Analysis Overview
SHA256: 9dc08942a9069f8cc18d378a4a19af33a18c4d75ecfd03fe3cbfbbc22d2b077f
Threat Level: Known bad
The file 2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobalt Strike reflective loader
XMRig Miner payload
Cobaltstrike family
Xmrig family
Cobaltstrike
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported: 2024-08-15 11:26
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-08-15 11:26
Reported: 2024-08-15 11:28
Platform: win7-20240708-en
Max time kernel: 140s
Max time network: 144s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System\CHgRkUe.exe | N/A |
| N/A | N/A | C:\Windows\System\wofnClE.exe | N/A |
| N/A | N/A | C:\Windows\System\xNmfHfn.exe | N/A |
| N/A | N/A | C:\Windows\System\VBeoQZc.exe | N/A |
| N/A | N/A | C:\Windows\System\SXTllMt.exe | N/A |
| N/A | N/A | C:\Windows\System\vvGwTlv.exe | N/A |
| N/A | N/A | C:\Windows\System\zqkQDZT.exe | N/A |
| N/A | N/A | C:\Windows\System\ofYkOpC.exe | N/A |
| N/A | N/A | C:\Windows\System\fSrbeSk.exe | N/A |
| N/A | N/A | C:\Windows\System\UmcnAsp.exe | N/A |
| N/A | N/A | C:\Windows\System\gUhgZRm.exe | N/A |
| N/A | N/A | C:\Windows\System\bDVTZZK.exe | N/A |
| N/A | N/A | C:\Windows\System\WXfeEmL.exe | N/A |
| N/A | N/A | C:\Windows\System\JunHmfQ.exe | N/A |
| N/A | N/A | C:\Windows\System\qyisume.exe | N/A |
| N/A | N/A | C:\Windows\System\MGvoJEA.exe | N/A |
| N/A | N/A | C:\Windows\System\XurKEql.exe | N/A |
| N/A | N/A | C:\Windows\System\QwcjkNV.exe | N/A |
| N/A | N/A | C:\Windows\System\aisdMUA.exe | N/A |
| N/A | N/A | C:\Windows\System\NgfQmLF.exe | N/A |
| N/A | N/A | C:\Windows\System\vSvjtNp.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\CHgRkUe.exe
C:\Windows\System\wofnClE.exe
C:\Windows\System\xNmfHfn.exe
C:\Windows\System\SXTllMt.exe
C:\Windows\System\VBeoQZc.exe
C:\Windows\System\vvGwTlv.exe
C:\Windows\System\zqkQDZT.exe
C:\Windows\System\ofYkOpC.exe
C:\Windows\System\fSrbeSk.exe
C:\Windows\System\gUhgZRm.exe
C:\Windows\System\UmcnAsp.exe
C:\Windows\System\bDVTZZK.exe
C:\Windows\System\WXfeEmL.exe
C:\Windows\System\JunHmfQ.exe
C:\Windows\System\qyisume.exe
C:\Windows\System\MGvoJEA.exe
C:\Windows\System\XurKEql.exe
C:\Windows\System\QwcjkNV.exe
C:\Windows\System\aisdMUA.exe
C:\Windows\System\NgfQmLF.exe
C:\Windows\System\vSvjtNp.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\system\CHgRkUe.exe
| MD5 | c6b745a4595fe81478bf926d7a4f117e |
| SHA1 | 81e4ad3b8dca4bd4a24ce7c868a32badbe566839 |
| SHA256 | da7170afe3c89f9b704d3678a8d72c3f4929df2e014c2ae9999779d549e16414 |
| SHA512 | 22cdcbe90485fffd0932995cc0819ff399d426cedcde21473651823ac4e9da59efcb402121c8c6adb53a4b6f4de7aa510d9e3abd57ec32a9e97721bba823e22b |
C:\Windows\system\wofnClE.exe
| MD5 | e74b80311090a1dc0765871644fc1a68 |
