Analysis Overview
SHA256
0f6de8be043a6917c54b10570817dc04902e02d0d3694de38a69bfe7f8e548f9
Threat Level: Known bad
The file 2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobaltstrike
Cobaltstrike family
XMRig Miner payload
Xmrig family
Cobalt Strike reflective loader
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-14 21:17
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-14 21:17
Reported
2024-08-14 21:20
Platform
win7-20240729-en
Max time kernel
140s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\WmFDjXW.exe | N/A |
| N/A | N/A | C:\Windows\System\JZoGjrN.exe | N/A |
| N/A | N/A | C:\Windows\System\taPRxzr.exe | N/A |
| N/A | N/A | C:\Windows\System\pWVmEfU.exe | N/A |
| N/A | N/A | C:\Windows\System\ESRJNLd.exe | N/A |
| N/A | N/A | C:\Windows\System\UPcIBFX.exe | N/A |
| N/A | N/A | C:\Windows\System\dmwNWvt.exe | N/A |
| N/A | N/A | C:\Windows\System\iJBqjeU.exe | N/A |
| N/A | N/A | C:\Windows\System\xxpkweu.exe | N/A |
| N/A | N/A | C:\Windows\System\DXwsfxg.exe | N/A |
| N/A | N/A | C:\Windows\System\IkqHhVT.exe | N/A |
| N/A | N/A | C:\Windows\System\WRtERxP.exe | N/A |
| N/A | N/A | C:\Windows\System\xHeYnVK.exe | N/A |
| N/A | N/A | C:\Windows\System\ccNLUhQ.exe | N/A |
| N/A | N/A | C:\Windows\System\tQsXpDy.exe | N/A |
| N/A | N/A | C:\Windows\System\RMzpOOb.exe | N/A |
| N/A | N/A | C:\Windows\System\uuUwAoE.exe | N/A |
| N/A | N/A | C:\Windows\System\VzMBbOQ.exe | N/A |
| N/A | N/A | C:\Windows\System\foQYYIX.exe | N/A |
| N/A | N/A | C:\Windows\System\WSmkDkl.exe | N/A |
| N/A | N/A | C:\Windows\System\GpicYJJ.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\WmFDjXW.exe | C:\Windows\System\WmFDjXW.exe |
| C:\Windows\System\JZoGjrN.exe | C:\Windows\System\JZoGjrN.exe |
| C:\Windows\System\taPRxzr.exe | C:\Windows\System\taPRxzr.exe |
| C:\Windows\System\pWVmEfU.exe | C:\Windows\System\pWVmEfU.exe |
| C:\Windows\System\ESRJNLd.exe | C:\Windows\System\ESRJNLd.exe |
| C:\Windows\System\UPcIBFX.exe | C:\Windows\System\UPcIBFX.exe |
| C:\Windows\System\dmwNWvt.exe | C:\Windows\System\dmwNWvt.exe |
| C:\Windows\System\iJBqjeU.exe | C:\Windows\System\iJBqjeU.exe |
| C:\Windows\System\xxpkweu.exe | C:\Windows\System\xxpkweu.exe |
| C:\Windows\System\DXwsfxg.exe | C:\Windows\System\DXwsfxg.exe |
| C:\Windows\System\IkqHhVT.exe | C:\Windows\System\IkqHhVT.exe |
| C:\Windows\System\WRtERxP.exe | C:\Windows\System\WRtERxP.exe |
| C:\Windows\System\xHeYnVK.exe | C:\Windows\System\xHeYnVK.exe |
| C:\Windows\System\ccNLUhQ.exe | C:\Windows\System\ccNLUhQ.exe |
| C:\Windows\System\tQsXpDy.exe | C:\Windows\System\tQsXpDy.exe |
| C:\Windows\System\foQYYIX.exe | C:\Windows\System\foQYYIX.exe |
| C:\Windows\System\RMzpOOb.exe | C:\Windows\System\RMzpOOb.exe |
| C:\Windows\System\WSmkDkl.exe | C:\Windows\System\WSmkDkl.exe |
| C:\Windows\System\uuUwAoE.exe | C:\Windows\System\uuUwAoE.exe |
| C:\Windows\System\GpicYJJ.exe | C:\Windows\System\GpicYJJ.exe |
