Analysis Overview
SHA256: 777d44c6731dc80ad0a28d9f8f68b33cfd30b0d575614a1d873bc8dd306c4db2
Threat Level: Known bad
The file 2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
xmrig
Cobalt Strike reflective loader
XMRig Miner payload
Xmrig family
Cobaltstrike family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-11-09 15:24
Signatures (static scan; the report gives no indicator, process or target for any match)
Cobalt Strike reflective loader (1 match)
Cobaltstrike family
XMRig Miner payload (1 match)
Xmrig family
UPX packed file (1 match)
Unsigned PE (2 matches)
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-09 15:24
Reported: 2024-11-09 15:26
Platform: win10v2004-20241007-en
Max time kernel: 140s
Max time network: 143s
Command Line: (empty)
Signatures
Cobalt Strike reflective loader (21 matches; the report lists no indicator, process or target for any of them)
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload (46 matches; no per-match details in the report)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\qCYNAky.exe | N/A |
| N/A | N/A | C:\Windows\System\YyVzPKv.exe | N/A |
| N/A | N/A | C:\Windows\System\TnHBJsO.exe | N/A |
| N/A | N/A | C:\Windows\System\LkZNiKo.exe | N/A |
| N/A | N/A | C:\Windows\System\dQZBltq.exe | N/A |
| N/A | N/A | C:\Windows\System\sySWomU.exe | N/A |
| N/A | N/A | C:\Windows\System\wdSQhFs.exe | N/A |
| N/A | N/A | C:\Windows\System\nIDRJWl.exe | N/A |
| N/A | N/A | C:\Windows\System\MvYzBCR.exe | N/A |
| N/A | N/A | C:\Windows\System\raECuRM.exe | N/A |
| N/A | N/A | C:\Windows\System\tIAgvWq.exe | N/A |
| N/A | N/A | C:\Windows\System\YOwWovx.exe | N/A |
| N/A | N/A | C:\Windows\System\kcRgREk.exe | N/A |
| N/A | N/A | C:\Windows\System\yUIxVRV.exe | N/A |
| N/A | N/A | C:\Windows\System\CSWADbW.exe | N/A |
| N/A | N/A | C:\Windows\System\kguCWCv.exe | N/A |
| N/A | N/A | C:\Windows\System\KdjXVtU.exe | N/A |
| N/A | N/A | C:\Windows\System\fRSFLAy.exe | N/A |
| N/A | N/A | C:\Windows\System\yOUQVvF.exe | N/A |
| N/A | N/A | C:\Windows\System\ZasNeGp.exe | N/A |
| N/A | N/A | C:\Windows\System\EjBEUBH.exe | N/A |
UPX packed file (64 matches; no per-match details in the report)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
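SeLockMemoryPrivilege ("Lock pages in memory") is the right a process needs to allocate large pages, and XMRig enables it to back its RandomX dataset with huge pages; a user-land binary in a Temp directory enabling it is a strong miner tell. The following is an added detection example, not part of this report and not code from the sample: it scans Windows Security event 4703 ("A user right was adjusted", written when a process calls AdjustTokenPrivileges and the Audit Token Right Adjusted subcategory is enabled) and flags SeLockMemoryPrivilege enables from any process outside an allowlist. The event records are constructed to mirror the two rows above, and the allowlist path is an assumed example that you would replace with your own large-page users.

```python
r"""Flag SeLockMemoryPrivilege being enabled by an unexpected process.

Added example; not part of the sandbox report and not code from the sample.
Windows writes Security event 4703 ("A user right was adjusted") when a
process calls AdjustTokenPrivileges and the "Audit Token Right Adjusted"
subcategory is on. The events below are constructed; the allowlist entry is
an assumed example path (a real SQL Server path carries an instance name).
"""
import re
from dataclasses import dataclass

# Processes that legitimately need SeLockMemoryPrivilege (large pages, AWE).
ALLOWLIST = {
    r"c:\program files\microsoft sql server\mssql\binn\sqlservr.exe",
}

@dataclass(frozen=True)
class Finding:
    user: str
    process: str
    enabled: tuple  # every privilege enabled in the same call, for context

def parse_privilege_list(value: str) -> set:
    """4703 renders privilege lists as whitespace-separated names, or "-" when empty."""
    return {p for p in re.split(r"[\s,]+", value.strip()) if p and p != "-"}

def find_lock_memory_enables(events):
    """Return a Finding for each 4703 event that enables SeLockMemoryPrivilege
    from a process outside ALLOWLIST. Other event IDs are ignored."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4703:
            continue
        enabled = parse_privilege_list(ev.get("EnabledPrivilegeList", "-"))
        if "SeLockMemoryPrivilege" not in enabled:
            continue
        if ev.get("ProcessName", "").lower() in ALLOWLIST:
            continue
        findings.append(Finding(user=ev.get("SubjectUserName", ""),
                                process=ev["ProcessName"],
                                enabled=tuple(sorted(enabled))))
    return findings

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe"

# Constructed event records; field names follow the 4703 schema.
SAMPLE_EVENTS = [
    {"EventID": 4703, "SubjectUserName": "Admin", "ProcessName": SAMPLE,
     "EnabledPrivilegeList": "SeLockMemoryPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "SubjectUserName": "Admin", "ProcessName": SAMPLE,
     "EnabledPrivilegeList": "SeLockMemoryPrivilege", "DisabledPrivilegeList": "-"},
    # Routine noise: SeDebugPrivilege enables are constant on a busy host.
    {"EventID": 4703, "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege", "DisabledPrivilegeList": "-"},
    # Allowlisted large-page user (assumed example path).
    {"EventID": 4703, "SubjectUserName": "MSSQLSERVER",
     "ProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege", "DisabledPrivilegeList": "-"},
    # Not a 4703 at all; ignored.
    {"EventID": 4688, "ProcessName": r"C:\Windows\System\qCYNAky.exe"},
]

if __name__ == "__main__":
    for f in find_lock_memory_enables(SAMPLE_EVENTS):
        print(f"{f.user}\t{f.process}\tenabled={','.join(f.enabled)}")
```

Run against the constructed events it reports the two enables by the sample and stays silent on svchost.exe and the allowlisted process. The allowlist is keyed on the full lower-cased image path rather than the file name so that a miner renamed sqlservr.exe in another directory does not slip through.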
Suspicious use of WriteProcessMemory
Processes (each entry gives the image path followed by its command line)
C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\qCYNAky.exe
C:\Windows\System\qCYNAky.exe
C:\Windows\System\YyVzPKv.exe
C:\Windows\System\YyVzPKv.exe
C:\Windows\System\TnHBJsO.exe
C:\Windows\System\TnHBJsO.exe
C:\Windows\System\LkZNiKo.exe
C:\Windows\System\LkZNiKo.exe
C:\Windows\System\dQZBltq.exe
C:\Windows\System\dQZBltq.exe
C:\Windows\System\sySWomU.exe
C:\Windows\System\sySWomU.exe
C:\Windows\System\wdSQhFs.exe
C:\Windows\System\wdSQhFs.exe
C:\Windows\System\nIDRJWl.exe
C:\Windows\System\nIDRJWl.exe
C:\Windows\System\MvYzBCR.exe
C:\Windows\System\MvYzBCR.exe
C:\Windows\System\raECuRM.exe
C:\Windows\System\raECuRM.exe
C:\Windows\System\tIAgvWq.exe
C:\Windows\System\tIAgvWq.exe
C:\Windows\System\YOwWovx.exe
C:\Windows\System\YOwWovx.exe
C:\Windows\System\yUIxVRV.exe
C:\Windows\System\yUIxVRV.exe
C:\Windows\System\kcRgREk.exe
C:\Windows\System\kcRgREk.exe
C:\Windows\System\CSWADbW.exe
C:\Windows\System\CSWADbW.exe
C:\Windows\System\kguCWCv.exe
C:\Windows\System\kguCWCv.exe
C:\Windows\System\KdjXVtU.exe
C:\Windows\System\KdjXVtU.exe
C:\Windows\System\fRSFLAy.exe
C:\Windows\System\fRSFLAy.exe
C:\Windows\System\yOUQVvF.exe
C:\Windows\System\yOUQVvF.exe
C:\Windows\System\ZasNeGp.exe
C:\Windows\System\ZasNeGp.exe
C:\Windows\System\EjBEUBH.exe
C:\Windows\System\EjBEUBH.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
The only non-DNS destination is 3.120.209.58:8080 over TCP, contacted five times within the 143 s network window. The UDP rows are PTR (reverse DNS) lookups sent to 8.8.8.8; the report does not attribute any of them to a process, so treat only the TCP endpoint as a sample-attributable indicator until process-level capture says otherwise.
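To get usable indicators out of the table above you need to separate the direct TCP connections from the resolver traffic and turn each in-addr.arpa name back into the address that was looked up (the octets are reversed). The block below is an added example, not part of the report: it parses rows copied from this Network table, tolerates the page's misaligned rows where "tcp" slid into the Domain column, decodes the PTR names, and counts connections per endpoint. Only the row text is from the page; the parsing and classification are mine.

```python
"""Extract network IOCs from the report's Network table and decode PTR lookups.

Added example, not part of the report. NETWORK_ROWS is copied from the
win10 (behavioral2) Network table, including two rows in the page's
misaligned shape, so the table can be pasted in as-is.
"""
import ipaddress
from collections import Counter

NETWORK_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | tcp |
"""

def ptr_to_ip(name: str):
    """'172.214.232.199.in-addr.arpa' -> IPv4Address('199.232.214.172'); None otherwise."""
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return ipaddress.IPv4Address(".".join(reversed(octets)))
    except ValueError:
        return None

def parse_rows(text: str):
    """Return one dict per data row; pads short rows and fixes a protocol
    that landed in the Domain column."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if not cells or cells[0] in ("", "Country"):
            continue
        cells += [""] * (4 - len(cells))            # short row: pad trailing cells
        country, dest, domain, proto = cells[:4]
        if proto == "" and domain in ("tcp", "udp"):  # protocol slid into Domain
            domain, proto = "", domain
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows

def extract_iocs(text: str):
    """Split resolver traffic (decoded to the IPs looked up) from direct connections."""
    endpoints = Counter()
    ptr_targets = set()
    for r in parse_rows(text):
        if r["proto"] == "udp" and r["port"] == 53:
            ip = ptr_to_ip(r["domain"])
            if ip is not None:
                ptr_targets.add(ip)
            continue
        endpoints[(r["ip"], r["port"], r["proto"])] += 1
    return {"endpoints": dict(endpoints),
            "ptr_targets": [str(ip) for ip in sorted(ptr_targets)]}

if __name__ == "__main__":
    iocs = extract_iocs(NETWORK_ROWS)
    for (ip, port, proto), n in iocs["endpoints"].items():
        print(f"{proto} {ip}:{port} x{n}")
    print("PTR lookups for:", ", ".join(iocs["ptr_targets"]))
```

For the rows embedded above the result is one endpoint, 3.120.209.58:8080/tcp seen three times, and four decoded PTR targets. The PTR targets are kept separate from the endpoints on purpose: a reverse lookup is evidence that something asked who owns an address, not that the sample connected to it.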
Files (dropped executables with their hashes, interleaved with process memory dumps named memory/<pid>-<sequence>-<start>-<end>-memory.dmp)
memory/3084-0-0x00007FF7F93A0000-0x00007FF7F96F1000-memory.dmp
memory/3084-1-0x0000025D315C0000-0x0000025D315D0000-memory.dmp
C:\Windows\System\qCYNAky.exe
| MD5 | a5435a4af7e523aa02ffb15c774c0bf3 |
| SHA1 | 7f5255a3c65fc60a302a363d7bb7521cde2eea28 |
| SHA256 | c9fa4ec95b3f39e41e57f7344a6ac1e78c4971f9143193cb4b704aebe5326dfd |
| SHA512 | 8dc32339c76816373a524108d38325b63122eb421bac69d9be5804d5c888a6a8bd072f05af329982d86180f80ee104bb7183796819033e086db94052bdbd0beb |
memory/976-9-0x00007FF73F3A0000-0x00007FF73F6F1000-memory.dmp
C:\Windows\System\TnHBJsO.exe
| MD5 | c80f237c04aac3eb5949252cbbc97b9f |
| SHA1 | d22805cc69008720c4d7bc5436ad3739e66bcce8 |
| SHA256 | 5458e4a5e814edfbf3c2ddd72d4bd4a6e8751ff7aed62144c94efd27c4d35f83 |
| SHA512 | 623f7ebefff823718d3110c5713d8762ea3268bdc0d59bb690b328f36e22b9076f1fcd4015bda0e64f30eefa2c72077fc06bd7f7bc2c07e6e2019ba87e79630a |
C:\Windows\System\YyVzPKv.exe
| MD5 | 4c577a516b61feec48fe838c7a75eea5 |
| SHA1 | 613dc08fa9cfe4247f6f10c6b2437f159cf396b7 |
| SHA256 | 3ee1cd0cf3a7805b45246ba7d6b3e6af016a85f42ad3a984e2bee76ad2ffb4f4 |
| SHA512 | 46f2d32d464b9cb4a053dbda83246e7c360eb7b61e4ac993f80c4abe27993cc1a3241e249eb5c7e37cd54d7cee352c1a4a96507d6e9a29793a5d368a67394aac |
memory/3016-18-0x00007FF7D98F0000-0x00007FF7D9C41000-memory.dmp
C:\Windows\System\LkZNiKo.exe
| MD5 | 5eef210b8795684a7c52c80ec9da6ecc |
| SHA1 | 05b314f3d2236d0dc3fdf72d3b2f234fe1eb96eb |
| SHA256 | cc6adf77cee877ce76d72691474e9f048a5baf158253a4204f42d37c660c5d02 |
| SHA512 | dc889d939e9bded9278d32e83ef1057722b7856262f99e0ac7eabbd8271843dd67b1ab28c20436818ae2734485c063ee50039dc7ae0180cbb42a2f564a44b700 |
C:\Windows\System\dQZBltq.exe
| MD5 | 17709c4f5e9bcdabeb309773a9002753 |
| SHA1 | 8ffb33ed9035fc4e1e910f9ff4b169e8722028ee |
| SHA256 | c624d800959e796ad9e7e59e089622dae27130985657eaa452555d1f33b68216 |
| SHA512 | 0a3adf929ca898e0d9e4e4a7f2423e67ca44279a0b5776b3ea3d1753538a3336f84f165fec059f015cef7ea37ddb8ff0ce8edd36f9673c33f148948270646b7a |
memory/752-30-0x00007FF74D540000-0x00007FF74D891000-memory.dmp
memory/2536-24-0x00007FF71D390000-0x00007FF71D6E1000-memory.dmp
memory/1844-14-0x00007FF670630000-0x00007FF670981000-memory.dmp
C:\Windows\System\sySWomU.exe
| MD5 | 498c87ffa12483517f740eb401b2ad35 |
| SHA1 | 00cb3ae1fb80f69d4bce00d1edbbb634cb2bd51c |
| SHA256 | 0a3d819eb160b680da0776204f4e7a2041132c64f6a188f2d9644ccfcd2fddef |
| SHA512 | 7786948dac6b6d8c54e12d9e915fce5887006b66a5bd19dd83cd247b70e7f9a125941e60a3d18f7e58540efa298e64ec44b4a8deb5290437d2317398d5d17799 |
memory/2424-40-0x00007FF6D0400000-0x00007FF6D0751000-memory.dmp
C:\Windows\System\nIDRJWl.exe
| MD5 | b51d4791237705022a68a907bda4d14e |
| SHA1 | 0cbd87d251562eef1d2527c3b412c8d42c37e831 |
| SHA256 | 9087a5acc14da017336715b9ef6e0fb9bd9aace249bf9e44734568f8df001989 |
| SHA512 | 194f631dd6ac9271074fe1e7bc8d75f398112332c91a5dac6bcac8d59df00c44dabb1aa9d5814163aa4c16240e651991e71bc1adc59802ea698d3a9629dc9b4c |
C:\Windows\System\raECuRM.exe
| MD5 | 5c948a8981011a500e5f4c15de3b7722 |
| SHA1 | f1ab8082b1cf1d739302e576d5e04753896cbbb3 |
| SHA256 | e8797eda33b89d0d977905f0c44af8c438d86d50fe3b6bf3580291f5eb500b0b |
| SHA512 | 74f0d2aaa0234bcfd2ace5ae53c6710585e44c91c7ccb58e1b4509f76b46ded80b080cbe3829d823082b19f338ce8f37ebdc706cc44c68fd974a07a5a00fb7b5 |
memory/4960-60-0x00007FF762480000-0x00007FF7627D1000-memory.dmp
C:\Windows\System\tIAgvWq.exe
| MD5 | 808464319ec81dc11501d30caf0b008e |
| SHA1 | 0c1d300fb527d2471e289bd73407dfc589c9dce1 |
| SHA256 | 57e4a492fd8a42d0baaf51547653733a355e9ce70b65d6d0dc88c7e992c1a3ff |
| SHA512 | 7eb10ab79d03626bcdf1e765d245b80f4187b8b099c6ca74743dd5dae0a908ec1f8fbf370ca770d2845aafd091e1c296348c13d5f0e59d3835796be2c94bb75f |
memory/32-74-0x00007FF76ACE0000-0x00007FF76B031000-memory.dmp
memory/976-77-0x00007FF73F3A0000-0x00007FF73F6F1000-memory.dmp
memory/3060-83-0x00007FF794630000-0x00007FF794981000-memory.dmp
C:\Windows\System\yUIxVRV.exe
| MD5 | 64b341a9fb40d7d921fb567f77568ff9 |
| SHA1 | e9aadd91d68f01f32eec724a0d62697e6097e020 |
| SHA256 | 57eead5eac9860c084b37ad4137c1d7a17081dd02c8d0adf3a24d995568a4a12 |
| SHA512 | 5ca1061d77b040b316933b8d9def5eff7253aa3f6797b3273e16755509671f7efdbfee605e1d1b2b43e5e9075434eb01c84fadc6c0dc3a18a2fda01c739a163f |
memory/3016-93-0x00007FF7D98F0000-0x00007FF7D9C41000-memory.dmp
C:\Windows\System\kguCWCv.exe
| MD5 | f2fd5e6c1f663d7e65f3013922b807f8 |
| SHA1 | fc56b09f265295c931b8b699eb19d63cb6a11208 |
| SHA256 | 98f18e5a8d33337b73cb89c25290b4f2f33db0ce4885454d6cb05459602cd016 |
| SHA512 | 7585c670a2c8ed1ef59883d1196f4b0ec8e659f4db802e14dae09a9ea95518116c4a0afb5a3326ecd20a5c83ec90f4dcc7f7d2cfda7061d99510bc593f5467ad |
C:\Windows\System\KdjXVtU.exe
| MD5 | 7330adc77c291701db4450b42a276046 |
| SHA1 | 7351f955f74e201d35a9d4be6f49c8e95f233fe5 |
| SHA256 | b3038074f677124c3448296952888c440053a90550b9f1656c596a8e5f7ed1d1 |
| SHA512 | b8706ceefd8ebeef033989d758dcc5eccae42457d403d42b2ecc9be6aebd99c91fbe2f10f31d0109ceaa9a29fe703975dd32a46c0bf8dc62cd5680b14252351c |
C:\Windows\System\fRSFLAy.exe
| MD5 | adb0516d191abb689db40ba7c04f4856 |
| SHA1 | 706a2fb4092780794ca385d40744703670b3b0b0 |
| SHA256 | 86ee5913c3b522c38d6204912816d6a4b762b30fab3a266e8cf9076e4095ef0a |
| SHA512 | f33b1e3b9735e85cbc41a7b2ca04dc008c4e86f4b1d58922577954393aefb66e7490415ae8569ae5de73856a945f1d5e5e772706f3af7b9674a193e7ef8abff4 |
C:\Windows\System\ZasNeGp.exe
| MD5 | 4494d5afb8b1b4b651a562ae7083960a |
| SHA1 | 22c831f4184b88fd705b69c51730a2e6724c8890 |
| SHA256 | 5d77e30b1c2077be1762624921d27d7facec28a53b2f82784ae87a97bab945f8 |
| SHA512 | 5e9c1f0d09d58bbb4c4cdab6be6caea32af10a40eae251ae802358184a1da5e1d3c8c1d506861b62dc352a4d6e9cb6d0e3ee1e057b51ab8aac5a95991d77f31d |
C:\Windows\System\EjBEUBH.exe
| MD5 | 4cf96cb4d528f7b5ecb9997f7d203325 |
| SHA1 | bdafc296244acda0f3d788794a06478b0b5503d0 |
| SHA256 | c516a48f2c7db70e933795600cad7ab98edacd8ca6d0e5db18c07d739f242ae2 |
| SHA512 | 3854337135c953985925d0f33227033ec354fc57ab81e1fbbbe8b28d5c243eba970f7a8c4e10908435cbe0e4279a3e12381ec2a6ac3a1c852348ab9392fbd4fe |
memory/4088-134-0x00007FF756EC0000-0x00007FF757211000-memory.dmp
memory/32-133-0x00007FF76ACE0000-0x00007FF76B031000-memory.dmp
memory/4596-129-0x00007FF741400000-0x00007FF741751000-memory.dmp
memory/2412-128-0x00007FF7DFC50000-0x00007FF7DFFA1000-memory.dmp
C:\Windows\System\yOUQVvF.exe
| MD5 | 0e15b32a3b642c94f8f0ae8f9e7f39ab |
| SHA1 | 49077cc6372ee8fcdeab4b7641a7a934d8ceef03 |
| SHA256 | 25c27d394c70ad99d05787959d74d3cae7f2d4f3b5c81d6b18e9cc6ec8d3802d |
| SHA512 | 49d1aef8abf5885dfa5ce7c85a3b621794b0eb9bc5ed6359115b18d3dab3433acb25ef51c20c11765449c3fc72c9439360e23f172be7c96a613aa23aa864ea7e |
memory/4984-123-0x00007FF603F30000-0x00007FF604281000-memory.dmp
memory/4916-122-0x00007FF797510000-0x00007FF797861000-memory.dmp
memory/3568-115-0x00007FF700C60000-0x00007FF700FB1000-memory.dmp
memory/3116-114-0x00007FF78D910000-0x00007FF78DC61000-memory.dmp
memory/752-110-0x00007FF74D540000-0x00007FF74D891000-memory.dmp
memory/4624-103-0x00007FF78FCD0000-0x00007FF790021000-memory.dmp
memory/2536-100-0x00007FF71D390000-0x00007FF71D6E1000-memory.dmp
C:\Windows\System\CSWADbW.exe
| MD5 | 36ee7c37918de24ec39b4c46d6acee9b |
| SHA1 | a5250d9ae2d190bf63831db90d4f9618b71b7799 |
| SHA256 | 067ad2e7fd65c4d200684dab68ca0b37c5bd602092874db1609fd3d58af2f354 |
| SHA512 | d22eae05dd0f0fc026055b806816ca8be7c4559a3040dcebe7d288f6aafaab193efa6a7f594c4b00ed2fcce6cf3998e33acd6b1af3894a46269aacfac546a877 |
memory/1728-94-0x00007FF7D4E10000-0x00007FF7D5161000-memory.dmp
C:\Windows\System\kcRgREk.exe
| MD5 | 152393789d05cd98e6224c84d2bb2616 |
| SHA1 | e96872e0ff03d008317bf31d485f60f967d6738e |
| SHA256 | adb9332a4ecefd2fca65967d1fb8c675aa2136f1dc76df01bac4ce44024b340e |
| SHA512 | 28abf84b9e401dbe0c8ce3dd17b95b062aa5da4c1389b7cd1a41fde75d5f2450d072a3cad336d01532c31af40e96042adc88f1756d838cff1366a1e842ad2a87 |
memory/644-85-0x00007FF6875F0000-0x00007FF687941000-memory.dmp
memory/1844-84-0x00007FF670630000-0x00007FF670981000-memory.dmp
memory/3188-80-0x00007FF7DEE30000-0x00007FF7DF181000-memory.dmp
memory/3976-76-0x00007FF718820000-0x00007FF718B71000-memory.dmp
C:\Windows\System\YOwWovx.exe
| MD5 | 45ae0640e800c5d09cc35e1d21240f27 |
| SHA1 | e6652fd165cf32e5c84953f6754d9f521ec5e82b |
| SHA256 | 4beff2c068feac7498d5a29374aa83250b3103202d50cd2390e9f3682f66d292 |
| SHA512 | 1c6a4f0ed86c2714ee8309fa6212aafb0b54c1bb25e5c0a5f8f9f55869879ee6887abd0ca8e16c22cda74ddcb2863dac37f4dc8771a757cb68c304813bd71828 |
memory/3084-61-0x00007FF7F93A0000-0x00007FF7F96F1000-memory.dmp
C:\Windows\System\MvYzBCR.exe
| MD5 | 9fcb88b35aa520aabee5e6ee9f5b297a |
| SHA1 | 4a6bab462413ab5a2e6058b0015ac42cb6eb9cc2 |
| SHA256 | dee4d2b2e1fc1aeb8613fbf5910e7e1ce283ff382523e94c3bb031cd6f195be8 |
| SHA512 | e1e7561e81dba390db5f6ee2e13132fda941b83751c2c434a03b851d8194b3480e31671fd0da02c38f844925284fd2915464bfb334dfe18b36ba3f4794617f3c |
C:\Windows\System\wdSQhFs.exe
| MD5 | c29fb264942a93efa869d7b6fdedc65b |
| SHA1 | 384fdeee1edeb286e909e204e12d5ffe6d7de7c5 |
| SHA256 | 1cb447c7ea498abd9f72709485638b602cf849f11f4149e073ce6e471a8cdac7 |
| SHA512 | dc531cdf8769b8d3edb0836c7d3bff62e00ac23ba5bcead57de9d2cd221a1ec2441bc56ea37df2ce1d5f89be37db1927ea4bff12c48b59f7e053be5c3b92b920 |
memory/4984-47-0x00007FF603F30000-0x00007FF604281000-memory.dmp
memory/2412-45-0x00007FF7DFC50000-0x00007FF7DFFA1000-memory.dmp
memory/3084-137-0x00007FF7F93A0000-0x00007FF7F96F1000-memory.dmp
memory/3060-150-0x00007FF794630000-0x00007FF794981000-memory.dmp
memory/4624-153-0x00007FF78FCD0000-0x00007FF790021000-memory.dmp
memory/3568-155-0x00007FF700C60000-0x00007FF700FB1000-memory.dmp
memory/3084-159-0x00007FF7F93A0000-0x00007FF7F96F1000-memory.dmp
memory/4916-156-0x00007FF797510000-0x00007FF797861000-memory.dmp
memory/4088-158-0x00007FF756EC0000-0x00007FF757211000-memory.dmp
memory/4596-157-0x00007FF741400000-0x00007FF741751000-memory.dmp
memory/3116-154-0x00007FF78D910000-0x00007FF78DC61000-memory.dmp
memory/1728-152-0x00007FF7D4E10000-0x00007FF7D5161000-memory.dmp
memory/644-151-0x00007FF6875F0000-0x00007FF687941000-memory.dmp
memory/976-211-0x00007FF73F3A0000-0x00007FF73F6F1000-memory.dmp
memory/1844-213-0x00007FF670630000-0x00007FF670981000-memory.dmp
memory/3016-216-0x00007FF7D98F0000-0x00007FF7D9C41000-memory.dmp
memory/2536-217-0x00007FF71D390000-0x00007FF71D6E1000-memory.dmp
memory/752-219-0x00007FF74D540000-0x00007FF74D891000-memory.dmp
memory/2424-223-0x00007FF6D0400000-0x00007FF6D0751000-memory.dmp
memory/2412-234-0x00007FF7DFC50000-0x00007FF7DFFA1000-memory.dmp
memory/4960-236-0x00007FF762480000-0x00007FF7627D1000-memory.dmp
memory/4984-238-0x00007FF603F30000-0x00007FF604281000-memory.dmp
memory/3188-241-0x00007FF7DEE30000-0x00007FF7DF181000-memory.dmp
memory/3976-242-0x00007FF718820000-0x00007FF718B71000-memory.dmp
memory/3060-251-0x00007FF794630000-0x00007FF794981000-memory.dmp
memory/4624-252-0x00007FF78FCD0000-0x00007FF790021000-memory.dmp
memory/3116-258-0x00007FF78D910000-0x00007FF78DC61000-memory.dmp
memory/644-256-0x00007FF6875F0000-0x00007FF687941000-memory.dmp
memory/3568-260-0x00007FF700C60000-0x00007FF700FB1000-memory.dmp
memory/1728-254-0x00007FF7D4E10000-0x00007FF7D5161000-memory.dmp
memory/32-246-0x00007FF76ACE0000-0x00007FF76B031000-memory.dmp
memory/4088-266-0x00007FF756EC0000-0x00007FF757211000-memory.dmp
memory/4916-264-0x00007FF797510000-0x00007FF797861000-memory.dmp
memory/4596-263-0x00007FF741400000-0x00007FF741751000-memory.dmp
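Both detonations show the same drop pattern: seven-letter, mixed-case executables written to C:\Windows\System (the legacy folder, not System32) and each executed in turn, with a fresh hash for every file. Hunting by hash alone would therefore miss a re-run; the added example below, which is not part of the report and not the sample's code, combines an exact SHA256 check against hashes copied from the Files sections of both runs with the name-and-location pattern itself. The inventory it scans is constructed; the four hashes are from this page.

```python
r"""Hunt for this sample's dropped executables by hash and by drop pattern.

Added example, not part of the report and not the malware's code. The
SHA256 values are copied from the report's Files sections; the inventory
is constructed.
"""
import re
from pathlib import PureWindowsPath

# SHA256 values copied from the report (a subset; extend with the rest).
KNOWN_BAD_SHA256 = {
    "c9fa4ec95b3f39e41e57f7344a6ac1e78c4971f9143193cb4b704aebe5326dfd",  # qCYNAky.exe (win10 run)
    "5458e4a5e814edfbf3c2ddd72d4bd4a6e8751ff7aed62144c94efd27c4d35f83",  # TnHBJsO.exe (win10 run)
    "3ee1cd0cf3a7805b45246ba7d6b3e6af016a85f42ad3a984e2bee76ad2ffb4f4",  # YyVzPKv.exe (win10 run)
    "175f17fed6c01820e7f621f6976f8fde9dda0f5da70b6db45bcf8863459a4ee8",  # nSvihJO.exe (win7 run)
}
# Exactly seven ASCII letters plus .exe: the shape of every dropped file in both runs.
DROPPED_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")
DROP_DIR = PureWindowsPath(r"C:\Windows\System")

def classify(path: str, sha256: str) -> set:
    """Reasons a file is suspicious; an empty set means no hit."""
    reasons = set()
    p = PureWindowsPath(path)
    if sha256.lower() in KNOWN_BAD_SHA256:
        reasons.add("hash-match")
    # PureWindowsPath equality is case-insensitive, so C:\Windows\system matches too.
    if p.parent == DROP_DIR and DROPPED_NAME.match(p.name):
        reasons.add("drop-pattern")
    return reasons

def scan(inventory):
    """inventory: iterable of (path, sha256). Returns {path: reasons} for hits only."""
    hits = {}
    for path, digest in inventory:
        reasons = classify(path, digest)
        if reasons:
            hits[path] = reasons
    return hits

# Constructed inventory. Entry 1 mirrors the report exactly; entry 2 keeps a
# reported name but carries an altered digest so only the pattern fires;
# entry 3 is a reported hash that landed somewhere else.
SAMPLE_INVENTORY = [
    (r"C:\Windows\System\qCYNAky.exe",
     "c9fa4ec95b3f39e41e57f7344a6ac1e78c4971f9143193cb4b704aebe5326dfd"),
    (r"C:\Windows\system\EHbzNbG.exe", "2" * 64),
    (r"C:\Users\Admin\Downloads\nSvihJO.exe",
     "175f17fed6c01820e7f621f6976f8fde9dda0f5da70b6db45bcf8863459a4ee8"),
    (r"C:\Windows\System32\notepad.exe", "0" * 64),  # benign: wrong directory
    (r"C:\Windows\System\launcher.exe", "1" * 64),   # eight letters: outside the pattern
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_INVENTORY).items():
        print(f"{path}\t{','.join(sorted(reasons))}")
```

On the constructed inventory this yields three hits: one on both hash and pattern, one on pattern only, one on hash only. Feed it real data by walking the volume and hashing each file, or by exporting (path, hash) pairs from your EDR.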
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-09 15:24
Reported: 2024-11-09 15:26
Platform: win7-20240903-en
Max time kernel: 141s
Max time network: 151s
Command Line: (empty)
Signatures
Cobalt Strike reflective loader (21 matches; the report lists no indicator, process or target for any of them)
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload (43 matches; no per-match details in the report)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\nSvihJO.exe | N/A |
| N/A | N/A | C:\Windows\System\EHbzNbG.exe | N/A |
| N/A | N/A | C:\Windows\System\svfWshL.exe | N/A |
| N/A | N/A | C:\Windows\System\llvuNiD.exe | N/A |
| N/A | N/A | C:\Windows\System\FhcGQMn.exe | N/A |
| N/A | N/A | C:\Windows\System\ipoiaEI.exe | N/A |
| N/A | N/A | C:\Windows\System\msdopXj.exe | N/A |
| N/A | N/A | C:\Windows\System\VtRVMMI.exe | N/A |
| N/A | N/A | C:\Windows\System\JKhkUkP.exe | N/A |
| N/A | N/A | C:\Windows\System\XzmtlNj.exe | N/A |
| N/A | N/A | C:\Windows\System\WoUHIbv.exe | N/A |
| N/A | N/A | C:\Windows\System\rLrlBMb.exe | N/A |
| N/A | N/A | C:\Windows\System\YoAgIMO.exe | N/A |
| N/A | N/A | C:\Windows\System\IXLBLZO.exe | N/A |
| N/A | N/A | C:\Windows\System\LmlCINu.exe | N/A |
| N/A | N/A | C:\Windows\System\bAGyPas.exe | N/A |
| N/A | N/A | C:\Windows\System\uVWozYp.exe | N/A |
| N/A | N/A | C:\Windows\System\iUnFCbk.exe | N/A |
| N/A | N/A | C:\Windows\System\NgUDWco.exe | N/A |
| N/A | N/A | C:\Windows\System\tqthMqi.exe | N/A |
| N/A | N/A | C:\Windows\System\KiKjiJk.exe | N/A |
Loads dropped DLL
UPX packed file (64 matches; no per-match details in the report)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes (each entry gives the image path followed by its command line)
C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-09_7d06c0ae9c73b6a8407c4b1746360d76_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\nSvihJO.exe
C:\Windows\System\nSvihJO.exe
C:\Windows\System\EHbzNbG.exe
C:\Windows\System\EHbzNbG.exe
C:\Windows\System\svfWshL.exe
C:\Windows\System\svfWshL.exe
C:\Windows\System\llvuNiD.exe
C:\Windows\System\llvuNiD.exe
C:\Windows\System\FhcGQMn.exe
C:\Windows\System\FhcGQMn.exe
C:\Windows\System\ipoiaEI.exe
C:\Windows\System\ipoiaEI.exe
C:\Windows\System\msdopXj.exe
C:\Windows\System\msdopXj.exe
C:\Windows\System\VtRVMMI.exe
C:\Windows\System\VtRVMMI.exe
C:\Windows\System\JKhkUkP.exe
C:\Windows\System\JKhkUkP.exe
C:\Windows\System\XzmtlNj.exe
C:\Windows\System\XzmtlNj.exe
C:\Windows\System\WoUHIbv.exe
C:\Windows\System\WoUHIbv.exe
C:\Windows\System\YoAgIMO.exe
C:\Windows\System\YoAgIMO.exe
C:\Windows\System\rLrlBMb.exe
C:\Windows\System\rLrlBMb.exe
C:\Windows\System\IXLBLZO.exe
C:\Windows\System\IXLBLZO.exe
C:\Windows\System\LmlCINu.exe
C:\Windows\System\LmlCINu.exe
C:\Windows\System\bAGyPas.exe
C:\Windows\System\bAGyPas.exe
C:\Windows\System\uVWozYp.exe
C:\Windows\System\uVWozYp.exe
C:\Windows\System\iUnFCbk.exe
C:\Windows\System\iUnFCbk.exe
C:\Windows\System\NgUDWco.exe
C:\Windows\System\NgUDWco.exe
C:\Windows\System\KiKjiJk.exe
C:\Windows\System\KiKjiJk.exe
C:\Windows\System\tqthMqi.exe
C:\Windows\System\tqthMqi.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Six TCP connections to 3.120.209.58:8080 and no DNS traffic were recorded in the 151 s network window, the same endpoint the win10 run contacted.
Files (dropped executables with their hashes, interleaved with process memory dumps named memory/<pid>-<sequence>-<start>-<end>-memory.dmp)
memory/2716-0-0x000000013F410000-0x000000013F761000-memory.dmp
memory/2716-1-0x00000000001F0000-0x0000000000200000-memory.dmp
C:\Windows\system\nSvihJO.exe
| MD5 | bfff38e495f36b2fdc4f9b37d5ba84da |
| SHA1 | b88381c90b5b6cb8fda0761fc276b225a5adde3f |
| SHA256 | 175f17fed6c01820e7f621f6976f8fde9dda0f5da70b6db45bcf8863459a4ee8 |
| SHA512 | 5ea89d3f5a12dd7c45e56cb72fff3ed6ce148dacc60ae2188b504afe99587e668f1c92d1b49f53c879287e97f71f40faf42f8678b05a4554071ac2150f19e923 |
\Windows\system\EHbzNbG.exe
| MD5 | 5c9855da31f15e9c4b2fb3600ebd2acb |
| SHA1 | 1ca0fbac318fbcc0501b19ac435c12e07396bb81 |
| SHA256 | 17311adfb389af311f7120247450f6cfb3396aba7554380995fc6475d4d733d4 |
| SHA512 | 800c16067a8e615d06091cb1ea30cd29d751eb81b97ed597e970428e4a16520ca9838203c65fc97485d93ce08d6cbe32258cd6af84bd0740ec6a91fedb67ab72 |
\Windows\system\svfWshL.exe
| MD5 | 4097379e418f506e4cab1e2200fa5d6b |
| SHA1 | 2e2a7c1426558df3d8dfb97784eeaedf30c5b927 |
| SHA256 | d5057f3d88c32943e0ade247d68e4036f70f11f5fa4569d58d9e11d53564af41 |
| SHA512 | eb622f1147e4f24a59addc9fbd2dba0a2d05009f2af7e77038b46394e611c5fc05679efcf8b9bb7c53df4bf9545f7bd4e1f8699d0836fd2adb2255a99abd9d82 |
\Windows\system\llvuNiD.exe
| MD5 | 0a54d5e11bcd14101e2537a56ed6d6be |
| SHA1 | 23e7daaac04d0aec6036999fc5d7b991c986cfaa |
| SHA256 | 96796b3d4562c82c6b9c90725cef74fef5daa406a6ade465db66ef2eae79172e |
| SHA512 | 240aeda3ed11e42308d4fbf91989a1c88d221f977b09422b693c482fc2576320d643680ea5a3e708c453259086380cadef3b963132608aa9465f15ed4e4b8eef |
memory/2676-22-0x000000013FA20000-0x000000013FD71000-memory.dmp
memory/2900-29-0x000000013F740000-0x000000013FA91000-memory.dmp
C:\Windows\system\FhcGQMn.exe
| MD5 | 999a13ed4c008900cb168f491e4965b1 |
| SHA1 | 7a9af4744d9d0ec9c03d18ce8af6dc35ad0e5894 |
| SHA256 | 55e97836c00c562087a245735c89e42663ada1e59ce995465ec2e6699af62dde |
| SHA512 | 85cceb6db12d6873ec21b4382695266962e3babfd78fba5f44579d5c285431ff2bb3c4882f5174dac2e8c6e9c18deb16d8014c7e2dbfa4762899e2e553e550e0 |
memory/2844-37-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/2672-44-0x000000013FA70000-0x000000013FDC1000-memory.dmp
memory/2716-42-0x000000013FA70000-0x000000013FDC1000-memory.dmp
C:\Windows\system\ipoiaEI.exe
| MD5 | d3f602dc95992e685fd9f30146226d06 |
| SHA1 | b73b06022f58750358aef673e2bff0e404591be2 |
| SHA256 | fe965d7d362124ab9e95676c0b4bdc61c9ee902f3a18700bb3886c27e8047c97 |
| SHA512 | 2503abbbe5e877211b4f5ab2c5fe37eb9de2c94b3b3251e9ff01477eda2d03301aee013b77093422f307cbbbf2e7e4110bc55ca9e3ecd7130319a01c8118e368 |
\Windows\system\msdopXj.exe
| MD5 | 0d859b18a245c197b8ee4f60d6f03230 |
| SHA1 | f7b727e6ad6bd5f1a87d93372df615209fd37a60 |
| SHA256 | ee8cad6aa55b3d973d03f7e56416866ba874a2586b31fa5217a32c09f2cd4003 |
| SHA512 | d070c64c9fc7248e082ab673ed0ac51c207005d9e4e8aac5a15b63055c7e4014775ecaadc7d5b4bb9792ba07b9df26282fad5cdeaebd5f042a1ed29f9888bc18 |
memory/2752-49-0x000000013F890000-0x000000013FBE1000-memory.dmp
memory/2716-54-0x0000000002280000-0x00000000025D1000-memory.dmp
C:\Windows\system\VtRVMMI.exe
| MD5 | 5892465b3369af382d38c84e50a0a6cb |
| SHA1 | f712cfd96e429e3f4a547c8227339670e2dd722d |
| SHA256 | a4b7b1775f4c7805c1428a517f21338f9e8b5dcf39347a50c349e07709a365ca |
| SHA512 | 67051d115d5e0179aeb0f84ac7eece6c29eabe1ae0a1ebd47664903a37c048fd5d1812ef4bdd4a105a0c33969d7014a28852368a0bfc024231e52fdefa0da946 |
C:\Windows\system\JKhkUkP.exe
| MD5 | f6f10912291702acc4db7f7e091b6cf6 |
| SHA1 | 9ff70a2c9f2f0424395ad7b1b9a47f51cb977d83 |
| SHA256 | 8a1bb2538fb45a1377b51fff59dee2746fd11cf758dc8f1189242c20ef38403b |
| SHA512 | ca981f0f68ecebe9358a1530e6e680571ae1fecdf82996fe4622f9b90ccc7b666512f5d89cd9248bfb3225504eebc6b1e6fe777b02cad80cbd699931355662ae |
memory/1312-65-0x000000013F610000-0x000000013F961000-memory.dmp
memory/2716-68-0x0000000002280000-0x00000000025D1000-memory.dmp
memory/2900-67-0x000000013F740000-0x000000013FA91000-memory.dmp
\Windows\system\XzmtlNj.exe
| MD5 | 07575673a99761f940b6833e278f0bfe |
| SHA1 | bc2039b856d5c111b86f814d7d8b04520276b167 |
| SHA256 | 0e55f5794f1c8cbe3f5a19c2e562469ee12a698060c11e378647b5dec99f543d |
| SHA512 | 6a2460138c35977af41c6da6a5bfd87edc909a75d7510d891638d6151a5be80f36e8dd07fcab8d574b2c4894d9ac1f66aff84eb9fe57725f20611e7a4179bf8d |
memory/2716-64-0x0000000002280000-0x00000000025D1000-memory.dmp
memory/2716-56-0x000000013F410000-0x000000013F761000-memory.dmp
memory/2596-55-0x000000013F630000-0x000000013F981000-memory.dmp
memory/2716-36-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/2716-27-0x000000013FA50000-0x000000013FDA1000-memory.dmp
memory/2716-26-0x0000000002280000-0x00000000025D1000-memory.dmp
memory/2788-25-0x000000013FE40000-0x0000000140191000-memory.dmp
memory/2716-24-0x000000013FE40000-0x0000000140191000-memory.dmp
memory/2736-23-0x000000013FA50000-0x000000013FDA1000-memory.dmp
memory/2716-19-0x000000013FA20000-0x000000013FD71000-memory.dmp
memory/2596-94-0x000000013F630000-0x000000013F981000-memory.dmp
\Windows\system\YoAgIMO.exe
| MD5 | 8aa5188472899096d6449766f0cb79dd |
| SHA1 | db05b97c99c997934d31d1c7642a603caaebb050 |
| SHA256 | 6c3ba50851bc57536118fe253ef946f801e1382aaa7a3be3f8496eb982781fe6 |
| SHA512 | 5258d11d729a5903f281e730aceaa5d66d48f2a2ceac80146b8606e2961a01f9f56f863e37381021ff93571b4aac928b84c4f5bf3eef134ed6dc5e72fb460073 |
memory/2716-108-0x0000000002280000-0x00000000025D1000-memory.dmp
C:\Windows\system\bAGyPas.exe
| MD5 | a095a3a0b7fab481cddabc04e725b376 |
| SHA1 | b57bd27399003eb0593ac6f3ae8c6948810ae08d |
| SHA256 | 8e5156bce06ffc9f2548cbbe9f398e5c2680e3075518641db7c1cb713c7d2f56 |
| SHA512 | 3de184e4d46f00cb2bc7d09af9e7e8e28da958f18db4211a4be6423b33db93f2ad9deb8602576904d0d7baebe70e32f656841424e34e3ef1d9015f1c64fbfcb5 |
C:\Windows\system\NgUDWco.exe
| MD5 | 842fdd3aec0fc263050dcf3112dd1982 |
| SHA1 | 6212b94d0850ad35cdc965025d89e69586be85d7 |
| SHA256 | 27a8e25c3b9f211140517cf2f9fc29fb0323f7788f631970c29465d43c9df11b |
| SHA512 | fadcf2c5d375d7cb6fc18bc8e161d4e8544ecb0d678a563883a0cf447b3d08aaf8621d587a673b458d5de9a7f070f6076d4212b1005a1bd152417eab04f1c7b3 |
\Windows\system\KiKjiJk.exe
| MD5 | acdef8ed343001f1a4d8e91d1455c67e |
| SHA1 | 3840c13b75c597ab82e36073a575cf34b09ff5fa |
| SHA256 | 97b5d7ffdaa5ffc84624581fc7a3f8d0821e606ca1c5e417fbff908f87b8c422 |
| SHA512 | d037c9d33b9f046cdefe14f420677529d18928dfae336fee68cce0563268a3a5a5694c125603c44ccf1601fc3406a65aa7be5ce1b11af1c02799778763a8e9d1 |
C:\Windows\system\iUnFCbk.exe
| MD5 | 2cbc0f8e3ee063baaf634d7c92910466 |
| SHA1 | a994538b7bb96cd0bc653609c66d609e2b24db55 |
| SHA256 | 27de94b8f5512dc84337342f55efd21506fe5d718066dc32b588c335d958c5ec |
| SHA512 | 4ace9818d09fc0b365e71310470d06521553168c646cd93dfbcedb92de5c57a11f1660f37629af67c972023ff51fe8154450e54d148496281ca48955d814a751 |
C:\Windows\system\tqthMqi.exe
| MD5 | 726177a965b370f7e896dd75fb003b37 |
| SHA1 | f9026cbee2d0c15f21814895a72ef3dcba396129 |
| SHA256 | 1c9c5330e61514749ef6679a6a5423e752cfaa3f8cca08f0357fac50bf1b58bf |
| SHA512 | 75fd93f91be2bfdbb0985d1596d77dbded1b4fcabed93c5eee7a064129202f3a329d2bec24abc0b543b40c36001a6c8fe8702ed96e030d4fdd9d912ab7b9108e |
C:\Windows\system\uVWozYp.exe
| MD5 | 23523987e153f5fb850173610a8d006c |
| SHA1 | d652a6fd3bc5c6af41852bbfa8f9c636dd785b31 |
| SHA256 | d65c60944590d7d8a6f637d380ccca38b095177968d52d8ee14ef68c66990907 |
| SHA512 | b71b3c959607e30f647d8fe9263696325e2a2fd2a29e31ff58669086660f17320ef46a97fb8e991ee26d331b01c4112465043dae372356be930b17e3784f1a2e |
memory/2872-140-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/2716-109-0x0000000002280000-0x00000000025D1000-memory.dmp
memory/1892-102-0x000000013F020000-0x000000013F371000-memory.dmp
C:\Windows\system\IXLBLZO.exe
| MD5 | 48f45f5c9e8986c2bc4d469b7b950b48 |
| SHA1 | a85c9d53a868dbb711513844d3aa77ef9d4454ef |
| SHA256 | b4d117cd0b51e71ea1db47f53129942a6e4dad6ff4ba29190c39b9cdeea9f286 |
| SHA512 | 38498e770ee0ee51131ed0521df6077eae24cc5833ac6185773014386d0459078f2055afa5bc164f65b375a43ed1fc345b33aae76d4ee39141d18dee0c0954c4 |
C:\Windows\system\LmlCINu.exe
| MD5 | 9d9a75631f50955663e4783de814a3f5 |
| SHA1 | 8e42dc09b81d2446b3527de577008a6b4858e094 |
| SHA256 | d222e52a0ad5ba81310e38189e3fcccf18eac6e7903fe07827fa75439bf69053 |
| SHA512 | c2df211344058466832bfef1146047e2213ff75ccdbae69e792db14c1943edaf28686298d213e9bef241f241c56ba272e4195590e4fcb2b52054358e89393cc1 |
memory/2572-96-0x000000013F7C0000-0x000000013FB11000-memory.dmp
memory/2488-92-0x000000013F500000-0x000000013F851000-memory.dmp
memory/2716-91-0x0000000002280000-0x00000000025D1000-memory.dmp
memory/2752-90-0x000000013F890000-0x000000013FBE1000-memory.dmp
C:\Windows\system\rLrlBMb.exe
| MD5 | 96947ec401985778eae4af026b8949df |
| SHA1 | 777eeb169b490ee4e685a5d44590f39074e7e502 |
| SHA256 | e096bef5de17d59c8819f4a6a462d594282f151d970afdaca1451edd5567febb |
| SHA512 | e42d37ddd5d5177f4dd1b5b8b45f356332eb3b3334e810ccfc50d1e524d0a801df749c3f0358d249f8c161eb56f6e0ff9b83b4b9b0f26d0335d9945b1a4ac42e |
memory/2672-69-0x000000013FA70000-0x000000013FDC1000-memory.dmp
memory/2716-88-0x000000013F7C0000-0x000000013FB11000-memory.dmp
memory/3032-87-0x000000013FF90000-0x00000001402E1000-memory.dmp
memory/2716-79-0x000000013FF90000-0x00000001402E1000-memory.dmp
memory/2872-77-0x000000013F1F0000-0x000000013F541000-memory.dmp
C:\Windows\system\WoUHIbv.exe
| MD5 | 703349b9d571fbfbdb2f91a0a4a2584a |
| SHA1 | 7f519f450cffcb84e1ffe4a2a4431fc2b95cd13e |
| SHA256 | d2e01be4da8637d7b54933a17a8005d6ec34b37f75dfb32aa39686a9c9c4503d |
| SHA512 | 9f99b5976f2b5e49e0e9d8f97d689e9b73df60ae521cc9003fb5d0590d8abed4e259452bb30391aad2f561b6151a7f19092c0b0e62085986fc8924803502e784 |
memory/2716-141-0x0000000002280000-0x00000000025D1000-memory.dmp
memory/2488-142-0x000000013F500000-0x000000013F851000-memory.dmp
memory/2572-151-0x000000013F7C0000-0x000000013FB11000-memory.dmp
memory/2716-143-0x000000013F410000-0x000000013F761000-memory.dmp
memory/1892-155-0x000000013F020000-0x000000013F371000-memory.dmp
memory/1180-161-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
memory/2100-164-0x000000013FE10000-0x0000000140161000-memory.dmp
memory/2856-163-0x000000013F990000-0x000000013FCE1000-memory.dmp
memory/2824-162-0x000000013FF40000-0x0000000140291000-memory.dmp
memory/780-160-0x000000013F300000-0x000000013F651000-memory.dmp
memory/2716-165-0x0000000002280000-0x00000000025D1000-memory.dmp
memory/1524-166-0x000000013F770000-0x000000013FAC1000-memory.dmp
memory/1912-167-0x000000013F260000-0x000000013F5B1000-memory.dmp
memory/2716-168-0x000000013F410000-0x000000013F761000-memory.dmp
memory/2676-219-0x000000013FA20000-0x000000013FD71000-memory.dmp
memory/2736-223-0x000000013FA50000-0x000000013FDA1000-memory.dmp
memory/2788-222-0x000000013FE40000-0x0000000140191000-memory.dmp
memory/2900-225-0x000000013F740000-0x000000013FA91000-memory.dmp
memory/2844-228-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/2672-234-0x000000013FA70000-0x000000013FDC1000-memory.dmp
memory/2752-236-0x000000013F890000-0x000000013FBE1000-memory.dmp
memory/1312-239-0x000000013F610000-0x000000013F961000-memory.dmp
memory/2596-240-0x000000013F630000-0x000000013F981000-memory.dmp
memory/3032-245-0x000000013FF90000-0x00000001402E1000-memory.dmp
memory/2872-247-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/2572-259-0x000000013F7C0000-0x000000013FB11000-memory.dmp
memory/2488-258-0x000000013F500000-0x000000013F851000-memory.dmp
memory/1892-268-0x000000013F020000-0x000000013F371000-memory.dmp