Analysis Overview
SHA256
3c2f8effbe01c0fe9a5baac25cf0c5f59c189fa468f6b16c1b95d1e4fc8b1819
Threat Level: Known bad
The file 2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Xmrig family
UPX dump on OEP (original entry point)
XMRig Miner payload
xmrig
Detects Reflective DLL injection artifacts
Cobaltstrike
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX dump on OEP (original entry point)
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-28 00:11
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 00:11
Reported
2024-06-28 00:13
Platform
win7-20240611-en
Max time kernel
134s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\WGAxUNc.exe | N/A |
| N/A | N/A | C:\Windows\System\TTkmDRj.exe | N/A |
| N/A | N/A | C:\Windows\System\KMPPZrN.exe | N/A |
| N/A | N/A | C:\Windows\System\GMYHtgi.exe | N/A |
| N/A | N/A | C:\Windows\System\INlGxhx.exe | N/A |
| N/A | N/A | C:\Windows\System\gmaDEBa.exe | N/A |
| N/A | N/A | C:\Windows\System\IuFgFuP.exe | N/A |
| N/A | N/A | C:\Windows\System\VsnVnfP.exe | N/A |
| N/A | N/A | C:\Windows\System\jirIdKM.exe | N/A |
| N/A | N/A | C:\Windows\System\iFsOJWX.exe | N/A |
| N/A | N/A | C:\Windows\System\NmZERlQ.exe | N/A |
| N/A | N/A | C:\Windows\System\nMKQChI.exe | N/A |
| N/A | N/A | C:\Windows\System\SyZmZtA.exe | N/A |
| N/A | N/A | C:\Windows\System\cJGBWLN.exe | N/A |
| N/A | N/A | C:\Windows\System\gHVxJuA.exe | N/A |
| N/A | N/A | C:\Windows\System\EEZVqkx.exe | N/A |
| N/A | N/A | C:\Windows\System\jlaTiXV.exe | N/A |
| N/A | N/A | C:\Windows\System\uSEBNhO.exe | N/A |
| N/A | N/A | C:\Windows\System\RjMutyh.exe | N/A |
| N/A | N/A | C:\Windows\System\UXRZlVz.exe | N/A |
| N/A | N/A | C:\Windows\System\AtwvJvR.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\WGAxUNc.exe
C:\Windows\System\WGAxUNc.exe
C:\Windows\System\TTkmDRj.exe
C:\Windows\System\TTkmDRj.exe
C:\Windows\System\KMPPZrN.exe
C:\Windows\System\KMPPZrN.exe
C:\Windows\System\GMYHtgi.exe
C:\Windows\System\GMYHtgi.exe
C:\Windows\System\INlGxhx.exe
C:\Windows\System\INlGxhx.exe
C:\Windows\System\gmaDEBa.exe
C:\Windows\System\gmaDEBa.exe
C:\Windows\System\IuFgFuP.exe
C:\Windows\System\IuFgFuP.exe
C:\Windows\System\VsnVnfP.exe
C:\Windows\System\VsnVnfP.exe
C:\Windows\System\jirIdKM.exe
C:\Windows\System\jirIdKM.exe
C:\Windows\System\iFsOJWX.exe
C:\Windows\System\iFsOJWX.exe
C:\Windows\System\NmZERlQ.exe
C:\Windows\System\NmZERlQ.exe
C:\Windows\System\nMKQChI.exe
C:\Windows\System\nMKQChI.exe
C:\Windows\System\SyZmZtA.exe
C:\Windows\System\SyZmZtA.exe
C:\Windows\System\cJGBWLN.exe
C:\Windows\System\cJGBWLN.exe
C:\Windows\System\gHVxJuA.exe
C:\Windows\System\gHVxJuA.exe
C:\Windows\System\EEZVqkx.exe
C:\Windows\System\EEZVqkx.exe
C:\Windows\System\jlaTiXV.exe
C:\Windows\System\jlaTiXV.exe
