Analysis Overview
SHA256
ae656088796f40c75727c41eefa410ea4c2ca7bb022d388c1e568f23c067fec2
Threat Level: Known bad
The file 2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Cobaltstrike family
Cobalt Strike reflective loader
xmrig
XMRig Miner payload
Xmrig family
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-06 11:45
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 11:45
Reported
2024-08-06 11:48
Platform
win7-20240729-en
Max time kernel
142s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\lEbzTJu.exe | N/A |
| N/A | N/A | C:\Windows\System\PCyHBOC.exe | N/A |
| N/A | N/A | C:\Windows\System\oHHZzdz.exe | N/A |
| N/A | N/A | C:\Windows\System\XcEcsnA.exe | N/A |
| N/A | N/A | C:\Windows\System\cFUZtJE.exe | N/A |
| N/A | N/A | C:\Windows\System\mBQwnJI.exe | N/A |
| N/A | N/A | C:\Windows\System\jbRaUcj.exe | N/A |
| N/A | N/A | C:\Windows\System\EOTPeot.exe | N/A |
| N/A | N/A | C:\Windows\System\KPkkejn.exe | N/A |
| N/A | N/A | C:\Windows\System\iAgWLho.exe | N/A |
| N/A | N/A | C:\Windows\System\ZNYaPSP.exe | N/A |
| N/A | N/A | C:\Windows\System\FLIYCOY.exe | N/A |
| N/A | N/A | C:\Windows\System\WbHTuvY.exe | N/A |
| N/A | N/A | C:\Windows\System\FyekUIN.exe | N/A |
| N/A | N/A | C:\Windows\System\LjCZPtP.exe | N/A |
| N/A | N/A | C:\Windows\System\DAYTkjN.exe | N/A |
| N/A | N/A | C:\Windows\System\PzJoZNP.exe | N/A |
| N/A | N/A | C:\Windows\System\dkvFOrI.exe | N/A |
| N/A | N/A | C:\Windows\System\JCOwyPj.exe | N/A |
| N/A | N/A | C:\Windows\System\AcVZMla.exe | N/A |
| N/A | N/A | C:\Windows\System\sfrWApv.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\lEbzTJu.exe
C:\Windows\System\lEbzTJu.exe
C:\Windows\System\oHHZzdz.exe
C:\Windows\System\oHHZzdz.exe
C:\Windows\System\PCyHBOC.exe
C:\Windows\System\PCyHBOC.exe
C:\Windows\System\XcEcsnA.exe
C:\Windows\System\XcEcsnA.exe
C:\Windows\System\cFUZtJE.exe
C:\Windows\System\cFUZtJE.exe
C:\Windows\System\mBQwnJI.exe
C:\Windows\System\mBQwnJI.exe
C:\Windows\System\jbRaUcj.exe
C:\Windows\System\jbRaUcj.exe
C:\Windows\System\EOTPeot.exe
C:\Windows\System\EOTPeot.exe
C:\Windows\System\KPkkejn.exe
C:\Windows\System\KPkkejn.exe
C:\Windows\System\iAgWLho.exe
C:\Windows\System\iAgWLho.exe
C:\Windows\System\ZNYaPSP.exe
C:\Windows\System\ZNYaPSP.exe
C:\Windows\System\FLIYCOY.exe
C:\Windows\System\FLIYCOY.exe
C:\Windows\System\WbHTuvY.exe
C:\Windows\System\WbHTuvY.exe
C:\Windows\System\FyekUIN.exe
C:\Windows\System\FyekUIN.exe
C:\Windows\System\LjCZPtP.exe
C:\Windows\System\LjCZPtP.exe
C:\Windows\System\DAYTkjN.exe
C:\Windows\System\DAYTkjN.exe
C:\Windows\System\PzJoZNP.exe
C:\Windows\System\PzJoZNP.exe
C:\Windows\System\dkvFOrI.exe
C:\Windows\System\dkvFOrI.exe
C:\Windows\System\JCOwyPj.exe
C:\Windows\System\JCOwyPj.exe
C:\Windows\System\AcVZMla.exe
C:\Windows\System\AcVZMla.exe
C:\Windows\System\sfrWApv.exe
C:\Windows\System\sfrWApv.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2540-0-0x000000013F180000-0x000000013F4D1000-memory.dmp
memory/2540-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\lEbzTJu.exe
| MD5 | 237b4e0851dc9f92c6b1352291cbc76d |
| SHA1 | cbcca8a957d5284c9f44748691b0d28b07db48d7 |
| SHA256 | 9422f0ee421834cbce84ea7109a7912ad8882ed1f4d48a0ed5a7afd8322f53ba |
| SHA512 | 733cba2519a3f813a00655e296db3e4d51ff9cc317be3e640facc896d1bd8b00513b6c281059011b4eccd6fc0634d4f1ad9e329e98df1d5cb04709c25801c15b |
\Windows\system\PCyHBOC.exe
| MD5 | 287477a01c831e2a6a5d77e5ea95afa5 |
| SHA1 | 5b4d7f6ac72899078ee74bbdedf44e7b84574e66 |
| SHA256 | 56b970f8c352b00817058bb2d74d4184a011d48cdba98d3f811c376b3bf31caf |
