Analysis Overview
SHA256
d6fa81219bc189e713fe68f1b2f7e25128987e0b075a2f2e6ce742ce82cdf7ea
Threat Level: Known bad
The file 2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
XMRig Miner payload
Cobaltstrike
Xmrig family
Cobaltstrike family
xmrig
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-05 09:51
Signatures
Cobalt Strike reflective loader
1 match (per-match description, indicator, process and target are not included in this export)
Cobaltstrike family
XMRig Miner payload
1 match (per-match details not included in this export)
Xmrig family
UPX packed file
1 match (per-match details not included in this export)
Unsigned PE
2 matches (per-match details not included in this export)
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-05 09:51
Reported
2024-08-05 09:54
Platform
win7-20240729-en
Max time kernel
142s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches (per-match description, indicator, process and target are not included in this export)
Cobaltstrike
xmrig
XMRig Miner payload
41 matches (per-match description, indicator, process and target are not included in this export)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\sqcUIws.exe | N/A |
| N/A | N/A | C:\Windows\System\ijYMHIB.exe | N/A |
| N/A | N/A | C:\Windows\System\ZpnKngi.exe | N/A |
| N/A | N/A | C:\Windows\System\MVhzxDI.exe | N/A |
| N/A | N/A | C:\Windows\System\nyqhQPL.exe | N/A |
| N/A | N/A | C:\Windows\System\lDXmfov.exe | N/A |
| N/A | N/A | C:\Windows\System\wzzbiZS.exe | N/A |
| N/A | N/A | C:\Windows\System\POpPReH.exe | N/A |
| N/A | N/A | C:\Windows\System\IIxfgyr.exe | N/A |
| N/A | N/A | C:\Windows\System\GPjFsDr.exe | N/A |
| N/A | N/A | C:\Windows\System\sPzLPAr.exe | N/A |
| N/A | N/A | C:\Windows\System\oNnSAwe.exe | N/A |
| N/A | N/A | C:\Windows\System\kPpsdoS.exe | N/A |
| N/A | N/A | C:\Windows\System\KBMMZsf.exe | N/A |
| N/A | N/A | C:\Windows\System\mwFujae.exe | N/A |
| N/A | N/A | C:\Windows\System\FcdHRoZ.exe | N/A |
| N/A | N/A | C:\Windows\System\LZBMJhq.exe | N/A |
| N/A | N/A | C:\Windows\System\MtEkbdA.exe | N/A |
| N/A | N/A | C:\Windows\System\ggIcAuW.exe | N/A |
| N/A | N/A | C:\Windows\System\MDgelcY.exe | N/A |
| N/A | N/A | C:\Windows\System\VleTOWd.exe | N/A |
Loads dropped DLL
UPX packed file
64 matches (per-match description, indicator, process and target are not included in this export)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
SeLockMemoryPrivilege is the right XMRig enables so it can allocate large pages for its mining dataset; a user-land executable enabling it is a miner indicator in its own right, independent of the hash and family matches above.