C:\Windows\System\uSEBNhO.exe
C:\Windows\System\uSEBNhO.exe
C:\Windows\System\RjMutyh.exe
C:\Windows\System\RjMutyh.exe
C:\Windows\System\UXRZlVz.exe
C:\Windows\System\UXRZlVz.exe
C:\Windows\System\AtwvJvR.exe
C:\Windows\System\AtwvJvR.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2424-0-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2424-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\WGAxUNc.exe
| MD5 | 0abcb36fbfde006be1ead7e7e306ea13 |
| SHA1 | 9b226dd2006c3b426e5ab8a6944c43955e59547e |
| SHA256 | 31f95f0df97e94d9aa1e80bd6079be6442ca5b5995e9c653a955e2e731071934 |
| SHA512 | 0c208ff130bd82a523ed9b8b0a06c3df70957f6f985e2bd7dc352ef8526021869f40e199568a0819e16d3d3321d16f60b78d23854b0eeba9d7a1c2e844b84a24 |
C:\Windows\system\TTkmDRj.exe
| MD5 | 5edd47916cb6941872a8e38cab2a1531 |
| SHA1 | 937db0ee47cc1f2cac0b49d7a233ad4ff70e8cf1 |
| SHA256 | 5a36fca304e283be6bcf02e0781a68eff6f71ffebc392d697190a9cf44fa3d51 |
| SHA512 | 647869e1c8a7b22cb201b047c7b47cd30151d3764845b14eda8ea3dc3dfb964d790485fb02330664ee0b5740ec2ef93053183d40baba7f4ea2a6af675bfe4ed3 |
C:\Windows\system\KMPPZrN.exe
| MD5 | fad8ffa31b4e6689a4b33b2a9d633718 |
| SHA1 | cef1ec3978a1f64036cfcbd2bd9aa73ca73850b6 |
| SHA256 | cfd4419dde3a4c7c0d29429a1d9c55c477c18df5cea5e00048d9d06866d84f34 |
| SHA512 | 4ac171b137c9ba4af7795f77e2ee717fb20101e6b0a724c3324c3b939a398e912ae2f891a264644a62f4344099ebf8f0622b564161c93bff3eea9a855de4fbaa |
C:\Windows\system\GMYHtgi.exe
| MD5 | bd52a45ff622b5b94a12f033b39cd55e |
| SHA1 | f915a8df7dd3a5080ecfd1ce25f9a3e20d8f84b0 |
| SHA256 | 03dee971679b0da0ab50e05d425c12b6d880affeb65df7861a195a1bc2fea6e8 |
| SHA512 | 0203a7b7a0aed8b8762968e6886a6f7c1a761478298642c7126ad3e09ae4376a90b7296be3f329fcff893d891d48a83d7327e4e7dcf4707abc28d028c3538a2e |
C:\Windows\system\gmaDEBa.exe
| MD5 | 940752a67bc8d32ca6ea3ebbae154299 |
| SHA1 | d5dc1292d53e45bcfda35805b3d6fab20e2d742d |
| SHA256 | 0b026e5bc15130c0c399b5be2c95f3ab6337becfe3f12ce6499b14a38b08ce11 |
| SHA512 | 2f97fe6c8f5e97a1cfa514b46c07acfac8f4ac534e18ebd83a865d2d4dabd9352864b48b7b14237c60dd10fbca3f6ff7205876e7d79ccb9e1777aa8d3d402c46 |
C:\Windows\system\VsnVnfP.exe
| MD5 | a6a032d8297e8afa5d65f93481f57e36 |
| SHA1 | 2f1762af5baebbbd4771b7cb0468c0c2e99ce40d |
| SHA256 | aab5e6ba35018860aa165fa3130062e9534b71f2bceec87dfebf406388a212cf |
| SHA512 | 99d5d589776b28c7316557abdfd0207ca42e87a4c194eedc9fe694ae276fdb919881f06d8a67bf81bc317717ae10ef6c8702a113187131e6a573496e5f509c14 |
C:\Windows\system\jirIdKM.exe
| MD5 | a9a5b9472afedb3fcec3af260b96cadb |
| SHA1 | 86e421dcefe3365d95afaf90838a15f55783677a |
| SHA256 | d07bdae91015e13792d70faf3e9f2699f255f1b22e68131e97133003e5410e99 |
