Analysis Overview
SHA256
64ee0b608fe5812fc7aa29fa780e9c02cf96c6ea729664449c51cad8ec4507ec
Threat Level: Known bad
The file 2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobaltstrike family
XMRig Miner payload
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-14 21:10
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-14 21:10
Reported
2024-08-14 21:13
Platform
win7-20240729-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\qlTnpFi.exe | N/A |
| N/A | N/A | C:\Windows\System\CcAkuQx.exe | N/A |
| N/A | N/A | C:\Windows\System\gVYWvqz.exe | N/A |
| N/A | N/A | C:\Windows\System\QphtKOm.exe | N/A |
| N/A | N/A | C:\Windows\System\kFmxryP.exe | N/A |
| N/A | N/A | C:\Windows\System\AYZTiwR.exe | N/A |
| N/A | N/A | C:\Windows\System\JkFukUh.exe | N/A |
| N/A | N/A | C:\Windows\System\PHXzBKK.exe | N/A |
| N/A | N/A | C:\Windows\System\tZiVRIU.exe | N/A |
| N/A | N/A | C:\Windows\System\LstfOdT.exe | N/A |
| N/A | N/A | C:\Windows\System\lWKzThU.exe | N/A |
| N/A | N/A | C:\Windows\System\scBYGRH.exe | N/A |
| N/A | N/A | C:\Windows\System\FbaoTkB.exe | N/A |
| N/A | N/A | C:\Windows\System\BdtDDuz.exe | N/A |
| N/A | N/A | C:\Windows\System\UCCXUHQ.exe | N/A |
| N/A | N/A | C:\Windows\System\NJNXXar.exe | N/A |
| N/A | N/A | C:\Windows\System\CrAXMPO.exe | N/A |
| N/A | N/A | C:\Windows\System\FulppyH.exe | N/A |
| N/A | N/A | C:\Windows\System\FlKIRcx.exe | N/A |
| N/A | N/A | C:\Windows\System\CkrXHON.exe | N/A |
| N/A | N/A | C:\Windows\System\ZNDdNEh.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\qlTnpFi.exe
C:\Windows\System\CcAkuQx.exe
C:\Windows\System\gVYWvqz.exe
C:\Windows\System\QphtKOm.exe
C:\Windows\System\kFmxryP.exe
C:\Windows\System\AYZTiwR.exe
C:\Windows\System\JkFukUh.exe
C:\Windows\System\PHXzBKK.exe
C:\Windows\System\tZiVRIU.exe
C:\Windows\System\LstfOdT.exe
C:\Windows\System\lWKzThU.exe
C:\Windows\System\scBYGRH.exe
C:\Windows\System\FbaoTkB.exe
C:\Windows\System\BdtDDuz.exe
C:\Windows\System\UCCXUHQ.exe
C:\Windows\System\NJNXXar.exe
C:\Windows\System\CrAXMPO.exe
C:\Windows\System\FulppyH.exe
C:\Windows\System\FlKIRcx.exe
C:\Windows\System\CkrXHON.exe
C:\Windows\System\ZNDdNEh.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-14 21:10
Reported
2024-08-14 21:13
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\AikdlhE.exe | N/A |
| N/A | N/A | C:\Windows\System\DlhrASY.exe | N/A |
| N/A | N/A | C:\Windows\System\ZxJLmWR.exe | N/A |
| N/A | N/A | C:\Windows\System\zxShMCC.exe | N/A |
| N/A | N/A | C:\Windows\System\gqVaDnH.exe | N/A |
| N/A | N/A | C:\Windows\System\HIMjgsB.exe | N/A |
| N/A | N/A | C:\Windows\System\nbxrFiB.exe | N/A |
| N/A | N/A | C:\Windows\System\TlfnAYe.exe | N/A |
| N/A | N/A | C:\Windows\System\rWRXKaS.exe | N/A |
| N/A | N/A | C:\Windows\System\KctMqqC.exe | N/A |
| N/A | N/A | C:\Windows\System\INCOoCF.exe | N/A |
| N/A | N/A | C:\Windows\System\kugoGIG.exe | N/A |
| N/A | N/A | C:\Windows\System\YAeXbJT.exe | N/A |
