Analysis Overview
SHA256
da546be39afefac19381843da07b48a75351d54012a615c3d01ac49cb075e44e
Threat Level: Known bad
The file 2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike
Cobaltstrike family
Xmrig family
XMRig Miner payload
xmrig
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-13 11:48
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 11:48
Reported
2024-08-13 11:51
Platform
win7-20240705-en
Max time kernel
142s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ILgcBpl.exe | N/A |
| N/A | N/A | C:\Windows\System\cvlVZkk.exe | N/A |
| N/A | N/A | C:\Windows\System\iuwqlxB.exe | N/A |
| N/A | N/A | C:\Windows\System\SckhVTK.exe | N/A |
| N/A | N/A | C:\Windows\System\AUyGpcG.exe | N/A |
| N/A | N/A | C:\Windows\System\zsYRnVP.exe | N/A |
| N/A | N/A | C:\Windows\System\rxXCPLB.exe | N/A |
| N/A | N/A | C:\Windows\System\CtpEjgB.exe | N/A |
| N/A | N/A | C:\Windows\System\osZAJSs.exe | N/A |
| N/A | N/A | C:\Windows\System\wSgxCXv.exe | N/A |
| N/A | N/A | C:\Windows\System\xtRRxBY.exe | N/A |
| N/A | N/A | C:\Windows\System\okashqQ.exe | N/A |
| N/A | N/A | C:\Windows\System\qIsVdXR.exe | N/A |
| N/A | N/A | C:\Windows\System\QacaVvW.exe | N/A |
| N/A | N/A | C:\Windows\System\acYnYtf.exe | N/A |
| N/A | N/A | C:\Windows\System\sVdHZMV.exe | N/A |
| N/A | N/A | C:\Windows\System\UnDfvDn.exe | N/A |
| N/A | N/A | C:\Windows\System\HlFdHWe.exe | N/A |
| N/A | N/A | C:\Windows\System\hkdaMJj.exe | N/A |
| N/A | N/A | C:\Windows\System\kspvCuc.exe | N/A |
| N/A | N/A | C:\Windows\System\kdLWyMv.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\ILgcBpl.exe
C:\Windows\System\ILgcBpl.exe
C:\Windows\System\cvlVZkk.exe
C:\Windows\System\cvlVZkk.exe
C:\Windows\System\xtRRxBY.exe
C:\Windows\System\xtRRxBY.exe
C:\Windows\System\iuwqlxB.exe
C:\Windows\System\iuwqlxB.exe
C:\Windows\System\okashqQ.exe
C:\Windows\System\okashqQ.exe
C:\Windows\System\SckhVTK.exe
C:\Windows\System\SckhVTK.exe
C:\Windows\System\qIsVdXR.exe
C:\Windows\System\qIsVdXR.exe
C:\Windows\System\AUyGpcG.exe
C:\Windows\System\AUyGpcG.exe
C:\Windows\System\QacaVvW.exe
C:\Windows\System\QacaVvW.exe
C:\Windows\System\zsYRnVP.exe
C:\Windows\System\zsYRnVP.exe
C:\Windows\System\acYnYtf.exe
C:\Windows\System\acYnYtf.exe
C:\Windows\System\rxXCPLB.exe
C:\Windows\System\rxXCPLB.exe
C:\Windows\System\sVdHZMV.exe
C:\Windows\System\sVdHZMV.exe
C:\Windows\System\CtpEjgB.exe
C:\Windows\System\CtpEjgB.exe
C:\Windows\System\UnDfvDn.exe
C:\Windows\System\UnDfvDn.exe
C:\Windows\System\osZAJSs.exe
C:\Windows\System\osZAJSs.exe
C:\Windows\System\HlFdHWe.exe
C:\Windows\System\HlFdHWe.exe
C:\Windows\System\wSgxCXv.exe
C:\Windows\System\wSgxCXv.exe
C:\Windows\System\hkdaMJj.exe
C:\Windows\System\hkdaMJj.exe
C:\Windows\System\kdLWyMv.exe
