Analysis Overview
SHA256
f24f07ff3da33479ced4a01582a36d4967f6592ee1dca94068be3b74fcdc347b
Threat Level: Known bad
The file 2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Cobaltstrike family
xmrig
Cobalt Strike reflective loader
Xmrig family
XMRig Miner payload
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-05 10:36
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-05 10:36
Reported
2024-08-05 10:39
Platform
win7-20240708-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System\hfyiLCt.exe | N/A |
| N/A | N/A | C:\Windows\System\rmrnTBN.exe | N/A |
| N/A | N/A | C:\Windows\System\sTkMQhc.exe | N/A |
| N/A | N/A | C:\Windows\System\MUFtipL.exe | N/A |
| N/A | N/A | C:\Windows\System\IKynVKG.exe | N/A |
| N/A | N/A | C:\Windows\System\paKusyu.exe | N/A |
| N/A | N/A | C:\Windows\System\XhTxnLp.exe | N/A |
| N/A | N/A | C:\Windows\System\pAAmuGR.exe | N/A |
| N/A | N/A | C:\Windows\System\pttMcoy.exe | N/A |
| N/A | N/A | C:\Windows\System\VXPbhul.exe | N/A |
| N/A | N/A | C:\Windows\System\lwnAzcJ.exe | N/A |
| N/A | N/A | C:\Windows\System\YDwCVzB.exe | N/A |
| N/A | N/A | C:\Windows\System\IEIJkNg.exe | N/A |
| N/A | N/A | C:\Windows\System\jAGGdtW.exe | N/A |
| N/A | N/A | C:\Windows\System\vxGeorS.exe | N/A |
| N/A | N/A | C:\Windows\System\NMZBSyf.exe | N/A |
| N/A | N/A | C:\Windows\System\DOssgMV.exe | N/A |
| N/A | N/A | C:\Windows\System\ytYucKO.exe | N/A |
| N/A | N/A | C:\Windows\System\KzbaoeM.exe | N/A |
| N/A | N/A | C:\Windows\System\MjcDrhx.exe | N/A |
| N/A | N/A | C:\Windows\System\vvxCTEy.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\hfyiLCt.exe
C:\Windows\System\hfyiLCt.exe
C:\Windows\System\rmrnTBN.exe
C:\Windows\System\rmrnTBN.exe
C:\Windows\System\sTkMQhc.exe
C:\Windows\System\sTkMQhc.exe
C:\Windows\System\MUFtipL.exe
C:\Windows\System\MUFtipL.exe
C:\Windows\System\IKynVKG.exe
C:\Windows\System\IKynVKG.exe
C:\Windows\System\paKusyu.exe
C:\Windows\System\paKusyu.exe
C:\Windows\System\XhTxnLp.exe
C:\Windows\System\XhTxnLp.exe
C:\Windows\System\pAAmuGR.exe
C:\Windows\System\pAAmuGR.exe
C:\Windows\System\pttMcoy.exe
C:\Windows\System\pttMcoy.exe
C:\Windows\System\VXPbhul.exe
C:\Windows\System\VXPbhul.exe
C:\Windows\System\lwnAzcJ.exe
C:\Windows\System\lwnAzcJ.exe
C:\Windows\System\YDwCVzB.exe
C:\Windows\System\YDwCVzB.exe
C:\Windows\System\NMZBSyf.exe
C:\Windows\System\NMZBSyf.exe
C:\Windows\System\IEIJkNg.exe
C:\Windows\System\IEIJkNg.exe
C:\Windows\System\DOssgMV.exe
C:\Windows\System\DOssgMV.exe
C:\Windows\System\jAGGdtW.exe
C:\Windows\System\jAGGdtW.exe
C:\Windows\System\ytYucKO.exe
C:\Windows\System\ytYucKO.exe
C:\Windows\System\vxGeorS.exe
C:\Windows\System\vxGeorS.exe
C:\Windows\System\KzbaoeM.exe
C:\Windows\System\KzbaoeM.exe
C:\Windows\System\MjcDrhx.exe
C:\Windows\System\MjcDrhx.exe
C:\Windows\System\vvxCTEy.exe
C:\Windows\System\vvxCTEy.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2876-0-0x0000000000480000-0x0000000000490000-memory.dmp
memory/2876-1-0x000000013FE30000-0x0000000140184000-memory.dmp
\Windows\system\hfyiLCt.exe
| MD5 | e50b0e74a0b5cd6b553e94507373a450 |
| SHA1 | c14b7e22672fa4b9dee82247b75be8d2382d4c2d |
| SHA256 | 409d0bc8bc719eb423c942a72a12d3de7d9631065163231c4e4a19e0a5ecf019 |
| SHA512 | 9ac00e474a2946f1ac04ea121dbf87a9e4a1fe6ae17153a6d1be38368b796c34492ec951092bea59d78f0df731f198ac8ff2ed1aaf6600caa7aecabef0c5b895 |