| SHA512 | f00e878251394adae43e045af18d079f87d8af689cc125312bce9adafb2965e88ad252c98cd5b20b5ea7396e6034c97ba17f5f6babc34ee98401372aecbb7f79 |
memory/2540-7-0x000000013F5B0000-0x000000013F901000-memory.dmp
memory/2696-20-0x000000013F080000-0x000000013F3D1000-memory.dmp
C:\Windows\system\oHHZzdz.exe
| MD5 | 6746d3fa60b1533d8fd9a95db594185c |
| SHA1 | bfc38fdde043c990091c906760261eaf9d5f996d |
| SHA256 | bdf4ea66681a32859c01b75564ed3a61edcc56c35677ffbf6781cdbbe0754937 |
| SHA512 | 7b42cadef93594697a478fab073d70b70a9263f0022ba68782d55eb4ff7f84e4a358a96421312f4ddc14a2d4fb5c108150b2c97fa995a306942e8d30462c2113 |
memory/1388-18-0x000000013F5E0000-0x000000013F931000-memory.dmp
memory/2892-16-0x000000013F5B0000-0x000000013F901000-memory.dmp
C:\Windows\system\XcEcsnA.exe
| MD5 | b1c2e9e407af5b0153f792b61f6d0556 |
| SHA1 | 329fa56c9f03cdf0629d6224780af12c30c54322 |
| SHA256 | 1f43095f7d3b1e0937be3fd9a6c3f9d7730a0310acd0711dba71a180a66df137 |
| SHA512 | 9e0f720b630b2c6895396853f70479dfb14c178f11a98cf64bb9ce76f6f2fb5ee7f59baa9da544c6423e7905601aeee0aa25b5124f99e8463429cc291e9e4f8d |
memory/2880-27-0x000000013F320000-0x000000013F671000-memory.dmp
memory/2540-26-0x0000000002270000-0x00000000025C1000-memory.dmp
memory/2540-12-0x0000000002270000-0x00000000025C1000-memory.dmp
memory/2540-30-0x000000013FEF0000-0x0000000140241000-memory.dmp
\Windows\system\cFUZtJE.exe
| MD5 | 55885f2e4170e24c2bd67ae4ac131c16 |
| SHA1 | 2e4275da6db147775906dcfef5ba5a5ced9f459b |
| SHA256 | ba89a3f815c3cecf9a08ca74113a178985342d0f5d8c14be2b07a848f0634d28 |
| SHA512 | b0011a75f2f08ad78fc4c928372515b5757ff689284edbba37e9e938aa0ab3222e146d3935d0d8b2295c1c21be7ecf8ad7feaf464966b9604abad1566d2efcee |
\Windows\system\mBQwnJI.exe
| MD5 | 378dae981adc4ec2c6c77645163c5037 |
| SHA1 | 37dc9bff210beceaf00d9f617a29a23d2a5d14af |
| SHA256 | 2abf520671ee050647bf44fa696185e818eb6f781ff30e8be9be4a96bd1fe2b4 |
| SHA512 | 148deb77cf50e47b1757ed1d66c6f761dfa0533e672cfb2c0979f6b2fded9c10738b3af4e43cdaf7be87ec8857a0449ca6c541537642674802700157669f7050 |
memory/2748-36-0x000000013FEF0000-0x0000000140241000-memory.dmp
memory/2540-42-0x000000013F7E0000-0x000000013FB31000-memory.dmp
memory/2860-44-0x000000013F7E0000-0x000000013FB31000-memory.dmp
\Windows\system\jbRaUcj.exe
| MD5 | c4bf16091879d64fa33d66fbf655b9be |
| SHA1 | 9e0f0d6a24a02d7c7eb321e63d5d387e63e733e3 |
| SHA256 | 7cc463f560e5d89fd25ca21052e8e53d95435ae09088b0e3dedb5d8095578385 |
| SHA512 | af71ee9c6a8a0cf3ec2525d65a7b6a42f4275b0f1c69a7f02c29cf07248855b8ee4bb60a3e93a83e2f7cc86cf4682981d083d81413c3de56fe9446e87b764af5 |
memory/2540-41-0x000000013F5B0000-0x000000013F901000-memory.dmp
memory/2540-38-0x000000013F180000-0x000000013F4D1000-memory.dmp
memory/2892-56-0x000000013F5B0000-0x000000013F901000-memory.dmp
memory/3016-51-0x000000013F590000-0x000000013F8E1000-memory.dmp
\Windows\system\FLIYCOY.exe
| MD5 | 52ffc3479c8e08978b55f35c5ed11b05 |
| SHA1 | 983ad6dec87685a0b379b92b2fef96c09c9342b8 |
| SHA256 | c54f9340d08bfe84fc534272a8d3add227d179ddfdb2ea631fb504097e5b7294 |
| SHA512 | 4be043d69f55bc8a7de8a37698230b65c85457b5c41904c1089e1923b09a67ce7cd7e43aa4152c8759f22579f648e5583657ad5fb57fb9c297e25e938cf592d4 |
memory/2696-80-0x000000013F080000-0x000000013F3D1000-memory.dmp
memory/2540-81-0x000000013FA60000-0x000000013FDB1000-memory.dmp
\Windows\system\FyekUIN.exe
| MD5 | 294b09b993c0ead0ca65551e9da427be |
| SHA1 | d3cff205b010081dd06b1c8a5c019cf0a304b989 |
| SHA256 | d04d2552078ee6e24dd824b8a053e7ca368a6c8a839de8f12374bbf719beb954 |
| SHA512 | 8723de2b506b2c3cac80c530d93bea1189e681d4f1ce38d42ae3ef88b9521a528cd55e8d53be4238f7a2a503d881403d2354f61ef8f20b7847b202ca1aa4f35c |
C:\Windows\system\PzJoZNP.exe
