Analysis Overview
SHA256
ea2cc081aa0706a948800629fad1b276f0192e71969db3266bfa7e3d578766b1
Threat Level: Known bad
The file 2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
xmrig
Cobaltstrike family
Cobalt Strike reflective loader
Xmrig family
XMRig Miner payload
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-08-06 11:32
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 11:32
Reported
2024-08-06 11:35
Platform
win7-20240705-en
Max time kernel
136s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ohXotHz.exe | N/A |
| N/A | N/A | C:\Windows\System\mqQbfsE.exe | N/A |
| N/A | N/A | C:\Windows\System\OPBHKnw.exe | N/A |
| N/A | N/A | C:\Windows\System\bbbWowz.exe | N/A |
| N/A | N/A | C:\Windows\System\sLjsvhF.exe | N/A |
| N/A | N/A | C:\Windows\System\mmLbQAY.exe | N/A |
| N/A | N/A | C:\Windows\System\nALQOIC.exe | N/A |
| N/A | N/A | C:\Windows\System\BJkYkmS.exe | N/A |
| N/A | N/A | C:\Windows\System\FEHQtZp.exe | N/A |
| N/A | N/A | C:\Windows\System\OSkGFky.exe | N/A |
| N/A | N/A | C:\Windows\System\LWayfDH.exe | N/A |
| N/A | N/A | C:\Windows\System\PdeYhqt.exe | N/A |
| N/A | N/A | C:\Windows\System\sTaoZYw.exe | N/A |
| N/A | N/A | C:\Windows\System\QpmXztw.exe | N/A |
| N/A | N/A | C:\Windows\System\lgLPQhN.exe | N/A |
| N/A | N/A | C:\Windows\System\aHNTWYz.exe | N/A |
| N/A | N/A | C:\Windows\System\tSWuHSi.exe | N/A |
| N/A | N/A | C:\Windows\System\RGivLrv.exe | N/A |
| N/A | N/A | C:\Windows\System\XaphJbJ.exe | N/A |
| N/A | N/A | C:\Windows\System\UlRNRzO.exe | N/A |
| N/A | N/A | C:\Windows\System\QkTdiEn.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\ohXotHz.exe
C:\Windows\System\mqQbfsE.exe
C:\Windows\System\sLjsvhF.exe
C:\Windows\System\OPBHKnw.exe
C:\Windows\System\mmLbQAY.exe
C:\Windows\System\bbbWowz.exe
C:\Windows\System\nALQOIC.exe
C:\Windows\System\BJkYkmS.exe
C:\Windows\System\FEHQtZp.exe
C:\Windows\System\OSkGFky.exe
C:\Windows\System\LWayfDH.exe
C:\Windows\System\PdeYhqt.exe
C:\Windows\System\tSWuHSi.exe
C:\Windows\System\sTaoZYw.exe
C:\Windows\System\RGivLrv.exe
C:\Windows\System\QpmXztw.exe
C:\Windows\System\XaphJbJ.exe
C:\Windows\System\lgLPQhN.exe
C:\Windows\System\UlRNRzO.exe
C:\Windows\System\aHNTWYz.exe
C:\Windows\System\QkTdiEn.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 11:32
Reported
2024-08-06 11:35
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\sJzULis.exe | N/A |
| N/A | N/A | C:\Windows\System\ygKbhct.exe | N/A |
| N/A | N/A | C:\Windows\System\bDSXMsQ.exe | N/A |
| N/A | N/A | C:\Windows\System\pPeRfPh.exe | N/A |
| N/A | N/A | C:\Windows\System\CVIWlZa.exe | N/A |
| N/A | N/A | C:\Windows\System\dlGKCdL.exe | N/A |
| N/A | N/A | C:\Windows\System\xlIAGyD.exe | N/A |
| N/A | N/A | C:\Windows\System\UQWUpow.exe | N/A |
| N/A | N/A | C:\Windows\System\HpyfZrr.exe | N/A |
| N/A | N/A | C:\Windows\System\aBCPOob.exe | N/A |
| N/A | N/A | C:\Windows\System\piGXSyC.exe | N/A |
| N/A | N/A | C:\Windows\System\HDaPVQb.exe | N/A |
| N/A | N/A | C:\Windows\System\zanGbXc.exe | N/A |
| N/A | N/A | C:\Windows\System\VYfSfES.exe | N/A |
| N/A | N/A | C:\Windows\System\ImTsOxf.exe | N/A |
| N/A | N/A | C:\Windows\System\ZUabGdz.exe | N/A |
| N/A | N/A | C:\Windows\System\obvYmwo.exe | N/A |
| N/A | N/A | C:\Windows\System\idqPYFT.exe | N/A |
| N/A | N/A | C:\Windows\System\NLRZISn.exe | N/A |
| N/A | N/A | C:\Windows\System\hrvxSUE.exe | N/A |
| N/A | N/A | C:\Windows\System\clbsqPE.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_d578b31ef2d7d1c8a0204e4184eb6ff0_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\sJzULis.exe
C:\Windows\System\ygKbhct.exe
C:\Windows\System\bDSXMsQ.exe
C:\Windows\System\pPeRfPh.exe
C:\Windows\System\CVIWlZa.exe
