Analysis Overview
SHA256
de9bad680e02891cedcc3fbd0cd11d8bb088f17481020dd52b4d5d6af58bf6cd
Threat Level: Known bad
The file 2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
xmrig
XMRig Miner payload
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-07 21:47
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-07 21:47
Reported
2024-08-07 21:49
Platform
win7-20240708-en
Max time kernel
142s
Max time network
143s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System\GCZPhhx.exe | N/A |
| N/A | N/A | C:\Windows\System\asJxJsN.exe | N/A |
| N/A | N/A | C:\Windows\System\Ulouvvt.exe | N/A |
| N/A | N/A | C:\Windows\System\tlnylwz.exe | N/A |
| N/A | N/A | C:\Windows\System\DjemAUK.exe | N/A |
| N/A | N/A | C:\Windows\System\bPwgeWz.exe | N/A |
| N/A | N/A | C:\Windows\System\KZnJwtN.exe | N/A |
| N/A | N/A | C:\Windows\System\BLXYJgY.exe | N/A |
| N/A | N/A | C:\Windows\System\vPyMEIZ.exe | N/A |
| N/A | N/A | C:\Windows\System\SnAkFQI.exe | N/A |
| N/A | N/A | C:\Windows\System\EtlwrkE.exe | N/A |
| N/A | N/A | C:\Windows\System\OySaTXJ.exe | N/A |
| N/A | N/A | C:\Windows\System\oQOswPx.exe | N/A |
| N/A | N/A | C:\Windows\System\cLIUFQt.exe | N/A |
| N/A | N/A | C:\Windows\System\hwsoDlA.exe | N/A |
| N/A | N/A | C:\Windows\System\NJDvNsZ.exe | N/A |
| N/A | N/A | C:\Windows\System\ipHImRk.exe | N/A |
| N/A | N/A | C:\Windows\System\loRsXEs.exe | N/A |
| N/A | N/A | C:\Windows\System\wwoHycb.exe | N/A |
| N/A | N/A | C:\Windows\System\VDAWoBo.exe | N/A |
| N/A | N/A | C:\Windows\System\faikVMY.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\GCZPhhx.exe
C:\Windows\System\GCZPhhx.exe
C:\Windows\System\asJxJsN.exe
C:\Windows\System\asJxJsN.exe
C:\Windows\System\Ulouvvt.exe
C:\Windows\System\Ulouvvt.exe
C:\Windows\System\tlnylwz.exe
C:\Windows\System\tlnylwz.exe
C:\Windows\System\DjemAUK.exe
C:\Windows\System\DjemAUK.exe
C:\Windows\System\bPwgeWz.exe
C:\Windows\System\bPwgeWz.exe
C:\Windows\System\KZnJwtN.exe
C:\Windows\System\KZnJwtN.exe
C:\Windows\System\hwsoDlA.exe
C:\Windows\System\hwsoDlA.exe
C:\Windows\System\BLXYJgY.exe
C:\Windows\System\BLXYJgY.exe
C:\Windows\System\NJDvNsZ.exe
C:\Windows\System\NJDvNsZ.exe
C:\Windows\System\vPyMEIZ.exe
C:\Windows\System\vPyMEIZ.exe
C:\Windows\System\ipHImRk.exe
C:\Windows\System\ipHImRk.exe
C:\Windows\System\SnAkFQI.exe
C:\Windows\System\SnAkFQI.exe
C:\Windows\System\loRsXEs.exe
C:\Windows\System\loRsXEs.exe
C:\Windows\System\EtlwrkE.exe
C:\Windows\System\EtlwrkE.exe
C:\Windows\System\wwoHycb.exe
C:\Windows\System\wwoHycb.exe
C:\Windows\System\OySaTXJ.exe
C:\Windows\System\OySaTXJ.exe
C:\Windows\System\VDAWoBo.exe
C:\Windows\System\VDAWoBo.exe
C:\Windows\System\oQOswPx.exe
C:\Windows\System\oQOswPx.exe
C:\Windows\System\faikVMY.exe
C:\Windows\System\faikVMY.exe
C:\Windows\System\cLIUFQt.exe
C:\Windows\System\cLIUFQt.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2308-0-0x000000013FFC0000-0x0000000140311000-memory.dmp
memory/2308-1-0x0000000000080000-0x0000000000090000-memory.dmp
C:\Windows\system\GCZPhhx.exe
| MD5 | 4b2d2eb532cfb0b879fb04ce0e3c5a75 |
| SHA1 | 28c72391744f094e8e6affe381eb95824d189b66 |
| SHA256 | 7af48cccdacf7e17ab88a4f7ed0b86470f2428d97c3460600b81be8959fc12fa |
| SHA512 | a18bf4573919a97cacc23232c44e880ec5467efc47fc71dcc0ca8ad09920adbedbd3b7975385f2b57c7ca8ab5a8314b1e609ec35033d2a1847cb93000b351a1c |
memory/2308-7-0x000000013F2F0000-0x000000013F641000-memory.dmp
