Analysis Overview
SHA256
49307a5fec33154e269e337a739fa3412b7a4086d58ea53b0f942b86b88627d3
Threat Level: Known bad
The file 2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Cobaltstrike family
Xmrig family
Cobalt Strike reflective loader
XMRig Miner payload
xmrig
XMRig Miner payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-13 11:58
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 11:58
Reported
2024-08-13 12:01
Platform
win7-20240704-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\lmXFcFG.exe | N/A |
| N/A | N/A | C:\Windows\System\FtrOxLe.exe | N/A |
| N/A | N/A | C:\Windows\System\ZcExsAV.exe | N/A |
| N/A | N/A | C:\Windows\System\DbrFeIl.exe | N/A |
| N/A | N/A | C:\Windows\System\pUMsvay.exe | N/A |
| N/A | N/A | C:\Windows\System\oWzbYVx.exe | N/A |
| N/A | N/A | C:\Windows\System\mFAViNp.exe | N/A |
| N/A | N/A | C:\Windows\System\cUbMJxQ.exe | N/A |
| N/A | N/A | C:\Windows\System\rCuIulK.exe | N/A |
| N/A | N/A | C:\Windows\System\wxtYblt.exe | N/A |
| N/A | N/A | C:\Windows\System\odbmNYS.exe | N/A |
| N/A | N/A | C:\Windows\System\OeBHpna.exe | N/A |
| N/A | N/A | C:\Windows\System\oMpWhAX.exe | N/A |
| N/A | N/A | C:\Windows\System\bmeHQNh.exe | N/A |
| N/A | N/A | C:\Windows\System\qqvkfLE.exe | N/A |
| N/A | N/A | C:\Windows\System\lnNCnST.exe | N/A |
| N/A | N/A | C:\Windows\System\IyngoOA.exe | N/A |
| N/A | N/A | C:\Windows\System\CkVIbUB.exe | N/A |
| N/A | N/A | C:\Windows\System\KZgTPkD.exe | N/A |
| N/A | N/A | C:\Windows\System\kgefsDQ.exe | N/A |
| N/A | N/A | C:\Windows\System\nXINvRj.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\lmXFcFG.exe
C:\Windows\System\lmXFcFG.exe
C:\Windows\System\ZcExsAV.exe
C:\Windows\System\ZcExsAV.exe
C:\Windows\System\FtrOxLe.exe
C:\Windows\System\FtrOxLe.exe
C:\Windows\System\DbrFeIl.exe
C:\Windows\System\DbrFeIl.exe
C:\Windows\System\pUMsvay.exe
C:\Windows\System\pUMsvay.exe
C:\Windows\System\oWzbYVx.exe
C:\Windows\System\oWzbYVx.exe
C:\Windows\System\mFAViNp.exe
C:\Windows\System\mFAViNp.exe
C:\Windows\System\cUbMJxQ.exe
C:\Windows\System\cUbMJxQ.exe
C:\Windows\System\rCuIulK.exe
C:\Windows\System\rCuIulK.exe
C:\Windows\System\wxtYblt.exe
C:\Windows\System\wxtYblt.exe
C:\Windows\System\odbmNYS.exe
C:\Windows\System\odbmNYS.exe
C:\Windows\System\OeBHpna.exe
C:\Windows\System\OeBHpna.exe
C:\Windows\System\oMpWhAX.exe
C:\Windows\System\oMpWhAX.exe
C:\Windows\System\bmeHQNh.exe
C:\Windows\System\bmeHQNh.exe
C:\Windows\System\qqvkfLE.exe
C:\Windows\System\qqvkfLE.exe
C:\Windows\System\lnNCnST.exe
C:\Windows\System\lnNCnST.exe
C:\Windows\System\IyngoOA.exe
C:\Windows\System\IyngoOA.exe
C:\Windows\System\CkVIbUB.exe
C:\Windows\System\CkVIbUB.exe
C:\Windows\System\KZgTPkD.exe
C:\Windows\System\KZgTPkD.exe
