Analysis Overview
SHA256
9311ff1052617b0a651f8b395441dcd4939677da44d9a255bccca5ed9a1c71b5
Threat Level: Known bad
The file 2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Xmrig family
XMRig Miner payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-15 10:53
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 10:53
Reported
2024-08-15 10:55
Platform
win7-20240705-en
Max time kernel
140s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\dZJmlJU.exe | N/A |
| N/A | N/A | C:\Windows\System\EjLSJKt.exe | N/A |
| N/A | N/A | C:\Windows\System\ornhikP.exe | N/A |
| N/A | N/A | C:\Windows\System\ZLxCpdj.exe | N/A |
| N/A | N/A | C:\Windows\System\ieNwCGZ.exe | N/A |
| N/A | N/A | C:\Windows\System\WEnVqKK.exe | N/A |
| N/A | N/A | C:\Windows\System\iupFaFp.exe | N/A |
| N/A | N/A | C:\Windows\System\IaYVdEZ.exe | N/A |
| N/A | N/A | C:\Windows\System\CZfBebo.exe | N/A |
| N/A | N/A | C:\Windows\System\RtfopzW.exe | N/A |
| N/A | N/A | C:\Windows\System\jbwTEXE.exe | N/A |
| N/A | N/A | C:\Windows\System\sMIMFvG.exe | N/A |
| N/A | N/A | C:\Windows\System\yolmzwK.exe | N/A |
| N/A | N/A | C:\Windows\System\lFDWffz.exe | N/A |
| N/A | N/A | C:\Windows\System\eTiSDNG.exe | N/A |
| N/A | N/A | C:\Windows\System\QpSgtFj.exe | N/A |
| N/A | N/A | C:\Windows\System\OUfXvMY.exe | N/A |
| N/A | N/A | C:\Windows\System\mbKkSId.exe | N/A |
| N/A | N/A | C:\Windows\System\KybSQoN.exe | N/A |
| N/A | N/A | C:\Windows\System\MsmHxtI.exe | N/A |
| N/A | N/A | C:\Windows\System\OyDgiVf.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe"
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 10:53
Reported
2024-08-15 10:55
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\dZJmlJU.exe | N/A |
| N/A | N/A | C:\Windows\System\EjLSJKt.exe | N/A |
| N/A | N/A | C:\Windows\System\ornhikP.exe | N/A |
| N/A | N/A | C:\Windows\System\ZLxCpdj.exe | N/A |
| N/A | N/A | C:\Windows\System\ieNwCGZ.exe | N/A |
| N/A | N/A | C:\Windows\System\WEnVqKK.exe | N/A |
| N/A | N/A | C:\Windows\System\iupFaFp.exe | N/A |
| N/A | N/A | C:\Windows\System\IaYVdEZ.exe | N/A |
| N/A | N/A | C:\Windows\System\RtfopzW.exe | N/A |
| N/A | N/A | C:\Windows\System\CZfBebo.exe | N/A |
| N/A | N/A | C:\Windows\System\sMIMFvG.exe | N/A |
| N/A | N/A | C:\Windows\System\jbwTEXE.exe | N/A |
| N/A | N/A | C:\Windows\System\yolmzwK.exe | N/A |
| N/A | N/A | C:\Windows\System\lFDWffz.exe | N/A |
| N/A | N/A | C:\Windows\System\eTiSDNG.exe | N/A |
| N/A | N/A | C:\Windows\System\QpSgtFj.exe | N/A |
| N/A | N/A | C:\Windows\System\OUfXvMY.exe | N/A |
| N/A | N/A | C:\Windows\System\mbKkSId.exe | N/A |
| N/A | N/A | C:\Windows\System\KybSQoN.exe | N/A |