| C:\Windows\System\VzMBbOQ.exe | C:\Windows\System\VzMBbOQ.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\WmFDjXW.exe
| MD5 | d37bfc2aaa4b68cf405b863967dd68b4 |
| SHA1 | 7661df3b97b66866781e243babeb5b66e16cd3eb |
| SHA256 | 21ea9849f914a35a1274d174c513e1ff96d69944dcbe07a6630a74c972f00e5f |
| SHA512 | 1c2d1aff5fee170c2f02497be9a76a0e7991b47068211a3e84fb1c9f037c6b580fd43754d8ca3cd343a8aa4a778fcca503eccde81bea41b6c97b02c3a797acbc |
C:\Windows\system\taPRxzr.exe
| MD5 | 920f9cb2cc8ad1dc09c760297116b5d0 |
| SHA1 | 99772d0bad7a0251e41169cc90735ad087f467af |
| SHA256 | af66fc5c2baf49dc72baa04bc501d18d8b038c007e112c8450687bd91f309c37 |
| SHA512 | aaa02042ead3b9b57d095c5cb05af416914765d21edc6425c543450ca62c95bae29aeddbdda4913ee4761eee83008d97744c213767927ae16f56d5a656efbd28 |
C:\Windows\system\JZoGjrN.exe
| MD5 | 9d9ba7fedb06114e991cbf17a2233c1e |
| SHA1 | 058a655adde4b301becfdf2f4fd7841dc6879093 |
| SHA256 | 04927b1f45c2f3130eba66257a00f8b5bbdf0bffe58149ab02b561b480ee20ee |
| SHA512 | 0814861749a770970bfb2d7de833397a0d7d989a9615ed528974cdb913c8a59666a4e9e951af6a8bc0fde427e8c48463e5bedfdb257168d6438585d381ac38c5 |
\Windows\system\pWVmEfU.exe
| MD5 | 5aa8edbfda4ed5a4696421cedc62d744 |
| SHA1 | c280506d05a6738d77e7e96d6fb939463b2416fd |
| SHA256 | 359f337a693c65547093de741408c85f1d158755d4e4ee4ef1cf3612be5fc456 |
| SHA512 | 6e76e6a04e055f9cbc34a05051e827cb76040fefd018f9086b0f89e93f4086de922055bee347ebb8e12a37b19a7430dbe504464aa9dd08dff2d5102371ea5d85 |
\Windows\system\ESRJNLd.exe
| MD5 | 2a1e8776053416d40848a092b0df842f |
| SHA1 | dbef395361fcf9f4c6abf892a24ea21d7f161adb |
| SHA256 | fe0f666dc4fcda6f614a41dd20986c32d18f8a0bde8db2bc67cda307b229f3e9 |
| SHA512 | 886b305a7ff75bb6ced7abd6b0f568c8e469ae1dd3cecf38820ab172573414b1d516e12a12bf5cb4b37eb3ba9b981c4e1a0559b2ed27554c80f60c9b87f3cc8f |
C:\Windows\system\UPcIBFX.exe
| MD5 | 92aeca5591540046ebcef301880ded58 |
| SHA1 | 2aa23441e6e425c46659ae54d1e0b9063da5131a |
| SHA256 | 45c8a02af70d5c125d73b0cc2e59fe537361b03be411ce6b930de66ae6f59825 |
| SHA512 | c9bb98b397fe7d2c7eb594a09dd9f9172e277842b56b898fbfe5b1c8c32c478a52c44826f6b6bbc5eccb33a3f85c2b18c2e3b59b201da3481dd228385d0515f0 |
C:\Windows\system\IkqHhVT.exe
| MD5 | a9c9082079a42f9d0711767608485b4e |
| SHA1 | 600e897401b14347ba7a6839fd78eac8be6a10c9 |
| SHA256 | 29be709f443ba896af2a9f24ca5fe6b9e5f38c0eb06efbaf0384382eaf3294d8 |
| SHA512 | 963b3570ade564d454b5d611f08637181ebc16e8e7e3b99f65acbbd57df49dddea24ad6daf12d74cf7e51b4e221b7d2bff360bcb94d4833ed0fd9549748d2257 |
C:\Windows\system\DXwsfxg.exe
| MD5 | ec2f0d877c2cc16c9c4b649691f6c769 |
| SHA1 | 8b31301d6d666a2f2957d9af30b058b4cbc8ed64 |
| SHA256 | d9ecc063964082e91bf470e0423c6219bf4ac775e877a72f121118922b9a2d4d |
| SHA512 | d02eb6d0f05819875e7c6fade669d6d0c9fb413431f69d07466155ea0e58320d901fccbf15fa304184424dac9f16fe86ffa4724f90152e4db04924d561c5f1d1 |
C:\Windows\system\ccNLUhQ.exe
| MD5 | 29f157f9792693982592da5947feace0 |
