Analysis Overview
SHA256
8f6f8caeb1f06933503e813545c030ff319d66cafe7642a37d3ceb0af647f089
Threat Level: Known bad
The file 2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Cobaltstrike family
xmrig
Xmrig family
Cobaltstrike
Cobalt Strike reflective loader
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-05 12:29
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-05 12:29
Reported
2024-08-05 12:31
Platform
win7-20240705-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\xixAQpt.exe | N/A |
| N/A | N/A | C:\Windows\System\tcdHnUz.exe | N/A |
| N/A | N/A | C:\Windows\System\gCBCqny.exe | N/A |
| N/A | N/A | C:\Windows\System\VEEDIsw.exe | N/A |
| N/A | N/A | C:\Windows\System\GhPjGUB.exe | N/A |
| N/A | N/A | C:\Windows\System\BXijEEe.exe | N/A |
| N/A | N/A | C:\Windows\System\bZeLRGZ.exe | N/A |
| N/A | N/A | C:\Windows\System\PsDhrVd.exe | N/A |
| N/A | N/A | C:\Windows\System\wzzwcbr.exe | N/A |
| N/A | N/A | C:\Windows\System\KqlLZsE.exe | N/A |
| N/A | N/A | C:\Windows\System\EIAvzAf.exe | N/A |
| N/A | N/A | C:\Windows\System\XFZECab.exe | N/A |
| N/A | N/A | C:\Windows\System\yCaVxfT.exe | N/A |
| N/A | N/A | C:\Windows\System\zYaCeMF.exe | N/A |
| N/A | N/A | C:\Windows\System\gbCavBV.exe | N/A |
| N/A | N/A | C:\Windows\System\xYxdeDM.exe | N/A |
| N/A | N/A | C:\Windows\System\OtEQVTO.exe | N/A |
| N/A | N/A | C:\Windows\System\qQnKgOG.exe | N/A |
| N/A | N/A | C:\Windows\System\FngMgsf.exe | N/A |
| N/A | N/A | C:\Windows\System\tmRIoAY.exe | N/A |
| N/A | N/A | C:\Windows\System\BVKvGVG.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\xixAQpt.exe
C:\Windows\System\xixAQpt.exe
C:\Windows\System\gCBCqny.exe
C:\Windows\System\gCBCqny.exe
C:\Windows\System\tcdHnUz.exe
C:\Windows\System\tcdHnUz.exe
C:\Windows\System\VEEDIsw.exe
C:\Windows\System\VEEDIsw.exe
C:\Windows\System\GhPjGUB.exe
C:\Windows\System\GhPjGUB.exe
C:\Windows\System\BXijEEe.exe
C:\Windows\System\BXijEEe.exe
C:\Windows\System\bZeLRGZ.exe
C:\Windows\System\bZeLRGZ.exe
C:\Windows\System\PsDhrVd.exe
C:\Windows\System\PsDhrVd.exe
C:\Windows\System\wzzwcbr.exe
C:\Windows\System\wzzwcbr.exe
C:\Windows\System\KqlLZsE.exe
C:\Windows\System\KqlLZsE.exe
C:\Windows\System\EIAvzAf.exe
C:\Windows\System\EIAvzAf.exe
C:\Windows\System\XFZECab.exe
C:\Windows\System\XFZECab.exe
C:\Windows\System\yCaVxfT.exe
C:\Windows\System\yCaVxfT.exe
C:\Windows\System\zYaCeMF.exe
C:\Windows\System\zYaCeMF.exe
C:\Windows\System\gbCavBV.exe
C:\Windows\System\gbCavBV.exe
C:\Windows\System\xYxdeDM.exe
C:\Windows\System\xYxdeDM.exe
C:\Windows\System\OtEQVTO.exe
C:\Windows\System\OtEQVTO.exe
C:\Windows\System\qQnKgOG.exe
C:\Windows\System\qQnKgOG.exe
C:\Windows\System\FngMgsf.exe
C:\Windows\System\FngMgsf.exe
C:\Windows\System\tmRIoAY.exe
C:\Windows\System\tmRIoAY.exe
C:\Windows\System\BVKvGVG.exe
C:\Windows\System\BVKvGVG.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/948-0-0x000000013FE70000-0x00000001401C1000-memory.dmp
memory/948-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\xixAQpt.exe
