Analysis Overview
| SHA256 | 01163beabb86da264b02d1a1e6397870f547c03efec024bafdc90ce6b7c27dfa |
| Threat Level | Known bad |
The file 2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Cobaltstrike
xmrig
Xmrig family
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
| Reported | 2024-08-13 12:00 |
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-08-13 12:00 |
| Reported | 2024-08-13 12:03 |
| Platform | win7-20240708-en |
| Max time kernel | 142s |
| Max time network | 143s |
| Command Line | |
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\AFfmXef.exe | N/A |
| N/A | N/A | C:\Windows\System\FglVIKq.exe | N/A |
| N/A | N/A | C:\Windows\System\AokBrXx.exe | N/A |
| N/A | N/A | C:\Windows\System\MhYHkNQ.exe | N/A |
| N/A | N/A | C:\Windows\System\aYZYAPE.exe | N/A |
| N/A | N/A | C:\Windows\System\ZKApZxV.exe | N/A |
| N/A | N/A | C:\Windows\System\NFmWOiD.exe | N/A |
| N/A | N/A | C:\Windows\System\qsISCcJ.exe | N/A |
| N/A | N/A | C:\Windows\System\kNXQuCN.exe | N/A |
| N/A | N/A | C:\Windows\System\tXVKTbc.exe | N/A |
| N/A | N/A | C:\Windows\System\mUvoJYo.exe | N/A |
| N/A | N/A | C:\Windows\System\vSIxXzU.exe | N/A |
| N/A | N/A | C:\Windows\System\WvmScha.exe | N/A |
| N/A | N/A | C:\Windows\System\yzuZupD.exe | N/A |
| N/A | N/A | C:\Windows\System\DSAAZpx.exe | N/A |
| N/A | N/A | C:\Windows\System\vXESrBK.exe | N/A |
| N/A | N/A | C:\Windows\System\FADBjsj.exe | N/A |
| N/A | N/A | C:\Windows\System\aiXjYJF.exe | N/A |
| N/A | N/A | C:\Windows\System\auduUjb.exe | N/A |
| N/A | N/A | C:\Windows\System\bAYnMGo.exe | N/A |
| N/A | N/A | C:\Windows\System\hBacXIy.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\AFfmXef.exe | C:\Windows\System\AFfmXef.exe |
| C:\Windows\System\FglVIKq.exe | C:\Windows\System\FglVIKq.exe |
| C:\Windows\System\AokBrXx.exe | C:\Windows\System\AokBrXx.exe |
| C:\Windows\System\MhYHkNQ.exe | C:\Windows\System\MhYHkNQ.exe |
| C:\Windows\System\aYZYAPE.exe | C:\Windows\System\aYZYAPE.exe |
| C:\Windows\System\ZKApZxV.exe | C:\Windows\System\ZKApZxV.exe |
| C:\Windows\System\NFmWOiD.exe | C:\Windows\System\NFmWOiD.exe |
| C:\Windows\System\qsISCcJ.exe | C:\Windows\System\qsISCcJ.exe |
| C:\Windows\System\kNXQuCN.exe | C:\Windows\System\kNXQuCN.exe |
| C:\Windows\System\tXVKTbc.exe | C:\Windows\System\tXVKTbc.exe |
| C:\Windows\System\mUvoJYo.exe | C:\Windows\System\mUvoJYo.exe |
| C:\Windows\System\vSIxXzU.exe | C:\Windows\System\vSIxXzU.exe |
| C:\Windows\System\WvmScha.exe | C:\Windows\System\WvmScha.exe |
| C:\Windows\System\yzuZupD.exe | C:\Windows\System\yzuZupD.exe |
| C:\Windows\System\DSAAZpx.exe | C:\Windows\System\DSAAZpx.exe |
| C:\Windows\System\vXESrBK.exe | C:\Windows\System\vXESrBK.exe |
| C:\Windows\System\FADBjsj.exe | C:\Windows\System\FADBjsj.exe |
| C:\Windows\System\aiXjYJF.exe | C:\Windows\System\aiXjYJF.exe |
| C:\Windows\System\auduUjb.exe | C:\Windows\System\auduUjb.exe |
| C:\Windows\System\hBacXIy.exe | C:\Windows\System\hBacXIy.exe |
| C:\Windows\System\bAYnMGo.exe | C:\Windows\System\bAYnMGo.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-08-13 12:00 |
| Reported | 2024-08-13 12:03 |
| Platform | win10v2004-20240802-en |
| Max time kernel | 147s |
| Max time network | 149s |
| Command Line | |
