Analysis Overview
SHA256
e31af51f38bf9ec5f8dc945e4d75f7db8ad5b0e06922248a3998cebd4040222e
Threat Level: Known bad
The file 2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike family
Cobaltstrike
xmrig
XMRig Miner payload
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported: 2024-08-07 19:26
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-08-07 19:26
Reported: 2024-08-07 19:29
Platform: win7-20240729-en
Max time kernel: 140s
Max time network: 150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\dKPEGOl.exe | N/A |
| N/A | N/A | C:\Windows\System\OKrjwfW.exe | N/A |
| N/A | N/A | C:\Windows\System\IxgrzQf.exe | N/A |
| N/A | N/A | C:\Windows\System\xuyUVKl.exe | N/A |
| N/A | N/A | C:\Windows\System\kHQLqMl.exe | N/A |
| N/A | N/A | C:\Windows\System\dBSkTCr.exe | N/A |
| N/A | N/A | C:\Windows\System\HokRgGZ.exe | N/A |
| N/A | N/A | C:\Windows\System\iVNABRL.exe | N/A |
| N/A | N/A | C:\Windows\System\wutlrbi.exe | N/A |
| N/A | N/A | C:\Windows\System\qPQcQNd.exe | N/A |
| N/A | N/A | C:\Windows\System\vnZDpxR.exe | N/A |
| N/A | N/A | C:\Windows\System\oIJkEeX.exe | N/A |
| N/A | N/A | C:\Windows\System\QhpVowH.exe | N/A |
| N/A | N/A | C:\Windows\System\qdAaHbo.exe | N/A |
| N/A | N/A | C:\Windows\System\ZaiJsFI.exe | N/A |
| N/A | N/A | C:\Windows\System\ZgRQzGw.exe | N/A |
| N/A | N/A | C:\Windows\System\pupbqqd.exe | N/A |
| N/A | N/A | C:\Windows\System\kFdsLIN.exe | N/A |
| N/A | N/A | C:\Windows\System\ZJvsPcy.exe | N/A |
| N/A | N/A | C:\Windows\System\RGqhlix.exe | N/A |
| N/A | N/A | C:\Windows\System\iERYzbG.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\dKPEGOl.exe
C:\Windows\System\OKrjwfW.exe
C:\Windows\System\IxgrzQf.exe
C:\Windows\System\xuyUVKl.exe
C:\Windows\System\kHQLqMl.exe
C:\Windows\System\dBSkTCr.exe
C:\Windows\System\HokRgGZ.exe
C:\Windows\System\iVNABRL.exe
C:\Windows\System\wutlrbi.exe
C:\Windows\System\vnZDpxR.exe
C:\Windows\System\qPQcQNd.exe
C:\Windows\System\QhpVowH.exe
C:\Windows\System\oIJkEeX.exe
C:\Windows\System\qdAaHbo.exe
C:\Windows\System\ZaiJsFI.exe
C:\Windows\System\ZJvsPcy.exe
C:\Windows\System\ZgRQzGw.exe
C:\Windows\System\RGqhlix.exe
C:\Windows\System\pupbqqd.exe
C:\Windows\System\iERYzbG.exe
C:\Windows\System\kFdsLIN.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-08-07 19:26
Reported: 2024-08-07 19:29
Platform: win10v2004-20240802-en
Max time kernel: 140s
Max time network: 147s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\dKPEGOl.exe | N/A |