C:\Windows\system\asJxJsN.exe
| MD5 | 3a362e7a2b8694ce0d74174127d185f9 |
| SHA1 | cab16443d264ed5a1ee719c774b9dea00934be13 |
| SHA256 | 4a8cbec33ebc8e9389f5ce85349418b2af51ad834c69af783deb4442d520ff13 |
| SHA512 | 2475fba8fcce78586a8ffff271f1a4c8de6492802e1704780bc7c5b041559c8e79c81d278c543739b17294163559c32c7d7cf25a26a1c907d98aaa9c76fff6e7 |
C:\Windows\system\Ulouvvt.exe
| MD5 | 952d498252f8b7f38947828cf86842ad |
| SHA1 | d0c54d4636b04e245fd45916f3bc5ad7d99ee73c |
| SHA256 | eda408c41d618fe570309ab0b5dbdc8130d0b73c746425f09d2a2fab64644cc7 |
| SHA512 | 42e566d9de3b8cfbbbfd9cec5c3a2d153e6e238300cb20c95ebc95b8c9621e41b6c4df50f614bf30a3961f70fa4044436c61081d150209c98495f2959fa049a8 |
C:\Windows\system\DjemAUK.exe
| MD5 | 301deb742e25d53c1e4160bf758424ea |
| SHA1 | 1bd327f1b1fe4c625f93686b7f4a669ff5a98b7c |
| SHA256 | fa6e10c6f7ba7910c8791a485caa79983c86b0640d0ac0203898fb094c605911 |
| SHA512 | 74b2c88acc4bbb88ea6a4aefb1dcd36d6311e8bf83fd7e6f3c18233a3f3b4c9425a6d5b933e261c7e456068c55ce8dfc723b89bbc453fa11ae46af3aeaa8429f |
memory/2308-25-0x00000000021B0000-0x0000000002501000-memory.dmp
\Windows\system\tlnylwz.exe
| MD5 | d07763b570bec0f346b373a0ad75603d |
| SHA1 | 33e097080582f17d2725cc2b0bc27493d9474b37 |
| SHA256 | b51b11d1911ecf3ec714a18c04f83816c07cab6f2b1f2baa03ff9e6455a1ceb1 |
| SHA512 | 1e48eef3517691f52a4dbbb2b7e9dcd706e7d1c8a37bdba7f8ccc02a8f75285911e8150a8855728f9895450cc1b61108c619ce55d0804b09fdb78fdfb5738bd2 |
memory/2308-23-0x000000013F0C0000-0x000000013F411000-memory.dmp
memory/2708-22-0x000000013FCA0000-0x000000013FFF1000-memory.dmp
memory/2308-21-0x00000000021B0000-0x0000000002501000-memory.dmp
memory/2808-20-0x000000013F0C0000-0x000000013F411000-memory.dmp
memory/2664-19-0x000000013F2F0000-0x000000013F641000-memory.dmp
memory/2872-39-0x000000013F630000-0x000000013F981000-memory.dmp
memory/2308-38-0x000000013F630000-0x000000013F981000-memory.dmp
\Windows\system\SnAkFQI.exe
| MD5 | a779c7db743a653ce9d638beba72f1c3 |
| SHA1 | 9c32c4c13b8eb1ab6534a814d86e7265378308e3 |
| SHA256 | 4a0d3198b667377d1b6f472aaa336885ea7e16b1ea335f4162b2134a32dbf113 |
| SHA512 | dc84327e305a4991c7dc21b2359166b4056a3c7ea60bc96935371804049171ab2784a00623398b002ee7cec44dcbb48b950a8615cf1d851a7c35e279d264a01b |
\Windows\system\vPyMEIZ.exe
| MD5 | d6ea440092951505619205c7b039b0ad |
| SHA1 | bf64c2ed7eea3f43a7782f3040586e036a0d8aa9 |
| SHA256 | e46dafb0174832e48e892b9a4a76a643ae880a8d5cba9f51d0122cc3c754d2fe |
| SHA512 | 6714131f56621b5d2d521bff33e79a96526275cbe768e3fa65acf2217acb008b5e0e255787417e09194fd75e52f0e26dbe37c3a27791af451a442ec1500cfc35 |
C:\Windows\system\KZnJwtN.exe
| MD5 | fa35d567a4ee924b68aec4c2777d9516 |
| SHA1 | 4469ac3ce8a546418faae4ab6a07862dd3bdb178 |
| SHA256 | f7652e6471c64c8434453854117a5b719141fff2d2d34bb986ffd3a2b1883c2a |
| SHA512 | f42a130724e8a3fcf4a73f221878e4217672593c89390ee9c2b0b26d70d2a7cbcf48238a7e4b07367aeceb026904b5bf6b895a4af86b01c4efeafe7e886a384c |
\Windows\system\BLXYJgY.exe
| MD5 | afc553fa36742eccadc61ba14feefc86 |
| SHA1 | 228253f2b44d48387c6b3c83f607f561438af528 |
| SHA256 | 0d54ff0ce37ebc17911debd00296754cec1fe3f7b8b82c3f92b3a947f93a581a |
| SHA512 | 80221d57f215bb028eed3b630e50f9aa83be68f39632e6433358df3ec1923274867629ac7bff014c20ef61c7097b61f3bde3219938a8e4cfefee9440a195ce28 |
memory/2764-37-0x000000013FD20000-0x0000000140071000-memory.dmp
memory/2308-47-0x000000013F3F0000-0x000000013F741000-memory.dmp