| MD5 | 9ea6f2ea5f387f02a17638189c3f8d18 |
| SHA1 | 0818ebc5c660e4e667447497ee50eeff0dfe9f8b |
| SHA256 | fd49474f433d58e2e032ca310c454346f4a6e48e38ebe22e38c68389a5b85166 |
| SHA512 | e79e088e47664125ba32b6cb5ee9f02c746cbc3136505724798a757903acb1f0c707bd4df35357a29c53f01ed568df4c16783d4944315a4ced7fb2b8a321abc0 |
\Windows\system\sfrWApv.exe
| MD5 | 71ceb187522fe398eda918f82ef44712 |
| SHA1 | 42a3dbb3ab2c0541867a46d05d5ec9b2295bf84f |
| SHA256 | bd31e24c05c18fb50a82dd4083e1e150ced12862f3dba670792f9ad5d6f1aada |
| SHA512 | 275979bfbab96d4c6575ee318161eabaadc3cfff8b1badb04b53a65d64f55d672993dad363d12dcc4095a98ee9dfd7025e06aad23e1d8ad4050b09e427124bad |
C:\Windows\system\AcVZMla.exe
| MD5 | 8b708c004d1b7d26e1c2c40d35ddc8da |
| SHA1 | c3d15d1b31b672c3185f22f3f3a1a227e1863d07 |
| SHA256 | 9ff4cd1e74ce7a78efb5d4c9fdec7200bef5376e1e64e707c033f4107a942e1b |
| SHA512 | c63269e674d7dcca0a67992a8d75dda8d03d6f860a591813a6f40411a902c795f4c879575d56f617f382954afed4f4b6f88c989890a3e45a699a36b80753b550 |
C:\Windows\system\JCOwyPj.exe
| MD5 | 4a6d60a54fcd15b6a31bf0b1e0b46b04 |
| SHA1 | 98713295955625c0964d27e357c191f00c64bc7b |
| SHA256 | 0f99bf7d521dc97f2bcc666f8740303857a2372e4146f37e725d3b4ec21e98d1 |
| SHA512 | 706672503945daa520e15158da4cfeda46fd2bb1cf19b06fb72be6090a3347cc088be7b8e65095879b990e13df4fefe4b974a09e5d3991c49c40b5eb6ced6f48 |
C:\Windows\system\dkvFOrI.exe
| MD5 | 3de65a14d3ad77ec9fc7262597b0b78b |
| SHA1 | d04fa90edd4030c4a1c90b61741acba699ac411a |
| SHA256 | 2039bdd4a2c171762b82d66c759cacb64b753f6cfbb2978c3cc97659e24a4b3c |
| SHA512 | d76467e14c88839c05309bdfdf30c8f67881403e28d2d5c1083f6b0173a5739eb0b4d825e00462741d7438a5949ffcb21d58d798adda31f284c2eea834de4d54 |
memory/1616-145-0x000000013F360000-0x000000013F6B1000-memory.dmp
memory/2540-144-0x0000000002270000-0x00000000025C1000-memory.dmp
C:\Windows\system\DAYTkjN.exe
| MD5 | 9a2e0b40dcfd39065f15de604a932e83 |
| SHA1 | fff23ad63a98d6c8df902364ddca4bfa33144f1c |
| SHA256 | 45c467b09df4c8d26479b1c30e5ba408a82a54ad5a189c19d45945ce35a95889 |
| SHA512 | 6edaaf1846d1680e8aa3a987b39e35cfa00a73fdbeeb247e8a5c66dfe59e6159c313025b504d2cddbc4fce19b72d24289dc9a4673d97cd53f93b8c0e3cb7af90 |
C:\Windows\system\LjCZPtP.exe
| MD5 | 7b5dcaf72266afd9856851059e9b85f9 |
| SHA1 | b96d341ea6a7ba04d347d0cbf795c31782ac4857 |
| SHA256 | 47f0ec521f477824e8ebeac75ac985fb76887722b70af68c5e747d6bd2bcfbef |
| SHA512 | 1e4300d0e434fef760da7235d766db286733efb4b8ae527ec36e0c9fcc39b1f62bbce9b2066943faff9c50da7aa06d41741afa1e745d9c87030aeadde3896b47 |
memory/2540-112-0x000000013FB50000-0x000000013FEA1000-memory.dmp
memory/3016-111-0x000000013F590000-0x000000013F8E1000-memory.dmp
memory/2540-110-0x000000013F590000-0x000000013F8E1000-memory.dmp
memory/2792-106-0x000000013F530000-0x000000013F881000-memory.dmp
memory/2860-105-0x000000013F7E0000-0x000000013FB31000-memory.dmp
memory/2540-100-0x000000013F7E0000-0x000000013FB31000-memory.dmp
memory/2372-96-0x000000013FA20000-0x000000013FD71000-memory.dmp
memory/2540-95-0x000000013FA20000-0x000000013FD71000-memory.dmp
memory/2748-94-0x000000013FEF0000-0x0000000140241000-memory.dmp
C:\Windows\system\WbHTuvY.exe
| MD5 | 13cdebe31c87cd059ee0b404ce25e22f |
| SHA1 | ee1b4266ece8e1287a74142b9da7ed1fd44c25e6 |
| SHA256 | 5c4c590fac463c5dfc7e5b0ce99cef1468db55afeafcb2984a5f06d7ea095e9c |
| SHA512 | efbc888e78c14cf945bf791e1ffe9344af12c5998a0777be792cfb4eb471f48245eea746f060e9111740ef0f9218f698599639d72073cd8c5a0fafb6ff91f1cf |
memory/3044-82-0x000000013FA60000-0x000000013FDB1000-memory.dmp
memory/2260-90-0x000000013F540000-0x000000013F891000-memory.dmp