C:\Windows\System\kgefsDQ.exe
C:\Windows\System\kgefsDQ.exe
C:\Windows\System\nXINvRj.exe
C:\Windows\System\nXINvRj.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2564-0-0x000000013F520000-0x000000013F871000-memory.dmp
memory/2564-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\lmXFcFG.exe
| MD5 | e1cd4f3c2f05902818c9d7883bbf1555 |
| SHA1 | 9df702f65beb0f031eacbaccd8d945ae5bda47bb |
| SHA256 | 4c4f7380f2ac0bcd2d463773c41c8d4bdde33711257a8cb64b83884fe8822a71 |
| SHA512 | f4e81d0e4abaa50e0f3b93d88c1969d8d41b27c58ff5eec9d0b08f041e5bf1aa62e73ed71864a574b018968b385bdf82aedf7f0b59b6cf7feebcbf9f85a863d9 |
C:\Windows\system\DbrFeIl.exe
| MD5 | 137fb3b5800630314aee87c131289ddf |
| SHA1 | e383bb28d630e70a8599315ae49986f4a726a7db |
| SHA256 | c423194e4ce233b0aa8bb33bae2974681c26e08c291e6d4b58f19943c96638d1 |
| SHA512 | daf187f9ea8cbd41a640c5dde7e5d4c7c1fccf01fb342980eb5e8c703e8de10ef5f13917417ed7c092dc9b4b3807bb96d0061ff318851becdce9feb761f8f91c |
\Windows\system\ZcExsAV.exe
| MD5 | c2619ca7f858d426aabf7e2761489697 |
| SHA1 | 4b07b21bda25f66905cefdbe424447aac14ffbb9 |
| SHA256 | 5ea799a31bf031d5f02864c1003331b0340612817048a597d7b23b2c30a24659 |
| SHA512 | ac32895d555f3c8f0d1f3ba36856b91c7d90e3d8aa04eb02cb80ad2ea91afde927176e11389c25710325d4c8c03632972688d82667f57a8e4522520ad8d1876d |
C:\Windows\system\pUMsvay.exe
| MD5 | db173ce1a0208d7e305a7d5bdd908b30 |
| SHA1 | 0df0f0453f180785321c7b1462c3ae8056fe030b |
| SHA256 | 5d995077ccd7eca93a292fcbf911dec9885ca8e1f543cf89fd0358ffbec8361e |
| SHA512 | 7c67298c159f0272e68ba3647ac8ffa6b379ea974724fef2905df8797ff39b264d51ebf17c063c1f085f1544e2fa06339fa0505160e7cbfdffcdbe2ef147397f |
C:\Windows\system\oWzbYVx.exe
| MD5 | 3ccfd9f4b0ca62d9f137afa3defcfd1d |
| SHA1 | e40332747358730428279423c978f95208d31431 |
| SHA256 | 2440066553c4d126208af35173474777fe6baa5c0bad37e0366d94735ca70936 |
| SHA512 | a5c11df24b4c53246dd203608927d58bc15a7414145923a98dfede02d4effe0ce1d5922d564a4f81de95795ef34b76e8663af1cb68f17c77be46cef437041ecd |
C:\Windows\system\mFAViNp.exe
| MD5 | 04c48dba0ac14bb8105d81af4d31feb6 |
| SHA1 | dfe28ea52f761fa48d4914862ccece8972706268 |
| SHA256 | 3dcae3adc54cc8ed9cae9d6c1d955a21617cca0a37757cc7ec5246321c37dd1e |
| SHA512 | 3bc6ba0fab63778ec2900b030faa1b31ca1ebe449dab7d7b2b3ef883ec8e8eeb5c209445601e70d25801c79f3a090d90a2e466f2d7c0d26400c9434823125069 |
C:\Windows\system\cUbMJxQ.exe
| MD5 | eb0e88e1408b631fd4a8b4048e169b7b |
| SHA1 | 522450a9a23793040d33cc0397aba1fc28a7357c |
| SHA256 | 480bd81a8bad814e0b15fe3dfa1d2d17193cd6802c5876f59c87aa912cba7094 |
| SHA512 | 6c875fed36b9e6a56004515b095119140de0ceb0319e5accddeb337722917c927503a38e03ccb3373683820fffb77011ff5b4442df4f78396cfb3d20455bdd21 |
C:\Windows\system\wxtYblt.exe