memory/2172-46-0x000000013F580000-0x000000013F8D1000-memory.dmp
\Windows\system\bPwgeWz.exe
| MD5 | 158e66c64bc3b83df73aa9acb7f6a7bb |
| SHA1 | 3396626c611981dbf30c6b34f100eb419550e1ae |
| SHA256 | 5d175114be87f8201368290f297f0f9ceeb633c76e0b1b28e360dfda3d20279a |
| SHA512 | c82cd5180457c6816330862ff8d0b40b1107e202d17463745d4f7f54ee89929832baf4fab9eb431c22d9627c2706b7173d9fed7ba1a1a8adc2e579df0ca57799 |
C:\Windows\system\wwoHycb.exe
| MD5 | bf580d2d1a9f128c49b8ff69ea7c47b8 |
| SHA1 | 69397f7c5936c2d58be955900747c1c79bb16b10 |
| SHA256 | 5929ea534f7ad4a3ece2f746693a3b46811e2a3a262ac3fb39d7dd6bc3c95275 |
| SHA512 | 08c8335e7476e19707e6e441c7e717630fcc986dbe0ab9c4bdd14a0acc9b21525c2d3e4ca613d0abf4c3c916da47fdfe28f179ccdfff03569ab84f068345c75e |
\Windows\system\faikVMY.exe
| MD5 | 46c374c1f296339623dd0cf3a4322bca |
| SHA1 | 9a7c6278027ad82cfc41de2016f4f92fe448c88f |
| SHA256 | 65856e86a90616e0d954cd4e2e1f72e238609b2a18c80df25414fad23a4c8d79 |
| SHA512 | deee64d2ce955473d2f7d93b852b8777884a8a7845beb04ad7210c8172282bd28ad5107b06f28a9d39a3377aedb0badc4e4fcebedbc9122773bd6636ae181b6d |
\Windows\system\VDAWoBo.exe
| MD5 | 14502f6d55f55de1af0415ae88325930 |
| SHA1 | 8fcb1c549e2a8ec644ec9614b75727ce923c9890 |
| SHA256 | f7b1491fef69a1489ec69e25dde850aac5be41a30223b61cb62c3cb800a0edf2 |
| SHA512 | c77919835a30f5d8ae3dce5ea8c6a37f997347915b659f53cdc0c98b26383800955f09f407f730b36e4f9b5c8637ee7ac5a569138faba4a1fc9079a8b3d4cdbf |
memory/2308-75-0x000000013FFC0000-0x0000000140311000-memory.dmp
\Windows\system\loRsXEs.exe
| MD5 | 066346c9857ca5214ef81a9c66747deb |
| SHA1 | ad0144021c8818d2d3a13ccc0ab15beec11a5bed |
| SHA256 | 5da5a1849871e98c7ca32b0da36eee87098506d7b66149fc6a991fe2821528f6 |
| SHA512 | 40af8bddc6ce20e4aa103507d7e71b1deb36fea9679cb49a06299049b03e14b71523941baf332d18ca49c25717d6278d227b8074213e946595367de89664d58c |
memory/2556-65-0x000000013F3F0000-0x000000013F741000-memory.dmp
\Windows\system\ipHImRk.exe
| MD5 | d24a3ca7bbaee238f4a5cf737fa9ba5a |
| SHA1 | 1c3187b27cc4d6a69562ee1f396920618e95b0f3 |
| SHA256 | 5e1d889e54d7480d08e65897e019202f92493d8710d41aaf23230285b15e37f7 |
| SHA512 | d13dd7d39b62021f00c612885d9dde28cdc34410d00c3a6d9cc996e06e392b16497867e339549e5fffbd924a51f21f87ea53d0626ebc57336b3972e3813c8aec |
memory/2308-58-0x000000013FC50000-0x000000013FFA1000-memory.dmp
\Windows\system\NJDvNsZ.exe
| MD5 | 015549dd36644c335a25f28a81538498 |
| SHA1 | 6514b7ae8901354fd1d70090f0b093525b449408 |
| SHA256 | 9769232965e2e217be6d214220e7849126e064f99eec5b32475de74dd13c8939 |
| SHA512 | d1d37c735b254e97cf932581f7b850d70174a5654d11ef20ef256f09d6ae6d9cd74818e8d479b55edef0146c65d6cf940b51ebb2c4944938067aa5c88bd34d0b |
\Windows\system\hwsoDlA.exe
| MD5 | bbf54077c1eabf314b0359998f1036ad |
| SHA1 | 213a81e48bf7d0f429b6dfb944377cab1a712406 |
| SHA256 | 5ebe07808f329d2a4632210a3738c2239ffc0b56dc89d5e3b0830448bd6ed2da |
| SHA512 | dc27cf17973a11f483c0e3beb2cc38c4279385df5252a3b2bc40ce778b14db8050d72e67e6044fbd0a356d9d774afcc37f5a0bf45665ae28a9842682b4ed5466 |
memory/2308-118-0x000000013FA60000-0x000000013FDB1000-memory.dmp
memory/2308-117-0x000000013F640000-0x000000013F991000-memory.dmp
memory/2308-116-0x000000013F8A0000-0x000000013FBF1000-memory.dmp
memory/2308-115-0x000000013F790000-0x000000013FAE1000-memory.dmp
memory/2308-114-0x00000000021B0000-0x0000000002501000-memory.dmp
memory/2308-113-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2888-112-0x000000013F640000-0x000000013F991000-memory.dmp
