Analysis Overview
SHA256
8036158698767316525cec7f9107b2f82928286decac024905ad5f19d14cae60
Threat Level: Known bad
The file 2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
XMRig Miner payload
Xmrig family
Cobaltstrike
xmrig
Cobalt Strike reflective loader
XMRig Miner payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-05 09:46
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-05 09:46
Reported
2024-08-05 09:49
Platform
win7-20240729-en
Max time kernel
141s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\GTYHPPj.exe | N/A |
| N/A | N/A | C:\Windows\System\HRKXwys.exe | N/A |
| N/A | N/A | C:\Windows\System\hMHwxDF.exe | N/A |
| N/A | N/A | C:\Windows\System\cPafSiy.exe | N/A |
| N/A | N/A | C:\Windows\System\TXdurFF.exe | N/A |
| N/A | N/A | C:\Windows\System\PCEzZZt.exe | N/A |
| N/A | N/A | C:\Windows\System\xQUIQxs.exe | N/A |
| N/A | N/A | C:\Windows\System\YlcNpEq.exe | N/A |
| N/A | N/A | C:\Windows\System\bSqzUXb.exe | N/A |
| N/A | N/A | C:\Windows\System\nDngiOY.exe | N/A |
| N/A | N/A | C:\Windows\System\HAKXvJy.exe | N/A |
| N/A | N/A | C:\Windows\System\ESIkvKa.exe | N/A |
| N/A | N/A | C:\Windows\System\fARmlvT.exe | N/A |
| N/A | N/A | C:\Windows\System\TLazaic.exe | N/A |
| N/A | N/A | C:\Windows\System\kugQxSk.exe | N/A |
| N/A | N/A | C:\Windows\System\JTAuIAi.exe | N/A |
| N/A | N/A | C:\Windows\System\ULLnTUb.exe | N/A |
| N/A | N/A | C:\Windows\System\rfuauCS.exe | N/A |
| N/A | N/A | C:\Windows\System\IKATang.exe | N/A |
| N/A | N/A | C:\Windows\System\ELaMwBf.exe | N/A |
| N/A | N/A | C:\Windows\System\cxwwkNA.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\GTYHPPj.exe
C:\Windows\System\GTYHPPj.exe
C:\Windows\System\HRKXwys.exe
C:\Windows\System\HRKXwys.exe
C:\Windows\System\hMHwxDF.exe
C:\Windows\System\hMHwxDF.exe
C:\Windows\System\cPafSiy.exe
C:\Windows\System\cPafSiy.exe
C:\Windows\System\TXdurFF.exe
C:\Windows\System\TXdurFF.exe
C:\Windows\System\PCEzZZt.exe
C:\Windows\System\PCEzZZt.exe
C:\Windows\System\YlcNpEq.exe
C:\Windows\System\YlcNpEq.exe
C:\Windows\System\xQUIQxs.exe
C:\Windows\System\xQUIQxs.exe
C:\Windows\System\bSqzUXb.exe
C:\Windows\System\bSqzUXb.exe
C:\Windows\System\nDngiOY.exe
C:\Windows\System\nDngiOY.exe
C:\Windows\System\HAKXvJy.exe
C:\Windows\System\HAKXvJy.exe
C:\Windows\System\ESIkvKa.exe
C:\Windows\System\ESIkvKa.exe
C:\Windows\System\fARmlvT.exe
C:\Windows\System\fARmlvT.exe
C:\Windows\System\TLazaic.exe
C:\Windows\System\TLazaic.exe
C:\Windows\System\rfuauCS.exe
C:\Windows\System\rfuauCS.exe
C:\Windows\System\kugQxSk.exe
C:\Windows\System\kugQxSk.exe
C:\Windows\System\IKATang.exe
C:\Windows\System\IKATang.exe
C:\Windows\System\JTAuIAi.exe
C:\Windows\System\JTAuIAi.exe
C:\Windows\System\ELaMwBf.exe
C:\Windows\System\ELaMwBf.exe
C:\Windows\System\ULLnTUb.exe
C:\Windows\System\ULLnTUb.exe
C:\Windows\System\cxwwkNA.exe
