Analysis Overview
SHA256
88eae1f65df3bde5e241391c85236ae6fe363d504700ee94accf27e78ca0aedc
Threat Level: Known bad
The file 2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike family
Cobaltstrike
xmrig
XMRig Miner payload
Xmrig family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-09 15:25
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 15:25
Reported
2024-11-09 15:28
Platform
win7-20240903-en
Max time kernel
140s
Max time network
155s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
Executes dropped EXE
| Process |
| C:\Windows\System\VJWpOqK.exe |
| C:\Windows\System\LJUAzVh.exe |
| C:\Windows\System\icYwDbi.exe |
| C:\Windows\System\cvjtXSW.exe |
| C:\Windows\System\MLbWaOG.exe |
| C:\Windows\System\aTqHEQp.exe |
| C:\Windows\System\gzwOSQG.exe |
| C:\Windows\System\yuaYuxY.exe |
| C:\Windows\System\psYJGFP.exe |
| C:\Windows\System\WXTMfir.exe |
| C:\Windows\System\zBDOCZY.exe |
| C:\Windows\System\oAIqThX.exe |
| C:\Windows\System\ySgPuxZ.exe |
| C:\Windows\System\fYyRkpD.exe |
| C:\Windows\System\EZaAKhP.exe |
| C:\Windows\System\RwFaHFq.exe |
| C:\Windows\System\drytJZL.exe |
| C:\Windows\System\YCQYQSQ.exe |
| C:\Windows\System\ybZILko.exe |
| C:\Windows\System\SmKJGAL.exe |
| C:\Windows\System\cXgCUym.exe |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Process |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\VJWpOqK.exe | C:\Windows\System\VJWpOqK.exe |
| C:\Windows\System\LJUAzVh.exe | C:\Windows\System\LJUAzVh.exe |
| C:\Windows\System\icYwDbi.exe | C:\Windows\System\icYwDbi.exe |
| C:\Windows\System\MLbWaOG.exe | C:\Windows\System\MLbWaOG.exe |
| C:\Windows\System\cvjtXSW.exe | C:\Windows\System\cvjtXSW.exe |
| C:\Windows\System\gzwOSQG.exe | C:\Windows\System\gzwOSQG.exe |
| C:\Windows\System\aTqHEQp.exe | C:\Windows\System\aTqHEQp.exe |
| C:\Windows\System\EZaAKhP.exe | C:\Windows\System\EZaAKhP.exe |
| C:\Windows\System\yuaYuxY.exe | C:\Windows\System\yuaYuxY.exe |
| C:\Windows\System\RwFaHFq.exe | C:\Windows\System\RwFaHFq.exe |
| C:\Windows\System\psYJGFP.exe | C:\Windows\System\psYJGFP.exe |
| C:\Windows\System\drytJZL.exe | C:\Windows\System\drytJZL.exe |
| C:\Windows\System\WXTMfir.exe | C:\Windows\System\WXTMfir.exe |
| C:\Windows\System\YCQYQSQ.exe | C:\Windows\System\YCQYQSQ.exe |
| C:\Windows\System\zBDOCZY.exe | C:\Windows\System\zBDOCZY.exe |
| C:\Windows\System\ybZILko.exe | C:\Windows\System\ybZILko.exe |
| C:\Windows\System\oAIqThX.exe | C:\Windows\System\oAIqThX.exe |
| C:\Windows\System\SmKJGAL.exe | C:\Windows\System\SmKJGAL.exe |
| C:\Windows\System\ySgPuxZ.exe | C:\Windows\System\ySgPuxZ.exe |
| C:\Windows\System\cXgCUym.exe | C:\Windows\System\cXgCUym.exe |
| C:\Windows\System\fYyRkpD.exe | C:\Windows\System\fYyRkpD.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 15:25
