Analysis Overview
SHA256
90ca6d20112814eb280944bab62157a9e254d0777f19947d057188cf54677899
Threat Level: Known bad
The file 2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Cobaltstrike family
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-12 00:50
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-12 00:50
Reported
2024-08-12 00:52
Platform
win7-20240729-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\sCjkxMW.exe | N/A |
| N/A | N/A | C:\Windows\System\CQwedQF.exe | N/A |
| N/A | N/A | C:\Windows\System\pBvDIwh.exe | N/A |
| N/A | N/A | C:\Windows\System\ObkLxnr.exe | N/A |
| N/A | N/A | C:\Windows\System\CzQilXc.exe | N/A |
| N/A | N/A | C:\Windows\System\jlsnRzE.exe | N/A |
| N/A | N/A | C:\Windows\System\pptoQZK.exe | N/A |
| N/A | N/A | C:\Windows\System\wlLcHgf.exe | N/A |
| N/A | N/A | C:\Windows\System\HzMSXIp.exe | N/A |
| N/A | N/A | C:\Windows\System\DxmUwLd.exe | N/A |
| N/A | N/A | C:\Windows\System\fpNaByN.exe | N/A |
| N/A | N/A | C:\Windows\System\ZPsTwPa.exe | N/A |
| N/A | N/A | C:\Windows\System\VcPyHho.exe | N/A |
| N/A | N/A | C:\Windows\System\oSdhbRv.exe | N/A |
| N/A | N/A | C:\Windows\System\kpeyWLl.exe | N/A |
| N/A | N/A | C:\Windows\System\KylzsZU.exe | N/A |
| N/A | N/A | C:\Windows\System\aBkOifW.exe | N/A |
| N/A | N/A | C:\Windows\System\bYfoYVF.exe | N/A |
| N/A | N/A | C:\Windows\System\HRghQoL.exe | N/A |
| N/A | N/A | C:\Windows\System\zBrFPEw.exe | N/A |
| N/A | N/A | C:\Windows\System\FshksHn.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\sCjkxMW.exe
C:\Windows\System\sCjkxMW.exe
C:\Windows\System\CQwedQF.exe
C:\Windows\System\CQwedQF.exe
C:\Windows\System\pBvDIwh.exe
C:\Windows\System\pBvDIwh.exe
C:\Windows\System\ObkLxnr.exe
C:\Windows\System\ObkLxnr.exe
C:\Windows\System\CzQilXc.exe
C:\Windows\System\CzQilXc.exe
C:\Windows\System\jlsnRzE.exe
C:\Windows\System\jlsnRzE.exe
C:\Windows\System\pptoQZK.exe
C:\Windows\System\pptoQZK.exe
C:\Windows\System\wlLcHgf.exe
C:\Windows\System\wlLcHgf.exe
C:\Windows\System\HzMSXIp.exe
C:\Windows\System\HzMSXIp.exe
C:\Windows\System\DxmUwLd.exe
C:\Windows\System\DxmUwLd.exe
C:\Windows\System\fpNaByN.exe
C:\Windows\System\fpNaByN.exe
C:\Windows\System\ZPsTwPa.exe
C:\Windows\System\ZPsTwPa.exe
C:\Windows\System\VcPyHho.exe
C:\Windows\System\VcPyHho.exe
C:\Windows\System\oSdhbRv.exe
C:\Windows\System\oSdhbRv.exe
C:\Windows\System\kpeyWLl.exe
C:\Windows\System\kpeyWLl.exe
C:\Windows\System\KylzsZU.exe
C:\Windows\System\KylzsZU.exe
C:\Windows\System\aBkOifW.exe
C:\Windows\System\aBkOifW.exe
C:\Windows\System\bYfoYVF.exe
C:\Windows\System\bYfoYVF.exe
C:\Windows\System\HRghQoL.exe
C:\Windows\System\HRghQoL.exe
C:\Windows\System\zBrFPEw.exe