| MD5 | 87e2c0fee4854875cf961783c847f81e |
| SHA1 | 9263067cdfa0bfbf99dd4f3237141bc0ca84e15d |
| SHA256 | c3aa543351862b40b7e704112aaa3026d2795e81806b1568c557e8eced14a46b |
| SHA512 | b85ee97429b4a21b71c6d924bd282d786d792571cf0259544542ba2572bf24d9d9741f79600cf60173f67669364a3c33e6a3fbc342f8b58e7f1d6d9a5eda002b |
C:\Windows\system\tcdHnUz.exe
| MD5 | 95cc1c56c04eada4a36b9febaa8dc2f8 |
| SHA1 | 49c939faf124eccff7f49f4d71b6766ba7e8ea89 |
| SHA256 | 881e06f6660667f5e52a6d55ef3c0ec1af1d2fd0401dae294df1b8884ae51b9c |
| SHA512 | 04d632757a819a4ebbb2d749037e0d751d5ab3ec486398c4ba44db49c4d8642d9fd0b24b00b7258f28aead1151885e6a7936bc488aa458c9b34f67e1d6be1614 |
memory/948-10-0x000000013F4B0000-0x000000013F801000-memory.dmp
C:\Windows\system\gCBCqny.exe
| MD5 | 0ab1030470d1e9fc6f2d35a94827a496 |
| SHA1 | 5dd4f9b43aa0f32f682d220dadfa75151d7f56d4 |
| SHA256 | f2a6f7542506418f13a097069895beefab8fe71933a7632d3a1ab24431add71c |
| SHA512 | 48bd63aabcd4b4cea7623e425de41f9a7335ce2201eca7a7d662fdabd07bf63e8a22596cd3eec02cc994ab04e1fa36da42842620e9e906cb3cabcf32659e0a6d |
C:\Windows\system\VEEDIsw.exe
| MD5 | afbd701108e1c8cc095bc35ebbfc34c3 |
| SHA1 | cec13cf164fe51f92e1101c0d1855bb2020032a1 |
| SHA256 | ce6689406edf7e2474cdbc31c731f7f1b7905ccad52e6b1347b5278d9f466148 |
| SHA512 | 7ba662711d835fb4e82595745958686743cf707f280d33f50ea52c3cdc14e515e2c886fab883fc8bef8670579f7f38d2447028f56271704109564044d72f834b |
C:\Windows\system\GhPjGUB.exe
| MD5 | 33f44684e20cebdd8f35d129abed7ef4 |
| SHA1 | 5cdb7b0ebf4f1fe88be190eeedc3de557c83e088 |
| SHA256 | 760b5e95790b8445089426f1edd574d8828f854e86db1c4350439b2e4d926170 |
| SHA512 | b0a61681e4251081ceb6804688f7965619f2d76c7c9c82f32edd0cb40f1b8aff649e6aed85010db3491dc007326090d8f21ef492139bd7bfef5df4402d07e05f |
C:\Windows\system\BXijEEe.exe
| MD5 | 9745bbc6370b0652bb9087288a1c0f48 |
| SHA1 | fb70c79951587e6c809afb7f5994a2a56d8401bb |
| SHA256 | 356c15b29ac4a41b604cb437f8bcb524e042f4545221f8d280202ea88114d40d |
| SHA512 | 330beba0353efa7eccc2d9b969daf94c8ff39b2b00a304206792572fd9349f1d0d05fb4abdf1ca08eebc98231a08be63eeb294ea647699419d91523bbe997646 |
C:\Windows\system\bZeLRGZ.exe
| MD5 | 003a4981eab3cba6c6f252ea2c649bac |
| SHA1 | 9720bf3097c43ef3e48cf4e6d4a3714b09c62fbc |
| SHA256 | 0735621ba67028050af46406433ad96b0dc405441737c5683c6233303206bcba |
| SHA512 | 2efec6a0bd72e7d3a939cf556be79502c941bdfd678b5a7e5fb0161cfcdcbe6afe1fdbbc22b9f1c28dc5f972e8ad20f45c9dd50ccef37f7a099033e98ad3d91c |
C:\Windows\system\PsDhrVd.exe
| MD5 | 87b009a05d4a18ad5a217053000175a6 |
| SHA1 | 5aea292db96858e4aaefcfd9edd8ad674c73b5f0 |
| SHA256 | 0dc2d68ea1627b68bbebdbb3c9654f2a4de5e59198caaba8af31a0c5f78b6c64 |
| SHA512 | c879cd13dd5d515e7761947288e7fc813d28e2813ca049de5590e77b45e2d31cec4505d6b81525d87a84bca0ae8e40e13c469f4115cc658e2e3b453e3dc0dd7b |
C:\Windows\system\wzzwcbr.exe
| MD5 | 0b3292c6a442b203f264bddcce6a3ad4 |
| SHA1 | c8c456fa871a9d4d84120f839c1636c22da830fa |
| SHA256 | 86a3de30c2c9f630688b43bea9578480ba28dc3898885a60e1472c05420b5a88 |