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\sqcUIws.exe | C:\Windows\System\sqcUIws.exe |
| C:\Windows\System\ijYMHIB.exe | C:\Windows\System\ijYMHIB.exe |
| C:\Windows\System\ZpnKngi.exe | C:\Windows\System\ZpnKngi.exe |
| C:\Windows\System\MVhzxDI.exe | C:\Windows\System\MVhzxDI.exe |
| C:\Windows\System\nyqhQPL.exe | C:\Windows\System\nyqhQPL.exe |
| C:\Windows\System\lDXmfov.exe | C:\Windows\System\lDXmfov.exe |
| C:\Windows\System\wzzbiZS.exe | C:\Windows\System\wzzbiZS.exe |
| C:\Windows\System\POpPReH.exe | C:\Windows\System\POpPReH.exe |
| C:\Windows\System\IIxfgyr.exe | C:\Windows\System\IIxfgyr.exe |
| C:\Windows\System\GPjFsDr.exe | C:\Windows\System\GPjFsDr.exe |
| C:\Windows\System\sPzLPAr.exe | C:\Windows\System\sPzLPAr.exe |
| C:\Windows\System\oNnSAwe.exe | C:\Windows\System\oNnSAwe.exe |
| C:\Windows\System\kPpsdoS.exe | C:\Windows\System\kPpsdoS.exe |
| C:\Windows\System\KBMMZsf.exe | C:\Windows\System\KBMMZsf.exe |
| C:\Windows\System\mwFujae.exe | C:\Windows\System\mwFujae.exe |
| C:\Windows\System\FcdHRoZ.exe | C:\Windows\System\FcdHRoZ.exe |
| C:\Windows\System\LZBMJhq.exe | C:\Windows\System\LZBMJhq.exe |
| C:\Windows\System\MtEkbdA.exe | C:\Windows\System\MtEkbdA.exe |
| C:\Windows\System\MDgelcY.exe | C:\Windows\System\MDgelcY.exe |
| C:\Windows\System\ggIcAuW.exe | C:\Windows\System\ggIcAuW.exe |
| C:\Windows\System\VleTOWd.exe | C:\Windows\System\VleTOWd.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
The only external endpoint contacted in this run is 3.120.209.58:8080, reached six times over TCP with no name resolution recorded for it, so the sample connects by IP address.
Files
memory/1316-0-0x000000013F980000-0x000000013FCD1000-memory.dmp
memory/1316-1-0x00000000003F0000-0x0000000000400000-memory.dmp
C:\Windows\system\sqcUIws.exe
| MD5 | 1eeb9a736cc42fafe5f450f8e8cdd241 |
| SHA1 | e106cf09c2606509b6e8eb1d4d0f699a9928722a |
| SHA256 | f229d84d4b1f73a58ab539022a8f8ef2ed5993a651acf4d9dcbb3c6252690f31 |
| SHA512 | 7968c83ad002a3d1a950c5a2fa8b7abb3162ca728b6468460d0c2a0eb6b79294ce66d6d81c5c75d60987ce990b387afd2c05bec6696ca35ca8a3f6b3ae7dc4c1 |
memory/1316-7-0x00000000022B0000-0x0000000002601000-memory.dmp
memory/1500-9-0x000000013F9F0000-0x000000013FD41000-memory.dmp
C:\Windows\system\ijYMHIB.exe
| MD5 | 588a6bc8291f425b67feb758997f9f07 |
| SHA1 | 9fb66f11c1401d4d9dff7f822a366b091bf7eff7 |
| SHA256 | dc7424c23e40fe6273de7f98d1683dec1978a0b6ce4b7d15410f0ab8fd300045 |
| SHA512 | 1a710964e6299e7fa3ba0e7da93b9966d2cba24bf77565ee700800c9a6ce0d2c192a7646b49563fe82e70bfdf283ee709865db7ad280a96529a0bc512e100b10 |
memory/2248-15-0x000000013F480000-0x000000013F7D1000-memory.dmp
memory/1316-14-0x000000013F480000-0x000000013F7D1000-memory.dmp
