Analysis Overview
SHA256
ff60204746603020701de89c59b2e5fe645cd74d9e384f5b911ceef620c0fa48
Threat Level: Known bad
The file 2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobaltstrike
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-13 12:06
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 12:06
Reported
2024-08-13 12:08
Platform
win7-20240705-en
Max time kernel
140s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\IGtTain.exe | N/A |
| N/A | N/A | C:\Windows\System\vAGaira.exe | N/A |
| N/A | N/A | C:\Windows\System\NKXQgdE.exe | N/A |
| N/A | N/A | C:\Windows\System\KEBUKbw.exe | N/A |
| N/A | N/A | C:\Windows\System\DuZOvLc.exe | N/A |
| N/A | N/A | C:\Windows\System\vDnMyUB.exe | N/A |
| N/A | N/A | C:\Windows\System\cxZvpfN.exe | N/A |
| N/A | N/A | C:\Windows\System\qFmMGwi.exe | N/A |
| N/A | N/A | C:\Windows\System\PioGgfk.exe | N/A |
| N/A | N/A | C:\Windows\System\PeSzhup.exe | N/A |
| N/A | N/A | C:\Windows\System\nnAVGAq.exe | N/A |
| N/A | N/A | C:\Windows\System\dgIHHBW.exe | N/A |
| N/A | N/A | C:\Windows\System\ERrDWNv.exe | N/A |
| N/A | N/A | C:\Windows\System\eraujBj.exe | N/A |
| N/A | N/A | C:\Windows\System\bVBvEDl.exe | N/A |
| N/A | N/A | C:\Windows\System\jvIuiuC.exe | N/A |
| N/A | N/A | C:\Windows\System\VbRDnvM.exe | N/A |
| N/A | N/A | C:\Windows\System\RqSnwoi.exe | N/A |
| N/A | N/A | C:\Windows\System\qydxbtB.exe | N/A |
| N/A | N/A | C:\Windows\System\ogzKPRM.exe | N/A |
| N/A | N/A | C:\Windows\System\wvJzbhw.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\IGtTain.exe | C:\Windows\System\IGtTain.exe |
| C:\Windows\System\vAGaira.exe | C:\Windows\System\vAGaira.exe |
| C:\Windows\System\NKXQgdE.exe | C:\Windows\System\NKXQgdE.exe |
| C:\Windows\System\vDnMyUB.exe | C:\Windows\System\vDnMyUB.exe |
| C:\Windows\System\KEBUKbw.exe | C:\Windows\System\KEBUKbw.exe |
| C:\Windows\System\cxZvpfN.exe | C:\Windows\System\cxZvpfN.exe |
| C:\Windows\System\DuZOvLc.exe | C:\Windows\System\DuZOvLc.exe |
| C:\Windows\System\qFmMGwi.exe | C:\Windows\System\qFmMGwi.exe |
| C:\Windows\System\PioGgfk.exe | C:\Windows\System\PioGgfk.exe |
| C:\Windows\System\PeSzhup.exe | C:\Windows\System\PeSzhup.exe |
| C:\Windows\System\nnAVGAq.exe | C:\Windows\System\nnAVGAq.exe |
| C:\Windows\System\dgIHHBW.exe | C:\Windows\System\dgIHHBW.exe |
| C:\Windows\System\ERrDWNv.exe | C:\Windows\System\ERrDWNv.exe |
| C:\Windows\System\eraujBj.exe | C:\Windows\System\eraujBj.exe |
| C:\Windows\System\bVBvEDl.exe | C:\Windows\System\bVBvEDl.exe |
| C:\Windows\System\jvIuiuC.exe | C:\Windows\System\jvIuiuC.exe |
| C:\Windows\System\VbRDnvM.exe | C:\Windows\System\VbRDnvM.exe |
| C:\Windows\System\RqSnwoi.exe | C:\Windows\System\RqSnwoi.exe |
| C:\Windows\System\qydxbtB.exe | C:\Windows\System\qydxbtB.exe |
| C:\Windows\System\ogzKPRM.exe | C:\Windows\System\ogzKPRM.exe |
| C:\Windows\System\wvJzbhw.exe | C:\Windows\System\wvJzbhw.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\system\IGtTain.exe