memory/2308-111-0x000000013FAF0000-0x000000013FE41000-memory.dmp
memory/3056-110-0x000000013FD00000-0x0000000140051000-memory.dmp
C:\Windows\system\cLIUFQt.exe
| MD5 | 15752b24422404316c5020ad28004880 |
| SHA1 | 2aefb465f5e3a2c89f14b5f12db46ba59fbac49a |
| SHA256 | 7635d32c161132fe9f9de33832f878942ba5f32a2480db7c064fd39d18d2ab2f |
| SHA512 | 22da87fdd2ce7a41f6e856b61c8547fec8aaf080617a0028521e5898106eb51570800e55f4f796ef80a71477f9e84bcbf698b9884fe563ef111edc28b4234195 |
C:\Windows\system\oQOswPx.exe
| MD5 | 66130f00482bac899b26a32bf837fbed |
| SHA1 | 5450fa305cdf2cfcf1d77d1b56fd11d4c6cdcaf4 |
| SHA256 | a625e8b3e835146eb67b260f8761e3b6a200bbcb1281f7a05575d778aa60462d |
| SHA512 | 6f098119147730cfe1c30b30701240922bf287ffcc886de881b24f6942d0da5d92777d12e35efb8f3ef11c3268938a188290f1836486546c72bafaf64bef50f9 |
C:\Windows\system\OySaTXJ.exe
| MD5 | dabc9787818df944141cf4eb490c24f6 |
| SHA1 | 8c8577e84bb87ad3da88ceaee208a44c36f5c075 |
| SHA256 | f2283f372b62d8b59253f09eebefec127114074b70f0e11260c4f7e6b710bdfc |
| SHA512 | 7e02cb7a31339cd9767958e4bbfc33c9c2f0c841dfcaad51ee5087a36333087c8df35126d876bf88f316e9ab5f9706799311f9a752673a757486482b741e53ce |
C:\Windows\system\EtlwrkE.exe
| MD5 | 2d13e88985e10c6ad036908c6ae59b31 |
| SHA1 | 002e1fbd8741ce5a1dd12f73f42f01e33e576a19 |
| SHA256 | f5e8c0a4eca72bdd09cd5c120741e6f4eef9d051da18cb34a525951e2315d75d |
| SHA512 | 916b3adebb2a5072e00a7a4d1d1012dce7e9a41b6552ab9b85d3c4d86820b0e1d8aba0662dd9b27d994b59cff8c25a45d9c04e2fe5c8df653eda32aa83e30954 |
memory/2532-100-0x000000013F790000-0x000000013FAE1000-memory.dmp
memory/2308-40-0x000000013F580000-0x000000013F8D1000-memory.dmp
memory/2664-133-0x000000013F2F0000-0x000000013F641000-memory.dmp
memory/2308-134-0x000000013FFC0000-0x0000000140311000-memory.dmp
memory/2604-142-0x000000013FC50000-0x000000013FFA1000-memory.dmp
memory/636-146-0x000000013FA40000-0x000000013FD91000-memory.dmp
memory/3008-149-0x000000013FA60000-0x000000013FDB1000-memory.dmp
memory/1616-154-0x000000013F4F0000-0x000000013F841000-memory.dmp
memory/1716-153-0x000000013FF90000-0x00000001402E1000-memory.dmp
memory/2656-152-0x000000013FC90000-0x000000013FFE1000-memory.dmp
memory/2836-151-0x000000013FEF0000-0x0000000140241000-memory.dmp
memory/2156-150-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2912-148-0x000000013FAF0000-0x000000013FE41000-memory.dmp
memory/3036-144-0x000000013F8A0000-0x000000013FBF1000-memory.dmp
memory/2532-143-0x000000013F790000-0x000000013FAE1000-memory.dmp
memory/2556-141-0x000000013F3F0000-0x000000013F741000-memory.dmp
memory/2172-140-0x000000013F580000-0x000000013F8D1000-memory.dmp
memory/2360-155-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/2308-156-0x000000013FFC0000-0x0000000140311000-memory.dmp
memory/2664-201-0x000000013F2F0000-0x000000013F641000-memory.dmp
memory/2708-203-0x000000013FCA0000-0x000000013FFF1000-memory.dmp
memory/2808-205-0x000000013F0C0000-0x000000013F411000-memory.dmp
memory/2764-226-0x000000013FD20000-0x0000000140071000-memory.dmp
memory/2872-228-0x000000013F630000-0x000000013F981000-memory.dmp
memory/2172-232-0x000000013F580000-0x000000013F8D1000-memory.dmp
memory/3056-231-0x000000013FD00000-0x0000000140051000-memory.dmp
memory/2532-234-0x000000013F790000-0x000000013FAE1000-memory.dmp
memory/2556-238-0x000000013F3F0000-0x000000013F741000-memory.dmp
