Analysis Overview
SHA256
3069a6de07f662a26e2a3437fe52217c9a15adf04fe874cdb1400e2e02c424ff
Threat Level: Known bad
The file 2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobalt Strike reflective loader
xmrig
Cobaltstrike
Xmrig family
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-15 10:57
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 10:57
Reported
2024-08-15 10:59
Platform
win7-20240708-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\oFcZBQt.exe | N/A |
| N/A | N/A | C:\Windows\System\lalFDbM.exe | N/A |
| N/A | N/A | C:\Windows\System\PCFwlqB.exe | N/A |
| N/A | N/A | C:\Windows\System\DOGMxcY.exe | N/A |
| N/A | N/A | C:\Windows\System\eNkVRQT.exe | N/A |
| N/A | N/A | C:\Windows\System\IiWgeOT.exe | N/A |
| N/A | N/A | C:\Windows\System\XJSGSzR.exe | N/A |
| N/A | N/A | C:\Windows\System\GNWoxZM.exe | N/A |
| N/A | N/A | C:\Windows\System\NTFQvqn.exe | N/A |
| N/A | N/A | C:\Windows\System\RMmUTHB.exe | N/A |
| N/A | N/A | C:\Windows\System\NzajhiM.exe | N/A |
| N/A | N/A | C:\Windows\System\ftrIOYl.exe | N/A |
| N/A | N/A | C:\Windows\System\nkWNVSp.exe | N/A |
| N/A | N/A | C:\Windows\System\kVqmrvf.exe | N/A |
| N/A | N/A | C:\Windows\System\hEquLZM.exe | N/A |
| N/A | N/A | C:\Windows\System\hWDiwbW.exe | N/A |
| N/A | N/A | C:\Windows\System\luUhgUo.exe | N/A |
| N/A | N/A | C:\Windows\System\MAzkfgj.exe | N/A |
| N/A | N/A | C:\Windows\System\WVmKyaj.exe | N/A |
| N/A | N/A | C:\Windows\System\xTtLUpE.exe | N/A |
| N/A | N/A | C:\Windows\System\BQGGxZH.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\lalFDbM.exe
C:\Windows\System\oFcZBQt.exe
C:\Windows\System\PCFwlqB.exe
C:\Windows\System\DOGMxcY.exe
C:\Windows\System\eNkVRQT.exe
C:\Windows\System\XJSGSzR.exe
C:\Windows\System\IiWgeOT.exe
C:\Windows\System\GNWoxZM.exe
C:\Windows\System\NTFQvqn.exe
C:\Windows\System\RMmUTHB.exe
C:\Windows\System\NzajhiM.exe
C:\Windows\System\ftrIOYl.exe
C:\Windows\System\nkWNVSp.exe
C:\Windows\System\kVqmrvf.exe
C:\Windows\System\hEquLZM.exe
C:\Windows\System\hWDiwbW.exe
C:\Windows\System\luUhgUo.exe
C:\Windows\System\MAzkfgj.exe
C:\Windows\System\WVmKyaj.exe
C:\Windows\System\xTtLUpE.exe
C:\Windows\System\BQGGxZH.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\lalFDbM.exe
\Windows\system\oFcZBQt.exe
C:\Windows\system\PCFwlqB.exe
\Windows\system\DOGMxcY.exe
\Windows\system\IiWgeOT.exe
C:\Windows\system\eNkVRQT.exe
C:\Windows\system\RMmUTHB.exe
C:\Windows\system\ftrIOYl.exe
C:\Windows\system\hEquLZM.exe
C:\Windows\system\hWDiwbW.exe
C:\Windows\system\MAzkfgj.exe
C:\Windows\system\BQGGxZH.exe
C:\Windows\system\xTtLUpE.exe
C:\Windows\system\WVmKyaj.exe
C:\Windows\system\luUhgUo.exe
C:\Windows\system\kVqmrvf.exe
C:\Windows\system\nkWNVSp.exe
C:\Windows\system\NzajhiM.exe
C:\Windows\system\GNWoxZM.exe
C:\Windows\system\NTFQvqn.exe
C:\Windows\system\XJSGSzR.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 10:57
Reported
2024-08-15 10:59
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\oCNkWBE.exe | N/A |
