Analysis Overview
SHA256: f51ef87b6fa51cb4753b3ea1c8ad4c0124ef922ec5563d14e509810845434f49
Threat Level: Known bad
The file 2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobalt Strike reflective loader
XMRig Miner payload
xmrig
Xmrig family
Cobaltstrike
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2024-08-06 11:53
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-08-06 11:53
Reported: 2024-08-06 11:56
Platform: win7-20240708-en
Max time kernel: 140s
Max time network: 144s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\FCruoHJ.exe | N/A |
| N/A | N/A | C:\Windows\System\SqYpWpE.exe | N/A |
| N/A | N/A | C:\Windows\System\njTGBGo.exe | N/A |
| N/A | N/A | C:\Windows\System\nhCRGOD.exe | N/A |
| N/A | N/A | C:\Windows\System\vazVQqG.exe | N/A |
| N/A | N/A | C:\Windows\System\aZZymwz.exe | N/A |
| N/A | N/A | C:\Windows\System\cmjKBpI.exe | N/A |
| N/A | N/A | C:\Windows\System\pgxhDcS.exe | N/A |
| N/A | N/A | C:\Windows\System\CzpoPoR.exe | N/A |
| N/A | N/A | C:\Windows\System\bxYuiAu.exe | N/A |
| N/A | N/A | C:\Windows\System\SZTcCSG.exe | N/A |
| N/A | N/A | C:\Windows\System\ESvxbyz.exe | N/A |
| N/A | N/A | C:\Windows\System\WtXcFLg.exe | N/A |
| N/A | N/A | C:\Windows\System\HYQcgIK.exe | N/A |
| N/A | N/A | C:\Windows\System\sTVOqPa.exe | N/A |
| N/A | N/A | C:\Windows\System\FvOlgxx.exe | N/A |
| N/A | N/A | C:\Windows\System\KTKMURB.exe | N/A |
| N/A | N/A | C:\Windows\System\aEyVQvD.exe | N/A |
| N/A | N/A | C:\Windows\System\GGpAUIK.exe | N/A |
| N/A | N/A | C:\Windows\System\OpmcMFc.exe | N/A |
| N/A | N/A | C:\Windows\System\BTxsEpo.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\FCruoHJ.exe | C:\Windows\System\FCruoHJ.exe |
| C:\Windows\System\SqYpWpE.exe | C:\Windows\System\SqYpWpE.exe |
| C:\Windows\System\njTGBGo.exe | C:\Windows\System\njTGBGo.exe |
| C:\Windows\System\nhCRGOD.exe | C:\Windows\System\nhCRGOD.exe |
| C:\Windows\System\vazVQqG.exe | C:\Windows\System\vazVQqG.exe |
| C:\Windows\System\aZZymwz.exe | C:\Windows\System\aZZymwz.exe |
| C:\Windows\System\cmjKBpI.exe | C:\Windows\System\cmjKBpI.exe |
| C:\Windows\System\CzpoPoR.exe | C:\Windows\System\CzpoPoR.exe |
| C:\Windows\System\pgxhDcS.exe | C:\Windows\System\pgxhDcS.exe |
| C:\Windows\System\bxYuiAu.exe | C:\Windows\System\bxYuiAu.exe |
| C:\Windows\System\SZTcCSG.exe | C:\Windows\System\SZTcCSG.exe |
| C:\Windows\System\ESvxbyz.exe | C:\Windows\System\ESvxbyz.exe |
| C:\Windows\System\WtXcFLg.exe | C:\Windows\System\WtXcFLg.exe |
| C:\Windows\System\sTVOqPa.exe | C:\Windows\System\sTVOqPa.exe |
| C:\Windows\System\HYQcgIK.exe | C:\Windows\System\HYQcgIK.exe |
| C:\Windows\System\FvOlgxx.exe | C:\Windows\System\FvOlgxx.exe |
| C:\Windows\System\KTKMURB.exe | C:\Windows\System\KTKMURB.exe |
| C:\Windows\System\aEyVQvD.exe | C:\Windows\System\aEyVQvD.exe |
| C:\Windows\System\GGpAUIK.exe | C:\Windows\System\GGpAUIK.exe |
| C:\Windows\System\OpmcMFc.exe | C:\Windows\System\OpmcMFc.exe |
