Analysis Overview
SHA256
2ce5ebfbde3351433e28dd5a8385785eca67a35cd0057197db4c03876119ac03
Threat Level: Known bad
The file 2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike
XMRig Miner payload
Xmrig family
xmrig
Cobaltstrike family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2024-11-10 15:54
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-10 15:54
Reported: 2024-11-10 15:57
Platform: win7-20241010-en
Max time kernel: 141s
Max time network: 144s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\zorbmdl.exe | N/A |
| N/A | N/A | C:\Windows\System\pkNPkoq.exe | N/A |
| N/A | N/A | C:\Windows\System\JDrYxqq.exe | N/A |
| N/A | N/A | C:\Windows\System\gQzAoUI.exe | N/A |
| N/A | N/A | C:\Windows\System\rMiFinj.exe | N/A |
| N/A | N/A | C:\Windows\System\emBTqIV.exe | N/A |
| N/A | N/A | C:\Windows\System\aDKqWjL.exe | N/A |
| N/A | N/A | C:\Windows\System\GEuaWYn.exe | N/A |
| N/A | N/A | C:\Windows\System\fdKNbBO.exe | N/A |
| N/A | N/A | C:\Windows\System\psMYNHG.exe | N/A |
| N/A | N/A | C:\Windows\System\uzfafvA.exe | N/A |
| N/A | N/A | C:\Windows\System\MCYNErB.exe | N/A |
| N/A | N/A | C:\Windows\System\BprvZOC.exe | N/A |
| N/A | N/A | C:\Windows\System\IaILOVZ.exe | N/A |
| N/A | N/A | C:\Windows\System\mHLvhmq.exe | N/A |
| N/A | N/A | C:\Windows\System\YQhVYBe.exe | N/A |
| N/A | N/A | C:\Windows\System\xXfADhG.exe | N/A |
| N/A | N/A | C:\Windows\System\hXotPbT.exe | N/A |
| N/A | N/A | C:\Windows\System\WBTnFIo.exe | N/A |
| N/A | N/A | C:\Windows\System\noJUgmu.exe | N/A |
| N/A | N/A | C:\Windows\System\ueqXhna.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe"
Dropped executables, each launched with its own path as the command line:
C:\Windows\System\zorbmdl.exe
C:\Windows\System\pkNPkoq.exe
C:\Windows\System\JDrYxqq.exe
C:\Windows\System\gQzAoUI.exe
C:\Windows\System\rMiFinj.exe
C:\Windows\System\emBTqIV.exe
C:\Windows\System\aDKqWjL.exe
C:\Windows\System\GEuaWYn.exe
C:\Windows\System\fdKNbBO.exe
C:\Windows\System\psMYNHG.exe
C:\Windows\System\uzfafvA.exe
C:\Windows\System\MCYNErB.exe
C:\Windows\System\BprvZOC.exe
C:\Windows\System\IaILOVZ.exe
C:\Windows\System\mHLvhmq.exe
C:\Windows\System\YQhVYBe.exe
C:\Windows\System\xXfADhG.exe
C:\Windows\System\hXotPbT.exe
C:\Windows\System\WBTnFIo.exe
C:\Windows\System\noJUgmu.exe
C:\Windows\System\ueqXhna.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-10 15:54
Reported: 2024-11-10 15:57
Platform: win10v2004-20241007-en
Max time kernel: 148s
Max time network: 152s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\jeeKNAe.exe | N/A |