| MD5 | edd5a92da720d2fedeaf2b5bc7c01951 |
| SHA1 | bf8cec8933236e16c868d6b9538bfd1f6e6f6167 |
| SHA256 | c0ad55af1e740ee7e75c8f6e8f9953e734ccf2832883a45f05bd8d7c9b8381a2 |
| SHA512 | 61aedcd17a617e0085667440f883b073b4cdd4797d73f7848f06f100ddb3fb5144bf70a71813726311294edb1aea658d8fe3d2ac45d1e221a6215af1b3322ff3 |
\Windows\system\vAGaira.exe
| MD5 | 5792afdac2c72de69d402b54f02bdba5 |
| SHA1 | d6ac4bcf1505e12793b82575f126f2050e204560 |
| SHA256 | 068eb8d39221c89d7bfac80e2acac8607bc356e48d3da9a1aac8fec9a6e4cdca |
| SHA512 | bdc81b56d0efbc21c8c849beb1c4bb7335c60af715e29420e1c96baeed61044513ba75de9853c2c43c0a226e2d53d93e2953cbbee0b538527d52367199fe7d27 |
\Windows\system\DuZOvLc.exe
| MD5 | d8cd8b51ce5b9dc8ae3ee4803b3c02e5 |
| SHA1 | 609561f390297deeafceac958d37745013433028 |
| SHA256 | 669a21b1a0b07aeb94380d7e0ec64f8de717dac1a87ca455a6cdff9e64cdb371 |
| SHA512 | 26a78ea726c93a41ddad7511c452898f6cdd2f137d109bbc6bc6665340472318f4ce39dfed3c9c9d8a26b37824b6d81e966e06f76659d59cdfda19145d8ddd98 |
C:\Windows\system\PioGgfk.exe
| MD5 | 88b83c87c03a59129dd6fea9cc37e122 |
| SHA1 | 737a6980a34e7b3c4f734b4e05313ba76bec561d |
| SHA256 | 2b76a28f15b9438054429bee1468d2cd1e99cc67127b38d66dc5d278151c8dda |
| SHA512 | f29920fc7d856c16e4f4202a55d9d2974989f0ca98ace0fa7fb20b86546777ea57091d1695157964a782d2cae5b0accfd75d983f345712efcc4a7eb61a03ce90 |
C:\Windows\system\PeSzhup.exe
| MD5 | 1748191102891a33fedbaacb47280833 |
| SHA1 | 0085a25cc480a54c438b89667537abf6b72e0b3e |
| SHA256 | 0b49293d77395cfee6034cbce75f1e914c60dc0277bfb48c04d0121c57efb575 |
| SHA512 | c612c205b9e0b370a285b1ec68b286f1ee2a5c81eac200f6d998159a74c7c594f0b1b74e2a024e4a341da726aa1f494b690b02afe077899c1b4859f31f89e116 |
C:\Windows\system\nnAVGAq.exe
| MD5 | c440ab0fd8586b63b80dbd1f1d4d15d2 |
| SHA1 | 6bb0e26c8a3b01b62d2aafe7eb047379f2398236 |
| SHA256 | db40624ec63d15e95f0c543ecde35c7bb3591301035425a2873463308e1a29bc |
| SHA512 | 4b45736f534ad25524d4f6403cf84a2dcaa88a3fe926799fea282c0810cb587695552f92d551fc428ee916d6999e04d39b0a11cfc8a5aee916b7dbbbd93f4cfd |
C:\Windows\system\dgIHHBW.exe
| MD5 | 030508abefb63b213d61438e5bd098e5 |
| SHA1 | 49ac5535b8da05a83f825271c0c102c17e925412 |
| SHA256 | 143ec251ff7dfab91303ad99067d59d4a10dbe8fb5da248da90391329f50e5ed |
| SHA512 | 4ad9cda070f1734fcb59330c72d5fe88d09c65368b7a143f8f4e3bc8219801be9a7f46dd57d46e0923d9515f52e68ce5e04ab37047de7a01c95e0ee3fd5bdf1e |
C:\Windows\system\eraujBj.exe
| MD5 | da1ed6ec943426e6a3b9a5fb8c1f3b7d |
| SHA1 | 3cb69be5dd2c4aa31b982787d15bda49f0ba10e8 |
| SHA256 | 9211f4e37018356115d8ab5a0eecad391ee088fa854f1df559eeaf15fdc78c49 |
| SHA512 | 983bce040277b566bafa14dd3735a92c9a1021dc0d1e765b0664b1fb54ff03830b788eb28c59e586fb4211f76f40cd349a900be4f00c76886942cfde851c88dc |
C:\Windows\system\bVBvEDl.exe
| MD5 | 00ef40fff59921117f517a6ee4b82394 |
| SHA1 | fcb2d521cdbf7cc515219efdaa399abfdccdfa0b |
