Analysis Overview
SHA256
fac50c17f8c212c120e2764de5d2b9b44ac32cce59e96a01d93953fd32dbb306
Threat Level: Known bad
The file 2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobalt Strike reflective loader
xmrig
Cobaltstrike
XMRig Miner payload
Cobaltstrike family
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-06 16:43
Signatures
Cobalt Strike reflective loader (1 match; description, indicator, process and target not recorded)
Cobaltstrike family
XMRig Miner payload (1 match; no details recorded)
Xmrig family
UPX packed file (1 match; no details recorded)
Unsigned PE (1 match; no details recorded)
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 16:43
Reported
2024-08-06 16:46
Platform
win7-20240708-en
Max time kernel
142s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader (21 matches; description, indicator, process and target not recorded)
Cobaltstrike
xmrig
XMRig Miner payload (58 matches; description, indicator, process and target not recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\Tasdxio.exe | N/A |
| N/A | N/A | C:\Windows\System\WpJxNJy.exe | N/A |
| N/A | N/A | C:\Windows\System\fPtJxge.exe | N/A |
| N/A | N/A | C:\Windows\System\xVZfPxb.exe | N/A |
| N/A | N/A | C:\Windows\System\tnUofSw.exe | N/A |
| N/A | N/A | C:\Windows\System\jkrVjAE.exe | N/A |
| N/A | N/A | C:\Windows\System\XeJizAb.exe | N/A |
| N/A | N/A | C:\Windows\System\JUJvWMd.exe | N/A |
| N/A | N/A | C:\Windows\System\vBGqZlV.exe | N/A |
| N/A | N/A | C:\Windows\System\JzUHqmX.exe | N/A |
| N/A | N/A | C:\Windows\System\acHLAtb.exe | N/A |
| N/A | N/A | C:\Windows\System\ghdiXRd.exe | N/A |
| N/A | N/A | C:\Windows\System\omxPRng.exe | N/A |
| N/A | N/A | C:\Windows\System\ULJTnrJ.exe | N/A |
| N/A | N/A | C:\Windows\System\qyQLuGD.exe | N/A |
| N/A | N/A | C:\Windows\System\NABSSkZ.exe | N/A |
| N/A | N/A | C:\Windows\System\RBdInQv.exe | N/A |
| N/A | N/A | C:\Windows\System\gvDrfuf.exe | N/A |
| N/A | N/A | C:\Windows\System\yfIIqsy.exe | N/A |
| N/A | N/A | C:\Windows\System\sIaHVRr.exe | N/A |
| N/A | N/A | C:\Windows\System\FMxJHHG.exe | N/A |
Loads dropped DLL
UPX packed file (57 matches; description, indicator, process and target not recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
SeLockMemoryPrivilege is the right XMRig enables so it can back its RandomX scratchpad with large pages; ordinary user software almost never requests it, so the two enable calls below are a strong miner indicator on their own, independent of the payload signature.
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
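The signatures above reduce to three observable traits: executables launched from C:\Windows\System with 7-letter random names, SeLockMemoryPrivilege being enabled, and repeated TCP connections to 3.120.209.58:8080. The following detection logic is an added example (not sandbox output, not code from the sample's authors) that checks those three traits over constructed event records; the record field names are an assumption and would be mapped from Security 4688/4703 or Sysmon 1/3 events in a real pipeline, and the allow-list of legitimate large-page users is likewise assumed.

```python
"""Detection logic for the three traits recorded in the behavioural run.
Added example; event records are CONSTRUCTED and their field names assumed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Endpoint contacted directly (no DNS query) in both the Win7 and Win10 runs.
KNOWN_BAD_ENDPOINTS = {("3.120.209.58", 8080)}
# Every dropped file in the report is a 7-letter mixed-case name under
# C:\Windows\System, a legacy directory legitimate software rarely writes to.
DROP_DIR = "c:\\windows\\system\\"
DROPPER_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")
# Images that legitimately enable SeLockMemoryPrivilege (large pages).
# Assumption for the example; tune per environment.
LOCK_MEMORY_ALLOWLIST = {"sqlservr.exe"}


@dataclass(frozen=True)
class Alert:
    rule: str
    pid: int
    detail: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def check_event(ev: dict) -> list[Alert]:
    """Return the alerts a single event triggers (possibly none)."""
    kind, image, pid = ev.get("event"), ev.get("image", ""), int(ev.get("pid", 0))
    alerts: list[Alert] = []
    if kind == "process_create":
        if image.lower().startswith(DROP_DIR) and DROPPER_NAME.match(_basename(image)):
            alerts.append(Alert("dropper_in_windows_system", pid, image))
    elif kind == "privilege_adjusted":
        if ("SeLockMemoryPrivilege" in ev.get("enabled", ())
                and _basename(image).lower() not in LOCK_MEMORY_ALLOWLIST):
            alerts.append(Alert("lock_memory_privilege", pid, image))
    elif kind == "network_connect":
        dst = (ev.get("dst_ip"), int(ev.get("dst_port", 0)))
        if ev.get("proto") == "tcp" and dst in KNOWN_BAD_ENDPOINTS:
            alerts.append(Alert("known_bad_endpoint", pid, f"{dst[0]}:{dst[1]}"))
    return alerts


def scan(events: Iterable[dict]) -> list[Alert]:
    return [a for ev in events for a in check_event(ev)]


def correlate(alerts: Iterable[Alert]) -> set[int]:
    """PIDs that tripped two or more distinct rules. In this report the parent
    both enables the privilege and talks to the endpoint, while each dropped
    child only trips the path rule, so this isolates the dropper from noise."""
    rules_by_pid: dict[int, set[str]] = {}
    for a in alerts:
        rules_by_pid.setdefault(a.pid, set()).add(a.rule)
    return {pid for pid, rules in rules_by_pid.items() if len(rules) >= 2}


# Constructed events mirroring the report; PIDs and the sample's path are made up.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe"},
    {"event": "privilege_adjusted", "pid": 1000, "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "enabled": ["SeLockMemoryPrivilege"]},
    {"event": "process_create", "pid": 1001, "image": r"C:\Windows\System\Tasdxio.exe"},
    {"event": "process_create", "pid": 1002, "image": r"C:\Windows\System\WpJxNJy.exe"},
    {"event": "network_connect", "pid": 1000, "proto": "tcp", "dst_ip": "3.120.209.58", "dst_port": 8080},
    # Benign noise that must not alert: System32 is not System, SQL Server is
    # allow-listed, and resolver traffic to 8.8.8.8 is UDP to an unrelated address.
    {"event": "process_create", "pid": 2000, "image": r"C:\Windows\System32\svchost.exe"},
    {"event": "privilege_adjusted", "pid": 2001, "image": r"C:\Program Files\MSSQL\Binn\sqlservr.exe",
     "enabled": ["SeLockMemoryPrivilege"]},
    {"event": "network_connect", "pid": 2000, "proto": "udp", "dst_ip": "8.8.8.8", "dst_port": 53},
]

if __name__ == "__main__":
    found = scan(SAMPLE_EVENTS)
    for a in found:
        print(f"{a.rule:28} pid={a.pid} {a.detail}")
    print("multi-rule pids:", sorted(correlate(found)))
```

The path rule deliberately keys on the directory plus the name shape rather than on the 21 file names listed above: the Win10 run of the same sample produced 21 entirely different names, so a name or hash list from one detonation would miss the next one.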
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe"
Dropped executables, each recorded with its bare image path as the command line and no arguments:
C:\Windows\System\Tasdxio.exe
C:\Windows\System\WpJxNJy.exe
C:\Windows\System\xVZfPxb.exe
C:\Windows\System\fPtJxge.exe
C:\Windows\System\tnUofSw.exe
C:\Windows\System\jkrVjAE.exe
C:\Windows\System\XeJizAb.exe
C:\Windows\System\JUJvWMd.exe
C:\Windows\System\vBGqZlV.exe
C:\Windows\System\JzUHqmX.exe
C:\Windows\System\acHLAtb.exe
C:\Windows\System\ghdiXRd.exe
C:\Windows\System\omxPRng.exe
C:\Windows\System\ULJTnrJ.exe
C:\Windows\System\qyQLuGD.exe
C:\Windows\System\NABSSkZ.exe
C:\Windows\System\RBdInQv.exe
C:\Windows\System\gvDrfuf.exe
C:\Windows\System\yfIIqsy.exe
C:\Windows\System\sIaHVRr.exe
C:\Windows\System\FMxJHHG.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Six TCP connections to the same endpoint with an empty Domain column: the address was contacted directly, and no DNS query at all was recorded in this run.
Files
memory/1532-0-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/1532-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\Tasdxio.exe
| MD5 | 7e9bbd25ed6a4b917a9ecd1864d3b6b8 |
| SHA1 | eac2a27abcbca1f8a45528189390e2256a0a061f |
| SHA256 | 65f7af471506e1cf6035fd91b1aa1b06f45277142c50c65d3969afba4db2e63e |
| SHA512 | 3520663021dda657120ed901dc84fcfe9b41f8d8910e7b6c35314b4f4f2fa15a98d3d913cf287ad09c07d65d1f07b27b2d0492571b97664bae629451c4eff27e |
\Windows\system\xVZfPxb.exe
| MD5 | 98aa97df4458d8ac0b8689ac25497d4a |
| SHA1 | 605561a9535051febc8c37ea0dd4c24f1140765f |
| SHA256 | cb2becc17c99064062afe079e29863d670bc5cd833e8599ea02472b1c2e5340d |
| SHA512 | e145bb6e65da06fdb795bf906741784a8f799ff409d035d7dffbbb034582363de7b1ad12ce829a2c64cd2b4165483a97e1054f7ae375e0128b46930ed7ab4f31 |
C:\Windows\system\fPtJxge.exe
| MD5 | a9e182ec9151d0fd7c588b3df814fc5d |
| SHA1 | 6b6440eafcf491ad0db47b919723ace29db0f132 |
| SHA256 | a7880160f4783eef51f07d3bbfb22b0d1f7b1cbefb6fff3f0c7703c8eea56513 |
| SHA512 | d0f42bfdb714a2faf97100e1e1215462f16a30bade99a3780e64795b2707f79c11e66780cef17f1bbe09c744244380f2a644fc986751c31b84fffea0f29b7839 |
memory/2436-26-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/2172-28-0x000000013F440000-0x000000013F794000-memory.dmp
memory/1532-27-0x000000013F440000-0x000000013F794000-memory.dmp
memory/2568-25-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2884-20-0x000000013F2B0000-0x000000013F604000-memory.dmp
C:\Windows\system\WpJxNJy.exe
| MD5 | ce3ea2a7140ec4a191cb0ce860fb1cac |
| SHA1 | c9da29fc28e6919864a6c3c86d9724526a3cd830 |
| SHA256 | 2c77586a47993d4982fdb69a1783b38bddd55970ad53bcdf9e81e14389c5f41d |
| SHA512 | b8248db798f704966207f2e483b478cbf2c84fa71f08ef2a04699ae71541d3ea6ede6f6a0fbb1cd34e5d5beb42d460fa689c5e3d4c9bbaf8ab4c33319c152ebe |
memory/1532-11-0x000000013F570000-0x000000013F8C4000-memory.dmp
C:\Windows\system\tnUofSw.exe
| MD5 | fc8394bae73509d71e3f7854b38b69fa |
| SHA1 | e4a60621f39b3d6439750bbca7c1625669457261 |
| SHA256 | 22c606584c0902f913d393e3c2b5cd32cba7d128663ceb43638f4d3bd6d77573 |
| SHA512 | a40317895402ce67b80fc1a6ed148a5a3d680c906fd35a713f3fe7f0971b69962cd6806232a26593ebe5c03ee3c1810f3a225072e18b1c84cf5e29005d4e9b66 |
memory/2428-35-0x000000013F0D0000-0x000000013F424000-memory.dmp
C:\Windows\system\jkrVjAE.exe
| MD5 | b9235e902ed8fd944657cac22a96058a |
| SHA1 | 31e1db4242949dc980d29056e5a6cb5a85044b52 |
| SHA256 | f9fdfefa9b78b6e55a557e36b40fca3ad186c2643b35e906f826d8fb566bf28a |
| SHA512 | 47051b21ee05649182287a8d08adc1ee0200643f591c576b5dd30dfdba078a2039f86fc8cf9a82114a0c6f7a18db90d4b6e97cf0155d86c85389f6a70858a918 |
memory/1532-40-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/2076-41-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/1532-34-0x000000013F0D0000-0x000000013F424000-memory.dmp
\Windows\system\XeJizAb.exe
| MD5 | 076de34d79d6598237f2fab738d27ad6 |
| SHA1 | c25dd0f70637ed3723d452908b62451c8587886c |
| SHA256 | 0ade44cd87186f8011e92284628f8bb6193d9ebb0509fcf8a3217dda805678af |
| SHA512 | c6eb1831f232fbcba13346f8087f02cf126b20cf11ddef2c66ed68e3d443368a6506a45f7bbcb18f30fb6738ef36c114de75473d8fe7b80490afea752daa4437 |
memory/2716-56-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2700-62-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2724-70-0x000000013FBC0000-0x000000013FF14000-memory.dmp
C:\Windows\system\ghdiXRd.exe
| MD5 | e05c830a043d08f79fea6d98abee5443 |
| SHA1 | 26ae02ece319ef8edb96ea237504169a668f93db |
| SHA256 | dde4958824bd428e94e2fde4f13b7531a5e5bb1e007b24fced2fccdae2afe7ba |
| SHA512 | 085eff5c3503a8c1ffaebf43a84b93c8c7362e187bf7edab32fae9501b535ebd5abaeb3404e1ca2229092965762226edabf9bee09490c21f2f7a167d9207141c |
memory/2568-81-0x000000013F570000-0x000000013F8C4000-memory.dmp
\Windows\system\omxPRng.exe
| MD5 | 70794d7fe6066a62acf8c5209012c17e |
| SHA1 | d2380fe382830686c2b5733db5b4af9bcf6fb318 |
| SHA256 | 0483d79e5a43c14aa2be3a96d6b9fbea2a16be283687ca4f7053ae842cec7502 |
| SHA512 | 901652a44fc0a60e2c8aea3aca47c9a71d87abe9b5f6e7ed1af3b93f00ee39832044cb3121e65e5948a875f09c675bd74c3244e8b243d65e0e3b30da89b8a141 |
C:\Windows\system\yfIIqsy.exe
| MD5 | e0dd97d406c9c89e40c3349b79a6bcc7 |
| SHA1 | e428fa438861ad47ea85c30906104df63cd5c208 |
| SHA256 | 6d7dadb3f07d6184c79d69e02a92b37d288d9a6a31f34f2125b187523d22c7fe |
| SHA512 | 45d4f44ce9d593ff6bfae0be23294e3ff023375c04564b9528d21c5b3ddd0dd8694b548a3107a7965fe2e1cfe24a293cf3f1b95d8bef470eee9a962d3e2458e7 |
\Windows\system\FMxJHHG.exe
| MD5 | 1be3e423a43c529458a1f519bfe41222 |
| SHA1 | f4867d2d5ecc929e86ddd984215d5f505e5cca33 |
| SHA256 | 880ff948cfce794c4a9e7a4f387df7ca37ae86e6606d27aac5bb1c8add8d8058 |
| SHA512 | da62b0312ce5728987624cb6c95405cbc2e99ec4c44232cd487c7dfcbcf5db0068e52be7aeb77243a2b22efacc3aba2a818d2703683ed58590bf7d0b99dddd23 |
C:\Windows\system\sIaHVRr.exe
| MD5 | a3075465e067d8c56b580408efb0787a |
| SHA1 | 1dbef8902274df99024b68a340c0cff89a793ca7 |
| SHA256 | 637edcc6ca1ced00419a6df367aeb85a1e995f58ed91476f36ee0ab4420d1e76 |
| SHA512 | 54274f15271a351271a13cb3efcf22d850967f078d0d3191ddca4802b009257034e8491d2d0ae5b148b9f855da42d94276b57ada2ef821cbdc78e537bddcf9e1 |
C:\Windows\system\gvDrfuf.exe
| MD5 | 9ea58de6b0a665d6ce2ea08344f852f6 |
| SHA1 | 0221ff1940af63a1cd369e4399c849b1f58c7f5a |
| SHA256 | 0fcd6c85badfbc814bd955d499071e67945dc4286245e991596999dd2ebf8c9d |
| SHA512 | 1b01074710104d0c3472bf94ece4422c624932e753bf257a386316835045a7f24a7154fd67bcc623e42c3ee5a238cb256aa92f90507289645564558706db1de3 |
C:\Windows\system\RBdInQv.exe
| MD5 | 05b068cce9887186959266c285e68169 |
| SHA1 | 47e87b8bb479f95b3cc0deba8d1240c53d0ee9f5 |
| SHA256 | 405e7a4a9d8fe7ef428697c2d006347f5f87f57b55ea7687792f2f487284f6bb |
| SHA512 | da1dc83000cc9f97b9870f09c194601b7f813f3a3fd5b6bf70e648bd1e5938cc7843a3324eb2c1856df83c6d8614787184808ace7f1791714b598ab6c4342b8a |
C:\Windows\system\NABSSkZ.exe
| MD5 | db9e51f7676579d9293bffc3023d2b77 |
| SHA1 | f1bc57d4441b86c5a2bd713911401690319695fe |
| SHA256 | bc7aa6946d06c36c0bf2463d28d44234a8044f9a0bf7a1e4f3060954f169477a |
| SHA512 | c7eea84ec334b1f29cf653bad4d40ea3b4cdea60892868e150ab00d8bf538616e6cc7dd43784c21614b45a0b4db3edea03babaf6a0069141e0159341330105d2 |
memory/1532-101-0x0000000002330000-0x0000000002684000-memory.dmp
C:\Windows\system\qyQLuGD.exe
| MD5 | b42e78076c889cd0503600d8e6f6b3fa |
| SHA1 | 3d59e848303d1c520d7b7bb0ba579065006178ee |
| SHA256 | 02bfbaea53a59850a197707f749c1a217c76b8cf283865859ba12188894e0c9d |
| SHA512 | 75064fa4666dcf5f9ca52858f9dc46c6c3f8d92709080967912cbf59cfea277583a46320e2584081dc466533be2cc484a98fde5b8c8b0ce0fc5c03b3aac7ef12 |
memory/2652-90-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2076-133-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/1532-89-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2492-96-0x000000013F9F0000-0x000000013FD44000-memory.dmp
memory/1532-95-0x0000000002330000-0x0000000002684000-memory.dmp
C:\Windows\system\ULJTnrJ.exe
| MD5 | 28ebe286b2ae4b68a9206e1135274a3b |
| SHA1 | 355493bcd488fc08983368fa84f35eebbd84abb1 |
| SHA256 | 0f6921eb935b52578e6bbbba69e8f311c9211b666b499998572253b06b09b8a0 |
| SHA512 | 3d08980f5fef1686be1d05749641113b9380a7a28d8739408ed804493629257bf80a65bd04a321dd6c710aedc1f53bf71d83e22cc08de7fd5bc3099a4d582eb9 |
memory/2916-82-0x000000013F460000-0x000000013F7B4000-memory.dmp
memory/2720-75-0x000000013FC10000-0x000000013FF64000-memory.dmp
C:\Windows\system\acHLAtb.exe
| MD5 | 0eec6a248529fff36cbed267dc7d2a94 |
| SHA1 | f65e9903f178ac27785fa58c3921429be82b0ca0 |
| SHA256 | f484c57599a98ce92a293dd58b3eb7de4f06f5f1c64e98e75e5e451502930ec6 |
| SHA512 | 1e0dda3415c3546cbb6b686af69782c717f47d19f3a794f42ec78f74f5f094014c3dc29e3c7901cca72488d1ce5d5d14b397afb504336eb889463d229689323a |
memory/1532-69-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/1532-61-0x000000013F690000-0x000000013F9E4000-memory.dmp
C:\Windows\system\JzUHqmX.exe
| MD5 | 4d7574295fef77d4ae5dc0b41bb2fd5c |
| SHA1 | 50221c49e21591ffde8b09a82d3646420e60583d |
| SHA256 | 790184ca0964a07d8e5e81888a52fa4ed8089f306e44e043020bf94ae8591502 |
| SHA512 | 0acb1f441a1b17e11df6e58b0e09552de88be7d897f0f5e23bd7b187c3fac333ce91ae9b04f9735b39a3035f4825560809344ca755190b541d15fc90a92c54dc |
C:\Windows\system\vBGqZlV.exe
| MD5 | 822e9583b6692730302f0df5e6ea1402 |
| SHA1 | 56c9f9c6bc69f9a69e9f15f79fd2b843e5bd3338 |
| SHA256 | c8bc1b14cd47a17bc06e2cb392f82ebe9037893e46a4d83e662f3073173a0a25 |
| SHA512 | 51f601e660b3bba195ab696449e980e302a5d32d54ff243e93f066336aa75fa45fe72cab7e833a6a893fff7f4088f1504d81fcf8f60105226c1b30e6e6a72b97 |
memory/1804-49-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/1532-48-0x0000000002330000-0x0000000002684000-memory.dmp
memory/1532-55-0x000000013F680000-0x000000013F9D4000-memory.dmp
C:\Windows\system\JUJvWMd.exe
| MD5 | 1a72852baa1a85da4a76ab0d4be707dd |
| SHA1 | 19ece0e539bfd9ea53c7718b6d31c1ae6fb9d2c1 |
| SHA256 | 3b07dfbf04a9f242a1376cca22eceec30e5a3b8a44bb56cd3aa343233471bb2a |
| SHA512 | 6d96cd909dd715a184e6e7c685494c9d65eb13f6c161f5fa128759a6be2e8ad3dbc97711c1869653e7fdb7bf4adb15b459426a3571c3c96a43f7dd3962f3574c |
memory/2700-134-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/1532-135-0x0000000002330000-0x0000000002684000-memory.dmp
memory/2720-136-0x000000013FC10000-0x000000013FF64000-memory.dmp
memory/2916-137-0x000000013F460000-0x000000013F7B4000-memory.dmp
memory/1532-138-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2492-139-0x000000013F9F0000-0x000000013FD44000-memory.dmp
memory/2884-140-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2172-141-0x000000013F440000-0x000000013F794000-memory.dmp
memory/2568-142-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2436-143-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/2428-144-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/2076-145-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/1804-146-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2716-147-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2700-148-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2724-149-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2720-150-0x000000013FC10000-0x000000013FF64000-memory.dmp
memory/2916-151-0x000000013F460000-0x000000013F7B4000-memory.dmp
memory/2652-152-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2492-153-0x000000013F9F0000-0x000000013FD44000-memory.dmp
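The Files block above mixes two kinds of line: dropped-executable paths followed by their hash rows, and memory dump names of the form memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp. The parser below is an added example, not part of the sandbox output; it turns such a block into a SHA256 set for hunting and a histogram of dumped-region sizes. The EXCERPT it parses is copied from this report's Files blocks (the hashes and dump names are the report's own); the regular expressions and the helper names are assumptions for the example. Two things it makes visible: apart from the two 0x10000-byte regions, every dumped region in both runs is exactly 0x354000 bytes, consistent with each child process mapping the same image; and because the Win7 and Win10 runs produced 42 distinct file names and hashes, the hash set only catches this detonation's artifacts, so the size uniformity and the path pattern are the more durable indicators.

```python
"""Parser for the "Files" block of a report in this layout.
Added example; EXCERPT is copied from the report, everything else is assumed."""
from __future__ import annotations

import hashlib
import re
from collections import Counter

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_NAME = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# Dropped-file path lines: "\Windows\system\X.exe" or "C:\Windows\system\X.exe"
PATH_LINE = re.compile(r"^(?:[A-Za-z]:)?\\.+\.exe$")


def parse_files_block(text: str) -> tuple[dict[str, dict[str, str]], list[tuple[int, int, int, int]]]:
    """Return ({path: {algo: hexdigest}}, [(pid, index, start, end), ...])."""
    files: dict[str, dict[str, str]] = {}
    regions: list[tuple[int, int, int, int]] = []
    current: str | None = None            # path whose hash rows we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := DUMP_NAME.match(line):
            pid, idx, start, end = m.groups()
            regions.append((int(pid), int(idx), int(start, 16), int(end, 16)))
            current = None                # a dump name ends the current hash table
        elif (m := HASH_ROW.match(line)) and current is not None:
            files[current][m.group(1)] = m.group(2).lower()
        elif PATH_LINE.match(line):
            current = line
            files.setdefault(current, {})
    return files, regions


def region_sizes(regions) -> Counter:
    """Histogram of dumped-region sizes; one dominant size across many PIDs
    means every child mapped an identically sized image."""
    return Counter(end - start for _, _, start, end in regions)


def sha256_set(files) -> set[str]:
    return {h["SHA256"] for h in files.values() if "SHA256" in h}


def is_known_drop(data: bytes, known: set[str]) -> bool:
    """Hash a file's bytes and test membership in the report's SHA256 set."""
    return hashlib.sha256(data).hexdigest() in known


# Excerpt copied from the report's behavioral1 and behavioral2 Files blocks.
EXCERPT = r"""
memory/1532-0-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/1532-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\Tasdxio.exe
| MD5 | 7e9bbd25ed6a4b917a9ecd1864d3b6b8 |
| SHA1 | eac2a27abcbca1f8a45528189390e2256a0a061f |
| SHA256 | 65f7af471506e1cf6035fd91b1aa1b06f45277142c50c65d3969afba4db2e63e |
C:\Windows\system\WpJxNJy.exe
| MD5 | ce3ea2a7140ec4a191cb0ce860fb1cac |
| SHA256 | 2c77586a47993d4982fdb69a1783b38bddd55970ad53bcdf9e81e14389c5f41d |
memory/2884-20-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/3184-0-0x00007FF69B7E0000-0x00007FF69BB34000-memory.dmp
"""

if __name__ == "__main__":
    files, regions = parse_files_block(EXCERPT)
    for size, n in region_sizes(regions).most_common():
        print(f"{n} region(s) of {size:#x} bytes")
    print(len(sha256_set(files)), "SHA256 values for hunting")
```

To use it against a full report, paste the whole Files block into EXCERPT (or read it from a file) and feed each candidate file's bytes to is_known_drop; a region-size histogram with one large dominant bucket across many PIDs is the quick way to confirm that the children carry the same unpacked payload before opening any of the dumps.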
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 16:43
Reported
2024-08-06 16:46
Platform
win10v2004-20240802-en
Max time kernel
134s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader (21 matches; description, indicator, process and target not recorded)
Cobaltstrike
xmrig
XMRig Miner payload (64 matches; description, indicator, process and target not recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\WCMIPAh.exe | N/A |
| N/A | N/A | C:\Windows\System\rgDxPsn.exe | N/A |
| N/A | N/A | C:\Windows\System\gNIKgPe.exe | N/A |
| N/A | N/A | C:\Windows\System\FPfTSHX.exe | N/A |
| N/A | N/A | C:\Windows\System\JWRjBsz.exe | N/A |
| N/A | N/A | C:\Windows\System\tuVJxiQ.exe | N/A |
| N/A | N/A | C:\Windows\System\hPGKrpk.exe | N/A |
| N/A | N/A | C:\Windows\System\cbuzTWH.exe | N/A |
| N/A | N/A | C:\Windows\System\xlyFFLX.exe | N/A |
| N/A | N/A | C:\Windows\System\dhlPzqA.exe | N/A |
| N/A | N/A | C:\Windows\System\xoojwgW.exe | N/A |
| N/A | N/A | C:\Windows\System\YHZYLzL.exe | N/A |
| N/A | N/A | C:\Windows\System\uuValsa.exe | N/A |
| N/A | N/A | C:\Windows\System\xQXytOg.exe | N/A |
| N/A | N/A | C:\Windows\System\heBJqMf.exe | N/A |
| N/A | N/A | C:\Windows\System\WgpeZTb.exe | N/A |
| N/A | N/A | C:\Windows\System\hKjzJla.exe | N/A |
| N/A | N/A | C:\Windows\System\driynTt.exe | N/A |
| N/A | N/A | C:\Windows\System\rMIVgTX.exe | N/A |
| N/A | N/A | C:\Windows\System\HsIlSOw.exe | N/A |
| N/A | N/A | C:\Windows\System\RFFgPSX.exe | N/A |
UPX packed file (64 matches; description, indicator, process and target not recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-06_21f849bb6cc83bddda7a7c7d75380a18_cobalt-strike_cobaltstrike_poet-rat.exe"
Dropped executables, each recorded with its bare image path as the command line and no arguments:
C:\Windows\System\WCMIPAh.exe
C:\Windows\System\rgDxPsn.exe
C:\Windows\System\gNIKgPe.exe
C:\Windows\System\FPfTSHX.exe
C:\Windows\System\JWRjBsz.exe
C:\Windows\System\tuVJxiQ.exe
C:\Windows\System\hPGKrpk.exe
C:\Windows\System\cbuzTWH.exe
C:\Windows\System\xlyFFLX.exe
C:\Windows\System\dhlPzqA.exe
C:\Windows\System\xoojwgW.exe
C:\Windows\System\YHZYLzL.exe
C:\Windows\System\uuValsa.exe
C:\Windows\System\xQXytOg.exe
C:\Windows\System\heBJqMf.exe
C:\Windows\System\WgpeZTb.exe
C:\Windows\System\hKjzJla.exe
C:\Windows\System\driynTt.exe
C:\Windows\System\rMIVgTX.exe
C:\Windows\System\HsIlSOw.exe
C:\Windows\System\RFFgPSX.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 52.111.229.48:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
The g.bing.com lookup and connection, the reverse (in-addr.arpa) queries to 8.8.8.8 and the 52.111.229.48:443 connection are consistent with the Windows 10 image's own background traffic (none of it appears in the Win7 run) and should not be taken as indicators. The only destination common to both runs is 3.120.209.58:8080, again contacted six times over TCP with no preceding DNS query.
Files
memory/3184-0-0x00007FF69B7E0000-0x00007FF69BB34000-memory.dmp
memory/3184-1-0x0000019E867D0000-0x0000019E867E0000-memory.dmp
C:\Windows\System\WCMIPAh.exe
| MD5 | 94156eb0dfc8ccb655a95932858bfdb0 |
| SHA1 | 5fbae10dd222f318039d797383f7c639c9b081aa |
| SHA256 | caf6ae44f2e3bb0c67007b9d1c86440b69581aba0ef56b88915f0d6abfb94fe5 |
| SHA512 | 905c48adfbfd443a3bb9f904bd1224931ece4033a07cefa0a4963d6f1e52ea88ce1f58902718c2f6e936cc77d2c4fd36e98b906427ceec42f33d769d5accb04d |
C:\Windows\System\gNIKgPe.exe
| MD5 | e391490fad3482bd93b10a667319160b |
| SHA1 | 37330500077a907c4951af4d6d723f81fedcc8b8 |
| SHA256 | 59eefbf3e54373b9a2df5bad4a8a184c854748f1f5480f2b794d5a6888655a3d |
| SHA512 | dbc77b10944e1a37397d52e4c709887e79458cea2cadbfec373a0132196a11f963290e04c80b2e3b6d5d9f18ae413fbe4eb51e480be0409af899b7ce4b94327b |
C:\Windows\System\rgDxPsn.exe
| MD5 | ef7c49739400b02ac90ef8e5412b7d04 |
| SHA1 | 382a37c165b2c0b962ba2d91cf30104a2e4565fa |
| SHA256 | 259f18dc8014017ce6751b4e6c402f860d37c4ced7f7d4afc34432b58510d751 |
| SHA512 | d273467f617cb9c97f0e70d038d1c9eace8632a68913369bf336dd8f67ce6a4d94cb0452914330236e43163df15989116c85e934541f6642940754d0268ccde0 |
C:\Windows\System\JWRjBsz.exe
| MD5 | cdd80c4dec7aa1c0c91293a8d3d80a23 |
| SHA1 | 990ed313c72a1f6b6e7c56c87586ae27a3958e4e |
| SHA256 | d98e284e6720348f751606321487ad13e780bf11f3aa83ab3dcbbe847126c373 |
| SHA512 | df0dd6be048cf1ee2cd63f0be25d67a63ae7b71314c1b93058962396254e726de97bc6a302dd2c486a89fc200d885e81066354cfa88fad451eb8a8048309ae13 |
C:\Windows\System\tuVJxiQ.exe
| MD5 | b8a7e9e8d213e9f684023c3ef7eb28ef |
| SHA1 | ab7463d98881180e8780571dcbc32e1f2ecd19f3 |
| SHA256 | f2e520c5cf47a8343749d473f1e8d6c31ff91c31881925ea752d2b38cb997582 |
| SHA512 | c2ba9fb1af7031ce74a16a53a87715bdab8ccefafc710f7d56062d55c2c2b1b7b13211559f9ad69fb157d9b003df944056b216c8df28a257a5882002a38fea46 |
memory/1032-28-0x00007FF762B50000-0x00007FF762EA4000-memory.dmp
memory/2320-26-0x00007FF7BDB10000-0x00007FF7BDE64000-memory.dmp
C:\Windows\System\FPfTSHX.exe
| MD5 | 5946135fde1c42586f59d42e8b82f4da |
| SHA1 | 3dbed0b9aaa74726bbee526efbbf3cdd91aeab0d |
| SHA256 | fe098ab067d6205c2153f0ba1d14c87b76e737f9c3f8d7cea954e7449ef76d8c |
| SHA512 | da1257f5481693416109a0f2b899e18fc735f1d7c77cfe4671529550c07aed51913597d2fd2eda502ce00d1d35eeaad25d7f85c05d347d1e80d0b124d1852efe |
memory/1156-19-0x00007FF708460000-0x00007FF7087B4000-memory.dmp
memory/2964-8-0x00007FF6BD190000-0x00007FF6BD4E4000-memory.dmp
memory/3860-37-0x00007FF6B65B0000-0x00007FF6B6904000-memory.dmp
memory/856-42-0x00007FF784920000-0x00007FF784C74000-memory.dmp
C:\Windows\System\hPGKrpk.exe
| MD5 | e110117f00fc79e44c20c583614d4052 |
| SHA1 | 9265bb6bddb02b124ccd748a13faf2b17d232084 |
| SHA256 | 7fd24dead2ed2753c77343400a4791edd4e4049c0e26c6d733bb613b9f857de2 |
| SHA512 | d9db17c37747774900f62e2a87783a9f63e3f65b3d42d6d61c15e380f74cc820fea2b97127ed938a42b79e333179f1c6c20444b6eaa36430184a3a4bdcb1f520 |
C:\Windows\System\xlyFFLX.exe
| MD5 | ca00efef618a6a32ff5cb5d456ac58ff |
| SHA1 | a70a8ff1b8dde741e34a81bd8d235b2969ab4355 |
| SHA256 | 12490a7675dc3c078b7fc20c85058645de7cb25441245e50dab03d3fcfc61c5a |
| SHA512 | 7e8d0247f6633e61888ed4a0a0d2d39b9cad5d6e90904f4541f9c9bbe522df0c556310e561c8b958512957e6ff07fac1131b851948175ebab54d171a7b3d1b9d |
memory/4688-35-0x00007FF73CEF0000-0x00007FF73D244000-memory.dmp
C:\Windows\System\WgpeZTb.exe
| MD5 | 9215d0341b89a6b0f0716dad22140cdc |
| SHA1 | 234835a2ef36ac7bb86f2a7de9b6fbb8dadd8b25 |
| SHA256 | f2ae8821591bbfcac7f1b168b876569d66b31f15d4c997605ccc6208ffe37f83 |
| SHA512 | 9ce910910f61e8944b9dd4a2db665938d77a9a5ac7dfc33d0debaed0bebe7739f796bcd2207c14fb7f6202f740ff3a445442dd35cd20aaf3fb0beec537954b2d |
C:\Windows\System\heBJqMf.exe
| MD5 | 39f545bad2b6a0960ce40f14d067887d |
| SHA1 | 3f22d609644c7b1e4306b95da6a2f45a81f337e3 |
| SHA256 | 023775dc8a22887f205723e289ed7c60ec5156f2c3311b6e5af91068e82fd1e0 |
| SHA512 | b9b96c068da9aa681601bc4851ca613d8126b09fe9b14faee8478f626b27cb3c78a5ac2255e3b7bbce1a6a6c42d31dc99c0f973e85ebf18ae8368961f45f1444 |
C:\Windows\System\RFFgPSX.exe
| MD5 | 554e5d3d24002d74e96c3554ff8b2590 |
| SHA1 | 994b37d9a0a4aacd9bd3f5475ea31def461fc92d |
| SHA256 | 95e44d05c1f784ef724715319f4ae31a234aeb29d085261e3a9e2347c28b4a5f |
| SHA512 | f64ed0f0c6e96aa141223c5b1d74c83f15071deede49ce85f296459c0f92065b1d4d45c029d8731deba8990aeae7ee84bbeaa33681712084d1dc9fafa9d1445c |
C:\Windows\System\HsIlSOw.exe
| MD5 | 54b98b76bf240d07648608c9dde839a8 |
| SHA1 | 537e13d71fccebc80e5ef1409826abf052847336 |
| SHA256 | 567c2e8f98695f90f04e6d35834638512149ce8c1d968b99e1b2026c3449e620 |
| SHA512 | 425aad87ad40332791d6a2048bf3893009528114bef9d3ecd38c06623ca207c916c8bb0338daf81a30095ad7cfe0a080bf7c46b1975d5fd48122b7a48be67473 |
C:\Windows\System\rMIVgTX.exe
| MD5 | c84acb370eb92b473e289bf9bfac5b05 |
| SHA1 | 2278dff1bcdf72af864307d9ea23aaac08e8ea15 |
| SHA256 | 3a0f2170cb9b7574c4fe951ab56d1524401704bc365f8ccaa4773c8daa397abc |
| SHA512 | 409c607ed0040a113e777f4cf12adecbe7eaf1300a706124d1b9e33875e235b2cd376cf5c7867aacb9a45e082e4014013a215158082f4d44c325c8acc71f9dab |
C:\Windows\System\driynTt.exe
| MD5 | db966dade5ed7f7c7c0be771dafa3f5f |
| SHA1 | 4b2a59b8f0a611833d48cc74cbdb753f452d5dee |
| SHA256 | 5070c2ddf7e0aab1fd3014b3b8bbd10ed35af17c1c3b18bc077a2dcf9f7a255b |
| SHA512 | 071648c6ec4bc2980407daf3f2bbaf26befcdc3cc71d94133e54f35bd71fa544c0dac536bafd8e0b1825dfc27aaf52ed8c322928f09348699613862fb165d8d9 |
C:\Windows\System\hKjzJla.exe
| MD5 | 7c17a0a366c5e28d9afbf7af17e91f10 |
| SHA1 | f160a80c46c615587852e9d8e4da66c6bc810e6d |
| SHA256 | ddb309a57e1b1d13706eb8aff9582fccde7bca74afc59b987c9f0fa82a394dde |
| SHA512 | f22f568da37fdff63daff92d83c039f61cf94c7a19ed1ea1825606ed1d53b74a6c0501b82fd31bf1d220ead7df2311972a7cf45378c8fd7ab16a26850049f7cb |
C:\Windows\System\xQXytOg.exe
| MD5 | fe082fbc7321ab74df2d675c43cc8b11 |
| SHA1 | d964da11dbac4848ef8605360e362de83bd78824 |
| SHA256 | 420f039ea99cf0c56c5b3747a5de7afbd3cd43a9d4d909bed321fa3e7e944f37 |
| SHA512 | 21fd4264eb19983b739751b88402fe5c4f17e7d16fc6d239b6d1248b0cf2bd8738abb4c131e02a0da7666a2bd41f735d938b6ed043016d31969b52dea00aeebc |
C:\Windows\System\YHZYLzL.exe
| MD5 | 423fbbaa2885b7537aab1f39b2b6b710 |
| SHA1 | c1b8fa29347dcfc36e57e78d3349cc4866fb3892 |
| SHA256 | 4bd1e3ef97ff6de6f0ed7584ccbcb6335e1c4236684c225bd6ee1f9fcaa91b9b |
| SHA512 | 785aef56ca4e915a569b9c8b20142744de9efc6163ddf79b2e8a8bcc2c38fadf3a310e5f4dad19b3457e8fdbf35dcfc07e44ac35dfcbbe4d7fe5300bfe512ffc |
C:\Windows\System\uuValsa.exe
| MD5 | 2d0e72c5832bc8b4902cde1f21659a4b |
| SHA1 | fa7894f81cf330ddeaf3a3af1972790c30cb4888 |
| SHA256 | 6c300366ea5e95d2369019b59f8b3a369a6092b6d2ac6a0c754cd4ee87662691 |
| SHA512 | c0e90b70637f06a13f277047ec7ae9698db4e522016d13d99162109044456b2a160fa4f698b9dfc650b63a8acee5c666f3e1310b22dc5d4662953c2d0330fae0 |
C:\Windows\System\xoojwgW.exe
| MD5 | e460d84d5cd53d3ae120ea4509bf7504 |
| SHA1 | df846bdf9cf147c1a1fd98e1eedb011c21959412 |
| SHA256 | 810040ba4da059972940fb7a0996d5c14394732acd4b65034e62b847488eeda1 |
| SHA512 | e92bce6f43dcf8f9cb78b675c5f298dd386bfe6cd60daecbb630081ec3ffa84d27bfb6b9b3fccc36d09f45732dea396ee7bdad6d237ca0a5fe9aaa4e82485339 |
C:\Windows\System\dhlPzqA.exe
| MD5 | c2d86bfefd1266e27cbe4c3dab1d60c8 |
| SHA1 | f21b177d8f6e858aafa0cf4adff8023c2de3fe0e |
| SHA256 | 3db997f274281c5488f62d65fe26f49b4e959fd3cc8d35e758684aa6c974359d |
| SHA512 | a125640baea22d8c88a4a4360e3029cb4567679698417e5ae7fe600bf34d29b181100e175d223c14c4b90ec47b06a72f4d404debd1928f2c45218e8bacb32e69 |
C:\Windows\System\cbuzTWH.exe
| MD5 | 252ec1846c5ebf9cf3fe67f33e973c95 |
| SHA1 | 931c5eb62bcd5d7327e6f63cf8fb011493ee6ce7 |
| SHA256 | f16ae098221fd5e4dd7c07a6435f6d4a759dbf6b6b1edb9bb764ceaebf1f49cd |
| SHA512 | ea175c28c34872478851d2f233ace7757409641e04a8ae387c1a6cf0424053fd1f69adacc5dc2729f61e18f075a661c4f95c570e1558b8b696d008e7506e6f9a |