C:\Windows\system\ZpnKngi.exe
| MD5 | 5f72ce968e7394cac98644fe01952058 |
| SHA1 | ef6049eaf659f7a9bb565e024e75e7ce59279b42 |
| SHA256 | 53c242aedd97dcf6f2a520259a4c8da9538d58047837511926ff7099f73f03a3 |
| SHA512 | 4096879b8d741607fb3ddd80d87526fd069d78a2e86b640cd5fd7eeadc9fde6c80c21ea0cd4abd845a08de3b9a15c0916dc4eb284f634e9d22c464ed99e12a0d |
memory/2796-22-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/1316-21-0x000000013F290000-0x000000013F5E1000-memory.dmp
C:\Windows\system\MVhzxDI.exe
| MD5 | 068cc7f6456a6b356d696bdcefb59f5b |
| SHA1 | d274cd511cde6b3966213d8f4a3b9ab787cd7868 |
| SHA256 | fba4ff89fc4c463274c21172b42a3ae7e4fe611b46922449bdf8aade05509373 |
| SHA512 | e8ca9187cebce14eec789d6a3c28c6611c1f2e82487209fc9080f1ec738b2ccf33d1fec8f933059908a28be2b5194c8071f110d973bc733b9f3559e4c7d7ee68 |
memory/1316-28-0x000000013F490000-0x000000013F7E1000-memory.dmp
memory/2800-30-0x000000013F490000-0x000000013F7E1000-memory.dmp
C:\Windows\system\nyqhQPL.exe
| MD5 | 7ce47363c24bd9d4a7fb1d7d81887a80 |
| SHA1 | 39a1dd5faa2afe06f2660d56e669dea14d8c6e74 |
| SHA256 | effcc71a1d992e2427816f1d7cc4abf10aff5070eae2d08cb98f326a8361673f |
| SHA512 | 8d6769faad288ca13067f049381a971375f2aa6079196cb5cb744c762747d8b3f576a1a43b991e1d2b6f982729f4e805e06c25ac433043646eb1d0eef81bc7aa |
memory/1316-35-0x000000013FCF0000-0x0000000140041000-memory.dmp
\Windows\system\lDXmfov.exe
| MD5 | 2ba17871ab767a44da44447432280fb7 |
| SHA1 | 2973f78568bc69c1637fc7b431609338136e154c |
| SHA256 | 07ea08bff7cb404ec432150983ba93b626d26ab80591e04ddc13552f3db51d8e |
| SHA512 | 966a0eb8c9e7a41ffda94cb9d1fbdc4c5aae9fe89de3934c3e15df62244bc0b71753d71e2ca6f309e07245d7612b15f5d6d6822243517bfe3e9813096007e747 |
memory/1316-44-0x00000000022B0000-0x0000000002601000-memory.dmp
memory/2988-43-0x000000013FAD0000-0x000000013FE21000-memory.dmp
memory/2728-42-0x000000013FCF0000-0x0000000140041000-memory.dmp
\Windows\system\POpPReH.exe
| MD5 | 5b8685af10faf03f48050e4c301a6066 |
| SHA1 | b9170ae00fe8d4a2accbfcd8f90341b5fba6bb93 |
| SHA256 | 439fcd60caffa88ea91d353dbddd980840b86087052fb317f56f551fc3cad8f4 |
| SHA512 | 60228698aef133d3afcd2597eeb31ee5786a270ce94669b301578b646537d5df7892b6b9834eaef741693a877045ae1a72e6f14db6a1ca599336a66a08dd021b |
\Windows\system\IIxfgyr.exe
| MD5 | c3e838b2b4840828cd7d0a65f55e1c2b |
| SHA1 | 250253f2c59847a06693bcf870fb426987fbc5b2 |
| SHA256 | cde4f849643a58d30068e8758717f00ba111e0e4e7762c4720675e9b53b5fcc1 |
| SHA512 | 9c2d7b64d5d8c4dd711962732c08f6238e8398ae4185a92ece257337247c3b5e5138d04c8229cdcded4ee38811da0ea8301dba2e805a5364e06f71e5d8fecfc7 |
memory/2716-56-0x000000013F050000-0x000000013F3A1000-memory.dmp
memory/2668-64-0x000000013F330000-0x000000013F681000-memory.dmp
memory/2616-63-0x000000013FB30000-0x000000013FE81000-memory.dmp
