Analysis Overview
SHA256
e686be11c93288904aa18aa36f682f35bdb9890999a985cbc1e32924778ec40f
Threat Level: Known bad
The file 2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Cobaltstrike family
Cobaltstrike
Xmrig family
Cobalt Strike reflective loader
xmrig
XMRig Miner payload
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-06 11:44
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 11:44
Reported
2024-08-06 11:47
Platform
win7-20240704-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System\XsTOQYr.exe | N/A |
| N/A | N/A | C:\Windows\System\hddPrdm.exe | N/A |
| N/A | N/A | C:\Windows\System\BvgPfAj.exe | N/A |
| N/A | N/A | C:\Windows\System\QgQcOQT.exe | N/A |
| N/A | N/A | C:\Windows\System\pJHmlxa.exe | N/A |
| N/A | N/A | C:\Windows\System\iNEvjBQ.exe | N/A |
| N/A | N/A | C:\Windows\System\kQdUlth.exe | N/A |
| N/A | N/A | C:\Windows\System\ZByVbaC.exe | N/A |
| N/A | N/A | C:\Windows\System\npFDjOB.exe | N/A |
| N/A | N/A | C:\Windows\System\OrLNinI.exe | N/A |
| N/A | N/A | C:\Windows\System\OWyppdd.exe | N/A |
| N/A | N/A | C:\Windows\System\zVEqCQJ.exe | N/A |
| N/A | N/A | C:\Windows\System\sdrLRfi.exe | N/A |
| N/A | N/A | C:\Windows\System\kYZkrfW.exe | N/A |
| N/A | N/A | C:\Windows\System\pDaHrLk.exe | N/A |
| N/A | N/A | C:\Windows\System\KMSXksP.exe | N/A |
| N/A | N/A | C:\Windows\System\CCwTcbR.exe | N/A |
| N/A | N/A | C:\Windows\System\jWOkSGa.exe | N/A |
| N/A | N/A | C:\Windows\System\AVqGMwS.exe | N/A |
| N/A | N/A | C:\Windows\System\DSOewGZ.exe | N/A |
| N/A | N/A | C:\Windows\System\wQApehG.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\XsTOQYr.exe
C:\Windows\System\XsTOQYr.exe
C:\Windows\System\hddPrdm.exe
C:\Windows\System\hddPrdm.exe
C:\Windows\System\BvgPfAj.exe
C:\Windows\System\BvgPfAj.exe
C:\Windows\System\QgQcOQT.exe
C:\Windows\System\QgQcOQT.exe
C:\Windows\System\pJHmlxa.exe
C:\Windows\System\pJHmlxa.exe
C:\Windows\System\kYZkrfW.exe
C:\Windows\System\kYZkrfW.exe
C:\Windows\System\iNEvjBQ.exe
C:\Windows\System\iNEvjBQ.exe
C:\Windows\System\pDaHrLk.exe
C:\Windows\System\pDaHrLk.exe
C:\Windows\System\kQdUlth.exe
C:\Windows\System\kQdUlth.exe
C:\Windows\System\KMSXksP.exe
C:\Windows\System\KMSXksP.exe
C:\Windows\System\ZByVbaC.exe
C:\Windows\System\ZByVbaC.exe
C:\Windows\System\CCwTcbR.exe
C:\Windows\System\CCwTcbR.exe
C:\Windows\System\npFDjOB.exe
C:\Windows\System\npFDjOB.exe
C:\Windows\System\jWOkSGa.exe
C:\Windows\System\jWOkSGa.exe
C:\Windows\System\OrLNinI.exe
C:\Windows\System\OrLNinI.exe
C:\Windows\System\AVqGMwS.exe
C:\Windows\System\AVqGMwS.exe
C:\Windows\System\OWyppdd.exe
C:\Windows\System\OWyppdd.exe
C:\Windows\System\DSOewGZ.exe
C:\Windows\System\DSOewGZ.exe
C:\Windows\System\zVEqCQJ.exe
C:\Windows\System\zVEqCQJ.exe
C:\Windows\System\wQApehG.exe
C:\Windows\System\wQApehG.exe
C:\Windows\System\sdrLRfi.exe
C:\Windows\System\sdrLRfi.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1864-0-0x000000013FDF0000-0x0000000140141000-memory.dmp
memory/1864-1-0x0000000000200000-0x0000000000210000-memory.dmp
C:\Windows\system\XsTOQYr.exe
| MD5 | ed4f39b7260b8bad9fd029327543420b |
| SHA1 | 6b2bdca5b4a94a57a23b7dbc050a26521ceae9b6 |
| SHA256 | 339a1ffc37fe2937441cca6588e9687664c60868855b29e5a672d22d1ea92336 |
| SHA512 | a83adbd6b1609ef6a222b6eb18477859e0246b90c8dadd1f4bf902f39a9cf174397d3c84415e57e88c0edc24e16e4fc246c6d17b7ff49f4cf058803d81651cd8 |
