Analysis Overview
SHA256
7f7935b5ac5f0d8ed1a649042a7c3c6625bb9ddb648b4525ef29c42b32f87099
Threat Level: Known bad
The file 2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
xmrig
Xmrig family
XMRig Miner payload
Cobaltstrike
Cobalt Strike reflective loader
Cobaltstrike family
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-08-06 11:48
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 11:48
Reported
2024-08-06 11:51
Platform
win7-20240704-en
Max time kernel
145s
Max time network
153s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ABynvRH.exe | N/A |
| N/A | N/A | C:\Windows\System\FozHHCZ.exe | N/A |
| N/A | N/A | C:\Windows\System\yshLIzc.exe | N/A |
| N/A | N/A | C:\Windows\System\nNKYxJK.exe | N/A |
| N/A | N/A | C:\Windows\System\gmNNfpt.exe | N/A |
| N/A | N/A | C:\Windows\System\IQqTYlO.exe | N/A |
| N/A | N/A | C:\Windows\System\fNSYPXo.exe | N/A |
| N/A | N/A | C:\Windows\System\TFkmWXG.exe | N/A |
| N/A | N/A | C:\Windows\System\ezDzxHw.exe | N/A |
| N/A | N/A | C:\Windows\System\rwxJDmc.exe | N/A |
| N/A | N/A | C:\Windows\System\mFnJsmJ.exe | N/A |
| N/A | N/A | C:\Windows\System\GRlVmvj.exe | N/A |
| N/A | N/A | C:\Windows\System\eWlcQme.exe | N/A |
| N/A | N/A | C:\Windows\System\quPbBgr.exe | N/A |
| N/A | N/A | C:\Windows\System\oSvjTSA.exe | N/A |
| N/A | N/A | C:\Windows\System\nIzPVbM.exe | N/A |
| N/A | N/A | C:\Windows\System\HSPPNlP.exe | N/A |
| N/A | N/A | C:\Windows\System\nHKHflI.exe | N/A |
| N/A | N/A | C:\Windows\System\aiWfciJ.exe | N/A |
| N/A | N/A | C:\Windows\System\JvOsEAZ.exe | N/A |
| N/A | N/A | C:\Windows\System\okjSmEq.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\ABynvRH.exe | C:\Windows\System\ABynvRH.exe |
| C:\Windows\System\FozHHCZ.exe | C:\Windows\System\FozHHCZ.exe |
| C:\Windows\System\yshLIzc.exe | C:\Windows\System\yshLIzc.exe |
| C:\Windows\System\nNKYxJK.exe | C:\Windows\System\nNKYxJK.exe |
| C:\Windows\System\gmNNfpt.exe | C:\Windows\System\gmNNfpt.exe |
| C:\Windows\System\IQqTYlO.exe | C:\Windows\System\IQqTYlO.exe |
| C:\Windows\System\fNSYPXo.exe | C:\Windows\System\fNSYPXo.exe |
| C:\Windows\System\TFkmWXG.exe | C:\Windows\System\TFkmWXG.exe |
| C:\Windows\System\ezDzxHw.exe | C:\Windows\System\ezDzxHw.exe |
| C:\Windows\System\rwxJDmc.exe | C:\Windows\System\rwxJDmc.exe |
| C:\Windows\System\mFnJsmJ.exe | C:\Windows\System\mFnJsmJ.exe |
| C:\Windows\System\GRlVmvj.exe | C:\Windows\System\GRlVmvj.exe |
| C:\Windows\System\eWlcQme.exe | C:\Windows\System\eWlcQme.exe |
| C:\Windows\System\oSvjTSA.exe | C:\Windows\System\oSvjTSA.exe |
| C:\Windows\System\quPbBgr.exe | C:\Windows\System\quPbBgr.exe |
| C:\Windows\System\nIzPVbM.exe | C:\Windows\System\nIzPVbM.exe |
| C:\Windows\System\HSPPNlP.exe | C:\Windows\System\HSPPNlP.exe |
| C:\Windows\System\nHKHflI.exe | C:\Windows\System\nHKHflI.exe |
| C:\Windows\System\aiWfciJ.exe | C:\Windows\System\aiWfciJ.exe |
| C:\Windows\System\JvOsEAZ.exe | C:\Windows\System\JvOsEAZ.exe |
| C:\Windows\System\okjSmEq.exe | C:\Windows\System\okjSmEq.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 11:48
Reported
2024-08-06 11:51
Platform
win10v2004-20240802-en
Max time kernel
140s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\KyOdqtl.exe | N/A |
| N/A | N/A | C:\Windows\System\HpgHOws.exe | N/A |
| N/A | N/A | C:\Windows\System\qLbAAmu.exe | N/A |
| N/A | N/A | C:\Windows\System\VVvLAwa.exe | N/A |
