Analysis Overview
SHA256
27e4768a567a38f5bae2336588a4021de5a7d3e1f5761e5252d14c1ac2bdbf97
Threat Level: Known bad
The file 2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
xmrig
Cobaltstrike family
XMRig Miner payload
Xmrig family
Cobalt Strike reflective loader
XMRig Miner payload
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-13 12:06
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 12:06
Reported
2024-08-13 12:09
Platform
win7-20240708-en
Max time kernel
140s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\tvgFlzu.exe | N/A |
| N/A | N/A | C:\Windows\System\mzpYgyu.exe | N/A |
| N/A | N/A | C:\Windows\System\rntEvRY.exe | N/A |
| N/A | N/A | C:\Windows\System\GxXxpDT.exe | N/A |
| N/A | N/A | C:\Windows\System\fRYuURj.exe | N/A |
| N/A | N/A | C:\Windows\System\kygzDZq.exe | N/A |
| N/A | N/A | C:\Windows\System\gLcbeMl.exe | N/A |
| N/A | N/A | C:\Windows\System\rZnWTWI.exe | N/A |
| N/A | N/A | C:\Windows\System\ndsKaEo.exe | N/A |
| N/A | N/A | C:\Windows\System\RYEoNaU.exe | N/A |
| N/A | N/A | C:\Windows\System\WuyODxY.exe | N/A |
| N/A | N/A | C:\Windows\System\XsYECbs.exe | N/A |
| N/A | N/A | C:\Windows\System\XZCVund.exe | N/A |
| N/A | N/A | C:\Windows\System\udrGZci.exe | N/A |
| N/A | N/A | C:\Windows\System\DgwMROP.exe | N/A |
| N/A | N/A | C:\Windows\System\EWfTFdA.exe | N/A |
| N/A | N/A | C:\Windows\System\mqVikfR.exe | N/A |
| N/A | N/A | C:\Windows\System\LzXGQMK.exe | N/A |
| N/A | N/A | C:\Windows\System\oCtTmRs.exe | N/A |
| N/A | N/A | C:\Windows\System\VfGXmgT.exe | N/A |
| N/A | N/A | C:\Windows\System\SzGdlrK.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\tvgFlzu.exe | C:\Windows\System\tvgFlzu.exe |
| C:\Windows\System\mzpYgyu.exe | C:\Windows\System\mzpYgyu.exe |
| C:\Windows\System\rntEvRY.exe | C:\Windows\System\rntEvRY.exe |
| C:\Windows\System\GxXxpDT.exe | C:\Windows\System\GxXxpDT.exe |
| C:\Windows\System\fRYuURj.exe | C:\Windows\System\fRYuURj.exe |
| C:\Windows\System\kygzDZq.exe | C:\Windows\System\kygzDZq.exe |
| C:\Windows\System\gLcbeMl.exe | C:\Windows\System\gLcbeMl.exe |
| C:\Windows\System\rZnWTWI.exe | C:\Windows\System\rZnWTWI.exe |
| C:\Windows\System\ndsKaEo.exe | C:\Windows\System\ndsKaEo.exe |
| C:\Windows\System\RYEoNaU.exe | C:\Windows\System\RYEoNaU.exe |
| C:\Windows\System\WuyODxY.exe | C:\Windows\System\WuyODxY.exe |
| C:\Windows\System\XsYECbs.exe | C:\Windows\System\XsYECbs.exe |
| C:\Windows\System\XZCVund.exe | C:\Windows\System\XZCVund.exe |
| C:\Windows\System\udrGZci.exe | C:\Windows\System\udrGZci.exe |
| C:\Windows\System\DgwMROP.exe | C:\Windows\System\DgwMROP.exe |
| C:\Windows\System\EWfTFdA.exe | C:\Windows\System\EWfTFdA.exe |
| C:\Windows\System\mqVikfR.exe | C:\Windows\System\mqVikfR.exe |
| C:\Windows\System\VfGXmgT.exe | C:\Windows\System\VfGXmgT.exe |
| C:\Windows\System\LzXGQMK.exe | C:\Windows\System\LzXGQMK.exe |
| C:\Windows\System\SzGdlrK.exe | C:\Windows\System\SzGdlrK.exe |
| C:\Windows\System\oCtTmRs.exe | C:\Windows\System\oCtTmRs.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 12:06
Reported
2024-08-13 12:09
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\wgAkEam.exe | N/A |
| N/A | N/A | C:\Windows\System\yijgihj.exe | N/A |