| SHA512 | 4804b3dcd703e510927c8c02d70842b89408b986e6e816d05508589dfd15b21f23434406e0d0bc44492647181361111cf862f0e12e6afe1f058e6a8409176f47 |
C:\Windows\system\EIAvzAf.exe
| MD5 | ae045d644386b83275e7599dabcbba44 |
| SHA1 | f23312705ee193741c42dbcf2fff2b6595eafbc5 |
| SHA256 | 88360a0e64c90d4a7900b79780e2238d14ec68d1772b26265e14f89afb6a47d5 |
| SHA512 | 315b2a9355b5c7f9a0532dc0e7b4a4102c858ece0b6b80ec84091d428e93d3a35f653bab7a6aca02e1f0684c74ba5ab0c22ff0cbeb2dbc518bf6d1999c4dc478 |
C:\Windows\system\gbCavBV.exe
| MD5 | f2b3233496e8f9b666a73c6f2d3f95d5 |
| SHA1 | ee2bb304eb3a96b2d7feeac56187efad751d5ffa |
| SHA256 | 7f6f9c596374589e065a9cf066de2e28b7a7b1d24a5a6ec4c36d1ee9cafad11b |
| SHA512 | 3f708caf3261740d968b7d2fc20a4449a24d16fbdf7a9d7ce8e44db8064c85c8fe3eab1bb2a4ec55d2eceadbd15f6dc8be5e95311892eaa5cf614af02cf21765 |
C:\Windows\system\tmRIoAY.exe
| MD5 | 31bbf2efd4a71a89b499cd8e57f1db94 |
| SHA1 | 31114a54ca664c66950208c23f8c92db324a9b76 |
| SHA256 | be473c6658b3162f305f04a7b3b00e2f6ed7a6d176a1ce3d71b0879f8ad070d3 |
| SHA512 | fd28e99836a8421ed127a6ad247c6d225bd5ec4b39c93da9ffc07823e600cfec7d8f9937d1b43464b3182649b06864a9d4346df64d4aa7b1cf3b5e5e0e8bfc2e |
C:\Windows\system\BVKvGVG.exe
| MD5 | 4aae25affe1f9596e9ace2e90002e869 |
| SHA1 | d7fb94218ea87995770557c989a2dc186c80b957 |
| SHA256 | 8f241c07d3be5fbcf48beda12f0a13aa5406097faa4f07d9573bbca9fd4feaa1 |
| SHA512 | 768413caed4e4dfb155cfb45362f1a7ca5a7e4b9d86ff4fdf7b3dd83b7c1ec51206410c2ea6ef807e10652a83570d3c0cdcf88a8f324077055e221ddc2ebb986 |
C:\Windows\system\FngMgsf.exe
| MD5 | 43c94b650c76f75c76c7f5432501a708 |
| SHA1 | 34351ecd6945426ae7a8df6c520737e48bfd3528 |
| SHA256 | 47ea120b4e3de5b6109ecd0462593d8675351bf0d702cae923a0985b3258f740 |
| SHA512 | ddecea70ab3188f6a571f5647fb8db79eaab428875ed30335c0a710e261d41eccc5a698a993b45b018a5b75dd4b6bc10d608dc56b964916cb701d9f27588666a |
C:\Windows\system\qQnKgOG.exe
| MD5 | 6e7734a226382b3e1514a714442f14a8 |
| SHA1 | 1e71f37d7348da159da19e60e4d497e0d1e0d0d6 |
| SHA256 | de9f0b81307bd50d3d049fe067cacbee5c4553a89e8acd3068a68f7ec5755d4b |
| SHA512 | 9eec71096948b0632d60cf08861b28cdb1ed517474ea9e5fde53ba57a3b0799eb08de7ab291831687813416f0dbfcf9f3b80665a1b85b9d2c761066794648835 |
memory/3000-110-0x000000013F040000-0x000000013F391000-memory.dmp
memory/948-109-0x000000013F270000-0x000000013F5C1000-memory.dmp
memory/2072-107-0x000000013F4B0000-0x000000013F801000-memory.dmp
C:\Windows\system\OtEQVTO.exe
| MD5 | d57aed9a184e15f29320a676bc25091a |
| SHA1 | 216f2ed657a29eab23ca067c65e3bd880409c911 |
| SHA256 | 82938417934dfe1187dda7195810ed0bd3553ba931f0feacea276e79b5abcaeb |
| SHA512 | 86f21be56dd3dac606d4d80770bad4c8c35f4a637f3316578661e1637c814d6ca36e3121c96b54ed36b29b37bdfe32fe82a0a22d926ecf68c7e1d1f6866b4a38 |
C:\Windows\system\xYxdeDM.exe
| MD5 | b74909ee77ace23819fc9d2220e42e13 |
| SHA1 | 5b212605de2afb4d55cd290727b3c85a053233bb |
| SHA256 | 183a5f13fe31ef9f59fdbb8628be491e5484cd06dbe68386b6a019a27518282a |
| SHA512 | 595ea5bba0eb3bbd3c82077cffc3e1e86c09310253c6537d325e0595ccfd06dae28f570421420efa53161ebf29ad149db7f6030558ece2de5dd9d52c8a7846ba |
