256 | c05cf3feea43517612193153a740e9ee4eb632908ed56c8151e6a698f4bfe863 |
| SHA512 | 73d0b0f1bf9507eb7463fcba4be75d7a2a0dc2dcf7d2432b15465c8377dc25e5964d215e7d67446d9c84b8967de2911975df80ddcdcb42f045d5318712750350 |
memory/2188-105-0x00007FF768030000-0x00007FF768381000-memory.dmp
C:\Windows\System\ozKLfGZ.exe
| MD5 | 8ae898bba8cc917e18e061ab32db2a8a |
| SHA1 | e47ca94bc8d6f6edf06389a4379c12b19f6bd529 |
| SHA256 | 8b23781f41713d890d0a2d84a6c4e1d8e5c2663f0581ba9ae5f92071b0f46cdf |
| SHA512 | 9f0a6c07f5ea13b563b935625cc0ffbf2c5142bb3f3b99babf76fcfeb89683f9562f1c9746cfaa3eb3595067a6eedee1f29e4a7c9d7df0d24a86c64078a96c22 |
C:\Windows\System\svTBQAc.exe
| MD5 | b78c2522777d0f89a2de5226460c8957 |
| SHA1 | 1aa0b7d5d2171c7c66dc417c31447ced3d3c6835 |
| SHA256 | fd3a5c759a2ebe9acb892fd3e1fc8169745e8a83085235b37c9937220a9a5448 |
| SHA512 | e0c0cf4fde44e50bf200c7ca6d8920b912f3130fc2c984c22dd3d6ed48a0082f520d709c7819e76a764bdbb3f195680f56e3db2b7a75672e895145cdce825ec1 |
memory/1548-108-0x00007FF62B5B0000-0x00007FF62B901000-memory.dmp
memory/4236-104-0x00007FF615650000-0x00007FF6159A1000-memory.dmp
memory/1932-101-0x00007FF62A590000-0x00007FF62A8E1000-memory.dmp
memory/2280-98-0x00007FF793E10000-0x00007FF794161000-memory.dmp
C:\Windows\System\FCRoSyF.exe
| MD5 | 9210e94d9e8cbe0d0c5925482b0888aa |
| SHA1 | 083ac05a9a7723c532d0d7769d989f896c444477 |
| SHA256 | 2bcd3a13d67015f782143c233a199c30445f2e1f6ff32043ad134e497e2478c6 |
| SHA512 | 373aaedd8858132d61150f9f7a11c163d7f753965ed5a6be242c8598159b1d2e64f7e1d9cbcec030e15b2c00ec03a37cafa1846b51d55031ac00af613ef3b955 |
C:\Windows\System\ZQEqSIz.exe
| MD5 | d4b58045d49ec046a82ed8a0cde194a2 |
| SHA1 | bb8812d0bd88f11a038bcce9c4a01d9bc20ab1b3 |
| SHA256 | fc96166a66a22a58641bb6542d8502d08ca04fede8c417168935732730410c4f |
| SHA512 | 4edca5a65589c0066345d7e51235c1e4692351a1f4130e4bea0b13b6925598ff4d79769baa9883e7410d3509426079b6f531124fe8e01177ec1d32016b0d55a8 |
memory/3588-85-0x00007FF741860000-0x00007FF741BB1000-memory.dmp
memory/4604-84-0x00007FF665CD0000-0x00007FF666021000-memory.dmp
memory/4004-76-0x00007FF7D3F00000-0x00007FF7D4251000-memory.dmp
memory/3092-66-0x00007FF628E20000-0x00007FF629171000-memory.dmp
C:\Windows\System\INueiWa.exe
| MD5 | 26619f64677c7ffa27488013a48ddfc4 |
| SHA1 | d92b1821cf72ae314a63b21afaf8b0a31b66fbb6 |
| SHA256 | 7963e93756b3571f0522788628361f0eb40677651432c1115afb6e01df1f24da |
| SHA512 | 9332a3c491841f9f9bb42d4ad3b6904ac13956fedf4bc92dd066ac41f4170cbb8b1a4ea38134e07e49d2ecacde56c097f414881be52e85f73c90878003d5e832 |
memory/3744-60-0x00007FF697640000-0x00007FF697991000-memory.dmp
memory/4932-59-0x00007FF65D800000-0x00007FF65DB51000-memory.dmp
memory/2564-57-0x00007FF675430000-0x00007FF675781000-memory.dmp
memory/4228-46-0x00007FF627A00000-0x00007FF627D51000-memory.dmp
C:\Windows\System\frfqzLz.exe
| MD5 | aab930dc24292fa2bb7b0e88b7d60d7c |
| SHA1 | 76008109ed3198d2c2783a092a3245c572d82435 |
| SHA256 | 63fc5f916c209f1925d0a1a3f5a86ed269c1b27cb59503802c837456066acb8a |
| SHA512 | 920e8afd54cf0d6bbc45a72848fecd197aa7a5f4f9b9d793523093a5cf896eab40a767ca7ac99cc18b463feb5b3e5848213f7450b080b3151f7f51c22af0a09f |
memory/1944-37-0x00007FF7178F0000-0x00007FF717C41000-memory.dmp
memory/2548-33-0x00007FF6B7970000-0x00007FF6B7CC1000-memory.dmp
C:\Windows\System\MxxyPAl.exe
| MD5 | d736dbe8c9732a15f8ca54195778284f |
| SHA1 | 65df3c627621823ea00ebc87b1fae5600f70028c |
| SHA256 | c6f68a629143c7fc215d56afbc6d8d6ffbbc689b99ba93ab2401729a1d0cff1f |
| SHA512 | 713795a63c819641fb1f1273bf91ff0479eb67af350248460ed282a90aa801edabbe3ebc016ad90f496c87a87e42cefe9a5b8a2d7c90c546c55d149e3eea8200 |
C:\Windows\System\JKYvpNe.exe
| MD5 | 187251a65843dbf5f9476bf03fadc6f2 |
| SHA1 | 3e72258ce1cd068d1a7fa018cd10d2dcc686d32d |
| SHA256 | fe0ed7d0904a438e518c5301e5db841937472505d3df3c22492838274d5f38ed |
| SHA512 | b6b1dd17fe9f92d9f2365b011570817f3be732dfc13f2ae04ff26859929998521ce261582226c3ccf8727c6fc768b25039d6646867dbf75412f3fcb758825b86 |
memory/768-24-0x00007FF768D00000-0x00007FF769051000-memory.dmp
C:\Windows\System\mfVzWzR.exe
| MD5 | ab2695f0868d880a13499163421a118f |
| SHA1 | 5e3596beb1c1bd2a7e473e6c35e4f6dbf31478c3 |
| SHA256 | 73c0cf6840197444aa8016095a0191bc1d6c74df24ff66c3b505ed9c17e0ca17 |
| SHA512 | bdcd0a3c68eecb7d43b0bd3f03867d3c41b3b3397d2279fa86cb430d1481246b33a7491c387637ff952cbeafdbb3a88b575b0ca179bc8ebb3f598ad9340171d6 |
memory/4332-113-0x00007FF7141C0000-0x00007FF714511000-memory.dmp
memory/1944-115-0x00007FF7178F0000-0x00007FF717C41000-memory.dmp
memory/2548-114-0x00007FF6B7970000-0x00007FF6B7CC1000-memory.dmp
memory/768-121-0x00007FF768D00000-0x00007FF769051000-memory.dmp
C:\Windows\System\HJIYnBl.exe
| MD5 | f17c61eb66a037f60d85830e476d8ada |
| SHA1 | eee01317375dc0767bc3085b3f2562df149ab68e |
| SHA256 | 2f5cfc2c71cda0ec2b5bd8298f7bc9600eddaf40babbcba08682053da1489677 |
| SHA512 | e4f9ec02592cd54bb321658e2712161d78a98d411e59ea95a98137140e62f527892fd2c57388132c97fd04352aea345445aef1a27f169d11b885f148de4e60e9 |
C:\Windows\System\VvDkDFD.exe
| MD5 | 4698615ce9b4964c4d57a6c2d7450e5c |
| SHA1 | 3719d3222f94e3fb93ac6be76214618358a2ab85 |
| SHA256 | 29a2b2c76e8a43270eb3adf575c6dd91d7a3fd004c63e6c3c30f6d3927bee7be |
| SHA512 | 5e01811e90a665e4bbd8bc61cf5e30a2c624030f0525132099373b189df421ab3c0a9c7ba128b9ab1a347b7a22e1142923283fb554f52784e4c7d0888170c3d0 |
memory/2828-129-0x00007FF763EF0000-0x00007FF764241000-memory.dmp
C:\Windows\System\WVLgxOs.exe
| MD5 | 61374cb464cb28eb3489a1bcaf87b8c4 |
| SHA1 | f43417477b2b960a49b8d0a610f50ca3632f266c |
| SHA256 | 385f84a9330af5bd7bd3ade3ab95b418b506e5d45304c7275a42bbcf06bfc9f8 |
| SHA512 | 68bd73264dcdeec7481c6d3b71117b7519474d66435b2c21cae6f56416c76a112fc5d3a5ee48f9b5cd125029547dc9991056bf7fe61cc12ed0bd83e87654bdd4 |
memory/1592-131-0x00007FF674F80000-0x00007FF6752D1000-memory.dmp
memory/1192-128-0x00007FF7BB030000-0x00007FF7BB381000-memory.dmp
memory/1732-127-0x00007FF647A60000-0x00007FF647DB1000-memory.dmp
memory/4228-124-0x00007FF627A00000-0x00007FF627D51000-memory.dmp
memory/2280-136-0x00007FF793E10000-0x00007FF794161000-memory.dmp
memory/3092-144-0x00007FF628E20000-0x00007FF629171000-memory.dmp
memory/2856-152-0x00007FF6A9770000-0x00007FF6A9AC1000-memory.dmp
memory/4236-153-0x00007FF615650000-0x00007FF6159A1000-memory.dmp
memory/4604-158-0x00007FF665CD0000-0x00007FF666021000-memory.dmp
memory/1732-157-0x00007FF647A60000-0x00007FF647DB1000-memory.dmp
memory/4004-156-0x00007FF7D3F00000-0x00007FF7D4251000-memory.dmp
memory/2188-155-0x00007FF768030000-0x00007FF768381000-memory.dmp
memory/1548-154-0x00007FF62B5B0000-0x00007FF62B901000-memory.dmp
memory/3588-151-0x00007FF741860000-0x00007FF741BB1000-memory.dmp
memory/1192-159-0x00007FF7BB030000-0x00007FF7BB381000-memory.dmp
memory/1592-160-0x00007FF674F80000-0x00007FF6752D1000-memory.dmp
memory/2280-161-0x00007FF793E10000-0x00007FF794161000-memory.dmp
memory/4332-218-0x00007FF7141C0000-0x00007FF714511000-memory.dmp
memory/1932-220-0x00007FF62A590000-0x00007FF62A8E1000-memory.dmp
memory/768-222-0x00007FF768D00000-0x00007FF769051000-memory.dmp
memory/1944-225-0x00007FF7178F0000-0x00007FF717C41000-memory.dmp
memory/2548-226-0x00007FF6B7970000-0x00007FF6B7CC1000-memory.dmp
memory/4228-231-0x00007FF627A00000-0x00007FF627D51000-memory.dmp
memory/2564-232-0x00007FF675430000-0x00007FF675781000-memory.dmp
memory/4932-229-0x00007FF65D800000-0x00007FF65DB51000-memory.dmp
memory/3744-234-0x00007FF697640000-0x00007FF697991000-memory.dmp
memory/3092-245-0x00007FF628E20000-0x00007FF629171000-memory.dmp
memory/4604-252-0x00007FF665CD0000-0x00007FF666021000-memory.dmp
memory/2856-251-0x00007FF6A9770000-0x00007FF6A9AC1000-memory.dmp
memory/3588-254-0x00007FF741860000-0x00007FF741BB1000-memory.dmp
memory/2828-248-0x00007FF763EF0000-0x00007FF764241000-memory.dmp
memory/4004-247-0x00007FF7D3F00000-0x00007FF7D4251000-memory.dmp
memory/1548-257-0x00007FF62B5B0000-0x00007FF62B901000-memory.dmp
memory/2188-260-0x00007FF768030000-0x00007FF768381000-memory.dmp
memory/4236-259-0x00007FF615650000-0x00007FF6159A1000-memory.dmp
memory/1732-264-0x00007FF647A60000-0x00007FF647DB1000-memory.dmp
memory/1192-266-0x00007FF7BB030000-0x00007FF7BB381000-memory.dmp
memory/1592-269-0x00007FF674F80000-0x00007FF6752D1000-memory.dmp
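The dropped-file and memory-region listing above is a format a practitioner usually wants to parse rather than read by eye: the two-column hash rows are the file IOCs to push to a blocklist, and each dump name encodes the process it was taken from and the mapped address range, so the size of every region can be computed and compared. The following Python is an added example, not part of the sandbox report or its tooling. Its SAMPLE input is copied from a few lines of the listing above (marked as constructed in the code), and the reading of a dump name as pid, sequence number, start address, end address is an assumption drawn from the visible names, not a documented naming scheme.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the listing above, in the
# same shape the report uses (path line, two-column hash rows, dump names).
# The first hash row has no preceding path, mirroring the orphan table that
# opens this part of the report.
SAMPLE = r"""
| SHA256 | 8b23781f41713d890d0a2d84a6c4e1d8e5c2663f0581ba9ae5f92071b0f46cdf |
C:\Windows\System\svTBQAc.exe
| MD5 | b78c2522777d0f89a2de5226460c8957 |
| SHA1 | 1aa0b7d5d2171c7c66dc417c31447ced3d3c6835 |
| SHA256 | fd3a5c759a2ebe9acb892fd3e1fc8169745e8a83085235b37c9937220a9a5448 |
memory/1548-108-0x00007FF62B5B0000-0x00007FF62B901000-memory.dmp
memory/4236-104-0x00007FF615650000-0x00007FF6159A1000-memory.dmp
C:\Windows\System\FCRoSyF.exe
| MD5 | 9210e94d9e8cbe0d0c5925482b0888aa |
| SHA256 | 2bcd3a13d67015f782143c233a199c30445f2e1f6ff32043ad134e497e2478c6 |
memory/1548-154-0x00007FF62B5B0000-0x00007FF62B901000-memory.dmp
"""

# Expected hex-digit lengths; a digest of the wrong length is a copy error,
# and a blocklist entry built from it would never match anything.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# Assumed layout: memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_listing(text):
    """Split the report text into dropped files (path + hashes) and dump regions."""
    files, regions = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = {"path": line, "hashes": {}}
            files.append(current)
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length: {line}")
            if current is None:  # hash rows whose path line is not in this text
                current = {"path": None, "hashes": {}}
                files.append(current)
            current["hashes"][algo] = digest
            continue
        m = DUMP_RE.match(line)
        if m:
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            regions.append({"pid": int(m.group(1)), "seq": int(m.group(2)),
                            "start": start, "end": end, "size": end - start})
    return files, regions


def sha256_iocs(files):
    """Sorted, de-duplicated SHA256 values ready for a blocklist."""
    return sorted({f["hashes"]["SHA256"] for f in files if "SHA256" in f["hashes"]})


def region_sizes(regions):
    """Set of distinct region sizes; one value means every dump spans the same length."""
    return {r["size"] for r in regions}


def distinct_regions(regions):
    """Unique (pid, start, end) triples; the same region is often dumped several times."""
    return sorted({(r["pid"], r["start"], r["end"]) for r in regions})


def regions_by_pid(regions):
    """Group dump records by the process they were taken from."""
    grouped = defaultdict(list)
    for r in regions:
        grouped[r["pid"]].append(r)
    return dict(grouped)


if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE)
    print("SHA256 IOCs:", *sha256_iocs(files), sep="\n  ")
    print("region sizes:", [hex(s) for s in region_sizes(region_sizes and regions)])
    for pid, rs in regions_by_pid(regions).items():
        print(f"pid {pid}: {len(rs)} dump(s) of {len({(r['start'], r['end']) for r in rs})} region(s)")
```

Run over the complete listing above rather than the sample, every dump region comes out at exactly 0x351000 bytes, and the repeated (pid, start, end) triples with increasing sequence numbers show the same region being captured at successive points during the run. An identical mapped size across more than twenty processes is consistent with one payload image being loaded into each of them, which is the pattern the "Cobalt Strike reflective loader" and "XMRig Miner payload" signatures at the top of the report describe; the listing itself does not say which payload sits in which region, so the parser leaves that attribution open.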