Analysis Overview
SHA256
d20a561983c4c7ab6b25e5f043686600ab197b2cc9082b6516940b1ca9acea31
Threat Level: Known bad
The file 2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobaltstrike
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-13 11:51
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 11:51
Reported
2024-08-13 11:54
Platform
win7-20240729-en
Max time kernel
141s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\VuyyHRY.exe | N/A |
| N/A | N/A | C:\Windows\System\JGliWmB.exe | N/A |
| N/A | N/A | C:\Windows\System\vzvRUDJ.exe | N/A |
| N/A | N/A | C:\Windows\System\NJwckaq.exe | N/A |
| N/A | N/A | C:\Windows\System\FCCzUJZ.exe | N/A |
| N/A | N/A | C:\Windows\System\nhsdoPz.exe | N/A |
| N/A | N/A | C:\Windows\System\PQvLBXQ.exe | N/A |
| N/A | N/A | C:\Windows\System\yKaAMEY.exe | N/A |
| N/A | N/A | C:\Windows\System\qvFhcZm.exe | N/A |
| N/A | N/A | C:\Windows\System\heHiCmu.exe | N/A |
| N/A | N/A | C:\Windows\System\jDQJEmd.exe | N/A |
| N/A | N/A | C:\Windows\System\THnYrzq.exe | N/A |
| N/A | N/A | C:\Windows\System\UWWtRzU.exe | N/A |
| N/A | N/A | C:\Windows\System\edtwlSA.exe | N/A |
| N/A | N/A | C:\Windows\System\DBYQJUd.exe | N/A |
| N/A | N/A | C:\Windows\System\Mvvdmxl.exe | N/A |
| N/A | N/A | C:\Windows\System\ZwhGzav.exe | N/A |
| N/A | N/A | C:\Windows\System\nCKcKvQ.exe | N/A |
| N/A | N/A | C:\Windows\System\PEWrAVu.exe | N/A |
| N/A | N/A | C:\Windows\System\oNnkLuE.exe | N/A |
| N/A | N/A | C:\Windows\System\wSsTCqk.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\VuyyHRY.exe
C:\Windows\System\VuyyHRY.exe
C:\Windows\System\JGliWmB.exe
C:\Windows\System\JGliWmB.exe
C:\Windows\System\vzvRUDJ.exe
C:\Windows\System\vzvRUDJ.exe
C:\Windows\System\NJwckaq.exe
C:\Windows\System\NJwckaq.exe
C:\Windows\System\FCCzUJZ.exe
C:\Windows\System\FCCzUJZ.exe
C:\Windows\System\nhsdoPz.exe
C:\Windows\System\nhsdoPz.exe
C:\Windows\System\PQvLBXQ.exe
C:\Windows\System\PQvLBXQ.exe
C:\Windows\System\yKaAMEY.exe
C:\Windows\System\yKaAMEY.exe
C:\Windows\System\qvFhcZm.exe
C:\Windows\System\qvFhcZm.exe
C:\Windows\System\jDQJEmd.exe
C:\Windows\System\jDQJEmd.exe
C:\Windows\System\heHiCmu.exe
C:\Windows\System\heHiCmu.exe
C:\Windows\System\THnYrzq.exe
C:\Windows\System\THnYrzq.exe
C:\Windows\System\UWWtRzU.exe
C:\Windows\System\UWWtRzU.exe
C:\Windows\System\edtwlSA.exe
C:\Windows\System\edtwlSA.exe
C:\Windows\System\DBYQJUd.exe
C:\Windows\System\DBYQJUd.exe
C:\Windows\System\Mvvdmxl.exe
C:\Windows\System\Mvvdmxl.exe
C:\Windows\System\ZwhGzav.exe
C:\Windows\System\ZwhGzav.exe
C:\Windows\System\nCKcKvQ.exe
C:\Windows\System\nCKcKvQ.exe
C:\Windows\System\PEWrAVu.exe
C:\Windows\System\PEWrAVu.exe
C:\Windows\System\wSsTCqk.exe
C:\Windows\System\wSsTCqk.exe
C:\Windows\System\oNnkLuE.exe
C:\Windows\System\oNnkLuE.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1724-0-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/1724-1-0x000000013F880000-0x000000013FBD1000-memory.dmp
C:\Windows\system\VuyyHRY.exe
| MD5 | 0895d5e87058333082e50fcadbded578 |
| SHA1 | af6767a1a1b7729e25602a19cdee2af2e13a8943 |
