Analysis Overview
SHA256
333e58bb3a5a406fdf706e8be1fd15043bf203cd5e231af3b8d7e373909e3c60
Threat Level: Known bad
The file 2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobaltstrike
XMRig Miner payload
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-15 11:23
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 11:23
Reported
2024-08-15 11:26
Platform
win7-20240729-en
Max time kernel
140s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\tPrWgFw.exe | N/A |
| N/A | N/A | C:\Windows\System\OeJxhkx.exe | N/A |
| N/A | N/A | C:\Windows\System\IvkwQek.exe | N/A |
| N/A | N/A | C:\Windows\System\OJpTrcv.exe | N/A |
| N/A | N/A | C:\Windows\System\ZTqULSy.exe | N/A |
| N/A | N/A | C:\Windows\System\EUfjKUE.exe | N/A |
| N/A | N/A | C:\Windows\System\DpDgasZ.exe | N/A |
| N/A | N/A | C:\Windows\System\HQVrtQq.exe | N/A |
| N/A | N/A | C:\Windows\System\ZlccSpd.exe | N/A |
| N/A | N/A | C:\Windows\System\jWLlzyb.exe | N/A |
| N/A | N/A | C:\Windows\System\hTTORuX.exe | N/A |
| N/A | N/A | C:\Windows\System\kGvglmz.exe | N/A |
| N/A | N/A | C:\Windows\System\rdGkKPf.exe | N/A |
| N/A | N/A | C:\Windows\System\LBpMSrO.exe | N/A |
| N/A | N/A | C:\Windows\System\NBMAhHK.exe | N/A |
| N/A | N/A | C:\Windows\System\MnPRLEG.exe | N/A |
| N/A | N/A | C:\Windows\System\STamACE.exe | N/A |
| N/A | N/A | C:\Windows\System\TfzDYLj.exe | N/A |
| N/A | N/A | C:\Windows\System\kkmuXsN.exe | N/A |
| N/A | N/A | C:\Windows\System\KkIQUuU.exe | N/A |
| N/A | N/A | C:\Windows\System\rJdgZDe.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\tPrWgFw.exe
C:\Windows\System\tPrWgFw.exe
C:\Windows\System\IvkwQek.exe
C:\Windows\System\IvkwQek.exe
C:\Windows\System\OeJxhkx.exe
C:\Windows\System\OeJxhkx.exe
C:\Windows\System\OJpTrcv.exe
C:\Windows\System\OJpTrcv.exe
C:\Windows\System\ZTqULSy.exe
C:\Windows\System\ZTqULSy.exe
C:\Windows\System\EUfjKUE.exe
C:\Windows\System\EUfjKUE.exe
C:\Windows\System\DpDgasZ.exe
C:\Windows\System\DpDgasZ.exe
C:\Windows\System\HQVrtQq.exe
C:\Windows\System\HQVrtQq.exe
C:\Windows\System\ZlccSpd.exe
C:\Windows\System\ZlccSpd.exe
C:\Windows\System\jWLlzyb.exe
C:\Windows\System\jWLlzyb.exe
C:\Windows\System\hTTORuX.exe
C:\Windows\System\hTTORuX.exe
C:\Windows\System\kGvglmz.exe
C:\Windows\System\kGvglmz.exe
C:\Windows\System\rdGkKPf.exe
C:\Windows\System\rdGkKPf.exe
C:\Windows\System\LBpMSrO.exe
C:\Windows\System\LBpMSrO.exe
C:\Windows\System\NBMAhHK.exe
C:\Windows\System\NBMAhHK.exe
C:\Windows\System\MnPRLEG.exe
C:\Windows\System\MnPRLEG.exe
C:\Windows\System\STamACE.exe
C:\Windows\System\STamACE.exe
C:\Windows\System\TfzDYLj.exe
C:\Windows\System\TfzDYLj.exe
C:\Windows\System\kkmuXsN.exe
C:\Windows\System\kkmuXsN.exe
C:\Windows\System\KkIQUuU.exe
C:\Windows\System\KkIQUuU.exe
C:\Windows\System\rJdgZDe.exe
C:\Windows\System\rJdgZDe.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2264-0-0x000000013F990000-0x000000013FCE1000-memory.dmp
memory/2264-1-0x0000000000180000-0x0000000000190000-memory.dmp
C:\Windows\system\tPrWgFw.exe
| MD5 | 5d41029c52f9d89ebdad3ecba2d0c8ac |
| SHA1 | c109ce6934bef3b6ef1687ea7f2520213b58d659 |
| SHA256 | 57621c848398d9d5bfefe1d39d8941967eadf1743723f74300766b5d8bb0e423 |
| SHA512 | 7992ddca5ae0dab359381ab4b92c81374c21fa990e05826f05d2544e0dd0497e957a1112ff65ac29d31d7f19602d5c5d03e9e9c7a0905295344b3e8d5c7f0d33 |
C:\Windows\system\OeJxhkx.exe
| MD5 | f49af44c2e415beb8e1a4de6e2e2bbf5 |
| SHA1 | 7163f3541e0d6ae64f15f3c4c71cc6c0aaf11fc3 |