memory/2636-146-0x000000013F370000-0x000000013F6C1000-memory.dmp
C:\Windows\system\ZNYaPSP.exe
| MD5 | ff90b5642694d68494692a4630beb14d |
| SHA1 | 6b31dd6789f813a0e5624badabd9bec49d8a2373 |
| SHA256 | bc9efa03f3cabcc18bb230a446a97eadb7e6ba5325a6fa85f4f5b7372b823b39 |
| SHA512 | 7846460c4b2f6637d29e5d213fcbfe55f6529af296dcf2658341ab1f6fa910f1f4269b2d158bd35e9e457e020016518f3305af92298b33a061c4e294ced08fea |
memory/2540-85-0x000000013F540000-0x000000013F891000-memory.dmp
memory/2880-84-0x000000013F320000-0x000000013F671000-memory.dmp
memory/1092-73-0x000000013F5B0000-0x000000013F901000-memory.dmp
memory/2540-72-0x000000013F5B0000-0x000000013F901000-memory.dmp
memory/1388-71-0x000000013F5E0000-0x000000013F931000-memory.dmp
C:\Windows\system\iAgWLho.exe
| MD5 | 4aa510a0b9b4153eca068ef3cc6efb8b |
| SHA1 | b091097e7b846aed2e0007ccfdd4fe6d472410bf |
| SHA256 | d2db97696ce01b27dd634686ab00a46cc448a1330b609b8c4b98aeab27da433a |
| SHA512 | 8b249d0713e133ebc5a6ea8b5923adbadcee1c342d1055a2fb1eddb3c248c6706d35cbd7be49b8d0e67ea856d34c9e8be28df782e8892fdb2d4e3366ceb7b7b0 |
memory/2636-65-0x000000013F370000-0x000000013F6C1000-memory.dmp
memory/2540-64-0x0000000002270000-0x00000000025C1000-memory.dmp
C:\Windows\system\KPkkejn.exe
| MD5 | f0cc01faf6aef37b7916a3d5320129fc |
| SHA1 | 5ea03c018f27fcf02d21e651f51ce69ae50f1ccd |
| SHA256 | 38745718f62a3adf11022a66db96bfeaf2593138f43cd5b0d4ff776dd8bef276 |
| SHA512 | c5d7fdb8d738cc7db4a650f649dab876438e7dd4e829516070648467095937c5b671b84502b8583b01f1e9b4c2ed8a6c5a785bd8918c5d7793d18a46374e2548 |
memory/2540-50-0x000000013F590000-0x000000013F8E1000-memory.dmp
memory/1616-58-0x000000013F360000-0x000000013F6B1000-memory.dmp
memory/2540-57-0x0000000002270000-0x00000000025C1000-memory.dmp
C:\Windows\system\EOTPeot.exe
| MD5 | 232faba01c9a4845f036a8a840c9d541 |
| SHA1 | 17c6ec0dd969b8bb4be1403a5169e4533341c7d8 |
| SHA256 | a88a556bcdd69aeef38797dd46d9655457a3a40534fe5d9625ee0912cfef6791 |
| SHA512 | 556af97367a1ba32b3c9adf5541afebf308e2dac6a7979da1add528ed27cc5244f1a7c59bd9a4b6fab8db7ddec52ec25f2492ae448331ac83867673947340c5b |
memory/1092-148-0x000000013F5B0000-0x000000013F901000-memory.dmp
memory/2540-147-0x000000013F5B0000-0x000000013F901000-memory.dmp
memory/2540-150-0x000000013F180000-0x000000013F4D1000-memory.dmp
memory/3016-157-0x000000013F590000-0x000000013F8E1000-memory.dmp
memory/2540-162-0x000000013FA60000-0x000000013FDB1000-memory.dmp
memory/2372-164-0x000000013FA20000-0x000000013FD71000-memory.dmp
memory/1060-166-0x000000013FB50000-0x000000013FEA1000-memory.dmp
memory/1332-170-0x000000013F0E0000-0x000000013F431000-memory.dmp
memory/876-172-0x000000013FCC0000-0x0000000140011000-memory.dmp
memory/1524-169-0x000000013F1B0000-0x000000013F501000-memory.dmp
memory/1364-168-0x000000013FA90000-0x000000013FDE1000-memory.dmp
memory/2540-173-0x000000013F540000-0x000000013F891000-memory.dmp
memory/956-167-0x000000013F8F0000-0x000000013FC41000-memory.dmp
memory/1160-171-0x000000013FE50000-0x00000001401A1000-memory.dmp
memory/2540-174-0x000000013FA20000-0x000000013FD71000-memory.dmp
memory/2540-175-0x000000013F180000-0x000000013F4D1000-memory.dmp
memory/2540-197-0x000000013FB50000-0x000000013FEA1000-memory.dmp
memory/2892-225-0x000000013F5B0000-0x000000013F901000-memory.dmp
memory/1388-227-0x000000013F5E0000-0x000000013F931000-memory.dmp
memory/2880-231-0x000000013F320000-0x000000013F671000-memory.dmp
memory/2696-230-0x000000013F080000-0x000000013F3D1000-memory.dmp
memory/2748-233-0x000000013FEF0000-0x0000000140241000-memory.dmp
memory/2860-235-0x000000013F7E0000-0x000000013FB31000-memory.dmp
memory/1616-237-0x000000013F360000-0x000000013F6B1000-memory.dmp
