Analysis Overview
SHA256
48fcee6b39d5a892949f20d02a26b9b8577d9a3e27cc45c87f288f5061965a90
Threat Level: Known bad
The file 2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
XMRig Miner payload
Cobalt Strike reflective loader
xmrig
Xmrig family
Cobaltstrike
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-06 11:27
Signatures
Cobalt Strike reflective loader
Indicators: 1 (details not preserved in this extract)
Cobaltstrike family
XMRig Miner payload
Indicators: 1 (details not preserved in this extract)
Xmrig family
UPX packed file
Indicators: 1 (details not preserved in this extract)
Unsigned PE
Indicators: 1 (details not preserved in this extract)
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 11:27
Reported
2024-08-06 11:29
Platform
win7-20240704-en
Max time kernel
147s
Max time network
156s
Command Line
Signatures
Cobalt Strike reflective loader
Indicators: 21 (memory regions; details not preserved in this extract)
Cobaltstrike
xmrig
XMRig Miner payload
Indicators: 64 (memory regions; details not preserved in this extract)
Executes dropped EXE
| Process |
| C:\Windows\System\TVfkYEx.exe |
| C:\Windows\System\uyWCfmz.exe |
| C:\Windows\System\KmylfFA.exe |
| C:\Windows\System\VPDwgJa.exe |
| C:\Windows\System\DGkPuez.exe |
| C:\Windows\System\QuFaIlG.exe |
| C:\Windows\System\EyiThXE.exe |
| C:\Windows\System\gKCFdoX.exe |
| C:\Windows\System\iXaYmra.exe |
| C:\Windows\System\TrPooQU.exe |
| C:\Windows\System\qWpOGgp.exe |
| C:\Windows\System\QBWeEDO.exe |
| C:\Windows\System\fTQYEPd.exe |
| C:\Windows\System\UljDTIp.exe |
| C:\Windows\System\JdjzWXi.exe |
| C:\Windows\System\olSIYdN.exe |
| C:\Windows\System\rYgYvjH.exe |
| C:\Windows\System\cpxguQg.exe |
| C:\Windows\System\GhEGoOS.exe |
| C:\Windows\System\dceWQgc.exe |
| C:\Windows\System\UYQsjpy.exe |
Loads dropped DLL
UPX packed file
Indicators: 60 (memory regions; details not preserved in this extract)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\TVfkYEx.exe
C:\Windows\System\TVfkYEx.exe
C:\Windows\System\uyWCfmz.exe
C:\Windows\System\uyWCfmz.exe
C:\Windows\System\KmylfFA.exe
C:\Windows\System\KmylfFA.exe
C:\Windows\System\VPDwgJa.exe
C:\Windows\System\VPDwgJa.exe
C:\Windows\System\DGkPuez.exe
C:\Windows\System\DGkPuez.exe
C:\Windows\System\QuFaIlG.exe
C:\Windows\System\QuFaIlG.exe
C:\Windows\System\EyiThXE.exe
C:\Windows\System\EyiThXE.exe
C:\Windows\System\gKCFdoX.exe
C:\Windows\System\gKCFdoX.exe
C:\Windows\System\iXaYmra.exe
C:\Windows\System\iXaYmra.exe
C:\Windows\System\TrPooQU.exe
C:\Windows\System\TrPooQU.exe
C:\Windows\System\qWpOGgp.exe
C:\Windows\System\qWpOGgp.exe
C:\Windows\System\QBWeEDO.exe
C:\Windows\System\QBWeEDO.exe
C:\Windows\System\UljDTIp.exe
C:\Windows\System\UljDTIp.exe
C:\Windows\System\fTQYEPd.exe
C:\Windows\System\fTQYEPd.exe
C:\Windows\System\JdjzWXi.exe
C:\Windows\System\JdjzWXi.exe
C:\Windows\System\olSIYdN.exe
C:\Windows\System\olSIYdN.exe
C:\Windows\System\rYgYvjH.exe
C:\Windows\System\rYgYvjH.exe
C:\Windows\System\cpxguQg.exe
C:\Windows\System\cpxguQg.exe
C:\Windows\System\GhEGoOS.exe
C:\Windows\System\GhEGoOS.exe
C:\Windows\System\dceWQgc.exe
C:\Windows\System\dceWQgc.exe
C:\Windows\System\UYQsjpy.exe
C:\Windows\System\UYQsjpy.exe
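The process list shows the behaviour a detection should key on: the sample writes a fresh executable with a seven-letter mixed-case name into C:\Windows\System (the legacy directory, not System32, which on a modern install rarely receives new executables) and runs it, and repeats this 21 times. Every dropped file has a different hash (see the Files section below), so blocking on hashes will not hold; the write-then-execute pattern and the fan-out from a single writer will. The detector below is an added example, not part of this report or of any sandbox product. It runs over constructed events in a simplified Sysmon layout (Event ID 11 = FileCreate, Event ID 1 = ProcessCreate); the field names and the pids are assumptions of the example, and two benign control events are included to show what does not fire.

```python
import re
from collections import defaultdict

SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307"
              r"_cobalt-strike_cobaltstrike_poet-rat.exe")

# Constructed events modelled on the behavioral1 process list above. Simplified Sysmon shape:
# id 11 = FileCreate (image wrote target), id 1 = ProcessCreate (image started, parent ppid).
# Field names and pids are assumptions of this example, not data from the page.
SAMPLE_EVENTS = [
    {"id": 11, "pid": 2540, "image": SAMPLE_EXE, "target": r"C:\Windows\System\TVfkYEx.exe"},
    {"id": 1, "pid": 2908, "ppid": 2540, "image": r"C:\Windows\System\TVfkYEx.exe"},
    {"id": 11, "pid": 2540, "image": SAMPLE_EXE, "target": r"C:\Windows\System\uyWCfmz.exe"},
    {"id": 1, "pid": 520, "ppid": 2540, "image": r"C:\Windows\System\uyWCfmz.exe"},
    # Benign controls: a servicing write under the Windows directory, an unrelated process start
    {"id": 11, "pid": 1000, "image": r"C:\Windows\servicing\TrustedInstaller.exe",
     "target": r"C:\Windows\System32\drivers\etc\hosts"},
    {"id": 1, "pid": 1001, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe"},
]

# Seven alphabetic characters directly under C:\Windows\System, as every dropped name on this page.
DROP_PATTERN = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)

# Writers that legitimately place executables under the Windows directory (lower-cased, placeholder).
TRUSTED_WRITERS = {
    r"c:\windows\servicing\trustedinstaller.exe",
    r"c:\windows\system32\wuauclt.exe",
}


def drop_and_execute(events):
    """Sorted paths that were written by a non-trusted writer (id 11) and later started (id 1)."""
    dropped = {}  # lower-cased path -> writer image
    for e in events:
        if (e["id"] == 11 and DROP_PATTERN.match(e["target"])
                and e["image"].lower() not in TRUSTED_WRITERS):
            dropped[e["target"].lower()] = e["image"]
    executed = {e["image"] for e in events if e["id"] == 1 and e["image"].lower() in dropped}
    return sorted(executed)


def writer_fanout(events, threshold=2):
    """Images that dropped at least `threshold` pattern-matching executables (this sample: 21)."""
    counts = defaultdict(int)
    for e in events:
        if e["id"] == 11 and DROP_PATTERN.match(e["target"]):
            counts[e["image"]] += 1
    return {image: n for image, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("dropped and executed:", drop_and_execute(SAMPLE_EVENTS))
    print("writers with fan-out:", writer_fanout(SAMPLE_EVENTS))
```

The fan-out count is the more robust of the two signals: a single process creating two or more new executables under C:\Windows\System within one run has no ordinary explanation, while a single drop could be an installer.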
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2540-0-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/2540-1-0x0000000000180000-0x0000000000190000-memory.dmp
\Windows\system\TVfkYEx.exe
| MD5 | 6f7643015c38168fe537749319df88bc |
| SHA1 | 14cdf7dee22f6761a676418ae6bffcb880619850 |
| SHA256 | a070fc87381c0e244ee4736a99fb8f191073292491c086fb7d4d83b4e9858709 |
| SHA512 | c7f354a43e00e2df1cf02d3bf0e6c49f2cc971051637814a9d5e196309ba7fae82143af83cc7407e8a919ec2899bf9be0a11bf2426967d25804faf57a82076cf |
memory/2540-6-0x00000000023A0000-0x00000000026F4000-memory.dmp
C:\Windows\system\uyWCfmz.exe
| MD5 | 918094938594af8c01fa748854a36bdb |
| SHA1 | 15056b342f8c327d68a5f6c87390a3c3c542f85b |
| SHA256 | 01885ea70efe5c591c04dd02a7567ea72f155a41bb892030c4c6c11ec522a308 |
| SHA512 | cb7d32fb2a95bdeead8347a064e6d765d1b21675e95361b63a3858c005ade9619d96c8e4cffd667ba10a6852ee4122b63307cdb41237eb718faee7d4e5c493a1 |
memory/520-14-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/2540-15-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/2908-10-0x000000013F220000-0x000000013F574000-memory.dmp
C:\Windows\system\KmylfFA.exe
| MD5 | 0cda67402110739498a2d772180e80e6 |
| SHA1 | 49576c3ccfa36ccc8668520a5b28a7ec542e5ac2 |
| SHA256 | 264fb8cd853d560716406c7807c977137f482a0415c908091e747170e000a422 |
| SHA512 | 5b2a0d2845233166fd381880f8510d129749ed5f1eb32bf73cc261d30e7f28c78128fc05cefa4422d29dc60e4038b4223b454402ab4591eaf6941f7cf4258a56 |
memory/2540-20-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/2728-23-0x000000013F520000-0x000000013F874000-memory.dmp
\Windows\system\VPDwgJa.exe
| MD5 | 3a70581b19cb917787593407eff53b5a |
| SHA1 | 632f671fb6b27ddb6c16c23e05174e15e6908f2d |
| SHA256 | e1ea948831285888ce9244cba8d6895c2493d8d9ce1a43f0fe3cd83faae42465 |
| SHA512 | e78c5083041dc09ac9019c5054c781f69c00b3613f3bfe66a387dd74198a16c7a2803ac46cdf89d34f038b0c38c5d4ee977c0e13c7b03536fd7690c1ffbf2fb2 |
C:\Windows\system\QuFaIlG.exe
| MD5 | b9b0a9afdda5e33b6de93953b56895f0 |
| SHA1 | 00db5cf97f506acbb09ffa2dc3b40e257e852f75 |
| SHA256 | 90f58a225f1d372131deb01a40426635a7cf0616edd162b4731d7a08203fe74d |
| SHA512 | 222478b403c809a89c4a14740c52c12e2d00afe6383139e3a865814cb2dca5efe9e928d0964e248e7d42d281d43e402f8f9335b6bf7cae5378671fe763b7cd5a |
memory/2540-34-0x00000000023A0000-0x00000000026F4000-memory.dmp
C:\Windows\system\DGkPuez.exe
| MD5 | 5638ac21cd2058bd228aea05c68066ea |
| SHA1 | 1e25bd916491856717123aa9a6b52b76a26a4c62 |
| SHA256 | 06ee67d9d17c323f42171743da0a01de248169cf729c5db4bcfa686a6a95df97 |
| SHA512 | 026a29e11a6a49cdf76d833ccae413b9f78a0fc9940624a6ea483910d627e186091a739520d8c0b05e8b0058ad97747d5d9c23c3f00ebe942b3a832543a30844 |
memory/2760-42-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2540-43-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2940-44-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2608-33-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2540-29-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2540-46-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/2908-54-0x000000013F220000-0x000000013F574000-memory.dmp
C:\Windows\system\gKCFdoX.exe
| MD5 | 13608fe109d94f7a882b001bcb78d1dd |
| SHA1 | 652dde679a700d5915c2c2fa009f60b00307d746 |
| SHA256 | 7daae6aaf89759f7bd05d299ec4683d79588cf787e8182b02890709ac9bc5767 |
| SHA512 | b0fb80286fc77fb14f84a7ecac4f2ee4ae6664a2618989d0f9c67598a4af2338389e365233705abb06f015ba11e54f7a7234654720ddc5b5cf9a8dcebbe83544 |
memory/520-59-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/2616-60-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/2648-51-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/2540-50-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/2540-53-0x00000000023A0000-0x00000000026F4000-memory.dmp
C:\Windows\system\EyiThXE.exe
| MD5 | 8118c567f8d92f5fe5b1dca6eeb65624 |
| SHA1 | f1a88d08164f738d0067e6687117b7bfe3c00a52 |
| SHA256 | 42b28789d38bad24a42f482efcc7c4b2b0b5128e2d0048165a916b3058fe43d2 |
| SHA512 | 6eb16ca14036ab42a226c54f68bb2192e3d063343919b46e161754f09ac90d2d26cefe5683a39c98bd83a0012dad743777a8f2a4c5ee5077c3af813a2789306f |
C:\Windows\system\iXaYmra.exe
| MD5 | e2ece45be55ad3647f409f7c7e036081 |
| SHA1 | 8fd4a0f0e0f27298936a8a71b50f35273a32817a |
| SHA256 | 6701d5d33464a3ff2faeabce00e047a7b8bd5cd57ac89b8ced302810d13b216e |
| SHA512 | 94c3419a9ec7a9f373a3625d6eab5045e8a515dbfe3d4d61197c91333b0d9b60b61908f8f39c89ef46f20c4271747e0f810095bb4804343318ee4a42e2211add |
memory/3056-68-0x000000013F360000-0x000000013F6B4000-memory.dmp
memory/2540-65-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/2608-73-0x000000013FE10000-0x0000000140164000-memory.dmp
C:\Windows\system\TrPooQU.exe
| MD5 | bac6ef5f92992d4e5d7bad5a49d80d74 |
| SHA1 | ca32e204a8b058600d3e1ee0bdba02f6c5560c32 |
| SHA256 | e89b4092b3928f7fcf65967693f7f8b273f1886808372f1d5ce62c63f98989a2 |
| SHA512 | ec4b1b92dab08b15e7685c62bf09be40299d8179581f9f79b77da5fd28ce7bc58e7549fa5baa5ed6098cdd7810c3447b750cc05a383a33fa15bb70227ee197fa |
memory/2088-76-0x000000013F310000-0x000000013F664000-memory.dmp
memory/2540-75-0x00000000023A0000-0x00000000026F4000-memory.dmp
\Windows\system\qWpOGgp.exe
| MD5 | 797d565b45681d99eabcd6419aeda150 |
| SHA1 | d906d0bcf99bfe6d2016188a5a5e403dc00ee3af |
| SHA256 | 6b7b5b4f57405ed4516d90220d692c7382c9538aba802c3fa98291cd4510ff2f |
| SHA512 | 04e85129bddaccb3f8e187cc2b13d67ddb4c5bde8d9a1013c45c9030a70e6d0f131361403cd3033a7f479c8d38cc948eb7ef0ec162787d2fe229eca395d8774e |
memory/1724-84-0x000000013FFD0000-0x0000000140324000-memory.dmp
memory/2760-82-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2540-78-0x000000013FFD0000-0x0000000140324000-memory.dmp
\Windows\system\QBWeEDO.exe
| MD5 | 089301ee841a86cc41f213e71ec35847 |
| SHA1 | ca1f1443a527a002cd9274e84ae0b2790cb136c4 |
| SHA256 | d188c5774c5882d8e21e73b6525d8ca0ea92ad095f471a73547237dad65aa2cf |
| SHA512 | dd22005123f39b11d8524da4d2dc38aa42c959570281e434fc36e924a7e95fd47895f7506606b0f29b1c8324347d4fbb8800a2f8c294c1a1852bdfd961c6cfc8 |
\Windows\system\UljDTIp.exe
| MD5 | d405770338654d50dd12a4d83fce138e |
| SHA1 | 693d50c5be0f8c2aa1b45847c50d541ebc3d4edd |
| SHA256 | bccf1641d3d437fa00cddf33bff501c2da223612a864de7e654f3cd3285467f9 |
| SHA512 | d6e3fc5994d009a105b55c3abb95c199ea5d7716155f2abbcfb68dc7294d06dace96b0f352442231d8da4e2fa7ae9a11db0e521bb0b072a7a8b2b1dcbe62ac96 |
memory/2432-98-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2540-93-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2256-105-0x000000013FF60000-0x00000001402B4000-memory.dmp
memory/2540-104-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/2560-103-0x000000013F260000-0x000000013F5B4000-memory.dmp
memory/2648-102-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
C:\Windows\system\fTQYEPd.exe
| MD5 | 65c40b78679174c01384f0041a6aa503 |
| SHA1 | 17bfd515e623d88b116090311e24c99963f6186d |
| SHA256 | c23189afdb2162c13b06bdfd6ce2afa0707f1693c8961900d9267d435b27bf9b |
| SHA512 | e6145bae10ad0d2f5dde03b4884320f2c5ab31bbff9c8c90046865dad1e2c5e2d256d40c99564959062fceac270201a0ed7b874766d3fc8153f9e46e37c2efd1 |
\Windows\system\JdjzWXi.exe
| MD5 | 51bf0999f81907f2d7b16f1c4cd56d76 |
| SHA1 | e2e50e1d6daf784a3efede1a434e115e62d8dee2 |
| SHA256 | 053bacc23c8f4c56a3aae5ac4d29b7bd60755ae0d533c2e58f7ebe1bef6e1828 |
| SHA512 | 2e963b0a090fd0f6f33d08d1b3578bcdbd10fca671bbb339553d800a221a8698331c161c8b98b46d375580b4e75987f793bb32a796897400dbd586eee922adea |
memory/2540-112-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/2616-109-0x000000013F370000-0x000000013F6C4000-memory.dmp
\Windows\system\olSIYdN.exe
| MD5 | 218c5ab54a4bf9b19871ae473e5b1260 |
| SHA1 | 94474de2da7b05353ecf5b30288436167718ea71 |
| SHA256 | d09a2e0b91b0455314e349b2ffc8791a14aade6126cbb8b0bcd6ed2aa08c225c |
| SHA512 | 59759b788d17d61f1c2354c330e29c676650acbfe9014fae3f365226f248e6e84a61aabb13f7f7d10bbb5b9ee25889f0c5072af3d2724fa8e1b8a28fda75eaa2 |
C:\Windows\system\cpxguQg.exe
| MD5 | 19b8ef00cac7a2d3723d93a5a24f598e |
| SHA1 | 63027eb8f3bcb5c5fbfe04e192e6759c566d4cfa |
| SHA256 | 7579dcd65cd3a48b7cf2acd9b45bba7fe94de79ff33366215a8993c2bd493d21 |
| SHA512 | 457cd0c9095c0ef3a19252c8984834113a201283dcd9d0a014b51febcec188c6fe21c4eb193a14406f8f28470c3f6bd3d1212c85aac1dd7dbd60a2eaf2d38d47 |
\Windows\system\GhEGoOS.exe
| MD5 | 303bd63832b37dfc78ebcc427e6596f9 |
| SHA1 | d89837a4d7e0de04a68e0fa0133f1e1b1b5701a4 |
| SHA256 | e54a9c900805f0e2c213c0f0afe96b516e36326fff5b2750de1cedefc6f1e8ff |
| SHA512 | c1f6d5e85cb7aae19467a917065671a15bb17065591105c214fcc76a2c1b9db99e97f5692bc800fb1d0f64fdb497d53334f17bb14d287f8d4ab4c67a1f7f7f57 |
\Windows\system\rYgYvjH.exe
| MD5 | d9ddeef81983c665a4c19c6421cd1df6 |
| SHA1 | 0e0ad1ad4d3a526b42f2942fe157a43b58e459ed |
| SHA256 | b505ac2061b0f5aff801f7a6f7195ab6e8a8293bc6ff3101ed6f02be7b3fcb9a |
| SHA512 | 0d4a6ea9d238620f53ce2820c13e55df97775f77efc1fe5f786799ffb74a6eff8b8cf394a871e095f4c772accaccdc8ce10336d3115c2877e940ee3869561bc6 |
\Windows\system\dceWQgc.exe
| MD5 | 394959eb24aabb9119911f69e54101e9 |
| SHA1 | 0e24f875a56c693ab4a2c86a250a880739f1734b |
| SHA256 | 3e3a5fd8bc843f9993cad231e3b1f7dd61a397fcccc3296cc5eb31299714fc9e |
| SHA512 | 482e974ab67088917ce9e59ee90d9e119ee2b87cd42ac4d29501b65d71e5199494ba5c65b3ae74369ffe78f902591f1131ac0c61919e7270a3b68df469c5adb9 |
\Windows\system\UYQsjpy.exe
| MD5 | 2532bb9b61689e2e9cc90c347203dad3 |
| SHA1 | ca9d1a42fb237cfe15ef744703b804202bfa0d87 |
| SHA256 | fb763a43ea24ad919b563c9a3e216c90fa80f5c5c898b6e9f8f61ab652e973a9 |
| SHA512 | 05c3ac94bd5172941c876eaaae8562e04804e8e66c1a003b58c6f18e4f368ea3a97e068c146dbe2e434265604091eb62b4669045faefa4d68aaa521d09e679cf |
memory/2540-142-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/3056-143-0x000000013F360000-0x000000013F6B4000-memory.dmp
memory/2540-144-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/2540-145-0x000000013FFD0000-0x0000000140324000-memory.dmp
memory/1724-146-0x000000013FFD0000-0x0000000140324000-memory.dmp
memory/2540-147-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2540-148-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/2540-149-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/2908-150-0x000000013F220000-0x000000013F574000-memory.dmp
memory/520-151-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/2728-152-0x000000013F520000-0x000000013F874000-memory.dmp
memory/2608-153-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2940-154-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2760-155-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2648-156-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/2616-157-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/3056-158-0x000000013F360000-0x000000013F6B4000-memory.dmp
memory/2088-159-0x000000013F310000-0x000000013F664000-memory.dmp
memory/1724-160-0x000000013FFD0000-0x0000000140324000-memory.dmp
memory/2432-161-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2256-163-0x000000013FF60000-0x00000001402B4000-memory.dmp
memory/2560-162-0x000000013F260000-0x000000013F5B4000-memory.dmp
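Two things in this Files listing matter more than the hashes. First, all 21 dropped executables carry distinct MD5/SHA1/SHA256/SHA512 values, so a hash block list built from one run will not match the next. Second, the memory-dump names encode pid, dump index and the virtual address range, and every image-sized dump in both runs spans exactly 0x354000 bytes (only the two small index-1 regions, 0x10000 bytes each, differ): the same mapped layout under a different name and hash each time, which is a far better pivot than any single digest. The parser below is an added example, not part of this report or of any sandbox product. It reads an excerpt copied from the listing above (real values from this page), validates the hash lengths, and computes the region sizes; the only assumption is the line format itself, which is taken from the page as extracted.

```python
import re
from collections import Counter

# Excerpt copied from the behavioral1 Files section of this report (real values from the page).
FILES_EXCERPT = r"""
memory/2540-0-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/2540-1-0x0000000000180000-0x0000000000190000-memory.dmp
\Windows\system\TVfkYEx.exe
| MD5 | 6f7643015c38168fe537749319df88bc |
| SHA1 | 14cdf7dee22f6761a676418ae6bffcb880619850 |
| SHA256 | a070fc87381c0e244ee4736a99fb8f191073292491c086fb7d4d83b4e9858709 |
memory/2540-6-0x00000000023A0000-0x00000000026F4000-memory.dmp
C:\Windows\system\uyWCfmz.exe
| MD5 | 918094938594af8c01fa748854a36bdb |
| SHA256 | 01885ea70efe5c591c04dd02a7567ea72f155a41bb892030c4c6c11ec522a308 |
memory/520-14-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
"""

# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# | <ALGO> | <hex digest> |
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return (files, regions): files are {path, hashes}, regions are {pid, index, start, size}."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append({"pid": int(m[1]), "index": int(m[2]), "start": start, "size": end - start})
            current = None          # a dump line ends the preceding file's hash block
            continue
        h = HASH_RE.match(line)
        if h:
            algo, digest = h[1], h[2].lower()
            if current is None or len(digest) != HASH_LEN[algo]:
                raise ValueError(f"malformed hash line: {line}")
            current["hashes"][algo] = digest
            continue
        if "\\" not in line:
            raise ValueError(f"unexpected line: {line}")
        current = {"path": line, "hashes": {}}   # a path line opens a new file record
        files.append(current)
    return files, regions


def region_sizes(regions):
    """Distinct region sizes in bytes (virtual ranges, not on-disk file sizes)."""
    return sorted({r["size"] for r in regions})


def dominant_size(regions):
    """(size, count) of the most frequent region size: the shared image layout of the payloads."""
    return Counter(r["size"] for r in regions).most_common(1)[0]


def sha256_set(files):
    return sorted(f["hashes"]["SHA256"] for f in files if "SHA256" in f["hashes"])


if __name__ == "__main__":
    files, regions = parse_files_section(FILES_EXCERPT)
    print(len(files), "files,", len(regions), "regions, sizes:", [hex(s) for s in region_sizes(regions)])
    print("dominant image size:", hex(dominant_size(regions)[0]))
```

The sizes come from virtual address ranges in the dump names, so they describe the mapped image, not the file on disk; a size check against disk files needs the SizeOfImage field from the PE header instead. Run over the full listing, `sha256_set` yields 21 unique digests while `dominant_size` returns one value, which is the point.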
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 11:27
Reported
2024-08-06 11:29
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Indicators: 21 (memory regions; details not preserved in this extract)
Cobaltstrike
xmrig
XMRig Miner payload
Indicators: 64 (memory regions; details not preserved in this extract)
Executes dropped EXE
| Process |
| C:\Windows\System\DLSbzaj.exe |
| C:\Windows\System\LXCmUiC.exe |
| C:\Windows\System\zjCmFEk.exe |
| C:\Windows\System\eICnfam.exe |
| C:\Windows\System\SLGorqS.exe |
| C:\Windows\System\wbIjahx.exe |
| C:\Windows\System\OmwCdma.exe |
| C:\Windows\System\jKPRkFD.exe |
| C:\Windows\System\gOzthpY.exe |
| C:\Windows\System\vGopDvf.exe |
| C:\Windows\System\aHlLLVW.exe |
| C:\Windows\System\Yisqkwp.exe |
| C:\Windows\System\wvqoPZr.exe |
| C:\Windows\System\CcoaZPt.exe |
| C:\Windows\System\WxPbWLa.exe |
| C:\Windows\System\vHogYYH.exe |
| C:\Windows\System\MMnoaZz.exe |
| C:\Windows\System\izPZxEn.exe |
| C:\Windows\System\MlLDUZc.exe |
| C:\Windows\System\FmRdpqL.exe |
| C:\Windows\System\XElxNuK.exe |
UPX packed file
Indicators: 64 (memory regions; details not preserved in this extract)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_6dc52f5432ddab501d8ed5d9cd5db307_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\DLSbzaj.exe
C:\Windows\System\DLSbzaj.exe
C:\Windows\System\LXCmUiC.exe
C:\Windows\System\LXCmUiC.exe
C:\Windows\System\zjCmFEk.exe
C:\Windows\System\zjCmFEk.exe
C:\Windows\System\eICnfam.exe
C:\Windows\System\eICnfam.exe
C:\Windows\System\SLGorqS.exe
C:\Windows\System\SLGorqS.exe
C:\Windows\System\wbIjahx.exe
C:\Windows\System\wbIjahx.exe
C:\Windows\System\OmwCdma.exe
C:\Windows\System\OmwCdma.exe
C:\Windows\System\jKPRkFD.exe
C:\Windows\System\jKPRkFD.exe
C:\Windows\System\gOzthpY.exe
C:\Windows\System\gOzthpY.exe
C:\Windows\System\vGopDvf.exe
C:\Windows\System\vGopDvf.exe
C:\Windows\System\aHlLLVW.exe
C:\Windows\System\aHlLLVW.exe
C:\Windows\System\Yisqkwp.exe
C:\Windows\System\Yisqkwp.exe
C:\Windows\System\wvqoPZr.exe
C:\Windows\System\wvqoPZr.exe
C:\Windows\System\CcoaZPt.exe
C:\Windows\System\CcoaZPt.exe
C:\Windows\System\WxPbWLa.exe
C:\Windows\System\WxPbWLa.exe
C:\Windows\System\vHogYYH.exe
C:\Windows\System\vHogYYH.exe
C:\Windows\System\MMnoaZz.exe
C:\Windows\System\MMnoaZz.exe
C:\Windows\System\izPZxEn.exe
C:\Windows\System\izPZxEn.exe
C:\Windows\System\MlLDUZc.exe
C:\Windows\System\MlLDUZc.exe
C:\Windows\System\FmRdpqL.exe
C:\Windows\System\FmRdpqL.exe
C:\Windows\System\XElxNuK.exe
C:\Windows\System\XElxNuK.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
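This table mixes two different kinds of traffic. The udp rows are PTR (reverse-DNS) queries the Windows 10 image sent to 8.8.8.8; an in-addr.arpa name is the address with its octets reversed, so 74.32.126.40.in-addr.arpa asks who owns 40.126.32.74. A PTR query is the host looking an address up, not the sample connecting to it, and the page records no connection to any of those addresses. The only destination contacted directly, in both runs, is 3.120.209.58:8080 over tcp, six times in each run, which is the one network indicator this report supports. The triage code below is an added example, not part of this report or of any sandbox product. It parses rows copied from the table (with the Domain cell left empty on the direct tcp rows), decodes the PTR names, and separates resolver traffic from direct connections; the resolver list is an assumption of the example.

```python
import re
from collections import Counter

# Rows copied from the behavioral2 Network table of this report: Country | Destination | Domain | Proto.
# The Domain cell is empty on the direct tcp rows.
NETWORK_ROWS = """
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
"""

PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def decode_ptr(name):
    """'74.32.126.40.in-addr.arpa' -> '40.126.32.74' (PTR names store the octets reversed)."""
    m = PTR_RE.match(name)
    if not m:
        raise ValueError(f"not an IPv4 PTR name: {name}")
    return ".".join(reversed(m.groups()))


def parse_rows(text):
    """Parse the four-column rows into dicts with host and port split out of Destination."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            raise ValueError(f"expected 4 cells: {line}")
        country, dest, domain, proto = cells
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def triage(rows, resolvers=("8.8.8.8",)):
    """Split rows into direct connections (counted per host/port/proto) and addresses that were
    only reverse-resolved. Only the former are candidate network indicators for the sample."""
    direct = Counter()
    looked_up = set()
    for r in rows:
        if r["host"] in resolvers and r["port"] == 53:
            if r["domain"].endswith(".in-addr.arpa"):
                looked_up.add(decode_ptr(r["domain"]))
            continue                       # resolver traffic is never itself an indicator
        direct[(r["host"], r["port"], r["proto"])] += 1
    return {"direct": dict(direct), "ptr_lookups": sorted(looked_up)}


if __name__ == "__main__":
    result = triage(parse_rows(NETWORK_ROWS))
    for (host, port, proto), n in result["direct"].items():
        print(f"direct  {host}:{port}/{proto}  x{n}")
    print("reverse-resolved only:", result["ptr_lookups"])
```

The repeat count on the direct entry is worth keeping: one address and port hit six times in about two and a half minutes of sandbox time is the shape of a beacon check-in, and a count threshold per destination is a cheap first filter before any content inspection. Addresses that appear only in PTR lookups belong in a "seen resolving" note, not in a block list, unless another source shows traffic to them.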
Files
memory/2596-0-0x00007FF6ED250000-0x00007FF6ED5A4000-memory.dmp
memory/2596-1-0x000001FB014F0000-0x000001FB01500000-memory.dmp
C:\Windows\System\DLSbzaj.exe
| MD5 | 20bb013139c08d59024f9e98dd31a1bc |
| SHA1 | 424bdca9b38374cb44decaa602dbabcb7c19f274 |
| SHA256 | ea90ff4f43d6a30f2ffdc62d080913857fb065cf3147bb8cf17ac5b9d9d83881 |
| SHA512 | 1691d567bb2d557c3b7b234ffc66300a1a5d788783171d1425d4a1af0a7fd2eea79ced1cd680a41762ad84a3972e40b21e6624fdcae6cf2dd7e9b332a65a96b7 |
memory/1552-8-0x00007FF6C4580000-0x00007FF6C48D4000-memory.dmp
C:\Windows\System\zjCmFEk.exe
| MD5 | 088903c692d35643e5138b046287adf4 |
| SHA1 | e4e50a87e71c8f38f616a117dc781b183d0d367a |
| SHA256 | 1862f9cc5bb29239ea4a3f49108d2b6d4c575cba98065ea10295afa1c1eea700 |
| SHA512 | 705fc54aba7812d5545ba456d2df7393a9ee26102771a9aa0780433dfa16ecac64717e29d99d2849193fc80978317a505da31b8f72ddf9f4b6954493378443cf |
C:\Windows\System\LXCmUiC.exe
| MD5 | 3c1732e2e0cc8ff5dea40d159e47fffd |
| SHA1 | 2d99f6fff837f58ac506614555da9852e5fb3f0c |
| SHA256 | 71592b1e5fedc662054e3a0d5bd13beb9a163bc5fa9c1c818df36c4bea0960b1 |
| SHA512 | df44efa80bae8776a1722cf6ffd723bb8e5e9c381d8ffbd9c11dc7cebae06b6d08fa9b02ad67efb045ccc0febc79e72ac717a24ae3e9325a0a2888d46fa7f9bb |
memory/1664-16-0x00007FF620180000-0x00007FF6204D4000-memory.dmp
C:\Windows\System\eICnfam.exe
| MD5 | 994ba3a0c80613b8c58741ddbc192b29 |
| SHA1 | bb9ffb781cbf50671d552037145f004c4b39df31 |
| SHA256 | 4462769c20be5347761957437d60aca18fb1b168c5cccad04f01b73fe0f54cbf |
| SHA512 | 9bdc076305d15333c4bfeaa88dad15c8d2270e6a6fe1602cb26904f5f28508f5fea34550b6b9ab666bf2dedaa222325bfb6342d33320695ffb652e20c1c33251 |
memory/3744-20-0x00007FF651470000-0x00007FF6517C4000-memory.dmp
C:\Windows\System\SLGorqS.exe
| MD5 | edfd1cac706b23ff158029f3111aae7e |
| SHA1 | c31dfe6247c8a2ab6cead17a5e6d7658b1824c9e |
| SHA256 | 3b1cd305b1d06cbcde65e5e3cb52dff95afffbacc94490b41495244cfcd891e4 |
| SHA512 | f6b736dd19745f10e0f3a512698abc7f8469c6fc2eb3ce73da876b1122a0dc8c2d3411c1926b289f3c1749468ef13036ecbf2b1d064dc2be224926abc75f83c6 |
C:\Windows\System\wbIjahx.exe
| MD5 | 7b933690b0ade4c8bb701c79a38e477b |
| SHA1 | 351ddd21bb6ebea8d361e27bb83300c0a294a964 |
| SHA256 | b68e4ce41ae1ed6197aaee4d54c8ce5fe6b11de00d1b5aea0555eaf514789656 |
| SHA512 | 4372af5a64585617a4f4cd42d8ade60466bb05ef32997f222faabb86bf872ca444eed25f90a2ff61b0e61b914ec83e1c06d1a788a86a97c79422223f846149e1 |
C:\Windows\System\OmwCdma.exe
| MD5 | 2b68dad4e9d2f0793d277a00918336f3 |
| SHA1 | 4ab465f8ef7ba49d89f4f7610ab6d92c068159b4 |
| SHA256 | 25f91757149cc4a65f9908a54e69885f7194cd0afc5eb26290480c342fba73c8 |
| SHA512 | 2ea8f3f3c383ffb6a63994aa89a8990883221882cb0f93044cdbc9df2581fe1d1f663da0d74b3549d9b0c6a06e8a060b5e322b404d9a95f56e03eee4e553f9d4 |
C:\Windows\System\jKPRkFD.exe
| MD5 | c752e1c62bb44ea1766f632973af9182 |
| SHA1 | 62543fe5800f991d8c337ac3f0cadd147653c6f1 |
| SHA256 | d109d6e77fb9c6b69f277bddf0579c2dffb3887a02091bae6ac087a4cf6053a1 |
| SHA512 | 37787af8e80bbff08051d9fc2aeb2b6b980030b27b0fdf26e46ee5f7fc50acb6439ba17d7c6e3242b71e16e5964227ad6f135b747ea9b04b4eff49fcce8f7363 |
C:\Windows\System\gOzthpY.exe
| MD5 | cb6b7b13d94b2e28fa6b674e49150b0a |
| SHA1 | 41b7ea8e0c1f89637a63d4a65225f30faaf2a210 |
| SHA256 | d068a0b4466ff01670f677c724ce7bb65908f627b9ee9794ce3c6e05d212d2c0 |
| SHA512 | d8f3bf7b3d509c798668dd10eb2ee34ec52d3ccd0c47b1b1a3e88906c2facfcfc4b0e12286cb7031b4c8a5358fafcd077330815ab94639129513133a2d63a7cb |
memory/1556-54-0x00007FF679AD0000-0x00007FF679E24000-memory.dmp
memory/1200-53-0x00007FF7E99D0000-0x00007FF7E9D24000-memory.dmp
memory/2980-48-0x00007FF6B1AB0000-0x00007FF6B1E04000-memory.dmp
memory/4056-41-0x00007FF77C4A0000-0x00007FF77C7F4000-memory.dmp
memory/2560-32-0x00007FF7F7070000-0x00007FF7F73C4000-memory.dmp
memory/4840-28-0x00007FF65BD30000-0x00007FF65C084000-memory.dmp
C:\Windows\System\vGopDvf.exe
| MD5 | b814b1c7a35c9c298e04a1f5904d6b5c |
| SHA1 | d9d8e0a269168ddb3e2174c68b554f163dd0a351 |
| SHA256 | efe673c4c947e51c99ae13a444a1480559573fec6279d4f9330c0d8efec8830c |
| SHA512 | 9db5a7b8f1e88ce69b0a767ed44061b822df8d880dbd99436c85917e02cc6d4f9828e1abcfbfa96e5149dac59813ccb6857ad68870f5d64b3341b6c7d5f71e26 |
C:\Windows\System\aHlLLVW.exe
| MD5 | 2cf60b36953d8681b6b7ae54522ebbd9 |
| SHA1 | 899fee47827ac988d19e58fc2831b9bb14e70cab |
| SHA256 | 5794af4cac0b783f3098e3b8b0f7f68ecf7209be03aea446a19c587486d1afbe |
| SHA512 | 5ce3f9ddb15e69f1e264cd701a96b4310f74019bb3c6151c3580f1ebfdd73c5d33f187cac9cacdbf9c340051371a8e77fa58a45c79bc0854542e9f53ad1b50ac |
memory/3320-63-0x00007FF65F760000-0x00007FF65FAB4000-memory.dmp
memory/388-69-0x00007FF62FD30000-0x00007FF630084000-memory.dmp
memory/2596-68-0x00007FF6ED250000-0x00007FF6ED5A4000-memory.dmp
memory/1552-73-0x00007FF6C4580000-0x00007FF6C48D4000-memory.dmp
C:\Windows\System\wvqoPZr.exe
| MD5 | 6173e2ec4b5b3854a4529d09beee71b5 |
| SHA1 | 327db153313eb5c54007b04363025f3c74d64c76 |
| SHA256 | d8092996f0a373f6919db834657d2d580d25a1d2bf329944dfc30b9cf1f2c2c6 |
| SHA512 | 9ddb8121ea5b40fff540f8bbfd2f09b058187735a3e6689383e22919fc010d2cb7b7abbb64b1528b37a8defb35fa7dee68f66eef915ea85b4d02b75c418a1464 |
C:\Windows\System\Yisqkwp.exe
| MD5 | 85b8f4cdf5437501a9077e9ee29ed812 |
| SHA1 | 2ca6bdad63dabd6ce2fab4b8ad55074840aec7ba |
| SHA256 | 13d6746955e4c4ec588445990bf6fc5f582379d3e9cfcbc011638ca5d4696842 |
| SHA512 | 0501145bf54dde438217c3a969587f0b615fb01baa33044da9bdd45d48c416d801b5616d156985429e339487cab52c7be9ae526b04a8826e2096ec6f81957739 |
memory/2368-74-0x00007FF75F810000-0x00007FF75FB64000-memory.dmp
memory/1664-82-0x00007FF620180000-0x00007FF6204D4000-memory.dmp
memory/4804-83-0x00007FF6D2DA0000-0x00007FF6D30F4000-memory.dmp
C:\Windows\System\CcoaZPt.exe
| MD5 | bd05bb4abc2e833c84c2f9d4ad6c28ec |
| SHA1 | a435a5bbf639dbd0a13fa5a93ac6586cc9662b76 |
| SHA256 | 109ebd3b4e2f99de75649ef54a4fabb6c1eb21dbdfc25ff3a9eef8f6cfb6decf |
| SHA512 | af945d94f3fc62d7c72ef0fc3a3c4bc9c1f2bae9f541a9fa7e70afdc8d32eafd612d9eecee212d16cf8dcc43017fdb156b75a6fdf5c431dea9040cca47e23565 |
C:\Windows\System\WxPbWLa.exe
| MD5 | 6d23aa6a9651880b1340d280466213f8 |
| SHA1 | fe822997020ced94a1acc34b41d95b3f336e22aa |
| SHA256 | 96060e99fad6c782023b9f1ad1e002133dcb936ca8c149678bb8c8d5da55782b |
| SHA512 | c9f03dc05bef69d08352ea48a8cd97c87d8a9abf8d5b9c9eb672975809082cf1f8eb521fce313b36474f13457fb44944b9e1657f1acb9560b501a3e1aef7f419 |
memory/4208-93-0x00007FF73F430000-0x00007FF73F784000-memory.dmp
memory/3520-89-0x00007FF7DEBE0000-0x00007FF7DEF34000-memory.dmp
memory/2560-100-0x00007FF7F7070000-0x00007FF7F73C4000-memory.dmp
memory/1896-106-0x00007FF796450000-0x00007FF7967A4000-memory.dmp
memory/1200-109-0x00007FF7E99D0000-0x00007FF7E9D24000-memory.dmp
C:\Windows\System\izPZxEn.exe
| MD5 | 9948abc1d5b5aac2606f119269c5051b |
| SHA1 | 71203a4094182856dd7f1460d265c4325c2bd856 |
| SHA256 | c450a869a61ef07cbc5f709b657534b1beaf4df07ee769bc0540d6ae5977226d |
| SHA512 | 03ae36789b6fa349da44c97a3fa6626f2fbe36e58781e544f0f43d9a08fabf873b7844cfc56e4c658adcba992dca2cc6f85c568f3456a6dfc42fea9f245922c3 |
C:\Windows\System\MMnoaZz.exe
| MD5 | 36beb86951a0477eecb446a18b407ed0 |
| SHA1 | ea46d04214093fc9d441be047c1e1a97c614f0b0 |
| SHA256 | 5b48e100bcf06635eff7fa886fee7f2f6c7ccf0e62b4804111d20a0bff815a39 |
| SHA512 | 37d373d12a56f9e2f67b18bf439efc646ead6f763ccbe0eb54caaefb15bb4b208453158771aff6ab2e8d5ebb948b0aec19f15a4191a42383c87d80e807386cc7 |
memory/2256-110-0x00007FF7E4060000-0x00007FF7E43B4000-memory.dmp
memory/2980-103-0x00007FF6B1AB0000-0x00007FF6B1E04000-memory.dmp
C:\Windows\System\vHogYYH.exe
| MD5 | ec69953dfdb7f0561a46fd864858afaa |
| SHA1 | 3842d55abc1b7a4ede6681008d0b445a40a32750 |
| SHA256 | 71b413c200737fe19fb25b42912cd31f5e055cbdadcbe7836769801803c2d5ae |
| SHA512 | b75c11995891dbef609404f82890d26f3be9f1c1e95567086ee8d6802dc0196889b39157b3b6763536ff555cce447cc76614a6276f21d7d57881272e41fe77c0 |
C:\Windows\System\MlLDUZc.exe
| MD5 | 72627fe55f56cf9e23b85c0456991ad3 |
| SHA1 | 4ae009da06eead5269ec20f1d13e688fcced7b58 |
| SHA256 | 5ac74b42b6e2b66ad86d764bc8010f34e101a2f87e619c75f1336cb1cb676204 |
| SHA512 | 2c317bddd832b634ba8f067f8a83677a6e0d4c8307c00b1c4e2d8d59eccb7b9fd457eca43422744fa428e94648ff15cbd163184d4144d8b80dd0348e47929d4b |
C:\Windows\System\FmRdpqL.exe
| MD5 | 205b31679628c4c1862703ae98993953 |
| SHA1 | 93680ef1628ad607ecd89ee89304d33ce183072a |
| SHA256 | 1cc818bd397949724c5a3033778e57beb3fd7626cefdb40f8cf412433108826e |
| SHA512 | b7dc79cb7f47fa67aa7e475cf7dd5f25fd131d63d104558502fc2d57a58c23acb05590097389a67286ef529cb3e208e65301c8076349e3704d7f58cc27096473 |
memory/2708-129-0x00007FF72E890000-0x00007FF72EBE4000-memory.dmp
C:\Windows\System\XElxNuK.exe
| MD5 | d9756ea534d56860a0d413bcfce570c1 |
| SHA1 | 02131784112e265651035a770a06488b8a4c6548 |
| SHA256 | b75501097f2ba465307668e5104af3d160ab64b840238443a3be152576c06238 |
| SHA512 | d49dd0564f59fd733e167acd2b24b0c3f39d0a165de11dee3d9f8b5774e405a88846e628c3600ac07e1784cfeaf5a04e1e430dfeca0b37039f33d13ac1815563 |
memory/3176-122-0x00007FF615440000-0x00007FF615794000-memory.dmp
memory/1556-120-0x00007FF679AD0000-0x00007FF679E24000-memory.dmp
memory/4232-116-0x00007FF7377F0000-0x00007FF737B44000-memory.dmp
memory/4024-134-0x00007FF768E50000-0x00007FF7691A4000-memory.dmp
memory/2368-135-0x00007FF75F810000-0x00007FF75FB64000-memory.dmp
memory/4208-136-0x00007FF73F430000-0x00007FF73F784000-memory.dmp
memory/2256-137-0x00007FF7E4060000-0x00007FF7E43B4000-memory.dmp
memory/3176-138-0x00007FF615440000-0x00007FF615794000-memory.dmp
memory/1552-139-0x00007FF6C4580000-0x00007FF6C48D4000-memory.dmp
memory/1664-140-0x00007FF620180000-0x00007FF6204D4000-memory.dmp
memory/3744-141-0x00007FF651470000-0x00007FF6517C4000-memory.dmp
memory/4840-142-0x00007FF65BD30000-0x00007FF65C084000-memory.dmp
memory/2560-143-0x00007FF7F7070000-0x00007FF7F73C4000-memory.dmp
memory/4056-144-0x00007FF77C4A0000-0x00007FF77C7F4000-memory.dmp
memory/2980-145-0x00007FF6B1AB0000-0x00007FF6B1E04000-memory.dmp
memory/1200-146-0x00007FF7E99D0000-0x00007FF7E9D24000-memory.dmp
memory/1556-147-0x00007FF679AD0000-0x00007FF679E24000-memory.dmp
memory/3320-148-0x00007FF65F760000-0x00007FF65FAB4000-memory.dmp
memory/388-149-0x00007FF62FD30000-0x00007FF630084000-memory.dmp
memory/2368-150-0x00007FF75F810000-0x00007FF75FB64000-memory.dmp
memory/4804-151-0x00007FF6D2DA0000-0x00007FF6D30F4000-memory.dmp
memory/3520-152-0x00007FF7DEBE0000-0x00007FF7DEF34000-memory.dmp
memory/4208-153-0x00007FF73F430000-0x00007FF73F784000-memory.dmp
memory/1896-154-0x00007FF796450000-0x00007FF7967A4000-memory.dmp
memory/2256-155-0x00007FF7E4060000-0x00007FF7E43B4000-memory.dmp
memory/4232-156-0x00007FF7377F0000-0x00007FF737B44000-memory.dmp
memory/3176-157-0x00007FF615440000-0x00007FF615794000-memory.dmp
memory/2708-158-0x00007FF72E890000-0x00007FF72EBE4000-memory.dmp
memory/4024-159-0x00007FF768E50000-0x00007FF7691A4000-memory.dmp
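The list above is raw sandbox output: each dropped path is followed by its hash rows, and the `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` names record which process regions were dumped. The following is an added example (not part of the sandbox report or the vendor's tooling) of how an analyst would turn this layout into usable IOCs: a parser that validates digest lengths, de-duplicates repeat dumps of the same region, reports the distinct region sizes, emits a SHA256 blocklist, and tests paths against a hunting pattern. The regular expressions, function names and the seven-letter `C:\Windows\System\*.exe` naming pattern are my own assumptions drawn from the names in this report; the sample input lines are copied from the list above.

```python
import re
from collections import defaultdict

# Constructed sample input: a handful of lines copied from the dropped-file and
# memory-dump list in the report. The full list parses the same way.
REPORT = r"""
C:\Windows\System\OmwCdma.exe
| MD5 | 2b68dad4e9d2f0793d277a00918336f3 |
| SHA1 | 4ab465f8ef7ba49d89f4f7610ab6d92c068159b4 |
| SHA256 | 25f91757149cc4a65f9908a54e69885f7194cd0afc5eb26290480c342fba73c8 |
| SHA512 | 2ea8f3f3c383ffb6a63994aa89a8990883221882cb0f93044cdbc9df2581fe1d1f663da0d74b3549d9b0c6a06e8a060b5e322b404d9a95f56e03eee4e553f9d4 |
C:\Windows\System\jKPRkFD.exe
| MD5 | c752e1c62bb44ea1766f632973af9182 |
| SHA1 | 62543fe5800f991d8c337ac3f0cadd147653c6f1 |
| SHA256 | d109d6e77fb9c6b69f277bddf0579c2dffb3887a02091bae6ac087a4cf6053a1 |
| SHA512 | 37787af8e80bbff08051d9fc2aeb2b6b980030b27b0fdf26e46ee5f7fc50acb6439ba17d7c6e3242b71e16e5964227ad6f135b747ea9b04b4eff49fcce8f7363 |
memory/1556-54-0x00007FF679AD0000-0x00007FF679E24000-memory.dmp
memory/1200-53-0x00007FF7E99D0000-0x00007FF7E9D24000-memory.dmp
memory/2560-32-0x00007FF7F7070000-0x00007FF7F73C4000-memory.dmp
memory/2560-100-0x00007FF7F7070000-0x00007FF7F73C4000-memory.dmp
"""

DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Hypothetical hunting pattern derived from the names in this report:
# seven alphabetic characters plus .exe, directly under C:\Windows\System.
DROP_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")


def parse_report(text):
    """Return ({path: {algo: digest}}, {pid: {(start, end)}}) for report text in this layout."""
    files, regions, current = {}, defaultdict(set), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = line
            files.setdefault(current, {})
        elif (m := HASH_RE.match(line)):
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError(f"hash row with no preceding path: {line}")
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"{algo} digest on {current} has length {len(digest)}")
            files[current][algo] = digest
        elif (m := MEM_RE.match(line)):
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            if end <= start:
                raise ValueError(f"empty or inverted region: {line}")
            # A set collapses repeat dumps of one region (PID 2560 at seq 32 and 100).
            regions[int(m.group(1))].add((start, end))
        # Any other line (signature tables, headings) carries no IOC and is skipped.
    return files, dict(regions)


def region_sizes(regions):
    """Distinct sizes of the dumped regions; a single value means every PID mapped an image of the same size."""
    return {end - start for spans in regions.values() for start, end in spans}


def sha256_blocklist(files):
    """Sorted, de-duplicated SHA256 values, ready for an EDR or AV blocklist."""
    return sorted({h["SHA256"] for h in files.values() if "SHA256" in h})


def drop_pattern_hits(files):
    """Paths matching the hypothetical seven-letter naming pattern under C:\\Windows\\System."""
    return sorted(p for p in files if DROP_NAME_RE.match(p))


if __name__ == "__main__":
    files, regions = parse_report(REPORT)
    print(f"{len(files)} dropped files, {len(regions)} PIDs with dumps")
    print("region sizes:", [hex(s) for s in sorted(region_sizes(regions))])
    print("pattern hits:", drop_pattern_hits(files))
    print("sha256:", *sha256_blocklist(files), sep="\n  ")
```

Run over the full list in this section, `region_sizes()` returns the single value `0x354000` for all 22 PIDs: every dumped region is the same size, which is consistent with each of the renamed executables mapping an image of identical size. The two-column hash rows and the `memory/` names are the only IOC carriers here, so anything else in the report is skipped rather than guessed at; a digest of the wrong length raises instead of being silently accepted, since a truncated hash in a blocklist matches nothing.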