| SHA1 | 4023254c09fdd57dc370ac86d4dde07a34121e5d |
| SHA256 | b7d15179a35f7f613a63a329c289e8babe9034fe278cfe96433dade98b719364 |
| SHA512 | 5a614cbe26e560ab990f95ea0384893bd64686728d8f2b62c3d2e7ac5a8eb8f2afab2bac3ed7aef663ddbc272b8a64a85b7a2decb171fc84f4a89fd349080a2a |
\Windows\system\xNmfHfn.exe
| MD5 | f3e0dcdd991736d45225b30395841566 |
| SHA1 | aaa85aa40ec235ed79c6cda01c6344e77a655bd6 |
| SHA256 | 72627d8cc16173cca3c325206ac431460e0ae21586028ba1b8ca9be080c3bc2f |
| SHA512 | 3f68f527c749c27422db8ef3cc448581a63cfbc558f1808540e771f06f07ccb548af183c79bbeaea89c48809c8ab60f05342e97d370c86c1592ea26dbc0765c6 |
C:\Windows\system\SXTllMt.exe
| MD5 | 1f4f27786e6df75cbba9aaaef271f815 |
| SHA1 | 9dcfe55080b4cd515bd80a6a76b33c4b3211278d |
| SHA256 | 7885be79b12f60fb53873875a78e4bfd7d77ec3710323e1f45e0964d0d0ecbb5 |
| SHA512 | a328da4f303eff453d592bfbc33cc926fe61654fea15aabbece97652a0e9cfa040ae077de056eebd7bea0d2999ac9888d4f28131f07038c540a0a061f674d5bd |
C:\Windows\system\vvGwTlv.exe
| MD5 | 2d747a3ca834c0e53c58c0d45f1cd062 |
| SHA1 | 1970e6a457e841a57e458fc19bb65a2ae4553a8e |
| SHA256 | 60f469c60a6e8d043a9a00d7052cd3de5bdc7370104a1f4e06b035c4cc56c3d1 |
| SHA512 | 18eff493a6cd5705124be34c9fdc25f026ae8fed17a27f881d68c5fcd6b2bab4db9a48458ba7c76486349741a08078f314a15f365bad63c19a4eee14fef566f3 |
C:\Windows\system\ofYkOpC.exe
| MD5 | 9466b53cf3b50c6c6dcdde15ba1de426 |
| SHA1 | 97bb93173237a52b25032aabc7799303f3d6f61a |
| SHA256 | d66cdf6b4a851d39a3cbb01cab5daa3e97525f08d2602e52bfe25e3667a4b6d7 |
| SHA512 | e6c7ee112e09a78ddd7751892b5fe3349281edace25828ac8b353ab8cd2ab34ea4676d24e548597fba3661d18feb4e663a343f01bd3fe49039960de62d82c298 |
\Windows\system\gUhgZRm.exe
| MD5 | 1e91dd8934b3bdf0fb9259ec4df40ccb |
| SHA1 | 7ea1f62167afc32be627f6ea62a18d04b0479139 |
| SHA256 | b3f6e151fb67aaf92b1f1ae45f34fac00dc3e62d9d061dac9382d0d849e61cd6 |
| SHA512 | 7ae4d93e6a01780cad3587331332eead800bc6b80bcbc8a97be5ba99c8c9c341d2f4cd1fd30d11b9b4b254d63a4d5c13dc9f5393c894be62c44a077d1fea8364 |
C:\Windows\system\MGvoJEA.exe
| MD5 | 42aea7ffeb273258ab6f7f748cf27511 |
| SHA1 | d6f708e69bc9967a2d991f834a91d3af06404e04 |
| SHA256 | 25ecfbf9c8fff297f9d8dacd1a891cf5a63856927b72f7c8210cff31798e375f |
| SHA512 | 7ade4a1019bb20402a5b8c440b08806e968644554ab6da287c70ff616ae9cbd18bd2db2a46b24aacdcb02b8e16f0a9c64dc0f221ce5e3b5fff9619ebd8d43174 |
C:\Windows\system\NgfQmLF.exe
| MD5 | 63c65de1f82985b8ddd92edc64543bda |
| SHA1 | b4cd3ceec6eab84c06efe10380179618f9f500cc |
| SHA256 | 23089ded8f32286373fe45ac2f88cbd1e9f25f23fcbdb4d7985d06412bd64b06 |
| SHA512 | b5b0af84fb2487a29f3db77c9e4b56ed79b29a3cd3be3de9b68889a4d915341b3c77adfaa03701fe0efc75ef844d0e2487cc9285342b55178d9f202599feff0e |
C:\Windows\system\vSvjtNp.exe
| MD5 | b8d980a112b248f343386dba9cf9ffd1 |