| MD5 | 2d6af4d0fd7ec96b79de95ca0559f02e |
| SHA1 | 93f228237b82cc0367849d1e7e0a6c55ac8f5b5e |
| SHA256 | 2f6d9d216380924369408ea126a7b513e66cc9fcb8ba18c376a430fbd6281c0a |
| SHA512 | 1f80a6ee86863aa237345bb0d3c4d632f7592b2bd2b2e1a07be7f0fdca34cb81d575803c326d712572392b36e75e4f664fa646213179cdb4df5d290c8af5d70e |
C:\Windows\system\oMpWhAX.exe
| MD5 | 9d7805452edbd8473408cd4641e47816 |
| SHA1 | 05476c101149e9b221e3e8df9362ba1f87202c85 |
| SHA256 | 28a3781bd127c61671b652e69211d58086c556a2871a77a4a1c727d99f418856 |
| SHA512 | 32064cbd277d19207a25e3be2262e822a404ca14a1c0bd67fd63aad595e0e877cc750e76d1711f548de6d44604a72d59bbd9e5d7bb4cd2246780dad16198e80c |
C:\Windows\system\KZgTPkD.exe
| MD5 | 2705346f263c61832beceb01bdeb68fd |
| SHA1 | d1799323a5451b10b3b861b9590a7ba4a26befa7 |
| SHA256 | 71da389fa28401fc20a18352ded37e20b72a4ef88d0fe74491d08defdf5cb065 |
| SHA512 | 7d214b1a8c75e51ba1497922f6894cc8a73bd5a5a76b67a334a13eda94f4db0b18b090529a27e0ea6212824c4bde286f49be23ba12cc171c0a885234eb732c1f |
C:\Windows\system\nXINvRj.exe
| MD5 | 97dab9e00c615f53b182b50d5dc9bade |
| SHA1 | f782df30bb2539577887563db9fa1139bd446ab9 |
| SHA256 | 77fb0558243bb85ee897c9bb5385e412b4d71301cd56e51ade0422ced1bb7220 |
| SHA512 | 9064785b40319e979eddec518aa8db3a39a05dcb755f96197df5628511df4f3f1cfe2486852c8958e6cd6e7f9cca723684bbd2dc8778286da18e056660a11a49 |
C:\Windows\system\kgefsDQ.exe
| MD5 | 52c6fd637e8214ccde9102af616986e5 |
| SHA1 | 97d01e42229148cc0f6feaec45d89c5876d1815b |
| SHA256 | 80e8082d5bf1cb4522779499dd353863296562f6a22917e00f880a7cf24140cb |
| SHA512 | 5a61c5497c095850ba0f4bfdb4fca743e65fe43c9beba38b809a35cc3c68d9fe4908a09e19045ac9848f7449bd0b838457ae479da62a76b8e447cf1c492a5f7b |
C:\Windows\system\CkVIbUB.exe
| MD5 | 2b345ff60b5058ff034068fdcb2b5f61 |
| SHA1 | d648085ae05bd2c27ff01750384939376dd314ad |
| SHA256 | 6e61566c0c3575f2980409456f35df70d81a9e195b8a63b4806eb1aa9604f34b |
| SHA512 | 8bb41484921a082626e5f4222dffdd01561b70c5f9daa9813528587a7d87a2ad01854a08ea7cf7e7e25e4d8d9c30566d0968327099318f5614083cbb13318fcd |
memory/2564-108-0x000000013FB10000-0x000000013FE61000-memory.dmp
memory/2588-107-0x000000013F3D0000-0x000000013F721000-memory.dmp
C:\Windows\system\lnNCnST.exe
| MD5 | cb42ec7a60a7134288c662d0f69a238e |
| SHA1 | 17049ce757731ce7bfb30183e445268ad65ccb5d |
| SHA256 | 848727cb52a31c36998baf2ef0d58e7b54d6c9cd3b5f3d3012de9c6a0303a930 |
| SHA512 | bdfd88826454372ee65243b7ea4910c9151e897e72e1e776cf4ea673f85ac074a6de72c5843e98e9357449bb705efab2cbfcfc659600dd4d2e3e37fdded5143b |
C:\Windows\system\IyngoOA.exe
| MD5 | 12e510cd57788a2cb91df08ec97e7807 |
| SHA1 | 650f759b87365dd44fdc41187b41f232a2eea92d |
| SHA256 | 58cba5a5bc8cac90c31914e888e526e74cb5f229f3da6d19000761ef6e584c27 |