| N/A | N/A | C:\Windows\System\iBSrVcy.exe | N/A |
| N/A | N/A | C:\Windows\System\QeAIVrD.exe | N/A |
| N/A | N/A | C:\Windows\System\otejBUs.exe | N/A |
| N/A | N/A | C:\Windows\System\ABagijM.exe | N/A |
| N/A | N/A | C:\Windows\System\FjSwNNg.exe | N/A |
| N/A | N/A | C:\Windows\System\VSKvxoF.exe | N/A |
| N/A | N/A | C:\Windows\System\oypJoDb.exe | N/A |
| N/A | N/A | C:\Windows\System\Itbmddo.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_855a935a36c711934493ce4dcc4f4fb1_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\AikdlhE.exe
C:\Windows\System\DlhrASY.exe
C:\Windows\System\ZxJLmWR.exe
C:\Windows\System\zxShMCC.exe
C:\Windows\System\gqVaDnH.exe
C:\Windows\System\HIMjgsB.exe
C:\Windows\System\nbxrFiB.exe
C:\Windows\System\TlfnAYe.exe
C:\Windows\System\rWRXKaS.exe
C:\Windows\System\KctMqqC.exe
C:\Windows\System\INCOoCF.exe
C:\Windows\System\kugoGIG.exe
C:\Windows\System\YAeXbJT.exe
C:\Windows\System\iBSrVcy.exe
C:\Windows\System\QeAIVrD.exe
C:\Windows\System\otejBUs.exe
C:\Windows\System\ABagijM.exe
C:\Windows\System\FjSwNNg.exe
C:\Windows\System\VSKvxoF.exe
C:\Windows\System\oypJoDb.exe
C:\Windows\System\Itbmddo.exe
Network
Files
memory/3000-0-0x00007FF78FA00000-0x00007FF78FD51000-memory.dmp
memory/3000-1-0x0000023D8C5B0000-0x0000023D8C5C0000-memory.dmp
C:\Windows\System\AikdlhE.exe
| MD5 | 92d8543a2a161f9e64a530651574e360 |
| SHA1 | 6af2aa86d9a030124e80de1cbbe81407f5db3959 |
| SHA256 | 2b267b8d5a5e3ccf57e95df0fd2276574f382d6211dfdd0a24d8279d9ba6df03 |
| SHA512 | 836f699ed640acc3f023005edd4b151a412bb1c56014a56a784967e3830448f6681fc184fbb01e50fd5badbe8df2ba953c27fa2ea75a7881e6e7c58642f8f093 |
C:\Windows\System\ZxJLmWR.exe
| MD5 | f4f7779e228832904bd42253e320b6f6 |
| SHA1 | a99c76f75a2ba3cfd6c9b78800de5e4c34758174 |
| SHA256 | b04cd53afdf3c95b92f64c90f9ccd660e090bf1ca72abb38e2be2e68055f2a6d |
| SHA512 | ba50d255677a937a848ccc2e75a019e6562631b94666ed99b2773de624f9085aa8ba3d1bf73792c3dd8ac229ac1574160482d2286a4149b881c12343c9832b2e |
C:\Windows\System\DlhrASY.exe
| MD5 | 1e46b7893d7e63a240d1955692e77521 |
| SHA1 | 66216a0b8d3e4458fb4e8f3b255c2b7e1d49f625 |
| SHA256 | 56b60e36b161c704b29a4a07d1d526f4ba8b475b1d3c9ac78a738fd34cb8dc1e |
| SHA512 | 58832daa934f560b6e765a648ce5832b0671f3e35eba3949c0b43c0d464d2d6343a090a253ae4e9271cb5cc2814631d8f14e7c345bd5f46d6195a7eef228e8d1 |
C:\Windows\System\zxShMCC.exe
| MD5 | 344a54fc841c5da26d0891e9c0319501 |
| SHA1 | 1fe1e7a14f71935a1a182201aa75c5a14eca7166 |
| SHA256 | cf6e569ca21ed84688fd7bf26a831b158a897143cbe0bf677021f23a7243bc41 |
| SHA512 | 0983f941f27703bcef4bf92df8eb3a030a2c3a0c4c59a232355ca5e73e255d15f1ef904412c6704e47336423fdab6a36230027dc86b38f2d467ad2aa7e320bef |
C:\Windows\System\gqVaDnH.exe
| MD5 | dff11f2bba55c33b4e2a3fdf841934f8 |
| SHA1 | 773586fb08623d1d027eff68323778d224c09b82 |
| SHA256 | e6b7101367be295e63903d74ba712e5709c6c72b25ed0c0729d304e22662f25d |
