Analysis Overview
SHA256
14ebc34fc109c6babd8231811e7371077e82a5cd36276c7ab389c84504b23a79
Threat Level: Known bad
The file 2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
XMRig Miner payload
Cobaltstrike
xmrig
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-07 21:22
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-07 21:22
Reported
2024-08-07 21:24
Platform
win10v2004-20240802-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ZFbFNrl.exe | N/A |
| N/A | N/A | C:\Windows\System\jXFIDzq.exe | N/A |
| N/A | N/A | C:\Windows\System\DkZEdNl.exe | N/A |
| N/A | N/A | C:\Windows\System\GtXpmaL.exe | N/A |
| N/A | N/A | C:\Windows\System\ImQywtv.exe | N/A |
| N/A | N/A | C:\Windows\System\VisaCuv.exe | N/A |
| N/A | N/A | C:\Windows\System\DPrTxtD.exe | N/A |
| N/A | N/A | C:\Windows\System\QhhBMzn.exe | N/A |
| N/A | N/A | C:\Windows\System\Zxelqwc.exe | N/A |
| N/A | N/A | C:\Windows\System\fFuMtzc.exe | N/A |
| N/A | N/A | C:\Windows\System\UMwZQxG.exe | N/A |
| N/A | N/A | C:\Windows\System\hequdPE.exe | N/A |
| N/A | N/A | C:\Windows\System\XMngTdt.exe | N/A |
| N/A | N/A | C:\Windows\System\iWLkdOJ.exe | N/A |
| N/A | N/A | C:\Windows\System\MJIBtWh.exe | N/A |
| N/A | N/A | C:\Windows\System\xVDUbGI.exe | N/A |
| N/A | N/A | C:\Windows\System\RwpkHIl.exe | N/A |
| N/A | N/A | C:\Windows\System\lckuBDC.exe | N/A |
| N/A | N/A | C:\Windows\System\kxYOpSR.exe | N/A |
| N/A | N/A | C:\Windows\System\fSbfqpv.exe | N/A |
| N/A | N/A | C:\Windows\System\gvRdjoO.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\ZFbFNrl.exe
C:\Windows\System\jXFIDzq.exe
C:\Windows\System\DkZEdNl.exe
C:\Windows\System\GtXpmaL.exe
C:\Windows\System\ImQywtv.exe
C:\Windows\System\VisaCuv.exe
C:\Windows\System\DPrTxtD.exe
C:\Windows\System\Zxelqwc.exe
C:\Windows\System\QhhBMzn.exe
C:\Windows\System\fFuMtzc.exe
C:\Windows\System\UMwZQxG.exe
C:\Windows\System\hequdPE.exe
C:\Windows\System\XMngTdt.exe
C:\Windows\System\iWLkdOJ.exe
C:\Windows\System\RwpkHIl.exe
C:\Windows\System\MJIBtWh.exe
C:\Windows\System\xVDUbGI.exe
C:\Windows\System\lckuBDC.exe
C:\Windows\System\kxYOpSR.exe
C:\Windows\System\fSbfqpv.exe
C:\Windows\System\gvRdjoO.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-07 21:22
Reported
2024-08-07 21:24
Platform
win7-20240708-en
Max time kernel
141s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\WVHaDQt.exe | N/A |
| N/A | N/A | C:\Windows\System\PoLAAQB.exe | N/A |
| N/A | N/A | C:\Windows\System\csxZMCi.exe | N/A |
| N/A | N/A | C:\Windows\System\gutXRzS.exe | N/A |
| N/A | N/A | C:\Windows\System\sDbDaTs.exe | N/A |
| N/A | N/A | C:\Windows\System\TQNmgNj.exe | N/A |
| N/A | N/A | C:\Windows\System\teujFDu.exe | N/A |