| C:\Windows\System\BTxsEpo.exe | C:\Windows\System\BTxsEpo.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\system\FCruoHJ.exe
| MD5 | 0eec8de02a741f0debd4479c0dee85c5 |
| SHA1 | b77d32862bab36989c1c9b9cae1057b1998e1234 |
| SHA256 | 5d98fb9255566ef056795ccd1163f9ba002de6feb9911deefa4bc044cdfcdd6d |
| SHA512 | 0cc37ad15255631d54ac7e7fe5552f01498a102a7c654676f4909880f29b4ba3c42303da5d8bb97ccd51b328cd0bdf0cbeed4a10b500f57434ce370690936ca9 |
\Windows\system\SqYpWpE.exe
| MD5 | f6044e32819635975117b629fbb8c82b |
| SHA1 | e1ee98de8ebd20e99a67958ad1bb755e9995cc70 |
| SHA256 | 8a01008e713a581bac6adb000122d19aa09fe3a894e6e41597789f6cf35f9fd0 |
| SHA512 | df4e1ebcb764aafe9e32b18668c6a0e2d8952231b0b2dfca0d6b524889c22ecae3fcf79c9af6539923a84c2e213f41938326fc2344f875033ac50e0fd7f329f2 |
C:\Windows\system\njTGBGo.exe
| MD5 | 014ef89643e088e59729bb9fdcf19102 |
| SHA1 | 48b18171db63a9e523d0b7c330ac59c04853c32d |
| SHA256 | 8dd5e0e427a438b208847315584fcaaf4a8b2342a987c9243607dac7334e04d4 |
| SHA512 | aa36bef1d221c87256c83c81d2a9daa1489f4b29115739033ac1fa78fdc1442a0155fb76d1313034893b187f6c619623b1a4f17cba0ad48290913738d30e9f51 |
C:\Windows\system\nhCRGOD.exe
| MD5 | ee6bf19d879bc3198b897fa985412ed4 |
| SHA1 | f703dc3efd5e0500dce82d6a25d71a15f877e11d |
| SHA256 | b37a7a080b22846fcff3a625bf72978c5445fc9719e3ce86ea73c6abdb1a9901 |
| SHA512 | 7d0166f7e5029cf4453cceb5938edf0b53d031717f6df3926f309c5bdf7750e4c337d4db20ac7b678c4a18ab771678cda43a624a8ce67181813b5eab582f33a5 |
C:\Windows\system\vazVQqG.exe
| MD5 | 848b688a7be8c6a99c738a9a2202c644 |
| SHA1 | 29bdcc65ea68a268528291b83a2a45f9b5679525 |
| SHA256 | e2861db6cbf8c6611c0921de0cd392bf1c40d10439e29532c00e1297ca579031 |
| SHA512 | a812a85d4325558b0b6a3325231d56b46eeeb1ff49b3a0890101ffbe11413fa479977743bdc7320317fe6837a00dc9fa69b1896092a67dc20dfac339a01b353c |
\Windows\system\aZZymwz.exe
| MD5 | 1f5b2554a12a5519fcbd3559101cef20 |
| SHA1 | e24f1734a9ff6fd484a95e3e679451d456b0c0a2 |
| SHA256 | 9e86e0c00b770244fad39fe2a40cd2d868ea8bdedeaa333603f2424b9376b2f8 |
| SHA512 | 4759b9470dec7fff2236adfcd5371813187ebea9a2388096ef718b155f0725980aaf5099341cf3a8080a92e946cbdaf991d332db225557e04f8b93893445f5bf |
\Windows\system\CzpoPoR.exe
| MD5 | d304bef3c1a2482e482818905cbfceb0 |
| SHA1 | fba33592968535e100dbda73e9c958b31b70fa9f |
| SHA256 | 6c5e32b1cb55a714b07b411ba5720afd1abe1bc5b0e2ed7354c673e22c49bf53 |
| SHA512 | da5b3c2e4d389b3097eb16db560db7459ca2f3482c7fa56821e37116e034f6dcb1c68229cfdbf18eb903fa3b965f49662193389228798bfbb4396959effeb4fd |
C:\Windows\system\SZTcCSG.exe
| MD5 | e24c8692d4e565fde31d5a1b20aac982 |
| SHA1 | b345083134157ea3a1570277c172fd36b7e3b865 |
| SHA256 | a3ea71c9442270bfb4faa39c51ea9027e06cee9500ed5414fec5ad207ba21824 |
| SHA512 | 0d3990ccdb4b0b023c911d9526b5aad5faad3af8911668a57c38ce3886d1f43c0ba758fc76d1b5f4307742a01fb4a88d54259074e17e64a3702d6768ee280f7d |
\Windows\system\HYQcgIK.exe
| MD5 | 4e0d1407da6a0739efb274cc36efc9cd |
| SHA1 | 8325a4c5328a91574d4b1d9ba55ce92acc22efaa |
