Analysis Overview
SHA256
0139dde88261ac9988a420784da0be96b907b70f761d2ac455aed87b45fa737f
Threat Level: Known bad
The file 2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Cobaltstrike family
XMRig Miner payload
Xmrig family
Cobalt Strike reflective loader
xmrig
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-05 09:48
Signatures
Cobalt Strike reflective loader
1 hit (no indicator detail recorded)
Cobaltstrike family
XMRig Miner payload
1 hit (no indicator detail recorded)
Xmrig family
UPX packed file
1 hit (no indicator detail recorded)
Unsigned PE
2 hits (no indicator detail recorded)
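The static pass flags a UPX-packed, unsigned PE. What follows is an added example, not the sandbox's own detector: a standard-library-only reader for the PE section table that reports the indicators a stock UPX build leaves (UPX0/UPX1 section names, an empty first section that exists only in virtual memory, and sections that are both writable and executable), together with whether the image is PE32+. The two PE images it checks are constructed header-only stubs built inside the script, not bytes from this sample.

```python
"""
Section-table checks for the packer indicators behind the "UPX packed file"
signature. Added example, not the sandbox's detector; it reads the raw PE
headers with the standard library only and runs against two constructed
minimal PE images (no real sample bytes are embedded).
"""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = "<8sIIIIIIHHI"       # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(data):
    """Return the section headers of a PE image as a list of dicts."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size    # 4-byte signature + 20-byte COFF header
    sections = []
    for i in range(num_sections):
        fields = struct.unpack_from(SECTION_HEADER, data, table + 40 * i)
        sections.append({
            "name": fields[0].rstrip(b"\0").decode("latin-1"),
            "virtual_size": fields[1],
            "virtual_address": fields[2],
            "raw_size": fields[3],
            "raw_pointer": fields[4],
            "characteristics": fields[9],
        })
    return sections


def is_pe32plus(data):
    """True when the optional header Magic says PE32+ (64-bit image)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return struct.unpack_from("<H", data, e_lfanew + 24)[0] == 0x20B


def packer_indicators(data):
    """Heuristics that fire on a stock UPX layout; each hit is a short tag."""
    sections = parse_sections(data)
    hits = []
    if any(s["name"].startswith("UPX") for s in sections):
        hits.append("upx_section_names")
    # UPX0 is an empty, virtual-only section the stub unpacks into.
    if sections and sections[0]["raw_size"] == 0 and sections[0]["virtual_size"] > 0:
        hits.append("first_section_no_raw_data")
    for s in sections:
        if s["characteristics"] & IMAGE_SCN_MEM_EXECUTE and s["characteristics"] & IMAGE_SCN_MEM_WRITE:
            hits.append("wx_section:" + s["name"])
    return hits


def build_pe(section_specs, pe32plus=True):
    """Assemble a header-only PE image (constructed test input, carries no code)."""
    opt_size = 240 if pe32plus else 224
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                                     len(section_specs), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B if pe32plus else 0x10B) + b"\0" * (opt_size - 2)
    table = b"".join(
        struct.pack(SECTION_HEADER, name.encode(), vsize, vaddr, rawsize, rawptr, 0, 0, 0, 0, chars)
        for name, vsize, vaddr, rawsize, rawptr, chars in section_specs)
    return dos + coff + opt + table


# Stock UPX layout: a large virtual-only UPX0, the packed UPX1, and resources.
UPX_LAYOUT = [
    ("UPX0", 0x300000, 0x1000, 0, 0x400, 0xE0000080),
    ("UPX1", 0x50000, 0x301000, 0x4F000, 0x400, 0xE0000040),
    (".rsrc", 0x1000, 0x351000, 0x1000, 0x4F400, 0xC0000040),
]
# Ordinary compiler output: code, read-only data, writable data.
CLEAN_LAYOUT = [
    (".text", 0x20000, 0x1000, 0x20000, 0x400, 0x60000020),
    (".rdata", 0x8000, 0x21000, 0x8000, 0x20400, 0x40000040),
    (".data", 0x2000, 0x29000, 0x1000, 0x28400, 0xC0000040),
]

if __name__ == "__main__":
    for label, layout in (("upx", UPX_LAYOUT), ("clean", CLEAN_LAYOUT)):
        image = build_pe(layout)
        print(label, "pe32+" if is_pe32plus(image) else "pe32", packer_indicators(image))
```

Section names are trivial to rename, so treat the name check as the weakest of the three and the raw-size and W+X checks as what survives a relabelled stub. An Authenticode check for the "Unsigned PE" signature needs the certificate data directory and is out of scope here.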
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-05 09:48
Reported
2024-08-05 09:51
Platform
win7-20240729-en
Max time kernel
140s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits (no indicator detail recorded)
Cobaltstrike
xmrig
XMRig Miner payload
41 hits (no indicator detail recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\YtOnRKT.exe | N/A |
| N/A | N/A | C:\Windows\System\cHtrFwy.exe | N/A |
| N/A | N/A | C:\Windows\System\KHyrpJq.exe | N/A |
| N/A | N/A | C:\Windows\System\QyRkIGn.exe | N/A |
| N/A | N/A | C:\Windows\System\pXTkuhM.exe | N/A |
| N/A | N/A | C:\Windows\System\EPyPkcZ.exe | N/A |
| N/A | N/A | C:\Windows\System\DdCRauJ.exe | N/A |
| N/A | N/A | C:\Windows\System\gCidrhp.exe | N/A |
| N/A | N/A | C:\Windows\System\eadlUlg.exe | N/A |
| N/A | N/A | C:\Windows\System\ruIoRff.exe | N/A |
| N/A | N/A | C:\Windows\System\shEiLQf.exe | N/A |
| N/A | N/A | C:\Windows\System\ULmXEsY.exe | N/A |
| N/A | N/A | C:\Windows\System\vGQjyrm.exe | N/A |
| N/A | N/A | C:\Windows\System\eHwTKwv.exe | N/A |
| N/A | N/A | C:\Windows\System\GeWVWgk.exe | N/A |
| N/A | N/A | C:\Windows\System\PdmNRyi.exe | N/A |
| N/A | N/A | C:\Windows\System\MFOQRmG.exe | N/A |
| N/A | N/A | C:\Windows\System\SPRFDPT.exe | N/A |
| N/A | N/A | C:\Windows\System\IbunImf.exe | N/A |
| N/A | N/A | C:\Windows\System\yWLXDXQ.exe | N/A |
| N/A | N/A | C:\Windows\System\vdZspAU.exe | N/A |
Loads dropped DLL
UPX packed file
61 hits (no indicator detail recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\YtOnRKT.exe
C:\Windows\System\YtOnRKT.exe
C:\Windows\System\cHtrFwy.exe
C:\Windows\System\cHtrFwy.exe
C:\Windows\System\KHyrpJq.exe
C:\Windows\System\KHyrpJq.exe
C:\Windows\System\QyRkIGn.exe
C:\Windows\System\QyRkIGn.exe
C:\Windows\System\pXTkuhM.exe
C:\Windows\System\pXTkuhM.exe
C:\Windows\System\EPyPkcZ.exe
C:\Windows\System\EPyPkcZ.exe
C:\Windows\System\DdCRauJ.exe
C:\Windows\System\DdCRauJ.exe
C:\Windows\System\gCidrhp.exe
C:\Windows\System\gCidrhp.exe
C:\Windows\System\eadlUlg.exe
C:\Windows\System\eadlUlg.exe
C:\Windows\System\ruIoRff.exe
C:\Windows\System\ruIoRff.exe
C:\Windows\System\shEiLQf.exe
C:\Windows\System\shEiLQf.exe
C:\Windows\System\ULmXEsY.exe
C:\Windows\System\ULmXEsY.exe
C:\Windows\System\vGQjyrm.exe
C:\Windows\System\vGQjyrm.exe
C:\Windows\System\eHwTKwv.exe
C:\Windows\System\eHwTKwv.exe
C:\Windows\System\GeWVWgk.exe
C:\Windows\System\GeWVWgk.exe
C:\Windows\System\PdmNRyi.exe
C:\Windows\System\PdmNRyi.exe
C:\Windows\System\MFOQRmG.exe
C:\Windows\System\MFOQRmG.exe
C:\Windows\System\SPRFDPT.exe
C:\Windows\System\SPRFDPT.exe
C:\Windows\System\IbunImf.exe
C:\Windows\System\IbunImf.exe
C:\Windows\System\yWLXDXQ.exe
C:\Windows\System\yWLXDXQ.exe
C:\Windows\System\vdZspAU.exe
C:\Windows\System\vdZspAU.exe
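The process list shows the sample writing twenty-one seven-letter executables into C:\Windows\System and launching each of them, while the AdjustPrivilegeToken rows show it enabling SeLockMemoryPrivilege, the "Lock pages in memory" right XMRig asks for to back its dataset with large pages. The following is an added example, not sandbox output: hunting logic over a normalised process, file and privilege event stream that flags exactly that chain. The events are constructed to mirror this run (pid 400 for the sample, as the memory-dump names suggest); the event schema and the SeLockMemoryPrivilege allowlist are this example's own assumptions.

```python
r"""
Hunting logic for the drop-and-execute chain recorded in this detonation.

Added example, not sandbox output. The event stream is constructed to mirror
the behavioral1 run: one process writes seven-letter .exe files into
C:\Windows\System, launches each of them, and enables SeLockMemoryPrivilege.
Field names (type, pid, ppid, image, target, privilege) are this example's own
normalised schema, not a particular EDR's.
"""
import re
from collections import defaultdict

WINDOWS_DIR = "c:\\windows\\"
DROP_DIR = "c:\\windows\\system\\"
# Names like YtOnRKT.exe / cHtrFwy.exe: exactly seven letters, no digits.
RANDOM_EXE = re.compile(r"^[a-z]{7}\.exe$", re.IGNORECASE)
# Images allowed to hold SeLockMemoryPrivilege (large-page users). Assumed
# allowlist for illustration; tune it to the estate.
LOCK_MEMORY_ALLOWLIST = {"sqlservr.exe"}
MASS_DROP_THRESHOLD = 5          # distinct executables written by one process


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def hunt(events):
    """Return (rule, pid, detail) findings for a list of normalised events."""
    findings = []
    image_of = {}                       # pid -> image path
    dropped_by = {}                     # lower-cased path -> pid that wrote it
    drops_per_pid = defaultdict(set)    # pid -> executables it wrote

    for ev in events:
        kind = ev["type"]
        if kind == "file_create":
            path = ev["target"].lower()
            if path.startswith(WINDOWS_DIR) and path.endswith(".exe"):
                dropped_by[path] = ev["pid"]
                drops_per_pid[ev["pid"]].add(path)

        elif kind == "process_create":
            image = ev["image"]
            image_of[ev["pid"]] = image
            low = image.lower()
            if low.startswith(DROP_DIR) and RANDOM_EXE.match(_basename(low)):
                # Strong: launched by the very process that wrote it.
                if dropped_by.get(low) == ev["ppid"]:
                    findings.append(("dropped_exe_executed_by_dropper", ev["pid"], image))
                else:
                    findings.append(("random_exe_in_windows_system", ev["pid"], image))

        elif kind == "privilege_adjust" and ev["privilege"] == "SeLockMemoryPrivilege":
            name = _basename(image_of.get(ev["pid"], "")).lower()
            if name not in LOCK_MEMORY_ALLOWLIST:
                findings.append(("lock_memory_privilege_enabled", ev["pid"], name or "<unknown image>"))

    for pid, paths in drops_per_pid.items():
        if len(paths) >= MASS_DROP_THRESHOLD:
            findings.append(("mass_drop_into_windows_dir", pid, f"{len(paths)} executables"))
    return findings


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe"
DROPPED = ["YtOnRKT", "cHtrFwy", "KHyrpJq", "QyRkIGn", "pXTkuhM", "EPyPkcZ"]


def build_events():
    """Constructed event stream modelled on the behavioral1 run (pid 400 = sample)."""
    events = [
        {"type": "process_create", "pid": 400, "ppid": 1, "image": SAMPLE},
        {"type": "privilege_adjust", "pid": 400, "privilege": "SeLockMemoryPrivilege"},
        # Benign large-page user on the allowlist: must stay silent.
        {"type": "process_create", "pid": 900, "ppid": 1,
         "image": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe"},
        {"type": "privilege_adjust", "pid": 900, "privilege": "SeLockMemoryPrivilege"},
    ]
    for i, name in enumerate(DROPPED):
        path = "C:\\Windows\\System\\" + name + ".exe"
        events.append({"type": "file_create", "pid": 400, "target": path})
        events.append({"type": "process_create", "pid": 2000 + i, "ppid": 400, "image": path})
    # System32 is not the drop directory; the name rule must not fire here.
    events.append({"type": "process_create", "pid": 3000, "ppid": 1,
                   "image": "C:\\Windows\\System32\\svchost.exe"})
    return events


if __name__ == "__main__":
    for rule, pid, detail in hunt(build_events()):
        print(f"{rule:36} pid={pid:<5} {detail}")
```

The parent-pid join is what makes the first rule strong: a seven-letter name on its own is weak evidence, but an executable launched by the process that has just written it into a Windows system directory is rarely legitimate. The mass-drop rule catches the same behaviour when only file-create events are available.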
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/400-0-0x000000013F450000-0x000000013F7A1000-memory.dmp
memory/400-1-0x0000000000080000-0x0000000000090000-memory.dmp
C:\Windows\system\YtOnRKT.exe
| MD5 | dd35b9111dad5d1121506e60b8b952a7 |
| SHA1 | 9d710dcbc91adf9185c59268b5fe7807845fb044 |
| SHA256 | d644f31568812f4a62ffa3ffeef2b045e39730e1d2ba239cb6552cdb4b1f0c85 |
| SHA512 | 71e5c3ab86c5a735712c49716342a97cd5c691d02f84ff473ce56cdb39875c0c3aa428b6cc319ed25c9921b77a26681fcbee724387c8e8a217af566d521c18b1 |
C:\Windows\system\cHtrFwy.exe
| MD5 | c967c4408677aaac3dd3c1d61af0a09b |
| SHA1 | 14f27aadc921ae58c2d1dd005894b8a7ccb8d87f |
| SHA256 | d4c8cb091a2df780f9ae9db4c461e300cfd1f31190272858b5432bf234e2006d |
| SHA512 | f1e31b4919cb9f47a60c2e0190a8152527964b69930b226c7007c5a04758c49f6b1265a110bb35aad94b216daba8d1ecacdf34e7d9fc766f41232e6b07f2607a |
memory/400-10-0x00000000022F0000-0x0000000002641000-memory.dmp
C:\Windows\system\KHyrpJq.exe
| MD5 | 761c50445548d969f5858758dee5ba3b |
| SHA1 | 52c7581f6fb67051378d1dab94fbc5b01afcdc5f |
| SHA256 | f9d9685300ae78c08f57d2255db4832678f0441dfdb8e6ea1b3b6e2103fa369f |
| SHA512 | 86740b32a7f97ff26106e97ceea8efc3096ed54e0357698a2bcc1563c881e750ebc9729a3b09357bcdefd280e2a5cb387133c816b6b9fecc2c32b83a66bc9b98 |
C:\Windows\system\QyRkIGn.exe
| MD5 | ec109eea81d85b2182522aa114abf97d |
| SHA1 | efd634fecd25d8b96308e5737ebf22a9d1aa3643 |
| SHA256 | a55eee968ad26e432cf90e149c1431493d120b02d5accb6c96cb866e1c8222b3 |
| SHA512 | 16eba19f58341a54a2629f84fb676baf5abb89474035fc3dc444c35889eb4a4c682ee4d43788dd53e87f2fd49cc226aad0426636a7926d3cd2d8680f47735482 |
C:\Windows\system\pXTkuhM.exe
| MD5 | 0311fc49115635485a583afd621c701b |
| SHA1 | 5ac7a87846b5e9893c3e28ec283370ccf114eca5 |
| SHA256 | 251a2cfb6e2749ffedb1d2ecdc29e5f1eab4ffb030f09fb3e4cc0ef74094d950 |
| SHA512 | 7d1e7d6386cb605c9ef62ecad5b046eee300cd61f9fd64f1bb0c20e66bfa25fc64ef9547fe86813c6ed5108eaaa53fea6c57aca633d80509b61e9558f77480a8 |
C:\Windows\system\EPyPkcZ.exe
| MD5 | a9ca099581febaf704a5887217b838a9 |
| SHA1 | 740e3677636cc595c20ca6c8f9363e7c12a32691 |
| SHA256 | d53818ef1ba53a699c3b05825b324a08337bea3111db47b85c3836bae4f82951 |
| SHA512 | 8aad9455344b926b5abc83ca51d5c21a686f74cce7bef97b3a1373ebd50bac5e1ec6e97c57414be119e77af59528376f45d19143e926dd95ce9c42b0c13cbab8 |
C:\Windows\system\DdCRauJ.exe
| MD5 | 48530fe23d83e008827a8940b6194e4c |
| SHA1 | 9ab3091df11b9240546e67f5cf2e124c87658e5d |
| SHA256 | 1992e493ef1d4f8e6204c37951be5c5dcf440a8cff9b9f22dc51aa978d9e7887 |
| SHA512 | 01d27dfc20c75197233dbd252dd4c537c37a29484e7bf62ecb02ef0e5cf310b87421ca73883c74e6818c16c711d9c79330647d5a415fa93a5d30072ca9e364a5 |
C:\Windows\system\eadlUlg.exe
| MD5 | 156f4019a14753a7cfefb01f38e96782 |
| SHA1 | 43e2a5f5dc9424cab922a3d5371d2fdc15a7d330 |
| SHA256 | 558790c22fa1a7d06287c9fe3f8e058cdccaf7b6347b807b681ffb29b911ebad |
| SHA512 | e8e52db729035831edd1b6ab1576299b2abfffc1cdaef5185928ebcdb81a3f80ae468c8e90699537fbcdf7ea211f89c0b01893e533b1e85464e0df90bd7cae63 |
C:\Windows\system\vGQjyrm.exe
| MD5 | 1f667da604f1e7b593f3c26bc653c942 |
| SHA1 | a2efd7c2d2047fde1b5b8d64a01a437fe41b2d95 |
| SHA256 | e4e60775677d91f1e02bf822898e10e9e6b129ec2b0abed9887c634c2d51e65e |
| SHA512 | 57fe87cbd0a6ae3fc269180fe98c98ddd11a9ad2848f666e3d776c5efb317e3833d11043862f98d3788862e8b61d24d527d1f914a9424573ef5bbfb6bf5f7514 |
C:\Windows\system\GeWVWgk.exe
| MD5 | 16f10df314b8d5d564af6bc657665d75 |
| SHA1 | 32a78ed54c80512df35b1ff4f4f866bd6f6c252a |
| SHA256 | 78b55b2d3bb1c49cc65a3f6d6c4c22ca9466362113bcfbd62a3e43f7636af79f |
| SHA512 | a6fd7bfeb781caeda61d290b25e0af1f6767ed5f5bc59889d885131185d6598fe677aeb658c3f527d64141bf1d93dab296f312937e6c6b77a894f27a85a3a1e7 |
memory/316-78-0x000000013F1B0000-0x000000013F501000-memory.dmp
memory/2840-92-0x000000013F940000-0x000000013FC91000-memory.dmp
memory/1740-111-0x000000013F980000-0x000000013FCD1000-memory.dmp
memory/400-110-0x000000013F980000-0x000000013FCD1000-memory.dmp
memory/400-109-0x00000000022F0000-0x0000000002641000-memory.dmp
memory/2648-108-0x000000013F710000-0x000000013FA61000-memory.dmp
memory/400-107-0x00000000022F0000-0x0000000002641000-memory.dmp
memory/2756-106-0x000000013F3F0000-0x000000013F741000-memory.dmp
memory/400-104-0x00000000022F0000-0x0000000002641000-memory.dmp
memory/3000-103-0x000000013F7D0000-0x000000013FB21000-memory.dmp
memory/400-102-0x000000013F7D0000-0x000000013FB21000-memory.dmp
memory/2628-101-0x000000013F430000-0x000000013F781000-memory.dmp
memory/400-100-0x00000000022F0000-0x0000000002641000-memory.dmp
C:\Windows\system\SPRFDPT.exe
| MD5 | 7a0934434fec4294a2f8ac9447f28970 |
| SHA1 | 4f5fbc85b5555e4c7d7c1e05018a5c0f5bc818fe |
| SHA256 | d06c28813d83ac9369b305c1dee8b3006898881cc8dc62259c226ceb000b0d74 |
| SHA512 | d8a3053a84900b13c0d74d84ad562e2c6bb395e95f69f1df46f407b684ba8407ffa411c7bb743a2f7b7d8273cb8b8d991b22ebf5e647bdef757e707668347d49 |
C:\Windows\system\yWLXDXQ.exe
| MD5 | d078063dccc65b6cb4d593e0a951b826 |
| SHA1 | 398c929d55df426f93a0c84a7c847b7d6bb0dd07 |
| SHA256 | e4e694e4404cf689f70e70f473a65f7cd138e80ec0c1179ea7bf63a9517b7cc6 |
| SHA512 | 102b284c5d28e7ecd701752e12e9feeb1d3ee8e3a6491ecf2d0cbfebc5db14be718528bd9da6e71de77e386e0c3516dcad9e71560965b5b41ccf2fec75de1a8a |
C:\Windows\system\vdZspAU.exe
| MD5 | ebd4dae49467190ec708f5a8635ed128 |
| SHA1 | c136b45ade04e3a5d958a0491a53ca40ee341c67 |
| SHA256 | 80eabb6615b4923b5c8cdd844cf88895b6d9dfbe41fb56a805cbb829521e388d |
| SHA512 | 55ac694db4993707db3edf55f21ae0f0af19eba8f3a8c86fcf3f274e11614aa43a0b0ffe23ffab8c8a3f80d9ff8e9cb5b85d0ba3c2c71935d1c06b53c7a01685 |
C:\Windows\system\IbunImf.exe
| MD5 | e53c14640dfbbc8d3b55719008c69dba |
| SHA1 | 0515466056153bedd91b520eaaf222186def4907 |
| SHA256 | 862481926ba8442f3b82d623578ae06c0c868b696079cae58f193137e75f5182 |
| SHA512 | 0d8d5cbd42b6ef2224f3d03c46659b094ffcfcb54a0b7cc96c885128808c382ae8f39781dad147bdaffcf50642f77e40c58351ed6dd36beb6de2c90428fa1062 |
C:\Windows\system\MFOQRmG.exe
| MD5 | 13b3faf727d4a166eb908f58e813d45c |
| SHA1 | 85dc4ad737e062e71fe56101578f6c48713ccc33 |
| SHA256 | 442cb836cfd5704c72073d2b8dab8c7c652a9988a840ca4b39e8c80f5adca047 |
| SHA512 | 1682152fc350d40bf88837f9cae903b769f382f0f95ecccac7863de6717fb9c69bc587d3b12eecd5e16199706334e225a81ecb74e4401b40bb34fa77097985fd |
memory/2300-99-0x000000013F340000-0x000000013F691000-memory.dmp
memory/400-98-0x00000000022F0000-0x0000000002641000-memory.dmp
memory/2808-97-0x000000013F770000-0x000000013FAC1000-memory.dmp
memory/400-96-0x00000000022F0000-0x0000000002641000-memory.dmp
C:\Windows\system\PdmNRyi.exe
| MD5 | 57d1a0f6d8281bed16bd712d016d0b8c |
| SHA1 | bbfdead8e0eca366ea173c5fb9728c6d5a854a99 |
| SHA256 | da4a76011c1cbeeb8d1b040c87ebe9e3c5ca8c05f315132cfeee2d40ed30fd26 |
| SHA512 | ec2d46961185a9ef86492c4a0b5f17c005705145cb2c9dead607b9bdb85cca40faada0e65e5bb0d3ef3171f9457b3c68fd360fb7344056d8e441820ab88861bd |
memory/2748-94-0x000000013F6F0000-0x000000013FA41000-memory.dmp
memory/400-93-0x00000000022F0000-0x0000000002641000-memory.dmp
memory/400-90-0x000000013F940000-0x000000013FC91000-memory.dmp
memory/2804-89-0x000000013F8A0000-0x000000013FBF1000-memory.dmp
memory/400-86-0x000000013F8A0000-0x000000013FBF1000-memory.dmp
memory/2192-85-0x000000013F420000-0x000000013F771000-memory.dmp
memory/400-84-0x00000000022F0000-0x0000000002641000-memory.dmp
memory/2312-83-0x000000013F3C0000-0x000000013F711000-memory.dmp
memory/400-82-0x00000000022F0000-0x0000000002641000-memory.dmp
memory/3028-80-0x000000013F940000-0x000000013FC91000-memory.dmp
memory/400-79-0x000000013F940000-0x000000013FC91000-memory.dmp
C:\Windows\system\eHwTKwv.exe
| MD5 | a1a21eba3bc40aedd4292be70d67939c |
| SHA1 | b80b288881835546521083306530e674a1fc11f6 |
| SHA256 | 6c5e9ccfad0225e344f8efdae9081dd9988f2ef7f8f0fcd23f7fa7b6aea06826 |
| SHA512 | 1ff46cc474eba5b9f8c976e5cf464a26e315760e6f4c25ad671dea544dd32f178f030996d193355d1567e3085f13931e931697736fec042cf5e303bd5620092d |
C:\Windows\system\ULmXEsY.exe
| MD5 | 1a88db7e5403bb2d509270c2d089a2bd |
| SHA1 | e0ad533e7aa050a45572f5ed19b8cd25e50ad08f |
| SHA256 | 7ee473a6348ad0ae3f3adf81e787c27212986c391fd5043ec17e84a7e133f573 |
| SHA512 | b711b095fa1e47ef6da8aca7e5d781a900886d925c293c92f6a7b90f19f80371c3bbcdcf11f4cb393cf59063a0dce7011d74b25e9c1a65ce2aff7df3d26aef1f |
C:\Windows\system\shEiLQf.exe
| MD5 | 234924307eca8bcdd47b4024c3db53ed |
| SHA1 | ed9fd4a807e0542461f9ed2e891c84905f7e0f5b |
| SHA256 | 667466e9a041d759283c9b4cf27d08328c63ca8235a286a1bd20368d5f1c84de |
| SHA512 | e34bcab83fd7e183dd5f290320df1acee9f30f14a60fecdf6da4bb039b11ee589c1c990592dc96f76d8fc6169627d7b9882cb169f21c4a2ba9b2e37e3d1cfd39 |
C:\Windows\system\ruIoRff.exe
| MD5 | bf4efe38db702aa9cf5d44c57e7ebaa1 |
| SHA1 | 6c6ec8b351c44a2e20e5c818e03fc551074e1506 |
| SHA256 | 672355c026a838a39d5dbebdd03e2c8e60660f8363fd1db89f5d8d6c79de5dc1 |
| SHA512 | 6c292906bf2158602702eb6cde4564defe80d457ee24f001a2af6bf6805d85b13e93f8457e3e5af81601e20294eeae9a526aa326399bdf96332e047c41687900 |
C:\Windows\system\gCidrhp.exe
| MD5 | e9bdc7399201725ffe4ba8c243d76e07 |
| SHA1 | fed114396174dd164ad249c4d8cdcbdd5535006f |
| SHA256 | e27468230ba33ca2a4aea131a0ac9b5ec792045b7b7c335562ca2fe3c4d8a9e0 |
| SHA512 | aceb1cbd8691a4fc0785f0ab5c31775f74cd86bf65e104b3d9ff569da4f2816c021a2b26ef0f92484192c76e5433ba970cff335b19189cc6f20abdb9b367362a |
memory/400-136-0x000000013F450000-0x000000013F7A1000-memory.dmp
memory/316-137-0x000000013F1B0000-0x000000013F501000-memory.dmp
memory/2604-151-0x000000013F380000-0x000000013F6D1000-memory.dmp
memory/2924-155-0x000000013FA60000-0x000000013FDB1000-memory.dmp
memory/2988-157-0x000000013FA00000-0x000000013FD51000-memory.dmp
memory/2984-156-0x000000013F160000-0x000000013F4B1000-memory.dmp
memory/2856-154-0x000000013F130000-0x000000013F481000-memory.dmp
memory/1520-153-0x000000013F0C0000-0x000000013F411000-memory.dmp
memory/2324-152-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/400-158-0x000000013F450000-0x000000013F7A1000-memory.dmp
memory/400-167-0x00000000022F0000-0x0000000002641000-memory.dmp
memory/400-166-0x000000013F450000-0x000000013F7A1000-memory.dmp
memory/316-205-0x000000013F1B0000-0x000000013F501000-memory.dmp
memory/3028-224-0x000000013F940000-0x000000013FC91000-memory.dmp
memory/2192-226-0x000000013F420000-0x000000013F771000-memory.dmp
memory/2840-228-0x000000013F940000-0x000000013FC91000-memory.dmp
memory/2312-247-0x000000013F3C0000-0x000000013F711000-memory.dmp
memory/3000-244-0x000000013F7D0000-0x000000013FB21000-memory.dmp
memory/2300-242-0x000000013F340000-0x000000013F691000-memory.dmp
memory/2748-239-0x000000013F6F0000-0x000000013FA41000-memory.dmp
memory/2628-236-0x000000013F430000-0x000000013F781000-memory.dmp
memory/2804-235-0x000000013F8A0000-0x000000013FBF1000-memory.dmp
memory/1740-232-0x000000013F980000-0x000000013FCD1000-memory.dmp
memory/2808-231-0x000000013F770000-0x000000013FAC1000-memory.dmp
memory/2756-241-0x000000013F3F0000-0x000000013F741000-memory.dmp
memory/2648-250-0x000000013F710000-0x000000013FA61000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-05 09:48
Reported
2024-08-05 09:51
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits (no indicator detail recorded)
Cobaltstrike
xmrig
XMRig Miner payload
47 hits (no indicator detail recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\YtOnRKT.exe | N/A |
| N/A | N/A | C:\Windows\System\cHtrFwy.exe | N/A |
| N/A | N/A | C:\Windows\System\KHyrpJq.exe | N/A |
| N/A | N/A | C:\Windows\System\QyRkIGn.exe | N/A |
| N/A | N/A | C:\Windows\System\pXTkuhM.exe | N/A |
| N/A | N/A | C:\Windows\System\EPyPkcZ.exe | N/A |
| N/A | N/A | C:\Windows\System\DdCRauJ.exe | N/A |
| N/A | N/A | C:\Windows\System\gCidrhp.exe | N/A |
| N/A | N/A | C:\Windows\System\eadlUlg.exe | N/A |
| N/A | N/A | C:\Windows\System\ruIoRff.exe | N/A |
| N/A | N/A | C:\Windows\System\shEiLQf.exe | N/A |
| N/A | N/A | C:\Windows\System\ULmXEsY.exe | N/A |
| N/A | N/A | C:\Windows\System\vGQjyrm.exe | N/A |
| N/A | N/A | C:\Windows\System\eHwTKwv.exe | N/A |
| N/A | N/A | C:\Windows\System\GeWVWgk.exe | N/A |
| N/A | N/A | C:\Windows\System\PdmNRyi.exe | N/A |
| N/A | N/A | C:\Windows\System\MFOQRmG.exe | N/A |
| N/A | N/A | C:\Windows\System\SPRFDPT.exe | N/A |
| N/A | N/A | C:\Windows\System\IbunImf.exe | N/A |
| N/A | N/A | C:\Windows\System\yWLXDXQ.exe | N/A |
| N/A | N/A | C:\Windows\System\vdZspAU.exe | N/A |
UPX packed file
64 hits (no indicator detail recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-05_a0f384cbd9c5699ccd5b98c3c9128bd6_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\YtOnRKT.exe
C:\Windows\System\YtOnRKT.exe
C:\Windows\System\cHtrFwy.exe
C:\Windows\System\cHtrFwy.exe
C:\Windows\System\KHyrpJq.exe
C:\Windows\System\KHyrpJq.exe
C:\Windows\System\QyRkIGn.exe
C:\Windows\System\QyRkIGn.exe
C:\Windows\System\pXTkuhM.exe
C:\Windows\System\pXTkuhM.exe
C:\Windows\System\EPyPkcZ.exe
C:\Windows\System\EPyPkcZ.exe
C:\Windows\System\DdCRauJ.exe
C:\Windows\System\DdCRauJ.exe
C:\Windows\System\gCidrhp.exe
C:\Windows\System\gCidrhp.exe
C:\Windows\System\eadlUlg.exe
C:\Windows\System\eadlUlg.exe
C:\Windows\System\ruIoRff.exe
C:\Windows\System\ruIoRff.exe
C:\Windows\System\shEiLQf.exe
C:\Windows\System\shEiLQf.exe
C:\Windows\System\ULmXEsY.exe
C:\Windows\System\ULmXEsY.exe
C:\Windows\System\vGQjyrm.exe
C:\Windows\System\vGQjyrm.exe
C:\Windows\System\eHwTKwv.exe
C:\Windows\System\eHwTKwv.exe
C:\Windows\System\GeWVWgk.exe
C:\Windows\System\GeWVWgk.exe
C:\Windows\System\PdmNRyi.exe
C:\Windows\System\PdmNRyi.exe
C:\Windows\System\MFOQRmG.exe
C:\Windows\System\MFOQRmG.exe
C:\Windows\System\SPRFDPT.exe
C:\Windows\System\SPRFDPT.exe
C:\Windows\System\IbunImf.exe
C:\Windows\System\IbunImf.exe
C:\Windows\System\yWLXDXQ.exe
C:\Windows\System\yWLXDXQ.exe
C:\Windows\System\vdZspAU.exe
C:\Windows\System\vdZspAU.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 175.117.168.52.in-addr.arpa | udp |
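Most of the rows above are the Windows 10 image's own background traffic: reverse (in-addr.arpa) lookups through the sandbox resolver and the g.bing.com flows. The win7 run shows only the tcp/8080 connections to 3.120.209.58. The following is an added example, not part of the report: triage logic that classifies each row, folds the PTR names back into forward addresses so the analyst can see what the OS was looking up, and ranks repeated direct-to-IP flows as C2 candidates. The rows are transcribed from the table above; the platform-noise suffix list and the repeat threshold are assumptions to tune.

```python
"""
Triage of the behavioral2 network table: separate the sandbox platform's own
traffic from the sample's connections and rank repeated direct-to-IP flows as
C2 candidates. Added example, not part of the report. ROWS is transcribed from
the table above; PLATFORM_NOISE_SUFFIXES is an assumed list to tune.
"""
import ipaddress
from collections import Counter

SANDBOX_RESOLVER = "8.8.8.8"
# Hostnames the Windows 10 image contacts on its own (search, telemetry). Assumed.
PLATFORM_NOISE_SUFFIXES = (".bing.com", ".microsoft.com", ".windowsupdate.com")
PTR_SUFFIX = ".in-addr.arpa"

# (country, destination, domain, proto), transcribed from the behavioral2 table.
ROWS = [
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "204.79.197.237:443", "g.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "73.31.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.214.232.199.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "237.197.79.204.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "26.35.223.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "103.169.127.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "15.164.165.52.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "172.210.232.199.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "175.117.168.52.in-addr.arpa", "udp"),
]


def ptr_to_ip(name):
    """'73.31.126.40.in-addr.arpa' -> '40.126.31.73' (labels are reversed octets)."""
    if not name.endswith(PTR_SUFFIX):
        raise ValueError("not a PTR name: " + name)
    labels = name[:-len(PTR_SUFFIX)].split(".")
    return ".".join(reversed(labels))


def classify(row):
    """Label one row: resolver noise, platform noise, a DNS query, or a direct flow."""
    _country, dest, domain, proto = row
    ip, port = dest.rsplit(":", 1)
    port = int(port)
    if proto == "udp" and port == 53 and ip == SANDBOX_RESOLVER:
        if domain.endswith(PTR_SUFFIX):
            return "reverse_dns_noise"
        if domain.endswith(PLATFORM_NOISE_SUFFIXES):
            return "platform_noise"
        return "dns_query"
    if domain and domain.endswith(PLATFORM_NOISE_SUFFIXES):
        return "platform_noise"
    # No DNS step and a public address: the sample carried the IP itself.
    if not domain and ipaddress.ip_address(ip).is_global:
        return "direct_ip_connection"
    return "other"


def triage(rows):
    """Per-class counts plus a counter of direct-to-IP destinations."""
    classes, destinations = Counter(), Counter()
    for row in rows:
        label = classify(row)
        classes[label] += 1
        if label == "direct_ip_connection":
            destinations[row[1]] += 1
    return classes, destinations


def candidate_c2(rows, min_repeats=3):
    """Direct-to-IP destinations contacted at least min_repeats times (assumed threshold)."""
    _, destinations = triage(rows)
    return [(dest, n) for dest, n in destinations.most_common() if n >= min_repeats]


def resolved_ptr_targets(rows):
    """Forward addresses behind the reverse lookups, deduplicated and sorted."""
    return sorted({ptr_to_ip(d) for _, _, d, _ in rows if d.endswith(PTR_SUFFIX)})


if __name__ == "__main__":
    classes, _ = triage(ROWS)
    print(dict(classes))
    print("C2 candidates:", candidate_c2(ROWS))
    print("PTR targets:", resolved_ptr_targets(ROWS))
```

One of the reverse lookups (237.197.79.204.in-addr.arpa) resolves to 204.79.197.237, the address of the g.bing.com tcp/443 flow, which is the OS annotating its own connection rather than anything the sample did. The six identical tcp/8080 flows to a single public host with no DNS step are the beacon pattern worth blocking and pivoting on.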
Files
memory/4720-0-0x00007FF797970000-0x00007FF797CC1000-memory.dmp
memory/4720-1-0x000001870A2D0000-0x000001870A2E0000-memory.dmp
C:\Windows\System\YtOnRKT.exe
| MD5 | dd35b9111dad5d1121506e60b8b952a7 |
| SHA1 | 9d710dcbc91adf9185c59268b5fe7807845fb044 |
| SHA256 | d644f31568812f4a62ffa3ffeef2b045e39730e1d2ba239cb6552cdb4b1f0c85 |
| SHA512 | 71e5c3ab86c5a735712c49716342a97cd5c691d02f84ff473ce56cdb39875c0c3aa428b6cc319ed25c9921b77a26681fcbee724387c8e8a217af566d521c18b1 |
C:\Windows\System\cHtrFwy.exe
| MD5 | c967c4408677aaac3dd3c1d61af0a09b |
| SHA1 | 14f27aadc921ae58c2d1dd005894b8a7ccb8d87f |
| SHA256 | d4c8cb091a2df780f9ae9db4c461e300cfd1f31190272858b5432bf234e2006d |
| SHA512 | f1e31b4919cb9f47a60c2e0190a8152527964b69930b226c7007c5a04758c49f6b1265a110bb35aad94b216daba8d1ecacdf34e7d9fc766f41232e6b07f2607a |
memory/1144-8-0x00007FF64EBE0000-0x00007FF64EF31000-memory.dmp
C:\Windows\System\KHyrpJq.exe
| MD5 | 761c50445548d969f5858758dee5ba3b |
| SHA1 | 52c7581f6fb67051378d1dab94fbc5b01afcdc5f |
| SHA256 | f9d9685300ae78c08f57d2255db4832678f0441dfdb8e6ea1b3b6e2103fa369f |
| SHA512 | 86740b32a7f97ff26106e97ceea8efc3096ed54e0357698a2bcc1563c881e750ebc9729a3b09357bcdefd280e2a5cb387133c816b6b9fecc2c32b83a66bc9b98 |
memory/2884-14-0x00007FF7224B0000-0x00007FF722801000-memory.dmp
memory/2404-20-0x00007FF7B1CD0000-0x00007FF7B2021000-memory.dmp
C:\Windows\System\QyRkIGn.exe
| MD5 | ec109eea81d85b2182522aa114abf97d |
| SHA1 | efd634fecd25d8b96308e5737ebf22a9d1aa3643 |
| SHA256 | a55eee968ad26e432cf90e149c1431493d120b02d5accb6c96cb866e1c8222b3 |
| SHA512 | 16eba19f58341a54a2629f84fb676baf5abb89474035fc3dc444c35889eb4a4c682ee4d43788dd53e87f2fd49cc226aad0426636a7926d3cd2d8680f47735482 |
memory/2984-28-0x00007FF7B46A0000-0x00007FF7B49F1000-memory.dmp
C:\Windows\System\pXTkuhM.exe
| MD5 | 0311fc49115635485a583afd621c701b |
| SHA1 | 5ac7a87846b5e9893c3e28ec283370ccf114eca5 |
| SHA256 | 251a2cfb6e2749ffedb1d2ecdc29e5f1eab4ffb030f09fb3e4cc0ef74094d950 |
| SHA512 | 7d1e7d6386cb605c9ef62ecad5b046eee300cd61f9fd64f1bb0c20e66bfa25fc64ef9547fe86813c6ed5108eaaa53fea6c57aca633d80509b61e9558f77480a8 |
memory/552-30-0x00007FF6FA180000-0x00007FF6FA4D1000-memory.dmp
C:\Windows\System\EPyPkcZ.exe
| MD5 | a9ca099581febaf704a5887217b838a9 |
| SHA1 | 740e3677636cc595c20ca6c8f9363e7c12a32691 |
| SHA256 | d53818ef1ba53a699c3b05825b324a08337bea3111db47b85c3836bae4f82951 |
| SHA512 | 8aad9455344b926b5abc83ca51d5c21a686f74cce7bef97b3a1373ebd50bac5e1ec6e97c57414be119e77af59528376f45d19143e926dd95ce9c42b0c13cbab8 |
memory/920-52-0x00007FF790D30000-0x00007FF791081000-memory.dmp
C:\Windows\System\gCidrhp.exe
| MD5 | e9bdc7399201725ffe4ba8c243d76e07 |
| SHA1 | fed114396174dd164ad249c4d8cdcbdd5535006f |
| SHA256 | e27468230ba33ca2a4aea131a0ac9b5ec792045b7b7c335562ca2fe3c4d8a9e0 |
| SHA512 | aceb1cbd8691a4fc0785f0ab5c31775f74cd86bf65e104b3d9ff569da4f2816c021a2b26ef0f92484192c76e5433ba970cff335b19189cc6f20abdb9b367362a |
C:\Windows\System\vGQjyrm.exe
| MD5 | 1f667da604f1e7b593f3c26bc653c942 |
| SHA1 | a2efd7c2d2047fde1b5b8d64a01a437fe41b2d95 |
| SHA256 | e4e60775677d91f1e02bf822898e10e9e6b129ec2b0abed9887c634c2d51e65e |