Analysis Overview
SHA256
8f11c7567bfda2f3264a945aea810f715c7230e6705308fa71a7a1ad411c13f5
Threat Level: Known bad
The file 2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Xmrig family
xmrig
Cobalt Strike reflective loader
Cobaltstrike
XMRig Miner payload
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-06 12:02
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 12:02
Reported
2024-08-06 12:05
Platform
win7-20240704-en
Max time kernel
138s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Process |
| C:\Windows\System\xJgYQKE.exe |
| C:\Windows\System\FNAXAuo.exe |
| C:\Windows\System\zqZuBAv.exe |
| C:\Windows\System\LGzeNAD.exe |
| C:\Windows\System\OljorXm.exe |
| C:\Windows\System\mDUafCW.exe |
| C:\Windows\System\IKFdvhU.exe |
| C:\Windows\System\SYLQlfj.exe |
| C:\Windows\System\AtAwWVt.exe |
| C:\Windows\System\jSOzIVz.exe |
| C:\Windows\System\ixfyFov.exe |
| C:\Windows\System\GIaqaDo.exe |
| C:\Windows\System\QOmlqYV.exe |
| C:\Windows\System\hwAahOZ.exe |
| C:\Windows\System\yhNcYVz.exe |
| C:\Windows\System\kxwkWrd.exe |
| C:\Windows\System\xhEsWZW.exe |
| C:\Windows\System\xfWUJyy.exe |
| C:\Windows\System\LhUpaEb.exe |
| C:\Windows\System\STVJbTE.exe |
| C:\Windows\System\uqSbHht.exe |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Process |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\xJgYQKE.exe | C:\Windows\System\xJgYQKE.exe |
| C:\Windows\System\FNAXAuo.exe | C:\Windows\System\FNAXAuo.exe |
| C:\Windows\System\LGzeNAD.exe | C:\Windows\System\LGzeNAD.exe |
| C:\Windows\System\zqZuBAv.exe | C:\Windows\System\zqZuBAv.exe |
| C:\Windows\System\OljorXm.exe | C:\Windows\System\OljorXm.exe |
| C:\Windows\System\mDUafCW.exe | C:\Windows\System\mDUafCW.exe |
| C:\Windows\System\IKFdvhU.exe | C:\Windows\System\IKFdvhU.exe |
| C:\Windows\System\SYLQlfj.exe | C:\Windows\System\SYLQlfj.exe |
| C:\Windows\System\AtAwWVt.exe | C:\Windows\System\AtAwWVt.exe |
| C:\Windows\System\jSOzIVz.exe | C:\Windows\System\jSOzIVz.exe |
| C:\Windows\System\ixfyFov.exe | C:\Windows\System\ixfyFov.exe |
| C:\Windows\System\GIaqaDo.exe | C:\Windows\System\GIaqaDo.exe |
| C:\Windows\System\QOmlqYV.exe | C:\Windows\System\QOmlqYV.exe |
| C:\Windows\System\hwAahOZ.exe | C:\Windows\System\hwAahOZ.exe |
| C:\Windows\System\yhNcYVz.exe | C:\Windows\System\yhNcYVz.exe |
| C:\Windows\System\kxwkWrd.exe | C:\Windows\System\kxwkWrd.exe |
| C:\Windows\System\xhEsWZW.exe | C:\Windows\System\xhEsWZW.exe |
| C:\Windows\System\xfWUJyy.exe | C:\Windows\System\xfWUJyy.exe |
| C:\Windows\System\LhUpaEb.exe | C:\Windows\System\LhUpaEb.exe |
| C:\Windows\System\STVJbTE.exe | C:\Windows\System\STVJbTE.exe |
| C:\Windows\System\uqSbHht.exe | C:\Windows\System\uqSbHht.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\xJgYQKE.exe