| SHA256 | 720b1c06c169a1438c520870a23808c2ebed0690c59a4242b5c4a0b815248102 |
| SHA512 | c8d49acfb6479f117de739383ef79c074ea6827ae19b8618f1ed372d71d26dd5df52d05311ad4233edb259e4087d47ffd2101880fd59df0b52f978c53ac7fa51 |
C:\Windows\system\WtXcFLg.exe
| MD5 | 4153e763f2ad5adbf15d2fa30051f92a |
| SHA1 | 4c5f12b392c37e9d9da9751160df25cbd7c78f5c |
| SHA256 | 438da61d40b5b95ba71cfad7bd4d276b6a59d8b70c55a8387a857f33d68dc5d6 |
| SHA512 | e4ce26ed2d4093e88679852f9cf8363a2e0cf8db807c1d82f09698ae0dc28d09740e6438bee1ae10c7c245d2d7276fa76ae1ea6e6474dae82477f30c87d898f3 |
C:\Windows\system\FvOlgxx.exe
| MD5 | 10edcf11420df28c83b2f4bc8f1c7e08 |
| SHA1 | 344db61bee92c7a77a0093843f103733603a0ae0 |
| SHA256 | de87e11799596e654b387e780caeb48bb42ef7b262b5522c29f44cedb47d11f0 |
| SHA512 | 780129278a9d1f52285efd017876ff5b983642640ac3a8ac695d854a7bcadd5cf44d32b118f7921f2a7998697dfad08a21953fb0bf4b07a8c83a19deed5cebc3 |
C:\Windows\system\GGpAUIK.exe
| MD5 | 1a66abe6544d488d2cb4f1767df41394 |
| SHA1 | b9507b731360bf539e5aa647680c43fbde964918 |
| SHA256 | b154a1f5dd62c52912fbd9afcef2fdd210434a1a2c001f7faf4b1d9c96e422ed |
| SHA512 | 5d188d60f8f8cd5f3b73d5d2943338177c7b92427f725fde91c2a4879bef8c48aed775bc7b586c54fbdfb485e577576374a724a9d11e36f42014e56e68c2a0a6 |
C:\Windows\system\BTxsEpo.exe
| MD5 | d4087772c813bd4cf3f7910d3252e2fc |
| SHA1 | 02ce94350266cfaf72c1975232fafe08538b4b12 |
| SHA256 | fa5fc7f8ed6711d741204baebea02b1a5fc6eb78e0d86dbfd24c6eea7162b298 |
| SHA512 | 5285242959d28d0c7d1f3b2c72857ddd8d92e51e6dc0de25b4c960f7df5d269f8d044e3711d4d49b8fbdd426a44833da7bef96c04bd4bdd622ee3db452753775 |
C:\Windows\system\OpmcMFc.exe
| MD5 | 1c6dd83688e5f110ed68b6d25811c61a |
| SHA1 | 45456e752c6fd129e34ad3971b7fa099a8a19c49 |
| SHA256 | 643bcf533e61802ec0b80c4eb1db5999752351fd9b557e8d8f1e5cffcef89a73 |
| SHA512 | 855029293a0a5c86d06af5139c67f4c57d34fdf90e749f1796706d23766d727a1655acfa24072bbcddcbcd349fc51e94f9c84403733e959209d77bcfc9827c65 |
C:\Windows\system\aEyVQvD.exe
| MD5 | bdeb879932e12a8e1b44a49b34854f58 |
| SHA1 | 290b002882662aba64bd0a0eeea66da8147897a6 |
| SHA256 | 2cea684e94bd7571f33681231da27b959ba360f56440e5b93f5f495a9d020388 |
| SHA512 | 0efa5cfecc29325940509583961a48f18a3284c05e11ddd1f16c85a58ae07a3b1c69cf9dde4a9902910f13af96655947f0c3cbc5e0a575fa5b0dc198ba89d122 |
C:\Windows\system\KTKMURB.exe
| MD5 | d8b4392a55c31875c0bc63a7c16ceb1e |
| SHA1 | b50ec8a56c4eb4b1882df4774d77534d15eb1379 |
| SHA256 | 0047717e1f8011a052805c5f0a3d15b4df5b39bc86eb4075c41c062d06236c32 |
| SHA512 | 239b1177ed0ead04f4a1b384c9e51ad75d6a408b15b6606358a8e8063c7c7c3de86df8dfe4457f0bc90a5569f57a2b77e0a7a99fbfbeb128d13e585cf7c92ca8 |
\Windows\system\sTVOqPa.exe
| MD5 | c93b55111845d703a4d0bd93c90e55d3 |
| SHA1 | cec30b20c288eaae73d5f057ca4da939f16dcfcc |
| SHA256 | 9a6f465687309b28c786d43da870ed80f9a33ac7ffbe25634f8c0e6d25922a67 |
| SHA512 | 82cd3bc3d330b05e9856e832b38283604f581965d511551f3e100c9176d82e4074431a39b7250f00235d0a8d105f83ba993708c2f5e3c4bf6e8501d986d05e56 |
