Analysis Overview
SHA256
9c29ded5444dd83831866898b6ee7e58a714ede76802b7c69f675f5dbccae0ca
Threat Level: Known bad
The file 2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike family
Cobaltstrike
xmrig
Xmrig family
XMRig Miner payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-06 16:02
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 16:02
Reported
2024-08-06 16:04
Platform
win7-20240705-en
Max time kernel
141s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\kVxfUyS.exe | N/A |
| N/A | N/A | C:\Windows\System\hqwXULO.exe | N/A |
| N/A | N/A | C:\Windows\System\JWUvINU.exe | N/A |
| N/A | N/A | C:\Windows\System\IStXkKR.exe | N/A |
| N/A | N/A | C:\Windows\System\OEjOlvT.exe | N/A |
| N/A | N/A | C:\Windows\System\UyhDJZR.exe | N/A |
| N/A | N/A | C:\Windows\System\vGoIvtv.exe | N/A |
| N/A | N/A | C:\Windows\System\qBztODV.exe | N/A |
| N/A | N/A | C:\Windows\System\tvOrjMZ.exe | N/A |
| N/A | N/A | C:\Windows\System\rsiQRaQ.exe | N/A |
| N/A | N/A | C:\Windows\System\EEkLAwG.exe | N/A |
| N/A | N/A | C:\Windows\System\HedKxpj.exe | N/A |
| N/A | N/A | C:\Windows\System\JvMAdxR.exe | N/A |
| N/A | N/A | C:\Windows\System\WmHcSDE.exe | N/A |
| N/A | N/A | C:\Windows\System\UYXtBJi.exe | N/A |
| N/A | N/A | C:\Windows\System\mDATkDT.exe | N/A |
| N/A | N/A | C:\Windows\System\MZyWfAi.exe | N/A |
| N/A | N/A | C:\Windows\System\ZsVGAHy.exe | N/A |
| N/A | N/A | C:\Windows\System\GRlsDUp.exe | N/A |
| N/A | N/A | C:\Windows\System\EWsQOKG.exe | N/A |
| N/A | N/A | C:\Windows\System\WkRlczU.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\kVxfUyS.exe
C:\Windows\System\kVxfUyS.exe
C:\Windows\System\hqwXULO.exe
C:\Windows\System\hqwXULO.exe
C:\Windows\System\JWUvINU.exe
C:\Windows\System\JWUvINU.exe
C:\Windows\System\IStXkKR.exe
C:\Windows\System\IStXkKR.exe
C:\Windows\System\OEjOlvT.exe
C:\Windows\System\OEjOlvT.exe
C:\Windows\System\UyhDJZR.exe
C:\Windows\System\UyhDJZR.exe
C:\Windows\System\vGoIvtv.exe
C:\Windows\System\vGoIvtv.exe
C:\Windows\System\qBztODV.exe
C:\Windows\System\qBztODV.exe
C:\Windows\System\tvOrjMZ.exe
C:\Windows\System\tvOrjMZ.exe
C:\Windows\System\rsiQRaQ.exe
C:\Windows\System\rsiQRaQ.exe
C:\Windows\System\EEkLAwG.exe
C:\Windows\System\EEkLAwG.exe
C:\Windows\System\HedKxpj.exe
C:\Windows\System\HedKxpj.exe
C:\Windows\System\JvMAdxR.exe
C:\Windows\System\JvMAdxR.exe
C:\Windows\System\WmHcSDE.exe
C:\Windows\System\WmHcSDE.exe
C:\Windows\System\UYXtBJi.exe
C:\Windows\System\UYXtBJi.exe
C:\Windows\System\mDATkDT.exe
C:\Windows\System\mDATkDT.exe
C:\Windows\System\MZyWfAi.exe
C:\Windows\System\MZyWfAi.exe
C:\Windows\System\ZsVGAHy.exe
C:\Windows\System\ZsVGAHy.exe
C:\Windows\System\GRlsDUp.exe
C:\Windows\System\GRlsDUp.exe
C:\Windows\System\EWsQOKG.exe
C:\Windows\System\EWsQOKG.exe
C:\Windows\System\WkRlczU.exe
C:\Windows\System\WkRlczU.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\kVxfUyS.exe
