Analysis Overview
SHA256
25eaf9a351b758af2055556819802cebb4f4c8b3936d6e53b68c89c6414c86a4
Threat Level: Known bad
The file 2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Cobalt Strike reflective loader
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-06 11:33
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 11:33
Reported
2024-08-06 11:35
Platform
win7-20240705-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\cHeyWzz.exe | N/A |
| N/A | N/A | C:\Windows\System\ggtifjM.exe | N/A |
| N/A | N/A | C:\Windows\System\EgoLbgk.exe | N/A |
| N/A | N/A | C:\Windows\System\zJWCOGA.exe | N/A |
| N/A | N/A | C:\Windows\System\XifonPN.exe | N/A |
| N/A | N/A | C:\Windows\System\aCDOwzU.exe | N/A |
| N/A | N/A | C:\Windows\System\XjDsMQv.exe | N/A |
| N/A | N/A | C:\Windows\System\lmMOQXp.exe | N/A |
| N/A | N/A | C:\Windows\System\dlfeCPN.exe | N/A |
| N/A | N/A | C:\Windows\System\cvoEuVF.exe | N/A |
| N/A | N/A | C:\Windows\System\YpvIXvl.exe | N/A |
| N/A | N/A | C:\Windows\System\APpLIqy.exe | N/A |
| N/A | N/A | C:\Windows\System\SixYAxL.exe | N/A |
| N/A | N/A | C:\Windows\System\sKwfMnR.exe | N/A |
| N/A | N/A | C:\Windows\System\lxOJTIJ.exe | N/A |
| N/A | N/A | C:\Windows\System\mvxBmMx.exe | N/A |
| N/A | N/A | C:\Windows\System\wqGCkgl.exe | N/A |
| N/A | N/A | C:\Windows\System\aMMjElo.exe | N/A |
| N/A | N/A | C:\Windows\System\TlLUBzA.exe | N/A |
| N/A | N/A | C:\Windows\System\mSeyPxD.exe | N/A |
| N/A | N/A | C:\Windows\System\LKCPouu.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\cHeyWzz.exe
C:\Windows\System\cHeyWzz.exe
C:\Windows\System\ggtifjM.exe
C:\Windows\System\ggtifjM.exe
C:\Windows\System\EgoLbgk.exe
C:\Windows\System\EgoLbgk.exe
C:\Windows\System\zJWCOGA.exe
C:\Windows\System\zJWCOGA.exe
C:\Windows\System\XifonPN.exe
C:\Windows\System\XifonPN.exe
C:\Windows\System\lmMOQXp.exe
C:\Windows\System\lmMOQXp.exe
C:\Windows\System\aCDOwzU.exe
C:\Windows\System\aCDOwzU.exe
C:\Windows\System\dlfeCPN.exe
C:\Windows\System\dlfeCPN.exe
C:\Windows\System\XjDsMQv.exe
C:\Windows\System\XjDsMQv.exe
C:\Windows\System\cvoEuVF.exe
C:\Windows\System\cvoEuVF.exe
C:\Windows\System\YpvIXvl.exe
C:\Windows\System\YpvIXvl.exe
C:\Windows\System\APpLIqy.exe
C:\Windows\System\APpLIqy.exe
C:\Windows\System\SixYAxL.exe
C:\Windows\System\SixYAxL.exe
C:\Windows\System\sKwfMnR.exe
C:\Windows\System\sKwfMnR.exe
C:\Windows\System\lxOJTIJ.exe
C:\Windows\System\lxOJTIJ.exe
C:\Windows\System\mvxBmMx.exe
C:\Windows\System\mvxBmMx.exe
C:\Windows\System\wqGCkgl.exe
C:\Windows\System\wqGCkgl.exe
C:\Windows\System\mSeyPxD.exe
C:\Windows\System\mSeyPxD.exe
C:\Windows\System\aMMjElo.exe
C:\Windows\System\aMMjElo.exe
C:\Windows\System\LKCPouu.exe
C:\Windows\System\LKCPouu.exe
C:\Windows\System\TlLUBzA.exe