| SHA1 | be9f0336d8eed7523732b53d8d3af15cfcf06348 |
| SHA256 | e04d186cfb80150ca7571ec9acd1fe75e15d53fc14ae31f0616e3a9727759234 |
| SHA512 | bd2a2634c56f47c3e20df007725451e32dcb57b2d05ec11832968d26bea963e76f0c61479e3da012af6aac0d62046b7a71445a6bda9a3ba4b4f59ca1c3a82b55 |
C:\Windows\system\uuUwAoE.exe
| MD5 | 64730a69ac38eca835e1d95b26718944 |
| SHA1 | c593b6dae7affafae4088fc219a24bcc3aca892a |
| SHA256 | 0cdbc903ed130386ce1e4beb4ec0466ac9ebedd32c722693488aab2653c4ea56 |
| SHA512 | 29577b668cb95f9a27a8c68a02a8b5bbba7737a2027124a3b15fa2ad1ee7997b02e499e286c47b03d457f1a822e3f178339864d7424c49a81ea1911f291cd93f |
\Windows\system\GpicYJJ.exe
| MD5 | dd9f985763a241106afd6e87104136c7 |
| SHA1 | 9875e4b467b72af59c2ecc9608296dcb55410230 |
| SHA256 | 46c65d4d0e56264b19bc425e942be05c490b3184ac4bbe3c470fecefb8e78a8b |
| SHA512 | 53e958aa8c77cfdfa185ca19316b0c2954e0cb910d265027a27c7a320ee41359f574e11f8caa2c8ed72b820b7b41eab3861699822a776185a7356b67ced794fc |
C:\Windows\system\RMzpOOb.exe
| MD5 | b2111e76667410e4717ea9b55dc5901c |
| SHA1 | 8b514980378966da7c23fab43b949f2da003e1f7 |
| SHA256 | f74f3d5ce063a62933bbddbdf58a41384a76997ae6079f8909fb44be17bd7a07 |
| SHA512 | 03d4d330baee9b5d3f14eb3fce7b00bc5c1a583445dfd183b0ffea77e3a0f77e74df202c75d768d9c679aa6a2c5f4570c03484fe5bc3144c2f8524fbae7fdd27 |
\Windows\system\WSmkDkl.exe
| MD5 | cece320810fd384fbd4f608f08bb0499 |
| SHA1 | caead9aa5b00472aefe3206610118ad714de35b1 |
| SHA256 | 355d14b7d4cf69568924b7b5dec24c9b174a0f4a8502bcb00f48b5b95d406789 |
| SHA512 | f2cfe8e96bc498028985cf2b0f774a4c35325ce6849ff8b464a87d5dcc75eeadc3abe016d0a856e6c5641ef1726b0ced56829175fc08b0385de046bbd5baffdc |
\Windows\system\foQYYIX.exe
| MD5 | 7e613900597eed0653195ae29c2954d0 |
| SHA1 | bdbc383ab5925c9abfc3c07ae8fa0415bfc14197 |
| SHA256 | bf81ed58f747c481c80f42da8143422989e9a6e09b757d345d355c6144880068 |
| SHA512 | 5a0ae7e55480fc71bb1934c1511d5a9f2a713e05295a08c88d855cdf45b99f528756da924b4ad067dddceb9e418d7717d19f28bf8595b170ec13478b06f6cb67 |
C:\Windows\system\VzMBbOQ.exe
| MD5 | 8ada81e4f5ddfacf8c11bebfd40da123 |
| SHA1 | 9da6c0ef8dfa750dc9130488520428242d0a9995 |
| SHA256 | d4259716127daa19123b6b57f88ccfd6fab9bbf64ea660daea22d065e19e342a |
| SHA512 | 681004b69b5f000f83d366a8d1a31a4f74338d3ff727c0a9d43359ecfad5e0a9fd8a3e6409d09379b048a8d3d359f25a5de2370852988dd4c878b173c0bd973b |
C:\Windows\system\tQsXpDy.exe
| MD5 | 74058ae866a381bfae54684566f93dc9 |
| SHA1 | c9b121b92064f14af1245d41d84b4743a297a3d4 |
| SHA256 | e68aa84c7714b16b66e84d566d72ca626b9089dbf5fdc155c551a5a882367116 |
| SHA512 | 0b8b31ba266f359fdcd14dd65e9a6c40f81914c0595946de616e6e6ac074a90195d34ebdae677ab51562748a2d1658bfe4274aa1bdeb29ca6546327bc3a50443 |
C:\Windows\system\xHeYnVK.exe
| MD5 | 9b7dfae671512189d8cd0f31b59a0c96 |
| SHA1 | 7e025a338540c586cff365ade2474b5e4d29c7b2 |
| SHA256 | 7c87e8a78d87d56812e01204b64279c6a798c53dafed64ad7840e986fdcbb1ae |