| SHA256 | 3a5a25e7f799614579f91484bd9373a9f0f586ed60ea38173579f880da7745dd |
| SHA512 | 6ed7b15fbc659905c64e5cb24ec581d5d668c3660714300b96da2726c1a3058d31d823773840483d10144857c81911297c67c02888a62d64bacbbaf85045d66c |
memory/1004-9-0x000000013F440000-0x000000013F791000-memory.dmp
memory/1724-8-0x000000013F440000-0x000000013F791000-memory.dmp
memory/1724-13-0x000000013F2B0000-0x000000013F601000-memory.dmp
memory/2572-15-0x000000013F2B0000-0x000000013F601000-memory.dmp
C:\Windows\system\JGliWmB.exe
| MD5 | 864e6f681ad1ffa8d2412e2d6b8a1237 |
| SHA1 | 27232655b52b660663bfac04c2b309a1bf0cfcf4 |
| SHA256 | 7934bc0f0fe862dfc9aaac07ad67dd7b293783083f0c2eae51c01e3d3b614e6d |
| SHA512 | a09333f63363b87b568cf9992ed3ec7c9ffba41820c6220c1331ed9ce8923e646a8222f5abe218c3a2a8798ade622f31ba79dc40f13694214e89ec918ede99ea |
\Windows\system\vzvRUDJ.exe
| MD5 | 79864d22f26357ce54839f4844cc22be |
| SHA1 | 9931fe3dfd9ec1a2edbc323a099d8bed453270ec |
| SHA256 | 312e447aea5aefa7dd0aec91f2c0fce1a17f716163210fbc5f9f83aa3557eb88 |
| SHA512 | f9eeee51ea2e3b6f1fb3d6b80379bea2c34e5e6ff502f6fdc519cf47f4e7a90c51a9bf2dbe154fa5bb705f66816d821f0514d34602722f11ea3f9035974c3556 |
memory/1724-17-0x00000000022C0000-0x0000000002611000-memory.dmp
memory/1284-22-0x000000013F7D0000-0x000000013FB21000-memory.dmp
C:\Windows\system\NJwckaq.exe
| MD5 | e76b4892bf906e45658c73a887217b0e |
| SHA1 | 309e3976edda8e872eb3a59cf5eb4b5ab146733e |
| SHA256 | 6ac6ae00060db8dc8aa139dbc5ed72abc7510d5b19ca1b82f73a255cc121d7a2 |
| SHA512 | 3452357eabc5825ca4183e4d7b41b817cb69292c2d723d7e6385354961621be4cb4d366c3f936c9c04cf0b83958dc2f0cd30788d1c2d17bd730110a863357cbb |
memory/2444-35-0x000000013F880000-0x000000013FBD1000-memory.dmp
memory/2768-40-0x000000013F120000-0x000000013F471000-memory.dmp
memory/1724-46-0x000000013F880000-0x000000013FBD1000-memory.dmp
C:\Windows\system\PQvLBXQ.exe
| MD5 | 920680001fd539e32ff422bd40912113 |
| SHA1 | 4cbad9eb9c18999e8bc3946fb9bc027842f58a53 |
| SHA256 | e907448ceb275197fac8d788b9c167db5aea356537f186d15c145a4609c35312 |
| SHA512 | 0f5503dd24f5e9b30236f4c4ebedd822e44cd36cd87da5f2a73c3df74a6618047678dd4331636c9d102d688585ff2b201f7f6cdfd19f642ce31c91e1acc35a10 |
memory/1724-57-0x000000013F2B0000-0x000000013F601000-memory.dmp
\Windows\system\jDQJEmd.exe
| MD5 | e58fa42418b4ba3d340e3308ae17cd6f |
| SHA1 | 039c5b7d66d7942e09883d3718b5a940482f3427 |
| SHA256 | 78112a3e6469feced4ee7d81e01eedd55eb46365dfad9de5e8251c7e7ea41bab |
| SHA512 | c63135a0d9594fbc9fa7ed3780bcd125399c59b6de469e695db0bde8cdee9e6ef611fa8353def67e3dbee704b52c4409215f8dd017651444f89f863e7cae9eb7 |
\Windows\system\THnYrzq.exe
| MD5 | ba3290eb3ef882efc07df0770e25979f |
| SHA1 | f068f9f7596af4d2e5c1e94ea575e313985a6e45 |
| SHA256 | 99f5eb87cb410a76b932d09dbd87db15c3e0e55a1880de2fef4a0bd374dec792 |
| SHA512 | 36857cae14543f76611dcf39e68ba320a88382dd7035f4b98658252a1fab764df5baacd54b7a031be422b19bb80b96d94505b1ddca567937ad77e1f710c5c0c2 |
C:\Windows\system\UWWtRzU.exe
| MD5 | f1220da14fedc0b886da562614c8a412 |
| SHA1 | 8ab8613f059097d73c07b87904a9dc4a65ca3eb5 |
| SHA256 | 2429cdd8c1f528957e83874db05112ff5af48bb3f605e3feb1cd471a3b9ad1aa |