| N/A | N/A | C:\Windows\System\GJtzZct.exe | N/A |
| N/A | N/A | C:\Windows\System\zsvZXhS.exe | N/A |
| N/A | N/A | C:\Windows\System\qByjvmM.exe | N/A |
| N/A | N/A | C:\Windows\System\HRFefzB.exe | N/A |
| N/A | N/A | C:\Windows\System\LTEcIwE.exe | N/A |
| N/A | N/A | C:\Windows\System\cqYZSrg.exe | N/A |
| N/A | N/A | C:\Windows\System\QEImdxU.exe | N/A |
| N/A | N/A | C:\Windows\System\dTsiWzU.exe | N/A |
| N/A | N/A | C:\Windows\System\SzmabeS.exe | N/A |
| N/A | N/A | C:\Windows\System\fkTWcsh.exe | N/A |
| N/A | N/A | C:\Windows\System\UjuZksc.exe | N/A |
| N/A | N/A | C:\Windows\System\dIHoUeN.exe | N/A |
| N/A | N/A | C:\Windows\System\erZVkWp.exe | N/A |
| N/A | N/A | C:\Windows\System\zazXphj.exe | N/A |
| N/A | N/A | C:\Windows\System\emDsXog.exe | N/A |
| N/A | N/A | C:\Windows\System\RMnQifx.exe | N/A |
| N/A | N/A | C:\Windows\System\fpzeSPb.exe | N/A |
| N/A | N/A | C:\Windows\System\dFablLy.exe | N/A |
| N/A | N/A | C:\Windows\System\XGwbNwe.exe | N/A |
| N/A | N/A | C:\Windows\System\pCCcCse.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-10_b7320ad651a87776f1ab8f515a98f465_cobalt-strike_cobaltstrike_poet-rat.exe"
Dropped executables, each launched with its own path as the command line:
C:\Windows\System\jeeKNAe.exe
C:\Windows\System\GJtzZct.exe
C:\Windows\System\zsvZXhS.exe
C:\Windows\System\qByjvmM.exe
C:\Windows\System\HRFefzB.exe
C:\Windows\System\LTEcIwE.exe
C:\Windows\System\cqYZSrg.exe
C:\Windows\System\QEImdxU.exe
C:\Windows\System\dTsiWzU.exe
C:\Windows\System\SzmabeS.exe
C:\Windows\System\fkTWcsh.exe
C:\Windows\System\UjuZksc.exe
C:\Windows\System\dIHoUeN.exe
C:\Windows\System\erZVkWp.exe
C:\Windows\System\zazXphj.exe
C:\Windows\System\emDsXog.exe
C:\Windows\System\RMnQifx.exe
C:\Windows\System\fpzeSPb.exe
C:\Windows\System\dFablLy.exe
C:\Windows\System\XGwbNwe.exe
C:\Windows\System\pCCcCse.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
Files
memory/4480-0-0x00007FF796330000-0x00007FF796681000-memory.dmp
memory/4480-1-0x0000024068D70000-0x0000024068D80000-memory.dmp
C:\Windows\System\jeeKNAe.exe
| MD5 | 9ba8f42f48c81e4c0a0ead8659d9f466 |
| SHA1 | cb36d707b12eef000506bc1da8eb787ddd07c5f1 |
| SHA256 | 218a1e63a2965155c694206f591ae16d797221ac96346ea4b089c583fa477429 |
| SHA512 | beb3629785d806e9d887982370cff0e2eb2f18088a029d678607d93fe1cd9aee47039aab506fff1928d77e06f747d7d7460a8fbfa119bad056be8767879d953b |
C:\Windows\System\zsvZXhS.exe
| MD5 | 3b77a5b8cc8e71f37e4223dc7fee4173 |
| SHA1 | d69c4ed183b89f8dfc4f955a37715851695c172c |
| SHA256 | aa9a03920057d1d6f17f389d1ae8b00f050c619f57e1a3537e6ba6fde2a3aaec |
