Analysis Overview
SHA256
05aa61b199311adfc2541bf46f1aa264ed54ffb684b085d131ec561f78a19778
Threat Level: Known bad
The file 2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Xmrig family
xmrig
XMRig Miner payload
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-06 12:04
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 12:04
Reported
2024-08-06 12:06
Platform
win7-20240729-en
Max time kernel
140s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\zggOrkf.exe | N/A |
| N/A | N/A | C:\Windows\System\vVFIaZN.exe | N/A |
| N/A | N/A | C:\Windows\System\wSsOZdn.exe | N/A |
| N/A | N/A | C:\Windows\System\CuDpVzQ.exe | N/A |
| N/A | N/A | C:\Windows\System\QBbaImr.exe | N/A |
| N/A | N/A | C:\Windows\System\prjRQyC.exe | N/A |
| N/A | N/A | C:\Windows\System\KTLVtFK.exe | N/A |
| N/A | N/A | C:\Windows\System\PwvLyqE.exe | N/A |
| N/A | N/A | C:\Windows\System\kJtZVey.exe | N/A |
| N/A | N/A | C:\Windows\System\jkoaHXl.exe | N/A |
| N/A | N/A | C:\Windows\System\eGbsGwO.exe | N/A |
| N/A | N/A | C:\Windows\System\zCkiEjq.exe | N/A |
| N/A | N/A | C:\Windows\System\UZPUoBf.exe | N/A |
| N/A | N/A | C:\Windows\System\jCmBUQz.exe | N/A |
| N/A | N/A | C:\Windows\System\VayUiQX.exe | N/A |
| N/A | N/A | C:\Windows\System\EIGoakW.exe | N/A |
| N/A | N/A | C:\Windows\System\ghFcHVg.exe | N/A |
| N/A | N/A | C:\Windows\System\tZVCbzw.exe | N/A |
| N/A | N/A | C:\Windows\System\ZTufAeg.exe | N/A |
| N/A | N/A | C:\Windows\System\xlIpMjZ.exe | N/A |
| N/A | N/A | C:\Windows\System\mkFNere.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\zggOrkf.exe
C:\Windows\System\vVFIaZN.exe
C:\Windows\System\wSsOZdn.exe
C:\Windows\System\CuDpVzQ.exe
C:\Windows\System\QBbaImr.exe
C:\Windows\System\prjRQyC.exe
C:\Windows\System\KTLVtFK.exe
C:\Windows\System\PwvLyqE.exe
C:\Windows\System\kJtZVey.exe
C:\Windows\System\jkoaHXl.exe
C:\Windows\System\eGbsGwO.exe
C:\Windows\System\UZPUoBf.exe
C:\Windows\System\zCkiEjq.exe
C:\Windows\System\jCmBUQz.exe
C:\Windows\System\VayUiQX.exe
C:\Windows\System\EIGoakW.exe
C:\Windows\System\ghFcHVg.exe
C:\Windows\System\tZVCbzw.exe
C:\Windows\System\ZTufAeg.exe
C:\Windows\System\xlIpMjZ.exe
C:\Windows\System\mkFNere.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 12:04
Reported
2024-08-06 12:06
Platform
win10v2004-20240802-en
Max time kernel
139s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\zggOrkf.exe | N/A |
| N/A | N/A | C:\Windows\System\vVFIaZN.exe | N/A |
| N/A | N/A | C:\Windows\System\wSsOZdn.exe | N/A |
| N/A | N/A | C:\Windows\System\CuDpVzQ.exe | N/A |
| N/A | N/A | C:\Windows\System\QBbaImr.exe | N/A |
| N/A | N/A | C:\Windows\System\prjRQyC.exe | N/A |
| N/A | N/A | C:\Windows\System\KTLVtFK.exe | N/A |
| N/A | N/A | C:\Windows\System\PwvLyqE.exe | N/A |
| N/A | N/A | C:\Windows\System\kJtZVey.exe | N/A |
| N/A | N/A | C:\Windows\System\jkoaHXl.exe | N/A |
| N/A | N/A | C:\Windows\System\eGbsGwO.exe | N/A |
| N/A | N/A | C:\Windows\System\UZPUoBf.exe | N/A |
| N/A | N/A | C:\Windows\System\zCkiEjq.exe | N/A |
| N/A | N/A | C:\Windows\System\jCmBUQz.exe | N/A |
