Analysis Overview
SHA256
0c5ad5ccdf16e3e5cf96f01762d5c919b816354981f303251e10cee5e3992ae8
Threat Level: Known bad
The file 2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
xmrig
Xmrig family
Cobalt Strike reflective loader
XMRig Miner payload
Cobaltstrike family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-06 12:35
Signatures
Cobalt Strike reflective loader
1 match; indicator, process and target not captured in this export.
Cobaltstrike family
XMRig Miner payload
1 match; indicator, process and target not captured in this export.
Xmrig family
UPX packed file
1 match; indicator, process and target not captured in this export.
Unsigned PE
1 match; indicator, process and target not captured in this export.
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 12:35
Reported
2024-08-06 12:37
Platform
win7-20240705-en
Max time kernel
136s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; indicator, process and target not captured in this export.
Cobaltstrike
xmrig
XMRig Miner payload
64 matches; indicator, process and target not captured in this export.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\sOUkhFs.exe | N/A |
| N/A | N/A | C:\Windows\System\EsYDsaK.exe | N/A |
| N/A | N/A | C:\Windows\System\BiexykG.exe | N/A |
| N/A | N/A | C:\Windows\System\qPMWvDa.exe | N/A |
| N/A | N/A | C:\Windows\System\MNOFtHs.exe | N/A |
| N/A | N/A | C:\Windows\System\IcqYWzC.exe | N/A |
| N/A | N/A | C:\Windows\System\IDrnSgB.exe | N/A |
| N/A | N/A | C:\Windows\System\iggNMKl.exe | N/A |
| N/A | N/A | C:\Windows\System\CrrKtyH.exe | N/A |
| N/A | N/A | C:\Windows\System\GdMHqfQ.exe | N/A |
| N/A | N/A | C:\Windows\System\cnPddfu.exe | N/A |
| N/A | N/A | C:\Windows\System\EQbaVww.exe | N/A |
| N/A | N/A | C:\Windows\System\iyLiLHM.exe | N/A |
| N/A | N/A | C:\Windows\System\nadISpb.exe | N/A |
| N/A | N/A | C:\Windows\System\eFgZIFF.exe | N/A |
| N/A | N/A | C:\Windows\System\lrfacZC.exe | N/A |
| N/A | N/A | C:\Windows\System\WufaZLx.exe | N/A |
| N/A | N/A | C:\Windows\System\SFLiCBR.exe | N/A |
| N/A | N/A | C:\Windows\System\lXrYFLu.exe | N/A |
| N/A | N/A | C:\Windows\System\TRXygMU.exe | N/A |
| N/A | N/A | C:\Windows\System\HppnXEo.exe | N/A |
Loads dropped DLL
UPX packed file
63 matches; indicator, process and target not captured in this export.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\sOUkhFs.exe
C:\Windows\System\sOUkhFs.exe
C:\Windows\System\EsYDsaK.exe
C:\Windows\System\EsYDsaK.exe
C:\Windows\System\BiexykG.exe
C:\Windows\System\BiexykG.exe
C:\Windows\System\qPMWvDa.exe
C:\Windows\System\qPMWvDa.exe
C:\Windows\System\MNOFtHs.exe
C:\Windows\System\MNOFtHs.exe
C:\Windows\System\IcqYWzC.exe
C:\Windows\System\IcqYWzC.exe
C:\Windows\System\IDrnSgB.exe
C:\Windows\System\IDrnSgB.exe
C:\Windows\System\iggNMKl.exe
C:\Windows\System\iggNMKl.exe
C:\Windows\System\CrrKtyH.exe
C:\Windows\System\CrrKtyH.exe
C:\Windows\System\GdMHqfQ.exe
C:\Windows\System\GdMHqfQ.exe
C:\Windows\System\cnPddfu.exe
C:\Windows\System\cnPddfu.exe
C:\Windows\System\EQbaVww.exe
C:\Windows\System\EQbaVww.exe
C:\Windows\System\iyLiLHM.exe
C:\Windows\System\iyLiLHM.exe
C:\Windows\System\nadISpb.exe
C:\Windows\System\nadISpb.exe
C:\Windows\System\eFgZIFF.exe
C:\Windows\System\eFgZIFF.exe
C:\Windows\System\lrfacZC.exe
C:\Windows\System\lrfacZC.exe
C:\Windows\System\WufaZLx.exe
C:\Windows\System\WufaZLx.exe
C:\Windows\System\SFLiCBR.exe
C:\Windows\System\SFLiCBR.exe
C:\Windows\System\lXrYFLu.exe
C:\Windows\System\lXrYFLu.exe
C:\Windows\System\TRXygMU.exe
C:\Windows\System\TRXygMU.exe
C:\Windows\System\HppnXEo.exe
C:\Windows\System\HppnXEo.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2352-1-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/2352-0-0x00000000001F0000-0x0000000000200000-memory.dmp
C:\Windows\system\sOUkhFs.exe
| MD5 | ae1cc2afd09218ffa622bd6280b123f3 |
| SHA1 | 4548a086c2fc449cede12c6063b03c681ed76ad0 |
| SHA256 | 1fad161e1146a312953ea64c9961819cdeb7774679924f5beb673c6bbe354e19 |
| SHA512 | 12f3f2ed16a6c30b7c0f46ad3999fa01c499cf87397f92e05f391e6265ede3adde113dcb98757b053d1755a2cc213852bd46572cd042ecf3720149bb03cdae5f |
\Windows\system\EsYDsaK.exe
| MD5 | 511df3c526428412ccd8381cc58e5795 |
| SHA1 | 525aa97d4cd94540392eec8ebcfc090f8597df45 |
| SHA256 | ee3dbeab3d3237f86483c313b4248ac861e4567fec2508e0bc0c492b8860e1df |
| SHA512 | 4d5b8110c5fad4f4f4773bbbb1b745c2620e0af83fbdb5fc439ee70a5203e981fab99fb5c2d604ae74051d762d332ff98d8fe4e7f7dd732b20034149d6d07499 |
C:\Windows\system\BiexykG.exe
| MD5 | 0725bbb63b46a4dad828bd0f69a95d12 |
| SHA1 | 260e94334849754835aff8270f2f12211277f714 |
| SHA256 | 18d68ec594271433d29686ffdec0ddded159cf7003cb47105e04b13d8d7e80bb |
| SHA512 | 691a257527885682ea4cf0521f7d47c55b0112c822ab73284e0a95ebee777d76b6beb33be2ea54b55adbb74194f82e223b4fe2b1c54bab6c2ad788bfdb57c1fe |
C:\Windows\system\MNOFtHs.exe
| MD5 | 754361ad21563a170b5ed8e0bab39758 |
| SHA1 | 5e9f77d840099342e2abf6bd4f7795a64fa240a8 |
| SHA256 | 72b90189be88b2c5638a85ad088fccdb610db0bdbef1be4861dcd6d29e22d07c |
| SHA512 | f5696a6c6e448951b98125ccaeb23932580d027ed7b5916730ef8ba59ce68a79230988a912f4d08e2ab27ea37186c8f5c480b79843f07fe89f98a697a455d22c |
C:\Windows\system\IcqYWzC.exe
| MD5 | 33e0dfe5ab8fad1fc0e475cbefc915b2 |
| SHA1 | 7cb727f245d29ec888a00b6dc5e8af4926418631 |
| SHA256 | c98bad83ce19f3534bb3aeb296a4c275a330a3f9ae20f1da9402c6ea040d73d2 |
| SHA512 | 5f077b02629aefa81d8f1546f92baf7910ba52ed430f842f90f75fdabd1f91c5e5d6a9da715af3f51afc365c40b107159deee66aa9db02e50e98da76e921ea94 |
C:\Windows\system\IDrnSgB.exe
| MD5 | 894ca33b89ed7691527ba2255c805278 |
| SHA1 | 16ee14a111d1ed6c239b30fcb1def66bc35f2b70 |
| SHA256 | 18de127029951943b1204263f070266afd3ca03fa8e490ee7112c7d7fce5c5fc |
| SHA512 | 714b8f60e9e8e80e0f3b3ddbe610b0fba26f47262b3dfb2bced3384af903e0736751dc6780acd790a1325bd0253509c1777c33052cbe13f68cd82d14b3ad887d |
\Windows\system\iggNMKl.exe
| MD5 | 40d133c9ff726de66091e934e96b4ab7 |
| SHA1 | 62522900b8196d49f3da3e3b43a97e7802dab27e |
| SHA256 | 24d3baec775f21844d74cc642c6eca07a87fd08e780eda19e60fd8a1b835576c |
| SHA512 | 9a5d13dc91b6e3426075d053b104c678874f5f465862a32a46f1fce382e2df008f335e35acc771e3404d7da620f97bbe5bcf5412128b61e58ca90a6293b5681e |
C:\Windows\system\CrrKtyH.exe
| MD5 | d39959b157259bf648464b85c30c7b82 |
| SHA1 | bc1abe0bf7d72879ed4b98af087378c9109d364d |
| SHA256 | 503f14233693a48d18fe2ffa92dfab626e4fcc54faf8b8149cf6dc2fe8a8493f |
| SHA512 | 9f137f4a7f7b13d90038d60c2266971a2f7399003c423f8ce3c4727a76205d5e3ef74d9c8d09ec4c4e5ce5c9d3fe9655ce6e95baa6dff985acf4f7297786e334 |
C:\Windows\system\GdMHqfQ.exe
| MD5 | 06b9ebe9a9aa94d0656684f93c5771a3 |
| SHA1 | b204b28e446bd3fb836a5720e2db49240c82a688 |
| SHA256 | 5e4df3b1eb6af20de2f838e55ee828b4032ff93ed4a23785a870018f32c1be59 |
| SHA512 | 1d6ce24740942bd5fc41b9e8e0dd8587f0980f836f6ed31ca55e06085e4d5640055c19c5e718928f8ddc9c515264728fc6d6b5b829207a5ed899c4e05dcd1d14 |
C:\Windows\system\cnPddfu.exe
| MD5 | edfc50591cf416cdabb62ab602e26f4d |
| SHA1 | 26b566924b1a78f3bf23f2dc29d97d4550768c5d |
| SHA256 | 25a6e08523dc2cb8f297bdcc67952b881098a1062b21e74b166037a021392156 |
| SHA512 | 4d16789885a8fa32568f6a6b7bb0ae9ef132a810c43961d99dbbdd7b548296f9116ee7b368e7c072e927b1989effae6895153eb3c5bdfade4715b2458185f3da |
C:\Windows\system\nadISpb.exe
| MD5 | 14891920167cf25150a9d093b38190c8 |
| SHA1 | 519ce70d7689d8fad23e09cea189a63c77cd5a83 |
| SHA256 | b77b58b2c4177cf46a37ac65c8b1f8c5fb7e5a301edc6d2fa14f754a188cf41a |
| SHA512 | 13f4618fd4e17bf406695fe382a3efcabe3792142dbb0c0ce0b7e9cd8fba84323c1a34d6fb21b90a9e2b6ca982e5c449155c08d3bbffbc3cce72f2ed419f9535 |
C:\Windows\system\eFgZIFF.exe
| MD5 | 787d7be1ee56b4e3d72190a91a05bd76 |
| SHA1 | 9fb533b93a573c73b1cd2e806aad3131ae5b7441 |
| SHA256 | 032ab393935848e73fc1f98d40f9e326ac9a023f96ee2ceaad702c02afc513ef |
| SHA512 | d1caaa912c4ca0a5f73e1f0f547c520c83242df02e7f1236831c2d8a4a152836e93a8c3dc059ac92d808494d692b370607c5bd3d6c9c7abeb09771ce3214e30a |
C:\Windows\system\SFLiCBR.exe
| MD5 | 5aeaee02d0b3f45e6b313b92f5cfda68 |
| SHA1 | 9909a8e414d2ce01f720f36a1120f85b33843228 |
| SHA256 | f6a4c72950a260e7a9aed1e53c563118bbd41744d0b898a159b73060ad4bb0d5 |
| SHA512 | 52319e2c657dde9bf46e5aa7a199d846715e5328019dfd13774e508a09f71fe0f51ff72734e52b2e6415c28511cc4d6da4bd3acec4a7632874570bcec760e3a3 |
C:\Windows\system\HppnXEo.exe
| MD5 | 7c0f8749b50bdb3a60012a4cb477cc9a |
| SHA1 | d354258551b6e4b9bb19c8fd0e0190705f5ba5f5 |
| SHA256 | 775a8a982e441b08429da68ae92fb3bb30def6ba923428992433626195a28391 |
| SHA512 | 8c6bd1724f02adee44b78b891419d4e59d83eb94f23f6c3ac8c778d207c67b40e215ad7e64e2e5b36d1be9774b087e781d7205a213e804ed3b9f0172f91c8e74 |
C:\Windows\system\TRXygMU.exe
| MD5 | 156365673e7f87f52b59d06f5ab38904 |
| SHA1 | 20644e62a60d38ca02190167c2dca6f4c0188c88 |
| SHA256 | 30b822255b10aebc825640ba695781bdc5363d274d903b840c55af124ac86f7c |
| SHA512 | 2e0c022a89b189aa396e99a5049fd4149346ba76721cf56b9efbef79766d9c3da654d688e565a0aa1319e47442e8f72b55cd07db0dfe8a8ebe73e6d24b7b9bc4 |
C:\Windows\system\lXrYFLu.exe
| MD5 | 4e5297868ab42f322dbb5ca730761dfb |
| SHA1 | 66d570ca89e54880a472f96bb4f99d9dc7e115f4 |
| SHA256 | c4ad90af5fe2fe20e52805622ca6dcabe710e0326b9768e89757d881a78aaca2 |
| SHA512 | 4f364c8e8d45f2e13f49dc999d14f79c249fecff87aa129b95cbd8a3246dc641831ac706fef40e218427511c8acec8db1693d9a99886802007383830f116c172 |
memory/2352-115-0x000000013F130000-0x000000013F484000-memory.dmp
memory/2776-116-0x000000013F130000-0x000000013F484000-memory.dmp
memory/2644-114-0x000000013F610000-0x000000013F964000-memory.dmp
memory/2352-113-0x000000013F610000-0x000000013F964000-memory.dmp
memory/2904-112-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/2900-111-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/2788-110-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/2352-109-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/2884-102-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/1236-101-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/2352-100-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/2840-99-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/2352-98-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/2812-97-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2352-96-0x000000013F240000-0x000000013F594000-memory.dmp
memory/1924-95-0x000000013F780000-0x000000013FAD4000-memory.dmp
memory/2352-94-0x000000013F780000-0x000000013FAD4000-memory.dmp
memory/2868-93-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2352-92-0x0000000002350000-0x00000000026A4000-memory.dmp
memory/2472-91-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2100-90-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/2352-89-0x0000000002350000-0x00000000026A4000-memory.dmp
memory/2528-88-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2352-87-0x000000013F550000-0x000000013F8A4000-memory.dmp
C:\Windows\system\WufaZLx.exe
| MD5 | ee30517b8dd5cc2c06d2e1b9a41cf4cb |
| SHA1 | 5cf7b144f8809dbc8b082130a1a8464440d51c04 |
| SHA256 | 5cf6f3fdc753f8d93cdfd9bdfd66a81341f60408797015ace083ee8f1d9bf5bb |
| SHA512 | be6469ab98bf69b63ee5c0f4dcaaf22eeae2a13bd83ae6dbb7cc2228c070c8bd6983532b7c330d5bf1321dd14398d7cb8cd8ff7c466d5671e5e55bde6b9bc1e5 |
C:\Windows\system\lrfacZC.exe
| MD5 | 88c8a0e8651ce769ae17af2109f63be8 |
| SHA1 | f4febfa027504e885c6e58fe4add65ac60db92ba |
| SHA256 | cf3e5464123a6767fab58a9e1ad6f0c43093d9d94525ac12159884fa1c06f1bf |
| SHA512 | 5f382ead0ddb61330a4ccc1382f52d6edb04c6673e54a4e42e2daebc12b3a0fad42212ab6bd18016f06d21662e59d8ea6397aba7096a227db65b09da472b3719 |
C:\Windows\system\iyLiLHM.exe
| MD5 | 9e0295f83255524d4ac9e69fdcc6fc89 |
| SHA1 | 9802a2f9a5887a3392576fad583d98bcc006a5d8 |
| SHA256 | 1509c42a8ea69a5983d85a619051f1e363f5b7d0a545f7c4fa1e7328885c5a77 |
| SHA512 | fe89c66241d7f283ce0e771b3916b229cf3ff09837a6450d3f274a7e5885287fa5614e163b4cddb3439c29aaf11aae713be692aedb0d069387bc4f53de59a76f |
C:\Windows\system\EQbaVww.exe
| MD5 | 21a7c0bff74c9f88f1563e3f1fb0bc75 |
| SHA1 | 901627c83645a18f59a14829a17a5584000fb94f |
| SHA256 | 5097a3d2eea280639735a6b22d4a845aa4b89a3a8f6743139e8a7419dcad545f |
| SHA512 | bd02c11a8c775862ecde52d1e34b76fe49545424de988fb79ea1618ce41f700ca4593fdd0c3df15d7bcb03b1a6bae0ac2c6dd672ef0619b24b13033615303280 |
C:\Windows\system\qPMWvDa.exe
| MD5 | 3dd926993bba0fe0c7cb3f426d1cce2b |
| SHA1 | 1d62b7d2a6041ad62bb7f17fe999e729e7618c8e |
| SHA256 | d71af01c306844b239ff83fe51d40387ee70c006c92bf11930c8b462a6fa569f |
| SHA512 | 441912defabc5da0f7527753b4c295dde79a70a161a8bda18f18044f9bb8391490460bfa7b4a80e44acd6b5d2f5f93868d3b4fb48ce58d0f17788a41b6dc5a93 |
memory/2352-131-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/2100-132-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/2472-133-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2868-134-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/1924-135-0x000000013F780000-0x000000013FAD4000-memory.dmp
memory/2812-136-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2840-137-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/1236-138-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/2884-139-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/2900-140-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/2904-141-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/2644-142-0x000000013F610000-0x000000013F964000-memory.dmp
memory/2776-143-0x000000013F130000-0x000000013F484000-memory.dmp
memory/2528-144-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2472-149-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/1236-148-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/2868-147-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2812-146-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2100-145-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/2788-150-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/1924-152-0x000000013F780000-0x000000013FAD4000-memory.dmp
memory/2904-155-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/2644-156-0x000000013F610000-0x000000013F964000-memory.dmp
memory/2900-154-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/2884-153-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/2840-151-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/2776-157-0x000000013F130000-0x000000013F484000-memory.dmp
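The behavioral1 run writes 21 seven-letter executables under C:\Windows\System, starts each one, and every dump taken from those children spans the same 0x354000 bytes, while the per-file hashes all differ. The Python below is an added triage example, not part of the sandbox report, that parses lines copied from the Files section above into hash IOCs and memory regions, checks the dropper's naming scheme, and builds a histogram of region sizes so the shared image size is measured rather than eyeballed. The line grammar it accepts and the subset of report lines embedded as sample input are the only assumptions.

```python
import re
from collections import Counter

# Constructed input: lines copied verbatim from the behavioral1 "Files"
# section. The parser accepts the whole section; a subset keeps this short.
REPORT_FILES = """\
memory/2352-1-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/2352-0-0x00000000001F0000-0x0000000000200000-memory.dmp
C:\\Windows\\system\\sOUkhFs.exe
| MD5 | ae1cc2afd09218ffa622bd6280b123f3 |
| SHA1 | 4548a086c2fc449cede12c6063b03c681ed76ad0 |
| SHA256 | 1fad161e1146a312953ea64c9961819cdeb7774679924f5beb673c6bbe354e19 |
\\Windows\\system\\EsYDsaK.exe
| MD5 | 511df3c526428412ccd8381cc58e5795 |
| SHA1 | 525aa97d4cd94540392eec8ebcfc090f8597df45 |
| SHA256 | ee3dbeab3d3237f86483c313b4248ac861e4567fec2508e0bc0c492b8860e1df |
memory/2352-92-0x0000000002350000-0x00000000026A4000-memory.dmp
memory/2776-116-0x000000013F130000-0x000000013F484000-memory.dmp
memory/2644-114-0x000000013F610000-0x000000013F964000-memory.dmp
"""

# memory/<pid>-<dump index>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-F]+)-0x([0-9A-F]+)-memory\.dmp$", re.I)
# Optional drive letter; the export sometimes omits it (see EsYDsaK.exe above).
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\Windows\\system\\([A-Za-z]{7})\.exe$", re.I)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$", re.I)
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files(text):
    """Return (files, regions): files maps each dropped path to its hash dict,
    regions is a list of (pid, dump_index, start, end) tuples."""
    files, regions, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            regions.append((int(pid), int(idx), int(start, 16), int(end, 16)))
            current = None
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1).upper(), m.group(2).lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length for {current}")
            files[current][algo] = digest
            continue
        # Any other line is a file path that opens a new hash table.
        current = line
        files.setdefault(current, {})
    return files, regions


def region_size_histogram(regions):
    """Count mapped-region sizes. One dominant size across many PIDs means the
    children map an image of identical size (0x354000 bytes in this run)."""
    return Counter(end - start for _pid, _idx, start, end in regions)


def pids_with_size(regions, size):
    """PIDs that have at least one dumped region of exactly `size` bytes."""
    return sorted({pid for pid, _idx, start, end in regions if end - start == size})


def dropped_in_system_dir(files):
    """Bare names of files matching the dropper's scheme: seven letters under
    \\Windows\\system."""
    return sorted(m.group(1) + ".exe" for p in files if (m := PATH_RE.match(p)))


def sha256_iocs(files):
    """SHA256 values for every dropped file, ready for a blocklist."""
    return sorted(h["SHA256"] for h in files.values() if "SHA256" in h)


if __name__ == "__main__":
    files, regions = parse_files(REPORT_FILES)
    print(region_size_histogram(regions))
    print(pids_with_size(regions, 0x354000))
    print(dropped_in_system_dir(files))
    print(sha256_iocs(files))
```

Run it against the full Files section and every child PID shows exactly one 0x354000-byte region, which is what you would expect if one payload is written out under 21 names. The SeLockMemoryPrivilege requests in the AdjustPrivilegeToken table fit the XMRig tags: XMRig asks for that privilege on Windows to back its working set with large pages.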
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 12:35
Reported
2024-08-06 12:37
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; indicator, process and target not captured in this export.
Cobaltstrike
xmrig
XMRig Miner payload
64 matches; indicator, process and target not captured in this export.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\vqpPrgk.exe | N/A |
| N/A | N/A | C:\Windows\System\RbRLvJz.exe | N/A |
| N/A | N/A | C:\Windows\System\cZFcPvJ.exe | N/A |
| N/A | N/A | C:\Windows\System\YPqgQfL.exe | N/A |
| N/A | N/A | C:\Windows\System\coLzPhv.exe | N/A |
| N/A | N/A | C:\Windows\System\SmVMkgO.exe | N/A |
| N/A | N/A | C:\Windows\System\SgoXKNK.exe | N/A |
| N/A | N/A | C:\Windows\System\BnSJJMH.exe | N/A |
| N/A | N/A | C:\Windows\System\wUrZZYJ.exe | N/A |
| N/A | N/A | C:\Windows\System\SEVPzrt.exe | N/A |
| N/A | N/A | C:\Windows\System\yzDCQSp.exe | N/A |
| N/A | N/A | C:\Windows\System\ErXRJWf.exe | N/A |
| N/A | N/A | C:\Windows\System\oHjufMG.exe | N/A |
| N/A | N/A | C:\Windows\System\PgjmYUq.exe | N/A |
| N/A | N/A | C:\Windows\System\ddQPDTh.exe | N/A |
| N/A | N/A | C:\Windows\System\COTerBF.exe | N/A |
| N/A | N/A | C:\Windows\System\nvtJvgc.exe | N/A |
| N/A | N/A | C:\Windows\System\PJiqSZX.exe | N/A |
| N/A | N/A | C:\Windows\System\WxjdwdM.exe | N/A |
| N/A | N/A | C:\Windows\System\jBFcVIR.exe | N/A |
| N/A | N/A | C:\Windows\System\SixJXHF.exe | N/A |
UPX packed file
64 matches; indicator, process and target not captured in this export.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_807bd1becbd03b1212fde81835dfd8ce_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\vqpPrgk.exe
C:\Windows\System\vqpPrgk.exe
C:\Windows\System\RbRLvJz.exe
C:\Windows\System\RbRLvJz.exe
C:\Windows\System\cZFcPvJ.exe
C:\Windows\System\cZFcPvJ.exe
C:\Windows\System\YPqgQfL.exe
C:\Windows\System\YPqgQfL.exe
C:\Windows\System\coLzPhv.exe
C:\Windows\System\coLzPhv.exe
C:\Windows\System\SmVMkgO.exe
C:\Windows\System\SmVMkgO.exe
C:\Windows\System\SgoXKNK.exe
C:\Windows\System\SgoXKNK.exe
C:\Windows\System\BnSJJMH.exe
C:\Windows\System\BnSJJMH.exe
C:\Windows\System\wUrZZYJ.exe
C:\Windows\System\wUrZZYJ.exe
C:\Windows\System\SEVPzrt.exe
C:\Windows\System\SEVPzrt.exe
C:\Windows\System\yzDCQSp.exe
C:\Windows\System\yzDCQSp.exe
C:\Windows\System\ErXRJWf.exe
C:\Windows\System\ErXRJWf.exe
C:\Windows\System\oHjufMG.exe
C:\Windows\System\oHjufMG.exe
C:\Windows\System\PgjmYUq.exe
C:\Windows\System\PgjmYUq.exe
C:\Windows\System\ddQPDTh.exe
C:\Windows\System\ddQPDTh.exe
C:\Windows\System\COTerBF.exe
C:\Windows\System\COTerBF.exe
C:\Windows\System\nvtJvgc.exe
C:\Windows\System\nvtJvgc.exe
C:\Windows\System\PJiqSZX.exe
C:\Windows\System\PJiqSZX.exe
C:\Windows\System\WxjdwdM.exe
C:\Windows\System\WxjdwdM.exe
C:\Windows\System\jBFcVIR.exe
C:\Windows\System\jBFcVIR.exe
C:\Windows\System\SixJXHF.exe
C:\Windows\System\SixJXHF.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 18.24.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
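The Windows 10 Network table mixes the sample's own TCP connection with reverse-DNS (in-addr.arpa) queries to 8.8.8.8, and the raw export lets "tcp" slide into the Domain column whenever Domain is empty. The Python below is an added example, not part of the sandbox report: it normalizes rows from both detonations, decodes each PTR name back to the address it asks about, counts the non-DNS connections, and intersects the two runs' destinations, leaving 3.120.209.58:8080/tcp as the only destination contacted on both Windows 7 and Windows 10. The sample rows are copied from the two tables; the handling of shifted columns is an assumption about this export format.

```python
import ipaddress
from collections import Counter

# Constructed input: rows copied from the two Network tables, including the
# export's shifted form ("tcp" in the Domain column, trailing cell missing).
BEHAVIORAL1_NET = """\
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp |
"""
BEHAVIORAL2_NET = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
"""
PROTOS = {"tcp", "udp"}
PTR_SUFFIX = ".in-addr.arpa"


def parse_rows(text):
    """Parse the four-column table into dicts, repairing shifted rows."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("| Country"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) == 3:                 # trailing empty cell dropped entirely
            cells.append("")
        if len(cells) != 4:
            raise ValueError(f"unexpected row: {line}")
        country, dest, domain, proto = cells
        if proto == "" and domain.lower() in PROTOS:   # assumed export quirk
            domain, proto = "", domain
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def ptr_target(name):
    """Decode a reverse-lookup name to the IPv4 address it asks about, or None."""
    if not name.endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None


def split_traffic(rows):
    """Separate PTR lookups (the addresses asked about) from real connections
    (counted per ip/port/proto)."""
    connections, looked_up = Counter(), set()
    for r in rows:
        target = ptr_target(r["domain"])
        if r["port"] == 53 and target is not None:
            looked_up.add(target)
        else:
            connections[(r["ip"], r["port"], r["proto"])] += 1
    return connections, looked_up


def shared_destinations(*runs):
    """Destinations contacted in every detonation passed in."""
    return set.intersection(*(set(split_traffic(rows)[0]) for rows in runs))


if __name__ == "__main__":
    r1, r2 = parse_rows(BEHAVIORAL1_NET), parse_rows(BEHAVIORAL2_NET)
    print(split_traffic(r2))
    print(shared_destinations(r1, r2))
```

The PTR names decode to addresses the sample never connects to in either run, so they belong in the "looked up" bucket rather than on a blocklist; the decoded addresses are what you would check against known OS telemetry ranges before attributing them to the sample.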
Files
memory/2508-0-0x00007FF797AF0000-0x00007FF797E44000-memory.dmp
memory/2508-1-0x000001F191E00000-0x000001F191E10000-memory.dmp
C:\Windows\System\vqpPrgk.exe
| MD5 | 97d7c4ced8ac48703838e202999c2741 |
| SHA1 | 0510c2868aa0076818a386e7a05cc9f3566273cf |
| SHA256 | 97d23d97b141d868151affe1f32a83b3486bb3b8c681efced5f8064bbd22bc36 |
| SHA512 | fcbd4043633b7ed725521c768b1469b2194d9321e41370be91425c9ea69c2525a05c4b55d305f84b5c1ae9e247e3b9f91a5631f06f7a5fe9ef2118018b35e509 |
memory/3348-8-0x00007FF707D00000-0x00007FF708054000-memory.dmp
C:\Windows\System\cZFcPvJ.exe
| MD5 | ba344c26a6c7e5182f032048e848b54f |
| SHA1 | 792799880e0210409ebb95b62670ea515b513a7b |
| SHA256 | ae4252b75c7f55357ec0ad308d2df409a20d445d0b5e43a1b254e4bd1088b2c1 |
| SHA512 | 7705f49396ae003964855c46f1682581cc565b2a7a6529a0b8cf08364287dcdec0411fa43e4c9dea3f7e09db06290f64d25ea7689f42737a9ba772ae1d776198 |
C:\Windows\System\RbRLvJz.exe
| MD5 | 7ca416be53c6b2bfb9a5fa9d2408d6eb |
| SHA1 | 5708b81d281a84d622c73eb9ee523bcc786c41e4 |
| SHA256 | 06c97a3a36463c838f79d265e62e2985adfe316527e55926100f0b93991edd1b |
| SHA512 | 4e4bf2acbd8cb0e3617a13f4a6e10e3868a15038e2271f328104d752e663cd9f2a7d08d24a5740707ac1b998528480e72c92145562afb9d275b5bd7d92a59440 |
memory/860-12-0x00007FF6D6640000-0x00007FF6D6994000-memory.dmp
memory/2312-18-0x00007FF754310000-0x00007FF754664000-memory.dmp
C:\Windows\System\YPqgQfL.exe
| MD5 | ca576f60d85c005e6240fd44e5ebd564 |
| SHA1 | 433c5f2f0873817d87ce893a1b4bbc090be9f729 |
| SHA256 | 91ca2678fa2e77d2fd5b8f94174a82d2c653d63ca99b77083090d569c3ebcd8f |
| SHA512 | 66e12b0e9ef0bfca415bb221e3eca36188035c8b9abb5ccd72ebdca51bc7846f0b1133a130c40620c68d685586d08dd9109822ee3e394dc140138f64ac5516a8 |
memory/2680-26-0x00007FF601810000-0x00007FF601B64000-memory.dmp
C:\Windows\System\coLzPhv.exe
| MD5 | 5925b876ede3016b536f55b1962f6aa5 |
| SHA1 | 3c64ef1452acfab93bea8a1ae724abfd4879d8e3 |
| SHA256 | f6aadedf26b9c73a27d522743f72c5ed7d34b01d9478e37f93ed605556826417 |
| SHA512 | 7d95d8d96122fb3a9e215837868dbb95c0815d13fa4c42789aa0c0321675b234632585a820e6ad95bd4e470f057071c74d0f2b64aca772f63c140cbff0d7183c |
C:\Windows\System\SmVMkgO.exe
| MD5 | b3e268f5bb51675065f28210497407ef |
| SHA1 | 0c356da81a73d53e53ab35ddcc5480c49ff2ff02 |
| SHA256 | e1afa4ee6a99b4eb3dcedfbae11bfc81d0d40f9be43176de6155a340242825f6 |
| SHA512 | d42f2e3f598f53f806485fced0d21ded8971c52e64b09f9cf790eb66f58eadd09225b9701052a9b2ddc72ce21ac78318dd5090255d13f8097ba5b61f5a1bb2d6 |
memory/2908-32-0x00007FF6276A0000-0x00007FF6279F4000-memory.dmp
C:\Windows\System\SgoXKNK.exe