C:\Windows\system\ESvxbyz.exe
| MD5 | c8edb1669996e8f1be71afb0b623abdf |
| SHA1 | 69885fac1b81b9ac0c683aff362f7f08c6473534 |
| SHA256 | 15027974eb72be839b10ec9ee95d4bf9d04526f6962ca951b1eefa8d2e30539e |
| SHA512 | dba43bd8f6a7f236fbfadbd858e609964282b4e588a59458226c4466f79cd656f51738d7d9eb43e3320c1dc267563dd06f0f38d7d4e77526efe3b16ef8bd6437 |
C:\Windows\system\bxYuiAu.exe
| MD5 | 0508cace9c650a5e9acef75140a2196e |
| SHA1 | 1b5f21c155150d05caa637215f015206fff4cebd |
| SHA256 | 990033269682f2e4439aeff3e260c9e374d6b8c7a51b586ead74002041548a14 |
| SHA512 | 25efd64f700b65f9b0de48bc922001e0d39f13d3cd7471872ee0e30627e97395817355b62783eb6af2e68b7062aa72aab2ebcb4e5cd201bcb7eba8c67794b96e |
C:\Windows\system\pgxhDcS.exe
| MD5 | a4a64a79ee9d5229f328c0d4dac4d79c |
| SHA1 | aa61bb6572ae1703b3e72ee7f3428e743a03b35d |
| SHA256 | bdee92f1ec6e9183d3a68dd55ebab113aaa62da36dd4bb449eb7c09dd861aba6 |
| SHA512 | c6fde72887f79a40cccbb960a588f835f41f349c7c7c004095461deae4dc8afcab88c3bd0a25f1e7f89e89a3e92fb491477acadf933f8ac761198f0aeb709a64 |
C:\Windows\system\cmjKBpI.exe
| MD5 | 30afb897bfcb2780d68964e4a01c0025 |
| SHA1 | a6f078ef42b6a5cc30c60cd8f874df91776c2285 |
| SHA256 | 27330fb5bb780756eb73bb0716432c234e7b91acfac2aff59cb7287d76253ebc |
| SHA512 | 3e170bf27fa32d477257c409b70b0229fe521f365dfeb1ded76fca360c9b8b9566fd679fdeca7c012152f2c2beb14b32dad152f15dc9af1d33798fe31398e6a5 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-08-06 11:53
Reported: 2024-08-06 11:56
Platform: win10v2004-20240802-en
Max time kernel: 140s
Max time network: 146s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ImLZHaB.exe | N/A |
| N/A | N/A | C:\Windows\System\nhSpZYt.exe | N/A |
| N/A | N/A | C:\Windows\System\ObClSRs.exe | N/A |
| N/A | N/A | C:\Windows\System\Vhgcbqo.exe | N/A |
| N/A | N/A | C:\Windows\System\TJwQlXJ.exe | N/A |
| N/A | N/A | C:\Windows\System\kjDlAeU.exe | N/A |
| N/A | N/A | C:\Windows\System\mXgutWS.exe | N/A |
| N/A | N/A | C:\Windows\System\UGajMqv.exe | N/A |
| N/A | N/A | C:\Windows\System\rQpwkuM.exe | N/A |
| N/A | N/A | C:\Windows\System\otzBpNB.exe | N/A |
| N/A | N/A | C:\Windows\System\nYhCrEW.exe | N/A |
| N/A | N/A | C:\Windows\System\EsrnHYp.exe | N/A |
| N/A | N/A | C:\Windows\System\UuooZQS.exe | N/A |
| N/A | N/A | C:\Windows\System\Uhatwvo.exe | N/A |
| N/A | N/A | C:\Windows\System\GwtRbXm.exe | N/A |
| N/A | N/A | C:\Windows\System\OTCpngA.exe | N/A |
| N/A | N/A | C:\Windows\System\bbYvyng.exe | N/A |
| N/A | N/A | C:\Windows\System\YAdVZMJ.exe | N/A |
| N/A | N/A | C:\Windows\System\roqNLbj.exe | N/A |
| N/A | N/A | C:\Windows\System\VZUGABZ.exe | N/A |
| N/A | N/A | C:\Windows\System\NMFHMAF.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-06_68b91bea7d86a4a22dbc62bb611175f7_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\ImLZHaB.exe | C:\Windows\System\ImLZHaB.exe |
| C:\Windows\System\nhSpZYt.exe | C:\Windows\System\nhSpZYt.exe |
| C:\Windows\System\ObClSRs.exe | C:\Windows\System\ObClSRs.exe |