memory/1316-61-0x000000013F330000-0x000000013F681000-memory.dmp
memory/1316-58-0x00000000022B0000-0x0000000002601000-memory.dmp
C:\Windows\system\wzzbiZS.exe
| MD5 | de87a6b75084272b7fcca478ec43e970 |
| SHA1 | dbc8b4d47a7455a07a18a35ae0b8c3a8133781f9 |
| SHA256 | 2dc08d680c3d4fa4b4693d18f51d9deb3d01ec7d2426fa5b909ef6e5e43292f9 |
| SHA512 | 2606f1932ad396fe49d1a076894cc39a0a8b6d5d52487ce5c7a80134b24d95ae143e658927b7a9ce9c04488052bb9e44ca4b19fd096a6ae9d7a760f10affa2f8 |
C:\Windows\system\GPjFsDr.exe
| MD5 | 4f63f7085c3f39eb7fec3133390dc201 |
| SHA1 | 271a3059ec25696f476ab1ecbeaa2f97cc41eda8 |
| SHA256 | 39c75658eb8bb851e1bbeefcb83d9a13ede0b0120f21cb37a49d53e7ab8ec3c7 |
| SHA512 | 9340e2f70bae21236be6225ca1034d2ca3742a8eb4da9929ef90af6e7870ea34d71c615f3b1d9a7bf509d548db07c68607c022aa9782b3b29a6ac216a5556e24 |
\Windows\system\sPzLPAr.exe
| MD5 | 99d252b5abed7c3344d4d81752aa9a45 |
| SHA1 | 00bec83742dd0eeeb974eb85ef1069e3ba98a1d1 |
| SHA256 | 916bb540396cf3c75d00169982484beaaeb1bf93f040853f94ebd5474316d4a4 |
| SHA512 | 12fddf0a9b9ba7c1a2abd82d74c8131f9580a23d4f383d8dad54f6e132231eb14c7fea494e0fb9ee93820538738d84f72161f514d163445e4ad15a2fd0335507 |
memory/1316-78-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/1500-76-0x000000013F9F0000-0x000000013FD41000-memory.dmp
memory/1040-79-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/2248-80-0x000000013F480000-0x000000013F7D1000-memory.dmp
memory/1640-71-0x000000013F990000-0x000000013FCE1000-memory.dmp
memory/1316-70-0x000000013F980000-0x000000013FCD1000-memory.dmp
\Windows\system\oNnSAwe.exe
| MD5 | 801bebdd46901a90e4b1614f52913d03 |
| SHA1 | cba5e46ac56130ef58a8da389e5bd68110897198 |
| SHA256 | 7c79c95f946b0700f13cccfbe797c1a1084ab17ae68cf30649cc6b44bce4fe2f |
| SHA512 | 5c35109d5053d341f541835351ecbe795f5a636baf3911948d1933f4334409176b127b6913010309254a79bbb3deecc53c9ae7cbb637f37e1738c4c7c9f9eb0f |
memory/2796-90-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/1316-95-0x000000013F4A0000-0x000000013F7F1000-memory.dmp
memory/2728-97-0x000000013FCF0000-0x0000000140041000-memory.dmp
C:\Windows\system\KBMMZsf.exe
| MD5 | a42bc2993aa90277d37445b995db29bb |
| SHA1 | 415c45c04d61712859891d8cd2f0bd0ce146e086 |
| SHA256 | ed039caa11c5cb8bedc78f73c9333ca17b00405cf67f648952d1d2b2f3b08594 |
| SHA512 | 8664582b6415484ff5861554800df508314d2537db05f78014cc2345d7fef50ba1b2f22d4463bdfb92878fe4b8d11dead1d8685d444f5362f8d6cfa239d697b4 |
memory/3020-104-0x000000013F3A0000-0x000000013F6F1000-memory.dmp
memory/1316-103-0x000000013F3A0000-0x000000013F6F1000-memory.dmp
memory/2800-96-0x000000013F490000-0x000000013F7E1000-memory.dmp
memory/2132-94-0x000000013F4A0000-0x000000013F7F1000-memory.dmp
