Analysis Overview
SHA256
a395987f48e112b908c89dac8364840a31dae010403d2889ddf2eaddfff85c29
Threat Level: Known bad
The file 2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Xmrig family
Cobaltstrike family
xmrig
XMRig Miner payload
Cobalt Strike reflective loader
XMRig Miner payload
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-06 11:54
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 11:54
Reported
2024-08-06 11:57
Platform
win7-20240708-en
Max time kernel
140s
Max time network
143s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System\jJxbTSz.exe | N/A |
| N/A | N/A | C:\Windows\System\ojVbzpZ.exe | N/A |
| N/A | N/A | C:\Windows\System\nGLaOtH.exe | N/A |
| N/A | N/A | C:\Windows\System\GsKNOBR.exe | N/A |
| N/A | N/A | C:\Windows\System\FyJMxlT.exe | N/A |
| N/A | N/A | C:\Windows\System\mGznUdA.exe | N/A |
| N/A | N/A | C:\Windows\System\oFiedFK.exe | N/A |
| N/A | N/A | C:\Windows\System\MDQRSxT.exe | N/A |
| N/A | N/A | C:\Windows\System\RbVWxoS.exe | N/A |
| N/A | N/A | C:\Windows\System\kgMfenE.exe | N/A |
| N/A | N/A | C:\Windows\System\ZexJNCW.exe | N/A |
| N/A | N/A | C:\Windows\System\DygLeSO.exe | N/A |
| N/A | N/A | C:\Windows\System\YQvbivR.exe | N/A |
| N/A | N/A | C:\Windows\System\fQTpVDO.exe | N/A |
| N/A | N/A | C:\Windows\System\Emropju.exe | N/A |
| N/A | N/A | C:\Windows\System\PCcahrv.exe | N/A |
| N/A | N/A | C:\Windows\System\YdyFFpK.exe | N/A |
| N/A | N/A | C:\Windows\System\pOjmaqa.exe | N/A |
| N/A | N/A | C:\Windows\System\sXmJALr.exe | N/A |
| N/A | N/A | C:\Windows\System\rOOXktf.exe | N/A |
| N/A | N/A | C:\Windows\System\poXinzs.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\jJxbTSz.exe
C:\Windows\System\jJxbTSz.exe
C:\Windows\System\ojVbzpZ.exe
C:\Windows\System\ojVbzpZ.exe
C:\Windows\System\GsKNOBR.exe
C:\Windows\System\GsKNOBR.exe
C:\Windows\System\nGLaOtH.exe
C:\Windows\System\nGLaOtH.exe
C:\Windows\System\FyJMxlT.exe
C:\Windows\System\FyJMxlT.exe
C:\Windows\System\mGznUdA.exe
C:\Windows\System\mGznUdA.exe
C:\Windows\System\oFiedFK.exe
C:\Windows\System\oFiedFK.exe
C:\Windows\System\MDQRSxT.exe
C:\Windows\System\MDQRSxT.exe
C:\Windows\System\RbVWxoS.exe
C:\Windows\System\RbVWxoS.exe
C:\Windows\System\kgMfenE.exe
C:\Windows\System\kgMfenE.exe
C:\Windows\System\ZexJNCW.exe
C:\Windows\System\ZexJNCW.exe
C:\Windows\System\YQvbivR.exe
C:\Windows\System\YQvbivR.exe
C:\Windows\System\DygLeSO.exe
C:\Windows\System\DygLeSO.exe
C:\Windows\System\fQTpVDO.exe
C:\Windows\System\fQTpVDO.exe
C:\Windows\System\pOjmaqa.exe
C:\Windows\System\pOjmaqa.exe
C:\Windows\System\Emropju.exe
C:\Windows\System\Emropju.exe
C:\Windows\System\sXmJALr.exe
C:\Windows\System\sXmJALr.exe
C:\Windows\System\PCcahrv.exe
C:\Windows\System\PCcahrv.exe
C:\Windows\System\rOOXktf.exe
C:\Windows\System\rOOXktf.exe