memory/2636-239-0x000000013F370000-0x000000013F6C1000-memory.dmp
memory/1092-241-0x000000013F5B0000-0x000000013F901000-memory.dmp
memory/3044-243-0x000000013FA60000-0x000000013FDB1000-memory.dmp
memory/2260-245-0x000000013F540000-0x000000013F891000-memory.dmp
memory/2372-247-0x000000013FA20000-0x000000013FD71000-memory.dmp
memory/2792-258-0x000000013F530000-0x000000013F881000-memory.dmp
memory/3016-267-0x000000013F590000-0x000000013F8E1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 11:45
Reported
2024-08-06 11:48
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ogveekm.exe | N/A |
| N/A | N/A | C:\Windows\System\JqJZBEo.exe | N/A |
| N/A | N/A | C:\Windows\System\qtamKZG.exe | N/A |
| N/A | N/A | C:\Windows\System\FbqnNXl.exe | N/A |
| N/A | N/A | C:\Windows\System\tgRUOjz.exe | N/A |
| N/A | N/A | C:\Windows\System\pSukJrU.exe | N/A |
| N/A | N/A | C:\Windows\System\tMOKMSt.exe | N/A |
| N/A | N/A | C:\Windows\System\XVELjyP.exe | N/A |
| N/A | N/A | C:\Windows\System\MzcHKBp.exe | N/A |
| N/A | N/A | C:\Windows\System\ubpeUlR.exe | N/A |
| N/A | N/A | C:\Windows\System\wZFzKNK.exe | N/A |
| N/A | N/A | C:\Windows\System\FlEOqwH.exe | N/A |
| N/A | N/A | C:\Windows\System\cjXeOIK.exe | N/A |
| N/A | N/A | C:\Windows\System\hLjOanb.exe | N/A |
| N/A | N/A | C:\Windows\System\KHnWSIz.exe | N/A |
| N/A | N/A | C:\Windows\System\MXMYsSQ.exe | N/A |
| N/A | N/A | C:\Windows\System\gzXXviu.exe | N/A |
| N/A | N/A | C:\Windows\System\ahRNWPO.exe | N/A |
| N/A | N/A | C:\Windows\System\ubGJoiA.exe | N/A |
| N/A | N/A | C:\Windows\System\PMDDJhf.exe | N/A |
| N/A | N/A | C:\Windows\System\EZzlIAU.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_1e1bc7bd963cd07a3795ffa7d42ec26e_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\ogveekm.exe
C:\Windows\System\ogveekm.exe
C:\Windows\System\JqJZBEo.exe
C:\Windows\System\JqJZBEo.exe
C:\Windows\System\qtamKZG.exe
C:\Windows\System\qtamKZG.exe
C:\Windows\System\FbqnNXl.exe
C:\Windows\System\FbqnNXl.exe
C:\Windows\System\tgRUOjz.exe
C:\Windows\System\tgRUOjz.exe
C:\Windows\System\pSukJrU.exe
C:\Windows\System\pSukJrU.exe
C:\Windows\System\tMOKMSt.exe
C:\Windows\System\tMOKMSt.exe
C:\Windows\System\XVELjyP.exe
C:\Windows\System\XVELjyP.exe
C:\Windows\System\MzcHKBp.exe
C:\Windows\System\MzcHKBp.exe
C:\Windows\System\ubpeUlR.exe
C:\Windows\System\ubpeUlR.exe
C:\Windows\System\wZFzKNK.exe
C:\Windows\System\wZFzKNK.exe
C:\Windows\System\FlEOqwH.exe
C:\Windows\System\FlEOqwH.exe
C:\Windows\System\cjXeOIK.exe
C:\Windows\System\cjXeOIK.exe
C:\Windows\System\hLjOanb.exe
C:\Windows\System\hLjOanb.exe
C:\Windows\System\KHnWSIz.exe
C:\Windows\System\KHnWSIz.exe
C:\Windows\System\MXMYsSQ.exe
C:\Windows\System\MXMYsSQ.exe
C:\Windows\System\gzXXviu.exe
C:\Windows\System\gzXXviu.exe
C:\Windows\System\ahRNWPO.exe
C:\Windows\System\ahRNWPO.exe
C:\Windows\System\ubGJoiA.exe
C:\Windows\System\ubGJoiA.exe
C:\Windows\System\PMDDJhf.exe
C:\Windows\System\PMDDJhf.exe
C:\Windows\System\EZzlIAU.exe
C:\Windows\System\EZzlIAU.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2936-0-0x00007FF68B9E0000-0x00007FF68BD31000-memory.dmp
memory/2936-1-0x00000228E1AE0000-0x00000228E1AF0000-memory.dmp
C:\Windows\System\ogveekm.exe
| MD5 | dcc5e498de15c3c325351b20c08b82c2 |
| SHA1 | 7c35399a3bd70e42f784771dcd8408c11c4b20f1 |
| SHA256 | 66c9d2a10f5a958f02ed0ddd30d0f7f456df55b8297d7e8498d5de348540c4de |
| SHA512 | d808e5f6d5fca7b22ae8cf6c1c97b25e54b7dcef39d61e380134b0723216f502627aae1b0558ed533a50117ee85921f5ee165dd5ad5961b7ba76775053f81af7 |
C:\Windows\System\qtamKZG.exe
| MD5 | b1e1d2be7fae7293b9ff583afccd9944 |