memory/2888-236-0x000000013F640000-0x000000013F991000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-07 21:47
Reported
2024-08-07 21:50
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System\NXWaKia.exe | N/A |
| N/A | N/A | C:\Windows\System\HSwFOCr.exe | N/A |
| N/A | N/A | C:\Windows\System\mVzEdQz.exe | N/A |
| N/A | N/A | C:\Windows\System\BlDTbzW.exe | N/A |
| N/A | N/A | C:\Windows\System\ktYcrbz.exe | N/A |
| N/A | N/A | C:\Windows\System\npFIGmX.exe | N/A |
| N/A | N/A | C:\Windows\System\enidYYX.exe | N/A |
| N/A | N/A | C:\Windows\System\STPoFxy.exe | N/A |
| N/A | N/A | C:\Windows\System\yXGLWYU.exe | N/A |
| N/A | N/A | C:\Windows\System\tKeMXAf.exe | N/A |
| N/A | N/A | C:\Windows\System\nvKCmqP.exe | N/A |
| N/A | N/A | C:\Windows\System\ihygGaC.exe | N/A |
| N/A | N/A | C:\Windows\System\fDoHBjo.exe | N/A |
| N/A | N/A | C:\Windows\System\qHcBjGd.exe | N/A |
| N/A | N/A | C:\Windows\System\CxHkpFQ.exe | N/A |
| N/A | N/A | C:\Windows\System\OrRPNuY.exe | N/A |
| N/A | N/A | C:\Windows\System\vHdALOT.exe | N/A |
| N/A | N/A | C:\Windows\System\PwJeMzI.exe | N/A |
| N/A | N/A | C:\Windows\System\KXOSlIf.exe | N/A |
| N/A | N/A | C:\Windows\System\CDykOFa.exe | N/A |
| N/A | N/A | C:\Windows\System\zzYGMmi.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_fba34cf4973da0b771605f9dd845a1d3_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\NXWaKia.exe
C:\Windows\System\NXWaKia.exe
C:\Windows\System\HSwFOCr.exe
C:\Windows\System\HSwFOCr.exe
C:\Windows\System\mVzEdQz.exe
C:\Windows\System\mVzEdQz.exe
C:\Windows\System\BlDTbzW.exe
C:\Windows\System\BlDTbzW.exe
C:\Windows\System\ktYcrbz.exe
C:\Windows\System\ktYcrbz.exe
C:\Windows\System\npFIGmX.exe
C:\Windows\System\npFIGmX.exe
C:\Windows\System\enidYYX.exe
C:\Windows\System\enidYYX.exe
C:\Windows\System\STPoFxy.exe
C:\Windows\System\STPoFxy.exe
C:\Windows\System\yXGLWYU.exe
C:\Windows\System\yXGLWYU.exe
C:\Windows\System\tKeMXAf.exe
C:\Windows\System\tKeMXAf.exe
C:\Windows\System\nvKCmqP.exe
C:\Windows\System\nvKCmqP.exe
C:\Windows\System\ihygGaC.exe
C:\Windows\System\ihygGaC.exe
C:\Windows\System\fDoHBjo.exe
C:\Windows\System\fDoHBjo.exe
C:\Windows\System\qHcBjGd.exe
C:\Windows\System\qHcBjGd.exe
C:\Windows\System\CxHkpFQ.exe
C:\Windows\System\CxHkpFQ.exe
C:\Windows\System\OrRPNuY.exe
C:\Windows\System\OrRPNuY.exe
C:\Windows\System\vHdALOT.exe
C:\Windows\System\vHdALOT.exe
C:\Windows\System\PwJeMzI.exe
C:\Windows\System\PwJeMzI.exe
C:\Windows\System\KXOSlIf.exe
C:\Windows\System\KXOSlIf.exe
C:\Windows\System\CDykOFa.exe
C:\Windows\System\CDykOFa.exe
C:\Windows\System\zzYGMmi.exe
C:\Windows\System\zzYGMmi.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3564-0-0x00007FF7C9500000-0x00007FF7C9851000-memory.dmp
memory/3564-1-0x0000025A2ADE0000-0x0000025A2ADF0000-memory.dmp
C:\Windows\System\NXWaKia.exe
| MD5 | b2c386ddf4b19a2421a347cda55df4d8 |
| SHA1 | 9ea08eedd57fab4e7f003376169f10c02b285abe |
| SHA256 | 3b8fa17dce4bf2a92302a1df4b7c436fe3c8e8ffd1d4571f491ac5976ec7b6cc |
| SHA512 | 926e27db7b4074a90cdc637de382793df0199b43255e885c24bfb42eea642d369f3922f88c2b8cc28fa70754f24fe98e53a43aad44ed3a912a8ed5c72df953d2 |
C:\Windows\System\HSwFOCr.exe
| MD5 | 91e4115c33dcb82b2fd97ae6c6c09b3c |
| SHA1 | f0fe10838b3bc4fe9ff91caa8154f44b8ce9dfe0 |
| SHA256 | 90fa58e2d75aa75bf4f6e7bea0fcdaa57bb4e4a610d7cc9ac1258745577aec90 |
| SHA512 | 50f6a0b786d98dd6eb313b24cd6c64ce9c440e58cec2f64848b9461caa9722804bad1656f9fafa0941fde8b5b5ab2487970007ebc3cbcde03bd5faabc2c4ccd8 |