C:\Windows\system\zYaCeMF.exe
| MD5 | 5ab8cb1e5f9a67a3497bb40eaf089fdc |
| SHA1 | 11cffc1feaa14be2579d0d8f65c60ddb13519c7a |
| SHA256 | 225e7ddf8babf14f6ef51c8a8fe284400016813e0729ff0987320dcd1e8ea3af |
| SHA512 | 782c565a359b295dd98a3fc5b7fda95a7ab7718eb8454a0e01b09d644fbf0ffce6a8523aefcf742a4a84bd6d38e777e3fe476f574e5a25f3bd82ca0e29264fe6 |
C:\Windows\system\yCaVxfT.exe
| MD5 | 212c2e9aac40ad6df76d15a636e8bc52 |
| SHA1 | 0651dcb0c1386ca43491b8a3aaa48b557db4167d |
| SHA256 | df3ff15ff10d7c0f6dc8492f6a4a7d814454bbf3f7b86bf9b4811a764dc3f603 |
| SHA512 | 2d245b6a3c17d1d80679b625d2dc770847c403910d73c74539ac9475c890328824e2b254ab7e808463676532174ef26cfe10a13e40f68c8eb696eaa24ccc9ef9 |
C:\Windows\system\XFZECab.exe
| MD5 | e8b40d6e487584b4dd6ed6f724812fc2 |
| SHA1 | 4aef75fa33129d62c183c3d4daf5ee11d4e54547 |
| SHA256 | 517cdd46eeaeb502ccb95b1a849f3421da825f819fcbc0d672e45385104f4493 |
| SHA512 | dc826d3af3a3904ab85bffcd253455696d93bd87410a72c42cab4bf169d20c008505c386cdb43b71e1523553f39e310450b8a957fded6ba53b3cbf6c2c480833 |
C:\Windows\system\KqlLZsE.exe
| MD5 | 5e86d779e8d2700f5f095e7cfc719fa6 |
| SHA1 | fcc116a9e25dde38f48fd4ca59b520d2aefd37b1 |
| SHA256 | 76ad69afdce29de6573bd339bacc9eb62cd1c62bd267e58a12249d1be6b9aeb4 |
| SHA512 | a6c7ab3ff575da731e956896499ab83672ec8fce004c8fb2b50927ea73436334800c6fb703a5c913295a27656fba0398d640d8e0ba2c9092ee86488bceb4e2e4 |
memory/948-111-0x000000013FAF0000-0x000000013FE41000-memory.dmp
memory/2776-112-0x000000013FAF0000-0x000000013FE41000-memory.dmp
memory/948-113-0x000000013F660000-0x000000013F9B1000-memory.dmp
memory/2864-114-0x000000013F660000-0x000000013F9B1000-memory.dmp
memory/948-115-0x0000000002370000-0x00000000026C1000-memory.dmp
memory/1636-116-0x000000013FFD0000-0x0000000140321000-memory.dmp
memory/872-117-0x000000013FB50000-0x000000013FEA1000-memory.dmp
memory/2936-118-0x000000013FB50000-0x000000013FEA1000-memory.dmp
memory/948-119-0x000000013F500000-0x000000013F851000-memory.dmp
memory/2684-120-0x000000013F500000-0x000000013F851000-memory.dmp
memory/948-122-0x000000013F770000-0x000000013FAC1000-memory.dmp
memory/2280-132-0x000000013F270000-0x000000013F5C1000-memory.dmp
memory/948-131-0x000000013F040000-0x000000013F391000-memory.dmp
memory/948-130-0x000000013F2C0000-0x000000013F611000-memory.dmp
memory/2712-129-0x000000013F720000-0x000000013FA71000-memory.dmp
memory/948-128-0x000000013F720000-0x000000013FA71000-memory.dmp
memory/2644-127-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/948-126-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/2704-125-0x000000013F700000-0x000000013FA51000-memory.dmp
memory/948-124-0x000000013F700000-0x000000013FA51000-memory.dmp
memory/2784-123-0x000000013F770000-0x000000013FAC1000-memory.dmp
memory/2324-121-0x000000013FE00000-0x0000000140151000-memory.dmp
memory/948-133-0x000000013FE70000-0x00000001401C1000-memory.dmp
memory/2072-134-0x000000013F4B0000-0x000000013F801000-memory.dmp
memory/2340-148-0x000000013F2C0000-0x000000013F611000-memory.dmp
