Analysis Overview
SHA256: 250a1742e24744b9dbb482c3a4d679d4aa507319af6b840077444d29cac88f4e
Threat Level: Known bad
The file 2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike family
Cobaltstrike
XMRig Miner payload
xmrig
Xmrig family
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2024-08-06 11:26
Signatures
Cobalt Strike reflective loader (1 match; no description, indicator, process or target recorded)
Cobaltstrike family
XMRig Miner payload (1 match; no description, indicator, process or target recorded)
Xmrig family
UPX packed file (1 match; no description, indicator, process or target recorded)
Unsigned PE (2 matches; no description, indicator, process or target recorded)
Analysis: behavioral1
Detonation Overview
Submitted: 2024-08-06 11:26
Reported: 2024-08-06 11:29
Platform: win7-20240705-en
Max time kernel: 142s
Max time network: 142s
Command Line: (none recorded)
Signatures
Cobalt Strike reflective loader (21 matches; the report records no description, indicator, process or target for any of them)
Cobaltstrike
xmrig
XMRig Miner payload (35 matches; the report records no description, indicator, process or target for any of them)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\SNnwgRb.exe | N/A |
| N/A | N/A | C:\Windows\System\dQToXbj.exe | N/A |
| N/A | N/A | C:\Windows\System\VGgpyQI.exe | N/A |
| N/A | N/A | C:\Windows\System\yyjWhBX.exe | N/A |
| N/A | N/A | C:\Windows\System\lUBxmlJ.exe | N/A |
| N/A | N/A | C:\Windows\System\JTvgmQU.exe | N/A |
| N/A | N/A | C:\Windows\System\ssvRGYf.exe | N/A |
| N/A | N/A | C:\Windows\System\dngWqHB.exe | N/A |
| N/A | N/A | C:\Windows\System\tlUCRAw.exe | N/A |
| N/A | N/A | C:\Windows\System\vycKdpC.exe | N/A |
| N/A | N/A | C:\Windows\System\zkQlXFT.exe | N/A |
| N/A | N/A | C:\Windows\System\gxAVuKG.exe | N/A |
| N/A | N/A | C:\Windows\System\cNKuwjU.exe | N/A |
| N/A | N/A | C:\Windows\System\pZufMnU.exe | N/A |
| N/A | N/A | C:\Windows\System\iyGzXnm.exe | N/A |
| N/A | N/A | C:\Windows\System\BMCBPPB.exe | N/A |
| N/A | N/A | C:\Windows\System\fOkuxeS.exe | N/A |
| N/A | N/A | C:\Windows\System\eqXGkou.exe | N/A |
| N/A | N/A | C:\Windows\System\igRyAoJ.exe | N/A |
| N/A | N/A | C:\Windows\System\fScpPUL.exe | N/A |
| N/A | N/A | C:\Windows\System\jTKKTQV.exe | N/A |
Loads dropped DLL
UPX packed file (60 matches; the report records no description, indicator, process or target for any of them)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\SNnwgRb.exe | C:\Windows\System\SNnwgRb.exe |
| C:\Windows\System\dQToXbj.exe | C:\Windows\System\dQToXbj.exe |
| C:\Windows\System\VGgpyQI.exe | C:\Windows\System\VGgpyQI.exe |
| C:\Windows\System\cNKuwjU.exe | C:\Windows\System\cNKuwjU.exe |
| C:\Windows\System\yyjWhBX.exe | C:\Windows\System\yyjWhBX.exe |
| C:\Windows\System\pZufMnU.exe | C:\Windows\System\pZufMnU.exe |
| C:\Windows\System\lUBxmlJ.exe | C:\Windows\System\lUBxmlJ.exe |
| C:\Windows\System\iyGzXnm.exe | C:\Windows\System\iyGzXnm.exe |
| C:\Windows\System\JTvgmQU.exe | C:\Windows\System\JTvgmQU.exe |
| C:\Windows\System\BMCBPPB.exe | C:\Windows\System\BMCBPPB.exe |
| C:\Windows\System\ssvRGYf.exe | C:\Windows\System\ssvRGYf.exe |
| C:\Windows\System\fOkuxeS.exe | C:\Windows\System\fOkuxeS.exe |
| C:\Windows\System\dngWqHB.exe | C:\Windows\System\dngWqHB.exe |
| C:\Windows\System\eqXGkou.exe | C:\Windows\System\eqXGkou.exe |
| C:\Windows\System\tlUCRAw.exe | C:\Windows\System\tlUCRAw.exe |
| C:\Windows\System\igRyAoJ.exe | C:\Windows\System\igRyAoJ.exe |
| C:\Windows\System\vycKdpC.exe | C:\Windows\System\vycKdpC.exe |
| C:\Windows\System\fScpPUL.exe | C:\Windows\System\fScpPUL.exe |
| C:\Windows\System\zkQlXFT.exe | C:\Windows\System\zkQlXFT.exe |
| C:\Windows\System\jTKKTQV.exe | C:\Windows\System\jTKKTQV.exe |
| C:\Windows\System\gxAVuKG.exe | C:\Windows\System\gxAVuKG.exe |
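The "Executes dropped EXE" table, the Processes list and the SeLockMemoryPrivilege rows above together describe a pattern that is easy to hunt for in endpoint telemetry: one process running from the user's Temp directory enables SeLockMemoryPrivilege (XMRig requests it so that it can lock large pages for its RandomX dataset; ordinary user-mode software almost never does) and then starts a series of seven-letter, random-named executables from C:\Windows\System\, the legacy directory rather than System32. The Python below is an added example, not part of the report or of any sandbox's code. It runs both checks over constructed records shaped like the fields of Sysmon Event ID 1 (process creation) and Windows Security Event ID 4703 (a user right was adjusted). The image paths are taken from this report; the PIDs, the explorer.exe parent and the two System32 rows are invented for the example.

```python
import re

# Image path of the dropped executables in this report: C:\Windows\System\
# (the legacy directory, not System32) plus a seven-letter name. The directory
# is matched case-insensitively because the report shows "System" and "system".
DROP_IMAGE_RE = re.compile(r"^[A-Za-z]:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)

# The privilege the sample enables in both runs.
LOCK_MEMORY = "SeLockMemoryPrivilege"

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a"
          r"_cobalt-strike_cobaltstrike_poet-rat.exe")

# Constructed process-creation records shaped like Sysmon Event ID 1 fields.
# Paths come from the report; PIDs, the explorer parent and the System32 rows are invented.
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 50,  "image": r"C:\Windows\explorer.exe"},
    {"pid": 101, "ppid": 100, "image": SAMPLE},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\System\SNnwgRb.exe"},
    {"pid": 103, "ppid": 101, "image": r"C:\Windows\System\dQToXbj.exe"},
    {"pid": 104, "ppid": 101, "image": r"C:\Windows\system\VGgpyQI.exe"},
    {"pid": 105, "ppid": 50,  "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 106, "ppid": 105, "image": r"C:\Windows\System32\conhost.exe"},
]

# Constructed records shaped like Security Event ID 4703, which Windows logs for
# AdjustTokenPrivileges when the "Audit Authorization Policy Change" subcategory is on.
PRIVILEGE_EVENTS = [
    {"pid": 101, "image": SAMPLE, "enabled": [LOCK_MEMORY]},
    {"pid": 105, "image": r"C:\Windows\System32\svchost.exe", "enabled": ["SeShutdownPrivilege"]},
]


def is_windows_system_drop(image: str) -> bool:
    """True for a seven-letter EXE directly under C:\\Windows\\System\\ (System32 never matches)."""
    return DROP_IMAGE_RE.match(image) is not None


def flag_drops(events):
    """Process-creation events whose image matches the drop pattern."""
    return [e for e in events if is_windows_system_drop(e["image"])]


def spawn_fanout(events, root_pid):
    """PIDs of flagged drops whose parent chain leads back to root_pid.

    The report's Processes list shows the sample starting every dropped EXE
    directly, so the chain is one level deep here; the walk also handles nesting.
    """
    parent_of = {e["pid"]: e["ppid"] for e in events}
    found = []
    for e in flag_drops(events):
        pid = e["pid"]
        while pid in parent_of:
            if parent_of[pid] == root_pid:
                found.append(e["pid"])
                break
            pid = parent_of[pid]
    return found


def flag_lock_memory(events):
    """Privilege-adjust events that enabled SeLockMemoryPrivilege."""
    return [e for e in events if LOCK_MEMORY in e["enabled"]]


def triage(process_events, privilege_events):
    """Correlate both signals per process: enabling SeLockMemoryPrivilege and
    spawning random-named EXEs under C:\\Windows\\System\\ is the combination
    this report shows; either one alone is a weaker lead."""
    verdicts = {}
    for pid in {e["pid"] for e in flag_lock_memory(privilege_events)}:
        drops = spawn_fanout(process_events, pid)
        verdicts[pid] = {"lock_memory": True, "drops": drops, "suspicious": bool(drops)}
    return verdicts


if __name__ == "__main__":
    for pid, verdict in triage(PROCESS_EVENTS, PRIVILEGE_EVENTS).items():
        print(pid, verdict)
```

Event 4703 is only emitted when that audit subcategory is enabled and is noisy on its own, which is why the example alerts on the correlation with the spawn fan-out rather than on the privilege alone. The regular expression pins the directory to exactly C:\Windows\System\ so that System32 and SysWOW64 paths cannot match.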
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3056-0-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
memory/3056-1-0x0000000000300000-0x0000000000310000-memory.dmp
C:\Windows\system\SNnwgRb.exe
| MD5 | 080554788b196ca902850dd9f8ce5e77 |
| SHA1 | 50f594765122370b031fa217d7ff71c1f179d785 |
| SHA256 | b17b8397980b98a0387789a0d72a9e5491deb31b84ab92cb6f2ce8a637813242 |
| SHA512 | 6c8f274ac6953ee6d92ad04961a9f35246fa064d75766941ead7c4909e0f094291e5827a10f0f054299f7bad5da32333dbc0689a455ef4ba9537736063de6886 |
memory/2524-8-0x000000013F700000-0x000000013FA51000-memory.dmp
C:\Windows\system\dQToXbj.exe
| MD5 | 4f0bc2118d7ea94fcff182c8aa675b58 |
| SHA1 | 4c2c8074ae019aafd0454e0cbcf02c401b8a480a |
| SHA256 | 9d3023de29bf585e4634e6072b8b4db212e50ccefa478ab97bc5b795d589e8b5 |
| SHA512 | a9169d368663373d2087c9752919dedf39fae8c96f1c73024530fd6508189388f70e4200154b726aff8d960678fde87b722a1e51859651c08f9bce9be9c43155 |
memory/308-14-0x000000013FC40000-0x000000013FF91000-memory.dmp
memory/3056-13-0x0000000002170000-0x00000000024C1000-memory.dmp
C:\Windows\system\VGgpyQI.exe
| MD5 | 4f307baabd41761aa554bb9772b9c2b3 |
| SHA1 | e6d4b5912ad5d88453693230fcd8edfe47acceaa |
| SHA256 | 1ffceecfca95e2dd2374b8fbd2f9cb91dd4215ffc3ed39bb983bca10e4322a60 |
| SHA512 | 9222de1fd58d75187fac52678237657619fc539e5da2d516f38f3a7c25e1f77997ecaa5f2695d4674c1ce7a6a7755b48d2b9896e438810a5f85389db559e708e |
memory/3056-112-0x000000013FFF0000-0x0000000140341000-memory.dmp
C:\Windows\system\igRyAoJ.exe
| MD5 | df942960bfdf71276b4991cc4039ba2e |
| SHA1 | 577c4b4cfe5fd5217fd0c223a44df9ade6501f13 |
| SHA256 | 00a685e18f176c1d78960e777f7bdd64c7cc568e85eab38218a78e063fde3dfd |
| SHA512 | 5ceff327aa1e5c234da8af1ba88d91e75720e13a20acdbaf419b66d765aca18ce010382c2bb219cd50801993fdc82b90615558c1849e89ce90e4f07072c522ff |
memory/3064-98-0x000000013F690000-0x000000013F9E1000-memory.dmp
\Windows\system\jTKKTQV.exe
| MD5 | 602103058cf28250aa0bfe9cbac21eb6 |
| SHA1 | 7b1752dbd0cbaf756557d2ada70d3f9dcfc0acab |
| SHA256 | 5c5bafb73466d432b43237a84f6949c824210db855522a78d717b6a3bed13c6f |
| SHA512 | fa6fde1fb1a4cf808bd641e44ee870d90056e4b2f89764c477ca4461fb95e59735897493c264219206175ed05f6a81bcaa361943c13e32b0f47836bfb042a845 |
C:\Windows\system\vycKdpC.exe
| MD5 | e06e5835ae6b2dd081b585664221a290 |
| SHA1 | d729b54eb484fe64d7b71941e6d547db3460f617 |
| SHA256 | 536a2c979042570f26c668fe0d0492c2ad1fb041d9127ae6e1b5110fd8ca081a |
| SHA512 | ac5688100f0b3ec97de6cc401a3ef67f7a1a72c4355db15f3ddd5ccd2e3b915e6f2e8e4630bd7f74212678eb31210e1d1be750481607035e34a405f1dbe88968 |
C:\Windows\system\tlUCRAw.exe
| MD5 | 438592b4c446c3c253b97b2a7e718cd3 |
| SHA1 | a87512454e9078519c217558dc626a0e9c7841fc |
| SHA256 | 2fcb431cf2077529a352ee6c12fae94096190a49d3a20053129bcf09d95ab55c |
| SHA512 | 55d44f704ac278de65705413a16bd22b725be53cf164603d66dfbb66faf9a07c591d53ed00b786be7deec01d3b512871cfa835dc721f16a0788b4911beda1127 |
\Windows\system\fScpPUL.exe
| MD5 | f482c9128535bb5712982ef6addaf9ce |
| SHA1 | 1304e51a944dafe3d0ba3182deac6c15fff31251 |
| SHA256 | 4d93657c5e1799988576e807f582c9f092eebb1768cf9a7e785d8a587df2f174 |
| SHA512 | a45d0bdb8f687a1074f74917d0583c37cf8c355393752a631ae2da2f4b45a6cceb9ef23ad08c2c8b52fa4899b362d6a4ab060444b318d2ec9b810363ca59298f |
memory/2864-79-0x000000013F7A0000-0x000000013FAF1000-memory.dmp
memory/3056-72-0x000000013F320000-0x000000013F671000-memory.dmp
memory/3056-71-0x0000000002170000-0x00000000024C1000-memory.dmp
memory/3056-70-0x000000013F2B0000-0x000000013F601000-memory.dmp
C:\Windows\system\dngWqHB.exe
| MD5 | 4f3377628bff0a2c8ca173fb04f9b796 |
| SHA1 | 1bd959ce22bc7bfe88886b663dafd5980fa5c2a4 |
| SHA256 | 90e67a35f1459d77c04bebcc06ac1dca598867892dbe3370fface65f349e97a6 |
| SHA512 | 06d937883e2f513f2d4db1ed09ce657052166291efd298a5ac4b530c820be1ae39bfac742e04e54311597867b8efbdb18b37d4db54d91ea30d083ee243b6a329 |
C:\Windows\system\ssvRGYf.exe
| MD5 | 1929b6547aee47533af69f2d7a1ff3a5 |
| SHA1 | 83e0122d6644c89d65443896a1023cb5b9978747 |
| SHA256 | a81fa0074048f7814dc7fd1e8273c8e7d5f781ce1e90e06645fa7ffbeca80aa5 |
| SHA512 | 029a65dfeade96fb088c3797f617141775fba635ff68788c386a73b0e6ea39df47470aa2e80c9f6dd52ac307a07fbb16e18aca1ee7b8f54b28c3b6134f31d0d5 |
C:\Windows\system\JTvgmQU.exe
| MD5 | 5974023ea5aed022df75fdab5f077151 |
| SHA1 | b02c140b5ccb3efa24bd4f14ca5d2685dd40fbb5 |
| SHA256 | c6032087d6216956348748741d9e0eefe51f689694e736cf45b6d907608337b1 |
| SHA512 | 1f64f62e90cf0153647e35c8b356f1b068dcf071a7ea6eab0c1614e8c0c19c9045a3fdb28d6fc1ba03681f745ba14ddf4f9cd729ffdf2dd3664fcddc316085f2 |
C:\Windows\system\lUBxmlJ.exe
| MD5 | d3efa1f6870a66542c2276d0ee6a2b82 |
| SHA1 | 9c260ceb986ecdd24a657a1f15aa8b3a65ddd583 |
| SHA256 | bf552c53149918b11483f43c003a637d753a878b2ce51ec065f5295a89e02679 |
| SHA512 | 088f7019ae89ec9ad8e8d48b0c82bf5f84816c00632d5c57f53077a0eb3f6e379328d7686a547ee925fff575e4c0bca1d005e95ad50699e27223d376193273f9 |
\Windows\system\eqXGkou.exe
| MD5 | 1c8cfb733d5eb878db6dbb4f2024a41f |
| SHA1 | 8c7f69ece54092c6648d9292f71aef6bd2270234 |
| SHA256 | 78d2b8709d43683220ee92d857815a438a794dabc7f76000e617fed1edc99b32 |
| SHA512 | a2d9223a4865245ef23f721a0414c9a61d3970a8292c715c4660ef90cae82473ea661514fdee54d4b8acb2ef8226b51230cc91470c0968d3f2314985abbf70cd |
\Windows\system\fOkuxeS.exe
| MD5 | fd557cfb97248ad9fbdc8b2dd39a1a61 |
| SHA1 | f711818bacba9da2a49c3bba5153144fe2371e1d |
| SHA256 | 6d197c7e1667a546b795f095c95a70b32480b0b6607edcffe19e6dacf4edc323 |
| SHA512 | 247168c4941c622536e59e08b91ab8ee8a4f0e1c2fdae3fb27468b9023015b9f943b630c79db9205d4aee493d593756fc67eab23236cad3428ae1d07ace189e8 |
\Windows\system\BMCBPPB.exe
| MD5 | 69da40ac5de323ba3969ad726911cd17 |
| SHA1 | d8cd0921e0b62ae625aee9a7cded347785fada27 |
| SHA256 | 52c925806b62713f5ba8b5d2bb924c7628de5edfa261f7b9d8e180cc2d851fd9 |
| SHA512 | 2858c07ebe086f5755230a8953bc070440b4338665bf6629c1b2b2a791a37dea5b3357728ad0cfdcaab44e9961fc3dd2aabbb49b644aa18008c7c3d44fb3a6a9 |
\Windows\system\iyGzXnm.exe
| MD5 | f8273ff2c54939aa677fe0a980bb7f2e |
| SHA1 | 53d378d33cd57925e108df2d65696bf5b61db9c1 |
| SHA256 | 5107893544369258f3695fea98999d0fcfc7522b9e6cc0568f4646273281f1e1 |
| SHA512 | 9c02b52215482eba21f694801e695749139555d989fea8db7d84e3fe3a3f792ef2eea851ef8dbf71a12a18fc0110bb7728bd26c8794efeb125ebdcf36287fc5a |
memory/3056-33-0x0000000002170000-0x00000000024C1000-memory.dmp
memory/3056-31-0x0000000002170000-0x00000000024C1000-memory.dmp
\Windows\system\pZufMnU.exe
| MD5 | fab367808ed88074fdf2cd69db128790 |
| SHA1 | 47557e96ac778388b2328c57e132d07699b88c84 |
| SHA256 | a9be96e609218538babc9f7cbf7f70af25f6b700a1bfa5bc2b5679d275d527fe |
| SHA512 | af3c2e7229841c5c59887ff659384ed6a5e38afc025738064cc9f1a0ad95e77aa18eaba5188fb82c4fbd94a5095835408a08f4c6ef505e637b4fa28355bf7606 |
memory/3056-116-0x000000013F320000-0x000000013F671000-memory.dmp
memory/3056-115-0x000000013F030000-0x000000013F381000-memory.dmp
memory/3056-114-0x0000000002170000-0x00000000024C1000-memory.dmp
memory/3056-113-0x000000013F690000-0x000000013F9E1000-memory.dmp
memory/3056-111-0x000000013FF40000-0x0000000140291000-memory.dmp
C:\Windows\system\cNKuwjU.exe
| MD5 | b273d0ac61ff8e38331da5a56003d651 |
| SHA1 | 6c155c9a8ad172df608447918edb741fed0b25ff |
| SHA256 | 23bb25f1037bb14b25eb74120f92f032f77271e2d20bc806d23dde2b034d8c60 |
| SHA512 | 2dc0189c971821bdf2df3063957c78de30480f4bb07c1981daf1abb5f0e5c4ba214c3ee7a83f23ca407040cc376847432fa30f8567a72c79292dd3420b719592 |
memory/3056-108-0x000000013F640000-0x000000013F991000-memory.dmp
memory/3056-107-0x000000013F360000-0x000000013F6B1000-memory.dmp
C:\Windows\system\gxAVuKG.exe
| MD5 | a5ede32fe7142faa33ccdc8f5c827045 |
| SHA1 | db0a61df4f78baadf3ec31b1f02a3ef1c47846ab |
| SHA256 | 41b00556d0b366e099418304a6dbfec86a506f0d67e051a8c0433b2b80d0b0ad |
| SHA512 | b5d9db60ec36061eea0812e18fa265491f452d1655a6239f7fdd37962b644171914ca1ae9e4099c21a55aec1d4b3173e1611237210a23ba6022bae9eeceb6598 |
C:\Windows\system\zkQlXFT.exe
| MD5 | a3efec4ccafd32cbda28282ae4fe84a0 |
| SHA1 | 3c8067e3e725b3bc99628f2a86308ba781cfbfa0 |
| SHA256 | 167e879cb967198150771b80e2970d4f72e6e873652601ec72d3736bdefc18bf |
| SHA512 | 6df11e2ad579e687fbd5323f3a30744be02c2b1b522a3b7ad7e82b166ea498926817667f3ad8f17f179cf3e098ef82ec3ab6eeef3e88731736ba21fef8d0ac2d |
memory/3056-103-0x000000013F0C0000-0x000000013F411000-memory.dmp
memory/1944-102-0x000000013F030000-0x000000013F381000-memory.dmp
memory/2756-94-0x000000013F320000-0x000000013F671000-memory.dmp
memory/2884-84-0x000000013FE80000-0x00000001401D1000-memory.dmp
memory/2960-76-0x000000013F360000-0x000000013F6B1000-memory.dmp
memory/2948-51-0x000000013FD10000-0x0000000140061000-memory.dmp
memory/3056-38-0x000000013FFB0000-0x0000000140301000-memory.dmp
C:\Windows\system\yyjWhBX.exe
| MD5 | 3484fece33b0a2490288252e4a060c6d |
| SHA1 | 46a3ffa2ce8b9476fac5800b9ad27331f6999e57 |
| SHA256 | 7e633fb0362e1ff5db75534adba6bab65dc2c5366410755bd7ef5fa1a88a227b |
| SHA512 | 104449c8fb654503f4a88350e8a3d6607afc71b3194128f0ba418412e9e1a37a3347d0f913fbeee608bb8838411eddc60b805304f2a1e49fb4ab94724563f791 |
memory/2876-28-0x000000013FCF0000-0x0000000140041000-memory.dmp
memory/3056-19-0x0000000002170000-0x00000000024C1000-memory.dmp
memory/3056-134-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
memory/2524-135-0x000000013F700000-0x000000013FA51000-memory.dmp
memory/2772-148-0x000000013FFF0000-0x0000000140341000-memory.dmp
memory/1592-146-0x000000013FF40000-0x0000000140291000-memory.dmp
memory/2144-144-0x000000013F2B0000-0x000000013F601000-memory.dmp
memory/2160-142-0x000000013F640000-0x000000013F991000-memory.dmp
memory/2808-140-0x000000013FFB0000-0x0000000140301000-memory.dmp
memory/2948-139-0x000000013FD10000-0x0000000140061000-memory.dmp
memory/1496-138-0x000000013FE40000-0x0000000140191000-memory.dmp
memory/2876-137-0x000000013FCF0000-0x0000000140041000-memory.dmp
memory/308-136-0x000000013FC40000-0x000000013FF91000-memory.dmp
memory/2320-155-0x000000013F5E0000-0x000000013F931000-memory.dmp
memory/1948-154-0x000000013FFA0000-0x00000001402F1000-memory.dmp
memory/856-152-0x000000013F320000-0x000000013F671000-memory.dmp
memory/3028-150-0x000000013FB50000-0x000000013FEA1000-memory.dmp
memory/3064-149-0x000000013F690000-0x000000013F9E1000-memory.dmp
memory/2576-153-0x000000013F0C0000-0x000000013F411000-memory.dmp
memory/3056-156-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
memory/3056-157-0x000000013F2B0000-0x000000013F601000-memory.dmp
memory/2524-202-0x000000013F700000-0x000000013FA51000-memory.dmp
memory/308-204-0x000000013FC40000-0x000000013FF91000-memory.dmp
memory/2876-206-0x000000013FCF0000-0x0000000140041000-memory.dmp
memory/2948-208-0x000000013FD10000-0x0000000140061000-memory.dmp
memory/2864-210-0x000000013F7A0000-0x000000013FAF1000-memory.dmp
memory/2884-233-0x000000013FE80000-0x00000001401D1000-memory.dmp
memory/2756-232-0x000000013F320000-0x000000013F671000-memory.dmp
memory/2960-229-0x000000013F360000-0x000000013F6B1000-memory.dmp
memory/1944-235-0x000000013F030000-0x000000013F381000-memory.dmp
memory/3064-237-0x000000013F690000-0x000000013F9E1000-memory.dmp
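The memory dump names in the Files section encode the PID, a dump sequence number and the virtual address range that was dumped, for example memory/3056-0-0x000000013FBA0000-0x000000013FEF1000-memory.dmp. Parsing them shows something the raw list hides: every process in both runs, the sample itself included, has a region of exactly 0x351000 bytes dumped, and PID 3056 additionally holds a region of that same size at 0x2170000, far from where its image is mapped. The parser below is an added example, not part of the report; the dump names it is fed are copied from the Files sections of the win7 and win10 runs above.

```python
import re
from collections import defaultdict
from typing import NamedTuple

# memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp
DUMP_NAME_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


class Region(NamedTuple):
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> Region:
    """Parse one dump file name; reject names that do not fit the pattern or have an empty range."""
    m = DUMP_NAME_RE.match(name.strip())
    if m is None:
        raise ValueError(f"not a memory dump name: {name!r}")
    region = Region(int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))
    if region.end <= region.start:
        raise ValueError(f"inverted or empty range: {name!r}")
    return region


def group_by_size(names):
    """Map region size -> set of PIDs that had a region of that size dumped."""
    pids_by_size = defaultdict(set)
    for name in names:
        r = parse_dump_name(name)
        pids_by_size[r.size].add(r.pid)
    return dict(pids_by_size)


def dominant_size(names):
    """The region size shared by the most distinct PIDs, with that PID count."""
    groups = group_by_size(names)
    size = max(groups, key=lambda s: len(groups[s]))
    return size, len(groups[size])


def low_regions(names, size):
    """Regions of the given size that sit below 4 GiB. On the win7 run every image
    mapping in the report is above 0x13F000000, so a same-size region this low
    is not the process's own image."""
    return [r for r in map(parse_dump_name, names) if r.size == size and r.start < 0x1_0000_0000]


# Dump names copied from the Files sections of the win7 run (PIDs 3056, 2524, 308, 2876)
# and the win10 run (PIDs 4924, 2980).
SAMPLE_DUMPS = [
    "memory/3056-0-0x000000013FBA0000-0x000000013FEF1000-memory.dmp",
    "memory/3056-1-0x0000000000300000-0x0000000000310000-memory.dmp",
    "memory/2524-8-0x000000013F700000-0x000000013FA51000-memory.dmp",
    "memory/308-14-0x000000013FC40000-0x000000013FF91000-memory.dmp",
    "memory/3056-13-0x0000000002170000-0x00000000024C1000-memory.dmp",
    "memory/2876-28-0x000000013FCF0000-0x0000000140041000-memory.dmp",
    "memory/4924-0-0x00007FF698B90000-0x00007FF698EE1000-memory.dmp",
    "memory/4924-1-0x000001C9E3CB0000-0x000001C9E3CC0000-memory.dmp",
    "memory/2980-29-0x00007FF62BA90000-0x00007FF62BDE1000-memory.dmp",
]

if __name__ == "__main__":
    size, count = dominant_size(SAMPLE_DUMPS)
    print(f"{count} PIDs map a region of 0x{size:X} bytes ({size:,} bytes)")
    for r in low_regions(SAMPLE_DUMPS, size):
        print(f"PID {r.pid}: same-size region at 0x{r.start:X}, outside its image range")
```

The same region size in every dropped process, set against the different MD5/SHA values listed for each dropped file, means the drops share one image layout without being byte-identical copies; the report does not say what differs between them. The same-size region at 0x2170000 inside the parent is consistent with the parent holding a copy of that image in a private buffer (the WriteProcessMemory signature fires in the same run), but the report does not identify the buffer, so treat that as a lead rather than a finding.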
Analysis: behavioral2
Detonation Overview
Submitted: 2024-08-06 11:26
Reported: 2024-08-06 11:29
Platform: win10v2004-20240802-en
Max time kernel: 149s
Max time network: 150s
Command Line: (none recorded)
Signatures
Cobalt Strike reflective loader (21 matches; the report records no description, indicator, process or target for any of them)
Cobaltstrike
xmrig
XMRig Miner payload (46 matches; the report records no description, indicator, process or target for any of them)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\WyHczkU.exe | N/A |
| N/A | N/A | C:\Windows\System\pHNoZKY.exe | N/A |
| N/A | N/A | C:\Windows\System\wyHUQbL.exe | N/A |
| N/A | N/A | C:\Windows\System\CNoNQLF.exe | N/A |
| N/A | N/A | C:\Windows\System\OhgRCaa.exe | N/A |
| N/A | N/A | C:\Windows\System\rrYTaUg.exe | N/A |
| N/A | N/A | C:\Windows\System\nxzZebL.exe | N/A |
| N/A | N/A | C:\Windows\System\BFrDUpP.exe | N/A |
| N/A | N/A | C:\Windows\System\LDvvTiW.exe | N/A |
| N/A | N/A | C:\Windows\System\NnTJYTe.exe | N/A |
| N/A | N/A | C:\Windows\System\OMbqtTa.exe | N/A |
| N/A | N/A | C:\Windows\System\jvEqKMv.exe | N/A |
| N/A | N/A | C:\Windows\System\HvclqLJ.exe | N/A |
| N/A | N/A | C:\Windows\System\foYcdEB.exe | N/A |
| N/A | N/A | C:\Windows\System\sJFAMPg.exe | N/A |
| N/A | N/A | C:\Windows\System\rLGKHQM.exe | N/A |
| N/A | N/A | C:\Windows\System\MGhtyLi.exe | N/A |
| N/A | N/A | C:\Windows\System\kPHpXlQ.exe | N/A |
| N/A | N/A | C:\Windows\System\kSRyVYk.exe | N/A |
| N/A | N/A | C:\Windows\System\yMsoPUa.exe | N/A |
| N/A | N/A | C:\Windows\System\ryAsBNe.exe | N/A |
UPX packed file (64 matches; the report records no description, indicator, process or target for any of them)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-06_55b2bb132db145bee458443f2e5c868a_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\WyHczkU.exe | C:\Windows\System\WyHczkU.exe |
| C:\Windows\System\pHNoZKY.exe | C:\Windows\System\pHNoZKY.exe |
| C:\Windows\System\wyHUQbL.exe | C:\Windows\System\wyHUQbL.exe |
| C:\Windows\System\CNoNQLF.exe | C:\Windows\System\CNoNQLF.exe |
| C:\Windows\System\OhgRCaa.exe | C:\Windows\System\OhgRCaa.exe |
| C:\Windows\System\rrYTaUg.exe | C:\Windows\System\rrYTaUg.exe |
| C:\Windows\System\nxzZebL.exe | C:\Windows\System\nxzZebL.exe |
| C:\Windows\System\BFrDUpP.exe | C:\Windows\System\BFrDUpP.exe |
| C:\Windows\System\LDvvTiW.exe | C:\Windows\System\LDvvTiW.exe |
| C:\Windows\System\NnTJYTe.exe | C:\Windows\System\NnTJYTe.exe |
| C:\Windows\System\OMbqtTa.exe | C:\Windows\System\OMbqtTa.exe |
| C:\Windows\System\foYcdEB.exe | C:\Windows\System\foYcdEB.exe |
| C:\Windows\System\jvEqKMv.exe | C:\Windows\System\jvEqKMv.exe |
| C:\Windows\System\HvclqLJ.exe | C:\Windows\System\HvclqLJ.exe |
| C:\Windows\System\sJFAMPg.exe | C:\Windows\System\sJFAMPg.exe |
| C:\Windows\System\rLGKHQM.exe | C:\Windows\System\rLGKHQM.exe |
| C:\Windows\System\MGhtyLi.exe | C:\Windows\System\MGhtyLi.exe |
| C:\Windows\System\kPHpXlQ.exe | C:\Windows\System\kPHpXlQ.exe |
| C:\Windows\System\kSRyVYk.exe | C:\Windows\System\kSRyVYk.exe |
| C:\Windows\System\yMsoPUa.exe | C:\Windows\System\yMsoPUa.exe |
| C:\Windows\System\ryAsBNe.exe | C:\Windows\System\ryAsBNe.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
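The two Network tables (win7 above in behavioral1, win10 here) differ mostly in what the platform adds: the win10 run contributes Bing lookups and a series of reverse-DNS (PTR) queries, while both runs make six TCP connections to 3.120.209.58:8080. The report does not say which component, beacon or miner, opens that port, so it is an indicator for the sample as a whole rather than for one family. The Python below is an added example, not part of the report; it diffs the two tables so that only destinations present on both platforms survive, and it reverses the PTR names back into addresses so they can be compared with the connection targets. The rows are transcribed from the tables in this report; treating the Bing traffic as Windows 10 background is an assumption the report does not state.

```python
from collections import Counter

# Rows transcribed from the two Network tables of this report as
# (country, destination, domain, proto); an empty domain means the row had none.
WIN7_ROWS = [("DE", "3.120.209.58:8080", "", "tcp")] * 6
WIN10_ROWS = [
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "10.27.171.150.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "3.181.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "240.221.184.93.in-addr.arpa", "udp"),
    ("US", "204.79.197.237:443", "g.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "237.197.79.204.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "50.23.12.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "171.39.242.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "172.214.232.199.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "19.229.111.52.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "13.173.189.20.in-addr.arpa", "udp"),
]

PTR_SUFFIX = ".in-addr.arpa"


def ptr_to_ip(name: str):
    """Reverse a PTR query name (d.c.b.a.in-addr.arpa) back into a.b.c.d, or None."""
    if not name.endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        return None
    return ".".join(reversed(octets))


def split_dest(dest: str):
    """'ip:port' -> (ip, port)."""
    ip, port = dest.rsplit(":", 1)
    return ip, int(port)


def classify(row):
    """'ptr-query' or 'dns-query' for resolver traffic, 'connection' for everything else."""
    _country, dest, domain, proto = row
    if split_dest(dest)[1] == 53 and proto == "udp":
        return "ptr-query" if ptr_to_ip(domain) else "dns-query"
    return "connection"


def connections(rows) -> Counter:
    """How often each (destination, proto) was connected to, resolver traffic excluded."""
    return Counter((r[1], r[3]) for r in rows if classify(r) == "connection")


def shared_destinations(rows_a, rows_b):
    """Destinations contacted in both runs; traffic only one platform generates drops out."""
    return set(connections(rows_a)) & set(connections(rows_b))


def resolved_to(rows):
    """domain -> addresses the run then connected to under that name."""
    out = {}
    for row in rows:
        _c, dest, domain, _p = row
        if domain and classify(row) == "connection":
            out.setdefault(domain, set()).add(split_dest(dest)[0])
    return out


def ptr_only_addresses(rows):
    """Addresses the run reverse-resolved without ever sending a packet to them."""
    contacted = {split_dest(r[1])[0] for r in rows}
    looked_up = {ptr_to_ip(r[2]) for r in rows if classify(r) == "ptr-query"}
    return looked_up - contacted


if __name__ == "__main__":
    print("shared:", shared_destinations(WIN7_ROWS, WIN10_ROWS))
    print("win10 connections:", dict(connections(WIN10_ROWS)))
    print("resolved:", resolved_to(WIN10_ROWS))
    print("PTR-only:", sorted(ptr_only_addresses(WIN10_ROWS)))
```

The cross-run intersection is the safer way to isolate the sample's own destination, because it needs no allow-list of "known background" domains. The PTR-only set is also worth a look when reading this kind of table: seven of the addresses the win10 run reverse-resolved never appear as a connection target, so those lookups say something about the host's resolver activity, not about where the sample sent data.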
Files
memory/4924-0-0x00007FF698B90000-0x00007FF698EE1000-memory.dmp
memory/4924-1-0x000001C9E3CB0000-0x000001C9E3CC0000-memory.dmp
C:\Windows\System\wyHUQbL.exe
| MD5 | 8935561dba725b19731f1d9ee4d6215e |
| SHA1 | 3ec1aaa6ab202c77f2d3df1bbb0bb423b8b61f89 |
| SHA256 | b1f2619d498665aa20c3f41d20081969a5bb216491c98f67fe44fbb51559fe10 |
| SHA512 | 6b83ff20581c4ad9738e970b28a520398c9b92b62b913c3986b01c1763dd7eaf22b14bfa17673d2ecb0575d28b62fce1955b6752f9f7129e884ef9c895ad8411 |
C:\Windows\System\pHNoZKY.exe
| MD5 | 00eb485ed9af0524672eb0ca740e043c |
| SHA1 | 91e5349dfaa527ecaf9df0537608b36fa5ee99a9 |
| SHA256 | 3e21bab0c2dadece159db45cb515850ca41d15080cae9bbe0a1e606d60e23c33 |
| SHA512 | 452393978d9ae4a71d7e87d573e04cb3c33534ec2680dd375e792503a6e1b3079cf45f0f413ffac291f37253bd6336037e7e4cbabb21d4657b4c612bd97b3b08 |
memory/2980-29-0x00007FF62BA90000-0x00007FF62BDE1000-memory.dmp
C:\Windows\System\nxzZebL.exe
| MD5 | 20648eb00f5b1c4b7965ad23d75c5757 |
| SHA1 | e09ce8a92056590b6c2b5ef5f1b11ea0d7292fed |
| SHA256 | 0ee91aaf5cedf2b9a7762b91cc0a730b8af3f83ba550d36aaa7a8850722fa731 |
| SHA512 | 65d2f41f5da22872f1df2f40bade60711790df6f10e7fe6552deedd027dde13456eb2f9dedbf56f998a5c8ca556e4143935f72342fa30969b56670b95c3df6b0 |
C:\Windows\System\BFrDUpP.exe
| MD5 | 369e0c52d2f099f2367c9b9a93c1dc5e |
| SHA1 | 5f2f4b3efe5b64b57e247ac6849e0dfe2552ddf1 |
| SHA256 | a6f1232222219322f900a2fef90a2613e7ff93fb85f138df65422a203d2c818c |
| SHA512 | a5c13875cbb75d48d8463438cff39ecc085d3d90053ef374f0eb1ae80169f2a71641c6c782b7474cf405b7c37426337774af8b7fd9e9362193792cf6975bcd3c |
memory/3024-52-0x00007FF6232A0000-0x00007FF6235F1000-memory.dmp
memory/4428-49-0x00007FF6BBD50000-0x00007FF6BC0A1000-memory.dmp
C:\Windows\System\LDvvTiW.exe
| MD5 | 6f72f7d3b737833cfe3fbc77011e12c2 |
| SHA1 | ee591bfcee4947474d7aa54c7c5a5cf5dfa73b70 |
| SHA256 | effa77b1b4f6cc08c2508375957afe0de7eb0831d97ecd3f543f1259bc41c0cc |
| SHA512 | c961215d62a7d1c35f18bdc2ee9a9e8da6d9a447b1c40ec6706b88e0f331661da6b9c315d1d34aad6bab710f8fee182e484847c5894296687302f315bffd0694 |
C:\Windows\System\OMbqtTa.exe
| MD5 | 08fac665b71039afc8efd8f6d8ab2fb1 |
| SHA1 | 5578ac583362f367568ed9da66e16a791aaa34a7 |
| SHA256 | 5e046dc6cff850bf0cb42d2945f159a9f0026d46146d67a286a8becd622c2e0f |
| SHA512 | e01eb99598c2a98b6a016e74be8b83ccf14322d14465ce8a8fc37ba17cd639bd2db581b9d3ad5277b340190006dbf7024e6638a0a0d22e44775ce732b3f648af |
C:\Windows\System\HvclqLJ.exe
| MD5 | 4fc3ac3ea57ceb6cb9c5ce6f8a19dfb1 |
| SHA1 | 0a138cc30a83da1d77897190b12b8e34b4dacd85 |
| SHA256 | e3235b262a8b40f23a52c1ba8037ca81e8e2ccbf5eea34600a9e36b3d598f7ee |
| SHA512 | 3253538f6c698459fc0c86634a70481a73ae0301eff5c6d42c56ee3aa14ba6335b7387ac25f27b962a6b746972bf8818a77d1a4c161c01e74ecb1ee5334bf065 |
C:\Windows\System\foYcdEB.exe
| MD5 | 73632738d2c4ee4dbc05f5a0734bcf59 |
| SHA1 | 3e8ff84ee1d81811be169883a188b46f99d821fd |
| SHA256 | 380e8fb142107669c690f09f1a8c555b094a91c2b5fdba5150a19657401b035a |
| SHA512 | 2bc0ef809667267393339f6523b8418abd24e66e01eeb1a7971400cf977bfc179d471beba3a86dc6d15afd8f8c559a34376ea077c5a93b0b756e914b36c34109 |
C:\Windows\System\rLGKHQM.exe
| MD5 | d8d6082f8f2b1d8201791e33cab3baa9 |
| SHA1 | e7c527a96c63300b69047273a1d9fea1d4d30a48 |
| SHA256 | 751d287bd75efbea9c5cb5e1abeefe115646cfc45bdae2b8b2a46874dc641c8b |
| SHA512 | dbaad63c9d138cb4036f3e0787dcdfaf4578d3961ca0e2fe364081da6bb93f2b598a2b957b40775f33b2288f56199f137a4136991bb3e92b2fc6bb7bd0867414 |
C:\Windows\System\yMsoPUa.exe
| MD5 | 64f0bc4f60016cbf265aa0ebd99228dc |
| SHA1 | df60301c4f5eb03aaa0ce9b8c4557d4bb2f6ad5d |
| SHA256 | 047d2804afc1ca94ae357be2b52f300bff767c39008e69ca6ba2d4c635a6594a |
| SHA512 | 273273f90fa5ccca0967cc0e564f25bb23ccaf143efdb12423801ecf121d0bb875ac7781605dbdf47aa513fa788b993c671e47b8d59f4a957a282482436d8031 |
C:\Windows\System\kPHpXlQ.exe
| MD5 | 24e3cfaa07f5855186c785b8c4a5a50a |
| SHA1 | 0f93b708601d6d7dd060d0bf45b4952fc6f527c1 |
| SHA256 | ab6b913be64b2fdbf50598e9386ae28a970c2f3f05bd2ddaa6346d7a02ad1f9e |
| SHA512 | f19e3b6ec2e738bdd4b9b20ca338b611e315e32b3814299899c23dfcddda15232f42290510947f10fd3043bdf7f8e70750ffe00370895377d811072882c6bae6 |
memory/4712-122-0x00007FF60BFD0000-0x00007FF60C321000-memory.dmp
C:\Windows\System\kSRyVYk.exe
| MD5 | ccb243695bf11ee5bfb1ffb67da83293 |
| SHA1 | 10931d09bf972ec0ee27c3fd483b9b10700f0f30 |
| SHA256 | a3b6680621def7bc79c1869c908c9deac739d50dde7c9941c611f0b2e5dd6ae1 |
| SHA512 | b1bc1d4e94f9f9751ba82508abfdaf572cf396c70300a594ffe56a54004992a5eb84adac9be54e3c5284908b858a4f0a94b666934305fb5da1f7c1720ac9da61 |
memory/2256-117-0x00007FF6225F0000-0x00007FF622941000-memory.dmp
memory/3380-116-0x00007FF747190000-0x00007FF7474E1000-memory.dmp
memory/3872-113-0x00007FF62DDB0000-0x00007FF62E101000-memory.dmp
memory/4556-112-0x00007FF6BBC00000-0x00007FF6BBF51000-memory.dmp
memory/3512-111-0x00007FF73A940000-0x00007FF73AC91000-memory.dmp
memory/3676-110-0x00007FF7D96A0000-0x00007FF7D99F1000-memory.dmp
C:\Windows\System\MGhtyLi.exe
| MD5 | 32a11ca6570ab40efa3ab7ef41494140 |
| SHA1 | 6aa53818421495d7a5ca898fe18b69fca6be025e |
| SHA256 | bb3c694bc9e7d5ce7fb0c343e88e9af9b33dc074428626b27a4f89e77ab1901c |
| SHA512 | dbc058ebb5e4a0a0c58168ae48f08f5c8caacd90cac407377e1fdd76a1a9566dfa464b02089c4ab7d27a954fcdcb99ab6c9a88cb89ce8fd0bc20c500a7da8f03 |
C:\Windows\System\sJFAMPg.exe
| MD5 | 7241d1de1d69e4914c45b231f1b75179 |
| SHA1 | 7aad44f63cd2beb1114d082e11ead3ce089e5981 |
| SHA256 | aff1af68bcebb28ea5b27b6512f42575cc61c078c0ad9eb51ecd1ac2b9d86225 |
| SHA512 | e2ec81ef4b3ec0cdd119ad6108bcf21f55cfc2b3c985ffd78065d942384e4d1707f1281eb5626bede71c6ef8b68153c4fbc27592d0482bb4380ab532da3eb301 |
C:\Windows\System\NnTJYTe.exe
| MD5 | a901b0355d93152da1dd53f7d13687b2 |
| SHA1 | b839671a643d045519319fc5643534599071d971 |
| SHA256 | 298ce07ea24fcfe5815b4691a9e5f5851965c390b61475f61cc1cfbb3fcd550d |
| SHA512 | 884b4ed85030bf811e5f620972b02e19d026f35959e1e9132e3f9e55c6da825c8a84e3b2d2f006197758e767c01e49f9259f92c06a43818b181b9e5e34ee6c5f |
C:\Windows\System\jvEqKMv.exe
| MD5 | ae0ceab403ecad335802f0b8811b59b8 |
| SHA1 | b3bbbd462e73d593e24dca9cd21ff8072196a055 |
| SHA256 | 2ece3a1014a8981a857ed2c88131b54eb330396f29cd6538278efb982c15dc58 |
| SHA512 | 9d24fcb55481602407c504f09e789e6ea77305d7c093061c5703be9e3e4cea400ba9eaee8a567786a25ab67a97edb8f9fe9d45e08906987567b76db6d2e33698 |
C:\Windows\System\rrYTaUg.exe
| MD5 | 4255e5906f4923ccdc2cc09bc8a530e6 |
| SHA1 | 2213ce38eebc3713d28b42c5352fac2d057cef9d |
| SHA256 | 9a86146b671ab0f23120e0b1109f723e13e7f9fa30bcaa7391839f9aac627326 |
| SHA512 | 221a015535cba18a61b2ca424e0a1269dbfd1fa647cece74e71c58c1b849e624f8e258081116c91f708984992f42b3d6800a1fc02d9501af789c6a3aa0656702 |
C:\Windows\System\OhgRCaa.exe
| MD5 | a3e158a2c5db34229f205cba3131db55 |
| SHA1 | 8e8aa5c8ff5f06868024adb2b642faea04593b4f |
| SHA256 | cc5b8fcab38e6ef257750b1e920512fcbad791be2c2b561f65379d1dea9826b4 |
| SHA512 | 4cc4f64bde11bd61d49ef6fcd6e78dc74511feb5ed3f8103a3b111cd3333535bf3da5588e5448c7c009efec19186c5313fa5109a165983764e7d86b6a03a5c08 |
C:\Windows\System\CNoNQLF.exe
| MD5 | a0ca952ef2cee2cbded9fa39be063b36 |
| SHA1 | 2898888d04719ded5f61e81c80711d9689e89643 |
| SHA256 | 3f8d9eab49f2ebd0b5e0cc1c8d3047a0241113f58ef92327ef7957ef575a400e |
| SHA512 | 8be1ffc2edb90cdc1c2427f30ae6678cf4d30a389128ad451f8c88dcc9c48004ea2ad481b61d8ec715b5dbc1637604569839f919d6397684433571c50744d00a |
C:\Windows\System\WyHczkU.exe
| MD5 | 8313c6be858109c22c184efa51961bce |
| SHA1 | 59a8b55cc96d50736b9cf4e3ff5814b1ff9535c7 |
| SHA256 | 9ed9481e181abc9f9606277187b171898c05b0a94512891a09cc02c9985c5574 |
| SHA512 | 72b8568595681b9b2791f5490e12e3f288ccb1ca492e30a0a1fd6eb11a47ba5493af766a5adf61961282988097b7c9bbfdfa0dd28e222a14f68e496294fb6f0c |
C:\Windows\System\ryAsBNe.exe
| MD5 | 11bba73bffe815e98c924c539dd2efcd |
| SHA1 | 1cffa527a7e4be684e7f1b33112546d0729514ed |
| SHA256 | 6b7ceab712a4f99ab7033abba3cb4d4a0f75a7fe09b8bc4dd9deac3f4c4754a6 |
| SHA512 | 2274ed27e8737ffb999db99fe5cca206cc621927c58937898df2c7a37479a4fe06f32c572cbaa8837e2189f1786df02b5a272715d04d83dbe3ac96be67ce743a |