| N/A | N/A | C:\Windows\System\aXcjMcb.exe | N/A |
| N/A | N/A | C:\Windows\System\gxAIKfF.exe | N/A |
| N/A | N/A | C:\Windows\System\vsVpqre.exe | N/A |
| N/A | N/A | C:\Windows\System\uPKnRHC.exe | N/A |
| N/A | N/A | C:\Windows\System\qoRLWCu.exe | N/A |
| N/A | N/A | C:\Windows\System\KhhaQYd.exe | N/A |
| N/A | N/A | C:\Windows\System\hFkiHWi.exe | N/A |
| N/A | N/A | C:\Windows\System\dyWwWex.exe | N/A |
| N/A | N/A | C:\Windows\System\sGenysT.exe | N/A |
| N/A | N/A | C:\Windows\System\XSUuiBb.exe | N/A |
| N/A | N/A | C:\Windows\System\dhSgOsX.exe | N/A |
| N/A | N/A | C:\Windows\System\WjxlfHw.exe | N/A |
| N/A | N/A | C:\Windows\System\uMhJNcr.exe | N/A |
| N/A | N/A | C:\Windows\System\NuUYVNv.exe | N/A |
| N/A | N/A | C:\Windows\System\DqiZGIw.exe | N/A |
| N/A | N/A | C:\Windows\System\SbkfuFZ.exe | N/A |
| N/A | N/A | C:\Windows\System\wYXTOfb.exe | N/A |
| N/A | N/A | C:\Windows\System\hjoHinH.exe | N/A |
| N/A | N/A | C:\Windows\System\zwBqucR.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-13_fc168d091243e9aadea163111984e422_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\wgAkEam.exe | C:\Windows\System\wgAkEam.exe |
| C:\Windows\System\yijgihj.exe | C:\Windows\System\yijgihj.exe |
| C:\Windows\System\aXcjMcb.exe | C:\Windows\System\aXcjMcb.exe |
| C:\Windows\System\gxAIKfF.exe | C:\Windows\System\gxAIKfF.exe |
| C:\Windows\System\vsVpqre.exe | C:\Windows\System\vsVpqre.exe |
| C:\Windows\System\uPKnRHC.exe | C:\Windows\System\uPKnRHC.exe |
| C:\Windows\System\qoRLWCu.exe | C:\Windows\System\qoRLWCu.exe |
| C:\Windows\System\KhhaQYd.exe | C:\Windows\System\KhhaQYd.exe |
| C:\Windows\System\hFkiHWi.exe | C:\Windows\System\hFkiHWi.exe |
| C:\Windows\System\dyWwWex.exe | C:\Windows\System\dyWwWex.exe |
| C:\Windows\System\sGenysT.exe | C:\Windows\System\sGenysT.exe |
| C:\Windows\System\XSUuiBb.exe | C:\Windows\System\XSUuiBb.exe |
| C:\Windows\System\dhSgOsX.exe | C:\Windows\System\dhSgOsX.exe |
| C:\Windows\System\WjxlfHw.exe | C:\Windows\System\WjxlfHw.exe |
| C:\Windows\System\uMhJNcr.exe | C:\Windows\System\uMhJNcr.exe |
| C:\Windows\System\NuUYVNv.exe | C:\Windows\System\NuUYVNv.exe |
| C:\Windows\System\DqiZGIw.exe | C:\Windows\System\DqiZGIw.exe |
| C:\Windows\System\SbkfuFZ.exe | C:\Windows\System\SbkfuFZ.exe |
| C:\Windows\System\wYXTOfb.exe | C:\Windows\System\wYXTOfb.exe |
| C:\Windows\System\hjoHinH.exe | C:\Windows\System\hjoHinH.exe |
| C:\Windows\System\zwBqucR.exe | C:\Windows\System\zwBqucR.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 23.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
Files
| SHA512 | 7593c894cc9879d6b79df4b5e6f02fa8ca3aeb68a3dfc8415c88da0d441b3c928f5db347c4b27b83eaa0d511e1b5d9a06ce475e2adfe561d2029ae9725c46ae2 |
C:\Windows\System\XSUuiBb.exe
| MD5 | 61b0c0de3d9024fe30d6e6694a14df6c |
| SHA1 | b190b86c0e502136b17412cb89b6a08542c5b6f5 |
| SHA256 | e086a634fadc3053a4f27caaba1039eba29513f0aba6da2e80f67797e6742ff6 |
| SHA512 | d88102668650ec13a4fbd9146fb5530c97bac49c6a4a16d07510b02815dec3af8a77d870c694e60bd02a865fb1e3c5d06a3eca22ddc7d0cc70e3c90e41cd4b14 |
memory/3608-67-0x00007FF7818F0000-0x00007FF781C41000-memory.dmp
memory/3412-60-0x00007FF7D20D0000-0x00007FF7D2421000-memory.dmp