| SHA512 | a2af93434d08803f27308dae93faf5610864777c791a92fa930561c81ceaea592986e8b01fde45df7ace83603bf60f859bd4853f7f9317e550067cde24e5aa1d |
C:\Windows\system\NmZERlQ.exe
| MD5 | 433306bd33551dd04d024f28ec820e24 |
| SHA1 | 77e7d0783810a959e024c4f43af49e91b84531b0 |
| SHA256 | 54f4e0e55a98664b0a089d4506dd1cbc7c1f18dc799367ba9fc2f09f004d2186 |
| SHA512 | 7f9dbfc975f0ae9ba558eed92c1bd6905067d5a97f769818724dbb1b15b40193975a717c3cf45048311aa97d7af2b4fd68e7fc3db9f3ad1e91bfc264c5bed61c |
C:\Windows\system\nMKQChI.exe
| MD5 | fe91f93a07407fc6d69bad246a767d96 |
| SHA1 | 21ef35ded0000e652ea072df1a75c5b0052d13d3 |
| SHA256 | 0ff5359b725515e9c663f1b78e7ce09903e96137d1e6606d969fa307681ba597 |
| SHA512 | 2d92ba54c36d3a77c1fdded3e92dd3d8ee624bb36771d29d311ba2d964819ffe2bee077c9e2fe2c8c9c759ceceb2706daa1ee15450a243f65492c23555a1a3bb |
C:\Windows\system\SyZmZtA.exe
| MD5 | eead0e592bf64191850673374422f927 |
| SHA1 | 502591d4194bf79d3261b04630abe26accee51a7 |
| SHA256 | c355b50a9c0bb3bca51237b43a5ae64e4e5c8371cee8c7c077c1373274db6f56 |
| SHA512 | 9ae6de2fdba4e6752dacba64b9454bdcb57fd09ea183174a92a3907741aa2be5d8fa95369429e9a9e030439d45d4ba0d83f09d5764cc4e6a00e7212c691c9a58 |
C:\Windows\system\jlaTiXV.exe
| MD5 | 30d78bdc76522ccf31c91e0034cc1511 |
| SHA1 | d83dec1c094e1e3d4093b55277a1a36a4c81794a |
| SHA256 | dac068b298970af44bded6e3c75f44df48e29ae582044493d18e44de6de45b5d |
| SHA512 | 6dc45ca7c61edeb4992cbb0111089113e5a81d4c7f8e9220d33cd4b1083d6e111e1b325af7d7ce2df7c2616011967514e10bbad9d955fb2dd97d2cd6ec500104 |
C:\Windows\system\RjMutyh.exe
| MD5 | e575f356a7b6427e3b49d854215e5c5f |
| SHA1 | 6e737333f4894d04cdb9bd24e18c1b6025fbe07a |
| SHA256 | 17e8e7af142b6de6697957104c7f0debf742c792e6bcf1e1b87fea40a4568f64 |
| SHA512 | 4e624a06b47b84577d1aa6835035f283b59d3154014861016b55743c0a55ee8b386323882c6c8d4e8122ffdbcf7de8244c393c5ce29f5711c26734d45cc25a0d |
C:\Windows\system\AtwvJvR.exe
| MD5 | 3b73c350a9955ca3b90342b8dcacfd58 |
| SHA1 | 60b90604c0503e151ece5a861e9a7ac889582390 |
| SHA256 | 2617ff3eac81c0ff6e21c42c8556381931ffbdf62c5d8e103879574743659e58 |
| SHA512 | 4a3c85c1e871f06d68e7887adff497966fe42fd8d9f280a9490fe0d2c26768ef4013250a6fa2b4f0b28e7cea528f679eea973a76e25c6a63413dfdaaa9a226e2 |
C:\Windows\system\UXRZlVz.exe
| MD5 | 9138c672f64ba376557af0a8071627f8 |
| SHA1 | f119d19fca8ff00b6f637e962210b330e71dac6e |
| SHA256 | fe3cec22639d5ac209db8bff70ec753aab548e6e1b14a22e820567c21fb20dc4 |
| SHA512 | 24d46679fc23532a68e08ca60383e68f1eaa08c6b11e10490266e629bfd99b4e6550b32e802ce0b6486f3803f10e988eb209ac4f5e21499ad7873ed7143c1106 |
C:\Windows\system\uSEBNhO.exe
| MD5 | 80eba98a4c25e942a58b46fd1acf6cf8 |
| SHA1 | 97777443d7e5431fb57046a247171f61d56215f4 |
| SHA256 | ff1e9d0f1c1512c65f89963628760089c62cfb5fb64a1d805464dafbeca512bd |