| SHA1 | 4b19bef53c51813f3a9f2014dc603134e8d68f90 |
| SHA256 | 0bab36ee3a421c1e3b25c0ef2eb72f26e97cbd03e3c358a28efc6e3290bad5e7 |
| SHA512 | f7b65ab16d45a354a6ec127af560765e22caf74ac47d764d904da4b3fca2082f2d734f48a7daec89bd65fbc51a74619b863ab4dda441f658587362a544c95382 |
C:\Windows\system\QwcjkNV.exe
| MD5 | 43ced77a2bb9861a86dc6c54f36bf5b1 |
| SHA1 | dbe97179fb6466739c909691bd4c3ec2675a6af6 |
| SHA256 | f04c4142f94616e9f3d1ebc5eafc5db5262d1c2eb87a731ca45ec96509ec095d |
| SHA512 | 8d0978d140e20ab6dff4d443ac64536e38f5f0df89e3d3e15d478b723d3fa342bf79733bc159ca19bf877c94e7793cc4b2645aaaed20db1d49b029f93bad3486 |
C:\Windows\system\aisdMUA.exe
| MD5 | 067efcd1760b9d4c9be5135a2a442fde |
| SHA1 | 25c330288218170df5cefd09ac728dcb65dce9e2 |
| SHA256 | f705b21cee936e88bb997094cccaf65791076b01bc45b05f2e4f5aac4aaeb3a4 |
| SHA512 | df5b3560f97b8d8011b15e7b0576253bd609c3d71b8bbce31443ccea24a41753d1e6969531220b5035a6b4f8b9259e1db6f0e794af930df44e30aeaf89ea3ae8 |
C:\Windows\system\XurKEql.exe
| MD5 | 588fb392166a118e85ca380e1e924965 |
| SHA1 | 4f0dda2a873202c59cdb14b6e1fcb12581c557b5 |
| SHA256 | c46dc2f71ae5a8d037436f0a3ea0d32fe82594a4cfdf9dd8f1bf504b3ea1149a |
| SHA512 | b39d58e6187ecd96feff934f321b4fbf864ed6850d4bbe9d1786f8caa83214b4b774768fd5092c62eca7185d511c984f34b2ac85fa63cdda1f322daf62c67874 |
C:\Windows\system\JunHmfQ.exe
| MD5 | ec77448f2398b704eccc5502a4d57b1a |
| SHA1 | f207d6fd854ef35e79c1bb94b2b5c11ae7edc531 |
| SHA256 | 5aa06da7affe9e8bfe5a2037453e05bec21546cf2d38b17c507b18043bc82dd3 |
| SHA512 | e1294254e95af84870d9c4f91cd21aa2f24cc4c421ac80fd9b7fd45aaa9a7bbd4648c97ba277bdedc160a849d530ee10f6875bbf30c4782aa2ca390c3d787aee |
C:\Windows\system\qyisume.exe
| MD5 | a01d6847cedc032220f4bf3b1d4d2cd7 |
| SHA1 | ba645e53c36cd2c512b0b26fbe3c56e79af5cfc4 |
| SHA256 | fbdda3a95fb6fdec55b64bbd6310b2f1a686068cafed72802632309f2238970a |
| SHA512 | 9fd24ca382cc2e3670d80e57f8572cb13807977c14c1810656eebbad23b504fd9a4c34ca2a785f55850d2b33b046805d8a583c1cae52f16846acd193b3b0b4b5 |
C:\Windows\system\WXfeEmL.exe
| MD5 | 8c2ad59738d1cfafdc03fc6cd208f504 |
| SHA1 | 5633f1803a0e47136bbfb65af958d1a1076515a8 |
| SHA256 | 6ef7ed837191f97c45104e7f8a6aa2dfb4a4107838df41d3fa30f2d4ed48c5be |
| SHA512 | 6fbe26a416b3985874c899dee04c770f87d0369821502054e207d9fa98dd8b43f2db2c41e4d757c2a1a9205a06ab4f5e65364fc402ed78b3382346c5613ccfb7 |
C:\Windows\system\bDVTZZK.exe
| MD5 | 9cfb4c89ea8f7ddb8e0a02ce1dd7787f |
| SHA1 | 641a3dd9a43bc812c13b1ade225626662649c436 |
| SHA256 | bb3678273bd22d4d4dbfe6586db7ab0a1a7e3faf2b70ea42f5df753272edea42 |
| SHA512 | 4fd74c8147a0ed80f5bd28e6ca35660f3d086f71b0c6b8eb0606183c1cdedd67b8df6556a9cd288ee0b3010f823481077b5ea8a2b78e85c50ec38948da68dc3b |
C:\Windows\system\UmcnAsp.exe
| MD5 | c624114489776791b6fba5fd33f16ddf |
