Analysis Overview
SHA256
71d98518acc17769e133e17eab1883bf1e1a4385387409cd7d942488cfd847f0
Threat Level: Known bad
The file 2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Xmrig family
XMRig Miner payload
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-08-06 15:57
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 15:57
Reported
2024-08-06 16:00
Platform
win7-20240708-en
Max time kernel
142s
Max time network
147s
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| 21 matching rows; no indicator details were recorded for this signature | | | |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| 61 matching rows; no indicator details were recorded for this signature | | | |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ZzRFgGw.exe | N/A |
| N/A | N/A | C:\Windows\System\REJLOgs.exe | N/A |
| N/A | N/A | C:\Windows\System\GBzTqMA.exe | N/A |
| N/A | N/A | C:\Windows\System\HNZlAKW.exe | N/A |
| N/A | N/A | C:\Windows\System\DeGEdDi.exe | N/A |
| N/A | N/A | C:\Windows\System\gJFSpFl.exe | N/A |
| N/A | N/A | C:\Windows\System\bVqNhPZ.exe | N/A |
| N/A | N/A | C:\Windows\System\bAiXLuL.exe | N/A |
| N/A | N/A | C:\Windows\System\kFMGXVN.exe | N/A |
| N/A | N/A | C:\Windows\System\rurUHyz.exe | N/A |
| N/A | N/A | C:\Windows\System\gLhbCrH.exe | N/A |
| N/A | N/A | C:\Windows\System\tpYcHTi.exe | N/A |
| N/A | N/A | C:\Windows\System\PnfKdeY.exe | N/A |
| N/A | N/A | C:\Windows\System\ExnNNJs.exe | N/A |
| N/A | N/A | C:\Windows\System\WshGKsu.exe | N/A |
| N/A | N/A | C:\Windows\System\GBNyTYj.exe | N/A |
| N/A | N/A | C:\Windows\System\vvbJkMb.exe | N/A |
| N/A | N/A | C:\Windows\System\UfaPsxa.exe | N/A |
| N/A | N/A | C:\Windows\System\UDKhKOC.exe | N/A |
| N/A | N/A | C:\Windows\System\ePNgDhn.exe | N/A |
| N/A | N/A | C:\Windows\System\IEOmDtq.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| 57 matching rows; no indicator details were recorded for this signature | | | |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Path | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\REJLOgs.exe | C:\Windows\System\REJLOgs.exe |
| C:\Windows\System\ZzRFgGw.exe | C:\Windows\System\ZzRFgGw.exe |
| C:\Windows\System\GBzTqMA.exe | C:\Windows\System\GBzTqMA.exe |
| C:\Windows\System\HNZlAKW.exe | C:\Windows\System\HNZlAKW.exe |
| C:\Windows\System\DeGEdDi.exe | C:\Windows\System\DeGEdDi.exe |
| C:\Windows\System\gJFSpFl.exe | C:\Windows\System\gJFSpFl.exe |
| C:\Windows\System\bVqNhPZ.exe | C:\Windows\System\bVqNhPZ.exe |
| C:\Windows\System\bAiXLuL.exe | C:\Windows\System\bAiXLuL.exe |
| C:\Windows\System\kFMGXVN.exe | C:\Windows\System\kFMGXVN.exe |
| C:\Windows\System\rurUHyz.exe | C:\Windows\System\rurUHyz.exe |
| C:\Windows\System\gLhbCrH.exe | C:\Windows\System\gLhbCrH.exe |
| C:\Windows\System\tpYcHTi.exe | C:\Windows\System\tpYcHTi.exe |
| C:\Windows\System\PnfKdeY.exe | C:\Windows\System\PnfKdeY.exe |
| C:\Windows\System\ExnNNJs.exe | C:\Windows\System\ExnNNJs.exe |
| C:\Windows\System\WshGKsu.exe | C:\Windows\System\WshGKsu.exe |
| C:\Windows\System\GBNyTYj.exe | C:\Windows\System\GBNyTYj.exe |
| C:\Windows\System\vvbJkMb.exe | C:\Windows\System\vvbJkMb.exe |
| C:\Windows\System\UfaPsxa.exe | C:\Windows\System\UfaPsxa.exe |
| C:\Windows\System\UDKhKOC.exe | C:\Windows\System\UDKhKOC.exe |
| C:\Windows\System\ePNgDhn.exe | C:\Windows\System\ePNgDhn.exe |
| C:\Windows\System\IEOmDtq.exe | C:\Windows\System\IEOmDtq.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2680-0-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/2680-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\GBzTqMA.exe
| MD5 | cae11ee601a12481c738fdbe79ae70d8 |
| SHA1 | c99a53932dea4e8b40d635f1b7fa632ceb9d1b92 |
| SHA256 | aa89fb8e728c628adc77b0cfb57cb6dd3ef6d0e2c17c77d610e6386b4cf68a2f |
| SHA512 | 01c88004cf2c2a11509454d0cf09622041e5e8bb8ca28c6fdc7aa9cde619e2c52aa53f37b9a5c99cee95cfde18874d6279536e6109b0b2368d64ff9420c11510 |
memory/2680-9-0x0000000002350000-0x00000000026A4000-memory.dmp
\Windows\system\ZzRFgGw.exe
| MD5 | aba154ac8da8c6dbbe6ca9dff77cfe0a |
| SHA1 | 9fadf640d384bb7fde03bd1fb3fba4aa6c282d4c |
| SHA256 | 55703cfed6bd69b2ebdde31b49164b003e2e3f1af2078f15d67ce5c9e06fbab6 |
| SHA512 | 74290d13c105451398bb93215bf8245fea8d6b85df0f8bb659246a8c4604491b22120b61e199a9fa29e8ec1e7718625f169fbc984f819bdf6b7c92ba14a77baa |
C:\Windows\system\REJLOgs.exe
| MD5 | 0fde5577a3de0a4f49610d5e2636be51 |
| SHA1 | f8cb363ef96d5aa0f183cbe065c99ee8c7a669d5 |
| SHA256 | 55b9ae806e7b4bd0acd5c54402f65173a3fb2f79563a34c974479e81b0e33957 |
| SHA512 | b0fcde08a3dad778bae98b4a44698af1a995dead0c32a46403f080b514a5853a1f914f9cd9c241f79e05b8a0c82d4e00ef3231e97352c59c96e06835af56d6f2 |
\Windows\system\HNZlAKW.exe
| MD5 | 5e1d165b232dd3ef1a5b491c96c2196e |
| SHA1 | 1189e63c92b8f6d0149d4ecf6d7c43a350514292 |
| SHA256 | aa534b398127eb5992382e9108b65fc61140475410b6ed7999df0bb92257094d |
| SHA512 | 1012f7083ca60c2999528b0cd7eb53f00290be2b5e0fffcae2b6fb7fb9109c36983b3afdf547403208ac6ea9c1725e51a306d9572fb8b1c0d7265b989f57b9ee |
memory/2544-21-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2076-28-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/2680-25-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/2800-35-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2680-38-0x0000000002350000-0x00000000026A4000-memory.dmp
\Windows\system\gJFSpFl.exe
| MD5 | 587a417d9e22d5349e01af160f35c7b3 |
| SHA1 | 9c0fbf3988f55407b372256ca3a6abfcd862507c |
| SHA256 | d6017b8589a4ea6fcff7af68c3433f1a2cbdf227d59eb2f20a75e122e438653b |
| SHA512 | 076ee96e68b1b89426b738ed6c4847c03c60c347c9ff66bedf140e97f72e13df9a096ee0f19134710183fd1c5630a967f6790494805e962667101b7a5a8e51e4 |
memory/2680-34-0x000000013F1D0000-0x000000013F524000-memory.dmp
C:\Windows\system\DeGEdDi.exe
| MD5 | 617bfc469cf8d504602bbd53445c941b |
| SHA1 | 8f273e8984ae2e17f292a87cb7ceaea3a68eb3b8 |
| SHA256 | a30d985d8d2882f5af4aa7cbce0cb17ee7fe655022692a9a57a1f04c54eaea68 |
| SHA512 | 154982f47229a4965a0bf7b5a9884d306a719635904aff8bd3dd2a21ddd69daf821d08850051183b6fb12d86d53bb5c407ed27a8a61fb87b1258a0b02c6016c2 |
memory/2536-43-0x000000013FF30000-0x0000000140284000-memory.dmp
\Windows\system\bVqNhPZ.exe
| MD5 | c94c7a65ff4f33798130a7acb787e043 |
| SHA1 | fde91e4a4ce8b84af07c6efba2faddb18e364a4e |
| SHA256 | feb77437d1896e9fb7752fc828c454e9fd7eca8f0a422382d3c69ea9ac892a6f |
| SHA512 | 54a6bff067b9bbb415ed8fbdcd3e6e952beb5dfd42d0bd26ead2ccecf76013f16d0e0031989e2fcb6a945366e2ff5662ad5ca7d4194c6d6247c3c9ddce23b348 |
memory/2756-17-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2612-50-0x000000013FB10000-0x000000013FE64000-memory.dmp
memory/2680-49-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/2680-16-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2732-15-0x000000013F430000-0x000000013F784000-memory.dmp
C:\Windows\system\bAiXLuL.exe
| MD5 | b731fb4b82167c081d89e0de1b93f2c4 |
| SHA1 | 388685abb14b413ed6bedf1b7f759fb785337bba |
| SHA256 | 46684e504435334ce36f79d451cb3f2b0335ad7f947ce359df74b3c6a2b13c24 |
| SHA512 | f9ce353f707981053455f64d2c52ac1e5df6a2a51f22e8cab3cc8c6a72654ca081cd445f9f51450f99993db267492e55917760da1a47bd627e4ee523cbec2448 |
memory/2396-56-0x000000013F760000-0x000000013FAB4000-memory.dmp
\Windows\system\kFMGXVN.exe
| MD5 | 0200e36f398dc69fa71e41a8dfab81b8 |
| SHA1 | a2206acd2c90c91912d0b7067a13952e6174812a |
| SHA256 | ce65fe2e5565c916a534c277b8704f7fa4ed056404881f75dff8b6eef0a7db59 |
| SHA512 | 2e7cb8ab57a793efcced92ad9bcec9991f224d869c2116e1c0afa13c70a3f39ea7833e88254ce80b077962cf6f7017f3d113f276e77cd707f6332de889c1f357 |
memory/2680-68-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2340-70-0x000000013F240000-0x000000013F594000-memory.dmp
C:\Windows\system\tpYcHTi.exe
| MD5 | 5a763f177c91bf598c903cb162c90973 |
| SHA1 | c06880d9d6969df72fdf5f88431153e57e526276 |
| SHA256 | 5d6d5a1e4e95ad390ce034f3c0e107c5bd9cf13e8596ce452d268de3fd6458fe |
| SHA512 | 7d293e0418916599ffa0b89a637e75f56574a73fbc4c37049230038b8626fbc2d76651bfc55ac95de70431b61cf7823145226d774e404643138223601986f6e2 |
memory/2544-75-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2680-96-0x000000013F650000-0x000000013F9A4000-memory.dmp
C:\Windows\system\PnfKdeY.exe
| MD5 | 8717329003110e11b20930ad399c07c9 |
| SHA1 | c74e24bdbb703fb8dca2d9a4d8ac74f6616fa5dc |
| SHA256 | d303f44d55315a94e5e985c085155573680f35e7aa72ba940cc01c3716902e8b |
| SHA512 | 1be167954a4ac774e6ecbdcbb372f5864d7cad815f4f4f7e2cef34af042bcc16927fa4b31f36cbc24d482d7d7bc7d04a5a502f6e5f1cdac67cb8b61058e04cc4 |
C:\Windows\system\WshGKsu.exe
| MD5 | 8881ff6ef910623e8d185c3f2b585b7a |
| SHA1 | 6680433ae62fbed80edaf558e20e72966d519cfa |
| SHA256 | a42acc468c45e8b5e3691738e1f4f450a02a98cb8a443c563da737c9314ba4f0 |
| SHA512 | 7699185c8a832a357adbbd7cdb5f5879806c7928c425755f163ea390e93fe8d4d0f6e1898cbca3598e67339b12a38391e7f7fc9973b0c0d5af0d059cdb196508 |
C:\Windows\system\ePNgDhn.exe
| MD5 | b6ac8810d577de9e764336f10a11cfb7 |
| SHA1 | 7dc0f103a93bcd01a0ac7943b57c46c8562a35a9 |
| SHA256 | a3088638c3300d4855de1bc54bfbdcb0badc6bd2fcae680bf0031726ba3aaf8a |
| SHA512 | c3ae5ef2c1356a1a8573f4894786d571ddc1e1f7373f6f6bd8ecb36d002ea735728b32011708c83d4bf7fd21ae82e03c0e1f72e682326023bac71c1cd57b4ade |
\Windows\system\IEOmDtq.exe
| MD5 | eb4d4e5e97502ff98018a65bf04243f3 |
| SHA1 | 2a43805d65f39c3d0fcb11b9ba4f7d4b6357a991 |
| SHA256 | 255cafdce691e87703ab6b1b70492b1ce8ec86424dffd943d306c4f851c4827d |
| SHA512 | 6565fece397f9fb4e51ccdb946ca208bf7aed3dd0c0fecd1ca7e3c37825d27ebe4e1be7a37b6e95d152c59b1bfb99841a9e0d607e7e75764b023f70cf8223f04 |
C:\Windows\system\UDKhKOC.exe
| MD5 | 305cef12edc976327b1e70df678ae2a0 |
| SHA1 | b3f0a87728f4eee7afdd65f7845714d7009d2178 |
| SHA256 | c5bad03636fc696b9229bb1d16a47c1867866017f6f24e7961659834d05b7b6a |
| SHA512 | 65fc86e12a37b4f82fab01d5cec6c990634990c850bece94de7ac7c87981b9963ae5ed427271cb3bdb6018d72617b6c458745ccf00d61bb78f20812307cd704b |
C:\Windows\system\UfaPsxa.exe
| MD5 | c6842cd9b87758ece9c8bf5a84040252 |
| SHA1 | e952c77c186df9d68c74919463861084f72a7015 |
| SHA256 | e7ec435255dc67db09b1c857dd2b02966c0a47ffdf017ecc7ebce346d2d56e11 |
| SHA512 | 78621668a0ed3aaf67c9e868f199c6f071e99208d7ef9bd01bc2cdebb4d345064e3c66d82d21cb5d3d456377807ad67366cfb09bf460d32332c65cbc591c4bc6 |
C:\Windows\system\vvbJkMb.exe
| MD5 | 7bc11a4da436bdbe19fc3cdc033b77e7 |
| SHA1 | 623976be60e6fecdc5f94b97f6df88dbd5359fae |
| SHA256 | 582eba46b7b96c8c50a370eca2a0d2c4563bdffb59eae933999f2e495fe2765c |
| SHA512 | b5a1fdc8d6a58449d306421712ab95b408abe43e2f25047b8aafaf780a3dda65e84f5b4422e37ce863d0aa592995935d7c81981a68e37dd0560650aced904ea6 |
C:\Windows\system\GBNyTYj.exe
| MD5 | 67254871ffb09342abc2c587c18d8577 |
| SHA1 | d312e5ead10e93579310c6800163e072220bb48d |
| SHA256 | 97472a8e72a7821f4c1414cfa6ea711304f00a13dd468c8d4f6b0d192caf7180 |
| SHA512 | ee212e88c8e7895ff77c214eeedf11d683c187aeb9c91bfb86f89d7393e7c65495b7477af01809cc6c8d7ccc4bd03b842c0461dd797f5a4be6b2fb304872447c |
memory/2348-100-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/2680-88-0x000000013F520000-0x000000013F874000-memory.dmp
memory/2076-87-0x000000013FB80000-0x000000013FED4000-memory.dmp
C:\Windows\system\ExnNNJs.exe
| MD5 | 19fc320b250879ee3d8ec0829b577163 |
| SHA1 | 33ea22229a4abc2d09c4327344470374a5eae8af |
| SHA256 | d68d2b27570b57d3aecf0d561bfc15b7bccb25a184f3053c99bbba27bee7ad5e |
| SHA512 | dc338a79d7248f5523bc8237b4ad6012e0221447b5724afc8f1fa2c6bfcdbb7700bcac2657f882de98bc6b834445de720a3d7ebbb8ed56cf0eaeaf67aa78a773 |
memory/1160-95-0x000000013F520000-0x000000013F874000-memory.dmp
memory/2800-94-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/788-77-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2680-76-0x000000013F400000-0x000000013F754000-memory.dmp
memory/1744-85-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/2680-84-0x0000000002350000-0x00000000026A4000-memory.dmp
C:\Windows\system\gLhbCrH.exe
| MD5 | 7595c4bdf6a774bfcf9d780e153b6045 |
| SHA1 | e4dbbb28a5f58cc4e0e02aa7745b4e4e3c1a4395 |
| SHA256 | 0d83d41ae43c8ab57e219eaffb4037cb835c88fb7d00e39505af0553f5146c89 |
| SHA512 | ec0a12e47a29b4581c23da06bcb51219a9eafa8800dcf2aa749c68d15e1fb86c9b095ab3eab9b70a89474f7b6b683ba622d165a316ebfc26b98561a4441f79c0 |
memory/2716-63-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/2680-62-0x000000013F710000-0x000000013FA64000-memory.dmp
C:\Windows\system\rurUHyz.exe
| MD5 | 99979d8adb199741541544eeea892ab8 |
| SHA1 | a612bd48a9183e3a6d83e114cefad5c4897ef6ea |
| SHA256 | 87aba2a0faa1b68557ab5e4650474e6416453b2f125e7010f574010e8be2f001 |
| SHA512 | 1a80630939c15421a88f1fd808abe8da19b4c8e8da1128d7cf5d84ee3053642da174cf70edab6e264e1262d3105d961d4dda0741a5a2ddebf18e8051938c3e28 |
memory/2340-137-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2680-136-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2680-138-0x000000013F400000-0x000000013F754000-memory.dmp
memory/788-139-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2680-140-0x0000000002350000-0x00000000026A4000-memory.dmp
memory/2680-141-0x000000013F520000-0x000000013F874000-memory.dmp
memory/2348-142-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/2732-143-0x000000013F430000-0x000000013F784000-memory.dmp
memory/2756-144-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2544-145-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2076-146-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/2800-147-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2536-148-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/2612-149-0x000000013FB10000-0x000000013FE64000-memory.dmp
memory/2396-150-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2716-151-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/2340-152-0x000000013F240000-0x000000013F594000-memory.dmp
memory/788-153-0x000000013F400000-0x000000013F754000-memory.dmp
memory/1744-154-0x000000013FF80000-0x00000001402D4000-memory.dmp
memory/1160-155-0x000000013F520000-0x000000013F874000-memory.dmp
memory/2348-156-0x000000013F650000-0x000000013F9A4000-memory.dmp
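The two detonations above reduce to a small, stable indicator set: one C2 endpoint (3.120.209.58:8080, contacted repeatedly on both Win7 and Win10), a series of executables dropped into C:\Windows\System (the legacy directory, not System32) under seven-letter mixed-case names, identical hashes for every dropped file that appears in both runs (so these are embedded payloads rather than per-run generated binaries), and the submitted sample enabling SeLockMemoryPrivilege, which is the privilege XMRig requests so it can back its mining scratchpad with large pages. The script below, added here as an example and not part of the sandbox output, turns those observations into hunt logic over Sysmon-style process, network and privilege events. The event dictionary layout and the sample events are assumptions constructed for this example, and only a subset of the report's SHA256 values is included.

```python
"""Hunt logic derived from the sandbox report above (added example).

Assumptions: events are dicts with a 'kind' of process/network/privilege and
the keys used in classify(); this loosely mirrors Sysmon event IDs 1 and 3 but
is not a real Sysmon schema. SAMPLE_EVENTS are constructed, not sandbox data.
"""
import re
from typing import Iterable

# --- Indicators copied from the report -------------------------------------
C2_ENDPOINTS = {("3.120.209.58", 8080)}  # behavioral1/behavioral2 Network tables

# SHA256 of dropped executables (Files section). The same values appear in the
# Win7 and Win10 detonations, so they are usable as stable hash indicators.
# Subset shown; extend from the report as needed.
DROPPED_SHA256 = {
    "55b9ae806e7b4bd0acd5c54402f65173a3fb2f79563a34c974479e81b0e33957",  # REJLOgs.exe
    "55703cfed6bd69b2ebdde31b49164b003e2e3f1af2078f15d67ce5c9e06fbab6",  # ZzRFgGw.exe
    "aa89fb8e728c628adc77b0cfb57cb6dd3ef6d0e2c17c77d610e6386b4cf68a2f",  # GBzTqMA.exe
    "aa534b398127eb5992382e9108b65fc61140475410b6ed7999df0bb92257094d",  # HNZlAKW.exe
}

# Every dropped file lands in C:\Windows\System (not System32) under a
# seven-letter name. That directory is a legacy location that is normally
# empty on a healthy host, so the path shape alone is alert-worthy and also
# catches siblings whose hash is not yet on the list.
DROPPED_NAME = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)

# Both detonations record the sample enabling this privilege twice. XMRig asks
# for it to allocate large pages; an ordinary user-mode dropper has no reason to.
MINER_PRIVILEGE = "SeLockMemoryPrivilege"


def classify(event: dict) -> list[str]:
    """Return the names of the indicators an event matches (empty = clean)."""
    hits: list[str] = []
    kind = event.get("kind")
    if kind == "process":
        if DROPPED_NAME.match(event.get("image", "")):
            hits.append("dropped-exe-path")
        if event.get("sha256", "").lower() in DROPPED_SHA256:
            hits.append("dropped-exe-hash")
    elif kind == "network":
        if (event.get("dst_ip"), event.get("dst_port")) in C2_ENDPOINTS:
            hits.append("c2-endpoint")
    elif kind == "privilege":
        if event.get("privilege") == MINER_PRIVILEGE:
            hits.append("miner-privilege")
    return hits


def hunt(events: Iterable[dict]) -> dict[str, list[dict]]:
    """Group matching events by indicator name so each hit can be triaged."""
    findings: dict[str, list[dict]] = {}
    for ev in events:
        for name in classify(ev):
            findings.setdefault(name, []).append(ev)
    return findings


# Constructed sample telemetry (not from the sandbox): a benign process, one
# dropped EXE caught by both path and hash, one renamed sibling caught by path
# only, the C2 connect, benign DNS to the resolver, and the privilege toggle.
SAMPLE_EVENTS = [
    {"kind": "process", "image": r"C:\Windows\System32\svchost.exe", "sha256": "0" * 64},
    {"kind": "process", "image": r"C:\Windows\System\REJLOgs.exe",
     "sha256": "55b9ae806e7b4bd0acd5c54402f65173a3fb2f79563a34c974479e81b0e33957"},
    {"kind": "process", "image": r"C:\Windows\System\QwErTyU.exe", "sha256": "f" * 64},
    {"kind": "network", "dst_ip": "3.120.209.58", "dst_port": 8080},
    {"kind": "network", "dst_ip": "8.8.8.8", "dst_port": 53},
    {"kind": "privilege", "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "privilege": "SeLockMemoryPrivilege"},
]

if __name__ == "__main__":
    for name, evs in hunt(SAMPLE_EVENTS).items():
        print(f"{name}: {len(evs)} event(s)")
```

The path rule is deliberately broader than the hash list: the report shows 21 distinct seven-letter names, and a variant that regenerates names would still be caught, while the hash rule gives a high-confidence match on the exact binaries. The DNS entries to 8.8.8.8 in the behavioral2 Network table are the sandbox resolver doing reverse lookups and are not treated as indicators.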
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 15:57
Reported
2024-08-06 16:00
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
150s
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| 21 matching rows; no indicator details were recorded for this signature | | | |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 matching rows; no indicator details were recorded for this signature | | | |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\REJLOgs.exe | N/A |
| N/A | N/A | C:\Windows\System\ZzRFgGw.exe | N/A |
| N/A | N/A | C:\Windows\System\GBzTqMA.exe | N/A |
| N/A | N/A | C:\Windows\System\HNZlAKW.exe | N/A |
| N/A | N/A | C:\Windows\System\DeGEdDi.exe | N/A |
| N/A | N/A | C:\Windows\System\gJFSpFl.exe | N/A |
| N/A | N/A | C:\Windows\System\bVqNhPZ.exe | N/A |
| N/A | N/A | C:\Windows\System\bAiXLuL.exe | N/A |
| N/A | N/A | C:\Windows\System\kFMGXVN.exe | N/A |
| N/A | N/A | C:\Windows\System\rurUHyz.exe | N/A |
| N/A | N/A | C:\Windows\System\gLhbCrH.exe | N/A |
| N/A | N/A | C:\Windows\System\tpYcHTi.exe | N/A |
| N/A | N/A | C:\Windows\System\PnfKdeY.exe | N/A |
| N/A | N/A | C:\Windows\System\ExnNNJs.exe | N/A |
| N/A | N/A | C:\Windows\System\WshGKsu.exe | N/A |
| N/A | N/A | C:\Windows\System\GBNyTYj.exe | N/A |
| N/A | N/A | C:\Windows\System\vvbJkMb.exe | N/A |
| N/A | N/A | C:\Windows\System\UfaPsxa.exe | N/A |
| N/A | N/A | C:\Windows\System\UDKhKOC.exe | N/A |
| N/A | N/A | C:\Windows\System\ePNgDhn.exe | N/A |
| N/A | N/A | C:\Windows\System\IEOmDtq.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| 64 matching rows; no indicator details were recorded for this signature | | | |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Path | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-06_8c02881b41e22291fed0a6fd706a77aa_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\REJLOgs.exe | C:\Windows\System\REJLOgs.exe |
| C:\Windows\System\ZzRFgGw.exe | C:\Windows\System\ZzRFgGw.exe |
| C:\Windows\System\GBzTqMA.exe | C:\Windows\System\GBzTqMA.exe |
| C:\Windows\System\HNZlAKW.exe | C:\Windows\System\HNZlAKW.exe |
| C:\Windows\System\DeGEdDi.exe | C:\Windows\System\DeGEdDi.exe |
| C:\Windows\System\gJFSpFl.exe | C:\Windows\System\gJFSpFl.exe |
| C:\Windows\System\bVqNhPZ.exe | C:\Windows\System\bVqNhPZ.exe |
| C:\Windows\System\bAiXLuL.exe | C:\Windows\System\bAiXLuL.exe |
| C:\Windows\System\kFMGXVN.exe | C:\Windows\System\kFMGXVN.exe |
| C:\Windows\System\rurUHyz.exe | C:\Windows\System\rurUHyz.exe |
| C:\Windows\System\gLhbCrH.exe | C:\Windows\System\gLhbCrH.exe |
| C:\Windows\System\tpYcHTi.exe | C:\Windows\System\tpYcHTi.exe |
| C:\Windows\System\PnfKdeY.exe | C:\Windows\System\PnfKdeY.exe |
| C:\Windows\System\ExnNNJs.exe | C:\Windows\System\ExnNNJs.exe |
| C:\Windows\System\WshGKsu.exe | C:\Windows\System\WshGKsu.exe |
| C:\Windows\System\GBNyTYj.exe | C:\Windows\System\GBNyTYj.exe |
| C:\Windows\System\vvbJkMb.exe | C:\Windows\System\vvbJkMb.exe |
| C:\Windows\System\UfaPsxa.exe | C:\Windows\System\UfaPsxa.exe |
| C:\Windows\System\UDKhKOC.exe | C:\Windows\System\UDKhKOC.exe |
| C:\Windows\System\ePNgDhn.exe | C:\Windows\System\ePNgDhn.exe |
| C:\Windows\System\IEOmDtq.exe | C:\Windows\System\IEOmDtq.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3484-0-0x00007FF68ADE0000-0x00007FF68B134000-memory.dmp
memory/3484-1-0x0000023DE4A30000-0x0000023DE4A40000-memory.dmp
C:\Windows\System\REJLOgs.exe
| MD5 | 0fde5577a3de0a4f49610d5e2636be51 |
| SHA1 | f8cb363ef96d5aa0f183cbe065c99ee8c7a669d5 |
| SHA256 | 55b9ae806e7b4bd0acd5c54402f65173a3fb2f79563a34c974479e81b0e33957 |
| SHA512 | b0fcde08a3dad778bae98b4a44698af1a995dead0c32a46403f080b514a5853a1f914f9cd9c241f79e05b8a0c82d4e00ef3231e97352c59c96e06835af56d6f2 |
memory/3144-8-0x00007FF722E40000-0x00007FF723194000-memory.dmp
C:\Windows\System\ZzRFgGw.exe
| MD5 | aba154ac8da8c6dbbe6ca9dff77cfe0a |
| SHA1 | 9fadf640d384bb7fde03bd1fb3fba4aa6c282d4c |
| SHA256 | 55703cfed6bd69b2ebdde31b49164b003e2e3f1af2078f15d67ce5c9e06fbab6 |
| SHA512 | 74290d13c105451398bb93215bf8245fea8d6b85df0f8bb659246a8c4604491b22120b61e199a9fa29e8ec1e7718625f169fbc984f819bdf6b7c92ba14a77baa |
C:\Windows\System\GBzTqMA.exe
| MD5 | cae11ee601a12481c738fdbe79ae70d8 |
| SHA1 | c99a53932dea4e8b40d635f1b7fa632ceb9d1b92 |
| SHA256 | aa89fb8e728c628adc77b0cfb57cb6dd3ef6d0e2c17c77d610e6386b4cf68a2f |
| SHA512 | 01c88004cf2c2a11509454d0cf09622041e5e8bb8ca28c6fdc7aa9cde619e2c52aa53f37b9a5c99cee95cfde18874d6279536e6109b0b2368d64ff9420c11510 |
C:\Windows\System\HNZlAKW.exe
| MD5 | 5e1d165b232dd3ef1a5b491c96c2196e |
| SHA1 | 1189e63c92b8f6d0149d4ecf6d7c43a350514292 |
| SHA256 | aa534b398127eb5992382e9108b65fc61140475410b6ed7999df0bb92257094d |
| SHA512 | 1012f7083ca60c2999528b0cd7eb53f00290be2b5e0fffcae2b6fb7fb9109c36983b3afdf547403208ac6ea9c1725e51a306d9572fb8b1c0d7265b989f57b9ee |
memory/4956-24-0x00007FF6B4680000-0x00007FF6B49D4000-memory.dmp
memory/1912-23-0x00007FF78C190000-0x00007FF78C4E4000-memory.dmp
memory/4308-13-0x00007FF6081B0000-0x00007FF608504000-memory.dmp
memory/4044-32-0x00007FF7880D0000-0x00007FF788424000-memory.dmp
C:\Windows\System\DeGEdDi.exe
| MD5 | 617bfc469cf8d504602bbd53445c941b |
| SHA1 | 8f273e8984ae2e17f292a87cb7ceaea3a68eb3b8 |
| SHA256 | a30d985d8d2882f5af4aa7cbce0cb17ee7fe655022692a9a57a1f04c54eaea68 |
| SHA512 | 154982f47229a4965a0bf7b5a9884d306a719635904aff8bd3dd2a21ddd69daf821d08850051183b6fb12d86d53bb5c407ed27a8a61fb87b1258a0b02c6016c2 |
C:\Windows\System\gJFSpFl.exe
| MD5 | 587a417d9e22d5349e01af160f35c7b3 |
| SHA1 | 9c0fbf3988f55407b372256ca3a6abfcd862507c |
| SHA256 | d6017b8589a4ea6fcff7af68c3433f1a2cbdf227d59eb2f20a75e122e438653b |
| SHA512 | 076ee96e68b1b89426b738ed6c4847c03c60c347c9ff66bedf140e97f72e13df9a096ee0f19134710183fd1c5630a967f6790494805e962667101b7a5a8e51e4 |
memory/2704-38-0x00007FF742190000-0x00007FF7424E4000-memory.dmp
C:\Windows\System\bVqNhPZ.exe
| MD5 | c94c7a65ff4f33798130a7acb787e043 |
| SHA1 | fde91e4a4ce8b84af07c6efba2faddb18e364a4e |
| SHA256 | feb77437d1896e9fb7752fc828c454e9fd7eca8f0a422382d3c69ea9ac892a6f |
| SHA512 | 54a6bff067b9bbb415ed8fbdcd3e6e952beb5dfd42d0bd26ead2ccecf76013f16d0e0031989e2fcb6a945366e2ff5662ad5ca7d4194c6d6247c3c9ddce23b348 |
C:\Windows\System\bAiXLuL.exe
| MD5 | b731fb4b82167c081d89e0de1b93f2c4 |
| SHA1 | 388685abb14b413ed6bedf1b7f759fb785337bba |
| SHA256 | 46684e504435334ce36f79d451cb3f2b0335ad7f947ce359df74b3c6a2b13c24 |
| SHA512 | f9ce353f707981053455f64d2c52ac1e5df6a2a51f22e8cab3cc8c6a72654ca081cd445f9f51450f99993db267492e55917760da1a47bd627e4ee523cbec2448 |
memory/4628-50-0x00007FF690AF0000-0x00007FF690E44000-memory.dmp
C:\Windows\System\kFMGXVN.exe
| MD5 | 0200e36f398dc69fa71e41a8dfab81b8 |
| SHA1 | a2206acd2c90c91912d0b7067a13952e6174812a |
| SHA256 | ce65fe2e5565c916a534c277b8704f7fa4ed056404881f75dff8b6eef0a7db59 |
| SHA512 | 2e7cb8ab57a793efcced92ad9bcec9991f224d869c2116e1c0afa13c70a3f39ea7833e88254ce80b077962cf6f7017f3d113f276e77cd707f6332de889c1f357 |
memory/4448-44-0x00007FF7CBAA0000-0x00007FF7CBDF4000-memory.dmp
memory/60-56-0x00007FF786020000-0x00007FF786374000-memory.dmp
C:\Windows\System\rurUHyz.exe
| MD5 | 99979d8adb199741541544eeea892ab8 |
| SHA1 | a612bd48a9183e3a6d83e114cefad5c4897ef6ea |
| SHA256 | 87aba2a0faa1b68557ab5e4650474e6416453b2f125e7010f574010e8be2f001 |
| SHA512 | 1a80630939c15421a88f1fd808abe8da19b4c8e8da1128d7cf5d84ee3053642da174cf70edab6e264e1262d3105d961d4dda0741a5a2ddebf18e8051938c3e28 |
memory/3484-62-0x00007FF68ADE0000-0x00007FF68B134000-memory.dmp
memory/2652-63-0x00007FF71E650000-0x00007FF71E9A4000-memory.dmp
C:\Windows\System\gLhbCrH.exe
| MD5 | 7595c4bdf6a774bfcf9d780e153b6045 |
| SHA1 | e4dbbb28a5f58cc4e0e02aa7745b4e4e3c1a4395 |
| SHA256 | 0d83d41ae43c8ab57e219eaffb4037cb835c88fb7d00e39505af0553f5146c89 |
| SHA512 | ec0a12e47a29b4581c23da06bcb51219a9eafa8800dcf2aa749c68d15e1fb86c9b095ab3eab9b70a89474f7b6b683ba622d165a316ebfc26b98561a4441f79c0 |
memory/4308-72-0x00007FF6081B0000-0x00007FF608504000-memory.dmp
memory/5092-75-0x00007FF626FA0000-0x00007FF6272F4000-memory.dmp
C:\Windows\System\tpYcHTi.exe
| MD5 | 5a763f177c91bf598c903cb162c90973 |
| SHA1 | c06880d9d6969df72fdf5f88431153e57e526276 |
| SHA256 | 5d6d5a1e4e95ad390ce034f3c0e107c5bd9cf13e8596ce452d268de3fd6458fe |
| SHA512 | 7d293e0418916599ffa0b89a637e75f56574a73fbc4c37049230038b8626fbc2d76651bfc55ac95de70431b61cf7823145226d774e404643138223601986f6e2 |
memory/3180-74-0x00007FF622DF0000-0x00007FF623144000-memory.dmp
memory/3144-71-0x00007FF722E40000-0x00007FF723194000-memory.dmp
C:\Windows\System\PnfKdeY.exe
| MD5 | 8717329003110e11b20930ad399c07c9 |
| SHA1 | c74e24bdbb703fb8dca2d9a4d8ac74f6616fa5dc |
| SHA256 | d303f44d55315a94e5e985c085155573680f35e7aa72ba940cc01c3716902e8b |
| SHA512 | 1be167954a4ac774e6ecbdcbb372f5864d7cad815f4f4f7e2cef34af042bcc16927fa4b31f36cbc24d482d7d7bc7d04a5a502f6e5f1cdac67cb8b61058e04cc4 |
memory/2384-83-0x00007FF6889E0000-0x00007FF688D34000-memory.dmp
C:\Windows\System\ExnNNJs.exe
| MD5 | 19fc320b250879ee3d8ec0829b577163 |
| SHA1 | 33ea22229a4abc2d09c4327344470374a5eae8af |
| SHA256 | d68d2b27570b57d3aecf0d561bfc15b7bccb25a184f3053c99bbba27bee7ad5e |
| SHA512 | dc338a79d7248f5523bc8237b4ad6012e0221447b5724afc8f1fa2c6bfcdbb7700bcac2657f882de98bc6b834445de720a3d7ebbb8ed56cf0eaeaf67aa78a773 |
memory/4164-89-0x00007FF6E6A10000-0x00007FF6E6D64000-memory.dmp
C:\Windows\System\WshGKsu.exe
| MD5 | 8881ff6ef910623e8d185c3f2b585b7a |
| SHA1 | 6680433ae62fbed80edaf558e20e72966d519cfa |
| SHA256 | a42acc468c45e8b5e3691738e1f4f450a02a98cb8a443c563da737c9314ba4f0 |
| SHA512 | 7699185c8a832a357adbbd7cdb5f5879806c7928c425755f163ea390e93fe8d4d0f6e1898cbca3598e67339b12a38391e7f7fc9973b0c0d5af0d059cdb196508 |
memory/4444-96-0x00007FF649970000-0x00007FF649CC4000-memory.dmp
memory/4956-95-0x00007FF6B4680000-0x00007FF6B49D4000-memory.dmp
C:\Windows\System\GBNyTYj.exe
| MD5 | 67254871ffb09342abc2c587c18d8577 |
| SHA1 | d312e5ead10e93579310c6800163e072220bb48d |
| SHA256 | 97472a8e72a7821f4c1414cfa6ea711304f00a13dd468c8d4f6b0d192caf7180 |
| SHA512 | ee212e88c8e7895ff77c214eeedf11d683c187aeb9c91bfb86f89d7393e7c65495b7477af01809cc6c8d7ccc4bd03b842c0461dd797f5a4be6b2fb304872447c |
C:\Windows\System\vvbJkMb.exe
| MD5 | 7bc11a4da436bdbe19fc3cdc033b77e7 |
| SHA1 | 623976be60e6fecdc5f94b97f6df88dbd5359fae |
| SHA256 | 582eba46b7b96c8c50a370eca2a0d2c4563bdffb59eae933999f2e495fe2765c |
| SHA512 | b5a1fdc8d6a58449d306421712ab95b408abe43e2f25047b8aafaf780a3dda65e84f5b4422e37ce863d0aa592995935d7c81981a68e37dd0560650aced904ea6 |
memory/1624-102-0x00007FF6C85F0000-0x00007FF6C8944000-memory.dmp
memory/4044-101-0x00007FF7880D0000-0x00007FF788424000-memory.dmp
C:\Windows\System\UfaPsxa.exe
| MD5 | c6842cd9b87758ece9c8bf5a84040252 |
| SHA1 | e952c77c186df9d68c74919463861084f72a7015 |
| SHA256 | e7ec435255dc67db09b1c857dd2b02966c0a47ffdf017ecc7ebce346d2d56e11 |
| SHA512 | 78621668a0ed3aaf67c9e868f199c6f071e99208d7ef9bd01bc2cdebb4d345064e3c66d82d21cb5d3d456377807ad67366cfb09bf460d32332c65cbc591c4bc6 |
C:\Windows\System\UDKhKOC.exe
| MD5 | 305cef12edc976327b1e70df678ae2a0 |
| SHA1 | b3f0a87728f4eee7afdd65f7845714d7009d2178 |
| SHA256 | c5bad03636fc696b9229bb1d16a47c1867866017f6f24e7961659834d05b7b6a |
| SHA512 | 65fc86e12a37b4f82fab01d5cec6c990634990c850bece94de7ac7c87981b9963ae5ed427271cb3bdb6018d72617b6c458745ccf00d61bb78f20812307cd704b |
memory/3420-116-0x00007FF694A80000-0x00007FF694DD4000-memory.dmp
memory/4556-109-0x00007FF665270000-0x00007FF6655C4000-memory.dmp
memory/4628-121-0x00007FF690AF0000-0x00007FF690E44000-memory.dmp
memory/644-122-0x00007FF6BE550000-0x00007FF6BE8A4000-memory.dmp
C:\Windows\System\ePNgDhn.exe
| MD5 | b6ac8810d577de9e764336f10a11cfb7 |
| SHA1 | 7dc0f103a93bcd01a0ac7943b57c46c8562a35a9 |
| SHA256 | a3088638c3300d4855de1bc54bfbdcb0badc6bd2fcae680bf0031726ba3aaf8a |
| SHA512 | c3ae5ef2c1356a1a8573f4894786d571ddc1e1f7373f6f6bd8ecb36d002ea735728b32011708c83d4bf7fd21ae82e03c0e1f72e682326023bac71c1cd57b4ade |
C:\Windows\System\IEOmDtq.exe
| MD5 | eb4d4e5e97502ff98018a65bf04243f3 |
| SHA1 | 2a43805d65f39c3d0fcb11b9ba4f7d4b6357a991 |
| SHA256 | 255cafdce691e87703ab6b1b70492b1ce8ec86424dffd943d306c4f851c4827d |
| SHA512 | 6565fece397f9fb4e51ccdb946ca208bf7aed3dd0c0fecd1ca7e3c37825d27ebe4e1be7a37b6e95d152c59b1bfb99841a9e0d607e7e75764b023f70cf8223f04 |
memory/3208-133-0x00007FF62E9A0000-0x00007FF62ECF4000-memory.dmp
memory/3692-128-0x00007FF6D2390000-0x00007FF6D26E4000-memory.dmp
memory/5092-134-0x00007FF626FA0000-0x00007FF6272F4000-memory.dmp
memory/1624-135-0x00007FF6C85F0000-0x00007FF6C8944000-memory.dmp
memory/3692-136-0x00007FF6D2390000-0x00007FF6D26E4000-memory.dmp
memory/3144-137-0x00007FF722E40000-0x00007FF723194000-memory.dmp
memory/4308-139-0x00007FF6081B0000-0x00007FF608504000-memory.dmp
memory/1912-138-0x00007FF78C190000-0x00007FF78C4E4000-memory.dmp
memory/4956-140-0x00007FF6B4680000-0x00007FF6B49D4000-memory.dmp
memory/4044-141-0x00007FF7880D0000-0x00007FF788424000-memory.dmp
memory/2704-142-0x00007FF742190000-0x00007FF7424E4000-memory.dmp
memory/4448-143-0x00007FF7CBAA0000-0x00007FF7CBDF4000-memory.dmp
memory/4628-144-0x00007FF690AF0000-0x00007FF690E44000-memory.dmp
memory/60-145-0x00007FF786020000-0x00007FF786374000-memory.dmp
memory/2652-146-0x00007FF71E650000-0x00007FF71E9A4000-memory.dmp
memory/3180-147-0x00007FF622DF0000-0x00007FF623144000-memory.dmp
memory/5092-148-0x00007FF626FA0000-0x00007FF6272F4000-memory.dmp
memory/2384-149-0x00007FF6889E0000-0x00007FF688D34000-memory.dmp
memory/4164-150-0x00007FF6E6A10000-0x00007FF6E6D64000-memory.dmp
memory/4444-151-0x00007FF649970000-0x00007FF649CC4000-memory.dmp
memory/1624-152-0x00007FF6C85F0000-0x00007FF6C8944000-memory.dmp
memory/4556-153-0x00007FF665270000-0x00007FF6655C4000-memory.dmp
memory/3420-154-0x00007FF694A80000-0x00007FF694DD4000-memory.dmp
memory/644-155-0x00007FF6BE550000-0x00007FF6BE8A4000-memory.dmp
memory/3208-156-0x00007FF62E9A0000-0x00007FF62ECF4000-memory.dmp
memory/3692-157-0x00007FF6D2390000-0x00007FF6D26E4000-memory.dmp