Analysis Overview
SHA256
24ae73feda96f01920850e38506ee05c8473f9ceb333483821ab28a60a9207bf
Threat Level: Known bad
The file 2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
XMRig Miner payload
xmrig
Cobalt Strike reflective loader
Cobaltstrike
Cobaltstrike family
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-06 12:06
Signatures
Cobalt Strike reflective loader
Matches
1 (no description, indicator, process or target recorded)
Cobaltstrike family
XMRig Miner payload
Matches
1 (no description, indicator, process or target recorded)
Xmrig family
UPX packed file
Matches
1 (no description, indicator, process or target recorded)
Unsigned PE
Matches
1 (no description, indicator, process or target recorded)
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 12:06
Reported
2024-08-06 12:09
Platform
win7-20240704-en
Max time kernel
139s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Matches
21 (rows carry no description, indicator, process or target)
Cobaltstrike
xmrig
XMRig Miner payload
Matches
52 (rows carry no description, indicator, process or target)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\lPbwqfx.exe | N/A |
| N/A | N/A | C:\Windows\System\nhDXfNu.exe | N/A |
| N/A | N/A | C:\Windows\System\BWmOhfO.exe | N/A |
| N/A | N/A | C:\Windows\System\FeFengD.exe | N/A |
| N/A | N/A | C:\Windows\System\JzfsqDx.exe | N/A |
| N/A | N/A | C:\Windows\System\jICCvQU.exe | N/A |
| N/A | N/A | C:\Windows\System\RoYgLyz.exe | N/A |
| N/A | N/A | C:\Windows\System\IElrPPZ.exe | N/A |
| N/A | N/A | C:\Windows\System\AhJVjkH.exe | N/A |
| N/A | N/A | C:\Windows\System\RsFArWn.exe | N/A |
| N/A | N/A | C:\Windows\System\bMXlnMQ.exe | N/A |
| N/A | N/A | C:\Windows\System\PmlKDUv.exe | N/A |
| N/A | N/A | C:\Windows\System\XNQatGW.exe | N/A |
| N/A | N/A | C:\Windows\System\KpvAcWF.exe | N/A |
| N/A | N/A | C:\Windows\System\TQxNHHz.exe | N/A |
| N/A | N/A | C:\Windows\System\zUOFRZR.exe | N/A |
| N/A | N/A | C:\Windows\System\hSrERtG.exe | N/A |
| N/A | N/A | C:\Windows\System\YMgxckm.exe | N/A |
| N/A | N/A | C:\Windows\System\ffujPBy.exe | N/A |
| N/A | N/A | C:\Windows\System\BbmZgii.exe | N/A |
| N/A | N/A | C:\Windows\System\YmirsgI.exe | N/A |
Loads dropped DLL
UPX packed file
Matches
48 (rows carry no description, indicator, process or target)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
SeLockMemoryPrivilege is the right required to allocate large pages (MEM_LARGE_PAGES). XMRig enables it so that its RandomX scratchpad can be backed by large pages, so a process outside the usual large-page users (database engines, hypervisors) enabling this privilege is a strong miner indicator and ties this signature to the XMRig detections above.
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\lPbwqfx.exe | C:\Windows\System\lPbwqfx.exe |
| C:\Windows\System\nhDXfNu.exe | C:\Windows\System\nhDXfNu.exe |
| C:\Windows\System\BWmOhfO.exe | C:\Windows\System\BWmOhfO.exe |
| C:\Windows\System\FeFengD.exe | C:\Windows\System\FeFengD.exe |
| C:\Windows\System\JzfsqDx.exe | C:\Windows\System\JzfsqDx.exe |
| C:\Windows\System\RoYgLyz.exe | C:\Windows\System\RoYgLyz.exe |
| C:\Windows\System\jICCvQU.exe | C:\Windows\System\jICCvQU.exe |
| C:\Windows\System\IElrPPZ.exe | C:\Windows\System\IElrPPZ.exe |
| C:\Windows\System\AhJVjkH.exe | C:\Windows\System\AhJVjkH.exe |
| C:\Windows\System\PmlKDUv.exe | C:\Windows\System\PmlKDUv.exe |
| C:\Windows\System\RsFArWn.exe | C:\Windows\System\RsFArWn.exe |
| C:\Windows\System\KpvAcWF.exe | C:\Windows\System\KpvAcWF.exe |
| C:\Windows\System\bMXlnMQ.exe | C:\Windows\System\bMXlnMQ.exe |
| C:\Windows\System\TQxNHHz.exe | C:\Windows\System\TQxNHHz.exe |
| C:\Windows\System\XNQatGW.exe | C:\Windows\System\XNQatGW.exe |
| C:\Windows\System\zUOFRZR.exe | C:\Windows\System\zUOFRZR.exe |
| C:\Windows\System\ffujPBy.exe | C:\Windows\System\ffujPBy.exe |
| C:\Windows\System\hSrERtG.exe | C:\Windows\System\hSrERtG.exe |
| C:\Windows\System\BbmZgii.exe | C:\Windows\System\BbmZgii.exe |
| C:\Windows\System\YMgxckm.exe | C:\Windows\System\YMgxckm.exe |
| C:\Windows\System\YmirsgI.exe | C:\Windows\System\YmirsgI.exe |
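Two things in this process tree are worth turning into a reusable check: every dropped binary lands directly in C:\Windows\System\ (the legacy directory, not System32 or SysWOW64) under a random seven-letter mixed-case name, and each one has a hash recorded under Files below. The Python below is an added example, not part of the sandbox report or any vendor tooling: it parses an excerpt written in the report's own Files layout (constructed from two of the entries below) into an IOC set, then runs that set plus the naming heuristic over a constructed list of process-creation events shaped like Sysmon Event ID 1. The ProcEvent class, the event list, the parent paths and the seven-letter heuristic are assumptions; the hashes are the ones this report lists.

```python
import re
from dataclasses import dataclass

# Submitted sample's SHA256, from the Analysis Overview of this report.
SAMPLE_SHA256 = "24ae73feda96f01920850e38506ee05c8473f9ceb333483821ab28a60a9207bf"

# Constructed excerpt in the same layout as the report's "Files" section
# (two real entries from behavioral1 plus one memory-dump line, which has no hashes).
REPORT_FILES = r"""
C:\Windows\system\lPbwqfx.exe
| MD5 | c9d50a8cc9610503e475a09fd02df996 |
| SHA1 | aa7c532f9108743b190fb526df9f4b4effe5db03 |
| SHA256 | f4e49cd76631a739f9d42359f890807a281147cd5a860d792dbe0387d2bcad0f |
memory/696-6-0x000000013F830000-0x000000013FB84000-memory.dmp
C:\Windows\system\nhDXfNu.exe
| MD5 | d24455962b1f9ce3e5d244c54ba8d334 |
| SHA1 | 8f1b34988c66d6d57e58b6be008e6b3aebe7f3a0 |
| SHA256 | cbf1d166568f476e40a7557279f47fb118f8e680d49ebaf5c2c469413a58a31a |
""".strip()

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")

def parse_file_hashes(text):
    """Map each dropped-file path in a Files section to its {md5, sha1, sha256, ...}."""
    iocs, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is not None:
                iocs[current][m.group(1).lower()] = m.group(2).lower()
        elif line.startswith("memory/"):
            current = None          # memory dumps carry no hash rows
        elif not line.startswith("|"):
            current = line
            iocs.setdefault(current, {})
    return iocs

# Heuristic (assumption): the droppers in this report all use 7-letter, mixed-case
# names directly under C:\Windows\System\, never under System32 or SysWOW64.
DROP_PATH = re.compile(r"^C:\\Windows\\System\\([A-Za-z]{7})\.exe$", re.IGNORECASE)

def is_random_system_drop(image):
    m = DROP_PATH.match(image)
    if not m:
        return False
    name = m.group(1)
    return any(c.isupper() for c in name) and any(c.islower() for c in name)

@dataclass
class ProcEvent:            # assumed shape, modelled on Sysmon Event ID 1 fields
    pid: int
    image: str
    parent_image: str
    sha256: str

SAMPLE_EVENTS = [  # constructed, following the behavioral1 process tree
    ProcEvent(696, r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
              r"C:\Windows\explorer.exe", SAMPLE_SHA256),
    ProcEvent(3064, r"C:\Windows\System\lPbwqfx.exe",
              r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
              "f4e49cd76631a739f9d42359f890807a281147cd5a860d792dbe0387d2bcad0f"),
    ProcEvent(2984, r"C:\Windows\System\nhDXfNu.exe",
              r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
              "cbf1d166568f476e40a7557279f47fb118f8e680d49ebaf5c2c469413a58a31a"),
    ProcEvent(812, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\services.exe", "00" * 32),
    ProcEvent(4100, r"C:\Windows\System\install.exe",       # 7 letters, single case
              r"C:\Windows\explorer.exe", "11" * 32),
]

def triage(events, iocs, extra_hashes=(SAMPLE_SHA256,)):
    """Return (pid, image, reasons) for events matching a hash IOC or the naming heuristic."""
    known = {v["sha256"] for v in iocs.values() if "sha256" in v} | set(extra_hashes)
    findings = []
    for ev in events:
        reasons = []
        if ev.sha256.lower() in known:
            reasons.append("SHA256 listed in sandbox report")
        if is_random_system_drop(ev.image):
            reasons.append("7-letter mixed-case EXE under C:\\Windows\\System")
        if reasons:
            findings.append((ev.pid, ev.image, reasons))
    return findings

if __name__ == "__main__":
    for pid, image, reasons in triage(SAMPLE_EVENTS, parse_file_hashes(REPORT_FILES)):
        print(f"{pid:>5}  {image}  <- {'; '.join(reasons)}")
```

The hash match is the exact indicator and will go stale as soon as the dropper is rebuilt; the path-and-name heuristic is what survives that, since almost nothing legitimate writes fresh executables into C:\Windows\System\. Tune the mixed-case check against your own fleet before alerting on it.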
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/696-56-0x0000000002280000-0x00000000025D4000-memory.dmp
\Windows\system\AhJVjkH.exe
| MD5 | f795886f73de56a6e4151dc8f4be324d |
| SHA1 | 9d26c03983b9b3a5a151fafcf7e5d68210ac77e0 |
| SHA256 | 39c69a5a71bc5275bc511f45500a68b242d742d0388877da5b585cfebf8664b3 |
| SHA512 | 352fd238b40eeaf92811d23c78fe04b6f8a0926b85a49b552034234cc936cc96455d3d8ca02e1b311b0d108ab28c4ca171b221447482d1b4e1d269dd051fb0dc |
memory/2724-54-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
memory/696-53-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/696-52-0x000000013F410000-0x000000013F764000-memory.dmp
memory/2576-51-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/696-59-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/3000-50-0x000000013F410000-0x000000013F764000-memory.dmp
C:\Windows\system\IElrPPZ.exe
| MD5 | 7f6682a0c72d1d5724052f2fde57f1fd |
| SHA1 | e52fd401c034c56f5cebf425657169245e73470d |
| SHA256 | 24df30f99591ce986ec8b36129658cdba2c31b70c49275610383553a80f3b2c5 |
| SHA512 | db503f34560fb085fd80c5cef89b49ce6c3418cd9c220064acb994763c90c7347786b977fb10436ba5c41d3cbf6bd653e85aaa89b543db3c2748060bf7f6e610 |
C:\Windows\system\RoYgLyz.exe
| MD5 | 528692f9f548805bdb3c8c4dd5454e30 |
| SHA1 | 03fa9328a108bc56ceb718730649d7f2f1c9d031 |
| SHA256 | 0956f3a48d17a0d9e2edbe4559c819a1a5633f3b1b53f12473478a712e1873f3 |
| SHA512 | 21c58f5d5fde24a90ecdff60576042d1fd901131f4050f39dfb6b0aa4e7440451c73504ee4884a668415c031d01c26d662066563e4b183cb1ea30b1a4641ff23 |
C:\Windows\system\jICCvQU.exe
| MD5 | fe4ed8fbc693372e44052208856d4208 |
| SHA1 | 88e6b33ab2d3aa81dd50795e1722b55141985925 |
| SHA256 | 094c532509ae5a236db5562a9817e13f6289e20e3c979558b3bdd723ab6d3ec4 |
| SHA512 | 49416604625a0c0651f93b43dd47ef69c0e5231dabc2db632939b3e2244f7bf6bbdbad47a59a71fb790e11f788303ec1160e8203f4d8c3ccdb531dc00bfeb662 |
memory/696-42-0x0000000002280000-0x00000000025D4000-memory.dmp
memory/2784-37-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/1848-33-0x000000013FEB0000-0x0000000140204000-memory.dmp
C:\Windows\system\JzfsqDx.exe
| MD5 | a85bf9aafaf28da78c181db9632e348c |
| SHA1 | 03f58cebc11e880bfe3742de0f8031677abd9a38 |
| SHA256 | b8336fe6b6416abdaa64e8b85f1e6ed93d0059f2a3687821c1a2eebb6ef084d4 |
| SHA512 | 8678e1890faf257a521c551089f33fa0f27da60e7da4525e0945cdac551a7164fa1647b6dd7789d73839c8df5e397b81d601f44898c07b3bca8cec1a96dc9568 |
C:\Windows\system\FeFengD.exe
| MD5 | 2347581441d51024f53c00c39f8276a4 |
| SHA1 | e1618f79638eba02c3b24dc0f1cd54fd989193a3 |
| SHA256 | 510cd8158b4fbf5cc1ee40bc467b290f1ee3d100d3ace00de67a3a65e940e6fe |
| SHA512 | 0f30776003c87fdaa818883897b2cd6e2b99653822a6d50c3623789fa595c31e0ebbd6b2599edb2e6721fbd2b82df99009f141737ba583573d1d423e168339ee |
memory/2984-21-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/696-23-0x0000000002280000-0x00000000025D4000-memory.dmp
memory/696-20-0x0000000002280000-0x00000000025D4000-memory.dmp
C:\Windows\system\BWmOhfO.exe
| MD5 | 734b2a77432c5285cd811980a13f6c39 |
| SHA1 | ca164cdfd14a4fbf9d6f7c0551567ac7620fac0f |
| SHA256 | 600eaeb9cc4143720ab04553358d0b30e92d71a16cc19ec85c1d19a17e534ae6 |
| SHA512 | d02b72b11cdc9f86d4c2ef8e68718623e0f86f1ba81c130b865ede940e954dfbf2c62dcfd2b390b3f8dc66dbb394b4389762f8d694f3fee43d9f6dd19f374e65 |
memory/3064-14-0x000000013F040000-0x000000013F394000-memory.dmp
memory/696-13-0x000000013F040000-0x000000013F394000-memory.dmp
C:\Windows\system\nhDXfNu.exe
| MD5 | d24455962b1f9ce3e5d244c54ba8d334 |
| SHA1 | 8f1b34988c66d6d57e58b6be008e6b3aebe7f3a0 |
| SHA256 | cbf1d166568f476e40a7557279f47fb118f8e680d49ebaf5c2c469413a58a31a |
| SHA512 | d38510724fcb7c08b251eca4dea77cfea65a795857facfbed1539bb9acca3980a65697dfa639f7eec56c83623185699ee6d9f9d74766b4b63076021c5949b55f |
C:\Windows\system\lPbwqfx.exe
| MD5 | c9d50a8cc9610503e475a09fd02df996 |
| SHA1 | aa7c532f9108743b190fb526df9f4b4effe5db03 |
| SHA256 | f4e49cd76631a739f9d42359f890807a281147cd5a860d792dbe0387d2bcad0f |
| SHA512 | 067349ca4a8b2302065e97039d3484d5467fe0a66ff0fea83c065fe6668c1cdf30bf941f872b6aecae4cba96ce3dc9a47a5785f9fe190c0a753a9d1d48618110 |
memory/696-6-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/696-1-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/696-0-0x000000013FC50000-0x000000013FFA4000-memory.dmp
\Windows\system\bMXlnMQ.exe
| MD5 | 6f3f900d3492b4556edbd97c970ccfdb |
| SHA1 | 176922d6a28466e9fd602e2af324407f5c9c2a52 |
| SHA256 | 4e72baf6b4771cd38b91cf79148c14b9d05bf63b23a2d733caec6228342bc2f6 |
| SHA512 | 8c2a82a83495bd1a0e527e16823c9244b604f417cb94d5a267be0b1433af8bee3375f9723056e7b9ae9224fb8d45bf20062822fdddd60a772a3e8e44a6298d8a |
memory/696-89-0x0000000002280000-0x00000000025D4000-memory.dmp
C:\Windows\system\YMgxckm.exe
| MD5 | 0b1d475d6ae8e3cdcecd3dad52a198c8 |
| SHA1 | 78734acd7312df43ccc59834d5c3cdae29a75f03 |
| SHA256 | f6a595d8eec241d976f692c2932a0bb12c68aa8c022874ce1fd52cd1d96563a2 |
| SHA512 | fc1a9523a9a804ab61eeac4b7a8849c2d9b478b42c482981e10a29d8d426502f9a416f29af472080552110de9b300d4993fd54056b49540ac03a53bedb5e1d73 |
C:\Windows\system\hSrERtG.exe
| MD5 | 1a9985a395f675a3f8b142db77c5f8cc |
| SHA1 | 51b8e0e628403f9519ef7e36b73ec93e2a5fa222 |
| SHA256 | 7d619afd7b051a526257d3128cecda94b8670fcc9ff68a5a76df37d9bb01d612 |
| SHA512 | fa6380ad6b8caeba9bdb0a8e93fa8601449ed705093b397dfc013ee6e51b78d6d8c640515133bda74fa337eed6e019c08ade24658e58ad81b98d7e800c2c734f |
C:\Windows\system\ffujPBy.exe
| MD5 | 5322be8fb45832c905d21e15baad3d40 |
| SHA1 | c931fea182a22e3a3e92b7f39ca2e09b462e4b3a |
| SHA256 | 042b25481d2945382aaeacff3301d843b6372e01e61ee796cd0cd04d7c2557af |
| SHA512 | 02603d8650aa2ccb282146f8534facaa72146e327d5feb70a2bc6bc311ebe3c6ebadc75ebb22931f63c2ba85af3ca1850135afbb7b37a825346934252d095fc5 |
C:\Windows\system\BbmZgii.exe
| MD5 | 672e55b19eb3172f1c5394139b976b17 |
| SHA1 | 708d0b99d0f2e7ac8c6674779205af81709a9bb2 |
| SHA256 | 5cc55d938d1eb7de6c549227ddcdb14f00826c3177439eab62c58be5761b944d |
| SHA512 | 1b7844bfe97b4d1c16dfde11cb280f1e69decefb7d1e1072e5b7697f20a4c7df2791d1247d1843101a65974f023c8487fad93c31b5580a9c4166be20d18423ff |
\Windows\system\YmirsgI.exe
| MD5 | e6f74d27e7321e92fd1e0f141a21714b |
| SHA1 | fed7cb1a0033ca887b3249e013cabbe742aac4dc |
| SHA256 | 7aae7867a8749a468627f770a515d515e2fe0ec953d08ff46f12ea5a7b412bb9 |
| SHA512 | 2cc8cffaf2b7c28a350596fad92ec7a1d80e8b6b12b069d6501f7d0de0335ee83416a522838617e735548cd7d67f4ecde981f1e69099eeb51689bc56d59324e3 |
memory/696-103-0x0000000002280000-0x00000000025D4000-memory.dmp
C:\Windows\system\zUOFRZR.exe
| MD5 | 999976ee2acd53430a472f1d844995c0 |
| SHA1 | b94deaead82da0b222581d7b194c46efa5ccf35f |
| SHA256 | 143f0464863880a0f30bd89f71055aded9342f92dc2b3786395607f53ade7f58 |
| SHA512 | 94f28f88d602b214c9dcfabfa89566321a2e146cbf339b5954449694e774275daa13bd1baea33642f952c8df38dd1db20a3c13346b399cb14d1753fdc2e53021 |
C:\Windows\system\TQxNHHz.exe
| MD5 | 124ec58acbe899143de4ac477169c759 |
| SHA1 | d72ed9d1e71fab50fa97caeb1fa51e7a224062c5 |
| SHA256 | 13594b9285092c111adb5cb17383f76efe1f79f338327c181e9063761fcbe4d8 |
| SHA512 | a5b91d17a5f710ef4f03231f84ffca4ab5a9be1332875c8c803bcc2c19ab9cad97c5cbbd1f58e1d691d2a23a560d53e4adbb126814a9d921725e66fd1cbf0887 |
C:\Windows\system\KpvAcWF.exe
| MD5 | 1e7018bd6c78d4cfc652dd1b82e19d3c |
| SHA1 | 680249006b9cbd1e70f990cace3146f02395ee8b |
| SHA256 | 13b190549d93c6280dbba58d9b81019dcbe62a67b4b598bd28c51e99d4d43ca6 |
| SHA512 | a21964bc5b2892d46d0d11dd12e4360bb96ce9adb60e71bccd4a7b9f48a7214f85927ff1a00d3638beca7497ae7c6938410d30a51ac56cc875b2f0d973f7ffd2 |
C:\Windows\system\XNQatGW.exe
| MD5 | a29d70108fcf8113984064a0b25e5466 |
| SHA1 | f433c0e4b2e7313e26342ca8a879702698e94dfc |
| SHA256 | 660bf8f67b0f995d5defb5039b9f274ae9be418b171a41d35d4631a11d8a6516 |
| SHA512 | 6bcc0ae87918c2a16f86643fd0030188cedd029bcec65a104fda4a632ca23e51afc514c104e20804a82548baca5e0698913631b2e8cde1489cb00289e518e10c |
C:\Windows\system\PmlKDUv.exe
| MD5 | 77bed8be487f800e199e1afe365d65de |
| SHA1 | c3b78844c1f208afaee0f092239d2685378cb2ee |
| SHA256 | 62ad222be711072240dae9c72c54687f84f238b69f9a1fb2e2468d0e338cffe5 |
| SHA512 | a66aa1dff234c909cd09357a4f4a8debe825aa784501941e5a3663d6b8fea703b115acca4bd0f3825bc85cbf31420b51d6bdde89d02de5f230f82a3da191be09 |
memory/696-116-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/3000-115-0x000000013F410000-0x000000013F764000-memory.dmp
C:\Windows\system\RsFArWn.exe
| MD5 | 694df583b091a24dce91045ef6019bde |
| SHA1 | 8880d728fae3cb6cb4d472d155863bed901e8877 |
| SHA256 | cc15ff8dd631ff527552bdacfffe621f83cfe69507f83bc25c5fb80979352890 |
| SHA512 | 541c885d2d9a5b708e0dc2dbdd816d4e8c51214c74799ef008d2714179938cf018adafabe87fe4ec4ea8d9e229b5412fb0fcae19826535aed4fb83e7b2c5c4da |
memory/696-112-0x000000013F2C0000-0x000000013F614000-memory.dmp
memory/696-111-0x0000000002280000-0x00000000025D4000-memory.dmp
memory/696-108-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/696-94-0x0000000002280000-0x00000000025D4000-memory.dmp
memory/2784-92-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/2984-85-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/696-83-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/2724-138-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
memory/696-77-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/3064-74-0x000000013F040000-0x000000013F394000-memory.dmp
memory/696-72-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2852-69-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/3040-63-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/696-139-0x0000000002280000-0x00000000025D4000-memory.dmp
memory/2852-141-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/696-142-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/696-143-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/696-144-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/3040-145-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/3064-146-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2984-147-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/1848-148-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2784-149-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/2576-150-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2724-151-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
memory/3000-152-0x000000013F410000-0x000000013F764000-memory.dmp
memory/2852-153-0x000000013FB80000-0x000000013FED4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 12:06
Reported
2024-08-06 12:09
Platform
win10v2004-20240802-en
Max time kernel
139s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
Matches
21 (rows carry no description, indicator, process or target)
Cobaltstrike
xmrig
XMRig Miner payload
Matches
64 (rows carry no description, indicator, process or target)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ozDbAGq.exe | N/A |
| N/A | N/A | C:\Windows\System\HQwfhxj.exe | N/A |
| N/A | N/A | C:\Windows\System\kONtrxR.exe | N/A |
| N/A | N/A | C:\Windows\System\neioIIx.exe | N/A |
| N/A | N/A | C:\Windows\System\ZaUnLls.exe | N/A |
| N/A | N/A | C:\Windows\System\TxDUhfL.exe | N/A |
| N/A | N/A | C:\Windows\System\ttzmnGV.exe | N/A |
| N/A | N/A | C:\Windows\System\aLXnNRu.exe | N/A |
| N/A | N/A | C:\Windows\System\uJAsPKJ.exe | N/A |
| N/A | N/A | C:\Windows\System\jUCTMgY.exe | N/A |
| N/A | N/A | C:\Windows\System\oMlZeRi.exe | N/A |
| N/A | N/A | C:\Windows\System\CHrrQwn.exe | N/A |
| N/A | N/A | C:\Windows\System\aUnxHRK.exe | N/A |
| N/A | N/A | C:\Windows\System\wdDsNmV.exe | N/A |
| N/A | N/A | C:\Windows\System\WlBYoVy.exe | N/A |
| N/A | N/A | C:\Windows\System\IrDJYIT.exe | N/A |
| N/A | N/A | C:\Windows\System\woIStWd.exe | N/A |
| N/A | N/A | C:\Windows\System\eOWEZSL.exe | N/A |
| N/A | N/A | C:\Windows\System\mImleBH.exe | N/A |
| N/A | N/A | C:\Windows\System\nEObYgj.exe | N/A |
| N/A | N/A | C:\Windows\System\kgqGArZ.exe | N/A |
UPX packed file
Matches
64 (rows carry no description, indicator, process or target)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-06_e53160422deeb6d9a1ee970b395d8b35_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\ozDbAGq.exe | C:\Windows\System\ozDbAGq.exe |
| C:\Windows\System\HQwfhxj.exe | C:\Windows\System\HQwfhxj.exe |
| C:\Windows\System\kONtrxR.exe | C:\Windows\System\kONtrxR.exe |
| C:\Windows\System\neioIIx.exe | C:\Windows\System\neioIIx.exe |
| C:\Windows\System\ZaUnLls.exe | C:\Windows\System\ZaUnLls.exe |
| C:\Windows\System\TxDUhfL.exe | C:\Windows\System\TxDUhfL.exe |
| C:\Windows\System\ttzmnGV.exe | C:\Windows\System\ttzmnGV.exe |
| C:\Windows\System\aLXnNRu.exe | C:\Windows\System\aLXnNRu.exe |
| C:\Windows\System\uJAsPKJ.exe | C:\Windows\System\uJAsPKJ.exe |
| C:\Windows\System\jUCTMgY.exe | C:\Windows\System\jUCTMgY.exe |
| C:\Windows\System\oMlZeRi.exe | C:\Windows\System\oMlZeRi.exe |
| C:\Windows\System\CHrrQwn.exe | C:\Windows\System\CHrrQwn.exe |
| C:\Windows\System\aUnxHRK.exe | C:\Windows\System\aUnxHRK.exe |
| C:\Windows\System\wdDsNmV.exe | C:\Windows\System\wdDsNmV.exe |
| C:\Windows\System\WlBYoVy.exe | C:\Windows\System\WlBYoVy.exe |
| C:\Windows\System\IrDJYIT.exe | C:\Windows\System\IrDJYIT.exe |
| C:\Windows\System\woIStWd.exe | C:\Windows\System\woIStWd.exe |
| C:\Windows\System\eOWEZSL.exe | C:\Windows\System\eOWEZSL.exe |
| C:\Windows\System\mImleBH.exe | C:\Windows\System\mImleBH.exe |
| C:\Windows\System\nEObYgj.exe | C:\Windows\System\nEObYgj.exe |
| C:\Windows\System\kgqGArZ.exe | C:\Windows\System\kgqGArZ.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
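Across both detonations the only endpoint the sample itself reaches is 3.120.209.58:8080 over TCP, six or seven times within the roughly 150 s network window, which is the shape of a beacon retrying its check-in. The in-addr.arpa queries to 8.8.8.8 appear only in the Windows 10 run and are reverse lookups of the kind the OS issues on its own, so they are not usable as indicators. The Python below is an added example, not taken from the report or the sandbox vendor: it parses a constructed Zeek conn.log excerpt, matches rows against that endpoint, and separately flags any source/destination socket pair that reconnects repeatedly inside a short window, which still fires after the C2 address changes. The log rows, internal hosts, column subset and thresholds are constructed or assumed; the endpoint is the one in the tables above.

```python
from collections import defaultdict

# Only endpoint common to both detonations in this report (Windows 7 and Windows 10 runs).
C2_ENDPOINTS = {("3.120.209.58", 8080, "tcp")}

# Constructed Zeek conn.log excerpt, tab-separated, restricted to these columns:
# ts  uid  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto
CONN_LOG = """\
1722945960.10\tCa1\t10.0.0.5\t49712\t3.120.209.58\t8080\ttcp
1722945975.32\tCa2\t10.0.0.5\t49713\t3.120.209.58\t8080\ttcp
1722945990.51\tCa3\t10.0.0.5\t49714\t3.120.209.58\t8080\ttcp
1722946005.70\tCa4\t10.0.0.5\t49715\t3.120.209.58\t8080\ttcp
1722946020.88\tCa5\t10.0.0.5\t49716\t3.120.209.58\t8080\ttcp
1722946036.02\tCa6\t10.0.0.5\t49717\t3.120.209.58\t8080\ttcp
1722945961.00\tCb1\t10.0.0.5\t51000\t8.8.8.8\t53\tudp
1722945962.00\tCb2\t10.0.0.5\t51001\t8.8.8.8\t53\tudp
1722945970.00\tCc1\t10.0.0.7\t50222\t93.184.216.34\t443\ttcp
"""

def parse_conn(text):
    """Turn the excerpt above into a list of row dicts; '#' header lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, uid, oh, op, rh, rp, proto = line.split("\t")
        rows.append({"ts": float(ts), "uid": uid, "orig_h": oh, "orig_p": int(op),
                     "resp_h": rh, "resp_p": int(rp), "proto": proto})
    return rows

def match_iocs(rows, iocs=C2_ENDPOINTS):
    """Exact match on (responder IP, port, proto) from the report's Network tables."""
    return [r for r in rows if (r["resp_h"], r["resp_p"], r["proto"]) in iocs]

def find_repeat_connections(rows, min_count=5, window_s=300):
    """Flag (src, dst, port, proto) tuples with >= min_count sessions inside window_s seconds.

    Repeated short TCP sessions to one socket are how a beacon that cannot complete
    its check-in looks in conn.log; both detonations show this against 3.120.209.58:8080.
    Returns (key, total_sessions, gaps_between_sessions) per flagged tuple.
    """
    by_key = defaultdict(list)
    for r in rows:
        by_key[(r["orig_h"], r["resp_h"], r["resp_p"], r["proto"])].append(r["ts"])
    hits = []
    for key, stamps in by_key.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window_s:
                start += 1
            if end - start + 1 >= min_count:
                gaps = [round(b - a, 1) for a, b in zip(stamps, stamps[1:])]
                hits.append((key, len(stamps), gaps))
                break
    return hits

if __name__ == "__main__":
    conns = parse_conn(CONN_LOG)
    for r in match_iocs(conns):
        print(f"IOC hit  {r['uid']}  {r['orig_h']} -> {r['resp_h']}:{r['resp_p']}/{r['proto']}")
    for key, n, gaps in find_repeat_connections(conns):
        print(f"repeat   {key}  sessions={n}  gaps={gaps}")
```

The gap list is worth keeping in the alert: near-constant spacing (here about 15 s) separates a configured sleep from a user reloading a page, and the DNS pair to 8.8.8.8 stays below the threshold, as it should.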
Files
memory/5088-0-0x00007FF718560000-0x00007FF7188B4000-memory.dmp
memory/5088-1-0x000001B5D6D80000-0x000001B5D6D90000-memory.dmp
C:\Windows\System\HQwfhxj.exe
| MD5 | 46ff3292092eec90a0b7bbf397fd0568 |
| SHA1 | 6c3f5eebe4fa7481fc56871cd3668444ad6e69d4 |
| SHA256 | 78fad050bdd67eccd9fa1a29bf61edc113c85ad40ae15720e76cf19d22a8d6a9 |
| SHA512 | 5c509c46e5f16c46c26bc683a3e2d28cbdf17bb68486c957d0e127607cd5951257cfe000d3644da98202b66d633eaca292dbe9f5b30c1ba834a1af453e10c5bc |
C:\Windows\System\kONtrxR.exe
| MD5 | cd925b4514239c2511eaad5ae0759baa |
| SHA1 | 8c95812e1b5cff8785eca306503d302dc022847f |
| SHA256 | 78dbe2d6ed1d7f390eff3ddb6474206d788fcfc8dc88c6db6447df90cf22d138 |
| SHA512 | cbc02777b399184b89b32d5a43e6f1a67ed01fee6eb63c6fb78acf4d6a397eaff00ef3bf0f08d157f4b94680c470bcdd6a7d8c36d4da3167d1aecfcc8cd5c810 |
memory/1044-14-0x00007FF703410000-0x00007FF703764000-memory.dmp
memory/1404-6-0x00007FF77D810000-0x00007FF77DB64000-memory.dmp
memory/3520-20-0x00007FF610650000-0x00007FF6109A4000-memory.dmp
C:\Windows\System\ozDbAGq.exe
| MD5 | 236135708a2f90a28f836ad5242e00b9 |
| SHA1 | a9ca361bbb418bf8df228f023d9cb3a1a64062e7 |
| SHA256 | 7c55608f2356d16838719a9a3e57800c1854e789fb5fcac72964ab0d9bd0e274 |
| SHA512 | 5df321679555c150abd274f5ecaff80d495563c01cc75100f2e7d7e05704196ccfb71e56f8305cbeecf967babf2cdbb895d67b3e4bfa0d1e85dca41db1044da2 |
C:\Windows\System\neioIIx.exe
| MD5 | d0fb26280d4fb4a6616f69033581ef6f |
| SHA1 | a03ecd16f7811a6a8e75adbdb753069278c8de72 |
| SHA256 | 13b97b72d6f5701451341910aab97aad2463f39a5881f6d80c6c1ed779248a35 |
| SHA512 | e1494291da2d1dd4dec0cc794bb116d27f231aa3e3a6680622320f46a8fb8bd238b1a7ff3ec0d276078cb99b54284fee717a71f9c200945e7406e75fdf94c769 |
C:\Windows\System\ZaUnLls.exe
| MD5 | fa7be5a49e60f5aa1a2e6b443ea13bca |
| SHA1 | 8b0aabe8bb17fe3dadb4a9de3efa476d6151bfad |
| SHA256 | 77b83ba5fed587f53e2a78da34bd1798620a203e44136233d3a6cafdaf518220 |
| SHA512 | ec0550a09cbe181c25ead301204e8fbe04be1e0b8e9ad8f7aec7d86da1b8303f2dd716f6903d743af48a3118b988a5e381d69f96e3aca14a48d041ac44ea8980 |
memory/3644-37-0x00007FF616C90000-0x00007FF616FE4000-memory.dmp
C:\Windows\System\TxDUhfL.exe
| MD5 | 9f764fed658fc54f13e84b0317dc4ad3 |
| SHA1 | a593b84612a39e659cae92c8760debedacefaa38 |
| SHA256 | fcfc316b97b6a5337952c01b3e217b72e9e6b75584061d4c389b5f6c4282212a |
| SHA512 | 0c4af0a2e9fe153317e26b3e53a00f08152c750365322980c59060008a11f9aec6efc9bf7f6d86746648bcdc4ed4eabe966e45b9f229d49a3b75b6e48aedefe7 |
C:\Windows\System\ttzmnGV.exe
| MD5 | eb6e200fed610f4d341174d6b84f815b |
| SHA1 | ce8f81a02036aba1ef0f3485f3673adef3cf1f8c |
| SHA256 | 6a3cf2b9e51ad35eb436b49a39149a99f848bb7d69a45fb6d4517ecc503cc885 |
| SHA512 | 9483382d7f60d570224b62bd6463acaf1dbc9db81cfa6c061c74fdb5d2e943bd78be3f3879b1e913ff9741dc0a87cb6a90e058962023dc3414c69413f7333a6a |
C:\Windows\System\aLXnNRu.exe
| MD5 | 7e83a03ab5697b3fa84f87e7d6612090 |
| SHA1 | d9d9ae6db9405ecb40b4a23d5b6fd101b5516271 |
| SHA256 | c1197d9628afbd88d3cf206ae1c067cde41674308935fc6ecdc43c2cf9f12b62 |
| SHA512 | 780401b24ed4223c6e8d5b9343cdabaed8fd0243619e1b7231b4efe4f79e49de023aef8afd5879163ab548a6840b2f0ca3294fbca7d40888f41ada7c03b292e6 |
memory/2860-44-0x00007FF701080000-0x00007FF7013D4000-memory.dmp
memory/1016-39-0x00007FF6EF290000-0x00007FF6EF5E4000-memory.dmp
memory/1872-26-0x00007FF735E70000-0x00007FF7361C4000-memory.dmp
C:\Windows\System\uJAsPKJ.exe
| MD5 | 56354a5d74d6f0ae62eeb106b5f5b79b |
| SHA1 | 6df46d5e93b1b76460e56055bbce3a8f051febd3 |
| SHA256 | 8c8bde2b5aa5683a2beec01d2e65760b5d672b8189e4cf1b56516dc3049d3248 |
| SHA512 | bd069b7f097c92013c73c4dcc34faa601a302998af0f8f99b48e5ea728bbf4ed05756baad44c862bcfdeae27a57b62f9e3c9bdd3407872fc2674a683b317bb2b |
memory/1076-56-0x00007FF653880000-0x00007FF653BD4000-memory.dmp
memory/4572-50-0x00007FF6FA460000-0x00007FF6FA7B4000-memory.dmp
memory/2436-63-0x00007FF64EA80000-0x00007FF64EDD4000-memory.dmp
memory/5088-62-0x00007FF718560000-0x00007FF7188B4000-memory.dmp
C:\Windows\System\CHrrQwn.exe
| MD5 | 54e87bf79b843ebaff7989bde1fd595c |
| SHA1 | acf9ce1a5fad6a9d6a412b631ede062181b5fc38 |
| SHA256 | d8f49a08e2e66c909e444148283a1b1c204883ee765b5fd6a950f08d44f6f052 |
| SHA512 | c3e95f1a73fc23601931c4f136eea0d6b797858175a6ce0fe55541ad04e5dea2a130dcb75923c0092ef4b71f40fa884d4c99fb5c86740c788b4afbc727f5949d |
memory/2244-71-0x00007FF7F12C0000-0x00007FF7F1614000-memory.dmp
memory/1404-69-0x00007FF77D810000-0x00007FF77DB64000-memory.dmp
C:\Windows\System\oMlZeRi.exe
| MD5 | e0aa3f52d8fd44754f196aa3008c6679 |
| SHA1 | 747ac58f21210df4462a04cde82abc9b2f7bacd5 |
| SHA256 | 99f1b4e55db9efa3576ff253b7a25a581a2111149b77f6f66a10ed67f662ee4f |
| SHA512 | ad7cfeaf4251655b9836f09a6440553f9ffea4525fa6237fb5fe88afd5ab33348fa6618eb7ccb7618b702bc853a5d3696df804b9f01e005d8048a2657f1ff33f |
C:\Windows\System\jUCTMgY.exe
| MD5 | aa9cb28b5993c40dc41ac3b1029128ea |
| SHA1 | ef8ccb0a8d87b054d5ce96d45171ec1b94007f7c |
| SHA256 | 320c677a8f015818c7d2b4ec8e663adf2fda5ce14646d8736c05051fb119f905 |
| SHA512 | 7106fca0905c229313d9232f045d293fa0a6115a18fe7d2a7a8696655a5a34106133616eb188009582ca38611ca6a4f845688f05ac36e30473d0cf3752f74e6a |
memory/3488-76-0x00007FF65DE10000-0x00007FF65E164000-memory.dmp
C:\Windows\System\aUnxHRK.exe
| MD5 | 3c20e2f09329685c00e4ac2fb1696aab |
| SHA1 | cbab31cb01fb38f270c48f218afbf24a04fca987 |
| SHA256 | e9a05b02d3d95660bfd72a9ed880b7432386442aae555cbdb85516e31d44d0ed |
| SHA512 | dbbe38a5dfd044f3ce91cb69a68ff92055cdb323a4023a661b4f4d593bd7bd1ecfca34dd43419653fea0b996b8b4b55a2ecdebb8af539079b3a8f3902238f55b |
memory/2748-82-0x00007FF64CDC0000-0x00007FF64D114000-memory.dmp
C:\Windows\System\wdDsNmV.exe
| MD5 | acd0c0796bc8ff2e5c10b3d64e43d925 |
| SHA1 | b6561480c60a4c0dcdfc647077f366f7d6e52b76 |
| SHA256 | b5102e5dc16b9e2466d417e7768cb84764d03c7e89c3e788f5f9c8c53b84bcd9 |
| SHA512 | b544a05c40f0fdbc723b078142c5283bef3de24e2b41e2d63251da527c3154c93c1f18ccbdbe91077b01e12b1fd6481b55e70d4bf90d30fabf980a887accc085 |
C:\Windows\System\woIStWd.exe
| MD5 | b5025848cd045d759170a76e2d303429 |
| SHA1 | 8a0fba43623247abd20388b66928d5c625add531 |
| SHA256 | 6fd74edb93af36626678d5bbbf91c8ea93249428fc6951e0610b1efc49e75841 |
| SHA512 | 287ffe33772f5b6587fc0119797d50f060def7e1663517f7453b13a5bbab495882bb5d6c7d89386dc9b26f22c0bb9652ff7e95b0ff38d17d2fa5be5f086da365 |
memory/1548-102-0x00007FF6C7DF0000-0x00007FF6C8144000-memory.dmp
C:\Windows\System\IrDJYIT.exe
| MD5 | 2ca4cfdf458f59dc6ed71bc9b1b28e4c |
| SHA1 | f2cdaf0194db2ce17c7f982ed720eabd4c50eb24 |
| SHA256 | e7b9a486ae43b4cd3f50012ab7019d8e58345df156421e029f64376382d7938b |
| SHA512 | 0ea3a3fc4a49371d1cf7a7fa2292086ed922142cd88ff5aabe2b2f7caa792eb09abb4882afd02af5abd8ca8767134a04284f040de8956bc717b39940d6ef4fe7 |
memory/5020-97-0x00007FF64E3C0000-0x00007FF64E714000-memory.dmp
C:\Windows\System\WlBYoVy.exe
| MD5 | a27cc97bf70a72454341be51915948eb |
| SHA1 | 97d3d4327270771df5f6bc3bb253a90edc7f94c5 |
| SHA256 | 2b7295960cf2907d73cb902f90db6b504943f3fe4cc9c88f3a33d3dc7d1e5d94 |
| SHA512 | c7f1331da0066e29f9985adfebeb213cc2429703dfe631a2338073e6d156750dde8fbcdfa8d9e0deaf2c5ad9cd57cb345be19e3d5569577da0ad2364d5bf28b3 |
memory/1364-87-0x00007FF7E1A50000-0x00007FF7E1DA4000-memory.dmp
C:\Windows\System\eOWEZSL.exe
| MD5 | 19ed8af8abfcb20aaeb827845ee40100 |
| SHA1 | 243e420ec474cebdccf8434e93d87e3d26b40b76 |
| SHA256 | 4701cc4dfa185709173cc33128ef380b6b56e833691dbc40e04c3ed18f9eff11 |
| SHA512 | 387186e259e78c80266361b24d4718e5462937508a2baf4bfcb3322e6740570fb020e37aea951d2396424eaa396207fc8a344884504605d91817a95d0e397b6a |
C:\Windows\System\mImleBH.exe
| MD5 | 2117e8ff3c598780e9474c730e1ac1ef |
| SHA1 | fd0b3ba0e6ce2e6016ed49da2560640ff0bbcae0 |
| SHA256 | c668db16f120c232f0ae3e494722e25d48ccc667a37e8bfe5bd879d497878108 |
| SHA512 | ae00dd4dfeb74814f1223b710f7b25c6da53ee37abcd2324e7bedd3024d2ae23e54e974b43a7b991e81d56abaf9268a2df50990bb620c9826e649a216b983fd4 |
C:\Windows\System\nEObYgj.exe
| MD5 | 12004a9e07bbf1f57a34d6edd2510d0a |
| SHA1 | 9c687a93eb94df545b223c2211ceb1d47e1a756c |
| SHA256 | d2f3c07b8ca68ad377a1da5636239306e98d777d415118d415036804da23fb32 |
| SHA512 | a6b2c42fbde86af19f5a77e59236a5af0a839ee2aef261359528467d7d05046345af176b1b50d5e3b8d236b2e04f5c7de178e7ed3379f7aedc61f346de926b92 |
memory/3184-121-0x00007FF7CF450000-0x00007FF7CF7A4000-memory.dmp
memory/3624-120-0x00007FF6A4450000-0x00007FF6A47A4000-memory.dmp
memory/2584-112-0x00007FF74A860000-0x00007FF74ABB4000-memory.dmp
memory/1544-108-0x00007FF6F7A30000-0x00007FF6F7D84000-memory.dmp
C:\Windows\System\kgqGArZ.exe
| MD5 | 39eeb67c60b5f755375a28c2423f4161 |
| SHA1 | e25dd5e504c930a0cd663536e7e78f2ae18ab94b |
| SHA256 | 425234893672113dcb20b04a5823d00805ee41e701e657943272fa56338ac6c3 |
| SHA512 | 0c19dd82bdd0587630d2a07c4ac52fdda5302e7fb67097dc95702d735bd2e636fe8e8208298a6882f83ed8e3150e2aa66b2f30dc7fc143dc6fde2f33a695f658 |
memory/4700-129-0x00007FF6C7F10000-0x00007FF6C8264000-memory.dmp
memory/1364-130-0x00007FF7E1A50000-0x00007FF7E1DA4000-memory.dmp
memory/1548-131-0x00007FF6C7DF0000-0x00007FF6C8144000-memory.dmp
memory/2584-132-0x00007FF74A860000-0x00007FF74ABB4000-memory.dmp
memory/3184-133-0x00007FF7CF450000-0x00007FF7CF7A4000-memory.dmp
memory/1404-134-0x00007FF77D810000-0x00007FF77DB64000-memory.dmp
memory/1044-135-0x00007FF703410000-0x00007FF703764000-memory.dmp
memory/3520-136-0x00007FF610650000-0x00007FF6109A4000-memory.dmp
memory/1872-137-0x00007FF735E70000-0x00007FF7361C4000-memory.dmp
memory/3644-138-0x00007FF616C90000-0x00007FF616FE4000-memory.dmp
memory/1016-139-0x00007FF6EF290000-0x00007FF6EF5E4000-memory.dmp
memory/2860-140-0x00007FF701080000-0x00007FF7013D4000-memory.dmp
memory/4572-141-0x00007FF6FA460000-0x00007FF6FA7B4000-memory.dmp
memory/1076-142-0x00007FF653880000-0x00007FF653BD4000-memory.dmp
memory/2436-143-0x00007FF64EA80000-0x00007FF64EDD4000-memory.dmp
memory/2244-144-0x00007FF7F12C0000-0x00007FF7F1614000-memory.dmp
memory/3488-145-0x00007FF65DE10000-0x00007FF65E164000-memory.dmp
memory/2748-146-0x00007FF64CDC0000-0x00007FF64D114000-memory.dmp
memory/1364-147-0x00007FF7E1A50000-0x00007FF7E1DA4000-memory.dmp
memory/5020-148-0x00007FF64E3C0000-0x00007FF64E714000-memory.dmp
memory/1544-149-0x00007FF6F7A30000-0x00007FF6F7D84000-memory.dmp
memory/1548-150-0x00007FF6C7DF0000-0x00007FF6C8144000-memory.dmp
memory/2584-151-0x00007FF74A860000-0x00007FF74ABB4000-memory.dmp
memory/3624-152-0x00007FF6A4450000-0x00007FF6A47A4000-memory.dmp
memory/3184-153-0x00007FF7CF450000-0x00007FF7CF7A4000-memory.dmp
memory/4700-154-0x00007FF6C7F10000-0x00007FF6C8264000-memory.dmp
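The listing above is flat text: a dropped-file path followed by its hash rows, interleaved with `memory/<pid>-<index>-<start>-<end>-memory.dmp` artifact names. The following is an added example, not part of the report or of the sandbox's own tooling, that parses that format into structured records, rejects hash rows whose digest length does not match the named algorithm, and groups the dumped regions by mapped size. The `SAMPLE` input is a constructed subset copied from this listing; all names (`parse_report`, `sha256_blocklist`, `regions_by_size`, `repeated_regions`) are this example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: a subset of this report's dropped-file and memory-dump
# lines, in the flattened form the page presents them.
SAMPLE = r"""
C:\Windows\System\CHrrQwn.exe
| MD5 | 54e87bf79b843ebaff7989bde1fd595c |
| SHA1 | acf9ce1a5fad6a9d6a412b631ede062181b5fc38 |
| SHA256 | d8f49a08e2e66c909e444148283a1b1c204883ee765b5fd6a950f08d44f6f052 |
| SHA512 | c3e95f1a73fc23601931c4f136eea0d6b797858175a6ce0fe55541ad04e5dea2a130dcb75923c0092ef4b71f40fa884d4c99fb5c86740c788b4afbc727f5949d |
memory/2244-71-0x00007FF7F12C0000-0x00007FF7F1614000-memory.dmp
memory/1404-69-0x00007FF77D810000-0x00007FF77DB64000-memory.dmp
C:\Windows\System\oMlZeRi.exe
| MD5 | e0aa3f52d8fd44754f196aa3008c6679 |
| SHA1 | 747ac58f21210df4462a04cde82abc9b2f7bacd5 |
| SHA256 | 99f1b4e55db9efa3576ff253b7a25a581a2111149b77f6f66a10ed67f662ee4f |
| SHA512 | ad7cfeaf4251655b9836f09a6440553f9ffea4525fa6237fb5fe88afd5ab33348fa6618eb7ccb7618b702bc853a5d3696df804b9f01e005d8048a2657f1ff33f |
memory/1364-130-0x00007FF7E1A50000-0x00007FF7E1DA4000-memory.dmp
memory/1364-147-0x00007FF7E1A50000-0x00007FF7E1DA4000-memory.dmp
"""

FILE_RE = re.compile(r"^[A-Za-z]:\\.+$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_DIGITS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex digest


@dataclass
class MemoryDump:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_report(text):
    """Split the flattened listing into dropped files, memory dumps and a list of problems."""
    files, dumps, problems = [], [], []
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if FILE_RE.match(line):
            current = DroppedFile(line)
            files.append(current)
            continue
        m = HASH_RE.match(line)
        if m:
            algo, value = m[1], m[2].lower()
            if current is None:
                problems.append(f"line {lineno}: hash row before any file path")
            elif len(value) != HEX_DIGITS[algo]:
                # A wrong-length digest is a transcription error; never ship it as an IOC.
                problems.append(f"line {lineno}: {algo} for {current.path} has "
                                f"{len(value)} hex digits, expected {HEX_DIGITS[algo]}")
            else:
                current.hashes[algo] = value
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, index, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
            if end <= start:
                problems.append(f"line {lineno}: empty or inverted region {line!r}")
            else:
                dumps.append(MemoryDump(pid, index, start, end))
            continue
        problems.append(f"line {lineno}: unrecognised line {line!r}")
    return files, dumps, problems


def sha256_blocklist(files):
    """Sorted SHA256 digests, ready for a hash blocklist or a retro-hunt."""
    return sorted(f.hashes["SHA256"] for f in files if "SHA256" in f.hashes)


def regions_by_size(dumps):
    """Map mapped-region size -> sorted distinct PIDs holding a region of that size."""
    out = defaultdict(set)
    for d in dumps:
        out[d.size].add(d.pid)
    return {size: sorted(pids) for size, pids in out.items()}


def repeated_regions(dumps):
    """PIDs whose identical (start, end) region appears in more than one dump."""
    seen = defaultdict(int)
    for d in dumps:
        seen[(d.pid, d.start, d.end)] += 1
    return {pid: (start, end) for (pid, start, end), n in seen.items() if n > 1}


if __name__ == "__main__":
    files, dumps, problems = parse_report(SAMPLE)
    for size, pids in regions_by_size(dumps).items():
        print(f"region size 0x{size:X} in PIDs {pids}")
    print("problems:", problems)
```

Run against the sample, every dump region is 0x354000 bytes at a different base; the same holds for each `memory/...` entry in this listing, which is what you expect when one image is mapped under many randomized file names and PIDs with ASLR. PID 1364 shows the same range in two dumps taken at different indices, so the mapping persisted across snapshots rather than being transient.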