| SHA512 | 0455a1d3edfabc48078a6366e8e73d527d7e850499607239eb733ccad420065ab56233e9fc846b67ff7c2f4ae82942889c297483917faae58e6b4322d8a8753e |
C:\Windows\system\EEZVqkx.exe
| MD5 | 84dbfafb62965da1e5c66ea922b8c4cf |
| SHA1 | 3a354839155421002174205b9ade5b19376ca31a |
| SHA256 | 48461d0dedb4bd2f326815a2d07eced40abd0caba9c52927af04e29aebc2338c |
| SHA512 | a4431d4a016c405c7f5ff0a1a27366d05cd1075b15f12d204a164ab73a8e8a2eb49825cda583941008f4130d014cceffb243854cc2129a7ad585d8b773dfb956 |
C:\Windows\system\gHVxJuA.exe
| MD5 | fec8148493519d314fba31508bf3cec2 |
| SHA1 | 9c5934ea498488c65e0063fced75c305ab0e153b |
| SHA256 | 9065aa2ec74846d3048a8a7fb53d81a85f0b0cee04d00d86a587213402b604ab |
| SHA512 | 3595f8f2ab0e69791d80756bc991166199806ad6147f6b0ab39166a15da8a4083b4457e2283328c01b28dee188ba4076acec3d28f8925ee3b85fbe9dc31ca1a9 |
C:\Windows\system\cJGBWLN.exe
| MD5 | 7f57f0fb2e2be7b4c4b9cad4807dd928 |
| SHA1 | 5feadd0a0c0f8ddab73cabce1cbb192a4c248df0 |
| SHA256 | 3069218205b165b2e0245202991a6858554de5ed1b0ca8380ff0d1b395d04526 |
| SHA512 | 87b67ee10bef7327c17528cd748aa6ce03ab023476debeedc1580c30c7daf2c6717f746dc01c70d305d0e65cdbfc0f5738139c0c76bdef6c94e751c48a90a411 |
memory/2564-126-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2064-128-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2228-127-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/2800-125-0x000000013F990000-0x000000013FCE4000-memory.dmp
memory/2724-124-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2424-123-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2744-122-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2424-121-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2732-120-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2424-119-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2884-118-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2808-117-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2788-116-0x000000013F320000-0x000000013F674000-memory.dmp
memory/2424-115-0x000000013F320000-0x000000013F674000-memory.dmp
memory/2628-114-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2424-113-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/3024-112-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2424-111-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2124-110-0x000000013F6D0000-0x000000013FA24000-memory.dmp
memory/2424-109-0x0000000002480000-0x00000000027D4000-memory.dmp
memory/2364-108-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2424-107-0x000000013F0C0000-0x000000013F414000-memory.dmp
C:\Windows\system\iFsOJWX.exe
| MD5 | 5cbc9181ef5193292cdaccea96f536a9 |
| SHA1 | e4d79e134d163c39764ef469c77f26aaad914d8a |
| SHA256 | 81de7102ce44a54a2f8e3eb9caf8a1bfe87014daaa8cfa1482d9cfc4206826a0 |