| MD5 | 20d68370ff0844bc2d7dc0e1753e2573 |
| SHA1 | 0a77b6b3c0b922314b61d44a9ec09fc477034dae |
| SHA256 | 1034116a6a190c2ae8b6e2c9c824b33ca6450b37e3079a86087cf40dc6526019 |
| SHA512 | ae55e5a203fa4235f4570915bfc0a40682bd93b064493322337f2e35f5511684840a55248e3b20727967fc99da46860a64e2a8bcaf006ce36e2b47c05a48b5d9 |
\Windows\system\hqwXULO.exe
| MD5 | ca00304dff9a999b957108ef2109ed93 |
| SHA1 | 223c93310b5595837fb8494fe584934361a4cba7 |
| SHA256 | 174a7912cba95c2b3b466c74b85f107d9032aa5beacbf7b050a37c49357a7302 |
| SHA512 | a38d81f7b5e3ed539940e9d72bc8afb42e02cbf6810b31a6df2d1fec5b333dd737150586d2a8742efbb63027a9ab521b5ee02a6c3a81d5f99c0ac9615cf440d8 |
C:\Windows\system\JWUvINU.exe
| MD5 | f9c1fbf0cc979424ad8427843dc68694 |
| SHA1 | 1337418acc65b953754563d3fdc94c1ca9e8d8b7 |
| SHA256 | 7d366d20c7f79417ef4be63f8c64696003edd985cf533206350b3ee76944cfed |
| SHA512 | bc1fe595b19828c405e0b694623a1d831fe4bc2ec29c7eb079c49f774a8c3216bb5676f964cc5a64c7b4f83535b653aaf71fc2811c1bfd24eabf016239a53601 |
C:\Windows\system\IStXkKR.exe
| MD5 | 51b9d70268e9db1272174c637442241c |
| SHA1 | 3aeffc2621a120177317972cc7e442db1bc004c1 |
| SHA256 | 791afcf7809f37c26370501961262e0a45a8011675a929cf1373cb2f61ed93a5 |
| SHA512 | d2dd428a30314ee5e587283d05a80ea40ef349dc50d8420498270b2c467ff0762fe2c74ad37abe0b0e48b74c0bd165343937cf856b749aa70bd0bd829a2b421a |
C:\Windows\system\OEjOlvT.exe
| MD5 | 600beba4c32cb5145eca717e76c048a9 |
| SHA1 | bd328f08d0a7c61df4c25bf45fa83d5bcede090a |
| SHA256 | 2dfcb049bfe39a5349d5ab0ac92dfffcdd7b0e51b9df000bbcdcbaff60827a09 |
| SHA512 | a51164fbcf50d32c83a0191bb08d470dbfb935af264f550f91525228d37d0a64154504b16c6a1bbc0f9fd59107c77f384b07382cf6526b7df25b223d7c55bf99 |
C:\Windows\system\UyhDJZR.exe
| MD5 | a31abb84d2192a8d285101108f27dfe6 |
| SHA1 | e56091475b2c3d29e96033b322143af9fb0a558e |
| SHA256 | ab9c9b50e87debeb2ef34e233bf5fde383cbc736cef46b2e74917b8a3370e46b |
| SHA512 | e9250dadd5e00c7a8f1d23d529ecfc5d8cf7f2e97422a585073c2a6b1a41c78d9cc1937f78cba4c00938994e439968cf8e565025900494a46d6cb98678305972 |
C:\Windows\system\qBztODV.exe
| MD5 | 423457533f687fa50cfc3a94dd7a2c2d |
| SHA1 | e74baa3b3a05c1cbe796fa5e9a5b7bda7d35acbd |
| SHA256 | d3335a2e87f25e7363c2e17e1aa4e47a0d7aae55404aa593ee51a3a32d037894 |
| SHA512 | 08e674759f4b9a892e4cebc2893dda240168acc5f4acce4c2c503339b23147cca6951f0724528e68b7a716358eb55b9bd0289d28838800825860f3b0c4e512c3 |
C:\Windows\system\EEkLAwG.exe
| MD5 | e1d6a1db990971b96ece3b04f8b71b23 |
| SHA1 | 8bed818d78b512f66b7b8fe6ac3c631b1186c75d |
| SHA256 | 4f1a264da437d2e319e4a507f9b74aee660cb09ffac0cade9ea14edeaaf2f867 |
| SHA512 | e52e8a52e9215e7ef9a32bfc228982b6d37f0f8d236928ff4c20f8c018296767138118ba594d5bbca003f706b27a1d1ce81d3fac06cb2ee98657348f38f091f4 |
C:\Windows\system\ZsVGAHy.exe
| MD5 | eece682655de1abaaa6eeb92ce23c4f7 |