| C:\Windows\System\Vhgcbqo.exe | C:\Windows\System\Vhgcbqo.exe |
| C:\Windows\System\TJwQlXJ.exe | C:\Windows\System\TJwQlXJ.exe |
| C:\Windows\System\kjDlAeU.exe | C:\Windows\System\kjDlAeU.exe |
| C:\Windows\System\mXgutWS.exe | C:\Windows\System\mXgutWS.exe |
| C:\Windows\System\UGajMqv.exe | C:\Windows\System\UGajMqv.exe |
| C:\Windows\System\rQpwkuM.exe | C:\Windows\System\rQpwkuM.exe |
| C:\Windows\System\nYhCrEW.exe | C:\Windows\System\nYhCrEW.exe |
| C:\Windows\System\otzBpNB.exe | C:\Windows\System\otzBpNB.exe |
| C:\Windows\System\EsrnHYp.exe | C:\Windows\System\EsrnHYp.exe |
| C:\Windows\System\UuooZQS.exe | C:\Windows\System\UuooZQS.exe |
| C:\Windows\System\Uhatwvo.exe | C:\Windows\System\Uhatwvo.exe |
| C:\Windows\System\GwtRbXm.exe | C:\Windows\System\GwtRbXm.exe |
| C:\Windows\System\OTCpngA.exe | C:\Windows\System\OTCpngA.exe |
| C:\Windows\System\bbYvyng.exe | C:\Windows\System\bbYvyng.exe |
| C:\Windows\System\YAdVZMJ.exe | C:\Windows\System\YAdVZMJ.exe |
| C:\Windows\System\roqNLbj.exe | C:\Windows\System\roqNLbj.exe |
| C:\Windows\System\VZUGABZ.exe | C:\Windows\System\VZUGABZ.exe |
| C:\Windows\System\NMFHMAF.exe | C:\Windows\System\NMFHMAF.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 21.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\ImLZHaB.exe
| MD5 | 63d83167f3b9246ca6e6739a4367ca73 |
| SHA1 | 8208f60937dcb8dffb2a87e32b0c1bd5fb817852 |
| SHA256 | f91e680118bdc80e78b2e1cfbb9381dd9330d40df5e5bd732915be933beff8c8 |
| SHA512 | 246f8df6bcf5d1694869c00095754e8899338e39e81c67230ddeab28df607e639ca3783da0c2435b596c3de516f4fb9000713296f3b928c961440d2edd7c1911 |
C:\Windows\System\nhSpZYt.exe
| MD5 | 08d92e8560bce9a13f3dd4fccf6f515a |
| SHA1 | e0a30647f8a8dcf0d389bd86c1eb89cf4b20cd1c |
| SHA256 | 548ca2ba8a68ac30c11375321c8d1994e94d2817bbcac5aeaaf0a4b342629d37 |
| SHA512 | b8cf41314db5425e567be9995487ebc83b682e427cd559b43b218d935fb5a717d420e06a4b59d41385140b292b236670584473938a1f8e8ee0afc1f65e20c1f9 |
C:\Windows\System\ObClSRs.exe
| MD5 | 75169dea1173387d0174afd8cdd771db |
| SHA1 | 77b0ad6c3ba983ed7a9a959e634c4e10dd76697c |
| SHA256 | 35b814d33bb7fbd6b980c92d4ccfb8ea032c3766886dcef14ea31353a5257140 |
| SHA512 | 1a251ef3c9c11d113b065398cec3565b01f0fea34977bcc40509be8e595f6a8bae7650db8ac624b154b5fcee33ff1c6fcf054903c440e43478bd2ace2cd07bb3 |
C:\Windows\System\Vhgcbqo.exe
| MD5 | 6167d5e247789f82e2d40d6028477c42 |
| SHA1 | 388482b719cf46993291d6738c8598e15a499782 |
| SHA256 | d9fe160eb698fe8ab0d92d53a0a3e70fe97b69692e61211c5fee9968a7a45913 |
| SHA512 | 4f85328ce02f48e27936ffa0b45cdf1de0ee8222b3a9e116b687010b4e21beb827db619d5a949c0fc8f31d7f11c7dd2f7def52d591ad1b2f99f3c38b7bcbe516 |
C:\Windows\System\TJwQlXJ.exe
| MD5 | 096d43ae7c030af60170c5a55b73a805 |
| SHA1 | 4130b22e4838d631daba5de4c1a3b690ffac0e0d |
| SHA256 | 37ed42d0e3f9e0c2c4c4c7b00c0688503ebc1d1dad27a5c23ecfa0ffc3f4aff1 |
| SHA512 | 7895364f5d76b954936e897323345c6fabc10dae63a2268867c8ee77df5c9a9746df39e5b7ea148e4b7c838628d79bcd0d0d03b14e1f4cfe707cd6a0a7b44a78 |