| SHA1 | f1f6704beb1e495f3a8976f88b12ccdc3098281e |
| SHA256 | c2f4ea79904d1f9c5621009c98cd044a5293258ed4264856c3761bd41b555d3e |
| SHA512 | 4753094bfd0d4bca10f893febc83af6ce5bba7906d87ac92e536e7c65a20f346ec32397fb8bf5961521304419de290d23ec724103f3c8d6ba8037be0f906b516 |
C:\Windows\system\fSrbeSk.exe
| MD5 | 79cb17ac8d924a873835f6ee1da9f2fb |
| SHA1 | 526d51bc46003fb690f7d05f9c1bb4f91155c8fb |
| SHA256 | 0f0ff44e4ea17e8c337dcfabeea069a88a7809b24eb68b802a51ca14a20ccd28 |
| SHA512 | d7e7299c529d30e4ad469eae7914b8d2ea087555a181dbc15581b05942a27235cfe785af606e9e3331606cb7a05d1698d432e8cbeb380f11d86504e10cfdc137 |
C:\Windows\system\zqkQDZT.exe
| MD5 | 1606314ed3d399d9d32bdcbde3862aab |
| SHA1 | 2c617744f099d518c470ce3328c2ba61b4f8272b |
| SHA256 | bcd4ee11b2b12698de343fdbebad5ce0bd98b3a4bc13fa3741fd2c255fa1cf5e |
| SHA512 | 408924a40aa50d8fb61ae667e7e0c6f82cef73f2cd5af949f0fca6742090a64526e2520acb2ae093a7041c04cd4c82b152fbdde8bc1109cca21c8689f1bbe6eb |
C:\Windows\system\VBeoQZc.exe
| MD5 | 7331241f65fe7cdf6a5d543110f6df28 |
| SHA1 | 84cc7e04cfe04ea526c6a65fdce79ad4a51fb3ca |
| SHA256 | 153ddd80241fe5b74927afea3cedb81a4718b4a747f7e04613628f9fedad212b |
| SHA512 | 21b26c8d590c0289bb284f8360c40c4dc23a349351454d3ad74f712b7a6f84bfc749eb84b4b8eb37b04f65fc3568c1c67927aa8c8cdb413a1be1b04bb6bc770f |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-08-15 11:26
Reported: 2024-08-15 11:28
Platform: win10v2004-20240802-en
Max time kernel: 142s
Max time network: 150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System\FjBxCuW.exe | N/A |
| N/A | N/A | C:\Windows\System\QXZvFVt.exe | N/A |
| N/A | N/A | C:\Windows\System\YEVKYyq.exe | N/A |
| N/A | N/A | C:\Windows\System\sfxDGoe.exe | N/A |
| N/A | N/A | C:\Windows\System\lkTjlzX.exe | N/A |
| N/A | N/A | C:\Windows\System\xNlkhSH.exe | N/A |
| N/A | N/A | C:\Windows\System\BbZAvGd.exe | N/A |
| N/A | N/A | C:\Windows\System\HnJgTrX.exe | N/A |
| N/A | N/A | C:\Windows\System\hCirSkm.exe | N/A |
| N/A | N/A | C:\Windows\System\ADqpiVO.exe | N/A |
| N/A | N/A | C:\Windows\System\qyJMvnk.exe | N/A |
| N/A | N/A | C:\Windows\System\bdRJFIs.exe | N/A |
| N/A | N/A | C:\Windows\System\cgvyYsx.exe | N/A |
| N/A | N/A | C:\Windows\System\lItmsKe.exe | N/A |
| N/A | N/A | C:\Windows\System\oWSqqAO.exe | N/A |
| N/A | N/A | C:\Windows\System\VmksQfD.exe | N/A |
| N/A | N/A | C:\Windows\System\ovFtZMQ.exe | N/A |
| N/A | N/A | C:\Windows\System\NtHrteb.exe | N/A |
| N/A | N/A | C:\Windows\System\LHlqCnZ.exe | N/A |
| N/A | N/A | C:\Windows\System\cQNubHK.exe | N/A |
| N/A | N/A | C:\Windows\System\GLDyBYG.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-15_31673e4247eae31d066ac22e97907cf3_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\FjBxCuW.exe
