Analysis Overview
SHA256
59277f7a8c3a688e0513533404320896462cd027bb1e6b180e750986f20e77e5
Threat Level: Known bad
The file 2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Xmrig family
Cobaltstrike
Cobaltstrike family
Cobalt Strike reflective loader
xmrig
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-06 12:01
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 12:01
Reported
2024-08-06 12:03
Platform
win7-20240708-en
Max time kernel
139s
Max time network
150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\WBRwBiE.exe | N/A |
| N/A | N/A | C:\Windows\System\HwvSBOf.exe | N/A |
| N/A | N/A | C:\Windows\System\eQoqKDB.exe | N/A |
| N/A | N/A | C:\Windows\System\WBivkWv.exe | N/A |
| N/A | N/A | C:\Windows\System\sJCGwkP.exe | N/A |
| N/A | N/A | C:\Windows\System\JaqqTAr.exe | N/A |
| N/A | N/A | C:\Windows\System\aFVqeIl.exe | N/A |
| N/A | N/A | C:\Windows\System\eVdwSaB.exe | N/A |
| N/A | N/A | C:\Windows\System\RrBBdXo.exe | N/A |
| N/A | N/A | C:\Windows\System\OVOwfsc.exe | N/A |
| N/A | N/A | C:\Windows\System\YCgeNMo.exe | N/A |
| N/A | N/A | C:\Windows\System\cbDRgDe.exe | N/A |
| N/A | N/A | C:\Windows\System\ZhlexNY.exe | N/A |
| N/A | N/A | C:\Windows\System\CGBsHXX.exe | N/A |
| N/A | N/A | C:\Windows\System\qNGjxtq.exe | N/A |
| N/A | N/A | C:\Windows\System\iDVIcHK.exe | N/A |
| N/A | N/A | C:\Windows\System\kshUEOb.exe | N/A |
| N/A | N/A | C:\Windows\System\vJusVRJ.exe | N/A |
| N/A | N/A | C:\Windows\System\HYmxrga.exe | N/A |
| N/A | N/A | C:\Windows\System\oEsHqaP.exe | N/A |
| N/A | N/A | C:\Windows\System\pEikerL.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\WBRwBiE.exe | C:\Windows\System\WBRwBiE.exe |
| C:\Windows\System\HwvSBOf.exe | C:\Windows\System\HwvSBOf.exe |
| C:\Windows\System\eQoqKDB.exe | C:\Windows\System\eQoqKDB.exe |
| C:\Windows\System\WBivkWv.exe | C:\Windows\System\WBivkWv.exe |
| C:\Windows\System\sJCGwkP.exe | C:\Windows\System\sJCGwkP.exe |
| C:\Windows\System\JaqqTAr.exe | C:\Windows\System\JaqqTAr.exe |
| C:\Windows\System\aFVqeIl.exe | C:\Windows\System\aFVqeIl.exe |
| C:\Windows\System\eVdwSaB.exe | C:\Windows\System\eVdwSaB.exe |
| C:\Windows\System\RrBBdXo.exe | C:\Windows\System\RrBBdXo.exe |
| C:\Windows\System\OVOwfsc.exe | C:\Windows\System\OVOwfsc.exe |
| C:\Windows\System\YCgeNMo.exe | C:\Windows\System\YCgeNMo.exe |
| C:\Windows\System\cbDRgDe.exe | C:\Windows\System\cbDRgDe.exe |
| C:\Windows\System\ZhlexNY.exe | C:\Windows\System\ZhlexNY.exe |
| C:\Windows\System\qNGjxtq.exe | C:\Windows\System\qNGjxtq.exe |
| C:\Windows\System\CGBsHXX.exe | C:\Windows\System\CGBsHXX.exe |
| C:\Windows\System\kshUEOb.exe | C:\Windows\System\kshUEOb.exe |
| C:\Windows\System\iDVIcHK.exe | C:\Windows\System\iDVIcHK.exe |
| C:\Windows\System\vJusVRJ.exe | C:\Windows\System\vJusVRJ.exe |
| C:\Windows\System\HYmxrga.exe | C:\Windows\System\HYmxrga.exe |
| C:\Windows\System\oEsHqaP.exe | C:\Windows\System\oEsHqaP.exe |
| C:\Windows\System\pEikerL.exe | C:\Windows\System\pEikerL.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 12:01
Reported
2024-08-06 12:03
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
151s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ZmlcUBx.exe | N/A |
| N/A | N/A | C:\Windows\System\cfoSDxV.exe | N/A |
| N/A | N/A | C:\Windows\System\NIPVbOE.exe | N/A |
| N/A | N/A | C:\Windows\System\EBMGFyh.exe | N/A |
| N/A | N/A | C:\Windows\System\IkzBKSK.exe | N/A |
| N/A | N/A | C:\Windows\System\MjVehhD.exe | N/A |
| N/A | N/A | C:\Windows\System\jqSaWxm.exe | N/A |
| N/A | N/A | C:\Windows\System\xcOsPkX.exe | N/A |
| N/A | N/A | C:\Windows\System\TbAQJxq.exe | N/A |
| N/A | N/A | C:\Windows\System\uOMuIHj.exe | N/A |
| N/A | N/A | C:\Windows\System\aEXNoxF.exe | N/A |
| N/A | N/A | C:\Windows\System\bBzHMlU.exe | N/A |
| N/A | N/A | C:\Windows\System\fiCpSTK.exe | N/A |
| N/A | N/A | C:\Windows\System\TTMODZF.exe | N/A |
| N/A | N/A | C:\Windows\System\BYVYLxe.exe | N/A |
| N/A | N/A | C:\Windows\System\zDirxdq.exe | N/A |
| N/A | N/A | C:\Windows\System\BempKlH.exe | N/A |
| N/A | N/A | C:\Windows\System\sFRsdpX.exe | N/A |
| N/A | N/A | C:\Windows\System\symJqGr.exe | N/A |
| N/A | N/A | C:\Windows\System\DxZlneT.exe | N/A |
| N/A | N/A | C:\Windows\System\AyqHduc.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-06_a7a7e5424fc64d85f9b096eee9ac4c5c_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\ZmlcUBx.exe | C:\Windows\System\ZmlcUBx.exe |
| C:\Windows\System\cfoSDxV.exe | C:\Windows\System\cfoSDxV.exe |
| C:\Windows\System\NIPVbOE.exe | C:\Windows\System\NIPVbOE.exe |
| C:\Windows\System\EBMGFyh.exe | C:\Windows\System\EBMGFyh.exe |
| C:\Windows\System\IkzBKSK.exe | C:\Windows\System\IkzBKSK.exe |
| C:\Windows\System\MjVehhD.exe | C:\Windows\System\MjVehhD.exe |
| C:\Windows\System\jqSaWxm.exe | C:\Windows\System\jqSaWxm.exe |
| C:\Windows\System\xcOsPkX.exe | C:\Windows\System\xcOsPkX.exe |
| C:\Windows\System\TbAQJxq.exe | C:\Windows\System\TbAQJxq.exe |
| C:\Windows\System\aEXNoxF.exe | C:\Windows\System\aEXNoxF.exe |
| C:\Windows\System\uOMuIHj.exe | C:\Windows\System\uOMuIHj.exe |
| C:\Windows\System\bBzHMlU.exe | C:\Windows\System\bBzHMlU.exe |
| C:\Windows\System\fiCpSTK.exe | C:\Windows\System\fiCpSTK.exe |
| C:\Windows\System\TTMODZF.exe | C:\Windows\System\TTMODZF.exe |
| C:\Windows\System\BempKlH.exe | C:\Windows\System\BempKlH.exe |
| C:\Windows\System\BYVYLxe.exe | C:\Windows\System\BYVYLxe.exe |
| C:\Windows\System\zDirxdq.exe | C:\Windows\System\zDirxdq.exe |
| C:\Windows\System\sFRsdpX.exe | C:\Windows\System\sFRsdpX.exe |
| C:\Windows\System\symJqGr.exe | C:\Windows\System\symJqGr.exe |
| C:\Windows\System\DxZlneT.exe | C:\Windows\System\DxZlneT.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4152,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8 |
| C:\Windows\System\AyqHduc.exe | C:\Windows\System\AyqHduc.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
| SHA1 | 989fb3f5b7f416343229e19661490ce1ada3ed51 |
| SHA256 | afd66f6498113b47d5dc2fc35fc08256f78a18421820eee4fcf5bd6bdf7d39ed |
| SHA512 | 89db0b52538b6001b033ab79bc3213e1d3dc4d265cd5f4efcac10617095fb6c4994df8bbefaa8cbc37f244df89d7a469284c3db284f0925f7543a4def125e914 |
C:\Windows\System\zDirxdq.exe
| MD5 | 0b7323f12578919310a84841c3ef8c12 |
| SHA1 | 5f83204f79cbc8de0bc302509e9675b4abb56e2a |
| SHA256 | b35482e58221a7c253d9386922031565be7019d3f5137163f201643653e08278 |
| SHA512 | 474af29a76814562019f893963454212211a5a5701af4296ec4685337e0941839bd548ccf4df7c56f5c332a2a66eb9e18d137e205ed60076e784fe0e62c26a94 |
C:\Windows\System\BYVYLxe.exe
| MD5 | a7cb21d7866eef307ed83ce357e6e949 |
| SHA1 | 8f72ecaec50118571c5db01b2262d0308b12f93d |
| SHA256 | 39db5df12ca7ea8a5abb125a8ac97991f6b00abad6981e36fe46f33059be3f4f |
| SHA512 | d57c2ed60e3c5710f9766439c1c9ff8812cb2c191c0fb2ca87374ccb8b073d22bdf664b2527e88055731a7694b76e7d688dbe855ff97d7e5f24bba64ada9ba13 |
memory/3840-112-0x00007FF6993A0000-0x00007FF6996F4000-memory.dmp
memory/3128-111-0x00007FF76D5B0000-0x00007FF76D904000-memory.dmp
memory/4292-110-0x00007FF7578D0000-0x00007FF757C24000-memory.dmp
memory/820-109-0x00007FF787C10000-0x00007FF787F64000-memory.dmp
memory/3364-84-0x00007FF621BF0000-0x00007FF621F44000-memory.dmp
memory/5000-82-0x00007FF7005C0000-0x00007FF700914000-memory.dmp
memory/4460-81-0x00007FF715430000-0x00007FF715784000-memory.dmp
C:\Windows\System\uOMuIHj.exe
| MD5 | 5661e8ae1604ebc940882b926371ba82 |
| SHA1 | 5af78804c80f91025811f36adcb6005f0cd2717c |
| SHA256 | 93c7150c0171f8b7726dd20c954760ba99ec34737ea5a66d2b82b49458ea6d16 |
| SHA512 | 1a5629009d6e18bdf6f0277aee8911194c702c3aee45515b716f6d40602afff104d1c81e4d26615592b86cc66f3a5e9680ca86933ebae0f0520d406b9db66cb7 |
memory/5036-69-0x00007FF6EEC10000-0x00007FF6EEF64000-memory.dmp
memory/228-67-0x00007FF79E210000-0x00007FF79E564000-memory.dmp
memory/2060-66-0x00007FF6580E0000-0x00007FF658434000-memory.dmp
memory/2948-60-0x00007FF72F740000-0x00007FF72FA94000-memory.dmp
C:\Windows\System\TbAQJxq.exe
| MD5 | 50990b1d0d11ef7ab9f97c8bfe9a256c |
| SHA1 | 97a6458e3b165b6fe34eeab1667db9df66d66d4e |
| SHA256 | fb14e01f58bbaa6f90b2f35fcd872b4d9e0d946143d522f40f383dc65361a9aa |
| SHA512 | 60855e25f8a556c22dd03caff00a9a34bf8e6057af0273fcebde5b057e734e95e4a0593b8242e4cec1139af1e666c4f49980c91731d385b55c027afca97e3c3c |
memory/3644-47-0x00007FF6C3D70000-0x00007FF6C40C4000-memory.dmp
memory/4280-43-0x00007FF7B3260000-0x00007FF7B35B4000-memory.dmp
memory/1896-40-0x00007FF63ED00000-0x00007FF63F054000-memory.dmp
C:\Windows\System\AyqHduc.exe
| MD5 | dcdc06b109a8cc7de99da4ec07538a5d |
| SHA1 | 9a45edadf29f9670ab0385e49042c01c5eb4b7dd |
| SHA256 | 57624ad9cfa8d4d5ee61484fb14d02f3ed2497e8cc1470aa66ea960c2a2dcdc1 |
| SHA512 | 01981d28dcf904b875207b38c2c380920d31a32b34e4dd9416d52370f92bf64c7f3a4d483941ad6f566e6295e13b8518d8ae7fe8010485808dfd3ee75f4f532c |
memory/4124-131-0x00007FF7787C0000-0x00007FF778B14000-memory.dmp
memory/4280-132-0x00007FF7B3260000-0x00007FF7B35B4000-memory.dmp
memory/3644-133-0x00007FF6C3D70000-0x00007FF6C40C4000-memory.dmp
memory/228-134-0x00007FF79E210000-0x00007FF79E564000-memory.dmp
memory/5036-136-0x00007FF6EEC10000-0x00007FF6EEF64000-memory.dmp
memory/3364-137-0x00007FF621BF0000-0x00007FF621F44000-memory.dmp
memory/3880-135-0x00007FF7BD6B0000-0x00007FF7BDA04000-memory.dmp
memory/1644-138-0x00007FF74FBA0000-0x00007FF74FEF4000-memory.dmp
memory/4720-139-0x00007FF7F27C0000-0x00007FF7F2B14000-memory.dmp
memory/4292-141-0x00007FF7578D0000-0x00007FF757C24000-memory.dmp
memory/3840-143-0x00007FF6993A0000-0x00007FF6996F4000-memory.dmp
memory/4900-144-0x00007FF728CC0000-0x00007FF729014000-memory.dmp
memory/3128-142-0x00007FF76D5B0000-0x00007FF76D904000-memory.dmp
memory/820-140-0x00007FF787C10000-0x00007FF787F64000-memory.dmp
memory/4460-145-0x00007FF715430000-0x00007FF715784000-memory.dmp
memory/5000-146-0x00007FF7005C0000-0x00007FF700914000-memory.dmp
memory/2724-147-0x00007FF620EE0000-0x00007FF621234000-memory.dmp
memory/2592-148-0x00007FF6ECF10000-0x00007FF6ED264000-memory.dmp
memory/1996-149-0x00007FF612EA0000-0x00007FF6131F4000-memory.dmp
memory/1896-150-0x00007FF63ED00000-0x00007FF63F054000-memory.dmp
memory/2948-151-0x00007FF72F740000-0x00007FF72FA94000-memory.dmp
memory/3644-152-0x00007FF6C3D70000-0x00007FF6C40C4000-memory.dmp
memory/4280-153-0x00007FF7B3260000-0x00007FF7B35B4000-memory.dmp
memory/5036-155-0x00007FF6EEC10000-0x00007FF6EEF64000-memory.dmp
memory/228-154-0x00007FF79E210000-0x00007FF79E564000-memory.dmp
memory/3880-156-0x00007FF7BD6B0000-0x00007FF7BDA04000-memory.dmp
memory/1644-157-0x00007FF74FBA0000-0x00007FF74FEF4000-memory.dmp
memory/3364-158-0x00007FF621BF0000-0x00007FF621F44000-memory.dmp
memory/4720-159-0x00007FF7F27C0000-0x00007FF7F2B14000-memory.dmp
memory/4292-163-0x00007FF7578D0000-0x00007FF757C24000-memory.dmp
memory/4900-162-0x00007FF728CC0000-0x00007FF729014000-memory.dmp
memory/3840-164-0x00007FF6993A0000-0x00007FF6996F4000-memory.dmp
memory/820-160-0x00007FF787C10000-0x00007FF787F64000-memory.dmp
memory/3128-161-0x00007FF76D5B0000-0x00007FF76D904000-memory.dmp
memory/4124-165-0x00007FF7787C0000-0x00007FF778B14000-memory.dmp
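The listing above is what an analyst actually has to work from: a path line, four hash rows, and `memory/PID-seq-START-END-memory.dmp` names repeated once per snapshot. The following Python is an added example, not part of this sandbox report or the sandbox's own tooling, that turns such a listing into IOC records, collapses the repeated dump names, and computes the mapped image size per region (every region on this page works out to the same 0x354000 bytes, which is worth knowing before you dump and compare them). The listing format is assumed from the lines above; the `SAMPLE` block is a constructed excerpt of lines copied verbatim from this page, and `matches()` is a helper you would point at a quarantined copy of a dropped file to confirm it is the hashed one.

```python
"""Parse a sandbox dropped-file listing into IOC records and memory-region facts.
Added example; the listing format is assumed from the report lines above."""
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: lines copied verbatim from the listing above
# (two dropped files, plus memory-dump names that repeat the same PID/range).
SAMPLE = r"""
C:\Windows\System\MjVehhD.exe
| MD5 | 43f05660bbf8f7e66b5f54fa0c0905a3 |
| SHA1 | 97ff1453aca19112a0a1b833ec61ef161c2ff097 |
| SHA256 | c5643bfe3b03305f56b99799335fe2a72de0b900f3165a4aca91f8a7584159c8 |
| SHA512 | 904302d10fb45be265dcdfe8df15477d62a26b0ee0c91674f90a1f9e40a2af344e497c6188f701c6cdc8cde53aef8fb2c34241929b633ae3142ab96ba4008e96 |
memory/3880-68-0x00007FF7BD6B0000-0x00007FF7BDA04000-memory.dmp
C:\Windows\System\fiCpSTK.exe
| MD5 | 2c282fe33d4e21597d344f335a5b73f0 |
| SHA1 | 4f9585844b5f2755a7f641117faf5fdb756434c0 |
| SHA256 | 40e99a2c73c6f011b35263fbcc56e312ab3d4c89c481b14ed9651ef4dab7fe4e |
| SHA512 | 259854d1ad8df3db61508204b185668489c6778efcfd2b2c8f2636d05017648b5395c0df24f82ed85bac33cfa471035c1c999e98eda91ffc9f61df4d51896501 |
memory/2724-85-0x00007FF620EE0000-0x00007FF621234000-memory.dmp
memory/3880-135-0x00007FF7BD6B0000-0x00007FF7BDA04000-memory.dmp
memory/2724-147-0x00007FF620EE0000-0x00007FF621234000-memory.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex digits
FILE_RE = re.compile(r"^[A-Za-z]:\\[^|]+$")                        # drive-letter path
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)   # algorithm -> lowercase hex digest


@dataclass
class MemRegion:
    pid: int
    seq: int      # snapshot sequence number from the dump name
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_listing(text: str):
    """Return (files, regions). Hash rows attach to the most recent path line;
    a digest of the wrong length for its algorithm is treated as a corrupt row."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append(MemRegion(int(pid), int(seq), int(start, 16), int(end, 16)))
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1).upper(), m.group(2).lower()
            if current is None:
                raise ValueError(f"hash row before any file path: {line}")
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length for {current.path}")
            current.hashes[algo] = digest
            continue
        if FILE_RE.match(line):
            current = DroppedFile(line)
            files.append(current)
        # anything else (headings, N/A table rows) is ignored
    return files, regions


def unique_regions(regions):
    """Collapse repeated dumps of the same PID/range; the report lists one per snapshot."""
    seen = {}
    for r in regions:
        seen.setdefault((r.pid, r.start, r.end), r)
    return list(seen.values())


def image_sizes(regions):
    """Set of distinct mapped-region sizes; one value means every dump is the same image size."""
    return {r.size for r in unique_regions(regions)}


def regions_by_pid(regions):
    out = defaultdict(list)
    for r in unique_regions(regions):
        out[r.pid].append((r.start, r.end))
    return dict(out)


def sha256_iocs(files):
    return sorted(f.hashes["SHA256"] for f in files if "SHA256" in f.hashes)


def digests_of(data: bytes):
    return {algo: getattr(hashlib, algo.lower())(data).hexdigest() for algo in HASH_LEN}


def matches(entry: DroppedFile, data: bytes) -> bool:
    """True only if every hash recorded for the entry matches the supplied bytes."""
    got = digests_of(entry and data)
    return bool(entry.hashes) and all(got[a] == d for a, d in entry.hashes.items())


if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE)
    for f in files:
        print(f.path, f.hashes["SHA256"])
    print("image sizes:", [hex(s) for s in image_sizes(regions)])
    print("regions by pid:", {p: [hex(s) for s, _ in v] for p, v in regions_by_pid(regions).items()})
```

The size check is the useful part: the dump names encode the mapped range, so `image_sizes()` tells you whether the many PIDs are all running an image of identical size before you spend time diffing the dumps, and `unique_regions()` keeps the per-snapshot repeats from inflating your counts.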