C:\Windows\system\hddPrdm.exe
| MD5 | f7822ac5d0506a6581a34184d92e7578 |
| SHA1 | 501cfe2315696c1f50bc6907af3965d9190e3bff |
| SHA256 | 65d0b0962fa733b832525a5153fc8531368c4ff9f2aecb8e2d86fff65153d269 |
| SHA512 | 7f8565ef31d6799f8f2d15bd476f3f48afda07e853b82c58c4bac429dad256d4bd7858998c00de8d3dd541daea7e1ca0995a8a43343d6487350b3e4e3577ed7a |
C:\Windows\system\BvgPfAj.exe
| MD5 | 33a4f1d80d463de0bba968ec65f827ad |
| SHA1 | 9494ad1277b2bd231c9c7d6388ecd808c6435307 |
| SHA256 | 7e9277cce875189cf47afba3388bb65e1db6dfd213f53eaafd9e2daacc00e8cf |
| SHA512 | ee41c9af5e587cec42911692b843c410b7413159369ce4be9e491a2defd977275ae7e1dd75cf27205d722610de557588bb4d5b331a7ff41c9c450a3b5254f920 |
\Windows\system\kYZkrfW.exe
| MD5 | e3bd7f8aec73a397544fac1cbe290e3e |
| SHA1 | 879a23dd8b97f62ae4aff0e4b205f87aeed659f3 |
| SHA256 | 7746b25f46071afa47e817901345af69248421e5a1cc4a44d77a372ec4ae16d9 |
| SHA512 | e3f06914354ef2e17131fa96826dd67f1e48a1d9464e2fcd3617fe58c6b64d0d1f83ed6452da9b3048a06a41dd3b2e85c97a1790007ccfbb95b50bcabfeedc6e |
\Windows\system\QgQcOQT.exe
| MD5 | 3c94ae648b377f8147e716d71f9a9458 |
| SHA1 | ccbf3ec4baae74ee2acaa230a3463464bb368c39 |
| SHA256 | aee77c3cf599ac7e52890daa77ca16c0f7a8e216a180b64790e19b02e152442c |
| SHA512 | 38f9546308f848559ded0aee3fe6ae564a139d22ce411482642186b84c1e5667151d70e2159e5b6ef46a933efc21d4679a08f42eed105abc7289418cb6b45509 |
memory/2268-119-0x000000013FCC0000-0x0000000140011000-memory.dmp
\Windows\system\wQApehG.exe
| MD5 | 61f9ec2db5ed3e64db19590d4dff0631 |
| SHA1 | 89916b5ecee960a9754e4c5771a1d9f7baae7da8 |
| SHA256 | c30300f551baeda2773856e723fb5ff06ed914c0b9a6ff022cac030a8f261ac6 |
| SHA512 | 60e69eecc0b3e9d65083adda9c2e2a4be988dcae773b8641c3392ea5212924e173fc9f25c9cd2cc77475d595b7e6f4fb512b28d760277e3821a96574a9d0993c |
memory/1864-74-0x000000013F600000-0x000000013F951000-memory.dmp
\Windows\system\DSOewGZ.exe
| MD5 | 063dfc94f2eb4b876cf77815ec511573 |
| SHA1 | 18a9b091cfb1b5d3164025998b08a8d7402ec342 |
| SHA256 | 16b845f3f9df91d5656db02946856f137cffb9864d4ca3b7ba6103021591cd66 |
| SHA512 | 210ba3b95ddb068258613f8c9a8f87049baad12cc3e984438188dfa586d774d456e5d21454daf0cd9e485ee55cfe5ad68ac156c3ac0fc802b64cbc86d69c4dd4 |
\Windows\system\AVqGMwS.exe
| MD5 | 7dde2c974e5c8803063860b7ecdd8cde |
| SHA1 | de72d3e29d92d8bf9c93234fbd9c22f7f38c255f |
| SHA256 | 3818bd5fdeedede3dba495992f7c36d81a32b69c1c81f8f1a9b6060a4bd9019f |
| SHA512 | ec36c4fe45e5b1269801af718e979168454396a607adfbf9213a40044e0abbff270f32a680df4238ff14703c1af6b8e77a42e445926483dd1f90fbb40e3f3f19 |
memory/1864-57-0x000000013FA10000-0x000000013FD61000-memory.dmp
\Windows\system\jWOkSGa.exe
| MD5 | 0d142deacd1053c066c52bf26d9794a2 |
| SHA1 | 7595e3f0f8d228dfa3a1ecb3ee047adb7a41d57f |
| SHA256 | d7c7c8bcebf4bfaf73cb2c750ff074cf991a4d1bdb3711d947196340b8c62064 |
| SHA512 | ab1dae862227cf89ccf957fa3f04b0e04aa80ae407f1693eb9c0c14678256b4f5cd360b15649b4eca3123cfaafc1e62810579215d49f7a3fa199ff477c26a4b9 |
memory/1864-52-0x0000000002220000-0x0000000002571000-memory.dmp
memory/1864-51-0x000000013F5D0000-0x000000013F921000-memory.dmp
memory/1864-50-0x000000013FA90000-0x000000013FDE1000-memory.dmp
\Windows\system\CCwTcbR.exe
| MD5 | 5014db3f1c2daae73a60b8f0d9b614a5 |
| SHA1 | 5e4a044494cc7651b3a4d5004f552bbae31bd02e |
| SHA256 | 2f40b306560391f89270ca06daacb55a7871935f941fc0930ea239adce54d85d |