| SHA1 | 71d3fb51c0ce51537fc7284038ce39bf4edc13f8 |
| SHA256 | 85326a45bb2f6fcaa19fd9d2a19986941181a770a3f3bc3462f2c7d4297d8dd2 |
| SHA512 | 6d21cda569599dbaeeb578b955ab09a4cf5b34629d3282e8bcbdce1faf081a04de4e4b3165e60b652b5e69302c1edee0cae321e9647feec43644e12b687f8faf |
C:\Windows\System\JqJZBEo.exe
| MD5 | 94ae6522a0c2c45c26b3d82c92911e75 |
| SHA1 | bec8416f85f3f8554b1bac12b8671239e03810e0 |
| SHA256 | 16591c750756cc2dc81726593ca315ad2aefd4b7fc70fb3c1a798aaac26f63a3 |
| SHA512 | 043f932053fcb98abaf969a7f004615ae162e1c761a3865f13dd5cd3a58df6680c7310cd50338f8c550b65c1eaf3a89d2b8850d95e293def63cf604e069a7e8d |
C:\Windows\System\FbqnNXl.exe
| MD5 | 4d9e59de8d7fece243d0520114025a6d |
| SHA1 | 59f8346e0eec3cb3a0a36505e9fe3f402a4d27dd |
| SHA256 | 0121d471ffaec2416d4794dce16189973612bf32332ff3b6d1d0637be6d301c0 |
| SHA512 | 3f6c597e59f3592cbb65bec99fc0cdb1c765ae60c66ddf7023dc152a5fb50bb4194e3914f7fff650f9b1e7b002d637183732e59a68f6983c9026aa44a9f1951b |
memory/1512-14-0x00007FF72A1E0000-0x00007FF72A531000-memory.dmp
C:\Windows\System\pSukJrU.exe
| MD5 | 01ab0a2a2e2d93cfc3a7d1e8cebda1ef |
| SHA1 | ef2e1f9a2435fa6e441d9b817e479d1c7590b278 |
| SHA256 | eb75964e9011f12129475fed7ab57b64c338cfb8a08d9c4d25216c1f890f02f9 |
| SHA512 | 099d6f7b41c66521d96f7ed23567bc2083bb3a7b4ce6d578bd8db3d9e15a6d50c914b225fe234e29c6663a542cdca8d83129814a271f10a69c4f89a01297127d |
memory/1628-44-0x00007FF7A3050000-0x00007FF7A33A1000-memory.dmp
C:\Windows\System\tgRUOjz.exe
| MD5 | a6fee4b25839d4687457e2d3a4d418dc |
| SHA1 | a3dc7d2c28fed7b30033a384a1e7a19dbbecd9f1 |
| SHA256 | 1b52b1bf391f7259a58610573c2f0f46a6ec7a01bcc62ad80aa88c504c36ac55 |
| SHA512 | 37434582466d8747fea53f12694f16cc9a87d286ca79b30698c91ce55e0969315472c7205a2fef99e617f8ebbf695f5ec66dd6fc7f6fa3bdbfe05d447f52d955 |
memory/3468-24-0x00007FF7258C0000-0x00007FF725C11000-memory.dmp
memory/904-23-0x00007FF619A30000-0x00007FF619D81000-memory.dmp
memory/3100-29-0x00007FF63DD20000-0x00007FF63E071000-memory.dmp
C:\Windows\System\XVELjyP.exe
| MD5 | 7e31335277c6b937677ac7c7dd01186f |
| SHA1 | 9c583f1e417e97f1e938c334d8bd0d5ef3bcead1 |
| SHA256 | f89a8007ed0c0ce2a27141e664a16501f765f2dc743aa2aa14e264fa92a1e6da |
| SHA512 | f3f25103a28fb1057ff1e2e0ea1ed11f8a52715bf5199df27d44bc01c06168488aba35dc5556e465c138b1df0c89703f318e5c38f91dee0c10a4166ba7c2afd2 |
memory/2608-64-0x00007FF66AB10000-0x00007FF66AE61000-memory.dmp
memory/1632-69-0x00007FF7C4FA0000-0x00007FF7C52F1000-memory.dmp
C:\Windows\System\hLjOanb.exe
| MD5 | 7994f02efa68eba4da30aceea3602a00 |
| SHA1 | db42b39394f72b16decfcc15eeb5fbd23295566e |
| SHA256 | fbb6587854123859c63b62b108397f25d264bdc306d35307a5d25a7c0290e0d5 |
| SHA512 | f83881cf447a681096ac45d2d869c7f4349da08737845d226bb8d15275ebddd174b86f4d92459aa169cc85914b9108eee7d6deadba48d3f3e85909c36feb02d6 |
memory/4668-88-0x00007FF760F20000-0x00007FF761271000-memory.dmp
C:\Windows\System\gzXXviu.exe
| MD5 | 472ff67c04074ddd12786ae294e11d0c |
| SHA1 | b50e1f858cfa505bb5d94bf67d5cf15504d3e644 |
| SHA256 | f0e6963dd6fdcefd0fb319abe877a58bc0e09bb808876af7fa32fbe2bf9760e4 |
| SHA512 | 1f9f89bd83aa375ec446e18eddb329fdecd3269405488ff8cf96ec79da3b2a2cb706062a6ef4e443f06022b617d585cc71b406ff52e24e34a3129f8b7fc79db8 |
memory/2560-95-0x00007FF603DC0000-0x00007FF604111000-memory.dmp
C:\Windows\System\MXMYsSQ.exe
| MD5 | 6eeccd30c352d3e2555df82d8b689cb7 |
| SHA1 | 9f78d84495e5103e06720022064c1907033e950e |
| SHA256 | 276d1287d2b484e2418896dc250bd36b494370f8dbc1fe9fa4922caf205fa3db |
| SHA512 | 171865b79f360f7d46defaece359c1fb9a7798fcf2266749157cb64c6fa30dd79d4a2a09692ff87ea0688a08c687d6a31c6d9de98335316c72aae3b31c855b25 |