| N/A | N/A | C:\Windows\System\Hilptlz.exe | N/A |
| N/A | N/A | C:\Windows\System\Oxiefhl.exe | N/A |
| N/A | N/A | C:\Windows\System\TWkDkvz.exe | N/A |
| N/A | N/A | C:\Windows\System\qAQBdKL.exe | N/A |
| N/A | N/A | C:\Windows\System\hDvEphV.exe | N/A |
| N/A | N/A | C:\Windows\System\QEXUrYH.exe | N/A |
| N/A | N/A | C:\Windows\System\NQGFXjv.exe | N/A |
| N/A | N/A | C:\Windows\System\SQFmEtJ.exe | N/A |
| N/A | N/A | C:\Windows\System\DdTxmnf.exe | N/A |
| N/A | N/A | C:\Windows\System\oMxdFld.exe | N/A |
| N/A | N/A | C:\Windows\System\ngFulew.exe | N/A |
| N/A | N/A | C:\Windows\System\zPYJqsA.exe | N/A |
| N/A | N/A | C:\Windows\System\PatBCtr.exe | N/A |
| N/A | N/A | C:\Windows\System\UBJGbdq.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_8a140827fa2626ef6bba6b213feae955_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\WVHaDQt.exe
C:\Windows\System\PoLAAQB.exe
C:\Windows\System\csxZMCi.exe
C:\Windows\System\gutXRzS.exe
C:\Windows\System\sDbDaTs.exe
C:\Windows\System\TQNmgNj.exe
C:\Windows\System\teujFDu.exe
C:\Windows\System\Hilptlz.exe
C:\Windows\System\Oxiefhl.exe
C:\Windows\System\TWkDkvz.exe
C:\Windows\System\qAQBdKL.exe
C:\Windows\System\hDvEphV.exe
C:\Windows\System\QEXUrYH.exe
C:\Windows\System\NQGFXjv.exe
C:\Windows\System\SQFmEtJ.exe
C:\Windows\System\DdTxmnf.exe
C:\Windows\System\oMxdFld.exe
C:\Windows\System\ngFulew.exe
C:\Windows\System\zPYJqsA.exe
C:\Windows\System\PatBCtr.exe
C:\Windows\System\UBJGbdq.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
| SHA512 | 86bd25ab51dd289aea0859b210af7785304f0ad1ad28a411c2fcf277644fc6597e21313ff74cd69c5d1e6e027c6a3f4dcf8ec6b069c10e9a8184ca3295a59b8d |
memory/2548-38-0x000000013F620000-0x000000013F971000-memory.dmp
C:\Windows\system\teujFDu.exe
| MD5 | 6843e7dff61eb914b2a58c40cfae162a |
| SHA1 | 78c59c5aed1b0ceb1aaf09d4d7662f7c1e3e9f14 |
| SHA256 | 7ab47ffeb1dd983af1673de7d8bff4619c9f82d81c073e0fc69037b107c1e954 |
| SHA512 | ec73df2897dfd4349876b1f4bf30f6c4bd122a4d709e63674faaa1c450c1f9802ebc9ea0d915e9b969462c0d45f6cb1c671b7711dddfdb86f7b9757c9421648a |
C:\Windows\system\ngFulew.exe
| MD5 | 1aa3d7d5702a87d22362e6a337b732b5 |
| SHA1 | 8c1c1cbf7abb9c9144466cafe6cdca67760c01b3 |
| SHA256 | e0f954acbc95db1f18baa8da8c5cee87f6d2828715fd444e7a969e3bb2cba376 |
| SHA512 | 8e737e11f7be1501ab1882bd8004bdd7aa9356dd646a46840f2a074547c85d00b4ec16a99a71ed09370e08edceaf0a7aecee51d89991952200ddcbff0f2ad606 |
C:\Windows\system\PatBCtr.exe
| MD5 | 59beac1731ff67db66013d7ce515f6c1 |
| SHA1 | c699ac1f4d4237f9ae859aeac8563743fcb025a8 |
| SHA256 | 9d28d798e0396d962e5a423ff5ea162fa960c993a000df61d7b899609690889d |
| SHA512 | c90f19d579878ef228722130809cba7599b02113c1214137c7a31226bacf7f0c757dcaf4484478be4d1e58776f65f11670e89822e7904ddf72758d389252db5a |