| SHA512 | 536d5b43041286ef8e92755598dfdd8a328a1f0655ba44986ed6383f21f5ff8495793fbb94c82e078e97b682568601985d3bb7b3b8861611f778f68ac4083433 |
C:\Windows\system\WRtERxP.exe
| MD5 | ca98c944faf8a562b518b2868be9d220 |
| SHA1 | f4f5decbb91e58008554f93f42aa25c515dfb2f6 |
| SHA256 | e0bf99ae2de5d389ece41e44996434d02f6f9c5b7a490042b74514fe7eef85cb |
| SHA512 | 72f218ff293bd06e899e3533a578519fe0020e36521aef6c5efc8d39300cc374a55be52584895e6e32d431de76ec6fb2466cf387df8b2ea673fff8a9906cf246 |
C:\Windows\system\iJBqjeU.exe
| MD5 | d4b555de183ab5c24844b8bed9352096 |
| SHA1 | 221ed22655f9b7076982d0d92b7c51dd0aa470b1 |
| SHA256 | f7006b0bea424adb604d46728f35975b260167570d692fb90d8afcdbc2e9f42e |
| SHA512 | 9560b74f86232124a65529bc0a3d3751964a02013b8b223588e765e274780e062d2df4bd81de981c6a7772ecd97680172dd309ac25c02313c53adee3b637c19a |
C:\Windows\system\xxpkweu.exe
| MD5 | 09a7f8d1738364f431d56fa510f7243d |
| SHA1 | a2699415f5b6f7f918121552ddfd0fba1ac87386 |
| SHA256 | 418a838802a0e73ed289840fdda61e038cfe3755d6bc9d2b938d94d0beca49fe |
| SHA512 | e9ca4e051772ea8af8ebcc30a6d572e4417fc5de66ca5107a4301ed42978682d9c2eee4174ed4deb20370ff7fba2a1e9a06f2d0da707eceeab6e2ecb6fc3bfaf |
C:\Windows\system\dmwNWvt.exe
| MD5 | 4c76b34c9e2a98c167facfef04f16779 |
| SHA1 | 63e3d11d10d4d90fa31abcc0e5f24839f5b5c0a1 |
| SHA256 | d0908a41f7679e5864fec262b4b4bdea64bb878930d242b4b295a9cc4df35337 |
| SHA512 | 0b7ed9f20a81441167c8501d08bfb66b7c10267de991d475c24a75d984bef6c6a19debcd39664408df2658006ccc5162a0c1b36606fba2eab4140b7b76e12348 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-14 21:17
Reported
2024-08-14 21:20
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ZXhiCpP.exe | N/A |
| N/A | N/A | C:\Windows\System\VIiGlaC.exe | N/A |
| N/A | N/A | C:\Windows\System\cRqwOKv.exe | N/A |
| N/A | N/A | C:\Windows\System\XWzxZPF.exe | N/A |
| N/A | N/A | C:\Windows\System\UBOEikY.exe | N/A |
| N/A | N/A | C:\Windows\System\WhGwPnk.exe | N/A |
| N/A | N/A | C:\Windows\System\nPtyOku.exe | N/A |
| N/A | N/A | C:\Windows\System\BZvuogp.exe | N/A |
| N/A | N/A | C:\Windows\System\zihzlEw.exe | N/A |
| N/A | N/A | C:\Windows\System\XGNBgCJ.exe | N/A |
| N/A | N/A | C:\Windows\System\eEWYUQO.exe | N/A |
| N/A | N/A | C:\Windows\System\WjpmFfy.exe | N/A |
| N/A | N/A | C:\Windows\System\DQCjHaw.exe | N/A |
| N/A | N/A | C:\Windows\System\EqTqaMf.exe | N/A |
| N/A | N/A | C:\Windows\System\kwdMlSa.exe | N/A |
| N/A | N/A | C:\Windows\System\oLFcfrZ.exe | N/A |
| N/A | N/A | C:\Windows\System\iNFYkjH.exe | N/A |
| N/A | N/A | C:\Windows\System\TORkLJq.exe | N/A |
| N/A | N/A | C:\Windows\System\VZYFMFO.exe | N/A |
| N/A | N/A | C:\Windows\System\fbUIqHV.exe | N/A |
| N/A | N/A | C:\Windows\System\hsUYbZh.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-14_9ff9f5813a6443ed0b267ca38cca4f01_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\ZXhiCpP.exe | C:\Windows\System\ZXhiCpP.exe |
| C:\Windows\System\VIiGlaC.exe | C:\Windows\System\VIiGlaC.exe |