memory/3108-92-0x00007FF6508A0000-0x00007FF650BF1000-memory.dmp
memory/4484-91-0x00007FF68C160000-0x00007FF68C4B1000-memory.dmp
C:\Windows\System\KHnWSIz.exe
| MD5 | 0c02f770ab7b94f936a2737de35d40d4 |
| SHA1 | 5e866eb3c6fa721e19e83e8b955367c537631ad7 |
| SHA256 | 24d61248549fd8eb7f372a5c027fdd6642657eb4e7eb834f6487162e6433e968 |
| SHA512 | f6482d4c02d06395f4238eb3d47b3fc57fa1d2a90b9fe9936bd39fa9ff34e22cde6cb033162501f2395cef9991e6d0e775fe722a2262d862b9a5d48f4b17a427 |
C:\Windows\System\FlEOqwH.exe
| MD5 | 92f97c4b8ed9f57a64ce705025e1d168 |
| SHA1 | 820ded0ea58436ca8f7641c6c53a504fb63b35c3 |
| SHA256 | 879ee09724928249fabbf1f67aec2eea6184126c1450718344d378c0fa504e59 |
| SHA512 | 011bbf8f0ff210d781eff952fe5a6d272ee0a31b34e20b723b334f5c9f92b4fb91c8cbd09fe2b0b4970a9569a3cd4547b5b075ad1f872bb53ff003277da71526 |
memory/3948-82-0x00007FF7B34E0000-0x00007FF7B3831000-memory.dmp
memory/2720-81-0x00007FF79BB30000-0x00007FF79BE81000-memory.dmp
C:\Windows\System\cjXeOIK.exe
| MD5 | 7a13183813e0e449dd610f5bcd7172a1 |
| SHA1 | 7db314c408669b2f34240bb0533d2e3d85d4968a |
| SHA256 | 087e36684856e4a21975e47954e2f4c0d05e3dec59b217890efa7b7cea75b9a8 |
| SHA512 | de78a1aed6b0725336cd7645bd1340d85dcd0c66e960c426aab39ccb26cb514942c3ebdd23db3b531afef8f21322abe1352bee16189043a911438da204d3df89 |
C:\Windows\System\wZFzKNK.exe
| MD5 | 51e78f04a6fe05df687c976d3b1b70e3 |
| SHA1 | e4907ae3c74b588c9d4fd4ca535d6b9a753c7927 |
| SHA256 | 54f9fbbb8e45045822f6c64f5dffad111380969d03732328eaacd9dfac4f2fff |
| SHA512 | 435b31f385f379509bfe16114eaba0128c3b119abe9e03117ff487cc6e2cdb98fbebb84257e676333c19db527f592c52f6748b89762826d571c9ef015248fe02 |
C:\Windows\System\ubpeUlR.exe
| MD5 | 16ab7ba766b45fdc229b0dbb398ee7e7 |
| SHA1 | 9498fe029533cc97cf67a0fe37f7e75f9354a06f |
| SHA256 | 1a7d6e96e37c81f34bfd76ee5f5a7ad068954b3337889a4acc174dcf24ee3880 |
| SHA512 | c858b067d388acea7394e1d805b0e748f62d7fea94b593626406c6c882663b7f436776e2481eb6a079bf6433a4f645c61778561b795cc2d729d10da141580ffe |
memory/232-70-0x00007FF741070000-0x00007FF7413C1000-memory.dmp
C:\Windows\System\MzcHKBp.exe
| MD5 | cb92643bd9c622813ce53f951843e171 |
| SHA1 | ee9bad76f07cd69f51256221750c76fa5040efbd |
| SHA256 | 062a290af1a8e69dc111eeeaa6fb4451dab2f3afbd6b6d5011882cfb248f2d5c |
| SHA512 | 51bc0c4a3e29821dcd468e252ae824ae5e5cb822f2c58adb6eb9d5db96886608004ac4fc6dd34251adcda08ad4759c6fceb6909ad97003edd5a23fd358863821 |
memory/5048-63-0x00007FF796030000-0x00007FF796381000-memory.dmp
C:\Windows\System\tMOKMSt.exe
| MD5 | 057978985d1318ae9575de0da8ce28e0 |
| SHA1 | a9d46977466cdac6bcd89878690c83e259bdcf9a |
| SHA256 | 199bc7ebaec4629589ec0aff9ccb0cb36c44b5d8a026c2236cc2a00d7cfa34e5 |
| SHA512 | f016dafe906f743f2743828edb0c999c7c52460319442d2595f9aed26e08148753b54d0883b6654dfaad9ec0250c89ecc16d82618d289a5f62ae2617811aa5cc |
memory/2460-54-0x00007FF77E2F0000-0x00007FF77E641000-memory.dmp
memory/3312-40-0x00007FF627B60000-0x00007FF627EB1000-memory.dmp
C:\Windows\System\ahRNWPO.exe
| MD5 | c5243d7ea54a2c343c4b60ca7fc9ff39 |
| SHA1 | 0f1edb81afab95ddad4ceb7fac796b4e74e1949b |
| SHA256 | 3909fe2d0c07dd1fa43cdaa402328754eb512bd385dbd11c25629982312dc31c |
| SHA512 | d6431a170149208f293cfa1d224693e6ac0bd415b081593a8482a83ea95cea755992f26f8cb9338ad29c3f35e00b6ba8e11f49e15508cc63bd7094eaf817c9b2 |
C:\Windows\System\ubGJoiA.exe
| MD5 | 869dda48f42f9b4ed307a40fdd6e8ad5 |
| SHA1 | 88778cb7c1ee71c84296a0d54f418a266db345bf |
| SHA256 | 3d2403ede52705ab096724341fa7b478cbab78af62b70e65eefa656e26338d21 |
| SHA512 | b20d1e9cfd2a1bf03b1caae4e7e3d5b362f7858cd592fbda86f8de4a0701ebb03da766c5663498fd9208092b3d278335dbd4e83a9337423f1ef4d0a7cb672112 |