C:\Windows\System\YdyFFpK.exe
C:\Windows\System\YdyFFpK.exe
C:\Windows\System\poXinzs.exe
C:\Windows\System\poXinzs.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1992-0-0x000000013FFF0000-0x0000000140341000-memory.dmp
memory/1992-1-0x00000000001F0000-0x0000000000200000-memory.dmp
C:\Windows\system\jJxbTSz.exe
| MD5 | 1cf65f6369e6f80f18ab8bac2e97ca5e |
| SHA1 | fb9c8144bf590d9f05e92d9884d2c7201cbb0c1b |
| SHA256 | c39833a822cb741c1ade099e5238b9bed924a6fd58086c3631891a95c57f919e |
| SHA512 | 754dfec7af6d199668daa465a3ff6d90e5382aa28f5908667408b8ef0fdb616691a3a7784cc6d0a948cf037082b1c69e48b177e58127da49e757cf1675f8ba77 |
\Windows\system\nGLaOtH.exe
| MD5 | a810fd829a91e91bffbd995087b83ee1 |
| SHA1 | 21a35daf546f4acb79da92b4d27247fe51ec6974 |
| SHA256 | 5a044410df687c8829059c57c8dd530e000c7fc27fc40cf05618e77c50752821 |
| SHA512 | 2a8e7474350cb9fefa81cf9795272b930e2a85c1a55124c0a7351bde233c0737b763c423535b3c0280cd7d333b45354f693b3faa3ed6d21b34da3ed4b330f830 |
\Windows\system\GsKNOBR.exe
| MD5 | 1f4bae9581cc90cafe8709885d437e38 |
| SHA1 | 1fe596bf9b7f5d2437959dd879e1e06fbc87cd86 |
| SHA256 | bcb96fbc158bdf70120a689d6e3b4b7a86ace74b5b5815f867226c4885acad16 |
| SHA512 | 1a7114de427efe6c78d02efc36ab6aca4409a9f6fa773c8c366bf46f46288936b514b550971c35b70635b2cae122d0a8d2f1d8f788fc834e06585d14c34e82b4 |
memory/2096-24-0x000000013F620000-0x000000013F971000-memory.dmp
memory/2928-35-0x000000013F170000-0x000000013F4C1000-memory.dmp
\Windows\system\mGznUdA.exe
| MD5 | 3ee53e7819714c9cc446e4cf6801e72c |
| SHA1 | 24e56f45b11c2f5dbccb6bb944664eb37a9be8c7 |
| SHA256 | 1e95b71bf1ea93e89a21c1f927ffb4e7695b9b9f886d7ad6a6651bb8eb66f09a |
| SHA512 | b243582b0cdf20de00c9600291c9256c9ec6495ef4704852d85a107bb9061b9b4de0281233f01f0e855542df16b058430f063bb3aff021edbf4a96dabd4e3d68 |
memory/1992-37-0x000000013F240000-0x000000013F591000-memory.dmp
C:\Windows\system\FyJMxlT.exe
| MD5 | b6f037e3875e3beacedb89c51de6ee96 |
| SHA1 | ff28c65fc43259fd138cd1ed654d5d7b0119f378 |
| SHA256 | a1588d0d94df73e3ad06e8c3cc1649a942671c8ae8c0d8d469a2e58bafbfc1ea |
| SHA512 | e1d1892442d3426ea267bcaf794ce98d8f11206809c4f1cfe077edd74e80578ec90990fbdf7ec45ae76988a6e7d4504a10c2598f44e88ca05c88659340ce2f6a |
memory/2824-42-0x000000013F240000-0x000000013F591000-memory.dmp
memory/2404-33-0x000000013FE70000-0x00000001401C1000-memory.dmp
memory/2068-32-0x000000013F4D0000-0x000000013F821000-memory.dmp
C:\Windows\system\oFiedFK.exe
| MD5 | 748e4f9701110c28bff8f3e8f608fd19 |
| SHA1 | f13be73ad7a33d2098a1032f71fa38ec3c80d664 |
| SHA256 | 009678a800982e96aac9878594a2f354bcce67d45e96e967c3db7b0d32154466 |
| SHA512 | 8cc10fa6ef6de6c7d87ca19312ae0f4aceb543aa02fbc9068ffb14997cd4bf1f90b7ef1a37dc8fa3341e59d04de154e61095280522d1609fc58cffdad2119b8d |
