Analysis Overview
SHA256
323140ae6707575622973ae79a6f015a2a38e63a4b9462a202fa6e2e2c0d3d19
Threat Level: Known bad
The file 2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
xmrig
Detects Reflective DLL injection artifacts
XMRig Miner payload
Cobaltstrike family
Cobaltstrike
Cobalt Strike reflective loader
Xmrig family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-30 05:51
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-30 05:50
Reported
2024-06-30 05:53
Platform
win7-20240611-en
Max time kernel
142s
Max time network
146s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ueirzPj.exe | N/A |
| N/A | N/A | C:\Windows\System\sWQwijm.exe | N/A |
| N/A | N/A | C:\Windows\System\ZmepKAM.exe | N/A |
| N/A | N/A | C:\Windows\System\lkRHtqs.exe | N/A |
| N/A | N/A | C:\Windows\System\abvwOtK.exe | N/A |
| N/A | N/A | C:\Windows\System\aFZXNak.exe | N/A |
| N/A | N/A | C:\Windows\System\aeJXnXg.exe | N/A |
| N/A | N/A | C:\Windows\System\WnXYHVz.exe | N/A |
| N/A | N/A | C:\Windows\System\bGAUnqf.exe | N/A |
| N/A | N/A | C:\Windows\System\RMDDIQR.exe | N/A |
| N/A | N/A | C:\Windows\System\oZzxQaR.exe | N/A |
| N/A | N/A | C:\Windows\System\tNXtptD.exe | N/A |
| N/A | N/A | C:\Windows\System\CMtfDvM.exe | N/A |
| N/A | N/A | C:\Windows\System\WhRGbvN.exe | N/A |
| N/A | N/A | C:\Windows\System\ixGgruw.exe | N/A |
| N/A | N/A | C:\Windows\System\OSMONhS.exe | N/A |
| N/A | N/A | C:\Windows\System\ixCvjzd.exe | N/A |
| N/A | N/A | C:\Windows\System\zPDSOdS.exe | N/A |
| N/A | N/A | C:\Windows\System\NyBmulz.exe | N/A |
| N/A | N/A | C:\Windows\System\WOMEdeI.exe | N/A |
| N/A | N/A | C:\Windows\System\MlKnunE.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\ueirzPj.exe | C:\Windows\System\ueirzPj.exe |
| C:\Windows\System\sWQwijm.exe | C:\Windows\System\sWQwijm.exe |
| C:\Windows\System\ZmepKAM.exe | C:\Windows\System\ZmepKAM.exe |
| C:\Windows\System\lkRHtqs.exe | C:\Windows\System\lkRHtqs.exe |
| C:\Windows\System\abvwOtK.exe | C:\Windows\System\abvwOtK.exe |
| C:\Windows\System\aFZXNak.exe | C:\Windows\System\aFZXNak.exe |
| C:\Windows\System\aeJXnXg.exe | C:\Windows\System\aeJXnXg.exe |
| C:\Windows\System\WnXYHVz.exe | C:\Windows\System\WnXYHVz.exe |
| C:\Windows\System\bGAUnqf.exe | C:\Windows\System\bGAUnqf.exe |
| C:\Windows\System\RMDDIQR.exe | C:\Windows\System\RMDDIQR.exe |
| C:\Windows\System\oZzxQaR.exe | C:\Windows\System\oZzxQaR.exe |
| C:\Windows\System\tNXtptD.exe | C:\Windows\System\tNXtptD.exe |
| C:\Windows\System\CMtfDvM.exe | C:\Windows\System\CMtfDvM.exe |
| C:\Windows\System\WhRGbvN.exe | C:\Windows\System\WhRGbvN.exe |
| C:\Windows\System\ixGgruw.exe | C:\Windows\System\ixGgruw.exe |
| C:\Windows\System\OSMONhS.exe | C:\Windows\System\OSMONhS.exe |
| C:\Windows\System\ixCvjzd.exe | C:\Windows\System\ixCvjzd.exe |
| C:\Windows\System\zPDSOdS.exe | C:\Windows\System\zPDSOdS.exe |
| C:\Windows\System\NyBmulz.exe | C:\Windows\System\NyBmulz.exe |