Reported
2024-11-09 15:28
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
Executes dropped EXE
| Process |
| C:\Windows\System\FzJZpND.exe |
| C:\Windows\System\ciAspRk.exe |
| C:\Windows\System\XRcxdTT.exe |
| C:\Windows\System\WEaGhXL.exe |
| C:\Windows\System\AAGScWh.exe |
| C:\Windows\System\MozXkMx.exe |
| C:\Windows\System\dOMyzfD.exe |
| C:\Windows\System\HZoMRyw.exe |
| C:\Windows\System\vkAshwW.exe |
| C:\Windows\System\uCnTVkJ.exe |
| C:\Windows\System\aVTFLCp.exe |
| C:\Windows\System\lYUxqSe.exe |
| C:\Windows\System\ypaxTyt.exe |
| C:\Windows\System\nMhblTg.exe |
| C:\Windows\System\NUjiKMZ.exe |
| C:\Windows\System\xxufLXq.exe |
| C:\Windows\System\JoPHGWP.exe |
| C:\Windows\System\YEcuJob.exe |
| C:\Windows\System\MWnEZzb.exe |
| C:\Windows\System\NhTItIN.exe |
| C:\Windows\System\iELWOvP.exe |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Process |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-09_9a9650bf9cbb13e69544fcac21a4d2be_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\FzJZpND.exe | C:\Windows\System\FzJZpND.exe |
| C:\Windows\System\ciAspRk.exe | C:\Windows\System\ciAspRk.exe |
| C:\Windows\System\XRcxdTT.exe | C:\Windows\System\XRcxdTT.exe |
| C:\Windows\System\WEaGhXL.exe | C:\Windows\System\WEaGhXL.exe |
| C:\Windows\System\AAGScWh.exe | C:\Windows\System\AAGScWh.exe |
| C:\Windows\System\MozXkMx.exe | C:\Windows\System\MozXkMx.exe |
| C:\Windows\System\dOMyzfD.exe | C:\Windows\System\dOMyzfD.exe |
| C:\Windows\System\HZoMRyw.exe | C:\Windows\System\HZoMRyw.exe |
| C:\Windows\System\vkAshwW.exe | C:\Windows\System\vkAshwW.exe |
| C:\Windows\System\uCnTVkJ.exe | C:\Windows\System\uCnTVkJ.exe |
| C:\Windows\System\aVTFLCp.exe | C:\Windows\System\aVTFLCp.exe |
| C:\Windows\System\lYUxqSe.exe | C:\Windows\System\lYUxqSe.exe |
| C:\Windows\System\ypaxTyt.exe | C:\Windows\System\ypaxTyt.exe |
| C:\Windows\System\nMhblTg.exe | C:\Windows\System\nMhblTg.exe |
| C:\Windows\System\NUjiKMZ.exe | C:\Windows\System\NUjiKMZ.exe |
| C:\Windows\System\xxufLXq.exe | C:\Windows\System\xxufLXq.exe |
| C:\Windows\System\JoPHGWP.exe | C:\Windows\System\JoPHGWP.exe |
| C:\Windows\System\YEcuJob.exe | C:\Windows\System\YEcuJob.exe |
| C:\Windows\System\MWnEZzb.exe | C:\Windows\System\MWnEZzb.exe |
| C:\Windows\System\NhTItIN.exe | C:\Windows\System\NhTItIN.exe |
| C:\Windows\System\iELWOvP.exe | C:\Windows\System\iELWOvP.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
| SHA512 | efc9c4595eb23ab0f96e19eed9368f6153063ed68e3a23ff9be1bd5ed4915eca7467fc8071512fb9ad45b24cd36b0056ecf4824e4a412f9c1521e92829d1f6c7 |
memory/4972-32-0x00007FF6ADDD0000-0x00007FF6AE121000-memory.dmp
memory/3616-24-0x00007FF7FD160000-0x00007FF7FD4B1000-memory.dmp
memory/4528-23-0x00007FF71DBA0000-0x00007FF71DEF1000-memory.dmp
