Analysis Overview
SHA256
c7b4dca410e01266e143d8fd5f6428efa26ea5191c41c7b66094101e90132e13
Threat Level: Known bad
The file 2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
XMRig Miner payload
Cobaltstrike family
Cobaltstrike
Cobalt Strike reflective loader
xmrig
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-15 10:53
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 10:53
Reported
2024-08-15 10:56
Platform
win7-20240729-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\rOtKjzD.exe | N/A |
| N/A | N/A | C:\Windows\System\qCooiyS.exe | N/A |
| N/A | N/A | C:\Windows\System\EqixWXc.exe | N/A |
| N/A | N/A | C:\Windows\System\jcMBFKr.exe | N/A |
| N/A | N/A | C:\Windows\System\AytMoGn.exe | N/A |
| N/A | N/A | C:\Windows\System\PSIcznB.exe | N/A |
| N/A | N/A | C:\Windows\System\oADQplM.exe | N/A |
| N/A | N/A | C:\Windows\System\dfNLfeH.exe | N/A |
| N/A | N/A | C:\Windows\System\jekxWJc.exe | N/A |
| N/A | N/A | C:\Windows\System\fWBfgtS.exe | N/A |
| N/A | N/A | C:\Windows\System\bCaoNTw.exe | N/A |
| N/A | N/A | C:\Windows\System\MyZJzVq.exe | N/A |
| N/A | N/A | C:\Windows\System\GLAOVUC.exe | N/A |
| N/A | N/A | C:\Windows\System\uLazgSE.exe | N/A |
| N/A | N/A | C:\Windows\System\ZUoEFiP.exe | N/A |
| N/A | N/A | C:\Windows\System\PBRzKea.exe | N/A |
| N/A | N/A | C:\Windows\System\RFHmFvG.exe | N/A |
| N/A | N/A | C:\Windows\System\hjqilsk.exe | N/A |
| N/A | N/A | C:\Windows\System\RJHdMbk.exe | N/A |
| N/A | N/A | C:\Windows\System\GyljXva.exe | N/A |
| N/A | N/A | C:\Windows\System\wAyburv.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\rOtKjzD.exe
C:\Windows\System\rOtKjzD.exe
C:\Windows\System\qCooiyS.exe
C:\Windows\System\qCooiyS.exe
C:\Windows\System\EqixWXc.exe
C:\Windows\System\EqixWXc.exe
C:\Windows\System\jcMBFKr.exe
C:\Windows\System\jcMBFKr.exe
C:\Windows\System\AytMoGn.exe
C:\Windows\System\AytMoGn.exe
C:\Windows\System\PSIcznB.exe
C:\Windows\System\PSIcznB.exe
C:\Windows\System\oADQplM.exe
C:\Windows\System\oADQplM.exe
C:\Windows\System\dfNLfeH.exe
C:\Windows\System\dfNLfeH.exe
C:\Windows\System\jekxWJc.exe
C:\Windows\System\jekxWJc.exe
C:\Windows\System\fWBfgtS.exe
C:\Windows\System\fWBfgtS.exe
C:\Windows\System\bCaoNTw.exe
C:\Windows\System\bCaoNTw.exe
C:\Windows\System\MyZJzVq.exe
C:\Windows\System\MyZJzVq.exe
C:\Windows\System\GLAOVUC.exe
C:\Windows\System\GLAOVUC.exe
C:\Windows\System\uLazgSE.exe
C:\Windows\System\uLazgSE.exe
C:\Windows\System\ZUoEFiP.exe
C:\Windows\System\ZUoEFiP.exe
C:\Windows\System\PBRzKea.exe
C:\Windows\System\PBRzKea.exe
C:\Windows\System\RFHmFvG.exe
C:\Windows\System\RFHmFvG.exe
C:\Windows\System\hjqilsk.exe
C:\Windows\System\hjqilsk.exe
C:\Windows\System\RJHdMbk.exe
C:\Windows\System\RJHdMbk.exe
C:\Windows\System\GyljXva.exe
C:\Windows\System\GyljXva.exe
C:\Windows\System\wAyburv.exe
C:\Windows\System\wAyburv.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1316-0-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/1316-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\rOtKjzD.exe
| MD5 | 003e0bde51281d9728e18e65b50f64dd |
| SHA1 | 24dd5027d62d69a8979beed67ffa7623ad3cadec |
| SHA256 | cbfece501a656853a823174778a8e53544db3d82bcd62c33b732617128fbe269 |
| SHA512 | a6c48c5af05acb8333ea62e3f87b369fa8fa579c2f945bc275a4746d0ee4290e091a94f7b9bc3d0b40b74866c1496b94730ab691f3376c505eec3ec213bea29f |
memory/1316-6-0x000000013FFA0000-0x00000001402F1000-memory.dmp
C:\Windows\system\qCooiyS.exe
| MD5 | e6bdac8945aeebde6aeea9f0eafc793a |
| SHA1 | 1de61a4ff5540a938d5f9b5e8f1d97f82cd09ae3 |
| SHA256 | cdb2e0b36802ce13aa7ab4b28ca5b39b99f8d545ce15f8bd473301ef04671779 |
| SHA512 | ed6d24b8e387806deaaea2212012f927515dfdcda63c486e86579d505c193c3b1f6e3fae866614f14ffabb65896ed839d830d52716a867bb9dcc73d735c86819 |
memory/2072-15-0x000000013FE70000-0x00000001401C1000-memory.dmp
memory/1316-13-0x000000013FE70000-0x00000001401C1000-memory.dmp
C:\Windows\system\EqixWXc.exe
| MD5 | 5df813a5df1c7bda45c444f0e51a327f |
| SHA1 | ddbe761a60190b86e15f7e42f18e754e9429b30c |
| SHA256 | d8611cb36556ea9da110dea1de9bf5e19fc19d9bc41b1768a7879d9cfc59e7e6 |
| SHA512 | d1b87be67315ab3b897a0975f48cbc19705bc376b772cfa46b4d5009594f8cc88442a89c219310594df07662ba6db045f3cbc1db6a2717d0ca17ce19cf17a987 |
memory/1316-22-0x000000013F240000-0x000000013F591000-memory.dmp
memory/2796-21-0x000000013F240000-0x000000013F591000-memory.dmp
\Windows\system\jcMBFKr.exe
| MD5 | d215d8b6153feed6f7efe158bdbd35d6 |
| SHA1 | 795ca5b24aef0e9218d7a630e9e39d7c0334230a |
| SHA256 | 710ecd24c31a8f3db2446364fef01f7fea7ea2acab698b448ca40fc085401c0e |
| SHA512 | cdf6bb8b4ce30c5d2dd893bb50ce003d89c5c648d3e0d6b63691b7af2d9746863558ca5707cdcc6a06a5ad5a3e001983c6e97f4f8b6f34b8b1cc111fa169c7d0 |
memory/2888-28-0x000000013F5B0000-0x000000013F901000-memory.dmp
C:\Windows\system\AytMoGn.exe
| MD5 | c543fe2fd978df5c3bc98da79a2b5574 |
| SHA1 | c963fa64189640b9cf8ee7e4ba59658c94fc4bf8 |
| SHA256 | b18e5676de138d94338f84439f05d7809508151bc325b01898f4a3b447b409ab |
| SHA512 | d8e9216d9b2fa576d38f832935f076b9156b658175aa3a0a9412bb2dda9c315a547fcf1358032c73db968636147fdd0a75edfefccff620a208dfffcb1a1fc05c |
C:\Windows\system\PSIcznB.exe
| MD5 | d9e5c30e798531b18aff882c2d3e0940 |
| SHA1 | f4bfc1429847e57568c4e8107926ef6218135b2c |
| SHA256 | 369df291836577e15671cd5e5779ef256e84b76269b30d17235edcd7a56cc536 |
| SHA512 | 542fb32cba2e1123fc99f3ab299af4730e4b63478c8da436e3ed2f525b4995f31a586a7b1675abf00994dff1c9b00d99c6fcc077c472a6715e5da1190e1f8478 |
memory/2884-40-0x000000013F880000-0x000000013FBD1000-memory.dmp
memory/2908-38-0x000000013F0A0000-0x000000013F3F1000-memory.dmp
\Windows\system\oADQplM.exe
| MD5 | 6861f36dfd8f2be82b9672a879bf6005 |
| SHA1 | 5036f1fb5b99e88399b48575cdb82ad94a9b0f7b |
| SHA256 | 328257df6a923601083f25ab39a08993757c3cfe856d023d708fa92fd0d9bc09 |
| SHA512 | b8267613d3cd79df579ecc4ec739df2c1eb2fe317d6142389de3c7518c22fa9d8ac0cb547618993910751b1730b52f57d8846fe7113583fa79b015a21df984a2 |
memory/1316-42-0x000000013F6E0000-0x000000013FA31000-memory.dmp
\Windows\system\jekxWJc.exe
| MD5 | f6373d5faefee29841412bb12b60ec1a |
| SHA1 | cb689ede636105ce76c8a303a859c6f5040413de |
| SHA256 | fa10f9612f32b95efce99077e88b146f41037dbe58e6392321f6fbe43cc6c804 |
| SHA512 | 4fd6b0a8c61d7ba9d8132c038d7c99f55e0302ed0cd09d17e8c4a1c62845d797473e830821a4fce345514beb1e67d923039eaf68561347333c59379cd5703fd0 |
memory/680-56-0x000000013F510000-0x000000013F861000-memory.dmp
C:\Windows\system\fWBfgtS.exe
| MD5 | f16d4de0c94bba35383d0114dfa0bceb |
| SHA1 | c3d58c8aec6029837c41b6ad7bd1a04f1e0256d7 |
| SHA256 | 6563956e7cb4224129c7da01ee8cd63bc49a0ff413dde36076456c1dbd633f00 |
| SHA512 | 1bef3ed6559346ba569325642758dae8af03343b68f2f1e14c27bacf2f1c2cfc8512974435e93ead22585b9f32edc9df808b1ae7d2603e0f29e49d1449303d9f |
memory/3068-72-0x000000013F5E0000-0x000000013F931000-memory.dmp
memory/1316-61-0x00000000021E0000-0x0000000002531000-memory.dmp
memory/2072-60-0x000000013FE70000-0x00000001401C1000-memory.dmp
memory/2908-83-0x000000013F0A0000-0x000000013F3F1000-memory.dmp
memory/2904-88-0x000000013F7A0000-0x000000013FAF1000-memory.dmp
memory/2532-79-0x000000013F570000-0x000000013F8C1000-memory.dmp
C:\Windows\system\MyZJzVq.exe
| MD5 | ceba380a04b1f067ad20538bc039a255 |
| SHA1 | 8c6ef467c361e692efd0e3fec235f227aba923a8 |
| SHA256 | 713d5a86afd6da88d7c32c51346f375941ad0674b788ef7e0a74106b256be338 |
| SHA512 | faa17628564e96657288af3087e608a69f9840dfcfe5ea73ded013f5effb3dec0c8aa93e34e42295d6d99c5b3e0559ff1a3afa2dcb2efcc6db9577f1b0a1df07 |
memory/552-104-0x000000013F230000-0x000000013F581000-memory.dmp
C:\Windows\system\hjqilsk.exe
| MD5 | 72087d739a9d6a651709d79491e9812b |
| SHA1 | af7eede590c3ce212ca84cb2f89d9e391ffe18b8 |
| SHA256 | 6d5cc3397c1bcf6ba9db0c1efd372ecef170acd93f50c8afa185a9e0cb03100a |
| SHA512 | 43434a190cd9f0ad1cda0e59847ebcf73491976c562148848a5539cad1af0297bde28a8ce1b787139504a16b4aa87fc1663a1acf295ee7e3e583e8e908905655 |
C:\Windows\system\GyljXva.exe
| MD5 | 6d114c8915b1b4b0e127f5100669fedb |
| SHA1 | b08a98ccbf5debcd0010591aa7625292ae2c20e4 |
| SHA256 | 026e50935b72923a1a99f0019bf4a8617100c5e9c493fb22c31f409b4efe8025 |
| SHA512 | 5478df769dd077f9872122981a063741176842d5bb611c97ce949a38588fe133fc221c054a53b73aaee225aca2caaeed4a9b7d96ad7d09af3fbf948037106e7a |
\Windows\system\wAyburv.exe
| MD5 | 55b91aa7f7b39998cfce3a9cdd5b63b5 |
| SHA1 | 78aeba8f49511e1b4e827f2b35d2c837a930912b |
| SHA256 | cb83f0d95dfa8e4b73a92b35c0b864fed371b28826d0b0540d2913ce97108167 |
| SHA512 | 513487ef10451d3e559baad97734af9da37cd67e97ece5f55a189eaad0b1ebe82b783396cae6780e06c395c2f27d622b498c78f479e7fd201d2c40617091eb85 |
C:\Windows\system\RJHdMbk.exe
| MD5 | 468aa2e5927cf4185facb9a1d2d8f16a |
| SHA1 | 6ebf006e3de3029e3d1730d1221246dbedfa253a |
| SHA256 | 41351272b43cb2dc6c9a41dfa827a0b0c050a0f0a97bd20a76ebb7b1c919c609 |
| SHA512 | 09dfa485029e87c5ef05088bae5bea7b189b03539245cd4a84df55f0f8fa379eb2c0d59e6647f6f8886b18b8f36a3f1adc436dbf6a8060eecbc7d40a5598ecb9 |
C:\Windows\system\RFHmFvG.exe
| MD5 | d4ecb459d4d29e660e736ff49eab551b |
| SHA1 | 90cab15136663f5205bccf2b1bd938a7262ed747 |
| SHA256 | cb170aecd39362c852c5166f3b0c77944d60c8e2ec006a17f1a17432657a761d |
| SHA512 | e31b77d95aebf12dca9b48c7d20473a77a2537f8df0b667939d67dd9019a0c107dca3051aa974c0db53face9c917e95519228b3ba4b616cced121f0e8d86c870 |
memory/3068-143-0x000000013F5E0000-0x000000013F931000-memory.dmp
C:\Windows\system\PBRzKea.exe
| MD5 | fe4aa999e0b3c4af3bd52331a0d48123 |
| SHA1 | fa2c3360041eb43d1bf16606abec20bbfe38ba6d |
| SHA256 | 1610e49b13249c5161ba45d1be6073b0c391b9307f9086f0bb0d9c1d272ab8f0 |
| SHA512 | fd161c13db3de8c8dabf177b4cce79f4690b12284b3f76fac839f6ee3369737386a669c87f628f0b3063175a1b48484c3e461be8cd7e6a252df7323e97005b88 |
C:\Windows\system\ZUoEFiP.exe
| MD5 | e21c3757dd84a116c59f5b511b5253a6 |
| SHA1 | b0b7626e191734eabfc7fed6a0873fbfe5c733ca |
| SHA256 | 8065f7cff5774e5cad63c9f8fc9ef0639e856a0fdb4cb631de8ce26e75882b7a |
| SHA512 | dad134d7437bb5aa518ded1fb5f48a9c50b6ce037fbf3c6104c1009a06625aa981d35a5ea83f04af28fe96bc1a7f2c7642240d6f83fee5f52f35ea267347c2b9 |
memory/1316-109-0x00000000021E0000-0x0000000002531000-memory.dmp
memory/2604-108-0x000000013FE30000-0x0000000140181000-memory.dmp
memory/1316-144-0x00000000021E0000-0x0000000002531000-memory.dmp
memory/2700-96-0x000000013F760000-0x000000013FAB1000-memory.dmp
memory/680-95-0x000000013F510000-0x000000013F861000-memory.dmp
C:\Windows\system\uLazgSE.exe
| MD5 | afab6261f4010913116885da92182a10 |
| SHA1 | a8b7a33c1293eaea0e843af8fe24b249cd464046 |
| SHA256 | f6d38e56930cb8f4b3b1721f222ad00206f03a2759153953a33182b7be9621ac |
| SHA512 | 9a3baa0b88430bfac2aa3ed6dea170bd26352da883acebc36b4bdbf134bf5ebf45b7579b34038ef54e64115cceaf278d96fc631959931a73a0300bfa64d274b7 |
C:\Windows\system\GLAOVUC.exe
| MD5 | 715458b1114a90a73917258cda19465f |
| SHA1 | c9942eaf683738537bf2d3f501e9a137c419ca81 |
| SHA256 | 201ec5575a03274ddbf56c98872d01881221b456729aaa56026137e497f303ee |
| SHA512 | ed31c11a4ffc714c2446d9ce369d991d34ed0b83370e4e9c4868a98a1bf340136e5627b9c2be9b090759260fe06e6c5e3ec461d4e8d035636f267e4c5cb23611 |
memory/2960-92-0x000000013F7A0000-0x000000013FAF1000-memory.dmp
memory/1316-101-0x00000000021E0000-0x0000000002531000-memory.dmp
memory/1316-100-0x00000000021E0000-0x0000000002531000-memory.dmp
memory/1316-85-0x00000000021E0000-0x0000000002531000-memory.dmp
memory/2884-84-0x000000013F880000-0x000000013FBD1000-memory.dmp
C:\Windows\system\bCaoNTw.exe
| MD5 | a6e941ae9a6f595d01b10c919da32835 |
| SHA1 | dee2f7bace308421c1163aff2e0cd2685258987f |
| SHA256 | 555c5908ce707ad550f7b81d355454712df31cde4f5c03cb5b0ea65a1186f3bf |
| SHA512 | 5dc3de27e61c8d318d1629df2be5ccd88ae6971907388caca8ecf7a76892d073f5a09eca0c559a8665de86387aaa8527e7951ac75045292924436dec9ec9eced |
memory/1316-76-0x00000000021E0000-0x0000000002531000-memory.dmp
memory/2532-145-0x000000013F570000-0x000000013F8C1000-memory.dmp
memory/1500-59-0x000000013FFA0000-0x00000001402F1000-memory.dmp
memory/2888-69-0x000000013F5B0000-0x000000013F901000-memory.dmp
memory/2604-68-0x000000013FE30000-0x0000000140181000-memory.dmp
memory/1316-65-0x00000000021E0000-0x0000000002531000-memory.dmp
memory/2960-55-0x000000013F7A0000-0x000000013FAF1000-memory.dmp
C:\Windows\system\dfNLfeH.exe
| MD5 | dbdfe7bfdd2f779ba18b5009702b3ddf |
| SHA1 | ff57ff41a198752ba657777fe5a7ba2422ac85da |
| SHA256 | 681db1d7931909663283c046abbe7c0379b81a319db3e738c956208bac29a3eb |
| SHA512 | be72213c57b5551a9f620625cacbfe9fa393e941ac4c6138af40760248f2d8f712a386fa090808989584394ea3ad21c1861d87d0024b29ebf9e2f361b5c34251 |
memory/1316-64-0x000000013FE70000-0x00000001401C1000-memory.dmp
memory/1316-63-0x000000013FE30000-0x0000000140181000-memory.dmp
memory/1316-45-0x00000000021E0000-0x0000000002531000-memory.dmp
memory/1316-36-0x00000000021E0000-0x0000000002531000-memory.dmp
memory/1316-146-0x00000000021E0000-0x0000000002531000-memory.dmp
memory/2904-147-0x000000013F7A0000-0x000000013FAF1000-memory.dmp
memory/2700-149-0x000000013F760000-0x000000013FAB1000-memory.dmp
memory/1316-148-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/552-155-0x000000013F230000-0x000000013F581000-memory.dmp
memory/2144-165-0x000000013F3E0000-0x000000013F731000-memory.dmp
memory/2788-171-0x000000013F630000-0x000000013F981000-memory.dmp
memory/2328-170-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/1316-169-0x00000000021E0000-0x0000000002531000-memory.dmp
memory/2840-167-0x000000013F560000-0x000000013F8B1000-memory.dmp
memory/2852-168-0x000000013F2F0000-0x000000013F641000-memory.dmp
memory/2704-166-0x000000013FE70000-0x00000001401C1000-memory.dmp
memory/2512-172-0x000000013FD00000-0x0000000140051000-memory.dmp
memory/1316-173-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/1500-222-0x000000013FFA0000-0x00000001402F1000-memory.dmp
memory/2072-224-0x000000013FE70000-0x00000001401C1000-memory.dmp
memory/2796-226-0x000000013F240000-0x000000013F591000-memory.dmp
memory/2888-237-0x000000013F5B0000-0x000000013F901000-memory.dmp
memory/2908-239-0x000000013F0A0000-0x000000013F3F1000-memory.dmp
memory/2884-241-0x000000013F880000-0x000000013FBD1000-memory.dmp
memory/680-244-0x000000013F510000-0x000000013F861000-memory.dmp
memory/2960-245-0x000000013F7A0000-0x000000013FAF1000-memory.dmp
memory/2604-247-0x000000013FE30000-0x0000000140181000-memory.dmp
memory/3068-249-0x000000013F5E0000-0x000000013F931000-memory.dmp
memory/2532-251-0x000000013F570000-0x000000013F8C1000-memory.dmp
memory/2904-262-0x000000013F7A0000-0x000000013FAF1000-memory.dmp
memory/2700-264-0x000000013F760000-0x000000013FAB1000-memory.dmp
memory/552-266-0x000000013F230000-0x000000013F581000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 10:53
Reported
2024-08-15 10:56
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\urWpCSw.exe | N/A |
| N/A | N/A | C:\Windows\System\LliolhH.exe | N/A |
| N/A | N/A | C:\Windows\System\eaKcnhf.exe | N/A |
| N/A | N/A | C:\Windows\System\JcqMSld.exe | N/A |
| N/A | N/A | C:\Windows\System\QhqHKnq.exe | N/A |
| N/A | N/A | C:\Windows\System\RjnQNUN.exe | N/A |
| N/A | N/A | C:\Windows\System\ylAshbW.exe | N/A |
| N/A | N/A | C:\Windows\System\wmyPcpk.exe | N/A |
| N/A | N/A | C:\Windows\System\lPcMCbe.exe | N/A |
| N/A | N/A | C:\Windows\System\zxKnpxv.exe | N/A |
| N/A | N/A | C:\Windows\System\xOGFAGq.exe | N/A |
| N/A | N/A | C:\Windows\System\MYVsfEY.exe | N/A |
| N/A | N/A | C:\Windows\System\NURapao.exe | N/A |
| N/A | N/A | C:\Windows\System\XRgemyS.exe | N/A |
| N/A | N/A | C:\Windows\System\YsYuAxz.exe | N/A |
| N/A | N/A | C:\Windows\System\YhFLZOd.exe | N/A |
| N/A | N/A | C:\Windows\System\hNUVjQl.exe | N/A |
| N/A | N/A | C:\Windows\System\mgVqtRq.exe | N/A |
| N/A | N/A | C:\Windows\System\CrHqCuJ.exe | N/A |
| N/A | N/A | C:\Windows\System\VrTNMrf.exe | N/A |
| N/A | N/A | C:\Windows\System\HtGquuU.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-15_b471a1a0e8a077241816a8dceceaf9dd_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\urWpCSw.exe
C:\Windows\System\urWpCSw.exe
C:\Windows\System\LliolhH.exe
C:\Windows\System\LliolhH.exe
C:\Windows\System\eaKcnhf.exe
C:\Windows\System\eaKcnhf.exe
C:\Windows\System\JcqMSld.exe
C:\Windows\System\JcqMSld.exe
C:\Windows\System\QhqHKnq.exe
C:\Windows\System\QhqHKnq.exe
C:\Windows\System\RjnQNUN.exe
C:\Windows\System\RjnQNUN.exe
C:\Windows\System\ylAshbW.exe
C:\Windows\System\ylAshbW.exe
C:\Windows\System\wmyPcpk.exe
C:\Windows\System\wmyPcpk.exe
C:\Windows\System\lPcMCbe.exe
C:\Windows\System\lPcMCbe.exe
C:\Windows\System\zxKnpxv.exe
C:\Windows\System\zxKnpxv.exe
C:\Windows\System\xOGFAGq.exe
C:\Windows\System\xOGFAGq.exe
C:\Windows\System\MYVsfEY.exe
C:\Windows\System\MYVsfEY.exe
C:\Windows\System\NURapao.exe
C:\Windows\System\NURapao.exe
C:\Windows\System\XRgemyS.exe
C:\Windows\System\XRgemyS.exe
C:\Windows\System\YsYuAxz.exe
C:\Windows\System\YsYuAxz.exe
C:\Windows\System\YhFLZOd.exe
C:\Windows\System\YhFLZOd.exe
C:\Windows\System\hNUVjQl.exe
C:\Windows\System\hNUVjQl.exe
C:\Windows\System\mgVqtRq.exe
C:\Windows\System\mgVqtRq.exe
C:\Windows\System\CrHqCuJ.exe
C:\Windows\System\CrHqCuJ.exe
C:\Windows\System\VrTNMrf.exe
C:\Windows\System\VrTNMrf.exe
C:\Windows\System\HtGquuU.exe
C:\Windows\System\HtGquuU.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1840-0-0x00007FF7D26A0000-0x00007FF7D29F1000-memory.dmp
memory/1840-1-0x000001113F670000-0x000001113F680000-memory.dmp
C:\Windows\System\urWpCSw.exe
| MD5 | aac3403fdbc5b04a9cc76ae9cde6d09a |
| SHA1 | 40f7a0fd4dbdd6dd7e3e2ad790adbb73427e6cf9 |
| SHA256 | 41522a1206fda750c725b12ed3ef1adf33075a7d1766c87f03a9e124f2c32de3 |
| SHA512 | 7474388db3c0379f24bca8c9f12770c819ed68b14172325ff2d1e4a411c495576ff174f652d66e64205e9cb13b5fc9ecb7ae92b276732187d60e6aa44dad388d |
memory/4888-7-0x00007FF6A64F0000-0x00007FF6A6841000-memory.dmp
C:\Windows\System\LliolhH.exe
| MD5 | 7a6f80dec687dbeee77b27c2f9cc65c5 |
| SHA1 | 2d1addfa27d83cb6bb00d629b98b34b37bfe85d7 |
| SHA256 | 7cb4d874afa69145e6f23f66502c89bac9973f9be311e97fbb6d7adc6f4314ae |
| SHA512 | b2bd011017ef05f5ec412edd039490308bb329e42f28dcedb4b3917ac54b9b3deeb20a6d95e9faf0d3d5c77edb56b6e08d1595fbd915e953a247b01e873bcc2a |
C:\Windows\System\eaKcnhf.exe
| MD5 | 0fed4b25c7b63359988a989d311876a4 |
| SHA1 | 55fd5df89a53dc30af2a035af212c44bd662a10e |
| SHA256 | 4c886efdb8ab0601d4fb4126fdf2cc7d783ea05ab9197c3d8a703e46fdc294b8 |
| SHA512 | bc8bf991bb3fc4c4970d1516035da356a1175cbae409c09ecb67045bb73912abf2883232ec8033c869115bfadc89d063a7ea18d7e94952cf8cbbeaa8f51d8039 |
memory/3232-14-0x00007FF7D2350000-0x00007FF7D26A1000-memory.dmp
C:\Windows\System\JcqMSld.exe
| MD5 | 2814390e206534f196bbcf05878cea78 |
| SHA1 | 01986a9f86c5b756988d0b8157b08c379d3d99b8 |
| SHA256 | 9dd0b16337920386564fc0805fcc4f7c6e58eead582a86897f8abece479ac0df |
| SHA512 | 39b99d48261442394344c237ea976d9003f2fa642d9c716a30aff84c43ef47f053bb3831e879a2e0f7f28c86435b3cebf012f403ae999258aed433670c4d4107 |
memory/1896-23-0x00007FF62EF90000-0x00007FF62F2E1000-memory.dmp
memory/1816-21-0x00007FF7C6310000-0x00007FF7C6661000-memory.dmp
C:\Windows\System\QhqHKnq.exe
| MD5 | 82208d989e97bfb6ea7aec7f0455ae30 |
| SHA1 | 3d7b7ea0796d5cce37b39d27fb773025ae6f0c5c |
| SHA256 | 6cdc9b8b3ad1446ed7d95bde8bfdfa65ac5f352c2b975f078a44028b20665af1 |
| SHA512 | f7e88d411ff04fcb2b40fd55c278b284fc5a3e6a794df6a4852b6013d89a7641c1f15b449012a94914f47667062e78c30a8d4755f7f0ba3569b180d0d960a350 |
C:\Windows\System\RjnQNUN.exe
| MD5 | 76e97519b3d174b20459713195f85f9d |
| SHA1 | 408af039237425e889a2a5190814fdbe33f58fb2 |
| SHA256 | 64c488f8b41a5a23a1415d6fca8b897b24502c97df3bfa6675c8fbede50a78b0 |
| SHA512 | 5dff318d2a8ce9e59634b699a638c743362e45fe0c6bb072b3ff40e59ffbdefb80b85c1a3834c476ab14893658d9d3361d666ec47998b4ec3272c8b5fef82703 |
C:\Windows\System\ylAshbW.exe
| MD5 | 63e26d4335d8ec305905e732824ce490 |
| SHA1 | f74bd500c8772de3a0f90205d9f0ab98a920fd73 |
| SHA256 | 2e79a1de04e5784b7eda1b1b49ebf0a505ece0d9de4e2a76eb253b4c6f9cad2f |
| SHA512 | 31be3bdde39cf11a8f02387a382cdb17ec7bb4998ecae574cf05b076fab4e92ea650124ec3e92bd04d697bf12dd3ea91c4a19546facf2be823d2bdef74ff2087 |
memory/3784-41-0x00007FF645C90000-0x00007FF645FE1000-memory.dmp
C:\Windows\System\wmyPcpk.exe
| MD5 | e4d320f6c423c3302af13cef21e32698 |
| SHA1 | 3471d83f80deab0e849b807a7123f517d4004a9a |
| SHA256 | 4b04c477a531cb9bad76aff60642a9a57a7712ba9b6bf700f011c86a1654a935 |
| SHA512 | 027cd4713339ebcc1fef983fc49f132f716d464946592a97396b192ee06782d8c1fc35ef9c9370f74c6662890d5fa0ef217a32ac53894b9d11e2643916f2346b |
memory/404-54-0x00007FF696A40000-0x00007FF696D91000-memory.dmp
C:\Windows\System\lPcMCbe.exe
| MD5 | d0460bb2a5535bfce3f3af8070703064 |
| SHA1 | b0daa3b68a74dbbb83e42d348fe9f14fb22816a5 |
| SHA256 | 8902f0bb2cf89671346963c8c86d4c8f7a80edb70d6e1651addf3a4fc7c231b7 |
| SHA512 | 77766ddbfa274d8e0a5b383584baf46d4e77428b01028d5105e700bedfb5b27be45986241daca28d5a7f10c39490e49ec206caf2b14af06ad2c0983e73d9db9c |
memory/4564-47-0x00007FF6857A0000-0x00007FF685AF1000-memory.dmp
memory/1284-44-0x00007FF699050000-0x00007FF6993A1000-memory.dmp
memory/1296-36-0x00007FF631830000-0x00007FF631B81000-memory.dmp
memory/1840-59-0x00007FF7D26A0000-0x00007FF7D29F1000-memory.dmp
C:\Windows\System\zxKnpxv.exe
| MD5 | 555dca9c8ec0a146d9abc35c7f2b76f4 |
| SHA1 | 4d1226589516c3082937975f0ca630a2a97daf15 |
| SHA256 | 7af4b6cf135adae6f01f6cd37cbbfdb234442facf3b037a5a539ed15b2e1a5c2 |
| SHA512 | fdf3d869a88e9869932729106ac6d14e5e92ddf832035dff7cef21b64d916ef401a3bb56682222cc8fe728f939fd133bd09d1b2d7e164a654ae3f956dd9cc04a |
C:\Windows\System\xOGFAGq.exe
| MD5 | 58a29fbe125f168e068e8629429dd924 |
| SHA1 | 907639a28032fcb83ffd71fb53175349d7494521 |
| SHA256 | 381455e3f520aae1a122e7f4c21d9aefcfb19a98a95982bc54bd7da026cdc422 |
| SHA512 | ad805f2f970cdf6e63b9a636c020e19d370d91fa2b12065d8334b6ddd2b35b8c3aa7cc47a633297440b9c80d9c5fd9346b50957670f44d8e6830c1049ddef30a |
memory/2196-69-0x00007FF6030B0000-0x00007FF603401000-memory.dmp
memory/3232-68-0x00007FF7D2350000-0x00007FF7D26A1000-memory.dmp
memory/1192-64-0x00007FF613FC0000-0x00007FF614311000-memory.dmp
memory/4888-62-0x00007FF6A64F0000-0x00007FF6A6841000-memory.dmp
C:\Windows\System\NURapao.exe
| MD5 | 27b4f72476fb1bfc3c972f1583e1a806 |
| SHA1 | 60d4bf53a4815e87c592a87f5767876c274c4f49 |
| SHA256 | ca14684c8b22116df2829b26c2a614eaec5c892095bd9cdd56ca2b759d1c950d |
| SHA512 | 71a54551b506ffdc7ba3b369473c42f798a1b57721e594a1d8a64f2c4704d9b542dd5ec48cbe9be7b8f4cbf222bf3c376ed2ae72d5cb06f5e2a4d7a2bfa8b6aa |
memory/2568-77-0x00007FF7D9A00000-0x00007FF7D9D51000-memory.dmp
memory/1896-82-0x00007FF62EF90000-0x00007FF62F2E1000-memory.dmp
C:\Windows\System\MYVsfEY.exe
| MD5 | a03c1c4ac24a430aeae48055287c3687 |
| SHA1 | b8313e8c5cddf4b26a20be3ee5cbc79b3fdcd61b |
| SHA256 | 85d4e18398369a870cafd3de21410d7e54334abbeca734a48cde0932a237314a |
| SHA512 | 5df36fbb1cf3733cbb5f2082c0feee4e74a88fb592d2269c2ccc33a9962e44de20afac8c220148d0c287ca17c9cab6ede0e9427071e213edb441005863213668 |
C:\Windows\System\XRgemyS.exe
| MD5 | c5cac17b8cb931c4f3214447f1544ddb |
| SHA1 | 118d053c6735065d72aec9709b07756b7cb222ed |
| SHA256 | f59dd5a89944cf27a3ac218a6e786e51a018ab1165e0a942aad70df87b6d65ee |
| SHA512 | 639caaeba6905b45bc12529712f1cb971197277f6e18ab3e1fededdef9021b9eb73a47654fbab4c3f50ba71b8d6eeedd9ca408898d62ce214528c7dbba051126 |
memory/876-87-0x00007FF79A7D0000-0x00007FF79AB21000-memory.dmp
memory/2332-84-0x00007FF70F6D0000-0x00007FF70FA21000-memory.dmp
memory/1816-75-0x00007FF7C6310000-0x00007FF7C6661000-memory.dmp
memory/4564-96-0x00007FF6857A0000-0x00007FF685AF1000-memory.dmp
memory/1284-95-0x00007FF699050000-0x00007FF6993A1000-memory.dmp
C:\Windows\System\YsYuAxz.exe
| MD5 | 9f987f2a5c5c225d5e38ebb5bdbd3c6e |
| SHA1 | 75245d5655023532cf8c6ccedd007cfa96c7815a |
| SHA256 | bb25ea0c879cc324b86d898771c57546c75683f26e071e01e3873169bf2b844f |
| SHA512 | 22040c24c710c60b07300a4aadb3c758856fb1d97cb28c192bbd8bc01434dc38ab8d0d669f6a406369052f16c078fe35dccef31d7b16391dfd3a314a82ae4b21 |
memory/3620-97-0x00007FF7F55A0000-0x00007FF7F58F1000-memory.dmp
C:\Windows\System\YhFLZOd.exe
| MD5 | f96666ce65504d97d51d2f57b939cbf9 |
| SHA1 | 15aaf0d27b98e54e430ba8a59d4bf717e273db6d |
| SHA256 | 84bab327419c7439356d987e32c73cd51659d87d607af2375d4efc7b21825441 |
| SHA512 | bf4abe33f1848354a98cc8a140eaedf023bfe0c2cd7e91c463edefeac476fa3c88eb8fe20ac1328fdba2bcf85ec5f6b9ade9163e208ada018ab77c26f3e01ec0 |
memory/3264-103-0x00007FF7ACD80000-0x00007FF7AD0D1000-memory.dmp
C:\Windows\System\hNUVjQl.exe
| MD5 | 2d85823a5546ded18d70f6131307a64e |
| SHA1 | 7ce4062a4c9dc57581de7a4a03245ce85028cbac |
| SHA256 | faf4cb2af8158b9b41ef8cde1c342ce4f128672e02350bf62b4a15538e93e9db |
| SHA512 | b40e430031f3fb54217b19be584588f1bef5ea9c7e7465a46c6fa2e6a02e44172615a0f249c7a4dbbba6337fd580a457f966ec80ef9d98cb941d490de554f6c4 |
C:\Windows\System\mgVqtRq.exe
| MD5 | cd01f3cc5895789b15201608abc436e5 |
| SHA1 | a79baf72b6bf22e3992fb8660613e0e0c23b8f9d |
| SHA256 | d2b45647760247eda46af8056d1c871e23fe31e07c7aae6f3635f115c699d8b9 |
| SHA512 | 6a62c21cd401531e898ab6bb53f0d784dc98656a5825f9e4f52114bd64168cf64bd51f3d34303f31ddc1f74c34244bdaaa8b68c19052cfc15082aaf655f2405d |
memory/1080-115-0x00007FF6A6F50000-0x00007FF6A72A1000-memory.dmp
memory/404-111-0x00007FF696A40000-0x00007FF696D91000-memory.dmp
memory/3936-124-0x00007FF730AC0000-0x00007FF730E11000-memory.dmp
memory/224-129-0x00007FF610B50000-0x00007FF610EA1000-memory.dmp
memory/772-132-0x00007FF677430000-0x00007FF677781000-memory.dmp
C:\Windows\System\VrTNMrf.exe
| MD5 | d949c769b0124a5121c6de5aefbecd0f |
| SHA1 | 21ef1dcb88a44ccf27ec952fa914f5317abf843a |
| SHA256 | d50cf604bced86223356cd5729efccc68f931f8316d53dde7ff7c04c8253fe2b |
| SHA512 | fce38b71ffd4807bb1c7d715a8d5687f0ec0846d37d8ac130000154179f704fe52ffca7f1bebab566fbed3894c1f902f28a93cccead098a081f9ed6b097fa3bd |
C:\Windows\System\CrHqCuJ.exe
| MD5 | fc5808f9e6bfb79f708d91b6cc2e254e |
| SHA1 | 84103c07d170f2ebcfc1a5a576a7e7538d9487f9 |
| SHA256 | d870ca3b446ee851ae639b691b704a9eb09cadea76d5c78944f31401cda93d27 |
| SHA512 | ccd8d9cfd31e2707f11dce1d1f3337f00ce9d47a55dccb1159b42ab7b0873bd605d34575deff60dc8228105355d4b840ca1efd18b329d929324923cc61c10c89 |
C:\Windows\System\HtGquuU.exe
| MD5 | 322994dac57a530b5c42444025de163d |
| SHA1 | c206f0800d4c26b05ec67870984957e6fada4243 |
| SHA256 | 655ee3327fc5cf0a4d810227b2ee65aada22e27b314296e2ec21c3209043b5a1 |
| SHA512 | 85679468a52f728646e9fe26976030940bb0350eae5572c25487b5c65889b345b802c5d177044a8ef35556ecf739ad88023eb7d038b58335ebb74b6498fe5179 |
memory/3544-122-0x00007FF636A40000-0x00007FF636D91000-memory.dmp
memory/1840-137-0x00007FF7D26A0000-0x00007FF7D29F1000-memory.dmp
memory/2196-136-0x00007FF6030B0000-0x00007FF603401000-memory.dmp
memory/2568-143-0x00007FF7D9A00000-0x00007FF7D9D51000-memory.dmp
memory/2332-149-0x00007FF70F6D0000-0x00007FF70FA21000-memory.dmp
memory/876-150-0x00007FF79A7D0000-0x00007FF79AB21000-memory.dmp
memory/3620-155-0x00007FF7F55A0000-0x00007FF7F58F1000-memory.dmp
memory/3264-156-0x00007FF7ACD80000-0x00007FF7AD0D1000-memory.dmp
memory/3936-161-0x00007FF730AC0000-0x00007FF730E11000-memory.dmp
memory/1080-160-0x00007FF6A6F50000-0x00007FF6A72A1000-memory.dmp
memory/3544-162-0x00007FF636A40000-0x00007FF636D91000-memory.dmp
memory/224-166-0x00007FF610B50000-0x00007FF610EA1000-memory.dmp
memory/772-165-0x00007FF677430000-0x00007FF677781000-memory.dmp
memory/1840-167-0x00007FF7D26A0000-0x00007FF7D29F1000-memory.dmp
memory/4888-217-0x00007FF6A64F0000-0x00007FF6A6841000-memory.dmp
memory/3232-219-0x00007FF7D2350000-0x00007FF7D26A1000-memory.dmp
memory/1816-221-0x00007FF7C6310000-0x00007FF7C6661000-memory.dmp
memory/1896-223-0x00007FF62EF90000-0x00007FF62F2E1000-memory.dmp
memory/1296-228-0x00007FF631830000-0x00007FF631B81000-memory.dmp
memory/3784-230-0x00007FF645C90000-0x00007FF645FE1000-memory.dmp
memory/1284-235-0x00007FF699050000-0x00007FF6993A1000-memory.dmp
memory/4564-237-0x00007FF6857A0000-0x00007FF685AF1000-memory.dmp
memory/404-239-0x00007FF696A40000-0x00007FF696D91000-memory.dmp
memory/1192-243-0x00007FF613FC0000-0x00007FF614311000-memory.dmp
memory/2196-245-0x00007FF6030B0000-0x00007FF603401000-memory.dmp
memory/2568-249-0x00007FF7D9A00000-0x00007FF7D9D51000-memory.dmp
memory/876-251-0x00007FF79A7D0000-0x00007FF79AB21000-memory.dmp
memory/2332-253-0x00007FF70F6D0000-0x00007FF70FA21000-memory.dmp
memory/3620-262-0x00007FF7F55A0000-0x00007FF7F58F1000-memory.dmp
memory/3264-264-0x00007FF7ACD80000-0x00007FF7AD0D1000-memory.dmp
memory/1080-266-0x00007FF6A6F50000-0x00007FF6A72A1000-memory.dmp
memory/3544-268-0x00007FF636A40000-0x00007FF636D91000-memory.dmp
memory/3936-270-0x00007FF730AC0000-0x00007FF730E11000-memory.dmp
memory/224-272-0x00007FF610B50000-0x00007FF610EA1000-memory.dmp
memory/772-274-0x00007FF677430000-0x00007FF677781000-memory.dmp
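The path/hash blocks and `memory/<pid>-<seq>-<start>-<end>-memory.dmp` entries above are the report's raw IOC listing. The script below is an added example, not part of the sandbox's own tooling or of the sample: it parses entries of exactly this shape (a few lines copied from this report serve as constructed sample input), rejects digests of the wrong length, derives the byte size of every dumped region, groups regions by PID so repeated dumps of the same mapping collapse, and checks a blob on disk against the recorded digests. The regex patterns, function names and the `b"abc"` test vector are the example's own assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Constructed sample input: entries copied verbatim from this report's dropped-file
# and memory-dump listing. The parser handles the full listing the same way.
REPORT_LINES = r"""
C:\Windows\System\QhqHKnq.exe
| MD5 | 82208d989e97bfb6ea7aec7f0455ae30 |
| SHA1 | 3d7b7ea0796d5cce37b39d27fb773025ae6f0c5c |
| SHA256 | 6cdc9b8b3ad1446ed7d95bde8bfdfa65ac5f352c2b975f078a44028b20665af1 |
| SHA512 | f7e88d411ff04fcb2b40fd55c278b284fc5a3e6a794df6a4852b6013d89a7641c1f15b449012a94914f47667062e78c30a8d4755f7f0ba3569b180d0d960a350 |
memory/1896-23-0x00007FF62EF90000-0x00007FF62F2E1000-memory.dmp
memory/1816-21-0x00007FF7C6310000-0x00007FF7C6661000-memory.dmp
C:\Windows\System\RjnQNUN.exe
| MD5 | 76e97519b3d174b20459713195f85f9d |
| SHA1 | 408af039237425e889a2a5190814fdbe33f58fb2 |
| SHA256 | 64c488f8b41a5a23a1415d6fca8b897b24502c97df3bfa6675c8fbede50a78b0 |
| SHA512 | 5dff318d2a8ce9e59634b699a638c743362e45fe0c6bb072b3ff40e59ffbdefb80b85c1a3834c476ab14893658d9d3361d666ec47998b4ec3272c8b5fef82703 |
memory/3784-41-0x00007FF645C90000-0x00007FF645FE1000-memory.dmp
memory/1896-82-0x00007FF62EF90000-0x00007FF62F2E1000-memory.dmp
"""

# Assumed line shapes (matching this report's layout, not a published schema).
PATH_LINE = re.compile(r"^[A-Za-z]:\\")
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
DUMP_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_report(text):
    """Return ({path: {algo: digest}}, [(pid, seq, start, end)]) from report lines."""
    files, dumps, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_LINE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append((int(pid), int(seq), int(start, 16), int(end, 16)))
            continue
        m = HASH_ROW.match(line)
        if m:
            algo, digest = m.groups()
            if current is None:
                raise ValueError("hash row before any file path: " + line)
            if len(digest) != HEX_LEN[algo]:  # truncated or mis-copied digest
                raise ValueError(f"{current}: {algo} digest has {len(digest)} hex chars")
            files[current][algo] = digest
            continue
        if PATH_LINE.match(line):
            current = line
            files.setdefault(current, {})
    return files, dumps


def region_sizes(dumps):
    """Byte size of each dumped region; a single repeated size across PIDs
    means the same image is mapped in every process."""
    return {(pid, seq): end - start for pid, seq, start, end in dumps}


def regions_by_pid(dumps):
    """Distinct (start, end) ranges per PID; re-dumps of one mapping collapse."""
    by_pid = defaultdict(set)
    for pid, _seq, start, end in dumps:
        by_pid[pid].add((start, end))
    return dict(by_pid)


def digests_of(data):
    """Compute the same four digests the report records, for a blob in hand."""
    return {algo: getattr(hashlib, algo.lower())(data).hexdigest() for algo in HEX_LEN}


def matches_report(data, digests):
    """Algorithms for which a candidate blob matches the report's recorded digests."""
    mine = digests_of(data)
    return {algo for algo, d in digests.items() if mine.get(algo) == d}


def ioc_lines(files):
    """Tab-separated algo/digest/path lines for ingestion into a blocklist."""
    return [f"{algo}\t{d}\t{path}" for path, digs in sorted(files.items())
            for algo, d in sorted(digs.items())]


def summarize(text):
    files, dumps = parse_report(text)
    by_pid = regions_by_pid(dumps)
    return {
        "files": len(files),
        "dumps": len(dumps),
        "pids": len(by_pid),
        "region_sizes": sorted(set(region_sizes(dumps).values())),
        "repeat_dumps": len(dumps) - sum(len(v) for v in by_pid.values()),
    }


if __name__ == "__main__":
    files, _dumps = parse_report(REPORT_LINES)
    print("\n".join(ioc_lines(files)))
    print(summarize(REPORT_LINES))
```

On the sample, and on the full listing above, every dumped region is 0x351000 bytes and the same PID/range shows up again under a later sequence number (1896-23 and 1896-82, for instance), so grouping by PID before counting avoids overstating how many distinct images were dumped. `matches_report` is the check to run before treating a file from a host as the same artefact: a match on SHA256 or SHA512 is what matters, an MD5-only match is not.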