memory/2764-47-0x000000013F970000-0x000000013FCC1000-memory.dmp
memory/1992-31-0x000000013F170000-0x000000013F4C1000-memory.dmp
memory/1992-27-0x000000013F4D0000-0x000000013F821000-memory.dmp
memory/1992-25-0x0000000002320000-0x0000000002671000-memory.dmp
memory/1992-16-0x000000013F620000-0x000000013F971000-memory.dmp
C:\Windows\system\ojVbzpZ.exe
| MD5 | 69271f177c0e2703674d8c088cfd2caa |
| SHA1 | af5762d1470bd3bcb27295e6256140f454410720 |
| SHA256 | c64ac2e06b4e912ddbb7a705f700e77320a96f91ec432bd001b76a4abc490e54 |
| SHA512 | 65cc2114a8b6f7b4905a0ce28edbd66004419c916a5dc405f3dc8f103f8a38732c02326a2266739d1a36134043d7a5ade5d2ca7aa8190066d48edb722cad99a9 |
memory/2376-8-0x000000013FE30000-0x0000000140181000-memory.dmp
\Windows\system\MDQRSxT.exe
| MD5 | 942f2e610fdd840ce432373bb54fa59f |
| SHA1 | 9bb738f63f32d065c0fa3026f29188e5ccac09a6 |
| SHA256 | 6e96ebbf33f6b9f6f4a95572a3c74fb4ff41088412995ddf55592cee4002d131 |
| SHA512 | 2b238dde67df2452a3ccfc138ce097bb1b1649fcf91a6630428c5cab691955a91a5c3dbe6344a9d8b3f94bf2780acf37ab89a7b35bc4722367edb6172e7843ed |
memory/1992-55-0x000000013F7E0000-0x000000013FB31000-memory.dmp
memory/780-56-0x000000013F7E0000-0x000000013FB31000-memory.dmp
memory/1992-61-0x000000013FFF0000-0x0000000140341000-memory.dmp
memory/1992-63-0x000000013F210000-0x000000013F561000-memory.dmp
C:\Windows\system\RbVWxoS.exe
| MD5 | fbec11f635d5cdfa92ef9d1e6045d86f |
| SHA1 | 5e2961976b899ad0c0706f443c0a719e582c2a43 |
| SHA256 | 9766b3cba12972cedba3308992c593b10097fd3171d0d10d250f846b31828156 |
| SHA512 | 78723bfd6b684f5bcbec2e4405519c5450bd1d06987c7245010d6c8604c87072f76d95ef87be915df56aaf8c9c01be348c7379550ba07510ee753318adc257c4 |
memory/2476-64-0x000000013F210000-0x000000013F561000-memory.dmp
memory/2376-65-0x000000013FE30000-0x0000000140181000-memory.dmp
C:\Windows\system\kgMfenE.exe
| MD5 | 46ad5cfc6cec631c94a672f4d4ccba47 |
| SHA1 | 4472981b05b09790dbc05e7d9d58addf2c466f2a |
| SHA256 | b09a2d88b02cd8a7887ceacde3c90ce1511edec695cf326ef2f60ca5e6a972c5 |
| SHA512 | 73aaa6ed81a8f11e54201bb9e22ec1ed7bd84fc52f47ef43d1823de68ce7f2ccf179179778d6606c71f7dba62db812337960edb8de23b2ef8114c5836510d0c4 |
memory/2624-72-0x000000013F520000-0x000000013F871000-memory.dmp
memory/1992-71-0x000000013F520000-0x000000013F871000-memory.dmp
C:\Windows\system\ZexJNCW.exe
| MD5 | 6251a36e3d33701541f84fe84b3dc689 |
| SHA1 | 25ddd75f69bdb41b0ae77a192496c4c9278262a5 |
| SHA256 | e03224ee742e7ab9f90bfcb6f5d093b3844b373f3172214a832b0d810cca95a9 |
| SHA512 | 1de530dd4f7dfb75cd6b935ebab5697237140f00977bd0c05ff916422e76034f1704fedabc77233a68c4e92eb9e274e90dd8bf076d035b338bfd9ff036285cce |
\Windows\system\DygLeSO.exe
| MD5 | 58101e12a412df5900c3d89445ae0de5 |
| SHA1 | 5b91e4e415217ec4bba01eb96e6c1b2a56d02b35 |
| SHA256 | 1b70d7cc010052ae3f59436063418343aa60d5276efc3476ad41481c53130586 |
