Analysis Overview
SHA256
8311e443f96e95e8a9c1735b352706688e7cf1f34dcfa8e3d7825d5c7db8727d
Threat Level: Known bad
The file 2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobaltstrike family
Xmrig family
Cobaltstrike
XMRig Miner payload
Cobalt Strike reflective loader
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-29 06:45
Signatures
Cobalt Strike reflective loader
1 match; no description, indicator, process or target recorded.
Cobaltstrike family
XMRig Miner payload
1 match; no description, indicator, process or target recorded.
Xmrig family
UPX packed file
1 match; no description, indicator, process or target recorded.
Unsigned PE
1 match; no description, indicator, process or target recorded.
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 06:45
Reported
2024-06-29 06:48
Platform
win7-20240419-en
Max time kernel
140s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target recorded.
Cobaltstrike
xmrig
XMRig Miner payload
60 matches; no description, indicator, process or target recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\IPiaTdT.exe | N/A |
| N/A | N/A | C:\Windows\System\KoiGxHp.exe | N/A |
| N/A | N/A | C:\Windows\System\JDLDquF.exe | N/A |
| N/A | N/A | C:\Windows\System\AibkyIm.exe | N/A |
| N/A | N/A | C:\Windows\System\KnElQBR.exe | N/A |
| N/A | N/A | C:\Windows\System\kpNAhsL.exe | N/A |
| N/A | N/A | C:\Windows\System\nFgKLKM.exe | N/A |
| N/A | N/A | C:\Windows\System\mtRLIhc.exe | N/A |
| N/A | N/A | C:\Windows\System\WkZvXCZ.exe | N/A |
| N/A | N/A | C:\Windows\System\PlUkWHF.exe | N/A |
| N/A | N/A | C:\Windows\System\NDpMeVp.exe | N/A |
| N/A | N/A | C:\Windows\System\EuuFVry.exe | N/A |
| N/A | N/A | C:\Windows\System\LDJsWId.exe | N/A |
| N/A | N/A | C:\Windows\System\LWjeDdz.exe | N/A |
| N/A | N/A | C:\Windows\System\VnZRkuE.exe | N/A |
| N/A | N/A | C:\Windows\System\pTHtDEr.exe | N/A |
| N/A | N/A | C:\Windows\System\YZAkkum.exe | N/A |
| N/A | N/A | C:\Windows\System\YvqCuyG.exe | N/A |
| N/A | N/A | C:\Windows\System\EHLiXuy.exe | N/A |
| N/A | N/A | C:\Windows\System\XGWLmgU.exe | N/A |
| N/A | N/A | C:\Windows\System\ZGYxfNf.exe | N/A |
Loads dropped DLL
UPX packed file
57 matches; no description, indicator, process or target recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe"
Dropped executables (each was started with its bare path as the command line):
C:\Windows\System\IPiaTdT.exe
C:\Windows\System\KoiGxHp.exe
C:\Windows\System\JDLDquF.exe
C:\Windows\System\AibkyIm.exe
C:\Windows\System\KnElQBR.exe
C:\Windows\System\kpNAhsL.exe
C:\Windows\System\mtRLIhc.exe
C:\Windows\System\nFgKLKM.exe
C:\Windows\System\WkZvXCZ.exe
C:\Windows\System\PlUkWHF.exe
C:\Windows\System\NDpMeVp.exe
C:\Windows\System\EuuFVry.exe
C:\Windows\System\LDJsWId.exe
C:\Windows\System\LWjeDdz.exe
C:\Windows\System\VnZRkuE.exe
C:\Windows\System\pTHtDEr.exe
C:\Windows\System\YZAkkum.exe
C:\Windows\System\YvqCuyG.exe
C:\Windows\System\EHLiXuy.exe
C:\Windows\System\XGWLmgU.exe
C:\Windows\System\ZGYxfNf.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Six identical TCP connections to 3.120.209.58:8080 were recorded; no domain is recorded for this destination.
Files
memory/2944-0-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2944-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\IPiaTdT.exe
| MD5 | 5bf7550d674eab4e17396cfce7c2e136 |
| SHA1 | 588e887bad3e231153a2c10624e042b4a30785eb |
| SHA256 | 327bb8327ce36cad82272e9780a5c443285a6c0db821b46c395d22750e914e07 |
| SHA512 | 8a85d0c1a7b82358f8963e17e49650c1ef22563e8a2ef0869e41d5521338b4f5b8fc6daf61529a5edcd8cbbced192548ed655f9565bb627ef5c24160073ba6ae |
memory/2944-6-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/2416-9-0x000000013FD80000-0x00000001400D4000-memory.dmp
C:\Windows\system\KoiGxHp.exe
| MD5 | 8a3db8d9c9841d7f46f72e32c4854a8c |
| SHA1 | ab75dd6ef13e762f60bb3280dee3966766795ead |
| SHA256 | b19aca7a208f78d5d7fb41df8bcc6fb2880c8054bebf6d3be66e9c80a5f6cc86 |
| SHA512 | e09fd7ee4e24a5e363a3ef5a2c74ed5323d662ff6fde172600fcf2bb73a6fdaa83b5df0ed72d085e0cb84cd9157c23cba918df98e34b224c129fb553f60d8fab |
memory/2944-14-0x000000013FFD0000-0x0000000140324000-memory.dmp
memory/2892-15-0x000000013FFD0000-0x0000000140324000-memory.dmp
C:\Windows\system\JDLDquF.exe
| MD5 | 9e9ce53df2798b69354a7c5536599d3d |
| SHA1 | a90614843895a0d9b562e7e0ed4503dfed2cde12 |
| SHA256 | e25666022bb77059e8f6b24c9b7421dc6ef1251f6ef3fcf51772d990a6076068 |
| SHA512 | 165e3ace5f1cd0317b497da35c6104d33400f20ad91ff083803d9fb1b09f1e2c2ac37b07e178fc15d89397beb141a31f336ce1e433c370facdb79a9abe46a546 |
memory/2696-22-0x000000013F280000-0x000000013F5D4000-memory.dmp
\Windows\system\AibkyIm.exe
| MD5 | 4d11f5ec1dc3e5b0218571b56e43e968 |
| SHA1 | 4dabad53127790b58a0a497665d0dba877c0f739 |
| SHA256 | d7605906ae2c5f1d52b2d6b838128ccac61ffc48208f9868bc199fc7c3640856 |
| SHA512 | 485aa8d73dd4e44a2ef0f4a38855e3bff64f912f392696b2f3b3df1e7d0c1d52a45dfd7d91a7b1df599c97a6594d0513336cfbe5368abdebbe7b86f38b0e01d5 |
memory/2916-29-0x000000013F500000-0x000000013F854000-memory.dmp
memory/2944-27-0x0000000002370000-0x00000000026C4000-memory.dmp
\Windows\system\KnElQBR.exe
| MD5 | b9f4aca0988610cc1eb78a844106af28 |
| SHA1 | d49bb143ca5a34fea7b4855342bfe62fc4431d44 |
| SHA256 | 59e3c9541b00cc2f6fe35a6745a09a4c8549643129513435e029b1498ed4c1cb |
| SHA512 | 159050c801e5bd9534f7cdaf0925f8bcb520e0998d379e634ba2d8529d357b8691f331dd01728f0c64232a314da5b2dac031aa465209d7e1b8bcc02db41b0ab5 |
\Windows\system\kpNAhsL.exe
| MD5 | 6272febeb13e1c3e1b4648a6e7946643 |
| SHA1 | b9f33e7bb4af8846bdf62deb068c7b529d530da3 |
| SHA256 | bf8f459d6e132ea7e019bff7d784f244364d43d82d6e360b98c6d4d5b9ebc8cc |
| SHA512 | 3cc4ca8d20e24b3a29bda953bde8bb9f8f464f0b0ab67f37652b8c90fa6fcb93408a14ea79b68e9fe0a706c6f2e76de90d0e5ea3fee5b743f9216f633aa1c5b1 |
memory/2944-48-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2944-52-0x0000000002370000-0x00000000026C4000-memory.dmp
memory/2944-41-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2540-56-0x000000013F110000-0x000000013F464000-memory.dmp
\Windows\system\mtRLIhc.exe
| MD5 | b16c918a253da40eda9793b31c58d8b2 |
| SHA1 | e7e776a9b325af75065ab1dc2f360c12292d645e |
| SHA256 | 77140501003351280d658d88a6ddcc06ef3a188dd4c47426c534c5a9eafff926 |
| SHA512 | 8d3792fc09464c3fb24b944fdd71766fb04c44e3a86eeb3fabaeb2122eb3754dae56a3daecb7ef4502f43c698f7554b6fa0fe1f24503f894e92743705b38cdaa |
memory/2416-66-0x000000013FD80000-0x00000001400D4000-memory.dmp
C:\Windows\system\PlUkWHF.exe
| MD5 | ca58d7f923dcd8f62a8838a67b9434dc |
| SHA1 | 51b9fb8da43165c93c24c0adb81d5b0aac85e21d |
| SHA256 | 27d63b2d6025ce2292547cb5887e544122f60409b814e1d4fbcfaee352f64d93 |
| SHA512 | 218b638d86ff60002ad87126d6f484a5dccff0992c3fe33d39f68c604647b550f8b0cc197ea77da022c476a7220be01898304709317c76374f0dfcf9a3499652 |
memory/2580-73-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2892-72-0x000000013FFD0000-0x0000000140324000-memory.dmp
\Windows\system\NDpMeVp.exe
| MD5 | 84f38381f3f035bf14f74848aad8668e |
| SHA1 | a46efb84e91b9b2529ee0bdf04529b6016575274 |
| SHA256 | b2d24b02489b4345f6db3772d34e250a8e51e0f2b8de491550deccc2c2ba4010 |
| SHA512 | 9bbf830983dbf5bd57b0d833f18aeaa92d1c1dd12f2f32c1d19a68e1af10220e65df5060ddb441f39f5c6fc255a98125c4b9d2dc3e32bc8ea19584d5dda60eea |
memory/2992-80-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/2916-75-0x000000013F500000-0x000000013F854000-memory.dmp
memory/2508-64-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2944-63-0x000000013FD80000-0x00000001400D4000-memory.dmp
C:\Windows\system\WkZvXCZ.exe
| MD5 | 30b2c6d99c64ad9f43a6ad07d74f7cf8 |
| SHA1 | b03d8e63f86c4e264adb2d75145511e6b9561a8c |
| SHA256 | e91538c6f9518da80b0d951bde89b846d0385e3a382a09108d222642f3aee289 |
| SHA512 | eb9e4fdb3716b5559c2ee27609ef1f288febd16fffc4acb0b7186ff812717b123e1164027b49b987824b9948ce1d390956645ed2d6df51ef6622ae2994c2b986 |
memory/2944-58-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2620-54-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2528-53-0x000000013F130000-0x000000013F484000-memory.dmp
memory/2944-49-0x0000000002370000-0x00000000026C4000-memory.dmp
C:\Windows\system\nFgKLKM.exe
| MD5 | 03e0866a5082215286dc039032d6bbd5 |
| SHA1 | 613a1687ec2a38ae16320ce6f7a1615a28c69928 |
| SHA256 | 5030592b8d87156c1e5355c2aa6e17cf9152d653a14f65bc7da94e95c205dd42 |
| SHA512 | 772a2fb7e606d583b2bcb1156d54036e4903d3371a27c1bf91d82c20e4c1637544dd4e1a19912e81f3041b4509e7755891418f7ff1a19b5ec3c3aa1667682a7f |
memory/2904-45-0x000000013FA20000-0x000000013FD74000-memory.dmp
C:\Windows\system\EuuFVry.exe
| MD5 | 0a428a0d270000de051b97fa71457564 |
| SHA1 | b2e822a4bed50563d25271eb41e7465a9300066d |
| SHA256 | e470b1adc3996a80f4e97d9b2571633ce5ffaee88fdba894ad0ac2d80c8f2746 |
| SHA512 | 3463133e21dc147def9c428663269f1bba16d82fce0b0eeeda68b6e284cfd627f35e4cbb38c004bacf59774d2c8b68133c8dabd9729c8da95925ef4203e237be |
memory/2776-87-0x000000013FD30000-0x0000000140084000-memory.dmp
memory/2944-86-0x000000013FD30000-0x0000000140084000-memory.dmp
\Windows\system\LDJsWId.exe
| MD5 | 1618bed45ea7817a0a11bbfa0eb4f71c |
| SHA1 | 93867f8103155708db696b92981a32bfb7347f51 |
| SHA256 | 109d6e3bba34c62ae650b7ce4975feb61b044946d9a138d6bfc1fe8eaa838ba1 |
| SHA512 | f50f23e28fb29308e7ea704f04d9012edfb57124202aabc7231e652817c51f77531b147b3e56341841451b6c47628e7077f0d2782477f1792a268e053485c445 |
memory/2944-93-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2844-94-0x000000013F880000-0x000000013FBD4000-memory.dmp
C:\Windows\system\LWjeDdz.exe
| MD5 | 84192b6acca4103f42df46f1128b04e9 |
| SHA1 | c66aafd0fbea385a432405db47d7276877cf09fa |
| SHA256 | b0d968eeb9097b23ab5becd35bac8589dc0b20d61971d81536f73fe96dc8cd05 |
| SHA512 | 0e0c3ce9760136a5cb5b6dd343097b9e4af50c6acdfcbddfbb4f20a64d0fba3ce98d11e5926cb65cb93000345547f28575390e50df42b218e2fc24a5339b14eb |
memory/2884-100-0x000000013F6F0000-0x000000013FA44000-memory.dmp
C:\Windows\system\VnZRkuE.exe
| MD5 | fa078a60994cb2a930e5ed4b8e1ba7e5 |
| SHA1 | cc15849250f15b50141a972db342acf7d4f00a5a |
| SHA256 | ad7ae085289e1f714d27bd056bfb816927e3035024406db77034726ecb2e37ba |
| SHA512 | b1f676926d74385eded3f064976ecf16d07660ad8e3e52ca515c54ddd7c4593f4f7a8b47b3cc66e2e97a3c8a6fc803dcfd8af4d1f0e5dad06928e3e1b5c15e0b |
C:\Windows\system\ZGYxfNf.exe
| MD5 | 8a0469a52a8eead038269787dbe28012 |
| SHA1 | 09ecf0ad5b7eea1ea1804d07917ff6cdaaaa58a9 |
| SHA256 | c787b21c44d0a5bb735f497fbe8d4141de6ddad092fcf6c8dd5cd9ad8010f2f4 |
| SHA512 | 3813596a42a15e039285018646f039cd2f2d8b36375320230bcea62fec250a83279310b7b53ab74f9f1ff3ccd11d66d51f18525674312856c2f328b1468e4d81 |
C:\Windows\system\XGWLmgU.exe
| MD5 | 5851a5344d9e2d390c782875d1bc73a3 |
| SHA1 | 17131ad4e0c648a54d786b82a1ff0c72f4ca9d0a |
| SHA256 | a42bdf32a9c51e58bf7d1fe9887d7bbbe5b7971dfe3e510a9a120a2965848d73 |
| SHA512 | 9065c702d1982a99b945619fa99714e43b8164998052dfdcc3257e791a7370e5f028625a929e04ae7834b6d91ede50fb4ce19d2dc8c34cadd66cae2dc0a50fa3 |
C:\Windows\system\EHLiXuy.exe
| MD5 | 4d911ae1760b8ca3af0c4dc9fa87ea8b |
| SHA1 | b9a6d3268814c74e93bacc5e9e6afdbedc4c9f3e |
| SHA256 | 3912c86c5b1acc1e5a4814dacdc0f21e2b5e2c8c519428a4802f238137260af6 |
| SHA512 | eac4f6e0ad8ccd7ab7e612ec6ee22e0a7bbab0357b0052db158bb68bd5e925ac33bdc4bd809f2eaab73265c2d1277ee0be8f6f0cd40718199790e164628edcba |
C:\Windows\system\YvqCuyG.exe
| MD5 | 6327594a6e43e899d4417f3c2086a8b6 |
| SHA1 | caaacfbc1224529340da3ff37397218b9879224f |
| SHA256 | 5f7b808f04745afe0c212699a2863b0241773f6553b9c324ec7db7adfa59e2f7 |
| SHA512 | e01febdea7e7ea64273e74a7892110f8d1cb1f2ea489410f3d16281492c7ca2ea4ead4965f94bcd146b627a1e78f04adef755efdb6dce6bb0c532c0ee2e53f05 |
C:\Windows\system\YZAkkum.exe
| MD5 | 838fe44710393f419c4f569d82bacc83 |
| SHA1 | 05b57d3b6dfda904a86f2a08c4da7fd98fe2aa55 |
| SHA256 | 2ff59d354810fdb5dffc6e46d0c87ab0b8d96479bb1d07cf1f0b57eb79255cd8 |
| SHA512 | c7a3198be3b96fb6be3a63aee1122313c3c67a1bd3b989569f4ea29fad795d19c8a9cda09dcccf6fcc984b0627e68f0ff921134824c91e1e7dfafa35dcddf9aa |
C:\Windows\system\pTHtDEr.exe
| MD5 | 89dcc12c83fdc8b5a5eb2229b2a9fb46 |
| SHA1 | 7953703c76a55e28afc7837bdd6f7eebf27b4ef6 |
| SHA256 | 71c442a1cef41ebe2bb542f3cf6390fba808f0c4b837c4ec706c20fe279b7a26 |
| SHA512 | f03fc0e217ab4671a4a74011f4539628be86602ac5fe4fd86bc15c0fee14482738890f208777fdbb473082ed898a08dc7d1d3b95cf16306e1cb9e6d0e68ba440 |
memory/2944-104-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2540-103-0x000000013F110000-0x000000013F464000-memory.dmp
memory/2944-99-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/2944-138-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/2944-139-0x000000013FD30000-0x0000000140084000-memory.dmp
memory/2944-140-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2944-141-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/2884-142-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/2944-143-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2416-144-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/2892-145-0x000000013FFD0000-0x0000000140324000-memory.dmp
memory/2696-146-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2916-147-0x000000013F500000-0x000000013F854000-memory.dmp
memory/2904-148-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2528-150-0x000000013F130000-0x000000013F484000-memory.dmp
memory/2620-149-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2508-151-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2540-152-0x000000013F110000-0x000000013F464000-memory.dmp
memory/2580-153-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2992-154-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/2776-155-0x000000013FD30000-0x0000000140084000-memory.dmp
memory/2844-156-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2884-157-0x000000013F6F0000-0x000000013FA44000-memory.dmp
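Added hunting example (not part of the sandbox report, and not code from the sample or from the sandbox vendor): it turns the indicators recorded in behavioral1 into checks that run over a constructed, Sysmon-like JSON event stream. The event field names (`type`, `image`, `sha256`, `dst_ip`, `dst_port`, `privileges`), the two benign events and the all-zero placeholder hash are assumptions; the drop-path pattern, the SeLockMemoryPrivilege-from-Temp check, the C2 endpoint and the hashes are taken from the report above.

```python
"""Hunt for the behaviour this report records, over Sysmon-style events.

Added example; it is not part of the sandbox report and not the sample's
code. The event shape (type/image/sha256/dst_ip/dst_port/privileges) is an
assumed, simplified Sysmon-like schema; the indicators are the report's.
"""
import json
import re
from typing import Iterable

# Indicators taken from the report.
C2_ENDPOINTS = {("3.120.209.58", 8080)}
KNOWN_SHA256 = {
    "8311e443f96e95e8a9c1735b352706688e7cf1f34dcfa8e3d7825d5c7db8727d",  # submitted sample
    "327bb8327ce36cad82272e9780a5c443285a6c0db821b46c395d22750e914e07",  # IPiaTdT.exe
    "b19aca7a208f78d5d7fb41df8bcc6fb2880c8054bebf6d3be66e9c80a5f6cc86",  # KoiGxHp.exe
}
# Every dropped binary lands in C:\Windows\System\ under a 7-letter random name.
DROP_PATTERN = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
# The sample enabled SeLockMemoryPrivilege (XMRig uses it for large pages)
# while running from the user's Temp directory.
TEMP_PATTERN = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
PRIV = "SeLockMemoryPrivilege"


def classify(event: dict) -> list[str]:
    """Return the report-derived indicators that one event matches."""
    hits: list[str] = []
    image = event.get("image", "")
    kind = event.get("type")
    if kind == "process_create":
        if DROP_PATTERN.match(image):
            hits.append("dropped-exe-in-windows-system")
        if event.get("sha256", "").lower() in KNOWN_SHA256:
            hits.append("known-hash")
    elif kind == "network_connect":
        if (event.get("dst_ip"), event.get("dst_port")) in C2_ENDPOINTS:
            hits.append("c2-endpoint")
    elif kind == "token_adjust":
        if PRIV in event.get("privileges", []) and TEMP_PATTERN.search(image):
            hits.append("selockmemory-from-temp")
    return hits


def hunt(lines: Iterable[str]) -> dict[str, list[str]]:
    """Map each indicator to the images of the JSON events that triggered it."""
    findings: dict[str, list[str]] = {}
    for line in lines:
        event = json.loads(line)
        for hit in classify(event):
            findings.setdefault(hit, []).append(event.get("image", "?"))
    return findings


# Constructed sample telemetry: four events mirror the report, two are benign.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe")
SAMPLE_LINES = [json.dumps(e) for e in [
    {"type": "process_create", "image": SAMPLE,
     "sha256": "8311e443f96e95e8a9c1735b352706688e7cf1f34dcfa8e3d7825d5c7db8727d"},
    {"type": "token_adjust", "image": SAMPLE, "privileges": [PRIV]},
    {"type": "process_create", "image": r"C:\Windows\System\IPiaTdT.exe",
     "sha256": "327bb8327ce36cad82272e9780a5c443285a6c0db821b46c395d22750e914e07"},
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "sha256": "0" * 64},  # benign event with a constructed placeholder hash
    {"type": "network_connect", "image": r"C:\Windows\System\IPiaTdT.exe",
     "dst_ip": "3.120.209.58", "dst_port": 8080},
    {"type": "network_connect", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "93.184.216.34", "dst_port": 443},  # benign, constructed
]]

if __name__ == "__main__":
    for indicator, images in hunt(SAMPLE_LINES).items():
        print(f"{indicator}: {images}")
```

SeLockMemoryPrivilege is legitimately enabled by some server software (SQL Server's "lock pages in memory" setting, for instance), so the check above is scoped to images running from AppData\Local\Temp rather than to the privilege alone; extend that scoping to your own environment before turning it into an alert. The 7-letter C:\Windows\System\ drop pattern and the 3.120.209.58:8080 endpoint are specific to this sample and should be treated as short-lived indicators.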
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-29 06:45
Reported
2024-06-29 06:48
Platform
win10v2004-20240508-en
Max time kernel
139s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target recorded.
Cobaltstrike
xmrig
XMRig Miner payload
64 matches; no description, indicator, process or target recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\LzCFmEM.exe | N/A |
| N/A | N/A | C:\Windows\System\eXbOzqe.exe | N/A |
| N/A | N/A | C:\Windows\System\suuizFR.exe | N/A |
| N/A | N/A | C:\Windows\System\aiFCTkg.exe | N/A |
| N/A | N/A | C:\Windows\System\aWBglaM.exe | N/A |
| N/A | N/A | C:\Windows\System\uHrovZX.exe | N/A |
| N/A | N/A | C:\Windows\System\wWOvAXm.exe | N/A |
| N/A | N/A | C:\Windows\System\FMRGIVh.exe | N/A |
| N/A | N/A | C:\Windows\System\YVYKDUb.exe | N/A |
| N/A | N/A | C:\Windows\System\bMltfMi.exe | N/A |
| N/A | N/A | C:\Windows\System\jOVdRIk.exe | N/A |
| N/A | N/A | C:\Windows\System\EUpwJap.exe | N/A |
| N/A | N/A | C:\Windows\System\SMZEyWX.exe | N/A |
| N/A | N/A | C:\Windows\System\nbpJKIV.exe | N/A |
| N/A | N/A | C:\Windows\System\UTKOfIo.exe | N/A |
| N/A | N/A | C:\Windows\System\GynxLnm.exe | N/A |
| N/A | N/A | C:\Windows\System\oaObGXR.exe | N/A |
| N/A | N/A | C:\Windows\System\VsVBCXT.exe | N/A |
| N/A | N/A | C:\Windows\System\yhDvNNP.exe | N/A |
| N/A | N/A | C:\Windows\System\myEpjcZ.exe | N/A |
| N/A | N/A | C:\Windows\System\kzgMnYw.exe | N/A |
UPX packed file
64 matches; no description, indicator, process or target recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_03f72815581f3b582e9f2b9ab3eb02c9_cobalt-strike_cobaltstrike_poet-rat.exe"
Dropped executables (each was started with its bare path as the command line):
C:\Windows\System\LzCFmEM.exe
C:\Windows\System\eXbOzqe.exe
C:\Windows\System\suuizFR.exe
C:\Windows\System\aiFCTkg.exe
C:\Windows\System\aWBglaM.exe
C:\Windows\System\uHrovZX.exe
C:\Windows\System\wWOvAXm.exe
C:\Windows\System\FMRGIVh.exe
C:\Windows\System\YVYKDUb.exe
C:\Windows\System\bMltfMi.exe
C:\Windows\System\jOVdRIk.exe
C:\Windows\System\EUpwJap.exe
C:\Windows\System\SMZEyWX.exe
C:\Windows\System\nbpJKIV.exe
C:\Windows\System\UTKOfIo.exe
C:\Windows\System\GynxLnm.exe
C:\Windows\System\oaObGXR.exe
C:\Windows\System\VsVBCXT.exe
C:\Windows\System\yhDvNNP.exe
C:\Windows\System\myEpjcZ.exe
C:\Windows\System\kzgMnYw.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
The TCP connection to 3.120.209.58:8080 was recorded six times; no domain is recorded for this destination.
Files
memory/3760-0-0x00007FF752000000-0x00007FF752354000-memory.dmp
memory/3760-1-0x0000028E283A0000-0x0000028E283B0000-memory.dmp
C:\Windows\System\LzCFmEM.exe
| MD5 | 8c4add64c1e5350e3d8b3faeba233486 |
| SHA1 | 7c4a4643d74a4a033a1e765ee659ed04dedcdde9 |
| SHA256 | 43c6b9f16aead7873b68721d86d79673102c947cb3daf74e30dc8f0a63f88c99 |
| SHA512 | 37be5f4db501429a85fbd9eeeb9528374eaad5583b6a523f2cfae6731a93c64c928a4b556dae2fa467db23544405668004e240fd8649cf7510d71f41b198563d |
C:\Windows\System\eXbOzqe.exe
| MD5 | 706c7b184ade147e67b2491a30bcfb8c |
| SHA1 | de6486f0ba6e26ba76235cc81dabf6469b57d747 |
| SHA256 | 9036ab4b06843b479d25c5a333f933b19a9734f8a7387bd781eeebf5b96566b7 |
| SHA512 | fd18de3a604552f490b7fda24b25da574dbc8dfe11335811a9266a4fe83184af537dfcf015611c5d621551d26521ab3edef9ab85afb5641750261e4f48213aa7 |
C:\Windows\System\suuizFR.exe
| MD5 | a81334358994239ac59f61975b1c5fae |
| SHA1 | 7ba11a9659f2f87e60970aee068836517a560fbf |
| SHA256 | afc46914b6f5b2da67dec8862934d940fe240d34fcc83584c6f0930c8f324c38 |
| SHA512 | 96ab565598b2db6a3749a6a2a48970812c2c0d469b6b714300df53847eda283dcc5136cafaedae31b32b6cfc46469edbcc6678b158073974e7b0b1b1c28d0f96 |
C:\Windows\System\aiFCTkg.exe
| MD5 | 9229a2dfebde72e87526c9419aa113be |
| SHA1 | 51678b941bfa23245d353b426f81160052bd9f63 |
| SHA256 | e2af5883f8e196f33a0a0be10ba8ad82fd44a35ad97ad26398c1ee876b354de8 |
| SHA512 | cef5a28b03a797644ff401375f2eb9f6e0d01bfd07c42682dfda84c7dff460c7e8be17985cd04d135b178f2e292ca60a0dba436a28935d2f0068fd9f7b6876a9 |
C:\Windows\System\aWBglaM.exe
| MD5 | 08e76806c93813d37eb2bca2a1e4d783 |
| SHA1 | 5dbb08adade72ea0ef0ed77c080a177f78dd4721 |
| SHA256 | 49acbfebb90e9d80556cc072578d0d81deea4c6b0a50265f4f34b1f7b14cf342 |
| SHA512 | 11907a6e0ce83c4064a1c74dc50ce71926b5a4c86b947b00616511042a9c7302efe13643a41922c33fcc006e6a9b0a3268fc6df055a3ce0b5c799b00a2b9444c |
memory/1436-40-0x00007FF636BA0000-0x00007FF636EF4000-memory.dmp
C:\Windows\System\YVYKDUb.exe
| MD5 | 3bc93546776079eb9d7cdbf454ef81eb |
| SHA1 | 41130d6f723aac8bd284ecc68f6212f7c4dade97 |
| SHA256 | 664f6508376026db6f09b22bf30ddf29205f683cbc76d6d78f56da1c5c963144 |
| SHA512 | 412922577631e737f51102a52c5fdecfdfb9ca893356e2e9a18f29eebc6cc1e8c528e877c52d587cc44bd8eb870149ccef84135883bce2073ae1c6c91e0db862 |
C:\Windows\System\FMRGIVh.exe
| MD5 | 61c1f14960949639993010e6f24320d9 |
| SHA1 | 7cb324f1756d70cff2dff593a207cfd75927d089 |
| SHA256 | fa620d2a095a168d4d95dfa88b49e6b1ce7d11763d47bbd3393410863f255920 |
| SHA512 | 201c1aa42d2d284d0916ea33ec4b73a5f112c923529604d29234e2cff290c71c3a64fb8ae3d8f5b9b0dc8e15c653ffdf38f0d76d495a54eb1c847036ff8fda2a |
C:\Windows\System\bMltfMi.exe
| MD5 | 1b91228accc8baef822539895271674d |
| SHA1 | 3d32c72816942e5dd7f5c3dea81328347df6f26b |
| SHA256 | 8f10c6779a7379a6feced57d2a10f276175aa96676037a1375ed4490929ee843 |
| SHA512 | 3b31406568dddea32d725f9d4275a3ca8f68f3e2d09977f28a4f03bca2404d60fb3d032c4be7109bd27ca5b4072e7dac0e2c1b968c60d919c4330412ae2c3962 |
memory/1676-60-0x00007FF7A00F0000-0x00007FF7A0444000-memory.dmp
memory/3256-57-0x00007FF727EB0000-0x00007FF728204000-memory.dmp
memory/3684-53-0x00007FF6FE1A0000-0x00007FF6FE4F4000-memory.dmp
memory/3540-49-0x00007FF7EC6F0000-0x00007FF7ECA44000-memory.dmp
C:\Windows\System\uHrovZX.exe
| MD5 | 5c38284ba12718fec44cd68ec11c0833 |
| SHA1 | b9c6991b2cdc4a8fad94f4b19a06091270fdbfaf |
| SHA256 | fd34758e091833ec1cd3806d8080dc9eb1a97350aee3d4620b12650b767403b5 |
| SHA512 | deb9d0015368f4e19c98f277b7eee3e782f8f1a9c5b97c6fb208a977d2c522850571d3009d6011a0d1adfb048cd7f0ac0cc0cb0b2c59f57c85ce91a08b9437b7 |
C:\Windows\System\wWOvAXm.exe
| MD5 | 3108cb3326bf01b9c312d559eaedf4a0 |
| SHA1 | 3ed0e84897f7fe330c288c39e0bb607a6194d60a |
| SHA256 | 4fbc51ee9b41cdf5eaef971f64de6e5e4accaec76082ee4b5d42a2d593e2e2e4 |
| SHA512 | 7e34d37c262c94accdf13a62de4edd5433386f73f98f5ba549df5ba9ab7c24387711b4ab23a2c091864ca6fad211c6e1143a12bd885e7633cb35aa2a5d99b53c |
memory/2264-35-0x00007FF658CA0000-0x00007FF658FF4000-memory.dmp
memory/1760-34-0x00007FF7A16B0000-0x00007FF7A1A04000-memory.dmp
memory/3448-28-0x00007FF71EB10000-0x00007FF71EE64000-memory.dmp
memory/4084-19-0x00007FF6EFA60000-0x00007FF6EFDB4000-memory.dmp
C:\Windows\System\EUpwJap.exe
| MD5 | 2cb5ec22def54a743414249a7dc25e74 |
| SHA1 | 17a00846108b1fb9abde10fc3f5e09f65a5dc3c6 |
| SHA256 | 20a4f049320ebaaef95da98646f63d58f783fa426f160ff9de598a6f2d3e5e0f |
| SHA512 | 44043969b552cf1cb23879c3f276d4c5c681410e423698f90603a21ef9b93321000e673fcd84fb89e1b1a608d359d3fa5f11b40fb0ee3de47a9f2a50d9d94324 |
C:\Windows\System\SMZEyWX.exe
| MD5 | a2e1243d572244a35eb3a6112b79b580 |
| SHA1 | b9430e0bb5fb0cfc670a228d7d766fc76697d11c |
| SHA256 | 43655e87a6022edd597774632310cbd27558d8e4a0d5ea86b29620b40030319d |
| SHA512 | 0db95e44b7f4a2660bbb63f72710b39e1eb84ae7adbe24834a637e039d996146616080c1e09f9e72c5766d2f79b4247a76994c5254cc7d726604dad32d98a064 |
memory/1912-86-0x00007FF6DA860000-0x00007FF6DABB4000-memory.dmp
memory/4200-84-0x00007FF7C9500000-0x00007FF7C9854000-memory.dmp
memory/1736-81-0x00007FF7D4000000-0x00007FF7D4354000-memory.dmp
C:\Windows\System\UTKOfIo.exe
| MD5 | 5a6df708637e6fe8d65a7c9d98c4c1e7 |
| SHA1 | e0498273745a657674beb0ba987d92170e113383 |
| SHA256 | 403a95c15ff07d5d54184e80477acc3522b193007653edeea3b2f5e847b4e9f5 |
| SHA512 | e1aa356d10710fd4b8943cb25a2047cacccfb7920f6b473d309bc5f3f577f0a6c3d334b9ec1a56b90c1af7a564b532e7c2bc5344fa8da12a25df5c86ff160473 |
C:\Windows\System\GynxLnm.exe
| MD5 | 39854d1e6a3857b8ee6830860ce5ad90 |
| SHA1 | 2c7e5fc68e9b2b0bb54f808c3232cd573e1c2336 |
| SHA256 | 0b552f1003e66836dc805b24f8716fe6dfbf0607bb4cc25c3c412efb4ab58cb7 |
| SHA512 | 265d52a5127771f763f208b95cd3e79f892c2be0d340ee0de50a5ed70a3c9cac90ebcb6a54a814123e4ffa935c9c91d7dde2159135ee9c0fc81ea4eeb8d21534 |
C:\Windows\System\yhDvNNP.exe
| MD5 | c1d5808a958e994e62a1fd2200398afc |
| SHA1 | 531a38398f11993de8aacc2a5bd5895d91fe01e3 |
| SHA256 | a218a73a00f4d3bacb1e1b45c094cd2b7356a56cc031da7c9c497f65604f34a1 |
| SHA512 | 37baf93dafd651a70afdd3702803163b548321ef8edc5d7e464d6864c12c841dc4007f097368a7c35e03f0b02b02cba16e2c41d0c60ef0cb62e7665f5b3e49af |
C:\Windows\System\kzgMnYw.exe
| MD5 | 1b955eb68a34782a5171a49f15576a0b |
| SHA1 | c116aa212a1f604b4751909dfc393551bacdfc78 |
| SHA256 | 5ed2c776666e1de0d9d99fb2312df31183a7c47bb794059f8a4d7be5ad3092c8 |
| SHA512 | 558078ce3d0e2d016572c070a7214a6349ad9019632218175b87eedbe3b24d92202dbf5bde59823636dc8eb8244ca5949a59b36c4c915bda58daa408b474bea9 |
C:\Windows\System\myEpjcZ.exe
| MD5 | b1bc0046d28f3f673bc48037f64d8a51 |
| SHA1 | b55b6451fe4e53b0ea45effce3ff26a513f69d15 |
| SHA256 | d6b2119324cf316e7a855221633558978d336901d546219a855936a357f4ebca |
| SHA512 | 805f554d7dc548cf53b269fd106c3cd0b9126e897893b4a765c51427524e0dbb540793f39530e439317eb6604199b996b70071189f7edc52febb2a6bd424519e |
C:\Windows\System\VsVBCXT.exe
| MD5 | 5913462cc5166fe520272ace21a3d8e2 |
| SHA1 | ae1302888aea2675a48bf51210f610f4b02d7784 |
| SHA256 | 5044ee7935f9d41aab6eddeea9845c62b2ae64d3ae415146ccc099b7f5c4d6fb |
| SHA512 | e07270057a474e95e1f2a517c2b476d7ad3a4fe4a0d2aec0078200e851e3ccd963ecc420dee4ab48e15277c84d688c461ce1bb62baf73be4be98f4d8d6f7c5a4 |
C:\Windows\System\oaObGXR.exe
| MD5 | 65aeb1f03dd7cb1e8849e8db3a869782 |
| SHA1 | 95c0f05b9e97a04433519edfee8f915bfebbc66a |
| SHA256 | c051a39d999741e1f25552be7de09df9efb55183ce2a2b6e1bccb5f25107c9db |
| SHA512 | 4d5c9da14a3bcf3b0814c6d25c0aa5f6d570f1e70a7e7e449d55d545e0071cfbdd4a2cf57a3ee04d1ff94292c455f4262ea5cf3f7de18071102790fcd0ee0b9f |
C:\Windows\System\nbpJKIV.exe
| MD5 | 0e90db32ac3688955d212816dea0d21f |
| SHA1 | 598652480d0385aa4f1e266ae166ca3c0e0f0545 |
| SHA256 | 86571819530179ec61523ee8afb7cd0dba35c0b18baec5b219819f2243d85357 |
| SHA512 | 9b4a4d4da5c42f4d4dddd9f78c9eda2ed3bf0e4d11b45ed5aac24ae173020f15f8add36ab8b815d8275b53cc4c687721cd57ff235856b06e074f460a223e63d8 |
C:\Windows\System\jOVdRIk.exe
| MD5 | 7c8069bf951cc7f995d78bf6c05c5734 |
| SHA1 | 5e353938785b282081ac020f3da30f753866ab1d |
| SHA256 | 03e01cfa084cf79fcb0338b6d4cb4606c13cb0fc70e4e400c9d032d58e2cf7cd |
| SHA512 | 0805d1d0e3ac8374e2a80a4c98401888c074ad67f058bd39678b8b360179aa32301313b69502c8a730e9f6b26fe3030f266c0703253f5b113e1db191f2c024a2 |