Analysis Overview
SHA256
82c38c205750229efeabc721f140d7431d9a30f6ec32ab849229e62b1a7fb563
Threat Level: Known bad
The file 2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
xmrig
Cobaltstrike
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-08-14 21:03
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-14 21:03
Reported
2024-08-14 21:05
Platform
win7-20240704-en
Max time kernel
145s
Max time network
153s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\wugqpND.exe | N/A |
| N/A | N/A | C:\Windows\System\IUsjwKQ.exe | N/A |
| N/A | N/A | C:\Windows\System\LSlLMmD.exe | N/A |
| N/A | N/A | C:\Windows\System\iHdIzRv.exe | N/A |
| N/A | N/A | C:\Windows\System\qPSFium.exe | N/A |
| N/A | N/A | C:\Windows\System\nCAgQJT.exe | N/A |
| N/A | N/A | C:\Windows\System\jdIQbOG.exe | N/A |
| N/A | N/A | C:\Windows\System\TBvLJIR.exe | N/A |
| N/A | N/A | C:\Windows\System\PWeNykw.exe | N/A |
| N/A | N/A | C:\Windows\System\pQUfErl.exe | N/A |
| N/A | N/A | C:\Windows\System\eRNPxMg.exe | N/A |
| N/A | N/A | C:\Windows\System\dGYLBgE.exe | N/A |
| N/A | N/A | C:\Windows\System\EXHddcI.exe | N/A |
| N/A | N/A | C:\Windows\System\HWNtEhQ.exe | N/A |
| N/A | N/A | C:\Windows\System\YWCSlMd.exe | N/A |
| N/A | N/A | C:\Windows\System\obSuNTF.exe | N/A |
| N/A | N/A | C:\Windows\System\ksSsAhb.exe | N/A |
| N/A | N/A | C:\Windows\System\CFwvHdW.exe | N/A |
| N/A | N/A | C:\Windows\System\KJcCvkT.exe | N/A |
| N/A | N/A | C:\Windows\System\xalrQRq.exe | N/A |
| N/A | N/A | C:\Windows\System\vhIKDYr.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\wugqpND.exe
C:\Windows\System\IUsjwKQ.exe
C:\Windows\System\LSlLMmD.exe
C:\Windows\System\iHdIzRv.exe
C:\Windows\System\qPSFium.exe
C:\Windows\System\nCAgQJT.exe
C:\Windows\System\jdIQbOG.exe
C:\Windows\System\TBvLJIR.exe
C:\Windows\System\PWeNykw.exe
C:\Windows\System\pQUfErl.exe
C:\Windows\System\eRNPxMg.exe
C:\Windows\System\dGYLBgE.exe
C:\Windows\System\EXHddcI.exe
C:\Windows\System\YWCSlMd.exe
C:\Windows\System\HWNtEhQ.exe
C:\Windows\System\obSuNTF.exe
C:\Windows\System\ksSsAhb.exe
C:\Windows\System\CFwvHdW.exe
C:\Windows\System\KJcCvkT.exe
C:\Windows\System\xalrQRq.exe
C:\Windows\System\vhIKDYr.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-14 21:03
Reported
2024-08-14 21:05
Platform
win10v2004-20240802-en
Max time kernel
145s
Max time network
147s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\mwQBlli.exe | N/A |
| N/A | N/A | C:\Windows\System\HLLbpQx.exe | N/A |
| N/A | N/A | C:\Windows\System\TzrWMHt.exe | N/A |
| N/A | N/A | C:\Windows\System\szkVpee.exe | N/A |
| N/A | N/A | C:\Windows\System\uejUWFu.exe | N/A |
| N/A | N/A | C:\Windows\System\YKMRSVa.exe | N/A |
| N/A | N/A | C:\Windows\System\FmRUHBn.exe | N/A |
| N/A | N/A | C:\Windows\System\PXnPKtx.exe | N/A |
| N/A | N/A | C:\Windows\System\QZvLFSq.exe | N/A |
| N/A | N/A | C:\Windows\System\xgcGkfC.exe | N/A |
| N/A | N/A | C:\Windows\System\HZUBkjv.exe | N/A |
| N/A | N/A | C:\Windows\System\lglwBpx.exe | N/A |
| N/A | N/A | C:\Windows\System\lyCtNEr.exe | N/A |