| SHA512 | 2882153983b3fabc139eb18f885b6b52da94fa2a29ba279712d2411a6ab32a7c796a6211aa2c5b38241d1d1675b7ead0ad36fa5748c1661504eb221501632d98 |
C:\Windows\System\qByjvmM.exe
| MD5 | 3cb50921a7ef4122c123f616f1b39aa9 |
| SHA1 | c98734c6d0459df4db4db41aac4a4557224b375e |
| SHA256 | fd815343424931793e15c3d6ab0ced70d7abd14c571443b580b0d8b1d5d0649c |
| SHA512 | 07be1471ae1c1b3efe4a08a9c464a8527cf6c820570750d53cf6f7e7a3347e3bcf2b75a05aa06534ebc847901b1b2d5511fd632db314c11d55b5b4966d40836c |
C:\Windows\System\HRFefzB.exe
| MD5 | 4cb6b11f1ccd33ce7e6e27feec563838 |
| SHA1 | c0094ff42973599caabdbe34072cbea49f03f188 |
| SHA256 | 8aa5bdfd7523f8ad90214e27fdeca9d031266d27cbd1e009f1d3f0723522a6f4 |
| SHA512 | d699405f9ae85e26d931b7c80ebef2f2eac2dd87110b08baeb3b66bc32d24422d5fe0ad6910b3b091fa11dbab659e8e258c05aba8357baad4349e8d90636871b |
memory/1868-30-0x00007FF7BBD20000-0x00007FF7BC071000-memory.dmp
memory/844-23-0x00007FF670620000-0x00007FF670971000-memory.dmp
memory/1576-18-0x00007FF673510000-0x00007FF673861000-memory.dmp
memory/892-17-0x00007FF652920000-0x00007FF652C71000-memory.dmp
C:\Windows\System\GJtzZct.exe
| MD5 | effc0dbc74b21a4d8eed552d24d704fa |
| SHA1 | bb4b8fa60788fb689d7b41b34a1f5c68aa40ed3d |
| SHA256 | e8680bfffbb37874dfff19f76431806314cddaa0ccadf9cc53cecf4c1331114b |
| SHA512 | f764ecf9a1d82ae2a2efdd537a1924514e395a2d4f4661b68170cd94aeac6af97f7d4d0699995f118d4167e0c06b6f3ccd87bcf2599d55fa60aff4cff096873d |
memory/3456-10-0x00007FF798FA0000-0x00007FF7992F1000-memory.dmp
C:\Windows\System\LTEcIwE.exe
| MD5 | fe507d945f44e00d9066f58603c6df8b |
| SHA1 | c5e202db738091df1e10211fa66c8b669ea1b0b5 |
| SHA256 | 25b96c3707f3eb38c76d5744aed0a2637b785b0798be746b5925d160f9fa58a9 |
| SHA512 | 21a97c8977adc241836c9059a62a885fe1a0667428df6311b1f2e6e67f603b2474042752885e4b41d333e38a8b1699481d7e97cbbfda97f29cc9290f60382f31 |
memory/2912-36-0x00007FF663E20000-0x00007FF664171000-memory.dmp
C:\Windows\System\cqYZSrg.exe
| MD5 | 361d19ebfa58e553ada5b77299f8e4aa |
| SHA1 | 7dc5a1dcbdaec4baa98e6e775617f598f194a6dc |
| SHA256 | bced33ded90e32cc7992fcaefc6143129c92138e2eac99a0d3129527ce956cd1 |
| SHA512 | 0c39351d106046c0b07620a4b62ad4eef7d850e48e7fa725c2a78ce2cee4f48fcc80bbecbeff38cfe601592cd6179da5adea7ae24a25c5db139bc8f1299aa8d9 |
memory/2284-42-0x00007FF750C10000-0x00007FF750F61000-memory.dmp
memory/4264-48-0x00007FF66A740000-0x00007FF66AA91000-memory.dmp
C:\Windows\System\SzmabeS.exe
| MD5 | 02ee8eaa2499211d87c4fda7220561f4 |
| SHA1 | 787b09a2a136dfbf39be3404355eafa7bb46e8ef |