| SHA512 | db0a6d07ea7b63bc5630767fd6275d3cd12cd629320f922b5e011b66b4e753c15602201ab96e550b5709cd88745630d6b5fa86116dde86cdc0b9e1fb9b62168e |
memory/2172-91-0x000000013FFD0000-0x0000000140321000-memory.dmp
C:\Windows\system\DBYQJUd.exe
| MD5 | 51f85f9a7846154619b8042baf63dd77 |
| SHA1 | 136db2694d0d57c3d6ed32d0ed51868baf5ee860 |
| SHA256 | a714576a2f1ea364df5586deab9d67f794dde70883d378bfbfcaf3960e236f29 |
| SHA512 | 8ed7e05444a4bca6263491618981aeb068f07afc3b4c927b75beccdd1d28e86155822ef1c397d9ddf4d19870e41bd93e23e3b6b40fbc2be1cc466ec41988ddbd |
memory/2840-110-0x000000013F790000-0x000000013FAE1000-memory.dmp
C:\Windows\system\oNnkLuE.exe
| MD5 | 818ad38e5d8c1326b4bb36677b001ed2 |
| SHA1 | 640586995d8361fd402092beb46cfa7c0e0ab0b1 |
| SHA256 | e9354970960cc1efdab242c56cfdb6f2863f0632af6c78efdb1866befa08ca99 |
| SHA512 | b08bbbaf930eb2ef8908fd51bfb043702ebce3a0a200379273925a11b30cf11d79dd1ec5392f21c0c3123fade74b1dae8d975532ac269d487e148ef5bbef8d8d |
\Windows\system\wSsTCqk.exe
| MD5 | c9b6b35bc1a3f32f6d13c20e0f5f731a |
| SHA1 | 8dd26b9a0e1c163a54cc54b4ae2972bf760fe761 |
| SHA256 | 91997c90936e87aed537d3b1abe51d33d4619f96c0d78a7c2b570b8c8e449588 |
| SHA512 | ca5932df231b83a9657d9ea9ecab99eb5b530d02ceec1afcb97d31ec08ec1ebda6425d1b101d8cf95dab1332e0121f5ddf7a06f366cba48b1de7b0587f4d1a70 |
C:\Windows\system\nCKcKvQ.exe
| MD5 | bfb8441723e923ba5695c19ab1057013 |
| SHA1 | dc8e6a8c99dbb8e320b86bc9f7c9f7b23d4b9658 |
| SHA256 | f1d63fd138b6eeebe282eb1ddcfc9cc63e0645de4a3f9701babb8ff48fcc0265 |
| SHA512 | a3de0f91d823f259839579602c5703bc1e4f1857744b5efc34d82c1b1295fd9333527bf72752af373a0c94ed1704d52fd711ce3dc894a411d4e0d434b96b5a69 |
C:\Windows\system\Mvvdmxl.exe
| MD5 | 5fb2c39b4672e2d973c0bdc9dcce2a0e |
| SHA1 | f5114067318aa599f7fa52b9f94c2372347223ac |
| SHA256 | 2a506a602e7c15377c2791903ebebffd9b7061dee9c2b6ddbf9ef9153dbd0b8e |
| SHA512 | f83b6f3eef9eb2ed2ac8302b85fc21df375d6e7ed2f8738d8fd5077b43001fef1c3a5107f0e736d0703833bb2e795cd1e60e1e9e11985c97e5f84918d53d0018 |
C:\Windows\system\PEWrAVu.exe
| MD5 | 4c7088cb7c56d110ddbbf7426bf30f8e |
| SHA1 | 9897cd224b1bce2145cc5731f4fb674791e34e62 |
| SHA256 | a80e6ce95e06dbe49c43b6e2de72969fc5b9b743679854b60611629a11889168 |
| SHA512 | 02ac2bd8930dbfb49727c889dd05d302afba9db0b2982948dfb86806a150fb5182a8a9e1f2fabc5cefedf0d93ff7fe707edb8e06162f7a175b0c4e554fc8e4c2 |
C:\Windows\system\ZwhGzav.exe
| MD5 | 72d00262355b5541e8485fccca3984ae |
| SHA1 | 693ad467abda44d6bd7baefbe3c8bc59e16a1701 |
| SHA256 | 3e7f736e4747c275aef321c9e690725697a44ddf78f8a530549bc2b1aa58538b |
| SHA512 | 116f5ca44465596e78a52a1ae9149344c9dff638de43226fec8863af0d0da51c00f1b43a18fe2d7424da65e35f48745146ddfa66dbb00af0d1cca94c4e2ef95d |
memory/1764-99-0x000000013FA40000-0x000000013FD91000-memory.dmp
memory/1724-98-0x00000000022C0000-0x0000000002611000-memory.dmp
memory/2768-97-0x000000013F120000-0x000000013F471000-memory.dmp
memory/2444-96-0x000000013F880000-0x000000013FBD1000-memory.dmp
C:\Windows\system\edtwlSA.exe
| MD5 | 3c39722b8c6eeac0e9576215dcea5c9e |
| SHA1 | 42a8100ab751eb735702f97914b64a164089373b |