| SHA256 | 3e882acdad555c023c2d2f85d16345696c53d6eb093b182918fd01781a1eb43c |
| SHA512 | 941eca7c510d7f04dd6d2890e48479d356fe60d44f126f0d77bd21f703e4a19fbcc0b8278e6150ff34c1be1eab76debeb5648148994863496eb7659606e90ae5 |
C:\Windows\system\jvIuiuC.exe
| MD5 | 2ef8b2eed2d354ce6c3f7ffb1314bc2f |
| SHA1 | 68ea8491b39a355381308655de0c077cae8966a2 |
| SHA256 | ea96e5a2bf18cb9ca49715eb3e0b4e1d33c4c569fd3fcb7e439731149bda252f |
| SHA512 | 09b4fc85f86f39a91d2b654c0a993b9a96f7ecb918d6105f2d09f3326f7ac5bf3d9bf2cc41415db8d6ae76476c3818c217bcda324bbf0cfdb70cc28e2bb7bba7 |
C:\Windows\system\qydxbtB.exe
| MD5 | 3d1bf965d380e1658f1ce8aa757fc252 |
| SHA1 | c326a80e6f296ecc6b76897241a4889f3721820a |
| SHA256 | 27188ed5d558e49f381d236f278f4bac2b7f781bcc376faebde17b0974c28cd0 |
| SHA512 | f710b47e2d1b7b84b02c993531079f6f822800090792b8b909ada512d31eb8891d49f099846cb40ce598279108034083f5d69a02508845cb4d802c6d22aa3637 |
C:\Windows\system\ogzKPRM.exe
| MD5 | d5c76ea2aa6eafc8df041619882d2270 |
| SHA1 | 3730c457478ca5882cc23fa96436b8ffe50e1bc7 |
| SHA256 | a91bb7d6d85d6840f1e66a221488a2230b2ec233e48ecc6b4e7dfc5fa998354d |
| SHA512 | 8a67d99ba5b20d430d98f3d2cc11d803c808ed31cbe1db554793978b922a8615600a40263dadd00f9a7d3c08ccff405f078062375fb77fc19499a6ae3534d77c |
C:\Windows\system\wvJzbhw.exe
| MD5 | 393943b069ed7fccaea948dd5946523c |
| SHA1 | 2b0926b73c923c380c8beb54ac24464fef93a577 |
| SHA256 | 405c7b9794f13d49e9a288b7e64051526593776ef8da31be5897b272377eb173 |
| SHA512 | 5872b671db436d44d8e5bb8d9cea42b190ac74b261f504bc063f5bc3ee34a38a3a7998e297e290849b3b9b81388216eb3f01692bf543fb9be31808eb75de4672 |
C:\Windows\system\RqSnwoi.exe
| MD5 | 5432c4ecca284b6fb0d00c0e8a59b409 |
| SHA1 | dc8e64f852ab3d4a25a9236dd297ee6d973d20b4 |
| SHA256 | c8fe2f559fa32de5ba1868b8e9e22dba16177f4da77863b6e868846ce30b01a4 |
| SHA512 | 66debb9a0076898191e330dbf12d21e5d1731f8df3e430024d6e2fa53ae39d7b9bf31fc4c856c5f231f497e5dc245f17883b1dd6ad453f0e8077d875d6e22c9f |
C:\Windows\system\VbRDnvM.exe
| MD5 | 303e2976d3fcb24cf149a784f86fcecf |
| SHA1 | 8d3d60a87e190eeee06170b03078b8f55c6988ed |
| SHA256 | 5de951b7b8191bd6f6cdf92fb908362bd8899b044011dedbfd403e01ceb2be1f |
| SHA512 | aef0710ec3e1b757a8434f5fbc9da09edca587f2ca8ff461560624dd45e0e806ca4a6705affc2d275cd87a0e883682251f2cc42ad3e913ba689bda9d09d4467e |
C:\Windows\system\ERrDWNv.exe
| MD5 | 695a5a092f766e0f08f8c2c04713252a |
| SHA1 | dfa6564f91fb409a0ebaa3e28ce7b01cb9230ed5 |
| SHA256 | 272dcefb45a461f3f446edb963538eebaae24ab84c11b9beea150fce7c0cfb05 |
| SHA512 | fd6b6dee748990d7b82dec9f66a035407bd88b2870b7f14ddeb7ed9bce76fca439a119cdc0f6963651de2ffd258cfe67e2ac7aa5db8b9137c5a901d4ea0aafaa |
C:\Windows\system\qFmMGwi.exe
| MD5 | cbe09f0d9c3ac0bb426fb56e5ed97cb0 |
| SHA1 | 553797f3578926524af4a7b9c6aa25281072cffd |
| SHA256 | d14845380022a7036db765e93a1bc0ded789c03d05e1e2f5b59f03d5c4dc0bbf |