memory/2752-9-0x000000013F240000-0x000000013F594000-memory.dmp
C:\Windows\system\rmrnTBN.exe
| MD5 | b5fdabfa0d4ea2d97f732a2f44784625 |
| SHA1 | 49c262e218d43bd4756c30a084e28b74d5357a75 |
| SHA256 | 273a160913b5471e60f0d0204fcb4c33367737d772650abcdb52e01016b88dd2 |
| SHA512 | 6880e68b0bc262d137be6d91f5756bf3fda28d50cb98de59de068376f2361ce803e067507fb57e70d96e367ab98ef9e6004232b2e657bea0cc92def35b40d900 |
memory/2876-11-0x00000000022E0000-0x0000000002634000-memory.dmp
C:\Windows\system\sTkMQhc.exe
| MD5 | 15b3296a7f068f3523a91df3db74e0a9 |
| SHA1 | d5f83649c4447e546631051056245c1cb5886ba6 |
| SHA256 | a574a5b5e96246f565065e9e2defb70de03cdfd4799c1771911ce5c0f1df6da1 |
| SHA512 | 427bc22a5133783abd769b464f79325271bbdc462aa299511f4b90167b86dac6582788902f59c4087ae2fa058dcdb170546ede316f00df7205752313c2476a63 |
memory/2900-14-0x000000013FC00000-0x000000013FF54000-memory.dmp
C:\Windows\system\MUFtipL.exe
| MD5 | d67610419b5b3fa939a66c84674506f9 |
| SHA1 | e98bbe3f4cde0831ebae46030bb6d82a62b6b869 |
| SHA256 | a12b6a15790cd89f09456578b3eb9a372420cb52bc77626e22eccbb2e08e4556 |
| SHA512 | f1ab773e2e4b20ca21036a36a97a62aa71188b9100c2284392257b30ac4ae8a730f7886a6276057adf596433bb75cb57d97675e848872ec4f7586a3905109b4e |
memory/2916-28-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/1808-27-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/2876-19-0x000000013F570000-0x000000013F8C4000-memory.dmp
C:\Windows\system\IKynVKG.exe
| MD5 | 0080fdfb3b3a646a6be8cc3b037159cf |
| SHA1 | 87070b1752b8ad001f9c2886d715afb908a0f12c |
| SHA256 | efa9aaab08f7831066cae18091bc62612474c1f3c9edd5e3171a7bee9578ecf8 |
| SHA512 | 5eccbaa0d0299fa184116b2199e4debf2a868cec90c6419930c5e24ffe7e5e3d2c60afc85072c9596fb329a51365333ea3b340b60f2716a467796e813a76b0a8 |
memory/2160-35-0x000000013FE40000-0x0000000140194000-memory.dmp
C:\Windows\system\paKusyu.exe
| MD5 | 91bfec24cfd9fe0da421b74f0bcd99ed |
| SHA1 | efb18dc24a5b33d9e605ba91ee13ffecb6ed73cd |
| SHA256 | a526846a4345b0d0830b0e3c697b1d0494a9baab1eddd904e5c2d1dc0dbb879f |
| SHA512 | db6a79e5ebf0b41b4097f3b7efc86d02925ece7a86d10293f7d79e641d7ed475547be5aecf9825a731c720109156555d6229d1942f32cddafc2f86f4431abe6b |
memory/2668-40-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/2876-39-0x00000000022E0000-0x0000000002634000-memory.dmp
C:\Windows\system\XhTxnLp.exe
| MD5 | a26951d7fe27227d8a8e4b9467c167fc |
| SHA1 | be3891291ed44c7b692cc0eac355576ea7c87715 |
| SHA256 | e434521e72a37e109f0ebdaa64999c7fb91fcdbb986ca63202fbbbd40c50b764 |
| SHA512 | b4962814dbbfd34f993ca29f9fa993cddff2220cd2ecd1f599d77a7a1f944750fe636913b13a6632161bf206ae3b9c895796c8b5ae83f6c8c032eedf9d0f01f7 |
memory/2272-49-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/2876-48-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/2876-34-0x00000000022E0000-0x0000000002634000-memory.dmp
C:\Windows\system\pAAmuGR.exe
| MD5 | d4a3be7ae8703e870bfa948a1ec19cb2 |
| SHA1 | 47258d13795ae3dbb9aad17144e375d787e132b8 |
| SHA256 | 8aeb3cde1c7e64c154b9cd6a8d71246a972cb0a94deee7484f58d48cfb4374c6 |
| SHA512 | c644351e9729ca3afb51f271de862fd17f330b39cab8032d2071faed87d7dc108632598535f09f4b6a1e6e558c8e48b503f8c3b4b6c734b4f437aa71dad74c0d |
memory/2876-63-0x00000000022E0000-0x0000000002634000-memory.dmp