| SHA512 | 945a8292ad53947ef28af4f7dd1f0ab42b3820eeb1e6c24d5dc297785bd48b83cd3017b6eb909564d6509ba7d2c10c8bb646621c0551d962a87163aaf759d085 |
C:\Windows\system\KMSXksP.exe
| MD5 | 8d6789060b560bf733436e7d237f616f |
| SHA1 | d14d6734553c98b1715a1083873959fc86f53e87 |
| SHA256 | 36932ded4abc98288d54b071400bd761a41f34bdef7c84114ae2e4c6526c2c04 |
| SHA512 | 49914d8deba14cf361ab0702165c5bc301c9f52b6382d908197611f512ac055f2c2bf13d0538aa8f308aca2c8b2c523a32ca0c9229f1fc942108621b66aa701c |
memory/2516-117-0x000000013FCA0000-0x000000013FFF1000-memory.dmp
memory/2924-116-0x000000013F600000-0x000000013F951000-memory.dmp
memory/2808-115-0x000000013F5F0000-0x000000013F941000-memory.dmp
C:\Windows\system\pDaHrLk.exe
| MD5 | b3bb048a1f94d7a264fd0f8f165f277e |
| SHA1 | 28af0d6ce0b2813f721de90c3498b2c458b6715d |
| SHA256 | 43bb0e74c5bf797a99cd949c94788154cbd1caf3dfd70c2e22af768ea75432cb |
| SHA512 | 62096ef708d43e37c292207a68a333a2b2fcfb69d580cacf5d92837f93cf95afe95c8476e753c9e0beef3f8baaf0e5b161d22a15e2afdd7a218db29cb003cc2f |
memory/2308-103-0x000000013FA90000-0x000000013FDE1000-memory.dmp
memory/1864-100-0x000000013F9F0000-0x000000013FD41000-memory.dmp
C:\Windows\system\sdrLRfi.exe
| MD5 | ff0afebec3983550f50b84a4643aeba5 |
| SHA1 | cdf77aa37f6f309c8b618cc9d24958e5b60cf019 |
| SHA256 | 219bce06b442dd2ac13cddc6b67cab1d5394eeefeb1e07efd3f40c39dbe34e97 |
| SHA512 | 8004843f66bd9525b78dcf6100622413a332a041617725688618636a1cbf4cebe67418136b89960733bc4c664466edf4a10fa59e7197fac675e2b58b6883547f |
C:\Windows\system\zVEqCQJ.exe
| MD5 | f75ecf1bfa9753a9ad3628554fb0f64b |
| SHA1 | c3f8a323da4202d2e16dc783b349e8a288bb7d66 |
| SHA256 | 177f1343d88e0fd4b7b95186a4a40d1af7f4b0a4c68aa22da15bd52fd1371c56 |
| SHA512 | 4e7811ebea965681bade67acc5bdfdbf18ac6e296b564f56357e7bcad7ea7bbfc7a28fe920a630a1b7b01df99d1cf0a74fdc1254056040f95becaea74735e7ef |
C:\Windows\system\OWyppdd.exe
| MD5 | e715d9be22b450dc47531f3744d733c4 |
| SHA1 | 89b81cfa402bd9a357629248341fbcb05654c133 |
| SHA256 | 8b2681e8a3d88dcc789913589925e545545737dff5ac8fff16458f9340cd9946 |
| SHA512 | 69f49ed72ead64b6d2083a3c620e20fe86ea3f2e8c9adc451c202c684911b7195aaaeb8d269e544a413d71da2b9f2e1d38c5bf22775c094343913fae52e09225 |
C:\Windows\system\OrLNinI.exe
| MD5 | c4102702d7a612217893359c642b3066 |
| SHA1 | eec9442b25f7314171daeaa64bedf55bbaf25961 |
| SHA256 | 25fd3fa3de080190991b2872330411b13425976895743a913ef05295e2807539 |
| SHA512 | 455f9e392802d9208eec109ca3d05426d1a0d0838253fe5f9b30e06fa0ef052ee9c6b418ab347986912b4700678f48d29866359c7bf9bdcc28929f489fcb00be |
C:\Windows\system\npFDjOB.exe
| MD5 | 67fd5cb04d5515303f012905779f9638 |
| SHA1 | ab789f084f2d6917a8d2565e7bc75d6d7cfc105c |
| SHA256 | b0110a35a45dec59d21fa98088a9b5d5003ea35b98184ba15d8da64c87fb983b |
| SHA512 | 2fd26bf56de044b58e3f063bb4b221e503a6ee33e281796681142dced4e3b07217623cdb5de5c7dedcc9e5c2f59161d733c83bce6da40ba2dbf01b8b92b5bcc6 |
C:\Windows\system\ZByVbaC.exe
| MD5 | 9afbabf5cc96c7c36b5477b39d479b86 |
| SHA1 | 2c51a9c9c2f45f95324616872b55671ada7dd8a7 |
| SHA256 | 391c32a24770506b4a9f6c976e97aebb149e006fe712b452095de3cc67c204ac |
| SHA512 | 54373e3cdc71067c6bec2e5e7798102a477c32a454057142f5a8a37d42ef03cf62137b9a99d3e76c4f002ab985c0d2780ebab2273c00ed0da62cab255a9a7fab |
C:\Windows\system\kQdUlth.exe
| MD5 | 02fab31e0c85abac2f53051c1c91002b |
| SHA1 | 15766e38ec45f74cc255d771111d65bab67febb8 |