| N/A | N/A | C:\Windows\System\kXwqjdl.exe | N/A |
| N/A | N/A | C:\Windows\System\PJdiWiH.exe | N/A |
| N/A | N/A | C:\Windows\System\JLJVjkH.exe | N/A |
| N/A | N/A | C:\Windows\System\fjAiVub.exe | N/A |
| N/A | N/A | C:\Windows\System\kwltqRu.exe | N/A |
| N/A | N/A | C:\Windows\System\jgpjezL.exe | N/A |
| N/A | N/A | C:\Windows\System\JxgYNPu.exe | N/A |
| N/A | N/A | C:\Windows\System\yjYkmmi.exe | N/A |
| N/A | N/A | C:\Windows\System\VqMXtzH.exe | N/A |
| N/A | N/A | C:\Windows\System\fXOLvYf.exe | N/A |
| N/A | N/A | C:\Windows\System\pvqLgLw.exe | N/A |
| N/A | N/A | C:\Windows\System\PjIjzVF.exe | N/A |
| N/A | N/A | C:\Windows\System\xcoYiFF.exe | N/A |
| N/A | N/A | C:\Windows\System\mErPEAh.exe | N/A |
| N/A | N/A | C:\Windows\System\pWWRImQ.exe | N/A |
| N/A | N/A | C:\Windows\System\CIMdmqg.exe | N/A |
| N/A | N/A | C:\Windows\System\WRHbCdx.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-06_2f4f0bf5cf4ef0d9391ff33afe3acb85_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\KyOdqtl.exe | C:\Windows\System\KyOdqtl.exe |
| C:\Windows\System\HpgHOws.exe | C:\Windows\System\HpgHOws.exe |
| C:\Windows\System\qLbAAmu.exe | C:\Windows\System\qLbAAmu.exe |
| C:\Windows\System\VVvLAwa.exe | C:\Windows\System\VVvLAwa.exe |
| C:\Windows\System\kXwqjdl.exe | C:\Windows\System\kXwqjdl.exe |
| C:\Windows\System\PJdiWiH.exe | C:\Windows\System\PJdiWiH.exe |
| C:\Windows\System\JLJVjkH.exe | C:\Windows\System\JLJVjkH.exe |
| C:\Windows\System\fjAiVub.exe | C:\Windows\System\fjAiVub.exe |
| C:\Windows\System\kwltqRu.exe | C:\Windows\System\kwltqRu.exe |
| C:\Windows\System\jgpjezL.exe | C:\Windows\System\jgpjezL.exe |
| C:\Windows\System\JxgYNPu.exe | C:\Windows\System\JxgYNPu.exe |
| C:\Windows\System\yjYkmmi.exe | C:\Windows\System\yjYkmmi.exe |
| C:\Windows\System\pvqLgLw.exe | C:\Windows\System\pvqLgLw.exe |
| C:\Windows\System\VqMXtzH.exe | C:\Windows\System\VqMXtzH.exe |
| C:\Windows\System\fXOLvYf.exe | C:\Windows\System\fXOLvYf.exe |
| C:\Windows\System\PjIjzVF.exe | C:\Windows\System\PjIjzVF.exe |
| C:\Windows\System\xcoYiFF.exe | C:\Windows\System\xcoYiFF.exe |
| C:\Windows\System\mErPEAh.exe | C:\Windows\System\mErPEAh.exe |
| C:\Windows\System\pWWRImQ.exe | C:\Windows\System\pWWRImQ.exe |
| C:\Windows\System\CIMdmqg.exe | C:\Windows\System\CIMdmqg.exe |
| C:\Windows\System\WRHbCdx.exe | C:\Windows\System\WRHbCdx.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| SHA1 | d09a2e5b626c8b4507346071feff9a0774b6b212 |
| SHA256 | ef8a23210536333c03a8b7e36933fbb570d562944f8100edc636d720e5dcf065 |
| SHA512 | 6a81acc7dbd0aff03c8a45f76a2a827dd7d41f28426631796c59b00200c03d4cca6a707699c706ed29d618a05560cff4a4558bc96baa568e9daca801349df039 |
memory/3076-90-0x00007FF629B70000-0x00007FF629EC1000-memory.dmp
C:\Windows\System\pvqLgLw.exe
| MD5 | 34fb22467fda120edc2cdd929af906ab |
| SHA1 | 26428a802ac98503fd58a65b3c4c79c9d522908e |
| SHA256 | 61bf7e4fc1b848a1048489dd76de99c30e117e33295b8ef293abf289971e3347 |
| SHA512 | 7087ec97af6f6a10f1d9ac2a2a3ffa2baf506c50e438c6cf836e34d36e504fe3ade47a40c654cfec976956421236ce9d374334d05112fb1d3d650e10b1b5c82d |
memory/3432-81-0x00007FF67E700000-0x00007FF67EA51000-memory.dmp
memory/1384-77-0x00007FF71B780000-0x00007FF71BAD1000-memory.dmp
memory/464-66-0x00007FF6EE710000-0x00007FF6EEA61000-memory.dmp
memory/2136-54-0x00007FF635B00000-0x00007FF635E51000-memory.dmp
memory/1236-46-0x00007FF6628B0000-0x00007FF662C01000-memory.dmp