| SHA256 | 596d089685b92787e39a2e2deccc293e40d23b3531abe8898e8c4d50b97db6f7 |
| SHA512 | 7d102dcf78fd9e073d02b3018a5e7bf61356876e07e7a63442a88e2afb15b466d628545bff49a040f4d4b6a94db8081737fc1db1bc5828dc8f565b6b60b100b9 |
memory/1628-61-0x00007FF791BB0000-0x00007FF791F01000-memory.dmp
memory/892-66-0x00007FF652920000-0x00007FF652C71000-memory.dmp
C:\Windows\System\fkTWcsh.exe
| MD5 | d8d3b0e2ff017d2395c6f28677bce614 |
| SHA1 | 94b36ce9e78352eb3e6dec6ec757481fd2493551 |
| SHA256 | 083649ed1b0e53cb17e340ed9d21a6ef9748c0f922f3ced99237c3cce9ba86ed |
| SHA512 | f9028da4a2976e953a37d9c1250ca8c4e109eea428118655d6f91b72fc4ecfb7aaf7aac9019cbe18f92182ccebce7a37452ae6438823290ce17076a7a9bed836 |
memory/3016-69-0x00007FF603290000-0x00007FF6035E1000-memory.dmp
memory/1200-67-0x00007FF624C20000-0x00007FF624F71000-memory.dmp
C:\Windows\System\dTsiWzU.exe
| MD5 | ab69ff42fbb5f88dbb4a411ebd7f49df |
| SHA1 | 1d94cf36f4d19568c6519fec11ea23b7fa39e336 |
| SHA256 | 062eb8c505bcf1a098ad3be884e19bbe0ab922960e90a03a384c68003d27a8a7 |
| SHA512 | a6862d586985f66fc5d4bc1f98d3e3a1f9ea77d0c7fff3bbb22501bd3dc53097af920de5207833be28434ff0f53e820bb3a80299939a6b26701f39890a7ead4c |
memory/3456-55-0x00007FF798FA0000-0x00007FF7992F1000-memory.dmp
memory/4480-54-0x00007FF796330000-0x00007FF796681000-memory.dmp
C:\Windows\System\QEImdxU.exe
| MD5 | e97af8476c7d49be6ac8727dc8bad9da |
| SHA1 | 46c3c9a5502f8c50a39ead8ae0de7ec8f6072b70 |
| SHA256 | b08818b6ce3b062b83de1abd3c08aa98c690d3cc1f04ac22dc24c465661a9cc7 |
| SHA512 | 657437d3ea4a2b8c9f828b06963f8d74fee6154cbee5048d4147456fe71e3d9cdf4f925eea31910d0571582d3f0c693860964c130f0745f28fe79a0006318cc4 |
memory/1576-72-0x00007FF673510000-0x00007FF673861000-memory.dmp
C:\Windows\System\UjuZksc.exe
| MD5 | 9cdd7f376ad33a2a317af7415c9f14f7 |
| SHA1 | 2e68ae76623efe82fa2649723dccd4e0c2853840 |
| SHA256 | c53c122384336736e889552341b3d2c71c90546e2d3e408ebfd7835ab65425d0 |
| SHA512 | 579765dc056764341beb57fc75ee1fa83ded37b8908049e02bc0860561142c6f6b197f02eed4cb18b2bb78008afe52c00a3620a3c108e3f4147c5485061f3b1c |
C:\Windows\System\dIHoUeN.exe
| MD5 | 1489aa8a774f18946a5c10a19b922cfe |
| SHA1 | 76504be4ecc338f1ae685b100b5fdafa7d19ac75 |
| SHA256 | aab30e32da7a2c26b01504410c70c915ce38938222595f96674104ec4baa4c86 |
| SHA512 | 7bed9b72b236f5543888eca3e5e99efbd0dd30d8be7bb770f0fdf2abcc7636df33de41a3be98d13d01615939cbeea54e83725082ea544a565fa22f60a31284e4 |
C:\Windows\System\erZVkWp.exe
| MD5 | 640eee1b01e1819a288731e04509c034 |
| SHA1 | 48c9f57091f6ecc80dbc9b2dbaec1134c90fdcfc |
| SHA256 | 2034927e33e72a757858cc64177ded349b603677ce5b3f73eff2ada7543767b6 |