| SHA256 | 5df917f57df7eaafb10f6b444bf31b1b9da5a10e469b649346e7245af9da0c04 |
| SHA512 | 800c535e9c23418c509d50bcdbf071488bef4bb62bae720c13f66bad47cec6dc6cf86f320ea8205ba1ed8613af1132f669f6f34f42ed89829ac8e8f419b34307 |
C:\Windows\system\iNEvjBQ.exe
| MD5 | 7eb370f43dde0a7e9f75813420eab6d8 |
| SHA1 | 793dd3d6d6ff25fd19c58d122c3f1c10b75de7cb |
| SHA256 | 7c6a0b94bc668227f070d2ddbf4aed8a9fbdf5fae2e546ba2f344c7ebb0e9ec8 |
| SHA512 | e8e3c5f327d47dc40554af43b5be9bbbc37ab3b1657723eb6eebd6b678d3cdb01f143b37d519411afcfab62479266723f8d2189540baba7fad7537692b717b49 |
C:\Windows\system\pJHmlxa.exe
| MD5 | 96ab3219b51cc1e7f55bb1bb279ea8a9 |
| SHA1 | 06efadb6a9a047ab7c784b834e130145c14f6f8e |
| SHA256 | 18e2883ca71ff29c6882f9648c597110c19ba61b005e3e012af9199d8f27e122 |
| SHA512 | 636c3ea1b1b04c4de9f9695f786b0d3ff88eb7bb0dde71ad233f46a0f752c3425540e3c61f4de4870cbf96bb3a89d1ad43fe9e208459003cf41be118f23ef37d |
memory/1864-89-0x000000013F420000-0x000000013F771000-memory.dmp
memory/1864-87-0x0000000002220000-0x0000000002571000-memory.dmp
memory/1864-86-0x000000013FA50000-0x000000013FDA1000-memory.dmp
memory/1864-85-0x000000013F070000-0x000000013F3C1000-memory.dmp
memory/1864-84-0x000000013F330000-0x000000013F681000-memory.dmp
memory/1864-83-0x000000013F970000-0x000000013FCC1000-memory.dmp
memory/1864-68-0x000000013F3A0000-0x000000013F6F1000-memory.dmp
memory/1864-62-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/1864-46-0x0000000002220000-0x0000000002571000-memory.dmp
memory/2228-38-0x000000013FF00000-0x0000000140251000-memory.dmp
memory/3068-31-0x000000013F5D0000-0x000000013F921000-memory.dmp
memory/2252-21-0x000000013F0C0000-0x000000013F411000-memory.dmp
memory/1864-35-0x0000000002220000-0x0000000002571000-memory.dmp
memory/2252-126-0x000000013F0C0000-0x000000013F411000-memory.dmp
memory/2956-135-0x000000013F3A0000-0x000000013F6F1000-memory.dmp
memory/596-133-0x000000013FA10000-0x000000013FD61000-memory.dmp
memory/2980-131-0x000000013FF10000-0x0000000140261000-memory.dmp
memory/1864-125-0x000000013FDF0000-0x0000000140141000-memory.dmp
memory/2816-146-0x000000013FB40000-0x000000013FE91000-memory.dmp
memory/2316-151-0x000000013F330000-0x000000013F681000-memory.dmp
memory/1888-150-0x000000013F9F0000-0x000000013FD41000-memory.dmp
memory/2724-149-0x000000013F420000-0x000000013F771000-memory.dmp
memory/2660-148-0x000000013FC70000-0x000000013FFC1000-memory.dmp
memory/2868-145-0x000000013FA50000-0x000000013FDA1000-memory.dmp
memory/2160-144-0x000000013F970000-0x000000013FCC1000-memory.dmp
memory/2964-147-0x000000013FA60000-0x000000013FDB1000-memory.dmp
memory/2908-143-0x000000013F070000-0x000000013F3C1000-memory.dmp
memory/1864-152-0x000000013FDF0000-0x0000000140141000-memory.dmp
memory/1864-153-0x000000013FDF0000-0x0000000140141000-memory.dmp
memory/2956-163-0x000000013F3A0000-0x000000013F6F1000-memory.dmp
memory/2900-165-0x000000013F680000-0x000000013F9D1000-memory.dmp
memory/2252-198-0x000000013F0C0000-0x000000013F411000-memory.dmp
memory/2228-200-0x000000013FF00000-0x0000000140251000-memory.dmp
memory/3068-202-0x000000013F5D0000-0x000000013F921000-memory.dmp
memory/2924-228-0x000000013F600000-0x000000013F951000-memory.dmp
memory/2516-235-0x000000013FCA0000-0x000000013FFF1000-memory.dmp
memory/2268-224-0x000000013FCC0000-0x0000000140011000-memory.dmp