| SHA256 | 402ca1741b5070390b06c8d2bcd713ab38161cfa18ad18f8412af32e62818b14 |
| SHA512 | 01ce54511d2c3e9633742c8dd24e14920e7ca3d9adfd20e205ec7e5da7ee57371835fdae3045e98fd1187e9a36aa8d95fb1cf091989e0587755e21e9b18dbc41 |
C:\Windows\system\IvkwQek.exe
| MD5 | c0c44ab615ec0e91723012716cf89273 |
| SHA1 | 254902238888c292637dbdc7795755a694c3de91 |
| SHA256 | 8b73310621345d7e20738ea98eaaaf2aa2a25696e8e65fe746fabe3c98baf8dc |
| SHA512 | 14e89e9433b551bd394b4332c80308e1b86139930abce43caec9b3fda89d5f2c2b913c4d27480f777d023ee1f92b209732e72876c51736940756824346e621a5 |
C:\Windows\system\OJpTrcv.exe
| MD5 | 65e3b17f9c381909246bf7dab6073905 |
| SHA1 | 32b269026aacf9dedf4af0b378cb4972900b5eb3 |
| SHA256 | 918433469013f96519f6d8ebe0ab81265f18beb8c0a117c8367169fa51c5d837 |
| SHA512 | 1a46fc11fe5eb2877d188806dd24599934af6790bfac810b65729c55767196b712aa0f0b0d0900ebfeeab3d76a280e6fb5ea8fe2bd10b6f96673dace218e2cbc |
C:\Windows\system\ZTqULSy.exe
| MD5 | 80a20d3042b0a01e4a8ccf996b8a6814 |
| SHA1 | 3fe34bb28c82b116d97090d51e5c36c12d6a0d59 |
| SHA256 | f860fae510cc6ceaf3eac188c67f47c48a954788f48fbc8bb87d7b09a79b1209 |
| SHA512 | 6744873e8899a952caebf5649ea62892358113b92ad2f3baa75cc65623e1ac9c2b605067cc62ea3de0d46e66a17f8b3055139c5f1b52c7d2ed6ae70baec41392 |
C:\Windows\system\EUfjKUE.exe
| MD5 | 0b9e4acfd618dcf75fa843e2a1853995 |
| SHA1 | db8f320a20f2af1937bf88226e7fc8a4b516322e |
| SHA256 | 210926fac8be432a623d699e4469aa11a8d46e997c9c97d8aa67b266b7b0889f |
| SHA512 | 1e4e2d018a041fe5567edbec0f9925d03e8ce2e8f5d6f35f007a902aa6964921cb72721df9db236356075eacd30e7cf998675e33508193cfaa040b83c8352893 |
C:\Windows\system\hTTORuX.exe
| MD5 | c5223c181b5441b9c6934767898bad0b |
| SHA1 | a1ba0208c9096617dda46526211caaa7c9452fe4 |
| SHA256 | 1dda0265e3cc2580e3d71e84e113aa493d5d84743747f2ef5de16e85ca95de8a |
| SHA512 | f2058a2fb0495238ba2c13f3a1d0fd949065ec57f27d9213098ebba2867fbab4aca5cf5f5cfd462428739eaf7a05c83842eb027222811fcd04a03b482a0c422c |
C:\Windows\system\kGvglmz.exe
| MD5 | 1369d3046ed58f8295dbe627d881664d |
| SHA1 | f10239fd32cd487bc3407511251021b6f49433c9 |
| SHA256 | de355de287e1616fb264fc6c954f3e8109bf749bb09f43aaf8c36ae27d053e0c |
| SHA512 | 674e7de1fbccbec36606767f348d2b9465c67a5fa5b5bbd65ddf3056e7816a892f0795888f33a8fc3fcbbf15593307d5fa8b9be812242f4ca143191adb0df5ff |
C:\Windows\system\KkIQUuU.exe
| MD5 | 43e5ed40a4295b178c93b5b2b9490763 |
| SHA1 | 5e995b9876e6e8a08624798f61b0cd4bfc40a144 |
| SHA256 | e0c04fe5160ba82c477745b742aa0820a7faaab92f83c9063189e9f12dbfacbe |
| SHA512 | eb1306e832024d633d993d111f82f10fcdff79c7ec54f0967dc69d34d3731915ce3fd127d432d1100abc0df17abe9afd4b11cd3523082c1fe66d66011e2176b8 |
C:\Windows\system\rJdgZDe.exe
| MD5 | 401f2fb55ce595ce08c7419beadace52 |
| SHA1 | db12dc2562e574016117d5e7ef889aaa880116bf |
| SHA256 | eec82db48ada329685a6f3e17a31f672b9965e8e609a3d98941d83af86674c72 |
| SHA512 | 67ab0889cd141cd70817301fd64660d1147b01eb49763a7fd08bde3c7a806bf5d318e45b991e6b9d675c8e8bd5e07d6f355e892bd65eb76cedda600e1b4dc06c |
C:\Windows\system\kkmuXsN.exe
| MD5 | b0d66ccb2a27567d4fb01c0ffd9f7684 |
| SHA1 | 39b6097353363bc27fb12371dbc8e5f49b713483 |
| SHA256 | 4a80fed3c67413a74a464fe819b7325adb220d361ed573e8d76bf2781bfc0cae |
| SHA512 | 9232df1612b9c3bac5bc4c9f35f11f8973ecb65ed3eeaa8e7d7932dd6357a45fc0320d10dd8e097c4f08dda64342ac1e15f39fd0504901fd0a95821d66de06ef |
C:\Windows\system\TfzDYLj.exe
| MD5 | 9141c92a83680540d1a3a3d82f974197 |
| SHA1 | 3a77899ddec09a0e4dff6a323271c90d65a77fa7 |