| SHA1 | 0a182048b83a4a7edf63c872daff4cc6afeb3c74 |
| SHA256 | 2a2ba7b8a1f8eba613af5a64283b3928220efc5851df6d1f31bb77280ce621f2 |
| SHA512 | fa442d26b881e0618a77a5c9e1fd764192428d50fb0eb69c323942d6127752492a0eda4f969c0bf59494a0fbffa4163ca8e20fb05da7c1d640f4643f028c36ed |
C:\Windows\system\WkRlczU.exe
| MD5 | f849eaca2addad4bd30a2a6a2929157a |
| SHA1 | e599144d7fa8fd871e313077cdc32c6b1ef57b24 |
| SHA256 | 77fede436cab7e80aca3afc24aa6d63096ddb07d419536997920e4e7bf4ca76a |
| SHA512 | c1863eb7df6624b96f9fdedd2319fcfc8f28c2417bd31d0bbabfa798f60d0db9cb2879f762329924ca1ad3ac3c74027c37baa8945040d8d4436287a397da108c |
C:\Windows\system\EWsQOKG.exe
| MD5 | 2c6a793fd579b289aa27f8821d0736fa |
| SHA1 | 7c2517f2c682789157d25c3aeb73371cca2a972c |
| SHA256 | 49ffa2dd35a5ffbad0c21ae82d9ea2fa4edff7cb44fae4733610bb15428ccfa5 |
| SHA512 | 4afa237e33e07700912db38de1b4618f0674e0af3d00005bab074858f0da733fe9dbc44f7496b45c0be468c23f99293775f3cab1e55d65af6ae185866cf38184 |
C:\Windows\system\GRlsDUp.exe
| MD5 | 556fc68c466b06168c101bef6f9ab119 |
| SHA1 | 8f4d7b66890a5f3bcbaa4f68a7dee029d4b7d485 |
| SHA256 | 694b3bb6c14b592288595083db49c4e9e828e31ea8ea605518b500e938c2d028 |
| SHA512 | 0fbdc229eed265d779436b47a975cb4e83501c6a9b3dea39a359a1f14365c41c1e87e4584887a4db53552f821ec830b51e892bc7b8d3fe3be2753ad48979015e |
C:\Windows\system\MZyWfAi.exe
| MD5 | 0ca94011f7e7683d81af180844bfd53c |
| SHA1 | 9e068b66711f61ce71ce44285272c01a335fabf2 |
| SHA256 | 84b91fd1089804a501b38a49a22b728f3ba60c84b8b628ae19fd9b64351eabcd |
| SHA512 | 5730341c07af4b64ef4a40487f9cd098d0dc833c6ae190a640a9f0fb3bfb1abc33cd95e04dd6a5cd80e5cf341b031273ff6bef7f16ddc36e3a284115570e1e51 |
C:\Windows\system\mDATkDT.exe
| MD5 | 4b2b811b26adf3739db37fdcd22c1681 |
| SHA1 | 88321800d24c1ae507cf2d01f6d9f31852d1692f |
| SHA256 | 9b2afdda1db4e793d28a9bcb6a10e7b1e43bedb44fca408ea255ee4f8ea40581 |
| SHA512 | 7b02352c407462bbcca09a7ee5bf3a93c9c585ccbe4bce842bfaed00d04f76cc97b7c3d80403da00393f30cbac1b6297aa43d48ce950dad82c46c5de9f9b0c80 |
C:\Windows\system\UYXtBJi.exe
| MD5 | 068e203de6ec08f13264d439da310c13 |
| SHA1 | a918a27acc273f71bee26ab96b45bcf6b5d93c2b |
| SHA256 | 4702269ce0589c2de40e007d275c7eea552b8bf1eb94555d84f818242109565c |
| SHA512 | a860bd722583655247aa41dc72faaee96df501f01177c67cf0c72fb2cda544e10113e6a81b09bec8384adeccc622ad7eaae314b11c15ff0b701c7b55d482d3e1 |
C:\Windows\system\WmHcSDE.exe
| MD5 | 9aa4fa2a7b077cb6d2a2958880d6ddfb |
| SHA1 | 744a77a8948d9304ffc9836318a0b853b77ebdac |
| SHA256 | 4a44598ffc5a246af0dcd13e83e00c4e6fb16d1d1091d38386d4b060cdf01d8a |
| SHA512 | 842177085ec8e28b872667796bc32bc2e66848ff9b4498ee556df808efcf996645fe974e63e42e9303f08204f3e4dd0e98a55dae85013727fc0291aa6231223d |
C:\Windows\system\JvMAdxR.exe
| MD5 | 7e89903065575d513d12e235e4b3674f |
| SHA1 | 4b46bb5817ebe8a798adf0fb3444030c05bcb996 |
| SHA256 | 583fb8ad54217148bb0e484b64d46d60e8542efa65fc273466543c280357ec35 |