C:\Windows\System\cxwwkNA.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\GTYHPPj.exe
| MD5 | ed6d06e661602c90a1bf34e879f05178 |
| SHA1 | fac225ec457917f6b3aa513f25b161fb0e1e1f44 |
| SHA256 | 56ef590839292a20a8836734a7331c0457eca19b96c7b2d86721178bda6c5aef |
| SHA512 | 1fbab0d26f876b121345b8d630d0e1b1a65b9aa22ad43cf1be5d2e3d48a28b4e67e87494ea049ce7fc77cc831e302bb9ac61e6fe809416be483f885c190145a9 |
\Windows\system\hMHwxDF.exe
| MD5 | 7e07aff2ad257b529710fbc9f01d8d30 |
| SHA1 | 76d5842be1f337e8ffc4bad6e552213372a2a6d4 |
| SHA256 | 13f6353a55291897bcc5eea0584f02a68e89678ab49faea73f7e48056640b022 |
| SHA512 | 259ea5173fbed6eeab9869d29b2d7e90907a10e5bffa9180d5f0dfeed807d7ffc528a3539dd5c42b666d76f42ec3758ab7eb51b26ce0644f3430e9bf9f33392b |
C:\Windows\system\HRKXwys.exe
| MD5 | d571a84bbb14a260223b8c7ba31c9b0f |
| SHA1 | b23ef2db7f8b872816cf7ed0b9b456b465418ead |
| SHA256 | 4582d3d19a0bd35954242d55451d54daba43d16f6ac67da4a22641185f1b03d8 |
| SHA512 | c97bc5281041ad797beb379624d2e262f78a0d973b4c313c30ab485ad899834d615c12d676819177e4381de6a8501cda1bc7edb9111e814546846971fa7d9309 |
C:\Windows\system\cPafSiy.exe
| MD5 | b98ce02fdda7a7d88c6e310c1593412f |
| SHA1 | 7b1bb0ec7eeed37ca4beff29e5f7c0757ae42741 |
| SHA256 | b56c0ea90808d832c029aecf9af991a9030bf4e2e6c3ff0ee08a9075abab2b03 |
| SHA512 | 11161f9d8576f3c2c185bff77135e3811f83f3dd7de5d877c90ebe91a6404d32de3fc3716c5aea9419c8d4721bfc28abaec3567970c18fdbf70e8dc5f0a71d99 |
C:\Windows\system\TXdurFF.exe
| MD5 | 555ed0ae57b108ca960746f54ca792eb |
| SHA1 | 50b74ffde15267ba498f890b66dffbdcf1865784 |
| SHA256 | 23c1ee7dd488199c5d37bb37f5381e44826215caf3b0b587cf2526a932d29b08 |
| SHA512 | 4ee1646dcdc02fadb7eaf03e9b56263534d40b7e19f69a60882cee0080c60ba117f53aba7a6628c8812e08d1348b2f765d65f4c86ac061aaecb58698e4cea4b5 |
\Windows\system\YlcNpEq.exe
| MD5 | 1bbad830c49c6bfe1e6767772c9e5c4f |
| SHA1 | b05a4bb2559785dc644fe114765f07425ab8ae18 |
| SHA256 | 97903533d8f65b43a8a227d8a8fd05091c805d656d6fd2207658831bd1d405f5 |
| SHA512 | 8cc29650f5213aff1385fd92c0af3c9bedeb5596467c2fb0428f88184bbed60536e56bed248bfc9990c268c2917d40168b386e2579c197378a133cb0b3e55511 |
C:\Windows\system\xQUIQxs.exe
| MD5 | e49cb72ce260a2fe7d3bd48baf3e449b |
| SHA1 | 82c19d2e130c5b773dfbc6921cbbff65fca32142 |
| SHA256 | 8b2acf28da021be5eaa547f3c7cfe736e8b4d617bbaf7dd147c777dbdb3e2162 |
| SHA512 | 0d31fdcd573af117077ea0c030fbf366972d3308bfca214e6c73fd8b6fdfa0f746e2fae56c8df119707df1685c6250217457990c7d51e9b22e280b8fa22992e2 |
C:\Windows\system\PCEzZZt.exe
| MD5 | c1927b465d2ab6bb6cb3d696452fa8df |
| SHA1 | 1088d1dc06c72b7447f56f8efec136c7a4e5c19c |
| SHA256 | 3348409aee5f7318bce5dc4a9f97767f709727beba6c200d52d1c956f40742e0 |
| SHA512 | 779c99eaae5712a7bc980256cc0b5d51ff3e678ff88d098d01e14fb4f67e3c824fd9375b048135bcb183ca4c254b99f5d465455dff29918dc67ff4a749861ea9 |
C:\Windows\system\nDngiOY.exe
| MD5 | 9d4d66947101903cfad28b19f6db40ee |