| N/A | N/A | C:\Windows\System\VayUiQX.exe | N/A |
| N/A | N/A | C:\Windows\System\EIGoakW.exe | N/A |
| N/A | N/A | C:\Windows\System\ghFcHVg.exe | N/A |
| N/A | N/A | C:\Windows\System\tZVCbzw.exe | N/A |
| N/A | N/A | C:\Windows\System\ZTufAeg.exe | N/A |
| N/A | N/A | C:\Windows\System\xlIpMjZ.exe | N/A |
| N/A | N/A | C:\Windows\System\mkFNere.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_cb56521124ad73a189835bd11fcc0144_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\zggOrkf.exe
C:\Windows\System\vVFIaZN.exe
C:\Windows\System\wSsOZdn.exe
C:\Windows\System\CuDpVzQ.exe
C:\Windows\System\QBbaImr.exe
C:\Windows\System\prjRQyC.exe
C:\Windows\System\KTLVtFK.exe
C:\Windows\System\PwvLyqE.exe
C:\Windows\System\kJtZVey.exe
C:\Windows\System\jkoaHXl.exe
C:\Windows\System\eGbsGwO.exe
C:\Windows\System\UZPUoBf.exe
C:\Windows\System\zCkiEjq.exe
C:\Windows\System\jCmBUQz.exe
C:\Windows\System\VayUiQX.exe
C:\Windows\System\EIGoakW.exe
C:\Windows\System\ghFcHVg.exe
C:\Windows\System\tZVCbzw.exe
C:\Windows\System\ZTufAeg.exe
C:\Windows\System\xlIpMjZ.exe
C:\Windows\System\mkFNere.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
| SHA512 | 20778657398821a94cfc1013f3a3a2d0cb4ac99298c0a855b30d2c69058a34ec63e27ef6d880280eecd4de610e37cb0c6ee3ed00dae202bf1e3fafb7d5f5f851 |
C:\Windows\System\tZVCbzw.exe
| MD5 | 4f0fc018e109e553970951474411f585 |
| SHA1 | 109835fae27678ed62b7036f725d1ea1e6a7a5dd |
| SHA256 | e26eab95231445477b4cce7c7695562ff9e6300170f3b837d093278ec33400dc |
| SHA512 | 8aaab88950676cab84075b7c8b71536a57e21401c583a0ee544083298f8295be6c36f811d44da0ccdff279c6f51b1c5f83bd88e33c9d0ea1445e24d4f16ea45e |
C:\Windows\System\ZTufAeg.exe
| MD5 | dec587d9578233220501482ae1a4dcb1 |
| SHA1 | abfe4cf55c10db3b20eb9dc76b611200e7bfde22 |
| SHA256 | 16ef0bb880aaa93dc84d293611729d3ad1983842e598df392c91b847e80110a5 |
| SHA512 | 1af4f57136179f5b60347073f6222709ab3cb87bcd10967982e64b3e5ccfa357ef217813c2fe709ec6a432868f305e908956e8b757a68c696521a16336d656a7 |
C:\Windows\System\mkFNere.exe
| MD5 | ebf091e9af65401efcecb3586c6112bc |
| SHA1 | b8bb85ef5964cbea2128303da4c5f2bf346b915f |
| SHA256 | 27852c6bf2f43250ecaf848c103c384d1678d03ea4bab77416a37f7427c191e6 |
| SHA512 | 33dc285e93abcc0db8b08c3bd99cd51d14c00b3ac0c4cff84f9e4c741cc39b729e78ddaa1ab53a27fbb86ddb9759fa346ca6c59aec207529c34268cc15373511 |
C:\Windows\System\xlIpMjZ.exe
| MD5 | d61b8d744f3c5f49f8d13de8badb19f3 |
| SHA1 | 784a4db7419494c3656c945f300da84b291615bd |
| SHA256 | 34ab1efc3be17d0c01657d616f78ef004f28a5aeba9b341b6598dbaca6c5eb5f |
| SHA512 | 8cea5cec97268fb7280ae28bdd4c8d557b465f2efca186e857963e945b30a21d9250c8cdef1b5b1e39cfa8f902e8f2754bc9b607c85eccac96e982c5656ed458 |
C:\Windows\System\EIGoakW.exe
| MD5 | 7c5a7d59e2d9195ca4099776c7c9481a |
| SHA1 | 87d32c8b96064313572336d8055346e33c527930 |
| SHA256 | 1ffacdfcd5dff5ffd39bd226cc8c05adbe43c1417081a896bf019dcb97971ac0 |
| SHA512 | 4613e2f6ac40433ac83efedae2ce19c42d04adc9b5eb746050f8479cbe919f5cd44f8ae27707852e5314b3152b80aee13c010b998803db2ff153fcaae126512f |