C:\Windows\System\TlLUBzA.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/2088-0-0x000000013FC70000-0x000000013FFC4000-memory.dmp
memory/2088-1-0x00000000000F0000-0x0000000000100000-memory.dmp
C:\Windows\system\cHeyWzz.exe
| MD5 | eb8a70fb699d85e8cbe3769c63f6e1f6 |
| SHA1 | 18c44a325794292c71539ee0da2f59068b1c4ea0 |
| SHA256 | fc4a7919b51dcfe20d742fba1e644b86825db80d2697cd1f1b126945e56328df |
| SHA512 | ac50ac49bea1e9e715428351297be0770bcc3df8d717a5027b1998deb5de3e6d7fa398af576a235428b557b297a7c75d877118dd7b0f411f5b2bbb51d34eb63e |
\Windows\system\ggtifjM.exe
| MD5 | 7580f94b49a61f91cccc27960f7a587b |
| SHA1 | dc77376aa6522ec8e27498b2282db5e3464a2d93 |
| SHA256 | 192bf856ede3968df19cfef653355f5655cb7259a86259717723bd0c3db63a64 |
| SHA512 | 5855ed2aeb10214be0eb4302ad7009af35110b8a43fbacfd6cebec2049ae930d9a987ea46f0640eb754feaafde8a1ff12285a605c74f196c9eb294eb8d3e6dfd |
memory/2088-14-0x000000013F270000-0x000000013F5C4000-memory.dmp
\Windows\system\XifonPN.exe
| MD5 | 5cb6d507b01f74229b11ae7a4af0c11f |
| SHA1 | 4b6f4ab4d84fae14b3e423f8fe71008d4fcdff9a |
| SHA256 | e93fc9cdcb426011cfb8b236f742054ac71253def9b47d261b4c9d681adb578e |
| SHA512 | 098e5cb34d5388ee4705dc0c3673b747e93b2d8598debc926e65f00a0d5c841fdfe2eba831f97082def6d0b6795b42695a79fe86f793e3f48a74cb6a78160b84 |
memory/2088-33-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2396-29-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2088-28-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/1196-26-0x000000013F680000-0x000000013F9D4000-memory.dmp
C:\Windows\system\zJWCOGA.exe
| MD5 | c1040430d5d0a6c6cd770168bdad3ac2 |
| SHA1 | bf99c1fdaa375a4959aa0d42bf67bcbc05d51ec8 |
| SHA256 | 12267479459a49223e63987876cc39a4f1e88f4e1c439ae1a342e91d53a7860f |
| SHA512 | 3f33593bf8854d7d3067c292d7ca69847b1dbe7576f0229403ce5750738989d0b7057d92985b9973d1b851119a1728587cffe8f1cedd5619cc8126e3e310bd28 |
memory/2532-13-0x000000013FBD0000-0x000000013FF24000-memory.dmp
C:\Windows\system\EgoLbgk.exe
| MD5 | 64813827cd7d3d8c4f197683469b3091 |
| SHA1 | 7f6811520b5a3f5dcfe7d092a939dd6b723c388b |
| SHA256 | a2d514a7e0797592e0bac493a6333077838813af7d3dea3792f264688b431257 |
| SHA512 | b1a947701e6266aa9af22a63c880ab748459384e567082f537d741e7e54efa265d70c52b2430b9dc8c792d2bab8334841d16ee05a433d285f1dce5da9e22f1d3 |
memory/2088-19-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/1668-18-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/2088-51-0x000000013F540000-0x000000013F894000-memory.dmp
\Windows\system\cvoEuVF.exe
| MD5 | b6f8fffd07d8bb3aede94367b79b6e90 |
| SHA1 | 37d2ec92a09e918309c7ff6ab4dd50f904e971f4 |
| SHA256 | 21667025d5593bd673b4b7ca6f244ddc8609753310d002ddcbbbbf39cfef0d90 |
| SHA512 | ba5b784fe2407d30a6ccb7ba5a49a8ae261999906a760d1892ad23da2fa8435c5a65cb209d29f9d2979f875e73f2fa4b5a79592acc8ddd6df62173c44d386360 |