memory/1800-93-0x000000013F9A0000-0x000000013FCF1000-memory.dmp
memory/1316-92-0x00000000022B0000-0x0000000002601000-memory.dmp
C:\Windows\system\kPpsdoS.exe
| MD5 | 55f9d4b8e6fd4e6a45618ed5c2c7a232 |
| SHA1 | 62fdda2bfac01bfbfdaa9e0ae13b95e5964559c8 |
| SHA256 | 34609c2f2b45a4e00b067e7dcae95fe4a27cc298a6ca55803124fc699e15963c |
| SHA512 | 99007ca8c213438153efe4d09b177924d7105353b077da9bb767e20093b0538277e543371c838b91301eb3d61dd6f6710d245449a99503a1c98d9d70c58f6f4d |
C:\Windows\system\mwFujae.exe
| MD5 | e159cce3d8915d0107c614c703122c62 |
| SHA1 | 421d24b09a090f3e54c843c230c06a7e0a7216ec |
| SHA256 | 2fd81b388cf83519efc385779a80f7006c3517b057d4022037c0aa4883ef659a |
| SHA512 | dd6bdce6ddc2fab3ee32f2b6d286714d8973e88557a2a9cf04b3f9825cdf3eb05bb036170d245ea8d610046fc25887165f51744e29daa037aed95cc70031917d |
memory/1316-110-0x00000000022B0000-0x0000000002601000-memory.dmp
\Windows\system\MtEkbdA.exe
| MD5 | 225dae27cc840f2abb4b37c56b1090ef |
| SHA1 | fc18c472a82e62c98a9759deef0c88186a9cafca |
| SHA256 | 07c8e2b2b47682b451c429e05450ab08f85c142d43343fc66d87232aefbcf7ab |
| SHA512 | 234ca3ffe89dd4e512bf99ce40e05cf27a246980fa1f3c91c609ad100cefdd33a50809b195afcf19566bdea20e130aa521dadb8ae509845156f03ba3934e108c |
C:\Windows\system\ggIcAuW.exe
| MD5 | 2eb3bb4f180fe0f43f5cc95027af6822 |
| SHA1 | b79165dbf44da70cf8a23706ad640d17814b9f12 |
| SHA256 | 173ead8c9a50309e97251bb9fee5c69d2a4217be6c92c071eeb66b360cf4bce3 |
| SHA512 | d2957c79ddbd08f392778025f292bd091ad971c7420b2f1917bfb9c123495377d10b958cc6d2bed1fcd9b7a705c7aee8c53b24e584a6e7ceb0abce019f8a56e3 |
C:\Windows\system\MDgelcY.exe
| MD5 | 50d3448a041ff3290dd39eb9ac227489 |
| SHA1 | 4de101865f988e701463d8b96566b9a8e5a7468b |
| SHA256 | 76bc502cd45e8f5d7be84ec3596d2d20018b102ef874880824e49ddd7311d214 |
| SHA512 | 9be3e9946432924bd3694452d1f7abe666c4a8ba42a3cef807443e6dbc5574aaba4eb4461d927f9f99541255b405bc2e9484b2bef4ff8083e4c42148f78f318a |
\Windows\system\VleTOWd.exe
| MD5 | 4211f8a0594a25631dbcbeb73cee8767 |
| SHA1 | b9998ae4cb50e829cd6b7781ced57564b62d3037 |
| SHA256 | 9653ad91e9388e36a19134d26207119547a2cd67d36bafb7bd196c790d0fb839 |
| SHA512 | 7ad7f8f5bbac9f90af63ce0f5fc53d7159c9230839842b800011b49b70b2ea163f27980ec4ede3b10608cba66d4879de451fb7df1c94f7d1b1b28b2b3c0a5442 |
C:\Windows\system\LZBMJhq.exe
| MD5 | 8912542331e92b7617ec576bd4d32685 |
| SHA1 | a0d984f76e07339e227e757fc21a3afa65dd2f19 |
| SHA256 | 614dc45c0f7017cba2e1994126dc083f30b350e6dad3524cc04db353e23ece07 |
| SHA512 | 94b2d409bff1d3d22bb73e3e5aae444fa0729d94c61a63791139a3fa8f375b6417bde6714e4c80b289a4812aa21186a91f26d4a0addf4f65e99719e50560b06a |
C:\Windows\system\FcdHRoZ.exe
| MD5 | 074c71162e0c8fcc630aa649af1ad21a |
| SHA1 | a4033f94bc0d6bc2854ce6bf6bf8769b1728dd87 |