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\DpzRpFX.exe | N/A |
| N/A | N/A | C:\Windows\System\SPfVKuf.exe | N/A |
| N/A | N/A | C:\Windows\System\jfLgIhA.exe | N/A |
| N/A | N/A | C:\Windows\System\ugCRFpK.exe | N/A |
| N/A | N/A | C:\Windows\System\yzOTVxz.exe | N/A |
| N/A | N/A | C:\Windows\System\bcfdnWq.exe | N/A |
| N/A | N/A | C:\Windows\System\XijGyQN.exe | N/A |
| N/A | N/A | C:\Windows\System\IztOzef.exe | N/A |
| N/A | N/A | C:\Windows\System\mqXfacP.exe | N/A |
| N/A | N/A | C:\Windows\System\FyeTdfF.exe | N/A |
| N/A | N/A | C:\Windows\System\JgbNwLj.exe | N/A |
| N/A | N/A | C:\Windows\System\vsEnLhC.exe | N/A |
| N/A | N/A | C:\Windows\System\dEKewnM.exe | N/A |
| N/A | N/A | C:\Windows\System\aFAEAUa.exe | N/A |
| N/A | N/A | C:\Windows\System\uylyUEZ.exe | N/A |
| N/A | N/A | C:\Windows\System\MDkWzcN.exe | N/A |
| N/A | N/A | C:\Windows\System\WBRkNNW.exe | N/A |
| N/A | N/A | C:\Windows\System\feBqgaT.exe | N/A |
| N/A | N/A | C:\Windows\System\LcdHSCB.exe | N/A |
| N/A | N/A | C:\Windows\System\wlIGUMD.exe | N/A |
| N/A | N/A | C:\Windows\System\nugCURF.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-13_dccfa108e5edd619991eb8e0b663c67b_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\DpzRpFX.exe | C:\Windows\System\DpzRpFX.exe |
| C:\Windows\System\SPfVKuf.exe | C:\Windows\System\SPfVKuf.exe |
| C:\Windows\System\jfLgIhA.exe | C:\Windows\System\jfLgIhA.exe |
| C:\Windows\System\ugCRFpK.exe | C:\Windows\System\ugCRFpK.exe |
| C:\Windows\System\yzOTVxz.exe | C:\Windows\System\yzOTVxz.exe |
| C:\Windows\System\bcfdnWq.exe | C:\Windows\System\bcfdnWq.exe |
| C:\Windows\System\XijGyQN.exe | C:\Windows\System\XijGyQN.exe |
| C:\Windows\System\IztOzef.exe | C:\Windows\System\IztOzef.exe |
| C:\Windows\System\mqXfacP.exe | C:\Windows\System\mqXfacP.exe |
| C:\Windows\System\FyeTdfF.exe | C:\Windows\System\FyeTdfF.exe |
| C:\Windows\System\JgbNwLj.exe | C:\Windows\System\JgbNwLj.exe |
| C:\Windows\System\vsEnLhC.exe | C:\Windows\System\vsEnLhC.exe |
| C:\Windows\System\dEKewnM.exe | C:\Windows\System\dEKewnM.exe |
| C:\Windows\System\aFAEAUa.exe | C:\Windows\System\aFAEAUa.exe |
| C:\Windows\System\uylyUEZ.exe | C:\Windows\System\uylyUEZ.exe |
| C:\Windows\System\MDkWzcN.exe | C:\Windows\System\MDkWzcN.exe |
| C:\Windows\System\WBRkNNW.exe | C:\Windows\System\WBRkNNW.exe |
| C:\Windows\System\feBqgaT.exe | C:\Windows\System\feBqgaT.exe |
| C:\Windows\System\LcdHSCB.exe | C:\Windows\System\LcdHSCB.exe |
| C:\Windows\System\wlIGUMD.exe | C:\Windows\System\wlIGUMD.exe |
| C:\Windows\System\nugCURF.exe | C:\Windows\System\nugCURF.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 148.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 22.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
| MD5 | 08e8813a3131889b136db4cf542654d4 |
| SHA1 | 70b2168539abc7967826321b63bfc673d0d0be75 |
| SHA256 | 3b9c71697178b1900db69991c6a10a389c6b302dee19ad6b581ae80f5f2122ff |
| SHA512 | 8e64e39e686a481600d591ef394cb45ff0cb5c32cc6afdf6443112d48afdb1caf0d827451d2ba1d00d9c31af36b878cbd972294e245c9c80cd268a3bafb94cc7 |
C:\Windows\System\vsEnLhC.exe
| MD5 | 6411cf12469b9584cbb3fdf8f0420fcb |
| SHA1 | 382fdf03f9fcf0002a4427eb44503b1f8339e27d |
| SHA256 | 4f1e1932aab5409ee8614648fb37c3bb97d6d858b97123ff6ca60cbad6db50e7 |