| SHA256 | ed2132ca749606fe422a99b04088f6f1dc84b04d89600720c5c03d243cbee3cf |
| SHA512 | 7f810f1c6ce2f9165077749764d2bea26b72e138c23dcf2868b36fa0ebc0fbd33eff263b70992b08ea81b9f4918f149a6cd8237192becebce60af9116cc7a8b6 |
C:\Windows\system\STamACE.exe
| MD5 | c8f19219e5a1fb6da0e9149ab2b220dd |
| SHA1 | ffdb0d9a12aabd5c72659a6bb4be391c4a5e2ebe |
| SHA256 | 69d60500726f5ee4afef955198e55f54dd05084fd7aa73aefd62bfaa7f414571 |
| SHA512 | 5b2f2ab44816f7095f0540f2937e027417f882e075bc5004f573ee9b532e3bea5e0d57bc03e94f47c81a09e5d2062ea1063b005dd3f2c3281b1c204ec1cf4719 |
C:\Windows\system\MnPRLEG.exe
| MD5 | 8cc9153783101b195b631c01440ff403 |
| SHA1 | c6ac40eb0d6423ea26e316c742775ab1e8395a0a |
| SHA256 | 947d565b0b2447aa453125aab166b8b851940ae08f625276e0a0494a8132e3cb |
| SHA512 | d64b3a73032effd4e674789e054c27fae7992c29ce62268d68f74ceea6af130f764d89c1ea6c42e9ad8e985f13a217cea0c0d7175d072483afa705ffa21acc91 |
C:\Windows\system\NBMAhHK.exe
| MD5 | 886c14d95c225da203f6fbb45cb65167 |
| SHA1 | cda8cfc3668bd7e675120aa9b6e90459662feae0 |
| SHA256 | a785ba223bd2ce649cfa5f1caf452a91fb2c2e3b5402db89be45369ebc49d478 |
| SHA512 | b214b13daba2dee15b4def94007a3699fd2611c4045c46bb8e7dee9ce14ee60772df29ee03cc74444aa15dbf6f7dc216150ef45fd20617057ad2368f21b0e41b |
C:\Windows\system\LBpMSrO.exe
| MD5 | 234b79e6d4b6280d071b1e186f9bf8d0 |
| SHA1 | 29834e66c6ae1066583421851be8be3a5aa2ca52 |
| SHA256 | 865fdb491386aec2e35cf44b7d3aff9e06f451567530700d4364dd0819586423 |
| SHA512 | faabd200290df708d9e790c5a55f07776c321bf4b5f4047e2ea6765ff93ebef9836f743e77aa22bb81e3547f55a74933c45f268b0eff92df05e1d015d3af51d1 |
C:\Windows\system\rdGkKPf.exe
| MD5 | 8777d6a21a9fb429aac1f09cf33888b3 |
| SHA1 | 92f7631d7ac5de8f97f20ad1c746229baf858411 |
| SHA256 | fc1a445ce5963913f7c4114a8739050bf6c192c80165809fb13c7997de07cbf8 |
| SHA512 | eb5ee9ebcff3cd5b1518115e1ea60fa5068e64f3e049536623e357e41409100477452e3eceb89ff4af63739cfb8750b9c8c6af8db835c98b87db678fdf929036 |
C:\Windows\system\jWLlzyb.exe
| MD5 | 1a02d8cb8f42a067d6bbcd797f4e4eb8 |
| SHA1 | eead1203cda02612dc78b9494dec8564c35a71e3 |
| SHA256 | ef27a608102ef761b1f2d800fd959d6126077e7dbd142bd8e6b93983c7309d8d |
| SHA512 | a6f6d17557c012fb27896063f7809b9da0f6c166c7fca846b89962029d5cc6506bbe3e214a1d4c3bff8010e6908ee1046e4be96c72be75144b44d3aa8245dfc7 |
C:\Windows\system\ZlccSpd.exe
| MD5 | c2dea86499d92bd42f892d09f2e4d183 |
| SHA1 | cc3a1aeab2ef6d7062b06a5417b7e333373e5a0f |
| SHA256 | a0e7369970883d0159a0fc676a923795339cf6294c3c3b4d0666ab0458246e6e |
| SHA512 | 6716f8f9dbeb879bd42ed7d06da16b7312b0c8b551a2171f672a136b285cdca7d912e1a8bb153c33c45ec678b6c8f0cc2d848193d6834baed80355dc0de2b0fa |
C:\Windows\system\HQVrtQq.exe
| MD5 | cb08f1a6b85061ee2d77e17e3f15df7e |
| SHA1 | cfab0cbcd1515ec507362694b69d89afc1ea9bd6 |
| SHA256 | c0ce06d29bd4ca8ab666ed8a240b2e55000ba97385dd6f723fb224f4c0ed5e21 |
| SHA512 | fce13373dd080432066c13913302b43e5f8ffafd642f91a63a5318af471755f7532455a7fc880c6de0469bc82c9f48835fab252fc30442ca12cec3dcb5fa23b3 |
C:\Windows\system\DpDgasZ.exe
| MD5 | e7f7adfd90765bd087ef0c248b46be5d |
| SHA1 | 0cb662125c4dafe3d2ba84dc079781b2f8888018 |
| SHA256 | dfbe6e78253e7d3254ba1d87f27edfeb4568848a4a96e9e62d72ed2e043a023c |
| SHA512 | d17d1aad7cb23dd9ebb0acea3a14790034fa725a089c81c02754a19bdac843243b7b110887424146c209948b636bfafef12effa0e8e2c3966452e93d6fe4221a |
memory/2532-87-0x000000013F390000-0x000000013F6E1000-memory.dmp
memory/2344-98-0x000000013F990000-0x000000013FCE1000-memory.dmp