| N/A | N/A | C:\Windows\System\OKrjwfW.exe | N/A |
| N/A | N/A | C:\Windows\System\IxgrzQf.exe | N/A |
| N/A | N/A | C:\Windows\System\xuyUVKl.exe | N/A |
| N/A | N/A | C:\Windows\System\kHQLqMl.exe | N/A |
| N/A | N/A | C:\Windows\System\dBSkTCr.exe | N/A |
| N/A | N/A | C:\Windows\System\HokRgGZ.exe | N/A |
| N/A | N/A | C:\Windows\System\iVNABRL.exe | N/A |
| N/A | N/A | C:\Windows\System\wutlrbi.exe | N/A |
| N/A | N/A | C:\Windows\System\vnZDpxR.exe | N/A |
| N/A | N/A | C:\Windows\System\qPQcQNd.exe | N/A |
| N/A | N/A | C:\Windows\System\QhpVowH.exe | N/A |
| N/A | N/A | C:\Windows\System\oIJkEeX.exe | N/A |
| N/A | N/A | C:\Windows\System\qdAaHbo.exe | N/A |
| N/A | N/A | C:\Windows\System\ZaiJsFI.exe | N/A |
| N/A | N/A | C:\Windows\System\ZJvsPcy.exe | N/A |
| N/A | N/A | C:\Windows\System\ZgRQzGw.exe | N/A |
| N/A | N/A | C:\Windows\System\RGqhlix.exe | N/A |
| N/A | N/A | C:\Windows\System\pupbqqd.exe | N/A |
| N/A | N/A | C:\Windows\System\iERYzbG.exe | N/A |
| N/A | N/A | C:\Windows\System\kFdsLIN.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_6ff19ed385d26fdf5d0a1462dec14897_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\dKPEGOl.exe
C:\Windows\System\OKrjwfW.exe
C:\Windows\System\IxgrzQf.exe
C:\Windows\System\xuyUVKl.exe
C:\Windows\System\kHQLqMl.exe
C:\Windows\System\dBSkTCr.exe
C:\Windows\System\HokRgGZ.exe
C:\Windows\System\iVNABRL.exe
C:\Windows\System\wutlrbi.exe
C:\Windows\System\vnZDpxR.exe
C:\Windows\System\qPQcQNd.exe
C:\Windows\System\QhpVowH.exe
C:\Windows\System\oIJkEeX.exe
C:\Windows\System\qdAaHbo.exe
C:\Windows\System\ZaiJsFI.exe
C:\Windows\System\ZJvsPcy.exe
C:\Windows\System\ZgRQzGw.exe
C:\Windows\System\RGqhlix.exe
C:\Windows\System\pupbqqd.exe
C:\Windows\System\iERYzbG.exe
C:\Windows\System\kFdsLIN.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| NL | 52.178.17.2:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/5004-0-0x00007FF775FE0000-0x00007FF776331000-memory.dmp
memory/5004-1-0x0000016F00B60000-0x0000016F00B70000-memory.dmp
C:\Windows\System\dKPEGOl.exe
| MD5 | 23d02a4c6b8ff0caf8cd9f13347d00bc |
| SHA1 | c0efe7252d688ad731b2e01ec6eeaa5e89dbef91 |
| SHA256 | 8a16b4ef0e37fb5be65343f92595d8246539cddc3a449821d1769c17dfa50b23 |
| SHA512 | c7fbfca6d33323a50fafde467bc7365bbbf26b964fe0e1c6d76268d48cd1680e0af9e9c7407f87dc18ab549ad0ebce6073968afd2d45b1bef8969f6e1c3e0947 |
C:\Windows\System\IxgrzQf.exe
| MD5 | 39a7eb977112156d506201987e27559b |