| SHA512 | 6fe1ac897805b38755512b0665963eaab6c3cb63636a01815b4dc08ed3060f5a9ff0c5a8221e01637c29cf1bc0ad731c20ce83eb626544349171b45760680a08 |
C:\Windows\System\IztOzef.exe
| MD5 | 9c87b2f45a8fd895598fa64b724fc0a1 |
| SHA1 | 0b539192c9f2135803e227db532b60c0bfa6cdfa |
| SHA256 | b3c8a9ef8ef4c8a15e14fb54cb92933d00506a6c7fdb9133f05f85ea1557cc94 |
| SHA512 | 016aa0b7a1c294810d6217d4681f9e65acfea9c290bd8203305ccb84aa85d08152d0aaef6b72368d5cd8ba54f4945c9ed0e930e4d56a332f2c2df12d28616858 |
memory/1708-48-0x00007FF7BCA60000-0x00007FF7BCDB1000-memory.dmp
memory/2972-117-0x00007FF792A70000-0x00007FF792DC1000-memory.dmp
memory/4412-120-0x00007FF75D3C0000-0x00007FF75D711000-memory.dmp
memory/2604-124-0x00007FF6285F0000-0x00007FF628941000-memory.dmp
memory/32-123-0x00007FF754750000-0x00007FF754AA1000-memory.dmp
memory/3700-125-0x00007FF6F82D0000-0x00007FF6F8621000-memory.dmp
memory/1252-122-0x00007FF72A4D0000-0x00007FF72A821000-memory.dmp
memory/1292-126-0x00007FF7981A0000-0x00007FF7984F1000-memory.dmp
memory/4216-127-0x00007FF640560000-0x00007FF6408B1000-memory.dmp
memory/2420-121-0x00007FF68D880000-0x00007FF68DBD1000-memory.dmp
memory/2644-118-0x00007FF764120000-0x00007FF764471000-memory.dmp
memory/3488-119-0x00007FF7A5F80000-0x00007FF7A62D1000-memory.dmp
memory/4652-128-0x00007FF7326C0000-0x00007FF732A11000-memory.dmp
memory/1664-132-0x00007FF6D3960000-0x00007FF6D3CB1000-memory.dmp
memory/1708-137-0x00007FF7BCA60000-0x00007FF7BCDB1000-memory.dmp
memory/3132-135-0x00007FF66DC60000-0x00007FF66DFB1000-memory.dmp
memory/3712-133-0x00007FF625700000-0x00007FF625A51000-memory.dmp
memory/752-131-0x00007FF6F7DF0000-0x00007FF6F8141000-memory.dmp
memory/1836-130-0x00007FF66C6D0000-0x00007FF66CA21000-memory.dmp
memory/2972-129-0x00007FF792A70000-0x00007FF792DC1000-memory.dmp
memory/1036-139-0x00007FF6BBA60000-0x00007FF6BBDB1000-memory.dmp
memory/2972-151-0x00007FF792A70000-0x00007FF792DC1000-memory.dmp
memory/1836-199-0x00007FF66C6D0000-0x00007FF66CA21000-memory.dmp
memory/752-201-0x00007FF6F7DF0000-0x00007FF6F8141000-memory.dmp
memory/1664-203-0x00007FF6D3960000-0x00007FF6D3CB1000-memory.dmp
memory/4244-205-0x00007FF6F7350000-0x00007FF6F76A1000-memory.dmp
memory/3132-208-0x00007FF66DC60000-0x00007FF66DFB1000-memory.dmp
memory/3712-209-0x00007FF625700000-0x00007FF625A51000-memory.dmp
memory/644-211-0x00007FF774FB0000-0x00007FF775301000-memory.dmp
memory/1708-213-0x00007FF7BCA60000-0x00007FF7BCDB1000-memory.dmp
memory/2888-215-0x00007FF6459C0000-0x00007FF645D11000-memory.dmp
memory/2644-218-0x00007FF764120000-0x00007FF764471000-memory.dmp
memory/1036-219-0x00007FF6BBA60000-0x00007FF6BBDB1000-memory.dmp
memory/4412-224-0x00007FF75D3C0000-0x00007FF75D711000-memory.dmp
memory/3488-225-0x00007FF7A5F80000-0x00007FF7A62D1000-memory.dmp
memory/2420-223-0x00007FF68D880000-0x00007FF68DBD1000-memory.dmp
memory/3700-234-0x00007FF6F82D0000-0x00007FF6F8621000-memory.dmp
memory/32-238-0x00007FF754750000-0x00007FF754AA1000-memory.dmp
memory/4652-239-0x00007FF7326C0000-0x00007FF732A11000-memory.dmp
memory/2604-236-0x00007FF6285F0000-0x00007FF628941000-memory.dmp
memory/1292-232-0x00007FF7981A0000-0x00007FF7984F1000-memory.dmp
memory/4216-229-0x00007FF640560000-0x00007FF6408B1000-memory.dmp
memory/1252-228-0x00007FF72A4D0000-0x00007FF72A821000-memory.dmp