C:\Windows\System\QXZvFVt.exe
C:\Windows\System\YEVKYyq.exe
C:\Windows\System\sfxDGoe.exe
C:\Windows\System\lkTjlzX.exe
C:\Windows\System\xNlkhSH.exe
C:\Windows\System\BbZAvGd.exe
C:\Windows\System\HnJgTrX.exe
C:\Windows\System\hCirSkm.exe
C:\Windows\System\ADqpiVO.exe
C:\Windows\System\qyJMvnk.exe
C:\Windows\System\bdRJFIs.exe
C:\Windows\System\cgvyYsx.exe
C:\Windows\System\lItmsKe.exe
C:\Windows\System\oWSqqAO.exe
C:\Windows\System\VmksQfD.exe
C:\Windows\System\ovFtZMQ.exe
C:\Windows\System\NtHrteb.exe
C:\Windows\System\LHlqCnZ.exe
C:\Windows\System\cQNubHK.exe
C:\Windows\System\GLDyBYG.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\FjBxCuW.exe
| MD5 | e8fa3f6841807d9afb9e89ecd8adfaea |
| SHA1 | 93cf284a25383997ea077ae006659288b6a6b484 |
| SHA256 | 49bb4e10ed381dbcf5bd994f1699cefb6a3983ab9c3985de8c1d2491f5e906c6 |
| SHA512 | e8e401f84e84e9ea521b95acf12d5e5fbe622feb5a10dd76bf4af15b6402078e463a9c06b534f9e61c05825fd3b44c9eda4f7c4045b7b04a7ddffdea5f815788 |
C:\Windows\System\QXZvFVt.exe
| MD5 | d7378d35b0bdd9da0cda68688417bc04 |
| SHA1 | a18682c31572a35d95990195d56df0d0c100fdb7 |
| SHA256 | 017a6e607e36d9215fce1ad9ad509e6ccf145c4c91c3f681317e6ccdf2bdff64 |
| SHA512 | 1546af34ad9f3e1e81500739dc5f10307f9bcf2d4ddf9daaf3e5c87fceb6ac7cda6839eaf27150995f7dd1b24f57a9fcd81428c52b3ec7894cebe43d9fa94c17 |
C:\Windows\System\YEVKYyq.exe
| MD5 | 51b300dfd3d8dfe39b1815c66d6b253a |
| SHA1 | f4cedf4e456ac8d7f6c712abe365390792b9cad5 |
| SHA256 | 7c4a6650d2e7e237f587ba2cfc7329d59fa3936b0ba79ea8e38c1109b525be71 |
| SHA512 | c1a23137ccb568470312928e71d6eebb77cc7fae45997614cdd2d221c3010e5563fc43a73846455e0e52e2cbbf60a634d55cfcab108fd40ce35ff4c8fe558813 |
C:\Windows\System\sfxDGoe.exe
| MD5 | 43cbfe605aaeedfedee64ac7ef04aac9 |
| SHA1 | 4137f14e350a0a08e27a793a5d2b7588fb48c61c |
| SHA256 | 4bbf370c33c818498257c297ebc2efd333640270497552e168c69e1f5354420b |
| SHA512 | 408bc153a21a573dd349de18f1f7cd9d85d8d7569ffdbc33c847b12d25c6da67daa3f621d8c3c9c9e6be4d1d1b598fc4343907b4eb9ba190d7912b12bacdf189 |
C:\Windows\System\lkTjlzX.exe
| MD5 | 7baf4d303584a39e0be2f3ec81d6779d |
| SHA1 | 7ba4922f5749a64a0e37da9d013c80194cf42167 |
| SHA256 | 8377a857efabc0d5bd083545f9a9d78014784d3474f489d69464d6239b605856 |
| SHA512 | c134fd6c9cf3326a8f0b9000dfcfc69cfa44f5de932144df2da0bdd8a49225e0e95da16840364ad9aeb4a3d5e6f726b9a02cd7397a18790a372fe6a3425f5cd9 |
C:\Windows\System\xNlkhSH.exe
| MD5 | e87503ac0486a4378abcf0586a21f0cd |
| SHA1 | 7807da7eabc8e6dbc9df2807251c7a40d82281a9 |
| SHA256 | 8eabbee432808eddcea0029215e5c01db210939e19498f983a9269a34f1df3e8 |
| SHA512 | 2d5552df5e6058c505e4c2adcf5aa5cd2bafbd55ba88cae3c85b323634deb2117b1c50cec9ced2c55d995faee6d38a3d6536fb95ead0b47836727dd4d2ccf0e0 |
C:\Windows\System\BbZAvGd.exe