| C:\Windows\System\WOMEdeI.exe | C:\Windows\System\WOMEdeI.exe |
| C:\Windows\System\MlKnunE.exe | C:\Windows\System\MlKnunE.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-30 05:50
Reported
2024-06-30 05:53
Platform
win10v2004-20240611-en
Max time kernel
142s
Max time network
151s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\xODeKqc.exe | N/A |
| N/A | N/A | C:\Windows\System\EFKwkKb.exe | N/A |
| N/A | N/A | C:\Windows\System\IeOUbKP.exe | N/A |
| N/A | N/A | C:\Windows\System\TkDZOZd.exe | N/A |
| N/A | N/A | C:\Windows\System\yCsrjTN.exe | N/A |
| N/A | N/A | C:\Windows\System\cXDLbzw.exe | N/A |
| N/A | N/A | C:\Windows\System\kHGHfMp.exe | N/A |
| N/A | N/A | C:\Windows\System\puIUEXc.exe | N/A |
| N/A | N/A | C:\Windows\System\drssTIh.exe | N/A |
| N/A | N/A | C:\Windows\System\lvVLRUu.exe | N/A |
| N/A | N/A | C:\Windows\System\KkfODNM.exe | N/A |
| N/A | N/A | C:\Windows\System\toTjVTl.exe | N/A |
| N/A | N/A | C:\Windows\System\JNRrYBy.exe | N/A |
| N/A | N/A | C:\Windows\System\ymXkhac.exe | N/A |
| N/A | N/A | C:\Windows\System\hVrVuBY.exe | N/A |
| N/A | N/A | C:\Windows\System\gpASUQV.exe | N/A |
| N/A | N/A | C:\Windows\System\yyInNVQ.exe | N/A |
| N/A | N/A | C:\Windows\System\xLaaWBY.exe | N/A |
| N/A | N/A | C:\Windows\System\yftzkEQ.exe | N/A |
| N/A | N/A | C:\Windows\System\mGthZbN.exe | N/A |
| N/A | N/A | C:\Windows\System\YfSKCqV.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-30_5f14ffe89964271cac4025e953339c48_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\xODeKqc.exe | C:\Windows\System\xODeKqc.exe |
| C:\Windows\System\EFKwkKb.exe | C:\Windows\System\EFKwkKb.exe |
| C:\Windows\System\IeOUbKP.exe | C:\Windows\System\IeOUbKP.exe |
| C:\Windows\System\TkDZOZd.exe | C:\Windows\System\TkDZOZd.exe |
| C:\Windows\System\yCsrjTN.exe | C:\Windows\System\yCsrjTN.exe |
| C:\Windows\System\cXDLbzw.exe | C:\Windows\System\cXDLbzw.exe |
| C:\Windows\System\kHGHfMp.exe | C:\Windows\System\kHGHfMp.exe |
| C:\Windows\System\puIUEXc.exe | C:\Windows\System\puIUEXc.exe |
| C:\Windows\System\drssTIh.exe | C:\Windows\System\drssTIh.exe |
| C:\Windows\System\lvVLRUu.exe | C:\Windows\System\lvVLRUu.exe |
| C:\Windows\System\KkfODNM.exe | C:\Windows\System\KkfODNM.exe |
| C:\Windows\System\toTjVTl.exe | C:\Windows\System\toTjVTl.exe |
| C:\Windows\System\JNRrYBy.exe | C:\Windows\System\JNRrYBy.exe |
| C:\Windows\System\ymXkhac.exe | C:\Windows\System\ymXkhac.exe |
| C:\Windows\System\hVrVuBY.exe | C:\Windows\System\hVrVuBY.exe |
| C:\Windows\System\gpASUQV.exe | C:\Windows\System\gpASUQV.exe |
| C:\Windows\System\yyInNVQ.exe | C:\Windows\System\yyInNVQ.exe |
| C:\Windows\System\xLaaWBY.exe | C:\Windows\System\xLaaWBY.exe |
| C:\Windows\System\yftzkEQ.exe | C:\Windows\System\yftzkEQ.exe |
| C:\Windows\System\mGthZbN.exe | C:\Windows\System\mGthZbN.exe |