| SHA512 | 81d5291b72a2aaeec82860bdb427661ff32b72be2e3db4994736b262f8c252ae91e6eaa2d55f3edff39ffab86c1a7c8676bb7bf0c5baea03141ae046316f0bb1 |
C:\Windows\system\HedKxpj.exe
| MD5 | 39e950c439181df88d681cdf0cf3cac3 |
| SHA1 | 6395496a928b0bc7b824ba6c020bac8c4ab4c6cd |
| SHA256 | 1463bbb3863274d1dee1ab5f4998740de384ee11b8cbcc0c65f27827ddeb1dfc |
| SHA512 | 8f7efdc4cdbb1e3620c58d8431b6d4f0c926c0204c9d15b1193b6bb6f79cec14dec96fbcd3f8c6293bc85bb1eb3a3ee4dc5a37500ea9639427a63142a5540584 |
C:\Windows\system\tvOrjMZ.exe
| MD5 | c52e4a4ab5d171d8a01dc90d7e26463a |
| SHA1 | 2bb0ba6a7d392e1e6121c682d41399a54b2de552 |
| SHA256 | eee10ee462046d955cc5c09a4ec527eda0950d4090f0ed0a7e583cfda077435c |
| SHA512 | e0219078080b3d8f6bf5fe54fc8ecd57053d39b72e2e1350febfd2bdf9209fbfc96d5487ad0475d6bdb514736f2277d9ffdfa5e7155ed1fb29c53b82d726aed3 |
C:\Windows\system\rsiQRaQ.exe
| MD5 | e7a551fa7d4d3c81776fa85b02d95ea6 |
| SHA1 | 9fb1dfe75160e17fe116902f73ef5ae58e27b302 |
| SHA256 | 316bfb6c363940b935f11c78bd06a99e4d710789aea8b7233b6112efcfd6bd19 |
| SHA512 | f58182e3389dc81551acca66b478f2d4d43ec7747a889491c2f82f0e37e298b2699680923bb2f20c2747fa9f7c466bd2b92b97d0bb88cb47c8f5a724ee990231 |
C:\Windows\system\vGoIvtv.exe
| MD5 | 24fb0f43258a3134ca7703df736458ca |
| SHA1 | 15df7ad17884248aac8a8fe398536e3495e8ee93 |
| SHA256 | 35a250c7e5c21ce3e4771d1691ee910aec064b42a443e47f0376c40c15b29738 |
| SHA512 | 56aa81a5a11aee6396f6fbaf13c4459820a9cc9a7b394aaa84f88fb79c48d44d2600288f7298a64fd0b9d74ded80289327b565bd0ef0004a3c37a0b297369b13 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 16:02
Reported
2024-08-06 16:04
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\nxZTmZK.exe | N/A |
| N/A | N/A | C:\Windows\System\uZpXWmD.exe | N/A |
| N/A | N/A | C:\Windows\System\sODaZYX.exe | N/A |
| N/A | N/A | C:\Windows\System\iSXiFmC.exe | N/A |
| N/A | N/A | C:\Windows\System\engJGUW.exe | N/A |
| N/A | N/A | C:\Windows\System\WPLrXHd.exe | N/A |
| N/A | N/A | C:\Windows\System\Frltnbw.exe | N/A |
| N/A | N/A | C:\Windows\System\IQspLFr.exe | N/A |
| N/A | N/A | C:\Windows\System\vXGGPeb.exe | N/A |
| N/A | N/A | C:\Windows\System\DazZaet.exe | N/A |
| N/A | N/A | C:\Windows\System\aQQkvjA.exe | N/A |
| N/A | N/A | C:\Windows\System\zFYAlXS.exe | N/A |
| N/A | N/A | C:\Windows\System\PDcUxCD.exe | N/A |
| N/A | N/A | C:\Windows\System\yAUHYib.exe | N/A |
| N/A | N/A | C:\Windows\System\LEIrwXK.exe | N/A |
| N/A | N/A | C:\Windows\System\DbofsnW.exe | N/A |
| N/A | N/A | C:\Windows\System\daMNIWW.exe | N/A |
| N/A | N/A | C:\Windows\System\WpsOIfM.exe | N/A |
| N/A | N/A | C:\Windows\System\rrlEumG.exe | N/A |
| N/A | N/A | C:\Windows\System\TGauCGL.exe | N/A |
| N/A | N/A | C:\Windows\System\ieZIjKl.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_b83b0e0251d01860a0b1e268874ee894_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\nxZTmZK.exe
