Analysis Overview
SHA256
c77276ec6dd1928c6f3d03deeac5bc7b712612b3845adc049fe71770c529014b
Threat Level: Known bad
The file 2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
XMRig Miner payload
Cobaltstrike
Cobalt Strike reflective loader
xmrig
Cobaltstrike family
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-07 21:46
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-07 21:46
Reported
2024-08-07 21:49
Platform
win7-20240708-en
Max time kernel
138s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System\FuhUpub.exe | N/A |
| N/A | N/A | C:\Windows\System\JRGjtZw.exe | N/A |
| N/A | N/A | C:\Windows\System\gxWyPGB.exe | N/A |
| N/A | N/A | C:\Windows\System\sjCwBXt.exe | N/A |
| N/A | N/A | C:\Windows\System\ybeuwjh.exe | N/A |
| N/A | N/A | C:\Windows\System\zCtlhRN.exe | N/A |
| N/A | N/A | C:\Windows\System\jvHntHS.exe | N/A |
| N/A | N/A | C:\Windows\System\jkwrxkP.exe | N/A |
| N/A | N/A | C:\Windows\System\cGsoKFR.exe | N/A |
| N/A | N/A | C:\Windows\System\vWqAorH.exe | N/A |
| N/A | N/A | C:\Windows\System\xlEPEAP.exe | N/A |
| N/A | N/A | C:\Windows\System\xCMXfsp.exe | N/A |
| N/A | N/A | C:\Windows\System\bxFLcOc.exe | N/A |
| N/A | N/A | C:\Windows\System\lMQaDdJ.exe | N/A |
| N/A | N/A | C:\Windows\System\xBWslNS.exe | N/A |
| N/A | N/A | C:\Windows\System\ijnFSfW.exe | N/A |
| N/A | N/A | C:\Windows\System\aYNEBdE.exe | N/A |
| N/A | N/A | C:\Windows\System\XgffJxT.exe | N/A |
| N/A | N/A | C:\Windows\System\hTaXfGq.exe | N/A |
| N/A | N/A | C:\Windows\System\maOQgwR.exe | N/A |
| N/A | N/A | C:\Windows\System\ostxXlA.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\FuhUpub.exe | C:\Windows\System\FuhUpub.exe |
| C:\Windows\System\JRGjtZw.exe | C:\Windows\System\JRGjtZw.exe |
| C:\Windows\System\gxWyPGB.exe | C:\Windows\System\gxWyPGB.exe |
| C:\Windows\System\sjCwBXt.exe | C:\Windows\System\sjCwBXt.exe |
| C:\Windows\System\ybeuwjh.exe | C:\Windows\System\ybeuwjh.exe |
| C:\Windows\System\zCtlhRN.exe | C:\Windows\System\zCtlhRN.exe |
| C:\Windows\System\jvHntHS.exe | C:\Windows\System\jvHntHS.exe |
| C:\Windows\System\jkwrxkP.exe | C:\Windows\System\jkwrxkP.exe |
| C:\Windows\System\cGsoKFR.exe | C:\Windows\System\cGsoKFR.exe |
| C:\Windows\System\vWqAorH.exe | C:\Windows\System\vWqAorH.exe |
| C:\Windows\System\xlEPEAP.exe | C:\Windows\System\xlEPEAP.exe |
| C:\Windows\System\xCMXfsp.exe | C:\Windows\System\xCMXfsp.exe |
| C:\Windows\System\bxFLcOc.exe | C:\Windows\System\bxFLcOc.exe |
| C:\Windows\System\lMQaDdJ.exe | C:\Windows\System\lMQaDdJ.exe |
| C:\Windows\System\xBWslNS.exe | C:\Windows\System\xBWslNS.exe |
| C:\Windows\System\ijnFSfW.exe | C:\Windows\System\ijnFSfW.exe |
| C:\Windows\System\aYNEBdE.exe | C:\Windows\System\aYNEBdE.exe |
| C:\Windows\System\XgffJxT.exe | C:\Windows\System\XgffJxT.exe |
