Analysis Overview
SHA256
f66917555a3646dfcedf582dee6c9ed319ad8f1c6c4d21fe641f1717fee68cc0
Threat Level: Known bad
The file 2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Xmrig family
Cobaltstrike family
Cobaltstrike
xmrig
Cobalt Strike reflective loader
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
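The signature names above are labels only; the report does not show the logic behind them. The following Python is an editor's added example, not part of the sandbox report or of any Triage rule set. It replays the behaviours this sample shows (a file dropped under C:\Windows\System, that file executed, SeLockMemoryPrivilege enabled, and an outbound connection to 3.120.209.58:8080, the only non-Microsoft destination in the Network tables below) over a short, constructed stream of endpoint events and returns the matching findings. The Event schema, the analyze and verdict functions, the seven-letter name heuristic (derived from the dropped names on this page) and the event stream are assumptions for illustration; process IDs 2604 and 2616 are taken from the memory-dump names in behavioral1, pid 4000 is invented benign noise. One caveat worth carrying into a real rule: XMRig enables SeLockMemoryPrivilege so its RandomX memory can be backed by large pages, which is why that hit fits the XMRig classification here, but legitimate large-page users such as database servers request the same privilege, so correlate it with the drop-and-execute chain rather than alerting on the privilege alone.

```python
r"""
Replay of the behaviours listed in this report over constructed endpoint
events: file drops under C:\Windows, execution of those drops, enabling
SeLockMemoryPrivilege, and the outbound connection to 3.120.209.58:8080.
"""
import re
from dataclasses import dataclass

# Indicators taken from the report.
C2_ENDPOINTS = {("3.120.209.58", 8080)}
DROP_DIR = "c:\\windows\\system\\"
# Every dropped name in the report is seven letters plus .exe
# (QMeaOxm.exe, nbeDHKB.exe, TwGFYYe.exe, ...); heuristic assumed by the editor.
DROPPED_NAME = re.compile(r"^[a-z]{7}\.exe$", re.IGNORECASE)
# XMRig enables this privilege so RandomX memory can use large pages.
MINER_PRIVILEGES = {"SeLockMemoryPrivilege"}

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe")


@dataclass(frozen=True)
class Event:
    """Hypothetical normalised telemetry record (schema assumed, not Triage's)."""
    kind: str     # "file", "process", "privilege" or "network"
    pid: int      # acting process
    image: str    # image path of the acting process
    target: str   # file written, child image, privilege name, or "ip:port"


def analyze(events):
    """Return (signature, pid, detail) tuples in the order they fire."""
    dropped = {}    # lowercase path -> pid that wrote it
    findings = []
    for ev in events:
        if ev.kind == "file":
            path = ev.target.lower()
            dropped[path] = ev.pid
            if path.startswith("c:\\windows\\"):
                findings.append(("drops_file_in_windows_dir", ev.pid, ev.target))
        elif ev.kind == "process":
            child = ev.target.lower()
            if child in dropped:   # the report's "Executes dropped EXE"
                findings.append(("executes_dropped_exe", ev.pid, ev.target))
            name = child.rsplit("\\", 1)[-1]
            if child.startswith(DROP_DIR) and DROPPED_NAME.match(name):
                findings.append(("random_named_exe_in_windows_system", ev.pid, ev.target))
        elif ev.kind == "privilege" and ev.target in MINER_PRIVILEGES:
            findings.append(("adjust_privilege_token", ev.pid, ev.target))
        elif ev.kind == "network":
            host, port = ev.target.rsplit(":", 1)
            if (host, int(port)) in C2_ENDPOINTS:
                findings.append(("c2_connection", ev.pid, ev.target))
    return findings


def verdict(findings):
    """Collapse findings to the report's label: a drop-and-run chain or C2 is enough."""
    sigs = {sig for sig, _, _ in findings}
    chain = {"drops_file_in_windows_dir", "executes_dropped_exe"} <= sigs
    return "Known bad" if chain or "c2_connection" in sigs else "Unknown"


# Constructed events modelled on behavioral1. Pids 2604 and 2616 come from
# the memory-dump names in the report; pid 4000 and its events are benign
# noise added to show what must not fire.
SAMPLE_EVENTS = [
    Event("privilege", 2604, SAMPLE, "SeLockMemoryPrivilege"),
    Event("file", 2604, SAMPLE, r"C:\Windows\System\QMeaOxm.exe"),
    Event("process", 2604, SAMPLE, r"C:\Windows\System\QMeaOxm.exe"),
    Event("file", 2604, SAMPLE, r"C:\Windows\System\nbeDHKB.exe"),
    Event("process", 2604, SAMPLE, r"C:\Windows\System\nbeDHKB.exe"),
    Event("network", 2616, r"C:\Windows\System\QMeaOxm.exe", "3.120.209.58:8080"),
    Event("file", 4000, r"C:\Windows\System32\notepad.exe",
          r"C:\Users\Admin\AppData\Local\Temp\notes.tmp"),
    Event("network", 4000, r"C:\Windows\System32\notepad.exe", "8.8.8.8:53"),
]

if __name__ == "__main__":
    for sig, pid, detail in analyze(SAMPLE_EVENTS):
        print(f"{sig:36} pid={pid}  {detail}")
    print("verdict:", verdict(analyze(SAMPLE_EVENTS)))
```

The executes_dropped_exe check is stateful on purpose: it only fires for an image that an earlier event in the same stream wrote, which is what separates this sample's behaviour from any process that happens to launch something out of C:\Windows\System.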
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-15 11:03
Signatures
Cobalt Strike reflective loader
1 match; indicator details not present in this export.
Cobaltstrike family
XMRig Miner payload
1 match; indicator details not present in this export.
Xmrig family
UPX packed file
1 match; indicator details not present in this export.
Unsigned PE
2 matches; indicator details not present in this export.
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 11:03
Reported
2024-08-15 11:05
Platform
win7-20240729-en
Max time kernel
141s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; indicator details not present in this export.
Cobaltstrike
xmrig
XMRig Miner payload
39 matches; indicator details not present in this export.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\QMeaOxm.exe | N/A |
| N/A | N/A | C:\Windows\System\nbeDHKB.exe | N/A |
| N/A | N/A | C:\Windows\System\WdEpZXt.exe | N/A |
| N/A | N/A | C:\Windows\System\alKEITs.exe | N/A |
| N/A | N/A | C:\Windows\System\tSWorrF.exe | N/A |
| N/A | N/A | C:\Windows\System\QoSAoDl.exe | N/A |
| N/A | N/A | C:\Windows\System\BFYcVDk.exe | N/A |
| N/A | N/A | C:\Windows\System\iCMihrm.exe | N/A |
| N/A | N/A | C:\Windows\System\zoimbdG.exe | N/A |
| N/A | N/A | C:\Windows\System\kMcuLan.exe | N/A |
| N/A | N/A | C:\Windows\System\mjEumXB.exe | N/A |
| N/A | N/A | C:\Windows\System\YEpuRmy.exe | N/A |
| N/A | N/A | C:\Windows\System\nSfgNBJ.exe | N/A |
| N/A | N/A | C:\Windows\System\LsRkwPG.exe | N/A |
| N/A | N/A | C:\Windows\System\riRpcGJ.exe | N/A |
| N/A | N/A | C:\Windows\System\tnyhRMF.exe | N/A |
| N/A | N/A | C:\Windows\System\MiWdPQo.exe | N/A |
| N/A | N/A | C:\Windows\System\ftegOVj.exe | N/A |
| N/A | N/A | C:\Windows\System\EpJkHNq.exe | N/A |
| N/A | N/A | C:\Windows\System\POYvwbu.exe | N/A |
| N/A | N/A | C:\Windows\System\JbrHVMq.exe | N/A |
Loads dropped DLL
UPX packed file
61 matches; indicator details not present in this export.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\QMeaOxm.exe | C:\Windows\System\QMeaOxm.exe |
| C:\Windows\System\WdEpZXt.exe | C:\Windows\System\WdEpZXt.exe |
| C:\Windows\System\nbeDHKB.exe | C:\Windows\System\nbeDHKB.exe |
| C:\Windows\System\alKEITs.exe | C:\Windows\System\alKEITs.exe |
| C:\Windows\System\tSWorrF.exe | C:\Windows\System\tSWorrF.exe |
| C:\Windows\System\QoSAoDl.exe | C:\Windows\System\QoSAoDl.exe |
| C:\Windows\System\BFYcVDk.exe | C:\Windows\System\BFYcVDk.exe |
| C:\Windows\System\iCMihrm.exe | C:\Windows\System\iCMihrm.exe |
| C:\Windows\System\zoimbdG.exe | C:\Windows\System\zoimbdG.exe |
| C:\Windows\System\kMcuLan.exe | C:\Windows\System\kMcuLan.exe |
| C:\Windows\System\mjEumXB.exe | C:\Windows\System\mjEumXB.exe |
| C:\Windows\System\YEpuRmy.exe | C:\Windows\System\YEpuRmy.exe |
| C:\Windows\System\nSfgNBJ.exe | C:\Windows\System\nSfgNBJ.exe |
| C:\Windows\System\LsRkwPG.exe | C:\Windows\System\LsRkwPG.exe |
| C:\Windows\System\riRpcGJ.exe | C:\Windows\System\riRpcGJ.exe |
| C:\Windows\System\tnyhRMF.exe | C:\Windows\System\tnyhRMF.exe |
| C:\Windows\System\MiWdPQo.exe | C:\Windows\System\MiWdPQo.exe |
| C:\Windows\System\ftegOVj.exe | C:\Windows\System\ftegOVj.exe |
| C:\Windows\System\EpJkHNq.exe | C:\Windows\System\EpJkHNq.exe |
| C:\Windows\System\POYvwbu.exe | C:\Windows\System\POYvwbu.exe |
| C:\Windows\System\JbrHVMq.exe | C:\Windows\System\JbrHVMq.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2604-0-0x000000013FDB0000-0x0000000140101000-memory.dmp
memory/2604-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\QMeaOxm.exe
| MD5 | 800eb861771eb1da3a2afa8fe17b9308 |
| SHA1 | d957f28ccdf4f280c72c67622007bde12012f4d8 |
| SHA256 | 9846bac71f4a65912a78a8ce9726222bc5af60a4291b67ee2a92f130539023ac |
| SHA512 | b1bd94ab619fe58bc42d10b12fa6ecc17156ca2f571b094638a511b74a9b7063e6f76d9ce767adebba607e01a7f995a993856b4aea46c24cc442b78b1e798218 |
C:\Windows\system\WdEpZXt.exe
| MD5 | 1b1a77df7b0aea7305fdd5528b32c334 |
| SHA1 | c77e780df39c8de0476cd8d5900d540a476d08e5 |
| SHA256 | 0c8dc60369a726be6fa1ba28c869f6ec5b6d23f8d5bc9219bc86cd468fdeb8ed |
| SHA512 | fcd6e4d56c0425dbde00242b61cd157586043738dfec63d151d425eec6b339ffd54256aa2f446f7d7803f54e4fd9772cb9e21fe177dbda466587f0bae4600d73 |
C:\Windows\system\nbeDHKB.exe
| MD5 | 0d491f3d4aad65447bf880681dfe2f35 |
| SHA1 | a578f8cf242ca82ac6b4f303df89b6e660b12f41 |
| SHA256 | d458d44fdca0892e10443027225caa3ccf01c9faf25320d8da46d3cef13b5def |
| SHA512 | 4c063c691346cc42eabfe71e985213b80781ae3d0f52c02911d31030a437d868eba78a6097d380fa332dcc1605eb3d7ac58f90c0f62732d1e8f2dd72d923f627 |
memory/2604-13-0x000000013F8C0000-0x000000013FC11000-memory.dmp
C:\Windows\system\alKEITs.exe
| MD5 | 5d2d8ed636eb65ade7cc68c9c39f7f54 |
| SHA1 | cab06d54051ac398ba82be8a377d7a6a700ea27c |
| SHA256 | 97f6ed29ada67b45262cdeeb36062d1d8b664b5be5272d05703fefb204933fde |
| SHA512 | b32c938606042909734375af8996525907810f710e959ec89136da63f7f526e7bde95239ea6dc1dd4c9b0853d0b17a1a1e5a831fae71c950d04f749751acf5ed |
C:\Windows\system\tSWorrF.exe
| MD5 | 264f82a6a9264a9c65495fcacc9619be |
| SHA1 | d42f8ef4d161d86ea605ca7babba241731fbd6ec |
| SHA256 | c6d58de4981ed7d9bab7f768f073f28f53d75d2a712ab68ec858c23202f28bd3 |
| SHA512 | b1d1bc02d33e105e86585b1767cbf75c53c3e4ce7e1d4666c0f8926dec0ed85b93de237e96d994982afe0d44b6488dcf844aebba8b7ce317e5fb712855955186 |
C:\Windows\system\QoSAoDl.exe
| MD5 | 1ba2ecdd9c94171899d72abeee1be70f |
| SHA1 | f0188bf243ea2497c92acd72a4ca2e57f81e988e |
| SHA256 | 7eac8d01cd453cdf8bbb3c22b3f7f8230d85bcfd922ce5b2a4f069b6a5fff9f9 |
| SHA512 | 7e6e8758af6a69dc0cbbb35d79b1e2ca123d8e8d7fcf88562c6938e5d548e1906ab86985fb13dcf7041797514f8052d22d46cb3ac4f110aa20ff52a562dd642f |
C:\Windows\system\BFYcVDk.exe
| MD5 | 32fc894eec0904b700a5356fd8339170 |
| SHA1 | 1464ce328a344706e9ad4d5a676cf83a7b693f8d |
| SHA256 | 0d4fc19e978c2360042cf1a6157a5ae3aea47e9fe2f50104b4d8b3be37f1da10 |
| SHA512 | cabe246758861a50f39f0418e4cac083b2094532201842699d7fa0333c00c760c58a00cd5c83fd780378be65aa199441f7c60f47d5a834ff07117bce14594354 |
C:\Windows\system\kMcuLan.exe
| MD5 | ecd56b70028d9b5d28aac31dad689556 |
| SHA1 | 048b9d13d9ae258e133cbe2e49f752b452f1a1ad |
| SHA256 | 26c380542bd8004d56d9fbbdbf2d061473d451a8b9cb295d64c59d62b368fd5b |
| SHA512 | 21a2af8f2078e860cac743a3724375b014771c8ba9322eab638cd3a8381c53496198a493ce34f243cc76b1a0a94ea2e45b1f0c5158146cb392d99ce8536d44ef |
C:\Windows\system\mjEumXB.exe
| MD5 | 4afe943a8b04628977aca828a580eab1 |
| SHA1 | f784c058463ed01002edfb194e8a7f41b23b1485 |
| SHA256 | 4b17ed2d53ab70fd1d98f6072f0a362a7a9e3bb62bedd9862cf31a4b6efe0a35 |
| SHA512 | b1c61f2cf8551a295b2ee84c594cc1df84e509d378ca0b6c46b79d6dc297529c451b570bb95d2f86175e93ba501826808323a26abdf1aaba9c12680c3d21383a |
C:\Windows\system\riRpcGJ.exe
| MD5 | a80bd1a106283c0d9648be663b6be021 |
| SHA1 | 0035591baa525692d353e7c97fffd05c5b648764 |
| SHA256 | 230ebf87b5f23960fd85625e30f8f7a274d9bbb8a5a55a0370e79f20b7baddf0 |
| SHA512 | 1eb54273551e0044559acf99573d26a0666da083290d7a2423fb3234fcec5fba7c7a3ccf874765efede48729268a14d812c34c27c5fefe2541d6934a39e34b7e |
C:\Windows\system\tnyhRMF.exe
| MD5 | 18c35a37004024bc71080728f19f0823 |
| SHA1 | 312761aa86512ebcc43c9c4f481d53fa7794556e |
| SHA256 | 2c916bd94f019f298ca0a978058c10726bc1b49fa4e98b9dd8b3286a2f075230 |
| SHA512 | 0a2986ebd56495d832fb4e1365cb5161f75dcf5babfeb6368b012ae1041f0160f0a8d0193cd49ee42d225f6aaa87f80d09f2b9fc9b760cc7d2fc4d43ba13d3db |
C:\Windows\system\EpJkHNq.exe
| MD5 | 76c5b86d9fb8168d42a123a680109d12 |
| SHA1 | 9ad85e4ad24bf8ea1c31c496eea4b433345c2965 |
| SHA256 | 17a4af9eb4fa24b3e0a8ffce72776d7ef4b87516c2d27f4f77b39af7d36b9be3 |
| SHA512 | 4c7a44e7afd75bef57bc0c5b8b418071ce3b6e2fc24610bc3b0fb88a34bcfbbc7a71f841e130778c19eb39ec2e7cf520aa6324a19524dafbbd580503ad6c02be |
C:\Windows\system\JbrHVMq.exe
| MD5 | 2a0ec37d7b581a6b72ced304a235dbdf |
| SHA1 | c738e345cc528830a6aa8da0b1d3a98e721af5b2 |
| SHA256 | 6a7b23c7837c43f830033d405e531be161e1d9ba2aa39397b687828b1922751a |
| SHA512 | 890d6a280b3818c142a95293cc0d86d94c30f0e2cf837f10e67adad28c9cd45e4c1ab2468bf59d35a38548ec26e962f044dec19fec92de7b92c364c3eb2ea769 |
C:\Windows\system\POYvwbu.exe
| MD5 | 09fd1392a3332c9621193b0a180f9736 |
| SHA1 | 7bd084710afb106ff16fcab4bddbb18b870ca128 |
| SHA256 | 33df5634b9f3b442d7ded7c6a8289b6a57e700eaeeb3a5b7a12473dbde1ef715 |
| SHA512 | 70285669b258d55e856a69e9238e3bbf9aa351d015f2f54f26130c2da2564c25dd137f4155545e78b9087257ac8ccf798cab07af3c44caff33044f520c3af9ed |
C:\Windows\system\ftegOVj.exe
| MD5 | 8bb10c805e44cda5dc84975c4987d185 |
| SHA1 | 7f7208d8dfe83de40929e06a323d8d10aeec4e02 |
| SHA256 | e6b8f737855b30cb2a735175425333bf00282229e0151880fcd9c9b7755d3aab |
| SHA512 | 503e70854e4ce0502c4a013e80543d8d1a1f3a12ed30bae8f7671826c31e404beb3a656edae3bdb1d06f6571cc572c971d905acfe2b5017b81fdf82433a01fba |
C:\Windows\system\MiWdPQo.exe
| MD5 | 6748fb2d7822a3d48b1c02f2b63bcace |
| SHA1 | 809c942ba99b97e9546af1029674180003d98559 |
| SHA256 | e0030e454e9969ca3b7594767ac030214874dd58c1d80c35817253f1c94e47b8 |
| SHA512 | 96fcc6e8c7c52f970e010b7a6d64cea03e3de433f530f73ab5bb60af6dcad88ef455df7e55c887f82df7937480acc6fec9647734411294b23116b564dbcccbdd |
C:\Windows\system\LsRkwPG.exe
| MD5 | 86c0566eeb2284c4cb7d1de1c7880808 |
| SHA1 | eb81069eee59e53db7397f61719188f038bcc5f7 |
| SHA256 | 13b0f87a7c69ec71c4b39b23e2967bd709f2ee111589952f8ef1a3ab4476684e |
| SHA512 | 15edc0b075be61a2c15d0185a69d765405d4112ae5c66faac07015cbd5bd4f57bf6d650563e64edb7dc756f7109290b66de04a8fc7c817200d25031f8f9a32ae |
C:\Windows\system\nSfgNBJ.exe
| MD5 | 1c51ad616b1dfea0bd24fce882b08d97 |
| SHA1 | 6f8c693cabc19691b0522dd3dd38ed29bd7625d8 |
| SHA256 | 86e1d41f8f064f2934abe61b42fc7088941b089041fc3dc539450aa2b5cda9af |
| SHA512 | 3134cf7fc7bef619463040e8fe00ac06842fe19cb4ad2d425ca393a5eac68e7922c0bc080dc60fad0dd735e3caa618a49e98cedebaf800180ed4956bbbc25b1a |
C:\Windows\system\YEpuRmy.exe
| MD5 | 5afbb9c151dedd8e5c7f84c0f185647b |
| SHA1 | 0b201fdad140abf36d97801578315aeeba90188b |
| SHA256 | 40a8769ae15d68d79384433fe95c351986b4e550662a0d9507ecd22b6fbab24a |
| SHA512 | 9be1527686fa9af19cff997435a223e67c1c43da44a7740cac4d3477e9ae0811cd073bb07cf01b73d96d1904d9563718c9d2d1c65d8559cbadf8f8ccea77c064 |
C:\Windows\system\zoimbdG.exe
| MD5 | f11a3770358efd6ff5d7b3d0b0c32fa6 |
| SHA1 | e22ceb61e823ceba324dd9e72d0916f82f0d0153 |
| SHA256 | 5bebe01e675e23d14d7f6fa78a6bd8792f49ea426bdf647e7dfa679c1e50b992 |
| SHA512 | 275e613bffa2ce934c450f92d6fe21a5572c420111e9ef79a1a645238f9e680bde443e3daf714fcc5c7e7003a0aaa447b07c4c350c538f71d10756944006eafe |
C:\Windows\system\iCMihrm.exe
| MD5 | 9db77f4aae939aca2ae43b9ba2d134c1 |
| SHA1 | 0b6ef7d03cef471f2740a1716b4667f424f4b582 |
| SHA256 | d30611af37eec0547aa94ec7d07b8b577361036bba5e617da01d7ddcdb1d21bc |
| SHA512 | 4954326c928e9caee90d93d0558da84895c9bfe551797f494e06f046c31d93811d2f11096021dd7edd476961d61ef225ae38718aef4f29ed73dd345339b2665b |
memory/2616-90-0x000000013F8C0000-0x000000013FC11000-memory.dmp
memory/2668-108-0x000000013FA60000-0x000000013FDB1000-memory.dmp
memory/2932-104-0x000000013FDB0000-0x0000000140101000-memory.dmp
memory/2816-102-0x000000013FD50000-0x00000001400A1000-memory.dmp
memory/2776-116-0x000000013F960000-0x000000013FCB1000-memory.dmp
memory/2688-120-0x000000013F4D0000-0x000000013F821000-memory.dmp
memory/2692-125-0x000000013FF70000-0x00000001402C1000-memory.dmp
memory/544-129-0x000000013FBB0000-0x000000013FF01000-memory.dmp
memory/2604-128-0x000000013FA40000-0x000000013FD91000-memory.dmp
memory/2540-127-0x000000013F180000-0x000000013F4D1000-memory.dmp
memory/2604-126-0x000000013F180000-0x000000013F4D1000-memory.dmp
memory/2604-123-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/2660-124-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/2828-122-0x000000013F360000-0x000000013F6B1000-memory.dmp
memory/2604-119-0x000000013F4D0000-0x000000013F821000-memory.dmp
memory/2760-118-0x000000013FCA0000-0x000000013FFF1000-memory.dmp
memory/2604-121-0x000000013F360000-0x000000013F6B1000-memory.dmp
memory/2604-115-0x000000013F960000-0x000000013FCB1000-memory.dmp
memory/2892-101-0x000000013F470000-0x000000013F7C1000-memory.dmp
memory/2604-100-0x000000013F470000-0x000000013F7C1000-memory.dmp
memory/2752-98-0x000000013FA40000-0x000000013FD91000-memory.dmp
memory/2604-96-0x0000000002300000-0x0000000002651000-memory.dmp
memory/2604-130-0x000000013FDB0000-0x0000000140101000-memory.dmp
memory/2616-131-0x000000013F8C0000-0x000000013FC11000-memory.dmp
memory/2520-150-0x000000013FD90000-0x00000001400E1000-memory.dmp
memory/780-151-0x000000013F9A0000-0x000000013FCF1000-memory.dmp
memory/2756-149-0x000000013FB80000-0x000000013FED1000-memory.dmp
memory/568-147-0x000000013FDD0000-0x0000000140121000-memory.dmp
memory/2212-145-0x000000013FFB0000-0x0000000140301000-memory.dmp
memory/2700-148-0x000000013F6B0000-0x000000013FA01000-memory.dmp
memory/3060-146-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/2604-153-0x000000013F8C0000-0x000000013FC11000-memory.dmp
memory/2604-152-0x000000013FDB0000-0x0000000140101000-memory.dmp
memory/2604-154-0x000000013F470000-0x000000013F7C1000-memory.dmp
memory/2604-155-0x000000013FDB0000-0x0000000140101000-memory.dmp
memory/2616-206-0x000000013F8C0000-0x000000013FC11000-memory.dmp
memory/2752-208-0x000000013FA40000-0x000000013FD91000-memory.dmp
memory/544-226-0x000000013FBB0000-0x000000013FF01000-memory.dmp
memory/2816-231-0x000000013FD50000-0x00000001400A1000-memory.dmp
memory/2892-229-0x000000013F470000-0x000000013F7C1000-memory.dmp
memory/2688-236-0x000000013F4D0000-0x000000013F821000-memory.dmp
memory/2660-238-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/2932-240-0x000000013FDB0000-0x0000000140101000-memory.dmp
memory/2776-234-0x000000013F960000-0x000000013FCB1000-memory.dmp
memory/2668-233-0x000000013FA60000-0x000000013FDB1000-memory.dmp
memory/2760-242-0x000000013FCA0000-0x000000013FFF1000-memory.dmp
memory/2692-247-0x000000013FF70000-0x00000001402C1000-memory.dmp
memory/2828-245-0x000000013F360000-0x000000013F6B1000-memory.dmp
memory/2540-255-0x000000013F180000-0x000000013F4D1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 11:03
Reported
2024-08-15 11:05
Platform
win10v2004-20240802-en
Max time kernel
140s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; indicator details not present in this export.
Cobaltstrike
xmrig
XMRig Miner payload
45 matches; indicator details not present in this export.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\TwGFYYe.exe | N/A |
| N/A | N/A | C:\Windows\System\rMypbHi.exe | N/A |
| N/A | N/A | C:\Windows\System\OTGiQUE.exe | N/A |
| N/A | N/A | C:\Windows\System\AtnPdvm.exe | N/A |
| N/A | N/A | C:\Windows\System\RBLjMRA.exe | N/A |
| N/A | N/A | C:\Windows\System\SyxnKlx.exe | N/A |
| N/A | N/A | C:\Windows\System\LiVNNkt.exe | N/A |
| N/A | N/A | C:\Windows\System\BKxeetH.exe | N/A |
| N/A | N/A | C:\Windows\System\BQhCHDI.exe | N/A |
| N/A | N/A | C:\Windows\System\EmtLUfQ.exe | N/A |
| N/A | N/A | C:\Windows\System\JDkThKw.exe | N/A |
| N/A | N/A | C:\Windows\System\YWllxMg.exe | N/A |
| N/A | N/A | C:\Windows\System\ubvshGD.exe | N/A |
| N/A | N/A | C:\Windows\System\nxWPCuc.exe | N/A |
| N/A | N/A | C:\Windows\System\qGunXNt.exe | N/A |
| N/A | N/A | C:\Windows\System\CTmlgvI.exe | N/A |
| N/A | N/A | C:\Windows\System\VicMluU.exe | N/A |
| N/A | N/A | C:\Windows\System\cxBoWmx.exe | N/A |
| N/A | N/A | C:\Windows\System\xPJxGoI.exe | N/A |
| N/A | N/A | C:\Windows\System\WyGZlYz.exe | N/A |
| N/A | N/A | C:\Windows\System\UVyedPH.exe | N/A |
UPX packed file
64 matches; indicator details not present in this export.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-15_e76bccd527aa4169d316c7bd1606a974_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\TwGFYYe.exe | C:\Windows\System\TwGFYYe.exe |
| C:\Windows\System\rMypbHi.exe | C:\Windows\System\rMypbHi.exe |
| C:\Windows\System\OTGiQUE.exe | C:\Windows\System\OTGiQUE.exe |
| C:\Windows\System\AtnPdvm.exe | C:\Windows\System\AtnPdvm.exe |
| C:\Windows\System\RBLjMRA.exe | C:\Windows\System\RBLjMRA.exe |
| C:\Windows\System\SyxnKlx.exe | C:\Windows\System\SyxnKlx.exe |
| C:\Windows\System\LiVNNkt.exe | C:\Windows\System\LiVNNkt.exe |
| C:\Windows\System\BKxeetH.exe | C:\Windows\System\BKxeetH.exe |
| C:\Windows\System\BQhCHDI.exe | C:\Windows\System\BQhCHDI.exe |
| C:\Windows\System\EmtLUfQ.exe | C:\Windows\System\EmtLUfQ.exe |
| C:\Windows\System\JDkThKw.exe | C:\Windows\System\JDkThKw.exe |
| C:\Windows\System\YWllxMg.exe | C:\Windows\System\YWllxMg.exe |
| C:\Windows\System\ubvshGD.exe | C:\Windows\System\ubvshGD.exe |
| C:\Windows\System\nxWPCuc.exe | C:\Windows\System\nxWPCuc.exe |
| C:\Windows\System\qGunXNt.exe | C:\Windows\System\qGunXNt.exe |
| C:\Windows\System\CTmlgvI.exe | C:\Windows\System\CTmlgvI.exe |
| C:\Windows\System\VicMluU.exe | C:\Windows\System\VicMluU.exe |
| C:\Windows\System\cxBoWmx.exe | C:\Windows\System\cxBoWmx.exe |
| C:\Windows\System\xPJxGoI.exe | C:\Windows\System\xPJxGoI.exe |
| C:\Windows\System\WyGZlYz.exe | C:\Windows\System\WyGZlYz.exe |
| C:\Windows\System\UVyedPH.exe | C:\Windows\System\UVyedPH.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2128-0-0x00007FF6B40F0000-0x00007FF6B4441000-memory.dmp
memory/2128-1-0x00000281B5550000-0x00000281B5560000-memory.dmp
C:\Windows\System\TwGFYYe.exe
| MD5 | d29891d28f9b41b99691f11480c54316 |
| SHA1 | ff041a346d2630b0c974490b8c075eda8294d13d |
| SHA256 | 040c4e73fc45bce44858410b42b1688af04b37835df200a545e46395623f7e43 |
| SHA512 | a15e6156c2b99037bfac3c6cb44e66aaeea1bd052230f530ce11fb339858ab1a29a6bf0a7cfb3c6e8da39b7b7997cfc4779e10d525e6c4dfe6d144aaae0d4cd8 |
memory/4704-7-0x00007FF61DF90000-0x00007FF61E2E1000-memory.dmp
C:\Windows\System\rMypbHi.exe
| MD5 | fe0b99ed0a2ff39d23d95be076186d7f |
| SHA1 | 24c439121c1ae19571906809ecaa8eebbdf2b9b8 |
| SHA256 | 3be6e74cd931c4b767035f6862173ee7cf6020c0461fda8f2a31c78d711cb31f |
| SHA512 | da3fb7f400343956124781e5cb0e08b1c2dea4737ef58374a2d7b4f329932e2c01fcef25cd9f52b7cf99463c1b3fedde93e334be35971fe8054a06bf1b7f4769 |
C:\Windows\System\OTGiQUE.exe
| MD5 | f4679fd0ef402f351821b528e72f9a5a |
| SHA1 | 10c3ed3aa5479a9cd2a40f342d19c74b133e7c41 |
| SHA256 | 952ae56f8343b45a335ea589b05332380d0dca71db4de0b285adeccf2afe6cae |
| SHA512 | c6c850d04dfc037bfa573fc094e7970a8c9f12c8290aff0e0c8202b1592e46d89748da3a921425330aa011bf75a0858fb924705415c404038ffc9d2509c2099f |
memory/1900-17-0x00007FF7203A0000-0x00007FF7206F1000-memory.dmp
C:\Windows\System\AtnPdvm.exe
| MD5 | e1cd4085fc589502685626654fd0c247 |
| SHA1 | 7a4b8d49088f512de864676d83d24aa2ec052069 |
| SHA256 | 84dee60f32064dcf08a268d47ab78adf8415b0c7ca4b2ca7cf4c8ba59a46ae88 |
| SHA512 | 67d26d4a5042d6a55183443aec10f59ad5ae28f75164db707e450e560bdeec072cf3b9718ed99f523afb35eb05356de601b2a25d02a990034c0d7f926e928431 |
C:\Windows\System\RBLjMRA.exe
| MD5 | 29dda88cf8a07c0e9af52a0293767ffb |
| SHA1 | 4783ffb0a67dcf979184671ec9acebf535e4b885 |
| SHA256 | 5842f14d776c44f1c011a13bceb0479cc51c165807c8347ec871cc9b429cf627 |
| SHA512 | 6b1d53cf33b816c6980d6f61ae7142ddcfcde2a04fa800cdcb846b90af98dda8266ac17d980e94947febe28dad5c434efa234c90c6bdbd06dd9681ec471c9109 |
C:\Windows\System\SyxnKlx.exe
| MD5 | dcca9679b4c0254505aad42878da89b7 |
| SHA1 | 41f4cc194d66b68bdef3fa0eecd82731d7ed28fb |
| SHA256 | 0336771b2657c387696e004433d038f2bf20b09d6be08d863caade676d0fb949 |
| SHA512 | fa39316ede6b51fb9b5ac47f1d9619d197946eda5da026b70ccb91d43dd2af083c6556482901e5c8260ae27dca36e9e18d8bf10d3c72d5607d02748b1c5e7226 |
memory/3640-36-0x00007FF70CAC0000-0x00007FF70CE11000-memory.dmp
C:\Windows\System\LiVNNkt.exe
| MD5 | 34288abdf27ea9c7b9604b29d2d940c8 |
| SHA1 | fa96b605105bf3d0da6fa76afa464439a3d3da37 |
| SHA256 | b995caf7117ee655a27152453380d52297b1e1c64e26208ffdbb5d7714e97905 |
| SHA512 | 3c9242a4335652949a4c0537e85a9c64fcdfee970438a691c1adf88967fbbd78dcd415fee9975e7e130b62907e982ff42c380552c7726108f593e31e77cbf7e7 |
memory/2236-42-0x00007FF708270000-0x00007FF7085C1000-memory.dmp
memory/4724-32-0x00007FF6560E0000-0x00007FF656431000-memory.dmp
memory/5040-24-0x00007FF60CD00000-0x00007FF60D051000-memory.dmp
memory/3452-12-0x00007FF6C4C40000-0x00007FF6C4F91000-memory.dmp
C:\Windows\System\BKxeetH.exe
| MD5 | b24199dbff77b0d7eb35985afe580191 |
| SHA1 | f9fdd4ddc80cedb98fd48e3af8ec9a843dde138d |
| SHA256 | 6323446b43b89616bded823736f6582af57d8f4c6aa69b84bcbaae297a99d745 |
| SHA512 | 9d9f0a65658d579f6209f8a4f019dbda7387207bd1e364889a21f50c1928d0fc40592ce62145ba391cea3d80cf93de15ae0ca68f8f0430bed49aa76dff3f7a04 |
C:\Windows\System\BQhCHDI.exe
| MD5 | ce2c02149bc81b24185873c10fb13c93 |
| SHA1 | 00ef9498872266d0984473189622fec1f539e8c3 |
| SHA256 | a98ebab5ec3ea9643a84fdfc94d244333675c4966926b41745a5dddaae56648c |
| SHA512 | 72d0c5c50eb4ee414c4b5016de9105aada7ecd79a37a0954d5af9ea5e60348ac1db56c8e985ea70f00dc826a70a22064ea613380d2ba824dff6fdbb43075e349 |
memory/2128-54-0x00007FF6B40F0000-0x00007FF6B4441000-memory.dmp
memory/4704-59-0x00007FF61DF90000-0x00007FF61E2E1000-memory.dmp
C:\Windows\System\YWllxMg.exe
| MD5 | 0d685b1663910c8fff67ccfa01c0e2e5 |
| SHA1 | d280b2276247dabbdcf6e4193f1d00d0eae960f2 |
| SHA256 | ff0ac9a092421539d9a3ed17a9d1973b108bf438712feb5a1a71b7ca9941988f |
| SHA512 | 1d16f6b7687d838b4282b1eaac3df9822d27682b31e8222ff88a4069de4a138096aeac788f5db7e84a8bf8d096487a75dbc1971051f8be7c23b8ee2b17cad286 |
memory/3452-71-0x00007FF6C4C40000-0x00007FF6C4F91000-memory.dmp
C:\Windows\System\ubvshGD.exe
| MD5 | 3d8a2d3949b0a1ae4048f43357e5a667 |
| SHA1 | 1d7f7038ae0653ef65adf01a37ea5f8a881c2746 |
| SHA256 | 1f73cca652673cc5cc88ed0ee8b67437f1dfd8db381ed25e00c7393a4232158b |
| SHA512 | 42df1d6a131832415bcd441ea0382fc11201a392a058408b186018bc2449c62a71e7139eee26106893d37d2b9895600640dc60835ba633d3dc2870260b9f6cc5 |
memory/5040-81-0x00007FF60CD00000-0x00007FF60D051000-memory.dmp
memory/4724-87-0x00007FF6560E0000-0x00007FF656431000-memory.dmp
C:\Windows\System\nxWPCuc.exe
| MD5 | 1c4bef2c6f3dbba98a231ac4127176d6 |
| SHA1 | 9c58aa9e7ec669aaf4b7018e1372e72ceee36c84 |
| SHA256 | 8872839d7653e7cae042d2f6aa223135b9d8f843cd82f38a2c486c39ddfff899 |
| SHA512 | 4f3446e33c9f91f7c0b3b53efecc941d3b20761bc2a1fcf479ac5881b82eed9d5e00988dfa60350f73957f17faf680efa5bf914a6724a29cb1b00fc39fc13228 |
memory/3352-88-0x00007FF7B2BF0000-0x00007FF7B2F41000-memory.dmp
C:\Windows\System\qGunXNt.exe
| MD5 | 0b6df975f2b905d4d7711121a5faea7f |
| SHA1 | db3b04928e97b01bc3fbe168d59c958957b59fd1 |
| SHA256 | d04b8eb850b0a64ab2703fd6c6d62ebe92b454c3406250fbca232e39dbc07bf2 |
| SHA512 | 1325346809c3446bb761a30fa017a76d528a92da716a248bc14fc2a3f385a70ac4a2ad97b63ff6b1b3426f541f4d23a04a5f64d64521bd44953b75f99ac2095b |
memory/1080-97-0x00007FF70C130000-0x00007FF70C481000-memory.dmp
memory/3640-96-0x00007FF70CAC0000-0x00007FF70CE11000-memory.dmp
memory/1072-82-0x00007FF6E0A30000-0x00007FF6E0D81000-memory.dmp
memory/1900-79-0x00007FF7203A0000-0x00007FF7206F1000-memory.dmp
memory/2440-75-0x00007FF698770000-0x00007FF698AC1000-memory.dmp
memory/4856-73-0x00007FF7266D0000-0x00007FF726A21000-memory.dmp
C:\Windows\System\JDkThKw.exe
| MD5 | 2046b038bb67a55b857f5abd7fd0ff80 |
| SHA1 | 59de5fc30df012aa7960767b233b32ec5a119699 |
| SHA256 | 33951fbf44ab9451e37efd93e91001034ed650d1ebda79535da886e461bb8322 |
| SHA512 | 215362e6c686bf0a095e8eebe6bb57680d301ce33d5774f53065d1dc4a5ab261e77eff3652ff3141d9ec6373424687fbaa4353fe284ebc41271a336cb4d55d4a |
memory/1216-65-0x00007FF6C12C0000-0x00007FF6C1611000-memory.dmp
C:\Windows\System\EmtLUfQ.exe
| MD5 | 65633ecea55c5dac2fd04fb7cfc4cf18 |
| SHA1 | cd30a6917c74e0042a29a07387bc94e94d69bd83 |
| SHA256 | 647ba66c14e4d3cd27322119ff331de10aff92c969ff805058e209f78bf65499 |
| SHA512 | 855c562896536e9d95bb08e7234552db4bd03b421bd93634c3da45415bbf8cf99e5924bfff4dd818e15edbf359904e18a4495b8368b54a9820923e5fc379e92b |
memory/1968-57-0x00007FF661F80000-0x00007FF6622D1000-memory.dmp
C:\Windows\System\CTmlgvI.exe
| MD5 | 0e48d145944e2d1579ef51a7fb368722 |
| SHA1 | 904520fd3f4da4f8fc7e5c27e759ef66d1e25d6b |
| SHA256 | b368f9ac6b68fa937dac4bfc16b2c1d2dc7a994cedd4dd7ba57c4e98c6e876c6 |
| SHA512 | 5698fb21784e401b9254b56281fed0af8067bfc31f1a5c0c1000592fcdc6cd0bf5e97eaea88f2257889b2cca995581245a674df595b745264a81c8851face099 |
memory/1968-117-0x00007FF661F80000-0x00007FF6622D1000-memory.dmp
C:\Windows\System\xPJxGoI.exe
| MD5 | 341c0ff9de2e9a58323a3f3864f33c23 |
| SHA1 | 3dbcc3ae3c8253578f5610653d0f9e58fc541605 |
| SHA256 | 4b180171a6807ed8100d9caf1ebcf4dea88777763147c0052d301996881dbaba |
| SHA512 | 630e871fde6fb699e4457fdd7ddc0cc0546501f8569c711eec1554ea171081bcfc2eb5f83b5370055d11017091c6afaa0f7b8c8ab45aecb91f137a00431d6245 |
C:\Windows\System\WyGZlYz.exe
| MD5 | 9f7c80cabb9fdd1e322e6fd4e382ced3 |
| SHA1 | 2492a16e9f36a2fd68ed881cdc0381e9cc235477 |
| SHA256 | 5c92d0c6b0d223fe9fc879ec14c7b4437390dc543c62c32558c241d616f1b892 |
| SHA512 | e87859f700d30d6761b64e619d7164192e885600f28a34a1dd7ccd74a9e0dd959c11c89fd52b434e0a2dc52e4856fdcf504e6796a00898e5020996781f38020a |
C:\Windows\System\UVyedPH.exe
| MD5 | fa9b61391e4062ddc5143448dd668c45 |
| SHA1 | 06196b3a2217af89bfe1dd6fe06def4050742265 |
| SHA256 | 769b3b8c763a13fb0d59bd282ffbaea8bf110c66c82da76169b0d07219a62a72 |
| SHA512 | 106b37a2d0c250e7f78eead8657551e8cdb88ef1ee5760e95ec633077150ffa5731d25a4bc3a53305d02396914755aad28281a5d7224590a5415b6c1fa4d3186 |
memory/4544-135-0x00007FF688120000-0x00007FF688471000-memory.dmp
memory/976-133-0x00007FF61F6E0000-0x00007FF61FA31000-memory.dmp
memory/2440-132-0x00007FF698770000-0x00007FF698AC1000-memory.dmp
memory/4856-131-0x00007FF7266D0000-0x00007FF726A21000-memory.dmp
memory/4148-125-0x00007FF6A0B90000-0x00007FF6A0EE1000-memory.dmp
C:\Windows\System\cxBoWmx.exe
| MD5 | 98625cdd444bea92433665656f10f7c1 |
| SHA1 | 37c5f3484ef77e3fd2d3bafefc0222d40cfc233e |
| SHA256 | 61ddb084ebc02ff8b3b92605216a3a6285255ae5ece2698bd8d2883a8eaae1f2 |
| SHA512 | 6c9d0013b92613729ae6c54354b18be366704f77f8e0b6bf01e5522e21585c2cdaf7abdc27716d96c5f3bee682e48baf231352f25dc9cb23c8c05220bfdffb71 |
memory/1752-116-0x00007FF72F6C0000-0x00007FF72FA11000-memory.dmp
C:\Windows\System\VicMluU.exe
| MD5 | c156af41f059b255745abc292ff0ef74 |
| SHA1 | cf7d47be2f3ae4faf15268127b4c310e4d197d13 |
| SHA256 | 8815f767e83b2491518de4913c7078d6a999d5200e8196131a1e34c64e200589 |
| SHA512 | 36b6bd9cda4ca6d1102b88a96e4edc9bdbc2096de9b423324af9f29546834e13ee591b88d145d019833d1765b426b6741c0346dbf5d73d59f24d1c09174d00c3 |
memory/2376-113-0x00007FF6163B0000-0x00007FF616701000-memory.dmp
memory/1816-106-0x00007FF6A4620000-0x00007FF6A4971000-memory.dmp
memory/2236-102-0x00007FF708270000-0x00007FF7085C1000-memory.dmp
memory/2676-53-0x00007FF6704B0000-0x00007FF670801000-memory.dmp
memory/1072-139-0x00007FF6E0A30000-0x00007FF6E0D81000-memory.dmp
memory/3352-141-0x00007FF7B2BF0000-0x00007FF7B2F41000-memory.dmp
memory/2128-140-0x00007FF6B40F0000-0x00007FF6B4441000-memory.dmp
memory/1080-150-0x00007FF70C130000-0x00007FF70C481000-memory.dmp
memory/1816-151-0x00007FF6A4620000-0x00007FF6A4971000-memory.dmp
memory/1752-161-0x00007FF72F6C0000-0x00007FF72FA11000-memory.dmp
memory/2376-160-0x00007FF6163B0000-0x00007FF616701000-memory.dmp
memory/4148-167-0x00007FF6A0B90000-0x00007FF6A0EE1000-memory.dmp
memory/976-165-0x00007FF61F6E0000-0x00007FF61FA31000-memory.dmp
memory/4544-166-0x00007FF688120000-0x00007FF688471000-memory.dmp
memory/2128-168-0x00007FF6B40F0000-0x00007FF6B4441000-memory.dmp
memory/4704-219-0x00007FF61DF90000-0x00007FF61E2E1000-memory.dmp
memory/3452-221-0x00007FF6C4C40000-0x00007FF6C4F91000-memory.dmp
memory/1900-223-0x00007FF7203A0000-0x00007FF7206F1000-memory.dmp
memory/4724-229-0x00007FF6560E0000-0x00007FF656431000-memory.dmp
memory/5040-230-0x00007FF60CD00000-0x00007FF60D051000-memory.dmp
memory/3640-232-0x00007FF70CAC0000-0x00007FF70CE11000-memory.dmp
memory/2236-234-0x00007FF708270000-0x00007FF7085C1000-memory.dmp
memory/2676-241-0x00007FF6704B0000-0x00007FF670801000-memory.dmp
memory/1216-243-0x00007FF6C12C0000-0x00007FF6C1611000-memory.dmp
memory/1968-245-0x00007FF661F80000-0x00007FF6622D1000-memory.dmp
memory/4856-250-0x00007FF7266D0000-0x00007FF726A21000-memory.dmp
memory/2440-252-0x00007FF698770000-0x00007FF698AC1000-memory.dmp
memory/3352-255-0x00007FF7B2BF0000-0x00007FF7B2F41000-memory.dmp
memory/1072-256-0x00007FF6E0A30000-0x00007FF6E0D81000-memory.dmp
memory/1080-258-0x00007FF70C130000-0x00007FF70C481000-memory.dmp
memory/1816-263-0x00007FF6A4620000-0x00007FF6A4971000-memory.dmp
memory/2376-265-0x00007FF6163B0000-0x00007FF616701000-memory.dmp
memory/1752-269-0x00007FF72F6C0000-0x00007FF72FA11000-memory.dmp
memory/4148-271-0x00007FF6A0B90000-0x00007FF6A0EE1000-memory.dmp
memory/976-273-0x00007FF61F6E0000-0x00007FF61FA31000-memory.dmp
memory/4544-275-0x00007FF688120000-0x00007FF688471000-memory.dmp