| SHA1 | ddbf59db00887f5564c645c4a5baa95500ec33af |
| SHA256 | 2d49ac119dd0b2296c116a3d48ba06466b0b605967d06f2b845ec9cccd081d8a |
| SHA512 | 0b4179ab75cccde2b4d2447217b9dfd339b9cb3e7268e6e1f79776ab1aa2257aac068ec4f1ad10b837274d34b54f1cd9f454bb0a6f5d8a96a436aa5493b69ddc |
C:\Windows\System\xuyUVKl.exe
| MD5 | 2430cefe147cedfc9a1852df939295d9 |
| SHA1 | 50ab208eeea6fbc8b461fda7d76f5c71344b3ac6 |
| SHA256 | 6cb579e0eac9a12b94f518b7a360f22d2f4b16d1564277b5bbb95823b242b596 |
| SHA512 | fef6964844748d3877586261608055f0c995de17dac86195db3e0a47c28018eb71dd9b8993049265ffc7ed5229f1c23cc1c4d24795872fe88dd6d51630a548c3 |
C:\Windows\System\kHQLqMl.exe
| MD5 | a510ece376e809ff545f8ad4011dfe75 |
| SHA1 | b2ee57e60e583890f19a97253e37aaae2e0605a8 |
| SHA256 | 5bd2afe89bf71b3c069c9b578e4ee50cf900b59dffa3e9ba8ec13097b365a3d3 |
| SHA512 | c73055ff2c606c1ff3b1005b9649a804c34b282a420d97e93c8a50c7d109de3c118218bcad6c51cbaa5617645b92b9841db5bee37b70de102a84c524e9d56324 |
memory/4156-29-0x00007FF6F6150000-0x00007FF6F64A1000-memory.dmp
C:\Windows\System\dBSkTCr.exe
| MD5 | 9a99768b37abf9cc5712f8dac36689d6 |
| SHA1 | 6591fd4bc6de5f8e603569fa3bfb3ca19902f947 |
| SHA256 | 4459f8ced756b8b39c836421fc7478b4a37923f876bcb693b7692476da155168 |
| SHA512 | 0b95c97d6feb37f6628b10e10c23caca8e4cd83e396663746529bad5b44ec5f9eaad8cbd9d77da82aa270284e1a754cf5b3ef55121e7a0bc1707a0e1af7f706f |
memory/4948-45-0x00007FF6A5CC0000-0x00007FF6A6011000-memory.dmp
memory/1172-42-0x00007FF72A080000-0x00007FF72A3D1000-memory.dmp
C:\Windows\System\HokRgGZ.exe
| MD5 | cce87d11d5907495efa761436c1b9927 |
| SHA1 | 52055f37d48baf801ea2ea276d111ae8f788000f |
| SHA256 | b90c507e246b2236bd754bb3ba8eb8f4d5c97f6d294405010bb4e8264151b1cc |
| SHA512 | d57b6c10ca4f23a7bf6f49eaff03bee5aada1d43a79a909d67963a80d891e41f3b41f5f50a897e74730d932db5eabdbb6f0e5e959f464b7be031f47460044bae |
C:\Windows\System\wutlrbi.exe
| MD5 | ac460159cc52616dcf69a988a8b61f79 |
| SHA1 | e8fb5a28a5bea3158589b6fe17fa123373534b06 |
| SHA256 | 1acbd83f91d5e024f2664a686f5e318967a6e6c7ba6ddcbf1a980375b36d82c0 |
| SHA512 | 8aee17f2059092554b67eaf820a0b6aa32ca5755dafdd4f8321b00d136854751b4130e4f6117c5cb256d11e8424fda672e476c9d67a7d58f9e1b9135a0a3d6fa |
C:\Windows\System\qPQcQNd.exe
| MD5 | 72848087756fbc45f0b887153b6b42cc |
| SHA1 | d3c0d1175b4180235e2332297a151c8647e7c5f6 |
| SHA256 | 7c461a78b0b787787b4c6a6de6188484629d97881aa61a31675abe49e1b47a99 |