| SHA512 | 4b0a35fdc0abca830a388ffe6ebe5b58d9bd0ce5146edacd241e2a85cccf1045f9c5e349b87fb13b545f6ede9647634d0a78b39d6a70ed015a9d58e425ea76ad |
C:\Windows\system\IuFgFuP.exe
| MD5 | e194b31fa86aca5e32753e34f7f44463 |
| SHA1 | 43ec437c95a4c7904588073c173ba93769ce227e |
| SHA256 | 78058e6ebad1b0dfdf18ffd306e584b75a6bcb0bacdfa8ec5de2f326938cdc2d |
| SHA512 | 0d149ac5b4a060d4cc23c0061f65b3161a207dfd0db401e7dbb8400177d73f96474e8db166c2f12d736fabad690afa68f0d36bba8aba3c1d0b50133b7aa61443 |
C:\Windows\system\INlGxhx.exe
| MD5 | 39a787adeeeba5e17146f933d7359fd8 |
| SHA1 | 974957b68961bf887102db0cf4fc92d349aed700 |
| SHA256 | c03c99a3dbe059d2f49946f40d5e90429af87e78f8f3fcdf207629adc22633fe |
| SHA512 | e158c9010bf3da45d73134569676d9361107092af50fa474e4e6c4b22cabab81dbba390fb06cdeedf259015bcad4f7cb94ae66fc6f130b8f36500aadffe147a5 |
memory/2424-129-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2228-130-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/2064-132-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2364-131-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2124-133-0x000000013F6D0000-0x000000013FA24000-memory.dmp
memory/3024-134-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2628-135-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2788-136-0x000000013F320000-0x000000013F674000-memory.dmp
memory/2808-137-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2884-138-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2744-140-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2724-141-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2732-139-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2564-143-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2800-142-0x000000013F990000-0x000000013FCE4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 00:11
Reported
2024-06-28 00:13
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\WGAxUNc.exe | N/A |
| N/A | N/A | C:\Windows\System\TTkmDRj.exe | N/A |
| N/A | N/A | C:\Windows\System\KMPPZrN.exe | N/A |
| N/A | N/A | C:\Windows\System\GMYHtgi.exe | N/A |
| N/A | N/A | C:\Windows\System\INlGxhx.exe | N/A |
| N/A | N/A | C:\Windows\System\gmaDEBa.exe | N/A |
| N/A | N/A | C:\Windows\System\VsnVnfP.exe | N/A |
| N/A | N/A | C:\Windows\System\IuFgFuP.exe | N/A |
| N/A | N/A | C:\Windows\System\jirIdKM.exe | N/A |
| N/A | N/A | C:\Windows\System\iFsOJWX.exe | N/A |
| N/A | N/A | C:\Windows\System\NmZERlQ.exe | N/A |
| N/A | N/A | C:\Windows\System\nMKQChI.exe | N/A |
| N/A | N/A | C:\Windows\System\SyZmZtA.exe | N/A |
| N/A | N/A | C:\Windows\System\cJGBWLN.exe | N/A |
| N/A | N/A | C:\Windows\System\gHVxJuA.exe | N/A |
| N/A | N/A | C:\Windows\System\EEZVqkx.exe | N/A |
| N/A | N/A | C:\Windows\System\jlaTiXV.exe | N/A |
