Analysis Overview
SHA256
adf076728ddc0e5cf38abf623659ae147a59d622ba6042734548073eb36eb102
Threat Level: Known bad
The file 2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Cobaltstrike
Cobaltstrike family
Cobalt Strike reflective loader
Xmrig family
xmrig
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-13 11:59
Signatures
Cobalt Strike reflective loader
1 indicator reported; description, indicator, process and target fields are all N/A.
Cobaltstrike family
XMRig Miner payload
1 indicator reported; description, indicator, process and target fields are all N/A.
Xmrig family
UPX packed file
1 indicator reported; description, indicator, process and target fields are all N/A.
Unsigned PE
2 indicators reported; description, indicator, process and target fields are all N/A.
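The static1 pass above flags the sample as UPX-packed and unsigned and identifies its payloads by hash. The script below is an added example, not the sandbox's own code, that reproduces those three checks with only the Python standard library: it hashes a file, matches the SHA256 against the dropped-file set taken from this report's Files section, looks for the default UPX section names, and reads the Authenticode (security) data directory. The PE image it builds in memory is constructed for the demo and is not one of the reported files; the IOC set is a subset, and all function and constant names are this example's own.

```python
"""Static triage checks matching the static1 signatures in this report.

Added example (not the sandbox's own code): hashes a PE, matches the SHA256 against the
dropped-file set from this report, flags a UPX section layout and flags a missing
Authenticode directory. The PE image used in __main__ is constructed in memory for the
demo; it is not one of the real samples.
"""
import hashlib
import struct

# Subset of the dropped-file SHA256 values listed under Files in this report; extend with
# the remaining entries from the same section as needed.
DROPPED_SHA256 = {
    "111cfd80165710cc18fc268178e6c353ec00334b7fc1c145a5dcb41d09fcac95",  # cTVQVUS.exe
    "27eff5905196158bd3daecdb39c2e4038eedba75f5854825139d736045f1b528",  # RFbrkdy.exe
    "86e345bb528bf39e3e2b1fc8576af1a263132b03f990883c7815aa4daa733749",  # rODwLxb.exe
    "9116f7dd82b621ed5d55e328399703262120f5e1b05af893c5130a0079465e7f",  # UHXTSur.exe
    "3602f1f38ac32fbd2c95ce788ecce504f57e35780427897e174c08820ffe5dc1",  # MLCPKbp.exe
    "edc18c397373208216130c39f1449e7399d122df9ec4d94ce15955f92fb9ecca",  # LSOjtLS.exe
}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4               # Authenticode certificate table
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}  # default names; a renamed UPX build evades this


def parse_pe(data: bytes) -> dict:
    """Return section names and the security data directory (offset, size) of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:        # PE32+: data directories start at optional header + 112
        dd = opt + 112
    elif magic == 0x10B:      # PE32: data directories start at optional header + 96
        dd = opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = struct.unpack_from("<I", data, dd - 4)[0]   # NumberOfRvaAndSizes
    sec_off = sec_size = 0
    if n_dirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_off, sec_size = struct.unpack_from("<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    first_section = opt + opt_size
    names = [struct.unpack_from("<8s", data, first_section + 40 * i)[0].rstrip(b"\0")
             for i in range(nsections)]
    return {"machine": machine, "sections": names, "security_dir": (sec_off, sec_size)}


def triage(data: bytes, iocs=DROPPED_SHA256) -> dict:
    """Reproduce the report's static verdicts for one file: IOC match, UPX, unsigned."""
    digests = {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256", "sha512")}
    pe = parse_pe(data)
    return {
        "hashes": digests,
        "known_dropped_file": digests["sha256"] in iocs,
        "upx_sections": any(n in UPX_SECTION_NAMES for n in pe["sections"]),
        # No embedded WIN_CERTIFICATE. Catalog-signed OS files also show this, so it is a weak
        # signal on its own; for a freshly dropped binary in C:\Windows\System it is expected.
        "unsigned_pe": pe["security_dir"][1] == 0,
        "sections": [n.decode("ascii", "replace") for n in pe["sections"]],
    }


def build_test_pe(section_names, signed: bool) -> bytes:
    """Construct a minimal PE32+ header-only image for the demo (constructed, not a real sample)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 112 + 16 * 8  # PE32+ optional header with all 16 data directories
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)
    dirs = [(0, 0)] * 16
    if signed:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (0x1000, 0x800)  # file offset/size of the cert table
    opt += b"".join(struct.pack("<II", off, size) for off, size in dirs)
    sections = b"".join(struct.pack("<8s", n) + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + opt + sections


if __name__ == "__main__":
    sample = build_test_pe([b"UPX0", b"UPX1", b".rsrc"], signed=False)
    for key, value in triage(sample).items():
        print(f"{key}: {value}")
```

Run it against a real dropped file with `triage(open(path, "rb").read())`; the hash set is the authoritative match, the UPX and signature checks are the heuristics that let you triage the other 20 payloads without waiting for a detonation.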
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 11:59
Reported
2024-08-13 12:02
Platform
win7-20240705-en
Max time kernel
140s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
21 indicators reported; description, indicator, process and target fields are all N/A.
Cobaltstrike
xmrig
XMRig Miner payload
39 indicators reported; description, indicator, process and target fields are all N/A.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\cTVQVUS.exe | N/A |
| N/A | N/A | C:\Windows\System\RFbrkdy.exe | N/A |
| N/A | N/A | C:\Windows\System\rODwLxb.exe | N/A |
| N/A | N/A | C:\Windows\System\UHXTSur.exe | N/A |
| N/A | N/A | C:\Windows\System\MLCPKbp.exe | N/A |
| N/A | N/A | C:\Windows\System\dAhWWgU.exe | N/A |
| N/A | N/A | C:\Windows\System\UfrNVhJ.exe | N/A |
| N/A | N/A | C:\Windows\System\RErTTXC.exe | N/A |
| N/A | N/A | C:\Windows\System\gvdxgXO.exe | N/A |
| N/A | N/A | C:\Windows\System\RKDgBfH.exe | N/A |
| N/A | N/A | C:\Windows\System\QqzzqoX.exe | N/A |
| N/A | N/A | C:\Windows\System\aUsrkKb.exe | N/A |
| N/A | N/A | C:\Windows\System\uzSHrlQ.exe | N/A |
| N/A | N/A | C:\Windows\System\PNGAbMs.exe | N/A |
| N/A | N/A | C:\Windows\System\LhwdWks.exe | N/A |
| N/A | N/A | C:\Windows\System\VkwWxhT.exe | N/A |
| N/A | N/A | C:\Windows\System\FFueDxL.exe | N/A |
| N/A | N/A | C:\Windows\System\ocCdYDg.exe | N/A |
| N/A | N/A | C:\Windows\System\EuFwBsw.exe | N/A |
| N/A | N/A | C:\Windows\System\ChVPPZS.exe | N/A |
| N/A | N/A | C:\Windows\System\LSOjtLS.exe | N/A |
Loads dropped DLL
UPX packed file
62 indicators reported; description, indicator, process and target fields are all N/A.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\cTVQVUS.exe
C:\Windows\System\cTVQVUS.exe
C:\Windows\System\RFbrkdy.exe
C:\Windows\System\RFbrkdy.exe
C:\Windows\System\rODwLxb.exe
C:\Windows\System\rODwLxb.exe
C:\Windows\System\UHXTSur.exe
C:\Windows\System\UHXTSur.exe
C:\Windows\System\MLCPKbp.exe
C:\Windows\System\MLCPKbp.exe
C:\Windows\System\RErTTXC.exe
C:\Windows\System\RErTTXC.exe
C:\Windows\System\dAhWWgU.exe
C:\Windows\System\dAhWWgU.exe
C:\Windows\System\RKDgBfH.exe
C:\Windows\System\RKDgBfH.exe
C:\Windows\System\UfrNVhJ.exe
C:\Windows\System\UfrNVhJ.exe
C:\Windows\System\QqzzqoX.exe
C:\Windows\System\QqzzqoX.exe
C:\Windows\System\gvdxgXO.exe
C:\Windows\System\gvdxgXO.exe
C:\Windows\System\aUsrkKb.exe
C:\Windows\System\aUsrkKb.exe
C:\Windows\System\uzSHrlQ.exe
C:\Windows\System\uzSHrlQ.exe
C:\Windows\System\PNGAbMs.exe
C:\Windows\System\PNGAbMs.exe
C:\Windows\System\LhwdWks.exe
C:\Windows\System\LhwdWks.exe
C:\Windows\System\VkwWxhT.exe
C:\Windows\System\VkwWxhT.exe
C:\Windows\System\FFueDxL.exe
C:\Windows\System\FFueDxL.exe
C:\Windows\System\ocCdYDg.exe
C:\Windows\System\ocCdYDg.exe
C:\Windows\System\EuFwBsw.exe
C:\Windows\System\EuFwBsw.exe
C:\Windows\System\ChVPPZS.exe
C:\Windows\System\ChVPPZS.exe
C:\Windows\System\LSOjtLS.exe
C:\Windows\System\LSOjtLS.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
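The behaviour recorded in this run (a dropper under %TEMP%, seven-letter executables written to and launched from C:\Windows\System, SeLockMemoryPrivilege adjustments, repeated TCP sessions to 3.120.209.58:8080) is what an endpoint detection should correlate rather than alert on piecewise. The script below is an added example, not part of this report, that applies one rule per indicator and then alerts only when several rules fire inside the same process tree. The event records, their field names (type, pid, ppid, image, path, privilege, dst_ip, dst_port) and the PIDs are constructed for the example; the PIDs echo the memory dump names in this run, but the events are not captured telemetry.

```python
r"""Process-tree correlation for the behaviour in this report.

Added example (not the sandbox's own logic). Events are constructed to mirror the report:
a dropper in %TEMP%, 7-letter EXEs written to and executed from C:\Windows\System,
SeLockMemoryPrivilege, and TCP to 3.120.209.58:8080. The dict keys are hypothetical
Sysmon-style field names; map them to your own telemetry.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Indicators taken from this report.
C2_ENDPOINTS = {("3.120.209.58", 8080)}
LARGE_PAGE_PRIVILEGE = "SeLockMemoryPrivilege"  # XMRig requests this for huge pages
# Payload naming: seven letters + .exe directly under C:\Windows\System (not System32).
# That directory is normally near-empty, so any new executable there is worth a look.
DROPPED_EXE_RE = re.compile(r"^[a-z]:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def evaluate(events):
    """Apply the per-event rules; return (findings, pid -> ppid map of observed processes)."""
    parent_of = {}
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            parent_of[ev["pid"]] = ev["ppid"]
            if DROPPED_EXE_RE.match(ev["image"]):
                findings.append(Finding("exec_from_windows_system", ev["pid"], ev["image"]))
        elif kind == "file_create" and DROPPED_EXE_RE.match(ev["path"]):
            findings.append(Finding("drop_into_windows_system", ev["pid"], ev["path"]))
        elif kind == "privilege_adjust" and ev["privilege"] == LARGE_PAGE_PRIVILEGE:
            # Legitimately used by database servers with "Lock pages in memory"; never alert on it alone.
            findings.append(Finding("lock_memory_privilege", ev["pid"], ev["privilege"]))
        elif kind == "network_connect" and (ev["dst_ip"], ev["dst_port"]) in C2_ENDPOINTS:
            findings.append(Finding("known_c2_endpoint", ev["pid"], f"{ev['dst_ip']}:{ev['dst_port']}"))
    return findings, parent_of


def root_pid(pid, parent_of):
    """Walk up to the oldest observed ancestor (the dropper), guarding against pid-reuse loops."""
    seen = set()
    while pid not in seen and parent_of.get(pid) in parent_of:
        seen.add(pid)
        pid = parent_of[pid]
    return pid


def correlate(events, min_rules=2):
    """Alert per process tree only when at least min_rules distinct rules fired inside it."""
    findings, parent_of = evaluate(events)
    rules_by_root = defaultdict(set)
    for f in findings:
        rules_by_root[root_pid(f.pid, parent_of)].add(f.rule)
    return {root: sorted(rules) for root, rules in rules_by_root.items() if len(rules) >= min_rules}


# Constructed telemetry (PIDs chosen to echo the report's memory dumps; not captured events).
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2988, "ppid": 1000, "image": DROPPER},
    {"type": "privilege_adjust", "pid": 2988, "privilege": "SeLockMemoryPrivilege"},
    {"type": "file_create", "pid": 2988, "path": r"C:\Windows\System\cTVQVUS.exe"},
    {"type": "process_create", "pid": 1320, "ppid": 2988, "image": r"C:\Windows\System\cTVQVUS.exe"},
    {"type": "file_create", "pid": 2988, "path": r"C:\Windows\System\RFbrkdy.exe"},
    {"type": "process_create", "pid": 1192, "ppid": 2988, "image": r"C:\Windows\System\RFbrkdy.exe"},
    {"type": "network_connect", "pid": 2988, "dst_ip": "3.120.209.58", "dst_port": 8080, "proto": "tcp"},
    # Benign controls: an unrelated process, background traffic, and a lone lock-pages privilege use.
    {"type": "process_create", "pid": 4444, "ppid": 700, "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "network_connect", "pid": 4444, "dst_ip": "204.79.197.237", "dst_port": 443, "proto": "tcp"},
    {"type": "privilege_adjust", "pid": 5555, "privilege": "SeLockMemoryPrivilege"},
]

if __name__ == "__main__":
    for root, rules in correlate(SAMPLE_EVENTS).items():
        print(f"process tree rooted at pid {root}: {', '.join(rules)}")
```

The same four conditions translate directly into Sigma or EDR queries; the tree-level threshold is what keeps a database server's legitimate Lock Pages in Memory use, or a single stray file in C:\Windows\System, from paging anyone on its own, while the dropper tree in this run trips all four.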
Files
memory/2988-0-0x000000013FE30000-0x0000000140181000-memory.dmp
memory/2988-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\cTVQVUS.exe
| MD5 | ecf9ed2f46c976d3256f616d1abb7560 |
| SHA1 | 2398a12ca5b8d0efd6398b5cffca4a84e745056b |
| SHA256 | 111cfd80165710cc18fc268178e6c353ec00334b7fc1c145a5dcb41d09fcac95 |
| SHA512 | 85523b51fe9c950be48e3e13c18aef5829f15488c6031a83abb3ced472666021b0b46aea9619091898fd55a12c3d61b23213b3ae9ccbcdb59b4048febf8d3b87 |
\Windows\system\RFbrkdy.exe
| MD5 | 61d5165ada89e2de42a027fbf0e7460a |
| SHA1 | c478903d5815d5dff18c1438ba24678914e45754 |
| SHA256 | 27eff5905196158bd3daecdb39c2e4038eedba75f5854825139d736045f1b528 |
| SHA512 | c01fcc7b7960665ef89f19180b655aa926204b997b6d826cbc0060ac022a628154e5cdd79271ed2e664a854ed9ac4c2d188c4d494c5af02655fb476c9160609e |
\Windows\system\UfrNVhJ.exe
| MD5 | 3cca4cc473b7e1fee792cdf0113311b8 |
| SHA1 | 33ee9ac7f830787a412f5c7f642165bed64a499c |
| SHA256 | e61463aca450338e6eee3024ec09f9458c4d7fb83646434a874df482cf493799 |
| SHA512 | 91af1545e7362908430f103b3ca2707c6ef850b54f1d28c0e2a18c47ce24457acf15938eaf537a9a59a74d01c9391bb498fe64565416050fceba196e47ec1eed |
\Windows\system\dAhWWgU.exe
| MD5 | 3eced770f6cb05ba9b0eb798209d8759 |
| SHA1 | b5916790cbb6d1f5c1b87c9d9068c043231b206f |
| SHA256 | d09f858103ac80dc88dfb1bb8051bc5d8e8c8f455329757919112937975580f2 |
| SHA512 | d5a7d8fbb593e9362774ac379184841e1ec2ddf83b4720cd2b17ba9ed3c5a3969931691be6508bf898dc299b449d199f5b8e613867188fbc3b8ffa0a77350cc7 |
memory/1192-24-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
\Windows\system\MLCPKbp.exe
| MD5 | 881668b4e3786e6c499b4aa421a10558 |
| SHA1 | 1ef70e3abca5ef45d33922b9d735d10c622df11d |
| SHA256 | 3602f1f38ac32fbd2c95ce788ecce504f57e35780427897e174c08820ffe5dc1 |
| SHA512 | 7b5b54aae1cee0a0ec9e6cf5276f424e8a2a3dc74592ef4e244e9283c48c0df7bf841fe6ee9e40658a8a51f3f4d3c3a780f88e0d66a8d5153e3f8a5bc690bc81 |
\Windows\system\RErTTXC.exe
| MD5 | 75027e1ba2a7b7718a43f5faf01803cf |
| SHA1 | 5e8170c29d065ccf5bce490f576d16b95788884a |
| SHA256 | eaec94936d1f986dbec794df34e488973f0652fee2867bd389ab4f11fa5f9d6e |
| SHA512 | 912814a941c3f58fd2cf05c3d12b8a13e4716d86eafa4085094ea92b5bf3093fae4da043cc2667646ba468baefedd62977fdaf20fb04f6e840a28f19d14d5e26 |
C:\Windows\system\rODwLxb.exe
| MD5 | 2011e088a1b8ce40b59c710801ecc925 |
| SHA1 | c58c4bd3ebfeb38f710c12411809c0f54ff8a5ec |
| SHA256 | 86e345bb528bf39e3e2b1fc8576af1a263132b03f990883c7815aa4daa733749 |
| SHA512 | d58be39a841f2ddc57671d075bb78e090d29451ab6b8f67c3e832d0f71da68366555ba9a6d6743095ee444b62a50885ffba05dc4505e3ede5feeb2600a327072 |
\Windows\system\UHXTSur.exe
| MD5 | 091d4a75397d8b6f9749a7efaae1c0a5 |
| SHA1 | c06aaee3807e056537c75637eacdc5987534087d |
| SHA256 | 9116f7dd82b621ed5d55e328399703262120f5e1b05af893c5130a0079465e7f |
| SHA512 | 109f0efbadeb4dd58a55762890051d425ce8a0d4c83065d0fc548ccd95ad283b5b80b7faada90cea6620ebbe2533ac19c2b5ff048600702a359460a310384f21 |
memory/1320-12-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/2056-41-0x000000013FF30000-0x0000000140281000-memory.dmp
memory/2988-71-0x0000000002240000-0x0000000002591000-memory.dmp
memory/2960-81-0x000000013F750000-0x000000013FAA1000-memory.dmp
memory/2988-84-0x000000013F8F0000-0x000000013FC41000-memory.dmp
C:\Windows\system\aUsrkKb.exe
| MD5 | 093352fd4e55d8cdf8de534a8c5b6ac0 |
| SHA1 | f5c1a9f079f973d6b5d90c7ddbb506153afd95c3 |
| SHA256 | cc6d4af4623375957d2b62a67dfaee114956da0d25d2c5a5dd49c80d1aa72ea1 |
| SHA512 | fc597c962524343f0898814fbbc45ef302695ca6bd668ccd09f56426a8fd9d7ee27e1b92f0aa99eeccef0be2227c356115704ea95005c7d567eee00a0e63dd2d |
memory/2788-79-0x000000013FB30000-0x000000013FE81000-memory.dmp
memory/2716-78-0x000000013F170000-0x000000013F4C1000-memory.dmp
memory/2148-76-0x000000013F4F0000-0x000000013F841000-memory.dmp
memory/2988-75-0x000000013F750000-0x000000013FAA1000-memory.dmp
C:\Windows\system\QqzzqoX.exe
| MD5 | 7e7761185543b37fe4c65f0c65cd2fa0 |
| SHA1 | 4d7730ed46aeb2dc06f4bfcbfe05324ea947548d |
| SHA256 | c3c46eab60dcfcd2b966bf7e49c8b3c6f70b7f722eced74be41fe9d344c4489a |
| SHA512 | 7bbab9666dffaeb59d5dfb5f94064e9c88dd306a4fd5b360642a7e3ec825f49828497bc7fcff88d406686695a49dc43383f68e8b7b92ace9f22ecf1b0ea71b30 |
\Windows\system\uzSHrlQ.exe
| MD5 | 3253831737a5e4adf0ae366925e7dd71 |
| SHA1 | 9d9556517744e57b5ebd1010e3f44435a622f27e |
| SHA256 | b43992c51db3add51713ee86b8e98ccaa97a7095962e02aa05de9e12b6fb06f0 |
| SHA512 | ebfb3f62ab88aa5f43c0560fdad59a6da3899ddc22623a7b6418913a0161611037b3723e34523a591fa8f77c9b81d15a280407df4cc94838b936580fe00909ea |
memory/2568-73-0x000000013F300000-0x000000013F651000-memory.dmp
memory/2816-70-0x000000013FCC0000-0x0000000140011000-memory.dmp
memory/2988-69-0x000000013F4F0000-0x000000013F841000-memory.dmp
memory/3000-68-0x000000013FD40000-0x0000000140091000-memory.dmp
C:\Windows\system\RKDgBfH.exe
| MD5 | 13067b910ae200e7b637dd2972a8525b |
| SHA1 | 26a4793dc2c89a655282e1f1d46c44f8cea5bb77 |
| SHA256 | 844d04efe91b17da27b7c86ebd9d8b676b8f4f235e32c61585b9ef6b55ff7c23 |
| SHA512 | 14f677ceae1e6d837239d9e7d9ec7aea2c0ad7aaacbee31fd92dfe44e706e3cba261ab1731a2dfab9348d13dbaa3cee57c312be35c236809b8b76b760dedfcc5 |
memory/2876-66-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/2196-64-0x000000013FC10000-0x000000013FF61000-memory.dmp
C:\Windows\system\gvdxgXO.exe
| MD5 | 08d8c98c413a6cb9e765d9cb00719bb2 |
| SHA1 | d3aa871a74061c519d7b0b73d1e0e1993ffa1296 |
| SHA256 | 7dde317d74bae535332780f47f8778ca5172d8294d85322fb3ac5f4844e1de65 |
| SHA512 | 532ba0ebcd96ac7ba47073e52b361cf6f963e81c5a61b0b34d4064467f128927af6ad02348e83713e5e905f933af1bf1fe9677f03c91aaca94e471f04b21ff1c |
memory/2988-62-0x0000000002240000-0x0000000002591000-memory.dmp
memory/2988-61-0x000000013F170000-0x000000013F4C1000-memory.dmp
memory/2988-59-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/2988-35-0x0000000002240000-0x0000000002591000-memory.dmp
memory/2988-50-0x0000000002240000-0x0000000002591000-memory.dmp
\Windows\system\PNGAbMs.exe
| MD5 | b188757be2090e607985bb405275203b |
| SHA1 | d26b22ee429f4f3a3b45d1a018d0cd5c5754afc4 |
| SHA256 | efa9547337910f4c5fc26eae8ce139c67bfb188c6a716f459b7c6dcb7ad9cd0f |
| SHA512 | 686cb2446df14aca0b2839f033ea314f1e23c4fd0393df41ddd2e9b728963f965d3a2b0f435e77aef32ad794bcdc0c4160bfda3a4efdbe3918880b5bce85ae7d |
C:\Windows\system\LhwdWks.exe
| MD5 | 8dbcce25e1760a6115561a19818d133e |
| SHA1 | 4e07629e6f91db7ea893c3f92ca7afaa9dde8ee3 |
| SHA256 | fd854bf338cb61a145f35f49194bc6f5b00c742425b443f1bf4736acae2cf9ef |
| SHA512 | fb25385b86968b562ead204c9fdc6599eeeb8d6691e799eced6a2c36c48dfa5c354e23827885e3f264a814b265e48d6532fd23f90c5732c91d57d9299f82b7c7 |
memory/2928-101-0x000000013F420000-0x000000013F771000-memory.dmp
\Windows\system\VkwWxhT.exe
| MD5 | c3e61022c239e660e03bae60edfab58a |
| SHA1 | 3a9d37f3416e60c2d82bb64e385bdd58f186cdfd |
| SHA256 | 4d19dff0b28715a75a2fc63f26c5131ce46c59c2e79125e4452a7fee19e11283 |
| SHA512 | bc2600759c0466895780cf3c51310906327091bb473fc68e87c6aa6854e4d0982153bf127a4319df1e9c58af312d3a117f2a76c62259ba7ee24d12c9a4c88d1f |
memory/2988-102-0x000000013FA30000-0x000000013FD81000-memory.dmp
memory/2988-93-0x000000013F420000-0x000000013F771000-memory.dmp
memory/2180-89-0x000000013F8F0000-0x000000013FC41000-memory.dmp
C:\Windows\system\FFueDxL.exe
| MD5 | c272101c5ceae0c1c7394a819be10179 |
| SHA1 | 558b62ff8eab836c1e877556e0cda106dcaae6a3 |
| SHA256 | f7be87e6f16169711c324a79cab89bf3a13a30e22c92e41f2418d9c17451a857 |
| SHA512 | d03d961c61ea3b9216955c1c44df1395f54735b70a34736f44b946e7c468f4d9e6ff77dba0fc5809898663e71b43238270a7e3e0872e3814cb54c9fa5767a0fa |
\Windows\system\ocCdYDg.exe
| MD5 | f67f83967db7a0502c4edd9760830eae |
| SHA1 | 85f882358255781623d090039915aeb47a5cde6d |
| SHA256 | 1022e64e2349734cca39a025e1f8ab6c56c58c9ad151d8d8aaa710834c9a185a |
| SHA512 | 667bbef0875e17f4cb62ce4cdd1ae3c829dd039d971b75411feaa4412a57e85e1a03f9c70be406a17003960555f06063887d335a2a53d99c3d385958ca47958b |
\Windows\system\EuFwBsw.exe
| MD5 | 6d8ddac73b76cc898f5e06e5f34e233e |
| SHA1 | d579422f2aeaed3660d8a2c7edc63ac17b303ede |
| SHA256 | f0019489287d06f803d64910666cd02712df8401c155174aef77bab66df60fca |
| SHA512 | 19e099dd01465e7bde82477681f7b91ff74cd77d411e85534be028f7ec39f9ad2eebdeff4e9c160b5142a0b958b282d6c53ef355a2baf1da3464b2da43408ef9 |
\Windows\system\LSOjtLS.exe
| MD5 | 444b45a971312d872a9dd75d18ee02b3 |
| SHA1 | 5cf523035c4cf4a5c82c1f514de73a08dad0ab42 |
| SHA256 | edc18c397373208216130c39f1449e7399d122df9ec4d94ce15955f92fb9ecca |
| SHA512 | d65eaff07824d5bee9dda060b3e5e1faf59f5103f1bcd9ced0a45a4d20fb68e6aed02c732af6dc59a0117f7bf0690515bd1dde3b19863d7518575449f54d7a25 |
C:\Windows\system\ChVPPZS.exe
| MD5 | 3b3259c80a6aa34405f86477f311f99f |
| SHA1 | a2c44b423864e3b9f2ab58d7275713d62c0a2ca2 |
| SHA256 | c3579ebdce8869e2830db012aafc3510d6591ad125957131bd71b94e0529703a |
| SHA512 | f506eec7ba7447ccb599d1229f75ede039d9af2a28d47ae2ec93917bfed2c106e482af274985bf594ce485cc29068b63636658f37dc976c1c1aa19779b0a1139 |
memory/2988-132-0x000000013FE30000-0x0000000140181000-memory.dmp
memory/1192-133-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
memory/2988-134-0x0000000002240000-0x0000000002591000-memory.dmp
memory/2988-135-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/2988-136-0x000000013FE30000-0x0000000140181000-memory.dmp
memory/2960-148-0x000000013F750000-0x000000013FAA1000-memory.dmp
memory/332-151-0x000000013FA30000-0x000000013FD81000-memory.dmp
memory/1372-152-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/1980-154-0x000000013F570000-0x000000013F8C1000-memory.dmp
memory/1184-157-0x000000013FA60000-0x000000013FDB1000-memory.dmp
memory/1524-156-0x000000013F180000-0x000000013F4D1000-memory.dmp
memory/856-155-0x000000013FB60000-0x000000013FEB1000-memory.dmp
memory/1292-153-0x000000013F9B0000-0x000000013FD01000-memory.dmp
memory/2988-158-0x000000013FE30000-0x0000000140181000-memory.dmp
memory/1320-203-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/1192-205-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
memory/2056-207-0x000000013FF30000-0x0000000140281000-memory.dmp
memory/2196-209-0x000000013FC10000-0x000000013FF61000-memory.dmp
memory/2876-213-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/2816-217-0x000000013FCC0000-0x0000000140011000-memory.dmp
memory/3000-215-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2568-212-0x000000013F300000-0x000000013F651000-memory.dmp
memory/2148-219-0x000000013F4F0000-0x000000013F841000-memory.dmp
memory/2960-221-0x000000013F750000-0x000000013FAA1000-memory.dmp
memory/2788-223-0x000000013FB30000-0x000000013FE81000-memory.dmp
memory/2716-225-0x000000013F170000-0x000000013F4C1000-memory.dmp
memory/2180-229-0x000000013F8F0000-0x000000013FC41000-memory.dmp
memory/2928-231-0x000000013F420000-0x000000013F771000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 11:59
Reported
2024-08-13 12:02
Platform
win10v2004-20240802-en
Max time kernel
143s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
21 indicators reported; description, indicator, process and target fields are all N/A.
Cobaltstrike
xmrig
XMRig Miner payload
46 indicators reported; description, indicator, process and target fields are all N/A.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\cTVQVUS.exe | N/A |
| N/A | N/A | C:\Windows\System\RFbrkdy.exe | N/A |
| N/A | N/A | C:\Windows\System\rODwLxb.exe | N/A |
| N/A | N/A | C:\Windows\System\UHXTSur.exe | N/A |
| N/A | N/A | C:\Windows\System\MLCPKbp.exe | N/A |
| N/A | N/A | C:\Windows\System\RErTTXC.exe | N/A |
| N/A | N/A | C:\Windows\System\dAhWWgU.exe | N/A |
| N/A | N/A | C:\Windows\System\RKDgBfH.exe | N/A |
| N/A | N/A | C:\Windows\System\UfrNVhJ.exe | N/A |
| N/A | N/A | C:\Windows\System\QqzzqoX.exe | N/A |
| N/A | N/A | C:\Windows\System\gvdxgXO.exe | N/A |
| N/A | N/A | C:\Windows\System\aUsrkKb.exe | N/A |
| N/A | N/A | C:\Windows\System\uzSHrlQ.exe | N/A |
| N/A | N/A | C:\Windows\System\PNGAbMs.exe | N/A |
| N/A | N/A | C:\Windows\System\LhwdWks.exe | N/A |
| N/A | N/A | C:\Windows\System\VkwWxhT.exe | N/A |
| N/A | N/A | C:\Windows\System\FFueDxL.exe | N/A |
| N/A | N/A | C:\Windows\System\ocCdYDg.exe | N/A |
| N/A | N/A | C:\Windows\System\EuFwBsw.exe | N/A |
| N/A | N/A | C:\Windows\System\ChVPPZS.exe | N/A |
| N/A | N/A | C:\Windows\System\LSOjtLS.exe | N/A |
UPX packed file
64 indicators reported; description, indicator, process and target fields are all N/A.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-13_ccfe7e7d075f7d22e0918a1dcf990c65_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\cTVQVUS.exe
C:\Windows\System\cTVQVUS.exe
C:\Windows\System\RFbrkdy.exe
C:\Windows\System\RFbrkdy.exe
C:\Windows\System\rODwLxb.exe
C:\Windows\System\rODwLxb.exe
C:\Windows\System\UHXTSur.exe
C:\Windows\System\UHXTSur.exe
C:\Windows\System\MLCPKbp.exe
C:\Windows\System\MLCPKbp.exe
C:\Windows\System\RErTTXC.exe
C:\Windows\System\RErTTXC.exe
C:\Windows\System\dAhWWgU.exe
C:\Windows\System\dAhWWgU.exe
C:\Windows\System\RKDgBfH.exe
C:\Windows\System\RKDgBfH.exe
C:\Windows\System\UfrNVhJ.exe
C:\Windows\System\UfrNVhJ.exe
C:\Windows\System\QqzzqoX.exe
C:\Windows\System\QqzzqoX.exe
C:\Windows\System\gvdxgXO.exe
C:\Windows\System\gvdxgXO.exe
C:\Windows\System\aUsrkKb.exe
C:\Windows\System\aUsrkKb.exe
C:\Windows\System\uzSHrlQ.exe
C:\Windows\System\uzSHrlQ.exe
C:\Windows\System\PNGAbMs.exe
C:\Windows\System\PNGAbMs.exe
C:\Windows\System\LhwdWks.exe
C:\Windows\System\LhwdWks.exe
C:\Windows\System\VkwWxhT.exe
C:\Windows\System\VkwWxhT.exe
C:\Windows\System\FFueDxL.exe
C:\Windows\System\FFueDxL.exe
C:\Windows\System\ocCdYDg.exe
C:\Windows\System\ocCdYDg.exe
C:\Windows\System\EuFwBsw.exe
C:\Windows\System\EuFwBsw.exe
C:\Windows\System\ChVPPZS.exe
C:\Windows\System\ChVPPZS.exe
C:\Windows\System\LSOjtLS.exe
C:\Windows\System\LSOjtLS.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 148.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Only 3.120.209.58:8080 is attributable to the sample: it is the sole destination in the Windows 7 run as well, whereas the 8.8.8.8 reverse lookups and the bing.com/bing.net connections appear only here and are consistent with Windows 10 guest background traffic.
Files
memory/1632-0-0x00007FF7DC040000-0x00007FF7DC391000-memory.dmp
memory/1632-1-0x00000234DA010000-0x00000234DA020000-memory.dmp
C:\Windows\System\cTVQVUS.exe
| MD5 | ecf9ed2f46c976d3256f616d1abb7560 |
| SHA1 | 2398a12ca5b8d0efd6398b5cffca4a84e745056b |
| SHA256 | 111cfd80165710cc18fc268178e6c353ec00334b7fc1c145a5dcb41d09fcac95 |
| SHA512 | 85523b51fe9c950be48e3e13c18aef5829f15488c6031a83abb3ced472666021b0b46aea9619091898fd55a12c3d61b23213b3ae9ccbcdb59b4048febf8d3b87 |
memory/3700-7-0x00007FF76D190000-0x00007FF76D4E1000-memory.dmp
C:\Windows\System\RFbrkdy.exe
| MD5 | 61d5165ada89e2de42a027fbf0e7460a |
| SHA1 | c478903d5815d5dff18c1438ba24678914e45754 |
| SHA256 | 27eff5905196158bd3daecdb39c2e4038eedba75f5854825139d736045f1b528 |
| SHA512 | c01fcc7b7960665ef89f19180b655aa926204b997b6d826cbc0060ac022a628154e5cdd79271ed2e664a854ed9ac4c2d188c4d494c5af02655fb476c9160609e |
C:\Windows\System\rODwLxb.exe
| MD5 | 2011e088a1b8ce40b59c710801ecc925 |
| SHA1 | c58c4bd3ebfeb38f710c12411809c0f54ff8a5ec |
| SHA256 | 86e345bb528bf39e3e2b1fc8576af1a263132b03f990883c7815aa4daa733749 |
| SHA512 | d58be39a841f2ddc57671d075bb78e090d29451ab6b8f67c3e832d0f71da68366555ba9a6d6743095ee444b62a50885ffba05dc4505e3ede5feeb2600a327072 |
memory/4020-20-0x00007FF6224C0000-0x00007FF622811000-memory.dmp
memory/4948-13-0x00007FF6BEE90000-0x00007FF6BF1E1000-memory.dmp
C:\Windows\System\UHXTSur.exe
| MD5 | 091d4a75397d8b6f9749a7efaae1c0a5 |
| SHA1 | c06aaee3807e056537c75637eacdc5987534087d |
| SHA256 | 9116f7dd82b621ed5d55e328399703262120f5e1b05af893c5130a0079465e7f |
| SHA512 | 109f0efbadeb4dd58a55762890051d425ce8a0d4c83065d0fc548ccd95ad283b5b80b7faada90cea6620ebbe2533ac19c2b5ff048600702a359460a310384f21 |
C:\Windows\System\MLCPKbp.exe
| MD5 | 881668b4e3786e6c499b4aa421a10558 |
| SHA1 | 1ef70e3abca5ef45d33922b9d735d10c622df11d |
| SHA256 | 3602f1f38ac32fbd2c95ce788ecce504f57e35780427897e174c08820ffe5dc1 |
| SHA512 | 7b5b54aae1cee0a0ec9e6cf5276f424e8a2a3dc74592ef4e244e9283c48c0df7bf841fe6ee9e40658a8a51f3f4d3c3a780f88e0d66a8d5153e3f8a5bc690bc81 |
C:\Windows\System\dAhWWgU.exe
| MD5 | 3eced770f6cb05ba9b0eb798209d8759 |
| SHA1 | b5916790cbb6d1f5c1b87c9d9068c043231b206f |
| SHA256 | d09f858103ac80dc88dfb1bb8051bc5d8e8c8f455329757919112937975580f2 |
| SHA512 | d5a7d8fbb593e9362774ac379184841e1ec2ddf83b4720cd2b17ba9ed3c5a3969931691be6508bf898dc299b449d199f5b8e613867188fbc3b8ffa0a77350cc7 |
C:\Windows\System\UfrNVhJ.exe
| MD5 | 3cca4cc473b7e1fee792cdf0113311b8 |
| SHA1 | 33ee9ac7f830787a412f5c7f642165bed64a499c |
| SHA256 | e61463aca450338e6eee3024ec09f9458c4d7fb83646434a874df482cf493799 |