Analysis Overview
SHA256
87f27ebca3322a81f90a4813a9a7a4175b09e2f03b6c478201dd3fb1b571aa6c
Threat Level: Known bad
The file 2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad. The family names embedded in that file name (cobalt-strike, cobaltstrike, poet-rat) are part of the name as submitted, not a result of this analysis; the family signatures that actually fired below are Cobalt Strike and XMRig, and no PoetRAT signature is recorded on this page.
Malicious Activity Summary
Cobaltstrike
Cobaltstrike family
xmrig
Cobalt Strike reflective loader
XMRig Miner payload
Xmrig family
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-14 20:25
Signatures
Cobalt Strike reflective loader
1 match; no description, indicator, process or target was recorded for it.
Cobaltstrike family
XMRig Miner payload
1 match; no description, indicator, process or target was recorded for it.
Xmrig family
UPX packed file
1 match; no description, indicator, process or target was recorded for it.
Unsigned PE
2 matches; no description, indicator, process or target was recorded for either.
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-14 20:25
Reported
2024-08-14 20:27
Platform
win7-20240704-en
Max time kernel
144s
Max time network
154s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target was recorded for any of them.
Cobaltstrike
xmrig
XMRig Miner payload
40 matches; no description, indicator, process or target was recorded for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\PEYMZqf.exe | N/A |
| N/A | N/A | C:\Windows\System\OLxbKJx.exe | N/A |
| N/A | N/A | C:\Windows\System\myuLDxJ.exe | N/A |
| N/A | N/A | C:\Windows\System\CgEMLKi.exe | N/A |
| N/A | N/A | C:\Windows\System\KsmntwM.exe | N/A |
| N/A | N/A | C:\Windows\System\VeqaPwp.exe | N/A |
| N/A | N/A | C:\Windows\System\QOIQHzC.exe | N/A |
| N/A | N/A | C:\Windows\System\joJgpJY.exe | N/A |
| N/A | N/A | C:\Windows\System\fTWFDqK.exe | N/A |
| N/A | N/A | C:\Windows\System\NDxtuUO.exe | N/A |
| N/A | N/A | C:\Windows\System\jhoMRTi.exe | N/A |
| N/A | N/A | C:\Windows\System\NRRWXMf.exe | N/A |
| N/A | N/A | C:\Windows\System\HuYdSAw.exe | N/A |
| N/A | N/A | C:\Windows\System\HgnzrVq.exe | N/A |
| N/A | N/A | C:\Windows\System\VHqmsgz.exe | N/A |
| N/A | N/A | C:\Windows\System\NYuaYKw.exe | N/A |
| N/A | N/A | C:\Windows\System\JaFhwBt.exe | N/A |
| N/A | N/A | C:\Windows\System\IoLFxpK.exe | N/A |
| N/A | N/A | C:\Windows\System\iFUWRAE.exe | N/A |
| N/A | N/A | C:\Windows\System\RKRLOws.exe | N/A |
| N/A | N/A | C:\Windows\System\flqLnwd.exe | N/A |
Loads dropped DLL
UPX packed file
62 matches; no description, indicator, process or target was recorded for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
SeLockMemoryPrivilege (Lock pages in memory) is the right XMRig enables so that it can back its RandomX dataset and scratchpad with large pages; ordinary user-mode software seldom asks for it, database engines such as SQL Server being the usual legitimate exception. Both calls below come from the original dropper in %TEMP%, which corroborates the XMRig Miner payload hits in this section.
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\PEYMZqf.exe
C:\Windows\System\PEYMZqf.exe
C:\Windows\System\OLxbKJx.exe
C:\Windows\System\OLxbKJx.exe
C:\Windows\System\myuLDxJ.exe
C:\Windows\System\myuLDxJ.exe
C:\Windows\System\CgEMLKi.exe
C:\Windows\System\CgEMLKi.exe
C:\Windows\System\KsmntwM.exe
C:\Windows\System\KsmntwM.exe
C:\Windows\System\VeqaPwp.exe
C:\Windows\System\VeqaPwp.exe
C:\Windows\System\QOIQHzC.exe
C:\Windows\System\QOIQHzC.exe
C:\Windows\System\joJgpJY.exe
C:\Windows\System\joJgpJY.exe
C:\Windows\System\fTWFDqK.exe
C:\Windows\System\fTWFDqK.exe
C:\Windows\System\NDxtuUO.exe
C:\Windows\System\NDxtuUO.exe
C:\Windows\System\jhoMRTi.exe
C:\Windows\System\jhoMRTi.exe
C:\Windows\System\NRRWXMf.exe
C:\Windows\System\NRRWXMf.exe
C:\Windows\System\HuYdSAw.exe
C:\Windows\System\HuYdSAw.exe
C:\Windows\System\HgnzrVq.exe
C:\Windows\System\HgnzrVq.exe
C:\Windows\System\VHqmsgz.exe
C:\Windows\System\VHqmsgz.exe
C:\Windows\System\NYuaYKw.exe
C:\Windows\System\NYuaYKw.exe
C:\Windows\System\JaFhwBt.exe
C:\Windows\System\JaFhwBt.exe
C:\Windows\System\IoLFxpK.exe
C:\Windows\System\IoLFxpK.exe
C:\Windows\System\iFUWRAE.exe
C:\Windows\System\iFUWRAE.exe
C:\Windows\System\RKRLOws.exe
C:\Windows\System\RKRLOws.exe
C:\Windows\System\flqLnwd.exe
C:\Windows\System\flqLnwd.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2544-0-0x000000013F540000-0x000000013F891000-memory.dmp
memory/2544-1-0x0000000000200000-0x0000000000210000-memory.dmp
\Windows\system\PEYMZqf.exe
| MD5 | ecfaaa1d3e24d34f3d0b01404b08fc91 |
| SHA1 | af89a080067181e7ccb6af4e1232d2e87850b01e |
| SHA256 | e2c792a82c80cc331e53f565830f9326b82ca47ee42a9599b8350478f635d8ae |
| SHA512 | efcac90bdce48fe7b0118b4425aa70a357b9a46bc91ae69344c1acb8d484ac3d012b37c608be32ac4fc608721494234633775d7f7e6f5b876a8be0161dea2159 |
C:\Windows\system\OLxbKJx.exe
| MD5 | d7bb83afe8c18a48369eddf11ca1ce37 |
| SHA1 | 0b5a3ecfb0ba774913adae8e68539ffa4ca75c96 |
| SHA256 | b37c703cb9c0efd1c7b740295d7a966eb269938834c3125f62806d1033140f2e |
| SHA512 | ddc47eed9be3e35f9a5d8e0aadc358625c28561f51f47163db8f1878ccb81780a7cf19fc7b45006018dbb42710cf7ab30a924f704ba9b2095a26f5272a2ba219 |
memory/2376-15-0x000000013F5E0000-0x000000013F931000-memory.dmp
memory/2544-12-0x000000013FD30000-0x0000000140081000-memory.dmp
memory/2544-9-0x0000000002170000-0x00000000024C1000-memory.dmp
\Windows\system\myuLDxJ.exe
| MD5 | 77ade68a0ca316aead759fbbdcd24526 |
| SHA1 | a5def735cade3efc14a4a212efd747234e9d8ad9 |
| SHA256 | 10ad1e08e11bc1e9b8d5bbcc0cc48212ba60f79b4faffeb5dc4802e6d7521c7f |
| SHA512 | 5238b605e758f2bea1045787ece32cf3b0765509d0cdb8223d44af37f236f2d97e11c6722c61b3d1ff68f0bf9a501bef2f2ce49db5b3c6ee21e73bf75430e866 |
C:\Windows\system\CgEMLKi.exe
| MD5 | d8f6e71e6f561adb40d82fc703a4112c |
| SHA1 | 87493aaf0fb19d11275a66ff6f4d71dfb6048d3d |
| SHA256 | 53c26556cd046c8c9d1fecd5c5c412d2f5c00f391e375b91effbe3f114ea0c74 |
| SHA512 | ffc8d12a16f1edda98b0a4afa05b3c4f2f75412efc46362afdd98884189f03a1182c1b51651edcf05b11603243e77ff7df43dbf4354f3f1de5f072078b7b91a5 |
memory/2964-20-0x000000013FD30000-0x0000000140081000-memory.dmp
memory/2812-28-0x000000013FFF0000-0x0000000140341000-memory.dmp
memory/1640-27-0x000000013F3A0000-0x000000013F6F1000-memory.dmp
memory/2544-29-0x0000000002170000-0x00000000024C1000-memory.dmp
memory/2756-34-0x000000013F250000-0x000000013F5A1000-memory.dmp
C:\Windows\system\KsmntwM.exe
| MD5 | 5f9f3d84ae8dd6c561e1940661295caf |
| SHA1 | 6552d1b62e056cc2507454563f1782e32b183fd5 |
| SHA256 | 8140023e2fca193b8e22de8aa28d0312419ed5e182a1522f5a75ab2270c5f057 |
| SHA512 | 82ff13c168820e740f32fd79ff326b379f3aaf823b11cc6adf408026d5fbf8292bf8d8cc925641458ccd640157f7f2d4bf485659519a8b87a795cc961409f7c1 |
C:\Windows\system\VeqaPwp.exe
| MD5 | c4ad242163bbd79487e15bda4369080c |
| SHA1 | ec3c6e0d05a27b4e1ebbbf5bd02cd449e26bde85 |
| SHA256 | 615b3d98665495b4085225e0fb799fe4d00fcb86d227bb0d8716fcfc4a6e4847 |
| SHA512 | 2857e776c994848a572761367a263b1e0b8c1da8b94405b9cf4ca72c98aa68f25dc5d4a472c1865c709f4ca460f9ff414938d77cd8e9fde073aad49d462bf5ea |
C:\Windows\system\joJgpJY.exe
| MD5 | 9c899f2c0ba43233879e373628921a13 |
| SHA1 | bb8febba611178dd1dfae31e77d4b5875d93efc2 |
| SHA256 | 6359981a10a735c344b0d2a1561cfa39a3576515203480922b44155cb85c68a3 |
| SHA512 | 07d6138b8f8637c41b12916a5a1ce4e89febaa6c76cd8a661e48a14920789fe85160b2489a6bf2295b535cd62f36fd5c3ef30dd411a3b1936a5fa597bbf4fdbe |
C:\Windows\system\fTWFDqK.exe
| MD5 | 4d46dd4509118dfd5dea3f92778f5999 |
| SHA1 | f8470ff2de860359c4db84513100964cd1921722 |
| SHA256 | 5da9d4eb390e2915786e58f832e06883141c30a1cb7a4e1d5795c5336b52a954 |
| SHA512 | 263747cf3486bf32237c66506a4ede99af3c5c8b2c29ebf79cb1c9685b680e35df33cbb1c90029a29149a82e436b406811a652f2de8087324c79782967916350 |
C:\Windows\system\jhoMRTi.exe
| MD5 | 001cc0611eabe43ad6d4374ab8680fa3 |
| SHA1 | 00f5b769ec4b64fcabd87e28a18747aed868bd31 |
| SHA256 | fc613e4f4d4b2722302dddbcac941380e374a8da8790829a259014e8b0d2590d |
| SHA512 | 3310871ff0bb79201ee98c9dad70fde22edba7a7fcf7f1a54d6db88f37c1bb127a5924025bf49f562fe1a9815e9cbf5e46260840e1a072e47e95289455b65c77 |
C:\Windows\system\NRRWXMf.exe
| MD5 | 2d6fea8e8390fae73cc264f86691fe4d |
| SHA1 | 4ef46cf6948ac41ea9c6354aebad9f7fd6cd71af |
| SHA256 | 078646146155cd4462f9ec3ac9ee66438f9052e96cf6e93deda517cb91f323a2 |
| SHA512 | b73b6101d8e5be536d058ca2ef779c69fc98146eebe959f7a4197ed40f8895f8d85a698c5b5ab02bd597126a3f981782e327502c93a27f769165bd32781d1d72 |
C:\Windows\system\HuYdSAw.exe
| MD5 | c1b9b7f72d03acb5d34334184440d7cf |
| SHA1 | 7c0dacaa205bbd434389613c637dfb6658173a15 |
| SHA256 | d95cecdba4a1aa99f9818f7d8225edd5ca375ff18f88a28552d0183973cad59d |
| SHA512 | b7240a663609e677baae49e4fccb7a47ea82a5d0e61d60f59a5b10e88171f80d72cbbd8150bfffd0fcc9154d1868aaedd7765882c3990db500b4bf806bd670ee |
\Windows\system\NYuaYKw.exe
| MD5 | c60a329d2f5df331ba1c72dab662d8de |
| SHA1 | 992eec63d86952d3fea33ec3bc94d1c0e32dd811 |
| SHA256 | fb4483bb341d040b4382a25ae08816ec5f9c69c6031ffc3acc0360bb9d6046b3 |
| SHA512 | 2f8143f11fa999a949bc312cd33bd623394ef857a8e5c3b2c0c3db1571a286d09a3cc8179570114530ad544e879249dcdb586c7f0af25e69a9651ea96c075fe6 |
C:\Windows\system\IoLFxpK.exe
| MD5 | e8c41b377557e052a28f6fbf6c08f133 |
| SHA1 | decfa1bef4b3629c6ec2c55735c8960c44bc1fd5 |
| SHA256 | d2450d008a821e24c220744048a242443ab0e788ba05242a53daee6b4a2cc28c |
| SHA512 | fd0ab656dada4817557af98089157c28b515954c5cdc80000b89de65a84968819960e8b931d847d27c968313a146da6da3a909ef46644bd9d62d7c16f8bdc8b8 |
C:\Windows\system\RKRLOws.exe
| MD5 | 6f544e14f45e97175fcaa9f16e17deec |
| SHA1 | 6b9c3e84df6adc5a4f27602c57536f1da263c90a |
| SHA256 | b6532cf96e8e10bb7341748f949cfed0a6dfd6c6f1a9e61aa4174102072bf342 |
| SHA512 | 8492a1682f8930e0eff7b278eee7b18b6772046871e47cfc9295ed8197ddae20e0793d64645ff6bc571194d94fe27e5f0ae8faf826829e834b97ae89e3720bd9 |
\Windows\system\flqLnwd.exe
| MD5 | 0d7b1cc56a613c51716f43901d1ffbd8 |
| SHA1 | 9e9e78a1337f778ba4edb745aa5ce6b54de9dd12 |
| SHA256 | f7bff9d3e98cbb1b52d0f61cf2f5fb348ff62f55653e728f88288a426269c3bf |
| SHA512 | 7cf1b52a8d23fd020049a174b25461d18875726e51b3c318dc593b6c937c67c2501530fe09d454b030baedd35d7e12fca17e83b42e25e54d65837bb6ea15760b |
C:\Windows\system\iFUWRAE.exe
| MD5 | ce1972cdad34302579fbd79df5b15675 |
| SHA1 | 6b108dc19e4573504336af7ea4eb2ad6b3b957ea |
| SHA256 | 7bddaf3acf23a4fa567d5c6e1f57011cac914cd1e5b60b65146579a0ebd804b8 |
| SHA512 | aa4a8a6ea674a5d3c6ca1e96d765ceadbe012aec18116a68cd4caef32d254f2925b11c586aa0be78b505d9b5601df9230f67d207738950ab8f75f61ce1c8c0b9 |
C:\Windows\system\JaFhwBt.exe
| MD5 | e1dc971e904b232ae21cb84b0e67706e |
| SHA1 | 3cfaf3698d22c86dc862d54f485e3a1f8a391447 |
| SHA256 | 1b36988824c33573ce314dc49b385235e0308300b44cdda20cb1db42b572286b |
| SHA512 | e8aa522d2bbc5df3710d9d88d448ee518226e4918b6a9bc0bc44eba143a78a544650b9def53cf2d3daafe8c08ec65fa88b07f7927107ef5447c0de0a3d5d1534 |
C:\Windows\system\VHqmsgz.exe
| MD5 | 222184f3d5b8247e6811bd9c20854710 |
| SHA1 | e44efcc3572cc23ce43e8852bccd672e99fc4d5f |
| SHA256 | a3f10da3f6b4d150c9bb029cc24021d5d95f7d3312c91fa3910c320689d28d7c |
| SHA512 | 5163a587ffe75dd134e258f59eb2a07b24623285540660e6a0c32f46fd9228b7bee8301dd5b01d6b4e31737f7a6d3d98239bded61afe696ccea691e212b38d7f |
C:\Windows\system\HgnzrVq.exe
| MD5 | a33ed8864cd4eb41d788ef8db0d5f57c |
| SHA1 | 2b6c3c84841a8fb9c649d6cc58c07157d6a45c5b |
| SHA256 | 085b98f24d49da3d4cee07631297cfbca8ed8f90a61bb1938f216d731edf8d6f |
| SHA512 | 34cfeba0bb222de8536660420072dedbdcc1446a0ba9fe52314b67a4d891535b598b0e7c10d8c4810392edc36004a406dd3f8799d82f23bb69c901dfe17095fd |
C:\Windows\system\NDxtuUO.exe
| MD5 | ea07dafd3922e908483d53329fe22558 |
| SHA1 | 5f9c4bc40bf0bec9117730e6aae0d06e89eee4b4 |
| SHA256 | 90a59405b3ad4b0dae6b16cba13c6f176994c2b993d4f250221e8ec41498bbb1 |
| SHA512 | 5d7e1d857c31b2c8d422896c1f138f35028b0266c209d59585df7285c132eae090cd6034c843d71bdd3bd12a731427583526a39306222a482793ad976a0f392b |
C:\Windows\system\QOIQHzC.exe
| MD5 | b425bd453fc7359f7bb79d6e9b0e0c64 |
| SHA1 | 5a8f79770a9e5fb2c6935c768732085cc3c6b103 |
| SHA256 | c0af8748ea8246a502f19806c1b71b6c25e46ee659d4e89d0eb940010e573d8f |
| SHA512 | 880be41ee1b742700d28a1183b4c4274af96fcbdb85aab3fb4e60117527d1c5f0585f34f8b5169c86f4e8d96c52cb09e1bb2187abd33a8550ae5e2acd432d4d5 |
memory/2544-114-0x000000013F540000-0x000000013F891000-memory.dmp
memory/2544-121-0x0000000002170000-0x00000000024C1000-memory.dmp
memory/2544-122-0x0000000002170000-0x00000000024C1000-memory.dmp
memory/2756-120-0x000000013F250000-0x000000013F5A1000-memory.dmp
memory/1640-118-0x000000013F3A0000-0x000000013F6F1000-memory.dmp
memory/2800-123-0x000000013F590000-0x000000013F8E1000-memory.dmp
memory/2828-126-0x000000013F680000-0x000000013F9D1000-memory.dmp
memory/2544-127-0x0000000002170000-0x00000000024C1000-memory.dmp
memory/2960-124-0x000000013F790000-0x000000013FAE1000-memory.dmp
memory/2612-128-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2544-129-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2672-130-0x000000013FE60000-0x00000001401B1000-memory.dmp
memory/1608-133-0x000000013FA20000-0x000000013FD71000-memory.dmp
memory/2544-134-0x000000013FE60000-0x00000001401B1000-memory.dmp
memory/2384-132-0x000000013FDA0000-0x00000001400F1000-memory.dmp
memory/2016-138-0x000000013FC30000-0x000000013FF81000-memory.dmp
memory/2544-137-0x0000000002170000-0x00000000024C1000-memory.dmp
memory/940-135-0x000000013F590000-0x000000013F8E1000-memory.dmp
memory/2424-136-0x000000013F420000-0x000000013F771000-memory.dmp
memory/3056-131-0x000000013F510000-0x000000013F861000-memory.dmp
memory/1008-139-0x000000013F120000-0x000000013F471000-memory.dmp
memory/1012-141-0x000000013F1C0000-0x000000013F511000-memory.dmp
memory/2544-142-0x000000013FDA0000-0x00000001400F1000-memory.dmp
memory/2380-140-0x000000013F140000-0x000000013F491000-memory.dmp
memory/2296-143-0x000000013FE60000-0x00000001401B1000-memory.dmp
memory/2764-144-0x000000013F820000-0x000000013FB71000-memory.dmp
memory/2544-145-0x000000013FA20000-0x000000013FD71000-memory.dmp
memory/2544-146-0x0000000002170000-0x00000000024C1000-memory.dmp
memory/2544-147-0x0000000002170000-0x00000000024C1000-memory.dmp
memory/2544-148-0x000000013F540000-0x000000013F891000-memory.dmp
memory/2544-151-0x000000013F540000-0x000000013F891000-memory.dmp
memory/2544-174-0x0000000002170000-0x00000000024C1000-memory.dmp
memory/2544-194-0x0000000002170000-0x00000000024C1000-memory.dmp
memory/2544-195-0x0000000002170000-0x00000000024C1000-memory.dmp
memory/2376-203-0x000000013F5E0000-0x000000013F931000-memory.dmp
memory/2964-205-0x000000013FD30000-0x0000000140081000-memory.dmp
memory/1640-208-0x000000013F3A0000-0x000000013F6F1000-memory.dmp
memory/2812-209-0x000000013FFF0000-0x0000000140341000-memory.dmp
memory/2960-211-0x000000013F790000-0x000000013FAE1000-memory.dmp
memory/2800-213-0x000000013F590000-0x000000013F8E1000-memory.dmp
memory/2828-215-0x000000013F680000-0x000000013F9D1000-memory.dmp
memory/2612-217-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2672-219-0x000000013FE60000-0x00000001401B1000-memory.dmp
memory/3056-221-0x000000013F510000-0x000000013F861000-memory.dmp
memory/2384-223-0x000000013FDA0000-0x00000001400F1000-memory.dmp
memory/1608-225-0x000000013FA20000-0x000000013FD71000-memory.dmp
memory/940-227-0x000000013F590000-0x000000013F8E1000-memory.dmp
memory/2756-243-0x000000013F250000-0x000000013F5A1000-memory.dmp
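The Files, Processes and Network tables above carry the material a responder needs for hunting (per-file hashes, the 3.120.209.58:8080 socket, the dropped-file naming scheme, the dumped region sizes), but in a layout meant for reading. The script below is an added example, not part of the sandbox report, that parses that layout into an IOC bundle and checks two regularities visible in the data: every executed drop is C:\Windows\System\<seven letters>.exe, and, apart from one 0x10000 region per detonation, every dumped memory region is 0x351000 bytes even though each drop carries a different hash. The embedded excerpt is a constructed subset of the behavioral1 tables; the function names, the single-C:-volume path normalisation and the "non-DNS/HTTP/HTTPS TCP means C2 candidate" heuristic are assumptions of the example.

```python
import re
from collections import Counter

# Constructed excerpt in the report's own layout. The paths, hashes, memory
# ranges and destinations are copied from the behavioral1 tables above; only a
# subset of rows is embedded so the example stays short.
REPORT_EXCERPT = r"""
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\PEYMZqf.exe | N/A |
| N/A | N/A | C:\Windows\System\OLxbKJx.exe | N/A |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
Files
memory/2544-0-0x000000013F540000-0x000000013F891000-memory.dmp
\Windows\system\PEYMZqf.exe
| MD5 | ecfaaa1d3e24d34f3d0b01404b08fc91 |
| SHA256 | e2c792a82c80cc331e53f565830f9326b82ca47ee42a9599b8350478f635d8ae |
memory/2376-15-0x000000013F5E0000-0x000000013F931000-memory.dmp
C:\Windows\system\OLxbKJx.exe
| MD5 | d7bb83afe8c18a48369eddf11ca1ce37 |
| SHA256 | b37c703cb9c0efd1c7b740295d7a966eb269938834c3125f62806d1033140f2e |
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_DUMP = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_LINE = re.compile(r"^(?:[A-Za-z]:)?\\[^|]+\.exe$")
ROW4 = re.compile(r"^\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|\s*(.*?)\s*\|$")
# Naming scheme used by every drop in both detonations: seven letters under System.
DROP_NAME = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$")

def normalize(path):
    """Fold the report's two spellings (with and without a drive letter) into one
    lower-case key. Assumes the sandbox had a single C: volume."""
    p = path.lower()
    return p if re.match(r"^[a-z]:", p) else "c:" + p

def parse_report(text):
    """Collect hashes, network sockets, executed drops and dumped-region sizes."""
    iocs = {"files": {}, "network": set(), "dropped": [], "images": []}
    current = None  # path whose hash table we are currently inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m and current:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:  # catch truncated or mangled digests
                raise ValueError(f"{current}: {algo} has {len(digest)} hex digits")
            iocs["files"].setdefault(current, {})[algo] = digest
            continue
        m = MEM_DUMP.match(line)
        if m:
            pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
            iocs["images"].append((pid, end - start))
            continue
        if PATH_LINE.match(line):
            current = normalize(line)
            continue
        m = ROW4.match(line)
        if not m:
            continue
        _, c2, c3, c4 = m.groups()
        if c4 in ("tcp", "udp"):           # | Country | Destination | Domain | Proto |
            host, port = c2.rsplit(":", 1)
            iocs["network"].add((host, int(port), c4))
        elif c3.lower().endswith(".exe"):  # signature row whose Process column is set
            iocs["dropped"].append(normalize(c3))
    return iocs

def dropped_name_pattern(iocs):
    """True when every executed drop follows the seven-letter scheme."""
    return bool(iocs["dropped"]) and all(DROP_NAME.match(p) for p in iocs["dropped"])

def image_sizes(iocs):
    """Histogram of dumped region sizes: one size shared by many PIDs means the
    differently hashed drops are the same image under new names."""
    return Counter(size for _, size in iocs["images"])

def c2_candidates(iocs):
    """Direct-to-IP TCP sockets on ports other than DNS, HTTP and HTTPS."""
    return sorted((h, p) for h, p, proto in iocs["network"]
                  if proto == "tcp" and p not in (53, 80, 443))

if __name__ == "__main__":
    found = parse_report(REPORT_EXCERPT)
    print("seven-letter drops:", dropped_name_pattern(found))
    print("region sizes:", {hex(k): v for k, v in image_sizes(found).items()})
    print("C2 candidates:", c2_candidates(found))
```

Run against the full page rather than the excerpt, image_sizes collapses to a single 0x351000 bucket plus one 0x10000 entry per detonation, and c2_candidates reduces both Network tables to the one socket they share.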
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-14 20:25
Reported
2024-08-14 20:27
Platform
win10v2004-20240802-en
Max time kernel
140s
Max time network
143s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target was recorded for any of them.
Cobaltstrike
xmrig
XMRig Miner payload
47 matches; no description, indicator, process or target was recorded for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\zuLvAMR.exe | N/A |
| N/A | N/A | C:\Windows\System\fkdTzxA.exe | N/A |
| N/A | N/A | C:\Windows\System\knyMepl.exe | N/A |
| N/A | N/A | C:\Windows\System\LZDwLUu.exe | N/A |
| N/A | N/A | C:\Windows\System\ZxJMqAW.exe | N/A |
| N/A | N/A | C:\Windows\System\CStjpkY.exe | N/A |
| N/A | N/A | C:\Windows\System\bKWzvPY.exe | N/A |
| N/A | N/A | C:\Windows\System\uwXswaF.exe | N/A |
| N/A | N/A | C:\Windows\System\dCEZqoJ.exe | N/A |
| N/A | N/A | C:\Windows\System\pJXmJza.exe | N/A |
| N/A | N/A | C:\Windows\System\UJcIWIH.exe | N/A |
| N/A | N/A | C:\Windows\System\VymiDFG.exe | N/A |
| N/A | N/A | C:\Windows\System\bMfWOQy.exe | N/A |
| N/A | N/A | C:\Windows\System\WxLBMeG.exe | N/A |
| N/A | N/A | C:\Windows\System\qSeOATs.exe | N/A |
| N/A | N/A | C:\Windows\System\dGMyaql.exe | N/A |
| N/A | N/A | C:\Windows\System\LuQxYyy.exe | N/A |
| N/A | N/A | C:\Windows\System\OydqIlZ.exe | N/A |
| N/A | N/A | C:\Windows\System\wJbKxDO.exe | N/A |
| N/A | N/A | C:\Windows\System\BVESvFT.exe | N/A |
| N/A | N/A | C:\Windows\System\ZRLRIBh.exe | N/A |
UPX packed file
64 matches; no description, indicator, process or target was recorded for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_83680355ec2b59641517c2fbc3f3a0ea_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\zuLvAMR.exe
C:\Windows\System\zuLvAMR.exe
C:\Windows\System\fkdTzxA.exe
C:\Windows\System\fkdTzxA.exe
C:\Windows\System\knyMepl.exe
C:\Windows\System\knyMepl.exe
C:\Windows\System\LZDwLUu.exe
C:\Windows\System\LZDwLUu.exe
C:\Windows\System\ZxJMqAW.exe
C:\Windows\System\ZxJMqAW.exe
C:\Windows\System\CStjpkY.exe
C:\Windows\System\CStjpkY.exe
C:\Windows\System\bKWzvPY.exe
C:\Windows\System\bKWzvPY.exe
C:\Windows\System\uwXswaF.exe
C:\Windows\System\uwXswaF.exe
C:\Windows\System\dCEZqoJ.exe
C:\Windows\System\dCEZqoJ.exe
C:\Windows\System\pJXmJza.exe
C:\Windows\System\pJXmJza.exe
C:\Windows\System\UJcIWIH.exe
C:\Windows\System\UJcIWIH.exe
C:\Windows\System\VymiDFG.exe
C:\Windows\System\VymiDFG.exe
C:\Windows\System\bMfWOQy.exe
C:\Windows\System\bMfWOQy.exe
C:\Windows\System\WxLBMeG.exe
C:\Windows\System\WxLBMeG.exe
C:\Windows\System\qSeOATs.exe
C:\Windows\System\qSeOATs.exe
C:\Windows\System\LuQxYyy.exe
C:\Windows\System\LuQxYyy.exe
C:\Windows\System\dGMyaql.exe
C:\Windows\System\dGMyaql.exe
C:\Windows\System\OydqIlZ.exe
C:\Windows\System\OydqIlZ.exe
C:\Windows\System\wJbKxDO.exe
C:\Windows\System\wJbKxDO.exe
C:\Windows\System\BVESvFT.exe
C:\Windows\System\BVESvFT.exe
C:\Windows\System\ZRLRIBh.exe
C:\Windows\System\ZRLRIBh.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
The reverse lookups via 8.8.8.8 and the bing.com / bing.net connections are characteristic of the Windows 10 image's own background activity and do not appear in the Windows 7 detonation; the one destination common to both runs, reached without any DNS resolution, is 3.120.209.58:8080, contacted six times in each.
Files
memory/4804-0-0x00007FF6E9A70000-0x00007FF6E9DC1000-memory.dmp
memory/4804-1-0x00000265FE370000-0x00000265FE380000-memory.dmp
C:\Windows\System\zuLvAMR.exe
| MD5 | bf5d1c42e3ac06c2c9894d4ff40c5e26 |
| SHA1 | 0e6c225dc9e7574f2cf552bfc0c1b5e3c6bf854c |
| SHA256 | 358f9ebbaf6fec68f56bb1c904b451260e01985c5fea09e31dbfa1770e758ce0 |
| SHA512 | 8bb855ba7c518f34cb28aab64d08c9fb69f2748f22d75df3b53a00561ff5a4c44d174aa3b05acdf126295aaab5a1a890bcf95c0a4fec45fc0c96150989e9af83 |
memory/4008-9-0x00007FF719D90000-0x00007FF71A0E1000-memory.dmp
C:\Windows\System\fkdTzxA.exe
| MD5 | 315f251cb7389c1ae038ec95ae849a66 |
| SHA1 | 3641b68f087756b872e740b619b855a2e39a804b |
| SHA256 | f12e059521a144c5937b1a00e10fa170baa4cd6c22679811e23773d4ee1c1e5f |
| SHA512 | 7896d64d4c840ab40570f17b2c4e5d125ff7502151ce0f7cf122d460187171a021079163324c20429b017d793f70b012d5ac45cdc841d988ad5e1507f8e7d7b2 |
memory/2968-20-0x00007FF62D3A0000-0x00007FF62D6F1000-memory.dmp
memory/5092-18-0x00007FF73E160000-0x00007FF73E4B1000-memory.dmp
C:\Windows\System\knyMepl.exe
| MD5 | 1e765546519f17930678cc8212b0df2f |
| SHA1 | 0892f5831cf78b1735e0b71024811c3ecef3524a |
| SHA256 | 891e5b860c173e1b13e66f90a32e2f8ff5afd14416f916d6bec38fe916ef5dc1 |
| SHA512 | ccdc220b43853dcae3d7e640a8df9634075e77767dfee9e0e1d07cbd214047a6826a31cbef7fae49df242a1edf0c5ae4ba0e91185937909864db425af45e50f6 |
C:\Windows\System\LZDwLUu.exe
| MD5 | bb6b2977f35d6963b01bc5dcc73034c9 |
| SHA1 | 4cde90116109d82bfc4e4656f36ad7afb7164ed5 |
| SHA256 | 76e3585ae1dfad4a68ae8ccb9f8ffaec754586525edd83543dd1a940956cc54e |
| SHA512 | 1b5d1c37828eb56aa1dc62582b1c810f15fabe63159f80616bdcaf4839a0a433e8dacf377b06f5504eb2d3640e279d183c337b9011b5898a7b253a0851adc75f |
memory/4464-28-0x00007FF7317A0000-0x00007FF731AF1000-memory.dmp
C:\Windows\System\CStjpkY.exe
| MD5 | 6e82776ec6a51b8bee39de721ef607e4 |
| SHA1 | cb90eb32d4b33df6039e7340a24bf4dfb721d8f8 |
| SHA256 | d718d8fa8761462dd60faeeab41fb120fe40967476cd0df19c0f871eb000efa6 |
| SHA512 | 431b6623303dfbc085e32b1d1d5fb1b2945d84503b7f96797ecf107fe5dc5e9ebbd7227570167611e581e6141ac03b2695f17e4088419934d5cda7ddc95f215f |
C:\Windows\System\bKWzvPY.exe
| MD5 | c6c1051abf068c1c191732d536b31a3c |
| SHA1 | 35324721d1e614b8af1de9d456792f200dd4db9f |
| SHA256 | d8fa27b012739159757e41b192962a26b803b8ac94ae578a084cf77e11ca5d27 |
| SHA512 | 9fba205295d7e60e5f19077bdf62a8ec9860a526aef3247d8b0b4833c6e091c5df4013ea8d3e2457e35d2dcf0cd57b122018f03ce655f1b44507ceac290c86f0 |
memory/2356-38-0x00007FF7A6C40000-0x00007FF7A6F91000-memory.dmp
C:\Windows\System\uwXswaF.exe
| MD5 | cf53ae75e3876f5ace7cde8f595f0140 |
| SHA1 | aa13978ee0fcc8674c8701fec54793f5aec967f5 |
| SHA256 | 2bdc7638c472ec34f39ccd9e27e7d3f5a3ee03e6d432c9a0a799be5a77b07814 |
| SHA512 | d427efa62eb76367cb7e69998b7ea3125b7f7e2f0b3459af5e41fb6104a2bee6b2fb042f9626f704d64fdc875861b5eea67aee37132b446fca3254e44ae19f36 |
C:\Windows\System\UJcIWIH.exe
| MD5 | d95a8613c167d746dda7ac95b6f92760 |
| SHA1 | 0e6af7782e198f995bbe959643b195467924f765 |
| SHA256 | dc740c9c6e3dd0785272b4d8e8a95c3aa0fcaa0185f6d6206f20e2aafc8e1577 |
| SHA512 | 736f1ff388156820f71ecda8e60cecf3607ce61a4db74a176e348e2dd3d6d4a68c35618e8e2d0cda58133daa3d21058dfd8718675df278d7da5bfb8c5a4599ac |
C:\Windows\System\pJXmJza.exe
| MD5 | 3e62ef0e7385f009350c2c70f44ef9fd |
| SHA1 | e2a7c816c5a58aa2b191e3cdad8d6cacc9f58863 |
| SHA256 | d751d4416251780a90d369f49e3e796a1c2e3019d87dc60cc5d0fcbf672fac72 |
| SHA512 | cb21b466ee135294fa3d39a5e3c361aa4d849da71833a94a697db23d3054070715c9936e457a2179061555c6cd8760448cbad319d814be6f94df597a87e27a97 |
C:\Windows\System\bMfWOQy.exe
| MD5 | 67bb5cf214c9fcc0802d4882bcf7f8b7 |
| SHA1 | 67bc0ead38d9133a30baead4494d50b92fa9a932 |
| SHA256 | 01f17600b24e616770718bed23f96f5fbf3d2810878dd7e7893ed45209467910 |
| SHA512 | f42801186450b3a3365ea10996a4c5461fcd82fb480e003f47340b648f13a34272cc7675e38f4ac4e3c34af1942d8334a76a952417b257e93924295f00ce374b |
memory/1616-95-0x00007FF62A550000-0x00007FF62A8A1000-memory.dmp
memory/5092-101-0x00007FF73E160000-0x00007FF73E4B1000-memory.dmp
C:\Windows\System\qSeOATs.exe
| MD5 | f9d643eeda97de81a6c169aa5679d529 |
| SHA1 | 6e6d6386f8d9c3ae945c94289a2f6022f5e2b0de |
| SHA256 | 95a69233e8a5d0e6c6eec3adbbe8496facec3e86e122a6af45abb4a2eb919819 |
| SHA512 | 86ccae7ece037c87ce3af8b9950e505e1487c9b235a9208bd8f81268e1be6ef3c3b785059c2f3f8ae30c6c66422939e0aa886224ff8485f7a42e9be5bafee079 |
memory/1260-118-0x00007FF6BA590000-0x00007FF6BA8E1000-memory.dmp
C:\Windows\System\OydqIlZ.exe
| MD5 | fa2174c0238c1bcfc18938bf65c275ee |
| SHA1 | f66386924c58995d8dbc9bac619ccc90e91aa049 |
| SHA256 | 494876276893737584987848bb1dc8e1a4dac2617a7ef0032b2c2b977b77c9f9 |
| SHA512 | 61cf38b80ac52beb253ddbdb613070a40caf685a947ea8609f34b11d2db47d6b637047324f0926f42c41727d8ba434d367bdb2d8a1af03e8e486817497bf1974 |
memory/1092-129-0x00007FF69C920000-0x00007FF69CC71000-memory.dmp
C:\Windows\System\ZRLRIBh.exe
| MD5 | 89bba70f3c94b62da6de323955acd62f |
| SHA1 | 254b52e978e2b016722f431244ee637232bdfebc |
| SHA256 | b5336f1a19ef79de492d0bb37f588fa344c2d263eb670ea5e9b277d0b75fc66f |
| SHA512 | b528b6e94cfb243686c02cb3e6225cf04ff01667c71a5ee68ba027651fda71f24cad343fd9a31f2f1d3da97190c825efc512557592bb349fe56a434396aacad1 |
memory/664-126-0x00007FF764220000-0x00007FF764571000-memory.dmp
C:\Windows\System\BVESvFT.exe
| MD5 | 6cb97cdce43a7c3c56462cf2a812896f |
| SHA1 | 25f5bea6b594aa2fc292371a7124780a8ab60101 |
| SHA256 | c0522ca31b1d598a72b61a48e75f490096c1fcf22e117c162f86b80aa1d0dd0f |
| SHA512 | 7d365e7fe37ac6337b1773a3b0675ac75d72a5c54f5cbc51118f40079a38cf993ba86b40331c5d65e73367218011dabd1fc1fc3a07a139030fc8e29c5da09050 |
C:\Windows\System\wJbKxDO.exe
| MD5 | 7be1f352aa72ab3cbfab3b534e9b0e9e |
| SHA1 | f5baf80197dfbf9c94485e3870b131b01fa33b52 |
| SHA256 | c02a2c62cccdc23d84c7f3b933f1110fda56d9e9bb177774677b14c340a44152 |
| SHA512 | 080aadd3c16b97dfa50874281cf49ba66939e88d779293d221f441931d2958bf60ae2fae164243c216bb0238f79b550d488e5b7f8011a444b61803ba69e285cb |
memory/1936-119-0x00007FF764E60000-0x00007FF7651B1000-memory.dmp
C:\Windows\System\LuQxYyy.exe
| MD5 | 68c3d89242ab4e6bf2df6ead6817f35b |
| SHA1 | 530f279b2cd28142ad88be2728ded011d793942f |
| SHA256 | e4ffdd3932e9c02fa84ff2f0f1ee025fee346e6fe7ab664219444060dbcb7e03 |
| SHA512 | 2451ad10394b5d62e3a3b44cbf3aad6670e2b64039af95ff2c5ecaa4ee61caf697712228d17d8394255df1603d09af648603f1145afb138fd2647dcdccb1a40b |
C:\Windows\System\dGMyaql.exe
| MD5 | a0ddaee9e70f1a85a80f863645c52490 |
| SHA1 | 2800611520aba5dd4d963d16bed2a6d1a697c31e |
| SHA256 | 194b11b4239e218d6e5dff00657ebb4cb4e661d2d22f328f71b1b480d9ab0d28 |
| SHA512 | c09d4c9164b05c6ed3ff9ab99c138bcb515bdd751ce01e7fffe5b8cabef32b0cb3889a0f68617e241ee2858195027e5fad2e6ac1fc5942c09677e5309d228f84 |
memory/2016-113-0x00007FF6F17E0000-0x00007FF6F1B31000-memory.dmp
memory/1440-112-0x00007FF7BE6A0000-0x00007FF7BE9F1000-memory.dmp
memory/4100-104-0x00007FF7FA6A0000-0x00007FF7FA9F1000-memory.dmp
C:\Windows\System\VymiDFG.exe
| MD5 | 662bc7cca2a47fc36751053fb357b26d |
| SHA1 | 85afe8c7001df1a60535ccac77577e231f829697 |
| SHA256 | a9f6b7acb76caa464a516ea54670dd09285022e752fbef05588f16cfd97a8e51 |
| SHA512 | 62eb8d8d542a91c39ee8ae10be2cba0fe388ee163e533238d559c303f6c7ba0900b613221c7fc0307a70882959bbdc23395efd99de69ce8e0a737d65bc92ecd0 |
C:\Windows\System\WxLBMeG.exe
| MD5 | 3ec2336a83df9307d342004453b57631 |
| SHA1 | db8f53a47ef2f37fb07d21fb49040a4786b62e51 |
| SHA256 | b8cf5c11e196dcf0779353cfcddf2b23441d65f0fc78b94b38973b2473da378a |
| SHA512 | 0f78715af585e08b3dd770f9f845452a127bf41e4074e5ededff75571d90c3e79ff22417da5521eec3044bcef79f5486143ef00ba0c884156637aeb1175f63a3 |
memory/1728-87-0x00007FF66AC20000-0x00007FF66AF71000-memory.dmp
memory/4008-86-0x00007FF719D90000-0x00007FF71A0E1000-memory.dmp
memory/4804-77-0x00007FF6E9A70000-0x00007FF6E9DC1000-memory.dmp
memory/1668-76-0x00007FF715A00000-0x00007FF715D51000-memory.dmp
memory/4796-72-0x00007FF7202A0000-0x00007FF7205F1000-memory.dmp
memory/100-65-0x00007FF7E4010000-0x00007FF7E4361000-memory.dmp
C:\Windows\System\dCEZqoJ.exe
| MD5 | be6bac1d21833338fe2bad5014185ed5 |
| SHA1 | b5772eee6d1b11964939b9c3d30f2219e6d8ef49 |
| SHA256 | adbd84409a73dbee47c416cc775840bbf803043a19093f47c8929910467f69af |
| SHA512 | 11c20dea925680858c9f6829f18fe9d8bcabfc9a8495e98eba4060d5ba9f99779435c5852803f1fc20cddb576871c62039bc368d5e3ddf564e7888c716ad2347 |
memory/400-56-0x00007FF67D020000-0x00007FF67D371000-memory.dmp
memory/1104-54-0x00007FF64ED40000-0x00007FF64F091000-memory.dmp
memory/1508-44-0x00007FF74C730000-0x00007FF74CA81000-memory.dmp
C:\Windows\System\ZxJMqAW.exe
| MD5 | 761c75cd10bf142b464801341b8ffb64 |
| SHA1 | ee1abeb5076a48ae43831094c67619946a5bde99 |
| SHA256 | abcb56c2151e7936cb6e21fb7cbdb7ec2e9dd67c24b974aa2812f1ba9245436a |
| SHA512 | d58158c2a889aef77fdfea8a742a596623105a70741386826949a82063806afdad999766fca2544739d1e3f4c321c8464cde8fc7f2dc093ae4196966dfa9af55 |
memory/1328-34-0x00007FF73C1A0000-0x00007FF73C4F1000-memory.dmp
memory/2968-132-0x00007FF62D3A0000-0x00007FF62D6F1000-memory.dmp
memory/4804-131-0x00007FF6E9A70000-0x00007FF6E9DC1000-memory.dmp
memory/2356-138-0x00007FF7A6C40000-0x00007FF7A6F91000-memory.dmp
memory/4100-147-0x00007FF7FA6A0000-0x00007FF7FA9F1000-memory.dmp
memory/1668-145-0x00007FF715A00000-0x00007FF715D51000-memory.dmp
memory/4796-144-0x00007FF7202A0000-0x00007FF7205F1000-memory.dmp
memory/1616-146-0x00007FF62A550000-0x00007FF62A8A1000-memory.dmp
memory/400-141-0x00007FF67D020000-0x00007FF67D371000-memory.dmp
memory/1104-140-0x00007FF64ED40000-0x00007FF64F091000-memory.dmp
memory/1508-139-0x00007FF74C730000-0x00007FF74CA81000-memory.dmp
memory/100-142-0x00007FF7E4010000-0x00007FF7E4361000-memory.dmp
memory/1328-137-0x00007FF73C1A0000-0x00007FF73C4F1000-memory.dmp
memory/1440-148-0x00007FF7BE6A0000-0x00007FF7BE9F1000-memory.dmp
memory/1260-152-0x00007FF6BA590000-0x00007FF6BA8E1000-memory.dmp
memory/1092-153-0x00007FF69C920000-0x00007FF69CC71000-memory.dmp
memory/664-151-0x00007FF764220000-0x00007FF764571000-memory.dmp
memory/2016-150-0x00007FF6F17E0000-0x00007FF6F1B31000-memory.dmp
memory/4804-154-0x00007FF6E9A70000-0x00007FF6E9DC1000-memory.dmp
memory/4008-204-0x00007FF719D90000-0x00007FF71A0E1000-memory.dmp
memory/5092-206-0x00007FF73E160000-0x00007FF73E4B1000-memory.dmp
memory/2968-208-0x00007FF62D3A0000-0x00007FF62D6F1000-memory.dmp
memory/4464-210-0x00007FF7317A0000-0x00007FF731AF1000-memory.dmp
memory/2356-228-0x00007FF7A6C40000-0x00007FF7A6F91000-memory.dmp
memory/1328-230-0x00007FF73C1A0000-0x00007FF73C4F1000-memory.dmp
memory/1508-234-0x00007FF74C730000-0x00007FF74CA81000-memory.dmp
memory/1104-233-0x00007FF64ED40000-0x00007FF64F091000-memory.dmp
memory/400-236-0x00007FF67D020000-0x00007FF67D371000-memory.dmp
memory/100-238-0x00007FF7E4010000-0x00007FF7E4361000-memory.dmp
memory/1728-240-0x00007FF66AC20000-0x00007FF66AF71000-memory.dmp
memory/1668-242-0x00007FF715A00000-0x00007FF715D51000-memory.dmp
memory/4796-245-0x00007FF7202A0000-0x00007FF7205F1000-memory.dmp
memory/1616-246-0x00007FF62A550000-0x00007FF62A8A1000-memory.dmp
memory/4100-248-0x00007FF7FA6A0000-0x00007FF7FA9F1000-memory.dmp
memory/1936-250-0x00007FF764E60000-0x00007FF7651B1000-memory.dmp
memory/2016-254-0x00007FF6F17E0000-0x00007FF6F1B31000-memory.dmp
memory/1440-253-0x00007FF7BE6A0000-0x00007FF7BE9F1000-memory.dmp
memory/664-256-0x00007FF764220000-0x00007FF764571000-memory.dmp
memory/1092-259-0x00007FF69C920000-0x00007FF69CC71000-memory.dmp
memory/1260-260-0x00007FF6BA590000-0x00007FF6BA8E1000-memory.dmp