| SHA1 | 02622dde48357c28c8cbc0033f27acb47fdb1f57 |
| SHA256 | e4f6476f57229354cc7b3716d9d09f799d630f5f6f5a16d04395a1092cbe02aa |
| SHA512 | fb17e76892a2b104a3af822b4ceefe86ac2552ad181a4a85fee7ec2d73036ec1aa935e87305696da32a70cfd8440d65d2021e00ac52226c0ac99dcca8f34a84b |
C:\Windows\system\bSqzUXb.exe
| MD5 | 96637af91e5527d2e72e85615ab2b077 |
| SHA1 | 2bac935edcfdb60fd6e4fbd0623980bf8ab0efac |
| SHA256 | afc4ad9f061060e6d75b76a106f16bec675b4a4b1f632247ff9598e937802c03 |
| SHA512 | e6358b3f684cf11c56a86edf1e2256bdea02cc66364bbe72b61ea48900cc544b06d71110a9f3a7db7f06fcba6d546f60bea63827a28b40bbf4008e08763ce670 |
C:\Windows\system\HAKXvJy.exe
| MD5 | 1f0f5a4c9f2309f673ee44cb2b256f41 |
| SHA1 | eeb20457ea084cae4f4ca640f7c8ac38fbcae811 |
| SHA256 | f60a818a2cc9ad932020ffb3d3f340302914f0a3407943cee4d5f6501c105a17 |
| SHA512 | 64f15002a78be2f9fb815f0d8d0d0e23e15971b03986635a990aab48226e96a40ec62273ef8908dc2fd8ebfb4adc5432dc84925959bea2e1aed98817fc188a99 |
C:\Windows\system\ESIkvKa.exe
| MD5 | 2a99d04ac209b15d4a08f19c46894541 |
| SHA1 | 0bcd3f2cf574dc34139f5050391038c2eb747dc9 |
| SHA256 | 04dcb4be5376e771191f7cf072769c621e2d95f72cf54fd4c856401425dbd23e |
| SHA512 | 67dca0748badf8a451fc635c70870959dbc1dcbd003e0c2dfbaac469b4fdcb0a81026988ead12aa3b9a5a2ca01b3d4ecc9366c15fe3d973b279d31a720b0e107 |
\Windows\system\TLazaic.exe
| MD5 | 671b919a828e4449a82f716b47375bdf |
| SHA1 | c3f38b49cf56daae34f53a4f9ad5b8d8bf13b36e |
| SHA256 | d51548209f9aae471d5cd3e3bda77f39f16a9720a191e7f09e6713d7235d2d4e |
| SHA512 | 25a3a7c36ae909891355b4a5e94d820df5f33042d933676ac5af1c1c064bcc46c668d4c801a70e86e63475c57ef6ed667f3d4a2427996b148af71c167f9d6568 |
\Windows\system\IKATang.exe
| MD5 | 9baa7c5fdddf3f994eeab942c679c30f |
| SHA1 | 2cecff1da4174973f5554604c01dbeb59c4bea67 |
| SHA256 | 5b5c0f66d8bf7ddef1595cdfc14acdd2faf94c4f689974e0a8b3bdd2af2e6482 |
| SHA512 | 82747f52cd53798755335d00d0d8651da25983d10d21653e826075f7614d1e93a1ba417870a72c3d0d9677852f53e6f01b8b625fec8d3c2b20a7ed5fb671f01a |
C:\Windows\system\JTAuIAi.exe
| MD5 | 2e62e1b455784808f08d07cc1efdd3f2 |
| SHA1 | db6aa570b9c3892c360a43a4412eb9ac9e802623 |
| SHA256 | 6428f8fafe355992425888a7ea4a0706b49509108a69c85c8c14142eb0a05898 |
| SHA512 | 5ddf88b77ef221c707d920a3670968b0c35928b228aecdf4e346f121334ede5a2abf63ae7239e2bbcfb48f7aed65fe5848911e6148f032e2304eb4bd460dda00 |
\Windows\system\cxwwkNA.exe
| MD5 | c1b84739c2d5b675ded7d4deac978940 |
| SHA1 | 6ce1453169c264651517241aeb2303678851c1e6 |
| SHA256 | 80a49bafe5ef30df2be1a000ed91ffe9c4b9e84f97d45711324a059273c34261 |
| SHA512 | 28ae74bd4866e86ae2b5a6539f3663c699a2d4e995b4f2a38cf806884bc7861011c71bb90c2748a2e0a67473e0c06de8143a380715510bf85bd06c3cfa46e9c6 |
\Windows\system\ELaMwBf.exe
| MD5 | d0cf2742bb441a086efcf0a354399b0e |
| SHA1 | 42b9f1f254a702c208a5c1b5cf08b7d047bc63e1 |
| SHA256 | 0ad5ab8a5a7be26bf890c5aeb573070e162bd58a6b2742d19b3e546bc2f47668 |