memory/2796-93-0x000000013FBB0000-0x000000013FF01000-memory.dmp
memory/2264-92-0x0000000002290000-0x00000000025E1000-memory.dmp
memory/548-91-0x000000013F0E0000-0x000000013F431000-memory.dmp
memory/2548-89-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/2836-106-0x000000013F680000-0x000000013F9D1000-memory.dmp
memory/2816-104-0x000000013FD80000-0x00000001400D1000-memory.dmp
memory/2264-109-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
memory/2948-108-0x000000013F8C0000-0x000000013FC11000-memory.dmp
memory/2152-110-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
memory/2776-118-0x000000013F500000-0x000000013F851000-memory.dmp
memory/2264-120-0x000000013F0E0000-0x000000013F431000-memory.dmp
memory/2264-119-0x000000013FD50000-0x00000001400A1000-memory.dmp
memory/2264-117-0x000000013F500000-0x000000013F851000-memory.dmp
memory/2632-115-0x000000013F920000-0x000000013FC71000-memory.dmp
memory/2784-114-0x000000013F5E0000-0x000000013F931000-memory.dmp
memory/2264-113-0x000000013F5E0000-0x000000013F931000-memory.dmp
memory/2840-112-0x000000013FBC0000-0x000000013FF11000-memory.dmp
memory/2264-103-0x000000013FD80000-0x00000001400D1000-memory.dmp
memory/2744-102-0x000000013F690000-0x000000013F9E1000-memory.dmp
memory/2532-129-0x000000013F390000-0x000000013F6E1000-memory.dmp
memory/2548-131-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/2344-133-0x000000013F990000-0x000000013FCE1000-memory.dmp
memory/2796-132-0x000000013FBB0000-0x000000013FF01000-memory.dmp
memory/548-130-0x000000013F0E0000-0x000000013F431000-memory.dmp
memory/2264-128-0x000000013F990000-0x000000013FCE1000-memory.dmp
memory/2152-138-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
memory/2836-136-0x000000013F680000-0x000000013F9D1000-memory.dmp
memory/2348-149-0x000000013F480000-0x000000013F7D1000-memory.dmp
memory/644-148-0x000000013F600000-0x000000013F951000-memory.dmp
memory/1652-147-0x000000013F2C0000-0x000000013F611000-memory.dmp
memory/1072-146-0x000000013FCA0000-0x000000013FFF1000-memory.dmp
memory/1892-145-0x000000013F560000-0x000000013F8B1000-memory.dmp
memory/2624-144-0x000000013F500000-0x000000013F851000-memory.dmp
memory/2784-140-0x000000013F5E0000-0x000000013F931000-memory.dmp
memory/2664-143-0x000000013FD50000-0x00000001400A1000-memory.dmp
memory/2744-134-0x000000013F690000-0x000000013F9E1000-memory.dmp
memory/2264-150-0x000000013F990000-0x000000013FCE1000-memory.dmp
memory/2264-151-0x000000013F500000-0x000000013F851000-memory.dmp
memory/2264-152-0x000000013F990000-0x000000013FCE1000-memory.dmp
memory/2532-218-0x000000013F390000-0x000000013F6E1000-memory.dmp
memory/2948-221-0x000000013F8C0000-0x000000013FC11000-memory.dmp
memory/2816-223-0x000000013FD80000-0x00000001400D1000-memory.dmp
memory/2548-225-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/2840-227-0x000000013FBC0000-0x000000013FF11000-memory.dmp
memory/2344-230-0x000000013F990000-0x000000013FCE1000-memory.dmp
memory/2632-234-0x000000013F920000-0x000000013FC71000-memory.dmp
memory/2836-236-0x000000013F680000-0x000000013F9D1000-memory.dmp
memory/2776-240-0x000000013F500000-0x000000013F851000-memory.dmp
memory/548-244-0x000000013F0E0000-0x000000013F431000-memory.dmp
memory/2152-245-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
memory/2796-252-0x000000013FBB0000-0x000000013FF01000-memory.dmp
memory/2784-247-0x000000013F5E0000-0x000000013F931000-memory.dmp
memory/2744-251-0x000000013F690000-0x000000013F9E1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 11:23