| MD5 | e2480807fdc6b4ccc1a1416566411963 |
| SHA1 | 82cb25938e6cb2410d0cdeead1baf7e097b0acd9 |
| SHA256 | 8bd3613ab347cba28a8cfdfa0353e1246de18d4bfdb42512f1f8e9dbd6e5d9c6 |
| SHA512 | 216ceff4364b986992eec3414a3202015ed816f11adc1a8705698ab9f2c80ba4196f9e2cd6ed928ba8a5b12dcb14c32ecb36d525318edccc10f24717e7c81332 |
C:\Windows\System\HnJgTrX.exe
| MD5 | d3a76127cd59c2dcbd1a63a59b60e73b |
| SHA1 | 84a746446aa28161849a58c6bd6d761246056dab |
| SHA256 | d15bc19edd2ff7179216cfe7854bb327675abdc8b64d65f57157f4ff82d41de4 |
| SHA512 | 331a83d8b2323b65d024de9ae6e258d56b3b0b413e3423d364935e6d861252f257dfd10be0d5810743fb736f16a72356da373637ad3a266ec8b74d6cfd4318b8 |
C:\Windows\System\hCirSkm.exe
| MD5 | 93e262a9e74bf3c44c1cb730de184b0e |
| SHA1 | c626a8d93cdcfdd5656e82d162acf4a77c41adfa |
| SHA256 | ef43e3500bcc66989ce727b775b5a7efd4808f52efe74c95d6f550c363530022 |
| SHA512 | cc5d82fb68b811637d3477e7e7fd127ff2ba1afb0ad2cc165e058366260565d8ccd718fa6be1bf3ea619bf792ec9401cf629b9b896bf9d9947c86493633de0ff |
C:\Windows\System\ADqpiVO.exe
| MD5 | 6c2583c996f111f19e5b7f75afc483b3 |
| SHA1 | 9f8d1d5f527474b84b9f6e172ab16ae35f0e101c |
| SHA256 | 2b8191bfda83140beb86e2143ede8b8a5233558cdd52a8f11e9a3b3229b87ec5 |
| SHA512 | dc29aad93ad5b7efd4fdeed38c1e9c573cdec3292823d99e9adcd15f2ca7ff45ad21d79872dad969a7ebe7508fc7c67b1b4a1f70d603c3b54359387f0a84a5b2 |
C:\Windows\System\bdRJFIs.exe
| MD5 | 1fa12096508c3758bd3ddbf9be648964 |
| SHA1 | 224ac0cbeb61e1495729cb4c75a44c401e7cee40 |
| SHA256 | c33e78f25e37f3a67acacade190ce3c529a0e57bf09a17b394f57f02c03e9fe6 |
| SHA512 | d1ad99754cf2eb019c011b2b26b4578580bb9c9e99d3ffc887937d5203de2307a43a8bce5ae3f4bd611d4d6bde68ddf63fd4b2c5082c61708bc5a81bdaca15c0 |
C:\Windows\System\lItmsKe.exe
| MD5 | ac269a7c7f990cab81b4fb599f0846ef |
| SHA1 | 4ad00c599aef5642575b902889254a4bbf13a97c |
| SHA256 | e0aa76d4964649872309ba61d600a1f610694d251aaa156ae18c207b1e71d649 |
| SHA512 | fbd784d91f285df05ebe72741291e4121431ac1b24e51c071e29b482f5074a9ebcd859327912317f4ad952c22fe779263138aad4182c83764ddf002bbb028e8c |
C:\Windows\System\oWSqqAO.exe
| MD5 | facc283c552d499f18cc317bd2dee48c |
| SHA1 | 821a7d8b6095c87b07d96ebca06d55b8b1383106 |
| SHA256 | 2d8d7a9e2306b59aa57f5cd27fb7747f7e02f6cc21ebefa36bde32a5d8c123db |
| SHA512 | 94dd57a8982d06c67379001898e63c780b9695c917c81c5c438deaa2df60cfd8a9f6aac1de917f0b86c60958e726ccfd779ca2f4a43d72f766176af93c7ccf8a |
C:\Windows\System\ovFtZMQ.exe
| MD5 | 35a70af3a989d82bd9ca87e04fa6f19e |
| SHA1 | aefa5f268746b98cd1bbde79578f1d936a662281 |
| SHA256 | 8244541193388ec0c36a2e42c14d81180a029489079fb1aae9fbe975eb8849a4 |
| SHA512 | e404480c7349e0fa3ebe9e695bce8b251ccbefbc61d0865a373eee74a34b3af274496133d9cc717fb234323714f5102e3542d5e85161600a02b5f9e3ee9116a3 |
C:\Windows\System\LHlqCnZ.exe