| SHA512 | 7e2adcbabc4cd7bf146659d69c0474df02fbb9e0d1445d5c754b79df250a6ef55124cc356b5b2531c1409e57548aad623883fedcdc654bc79060aec72fd59f55 |
C:\Windows\system\qqvkfLE.exe
| MD5 | dae963379c7d9ae89527ee7af1112f63 |
| SHA1 | e2c65de3b8316c3f98e2a2e22121e15c7943fc6b |
| SHA256 | 1fe90f3c3e8a4818bf82eab0f3f7bec5fee64d1e461a78a3210dcdf3e2fcbafe |
| SHA512 | 88324e3a5d11d8241e6d9c08f636ed4641e6bde71c9e9deec7fe8124946a1d70964e801aa3cbac67da309509b6970f9d453db0bfcbe3de9127d9fd067bd17e89 |
C:\Windows\system\bmeHQNh.exe
| MD5 | bb163c95756c774631fa7780b54d519e |
| SHA1 | b2d8acfe74eb197cc8fb0915fff3cfdacb1b93b7 |
| SHA256 | 359d9f30df20f5f0f8f004611e5341a07ca626caf606275cdae0943a723ec91a |
| SHA512 | f79f0d1508c108d569f980b36db34f3b9dac1419713192d64ff4f1824ccf26d04e7ddee2a52acd4f6efed2c8c1d52758e8f60e6848b7e7bb0f6f6adaf8e81561 |
C:\Windows\system\OeBHpna.exe
| MD5 | 57dfa1782766b08127392ca1054eb6f4 |
| SHA1 | 3c546867470713f14e37ff933a6816d8856bcb0e |
| SHA256 | c14c7006ff3007a1531f1c0246a0f597925d30437151513f40bcd34416707a9d |
| SHA512 | 0c9c301e6f0aa9b6626f62f35602b8acea46db8f17033fb7402f4190ccaaf0fdbafad7106851eab61d476257ca7dabd9335886015286cefba0ccf168e5ee9c98 |
C:\Windows\system\odbmNYS.exe
| MD5 | 97272f725f8f2b8c58b1e1512e46fcdb |
| SHA1 | d04ca1e9052a4ffbc13fb5a4c83631886df7d93f |
| SHA256 | 038d0fd41e9af6ab2f485994fff723fa7f43f8e165ab3814703aebfb5cea65f1 |
| SHA512 | 40f107182a48761a750200445858b86efbe844ca2d75c02dbbff0f5685e3de3dee3a9f1f242777022b6386b3963c9fcf01bf65c754a03c0b77ac9598485f7eef |
C:\Windows\system\rCuIulK.exe
| MD5 | 232d47f0e3a3a3e9e2b2019118fed1fd |
| SHA1 | 32ec7d369b5389c6a98eb2c352d22549da60728c |
| SHA256 | 532f0fa210c72aa102bffc1b1c88a12cf7b0297f9e279b71829eab953e5e8898 |
| SHA512 | c2d7d4f342de7a95756e5d70167eda13ba6a96295879bf2e9b730924e639caba385f9e10d16aec305f567d2f8b7287e9534b282a831decb5b48252b2f6d6ac24 |
C:\Windows\system\FtrOxLe.exe
| MD5 | ab1fe7f9db9b91d78221f7a56794c661 |
| SHA1 | a993b55c6450d18bd3366a7da11d6904294e3962 |
| SHA256 | 1f9fe3c476462abbabe8e979b306db5273c3eaaf58b0e65d6ee1d85f04ddf349 |
| SHA512 | f71d77773f9f5b166b0a4946e2b2df899015b600f852de79d17fa3b3e8f47e4283aad7b9d1e63e635cf0dd7e3458405ef204ad8f115d9c71d6025cbeedbc6b1a |
memory/2528-109-0x000000013FC90000-0x000000013FFE1000-memory.dmp
memory/2564-113-0x000000013F880000-0x000000013FBD1000-memory.dmp
memory/1816-112-0x000000013F4E0000-0x000000013F831000-memory.dmp
memory/2564-111-0x00000000023A0000-0x00000000026F1000-memory.dmp
memory/1612-110-0x000000013FB10000-0x000000013FE61000-memory.dmp
memory/2520-116-0x000000013FBC0000-0x000000013FF11000-memory.dmp
memory/2280-124-0x000000013F860000-0x000000013FBB1000-memory.dmp
memory/2564-130-0x000000013FC90000-0x000000013FFE1000-memory.dmp