C:\Windows\system\FNAXAuo.exe
C:\Windows\system\zqZuBAv.exe
C:\Windows\system\LGzeNAD.exe
C:\Windows\system\OljorXm.exe
C:\Windows\system\mDUafCW.exe
C:\Windows\system\IKFdvhU.exe
C:\Windows\system\SYLQlfj.exe
\Windows\system\AtAwWVt.exe
C:\Windows\system\jSOzIVz.exe
C:\Windows\system\hwAahOZ.exe
C:\Windows\system\STVJbTE.exe
\Windows\system\uqSbHht.exe
C:\Windows\system\LhUpaEb.exe
C:\Windows\system\xfWUJyy.exe
C:\Windows\system\xhEsWZW.exe
C:\Windows\system\yhNcYVz.exe
C:\Windows\system\kxwkWrd.exe
C:\Windows\system\QOmlqYV.exe
C:\Windows\system\GIaqaDo.exe
C:\Windows\system\ixfyFov.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 12:02
Reported
2024-08-06 12:05
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
156s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Process |
| C:\Windows\System\NbsopgK.exe |
| C:\Windows\System\wnUnLzl.exe |
| C:\Windows\System\WJvlfBb.exe |
| C:\Windows\System\qxaDtqr.exe |
| C:\Windows\System\qgMHuTc.exe |
| C:\Windows\System\FWRRFHf.exe |
| C:\Windows\System\FXjuISG.exe |
| C:\Windows\System\PQyEfOC.exe |
| C:\Windows\System\CKTcjWv.exe |
| C:\Windows\System\ODoyCqn.exe |
| C:\Windows\System\xUkCAzW.exe |
| C:\Windows\System\yaFfuKN.exe |
| C:\Windows\System\owfsvHT.exe |
| C:\Windows\System\LnbXTGJ.exe |
| C:\Windows\System\kOhzYiz.exe |
| C:\Windows\System\lciEWEb.exe |
| C:\Windows\System\ctwbrke.exe |
| C:\Windows\System\rNEbGDi.exe |
| C:\Windows\System\FdMAuCY.exe |
| C:\Windows\System\iJiCuJV.exe |
| C:\Windows\System\zRxVmcp.exe |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Process |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-06_b395776625112212e7877bdebc8d730b_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\NbsopgK.exe | C:\Windows\System\NbsopgK.exe |
| C:\Windows\System\wnUnLzl.exe | C:\Windows\System\wnUnLzl.exe |
| C:\Windows\System\WJvlfBb.exe | C:\Windows\System\WJvlfBb.exe |
| C:\Windows\System\qxaDtqr.exe | C:\Windows\System\qxaDtqr.exe |
| C:\Windows\System\qgMHuTc.exe | C:\Windows\System\qgMHuTc.exe |
| C:\Windows\System\FWRRFHf.exe | C:\Windows\System\FWRRFHf.exe |
| C:\Windows\System\FXjuISG.exe | C:\Windows\System\FXjuISG.exe |
| C:\Windows\System\PQyEfOC.exe | C:\Windows\System\PQyEfOC.exe |
| C:\Windows\System\CKTcjWv.exe | C:\Windows\System\CKTcjWv.exe |
| C:\Windows\System\ODoyCqn.exe | C:\Windows\System\ODoyCqn.exe |
| C:\Windows\System\xUkCAzW.exe | C:\Windows\System\xUkCAzW.exe |
| C:\Windows\System\yaFfuKN.exe | C:\Windows\System\yaFfuKN.exe |
| C:\Windows\System\owfsvHT.exe | C:\Windows\System\owfsvHT.exe |
| C:\Windows\System\LnbXTGJ.exe | C:\Windows\System\LnbXTGJ.exe |
| C:\Windows\System\kOhzYiz.exe | C:\Windows\System\kOhzYiz.exe |
| C:\Windows\System\lciEWEb.exe | C:\Windows\System\lciEWEb.exe |
| C:\Windows\System\ctwbrke.exe | C:\Windows\System\ctwbrke.exe |