| MD5 | d8d489b54d3997a4acff082fb366ff92 |
| SHA1 | e8b395136af54e9b181b4a308c2f9ccee83f9470 |
| SHA256 | 3ac5207e873b0e1f063f44fc9951c471545c81096ac50ea2fa6914627baf1997 |
| SHA512 | a2f57c80ea180e8f999390123817aafdf3437b2fd3900d47a8ad750dc5d6ced0e31f004e7b72548bd737adee150ec34fb5469ff123c014a27767a8acfc5bc4e5 |
C:\Windows\System\GLDyBYG.exe
| MD5 | e032952e73475f0e6c9d4003cc4adf41 |
| SHA1 | 162589ef8c75fffa70e1e299ab4ca87ba08baf4d |
| SHA256 | 647fd13facb74876ec209a0733fc791264640d58e014bb5a7611b42e9d430e68 |
| SHA512 | d8c221179149e068349c7ff9ece5721a64c10ca7dc25f048f46eff8da800a0ff82f620ab49591d7f74986facffc90dc07afb5f51fcd4801a6c1ac7aed2b960ce |
C:\Windows\System\cQNubHK.exe
| MD5 | 5fad8d860d8f195a113df5cd79864250 |
| SHA1 | 20ba13de75c87dfc7744448e1bddff9bef97da2f |
| SHA256 | c6a3c659532ed50824ab507ad5a23cfd0d31f537860da1dc77c57ce6e954c59a |
| SHA512 | c0cb9e295fb1cdee4036c727cbce441f49ed9e2614aa5bf2218dbf4420636a56be491fdeaab30df088a8ba04f4745026a52381d9c248a3b0060430760442c47c |
C:\Windows\System\NtHrteb.exe
| MD5 | 5f8c8bda73e71eed27d6ed53a23a03e3 |
| SHA1 | d2651135b02aea22b5c70a7b2e4f9fb424f8e8b9 |
| SHA256 | 20047d58aca3acff7ba22709f20e598f0f2cd1ba21da80fe5556fa05a420bf84 |
| SHA512 | bc9c84047d48d36e93bedcc500ed7e7ee74721979765b0cc62ea7d56cbede5df9764920583a51e25866c8757c4f7b702f239f2c541a619d1ef15f368db40c6ff |
C:\Windows\System\VmksQfD.exe
| MD5 | d36d365b614faeea4f86f6a7746dce48 |
| SHA1 | 21ce70eb2d20ec25a82828270481b2487e3ea3fe |
| SHA256 | 734d707e9907fc052b2127afc9a7ec5f7055991a4b6e502a58fae1f4bcc34075 |
| SHA512 | 88305bf00f12469d0a0d61fd938606872b2a13666ab596fe6ce6f5284f2ad85e6db0b602927dd13048f46a72789b38dc3c7a7f6f55c31d9ca91ab47a530f8b8e |
C:\Windows\System\cgvyYsx.exe
| MD5 | e00950f43b0f7be7fc64b684fb3c4870 |
| SHA1 | 77a76239829f5097b0f2be6195704398bd33cd2a |
| SHA256 | 30a76e28dda71078a26f45e7a6cb338902713a9572634950e6427d7da6faa12b |
| SHA512 | 901f26e4bb2008527709808773b78ac91a41528745123866224b26cacfe678839cc95943d214c542d0dd52a7189e846a3f8eef53dce1de49d6fb5f7b4d36690a |
memory/2716-74-0x00007FF6C85E0000-0x00007FF6C8931000-memory.dmp
C:\Windows\System\qyJMvnk.exe
| MD5 | 6e24d3cb8f69e2276bde10fc5dbd44d0 |
| SHA1 | ecb9dac4b91d33d1890a1c509b4b89079dd3cd70 |
| SHA256 | 17e8587ff7914772fb30e5b1b8cafd831ec0403f1c79eaa9661acb46d98fe128 |
| SHA512 | e04486d6c1a9a992542fd365dc08981f445c1f7163cfc9cf47a474adc09268062c43c28dc925aee9c1a31f5d13af0bd5eb79864b127c3f72e1711661fa99ae79 |
memory/3244-69-0x00007FF6BCC10000-0x00007FF6BCF61000-memory.dmp
memory/3352-66-0x00007FF73BBF0000-0x00007FF73BF41000-memory.dmp
memory/3056-54-0x00007FF6ED0A0000-0x00007FF6ED3F1000-memory.dmp
memory/1880-42-0x00007FF787660000-0x00007FF7879B1000-memory.dmp
memory/4280-22-0x00007FF6E0660000-0x00007FF6E09B1000-memory.dmp