C:\Windows\System\kjDlAeU.exe
| MD5 | b3b1afcddf53b65bcc236e183fd61c89 |
| SHA1 | 1e19bc3dea7f7ab356c19f399686a4d7dea74185 |
| SHA256 | 3946ce14a644dffcb85799402728a549d80c12cb16bdb99552186f30b67cb7d7 |
| SHA512 | 56f0b78b8db81a2134fee7123940d5d5b4604691e189ccd8f88278c89b3e44050fe73ea79d9a1d7271a8c9a32b770a968594a27dd42b85d24a4499a53c4f0d8f |
C:\Windows\System\mXgutWS.exe
| MD5 | 7374ee1347a32faefa7503d4824f11f1 |
| SHA1 | aa94b3603c9a70742c7c7cf4a8b1069571ac221d |
| SHA256 | 9ee5edfcbeb76af4edf5872b0697110538bdf28889db92f8a22ae602ef78eca5 |
| SHA512 | 78af621a2282abf06cd198212988343fb458d53fb7e05d9ee85ae86109be27296773e72fb092d3ddce11ec68d08b19c5daaf8e6c9d2b91893672049072b890a7 |
C:\Windows\System\UGajMqv.exe
| MD5 | bae4c67a2dd37482fa0cac2b7be19fee |
| SHA1 | 6d8d95ad25365c637db123d5f27d258cbdc05397 |
| SHA256 | 823de1ae2d503b324315efcbc5edf38d74fdb41be756ef8b19aa116bc419b49d |
| SHA512 | a7c5cb0034472e327f24a9798d2bd4d65be3f87b233cb51296cc2a691a95243f33ca2452fd181dd6247d55718783af0d14b1dd78eea21eba7e38d9b62f578631 |
C:\Windows\System\rQpwkuM.exe
| MD5 | 91d3cb7a812b156a7905882b7b2c0e77 |
| SHA1 | 260ef31c9125bf971eae5fc110e340b3db57e102 |
| SHA256 | ba6966d492e73fc1fe1972c36f2ea4cc8cde7d7d5b088808d8937293339c044d |
| SHA512 | d08c8a6adb6950a9405e569e5845fbe4fd989adf073c057ff24959738b179bde13f04894c3e93cc926dd8836f2add9efa00baec4c5b78f65dc73defc21bdb38a |
C:\Windows\System\EsrnHYp.exe
| MD5 | 3ed5a0b7888b6f9dcfecb4896fafb010 |
| SHA1 | 062d31c134e735f1c7cb12a20d88b1f59dd1ebf4 |
| SHA256 | 209592c2c01f7b77f021048acd1ec07e272331b5d0bf489d38c2e6567de57286 |
| SHA512 | c30211fca8da674b2532ec57c389ab7fe38863e2591c46d343bba2b55b7c770caf86d399434635c874eea7914138ad94d8d854aef46c8918fcd395c8b009784e |
C:\Windows\System\UuooZQS.exe
| MD5 | 22dcc506f594707db0d5df3668b3e646 |
| SHA1 | dce5ead8f6b11de3aa0460f02c6644053057975e |
| SHA256 | 99a852593fb9a124956208c720b809c27ad5e2fbbabe2d573bfb56a47dcb87d9 |
| SHA512 | 98bcd94458f0b1e5b45050cee6ebb74b2879dfd4ec8a53e04a5ed95279b84ad84cfe0f61650b3cd45932a35c48179ed495daeb14a3bd621c3760bb61f7d1db54 |
C:\Windows\System\nYhCrEW.exe
| MD5 | bfdacab612713940bb103e62b581df7b |
| SHA1 | b1f41373a6cee6615a239a62a7bc92fe015f69a5 |
| SHA256 | 4a7d2cbd88211296581c3e20a5a93da5731ce8311f84c2c6f034929007056791 |
| SHA512 | ca8bb54054ffd417b2f3267885d64f53db858d5234f05c2fb68f9d416e6ada3e27e40152085b2ffb57a215260406e1b65faf2d440eb42192458992a4da4caf81 |
C:\Windows\System\otzBpNB.exe
| MD5 | f1afcb8085bf6a656866c59a1dc02c89 |
| SHA1 | b1270e17a4c6e5506b4f9e34f04d4c4efee9b95c |
| SHA256 | c8978b70eced3136d481fa8a2e6c178e4710fa209687f5391072edcd4ff15051 |
| SHA512 | 369582324626e5746de9307c001b295046e1a977baab253a0f807c88b861374a815e4a24d7bb8857f80a08fec73a572c3899ebcf594f947051ddf6665a26c740 |
memory/2892-51-0x00007FF7CF190000-0x00007FF7CF4E1000-memory.dmp
memory/4068-44-0x00007FF7FB060000-0x00007FF7FB3B1000-memory.dmp
memory/4928-36-0x00007FF67CC40000-0x00007FF67CF91000-memory.dmp