| C:\Windows\System\YfSKCqV.exe | C:\Windows\System\YfSKCqV.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
| SHA512 | 65cac7e44392e33db3a4432530d85e47c74bf7269c920fc2250ae8662fc23e109bc93e2b3adec5c6a8083531f9cd1157d98d650e2c20a9eb32b7f76fa0b7c232 |
C:\Windows\System\kHGHfMp.exe
| MD5 | ffbf67a490846bbb346bf0210c941c5e |
| SHA1 | 47e7340ffe3af76d5ae61dbf9ca121d314e8b9a8 |
| SHA256 | ea1a4b3e851b848e6ddc4be51cb73979d765627bf284f8281dcf235554340d95 |
| SHA512 | f232a1ba84f6b38b19f8e172afa679efe8b49d4c58c8c94473a5e530b2f8780e3a0005145dd6ba3b3dd06028b0c6a3e4a5d2e0b7b720f49721227c1415d7e12e |
C:\Windows\System\puIUEXc.exe
| MD5 | 58777fdeccd47c65423be14f9b0a862b |
| SHA1 | 90cf0a1749c8c275b3382ce9d8febaeb74a79844 |
| SHA256 | 71004afa9658e4cf7dc35f20dc6d4424782726d91f73cc1921335ad7e8e14b3d |
| SHA512 | a149256271fa9fc1a11e9f84618b27c77f75f8f91be229769998f2a69832d1f2fb0a53f01c7e1023b3ec9152c1a5be20e7871bc2787b5f472a034007d64b15f2 |
C:\Windows\System\drssTIh.exe
| MD5 | 485675bc7f964c11c58ae5b1bafd75a5 |
| SHA1 | 7325effd29e766d35a56d697358d8ba20b714bd3 |
| SHA256 | f9276d70f86062c936e4ed83a0c3e8be62adb79724d537edc61d56094e70cf12 |
| SHA512 | dfcad59fd7a4bda357f1544ae574393a7c1fbf71006f8b3e0b08826d3bf51ee27910676cc48bf83e163207ec6fc8ebe4254ccdf6593db66614aaf191ca696bc3 |
memory/3120-51-0x00007FF6330D0000-0x00007FF633424000-memory.dmp
memory/4864-46-0x00007FF7DD1E0000-0x00007FF7DD534000-memory.dmp
memory/4928-36-0x00007FF7E4A10000-0x00007FF7E4D64000-memory.dmp
memory/2224-35-0x00007FF640EC0000-0x00007FF641214000-memory.dmp
memory/3976-22-0x00007FF730FB0000-0x00007FF731304000-memory.dmp
memory/5092-55-0x00007FF6F7A40000-0x00007FF6F7D94000-memory.dmp
C:\Windows\System\lvVLRUu.exe
| MD5 | f1c77d4e02e44a6c428c1138cc02503c |
| SHA1 | 5c35b8d288ad14447b55030d5feff11acde94041 |
| SHA256 | 1802b5a2af7e2ba16f94a387af04156b74001b9ceffb15b34d649a18ce1aaf3c |
| SHA512 | 75c99b57880b679164fb9e7fd4b80ad19faa263e1008396196f83a48f8205f3ceb0748c7c495b91455d604694f95ff511771d9d2831d5ca2c0c1754c64e4f895 |
memory/4892-61-0x00007FF67E020000-0x00007FF67E374000-memory.dmp
C:\Windows\System\KkfODNM.exe
| MD5 | a0df513031115e5b65bbb5e3d4c4b3a6 |
| SHA1 | 96c74fa9ebd5a0ef019bdf28f91feca3ad28b947 |
| SHA256 | 71927b56a14fd7a7accb662e678b5ac98064b99fdf8bd93f9935b5e6b19adf16 |
| SHA512 | 84503aae070143e9548079481fcff420609ceed99943e4a62ef7d45fed712cbc9429941aff96723b032e72479cc620bb669fe6d7f5c13719f982ac1268f606f8 |
memory/2540-71-0x00007FF783630000-0x00007FF783984000-memory.dmp
memory/4460-79-0x00007FF650B20000-0x00007FF650E74000-memory.dmp
C:\Windows\System\JNRrYBy.exe
| MD5 | a4c926a2f62fc8f028ae1cb49dae2b8d |
| SHA1 | e390a6c4ea4f9dc92778b95e2334c64a39fede27 |
| SHA256 | 89690248061234c7ffe61242e3c37c76db892869a3a9c4703af86f72df9205b2 |
| SHA512 | ce665830b4a27711ebf5532bb68df46840c00b02b90fc0621c760d63eb03651869c8695d6a0f26ad1b1ca72e170fa60dd8327740720817b8ea5ba35f24838ca1 |
memory/3976-88-0x00007FF730FB0000-0x00007FF731304000-memory.dmp