| C:\Windows\System\rNEbGDi.exe | C:\Windows\System\rNEbGDi.exe |
| C:\Windows\System\FdMAuCY.exe | C:\Windows\System\FdMAuCY.exe |
| C:\Windows\System\iJiCuJV.exe | C:\Windows\System\iJiCuJV.exe |
| C:\Windows\System\zRxVmcp.exe | C:\Windows\System\zRxVmcp.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 235.17.178.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
memory/3436-0-0x00007FF65D110000-0x00007FF65D464000-memory.dmp
memory/3436-1-0x000002BD7D260000-0x000002BD7D270000-memory.dmp
C:\Windows\System\NbsopgK.exe
| MD5 | 89436a0fef3be3cd8f6b67421b1cb5ee |
| SHA1 | beafa9369ac9b1426810ad5739164eb94877c29a |
| SHA256 | 2c74a5461bf0997fb164703deca914c9624b51aea14c5a19c7e7e3ecd9a91182 |
| SHA512 | bda4d0e16c15002826521bca21f82a804b693d865fc20be589bb03476d2b597adf0b97aeb178d9fa43dd5eb6caa693e929954f8304ac8969ea65619bce303d0c |
C:\Windows\System\wnUnLzl.exe
| MD5 | b6ff8c395d11b9fefefed7477ba4cc8c |
| SHA1 | c72e68b759eea6ce32ec5622a3d1f9746f3c40a8 |
| SHA256 | ad1a61aad4af419a12244688a688cd4e917edca492ebba50490cc8bf18afbdd3 |
| SHA512 | c420020f26787a82e89fa75ebdc712ade1c284766a6c0a0652d58119b215d2678f91ee33ecd3db501820f602f98abe9ba118421bafa0889a9c0879a9c72812ca |
memory/2536-14-0x00007FF777980000-0x00007FF777CD4000-memory.dmp
C:\Windows\System\WJvlfBb.exe
| MD5 | fcdfdbb028c8ea3af770f74536662407 |
| SHA1 | 6c9445de65fa2f87ea71ed53baa2ebce97805be9 |
| SHA256 | 4444b1d5dc9662de6f677a7038a238c90881ca998a7438c603fb12f014a3b02a |
| SHA512 | 5326c23a25407301128e593a4f7ebfde9b69fe81e47bf5e03e4d9f207f751fc56edc9d6328aecb0e740d214118568d9dd11a9824d12ef5117e176526b49453ec |
memory/988-21-0x00007FF783940000-0x00007FF783C94000-memory.dmp
C:\Windows\System\qxaDtqr.exe
| MD5 | 0bd86a7dd09cf621ccb55f2d28ad3d48 |
| SHA1 | 486127bbeba4bac79f6e2697d57138e5d5aecd30 |
| SHA256 | a80885c45bb704839a1bf62200e842a56c9b71a453281902570ad14641f46668 |
| SHA512 | 7706035a811c864c8bf9763cf5cccd47311bf0494434b71a03ee2007a1b0e23b850dd8aa08031db89fb33e3e2b664ccdc10b4606f1e67c5d366c3f34d4aa5fd5 |
C:\Windows\System\FWRRFHf.exe
| MD5 | 82cb0d10ded7367ab3c5e0e8f243187a |
| SHA1 | dfc82900a667b5aadca3c82063454e129bf8c2d6 |
| SHA256 | e331ca6ba7a18358157b9cbf165576a88a4e2ac05a55211b8a5928e06387f383 |
| SHA512 | a3cb1a95c5a13a1901dfa8485b1c0e6bdac0e1b069eac547324d9ed5666090ce3594b85af7e44467c2f24c0bf91fe3396c8c4f30c9a9baeb384b887cf516accc |
memory/1380-35-0x00007FF712880000-0x00007FF712BD4000-memory.dmp
memory/4836-38-0x00007FF614410000-0x00007FF614764000-memory.dmp
C:\Windows\System\PQyEfOC.exe
| MD5 | 10c121d011d13d4d14906b6712f43f96 |
| SHA1 | a9d7ccb31b25d89efcfcf8c984fc6ebd19fb41a4 |
| SHA256 | 89cc0954b41a2fe9d969952f62dcf362ff702952c2317118a09d73d95610d79f |