memory/2808-226-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/2308-204-0x000000013FA90000-0x000000013FDE1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 11:44
Reported
2024-08-06 11:47
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System\adntjyk.exe | N/A |
| N/A | N/A | C:\Windows\System\uMXPtMb.exe | N/A |
| N/A | N/A | C:\Windows\System\knPuwKm.exe | N/A |
| N/A | N/A | C:\Windows\System\qgumisE.exe | N/A |
| N/A | N/A | C:\Windows\System\FsEhGXV.exe | N/A |
| N/A | N/A | C:\Windows\System\npEYFMi.exe | N/A |
| N/A | N/A | C:\Windows\System\sqBgciZ.exe | N/A |
| N/A | N/A | C:\Windows\System\ISLDoVG.exe | N/A |
| N/A | N/A | C:\Windows\System\Wnjntws.exe | N/A |
| N/A | N/A | C:\Windows\System\msVjRTj.exe | N/A |
| N/A | N/A | C:\Windows\System\wNemOVx.exe | N/A |
| N/A | N/A | C:\Windows\System\BcrJQJI.exe | N/A |
| N/A | N/A | C:\Windows\System\lydOEcv.exe | N/A |
| N/A | N/A | C:\Windows\System\LbUOYlw.exe | N/A |
| N/A | N/A | C:\Windows\System\FYvKdts.exe | N/A |
| N/A | N/A | C:\Windows\System\JsWLTXU.exe | N/A |
| N/A | N/A | C:\Windows\System\fXDYLzI.exe | N/A |
| N/A | N/A | C:\Windows\System\AOteMff.exe | N/A |
| N/A | N/A | C:\Windows\System\tCECsja.exe | N/A |
| N/A | N/A | C:\Windows\System\DAiSadL.exe | N/A |
| N/A | N/A | C:\Windows\System\DWziYqH.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_181ff1d239736a9a8f3a99f7926ea67e_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\adntjyk.exe
C:\Windows\System\adntjyk.exe
C:\Windows\System\uMXPtMb.exe
C:\Windows\System\uMXPtMb.exe
C:\Windows\System\knPuwKm.exe
C:\Windows\System\knPuwKm.exe
C:\Windows\System\qgumisE.exe
C:\Windows\System\qgumisE.exe
C:\Windows\System\FsEhGXV.exe
C:\Windows\System\FsEhGXV.exe
C:\Windows\System\npEYFMi.exe
C:\Windows\System\npEYFMi.exe
C:\Windows\System\sqBgciZ.exe
C:\Windows\System\sqBgciZ.exe
C:\Windows\System\ISLDoVG.exe
C:\Windows\System\ISLDoVG.exe
C:\Windows\System\msVjRTj.exe
C:\Windows\System\msVjRTj.exe
C:\Windows\System\Wnjntws.exe
C:\Windows\System\Wnjntws.exe
C:\Windows\System\wNemOVx.exe
C:\Windows\System\wNemOVx.exe
C:\Windows\System\BcrJQJI.exe
C:\Windows\System\BcrJQJI.exe
C:\Windows\System\lydOEcv.exe
C:\Windows\System\lydOEcv.exe
C:\Windows\System\LbUOYlw.exe
C:\Windows\System\LbUOYlw.exe
C:\Windows\System\FYvKdts.exe
C:\Windows\System\FYvKdts.exe
C:\Windows\System\JsWLTXU.exe
C:\Windows\System\JsWLTXU.exe
C:\Windows\System\fXDYLzI.exe
C:\Windows\System\fXDYLzI.exe
C:\Windows\System\AOteMff.exe
C:\Windows\System\AOteMff.exe
C:\Windows\System\tCECsja.exe
C:\Windows\System\tCECsja.exe
C:\Windows\System\DAiSadL.exe
C:\Windows\System\DAiSadL.exe
C:\Windows\System\DWziYqH.exe
C:\Windows\System\DWziYqH.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2216-0-0x00007FF60C2E0000-0x00007FF60C631000-memory.dmp
memory/2216-1-0x000001F5CDAE0000-0x000001F5CDAF0000-memory.dmp
C:\Windows\System\adntjyk.exe
| MD5 | 410fc4a9b83cf55efad5ffd45b77ffad |
| SHA1 | 8b92ec1f5597df8042db0ffffdb58ce08ebee34d |
| SHA256 | 5ce2f3f23fa96b74cc0336b54540091874cbde75a690a5742975c51b546ee31b |
| SHA512 | 1b7dc78d318d8d5eba98fbb8dc60c803a764ee235de85f309933eafd4acbf8be7f5e80d7c0a26bf03090df8e433b6aff29d385a6a434a1cbede3770cd91c1502 |
memory/2336-9-0x00007FF6BE280000-0x00007FF6BE5D1000-memory.dmp
C:\Windows\System\uMXPtMb.exe
| MD5 | e5e2bc7f2611ae08f2ea18c000681d62 |
| SHA1 | 32c8731c9946494b80b89153b858dba7c6db8894 |
| SHA256 | 965ba7500c4c7139aa72421838bf47a5e9e5b9bd31e501d7d876bbf2ab09a956 |