| N/A | N/A | C:\Windows\System\rymeSXV.exe | N/A |
| N/A | N/A | C:\Windows\System\KuHIDxc.exe | N/A |
| N/A | N/A | C:\Windows\System\NsJakZE.exe | N/A |
| N/A | N/A | C:\Windows\System\uitjfVl.exe | N/A |
| N/A | N/A | C:\Windows\System\CQQobPF.exe | N/A |
| N/A | N/A | C:\Windows\System\CUbQPYM.exe | N/A |
| N/A | N/A | C:\Windows\System\LNoGiUj.exe | N/A |
| N/A | N/A | C:\Windows\System\NtlBozk.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_537bcd684bf14b9f43763d7339027e18_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\mwQBlli.exe
C:\Windows\System\HLLbpQx.exe
C:\Windows\System\TzrWMHt.exe
C:\Windows\System\szkVpee.exe
C:\Windows\System\uejUWFu.exe
C:\Windows\System\YKMRSVa.exe
C:\Windows\System\FmRUHBn.exe
C:\Windows\System\PXnPKtx.exe
C:\Windows\System\QZvLFSq.exe
C:\Windows\System\xgcGkfC.exe
C:\Windows\System\HZUBkjv.exe
C:\Windows\System\lglwBpx.exe
C:\Windows\System\lyCtNEr.exe
C:\Windows\System\rymeSXV.exe
C:\Windows\System\KuHIDxc.exe
C:\Windows\System\NsJakZE.exe
C:\Windows\System\uitjfVl.exe
C:\Windows\System\CQQobPF.exe
C:\Windows\System\CUbQPYM.exe
C:\Windows\System\LNoGiUj.exe
C:\Windows\System\NtlBozk.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
| SHA512 | 590e51662845c56f3d63217f4a6d661ea280f3b47d2aaf70a6f77649d4fc76b59cc16fc138c58531a2e529a244f3df1a7eca4cd5c2923f85089a0a68969fafa8 |
memory/4784-98-0x00007FF67A300000-0x00007FF67A651000-memory.dmp
memory/1180-100-0x00007FF69A660000-0x00007FF69A9B1000-memory.dmp
memory/3664-99-0x00007FF713200000-0x00007FF713551000-memory.dmp
C:\Windows\System\lyCtNEr.exe
| MD5 | d35a30609466876de9543b1a90d23626 |
| SHA1 | d254780ef546d5c4bb6e0040add335eed347f4f4 |
| SHA256 | 99ade9f1b3710a47fe2a662fb287bd4b922558c72e54fa1248a44538bc160509 |
| SHA512 | 58ba87a47cb4ff28543fef244bed837bdc731e913181d4eeac8fb747f65e6c67230a6e52ff67b0d0d77a955da25ae53f4204efe39d00933cea7489d21b06206b |
memory/800-82-0x00007FF6A0DF0000-0x00007FF6A1141000-memory.dmp
memory/4020-76-0x00007FF7CE2B0000-0x00007FF7CE601000-memory.dmp
memory/4340-70-0x00007FF6EC3C0000-0x00007FF6EC711000-memory.dmp
memory/1052-112-0x00007FF6A0760000-0x00007FF6A0AB1000-memory.dmp
C:\Windows\System\CUbQPYM.exe
| MD5 | 9c8dd8b3b712f366070dc5b74f325fba |
| SHA1 | d53ef0adbcd18e495c2ea4edb481e14811e8ddb1 |
| SHA256 | 3362a9da72722de43e4b190b0fc09619e2b86ad6a39277a2c28a9db38ef14a28 |
| SHA512 | 879cc9d3cb4e921fe595ed2ab416a15eaac53bc8d1ff090bf7ef01818d7320e3f8be5dc45196d981078807460bd40efcb6a62c682f8fc8495314fb65aa737d6c |
C:\Windows\System\LNoGiUj.exe
| MD5 | de5118013f0d7863309c9709ce5bb1f0 |
| SHA1 | 8371b78d8ea53d4c8a612c941907c4ac6c3fb83b |
| SHA256 | 21e252d5e32b8c3644b05d3ff61ef1dc7f30c9b282c6aa35748994103f8b6fca |
| SHA512 | 57d715613b8c9717150c102b879a1adb5f2a5ac1fc3b9a043abb9154b2239c7ef788787ee6e4a89e5cd3affdd7833b04b2279d63665fe5c05ee568327facfbae |
memory/1968-123-0x00007FF730AC0000-0x00007FF730E11000-memory.dmp
C:\Windows\System\CQQobPF.exe
| MD5 | b301bb4158fab377d259b776a2543b11 |
| SHA1 | 12788b2238c70b65048f7d4f9cb918b077d23e86 |