| SHA512 | f2e35e0b3dac04cf10385676bcc647c8a11f95e0188ad176aeff2c7595750aecdc58271b347b594aef889501c638330c5e30578cca8ac4eb8d2878426e8c9755 |
\Windows\system\YQvbivR.exe
| MD5 | e519a115dcbbb7b07bbd76d20bdb4e55 |
| SHA1 | 92949e7c023a8378bfef0d36fa5b54f9186b1cce |
| SHA256 | a8b8a4b3b9f93fe3df2c2c96bcc616fbb083e1f10c02d6e103f595e2b0ee48d6 |
| SHA512 | c4fe15741abfabf2cd8f1555aea1b28ffcb264881b8c8da27f56d1da64371ed23b49e5aca2622fb0f9f4bda58ae6e143b01bbb640750d2ffd63496cba09a3670 |
C:\Windows\system\fQTpVDO.exe
| MD5 | 5a81031a2f7450c99e5a31a078d9c18b |
| SHA1 | 349c28466f3fad49021455c2ca906e575923438e |
| SHA256 | 2fa22571fe22f5ec9ad67473f30a589987f654d6ece81a48b21e6f72181ad3ae |
| SHA512 | 6527cb20da03a793db03385e88975fc8871d02b731dc91f8628fca28b7e61b759775fc1b38d832c4eb9bb65538532a16639fd25a5b542ef0544eb2f947544863 |
memory/1992-103-0x000000013FC10000-0x000000013FF61000-memory.dmp
memory/2928-122-0x000000013F170000-0x000000013F4C1000-memory.dmp
memory/1992-125-0x000000013F0A0000-0x000000013F3F1000-memory.dmp
C:\Windows\system\pOjmaqa.exe
| MD5 | 21c302bc7cb99c5612c3e11a5419f048 |
| SHA1 | 77f3ca7776841da8ef1f02593c132fc001a419ad |
| SHA256 | 2d68b7b711e8694fd01575dfa3f78991413e7bbbb07a9632d4e1db5a8d676e24 |
| SHA512 | 0ce4d0f20e5d5e79e1f529247b0e36e4095c12da5dd30893580ee1fec6ccaa716614e23fc6c82ccf565c88e92fe27c4b075cd009dca5a3f182156b076dae95fa |
\Windows\system\rOOXktf.exe
| MD5 | d90df82ec0e6143fc673eddea478df1d |
| SHA1 | cb6027965d4cf828c9c53b29167cfaef5b1c7914 |
| SHA256 | a3d22b110938287d08a2f2927b97ba11dea67ca31594ef0657c29e4fa5d8e82d |
| SHA512 | 4d3caafaa2038f01a0eba1dc30d97d4bbacc069d77dd606e3af246428db799ec7d5caba52e03d5aea2a2b61550e3fffe0527a2a47372d29473d4530ab00edd60 |
\Windows\system\poXinzs.exe
| MD5 | c75392f690180727434e0170153ea57a |
| SHA1 | 582c26c7c8bb3e57f242d02efba7fd2772aee945 |
| SHA256 | 67b6f7b16a9de86a1f54f424d3840b60c7cc66253a7446f1936997bdf2aed990 |
| SHA512 | 2ccae5c17727ac435cdf9fc68fa1cf9349575ed1259cfda4d95b108e73599dbbca700651fe9794ecdb96be73e4e305807510934f7f403063e9d2e2cc9d4a429c |
C:\Windows\system\Emropju.exe
| MD5 | f991e097309a9c4d9de7c6628d735e07 |
| SHA1 | fa2f583ba0041863107a2a3804939a07f2f2d266 |
| SHA256 | 94c0eacbfd4dd676ed6506deda20f71a3ef7ce3aa72b27d2727a15c8de89a9a9 |
| SHA512 | ec0567ed16e83551fdd6e5ce45780fef4d0eb68cbc88dd10883c41836b7ba50779811e1def3bcf61897355eddbc8dd2f428635d7fc01e7c4c8e30b4794c3acbf |
\Windows\system\sXmJALr.exe
| MD5 | 10f0d556df8c592352af2640fb9f121f |
| SHA1 | 7a1e34e39543d2443a6bace6bb52803c935aeb7d |
| SHA256 | 5845c410bf25c3a750aca5ebfa3f336db2bcbd2954d41701860f1367816e4313 |
| SHA512 | 83c7b122abe8e96c35485a33af17e998987ba1806b8ff424be8052049c57c5e5b7b71588ce5efcc7bd0fd762e7e08c3f071f525adcd2674219d9ce28e081e09f |
C:\Windows\system\YdyFFpK.exe