| SHA256 | 6cc9ac2a689a26efaa7f4aa8aac26840b3ec4edeee15deb720d2d3e46501577f |
| SHA512 | b776649896640904d66aec34f20098ee5ff4ad2d81b1d8002719613022fb2e6a28bf7f279b9f57774c09c67c4a654056bb6d36faa48dc55119ad8051a3e6f145 |
memory/1724-90-0x000000013FFD0000-0x0000000140321000-memory.dmp
memory/2136-85-0x000000013F600000-0x000000013F951000-memory.dmp
memory/1724-83-0x00000000022C0000-0x0000000002611000-memory.dmp
memory/2780-82-0x000000013FC40000-0x000000013FF91000-memory.dmp
memory/2572-68-0x000000013F2B0000-0x000000013F601000-memory.dmp
memory/2624-77-0x000000013F9E0000-0x000000013FD31000-memory.dmp
memory/1724-76-0x00000000022C0000-0x0000000002611000-memory.dmp
memory/1060-58-0x000000013FAF0000-0x000000013FE41000-memory.dmp
C:\Windows\system\heHiCmu.exe
| MD5 | da22b0c195749ad4926e2fd35cdd0b4a |
| SHA1 | 57699324acd5fbb1caf76c958023ecc71751f6fa |
| SHA256 | eb4ec967d7d7f333745fd1edd32e4839737b5e34e41d07ecba7339d1007dbe80 |
| SHA512 | a02e254c815549033bc276de8a635e561b03da599c2276c03ed51bfff1320e44a60df1818a7e7f3b5ee5a95214baf0edd2732aee74bb6bbad5aa730c1ddfda83 |
memory/1724-74-0x000000013FC40000-0x000000013FF91000-memory.dmp
memory/2644-73-0x000000013F350000-0x000000013F6A1000-memory.dmp
memory/1724-72-0x000000013F350000-0x000000013F6A1000-memory.dmp
C:\Windows\system\qvFhcZm.exe
| MD5 | fb434e22726971e87a97aa0b3d723b37 |
| SHA1 | a4a61add8cd025259a14022a52192413f8242c4c |
| SHA256 | 1f985205b06332043cfb1b022a2c63b1713efcc48f672cf39ede4eaf3626ec03 |
| SHA512 | 2e3ebfa47653325a1bbdd5224cc17391d320cc324fa5bae2238e258e302df9d392f75cb6347fe80af4273bd1406cee58b77fe19def1369ab47c8ae1b9393f086 |
C:\Windows\system\yKaAMEY.exe
| MD5 | 7f70f0925a90f415ad6fff6dc4bb758c |
| SHA1 | 930a7c213bd70768ead4a418a2980ab5e09e08c9 |
| SHA256 | a60571908d7ed0bbe163ee93ee024a7d12385febe887742f740300226a007263 |
| SHA512 | ad7dd19597bc886c15f87b9397dfdf79b9e9316d5b875b95719fcec656947246c2536737b525b40377669b57bb707c5edaa784d205953fd7bad68a732aa5509a |
memory/1724-52-0x00000000022C0000-0x0000000002611000-memory.dmp
memory/2840-50-0x000000013F790000-0x000000013FAE1000-memory.dmp
memory/1724-39-0x000000013F120000-0x000000013F471000-memory.dmp
C:\Windows\system\nhsdoPz.exe
| MD5 | 671675705005fc706780d2f7bf4db180 |
| SHA1 | 480eb913309d81fbdf64fe977e860818240441be |
| SHA256 | 6e7c180a0bae068a572d56ff752f5954dde214fec7f4c0a016f7d416f617cf98 |
| SHA512 | e378743de4e76eadfb5ffc5290cc2c0ed0a6bf732e935794b01e36e8225ca152d034b9992d84f261a6d9c9201d4528959e343e577d71f235cd9347ec450bf32f |
C:\Windows\system\FCCzUJZ.exe
| MD5 | 14af74318a26af11e4ecd79ebc587d19 |
| SHA1 | d16fbcbb97f560915ac09122e2c73ea63807f7dc |
| SHA256 | de6f6b13558c52f1c6429e84a7698de951cc97c95d8a76efb8b2665cc74cb894 |
| SHA512 | 47fcdab8555aa470e27fcbc7c25dd4ae015339622297b1c8180bf0662b0c8cdc7499112547675559f588cb9b7d6df1eb92b14d9618add362eeffebf51a937e7a |
memory/1724-31-0x00000000022C0000-0x0000000002611000-memory.dmp
memory/1632-29-0x000000013F8C0000-0x000000013FC11000-memory.dmp
memory/1724-28-0x00000000022C0000-0x0000000002611000-memory.dmp
memory/1724-140-0x00000000022C0000-0x0000000002611000-memory.dmp
memory/1060-141-0x000000013FAF0000-0x000000013FE41000-memory.dmp
