Analysis Overview
SHA256
08746a846e8fc37f3cfbac834eed7bf9412606e81d41582889bdc6d4e73f9792
Threat Level: Known bad
The file 2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobaltstrike
xmrig
Cobalt Strike reflective loader
Xmrig family
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-13 12:07
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 12:07
Reported
2024-08-13 12:10
Platform
win7-20240705-en
Max time kernel
142s
Max time network
143s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\aQrElqJ.exe | N/A |
| N/A | N/A | C:\Windows\System\zQffceQ.exe | N/A |
| N/A | N/A | C:\Windows\System\uRoOtnp.exe | N/A |
| N/A | N/A | C:\Windows\System\iklXESs.exe | N/A |
| N/A | N/A | C:\Windows\System\jvyRBac.exe | N/A |
| N/A | N/A | C:\Windows\System\qqPQEtH.exe | N/A |
| N/A | N/A | C:\Windows\System\HAZEcYA.exe | N/A |
| N/A | N/A | C:\Windows\System\afMkbfw.exe | N/A |
| N/A | N/A | C:\Windows\System\BnxAhLr.exe | N/A |
| N/A | N/A | C:\Windows\System\sraMsBV.exe | N/A |
| N/A | N/A | C:\Windows\System\ipIjVzM.exe | N/A |
| N/A | N/A | C:\Windows\System\ImsKJSY.exe | N/A |
| N/A | N/A | C:\Windows\System\kZoTyza.exe | N/A |
| N/A | N/A | C:\Windows\System\pKvwIgS.exe | N/A |
| N/A | N/A | C:\Windows\System\iTOmbKS.exe | N/A |
| N/A | N/A | C:\Windows\System\IROpedw.exe | N/A |
| N/A | N/A | C:\Windows\System\mDbdLBi.exe | N/A |
| N/A | N/A | C:\Windows\System\cPOHMzy.exe | N/A |
| N/A | N/A | C:\Windows\System\nSSDWNC.exe | N/A |
| N/A | N/A | C:\Windows\System\hifaLUw.exe | N/A |
| N/A | N/A | C:\Windows\System\TIWYqqX.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\aQrElqJ.exe
C:\Windows\System\aQrElqJ.exe
C:\Windows\System\zQffceQ.exe
C:\Windows\System\zQffceQ.exe
C:\Windows\System\uRoOtnp.exe
C:\Windows\System\uRoOtnp.exe
C:\Windows\System\iklXESs.exe
C:\Windows\System\iklXESs.exe
C:\Windows\System\jvyRBac.exe
C:\Windows\System\jvyRBac.exe
C:\Windows\System\qqPQEtH.exe
C:\Windows\System\qqPQEtH.exe
C:\Windows\System\HAZEcYA.exe
C:\Windows\System\HAZEcYA.exe
C:\Windows\System\afMkbfw.exe
C:\Windows\System\afMkbfw.exe
C:\Windows\System\BnxAhLr.exe
C:\Windows\System\BnxAhLr.exe
C:\Windows\System\sraMsBV.exe
C:\Windows\System\sraMsBV.exe
C:\Windows\System\ipIjVzM.exe
C:\Windows\System\ipIjVzM.exe
C:\Windows\System\ImsKJSY.exe
C:\Windows\System\ImsKJSY.exe
C:\Windows\System\kZoTyza.exe
C:\Windows\System\kZoTyza.exe
C:\Windows\System\pKvwIgS.exe
C:\Windows\System\pKvwIgS.exe
C:\Windows\System\iTOmbKS.exe
C:\Windows\System\iTOmbKS.exe
C:\Windows\System\IROpedw.exe
C:\Windows\System\IROpedw.exe
C:\Windows\System\mDbdLBi.exe
C:\Windows\System\mDbdLBi.exe
C:\Windows\System\cPOHMzy.exe
C:\Windows\System\cPOHMzy.exe
C:\Windows\System\nSSDWNC.exe
C:\Windows\System\nSSDWNC.exe
C:\Windows\System\hifaLUw.exe
C:\Windows\System\hifaLUw.exe
C:\Windows\System\TIWYqqX.exe
C:\Windows\System\TIWYqqX.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/448-0-0x000000013F130000-0x000000013F481000-memory.dmp
memory/448-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\aQrElqJ.exe
| MD5 | 21b9643bbf7d74231955e9a090fd527c |
| SHA1 | 13a588743db2d088d1287ae5457cf916490e368b |
| SHA256 | 4f499bd98e363210710a0cec150c9ba13ea8803e1a3beb9e565243809d809fef |
| SHA512 | a3db8b90e70a9a339cce13f19dbaf19e7d4706fa3fdea9581a3e578d655c5f21cebcebf5056b67dd61a26788c0f946ddb866c255e3c56678fb7656dabe39e5dc |
C:\Windows\system\zQffceQ.exe
| MD5 | 84857d4124413079733e03e52ba0797c |
| SHA1 | 4a7a53f5fef4bde530c6fff9407b1d88f395dea2 |
| SHA256 | ec222732364aeddbc94a028b313bea79cea2d8a6247281d6bba08ec572bee14e |
| SHA512 | 31b09d51ca23d3d0c08d4bc7ae00092f12b53b5aa25b3db3505bc69d39976678da9320931f900259866c4ffe680881363c1adc735a14063b8049810ac7bf7427 |
\Windows\system\uRoOtnp.exe
| MD5 | dc8b802a4c73d2432cb4d93c085e399c |
| SHA1 | 5c0995df8bc310ecf5b0cb218ed4d2464da23ed2 |
| SHA256 | 0a015403cb0162aca0c989a6e76bc6e2c005a79525ca31c553a26183719d6ab0 |
| SHA512 | ca8b107c23d5f07c6c44c370a127dfc9acc330d61c5d5bf463bb90ae10d7ff9746aaa3f197d436fd28c1ae3d7f3fe6aaa4d38f65e54010fb3dc037a948501f7a |
memory/1988-16-0x000000013FB40000-0x000000013FE91000-memory.dmp
C:\Windows\system\qqPQEtH.exe
| MD5 | 6c7fd8079c6913d0e1c5d40ce5a42f1d |
| SHA1 | a4158357fae2aa456acac4d6b9350ae91e95c117 |
| SHA256 | 90037f1f403abf08cae82ee9008df1f55fb226589e528e9a88b77d6beaab1074 |
| SHA512 | 8036da322d951124156fff945d0b12dbdf4f0b169bae93b3597a543e94d8ff1b4ec2e0c79092ef704a79f28f378d92e817028d7c6af2e4b11cf0a9d700d1629d |
C:\Windows\system\HAZEcYA.exe
| MD5 | 0549d87c1cf2f124a3c5b689445f7ffb |
| SHA1 | f3a9628d696311d108d13aa73c8fd25fdf85541a |
| SHA256 | d446946c0d3a2d11773e007eb9bde86b76ce06aa8ba12ec7dd54ac653dddafd6 |
| SHA512 | 15dc4a099828420c7c271e4dbedfc3468e1a9b3814be370c59dc2298bee40cb5b695f44c3454c04b75893014e94d8882a6f130d5dfbd8823826938f51429e098 |
C:\Windows\system\sraMsBV.exe
| MD5 | fefbe08cc58fca5b5f2ba76d0b214595 |
| SHA1 | aac0c3696661ecb68edd1310f63ddd8101335c87 |
| SHA256 | edb0cbf4e830d9fbce422be9f665423dfc8201432d31b61370a424a23779d04d |
| SHA512 | afb80d1e78c0a92b90b96f2a6a461c438d7acbf92d03b659c33dfa2f59e4be3b7cbc3d1457fb0e4a3927407f7db98c5565eb857f0d1cae07d1fd23b2232903a7 |
C:\Windows\system\iTOmbKS.exe
| MD5 | bef6a8229c6e334a2064de61fafb5483 |
| SHA1 | b26a29688e7e673ceac68ff87b5ed17715ba6325 |
| SHA256 | 338a5c37118c2a832de1dd6364b000d60d4af9d757ed278b405d25deb1a4b3a5 |
| SHA512 | 971141c83f12f1b2ee2959dbf1c03e48be410e6baa15079264cf29bf1ea75ad96af8f712a9c1bd5120d8d9b540d8546d1ee6fcea81297e2b8ef8ca7933a46080 |
C:\Windows\system\mDbdLBi.exe
| MD5 | d1d65c8eb5aa20eaae014584a2ccef72 |
| SHA1 | f66047859c8047ad483c82d26a7166c6b6e1434c |
| SHA256 | 77905d09a4dbad954fd89db479698f869193427241d8f4580a64c645b9ea9009 |
| SHA512 | 5e9eea4562652956ed8d06d68412e54fc7dad10e6677a14015632e294ffe48612aa9f6c84b769646c1878e71eac1c7d44f5404103ef624a5972f7f65f72f7a97 |
C:\Windows\system\TIWYqqX.exe
| MD5 | 038d0678b6840570fa9cc0a25272830d |
| SHA1 | 939ea5629a77ace4c9b386dbf070fa8a4b734d5b |
| SHA256 | 02c281f469e511ab06fea69f4d432ba9728039a00a3c2884a260c6bfb3dc4db5 |
| SHA512 | 3efac48332a754e96dca8ded1180495057047e47ad3f9cacfbe1f28a24efc12fd0ef49e723727a3b1c0efaec4ea51f396c645c45d547f24b0f89f2be49fa937a |
C:\Windows\system\hifaLUw.exe
| MD5 | 468c25e92dc9d1d67857bc2c411f2c8f |
| SHA1 | e7d2f5f4b4900250c606bcdd8f8fe698477c1c30 |
| SHA256 | 0c90b29f8cd9fb01a136f3b04c794bac7a059e2eca91553bd69d5a914991f8b6 |
| SHA512 | f8149d9da66af44a2bd4b68e1e495d145e1695a186923ad1f6c1ca7a4f3ddba7c6abd92dcdb685af7ce76260fa506d6def7107ece8fb98735effc952d2b76df7 |
C:\Windows\system\nSSDWNC.exe
| MD5 | a24bae3b9ef3305f46b24b03a5a46e0e |
| SHA1 | 20baef6542ff59cd97a0dc58c116f7ed02f13085 |
| SHA256 | bb48712db491e788eecf6a801ce9a623419662c0c0431e8fc74ce5ec55f9bf2c |
| SHA512 | 45f41e90c2163dc06fae5cf2963d2b82ada02736057e9f26015bdb44e6d8fbeba4ca6dd71effc8f7acc9a6800ed15219919c415506c06c202e5d90162f550d45 |
C:\Windows\system\cPOHMzy.exe
| MD5 | 4261cbb720f34bcfeb1e8353ceed5eb9 |
| SHA1 | 6f9d95e4541f5ae500a2824b489b2625ab45889b |
| SHA256 | 56d679ec313dbd0e034ac41957a052743b618ca2e6ca074b22e0abd92ff7a091 |
| SHA512 | a26329eeb15153583ba71f1d8a1bc5e58aabe30166b378d416ea50fdbde9b137fb5e9241d9de4226ae9a555202f532c9f146ba322e511f717ada3dec93a84787 |
memory/2124-110-0x000000013FE20000-0x0000000140171000-memory.dmp
memory/448-109-0x000000013FE20000-0x0000000140171000-memory.dmp
memory/1708-108-0x000000013F280000-0x000000013F5D1000-memory.dmp
C:\Windows\system\IROpedw.exe
| MD5 | 9aa8f2b60d98fd9fd741ba477f0ef938 |
| SHA1 | acdb84c5b5e30af2228ed7be136f34cf82cd06e2 |
| SHA256 | 0c4076cb2b3d584e4de6137231c24afd7c761c17ddcfeb2cac07361e79db2463 |
| SHA512 | 96622e569e298ed484aaceb4450849531b636507da5117ae5893839d830566d72f7bcdee97fe019b6b9df5639415b0dabc1593d005d7f1dd8df8820b364bfed3 |
C:\Windows\system\pKvwIgS.exe
| MD5 | 1187136bdfbeaf02752e5c80e43071ea |
| SHA1 | d515e01802ce5ecfaab270b19d86367e5cf3bddc |
| SHA256 | c1a1a320a4b1dad71dd3b68d8a9e031b59a69da3c2e3e2b46cc9422094a8912a |
| SHA512 | 9d364a40b65f19d3c5a8fc46a03de1077f8904958f4c768c826fde566fa0ed9db339096179b88c04cbea8a911840a068b0a64c6d1c9f5adfad83a78e92ecf346 |
C:\Windows\system\kZoTyza.exe
| MD5 | c997a2d8683c4e6afd5a63a7ae7bd891 |
| SHA1 | bb900cf7e1a79029df788192c0b4094bdef84473 |
| SHA256 | 090e5e79fe6a25224fc4d3142a7c69511d3f30eeadaf6c555cfe1937892a7f7d |
| SHA512 | 080e9b268b8cef73938746039a89e3b47da829aa6df096483393f9b832728027a5c2e069ed996f46c3afac0fba52f50f7b5914b53d75f899dbab2cefefe18489 |
C:\Windows\system\ImsKJSY.exe
| MD5 | c46db5df5f99297f63b9c3fe4359adfd |
| SHA1 | a937446301b8ccaac5eb6061923d825f08ec838e |
| SHA256 | 7c4e132c83210dc95cf146102c55b248e53ff5b9cd42cad865cfe99a5b44a90c |
| SHA512 | 0ec550631ba3d6d76a47698b499b177a07a14656b67594c2bc00a3431240645d21cd16e016be257bc105fd14943a2b80e7665d91ffe8eec2d5eff01b9f83c140 |
C:\Windows\system\ipIjVzM.exe
| MD5 | ecd57ab9d84362133616787614144a2a |
| SHA1 | ec8d67d6915a29bd489a9e0cc690442d0855bb4f |
| SHA256 | 99c01af944fc1842dc3a035825ecf2ed973d1b80de83e399ebdb93dde2bad167 |
| SHA512 | 03a066cb23901bf76748e38bd081255892b09db96c657b6dea442d1daa2c37e6ca10e85d262b89dbb122a670a96d059722326e718f868cf6d42e27781ee2e2ba |
C:\Windows\system\BnxAhLr.exe
| MD5 | 026c10d72a5f0fe1693d3c4c848536e0 |
| SHA1 | 391a5f4990a41a27891e6fd26d53307e3535a3b3 |
| SHA256 | 1a334aad4651e804df50102f2fb76c65f5bf4737bfa46c12b20066137b83ec19 |
| SHA512 | fb1fe26994e2b3f3e9abe3740e181539b1aae486fffe943a56a739bca669e0e52aa20c95fc696ae1b3d0a16fcd30ed8585f8873a06cda43caaeca28475b7b5a7 |
C:\Windows\system\afMkbfw.exe
| MD5 | ed81499a9d0635898b312c1e1f2ed6c5 |
| SHA1 | b826d06a405e2bbf94b70f487dc72cd0f5c278b5 |
| SHA256 | cbadf2656deebad55bc772a6c8c14344ac71338d99acc3d54de2f4fb61c43077 |
| SHA512 | 8e8d78307b2e422117026a66842a03c5a146fd41246beb1fd7ff7d575928e717d4e31f1129f398baf5137cec562c325455801dcd40c128cd54dc445488ad5d25 |
C:\Windows\system\jvyRBac.exe
| MD5 | 05b0278a51a3df0c9a2fddedecde88c8 |
| SHA1 | 6172bb4c94737150f283824283d8c80df114cd7e |
| SHA256 | 3c5d17649aa4c52b2f1f2ac956dd3791149c2a4ce688e7f8643e5e0a4c23b8d6 |
| SHA512 | 3497e96eb8b67b897507e7c86d096e3b20d4405f215a453c34e3a2d1f63b6af4cc81cb0d779aa5482a824e57a441cf4305ee511a6cb4653ad3121d4e817c85fe |
C:\Windows\system\iklXESs.exe
| MD5 | 0f7cedbbfa3247fde4494092a1fa6ebe |
| SHA1 | 40cadf02ae32ae249d7218187c948407553abd51 |
| SHA256 | a01ba930b99fd292310d4f0ae98347f2cfa9bcca2caed8b9adc20402e87a7d17 |
| SHA512 | 86d0f8008447e6923fc563f2fad1bad96a6fad51778ec94599d220c013b143ceb24e4478075bd4c8d7ae90ad7fd166024f6f2a7655e1cab99248f7199745809e |
memory/2168-111-0x000000013F500000-0x000000013F851000-memory.dmp
memory/448-112-0x0000000002290000-0x00000000025E1000-memory.dmp
memory/660-113-0x000000013F1E0000-0x000000013F531000-memory.dmp
memory/448-114-0x000000013FEA0000-0x00000001401F1000-memory.dmp
memory/2768-115-0x000000013FEA0000-0x00000001401F1000-memory.dmp
memory/448-116-0x000000013FE50000-0x00000001401A1000-memory.dmp
memory/2852-117-0x000000013FE50000-0x00000001401A1000-memory.dmp
memory/448-118-0x000000013FA90000-0x000000013FDE1000-memory.dmp
memory/3012-119-0x000000013FA90000-0x000000013FDE1000-memory.dmp
memory/448-132-0x000000013F500000-0x000000013F851000-memory.dmp
memory/448-131-0x000000013FEB0000-0x0000000140201000-memory.dmp
memory/2620-130-0x000000013F670000-0x000000013F9C1000-memory.dmp
memory/448-129-0x000000013F670000-0x000000013F9C1000-memory.dmp
memory/1156-128-0x000000013FB90000-0x000000013FEE1000-memory.dmp
memory/448-127-0x000000013FB90000-0x000000013FEE1000-memory.dmp
memory/2596-126-0x000000013FEB0000-0x0000000140201000-memory.dmp
memory/448-125-0x000000013FEB0000-0x0000000140201000-memory.dmp
memory/2748-124-0x000000013F4C0000-0x000000013F811000-memory.dmp
memory/448-123-0x000000013F4C0000-0x000000013F811000-memory.dmp
memory/2756-122-0x000000013F9F0000-0x000000013FD41000-memory.dmp
memory/448-121-0x000000013F9F0000-0x000000013FD41000-memory.dmp
memory/2708-120-0x000000013F430000-0x000000013F781000-memory.dmp
memory/448-133-0x000000013F130000-0x000000013F481000-memory.dmp
memory/1988-134-0x000000013FB40000-0x000000013FE91000-memory.dmp
memory/2588-148-0x000000013FEB0000-0x0000000140201000-memory.dmp
memory/2156-154-0x000000013FAB0000-0x000000013FE01000-memory.dmp
memory/2064-153-0x000000013FE50000-0x00000001401A1000-memory.dmp
memory/2504-151-0x000000013F770000-0x000000013FAC1000-memory.dmp
memory/2616-150-0x000000013F420000-0x000000013F771000-memory.dmp
memory/2648-149-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/1708-135-0x000000013F280000-0x000000013F5D1000-memory.dmp
memory/1788-152-0x000000013F2F0000-0x000000013F641000-memory.dmp
memory/448-155-0x000000013F130000-0x000000013F481000-memory.dmp
memory/448-177-0x000000013F130000-0x000000013F481000-memory.dmp
memory/448-178-0x000000013FB40000-0x000000013FE91000-memory.dmp
memory/2124-226-0x000000013FE20000-0x0000000140171000-memory.dmp
memory/1988-225-0x000000013FB40000-0x000000013FE91000-memory.dmp
memory/660-228-0x000000013F1E0000-0x000000013F531000-memory.dmp
memory/2708-231-0x000000013F430000-0x000000013F781000-memory.dmp
memory/2852-232-0x000000013FE50000-0x00000001401A1000-memory.dmp
memory/2748-234-0x000000013F4C0000-0x000000013F811000-memory.dmp
memory/1156-236-0x000000013FB90000-0x000000013FEE1000-memory.dmp
memory/1708-242-0x000000013F280000-0x000000013F5D1000-memory.dmp
memory/2168-248-0x000000013F500000-0x000000013F851000-memory.dmp
memory/3012-247-0x000000013FA90000-0x000000013FDE1000-memory.dmp
memory/2768-245-0x000000013FEA0000-0x00000001401F1000-memory.dmp
memory/2756-252-0x000000013F9F0000-0x000000013FD41000-memory.dmp
memory/2596-251-0x000000013FEB0000-0x0000000140201000-memory.dmp
memory/2620-257-0x000000013F670000-0x000000013F9C1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 12:07
Reported
2024-08-13 12:10
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\dtLkERB.exe | N/A |
| N/A | N/A | C:\Windows\System\UzYfeFF.exe | N/A |
| N/A | N/A | C:\Windows\System\dIXtKFA.exe | N/A |
| N/A | N/A | C:\Windows\System\IkPiZud.exe | N/A |
| N/A | N/A | C:\Windows\System\zenMWHW.exe | N/A |
| N/A | N/A | C:\Windows\System\AzuDSTT.exe | N/A |
| N/A | N/A | C:\Windows\System\RdXoUOB.exe | N/A |
| N/A | N/A | C:\Windows\System\smxggpZ.exe | N/A |
| N/A | N/A | C:\Windows\System\MRrdtGy.exe | N/A |
| N/A | N/A | C:\Windows\System\DPxXNdl.exe | N/A |
| N/A | N/A | C:\Windows\System\EBoIIuH.exe | N/A |
| N/A | N/A | C:\Windows\System\IMoApsH.exe | N/A |
| N/A | N/A | C:\Windows\System\qhMeSFU.exe | N/A |
| N/A | N/A | C:\Windows\System\RQJaPLh.exe | N/A |
| N/A | N/A | C:\Windows\System\YrrkfYu.exe | N/A |
| N/A | N/A | C:\Windows\System\RpCBlNz.exe | N/A |
| N/A | N/A | C:\Windows\System\DEgUpWO.exe | N/A |
| N/A | N/A | C:\Windows\System\ZMtHUYE.exe | N/A |
| N/A | N/A | C:\Windows\System\YzSPMgT.exe | N/A |
| N/A | N/A | C:\Windows\System\oSNEHRA.exe | N/A |
| N/A | N/A | C:\Windows\System\fCevyBw.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-13_fcb28375e0b75e9dceadf93425ed5db8_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\dtLkERB.exe
C:\Windows\System\dtLkERB.exe
C:\Windows\System\UzYfeFF.exe
C:\Windows\System\UzYfeFF.exe
C:\Windows\System\dIXtKFA.exe
C:\Windows\System\dIXtKFA.exe
C:\Windows\System\IkPiZud.exe
C:\Windows\System\IkPiZud.exe
C:\Windows\System\zenMWHW.exe
C:\Windows\System\zenMWHW.exe
C:\Windows\System\AzuDSTT.exe
C:\Windows\System\AzuDSTT.exe
C:\Windows\System\RdXoUOB.exe
C:\Windows\System\RdXoUOB.exe
C:\Windows\System\smxggpZ.exe
C:\Windows\System\smxggpZ.exe
C:\Windows\System\DPxXNdl.exe
C:\Windows\System\DPxXNdl.exe
C:\Windows\System\MRrdtGy.exe
C:\Windows\System\MRrdtGy.exe
C:\Windows\System\EBoIIuH.exe
C:\Windows\System\EBoIIuH.exe
C:\Windows\System\IMoApsH.exe
C:\Windows\System\IMoApsH.exe
C:\Windows\System\qhMeSFU.exe
C:\Windows\System\qhMeSFU.exe
C:\Windows\System\RQJaPLh.exe
C:\Windows\System\RQJaPLh.exe
C:\Windows\System\YrrkfYu.exe
C:\Windows\System\YrrkfYu.exe
C:\Windows\System\RpCBlNz.exe
C:\Windows\System\RpCBlNz.exe
C:\Windows\System\DEgUpWO.exe
C:\Windows\System\DEgUpWO.exe
C:\Windows\System\ZMtHUYE.exe
C:\Windows\System\ZMtHUYE.exe
C:\Windows\System\YzSPMgT.exe
C:\Windows\System\YzSPMgT.exe
C:\Windows\System\oSNEHRA.exe
C:\Windows\System\oSNEHRA.exe
C:\Windows\System\fCevyBw.exe
C:\Windows\System\fCevyBw.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 19.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3392-0-0x00007FF62EDA0000-0x00007FF62F0F1000-memory.dmp
memory/3392-1-0x0000019A1DE60000-0x0000019A1DE70000-memory.dmp
C:\Windows\System\dtLkERB.exe
| MD5 | ad897e09ab9dbaedcd73bc19eb164a8f |
| SHA1 | f329108f94290d4785770aea2695ed02d84702ed |
| SHA256 | bfa7e6731edb35e781e95d567fbb587c01e8265c0cf77340ab197430320f038f |
| SHA512 | 06c9a4b73d5b0bd7fffd03ebb6f852bef35b5c0a22ff63ca8376845e83d378b49a9962260955a71ed2021fb0cfe0403b5226f59024c3e3a6247a5c7c97904268 |
C:\Windows\System\UzYfeFF.exe
| MD5 | 5b1031a55a96f9c6f7e60077f2a8b5ec |
| SHA1 | 515e5a25433b5ad56027e3a69ca33a241c4e1d43 |
| SHA256 | 1f913e20f80ac8d6bf4be280f94f0afc6d86c26353ec13be29609630c5f6c8d1 |
| SHA512 | 1b043730b6e38bb97886becbc74493b0642973dc8f16378db59b422cb45097945c08d607dd3b037de5c969738bd2dc44c8e098daab4a8a743208953ff238288a |
memory/1756-14-0x00007FF7F6480000-0x00007FF7F67D1000-memory.dmp
C:\Windows\System\dIXtKFA.exe
| MD5 | ad79718ff581f2fa26295480a9231567 |
| SHA1 | 4d287e7cc8d25c30625e7d7ec597f1f44f5f2488 |
| SHA256 | 3db33630939aeb2419cf8e75d2a668c44243b844cea70baad5cb2e67bf52138e |
| SHA512 | 92cf6c650262fd9cdf12c5dbfc56fe1b95f32d4d4caba691259acc3b91ef40c5ca5e9cad74c4ce3cfa35ebaf963168b33a7a9ad90ff2a9c8d6c41f07c1c8cdb9 |
memory/3524-7-0x00007FF7754A0000-0x00007FF7757F1000-memory.dmp
C:\Windows\System\IkPiZud.exe
| MD5 | 7adf97f5a2fbb68b328d89b627d3fc49 |
| SHA1 | 74ffe20e02e90da0934735d2393ecf11324b690c |
| SHA256 | 3a33769850c0174ac1c025e88372df33d1a4e964f5ccc1d44c9bea2659c0b036 |
| SHA512 | 72c56a1338513ab3c66814e81863a97cc5dbdc4094ce5964927eea5ce80010ee9a4884dac2d3ae4653a1f5413d6948a1e79e282dca7a7c96ef86ec6d21039f29 |
memory/1472-20-0x00007FF7B0AE0000-0x00007FF7B0E31000-memory.dmp
memory/4384-26-0x00007FF79C210000-0x00007FF79C561000-memory.dmp
C:\Windows\System\zenMWHW.exe
| MD5 | e4e1b00b33093057dda9daf616e3043d |
| SHA1 | 841fa5b0b3846b27128d05ca3946c2cb322de6fc |
| SHA256 | 4fcfa4f8797c6ae9be10fe815ef407ab7dd826b80aa4a1f17e1fe0fec74e1697 |
| SHA512 | 31f67da10ce3344c75905cae7ed7f6037f0afbe35534299daa26d1d0f50946bfae8d36c2b17b8a8f4aff021cb03c252757a51444f5d1817c67dec5aea6e5e258 |
C:\Windows\System\AzuDSTT.exe
| MD5 | b8d4bdfd3fd30d44bb9000386ef24209 |
| SHA1 | 9bc205d47777b454a3840debb3490a191e310eb7 |
| SHA256 | 09785d50d743bb0225db07854e9c6fcf39974e63cd300fb239f98dd6b9d75207 |
| SHA512 | 0a92725f384a6330d4f411ee83c8d21bc312250b1be82586beb70cfa18ccc4c6b31f12beaaafbc17e18684d1d3aec06975773ceb9d70bb1427e9c00a36574800 |
C:\Windows\System\RdXoUOB.exe
| MD5 | 3af2b95d8b3daedfcbfa2bf6ed7223f1 |
| SHA1 | d75c95cda77ec75b124e7ec9ef7eed6277665f55 |
| SHA256 | cafa85fb5a9bda634546fac77121f8ac43bd1bfe35b22cfb3632c9bc9fd21762 |
| SHA512 | a435b29ba6b720560989b1ef883fbc3209b46292e4c199f03bf49adce7dca8ea5adaa4bfc96f269ff3297074d6f9f36c50c60edbca7c426ed1ebddba76594cff |
memory/4420-45-0x00007FF62E690000-0x00007FF62E9E1000-memory.dmp
C:\Windows\System\smxggpZ.exe
| MD5 | 58de14a4bc192d166c1690901f9207aa |
| SHA1 | f347fc144670abbf36a26af306146cb33d0a01db |
| SHA256 | c516f24774281e40a49a6906b8e40592c01ad646e6abd4f440c5708698a22335 |
| SHA512 | 7de2131ba6a23034ba93e7bc78f9a908c889f6fd9b81b8d4b2313555e03c14ae95a37996c2e59404e47dc47e75ffc700009873c327e3e4ece55980ffd81d9b94 |
memory/3768-30-0x00007FF755690000-0x00007FF7559E1000-memory.dmp
C:\Windows\System\MRrdtGy.exe
| MD5 | d8acc569d4590c25846c26b626d3abba |
| SHA1 | 47cc908d5107facd52ab0a7e0567d053aa9e5a90 |
| SHA256 | 065a1dd0711dc9a543f5161b3a55a8b56f2c4e7fed3fb2b006d3eee0b8bed49e |
| SHA512 | e21ebe02bccb0f82ba3c87493fa9baa9fffec062141199dea00836ad4fc6392d2f3eb2b038ff6549f4dc27a97328f2f9302189ecda1c9e4e8e43db4996750635 |
memory/2380-61-0x00007FF7ECEF0000-0x00007FF7ED241000-memory.dmp
memory/624-70-0x00007FF764280000-0x00007FF7645D1000-memory.dmp
C:\Windows\System\IMoApsH.exe
| MD5 | c16af2dd85d91292944fec64eaf4c4a2 |
| SHA1 | b9d09d953f26c475e13f15ac761248af8fa377d3 |
| SHA256 | bb8b0a6f1a889e5832e7f8871d4942527a072fe24338f064b8f78d15bb62ded8 |
| SHA512 | cfe76b30cb16a7f1749edc6470990df175e2c500d33b1f350b5d3cf30b4850de81d88cf8eb628b79085186781890e829ef6b62a3ed60cfa06be22c8c7a458223 |
memory/2960-84-0x00007FF6E84A0000-0x00007FF6E87F1000-memory.dmp
C:\Windows\System\YrrkfYu.exe
| MD5 | 751ad43ff7e584f9ef30410bbd740bf9 |
| SHA1 | 97580ee043a4538f4d929494320ad2420cc08c00 |
| SHA256 | b8e6eb6b73e73abc2f432919f4d65cfbfe547cd65e950a3604541e8da1498be7 |
| SHA512 | a4be7e17228df3202aa5087b6c43690e27a4e0473ea57e7720770685bcc7077c0e07c5bfbe32d5301ea9e8ab46be3aae4c0d8f0fbeb618c14cd3b5e4a6d98e22 |
C:\Windows\System\RQJaPLh.exe
| MD5 | 346be58b3d81da52bd92bc5ff2062765 |
| SHA1 | ac7be00ce3755eac8cbf2c863f7f9d2c6cabc117 |
| SHA256 | e71aca8a2f077f12c50187e6bf9b095371ebeff0cc16746eef2c4afe536808bd |
| SHA512 | 20acb103d8e09eeff56f767dce566bddf2c93ae94ebc1033f3c723c3a68da6d9bfce7c8c8a6f33f54876b45575e4de7570f1a61d1ae166f7c0e36bd02031d299 |
memory/4996-90-0x00007FF6E08B0000-0x00007FF6E0C01000-memory.dmp
memory/3392-87-0x00007FF62EDA0000-0x00007FF62F0F1000-memory.dmp
memory/388-86-0x00007FF66E7A0000-0x00007FF66EAF1000-memory.dmp
C:\Windows\System\qhMeSFU.exe
| MD5 | 6530b230527177afab825a9e36a55894 |
| SHA1 | 0be19f18562b6be1278dc4cb247e5d3a5fc91a2a |
| SHA256 | ce6d2d07ce129e3eb7957bc140729884735085e443b4a6cf74407a1deb739360 |
| SHA512 | cf66a160d834ff49c1782baa51a526bc2b9225e746060e790c3b5ba7bddd32bdc8d06e9a499c54afdfd164f2313059d61a2e5ea791f2f592317ed2a9936a0817 |
memory/3584-79-0x00007FF697380000-0x00007FF6976D1000-memory.dmp
memory/2932-72-0x00007FF783880000-0x00007FF783BD1000-memory.dmp
C:\Windows\System\EBoIIuH.exe
| MD5 | be8e2f518bb2499ca9b521a32662af81 |
| SHA1 | 7bbfd36aec9f71973c497c72d92509dc8a505fbb |
| SHA256 | 24d639a36f9a1f90ff9b780e947472844a44f94c26777c513fc46f49ae51e302 |
| SHA512 | e7c84f6b15fc9e0e895baff594f3253fe3d858c6157af98ecb08b40435fc86828076c4c5d5b06eeea3cf79d35ecbe57569493d55fae9c230e0801d9ed4c157c0 |
memory/3828-69-0x00007FF6C5B20000-0x00007FF6C5E71000-memory.dmp
C:\Windows\System\DPxXNdl.exe
| MD5 | 0544369cbaec31bdd39d166909406330 |
| SHA1 | 06641412b6bb45912458d925c27260d2ff3879fa |
| SHA256 | 9f860ae773015d28bb45227a2ab0ab85d1fea6bb11beda32bf06cb671495d61a |
| SHA512 | 6c6e247b13f21f4cf66dccc5c8b242b43bac2b721c3466e1a68b566dbab7e3d5f93ebb3bdc45b58e21cac3dea0838811df2c53dffb4f1dfcd29f86144c599f86 |
memory/1368-54-0x00007FF792F30000-0x00007FF793281000-memory.dmp
C:\Windows\System\RpCBlNz.exe
| MD5 | c36447a2e0c790d4c69d3a30c70bff49 |
| SHA1 | a4304b766e8d27e70ab3099be28a87015b303e7e |
| SHA256 | 0020ad521d7619036c3527ae103d9ac51e55aa1594449e3d8dda13b16e9b4230 |
| SHA512 | 7efed8650808c9f66d5863fd43e18f8265e777e401fc20d4088f167eda5b02d67e9074ab6850615b78598c00f45089417e6197aee844def8a4eef7451ebb8379 |
C:\Windows\System\DEgUpWO.exe
| MD5 | f6334a9739cacdd8b35f4f9a01024ef2 |
| SHA1 | b8912a1b8ef5e8e884a5b04389483a74e90c671a |
| SHA256 | e9af3d43e092f20371e82fa79fc6a512d96888406bbf47d6ae8a244bef1de6c4 |
| SHA512 | eb5a8ae2b1ec501b3d0ebf8b0076e5c43d300e4af9784cab4cad70fe3aec24fdd2266f37be87ebb457b8032b2afd7bd0dc7c1023754dba9368bdf5c2fca14843 |
memory/2712-107-0x00007FF750910000-0x00007FF750C61000-memory.dmp
C:\Windows\System\ZMtHUYE.exe
| MD5 | c9e64d8a3b156a27875a00152994912e |
| SHA1 | 9086a2327fc65bf715e4821009c983419b0849ef |
| SHA256 | ae05c6a88e19afdec19ea55dc05df6b45d883cfa9c736640d9fdc1d1c3d5761c |
| SHA512 | 76539017ebc06a2d86f3b06d8dee84ce82b166a1ef03ef4b04cdb0e0d3785f97f7708e074550ac148f47e5ea9f515346ee8a25f6a6f75600affabfbe3e98ed9e |
memory/4384-119-0x00007FF79C210000-0x00007FF79C561000-memory.dmp
memory/4420-127-0x00007FF62E690000-0x00007FF62E9E1000-memory.dmp
C:\Windows\System\fCevyBw.exe
| MD5 | f54223551076c53953bd2bb0f9578a50 |
| SHA1 | 3d00ac32a3922790bb51dac59147383b2bf60521 |
| SHA256 | 79848eec18c86ea599f95ab9849dde97a8c6f92cffc591125bd6a9de2714c285 |
| SHA512 | 0382c5dc31b973a96be60b742116ac4c336cf25b87fe57e799cf694cb7452e491f62e0799233553f1e881f8b769dafb95fbe2cbf6608cafa62cff8e0bec8f515 |
C:\Windows\System\oSNEHRA.exe
| MD5 | 20f5e92e821993a722b51e2bca975bd9 |
| SHA1 | d62737d8b7e0c71b1b3d1a967fc261d86e3cb41b |
| SHA256 | 1ac69c4e61a980594a27030b7ad60301bf1a6b3875cb819a0c2c222e44ab1304 |
| SHA512 | 9970f272de05d0c2f722622a5a9485e14b02bc4e7fd2cf0b17e3680ec75ebc949ea75378e0b74d5acbf3a3c25c2211d3b11b0a59126949c56320705f513e77b3 |
memory/1456-129-0x00007FF786720000-0x00007FF786A71000-memory.dmp
memory/1368-128-0x00007FF792F30000-0x00007FF793281000-memory.dmp
memory/3768-126-0x00007FF755690000-0x00007FF7559E1000-memory.dmp
memory/1148-125-0x00007FF601870000-0x00007FF601BC1000-memory.dmp
memory/3512-123-0x00007FF75B070000-0x00007FF75B3C1000-memory.dmp
memory/3456-122-0x00007FF61CCA0000-0x00007FF61CFF1000-memory.dmp
C:\Windows\System\YzSPMgT.exe
| MD5 | e5863bffd0504207420c858178b46fc7 |
| SHA1 | 7a5fb03f19a9bbe88224416cad1f7589bc22f40d |
| SHA256 | 56e22db5313b7f8a81b542a670fc13e8414784e4a3418fbcb65b4623383f7a71 |
| SHA512 | b460574a8e8133c06359599eaaac9e25989c0ec342edd95bcc72926f3c3f8f6ecde41b3cca264277515efce1b4d08d6d3774902651161a26531569eef932c647 |
memory/364-110-0x00007FF65AE40000-0x00007FF65B191000-memory.dmp
memory/3524-99-0x00007FF7754A0000-0x00007FF7757F1000-memory.dmp
memory/3392-134-0x00007FF62EDA0000-0x00007FF62F0F1000-memory.dmp
memory/3828-149-0x00007FF6C5B20000-0x00007FF6C5E71000-memory.dmp
memory/388-148-0x00007FF66E7A0000-0x00007FF66EAF1000-memory.dmp
memory/2960-147-0x00007FF6E84A0000-0x00007FF6E87F1000-memory.dmp
memory/624-145-0x00007FF764280000-0x00007FF7645D1000-memory.dmp
memory/3584-146-0x00007FF697380000-0x00007FF6976D1000-memory.dmp
memory/4996-150-0x00007FF6E08B0000-0x00007FF6E0C01000-memory.dmp
memory/1148-155-0x00007FF601870000-0x00007FF601BC1000-memory.dmp
memory/1456-156-0x00007FF786720000-0x00007FF786A71000-memory.dmp
memory/3392-157-0x00007FF62EDA0000-0x00007FF62F0F1000-memory.dmp
memory/1756-206-0x00007FF7F6480000-0x00007FF7F67D1000-memory.dmp
memory/3524-208-0x00007FF7754A0000-0x00007FF7757F1000-memory.dmp
memory/1472-210-0x00007FF7B0AE0000-0x00007FF7B0E31000-memory.dmp
memory/4384-212-0x00007FF79C210000-0x00007FF79C561000-memory.dmp
memory/3768-214-0x00007FF755690000-0x00007FF7559E1000-memory.dmp
memory/4420-216-0x00007FF62E690000-0x00007FF62E9E1000-memory.dmp
memory/2380-218-0x00007FF7ECEF0000-0x00007FF7ED241000-memory.dmp
memory/1368-221-0x00007FF792F30000-0x00007FF793281000-memory.dmp
memory/3828-222-0x00007FF6C5B20000-0x00007FF6C5E71000-memory.dmp
memory/2932-224-0x00007FF783880000-0x00007FF783BD1000-memory.dmp
memory/3584-226-0x00007FF697380000-0x00007FF6976D1000-memory.dmp
memory/624-228-0x00007FF764280000-0x00007FF7645D1000-memory.dmp
memory/2960-230-0x00007FF6E84A0000-0x00007FF6E87F1000-memory.dmp
memory/4996-234-0x00007FF6E08B0000-0x00007FF6E0C01000-memory.dmp
memory/388-236-0x00007FF66E7A0000-0x00007FF66EAF1000-memory.dmp
memory/2712-238-0x00007FF750910000-0x00007FF750C61000-memory.dmp
memory/364-240-0x00007FF65AE40000-0x00007FF65B191000-memory.dmp
memory/3456-246-0x00007FF61CCA0000-0x00007FF61CFF1000-memory.dmp
memory/3512-248-0x00007FF75B070000-0x00007FF75B3C1000-memory.dmp
memory/1456-250-0x00007FF786720000-0x00007FF786A71000-memory.dmp
memory/1148-252-0x00007FF601870000-0x00007FF601BC1000-memory.dmp
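The listing above is a flat dump: a dropped-file path, its hash rows, then the memory-dump names (`memory/<pid>-<n>-<start>-<end>-memory.dmp`) that the sandbox associated with it. The following Python is an added example, not part of the sandbox report and not a tool of the sandbox vendor; it parses an excerpt of the listing (the sample text is copied from the entries above, reordered and shortened), validates digest lengths, emits a SHA256-plus-path IOC line per file, and computes the size of each dumped region. The regexes and the record layout are my own assumptions about the format. Run on the excerpt, every region comes out at 0x351000 bytes, which is consistent with one image of the same size being mapped at a different ASLR base in each process; that reading is an inference from the addresses, not a claim the report makes.

```python
import re
from collections import defaultdict

# Constructed input: lines excerpted from the report above (reordered, a few
# entries only) so the parser runs offline on realistic text.
REPORT = r"""
C:\Windows\System\MRrdtGy.exe
| MD5 | d8acc569d4590c25846c26b626d3abba |
| SHA1 | 47cc908d5107facd52ab0a7e0567d053aa9e5a90 |
| SHA256 | 065a1dd0711dc9a543f5161b3a55a8b56f2c4e7fed3fb2b006d3eee0b8bed49e |
memory/2380-61-0x00007FF7ECEF0000-0x00007FF7ED241000-memory.dmp
memory/624-70-0x00007FF764280000-0x00007FF7645D1000-memory.dmp
C:\Windows\System\IMoApsH.exe
| MD5 | c16af2dd85d91292944fec64eaf4c4a2 |
| SHA1 | b9d09d953f26c475e13f15ac761248af8fa377d3 |
| SHA256 | bb8b0a6f1a889e5832e7f8871d4942527a072fe24338f064b8f78d15bb62ded8 |
memory/2960-84-0x00007FF6E84A0000-0x00007FF6E87F1000-memory.dmp
memory/3768-126-0x00007FF755690000-0x00007FF7559E1000-memory.dmp
memory/3768-214-0x00007FF755690000-0x00007FF7559E1000-memory.dmp
"""

# Assumed line shapes (hypothetical, derived by eye from the listing above).
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_report(text):
    """Return (files, dumps).

    files: {path: {algo: digest}} for every dropped file seen.
    dumps: list of {pid, index, start, end, size} for every memory dump name.
    A hash row with a digest of the wrong length for its algorithm is rejected,
    since a truncated digest is worse than none in a blocklist.
    """
    files, dumps, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError("hash row before any file path: " + line)
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length for {current}")
            files[current][algo] = digest
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, idx = int(m[1]), int(m[2])
            start, end = int(m[3], 16), int(m[4], 16)
            dumps.append({"pid": pid, "index": idx, "start": start,
                          "end": end, "size": end - start})
            continue
        if line.startswith("C:\\"):          # a new dropped-file record begins
            current = line
            files.setdefault(current, {})
        # anything else (section labels, other tables) is ignored
    return files, dumps


def region_sizes(dumps):
    """Distinct sizes of the dumped regions, in bytes."""
    return sorted({d["size"] for d in dumps})


def dumps_by_pid(dumps):
    """Group dump records by process id, preserving report order."""
    by_pid = defaultdict(list)
    for d in dumps:
        by_pid[d["pid"]].append(d)
    return by_pid


def ioc_lines(files):
    """One 'sha256  path' line per dropped file that has a SHA256 row."""
    return [f"{h['SHA256']}  {path}" for path, h in sorted(files.items())
            if "SHA256" in h]


if __name__ == "__main__":
    files, dumps = parse_report(REPORT)
    print("\n".join(ioc_lines(files)))
    print("region sizes:", [hex(s) for s in region_sizes(dumps)])
    for pid, recs in sorted(dumps_by_pid(dumps).items()):
        print(f"pid {pid}: {len(recs)} dump(s) at "
              + ", ".join(hex(r["start"]) for r in recs))
```

On the full listing the same script gives one region size for every process, which is the quickest check that the dozens of `memory/...` entries are the same payload rather than many different ones; a second size appearing would be the first thing to look at.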