memory/2088-66-0x000000013FC70000-0x000000013FFC4000-memory.dmp
memory/2740-79-0x000000013F920000-0x000000013FC74000-memory.dmp
C:\Windows\system\APpLIqy.exe
| MD5 | 446e40ec33dfb73078d5d7d2ab13c454 |
| SHA1 | 2af2e1fff0cdc80e026c238db8623e82edb10d6e |
| SHA256 | 2ad1105d4731e11a34723141675436076a2f5fdc1cda3dc3f4e903f30d219f4f |
| SHA512 | da93fdbfa19c679173d0f7c7cd1a3d7d01705eda6462a053a43563d09826f0df81e3f30090418edb130db220cc0d00bfdd2e1802eb811b64924d1199bab57543 |
memory/1196-92-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2672-95-0x000000013F1C0000-0x000000013F514000-memory.dmp
C:\Windows\system\sKwfMnR.exe
| MD5 | 7332f4b1089c24dc4b740d58d5a81cd0 |
| SHA1 | f90f3b2bddc3fc30eb247e4f2635bd8294a3bb04 |
| SHA256 | 4f3b7d125d9a3277f1de589aafd695b13caacd70b7f254da5d3b77c577df81ce |
| SHA512 | 2c1bb9525b60217a5c5b8b57a083c74835ac09b0e5778f13a430ec984318c4a974f24c56412a09f5f1f238b2e7791753f98fb07f10b34c4781e8ea671b67359a |
\Windows\system\LKCPouu.exe
| MD5 | f17a627699a351f14b4b160fcd85e207 |
| SHA1 | 5636d46444aa5e09457e6481df840de966f0e13c |
| SHA256 | 5369dc8bd93bcef0d2a7cf521db8a3c75f7fbc2226fbe5dfc02d0065e87830b6 |
| SHA512 | a23f154253f8a9e182ab572857430203becc7c8331b5579ed5c452b538c8c1225cbb12f4f033689ad7c6ff4b4e66badbbdbaa0145c0066baaa88cbc1f79d08f0 |
\Windows\system\mSeyPxD.exe
| MD5 | 233706f260a580713a1838a124b66666 |
| SHA1 | 4053a34db31f3e3a07638e46486c95cfaed13614 |
| SHA256 | 801519c1ba1fd9a92ae6d9b4b7ab58ba6f4526e25e274aba9c39bde88a362886 |
| SHA512 | 3aaa465ac9fdaa094789a7fdbc6ba2b957a9838944af20ca063c718ed36c7bc1b29ecf9236ae31a39e2ccd1ad6fc37cb45e63d49325cbaae3d324039d8f47832 |
C:\Windows\system\TlLUBzA.exe
| MD5 | 4a5f4324f0f7b7ab788668148aa64601 |
| SHA1 | a66fc69067ab623a333c72286877b14778cff5da |
| SHA256 | b18b261a247196b70ff4b12e82096c66451fdcfba5bf9e02f81b7dfa9640be33 |
| SHA512 | 21aab0ccbf5a55a68f3f0a8baf485fc3919f4a30c8536b7f628143b4afddc5a77e298fb8e18d55106dcfb7206561277af45a28d32cd83e5336a2ea4a7bfe1448 |
C:\Windows\system\aMMjElo.exe
| MD5 | 7268b36f572ccc72d7e94975edb02441 |
| SHA1 | 97c90709e8d6f99b7c1e3bef4f98641de8bdc35b |
| SHA256 | ac5498529541a512f1372f0799d445730ed7df0bcfea9a59e789328b52ddf2bf |
| SHA512 | c5a741bdfe21053ac031c66939cbeca7fba9d7d4dc2b28aa0654e02a83759784e71e4a779fd883410137fd16d10dfbe2908942c2e2993218c8ed9d4ee23a8409 |
C:\Windows\system\wqGCkgl.exe
| MD5 | 1f95e8542f37e951ceff381548678878 |
| SHA1 | 39ddf94f97f4cb0ba9cecd71248699475f566d2e |
| SHA256 | 2bac7be8c8a344b396b6aace55dbd5d34d9fa013ba0d269f7ca9a7e7f3a990df |
| SHA512 | 26eaad2b5a7a4eb7d7e74b81fabe04b9c736079464fd1909828297cca778457682ff3272ceede14bc6edd965da67466044879c6064ef715de0ed81bb4ff01993 |
C:\Windows\system\mvxBmMx.exe