C:\Windows\System\JLJVjkH.exe
| MD5 | c17d14e0a68fa356a85bf61179ed5c0c |
| SHA1 | fe1153b42e7a7d92ac18e6641c86ed4ff6e24466 |
| SHA256 | 77b9d0f52917141c0d21719f688addf81d78c4962b21cbbfa732e5a11e8a609b |
| SHA512 | dc2e7c8c599d3e09220185868540d673d719db0a0ef6d5488aeed466cd86ad98a6d5cd49e2aa38b63cc1b402becbd0359bbeaff1d2e3ab61b1058ee5ffa1fd51 |
C:\Windows\System\PJdiWiH.exe
| MD5 | a0ac01548be1258a9713dd41253b51ab |
| SHA1 | a8af64b93e3739065ba32107cb09bb04b657acfc |
| SHA256 | 5067afc8bbd84283385667d8b1140c9c077d852c783086d36e99a65205eb5476 |
| SHA512 | 118e3fbe437e654282a27432838997a537f46781314559c9cac5ab18f2ccf002a627ec9914a297e781e5b4bec5a65247542dc6ae8fbecc7a1ef51c5801689f8e |
memory/3768-36-0x00007FF68DF40000-0x00007FF68E291000-memory.dmp
memory/4928-25-0x00007FF6D5E90000-0x00007FF6D61E1000-memory.dmp
memory/5092-133-0x00007FF740C10000-0x00007FF740F61000-memory.dmp
memory/400-132-0x00007FF77BB30000-0x00007FF77BE81000-memory.dmp
memory/1100-14-0x00007FF659EA0000-0x00007FF65A1F1000-memory.dmp
C:\Windows\System\HpgHOws.exe
| MD5 | ebfe0f9a69db3f2130654b38cffced3a |
| SHA1 | 638484ae47c74f7ede8b774a22e8b644c4df3827 |
| SHA256 | 8f01f2f7cbaeff75aa3ff5a3807a0fad783a5732a577a2c0f1c31c0a978d1db5 |
| SHA512 | 4f2b6912a9aa1b6ddf1467b18345cd6621e0e966b1ca34d974445c56060233e44e9973956634daf700baf506c1386fee92aa4b7bb6f4187482fe23a92775872c |
memory/3432-8-0x00007FF67E700000-0x00007FF67EA51000-memory.dmp
memory/464-134-0x00007FF6EE710000-0x00007FF6EEA61000-memory.dmp
memory/1384-145-0x00007FF71B780000-0x00007FF71BAD1000-memory.dmp
memory/2204-149-0x00007FF666370000-0x00007FF6666C1000-memory.dmp
memory/2028-144-0x00007FF75BF60000-0x00007FF75C2B1000-memory.dmp
memory/3768-140-0x00007FF68DF40000-0x00007FF68E291000-memory.dmp
memory/3076-146-0x00007FF629B70000-0x00007FF629EC1000-memory.dmp
memory/5004-143-0x00007FF7DF580000-0x00007FF7DF8D1000-memory.dmp
memory/764-154-0x00007FF75F770000-0x00007FF75FAC1000-memory.dmp
memory/464-156-0x00007FF6EE710000-0x00007FF6EEA61000-memory.dmp
memory/3432-203-0x00007FF67E700000-0x00007FF67EA51000-memory.dmp
memory/1100-205-0x00007FF659EA0000-0x00007FF65A1F1000-memory.dmp
memory/2524-207-0x00007FF6B1200000-0x00007FF6B1551000-memory.dmp
memory/4928-209-0x00007FF6D5E90000-0x00007FF6D61E1000-memory.dmp
memory/400-211-0x00007FF77BB30000-0x00007FF77BE81000-memory.dmp
memory/3768-213-0x00007FF68DF40000-0x00007FF68E291000-memory.dmp
memory/1236-215-0x00007FF6628B0000-0x00007FF662C01000-memory.dmp
memory/2136-217-0x00007FF635B00000-0x00007FF635E51000-memory.dmp
memory/5004-219-0x00007FF7DF580000-0x00007FF7DF8D1000-memory.dmp
memory/2028-221-0x00007FF75BF60000-0x00007FF75C2B1000-memory.dmp
memory/1384-223-0x00007FF71B780000-0x00007FF71BAD1000-memory.dmp
memory/1832-225-0x00007FF6F79B0000-0x00007FF6F7D01000-memory.dmp
memory/3076-227-0x00007FF629B70000-0x00007FF629EC1000-memory.dmp
memory/2464-231-0x00007FF724DE0000-0x00007FF725131000-memory.dmp
memory/2128-230-0x00007FF765880000-0x00007FF765BD1000-memory.dmp
memory/2944-234-0x00007FF612030000-0x00007FF612381000-memory.dmp
memory/2204-236-0x00007FF666370000-0x00007FF6666C1000-memory.dmp
memory/4480-237-0x00007FF7D19D0000-0x00007FF7D1D21000-memory.dmp
memory/684-239-0x00007FF6A50B0000-0x00007FF6A5401000-memory.dmp
memory/764-243-0x00007FF75F770000-0x00007FF75FAC1000-memory.dmp
memory/5092-242-0x00007FF740C10000-0x00007FF740F61000-memory.dmp