C:\Windows\System\dlGKCdL.exe
C:\Windows\System\xlIAGyD.exe
C:\Windows\System\UQWUpow.exe
C:\Windows\System\HpyfZrr.exe
C:\Windows\System\aBCPOob.exe
C:\Windows\System\piGXSyC.exe
C:\Windows\System\HDaPVQb.exe
C:\Windows\System\zanGbXc.exe
C:\Windows\System\VYfSfES.exe
C:\Windows\System\ImTsOxf.exe
C:\Windows\System\ZUabGdz.exe
C:\Windows\System\obvYmwo.exe
C:\Windows\System\idqPYFT.exe
C:\Windows\System\NLRZISn.exe
C:\Windows\System\hrvxSUE.exe
C:\Windows\System\clbsqPE.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1492-116-0x00007FF7FB5F0000-0x00007FF7FB944000-memory.dmp
memory/2484-106-0x00007FF6B9500000-0x00007FF6B9854000-memory.dmp
memory/4084-103-0x00007FF77EFB0000-0x00007FF77F304000-memory.dmp
C:\Windows\System\ZUabGdz.exe
| MD5 | 6791eff461be78b1671ee125cd6ab13b |
| SHA1 | f3d2c62b11678fabc9127b7142ffcf3c8f93e07c |
| SHA256 | 01b8613c7af70867c918873c4cd6f08335b08e0092dfda036f60001019e9e1b4 |
| SHA512 | 72be655d613413a8e7740359c97c58a053e3d541caf66a1ea0a2084d94215a1b8bd5e121724c60055b75b7a93f70da0891884727d2273b5d324d8d47b9deb17e |
memory/4576-100-0x00007FF74DB00000-0x00007FF74DE54000-memory.dmp
memory/4732-93-0x00007FF627A40000-0x00007FF627D94000-memory.dmp
C:\Windows\System\zanGbXc.exe
| MD5 | 8390e17f9e0262d63ead179eb4e958a6 |
| SHA1 | 2c7118716d23b8f9a31b515709960f852a08f1f6 |
| SHA256 | db26c4612ced4886f26793a8f31ecbcd0fc3c646ab8d4f143a7f0b7da293adcd |
| SHA512 | 71313a302b2dc873b5003d37c70441fb9262d1357876bd158a906028085530c3b8dc27278c94851006a59bdd1cf817b02e45a71f8ffe7d25bc5073f6c921fded |
C:\Windows\System\clbsqPE.exe
| MD5 | 77db3141417cc233eb12047eed03298b |
| SHA1 | 7d0a48f41591b197573d2c3a5408adeb29937483 |
| SHA256 | 340ebf75a97a7986274d29d78900096e55d95cf6d5ba599b91f3fb3ba91a6a18 |
| SHA512 | 7c35af68abcc50eacdc82c6ea489df3c011e66d49cca06779c333edfe45542bca30cf945dc55246c396ae115ee7bb9fcafc0c195c148be43a7a1e2d811c7ca04 |
memory/4808-130-0x00007FF624B00000-0x00007FF624E54000-memory.dmp
memory/936-131-0x00007FF7B79D0000-0x00007FF7B7D24000-memory.dmp
memory/5108-132-0x00007FF6149C0000-0x00007FF614D14000-memory.dmp
memory/1444-133-0x00007FF6CC8A0000-0x00007FF6CCBF4000-memory.dmp
memory/1492-134-0x00007FF7FB5F0000-0x00007FF7FB944000-memory.dmp
memory/2492-135-0x00007FF7FA8E0000-0x00007FF7FAC34000-memory.dmp
memory/1504-136-0x00007FF7310C0000-0x00007FF731414000-memory.dmp
memory/3704-137-0x00007FF68BC10000-0x00007FF68BF64000-memory.dmp
memory/3140-138-0x00007FF747F40000-0x00007FF748294000-memory.dmp
memory/4732-140-0x00007FF627A40000-0x00007FF627D94000-memory.dmp
memory/756-139-0x00007FF646DC0000-0x00007FF647114000-memory.dmp
memory/4808-141-0x00007FF624B00000-0x00007FF624E54000-memory.dmp
memory/2436-142-0x00007FF6C2190000-0x00007FF6C24E4000-memory.dmp
memory/5108-143-0x00007FF6149C0000-0x00007FF614D14000-memory.dmp
memory/2072-144-0x00007FF683140000-0x00007FF683494000-memory.dmp
memory/2052-145-0x00007FF6672E0000-0x00007FF667634000-memory.dmp
memory/1444-146-0x00007FF6CC8A0000-0x00007FF6CCBF4000-memory.dmp
memory/4980-147-0x00007FF7836B0000-0x00007FF783A04000-memory.dmp
memory/976-148-0x00007FF6A7510000-0x00007FF6A7864000-memory.dmp
memory/4412-149-0x00007FF6887D0000-0x00007FF688B24000-memory.dmp
memory/4576-150-0x00007FF74DB00000-0x00007FF74DE54000-memory.dmp
memory/4084-151-0x00007FF77EFB0000-0x00007FF77F304000-memory.dmp
memory/2484-152-0x00007FF6B9500000-0x00007FF6B9854000-memory.dmp
memory/4832-153-0x00007FF7C2640000-0x00007FF7C2994000-memory.dmp
memory/1492-154-0x00007FF7FB5F0000-0x00007FF7FB944000-memory.dmp
memory/1504-155-0x00007FF7310C0000-0x00007FF731414000-memory.dmp
memory/2492-156-0x00007FF7FA8E0000-0x00007FF7FAC34000-memory.dmp
memory/936-157-0x00007FF7B79D0000-0x00007FF7B7D24000-memory.dmp