| C:\Windows\System\hTaXfGq.exe | C:\Windows\System\hTaXfGq.exe |
| C:\Windows\System\maOQgwR.exe | C:\Windows\System\maOQgwR.exe |
| C:\Windows\System\ostxXlA.exe | C:\Windows\System\ostxXlA.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-07 21:46
Reported
2024-08-07 21:49
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System\FuhUpub.exe | N/A |
| N/A | N/A | C:\Windows\System\JRGjtZw.exe | N/A |
| N/A | N/A | C:\Windows\System\sjCwBXt.exe | N/A |
| N/A | N/A | C:\Windows\System\gxWyPGB.exe | N/A |
| N/A | N/A | C:\Windows\System\ybeuwjh.exe | N/A |
| N/A | N/A | C:\Windows\System\zCtlhRN.exe | N/A |
| N/A | N/A | C:\Windows\System\jkwrxkP.exe | N/A |
| N/A | N/A | C:\Windows\System\jvHntHS.exe | N/A |
| N/A | N/A | C:\Windows\System\cGsoKFR.exe | N/A |
| N/A | N/A | C:\Windows\System\vWqAorH.exe | N/A |
| N/A | N/A | C:\Windows\System\xlEPEAP.exe | N/A |
| N/A | N/A | C:\Windows\System\xCMXfsp.exe | N/A |
| N/A | N/A | C:\Windows\System\bxFLcOc.exe | N/A |
| N/A | N/A | C:\Windows\System\lMQaDdJ.exe | N/A |
| N/A | N/A | C:\Windows\System\xBWslNS.exe | N/A |
| N/A | N/A | C:\Windows\System\ijnFSfW.exe | N/A |
| N/A | N/A | C:\Windows\System\aYNEBdE.exe | N/A |
| N/A | N/A | C:\Windows\System\XgffJxT.exe | N/A |
| N/A | N/A | C:\Windows\System\hTaXfGq.exe | N/A |
| N/A | N/A | C:\Windows\System\maOQgwR.exe | N/A |
| N/A | N/A | C:\Windows\System\ostxXlA.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-07_f46369adc3525bf2078d9202b855753d_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\FuhUpub.exe | C:\Windows\System\FuhUpub.exe |
| C:\Windows\System\JRGjtZw.exe | C:\Windows\System\JRGjtZw.exe |
| C:\Windows\System\gxWyPGB.exe | C:\Windows\System\gxWyPGB.exe |
| C:\Windows\System\sjCwBXt.exe | C:\Windows\System\sjCwBXt.exe |
| C:\Windows\System\ybeuwjh.exe | C:\Windows\System\ybeuwjh.exe |
| C:\Windows\System\zCtlhRN.exe | C:\Windows\System\zCtlhRN.exe |
| C:\Windows\System\jvHntHS.exe | C:\Windows\System\jvHntHS.exe |
| C:\Windows\System\jkwrxkP.exe | C:\Windows\System\jkwrxkP.exe |
| C:\Windows\System\cGsoKFR.exe | C:\Windows\System\cGsoKFR.exe |
| C:\Windows\System\vWqAorH.exe | C:\Windows\System\vWqAorH.exe |
| C:\Windows\System\xlEPEAP.exe | C:\Windows\System\xlEPEAP.exe |
| C:\Windows\System\xCMXfsp.exe | C:\Windows\System\xCMXfsp.exe |
| C:\Windows\System\bxFLcOc.exe | C:\Windows\System\bxFLcOc.exe |
| C:\Windows\System\lMQaDdJ.exe | C:\Windows\System\lMQaDdJ.exe |
| C:\Windows\System\xBWslNS.exe | C:\Windows\System\xBWslNS.exe |
| C:\Windows\System\ijnFSfW.exe | C:\Windows\System\ijnFSfW.exe |
| C:\Windows\System\aYNEBdE.exe | C:\Windows\System\aYNEBdE.exe |
| C:\Windows\System\XgffJxT.exe | C:\Windows\System\XgffJxT.exe |
| C:\Windows\System\hTaXfGq.exe | C:\Windows\System\hTaXfGq.exe |
