Analysis Overview
SHA256
c490c4b3257dd8e4ffd0d88f2925c918b5981b48f0b4f9a90078dfac7b190253
Threat Level: Known bad
The file 2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobalt Strike reflective loader
xmrig
XMRig Miner payload
Cobaltstrike
Cobaltstrike family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-10 15:47
Signatures
Cobalt Strike reflective loader (1 hit; no description, indicator, process or target recorded)
Cobaltstrike family
XMRig Miner payload (1 hit; no description, indicator, process or target recorded)
Xmrig family
UPX packed file (1 hit; no description, indicator, process or target recorded)
Unsigned PE (2 hits; no description, indicator, process or target recorded)
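The two static signatures that name a concrete property of the file, "UPX packed file" and "Unsigned PE", reduce to two header checks: the section names in the section table, and whether the Certificate Table data directory (index 4 of the optional header) is empty. The block below is an added example of those checks, not the sandbox's own signature code. It builds header-only PE stubs in memory with a constructed build_pe() helper so the parser can run offline; on a real sample you would read the file and pass its bytes to inspect_pe(). It assumes stock UPX section names (UPX0/UPX1).

```python
"""Static checks behind the "UPX packed file" and "Unsigned PE" signatures.

Added example, not part of the sandbox report and not its detection code.
The PE images are built in memory by build_pe() so the parser can be run
offline; they are header-only stubs, not executables.
"""
import struct

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
# Offset of the data-directory array inside the optional header, and the
# index of the Certificate Table (Authenticode) entry.
DATA_DIR_OFFSET = {PE32_MAGIC: 96, PE32PLUS_MAGIC: 112}
CERT_TABLE_INDEX = 4


def inspect_pe(data: bytes) -> dict:
    """Parse just enough of a PE header to list section names and read the
    Certificate Table directory entry."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in DATA_DIR_OFFSET:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # For the Certificate Table the first field is a file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from(
        "<II", data, opt + DATA_DIR_OFFSET[magic] + CERT_TABLE_INDEX * 8)
    sections = opt + opt_size
    names = [data[sections + 40 * i: sections + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(num_sections)]
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "sections": names,
        # Stock UPX names its sections UPX0/UPX1; a renamed packer stub will not match.
        "upx_sections": any(n.startswith("UPX") for n in names),
        # A zero-size entry means no embedded Authenticode signature. It does not
        # rule out catalog signing, so "unsigned" here means "no embedded cert".
        "embedded_signature": cert_size > 0,
        "cert_table": (cert_off, cert_size),
    }


def build_pe(section_names, magic=PE32PLUS_MAGIC, cert_size=0) -> bytes:
    """Constructed header-only PE image for exercising inspect_pe()."""
    opt_size = 240 if magic == PE32PLUS_MAGIC else 224
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    if cert_size:
        struct.pack_into("<II", opt, DATA_DIR_OFFSET[magic] + CERT_TABLE_INDEX * 8, 0x2000, cert_size)
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x22)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    print(inspect_pe(build_pe(["UPX0", "UPX1", ".rsrc"])))
    print(inspect_pe(build_pe([".text", ".rdata", ".data"], magic=PE32_MAGIC, cert_size=0x600)))
```

Both checks are cheap and both are weak on their own: a packer stub with renamed sections defeats the name test, and a file with an empty Certificate Table can still be catalog-signed, so the sandbox's "Unsigned PE" hit should be read as "no embedded Authenticode" rather than as proof of an untrusted publisher.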
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 15:47
Reported
2024-11-10 15:50
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader (21 hits; no description, indicator, process or target recorded)
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload (47 hits; no description, indicator, process or target recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\jwSTRpL.exe | N/A |
| N/A | N/A | C:\Windows\System\ZNBAOaf.exe | N/A |
| N/A | N/A | C:\Windows\System\zBwcUpW.exe | N/A |
| N/A | N/A | C:\Windows\System\yzDPuuV.exe | N/A |
| N/A | N/A | C:\Windows\System\HugMGdK.exe | N/A |
| N/A | N/A | C:\Windows\System\eyvWyCX.exe | N/A |
| N/A | N/A | C:\Windows\System\DOFgpul.exe | N/A |
| N/A | N/A | C:\Windows\System\cCuOanw.exe | N/A |
| N/A | N/A | C:\Windows\System\eVdmJhq.exe | N/A |
| N/A | N/A | C:\Windows\System\czjKqIi.exe | N/A |
| N/A | N/A | C:\Windows\System\nILWVJc.exe | N/A |
| N/A | N/A | C:\Windows\System\RfDeGLZ.exe | N/A |
| N/A | N/A | C:\Windows\System\hzgSRNz.exe | N/A |
| N/A | N/A | C:\Windows\System\SRQAbSA.exe | N/A |
| N/A | N/A | C:\Windows\System\HZojLuH.exe | N/A |
| N/A | N/A | C:\Windows\System\yRQwXgw.exe | N/A |
| N/A | N/A | C:\Windows\System\NVZROtJ.exe | N/A |
| N/A | N/A | C:\Windows\System\KpWEqCb.exe | N/A |
| N/A | N/A | C:\Windows\System\UgCDztf.exe | N/A |
| N/A | N/A | C:\Windows\System\zaXJqRO.exe | N/A |
| N/A | N/A | C:\Windows\System\vLMuxYo.exe | N/A |
UPX packed file (64 hits; no description, indicator, process or target recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
SeLockMemoryPrivilege ("Lock pages in memory") is the right a process needs to back allocations with large pages; XMRig enables it for its RandomX dataset, so this hit is consistent with the XMRig verdict above rather than being a generic privilege-escalation indicator.
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\jwSTRpL.exe
C:\Windows\System\jwSTRpL.exe
C:\Windows\System\ZNBAOaf.exe
C:\Windows\System\ZNBAOaf.exe
C:\Windows\System\zBwcUpW.exe
C:\Windows\System\zBwcUpW.exe
C:\Windows\System\yzDPuuV.exe
C:\Windows\System\yzDPuuV.exe
C:\Windows\System\HugMGdK.exe
C:\Windows\System\HugMGdK.exe
C:\Windows\System\eyvWyCX.exe
C:\Windows\System\eyvWyCX.exe
C:\Windows\System\DOFgpul.exe
C:\Windows\System\DOFgpul.exe
C:\Windows\System\cCuOanw.exe
C:\Windows\System\cCuOanw.exe
C:\Windows\System\eVdmJhq.exe
C:\Windows\System\eVdmJhq.exe
C:\Windows\System\czjKqIi.exe
C:\Windows\System\czjKqIi.exe
C:\Windows\System\nILWVJc.exe
C:\Windows\System\nILWVJc.exe
C:\Windows\System\RfDeGLZ.exe
C:\Windows\System\RfDeGLZ.exe
C:\Windows\System\hzgSRNz.exe
C:\Windows\System\hzgSRNz.exe
C:\Windows\System\SRQAbSA.exe
C:\Windows\System\SRQAbSA.exe
C:\Windows\System\HZojLuH.exe
C:\Windows\System\HZojLuH.exe
C:\Windows\System\yRQwXgw.exe
C:\Windows\System\yRQwXgw.exe
C:\Windows\System\NVZROtJ.exe
C:\Windows\System\NVZROtJ.exe
C:\Windows\System\KpWEqCb.exe
C:\Windows\System\KpWEqCb.exe
C:\Windows\System\UgCDztf.exe
C:\Windows\System\UgCDztf.exe
C:\Windows\System\zaXJqRO.exe
C:\Windows\System\zaXJqRO.exe
C:\Windows\System\vLMuxYo.exe
C:\Windows\System\vLMuxYo.exe
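The process tree above is the pattern the "Executes dropped EXE", "Drops file in Windows directory" and "AdjustPrivilegeToken" signatures fire on: the sample in the user's Temp directory writes 21 seven-letter EXEs into C:\Windows\System (the legacy directory, not System32) and runs each one. The block below is an added example of detection logic over that telemetry, not part of the report. The events are constructed here in Sysmon Event ID 1 (process creation) and Windows Security 4703 (token right adjusted) shape; the field names follow those schemas, but the records are made up for this demonstration and you would map them onto your own logging.

```python
"""Detection logic for the drop-and-execute pattern in this report.

Added example, not part of the sandbox output. The events in SAMPLE_EVENTS
are constructed: Sysmon Event ID 1 (Image, ParentImage) and Security 4703
(ProcessName, EnabledPrivilegeList) shaped records, not real telemetry.
"""
import re
from pathlib import PureWindowsPath

# Seven ASCII letters plus .exe, the naming pattern of every dropped file
# in both detonations (jwSTRpL.exe, gUygyPS.exe, ...).
RANDOM_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")

# Parent sample path, taken from the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a"
          r"_cobalt-strike_cobaltstrike_poet-rat.exe")


def _dir_key(image: str) -> tuple:
    r"""Directory of an image as lower-cased path components without the
    drive, so C:\Windows\System, c:\windows\system and \Windows\system
    (the win7 run logs some paths without a drive letter) compare equal."""
    parent = PureWindowsPath(image).parent
    parts = parent.parts[1:] if parent.anchor else parent.parts
    return tuple(s.lower() for s in parts)


def is_dropped_system_exe(image: str) -> bool:
    r"""True for a randomly named EXE in the legacy C:\Windows\System directory.
    System32 and SysWOW64 do not match, so ordinary system binaries are ignored."""
    return _dir_key(image) == ("windows", "system") and \
        RANDOM_NAME.match(PureWindowsPath(image).name) is not None


def find_drop_chains(events):
    r"""(parent, child) pairs where a process starts a dropped EXE from
    C:\Windows\System; the parent is kept so the analyst can see it is a
    user-profile binary rather than an installer."""
    return [(ev["ParentImage"], ev["Image"])
            for ev in events
            if ev.get("EventID") == 1 and is_dropped_system_exe(ev["Image"])]


def find_lock_memory_privilege(events):
    """Processes that enabled SeLockMemoryPrivilege (Security event 4703).
    XMRig requests this right to back its RandomX memory with large pages,
    which is what the AdjustPrivilegeToken signature above is keyed on."""
    return sorted({ev["ProcessName"] for ev in events
                   if ev.get("EventID") == 4703
                   and "SeLockMemoryPrivilege" in ev.get("EnabledPrivilegeList", "")})


def triage(events) -> dict:
    chains = find_drop_chains(events)
    lockers = find_lock_memory_privilege(events)
    droppers = {parent for parent, _ in chains}
    return {
        "drop_chains": chains,
        "lock_memory": lockers,
        # A process that both drops into C:\Windows\System and enables
        # SeLockMemoryPrivilege matches both halves of this report.
        "high_confidence": sorted(droppers & set(lockers)),
    }


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"EventID": 1, "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System\jwSTRpL.exe", "ParentImage": SAMPLE},
    {"EventID": 1, "Image": r"\Windows\system\gUygyPS.exe", "ParentImage": SAMPLE},
    {"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe"},
    {"EventID": 4703, "ProcessName": SAMPLE, "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    {"EventID": 4703, "ProcessName": r"C:\Windows\System32\lsass.exe",
     "EnabledPrivilegeList": "SeTcbPrivilege"},
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS).items():
        print(key, value)
```

The directory is the strong signal: C:\Windows\System legitimately holds almost nothing, so any new EXE there is worth a look, whereas the seven-letter name test alone would also match benign names of that length. The 4703 correlation only works if "Audit Token Right Adjusted" is enabled in the advanced audit policy; without it, fall back on the drop chain and the network flow to 3.120.209.58:8080 from the Network table.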
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
The in-addr.arpa entries are reverse (PTR) lookups sent to 8.8.8.8, not forward resolutions of a domain the sample contacted; the only non-DNS traffic recorded is six TCP connections to 3.120.209.58:8080, the same destination the win7 detonation reaches.
Files
memory/1020-0-0x00007FF62EBD0000-0x00007FF62EF21000-memory.dmp
memory/1020-1-0x0000027002770000-0x0000027002780000-memory.dmp
C:\Windows\System\jwSTRpL.exe
| MD5 | d8c2f21b45570bd29539274d5d84239d |
| SHA1 | 6fe12f77e8db6074751e8b68996d079fd79faa9c |
| SHA256 | 12d55a24a91dcd56bc1f80b6bf282b81f0d344386f639d04787b8baf3db60f4b |
| SHA512 | ef605362bd20f835d7f667d691ded45c6d23c7d8d109fcf70123265932fc087fe36cf5bba66d73190511c342a7c3d9984dc7906b87594435fed700c3a783eb7e |
memory/2364-6-0x00007FF786E60000-0x00007FF7871B1000-memory.dmp
C:\Windows\System\zBwcUpW.exe
| MD5 | 54d00dd9b2673e1486b4397c45d71f98 |
| SHA1 | 2525894b7cf397a7f9f1975b876422fe1e0a4a2a |
| SHA256 | ff77dec173683acb671292ea620fdd42f02a38e78b2c6bdc617dda05f8e6c4a7 |
| SHA512 | 0616036685b6fe47f4ed3a87c365f7e2ef2251c5e9082b64303cc4a918a52e92ea032c6581dad64c9d68d448acc9a2f44a4ca6afc7d6eb4275dec255f0e75c31 |
C:\Windows\System\ZNBAOaf.exe
| MD5 | df8db4c85906e38ffb787547f2918352 |
| SHA1 | ca4e23fcef91600b1ba2fc7bfdd55fc5843a6ab4 |
| SHA256 | 6aa9bffdbd0142e524549dfa9eacfb3e8a0585f398ac70c4aea1fbf72837023d |
| SHA512 | 0c855bb26bff16df03e392c5058d363bf7c9127b5ccb9c0ca9bc1d54ceef1f6b3dfbb1c931ad28a4701799ee83298d54700b70a147d533d433a0a53f78f5c6b7 |
memory/2616-12-0x00007FF682000000-0x00007FF682351000-memory.dmp
C:\Windows\System\yzDPuuV.exe
| MD5 | 692a1968b756c94a01c829bbf7586c21 |
| SHA1 | 132146df5a43122e7c4def41cc9ea5febc777533 |
| SHA256 | 4e3a00c29ccaaaed98fd1220576f216f7af8a77f7a4652878ab092bafa27a48f |
| SHA512 | feebfd8ccc69d8108d5b432344f6b8d519037f3e61cb021a63174c7946a09def69001810eedc842bae855054ceac1a2249e78d874d145fbcca10b7a76edf103b |
memory/264-31-0x00007FF6AFF20000-0x00007FF6B0271000-memory.dmp
C:\Windows\System\DOFgpul.exe
| MD5 | 607c3585b10a2f988b3565bc816144a3 |
| SHA1 | e4b773e2d24a4271981e87eef911cafc7ee3403e |
| SHA256 | 9de468ba1571d5325e212acc188676c1caa0f8a29726d126269e7254d174be6f |
| SHA512 | 438e29b0298ababc87ddd3b773ab891b0f3eddb00d0be5f042587bc947bf50b6dd49ffa93c1a0687d67eef47332fb3d45a47e0f3dc1691f41eb742a139f9ee33 |
C:\Windows\System\cCuOanw.exe
| MD5 | b009aa3f4132f226f9f4dcd774667c12 |
| SHA1 | 318948067a773112a06eed6916e17b22be828af4 |
| SHA256 | 09109a9a1e6ece28704ad2eda2d2eb6bb043d33108934a5088978b44fae63658 |
| SHA512 | a3b1799e1e8b500ba9a2e78824c2914bf84704bd7cb2aa2474f4842c5e28847e8846aeaec716f27991e8ed13773678ae56cab13ec39fa4ab006ff6a07ddd7ab7 |
C:\Windows\System\nILWVJc.exe
| MD5 | 8b2528aa12fb8bbf6977c04521011fd9 |
| SHA1 | d2800bc7dcdc677c7871da584ecedff074b38725 |
| SHA256 | f970824bc7ee2aa3e9c4742bd2f8517a96eea5bdcf16a48d13c9e1bae66608fb |
| SHA512 | 144108401f40c2abb9c77dde3a9757f123b934fc4dd807a3786e44444c4a3ffe230c489239ed15ff45ebf423ced375da4fd0f45d6f62dfa90377220e242478c6 |
memory/1336-62-0x00007FF6AF8B0000-0x00007FF6AFC01000-memory.dmp
C:\Windows\System\SRQAbSA.exe
| MD5 | 5c58cf265797d79d4e05b89b39c8270d |
| SHA1 | b912dcc8154466e508c2da0b29acbcbb29236ed6 |
| SHA256 | 961d11307b8cd70b2a78d7b96c508307bc7b15136ce5671d6e85544efc4f0f63 |
| SHA512 | e9007b85765e85a42c6761753e614f8564699a190d59dec60cf1cce86b31e85d901ffdd1a749a40b85d0db62c597291eaa11fae714ac30629b6b98eba97e2cc0 |
memory/3300-84-0x00007FF692050000-0x00007FF6923A1000-memory.dmp
C:\Windows\System\hzgSRNz.exe
| MD5 | 4dad28b94b24fdef04b5150880110563 |
| SHA1 | 9d034a13e11b301deef3af329f597412a6963a5d |
| SHA256 | adbcc6c6dda0d9fecf5b640e233f29352c7e239f43b7bc86ce30ab62127d4def |
| SHA512 | 9bbb20af2e5b03c805578e35afcbd84ee942a8e20ba46ce89daa4e016b0ad80ab8010339ee98c5c98139beb1c3b1be1ffef4465adce9dc2d7e8fdd18f1ba6a23 |
C:\Windows\System\NVZROtJ.exe
| MD5 | f500bf7aa2ca2d835164ce9a191d24a4 |
| SHA1 | a68959d34d378dc5ef6b418dbea87d4cdd647cb0 |
| SHA256 | 6917079efb07db81c6b3537f68880dcdd97608d40df87c946ec2579236249005 |
| SHA512 | d7bbf2a19fc11266cda85a1e3409fbddc8154f69b239d2b0758a88417ba0582d326170a5433a99b338b0f8f37fcbb891790b1a480fb8f5cb1763402c58018074 |
memory/32-104-0x00007FF734F80000-0x00007FF7352D1000-memory.dmp
memory/3224-103-0x00007FF6CBBD0000-0x00007FF6CBF21000-memory.dmp
memory/544-102-0x00007FF6CF410000-0x00007FF6CF761000-memory.dmp
memory/1968-100-0x00007FF7CC060000-0x00007FF7CC3B1000-memory.dmp
C:\Windows\System\yRQwXgw.exe
| MD5 | 1202ffa04af4db451e722b3444ffb84c |
| SHA1 | 22f85a756e0189922dcb8ab43a93e2a30f3ecdb1 |
| SHA256 | 53384c939acbdeca1f50b5fa7bebe473e35168acaca3f173da4223bfcb525e3e |
| SHA512 | 1eb310c84415cd259e9f180d4f222abda7529f9254911038d4974171ab79ac8d6b7b7d81d345c410e2582bae6c62177341b3a6b40521e7cbd7db68d431f32317 |
C:\Windows\System\HZojLuH.exe
| MD5 | b9d8c46cc26854d2128b44fd570707ed |
| SHA1 | ae17bf9d4a1239e7b2b9bdef374cb95d402783ac |
| SHA256 | 021339981794f5ce7bf99dddb70a86c23d3fadfd265f1f6ea94a38d417a4ad6b |
| SHA512 | cbe4c994a2ce2f8e7819e57b6b4ad37101bb636f5d8e707deb5e9dd1bab1df86a7c4ef88ddfbe1206af74bf0104b5de4123946cb03850c449f4d64bc098215ca |
memory/3552-94-0x00007FF695200000-0x00007FF695551000-memory.dmp
memory/3672-93-0x00007FF6E7EF0000-0x00007FF6E8241000-memory.dmp
memory/3980-88-0x00007FF745050000-0x00007FF7453A1000-memory.dmp
memory/3696-87-0x00007FF6C7DD0000-0x00007FF6C8121000-memory.dmp
C:\Windows\System\RfDeGLZ.exe
| MD5 | 95511bf425568eac8bb82dc420b94ee3 |
| SHA1 | 4536015b6d6fee487009e51b5437847050d41dc9 |
| SHA256 | a0d2764b43f2fc05ce51616f89d212fe5ed0713df9945f789a8201b0e24b19ff |
| SHA512 | 1c9fb6aee1b06a0848f3fc606dba706cd9abf02353d8823d2b71889c941b43b40c8a1056490e2a0e0e5b31bf90175298c56181fa3556552c1996354d84719293 |
memory/1892-83-0x00007FF761B00000-0x00007FF761E51000-memory.dmp
memory/3236-74-0x00007FF746570000-0x00007FF7468C1000-memory.dmp
C:\Windows\System\czjKqIi.exe
| MD5 | feda346c902e5bf533def20ab0174610 |
| SHA1 | c3459188160d23928a3267c03fc2b3539bedf9f8 |
| SHA256 | 026df1d5c42fd19d6a62d8abf9011070438e09be5d8b76d9e9bfbf1107c7e48d |
| SHA512 | a5ccb49b96711affec3cfe51113531cefbb1d0e4f041352b31db75ee4c27ac8db8555bec501d6f78b406e54473db864481bf752679141f2d57e15807b6286515 |
C:\Windows\System\eVdmJhq.exe
| MD5 | 3cd385f9bf1c2fe5553fd18d5a3458fa |
| SHA1 | 6955712f2c7b8ede1e77adde0d2c81ae274858f0 |
| SHA256 | 2f9baffc1608eab36d705d635ddc3f04a479dea4648821f31fe43ba38fc72239 |
| SHA512 | fa33e78d624f5b60d5651ecba36b4dfe94d29083c3b9cb120ea7b6f603d299da825d95917a54148226e391a230a8f1f97c551cb566c99cf1fc68c9013962b889 |
C:\Windows\System\eyvWyCX.exe
| MD5 | 66ea212009d6528e232fc87c160cee3e |
| SHA1 | fdf8332c92a155324a329ef7127b71b020a84faa |
| SHA256 | c56a4136de065e1d080d3bd00cf0350cba8d449a919aa10466b42df34e6ca278 |
| SHA512 | f3902139ce6242d8b75237f247e7b66b3bd48260e86ee35dfc1288338cff88fe65a508ec633160d1ea88d0a6f99dfb247d987fd71683b33057112d152284d4e7 |
C:\Windows\System\HugMGdK.exe
| MD5 | 89df7e3e328e768247d401219a31d082 |
| SHA1 | cf734edbfb2a20025e27607992d04b131405fdc2 |
| SHA256 | acba578adfd8ad7bc43991055b183593b56ef38fdc872695f022548c77a7267b |
| SHA512 | 6e60b9ab4a22144cea29ae93928232038f823261825804e62a69f608f80c6d46f119732bd2e7a19ae1886c412b33411aab48111ec066965fc2ea665c3af31df7 |
memory/1712-30-0x00007FF71DA20000-0x00007FF71DD71000-memory.dmp
memory/3260-20-0x00007FF691BD0000-0x00007FF691F21000-memory.dmp
memory/1020-105-0x00007FF62EBD0000-0x00007FF62EF21000-memory.dmp
memory/3980-120-0x00007FF745050000-0x00007FF7453A1000-memory.dmp
C:\Windows\System\UgCDztf.exe
| MD5 | d8f50fce33dc693d9217d3a050d63afe |
| SHA1 | 50250bce6a7b1fec39674abfa565e31950331a60 |
| SHA256 | b410310eb43f0868af8423eb91e47867262ea351334edaca2a450799b5775b10 |
| SHA512 | de578d8d5da30759280f80eb4b0077be141248e4e57672a923fd1448e49f15aae0cb0097fb24d8ab362a23b8e78e9b9ce39f4a48d6d547b8feb9d2a4dcffdd2b |
C:\Windows\System\KpWEqCb.exe
| MD5 | ede7f241a1b1a4f30eaa92849a8d4541 |
| SHA1 | e49228e13bbcb804e6f37745957ec570e2f3ce6f |
| SHA256 | a24fea66cda3f6b8112ce86b376671cfff2cb2e555b1e46e01888f58834703a2 |
| SHA512 | a20c4b090cb78faf65f1b331cfe22301e2082dbb1eadf9cacb881c0628d9d32180b3e6f82f223aa9a5567fc6fb076d72696e864e38319e485bfac05491f6967d |
memory/1968-129-0x00007FF7CC060000-0x00007FF7CC3B1000-memory.dmp
memory/3552-128-0x00007FF695200000-0x00007FF695551000-memory.dmp
memory/3672-127-0x00007FF6E7EF0000-0x00007FF6E8241000-memory.dmp
memory/3260-109-0x00007FF691BD0000-0x00007FF691F21000-memory.dmp
memory/2364-106-0x00007FF786E60000-0x00007FF7871B1000-memory.dmp
memory/1336-113-0x00007FF6AF8B0000-0x00007FF6AFC01000-memory.dmp
memory/264-112-0x00007FF6AFF20000-0x00007FF6B0271000-memory.dmp
memory/1712-111-0x00007FF71DA20000-0x00007FF71DD71000-memory.dmp
memory/2616-108-0x00007FF682000000-0x00007FF682351000-memory.dmp
C:\Windows\System\zaXJqRO.exe
| MD5 | fb2ff3ac017367d4e073b1bcf5f512c0 |
| SHA1 | c2af5b040d8261288e457ff71373333f49449414 |
| SHA256 | 7def57faef0364eafb47033c3fa2cf9dcf5026fa8ac61e62b4e690e324d4f97d |
| SHA512 | e20bb723fdec5fcf62fef727818423b917677b9d7e67b02b81bc17466ce9b4742bceef92f1cfe9eeb9def58c9cef4d95cf7c900dc236cc337b22773f6c3a4c3e |
C:\Windows\System\vLMuxYo.exe
| MD5 | d345d826ffe47407ea8755e8cd30b7be |
| SHA1 | dad54e11fee29d6e62ea613a86c9b931ab091240 |
| SHA256 | 141f4b45b68d931927eb74c00279e36266bdf5fa5e7542f5e1e43631325d5385 |
| SHA512 | 2adda326dc2377118c651aed6c18677be55eb9165001ac9813228c8e8546d4bc8eaa6900638727fa99d0a36195982305f92fd29cec62e01c9cad5fa06b0aec87 |
memory/1632-141-0x00007FF6F60A0000-0x00007FF6F63F1000-memory.dmp
memory/1220-140-0x00007FF7C7860000-0x00007FF7C7BB1000-memory.dmp
memory/3280-135-0x00007FF6F6B10000-0x00007FF6F6E61000-memory.dmp
memory/2944-134-0x00007FF7488C0000-0x00007FF748C11000-memory.dmp
memory/1020-146-0x00007FF62EBD0000-0x00007FF62EF21000-memory.dmp
memory/1020-147-0x00007FF62EBD0000-0x00007FF62EF21000-memory.dmp
memory/2944-165-0x00007FF7488C0000-0x00007FF748C11000-memory.dmp
memory/3280-166-0x00007FF6F6B10000-0x00007FF6F6E61000-memory.dmp
memory/1632-168-0x00007FF6F60A0000-0x00007FF6F63F1000-memory.dmp
memory/1220-167-0x00007FF7C7860000-0x00007FF7C7BB1000-memory.dmp
memory/1020-169-0x00007FF62EBD0000-0x00007FF62EF21000-memory.dmp
memory/2364-209-0x00007FF786E60000-0x00007FF7871B1000-memory.dmp
memory/2616-211-0x00007FF682000000-0x00007FF682351000-memory.dmp
memory/3260-213-0x00007FF691BD0000-0x00007FF691F21000-memory.dmp
memory/1712-216-0x00007FF71DA20000-0x00007FF71DD71000-memory.dmp
memory/264-217-0x00007FF6AFF20000-0x00007FF6B0271000-memory.dmp
memory/1336-223-0x00007FF6AF8B0000-0x00007FF6AFC01000-memory.dmp
memory/544-222-0x00007FF6CF410000-0x00007FF6CF761000-memory.dmp
memory/3236-220-0x00007FF746570000-0x00007FF7468C1000-memory.dmp
memory/1892-227-0x00007FF761B00000-0x00007FF761E51000-memory.dmp
memory/3300-229-0x00007FF692050000-0x00007FF6923A1000-memory.dmp
memory/3696-231-0x00007FF6C7DD0000-0x00007FF6C8121000-memory.dmp
memory/3224-233-0x00007FF6CBBD0000-0x00007FF6CBF21000-memory.dmp
memory/1968-236-0x00007FF7CC060000-0x00007FF7CC3B1000-memory.dmp
memory/3980-243-0x00007FF745050000-0x00007FF7453A1000-memory.dmp
memory/3552-242-0x00007FF695200000-0x00007FF695551000-memory.dmp
memory/32-240-0x00007FF734F80000-0x00007FF7352D1000-memory.dmp
memory/3672-238-0x00007FF6E7EF0000-0x00007FF6E8241000-memory.dmp
memory/3280-254-0x00007FF6F6B10000-0x00007FF6F6E61000-memory.dmp
memory/1220-255-0x00007FF7C7860000-0x00007FF7C7BB1000-memory.dmp
memory/1632-259-0x00007FF6F60A0000-0x00007FF6F63F1000-memory.dmp
memory/2944-258-0x00007FF7488C0000-0x00007FF748C11000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 15:47
Reported
2024-11-10 15:50
Platform
win7-20241010-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader (21 hits; no description, indicator, process or target recorded)
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload (39 hits; no description, indicator, process or target recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\gUygyPS.exe | N/A |
| N/A | N/A | C:\Windows\System\EeHBMrq.exe | N/A |
| N/A | N/A | C:\Windows\System\YRUxDXT.exe | N/A |
| N/A | N/A | C:\Windows\System\jLjRlwP.exe | N/A |
| N/A | N/A | C:\Windows\System\tlIwFEc.exe | N/A |
| N/A | N/A | C:\Windows\System\YzaFZSc.exe | N/A |
| N/A | N/A | C:\Windows\System\coQikUL.exe | N/A |
| N/A | N/A | C:\Windows\System\JnJTdcS.exe | N/A |
| N/A | N/A | C:\Windows\System\bteXdHw.exe | N/A |
| N/A | N/A | C:\Windows\System\QofFaWh.exe | N/A |
| N/A | N/A | C:\Windows\System\jrIGpIF.exe | N/A |
| N/A | N/A | C:\Windows\System\IYSBgEF.exe | N/A |
| N/A | N/A | C:\Windows\System\ZNHwacj.exe | N/A |
| N/A | N/A | C:\Windows\System\qLKVVnd.exe | N/A |
| N/A | N/A | C:\Windows\System\ItMmIff.exe | N/A |
| N/A | N/A | C:\Windows\System\ptjsQwt.exe | N/A |
| N/A | N/A | C:\Windows\System\wVMitYd.exe | N/A |
| N/A | N/A | C:\Windows\System\NsrFhdV.exe | N/A |
| N/A | N/A | C:\Windows\System\izByBbG.exe | N/A |
| N/A | N/A | C:\Windows\System\kqpfBVJ.exe | N/A |
| N/A | N/A | C:\Windows\System\kSFXpNX.exe | N/A |
Loads dropped DLL
UPX packed file (64 hits; no description, indicator, process or target recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-10_45570f7a4ec67a7cca656d40d222696a_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\gUygyPS.exe
C:\Windows\System\gUygyPS.exe
C:\Windows\System\EeHBMrq.exe
C:\Windows\System\EeHBMrq.exe
C:\Windows\System\YRUxDXT.exe
C:\Windows\System\YRUxDXT.exe
C:\Windows\System\YzaFZSc.exe
C:\Windows\System\YzaFZSc.exe
C:\Windows\System\jLjRlwP.exe
C:\Windows\System\jLjRlwP.exe
C:\Windows\System\coQikUL.exe
C:\Windows\System\coQikUL.exe
C:\Windows\System\tlIwFEc.exe
C:\Windows\System\tlIwFEc.exe
C:\Windows\System\JnJTdcS.exe
C:\Windows\System\JnJTdcS.exe
C:\Windows\System\bteXdHw.exe
C:\Windows\System\bteXdHw.exe
C:\Windows\System\IYSBgEF.exe
C:\Windows\System\IYSBgEF.exe
C:\Windows\System\QofFaWh.exe
C:\Windows\System\QofFaWh.exe
C:\Windows\System\ZNHwacj.exe
C:\Windows\System\ZNHwacj.exe
C:\Windows\System\jrIGpIF.exe
C:\Windows\System\jrIGpIF.exe
C:\Windows\System\qLKVVnd.exe
C:\Windows\System\qLKVVnd.exe
C:\Windows\System\ItMmIff.exe
C:\Windows\System\ItMmIff.exe
C:\Windows\System\ptjsQwt.exe
C:\Windows\System\ptjsQwt.exe
C:\Windows\System\wVMitYd.exe
C:\Windows\System\wVMitYd.exe
C:\Windows\System\NsrFhdV.exe
C:\Windows\System\NsrFhdV.exe
C:\Windows\System\izByBbG.exe
C:\Windows\System\izByBbG.exe
C:\Windows\System\kqpfBVJ.exe
C:\Windows\System\kqpfBVJ.exe
C:\Windows\System\kSFXpNX.exe
C:\Windows\System\kSFXpNX.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2932-0-0x000000013F0C0000-0x000000013F411000-memory.dmp
memory/2932-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\gUygyPS.exe
| MD5 | 1154e35513db8e8cae76415062e0a101 |
| SHA1 | a3be51eb262de1a567d158114e77ce464383d768 |
| SHA256 | f0d9fe32ecae6da5a9989bda077726ff41448f8bfc7b66b4d60643879952c117 |
| SHA512 | bae29efc1f87880faeb20086416d88e21ad020f0d7deb6c4960f651ab47b8504beffdc440d0b3f8a9f98507fef48a0413c5538559317d103a2a2a50cb7716b14 |
memory/2332-9-0x000000013F7A0000-0x000000013FAF1000-memory.dmp
memory/2932-8-0x000000013F7A0000-0x000000013FAF1000-memory.dmp
C:\Windows\system\EeHBMrq.exe
| MD5 | f47b39ec41d9d1d5beef148de58ec782 |
| SHA1 | 26d7f6d4f46d9f3f20fad4409568772b16c15811 |
| SHA256 | ae5206e5d0f087f1231777db6421bb1afcc41497c5de1847c2a1194574506781 |
| SHA512 | 6df5a296ad2f21538ee0bd1cc00c8dcb251e1ee7cbaba4cd8256d6414a0d2c14a20cb1271bfe39de8f22abac33c58870de013507e9778f7489868351b775cc22 |
C:\Windows\system\YRUxDXT.exe
| MD5 | aa85b800c4da91c6c7b354c2383bb994 |
| SHA1 | 39deba03bd9b70d73cad090a0cfba1640f5d930c |
| SHA256 | b19ebc0f5cb8897c3c96cab1f80373492382b64973fcbfadbcf951f0f7bce0f9 |
| SHA512 | bbb98852a8457c106f47ff704e3d9b3fa6922c6f196833d96b94d0f53f82765913544450946f41220f010e7a88ba1d1cfc20cebfea746aa0f8b3bde7689992e0 |
C:\Windows\system\jLjRlwP.exe
| MD5 | d6e62b5dd83d35bd255e2f029230d354 |
| SHA1 | 2c58ce2e8b8d70ea26216b327bd30f406711fe9d |
| SHA256 | c7585d581dbb0daa9530870bb5a30e6e0057991b50ff1db3364dd036915da7c5 |
| SHA512 | 980296e718a9268e8f175085967506e8e42b9562a54e250e839bcefeb35964a399fb7712b84968283d72381a374585ca5bd064d1952635ed6f790b9dc5050e02 |
memory/2724-57-0x000000013F5B0000-0x000000013F901000-memory.dmp
\Windows\system\IYSBgEF.exe
| MD5 | 14f90809360a939d44d73c6247a4478e |
| SHA1 | 6ecc9c0154a22ad361d9ae1c50faf728f94e1003 |
| SHA256 | 18f7473d941029fe82188089ec4c3e89a97a83c89f2b39556af7af3edf0c3a79 |
| SHA512 | 7e552ba919393d0732ad016d2247bd94555ef7406aeb2c4918cd43c925c9569b83b12eb7e2e4d7c13e0e533da70588ca1059525805d820fb2bc3d678fbe8cbd6 |
memory/2932-91-0x000000013F540000-0x000000013F891000-memory.dmp
C:\Windows\system\qLKVVnd.exe
| MD5 | b7a481c6da5332364180fc85f9a78a20 |
| SHA1 | 3b6f4c0ba3bd620c51d763710780df3a5ea6bc1e |
| SHA256 | b016b939c9c139e22fd1ad11db32a1dc2d5ba80808be8cf57642be2e719c957c |
| SHA512 | 406ce270be67a69b8d6ca9f728930bdeca82506104637098b706863357f27d592bab8a999dd29d788275203711fedb7009846a59e5b3c4fb438de175ba89f6de |
memory/2932-105-0x00000000021D0000-0x0000000002521000-memory.dmp
C:\Windows\system\wVMitYd.exe
| MD5 | 01c5fb61e1109377c09007f52ecdcfa2 |
| SHA1 | 73cecde72253291604a53ec4bce11323a936b416 |