memory/724-30-0x00007FF65BCE0000-0x00007FF65C031000-memory.dmp
C:\Windows\System\Uhatwvo.exe
| MD5 | f3cc5d8b19a050d7a278132378f617db |
| SHA1 | c541297ecc36712a571ae5da221927bd80865afe |
| SHA256 | 85c5f589661e8f1ec233f94df2b54c969fb40ab13ec19a31559a4162c1d977d4 |
| SHA512 | 0d5bc32ef96bfa3facd05303db14ff3854075027d802786b4f9654c0874872857502817f44ed4ec886fc13d4e24e2b6c0f0fa49ebdf0dcb93d88cea3322bd4d1 |
memory/1816-90-0x00007FF70F8F0000-0x00007FF70FC41000-memory.dmp
C:\Windows\System\GwtRbXm.exe
| MD5 | 857865f2edeeb2c92df4d6f671033a11 |
| SHA1 | 510e6f221bf542d56348c6b1c4c4264818ce51e0 |
| SHA256 | d0e3f1dbede444c0022f8ed0d62301194b9a1264a6eccc8a553cd3934a5a4056 |
| SHA512 | d899c2872dcb8a1914d35ffc709142e4de21e1050d5617717a7cbf12690ddbbbb9403b8c2c8cc860b909af2bc96425c38ffb135a1ade32c54b01fab2ed58991b |
memory/724-112-0x00007FF65BCE0000-0x00007FF65C031000-memory.dmp
C:\Windows\System\bbYvyng.exe
| MD5 | 46286fff00dd13bbf9c9e4b9cd50b6d7 |
| SHA1 | 476ecf0b9b738ddbfffce4268903c94e877de74f |
| SHA256 | 6b5be7a804712937ec2b3ce67b9b5cefa375b742e5ea28239f86a1976208ed04 |
| SHA512 | 6d12cf36ef712df26fc804db6aa9c64806b0ffe118d2d887c8b8ff3f6260fe7f7f0ba1dbb3f82c3282caefd44c5c804c7b3302e1a7f9a11a1f9e2eadb1c52b2e |
C:\Windows\System\roqNLbj.exe
| MD5 | d0b7fc320e6ef05c0335183bed57926a |
| SHA1 | c67b511effb8d4e5169e35ef4fc342a04f4eb571 |
| SHA256 | 2ac725cba23995886aad979a036b0caf5bf3aefb96cd30ff1f9dee1db3db178d |
| SHA512 | b5ee5a85f6f62f455b2778aefd18debae7deaa667a3a0b451d1979408b8e961f4797bad6a009dfffadd0192aed421ecbc3d5a5a10a347b29b0d58364ff6ee33c |
C:\Windows\System\NMFHMAF.exe
| MD5 | edaa44cb876727b3451b7d2d3925b221 |
| SHA1 | 8667c2ad82879fc8a34b71aa923aab88a5df5544 |
| SHA256 | 79b8726567f3f62999ce875f35bed3fadaf045b52f2fef417616d5bef6b5ffeb |
| SHA512 | 9d9cda9d8224ecc4fc4d96e55174c9592e5d0401125b4090b3436f16b31b8cf5b30226408e4f05840d5ba325ae0d61950373d5d8313ac08b224fe701eeb18c19 |
memory/4068-132-0x00007FF7FB060000-0x00007FF7FB3B1000-memory.dmp
memory/432-133-0x00007FF64F390000-0x00007FF64F6E1000-memory.dmp
memory/4928-131-0x00007FF67CC40000-0x00007FF67CF91000-memory.dmp
memory/1924-128-0x00007FF618D30000-0x00007FF619081000-memory.dmp
memory/3836-127-0x00007FF6766D0000-0x00007FF676A21000-memory.dmp
C:\Windows\System\VZUGABZ.exe
| MD5 | c38ce40978e2dee3ab4aebe5b40004e2 |
| SHA1 | 8507e09759072d876b5e6c8ffe9835ad1eb817b5 |
| SHA256 | ed3ca485c15ee567122c583cb5526f29262e072bf6a5842d1f47746bc50af75b |
| SHA512 | d1d985315d8945aaab7143eab1cd2a1d0e082b5d9006a2b9cec0a429ddcc099675205cfba241d69cedec6217e750b9faa2ae9f1d933ea76ef5019fa737003052 |
memory/440-123-0x00007FF679D70000-0x00007FF67A0C1000-memory.dmp
memory/2668-122-0x00007FF67EC40000-0x00007FF67EF91000-memory.dmp
C:\Windows\System\YAdVZMJ.exe
| MD5 | e1b3affdd6e62f84ca7711c64634ed0e |
| SHA1 | 8508c328d5d5c86f79b789c507ef8ffc30a031c1 |
| SHA256 | 074ee02d6f10e2aa08c08d0b41c9a62e7c9fe352b43a10e32b0f254c691a8581 |
