Analysis Overview
SHA256
0e4bfc4715567ed5f082eba2d08ab3fef55946a65ceedcba44e2b762f800a555
Threat Level: Known bad
The file 2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
xmrig
Cobalt Strike reflective loader
Cobaltstrike family
Cobaltstrike
XMRig Miner payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-14 20:45
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-14 20:45
Reported
2024-08-14 20:48
Platform
win7-20240704-en
Max time kernel
147s
Max time network
153s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\YFwMItj.exe | N/A |
| N/A | N/A | C:\Windows\System\xLObocD.exe | N/A |
| N/A | N/A | C:\Windows\System\cGBbvEm.exe | N/A |
| N/A | N/A | C:\Windows\System\ZpFAhBE.exe | N/A |
| N/A | N/A | C:\Windows\System\hOoyxtV.exe | N/A |
| N/A | N/A | C:\Windows\System\opbepcf.exe | N/A |
| N/A | N/A | C:\Windows\System\TJFTIPD.exe | N/A |
| N/A | N/A | C:\Windows\System\AuvyMxo.exe | N/A |
| N/A | N/A | C:\Windows\System\AWzAtie.exe | N/A |
| N/A | N/A | C:\Windows\System\shTDOsi.exe | N/A |
| N/A | N/A | C:\Windows\System\ctpUobm.exe | N/A |
| N/A | N/A | C:\Windows\System\YbxdqeY.exe | N/A |
| N/A | N/A | C:\Windows\System\ZHpOqZa.exe | N/A |
| N/A | N/A | C:\Windows\System\uBeGcjs.exe | N/A |
| N/A | N/A | C:\Windows\System\OUwbKFI.exe | N/A |
| N/A | N/A | C:\Windows\System\bqSYpHN.exe | N/A |
| N/A | N/A | C:\Windows\System\VWtVCzw.exe | N/A |
| N/A | N/A | C:\Windows\System\FoSNCJL.exe | N/A |
| N/A | N/A | C:\Windows\System\jeEHWPL.exe | N/A |
| N/A | N/A | C:\Windows\System\pHyBWcw.exe | N/A |
| N/A | N/A | C:\Windows\System\FGpSMgE.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\YFwMItj.exe
C:\Windows\System\xLObocD.exe
C:\Windows\System\cGBbvEm.exe
C:\Windows\System\ZpFAhBE.exe
C:\Windows\System\hOoyxtV.exe
C:\Windows\System\opbepcf.exe
C:\Windows\System\TJFTIPD.exe
C:\Windows\System\AuvyMxo.exe
C:\Windows\System\AWzAtie.exe
C:\Windows\System\ctpUobm.exe
C:\Windows\System\shTDOsi.exe
C:\Windows\System\YbxdqeY.exe
C:\Windows\System\ZHpOqZa.exe
C:\Windows\System\uBeGcjs.exe
C:\Windows\System\OUwbKFI.exe
C:\Windows\System\VWtVCzw.exe
C:\Windows\System\bqSYpHN.exe
C:\Windows\System\FoSNCJL.exe
C:\Windows\System\jeEHWPL.exe
C:\Windows\System\pHyBWcw.exe
C:\Windows\System\FGpSMgE.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-14 20:45
Reported
2024-08-14 20:47
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
153s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\LYEityV.exe | N/A |
| N/A | N/A | C:\Windows\System\bboLYzn.exe | N/A |
| N/A | N/A | C:\Windows\System\IngznGR.exe | N/A |
| N/A | N/A | C:\Windows\System\IhiCCuC.exe | N/A |
| N/A | N/A | C:\Windows\System\VCAaQfi.exe | N/A |
| N/A | N/A | C:\Windows\System\WnJTdxi.exe | N/A |
| N/A | N/A | C:\Windows\System\ghYmvUi.exe | N/A |
| N/A | N/A | C:\Windows\System\eCuGQYy.exe | N/A |
| N/A | N/A | C:\Windows\System\ApYjUye.exe | N/A |
| N/A | N/A | C:\Windows\System\QbgeEKa.exe | N/A |
| N/A | N/A | C:\Windows\System\zWvYGcC.exe | N/A |