C:\Windows\System\kdLWyMv.exe
C:\Windows\System\kspvCuc.exe
C:\Windows\System\kspvCuc.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 11:48
Reported
2024-08-13 11:51
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
153s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\SIFawRG.exe | N/A |
| N/A | N/A | C:\Windows\System\eEZdgdD.exe | N/A |
| N/A | N/A | C:\Windows\System\qUKGopp.exe | N/A |
| N/A | N/A | C:\Windows\System\QBpevcS.exe | N/A |
| N/A | N/A | C:\Windows\System\sVJctfI.exe | N/A |
| N/A | N/A | C:\Windows\System\ZMXwTHu.exe | N/A |
| N/A | N/A | C:\Windows\System\MzkSFkl.exe | N/A |
| N/A | N/A | C:\Windows\System\EFGCoya.exe | N/A |
| N/A | N/A | C:\Windows\System\OXLbWFU.exe | N/A |
| N/A | N/A | C:\Windows\System\rUQzPix.exe | N/A |
| N/A | N/A | C:\Windows\System\wUQBtWI.exe | N/A |
| N/A | N/A | C:\Windows\System\jPKRPCJ.exe | N/A |
| N/A | N/A | C:\Windows\System\Lmiyqdm.exe | N/A |
| N/A | N/A | C:\Windows\System\jRGtBOI.exe | N/A |
| N/A | N/A | C:\Windows\System\JPJYpmi.exe | N/A |
| N/A | N/A | C:\Windows\System\PTjMnMs.exe | N/A |
| N/A | N/A | C:\Windows\System\FvfmdqU.exe | N/A |
| N/A | N/A | C:\Windows\System\nHNEimU.exe | N/A |
| N/A | N/A | C:\Windows\System\xZdMrVq.exe | N/A |
| N/A | N/A | C:\Windows\System\dqIHfCC.exe | N/A |
| N/A | N/A | C:\Windows\System\TYNERbj.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-13_4dcd08092daeda8661ee59480091a8d0_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\SIFawRG.exe
C:\Windows\System\SIFawRG.exe
C:\Windows\System\eEZdgdD.exe
C:\Windows\System\eEZdgdD.exe
C:\Windows\System\qUKGopp.exe
C:\Windows\System\qUKGopp.exe
C:\Windows\System\QBpevcS.exe
C:\Windows\System\QBpevcS.exe
C:\Windows\System\sVJctfI.exe
C:\Windows\System\sVJctfI.exe
C:\Windows\System\ZMXwTHu.exe
C:\Windows\System\ZMXwTHu.exe
C:\Windows\System\MzkSFkl.exe
C:\Windows\System\MzkSFkl.exe
C:\Windows\System\EFGCoya.exe
C:\Windows\System\EFGCoya.exe
C:\Windows\System\OXLbWFU.exe
C:\Windows\System\OXLbWFU.exe
C:\Windows\System\rUQzPix.exe
C:\Windows\System\rUQzPix.exe
C:\Windows\System\wUQBtWI.exe
C:\Windows\System\wUQBtWI.exe
C:\Windows\System\jPKRPCJ.exe
C:\Windows\System\jPKRPCJ.exe
C:\Windows\System\Lmiyqdm.exe
C:\Windows\System\Lmiyqdm.exe
C:\Windows\System\jRGtBOI.exe
C:\Windows\System\jRGtBOI.exe
C:\Windows\System\JPJYpmi.exe
C:\Windows\System\JPJYpmi.exe
C:\Windows\System\PTjMnMs.exe
C:\Windows\System\PTjMnMs.exe
C:\Windows\System\FvfmdqU.exe
C:\Windows\System\FvfmdqU.exe
C:\Windows\System\nHNEimU.exe
C:\Windows\System\nHNEimU.exe
C:\Windows\System\xZdMrVq.exe
C:\Windows\System\xZdMrVq.exe
C:\Windows\System\dqIHfCC.exe
C:\Windows\System\dqIHfCC.exe
C:\Windows\System\TYNERbj.exe
