Analysis Overview
SHA256
dae583eaf154b9870a017c5c2f68ce5cc4c3ba9ac4cd097ca8b6f09a531a7fdc
Threat Level: Known bad
The file 2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
xmrig
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-30 05:46
Signatures
Cobalt Strike reflective loader
1 match recorded; no description, indicator, process or target was captured for it.
Cobaltstrike family
XMRig Miner payload
1 match recorded; no description, indicator, process or target was captured for it.
Xmrig family
UPX packed file
1 match recorded; no description, indicator, process or target was captured for it.
Unsigned PE
1 match recorded; no description, indicator, process or target was captured for it.
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-30 05:45
Reported
2024-06-30 05:48
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches recorded; no description, indicator, process or target was captured for any of them.
Cobaltstrike
xmrig
XMRig Miner payload
64 matches recorded; no description, indicator, process or target was captured for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\FRngiHc.exe | N/A |
| N/A | N/A | C:\Windows\System\tjKiDxQ.exe | N/A |
| N/A | N/A | C:\Windows\System\viRJKZJ.exe | N/A |
| N/A | N/A | C:\Windows\System\flBdXke.exe | N/A |
| N/A | N/A | C:\Windows\System\iFFrLbX.exe | N/A |
| N/A | N/A | C:\Windows\System\LJJWmZM.exe | N/A |
| N/A | N/A | C:\Windows\System\YCfblCu.exe | N/A |
| N/A | N/A | C:\Windows\System\qnJzXlY.exe | N/A |
| N/A | N/A | C:\Windows\System\RWVDarU.exe | N/A |
| N/A | N/A | C:\Windows\System\TOTDoIC.exe | N/A |
| N/A | N/A | C:\Windows\System\GyXxVdX.exe | N/A |
| N/A | N/A | C:\Windows\System\MBIqhBq.exe | N/A |
| N/A | N/A | C:\Windows\System\IJNyWyd.exe | N/A |
| N/A | N/A | C:\Windows\System\jkTIhbx.exe | N/A |
| N/A | N/A | C:\Windows\System\CZodZmn.exe | N/A |
| N/A | N/A | C:\Windows\System\uqsiuLj.exe | N/A |
| N/A | N/A | C:\Windows\System\LRHyXdv.exe | N/A |
| N/A | N/A | C:\Windows\System\SGFqcep.exe | N/A |
| N/A | N/A | C:\Windows\System\RHvqXGl.exe | N/A |
| N/A | N/A | C:\Windows\System\XMgvgNU.exe | N/A |
| N/A | N/A | C:\Windows\System\tVeIcBx.exe | N/A |
UPX packed file
64 matches recorded; no description, indicator, process or target was captured for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\FRngiHc.exe
C:\Windows\System\FRngiHc.exe
C:\Windows\System\tjKiDxQ.exe
C:\Windows\System\tjKiDxQ.exe
C:\Windows\System\viRJKZJ.exe
C:\Windows\System\viRJKZJ.exe
C:\Windows\System\flBdXke.exe
C:\Windows\System\flBdXke.exe
C:\Windows\System\iFFrLbX.exe
C:\Windows\System\iFFrLbX.exe
C:\Windows\System\LJJWmZM.exe
C:\Windows\System\LJJWmZM.exe
C:\Windows\System\YCfblCu.exe
C:\Windows\System\YCfblCu.exe
C:\Windows\System\qnJzXlY.exe
C:\Windows\System\qnJzXlY.exe
C:\Windows\System\RWVDarU.exe
C:\Windows\System\RWVDarU.exe
C:\Windows\System\TOTDoIC.exe
C:\Windows\System\TOTDoIC.exe
C:\Windows\System\GyXxVdX.exe
C:\Windows\System\GyXxVdX.exe
C:\Windows\System\MBIqhBq.exe
C:\Windows\System\MBIqhBq.exe
C:\Windows\System\IJNyWyd.exe
C:\Windows\System\IJNyWyd.exe
C:\Windows\System\jkTIhbx.exe
C:\Windows\System\jkTIhbx.exe
C:\Windows\System\CZodZmn.exe
C:\Windows\System\CZodZmn.exe
C:\Windows\System\uqsiuLj.exe
C:\Windows\System\uqsiuLj.exe
C:\Windows\System\LRHyXdv.exe
C:\Windows\System\LRHyXdv.exe
C:\Windows\System\SGFqcep.exe
C:\Windows\System\SGFqcep.exe
C:\Windows\System\RHvqXGl.exe
C:\Windows\System\RHvqXGl.exe
C:\Windows\System\XMgvgNU.exe
C:\Windows\System\XMgvgNU.exe
C:\Windows\System\tVeIcBx.exe
C:\Windows\System\tVeIcBx.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 48.192.11.51.in-addr.arpa | udp |
Files
memory/2160-0-0x00007FF701A40000-0x00007FF701D94000-memory.dmp
memory/2160-1-0x000001D0229C0000-0x000001D0229D0000-memory.dmp
C:\Windows\System\FRngiHc.exe
| MD5 | cf8b9c536072e9c2adc0ac7e9b17b5ee |
| SHA1 | d548f027c103fcbbe3297606c381ce3a199a9667 |
| SHA256 | af1e2b4fc9afa85aef56a94718fea087a12553243e2d2c4908b531dbf39d9b46 |
| SHA512 | 428a099a711ac905a753dcfed845027eb56a803d966681bca6dbf5762f62f65a3edae4dcc78df0331424463d47935bf87d26e4464efb30d7d54227734391992e |
memory/5056-7-0x00007FF63CEB0000-0x00007FF63D204000-memory.dmp
C:\Windows\System\viRJKZJ.exe
| MD5 | 89d5a3db6e6b0599135cb23dec996c86 |
| SHA1 | 51d312d509b3e6ef7e3ba5ed591bab215041006d |
| SHA256 | 9e9d9b252e0668f8167dd628f623e36cd8f51e3e942f6d7e8e975b373a2dfec8 |
| SHA512 | c9b31ff6226199e0c4da051ed933b91a5cd6444562bb128e32fc837026b2d94ef86c7a215e7dc282c3acf99cf366b3b2afd18ba05b22f315e97346a280cb10da |
C:\Windows\System\tjKiDxQ.exe
| MD5 | ae4e287ed5f4d8da1d1cfc47dbe48c47 |
| SHA1 | 3c74c6fe601e53e8a3359deeb02e384227598af9 |
| SHA256 | 15221d3db9954119e9e7f4aaa01673b3966d85061cc5065addf99664eef1ec18 |
| SHA512 | d550bbc1b29780f350cf15fb8b69e592fbc672993caa25429b3d51b212b9dbcda23b5bf8e6b27d90f13d46a5bcd6650fa26167c507bbd0204208ad29c084879b |
memory/4740-14-0x00007FF765120000-0x00007FF765474000-memory.dmp
C:\Windows\System\flBdXke.exe
| MD5 | dcb234ef7ed53ad6dda13514e2849bee |
| SHA1 | a1cacef38f796ccc759643b5355ddd2d58d81616 |
| SHA256 | b1be3b93b782027b473e6c7aa50847c63b4ad77ea53791f1250a92c344c67950 |
| SHA512 | 0ccd6600e12babf7aba08b4bf741febf1c5177c3039a14bbae841115fc8fce71a951aacf3b54459b7f7ba105f8cac391208978b157043b9d0a8a0fe50242962c |
memory/5104-27-0x00007FF746140000-0x00007FF746494000-memory.dmp
C:\Windows\System\iFFrLbX.exe
| MD5 | f385ae1612d0e19aa9568bc332543662 |
| SHA1 | 1f07d2ebc25768520da6e5139cc0880c7d9dd941 |
| SHA256 | e3f8313bff3c5b148c0f6cfd2781cbd7d1d7562b3057666eec9ac6794d2410d7 |
| SHA512 | e4a906c020a8f4d734a1b10ae51ae527531b7d36a41a2fd02e37da56ad9de887cfc47f299509333a7a5a0285f72cf7d3fcb6819445fcd2285443b566c72dd287 |
memory/1524-30-0x00007FF67C190000-0x00007FF67C4E4000-memory.dmp
memory/4816-22-0x00007FF61F100000-0x00007FF61F454000-memory.dmp
C:\Windows\System\YCfblCu.exe
| MD5 | d5ddde8c6bd35daf8ff0d2194446c439 |
| SHA1 | 74529f475697465f999143b5d400206394fbf64f |
| SHA256 | 93067b16b64777b5f943f1b375e68257d063eebd67d9e2b0d571de7c4253ed29 |
| SHA512 | b852015fee1649c6daccf6a417308986d87523eb5ef4d04d91ac9508f60a099b11e71e85c864994f6ef970403dbd63f7c6b5feb6534296f487c7dae3fceaba99 |
C:\Windows\System\LJJWmZM.exe
| MD5 | cf03975a361640412c43ed0c48d9e55e |
| SHA1 | 0fee1ee954377ffa7afc022bd9465d83b0a89811 |
| SHA256 | f956da0063363ac6c25afebe10f7c3ecbda3986e1670c796e9e479cb8fc79f02 |
| SHA512 | 027e52c6472533347fa1c9b87774b0d42e819a5097d1ce8f872212010b671ef463b2f6845abc3fdaaa1eb22ab3909d364d821847a85b78d3109bcfa0278101d4 |
memory/3244-43-0x00007FF6F8870000-0x00007FF6F8BC4000-memory.dmp
C:\Windows\System\qnJzXlY.exe
| MD5 | 75914cf7b1f341f0860ebd71f4251c6a |
| SHA1 | 53e61fc893bdeba0a497d5121972618dd476358a |
| SHA256 | 59871ceda7e8a18539fb725b93ecdf75d60b4eca115c8cb363304e0003b94366 |
| SHA512 | c48524268040dee5e99425b0db747a631e237d1bbe0b17f1c50126425992493f1c7c8fa0e4c8a4385bd1ec194ac6db7314487bf5274f90034e850ed01e0e4a55 |
memory/4576-49-0x00007FF6F25E0000-0x00007FF6F2934000-memory.dmp
C:\Windows\System\RWVDarU.exe
| MD5 | d05e9070b74fead9cd41593fc93024cf |
| SHA1 | 8be3bde35f35156aa0c2495e5bd8344cba21296d |
| SHA256 | f18c273890ddfbeceb7db2cc1b9c0c209757d8e855ea2d80efd95134f965ddb8 |
| SHA512 | 0846ef2a781fdf79b5f0ca189cbeb34109c9d20409547a40e1569c7836f47a7c46192c6818a5d06829e6b6a651721230e120b3e251459f913e9fbb3b2e8141dd |
C:\Windows\System\TOTDoIC.exe
| MD5 | 8847df65dd0d92dab566eeec1c52ef27 |
| SHA1 | 553d6ffa79ca6900920ec394aab82c1eef60f7b7 |
| SHA256 | b5be397adeab9d56d924b2655603c795f7fd6db97577d70f66fe4d2bee31ac36 |
| SHA512 | 918c3d266350090f7bec733fce0975407963319e4f93df5dd53032a2e5b63417155ff28a310117d9c879c54ca5a71c6b08cfb6fd1b96708af7d17ea948afc5f4 |
memory/3056-59-0x00007FF787F70000-0x00007FF7882C4000-memory.dmp
C:\Windows\System\GyXxVdX.exe
| MD5 | 7f9af53cd53e2f640ec39902c29b661f |
| SHA1 | cc87ad943174a96cf183c512b6df363013c08e3a |
| SHA256 | 34dd39c638ace0b2fa42bf36b6586ca6ec7fa8072b6abfe88933c4b15a39b9f4 |
| SHA512 | 273c91402cd5bc15b91e2ac7b029eda4d8e00763227e01ad785cb1cdba82f73fab0fd054123350475d6c4c8392a7fd9f32ce29d6469f84c8674adf50afe8a8e0 |
C:\Windows\System\jkTIhbx.exe
| MD5 | 2dd447702f5466cc1445701472f5a685 |
| SHA1 | c507735d860476e611a7ea06b73433d678a44d16 |
| SHA256 | 77f778238a945a4a69b319911b99f1726d9f545b4f93c68c4bb3ba4f01eaba91 |
| SHA512 | ef67185c63a51e555b99997f4c05d661f593942e7f822feaaa80dd22a5a84581f569cd8c170cf8a2316514ab2ab0b60e75da719409e0d67ec18661ee451fe13c |
C:\Windows\System\uqsiuLj.exe
| MD5 | 590e101148df6022bfaed1ed03c3099b |
| SHA1 | d9c77430e529fa53635139df77bcb3e4a5d51522 |
| SHA256 | 2c8e47c6b44b9f8909894b2b6c300d86fb4ab67fd516231de044fea1afe9e14b |
| SHA512 | 2ed62faade74cc428186218812a4df61af506be262fee346563484495fc0dc9f2ed46f3a39af35a64c682180b7889da4a3d2fbf63a41ba02553b90d74772872d |
C:\Windows\System\RHvqXGl.exe
| MD5 | 65105ae46e1930d8986da63a4804b76c |
| SHA1 | 6b6e71597fa7f538f0220932010ebac34e84383b |
| SHA256 | 8a9a50a8b1a22b5c9e60314d862936449e16586e6669a8d7dddb52db61492933 |
| SHA512 | 2bb10422fff5a4d212baafa95c1914a53146307d10bee26072591c89ae41baef4d291fdc79b7068b2cfecd6e690b75a1f2f74544304d6cd663fdaec679f59556 |
C:\Windows\System\tVeIcBx.exe
| MD5 | dcc98e0e17d43fdd196b513fe905eeb2 |
| SHA1 | a99f0f10a6d81f0a1aed715eaae0c50ac305f3d2 |
| SHA256 | c423076a0cfd16814d56ac4cd3e14514d63fec4250bd402c28d81acc7c438c42 |
| SHA512 | 5fbc54fe4aaed829c2194eac9675fc8999c555b9541986d5788d919714f095178d327f253132992079e5e4246cc25866fe32f919807f6e240a60529f1f9d8a91 |
C:\Windows\System\XMgvgNU.exe
| MD5 | 706fbf9521dda484c547bc53e70c482b |
| SHA1 | dd6c2a1f957d9ce2af1f29a5721a23d3d835ecbb |
| SHA256 | 948d2e5fe038006626106c98b3ad649a393a00f1bf9a022a4ced0517c2db9ed6 |
| SHA512 | e13ec6f153e384a037ae96d22f149e518fd4032c9076db3323a31bb2886b7cf1961c3ae56a170e72b706bfff4e6248c82741f1ce5cc72b33fac4d73d98b9be97 |
C:\Windows\System\SGFqcep.exe
| MD5 | 256b1a15787e4a380ef977258ab5061f |
| SHA1 | d8ab54128e2c20d0efc3633db17c7d3502db57ad |
| SHA256 | a04c20239fd56182ed26933e68f7583f5089d373de0c69023268db444fb803aa |
| SHA512 | 51ba94d494d977d94368852ad1fde3f558118041f554a16aebe50bb94462b288d7c253ed11fc4028e2a5c5e3c156840bf54a525db351469218bcf61d1e2da777 |
C:\Windows\System\LRHyXdv.exe
| MD5 | 6b5a7903dcbc7ed152921739986ffbdf |
| SHA1 | df48432386828a095146c6830a046352c269d49b |
| SHA256 | 78cfca2fe8e75f1a7fb38b18de7c66e0e133da50d025bc38ae60ee4bb44131fe |
| SHA512 | 028b515573a0a91b8f355cbf0da961f0e4e779d4a4dcf7a03640caf6408996ce97ae256dc6cc61c7bf7f485a9d72348fcbb012d62cdf8de9e270b5eaf1a9fbaa |
C:\Windows\System\CZodZmn.exe
| MD5 | f3f6b3eea6cbf00474e2fe806ef8c58d |
| SHA1 | d4fb74278e518f8df2694a83361a5e7124e43dbd |
| SHA256 | 3f03f6fda85dc284c0502db80a229e2ab732bb4da4b5301343cd544e9861fc74 |
| SHA512 | 571791188319e0ad61683dc4b51d2a931ea04ea337ab63f8c3e1302da81e335b502d8d77d392a968a1d3cbf9e63468172e4002364a10ea71f684366133b24e32 |
C:\Windows\System\IJNyWyd.exe
| MD5 | a346222c88ee2df031fd9b28e6402162 |
| SHA1 | 4b5b9c723c3857e39a907992faadd87e8ac67a26 |
| SHA256 | 5e8f2bc6ef42c927d31a5733188b341fbfcc787c6fbad0a16dc5ffc0e5e33796 |
| SHA512 | 3e5874eef8949fa2e2cefd8b021ed61ca1a0db5d3856f730af5859a4ac9ecdb80c256c2409f667e0d14f5613933ffc73549d18e30dbbc450ffd42814fa6fcb70 |
C:\Windows\System\MBIqhBq.exe
| MD5 | d914795c0ce77812a276ed1b258230d2 |
| SHA1 | 43f3bc813523531d3d369df7626a94b7cc7cb717 |
| SHA256 | f3eac2a51c5f7233e155e92e22660c3607ded4eb41f15b792c7ebd55962acfac |
| SHA512 | a5b7b79fe7dc6c3830d00a0866427badcd78f7183bbdc8363e5adb498a5397206398fc55ef4203d5c2e4a7e4015ea0fb4483035801aeafcdc714a188b2301a09 |
memory/2256-60-0x00007FF6BD590000-0x00007FF6BD8E4000-memory.dmp
memory/3956-51-0x00007FF7FE1E0000-0x00007FF7FE534000-memory.dmp
memory/1408-117-0x00007FF614780000-0x00007FF614AD4000-memory.dmp
memory/4860-119-0x00007FF734260000-0x00007FF7345B4000-memory.dmp
memory/3564-118-0x00007FF6901D0000-0x00007FF690524000-memory.dmp
memory/1232-120-0x00007FF7B9A10000-0x00007FF7B9D64000-memory.dmp
memory/4268-121-0x00007FF7205D0000-0x00007FF720924000-memory.dmp
memory/3260-122-0x00007FF74AFF0000-0x00007FF74B344000-memory.dmp
memory/3020-123-0x00007FF61A5B0000-0x00007FF61A904000-memory.dmp
memory/1008-125-0x00007FF665230000-0x00007FF665584000-memory.dmp
memory/3992-124-0x00007FF6A7C20000-0x00007FF6A7F74000-memory.dmp
memory/3928-126-0x00007FF76D3E0000-0x00007FF76D734000-memory.dmp
memory/3100-127-0x00007FF72DB30000-0x00007FF72DE84000-memory.dmp
memory/2160-128-0x00007FF701A40000-0x00007FF701D94000-memory.dmp
memory/5056-129-0x00007FF63CEB0000-0x00007FF63D204000-memory.dmp
memory/4740-130-0x00007FF765120000-0x00007FF765474000-memory.dmp
memory/5104-131-0x00007FF746140000-0x00007FF746494000-memory.dmp
memory/1524-132-0x00007FF67C190000-0x00007FF67C4E4000-memory.dmp
memory/2256-133-0x00007FF6BD590000-0x00007FF6BD8E4000-memory.dmp
memory/5056-134-0x00007FF63CEB0000-0x00007FF63D204000-memory.dmp
memory/4740-135-0x00007FF765120000-0x00007FF765474000-memory.dmp
memory/4816-136-0x00007FF61F100000-0x00007FF61F454000-memory.dmp
memory/5104-137-0x00007FF746140000-0x00007FF746494000-memory.dmp
memory/1524-138-0x00007FF67C190000-0x00007FF67C4E4000-memory.dmp
memory/3244-139-0x00007FF6F8870000-0x00007FF6F8BC4000-memory.dmp
memory/4576-140-0x00007FF6F25E0000-0x00007FF6F2934000-memory.dmp
memory/3956-141-0x00007FF7FE1E0000-0x00007FF7FE534000-memory.dmp
memory/3056-142-0x00007FF787F70000-0x00007FF7882C4000-memory.dmp
memory/2256-143-0x00007FF6BD590000-0x00007FF6BD8E4000-memory.dmp
memory/1408-144-0x00007FF614780000-0x00007FF614AD4000-memory.dmp
memory/3564-145-0x00007FF6901D0000-0x00007FF690524000-memory.dmp
memory/4860-146-0x00007FF734260000-0x00007FF7345B4000-memory.dmp
memory/1232-147-0x00007FF7B9A10000-0x00007FF7B9D64000-memory.dmp
memory/4268-148-0x00007FF7205D0000-0x00007FF720924000-memory.dmp
memory/3260-149-0x00007FF74AFF0000-0x00007FF74B344000-memory.dmp
memory/3020-150-0x00007FF61A5B0000-0x00007FF61A904000-memory.dmp
memory/3992-151-0x00007FF6A7C20000-0x00007FF6A7F74000-memory.dmp
memory/3928-153-0x00007FF76D3E0000-0x00007FF76D734000-memory.dmp
memory/1008-152-0x00007FF665230000-0x00007FF665584000-memory.dmp
memory/3100-154-0x00007FF72DB30000-0x00007FF72DE84000-memory.dmp
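The report above spreads its indicators over several flat tables: dropped executables with their hashes, the network table, and the privilege the sample enabled. The Python below is an added example, not part of this report or of any sandbox vendor's tooling. It parses a constructed excerpt (lines copied from this page) into one IOC set, tolerates the mis-exported network rows where the protocol landed in the Domain column and a dropped-file path that lacks its drive letter, and flags the dropper's pattern of seven-letter executables under C:\Windows\System, a legacy directory that holds no executables on a modern install. It also notes SeLockMemoryPrivilege, which XMRig enables so it can back its RandomX memory with huge pages, so that token fits the miner verdict. The regexes, the Iocs structure and the function names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt: a handful of lines copied from the report above. It
# deliberately includes one network row exported with "tcp" in the Domain
# column and one dropped-file path exported without a drive letter.
REPORT_EXCERPT = r"""
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | | tcp |
C:\Windows\System\FRngiHc.exe
| MD5 | cf8b9c536072e9c2adc0ac7e9b17b5ee |
| SHA1 | d548f027c103fcbbe3297606c381ce3a199a9667 |
| SHA256 | af1e2b4fc9afa85aef56a94718fea087a12553243e2d2c4908b531dbf39d9b46 |
memory/5056-7-0x00007FF63CEB0000-0x00007FF63D204000-memory.dmp
C:\Windows\System\viRJKZJ.exe
| MD5 | 89d5a3db6e6b0599135cb23dec996c86 |
| SHA256 | 9e9d9b252e0668f8167dd628f623e36cd8f51e3e942f6d7e8e975b373a2dfec8 |
\Windows\system\ZARaBWb.exe
| SHA256 | 6a10913c4402c17e0d4e4ff2754bcfc5ebe8fe694942da6a390994bf084d41d1 |
"""

FILE_RE = re.compile(r"^(?:[A-Za-z]:)?\\[^|]+\.exe$")
HASH_RE = re.compile(r"^\| (MD5|SHA1|SHA256|SHA512) \| ([0-9a-f]+) \|$")
TOKEN_RE = re.compile(r"^\| Token: (\w+) \|")
NET_RE = re.compile(r"^\| ([A-Z]{2}) \| ([0-9.]+):(\d+) \|(.*)\|$")
# C:\Windows\System (not System32) holds no executables on a modern install;
# every file this sample dropped there has a seven-letter mixed-case name.
SUSPECT_DROP_RE = re.compile(
    r"^(?:[A-Za-z]:)?\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


@dataclass
class Iocs:
    files: dict = field(default_factory=dict)     # path -> {algo: hexdigest}
    c2: set = field(default_factory=set)          # (ip, port, proto) for non-DNS endpoints
    rdns: set = field(default_factory=set)        # reverse-DNS names the sample resolved
    privileges: set = field(default_factory=set)  # tokens enabled via AdjustTokenPrivileges


def parse_report(text: str) -> Iocs:
    """Walk the flat export line by line, attaching hash rows to the file path above them."""
    iocs = Iocs()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("memory/"):  # a memory-dump entry ends the current file block
            current = None
        elif FILE_RE.match(line):
            current = line
            iocs.files.setdefault(current, {})
        elif (m := HASH_RE.match(line)) and current:
            iocs.files[current][m.group(1)] = m.group(2)
        elif m := TOKEN_RE.match(line):
            iocs.privileges.add(m.group(1))
        elif m := NET_RE.match(line):
            _country, ip, port, rest = m.groups()
            # Tolerate both "| tcp | |" and "| | tcp |": pick the proto by value, not position.
            cells = [c.strip() for c in rest.split("|")]
            proto = next((c for c in cells if c in ("tcp", "udp")), "")
            domain = next((c for c in cells if c and c not in ("tcp", "udp")), "")
            if domain.endswith(".in-addr.arpa"):
                iocs.rdns.add(domain)
            else:
                iocs.c2.add((ip, int(port), proto))
    return iocs


def suspicious_dropped(iocs: Iocs) -> list:
    r"""Dropped executables matching the seven-letter-name-in-C:\Windows\System pattern."""
    return sorted(p for p in iocs.files if SUSPECT_DROP_RE.match(p))


def summarize(iocs: Iocs) -> dict:
    return {
        "dropped": len(iocs.files),
        "suspicious_drops": len(suspicious_dropped(iocs)),
        "c2": sorted(iocs.c2),
        # XMRig enables SeLockMemoryPrivilege to back RandomX with huge pages.
        "huge_page_privilege": "SeLockMemoryPrivilege" in iocs.privileges,
    }


if __name__ == "__main__":
    result = parse_report(REPORT_EXCERPT)
    for path, hashes in result.files.items():
        print(path, hashes.get("SHA256", "<no sha256>"))
    print(summarize(result))
```

Feeding the full Files, Network and Signatures sections of both detonations through parse_report gives the same structure with all 42 dropped binaries; the hash dictionary can then be exported to whatever blocklist or hunting query format the environment uses, while suspicious_dropped supplies the path pattern to hunt for on hosts where the hashes will differ.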
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-30 05:45
Reported
2024-06-30 05:48
Platform
win7-20240611-en
Max time kernel
141s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches recorded; no description, indicator, process or target was captured for any of them.
Cobaltstrike
xmrig
XMRig Miner payload
58 matches recorded; no description, indicator, process or target was captured for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\CgLBPgk.exe | N/A |
| N/A | N/A | C:\Windows\System\ZARaBWb.exe | N/A |
| N/A | N/A | C:\Windows\System\MyqeAGG.exe | N/A |
| N/A | N/A | C:\Windows\System\xlQTCIs.exe | N/A |
| N/A | N/A | C:\Windows\System\SeIxpud.exe | N/A |
| N/A | N/A | C:\Windows\System\JzniQrA.exe | N/A |
| N/A | N/A | C:\Windows\System\ORhrsUl.exe | N/A |
| N/A | N/A | C:\Windows\System\YgQDaaC.exe | N/A |
| N/A | N/A | C:\Windows\System\PmWouZS.exe | N/A |
| N/A | N/A | C:\Windows\System\HfCnfEZ.exe | N/A |
| N/A | N/A | C:\Windows\System\kerYiqd.exe | N/A |
| N/A | N/A | C:\Windows\System\MbMItbI.exe | N/A |
| N/A | N/A | C:\Windows\System\CBxmCsr.exe | N/A |
| N/A | N/A | C:\Windows\System\HfOebwj.exe | N/A |
| N/A | N/A | C:\Windows\System\DtEfeXD.exe | N/A |
| N/A | N/A | C:\Windows\System\lSMefcg.exe | N/A |
| N/A | N/A | C:\Windows\System\uICHBIQ.exe | N/A |
| N/A | N/A | C:\Windows\System\VJaiUNj.exe | N/A |
| N/A | N/A | C:\Windows\System\favdYfU.exe | N/A |
| N/A | N/A | C:\Windows\System\HcyRjQP.exe | N/A |
| N/A | N/A | C:\Windows\System\icXlUqg.exe | N/A |
Loads dropped DLL
UPX packed file
55 matches recorded; no description, indicator, process or target was captured for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_06f8d8aae36ec27d193903d544cd9ecb_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\CgLBPgk.exe
C:\Windows\System\CgLBPgk.exe
C:\Windows\System\ZARaBWb.exe
C:\Windows\System\ZARaBWb.exe
C:\Windows\System\MyqeAGG.exe
C:\Windows\System\MyqeAGG.exe
C:\Windows\System\xlQTCIs.exe
C:\Windows\System\xlQTCIs.exe
C:\Windows\System\SeIxpud.exe
C:\Windows\System\SeIxpud.exe
C:\Windows\System\JzniQrA.exe
C:\Windows\System\JzniQrA.exe
C:\Windows\System\ORhrsUl.exe
C:\Windows\System\ORhrsUl.exe
C:\Windows\System\YgQDaaC.exe
C:\Windows\System\YgQDaaC.exe
C:\Windows\System\PmWouZS.exe
C:\Windows\System\PmWouZS.exe
C:\Windows\System\HfCnfEZ.exe
C:\Windows\System\HfCnfEZ.exe
C:\Windows\System\kerYiqd.exe
C:\Windows\System\kerYiqd.exe
C:\Windows\System\MbMItbI.exe
C:\Windows\System\MbMItbI.exe
C:\Windows\System\CBxmCsr.exe
C:\Windows\System\CBxmCsr.exe
C:\Windows\System\HfOebwj.exe
C:\Windows\System\HfOebwj.exe
C:\Windows\System\DtEfeXD.exe
C:\Windows\System\DtEfeXD.exe
C:\Windows\System\lSMefcg.exe
C:\Windows\System\lSMefcg.exe
C:\Windows\System\uICHBIQ.exe
C:\Windows\System\uICHBIQ.exe
C:\Windows\System\VJaiUNj.exe
C:\Windows\System\VJaiUNj.exe
C:\Windows\System\favdYfU.exe
C:\Windows\System\favdYfU.exe
C:\Windows\System\HcyRjQP.exe
C:\Windows\System\HcyRjQP.exe
C:\Windows\System\icXlUqg.exe
C:\Windows\System\icXlUqg.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2764-0-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2764-1-0x00000000002F0000-0x0000000000300000-memory.dmp
C:\Windows\system\CgLBPgk.exe
| MD5 | 57b24f0d3abf07b55caffb5aecd2a085 |
| SHA1 | a2acf8cc57fb7c08bcae37669ce5cef21d91b52c |
| SHA256 | 77899205645ac0b81b09fb387a8281747d909c5860d9bbc5f1a85e7deed1db6c |
| SHA512 | 7df9dd39496509ef6428499c80fc5b9f8d966653342aedd84c8aa0ee468d6667357ce78efab905e4d03acdd9300425836874e302c5fdef0d37299d49d242f720 |
C:\Windows\system\MyqeAGG.exe
| MD5 | e0a2c5b07c7287116c815da99e76bbc8 |
| SHA1 | 637c81c85bc7b120713b069d4cd707121f94c73c |
| SHA256 | 020025b7b7aa1fec956dd095e52b6a3a074daa2f55cacc1c1713963f5c11d8a8 |
| SHA512 | 1eb81ef3ed40f2df02520862843e0e0364be24243e8195ea5986ab3d786c6d6a34dd1f144e432bcdea9f97f5b7f70210a7cdacf6765362515464c34d9ad98696 |
\Windows\system\ZARaBWb.exe
| MD5 | e8cbfdc438ae3cfc67954264c6baad51 |
| SHA1 | a5c8650731c0c887735cd8221692509407a4ec04 |
| SHA256 | 6a10913c4402c17e0d4e4ff2754bcfc5ebe8fe694942da6a390994bf084d41d1 |
| SHA512 | 24b1bb40ba4e10eb1383939ba00076cfac530331936f16d11a5df2f571c90c54ced0b5a1aa8922ee3cd10a66e71762adc5d2a8e0053d2b0f41f580252f283d0f |
memory/2680-19-0x000000013F380000-0x000000013F6D4000-memory.dmp
memory/2748-23-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/2764-22-0x0000000002200000-0x0000000002554000-memory.dmp
memory/2764-20-0x000000013FCE0000-0x0000000140034000-memory.dmp
C:\Windows\system\xlQTCIs.exe
| MD5 | 539287310282de032250c1eb0fc69857 |
| SHA1 | ee476585499e007ef03e1f7682b07c1ef57eea42 |
| SHA256 | 6e71976577209a6ec9fb44bdf1ff2fd1b5a2ca2c19012168b10a2722c7564e41 |
| SHA512 | 0c25248d522c2671a4da9fb47e795b7716d1af81fbd86b6f3dd9d20b954bb7aeb1d4988bb0450f4a129086411c79fbf3ea6f2b34a2bff35e624648d502f52be4 |
memory/2608-17-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2764-15-0x0000000002200000-0x0000000002554000-memory.dmp
C:\Windows\system\icXlUqg.exe
| MD5 | d77c84930f9aca39bef2bb3512dc4372 |
| SHA1 | 0914b0d3c47c2c2c793ed683c76efd5ee598f820 |
| SHA256 | 1ac90b80daf61a0ecc647131fa12f10c2087a149837aeb1da109f0470defff42 |
| SHA512 | 6c3387fa4e6509c58d143831ddc20d207153e5d3c3bde266251bfa4cf5c9aec40277d157d03c6412b5f17065561846a609f3c249e81884950c6e1be237a3060e |
C:\Windows\system\HcyRjQP.exe
| MD5 | 5c4d6ade7bf4a5e10597cf80aa2de59f |
| SHA1 | 70d1dc125c918f01fe96fff13b6d6b3390314062 |
| SHA256 | e4369c4aec87861693246f1458132a941612ce6a994f2c39ea54f2750d905359 |
| SHA512 | e837dfc9d5185c5a14c409f988e851b58d03aa4ce0397f6eed37649468f53e0fd2b4960adde17d5f7f3d00692267596cf55b87df55241a2f0f4cd72437799814 |
C:\Windows\system\favdYfU.exe
| MD5 | 35544b226bc2cef48a728c4b6e11412f |
| SHA1 | 8bf56346893c7fdc7e534b6f13e2cfde004bba81 |
| SHA256 | 336ee5ac3be7d0510a61da6e26d55e794bd2c6ecdcebe005e4e230222a66b9c9 |