Analysis Overview
SHA256
674787aabddeafed1b06a7a1ff5c0c476e3c99b1e49049cc91a809c497a6c62a
Threat Level: Known bad
The file 2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
XMRig Miner payload
Xmrig family
Cobaltstrike family
xmrig
Cobalt Strike reflective loader
XMRig Miner payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-14 21:27
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-14 21:27
Reported
2024-08-14 21:30
Platform
win7-20240704-en
Max time kernel
140s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System\pnuwUHq.exe | N/A |
| N/A | N/A | C:\Windows\System\ZJUOdRS.exe | N/A |
| N/A | N/A | C:\Windows\System\HPbJgGC.exe | N/A |
| N/A | N/A | C:\Windows\System\OksvdLa.exe | N/A |
| N/A | N/A | C:\Windows\System\aiEOBDE.exe | N/A |
| N/A | N/A | C:\Windows\System\rfgHDMV.exe | N/A |
| N/A | N/A | C:\Windows\System\pzEkNat.exe | N/A |
| N/A | N/A | C:\Windows\System\BfSTxXk.exe | N/A |
| N/A | N/A | C:\Windows\System\jqigppa.exe | N/A |
| N/A | N/A | C:\Windows\System\CyKeJQN.exe | N/A |
| N/A | N/A | C:\Windows\System\RYuUhzB.exe | N/A |
| N/A | N/A | C:\Windows\System\cCMAeWt.exe | N/A |
| N/A | N/A | C:\Windows\System\IvXrUka.exe | N/A |
| N/A | N/A | C:\Windows\System\VaORTVS.exe | N/A |
| N/A | N/A | C:\Windows\System\obmxsuQ.exe | N/A |
| N/A | N/A | C:\Windows\System\TGsUsmE.exe | N/A |
| N/A | N/A | C:\Windows\System\JQJxYFT.exe | N/A |
| N/A | N/A | C:\Windows\System\IGNSlAF.exe | N/A |
| N/A | N/A | C:\Windows\System\GbesgbB.exe | N/A |
| N/A | N/A | C:\Windows\System\QFuZuMt.exe | N/A |
| N/A | N/A | C:\Windows\System\WkZBANh.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\pnuwUHq.exe | C:\Windows\System\pnuwUHq.exe |
| C:\Windows\System\ZJUOdRS.exe | C:\Windows\System\ZJUOdRS.exe |
| C:\Windows\System\HPbJgGC.exe | C:\Windows\System\HPbJgGC.exe |
| C:\Windows\System\aiEOBDE.exe | C:\Windows\System\aiEOBDE.exe |
| C:\Windows\System\OksvdLa.exe | C:\Windows\System\OksvdLa.exe |
| C:\Windows\System\rfgHDMV.exe | C:\Windows\System\rfgHDMV.exe |
| C:\Windows\System\pzEkNat.exe | C:\Windows\System\pzEkNat.exe |
| C:\Windows\System\BfSTxXk.exe | C:\Windows\System\BfSTxXk.exe |
| C:\Windows\System\jqigppa.exe | C:\Windows\System\jqigppa.exe |
| C:\Windows\System\CyKeJQN.exe | C:\Windows\System\CyKeJQN.exe |
| C:\Windows\System\RYuUhzB.exe | C:\Windows\System\RYuUhzB.exe |
| C:\Windows\System\cCMAeWt.exe | C:\Windows\System\cCMAeWt.exe |
| C:\Windows\System\IvXrUka.exe | C:\Windows\System\IvXrUka.exe |
| C:\Windows\System\obmxsuQ.exe | C:\Windows\System\obmxsuQ.exe |
| C:\Windows\System\VaORTVS.exe | C:\Windows\System\VaORTVS.exe |
| C:\Windows\System\GbesgbB.exe | C:\Windows\System\GbesgbB.exe |