memory/2396-154-0x000000013F360000-0x000000013F6B1000-memory.dmp
memory/2152-153-0x000000013F0A0000-0x000000013F3F1000-memory.dmp
memory/844-151-0x000000013F240000-0x000000013F591000-memory.dmp
memory/2896-150-0x000000013F480000-0x000000013F7D1000-memory.dmp
memory/2284-149-0x000000013F190000-0x000000013F4E1000-memory.dmp
memory/1692-152-0x000000013F3B0000-0x000000013F701000-memory.dmp
memory/948-155-0x000000013FE70000-0x00000001401C1000-memory.dmp
memory/2072-201-0x000000013F4B0000-0x000000013F801000-memory.dmp
memory/2324-227-0x000000013FE00000-0x0000000140151000-memory.dmp
memory/2776-223-0x000000013FAF0000-0x000000013FE41000-memory.dmp
memory/1636-225-0x000000013FFD0000-0x0000000140321000-memory.dmp
memory/3000-234-0x000000013F040000-0x000000013F391000-memory.dmp
memory/2712-229-0x000000013F720000-0x000000013FA71000-memory.dmp
memory/872-245-0x000000013FB50000-0x000000013FEA1000-memory.dmp
memory/2936-238-0x000000013FB50000-0x000000013FEA1000-memory.dmp
memory/2864-236-0x000000013F660000-0x000000013F9B1000-memory.dmp
memory/2644-251-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/2280-240-0x000000013F270000-0x000000013F5C1000-memory.dmp
memory/2784-248-0x000000013F770000-0x000000013FAC1000-memory.dmp
memory/2684-246-0x000000013F500000-0x000000013F851000-memory.dmp
memory/2704-241-0x000000013F700000-0x000000013FA51000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-05 12:29
Reported
2024-08-05 12:31
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\xixAQpt.exe | N/A |
| N/A | N/A | C:\Windows\System\gCBCqny.exe | N/A |
| N/A | N/A | C:\Windows\System\VEEDIsw.exe | N/A |
| N/A | N/A | C:\Windows\System\tcdHnUz.exe | N/A |
| N/A | N/A | C:\Windows\System\GhPjGUB.exe | N/A |
| N/A | N/A | C:\Windows\System\BXijEEe.exe | N/A |
| N/A | N/A | C:\Windows\System\bZeLRGZ.exe | N/A |
| N/A | N/A | C:\Windows\System\PsDhrVd.exe | N/A |
| N/A | N/A | C:\Windows\System\wzzwcbr.exe | N/A |
| N/A | N/A | C:\Windows\System\KqlLZsE.exe | N/A |
| N/A | N/A | C:\Windows\System\EIAvzAf.exe | N/A |
| N/A | N/A | C:\Windows\System\XFZECab.exe | N/A |
| N/A | N/A | C:\Windows\System\yCaVxfT.exe | N/A |
| N/A | N/A | C:\Windows\System\zYaCeMF.exe | N/A |
| N/A | N/A | C:\Windows\System\gbCavBV.exe | N/A |
| N/A | N/A | C:\Windows\System\xYxdeDM.exe | N/A |
| N/A | N/A | C:\Windows\System\OtEQVTO.exe | N/A |
| N/A | N/A | C:\Windows\System\qQnKgOG.exe | N/A |
| N/A | N/A | C:\Windows\System\FngMgsf.exe | N/A |
| N/A | N/A | C:\Windows\System\BVKvGVG.exe | N/A |
| N/A | N/A | C:\Windows\System\tmRIoAY.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-05_4bda198ba3abd62f2b7a3c64a3f4c7ea_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\xixAQpt.exe
C:\Windows\System\xixAQpt.exe
C:\Windows\System\gCBCqny.exe
C:\Windows\System\gCBCqny.exe
C:\Windows\System\tcdHnUz.exe
C:\Windows\System\tcdHnUz.exe
C:\Windows\System\VEEDIsw.exe
C:\Windows\System\VEEDIsw.exe
C:\Windows\System\GhPjGUB.exe
C:\Windows\System\GhPjGUB.exe
C:\Windows\System\BXijEEe.exe
C:\Windows\System\BXijEEe.exe
