Analysis Overview
SHA256
69c6e9ab389338aaf5825690a22618fab4271818ff82ee46d1c1a19a8c4a9b20
Threat Level: Known bad
The file 2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat was found to be Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
xmrig
XMRig Miner payload
Xmrig family
Cobaltstrike
Cobaltstrike family
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-06 11:58
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 11:58
Reported
2024-08-06 12:00
Platform
win7-20240708-en
Max time kernel
134s
Max time network
148s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\djDjkqi.exe | N/A |
| N/A | N/A | C:\Windows\System\GzJAILh.exe | N/A |
| N/A | N/A | C:\Windows\System\QUMvCxF.exe | N/A |
| N/A | N/A | C:\Windows\System\FetlVvE.exe | N/A |
| N/A | N/A | C:\Windows\System\xhgjvzF.exe | N/A |
| N/A | N/A | C:\Windows\System\LwWmkrT.exe | N/A |
| N/A | N/A | C:\Windows\System\uvkVfdV.exe | N/A |
| N/A | N/A | C:\Windows\System\qsVFVmy.exe | N/A |
| N/A | N/A | C:\Windows\System\wlAEjtd.exe | N/A |
| N/A | N/A | C:\Windows\System\IUqhrQa.exe | N/A |
| N/A | N/A | C:\Windows\System\UGpoNlK.exe | N/A |
| N/A | N/A | C:\Windows\System\SpxwlmZ.exe | N/A |
| N/A | N/A | C:\Windows\System\KlgGcYn.exe | N/A |
| N/A | N/A | C:\Windows\System\hDjrpmY.exe | N/A |
| N/A | N/A | C:\Windows\System\zgdJTSN.exe | N/A |
| N/A | N/A | C:\Windows\System\Lwcptkd.exe | N/A |
| N/A | N/A | C:\Windows\System\GnQyWvg.exe | N/A |
| N/A | N/A | C:\Windows\System\NGkVVkC.exe | N/A |
| N/A | N/A | C:\Windows\System\bSNBjsn.exe | N/A |
| N/A | N/A | C:\Windows\System\iVWFQgN.exe | N/A |
| N/A | N/A | C:\Windows\System\ZvjiSlq.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\djDjkqi.exe
C:\Windows\System\GzJAILh.exe
C:\Windows\System\QUMvCxF.exe
C:\Windows\System\FetlVvE.exe
C:\Windows\System\xhgjvzF.exe
C:\Windows\System\LwWmkrT.exe
C:\Windows\System\uvkVfdV.exe
C:\Windows\System\qsVFVmy.exe
C:\Windows\System\wlAEjtd.exe
C:\Windows\System\IUqhrQa.exe
C:\Windows\System\UGpoNlK.exe
C:\Windows\System\SpxwlmZ.exe
C:\Windows\System\KlgGcYn.exe
C:\Windows\System\hDjrpmY.exe
C:\Windows\System\zgdJTSN.exe
C:\Windows\System\bSNBjsn.exe
C:\Windows\System\Lwcptkd.exe
C:\Windows\System\iVWFQgN.exe
C:\Windows\System\GnQyWvg.exe
C:\Windows\System\ZvjiSlq.exe
C:\Windows\System\NGkVVkC.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 11:58
Reported
2024-08-06 12:00
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
155s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\gTfOuQb.exe | N/A |
| N/A | N/A | C:\Windows\System\bqDIKmW.exe | N/A |
| N/A | N/A | C:\Windows\System\rMnaTHI.exe | N/A |
| N/A | N/A | C:\Windows\System\neXwqWq.exe | N/A |
| N/A | N/A | C:\Windows\System\OIdeQhA.exe | N/A |