memory/2564-129-0x000000013FAE0000-0x000000013FE31000-memory.dmp
memory/2688-128-0x000000013F900000-0x000000013FC51000-memory.dmp
memory/2564-127-0x000000013F900000-0x000000013FC51000-memory.dmp
memory/1680-126-0x000000013F4C0000-0x000000013F811000-memory.dmp
memory/2668-125-0x000000013F670000-0x000000013F9C1000-memory.dmp
memory/2932-123-0x000000013FDA0000-0x00000001400F1000-memory.dmp
memory/2564-122-0x000000013FDA0000-0x00000001400F1000-memory.dmp
memory/2788-121-0x000000013F510000-0x000000013F861000-memory.dmp
memory/2908-120-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2564-119-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2776-118-0x000000013FA70000-0x000000013FDC1000-memory.dmp
memory/2564-117-0x000000013FA70000-0x000000013FDC1000-memory.dmp
memory/2564-115-0x000000013FBC0000-0x000000013FF11000-memory.dmp
memory/2824-114-0x000000013F880000-0x000000013FBD1000-memory.dmp
memory/2564-131-0x000000013F520000-0x000000013F871000-memory.dmp
memory/2588-132-0x000000013F3D0000-0x000000013F721000-memory.dmp
memory/2044-152-0x000000013FA90000-0x000000013FDE1000-memory.dmp
memory/2968-151-0x000000013F340000-0x000000013F691000-memory.dmp
memory/1932-150-0x000000013F4D0000-0x000000013F821000-memory.dmp
memory/600-149-0x000000013F1C0000-0x000000013F511000-memory.dmp
memory/584-148-0x000000013F710000-0x000000013FA61000-memory.dmp
memory/2692-147-0x000000013F670000-0x000000013F9C1000-memory.dmp
memory/2628-146-0x000000013FAE0000-0x000000013FE31000-memory.dmp
memory/2564-153-0x000000013F520000-0x000000013F871000-memory.dmp
memory/2564-175-0x000000013F520000-0x000000013F871000-memory.dmp
memory/2588-200-0x000000013F3D0000-0x000000013F721000-memory.dmp
memory/2528-202-0x000000013FC90000-0x000000013FFE1000-memory.dmp
memory/1612-204-0x000000013FB10000-0x000000013FE61000-memory.dmp
memory/2824-206-0x000000013F880000-0x000000013FBD1000-memory.dmp
memory/2520-208-0x000000013FBC0000-0x000000013FF11000-memory.dmp
memory/2776-210-0x000000013FA70000-0x000000013FDC1000-memory.dmp
memory/2908-212-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2788-214-0x000000013F510000-0x000000013F861000-memory.dmp
memory/2932-216-0x000000013FDA0000-0x00000001400F1000-memory.dmp
memory/2280-218-0x000000013F860000-0x000000013FBB1000-memory.dmp
memory/2668-220-0x000000013F670000-0x000000013F9C1000-memory.dmp
memory/1680-222-0x000000013F4C0000-0x000000013F811000-memory.dmp
memory/2688-224-0x000000013F900000-0x000000013FC51000-memory.dmp
memory/1816-234-0x000000013F4E0000-0x000000013F831000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 11:58
Reported
2024-08-13 12:01
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\szTQNHr.exe | N/A |