| SHA512 | 61b78bf06c434d8237dfe5e4bc7734bf3368538973d09e6c1828c25896502a4926f88fdd33b307181d179910fc3ce3711465d1a00dfaa0d2551b611e51fd2706 |
memory/1132-49-0x00007FF641F50000-0x00007FF6422A4000-memory.dmp
memory/1876-50-0x00007FF67B820000-0x00007FF67BB74000-memory.dmp
C:\Windows\System\FXjuISG.exe
| MD5 | 5a6e8f0014f5f318a9d659dcb82dda34 |
| SHA1 | 330bd8e9f2218986c554486ad801e67036ace11d |
| SHA256 | 27711f006d58f9aec17361621714a4a3f20b9e8cf28998bc6dc3fbb5c7c6f474 |
| SHA512 | ca3acf1d4e403bcc617bcd7a3c201114bf801f9740a815c3b775945170955f582902d2cec0c1be753b13f2f53e97cfec09c4d5d58ff2d6229924ea39caae1aae |
memory/3612-33-0x00007FF63C2D0000-0x00007FF63C624000-memory.dmp
C:\Windows\System\qgMHuTc.exe
| MD5 | 65202c5111f43a521bd43c268d592360 |
| SHA1 | c5bf07d109d195f944cc108c657ddec3c96ab905 |
| SHA256 | b1293b8ba6386a5c713e6df216d20bc2fb8dd3852780a16306bd6d1db1486009 |
| SHA512 | 8754ba7df690dfc7a62f46da8428af2d8f10de75283ab19036b7ecd77395132cd2ba31799382c578ddff055fffdce981ff0a6c5ecd53d7221d79d4b551a338a6 |
memory/4412-9-0x00007FF725FC0000-0x00007FF726314000-memory.dmp
C:\Windows\System\CKTcjWv.exe
| MD5 | 1bc0d339e86c173d0bc613726fd6a9e9 |
| SHA1 | e5972c8e0aeec22d89a70e4a25bc3c6c183843bb |
| SHA256 | dd31fc92c34cc2951621112f840e26b042f02bd95b905c9167d776359580549a |
| SHA512 | eb3888721fa3e5aba6ce83f9742abbba0200f2835e4bf48f6bcd5190d50b0a8681427167e0dd88261d841b899e58ab2550c2ddf707929f2f5ca7b0c14b0a3afe |
memory/4740-56-0x00007FF79A260000-0x00007FF79A5B4000-memory.dmp
C:\Windows\System\ODoyCqn.exe
| MD5 | 604ed7b8c01ea0027a578cbe2af1790f |
| SHA1 | 17aad30d26e1399629245ca92305122a75091530 |
| SHA256 | b6f02e68798549d77fd956b0f2482d3abdfa18fc529a97d84b8a024fcbbf8d15 |
| SHA512 | e04fc57c4fdd7205d8b17802927ff6277bee7f1eaea3267f6b7c10cc0fd932e6b2c23447e74b69996dbc06d46e15e588c748d98d3a706467a75c8a10e4f97809 |
C:\Windows\System\yaFfuKN.exe
| MD5 | b6493aff2f3f2e4fabd751d051ec9843 |
| SHA1 | 29c2f2614efdf0224e407d98aabf77e3a0ef7c6b |
| SHA256 | 0a8b6473f4ddc48600ae5aea50b911feb1777b5ed96b825b04479cd84dedf5a5 |
| SHA512 | 5b736b273bd171fe8e2a49d0d311078bd61f356f4878a3a8c6e8d3a7516c630e14df54f923841e5176e7cb6dd98758f233bed3df76e4a6b70da892089e3d0053 |
C:\Windows\System\xUkCAzW.exe
| MD5 | c492f9f0dff5aef16b509f455eff4160 |
| SHA1 | ba0019dc23fac14acce15e5f4c7aa67a48741832 |
| SHA256 | b8e9fbaeea30f4731e536f71120f464652e458ae240459c9e4b6d3b526bce313 |
| SHA512 | a9f8f3fc6274023c14c65f91bb0c698a0f9ac72926e0b868a7034fcc075072dcb69d324b6aa92919aa79809a2735046e1298ec16bddd17694f8a4c38e3b477c0 |
C:\Windows\System\owfsvHT.exe
| MD5 | 66f9e2a79fd38ebfa26fa20406047ce0 |
| SHA1 | d95f1f650e99ac0d24c35697796f042891903b69 |
| SHA256 | 6883214ab3520fe4eea5e25b279b5e3e545d875b83cca1458f7de47b56df7e5b |
| SHA512 | 75ea60ef5f9296e9133f75a5758bf67948a1fb4ffc26ad0ebcb3f5c1d4b7a1683198e33485f0a84ea01f12deeb23f07ea42497ae669a79845e5c13cf26a7543b |