C:\Windows\System\nxZTmZK.exe
C:\Windows\System\uZpXWmD.exe
C:\Windows\System\uZpXWmD.exe
C:\Windows\System\sODaZYX.exe
C:\Windows\System\sODaZYX.exe
C:\Windows\System\iSXiFmC.exe
C:\Windows\System\iSXiFmC.exe
C:\Windows\System\engJGUW.exe
C:\Windows\System\engJGUW.exe
C:\Windows\System\WPLrXHd.exe
C:\Windows\System\WPLrXHd.exe
C:\Windows\System\Frltnbw.exe
C:\Windows\System\Frltnbw.exe
C:\Windows\System\IQspLFr.exe
C:\Windows\System\IQspLFr.exe
C:\Windows\System\vXGGPeb.exe
C:\Windows\System\vXGGPeb.exe
C:\Windows\System\DazZaet.exe
C:\Windows\System\DazZaet.exe
C:\Windows\System\aQQkvjA.exe
C:\Windows\System\aQQkvjA.exe
C:\Windows\System\zFYAlXS.exe
C:\Windows\System\zFYAlXS.exe
C:\Windows\System\PDcUxCD.exe
C:\Windows\System\PDcUxCD.exe
C:\Windows\System\yAUHYib.exe
C:\Windows\System\yAUHYib.exe
C:\Windows\System\LEIrwXK.exe
C:\Windows\System\LEIrwXK.exe
C:\Windows\System\DbofsnW.exe
C:\Windows\System\DbofsnW.exe
C:\Windows\System\daMNIWW.exe
C:\Windows\System\daMNIWW.exe
C:\Windows\System\WpsOIfM.exe
C:\Windows\System\WpsOIfM.exe
C:\Windows\System\rrlEumG.exe
C:\Windows\System\rrlEumG.exe
C:\Windows\System\TGauCGL.exe
C:\Windows\System\TGauCGL.exe
C:\Windows\System\ieZIjKl.exe
C:\Windows\System\ieZIjKl.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\nxZTmZK.exe
| MD5 | 5a190d4cf7c861bd5e7b7db57fa49b99 |
| SHA1 | 4350e8479850413cf42d60858c9f3cdbff9f21a4 |
| SHA256 | 013bc8312d2c60df13e74b44204fb2433b56129fbaa266176b9eb478daa3498f |
| SHA512 | a8ea684c6e5d33e2472ff339fb8867cb0dc9e0f1dfa91fe74acf06d41f9a90c75c021acca307615504924894bbb79fcca747a72d6566daa42aacc97e2b059c97 |
C:\Windows\System\sODaZYX.exe
| MD5 | 9fea3947d0ad5879c11a82967282cad9 |
| SHA1 | 8135477234096cdbca507a5b4b63e01af4281f9e |
| SHA256 | c6c872a8ecfb3f0267c4e406bfb118e7204578d757409826fed9a8ab02462926 |
| SHA512 | 7b0c74de32119c3cca6c8923c1c4fa2329285409a21e74c30ab4e0422e6422afa29a548307772a4f34454d01e21f3e286b8c9d86e5d65355b6a048efc7650de9 |
C:\Windows\System\uZpXWmD.exe
| MD5 | 0505fb9eede7b503b16149e268284568 |
| SHA1 | 203e72fbe248bb276a6d6ad004019b66cb007e78 |
| SHA256 | aae896e1b88e971c4abf7a45b94184925cbab5d91148917ab1a65add77908a6e |
| SHA512 | 7a176a52946ae70b5f2c5d62b5250b029d555b4d9c774ca0bd082bf6b8a7a2d50422d6703b76fea66810e784b907aefc1fb512d799f8b53328d6eba9ead0a7ec |
C:\Windows\System\iSXiFmC.exe
| MD5 | de039882dad10373cde0d0c52b4d783b |
| SHA1 | 9cd6a0ac72479f1f75bd21681c04f9734463f85b |
| SHA256 | 3e91b6f6844254ee6712bb927f80c3571a300ef62a19f5aea5c451db65dd1a9b |
| SHA512 | bdfb9de2e6515ea8686698766a80adbe28062a9472b438366c5fbb0795c16cf936f5aed97aa4387d7aa155eedaf881505f5fb04b69c67b8e7fe54d1fd31b58ff |
C:\Windows\System\engJGUW.exe
| MD5 | 9d69c89ac54f13ae83f71676b0e8e841 |
| SHA1 | 1a36012dfbf11dc2c7f99cdbedfda612adf736ce |
| SHA256 | cb46dbf65df089d7255ad82ab839f7bb58c56726de6d25191a358fa2283c4977 |