C:\Windows\System\bZeLRGZ.exe
C:\Windows\System\bZeLRGZ.exe
C:\Windows\System\PsDhrVd.exe
C:\Windows\System\PsDhrVd.exe
C:\Windows\System\wzzwcbr.exe
C:\Windows\System\wzzwcbr.exe
C:\Windows\System\KqlLZsE.exe
C:\Windows\System\KqlLZsE.exe
C:\Windows\System\EIAvzAf.exe
C:\Windows\System\EIAvzAf.exe
C:\Windows\System\XFZECab.exe
C:\Windows\System\XFZECab.exe
C:\Windows\System\yCaVxfT.exe
C:\Windows\System\yCaVxfT.exe
C:\Windows\System\zYaCeMF.exe
C:\Windows\System\zYaCeMF.exe
C:\Windows\System\gbCavBV.exe
C:\Windows\System\gbCavBV.exe
C:\Windows\System\xYxdeDM.exe
C:\Windows\System\xYxdeDM.exe
C:\Windows\System\OtEQVTO.exe
C:\Windows\System\OtEQVTO.exe
C:\Windows\System\qQnKgOG.exe
C:\Windows\System\qQnKgOG.exe
C:\Windows\System\FngMgsf.exe
C:\Windows\System\FngMgsf.exe
C:\Windows\System\tmRIoAY.exe
C:\Windows\System\tmRIoAY.exe
C:\Windows\System\BVKvGVG.exe
C:\Windows\System\BVKvGVG.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 52.111.229.43:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2604-0-0x00007FF78D790000-0x00007FF78DAE1000-memory.dmp
memory/2604-1-0x0000028892DA0000-0x0000028892DB0000-memory.dmp
C:\Windows\System\xixAQpt.exe
| MD5 | 87e2c0fee4854875cf961783c847f81e |
| SHA1 | 9263067cdfa0bfbf99dd4f3237141bc0ca84e15d |
| SHA256 | c3aa543351862b40b7e704112aaa3026d2795e81806b1568c557e8eced14a46b |
| SHA512 | b85ee97429b4a21b71c6d924bd282d786d792571cf0259544542ba2572bf24d9d9741f79600cf60173f67669364a3c33e6a3fbc342f8b58e7f1d6d9a5eda002b |
memory/3420-7-0x00007FF7B47E0000-0x00007FF7B4B31000-memory.dmp
C:\Windows\System\tcdHnUz.exe
| MD5 | 95cc1c56c04eada4a36b9febaa8dc2f8 |
| SHA1 | 49c939faf124eccff7f49f4d71b6766ba7e8ea89 |
| SHA256 | 881e06f6660667f5e52a6d55ef3c0ec1af1d2fd0401dae294df1b8884ae51b9c |
| SHA512 | 04d632757a819a4ebbb2d749037e0d751d5ab3ec486398c4ba44db49c4d8642d9fd0b24b00b7258f28aead1151885e6a7936bc488aa458c9b34f67e1d6be1614 |
C:\Windows\System\gCBCqny.exe
| MD5 | 0ab1030470d1e9fc6f2d35a94827a496 |
| SHA1 | 5dd4f9b43aa0f32f682d220dadfa75151d7f56d4 |
| SHA256 | f2a6f7542506418f13a097069895beefab8fe71933a7632d3a1ab24431add71c |
| SHA512 | 48bd63aabcd4b4cea7623e425de41f9a7335ce2201eca7a7d662fdabd07bf63e8a22596cd3eec02cc994ab04e1fa36da42842620e9e906cb3cabcf32659e0a6d |
C:\Windows\System\VEEDIsw.exe
| MD5 | afbd701108e1c8cc095bc35ebbfc34c3 |
| SHA1 | cec13cf164fe51f92e1101c0d1855bb2020032a1 |
| SHA256 | ce6689406edf7e2474cdbc31c731f7f1b7905ccad52e6b1347b5278d9f466148 |
| SHA512 | 7ba662711d835fb4e82595745958686743cf707f280d33f50ea52c3cdc14e515e2c886fab883fc8bef8670579f7f38d2447028f56271704109564044d72f834b |
C:\Windows\System\bZeLRGZ.exe
| MD5 | 003a4981eab3cba6c6f252ea2c649bac |
| SHA1 | 9720bf3097c43ef3e48cf4e6d4a3714b09c62fbc |
| SHA256 | 0735621ba67028050af46406433ad96b0dc405441737c5683c6233303206bcba |
| SHA512 | 2efec6a0bd72e7d3a939cf556be79502c941bdfd678b5a7e5fb0161cfcdcbe6afe1fdbbc22b9f1c28dc5f972e8ad20f45c9dd50ccef37f7a099033e98ad3d91c |
memory/2328-55-0x00007FF678260000-0x00007FF6785B1000-memory.dmp
C:\Windows\System\PsDhrVd.exe
