Analysis Overview
SHA256
7818509911bf43dbd4c52a0dd9f6b86bd8d1411c6b7cf01776cbd5cf92ab5b00
Threat Level: Known bad
The file 2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Xmrig family
Cobaltstrike family
xmrig
Cobalt Strike reflective loader
XMRig Miner payload
XMRig Miner payload
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-11-09 15:24
Signatures
Cobalt Strike reflective loader
(1 match; description, indicator, process and target not extracted)
Cobaltstrike family
XMRig Miner payload
(1 match; details not extracted)
Xmrig family
UPX packed file
(1 match; details not extracted)
Unsigned PE
(2 matches; details not extracted)
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 15:24
Reported
2024-11-09 15:27
Platform
win7-20240903-en
Max time kernel
140s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
(21 matches; description, indicator, process and target not extracted)
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
(41 matches; details not extracted)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\HxOETFH.exe | N/A |
| N/A | N/A | C:\Windows\System\EoqqzdV.exe | N/A |
| N/A | N/A | C:\Windows\System\TVGMhFP.exe | N/A |
| N/A | N/A | C:\Windows\System\xQmWDiZ.exe | N/A |
| N/A | N/A | C:\Windows\System\xzWGXGt.exe | N/A |
| N/A | N/A | C:\Windows\System\eXFvOuc.exe | N/A |
| N/A | N/A | C:\Windows\System\SFmkboW.exe | N/A |
| N/A | N/A | C:\Windows\System\hOhrXDG.exe | N/A |
| N/A | N/A | C:\Windows\System\XvLICHS.exe | N/A |
| N/A | N/A | C:\Windows\System\uAzbfYZ.exe | N/A |
| N/A | N/A | C:\Windows\System\qgFxSVD.exe | N/A |
| N/A | N/A | C:\Windows\System\ZhmojfE.exe | N/A |
| N/A | N/A | C:\Windows\System\mlRwUCU.exe | N/A |
| N/A | N/A | C:\Windows\System\CStYORd.exe | N/A |
| N/A | N/A | C:\Windows\System\uRMuVKR.exe | N/A |
| N/A | N/A | C:\Windows\System\nwrDnxt.exe | N/A |
| N/A | N/A | C:\Windows\System\nYojjxl.exe | N/A |
| N/A | N/A | C:\Windows\System\sTlawHk.exe | N/A |
| N/A | N/A | C:\Windows\System\olVJyyz.exe | N/A |
| N/A | N/A | C:\Windows\System\YTDRltK.exe | N/A |
| N/A | N/A | C:\Windows\System\nVyHBfq.exe | N/A |
Loads dropped DLL
UPX packed file
(61 matches; details not extracted)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\HxOETFH.exe | C:\Windows\System\HxOETFH.exe |
| C:\Windows\System\EoqqzdV.exe | C:\Windows\System\EoqqzdV.exe |
| C:\Windows\System\TVGMhFP.exe | C:\Windows\System\TVGMhFP.exe |
| C:\Windows\System\xQmWDiZ.exe | C:\Windows\System\xQmWDiZ.exe |
| C:\Windows\System\xzWGXGt.exe | C:\Windows\System\xzWGXGt.exe |
| C:\Windows\System\eXFvOuc.exe | C:\Windows\System\eXFvOuc.exe |
| C:\Windows\System\SFmkboW.exe | C:\Windows\System\SFmkboW.exe |
| C:\Windows\System\hOhrXDG.exe | C:\Windows\System\hOhrXDG.exe |
| C:\Windows\System\XvLICHS.exe | C:\Windows\System\XvLICHS.exe |
| C:\Windows\System\uAzbfYZ.exe | C:\Windows\System\uAzbfYZ.exe |
| C:\Windows\System\qgFxSVD.exe | C:\Windows\System\qgFxSVD.exe |
| C:\Windows\System\ZhmojfE.exe | C:\Windows\System\ZhmojfE.exe |
| C:\Windows\System\mlRwUCU.exe | C:\Windows\System\mlRwUCU.exe |
| C:\Windows\System\CStYORd.exe | C:\Windows\System\CStYORd.exe |
| C:\Windows\System\uRMuVKR.exe | C:\Windows\System\uRMuVKR.exe |
| C:\Windows\System\nwrDnxt.exe | C:\Windows\System\nwrDnxt.exe |
| C:\Windows\System\nYojjxl.exe | C:\Windows\System\nYojjxl.exe |
| C:\Windows\System\sTlawHk.exe | C:\Windows\System\sTlawHk.exe |
| C:\Windows\System\olVJyyz.exe | C:\Windows\System\olVJyyz.exe |
| C:\Windows\System\YTDRltK.exe | C:\Windows\System\YTDRltK.exe |
| C:\Windows\System\nVyHBfq.exe | C:\Windows\System\nVyHBfq.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
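The chain recorded above is the behaviour worth alerting on: one sample running from the user's Temp directory writes twenty-one seven-letter .exe files into C:\Windows\System\ (the legacy directory, not System32) and executes each, while the only outbound destination is 3.120.209.58:8080. The SeLockMemoryPrivilege adjustment is the privilege XMRig requests for large-page memory and is rarely needed by user-mode software outside miners and database engines. The hunting logic below is an added example written for this page, not sandbox or vendor code: it runs over constructed process-creation events (field names modelled on Sysmon Event ID 1, pids invented, paths taken from this report), flags every binary launched from C:\Windows\System, raises the rule when the parent itself runs from Temp, and adds a fan-out alert once one parent has spawned several such children. The seven-letter name pattern in DROPPED_EXE_RE is tuned to this sample; for broader hunting, loosen it to any executable under C:\Windows\System\.

```python
"""Hunting logic for the dropper chain in this report (added example, not sandbox code)."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Seven-letter, letters-only .exe in C:\Windows\System (the legacy directory,
# not System32), the shape of every dropped binary in this report.
DROPPED_EXE_RE = re.compile(r"^[a-z]:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)
# The initial sample ran from the user's Temp directory.
USER_TEMP_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessCreate:
    """Minimal process-creation event; field names modelled on Sysmon Event ID 1."""
    pid: int
    ppid: int
    image: str
    parent_image: str


def is_dropped_system_exe(path: str) -> bool:
    return DROPPED_EXE_RE.match(path) is not None


def is_user_temp(path: str) -> bool:
    return USER_TEMP_RE.match(path) is not None


def hunt(events, fanout_threshold: int = 5):
    """Return (rule, detail) alerts.

    A per-event rule fires for every binary launched from C:\\Windows\\System,
    with a stronger variant when the parent itself runs from Temp. The fan-out
    rule fires once a single parent has spawned fanout_threshold distinct such
    children, which is what separates this dropper from one oddly placed file.
    """
    alerts = []
    children = defaultdict(set)
    for ev in events:
        if not is_dropped_system_exe(ev.image):
            continue
        rule = "exe_in_windows_system_dir"
        if is_user_temp(ev.parent_image):
            rule += "+parent_in_user_temp"
        alerts.append((rule, ev.image))
        children[(ev.ppid, ev.parent_image)].add(ev.image.lower())
    for (ppid, parent), kids in children.items():
        if len(kids) >= fanout_threshold:
            alerts.append(("mass_dropper_fanout",
                           f"{parent} (pid {ppid}) spawned {len(kids)} dropped exes"))
    return alerts


# Constructed telemetry: paths taken from this report, pids invented, plus a
# benign service and a decoy in System32 that must not fire.
DROPPER = (r"C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892"
           r"_cobalt-strike_cobaltstrike_poet-rat.exe")
SAMPLE_EVENTS = [
    ProcessCreate(1288, 1000, DROPPER, r"C:\Windows\explorer.exe"),
    *[ProcessCreate(2000 + i, 1288, "C:\\Windows\\System\\" + name + ".exe", DROPPER)
      for i, name in enumerate(["HxOETFH", "EoqqzdV", "TVGMhFP", "xQmWDiZ", "xzWGXGt"])],
    ProcessCreate(3000, 600, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
    ProcessCreate(3001, 1000, r"C:\Windows\System32\HxOETFH.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

Running the block prints five per-process alerts for the dropped binaries and one fan-out alert for the parent; the svchost.exe row and the System32 decoy produce nothing. The fan-out threshold is the knob to tune against your own telemetry: a lone binary in C:\Windows\System is worth a look, but a parent writing and launching five or more of them in one session is the signature of this dropper.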
Files
memory/1288-0-0x000000013FAE0000-0x000000013FE31000-memory.dmp
memory/1288-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\HxOETFH.exe
| MD5 | 1f3c0d6fbb68e676b8a7644e022ff56f |
| SHA1 | 85da49bf84ca0b6f6ed9a42203ab5e2fb9a66d06 |
| SHA256 | 33400915621389c9ac4bc29c85e6aa26571e24e75b4f87d09b0b4bd536bf7c38 |
| SHA512 | 3996e1a05dfb876d50866734cbc7ff22c3d2d0d4a541e55d02a6479c0386f63bddd30d55d60a9761ab5f544e2a3a77b67d3f11b87ee26b632603f047eebdb2ab |
C:\Windows\system\EoqqzdV.exe
| MD5 | 75d9f8b6ee08c4ff9296bcd40304f0f4 |
| SHA1 | cfb1c8f435d64ff141acee1cdd68bfef622487b7 |
| SHA256 | c85620645f188ab52a86f91ec9528885cc865a6833804cdae518c898e39f2ddf |
| SHA512 | 4b5fd78ae0ecc5d89674a401be56b0fa8a58828530bfa4fbae01478403903143868cd3dadeded6830332e1a204150d6b523437c24cc7b0601e43862126c66b87 |
\Windows\system\TVGMhFP.exe
| MD5 | c583bbf7bb169ef958fb424719ba0ef3 |
| SHA1 | 659973b2d3b7a149e52ba161e176e0d8d796d7db |
| SHA256 | 1ce45faf96e7e34ae2ed232ef327192a08b65b9f1a87321d1365c40857cc762d |
| SHA512 | 4d80be4a77f1c84726cbf8fee3d9960fcf7887833ba432d89dcf5b0ec76aeeb7b5afd00c38d50a0e4aca2e3b9bc0ca7a913283259d1b8017311b798421ad93c9 |
C:\Windows\system\xQmWDiZ.exe
| MD5 | 7b979870fdb997dd339566821030eea9 |
| SHA1 | 5247998354e1074618273b207a9eeb4ca45ecf12 |
| SHA256 | e908572e4dc9acd6d0d438895a7f9978083b31a1861668bf7bb5adac51f289b1 |
| SHA512 | 44a436f3861c9d7823d1629c385d809a13a9ed109c717eacd7e8d98d437b6a2c93053e674a398db44a670adbffe94cbe83a3609297677d094b3f1a1322c0eecf |
C:\Windows\system\eXFvOuc.exe
| MD5 | b345295ae20cc32de203879aec9678c8 |
| SHA1 | 81612bf42e7471f2bfc48f5be2fcc5023a5f60d4 |
| SHA256 | 0bfc540cb08ce30d77af1c09def2e9b833545076898b264648eb306d3d366723 |
| SHA512 | 4a5804aaa2f04fb9957fee88860c4aa3730937174a2d706db8cd10d944dcc941c537c1cd2dc7947d22330847fb0a553d5a1a7518d26f549ef265a86e3246c745 |
C:\Windows\system\xzWGXGt.exe
| MD5 | eaa0ae91c5d6761782be1ce5ec7fd279 |
| SHA1 | df7ec38897dc04661e54ee60af0df8d0a8833129 |
| SHA256 | ddfc8cb01cf0216e42ddbb1ecef08e2c0f08829df5ebdc96e3fecbfd451be3a1 |
| SHA512 | 68e04fe5292aa735307220d52866fe3e27be4e40c71f568f02a22eab677a5e1213bad6dbc4f0fbd3a254bb61af031a7f47df2561609992cd8057fe89b03a20cb |
C:\Windows\system\SFmkboW.exe
| MD5 | fb372ecc10cc1dcbe765f36cc3e2abd7 |
| SHA1 | 44b0d1efa55344cabee92141149700923f106133 |
| SHA256 | cab9c689363ec9006aad7df2d20ddc6250e3b39eb9c8c25da8230611e1792e59 |
| SHA512 | da1b12c7c5313a219de9d20e1d56de7850fc28796cab3fb2220da6fd1d3f4704aef592079ef52a926e6e97ecea5ad0ba8547529ee5e03f6036e2a4192209b6f4 |
C:\Windows\system\hOhrXDG.exe
| MD5 | 61ce55cfbded86bd66a003fad0d6df12 |
| SHA1 | ded9123f061f4cf894e197c8da5b45efd21b10a8 |
| SHA256 | 4ca3654b360cbc4b71333f6876b84e0ccba7fea77cbf59e9d88fa57196577d84 |
| SHA512 | 6cf671b00a2d723b762f3288b63e27a424f7bbfcd941a27e740936fc3662df2ddedee46507ac4485e4c0b485c89273bb9e3e036475ccfffe908bc17b2885f6ba |
C:\Windows\system\uAzbfYZ.exe
| MD5 | 406b7f223bc665e22ccff1c924e175fd |
| SHA1 | 5b59c6b997ad54026884d3fca36c9bfc2962e729 |
| SHA256 | 79fadcaa8603404aaac0c863028adfb6f93ec779a179e508beb0a1fe0cd85323 |
| SHA512 | 45e46bd35543d3d4ce57eddda80158a4ce4e35fa9782ecba53b968d0725a832428087dba2c612862808be6d072db71b9f817facb766aeb0050fd8815c3d7167b |
C:\Windows\system\ZhmojfE.exe
| MD5 | cf793b469000aeaecae1d8c3d4de183f |
| SHA1 | 8c8ef4b5963d8a7f5c10db4519e366075e70d11c |
| SHA256 | 39329046ecc18db7e304daeca6b61da9a4b1f03d25074caf86f146b4db81be4e |
| SHA512 | 733eac2a4a1405a8efb768a256cb1bbdacbcc4815993147bc156838efd5633672b3a5859c4fb2f1e5ec834ca11edcd83d38f4b1d1b6ef75674c24761f50d645d |
C:\Windows\system\olVJyyz.exe
| MD5 | 7e4407c11cf671f68a98c025acfcd39b |
| SHA1 | 7d7565d5cd81ef8e58e799487d3a937adafe0a52 |
| SHA256 | 48148dd17abbf3de71e08ab3f0fe368fe7c6813c297a0ce283c8bbd4ab4bdf2c |
| SHA512 | 4115a5d3bac47a33c75cc396bf1e8930491c5fefcfae8a9a9188e423c2456f1999cd8d4e1e2a6d80a630f8ba70553dd8f97c07c1576ac837e5bdc8d09fe4e47a |
C:\Windows\system\nVyHBfq.exe
| MD5 | 14fb8eb7344730a6a28c6a7130d910af |
| SHA1 | 3dc5d9c2ee5b2abf61717d5a0fc79f79455161a7 |
| SHA256 | 69e2ef1d84bb08f70a4e09424dbfc51dfecb60fda5057aa5742cf085db628785 |
| SHA512 | 5e980774f3c13ddd278478698d8d0cb21324466729be3bd6ee32029ab89de6592f07af1870fd661dd80037ddf13f894c3659a42a5d6732bf561bbcbc5ceda57b |
C:\Windows\system\YTDRltK.exe
| MD5 | 72d570fd112371301be709f468dd1828 |
| SHA1 | 74c5ad0e85f259fbfe63d99783b8978b791bdd05 |
| SHA256 | 78a7f543138c218a3fdbeb79eb895b83af2e4fe1f13345666743fbeeecb2821e |
| SHA512 | 3fe833418626a52a2b6c0361c7296e1d01bf63c6396fbf86837a826499cc00bd6a48904feb792cb55c94a394c7f92357b6d5094bd68609aca5b123bd01a09ee9 |
C:\Windows\system\sTlawHk.exe
| MD5 | 9d15e0205ff855f524c4a4a261ba6402 |
| SHA1 | c1faada06e8a3e027ba17c036cf6068e3e13cb40 |
| SHA256 | f47bd556aebaace413f7ebadb412c020a2417c0175c5bf6e7f61a2ae419c5c05 |
| SHA512 | 5fa81c54263cbfb9a7abf752eb3a56e18422b5bce0336ef35dd53db2d187e3fc20010d73766561ad4ac9bd4dc8232321d62f0e2644335b73155829a71374511a |
C:\Windows\system\nYojjxl.exe
| MD5 | 746c9f272bfd41e4b6c7d4d4bc948143 |
| SHA1 | e773984cbced13a852c1ad90867ee0360ff3c300 |
| SHA256 | 8f1ac0a6aed55bebbba1a067b00b0123576df397e51c81a9013c254dc33a4aff |
| SHA512 | 01be93d21b9dd491f56d618420d88d40b1fa5b8cd08774e2cfd27a07326bcf4784eb7a8b1689b1253c72ec1566f74b88da43e70d2f473c522bb9dfb64f76a398 |
C:\Windows\system\nwrDnxt.exe
| MD5 | 2c1a68361c621f07098153a3f6a19a0d |
| SHA1 | cf68fa666c039d913d555f7f1d67775701e69d6d |
| SHA256 | 6ce3875b06db0aedd1288f22ee543fb1d400423a2b3ea0d8e4ebd17c4e048734 |
| SHA512 | 90f994f857fbe9ec3830a87d33c5550bc04a1c7b43952118b2c7d359d5af549bb499c950252cd6b59065ec1180eb86b1ebf401408715a5bd986f6b91426401c9 |
C:\Windows\system\uRMuVKR.exe
| MD5 | 37e2a32beec44de3c2618d6fa7d86f36 |
| SHA1 | 5197f9876536de9b24181925997d0e759d63de2a |
| SHA256 | 89453932d002975009b62a3ef8b9f2f28f7d11582ffec2e2bc6890b209d99cdf |
| SHA512 | 5343b239dbd2dac05a117614d82b2f33bdffb964b5f450b68ab232ab215fbd29e690dd7d4c23a3c4068ae881883e13e9fd8af72b8ee58b1907556b5b7f9eaeab |
C:\Windows\system\CStYORd.exe
| MD5 | a109f0ac6039c673ee97827b203a336d |
| SHA1 | 5a0b8d853d7000d6298d4840a748dcb4a93f036a |
| SHA256 | 6f5e718de307e0e0d19f1f507cb0b66d360d9263b655e7c966a3dccec72ab6de |
| SHA512 | 4467213636f0f0d2a802f32eeb6e67518d3886acd4e07f0589d2b392e23800b00c4b3996248f6d7d197310695d74a4a7435df8a27ab05d722da76958b95af292 |
C:\Windows\system\mlRwUCU.exe
| MD5 | 88d56ad7890d6164451b6c345e705968 |
| SHA1 | 166659d3f29234f740bd8d37b08c10446c465b4b |
| SHA256 | b50c0aa86c20b2628ad33792a329225cb7d4c77ad823fc90192fa189ee7afa96 |
| SHA512 | 2e99709f3437ada6571f0c40e0c1cb4061b323cd9c009851e51657abb5f202e5ffe4cd3dca78ae036f40d304cb643b19fff18bd13c9507a4e86ae7fcaed67a38 |
C:\Windows\system\qgFxSVD.exe
| MD5 | 755f056e071c65e684aa4d6fda0bcbe7 |
| SHA1 | 526ade43447814a09f6567de368dfbab13972579 |
| SHA256 | 688b1f7dd1187f1dc5d0c0f7b2a9184c0a43f0d2d1d47d9d8746cd1ec51df2da |
| SHA512 | eacad5bc3758adc6b643680c5079cc7bb27517f6b9dc7756d5c15bcd6e7a3839f4ca92b66de7124a186216e0671563142fed39c95686ca57a7f5d39bc7692f91 |
C:\Windows\system\XvLICHS.exe
| MD5 | 9955b1382d218bab49b0c050766f6900 |
| SHA1 | 1f57206d171a25c804c46c0d3a7992ce29dd012a |
| SHA256 | 200b2e42566348793c8ea3f78ed63bbd86b5e9144e8469b5484c5ca80342b7ee |
| SHA512 | a9929f0119841b1836d28b17efb3e074890e31bad0574b17942fe5598dd865e0cbb6de9c499096c62a5dea28a5aca47601d78670eea69f6b1a04fd6dcdc9551c |
memory/2892-107-0x000000013F3D0000-0x000000013F721000-memory.dmp
memory/3056-108-0x000000013FB10000-0x000000013FE61000-memory.dmp
memory/2540-110-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/1288-111-0x0000000002210000-0x0000000002561000-memory.dmp
memory/1288-114-0x000000013F1C0000-0x000000013F511000-memory.dmp
memory/1288-119-0x000000013F4D0000-0x000000013F821000-memory.dmp
memory/2768-124-0x000000013F780000-0x000000013FAD1000-memory.dmp
memory/1288-123-0x000000013F780000-0x000000013FAD1000-memory.dmp
memory/1288-127-0x000000013F0C0000-0x000000013F411000-memory.dmp
memory/2648-130-0x000000013F5A0000-0x000000013F8F1000-memory.dmp
memory/1288-129-0x000000013F5A0000-0x000000013F8F1000-memory.dmp
memory/2888-128-0x000000013F0C0000-0x000000013F411000-memory.dmp
memory/2268-126-0x000000013F670000-0x000000013F9C1000-memory.dmp
memory/1288-125-0x000000013F670000-0x000000013F9C1000-memory.dmp
memory/2852-122-0x000000013F0C0000-0x000000013F411000-memory.dmp
memory/1288-121-0x000000013F0C0000-0x000000013F411000-memory.dmp
memory/2812-120-0x000000013F4D0000-0x000000013F821000-memory.dmp
memory/2308-118-0x000000013FA80000-0x000000013FDD1000-memory.dmp
memory/2704-117-0x000000013FEE0000-0x0000000140231000-memory.dmp
memory/1288-116-0x000000013FEE0000-0x0000000140231000-memory.dmp
memory/2184-115-0x000000013F1C0000-0x000000013F511000-memory.dmp
memory/796-113-0x000000013FA20000-0x000000013FD71000-memory.dmp
memory/1964-112-0x000000013FA30000-0x000000013FD81000-memory.dmp
memory/1288-109-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/1288-131-0x000000013FAE0000-0x000000013FE31000-memory.dmp
memory/2784-147-0x000000013F760000-0x000000013FAB1000-memory.dmp
memory/2892-132-0x000000013F3D0000-0x000000013F721000-memory.dmp
memory/3028-151-0x000000013FF80000-0x00000001402D1000-memory.dmp
memory/3052-152-0x000000013F790000-0x000000013FAE1000-memory.dmp
memory/2688-150-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/2632-149-0x000000013FB50000-0x000000013FEA1000-memory.dmp
memory/2860-148-0x000000013F230000-0x000000013F581000-memory.dmp
memory/2916-146-0x000000013FC80000-0x000000013FFD1000-memory.dmp
memory/1288-153-0x000000013FAE0000-0x000000013FE31000-memory.dmp
memory/1288-154-0x000000013FAE0000-0x000000013FE31000-memory.dmp
memory/2892-221-0x000000013F3D0000-0x000000013F721000-memory.dmp
memory/2540-223-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/796-225-0x000000013FA20000-0x000000013FD71000-memory.dmp
memory/2888-233-0x000000013F0C0000-0x000000013F411000-memory.dmp
memory/2768-231-0x000000013F780000-0x000000013FAD1000-memory.dmp
memory/2812-229-0x000000013F4D0000-0x000000013F821000-memory.dmp
memory/2704-227-0x000000013FEE0000-0x0000000140231000-memory.dmp
memory/2852-247-0x000000013F0C0000-0x000000013F411000-memory.dmp
memory/2648-251-0x000000013F5A0000-0x000000013F8F1000-memory.dmp
memory/2268-249-0x000000013F670000-0x000000013F9C1000-memory.dmp
memory/1964-243-0x000000013FA30000-0x000000013FD81000-memory.dmp
memory/2184-241-0x000000013F1C0000-0x000000013F511000-memory.dmp
memory/2308-245-0x000000013FA80000-0x000000013FDD1000-memory.dmp
memory/3056-239-0x000000013FB10000-0x000000013FE61000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 15:24
Reported
2024-11-09 15:27
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
156s
Command Line
Signatures
Cobalt Strike reflective loader
(21 matches; description, indicator, process and target not extracted)
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
(45 matches; details not extracted)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ecfXdcy.exe | N/A |
| N/A | N/A | C:\Windows\System\bgxGPsE.exe | N/A |
| N/A | N/A | C:\Windows\System\nHMVhql.exe | N/A |
| N/A | N/A | C:\Windows\System\vfvImcs.exe | N/A |
| N/A | N/A | C:\Windows\System\OEtWJIX.exe | N/A |
| N/A | N/A | C:\Windows\System\CRLOYNJ.exe | N/A |
| N/A | N/A | C:\Windows\System\jgKOQwK.exe | N/A |
| N/A | N/A | C:\Windows\System\HkyfTzY.exe | N/A |
| N/A | N/A | C:\Windows\System\dRUbbBQ.exe | N/A |
| N/A | N/A | C:\Windows\System\FuAzjCT.exe | N/A |
| N/A | N/A | C:\Windows\System\ybVqnGU.exe | N/A |
| N/A | N/A | C:\Windows\System\RAIJPvC.exe | N/A |
| N/A | N/A | C:\Windows\System\XkqbVxy.exe | N/A |
| N/A | N/A | C:\Windows\System\kcnfNTG.exe | N/A |
| N/A | N/A | C:\Windows\System\eCBNMAk.exe | N/A |
| N/A | N/A | C:\Windows\System\GeyoJVw.exe | N/A |
| N/A | N/A | C:\Windows\System\rtBtwGE.exe | N/A |
| N/A | N/A | C:\Windows\System\gCcpJJo.exe | N/A |
| N/A | N/A | C:\Windows\System\EwGmIhf.exe | N/A |
| N/A | N/A | C:\Windows\System\SdgSxck.exe | N/A |
| N/A | N/A | C:\Windows\System\HctwnwU.exe | N/A |
UPX packed file
(64 matches; details not extracted)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-09_9193a68334f3d0ceb7c720348d7cb892_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\ecfXdcy.exe | C:\Windows\System\ecfXdcy.exe |
| C:\Windows\System\bgxGPsE.exe | C:\Windows\System\bgxGPsE.exe |
| C:\Windows\System\nHMVhql.exe | C:\Windows\System\nHMVhql.exe |
| C:\Windows\System\vfvImcs.exe | C:\Windows\System\vfvImcs.exe |
| C:\Windows\System\OEtWJIX.exe | C:\Windows\System\OEtWJIX.exe |
| C:\Windows\System\CRLOYNJ.exe | C:\Windows\System\CRLOYNJ.exe |
| C:\Windows\System\jgKOQwK.exe | C:\Windows\System\jgKOQwK.exe |
| C:\Windows\System\HkyfTzY.exe | C:\Windows\System\HkyfTzY.exe |
| C:\Windows\System\dRUbbBQ.exe | C:\Windows\System\dRUbbBQ.exe |
| C:\Windows\System\FuAzjCT.exe | C:\Windows\System\FuAzjCT.exe |
| C:\Windows\System\ybVqnGU.exe | C:\Windows\System\ybVqnGU.exe |
| C:\Windows\System\RAIJPvC.exe | C:\Windows\System\RAIJPvC.exe |
| C:\Windows\System\XkqbVxy.exe | C:\Windows\System\XkqbVxy.exe |
| C:\Windows\System\kcnfNTG.exe | C:\Windows\System\kcnfNTG.exe |
| C:\Windows\System\eCBNMAk.exe | C:\Windows\System\eCBNMAk.exe |
| C:\Windows\System\GeyoJVw.exe | C:\Windows\System\GeyoJVw.exe |
| C:\Windows\System\rtBtwGE.exe | C:\Windows\System\rtBtwGE.exe |
| C:\Windows\System\gCcpJJo.exe | C:\Windows\System\gCcpJJo.exe |
| C:\Windows\System\EwGmIhf.exe | C:\Windows\System\EwGmIhf.exe |
| C:\Windows\System\SdgSxck.exe | C:\Windows\System\SdgSxck.exe |
| C:\Windows\System\HctwnwU.exe | C:\Windows\System\HctwnwU.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4124-0-0x00007FF630C50000-0x00007FF630FA1000-memory.dmp
memory/4124-1-0x0000026955AD0000-0x0000026955AE0000-memory.dmp
C:\Windows\System\ecfXdcy.exe
| MD5 | 6b00dd20b7e29bd0fcedbb5e639bbcfe |
| SHA1 | d4f9ff082b9b9a2a61bc45aaf767ebadb212bb35 |
| SHA256 | d23e28bcff0c5e612a043b95898cfbdf294bc32c4b87847b7ec5d368f502bc35 |
| SHA512 | 14213750797c440b25fdbfd1f9006b87b00b563fc59f3ef41236711faa13e4ec84c6b70dee4b363e589dd775d79eb04916b928869e550a4afb7d30e05ef43d28 |
C:\Windows\System\bgxGPsE.exe
| MD5 | de73c83c1fa09b3eb6c06ef40bc4048d |
| SHA1 | 5c7c9b9baa695af5f883b2995166bab6bc4c9a82 |
| SHA256 | 91c243aee0275c8a94cc9118adfcca697b5a07016f1735f2882b5ccac28d9feb |
| SHA512 | 2544a403cbfcffd5f24a0e04f3d6901ba93e71c86153d56d7122f00450d1b7a4bb8b1e3306d5a27982f5d51610391067617ffd038afc7d81f27973fba6d47cfe |
memory/3516-17-0x00007FF7A0E00000-0x00007FF7A1151000-memory.dmp
C:\Windows\System\vfvImcs.exe
| MD5 | 67606f9bce5cd626e545014d02e1a2eb |
| SHA1 | 3eb497f324f8dd3e6f0c27d7a1b75082b00653f7 |
| SHA256 | 861ddec5ada85dc55bf1cf76ec0da876a1c013c02d93b09b72b1937670398d15 |
| SHA512 | dd4c07475fa501486d6951f71e15d265a968ab3b3ba46cb259420bd0c3711b51c99d48c4a4fc1b00910fc0a1e64035896f82d8de5303f16230953624dfcee22f |
C:\Windows\System\OEtWJIX.exe
| MD5 | 6bcdcac667f7b0c4567f9d53d0b31a44 |
| SHA1 | 02971a2a7172a0c683f9543e78ddc1039d93dca2 |
| SHA256 | 2119b8436c94b199aebd9e3e9e07c22cfdb815cff1a68ad0b825d02b93a68767 |
| SHA512 | 52d56dc2cc881129e1389a8c41ed4332512e3fb63b12948930e92478dad3b72362d55775b66dec479a52fc556286b7873c0add7742faac12057ff5a4b06db3ec |
memory/736-33-0x00007FF7D0590000-0x00007FF7D08E1000-memory.dmp
C:\Windows\System\HkyfTzY.exe
| MD5 | b24f51b4f81548b86604098d77bf08ef |
| SHA1 | ac31f440d0414cd0784905ea6bf684a413b8aa1f |
| SHA256 | f7d1328c37dc038954c05e12b52734c2a6acf5a0cbe3c2b7969fb04f5fee9efd |
| SHA512 | 1ad28dc3f6e415c007b3ad1620cf45d66605b6079b6ad13cd9b49e1b768b6e5bbfb619d66c00367f8ad4197d45318af754923c9d41d7cba9898a660bc23bcdf4 |
memory/2552-54-0x00007FF674C80000-0x00007FF674FD1000-memory.dmp
C:\Windows\System\FuAzjCT.exe
| MD5 | 068ac44dc5829f6394a7466bd74182cf |
| SHA1 | d1fce9662ea4d5d023dc65728f990100480f3ba9 |
| SHA256 | ef45bc4f2787f802a15631fd327720cf3f3909141a2608bf7d4a5e9410e03e1f |
| SHA512 | efabaf095791c406251dfd4c19b8f05448ddbb4dfbc05a9c59053ffe02ace826e06535068c4640a0e4c996abeaca104d9030a130623a2b897961658a02732451 |
C:\Windows\System\RAIJPvC.exe
| MD5 | aa6417ceee1274a6fe7a0cdfba708849 |
| SHA1 | c68f49548d63263970cd3312e1500043ac2fce92 |
| SHA256 | 2ccbe7c9ff39493685c1245ba4b4be53d069acc4bcd532eea993971b480e9c21 |
| SHA512 | 3b6363e7795408a560bb8c4eaffa205b87e49e7fc0b12bef932439f76074af5b45622aae4964dbeb15d656053192e0849a94695894150ec48b2c54d23a50188e |
C:\Windows\System\XkqbVxy.exe
| MD5 | 2289e9b213f47516b9f91f1b7f5c99ad |
| SHA1 | eeca393520d52a1d21094f8f5823aee5db8635fc |
| SHA256 | 454ebe42e10ee9bb67c9e04086e57ceb52c67183575d7a510d98ebc82a3bbfc9 |
| SHA512 | 666634aad478f128287908f766012612a92fc14c1bc92bafac3df83bb78b93311f862603994a698d5c13b39ced643e2d96e5bade7fad8fb7c74312ad4793dc3f |
memory/3496-78-0x00007FF7852E0000-0x00007FF785631000-memory.dmp
memory/3464-77-0x00007FF66A350000-0x00007FF66A6A1000-memory.dmp
C:\Windows\System\ybVqnGU.exe
| MD5 | a516f5db3fc37c8b11b9064ba99c675f |
| SHA1 | 52e6b850e72e1afa6e60daf638b02d2bb6f76ab0 |
| SHA256 | 7a283eb5aa5269db10a139aeb44f6cbc4f497bef2e35b8c2d558d5aab96cbdae |
| SHA512 | 0564e05c8c0e40488f4c3e70319e5b83d21f14c77b8a7430297a9e622b815bf5c31075e94cb4ca08e3f34280af9f31fe3a233372a581d2f65299c62dbd1d0408 |
memory/3840-71-0x00007FF6FE770000-0x00007FF6FEAC1000-memory.dmp
C:\Windows\System\dRUbbBQ.exe
| MD5 | b3c342a32b54727ed0a736fd48a57a4f |
| SHA1 | cc266f687023dd6836be3f0a59848cba96d3c825 |
| SHA256 | f71bb44cb82ed044c4507e1ea7a88eab012e672c7ebe15bd0b850b843d2af2cb |
| SHA512 | 9b6bb2008f72a793a8065f9fb132deec9daf6e8047e75678c04dae869706bf62785a007fc499f40caaba172d9d009ffbb09b20e598bd4592db1c4a2df5141ae1 |
memory/3036-63-0x00007FF7D7DC0000-0x00007FF7D8111000-memory.dmp
memory/4376-62-0x00007FF636D90000-0x00007FF6370E1000-memory.dmp
C:\Windows\System\jgKOQwK.exe
| MD5 | 3cec5109ed778b986a3980eeb623ce8b |
| SHA1 | 7ac5c9590bd96b364f47fe60b7d0a9873b171e9d |
| SHA256 | cced47bc76729252822b924b9b4141a3e55063909ba992ec0623b33cd82886c3 |
| SHA512 | 598946bd6eb9eda3edff5a75435b6792b2bc57736c021ef763fe79b855d79eca1b4470a4949b80b5395613f92625ff0615cea649d0aa1e1a52dcec610ff13ba9 |
memory/1168-42-0x00007FF7F6E00000-0x00007FF7F7151000-memory.dmp
C:\Windows\System\CRLOYNJ.exe
| MD5 | cb6b41a0490e185861806561eb6b69c3 |
| SHA1 | 075299abdab5a8d097325a62c73a311afd0437ea |
| SHA256 | b1e6829ed4103153a857848250607d041f1f761c683a0b3abedb9f0db293a5c6 |
| SHA512 | 08c4409bc5f40d452ab136891da636d78df8735b6aab3c325b0d89caeae0199b304e9749bb483431436f8e844d62ba7f94e13c56805fb7c7d070d08d3aa0aae8 |
memory/4872-35-0x00007FF65B730000-0x00007FF65BA81000-memory.dmp
memory/952-30-0x00007FF604FB0000-0x00007FF605301000-memory.dmp
C:\Windows\System\nHMVhql.exe
| MD5 | d68c0d9033da7434ad845009dae2fab9 |
| SHA1 | 47625fc1f7458da417af79a1f6807da090e96902 |
| SHA256 | 4a8232d7a80f2e83457412a0645f509ae80d8bce9445f297a2afbf21a6ec6e2a |
| SHA512 | 8de74bca1e9139b2cb84d9add14084f21ba02683cac652bab9acda8214403d8d1b213f5d7f900290a37c6d4ed5861abc47f2425dfabe817283a4c185f0e665fb |
memory/3508-24-0x00007FF7A4A60000-0x00007FF7A4DB1000-memory.dmp
memory/3476-8-0x00007FF60A820000-0x00007FF60AB71000-memory.dmp
memory/4124-81-0x00007FF630C50000-0x00007FF630FA1000-memory.dmp
memory/3516-82-0x00007FF7A0E00000-0x00007FF7A1151000-memory.dmp
C:\Windows\System\kcnfNTG.exe
| MD5 | 86e796ea6ed803909bf5d1f2bbbdbae8 |
| SHA1 | 8b809421a993fb253a4a119df01dad6340e0ff79 |
| SHA256 | 2d96191fc0a9dfbac5c9768b77737f472969699bcc297b464e3dea9c17960dea |
| SHA512 | c902d923e0daf71d88b092baf131258fdab5e2d035cddd38ecfcbaba5a426f89729bead13c60b34a812da5360149f3264167b95cb1f8f8eff3632ff7e6935eca |
C:\Windows\System\GeyoJVw.exe
| MD5 | 9708a421f6288ec3d60fbe122e6f4dc1 |
| SHA1 | 5b83ef7a45b9a661e932c0c84c46a3ade036b1eb |
| SHA256 | d2b5751ff5dc279c3b13e55eff058713fa2b7e93312a3b2c50440ce735c49f3c |
| SHA512 | 63d2dfa8951d7a9f50289f9165ac719e42b322cd947df3fad59a05c55faebb654fbd6683833865c872ffa047c58a23312b0d3c3d32c5f3c8ac79b2240af93954 |
C:\Windows\System\gCcpJJo.exe
| MD5 | 97208122e80b494b718b3ccf1fcc1efc |
| SHA1 | c9ecf7967680283b74bcbb888968c5b14581215b |
| SHA256 | 15776b12b13025adca2f4d51af23b121034d8c98e554062995199b22926ac1f2 |
| SHA512 | d5bc0c39e12fe62561168e1d0d4983e0b0c45f805836ca203788dc38d32b2c0fa866fc98989bd9068bcee9103e7e412aedda827a9d26869fc03bf586422ff1cc |
C:\Windows\System\SdgSxck.exe
| MD5 | 3c24f5907d8cb7a9eb6d519ba4cf6bbb |
| SHA1 | 6585929ca677939c615b83249fe6ce49d57ea69d |
| SHA256 | 17a18275aa2b92a627b997abc97718824ef2704c7a0580eaaf70613d575936d1 |
| SHA512 | 1cd06c0703061cb6f9fad824b199f74d4779320b2c138c82388b7a19765633f32f598d2e727b8436e6a5e51a38754d178715bee7db9c5c1a111992852e703284 |
C:\Windows\System\EwGmIhf.exe
| MD5 | bf9359a89381a7fe947fff95fa7e74ac |
| SHA1 | e2befc314f3997aac0571469043817d685600ba6 |
| SHA256 | 486a21aa0346bb686ee26cf3ad283490cd0b4005579d63f894dc01dca9e0b6c6 |
| SHA512 | c78360e2c909e07371618db278b686533ea30a4abbb5075a8fd18b2966d270d98bf53357957b81c863f075d2c7560ec0e8a67e6c5725e6df946ca9807da9ebca |
C:\Windows\System\HctwnwU.exe
| MD5 | 7f3a293cfaedc5f0dac69f1c86f8e074 |
| SHA1 | a3c70b20a398fd8b0c7a5db64bcd363397140c80 |
| SHA256 | a07c0024d53afbcc7b6f871e420d8e4708ca6d6e01351535f0b275d12a263e48 |
| SHA512 | b68ddde69692defa7c23a22731f9ff89d0ef3e7e8e3b77207c43c884aae2a4f6ef7f0c6ee398583f0a533e6385739118f688e1b9b76516461eeccfb67896c36f |
memory/1648-131-0x00007FF62B830000-0x00007FF62BB81000-memory.dmp
memory/4872-130-0x00007FF65B730000-0x00007FF65BA81000-memory.dmp
memory/1308-126-0x00007FF608AC0000-0x00007FF608E11000-memory.dmp
memory/4192-121-0x00007FF77AE40000-0x00007FF77B191000-memory.dmp
memory/736-120-0x00007FF7D0590000-0x00007FF7D08E1000-memory.dmp
memory/4500-116-0x00007FF659C60000-0x00007FF659FB1000-memory.dmp
memory/4004-115-0x00007FF62BA50000-0x00007FF62BDA1000-memory.dmp
memory/460-109-0x00007FF750F20000-0x00007FF751271000-memory.dmp
memory/952-108-0x00007FF604FB0000-0x00007FF605301000-memory.dmp
C:\Windows\System\rtBtwGE.exe
| MD5 | 9e2f7b936416590442714adb75c2afdd |
| SHA1 | e9b31199bedb202bc1230e4e084b4fefb5c37c05 |
| SHA256 | b02b2ef8f262af275a1cf5df2ef43ae7555796b660b83753d5b8e47503130a57 |
| SHA512 | 1c6f9b09ebbd9740e97152ad9e48ef94594f2cae5f67bc544c51e16b51e76030392acfce00bc4d01bb175cc763c2f081e7f86f41c0d14450ea5fc2aebdc88fad |
C:\Windows\System\eCBNMAk.exe
| MD5 | fa7b4d48c5f9a3ac66bfa30bbb8ae7e7 |
| SHA1 | e2821954144caac07ce9ee1e27a6012d3200bd65 |
| SHA256 | 0753c925e167480c6d632c9cd262d56c7c19ae2d225025b31014960e60c346dd |
| SHA512 | bea4a935fc1e14ebbadafdae3a7c0705c18fecce4e539b3caadc85525533928aa99b51d35325db250549433cc6b163b199432f790f84d36ab8dc5ac20748ab96 |
memory/3508-103-0x00007FF7A4A60000-0x00007FF7A4DB1000-memory.dmp
memory/1908-102-0x00007FF6C74D0000-0x00007FF6C7821000-memory.dmp
memory/4936-97-0x00007FF60E630000-0x00007FF60E981000-memory.dmp
memory/3476-86-0x00007FF60A820000-0x00007FF60AB71000-memory.dmp
memory/4376-145-0x00007FF636D90000-0x00007FF6370E1000-memory.dmp
memory/1168-150-0x00007FF7F6E00000-0x00007FF7F7151000-memory.dmp
memory/3496-148-0x00007FF7852E0000-0x00007FF785631000-memory.dmp
memory/3036-147-0x00007FF7D7DC0000-0x00007FF7D8111000-memory.dmp
memory/2552-143-0x00007FF674C80000-0x00007FF674FD1000-memory.dmp
memory/4124-134-0x00007FF630C50000-0x00007FF630FA1000-memory.dmp
memory/4936-149-0x00007FF60E630000-0x00007FF60E981000-memory.dmp
memory/4004-153-0x00007FF62BA50000-0x00007FF62BDA1000-memory.dmp
memory/4124-154-0x00007FF630C50000-0x00007FF630FA1000-memory.dmp
memory/1308-159-0x00007FF608AC0000-0x00007FF608E11000-memory.dmp
memory/1648-160-0x00007FF62B830000-0x00007FF62BB81000-memory.dmp
memory/4192-157-0x00007FF77AE40000-0x00007FF77B191000-memory.dmp
memory/4500-161-0x00007FF659C60000-0x00007FF659FB1000-memory.dmp
memory/3476-209-0x00007FF60A820000-0x00007FF60AB71000-memory.dmp
memory/3516-221-0x00007FF7A0E00000-0x00007FF7A1151000-memory.dmp
memory/3508-223-0x00007FF7A4A60000-0x00007FF7A4DB1000-memory.dmp
memory/952-225-0x00007FF604FB0000-0x00007FF605301000-memory.dmp
memory/736-227-0x00007FF7D0590000-0x00007FF7D08E1000-memory.dmp
memory/4872-229-0x00007FF65B730000-0x00007FF65BA81000-memory.dmp
memory/1168-231-0x00007FF7F6E00000-0x00007FF7F7151000-memory.dmp
memory/2552-234-0x00007FF674C80000-0x00007FF674FD1000-memory.dmp
memory/3840-237-0x00007FF6FE770000-0x00007FF6FEAC1000-memory.dmp
memory/4376-236-0x00007FF636D90000-0x00007FF6370E1000-memory.dmp
memory/3036-241-0x00007FF7D7DC0000-0x00007FF7D8111000-memory.dmp
memory/3464-240-0x00007FF66A350000-0x00007FF66A6A1000-memory.dmp
memory/3496-243-0x00007FF7852E0000-0x00007FF785631000-memory.dmp
memory/4936-253-0x00007FF60E630000-0x00007FF60E981000-memory.dmp
memory/1908-255-0x00007FF6C74D0000-0x00007FF6C7821000-memory.dmp
memory/460-258-0x00007FF750F20000-0x00007FF751271000-memory.dmp
memory/4004-259-0x00007FF62BA50000-0x00007FF62BDA1000-memory.dmp
memory/1648-264-0x00007FF62B830000-0x00007FF62BB81000-memory.dmp
memory/4192-265-0x00007FF77AE40000-0x00007FF77B191000-memory.dmp
memory/4500-261-0x00007FF659C60000-0x00007FF659FB1000-memory.dmp
memory/1308-267-0x00007FF608AC0000-0x00007FF608E11000-memory.dmp