| SHA512 | 063c2f89f892abeb9e899e7e111e418d43607984c260971e11999142492bfe4fa87c7414fd963f398aa62a0f6a1cbdb8768ade5e9b10269c68bb149a40c94237 |
C:\Windows\system\cxZvpfN.exe
| MD5 | 6c18142366d53bf83b94fc9a945365e5 |
| SHA1 | 18b406350438e378d4d388166b8c9f46f866193d |
| SHA256 | 1564bf3c0062edfb6a5f3518336555b461db8f001f60bf4630fb59a6455ebd3e |
| SHA512 | 7e8dd7e95d6ccec072487dd13c27cdebc117f59bd2e54c030b736a10d8b6c19b3fd58a9dfe9a2d9a3da6504cee5d7607e29166a7de7b971f78fd826db54ffdf4 |
C:\Windows\system\vDnMyUB.exe
| MD5 | ff46a37572e620536d9e6332e9bac1f5 |
| SHA1 | 8bf944cd917bc35a81cacbf513553f1bf5ca1604 |
| SHA256 | c605e740b0fb9e84c6c4d30bf103e8d2ecc55aba427911b78c994db8358d8750 |
| SHA512 | dfa8f5710941947c166ee8ecad58d8290da4c4d6d5ac2ab31206a38b8ec535b753c1a0f768207daa2b565b8e78285c4697bcdacc313c942f5fe273b8c3a3f675 |
C:\Windows\system\KEBUKbw.exe
| MD5 | a42259fe93f4aa01761bc38c9929845e |
| SHA1 | cb7cffaa3dd8f532af1ad3b7b6271066d08cfe66 |
| SHA256 | 3c6f719590e66619b3f3ceccbe1ea266f23117f1c5fbe4d06fc7f5de0d5496cf |
| SHA512 | ed6f51f3b7e25be410fd25e5cca733bdd7c36f1e4cdd3d253e6f523b3267d7a807a7573b999a9e92fb1b97117839706ffe44ae14527136813e9fb12bbe8b1033 |
C:\Windows\system\NKXQgdE.exe
| MD5 | 9bbc61bc83471e0bad79ec1607d78033 |
| SHA1 | 75e7cd3101ae13f0ed0cefcafe558d1afcf8c441 |
| SHA256 | 3b94eeb0c4a93f0fedf8ab794ab7078089cfba4db9b5612662ada3b75293d9c5 |
| SHA512 | c5fd62404e5b6d20c166cfb99d56c8f12206a57e387ba7878eb940c9473684ef23a7fd61f391908f317801721752647811dd1dd306d115823fc4a429cce2f739 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 12:06
Reported
2024-08-13 12:08
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\IGtTain.exe | N/A |
| N/A | N/A | C:\Windows\System\vAGaira.exe | N/A |
| N/A | N/A | C:\Windows\System\NKXQgdE.exe | N/A |
| N/A | N/A | C:\Windows\System\vDnMyUB.exe | N/A |
| N/A | N/A | C:\Windows\System\KEBUKbw.exe | N/A |
| N/A | N/A | C:\Windows\System\cxZvpfN.exe | N/A |
| N/A | N/A | C:\Windows\System\DuZOvLc.exe | N/A |
| N/A | N/A | C:\Windows\System\qFmMGwi.exe | N/A |
| N/A | N/A | C:\Windows\System\PioGgfk.exe | N/A |
| N/A | N/A | C:\Windows\System\PeSzhup.exe | N/A |
| N/A | N/A | C:\Windows\System\nnAVGAq.exe | N/A |
| N/A | N/A | C:\Windows\System\dgIHHBW.exe | N/A |
| N/A | N/A | C:\Windows\System\ERrDWNv.exe | N/A |
| N/A | N/A | C:\Windows\System\eraujBj.exe | N/A |
| N/A | N/A | C:\Windows\System\bVBvEDl.exe | N/A |
| N/A | N/A | C:\Windows\System\jvIuiuC.exe | N/A |
| N/A | N/A | C:\Windows\System\VbRDnvM.exe | N/A |
| N/A | N/A | C:\Windows\System\RqSnwoi.exe | N/A |
| N/A | N/A | C:\Windows\System\qydxbtB.exe | N/A |
| N/A | N/A | C:\Windows\System\ogzKPRM.exe | N/A |
| N/A | N/A | C:\Windows\System\wvJzbhw.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-13_fa5fa9a176538816864ec5010960b782_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\IGtTain.exe | C:\Windows\System\IGtTain.exe |
| C:\Windows\System\vAGaira.exe | C:\Windows\System\vAGaira.exe |