| N/A | N/A | C:\Windows\System\OOBaGRf.exe | N/A |
| N/A | N/A | C:\Windows\System\EghFXLe.exe | N/A |
| N/A | N/A | C:\Windows\System\RzGBSwc.exe | N/A |
| N/A | N/A | C:\Windows\System\yVrTXTf.exe | N/A |
| N/A | N/A | C:\Windows\System\cvHqAUD.exe | N/A |
| N/A | N/A | C:\Windows\System\qSVMAYF.exe | N/A |
| N/A | N/A | C:\Windows\System\SPsfQUI.exe | N/A |
| N/A | N/A | C:\Windows\System\QtwSweZ.exe | N/A |
| N/A | N/A | C:\Windows\System\JJpWvRm.exe | N/A |
| N/A | N/A | C:\Windows\System\yEGHWhx.exe | N/A |
| N/A | N/A | C:\Windows\System\kxBFycq.exe | N/A |
| N/A | N/A | C:\Windows\System\cxqgXFI.exe | N/A |
| N/A | N/A | C:\Windows\System\fRANYFa.exe | N/A |
| N/A | N/A | C:\Windows\System\rVQLNOx.exe | N/A |
| N/A | N/A | C:\Windows\System\ooRMOiv.exe | N/A |
| N/A | N/A | C:\Windows\System\YzssdvT.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_9448260d39a5514ec478a013c419004b_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\gTfOuQb.exe
C:\Windows\System\bqDIKmW.exe
C:\Windows\System\rMnaTHI.exe
C:\Windows\System\neXwqWq.exe
C:\Windows\System\OIdeQhA.exe
C:\Windows\System\OOBaGRf.exe
C:\Windows\System\EghFXLe.exe
C:\Windows\System\RzGBSwc.exe
C:\Windows\System\yVrTXTf.exe
C:\Windows\System\cvHqAUD.exe
C:\Windows\System\qSVMAYF.exe
C:\Windows\System\SPsfQUI.exe
C:\Windows\System\QtwSweZ.exe
C:\Windows\System\JJpWvRm.exe
C:\Windows\System\yEGHWhx.exe
C:\Windows\System\kxBFycq.exe
C:\Windows\System\cxqgXFI.exe
C:\Windows\System\fRANYFa.exe
C:\Windows\System\rVQLNOx.exe
C:\Windows\System\ooRMOiv.exe
C:\Windows\System\YzssdvT.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
| SHA512 | cd56289464e250810bc5c7bdbae66f2d3992be4b36424a26a9b264d8d1a92be34a4715d91faee48f80fad85fb2dbafe228e653fd3cd09b44cdafe000c842845e |
C:\Windows\System\rVQLNOx.exe
| MD5 | 4aebb7b92ff3de0e534596f7c7430d46 |
| SHA1 | 3b7eff1f46bfb18722d3764a91d720dd61a5561f |
| SHA256 | e2d9d231c66ca70c312eda556215f9f814d3d75d1f0ff562124f1ae152a51bae |
| SHA512 | 3e1176bdad823ea0de13a9843c8266ef555226fb93ee34296259913f3a0f396af97d61c2302b61c7c6c860c4e7e16cb8d6b724a80dee0a066fa16a0c6e1a3ab9 |
C:\Windows\System\fRANYFa.exe
| MD5 | e413d690bce36fee9a2f9ecac924db8d |
| SHA1 | c2c1f86571452c836f31e7549086df2282a8edb1 |
| SHA256 | a83f3c660c3d1d1879f5a61ca5536a8183fd394e0219f00b39b1c3e12ddb50f1 |
| SHA512 | bbb7d1aba4c8a3695e5e56c203e5cd7287a618ec63b422bc5455e4447074c7cf832a55e24028806da564672ca60639ae1fd11ef55cf64dec01b0a244d5ba15de |
memory/832-112-0x00007FF73D770000-0x00007FF73DAC4000-memory.dmp
memory/712-106-0x00007FF706E80000-0x00007FF7071D4000-memory.dmp
C:\Windows\System\YzssdvT.exe
| MD5 | ee9796ae201353f63d0f28c59cbe95c4 |
| SHA1 | 61371a4e99f1eddad73655d42b9741bc4a6ec8a0 |