C:\Windows\System\BlDTbzW.exe
| MD5 | aa8d1cd263dbffe27ba626b80d68bb5d |
| SHA1 | a3adfa9f2bde39438a9cb4ddb729cc23b6566eb6 |
| SHA256 | 52451d4ff464ef822a44b71b9184d77e6ec608b5aa7f5ee72a95d3ff6d0c5aa8 |
| SHA512 | 273bbb0647e4285512f5dbc23c4e33d50b614b6cf2f78262b8c6b6c76389682621e07d55c33173ca37b1c0bc251a6c1e1adbe22705da451393b541c1079fec8b |
C:\Windows\System\STPoFxy.exe
| MD5 | 03ff789df2ee08c7bfe254c48b934834 |
| SHA1 | e1a18f95ca49ba46d06771239e902d3f7667073f |
| SHA256 | f7ea4c1eb19767e1a60dd3109e473ebe39f385592f8a3a0eef57fdd4ccb8b5b1 |
| SHA512 | d87023ca8e5b419854ffb5ced6afc2ae9395600806f0c933cb690407c442847b6d06e4bc95f1a33fe7ae595f5703d1bef3bc93a3087be957b847c333157c75e5 |
C:\Windows\System\tKeMXAf.exe
| MD5 | 7fbf6a21784a5e99718e39d9097be355 |
| SHA1 | ff8bba0fa540e41643f451ae6ac81da9e0a9ada4 |
| SHA256 | 1f51d37d307c735e8394a5ceb48f0fd1e72737d1f029322ebddd28653d5f87eb |
| SHA512 | becbf513fd0e678d85536d3dd3b3400c823f156092efea8b7ab8babd72eefd184e06bbd9e3babcd2104592ad1e86b5f73c85d57a3f8892993f8e624a736b7710 |
C:\Windows\System\fDoHBjo.exe
| MD5 | d1a0523ced9ec8aa1488dea9432be190 |
| SHA1 | 3aeb573fb4f681e07d9351bb7d5cab8255bd7f02 |
| SHA256 | 29d5e2340467ef7da9a192e19abb987859d1f7e032c48354f80f1d5ec219dbff |
| SHA512 | fb0f5c9a757a5b0d5829b1e3ded80435b86b7609ecdb330f351776651251a72c10900998484138e21d5c849ffadbea5a8b34210d0fc3d524c2f68e563402bed9 |
C:\Windows\System\nvKCmqP.exe
| MD5 | 53d32abe752558c98d681441f387ac1c |
| SHA1 | 386c9490b7d8057a069595ba9dfdfa6d2e4a62fa |
| SHA256 | ad56b3488629028083178fff32b054d2078fcc9dfeed7798de6b47424e095627 |
| SHA512 | 61ffb1d04488738b1372db75da82299df105b5a625033bafa2acdf6284033a8523e393f7f2898afcf2c6106f1cb154010e994cb951dda34342212139072ba380 |
C:\Windows\System\CxHkpFQ.exe
| MD5 | 1aff857f098422f78139b11fd766cfc2 |
| SHA1 | de22036521d2a80583329d07dcdfd8088a63418d |
| SHA256 | 2444bbec67cacd9acc7fd9e6c3a25d374a5890dec83c04fed0a952e8be2f0334 |
| SHA512 | 4f92df8f787fda12ee5a307cf6a15f47e84c04c95d17063555fbde230b3a4a77d7e2582a7ffd0661ec24712c68d06c4326b76efa0986dc8d945f5a1e2f403036 |
C:\Windows\System\OrRPNuY.exe
| MD5 | 8e222c1604c6adc3f41c65d7e4c8def0 |
| SHA1 | c29e81dad714632d506801e323630434aae996f2 |
| SHA256 | ede62ef4f04006564e960a61897443b27c00fb3e50a7e4c1a94c492a04e38019 |
| SHA512 | 72f9cb3195a0b26a7d4c6de225ded94d9e28ff1a03cd76ad1458f6a0731b80eefdde489e12350cbaaec8994a6a6840294b3065523338bf6a37fa39c2e17fb19a |
memory/1436-98-0x00007FF77E6E0000-0x00007FF77EA31000-memory.dmp
C:\Windows\System\KXOSlIf.exe
| MD5 | c1c708f28c7edc5076ed05f317bb47f7 |
| SHA1 | 4a995467bcc26af495ae705106c9056fb02dc95f |
| SHA256 | 2e37d398e2799df94779939f2e31c7195039e36bc1ecf4c7db245a87b0e6ca4c |
| SHA512 | 192f6592b2a87ba9d539bdca6d16744fca8bf29283d876e9a6dd2593f191712d07a840880ecc4216882d83ae5079b5a0210df70410b8d0dacba0cfbb2cc12ac3 |
memory/60-116-0x00007FF6CBBC0000-0x00007FF6CBF11000-memory.dmp
memory/884-115-0x00007FF7D4BC0000-0x00007FF7D4F11000-memory.dmp
memory/2760-112-0x00007FF784A80000-0x00007FF784DD1000-memory.dmp
C:\Windows\System\vHdALOT.exe
| MD5 | 6101c30bfae01ae04ea1052cb9065719 |
| SHA1 | 85c0f536457b109ebb78c3270f8acc295ca9b4a8 |
| SHA256 | 7605fc0ff80ec13d585575a07fc8088f6c648357ad815a6c1ccc599e8168c117 |
| SHA512 | 752a09365a2723ac3372fbd43c56df2ee2f76412b13b83eb8d4be7196fb7564a78da57ae4a896db748580051ea9b65b7e4d3398079ea133995b2e3b665c9d3dd |