| MD5 | 87b009a05d4a18ad5a217053000175a6 |
| SHA1 | 5aea292db96858e4aaefcfd9edd8ad674c73b5f0 |
| SHA256 | 0dc2d68ea1627b68bbebdbb3c9654f2a4de5e59198caaba8af31a0c5f78b6c64 |
| SHA512 | c879cd13dd5d515e7761947288e7fc813d28e2813ca049de5590e77b45e2d31cec4505d6b81525d87a84bca0ae8e40e13c469f4115cc658e2e3b453e3dc0dd7b |
memory/5060-62-0x00007FF773EF0000-0x00007FF774241000-memory.dmp
memory/1552-64-0x00007FF659840000-0x00007FF659B91000-memory.dmp
memory/3312-63-0x00007FF7245E0000-0x00007FF724931000-memory.dmp
C:\Windows\System\EIAvzAf.exe
| MD5 | ae045d644386b83275e7599dabcbba44 |
| SHA1 | f23312705ee193741c42dbcf2fff2b6595eafbc5 |
| SHA256 | 88360a0e64c90d4a7900b79780e2238d14ec68d1772b26265e14f89afb6a47d5 |
| SHA512 | 315b2a9355b5c7f9a0532dc0e7b4a4102c858ece0b6b80ec84091d428e93d3a35f653bab7a6aca02e1f0684c74ba5ab0c22ff0cbeb2dbc518bf6d1999c4dc478 |
memory/3496-60-0x00007FF7462F0000-0x00007FF746641000-memory.dmp
C:\Windows\System\KqlLZsE.exe
| MD5 | 5e86d779e8d2700f5f095e7cfc719fa6 |
| SHA1 | fcc116a9e25dde38f48fd4ca59b520d2aefd37b1 |
| SHA256 | 76ad69afdce29de6573bd339bacc9eb62cd1c62bd267e58a12249d1be6b9aeb4 |
| SHA512 | a6c7ab3ff575da731e956896499ab83672ec8fce004c8fb2b50927ea73436334800c6fb703a5c913295a27656fba0398d640d8e0ba2c9092ee86488bceb4e2e4 |
memory/3900-56-0x00007FF754140000-0x00007FF754491000-memory.dmp
C:\Windows\System\wzzwcbr.exe
| MD5 | 0b3292c6a442b203f264bddcce6a3ad4 |
| SHA1 | c8c456fa871a9d4d84120f839c1636c22da830fa |
| SHA256 | 86a3de30c2c9f630688b43bea9578480ba28dc3898885a60e1472c05420b5a88 |
| SHA512 | 4804b3dcd703e510927c8c02d70842b89408b986e6e816d05508589dfd15b21f23434406e0d0bc44492647181361111cf862f0e12e6afe1f058e6a8409176f47 |
memory/4288-50-0x00007FF778B30000-0x00007FF778E81000-memory.dmp
C:\Windows\System\GhPjGUB.exe
| MD5 | 33f44684e20cebdd8f35d129abed7ef4 |
| SHA1 | 5cdb7b0ebf4f1fe88be190eeedc3de557c83e088 |
| SHA256 | 760b5e95790b8445089426f1edd574d8828f854e86db1c4350439b2e4d926170 |
| SHA512 | b0a61681e4251081ceb6804688f7965619f2d76c7c9c82f32edd0cb40f1b8aff649e6aed85010db3491dc007326090d8f21ef492139bd7bfef5df4402d07e05f |
C:\Windows\System\BXijEEe.exe
| MD5 | 9745bbc6370b0652bb9087288a1c0f48 |
| SHA1 | fb70c79951587e6c809afb7f5994a2a56d8401bb |
| SHA256 | 356c15b29ac4a41b604cb437f8bcb524e042f4545221f8d280202ea88114d40d |
| SHA512 | 330beba0353efa7eccc2d9b969daf94c8ff39b2b00a304206792572fd9349f1d0d05fb4abdf1ca08eebc98231a08be63eeb294ea647699419d91523bbe997646 |
memory/4732-34-0x00007FF79B860000-0x00007FF79BBB1000-memory.dmp
memory/4292-26-0x00007FF6E3A60000-0x00007FF6E3DB1000-memory.dmp
memory/1776-20-0x00007FF7B3940000-0x00007FF7B3C91000-memory.dmp
C:\Windows\System\zYaCeMF.exe
| MD5 | 5ab8cb1e5f9a67a3497bb40eaf089fdc |
| SHA1 | 11cffc1feaa14be2579d0d8f65c60ddb13519c7a |
| SHA256 | 225e7ddf8babf14f6ef51c8a8fe284400016813e0729ff0987320dcd1e8ea3af |
| SHA512 | 782c565a359b295dd98a3fc5b7fda95a7ab7718eb8454a0e01b09d644fbf0ffce6a8523aefcf742a4a84bd6d38e777e3fe476f574e5a25f3bd82ca0e29264fe6 |
C:\Windows\System\gbCavBV.exe
| MD5 | f2b3233496e8f9b666a73c6f2d3f95d5 |