memory/4940-13-0x00007FF7C1A20000-0x00007FF7C1D71000-memory.dmp
memory/1004-6-0x00007FF727240000-0x00007FF727591000-memory.dmp
memory/1112-127-0x00007FF63E0A0000-0x00007FF63E3F1000-memory.dmp
memory/1592-126-0x00007FF7EF010000-0x00007FF7EF361000-memory.dmp
memory/2136-125-0x00007FF773850000-0x00007FF773BA1000-memory.dmp
memory/2144-124-0x00007FF7185A0000-0x00007FF7188F1000-memory.dmp
memory/1668-123-0x00007FF7FAAC0000-0x00007FF7FAE11000-memory.dmp
memory/1004-129-0x00007FF727240000-0x00007FF727591000-memory.dmp
memory/4940-130-0x00007FF7C1A20000-0x00007FF7C1D71000-memory.dmp
memory/2800-131-0x00007FF723860000-0x00007FF723BB1000-memory.dmp
memory/2800-128-0x00007FF723860000-0x00007FF723BB1000-memory.dmp
memory/3616-133-0x00007FF7FD160000-0x00007FF7FD4B1000-memory.dmp
memory/1412-135-0x00007FF677800000-0x00007FF677B51000-memory.dmp
memory/5052-143-0x00007FF773020000-0x00007FF773371000-memory.dmp
memory/3656-145-0x00007FF774700000-0x00007FF774A51000-memory.dmp
memory/4008-142-0x00007FF676950000-0x00007FF676CA1000-memory.dmp
memory/2468-141-0x00007FF6012E0000-0x00007FF601631000-memory.dmp
memory/4972-134-0x00007FF6ADDD0000-0x00007FF6AE121000-memory.dmp
memory/1048-144-0x00007FF76A000000-0x00007FF76A351000-memory.dmp
memory/4220-139-0x00007FF6E9B60000-0x00007FF6E9EB1000-memory.dmp
memory/4528-132-0x00007FF71DBA0000-0x00007FF71DEF1000-memory.dmp
memory/2800-151-0x00007FF723860000-0x00007FF723BB1000-memory.dmp
memory/1004-211-0x00007FF727240000-0x00007FF727591000-memory.dmp
memory/4940-213-0x00007FF7C1A20000-0x00007FF7C1D71000-memory.dmp
memory/4528-216-0x00007FF71DBA0000-0x00007FF71DEF1000-memory.dmp
memory/3616-217-0x00007FF7FD160000-0x00007FF7FD4B1000-memory.dmp
memory/2344-221-0x00007FF68AEE0000-0x00007FF68B231000-memory.dmp
memory/4972-220-0x00007FF6ADDD0000-0x00007FF6AE121000-memory.dmp
memory/1412-235-0x00007FF677800000-0x00007FF677B51000-memory.dmp
memory/1904-232-0x00007FF739620000-0x00007FF739971000-memory.dmp
memory/4220-236-0x00007FF6E9B60000-0x00007FF6E9EB1000-memory.dmp
memory/1816-230-0x00007FF7FD920000-0x00007FF7FDC71000-memory.dmp
memory/3828-238-0x00007FF7AA8F0000-0x00007FF7AAC41000-memory.dmp
memory/3656-241-0x00007FF774700000-0x00007FF774A51000-memory.dmp
memory/4008-242-0x00007FF676950000-0x00007FF676CA1000-memory.dmp
memory/2468-245-0x00007FF6012E0000-0x00007FF601631000-memory.dmp
memory/1048-248-0x00007FF76A000000-0x00007FF76A351000-memory.dmp
memory/1668-250-0x00007FF7FAAC0000-0x00007FF7FAE11000-memory.dmp
memory/1112-252-0x00007FF63E0A0000-0x00007FF63E3F1000-memory.dmp
memory/5052-246-0x00007FF773020000-0x00007FF773371000-memory.dmp
memory/2144-254-0x00007FF7185A0000-0x00007FF7188F1000-memory.dmp
memory/2136-256-0x00007FF773850000-0x00007FF773BA1000-memory.dmp
memory/1592-258-0x00007FF7EF010000-0x00007FF7EF361000-memory.dmp