| C:\Windows\System\TGsUsmE.exe | C:\Windows\System\TGsUsmE.exe |
| C:\Windows\System\QFuZuMt.exe | C:\Windows\System\QFuZuMt.exe |
| C:\Windows\System\JQJxYFT.exe | C:\Windows\System\JQJxYFT.exe |
| C:\Windows\System\WkZBANh.exe | C:\Windows\System\WkZBANh.exe |
| C:\Windows\System\IGNSlAF.exe | C:\Windows\System\IGNSlAF.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-14 21:27
Reported
2024-08-14 21:30
Platform
win10v2004-20240802-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System\zkLtQjT.exe | N/A |
| N/A | N/A | C:\Windows\System\aSBVkKt.exe | N/A |
| N/A | N/A | C:\Windows\System\zqNyXmM.exe | N/A |
| N/A | N/A | C:\Windows\System\QqxBMqU.exe | N/A |
| N/A | N/A | C:\Windows\System\TdjYpzS.exe | N/A |
| N/A | N/A | C:\Windows\System\GPUXBBG.exe | N/A |
| N/A | N/A | C:\Windows\System\TyvopfN.exe | N/A |
| N/A | N/A | C:\Windows\System\FJaPouE.exe | N/A |
| N/A | N/A | C:\Windows\System\pnJZpzg.exe | N/A |
| N/A | N/A | C:\Windows\System\uaKMkcw.exe | N/A |
| N/A | N/A | C:\Windows\System\oPmjucd.exe | N/A |
| N/A | N/A | C:\Windows\System\UUzQeNB.exe | N/A |
| N/A | N/A | C:\Windows\System\bUUjkJs.exe | N/A |
| N/A | N/A | C:\Windows\System\VzClKcX.exe | N/A |
| N/A | N/A | C:\Windows\System\JCVJMNG.exe | N/A |
| N/A | N/A | C:\Windows\System\hCnNJVB.exe | N/A |
| N/A | N/A | C:\Windows\System\RIRdNGu.exe | N/A |
| N/A | N/A | C:\Windows\System\IvbYajS.exe | N/A |
| N/A | N/A | C:\Windows\System\ZwBjDJa.exe | N/A |
| N/A | N/A | C:\Windows\System\QxXmiCo.exe | N/A |
| N/A | N/A | C:\Windows\System\qnkbAZM.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-14_de0d33ff2d524a170bec443015ea98a0_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\zkLtQjT.exe | C:\Windows\System\zkLtQjT.exe |
| C:\Windows\System\aSBVkKt.exe | C:\Windows\System\aSBVkKt.exe |
| C:\Windows\System\zqNyXmM.exe | C:\Windows\System\zqNyXmM.exe |
| C:\Windows\System\QqxBMqU.exe | C:\Windows\System\QqxBMqU.exe |
| C:\Windows\System\TdjYpzS.exe | C:\Windows\System\TdjYpzS.exe |
| C:\Windows\System\GPUXBBG.exe | C:\Windows\System\GPUXBBG.exe |
| C:\Windows\System\TyvopfN.exe | C:\Windows\System\TyvopfN.exe |
| C:\Windows\System\FJaPouE.exe | C:\Windows\System\FJaPouE.exe |
| C:\Windows\System\pnJZpzg.exe | C:\Windows\System\pnJZpzg.exe |
| C:\Windows\System\uaKMkcw.exe | C:\Windows\System\uaKMkcw.exe |
| C:\Windows\System\oPmjucd.exe | C:\Windows\System\oPmjucd.exe |
| C:\Windows\System\UUzQeNB.exe | C:\Windows\System\UUzQeNB.exe |
| C:\Windows\System\bUUjkJs.exe | C:\Windows\System\bUUjkJs.exe |
| C:\Windows\System\VzClKcX.exe | C:\Windows\System\VzClKcX.exe |
| C:\Windows\System\JCVJMNG.exe | C:\Windows\System\JCVJMNG.exe |