| SHA256 | 0c38d25a4b709f0fd9d90c562b4d9b328200c748790f308a9ede7daa9a2a72a6 |
| SHA512 | 8e9320afc23ea30f216f7eae17ca163df114880d38abfaeeeeb1d316c68a4d2321bcaafffd9c31ec927aabc9fc6e0156a3e9c6a1f07f258ad96f31676856d8b4 |
C:\Windows\System\ooRMOiv.exe
| MD5 | 8b665d2ee7b26c53c4cc6c584c27c12b |
| SHA1 | ba7a0bcdb61f8f38e2f8974c6e4717b26d42482a |
| SHA256 | 4d6d35f1571918e5d66efb48e0a91e664dcc22e5581d51e6930c8f7224e43741 |
| SHA512 | 38353cdcd9785e2d9f3c3b4752a1ed400745f9ef5ccbac5b46a85803b7ccd815f95f19400344c20de18cd9af9cd8f4c4de6c1587caa82763f7d9ca95870c36d0 |
memory/2064-103-0x00007FF7CC240000-0x00007FF7CC594000-memory.dmp
memory/1452-127-0x00007FF603AB0000-0x00007FF603E04000-memory.dmp
memory/2116-128-0x00007FF7CF760000-0x00007FF7CFAB4000-memory.dmp
memory/1612-130-0x00007FF7408D0000-0x00007FF740C24000-memory.dmp
memory/1472-129-0x00007FF6BB260000-0x00007FF6BB5B4000-memory.dmp
memory/4840-131-0x00007FF7FF6C0000-0x00007FF7FFA14000-memory.dmp
memory/1048-132-0x00007FF6FE7B0000-0x00007FF6FEB04000-memory.dmp
memory/1252-133-0x00007FF78F700000-0x00007FF78FA54000-memory.dmp
memory/4812-134-0x00007FF718700000-0x00007FF718A54000-memory.dmp
memory/4720-135-0x00007FF7EE7F0000-0x00007FF7EEB44000-memory.dmp
memory/4824-136-0x00007FF692980000-0x00007FF692CD4000-memory.dmp
memory/712-137-0x00007FF706E80000-0x00007FF7071D4000-memory.dmp
memory/832-138-0x00007FF73D770000-0x00007FF73DAC4000-memory.dmp
memory/3600-139-0x00007FF6B0040000-0x00007FF6B0394000-memory.dmp
memory/3424-140-0x00007FF7B02E0000-0x00007FF7B0634000-memory.dmp
memory/2988-141-0x00007FF78F720000-0x00007FF78FA74000-memory.dmp
memory/2064-143-0x00007FF7CC240000-0x00007FF7CC594000-memory.dmp
memory/3564-142-0x00007FF6CFB40000-0x00007FF6CFE94000-memory.dmp
memory/1500-144-0x00007FF66F1B0000-0x00007FF66F504000-memory.dmp
memory/2116-145-0x00007FF7CF760000-0x00007FF7CFAB4000-memory.dmp
memory/1452-146-0x00007FF603AB0000-0x00007FF603E04000-memory.dmp
memory/3056-147-0x00007FF6A0F90000-0x00007FF6A12E4000-memory.dmp
memory/1048-148-0x00007FF6FE7B0000-0x00007FF6FEB04000-memory.dmp
memory/5084-149-0x00007FF689230000-0x00007FF689584000-memory.dmp
memory/540-150-0x00007FF6CDB10000-0x00007FF6CDE64000-memory.dmp
memory/1252-151-0x00007FF78F700000-0x00007FF78FA54000-memory.dmp
memory/4720-153-0x00007FF7EE7F0000-0x00007FF7EEB44000-memory.dmp
memory/4812-152-0x00007FF718700000-0x00007FF718A54000-memory.dmp
memory/4824-154-0x00007FF692980000-0x00007FF692CD4000-memory.dmp
memory/712-155-0x00007FF706E80000-0x00007FF7071D4000-memory.dmp
memory/832-156-0x00007FF73D770000-0x00007FF73DAC4000-memory.dmp
memory/1472-157-0x00007FF6BB260000-0x00007FF6BB5B4000-memory.dmp
memory/4840-158-0x00007FF7FF6C0000-0x00007FF7FFA14000-memory.dmp
memory/1612-159-0x00007FF7408D0000-0x00007FF740C24000-memory.dmp