C:\Windows\System\zBrFPEw.exe
C:\Windows\System\FshksHn.exe
C:\Windows\System\FshksHn.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-12 00:50
Reported
2024-08-12 00:52
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\vnLPQmP.exe | N/A |
| N/A | N/A | C:\Windows\System\Ozpefsu.exe | N/A |
| N/A | N/A | C:\Windows\System\YtfiZHk.exe | N/A |
| N/A | N/A | C:\Windows\System\wbWdSXd.exe | N/A |
| N/A | N/A | C:\Windows\System\aaNdGwW.exe | N/A |
| N/A | N/A | C:\Windows\System\lDXbfZQ.exe | N/A |
| N/A | N/A | C:\Windows\System\zSrRJPT.exe | N/A |
| N/A | N/A | C:\Windows\System\PtwYEiB.exe | N/A |
| N/A | N/A | C:\Windows\System\JjEiDir.exe | N/A |
| N/A | N/A | C:\Windows\System\PYDcFPG.exe | N/A |
| N/A | N/A | C:\Windows\System\BBuzolH.exe | N/A |
| N/A | N/A | C:\Windows\System\ZpoCcxJ.exe | N/A |
| N/A | N/A | C:\Windows\System\blfKjni.exe | N/A |
| N/A | N/A | C:\Windows\System\QXjMhwK.exe | N/A |
| N/A | N/A | C:\Windows\System\jVOwaRV.exe | N/A |
| N/A | N/A | C:\Windows\System\TWaDIIP.exe | N/A |
| N/A | N/A | C:\Windows\System\rCqxEAB.exe | N/A |
| N/A | N/A | C:\Windows\System\YVBoguS.exe | N/A |
| N/A | N/A | C:\Windows\System\szguHPl.exe | N/A |
| N/A | N/A | C:\Windows\System\OmZjMBB.exe | N/A |
| N/A | N/A | C:\Windows\System\QmpzsSE.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-12_4605264a69af115d165879739221e9e3_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\vnLPQmP.exe
C:\Windows\System\vnLPQmP.exe
C:\Windows\System\Ozpefsu.exe
C:\Windows\System\Ozpefsu.exe
C:\Windows\System\YtfiZHk.exe
C:\Windows\System\YtfiZHk.exe
C:\Windows\System\wbWdSXd.exe
C:\Windows\System\wbWdSXd.exe
C:\Windows\System\aaNdGwW.exe
C:\Windows\System\aaNdGwW.exe
C:\Windows\System\lDXbfZQ.exe
C:\Windows\System\lDXbfZQ.exe
C:\Windows\System\zSrRJPT.exe
C:\Windows\System\zSrRJPT.exe
C:\Windows\System\PtwYEiB.exe
C:\Windows\System\PtwYEiB.exe
C:\Windows\System\JjEiDir.exe
C:\Windows\System\JjEiDir.exe
C:\Windows\System\PYDcFPG.exe
C:\Windows\System\PYDcFPG.exe
C:\Windows\System\BBuzolH.exe
C:\Windows\System\BBuzolH.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3996,i,1729213506309163284,12809566808978835441,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:8
C:\Windows\System\ZpoCcxJ.exe
C:\Windows\System\ZpoCcxJ.exe
C:\Windows\System\blfKjni.exe
C:\Windows\System\blfKjni.exe
C:\Windows\System\QXjMhwK.exe
C:\Windows\System\QXjMhwK.exe
C:\Windows\System\jVOwaRV.exe
C:\Windows\System\jVOwaRV.exe
C:\Windows\System\TWaDIIP.exe
C:\Windows\System\TWaDIIP.exe
C:\Windows\System\rCqxEAB.exe
C:\Windows\System\rCqxEAB.exe
C:\Windows\System\YVBoguS.exe
C:\Windows\System\YVBoguS.exe
C:\Windows\System\szguHPl.exe
C:\Windows\System\szguHPl.exe