| C:\Windows\System\hCnNJVB.exe | C:\Windows\System\hCnNJVB.exe |
| C:\Windows\System\RIRdNGu.exe | C:\Windows\System\RIRdNGu.exe |
| C:\Windows\System\IvbYajS.exe | C:\Windows\System\IvbYajS.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4336,i,16316361669272684588,6171287487746154806,262144 --variations-seed-version --mojo-platform-channel-handle=3776 /prefetch:8 |
| C:\Windows\System\ZwBjDJa.exe | C:\Windows\System\ZwBjDJa.exe |
| C:\Windows\System\QxXmiCo.exe | C:\Windows\System\QxXmiCo.exe |
| C:\Windows\System\qnkbAZM.exe | C:\Windows\System\qnkbAZM.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
memory/4848-98-0x00007FF67B390000-0x00007FF67B6E1000-memory.dmp
C:\Windows\System\RIRdNGu.exe
| MD5 | 838b60e1baebdf366f46d8f90ba5c33e |
| SHA1 | 4a93c1944ce620a71472771c0c2239816e8b2ac8 |
| SHA256 | 965cb7998b0d9c9a14fbe92c0fc1b05fa46d7aff71fe41b17ad06f6bf3131354 |
| SHA512 | 18cb70434dd210c9f67c86cc9792af7386082d7c9782dc271bb29282c9f977a06077418f5eecf9a4b1c159c570bc2b6c63f5e7336aa0be60a72e2b6d8877ef20 |
memory/1728-107-0x00007FF784BB0000-0x00007FF784F01000-memory.dmp
memory/2488-105-0x00007FF7ED040000-0x00007FF7ED391000-memory.dmp
memory/2836-102-0x00007FF78F380000-0x00007FF78F6D1000-memory.dmp
memory/5028-99-0x00007FF73D270000-0x00007FF73D5C1000-memory.dmp
memory/4460-96-0x00007FF6D43A0000-0x00007FF6D46F1000-memory.dmp
memory/4708-95-0x00007FF6978A0000-0x00007FF697BF1000-memory.dmp
memory/4384-86-0x00007FF6C5A00000-0x00007FF6C5D51000-memory.dmp
memory/972-84-0x00007FF7D5930000-0x00007FF7D5C81000-memory.dmp
memory/3844-121-0x00007FF7C9ED0000-0x00007FF7CA221000-memory.dmp
memory/3468-131-0x00007FF679F80000-0x00007FF67A2D1000-memory.dmp
memory/4880-133-0x00007FF662090000-0x00007FF6623E1000-memory.dmp
C:\Windows\System\QxXmiCo.exe
| MD5 | 780b59fbaa143ec5737b28d9c676d868 |
| SHA1 | eea2e7c7b39353923f3e47b5b4b9c8b8e311d8e3 |
| SHA256 | 060b06e9842896ba4f9561b2e35eef06ab9f36ce796ac3ec5020f05911e0f035 |
| SHA512 | 70b52f5d6d5a515ef8d6492a76a4487bb76baafa7177532139b273479783e7c859c5907c4e1c2dff411314f16e9b7ee3496df973ee2b9a2fd29cdfadb99d106a |
memory/3588-130-0x00007FF745B40000-0x00007FF745E91000-memory.dmp
C:\Windows\System\ZwBjDJa.exe
| MD5 | 06796a4c7b75a6a77d52dd6c08e7ab98 |
| SHA1 | eaa11391a16a9fc161b964528e79c483080137d0 |
| SHA256 | bc8d6f339828b13c013c6898b588be8dc51892a1b2d05ce44f52badd5120c3c9 |
| SHA512 | 50af591342605c40b8288bea58684f183571e8020192bd80d0262e852f75bd8cf3cdeb2c1f8a34b3fa48dddd5c66d55543cec07580a52031fd8d6bdef8bccb6c |
memory/232-129-0x00007FF62A150000-0x00007FF62A4A1000-memory.dmp
C:\Windows\System\IvbYajS.exe
| MD5 | f16365f62993a65ab946e3f093f92b0f |