| SHA512 | 2959fd862295ded2b6daf6cdf903fc0dacd75e4a787f8ce8c07f6866f60feba159d923f905408742789d8657eb487e0c23dc232fb6d2e4a5a2676c763cadd521 |
C:\Windows\system\rfuauCS.exe
| MD5 | 55d4f47d72e4dc1ab5e925982ba0d88e |
| SHA1 | ea48d94b43c7fa51c6296a361ca5ceed3bcf2187 |
| SHA256 | 81448fc7bb30c0380e296794b90d0b4027eba898cbacc50de47d3e99958922d8 |
| SHA512 | 1d446426b699c832a49d98133291a687f103e9ccbb984da21d3dc127b6e75e40dc9fea8babcfb66d36b9ba4d678ff25d7375987e51feb1b83fbf2961d22590bf |
C:\Windows\system\ULLnTUb.exe
| MD5 | 8ac334c5fc979054940e75932c0e97d6 |
| SHA1 | cc2e848d5f7c998cb39dedf1eb03e71954ca5ba3 |
| SHA256 | e3fca4223574312a5d1bdc0e2b7e17a839b9a8dcaa1c3d3bd78066a44076ecd3 |
| SHA512 | e712f327e9fc64f2802941a655b634234aa583b405b4770fb045a1d7689d27547475488567ff1d3feae8fa67bd482d63a23af05637e72a862894a04b606a9e4f |
C:\Windows\system\kugQxSk.exe
| MD5 | 1c8e23e985baabfacca429590bca8596 |
| SHA1 | dd13c90e1abec777ff960b231d5f71c60a805c37 |
| SHA256 | 773fd4cb1e7e734e34a064d00a39d29f35089e7c6e43ff3a17ca5bacc1bbc5b0 |
| SHA512 | 49d76a258e26fce1ae32a48293cfb54f034e45aef27e08b71cf5de88818c7cb111b308a72e8fdacf892300ab2b668b1b50362a7b8ed9ec9e2d3d793b3aef6c18 |
C:\Windows\system\fARmlvT.exe
| MD5 | 938732f3972315fa7deed2525180c144 |
| SHA1 | 17c8e5426df008c605ddfbadad86291e489f6365 |
| SHA256 | 46ce5d5dbdf8e5ea1e74986fdbb14b49b156d3b4891938f72de3599ca0409e73 |
| SHA512 | c48c3c706b32559a6539c82cf60f1434aca4925aeaa27df48a710010e00eab649ae347ec824223c0697914034078f608e9a2646424b3521b572abb7df3f7a2ea |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-05 09:46
Reported
2024-08-05 09:49
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\GTYHPPj.exe | N/A |
| N/A | N/A | C:\Windows\System\HRKXwys.exe | N/A |
| N/A | N/A | C:\Windows\System\hMHwxDF.exe | N/A |
| N/A | N/A | C:\Windows\System\cPafSiy.exe | N/A |
| N/A | N/A | C:\Windows\System\PCEzZZt.exe | N/A |
| N/A | N/A | C:\Windows\System\TXdurFF.exe | N/A |
| N/A | N/A | C:\Windows\System\xQUIQxs.exe | N/A |
| N/A | N/A | C:\Windows\System\YlcNpEq.exe | N/A |
| N/A | N/A | C:\Windows\System\bSqzUXb.exe | N/A |
| N/A | N/A | C:\Windows\System\nDngiOY.exe | N/A |
| N/A | N/A | C:\Windows\System\HAKXvJy.exe | N/A |
| N/A | N/A | C:\Windows\System\ESIkvKa.exe | N/A |
| N/A | N/A | C:\Windows\System\fARmlvT.exe | N/A |
| N/A | N/A | C:\Windows\System\TLazaic.exe | N/A |
| N/A | N/A | C:\Windows\System\rfuauCS.exe | N/A |
| N/A | N/A | C:\Windows\System\kugQxSk.exe | N/A |
| N/A | N/A | C:\Windows\System\IKATang.exe | N/A |
| N/A | N/A | C:\Windows\System\JTAuIAi.exe | N/A |
| N/A | N/A | C:\Windows\System\ELaMwBf.exe | N/A |
| N/A | N/A | C:\Windows\System\ULLnTUb.exe | N/A |
| N/A | N/A | C:\Windows\System\cxwwkNA.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-05_6e9acc8c955b72b8e8a88b78ef4273e3_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\GTYHPPj.exe
