Analysis Overview
SHA256
d31f27a9d8ed5d4ae6f7fedac59ecffb701d213fb79c3cb0a2f22e139c4a4089
Threat Level: Known bad
The file 2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Both detonations below (Windows 7 and Windows 10) record the same behaviour: the sample drops 21 executables with random seven-letter names into C:\Windows\System\ and runs each of them, requests SeLockMemoryPrivilege (the privilege XMRig needs for large-page memory, which ordinary user software almost never asks for), and makes repeated TCP connections to 3.120.209.58:8080. UPX-packed and unsigned-PE matches are recorded but not tied to individual files. The Cobalt Strike entries are signature matches for a reflective-loader pattern; the report records no beacon configuration or C2 profile for them, so the miner activity is the confirmed behaviour and the Cobalt Strike label should be treated as unconfirmed until a beacon config is extracted.
Malicious Activity Summary
Cobaltstrike
Xmrig family
xmrig
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-08-06 11:57
Signatures
Cobalt Strike reflective loader: 1 match (no description, indicator, process or target recorded)
Cobaltstrike family
XMRig Miner payload: 1 match (no detail recorded)
Xmrig family
UPX packed file: 1 match (no detail recorded)
Unsigned PE: 2 matches (no detail recorded)
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 11:57
Reported
2024-08-06 12:00
Platform
win7-20240729-en
Max time kernel
142s
Max time network
148s
Signatures
Cobalt Strike reflective loader: 21 matches (no description, indicator, process or target recorded)
Cobaltstrike
xmrig
XMRig Miner payload: 40 matches (no detail recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\mZbmofy.exe | N/A |
| N/A | N/A | C:\Windows\System\VQXwNnW.exe | N/A |
| N/A | N/A | C:\Windows\System\rhnuymr.exe | N/A |
| N/A | N/A | C:\Windows\System\uktXoAP.exe | N/A |
| N/A | N/A | C:\Windows\System\xKWUCDN.exe | N/A |
| N/A | N/A | C:\Windows\System\rUHHuiR.exe | N/A |
| N/A | N/A | C:\Windows\System\xPDvEFu.exe | N/A |
| N/A | N/A | C:\Windows\System\keENkcc.exe | N/A |
| N/A | N/A | C:\Windows\System\sToFiGl.exe | N/A |
| N/A | N/A | C:\Windows\System\EBoEGHq.exe | N/A |
| N/A | N/A | C:\Windows\System\hRcbtcq.exe | N/A |
| N/A | N/A | C:\Windows\System\hcpTeDd.exe | N/A |
| N/A | N/A | C:\Windows\System\lMhRQnR.exe | N/A |
| N/A | N/A | C:\Windows\System\NyHVvso.exe | N/A |
| N/A | N/A | C:\Windows\System\gQNyQfX.exe | N/A |
| N/A | N/A | C:\Windows\System\woVToyr.exe | N/A |
| N/A | N/A | C:\Windows\System\NgEkwCO.exe | N/A |
| N/A | N/A | C:\Windows\System\cnhVKyR.exe | N/A |
| N/A | N/A | C:\Windows\System\PfdQlqh.exe | N/A |
| N/A | N/A | C:\Windows\System\YHEILTq.exe | N/A |
| N/A | N/A | C:\Windows\System\zTsHDfQ.exe | N/A |
Loads dropped DLL
UPX packed file: 64 matches (no detail recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
Each process is listed once; for every dropped executable the report records the command line as the bare image path with no arguments, and for the parent sample as the quoted path shown.
C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\mZbmofy.exe
C:\Windows\System\rhnuymr.exe
C:\Windows\System\VQXwNnW.exe
C:\Windows\System\uktXoAP.exe
C:\Windows\System\xKWUCDN.exe
C:\Windows\System\rUHHuiR.exe
C:\Windows\System\xPDvEFu.exe
C:\Windows\System\EBoEGHq.exe
C:\Windows\System\keENkcc.exe
C:\Windows\System\hRcbtcq.exe
C:\Windows\System\sToFiGl.exe
C:\Windows\System\hcpTeDd.exe
C:\Windows\System\lMhRQnR.exe
C:\Windows\System\NyHVvso.exe
C:\Windows\System\gQNyQfX.exe
C:\Windows\System\woVToyr.exe
C:\Windows\System\NgEkwCO.exe
C:\Windows\System\cnhVKyR.exe
C:\Windows\System\PfdQlqh.exe
C:\Windows\System\YHEILTq.exe
C:\Windows\System\zTsHDfQ.exe
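The process list above is the part of this report that translates most directly into detection logic: a parent writing a burst of random-named executables into C:\Windows\System\, each child run from there, and the parent requesting SeLockMemoryPrivilege. The following is an added example for this page, not code from the sandbox or from the sample; it runs three such rules over a constructed EDR-style event feed. The image paths and the privilege request are taken from the report, PID 1884 is inferred to be the sample from the memory-dump names, the parent/child pairing and the field layout are assumptions, and the benign events are negative controls.

```python
"""Detection logic for the dropper chain recorded in this report.

Added example for this page, not part of the sandbox report or of the
sample. The event feed below is constructed: image paths and the
SeLockMemoryPrivilege request come from the report, the parent/child
relationships and the generic EDR field layout are assumptions, and the
benign events are included as negative controls.
"""
import re
from collections import Counter

# Randomised seven-letter image name directly under C:\Windows\System\.
# That directory holds almost nothing on a modern install, so a new
# executable there is worth a look; 21 of them in one run is not ambiguous.
RANDOM_SYSTEM_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)

# XMRig requests this privilege to back its scratchpad with large pages.
# Legitimate users are rare; SQL Server ("Lock Pages in Memory") is the
# usual one, so it is allowlisted here as an example.
LOCK_MEMORY = "SeLockMemoryPrivilege"
LOCK_MEMORY_ALLOWLIST = {"sqlservr.exe"}

# Distinct random-named children one parent must spawn to count as a burst.
BURST_THRESHOLD = 3

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2"
          r"_cobalt-strike_cobaltstrike_poet-rat.exe")

# Constructed feed: (event_type, pid, ppid, image, privilege_or_None).
# PID 1884 is the sample in the Windows 7 run (inferred from the memory dump
# names); the child PIDs appear in the same dumps but which drop each one
# belongs to, and that the sample is their parent, are assumptions.
EVENTS = [
    ("process_create", 1884, 500, SAMPLE, None),
    ("privilege_adjust", 1884, None, SAMPLE, LOCK_MEMORY),
    ("process_create", 2752, 1884, r"C:\Windows\System\mZbmofy.exe", None),
    ("process_create", 2988, 1884, r"C:\Windows\System\rhnuymr.exe", None),
    ("process_create", 2676, 1884, r"C:\Windows\System\VQXwNnW.exe", None),
    ("process_create", 1720, 1884, r"C:\Windows\System\uktXoAP.exe", None),
    # Negative controls: a normal process, an allowlisted user of the
    # privilege, and a different privilege altogether.
    ("process_create", 4000, 500, r"C:\Windows\System32\notepad.exe", None),
    ("privilege_adjust", 4100, None, r"C:\Program Files\Microsoft SQL Server\sqlservr.exe", LOCK_MEMORY),
    ("privilege_adjust", 4200, None, r"C:\Windows\System32\svchost.exe", "SeDebugPrivilege"),
]


def detect(events):
    """Run the three rules over an event list and return the findings."""
    findings = []
    children = {}  # ppid -> set of random-named images it spawned
    for kind, pid, ppid, image, privilege in events:
        base = image.rsplit("\\", 1)[-1].lower()
        if kind == "process_create" and RANDOM_SYSTEM_EXE.match(image):
            findings.append({"rule": "random_name_in_windows_system", "pid": pid, "image": image})
            children.setdefault(ppid, set()).add(image)
        elif (kind == "privilege_adjust" and privilege == LOCK_MEMORY
              and base not in LOCK_MEMORY_ALLOWLIST):
            findings.append({"rule": "lock_memory_privilege", "pid": pid, "image": image})
    # Second pass: one parent launching several random-named executables is
    # the dropper itself, which is the process to kill and the file to collect.
    for ppid, images in children.items():
        if len(images) >= BURST_THRESHOLD:
            findings.append({"rule": "dropper_burst", "pid": ppid, "count": len(images)})
    return findings


def summarize(findings):
    """Count findings per rule, e.g. for a triage dashboard."""
    return Counter(f["rule"] for f in findings)


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
    print(dict(summarize(detect(EVENTS))))
```

On the constructed feed the random-name rule fires four times, the privilege rule once (for the sample, not for the allowlisted SQL Server process), and the burst rule once, pointing at PID 1884 as the dropper. The burst rule is the one worth paging on: a single random-named executable can be a false positive, but one parent writing three or more of them into C:\Windows\System\ is the pattern this report shows 21 times over.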
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Six separate TCP flows to the same endpoint are recorded and no DNS query precedes them, so the address is not resolved from a domain during detonation; block or alert on the IP:port pair directly.
Files
memory/1884-0-0x000000013F1D0000-0x000000013F521000-memory.dmp
memory/1884-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\mZbmofy.exe
| MD5 | ea58591657c732d9e178f9b576e353f4 |
| SHA1 | e7315840abeb8618340b80e7acc3fcf88efcb691 |
| SHA256 | 422124e1f138e538bccfa57070dcdcec6ca00b56dd6ccbff3b92e90bc7e63abf |
| SHA512 | 1ab73dbf2ca94f7e51790c63d3e9a96283b9eb641b28d504ce2976292128c8454596b2e003595b2b9e5b14175215272972e496e8de31cb5fcac4dffe283cceba |
\Windows\system\rhnuymr.exe
| MD5 | 8bc55cb8f92ea142558adbc95f413dde |
| SHA1 | 817fec5f0482cdadd3f6754428fb7b9e1f4f178c |
| SHA256 | 67f4d1968c99ae21134b5ad6e097e97dc5b54a3030a45013b12a0466fe5b1a4f |
| SHA512 | 8b078f96cdf6549dcac1f7a3d3c2efb13d117b55fc4c873676e5cfa6765fc18d49be0bab4a3214cdd0b948829ed9203fbdbd155853f90c8fcabd825e4d76eaf6 |
memory/2752-18-0x000000013F3D0000-0x000000013F721000-memory.dmp
memory/1884-22-0x00000000023E0000-0x0000000002731000-memory.dmp
memory/2676-23-0x000000013F1E0000-0x000000013F531000-memory.dmp
C:\Windows\system\uktXoAP.exe
| MD5 | 47f2e98a10e51eb7e6c553b49a3481ae |
| SHA1 | f92360e4979c96c17084147f24e16fb88f1a7a88 |
| SHA256 | b81634b516bad2736407b7609723eb992287543a869666c1b9f8792a5fcb8755 |
| SHA512 | 238e4aec67a6be4eba55be668bacd88af14985d98ba41b0e1190da46d5d4d2dd731752e186af75699d6b4e448ae1ec71eff0e08b2ce9e567839e3ca7e1b1a249 |
memory/1720-29-0x000000013FB40000-0x000000013FE91000-memory.dmp
C:\Windows\system\xKWUCDN.exe
| MD5 | e0dfacf381ac3a643144e0514c163394 |
| SHA1 | 7044f0d039098ec1169490fd30212026f1ae475f |
| SHA256 | 32afdad819d39929ece34276f40bac5b762f93481238e5d62d54470338031393 |
| SHA512 | e7babe48c530114f2854272daa3103f6b03bbc24539861117d93ac32814b450c17e4928a8ca75ea2430354955dc22b9615d58005efabe629e9aa3d55bf88d02d |
memory/2576-37-0x000000013F0D0000-0x000000013F421000-memory.dmp
C:\Windows\system\rUHHuiR.exe
| MD5 | ed371befd9c1b5c1c7ba11ec87ebd7b4 |
| SHA1 | b4f175fdd4c815935a162db28ee7668b8a843d57 |
| SHA256 | 002b52b41d978bc4a95f97518bd27b47bd13953e187273103c17b255f992b8a4 |
| SHA512 | 4cec8c0f2ca1b9802d8ea0997eec8c146c1f5c86dc00f42aecbbc1e6267b421e68a9fa13dd8375128e4230dda100324d39e0f6f69d5df8d7c60484015db79c26 |
memory/1884-42-0x00000000023E0000-0x0000000002731000-memory.dmp
\Windows\system\keENkcc.exe
| MD5 | ffdc7b95ab8e591457e762a5cd055e08 |
| SHA1 | b4ea7e59c4e200b96177dd2149a69b23b8bdc5cc |
| SHA256 | a3bde742067a1ffde51767f32169c54bc9018220cc5c1a6b13023c394667ebfe |
| SHA512 | b6d079366baa8263ce44b1d96744ee067c4bf80c96fcef47520e71bf1581a1a12920b0c35399d763f67b833e6014caee50e4717f348052fac143182e7a9083c1 |
memory/1884-70-0x00000000023E0000-0x0000000002731000-memory.dmp
memory/2572-60-0x000000013FDF0000-0x0000000140141000-memory.dmp
memory/2060-75-0x000000013F150000-0x000000013F4A1000-memory.dmp
memory/1884-86-0x000000013F1D0000-0x000000013F521000-memory.dmp
C:\Windows\system\NyHVvso.exe
| MD5 | 7866f8662c1b96c5935cb93b0075d65a |
| SHA1 | 23238fa6fa08c834773b81dc8f5e06009211d293 |
| SHA256 | 81b8da5e38b77c7814cf0f88ba4d4335d7915c023f9a169e500f114e32817b7f |
| SHA512 | e19700283322ca08dd5d6d4184606f9e427527fafec7d72c60712f7e31cc1e8427ca4edf0071571af84d852e0be8dddb3f1eae66450089de2a8a7f5ed9ead895 |
memory/1696-94-0x000000013F3E0000-0x000000013F731000-memory.dmp
C:\Windows\system\cnhVKyR.exe
| MD5 | a4433fc670e61e09acbc66a5ba9261ed |
| SHA1 | 5172bbd22673be32037a82e3cfa953a9f3406d93 |
| SHA256 | 21895afd8e7c7a45e4e5715bcb1c88bcc4ab89667f88452e9fd8158c824316b0 |
| SHA512 | 90d19354fb5c36047b1857da51db00e0a1d467057de902541d3fe79f65ec03e35b399858366d2ae0e20cc9bcd097030ff3021f68b1d10972a61fbaf1112fa24c |
C:\Windows\system\zTsHDfQ.exe
| MD5 | e04223f52cdbed43ca687d1eccf7f9b7 |
| SHA1 | e34b5bebd5c93c20834ff6c85d47fe33992be7a9 |
| SHA256 | 516271e7807296298c9449b777d0b7a56e1a5b102b6be6058409e37b976e8b3e |
| SHA512 | 2f9a8458c9eb950ed88a36adee583ed2a1e1dfcc3c6e077d2a10e3e129bbfe87a6522fdb77030fd18a852a76014cdc0548c68ed7a7ec3a0fe2a48e5fb8e2d184 |
C:\Windows\system\YHEILTq.exe
| MD5 | cba3bdb56bd2a1e852cb9d40bbd078f4 |
| SHA1 | 1d92c712f49952c96f77a7945d5c7c35adc185a0 |
| SHA256 | 90442645e4cc2820b5f723da982074b8f5a0b469addac18e5db6944ff8881ad7 |
| SHA512 | eff983858bb768747342b4d702b2361a1754a499bce41186c46e4db84a82723c114d64101f8c0709c0bd63b8672343c757fe4aa9c2d0936d8d850f2d42dac391 |
C:\Windows\system\PfdQlqh.exe
| MD5 | f6ba636e18cc2c28a37a728b65aa9fc9 |
| SHA1 | 3ac8b7a251effebe7050a2cbc747b9d9be621f32 |
| SHA256 | 5839ba5e9fd7d59b0cd5c545195ddd8ab47d827fae6474c74bc23b538e364c09 |
| SHA512 | 3ff48c38cb5cc9a8215514c4474d92f698408a53f220d393ef367abb1522132908fa04db9ced5c0dd51ebe7e4c4ec6b935e501ac3cd480119905ed70e51f7531 |
C:\Windows\system\NgEkwCO.exe
| MD5 | 714788d28654ed2b754a80be977bc0fa |
| SHA1 | 9eeb0a0a13a264270cb272c8ac851e6e6f0407a1 |
| SHA256 | 614c60b7e9bfdef9673444b95467dc3998a15bc90ae062b31defe82b42fc476c |
| SHA512 | ddf5c7177daf008707e1ff628c6dc2bd293a713c4bfd1155dba919d682280c433c5c0bee9215935b0022e463bef0f1eb33b503e5eee2a64c7cf51b296f654b02 |
C:\Windows\system\woVToyr.exe
| MD5 | 0f53f4a8e758596712b3b64ed658d81c |
| SHA1 | 5e27dfd42aad98277408a9a59fe22246dca92806 |
| SHA256 | 807e5b39204042f134bf29502fa0f771d47c7e1fbedeeea0f7c0dc1d451e5224 |
| SHA512 | 6184bbf43c1dfa580ebc82c7e883c0aaebdb376d9aa5fdf9138e900d0a4fd1d7668b22f580932bd8bada7b819f1cc70f99bf5b06080573cdcfdaf2a09d0c7a31 |
memory/1884-99-0x000000013FE60000-0x00000001401B1000-memory.dmp
C:\Windows\system\gQNyQfX.exe
| MD5 | 56c8913ba4ef6714f246dfe7c4a2e4db |
| SHA1 | 7ddb430243c4347f4a9dd05cd58d02efe5ca1d0d |
| SHA256 | 3574e293db184fc77abfd7b80bfb034bc5e2904a76a20ee1d26fad186bd08599 |
| SHA512 | 5a4b8b17afeeda4aacb820aedd5601ba5ce1c7350541af17c1fb619dd5dfdc9e9bd9ef582a91249eb27ccaac1ed0a9ac05f09142d93b9d2b3af7e50a5df8090b |
memory/1884-93-0x00000000023E0000-0x0000000002731000-memory.dmp
memory/2092-88-0x000000013F840000-0x000000013FB91000-memory.dmp
memory/1720-136-0x000000013FB40000-0x000000013FE91000-memory.dmp
memory/2752-87-0x000000013F3D0000-0x000000013F721000-memory.dmp
memory/3000-81-0x000000013F770000-0x000000013FAC1000-memory.dmp
memory/1884-80-0x000000013F770000-0x000000013FAC1000-memory.dmp
C:\Windows\system\lMhRQnR.exe
| MD5 | 847957277869ee0836dc9e71fe5ad9cb |
| SHA1 | 3887c295511ee56ead4af631bc2cea1992b444d7 |
| SHA256 | 0eb438c45459bfbc486e82f291a0482096dfb2400a80d4b4eea63d850434b0b8 |
| SHA512 | cb7835b994fb89acbc5d5769e282539a90d07789d93e004cf0bf0a88e7b1292407579852eeb4b0c10d0c9cad074c19d0f969d8acb8c75b6029dae153348c4113 |
C:\Windows\system\hcpTeDd.exe
| MD5 | f347bec1b30cc87db9b80d4c605ebe04 |
| SHA1 | 28663125cf6ebf48b298c56198ae7610bd3fb36d |
| SHA256 | cdc50ad248b8cd48507c0dad8deededb4e1bfc20ed9f8c2f658fe9d6fec5df15 |
| SHA512 | 9549c88c15f97f08038b5d4fc3424ad7830fe48282d57d690332536e809689986f1a010acb4e38d4100b22509a7be7f06d62dde55b3876a718c072c694b5a93a |
memory/3064-74-0x000000013FDC0000-0x0000000140111000-memory.dmp
\Windows\system\hRcbtcq.exe
| MD5 | e6703502f7373aba234d66e812e889db |
| SHA1 | aded1e4000e560305c4e925ff6b8890a71e9994d |
| SHA256 | 820961b824c47baeba08252ea4d024e1c11fc509a41754523f8f60607e84f84a |
| SHA512 | d623488ecad644a60f6db4fa71576f941cb6dae36021ac61f1780d96ab44bf1414bc1ab774ae2f5f7dfaeb1637c8a44454be0935eb6c54ba457172e6bc749c05 |
\Windows\system\EBoEGHq.exe
| MD5 | 95654e1f45b403b4a3b65f2ddbbd5bfb |
| SHA1 | b45b97b7b73e5bee20e0f5207cb633d0ce0f26e5 |
| SHA256 | 668a49e0dc3f62adc7e26dc78b481b9031578cab5bcbe90d19da70fd760a158d |
| SHA512 | 97e581016ff900b97b7f63b7ce5d66b407661115ed7e26247dee8adf02d53a0cb7d6f6c94262dd6a33795e618ea33a2e2d9a85ba34a9b4049c37b2b9e315eb0e |
memory/1592-71-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/1884-69-0x000000013FBE0000-0x000000013FF31000-memory.dmp
memory/1884-68-0x000000013FB70000-0x000000013FEC1000-memory.dmp
C:\Windows\system\sToFiGl.exe
| MD5 | 2104bf8a8f28b2484508393fa7e7d836 |
| SHA1 | 860f5e73507604278eeda04f3bd8f6ac19dca173 |
| SHA256 | 136aa3d20977e63494be95ee3d214b73ce85b64a8b79e9f1836afad3bad84516 |
| SHA512 | a35b7f98ee7913396f95bf46373e2ec9f3bd4b6ce862228a5b0c8584eb098ecb7fa164435fbe3a589d37fd81eb4e52daf02f1724ef2422a404822c6a9627f09f |
memory/2236-66-0x000000013FBE0000-0x000000013FF31000-memory.dmp
memory/1884-64-0x000000013FDC0000-0x0000000140111000-memory.dmp
C:\Windows\system\xPDvEFu.exe
| MD5 | fcda17b5572acc32df013264e6b10241 |
| SHA1 | db00ae4f2f2f66078026451035bd0cca6539600b |
| SHA256 | 89c9a530a97b4aada5789688b1e332d9a34f525b762bed3957c49c25ddadc860 |
| SHA512 | 68e7fbc36b9a4b7379badfa80deaa70aba34ff01458b56f58aee4637389397b9bae9f3a53dc140e0de4e3e5d2c4b411d30bbb1cb216462f4f398dac4622f195e |
memory/2776-43-0x000000013F4D0000-0x000000013F821000-memory.dmp
memory/1884-35-0x00000000023E0000-0x0000000002731000-memory.dmp
memory/1884-28-0x000000013FB40000-0x000000013FE91000-memory.dmp
memory/2576-137-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2988-21-0x000000013F320000-0x000000013F671000-memory.dmp
memory/1884-19-0x00000000023E0000-0x0000000002731000-memory.dmp
memory/1884-10-0x00000000023E0000-0x0000000002731000-memory.dmp
C:\Windows\system\VQXwNnW.exe
| MD5 | 9a4e562bcb84d06fc36fe431a48a0f16 |
| SHA1 | 8cb32feb7adc92e506d87c039f20f9f3fadad1b2 |
| SHA256 | 322513fee2774f9c0706820db991681324b35401a3d561676175615ad6795eda |
| SHA512 | c6b899de59ae7d98526021ebc5bae19ba745f1535ec604a90cf32fc4f504b65ce4a3a8d8d95731d312797c178f7e23dfec471bf9edde7756c5896664ede07283 |
memory/2776-138-0x000000013F4D0000-0x000000013F821000-memory.dmp
memory/1884-139-0x000000013F1D0000-0x000000013F521000-memory.dmp
memory/2060-149-0x000000013F150000-0x000000013F4A1000-memory.dmp
memory/2092-152-0x000000013F840000-0x000000013FB91000-memory.dmp
memory/1592-150-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/3000-151-0x000000013F770000-0x000000013FAC1000-memory.dmp
memory/3064-147-0x000000013FDC0000-0x0000000140111000-memory.dmp
memory/2440-160-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/2328-158-0x000000013F250000-0x000000013F5A1000-memory.dmp
memory/2780-157-0x000000013FC80000-0x000000013FFD1000-memory.dmp
memory/2612-156-0x000000013F7A0000-0x000000013FAF1000-memory.dmp
memory/1884-161-0x00000000023E0000-0x0000000002731000-memory.dmp
memory/584-155-0x000000013F990000-0x000000013FCE1000-memory.dmp
memory/2648-154-0x000000013FE60000-0x00000001401B1000-memory.dmp
memory/2840-159-0x000000013F400000-0x000000013F751000-memory.dmp
memory/1696-153-0x000000013F3E0000-0x000000013F731000-memory.dmp
memory/1884-162-0x000000013F770000-0x000000013FAC1000-memory.dmp
memory/1884-163-0x000000013F1D0000-0x000000013F521000-memory.dmp
memory/1884-185-0x000000013FE60000-0x00000001401B1000-memory.dmp
memory/2752-209-0x000000013F3D0000-0x000000013F721000-memory.dmp
memory/2988-211-0x000000013F320000-0x000000013F671000-memory.dmp
memory/2676-213-0x000000013F1E0000-0x000000013F531000-memory.dmp
memory/1720-215-0x000000013FB40000-0x000000013FE91000-memory.dmp
memory/2576-217-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2776-236-0x000000013F4D0000-0x000000013F821000-memory.dmp
memory/2572-238-0x000000013FDF0000-0x0000000140141000-memory.dmp
memory/2236-240-0x000000013FBE0000-0x000000013FF31000-memory.dmp
memory/1592-242-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/2092-244-0x000000013F840000-0x000000013FB91000-memory.dmp
memory/3064-251-0x000000013FDC0000-0x0000000140111000-memory.dmp
memory/1696-256-0x000000013F3E0000-0x000000013F731000-memory.dmp
memory/3000-255-0x000000013F770000-0x000000013FAC1000-memory.dmp
memory/2060-253-0x000000013F150000-0x000000013F4A1000-memory.dmp
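Two details in the Files section above are easy to miss when reading the hashes one at a time: every dropped executable has a different MD5/SHA1/SHA256, yet every memory-dump name for the dropped processes spans a region of exactly the same size (0x351000 bytes, in both the Windows 7 and the Windows 10 run). The following is an added example for this page, not part of the sandbox report; it parses a constructed excerpt copied from the Files sections of both detonations and checks those two facts mechanically, which is the argument for hunting on behaviour rather than on per-file hashes for this sample. The dump-name layout memory/<pid>-<index>-<start>-<end> is assumed from the entries as printed.

```python
"""Cross-checking the dropped files and memory dumps recorded in this report.

Added example for this page, not part of the sandbox report. REPORT_EXCERPT
is a constructed excerpt copied from the Files sections of both detonations
(three dropped files, seven memory-dump names); the parsing and the checks
are the added part. The dump-name layout memory/<pid>-<index>-<start>-<end>
is assumed from the entries as printed.
"""
import re
from collections import Counter

DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

REPORT_EXCERPT = r"""
memory/1884-0-0x000000013F1D0000-0x000000013F521000-memory.dmp
memory/1884-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\mZbmofy.exe
| MD5 | ea58591657c732d9e178f9b576e353f4 |
| SHA1 | e7315840abeb8618340b80e7acc3fcf88efcb691 |
| SHA256 | 422124e1f138e538bccfa57070dcdcec6ca00b56dd6ccbff3b92e90bc7e63abf |
| SHA512 | 1ab73dbf2ca94f7e51790c63d3e9a96283b9eb641b28d504ce2976292128c8454596b2e003595b2b9e5b14175215272972e496e8de31cb5fcac4dffe283cceba |
\Windows\system\rhnuymr.exe
| MD5 | 8bc55cb8f92ea142558adbc95f413dde |
| SHA1 | 817fec5f0482cdadd3f6754428fb7b9e1f4f178c |
| SHA256 | 67f4d1968c99ae21134b5ad6e097e97dc5b54a3030a45013b12a0466fe5b1a4f |
| SHA512 | 8b078f96cdf6549dcac1f7a3d3c2efb13d117b55fc4c873676e5cfa6765fc18d49be0bab4a3214cdd0b948829ed9203fbdbd155853f90c8fcabd825e4d76eaf6 |
memory/2752-18-0x000000013F3D0000-0x000000013F721000-memory.dmp
memory/2676-23-0x000000013F1E0000-0x000000013F531000-memory.dmp
memory/1720-29-0x000000013FB40000-0x000000013FE91000-memory.dmp
memory/2576-37-0x000000013F0D0000-0x000000013F421000-memory.dmp
C:\Windows\System\wWskkzT.exe
| MD5 | 56d5a8c119de077208d959a008466690 |
| SHA1 | e01cb90583e68c0ae6983ae6fe3ca38130303a55 |
| SHA256 | 76e922b6bf7a7f799efe3ee564025a16afee6364ba1a1fdc5354c475643a9073 |
| SHA512 | f1788242083c479958ed1a1c94dfa0f90d8e2d26badd477e8ae15361b32411b27919dd315441fcfb4ab42a87e201590b60c8b09f84d925413101af2744c479f0 |
memory/1456-0-0x00007FF789AE0000-0x00007FF789E31000-memory.dmp
"""


def parse_report(text):
    """Split a Files section into memory-dump tuples and per-file hash dicts."""
    dumps, files, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP.match(line)
        if m:
            pid, idx, start, end = m.groups()
            dumps.append((int(pid), int(idx), int(start, 16), int(end, 16)))
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            files.setdefault(current, {})[m.group(1)] = m.group(2).lower()
            continue
        current = line  # a dropped-file path introduces the hash rows that follow
    return dumps, files


def image_region_sizes(dumps):
    """Size of every dumped region, as a Counter of size -> how many dumps."""
    return Counter(end - start for _, _, start, end in dumps)


def consistent_image_size(dumps, minimum=1 << 20):
    """If every region of at least `minimum` bytes has the same size, return it."""
    sizes = {end - start for _, _, start, end in dumps if end - start >= minimum}
    return sizes.pop() if len(sizes) == 1 else None


def distinct_sha256(files):
    """Unique SHA256 values across the dropped files."""
    return {h["SHA256"] for h in files.values() if "SHA256" in h}


def validate_hashes(files):
    """Flag any hash whose hex length does not match its algorithm (copy errors)."""
    problems = []
    for path, hashes in files.items():
        for algo, value in hashes.items():
            if len(value) != HEX_LEN[algo]:
                problems.append((path, algo, len(value)))
    return problems


if __name__ == "__main__":
    dumps, files = parse_report(REPORT_EXCERPT)
    print("region sizes:", {hex(k): v for k, v in image_region_sizes(dumps).items()})
    print("shared image size:", hex(consistent_image_size(dumps) or 0))
    print("distinct SHA256:", len(distinct_sha256(files)), "of", len(files), "files")
    print("hash problems:", validate_hashes(files))
```

On the excerpt every image-sized region (six dumps, across both runs) is 0x351000 bytes, the only smaller region is the 0x10000-byte heap block of the parent, and the three files have three different SHA256 values. The same binary being mapped under 21 different hashes means a hash blocklist built from this report catches nothing beyond these exact drops; the path pattern, the privilege request and the 3.120.209.58:8080 connections are the durable indicators.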
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 11:57
Reported
2024-08-06 12:00
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
152s
Signatures
Cobalt Strike reflective loader: 21 matches (no description, indicator, process or target recorded)
Cobaltstrike
xmrig
XMRig Miner payload: 45 matches (no detail recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\wWskkzT.exe | N/A |
| N/A | N/A | C:\Windows\System\siUBMnK.exe | N/A |
| N/A | N/A | C:\Windows\System\NjRlFTo.exe | N/A |
| N/A | N/A | C:\Windows\System\csfLyff.exe | N/A |
| N/A | N/A | C:\Windows\System\tDFEOrF.exe | N/A |
| N/A | N/A | C:\Windows\System\GFvWkXC.exe | N/A |
| N/A | N/A | C:\Windows\System\bGmsgKN.exe | N/A |
| N/A | N/A | C:\Windows\System\InwrFWK.exe | N/A |
| N/A | N/A | C:\Windows\System\ibnOdma.exe | N/A |
| N/A | N/A | C:\Windows\System\ZBUBMoY.exe | N/A |
| N/A | N/A | C:\Windows\System\HKgTDjW.exe | N/A |
| N/A | N/A | C:\Windows\System\Zvcidul.exe | N/A |
| N/A | N/A | C:\Windows\System\xlmAYEq.exe | N/A |
| N/A | N/A | C:\Windows\System\mWfJOhn.exe | N/A |
| N/A | N/A | C:\Windows\System\dtLqJOT.exe | N/A |
| N/A | N/A | C:\Windows\System\XXegSsr.exe | N/A |
| N/A | N/A | C:\Windows\System\LqeuSOM.exe | N/A |
| N/A | N/A | C:\Windows\System\bdNdqMq.exe | N/A |
| N/A | N/A | C:\Windows\System\WUVCQuo.exe | N/A |
| N/A | N/A | C:\Windows\System\SUKtsIF.exe | N/A |
| N/A | N/A | C:\Windows\System\hAHQSLX.exe | N/A |
UPX packed file: 64 matches (no detail recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
Each process is listed once; for every dropped executable the report records the command line as the bare image path with no arguments, and for the parent sample as the quoted path shown.
C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_8fdee9d32023cc46ccce8f9d512271d2_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\wWskkzT.exe
C:\Windows\System\siUBMnK.exe
C:\Windows\System\NjRlFTo.exe
C:\Windows\System\csfLyff.exe
C:\Windows\System\tDFEOrF.exe
C:\Windows\System\GFvWkXC.exe
C:\Windows\System\bGmsgKN.exe
C:\Windows\System\InwrFWK.exe
C:\Windows\System\ibnOdma.exe
C:\Windows\System\ZBUBMoY.exe
C:\Windows\System\HKgTDjW.exe
C:\Windows\System\Zvcidul.exe
C:\Windows\System\xlmAYEq.exe
C:\Windows\System\mWfJOhn.exe
C:\Windows\System\dtLqJOT.exe
C:\Windows\System\XXegSsr.exe
C:\Windows\System\LqeuSOM.exe
C:\Windows\System\bdNdqMq.exe
C:\Windows\System\WUVCQuo.exe
C:\Windows\System\SUKtsIF.exe
C:\Windows\System\hAHQSLX.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
The six TCP flows to 3.120.209.58:8080 match the Windows 7 run and are the sample's own traffic; again no DNS query resolves that address. The four in-addr.arpa queries are reverse lookups of 20.223.36.55, 40.68.123.157, 52.165.164.15 and 52.111.229.48, which appear to be Microsoft-operated ranges and are consistent with Windows 10 background traffic rather than with anything the sample does; treat them as sandbox noise unless corroborated.
Files
memory/1456-0-0x00007FF789AE0000-0x00007FF789E31000-memory.dmp
memory/1456-1-0x000001EC5F1A0000-0x000001EC5F1B0000-memory.dmp
C:\Windows\System\wWskkzT.exe
| MD5 | 56d5a8c119de077208d959a008466690 |
| SHA1 | e01cb90583e68c0ae6983ae6fe3ca38130303a55 |
| SHA256 | 76e922b6bf7a7f799efe3ee564025a16afee6364ba1a1fdc5354c475643a9073 |
| SHA512 | f1788242083c479958ed1a1c94dfa0f90d8e2d26badd477e8ae15361b32411b27919dd315441fcfb4ab42a87e201590b60c8b09f84d925413101af2744c479f0 |
memory/3840-6-0x00007FF69ACD0000-0x00007FF69B021000-memory.dmp
C:\Windows\System\siUBMnK.exe
| MD5 | a27b7afe5e91617f76ddbbd331fbb4f5 |
| SHA1 | 41b6d57779a4eee4d256c4b08d93dc7a83738e62 |
| SHA256 | 96e997cc1fe79dde5635902da71cad97330233525020d22c8b70f5a6f8a2ced5 |
| SHA512 | cee0b3a074e12921f577787cedca2a5ea38aa80d1088547ae3cc74e671460b7cee84b0d9847aa2741605d55977261cc08e48d29fd7beec16bb8a04057a494128 |
C:\Windows\System\NjRlFTo.exe
| MD5 | 9f962fdc92ac16cff62f5f4e4b07c5c1 |
| SHA1 | ba8d8a73dca6e8f808863e34c21a6891beca780d |
| SHA256 | cc47458bac56bcd500d65a8c7c7c2e45c1b1c82230d122002afe8c4ff511df49 |
| SHA512 | d8b7041c0d4fe22d2be092a3623300fda7e60c5921ed79e847ae32ad9954898d13a1592e79e0e203fae921cf80dfd31ba15216246b204e7f745332ba7ee03259 |
memory/3008-14-0x00007FF6B9340000-0x00007FF6B9691000-memory.dmp
C:\Windows\System\csfLyff.exe
| MD5 | 84d5c0467dd85e6dd8e6480a262b19cd |
| SHA1 | 3967541c0e1d76b679c8da46341f8987e7380a37 |
| SHA256 | a3c4797f57e0cc7708e70e1b74e549a4e10af348c563566bd88000ff6b4b9139 |
| SHA512 | 3e50ffa7d295992d52057441686d813e2f9658cc4ea1840dc829c5b136011d377a8ca7d3154cb2fbfbea7be0db3dd20349ff9ff7169b71c839201e3d54d37632 |
C:\Windows\System\tDFEOrF.exe
| MD5 | 9c67c8ce436052a147cfc0273389fb5a |
| SHA1 | e0b6a4d05e803b8448b2a370557eda379e2df3e0 |
| SHA256 | bf3593c910f73100b90423bbf5abae03347a0bc410515a86ff7b08046ea06293 |
| SHA512 | 025bef18c71aab2cb3e845c2b17a709c734bb5744ff596291d96272c0af30a7b0339ba0dbcdd14cb5517a3dbe8ecadfa3e43f94dd12431bbad40188aaf6ffc7c |
memory/4876-33-0x00007FF762380000-0x00007FF7626D1000-memory.dmp
C:\Windows\System\bGmsgKN.exe
| MD5 | be60f79e852bb467466514139831b483 |
| SHA1 | 6841cfbc980f9ada63ea1569e0b81d48bcd998fe |
| SHA256 | d33275f75b457a7512cebe8492668b278d309a7e9f96d4d2f6777dbecf9350d7 |
| SHA512 | cb9ec082936a389fb5bfce8f8082d86479c27a6633986b33644edcec37fcaaad5f9248b8fa2e21787883cd89086dd4abd4e806c7aaf638feb2631a15ad42a5fe |
C:\Windows\System\HKgTDjW.exe
| MD5 | 1ab001a617cce0b1e03a7b603a70a790 |
| SHA1 | 27ff05ae18c4e22362f7c32715dea16f09473781 |
| SHA256 | 19089d99579a7806952e8569d1b28a820628eb69387137f50ebdb4a8b3ef1ebb |
| SHA512 | 8e446ed2b3da714e4e36e3a7ce2a702422f42dacd9051c33da4caeb16454018b93d4c5fa12f94651aaae431e8212351f3c69b6e0a44221322c188b9f803c15ea |
C:\Windows\System\xlmAYEq.exe
| MD5 | 2acc1981c6546628c54788d1935fd9d9 |
| SHA1 | d49ad1cf84df02bb80191be0ab38dd6f7c74c666 |
| SHA256 | 987ddc65f90142cbab326641628c054e23d7056ee90cceb9e62edc975ddf8b7f |
| SHA512 | 6052c3d510e62fdf99637d75da695a8544529862ffc811d6ebc76b72a057f5f84c5c9429ac35a08cb4f5524f6382fb127ad2e686c20b41d9f5b7ef1d233f6b96 |
C:\Windows\System\LqeuSOM.exe
| MD5 | 0c7a4e54ce35bfc6ada7da185ea9f8e6 |
| SHA1 | 0a3f41caa0a274022e6b04d0fab41d6867ab4964 |
| SHA256 | 5518eb26682fdbbada0b4156567e8f3fbfa757992fd7a1e0043f94556acc4acb |
| SHA512 | ee1b35cdadf0f1697daa5c19f18b86d87664d7bb65e13db1a96cad216aa7f4601a14a9f11610b7c114990fb9ceab4e438594c14f120714d37e1236d2cf06f142 |
C:\Windows\System\dtLqJOT.exe
| MD5 | 32a6fda36b934eb2bfa3a3edbe378fe4 |
| SHA1 | 6b9561d4e288bc4379bb86aff2e837d6c269aa43 |
| SHA256 | 0aa5116a7b3cb0f82f71b513594c7881fd8ba9b027cad243ec0d92eff2f73b75 |
| SHA512 | 54786bb0f82794f2af4a87cb8cfc579b47d2b42b9d19baea4b30beb11caef49fffdf13947485a8ad3b652274a68fc31f0bb8c0843aefa86e4c56e6b6103c5ddf |
memory/4544-108-0x00007FF6A1A90000-0x00007FF6A1DE1000-memory.dmp
C:\Windows\System\WUVCQuo.exe
| MD5 | 9bdbda7fd55433fd751427eccf0d4f1b |
| SHA1 | bf2687aea2bfdda138accc5f67fcb115c7c859a6 |
| SHA256 | 71683bcfcd953933c1106b9a42f745f833362acbf0b1131b28b8db814a83fc2e |
| SHA512 | 464110b8b5c8c3a6751136465381075b0b0ca5a8d16d65145f70d1bdb2e6029243f2c2afc9ea67d1775f8225c25d3aa7ddea71f22349b91db892fa68ca398c75 |
memory/3840-118-0x00007FF69ACD0000-0x00007FF69B021000-memory.dmp
memory/860-117-0x00007FF77C2E0000-0x00007FF77C631000-memory.dmp
C:\Windows\System\bdNdqMq.exe
| MD5 | 91c5816fa8df84348aac317e3d00bb9d |
| SHA1 | af5561bb16129f9d1da9b1db38eed2fbb0a62069 |
| SHA256 | 0602f5cc8d4e6ec8e810a6cbc8bf310cac30428f3c86e59cf92f4219b81ac70e |
| SHA512 | 625d4c26c7c2ec6e6092e49c392f569c456bf2f044462d1de1564fe29a484c3dd1b096c8aee322e90994a3f1fa48c47c6a1e3f1922d64df33f5862a927dff37d |
memory/2768-112-0x00007FF6778C0000-0x00007FF677C11000-memory.dmp
memory/3924-109-0x00007FF73FD20000-0x00007FF740071000-memory.dmp
memory/1456-107-0x00007FF789AE0000-0x00007FF789E31000-memory.dmp
C:\Windows\System\XXegSsr.exe
| MD5 | 7d3873b7d1997a28114965f87c350a38 |
| SHA1 | 075d0a567b07d1539bdf22092946bb832fe9ac43 |
| SHA256 | 245a591929fae63232bd93fc8dd1a1a8b54433d7117a732f43735f577b277eed |
| SHA512 | 86439f0f0c61c4519c9467734dc8a52333d5d70b39a804faae7616be4f9430b0e5781f6c2db1f153e2e8e37425760d811a836ba7d625e755645dd7af8f5ae4e2 |
memory/3884-102-0x00007FF6E91F0000-0x00007FF6E9541000-memory.dmp
C:\Windows\System\mWfJOhn.exe
| MD5 | 33a227f0ee009f420749b182f9b725af |
| SHA1 | 923da0a3d23dfa1108c60a53ae62e78fb674cbdf |
| SHA256 | 9f912f4dab7cc969447760d0c070fdf4c777aa4bedd27dbfdb865d83eb71013d |
| SHA512 | bb390db1b3eecc349b493012dbb6d09a26b2c71e948aff75f84f961a05c3ac7a6fe90b715352b45f12a5ffc677245630c51224cfb09176635aec99a5e61d9c39 |
memory/1532-93-0x00007FF6E3300000-0x00007FF6E3651000-memory.dmp
memory/4756-88-0x00007FF77D880000-0x00007FF77DBD1000-memory.dmp
memory/4136-87-0x00007FF747F80000-0x00007FF7482D1000-memory.dmp
C:\Windows\System\Zvcidul.exe
| MD5 | 0edf27992bf935ce726985e1a236d4d2 |
| SHA1 | f5b5c0e8c59cab2d45f3f7c0e8b071851db3054a |
| SHA256 | 0c72b49eeb75971805d3735e1f983ab5e78abdcfe58142f9298695aa1d2574ee |
| SHA512 | c0dbad055144333e1af15943850116c9990387fc8043e9bd5bd11af537489389fd26587f2770a76616939991811b0d0b5c616ce988112225e7b6c8510022d66f |
memory/1356-76-0x00007FF79A910000-0x00007FF79AC61000-memory.dmp
C:\Windows\System\ZBUBMoY.exe
| MD5 | fadadc4f5cacc18d22df76a0928106e3 |
| SHA1 | 04ad395c0e9cfd798df32eb3b9bc7a2ecdd8f5a9 |
| SHA256 | 0429b6959288d97d8f2af8e61d1e23f399e15602c1679b5d5eb55d9ce6746fc2 |
| SHA512 | 64b3295a8bd7363bbfb0696cac36c4ffac87272e5464dde50f6bc6647453f6b6bf2cc542346949d3574ba3565e4c91c71513691a2606e9c543c19f947cfe29e6 |
memory/1980-66-0x00007FF67FC60000-0x00007FF67FFB1000-memory.dmp
memory/1968-73-0x00007FF6A98B0000-0x00007FF6A9C01000-memory.dmp
C:\Windows\System\ibnOdma.exe
| MD5 | 94e21db0195b02a0d595090dccc37869 |
| SHA1 | eb72812bf29256eb85c7dba0e8bc6d269a4f0dd1 |
| SHA256 | 153ccb587d74f01d25405b2eb00ff5b2c9f5ce5272681e5be22e44587947ed73 |
| SHA512 | 441d5841775d13a17515f5456a962bdfc8cfa57b54424a2cd7bab75453718719186df5ef71a3e99b0c25152baa92a4f09831378dc3ef4f76f44ee83745880b0d |
memory/60-57-0x00007FF7CEB20000-0x00007FF7CEE71000-memory.dmp
C:\Windows\System\InwrFWK.exe
| MD5 | 0ef76582912d1526999e342c227c9b73 |
| SHA1 | 111813b254b869a8fb5479934dd59fb3df3474e5 |
| SHA256 | 2bae85306091b343c6691ef4d60461b95fd867734f1a07cd4aa9fe81a993de16 |
| SHA512 | 4a7d44ce929a8b002630177faec75557c15e9d07b7c6a117b353380e34d79068e1e2bfd0526feeaf667cfb3dcf24f5ceb5939efc0cd93745eb96f2a5308daec7 |
memory/3892-44-0x00007FF684080000-0x00007FF6843D1000-memory.dmp
memory/2104-41-0x00007FF7BFCF0000-0x00007FF7C0041000-memory.dmp
memory/2520-39-0x00007FF652A90000-0x00007FF652DE1000-memory.dmp
C:\Windows\System\GFvWkXC.exe
| MD5 | 034cd8e88d24bcdaa0270dd3a77f6cad |
| SHA1 | e254b40671bdd5d0c02412adce7b79f230bcb8d8 |
| SHA256 | 866e07f955053721f365ddd2b66cb258dc17cfcf5b2cafccf72199d97f3bac3c |
| SHA512 | 717df78bbed4926fd14b7d88d6a63ce85cc88739992833ebb5fc95ed87099b49949bee5814e1189e1d9eba51aaf303e1c768d5fc5af835a7d64bcf61c0a27fc1 |
memory/4964-24-0x00007FF754D00000-0x00007FF755051000-memory.dmp
C:\Windows\System\SUKtsIF.exe
| MD5 | e7b7d722af668a8f23950a2a2930a4d2 |
| SHA1 | 40c2263c1e7c1b85eb3e7cc99bf5d4f624bb2308 |
| SHA256 | dd8165ae8464bfa0d2094d5ea04463386ebb3b1f81ec5102b0180b37f8828088 |
| SHA512 | 366e03c7628198c17a260673a48cd9fe407cc1505b07f8a6010c6ba1a48625a39419461345a4658674f338c8d82a382ac24031a64d7ced34f6aa5d4e0b48c009 |
C:\Windows\System\hAHQSLX.exe
| MD5 | 2feb4beec71001d3767d45cf84bf4b13 |
| SHA1 | 40a5216ef47ad49e7c96235aeb0d086ea6a41b4d |
| SHA256 | 78ec365a2c5b4337268c2a98e24dc74122e1de91767795843dd0d0dc771bce2f |
| SHA512 | 06b5b1c71c01a87fe09997a5123ef98eda13421c6edda4ea6fabebfff58c81ec1dd2983c811a3338065553e655e5ad6815f5801d7072c72053d383098a739334 |
memory/4964-124-0x00007FF754D00000-0x00007FF755051000-memory.dmp
memory/4876-129-0x00007FF762380000-0x00007FF7626D1000-memory.dmp
memory/456-127-0x00007FF7EBE90000-0x00007FF7EC1E1000-memory.dmp
memory/5032-131-0x00007FF7FC3B0000-0x00007FF7FC701000-memory.dmp
memory/1980-141-0x00007FF67FC60000-0x00007FF67FFB1000-memory.dmp
memory/3892-139-0x00007FF684080000-0x00007FF6843D1000-memory.dmp
memory/1532-147-0x00007FF6E3300000-0x00007FF6E3651000-memory.dmp
memory/3884-149-0x00007FF6E91F0000-0x00007FF6E9541000-memory.dmp
memory/1356-145-0x00007FF79A910000-0x00007FF79AC61000-memory.dmp
memory/860-150-0x00007FF77C2E0000-0x00007FF77C631000-memory.dmp
memory/1968-143-0x00007FF6A98B0000-0x00007FF6A9C01000-memory.dmp
memory/1456-132-0x00007FF789AE0000-0x00007FF789E31000-memory.dmp
memory/2768-151-0x00007FF6778C0000-0x00007FF677C11000-memory.dmp
memory/1456-154-0x00007FF789AE0000-0x00007FF789E31000-memory.dmp
memory/3840-202-0x00007FF69ACD0000-0x00007FF69B021000-memory.dmp
memory/3008-204-0x00007FF6B9340000-0x00007FF6B9691000-memory.dmp
memory/4964-206-0x00007FF754D00000-0x00007FF755051000-memory.dmp
memory/4876-208-0x00007FF762380000-0x00007FF7626D1000-memory.dmp
memory/2520-210-0x00007FF652A90000-0x00007FF652DE1000-memory.dmp
memory/2104-212-0x00007FF7BFCF0000-0x00007FF7C0041000-memory.dmp
memory/3892-214-0x00007FF684080000-0x00007FF6843D1000-memory.dmp
memory/60-216-0x00007FF7CEB20000-0x00007FF7CEE71000-memory.dmp
memory/1980-218-0x00007FF67FC60000-0x00007FF67FFB1000-memory.dmp
memory/4136-220-0x00007FF747F80000-0x00007FF7482D1000-memory.dmp
memory/4756-223-0x00007FF77D880000-0x00007FF77DBD1000-memory.dmp
memory/1968-224-0x00007FF6A98B0000-0x00007FF6A9C01000-memory.dmp
memory/1356-226-0x00007FF79A910000-0x00007FF79AC61000-memory.dmp
memory/1532-230-0x00007FF6E3300000-0x00007FF6E3651000-memory.dmp
memory/4544-229-0x00007FF6A1A90000-0x00007FF6A1DE1000-memory.dmp
memory/3924-232-0x00007FF73FD20000-0x00007FF740071000-memory.dmp
memory/860-241-0x00007FF77C2E0000-0x00007FF77C631000-memory.dmp
memory/3884-239-0x00007FF6E91F0000-0x00007FF6E9541000-memory.dmp
memory/2768-242-0x00007FF6778C0000-0x00007FF677C11000-memory.dmp
memory/456-244-0x00007FF7EBE90000-0x00007FF7EC1E1000-memory.dmp
memory/5032-246-0x00007FF7FC3B0000-0x00007FF7FC701000-memory.dmp