| MD5 | 053bbb24a84c5999219cc922ac16377d |
| SHA1 | 8301a205de36599d08632a0e4d3eb2f9df55c50e |
| SHA256 | 1dea3713273e76d833b5968a63ceec454d124941087b9b39ae043c2d8b5e6b38 |
| SHA512 | 63b79d717b87453682b5b5469e24d2638d0150125b9e59d9b5e56940d5789b0c65448c8bcee5dc431148fe10be08fa5b97e4d8304626a15c1632da2cf54ec53e |
memory/2088-107-0x000000013F750000-0x000000013FAA4000-memory.dmp
C:\Windows\system\lxOJTIJ.exe
| MD5 | e60b3279a564a2e200e7b32b9ae5fc14 |
| SHA1 | a583dfb21c55bcf4bb09e46e4dcff5ab7928c29e |
| SHA256 | 12dd63e7647c0ac755d027c43b23514e06008ce0207144013087efa53b2cc739 |
| SHA512 | 7f314023f729e6ab457653540ae2d25367bc5a7ea3912b2f5bd4013eef06c400bdbc86713d6d5a7a5119cfb880b042c0578ffdbb2e78f85f204fc13931c65c33 |
memory/2156-101-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/2088-94-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/480-93-0x000000013F090000-0x000000013F3E4000-memory.dmp
C:\Windows\system\SixYAxL.exe
| MD5 | fbef7d3462d9a83caa9ec5aa146c6aa0 |
| SHA1 | 4b0fc8f30be0f47e42f9b1eb91ce0860d8f56fc9 |
| SHA256 | f6a37a7b06caf40263b0c8f996957c82fac3335185dbc1d0b4c8b80444eb363b |
| SHA512 | 51e48f5210552ad25deb9bb7fa6c148faf94f71a31f9860ad8c1c5dbdefbac371b26374f0ecff67ea5f181e4d800a97b8f00be2cec7f11bb36bb128ff4015e71 |
memory/2596-85-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2088-84-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2088-78-0x0000000002210000-0x0000000002564000-memory.dmp
memory/2088-77-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/2836-69-0x000000013FC70000-0x000000013FFC4000-memory.dmp
memory/2756-68-0x000000013F540000-0x000000013F894000-memory.dmp
memory/2752-67-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/2088-76-0x0000000002210000-0x0000000002564000-memory.dmp
C:\Windows\system\YpvIXvl.exe
| MD5 | a45a788b4aad1b7d0d2b87c2dadfcb37 |
| SHA1 | 795292f99e7f94c975ca3bd1e01cb4f2143c36c3 |
| SHA256 | a463439c1e8be7d8d3a25663c1ce640ebedf70fc2efb95649e8a6f68a7cf3497 |
| SHA512 | 651c5a453bdefc75e102e84108fc9bbf71a8bcf8c31db2f56762354f57bd4543af0e3411e938e544f963f6c0d086c1f3fac1e024fd1aadad85e588e34295e993 |
C:\Windows\system\dlfeCPN.exe
| MD5 | 86d25cd84d97fb1f4462f006d0f20bd3 |
| SHA1 | 6747ecd26fbe2f266e1d2589e6030e041c98e7bc |
| SHA256 | 523a0705b3f00e2c1bc49303b96f4731e10cb4ca4f267e2bdd2a53e482e91793 |
| SHA512 | d21e51ae8e94ded0f7aaf22c228e24122ed3598839d51f3f9ddc951611ae2f2a9c2c29b90bf6449f805cb6f42bb3dd87de82f1ebed4e47c584da494714c3e42a |
C:\Windows\system\lmMOQXp.exe
| MD5 | 012c8393ad1d4c23ede73a70b6106989 |
| SHA1 | 3a056f76b76835ca413348861037af3670e583c1 |
| SHA256 | 895667709e1905fd0293614140502fef2404281eff09f96ba624f36d385a58e2 |
| SHA512 | b803fa4d8d7502c9b7aecbd8231caf0f64e1304a52a7245fa77b68e24f330ac3a7247249d436d243768d8ff0c25c3fccd2be25a0974e95f006b4c73a8dfd9f9d |