memory/2956-89-0x00007FF6568B0000-0x00007FF656C04000-memory.dmp
memory/4692-87-0x00007FF776520000-0x00007FF776874000-memory.dmp
C:\Windows\System\ymXkhac.exe
| MD5 | 7c5ab1df3abd77a5e1ba1dbc5a9eaf7f |
| SHA1 | fdc11dfe50fde9332d7716961800c78e35b8ea16 |
| SHA256 | c0f9876f8282affa241d6ed9420cda03a81a63f535a8e12b5f95e8ad0da75b36 |
| SHA512 | 37d956b2929cefe074df6f868bcc35c8850116bfb887168a1dd854c60db15953da0002c5fe3ef1480dcf3836170560d6dc0342f5d7232c08bb95fc3ae6eaa4c2 |
C:\Windows\System\toTjVTl.exe
| MD5 | dce677021b08cccc9a905c9f019c6c2a |
| SHA1 | ff66c11057c746393401e6f3b4cb4887c1222218 |
| SHA256 | 22417e5aa389886a800c53197b3f5731303dd346a04b877fcc2ce2da2c524cc9 |
| SHA512 | cf005c302a02815e7e6f1b2b2433b554282dc28e509f7b261607311163f8f3139a21aca34048b562281f5bb531c2eefa58f88b1c8cabd30af4e090b9da0adb21 |
memory/1400-70-0x00007FF67F160000-0x00007FF67F4B4000-memory.dmp
memory/4140-65-0x00007FF649830000-0x00007FF649B84000-memory.dmp
C:\Windows\System\hVrVuBY.exe
| MD5 | ac7d5f725b89566d556b3027bc81cfc7 |
| SHA1 | a680ce0653f6ce150258640b2689123f31fc373a |
| SHA256 | 9b55c27ca255073b6042703f417ea7fa22d809cbf1799f669feac9dd72424c5f |
| SHA512 | 4fc2a648a965b484575140ffd5315dc5877aab5dbe8fb8ea02083f81a55979b0fb3cdb4572ad7337bed20b3c6ce63e990d8eab69e9feb009ece9e57e0531dc9e |
C:\Windows\System\gpASUQV.exe
| MD5 | 5e025be679ced319892c6d09c1ff5915 |
| SHA1 | a6c3021164cbd2f0e2d5b08afb1e3ba787bcc00f |
| SHA256 | 9eaf622b84e3c4f82e702f491ecd51553018965ece05f2a14d137a81506e2681 |
| SHA512 | c2f2f3a370f42ec1b7e8aed8f5df92a0aa17ba3009ea4ec450c69c9f71eee0a8c58dcb0dc18e18e0215b7afcb5359ddad4b90e26898ffc7cd843b5e82619cf8c |
memory/4636-99-0x00007FF7D6380000-0x00007FF7D66D4000-memory.dmp
memory/2224-98-0x00007FF640EC0000-0x00007FF641214000-memory.dmp
memory/4448-97-0x00007FF6D7600000-0x00007FF6D7954000-memory.dmp
memory/4704-103-0x00007FF749A60000-0x00007FF749DB4000-memory.dmp
C:\Windows\System\yyInNVQ.exe
| MD5 | edb441dffee7093bd0f45152bae16228 |
| SHA1 | cb8df7f0ee9cd2af26f00f9d5fed939957515782 |
| SHA256 | 88c05f7d4cda6b44435de110f7035373c76955f4cd78e2589e51c84e227dec09 |
| SHA512 | 0062e791c30039c84762a59537f5510e2bc4e3f49301e9068e300b27f88df70f0750dd8f1f22ce7ab0ac410bf31695bf521f4ec11553a9a72a01909d0bff6d75 |
memory/4928-107-0x00007FF7E4A10000-0x00007FF7E4D64000-memory.dmp
memory/4908-108-0x00007FF637D60000-0x00007FF6380B4000-memory.dmp
C:\Windows\System\xLaaWBY.exe
| MD5 | ed65866d57f09be73a6200b45a31c879 |
| SHA1 | 32e325ee654aec1410fb39ebd5f570035414b910 |
| SHA256 | 96f8319b07a56e84d7e19f859c6e91e7bd54a1f6f479b26c073f8e540915fdd5 |
| SHA512 | ecc5d3084158ba44f07e3c15aa150425631775bc6cfeaaa8160ecae3cd4d21ef72097933235c1ee4151eb31c257eab63857cc33b57decf91d31ba1b32b3c9206 |
memory/1068-116-0x00007FF719470000-0x00007FF7197C4000-memory.dmp
C:\Windows\System\yftzkEQ.exe
| MD5 | 791710167ff561bdafca41f78641b7a6 |
| SHA1 | 5cfa8275241d78dcff2ba9c1fd94cc7f16be6cdb |