| C:\Windows\System\NKXQgdE.exe | C:\Windows\System\NKXQgdE.exe |
| C:\Windows\System\vDnMyUB.exe | C:\Windows\System\vDnMyUB.exe |
| C:\Windows\System\KEBUKbw.exe | C:\Windows\System\KEBUKbw.exe |
| C:\Windows\System\cxZvpfN.exe | C:\Windows\System\cxZvpfN.exe |
| C:\Windows\System\DuZOvLc.exe | C:\Windows\System\DuZOvLc.exe |
| C:\Windows\System\qFmMGwi.exe | C:\Windows\System\qFmMGwi.exe |
| C:\Windows\System\PioGgfk.exe | C:\Windows\System\PioGgfk.exe |
| C:\Windows\System\PeSzhup.exe | C:\Windows\System\PeSzhup.exe |
| C:\Windows\System\nnAVGAq.exe | C:\Windows\System\nnAVGAq.exe |
| C:\Windows\System\dgIHHBW.exe | C:\Windows\System\dgIHHBW.exe |
| C:\Windows\System\ERrDWNv.exe | C:\Windows\System\ERrDWNv.exe |
| C:\Windows\System\eraujBj.exe | C:\Windows\System\eraujBj.exe |
| C:\Windows\System\bVBvEDl.exe | C:\Windows\System\bVBvEDl.exe |
| C:\Windows\System\jvIuiuC.exe | C:\Windows\System\jvIuiuC.exe |
| C:\Windows\System\VbRDnvM.exe | C:\Windows\System\VbRDnvM.exe |
| C:\Windows\System\RqSnwoi.exe | C:\Windows\System\RqSnwoi.exe |
| C:\Windows\System\qydxbtB.exe | C:\Windows\System\qydxbtB.exe |
| C:\Windows\System\ogzKPRM.exe | C:\Windows\System\ogzKPRM.exe |
| C:\Windows\System\wvJzbhw.exe | C:\Windows\System\wvJzbhw.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\IGtTain.exe
| MD5 | edd5a92da720d2fedeaf2b5bc7c01951 |
| SHA1 | bf8cec8933236e16c868d6b9538bfd1f6e6f6167 |
| SHA256 | c0ad55af1e740ee7e75c8f6e8f9953e734ccf2832883a45f05bd8d7c9b8381a2 |
| SHA512 | 61aedcd17a617e0085667440f883b073b4cdd4797d73f7848f06f100ddb3fb5144bf70a71813726311294edb1aea658d8fe3d2ac45d1e221a6215af1b3322ff3 |
C:\Windows\System\vAGaira.exe
| MD5 | 5792afdac2c72de69d402b54f02bdba5 |
| SHA1 | d6ac4bcf1505e12793b82575f126f2050e204560 |
| SHA256 | 068eb8d39221c89d7bfac80e2acac8607bc356e48d3da9a1aac8fec9a6e4cdca |
| SHA512 | bdc81b56d0efbc21c8c849beb1c4bb7335c60af715e29420e1c96baeed61044513ba75de9853c2c43c0a226e2d53d93e2953cbbee0b538527d52367199fe7d27 |
C:\Windows\System\NKXQgdE.exe
| MD5 | 9bbc61bc83471e0bad79ec1607d78033 |
| SHA1 | 75e7cd3101ae13f0ed0cefcafe558d1afcf8c441 |
| SHA256 | 3b94eeb0c4a93f0fedf8ab794ab7078089cfba4db9b5612662ada3b75293d9c5 |
| SHA512 | c5fd62404e5b6d20c166cfb99d56c8f12206a57e387ba7878eb940c9473684ef23a7fd61f391908f317801721752647811dd1dd306d115823fc4a429cce2f739 |
C:\Windows\System\KEBUKbw.exe
| MD5 | a42259fe93f4aa01761bc38c9929845e |
| SHA1 | cb7cffaa3dd8f532af1ad3b7b6271066d08cfe66 |
| SHA256 | 3c6f719590e66619b3f3ceccbe1ea266f23117f1c5fbe4d06fc7f5de0d5496cf |
| SHA512 | ed6f51f3b7e25be410fd25e5cca733bdd7c36f1e4cdd3d253e6f523b3267d7a807a7573b999a9e92fb1b97117839706ffe44ae14527136813e9fb12bbe8b1033 |
C:\Windows\System\cxZvpfN.exe
| MD5 | 6c18142366d53bf83b94fc9a945365e5 |
| SHA1 | 18b406350438e378d4d388166b8c9f46f866193d |
| SHA256 | 1564bf3c0062edfb6a5f3518336555b461db8f001f60bf4630fb59a6455ebd3e |