Reported
2024-08-15 11:26
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\wsMBrgo.exe | N/A |
| N/A | N/A | C:\Windows\System\dedwTNZ.exe | N/A |
| N/A | N/A | C:\Windows\System\oJTeMEp.exe | N/A |
| N/A | N/A | C:\Windows\System\xVscyvA.exe | N/A |
| N/A | N/A | C:\Windows\System\qCnPgrt.exe | N/A |
| N/A | N/A | C:\Windows\System\GlKXYCQ.exe | N/A |
| N/A | N/A | C:\Windows\System\NaBRSai.exe | N/A |
| N/A | N/A | C:\Windows\System\aXHnyaT.exe | N/A |
| N/A | N/A | C:\Windows\System\TVcrzHf.exe | N/A |
| N/A | N/A | C:\Windows\System\CxcBICE.exe | N/A |
| N/A | N/A | C:\Windows\System\DnznMpS.exe | N/A |
| N/A | N/A | C:\Windows\System\chrXRUp.exe | N/A |
| N/A | N/A | C:\Windows\System\xlWwmUY.exe | N/A |
| N/A | N/A | C:\Windows\System\nOvrYXl.exe | N/A |
| N/A | N/A | C:\Windows\System\MhwycNl.exe | N/A |
| N/A | N/A | C:\Windows\System\VTEVSgJ.exe | N/A |
| N/A | N/A | C:\Windows\System\jToVWfj.exe | N/A |
| N/A | N/A | C:\Windows\System\QcdCgjo.exe | N/A |
| N/A | N/A | C:\Windows\System\VKeGVLe.exe | N/A |
| N/A | N/A | C:\Windows\System\DDkCgOv.exe | N/A |
| N/A | N/A | C:\Windows\System\ZdquIqY.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-15_16e74e4d3f6c08a4e610deb189b41023_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\wsMBrgo.exe
C:\Windows\System\wsMBrgo.exe
C:\Windows\System\dedwTNZ.exe
C:\Windows\System\dedwTNZ.exe
C:\Windows\System\xVscyvA.exe
C:\Windows\System\xVscyvA.exe
C:\Windows\System\oJTeMEp.exe
C:\Windows\System\oJTeMEp.exe
C:\Windows\System\qCnPgrt.exe
C:\Windows\System\qCnPgrt.exe
C:\Windows\System\GlKXYCQ.exe
C:\Windows\System\GlKXYCQ.exe
C:\Windows\System\NaBRSai.exe
C:\Windows\System\NaBRSai.exe
C:\Windows\System\aXHnyaT.exe
C:\Windows\System\aXHnyaT.exe
C:\Windows\System\TVcrzHf.exe
C:\Windows\System\TVcrzHf.exe
C:\Windows\System\CxcBICE.exe
C:\Windows\System\CxcBICE.exe
C:\Windows\System\DnznMpS.exe
C:\Windows\System\DnznMpS.exe
C:\Windows\System\chrXRUp.exe
C:\Windows\System\chrXRUp.exe
C:\Windows\System\xlWwmUY.exe
C:\Windows\System\xlWwmUY.exe
C:\Windows\System\nOvrYXl.exe
C:\Windows\System\nOvrYXl.exe
C:\Windows\System\MhwycNl.exe
C:\Windows\System\MhwycNl.exe
C:\Windows\System\VTEVSgJ.exe
C:\Windows\System\VTEVSgJ.exe
C:\Windows\System\jToVWfj.exe
C:\Windows\System\jToVWfj.exe
C:\Windows\System\QcdCgjo.exe
C:\Windows\System\QcdCgjo.exe
C:\Windows\System\VKeGVLe.exe
C:\Windows\System\VKeGVLe.exe
C:\Windows\System\ZdquIqY.exe
C:\Windows\System\ZdquIqY.exe
C:\Windows\System\DDkCgOv.exe
C:\Windows\System\DDkCgOv.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp |
Files
memory/1216-0-0x00007FF611910000-0x00007FF611C61000-memory.dmp
memory/1216-1-0x000001CDE5F20000-0x000001CDE5F30000-memory.dmp
C:\Windows\System\wsMBrgo.exe
| MD5 | 2e59b4098d40170192657a26b52055bc |
| SHA1 | a1b6981df224a60526cd40dc46ae0d6d59e78b05 |
| SHA256 | eb6454ba708a81f50b1277e84094ddd9b36635890e9518b7fee0af6d90116c69 |
| SHA512 | 62a22c6768096f31b8ba01d99588a7dce02ab7ca49c3856da908df23f286c66a6b3e0a9abd41ef8291f2ecf896c3ba6ade0426f789ac91f2cd666aa361e8b14a |
C:\Windows\System\dedwTNZ.exe
| MD5 | 7570553c76ffbc3539dbbaee8529588a |
| SHA1 | e7b8d355347dde3c80b054d98de4147f4de02060 |
| SHA256 | 4efb899923b8552ff67e98099e5f31a7a2c5f52c51e871f5b9f3b9ca192f5441 |
| SHA512 | bba4d990235e3e9fe7bbe1a3550fd6ab59c79d2328445f1cffd22003a2d0b2ca6e2506becfe2276fcaf5a51a339b327c2c83472f01367b1508981a3a282a9ad0 |
C:\Windows\System\xVscyvA.exe