| SHA256 | 10bfe28296d3208ab74b4ef369ac5caca7bc1aef10d3cf3c9db0ce864a65d883 |
| SHA512 | 81c8360897ba54cf73164b5fe0409535512f6013713dd9e24f864beabf6d5a01dab03934d02c6f0817450bf4108ba59767bfbefc4ad5bb70e71d74fb20c8216f |
memory/3120-122-0x00007FF6330D0000-0x00007FF633424000-memory.dmp
C:\Windows\System\mGthZbN.exe
| MD5 | 71b0b8e2e730a916080d9f6c50822db3 |
| SHA1 | 142cf7dcf83d4705e39a0ba522011aa560520fb9 |
| SHA256 | f147d07c7f4d48d292a95bd9ce117ec05c4a966e213dbb8699686877f394cab7 |
| SHA512 | 3a255f3ad8695e22b9ee0b345c61492812c7110427a28dcf92c6a356994272a01cbf6811d7561a74ad79ea82b93a7e074bcb601e3bbd90f7f677bb36706f19ba |
memory/3712-125-0x00007FF722810000-0x00007FF722B64000-memory.dmp
C:\Windows\System\YfSKCqV.exe
| MD5 | f315f29150df7b4691e0cf1698a6a94c |
| SHA1 | d1fda091232bb440c96558f75495920b65226dc6 |
| SHA256 | 829f4963ec6202ffe75fbc8c8fbc33ad22473641bd0f33f6a854dffb2ca6cbe1 |
| SHA512 | c24565076d4b7325e03223e29e5e446f6bea250e4a35ffa4ba7583c21158b282ea0b847c8192b71b661e06a8605ce547260afdd25b67d98bd3b834be33efa3ae |
memory/4140-132-0x00007FF649830000-0x00007FF649B84000-memory.dmp
memory/1472-128-0x00007FF78FBC0000-0x00007FF78FF14000-memory.dmp
memory/4440-135-0x00007FF725060000-0x00007FF7253B4000-memory.dmp
memory/1400-136-0x00007FF67F160000-0x00007FF67F4B4000-memory.dmp
memory/4692-138-0x00007FF776520000-0x00007FF776874000-memory.dmp
memory/2540-137-0x00007FF783630000-0x00007FF783984000-memory.dmp
memory/4908-139-0x00007FF637D60000-0x00007FF6380B4000-memory.dmp
memory/1472-140-0x00007FF78FBC0000-0x00007FF78FF14000-memory.dmp
memory/2132-141-0x00007FF79F210000-0x00007FF79F564000-memory.dmp
memory/4460-142-0x00007FF650B20000-0x00007FF650E74000-memory.dmp
memory/3976-143-0x00007FF730FB0000-0x00007FF731304000-memory.dmp
memory/4448-144-0x00007FF6D7600000-0x00007FF6D7954000-memory.dmp
memory/2224-145-0x00007FF640EC0000-0x00007FF641214000-memory.dmp
memory/4864-147-0x00007FF7DD1E0000-0x00007FF7DD534000-memory.dmp
memory/4928-146-0x00007FF7E4A10000-0x00007FF7E4D64000-memory.dmp
memory/5092-148-0x00007FF6F7A40000-0x00007FF6F7D94000-memory.dmp
memory/3120-149-0x00007FF6330D0000-0x00007FF633424000-memory.dmp
memory/4140-150-0x00007FF649830000-0x00007FF649B84000-memory.dmp
memory/1400-151-0x00007FF67F160000-0x00007FF67F4B4000-memory.dmp
memory/2540-152-0x00007FF783630000-0x00007FF783984000-memory.dmp
memory/4692-153-0x00007FF776520000-0x00007FF776874000-memory.dmp
memory/2956-154-0x00007FF6568B0000-0x00007FF656C04000-memory.dmp
memory/4636-155-0x00007FF7D6380000-0x00007FF7D66D4000-memory.dmp
memory/4704-156-0x00007FF749A60000-0x00007FF749DB4000-memory.dmp
memory/4908-157-0x00007FF637D60000-0x00007FF6380B4000-memory.dmp
memory/1068-158-0x00007FF719470000-0x00007FF7197C4000-memory.dmp
memory/3712-159-0x00007FF722810000-0x00007FF722B64000-memory.dmp
memory/1472-160-0x00007FF78FBC0000-0x00007FF78FF14000-memory.dmp
memory/4440-161-0x00007FF725060000-0x00007FF7253B4000-memory.dmp