Analysis Overview
SHA256
133733bcdc40011509f82498b38480d38b381133a731d628ae8e2926d2139dcb
Threat Level: Known bad
The file 2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
xmrig
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
XMRig Miner payload
Xmrig family
Cobaltstrike
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-28 00:06
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 00:06
Reported
2024-06-28 00:09
Platform
win7-20240611-en
Max time kernel
125s
Max time network
139s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System\ftOheVX.exe | N/A |
| N/A | N/A | C:\Windows\System\wMnznLA.exe | N/A |
| N/A | N/A | C:\Windows\System\voVQOJk.exe | N/A |
| N/A | N/A | C:\Windows\System\UmjMXhQ.exe | N/A |
| N/A | N/A | C:\Windows\System\aELtPHd.exe | N/A |
| N/A | N/A | C:\Windows\System\ilXwGWh.exe | N/A |
| N/A | N/A | C:\Windows\System\dEUvAaT.exe | N/A |
| N/A | N/A | C:\Windows\System\SygfcrU.exe | N/A |
| N/A | N/A | C:\Windows\System\ENTgooL.exe | N/A |
| N/A | N/A | C:\Windows\System\gEZxQwx.exe | N/A |
| N/A | N/A | C:\Windows\System\qASADpO.exe | N/A |
| N/A | N/A | C:\Windows\System\IiKBgAn.exe | N/A |
| N/A | N/A | C:\Windows\System\aemVKzh.exe | N/A |
| N/A | N/A | C:\Windows\System\CGCMggr.exe | N/A |
| N/A | N/A | C:\Windows\System\GVwMGJv.exe | N/A |
| N/A | N/A | C:\Windows\System\brjKfGL.exe | N/A |
| N/A | N/A | C:\Windows\System\lntIsZJ.exe | N/A |
| N/A | N/A | C:\Windows\System\iZMgzVh.exe | N/A |
| N/A | N/A | C:\Windows\System\ouQToyH.exe | N/A |
| N/A | N/A | C:\Windows\System\houGYMS.exe | N/A |
| N/A | N/A | C:\Windows\System\zCbJtpo.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\ftOheVX.exe | C:\Windows\System\ftOheVX.exe |
| C:\Windows\System\wMnznLA.exe | C:\Windows\System\wMnznLA.exe |
| C:\Windows\System\voVQOJk.exe | C:\Windows\System\voVQOJk.exe |
| C:\Windows\System\UmjMXhQ.exe | C:\Windows\System\UmjMXhQ.exe |
| C:\Windows\System\aELtPHd.exe | C:\Windows\System\aELtPHd.exe |
| C:\Windows\System\ilXwGWh.exe | C:\Windows\System\ilXwGWh.exe |
| C:\Windows\System\dEUvAaT.exe | C:\Windows\System\dEUvAaT.exe |
| C:\Windows\System\SygfcrU.exe | C:\Windows\System\SygfcrU.exe |
| C:\Windows\System\gEZxQwx.exe | C:\Windows\System\gEZxQwx.exe |
| C:\Windows\System\ENTgooL.exe | C:\Windows\System\ENTgooL.exe |
| C:\Windows\System\qASADpO.exe | C:\Windows\System\qASADpO.exe |
| C:\Windows\System\IiKBgAn.exe | C:\Windows\System\IiKBgAn.exe |
| C:\Windows\System\aemVKzh.exe | C:\Windows\System\aemVKzh.exe |
| C:\Windows\System\CGCMggr.exe | C:\Windows\System\CGCMggr.exe |
| C:\Windows\System\GVwMGJv.exe | C:\Windows\System\GVwMGJv.exe |
| C:\Windows\System\brjKfGL.exe | C:\Windows\System\brjKfGL.exe |
| C:\Windows\System\lntIsZJ.exe | C:\Windows\System\lntIsZJ.exe |
| C:\Windows\System\iZMgzVh.exe | C:\Windows\System\iZMgzVh.exe |
| C:\Windows\System\ouQToyH.exe | C:\Windows\System\ouQToyH.exe |
| C:\Windows\System\houGYMS.exe | C:\Windows\System\houGYMS.exe |
| C:\Windows\System\zCbJtpo.exe | C:\Windows\System\zCbJtpo.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 00:06
Reported
2024-06-28 00:09
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System\MyZlmZR.exe | N/A |
| N/A | N/A | C:\Windows\System\tCZkaXG.exe | N/A |
| N/A | N/A | C:\Windows\System\JuqmgqJ.exe | N/A |
| N/A | N/A | C:\Windows\System\wWxlKPj.exe | N/A |
| N/A | N/A | C:\Windows\System\ailXrmt.exe | N/A |
| N/A | N/A | C:\Windows\System\MIvRKlL.exe | N/A |
| N/A | N/A | C:\Windows\System\eOlCwAg.exe | N/A |
| N/A | N/A | C:\Windows\System\DrIvdFf.exe | N/A |
| N/A | N/A | C:\Windows\System\cCPCWUu.exe | N/A |
| N/A | N/A | C:\Windows\System\NBbRtPC.exe | N/A |
| N/A | N/A | C:\Windows\System\EQiYNrs.exe | N/A |
| N/A | N/A | C:\Windows\System\QpjXYSg.exe | N/A |
| N/A | N/A | C:\Windows\System\wglDeKx.exe | N/A |
| N/A | N/A | C:\Windows\System\wKNjwJk.exe | N/A |
| N/A | N/A | C:\Windows\System\cIrqTqM.exe | N/A |
| N/A | N/A | C:\Windows\System\ZhRdYKK.exe | N/A |
| N/A | N/A | C:\Windows\System\xbvhJtW.exe | N/A |
| N/A | N/A | C:\Windows\System\rvsRukj.exe | N/A |
| N/A | N/A | C:\Windows\System\RQXvVqs.exe | N/A |
| N/A | N/A | C:\Windows\System\CGzjJix.exe | N/A |
| N/A | N/A | C:\Windows\System\iggrPjb.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-27_755db3989b25cb17784c3b2c578c5657_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\MyZlmZR.exe | C:\Windows\System\MyZlmZR.exe |
| C:\Windows\System\tCZkaXG.exe | C:\Windows\System\tCZkaXG.exe |
| C:\Windows\System\JuqmgqJ.exe | C:\Windows\System\JuqmgqJ.exe |
| C:\Windows\System\wWxlKPj.exe | C:\Windows\System\wWxlKPj.exe |
| C:\Windows\System\ailXrmt.exe | C:\Windows\System\ailXrmt.exe |
| C:\Windows\System\MIvRKlL.exe | C:\Windows\System\MIvRKlL.exe |
| C:\Windows\System\eOlCwAg.exe | C:\Windows\System\eOlCwAg.exe |
| C:\Windows\System\DrIvdFf.exe | C:\Windows\System\DrIvdFf.exe |
| C:\Windows\System\cCPCWUu.exe | C:\Windows\System\cCPCWUu.exe |
| C:\Windows\System\NBbRtPC.exe | C:\Windows\System\NBbRtPC.exe |
| C:\Windows\System\EQiYNrs.exe | C:\Windows\System\EQiYNrs.exe |
| C:\Windows\System\QpjXYSg.exe | C:\Windows\System\QpjXYSg.exe |
| C:\Windows\System\wglDeKx.exe | C:\Windows\System\wglDeKx.exe |
| C:\Windows\System\wKNjwJk.exe | C:\Windows\System\wKNjwJk.exe |
| C:\Windows\System\cIrqTqM.exe | C:\Windows\System\cIrqTqM.exe |
| C:\Windows\System\ZhRdYKK.exe | C:\Windows\System\ZhRdYKK.exe |
| C:\Windows\System\xbvhJtW.exe | C:\Windows\System\xbvhJtW.exe |
| C:\Windows\System\rvsRukj.exe | C:\Windows\System\rvsRukj.exe |
| C:\Windows\System\RQXvVqs.exe | C:\Windows\System\RQXvVqs.exe |
| C:\Windows\System\CGzjJix.exe | C:\Windows\System\CGzjJix.exe |
| C:\Windows\System\iggrPjb.exe | C:\Windows\System\iggrPjb.exe |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3044-0-0x00007FF6D8D20000-0x00007FF6D9074000-memory.dmp
memory/3044-1-0x00000223F66B0000-0x00000223F66C0000-memory.dmp
C:\Windows\System\MyZlmZR.exe
| MD5 | ef1db4519b689b0aaa8f4d9c4acaacb8 |
| SHA1 | 1cba9e23b4f879f9359a66575e89f2c0a4ea9300 |
| SHA256 | 5bbae32cebb9d4b515b92c27a0c86cc98645e42563070c55cabdc1db0aba54e3 |
| SHA512 | d973269516316a96e628156b051a8fcfe023094770f1387cfb8165985af3c406bd228dbb68dcb44bd9abab861a42a2ad8c94ed40105e9dbb22e52cc413e352e7 |
C:\Windows\System\tCZkaXG.exe
| MD5 | 76eb5edd19648d326bb486f191f3619b |
| SHA1 | 9c253b3b3329e079de0adf64f6d6be1088abb116 |
| SHA256 | 090a92548f32dfc6b825458d31c71abf9b13fb30792bd16a56b0cfc1d9b8b1dc |
| SHA512 | 99c2acd0fd4f5aebb383313ca5981529033aab8ae576b905097a451c670032cc13e95e549ce7b138a29f5fd068ede2dbbea21c2879c8ef3254e4935aad13652a |
C:\Windows\System\JuqmgqJ.exe
| MD5 | 656871cbb4b77e82f28940499d8f943e |
| SHA1 | c5b39057e21cd45f3122c9d7e79e0d21846b52c3 |
| SHA256 | 975c727217e17d6a0ee3a55931616687cf7c7733969c383d875686d15ba42e52 |
| SHA512 | e41b2e9d17f9049cc20b2c6a123add83e4c1e60fd679e5dab7116670d773d61433d7ccb84fd126730214aacfbbcf71ef79b9a68c8bd2a107acc7d0bcf7bf6d32 |
memory/32-11-0x00007FF6DC970000-0x00007FF6DCCC4000-memory.dmp
memory/116-14-0x00007FF7A8010000-0x00007FF7A8364000-memory.dmp
memory/2916-20-0x00007FF7D64B0000-0x00007FF7D6804000-memory.dmp
C:\Windows\System\wWxlKPj.exe
| MD5 | dfd4938c9dd94d1e2cf744bd224ffa38 |
| SHA1 | fef2bfcd4477e32bb8c93d14600849fff5a6a6b4 |
| SHA256 | 084a0e7e0b5d47b9a37fda581d22dfa645c827b7e9e715a134b0421bc606c561 |
| SHA512 | 40c22cafbac809b22692691bad2d69a5d6f364cf9d6cbbf3f396eac52c25305fcee6d592059e9fac1bda087ccb39d25e2a9321301c8054b6ea36a8f13cd601ac |
memory/3036-26-0x00007FF6C0CA0000-0x00007FF6C0FF4000-memory.dmp
C:\Windows\System\ailXrmt.exe
| MD5 | fbd24f96248df4e8416ab7fb3b353c7a |
| SHA1 | 686f2b98213856b394717da01bf15fd2fb0079d9 |
| SHA256 | db7a667248f17955b014b007163280efa357d6dc74b89f259e547bd13ff23922 |
| SHA512 | af9f4a2b05b3ba7036f943c7f9325a669821d7b3d3108c1602e761e07d5b24d0929e41a7a2102e449b18d53bb2057e232a0b1bb87d7cb1815bd81c4f9a130660 |
memory/3576-31-0x00007FF60F260000-0x00007FF60F5B4000-memory.dmp
C:\Windows\System\MIvRKlL.exe
| MD5 | eb9957c8e25d9cbdcc96597c57d4009a |
| SHA1 | 1986cf0fb004232351a5ce94b2c529ce6ea7a880 |
| SHA256 | 6ec4fdb662f2dc979c226ad322db1d612a36f559b7a249d4cd90abc9ed5fbb2e |
| SHA512 | 7e3db253d99c0cbc4d9de49e9deece23cdb74c5a54543cc7b4cb7dfd40cd5049a5edf6be5d9853766b5caa37db9715e012670be80868a4a71b18cf02b70f1629 |
C:\Windows\System\eOlCwAg.exe
| MD5 | 8b55be21b3c84e832c4b139e59a8594f |
| SHA1 | 0ba085ffeed2bd9624e11e4269a2d036602843d5 |
| SHA256 | 4903c4e92f4d587aa3c9e29594dbfc3a9b444aedbe5d8789866cfb2a65e1c899 |
| SHA512 | 0e5f3b559b4fce7e819859efa4b7c811e2381f233f9ee9df1ae88c24dbda6866c086e7f37dc8202ad1e906ca91aa4983cdd59b9f6fd4d8e67a5d41d7912017f2 |
C:\Windows\System\DrIvdFf.exe
| MD5 | f7b8051cd2bd4e73c2c78b36d305aa75 |
| SHA1 | 9a29ee7ff2e319ebb82aa107c5d80a1970fb9ac6 |
| SHA256 | e720bb414e33963ede7e66e0d5e63adc4e04e06148c954be3540db2f1c04389d |
| SHA512 | 66842bd9bb08a291bd7fa0b126a837566f5d11a84a518d2b52693fb460ba06c43f350b780d3c90c4af3adfea0a5c9d060700bc169f6c196c7f9a9f7b9e73b544 |
memory/4092-47-0x00007FF6AFF70000-0x00007FF6B02C4000-memory.dmp
memory/2632-44-0x00007FF62F610000-0x00007FF62F964000-memory.dmp
memory/756-40-0x00007FF6B2860000-0x00007FF6B2BB4000-memory.dmp
C:\Windows\System\cCPCWUu.exe
| MD5 | b8d7bca9824c7a62d7252db08e97dd7d |
| SHA1 | 6c2f45fed22a5e3cc0efb862a079ff4f8705f6a5 |
| SHA256 | 13c71e66b91476e92ebbdc5b9c582c380a8717879d4a7e1d3b6a933066910220 |
| SHA512 | 5b7902f618768aa9cccbe0c82415024c339e71dc0080a9b060c5bcef2f86704541cb0bfc375f266bf005f82ab6e6268a329fd4ec4e379ba94b4f44684aa2ace7 |
C:\Windows\System\NBbRtPC.exe
| MD5 | 51064964f182989c9672e8d758b59007 |
| SHA1 | b474b8dff201c1ff5aca14fe68af6160db72f4e2 |
| SHA256 | 1fe0398dfdaae3aa09c33bb2f778e2cbd8eff44eb9482dc997aa00695bdef0d0 |
| SHA512 | ed07bce2ddb65d1d302bab071016d8d182ffec3da4cac2a3543a3fe053920405293dde8dda73d995da0af497f029c69ef6b3cafea297a7a750872304d030c73e |
memory/3044-60-0x00007FF6D8D20000-0x00007FF6D9074000-memory.dmp
memory/2592-61-0x00007FF6EDBB0000-0x00007FF6EDF04000-memory.dmp
memory/4084-54-0x00007FF6B2540000-0x00007FF6B2894000-memory.dmp
C:\Windows\System\EQiYNrs.exe
| MD5 | 42618e2a689ac370ad3cecec46b7ae00 |
| SHA1 | 78f9c6088e437d37ae2a7f19d4827d623e598736 |
| SHA256 | 6b6f431f1d5e4250cdc729dbda1130c58d4bcf589cb217771f7ad0e5bb989b5f |
| SHA512 | 52c42daed65bedcea13f93b50aa26af91eabb0e9a73058c83d7cb391627fd54ab023b17c6d59d5d78e8c9c45c76a725fd60c79eca12d583a19b598e2c942370f |
C:\Windows\System\QpjXYSg.exe
| MD5 | 6b3b76efc46f06d209292a6c26001ca6 |
| SHA1 | 0248588d24dbc7224e1bcff3f7128295e826cb45 |
| SHA256 | 7d8d3321a58098c4eabdd27c071ff56d30a7757e1b32db0b02c502a1ec16e47c |
| SHA512 | aa17577092d230bd7db7947854a39bfe76e8e48a4a772f6f968307da7e74a179cf56befaaa8f82041de5bd2bec7862fac5fedf959753689905aa59233a560d8b |
memory/644-70-0x00007FF69BE10000-0x00007FF69C164000-memory.dmp
memory/116-75-0x00007FF7A8010000-0x00007FF7A8364000-memory.dmp
C:\Windows\System\wglDeKx.exe
| MD5 | 715ee81e2ebc73f0d0faae3c9039da7e |
| SHA1 | fe96921eabeed79c7474896624ca97d328a0a5d8 |
| SHA256 | 7ed094ca646ed355a0b48bd5a6cd38fed674b0c6dfc1e02fc79b3640bda96f21 |
| SHA512 | 069e0b9e4c2bafc0266e7a047522d3283fb0d5b81876cf3addcfb35b2ea01927fa6e9c1259860e611cdd33f0f0bead6e597f1ecc5ee04080c4816bac295b301a |
memory/4296-77-0x00007FF7007C0000-0x00007FF700B14000-memory.dmp
memory/2772-82-0x00007FF6A0360000-0x00007FF6A06B4000-memory.dmp
C:\Windows\System\wKNjwJk.exe
| MD5 | 8e877045c3ac34ec6f1ce8dbdeeaa03f |
| SHA1 | 339e8f21602713e2d26ca8c6d244580941dc0033 |
| SHA256 | 01e83bce1ae5d26c464975a197c285b7b829d0bf9758f4506563f623a67b5100 |
| SHA512 | a58d2bd40575e77deb51ab765a6d264427598a8a286902df630455c2dbd56a19e959b62976980a04ba06133b01fe7f249a68b13c6340a0b7a695217e9dc1fd35 |
memory/1132-86-0x00007FF6BCB30000-0x00007FF6BCE84000-memory.dmp
C:\Windows\System\cIrqTqM.exe
| MD5 | 27b862f07fb7967bd400a3f6467694e8 |
| SHA1 | 7237c7ff4dd42805986904f44f7a5064441e05ba |
| SHA256 | 63f7783401edf7f807db3fac53b361ba7b23bec1ab720158326cab7bc72df808 |
| SHA512 | eedfd3eb15fe0b2a89d83fb41fe519ff7c3305d6b3695492118c666c4646c88dc92bdcbfeb13f184a4fe3a143cc67a9ef040f92eb8c200239db11d0bef28e019 |
memory/3576-92-0x00007FF60F260000-0x00007FF60F5B4000-memory.dmp
C:\Windows\System\ZhRdYKK.exe
| MD5 | 1fc9369a0f7b51bdf02fa288c0170193 |
| SHA1 | 38bab2a3993d427b5557474fecd7a8d61243c5e9 |
| SHA256 | 869fa3bd90e3aefe56cb56934f92dae45a130660a1d5c6fd3d2e151ffe8aa43a |
| SHA512 | 5ef0acf9aea25b323ff9fc63b9e23a8d31f25fde9f81adac5c3ca8482562bc857c6f2e651c474fd4472b0115b308a88417da08657c5fd645435decc9dac176bc |
memory/4012-93-0x00007FF73B400000-0x00007FF73B754000-memory.dmp
memory/3372-101-0x00007FF71C220000-0x00007FF71C574000-memory.dmp
C:\Windows\System\xbvhJtW.exe
| MD5 | f45a3693a92de2e8d86516fcd34e451c |
| SHA1 | 4c586b8fc022c2996df4102b9c80d809096fc00e |
| SHA256 | f607fe509d6ad83b2f1e371228b0411a57362d3d780432b68dba797b3759b9e6 |
| SHA512 | 985283800c71697090b2a97b72243c395a12c52e9383f7190a91636a33bcc7189bd289197cca2e741e16f532909c3cd271e1e2f13b9f443460d703f228b5b593 |
C:\Windows\System\rvsRukj.exe
| MD5 | 5eb231e3604fa468ef9a932f7d38b337 |
| SHA1 | 35e17c0fed798c332ee6a262662521ecc0713dcc |
| SHA256 | 4f1b849a9bfdd728201719d5dc729435800fbcd3b7059966a3adb28607534f41 |
| SHA512 | cd5cdd85f674da108d17ee365927beb05c4e821342450a55327dec13c96c66054bdaff9a946f27a77a7b5cc319d4770e71aefef3d89dc66746b63398e19f360d |
memory/4808-106-0x00007FF691DC0000-0x00007FF692114000-memory.dmp
memory/4084-114-0x00007FF6B2540000-0x00007FF6B2894000-memory.dmp
C:\Windows\System\RQXvVqs.exe
| MD5 | 66ba21d5069d6807b75fba3d407c45eb |
| SHA1 | 572a5c3c4f50469ffe307666ff8039bf2beafaa8 |
| SHA256 | eb5b5697ad2272c593f79f37fc728c0bcec0a2aa88084298b1e7a19f050fe980 |
| SHA512 | 0405dd095858d04597d8c19ff937596616a5b1d4daa37e66e9efcfaf8b5d1c01f870c58bd37fdce513522a21e339c0a64e3247424f7e45f0a08b97b76188a741 |
memory/3200-117-0x00007FF7177D0000-0x00007FF717B24000-memory.dmp
memory/532-121-0x00007FF6CDDA0000-0x00007FF6CE0F4000-memory.dmp
C:\Windows\System\CGzjJix.exe
| MD5 | ce6a23b79d6f3e27cfcd5cb736a444d3 |
| SHA1 | fcff04e9d64a9d0fb0b3976c0d213d5bfaa4f700 |
| SHA256 | bd87760da5ea5deed5a5a94e6d9bbe72602867472b872acc54ff69cb9216c20c |
| SHA512 | 01d00ca4c7abe370f98d48092aa25c944de0d3d1b9a711b9b7381fa23f47f9c9c302c31201ef0b5b8df39dac9db280b2d80ce757285f4cdd81396b6e96f091b1 |
memory/1044-126-0x00007FF74AD30000-0x00007FF74B084000-memory.dmp
C:\Windows\System\iggrPjb.exe
| MD5 | 153e8aa2950d590337316f57414776df |
| SHA1 | b833536383ae68d24085c38987a11179d61179b4 |
| SHA256 | 66dcd9bf80e473d3d47cc14656ba267aa87dbedbc63e202d8593862769905739 |
| SHA512 | d561444c68f0639daad99eadbb7d11ed63eea0445d8f7fad9362461fb347f8b7da22a69f7a504bb57ab887d045c74a57103e5a4acd5393fdf57ef96033b73547 |
memory/2592-125-0x00007FF6EDBB0000-0x00007FF6EDF04000-memory.dmp
memory/4092-113-0x00007FF6AFF70000-0x00007FF6B02C4000-memory.dmp
memory/2620-133-0x00007FF761A10000-0x00007FF761D64000-memory.dmp
memory/1132-134-0x00007FF6BCB30000-0x00007FF6BCE84000-memory.dmp
memory/4012-135-0x00007FF73B400000-0x00007FF73B754000-memory.dmp
memory/4808-136-0x00007FF691DC0000-0x00007FF692114000-memory.dmp
memory/1044-137-0x00007FF74AD30000-0x00007FF74B084000-memory.dmp
memory/32-138-0x00007FF6DC970000-0x00007FF6DCCC4000-memory.dmp
memory/116-139-0x00007FF7A8010000-0x00007FF7A8364000-memory.dmp
memory/2916-140-0x00007FF7D64B0000-0x00007FF7D6804000-memory.dmp
memory/3036-141-0x00007FF6C0CA0000-0x00007FF6C0FF4000-memory.dmp
memory/3576-142-0x00007FF60F260000-0x00007FF60F5B4000-memory.dmp
memory/756-143-0x00007FF6B2860000-0x00007FF6B2BB4000-memory.dmp
memory/2632-144-0x00007FF62F610000-0x00007FF62F964000-memory.dmp
memory/4092-145-0x00007FF6AFF70000-0x00007FF6B02C4000-memory.dmp
memory/4084-146-0x00007FF6B2540000-0x00007FF6B2894000-memory.dmp
memory/2592-147-0x00007FF6EDBB0000-0x00007FF6EDF04000-memory.dmp
memory/644-148-0x00007FF69BE10000-0x00007FF69C164000-memory.dmp
memory/4296-149-0x00007FF7007C0000-0x00007FF700B14000-memory.dmp
memory/2772-150-0x00007FF6A0360000-0x00007FF6A06B4000-memory.dmp
memory/1132-151-0x00007FF6BCB30000-0x00007FF6BCE84000-memory.dmp
memory/4012-152-0x00007FF73B400000-0x00007FF73B754000-memory.dmp
memory/3372-153-0x00007FF71C220000-0x00007FF71C574000-memory.dmp
memory/4808-154-0x00007FF691DC0000-0x00007FF692114000-memory.dmp
memory/3200-155-0x00007FF7177D0000-0x00007FF717B24000-memory.dmp
memory/532-156-0x00007FF6CDDA0000-0x00007FF6CE0F4000-memory.dmp
memory/2620-157-0x00007FF761A10000-0x00007FF761D64000-memory.dmp
memory/1044-158-0x00007FF74AD30000-0x00007FF74B084000-memory.dmp
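The Processes, Network and Files sections above give three kinds of indicator that are worth more than the raw hash list suggests: every dropped executable lands directly in C:\Windows\System\ with a seven-letter mixed-case name, the sample opens six TCP connections to 3.120.209.58:8080 (the 8.8.8.8.in-addr.arpa entry is a PTR lookup of the sandbox resolver and points at no attacker infrastructure), and although the 21 dropped files all carry different hashes, every mapped image range listed under memory/ spans the same 0x354000 bytes, so matching on one copy's hash will not catch its siblings. The script below is an added example, not code from the sandbox or from this report: it parses a short excerpt written in the report's own Files layout (three of the dropped files, hashes copied from the page), builds a matcher from the hashes, the path pattern and the C2 endpoint, and runs it over a constructed batch of telemetry events. The event dictionary shape (`type`, `image`, `sha256`, `dst_ip`, `dst_port`) and the sample events are assumptions for illustration.

```python
"""Turn this report's dropped-file hashes, C2 endpoint and dropper naming
pattern into a small matcher and run it over constructed telemetry."""
from __future__ import annotations

import re
from collections import Counter

# Excerpt in the report's own "Files" layout: three of the 21 dropped files,
# hashes copied from the page. The memory/ line shows the parser skipping it.
REPORT_EXCERPT = r"""
C:\Windows\System\MyZlmZR.exe
| MD5 | ef1db4519b689b0aaa8f4d9c4acaacb8 |
| SHA256 | 5bbae32cebb9d4b515b92c27a0c86cc98645e42563070c55cabdc1db0aba54e3 |
memory/32-11-0x00007FF6DC970000-0x00007FF6DCCC4000-memory.dmp
C:\Windows\System\tCZkaXG.exe
| MD5 | 76eb5edd19648d326bb486f191f3619b |
| SHA256 | 090a92548f32dfc6b825458d31c71abf9b13fb30792bd16a56b0cfc1d9b8b1dc |
C:\Windows\System\JuqmgqJ.exe
| SHA256 | 975c727217e17d6a0ee3a55931616687cf7c7733969c383d875686d15ba42e52 |
"""

# A dropped-file entry starts with a drive-letter path ending in .exe and is
# followed by "| <algo> | <hex> |" rows until the next path or memory/ line.
PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$", re.IGNORECASE)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$", re.IGNORECASE)

# Behavioural pattern from the Processes list: seven letters, directly under
# C:\Windows\System\ (not System32), .exe extension.
DROPPER_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)

# Destination contacted six times over TCP in the Network table.
C2_ENDPOINTS = {("3.120.209.58", 8080)}


def parse_dropped_files(report: str) -> dict[str, dict[str, str]]:
    """Map each dropped path in the report text to its {ALGO: hex} dict."""
    files: dict[str, dict[str, str]] = {}
    current = None
    for raw in report.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = line
            files[current] = {}
        elif current and (m := HASH_RE.match(line)):
            files[current][m.group(1).upper()] = m.group(2).lower()
    return files


def classify_event(event: dict, known_sha256: set[str]) -> list[str]:
    """Return the reasons one telemetry event matches this report's IOCs."""
    reasons: list[str] = []
    if event.get("type") == "process":
        # Hash match: exact copy of a dropped file, wherever it now lives.
        if event.get("sha256", "").lower() in known_sha256:
            reasons.append("hash:known-dropped-file")
        # Path match: catches sibling drops whose hashes are not on the list.
        if DROPPER_NAME_RE.match(event.get("image", "")):
            reasons.append("path:random-name-in-windows-system")
    elif event.get("type") == "network":
        if (event.get("dst_ip"), event.get("dst_port")) in C2_ENDPOINTS:
            reasons.append("net:known-c2-endpoint")
    return reasons


def triage(events: list[dict], known_sha256: set[str]) -> Counter:
    """Count each match reason across a batch of events."""
    hits: Counter = Counter()
    for ev in events:
        for reason in classify_event(ev, known_sha256):
            hits[reason] += 1
    return hits


# Constructed telemetry, not from the report: a renamed copy of MyZlmZR.exe,
# a dropper-style path with an unknown hash, one beacon, one benign process.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Users\Admin\Downloads\update.exe",
     "sha256": "5BBAE32CEBB9D4B515B92C27A0C86CC98645E42563070C55CABDC1DB0ABA54E3"},
    {"type": "process", "image": r"C:\Windows\System\qWeRtYu.exe", "sha256": "0" * 64},
    {"type": "network", "dst_ip": "3.120.209.58", "dst_port": 8080, "proto": "tcp"},
    {"type": "process", "image": r"C:\Windows\System32\svchost.exe", "sha256": "1" * 64},
]

if __name__ == "__main__":
    known = {h["SHA256"] for h in parse_dropped_files(REPORT_EXCERPT).values() if "SHA256" in h}
    for ev in SAMPLE_EVENTS:
        print(classify_event(ev, known), ev)
    print(triage(SAMPLE_EVENTS, known))
```

The path rule is deliberately narrow (seven letters, no digits, directly under C:\Windows\System\) because that is exactly what the 21 drops in this detonation look like; widen it only after checking what legitimately lives in that directory on your fleet, since the hash set alone covers just the copies the sandbox happened to see.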