memory/1724-142-0x000000013F880000-0x000000013FBD1000-memory.dmp
memory/2780-152-0x000000013FC40000-0x000000013FF91000-memory.dmp
memory/2136-154-0x000000013F600000-0x000000013F951000-memory.dmp
memory/2624-153-0x000000013F9E0000-0x000000013FD31000-memory.dmp
memory/824-160-0x000000013F2B0000-0x000000013F601000-memory.dmp
memory/2172-155-0x000000013FFD0000-0x0000000140321000-memory.dmp
memory/1724-164-0x00000000022C0000-0x0000000002611000-memory.dmp
memory/380-163-0x000000013FC00000-0x000000013FF51000-memory.dmp
memory/2932-162-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/1204-161-0x000000013FFE0000-0x0000000140331000-memory.dmp
memory/2860-159-0x000000013FBD0000-0x000000013FF21000-memory.dmp
memory/2456-158-0x000000013F190000-0x000000013F4E1000-memory.dmp
memory/2216-157-0x000000013FC00000-0x000000013FF51000-memory.dmp
memory/1764-156-0x000000013FA40000-0x000000013FD91000-memory.dmp
memory/1724-165-0x000000013F880000-0x000000013FBD1000-memory.dmp
memory/1724-171-0x000000013FFD0000-0x0000000140321000-memory.dmp
memory/1004-212-0x000000013F440000-0x000000013F791000-memory.dmp
memory/1284-214-0x000000013F7D0000-0x000000013FB21000-memory.dmp
memory/1632-216-0x000000013F8C0000-0x000000013FC11000-memory.dmp
memory/2572-218-0x000000013F2B0000-0x000000013F601000-memory.dmp
memory/2444-220-0x000000013F880000-0x000000013FBD1000-memory.dmp
memory/2840-227-0x000000013F790000-0x000000013FAE1000-memory.dmp
memory/2644-243-0x000000013F350000-0x000000013F6A1000-memory.dmp
memory/1060-241-0x000000013FAF0000-0x000000013FE41000-memory.dmp
memory/2768-223-0x000000013F120000-0x000000013F471000-memory.dmp
memory/2172-246-0x000000013FFD0000-0x0000000140321000-memory.dmp
memory/2624-247-0x000000013F9E0000-0x000000013FD31000-memory.dmp
memory/1764-251-0x000000013FA40000-0x000000013FD91000-memory.dmp
memory/2780-249-0x000000013FC40000-0x000000013FF91000-memory.dmp
memory/2136-258-0x000000013F600000-0x000000013F951000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 11:51
Reported
2024-08-13 11:54
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\YeSdZsR.exe | N/A |
| N/A | N/A | C:\Windows\System\WpeiYVq.exe | N/A |
| N/A | N/A | C:\Windows\System\erfwdVN.exe | N/A |
| N/A | N/A | C:\Windows\System\vRinFKk.exe | N/A |
| N/A | N/A | C:\Windows\System\VdzupqU.exe | N/A |
| N/A | N/A | C:\Windows\System\yyXRCxL.exe | N/A |
| N/A | N/A | C:\Windows\System\ZBsvtNZ.exe | N/A |
| N/A | N/A | C:\Windows\System\QZMwROu.exe | N/A |
| N/A | N/A | C:\Windows\System\kgEwIrg.exe | N/A |
| N/A | N/A | C:\Windows\System\veiRNyy.exe | N/A |
| N/A | N/A | C:\Windows\System\Dynzphp.exe | N/A |
| N/A | N/A | C:\Windows\System\TZjOfhZ.exe | N/A |
| N/A | N/A | C:\Windows\System\aWuNtEG.exe | N/A |
| N/A | N/A | C:\Windows\System\GjzbrxW.exe | N/A |
| N/A | N/A | C:\Windows\System\ChJOMiF.exe | N/A |
| N/A | N/A | C:\Windows\System\VTkiCYg.exe | N/A |
| N/A | N/A | C:\Windows\System\pwnpdva.exe | N/A |
| N/A | N/A | C:\Windows\System\kzhcSLW.exe | N/A |
| N/A | N/A | C:\Windows\System\AlOEzoL.exe | N/A |
| N/A | N/A | C:\Windows\System\LCZxyno.exe | N/A |