memory/1188-121-0x00007FF7B61A0000-0x00007FF7B64F1000-memory.dmp
memory/3484-122-0x00007FF6C7C20000-0x00007FF6C7F71000-memory.dmp
memory/900-124-0x00007FF78C620000-0x00007FF78C971000-memory.dmp
memory/4940-123-0x00007FF72DDC0000-0x00007FF72E111000-memory.dmp
memory/4104-125-0x00007FF71E650000-0x00007FF71E9A1000-memory.dmp
memory/3352-126-0x00007FF73BBF0000-0x00007FF73BF41000-memory.dmp
memory/4708-130-0x00007FF66A3A0000-0x00007FF66A6F1000-memory.dmp
memory/4744-129-0x00007FF7BB450000-0x00007FF7BB7A1000-memory.dmp
memory/776-132-0x00007FF6D7EE0000-0x00007FF6D8231000-memory.dmp
memory/2560-134-0x00007FF650BE0000-0x00007FF650F31000-memory.dmp
memory/1516-133-0x00007FF773910000-0x00007FF773C61000-memory.dmp
memory/992-131-0x00007FF778C90000-0x00007FF778FE1000-memory.dmp
memory/1880-138-0x00007FF787660000-0x00007FF7879B1000-memory.dmp
memory/3544-140-0x00007FF662CB0000-0x00007FF663001000-memory.dmp
memory/4220-137-0x00007FF7694C0000-0x00007FF769811000-memory.dmp
memory/712-136-0x00007FF7BDB70000-0x00007FF7BDEC1000-memory.dmp
memory/4280-135-0x00007FF6E0660000-0x00007FF6E09B1000-memory.dmp
memory/440-141-0x00007FF7992F0000-0x00007FF799641000-memory.dmp
memory/2716-143-0x00007FF6C85E0000-0x00007FF6C8931000-memory.dmp
memory/3244-142-0x00007FF6BCC10000-0x00007FF6BCF61000-memory.dmp
memory/3352-153-0x00007FF73BBF0000-0x00007FF73BF41000-memory.dmp
memory/1032-203-0x00007FF7D34B0000-0x00007FF7D3801000-memory.dmp
memory/1188-205-0x00007FF7B61A0000-0x00007FF7B64F1000-memory.dmp
memory/4280-217-0x00007FF6E0660000-0x00007FF6E09B1000-memory.dmp
memory/4708-221-0x00007FF66A3A0000-0x00007FF66A6F1000-memory.dmp
memory/712-220-0x00007FF7BDB70000-0x00007FF7BDEC1000-memory.dmp
memory/4220-226-0x00007FF7694C0000-0x00007FF769811000-memory.dmp
memory/1880-227-0x00007FF787660000-0x00007FF7879B1000-memory.dmp
memory/3544-229-0x00007FF662CB0000-0x00007FF663001000-memory.dmp
memory/3056-224-0x00007FF6ED0A0000-0x00007FF6ED3F1000-memory.dmp
memory/3244-233-0x00007FF6BCC10000-0x00007FF6BCF61000-memory.dmp
memory/2716-235-0x00007FF6C85E0000-0x00007FF6C8931000-memory.dmp
memory/440-232-0x00007FF7992F0000-0x00007FF799641000-memory.dmp
memory/3484-248-0x00007FF6C7C20000-0x00007FF6C7F71000-memory.dmp
memory/2560-254-0x00007FF650BE0000-0x00007FF650F31000-memory.dmp
memory/992-256-0x00007FF778C90000-0x00007FF778FE1000-memory.dmp
memory/1516-260-0x00007FF773910000-0x00007FF773C61000-memory.dmp
memory/776-258-0x00007FF6D7EE0000-0x00007FF6D8231000-memory.dmp
memory/4104-251-0x00007FF71E650000-0x00007FF71E9A1000-memory.dmp
memory/900-247-0x00007FF78C620000-0x00007FF78C971000-memory.dmp
memory/4940-253-0x00007FF72DDC0000-0x00007FF72E111000-memory.dmp
memory/4744-245-0x00007FF7BB450000-0x00007FF7BB7A1000-memory.dmp