| SHA512 | 7e8dd7e95d6ccec072487dd13c27cdebc117f59bd2e54c030b736a10d8b6c19b3fd58a9dfe9a2d9a3da6504cee5d7607e29166a7de7b971f78fd826db54ffdf4 |
C:\Windows\System\vDnMyUB.exe
| MD5 | ff46a37572e620536d9e6332e9bac1f5 |
| SHA1 | 8bf944cd917bc35a81cacbf513553f1bf5ca1604 |
| SHA256 | c605e740b0fb9e84c6c4d30bf103e8d2ecc55aba427911b78c994db8358d8750 |
| SHA512 | dfa8f5710941947c166ee8ecad58d8290da4c4d6d5ac2ab31206a38b8ec535b753c1a0f768207daa2b565b8e78285c4697bcdacc313c942f5fe273b8c3a3f675 |
C:\Windows\System\DuZOvLc.exe
| MD5 | d8cd8b51ce5b9dc8ae3ee4803b3c02e5 |
| SHA1 | 609561f390297deeafceac958d37745013433028 |
| SHA256 | 669a21b1a0b07aeb94380d7e0ec64f8de717dac1a87ca455a6cdff9e64cdb371 |
| SHA512 | 26a78ea726c93a41ddad7511c452898f6cdd2f137d109bbc6bc6665340472318f4ce39dfed3c9c9d8a26b37824b6d81e966e06f76659d59cdfda19145d8ddd98 |
C:\Windows\System\qFmMGwi.exe
| MD5 | cbe09f0d9c3ac0bb426fb56e5ed97cb0 |
| SHA1 | 553797f3578926524af4a7b9c6aa25281072cffd |
| SHA256 | d14845380022a7036db765e93a1bc0ded789c03d05e1e2f5b59f03d5c4dc0bbf |
| SHA512 | 063c2f89f892abeb9e899e7e111e418d43607984c260971e11999142492bfe4fa87c7414fd963f398aa62a0f6a1cbdb8768ade5e9b10269c68bb149a40c94237 |
C:\Windows\System\PioGgfk.exe
| MD5 | 88b83c87c03a59129dd6fea9cc37e122 |
| SHA1 | 737a6980a34e7b3c4f734b4e05313ba76bec561d |
| SHA256 | 2b76a28f15b9438054429bee1468d2cd1e99cc67127b38d66dc5d278151c8dda |
| SHA512 | f29920fc7d856c16e4f4202a55d9d2974989f0ca98ace0fa7fb20b86546777ea57091d1695157964a782d2cae5b0accfd75d983f345712efcc4a7eb61a03ce90 |
C:\Windows\System\PeSzhup.exe
| MD5 | 1748191102891a33fedbaacb47280833 |
| SHA1 | 0085a25cc480a54c438b89667537abf6b72e0b3e |
| SHA256 | 0b49293d77395cfee6034cbce75f1e914c60dc0277bfb48c04d0121c57efb575 |
| SHA512 | c612c205b9e0b370a285b1ec68b286f1ee2a5c81eac200f6d998159a74c7c594f0b1b74e2a024e4a341da726aa1f494b690b02afe077899c1b4859f31f89e116 |
C:\Windows\System\bVBvEDl.exe
| MD5 | 00ef40fff59921117f517a6ee4b82394 |
| SHA1 | fcb2d521cdbf7cc515219efdaa399abfdccdfa0b |
| SHA256 | 3e882acdad555c023c2d2f85d16345696c53d6eb093b182918fd01781a1eb43c |
| SHA512 | 941eca7c510d7f04dd6d2890e48479d356fe60d44f126f0d77bd21f703e4a19fbcc0b8278e6150ff34c1be1eab76debeb5648148994863496eb7659606e90ae5 |
C:\Windows\System\jvIuiuC.exe
| MD5 | 2ef8b2eed2d354ce6c3f7ffb1314bc2f |
| SHA1 | 68ea8491b39a355381308655de0c077cae8966a2 |
| SHA256 | ea96e5a2bf18cb9ca49715eb3e0b4e1d33c4c569fd3fcb7e439731149bda252f |
| SHA512 | 09b4fc85f86f39a91d2b654c0a993b9a96f7ecb918d6105f2d09f3326f7ac5bf3d9bf2cc41415db8d6ae76476c3818c217bcda324bbf0cfdb70cc28e2bb7bba7 |
C:\Windows\System\RqSnwoi.exe
| MD5 | 5432c4ecca284b6fb0d00c0e8a59b409 |
| SHA1 | dc8e64f852ab3d4a25a9236dd297ee6d973d20b4 |
| SHA256 | c8fe2f559fa32de5ba1868b8e9e22dba16177f4da77863b6e868846ce30b01a4 |
| SHA512 | 66debb9a0076898191e330dbf12d21e5d1731f8df3e430024d6e2fa53ae39d7b9bf31fc4c856c5f231f497e5dc245f17883b1dd6ad453f0e8077d875d6e22c9f |
memory/5060-114-0x00007FF717DC0000-0x00007FF718111000-memory.dmp