| C:\Windows\System\cRqwOKv.exe | C:\Windows\System\cRqwOKv.exe |
| C:\Windows\System\XWzxZPF.exe | C:\Windows\System\XWzxZPF.exe |
| C:\Windows\System\UBOEikY.exe | C:\Windows\System\UBOEikY.exe |
| C:\Windows\System\WhGwPnk.exe | C:\Windows\System\WhGwPnk.exe |
| C:\Windows\System\nPtyOku.exe | C:\Windows\System\nPtyOku.exe |
| C:\Windows\System\BZvuogp.exe | C:\Windows\System\BZvuogp.exe |
| C:\Windows\System\zihzlEw.exe | C:\Windows\System\zihzlEw.exe |
| C:\Windows\System\XGNBgCJ.exe | C:\Windows\System\XGNBgCJ.exe |
| C:\Windows\System\eEWYUQO.exe | C:\Windows\System\eEWYUQO.exe |
| C:\Windows\System\WjpmFfy.exe | C:\Windows\System\WjpmFfy.exe |
| C:\Windows\System\DQCjHaw.exe | C:\Windows\System\DQCjHaw.exe |
| C:\Windows\System\EqTqaMf.exe | C:\Windows\System\EqTqaMf.exe |
| C:\Windows\System\kwdMlSa.exe | C:\Windows\System\kwdMlSa.exe |
| C:\Windows\System\oLFcfrZ.exe | C:\Windows\System\oLFcfrZ.exe |
| C:\Windows\System\iNFYkjH.exe | C:\Windows\System\iNFYkjH.exe |
| C:\Windows\System\TORkLJq.exe | C:\Windows\System\TORkLJq.exe |
| C:\Windows\System\fbUIqHV.exe | C:\Windows\System\fbUIqHV.exe |
| C:\Windows\System\VZYFMFO.exe | C:\Windows\System\VZYFMFO.exe |
| C:\Windows\System\hsUYbZh.exe | C:\Windows\System\hsUYbZh.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\ZXhiCpP.exe
| MD5 | 042bfa12392a9b3172c6eb7676a6524c |
| SHA1 | ccebe52cd3569b08948c9a9b0c05e6ab2ad52dc0 |
| SHA256 | 473da72da83367923d0b9914f4116520d16290eaef2139b830d568e48ca21612 |
| SHA512 | 0aa48a4f211a601febcfe460a15cad199befe81f05d9e6a269985980b8de64f6b2bcd940e4ed936b96578d4af5d2e429c6e0a6334adaeac23db1571723fb0b76 |
C:\Windows\System\XWzxZPF.exe
| MD5 | b3a1311b2d026a9988c8d383884babac |
| SHA1 | 0f8ad4c4d32a7c887a25771f756da9c86145fea0 |
| SHA256 | 60b05058d9e9704a36269762fdefc2e0301efd7650b5023da330d2a0acc99036 |
| SHA512 | 779769cd27c6b54d0e6d9733a79fda18de1483d32230e878fbad2d0f2402f1bc53742def2fb9d9791954c69defce85d992c8dad42e6b85e2960e6dfd43cd8315 |
C:\Windows\System\cRqwOKv.exe
| MD5 | c5dc0b89b932b6bfdb368f7ace7041f4 |
| SHA1 | 6639a54da8451fdb827ab278e13ec92dbc665a1e |
| SHA256 | c09b69a85647cb35a6419d934b03cf76fdcfabe441ed016c297a79786bd91d3a |
| SHA512 | 17279a702fb7b2641c79bebc4637211f0d1fbda95c05f36a622454897491b5bc64c8bcad63d252ee4a1277600bd432d2af44dda18f4ea5dc5dc805b0b1d84ea8 |
C:\Windows\System\VIiGlaC.exe
| MD5 | 3ba83b26052061c242528266363943bd |
| SHA1 | 62793415b389f03521974037c38805144bc5e773 |
| SHA256 | eb4143279f8215cf57ac0f4ba6987046b2bb5d4d4e57005cc5df578ecd9751d1 |
| SHA512 | 3799c0b690a8af4200492b13a827507e02e78f9aa93863cb1e19291a95824745b3526deab1f5c6fddb41691cc6318bcf4e754313c3e7ddaedbee048d71870f58 |
C:\Windows\System\WhGwPnk.exe
| MD5 | 208196b210c11667ca08a6608612d6fe |
| SHA1 | 912c3ef7dfab6d701226dfe03e35142c36f78854 |
| SHA256 | 0680e02263a565b4f40061e4f8284c2e1b67bb3309d50bc8f665a4c53ba7e7cc |
