Analysis Overview
SHA256
237ac774ed9765035e75e8b788c8240891a0207f40f435d21f7300544c6d2eeb
Threat Level: Known bad
The file 2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
Cobalt Strike reflective loader
Cobaltstrike
Cobaltstrike family
Xmrig family
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-08-07 20:42
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-07 20:42
Reported
2024-08-07 20:44
Platform
win7-20240704-en
Max time kernel
147s
Max time network
152s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\NnymmRb.exe | N/A |
| N/A | N/A | C:\Windows\System\bsJMxbx.exe | N/A |
| N/A | N/A | C:\Windows\System\gKBRBDA.exe | N/A |
| N/A | N/A | C:\Windows\System\zPChrJZ.exe | N/A |
| N/A | N/A | C:\Windows\System\bOYjrgP.exe | N/A |
| N/A | N/A | C:\Windows\System\HBrWbtj.exe | N/A |
| N/A | N/A | C:\Windows\System\LocCdgH.exe | N/A |
| N/A | N/A | C:\Windows\System\mCVFDvv.exe | N/A |
| N/A | N/A | C:\Windows\System\fMZMkcP.exe | N/A |
| N/A | N/A | C:\Windows\System\iXdppRh.exe | N/A |
| N/A | N/A | C:\Windows\System\EVrItBL.exe | N/A |
| N/A | N/A | C:\Windows\System\USXlIkf.exe | N/A |
| N/A | N/A | C:\Windows\System\chyTqcD.exe | N/A |
| N/A | N/A | C:\Windows\System\RkwKbLQ.exe | N/A |
| N/A | N/A | C:\Windows\System\nIBpIQU.exe | N/A |
| N/A | N/A | C:\Windows\System\TrPxHSb.exe | N/A |
| N/A | N/A | C:\Windows\System\AgpFylb.exe | N/A |
| N/A | N/A | C:\Windows\System\QgPPGNC.exe | N/A |
| N/A | N/A | C:\Windows\System\HbaDVdn.exe | N/A |
| N/A | N/A | C:\Windows\System\eAxBqYr.exe | N/A |
| N/A | N/A | C:\Windows\System\VJwJXcz.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\NnymmRb.exe | C:\Windows\System\NnymmRb.exe |
| C:\Windows\System\bsJMxbx.exe | C:\Windows\System\bsJMxbx.exe |
| C:\Windows\System\gKBRBDA.exe | C:\Windows\System\gKBRBDA.exe |
| C:\Windows\System\bOYjrgP.exe | C:\Windows\System\bOYjrgP.exe |
| C:\Windows\System\zPChrJZ.exe | C:\Windows\System\zPChrJZ.exe |
| C:\Windows\System\HBrWbtj.exe | C:\Windows\System\HBrWbtj.exe |
| C:\Windows\System\LocCdgH.exe | C:\Windows\System\LocCdgH.exe |
| C:\Windows\System\fMZMkcP.exe | C:\Windows\System\fMZMkcP.exe |
| C:\Windows\System\mCVFDvv.exe | C:\Windows\System\mCVFDvv.exe |
| C:\Windows\System\iXdppRh.exe | C:\Windows\System\iXdppRh.exe |
| C:\Windows\System\EVrItBL.exe | C:\Windows\System\EVrItBL.exe |
| C:\Windows\System\chyTqcD.exe | C:\Windows\System\chyTqcD.exe |
| C:\Windows\System\USXlIkf.exe | C:\Windows\System\USXlIkf.exe |
| C:\Windows\System\RkwKbLQ.exe | C:\Windows\System\RkwKbLQ.exe |
| C:\Windows\System\nIBpIQU.exe | C:\Windows\System\nIBpIQU.exe |
| C:\Windows\System\TrPxHSb.exe | C:\Windows\System\TrPxHSb.exe |
| C:\Windows\System\AgpFylb.exe | C:\Windows\System\AgpFylb.exe |
| C:\Windows\System\QgPPGNC.exe | C:\Windows\System\QgPPGNC.exe |
| C:\Windows\System\HbaDVdn.exe | C:\Windows\System\HbaDVdn.exe |
| C:\Windows\System\eAxBqYr.exe | C:\Windows\System\eAxBqYr.exe |
| C:\Windows\System\VJwJXcz.exe | C:\Windows\System\VJwJXcz.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-07 20:42
Reported
2024-08-07 20:44
Platform
win10v2004-20240802-en
Max time kernel
138s
Max time network
147s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\AFFJgWG.exe | N/A |
| N/A | N/A | C:\Windows\System\NAjEhGp.exe | N/A |
| N/A | N/A | C:\Windows\System\FrgxtFn.exe | N/A |
| N/A | N/A | C:\Windows\System\THBlTRN.exe | N/A |
| N/A | N/A | C:\Windows\System\mvOBSnn.exe | N/A |
| N/A | N/A | C:\Windows\System\pAZLPWm.exe | N/A |
| N/A | N/A | C:\Windows\System\fNnVRde.exe | N/A |
| N/A | N/A | C:\Windows\System\IbYVoDZ.exe | N/A |
| N/A | N/A | C:\Windows\System\WNUqMAW.exe | N/A |
| N/A | N/A | C:\Windows\System\mcnoWTv.exe | N/A |
| N/A | N/A | C:\Windows\System\LKTdldf.exe | N/A |
| N/A | N/A | C:\Windows\System\koPWKDN.exe | N/A |
| N/A | N/A | C:\Windows\System\utChYOc.exe | N/A |
| N/A | N/A | C:\Windows\System\QzarDqv.exe | N/A |
| N/A | N/A | C:\Windows\System\AzRHMSx.exe | N/A |
| N/A | N/A | C:\Windows\System\jkZZWgY.exe | N/A |
| N/A | N/A | C:\Windows\System\mVBFHwy.exe | N/A |
| N/A | N/A | C:\Windows\System\UuEHRiP.exe | N/A |
| N/A | N/A | C:\Windows\System\GNhEzGO.exe | N/A |
| N/A | N/A | C:\Windows\System\VuSmMnX.exe | N/A |
| N/A | N/A | C:\Windows\System\bbYdIsc.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-07_01c56173cdbdfe59ff4416ecdcd81065_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\AFFJgWG.exe | C:\Windows\System\AFFJgWG.exe |
| C:\Windows\System\NAjEhGp.exe | C:\Windows\System\NAjEhGp.exe |
| C:\Windows\System\FrgxtFn.exe | C:\Windows\System\FrgxtFn.exe |
| C:\Windows\System\THBlTRN.exe | C:\Windows\System\THBlTRN.exe |
| C:\Windows\System\mvOBSnn.exe | C:\Windows\System\mvOBSnn.exe |
| C:\Windows\System\pAZLPWm.exe | C:\Windows\System\pAZLPWm.exe |
| C:\Windows\System\fNnVRde.exe | C:\Windows\System\fNnVRde.exe |
| C:\Windows\System\IbYVoDZ.exe | C:\Windows\System\IbYVoDZ.exe |
| C:\Windows\System\mcnoWTv.exe | C:\Windows\System\mcnoWTv.exe |
| C:\Windows\System\WNUqMAW.exe | C:\Windows\System\WNUqMAW.exe |
| C:\Windows\System\LKTdldf.exe | C:\Windows\System\LKTdldf.exe |
| C:\Windows\System\koPWKDN.exe | C:\Windows\System\koPWKDN.exe |
| C:\Windows\System\utChYOc.exe | C:\Windows\System\utChYOc.exe |
| C:\Windows\System\QzarDqv.exe | C:\Windows\System\QzarDqv.exe |
| C:\Windows\System\AzRHMSx.exe | C:\Windows\System\AzRHMSx.exe |
| C:\Windows\System\jkZZWgY.exe | C:\Windows\System\jkZZWgY.exe |
| C:\Windows\System\mVBFHwy.exe | C:\Windows\System\mVBFHwy.exe |
| C:\Windows\System\UuEHRiP.exe | C:\Windows\System\UuEHRiP.exe |
| C:\Windows\System\GNhEzGO.exe | C:\Windows\System\GNhEzGO.exe |
| C:\Windows\System\VuSmMnX.exe | C:\Windows\System\VuSmMnX.exe |
| C:\Windows\System\bbYdIsc.exe | C:\Windows\System\bbYdIsc.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
C:\Windows\System\mVBFHwy.exe
| MD5 | 85c23c610a1081e66b2eef36592f725a |
| SHA1 | c7cefef2e1f5db363e80628c4490a3ad9bcceb6f |
| SHA256 | 31c86cc94a03329b5fe9deb8e6044f5ade912c7df46d33ab400060feb52c7af7 |
| SHA512 | 1a4897b4557f013fe6d3badbd70c85a59fdad4fe8eb9579e742b44880bc384402a32354c157da38a157fbe1e99e15bb7862e2405fc0c443f73240962bdfc041a |
C:\Windows\System\VuSmMnX.exe
| MD5 | 5c1450bdbe278b979402546c44ee6532 |
| SHA1 | dcc02982b4f6f5f6ceefee26e1d3256460070673 |
| SHA256 | cd9ec3f374dd6298c084d77852fa80be7d80f5236fc780cc9da1ca87e4692cc3 |
| SHA512 | e507a585e14841cf1577895538f2c133c9ebfaff2d587c156691214b63b2a92e8bb803b1ae8225a5284f113968e7c1cd4b9fef67311bf2d39304d7f059340bbc |
C:\Windows\System\bbYdIsc.exe
| MD5 | ec7e4ff94c18239bf2ee2d893db67f60 |
| SHA1 | adf4aa2922f126b78cace79f6b66d1ab033d63c1 |
| SHA256 | a372a64a204e51cc6b86664caed628fccb46e5a2d676b3cc77e34adef2f0369d |
| SHA512 | 73ec6306c576ee212ee7eefda00985c6964be8b6b74bcc2330ca035c7bdb66f38cdae75fda8cb0e1d82372e57b2798d4ad3ce67f6b58311eb8f1568aa61b8910 |
memory/2700-123-0x00007FF7C9F80000-0x00007FF7CA2D4000-memory.dmp
memory/1616-127-0x00007FF6B1300000-0x00007FF6B1654000-memory.dmp
memory/4136-126-0x00007FF786070000-0x00007FF7863C4000-memory.dmp
memory/1524-125-0x00007FF72F0E0000-0x00007FF72F434000-memory.dmp
memory/3276-121-0x00007FF6CFCE0000-0x00007FF6D0034000-memory.dmp
memory/2480-117-0x00007FF76D140000-0x00007FF76D494000-memory.dmp
memory/2372-116-0x00007FF6F1120000-0x00007FF6F1474000-memory.dmp
C:\Windows\System\GNhEzGO.exe
| MD5 | aafdb4aa24b2d8cc5c270b87bb46a33e |
| SHA1 | c38f04a1765a47eb2b57d3206abe636b9ef54546 |
| SHA256 | 31ffc5ed0350ead5839f2b678b3f088e9a0b6d1ff6147ba933fc91fa631f6be3 |
| SHA512 | 772eaa327db0a3b33aadcf4db39e3a724daf8413aa11275251e9f39efbe68d0d3faebed4600532c57f7f53ccff4bb862900c37f5956ca2c474459c5634c0c96b |
memory/4068-112-0x00007FF6A60C0000-0x00007FF6A6414000-memory.dmp
C:\Windows\System\UuEHRiP.exe
| MD5 | 9951fd045f286a37d46b5b9b466e84a0 |
| SHA1 | 895f045965c8e12bc58465b593535786d61cc062 |
| SHA256 | 3f9bbc7b4b17dbc7cfb1abf3378b84c41b90d8b7bf1ab65f441031999a2e8b1f |
| SHA512 | 96d368a16f7ec25ccbf418df67188a93286d36652d16d4e9f6b83bee3396c6897653acf4d2e252a1f906e702fe0b1c1ecb3760d95618c75fb1813cd870690c91 |
memory/456-104-0x00007FF6414D0000-0x00007FF641824000-memory.dmp
memory/4664-95-0x00007FF792490000-0x00007FF7927E4000-memory.dmp
memory/1724-92-0x00007FF6F9640000-0x00007FF6F9994000-memory.dmp
memory/3736-132-0x00007FF601C10000-0x00007FF601F64000-memory.dmp
memory/3688-133-0x00007FF6F54A0000-0x00007FF6F57F4000-memory.dmp
memory/4916-134-0x00007FF6438A0000-0x00007FF643BF4000-memory.dmp
memory/2540-135-0x00007FF673E20000-0x00007FF674174000-memory.dmp
memory/4664-136-0x00007FF792490000-0x00007FF7927E4000-memory.dmp
memory/456-137-0x00007FF6414D0000-0x00007FF641824000-memory.dmp
memory/4068-138-0x00007FF6A60C0000-0x00007FF6A6414000-memory.dmp
memory/2700-139-0x00007FF7C9F80000-0x00007FF7CA2D4000-memory.dmp
memory/1524-140-0x00007FF72F0E0000-0x00007FF72F434000-memory.dmp
memory/2596-141-0x00007FF7DCD60000-0x00007FF7DD0B4000-memory.dmp
memory/4400-142-0x00007FF6BFC90000-0x00007FF6BFFE4000-memory.dmp
memory/1376-143-0x00007FF751440000-0x00007FF751794000-memory.dmp
memory/2480-144-0x00007FF76D140000-0x00007FF76D494000-memory.dmp
memory/3276-145-0x00007FF6CFCE0000-0x00007FF6D0034000-memory.dmp
memory/3736-146-0x00007FF601C10000-0x00007FF601F64000-memory.dmp
memory/952-147-0x00007FF75EA70000-0x00007FF75EDC4000-memory.dmp
memory/3688-149-0x00007FF6F54A0000-0x00007FF6F57F4000-memory.dmp
memory/1616-148-0x00007FF6B1300000-0x00007FF6B1654000-memory.dmp
memory/1160-150-0x00007FF71E780000-0x00007FF71EAD4000-memory.dmp
memory/4916-152-0x00007FF6438A0000-0x00007FF643BF4000-memory.dmp
memory/2540-151-0x00007FF673E20000-0x00007FF674174000-memory.dmp
memory/3356-153-0x00007FF7E48B0000-0x00007FF7E4C04000-memory.dmp
memory/1724-154-0x00007FF6F9640000-0x00007FF6F9994000-memory.dmp
memory/4664-156-0x00007FF792490000-0x00007FF7927E4000-memory.dmp
memory/456-155-0x00007FF6414D0000-0x00007FF641824000-memory.dmp
memory/2372-157-0x00007FF6F1120000-0x00007FF6F1474000-memory.dmp
memory/4136-159-0x00007FF786070000-0x00007FF7863C4000-memory.dmp
memory/4068-158-0x00007FF6A60C0000-0x00007FF6A6414000-memory.dmp
memory/2700-160-0x00007FF7C9F80000-0x00007FF7CA2D4000-memory.dmp
memory/1524-161-0x00007FF72F0E0000-0x00007FF72F434000-memory.dmp
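The dropped-file hash tables and `memory/PID-N-start-end-memory.dmp` entries above are the parts of this report an analyst actually reuses, so here is a small Python triage helper that parses them in the form they are printed on this page. It is an added example, not part of the sandbox's own output or tooling, and it assumes only the listing format shown above (an absolute `.exe` path followed by `| ALGO | hex |` rows, and the memory-dump filename pattern). The embedded sample is a slice of this report's own lines, not constructed data. Beyond collecting the hashes into a blocklist-ready set, it checks each digest has the length its algorithm requires (a truncated IOC silently matches nothing) and computes the size of every dumped region; on this sample every region comes out at 0x354000 bytes, which is the same image mapped into many processes under different randomly named executables, and the PIDs that were dumped more than once fall out as well.

```python
import re
from collections import Counter

# Verbatim lines from the dropped-files section of this report (order as printed).
REPORT = r"""
C:\Windows\System\WNUqMAW.exe
| MD5 | e05f3aa736af887cc6a0e7c1e93acc09 |
| SHA1 | 97fe7562ebbd6d67d2e3aaacf8339457e822a087 |
| SHA256 | a19277da9141fb7d4a0555d7103594016c5fb73811287e72929c0c268fa2787d |
C:\Windows\System\mcnoWTv.exe
| MD5 | ea8930f1c78f31675544eb8ad6b916ad |
| SHA1 | d4dcd88b3ca2a91e4f02858660ead6d05ae785d1 |
| SHA256 | 5f8e6dd8e91c4efa329d5b720afd90ed3d846d31472a0c48bf32ac880f43c44c |
memory/2540-74-0x00007FF673E20000-0x00007FF674174000-memory.dmp
memory/1160-69-0x00007FF71E780000-0x00007FF71EAD4000-memory.dmp
memory/3736-50-0x00007FF601C10000-0x00007FF601F64000-memory.dmp
memory/3736-132-0x00007FF601C10000-0x00007FF601F64000-memory.dmp
memory/2540-135-0x00007FF673E20000-0x00007FF674174000-memory.dmp
"""

# Assumed layout of the report as rendered on this page (not a documented sandbox format).
PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Hex-digest lengths; anything else is a copy/paste truncation, not a usable IOC.
EXPECTED_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_report(text):
    """Return ({path: {algo: hexdigest}}, [(pid, seq, start, end), ...])."""
    files, regions, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            current = line
            files[current] = {}
        elif (m := HASH_RE.match(line)) and current is not None:
            files[current][m.group(1)] = m.group(2).lower()
        elif (m := MEM_RE.match(line)):
            pid, seq, start, end = m.groups()
            regions.append((int(pid), int(seq), int(start, 16), int(end, 16)))
    return files, regions


def validate_hashes(files):
    """List (path, algo) pairs whose digest length does not match the algorithm."""
    return [(path, algo) for path, digests in files.items()
            for algo, hexdigest in digests.items()
            if len(hexdigest) != EXPECTED_LEN[algo]]


def blocklist(files, algo="SHA256"):
    """Set of digests for one algorithm, ready to feed an EDR/AV custom IOC list."""
    return {d[algo] for d in files.values() if algo in d}


def region_size_histogram(regions):
    """Counter of (end - start) sizes; one dominant size means one image reused everywhere."""
    return Counter(end - start for _, _, start, end in regions)


def repeated_pids(regions):
    """PIDs whose memory was dumped more than once during the run, sorted."""
    counts = Counter(pid for pid, _, _, _ in regions)
    return sorted(pid for pid, n in counts.items() if n > 1)


if __name__ == "__main__":
    files, regions = parse_report(REPORT)
    print(f"{len(files)} dropped files, {len(regions)} memory regions")
    print("bad digests:", validate_hashes(files))
    for size, n in region_size_histogram(regions).items():
        print(f"region size 0x{size:X} seen {n} times")
    print("PIDs dumped more than once:", repeated_pids(regions))
```

Feed it the full listing (every `C:\Windows\System\*.exe` block and every `memory/...` line on this page) rather than the slice embedded here; the region-size histogram then shows whether every dropped executable maps to the same 0x354000-byte image, which is the quickest way to confirm that the randomly named drops are copies of one payload rather than distinct stages.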