| N/A | N/A | C:\Windows\System\hiOYCNi.exe | N/A |
| N/A | N/A | C:\Windows\System\HhVLGDW.exe | N/A |
| N/A | N/A | C:\Windows\System\tQAoEPe.exe | N/A |
| N/A | N/A | C:\Windows\System\aMFtNHl.exe | N/A |
| N/A | N/A | C:\Windows\System\MgfYyas.exe | N/A |
| N/A | N/A | C:\Windows\System\dQvFRVB.exe | N/A |
| N/A | N/A | C:\Windows\System\ICPGNWh.exe | N/A |
| N/A | N/A | C:\Windows\System\iQMRskm.exe | N/A |
| N/A | N/A | C:\Windows\System\hJTlsil.exe | N/A |
| N/A | N/A | C:\Windows\System\LgJupxZ.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_0f09c7663802adc13f9cf54df52f970e_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\LYEityV.exe
C:\Windows\System\bboLYzn.exe
C:\Windows\System\IngznGR.exe
C:\Windows\System\IhiCCuC.exe
C:\Windows\System\VCAaQfi.exe
C:\Windows\System\WnJTdxi.exe
C:\Windows\System\ghYmvUi.exe
C:\Windows\System\eCuGQYy.exe
C:\Windows\System\ApYjUye.exe
C:\Windows\System\QbgeEKa.exe
C:\Windows\System\zWvYGcC.exe
C:\Windows\System\hiOYCNi.exe
C:\Windows\System\HhVLGDW.exe
C:\Windows\System\tQAoEPe.exe
C:\Windows\System\aMFtNHl.exe
C:\Windows\System\dQvFRVB.exe
C:\Windows\System\MgfYyas.exe
C:\Windows\System\ICPGNWh.exe
C:\Windows\System\iQMRskm.exe
C:\Windows\System\hJTlsil.exe
C:\Windows\System\LgJupxZ.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2540-0-0x00007FF7472C0000-0x00007FF747611000-memory.dmp
memory/2540-1-0x000001809F210000-0x000001809F220000-memory.dmp
C:\Windows\System\LYEityV.exe
| MD5 | 89f01b45414451d9dab8d94979cdcf00 |
| SHA1 | fd3fe3025fe9470ecaba91fd783fab7c176e55f4 |
| SHA256 | 4c85d4f2fbbf4fca0ea1133577970e23a9efb99d8ec4c1ddb8c29503f365e4ee |
| SHA512 | 3b2c0f6e882e8983d4c480dcc714b05912ec6af1570e03b2d48c25ddee7910cc53967b6d9775edf098215c606dcdfbf5cde13d20a79744da6e88622cae1a375c |
memory/3232-10-0x00007FF7631C0000-0x00007FF763511000-memory.dmp
C:\Windows\System\bboLYzn.exe
| MD5 | 9dd400d46b744b3f088cf9babdfc1367 |
| SHA1 | 398601fbe9f3993c3010d6222e61b3ff518f32ab |
| SHA256 | db6ec1021ab7c7626ec2d5ca82f4b464cdafc01d5f6aa8bc6c6009cd219b550a |
| SHA512 | 137a90a3ae6d713799b92b883e45691d18081e8e94941fe25e1a8c4bb4159ba9be2f55bfca363785233d944d54ff22348a42d859ae5d505c269e9f38292b233f |
C:\Windows\System\IngznGR.exe
| MD5 | a62590cda3e9f13dfd3489c9de98e9d4 |
| SHA1 | 0e39ff6654683c5954e1f7253624686fb2485882 |
| SHA256 | 9ee1134b060aed0d7a1308a453c7e13ae4b4341ac17761aab2f1070f42639789 |
| SHA512 | 051e1a0e9bcf3378605a0aae045ed49c657651af05a0eb31155ba5ad2421c2bf4986e92f2346367c3ffbc4e62680ac7ca04f3c9a128a34bb225020d4e32dd7a3 |
C:\Windows\System\IhiCCuC.exe
| MD5 | bc428a494ae2e030fec480ef17ce36cf |
| SHA1 | d9ba30e5ded45fb221d0b63acd3d95fdd65ca788 |
| SHA256 | c25b9b248a458ab8978773e8dfd27c4ac51463a2b542bd4f73c6c0625b4bc239 |
| SHA512 | ae345e98931c4893ab5a3eb591c8898072e1c7aeca3704bf69bfec98e8d171c20d9cb8758b2c1f0b3f63dbfe101d60a8269386d767e7ae6d24312a16239b648d |
C:\Windows\System\WnJTdxi.exe
| MD5 | c09183c3542cdb94632c6254685959df |
| SHA1 | 25d441c4e1e628bd53692f40facc7900d01ac45d |