C:\Windows\System\TYNERbj.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 84.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 52.111.229.48:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3556-0-0x00007FF7AAF20000-0x00007FF7AB271000-memory.dmp
memory/3556-1-0x0000026C73F70000-0x0000026C73F80000-memory.dmp
C:\Windows\System\SIFawRG.exe
| MD5 | dd59237e78c549fe65935cce16952beb |
| SHA1 | 8f7733a07e656ebd55eef2ca3cead8c91949717b |
| SHA256 | 4ac79ff208ba82babd2de67109ea9c96a56bf68e5311c036fb95c922a970adb0 |
| SHA512 | 2f48b9f6d6dea36145dd9bef294964c49e9c330327e62dec0ea3957980faf8f642fdeb196f4d17c6c02904077dc742fbb0c24c2e17e45825240c486ab6832bdc |
memory/436-7-0x00007FF6CFF00000-0x00007FF6D0251000-memory.dmp
C:\Windows\System\eEZdgdD.exe
| MD5 | 20c458549410c60e728eea47aef12f98 |
| SHA1 | 1782059bbffaee8d469e04a4208d3141b2bfe7c7 |
| SHA256 | 7cea72ad63f588be9e3fa37fed6f581b89bf17f18f8f49127f3c8c11fabc9386 |
| SHA512 | f4ab0777f3ed93cb7e2fd28da7463be11e8c431d9d6fe19cebbd73457392f3ca6d055d5e89e8e3f461a1f5a485a4462a5cfaeebb79ee45c40c07d1ad5130a86e |
C:\Windows\System\qUKGopp.exe
| MD5 | 640b089cd777964956ad4460292fa77e |
| SHA1 | fc7069e5c1116dca54574999f435d3dde3b429cf |
| SHA256 | 9ad1aae9b832b1978e4b1cca1944471f0d87f2ba4c92c3a574e72370a5c88134 |
| SHA512 | 76dbf70e5bff49bede9e61ccb5a99450194fe4fca5ab252d8ba4c3f158ec87931f37a525919e00797f76ca926cf7d61c407326c941da8745554596268901414c |
memory/4688-16-0x00007FF6BC250000-0x00007FF6BC5A1000-memory.dmp
C:\Windows\System\QBpevcS.exe
| MD5 | f5db597cdc3c2e8fc7a5ec84e576d063 |
| SHA1 | ea358447cd5f57d4606d34cf9f3f6d98b900d2b3 |
| SHA256 | 46fca46074dcab80ebb3f4f8ed4881c1d8f8e9465bbafb64f60b0e104df59275 |
| SHA512 | 5af4fcee0aa20dec66a3020a8b03a703eb8bd5c452a785a875187ffacb64d1c4ad8eec7e682cd494ca1b471ca6524247a831e99d7a1d8bdd35e0872d280f1974 |
memory/3088-22-0x00007FF66E4E0000-0x00007FF66E831000-memory.dmp
C:\Windows\System\sVJctfI.exe
| MD5 | b0e0357d43b3ace59259b9e2834c76f6 |
| SHA1 | 880381125bfa14c5fe67751fece2d7da94fbf9c0 |
| SHA256 | 0e4e2089a264f78fda9647ff276c3dacbff3c4f1ad711eaebd5d375ff778c99e |
| SHA512 | ffbcb400109c540bf21886ad261261c5bbeaedc2c82ce2cbd143801163188ad85531ffa40a09fed9c99c37877a37fdb4682118eb436028182ca157dc35b9af60 |
C:\Windows\System\MzkSFkl.exe
| MD5 | 59bc3b6d79ff274898dd3cb1dce5432e |
| SHA1 | 5f0cfc29f757c521d8a25bcfbdacb8bb5daf9d52 |
| SHA256 | 2c914dfc67436300cdab2329fe552607dd636fc2d20254084d8ca628c9981abf |
| SHA512 | 2b641c7cf93daaa2b8d9e09d337b95aa553afca2ccd18d7a6bff992234bf8bde9b59112e62e4cc90aded7c3f53087e89fb4581e11aeb7d83a7c5e7ad0a8acf96 |
C:\Windows\System\EFGCoya.exe
| MD5 | 2baeaa55981dadbc0edbdd178eaae4c8 |
| SHA1 | b40d72ab1510569cc3bfb23b70ef3a875998f2a2 |
| SHA256 | 12e2927855cd4fbd3d3d0f8d3d0803e12d1fe017b2de0a04b1ae057a5b69f549 |