memory/2812-61-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/2876-60-0x00000000022E0000-0x0000000002634000-memory.dmp
C:\Windows\system\pttMcoy.exe
| MD5 | f476e58c7c4ed6e79eb5a190e5569efe |
| SHA1 | 2878bc59185b85648fc0cf57617a6aeb6d03fbe3 |
| SHA256 | 68d875a97afb5b4c72ca6bf8013aa750be0d22c8373ea68cce17acb3b09073f8 |
| SHA512 | a5367aaa5b770cf11a5f5fcfb24490694958b6d2f34ff4adbbb95afe853b8b377a67635edc32758b1925327450e1a229dc84eabbd8b700565d20fc747c85fbd1 |
C:\Windows\system\VXPbhul.exe
| MD5 | 665f4b169afa0f812f719a3ed0fcbcba |
| SHA1 | 8795734029e5a14ffc53f20ca28540790a3db3a1 |
| SHA256 | 060a1ad059d2069191a1e806b6672948c459d8f18c28d52fef9ee087dbf2c1b2 |
| SHA512 | 96adf7d3c4df26014c0c554d6e7c97f4bfee91307822452d31193680993bfa3a2c6a72b8433aa91a0e7ad445a12908cff10210c3d66323a0c9444a7542ebc9e5 |
memory/1096-55-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2900-68-0x000000013FC00000-0x000000013FF54000-memory.dmp
\Windows\system\vxGeorS.exe
| MD5 | 7b68c3b6699644fe7670652d4e4c953a |
| SHA1 | eb477d1aaacafd49e10e91538ebd91a4ff0ed6cf |
| SHA256 | 85459e8031700f763935f09ce6ef46b4a0df20cc57352ddfe231b413e987a110 |
| SHA512 | 849ebe48b1195bb3dffc5c92e45ccbd6dee19f657c7bfe2cda3e8df5a25e68e9729e327b3d30e131c63d7e3ffdd439e4e9bb33346a46c4fb9b58deeaeb47a7d5 |
memory/2876-109-0x000000013F380000-0x000000013F6D4000-memory.dmp
C:\Windows\system\NMZBSyf.exe
| MD5 | b12686e8860a879e5723c6906c33d8c6 |
| SHA1 | c162a9953d2500ed109413733205da9a238a9089 |
| SHA256 | d1dbebb954fb7be0e4b78ca386f3d60dcaf970664138328f5ea267b315a1b489 |
| SHA512 | 3fce8ae2eafbc036854b0a5de5e30d660a74256de630a89d4af04760736006e45bfa6a71384d4f734ab317e68ae82fbb260e1131687cde881b1fa4964d6cc80e |
memory/2056-86-0x000000013F630000-0x000000013F984000-memory.dmp
\Windows\system\ytYucKO.exe
| MD5 | e24228a909a65850a4d494aff7b72f6d |
| SHA1 | 9bdc91cedfa425c646e193a5b7d8a7222cd4d0d3 |
| SHA256 | acd213feb615f626c3b0416e81f44724b27b7b0d75b626beebfcf67f94666c4a |
| SHA512 | b00a7040d6c1f63b12bea33e00c6db90dd0d5ea3cc9da5637be426349937cc3e7a988eaee875663eda60135c32d192cddfd0e60de68abe6d61c152d81599b7c9 |
C:\Windows\system\KzbaoeM.exe
| MD5 | 35f498783232dd0deb04d061387f6d59 |
| SHA1 | 2343e5c8ce71a812c45c21a594f699d4e5afb62c |
| SHA256 | b675a3f4c84afb73c960094cd795486a59760b21e1d6b96ae01bbeac41854a1a |
| SHA512 | 0a85af23f2c25b7d4dc3e4ef2e9c4635edce7b63bd49edffaee2317ab7d26b9ffeb22c2da012145f9cfc92576fa68b296c5d2b8c5f0a63b52a2feef762907ed7 |
\Windows\system\vvxCTEy.exe
| MD5 | 3a0dd2121bc3e5de7a9b93e9d8ee7b80 |
| SHA1 | c4575bc1f148448b49a2ec5e3876a7fd0127f65b |
| SHA256 | 7bdb41d994bddeb1df9809ed0e49f394141f6b67624aba4875a9733468151938 |
| SHA512 | 825de0c9902dca5532d60b01ff07fd78962e05bd0a32863f368111a3ea69a4c63b854d95cb29908834648730d63e7b8d2c7becaca1da05035975cf6274236f82 |
C:\Windows\system\MjcDrhx.exe
| MD5 | 1c17479c6332f627da7f4bf97e5ccfd6 |
| SHA1 | 217db7d9bfd1ef64ae48ccd666ebf4c3377ff0ea |
| SHA256 | 2943479ead54b3b0def6c2bdf4a2bfcb7a099178cc4b67768cbe1e9bd25c8a38 |
| SHA512 | b3577b29276f7737de8a3cf5cd823537c19d8d50649237e998ea74c8acf4ff19e2467ba8ab9d6eea6c0c6e7a75d560b5289136cf81652113bfb046281e8a15b9 |
\Windows\system\DOssgMV.exe
| MD5 | 0ceeee20163c987f53885b674b95544a |
| SHA1 | ce2beb2fc8d3eaa51512f247ef1f24cdca2ee64a |
| SHA256 | aef4b1489e0295a0d5088a0e47990847451d84b0a97d2cabffe2098bfb9113d9 |