C:\Windows\System\OmZjMBB.exe
C:\Windows\System\OmZjMBB.exe
C:\Windows\System\QmpzsSE.exe
C:\Windows\System\QmpzsSE.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
| SHA256 | a1f26fe3e4e168b3340a410968dd72537d70745f78ed8a7c583d6c2da627c451 |
| SHA512 | c7b07e3ec93f51b4f50c2320be52911700890f3215896af7779c17c442c23f346625f91f5759c13758d559fd5d01a5f11b14d53dcdd91a0fd213bf7eabbe75a9 |
memory/1380-82-0x00007FF734D20000-0x00007FF735074000-memory.dmp
memory/1176-81-0x00007FF7D11B0000-0x00007FF7D1504000-memory.dmp
C:\Windows\System\jVOwaRV.exe
| MD5 | 8e2496eead3d947020f282fe8dc4cd63 |
| SHA1 | 83525f5737d4a660157d4dbf4fe6e7530fd6339b |
| SHA256 | 4347daeb7a0b8ae9f9e23f2294c5874b7c3c743c1363c5e9700120b795e50a2e |
| SHA512 | c0f11ba1f64397f24cb011c7d746fe25fb2d985896350c354341a4199203e492f5ed69787658500392b97f6e09077345e380b5bdf977e267f84fafe5533c413c |
memory/5088-93-0x00007FF66CC40000-0x00007FF66CF94000-memory.dmp
C:\Windows\System\TWaDIIP.exe
| MD5 | 609578d245363731b2307b1d075347bb |
| SHA1 | 8c9bf267cbf33b3e171f5f5abff3de2fd90a57bc |
| SHA256 | 37fb57334add9ba6ae7eabd033d4ce81c3faefa164d3d1023b0bfa1caf9f98cc |
| SHA512 | d4c51b37db62b57bac81b6fbe87c035b1bf7179c977fde6b2e71902f2bdcb93e16d9f3ba69f52079021a12dcb5d2dfab4d99fed428ff465fd5643b65221646be |
memory/3688-102-0x00007FF7F4590000-0x00007FF7F48E4000-memory.dmp
memory/680-97-0x00007FF6274E0000-0x00007FF627834000-memory.dmp
memory/3964-92-0x00007FF67D210000-0x00007FF67D564000-memory.dmp
memory/2728-90-0x00007FF7B2D90000-0x00007FF7B30E4000-memory.dmp
C:\Windows\System\rCqxEAB.exe
| MD5 | b851b71d25cf21e054fe2589f4f848be |
| SHA1 | a2a7137d2bde21942ad4c02ec1b5ad0c9504a6ea |
| SHA256 | 3e96190f016f0823bd592d9085acbb78f318ff4f71f20b3a58139711301a49b3 |
| SHA512 | e7cbde311dd5dffbd9e73aeafbc2dba81d9e69b7affc6d50249945b72a8667623ee73bdeedbd3cb9a77135f2f992c4e635ab5fa262ade0a9c8bac0d04ec1fc9d |
memory/1872-110-0x00007FF7C3B40000-0x00007FF7C3E94000-memory.dmp
memory/5012-108-0x00007FF78E3C0000-0x00007FF78E714000-memory.dmp
C:\Windows\System\YVBoguS.exe
| MD5 | ead7436efdb3a742780c87eeb74e6bec |
| SHA1 | 2171209000cff12a83a71edc39599738f251c7a5 |
| SHA256 | fd89af8c2451ca75e245bf0a34ba52c371a11ffb1f030c9cd73f0ecc867f58fc |
| SHA512 | 8dc85769f4b32cc777b5856d9964e8168a99ec40a6360e02e8489497c93a070f90818c7d53ac72b848fb5e999ac617fcc0bc218c9529c06bc56d789c2174b708 |
C:\Windows\System\OmZjMBB.exe
| MD5 | d579ac8f7fde51391c101cf68bb8f1a7 |
| SHA1 | b0204387c03a572385d83db2f06fdb199515d5f9 |
| SHA256 | cb8bdd075da76c3b7d3969974b8d0145eb073f202c487789dcec227f3672b551 |
| SHA512 | 886056ef92739d2959dfa1c6388ed817a0c884039d5c3c31a2b2b37a1d062212a71992c9cfde11be8d578e2fd9fa6f17405fad65bd716bf5ee9cc71229614bf7 |
