Analysis Overview
SHA256
18977197ae619df636d1e8085a0a1def1946c7a8a824181763a6e2d5bf98cedc
Threat Level: Known bad
The file 2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
XMRig Miner payload
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-14 20:24
Signatures
Cobalt Strike reflective loader
1 match recorded (no description, indicator, process or target captured)
Cobaltstrike family
XMRig Miner payload
1 match recorded (no description, indicator, process or target captured)
Xmrig family
UPX packed file
1 match recorded (no description, indicator, process or target captured)
Unsigned PE
2 matches recorded (no description, indicator, process or target captured)
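The two static signatures above (UPX packed file, Unsigned PE) are cheap to reproduce locally. The block below is an added example written for this page, not output of the sandbox: it parses the PE headers by hand (no `pefile` dependency), reports UPX-style section names and whether a certificate table is present, and checks the SHA-256 against a few of the dropped-file hashes from this report. `build_test_pe` fabricates a header-only image for exercising the parser, and `KNOWN_BAD_SHA256` holds only three of the hashes listed on this page. Caveats: section names are trivially renamed, so a missing `UPX0`/`UPX1` proves nothing, and a non-zero certificate table only means a signature blob exists, not that it validates.

```python
import hashlib
import struct

# A few SHA-256 values taken from this report, used as a hit list.
KNOWN_BAD_SHA256 = {
    "18977197ae619df636d1e8085a0a1def1946c7a8a824181763a6e2d5bf98cedc",  # submitted sample
    "03fe2606f6fe0ecfbb44ebf961bbcb92da622d6e00efa52041a5cf6843b9664a",  # FdtGwfN.exe
    "ecf7624c83d0ec3ee7cf8a11db09c2524c5937d3ac07d1ee10e7fa7d907c5642",  # bQMREtZ.exe
}

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode certificate table


def inspect_pe(data: bytes) -> dict:
    """Parse just enough of a PE image to answer 'UPX section names?' and 'signed?'."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:        # PE32+
        dirs = opt + 112
    elif magic == 0x10B:      # PE32
        dirs = opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", data, dirs - 4)[0]   # NumberOfRvaAndSizes
    cert_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _, cert_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    table = opt + opt_size                                 # section table follows the optional header
    names = []
    for i in range(nsections):
        raw = data[table + 40 * i: table + 40 * i + 8]     # IMAGE_SECTION_HEADER.Name
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return {
        "machine": machine,
        "pe32plus": magic == 0x20B,
        "sections": names,
        "upx_sections": any(n.startswith("UPX") for n in names),
        "has_authenticode": cert_size > 0,
    }


def triage(data: bytes) -> dict:
    """Combine the hash hit list with the two static signatures from the report."""
    info = inspect_pe(data)
    info["sha256"] = hashlib.sha256(data).hexdigest()
    info["known_bad_hash"] = info["sha256"] in KNOWN_BAD_SHA256
    return info


def build_test_pe(section_names, signed=False, pe32plus=True) -> bytes:
    """Constructed header-only PE image for exercising the parser; it does not run."""
    opt_size = 240 if pe32plus else 224
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    dirs = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dirs - 4, 16)                      # NumberOfRvaAndSizes
    if signed:
        struct.pack_into("<II", opt, dirs + 8 * 4, 0x1000, 0x800)  # fake certificate table entry
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       len(section_names), 0, 0, 0, opt_size, 0x22)
    sections = b"".join(struct.pack("<8s", n.encode()) + bytes(32) for n in section_names)
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    print(triage(build_test_pe(["UPX0", "UPX1", ".rsrc"])))
    print(triage(build_test_pe([".text", ".data"], signed=True, pe32plus=False)))
```

To run it against a real dropped file, pass `open(path, "rb").read()` to `triage`; the parser only reads headers, so it is safe on untrusted input as long as the file is never executed.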
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-14 20:24
Reported
2024-08-14 20:26
Platform
win7-20240705-en
Max time kernel
140s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches recorded (no description, indicator, process or target captured)
Cobaltstrike
xmrig
XMRig Miner payload
41 matches recorded (no description, indicator, process or target captured)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\FdtGwfN.exe | N/A |
| N/A | N/A | C:\Windows\System\bQMREtZ.exe | N/A |
| N/A | N/A | C:\Windows\System\GbLyzll.exe | N/A |
| N/A | N/A | C:\Windows\System\VtuXKHv.exe | N/A |
| N/A | N/A | C:\Windows\System\nfWuHRl.exe | N/A |
| N/A | N/A | C:\Windows\System\WSeCZzP.exe | N/A |
| N/A | N/A | C:\Windows\System\ZeBOPFs.exe | N/A |
| N/A | N/A | C:\Windows\System\nrJTzil.exe | N/A |
| N/A | N/A | C:\Windows\System\GxGFjaH.exe | N/A |
| N/A | N/A | C:\Windows\System\JpALcsT.exe | N/A |
| N/A | N/A | C:\Windows\System\ygtYQOQ.exe | N/A |
| N/A | N/A | C:\Windows\System\JhAHcAP.exe | N/A |
| N/A | N/A | C:\Windows\System\WRmZbaT.exe | N/A |
| N/A | N/A | C:\Windows\System\GKddvzZ.exe | N/A |
| N/A | N/A | C:\Windows\System\WvkXGgc.exe | N/A |
| N/A | N/A | C:\Windows\System\TZBRGzv.exe | N/A |
| N/A | N/A | C:\Windows\System\YyzRhum.exe | N/A |
| N/A | N/A | C:\Windows\System\fSRWvdp.exe | N/A |
| N/A | N/A | C:\Windows\System\SGJcMcv.exe | N/A |
| N/A | N/A | C:\Windows\System\UrXEcnV.exe | N/A |
| N/A | N/A | C:\Windows\System\pcygDwh.exe | N/A |
Loads dropped DLL
UPX packed file
64 matches recorded (no description, indicator, process or target captured)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\FdtGwfN.exe
C:\Windows\System\FdtGwfN.exe
C:\Windows\System\bQMREtZ.exe
C:\Windows\System\bQMREtZ.exe
C:\Windows\System\GbLyzll.exe
C:\Windows\System\GbLyzll.exe
C:\Windows\System\VtuXKHv.exe
C:\Windows\System\VtuXKHv.exe
C:\Windows\System\nfWuHRl.exe
C:\Windows\System\nfWuHRl.exe
C:\Windows\System\WSeCZzP.exe
C:\Windows\System\WSeCZzP.exe
C:\Windows\System\ZeBOPFs.exe
C:\Windows\System\ZeBOPFs.exe
C:\Windows\System\nrJTzil.exe
C:\Windows\System\nrJTzil.exe
C:\Windows\System\GxGFjaH.exe
C:\Windows\System\GxGFjaH.exe
C:\Windows\System\JpALcsT.exe
C:\Windows\System\JpALcsT.exe
C:\Windows\System\ygtYQOQ.exe
C:\Windows\System\ygtYQOQ.exe
C:\Windows\System\JhAHcAP.exe
C:\Windows\System\JhAHcAP.exe
C:\Windows\System\WRmZbaT.exe
C:\Windows\System\WRmZbaT.exe
C:\Windows\System\GKddvzZ.exe
C:\Windows\System\GKddvzZ.exe
C:\Windows\System\WvkXGgc.exe
C:\Windows\System\WvkXGgc.exe
C:\Windows\System\TZBRGzv.exe
C:\Windows\System\TZBRGzv.exe
C:\Windows\System\YyzRhum.exe
C:\Windows\System\YyzRhum.exe
C:\Windows\System\fSRWvdp.exe
C:\Windows\System\fSRWvdp.exe
C:\Windows\System\SGJcMcv.exe
C:\Windows\System\SGJcMcv.exe
C:\Windows\System\UrXEcnV.exe
C:\Windows\System\UrXEcnV.exe
C:\Windows\System\pcygDwh.exe
C:\Windows\System\pcygDwh.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
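The behaviour recorded above reduces to four host-observable signals: executables written to `C:\Windows\System\` (a legacy folder that normally contains nothing runnable), processes started from that folder, `SeLockMemoryPrivilege` being enabled (XMRig asks for it to use large pages), and TCP connections to 3.120.209.58:8080. The block below is an added example, not part of the sandbox report, showing how those signals can be correlated per process over Sysmon/Security-log style events. The event dictionaries are constructed for the example, the pids are illustrative, and the seven-letter file-name pattern is an assumption generalised from the 21 names listed in this report. The Bing traffic seen in the win10 run is ordinary Windows background noise and is deliberately not matched.

```python
import re
from collections import defaultdict

# Indicators taken from the behavioral reports on this page.
C2_ENDPOINTS = {("3.120.209.58", 8080)}
DROP_DIR = r"c:\windows\system"                    # legacy folder; nothing normally executes from here
DROPPED_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")   # assumption: generalises the 21 names seen
LOCK_MEMORY = "SeLockMemoryPrivilege"              # requested by XMRig for large pages


def _split(path):
    """Return (lower-cased directory, file name) for a Windows path."""
    d, _, name = path.rpartition("\\")
    return d.lower(), name


def match_event(ev):
    """Return the names of the report-derived rules that a single event satisfies."""
    hits = []
    if ev["type"] == "FileCreate":                 # Sysmon event 11
        d, name = _split(ev["target"])
        if d == DROP_DIR and DROPPED_NAME.match(name):
            hits.append("drops_exe_in_windows_system")
    elif ev["type"] == "ProcessCreate":            # Sysmon event 1
        d, _ = _split(ev["image"])
        if d == DROP_DIR:
            hits.append("executes_from_windows_system")
    elif ev["type"] == "NetworkConnect":           # Sysmon event 3
        if (ev["dst_ip"], ev["dst_port"]) in C2_ENDPOINTS:
            hits.append("known_c2_endpoint")
    elif ev["type"] == "TokenRightAdjusted":       # Security event 4703
        if LOCK_MEMORY in ev["privileges"]:
            hits.append("lock_memory_privilege")
    return hits


def score_events(events):
    """Group rule hits per process id so weak signals can be correlated."""
    hits = defaultdict(set)
    for ev in events:
        for rule in match_event(ev):
            hits[ev["pid"]].add(rule)
    return dict(hits)


def flagged_pids(events):
    """A process is flagged on a C2 match alone, or on any two other rules."""
    out = set()
    for pid, rules in score_events(events).items():
        if "known_c2_endpoint" in rules or len(rules) >= 2:
            out.add(pid)
    return out


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe"

# Constructed sample telemetry modelled on behavioral1 (pids are illustrative).
SAMPLE_EVENTS = [
    {"type": "FileCreate", "pid": 1960, "target": r"C:\Windows\System\FdtGwfN.exe"},
    {"type": "ProcessCreate", "pid": 2412, "image": r"C:\Windows\System\FdtGwfN.exe",
     "parent_image": SAMPLE},
    {"type": "TokenRightAdjusted", "pid": 1960, "privileges": ["SeLockMemoryPrivilege"]},
    {"type": "NetworkConnect", "pid": 1960, "dst_ip": "3.120.209.58", "dst_port": 8080},
    # Benign noise also present in the win10 run: a System32 service and Bing thumbnail traffic.
    {"type": "ProcessCreate", "pid": 4444, "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"type": "NetworkConnect", "pid": 4444, "dst_ip": "150.171.28.10", "dst_port": 443},
]

if __name__ == "__main__":
    for pid, rules in sorted(score_events(SAMPLE_EVENTS).items()):
        print(pid, sorted(rules))
    print("flagged:", sorted(flagged_pids(SAMPLE_EVENTS)))
```

The C2 endpoint is treated as sufficient on its own because it is a concrete IOC from this run; the other three rules are generic enough that a single hit warrants triage rather than an alert, which is why they only flag in combination.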
Files
memory/1960-0-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/1960-1-0x0000000000180000-0x0000000000190000-memory.dmp
\Windows\system\FdtGwfN.exe
| MD5 | d217bd25cecdd00430873d3cd81d7c51 |
| SHA1 | 02301acfa2743e33631a2a9b84bb99aacc908de7 |
| SHA256 | 03fe2606f6fe0ecfbb44ebf961bbcb92da622d6e00efa52041a5cf6843b9664a |
| SHA512 | 13470e70cbb9c8a9450ada0b11b1394dba51a79652db38b2bef619c0a3e9b4777bff703f5aff8521a59ba6d08e2f345b03981f94e72459b09e52a27b22fbd968 |
memory/1960-6-0x000000013F8D0000-0x000000013FC21000-memory.dmp
memory/2412-8-0x000000013F8D0000-0x000000013FC21000-memory.dmp
\Windows\system\bQMREtZ.exe
| MD5 | 8bd006f34a52fb64a6e9ae5a6b9a26e3 |
| SHA1 | 3a6832d68696b38e2f577545a61cf513c7d03700 |
| SHA256 | ecf7624c83d0ec3ee7cf8a11db09c2524c5937d3ac07d1ee10e7fa7d907c5642 |
| SHA512 | e7eb5e4815f7ffabde268b5e34f9666f7cb18b12ef6aa455d3ce01f5fe572e6f1bbd702d4a9590f538797f2824da0c08733e3d7373f2fb5f0f601a4a71640f3e |
C:\Windows\system\GbLyzll.exe
| MD5 | 9e96192477bd78f3529dc8146bbb0b23 |
| SHA1 | 4c49622c0facf95b3574feaddc34fe2d9a7e9ade |
| SHA256 | 441d9f6ee367a1c2d457efeaab8deddc2f60b00e92706ebeb95f76d9707b56ca |
| SHA512 | 9a09842a04d676989a88f13f4a18197848caeef59b99fa2fca7cb7c609b5b250cf5131ffcfc03f52f1c40c7922a2d911b684e3112fce0bfcfbf91b38638c5ed6 |
memory/1960-16-0x000000013FDF0000-0x0000000140141000-memory.dmp
memory/1732-23-0x000000013FDC0000-0x0000000140111000-memory.dmp
memory/1960-22-0x000000013FDC0000-0x0000000140111000-memory.dmp
memory/2536-21-0x000000013FDF0000-0x0000000140141000-memory.dmp
C:\Windows\system\WSeCZzP.exe
| MD5 | d82d788a49a129380ca193c5f9deea99 |
| SHA1 | f97a235017ec1b02aa728f16cef6c9afab460867 |
| SHA256 | 772e90f0390cdb0a3d8e7c538d6bf9478ce5346d452090f37dee7d6eef5610df |
| SHA512 | 08d637cb16410b434535419d9840e247b2ab3b5fa5d59191cbe0d2b768522ca2905c8b39345aac7e46718ea8db6039f3085c083d7b7bc2a46184168a6bf4431d |
C:\Windows\system\nfWuHRl.exe
| MD5 | bed7add3bb8f1f8bd3e389867e1712d0 |
| SHA1 | 42e58d6cf1c669ab6e72ce045d6053bd5be09524 |
| SHA256 | 78e1109e5b1b43db07d4b7fe13b5cdd69989dbe0bcdf1cbaf7052d22bdf018ef |
| SHA512 | 301f9a45ed7539db58065b3ffcd5e7894bb8b0caeb842bbc7833323121a8cc6df4dfbbe0691757126c111c0e411b8067ab662753267750ce73961b8f89974599 |
memory/1960-36-0x000000013FBE0000-0x000000013FF31000-memory.dmp
\Windows\system\ZeBOPFs.exe
| MD5 | 113fa79f9281fc2ab08b80ed70c5ac6b |
| SHA1 | 2168676d761c43a7cebc318a20771b7141263b35 |
| SHA256 | 03f3d7b32c3f2d52922a440faf3d1a1df66da1b7e074a4c5497ab0e1d4bebe21 |
| SHA512 | 2563de55f582fad2e84f13dd6169f0ffff79956d839a908c7525f42f09055949fd685e8307c1eadd5e84e85ee1abb9da49dbe9b90a48a96b64ab8bdcfbbb9ced |
memory/2772-46-0x000000013F210000-0x000000013F561000-memory.dmp
memory/1960-42-0x0000000002230000-0x0000000002581000-memory.dmp
memory/1960-50-0x000000013FFB0000-0x0000000140301000-memory.dmp
memory/2776-51-0x000000013FFB0000-0x0000000140301000-memory.dmp
memory/1960-48-0x0000000002230000-0x0000000002581000-memory.dmp
memory/1652-41-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/2276-40-0x000000013FBE0000-0x000000013FF31000-memory.dmp
C:\Windows\system\VtuXKHv.exe
| MD5 | e57dd81bcdf8b8a40966f854c1a2b78f |
| SHA1 | 0dd3ef15d5e82a0ec675213a637086c60b42d3e9 |
| SHA256 | 13b4506f9cf8ab6b661601caec6803fd60382b81e61468d8ef0b668277249563 |
| SHA512 | 4bad20683a0f7ff559b6e54d6de1c71c2ee9f30788bdb4d58f047a5cde5140f563aeec3682029d5fe842eab54ac8a1851fd554c9ae5c7db1f32395e2e8fccc27 |
\Windows\system\nrJTzil.exe
| MD5 | c624326af697094d7f760c39ac8274cb |
| SHA1 | 92f52a7b5235c998ffb126182778767703f0e0ff |
| SHA256 | 96a8e05e317560b4379e283bbe332fa5f52791530cba868a43647431214cafa0 |
| SHA512 | 8e90aee4856b1dc70d96a34c4f997b13023de03338fd4c0946aab5f317a2f2e809b82ccf49fd448c78513b0e220ff14dc314a6c0b0879c092057c0ab38a7d19a |
memory/1960-57-0x000000013F920000-0x000000013FC71000-memory.dmp
memory/1720-58-0x000000013F920000-0x000000013FC71000-memory.dmp
memory/1960-64-0x000000013F9C0000-0x000000013FD11000-memory.dmp
memory/1992-65-0x000000013F9C0000-0x000000013FD11000-memory.dmp
C:\Windows\system\GxGFjaH.exe
| MD5 | 57368a36ace5384fdb8bac56d92d1dd7 |
| SHA1 | fc9675e8e880f7494689c111bc801694db9b8dda |
| SHA256 | 03ae9245de3fa0587d3d10abc60ec93c5b4eba29eb1abaf42730ca898ba07c76 |
| SHA512 | a538c404de3f67ca3fddc065cfc8b4243b6f2423c64c1bc0cf147d8f278e5ab99229097d26aed3d544d3cf4452c140b4f59c9603626d0b57805e83d03cebfc48 |
C:\Windows\system\JpALcsT.exe
| MD5 | 674df379d1c786e041241e45220e7404 |
| SHA1 | 815a3696b3515396888c45a834f23befe48a3a35 |
| SHA256 | eb1bda47105ff98060c762f1d328e76a769aedafcdca27568501a5b400d3ee8a |
| SHA512 | 3ce82a026b4d556bf4c0f51b3fe140c700c62daa997de2dd8caa8ae3facb18251bc269ea8d53a3e3a1c6f083adecc3f975a6fa13ac679ae72fc5eae1b8255076 |
memory/1960-70-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/1960-72-0x0000000002230000-0x0000000002581000-memory.dmp
memory/1952-73-0x000000013F450000-0x000000013F7A1000-memory.dmp
\Windows\system\ygtYQOQ.exe
| MD5 | 6c67dfd3cc73fb8137a557d010eb7fa0 |
| SHA1 | 182d686845dee1887604e78b15d9aeb8b757f5ff |
| SHA256 | 0af2015ebd50a2dbf15845fb3051b018802b1307eb14e42a149f8da892ec2919 |
| SHA512 | 9c242b15f25bc7ca5636c2a4c9a2ade76de66041893e461231f0acc4e4fa6053a3873f3d94f042afca09ac83302107c925a1260d337d0cb27e783eb59e53b0ea |
memory/2360-79-0x000000013F1D0000-0x000000013F521000-memory.dmp
\Windows\system\JhAHcAP.exe
| MD5 | f030531ae355906bdb4a553b9ef07e10 |
| SHA1 | cb6ce122841b0128be73a06841d5f78825cb572c |
| SHA256 | f6a3cb7016045f232bf851da1094d759c3b0b07d82d93f52c8fbf108f1a4bc49 |
| SHA512 | cede4e5ba8263d2cbb23e87b75a3de5412f620c75f4bd879f91a55fee6282a2aa02f09ab068b92c31d862ba3a77a4f1955ef6796b56ebbadbef0179cd79d1b59 |
memory/2536-85-0x000000013FDF0000-0x0000000140141000-memory.dmp
memory/1960-87-0x000000013F9A0000-0x000000013FCF1000-memory.dmp
\Windows\system\WRmZbaT.exe
| MD5 | e6f3dad1ccd0538fe2a5595227054720 |
| SHA1 | cc033aa7426010315a9f91d65067670acb9974ae |
| SHA256 | 67ab56bf0b9dd6f3d23e127434a3e6188d1799a9444c28e096eda8f13407bc2f |
| SHA512 | 358c173eeb6dce8c1c946cc6ebf10a8ee5a899727a81094a2f954b40dcbb4b5a9864df78d7bc1dc74a8a1f62503121cfa2f7de3ff021ecd68e34dbe32d4bafe6 |
\Windows\system\GKddvzZ.exe
| MD5 | d0a03fb4ffcd57500374638cba31a013 |
| SHA1 | e32a1c85763fc9423fc14d842487896875133ba9 |
| SHA256 | b0fd6a415d4c4b34e1613a2fc53b836d8d6b666e2b63047d25298ee858b26e34 |
| SHA512 | b17c99587fbb3a0436466f403b54fbb2763be28e9c19b45344257b4c2a6b8b3e36c6ed73e4a3a19f317d58bcd4489edf013c917ad24f73a9ce4977244ae9cff4 |
memory/1960-101-0x0000000002230000-0x0000000002581000-memory.dmp
\Windows\system\WvkXGgc.exe
| MD5 | 73afb241c5bf3b4771bca486a560fa7c |
| SHA1 | dcd956ad69c9a53511ce52eb5b7b2c754f36dc54 |
| SHA256 | 28160097bc079944f99ffa3d49f8abecca6ddea7052e2cbb021b47769e2cd28b |
| SHA512 | e8150e78d16f42dccd5d27ec7bbcb11accc85e4a34f8a0a59a77df458b92a4df54dd57a4e21869a502eb77dbbc6e1a18e87a900ee8bf4d96142a2d8e3b10f610 |
\Windows\system\TZBRGzv.exe
| MD5 | a806ba44a81afe00149025eec8c50c54 |
| SHA1 | 85dabd7313e65875a8a19d51cf9cda67a53ec482 |
| SHA256 | e3552329c683ef3a02edc490ee849fc88f0ad5ac7c602257fb333087033d6438 |
| SHA512 | bbf649ff899808211aa06709b79f33949eb86420e47ecfec2bdec38c2b6620af772e91b9b44d58dc219cba136d5dcab59b08f43727bef409b5e1f532c5bad5b4 |
C:\Windows\system\YyzRhum.exe
| MD5 | a9eb452dc67cd09208369361836294f4 |
| SHA1 | f53f86e71414a034c2b4cbf257c23b4e9f7dde40 |
| SHA256 | 9bd9435dbbec44e655fe3381edc5f813c155f3f516054ee2b6d708c7ca79c925 |
| SHA512 | 2be2e004d6f0662614c06438c2b968f4f4ee9b7db35b24fb096e33007a52c35f60de1ccb22a53c411a432aaee85d2bade9d6b24ffbbd515d2c22224ef171bbc0 |
memory/1960-116-0x0000000002230000-0x0000000002581000-memory.dmp
memory/2880-102-0x000000013F610000-0x000000013F961000-memory.dmp
memory/1492-95-0x000000013FE10000-0x0000000140161000-memory.dmp
memory/1960-94-0x000000013FE10000-0x0000000140161000-memory.dmp
C:\Windows\system\fSRWvdp.exe
| MD5 | 9572db163dff17493799d8f449a49e03 |
| SHA1 | 274f70d589c5a4fc23182ff37a74c079d4273a04 |
| SHA256 | f5826940c7d677fa3821a3a94e6617ebb7999cb705ed15feada6093b8480d97a |
| SHA512 | 483944c0839ded02015ddff5b6a16cdd51ce2fb9403e4963a11b6402392b143740bf9fb93816e3562146e26086f65296a85c54d7105e319f9e3038e6f42a93cb |
C:\Windows\system\SGJcMcv.exe
| MD5 | 66e46ced46e867f7d7258369d03b2866 |
| SHA1 | 646e0e6ed0509b1d255a7e1ae69556cd59a2aba8 |
| SHA256 | 73c7b2834b88d3d6e21d2550d612cdd1748e030acd514de0dff4d23582857696 |
| SHA512 | 840ca9c2106772d35106b544f97c0298cb6fb8ae27fac1b80a1c6a87e8fe36fae1aac64ff253c7ab5a55d1fd63136adeaa35a9919bbfab0562ea171b13b75fe0 |
\Windows\system\UrXEcnV.exe
| MD5 | e09930f923e056cf033b05f6131a4d0e |
| SHA1 | d692890657e4fc7e0c498d833605d37a13cb7c58 |
| SHA256 | 13c51309551a77d0d25c51f5d3bd2c8e45d6bd437ac266dc438aa60a819508a8 |
| SHA512 | e2178e7289f9dde5c80f438bda636585498d53a8888756c3575df67d737d2a116e5fe4988707ce484dd2398400cda2e978e4f96ae40fac198a19542159631717 |
memory/2244-88-0x000000013F9A0000-0x000000013FCF1000-memory.dmp
memory/2412-83-0x000000013F8D0000-0x000000013FC21000-memory.dmp
\Windows\system\pcygDwh.exe
| MD5 | ee6d9cebe33a40c03b1079ed9ae44f69 |
| SHA1 | cf7856ea2c1dc4a9533f05769a56af4c6e7cc3de |
| SHA256 | ee786db08ed2fd3754f81edb0e7f34e490b12b079e9818c0e60c69f2a98356e8 |
| SHA512 | adcc0da544906daa48ab5de5114c640563fc10d39a47da9ce74e782797d0587c8b406bdca767798c8634e8bf4dfbbd24aca0a2286f35f37bda588f7d9f263ed4 |
memory/1960-146-0x0000000002230000-0x0000000002581000-memory.dmp
memory/1960-138-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/2360-150-0x000000013F1D0000-0x000000013F521000-memory.dmp
memory/2016-154-0x000000013F4B0000-0x000000013F801000-memory.dmp
memory/1068-159-0x000000013F650000-0x000000013F9A1000-memory.dmp
memory/840-160-0x000000013F930000-0x000000013FC81000-memory.dmp
memory/1960-161-0x000000013F9A0000-0x000000013FCF1000-memory.dmp
memory/1804-157-0x000000013FE70000-0x00000001401C1000-memory.dmp
memory/1872-155-0x000000013FCB0000-0x0000000140001000-memory.dmp
memory/1700-158-0x000000013FE40000-0x0000000140191000-memory.dmp
memory/2868-156-0x000000013F2D0000-0x000000013F621000-memory.dmp
memory/1960-162-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/1960-166-0x000000013FE10000-0x0000000140161000-memory.dmp
memory/2412-208-0x000000013F8D0000-0x000000013FC21000-memory.dmp
memory/2536-210-0x000000013FDF0000-0x0000000140141000-memory.dmp
memory/1732-212-0x000000013FDC0000-0x0000000140111000-memory.dmp
memory/2772-218-0x000000013F210000-0x000000013F561000-memory.dmp
memory/1652-216-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/2276-214-0x000000013FBE0000-0x000000013FF31000-memory.dmp
memory/2776-223-0x000000013FFB0000-0x0000000140301000-memory.dmp
memory/1720-225-0x000000013F920000-0x000000013FC71000-memory.dmp
memory/1992-227-0x000000013F9C0000-0x000000013FD11000-memory.dmp
memory/1952-229-0x000000013F450000-0x000000013F7A1000-memory.dmp
memory/2360-231-0x000000013F1D0000-0x000000013F521000-memory.dmp
memory/2244-235-0x000000013F9A0000-0x000000013FCF1000-memory.dmp
memory/1492-241-0x000000013FE10000-0x0000000140161000-memory.dmp
memory/2880-243-0x000000013F610000-0x000000013F961000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-14 20:24
Reported
2024-08-14 20:26
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches recorded (no description, indicator, process or target captured)
Cobaltstrike
xmrig
XMRig Miner payload
45 matches recorded (no description, indicator, process or target captured)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\FdtGwfN.exe | N/A |
| N/A | N/A | C:\Windows\System\bQMREtZ.exe | N/A |
| N/A | N/A | C:\Windows\System\GbLyzll.exe | N/A |
| N/A | N/A | C:\Windows\System\VtuXKHv.exe | N/A |
| N/A | N/A | C:\Windows\System\nfWuHRl.exe | N/A |
| N/A | N/A | C:\Windows\System\WSeCZzP.exe | N/A |
| N/A | N/A | C:\Windows\System\ZeBOPFs.exe | N/A |
| N/A | N/A | C:\Windows\System\nrJTzil.exe | N/A |
| N/A | N/A | C:\Windows\System\GxGFjaH.exe | N/A |
| N/A | N/A | C:\Windows\System\JpALcsT.exe | N/A |
| N/A | N/A | C:\Windows\System\ygtYQOQ.exe | N/A |
| N/A | N/A | C:\Windows\System\JhAHcAP.exe | N/A |
| N/A | N/A | C:\Windows\System\WRmZbaT.exe | N/A |
| N/A | N/A | C:\Windows\System\GKddvzZ.exe | N/A |
| N/A | N/A | C:\Windows\System\WvkXGgc.exe | N/A |
| N/A | N/A | C:\Windows\System\TZBRGzv.exe | N/A |
| N/A | N/A | C:\Windows\System\YyzRhum.exe | N/A |
| N/A | N/A | C:\Windows\System\fSRWvdp.exe | N/A |
| N/A | N/A | C:\Windows\System\SGJcMcv.exe | N/A |
| N/A | N/A | C:\Windows\System\UrXEcnV.exe | N/A |
| N/A | N/A | C:\Windows\System\pcygDwh.exe | N/A |
UPX packed file
64 matches recorded (no description, indicator, process or target captured)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_67807eaa074dad5ed41faf8e2f7c9d92_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\FdtGwfN.exe
C:\Windows\System\FdtGwfN.exe
C:\Windows\System\bQMREtZ.exe
C:\Windows\System\bQMREtZ.exe
C:\Windows\System\GbLyzll.exe
C:\Windows\System\GbLyzll.exe
C:\Windows\System\VtuXKHv.exe
C:\Windows\System\VtuXKHv.exe
C:\Windows\System\nfWuHRl.exe
C:\Windows\System\nfWuHRl.exe
C:\Windows\System\WSeCZzP.exe
C:\Windows\System\WSeCZzP.exe
C:\Windows\System\ZeBOPFs.exe
C:\Windows\System\ZeBOPFs.exe
C:\Windows\System\nrJTzil.exe
C:\Windows\System\nrJTzil.exe
C:\Windows\System\GxGFjaH.exe
C:\Windows\System\GxGFjaH.exe
C:\Windows\System\JpALcsT.exe
C:\Windows\System\JpALcsT.exe
C:\Windows\System\ygtYQOQ.exe
C:\Windows\System\ygtYQOQ.exe
C:\Windows\System\JhAHcAP.exe
C:\Windows\System\JhAHcAP.exe
C:\Windows\System\WRmZbaT.exe
C:\Windows\System\WRmZbaT.exe
C:\Windows\System\GKddvzZ.exe
C:\Windows\System\GKddvzZ.exe
C:\Windows\System\WvkXGgc.exe
C:\Windows\System\WvkXGgc.exe
C:\Windows\System\TZBRGzv.exe
C:\Windows\System\TZBRGzv.exe
C:\Windows\System\YyzRhum.exe
C:\Windows\System\YyzRhum.exe
C:\Windows\System\fSRWvdp.exe
C:\Windows\System\fSRWvdp.exe
C:\Windows\System\SGJcMcv.exe
C:\Windows\System\SGJcMcv.exe
C:\Windows\System\UrXEcnV.exe
C:\Windows\System\UrXEcnV.exe
C:\Windows\System\pcygDwh.exe
C:\Windows\System\pcygDwh.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2412-0-0x00007FF714A70000-0x00007FF714DC1000-memory.dmp
memory/2412-1-0x000002178F440000-0x000002178F450000-memory.dmp
C:\Windows\System\FdtGwfN.exe
| MD5 | d217bd25cecdd00430873d3cd81d7c51 |
| SHA1 | 02301acfa2743e33631a2a9b84bb99aacc908de7 |
| SHA256 | 03fe2606f6fe0ecfbb44ebf961bbcb92da622d6e00efa52041a5cf6843b9664a |
| SHA512 | 13470e70cbb9c8a9450ada0b11b1394dba51a79652db38b2bef619c0a3e9b4777bff703f5aff8521a59ba6d08e2f345b03981f94e72459b09e52a27b22fbd968 |
C:\Windows\System\bQMREtZ.exe
| MD5 | 8bd006f34a52fb64a6e9ae5a6b9a26e3 |
| SHA1 | 3a6832d68696b38e2f577545a61cf513c7d03700 |
| SHA256 | ecf7624c83d0ec3ee7cf8a11db09c2524c5937d3ac07d1ee10e7fa7d907c5642 |
| SHA512 | e7eb5e4815f7ffabde268b5e34f9666f7cb18b12ef6aa455d3ce01f5fe572e6f1bbd702d4a9590f538797f2824da0c08733e3d7373f2fb5f0f601a4a71640f3e |
C:\Windows\System\GbLyzll.exe
| MD5 | 9e96192477bd78f3529dc8146bbb0b23 |
| SHA1 | 4c49622c0facf95b3574feaddc34fe2d9a7e9ade |
| SHA256 | 441d9f6ee367a1c2d457efeaab8deddc2f60b00e92706ebeb95f76d9707b56ca |
| SHA512 | 9a09842a04d676989a88f13f4a18197848caeef59b99fa2fca7cb7c609b5b250cf5131ffcfc03f52f1c40c7922a2d911b684e3112fce0bfcfbf91b38638c5ed6 |
C:\Windows\System\VtuXKHv.exe
| MD5 | e57dd81bcdf8b8a40966f854c1a2b78f |
| SHA1 | 0dd3ef15d5e82a0ec675213a637086c60b42d3e9 |
| SHA256 | 13b4506f9cf8ab6b661601caec6803fd60382b81e61468d8ef0b668277249563 |
| SHA512 | 4bad20683a0f7ff559b6e54d6de1c71c2ee9f30788bdb4d58f047a5cde5140f563aeec3682029d5fe842eab54ac8a1851fd554c9ae5c7db1f32395e2e8fccc27 |
C:\Windows\System\GxGFjaH.exe
| MD5 | 57368a36ace5384fdb8bac56d92d1dd7 |
| SHA1 | fc9675e8e880f7494689c111bc801694db9b8dda |
| SHA256 | 03ae9245de3fa0587d3d10abc60ec93c5b4eba29eb1abaf42730ca898ba07c76 |
| SHA512 | a538c404de3f67ca3fddc065cfc8b4243b6f2423c64c1bc0cf147d8f278e5ab99229097d26aed3d544d3cf4452c140b4f59c9603626d0b57805e83d03cebfc48 |
memory/1976-62-0x00007FF7FE670000-0x00007FF7FE9C1000-memory.dmp
memory/1284-72-0x00007FF65E2F0000-0x00007FF65E641000-memory.dmp
memory/2216-77-0x00007FF6F5E50000-0x00007FF6F61A1000-memory.dmp
C:\Windows\System\WRmZbaT.exe
| MD5 | e6f3dad1ccd0538fe2a5595227054720 |
| SHA1 | cc033aa7426010315a9f91d65067670acb9974ae |
| SHA256 | 67ab56bf0b9dd6f3d23e127434a3e6188d1799a9444c28e096eda8f13407bc2f |
| SHA512 | 358c173eeb6dce8c1c946cc6ebf10a8ee5a899727a81094a2f954b40dcbb4b5a9864df78d7bc1dc74a8a1f62503121cfa2f7de3ff021ecd68e34dbe32d4bafe6 |
C:\Windows\System\ygtYQOQ.exe
| MD5 | 6c67dfd3cc73fb8137a557d010eb7fa0 |
| SHA1 | 182d686845dee1887604e78b15d9aeb8b757f5ff |
| SHA256 | 0af2015ebd50a2dbf15845fb3051b018802b1307eb14e42a149f8da892ec2919 |
| SHA512 | 9c242b15f25bc7ca5636c2a4c9a2ade76de66041893e461231f0acc4e4fa6053a3873f3d94f042afca09ac83302107c925a1260d337d0cb27e783eb59e53b0ea |
C:\Windows\System\GKddvzZ.exe
| MD5 | d0a03fb4ffcd57500374638cba31a013 |
| SHA1 | e32a1c85763fc9423fc14d842487896875133ba9 |
| SHA256 | b0fd6a415d4c4b34e1613a2fc53b836d8d6b666e2b63047d25298ee858b26e34 |
| SHA512 | b17c99587fbb3a0436466f403b54fbb2763be28e9c19b45344257b4c2a6b8b3e36c6ed73e4a3a19f317d58bcd4489edf013c917ad24f73a9ce4977244ae9cff4 |
memory/1216-82-0x00007FF654DF0000-0x00007FF655141000-memory.dmp
memory/4104-79-0x00007FF7902A0000-0x00007FF7905F1000-memory.dmp
memory/3020-78-0x00007FF702EC0000-0x00007FF703211000-memory.dmp
memory/3480-76-0x00007FF78D190000-0x00007FF78D4E1000-memory.dmp
C:\Windows\System\JhAHcAP.exe
| MD5 | f030531ae355906bdb4a553b9ef07e10 |
| SHA1 | cb6ce122841b0128be73a06841d5f78825cb572c |
| SHA256 | f6a3cb7016045f232bf851da1094d759c3b0b07d82d93f52c8fbf108f1a4bc49 |
| SHA512 | cede4e5ba8263d2cbb23e87b75a3de5412f620c75f4bd879f91a55fee6282a2aa02f09ab068b92c31d862ba3a77a4f1955ef6796b56ebbadbef0179cd79d1b59 |
memory/4576-69-0x00007FF7E64E0000-0x00007FF7E6831000-memory.dmp
C:\Windows\System\JpALcsT.exe
| MD5 | 674df379d1c786e041241e45220e7404 |
| SHA1 | 815a3696b3515396888c45a834f23befe48a3a35 |
| SHA256 | eb1bda47105ff98060c762f1d328e76a769aedafcdca27568501a5b400d3ee8a |
| SHA512 | 3ce82a026b4d556bf4c0f51b3fe140c700c62daa997de2dd8caa8ae3facb18251bc269ea8d53a3e3a1c6f083adecc3f975a6fa13ac679ae72fc5eae1b8255076 |
C:\Windows\System\ZeBOPFs.exe
| MD5 | 113fa79f9281fc2ab08b80ed70c5ac6b |
| SHA1 | 2168676d761c43a7cebc318a20771b7141263b35 |
| SHA256 | 03f3d7b32c3f2d52922a440faf3d1a1df66da1b7e074a4c5497ab0e1d4bebe21 |
| SHA512 | 2563de55f582fad2e84f13dd6169f0ffff79956d839a908c7525f42f09055949fd685e8307c1eadd5e84e85ee1abb9da49dbe9b90a48a96b64ab8bdcfbbb9ced |
memory/5068-52-0x00007FF603930000-0x00007FF603C81000-memory.dmp
C:\Windows\System\nrJTzil.exe
| MD5 | c624326af697094d7f760c39ac8274cb |
| SHA1 | 92f52a7b5235c998ffb126182778767703f0e0ff |
| SHA256 | 96a8e05e317560b4379e283bbe332fa5f52791530cba868a43647431214cafa0 |
| SHA512 | 8e90aee4856b1dc70d96a34c4f997b13023de03338fd4c0946aab5f317a2f2e809b82ccf49fd448c78513b0e220ff14dc314a6c0b0879c092057c0ab38a7d19a |
memory/2392-43-0x00007FF7A8BD0000-0x00007FF7A8F21000-memory.dmp
C:\Windows\System\nfWuHRl.exe
| MD5 | bed7add3bb8f1f8bd3e389867e1712d0 |
| SHA1 | 42e58d6cf1c669ab6e72ce045d6053bd5be09524 |
| SHA256 | 78e1109e5b1b43db07d4b7fe13b5cdd69989dbe0bcdf1cbaf7052d22bdf018ef |
| SHA512 | 301f9a45ed7539db58065b3ffcd5e7894bb8b0caeb842bbc7833323121a8cc6df4dfbbe0691757126c111c0e411b8067ab662753267750ce73961b8f89974599 |
memory/1156-36-0x00007FF63A8A0000-0x00007FF63ABF1000-memory.dmp
C:\Windows\System\WSeCZzP.exe
| MD5 | d82d788a49a129380ca193c5f9deea99 |
| SHA1 | f97a235017ec1b02aa728f16cef6c9afab460867 |
| SHA256 | 772e90f0390cdb0a3d8e7c538d6bf9478ce5346d452090f37dee7d6eef5610df |
| SHA512 | 08d637cb16410b434535419d9840e247b2ab3b5fa5d59191cbe0d2b768522ca2905c8b39345aac7e46718ea8db6039f3085c083d7b7bc2a46184168a6bf4431d |
memory/4336-23-0x00007FF793A90000-0x00007FF793DE1000-memory.dmp
memory/2304-22-0x00007FF6ED150000-0x00007FF6ED4A1000-memory.dmp
memory/3132-10-0x00007FF65E990000-0x00007FF65ECE1000-memory.dmp
memory/4164-93-0x00007FF6180F0000-0x00007FF618441000-memory.dmp
C:\Windows\System\fSRWvdp.exe
| MD5 | 9572db163dff17493799d8f449a49e03 |
| SHA1 | 274f70d589c5a4fc23182ff37a74c079d4273a04 |
| SHA256 | f5826940c7d677fa3821a3a94e6617ebb7999cb705ed15feada6093b8480d97a |
| SHA512 | 483944c0839ded02015ddff5b6a16cdd51ce2fb9403e4963a11b6402392b143740bf9fb93816e3562146e26086f65296a85c54d7105e319f9e3038e6f42a93cb |
C:\Windows\System\pcygDwh.exe
| MD5 | ee6d9cebe33a40c03b1079ed9ae44f69 |
| SHA1 | cf7856ea2c1dc4a9533f05769a56af4c6e7cc3de |
| SHA256 | ee786db08ed2fd3754f81edb0e7f34e490b12b079e9818c0e60c69f2a98356e8 |
| SHA512 | adcc0da544906daa48ab5de5114c640563fc10d39a47da9ce74e782797d0587c8b406bdca767798c8634e8bf4dfbbd24aca0a2286f35f37bda588f7d9f263ed4 |
C:\Windows\System\SGJcMcv.exe
| MD5 | 66e46ced46e867f7d7258369d03b2866 |
| SHA1 | 646e0e6ed0509b1d255a7e1ae69556cd59a2aba8 |
| SHA256 | 73c7b2834b88d3d6e21d2550d612cdd1748e030acd514de0dff4d23582857696 |
| SHA512 | 840ca9c2106772d35106b544f97c0298cb6fb8ae27fac1b80a1c6a87e8fe36fae1aac64ff253c7ab5a55d1fd63136adeaa35a9919bbfab0562ea171b13b75fe0 |
memory/4380-122-0x00007FF6D7F40000-0x00007FF6D8291000-memory.dmp
C:\Windows\System\UrXEcnV.exe
| MD5 | e09930f923e056cf033b05f6131a4d0e |
| SHA1 | d692890657e4fc7e0c498d833605d37a13cb7c58 |
| SHA256 | 13c51309551a77d0d25c51f5d3bd2c8e45d6bd437ac266dc438aa60a819508a8 |
| SHA512 | e2178e7289f9dde5c80f438bda636585498d53a8888756c3575df67d737d2a116e5fe4988707ce484dd2398400cda2e978e4f96ae40fac198a19542159631717 |
memory/3900-126-0x00007FF736430000-0x00007FF736781000-memory.dmp
memory/2412-125-0x00007FF714A70000-0x00007FF714DC1000-memory.dmp
memory/4596-118-0x00007FF790E50000-0x00007FF7911A1000-memory.dmp
memory/2896-115-0x00007FF6B55D0000-0x00007FF6B5921000-memory.dmp
C:\Windows\System\YyzRhum.exe
| MD5 | a9eb452dc67cd09208369361836294f4 |
| SHA1 | f53f86e71414a034c2b4cbf257c23b4e9f7dde40 |
| SHA256 | 9bd9435dbbec44e655fe3381edc5f813c155f3f516054ee2b6d708c7ca79c925 |
| SHA512 | 2be2e004d6f0662614c06438c2b968f4f4ee9b7db35b24fb096e33007a52c35f60de1ccb22a53c411a432aaee85d2bade9d6b24ffbbd515d2c22224ef171bbc0 |
C:\Windows\System\TZBRGzv.exe
| MD5 | a806ba44a81afe00149025eec8c50c54 |
| SHA1 | 85dabd7313e65875a8a19d51cf9cda67a53ec482 |
| SHA256 | e3552329c683ef3a02edc490ee849fc88f0ad5ac7c602257fb333087033d6438 |
| SHA512 | bbf649ff899808211aa06709b79f33949eb86420e47ecfec2bdec38c2b6620af772e91b9b44d58dc219cba136d5dcab59b08f43727bef409b5e1f532c5bad5b4 |
memory/3960-101-0x00007FF6235D0000-0x00007FF623921000-memory.dmp
memory/4356-97-0x00007FF71CEA0000-0x00007FF71D1F1000-memory.dmp
C:\Windows\System\WvkXGgc.exe
| MD5 | 73afb241c5bf3b4771bca486a560fa7c |
| SHA1 | dcd956ad69c9a53511ce52eb5b7b2c754f36dc54 |
| SHA256 | 28160097bc079944f99ffa3d49f8abecca6ddea7052e2cbb021b47769e2cd28b |
| SHA512 | e8150e78d16f42dccd5d27ec7bbcb11accc85e4a34f8a0a59a77df458b92a4df54dd57a4e21869a502eb77dbbc6e1a18e87a900ee8bf4d96142a2d8e3b10f610 |
memory/2412-129-0x00007FF714A70000-0x00007FF714DC1000-memory.dmp
memory/4336-133-0x00007FF793A90000-0x00007FF793DE1000-memory.dmp
memory/5068-136-0x00007FF603930000-0x00007FF603C81000-memory.dmp
memory/4164-144-0x00007FF6180F0000-0x00007FF618441000-memory.dmp
memory/1216-143-0x00007FF654DF0000-0x00007FF655141000-memory.dmp
memory/4104-142-0x00007FF7902A0000-0x00007FF7905F1000-memory.dmp
memory/1284-141-0x00007FF65E2F0000-0x00007FF65E641000-memory.dmp
memory/3020-140-0x00007FF702EC0000-0x00007FF703211000-memory.dmp
memory/4576-139-0x00007FF7E64E0000-0x00007FF7E6831000-memory.dmp
memory/2392-134-0x00007FF7A8BD0000-0x00007FF7A8F21000-memory.dmp
memory/3132-130-0x00007FF65E990000-0x00007FF65ECE1000-memory.dmp
memory/1976-137-0x00007FF7FE670000-0x00007FF7FE9C1000-memory.dmp
memory/2896-147-0x00007FF6B55D0000-0x00007FF6B5921000-memory.dmp
memory/4596-149-0x00007FF790E50000-0x00007FF7911A1000-memory.dmp
memory/3960-146-0x00007FF6235D0000-0x00007FF623921000-memory.dmp
memory/4380-150-0x00007FF6D7F40000-0x00007FF6D8291000-memory.dmp
memory/4356-145-0x00007FF71CEA0000-0x00007FF71D1F1000-memory.dmp
memory/2412-151-0x00007FF714A70000-0x00007FF714DC1000-memory.dmp
memory/3132-196-0x00007FF65E990000-0x00007FF65ECE1000-memory.dmp
memory/2304-198-0x00007FF6ED150000-0x00007FF6ED4A1000-memory.dmp
memory/1156-214-0x00007FF63A8A0000-0x00007FF63ABF1000-memory.dmp
memory/3480-216-0x00007FF78D190000-0x00007FF78D4E1000-memory.dmp
memory/4336-218-0x00007FF793A90000-0x00007FF793DE1000-memory.dmp
memory/2392-220-0x00007FF7A8BD0000-0x00007FF7A8F21000-memory.dmp
memory/2216-222-0x00007FF6F5E50000-0x00007FF6F61A1000-memory.dmp
memory/1976-223-0x00007FF7FE670000-0x00007FF7FE9C1000-memory.dmp
memory/4576-227-0x00007FF7E64E0000-0x00007FF7E6831000-memory.dmp
memory/5068-226-0x00007FF603930000-0x00007FF603C81000-memory.dmp
memory/1284-230-0x00007FF65E2F0000-0x00007FF65E641000-memory.dmp
memory/3020-231-0x00007FF702EC0000-0x00007FF703211000-memory.dmp
memory/4104-235-0x00007FF7902A0000-0x00007FF7905F1000-memory.dmp
memory/1216-234-0x00007FF654DF0000-0x00007FF655141000-memory.dmp
memory/4164-237-0x00007FF6180F0000-0x00007FF618441000-memory.dmp
memory/4356-239-0x00007FF71CEA0000-0x00007FF71D1F1000-memory.dmp
memory/3900-244-0x00007FF736430000-0x00007FF736781000-memory.dmp
memory/3960-245-0x00007FF6235D0000-0x00007FF623921000-memory.dmp
memory/4380-247-0x00007FF6D7F40000-0x00007FF6D8291000-memory.dmp
memory/2896-242-0x00007FF6B55D0000-0x00007FF6B5921000-memory.dmp
memory/4596-249-0x00007FF790E50000-0x00007FF7911A1000-memory.dmp