| SHA512 | 225823004a77887a604721ad075cf7624406c9e5cc7ec6f00312183aeebfbc77593eb455e2eb36a7f6ac96f5223af80d5e82868472dcd41eced78e8e9788b1a7 |
C:\Windows\System\WPLrXHd.exe
| MD5 | cefa834d453c5cac380da72ddee8538b |
| SHA1 | eea9d2454052da88b67bad0852a0f2bc0c371af4 |
| SHA256 | 97d179b47a9695ed76d3069e3db90430a7b1c29ce8915bbd9f38eb51602fa448 |
| SHA512 | 4188abfe2c91e5e229775e6b11fedcd7ec5eaf3094be37556952d6170e1b9ef88f4610b3f1d0b223058c010a0591e3765efce7faddd42dbe2c95b9b260b9d0d8 |
C:\Windows\System\vXGGPeb.exe
| MD5 | 62e062569d5477a7b9f640a7583ef345 |
| SHA1 | 76874e597acef69d433457d8361c2cc06e1264c6 |
| SHA256 | a98da941ef6013d8ce43ae27dea8e65aad37ec006ff1cf8846c48fc207fe9f7a |
| SHA512 | 918efddbc4af0f584418b5bde8eddbb5b34934173aaf3e5a15000826de94dfd6d41c2125d8a2121fe4a1ad348a39ec1ddc1751cd3c822ed2f4ee94eeaa973d0a |
C:\Windows\System\IQspLFr.exe
| MD5 | 1979cd5a891dcc12a120dffe7e308532 |
| SHA1 | c93c30298ca2c9060326f857ab90f4bb10d09d23 |
| SHA256 | a6064d938a33c80edc9f8cc59268f5c759b26344b096fefbdd6d3e7020f7acd7 |
| SHA512 | 1acd7defb75a13f22127562261074ecdf0b3838ae8aa1c8eb1034470244ee89fc12a4040cfe590677dd9600bded43a42b9c5dd9bf18cede3a8babd99a6ad9ab7 |
C:\Windows\System\aQQkvjA.exe
| MD5 | 7bbf3ee684d5e81915828440a896f854 |
| SHA1 | df6d881a21916cd8ee8fc33f7ca5ed045618fcce |
| SHA256 | a48dca318f662d6eeee7c95f2fbcc564cac083da1c207cd9e5662817dc87b17f |
| SHA512 | 2c194b6dd218a914d8cd0724955a5a56e9bf1f73a90f088a3ad3c0918d0804213c8f572c5e5474a0e7f0092e317126d89450b2b58270427f7d4ec9a4f5f19a1b |
C:\Windows\System\PDcUxCD.exe
| MD5 | 2b3340029b56a640cf8b7d1a5ae5c1e5 |
| SHA1 | 6fdf5db68c669dbaa12aa7b54ab079341f431050 |
| SHA256 | 8614a99585c7bca6852cad6c9e126ee04ac1423c611331ec23e5f42c83b6a154 |
| SHA512 | 806d870f5981d5b24a20d2ce84263afff41fc1474992e594c7f2d428904ad9e4876e0bbccb0bcb1bbcfa48b58dadcc1b3ea906204b43dd282a870f0bd81efaa4 |
C:\Windows\System\LEIrwXK.exe
| MD5 | 4a7a9dd7f2608d1d60fdb5c0b799cea6 |
| SHA1 | 5cf39f65f1392990d29a37140de5fc292482b9d6 |
| SHA256 | 240b70c46de908f7fea8364e63ec1394890a09df19fdcd2e12d17fb63a813c4a |
| SHA512 | a4349412967b36aa540750171a8cb0087e051c92f23999099d7493aaf3a4f923af94153367bc547814af81de83fc871d8bb75f00011e837f5e115317e4d6103d |
C:\Windows\System\WpsOIfM.exe
| MD5 | 96c43aafbb39b50218fdb94375a13bba |
| SHA1 | 205d9a32c030e7621657fdf5d32ff5c0ab59b6ff |
| SHA256 | 24e2fda8c72fa979ec95d1dc149160cc11e635182fb86056ac5cd0ba61a07f4c |
| SHA512 | 2013f1ccc965ac2d8f04d884aa84774af437f74196863dc644cb5e822750a5a8a9d59ce12d5d227382ba018f8b7cfb8ff3e1f4e4431d754375184bbb200a5960 |
memory/2896-117-0x00007FF6833D0000-0x00007FF683721000-memory.dmp
memory/4924-120-0x00007FF6F6490000-0x00007FF6F67E1000-memory.dmp
memory/3020-125-0x00007FF798780000-0x00007FF798AD1000-memory.dmp
memory/4812-126-0x00007FF6268B0000-0x00007FF626C01000-memory.dmp
memory/5000-124-0x00007FF62EC30000-0x00007FF62EF81000-memory.dmp
