Analysis Overview
SHA256
46db20bf6710d9377378815384347b99f0d2327e4ea9306289aff17deccef1aa
Threat Level: Known bad
The file 2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobalt Strike reflective loader
XMRig Miner payload
Xmrig family
Cobaltstrike
xmrig
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-29 06:52
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 06:52
Reported
2024-06-29 06:55
Platform
win7-20240221-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\oQcqWnH.exe | N/A |
| N/A | N/A | C:\Windows\System\RmNclhF.exe | N/A |
| N/A | N/A | C:\Windows\System\WHCylDx.exe | N/A |
| N/A | N/A | C:\Windows\System\YHPdtZU.exe | N/A |
| N/A | N/A | C:\Windows\System\eIrFuFX.exe | N/A |
| N/A | N/A | C:\Windows\System\EpQpzBa.exe | N/A |
| N/A | N/A | C:\Windows\System\GvAmuHo.exe | N/A |
| N/A | N/A | C:\Windows\System\GHLJtmO.exe | N/A |
| N/A | N/A | C:\Windows\System\iJgCCYz.exe | N/A |
| N/A | N/A | C:\Windows\System\APXyfcS.exe | N/A |
| N/A | N/A | C:\Windows\System\kRVUsKo.exe | N/A |
| N/A | N/A | C:\Windows\System\DjNcrsm.exe | N/A |
| N/A | N/A | C:\Windows\System\nJPRxyv.exe | N/A |
| N/A | N/A | C:\Windows\System\nnzBmsr.exe | N/A |
| N/A | N/A | C:\Windows\System\tQNVxzF.exe | N/A |
| N/A | N/A | C:\Windows\System\VkhVleG.exe | N/A |
| N/A | N/A | C:\Windows\System\rkmlofP.exe | N/A |
| N/A | N/A | C:\Windows\System\mWDnVYQ.exe | N/A |
| N/A | N/A | C:\Windows\System\PxCuwlW.exe | N/A |
| N/A | N/A | C:\Windows\System\gTyxIkj.exe | N/A |
| N/A | N/A | C:\Windows\System\jKVPDjR.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\oQcqWnH.exe
C:\Windows\System\oQcqWnH.exe
C:\Windows\System\RmNclhF.exe
C:\Windows\System\RmNclhF.exe
C:\Windows\System\WHCylDx.exe
C:\Windows\System\WHCylDx.exe
C:\Windows\System\YHPdtZU.exe
C:\Windows\System\YHPdtZU.exe
C:\Windows\System\eIrFuFX.exe
C:\Windows\System\eIrFuFX.exe
C:\Windows\System\EpQpzBa.exe
C:\Windows\System\EpQpzBa.exe
C:\Windows\System\GvAmuHo.exe
C:\Windows\System\GvAmuHo.exe
C:\Windows\System\GHLJtmO.exe
C:\Windows\System\GHLJtmO.exe
C:\Windows\System\iJgCCYz.exe
C:\Windows\System\iJgCCYz.exe
C:\Windows\System\APXyfcS.exe
C:\Windows\System\APXyfcS.exe
C:\Windows\System\kRVUsKo.exe
C:\Windows\System\kRVUsKo.exe
C:\Windows\System\rkmlofP.exe
C:\Windows\System\rkmlofP.exe
C:\Windows\System\DjNcrsm.exe
C:\Windows\System\DjNcrsm.exe
C:\Windows\System\mWDnVYQ.exe
C:\Windows\System\mWDnVYQ.exe
C:\Windows\System\nJPRxyv.exe
C:\Windows\System\nJPRxyv.exe
C:\Windows\System\PxCuwlW.exe
C:\Windows\System\PxCuwlW.exe
C:\Windows\System\nnzBmsr.exe
C:\Windows\System\nnzBmsr.exe
C:\Windows\System\gTyxIkj.exe
C:\Windows\System\gTyxIkj.exe
C:\Windows\System\tQNVxzF.exe
C:\Windows\System\tQNVxzF.exe
C:\Windows\System\jKVPDjR.exe
C:\Windows\System\jKVPDjR.exe
C:\Windows\System\VkhVleG.exe
C:\Windows\System\VkhVleG.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2296-0-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/2296-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\oQcqWnH.exe
| MD5 | 1410ec25b2e3c1a0fb930bfbbe607f83 |
| SHA1 | 25fff6d4440d9f71be2a9ead3f923dd7c0f33459 |
| SHA256 | 458be003522a51baa2076986c7291209dcafa93445152fd21c358e3dea8418b2 |
| SHA512 | 9177a6e22046005acb62ef4abd59c4b50592444505518ed17df6ac047244af2425d9dbbde1f368f470b37f1155e244714a4d4f1701967dfe9e5f4a4766683f11 |
memory/1796-9-0x000000013F490000-0x000000013F7E4000-memory.dmp
C:\Windows\system\RmNclhF.exe
| MD5 | b930756a18dd03bc5ae9b67524087106 |
| SHA1 | 1d091c494081f5229df34d92b944e30b581282c4 |
| SHA256 | 53903e223d97f905835664b50f713c4cdba883ac7e862813a494bbfa0c4897f8 |
| SHA512 | bd7ffd24bdc53f1397244024e63e4cbb9eaa3387a992dbcec6e34c9ce5b080316086ee0de9d195492adc2bc8c2d282f637db90be48fcc1446f768eb069bf7d7f |
memory/2160-15-0x000000013F110000-0x000000013F464000-memory.dmp
memory/2296-14-0x00000000023D0000-0x0000000002724000-memory.dmp
memory/2296-8-0x00000000023D0000-0x0000000002724000-memory.dmp
C:\Windows\system\WHCylDx.exe
| MD5 | a02ad3dc4dd1e25cd9c684ef20b8f1e4 |
| SHA1 | c3c16367510edcdfc721cb262e1be4fb09aec7dd |
| SHA256 | e8279b45ebc08e394316a2471cff50af2b106b5ca6282a35298c6799ea56dfff |
| SHA512 | 301fe73fbee978a0aa2730744585e421b5cb7e890d98a3e3113e281335fcfe7609ef9ed6222f77ace0b05bc591e5a0d8f36dc5cd89b7c430f50cc3bb50cc9209 |
C:\Windows\system\YHPdtZU.exe
| MD5 | 522763e0247557f6f56d5e09db6b803e |
| SHA1 | b28096f78bd1a04906a64bfddc2ecf99be9f9ba4 |
| SHA256 | 5e93bfeb538ac190e516d6c035373d60254d963d6f81a1b63d65e9c0992298f4 |
| SHA512 | 9cf138dedadaac7cebb9cc704f635e77ec8c782f51efba58e042bfb5b5cf2d074169f0ddc7eea0198a728a16543fd64a90fcc4f308161fc88b4b26835838ed23 |
memory/2296-32-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2132-29-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/2296-28-0x00000000023D0000-0x0000000002724000-memory.dmp
\Windows\system\eIrFuFX.exe
| MD5 | e234666534f6c4b24ecf573afb9d5259 |
| SHA1 | ccf7b07caa074f7e0f1a4c2187be809d401ee87a |
| SHA256 | ae7ed4f7d36fe4959291606111398f52cad7f13fbfb4f548101ebb3a8368ad99 |
| SHA512 | 775c9c5fcdb94ad2e5bca4e4f3615d564bfe64e2f376a2e6590b0dcfca0810abe020aade06cfd5fbc4851ca6b8c15b35ba229f3ff6bfe7cf7ae4491ad8bfff5e |
memory/1896-21-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2296-20-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2544-36-0x000000013F690000-0x000000013F9E4000-memory.dmp
C:\Windows\system\GvAmuHo.exe
| MD5 | f6ef56895d67142b34cc492ad628f36f |
| SHA1 | c68450ff83dde7111b0ed3385cd8d07b5febf353 |
| SHA256 | e091c6e32b207442cfd696368bf5b31a7351d2d47c82f0fae275c50c4879f375 |
| SHA512 | 9f83c5268082acb157f3e9c096813c055d450646c247722f7c761bc0492960e97a5a5333361ba2e58e37614e8c019992ea291087648c8b5881414e48c3b2b2be |
\Windows\system\APXyfcS.exe
| MD5 | d822465a226a1be3020bdf3c78b946a0 |
| SHA1 | a3afa4efc8229c8989c3536ff2e286da6e979783 |
| SHA256 | bd91b3a07c3ad0dd209b433b08a4ef0ae096bddec90da8a53edb0c67479667ea |
| SHA512 | 1ecf19de49d0ba611cad6961cf07a375faa5ebadce74fe78024ff6ac82bd1c155233c3fe29428632d081beae48fd977ce3bcc8e032b22586b4ceed648b15352c |
C:\Windows\system\VkhVleG.exe
| MD5 | ea3878f5be5c355310dfb3ee8a7d53b2 |
| SHA1 | 06d81d5a86cfec3975e57d413a6ceb0dc4937e26 |
| SHA256 | 817d7186bfb1ce66ca1176e64415d8b3c4010fee441220dffdec0ae1fb24d356 |
| SHA512 | c5b8f4062b70f4a264d0da4ff20adccc75a64a584eb3e99612d186e716190db5709a664b4727906c4404448374a5577d22d2be31cf76e31a42752525427a490f |
memory/2296-102-0x000000013FDB0000-0x0000000140104000-memory.dmp
\Windows\system\jKVPDjR.exe
| MD5 | d186bd8cd6a1b9079f5482c1fc4d9142 |
| SHA1 | 22cb61aeea08e1a4ed6b22019cb54ece86567e37 |
| SHA256 | ad7e00b3e932e779c2a5bc5314bdee3cdea19aadfc3c7109113fe13e7b9c892d |
| SHA512 | e716358276034cd36d4a38dd01f080980176aadcc0f54cd7aa60cb4d7094bc27ceebaf39c5690ccac43fb2c95c39b12de42967b0c0aec7fe8943bccc7d2c3ba3 |
\Windows\system\gTyxIkj.exe
| MD5 | b8b5188ecd1e13dbd89ceb3ecd8cbc97 |
| SHA1 | c1aeb2b9d3f7ad5bb7da36238df895992fc5efea |
| SHA256 | 48835c8352aaae6fda89755aff5c7f51c2702fda5c6d133e53b4e7a3cf70be5d |
| SHA512 | 254c1b504db9d4e76877e3c80c4b3611c706c97d65db2e4e1c196ec6976b60cf25670c5eed5825f208f881b5f2535949190836e0f732b48a48abb6824b03e15c |
memory/2296-81-0x000000013F590000-0x000000013F8E4000-memory.dmp
\Windows\system\PxCuwlW.exe
| MD5 | d7a7a7dece8a41d1152a0b5c361b3315 |
| SHA1 | 0ea8bad229cac81edb317460770ea5d4b2b35d1c |
| SHA256 | 22232f9ccdd36867f0c5920206d335620bc5abe0ce3d7c28c432b72b687033bb |
| SHA512 | 57a9d34e116e9f83657f787af6acc28a9df5d2fc4ed6fed80780ef4fbe30d324ab86417411ed5dece1be776e9e0ca17297deb7d4385a0bbc3ff472396bf4bba5 |
\Windows\system\mWDnVYQ.exe
| MD5 | 39c96fea199518e84e79a998424e82bd |
| SHA1 | 787b474919200c7359bce582e3d1f644b9ab3248 |
| SHA256 | 0be37ff46d8de49b199d9c2ed4be296bcf0bce83b2d05c4b926d0e36be49d0cc |
| SHA512 | 1a771178809f9d8907ae8285591baff2e8ee3ecb097cac3358806dd45c1798e21e8a3b2d4ee6b660735c8bf9cf74bd477130ced82b70c0a3f2ee762f2e972fac |
\Windows\system\rkmlofP.exe
| MD5 | 443e4745472701fd4310826d528c0715 |
| SHA1 | f8e03f41d1dafdcb21284cfa74cfdb0558f0b623 |
| SHA256 | 28ec6b5965b820cfd8bc388d4971567d3bbfdfd1d373edfc625e1009e5184d38 |
| SHA512 | 657d365994a63d9c64926a9306afe0fd3424cfb82953925a53dcf119c88b94e0620c0f3954d601062b8269a8dac98101fc810acbfeab31ce4468427748a02a02 |
C:\Windows\system\tQNVxzF.exe
| MD5 | 0aaa715eb941cd2775a8f58dab76021d |
| SHA1 | 56e5b63600c38158062800c3d05ed7a16d3b1a13 |
| SHA256 | e1f7d044d473ecbc01f25ef49f08c8d7c63fc2ff4452a254b8e306a5359e19de |
| SHA512 | 57d4f1a89e862cc31e931d9bd0123cd4858a47c9f6e1d4d62a7e7bcb8670ed024138d18be549fc566508086a51354f139e1fcabb7b3624233fc02066a6f5e943 |
memory/2132-132-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/2296-131-0x00000000023D0000-0x0000000002724000-memory.dmp
C:\Windows\system\nnzBmsr.exe
| MD5 | f7f886c923733518b8bf979bddafdd3b |
| SHA1 | 8719798c5c4e772b66fb00ffbe863618d2e87cb6 |
| SHA256 | 566cfeca2aa4d4ec5a9f7083654c71c8c57147cb6f0041b7d7b8b1e13d7026ff |
| SHA512 | 9be67856e2898c27fb0444feedcdb12948e11dd3d8cc961ae758897e5632e01cc582c5ef6494b3459029fef66923b94933bb4fb281cb1fc08eb97fbc2ce7fdb3 |
C:\Windows\system\nJPRxyv.exe
| MD5 | d80b0f329ae6c0dd2878f5c25b27cab6 |
| SHA1 | b91396b5143393979e9e2173a03d5217f2a482ce |
| SHA256 | 4c6a99b81fec1e69f2e23ea713e1fff136326bbad008a438b3c7dbc6ec2f05c3 |
| SHA512 | d920c861a677d50ccc5a9ea88a052cb414cdf79da16af50892f64f924828895b59fc511a904af8e8115714f9d3338ef043f2edc91316d0d9cac3b9da4d1ae3a2 |
C:\Windows\system\DjNcrsm.exe
| MD5 | 7a711754d3b8de6bcb590bb55dfccdaa |
| SHA1 | 58c169584585321b191319833b919b833f8bf640 |
| SHA256 | ea2797642fcdc5579f164f93c8f819ecd766008c924e1855f63c5db451e9c7b5 |
| SHA512 | 954cca87fd3afdeabe32e2504fae274ad12a25590cf55f0f45a4b6621e706a11df29cf5bab32f59620814cb7420d60e990620e8611e3542ef8172e180bf80669 |
C:\Windows\system\kRVUsKo.exe
| MD5 | 54239978b418ab73d4f22577f4e98c36 |
| SHA1 | 8e9a7a932d6ddcad6c9686ceceb3f9dc050dbed3 |
| SHA256 | 8f78c0a64d204cc8fd4bd2e7d92b5838e74adf66f7282f08e4c501dd67e42316 |
| SHA512 | 2e0c112ecebfaf1141a727dc6a3748eb42bf44ba67327867af1cea6226c39e65e7848157cb954fff22003f8bca441613b2e55e0c9d2037bc5b976efeef2d9494 |
memory/1896-112-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2296-110-0x000000013FA90000-0x000000013FDE4000-memory.dmp
memory/2296-109-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/2296-108-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2296-107-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2296-106-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/2160-105-0x000000013F110000-0x000000013F464000-memory.dmp
memory/2296-98-0x000000013FE80000-0x00000001401D4000-memory.dmp
memory/2296-96-0x00000000023D0000-0x0000000002724000-memory.dmp
memory/2480-65-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2296-59-0x000000013F1F0000-0x000000013F544000-memory.dmp
C:\Windows\system\iJgCCYz.exe
| MD5 | c1337ef562233465fa4116c35f1ff8cb |
| SHA1 | c068361acd8bcf782edb54e648aa9e221c87c4cb |
| SHA256 | d532101733cb8f33c91fe0c002fac95fdfd1eac02351e2b62caf41a57ecd9575 |
| SHA512 | e0248e875d556536947b19b5b3c30ac491f98fa67569cef7b77000606bc65b38db17b789355b56ecaa6da2192ec79257822e9a42e0ed2183bbfc0678c9cd7f8e |
memory/2544-133-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2368-54-0x000000013F190000-0x000000013F4E4000-memory.dmp
memory/2296-53-0x00000000023D0000-0x0000000002724000-memory.dmp
C:\Windows\system\GHLJtmO.exe
| MD5 | f6504a6343dc30210331f9d50e99a314 |
| SHA1 | 30006eee7aeee25be2d82502df1757200d8126b0 |
| SHA256 | b9918a48b99c1ecdcce6a2c7acc9ac27b80e5be9f08db7a644368308d20b8387 |
| SHA512 | d860605fef81f0bdfe5ddbdd5586f980122bc8ad84cc92c5bf9905ddc4995451989f7df0b582d915088c643273ad4670374c3706c7da22c4643abd08216cdb23 |
memory/2572-134-0x000000013F9F0000-0x000000013FD44000-memory.dmp
memory/2520-48-0x000000013FC00000-0x000000013FF54000-memory.dmp
memory/2296-47-0x000000013FC00000-0x000000013FF54000-memory.dmp
memory/2572-42-0x000000013F9F0000-0x000000013FD44000-memory.dmp
memory/2296-41-0x000000013F9F0000-0x000000013FD44000-memory.dmp
C:\Windows\system\EpQpzBa.exe
| MD5 | 429b9910cf50747b1c5d181a5f8f85aa |
| SHA1 | 777abb895113aa083801cb2ad449d09ee56d05f2 |
| SHA256 | 978e4d08af4b4ccb9e7bc91c9b87151a82458013c3416bef8f190d65b9bc6978 |
| SHA512 | 91eafdde5c669afff8baabc435c3c9908030f40176c1122d08123f646acb12758b1768f6ea0512416cac1a7d2ed94daf7e62afb24258e65448bac68a58ac5b08 |
memory/2520-135-0x000000013FC00000-0x000000013FF54000-memory.dmp
memory/2480-137-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2368-136-0x000000013F190000-0x000000013F4E4000-memory.dmp
memory/2296-143-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2296-144-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/1796-145-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/1896-146-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2160-147-0x000000013F110000-0x000000013F464000-memory.dmp
memory/2132-148-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/2368-152-0x000000013F190000-0x000000013F4E4000-memory.dmp
memory/2480-153-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2544-151-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2520-150-0x000000013FC00000-0x000000013FF54000-memory.dmp
memory/2572-149-0x000000013F9F0000-0x000000013FD44000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-29 06:52
Reported
2024-06-29 06:55
Platform
win10v2004-20240508-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\rBwVoOA.exe | N/A |
| N/A | N/A | C:\Windows\System\lVHkoIu.exe | N/A |
| N/A | N/A | C:\Windows\System\FzldCOB.exe | N/A |
| N/A | N/A | C:\Windows\System\GPtoOJG.exe | N/A |
| N/A | N/A | C:\Windows\System\ujozQfa.exe | N/A |
| N/A | N/A | C:\Windows\System\OGvdNjm.exe | N/A |
| N/A | N/A | C:\Windows\System\QYyOmxx.exe | N/A |
| N/A | N/A | C:\Windows\System\ZOEFqps.exe | N/A |
| N/A | N/A | C:\Windows\System\kmfZiqB.exe | N/A |
| N/A | N/A | C:\Windows\System\UqoHogv.exe | N/A |
| N/A | N/A | C:\Windows\System\HlBlfFj.exe | N/A |
| N/A | N/A | C:\Windows\System\rKhbUNx.exe | N/A |
| N/A | N/A | C:\Windows\System\KsdnTyY.exe | N/A |
| N/A | N/A | C:\Windows\System\PbJSbDf.exe | N/A |
| N/A | N/A | C:\Windows\System\mpAOBNW.exe | N/A |
| N/A | N/A | C:\Windows\System\YUryLVZ.exe | N/A |
| N/A | N/A | C:\Windows\System\DwNkIWW.exe | N/A |
| N/A | N/A | C:\Windows\System\mQVxQJx.exe | N/A |
| N/A | N/A | C:\Windows\System\eyNioRW.exe | N/A |
| N/A | N/A | C:\Windows\System\yDDtrfW.exe | N/A |
| N/A | N/A | C:\Windows\System\gdhkthX.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_34c58f7611fe77771485847b601c483a_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\rBwVoOA.exe
C:\Windows\System\rBwVoOA.exe
C:\Windows\System\lVHkoIu.exe
C:\Windows\System\lVHkoIu.exe
C:\Windows\System\FzldCOB.exe
C:\Windows\System\FzldCOB.exe
C:\Windows\System\GPtoOJG.exe
C:\Windows\System\GPtoOJG.exe
C:\Windows\System\ujozQfa.exe
C:\Windows\System\ujozQfa.exe
C:\Windows\System\OGvdNjm.exe
C:\Windows\System\OGvdNjm.exe
C:\Windows\System\QYyOmxx.exe
C:\Windows\System\QYyOmxx.exe
C:\Windows\System\ZOEFqps.exe
C:\Windows\System\ZOEFqps.exe
C:\Windows\System\kmfZiqB.exe
C:\Windows\System\kmfZiqB.exe
C:\Windows\System\UqoHogv.exe
C:\Windows\System\UqoHogv.exe
C:\Windows\System\HlBlfFj.exe
C:\Windows\System\HlBlfFj.exe
C:\Windows\System\rKhbUNx.exe
C:\Windows\System\rKhbUNx.exe
C:\Windows\System\KsdnTyY.exe
C:\Windows\System\KsdnTyY.exe
C:\Windows\System\PbJSbDf.exe
C:\Windows\System\PbJSbDf.exe
C:\Windows\System\mpAOBNW.exe
C:\Windows\System\mpAOBNW.exe
C:\Windows\System\YUryLVZ.exe
C:\Windows\System\YUryLVZ.exe
C:\Windows\System\DwNkIWW.exe
C:\Windows\System\DwNkIWW.exe
C:\Windows\System\mQVxQJx.exe
C:\Windows\System\mQVxQJx.exe
C:\Windows\System\eyNioRW.exe
C:\Windows\System\eyNioRW.exe
C:\Windows\System\yDDtrfW.exe
C:\Windows\System\yDDtrfW.exe
C:\Windows\System\gdhkthX.exe
C:\Windows\System\gdhkthX.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3884,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=3740 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2232-0-0x00007FF6E8D40000-0x00007FF6E9094000-memory.dmp
memory/2232-1-0x000002969A4D0000-0x000002969A4E0000-memory.dmp
C:\Windows\System\rBwVoOA.exe
| MD5 | fecf40a92437c8d2668bfbd8e4db5134 |
| SHA1 | 995e231884edc0a26e3be50771adecfdcfd84f12 |
| SHA256 | 97bdcdeb726dff3e63e7d161079a3b12e8bfa289e3c155968656a6018f8bbde9 |
| SHA512 | 22928daf561cd9d2646ec5e7f40b64807c9d82b27a6b8bc72935fb05657307f237d81215f4cf5cfe85dcd0256f4353f12047841d00fac445942b8ee278c04841 |
memory/3796-6-0x00007FF7D0880000-0x00007FF7D0BD4000-memory.dmp
C:\Windows\System\lVHkoIu.exe
| MD5 | 51ec5969ec165429cb514a6c0462e918 |
| SHA1 | d000cf6cd61d7678fa15157e71df14574e5f5e49 |
| SHA256 | e15723dd3fc82067522eaff359155033579f898a09ef18ec906ae37974c37e2b |
| SHA512 | 041fab45ff7249e335b2662c1b7243454e5b6d3e0cd4cedaeed1ab56b0cd7ce6b3c23b33c9616da7d9cfda9857be0ee4c430d799c280929564cbe0bbc34df0d4 |
C:\Windows\System\FzldCOB.exe
| MD5 | 4838cd7afe2aab943ff3a0dbdf33a8af |
| SHA1 | 11e3fbe6024be203b02ea60f0787b190914ef40e |
| SHA256 | ddaebbe9ef02194a4555cc47ff427f668111b676713b6ed19f8fc66090860357 |
| SHA512 | 940fdbfc6d1eda3ce11074965d1f5bbe9a0210c3858fba169b6349f2ddff6670d7ffcb9f2c38730f3888c5c69542cfec0cc6119527adb53c936d6fea95729c4d |
memory/3808-22-0x00007FF601560000-0x00007FF6018B4000-memory.dmp
C:\Windows\System\GPtoOJG.exe
| MD5 | 9430e3d88081745a46025820bcd9dc38 |
| SHA1 | b3f955dec83ea96214bb5b2951aeb3eff14c3379 |
| SHA256 | f3d13e13c0556a13ff154b0e8aff4ab0426c3165cff192a3cae7a16ec958d530 |
| SHA512 | f2c19f4440b114205f973fae59b93bc993f6fbb663bb487ea1fbdbbb4699ec5eba4c008ee55882fef3e1253790246e04da4644f549e7cc7b8a71951c256dd9d8 |
memory/3840-15-0x00007FF6C42B0000-0x00007FF6C4604000-memory.dmp
C:\Windows\System\ujozQfa.exe
| MD5 | 581179be07588649de5ff844df00b2e8 |
| SHA1 | 0dbc24bba53cad01f7043c7f7c949dd9071be5b1 |
| SHA256 | 23fc83b6faf4cf1aeccf3e6f2c2bd537c230de27815ab7e6fa2c641516699159 |
| SHA512 | c8cb5148ebd1785657abb566d6b512b3ae76456830fa6749983f532f712aa270c531530465cc972946e8411c7b832844c8101e9547e1fbda932deff178e28d4c |
memory/1584-28-0x00007FF60C2B0000-0x00007FF60C604000-memory.dmp
memory/3016-40-0x00007FF767440000-0x00007FF767794000-memory.dmp
memory/4996-45-0x00007FF6BE890000-0x00007FF6BEBE4000-memory.dmp
C:\Windows\System\ZOEFqps.exe
| MD5 | d7191d982f97e457642c82cf516290a8 |
| SHA1 | d8b8ac47f39078186223454f10a85ffc7860a392 |
| SHA256 | f091eb94eed425fc9fffeaae15eaf298d7c826b2b16f0873b7e9f74b8e961fdf |
| SHA512 | 40dfec078203e955a9baba1de274a2fe2d858bef01d15cdd7b1b9262951efab5c722c467f83aa9c0ba1bdf82696cd2dd12bca4624d03ff5401f1ca6791109c83 |
C:\Windows\System\QYyOmxx.exe
| MD5 | 0c2fed6726b5d1ef9b72e072ccb8ce3b |
| SHA1 | e0eb26a352f25b79424a0cb8725efff7d19288f6 |
| SHA256 | 58906124a785576e2661f73f02ffbb927014cff46e14375d90b185f5d53ef8fd |
| SHA512 | dd1f9d8de1f35288e0d406293eb43303dee9b3ced9fa3783d6288b471ab3444b1355e08e880685b0e86563c01ba310f80fe6bfc645eb697ab8e7587a99db6e58 |
memory/3800-46-0x00007FF7E3EE0000-0x00007FF7E4234000-memory.dmp
C:\Windows\System\OGvdNjm.exe
| MD5 | 48f0748963bbddbfd95e44cbc179d646 |
| SHA1 | 3ad3c6ec3f59d19c3d68e5ad25415ed5b2f8ebf0 |
| SHA256 | fc7c9e16cfe14316b673ace00c583bfb3ccc5e563d2e6dc36a1442eed13ceee1 |
| SHA512 | e1aa52de5a59f674e8af7cac9071b5de5a7f0a34de7cd8e6411a4b930de006ee45db6173e517627866ec527e336d224c868ea5200b03fdfa5fde16d04be0597b |
memory/4784-33-0x00007FF7A31A0000-0x00007FF7A34F4000-memory.dmp
C:\Windows\System\kmfZiqB.exe
| MD5 | b125430a1ad3ae4a8e2c8febd9f55f5c |
| SHA1 | 44d4e364af9f4187b12c1577b389c4fb2746e18a |
| SHA256 | 1f81f357fcc77b675a64bd2c6b3b18792f827753e162dcd4a4c22ba61cb22cc3 |
| SHA512 | e1e5a4279175059aebd37bc98ed88fff048e5a99c81eb89994616ea89383f3c214c7ffa63f1e1e2929cf6d47c430a8fc400c69acc7889bdc6ca1e58d49129810 |
memory/780-55-0x00007FF6393C0000-0x00007FF639714000-memory.dmp
C:\Windows\System\UqoHogv.exe
| MD5 | b9fce04f88059efeb4b50538c96ae971 |
| SHA1 | a8791066e880832583617ff67dbbf1df81ec6432 |
| SHA256 | 2f62f2f192458ee774ba2ca9f1c8424ef1ff0206c6a8394c795718c0fc5ebd8e |
| SHA512 | 62e4ec0b88e7518c7fff206cdc2dd7661b855ccbb1fc4b8d30b8398aca7814cec32cdcb11d572162c67b77180381b26ad3f5ec3cecf3ad27d34091ba746c619c |
memory/4216-62-0x00007FF600530000-0x00007FF600884000-memory.dmp
C:\Windows\System\HlBlfFj.exe
| MD5 | a568c3f70baeebbca5979afd1cbca28f |
| SHA1 | 135ac08c7b8703c93d534cac4c2bf0a3c166d077 |
| SHA256 | 8a087506427b8699f41df18fcec0be5e490ec57202b5b6275403c1516ac8bc00 |
| SHA512 | 75d43eafb1133826e596b06f956de7766e37eb27948a82684af253b56f644c577d3ba952bdfedad6b7e7c2cf14d2621a061ee80da7529cc067374ff226c5aecb |
memory/4892-70-0x00007FF727F00000-0x00007FF728254000-memory.dmp
C:\Windows\System\rKhbUNx.exe
| MD5 | 7d3118afe26b261a9015d2a346a529aa |
| SHA1 | 643df85bec1c8683ea4d664bd59d8fd22d6119f2 |
| SHA256 | 7eec7f7bca2f6a95674c4a5ab7a79bf1e792528730c0141ecf3bb8979f9f24dc |
| SHA512 | ab51fa09dd487063b5649d132b3fd3b2b5bfb3303fd5f23a1df29753e3d3fcd80e5a55578aa809d38acfec158d253d1ba41d254a94723d44f38d9aad5ccbbd4e |
C:\Windows\System\KsdnTyY.exe
| MD5 | cac48a2fe4c9bf1e45a8a3ef154e9e5f |
| SHA1 | 3d47e18e41a990239024bace9551d8b031c6425a |
| SHA256 | 932859cd0771e7d6d0eb855cea8e1490571fee29f6a740db192f0c73cdff0546 |
| SHA512 | e8f9e4f5cb60471482554d6894744b5693c1eb7162cff01ab4951df9fd5fecdb44cadd43c5f19409bc7482414dafb58615593c76b10d1d039ab111f503f65562 |
C:\Windows\System\PbJSbDf.exe
| MD5 | 5b4bab83ca16baaa48d78539cad427f5 |
| SHA1 | c69c6860d0e522db865d54727454af28c4b2e677 |
| SHA256 | 86ed7a6853e103da7171282fb98998ff8371c4d9918d178a31567194c026afcd |
| SHA512 | ba5fbd1f8cd8de90cb9d39dab501ea25802e719e50619fc0ba994edea817b700dcded4f5c4207f78160f12b83dea5ace9c3a7fd7a5c0a11d4ca39185439eccc1 |
memory/1996-86-0x00007FF6D1AC0000-0x00007FF6D1E14000-memory.dmp
memory/2316-87-0x00007FF787570000-0x00007FF7878C4000-memory.dmp
memory/3840-84-0x00007FF6C42B0000-0x00007FF6C4604000-memory.dmp
memory/1788-74-0x00007FF7BEC40000-0x00007FF7BEF94000-memory.dmp
memory/3796-73-0x00007FF7D0880000-0x00007FF7D0BD4000-memory.dmp
memory/2232-68-0x00007FF6E8D40000-0x00007FF6E9094000-memory.dmp
C:\Windows\System\mpAOBNW.exe
| MD5 | 353477ef5d18fe926cabcb7809c29722 |
| SHA1 | 7f7ba1ddf39b0780ba581082ecc9915f4a350e8e |
| SHA256 | 37676bd5bb79be3e18f434869558630fd2ad1c62b8f26fc7551dd06860586be1 |
| SHA512 | 7583b23e476000ca84c9e0e9e0f210fb3c469a838d57938668f58525a7d9fe59f25d25c48537fe2bd295e11d70a7c5fe3d800ef0af181beb07d20583214eab25 |
memory/4520-93-0x00007FF710E90000-0x00007FF7111E4000-memory.dmp
C:\Windows\System\YUryLVZ.exe
| MD5 | 8b81efb559d43c8ca0d9d0a5b86985bc |
| SHA1 | 4745b5ebf58778dcd50a3f625799daabbeb3c623 |
| SHA256 | cb8a3ff7c38ac2288f9f5deb4fcbacfe8a16e56f8cbe3732a6eef6f1255a2933 |
| SHA512 | 8bbee59ed5bf0fe50163256e3637693011a54601aa3e8660bf3e2c2e29a4b7e1b02d460d0412372cbb39fd46807774215f2b6ca88500a4fefccfc337fc9e36cd |
C:\Windows\System\DwNkIWW.exe
| MD5 | 08993f2ab8dc700537c7f67b9466d05a |
| SHA1 | dabda4ec4946b1e36d07100610aeca3d0cfbb6bd |
| SHA256 | 71252077d596bdb453ea304dfffeaadc55e3c83ef5f13b52ab10e702eebb25ac |
| SHA512 | 8d511f43c8dd3a5f5b15fa3ed192a128043677293778e9ddec3d038d29b4fd9f7200e49b3eb627ce3fab56ab576bafa773e6358721df4ccdf4c4bc95275979be |
C:\Windows\System\mQVxQJx.exe
| MD5 | 3ca2949388d308c061b550b41e7316c4 |
| SHA1 | ded3b2d497a5217d749fba68daff45b7bfdb6c4b |
| SHA256 | a35091262af023cae42c04a44659976cc878bff5e8760b83f79771c63d22b035 |
| SHA512 | 3c6f12aaf8da81648eb6144f9f0f5263e7b312f7f5a58e5a3693cd307cb4b383dab6fffa456b3747333b7d60f8cf83fa575b233039bd274aaf06f601c908a210 |
C:\Windows\System\eyNioRW.exe
| MD5 | 435f1d15f5e672f9464739de9ecbf0f4 |
| SHA1 | 372216f89d60dbd0150645b3e21ea337ceeec829 |
| SHA256 | e77bca6bef807fbdd0ef6aa32725579b76eead9667de9f59372e3f5e6591fc72 |
| SHA512 | 2e18aa81ecba8ca1314a41adc3844f833ac71da5e96e37c20f199b9810572abf0d7da5de58a924d502797e357a427c695fb4e4c0efea80863791baaef61948d8 |
memory/1080-116-0x00007FF79B910000-0x00007FF79BC64000-memory.dmp
memory/1944-106-0x00007FF6A61A0000-0x00007FF6A64F4000-memory.dmp
memory/4784-105-0x00007FF7A31A0000-0x00007FF7A34F4000-memory.dmp
memory/724-103-0x00007FF60ECA0000-0x00007FF60EFF4000-memory.dmp
C:\Windows\System\yDDtrfW.exe
| MD5 | ec04335931b849983e2b31caa2612f60 |
| SHA1 | 90b0c54425f41dc75bec9b87c8325d9511bc5a12 |
| SHA256 | cdf3f62fb65045e98f9d1d6e38e18cc45b3b5435e1e384c680af5901ad82e35f |
| SHA512 | f6a3d12839472b2dec72e39e91ca1ce2328b2af7cd3bc5bf58d97719cf6f01519f3150e43e3c70f09c95bb3a048720e6a3cc5b0986fca2f5b13bd66e80e0b96a |
memory/4996-126-0x00007FF6BE890000-0x00007FF6BEBE4000-memory.dmp
memory/3800-130-0x00007FF7E3EE0000-0x00007FF7E4234000-memory.dmp
C:\Windows\System\gdhkthX.exe
| MD5 | ee1216742feb4c37ca339c6da9cc978f |
| SHA1 | 0a0c2ff03cf5317a4e1efc621793957f36290115 |
| SHA256 | f623517d7a3d92286800a6595a22daa45d68f6b38047eca342df978fc905db3c |
| SHA512 | fbf7e2587c9f89f760dc76b2b4754c79b28b152d4e7280e644814b96875e26d68a9202a29821ce4428fae83e73b06d307041951d7263ffdfa2386c45a514e1cf |
memory/3220-132-0x00007FF77FC70000-0x00007FF77FFC4000-memory.dmp
memory/780-134-0x00007FF6393C0000-0x00007FF639714000-memory.dmp
memory/4120-133-0x00007FF6E9D50000-0x00007FF6EA0A4000-memory.dmp
memory/1564-131-0x00007FF6514E0000-0x00007FF651834000-memory.dmp
memory/1788-135-0x00007FF7BEC40000-0x00007FF7BEF94000-memory.dmp
memory/2316-136-0x00007FF787570000-0x00007FF7878C4000-memory.dmp
memory/4520-137-0x00007FF710E90000-0x00007FF7111E4000-memory.dmp
memory/724-138-0x00007FF60ECA0000-0x00007FF60EFF4000-memory.dmp
memory/1944-139-0x00007FF6A61A0000-0x00007FF6A64F4000-memory.dmp
memory/1080-140-0x00007FF79B910000-0x00007FF79BC64000-memory.dmp
memory/3796-141-0x00007FF7D0880000-0x00007FF7D0BD4000-memory.dmp
memory/3808-142-0x00007FF601560000-0x00007FF6018B4000-memory.dmp
memory/3840-143-0x00007FF6C42B0000-0x00007FF6C4604000-memory.dmp
memory/1584-144-0x00007FF60C2B0000-0x00007FF60C604000-memory.dmp
memory/4784-145-0x00007FF7A31A0000-0x00007FF7A34F4000-memory.dmp
memory/3016-146-0x00007FF767440000-0x00007FF767794000-memory.dmp
memory/3800-148-0x00007FF7E3EE0000-0x00007FF7E4234000-memory.dmp
memory/4996-147-0x00007FF6BE890000-0x00007FF6BEBE4000-memory.dmp
memory/780-149-0x00007FF6393C0000-0x00007FF639714000-memory.dmp
memory/4216-150-0x00007FF600530000-0x00007FF600884000-memory.dmp
memory/4892-151-0x00007FF727F00000-0x00007FF728254000-memory.dmp
memory/1788-152-0x00007FF7BEC40000-0x00007FF7BEF94000-memory.dmp
memory/1996-153-0x00007FF6D1AC0000-0x00007FF6D1E14000-memory.dmp
memory/2316-154-0x00007FF787570000-0x00007FF7878C4000-memory.dmp
memory/4520-155-0x00007FF710E90000-0x00007FF7111E4000-memory.dmp
memory/724-156-0x00007FF60ECA0000-0x00007FF60EFF4000-memory.dmp
memory/1944-157-0x00007FF6A61A0000-0x00007FF6A64F4000-memory.dmp
memory/1564-159-0x00007FF6514E0000-0x00007FF651834000-memory.dmp
memory/1080-158-0x00007FF79B910000-0x00007FF79BC64000-memory.dmp
memory/3220-160-0x00007FF77FC70000-0x00007FF77FFC4000-memory.dmp
memory/4120-161-0x00007FF6E9D50000-0x00007FF6EA0A4000-memory.dmp
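The Files listing above mixes dropped executables (each followed by a four-row hash table) with memory-dump names that encode a PID and a virtual address range. The following Python script is an added example and is not part of the sandbox report or its tooling: it parses those lines into structured records, checks that every digest has the hex length its algorithm requires (a cheap catch for truncated or mis-pasted hashes before they go into a blocklist), and groups the dumped regions by size so that identically sized images across many PIDs stand out. The embedded SAMPLE is a constructed excerpt of the entries shown above; the class and function names are this example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: an excerpt of the Files listing from this report,
# embedded so the script runs offline.
SAMPLE = r"""
memory/2232-0-0x00007FF6E8D40000-0x00007FF6E9094000-memory.dmp
memory/2232-1-0x000002969A4D0000-0x000002969A4E0000-memory.dmp
C:\Windows\System\rBwVoOA.exe
| MD5 | fecf40a92437c8d2668bfbd8e4db5134 |
| SHA1 | 995e231884edc0a26e3be50771adecfdcfd84f12 |
| SHA256 | 97bdcdeb726dff3e63e7d161079a3b12e8bfa289e3c155968656a6018f8bbde9 |
| SHA512 | 22928daf561cd9d2646ec5e7f40b64807c9d82b27a6b8bc72935fb05657307f237d81215f4cf5cfe85dcd0256f4353f12047841d00fac445942b8ee278c04841 |
memory/3796-6-0x00007FF7D0880000-0x00007FF7D0BD4000-memory.dmp
C:\Windows\System\lVHkoIu.exe
| MD5 | 51ec5969ec165429cb514a6c0462e918 |
| SHA1 | d000cf6cd61d7678fa15157e71df14574e5f5e49 |
| SHA256 | e15723dd3fc82067522eaff359155033579f898a09ef18ec906ae37974c37e2b |
| SHA512 | 041fab45ff7249e335b2662c1b7243454e5b6d3e0cd4cedaeed1ab56b0cd7ce6b3c23b33c9616da7d9cfda9857be0ee4c430d799c280929564cbe0bbc34df0d4 |
memory/3808-22-0x00007FF601560000-0x00007FF6018B4000-memory.dmp
"""

# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
MEMDUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# | MD5 | <hex> |   (one row of the per-file hash table)
HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# Hex-digit length each digest must have; anything else is a copy or parse error.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)


@dataclass(frozen=True)
class MemRegion:
    pid: int
    idx: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_files_section(text: str):
    """Split the Files listing into dropped files (with hash rows) and memory regions."""
    files, regions = [], []
    current = None  # the DroppedFile that subsequent hash rows belong to
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMDUMP_RE.match(line)
        if m:
            regions.append(MemRegion(int(m["pid"]), int(m["idx"]),
                                     int(m["start"], 16), int(m["end"], 16)))
            current = None  # hash rows never follow a dump entry
            continue
        m = HASH_ROW_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row without a preceding file path: {line}")
            current.hashes[m.group(1)] = m.group(2).lower()
            continue
        if line.startswith("C:\\"):
            current = DroppedFile(line)
            files.append(current)
        # any other line (section headings, blanks) is ignored
    return files, regions


def check_digests(files):
    """Return (path, algorithm, problem) for every missing or mis-sized digest."""
    problems = []
    for f in files:
        for algo, want in DIGEST_LEN.items():
            digest = f.hashes.get(algo)
            if digest is None:
                problems.append((f.path, algo, "missing"))
            elif len(digest) != want:
                problems.append((f.path, algo, f"length {len(digest)} != {want}"))
    return problems


def regions_by_size(regions):
    """Map region size -> sorted PIDs that mapped a region of that size."""
    out = defaultdict(set)
    for r in regions:
        out[r.size].add(r.pid)
    return {size: sorted(pids) for size, pids in out.items()}


if __name__ == "__main__":
    files, regions = parse_files_section(SAMPLE)
    for f in files:
        print(f.path, f.hashes["SHA256"])
    print("digest problems:", check_digests(files))
    for size, pids in sorted(regions_by_size(regions).items()):
        print(f"{size:#x} bytes mapped in PIDs {pids}")
```

Feeding the whole Files section of this report through `parse_files_section` gives one SHA256 per dropped executable for blocklisting, and `regions_by_size` shows that the large region dumped from every PID has the same size, which is what you expect when each dropped binary unpacks the same image; the small 0x10000 region in PID 2232 is the outlier worth opening first.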