C:\Windows\System\GTYHPPj.exe
C:\Windows\System\HRKXwys.exe
C:\Windows\System\HRKXwys.exe
C:\Windows\System\hMHwxDF.exe
C:\Windows\System\hMHwxDF.exe
C:\Windows\System\cPafSiy.exe
C:\Windows\System\cPafSiy.exe
C:\Windows\System\TXdurFF.exe
C:\Windows\System\TXdurFF.exe
C:\Windows\System\PCEzZZt.exe
C:\Windows\System\PCEzZZt.exe
C:\Windows\System\YlcNpEq.exe
C:\Windows\System\YlcNpEq.exe
C:\Windows\System\xQUIQxs.exe
C:\Windows\System\xQUIQxs.exe
C:\Windows\System\bSqzUXb.exe
C:\Windows\System\bSqzUXb.exe
C:\Windows\System\nDngiOY.exe
C:\Windows\System\nDngiOY.exe
C:\Windows\System\HAKXvJy.exe
C:\Windows\System\HAKXvJy.exe
C:\Windows\System\ESIkvKa.exe
C:\Windows\System\ESIkvKa.exe
C:\Windows\System\fARmlvT.exe
C:\Windows\System\fARmlvT.exe
C:\Windows\System\TLazaic.exe
C:\Windows\System\TLazaic.exe
C:\Windows\System\rfuauCS.exe
C:\Windows\System\rfuauCS.exe
C:\Windows\System\kugQxSk.exe
C:\Windows\System\kugQxSk.exe
C:\Windows\System\IKATang.exe
C:\Windows\System\IKATang.exe
C:\Windows\System\JTAuIAi.exe
C:\Windows\System\JTAuIAi.exe
C:\Windows\System\ELaMwBf.exe
C:\Windows\System\ELaMwBf.exe
C:\Windows\System\ULLnTUb.exe
C:\Windows\System\ULLnTUb.exe
C:\Windows\System\cxwwkNA.exe
C:\Windows\System\cxwwkNA.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 5.181.190.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\GTYHPPj.exe
| MD5 | ed6d06e661602c90a1bf34e879f05178 |
| SHA1 | fac225ec457917f6b3aa513f25b161fb0e1e1f44 |
| SHA256 | 56ef590839292a20a8836734a7331c0457eca19b96c7b2d86721178bda6c5aef |
| SHA512 | 1fbab0d26f876b121345b8d630d0e1b1a65b9aa22ad43cf1be5d2e3d48a28b4e67e87494ea049ce7fc77cc831e302bb9ac61e6fe809416be483f885c190145a9 |
C:\Windows\System\HRKXwys.exe
| MD5 | d571a84bbb14a260223b8c7ba31c9b0f |
| SHA1 | b23ef2db7f8b872816cf7ed0b9b456b465418ead |
| SHA256 | 4582d3d19a0bd35954242d55451d54daba43d16f6ac67da4a22641185f1b03d8 |
| SHA512 | c97bc5281041ad797beb379624d2e262f78a0d973b4c313c30ab485ad899834d615c12d676819177e4381de6a8501cda1bc7edb9111e814546846971fa7d9309 |
C:\Windows\System\hMHwxDF.exe
| MD5 | 7e07aff2ad257b529710fbc9f01d8d30 |
| SHA1 | 76d5842be1f337e8ffc4bad6e552213372a2a6d4 |
| SHA256 | 13f6353a55291897bcc5eea0584f02a68e89678ab49faea73f7e48056640b022 |
| SHA512 | 259ea5173fbed6eeab9869d29b2d7e90907a10e5bffa9180d5f0dfeed807d7ffc528a3539dd5c42b666d76f42ec3758ab7eb51b26ce0644f3430e9bf9f33392b |
C:\Windows\System\cPafSiy.exe
| MD5 | b98ce02fdda7a7d88c6e310c1593412f |
| SHA1 | 7b1bb0ec7eeed37ca4beff29e5f7c0757ae42741 |
| SHA256 | b56c0ea90808d832c029aecf9af991a9030bf4e2e6c3ff0ee08a9075abab2b03 |
| SHA512 | 11161f9d8576f3c2c185bff77135e3811f83f3dd7de5d877c90ebe91a6404d32de3fc3716c5aea9419c8d4721bfc28abaec3567970c18fdbf70e8dc5f0a71d99 |
C:\Windows\System\YlcNpEq.exe
| MD5 | 1bbad830c49c6bfe1e6767772c9e5c4f |
| SHA1 | b05a4bb2559785dc644fe114765f07425ab8ae18 |