| N/A | N/A | C:\Windows\System\zGvHLFV.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-13_6f0513bd1a812158dda4001e413e6d97_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\YeSdZsR.exe
C:\Windows\System\YeSdZsR.exe
C:\Windows\System\WpeiYVq.exe
C:\Windows\System\WpeiYVq.exe
C:\Windows\System\erfwdVN.exe
C:\Windows\System\erfwdVN.exe
C:\Windows\System\vRinFKk.exe
C:\Windows\System\vRinFKk.exe
C:\Windows\System\VdzupqU.exe
C:\Windows\System\VdzupqU.exe
C:\Windows\System\yyXRCxL.exe
C:\Windows\System\yyXRCxL.exe
C:\Windows\System\ZBsvtNZ.exe
C:\Windows\System\ZBsvtNZ.exe
C:\Windows\System\QZMwROu.exe
C:\Windows\System\QZMwROu.exe
C:\Windows\System\kgEwIrg.exe
C:\Windows\System\kgEwIrg.exe
C:\Windows\System\veiRNyy.exe
C:\Windows\System\veiRNyy.exe
C:\Windows\System\Dynzphp.exe
C:\Windows\System\Dynzphp.exe
C:\Windows\System\TZjOfhZ.exe
C:\Windows\System\TZjOfhZ.exe
C:\Windows\System\aWuNtEG.exe
C:\Windows\System\aWuNtEG.exe
C:\Windows\System\GjzbrxW.exe
C:\Windows\System\GjzbrxW.exe
C:\Windows\System\ChJOMiF.exe
C:\Windows\System\ChJOMiF.exe
C:\Windows\System\VTkiCYg.exe
C:\Windows\System\VTkiCYg.exe
C:\Windows\System\pwnpdva.exe
C:\Windows\System\pwnpdva.exe
C:\Windows\System\kzhcSLW.exe
C:\Windows\System\kzhcSLW.exe
C:\Windows\System\AlOEzoL.exe
C:\Windows\System\AlOEzoL.exe
C:\Windows\System\LCZxyno.exe
C:\Windows\System\LCZxyno.exe
C:\Windows\System\zGvHLFV.exe
C:\Windows\System\zGvHLFV.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2388-0-0x00007FF7F0F30000-0x00007FF7F1281000-memory.dmp
memory/2388-1-0x0000020E72F10000-0x0000020E72F20000-memory.dmp
C:\Windows\System\YeSdZsR.exe
| MD5 | a64646c9e1ba10b94b529e95b521ede3 |
| SHA1 | 31fe13189d7ee2def1a119d59c30f26a484397e0 |
| SHA256 | c20862b5be2fb45b524473e5b0bdedcbc400fa277c87474e9b6d53c8b5d32fe3 |
| SHA512 | 4602f25f53fbadb81fcad9fe696a28763d3f978e1f680837ac37c7ea781339110d5020b45548874a54fc286af8987dc0a63378ae3f80c7413a7c3640b8d54839 |
memory/2784-8-0x00007FF6F1FC0000-0x00007FF6F2311000-memory.dmp
C:\Windows\System\WpeiYVq.exe
| MD5 | ff739484bcab299ce9b9f544981ac630 |
| SHA1 | 329d7427e9ef84a5a3dc78f72d87d88f84e98686 |
| SHA256 | 26387a34799c9fe4f8e05e4aae01d14c068e789c9894fbf60cdec7234e82d646 |
| SHA512 | 99e038e0bab695e193349b65191b52d82b8a066c233c75abaeeba6c778c237fdbf1119d3b3bb0f739ee8349b616e1b35d03268723b39b4ee01f2465be54e26e5 |
C:\Windows\System\erfwdVN.exe
| MD5 | f05f55965642ba8d9e37dbfe68515609 |
| SHA1 | 5e4a87e7589a8ed9ebbbc40003478c8578e8a875 |
| SHA256 | b62b647e77f4262009d1a06b4f124f614a400ce6bc7d07c032d8e74c5a75c577 |
| SHA512 | 634e5576b6dade86a8cf3c85135e0d4cb083fd806536e0b203526076bfe90775c2a5f089546a38edf8a1adc5990b05ce3a757e9cc37846c06ad91b6b7cf580b0 |
C:\Windows\System\vRinFKk.exe
| MD5 | 8796be25808dae19f783456654954d63 |
| SHA1 | c96763c5a0da672b866682cf08075a70ba46d2d7 |
| SHA256 | 41abf91a65750cb0b0265467c4e84b202152efdbb6639d93b7eabf95c7a3ba05 |
| SHA512 | fe02f382cdf83388639225f2a6ca6854539cc717c4ee002f6a571d30b101f92de80c1aecb1960f4d76158e1b3a3cd7cf3e081fe2649e5d3829d05cbb5d274630 |
C:\Windows\System\VdzupqU.exe