| N/A | N/A | C:\Windows\System\BoVhDri.exe | N/A |
| N/A | N/A | C:\Windows\System\yupbCAE.exe | N/A |
| N/A | N/A | C:\Windows\System\dOsXKEK.exe | N/A |
| N/A | N/A | C:\Windows\System\uohQmpO.exe | N/A |
| N/A | N/A | C:\Windows\System\hSxugZd.exe | N/A |
| N/A | N/A | C:\Windows\System\STLQWwd.exe | N/A |
| N/A | N/A | C:\Windows\System\YUHkCbh.exe | N/A |
| N/A | N/A | C:\Windows\System\PExfcIp.exe | N/A |
| N/A | N/A | C:\Windows\System\lvDlcLe.exe | N/A |
| N/A | N/A | C:\Windows\System\jLGIUVH.exe | N/A |
| N/A | N/A | C:\Windows\System\fTnyuGT.exe | N/A |
| N/A | N/A | C:\Windows\System\lsnhxXi.exe | N/A |
| N/A | N/A | C:\Windows\System\MavRxau.exe | N/A |
| N/A | N/A | C:\Windows\System\gkarGgw.exe | N/A |
| N/A | N/A | C:\Windows\System\qusmDKR.exe | N/A |
| N/A | N/A | C:\Windows\System\BvaQCpT.exe | N/A |
| N/A | N/A | C:\Windows\System\RwWjnEp.exe | N/A |
| N/A | N/A | C:\Windows\System\IDmWotI.exe | N/A |
| N/A | N/A | C:\Windows\System\MDapRlI.exe | N/A |
| N/A | N/A | C:\Windows\System\MKOdFkY.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-15_c0d0caf16015e4abc80ef880d1ee70a4_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\oCNkWBE.exe
C:\Windows\System\BoVhDri.exe
C:\Windows\System\yupbCAE.exe
C:\Windows\System\dOsXKEK.exe
C:\Windows\System\uohQmpO.exe
C:\Windows\System\hSxugZd.exe
C:\Windows\System\STLQWwd.exe
C:\Windows\System\YUHkCbh.exe
C:\Windows\System\PExfcIp.exe
C:\Windows\System\lvDlcLe.exe
C:\Windows\System\jLGIUVH.exe
C:\Windows\System\fTnyuGT.exe
C:\Windows\System\lsnhxXi.exe
C:\Windows\System\MavRxau.exe
C:\Windows\System\gkarGgw.exe
C:\Windows\System\qusmDKR.exe
C:\Windows\System\BvaQCpT.exe
C:\Windows\System\RwWjnEp.exe
C:\Windows\System\IDmWotI.exe
C:\Windows\System\MDapRlI.exe
C:\Windows\System\MKOdFkY.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\oCNkWBE.exe
C:\Windows\System\BoVhDri.exe
C:\Windows\System\dOsXKEK.exe
C:\Windows\System\uohQmpO.exe
C:\Windows\System\YUHkCbh.exe
C:\Windows\System\hSxugZd.exe
C:\Windows\System\yupbCAE.exe
C:\Windows\System\lvDlcLe.exe
C:\Windows\System\gkarGgw.exe
C:\Windows\System\BvaQCpT.exe
C:\Windows\System\qusmDKR.exe
| MD5 | b4f00d2a871c1becd258dd70818f6871 |
| SHA1 | f7516e892a5eca9f79cc41792069500820180a1c |
| SHA256 | 471d682f4b72e26a509fd3db67829818519ca4198c8364bccf2b568e38f4341c |
| SHA512 | f950601135a6b4914ed443c5761ffe395496d9bb8c79edffccb584ecea1386d0a7f7c3c177cce2b60bd890361c673aa38fd9b12b4ad9bcdfe3e1650e4eb8b776 |
C:\Windows\System\MavRxau.exe
| MD5 | fbba430ee614ae1ea720de4008c4d6ae |
| SHA1 | 99ed35ba92ff9dfe8428d837d91335cd15683269 |
| SHA256 | ec00e2fb5727e27515760dbbd72c0a0a427569766e9e3bc9195c1bea25dcfba4 |
| SHA512 | 0a50d18429c0fa8c1ab548ee5fa87a8fa856d1cea926fafa5e365be99bea80cdae8932d58adfafa7f01fd98b71bed93b4ec891053d4a882166aca1649cf6a158 |
memory/1304-90-0x00007FF6DF340000-0x00007FF6DF691000-memory.dmp
C:\Windows\System\lsnhxXi.exe
| MD5 | fa02c02171a0b9b6babab30634008591 |
| SHA1 | 4db2c96f526bcc7bb681403045f55e9023dfd8e8 |