| SHA512 | 18420f95690539e301bf6c7b67e4b8d253d1d503f7c4f3ed5ba115dfef26a87eebc00c36f35c25fe46628afbff6a19582e69de4a02aab66e2e9afadc06340746 |
memory/2876-111-0x00000000022E0000-0x0000000002634000-memory.dmp
memory/1808-110-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/2876-108-0x00000000022E0000-0x0000000002634000-memory.dmp
memory/2876-107-0x00000000022E0000-0x0000000002634000-memory.dmp
C:\Windows\system\jAGGdtW.exe
| MD5 | 02d12ad9094b342aa903823b339b604e |
| SHA1 | e964f7e0c54605bf6b734633c2a09f55cc1830a3 |
| SHA256 | 49c64371250956565f04f658506dea9b33fede9852341708c7f9232b9445476f |
| SHA512 | 06a0839b517dd4d9986f6da41ea7a215ff33d85a8c46fdacd263a6b1ae2a4377c031f8379d8fd479cc65d97f7d2f16df0f68e9605906f5038eb459bafa265969 |
C:\Windows\system\IEIJkNg.exe
| MD5 | e75ebec61e3f4f74b281a67057bd79ca |
| SHA1 | a38f28b01b7273da83bd9019452235494ff3925f |
| SHA256 | a4803dfb343325f846f7a82c00e8c81935e79019d6764f68eb68fd893e56c39d |
| SHA512 | 50af00ffd9e332b710962f5a5fe5b3c326dca44d6634d471693d40c6a9d8bc8910b3734d85cbcf6fa08194bc5e19a25a6c24cad0be4272cf3e9afe89514108bc |
C:\Windows\system\YDwCVzB.exe
| MD5 | df3fefc4c9bb0fdd29e5431ad2b395dc |
| SHA1 | aad5791b7073726066313c0c1af6e0b9071df7a6 |
| SHA256 | ecc9857de31d65355536efabf1e4d0c6b6e54d45b43816a0e39188be184cc250 |
| SHA512 | 4a39fc1ad2485e6218b26ff70db2156103056ee1bd1b7ad4575f29513c74aaa2726c7ed07763b0ec31a3e1215130511d0e259a990b4d1afec6af9ce9f53526aa |
memory/2876-92-0x00000000022E0000-0x0000000002634000-memory.dmp
memory/2064-78-0x000000013FFE0000-0x0000000140334000-memory.dmp
C:\Windows\system\lwnAzcJ.exe
| MD5 | 016ad82a1e54b5caac53f87a8f20ab2f |
| SHA1 | 6985e90045a4888d0de290b5233747865b284d5d |
| SHA256 | 50de4dbec25bbba11f1e1e490e48ef0724b749f0a37690cc935772904b4c1710 |
| SHA512 | 381561bf675ee501b54c48ba55dc2a56ddbc0a0e46ec4f8fd4bc9d394e2269929764dfde0bf719ad569cdf5ca3a77f12e085c9fc5af55a50e8004c572de74aa6 |
memory/2876-132-0x00000000022E0000-0x0000000002634000-memory.dmp
memory/2668-133-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/2812-134-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/2876-135-0x000000013F460000-0x000000013F7B4000-memory.dmp
memory/2752-136-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2900-137-0x000000013FC00000-0x000000013FF54000-memory.dmp
memory/1808-138-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/2916-139-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2160-140-0x000000013FE40000-0x0000000140194000-memory.dmp
memory/2668-141-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/2272-142-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/1096-143-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2064-144-0x000000013FFE0000-0x0000000140334000-memory.dmp
memory/2812-145-0x000000013FDA0000-0x00000001400F4000-memory.dmp
memory/2056-146-0x000000013F630000-0x000000013F984000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-05 10:36
Reported
2024-08-05 10:39
Platform
win10v2004-20240802-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System\eDevBkI.exe | N/A |
| N/A | N/A | C:\Windows\System\WDxfRaY.exe | N/A |
| N/A | N/A | C:\Windows\System\JbJhzWQ.exe | N/A |
| N/A | N/A | C:\Windows\System\mMcjNOa.exe | N/A |
| N/A | N/A | C:\Windows\System\kjBszdL.exe | N/A |