| SHA512 | a07f18219f45e22d4343f76f10a76b3d1294d51535e355d35de8792751706e1cd660525f8564a0d5d007fed91c848aadc5fdecfc3e483292f19cc19d69a6a867 |
C:\Windows\System\BZvuogp.exe
| MD5 | 4c527477bf319bc89104f687fa6b3bd4 |
| SHA1 | 6685ec616a8d9e6cb3e5edbefeaec00b21a8a3e4 |
| SHA256 | 46a42010d6c4f70f1cb40cdf5d401348d27e452dabf4ea855e0fade613b60a8c |
| SHA512 | bf8f9e321787db9c03ee7632d631d11b4a0965ef6dc2610f9329f17304327cb9e437c9c88d2fe74c562ea31a1f01b0d33482b86709b1a23d4d229117a11c751e |
C:\Windows\System\XGNBgCJ.exe
| MD5 | 91462f5cdca58729398f7a8696e51ddb |
| SHA1 | 3927bd1780eea79069fad0317989f9bf88173ee2 |
| SHA256 | 4dc710672fae5b5e06c6e7edd6aeac6200512c957329dae0a8e539f40162e87b |
| SHA512 | 682f2e10194b216b6dbc5df03daff9007fb18800cc88428bfed70d095c4680be17a3c061c6701cb1e514fbc43c461e823d0958d5d30cdc6e13279484e4f479d2 |
C:\Windows\System\eEWYUQO.exe
| MD5 | e1dfd5d6d39ea443fb451f7661e3e9aa |
| SHA1 | b8d32fa3062156b6fb42f0fdf797d0c70c8577e4 |
| SHA256 | bb5abab78ac002c583d3ee76bd412cad82145fc8fae307879bac6ae244131097 |
| SHA512 | 6fe6953d98af2e5c07671d2222c1e0a217e81d879545d3242911e2ea4fabd1950a260028f26177971c3a75aa226a247d897346f68b8293e4dcd4adec634f4dee |
C:\Windows\System\zihzlEw.exe
| MD5 | 4da2b0a5675c6a76591accec32363c46 |
| SHA1 | 7c072b476b0ac2b2e7f2e588c9eb5bb8be3de513 |
| SHA256 | 55c717c1ee400481ceeb5c4f88abf986f71a7b476049bb19104baa9d520ec791 |
| SHA512 | 7392ea1da9a70e013315937f1aa83c1d42af8a861f85d90da4f7eca745607036d810c0e33279394ed3b908808161e0c43b35e543f898d412f73e51ef1045bf88 |
C:\Windows\System\UBOEikY.exe
| MD5 | eb5d3066783f9577914449fcfbb06d9c |
| SHA1 | 84f57d3acb889c7fa9fed5b4f35ed2330a9cead5 |
| SHA256 | c00f25a961d71372e5a0272566d794742cef449855191e82f283445bcd4d7e38 |
| SHA512 | f9ddb7c88e6030006fd64d0b1fbdf24d2365b7d3fed2c430a1bf5496228f967a74dd60b71235d21a34d147128ea8252922c980fe2f710bc054d2ce620491d23b |
C:\Windows\System\nPtyOku.exe
| MD5 | 33afb174aa583cbb72bf9339093c4048 |
| SHA1 | 9bef3995de00b1f77b2b706680a5763254b3cffb |
| SHA256 | a922e8609c2b44a16c53f3298e01990beab49f3d8e384e929b3fc639a0194a95 |
| SHA512 | 39071c4ef8fe8a4de5e1ac12ebea924a7aac072d01be4b37943274049e740d6dfeae062cd9701bce521d2343764759996a33662334eb2db46aa2f7c6a5736128 |
C:\Windows\System\WjpmFfy.exe
| MD5 | 48fb63eadd62445a13508161368f0ca4 |
| SHA1 | 52f3a34368574c9d220988040bb034cd06f73815 |
| SHA256 | 749d59654b8925696e5d7ea146cfc72aa9f8245a21eba21e0bbe062f536bceb3 |
| SHA512 | 377cda7440e7cf8b0e56bb4bdfec869a77984f535f24d79ad9889ad0bdeaa9720ce749267d8e62ba3ef320643687a11c8067082387d608908f75ade0e2e08ff9 |
memory/3624-74-0x00007FF6EFA80000-0x00007FF6EFDD1000-memory.dmp
C:\Windows\System\DQCjHaw.exe
| MD5 | e995c9f11d1e3bcaa80d7369c5fcb323 |
| SHA1 | 7a26eb5921ec06faf0b7b80b652ae78f2cbb08ec |
| SHA256 | b1581254b13949a888f31d3db13e8bd813ff02bd4ae76675104e7e7a66fda29d |
| SHA512 | 1d7dced79e5dfc226ce38229962c651a680b5cef4a7201a9919d0ab54dbfc67e56e22a7b0e51fbc39b98f40f9c3eac97527adad89775ff1989192f609cb43290 |