C:\Windows\System\PwJeMzI.exe
| MD5 | b24aa4f151fec7a0ad61c274c238ca11 |
| SHA1 | 5f25708372b434361e9820e019023f66aa979228 |
| SHA256 | 64cb20d7f6b0de0f98cfbe48d4d53369f2713d229654a4f0945bcbef957bc883 |
| SHA512 | 16906a6105a2634af424921f520ab4b7ea5c6e389c2388d87feaae2fb712d43f864049adf2d216ebddf926f9fd927f0c2295ec36dfe76fd23632b8f54a3e8b0a |
memory/640-107-0x00007FF77FCC0000-0x00007FF780011000-memory.dmp
memory/2884-106-0x00007FF61ABC0000-0x00007FF61AF11000-memory.dmp
memory/1428-104-0x00007FF6CBA70000-0x00007FF6CBDC1000-memory.dmp
memory/4000-88-0x00007FF64B8C0000-0x00007FF64BC11000-memory.dmp
C:\Windows\System\qHcBjGd.exe
| MD5 | 3c9088d0ec5712346713919f55ef34a4 |
| SHA1 | 2bf2ad0a191081b54726cfa8db9e4f3474f6ad10 |
| SHA256 | 98ae8be8dfd99c3c0e55d1e12ccdb487410937eb9266c38a7594986c5cfbbd96 |
| SHA512 | dce26d4a8d149534e9d5819d748da0e595f8b19dae11606c442062322e3ec4327757a84ec514fc0d233ea4887b187dfad1859183ee8ff4aa298ba3cbb7691c6b |
memory/4672-82-0x00007FF7D10F0000-0x00007FF7D1441000-memory.dmp
C:\Windows\System\ihygGaC.exe
| MD5 | d21695cf5a1c53854f7c2b50d3f931a2 |
| SHA1 | 303b11d9f9295b576755813c9ff1c1399fa6804f |
| SHA256 | 620e098eae02fa2fb76e4820f5c42a095cfa5b43763750f87f14c24d938e4305 |
| SHA512 | 3ad1f01bf262e403bc1191f9fdb20e1fdde345b089d0c3039bcd93b75c39933cf7f9698f0566aa54884282f3ac68026fc9a6feb56af171cd5226da667b6a14da |
memory/3600-74-0x00007FF6C0340000-0x00007FF6C0691000-memory.dmp
memory/1640-73-0x00007FF63D390000-0x00007FF63D6E1000-memory.dmp
C:\Windows\System\yXGLWYU.exe
| MD5 | f1616348aef8005d0322f379ceed148f |
| SHA1 | 87ff4e1460339cc5e3694f457b0e669da6f655de |
| SHA256 | 23a45676c836473a8d9b70d5a555bf3ae26333cb759756c17b79d29cec165bed |
| SHA512 | 2dee0c4278d5d40ae8b2d8708a8abc528828edb126f3999032b75db07cec2471aa5e3bcc8fc513636648b66b243385dff34a656bfb95725bd312bf84f19f1bd3 |
memory/1520-60-0x00007FF640DE0000-0x00007FF641131000-memory.dmp
C:\Windows\System\enidYYX.exe
| MD5 | 0cd1e939c25274ae366b0f73668203eb |
| SHA1 | ad3d2547fd34389faab335ccc633197b701fb2df |
| SHA256 | bb4f68b2f9884e4e98cf3262ac5cea388c6ad46e394ad45cf240c43ba97c3808 |
| SHA512 | 1ea74f25422f98445efbca3de54c669a83934a76695444e3804516d9a825c5f85961c5e1ea7424fa93e6b0b6433e5f251338bc9a0f790824e7aaaa7d317ee7e5 |
memory/1980-45-0x00007FF617670000-0x00007FF6179C1000-memory.dmp
memory/320-41-0x00007FF6D8AA0000-0x00007FF6D8DF1000-memory.dmp
C:\Windows\System\npFIGmX.exe
| MD5 | f3181d1bed8708610394d49ec2cf268a |
| SHA1 | 5b69eddfa881ea00f30c008087ecc4844c281c45 |
| SHA256 | d81a84b3892d1910a3fa911b241a465d050a064cb7a21d8e6de2b4206b28d03b |
| SHA512 | e6220898f7934068c31beaf56b84eca354540aeb5d4581cc1faafb8bd3583993030873d081417338ffd76737e4e36200d8517d07886968fab8abb6c6b8d5f902 |
memory/2204-37-0x00007FF77BA40000-0x00007FF77BD91000-memory.dmp
memory/5084-35-0x00007FF6CC530000-0x00007FF6CC881000-memory.dmp
C:\Windows\System\ktYcrbz.exe
| MD5 | 073ad5911a2c624fcdac33527c90026a |
| SHA1 | 0d3b6674043b3f16299892c30916d999b1848c49 |
| SHA256 | 63cd3a683c7efad340df2aefc4eae560137c8eeb1998d80d169c8e2f607cc8f9 |
| SHA512 | 618c72d8c1c9db89026aa6284568acdee212b9ff020279e727975a37f5c5daaa0fa50c2fbcd52eb8813173ee08eaf32607fdaa21b34bf54f0ea8e097ffbcd499 |
memory/4428-26-0x00007FF7E88F0000-0x00007FF7E8C41000-memory.dmp
memory/1920-19-0x00007FF6BDB30000-0x00007FF6BDE81000-memory.dmp
C:\Windows\System\mVzEdQz.exe
| MD5 | 031f819429cce170fbbf447c099df792 |