| N/A | N/A | C:\Windows\System\fJfGWQi.exe | N/A |
| N/A | N/A | C:\Windows\System\NwWNvVg.exe | N/A |
| N/A | N/A | C:\Windows\System\PtPqxvn.exe | N/A |
| N/A | N/A | C:\Windows\System\nItxwWw.exe | N/A |
| N/A | N/A | C:\Windows\System\JwGLYqI.exe | N/A |
| N/A | N/A | C:\Windows\System\PcHbEhO.exe | N/A |
| N/A | N/A | C:\Windows\System\YdALpRS.exe | N/A |
| N/A | N/A | C:\Windows\System\HEIpqst.exe | N/A |
| N/A | N/A | C:\Windows\System\fzufeqK.exe | N/A |
| N/A | N/A | C:\Windows\System\EqHukyt.exe | N/A |
| N/A | N/A | C:\Windows\System\acaBVSb.exe | N/A |
| N/A | N/A | C:\Windows\System\isLDGhb.exe | N/A |
| N/A | N/A | C:\Windows\System\pAcegaF.exe | N/A |
| N/A | N/A | C:\Windows\System\ZZbVpLn.exe | N/A |
| N/A | N/A | C:\Windows\System\Fzvhuks.exe | N/A |
| N/A | N/A | C:\Windows\System\kCpfLta.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-05_8c0a03fd04668efb20f863db99239cfd_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\eDevBkI.exe
C:\Windows\System\eDevBkI.exe
C:\Windows\System\WDxfRaY.exe
C:\Windows\System\WDxfRaY.exe
C:\Windows\System\JbJhzWQ.exe
C:\Windows\System\JbJhzWQ.exe
C:\Windows\System\mMcjNOa.exe
C:\Windows\System\mMcjNOa.exe
C:\Windows\System\kjBszdL.exe
C:\Windows\System\kjBszdL.exe
C:\Windows\System\fJfGWQi.exe
C:\Windows\System\fJfGWQi.exe
C:\Windows\System\NwWNvVg.exe
C:\Windows\System\NwWNvVg.exe
C:\Windows\System\PtPqxvn.exe
C:\Windows\System\PtPqxvn.exe
C:\Windows\System\nItxwWw.exe
C:\Windows\System\nItxwWw.exe
C:\Windows\System\JwGLYqI.exe
C:\Windows\System\JwGLYqI.exe
C:\Windows\System\PcHbEhO.exe
C:\Windows\System\PcHbEhO.exe
C:\Windows\System\YdALpRS.exe
C:\Windows\System\YdALpRS.exe
C:\Windows\System\HEIpqst.exe
C:\Windows\System\HEIpqst.exe
C:\Windows\System\fzufeqK.exe
C:\Windows\System\fzufeqK.exe
C:\Windows\System\EqHukyt.exe
C:\Windows\System\EqHukyt.exe
C:\Windows\System\acaBVSb.exe
C:\Windows\System\acaBVSb.exe
C:\Windows\System\isLDGhb.exe
C:\Windows\System\isLDGhb.exe
C:\Windows\System\pAcegaF.exe
C:\Windows\System\pAcegaF.exe
C:\Windows\System\ZZbVpLn.exe
C:\Windows\System\ZZbVpLn.exe
C:\Windows\System\Fzvhuks.exe
C:\Windows\System\Fzvhuks.exe
C:\Windows\System\kCpfLta.exe
C:\Windows\System\kCpfLta.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4116-0-0x00007FF7DA940000-0x00007FF7DAC94000-memory.dmp
memory/4116-1-0x000001E7F7C70000-0x000001E7F7C80000-memory.dmp
C:\Windows\System\eDevBkI.exe
| MD5 | 27cbc8a03db7ae9a28cfe16399beaf76 |
| SHA1 | fe70df2be18ae57f0444c8ab9ab86f5b04203860 |
| SHA256 | b25ea7c4c1b38858cf40bcc2f0be4f2f135b373127ff4f88cb8fa260c98b30a6 |
| SHA512 | 925d8bb8a1da09f14787a45a9a87c480e191fa452d65ee46e2818a3c73d6e00e51d5d902928e63ac99544e231e1e1a3b79594851f7d8937b3e25c85b742a5138 |
memory/4144-8-0x00007FF763DA0000-0x00007FF7640F4000-memory.dmp
C:\Windows\System\WDxfRaY.exe
| MD5 | a3a163f5ee9474e31ec724951b7299d4 |
| SHA1 | c42f25d7eeee306eeaa3215df1f508bf01fa9bbc |
| SHA256 | 05a1cc4688a055c748ab5084341991ec8cc9120541ce05c05ba25751dc46dbdf |
| SHA512 | 8c172eb77481a60d7936cf709261ba87e5e7359f5fb291e8b64005c373c4fa48122bf0bb7e7aadd696978bcd687a3e800c70680ddc343d0a90cd2b640799ddfd |
C:\Windows\System\JbJhzWQ.exe
| MD5 | 4e513726e21683dad85088742b7164b8 |
| SHA1 | 9a11db260dbaca14cde1ce0aa8d18a26dbecccb4 |
| SHA256 | ec56ff910cf726d8f714a82db7c9319a0cf699a92c236e483ad08e789789ef75 |