| MD5 | 1062a3bd5d15910607c211b102b0968f |
| SHA1 | bcac530b9b7273887d07fa5883d01e8b0e027208 |
| SHA256 | 1482f69e17eca98cb3e019fcc1afbe18d2c41b3a147279fd06d3e42fbd29f4b6 |
| SHA512 | ab446dab2062442134e03bb5c474dc248d6a3afc91fcd3fbbe635f38da5e0f5f0975a76e26dbc7763b7741c8c48c5983ab7ce22fe51380098b335e224eb4ec75 |
memory/2528-8-0x00007FF79A980000-0x00007FF79ACD1000-memory.dmp
C:\Windows\System\oJTeMEp.exe
| MD5 | 2732feb1173e8f79828e102c7ea6ad05 |
| SHA1 | cad90a5fb9752c6f4dcf4d2ee2a0513a33d28af8 |
| SHA256 | 8b2e807dfed5439e7da30a0e2cc9e605ca2507a5b343fee5037189e7f15962fb |
| SHA512 | 09c43e4df28aa3783fc247eec822a288f2f6a3cb5418414ff81a100c68732e2da4d1ee854dc402462cd7d7604a54703116bc54d6ef7c4c9846993e70a8359c40 |
C:\Windows\System\qCnPgrt.exe
| MD5 | 88247d1704873da7a8ba22d82ec2b277 |
| SHA1 | 6b22df343c3175fc1332478c7abbfc985ab3050d |
| SHA256 | edf8ccbf2d9300be602b49dfe85cfa7ad854860393d97ef20d85355a17480f02 |
| SHA512 | 798eba54c1b5b83a65fce56cd154cae5a14e81b0b0b72604514df59c8a43d9a721ed42a2edcf60b87eac98e920bf70491e34ed10726dc9c9d7123a65b6044824 |
memory/2008-18-0x00007FF775BC0000-0x00007FF775F11000-memory.dmp
memory/3264-28-0x00007FF6CCFE0000-0x00007FF6CD331000-memory.dmp
C:\Windows\System\CxcBICE.exe
| MD5 | 1e88355934e1c76f8faf24a85e911d78 |
| SHA1 | c7ee8166629e6436578f72462ec2938f3540da01 |
| SHA256 | 4391def8227ad136c3d1855628e47552e062a61f614765d6f71c01ec3628fbad |
| SHA512 | e059f34bdaf6ce9d5bea7a62d89d6ec93bcee240043873f83b7626da863b96fc9f8d04b10462efbf4ca30e9ca954078b78218eaec0374eaf8682c65548353e30 |
C:\Windows\System\DnznMpS.exe
| MD5 | 9a317a1ae20db8b82588bcd5d3021112 |
| SHA1 | 5080e0904a07a89a76873153a313eefb62ae308d |
| SHA256 | 5e17c68636816639df46296189e316418a43480dbc3b381a3e67970167aa148e |
| SHA512 | 4852cc255b2e7c1e4ce48452e7e8e073396863668419d5c44cd587c43cdbb857b9a9ecfef26f826795b8f05bd9883edae7e185e9a5f9a6d9fb15b04358e135ed |
C:\Windows\System\nOvrYXl.exe
| MD5 | 8794f2f1ff6aacbbb8e14e27ed353c8d |
| SHA1 | f9db2c0b5f2d48d91d3279ebb7eaebfd9de2be3b |
| SHA256 | 088f06caa3de2cf9d7662d03707ace4896ef2de3695013f3aaf38c590ca27004 |
| SHA512 | 0dd8755bdbac5971bfeff4bf200f8581e5a221cd0b6deb1081df1bad900516b2dddf4f1e61fefbe575d98caa0e779f5d5430ca7943f58a429144e8b891f67595 |
memory/644-89-0x00007FF723820000-0x00007FF723B71000-memory.dmp
C:\Windows\System\VTEVSgJ.exe
| MD5 | bc1d12d545efc32b237588db87e5b8cd |
| SHA1 | 1e89a9300d4bd41cbb7cabf4fe71c9ea5b8c82d5 |
| SHA256 | 5a4f293e41484899bc2eb3e7054218a15137308719b34ae7de88421843a6ee21 |
| SHA512 | e8a209088fad31ceb1af28c16a16a15d1735cb4d210f7d2dbfacdaae443f3353c4d70aa44e3270767e184dc06ff44bee88e2c7a4ebed574daf9002c573237c7d |
memory/1792-105-0x00007FF6DE660000-0x00007FF6DE9B1000-memory.dmp
C:\Windows\System\QcdCgjo.exe
| MD5 | 4a249fa5e484239e3d88101e637c8842 |
| SHA1 | 143ccc518c2b924a9c7bcea74a85092731141861 |
| SHA256 | 27ad84f6e0d1068fb23a8c2c6077492aeb8abf54658a0963c9a35ba4cd74e6a9 |
| SHA512 | ecc1818f8e4612306fe6adfcb37405aa2e4b2f4885e1ca72502332819fadc3a4e67d931970b7d04481e66ab5a0c93c1fd3410b9c654d67dc5563f434f08a753e |
C:\Windows\System\VKeGVLe.exe
| MD5 | 89ddad8765e18382e8e32cdccb473436 |
| SHA1 | 4018a9d2099d1c7611aa43eeae99dc0743b247a3 |
| SHA256 | 2a46391c0990656cb2b2a8deb0bbc858f0a557eb3eba4441fe80d9e8d50a7f92 |
| SHA512 | 9e6e7ead8c9ae1fed03b67ab88ea473d89f724df48c30564e7f70ca33873222d5544059de2543a883d9a1d053a4d39d95611b73f5057d98cdb049977406a6d5e |
memory/536-113-0x00007FF770E70000-0x00007FF7711C1000-memory.dmp