| SHA1 | ee2bb304eb3a96b2d7feeac56187efad751d5ffa |
| SHA256 | 7f6f9c596374589e065a9cf066de2e28b7a7b1d24a5a6ec4c36d1ee9cafad11b |
| SHA512 | 3f708caf3261740d968b7d2fc20a4449a24d16fbdf7a9d7ce8e44db8064c85c8fe3eab1bb2a4ec55d2eceadbd15f6dc8be5e95311892eaa5cf614af02cf21765 |
C:\Windows\System\OtEQVTO.exe
| MD5 | d57aed9a184e15f29320a676bc25091a |
| SHA1 | 216f2ed657a29eab23ca067c65e3bd880409c911 |
| SHA256 | 82938417934dfe1187dda7195810ed0bd3553ba931f0feacea276e79b5abcaeb |
| SHA512 | 86f21be56dd3dac606d4d80770bad4c8c35f4a637f3316578661e1637c814d6ca36e3121c96b54ed36b29b37bdfe32fe82a0a22d926ecf68c7e1d1f6866b4a38 |
C:\Windows\System\xYxdeDM.exe
| MD5 | b74909ee77ace23819fc9d2220e42e13 |
| SHA1 | 5b212605de2afb4d55cd290727b3c85a053233bb |
| SHA256 | 183a5f13fe31ef9f59fdbb8628be491e5484cd06dbe68386b6a019a27518282a |
| SHA512 | 595ea5bba0eb3bbd3c82077cffc3e1e86c09310253c6537d325e0595ccfd06dae28f570421420efa53161ebf29ad149db7f6030558ece2de5dd9d52c8a7846ba |
C:\Windows\System\BVKvGVG.exe
| MD5 | 4aae25affe1f9596e9ace2e90002e869 |
| SHA1 | d7fb94218ea87995770557c989a2dc186c80b957 |
| SHA256 | 8f241c07d3be5fbcf48beda12f0a13aa5406097faa4f07d9573bbca9fd4feaa1 |
| SHA512 | 768413caed4e4dfb155cfb45362f1a7ca5a7e4b9d86ff4fdf7b3dd83b7c1ec51206410c2ea6ef807e10652a83570d3c0cdcf88a8f324077055e221ddc2ebb986 |
C:\Windows\System\tmRIoAY.exe
| MD5 | 31bbf2efd4a71a89b499cd8e57f1db94 |
| SHA1 | 31114a54ca664c66950208c23f8c92db324a9b76 |
| SHA256 | be473c6658b3162f305f04a7b3b00e2f6ed7a6d176a1ce3d71b0879f8ad070d3 |
| SHA512 | fd28e99836a8421ed127a6ad247c6d225bd5ec4b39c93da9ffc07823e600cfec7d8f9937d1b43464b3182649b06864a9d4346df64d4aa7b1cf3b5e5e0e8bfc2e |
C:\Windows\System\qQnKgOG.exe
| MD5 | 6e7734a226382b3e1514a714442f14a8 |
| SHA1 | 1e71f37d7348da159da19e60e4d497e0d1e0d0d6 |
| SHA256 | de9f0b81307bd50d3d049fe067cacbee5c4553a89e8acd3068a68f7ec5755d4b |
| SHA512 | 9eec71096948b0632d60cf08861b28cdb1ed517474ea9e5fde53ba57a3b0799eb08de7ab291831687813416f0dbfcf9f3b80665a1b85b9d2c761066794648835 |
C:\Windows\System\FngMgsf.exe
| MD5 | 43c94b650c76f75c76c7f5432501a708 |
| SHA1 | 34351ecd6945426ae7a8df6c520737e48bfd3528 |
| SHA256 | 47ea120b4e3de5b6109ecd0462593d8675351bf0d702cae923a0985b3258f740 |
| SHA512 | ddecea70ab3188f6a571f5647fb8db79eaab428875ed30335c0a710e261d41eccc5a698a993b45b018a5b75dd4b6bc10d608dc56b964916cb701d9f27588666a |
C:\Windows\System\yCaVxfT.exe
| MD5 | 212c2e9aac40ad6df76d15a636e8bc52 |
| SHA1 | 0651dcb0c1386ca43491b8a3aaa48b557db4167d |
| SHA256 | df3ff15ff10d7c0f6dc8492f6a4a7d814454bbf3f7b86bf9b4811a764dc3f603 |
| SHA512 | 2d245b6a3c17d1d80679b625d2dc770847c403910d73c74539ac9475c890328824e2b254ab7e808463676532174ef26cfe10a13e40f68c8eb696eaa24ccc9ef9 |
C:\Windows\System\XFZECab.exe
| MD5 | e8b40d6e487584b4dd6ed6f724812fc2 |
| SHA1 | 4aef75fa33129d62c183c3d4daf5ee11d4e54547 |
| SHA256 | 517cdd46eeaeb502ccb95b1a849f3421da825f819fcbc0d672e45385104f4493 |
| SHA512 | dc826d3af3a3904ab85bffcd253455696d93bd87410a72c42cab4bf169d20c008505c386cdb43b71e1523553f39e310450b8a957fded6ba53b3cbf6c2c480833 |