memory/4976-123-0x00007FF7D0100000-0x00007FF7D0451000-memory.dmp
memory/3008-122-0x00007FF6F38C0000-0x00007FF6F3C11000-memory.dmp
memory/4200-121-0x00007FF6EF040000-0x00007FF6EF391000-memory.dmp
memory/4124-119-0x00007FF71EDF0000-0x00007FF71F141000-memory.dmp
memory/2784-118-0x00007FF733640000-0x00007FF733991000-memory.dmp
memory/3912-116-0x00007FF609150000-0x00007FF6094A1000-memory.dmp
memory/4424-115-0x00007FF77C2F0000-0x00007FF77C641000-memory.dmp
C:\Windows\System\ieZIjKl.exe
| MD5 | 50123296165e7ae6149626b877a83a45 |
| SHA1 | ed6d163234b0c7700f5f289560489ccfd3a69ac8 |
| SHA256 | 4a59198bb1e4b31f6344cd85c93f7b22516f227e540794ed76c793f337308e54 |
| SHA512 | 5b9ee2c0a9c9da441c1b380bef9a2a38bf229470423825cd56a9ff446a7e4e9cd459e1d3ba3f6b4a01a589c9edd25ca0c2110e497402ac9e54c9da25ef6052ae |
C:\Windows\System\TGauCGL.exe
| MD5 | a764473aa673ac1f9e81d71c903741c0 |
| SHA1 | 990de874647501edb66f3d1df497a6536a108841 |
| SHA256 | a8c46bcc153f76f8b5cbd2dd5bcc8aa05e47f2ca945b45875c250c7631bb0a90 |
| SHA512 | 669a767698314d5929fb1b6dc8d1e05ddf1381ab6161a900a70abbbe87becfb8d72ac1466dabe10e59fe1a9f712c12564805ec45fd8cfc079f93252671d8f587 |
C:\Windows\System\rrlEumG.exe
| MD5 | 8828dd5c4715af829e7dded6339f3b23 |
| SHA1 | 4686d8df9012ba5ea9cf86dca5f22668bb0aa6d9 |
| SHA256 | 50573c219b80248f05f314b679636dceb5c18f85c5cc0b287bb595904769b4ff |
| SHA512 | dd59b598ee75fa43a01906a38eff48a186533a39fde7449a5f1188f8c36e58518afb225d0387cb2e47c44f9cda4582447b6d1f853cc11082a8c51e09e368e71d |
C:\Windows\System\daMNIWW.exe
| MD5 | 6633be60bc589d80afb12bada41010c6 |
| SHA1 | 6cc549a9a5a439a2b15d76426d3c7f7b96b3de58 |
| SHA256 | 115155c7c33f86a5288e68e7790ffc2e6f93194a3c3d1f173965e77c16099c25 |
| SHA512 | 7e5d5c1c97880ccc42b2930f507e467d22f1da1b2583ba6be6f7cfcd68452baa3de568ef50adfc6a7329f2f16e642f20d702f0ae56c9c7571c652e4f263ce6f4 |
C:\Windows\System\DbofsnW.exe
| MD5 | bbbdcfecc1b08496f453861cc638f8a1 |
| SHA1 | cbc47b98d91d56a79f4efca3b7dc63e1d2a932c4 |
| SHA256 | c13bc81625af74916197f5ddabca0d31ed537377345e73784dffd20bffe1cf58 |
| SHA512 | 3973544fa788947d10b0eb77257f50a2aca40c27960047a2df74d17b5bac386b3a944312f5afca14e698c5fde038ad4ea218684f1d4691fc07dbdd95c1f08140 |
memory/1000-99-0x00007FF688A40000-0x00007FF688D91000-memory.dmp
memory/4504-90-0x00007FF793550000-0x00007FF7938A1000-memory.dmp
C:\Windows\System\yAUHYib.exe
| MD5 | c82b23bfcfcb797f1dbfb25d052b2cd7 |
| SHA1 | 90ac861812eb89508592a8e4dd7d237a1798d30f |
| SHA256 | aeb6f1dc797ee59aa4c23e3be2474d7c774f1514761d626220cf3d5b015d95a4 |
| SHA512 | e65af6f36a4365e3a5a57c89f0e2126d27b7bfc69b3ce959901201fc6c745a3a490f4a5a82f3e3876fc4cc6f612583faeeb853a2a4f022e3883b069049e5bf4e |
C:\Windows\System\zFYAlXS.exe
| MD5 | ca67c682b57cec019d6839bcff4c3809 |
| SHA1 | 4ae957e7e0477cecc4f0e9129935aaf3ad65359f |
| SHA256 | accb83e9a773e5760cd37e5f1314054d3409dbdc7f1a17086ea2a04ece31fd0b |