| SHA512 | 693103e19970a365f68500fa5c6cb4c7c1d2e1a948885b59c9d3e753fb1979d7cfe54cf60b2f188af4fa54994bf80cac260674bcc7e8cc87988f773385d07cc1 |
C:\Windows\System\knPuwKm.exe
| MD5 | b64770bba9fe32ba3bc1b2b179a1b6be |
| SHA1 | 4f4722b6e561d56d84bc9a51825747111a6d32a3 |
| SHA256 | 55f6767f4104c8df42f8639a974fc0a818c6da9501c280f39e747049084d9e03 |
| SHA512 | 440cb76547fdb86b593a331175b3a06a1a508a3788627e60eb0dab1d23b660e384b456941f88e29c7b0e2c870edcdcc57f4e652791499faec0460ae7a1e869d8 |
C:\Windows\System\FsEhGXV.exe
| MD5 | 3e945591524e7d6bfae0f65a153c1160 |
| SHA1 | 2d5bbd53497bd85f1d7b32286412390526d1393f |
| SHA256 | 8c78762abd2e00df0e23bc09c8323dd43628ef20a4fa9300f8e7951b1ad6e9b5 |
| SHA512 | c1428ff72f1a7b72353bbc26e878ab840cc7c165c9556fbe978c2d4406218cde1ea053328c5ba5b3fe087f02e0748173c3919e62aeddbcccc2556cf974a39616 |
C:\Windows\System\sqBgciZ.exe
| MD5 | e2cf5ab29dee5cf7561038918e26cfac |
| SHA1 | 5836033651eb2f446336e33a8db0f457eb247eda |
| SHA256 | b126a690bef31309610c73ca6606474c995547038303c47644eeaaa33971923e |
| SHA512 | b42741e0bd69ddd7ddc6e3cd956359c04cc8a79d74763d0caacd7b495a8156d7b36692b1640297617a8e30deacae11796c6c3bdc5813c2c233f328ba0dbcac84 |
C:\Windows\System\npEYFMi.exe
| MD5 | 4d1eed511c4491c8e15c698e3787cc04 |
| SHA1 | dd5e31523e0dc70cd3a5006fb30d07577cc6a31a |
| SHA256 | 2b2c10b721a02da5a7f2d298d2b7e00b158d826f605c6559a428f40b7e92bbf6 |
| SHA512 | ae490d1b0b37ffd1818997f3414c0d8a4494baeb164af17896e2106c326e40f063fe8ff7f67105c1d3384d16b1bbc3766b44b92e45d0cad05885cfa68c2d34ba |
C:\Windows\System\ISLDoVG.exe
| MD5 | fc0f0360164a7f5eadb941db6e9a4f73 |
| SHA1 | 8657b0a6d733d95f86ba9c7a6ed70e5eadbadddb |
| SHA256 | e4ea66d16a54d937533ddcb30559c157fc3ebb52d1f5cf233dd5b050bbb2f9e8 |
| SHA512 | 8dd0d1498218a392980c22926172f77db83b76b8bb6e1d4f8f475d28a7a3bda50b8bf6d0c7ad57f1d01e9c04e0738a7d5934fccf08d67a8e5319472743db2ea2 |
C:\Windows\System\Wnjntws.exe
| MD5 | 8eb9b619081a38eaa530d5dd5e927283 |
| SHA1 | 87324b30f56fff5a7fc05e1d3aaec3db70dfd15e |
| SHA256 | 8ad2926e146eed39eb9fb98749303f62ef102498cb5734329852663bb67d7e53 |
| SHA512 | bf42d01f7b5687598c2ce1eb6af5421e477f08345f95d8106f3550dd9cc1f7a254f7e3f3e1929ca5d37157d4a0080edea85037269c66264a1b87bb0e5fbde750 |
C:\Windows\System\lydOEcv.exe
| MD5 | 39c98b4b684bfb6a61d9fa5660b5b6da |
| SHA1 | cfec2ed06b6de2a58e410244ddc623b05c57f094 |
| SHA256 | da21b8fdfa7a726d890fc36c5de11a6e1277be8407f9b8cb8a356de0d4410b98 |
| SHA512 | 2abc87cbd2f0086ffebcc4f99f981fa06fe4d525df05509303049a289c0b761947edecb83c8323193061e98402192b74af4940a870f49c3e2cae51797ed47a0b |
memory/4964-75-0x00007FF747A00000-0x00007FF747D51000-memory.dmp
C:\Windows\System\LbUOYlw.exe
| MD5 | 31f43a84fd4f81d3cbd3ecab90d965ad |
| SHA1 | 02c31d202590ed5c81acc79d0b48aaff0c6b0c91 |
| SHA256 | fd957e1b5312fdea2e490f176448bbb1407ee926059c00a852f1ee9ee7fda9e4 |
| SHA512 | dd12cd1b8bba0162e3b2461a1a75cce896f7472640f2e7bf0018a953ce99667c517f1e4bbdbc566e6e1a7436b7372cbf137462f2b3688c5a89445582a4d9ede9 |
C:\Windows\System\FYvKdts.exe
| MD5 | f15c3ab2061203fec1a8c4d04c82d93e |
| SHA1 | 9f61356eeaec0639d066e5576f51b829f99cb5d0 |
| SHA256 | 94a2e3744f54a4a296d20f202992b51724be068d8a20ae60cae974de03debbf3 |
| SHA512 | 1894ff7d7016a0be90eb5d8b4d7a5334425025ddfa31e990831a5493e889bcf42b78f847a97db6f128a27d5ad0c1bc45278e2dda5b33c2c6b8c20d77851816ec |
C:\Windows\System\AOteMff.exe