| N/A | N/A | C:\Windows\System\GCsxwSz.exe | N/A |
| N/A | N/A | C:\Windows\System\MjziUMI.exe | N/A |
| N/A | N/A | C:\Windows\System\PcBXXgk.exe | N/A |
| N/A | N/A | C:\Windows\System\Veyiehn.exe | N/A |
| N/A | N/A | C:\Windows\System\AwICIcd.exe | N/A |
| N/A | N/A | C:\Windows\System\FTvhLsA.exe | N/A |
| N/A | N/A | C:\Windows\System\NjxDDJH.exe | N/A |
| N/A | N/A | C:\Windows\System\wPdmOdF.exe | N/A |
| N/A | N/A | C:\Windows\System\cGcpltz.exe | N/A |
| N/A | N/A | C:\Windows\System\GWtgJvr.exe | N/A |
| N/A | N/A | C:\Windows\System\BddBVLD.exe | N/A |
| N/A | N/A | C:\Windows\System\hJncnGI.exe | N/A |
| N/A | N/A | C:\Windows\System\gFpRkXS.exe | N/A |
| N/A | N/A | C:\Windows\System\gvIfdpQ.exe | N/A |
| N/A | N/A | C:\Windows\System\DrqLJdQ.exe | N/A |
| N/A | N/A | C:\Windows\System\qzGGfFL.exe | N/A |
| N/A | N/A | C:\Windows\System\EdeQAKU.exe | N/A |
| N/A | N/A | C:\Windows\System\oggswVt.exe | N/A |
| N/A | N/A | C:\Windows\System\OJtnlwa.exe | N/A |
| N/A | N/A | C:\Windows\System\JKYzCfZ.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-13_c3f8aa5650c4b06d8edd28560ae872de_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\szTQNHr.exe
C:\Windows\System\szTQNHr.exe
C:\Windows\System\GCsxwSz.exe
C:\Windows\System\GCsxwSz.exe
C:\Windows\System\PcBXXgk.exe
C:\Windows\System\PcBXXgk.exe
C:\Windows\System\MjziUMI.exe
C:\Windows\System\MjziUMI.exe
C:\Windows\System\Veyiehn.exe
C:\Windows\System\Veyiehn.exe
C:\Windows\System\AwICIcd.exe
C:\Windows\System\AwICIcd.exe
C:\Windows\System\FTvhLsA.exe
C:\Windows\System\FTvhLsA.exe
C:\Windows\System\NjxDDJH.exe
C:\Windows\System\NjxDDJH.exe
C:\Windows\System\wPdmOdF.exe
C:\Windows\System\wPdmOdF.exe
C:\Windows\System\cGcpltz.exe
C:\Windows\System\cGcpltz.exe
C:\Windows\System\hJncnGI.exe
C:\Windows\System\hJncnGI.exe
C:\Windows\System\GWtgJvr.exe
C:\Windows\System\GWtgJvr.exe
C:\Windows\System\BddBVLD.exe
C:\Windows\System\BddBVLD.exe
C:\Windows\System\gFpRkXS.exe
C:\Windows\System\gFpRkXS.exe
C:\Windows\System\gvIfdpQ.exe
C:\Windows\System\gvIfdpQ.exe
C:\Windows\System\DrqLJdQ.exe
C:\Windows\System\DrqLJdQ.exe
C:\Windows\System\qzGGfFL.exe
C:\Windows\System\qzGGfFL.exe
C:\Windows\System\EdeQAKU.exe
C:\Windows\System\EdeQAKU.exe
C:\Windows\System\oggswVt.exe
C:\Windows\System\oggswVt.exe
C:\Windows\System\OJtnlwa.exe
C:\Windows\System\OJtnlwa.exe
C:\Windows\System\JKYzCfZ.exe
C:\Windows\System\JKYzCfZ.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 52.111.227.13:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1960-0-0x00007FF7A74C0000-0x00007FF7A7811000-memory.dmp
memory/1960-1-0x0000016308100000-0x0000016308110000-memory.dmp
C:\Windows\System\szTQNHr.exe
| MD5 | 114ea54f2068b86e0b358086121a1e1e |