| SHA512 | 22df05a9d5e6651f3140ade8d617c242a58c81d164e625bd37b583e5f625f8711f86f92f30e8a611e56c3e42a748c285b987b94bb77389234966a6f3c0ec46ed |
memory/928-14-0x00007FF648690000-0x00007FF6489E4000-memory.dmp
C:\Windows\System\mMcjNOa.exe
| MD5 | 79fee50f2ea0952d4e2937d221bd850b |
| SHA1 | 7ecc340006d562b21e17643a9af72cff7b2be455 |
| SHA256 | a5d249232aed4673137b0ee91eaf861ef793950a6bb3a2fb5e7a151d140f3af8 |
| SHA512 | e8a77b3fafe37d25c740f00399757d985088262d018fe411e7544c1c9d9d5b59c5bfafdc4f2e3d8624cf19fd629732c8bf9d4564c9578cb36bd7c3e01b051aef |
C:\Windows\System\kjBszdL.exe
| MD5 | 679f416b752fa33db5ea06cce2cb4278 |
| SHA1 | b89b7b194da1d66910c1fe2cc4481a93e3dfcfd6 |
| SHA256 | b10e77d91a28b714aea355eeaad7bd16bcbf007f44de0538f2073f7774ad5418 |
| SHA512 | 5e645cfef6d46859c901b031bdb4cea91ca7c9f0f70d5a0bdfdc8776e92acd642016abe361d5ca4dbca844ab2e2e52e56d4551a02b22fea24e8e55e185210892 |
memory/2688-35-0x00007FF6CCD70000-0x00007FF6CD0C4000-memory.dmp
memory/4576-40-0x00007FF789A80000-0x00007FF789DD4000-memory.dmp
C:\Windows\System\NwWNvVg.exe
| MD5 | ac5a3684f204873002a93cc9449bd03a |
| SHA1 | 332c256a3c04dc9695a7dca7dc584b15aa023825 |
| SHA256 | e26209cd5307b0b95de066f892608024fe57cd10b13965152096d7e6b72506f9 |
| SHA512 | 140b5dcfd8cdbb4b4e240bd83719ee4ec4df020d538d9cffff13b329611156c9cf5c00d87aaca3ff6ffce9752a3597f4b1449e671b469d481681c8a2ddf6ed7d |
memory/2940-42-0x00007FF73A310000-0x00007FF73A664000-memory.dmp
C:\Windows\System\fJfGWQi.exe
| MD5 | d340aafea1ef0720acfa72b892441941 |
| SHA1 | 0d37c4a8505be53f36dbe6918ae0696ba1f153b2 |
| SHA256 | 345defe4c0dd08dfecbcb0002fafcfb090aa81ca7b9b2a8f911d4f4c4afbcf45 |
| SHA512 | d36b338e1dd72a66d909a11cacdbc47e27e4d0c69b50c9ce21fc92ecef4500120e89564216e9d9a3690e7670d51070ab43c801f15f54fce45a0680fdec9e0f2e |
memory/1856-28-0x00007FF759230000-0x00007FF759584000-memory.dmp
memory/3732-21-0x00007FF66DDA0000-0x00007FF66E0F4000-memory.dmp
C:\Windows\System\PtPqxvn.exe
| MD5 | 447384fc31a0d23bfe969e417fba27af |
| SHA1 | 19bbd48069f717fbeea272781289d880c5014582 |
| SHA256 | 3bab9f64ec6129e515e9488bd4ed84a546bb6560e79468d75a62484b5de1c389 |
| SHA512 | 6737f769daade005586ad0ee8f36ba2b7deebdfcfaee53c463c2b059d108eed4152302eb5b1bba853ba64f332c815b4fb524601669b5602baa299775c685426d |
memory/5116-50-0x00007FF61C490000-0x00007FF61C7E4000-memory.dmp
C:\Windows\System\nItxwWw.exe
| MD5 | b086f28b2fcf82db32d96c48a9b29358 |
| SHA1 | 6a5fcbd9e3040dd38c0c44664fe0e83f3bbfc0e7 |
| SHA256 | ce3bcc45f2b9393eda7095fa212051a21db5cb45485ec624cba41bcdc83eb698 |
| SHA512 | 68d80eaca7a2429786d7f456621d0eabae28c2227b1f81dd2eebabd33eb30c6194a22666c320ca8ac23d6662751614421c780126f4023d2c9f3f582b263a9eb7 |
memory/2012-56-0x00007FF66F520000-0x00007FF66F874000-memory.dmp
C:\Windows\System\JwGLYqI.exe
| MD5 | 30ba34e5c8e92daf076a7d5f97dacca8 |
| SHA1 | 0b4aedbd8017669425bbd71e4b1a26d274477ae1 |
| SHA256 | 520cf3e448bc542c2a8465f7dbd0ad7b0028a588f9e71763bbf3c59a76c178c8 |
| SHA512 | 1b8e23e20d96a6e87698c19a11ab9eb485371843609f3a9d8e40aed7e865acf5b3577ff1d6dd33ee67d9db0765b394623281e30ef5c8310c073b1a48dcf2229e |
memory/4116-60-0x00007FF7DA940000-0x00007FF7DAC94000-memory.dmp
memory/1724-63-0x00007FF7053E0000-0x00007FF705734000-memory.dmp
C:\Windows\System\PcHbEhO.exe
| MD5 | 0863d1ef6929c14eae4c645d76ac6676 |
| SHA1 | 06d4ae1447319c1c29ec101d8c24dfec674ffeed |