| MD5 | 8855924775eb4e165d57065a14862d7d |
| SHA1 | c32fbf17d93402db7b49538921c0ad9af53987fc |
| SHA256 | c034c5be66a98d60a955184a13e489a4c1600671383254eb20ee588708d4bbd0 |
| SHA512 | 5216917633f9f45d0df7b1434cd2e51720db6cf69457953dff8fb805c0967df56916ca20d733fe376adc912420548bbfce00287bdc9b62b8b776b0d0d944d305 |
C:\Windows\System\DWziYqH.exe
| MD5 | 842cc090d24a0e3d693176ff2cf14a53 |
| SHA1 | 4e46f1e551543acf89812ff8e5bbe3870b200f93 |
| SHA256 | 94a79bdb310bb6a7c4106401bf9878134b6363767c1c6e6a60b7e9878d0e9b81 |
| SHA512 | 0b07db58ef4e1fea0e156b98c0e2d1e948d34ca81b40d2737fcda3a5df9384ad1070c46ec0577cfb87b15f945663abbe46fff35bd93ac934412093c5a8f08fa9 |
C:\Windows\System\DAiSadL.exe
| MD5 | 70c3e94fc075c6fbeb20fa78e6e21a1d |
| SHA1 | f576af4ad7479dfe944ea0f5ff8b870784296acc |
| SHA256 | 3c714f5f66fe2774bf4ce17a140972af55a91ef43792bbf4d588475888d1a5d5 |
| SHA512 | f20b623fd28a6b222b9afa94d7a292f4df7ea2c5350befbec6d6d4cf4bc21ed6fee0de6390817e654225fd3796c62bf46e8c229bfd1c4528622d4d53bead382d |
C:\Windows\System\tCECsja.exe
| MD5 | ae178db46010c9d49f75fe1798cd7a40 |
| SHA1 | d763db8cfc2ff066fb752b6e1b714c1f78d1450c |
| SHA256 | 401814b80f51c88347efb23a299e4ada2cefaae147c4b40bc5387eb9b7309c4f |
| SHA512 | 6631bd0d68c868c9f42c5e2681fc42bcdca61a9d75aae49b06c20dd9b37241054e708fca2e56f597033d893b713cf343a015c8b44ae5fedd13f6159908fd3ac7 |
C:\Windows\System\fXDYLzI.exe
| MD5 | 8d1ebc8fc893e7aac33c1a3273ad5e65 |
| SHA1 | dcb61b4e0dfeffa1fc343f7404e89b0cacccc486 |
| SHA256 | ada98ea04fbc2d979bfd90676291fb1e3e1b9a2ca891562a670b1b3bfa1eb9d2 |
| SHA512 | e05dbcfac700a8ebea2a731a500dd18635aa4206644d6400e7d38f161c8b6e9aca409ce5c6bc53a76bc814b06563dff3729e88bfb12489a4bcaa8688ddd2870a |
C:\Windows\System\JsWLTXU.exe
| MD5 | d532a60c4cfdcdf6c675b7e630e4ddae |
| SHA1 | 6707f9b79972354b78950ba9743144d80cb0fd81 |
| SHA256 | 151afd877a61e4d855843535938c9f09aa7d940d8523252d857852af281eaf2b |
| SHA512 | 07776aa8c0af3bec4ded64dae5338848d7997455cc07ac10a0d0417ed34e3cce94c660b4d9549470b2f93ef3ec73341d30deff06ca78cbcddfb6131a6293ec8f |
memory/3312-82-0x00007FF7C07B0000-0x00007FF7C0B01000-memory.dmp
C:\Windows\System\BcrJQJI.exe
| MD5 | 30ad1b3718eca09f261a3edcba7f99af |
| SHA1 | cf0c43b879ca99d755c73176eac9f8bbfa4327ad |
| SHA256 | 75997d98db00333d1f6afefad4cbeb7cb790edd07be58a87f1bec9b3a44a83f7 |
| SHA512 | 2823eadac81dfb3f7bc2b84dfafceeeef853d9a3878a288fb0f7a6ca740aea6d25398b885fe1d8c9f6255148b1d892ee484674a1e37a3d8905c818cee3d029f1 |
memory/1448-74-0x00007FF6F7220000-0x00007FF6F7571000-memory.dmp
C:\Windows\System\wNemOVx.exe
| MD5 | d76c8621c70b790df6d054a1b7f33c2a |
| SHA1 | b1da446e8256892235bdc729303f0840d7ab2fa4 |
| SHA256 | 0c9c987056b81d031bdcd67687a794c98f3bbce0707a5e661da6eca454371410 |
| SHA512 | b2eb579344dde3b8608c0d82f11d11bf64b1604a0a483fb2d3be4f2ed35520d69b8236b33861bff960b01292d6d8cf372378925741477744850eb6a7d59f01df |
memory/116-71-0x00007FF6E17D0000-0x00007FF6E1B21000-memory.dmp
memory/372-69-0x00007FF634800000-0x00007FF634B51000-memory.dmp
memory/1196-68-0x00007FF619010000-0x00007FF619361000-memory.dmp
C:\Windows\System\msVjRTj.exe
| MD5 | 520786dc8f35963ab0d76a61329a2bdb |
| SHA1 | 5652da51e358331eff08525fb25efd405ab35a6e |
| SHA256 | f5cef3ef19388bc70ea7ed02f0ab81f477d96b837bdd6a6168b4b6150af2b716 |
| SHA512 | 7e050af77cb609a04e6fc260046eeca3fde7425d471b9b58aef6c66b1916e05ca38e3711c16f9dee7a0c2b591fdebe36547d58b08e453645caab26400f8c5e60 |