| SHA256 | 97903533d8f65b43a8a227d8a8fd05091c805d656d6fd2207658831bd1d405f5 |
| SHA512 | 8cc29650f5213aff1385fd92c0af3c9bedeb5596467c2fb0428f88184bbed60536e56bed248bfc9990c268c2917d40168b386e2579c197378a133cb0b3e55511 |
C:\Windows\System\bSqzUXb.exe
| MD5 | 96637af91e5527d2e72e85615ab2b077 |
| SHA1 | 2bac935edcfdb60fd6e4fbd0623980bf8ab0efac |
| SHA256 | afc4ad9f061060e6d75b76a106f16bec675b4a4b1f632247ff9598e937802c03 |
| SHA512 | e6358b3f684cf11c56a86edf1e2256bdea02cc66364bbe72b61ea48900cc544b06d71110a9f3a7db7f06fcba6d546f60bea63827a28b40bbf4008e08763ce670 |
C:\Windows\System\nDngiOY.exe
| MD5 | 9d4d66947101903cfad28b19f6db40ee |
| SHA1 | 02622dde48357c28c8cbc0033f27acb47fdb1f57 |
| SHA256 | e4f6476f57229354cc7b3716d9d09f799d630f5f6f5a16d04395a1092cbe02aa |
| SHA512 | fb17e76892a2b104a3af822b4ceefe86ac2552ad181a4a85fee7ec2d73036ec1aa935e87305696da32a70cfd8440d65d2021e00ac52226c0ac99dcca8f34a84b |
C:\Windows\System\fARmlvT.exe
| MD5 | 938732f3972315fa7deed2525180c144 |
| SHA1 | 17c8e5426df008c605ddfbadad86291e489f6365 |
| SHA256 | 46ce5d5dbdf8e5ea1e74986fdbb14b49b156d3b4891938f72de3599ca0409e73 |
| SHA512 | c48c3c706b32559a6539c82cf60f1434aca4925aeaa27df48a710010e00eab649ae347ec824223c0697914034078f608e9a2646424b3521b572abb7df3f7a2ea |
C:\Windows\System\ESIkvKa.exe
| MD5 | 2a99d04ac209b15d4a08f19c46894541 |
| SHA1 | 0bcd3f2cf574dc34139f5050391038c2eb747dc9 |
| SHA256 | 04dcb4be5376e771191f7cf072769c621e2d95f72cf54fd4c856401425dbd23e |
| SHA512 | 67dca0748badf8a451fc635c70870959dbc1dcbd003e0c2dfbaac469b4fdcb0a81026988ead12aa3b9a5a2ca01b3d4ecc9366c15fe3d973b279d31a720b0e107 |
C:\Windows\System\HAKXvJy.exe
| MD5 | 1f0f5a4c9f2309f673ee44cb2b256f41 |
| SHA1 | eeb20457ea084cae4f4ca640f7c8ac38fbcae811 |
| SHA256 | f60a818a2cc9ad932020ffb3d3f340302914f0a3407943cee4d5f6501c105a17 |
| SHA512 | 64f15002a78be2f9fb815f0d8d0d0e23e15971b03986635a990aab48226e96a40ec62273ef8908dc2fd8ebfb4adc5432dc84925959bea2e1aed98817fc188a99 |
C:\Windows\System\xQUIQxs.exe
| MD5 | e49cb72ce260a2fe7d3bd48baf3e449b |
| SHA1 | 82c19d2e130c5b773dfbc6921cbbff65fca32142 |
| SHA256 | 8b2acf28da021be5eaa547f3c7cfe736e8b4d617bbaf7dd147c777dbdb3e2162 |
| SHA512 | 0d31fdcd573af117077ea0c030fbf366972d3308bfca214e6c73fd8b6fdfa0f746e2fae56c8df119707df1685c6250217457990c7d51e9b22e280b8fa22992e2 |
C:\Windows\System\PCEzZZt.exe
| MD5 | c1927b465d2ab6bb6cb3d696452fa8df |
| SHA1 | 1088d1dc06c72b7447f56f8efec136c7a4e5c19c |
| SHA256 | 3348409aee5f7318bce5dc4a9f97767f709727beba6c200d52d1c956f40742e0 |
| SHA512 | 779c99eaae5712a7bc980256cc0b5d51ff3e678ff88d098d01e14fb4f67e3c824fd9375b048135bcb183ca4c254b99f5d465455dff29918dc67ff4a749861ea9 |
memory/4524-36-0x00007FF6E94B0000-0x00007FF6E9801000-memory.dmp
C:\Windows\System\TXdurFF.exe
| MD5 | 555ed0ae57b108ca960746f54ca792eb |
| SHA1 | 50b74ffde15267ba498f890b66dffbdcf1865784 |
| SHA256 | 23c1ee7dd488199c5d37bb37f5381e44826215caf3b0b587cf2526a932d29b08 |