memory/3020-60-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/2088-58-0x0000000002210000-0x0000000002564000-memory.dmp
memory/2820-57-0x000000013F6F0000-0x000000013FA44000-memory.dmp
C:\Windows\system\XjDsMQv.exe
| MD5 | 5133fb8c34e8ae71893401b02c73bee4 |
| SHA1 | 02e9ce13fc5cdea61d3885fc361e4303d2608777 |
| SHA256 | 4961e606756a39bb4b0ebd1ea2a08b116880258a1ceba7d01e404f723d9d60b5 |
| SHA512 | 8eb15d00eddce6a9262fb3c2e637207f2670ccac1b07ed85b7a9e09f4810053ffdf77dbe47f4eed52d6a9a96b653f07fa8d20c6004b314bdfb9252df3654c611 |
C:\Windows\system\aCDOwzU.exe
| MD5 | a54456fc9076dc3243c77c7641a54852 |
| SHA1 | 295add3ffd643e63723761cf6d8d109396e22d57 |
| SHA256 | 40e1a10d75c85651511af0b17c9708bb3bc17d360b14a2b419706e453116d15d |
| SHA512 | 3b220a9e6176f32a527b1cb2ed267425f060eef7da8a4c29ca5cf19ac503f7f8b5fe97c7c2ad0ff3fe54775f41288527482d9de4a8386457eb6af101638a8308 |
memory/480-38-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2088-43-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/2756-137-0x000000013F540000-0x000000013F894000-memory.dmp
memory/2088-138-0x0000000002210000-0x0000000002564000-memory.dmp
memory/2088-139-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2596-140-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2088-141-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2088-142-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/2088-143-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/2532-144-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/1668-145-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/1196-146-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/480-148-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2396-147-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2820-149-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/3020-150-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/2836-152-0x000000013FC70000-0x000000013FFC4000-memory.dmp
memory/2752-151-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/2740-153-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/2756-154-0x000000013F540000-0x000000013F894000-memory.dmp
memory/2672-155-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2596-157-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2156-156-0x000000013F350000-0x000000013F6A4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 11:33
Reported
2024-08-06 11:35
Platform
win10v2004-20240802-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\cHeyWzz.exe | N/A |
| N/A | N/A | C:\Windows\System\ggtifjM.exe | N/A |
| N/A | N/A | C:\Windows\System\EgoLbgk.exe | N/A |
| N/A | N/A | C:\Windows\System\zJWCOGA.exe | N/A |
| N/A | N/A | C:\Windows\System\XifonPN.exe | N/A |