| SHA512 | 4118c1598d99a1953c06499b99e8ccbb35d9dfdd42cc81a6f4fe743967419616b55a66fcaf555f223892aece73d189b5bca57e8c0c27cc847a04efd91d80eae1 |
memory/2180-52-0x00007FF62E5D0000-0x00007FF62E921000-memory.dmp
memory/2252-60-0x00007FF600BD0000-0x00007FF600F21000-memory.dmp
C:\Windows\System\Lmiyqdm.exe
| MD5 | 923bf372d1c56607f12a2eeac2d23986 |
| SHA1 | 50f63862c3d32ec319fbb520d1985d6e910fcb27 |
| SHA256 | d39e4bb2cd7fd608290d98c378162a50e84f8486dc72956f90889012a5c40055 |
| SHA512 | 27dd8f7531a30bdfd5190ab8a43f72bfb926eac617d04c97eb86cb95b82c0a62e11221f09e921911b88f66606cd8ecdf907751ad46700c83d0c27e48baff7f4b |
C:\Windows\System\wUQBtWI.exe
| MD5 | 02fc85cbe95832e58978573fbb135603 |
| SHA1 | 20f029b9f61864fd91e0af064a0bc9bd7be38e83 |
| SHA256 | 2d02809712238b4d1b3be115b268658cdd362a9adcb0182818977dd88e0e26ad |
| SHA512 | 86a5ae5fd522fd1aa18dc19bf287c50b00a5706c6c2ae409a2d8c02cd812a6503f17f45d8fd4e0a6daa35def1fd7aba2f55b24a86d7811b70d74afdb5e283fd5 |
memory/4612-80-0x00007FF6C2380000-0x00007FF6C26D1000-memory.dmp
memory/4472-89-0x00007FF781EC0000-0x00007FF782211000-memory.dmp
memory/4288-93-0x00007FF6B57E0000-0x00007FF6B5B31000-memory.dmp
C:\Windows\System\PTjMnMs.exe
| MD5 | b49eca0f463c0158bb46c98fcbc1f978 |
| SHA1 | 4a5a49259387540cd4ff679d1bfbeb650746f8f8 |
| SHA256 | 1ef71c23361854f14e9867a6c2d2bfa58b154d07b55aacd82185ceb5f3d5979e |
| SHA512 | 2fe1db7dad578cc2a8e5e5bf314f8e550a9dd89a1182a3307b86a91928117d42882277c251ec3ef4ea38e3e1f76bf26af5d95e23dd95c70c73d537f70920f53f |
C:\Windows\System\JPJYpmi.exe
| MD5 | 612c2f9f3ff1b093355164a0d05d3a59 |
| SHA1 | 77c9e27bafd8293e1d56cc52367eb0c44bdc24a2 |
| SHA256 | 56848f5dbd4cf4b7c3a6ba4bd85da74200599027975231d1b3b82f8f2fa34845 |
| SHA512 | cb0b0b3b35965bd3c8711ddd264244fc4d890bd3874792476a4853a3fe16a50450c14d3937fd947c06b7dabf2a3db0c9666d25e66293684eb90d178f456ae40a |
memory/2012-94-0x00007FF7630B0000-0x00007FF763401000-memory.dmp
C:\Windows\System\jRGtBOI.exe
| MD5 | 918bde73501ea50c73c334a10cd7615f |
| SHA1 | 55dc3a1ad5cf48e86b37ba3522aac17a12f98af2 |
| SHA256 | 9abde8182ceaf73dd94e078ec596a4f5cc89e76a9887f049191ab179111adde7 |
| SHA512 | 25daf7ad414021890f838e878a4c70a143dac2650fd9eb79a254054c4d579c1011eddef3af49d38e8a8c32f24ced95e4a771c0cc069da13f2cba0b04ac4385c6 |
memory/1268-90-0x00007FF7FAC50000-0x00007FF7FAFA1000-memory.dmp
memory/216-76-0x00007FF600290000-0x00007FF6005E1000-memory.dmp
C:\Windows\System\rUQzPix.exe
| MD5 | 5d040ff44ced22c3057b0c509991f931 |
| SHA1 | 24ad13a8e32f1b8dfcb9c9c2224a467f1afcfd2d |
| SHA256 | 27946c3a9a574f0e35ba3700c37058fd0eb04e39b9f411e666db7a95d5677f5e |
| SHA512 | 097863f570bfee45e6c25c1ba641e90d919d3117f39ad28f1938f471679a3f90b2085337faaa9a4b6c9dbc8033ec680cda21edffab72d5b09fefc57cbb1f0b92 |
C:\Windows\System\jPKRPCJ.exe