| SHA256 | 092fb1ee974765f83d389f949edd9be3dce3a8839661542756cd430cc28fff66 |
| SHA512 | fde3ea220333a2b5a02da33187f6654acb179e43c108913b4c9f0b52cb124c961b09cc7249420ab5ff2551d56771ea88b62e4801a2092e05c645f13258ba7098 |
memory/3484-113-0x00007FF635160000-0x00007FF6354B1000-memory.dmp
memory/5044-110-0x00007FF6D10C0000-0x00007FF6D1411000-memory.dmp
C:\Windows\System\uitjfVl.exe
| MD5 | 6b7b6492fd97a19da134d77e3e718452 |
| SHA1 | c7f7e4b16a0b76c2113be6997522d004989236e9 |
| SHA256 | 30692b303d0a2099a73ba16743a8cdcd9b2bce97e3bba91fbdbbad47f8dbd2e1 |
| SHA512 | f651c530576ddc0c0e191da85dc0a346b66e13dc73ce12a979e93f68f7bb5156691b31ae7f373d2dc7f78d97b75d06e462cfc129f01405e7e46c5c3051d1532d |
C:\Windows\System\NtlBozk.exe
| MD5 | d231a9fdce2229dae78b77715a77e171 |
| SHA1 | 8b786f15dcd1e4cdc10f9acb5bb6163fa7cc843d |
| SHA256 | d5008cf516da7da61826e89f0ca0c22081fa7ec46535e6e482ffa5cdc6ad5be8 |
| SHA512 | c74b0c2fb43f03aa57794a95b6d13b0dc7a85084944bc8cd8bceefbe87da7a0bd5d267b9dd454fb5d6977fbe72ef29b16612ff220cc205f3c7c15ef08bd54b9d |
memory/1580-128-0x00007FF7CAC30000-0x00007FF7CAF81000-memory.dmp
memory/4916-131-0x00007FF6E7650000-0x00007FF6E79A1000-memory.dmp
memory/1020-133-0x00007FF68D2A0000-0x00007FF68D5F1000-memory.dmp
memory/3564-141-0x00007FF7B6ED0000-0x00007FF7B7221000-memory.dmp
memory/3472-134-0x00007FF789310000-0x00007FF789661000-memory.dmp
memory/800-148-0x00007FF6A0DF0000-0x00007FF6A1141000-memory.dmp
memory/1180-151-0x00007FF69A660000-0x00007FF69A9B1000-memory.dmp
memory/3484-153-0x00007FF635160000-0x00007FF6354B1000-memory.dmp
memory/1020-156-0x00007FF68D2A0000-0x00007FF68D5F1000-memory.dmp
memory/3472-157-0x00007FF789310000-0x00007FF789661000-memory.dmp
memory/396-202-0x00007FF799990000-0x00007FF799CE1000-memory.dmp
memory/4020-204-0x00007FF7CE2B0000-0x00007FF7CE601000-memory.dmp
memory/4828-206-0x00007FF6511E0000-0x00007FF651531000-memory.dmp
memory/1332-208-0x00007FF7FE500000-0x00007FF7FE851000-memory.dmp
memory/1796-210-0x00007FF7075E0000-0x00007FF707931000-memory.dmp
memory/5044-219-0x00007FF6D10C0000-0x00007FF6D1411000-memory.dmp
memory/3784-223-0x00007FF6B8EA0000-0x00007FF6B91F1000-memory.dmp
memory/3384-222-0x00007FF738310000-0x00007FF738661000-memory.dmp
memory/4916-225-0x00007FF6E7650000-0x00007FF6E79A1000-memory.dmp
memory/3564-227-0x00007FF7B6ED0000-0x00007FF7B7221000-memory.dmp
memory/4340-229-0x00007FF6EC3C0000-0x00007FF6EC711000-memory.dmp
memory/3428-231-0x00007FF609FA0000-0x00007FF60A2F1000-memory.dmp
memory/800-233-0x00007FF6A0DF0000-0x00007FF6A1141000-memory.dmp
memory/4784-235-0x00007FF67A300000-0x00007FF67A651000-memory.dmp
memory/3664-237-0x00007FF713200000-0x00007FF713551000-memory.dmp
memory/1180-241-0x00007FF69A660000-0x00007FF69A9B1000-memory.dmp
memory/1052-243-0x00007FF6A0760000-0x00007FF6A0AB1000-memory.dmp
memory/3484-249-0x00007FF635160000-0x00007FF6354B1000-memory.dmp
memory/1968-251-0x00007FF730AC0000-0x00007FF730E11000-memory.dmp
memory/1580-253-0x00007FF7CAC30000-0x00007FF7CAF81000-memory.dmp
memory/1020-255-0x00007FF68D2A0000-0x00007FF68D5F1000-memory.dmp