| SHA512 | d8a650d4e2482052b11b12293ebc1c4f0ab9c30b384cc387d237917e8c1f54c17a6b440417548fbb8c63f7c97e894895082a5dfb0addb875ec6c31cdc58e2f03 |
C:\Windows\System\DazZaet.exe
| MD5 | 2fb9cc8606686324166e5adc41a727a9 |
| SHA1 | 64f30fa3e0dd4562c7e01acc1bb087dfbaf39989 |
| SHA256 | 730973aba8e7d35d2f557b083717be1583c92439b06fa20dc4ff206a409cc36a |
| SHA512 | 509aee4f31a5a3efd806c114fa82fe23d6f49cc1c27f49d2b4b5e2acef9227e38645106a0de3f8f2724d891a3fa0da68fe6677862a4136f80183a733b535d7d0 |
memory/1816-46-0x00007FF763110000-0x00007FF763461000-memory.dmp
C:\Windows\System\Frltnbw.exe
| MD5 | 26efc6a19d39b1bd68b9f8fd44f1c2bb |
| SHA1 | 6c06d28cfb1fbf097cdd5d400f053d6c52d27971 |
| SHA256 | 6975ebf66b394311e1ba1c7636749325ca08d74ab983df71d32407841b975e4b |
| SHA512 | 52eb3dbc7a2a3dcda368f1ccb2804043241ffd8a8998cd74513089787e4d94c357e1afce037675d30f62665445167361bd62a730d9cee1e28f85997916aa2347 |
memory/4300-35-0x00007FF6718F0000-0x00007FF671C41000-memory.dmp
memory/388-8-0x00007FF75F160000-0x00007FF75F4B1000-memory.dmp
memory/916-132-0x00007FF62A7F0000-0x00007FF62AB41000-memory.dmp
memory/4504-136-0x00007FF793550000-0x00007FF7938A1000-memory.dmp
memory/3924-130-0x00007FF645F50000-0x00007FF6462A1000-memory.dmp
memory/388-129-0x00007FF75F160000-0x00007FF75F4B1000-memory.dmp
memory/3008-149-0x00007FF6F38C0000-0x00007FF6F3C11000-memory.dmp
memory/5012-128-0x00007FF6C4B80000-0x00007FF6C4ED1000-memory.dmp
memory/5012-150-0x00007FF6C4B80000-0x00007FF6C4ED1000-memory.dmp
memory/388-195-0x00007FF75F160000-0x00007FF75F4B1000-memory.dmp
memory/3924-197-0x00007FF645F50000-0x00007FF6462A1000-memory.dmp
memory/4316-199-0x00007FF621470000-0x00007FF6217C1000-memory.dmp
memory/916-201-0x00007FF62A7F0000-0x00007FF62AB41000-memory.dmp
memory/4300-203-0x00007FF6718F0000-0x00007FF671C41000-memory.dmp
memory/4716-205-0x00007FF6EF560000-0x00007FF6EF8B1000-memory.dmp
memory/1816-207-0x00007FF763110000-0x00007FF763461000-memory.dmp
memory/1000-209-0x00007FF688A40000-0x00007FF688D91000-memory.dmp
memory/4504-211-0x00007FF793550000-0x00007FF7938A1000-memory.dmp
memory/5000-215-0x00007FF62EC30000-0x00007FF62EF81000-memory.dmp
memory/4976-214-0x00007FF7D0100000-0x00007FF7D0451000-memory.dmp
memory/4424-217-0x00007FF77C2F0000-0x00007FF77C641000-memory.dmp
memory/2784-220-0x00007FF733640000-0x00007FF733991000-memory.dmp
memory/3912-221-0x00007FF609150000-0x00007FF6094A1000-memory.dmp
memory/2896-223-0x00007FF6833D0000-0x00007FF683721000-memory.dmp
memory/4124-225-0x00007FF71EDF0000-0x00007FF71F141000-memory.dmp
memory/4924-229-0x00007FF6F6490000-0x00007FF6F67E1000-memory.dmp
memory/3020-227-0x00007FF798780000-0x00007FF798AD1000-memory.dmp
memory/4812-232-0x00007FF6268B0000-0x00007FF626C01000-memory.dmp
memory/4200-233-0x00007FF6EF040000-0x00007FF6EF391000-memory.dmp
memory/3008-237-0x00007FF6F38C0000-0x00007FF6F3C11000-memory.dmp