| SHA256 | 6c47cd281bf3f9fd51b9292cbdfb2fa28498f413329dba654a7a103c8b71a64e |
| SHA512 | 6c71c475d81350c5d71ecd3bd5de5b0c0933f6894b63f6a8acb6419a61a1dbda3e8e35e54957d0af1514def1dc71df764bd323f8dc86ef5b1ff7ba44810b78c9 |
C:\Windows\System\VCAaQfi.exe
| MD5 | 6c3c5ce0f140df0b50f3f7da306d5849 |
| SHA1 | cbf530c73e37295993d37218b96c8393210f11df |
| SHA256 | 1f96da46ae16453d0059aa0f08b3600cbef4f82f258ad16e35ae140573a296d7 |
| SHA512 | 8b33ba9095b55ffd7b605c2f1810fa1f99c051c510ba131fa817fc2f26788315d784f4e3c86d0ba62fa98848b7ce40d5691a12fba6da16a7acccc32a563a76f5 |
C:\Windows\System\eCuGQYy.exe
| MD5 | 0c5c9a91bc929bea6a30c713dc2778a2 |
| SHA1 | da3b38a05a943a4592bdca887028b4a2ffaafafd |
| SHA256 | ec01e2ad6cec1b050295153a69c6c88caf167c350479ec3e5f2daa28ac16c0f8 |
| SHA512 | c227ed74c2cd0eab04f7f64cc927c7b2ec544cfe119c4b1730f490ca9ad7a7464cdfe3d5635fdf707e664f147f2e326e9f5627f9f547a2092c8543685d183d3a |
C:\Windows\System\HhVLGDW.exe
| MD5 | f278f5aefb2f0dd250fb35199bcde0de |
| SHA1 | 02be003b0e74172afaca19d513bb1d3c1adb5eb2 |
| SHA256 | 065f2a39687267a5200a29097d09d912d48eaa317076415786b46bb9d858be0d |
| SHA512 | d46e25ba7e04cab2d259307d86955f1ad76b9f7c487faca691691b484b6bba952dc4122ff08526b0006de7d10ab3e0bcdc0e0fe5604daaad7502d028802f9d98 |
memory/716-72-0x00007FF6C47B0000-0x00007FF6C4B01000-memory.dmp
C:\Windows\System\aMFtNHl.exe
| MD5 | 6a2e528920c1d67bda4a2d9b1b981e95 |
| SHA1 | 7d10f38cbc8975d7ec2af39dd0b3a987d4035013 |
| SHA256 | 122ce65d0f40885a7137b10d5236109129d0c0f634d5682924406b329df1a729 |
| SHA512 | 55007d11fee96ab547f51126908c0369d20fa6426f3b7d4a6e46fe085e24007156738e015e61f380b0b8dc0ec3f57362b45933a7116905ff52f4905429ee7986 |
C:\Windows\System\hJTlsil.exe
| MD5 | f012794eb5cffffab74a51cb6fe51987 |
| SHA1 | 03e0a97f8790638bf069506125c675f9ff9f089c |
| SHA256 | 75a35c58dc6b6b45657ee7db924bc954d74d6b1ddff26139e27bca3bc37739b2 |
| SHA512 | 0929ef0e8386e6ec2f44bb347a44780c4a9233a65adbfac3057abbb53c3519a7329a061a0a6d99e668646c1c54d1ff175ae78c27b9c55a190e05696363452a9f |
memory/3060-114-0x00007FF72C800000-0x00007FF72CB51000-memory.dmp
memory/2868-118-0x00007FF75A140000-0x00007FF75A491000-memory.dmp
memory/3144-120-0x00007FF7B2C20000-0x00007FF7B2F71000-memory.dmp
C:\Windows\System\LgJupxZ.exe
| MD5 | 38aa7ffe01f18f6a8ac28800f9f6ddbc |
| SHA1 | 2fa1e3aabc4d2295eaeae94215c5ae1d0079b3e8 |
| SHA256 | 681c20aaf045966e8719ee9ae1125ab6387a177a9d20999babb3f80956eba99b |
| SHA512 | 67543ab5c52b3feacbbd73a0ccb97a4b227ea4afa94454fe7ed393ed8023c966ae5a32394e76310b0e14af3c1f69dfa3038a183db481869ecfba98e1dcc94180 |
C:\Windows\System\iQMRskm.exe
| MD5 | f4e343a50882c703506b3a8ebf1063b5 |
| SHA1 | 784e78d8451bd3e0b631f18eb7ca12f83ded0fca |
| SHA256 | c654bb8de9ae7e5e7f37285d4208f139bfab8ad2ab240348ebf1f0af5119aff5 |
| SHA512 | 016e10f7c6fba5db66fa2109b415801318645b250d97d1342161f38158d652e4c2486aa87e82a49c4e6d8c7db995f96b80a947309039acd9c7fbac9ebb02384e |
C:\Windows\System\ICPGNWh.exe
| MD5 | 71478876380e393c2195225850194dec |
| SHA1 | 6da34a2e2e544cc6ebbb482b1cea50c2526e7fc3 |