| N/A | N/A | C:\Windows\System\uSEBNhO.exe | N/A |
| N/A | N/A | C:\Windows\System\RjMutyh.exe | N/A |
| N/A | N/A | C:\Windows\System\UXRZlVz.exe | N/A |
| N/A | N/A | C:\Windows\System\AtwvJvR.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_c6044a1ca2388d262556aee4602d6a2c_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\WGAxUNc.exe
C:\Windows\System\WGAxUNc.exe
C:\Windows\System\TTkmDRj.exe
C:\Windows\System\TTkmDRj.exe
C:\Windows\System\KMPPZrN.exe
C:\Windows\System\KMPPZrN.exe
C:\Windows\System\GMYHtgi.exe
C:\Windows\System\GMYHtgi.exe
C:\Windows\System\INlGxhx.exe
C:\Windows\System\INlGxhx.exe
C:\Windows\System\gmaDEBa.exe
C:\Windows\System\gmaDEBa.exe
C:\Windows\System\IuFgFuP.exe
C:\Windows\System\IuFgFuP.exe
C:\Windows\System\VsnVnfP.exe
C:\Windows\System\VsnVnfP.exe
C:\Windows\System\jirIdKM.exe
C:\Windows\System\jirIdKM.exe
C:\Windows\System\iFsOJWX.exe
C:\Windows\System\iFsOJWX.exe
C:\Windows\System\NmZERlQ.exe
C:\Windows\System\NmZERlQ.exe
C:\Windows\System\nMKQChI.exe
C:\Windows\System\nMKQChI.exe
C:\Windows\System\SyZmZtA.exe
C:\Windows\System\SyZmZtA.exe
C:\Windows\System\cJGBWLN.exe
C:\Windows\System\cJGBWLN.exe
C:\Windows\System\gHVxJuA.exe
C:\Windows\System\gHVxJuA.exe
C:\Windows\System\EEZVqkx.exe
C:\Windows\System\EEZVqkx.exe
C:\Windows\System\jlaTiXV.exe
C:\Windows\System\jlaTiXV.exe
C:\Windows\System\uSEBNhO.exe
C:\Windows\System\uSEBNhO.exe
C:\Windows\System\RjMutyh.exe
C:\Windows\System\RjMutyh.exe
C:\Windows\System\UXRZlVz.exe
C:\Windows\System\UXRZlVz.exe
C:\Windows\System\AtwvJvR.exe
C:\Windows\System\AtwvJvR.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
memory/1016-0-0x00007FF686EE0000-0x00007FF687234000-memory.dmp
memory/1016-1-0x000001D144B90000-0x000001D144BA0000-memory.dmp
C:\Windows\System\WGAxUNc.exe
| MD5 | 0abcb36fbfde006be1ead7e7e306ea13 |
| SHA1 | 9b226dd2006c3b426e5ab8a6944c43955e59547e |
| SHA256 | 31f95f0df97e94d9aa1e80bd6079be6442ca5b5995e9c653a955e2e731071934 |
| SHA512 | 0c208ff130bd82a523ed9b8b0a06c3df70957f6f985e2bd7dc352ef8526021869f40e199568a0819e16d3d3321d16f60b78d23854b0eeba9d7a1c2e844b84a24 |
memory/2072-8-0x00007FF634780000-0x00007FF634AD4000-memory.dmp
C:\Windows\System\TTkmDRj.exe
C:\Windows\System\KMPPZrN.exe
C:\Windows\System\GMYHtgi.exe
C:\Windows\System\gmaDEBa.exe
C:\Windows\System\IuFgFuP.exe
C:\Windows\System\VsnVnfP.exe
C:\Windows\System\jirIdKM.exe
C:\Windows\System\NmZERlQ.exe
C:\Windows\System\nMKQChI.exe
C:\Windows\System\cJGBWLN.exe
C:\Windows\System\SyZmZtA.exe
C:\Windows\System\gHVxJuA.exe
C:\Windows\System\EEZVqkx.exe
C:\Windows\System\jlaTiXV.exe
C:\Windows\System\UXRZlVz.exe
C:\Windows\System\RjMutyh.exe
C:\Windows\System\uSEBNhO.exe
C:\Windows\System\iFsOJWX.exe
C:\Windows\System\INlGxhx.exe
C:\Windows\System\AtwvJvR.exe