| SHA512 | 0cf81c3d57f45d6f10cd3a4bcb2044f38eeffb0bdfa007f982947418f35e8020dd2c4657179c84b4cda5d3b3bed876328fd888a5e178a2ae20890ad826cfc8ef |
C:\Windows\System\OTCpngA.exe
| MD5 | 7a74178ebfa8fcd9edc55aa04016ca2f |
| SHA1 | 8a751cabf1d00b22eb6d3efcaa4881225e34635f |
| SHA256 | 424576bc6d906d433c45698546bfdc4496e9e646143c1d4c91f32b87b0f17d21 |
| SHA512 | 67f8a19a004c18989b14a873073c8f6d46a364d53a659b5d1d1e19074025e0f8bde187d7f82530acfda02691fc15f51cd295b5a7b35b8c0b987dce748795df4e |
memory/3844-100-0x00007FF6E0710000-0x00007FF6E0A61000-memory.dmp
memory/2424-98-0x00007FF693960000-0x00007FF693CB1000-memory.dmp
memory/4160-91-0x00007FF6FDDF0000-0x00007FF6FE141000-memory.dmp
memory/4432-89-0x00007FF69BEE0000-0x00007FF69C231000-memory.dmp
memory/4844-85-0x00007FF781460000-0x00007FF7817B1000-memory.dmp
memory/2556-135-0x00007FF630120000-0x00007FF630471000-memory.dmp
memory/2892-143-0x00007FF7CF190000-0x00007FF7CF4E1000-memory.dmp
memory/1976-148-0x00007FF64AAD0000-0x00007FF64AE21000-memory.dmp
memory/4432-149-0x00007FF69BEE0000-0x00007FF69C231000-memory.dmp
memory/1444-147-0x00007FF615C00000-0x00007FF615F51000-memory.dmp
memory/624-145-0x00007FF6EA4C0000-0x00007FF6EA811000-memory.dmp
memory/1524-144-0x00007FF7EF8C0000-0x00007FF7EFC11000-memory.dmp
memory/4160-150-0x00007FF6FDDF0000-0x00007FF6FE141000-memory.dmp
memory/3836-155-0x00007FF6766D0000-0x00007FF676A21000-memory.dmp
memory/2668-152-0x00007FF67EC40000-0x00007FF67EF91000-memory.dmp
memory/1924-156-0x00007FF618D30000-0x00007FF619081000-memory.dmp
memory/3844-151-0x00007FF6E0710000-0x00007FF6E0A61000-memory.dmp
memory/2556-157-0x00007FF630120000-0x00007FF630471000-memory.dmp
memory/3988-207-0x00007FF75CAF0000-0x00007FF75CE41000-memory.dmp
memory/4844-209-0x00007FF781460000-0x00007FF7817B1000-memory.dmp
memory/1816-211-0x00007FF70F8F0000-0x00007FF70FC41000-memory.dmp
memory/2424-213-0x00007FF693960000-0x00007FF693CB1000-memory.dmp
memory/724-215-0x00007FF65BCE0000-0x00007FF65C031000-memory.dmp
memory/4928-217-0x00007FF67CC40000-0x00007FF67CF91000-memory.dmp
memory/4068-219-0x00007FF7FB060000-0x00007FF7FB3B1000-memory.dmp
memory/2892-221-0x00007FF7CF190000-0x00007FF7CF4E1000-memory.dmp
memory/1536-223-0x00007FF672170000-0x00007FF6724C1000-memory.dmp
memory/1524-226-0x00007FF7EF8C0000-0x00007FF7EFC11000-memory.dmp
memory/624-229-0x00007FF6EA4C0000-0x00007FF6EA811000-memory.dmp
memory/1444-228-0x00007FF615C00000-0x00007FF615F51000-memory.dmp
memory/1976-231-0x00007FF64AAD0000-0x00007FF64AE21000-memory.dmp
memory/4432-241-0x00007FF69BEE0000-0x00007FF69C231000-memory.dmp
memory/4160-243-0x00007FF6FDDF0000-0x00007FF6FE141000-memory.dmp
memory/3844-245-0x00007FF6E0710000-0x00007FF6E0A61000-memory.dmp
memory/440-247-0x00007FF679D70000-0x00007FF67A0C1000-memory.dmp
memory/2668-249-0x00007FF67EC40000-0x00007FF67EF91000-memory.dmp
memory/432-251-0x00007FF64F390000-0x00007FF64F6E1000-memory.dmp
memory/1924-253-0x00007FF618D30000-0x00007FF619081000-memory.dmp
memory/3836-255-0x00007FF6766D0000-0x00007FF676A21000-memory.dmp