| SHA512 | bae9ae5cba1f3a1372a2a5544115d0e458e209cafdf5b53dc5f567ed113179db972bda9e737e5f11f95bf4cc176c0c5aa13a012c239766d461f47bea92fe29f4 |
C:\Windows\System\HIMjgsB.exe
| MD5 | 8ec6b0c211b677d586d29563490f0ef0 |
| SHA1 | f0f6c17bfc06bcba65031088106589ec938c30c3 |
| SHA256 | eb3114953f1861051143ad9409e6297d7d9ab83da8af56f5d3463195d8eb7e51 |
| SHA512 | 2b656fb76a0e9ca1f44d3e26dbbd34294f9d288c26e81ef556447cdc2ff0258b762e4de4195996af40726c886013d3b2a8c1819567755723f6cfb7b34c540099 |
C:\Windows\System\nbxrFiB.exe
| MD5 | 099864b6b059cf72c4b36446b2534b0b |
| SHA1 | 750d08310a6dcb0c82765c6323e4de08354c876d |
| SHA256 | 621de712af8259b3f83910467c8ba17ca1effbe43f632c153bfc018946896d59 |
| SHA512 | 8bf5693a172c327b83b6a0eeafe9357aa2ec5d4efe4e8473b9657c97fdcc19c1691e18c980e682fbfb03cf5e4ea26680411b17a2c44ba5946d604302c45bb628 |
memory/2744-37-0x00007FF7F6E50000-0x00007FF7F71A1000-memory.dmp
memory/1956-46-0x00007FF73DBD0000-0x00007FF73DF21000-memory.dmp
memory/3696-57-0x00007FF6FE2B0000-0x00007FF6FE601000-memory.dmp
C:\Windows\System\YAeXbJT.exe
| MD5 | eb683221617c26036d25f9144b256fbb |
| SHA1 | 6dcca45dc52e1098f1c923ebaea8e9f45d62894d |
| SHA256 | f9295cd783dcc7c39d2bbdf8ab1170808ea3a61dc28a8b98d12554dada564b16 |
| SHA512 | 7cecc81de3ef035c9c623e2d6c5f1ada631ce3f73164b6f596be6c446f57238fb41c5c82bef8a1fb3a8537757d90dc698a760d7dcdef0fd0b3ca4409c3f47244 |
C:\Windows\System\kugoGIG.exe
| MD5 | 5944afcb16ba0be5201e786c3300396a |
| SHA1 | b66170853733acc3c5278b4f8d1acc1d88a4f50b |
| SHA256 | aacf581533ee45bd5ca9fa732b92c8d9159164e5d9ff6f5d9e56781972a80025 |
| SHA512 | 5f2ecbe25b8bea4571b4b249f48387d247a2ca07bc05b9ccaf5e98cab61aee9c5505daf07529dcc28ecde105112fe41e4d8a069f8acba20e2ea1b307b93f385c |
C:\Windows\System\iBSrVcy.exe
| MD5 | c11444a303917648c5c85b802e87e861 |
| SHA1 | 14aac14177a68296c9c39da64c356cfc966fa3de |
| SHA256 | 5cc32e82ef5848d157a7457b68fc76b4583c879b57f8d321a85334f5beb6f6bc |
| SHA512 | 4b2ffdbb445edd824656bd07cd3558bba1203c805a649d77ce6901dbd1935ebd5b9f0dcda10b5bd6192f1578e871d569c859d9d2db192d137c1377304509644e |
memory/2968-81-0x00007FF737340000-0x00007FF737691000-memory.dmp
C:\Windows\System\QeAIVrD.exe
| MD5 | c33c607750787c54e0e99ba17a45623c |
| SHA1 | c24b360a1ff3f4bcfb28d73394e30474946af0b8 |
| SHA256 | 88de352b2fa97a6ed24eafb767344c9252940a792ce373fb1c7365820c998002 |
| SHA512 | a824295dfe2ec643ca2bf5255552bd216f2ced91904ceb55d205e88ad9a0fe441ff5a5d5da9329c1830aee0a5eedc40e3ea569116bceb50400cf7407c2630212 |
C:\Windows\System\INCOoCF.exe
| MD5 | e182c5e45f3defd6c1914438a06e7189 |
| SHA1 | fcc293ecf8ac2b03ca8c38af43dd940ee665081d |
| SHA256 | 320e566b189cec7d9e6c4c838d0ce25b0866964af0656c1b61b2d598497dc92c |
| SHA512 | 46da11dd74ec021c9feb8c06e130f594c8ee51d4b916d5425ad5db2de5ec7caf2581eb5e76992f85863cb53cfe4aa594dd3e77cbab3854275bd5bfb1d0d3e8fa |
C:\Windows\System\KctMqqC.exe
| MD5 | eb8a4e4c6ca9d5906dbdad69ff8cad67 |
| SHA1 | 2fc9e05e690576d4d6f5f32ad491735ade1989cb |
| SHA256 | 35564b54ac7eb97db007ac8d8a0da050def5f8280e00a5c8b4c15dbf48e5f635 |