| N/A | N/A | C:\Windows\System\lmMOQXp.exe | N/A |
| N/A | N/A | C:\Windows\System\aCDOwzU.exe | N/A |
| N/A | N/A | C:\Windows\System\dlfeCPN.exe | N/A |
| N/A | N/A | C:\Windows\System\XjDsMQv.exe | N/A |
| N/A | N/A | C:\Windows\System\cvoEuVF.exe | N/A |
| N/A | N/A | C:\Windows\System\YpvIXvl.exe | N/A |
| N/A | N/A | C:\Windows\System\APpLIqy.exe | N/A |
| N/A | N/A | C:\Windows\System\SixYAxL.exe | N/A |
| N/A | N/A | C:\Windows\System\sKwfMnR.exe | N/A |
| N/A | N/A | C:\Windows\System\lxOJTIJ.exe | N/A |
| N/A | N/A | C:\Windows\System\mvxBmMx.exe | N/A |
| N/A | N/A | C:\Windows\System\wqGCkgl.exe | N/A |
| N/A | N/A | C:\Windows\System\mSeyPxD.exe | N/A |
| N/A | N/A | C:\Windows\System\aMMjElo.exe | N/A |
| N/A | N/A | C:\Windows\System\LKCPouu.exe | N/A |
| N/A | N/A | C:\Windows\System\TlLUBzA.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_da532b046c747b4d5731ca672aadcb23_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\cHeyWzz.exe
C:\Windows\System\cHeyWzz.exe
C:\Windows\System\ggtifjM.exe
C:\Windows\System\ggtifjM.exe
C:\Windows\System\EgoLbgk.exe
C:\Windows\System\EgoLbgk.exe
C:\Windows\System\zJWCOGA.exe
C:\Windows\System\zJWCOGA.exe
C:\Windows\System\XifonPN.exe
C:\Windows\System\XifonPN.exe
C:\Windows\System\lmMOQXp.exe
C:\Windows\System\lmMOQXp.exe
C:\Windows\System\aCDOwzU.exe
C:\Windows\System\aCDOwzU.exe
C:\Windows\System\dlfeCPN.exe
C:\Windows\System\dlfeCPN.exe
C:\Windows\System\XjDsMQv.exe
C:\Windows\System\XjDsMQv.exe
C:\Windows\System\cvoEuVF.exe
C:\Windows\System\cvoEuVF.exe
C:\Windows\System\YpvIXvl.exe
C:\Windows\System\YpvIXvl.exe
C:\Windows\System\APpLIqy.exe
C:\Windows\System\APpLIqy.exe
C:\Windows\System\SixYAxL.exe
C:\Windows\System\SixYAxL.exe
C:\Windows\System\sKwfMnR.exe
C:\Windows\System\sKwfMnR.exe
C:\Windows\System\lxOJTIJ.exe
C:\Windows\System\lxOJTIJ.exe
C:\Windows\System\mvxBmMx.exe
C:\Windows\System\mvxBmMx.exe
C:\Windows\System\wqGCkgl.exe
C:\Windows\System\wqGCkgl.exe
C:\Windows\System\mSeyPxD.exe
C:\Windows\System\mSeyPxD.exe
C:\Windows\System\aMMjElo.exe
C:\Windows\System\aMMjElo.exe
C:\Windows\System\LKCPouu.exe
C:\Windows\System\LKCPouu.exe
C:\Windows\System\TlLUBzA.exe
C:\Windows\System\TlLUBzA.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/4948-0-0x00007FF740410000-0x00007FF740764000-memory.dmp
memory/4948-1-0x000001C7C38D0000-0x000001C7C38E0000-memory.dmp
C:\Windows\System\cHeyWzz.exe
| MD5 | eb8a70fb699d85e8cbe3769c63f6e1f6 |
| SHA1 | 18c44a325794292c71539ee0da2f59068b1c4ea0 |
| SHA256 | fc4a7919b51dcfe20d742fba1e644b86825db80d2697cd1f1b126945e56328df |
| SHA512 | ac50ac49bea1e9e715428351297be0770bcc3df8d717a5027b1998deb5de3e6d7fa398af576a235428b557b297a7c75d877118dd7b0f411f5b2bbb51d34eb63e |
C:\Windows\System\ggtifjM.exe