memory/1544-118-0x00007FF61BCC0000-0x00007FF61C011000-memory.dmp
memory/3352-128-0x00007FF75CB40000-0x00007FF75CE91000-memory.dmp
memory/3232-129-0x00007FF6DD490000-0x00007FF6DD7E1000-memory.dmp
memory/3704-127-0x00007FF78B030000-0x00007FF78B381000-memory.dmp
memory/2524-126-0x00007FF65F640000-0x00007FF65F991000-memory.dmp
C:\Windows\System\wvJzbhw.exe
| MD5 | 393943b069ed7fccaea948dd5946523c |
| SHA1 | 2b0926b73c923c380c8beb54ac24464fef93a577 |
| SHA256 | 405c7b9794f13d49e9a288b7e64051526593776ef8da31be5897b272377eb173 |
| SHA512 | 5872b671db436d44d8e5bb8d9cea42b190ac74b261f504bc063f5bc3ee34a38a3a7998e297e290849b3b9b81388216eb3f01692bf543fb9be31808eb75de4672 |
C:\Windows\System\ogzKPRM.exe
| MD5 | d5c76ea2aa6eafc8df041619882d2270 |
| SHA1 | 3730c457478ca5882cc23fa96436b8ffe50e1bc7 |
| SHA256 | a91bb7d6d85d6840f1e66a221488a2230b2ec233e48ecc6b4e7dfc5fa998354d |
| SHA512 | 8a67d99ba5b20d430d98f3d2cc11d803c808ed31cbe1db554793978b922a8615600a40263dadd00f9a7d3c08ccff405f078062375fb77fc19499a6ae3534d77c |
memory/4320-120-0x00007FF60CD40000-0x00007FF60D091000-memory.dmp
C:\Windows\System\qydxbtB.exe
| MD5 | 3d1bf965d380e1658f1ce8aa757fc252 |
| SHA1 | c326a80e6f296ecc6b76897241a4889f3721820a |
| SHA256 | 27188ed5d558e49f381d236f278f4bac2b7f781bcc376faebde17b0974c28cd0 |
| SHA512 | f710b47e2d1b7b84b02c993531079f6f822800090792b8b909ada512d31eb8891d49f099846cb40ce598279108034083f5d69a02508845cb4d802c6d22aa3637 |
memory/232-109-0x00007FF74DBA0000-0x00007FF74DEF1000-memory.dmp
C:\Windows\System\VbRDnvM.exe
| MD5 | 303e2976d3fcb24cf149a784f86fcecf |
| SHA1 | 8d3d60a87e190eeee06170b03078b8f55c6988ed |
| SHA256 | 5de951b7b8191bd6f6cdf92fb908362bd8899b044011dedbfd403e01ceb2be1f |
| SHA512 | aef0710ec3e1b757a8434f5fbc9da09edca587f2ca8ff461560624dd45e0e806ca4a6705affc2d275cd87a0e883682251f2cc42ad3e913ba689bda9d09d4467e |
memory/2124-99-0x00007FF7228C0000-0x00007FF722C11000-memory.dmp
C:\Windows\System\ERrDWNv.exe
| MD5 | 695a5a092f766e0f08f8c2c04713252a |
| SHA1 | dfa6564f91fb409a0ebaa3e28ce7b01cb9230ed5 |
| SHA256 | 272dcefb45a461f3f446edb963538eebaae24ab84c11b9beea150fce7c0cfb05 |
| SHA512 | fd6b6dee748990d7b82dec9f66a035407bd88b2870b7f14ddeb7ed9bce76fca439a119cdc0f6963651de2ffd258cfe67e2ac7aa5db8b9137c5a901d4ea0aafaa |
memory/4176-94-0x00007FF65C430000-0x00007FF65C781000-memory.dmp
C:\Windows\System\eraujBj.exe
| MD5 | da1ed6ec943426e6a3b9a5fb8c1f3b7d |
| SHA1 | 3cb69be5dd2c4aa31b982787d15bda49f0ba10e8 |
| SHA256 | 9211f4e37018356115d8ab5a0eecad391ee088fa854f1df559eeaf15fdc78c49 |
| SHA512 | 983bce040277b566bafa14dd3735a92c9a1021dc0d1e765b0664b1fb54ff03830b788eb28c59e586fb4211f76f40cd349a900be4f00c76886942cfde851c88dc |
memory/4420-87-0x00007FF6C9FF0000-0x00007FF6CA341000-memory.dmp
C:\Windows\System\dgIHHBW.exe
| MD5 | 030508abefb63b213d61438e5bd098e5 |
| SHA1 | 49ac5535b8da05a83f825271c0c102c17e925412 |
| SHA256 | 143ec251ff7dfab91303ad99067d59d4a10dbe8fb5da248da90391329f50e5ed |