| SHA256 | c092ad0df978e716d82833d83885298bcc0b562fb0d6b3e2cbce1ab6e8a601e2 |
| SHA512 | 2c7317c2d1f36dd3b0b985f35fb1bf8fa0a6c3f674f0ddacb9013719395df167e343cdbe6ae9d789f3ed60fdf0ef0c709494c67b0063a80d9cae3c254985e1e1 |
memory/2044-69-0x00007FF722DA0000-0x00007FF7230F4000-memory.dmp
memory/4144-68-0x00007FF763DA0000-0x00007FF7640F4000-memory.dmp
C:\Windows\System\YdALpRS.exe
| MD5 | fade728dc1afdd25f4a911baa4692330 |
| SHA1 | 4e9f66dde138efd6af15d97750dbb055c753ba66 |
| SHA256 | cb2a4fbbf7afc61f4faed00b580050d55e4cb904384c833dfacd0b56f574d233 |
| SHA512 | e4f771c929f79316f6234fb98b65a6ef94c16c9389cc2c38ebb38f0aeaf295b4b38d772c5d3486314df5cc420115d64bc04091f7a75bfcc7ba0c1c54f1bf384f |
memory/4204-75-0x00007FF68FA70000-0x00007FF68FDC4000-memory.dmp
memory/928-74-0x00007FF648690000-0x00007FF6489E4000-memory.dmp
C:\Windows\System\HEIpqst.exe
| MD5 | 790ba18bd0c146ed19f71d7202918c7c |
| SHA1 | cfd24c1c8b3bddb272654187de0cea85a3905cd8 |
| SHA256 | 99692a0fec64f8c7cb4b99ce587faac4bd1a27a9123c4b73e1b4c75c4e0f3900 |
| SHA512 | 67500f55ed943a19c6453151f40032e39087ee54ca7b8c4a25ad924b809b6dfcca3c57dd1c5007ece21a10327dba0bfdd989010ba25580cc48f1aae5605969b2 |
C:\Windows\System\fzufeqK.exe
| MD5 | 1bc243a71f9ca159c35ca5e1ed850de0 |
| SHA1 | 9035a61027ec5669f5dee415f22bb10fc239dbb7 |
| SHA256 | 012cc6c5793258bd05a8f644097979b363f8296cc6eba9e9adea1b316ea540d4 |
| SHA512 | e86b7e9fe7cd2aabee342425455c1095751e8583a0c9434bdcc0ec81ed47ae85aaf3344d664a4ed60a06589c458d73d37e4c06d6985e7ea1693c1376e97b437c |
C:\Windows\System\EqHukyt.exe
| MD5 | 39b2fab8cc08e315c61919ee1f61cd64 |
| SHA1 | 391eccda7809d3dc39fc26493e35b65b8d766134 |
| SHA256 | 87784feef616c5de49a54354755b54dfad4af8273659d2e0a1f9b0d852c7c3b0 |
| SHA512 | e2a8cf6b07309e8efbd4aa07a962ba74fdd020043ebddfa0d206f1b4b5a27a66f839b1f9ebb03020c058ec8c84565a530f0c957469f15b0f8e92c756106ddce9 |
memory/5100-89-0x00007FF6CC0D0000-0x00007FF6CC424000-memory.dmp
memory/2688-88-0x00007FF6CCD70000-0x00007FF6CD0C4000-memory.dmp
C:\Windows\System\acaBVSb.exe
| MD5 | b91a5ba06e0e0cdd83e24a21995467ea |
| SHA1 | b269c0ed122155d34c0962a89286c85a38016b07 |
| SHA256 | 3a5a451aeba2a8d3ff59ffa5069be709357aedae517e35826cd697a0c04242dc |
| SHA512 | 5c3fd5800625c4a2fb77f7a217d629c0b6e76f2b6dcb975ebde9f3114c2fced44f0921b2e5971b80dfe4063e7ee9d26745f8b572d3cb624d7b67d5f86cb2f195 |
C:\Windows\System\isLDGhb.exe
| MD5 | ad9960552b8caec28910d6625ab1303f |
| SHA1 | 6d3413133c01308931756f22976a8bb9107002a9 |
| SHA256 | 3ed7e7241a63d0c34f2f46ece45f6c30809526fe4e72129c9ccaf124963b9a40 |
| SHA512 | 483fcfd6b9e9e4f30696bfe4521d1d6f3f152b90180e4dd7746045098e4c3121fc68a715d3f0b3d14e7e3732b5a4bf1fa0ac95c9c76ed9f5e64df1b0e011ced9 |
memory/2940-106-0x00007FF73A310000-0x00007FF73A664000-memory.dmp
memory/1184-108-0x00007FF6F52D0000-0x00007FF6F5624000-memory.dmp
memory/3608-105-0x00007FF7C6000000-0x00007FF7C6354000-memory.dmp
memory/4576-100-0x00007FF789A80000-0x00007FF789DD4000-memory.dmp
memory/3872-94-0x00007FF7CF880000-0x00007FF7CFBD4000-memory.dmp
memory/1300-83-0x00007FF7162A0000-0x00007FF7165F4000-memory.dmp
C:\Windows\System\pAcegaF.exe
| MD5 | 8886377602fd38eb7e690b4cea61d7d3 |
| SHA1 | 0920864dbfa5e3eaac20ea8fb18bfa5d534e96c0 |
| SHA256 | d56a80a403f579145b08d4399675a40c089e63620d5c5d8fa0dac836215c6010 |