| SHA256 | 953de87a6b40f543c5903e2b5aa754a4f90b80110a75881561c9b6ebbcafdb79 |
| SHA512 | 96ed5e6fc6fdbfa2887dfa3b925d5d930d64ca389c6c11be8d15b5ba54bbe42e6e92f2f2170905b9fa0f6216ea77ce397ce930457c50c0476ccfec6b5100117d |
memory/2716-140-0x000000013F050000-0x000000013F3A1000-memory.dmp
memory/1316-141-0x000000013F980000-0x000000013FCD1000-memory.dmp
memory/1316-155-0x00000000022B0000-0x0000000002601000-memory.dmp
memory/2780-158-0x000000013F7C0000-0x000000013FB11000-memory.dmp
memory/2500-157-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/1940-161-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/1524-163-0x000000013F3A0000-0x000000013F6F1000-memory.dmp
memory/1316-164-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/1916-162-0x000000013FC00000-0x000000013FF51000-memory.dmp
memory/3048-160-0x000000013F2B0000-0x000000013F601000-memory.dmp
memory/2784-159-0x000000013FC00000-0x000000013FF51000-memory.dmp
memory/1316-165-0x000000013F980000-0x000000013FCD1000-memory.dmp
memory/1316-187-0x000000013F3A0000-0x000000013F6F1000-memory.dmp
memory/1500-211-0x000000013F9F0000-0x000000013FD41000-memory.dmp
memory/2248-219-0x000000013F480000-0x000000013F7D1000-memory.dmp
memory/2796-221-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/2800-223-0x000000013F490000-0x000000013F7E1000-memory.dmp
memory/2988-225-0x000000013FAD0000-0x000000013FE21000-memory.dmp
memory/2728-227-0x000000013FCF0000-0x0000000140041000-memory.dmp
memory/2716-229-0x000000013F050000-0x000000013F3A1000-memory.dmp
memory/2616-231-0x000000013FB30000-0x000000013FE81000-memory.dmp
memory/2668-233-0x000000013F330000-0x000000013F681000-memory.dmp
memory/1640-237-0x000000013F990000-0x000000013FCE1000-memory.dmp
memory/1040-239-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/1800-241-0x000000013F9A0000-0x000000013FCF1000-memory.dmp
memory/2132-248-0x000000013F4A0000-0x000000013F7F1000-memory.dmp
memory/3020-250-0x000000013F3A0000-0x000000013F6F1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-05 09:51
Reported
2024-08-05 09:54
Platform
win10v2004-20240802-en
Max time kernel
140s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches (per-match description, indicator, process and target are not included in this export)
Cobaltstrike
xmrig
XMRig Miner payload
46 matches (per-match description, indicator, process and target are not included in this export)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\sqcUIws.exe | N/A |
| N/A | N/A | C:\Windows\System\ijYMHIB.exe | N/A |
| N/A | N/A | C:\Windows\System\ZpnKngi.exe | N/A |
| N/A | N/A | C:\Windows\System\MVhzxDI.exe | N/A |
| N/A | N/A | C:\Windows\System\nyqhQPL.exe | N/A |
| N/A | N/A | C:\Windows\System\lDXmfov.exe | N/A |
| N/A | N/A | C:\Windows\System\wzzbiZS.exe | N/A |