\Windows\system\UBJGbdq.exe
| MD5 | 784af4c3429b445eceb70310e3cd381d |
| SHA1 | 688cc40698b88dff5abbcf5011a5bae1c92e5b69 |
| SHA256 | bff248741ff3491bc0e72beef1287819dd35f14e574ae7e6ea2337cd64d8340d |
| SHA512 | 20a8e555a6c8469fdeabd2fbdd5249de4add83e70e7660d0d7aa190b54ec515f6ac2cbed22a66c988c96623f45fde70af3ced98b4ef9afa2e93e802c9fcc62d3 |
C:\Windows\system\zPYJqsA.exe
| MD5 | d22dab7225eca05dab9c3b59170accbb |
| SHA1 | 28f86f35d639be5b1180ccc303f2c9135e9363d3 |
| SHA256 | 56d9343bce2405447261dd50bcd414eb7f60599bf4e51c5a8d8fc63be6e22d5b |
| SHA512 | 1aa986ca9760fcd4875f0d57caa17b25a5c5cd328f42649ee60b8cc5a0769c6117530510c09ae51866bf995e450c89e38caa1cc1c0a78b2de2b2e8e5cd2c399c |
memory/2052-134-0x000000013F760000-0x000000013FAB1000-memory.dmp
memory/2052-135-0x000000013F760000-0x000000013FAB1000-memory.dmp
memory/2252-151-0x000000013F900000-0x000000013FC51000-memory.dmp
memory/1140-150-0x000000013FF20000-0x0000000140271000-memory.dmp
memory/2740-143-0x000000013F390000-0x000000013F6E1000-memory.dmp
memory/2548-140-0x000000013F620000-0x000000013F971000-memory.dmp
memory/2984-139-0x000000013FA60000-0x000000013FDB1000-memory.dmp
memory/2960-138-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/2464-149-0x000000013FAC0000-0x000000013FE11000-memory.dmp
memory/1968-152-0x000000013F340000-0x000000013F691000-memory.dmp
memory/2052-157-0x00000000021C0000-0x0000000002511000-memory.dmp
memory/1204-156-0x000000013FF90000-0x00000001402E1000-memory.dmp
memory/2416-155-0x000000013F420000-0x000000013F771000-memory.dmp
memory/1280-154-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/2636-153-0x000000013FB90000-0x000000013FEE1000-memory.dmp
memory/2052-158-0x000000013F760000-0x000000013FAB1000-memory.dmp
memory/2360-209-0x000000013F810000-0x000000013FB61000-memory.dmp
memory/2844-211-0x000000013FF40000-0x0000000140291000-memory.dmp
memory/2960-213-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/2984-215-0x000000013FA60000-0x000000013FDB1000-memory.dmp
memory/2548-217-0x000000013F620000-0x000000013F971000-memory.dmp
memory/2868-219-0x000000013F880000-0x000000013FBD1000-memory.dmp
memory/3016-225-0x000000013F220000-0x000000013F571000-memory.dmp
memory/2976-228-0x000000013F2F0000-0x000000013F641000-memory.dmp
memory/2740-230-0x000000013F390000-0x000000013F6E1000-memory.dmp
memory/2732-223-0x000000013FA70000-0x000000013FDC1000-memory.dmp
memory/2724-222-0x000000013FA10000-0x000000013FD61000-memory.dmp
memory/2256-232-0x000000013F6C0000-0x000000013FA11000-memory.dmp
memory/2144-234-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/2464-237-0x000000013FAC0000-0x000000013FE11000-memory.dmp