memory/3840-124-0x00007FF659110000-0x00007FF659461000-memory.dmp
C:\Windows\System\EZzlIAU.exe
| MD5 | 0313b04e84e05e6bf38577659404c5bd |
| SHA1 | 83a6fccedcbfc4b143635bb06d5a6eddf083086f |
| SHA256 | b7ac86f76d0a0d6abe01daf623c2f8ed15de7ad40f3855669d4cd1d38623e235 |
| SHA512 | ef21b69d55645905106b04b62d631e456fc9bb45065f1f1974538bb30198b26f5387887cd3017b748197c3136acf0bff1ca3bec1592d25db9d8bb33226e2180b |
memory/2936-118-0x00007FF68B9E0000-0x00007FF68BD31000-memory.dmp
C:\Windows\System\PMDDJhf.exe
| MD5 | 83ad9a03189e5a0e933e78f1a45c5333 |
| SHA1 | d3a7acce2ba5f03844d2d1f60470742f11807bc1 |
| SHA256 | 5e4f58718c8708486c3dafb098f8c8e27027b8aedb3af2ecf760b4c6ad5cc302 |
| SHA512 | 03fafd202092fdcb05f44f1424f4adc32a17f222993ce2a67125b1ab4cffac1757f85f33ca717ff97957fbdcc03a7cb661302b7b6e4d0c3586d9b953f5e89ac3 |
memory/4020-111-0x00007FF613FC0000-0x00007FF614311000-memory.dmp
memory/4748-127-0x00007FF7685D0000-0x00007FF768921000-memory.dmp
memory/904-128-0x00007FF619A30000-0x00007FF619D81000-memory.dmp
memory/1508-129-0x00007FF658960000-0x00007FF658CB1000-memory.dmp
memory/2936-130-0x00007FF68B9E0000-0x00007FF68BD31000-memory.dmp
memory/1628-137-0x00007FF7A3050000-0x00007FF7A33A1000-memory.dmp
memory/3312-135-0x00007FF627B60000-0x00007FF627EB1000-memory.dmp
memory/4668-144-0x00007FF760F20000-0x00007FF761271000-memory.dmp
memory/3108-147-0x00007FF6508A0000-0x00007FF650BF1000-memory.dmp
memory/4484-146-0x00007FF68C160000-0x00007FF68C4B1000-memory.dmp
memory/2560-145-0x00007FF603DC0000-0x00007FF604111000-memory.dmp
memory/232-143-0x00007FF741070000-0x00007FF7413C1000-memory.dmp
memory/3948-142-0x00007FF7B34E0000-0x00007FF7B3831000-memory.dmp
memory/2720-140-0x00007FF79BB30000-0x00007FF79BE81000-memory.dmp
memory/2460-139-0x00007FF77E2F0000-0x00007FF77E641000-memory.dmp
memory/3468-134-0x00007FF7258C0000-0x00007FF725C11000-memory.dmp
memory/1632-141-0x00007FF7C4FA0000-0x00007FF7C52F1000-memory.dmp
memory/3100-133-0x00007FF63DD20000-0x00007FF63E071000-memory.dmp
memory/4020-148-0x00007FF613FC0000-0x00007FF614311000-memory.dmp
memory/3840-149-0x00007FF659110000-0x00007FF659461000-memory.dmp
memory/2936-152-0x00007FF68B9E0000-0x00007FF68BD31000-memory.dmp
memory/2936-170-0x00007FF68B9E0000-0x00007FF68BD31000-memory.dmp
memory/1512-200-0x00007FF72A1E0000-0x00007FF72A531000-memory.dmp
memory/904-202-0x00007FF619A30000-0x00007FF619D81000-memory.dmp
memory/3100-204-0x00007FF63DD20000-0x00007FF63E071000-memory.dmp
memory/5048-206-0x00007FF796030000-0x00007FF796381000-memory.dmp
memory/3468-208-0x00007FF7258C0000-0x00007FF725C11000-memory.dmp
memory/2608-211-0x00007FF66AB10000-0x00007FF66AE61000-memory.dmp
memory/3312-212-0x00007FF627B60000-0x00007FF627EB1000-memory.dmp
memory/1628-214-0x00007FF7A3050000-0x00007FF7A33A1000-memory.dmp
memory/2460-216-0x00007FF77E2F0000-0x00007FF77E641000-memory.dmp
memory/4668-227-0x00007FF760F20000-0x00007FF761271000-memory.dmp
memory/2720-228-0x00007FF79BB30000-0x00007FF79BE81000-memory.dmp
memory/3948-232-0x00007FF7B34E0000-0x00007FF7B3831000-memory.dmp
memory/4484-238-0x00007FF68C160000-0x00007FF68C4B1000-memory.dmp
memory/1632-234-0x00007FF7C4FA0000-0x00007FF7C52F1000-memory.dmp
memory/2560-237-0x00007FF603DC0000-0x00007FF604111000-memory.dmp
memory/3108-231-0x00007FF6508A0000-0x00007FF650BF1000-memory.dmp
memory/4748-246-0x00007FF7685D0000-0x00007FF768921000-memory.dmp
memory/4020-248-0x00007FF613FC0000-0x00007FF614311000-memory.dmp
memory/1508-243-0x00007FF658960000-0x00007FF658CB1000-memory.dmp
memory/232-241-0x00007FF741070000-0x00007FF7413C1000-memory.dmp
memory/3840-245-0x00007FF659110000-0x00007FF659461000-memory.dmp