| N/A | N/A | C:\Windows\System\POpPReH.exe | N/A |
| N/A | N/A | C:\Windows\System\IIxfgyr.exe | N/A |
| N/A | N/A | C:\Windows\System\GPjFsDr.exe | N/A |
| N/A | N/A | C:\Windows\System\sPzLPAr.exe | N/A |
| N/A | N/A | C:\Windows\System\oNnSAwe.exe | N/A |
| N/A | N/A | C:\Windows\System\kPpsdoS.exe | N/A |
| N/A | N/A | C:\Windows\System\KBMMZsf.exe | N/A |
| N/A | N/A | C:\Windows\System\mwFujae.exe | N/A |
| N/A | N/A | C:\Windows\System\FcdHRoZ.exe | N/A |
| N/A | N/A | C:\Windows\System\LZBMJhq.exe | N/A |
| N/A | N/A | C:\Windows\System\MtEkbdA.exe | N/A |
| N/A | N/A | C:\Windows\System\MDgelcY.exe | N/A |
| N/A | N/A | C:\Windows\System\ggIcAuW.exe | N/A |
| N/A | N/A | C:\Windows\System\VleTOWd.exe | N/A |
UPX packed file
64 matches (per-match description, indicator, process and target are not included in this export)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-05_e5dc297a06c8e8bf5a32e6413ecd9051_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\sqcUIws.exe | C:\Windows\System\sqcUIws.exe |
| C:\Windows\System\ijYMHIB.exe | C:\Windows\System\ijYMHIB.exe |
| C:\Windows\System\ZpnKngi.exe | C:\Windows\System\ZpnKngi.exe |
| C:\Windows\System\MVhzxDI.exe | C:\Windows\System\MVhzxDI.exe |
| C:\Windows\System\nyqhQPL.exe | C:\Windows\System\nyqhQPL.exe |
| C:\Windows\System\lDXmfov.exe | C:\Windows\System\lDXmfov.exe |
| C:\Windows\System\wzzbiZS.exe | C:\Windows\System\wzzbiZS.exe |
| C:\Windows\System\POpPReH.exe | C:\Windows\System\POpPReH.exe |
| C:\Windows\System\IIxfgyr.exe | C:\Windows\System\IIxfgyr.exe |
| C:\Windows\System\GPjFsDr.exe | C:\Windows\System\GPjFsDr.exe |
| C:\Windows\System\sPzLPAr.exe | C:\Windows\System\sPzLPAr.exe |
| C:\Windows\System\oNnSAwe.exe | C:\Windows\System\oNnSAwe.exe |
| C:\Windows\System\kPpsdoS.exe | C:\Windows\System\kPpsdoS.exe |
| C:\Windows\System\KBMMZsf.exe | C:\Windows\System\KBMMZsf.exe |
| C:\Windows\System\mwFujae.exe | C:\Windows\System\mwFujae.exe |
| C:\Windows\System\FcdHRoZ.exe | C:\Windows\System\FcdHRoZ.exe |
| C:\Windows\System\LZBMJhq.exe | C:\Windows\System\LZBMJhq.exe |
| C:\Windows\System\MtEkbdA.exe | C:\Windows\System\MtEkbdA.exe |
| C:\Windows\System\MDgelcY.exe | C:\Windows\System\MDgelcY.exe |
| C:\Windows\System\ggIcAuW.exe | C:\Windows\System\ggIcAuW.exe |
| C:\Windows\System\VleTOWd.exe | C:\Windows\System\VleTOWd.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
3.120.209.58:8080 is the one destination shared with the Windows 7 run and is again contacted six times without any name resolution. The g.bing.com traffic and the reverse (in-addr.arpa) lookups appear only on the Windows 10 image and are consistent with operating-system background activity rather than sample behaviour.