| SHA512 | 4ad9cda070f1734fcb59330c72d5fe88d09c65368b7a143f8f4e3bc8219801be9a7f46dd57d46e0923d9515f52e68ce5e04ab37047de7a01c95e0ee3fd5bdf1e |
memory/4044-77-0x00007FF603AA0000-0x00007FF603DF1000-memory.dmp
memory/4124-70-0x00007FF76B950000-0x00007FF76BCA1000-memory.dmp
C:\Windows\System\nnAVGAq.exe
| MD5 | c440ab0fd8586b63b80dbd1f1d4d15d2 |
| SHA1 | 6bb0e26c8a3b01b62d2aafe7eb047379f2398236 |
| SHA256 | db40624ec63d15e95f0c543ecde35c7bb3591301035425a2873463308e1a29bc |
| SHA512 | 4b45736f534ad25524d4f6403cf84a2dcaa88a3fe926799fea282c0810cb587695552f92d551fc428ee916d6999e04d39b0a11cfc8a5aee916b7dbbbd93f4cfd |
memory/4124-131-0x00007FF76B950000-0x00007FF76BCA1000-memory.dmp
memory/116-142-0x00007FF72E5C0000-0x00007FF72E911000-memory.dmp
memory/4044-143-0x00007FF603AA0000-0x00007FF603DF1000-memory.dmp
memory/4176-144-0x00007FF65C430000-0x00007FF65C781000-memory.dmp
memory/5008-141-0x00007FF75FB80000-0x00007FF75FED1000-memory.dmp
memory/3432-139-0x00007FF761E40000-0x00007FF762191000-memory.dmp
memory/4724-140-0x00007FF74AB90000-0x00007FF74AEE1000-memory.dmp
memory/2412-135-0x00007FF6EEE60000-0x00007FF6EF1B1000-memory.dmp
memory/232-146-0x00007FF74DBA0000-0x00007FF74DEF1000-memory.dmp
memory/4320-152-0x00007FF60CD40000-0x00007FF60D091000-memory.dmp
memory/1544-150-0x00007FF61BCC0000-0x00007FF61C011000-memory.dmp
memory/2124-145-0x00007FF7228C0000-0x00007FF722C11000-memory.dmp
memory/5060-149-0x00007FF717DC0000-0x00007FF718111000-memory.dmp
memory/4124-153-0x00007FF76B950000-0x00007FF76BCA1000-memory.dmp
memory/4420-209-0x00007FF6C9FF0000-0x00007FF6CA341000-memory.dmp
memory/2524-211-0x00007FF65F640000-0x00007FF65F991000-memory.dmp
memory/4964-213-0x00007FF6A9BC0000-0x00007FF6A9F11000-memory.dmp
memory/2412-215-0x00007FF6EEE60000-0x00007FF6EF1B1000-memory.dmp
memory/676-218-0x00007FF79DD40000-0x00007FF79E091000-memory.dmp
memory/1532-219-0x00007FF6A2DC0000-0x00007FF6A3111000-memory.dmp
memory/1720-221-0x00007FF6E6360000-0x00007FF6E66B1000-memory.dmp
memory/3432-223-0x00007FF761E40000-0x00007FF762191000-memory.dmp
memory/4724-225-0x00007FF74AB90000-0x00007FF74AEE1000-memory.dmp
memory/5008-227-0x00007FF75FB80000-0x00007FF75FED1000-memory.dmp
memory/116-240-0x00007FF72E5C0000-0x00007FF72E911000-memory.dmp
memory/4044-242-0x00007FF603AA0000-0x00007FF603DF1000-memory.dmp
memory/4176-244-0x00007FF65C430000-0x00007FF65C781000-memory.dmp
memory/2124-246-0x00007FF7228C0000-0x00007FF722C11000-memory.dmp
memory/3352-248-0x00007FF75CB40000-0x00007FF75CE91000-memory.dmp
memory/5060-250-0x00007FF717DC0000-0x00007FF718111000-memory.dmp
memory/3704-252-0x00007FF78B030000-0x00007FF78B381000-memory.dmp
memory/3232-258-0x00007FF6DD490000-0x00007FF6DD7E1000-memory.dmp
memory/232-256-0x00007FF74DBA0000-0x00007FF74DEF1000-memory.dmp
memory/1544-255-0x00007FF61BCC0000-0x00007FF61C011000-memory.dmp
memory/4320-260-0x00007FF60CD40000-0x00007FF60D091000-memory.dmp