| MD5 | 72f7703471fad33b1b8f518a9a4e3c84 |
| SHA1 | 62de07dd84cbb9ddf281ecf9b8b3c87ec64483ba |
| SHA256 | deafc3388226bf157dc78d5900a7e478f52ee48371368020699e1f90833c8d1e |
| SHA512 | b5d04c32964c6ec255b1e7fdf60e7bf23b1b01d561966bd0d85411508d9fafa91995643ad7a0407f8a68c324c8fa80cddbee4b69876d4ed9087e4e3f89b47c92 |
C:\Windows\system\PCcahrv.exe
| MD5 | 04ff372d8eab7e06760ae3cf87699a44 |
| SHA1 | 6d3e0ee4cdde2e10f57f49ab27467dcca5d21bbe |
| SHA256 | d64bcbda9819ee306dce9d8e617b7ce56110bfea33f05e013d1892134101d78e |
| SHA512 | 5de2c05d6673cf2aabe1c03edb8c0853254c194d07bf8550312b7c9fd5ce5eec1470ec31e4b5a85236b420e4f5ff7331b2423ade28edd56c5d4ac25b2260b11b |
memory/2352-121-0x000000013FC10000-0x000000013FF61000-memory.dmp
memory/1992-97-0x0000000002320000-0x0000000002671000-memory.dmp
memory/1996-96-0x000000013F090000-0x000000013F3E1000-memory.dmp
memory/2784-95-0x000000013FF40000-0x0000000140291000-memory.dmp
memory/1992-94-0x000000013F090000-0x000000013F3E1000-memory.dmp
memory/2504-87-0x000000013FF20000-0x0000000140271000-memory.dmp
memory/1992-135-0x000000013F240000-0x000000013F591000-memory.dmp
memory/2824-137-0x000000013F240000-0x000000013F591000-memory.dmp
memory/2764-138-0x000000013F970000-0x000000013FCC1000-memory.dmp
memory/1992-139-0x000000013FFF0000-0x0000000140341000-memory.dmp
memory/2504-150-0x000000013FF20000-0x0000000140271000-memory.dmp
memory/2508-155-0x000000013F980000-0x000000013FCD1000-memory.dmp
memory/1208-157-0x000000013F9A0000-0x000000013FCF1000-memory.dmp
memory/1976-160-0x000000013F1E0000-0x000000013F531000-memory.dmp
memory/1992-161-0x000000013F210000-0x000000013F561000-memory.dmp
memory/1652-159-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/636-158-0x000000013FFC0000-0x0000000140311000-memory.dmp
memory/292-156-0x000000013FE70000-0x00000001401C1000-memory.dmp
memory/2880-154-0x000000013F0A0000-0x000000013F3F1000-memory.dmp
memory/1992-162-0x000000013F520000-0x000000013F871000-memory.dmp
memory/1992-163-0x0000000002320000-0x0000000002671000-memory.dmp
memory/1992-164-0x000000013FFF0000-0x0000000140341000-memory.dmp
memory/1992-173-0x000000013F090000-0x000000013F3E1000-memory.dmp
memory/1992-174-0x000000013FC10000-0x000000013FF61000-memory.dmp
memory/1992-188-0x000000013F0A0000-0x000000013F3F1000-memory.dmp
memory/2376-213-0x000000013FE30000-0x0000000140181000-memory.dmp
memory/2096-215-0x000000013F620000-0x000000013F971000-memory.dmp
memory/2068-219-0x000000013F4D0000-0x000000013F821000-memory.dmp
memory/2404-218-0x000000013FE70000-0x00000001401C1000-memory.dmp
memory/2928-221-0x000000013F170000-0x000000013F4C1000-memory.dmp
memory/2764-224-0x000000013F970000-0x000000013FCC1000-memory.dmp
memory/2824-225-0x000000013F240000-0x000000013F591000-memory.dmp