Files
memory/1280-0-0x00007FF6A1630000-0x00007FF6A1981000-memory.dmp
memory/1280-1-0x000001D0E0420000-0x000001D0E0430000-memory.dmp
C:\Windows\System\sqcUIws.exe
| MD5 | 1eeb9a736cc42fafe5f450f8e8cdd241 |
| SHA1 | e106cf09c2606509b6e8eb1d4d0f699a9928722a |
| SHA256 | f229d84d4b1f73a58ab539022a8f8ef2ed5993a651acf4d9dcbb3c6252690f31 |
| SHA512 | 7968c83ad002a3d1a950c5a2fa8b7abb3162ca728b6468460d0c2a0eb6b79294ce66d6d81c5c75d60987ce990b387afd2c05bec6696ca35ca8a3f6b3ae7dc4c1 |
C:\Windows\System\ZpnKngi.exe
| MD5 | 5f72ce968e7394cac98644fe01952058 |
| SHA1 | ef6049eaf659f7a9bb565e024e75e7ce59279b42 |
| SHA256 | 53c242aedd97dcf6f2a520259a4c8da9538d58047837511926ff7099f73f03a3 |
| SHA512 | 4096879b8d741607fb3ddd80d87526fd069d78a2e86b640cd5fd7eeadc9fde6c80c21ea0cd4abd845a08de3b9a15c0916dc4eb284f634e9d22c464ed99e12a0d |
memory/1312-20-0x00007FF6AE9C0000-0x00007FF6AED11000-memory.dmp
C:\Windows\System\MVhzxDI.exe
| MD5 | 068cc7f6456a6b356d696bdcefb59f5b |
| SHA1 | d274cd511cde6b3966213d8f4a3b9ab787cd7868 |
| SHA256 | fba4ff89fc4c463274c21172b42a3ae7e4fe611b46922449bdf8aade05509373 |
| SHA512 | e8ca9187cebce14eec789d6a3c28c6611c1f2e82487209fc9080f1ec738b2ccf33d1fec8f933059908a28be2b5194c8071f110d973bc733b9f3559e4c7d7ee68 |
memory/2988-38-0x00007FF7E5630000-0x00007FF7E5981000-memory.dmp
C:\Windows\System\IIxfgyr.exe
| MD5 | c3e838b2b4840828cd7d0a65f55e1c2b |
| SHA1 | 250253f2c59847a06693bcf870fb426987fbc5b2 |
| SHA256 | cde4f849643a58d30068e8758717f00ba111e0e4e7762c4720675e9b53b5fcc1 |
| SHA512 | 9c2d7b64d5d8c4dd711962732c08f6238e8398ae4185a92ece257337247c3b5e5138d04c8229cdcded4ee38811da0ea8301dba2e805a5364e06f71e5d8fecfc7 |
memory/2608-58-0x00007FF618000000-0x00007FF618351000-memory.dmp
C:\Windows\System\sPzLPAr.exe
| MD5 | 99d252b5abed7c3344d4d81752aa9a45 |
| SHA1 | 00bec83742dd0eeeb974eb85ef1069e3ba98a1d1 |
| SHA256 | 916bb540396cf3c75d00169982484beaaeb1bf93f040853f94ebd5474316d4a4 |
| SHA512 | 12fddf0a9b9ba7c1a2abd82d74c8131f9580a23d4f383d8dad54f6e132231eb14c7fea494e0fb9ee93820538738d84f72161f514d163445e4ad15a2fd0335507 |
C:\Windows\System\kPpsdoS.exe
| MD5 | 55f9d4b8e6fd4e6a45618ed5c2c7a232 |
| SHA1 | 62fdda2bfac01bfbfdaa9e0ae13b95e5964559c8 |
| SHA256 | 34609c2f2b45a4e00b067e7dcae95fe4a27cc298a6ca55803124fc699e15963c |
| SHA512 | 99007ca8c213438153efe4d09b177924d7105353b077da9bb767e20093b0538277e543371c838b91301eb3d61dd6f6710d245449a99503a1c98d9d70c58f6f4d |
memory/4060-87-0x00007FF724E90000-0x00007FF7251E1000-memory.dmp
C:\Windows\System\FcdHRoZ.exe
| MD5 | 074c71162e0c8fcc630aa649af1ad21a |
| SHA1 | a4033f94bc0d6bc2854ce6bf6bf8769b1728dd87 |
| SHA256 | 953de87a6b40f543c5903e2b5aa754a4f90b80110a75881561c9b6ebbcafdb79 |
| SHA512 | 96ed5e6fc6fdbfa2887dfa3b925d5d930d64ca389c6c11be8d15b5ba54bbe42e6e92f2f2170905b9fa0f6216ea77ce397ce930457c50c0476ccfec6b5100117d |
C:\Windows\System\MtEkbdA.exe