| SHA512 | 4ee1646dcdc02fadb7eaf03e9b56263534d40b7e19f69a60882cee0080c60ba117f53aba7a6628c8812e08d1348b2f765d65f4c86ac061aaecb58698e4cea4b5 |
C:\Windows\System\TLazaic.exe
| MD5 | 671b919a828e4449a82f716b47375bdf |
| SHA1 | c3f38b49cf56daae34f53a4f9ad5b8d8bf13b36e |
| SHA256 | d51548209f9aae471d5cd3e3bda77f39f16a9720a191e7f09e6713d7235d2d4e |
| SHA512 | 25a3a7c36ae909891355b4a5e94d820df5f33042d933676ac5af1c1c064bcc46c668d4c801a70e86e63475c57ef6ed667f3d4a2427996b148af71c167f9d6568 |
memory/2044-84-0x00007FF6F1160000-0x00007FF6F14B1000-memory.dmp
C:\Windows\System\rfuauCS.exe
| MD5 | 55d4f47d72e4dc1ab5e925982ba0d88e |
| SHA1 | ea48d94b43c7fa51c6296a361ca5ceed3bcf2187 |
| SHA256 | 81448fc7bb30c0380e296794b90d0b4027eba898cbacc50de47d3e99958922d8 |
| SHA512 | 1d446426b699c832a49d98133291a687f103e9ccbb984da21d3dc127b6e75e40dc9fea8babcfb66d36b9ba4d678ff25d7375987e51feb1b83fbf2961d22590bf |
memory/3808-92-0x00007FF781B70000-0x00007FF781EC1000-memory.dmp
C:\Windows\System\kugQxSk.exe
| MD5 | 1c8e23e985baabfacca429590bca8596 |
| SHA1 | dd13c90e1abec777ff960b231d5f71c60a805c37 |
| SHA256 | 773fd4cb1e7e734e34a064d00a39d29f35089e7c6e43ff3a17ca5bacc1bbc5b0 |
| SHA512 | 49d76a258e26fce1ae32a48293cfb54f034e45aef27e08b71cf5de88818c7cb111b308a72e8fdacf892300ab2b668b1b50362a7b8ed9ec9e2d3d793b3aef6c18 |
C:\Windows\System\IKATang.exe
| MD5 | 9baa7c5fdddf3f994eeab942c679c30f |
| SHA1 | 2cecff1da4174973f5554604c01dbeb59c4bea67 |
| SHA256 | 5b5c0f66d8bf7ddef1595cdfc14acdd2faf94c4f689974e0a8b3bdd2af2e6482 |
| SHA512 | 82747f52cd53798755335d00d0d8651da25983d10d21653e826075f7614d1e93a1ba417870a72c3d0d9677852f53e6f01b8b625fec8d3c2b20a7ed5fb671f01a |
C:\Windows\System\JTAuIAi.exe
| MD5 | 2e62e1b455784808f08d07cc1efdd3f2 |
| SHA1 | db6aa570b9c3892c360a43a4412eb9ac9e802623 |
| SHA256 | 6428f8fafe355992425888a7ea4a0706b49509108a69c85c8c14142eb0a05898 |
| SHA512 | 5ddf88b77ef221c707d920a3670968b0c35928b228aecdf4e346f121334ede5a2abf63ae7239e2bbcfb48f7aed65fe5848911e6148f032e2304eb4bd460dda00 |
C:\Windows\System\ULLnTUb.exe
| MD5 | 8ac334c5fc979054940e75932c0e97d6 |
| SHA1 | cc2e848d5f7c998cb39dedf1eb03e71954ca5ba3 |
| SHA256 | e3fca4223574312a5d1bdc0e2b7e17a839b9a8dcaa1c3d3bd78066a44076ecd3 |
| SHA512 | e712f327e9fc64f2802941a655b634234aa583b405b4770fb045a1d7689d27547475488567ff1d3feae8fa67bd482d63a23af05637e72a862894a04b606a9e4f |
C:\Windows\System\ELaMwBf.exe
| MD5 | d0cf2742bb441a086efcf0a354399b0e |
| SHA1 | 42b9f1f254a702c208a5c1b5cf08b7d047bc63e1 |
| SHA256 | 0ad5ab8a5a7be26bf890c5aeb573070e162bd58a6b2742d19b3e546bc2f47668 |
| SHA512 | 2959fd862295ded2b6daf6cdf903fc0dacd75e4a787f8ce8c07f6866f60feba159d923f905408742789d8657eb487e0c23dc232fb6d2e4a5a2676c763cadd521 |
C:\Windows\System\cxwwkNA.exe
| MD5 | c1b84739c2d5b675ded7d4deac978940 |
| SHA1 | 6ce1453169c264651517241aeb2303678851c1e6 |