| SHA1 | d13c4578670499437772a5dc7d138e7e274bde7b |
| SHA256 | f66c44fded9d82aacb13312236c71da4f35457a7d1d75dc7e851071beac22c09 |
| SHA512 | c83cd440462b8b40c513d50b35dc450181f934ef9bef49b76553262322a584ff310cfba8a6998bbb1c8d98c902e8d38d7e392d0a98f7cd65c2c2c2d53b4c8f2c |
memory/4292-7-0x00007FF6D3C80000-0x00007FF6D3FD1000-memory.dmp
C:\Windows\System\CDykOFa.exe
| MD5 | 057c809964d300cf52566b843e6277e1 |
| SHA1 | a2882dd1499e95f0bfc1a98f53479935aafe860e |
| SHA256 | f1f119b80429ba4437b588b3821de3c0fe586bea8d46a092037ca512b245b3fd |
| SHA512 | da1e553692c82c586e79806acfa8c55cddd93d70d8d50609eae38095c1617009df391dcb94e1ee29d0cf2f1810926fe666bd4fef1671d53585e48218b8e42a7c |
memory/4968-120-0x00007FF7BA8D0000-0x00007FF7BAC21000-memory.dmp
C:\Windows\System\zzYGMmi.exe
| MD5 | 88a1ed4d9923cf6df29ffee0036127bd |
| SHA1 | 1c737c06de75e519a8f8bbbe88e764bb35b7467f |
| SHA256 | d74eb943102a091e5076dd3133bfc1674f67e35961d6cae5405917932047c4dd |
| SHA512 | bbaef8e0e89e2e40d3aed403954e0b168822f0d66dcc91dcda85bb9366bd34d839ec4a4351473d4ecf228f2070f285609b197251bfc98156de326228e32a1318 |
memory/2460-128-0x00007FF64F610000-0x00007FF64F961000-memory.dmp
memory/3564-127-0x00007FF7C9500000-0x00007FF7C9851000-memory.dmp
memory/5084-134-0x00007FF6CC530000-0x00007FF6CC881000-memory.dmp
memory/3564-129-0x00007FF7C9500000-0x00007FF7C9851000-memory.dmp
memory/1980-137-0x00007FF617670000-0x00007FF6179C1000-memory.dmp
memory/4000-143-0x00007FF64B8C0000-0x00007FF64BC11000-memory.dmp
memory/3600-141-0x00007FF6C0340000-0x00007FF6C0691000-memory.dmp
memory/4968-149-0x00007FF7BA8D0000-0x00007FF7BAC21000-memory.dmp
memory/1520-136-0x00007FF640DE0000-0x00007FF641131000-memory.dmp
memory/320-135-0x00007FF6D8AA0000-0x00007FF6D8DF1000-memory.dmp
memory/1920-131-0x00007FF6BDB30000-0x00007FF6BDE81000-memory.dmp
memory/4292-130-0x00007FF6D3C80000-0x00007FF6D3FD1000-memory.dmp
memory/1640-139-0x00007FF63D390000-0x00007FF63D6E1000-memory.dmp
memory/640-147-0x00007FF77FCC0000-0x00007FF780011000-memory.dmp
memory/3564-150-0x00007FF7C9500000-0x00007FF7C9851000-memory.dmp
memory/4292-197-0x00007FF6D3C80000-0x00007FF6D3FD1000-memory.dmp
memory/4428-199-0x00007FF7E88F0000-0x00007FF7E8C41000-memory.dmp
memory/1920-201-0x00007FF6BDB30000-0x00007FF6BDE81000-memory.dmp
memory/2204-203-0x00007FF77BA40000-0x00007FF77BD91000-memory.dmp
memory/5084-205-0x00007FF6CC530000-0x00007FF6CC881000-memory.dmp
memory/1520-207-0x00007FF640DE0000-0x00007FF641131000-memory.dmp
memory/320-209-0x00007FF6D8AA0000-0x00007FF6D8DF1000-memory.dmp
memory/1980-211-0x00007FF617670000-0x00007FF6179C1000-memory.dmp
memory/1640-217-0x00007FF63D390000-0x00007FF63D6E1000-memory.dmp
memory/3600-219-0x00007FF6C0340000-0x00007FF6C0691000-memory.dmp
memory/4672-221-0x00007FF7D10F0000-0x00007FF7D1441000-memory.dmp
memory/1436-216-0x00007FF77E6E0000-0x00007FF77EA31000-memory.dmp
memory/1428-214-0x00007FF6CBA70000-0x00007FF6CBDC1000-memory.dmp
memory/640-227-0x00007FF77FCC0000-0x00007FF780011000-memory.dmp
memory/4000-232-0x00007FF64B8C0000-0x00007FF64BC11000-memory.dmp
memory/2884-233-0x00007FF61ABC0000-0x00007FF61AF11000-memory.dmp
memory/2760-230-0x00007FF784A80000-0x00007FF784DD1000-memory.dmp
memory/884-226-0x00007FF7D4BC0000-0x00007FF7D4F11000-memory.dmp
memory/60-224-0x00007FF6CBBC0000-0x00007FF6CBF11000-memory.dmp
memory/4968-236-0x00007FF7BA8D0000-0x00007FF7BAC21000-memory.dmp
memory/2460-238-0x00007FF64F610000-0x00007FF64F961000-memory.dmp