| SHA512 | 784186c3be6ebb4c48d537821ecc976acd86b1cd66ed50d52a2765510be15a5aae925547ccee45df9ce2bea37d84f0b9b1009fb75b64a450362e2f3d7669cec2 |
C:\Windows\System\oIJkEeX.exe
| MD5 | fa6b4771d53fb554637842a3b54fb237 |
| SHA1 | 48a968b857bbcc22e92f4f667730f4dfbd02e9c4 |
| SHA256 | 551eeee149d7b902740ed74a7b92c0b42fda487b44c06ae6025569737a933d55 |
| SHA512 | 6889ca108e900518affdef25276dea978fd97d4558a3e01dd838dd10a46508e1a12889681e6883d84b921d561ab1c4e431ae58a37dbeb4c62fb2a0a2084754b3 |
memory/3096-78-0x00007FF7C3A20000-0x00007FF7C3D71000-memory.dmp
memory/4980-77-0x00007FF7F0E60000-0x00007FF7F11B1000-memory.dmp
memory/4864-74-0x00007FF725A70000-0x00007FF725DC1000-memory.dmp
C:\Windows\System\QhpVowH.exe
| MD5 | d0329af70ca33e8612d63600a14360df |
| SHA1 | 479bf5831e0a556a0004fa5708b78b62e2156824 |
| SHA256 | 0ad823d62cd2ab72a95e3997eaac2cda647bdd84caa7f9e423b995aa91079efd |
| SHA512 | 85e7ace687e944618063ac3bf9b509285fbb9892c647625701869f0a8cdd4fc73e30f75fa0870b8bf488b384c0c75353fed171c940fad35a8e7714158d0bddd7 |
memory/2640-70-0x00007FF749120000-0x00007FF749471000-memory.dmp
C:\Windows\System\vnZDpxR.exe
| MD5 | 71a4e314d9f029574aab8e4033ff4b46 |
| SHA1 | a77c4041521470a0d7864a5f7e1fa0cea2a613c7 |
| SHA256 | 61227e9ab9657dacb812c2f7e43648b64f85eb3e61da5d15bcc936d6842f2da2 |
| SHA512 | 34d75543c9edb7f588957d3ae761cf2365a4995b9cac97f6121416d869c9af5f5bcccc3bed3699dd63b9d04667a29d6999c03ed99c07a25ddbd2531bb0bfe40c |
memory/3128-63-0x00007FF77E510000-0x00007FF77E861000-memory.dmp
C:\Windows\System\iVNABRL.exe
| MD5 | d312d59086c43a8f4767785c0427af3a |
| SHA1 | 984cf786e4cd1a7b3a9c766ddd07061de6bdcc7d |
| SHA256 | 7ce3410ba303d4a947593c63435867e4a83c533251d1fce9e17c9a7fa6a4306e |
| SHA512 | 594bdb28a514e41038dc94f3aecc5948d51a0befb7b1cb88f256ec1bd6716b3d4fb81c0b8d64c3e719af973a961066025541729fa4f27499bcf3bfadc92ca661 |
C:\Windows\System\OKrjwfW.exe
| MD5 | d512b255eba2e67ec85daea110ba7dce |
| SHA1 | 098daeaffaa4a4e0ddd9fd801d004f467adde5f7 |
| SHA256 | 0db441db937dd756d97621e0b6a8a202bbecb232ddbbc8c744d6257187866f20 |
| SHA512 | 47f6b630907bddb59c01fb397fa7eeae655ac94e92721c7858e71c7102ef08014c7e4d9defcec29283535f1dd86b034fe8ec9f37377f1345c05d741dd4879434 |
C:\Windows\System\ZaiJsFI.exe
| MD5 | c67cd8a1a3b5d613152c5ba37923d49a |
| SHA1 | 0ef1951728436b98309c1eea96ff7b0321066d40 |
| SHA256 | 4915455a1530dbecd0488ae57b6b606273f0b8c82db6d902189c5c3e9076640f |
| SHA512 | 626b71b887b1f8050c05339a49b558910b3282fe87455403bc83d6d0f5a7c0877f6f9deb38a6b1546e422f8dada5f82616079add757bca91572373cab35b4ef9 |