| SHA1 | 513235a72f9a851de4d4385bb7ded96fa4582166 |
| SHA256 | 00f9519ec2b7f62fff58444f26dfc9cc8aa9589428d779c0b137daedc7f726fe |
| SHA512 | ebe0bdb7d99f751c7af33075c4bd82ca537842922cf0ed09e600888649a45b8ddee427a71cb8a6276f88b2dba3cd903e2de078d2487d4d0fe2afe69292d7e5c4 |
memory/832-139-0x00007FF7B68B0000-0x00007FF7B6C01000-memory.dmp
C:\Windows\System\qnkbAZM.exe
| MD5 | 2dbbeae13dd0e09943148d1ad9959a57 |
| SHA1 | 6dd4b4cbc0feba07ed21a9fcd0fa84c8f6e34a12 |
| SHA256 | 8c6715c49ae5d2b6302b669e73615af7c6a7a4c4879d363683de7eb0d8775b36 |
| SHA512 | feee48feb531f9f8cd983da2086ece201defa041522d09fd2729c7d3141b0b305b049695c5047a4ccb978f929b2d02c4b5be911176e742861d8b0bd1f0c39908 |
memory/1668-142-0x00007FF74F6C0000-0x00007FF74FA11000-memory.dmp
memory/5028-150-0x00007FF73D270000-0x00007FF73D5C1000-memory.dmp
memory/1728-151-0x00007FF784BB0000-0x00007FF784F01000-memory.dmp
memory/232-152-0x00007FF62A150000-0x00007FF62A4A1000-memory.dmp
memory/4384-148-0x00007FF6C5A00000-0x00007FF6C5D51000-memory.dmp
memory/4064-145-0x00007FF7474C0000-0x00007FF747811000-memory.dmp
memory/972-153-0x00007FF7D5930000-0x00007FF7D5C81000-memory.dmp
memory/4880-169-0x00007FF662090000-0x00007FF6623E1000-memory.dmp
memory/1668-170-0x00007FF74F6C0000-0x00007FF74FA11000-memory.dmp
memory/972-175-0x00007FF7D5930000-0x00007FF7D5C81000-memory.dmp
memory/4708-203-0x00007FF6978A0000-0x00007FF697BF1000-memory.dmp
memory/4460-205-0x00007FF6D43A0000-0x00007FF6D46F1000-memory.dmp
memory/2836-207-0x00007FF78F380000-0x00007FF78F6D1000-memory.dmp
memory/3844-218-0x00007FF7C9ED0000-0x00007FF7CA221000-memory.dmp
memory/2488-220-0x00007FF7ED040000-0x00007FF7ED391000-memory.dmp
memory/3588-223-0x00007FF745B40000-0x00007FF745E91000-memory.dmp
memory/1080-224-0x00007FF7DFA70000-0x00007FF7DFDC1000-memory.dmp
memory/4680-230-0x00007FF7DE320000-0x00007FF7DE671000-memory.dmp
memory/3468-228-0x00007FF679F80000-0x00007FF67A2D1000-memory.dmp
memory/3652-227-0x00007FF7D5830000-0x00007FF7D5B81000-memory.dmp
memory/4064-233-0x00007FF7474C0000-0x00007FF747811000-memory.dmp
memory/4776-236-0x00007FF605350000-0x00007FF6056A1000-memory.dmp
memory/5108-235-0x00007FF673C10000-0x00007FF673F61000-memory.dmp
memory/4384-243-0x00007FF6C5A00000-0x00007FF6C5D51000-memory.dmp
memory/4848-245-0x00007FF67B390000-0x00007FF67B6E1000-memory.dmp
memory/5028-249-0x00007FF73D270000-0x00007FF73D5C1000-memory.dmp
memory/1728-248-0x00007FF784BB0000-0x00007FF784F01000-memory.dmp
memory/832-252-0x00007FF7B68B0000-0x00007FF7B6C01000-memory.dmp
memory/4880-254-0x00007FF662090000-0x00007FF6623E1000-memory.dmp
memory/232-256-0x00007FF62A150000-0x00007FF62A4A1000-memory.dmp
memory/1668-258-0x00007FF74F6C0000-0x00007FF74FA11000-memory.dmp