C:\Windows\System\EqTqaMf.exe
| MD5 | 906e67c051a83a42b12ca6ca03f52a82 |
| SHA1 | 687169b65f5b9f10cdb1800a10faf60b266760c2 |
| SHA256 | 2ce95b423e71ee96174432fd03b9c050edf1b6cca002899a9660b43c1fbb21e4 |
| SHA512 | 14387ee3f121b56bccb4916ab6cbb01b6a162f28b405568bded39f5da810ab5f2379193e671037d0cdb080494766a21d4b991047fa6d3616e5f4cc4f4799d39e |
C:\Windows\System\kwdMlSa.exe
| MD5 | 33f1fc723dda1ff857a9276b460b9d4c |
| SHA1 | e008d1ab515ef7b139ece723afd4d1d05724d0d0 |
| SHA256 | 472b783d851a8ed7cbb75df6b663d5f5e72db00f4f9345bd7d7b56517e4b059a |
| SHA512 | 2dbc7cbe520ed3ae51b8221cf9a28b3d62805711cf01b35dbda8a48ecc09ebcefb50ff74511ee57852abe748d3987c98185d98d239e976da08594f523ef3b30f |
C:\Windows\System\oLFcfrZ.exe
| MD5 | fad115af8f2eb97e4c1072fb5e688add |
| SHA1 | bac15faaed299769e655253c78da87b8233b602b |
| SHA256 | 808879bd356ce9764f4f3534f3915ee78c0fbc90ec53a821ff2cfb6d5c468680 |
| SHA512 | af9529dd44450e2d5444eba438558a0085a0ac4aca3bfbb15c9f5ba66b7ec3b59485f8df688fb371d26dfb1cfbe0e1c5873fb24728746d3f5ca7dcdefa866648 |
C:\Windows\System\iNFYkjH.exe
| MD5 | 7d8e9cf88f1f546706ae4a0eb015c447 |
| SHA1 | 518c11caaa36523208dad129a45545ba3862293e |
| SHA256 | 6abbe1dfec7e9c4ee4f0e1f841f5e3fb849d2b9188c5f06986100d74969af49d |
| SHA512 | 32a3270f4b8fbd6f9eb75cd5c593aeb4657027f25ab859a723677980d53a20cf4c36bb56c96f754312980435f62e6c5252b78cc9832566aa2bbffc1e8c79add8 |
C:\Windows\System\fbUIqHV.exe
| MD5 | da0f4ab5c56abc9fddcb91da366a3d8e |
| SHA1 | 253f61a5fcf71e99b23ee928ddbc8b3b4b62a713 |
| SHA256 | b28413e8d5e9c31b07d9251526ada307547d673e3f8c14f75346543cee58219a |
| SHA512 | 8412782fc5b4298b349a2f35aed1155200e7b136aafe88020ecf0318fc7e1df142b45f3fe5882fa3388739f93b9fd0e7ddbc013f1c8f6dc1767509ab2666e1a6 |
C:\Windows\System\TORkLJq.exe
| MD5 | 1c064bb59121d75fcae75c59bddd5743 |
| SHA1 | 5620c719216b0b5aa1b7e427c4fc53fd9d1f609f |
| SHA256 | fa09a8f80cfca351ff76d28c2c780dc568691c0006c6dcd46e32561a4fd33181 |
| SHA512 | 5c70b4ff7049d78c6e9bceeaf0da11e03438afa1d8a78565a09a094730c6749fd943411328637e5e4ab314b2b9bbd1b41969d94d85bdab5180c6d455da7f7983 |
C:\Windows\System\VZYFMFO.exe
| MD5 | 7be6034d75d7b9380c12ba76466aa3dd |
| SHA1 | ecdf32913e89342da5e7334ba4b94353df646ffe |
| SHA256 | 1c89ef45febb2e48ab70c222066cad3b177b30e37b7feaabc925559ed9c41ebb |
| SHA512 | ad1fea4c3f3ad79914da3bd8c9adbc60a40a37a1ace8fe2bacab18acbc8b87de867f6d826ca47359d5e372916750ff2c2ce8fcf272a4a809d200020fc932a224 |
memory/4728-130-0x00007FF73FA70000-0x00007FF73FDC1000-memory.dmp
C:\Windows\System\hsUYbZh.exe
| MD5 | 3c522bf0848f2222a21af2153263533d |
| SHA1 | b7a682c799f2cc5bf951a170656b7c2587df1d62 |
| SHA256 | efdde5d41be9cde81d27ec750bc7cfda8cf3b6ab5bfbe5b782be6a95b1bb1ae8 |
| SHA512 | 52be7155d31750ef787c186d334cb50354961043bb390257b843000868fa67f10728ef434034a995eadca31bb8e31a0b0cd3c4910e3af7badcf4e9b43c124a0b |
memory/4596-129-0x00007FF63DC00000-0x00007FF63DF51000-memory.dmp
