Analysis Overview
SHA256
f69aba3cc1df5434b224f2602793954ca6ef6ba9e3a6ecb9c52050da806bfb16
Threat Level: Known bad
The file 2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Cobaltstrike family
XMRig Miner payload
xmrig
Cobalt Strike reflective loader
Xmrig family
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-08-05 09:44
Signatures
Cobalt Strike reflective loader
1 match recorded; no description, indicator, process or target captured.
Cobaltstrike family
XMRig Miner payload
1 match recorded; no description, indicator, process or target captured.
Xmrig family
UPX packed file
1 match recorded; no description, indicator, process or target captured.
Unsigned PE
2 matches recorded; no description, indicator, process or target captured.
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-05 09:44
Reported
2024-08-05 09:47
Platform
win7-20240704-en
Max time kernel
142s
Max time network
141s
Signatures
Cobalt Strike reflective loader
21 matches recorded; no description, indicator, process or target captured.
Cobaltstrike
xmrig
XMRig Miner payload
43 matches recorded; no description, indicator, process or target captured.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\FEXYgpA.exe | N/A |
| N/A | N/A | C:\Windows\System\aQEvfUT.exe | N/A |
| N/A | N/A | C:\Windows\System\EtOVdSV.exe | N/A |
| N/A | N/A | C:\Windows\System\ZDxcyje.exe | N/A |
| N/A | N/A | C:\Windows\System\QHkIiis.exe | N/A |
| N/A | N/A | C:\Windows\System\WcWMrgA.exe | N/A |
| N/A | N/A | C:\Windows\System\EWqBpVM.exe | N/A |
| N/A | N/A | C:\Windows\System\IjkFwuX.exe | N/A |
| N/A | N/A | C:\Windows\System\rKxWUNW.exe | N/A |
| N/A | N/A | C:\Windows\System\LzPlvBf.exe | N/A |
| N/A | N/A | C:\Windows\System\olNFrMm.exe | N/A |
| N/A | N/A | C:\Windows\System\iATGiMj.exe | N/A |
| N/A | N/A | C:\Windows\System\xFTpXsG.exe | N/A |
| N/A | N/A | C:\Windows\System\SFgfmoC.exe | N/A |
| N/A | N/A | C:\Windows\System\UmIZkIu.exe | N/A |
| N/A | N/A | C:\Windows\System\YKyjprW.exe | N/A |
| N/A | N/A | C:\Windows\System\QjVLuis.exe | N/A |
| N/A | N/A | C:\Windows\System\NRCEyAk.exe | N/A |
| N/A | N/A | C:\Windows\System\zRzXVbh.exe | N/A |
| N/A | N/A | C:\Windows\System\oBYPivO.exe | N/A |
| N/A | N/A | C:\Windows\System\sDJCNvX.exe | N/A |
Loads dropped DLL
UPX packed file
64 matches recorded; no description, indicator, process or target captured.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\FEXYgpA.exe
C:\Windows\System\FEXYgpA.exe
C:\Windows\System\aQEvfUT.exe
C:\Windows\System\aQEvfUT.exe
C:\Windows\System\EtOVdSV.exe
C:\Windows\System\EtOVdSV.exe
C:\Windows\System\ZDxcyje.exe
C:\Windows\System\ZDxcyje.exe
C:\Windows\System\QHkIiis.exe
C:\Windows\System\QHkIiis.exe
C:\Windows\System\EWqBpVM.exe
C:\Windows\System\EWqBpVM.exe
C:\Windows\System\WcWMrgA.exe
C:\Windows\System\WcWMrgA.exe
C:\Windows\System\IjkFwuX.exe
C:\Windows\System\IjkFwuX.exe
C:\Windows\System\rKxWUNW.exe
C:\Windows\System\rKxWUNW.exe
C:\Windows\System\olNFrMm.exe
C:\Windows\System\olNFrMm.exe
C:\Windows\System\LzPlvBf.exe
C:\Windows\System\LzPlvBf.exe
C:\Windows\System\iATGiMj.exe
C:\Windows\System\iATGiMj.exe
C:\Windows\System\xFTpXsG.exe
C:\Windows\System\xFTpXsG.exe
C:\Windows\System\SFgfmoC.exe
C:\Windows\System\SFgfmoC.exe
C:\Windows\System\UmIZkIu.exe
C:\Windows\System\UmIZkIu.exe
C:\Windows\System\QjVLuis.exe
C:\Windows\System\QjVLuis.exe
C:\Windows\System\YKyjprW.exe
C:\Windows\System\YKyjprW.exe
C:\Windows\System\NRCEyAk.exe
C:\Windows\System\NRCEyAk.exe
C:\Windows\System\zRzXVbh.exe
C:\Windows\System\zRzXVbh.exe
C:\Windows\System\oBYPivO.exe
C:\Windows\System\oBYPivO.exe
C:\Windows\System\sDJCNvX.exe
C:\Windows\System\sDJCNvX.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2388-0-0x000000013F9C0000-0x000000013FD11000-memory.dmp
memory/2388-1-0x00000000000F0000-0x0000000000100000-memory.dmp
C:\Windows\system\FEXYgpA.exe
| MD5 | 7aad44f2b25c3ccf5f0dba336ab22166 |
| SHA1 | fabbe946794e48bea55868b97bfb23b76d1947d0 |
| SHA256 | b5e882ae414987263ef40f0e9796350d82517987f4bc190f44e9945c8c6aa26e |
| SHA512 | ed13dc0726f2e038ebfe02f02298a3794533b2202f2e13721675dd25513cdc83edc988d9464c236c966c3639cc3d0c9cb13901f193e56ae7a4f4a8ac2768c730 |
\Windows\system\aQEvfUT.exe
| MD5 | f6f22fe7b8de79d67bca21779a73d237 |
| SHA1 | fad6f2249399cfdbfe1ba1d2ea0aa81f4b89e782 |
| SHA256 | 187e82deccc71fc5498f75408ca500142e91dd4c6a0bd48f1390e59cb12b6ec2 |
| SHA512 | 231a5e1011f72478639964fa3118736ef74554cff57b4f3550223b0fff50f68f9ea7f1ab1154dff5bf5983283a067d1cc2fbea67deea3997e8abb2d3f3904763 |
memory/2388-20-0x000000013F3F0000-0x000000013F741000-memory.dmp
memory/2864-22-0x000000013F3F0000-0x000000013F741000-memory.dmp
memory/2388-15-0x0000000002340000-0x0000000002691000-memory.dmp
memory/2776-13-0x000000013FA10000-0x000000013FD61000-memory.dmp
\Windows\system\ZDxcyje.exe
| MD5 | 54a1ebcb3da8e2af6759a337a11d8bf6 |
| SHA1 | 2765277999e12357ffe7d78f2cfb0f97ed953b76 |
| SHA256 | 28a623c241979c5ffa33df2ed1db1120230b302b88f0bc2e0a5cfeaa5e7a0319 |
| SHA512 | 57267d5c252c10fe8705f82664deda60c2cc55b4db52a3cf233b922d199ef3c30e903e770a6480c1659740c8060f42dac005977f6e3699e163cc666ef5feca3f |
memory/2780-28-0x000000013F160000-0x000000013F4B1000-memory.dmp
\Windows\system\EWqBpVM.exe
| MD5 | 4b5ad1c33235cc9f502a9d38ccb9e7af |
| SHA1 | 36263cbb7973ac0cc7911707ce95b3d9f6280bc2 |
| SHA256 | 061caeeaea04ec8b2dc78d51874866da8c2a3d17831fe9aaadbbf437ced0ddda |
| SHA512 | e068a22f36995ecc009b9fce35d76c8b45bb3ff8e1edff5b162fd4fd3d60548fdeee3033b8271fbdc29fc229dbb59afb66e1c983b7d742491e54ebdfe6247534 |
\Windows\system\IjkFwuX.exe
| MD5 | 96a43ee58d0cbb47d9d120a209be30cf |
| SHA1 | 1cfc675faa31f58e942e4c914444505c891f3538 |
| SHA256 | 3aeb3cf98160223ac78889c3aae637fcb7cecb09b56ef56f3d9c10e35f8b2128 |
| SHA512 | 374469411368915a19654cf20c415dadfa76c69ccf6ba7cbac1824d6c2a95f36b2f0de4fdd2fb88ce5f3963860bdf7cd8fa021e79e31ad3fd55ed704a2674090 |
memory/2708-56-0x000000013F430000-0x000000013F781000-memory.dmp
memory/2388-55-0x000000013F9C0000-0x000000013FD11000-memory.dmp
memory/2952-48-0x000000013F6D0000-0x000000013FA21000-memory.dmp
memory/2336-46-0x000000013FF10000-0x0000000140261000-memory.dmp
memory/2388-68-0x0000000002340000-0x0000000002691000-memory.dmp
C:\Windows\system\xFTpXsG.exe
| MD5 | afef1935d262682624b6bf7d706ee868 |
| SHA1 | 66d953762383d1e4a1f58f37edddf7e3cc5c2925 |
| SHA256 | 36d50709549dc7844f2580ff90912c3934dae9e9d57eb9a8185d86f9bec711bb |
| SHA512 | 4b3cb903006d2ea786d791ff3c11ea2ad6df4f170eb539dd4fa749a6ec5f0d20c62af9c7f2c43881224e52ccde94653035525dbd04640b778b435224cdd12cee |
C:\Windows\system\iATGiMj.exe
| MD5 | ceea56cfb949804a69778b2a2a0212bb |
| SHA1 | aca42026e4dc260dfe0050e4253ce20085e429a8 |
| SHA256 | f7d309c76c51dd73ae2a3e51814a4540d20929677fcdcd046d1630fd8df796cd |
| SHA512 | 05c04f66bbfb88c8166610dfc8d4477a7d220abd42e3497de20defb07f15a029a100970aad79a522536d6b8d6a9f4a179f0c01a5c8ccbccc6bf375ab17642c44 |
memory/2780-97-0x000000013F160000-0x000000013F4B1000-memory.dmp
\Windows\system\QjVLuis.exe
| MD5 | c13c90f8ec661de5963775a96b98343c |
| SHA1 | 3c21c99611d6f71f58c0541124e9722bebd30b5a |
| SHA256 | 3a383fa13814472f8d21af11cec1906d16875664de123b0eaba72661716a50b7 |
| SHA512 | f4116b2ecffc9e1a9715d4fbe7e0dca41aefdf939e15d9e11886c2c71e2667e00dea6a3cfb66fb73bdfcc110563cdf0f444984df499073bc3bb9bb770950bd3c |
C:\Windows\system\NRCEyAk.exe
| MD5 | ca370c0216070e2f9bbd689f336f2235 |
| SHA1 | dd5b62c670ea8cd49eda18d62f388abcb0a906bc |
| SHA256 | 5c851f82b9a60acde0f549a585982a94b1c9a39a8224d4e3b04d11dfc57d9051 |
| SHA512 | 89e81806b5c9cce6592d8fac54355c45ef9f382ad82a71e3d0ca2f966d553101daea60adb5250ef09dd0952669a2496258b56583b8698d5f8defcc1d412caee9 |
C:\Windows\system\sDJCNvX.exe
| MD5 | da80a776ea3a844f94b17ea22eca1557 |
| SHA1 | 16866bbb0d8e980812fd8a59e47b26adc6a4fafb |
| SHA256 | 94854d814480acb2db3fd6d2f1e07203ee9ff8a8ff4b9b890df6d8024792850d |
| SHA512 | 299345891914aec2c2f81e8ebad60d0c6bf5fc4fa01b78175a764ba09efc7c83f6eff2c317407d89f0d41192845ab4c726457a7843e2a2e748bebbc435ae40eb |
C:\Windows\system\oBYPivO.exe
| MD5 | 0bc971f49c53eb8ffdbd958192e17ae2 |
| SHA1 | 5e8543efa5d040f8e798dc531190b28557c768bb |
| SHA256 | eceaf7670758854ee1a5336afd09201361d735d2b123b486e0635e78f9fc08ad |
| SHA512 | ebacc52373cc61e461aa840a9b69afd14810b141e98b13aacaea61971491fdf89a9f6cf618d7804c28af8e43571135eafeae853381c8e334c2a9a1151e5d4eb1 |
C:\Windows\system\zRzXVbh.exe
| MD5 | ab99eadfe25a053b181806505e75b6ce |
| SHA1 | 9d0e4acfac2ca01ada44c422bdc6d1b3cc5cc5dd |
| SHA256 | 1888e5705a89073ea72dc29562caa37b3c5ce36730dbb081d79f6963f1272c62 |
| SHA512 | 2dad3fab562beb3ef806f806ecc51efdd0d9665049584a55feb2b1b2ae4326691ce6d4d73f45bdcc8f2b267f539d7c6ec0d80bf0374ad2622b4f3648483ce980 |
memory/2388-98-0x0000000002340000-0x0000000002691000-memory.dmp
C:\Windows\system\YKyjprW.exe
| MD5 | 5a4a4fd82e320b47dad2777d150afb41 |
| SHA1 | a0ef0dad2a43c3d71a95d3d9469fb6bf24749b39 |
| SHA256 | 693b73073a8d1b37d8437204e4eed3a01d3c7a98660fcafb704a1853d543c1d6 |
| SHA512 | e62590937c5b3d008f07e5c3a6afc2416fbe8344c4cde98ce089b90c719a228db7b0ea98d286c8b16fce888676346b7d05605bae2ab771824c447b0cc3bbde90 |
memory/2388-104-0x0000000002340000-0x0000000002691000-memory.dmp
memory/2952-135-0x000000013F6D0000-0x000000013FA21000-memory.dmp
C:\Windows\system\UmIZkIu.exe
| MD5 | af39bb29d427d99c22e952c1fedf2abc |
| SHA1 | 823738910e45f2cbfdf0a05abd8adf077b900921 |
| SHA256 | c73c0fffddf9cdd280d662a148d67c6642b50d7b61543b532c23f27b1f710343 |
| SHA512 | 5f37ab6765a209e2128115f4d20c6ef85749be0a9a79af1ae1b5894fb2e02bfd14c22adaf1ab67d2b395da1fb582a3fbcba8b26241b9e6f368536c589e756fda |
C:\Windows\system\SFgfmoC.exe
| MD5 | eb58a6e8d76972e174efdbd2ef8102a0 |
| SHA1 | 6b1410e562c5c792b59230edc52d92d2471e7c9f |
| SHA256 | c55c88d270d534b6d0890218799a837c9eeb9209213c2e6008540dc55c24fada |
| SHA512 | b994a488dd9dcb35a4f2bfbae3f167978e834b7f207f9bab5776b511acaec8f6cfa15c8f386061d679114c796341512d1de2aff834b2582701933b099d25e472 |
memory/3060-102-0x000000013FB00000-0x000000013FE51000-memory.dmp
memory/2388-136-0x000000013F9C0000-0x000000013FD11000-memory.dmp
memory/2080-91-0x000000013F500000-0x000000013F851000-memory.dmp
memory/2388-90-0x000000013F500000-0x000000013F851000-memory.dmp
memory/2136-89-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/2388-81-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/2616-80-0x000000013F930000-0x000000013FC81000-memory.dmp
memory/2988-79-0x000000013F4A0000-0x000000013F7F1000-memory.dmp
memory/2924-155-0x000000013FC50000-0x000000013FFA1000-memory.dmp
memory/2476-156-0x000000013FAA0000-0x000000013FDF1000-memory.dmp
memory/2696-154-0x000000013FD50000-0x00000001400A1000-memory.dmp
memory/3040-153-0x000000013F480000-0x000000013F7D1000-memory.dmp
memory/2984-152-0x000000013FA80000-0x000000013FDD1000-memory.dmp
memory/2904-151-0x000000013FB80000-0x000000013FED1000-memory.dmp
memory/1632-65-0x000000013F490000-0x000000013F7E1000-memory.dmp
\Windows\system\olNFrMm.exe
| MD5 | 58f0f78fae64e9a8e3002e1a95da3f91 |
| SHA1 | 66a27c613f4bcdde39142d3d1e64372efb452a9a |
| SHA256 | 24f74d62f5846f27da93c0e44ca389a34bbbb8db92da65d09d04c6c7ea94862a |
| SHA512 | 3fb88645090fb971a32511d2f2d225c4e93c2fc4e4953201e88165f666a38e05e04c9f52800aa65803129170f0dc414c3decf3315c5d0373fbcd18237a59bd21 |
C:\Windows\system\LzPlvBf.exe
| MD5 | 48bea2ca9552bcc69a8980a378d6031a |
| SHA1 | 3773c91abf3861c9aba2bbe484514e0913e48481 |
| SHA256 | 4f0fbce8ac66b96d73239c0cd2bc177cb05c8454a00799fde05dde2f8106dc2e |
| SHA512 | e404feafa410126d93c97a8583be9ade5da74ff735735dbc23faa8ef8402fd8413ec23356c3bf67265cad8641b8d9d9e10bcdd1394d886b6bcf86e18f461b1ac |
memory/2776-69-0x000000013FA10000-0x000000013FD61000-memory.dmp
memory/1056-67-0x000000013F890000-0x000000013FBE1000-memory.dmp
C:\Windows\system\rKxWUNW.exe
| MD5 | 7bb1e3a04bc3da9b15dda044a4992e4e |
| SHA1 | 3ede41d7389b275105ccaa32c6e182b0b4699e23 |
| SHA256 | d55f6348621bddd751154c460cb9353914194bcba232268dee870fa6d4b624b0 |
| SHA512 | e744852b8cd0c21667e27e7d83cada38357b3d5c81aa691b0008aad7a05050e4b2f282a9945577e94e2f511ed62f0cd0ed60f00c169f7c0fabf9db082931431a |
memory/2388-45-0x000000013FF10000-0x0000000140261000-memory.dmp
memory/2388-44-0x0000000002340000-0x0000000002691000-memory.dmp
memory/2852-42-0x000000013FE20000-0x0000000140171000-memory.dmp
memory/2388-158-0x000000013F4A0000-0x000000013F7F1000-memory.dmp
memory/2408-157-0x000000013FF70000-0x00000001402C1000-memory.dmp
C:\Windows\system\WcWMrgA.exe
| MD5 | 55051fbfd9b07dda56687b621bfd8572 |
| SHA1 | 2e537dd08400c76fba861d06583f4ce7413411a4 |
| SHA256 | f5cb5752c5c12fb1e932446bcb5a71016bbc4d144d2a2cf862edcc0aa7879c42 |
| SHA512 | eddd77d7403f4b950a3ab9f7d4c9d0cd659ba2b3079bed47cd7ad2d138a6bde088886722d06f2c2edd95b745373500c7948a7ca21547072bb45cc6bc7d25968a |
C:\Windows\system\QHkIiis.exe
| MD5 | 571999f71ad992f2e36dcae1f368f606 |
| SHA1 | 02cb8851d553d9c82d6f0924c850e1f773aff9f0 |
| SHA256 | 3ad0f6b3dd24ec25c519fd8b9c4a4294b20ad2f6e9cfe68daeb24b7234b7b780 |
| SHA512 | a8f676c95c9bc51607738f73f4f79ed8f44b7aca47e2de2d877eeb789a06b97a38c3d0bb59f38f1e854965068af483555560c5511844921561239a6092b6e4fc |
memory/2388-26-0x000000013F160000-0x000000013F4B1000-memory.dmp
memory/1632-12-0x000000013F490000-0x000000013F7E1000-memory.dmp
C:\Windows\system\EtOVdSV.exe
| MD5 | f9264d3d2f2219a7a07363b7140eff12 |
| SHA1 | d8fd8370d64be2b64597bb37fd583d62ea8aff77 |
| SHA256 | f6a112150edc828bf9fd7e1f4d4b865e2e2a4ae0f7b53485efc270df476d9adb |
| SHA512 | 887d388584e334fc60749dc52370350a33a57be2700e1fd9bf94a54f2441cb6f14401e48c137df301d4c5ff4851a1e0efa9ae759be3293f7c64d0fba16166a9e |
memory/2388-159-0x000000013F9C0000-0x000000013FD11000-memory.dmp
memory/2388-168-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/2388-182-0x0000000002340000-0x0000000002691000-memory.dmp
memory/2388-184-0x0000000002340000-0x0000000002691000-memory.dmp
memory/1632-207-0x000000013F490000-0x000000013F7E1000-memory.dmp
memory/2776-209-0x000000013FA10000-0x000000013FD61000-memory.dmp
memory/2864-211-0x000000013F3F0000-0x000000013F741000-memory.dmp
memory/2780-221-0x000000013F160000-0x000000013F4B1000-memory.dmp
memory/2852-220-0x000000013FE20000-0x0000000140171000-memory.dmp
memory/2336-223-0x000000013FF10000-0x0000000140261000-memory.dmp
memory/2708-225-0x000000013F430000-0x000000013F781000-memory.dmp
memory/2952-227-0x000000013F6D0000-0x000000013FA21000-memory.dmp
memory/1056-229-0x000000013F890000-0x000000013FBE1000-memory.dmp
memory/2616-233-0x000000013F930000-0x000000013FC81000-memory.dmp
memory/2988-232-0x000000013F4A0000-0x000000013F7F1000-memory.dmp
memory/2136-237-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/2080-244-0x000000013F500000-0x000000013F851000-memory.dmp
memory/3060-246-0x000000013FB00000-0x000000013FE51000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-05 09:44
Reported
2024-08-05 09:47
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
151s
Signatures
Cobalt Strike reflective loader
21 matches recorded; no description, indicator, process or target captured.
Cobaltstrike
xmrig
XMRig Miner payload
46 matches recorded; no description, indicator, process or target captured.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ykbGDoP.exe | N/A |
| N/A | N/A | C:\Windows\System\lqRnaKp.exe | N/A |
| N/A | N/A | C:\Windows\System\mJELDxH.exe | N/A |
| N/A | N/A | C:\Windows\System\ZDpHQgG.exe | N/A |
| N/A | N/A | C:\Windows\System\cxqTrbD.exe | N/A |
| N/A | N/A | C:\Windows\System\zvhZFGo.exe | N/A |
| N/A | N/A | C:\Windows\System\CPkAHJq.exe | N/A |
| N/A | N/A | C:\Windows\System\PNFNCiY.exe | N/A |
| N/A | N/A | C:\Windows\System\npGsAVS.exe | N/A |
| N/A | N/A | C:\Windows\System\IcegZDh.exe | N/A |
| N/A | N/A | C:\Windows\System\TTDvNTp.exe | N/A |
| N/A | N/A | C:\Windows\System\qAciOvS.exe | N/A |
| N/A | N/A | C:\Windows\System\swnJjZa.exe | N/A |
| N/A | N/A | C:\Windows\System\OuVWaeR.exe | N/A |
| N/A | N/A | C:\Windows\System\Wivmmna.exe | N/A |
| N/A | N/A | C:\Windows\System\qgAvXPu.exe | N/A |
| N/A | N/A | C:\Windows\System\rBnJpsD.exe | N/A |
| N/A | N/A | C:\Windows\System\TZsFaKR.exe | N/A |
| N/A | N/A | C:\Windows\System\VKzxgqr.exe | N/A |
| N/A | N/A | C:\Windows\System\KZIHpDE.exe | N/A |
| N/A | N/A | C:\Windows\System\VQtQGhi.exe | N/A |
UPX packed file
64 matches recorded; no description, indicator, process or target captured.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-05_48093dfcace2895d0220c53a6683aba2_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\ykbGDoP.exe
C:\Windows\System\ykbGDoP.exe
C:\Windows\System\lqRnaKp.exe
C:\Windows\System\lqRnaKp.exe
C:\Windows\System\mJELDxH.exe
C:\Windows\System\mJELDxH.exe
C:\Windows\System\ZDpHQgG.exe
C:\Windows\System\ZDpHQgG.exe
C:\Windows\System\cxqTrbD.exe
C:\Windows\System\cxqTrbD.exe
C:\Windows\System\zvhZFGo.exe
C:\Windows\System\zvhZFGo.exe
C:\Windows\System\CPkAHJq.exe
C:\Windows\System\CPkAHJq.exe
C:\Windows\System\PNFNCiY.exe
C:\Windows\System\PNFNCiY.exe
C:\Windows\System\npGsAVS.exe
C:\Windows\System\npGsAVS.exe
C:\Windows\System\IcegZDh.exe
C:\Windows\System\IcegZDh.exe
C:\Windows\System\TTDvNTp.exe
C:\Windows\System\TTDvNTp.exe
C:\Windows\System\qAciOvS.exe
C:\Windows\System\qAciOvS.exe
C:\Windows\System\swnJjZa.exe
C:\Windows\System\swnJjZa.exe
C:\Windows\System\OuVWaeR.exe
C:\Windows\System\OuVWaeR.exe
C:\Windows\System\Wivmmna.exe
C:\Windows\System\Wivmmna.exe
C:\Windows\System\qgAvXPu.exe
C:\Windows\System\qgAvXPu.exe
C:\Windows\System\rBnJpsD.exe
C:\Windows\System\rBnJpsD.exe
C:\Windows\System\TZsFaKR.exe
C:\Windows\System\TZsFaKR.exe
C:\Windows\System\VKzxgqr.exe
C:\Windows\System\VKzxgqr.exe
C:\Windows\System\KZIHpDE.exe
C:\Windows\System\KZIHpDE.exe
C:\Windows\System\VQtQGhi.exe
C:\Windows\System\VQtQGhi.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2848-0-0x00007FF6B5080000-0x00007FF6B53D1000-memory.dmp
memory/2848-1-0x0000020B82E80000-0x0000020B82E90000-memory.dmp
C:\Windows\System\ykbGDoP.exe
| MD5 | 1cb192f7cb5e133aa7a08513b5afa937 |
| SHA1 | 701817ac15e214ac18f886a1802ee8b2e84df38b |
| SHA256 | b59f505939fe3aea85bab42989eee3f722d358ece36c1d21981555c5a4e6f65d |
| SHA512 | 76bb59dc1291b9a09f0de743a674b9c1c8788ea98f9782a60d98c1155e52afaf71609a99a655f2caab8e3da7954fac43fe212ad8af8ce3a076294e8b88bba6e1 |
C:\Windows\System\mJELDxH.exe
| MD5 | 8a73bb49f9d9c815bad950f18c8358dd |
| SHA1 | 3bdf6aef9f3936d34d416d17eae8a41496e59406 |
| SHA256 | 50482c8b532543149cd8af4c3bf2ce4133907c6e43f542229f1a092e8f610592 |
| SHA512 | ff7a123baca145f74158773266a9f1209c2999c26307e8a0f5f7ab8cc041617e11f11cf1197d321e7425f45bfbf50f90ef7b9ce79e2ca4a0e130cc188a2e40a8 |
memory/1876-13-0x00007FF65ADE0000-0x00007FF65B131000-memory.dmp
C:\Windows\System\lqRnaKp.exe
| MD5 | 49c13ab17085298fb4fabacb9c37c1dd |
| SHA1 | 5cea1166537ea5367c8d6a322b0bdbd9f99ac412 |
| SHA256 | 3703f9af2b6eed8dc4e0eb46ce9f87d5de72f7d42440d40bcd9c934a88059a7b |
| SHA512 | b9a2ac96662871cc1b34e9d5c7a9109e46b2615b55ecf8e6fa1351eb0df3eb8173d36f369c094d437edd9d152b2802a23fba461c4f66958ac7a3da4c7b80e92a |
memory/3120-6-0x00007FF7D4280000-0x00007FF7D45D1000-memory.dmp
C:\Windows\System\ZDpHQgG.exe
| MD5 | 80aec512a017098c978a56dc7cae0788 |
| SHA1 | cfd6f42b03bad952acb2d87131cd971cd5317360 |
| SHA256 | 4117288a85448fa79539d501795f8fba83ce1e279d9bc843456b5ca0411b688c |
| SHA512 | d18632340a344193cea7e801f248f5b41e3449943be319bebbc667285462b5d93863f4fe20095910c4b526cb7e84d466d777bc72d54949c6c9de1ea96712a7af |
memory/2252-26-0x00007FF61D4C0000-0x00007FF61D811000-memory.dmp
memory/2384-20-0x00007FF79D600000-0x00007FF79D951000-memory.dmp
C:\Windows\System\cxqTrbD.exe
| MD5 | 941fccc414edec7b624233d88dc1bc62 |
| SHA1 | 3577e4c3c039056b8b48f9fde1e20ed26e89516a |
| SHA256 | 4b6fc16b11619a594a8cdde6565ebaead55dcce7fb04ac8ba18a635c6ac01b6c |
| SHA512 | 975803435cee1eb9b3a538818edf1dfbd71eabcbae38ebc79529c687349caa938ef2ca5e47cf4a22679175b9214b185d9de161697e0056060a74c8bc5a7e7bd6 |
C:\Windows\System\zvhZFGo.exe
| MD5 | 260c2b0a3b7ec0b5c948b79ca00a1894 |
| SHA1 | c5b38d990102e41525c247e11a289b02b26647b8 |
| SHA256 | f9cedd2717971712bda857e16cc2cb18dbf5a6457c43434fa47f7831975cbbfb |
| SHA512 | 746a0b37520f30f5fa2d649fe3c18950844cab9f82aed96a18d4e501b8a377a0a00be2af06424f86e6f5cfd33f40bc8a08f5c38dea4eadf91944a8f6e7a4520d |
memory/984-37-0x00007FF665E20000-0x00007FF666171000-memory.dmp
C:\Windows\System\CPkAHJq.exe
| MD5 | 9551a480fb43190406a79db01bab220c |
| SHA1 | 27d8b13319de7fbee533d7a14af9a9d8d5f98052 |
| SHA256 | 524350829db41fc9bccb49af162067a357ce9fd9d0fdb1369491b6e1c33804fd |
| SHA512 | 685a4a0401f336a8785f7b266ff92428fdbbf6f24c518b86617e88a6470e3d881901d31148b2ded3016f8395caa819cf27ac1daa0db924e2272bba007e819a2f |
memory/3968-41-0x00007FF7C01D0000-0x00007FF7C0521000-memory.dmp
C:\Windows\System\PNFNCiY.exe
| MD5 | 644427979e1680abfa3d32838669c0f8 |
| SHA1 | 819e5aad4ca42009cb2e6577bd7d51d13a467f4d |
| SHA256 | cabb8667675cac1d65f0304b928503af37e76934e4cbb985d275aaeca81b2b12 |
| SHA512 | 323a9520b6893dc0d1d4f7bdc7e4e5e7bc18bd8c734724ab8a9594e6ac8779ebf0c52f4651bf719b1a3cece5d313fdff7d3a3899e10d0a9b6326262808f3f0be |
C:\Windows\System\npGsAVS.exe
| MD5 | 3361b232136718c52273d51618dc56a7 |
| SHA1 | cf682b17cd9aa0cfed9b4a0528d4ec213e891a14 |
| SHA256 | 0deb3afaaf16fba0664dce6595fd05d31550a8188eb67249981c1b8cdfd46023 |
| SHA512 | 64de56a3d38c4050d5eb7ebfd41c03c78292d4264aaab6645ab02f391ed80d0318a25ce02c57b8463dde2310c0432630b772d9a43812b1adadc4f6e7259d8dee |
C:\Windows\System\IcegZDh.exe
| MD5 | 3623a9dd2f93a721836f7546ea16c61e |
| SHA1 | 013c5bf59b5c5e948e73837eca104694e14bd41e |
| SHA256 | b18b19c2de6e3a71a99fff6941a6682fb14bfa6f9d28dec86e22c124e96369ab |
| SHA512 | 3cd2659c8a72c16179e8f550804e9e13004463ae5bbc1e61cb76e57ca5b6c39fecb034ec155a04c54e613d83545d4ba0600b53bcd11d238c812173952341a596 |
memory/3760-59-0x00007FF6C9780000-0x00007FF6C9AD1000-memory.dmp
memory/2848-63-0x00007FF6B5080000-0x00007FF6B53D1000-memory.dmp
memory/692-62-0x00007FF77F550000-0x00007FF77F8A1000-memory.dmp
C:\Windows\System\TTDvNTp.exe
| MD5 | 8d25de9c918eb51dfb0cb227e80959d2 |
| SHA1 | 423a77eac957ff9073c50a4c8c32a4b1e090311a |
| SHA256 | 27a1d9114f0a9ac1e6aefeb9599376ad821c5551aecd339a08eb4d51c568001e |
| SHA512 | f3c42f1fe666e0de08a4c4aa12542d375e9a181a81f2658997668036a4bad19dcb8fb7b8e9f547721acb21f0797381321eb3c27879ac402a87f0c4bb63f53c56 |
memory/2072-48-0x00007FF602130000-0x00007FF602481000-memory.dmp
memory/4628-31-0x00007FF7A5830000-0x00007FF7A5B81000-memory.dmp
C:\Windows\System\qAciOvS.exe
| MD5 | f6e4e7093fd5f45a61fc20d13e980e6c |
| SHA1 | c31d457acc8e585c8ea15ee465e567abb0e5fe92 |
| SHA256 | 65ab68eab9e16df9d9b1b5a75aedd559e3184fabdcca2458f3931a0b91a16473 |
| SHA512 | d0b4d010047bd3e700aaf8e4472c5bb3ff90e4bc6734f021a783a2aee9871f7820e23bb975eb3ca8ee8fe7f86d17bf42be7141531031560240a4429954d7116a |
memory/4064-76-0x00007FF7E0640000-0x00007FF7E0991000-memory.dmp
C:\Windows\System\Wivmmna.exe
| MD5 | 3e7937c4268800eb0d4afc4b8d0b0589 |
| SHA1 | 515013db83f8918b155ee389150ce9b386f2d732 |
| SHA256 | cf2dd6d29c23d4fda6defa0f8d121ad96c3e60a62b72eaa50bf0427642bf4d7d |
| SHA512 | b877193e28ca36c28866db8d2b871531791bf30c27e47900da0e01c6624c7eb1c0cea46eedcc252294983b1ccbdc52c6a7ef915b8c329552c6ddee01ec73f64a |
C:\Windows\System\qgAvXPu.exe
| MD5 | a4ee5ab0411c9874935141f29e6fad76 |
| SHA1 | 6849736d16c88af749fc35222540bf1c97a93278 |
| SHA256 | 64dccfda534a4fcf060f784b04105ccb8141e7535c8caf0e8708ac1622388612 |
| SHA512 | 0f615c85730b715125823b192bc3634e238c66912b821476303d2e481d82a29524305bbf524006befdb113c0bd2180a2b450d6f21fd7cca4d2944361d07e11e1 |
C:\Windows\System\VKzxgqr.exe
| MD5 | 29db618456ab3621d9973b77628917ce |
| SHA1 | 7846b23bfad21cfc6229ba2723ba78e140268bdd |
| SHA256 | 851b408482fd4e276a7342597c74f55a35a0af9cf3b4146a5cbe36130abaf6f3 |
| SHA512 | 8c5e1968a759046e83d0ece574adde1b033c992b6b9dd1b9fa6ce8f9b945c5b943554ae4e5d9baab8e6bb5b76471eb255e68454e854608e965046274f888640e |
C:\Windows\System\KZIHpDE.exe
| MD5 | 246b1ce140e1a4be4b95934bbb7c313e |
| SHA1 | db65da43ae0203dcaa7cc99e387b837799643f81 |
| SHA256 | fba44a57056d9b2124f00de1d7ec59e5b068716878c78ecd1fa79e8313fe2da5 |
| SHA512 | 049befe81f7ac7813f0505332fe5d0dd1c57d82be63a8e69d3d5bdb08ea1707f175aac92c1f9969a5836e9337dd3632fe6583e98877da441126041d6e0a91a6e |
C:\Windows\System\VQtQGhi.exe
| MD5 | 99bf477cafea2ff3cf1457808ae79e33 |
| SHA1 | c11f568d2bac66f96dce02f27cbeec5f56300358 |
| SHA256 | 36a3233477c848addaaa91b3aad21856c3990075d8ee6e7e181b4e30892df476 |
| SHA512 | 93f47040162b9101e837f20dd9c73b6a25eb99a13cf526c398e8b0cd6e840921708883dad5ae0711bb73ee6a4bd6c104fb41828c3e6d8432031afb9329ee987c |
C:\Windows\System\TZsFaKR.exe
| MD5 | 67014197f9f86b3aab605ec234bf360e |
| SHA1 | c2a013febc6a4067de38bc551fc1aed93881c826 |
| SHA256 | b7c217d77bdde170d32892b9b705b45b6c53752b290c943615395e67ef6ace16 |
| SHA512 | f8989232d5c663981cf38b66c842967a6c141c901508510b37d10ee9f7c680d15f4b4f0d092838db2b3a6bbc62ee7dd3365baca0e2cb479ae7311aa674129bc7 |
C:\Windows\System\rBnJpsD.exe
| MD5 | c51d87c88dea7d2515810cee96dd9519 |
| SHA1 | e6618471d26b0bd222bdba1c35344ae2d30ad1cd |
| SHA256 | 2d86cb3caed4d8ba893dc8cc06798d4859331212f128b0c6946e2d68f5223047 |
| SHA512 | aeb78a1bff8ade2c20e2ff3af626b6710a0092a59f6773e46c182526e8a2a76fb489f97da13b821a6cda460a3f5b134cbdeeb59c52ce3b845874beb802eb669a |
C:\Windows\System\OuVWaeR.exe
| MD5 | aaca7a20da9c7163e31e86c18c14cde5 |
| SHA1 | 5be32936551357d38b4e6ed14c2d7e44d4cb4e7c |
| SHA256 | 76c92159581f7b55ca66f92bb2328e333af23c881771e0f94024886ea065ffbe |
| SHA512 | b3c12979fb3653c651f3d90a756e3246cdb262b5affc3e4bc05213064bad14af699b2888817ce42e7b02faffb41d9c5e734664bec94ec9dbc5c33a0d65257814 |
C:\Windows\System\swnJjZa.exe
| MD5 | c0828a3344a0686e1c50605587ddd05c |
| SHA1 | 31c79eb2d77c614ada9a769ff92ced9c2a42970d |
| SHA256 | c643f473a2e281738f4e049dfe64ea9b37bf67a22220993f24ca4f863f645ee5 |
| SHA512 | ada13fb0ca02fb80df19c522d3d29f50d6131c3e2b05d8a63e8fe8bec95860d6d90ea16297e40b45c0132c44f7d072e17b85fb2d92d819f5769603658a023d24 |
memory/3120-75-0x00007FF7D4280000-0x00007FF7D45D1000-memory.dmp
memory/4208-69-0x00007FF6D3CE0000-0x00007FF6D4031000-memory.dmp
memory/1876-121-0x00007FF65ADE0000-0x00007FF65B131000-memory.dmp
memory/5032-123-0x00007FF6C8870000-0x00007FF6C8BC1000-memory.dmp
memory/3524-124-0x00007FF61F7B0000-0x00007FF61FB01000-memory.dmp
memory/3372-122-0x00007FF7F1F30000-0x00007FF7F2281000-memory.dmp
memory/2892-126-0x00007FF728BE0000-0x00007FF728F31000-memory.dmp
memory/3996-125-0x00007FF705080000-0x00007FF7053D1000-memory.dmp
memory/5108-127-0x00007FF69D020000-0x00007FF69D371000-memory.dmp
memory/2848-128-0x00007FF6B5080000-0x00007FF6B53D1000-memory.dmp
memory/2968-132-0x00007FF6600C0000-0x00007FF660411000-memory.dmp
memory/4860-130-0x00007FF668A40000-0x00007FF668D91000-memory.dmp
memory/4528-133-0x00007FF72E960000-0x00007FF72ECB1000-memory.dmp
memory/4628-136-0x00007FF7A5830000-0x00007FF7A5B81000-memory.dmp
memory/3968-138-0x00007FF7C01D0000-0x00007FF7C0521000-memory.dmp
memory/692-141-0x00007FF77F550000-0x00007FF77F8A1000-memory.dmp
memory/2072-139-0x00007FF602130000-0x00007FF602481000-memory.dmp
memory/984-137-0x00007FF665E20000-0x00007FF666171000-memory.dmp
memory/4208-142-0x00007FF6D3CE0000-0x00007FF6D4031000-memory.dmp
memory/2848-153-0x00007FF6B5080000-0x00007FF6B53D1000-memory.dmp
memory/3120-198-0x00007FF7D4280000-0x00007FF7D45D1000-memory.dmp
memory/1876-200-0x00007FF65ADE0000-0x00007FF65B131000-memory.dmp
memory/2384-202-0x00007FF79D600000-0x00007FF79D951000-memory.dmp
memory/2252-204-0x00007FF61D4C0000-0x00007FF61D811000-memory.dmp
memory/4628-208-0x00007FF7A5830000-0x00007FF7A5B81000-memory.dmp
memory/984-210-0x00007FF665E20000-0x00007FF666171000-memory.dmp
memory/2072-212-0x00007FF602130000-0x00007FF602481000-memory.dmp
memory/3760-214-0x00007FF6C9780000-0x00007FF6C9AD1000-memory.dmp
memory/3968-216-0x00007FF7C01D0000-0x00007FF7C0521000-memory.dmp
memory/692-218-0x00007FF77F550000-0x00007FF77F8A1000-memory.dmp
memory/4208-222-0x00007FF6D3CE0000-0x00007FF6D4031000-memory.dmp
memory/4064-221-0x00007FF7E0640000-0x00007FF7E0991000-memory.dmp
memory/5032-229-0x00007FF6C8870000-0x00007FF6C8BC1000-memory.dmp
memory/3372-230-0x00007FF7F1F30000-0x00007FF7F2281000-memory.dmp
memory/3524-227-0x00007FF61F7B0000-0x00007FF61FB01000-memory.dmp
memory/3996-225-0x00007FF705080000-0x00007FF7053D1000-memory.dmp
memory/2892-233-0x00007FF728BE0000-0x00007FF728F31000-memory.dmp
memory/5108-235-0x00007FF69D020000-0x00007FF69D371000-memory.dmp
memory/4528-236-0x00007FF72E960000-0x00007FF72ECB1000-memory.dmp
memory/4860-240-0x00007FF668A40000-0x00007FF668D91000-memory.dmp
memory/2968-238-0x00007FF6600C0000-0x00007FF660411000-memory.dmp
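The dropped-file hash tables and the `memory/<pid>-<n>-<start>-<end>-memory.dmp` entries above are the raw artefact listing of this report. As an added example (not part of the sandbox report or its tooling), the Python script below parses a constructed excerpt copied from that listing, checks that every digest has the length its algorithm requires (a cheap guard against truncated copy/paste IOCs), and groups the memory regions by PID and by size. On the entries above every region spans 0x351000 bytes at a different ASLR base, and repeated snapshots of one PID (2848 at indices 63, 128 and 153) collapse to a single range. The function names and the `SAMPLE_REPORT` excerpt are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample input: lines copied from the dropped-file and memory-dump
# listing above (two file entries plus five memory/<pid>-<n>-<start>-<end> dumps).
SAMPLE_REPORT = r"""
C:\Windows\System\npGsAVS.exe
| MD5 | 3361b232136718c52273d51618dc56a7 |
| SHA1 | cf682b17cd9aa0cfed9b4a0528d4ec213e891a14 |
| SHA256 | 0deb3afaaf16fba0664dce6595fd05d31550a8188eb67249981c1b8cdfd46023 |
| SHA512 | 64de56a3d38c4050d5eb7ebfd41c03c78292d4264aaab6645ab02f391ed80d0318a25ce02c57b8463dde2310c0432630b772d9a43812b1adadc4f6e7259d8dee |
C:\Windows\System\IcegZDh.exe
| MD5 | 3623a9dd2f93a721836f7546ea16c61e |
| SHA1 | 013c5bf59b5c5e948e73837eca104694e14bd41e |
| SHA256 | b18b19c2de6e3a71a99fff6941a6682fb14bfa6f9d28dec86e22c124e96369ab |
| SHA512 | 3cd2659c8a72c16179e8f550804e9e13004463ae5bbc1e61cb76e57ca5b6c39fecb034ec155a04c54e613d83545d4ba0600b53bcd11d238c812173952341a596 |
memory/3760-59-0x00007FF6C9780000-0x00007FF6C9AD1000-memory.dmp
memory/2848-63-0x00007FF6B5080000-0x00007FF6B53D1000-memory.dmp
memory/692-62-0x00007FF77F550000-0x00007FF77F8A1000-memory.dmp
memory/2848-128-0x00007FF6B5080000-0x00007FF6B53D1000-memory.dmp
memory/2848-153-0x00007FF6B5080000-0x00007FF6B53D1000-memory.dmp
"""

# Expected hex-digit length of each digest algorithm used in the report.
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PATH_RE = re.compile(r"^[A-Za-z]:\\.+")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_report(text):
    """Return ({path: {alg: digest}}, [(pid, seq, start, end)]) from listing lines."""
    files, dumps, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            current = line          # a path line opens a new hash table
            files[current] = {}
        elif (m := HASH_RE.match(line)) and current is not None:
            files[current][m.group(1)] = m.group(2).lower()
        elif m := DUMP_RE.match(line):
            pid, seq, start, end = m.groups()
            dumps.append((int(pid), int(seq), int(start, 16), int(end, 16)))
    return files, dumps


def check_digests(files):
    """Flag digests that are missing or whose length does not fit the algorithm."""
    problems = []
    for path, digests in files.items():
        for alg, want in HEX_LEN.items():
            got = digests.get(alg)
            if got is None:
                problems.append((path, alg, "missing"))
            elif len(got) != want:
                problems.append((path, alg, f"length {len(got)} != {want}"))
    return problems


def region_sizes(dumps):
    """Distinct sizes of the dumped regions; one size across PIDs suggests one image."""
    return {end - start for _, _, start, end in dumps}


def ranges_per_pid(dumps):
    """Map pid -> set of (start, end); repeated snapshots of a PID collapse to one range."""
    out = defaultdict(set)
    for pid, _, start, end in dumps:
        out[pid].add((start, end))
    return dict(out)


if __name__ == "__main__":
    files, dumps = parse_report(SAMPLE_REPORT)
    print("digest problems:", check_digests(files))
    print("region sizes:", [hex(s) for s in region_sizes(dumps)])
    for pid, ranges in sorted(ranges_per_pid(dumps).items()):
        print(pid, [f"{s:#x}-{e:#x}" for s, e in ranges])
```

Run it over the full listing (paste the rest of the entries into `SAMPLE_REPORT` or read the page text from a file) to turn the report into a checked IOC set before loading it into a blocklist; `check_digests` is what catches a digest that lost a character on the way.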