Analysis Overview
SHA256
704131dad1674a92f450dcf24ae7279a5f743e0bd6d886bb3408ee17a529446e
Threat Level: Known bad
The file 2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
xmrig
Xmrig family
Cobaltstrike family
XMRig Miner payload
Cobaltstrike
Cobalt Strike reflective loader
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-08-07 22:44
Signatures
Cobalt Strike reflective loader
1 match; no description, indicator, process or target recorded.
Cobaltstrike family
XMRig Miner payload
1 match; no description, indicator, process or target recorded.
Xmrig family
UPX packed file
1 match; no description, indicator, process or target recorded.
Unsigned PE
1 match; no description, indicator, process or target recorded.
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-07 22:44
Reported
2024-08-07 22:47
Platform
win7-20240729-en
Max time kernel
138s
Max time network
148s
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target recorded.
Cobaltstrike
xmrig
XMRig Miner payload
60 matches; no description, indicator, process or target recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\tjnEMac.exe | N/A |
| N/A | N/A | C:\Windows\System\ryFveAK.exe | N/A |
| N/A | N/A | C:\Windows\System\OBrxPDQ.exe | N/A |
| N/A | N/A | C:\Windows\System\pgwImoi.exe | N/A |
| N/A | N/A | C:\Windows\System\cKKyKpz.exe | N/A |
| N/A | N/A | C:\Windows\System\eycDneJ.exe | N/A |
| N/A | N/A | C:\Windows\System\fKGitVm.exe | N/A |
| N/A | N/A | C:\Windows\System\KLDNxnv.exe | N/A |
| N/A | N/A | C:\Windows\System\cLKGDvT.exe | N/A |
| N/A | N/A | C:\Windows\System\kXbXaoo.exe | N/A |
| N/A | N/A | C:\Windows\System\QlDhkGT.exe | N/A |
| N/A | N/A | C:\Windows\System\yXXdRyM.exe | N/A |
| N/A | N/A | C:\Windows\System\bhHYCib.exe | N/A |
| N/A | N/A | C:\Windows\System\gEhmlWA.exe | N/A |
| N/A | N/A | C:\Windows\System\zHUvTXO.exe | N/A |
| N/A | N/A | C:\Windows\System\mMvyBqp.exe | N/A |
| N/A | N/A | C:\Windows\System\DaXnYFU.exe | N/A |
| N/A | N/A | C:\Windows\System\dohHquR.exe | N/A |
| N/A | N/A | C:\Windows\System\mipktnB.exe | N/A |
| N/A | N/A | C:\Windows\System\CJSsLwb.exe | N/A |
| N/A | N/A | C:\Windows\System\jgEopYi.exe | N/A |
Loads dropped DLL
UPX packed file
59 matches; no description, indicator, process or target recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\tjnEMac.exe
C:\Windows\System\tjnEMac.exe
C:\Windows\System\ryFveAK.exe
C:\Windows\System\ryFveAK.exe
C:\Windows\System\OBrxPDQ.exe
C:\Windows\System\OBrxPDQ.exe
C:\Windows\System\pgwImoi.exe
C:\Windows\System\pgwImoi.exe
C:\Windows\System\cKKyKpz.exe
C:\Windows\System\cKKyKpz.exe
C:\Windows\System\eycDneJ.exe
C:\Windows\System\eycDneJ.exe
C:\Windows\System\fKGitVm.exe
C:\Windows\System\fKGitVm.exe
C:\Windows\System\KLDNxnv.exe
C:\Windows\System\KLDNxnv.exe
C:\Windows\System\cLKGDvT.exe
C:\Windows\System\cLKGDvT.exe
C:\Windows\System\QlDhkGT.exe
C:\Windows\System\QlDhkGT.exe
C:\Windows\System\kXbXaoo.exe
C:\Windows\System\kXbXaoo.exe
C:\Windows\System\yXXdRyM.exe
C:\Windows\System\yXXdRyM.exe
C:\Windows\System\bhHYCib.exe
C:\Windows\System\bhHYCib.exe
C:\Windows\System\gEhmlWA.exe
C:\Windows\System\gEhmlWA.exe
C:\Windows\System\zHUvTXO.exe
C:\Windows\System\zHUvTXO.exe
C:\Windows\System\mMvyBqp.exe
C:\Windows\System\mMvyBqp.exe
C:\Windows\System\DaXnYFU.exe
C:\Windows\System\DaXnYFU.exe
C:\Windows\System\dohHquR.exe
C:\Windows\System\dohHquR.exe
C:\Windows\System\mipktnB.exe
C:\Windows\System\mipktnB.exe
C:\Windows\System\CJSsLwb.exe
C:\Windows\System\CJSsLwb.exe
C:\Windows\System\jgEopYi.exe
C:\Windows\System\jgEopYi.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/2632-0-0x000000013F2C0000-0x000000013F614000-memory.dmp
memory/2632-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\tjnEMac.exe
| MD5 | 214158e4261489d96ad8a102e7d88379 |
| SHA1 | 47e3dc0a3e8b5562270f56ce1f2b3f602898b594 |
| SHA256 | af4d564417bd8eed2109d31da2d22995f59d8a1ebe784b4621eff3d1477bfc5b |
| SHA512 | 826da1d7cd3010af8a72090958ae94d7aa44759722bd55914cbe4dda673df1ebc8aeea09bf8f9568403ed63e677af7e625a83a6aa2c6b7de172252c978efdceb |
\Windows\system\ryFveAK.exe
| MD5 | 3fe5a1c3d3e38c29887563eeeacfb1f8 |
| SHA1 | 4df014c8f8ff87c62d4ada6f6fde1ec10e0c368b |
| SHA256 | 7495c36bbce6a962a224c2e31d03fbbbc1984016e1d9231c2299449ea1c6f39a |
| SHA512 | e68a93dd48bc23293b5c297097e9b31e2692c1d0166153bdf4ac89bbc4e61f45687523f941695ed25199e947d1cf3bddfd5f6d3b086698bcd9adb23334b86f22 |
memory/2632-21-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/2876-22-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/2688-20-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2764-18-0x000000013FD70000-0x00000001400C4000-memory.dmp
C:\Windows\system\OBrxPDQ.exe
| MD5 | 1f658eeae3d1a0bdb964c309d421e4dd |
| SHA1 | 0988e3bc5a9bc76514ebfbd7dbc5816f2fcb44c7 |
| SHA256 | a27d1bf169a3aab9eb2297a2e5cb091a7bfd122f40943f9a4dcea87ddc64274e |
| SHA512 | 4fb38144345d772cb275f69694caf11993f96d3f9a194590b20904972746d214840ca4ad66a8b74865222c73e8c57ad1322f0c90d938a0670abebed242e5245a |
\Windows\system\pgwImoi.exe
| MD5 | 735d60dbe2f1fb6cd194be6bc503af30 |
| SHA1 | af7099e5bac8ca964d90db7e3eeaaf4579d3c239 |
| SHA256 | 74dcd642c1f889d7bf23550c81b679675b6aa83229a985cd1a99e581ecf43ba7 |
| SHA512 | 958ee9c15888b58a4c855b6326131ed7d4022933a35b8415e57d42f7da8920625fdd61975f010cfb3cab83c37fb8712af5df452215eb246c588b2ccba0ea25f5 |
memory/2632-24-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/2632-12-0x00000000023A0000-0x00000000026F4000-memory.dmp
C:\Windows\system\cKKyKpz.exe
| MD5 | 8ef90ed04ad15c9deb2af952b6a1a597 |
| SHA1 | c5c6ec3a5a3f3a6e84a7bbf4b6b93b5bc8671ac3 |
| SHA256 | d2ada8f218c2d33b8667b86deb261bf418be3352e9a9592d3d95a423ad635ed2 |
| SHA512 | 9ce7ebd9e13fde1020d94e8d5500b538552adb0b6e45dbb7b3beb182de8361cae959601db73e2918bce5b818710ffd3d891026dc450f56436db0a5fc01bef139 |
memory/2676-35-0x000000013F560000-0x000000013F8B4000-memory.dmp
C:\Windows\system\eycDneJ.exe
| MD5 | 5789d35707948d355efe9c60edccba9d |
| SHA1 | 23340eb05efb667b7fb48e51c231743f50e1b5a9 |
| SHA256 | 549cf3e480a0099e341e4c23a05c13c5dd5e9e4e8e25cc0407bea1af75246abe |
| SHA512 | 53441c41bc9968f37988ef54f2f728a7d0d3dea85215b3823b9da58d5770f74071a159cef73c5deab6867cdcc0a29e0ec0f8ace86065ac2cb1daa2da5bd83110 |
C:\Windows\system\fKGitVm.exe
| MD5 | 2a201ae27d2c87195681defe3f5d6be4 |
| SHA1 | 3d5c4aecd8c43e4221e32db5853277c1859743f2 |
| SHA256 | e2996f461285dd6a5d661e3f1d359b4d3e406ce36c89adcd7c59363540825bbb |
| SHA512 | 05cf820f41b8eff62f0d00e096b149304f12aa328f386c4ca16a88f22cfe3ba2c8ac3d29af41166b019d76fdd74960b55b704c9a75ffe1dc043bea89a19fb140 |
memory/2632-67-0x000000013F2C0000-0x000000013F614000-memory.dmp
memory/2964-55-0x000000013F1F0000-0x000000013F544000-memory.dmp
\Windows\system\bhHYCib.exe
| MD5 | 7b44f36b32b223e7af0a58146d308e25 |
| SHA1 | d29593f6c3a1a7832078124d3169e6ac6bdfccab |
| SHA256 | 7d259a78c70ba04c72632cfcc440780ad2913171b8166c7de1811c400c57c02b |
| SHA512 | 8997cb7a85ed358ca6e9d81f22dcae096b52d0d0e5706b6d04d626ba4fd9e4f0307c335d530c12e5d2c64ac7a00cc6ff0b62501dc67e5d8801f92a6483441100 |
memory/1716-90-0x000000013F730000-0x000000013FA84000-memory.dmp
C:\Windows\system\mMvyBqp.exe
| MD5 | 658f02e1491decff0abf1c7156b839ba |
| SHA1 | 65b050628e393e8f2b1bb5c58753ccb7f480c28c |
| SHA256 | 6551ac056a68cb9a063bb387c0cb821897c8eac74908a8ee1a2b082ba1c50cfc |
| SHA512 | 6e6858f1132b80615a50dc88b3d9037d684a40302b00b299b3c5723c2e8f4226d3dbd0cfed44ecc3b8954a5ebc31706c4300a4c9dfedc6c206b9e9b2a436d592 |
C:\Windows\system\mipktnB.exe
| MD5 | 9fb52e49934591af685cfe29ff6dd3ee |
| SHA1 | 74778406fddc80f1e6547f157a620836ed38af92 |
| SHA256 | b5aa3b5225907024ff37c043d3cfa9eae2c673541a06b08a763a73c86dec95ad |
| SHA512 | 564dd392e10ac0767d24d80baf518de949eb802bdf6d80811f97800c1b38d3f9627eb3e66d0523f18e463d3c673bf26609c575a51b1c6d765a4c559f3a7a4317 |
C:\Windows\system\jgEopYi.exe
| MD5 | 6bb99d7c0308d7b566eb463236a0c8fa |
| SHA1 | 2554562dd84f66c40f2b81a4d2bab8614ac69c45 |
| SHA256 | 002538892bc5a4c99d8cb74865ebcfc24ed499fbd5a68a0ba8abd537a28da0a0 |
| SHA512 | 0fb09a7bc94d4a3e57bed73191a6e2d29e55bc8fddb2bec3231a1bc3713d6f865171715e69190ead6ccf9358d24f79f5ad085b6ff25a13e213a2360523d8b63b |
C:\Windows\system\CJSsLwb.exe
| MD5 | 5b8b9a5b7fd85d9503b1d2dd5c2aa39c |
| SHA1 | 5cae0b94a74e07eb73d6158c3ec48cc76aa3a327 |
| SHA256 | 8ec4f534cfa664b7aa59013dd862135a9999dc5082ec3efe489bd9b15f2cc777 |
| SHA512 | a9d886a043a6faea2a1b75bc29b2b7250ebd5a4885bab6e62eac347ba2fc16af1256ee74a6cd8644a933c9a809514e9d0461923e1e2c3cca43f598256b0cb2e2 |
C:\Windows\system\dohHquR.exe
| MD5 | c96d86836a097a99dfa305e9d049f2c7 |
| SHA1 | 88712fff56bde3d8ac94e7e8a8e17ec6f55ca0fa |
| SHA256 | dfe5913752b55fae62e15fff18147d2b788b1ea75f6f567df5150fef3dd99039 |
| SHA512 | 076813a6d81f2b74fff4b006f29fea15b1283e6fc4b7192a7f19237e621c5b41ea6e1d9154e41e38b20f41f2044a501dc6637abb0a088ad59e4812cf8ab97856 |
C:\Windows\system\DaXnYFU.exe
| MD5 | 233cf985dc1e62ff6ab5dcb5aad66cf0 |
| SHA1 | 4ad12506a83702c07f88ecdbd751e23c42793549 |
| SHA256 | 056e26beddc0b00bfc6a872ca90093b89ec66d0c739f96f3335b0fada9616e19 |
| SHA512 | 5a8d03e84fce16b7daaf9f3fc7c1d9a98892a4ac0893ff20c732f63816eafb930bddc36a5e18a5e559318b78747ed320703ff39d8dc2f9e8ed7c8d71fe50b6d7 |
C:\Windows\system\zHUvTXO.exe
| MD5 | 06ef9f7c9487b50a793d0950caac23bf |
| SHA1 | 98eaff1a52c1b12d0b12698a5033c53415397a6c |
| SHA256 | 93774e8a388e727541dcfaa52ce821765068b446fa2a6f36bdfc190dbf56e305 |
| SHA512 | 9735af85589f2dc13b4b71e1d9b83d998006e8c47803cef0118342a1f0c634581ce4572654d88d73bbffab62e7839dc6ec1040f9e6063d0122955a311fba3d99 |
memory/1684-97-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2632-96-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2872-95-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
C:\Windows\system\gEhmlWA.exe
| MD5 | 0a6e78ea64817dd4be6b7c3579796d91 |
| SHA1 | ae8f6992357261ac909c91435f524d2b2d24ef92 |
| SHA256 | 3cbc70aebd65fb2f84fcfc9b717f7294ea97ce7d1f4bd57246007df85ae6fa64 |
| SHA512 | 3674d8cbe585a97debcb17a9279097bdbc11e55e0275b86cd5b8b15a07783c6acc4dd1253120288981f93b771347695a142278ba27cf5161db0f62281004eb2b |
memory/2632-89-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/1416-84-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/1748-83-0x000000013FCB0000-0x0000000140004000-memory.dmp
C:\Windows\system\yXXdRyM.exe
| MD5 | ed2fb329dffcb0434902f6ca150d68ce |
| SHA1 | b0576da60c22d4280fea9b2c2d8a2c0e3bb42851 |
| SHA256 | 06b661178cb2fb53c86a634c0d1fd4ad60f676a496f15591668cb671d5cfcc5b |
| SHA512 | e256282ec91d48678a91ee8d02fbd9f7a0b63764339ff6b2524a397c89df0f335a9d502f630d50caa19ec6885c58695caed939d88d5f21b98168e1e0e32aad06 |
C:\Windows\system\QlDhkGT.exe
| MD5 | 63b387fc8b190c6116ef754b16c98c1b |
| SHA1 | debf93fddf9ce461b513e791fb7425659b72cacb |
| SHA256 | 8f08a899f5eca0340a773683d739433685baae66a7976def2ba7b6732f9a4f41 |
| SHA512 | 3e9576839374c45573250e522e88621615d1f3a0d313eeec20aafc851f02f88d62062a77b194da9f95fbe696f782e931a9f11c369d73d3708d01a77f8ee60462 |
memory/2632-80-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2632-79-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/2368-78-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/2632-77-0x000000013FCB0000-0x0000000140004000-memory.dmp
memory/2764-76-0x000000013FD70000-0x00000001400C4000-memory.dmp
C:\Windows\system\kXbXaoo.exe
| MD5 | e4d37a86f660ec2ab3a5b0afc151507c |
| SHA1 | 91c41b71dd1aa4a038420379792fc0cb0224e686 |
| SHA256 | 33d504fea9aa39d1d00dbbdb03671368f69f9539a3ead0548ed15392e2f45679 |
| SHA512 | 64a1ebb4968a15e580d16034076ba07377c33097952475ac9678163d221f62880f123df0baaee8a4ba2e24a1e066abe2f45561e408ad5a5faa73851efafe1c48 |
memory/2756-125-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2288-64-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/2632-54-0x00000000023A0000-0x00000000026F4000-memory.dmp
C:\Windows\system\KLDNxnv.exe
| MD5 | c5d207ef5119934c1ad939040899a34e |
| SHA1 | c14df1ecbcc78ae0d60ebadbe78d04d9200ad9ac |
| SHA256 | f00caf45dba9c61b7cbe55323674ede02700517150dc5e57e3e43626b46c1851 |
| SHA512 | 3fc4b320565c9738f400a905d9f7d4f332e8b0ff618dd8245111e0cb60515740b309aad41988d091ce87437c1fd6e0f814aa6bbfbdc7be66912c26fcd8d7a174 |
memory/2632-61-0x00000000023A0000-0x00000000026F4000-memory.dmp
C:\Windows\system\cLKGDvT.exe
| MD5 | 393ff304f0535f905c49dd6b84c563ab |
| SHA1 | 43e36f4947cb1ca3f946f7375f3dd48b1277e150 |
| SHA256 | 7032ac2dca5f1d3c40cfc905c3eaeccf595e65f422854cfdb772a98541cd063a |
| SHA512 | ad6a0a5de9a0cca5ea4a8f1ffa8b7f7d9933cc0b9bdc3fa3d7f364b5f998fb7bb2565ee0a2f8f4b13b061dfafb9c9a5c4380ce6fe80e2e018f12bd7f0b5405ce |
memory/2584-48-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2632-47-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/2756-41-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2632-39-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2632-34-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/2872-28-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/2632-138-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/2632-139-0x000000013FCB0000-0x0000000140004000-memory.dmp
memory/2368-140-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/1748-141-0x000000013FCB0000-0x0000000140004000-memory.dmp
memory/1416-142-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2632-143-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/1716-144-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/2632-145-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/1684-146-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2632-147-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2688-148-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2764-149-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2876-150-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/2676-151-0x000000013F560000-0x000000013F8B4000-memory.dmp
memory/2584-152-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2964-153-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/2288-154-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/2756-155-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2872-156-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/1748-157-0x000000013FCB0000-0x0000000140004000-memory.dmp
memory/1416-160-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/1716-159-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/2368-158-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/1684-161-0x000000013FF40000-0x0000000140294000-memory.dmp
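The Files sections of behavioral1 and behavioral2 interleave dropped-file hash tables with memory-dump names that carry the dump's start and end address. The parser below is an added example, not part of the report or of the sandbox's own tooling: it reads an excerpt of the behavioral1 Files text (copied from above) into an IOC list and a memory-region list, then shows what the dump names reveal on their own: every image-sized region in the run is 0x354000 bytes, even though each dropped file has a different hash. The path normalisation and the 1 MiB threshold that separates image dumps from the small heap region are this example's assumptions.

```python
"""Added example: parse a sandbox-report Files section into IOCs and memory regions."""
import re

# Constructed excerpt, copied verbatim from the behavioral1 Files section above.
FILES_TEXT = r"""
memory/2632-0-0x000000013F2C0000-0x000000013F614000-memory.dmp
memory/2632-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\tjnEMac.exe
| MD5 | 214158e4261489d96ad8a102e7d88379 |
| SHA1 | 47e3dc0a3e8b5562270f56ce1f2b3f602898b594 |
| SHA256 | af4d564417bd8eed2109d31da2d22995f59d8a1ebe784b4621eff3d1477bfc5b |
| SHA512 | 826da1d7cd3010af8a72090958ae94d7aa44759722bd55914cbe4dda673df1ebc8aeea09bf8f9568403ed63e677af7e625a83a6aa2c6b7de172252c978efdceb |
\Windows\system\ryFveAK.exe
| MD5 | 3fe5a1c3d3e38c29887563eeeacfb1f8 |
| SHA1 | 4df014c8f8ff87c62d4ada6f6fde1ec10e0c368b |
| SHA256 | 7495c36bbce6a962a224c2e31d03fbbbc1984016e1d9231c2299449ea1c6f39a |
| SHA512 | e68a93dd48bc23293b5c297097e9b31e2692c1d0166153bdf4ac89bbc4e61f45687523f941695ed25199e947d1cf3bddfd5f6d3b086698bcd9adb23334b86f22 |
memory/2632-21-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/2876-22-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/2688-20-0x000000013F5D0000-0x000000013F924000-memory.dmp
C:\Windows\system\OBrxPDQ.exe
| MD5 | 1f658eeae3d1a0bdb964c309d421e4dd |
| SHA1 | 0988e3bc5a9bc76514ebfbd7dbc5816f2fcb44c7 |
| SHA256 | a27d1bf169a3aab9eb2297a2e5cb091a7bfd122f40943f9a4dcea87ddc64274e |
| SHA512 | 4fb38144345d772cb275f69694caf11993f96d3f9a194590b20904972746d214840ca4ad66a8b74865222c73e8c57ad1322f0c90d938a0670abebed242e5245a |
"""

# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp, as the report names its dumps.
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# "| MD5 | <hex> |" rows; the algorithm name is the first cell.
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return (files, regions).

    files:   {normalised path: {algo: hexdigest}}
    regions: [(pid, index, start, size)] for every memory dump name
    A hash row attaches to the most recent path line; a digest of the wrong
    length for its algorithm is rejected instead of being stored as an IOC.
    """
    files, regions, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, idx, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
            regions.append((pid, idx, start, end - start))
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m[1], m[2].lower()
            if current is None or len(digest) != HASH_LEN[algo]:
                raise ValueError(f"malformed hash row: {line}")
            files[current][algo] = digest
            continue
        # Anything else is a dropped-file path. The report writes some paths
        # with a drive letter and some without; lower-case and strip it so
        # both spellings merge (assumption made for this example).
        current = re.sub(r"^[a-z]:", "", line.lower())
        files.setdefault(current, {})
    return files, regions


def image_sizes(regions):
    """Histogram of region sizes, ignoring dumps under 1 MiB (heap/stack slices)."""
    hist = {}
    for _pid, _idx, _start, size in regions:
        if size >= 1 << 20:
            hist[size] = hist.get(size, 0) + 1
    return hist


def sha256_iocs(files):
    """Sorted SHA-256 values, ready for a blocklist or a hash-match hunt."""
    return sorted(v["SHA256"] for v in files.values() if "SHA256" in v)


if __name__ == "__main__":
    files, regions = parse_files_section(FILES_TEXT)
    for path, hashes in files.items():
        print(path, hashes.get("SHA256"))
    for size, n in image_sizes(regions).items():
        print(f"{n} image dumps of {size:#x} bytes")
```

Feeding the whole Files section of either run through parse_files_section gives the full 21-file hash set; the behavioral2 dumps produce the same 0x354000 size at 0x7FF6.../0x7FF7... addresses, which is what you would expect from the same 64-bit image being written out under different names.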
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-07 22:44
Reported
2024-08-07 22:47
Platform
win10v2004-20240802-en
Max time kernel
144s
Max time network
148s
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target recorded.
Cobaltstrike
xmrig
XMRig Miner payload
64 matches; no description, indicator, process or target recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\wLPjeBU.exe | N/A |
| N/A | N/A | C:\Windows\System\MhzDgjz.exe | N/A |
| N/A | N/A | C:\Windows\System\ptachOT.exe | N/A |
| N/A | N/A | C:\Windows\System\XgaTHQU.exe | N/A |
| N/A | N/A | C:\Windows\System\slHsgOC.exe | N/A |
| N/A | N/A | C:\Windows\System\hIHqJMV.exe | N/A |
| N/A | N/A | C:\Windows\System\onESlLv.exe | N/A |
| N/A | N/A | C:\Windows\System\dToICxR.exe | N/A |
| N/A | N/A | C:\Windows\System\WoKVkNV.exe | N/A |
| N/A | N/A | C:\Windows\System\cUUptKw.exe | N/A |
| N/A | N/A | C:\Windows\System\PrHoNbj.exe | N/A |
| N/A | N/A | C:\Windows\System\yxSLxgu.exe | N/A |
| N/A | N/A | C:\Windows\System\iqgkenN.exe | N/A |
| N/A | N/A | C:\Windows\System\IRvJrBX.exe | N/A |
| N/A | N/A | C:\Windows\System\xgEkWlq.exe | N/A |
| N/A | N/A | C:\Windows\System\vkjCQZr.exe | N/A |
| N/A | N/A | C:\Windows\System\TideCbH.exe | N/A |
| N/A | N/A | C:\Windows\System\akLHyLf.exe | N/A |
| N/A | N/A | C:\Windows\System\XQpwsGS.exe | N/A |
| N/A | N/A | C:\Windows\System\StzVItg.exe | N/A |
| N/A | N/A | C:\Windows\System\uhMDojH.exe | N/A |
UPX packed file
64 matches; no description, indicator, process or target recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\wLPjeBU.exe
C:\Windows\System\wLPjeBU.exe
C:\Windows\System\MhzDgjz.exe
C:\Windows\System\MhzDgjz.exe
C:\Windows\System\ptachOT.exe
C:\Windows\System\ptachOT.exe
C:\Windows\System\XgaTHQU.exe
C:\Windows\System\XgaTHQU.exe
C:\Windows\System\slHsgOC.exe
C:\Windows\System\slHsgOC.exe
C:\Windows\System\hIHqJMV.exe
C:\Windows\System\hIHqJMV.exe
C:\Windows\System\onESlLv.exe
C:\Windows\System\onESlLv.exe
C:\Windows\System\dToICxR.exe
C:\Windows\System\dToICxR.exe
C:\Windows\System\WoKVkNV.exe
C:\Windows\System\WoKVkNV.exe
C:\Windows\System\cUUptKw.exe
C:\Windows\System\cUUptKw.exe
C:\Windows\System\PrHoNbj.exe
C:\Windows\System\PrHoNbj.exe
C:\Windows\System\yxSLxgu.exe
C:\Windows\System\yxSLxgu.exe
C:\Windows\System\iqgkenN.exe
C:\Windows\System\iqgkenN.exe
C:\Windows\System\IRvJrBX.exe
C:\Windows\System\IRvJrBX.exe
C:\Windows\System\xgEkWlq.exe
C:\Windows\System\xgEkWlq.exe
C:\Windows\System\vkjCQZr.exe
C:\Windows\System\vkjCQZr.exe
C:\Windows\System\TideCbH.exe
C:\Windows\System\TideCbH.exe
C:\Windows\System\akLHyLf.exe
C:\Windows\System\akLHyLf.exe
C:\Windows\System\XQpwsGS.exe
C:\Windows\System\XQpwsGS.exe
C:\Windows\System\StzVItg.exe
C:\Windows\System\StzVItg.exe
C:\Windows\System\uhMDojH.exe
C:\Windows\System\uhMDojH.exe
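Both behavioral runs above record the same chain: the sample enables SeLockMemoryPrivilege (the right a process needs for large-page allocations, which XMRig requests for its RandomX dataset), writes 21 seven-letter .exe files directly into C:\Windows\System\ rather than System32, executes each one, and the copies all connect to 3.120.209.58:8080. The following is an added example, not part of the report and not any vendor's rule: a small Python detector that turns that chain into a hunting check over constructed telemetry. The event schema, field names, the pairing of pids with dropped files, and the benign noise rows are this example's assumptions.

```python
"""Added example: behaviour-chain detection for the drop-execute-beacon pattern."""
import re
from collections import defaultdict

# Dropped files in both runs are 7-letter mixed-case names directly under
# C:\Windows\System\. Regex derived from the "Executes dropped EXE" tables above
# (this example's own, not a published rule).
DROPPER_PATH = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\2024-08-07_b6aad5314a485274a54a8bf06cf311a8"
          r"_cobalt-strike_cobaltstrike_poet-rat.exe")

# Constructed telemetry modelled on the behavioral2 run (pids taken from the
# memory dump names). The event schema and field names are invented for this
# example; map them onto whatever your EDR or Sysmon pipeline emits.
EVENTS = [
    {"type": "process_create", "pid": 2444, "ppid": 1000, "image": SAMPLE},
    {"type": "privilege_adjust", "pid": 2444, "privilege": "SeLockMemoryPrivilege"},
    {"type": "file_write", "pid": 2444, "path": r"C:\Windows\System\wLPjeBU.exe"},
    {"type": "process_create", "pid": 876, "ppid": 2444, "image": r"C:\Windows\System\wLPjeBU.exe"},
    {"type": "file_write", "pid": 2444, "path": r"C:\Windows\System\MhzDgjz.exe"},
    {"type": "process_create", "pid": 3776, "ppid": 2444, "image": r"C:\Windows\System\MhzDgjz.exe"},
    {"type": "net_connect", "pid": 2444, "dst": "3.120.209.58", "dport": 8080, "proto": "tcp"},
    {"type": "net_connect", "pid": 876, "dst": "3.120.209.58", "dport": 8080, "proto": "tcp"},
    {"type": "net_connect", "pid": 3776, "dst": "3.120.209.58", "dport": 8080, "proto": "tcp"},
    # Benign noise that must not fire: a service writing under System32 and
    # talking to a CDN on 443 (2.18.27.82 is the www.bing.com row in the table).
    {"type": "process_create", "pid": 5000, "ppid": 1000, "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "file_write", "pid": 5000, "path": r"C:\Windows\System32\drivers\etc\hosts"},
    {"type": "net_connect", "pid": 5000, "dst": "2.18.27.82", "dport": 443, "proto": "tcp"},
]


def find_dropper_chains(events, min_dropped=2):
    """Return {pid: summary} for every process that both writes and then
    executes at least min_dropped files matching DROPPER_PATH, together with
    whether it took SeLockMemoryPrivilege and where it connected."""
    per_pid = defaultdict(lambda: {"dropped": set(), "executed": set(),
                                   "lock_memory": False, "dst": set()})
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process_create"}
    for e in events:
        if e["type"] == "file_write" and DROPPER_PATH.match(e["path"]):
            per_pid[e["pid"]]["dropped"].add(e["path"].lower())
        elif e["type"] == "process_create" and DROPPER_PATH.match(e["image"]):
            # Credit the execution to the parent, i.e. the process that dropped it.
            per_pid[e["ppid"]]["executed"].add(e["image"].lower())
        elif e["type"] == "privilege_adjust" and e["privilege"] == "SeLockMemoryPrivilege":
            per_pid[e["pid"]]["lock_memory"] = True
        elif e["type"] == "net_connect":
            per_pid[e["pid"]]["dst"].add((e["dst"], e["dport"]))
    hits = {}
    for pid, c in per_pid.items():
        run = c["dropped"] & c["executed"]      # written AND executed by this pid
        if len(run) >= min_dropped:
            hits[pid] = {"image": images.get(pid), "drop_and_exec": sorted(run),
                         "lock_memory": c["lock_memory"], "dst": sorted(c["dst"])}
    return hits


def repeated_destinations(events, min_hits=3):
    """(ip, port) pairs contacted by at least min_hits distinct processes.
    Many freshly dropped copies all reaching the same non-web port is the
    beaconing shape the Network tables above show for 3.120.209.58:8080."""
    seen = defaultdict(set)
    for e in events:
        if e["type"] == "net_connect":
            seen[(e["dst"], e["dport"])].add(e["pid"])
    return {k: len(v) for k, v in seen.items() if len(v) >= min_hits}


if __name__ == "__main__":
    for pid, hit in find_dropper_chains(EVENTS).items():
        print(pid, hit["image"], hit["drop_and_exec"], hit["lock_memory"], hit["dst"])
    print(repeated_destinations(EVENTS))
```

Keying the chain on the parent pid is deliberate: the dropped copies are not what you want to alert on individually (each has a fresh hash), the writer that produced them is, and the SeLockMemoryPrivilege flag on the same pid is what separates this from a generic installer.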
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 82.27.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/2444-0-0x00007FF70BFE0000-0x00007FF70C334000-memory.dmp
memory/2444-1-0x0000022EAF1B0000-0x0000022EAF1C0000-memory.dmp
C:\Windows\System\wLPjeBU.exe
| MD5 | 0d73daabe81b81a850bca2690b95fc93 |
| SHA1 | 86fcd89df5d31aec41117758515d83982ec3fec6 |
| SHA256 | 878e18b24c69e7d9386b71185ffe0b353f633e9896b29376cfb2aa82898a4a8d |
| SHA512 | 0c7710a2e45eae7b288c67fc0a2f2e47be5c351950f436d08a638e38bdb2ebef222bb4fef6d281fdfd5fd4447f114f189681522f89b1d4d63df87c5ab4b74486 |
C:\Windows\System\ptachOT.exe
| MD5 | 8a22a6c8842f9b966ad772267c691050 |
| SHA1 | ec689494854f5bcaea75796480200a4d6680f852 |
| SHA256 | c0710a66eb9229a42655cd09602e32ca0219d6a57acff9e3df4140b47043054c |
| SHA512 | 88bbce5aedf5f9ae718ae9f35aa90ca15b0d70a699aa1a1e3c9fd85a3052887f5114aeed0216326b98ad4c5e8a3bba96bbc5278407e23a953928756209be5d6d |
C:\Windows\System\MhzDgjz.exe
| MD5 | fef8fee649c65abda4cef58ee8fc8bb9 |
| SHA1 | 222dbd3225a721ada66e7d7b294a565ebefe9f7a |
| SHA256 | 49b15e1da3c1c4953d27342422f9f679486660a6c9e19d072cf2ba678a3c7ff0 |
| SHA512 | 9e75d0375903c5d26790dc7237b913f9f64956682a68701cf82dcbb48f7bb97182aac63dd1335d18b9f569e10470abc018d5270a77ba013d08e3cf47b1b4c253 |
memory/3776-12-0x00007FF695D90000-0x00007FF6960E4000-memory.dmp
memory/876-10-0x00007FF623DC0000-0x00007FF624114000-memory.dmp
memory/3180-22-0x00007FF7A5C20000-0x00007FF7A5F74000-memory.dmp
C:\Windows\System\XgaTHQU.exe
| MD5 | 549e892470818e57ab0e12719670a725 |
| SHA1 | 493e2f0e844074a3eeb9726c8a8643f524b3fe2e |
| SHA256 | eb212707f5a10dbbd6707e6f80b8acbe0ae194ba84b4e8249069e18bc1fc1f03 |
| SHA512 | 114de65414b6444512cef3532d1258cdffaa2feff589a64f2537f393a85fd9207d1a9e8f12d9f8ab0921ea8b6c4c01ee8ec602be3bdf2b866f800f3c28d07387 |
C:\Windows\System\slHsgOC.exe
| MD5 | d3c691aa4ebce050e2ccb8c480a066e7 |
| SHA1 | df41a547243070af2c8020dbcfda2c9f1f54ca67 |
| SHA256 | 91d92d370bfd3da00675dc86c4a0917f25a9200599c912d10f60f1bcd7694660 |
| SHA512 | 2737ce0fda2c05937abe39e15b527a09a4cbd29c5091632ec56d969a93660564d3361d7ad7d6a90489ed829da05a1b7412ced71c5c3e0714a4261c29f42028f4 |
memory/4256-29-0x00007FF78B720000-0x00007FF78BA74000-memory.dmp
memory/2892-43-0x00007FF68B6E0000-0x00007FF68BA34000-memory.dmp
C:\Windows\System\onESlLv.exe
| MD5 | 2ac655b92eac2074bdd4d94b7938545f |
| SHA1 | 8cdf4e82340afbbde3bcbb2d0b2ed8cbb78ab060 |
| SHA256 | 05417e8bb644b785902b566524644e8a0e2db10de49edd822844430c41de80fa |
| SHA512 | a0ffc4b8e30a2df43e8955c48154afac4b4551c6e48faeb479fce3e5b71730888e78c385f3c0753e73c1e1c114b36160c92d599dcd9b10070adf8bb1330a8835 |
C:\Windows\System\dToICxR.exe
| MD5 | 68c75531fc2c5cf8084d48f645d0f595 |
| SHA1 | 372da3dca77b89c987df78f4b2909fac7956af9f |
| SHA256 | b12938c287c61b1bb1d8109e4ac8e0f139e5b8b5958c6f452f2e8b26c7a806e2 |
| SHA512 | 25c79ed001c474374aa4856c13e6a86d24e98076aa343915ef78e90b33c9fd7549b3aaff74884ac42ebd3c1e65298edeb33ec615a5931147b1d8d99b7723bc22 |
C:\Windows\System\WoKVkNV.exe
| MD5 | 15a413bebf58d741055a8c306535c495 |
| SHA1 | 8dbab51f3a92d7689ed530877b8c00f8e0f017ee |
| SHA256 | 7547b94f31f1c8f7b7d89b1bdd1b0f7102daf8fec8641365bc7b29452e970fe0 |
| SHA512 | b2c2659451258e443ca4aa2a66badf1023a98ee0b508b9bfc7ea678c9ed62aad941dd788317987fdb667096bbb3c6882d2796538c08d91d474fefbd5db35447d |
memory/3000-51-0x00007FF7FB850000-0x00007FF7FBBA4000-memory.dmp
memory/4144-49-0x00007FF71F710000-0x00007FF71FA64000-memory.dmp
memory/4452-41-0x00007FF6BC110000-0x00007FF6BC464000-memory.dmp
C:\Windows\System\hIHqJMV.exe
| MD5 | 42d67ea7811b295fa1f8babfb7879e46 |
| SHA1 | c95ac10f6b9f10307bcce9f7e2107af7e81c344e |
| SHA256 | 3ca6f28cc45d47ae55b33e036b24e962d3037b3afc7297a4744f5d2e7a7afe7b |
| SHA512 | a97423f962e048bcf7e0ef27803681e684c2d99d9136800249877f24ff537dae0ce590bb5ab40c11310e7f8385be233bc1d0a5a11fcd338003b9d0295121421b |
memory/1212-37-0x00007FF7BE710000-0x00007FF7BEA64000-memory.dmp
C:\Windows\System\cUUptKw.exe
| MD5 | 41a944b13591ebe3f209aa9a41d72e8e |
| SHA1 | 6d78031012b80fc903c87658234f61cbf08313f4 |
| SHA256 | c6136b46cb85c76fbe30116bfca0fbba2431c3723ebec1b513435942d789d599 |
| SHA512 | b1cd8dd159c8f9982dbba0316dcff2eea1ce8f7a7dc14dd9f154e38e18095fd48fee321eea2ff23cf43ba3ddf336516b68bc063ebcd086a05e36cc2fb878db46 |
memory/4660-62-0x00007FF7148A0000-0x00007FF714BF4000-memory.dmp
C:\Windows\System\PrHoNbj.exe
| MD5 | cb395c85a906c7296b34cc6d49d4a1ed |
| SHA1 | 2a32498a17554049400672eb3912d8358f698b54 |
| SHA256 | 14fa3d86f88a92ff358f7342e28f00555ddd65e9bf767d5bb790f841b0f61786 |
| SHA512 | ac8a77a1858d467d45959e112c8c339fdda56fcc9dba9e22d5c14a98bba86df21b55e8714b0983cd3f0a2ac91257267064a0bfcf7db1d78c1ba1a9e628763be6 |
memory/4092-69-0x00007FF799840000-0x00007FF799B94000-memory.dmp
memory/2444-68-0x00007FF70BFE0000-0x00007FF70C334000-memory.dmp
C:\Windows\System\yxSLxgu.exe
| MD5 | 357b3d8f3cf209d53dba92912e3ed133 |
| SHA1 | 4d42fa7a5662a3322e70a3ac64e27f50809c4e3a |
| SHA256 | db80966613b1fd3822a8b8e8e8986b1bd4670763ab9b9fcf0f476352336237c2 |
| SHA512 | bbfb41420d2724c1deeec81bc7ef9180ef70723c5f1e3518ab2aeaebd9ce3a20ae6536fbfc8bce6f4d4562078e00c8e0085ccaabd2a3edd1a5bd093927c5f48a |
C:\Windows\System\iqgkenN.exe
| MD5 | b21147e24d8a00a3cf72c565a144e5f7 |
| SHA1 | 2dd3b5ed807a711d80cc1376e189e5fbf00cf306 |
| SHA256 | 064742ce6c4342e35d8a87f3bcfca0d201204577611aeae85f553887e45455fc |
| SHA512 | 16cff2b86c8970edb48c707e70f6b17bc8fc7cf1f9349d24ee69302cdd1c040268d9769b625a009936535e3b8f5f4074dca9a42e167b26437ec15f9ce6a600c5 |
memory/4632-85-0x00007FF6B7D20000-0x00007FF6B8074000-memory.dmp
memory/2036-88-0x00007FF76B2D0000-0x00007FF76B624000-memory.dmp
C:\Windows\System\xgEkWlq.exe
| MD5 | bb0e966335dd46f617690d96eb8fc923 |
| SHA1 | ae4c806f3c63c6c3f1ba3b5986b77a0e3d186a0a |
| SHA256 | 1108f787a71afc3e504e2195ee0032ba9f438350ce4e3440b1b9afc155b35c91 |
| SHA512 | 6084d14ca9cdcf4f7cd82fea9ae3d941b826eed64b8d1d52b8406688e3171f3efc737cd1729ffe90e1bb110e4c0174c4bd250d5c8c3c51b09d1c224ec8aaa89a |
memory/1116-107-0x00007FF692580000-0x00007FF6928D4000-memory.dmp
memory/4452-109-0x00007FF6BC110000-0x00007FF6BC464000-memory.dmp
C:\Windows\System\akLHyLf.exe
| MD5 | 4ede4da8197fd27e24246c0adccb07ec |
| SHA1 | 18a3cb9f106867470b581f285106978201a4d2b8 |
| SHA256 | 49834b8c0e5c6c453cc0a0dc2f37983302add7cbe508dd7ada66358a259b0b49 |
| SHA512 | 9c90452299a71fccb3dad1d389af35b0ab98ba7d7c11e2a42c11c231118c103a282a933dd28c281d2dec9abddfc196a13984ec3ce3daba4d77091a0d900005c1 |
C:\Windows\System\TideCbH.exe
| MD5 | edb21be1bf7f1ee1d0352460f4481f0b |
| SHA1 | 150921974ebdaa845e981badd63ec59479f49482 |
| SHA256 | f51c6c6d22182a2bf48e7b2b5658529c9b8c6337845211fdb76dbca406248464 |
| SHA512 | 07c6ee08850625bb5a386ad96b957bad965afbc2db42c8b5d36b2f1d475b128f4dea146256b9b604be13ecebac5927f3eef4861db0f04093bff6bb18939e2d7b |
memory/2824-110-0x00007FF604870000-0x00007FF604BC4000-memory.dmp
memory/892-108-0x00007FF7089D0000-0x00007FF708D24000-memory.dmp
memory/4840-105-0x00007FF716EA0000-0x00007FF7171F4000-memory.dmp
memory/1212-104-0x00007FF7BE710000-0x00007FF7BEA64000-memory.dmp
C:\Windows\System\vkjCQZr.exe
| MD5 | 10cf0e24509c74412c7876eb32c8d25f |
| SHA1 | 847b5a2dfa0d2c6efbb371da7a2cb592e83e6695 |
| SHA256 | 7e9df8a5357b8a30509f7e3eccbc092e722c7333b23f365b0a318ff583ec0aee |
| SHA512 | 73ef9dc11cbb36ba28ecd328691a9cec66c02b47c042becc1ae7282e260ad149e345ee22299b787619eb4bbd60c51bf552e3c33978e8a86a30b3992881c8d428 |
C:\Windows\System\IRvJrBX.exe
| MD5 | 97418fffe22167955270099d7813f1ec |
| SHA1 | 32da1750d3eb7c6112a9daf42d86643c9f87d9fc |
| SHA256 | e2fa9df3a14cec7eb5c73f7131d7dfa64657aeef66b30397b0257b119136c6b6 |
| SHA512 | aa9b3b398bf213d76e40cc8cf19055e13ad475eee697db78edb79cf2148b57fcf187556df3f23d8385edde33264ac05430611d4eab8ac1d262f0ab1aa16d16b2 |
memory/3776-83-0x00007FF695D90000-0x00007FF6960E4000-memory.dmp
memory/32-80-0x00007FF779130000-0x00007FF779484000-memory.dmp
C:\Windows\System\XQpwsGS.exe
| MD5 | 22b12108c4a830cd626ceaba394b1f5f |
| SHA1 | ef1d832e31df2c361d64e72f7bfb14f6c2991d29 |
| SHA256 | 0cf7031ada24e0a41e535542d8d70005fd2a8a45f038e4af667a6c0aab06094d |
| SHA512 | ee681199436bc65e54cffd8fb3fb98fccedf00d8f10ed0cb060987bbd50a8a12f388afcae84e29f2ba7152d59814183db8c97949486871ef8461930ef0c76107 |
C:\Windows\System\StzVItg.exe
| MD5 | d4a1c5ac1560418138548914c35401ea |
| SHA1 | 3001b68124278e8f04a843cb61035bd24c971285 |
| SHA256 | 135859db75b3369f59c9eb1d15c4c27cdf63170613dab597dcfe7a25dc01cf71 |
| SHA512 | c5431e4e5a24a7eda322263c80e046c5b8914abadacc29b372f430c4ff9aed33e265d3247a29e51f6c38500f3ec404bffdb2ada32be2fd96d1717fe4c14e1765 |
C:\Windows\System\uhMDojH.exe
| MD5 | 341cf39c3a2e202c74e41ee28c5fca7f |
| SHA1 | 3525fe1c15fa8ac025f1edeaa91392c499e037b3 |
| SHA256 | b761e7e7e24ccc75a6796c555ee50f2153bea89bcb29f32c7d5a5040ae423c6d |
| SHA512 | f587dbed29b6bb07dc81d65328b56b8ecdec30237f5d6a2f8209bf0984cff3550cafe19d3a40d3e924c0bb80910f01294fbdfb30582d51657e7ee246297438c9 |
memory/952-129-0x00007FF669C30000-0x00007FF669F84000-memory.dmp
memory/3396-130-0x00007FF7B7AD0000-0x00007FF7B7E24000-memory.dmp
memory/772-131-0x00007FF676060000-0x00007FF6763B4000-memory.dmp
memory/2892-132-0x00007FF68B6E0000-0x00007FF68BA34000-memory.dmp
memory/4144-133-0x00007FF71F710000-0x00007FF71FA64000-memory.dmp
memory/3000-134-0x00007FF7FB850000-0x00007FF7FBBA4000-memory.dmp
memory/2036-135-0x00007FF76B2D0000-0x00007FF76B624000-memory.dmp
memory/892-136-0x00007FF7089D0000-0x00007FF708D24000-memory.dmp
memory/2824-137-0x00007FF604870000-0x00007FF604BC4000-memory.dmp
memory/876-138-0x00007FF623DC0000-0x00007FF624114000-memory.dmp
memory/3776-139-0x00007FF695D90000-0x00007FF6960E4000-memory.dmp
memory/3180-140-0x00007FF7A5C20000-0x00007FF7A5F74000-memory.dmp
memory/4256-141-0x00007FF78B720000-0x00007FF78BA74000-memory.dmp
memory/1212-142-0x00007FF7BE710000-0x00007FF7BEA64000-memory.dmp
memory/4452-143-0x00007FF6BC110000-0x00007FF6BC464000-memory.dmp
memory/3000-144-0x00007FF7FB850000-0x00007FF7FBBA4000-memory.dmp
memory/2892-145-0x00007FF68B6E0000-0x00007FF68BA34000-memory.dmp
memory/4144-146-0x00007FF71F710000-0x00007FF71FA64000-memory.dmp
memory/4660-147-0x00007FF7148A0000-0x00007FF714BF4000-memory.dmp
memory/4092-148-0x00007FF799840000-0x00007FF799B94000-memory.dmp
memory/32-149-0x00007FF779130000-0x00007FF779484000-memory.dmp
memory/4632-150-0x00007FF6B7D20000-0x00007FF6B8074000-memory.dmp
memory/2036-151-0x00007FF76B2D0000-0x00007FF76B624000-memory.dmp
memory/4840-152-0x00007FF716EA0000-0x00007FF7171F4000-memory.dmp
memory/1116-153-0x00007FF692580000-0x00007FF6928D4000-memory.dmp
memory/892-155-0x00007FF7089D0000-0x00007FF708D24000-memory.dmp
memory/2824-154-0x00007FF604870000-0x00007FF604BC4000-memory.dmp
memory/952-156-0x00007FF669C30000-0x00007FF669F84000-memory.dmp
memory/3396-157-0x00007FF7B7AD0000-0x00007FF7B7E24000-memory.dmp
memory/772-158-0x00007FF676060000-0x00007FF6763B4000-memory.dmp
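The dropped-file and memory-dump entries above are easier to work with once parsed than read raw, so here is an added example (not part of the sandbox report, and not the sandbox's own tooling): a small Python parser for this listing format. It extracts each dropped file's digests and checks they are well-formed hex of the right length, and it decodes the memory-dump names into PID, dump index, and region bounds. The assumed layout `memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp` is inferred from the entries on this page, not from any documented format. The sample input is a constructed subset of the listing; it shows what a reader might otherwise miss, namely that every dumped region is the same size (0x354000 bytes) and that a PID dumped twice (4452) sits at the same base address both times, consistent with one image loaded per process.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the dropped-file and memory-dump entries
# from the listing above, embedded so the parser runs offline.
SAMPLE = r"""
C:\Windows\System\dToICxR.exe
| MD5 | 68c75531fc2c5cf8084d48f645d0f595 |
| SHA1 | 372da3dca77b89c987df78f4b2909fac7956af9f |
| SHA256 | b12938c287c61b1bb1d8109e4ac8e0f139e5b8b5958c6f452f2e8b26c7a806e2 |
| SHA512 | 25c79ed001c474374aa4856c13e6a86d24e98076aa343915ef78e90b33c9fd7549b3aaff74884ac42ebd3c1e65298edeb33ec615a5931147b1d8d99b7723bc22 |
C:\Windows\System\WoKVkNV.exe
| MD5 | 15a413bebf58d741055a8c306535c495 |
| SHA1 | 8dbab51f3a92d7689ed530877b8c00f8e0f017ee |
| SHA256 | 7547b94f31f1c8f7b7d89b1bdd1b0f7102daf8fec8641365bc7b29452e970fe0 |
| SHA512 | b2c2659451258e443ca4aa2a66badf1023a98ee0b508b9bfc7ea678c9ed62aad941dd788317987fdb667096bbb3c6882d2796538c08d91d474fefbd5db35447d |
memory/3000-51-0x00007FF7FB850000-0x00007FF7FBBA4000-memory.dmp
memory/4144-49-0x00007FF71F710000-0x00007FF71FA64000-memory.dmp
memory/4452-41-0x00007FF6BC110000-0x00007FF6BC464000-memory.dmp
memory/4452-109-0x00007FF6BC110000-0x00007FF6BC464000-memory.dmp
"""

# Expected hex-digit lengths for the digest columns the listing uses.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

PATH_RE = re.compile(r"^[A-Za-z]:\\")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*(\S+)\s*\|$")
# Assumed dump-name layout, inferred from this page's entries:
#   memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_listing(text):
    """Split the listing into {path: {algo: digest}} and a list of dump regions."""
    files = {}
    regions = []
    current = None
    for raw in text.strip().splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = line
            files.setdefault(current, {})
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            files[current][m.group(1)] = m.group(2).lower()
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            start, end = int(start, 16), int(end, 16)
            regions.append({"pid": int(pid), "index": int(idx),
                            "start": start, "end": end, "size": end - start})
    return files, regions


def check_hashes(files):
    """Return (path, algo, reason) for digests that are missing or malformed."""
    problems = []
    for path, digests in files.items():
        for algo, want in HASH_LEN.items():
            digest = digests.get(algo)
            if digest is None:
                problems.append((path, algo, "missing"))
            elif len(digest) != want or not re.fullmatch(r"[0-9a-f]+", digest):
                problems.append((path, algo, "malformed"))
    return problems


def region_sizes(regions):
    """Group dumped regions by size; one shared size across PIDs suggests one image."""
    by_size = defaultdict(list)
    for r in regions:
        by_size[r["size"]].append((r["pid"], r["index"]))
    return dict(by_size)


def bases_per_pid(regions):
    """Map each PID to the set of base addresses its dumps were taken at."""
    bases = defaultdict(set)
    for r in regions:
        bases[r["pid"]].add(r["start"])
    return dict(bases)


if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE)
    print(f"{len(files)} dropped files, {len(regions)} memory regions")
    for path, digests in files.items():
        print(path, digests["SHA256"])
    print("digest problems:", check_hashes(files))
    for size, where in region_sizes(regions).items():
        print(f"region size 0x{size:X}: {where}")
    for pid, bases in bases_per_pid(regions).items():
        print(pid, [hex(b) for b in bases])
```

Feeding the full listing from this page through `parse_listing` gives a ready-made IOC set (paths plus digests) for blocklists or hunting queries, and `region_sizes` is a quick sanity check that the many dumps really are copies of the same loader rather than distinct payloads.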