C:\Windows\System\jToVWfj.exe
| MD5 | 7018e80488fbb8ac55e14b0e02bcfde6 |
| SHA1 | 138b74352f71ba303a6eaa2b3be3ebdf5f0ee1ad |
| SHA256 | bfc85b276edae863350917aa95ec9a1caf639328019df17a0f835e7516ea270e |
| SHA512 | b9bb73de958745f70ca4208666c31f517e522babe008eadf46d67e446c9ca60ab5351b0c25cf1d9e3ddc549742d8e27fb64c9fe2d240ca394c76324566705935 |
memory/3604-109-0x00007FF7EC040000-0x00007FF7EC391000-memory.dmp
memory/4968-108-0x00007FF6E4600000-0x00007FF6E4951000-memory.dmp
memory/1824-107-0x00007FF712330000-0x00007FF712681000-memory.dmp
memory/4468-99-0x00007FF68B5C0000-0x00007FF68B911000-memory.dmp
C:\Windows\System\MhwycNl.exe
| MD5 | 550828611639ef63a2ed46e238470c07 |
| SHA1 | c3a6f823f29fd821c124d98744c0110c481d0d8b |
| SHA256 | 09c3f6c2d14f90d10b515b7479ad0dd335bd3b6a0691234be51470ebe06e9eaf |
| SHA512 | 1efecf95430f69769abc92712ea893f4b489ec53232daef9e156640298903030db8e4c8e6038677b4796fc0e362b6ffa9c406f72bb412a520fd7c10f803f36e4 |
memory/5048-90-0x00007FF660EB0000-0x00007FF661201000-memory.dmp
memory/3364-84-0x00007FF72E2B0000-0x00007FF72E601000-memory.dmp
C:\Windows\System\chrXRUp.exe
| MD5 | d9d65dfb5d567e77e662899ffff5d99d |
| SHA1 | edb3439b1fa8d168ef14134487ec513e51361e7a |
| SHA256 | 9b0aea51c5f2c7b46c70d20a06914ef6e4174f0d482cce4514fa8e05dcc873aa |
| SHA512 | d3870737f98127191525e0a49417571c0a489c9ae31dd9219febfd8af76027fa5bdee6af3b5ec9613606e0f93bbebeb763c909466d43984624b586a8a98127de |
C:\Windows\System\xlWwmUY.exe
| MD5 | 98e255a984fbe0ff4ec969f7d2c7a1b2 |
| SHA1 | c71acb8f9e48323577df65ccf99aeea42524ac3c |
| SHA256 | a0607b199aefe1fcd0690692edc17f03866269610d61fa9940c14deb0cbc1fa3 |
| SHA512 | 41b58b70f6f2ed912022ab3ad9ebe363a80fad053c71b2f2e9e159942088262c5b3a897b247c3265846153a576a649ba3e44b281e0495f9ccca764f8efd8c040 |
memory/3996-78-0x00007FF6A9440000-0x00007FF6A9791000-memory.dmp
memory/1268-77-0x00007FF668320000-0x00007FF668671000-memory.dmp
memory/1388-66-0x00007FF6E7240000-0x00007FF6E7591000-memory.dmp
C:\Windows\System\NaBRSai.exe
| MD5 | d44c3c5653147f3ed9ed15d152a5d0c6 |
| SHA1 | 56feff4e041cda6fe8722c3586899b43e2859acf |
| SHA256 | 5cc06c5366ff7fbeb6ec030e063ad6d639db9a9fc4bd2877b80b2e21f939eb03 |
| SHA512 | e0501c284878dac9ce748f687ff295f1c334de8f2a1c4b6bf27169968e63a883774745ee222ffca6b241b243574961f5ac0f7682fedd6a9d65c894d7817cddbb |
memory/4576-53-0x00007FF7E9120000-0x00007FF7E9471000-memory.dmp
C:\Windows\System\TVcrzHf.exe
| MD5 | ff4eb7a43c5b64b04f659fb44017a589 |
| SHA1 | 8c410fb5aefa9646f501d837aa7d81728ce7d613 |
| SHA256 | b432719d3aec341f75ea4be2c232d8d504e603fffdc9935c0f2dce211db6179c |
| SHA512 | dec50b8a429cacdc9ceb73bc9bb830c47ee6bfe1a404237a2b5767f51f6ce00c6cbe46190bdf7c8b699103b0818e31df50fd45b824f569a06ddf819e508f4bd9 |
C:\Windows\System\aXHnyaT.exe
| MD5 | a9986172ee94db607030aa289d6b7f57 |
| SHA1 | 4df515f237f1a50bfea56c5818f7238cb925dc4f |
| SHA256 | 1e1b1bb14254c89bb81d34e05c31e924e539d4d01d3fcaa274cd1edec6fcd585 |
| SHA512 | 6ec15482013435c35c72806576d2da6e5485cbf9a59695d13aa1309707471d09231a0aaa8f5b085ffb778633fee75cc58b00d1655c77492869ca570939941048 |
memory/1828-46-0x00007FF79B2C0000-0x00007FF79B611000-memory.dmp
memory/4972-45-0x00007FF728240000-0x00007FF728591000-memory.dmp
C:\Windows\System\GlKXYCQ.exe
| MD5 | c778f52e77dac06597d248bb4a7a9c31 |
| SHA1 | f050c1a5115e09de219bd2e461f536fa55672d93 |
| SHA256 | 0d8768a396e71c2ffa513643e3ca1c2a37dd98c1bc09f61243f0bb61d6e4aa05 |