| SHA256 | 78277ed3547be8cbede4314bb5addd8e1eb6b39452e3a129ff5ae9795331d210 |
| SHA512 | ab755cf247a9262aa1611e7cf4af1ee3f8018d331ba3d2f98badbb7ac084bb36adecaa281b0d33b09418f6b3709e4b39bc57c5ffc8e5743bd18d88212bf7f1dc |
C:\Windows\System\dQvFRVB.exe
| MD5 | a71b965d2464f8fedc4bfd6bdf7427e7 |
| SHA1 | 56d1a150eccc0168742635f5fd3075e11374a418 |
| SHA256 | fc0c400c05799c0ccf69e863645e974e860577cbc80463c3c985a9da62988045 |
| SHA512 | 3364827d5a3f99988a72c0f1c98777bb9aa4c727e0faed8a122739c387bb1ee891db170b303b78befab643d186d8aa3ddb835ecb76541c775f8a15e8c94e65c5 |
C:\Windows\System\MgfYyas.exe
| MD5 | 5b6cf50700a85741cb6b47bd53f3be62 |
| SHA1 | 0b888b76a568801fc7f5f0c65105f733eda50681 |
| SHA256 | 73ed8377273bd9d50e724d630c03fd3abfaa8016b258cb00584b02d356f48467 |
| SHA512 | 931ffc2f8395965b1b948b8563b9cec9fac67ca5d122eff03be0a937338577cfb15bfc59fe4b3e536095484a87d32e46af6b09a9af1361d42f955ae46e8a7f76 |
C:\Windows\System\tQAoEPe.exe
| MD5 | f688f3f515167b990b77993d21b95d27 |
| SHA1 | f4c22db2821bd0a629090264fec28c2583db80cc |
| SHA256 | 99c2f1182ef58a3eaa1e9d8ddbe3382a5f6d923e2f30ba2460386f4bffb6cb6c |
| SHA512 | 449b0568ad55ecfa578078cc62c3f9a4842dfc5e62bb4a17c065e06d41d0a506f457b48d1857cd3802717b9d51a00853052a2b39ddbc4ac11970d1649397f2c2 |
C:\Windows\System\hiOYCNi.exe
| MD5 | 1c9108cdeb84a9fd5bc4e06497b4986f |
| SHA1 | 7a61c8562f6ed89974973ffcf3bb6dff5f9cc936 |
| SHA256 | 087f0761260f2edb85106e7bcabe8ee12805e5440b7f02cb20825c03d1a273fb |
| SHA512 | 8f1b5e9861999d4ece057231b6f33623e427a8a932091f7da8b66898d0654b110b7ea1eb18310bd86a5301cc1f1a6fc68025374dc81d06d29525459674d8b0aa |
C:\Windows\System\QbgeEKa.exe
| MD5 | 838fec81dc8bf3a480a42dc9530a2635 |
| SHA1 | c009f6ff5a5779dd1d44b4d3f72dbffe03b77314 |
| SHA256 | 1e027cf2ac321c03b57a4b080a38c3697eda65031beb4a18301820cf6187563e |
| SHA512 | 49adb8b989e46316b6b18076a64dc8f9dcdff3be43ecea5281fd39a2086b8cbaba940f9fcfa30d10dfd8ea2cdd0b973789543c24478dbb6fa35723f71d5ddff3 |
C:\Windows\System\zWvYGcC.exe
| MD5 | 1bb2fc86d4a0a565f7109bf66f213509 |
| SHA1 | 74fdfe3f61772eceeef3c4b038136cddcf042d55 |
| SHA256 | 6168e84517668818583f46c14dc6d2a479ca3469e5a258ece3b4f8b1023be247 |
| SHA512 | cf1952dd72d76058b00d8c36fadb97b085baa0facca79de4ef96b22be0a5096483d78f06ff13e26f93dbf77485e642205e5d939674e58138beca13fd239a2697 |
C:\Windows\System\ApYjUye.exe
| MD5 | 3b35bb0d6e56405edc58288a61dbc572 |
| SHA1 | 29cd625b7929480b0960aaa2d24e20394bd01680 |
| SHA256 | 7bd71063a1fffb3698789f1bfa1b72158023e0920187656d379bb9055c8a5100 |
| SHA512 | 6af0e5789598476ead2ac4763842b516100fc6f7fa33a2e00144020ce683dd2353c53f43de6a031931ecaf28cf501dcf81c8cb8a8c2a9fa0ba651fdc03532aac |
C:\Windows\System\ghYmvUi.exe
| MD5 | 9bb7308b0369216a0c7aba34f789b709 |
| SHA1 | 246081f979b265cf856ee46dc57f79d50bba94da |
| SHA256 | e54cfc478cfd31c2c0a5b28fe311da187595caad3b5ddd1bcb9093a55868cfd0 |
| SHA512 | 95c08823d90c23fc62c2b39603897d43cbc27d0c646dd367581f9d3dc93ab41dc2ea79c8c1a1cc5515060c1f147b5535bd6e8d72bb76f5a0b8ee2fa02bf3d0ea |