| SHA1 | 9af64512681e2aee0961610621cf82b0b028469a |
| SHA256 | 8d3877ac363daf90da673de368b2a7f67ddeda3f9a20ef3715bbae36fad2d492 |
| SHA512 | 9a8f78c337a5f1d9d68d8c874c72b59c58ef7ffd0477442051a954bd4a981775e71950db63e708232d661717006fff44848b9177468006a2aa49161ec43f494b |
C:\Windows\System\GCsxwSz.exe
| MD5 | 66e80c7e5fd2a536852c5f0208fd2476 |
| SHA1 | 6b865c959c2afc37f5414a7cb57f5d7510560987 |
| SHA256 | 68a22b38272e3cb1b3e67077ed22a0fe9e37843b06597eb0442a836a8e078466 |
| SHA512 | d80125e129af828a00420519a442fdd75da6a4d89b719382681f66c377c3d812c1150031aacb02e3f97d26ec227a9ba4114d148fa32b19e6a292543b592c2501 |
memory/2964-13-0x00007FF6D57C0000-0x00007FF6D5B11000-memory.dmp
memory/2492-22-0x00007FF673C80000-0x00007FF673FD1000-memory.dmp
C:\Windows\System\PcBXXgk.exe
| MD5 | 31fb2b969cb0850fdbec04f3a43c5a44 |
| SHA1 | cac2437af2df6fcca0745bdc9807ba8b833aea15 |
| SHA256 | aaea38740c88624812eed119b7fb8a60823315c33e5f30b2b584d6e74dbada10 |
| SHA512 | 37f813ac6a4e021ccc5ce8585705dee2e32a37115481a2e6a9360d1a3a665c9e9ba4e31c1b1914cedecaa7821d3f311459efbdb585e66ca47e8b2c6340c25e30 |
C:\Windows\System\Veyiehn.exe
| MD5 | 3fc998e27e3ce1fe3333d3ba1151015b |
| SHA1 | 7f9166cd838cf8735fee91044a1fc999a2fdffa9 |
| SHA256 | dd6ed7f08ef237a784dc406f0c086e20299a461b51f7599b1981476d812842eb |
| SHA512 | 4c4b3724541bb2d9c863f666bc9b34a58dc49e010897a041b1ed488db996c40d7e7662ced6a36dcf45fc39b9ac6171d6e6b4fe96962a94012384827bbefe8be2 |
C:\Windows\System\AwICIcd.exe
| MD5 | c6b728f239b3d703960538a3fa2a5e8f |
| SHA1 | 7d5a10fc8f398f841e68f6ff1d82bd0d2ff520b0 |
| SHA256 | 5cc961dde7767368857c440a928a665607494617d92fdb9aa55af4abe96b9eea |
| SHA512 | a2445ea38c2e8eabd0d3e2f18bb2d6c04d6879912b34b3f115cb6d89c21aba203156024cc959cd1add0e482788f74a1d14bd59c08399c7c1015b9df1e2ab92b5 |
memory/696-50-0x00007FF732400000-0x00007FF732751000-memory.dmp
C:\Windows\System\cGcpltz.exe
| MD5 | 7d22153edd154824397d2c3b20aae57e |
| SHA1 | fa1fbdff7478f9db955bae12a1c56643f014f58a |
| SHA256 | d1686d03c61b3f8b9f1124bbcdd7f60914d83231001ff0d2664c8a0fcbdcaa58 |
| SHA512 | e843bfa477d4c766b138366b748bca7032f34304fddebd6643820581584b333b28ab585be427cba84884588e8b187dab7ea8a8e01b2f16df057697daace13920 |
C:\Windows\System\gFpRkXS.exe
| MD5 | 17b9f882a2533e8efa55f81d6bd5243e |
| SHA1 | 41a33e89afd2d233c007098da7c0a1bd0b7b25eb |
| SHA256 | e5b8512601a1e704b733d0aebdd19ab9b676d9d030d872d479cdbea6667d35cb |
| SHA512 | d01a52ebe247a3e9a7b8bfea05d8c5aa19e47503979076a1d6ebc3d67b0158d210873237df00a80cc171ef6de4060cd1c2a417757087fcf521fa884fef4eee53 |
memory/3296-93-0x00007FF6354C0000-0x00007FF635811000-memory.dmp
memory/4708-97-0x00007FF682B20000-0x00007FF682E71000-memory.dmp
C:\Windows\System\qzGGfFL.exe
| MD5 | 11c703f6d944597be377fcb255fcae1f |