| SHA256 | 80a49bafe5ef30df2be1a000ed91ffe9c4b9e84f97d45711324a059273c34261 |
| SHA512 | 28ae74bd4866e86ae2b5a6539f3663c699a2d4e995b4f2a38cf806884bc7861011c71bb90c2748a2e0a67473e0c06de8143a380715510bf85bd06c3cfa46e9c6 |
memory/2176-127-0x00007FF7B5C80000-0x00007FF7B5FD1000-memory.dmp
memory/4632-126-0x00007FF60FF20000-0x00007FF610271000-memory.dmp
memory/3660-120-0x00007FF799790000-0x00007FF799AE1000-memory.dmp
memory/848-119-0x00007FF66A610000-0x00007FF66A961000-memory.dmp
memory/1804-115-0x00007FF774710000-0x00007FF774A61000-memory.dmp
memory/2100-113-0x00007FF677A30000-0x00007FF677D81000-memory.dmp
memory/3152-105-0x00007FF68E6E0000-0x00007FF68EA31000-memory.dmp
memory/5012-100-0x00007FF649080000-0x00007FF6493D1000-memory.dmp
memory/4524-133-0x00007FF6E94B0000-0x00007FF6E9801000-memory.dmp
memory/1804-130-0x00007FF774710000-0x00007FF774A61000-memory.dmp
memory/2340-138-0x00007FF775720000-0x00007FF775A71000-memory.dmp
memory/1536-139-0x00007FF72A540000-0x00007FF72A891000-memory.dmp
memory/892-141-0x00007FF762650000-0x00007FF7629A1000-memory.dmp
memory/2044-147-0x00007FF6F1160000-0x00007FF6F14B1000-memory.dmp
memory/3940-145-0x00007FF6D4D10000-0x00007FF6D5061000-memory.dmp
memory/1804-148-0x00007FF774710000-0x00007FF774A61000-memory.dmp
memory/2100-158-0x00007FF677A30000-0x00007FF677D81000-memory.dmp
memory/4632-160-0x00007FF60FF20000-0x00007FF610271000-memory.dmp
memory/848-159-0x00007FF66A610000-0x00007FF66A961000-memory.dmp
memory/1804-170-0x00007FF774710000-0x00007FF774A61000-memory.dmp
memory/2892-200-0x00007FF7EAD50000-0x00007FF7EB0A1000-memory.dmp
memory/3660-202-0x00007FF799790000-0x00007FF799AE1000-memory.dmp
memory/2176-206-0x00007FF7B5C80000-0x00007FF7B5FD1000-memory.dmp
memory/4524-205-0x00007FF6E94B0000-0x00007FF6E9801000-memory.dmp
memory/4076-214-0x00007FF6303F0000-0x00007FF630741000-memory.dmp
memory/2340-213-0x00007FF775720000-0x00007FF775A71000-memory.dmp
memory/4560-210-0x00007FF752810000-0x00007FF752B61000-memory.dmp
memory/1936-209-0x00007FF7773B0000-0x00007FF777701000-memory.dmp
memory/4804-216-0x00007FF6FA3D0000-0x00007FF6FA721000-memory.dmp
memory/1092-220-0x00007FF69E7D0000-0x00007FF69EB21000-memory.dmp
memory/4568-224-0x00007FF76E820000-0x00007FF76EB71000-memory.dmp
memory/1536-222-0x00007FF72A540000-0x00007FF72A891000-memory.dmp
memory/3940-219-0x00007FF6D4D10000-0x00007FF6D5061000-memory.dmp
memory/2044-229-0x00007FF6F1160000-0x00007FF6F14B1000-memory.dmp
memory/3808-231-0x00007FF781B70000-0x00007FF781EC1000-memory.dmp
memory/5012-233-0x00007FF649080000-0x00007FF6493D1000-memory.dmp
memory/3152-235-0x00007FF68E6E0000-0x00007FF68EA31000-memory.dmp
memory/2100-237-0x00007FF677A30000-0x00007FF677D81000-memory.dmp
memory/848-239-0x00007FF66A610000-0x00007FF66A961000-memory.dmp
memory/4632-241-0x00007FF60FF20000-0x00007FF610271000-memory.dmp
memory/892-243-0x00007FF762650000-0x00007FF7629A1000-memory.dmp