| N/A | N/A | C:\Windows\System\MsmHxtI.exe | N/A |
| N/A | N/A | C:\Windows\System\OyDgiVf.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-15_b19220e7df143d39bd88607c17f94732_cobalt-strike_cobaltstrike_poet-rat.exe"
Network
Files
| SHA512 | 3fac7bcb12867db8817600c7b4c554b5b2ceb4be260f2206efe6f60e36a39ecea9984927522e5f3818439b8bb1cd4d20417637cb165bce8db0c1c140865b225e |
memory/832-108-0x00007FF6FF9C0000-0x00007FF6FFD11000-memory.dmp
memory/1104-107-0x00007FF6BDB00000-0x00007FF6BDE51000-memory.dmp
memory/3160-105-0x00007FF64F5C0000-0x00007FF64F911000-memory.dmp
memory/2232-97-0x00007FF77AE20000-0x00007FF77B171000-memory.dmp
C:\Windows\System\eTiSDNG.exe
| MD5 | 0598c1d9443fce494689e7e5460e4fd2 |
| SHA1 | 2c2b03fdafe3349ee7321a6fc6b7cb50cfbbe3a1 |
| SHA256 | 81802cb7eb7ea87767068f77a9a8b37d131cb8b7ce2f15e2561f2c83f6dcc377 |
| SHA512 | 5a6a5ef88f0d36be94532bc34ad241a62cddafc98e3bf62344927505c25eb5488fa45e6f58f5d73ffb8962c24ce1a0aaf2462f0c205fb8153e6edf7491a05fc1 |
memory/1196-95-0x00007FF631850000-0x00007FF631BA1000-memory.dmp
C:\Windows\System\yolmzwK.exe
| MD5 | f87dc1e0cdb00d232689ba8d11c11107 |
| SHA1 | 6a6123a4307473b47e8c6a63f14e2f5abd362c6d |
| SHA256 | 9ce7f64f87963320ae2d6ee4c90096d2d989b60dfe8914a7d429e1059396a00b |
| SHA512 | 8dd140618ba27a93497203a9ecc7d372dbfc3d68d847a07a1fd1d59a4be8f82ed25095db2b71e1c05a0246474b93d28062e55816b0d45e1e7eaaf3991d9fcc87 |
memory/1300-80-0x00007FF61D690000-0x00007FF61D9E1000-memory.dmp
memory/872-113-0x00007FF6F3860000-0x00007FF6F3BB1000-memory.dmp
memory/3848-71-0x00007FF687010000-0x00007FF687361000-memory.dmp
C:\Windows\System\mbKkSId.exe
| MD5 | 588a14e757003563e5c5de73cf494424 |
| SHA1 | 062cb29b076aee3244a00df17db48f81770ab58f |
| SHA256 | c81b85d8111ac102757eba8919ff2feaa24ad14adee9dd1bbc6d24549afb86db |
| SHA512 | b19e5a2d2dedab8c5053fc4664a4f718a671231c5be296894154477ebf5580635461f76060376b17eb0720732f43b4dedc7a9945e3fd0c63c491fd08496136ab |
memory/4932-124-0x00007FF6FBE20000-0x00007FF6FC171000-memory.dmp
memory/2944-134-0x00007FF616A50000-0x00007FF616DA1000-memory.dmp
C:\Windows\System\OyDgiVf.exe
| MD5 | 713edfe2a44ec5a56af5212fd3e0c5f6 |
| SHA1 | d881889b99536e6bd218e2c359776b745fed8994 |
| SHA256 | 32032b21fe20ee1a996e5ad6006ba030509f909518e977a91e1d1fa9900fab55 |
| SHA512 | 818be3f20219e1138cec012f42e426397634293d304e9c6af6b7614d51b6f2cb2145c693b87d2f7464c22852aeeeffe41e59db3714c55d394bd5b55e4c2fa0cf |
memory/532-138-0x00007FF716780000-0x00007FF716AD1000-memory.dmp
C:\Windows\System\MsmHxtI.exe
| MD5 | da65af14142b17b9e62cad0ea6aa3ada |
| SHA1 | 2e14690a2c250ddf63c9000560557663d94912af |
| SHA256 | 6296d17770e2894675ebb7d493ea1c60aae30f3639bc2af43eed9f8df1c7df37 |