| SHA256 | 2c7fd792999475dea7a32379e551c5092e3a5757d1015ebc62934daa117a64f5 |
| SHA512 | 4917a34d079f3b3afc1b8b4ba1005fc5a69814271ceb589b70b683cbba9df8052f627869777e72ea5e05f411b3e935ca2cbd5660ce1656090b7d908f71b1c9b8 |
memory/4912-82-0x00007FF790210000-0x00007FF790561000-memory.dmp
C:\Windows\System\fTnyuGT.exe
| MD5 | b5eab321dd9a4a88956cc63912b20932 |
| SHA1 | 69df440eb07493f86fd347e19faa0ef0e12366d1 |
| SHA256 | 86f18a7e9344d1370b146b70714949f2e9b996a2b0f5f38da706fa8716fe6bcc |
| SHA512 | e8a20e5359dff7fd773c006023ff29313ac1149a1b7341e0ffd4e016cefd1b7e5e47b53b505fd5685578f65d53b9503f5744ef369ef0697ab6492c732bf233ee |
C:\Windows\System\jLGIUVH.exe
| MD5 | f1e64619e336087f4fdeb8ff5682c759 |
| SHA1 | d4bf22c46d1b930c8a9a13f564b5f5588cf4c14e |
| SHA256 | 8ab0b81fbc094c6d41115c55b7ccaf410a079e7dce7c32fe27d01126f02865ae |
| SHA512 | 8fd3b9bd57391c3fbf9b278d7d237ce62803b5e62718faa086d38231a26271ceceb0558bb1a63e89bcb7aa6653a7b2029443c375b0b408ddd02f07c5d09af0a9 |
memory/3412-72-0x00007FF629F80000-0x00007FF62A2D1000-memory.dmp
memory/4080-56-0x00007FF6DB150000-0x00007FF6DB4A1000-memory.dmp
C:\Windows\System\PExfcIp.exe
| MD5 | 621cc33da360e86a9497d5595d71e533 |
| SHA1 | b59eb3bc0c928e34569018210bc6e18997bda432 |
| SHA256 | 684483266e7238bdd142f6b8d888fcf5124d7f07b2094300bb0c58dd84e1b788 |
| SHA512 | 92fcc0d83db7b0eb0fdf3432544cc7de106c3e76c178585351f37d01988b84a30bb55caf35836b38564a2f6315cb6f0f24687a91963498f909854024f350b4aa |
memory/2792-46-0x00007FF6B2030000-0x00007FF6B2381000-memory.dmp
memory/2400-39-0x00007FF6BEE50000-0x00007FF6BF1A1000-memory.dmp
C:\Windows\System\STLQWwd.exe
| MD5 | 327011fcfe514d40ff1e454436e0bd7a |
| SHA1 | bdae43883ac471347b5433b9cce4c1fa6f5ae91b |
| SHA256 | fc64847c3a7686c81cc0b2a07818985183daa7ca1c295d344a1566962d48a67c |
| SHA512 | 462a39516b8c4471cf9ea18e45d083f4c9085012ce3af966be9d1a75fd220ed3f25e60f1d701a92689a021f5a392b50ee450fadf0fe4bdcfe84b546aa9190326 |
memory/2928-6-0x00007FF74B750000-0x00007FF74BAA1000-memory.dmp
C:\Windows\System\RwWjnEp.exe
| MD5 | e71dd5ab1b964c586ac1698c492c6e9a |
| SHA1 | 1309f906e36b8f34b0267601f0183f31976502e1 |
| SHA256 | d2b4256cf50cc2b56b106925f9174ea4b428fdd7c26df38134b69b86d006491b |
| SHA512 | 36ef12dbe4af4bde5465917e558c4b87ca62d416c62526d2e391a37efe5fbab36f309caa4db1710bc432c93246e121f1168da509374d67bee5c18e8e435d20b1 |
memory/2344-108-0x00007FF706CA0000-0x00007FF706FF1000-memory.dmp
C:\Windows\System\IDmWotI.exe
| MD5 | 4f31fd033c074032cfaddd137a64c17e |
| SHA1 | fcb356ee031352eccb294d16eebb04db2dbc9d59 |
| SHA256 | b8f3d3f5ee2045f0b94f04b9fbb671df658bf04208645f6580a3585d442f296b |
| SHA512 | faaa9436cec1f0923a3108d2b8ea426785ecf74a5292f0022c01ffa3da34ee85f9f54feef961e8b62eb75046fba8e946e2880bfdbd6bf9559192f69457dd4217 |
memory/920-119-0x00007FF7146E0000-0x00007FF714A31000-memory.dmp
C:\Windows\System\MDapRlI.exe
| MD5 | 3d5ae9eddcf417760b9bdad29c397419 |
| SHA1 | c8006fb53c6beb01003b8db85656ff2b1d521314 |
| SHA256 | 98127849c55aa25e96b340de2a26a17148273426d1e9e67311f20b19cbdaca1b |