| SHA512 | 45edd6af20e5dd13e9fe01607344ac91ff4922dbf36cecc69a75af483b652e16ff497b5897b5af4ae50a37355d07f6b86bca90961aacc60af505c7d6b0581901 |
memory/3352-37-0x00007FF718C90000-0x00007FF718FE1000-memory.dmp
memory/3264-121-0x00007FF6CCFE0000-0x00007FF6CD331000-memory.dmp
memory/3364-134-0x00007FF72E2B0000-0x00007FF72E601000-memory.dmp
C:\Windows\System\DDkCgOv.exe
| MD5 | f367131435f778c259e37beda3a41be7 |
| SHA1 | 01a23fe7c1b8a669310ed23e5353a440c8722639 |
| SHA256 | 7aa0c19175dc23fcb695df50b166c30b1af9dcdd8a1e25c95b5eb3ad9c6c70e4 |
| SHA512 | d44aaeaff99b3d3c3a2b9d06ee09dce49a3f715bf999a3f71ce7b402387672328a4b1b2ca95fb7f16388e40e4a795e6e424d02e6f86defdbdb21bad089a66b6e |
memory/4468-128-0x00007FF68B5C0000-0x00007FF68B911000-memory.dmp
memory/1828-126-0x00007FF79B2C0000-0x00007FF79B611000-memory.dmp
memory/4972-124-0x00007FF728240000-0x00007FF728591000-memory.dmp
memory/2008-119-0x00007FF775BC0000-0x00007FF775F11000-memory.dmp
memory/2528-118-0x00007FF79A980000-0x00007FF79ACD1000-memory.dmp
memory/1216-117-0x00007FF611910000-0x00007FF611C61000-memory.dmp
memory/4004-141-0x00007FF62B5D0000-0x00007FF62B921000-memory.dmp
memory/1416-142-0x00007FF645250000-0x00007FF6455A1000-memory.dmp
memory/1216-146-0x00007FF611910000-0x00007FF611C61000-memory.dmp
memory/3604-144-0x00007FF7EC040000-0x00007FF7EC391000-memory.dmp
C:\Windows\System\ZdquIqY.exe
| MD5 | ab55e4466cccc10f93a3df772a927cab |
| SHA1 | 5ab99800143c178591410a12530ba5ad1ab13068 |
| SHA256 | 9c7ec379a92c7550b705768270dc99a7d00e61b104c4688f77fe2ee56e6001fe |
| SHA512 | 6883c1f87deac79442ad7fede593fcf629ee26f7dff0fe051b4abd485bce451705823437671d1207bc90b28506bf15f36ae9b4d76a966714cc70e74ee9ea25c3 |
memory/644-140-0x00007FF723820000-0x00007FF723B71000-memory.dmp
memory/3996-130-0x00007FF6A9440000-0x00007FF6A9791000-memory.dmp
memory/1268-125-0x00007FF668320000-0x00007FF668671000-memory.dmp
memory/4968-147-0x00007FF6E4600000-0x00007FF6E4951000-memory.dmp
memory/536-148-0x00007FF770E70000-0x00007FF7711C1000-memory.dmp
memory/1216-149-0x00007FF611910000-0x00007FF611C61000-memory.dmp
memory/1416-160-0x00007FF645250000-0x00007FF6455A1000-memory.dmp
memory/2528-208-0x00007FF79A980000-0x00007FF79ACD1000-memory.dmp
memory/2008-210-0x00007FF775BC0000-0x00007FF775F11000-memory.dmp
memory/3352-212-0x00007FF718C90000-0x00007FF718FE1000-memory.dmp
memory/3264-214-0x00007FF6CCFE0000-0x00007FF6CD331000-memory.dmp
memory/4576-216-0x00007FF7E9120000-0x00007FF7E9471000-memory.dmp
memory/1388-218-0x00007FF6E7240000-0x00007FF6E7591000-memory.dmp
memory/4972-231-0x00007FF728240000-0x00007FF728591000-memory.dmp
memory/1268-233-0x00007FF668320000-0x00007FF668671000-memory.dmp
memory/1828-230-0x00007FF79B2C0000-0x00007FF79B611000-memory.dmp
memory/5048-235-0x00007FF660EB0000-0x00007FF661201000-memory.dmp
memory/1792-237-0x00007FF6DE660000-0x00007FF6DE9B1000-memory.dmp
memory/3996-239-0x00007FF6A9440000-0x00007FF6A9791000-memory.dmp
memory/3364-245-0x00007FF72E2B0000-0x00007FF72E601000-memory.dmp
memory/1824-244-0x00007FF712330000-0x00007FF712681000-memory.dmp
memory/4468-247-0x00007FF68B5C0000-0x00007FF68B911000-memory.dmp
memory/644-242-0x00007FF723820000-0x00007FF723B71000-memory.dmp
memory/4968-253-0x00007FF6E4600000-0x00007FF6E4951000-memory.dmp
memory/3604-251-0x00007FF7EC040000-0x00007FF7EC391000-memory.dmp
memory/536-250-0x00007FF770E70000-0x00007FF7711C1000-memory.dmp
memory/4004-258-0x00007FF62B5D0000-0x00007FF62B921000-memory.dmp
memory/1416-260-0x00007FF645250000-0x00007FF6455A1000-memory.dmp