| SHA512 | 4653d117d1ed6552203573c64567c7e16e12bf980e68ef612f273c335801eb9a697b64cb20539d737e01a64beb2b82d7ba32705a604546bc65f0e066c3b42fd9 |
C:\Windows\System\KybSQoN.exe
| MD5 | 438b697db2e28218af012cdc3f23cbc2 |
| SHA1 | 28a51981f6a8557de4905bbcca3ab15579e1d9c6 |
| SHA256 | 6f10d91e89fae8c238ee39a284b30ad55f753c5a987543e150c24a3f9c6351a4 |
| SHA512 | 2d2546b1b7c9930a03d39f8879d0adbc7c733b9bfcd759103a612874f170474ba8063b4793d11f319c24d6783b88a25ed153902d3fd2e24bd75c9d11f4714ecf |
memory/1960-127-0x00007FF752B20000-0x00007FF752E71000-memory.dmp
memory/4476-118-0x00007FF6D0B30000-0x00007FF6D0E81000-memory.dmp
memory/4600-117-0x00007FF77F190000-0x00007FF77F4E1000-memory.dmp
memory/2236-139-0x00007FF608330000-0x00007FF608681000-memory.dmp
memory/2672-140-0x00007FF727C50000-0x00007FF727FA1000-memory.dmp
memory/1104-142-0x00007FF6BDB00000-0x00007FF6BDE51000-memory.dmp
memory/2232-141-0x00007FF77AE20000-0x00007FF77B171000-memory.dmp
memory/3444-143-0x00007FF76A780000-0x00007FF76AAD1000-memory.dmp
memory/832-148-0x00007FF6FF9C0000-0x00007FF6FFD11000-memory.dmp
memory/4476-157-0x00007FF6D0B30000-0x00007FF6D0E81000-memory.dmp
memory/1960-163-0x00007FF752B20000-0x00007FF752E71000-memory.dmp
memory/2944-165-0x00007FF616A50000-0x00007FF616DA1000-memory.dmp
memory/3444-169-0x00007FF76A780000-0x00007FF76AAD1000-memory.dmp
memory/3848-225-0x00007FF687010000-0x00007FF687361000-memory.dmp
memory/428-227-0x00007FF7FC390000-0x00007FF7FC6E1000-memory.dmp
memory/1216-229-0x00007FF79E880000-0x00007FF79EBD1000-memory.dmp
memory/3868-231-0x00007FF652CF0000-0x00007FF653041000-memory.dmp
memory/5072-233-0x00007FF79BFA0000-0x00007FF79C2F1000-memory.dmp
memory/3308-235-0x00007FF779CB0000-0x00007FF77A001000-memory.dmp
memory/1196-237-0x00007FF631850000-0x00007FF631BA1000-memory.dmp
memory/3160-241-0x00007FF64F5C0000-0x00007FF64F911000-memory.dmp
memory/872-243-0x00007FF6F3860000-0x00007FF6F3BB1000-memory.dmp
memory/4932-247-0x00007FF6FBE20000-0x00007FF6FC171000-memory.dmp
memory/4600-245-0x00007FF77F190000-0x00007FF77F4E1000-memory.dmp
memory/1300-255-0x00007FF61D690000-0x00007FF61D9E1000-memory.dmp
memory/2236-257-0x00007FF608330000-0x00007FF608681000-memory.dmp
memory/2672-259-0x00007FF727C50000-0x00007FF727FA1000-memory.dmp
memory/2232-261-0x00007FF77AE20000-0x00007FF77B171000-memory.dmp
memory/832-265-0x00007FF6FF9C0000-0x00007FF6FFD11000-memory.dmp
memory/1104-263-0x00007FF6BDB00000-0x00007FF6BDE51000-memory.dmp
memory/4476-270-0x00007FF6D0B30000-0x00007FF6D0E81000-memory.dmp
memory/1960-272-0x00007FF752B20000-0x00007FF752E71000-memory.dmp
memory/532-276-0x00007FF716780000-0x00007FF716AD1000-memory.dmp
memory/2944-274-0x00007FF616A50000-0x00007FF616DA1000-memory.dmp