| SHA512 | cb92db0393312c09114424289cce0a4c221a4beda723df7bde85b49e30c7759a5f25d4f034a3817e7dfb3f7bc688f1283de1d8a08a96a55016dbde987e057cec |
C:\Windows\System\MKOdFkY.exe
| MD5 | 3e12fb64f3bdb280be5f2e63cb52b6ee |
| SHA1 | e575097103e34d9f6d3f6b2fba40c7e48ecad8ca |
| SHA256 | 26ad7fa0574940d317e1dd55349f43a0a91a86c7acd7ecec94a9ea4ffc1edc3f |
| SHA512 | c8b4a91f3e18dd7e288d997b0ddca8fbf995bafda67b8627252b0cd97c379cbb814f5c7bd95ab3a9c673148d2833ce569e5f8083f1e76f7b34b8b9706576f1e5 |
memory/3420-121-0x00007FF6DA6B0000-0x00007FF6DAA01000-memory.dmp
memory/2652-126-0x00007FF672E60000-0x00007FF6731B1000-memory.dmp
memory/1104-128-0x00007FF6F4920000-0x00007FF6F4C71000-memory.dmp
memory/2652-129-0x00007FF672E60000-0x00007FF6731B1000-memory.dmp
memory/2928-130-0x00007FF74B750000-0x00007FF74BAA1000-memory.dmp
memory/3264-132-0x00007FF66A750000-0x00007FF66AAA1000-memory.dmp
memory/2400-134-0x00007FF6BEE50000-0x00007FF6BF1A1000-memory.dmp
memory/4496-145-0x00007FF65D920000-0x00007FF65DC71000-memory.dmp
memory/2344-147-0x00007FF706CA0000-0x00007FF706FF1000-memory.dmp
memory/1304-143-0x00007FF6DF340000-0x00007FF6DF691000-memory.dmp
memory/1772-142-0x00007FF7F7500000-0x00007FF7F7851000-memory.dmp
memory/4912-141-0x00007FF790210000-0x00007FF790561000-memory.dmp
memory/4080-138-0x00007FF6DB150000-0x00007FF6DB4A1000-memory.dmp
memory/4176-133-0x00007FF6C4260000-0x00007FF6C45B1000-memory.dmp
memory/3412-139-0x00007FF629F80000-0x00007FF62A2D1000-memory.dmp
memory/3420-149-0x00007FF6DA6B0000-0x00007FF6DAA01000-memory.dmp
memory/2652-151-0x00007FF672E60000-0x00007FF6731B1000-memory.dmp
memory/2928-213-0x00007FF74B750000-0x00007FF74BAA1000-memory.dmp
memory/4204-215-0x00007FF613C70000-0x00007FF613FC1000-memory.dmp
memory/3264-217-0x00007FF66A750000-0x00007FF66AAA1000-memory.dmp
memory/4176-219-0x00007FF6C4260000-0x00007FF6C45B1000-memory.dmp
memory/2792-221-0x00007FF6B2030000-0x00007FF6B2381000-memory.dmp
memory/2400-223-0x00007FF6BEE50000-0x00007FF6BF1A1000-memory.dmp
memory/4080-225-0x00007FF6DB150000-0x00007FF6DB4A1000-memory.dmp
memory/4136-227-0x00007FF638E50000-0x00007FF6391A1000-memory.dmp
memory/1780-229-0x00007FF7EA1F0000-0x00007FF7EA541000-memory.dmp
memory/1968-239-0x00007FF733220000-0x00007FF733571000-memory.dmp
memory/3412-238-0x00007FF629F80000-0x00007FF62A2D1000-memory.dmp
memory/4912-235-0x00007FF790210000-0x00007FF790561000-memory.dmp
memory/1772-234-0x00007FF7F7500000-0x00007FF7F7851000-memory.dmp
memory/1304-241-0x00007FF6DF340000-0x00007FF6DF691000-memory.dmp
memory/4496-243-0x00007FF65D920000-0x00007FF65DC71000-memory.dmp
memory/4872-246-0x00007FF6AD170000-0x00007FF6AD4C1000-memory.dmp
memory/1240-247-0x00007FF6C6200000-0x00007FF6C6551000-memory.dmp
memory/2344-252-0x00007FF706CA0000-0x00007FF706FF1000-memory.dmp
memory/920-254-0x00007FF7146E0000-0x00007FF714A31000-memory.dmp
memory/3420-256-0x00007FF6DA6B0000-0x00007FF6DAA01000-memory.dmp
memory/1104-258-0x00007FF6F4920000-0x00007FF6F4C71000-memory.dmp