| SHA512 | fd3ef4f7c41bd24747e4b3214285518ebc2d72e17441ea5b9f45d9d4dfb96e0ab3410ec56607ad918f7fcf3db60c3a27c24ae03d9c90797dbc92907662d17a66 |
C:\Windows\System\zazXphj.exe
| MD5 | 893b567bbc5b42a50cc79ef45cb228f3 |
| SHA1 | cb6db005ea5d190f32734d11341863e63c91e2e5 |
| SHA256 | 3b21bb387ae78d1f4fd40e2fafe7d451828dfc2692fce63edd19dadc9145054c |
| SHA512 | 842f5e88a0539014736656ade9844b6405ddce68b20866e62a643c1bdce95477991b588b78c7fa9b97ad65a98442951de71c6dbe834ebf3139db2f59d8cc04cd |
C:\Windows\System\emDsXog.exe
| MD5 | eff32b361b81eca9c562d82545d7ddab |
| SHA1 | f59ef507e095b069a434c9b89d7bac544d960481 |
| SHA256 | abcd460441b5e3ad56be45524a440239468e7746037f9afb359a32f6ef74f840 |
| SHA512 | f177178730561adafba330ac5d95a77c431a6c6f77ec8dca15e932c870e6a94335536d6d3bb1c0f9f8f43ac5168d4aa27c176f85bcf02d2b118319bb632b877a |
C:\Windows\System\RMnQifx.exe
| MD5 | 20ccf8dcbdbb64a175af76ce2c29aec8 |
| SHA1 | 1b78f05a53b45f003748698c81f6016cea25ba3b |
| SHA256 | d03f0f06a9988d95e77b904bc2dd85670d8de6d000f43ac2f4d579ec47f54db5 |
| SHA512 | 185a5a9ac5d2d256a9d469709ff0dc8a96174368d9feb35e8ebe05533d4c2454943eb71b8538984816d1a8e6c948b8cc1f8d30362eb02502e8d9c498fb94333e |
C:\Windows\System\XGwbNwe.exe
| MD5 | 7637e585df42e05f803d7c325b99a74d |
| SHA1 | ae7555d9e779e75d6f139ee14491e8766151dda2 |
| SHA256 | 3424bbc52454895430a296e026d69d6c1b9db4c139cbbc4f052daed31116d829 |
| SHA512 | b9f95601730680396765301baf187bf0425c917d6707cfb8d54dea09615f05cd5a814cd357069ca8a1754e74133fb555836b3b41077924c41df77be2d93c883a |
C:\Windows\System\pCCcCse.exe
| MD5 | 8ecb5a9905030da2cce9679315118d09 |
| SHA1 | ee8f37d65e1a697e22975bf78293e799e785fdbc |
| SHA256 | efba3f48db88aca2dd334f723541a88baa4bd0f62e525766f6ed33ae7b802290 |
| SHA512 | 179a4462b144d145fad98f01b9ac162e34cfe762b58880cea2818ac9d01f0a096656f4729f8a51e481e2e4a9e0d742b8356c003ff39af57c2b3fbd2923767745 |
C:\Windows\System\dFablLy.exe
| MD5 | aad50f5f5a0cf50a0456a775f56bc1a0 |
| SHA1 | 215eae9e455b2128161e6b582ee61c2c1ba6dd13 |
| SHA256 | b6fb99e1972eb4550b73d0156f1f3760399a60ab148baab838f4180becd21c75 |
| SHA512 | 8812d4e6c81fdb2a81abe255df43048debb78bdb208a7302174855fc680a6565738cb2b915ccba2d3b33b92f6c6a91a88e1818f5759480fac6fd1c8d6ea9ebec |
C:\Windows\System\fpzeSPb.exe
| MD5 | 885b8f8f5aeeee15af15294ba112d684 |
| SHA1 | 7fc6935b5059e5fc6b43a277be880c9a3d9d61a9 |
| SHA256 | e4187c1d9dc702b770ecdf4c93e237cdafe52c852bb6f6e9160c1e75493f45b6 |
| SHA512 | 96fd39c93813d9a5283766ce14a9c33b60f8a236ee6b7d14434e1896413263b461352198911d1ba09f5795dce35150ed497ed4acb47d4cc2801fc27cd463571c |