memory/780-227-0x000000013F7E0000-0x000000013FB31000-memory.dmp
memory/2476-242-0x000000013F210000-0x000000013F561000-memory.dmp
memory/2624-244-0x000000013F520000-0x000000013F871000-memory.dmp
memory/2504-246-0x000000013FF20000-0x0000000140271000-memory.dmp
memory/2352-249-0x000000013FC10000-0x000000013FF61000-memory.dmp
memory/2784-250-0x000000013FF40000-0x0000000140291000-memory.dmp
memory/1996-252-0x000000013F090000-0x000000013F3E1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 11:54
Reported
2024-08-06 11:57
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System\mmROltr.exe | N/A |
| N/A | N/A | C:\Windows\System\ISObBQO.exe | N/A |
| N/A | N/A | C:\Windows\System\pklsYMU.exe | N/A |
| N/A | N/A | C:\Windows\System\VGosjVs.exe | N/A |
| N/A | N/A | C:\Windows\System\WhGHSLN.exe | N/A |
| N/A | N/A | C:\Windows\System\wQebiKU.exe | N/A |
| N/A | N/A | C:\Windows\System\nKBVPHw.exe | N/A |
| N/A | N/A | C:\Windows\System\LLMldGU.exe | N/A |
| N/A | N/A | C:\Windows\System\yqfOVvT.exe | N/A |
| N/A | N/A | C:\Windows\System\vHennrh.exe | N/A |
| N/A | N/A | C:\Windows\System\vydhAxR.exe | N/A |
| N/A | N/A | C:\Windows\System\YqrSWdA.exe | N/A |
| N/A | N/A | C:\Windows\System\JHwWygI.exe | N/A |
| N/A | N/A | C:\Windows\System\zeZTbil.exe | N/A |
| N/A | N/A | C:\Windows\System\omTkdxC.exe | N/A |
| N/A | N/A | C:\Windows\System\NJgsEKx.exe | N/A |
| N/A | N/A | C:\Windows\System\JYssWgW.exe | N/A |
| N/A | N/A | C:\Windows\System\MzzipPB.exe | N/A |
| N/A | N/A | C:\Windows\System\kvOkbME.exe | N/A |
| N/A | N/A | C:\Windows\System\nVgaBlP.exe | N/A |
| N/A | N/A | C:\Windows\System\AifFnKR.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_70dc739f2045a9bdda86af2b0af68d5f_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\mmROltr.exe
C:\Windows\System\mmROltr.exe
C:\Windows\System\ISObBQO.exe
C:\Windows\System\ISObBQO.exe
C:\Windows\System\pklsYMU.exe
C:\Windows\System\pklsYMU.exe
C:\Windows\System\VGosjVs.exe
C:\Windows\System\VGosjVs.exe
C:\Windows\System\WhGHSLN.exe
C:\Windows\System\WhGHSLN.exe
C:\Windows\System\wQebiKU.exe
C:\Windows\System\wQebiKU.exe
C:\Windows\System\yqfOVvT.exe
C:\Windows\System\yqfOVvT.exe
C:\Windows\System\nKBVPHw.exe
C:\Windows\System\nKBVPHw.exe
C:\Windows\System\LLMldGU.exe
C:\Windows\System\LLMldGU.exe
C:\Windows\System\vHennrh.exe
C:\Windows\System\vHennrh.exe
C:\Windows\System\vydhAxR.exe
C:\Windows\System\vydhAxR.exe
C:\Windows\System\YqrSWdA.exe
C:\Windows\System\YqrSWdA.exe
C:\Windows\System\JHwWygI.exe
C:\Windows\System\JHwWygI.exe
C:\Windows\System\zeZTbil.exe
C:\Windows\System\zeZTbil.exe
C:\Windows\System\omTkdxC.exe
C:\Windows\System\omTkdxC.exe
C:\Windows\System\NJgsEKx.exe
C:\Windows\System\NJgsEKx.exe
C:\Windows\System\JYssWgW.exe
C:\Windows\System\JYssWgW.exe
C:\Windows\System\MzzipPB.exe