C:\Windows\System\LnbXTGJ.exe
| MD5 | 4b5e6d073c607989bd0de0297a339a1a |
| SHA1 | b314a96b23f0e4c8ae11708ad27ca9d374340e27 |
| SHA256 | a20be4a19c01a3e47e4c8a820d20aedbf20d6eea608ab36d67e72e3044a27570 |
| SHA512 | 7371b17976b509076756ec1b755532c5bc9270f75a11b5c0ebaa1e080572f645fbfc3a00f90cde6dbb5268c7350b8a6c2b72d54e698c7e66ee690ae13395cf1b |
C:\Windows\System\kOhzYiz.exe
| MD5 | 875c8e0f4f664bf32393e272a30bca78 |
| SHA1 | ad81aec16c18f16822268f7411e526be408cffa4 |
| SHA256 | 86ed3b2e7ff08ea90767435c27e74aa875ed1ef9d3aa9c7271465b85fa84b60a |
| SHA512 | 4e6a26fb0d58bcdc09bffae5abe4818ade1ba76362da39b964dad8b0ea0ff754ee852f6155fc7404d082003f4d496196cc09a37427dfed7f8d5677ada1d2ce57 |
C:\Windows\System\lciEWEb.exe
| MD5 | a4dafe466e0e1cfa2ead34538e209cd9 |
| SHA1 | 6d3adc6937a6285ff5770ba37c4aaac534a785b9 |
| SHA256 | fa50998655af451ccd443335948cf342a703794e769b4b85d0557790a12898ad |
| SHA512 | dc910b83018186c51f9b58246cfc2ba48535aed41e7ae23f645483ca284d8b6600bbc744dd868c87bb2b43d61f918611a00ab8d1baed61e4ade8ab96f2593dbb |
C:\Windows\System\ctwbrke.exe
| MD5 | 7c53bb8ea51d7fa9f3ceb4a3d59264e1 |
| SHA1 | cc320c2410403374f5fcf6344736b5b6f9e4adb8 |
| SHA256 | e13df45dd8dad0882c62bb95c2ef559cb4ecb64b2cd0e64dc400d07995bb9711 |
| SHA512 | 00f6032ae266c1a3b1ef8d05ec953df62c1aff592a84ec3a9339f36a7f93e1aad6e14c74c783b80b22a5b735b5d62458aeb19754df8596826ba4eea33ae19848 |
C:\Windows\System\rNEbGDi.exe
| MD5 | 2556b7fb0633872091d3697a5d37a1b4 |
| SHA1 | d779c3fc710f6942f3713d7242f679f6caf26b50 |
| SHA256 | 3338dbd8041d4eda8aca85e72c073a5d4049ea31a51bab69231351458be3bdd4 |
| SHA512 | 9591e42c3f208b3f80da00e92de84d66b504063a1fce8030e368f21f1cc16ac07aa58320be0e8e86876720d11af142fdc6cb9e3a5ce686f7502a2160158d52c4 |
C:\Windows\System\FdMAuCY.exe
| MD5 | bbdd7bfb6072bd2e34beac4fbcf3508f |
| SHA1 | 5bac0865ba397f2d1da578d476665f18ffe5c48b |
| SHA256 | 88a2b2aa4ad4f6ccb133875202a5b9f355e793a4d50e19896e2c35325a2ea8df |
| SHA512 | de69efced213bcedec5e8242d69ab552cf274e21e5080cf99480f235ba725da3e59685d613675f163b77d6660fe5375d218b3d8c071e90db67ce1433f80968be |
C:\Windows\System\iJiCuJV.exe
| MD5 | f11d2e189dceda4807cef9d50804568d |
| SHA1 | 653970629115f4dd26670ad3b58c219d147bc22d |
| SHA256 | 6336f53dcc7e17c78baada8af531c825adcba9a077c6244ede121caeeaf58ab6 |
| SHA512 | 64bc8a3e8c17c4e987aa09bcee718e738981ffb4f40356b6351931c29e36cc511c9d28b50125bc1dbdadcb872f9d564f24ff43572d473de07ed038d30c266bfc |
C:\Windows\System\zRxVmcp.exe
| MD5 | 2b15f80c61ce97541c9c590e6093c16e |
| SHA1 | 6bc21af4299c349f2decdd931406aff100475f94 |
| SHA256 | fd5b86d0ec244a713e6e192fdec8719b031bfe6588bfefabce57606aa7cdc9b1 |
| SHA512 | 50eab5ac2c4ba65f37a871d419c540ee0021df8e8ddc57befed5ff400dcda78559df90774b91f2ca6ff1256a4cf8f97f3b8bbd83cc58712c5a0857594c14c611 |