| C:\Windows\System\maOQgwR.exe | C:\Windows\System\maOQgwR.exe |
| C:\Windows\System\ostxXlA.exe | C:\Windows\System\ostxXlA.exe |
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 44.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
| SHA512 | 8cd4c0f53a5bd1d4d9087fdd00d20c6b998cba5ea3c0e8c42c61a8560f0f6b04981a9acf2b450c06334af5ea2c7bd49a3a019457a74585b5222da7274be5b880 |
memory/4452-122-0x00007FF65F580000-0x00007FF65F8D4000-memory.dmp
memory/4856-108-0x00007FF77D330000-0x00007FF77D684000-memory.dmp
C:\Windows\System\ostxXlA.exe
| MD5 | 0b31011328c580e0ab3744004ad1a6f0 |
| SHA1 | 954484f68964b24608053e677410a68b0ebc9b45 |
| SHA256 | b77df57dc87a1969de8f93391c6baba23c12e53a62886846acf6d33539f55e05 |
| SHA512 | 91b2f90def507932c6dc8882abd140eeb6712b945546693fe016593ba0f673114c4e60d28ae729ec15a5bd3b1ea62eb7bacd19e45ae32dd03060991dd39236a8 |
memory/2272-127-0x00007FF62E260000-0x00007FF62E5B4000-memory.dmp
memory/4528-128-0x00007FF77A7C0000-0x00007FF77AB14000-memory.dmp
memory/1404-129-0x00007FF783080000-0x00007FF7833D4000-memory.dmp
memory/412-130-0x00007FF7D8CB0000-0x00007FF7D9004000-memory.dmp
memory/3688-131-0x00007FF6F36A0000-0x00007FF6F39F4000-memory.dmp
memory/1008-132-0x00007FF6359B0000-0x00007FF635D04000-memory.dmp
memory/4656-133-0x00007FF709170000-0x00007FF7094C4000-memory.dmp
memory/4856-134-0x00007FF77D330000-0x00007FF77D684000-memory.dmp
memory/1404-135-0x00007FF783080000-0x00007FF7833D4000-memory.dmp
memory/412-136-0x00007FF7D8CB0000-0x00007FF7D9004000-memory.dmp
memory/3136-137-0x00007FF7D47C0000-0x00007FF7D4B14000-memory.dmp
memory/1008-138-0x00007FF6359B0000-0x00007FF635D04000-memory.dmp
memory/4980-139-0x00007FF7F5D20000-0x00007FF7F6074000-memory.dmp
memory/3100-141-0x00007FF62DCD0000-0x00007FF62E024000-memory.dmp
memory/3688-142-0x00007FF6F36A0000-0x00007FF6F39F4000-memory.dmp
memory/4656-143-0x00007FF709170000-0x00007FF7094C4000-memory.dmp
memory/3536-140-0x00007FF6D3600000-0x00007FF6D3954000-memory.dmp
memory/4512-144-0x00007FF71F500000-0x00007FF71F854000-memory.dmp
memory/1992-148-0x00007FF70B4B0000-0x00007FF70B804000-memory.dmp
memory/3552-147-0x00007FF704AA0000-0x00007FF704DF4000-memory.dmp
memory/3384-146-0x00007FF615F40000-0x00007FF616294000-memory.dmp
memory/3668-145-0x00007FF797F40000-0x00007FF798294000-memory.dmp
memory/1728-149-0x00007FF60AD80000-0x00007FF60B0D4000-memory.dmp
memory/3952-150-0x00007FF6FC1B0000-0x00007FF6FC504000-memory.dmp
memory/756-151-0x00007FF6FA590000-0x00007FF6FA8E4000-memory.dmp
memory/4856-152-0x00007FF77D330000-0x00007FF77D684000-memory.dmp
memory/3836-153-0x00007FF6FF0E0000-0x00007FF6FF434000-memory.dmp
memory/4452-154-0x00007FF65F580000-0x00007FF65F8D4000-memory.dmp
memory/2272-155-0x00007FF62E260000-0x00007FF62E5B4000-memory.dmp