| MD5 | 7580f94b49a61f91cccc27960f7a587b |
| SHA1 | dc77376aa6522ec8e27498b2282db5e3464a2d93 |
| SHA256 | 192bf856ede3968df19cfef653355f5655cb7259a86259717723bd0c3db63a64 |
| SHA512 | 5855ed2aeb10214be0eb4302ad7009af35110b8a43fbacfd6cebec2049ae930d9a987ea46f0640eb754feaafde8a1ff12285a605c74f196c9eb294eb8d3e6dfd |
C:\Windows\System\EgoLbgk.exe
| MD5 | 64813827cd7d3d8c4f197683469b3091 |
| SHA1 | 7f6811520b5a3f5dcfe7d092a939dd6b723c388b |
| SHA256 | a2d514a7e0797592e0bac493a6333077838813af7d3dea3792f264688b431257 |
| SHA512 | b1a947701e6266aa9af22a63c880ab748459384e567082f537d741e7e54efa265d70c52b2430b9dc8c792d2bab8334841d16ee05a433d285f1dce5da9e22f1d3 |
C:\Windows\System\zJWCOGA.exe
| MD5 | c1040430d5d0a6c6cd770168bdad3ac2 |
| SHA1 | bf99c1fdaa375a4959aa0d42bf67bcbc05d51ec8 |
| SHA256 | 12267479459a49223e63987876cc39a4f1e88f4e1c439ae1a342e91d53a7860f |
| SHA512 | 3f33593bf8854d7d3067c292d7ca69847b1dbe7576f0229403ce5750738989d0b7057d92985b9973d1b851119a1728587cffe8f1cedd5619cc8126e3e310bd28 |
C:\Windows\System\XifonPN.exe
| MD5 | 5cb6d507b01f74229b11ae7a4af0c11f |
| SHA1 | 4b6f4ab4d84fae14b3e423f8fe71008d4fcdff9a |
| SHA256 | e93fc9cdcb426011cfb8b236f742054ac71253def9b47d261b4c9d681adb578e |
| SHA512 | 098e5cb34d5388ee4705dc0c3673b747e93b2d8598debc926e65f00a0d5c841fdfe2eba831f97082def6d0b6795b42695a79fe86f793e3f48a74cb6a78160b84 |
C:\Windows\System\aCDOwzU.exe
| MD5 | a54456fc9076dc3243c77c7641a54852 |
| SHA1 | 295add3ffd643e63723761cf6d8d109396e22d57 |
| SHA256 | 40e1a10d75c85651511af0b17c9708bb3bc17d360b14a2b419706e453116d15d |
| SHA512 | 3b220a9e6176f32a527b1cb2ed267425f060eef7da8a4c29ca5cf19ac503f7f8b5fe97c7c2ad0ff3fe54775f41288527482d9de4a8386457eb6af101638a8308 |
C:\Windows\System\XjDsMQv.exe
| MD5 | 5133fb8c34e8ae71893401b02c73bee4 |
| SHA1 | 02e9ce13fc5cdea61d3885fc361e4303d2608777 |
| SHA256 | 4961e606756a39bb4b0ebd1ea2a08b116880258a1ceba7d01e404f723d9d60b5 |
| SHA512 | 8eb15d00eddce6a9262fb3c2e637207f2670ccac1b07ed85b7a9e09f4810053ffdf77dbe47f4eed52d6a9a96b653f07fa8d20c6004b314bdfb9252df3654c611 |
C:\Windows\System\lmMOQXp.exe
| MD5 | 012c8393ad1d4c23ede73a70b6106989 |
| SHA1 | 3a056f76b76835ca413348861037af3670e583c1 |
| SHA256 | 895667709e1905fd0293614140502fef2404281eff09f96ba624f36d385a58e2 |
| SHA512 | b803fa4d8d7502c9b7aecbd8231caf0f64e1304a52a7245fa77b68e24f330ac3a7247249d436d243768d8ff0c25c3fccd2be25a0974e95f006b4c73a8dfd9f9d |
C:\Windows\System\YpvIXvl.exe
| MD5 | a45a788b4aad1b7d0d2b87c2dadfcb37 |
| SHA1 | 795292f99e7f94c975ca3bd1e01cb4f2143c36c3 |
| SHA256 | a463439c1e8be7d8d3a25663c1ce640ebedf70fc2efb95649e8a6f68a7cf3497 |
| SHA512 | 651c5a453bdefc75e102e84108fc9bbf71a8bcf8c31db2f56762354f57bd4543af0e3411e938e544f963f6c0d086c1f3fac1e024fd1aadad85e588e34295e993 |
C:\Windows\System\APpLIqy.exe