memory/3164-75-0x00007FF766530000-0x00007FF766884000-memory.dmp
memory/1220-73-0x00007FF70EF70000-0x00007FF70F2C4000-memory.dmp
memory/4832-63-0x00007FF752450000-0x00007FF7527A4000-memory.dmp
C:\Windows\System\PwvLyqE.exe
| MD5 | 81895f990587eacf3d73c0a071113ce5 |
| SHA1 | 1fb64645be959705014e8715ec638a5e82cd94f2 |
| SHA256 | 2eca30e6c4a47a634aa33537287009028089d856853de33aa681bb83827cb76f |
| SHA512 | 9a06fdca074cf0165a4f911c28bcd418871eb5021b52e931e2e905b1f38b6e52b74766baa58373c72380906b938e19cf4c151c41c0b7d38e99194a833d884e92 |
memory/3564-48-0x00007FF67E7C0000-0x00007FF67EB14000-memory.dmp
memory/2584-120-0x00007FF7519F0000-0x00007FF751D44000-memory.dmp
memory/1652-122-0x00007FF78B9F0000-0x00007FF78BD44000-memory.dmp
memory/2232-124-0x00007FF7C0BE0000-0x00007FF7C0F34000-memory.dmp
memory/3108-123-0x00007FF796E10000-0x00007FF797164000-memory.dmp
memory/4668-121-0x00007FF605B00000-0x00007FF605E54000-memory.dmp
memory/3268-126-0x00007FF6EBD40000-0x00007FF6EC094000-memory.dmp
memory/2156-127-0x00007FF6C7290000-0x00007FF6C75E4000-memory.dmp
memory/3720-125-0x00007FF7F1F10000-0x00007FF7F2264000-memory.dmp
memory/2424-128-0x00007FF7680F0000-0x00007FF768444000-memory.dmp
memory/2164-129-0x00007FF735240000-0x00007FF735594000-memory.dmp
memory/2640-130-0x00007FF70C010000-0x00007FF70C364000-memory.dmp
memory/2216-131-0x00007FF783790000-0x00007FF783AE4000-memory.dmp
memory/1740-132-0x00007FF61F400000-0x00007FF61F754000-memory.dmp
memory/2092-133-0x00007FF7821D0000-0x00007FF782524000-memory.dmp
memory/2772-134-0x00007FF64EF30000-0x00007FF64F284000-memory.dmp
memory/3564-135-0x00007FF67E7C0000-0x00007FF67EB14000-memory.dmp
memory/2584-136-0x00007FF7519F0000-0x00007FF751D44000-memory.dmp
memory/3164-137-0x00007FF766530000-0x00007FF766884000-memory.dmp
memory/2164-138-0x00007FF735240000-0x00007FF735594000-memory.dmp
memory/2216-139-0x00007FF783790000-0x00007FF783AE4000-memory.dmp
memory/1740-140-0x00007FF61F400000-0x00007FF61F754000-memory.dmp
memory/2092-141-0x00007FF7821D0000-0x00007FF782524000-memory.dmp
memory/5076-142-0x00007FF73FAC0000-0x00007FF73FE14000-memory.dmp
memory/2772-143-0x00007FF64EF30000-0x00007FF64F284000-memory.dmp
memory/3564-144-0x00007FF67E7C0000-0x00007FF67EB14000-memory.dmp
memory/4832-145-0x00007FF752450000-0x00007FF7527A4000-memory.dmp
memory/4144-146-0x00007FF66FBE0000-0x00007FF66FF34000-memory.dmp
memory/1220-147-0x00007FF70EF70000-0x00007FF70F2C4000-memory.dmp
memory/2584-148-0x00007FF7519F0000-0x00007FF751D44000-memory.dmp
memory/2640-149-0x00007FF70C010000-0x00007FF70C364000-memory.dmp
memory/1652-150-0x00007FF78B9F0000-0x00007FF78BD44000-memory.dmp
memory/3108-152-0x00007FF796E10000-0x00007FF797164000-memory.dmp
memory/4668-151-0x00007FF605B00000-0x00007FF605E54000-memory.dmp
memory/3720-153-0x00007FF7F1F10000-0x00007FF7F2264000-memory.dmp
memory/2232-154-0x00007FF7C0BE0000-0x00007FF7C0F34000-memory.dmp
memory/2156-156-0x00007FF6C7290000-0x00007FF6C75E4000-memory.dmp
memory/2424-155-0x00007FF7680F0000-0x00007FF768444000-memory.dmp
memory/3268-157-0x00007FF6EBD40000-0x00007FF6EC094000-memory.dmp