memory/1424-128-0x00007FF6B8F90000-0x00007FF6B92E1000-memory.dmp
memory/4980-124-0x00007FF6957D0000-0x00007FF695B21000-memory.dmp
memory/3188-123-0x00007FF67A5D0000-0x00007FF67A921000-memory.dmp
memory/3692-117-0x00007FF6D13B0000-0x00007FF6D1701000-memory.dmp
memory/1240-115-0x00007FF7DA470000-0x00007FF7DA7C1000-memory.dmp
memory/432-114-0x00007FF688370000-0x00007FF6886C1000-memory.dmp
memory/2568-109-0x00007FF7D3000000-0x00007FF7D3351000-memory.dmp
memory/1136-107-0x00007FF6DDF60000-0x00007FF6DE2B1000-memory.dmp
memory/1272-100-0x00007FF7D4560000-0x00007FF7D48B1000-memory.dmp
memory/4332-88-0x00007FF68E4D0000-0x00007FF68E821000-memory.dmp
memory/2716-92-0x00007FF7CB310000-0x00007FF7CB661000-memory.dmp
memory/4436-84-0x00007FF70D7E0000-0x00007FF70DB31000-memory.dmp
memory/2716-133-0x00007FF7CB310000-0x00007FF7CB661000-memory.dmp
memory/3912-141-0x00007FF607AB0000-0x00007FF607E01000-memory.dmp
memory/1884-144-0x00007FF7C8510000-0x00007FF7C8861000-memory.dmp
memory/1908-143-0x00007FF7D6FC0000-0x00007FF7D7311000-memory.dmp
memory/3188-150-0x00007FF67A5D0000-0x00007FF67A921000-memory.dmp
memory/4980-153-0x00007FF6957D0000-0x00007FF695B21000-memory.dmp
memory/1424-154-0x00007FF6B8F90000-0x00007FF6B92E1000-memory.dmp
memory/1240-152-0x00007FF7DA470000-0x00007FF7DA7C1000-memory.dmp
memory/432-151-0x00007FF688370000-0x00007FF6886C1000-memory.dmp
memory/1136-149-0x00007FF6DDF60000-0x00007FF6DE2B1000-memory.dmp
memory/4332-147-0x00007FF68E4D0000-0x00007FF68E821000-memory.dmp
memory/2716-155-0x00007FF7CB310000-0x00007FF7CB661000-memory.dmp
memory/632-213-0x00007FF621570000-0x00007FF6218C1000-memory.dmp
memory/2856-215-0x00007FF6C5D00000-0x00007FF6C6051000-memory.dmp
memory/2656-217-0x00007FF6BEF50000-0x00007FF6BF2A1000-memory.dmp
memory/3692-219-0x00007FF6D13B0000-0x00007FF6D1701000-memory.dmp
memory/2568-223-0x00007FF7D3000000-0x00007FF7D3351000-memory.dmp
memory/4728-222-0x00007FF73FA70000-0x00007FF73FDC1000-memory.dmp
memory/4596-225-0x00007FF63DC00000-0x00007FF63DF51000-memory.dmp
memory/2072-227-0x00007FF6DA000000-0x00007FF6DA351000-memory.dmp
memory/1908-230-0x00007FF7D6FC0000-0x00007FF7D7311000-memory.dmp
memory/1884-233-0x00007FF7C8510000-0x00007FF7C8861000-memory.dmp
memory/3912-232-0x00007FF607AB0000-0x00007FF607E01000-memory.dmp
memory/3624-244-0x00007FF6EFA80000-0x00007FF6EFDD1000-memory.dmp
memory/4436-246-0x00007FF70D7E0000-0x00007FF70DB31000-memory.dmp
memory/4332-248-0x00007FF68E4D0000-0x00007FF68E821000-memory.dmp
memory/1272-250-0x00007FF7D4560000-0x00007FF7D48B1000-memory.dmp
memory/1136-252-0x00007FF6DDF60000-0x00007FF6DE2B1000-memory.dmp
memory/1240-255-0x00007FF7DA470000-0x00007FF7DA7C1000-memory.dmp
memory/432-256-0x00007FF688370000-0x00007FF6886C1000-memory.dmp
memory/4980-261-0x00007FF6957D0000-0x00007FF695B21000-memory.dmp
memory/3188-259-0x00007FF67A5D0000-0x00007FF67A921000-memory.dmp
memory/1424-262-0x00007FF6B8F90000-0x00007FF6B92E1000-memory.dmp