memory/1572-125-0x00007FF624700000-0x00007FF624A54000-memory.dmp
C:\Windows\System\QmpzsSE.exe
| MD5 | 3e735f8c16c19067691f4f3bd3ad2b65 |
| SHA1 | 601a7d7c4d360a7c45ee20e05874eec7152efd13 |
| SHA256 | 84dc9f50d004f463a59cd5a982abaf711fe3fad700d153279648f1750855a70d |
| SHA512 | 3d8fd53f8485df45c40356441e8293508e52d39ada2af8c7e6b6112ce2ec9c9bcff8cfc46d77ecebbc5da52f7e81ff906005aa9c62b183efde2b4edf0d3a61f5 |
memory/1740-133-0x00007FF6936E0000-0x00007FF693A34000-memory.dmp
memory/3376-134-0x00007FF6D6A60000-0x00007FF6D6DB4000-memory.dmp
C:\Windows\System\szguHPl.exe
| MD5 | 754cfc0bd9a3cbfe9d9f3f1dedf962c9 |
| SHA1 | a89e48e2ca01ad7517ec486ad51d3495d99fdb32 |
| SHA256 | 439bf6ab34e5da7cc557b4fba83652eac856100abad6420aac546d0a8c3daf5b |
| SHA512 | 66bb63694ecea926d45a713c3a7cc7783db80a55d4b1fd673ba7b7d47ce84077880b3f44df3214c29922bf1a12dc3442f807c57623cbb946c261cf757a2f205d |
memory/3088-126-0x00007FF7133C0000-0x00007FF713714000-memory.dmp
memory/3740-123-0x00007FF60EAF0000-0x00007FF60EE44000-memory.dmp
memory/4440-119-0x00007FF797520000-0x00007FF797874000-memory.dmp
memory/2884-135-0x00007FF748B20000-0x00007FF748E74000-memory.dmp
memory/5088-136-0x00007FF66CC40000-0x00007FF66CF94000-memory.dmp
memory/1572-137-0x00007FF624700000-0x00007FF624A54000-memory.dmp
memory/3088-138-0x00007FF7133C0000-0x00007FF713714000-memory.dmp
memory/1176-139-0x00007FF7D11B0000-0x00007FF7D1504000-memory.dmp
memory/1380-140-0x00007FF734D20000-0x00007FF735074000-memory.dmp
memory/3040-141-0x00007FF6A0A80000-0x00007FF6A0DD4000-memory.dmp
memory/680-142-0x00007FF6274E0000-0x00007FF627834000-memory.dmp
memory/5012-143-0x00007FF78E3C0000-0x00007FF78E714000-memory.dmp
memory/4064-144-0x00007FF7D6C90000-0x00007FF7D6FE4000-memory.dmp
memory/3740-145-0x00007FF60EAF0000-0x00007FF60EE44000-memory.dmp
memory/1740-147-0x00007FF6936E0000-0x00007FF693A34000-memory.dmp
memory/1280-146-0x00007FF7A68F0000-0x00007FF7A6C44000-memory.dmp
memory/1144-148-0x00007FF7C8890000-0x00007FF7C8BE4000-memory.dmp
memory/2884-149-0x00007FF748B20000-0x00007FF748E74000-memory.dmp
memory/2372-150-0x00007FF6B53D0000-0x00007FF6B5724000-memory.dmp
memory/2728-151-0x00007FF7B2D90000-0x00007FF7B30E4000-memory.dmp
memory/3964-152-0x00007FF67D210000-0x00007FF67D564000-memory.dmp
memory/3688-153-0x00007FF7F4590000-0x00007FF7F48E4000-memory.dmp
memory/5088-154-0x00007FF66CC40000-0x00007FF66CF94000-memory.dmp
memory/1872-155-0x00007FF7C3B40000-0x00007FF7C3E94000-memory.dmp
memory/4440-156-0x00007FF797520000-0x00007FF797874000-memory.dmp
memory/1572-158-0x00007FF624700000-0x00007FF624A54000-memory.dmp
memory/3376-157-0x00007FF6D6A60000-0x00007FF6D6DB4000-memory.dmp
memory/3088-159-0x00007FF7133C0000-0x00007FF713714000-memory.dmp