C:\Windows\System\MzzipPB.exe
C:\Windows\System\kvOkbME.exe
C:\Windows\System\kvOkbME.exe
C:\Windows\System\nVgaBlP.exe
C:\Windows\System\nVgaBlP.exe
C:\Windows\System\AifFnKR.exe
C:\Windows\System\AifFnKR.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 216.131.50.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4120-0-0x00007FF711810000-0x00007FF711B61000-memory.dmp
memory/4120-1-0x0000025141BA0000-0x0000025141BB0000-memory.dmp
C:\Windows\System\mmROltr.exe
| MD5 | 49d7aca535240090e420e1e2b3418974 |
| SHA1 | cb8a615df10175e4c0e4f092f1127a3a54439244 |
| SHA256 | 34c0ffd25f48a338e99e2fea9feca5cd142af682f1df0f1cb958f0a4de1bf2b9 |
| SHA512 | b1f549e2c8245c9c9bb6eb9bebd5f34ea2b858aed726a2f454b656b89cda126abc358515af705c1ed2e4d0458d6649627f5432a80053b241479fef811053df93 |
C:\Windows\System\pklsYMU.exe
| MD5 | 4b7d5c58600634875f12b5b08523e76d |
| SHA1 | 68b8a2ecdcb04c5839db8e646a34ae035734eeff |
| SHA256 | ef658c1758fae750aeb0b94a738fb585022106a57cc45e33616cb026ddd28ecd |
| SHA512 | 5a82f7eb29e9dfeca690c10e2bf762779f39c95a3677eb377f948a5d4b11bb94e36988f3b49ae1ac796502653d00444f1476b7443e9809307a4902c44a6c52d3 |
C:\Windows\System\ISObBQO.exe
| MD5 | 584d11fff8ac0a1754b914bd87d36b9c |
| SHA1 | a2491d58a39532212c9c334fe481950d10cf41b6 |
| SHA256 | 5b4dc6b779685c85cb88cadfdb7161cb5c2e56a68b0acd6f1c09e1989658fd9f |
| SHA512 | 2e7240262e26faa7d660d00bd1ea2f6222de2907f0cb8ae5c862ebbb496fd4541b64d3ac2b06d8377acf58093ba4c7ed6ef65cbef90a15492930ad7878f2566f |
memory/4820-19-0x00007FF6F5790000-0x00007FF6F5AE1000-memory.dmp
C:\Windows\System\wQebiKU.exe
| MD5 | 53e8f9ef8816aea4b2b7af66a6382074 |
| SHA1 | eb0998868d7fb4aa811a31bcd9208734a2e9c234 |
| SHA256 | d37dff07877c099cd806aff40e8b8addd14b667c00eff4957f5cc2345151ef53 |
| SHA512 | 2a7bf8e45b5dbaeb994a4dfd0dbc38375f51c3395bc1f84e59bb5a569a13aeb7c55fda787cfb3a91e13adb520fe5392bfa5b60ea06a75c2262b15811de09b60b |
C:\Windows\System\nKBVPHw.exe
| MD5 | bd745a4e816a29a7f0276cd64cec227d |
| SHA1 | 5fcb9359437af517828643bbdc261cdd74837861 |
| SHA256 | 6cc97089b6e25cab6463d388c5ca51821e49aa3920b35c6497c74a5eb7f1ab86 |
| SHA512 | 30900d102b82eb43e7ee0272adc0204f6b3478e4fb3804160a35a1db71c3b0a2069f4d64d41d2e0c3257f43e50a6b07642b6c1f0cd754b1ce2b884ccb7d76cfd |
memory/3984-47-0x00007FF78E570000-0x00007FF78E8C1000-memory.dmp
C:\Windows\System\vydhAxR.exe
| MD5 | 923656be8392d49121559cbd4993c429 |
| SHA1 | 2e2a4e12cc13a7fc0b3a09b3f6474d783a8a5f09 |
| SHA256 | 3db2e1925bed877f96cbfb5e4789a4796cddd9647c5a7d534b5c67f802622b6d |
| SHA512 | 5db6a0b5c9887dd95721924920747636269c77af84ff4f08736c02cf3e05e61270c07ffb19c6f0fdd1ebbd25cb61b61a7a8884a2121a7084c5a2cc24c9e17501 |
memory/1576-76-0x00007FF699B30000-0x00007FF699E81000-memory.dmp
C:\Windows\System\zeZTbil.exe
| MD5 | d8b4d430ff779f7d89c1ba8450add420 |