| MD5 | b8987ae7d8d260a207d9d5f5d7cb0d44 |
| SHA1 | a031346430ebfdf271fe8e7f89a3cd574ae2e13b |
| SHA256 | fe721a47625508953ca3351f462302d02bab47cd58fd6d545622d1ad41cf3705 |
| SHA512 | b74e084fd7f7464dfa41042441516e1c79496a5610d9b211be661811a452ab38c56796f9de485bf4b415d0edd8388bd75ab6b03bf1828ce9919df844b90bbec3 |
memory/4780-31-0x00007FF685600000-0x00007FF685951000-memory.dmp
memory/408-24-0x00007FF7C6A10000-0x00007FF7C6D61000-memory.dmp
memory/2400-21-0x00007FF72CE60000-0x00007FF72D1B1000-memory.dmp
memory/3520-13-0x00007FF7FF360000-0x00007FF7FF6B1000-memory.dmp
C:\Windows\System\yyXRCxL.exe
| MD5 | 442e52750c55d00d0710d7f0086dcf52 |
| SHA1 | 34e93c8babb3ab253f47ade192c5de15258bb65a |
| SHA256 | ac0c41f7a5d9cadfa6a789fed38147988f0e4875c881cd0a7373a0d851660c58 |
| SHA512 | 0b240ee92695dbb8c2c6615e6ca86ea2728ce8120c01e45aa593c7fb8da7119091c0ea28dea244ea8639f16b777b1871dacc4995ff1c0c554b006680dbc64a96 |
memory/1148-38-0x00007FF6B8F30000-0x00007FF6B9281000-memory.dmp
C:\Windows\System\ZBsvtNZ.exe
| MD5 | 32fc3a7fd13fa164afe18a7c9384dfa3 |
| SHA1 | 16399d7fb1fa7e0cabdd488939073eb738c2596e |
| SHA256 | 9402e7b0950f1cce6dd36734d9622b831ff85939fdb4a8388e117bfa7837268d |
| SHA512 | 7e6255a66190574b43d9d4fa443d22490fc15a13e764df803ee39be2eff1d8c7328c17c2d582ceaf857468409859edf4088c6b285e91714b9dcc949a6baba12a |
C:\Windows\System\QZMwROu.exe
| MD5 | 818b225947a8b0d92ffabded390be04f |
| SHA1 | 6f3a5741af5c535fc900786eea57974ded4900d3 |
| SHA256 | f1e41629957953ecf0e2c716b30fd46105c4344f5a8f0f3f5d069f1c578cc83b |
| SHA512 | f42936d7749a5821540065a19b13a33091e47258faab0bf457aeb6c015d95769f56b4116aaf241619b37e0dc7b10fd77c9c7ea56fcb28f89928192314ad04f73 |
memory/1724-53-0x00007FF672100000-0x00007FF672451000-memory.dmp
C:\Windows\System\veiRNyy.exe
| MD5 | 9645d3112ec9dde78370d9d8c0b8b6b0 |
| SHA1 | fc87f19cc91a8aae0f1e32ea56e08cba29758ab2 |
| SHA256 | 60941f6d21878a3c609cb631d626cfd0aadc1a1ac38fb50da021926d177e8aec |
| SHA512 | ec87a8320425ed3b1eef9774768c1f671423ad3a8ecefdd2ee3a0ba19fee7ff2bb6fd1de013a58db7c70df0af510fa98dc6e7072177cf33b0597056ce41e1380 |
C:\Windows\System\kgEwIrg.exe
| MD5 | c13ce50c59766d6b7321b1ec3dd9afcb |
| SHA1 | 5bbb59e57d15bd433e7f9ea61fc3d2c225786ca8 |
| SHA256 | 78e33940b889de28b138451b9a89aa51e07fc5893bfd814bfa25e35bb236dffe |
| SHA512 | 4305318481f35c0934fddf637b7b84c82998475af06ac7ec500e705a4ca45d2c4c88ada9685b01e51366074cb0a00970539cf3794f44059f74ea86fc5407ebb9 |
C:\Windows\System\TZjOfhZ.exe
| MD5 | c4d6b7ed58383a6a562327451edf5235 |
| SHA1 | 8f65be5d69ade8c7d347342a1a45f374d922413b |
| SHA256 | bc6dc68a7d824ffaf5c6a2f514ed4aa45611533063004ef50b42decb39e7202e |
| SHA512 | 949eb657202c2a16c4ca8d4af2b9302e37d58825af8616b98c5ee93bcb4262666e0987aae5dc04c0c5a17e727aaf4234be1d833d5db97549104708ef3d449cc7 |
C:\Windows\System\Dynzphp.exe
| MD5 | 4e1a700fbe1aa7de215da340da1a2927 |
| SHA1 | 996403fe5c12834ab201d2c9f93064ac7ea22d04 |
| SHA256 | cf92cba612aa8ad39ae9106551c8b4d91aa5bd2125e4d4da27632cfe031988ab |
| SHA512 | 17b9dbf6ade3abea11fc69fb462de7e10c011254e95ea12a614734e369d4323bb735c424833b7f61c3198ed1b519a8052141f46cfdd80939b56eba8588091859 |