| MD5 | e0fd0a726630ba670c0c2b5f1d66e6d8 |
| SHA1 | 50eefe82b079c3ce3f1316fd306750c230b5b966 |
| SHA256 | 0208c604b9a0dde206f9eaa0162a90ebd2c8f04680943e34d6049b8e91d673d3 |
| SHA512 | 2d7349a61f2d05a41c578f8f2a89bd90661cf8ba0c683150b0af2dd1efe2bcf27065d437b8f4976470d60f1fc086944e94e9d7e8de4794f3c672728356b3e2b7 |
C:\Windows\System\OXLbWFU.exe
| MD5 | 96e0854aa1d2def083368d1651d651a9 |
| SHA1 | da4cb8784d20cc55deda3512da2e5c604d4c7fca |
| SHA256 | 96ec1ebe21237cf4710aff79d80b2c89391bc9ee4db51581144e1ca06f97e560 |
| SHA512 | d09032cb46037a5c0b794d1c1a1acf5b707d2f876708472848b8d595b109c7d7bd97b2961bbd3ce091572b91d713a58a592507ebfdb67acd527dd96f802c613a |
C:\Windows\System\ZMXwTHu.exe
| MD5 | aacae323a71239b415bdd8a602d724c3 |
| SHA1 | 3b96b504949fd408975019fa39a35adf143ecfdf |
| SHA256 | b3ecf60748a02a0f42b2aa5fd78ea7cfff6d5235364b94c0dd522a8ecd8a2259 |
| SHA512 | 3b4c136432cc95751aa44a8512a0b9f87c8219d35326aa68f7dc337dafd4569b894853b13f81b6fdcacc33f4c23502a6ad28d5f4057327956b98948a155f1710 |
C:\Windows\System\FvfmdqU.exe
| MD5 | 8d4e7332df1b61b9a672e86b8bc7aa5c |
| SHA1 | 3383b3d1ab4ea2f4e8c6942f6f42be8b513a3c60 |
| SHA256 | 591917ad44782b2b385b1aa1394580cb7dcf98682ca2b876ecfe434da2a936ee |
| SHA512 | c2c8e5e148f3f4d959544c3c1aa4bde88c7b52425772d34d8ce0e7361bd5bae0cadcdcdc3498a64401f8fcd2ad40ca69464134b286db6a8899de0154e8af5869 |
C:\Windows\System\nHNEimU.exe
| MD5 | ff7f088ecf4d21281af06fac2f6097ab |
| SHA1 | 4c10ca6966409f1c0bbfb51bf03da1ded96d4664 |
| SHA256 | 44312baa7cc133a7271494018bd149a3474ec6d4fb128cb6c7a0baf4d3e04390 |
| SHA512 | 82b63a78145feb72810f2f1eae34def9592f922d9858ab9ab4d005b1dfa797a7b0b93ae3da3dbb3dc48cf08b9d5a2183254e103d09824c61e10bbab861e3b617 |
C:\Windows\System\xZdMrVq.exe
| MD5 | e0e50cfe59ae3ddb321845d088444d6f |
| SHA1 | 04e44b86f701e5b2e0e50076a853ac35c6242c47 |
| SHA256 | f0d72207841dd39b4cd493423e4674bafabc529b088e635ab7c2a6c1b566ede5 |
| SHA512 | 37e8998801e89688d9ff608a8141158842ff5de444a97dcb3b9083fe63bdf012af767a93dff035d08c610d50534ffc5feb412c20c536539a15a4f1724a22db2e |
C:\Windows\System\TYNERbj.exe
| MD5 | a45b28a521b5e14fa39796a9d35f7f8b |
| SHA1 | 3eaa22969d2e717e3f4711902433c1d506448583 |
| SHA256 | ded72261c3983e5594e6b10a22ec3da84973c42dcb8ad98ad3c5b5f5448794de |
| SHA512 | eeed89f0481bfe518455ce6f5b20835f3de046d61de8930875070f8661c28582840aac9755d98efa93f0e0480043806b8c33379a7140939e5656fe65d4b33e1b |
C:\Windows\System\dqIHfCC.exe
| MD5 | 8014cf5dac5aa278227d4069db4d6b15 |
| SHA1 | 24878b6d0eb693f854f9a9935f2a0bd0fada0431 |
| SHA256 | 687f4f0f13f0b5c62271ff26bb6535f079076d85732608f0285704e5cb8e25c5 |
| SHA512 | bf9c76b39a37134c8625d50194b2c7281391612439afa6a11bb0dee0d862975c8af19030f8e4b4b3db60cd1927f3f35a74179a1b704aa729a3d1ba9eaec992bc |