| SHA512 | b5418bc1d285b0651a45d3c4865bb214f5b170a780c87fb16f8322b971ae9cd1f95d0edf3658895313b97a2527e89720b002a00a45cb69fe57990aa7aee4e7a3 |
C:\Windows\System\rWRXKaS.exe
| MD5 | dcd486581d196cca59542ff9ad67cf80 |
| SHA1 | bb640ea3f9baabba0236dc0b45e09c0a4a3e0195 |
| SHA256 | f6a6d645278935cd71f788228dbad25e98d3e47d0496488b0a32f0fce91913ad |
| SHA512 | 3df3be2b1aa6b3ab6adf7096e4f0483adb51dbb4765fd8692333bc63b2047b5489c9ca55eee575217344a8e0333e282364c3b4c86a5037443d19f327cb9b4ad1 |
C:\Windows\System\TlfnAYe.exe
| MD5 | 6d66314c645d9320648db4fcb16092e3 |
| SHA1 | f4b7684299b4806510d5da41cf15668ebde74e35 |
| SHA256 | 16e01ef7c298acb34dcbdcdaf61ee4550c5f17ffc03452c01b6dc55c557e7f41 |
| SHA512 | 183184e54b1a0b95614b87c8940ac0062701335465287ad2b368f5faed5d4c1fb4a64d9426e082b7b622d581bdcb6825ea83fd68fd376ad1cd2a23850f6640e7 |
C:\Windows\System\otejBUs.exe
| MD5 | 7c92dcb030a350e085513ec8ec2c6555 |
| SHA1 | fa28b2f0c70fbeb482bac2fcc4c51d311cef8b43 |
| SHA256 | 6eff39ed2d388e49d47e800dddda5c6331da0e8b9cca6566a1408537d7e2a937 |
| SHA512 | 7affad651532ba81d4fb384d014df304156796d313cfbb4d873fe8c820a0ae3b8e3b405be3c7268dc30114c9fba6127004ea421d9d591222b18e326e707006f1 |
C:\Windows\System\VSKvxoF.exe
| MD5 | 5665e3568ffaccc41e7469c7efaf855e |
| SHA1 | 519b0663911829594b7333864e07c370a786513b |
| SHA256 | 44a83b08ae3e51a6c3408cf30200cb1b4f1f5cbcfadc399b80cc2403085dc819 |
| SHA512 | 0b57ba3cea3f87b8f5053fe620a9d837f7e88577fd63e96426e9bbbe57fbeecf8925656ee22b9beca71f0be75d29234858313521f7dcffcaf7fea561779092cc |
C:\Windows\System\Itbmddo.exe
| MD5 | 05616a33de4c71390530b44e2f29d753 |
| SHA1 | 73cabd04176ce645d521e494f07c03d0323ba99d |
| SHA256 | fa26a6c3b3bccfa553ad2b3b2d57c321d3f0823051cbdce9c9dd84a9ce52b015 |
| SHA512 | dc765361b8a6f6139115205097cebd135d98c02a2c7a7ff855f4bf19d691c279fc17ee1079e2678dfeb63ee7922c0c5b048ecd51f4e4cddd5be1c0abf49946ca |
C:\Windows\System\oypJoDb.exe
| MD5 | b74e9479479167ca3b5116d692741dfe |
| SHA1 | efde9e1e6db4d8017236ff1dab0437766300b3a7 |
| SHA256 | 12aa025bc907484e501256f61d22c74ef140c6cb24a46b40b53912e0d9b1d132 |
| SHA512 | 9602a78266bef37099ce404fabb21a64c7a99c2f88ce540f429b675af6019569ba66b7ade9e7021ebf8ad44ecd84748c22ef32792ee155e73ecd799e5dbbd71a |
C:\Windows\System\FjSwNNg.exe
| MD5 | 97b89f99656db47133feb93f9beb70e2 |
| SHA1 | a84ce949c0eae235d1fed788ed52dff689cb352c |
| SHA256 | 84f6561416a87cb6976e2143cfec6ac7d074fc66d24f13f46ceac504d4450738 |
| SHA512 | 8d0310a7a6cffc9d3c182941509463b6bdec2796e9de3ef362dd1be4aff227a6f03b43ec6436f94901dbc2f27fbd9e7784375a77a4925c703ad0cfc09625a3c6 |
C:\Windows\System\ABagijM.exe
| MD5 | d61b8b06ce4d5d3de29771efd1083371 |
| SHA1 | 44cb202031ee3a58f1364d061ac3769bb5c63629 |
| SHA256 | e9f60ac597f7575a56f0be6f201e288b9cf7833e8843fcbfb393842112f32091 |
| SHA512 | c0b5621d58b643714e5b573965644a593a453f175e16fc6a8edc5491e187553b1c83181967bd041332a5f8c09a30836a0396e4d63df3f2cb2432cb32a9251a2b |