C:\Windows\System\aWuNtEG.exe
| MD5 | 779144dccb59311e3aa05ee08b904ecb |
| SHA1 | 6b913d15d952813a6b6e03c31938bb0807009a0d |
| SHA256 | 150a124e34b7398994bee722d1325966f42df9ad5b8c46eb24913a6901124c0d |
| SHA512 | 836195271218a75b606cae86dab263148882c4cc25b65d42f340e2ff0a41b35e996c740879d43c1fe729001f4e597b61659b18c24f4af296be643d2c02ecd9d2 |
C:\Windows\System\ChJOMiF.exe
| MD5 | 356103dc5095f914abfb52320ee85621 |
| SHA1 | e57136ddbd0883de524fb9f7709122a86635a569 |
| SHA256 | ebd6c6b524542325d28f86f00c2fdb239887e2664dd0703caecef69a330fc264 |
| SHA512 | 72ab0111b4617a45225d268847ec5e2660a64e0050c2f70786783fc8d9fc49bddf084cd8552156ac4bf87e2af00641362112645be4e15cf794a956ccad70bdb0 |
C:\Windows\System\pwnpdva.exe
| MD5 | 41ef0c14d661f99af9379f26b68af983 |
| SHA1 | 29b20980de01b3e1b63c90855c2e20b292ca1977 |
| SHA256 | 54b40105de2e2605c70691cfee73f405eb1b3f022aca0d7d89ae4ce72449aaab |
| SHA512 | b76493ffc912b49015e47a57db026fa1d0b3b03d0737b95aca9f25886c713e2a13375a1461538e4235dcf5a098f24554dbaba345d614102eb2e7c5b4e882c3a3 |
C:\Windows\System\kzhcSLW.exe
| MD5 | 2c372040d905f7ce202e19722940e708 |
| SHA1 | 57eb91cc27640dba35667b69b4dc3c00b3f601ec |
| SHA256 | 323ddf1d6909f867254fa312d88f29493ff02787e4e7f7a476339e3cf517f281 |
| SHA512 | 643417429f23c21e4310de00107648a92940b10bc3df519b0b271ca4646474a0ceae10edb574e7b384bf0f5a4bbe7d827921e93225b4a7f58138649713517d36 |
C:\Windows\System\AlOEzoL.exe
| MD5 | 4f56c46d69ecabe2677f4409df2faf39 |
| SHA1 | cafa69fa3a68e89f7639d9491cef89bdca4acb6a |
| SHA256 | 60d0764a3f988e57feaf71f287d616c686c244e5b212fa58b0cfd31d4f222027 |
| SHA512 | 56ed3eb8bd1ee88237f162a2cc48f5d611c3eddf2d866c91cab1469d6a75db4140332efd16641ed9e845028f691e93fe40bc39101abe80032f9752a08b947cd8 |
C:\Windows\System\LCZxyno.exe
| MD5 | c0fdb42342f97197c3c610cce4d77941 |
| SHA1 | 9fc7b616ae48f2a1b309ea34e7f8967857f0ab3e |
| SHA256 | 559341b989da7f991f8d537d41c35947e21585f76a29d057d8c1474f2e755b2c |
| SHA512 | 3395731f3fcc06cbddf822a857b57a5541e37e6dbebb2703a98861cca067356c44f2b65a7d7037eba1ac841c480a98bd805a181affcba0bfacd61810c6246901 |
C:\Windows\System\zGvHLFV.exe
| MD5 | 506160db51fed148f4654358fb8144a1 |
| SHA1 | ffeaa0911206870b62ba7e846f00ff9703333dae |
| SHA256 | 844503ff4d9fda49c693c5761216381ab678772be8fc686604b9f022b23b539e |
| SHA512 | ee796eb265c04aa9c2d093d216e921c91ced9bf6d92f8f0f957bf298bddff07db247232d146b6c6cc3d3dd271e3d57434d7c02a71f2e4fd585bbc64db58bf9c1 |
C:\Windows\System\VTkiCYg.exe
| MD5 | be881284107e2269c4c168d2033f95df |
| SHA1 | 656eb3dd7620e73e3157ee8eaf1b441c32f66691 |
| SHA256 | 05953cd1d3fbbb79a3c0d66ceb7ced24f08ac414ef337ce1b52bf0b47f96d19d |
| SHA512 | cfd6ec5bb7bbe57507208ed6ed93f3b9be3b1008b270822e4e26c1f4176a0493a2a11302e8f8f3eb23ca001ff748f43fa2fbfaf434907a438b98a72953f0abc2 |
C:\Windows\System\GjzbrxW.exe
| MD5 | b3fd5121b83adf888e33e9003e8198c6 |
| SHA1 | 015ffb1bf46230e1cda16f5629ba937836e0272e |
| SHA256 | 5dc169e2f08001478d3fa2f40ad527b0b14d820fef812d76a1e3b152774c3150 |
| SHA512 | c50612345b65a2823d7ea7b14144c8a85619363a841178d89566fb441d3959580465a68d9f9eb3dc37d4915a30a1b127e7fa9a64b5d82dd6c108262ae84b3cc4 |