memory/5072-57-0x00007FF60F6C0000-0x00007FF60FA11000-memory.dmp
memory/2784-46-0x00007FF7252E0000-0x00007FF725631000-memory.dmp
memory/4256-38-0x00007FF740970000-0x00007FF740CC1000-memory.dmp
memory/4140-32-0x00007FF7A0C50000-0x00007FF7A0FA1000-memory.dmp
C:\Windows\System\qgumisE.exe
| MD5 | 6568f4f82658a74fb707a96b7720b139 |
| SHA1 | 00c00f354ee0a07185a404410036d339812f7d01 |
| SHA256 | badc5c5068c0bbac3cf317a758ad3e104f3d21f765254bc4e641aa58c069b9fd |
| SHA512 | d621b283e147175de90f94b9cc94036bfaf49d2cf945cd3641f4273a93f01ec36b26860c5987e50e6da3849c790efc4dd8aa1441cd0d4be33a01044e9b9ab5c6 |
memory/660-27-0x00007FF7D6770000-0x00007FF7D6AC1000-memory.dmp
memory/3424-16-0x00007FF675D20000-0x00007FF676071000-memory.dmp
memory/1648-121-0x00007FF6F9490000-0x00007FF6F97E1000-memory.dmp
memory/2668-122-0x00007FF6D1760000-0x00007FF6D1AB1000-memory.dmp
memory/4428-120-0x00007FF7E22E0000-0x00007FF7E2631000-memory.dmp
memory/2480-123-0x00007FF6EC980000-0x00007FF6ECCD1000-memory.dmp
memory/1364-124-0x00007FF730570000-0x00007FF7308C1000-memory.dmp
memory/4552-125-0x00007FF66E7F0000-0x00007FF66EB41000-memory.dmp
memory/3412-126-0x00007FF7E9C90000-0x00007FF7E9FE1000-memory.dmp
memory/2292-127-0x00007FF6A5670000-0x00007FF6A59C1000-memory.dmp
memory/4256-132-0x00007FF740970000-0x00007FF740CC1000-memory.dmp
memory/4140-133-0x00007FF7A0C50000-0x00007FF7A0FA1000-memory.dmp
memory/116-140-0x00007FF6E17D0000-0x00007FF6E1B21000-memory.dmp
memory/5072-134-0x00007FF60F6C0000-0x00007FF60FA11000-memory.dmp
memory/660-131-0x00007FF7D6770000-0x00007FF7D6AC1000-memory.dmp
memory/2336-129-0x00007FF6BE280000-0x00007FF6BE5D1000-memory.dmp
memory/2784-135-0x00007FF7252E0000-0x00007FF725631000-memory.dmp
memory/2216-128-0x00007FF60C2E0000-0x00007FF60C631000-memory.dmp
memory/3312-141-0x00007FF7C07B0000-0x00007FF7C0B01000-memory.dmp
memory/2216-150-0x00007FF60C2E0000-0x00007FF60C631000-memory.dmp
memory/2216-151-0x00007FF60C2E0000-0x00007FF60C631000-memory.dmp
memory/2336-196-0x00007FF6BE280000-0x00007FF6BE5D1000-memory.dmp
memory/3424-214-0x00007FF675D20000-0x00007FF676071000-memory.dmp
memory/660-216-0x00007FF7D6770000-0x00007FF7D6AC1000-memory.dmp
memory/4256-218-0x00007FF740970000-0x00007FF740CC1000-memory.dmp
memory/1196-220-0x00007FF619010000-0x00007FF619361000-memory.dmp
memory/4140-222-0x00007FF7A0C50000-0x00007FF7A0FA1000-memory.dmp
memory/5072-225-0x00007FF60F6C0000-0x00007FF60FA11000-memory.dmp
memory/2784-226-0x00007FF7252E0000-0x00007FF725631000-memory.dmp
memory/372-228-0x00007FF634800000-0x00007FF634B51000-memory.dmp
memory/1448-230-0x00007FF6F7220000-0x00007FF6F7571000-memory.dmp
memory/4964-232-0x00007FF747A00000-0x00007FF747D51000-memory.dmp
memory/116-234-0x00007FF6E17D0000-0x00007FF6E1B21000-memory.dmp
memory/3312-236-0x00007FF7C07B0000-0x00007FF7C0B01000-memory.dmp
memory/4428-238-0x00007FF7E22E0000-0x00007FF7E2631000-memory.dmp
memory/2480-241-0x00007FF6EC980000-0x00007FF6ECCD1000-memory.dmp
memory/1648-244-0x00007FF6F9490000-0x00007FF6F97E1000-memory.dmp
memory/2668-243-0x00007FF6D1760000-0x00007FF6D1AB1000-memory.dmp
memory/2292-247-0x00007FF6A5670000-0x00007FF6A59C1000-memory.dmp
memory/4552-252-0x00007FF66E7F0000-0x00007FF66EB41000-memory.dmp
memory/3412-251-0x00007FF7E9C90000-0x00007FF7E9FE1000-memory.dmp
memory/1364-248-0x00007FF730570000-0x00007FF7308C1000-memory.dmp