C:\Windows\System\qdAaHbo.exe
| MD5 | 35cfa6919aa1c0cc03725381d6102d8d |
| SHA1 | 20c8e458bdc08a27aaa462ee8755eb6ade322313 |
| SHA256 | 2599178e83a66c03995bd336b20b12ffbc9aee33838a3eae728050c908dc36e5 |
| SHA512 | 0bd2ed0a70f8934373c57e930c36e6c77aefd99187fb405175054a04032b9a7124a7727132406fd052d1dc5f2266b64460b51055febab785e122f12112ac75af |
C:\Windows\System\ZJvsPcy.exe
| MD5 | bece7aa4c02b0a60568054b57fb2f84e |
| SHA1 | ed3cd7f179e24671b3b3624778a6b45e4638ee47 |
| SHA256 | 56f9ade9223d3092af1584b09cb24132b486732e8d5c0a3be3efd7970ceeec4b |
| SHA512 | bb4c9260f082eb01193ec3a16563def96223bb4a422aa2832efaa07fb9d1a1fca45247655b3c5a5b31f38f9f8f194babf2e8d0c0abbf35f02bf2ed80de35c454 |
C:\Windows\System\kFdsLIN.exe
| MD5 | a2c9d24d3f3de8689dc1cf61d05cb140 |
| SHA1 | 23654e57e33f20f2a927382f6839e2bb92ff9623 |
| SHA256 | 2159d0643b8cda9c878bf0802386ac58465573d32b02110835e0423c257158f3 |
| SHA512 | 2d0a74a4700a53f63d42b055ba1aed99cbe77b0d340b9fd5f8aa0c78cc27e7f6188ffe098ba805b2e0e5ca9a418228f2f387bcfc2d05984b4493b4ef7b70e887 |
C:\Windows\System\RGqhlix.exe
| MD5 | ddd34676ed055ed9063c8006efe98cf3 |
| SHA1 | 45fb221780cae2b4646a566a49dcdc82f5d4d0da |
| SHA256 | ce45915289f42b31488c0264592d02b6fcfe06a852ae96a132bc9027b902fda6 |
| SHA512 | ddca8ea412a1d8a6e68670969e61e215750356e39da207fb0ff40a83965165814cd264b2a9a350dd8b0908fc35a8bec73ee2e4a68e61db904458c0ebc0365b2a |
C:\Windows\System\iERYzbG.exe
| MD5 | 694c4f6345f9d36b6a5021199070e988 |
| SHA1 | 55fd2792f9da07876a984ab9125bf5978a2686ec |
| SHA256 | 85c1d772d0aca4d3488a4abe6ed0ab28f03a7a99328dbc2a74efd137094912cb |
| SHA512 | b79526305fb1d4425c0d8191aaae17257d34ee510d41430d3cecb915eb28a953e455874f26c49152f3fd3694ea0a79e43c6d1e2c693018be2b1108b401cb89ae |
C:\Windows\System\pupbqqd.exe
| MD5 | 8d9577de1b12db50f50036fafc4a12cf |
| SHA1 | e58e9dd0e9b8f119628cb0e3003b8c7771ee3688 |
| SHA256 | dd874a91077182a1814f7346c79a755d79e7a5f9c983131684ebef4fcc1e71f0 |
| SHA512 | b1603dfe1e4ada1f4060493b639da364593f47d32cecb1a777dbe4eb22d6261a463a5f7d273404147fd76bf7597afc4763cc2fdd3d09a0a617f0dd87b243882a |
C:\Windows\System\ZgRQzGw.exe
| MD5 | eb7086ece612d6dc0620c4166f9ebb50 |
| SHA1 | e18c9e6a795b00c66aa3b35a171e7c0d2779bbf0 |
| SHA256 | fa959f88ae1d6e83ba15757a04752533e44b50069367b91c4df2a4ead3e78249 |
| SHA512 | 2bd399fd00e590d18544a7f077296902eea0e8fe316f7bb746e46e5311c2980c808e71b307653e1354f7bb3b6ad5cb4ddbbe7f62585e9e71655a1f0f31ecb982 |