Analysis Overview
SHA256
8fc94c3007b1d914b5869e67db6211367e0b69c1c4ee1953ebb95fd6fd0491d3
Threat Level: Known bad
The file 2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
XMRig Miner payload
xmrig
Cobaltstrike family
Cobaltstrike
Xmrig family
XMRig Miner payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-07 19:28
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-07 19:28
Reported
2024-08-07 19:30
Platform
win7-20240704-en
Max time kernel
130s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System\YywOPzI.exe | N/A |
| N/A | N/A | C:\Windows\System\vhIQand.exe | N/A |
| N/A | N/A | C:\Windows\System\kRrhMwu.exe | N/A |
| N/A | N/A | C:\Windows\System\tNnusPC.exe | N/A |
| N/A | N/A | C:\Windows\System\ltrsvHl.exe | N/A |
| N/A | N/A | C:\Windows\System\SIClXoE.exe | N/A |
| N/A | N/A | C:\Windows\System\vTEWYLI.exe | N/A |
| N/A | N/A | C:\Windows\System\sZekaFG.exe | N/A |
| N/A | N/A | C:\Windows\System\bUsNSNr.exe | N/A |
| N/A | N/A | C:\Windows\System\VFgAwcL.exe | N/A |
| N/A | N/A | C:\Windows\System\UOzoLbr.exe | N/A |
| N/A | N/A | C:\Windows\System\LcDDCpU.exe | N/A |
| N/A | N/A | C:\Windows\System\bRgOgVh.exe | N/A |
| N/A | N/A | C:\Windows\System\TvaVaNC.exe | N/A |
| N/A | N/A | C:\Windows\System\vgNhZlV.exe | N/A |
| N/A | N/A | C:\Windows\System\fFuCopx.exe | N/A |
| N/A | N/A | C:\Windows\System\dgPqKLz.exe | N/A |
| N/A | N/A | C:\Windows\System\fFnnosA.exe | N/A |
| N/A | N/A | C:\Windows\System\WSlFbcr.exe | N/A |
| N/A | N/A | C:\Windows\System\ZnLnbwP.exe | N/A |
| N/A | N/A | C:\Windows\System\nDvlvJT.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\YywOPzI.exe
C:\Windows\System\YywOPzI.exe
C:\Windows\System\vhIQand.exe
C:\Windows\System\vhIQand.exe
C:\Windows\System\kRrhMwu.exe
C:\Windows\System\kRrhMwu.exe
C:\Windows\System\tNnusPC.exe
C:\Windows\System\tNnusPC.exe
C:\Windows\System\ltrsvHl.exe
C:\Windows\System\ltrsvHl.exe
C:\Windows\System\SIClXoE.exe
C:\Windows\System\SIClXoE.exe
C:\Windows\System\vTEWYLI.exe
C:\Windows\System\vTEWYLI.exe
C:\Windows\System\sZekaFG.exe
C:\Windows\System\sZekaFG.exe
C:\Windows\System\bUsNSNr.exe
C:\Windows\System\bUsNSNr.exe
C:\Windows\System\VFgAwcL.exe
C:\Windows\System\VFgAwcL.exe
C:\Windows\System\UOzoLbr.exe
C:\Windows\System\UOzoLbr.exe
C:\Windows\System\LcDDCpU.exe
C:\Windows\System\LcDDCpU.exe
C:\Windows\System\bRgOgVh.exe
C:\Windows\System\bRgOgVh.exe
C:\Windows\System\TvaVaNC.exe
C:\Windows\System\TvaVaNC.exe
C:\Windows\System\vgNhZlV.exe
C:\Windows\System\vgNhZlV.exe
C:\Windows\System\fFuCopx.exe
C:\Windows\System\fFuCopx.exe
C:\Windows\System\dgPqKLz.exe
C:\Windows\System\dgPqKLz.exe
C:\Windows\System\fFnnosA.exe
C:\Windows\System\fFnnosA.exe
C:\Windows\System\WSlFbcr.exe
C:\Windows\System\WSlFbcr.exe
C:\Windows\System\ZnLnbwP.exe
C:\Windows\System\ZnLnbwP.exe
C:\Windows\System\nDvlvJT.exe
C:\Windows\System\nDvlvJT.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/1996-0-0x00000000001F0000-0x0000000000200000-memory.dmp
memory/1996-1-0x000000013FF30000-0x0000000140284000-memory.dmp
\Windows\system\YywOPzI.exe
| MD5 | e479b48d3dcf88d0b0197d0dae9dded1 |
| SHA1 | 1e4732ed83d2604b0fc74f01bce86e3ceb9f2698 |
| SHA256 | abcce2d5a5467bbf24afe15e3998bd6e4c2f6c45120826361f61558da19e64c6 |
| SHA512 | 42776f3097983c3da3ce306ea5b2fe25d7214a6848f2151a8e821bee2df78171ec80c0adc98d3fe68ea5b3b212e5f36c9370570fa8b6f3c819a0093e45a47c8e |
memory/1996-6-0x00000000023D0000-0x0000000002724000-memory.dmp
memory/2476-9-0x000000013FCE0000-0x0000000140034000-memory.dmp
\Windows\system\vhIQand.exe
| MD5 | 4385499fec743d4892273f2824229711 |
| SHA1 | 6758e19646ad3d2aba83e1e9886d54899e2a8cb4 |
| SHA256 | e1e313430efdf218ddb6e9cdc5c3eb6dec315dc8f8709979ff7f7dea75923d1c |
| SHA512 | 7044adc64a88bc703eb0a1b894948b2ef3f25c025ee6e2966edbdae2ac6f6db2cff2e346c1880d18cab1d1bbec5cf7f10687ff867df072837df10bda955a5616 |
\Windows\system\kRrhMwu.exe
| MD5 | 44c4d9473a6f2a1480e53a504bb17376 |
| SHA1 | 6564ef2679a6cdd8389d719c758b55ad30afe613 |
| SHA256 | 7b31d01feb24c647e5d084d50a1e8c83daf22ce9dafc93592971eb438a4eeef8 |
| SHA512 | 298fff5182e34939365ff4e1de4ac21b47d16a63458a8f298f4891b5cb45c4f224d44a19b727fc76ae5ec5431fee2f172bc23e3192277a588d90d432616a4fff |
memory/2808-19-0x000000013F090000-0x000000013F3E4000-memory.dmp
\Windows\system\tNnusPC.exe
| MD5 | 8ef819f7011fa0ff6f2cd4d48d626c2a |
| SHA1 | 756c59eeca6b98403451657bf1624533ce7d5fb4 |
| SHA256 | 6e1bb1c4220925260fd1fd88965071437311bc5caf7dbf1dd2c13880e642dd3d |
| SHA512 | 47391ba1539cc02f8e3558a5ef6fc42fbce1baf8d7ad54fb903b252b551668b7184d59adc4ee522620ee7af9087cabc9c44962f3c5c58e5aa229342443ab30c1 |
\Windows\system\ltrsvHl.exe
| MD5 | 7eb430af02a995da37dd75132e2a1832 |
| SHA1 | de1c766a81c0daff6ad84f87758d76095a22af1e |
| SHA256 | 53225b48a938469b4cbc0fa5a55306cd9d4195c59cbf5aab3e94b8257359e520 |
| SHA512 | 90c880c3f986886fb1ab1a73871331079c547cfe1c9fa2acce4c1c582384963f65b43ff7a88735d442b0c975e3f8ce58dec6675178a8b34ebe2db75f811aa90c |
memory/2672-33-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/1996-29-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2216-24-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2756-35-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/1996-39-0x00000000023D0000-0x0000000002724000-memory.dmp
memory/2664-40-0x000000013FC20000-0x000000013FF74000-memory.dmp
C:\Windows\system\SIClXoE.exe
| MD5 | 2d678a9af8bd15070cb04c1a8565d876 |
| SHA1 | c5d9ad361c3a5dad5ac72bd66dda3043b2274205 |
| SHA256 | 14d2fc47e08704eb9d20181be59eb3ceec567bd580921c6ee7b080f133ad490a |
| SHA512 | b1f1e6915ffafb443f8670bc3243d99b5b410bdb537a3c6e01023284e83f755a20a77ce83510eebde379246402002729c72fc90e58bb4299521053ebe5ff6a15 |
memory/1996-34-0x000000013F450000-0x000000013F7A4000-memory.dmp
C:\Windows\system\vTEWYLI.exe
| MD5 | 3241450cea1bb087812986e23768c129 |
| SHA1 | feb104420c5082b06dfabfea4321889e957ec5f3 |
| SHA256 | 78fe14da3b52df8cd98419313f16d6ad3b49b1377c50f603c821e2acc43879f4 |
| SHA512 | fc9ca57c9e80003d7e720d2113dda7a8503c1b4cb7d928cc119cf85285ad231cc9486b51b548f8fc114ac27a204c8423d21e23521d8f099d4de9970b5a00d2c9 |
memory/2848-48-0x000000013F610000-0x000000013F964000-memory.dmp
memory/1996-46-0x000000013F610000-0x000000013F964000-memory.dmp
memory/1996-50-0x000000013FF30000-0x0000000140284000-memory.dmp
\Windows\system\sZekaFG.exe
| MD5 | a7e935f1ac005c1d3f0d8776c1e2a909 |
| SHA1 | dc0a200ffb2a8fa26c1bb9e808450b5375fdec9f |
| SHA256 | 51b5351570b642e7654b83c762780939ad888433ebb5514b828027c6eace5d6c |
| SHA512 | bd108d53f3f35d9ff435d1fd528b240e55e9aab01607cb776eb9e272f9f9517edc2a6fd6f67c6dfeef9394e350ad69204ee049cb7667a76abb165624c7a56b2b |
memory/1996-56-0x000000013F670000-0x000000013F9C4000-memory.dmp
memory/2588-57-0x000000013F670000-0x000000013F9C4000-memory.dmp
memory/2564-63-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/1996-62-0x000000013F350000-0x000000013F6A4000-memory.dmp
C:\Windows\system\bUsNSNr.exe
| MD5 | c6502c7cd2f82e3d246f97378aa2a3ca |
| SHA1 | 21f72af27383ecfb4c09583e7f37203598ee795d |
| SHA256 | e0d128a709c6eaa210d950f8f98cb885a3f2ec2932f4fd6daed7a33b98ec06b4 |
| SHA512 | e290042112d97ae90042989963a8ec6f4c4df23b9a1daa554817005ad6555469df9e40a7bfbd913d4a1f99c9c5af171f416726073be3cbd804028e82b09f6574 |
C:\Windows\system\VFgAwcL.exe
| MD5 | c701c6c26e7f34b5714f89324970a615 |
| SHA1 | 591b55cf63a5430d64835b892e654838c7e97ef3 |
| SHA256 | d541b1f3b8863fb59968a7cf8738316e3176789eb60d11934dde6a0e0ac65b4c |
| SHA512 | 192d5b47ed2fc0dfae7c45261bf4fb5edb0f2a86d95746cb910dd840dd4baf6ccfc165f7e3a0f022c5a24876254bad40a9fb9d6296fd4ed06784be7434583b9b |
C:\Windows\system\LcDDCpU.exe
| MD5 | a9dbc60b23a18d03beb9efb0ed61ac7e |
| SHA1 | 67192516a8dd0a2e79d3ae6a86da14d436822530 |
| SHA256 | 5fa07db1ebfc4fd200b91e92ba66a2e0645496a5c6c4021ec9c0ebd251e26888 |
| SHA512 | 680ee111fbd951d30786f53230796032a1a903c103565f9d852643deb10ea2952757f591445e9bb1cf7a961c46e7446ec3bcc01409934c0bcbf4c2279715c2ff |
\Windows\system\UOzoLbr.exe
| MD5 | c145b89bc25832d84d993172aec66296 |
| SHA1 | 60e065d9dce170640809dbf59e8f4e427443cb27 |
| SHA256 | dba87f8948394d890ebdd2bc5dbcaf58527638d48aaccb4606aea71917d9f0da |
| SHA512 | 170d936b079681351fd5b437a35ce2c0a7966247dfe696ae9909b51ff879d22febca380e4d06288e263e2ddf0e1897735136cf6e2447cbb49e79a275b054f271 |
memory/2216-81-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2988-82-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/1996-83-0x000000013F400000-0x000000013F754000-memory.dmp
memory/1996-85-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2212-84-0x000000013F400000-0x000000013F754000-memory.dmp
memory/1496-86-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2476-74-0x000000013FCE0000-0x0000000140034000-memory.dmp
C:\Windows\system\bRgOgVh.exe
| MD5 | 2b213ed69e846d364681442262e27ff1 |
| SHA1 | 01ad5ff1e942e070c2f9a5404763845f84992309 |
| SHA256 | 916d3dde2d0d368ec2f51c2d62a807d557771e65460fc4980ed383a37d90dd22 |
| SHA512 | 9b589d3b2a49ea5380884c78762f5f20277226d42ad7bc6a61c14c941a6b2a8d7f3c8aee29268a38bf096fa6d8d7ec041e3c9b3fc47bb9e8fbbd24d4c14b7f21 |
memory/2176-91-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/1996-90-0x00000000023D0000-0x0000000002724000-memory.dmp
memory/1996-98-0x000000013FB50000-0x000000013FEA4000-memory.dmp
\Windows\system\TvaVaNC.exe
| MD5 | dc4a5df702801be85ea65e6c59bdf5e6 |
| SHA1 | 6ffe80d6d3f23203fbfe2ac879177d9143164d21 |
| SHA256 | f58001e4096c70402d71c8e4be50b2c7e722a22f0d842a4a111e9d2d77b77e64 |
| SHA512 | c561b70aa2fb644f75191fae7ef79708faeb8adb630cc1d98bf87a3995380e554d428a93c23e50c26024b32edaa77b29332b917d08158b7d01d3cc7bc3e9e468 |
memory/2868-100-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/1996-106-0x000000013F5B0000-0x000000013F904000-memory.dmp
C:\Windows\system\fFnnosA.exe
| MD5 | 113e93373e95e4b39fc93c09d05bd182 |
| SHA1 | b4f60badc0bdc6f4feb83ffd4995be8a5108f598 |
| SHA256 | 1f9ff63e3150395e2bddc4c45d9a117a6af5b672fd9a1be2c4bc0b5f7012d0ea |
| SHA512 | 7fe56555821a4c1011ab929dbf499e7deba7a1c9dc3a0ed8c91a7d2bc99ac758ac33b8ff8954b4cbf10f5da5e9a4fd67f44e567630d256d0544d105963895e51 |
C:\Windows\system\ZnLnbwP.exe
| MD5 | c53e7318e647f9e28e12906cb8fa4696 |
| SHA1 | c4b35254c618d8039a309b29610aaeb5bff76afa |
| SHA256 | e90983e5c082fd97eb22c14c1c3aa062ddde6f0d06b0f86577dde41fe4f0dbf1 |
| SHA512 | 9e4254fed04c670450f762604a0c46798bba900550a8d1333ea91c0daf2f346f79b90b29108ad30ddafc2d1c91a9707383f7861edb4e7596769671d9c69e2c1a |
\Windows\system\nDvlvJT.exe
| MD5 | 4257531dab5691e0b07e1f6a3d3c1aeb |
| SHA1 | 76a9aa6c116baa1d28489a3a21eb0178274f71c1 |
| SHA256 | a5fb93071c7796f8e6d3a0943eabbe14dfa38f7ee4043417acdfacfdc1884c7c |
| SHA512 | 19307a001f520f2f4ad7cf56fce4e175e2d53d69b0dce3472b57380e11b6cc0c48a6d2e19c5136179e4e0d5e001dadc0d2c535d5ab788dbf05125d29df0d5d0f |
C:\Windows\system\WSlFbcr.exe
| MD5 | 13d53bffa7aee823f8edb5f34b90d2bf |
| SHA1 | e1089afff0f10aa61518604c8828cd2e80f7b495 |
| SHA256 | 69c79c5c6898f168ca5134d40d1b8bc1abde3c3ba00e451a32427232407c2d86 |
| SHA512 | 846e189c23125646abc0e2f1f218b87b254049c8c75f405febf128f91a04173ea621841ad86c698110710bddc1c4865f1157fa3494e0146e1898e5667001ef00 |
C:\Windows\system\dgPqKLz.exe
| MD5 | 5b7224f8243f3ac77d9e5ee51975df90 |
| SHA1 | 3c68e5f55f181ae61735108c744858519c2f6796 |
| SHA256 | 8a81aa76ce9918c792b4425425dddf3798899605a57b0634cc5ab27f921364ee |
| SHA512 | 8b43de436c71c45101da9bef181fa8fa3a94f9941c4d39a947ce21bf21440d8b4c31ca02bb0a4fb061c23997a6db087cedfdea5bdc14f94ac754e6d14a43f547 |
C:\Windows\system\fFuCopx.exe
| MD5 | 1421fb68c97f2062ea2f957dc2a1401b |
| SHA1 | 29ac0d5cd3d862b67829110663f45707c5247e81 |
| SHA256 | a49315c803544e45d1fa9a430c175b5acea1d033cdf3d4f5106acb03190e0e72 |
| SHA512 | d65c5d9dbcdb47314c380265f5e4dbc877ac06f83a0d8c6cd4aefc96ca284aded7855f835522179d5d0ebfe4e433d0952628ad15392c3eb2949a1540c7f01f4a |
memory/2664-105-0x000000013FC20000-0x000000013FF74000-memory.dmp
C:\Windows\system\vgNhZlV.exe
| MD5 | c5582723954ab85e5c48134b76c567e0 |
| SHA1 | 3dad44f869eab35c637d62ea1952a0877ba0846e |
| SHA256 | 7dbc217d5cbc49b3cabb6d134c31b8daf7282432851a19686ff4a1adefd6fddf |
| SHA512 | 87f5180d6a69660d340ff2147ea55502d12342b972ecabc09644f0f7ea5475be2417c4134c426d2680da6204b1676758529fcdee5f9833f7688362af21e8229d |
memory/2848-137-0x000000013F610000-0x000000013F964000-memory.dmp
memory/1996-138-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/2564-139-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/1996-140-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/1996-141-0x00000000023D0000-0x0000000002724000-memory.dmp
memory/2176-142-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/1996-143-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/1996-144-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/2476-145-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/2808-146-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2216-147-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2672-148-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2756-149-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2664-150-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2848-151-0x000000013F610000-0x000000013F964000-memory.dmp
memory/2588-152-0x000000013F670000-0x000000013F9C4000-memory.dmp
memory/2564-153-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/2988-154-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/1496-156-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2212-155-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2176-157-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/2868-158-0x000000013FB50000-0x000000013FEA4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-07 19:28
Reported
2024-08-07 19:30
Platform
win10v2004-20240802-en
Max time kernel
140s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System\OAgQTXn.exe | N/A |
| N/A | N/A | C:\Windows\System\tgcITuK.exe | N/A |
| N/A | N/A | C:\Windows\System\rqxsVRc.exe | N/A |
| N/A | N/A | C:\Windows\System\DFCGhcl.exe | N/A |
| N/A | N/A | C:\Windows\System\pIzHjTt.exe | N/A |
| N/A | N/A | C:\Windows\System\DXPWZrL.exe | N/A |
| N/A | N/A | C:\Windows\System\ZcMZEyp.exe | N/A |
| N/A | N/A | C:\Windows\System\ovOwjie.exe | N/A |
| N/A | N/A | C:\Windows\System\dXJTRDl.exe | N/A |
| N/A | N/A | C:\Windows\System\eVpSUPc.exe | N/A |
| N/A | N/A | C:\Windows\System\GWHaqyG.exe | N/A |
| N/A | N/A | C:\Windows\System\LCQnuyM.exe | N/A |
| N/A | N/A | C:\Windows\System\QskeQFP.exe | N/A |
| N/A | N/A | C:\Windows\System\uXKhIfv.exe | N/A |
| N/A | N/A | C:\Windows\System\HvHwXCi.exe | N/A |
| N/A | N/A | C:\Windows\System\wWkiKnw.exe | N/A |
| N/A | N/A | C:\Windows\System\fWpgprB.exe | N/A |
| N/A | N/A | C:\Windows\System\oIGfIdb.exe | N/A |
| N/A | N/A | C:\Windows\System\GelTvQj.exe | N/A |
| N/A | N/A | C:\Windows\System\oaOBtHB.exe | N/A |
| N/A | N/A | C:\Windows\System\EXYkgcM.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_87d95ffb654b96c7cbd7964e84413876_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\OAgQTXn.exe
C:\Windows\System\OAgQTXn.exe
C:\Windows\System\tgcITuK.exe
C:\Windows\System\tgcITuK.exe
C:\Windows\System\rqxsVRc.exe
C:\Windows\System\rqxsVRc.exe
C:\Windows\System\DFCGhcl.exe
C:\Windows\System\DFCGhcl.exe
C:\Windows\System\pIzHjTt.exe
C:\Windows\System\pIzHjTt.exe
C:\Windows\System\DXPWZrL.exe
C:\Windows\System\DXPWZrL.exe
C:\Windows\System\ZcMZEyp.exe
C:\Windows\System\ZcMZEyp.exe
C:\Windows\System\ovOwjie.exe
C:\Windows\System\ovOwjie.exe
C:\Windows\System\dXJTRDl.exe
C:\Windows\System\dXJTRDl.exe
C:\Windows\System\eVpSUPc.exe
C:\Windows\System\eVpSUPc.exe
C:\Windows\System\GWHaqyG.exe
C:\Windows\System\GWHaqyG.exe
C:\Windows\System\LCQnuyM.exe
C:\Windows\System\LCQnuyM.exe
C:\Windows\System\QskeQFP.exe
C:\Windows\System\QskeQFP.exe
C:\Windows\System\uXKhIfv.exe
C:\Windows\System\uXKhIfv.exe
C:\Windows\System\HvHwXCi.exe
C:\Windows\System\HvHwXCi.exe
C:\Windows\System\wWkiKnw.exe
C:\Windows\System\wWkiKnw.exe
C:\Windows\System\fWpgprB.exe
C:\Windows\System\fWpgprB.exe
C:\Windows\System\oIGfIdb.exe
C:\Windows\System\oIGfIdb.exe
C:\Windows\System\GelTvQj.exe
C:\Windows\System\GelTvQj.exe
C:\Windows\System\oaOBtHB.exe
C:\Windows\System\oaOBtHB.exe
C:\Windows\System\EXYkgcM.exe
C:\Windows\System\EXYkgcM.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/2008-0-0x00007FF612BC0000-0x00007FF612F14000-memory.dmp
memory/2008-1-0x000001863F1C0000-0x000001863F1D0000-memory.dmp
C:\Windows\System\OAgQTXn.exe
| MD5 | 5a92b9fb9fc2c479338bcab78a5431e8 |
| SHA1 | 3d1b359ea90b29b3aff0865581150f4c1598495b |
| SHA256 | 9079a14e02c79d1222cd2954fe3d8dac5886a19d6d455d64e4c48d5a331de254 |
| SHA512 | 626f356d06cf4a41d1bf7fef4136106a37375ba4a25e558d26f808f52f746c5eacc4cd8b795db78178b33dce7d1f745d3313a210edb841b9d27d5c73dde54b2a |
memory/3636-8-0x00007FF730AD0000-0x00007FF730E24000-memory.dmp
C:\Windows\System\tgcITuK.exe
| MD5 | 800d32925377b10e467591595a25f275 |
| SHA1 | 95340a112ad3e44e00c0a58e4a8e3cfcaca73b25 |
| SHA256 | a062c9bf248993438250cb2219d16667dbfc41a373caf5d31b8592e52c4fab97 |
| SHA512 | 3e19271d1b211246dd468e594a87ee44c6b7e09fd67e1f611c4e0157e3f45c7434be00bfe534f145340850cbbf9f4c15dcf3f7be88106aaaa609c3433e0b0bb0 |
C:\Windows\System\rqxsVRc.exe
| MD5 | 24e2c2bb757ffc13782b60955eab1cdb |
| SHA1 | 372b4a30d7e3a333159262bc262e474bd46f5f89 |
| SHA256 | 660bf25f96bc80c3bf1af6fc1c5a6f5b025673981e76a2020a5f1cfbd6f4757d |
| SHA512 | eaba697eb49b6a8a535917b46135bbb825b95d38cc7af5079daca0bda30a2002b60934e815bad3405fe14d3fa4607f79af0c9c7da6b83a86506ae1393f57d57c |
memory/3380-14-0x00007FF67ABC0000-0x00007FF67AF14000-memory.dmp
memory/2028-19-0x00007FF703FA0000-0x00007FF7042F4000-memory.dmp
C:\Windows\System\DFCGhcl.exe
| MD5 | d522b87082c42c7ec9e5c59d8de8260c |
| SHA1 | 00e7b32e8d1b41ad45f3946634c17b74e5eb8c60 |
| SHA256 | 755b8dd881ef898c8fd8d23bb83fe3b342cd1e51569d7f3414d650be8c18c86a |
| SHA512 | 335640324571c9f68b94e80a362985d61b03c6bf677761d17e19bd1258d8cb36a1c0868ee2ba71a414e5de4e82470851f8f3a3e6e17753ecc4f2f1b0586caadb |
C:\Windows\System\DXPWZrL.exe
| MD5 | 53e203444b147dc93c08beabf16a389f |
| SHA1 | fe57fa8c4a5ff0e7e9ecf155d81df69b7cebbaac |
| SHA256 | bfa6bb481ff876f79fb25bb866991c8aa190062e42c9a367a47d1f4ed9b051bb |
| SHA512 | 267250aae653dd3afd7d966a5858d331d946025323340736a234e0d675b1122dc423181f3466debcf0d1548969f43fba622fa244d4da200f71bd10ba282842df |
memory/1040-31-0x00007FF6B8F30000-0x00007FF6B9284000-memory.dmp
C:\Windows\System\pIzHjTt.exe
| MD5 | 1d953d87db81e5e5e7bcd1335defd200 |
| SHA1 | 4d10657bad5b13dbf878f8d9006a035e2c915e7b |
| SHA256 | 656c7b9e9b134f42839303aea1a49c9d2f6c2fd97bc78601183ed9a5e57ada81 |
| SHA512 | c8d19538034b69b9b1fbfa6a1a5b92444b7f1dc1886f9e10267ce7167c0ad925dd126e16c715084166760f33b0e721e3c3727ba68083cf60dc05b79c613998a3 |
memory/556-43-0x00007FF6BA610000-0x00007FF6BA964000-memory.dmp
C:\Windows\System\ovOwjie.exe
| MD5 | d4d6ca982226d2371e49b819c4e4444a |
| SHA1 | 58a75583ea2d551f404e25c90c050c5863a6d759 |
| SHA256 | 80bc16bdb3de6bedd10e1339ca6a929cf8f6fd8ad337f132720113e0a6511a73 |
| SHA512 | bf673445696e4c6574702054e876fc19728301356269a3aaf31a9bebe40a253063d26c346f65e306eb593686463b5622a3962ee18a32438844aefe8fa99ace92 |
memory/4260-49-0x00007FF68EEF0000-0x00007FF68F244000-memory.dmp
C:\Windows\System\ZcMZEyp.exe
| MD5 | c342490e0af9db6cbaa8ca2dcd264539 |
| SHA1 | 69b61a9a82c4f74cfd808e325b50536f2f35c25a |
| SHA256 | e665d45a91673f73dc201fa97b85817bd2af09efaa1be2e4a716f5c5e1dd0f59 |
| SHA512 | 85fa7c0fe4b274af813d7e62414f5f08cf20b64fc668eae420fea3cf2bb4947ce942513b74f21ed534befe50aa099c2685fec6389cdad1e69979f6b439fae564 |
memory/1652-45-0x00007FF733FD0000-0x00007FF734324000-memory.dmp
memory/4396-41-0x00007FF63D540000-0x00007FF63D894000-memory.dmp
C:\Windows\System\dXJTRDl.exe
| MD5 | 0410c1305766d8a68f6958224db38969 |
| SHA1 | 229dd25e7c8d0ac3a78c0e3846c5de66160a0ec6 |
| SHA256 | aa388b52ac9b680cc2b25d0dcd77b3b45a2696afabb055a08d4d0ac2feaa2738 |
| SHA512 | 95a026f5d6900fecb061f3673bedbea16f4f1739a96ee47c63d66f28e2fe936574f9eaf892a46871829a32d9dc7126d9d79fbe773f7c3385c8be8b8c56ebfe52 |
memory/116-56-0x00007FF71DAF0000-0x00007FF71DE44000-memory.dmp
C:\Windows\System\eVpSUPc.exe
| MD5 | b02518c920c76c90489020b47a770e50 |
| SHA1 | 8f8fbea12e38df1e96784f7955a735bbe5664eb5 |
| SHA256 | 2d98325eb4b9f707b96781e000f07d6810551a3b0af671b5fec9a7dca23b6a82 |
| SHA512 | b62e5489e1cb901afbc71865f507d20bd95a46e21243da885cc74f48814d49347315eb1d5cd92e5188ba7943675b02e077a11505826af44f209dab6eb2d53b16 |
memory/2160-61-0x00007FF6E9E10000-0x00007FF6EA164000-memory.dmp
C:\Windows\System\GWHaqyG.exe
| MD5 | 52ede3b3f80ae88246ef55c23ac4d5e0 |
| SHA1 | f0b32207bec8f18c3c4075ae76a8579d21a46957 |
| SHA256 | e5693f85c6127a27413acffc6555af0c62bbd63aa63b92e6db2129ac9031e92a |
| SHA512 | ecf4b7b3a206498ab86e85ebde2a754a135b21c3e8670e57e447de5b2db1ead4e325f268e49d8d24321692a5b144d37f6cb95c404e340e8352b91ef7bae75ec9 |
memory/2008-65-0x00007FF612BC0000-0x00007FF612F14000-memory.dmp
C:\Windows\System\LCQnuyM.exe
| MD5 | 54d78b30f845d7a127c57521c8d51a14 |
| SHA1 | ef13f3be28b92081bc357e54a702e3cf2994c316 |
| SHA256 | 8ba49001eac18d986064a2bfef60f251a461bdeb18b4a699289f54c84386788c |
| SHA512 | caa45aef9450f449fbfc493165e846ce64e4c8641f79b5ec13f8d0de44cd6baaa3f917efc82071e34c03ecc8d5ec71534a4a89a47b277359dc05c0ce804d24f5 |
memory/1712-69-0x00007FF7A7A90000-0x00007FF7A7DE4000-memory.dmp
memory/3636-75-0x00007FF730AD0000-0x00007FF730E24000-memory.dmp
memory/1612-78-0x00007FF606510000-0x00007FF606864000-memory.dmp
C:\Windows\System\QskeQFP.exe
| MD5 | 17ebe891c61c938d243760a3e7aef802 |
| SHA1 | 3f702dfbe5889e465367469fdd7e0f1b69d510b3 |
| SHA256 | a6b4678103302fab862643f2309e6c3236f10bed082391fb84e6949b0a1f30f3 |
| SHA512 | d1d50991f2e465434a1aa1048bded3b907004a0ff1dfbe1b65232ec61826b07b5bf7af4aebc5da5c61fdb9fb3c1359aa6985fba5b81e166a1f55830aa3510641 |
C:\Windows\System\HvHwXCi.exe
| MD5 | 8de180bf23094ccab6b763a23271dca1 |
| SHA1 | 54d165e9f33959ce0ea08da028233765eba4d916 |
| SHA256 | 0e807769981a231c6050372ab3266633ece1349ffaab02c605af532d75ab592f |
| SHA512 | 81264e6fdf2732732ea27a34783f47106f468f817f38bec38cfd7eb3c5ccf65cc9a4d69edec02688d34a9f95033478ab66ac8318b055bd8fbada9731ea2ba98b |
C:\Windows\System\fWpgprB.exe
| MD5 | 12e94d95dcb12880ac2fad246a193aa1 |
| SHA1 | a71db75a85faa43a14f07939d48773bbfe12c713 |
| SHA256 | a57ee6f5d5ccad29a181acd91bf360804a4debf26c97e884aafe3c0a6fd9a18e |
| SHA512 | 5b974fc12cacef85eb4a427406c49a9419e3a1d345241db89ec2f44e99d29d29cc8a588e7dcb52b818f51d69e9f887cd6a7b0b67985b272db9efb6ca67a4e642 |
C:\Windows\System\uXKhIfv.exe
| MD5 | aa6663faaff56865384db2edebd53e69 |
| SHA1 | 780611c6c26952f885e80b31a78c1f50d6155191 |
| SHA256 | b7dd86a091d22c62db9171df9b0d80df34d576d2537db0b98fd5e1b124fc97bf |
| SHA512 | 27fed9d3bea2380e0d10db2f337fa4c4304987ac3024fb2c95aac6e45980df99ee87cb765ffcc4c83cf84da3da829ab60b83b5eb1817187076416edb58ea8e98 |
C:\Windows\System\wWkiKnw.exe
| MD5 | c7f63ce5b1068030aaf237da1295f4c0 |
| SHA1 | c8d1732316de052e9ddc4173fbdf5e1eac48d806 |
| SHA256 | 34fe8e29c46857d6e06a39f755453850d62a6234fd80e6be6b8d90eb0bc7fa19 |
| SHA512 | e9cb97ab66fe4d968a6f1ee0946df16ca753bacca17f23229f07a43b9cbd779e5c5aee72c2e7449184bbef94cf3369d709c24be95bd3900d982ba2444bdcbed2 |
C:\Windows\System\oaOBtHB.exe
| MD5 | 08ce73603c171eb9e301f71b1aae4605 |
| SHA1 | 98f2a42be9061bb5881096bb378a1d46a66d14b9 |
| SHA256 | fed57448d240c200a55ec69d96a80ddff4dd4e998d7587354d3314325c4a44af |
| SHA512 | 5334d03c0322adf39677d5e3be8dd2ad54e603d63dd8735590be7a675e95988a44d7e0db0c675d332da766b71264c4529c59693d0b63362d985da535ffce2f7f |
C:\Windows\System\GelTvQj.exe
| MD5 | ff93d06990ff393ba617fe890ecca3af |
| SHA1 | 6aa4dfe518dbf6830270dab4ac5bfd2d8dbcd9ff |
| SHA256 | 0ea6fda6d0db90814ce86bcd7e9e08e708919da9b02ffabda514ba0277988e56 |
| SHA512 | b45a14a1778fc23f5fc1a333473e088c2b8046d90d5886c7368939353a08100d849c57f669670f4512196810960a1e0c7dc97d824cabee4043444e99c870e27a |
memory/556-113-0x00007FF6BA610000-0x00007FF6BA964000-memory.dmp
memory/2852-112-0x00007FF6D8D90000-0x00007FF6D90E4000-memory.dmp
C:\Windows\System\oIGfIdb.exe
| MD5 | 75ce01334acd5ee61db58f89ed872784 |
| SHA1 | c609d4b507dbb5d434ca656aee37aa0be6b73b35 |
| SHA256 | 95feb6978a3883413b801992af5a14b35bc14290fb3cc39af27c88b1de1b3e1e |
| SHA512 | 2df97d7f9de9a5ecd607f47f299f2c361e0e88c61d52df81e3bb71ad5993969ef8c0c0edaae0c9cbf6761ac09dce95780f0c0f94c023841ed15204e0ae364ecc |
memory/1020-103-0x00007FF61DA50000-0x00007FF61DDA4000-memory.dmp
memory/1636-104-0x00007FF708F80000-0x00007FF7092D4000-memory.dmp
memory/2584-97-0x00007FF6A4700000-0x00007FF6A4A54000-memory.dmp
memory/2028-88-0x00007FF703FA0000-0x00007FF7042F4000-memory.dmp
memory/2164-87-0x00007FF7F3170000-0x00007FF7F34C4000-memory.dmp
C:\Windows\System\EXYkgcM.exe
| MD5 | 775f2fb6dc8aa63ad19fd8cdba1b28a2 |
| SHA1 | 682244e7e4bac2c253f102f608eb13ea3a025e11 |
| SHA256 | fbdf2b4a560cd3cebce3a55c0c91d0bebcde5a960aa0b0954dea10bc006db874 |
| SHA512 | c5dde9e8bfd438b40cc864bba62be9edafd691691a68cb99834f2137d3f787775de0c4e6030599cad94e4e159be52dfee33cea04adb4c22f7e9be54c4885331d |
memory/4500-129-0x00007FF7A1640000-0x00007FF7A1994000-memory.dmp
memory/4292-125-0x00007FF6C8C10000-0x00007FF6C8F64000-memory.dmp
memory/2292-120-0x00007FF6C1560000-0x00007FF6C18B4000-memory.dmp
memory/2024-119-0x00007FF74C560000-0x00007FF74C8B4000-memory.dmp
memory/2160-132-0x00007FF6E9E10000-0x00007FF6EA164000-memory.dmp
memory/1712-133-0x00007FF7A7A90000-0x00007FF7A7DE4000-memory.dmp
memory/2584-134-0x00007FF6A4700000-0x00007FF6A4A54000-memory.dmp
memory/1636-135-0x00007FF708F80000-0x00007FF7092D4000-memory.dmp
memory/2852-136-0x00007FF6D8D90000-0x00007FF6D90E4000-memory.dmp
memory/4292-138-0x00007FF6C8C10000-0x00007FF6C8F64000-memory.dmp
memory/2292-137-0x00007FF6C1560000-0x00007FF6C18B4000-memory.dmp
memory/4500-139-0x00007FF7A1640000-0x00007FF7A1994000-memory.dmp
memory/3636-140-0x00007FF730AD0000-0x00007FF730E24000-memory.dmp
memory/3380-141-0x00007FF67ABC0000-0x00007FF67AF14000-memory.dmp
memory/2028-142-0x00007FF703FA0000-0x00007FF7042F4000-memory.dmp
memory/1040-143-0x00007FF6B8F30000-0x00007FF6B9284000-memory.dmp
memory/4396-144-0x00007FF63D540000-0x00007FF63D894000-memory.dmp
memory/1652-145-0x00007FF733FD0000-0x00007FF734324000-memory.dmp
memory/4260-146-0x00007FF68EEF0000-0x00007FF68F244000-memory.dmp
memory/556-147-0x00007FF6BA610000-0x00007FF6BA964000-memory.dmp
memory/116-148-0x00007FF71DAF0000-0x00007FF71DE44000-memory.dmp
memory/2160-149-0x00007FF6E9E10000-0x00007FF6EA164000-memory.dmp
memory/1612-150-0x00007FF606510000-0x00007FF606864000-memory.dmp
memory/1712-151-0x00007FF7A7A90000-0x00007FF7A7DE4000-memory.dmp
memory/2164-152-0x00007FF7F3170000-0x00007FF7F34C4000-memory.dmp
memory/1020-153-0x00007FF61DA50000-0x00007FF61DDA4000-memory.dmp
memory/2584-154-0x00007FF6A4700000-0x00007FF6A4A54000-memory.dmp
memory/1636-155-0x00007FF708F80000-0x00007FF7092D4000-memory.dmp
memory/2024-156-0x00007FF74C560000-0x00007FF74C8B4000-memory.dmp
memory/2852-157-0x00007FF6D8D90000-0x00007FF6D90E4000-memory.dmp
memory/2292-159-0x00007FF6C1560000-0x00007FF6C18B4000-memory.dmp
memory/4500-158-0x00007FF7A1640000-0x00007FF7A1994000-memory.dmp
memory/4292-160-0x00007FF6C8C10000-0x00007FF6C8F64000-memory.dmp
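Every memory dump above spans exactly 0x354000 bytes (for example 0x00007FF68F244000 - 0x00007FF68EEF0000), the base differs per process only because of ASLR, and processes dumped more than once (PID 2160 at sequence 61, 132 and 149; PID 1712 at 69, 133 and 151) keep the same base, which is consistent with each dropped executable unpacking the same image. The following Python is an added worked example, not part of the sandbox report or the vendor's tooling: it parses listing lines of this shape into an IOC set, validates digest lengths so a truncated row is rejected rather than shipped as an indicator, derives the region-size observation, and emits a hunting clause. The sample input is constructed from a few of the report's own lines, and the KQL-style `where SHA256 in (...)` clause and its column name are assumptions about the target telemetry schema.

```python
"""Parse the dropped-file hash tables and memory-dump entries from a sandbox
report listing into IOC sets, and check what the dump regions have in common."""
import re
from collections import defaultdict

# Constructed sample input: a handful of lines copied from the report's own
# dropped-file and memory-dump listing (not the full list).
REPORT_LINES = r"""
memory/4260-49-0x00007FF68EEF0000-0x00007FF68F244000-memory.dmp
C:\Windows\System\ZcMZEyp.exe
| MD5 | c342490e0af9db6cbaa8ca2dcd264539 |
| SHA1 | 69b61a9a82c4f74cfd808e325b50536f2f35c25a |
| SHA256 | e665d45a91673f73dc201fa97b85817bd2af09efaa1be2e4a716f5c5e1dd0f59 |
memory/1652-45-0x00007FF733FD0000-0x00007FF734324000-memory.dmp
memory/4396-41-0x00007FF63D540000-0x00007FF63D894000-memory.dmp
C:\Windows\System\dXJTRDl.exe
| MD5 | 0410c1305766d8a68f6958224db38969 |
| SHA256 | aa388b52ac9b680cc2b25d0dcd77b3b45a2696afabb055a08d4d0ac2feaa2738 |
memory/2160-61-0x00007FF6E9E10000-0x00007FF6EA164000-memory.dmp
memory/2160-132-0x00007FF6E9E10000-0x00007FF6EA164000-memory.dmp
""".strip().splitlines()

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")
DIGEST_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_report(lines):
    """Return (dropped, dumps).

    dropped: {path: {algorithm: digest}} for every dropped-file block.
    dumps:   [{pid, seq, start, end, size}] for every memory dump entry.
    A hash row with the wrong digest length (a truncated or garbled line)
    raises ValueError instead of being silently accepted as an IOC.
    """
    dropped = {}
    dumps = []
    current = None  # path of the dropped-file block we are inside
    for line in lines:
        line = line.strip()
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
            dumps.append({"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start})
            current = None  # a dump line ends the current hash table
            continue
        if PATH_RE.match(line):
            current = line
            dropped.setdefault(current, {})
            continue
        m = HASH_RE.match(line)
        if m:
            alg, digest = m[1], m[2].lower()
            if len(digest) != DIGEST_HEX_LEN[alg]:
                raise ValueError(f"{alg} digest of wrong length on line: {line!r}")
            if current is None:
                raise ValueError(f"hash row without a preceding file path: {line!r}")
            dropped[current][alg] = digest
    return dropped, dumps


def region_sizes(dumps):
    """Distinct sizes of the dumped regions; a single value means every
    process had an image of identical size mapped (ASLR only moves the base)."""
    return {d["size"] for d in dumps}


def pids_with_stable_base(dumps):
    """PIDs dumped more than once whose region base never moved between dumps."""
    regions = defaultdict(set)
    counts = defaultdict(int)
    for d in dumps:
        regions[d["pid"]].add((d["start"], d["end"]))
        counts[d["pid"]] += 1
    return {pid for pid, r in regions.items() if counts[pid] > 1 and len(r) == 1}


def sha256_hunting_clause(dropped, column="SHA256"):
    """Build a KQL-style `where <column> in (...)` clause from the dropped
    files' SHA256 digests. The column name is an assumption about the
    target schema; adjust it to the telemetry you query."""
    digests = sorted({h["SHA256"] for h in dropped.values() if "SHA256" in h})
    quoted = ", ".join(f'"{d}"' for d in digests)
    return f"| where {column} in ({quoted})"


if __name__ == "__main__":
    dropped, dumps = parse_report(REPORT_LINES)
    print(f"{len(dropped)} dropped files, {len(dumps)} memory dumps")
    print("region sizes:", [hex(s) for s in region_sizes(dumps)])
    print("pids with stable base:", pids_with_stable_base(dumps))
    print(sha256_hunting_clause(dropped))
```

Run against the full listing, `region_sizes` returns the single value 0x354000 and `pids_with_stable_base` returns every PID that appears more than once, which is the quickest way to confirm the dumps are repeated captures of one unpacked image rather than distinct payloads; the rejected-row check matters because the first hash block in this section is cut off and a parser that accepted a partial digest would produce an indicator that never matches anything.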