| SHA512 | 33b9ca37c139ce70a0afaf134c2bad48fc85aca53b97b59cdc7ac86c34f6d2957942192bd1408d49299d8e3fbc676a4ef2c94fde18a1713957d8c62449143b67 |
memory/4416-119-0x00007FF7493E0000-0x00007FF749734000-memory.dmp
C:\Windows\System\ZZbVpLn.exe
| MD5 | 13486a5ae0ef3c280ee7c64fad0ad8d5 |
| SHA1 | f01fdb106e35719a829a2ae07e57253e97b6313e |
| SHA256 | 6926da48a692bffc840a8e2c5d86ef3b0615926a1d4279ef0dd32ce71da917f9 |
| SHA512 | 53eef38a33550c0caf5a503a843e2c77bfa63511f049b5cea6e1d7f965500df972f612a57abe5a38389847c2b1faed1d263c0ada6da10c4723c5cbf93e01677d |
C:\Windows\System\Fzvhuks.exe
| MD5 | 94da278c45b57b5fcf50b95cf154b442 |
| SHA1 | 5a94c5ce468a0311a9c6fa5569bccbb24dd054dd |
| SHA256 | d14e0481d63050066bb6a0c4c70031e983adbd036e593490bfa1cc6ec29e2a2c |
| SHA512 | e599c4e4c3d392d61ad1f6c8590f4d9b6b288974fcd3f59f2ebdc4dae0005be30bd38337b74edadc661d571531aac6d5b484b6a842eac2c7b981dd2e47d66671 |
memory/3156-126-0x00007FF6014E0000-0x00007FF601834000-memory.dmp
memory/3948-130-0x00007FF64E710000-0x00007FF64EA64000-memory.dmp
memory/4744-132-0x00007FF74A520000-0x00007FF74A874000-memory.dmp
C:\Windows\System\kCpfLta.exe
| MD5 | 0278932217198932283875e9c38cc92f |
| SHA1 | 43f4ee9ea335dec4b91692a86fe7727128e38e44 |
| SHA256 | 134a97df01c3503de06cbfdbc9a5407052c9d8b962f7cf303c5731b0c3df33ca |
| SHA512 | c30b4008ba669b3dadb07f46c99395609028b3ec39e3c82c36b139fe699a67435c54582bf31b4009e7021de6332350e8ca0c3287083f00c6e3ca95358f672315 |
memory/2044-131-0x00007FF722DA0000-0x00007FF7230F4000-memory.dmp
memory/4204-135-0x00007FF68FA70000-0x00007FF68FDC4000-memory.dmp
memory/1300-136-0x00007FF7162A0000-0x00007FF7165F4000-memory.dmp
memory/3872-137-0x00007FF7CF880000-0x00007FF7CFBD4000-memory.dmp
memory/3608-138-0x00007FF7C6000000-0x00007FF7C6354000-memory.dmp
memory/1184-139-0x00007FF6F52D0000-0x00007FF6F5624000-memory.dmp
memory/3156-140-0x00007FF6014E0000-0x00007FF601834000-memory.dmp
memory/4744-141-0x00007FF74A520000-0x00007FF74A874000-memory.dmp
memory/4144-142-0x00007FF763DA0000-0x00007FF7640F4000-memory.dmp
memory/928-143-0x00007FF648690000-0x00007FF6489E4000-memory.dmp
memory/3732-144-0x00007FF66DDA0000-0x00007FF66E0F4000-memory.dmp
memory/1856-145-0x00007FF759230000-0x00007FF759584000-memory.dmp
memory/2688-146-0x00007FF6CCD70000-0x00007FF6CD0C4000-memory.dmp
memory/4576-147-0x00007FF789A80000-0x00007FF789DD4000-memory.dmp
memory/2940-148-0x00007FF73A310000-0x00007FF73A664000-memory.dmp
memory/5116-149-0x00007FF61C490000-0x00007FF61C7E4000-memory.dmp
memory/2012-150-0x00007FF66F520000-0x00007FF66F874000-memory.dmp
memory/1724-151-0x00007FF7053E0000-0x00007FF705734000-memory.dmp
memory/2044-152-0x00007FF722DA0000-0x00007FF7230F4000-memory.dmp
memory/4204-153-0x00007FF68FA70000-0x00007FF68FDC4000-memory.dmp
memory/5100-154-0x00007FF6CC0D0000-0x00007FF6CC424000-memory.dmp
memory/1300-155-0x00007FF7162A0000-0x00007FF7165F4000-memory.dmp
memory/3872-156-0x00007FF7CF880000-0x00007FF7CFBD4000-memory.dmp
memory/3608-157-0x00007FF7C6000000-0x00007FF7C6354000-memory.dmp
memory/1184-158-0x00007FF6F52D0000-0x00007FF6F5624000-memory.dmp
memory/4416-159-0x00007FF7493E0000-0x00007FF749734000-memory.dmp
memory/3948-160-0x00007FF64E710000-0x00007FF64EA64000-memory.dmp
memory/3156-161-0x00007FF6014E0000-0x00007FF601834000-memory.dmp
memory/4744-162-0x00007FF74A520000-0x00007FF74A874000-memory.dmp