memory/5104-50-0x00007FF682B20000-0x00007FF682E71000-memory.dmp
C:\Windows\System\DqiZGIw.exe
| MD5 | a25ec57e554fece67f65821b2fb76a20 |
| SHA1 | 523b9dd548d328e8eff8e8c4616fa38cb25b0004 |
| SHA256 | 4de55082c86144a91bad373bf4f58069105c0ce8fe1f4e5994a98d837519b1fa |
| SHA512 | 1ae184d92126b17e94e17cfba91425cb540d7bc45b026a699c9d012b3dd50636266524194f05e0a2b2c62ba79d600b008118c2ef03ca4b30324505e66634d86b |
memory/3780-102-0x00007FF7BBDE0000-0x00007FF7BC131000-memory.dmp
C:\Windows\System\wYXTOfb.exe
| MD5 | 60d5bc78cd31e553d5f9aa9cb7c3856a |
| SHA1 | 8e58708550e37b9f07976f3e9c6cda9b17786c95 |
| SHA256 | 4fd176a1883ddc243d2509f43383d80e9d169f1b791c2b13ace57ae66d32fd03 |
| SHA512 | 5b075a24d996ea5cf2436cccc7ad991f6341c909df5a9dd43bbd7647807bcafc3758d1f42a564678549b7538073c42b9f8a7ed19143bfb773fdf477b435e3985 |
memory/3264-114-0x00007FF7D2080000-0x00007FF7D23D1000-memory.dmp
C:\Windows\System\hjoHinH.exe
| MD5 | dbd3d2e8157875bc050e0f598ba2b4d0 |
| SHA1 | c5bb4b69d98f6613f3329c271010fdf0c057d656 |
| SHA256 | d02d1403eac7aaaee032c93099dd929db6ae9b0143a7f2b864725c8aff96423f |
| SHA512 | 5971ee43a46f4895ee20a2d80f2de1fcc40227da88bfb0a9fdc067adabc72555e6988efaa90a384ec6730a97341d440fd8017f67c6d6884d314a4f4a22292e44 |
memory/928-118-0x00007FF7214F0000-0x00007FF721841000-memory.dmp
C:\Windows\System\zwBqucR.exe
| MD5 | 90e8422f08af7617ef559c8ca6752c17 |
| SHA1 | e9d1c6e11631e4f7399f5c3e4199ce50accd9fa3 |
| SHA256 | 7bfa97b5d986fd00db06fa701cb789347e0e8859adca234209a0592b3b141c8c |
| SHA512 | 2160051f2b099b2b4aecffd22d3d7077e61a62e1f1c2b8aae8410a747323c7bf24f364e39a2854b078f22b643f5a208d1ba164e0b8a66e90c6d5d534d12c7d46 |
memory/4028-126-0x00007FF728550000-0x00007FF7288A1000-memory.dmp
C:\Windows\System\SbkfuFZ.exe
| MD5 | ba3c23b6f6b877824aa4a8942790f3cc |
| SHA1 | ed887073791b06db28e2bbadff4efc1bea2ac578 |
| SHA256 | deab2d6f7f3264aedf6b7d1c4a12250bf6bc4780689fe5028ee5b90a5b980b85 |
| SHA512 | ae1bfe29df15ae06161fc65581e6711b5141aef052961891106e6bdd20b14242ba05a5093a21bed85cb159143694a93804ad6a71ba8b3ebb66347296a4e9d2bb |
memory/3240-115-0x00007FF676F90000-0x00007FF6772E1000-memory.dmp
memory/1656-111-0x00007FF79F4E0000-0x00007FF79F831000-memory.dmp
memory/4300-134-0x00007FF65C150000-0x00007FF65C4A1000-memory.dmp
memory/4628-130-0x00007FF701370000-0x00007FF7016C1000-memory.dmp
memory/5104-137-0x00007FF682B20000-0x00007FF682E71000-memory.dmp
memory/3608-139-0x00007FF7818F0000-0x00007FF781C41000-memory.dmp
memory/3412-136-0x00007FF7D20D0000-0x00007FF7D2421000-memory.dmp
memory/3240-129-0x00007FF676F90000-0x00007FF6772E1000-memory.dmp
memory/3908-133-0x00007FF743090000-0x00007FF7433E1000-memory.dmp
memory/3956-145-0x00007FF7D87F0000-0x00007FF7D8B41000-memory.dmp
memory/3780-146-0x00007FF7BBDE0000-0x00007FF7BC131000-memory.dmp
memory/5080-144-0x00007FF741710000-0x00007FF741A61000-memory.dmp
memory/3560-141-0x00007FF75F110000-0x00007FF75F461000-memory.dmp
memory/3264-148-0x00007FF7D2080000-0x00007FF7D23D1000-memory.dmp
memory/4028-150-0x00007FF728550000-0x00007FF7288A1000-memory.dmp
memory/928-149-0x00007FF7214F0000-0x00007FF721841000-memory.dmp
memory/1656-147-0x00007FF79F4E0000-0x00007FF79F831000-memory.dmp
memory/3240-151-0x00007FF676F90000-0x00007FF6772E1000-memory.dmp
memory/4628-206-0x00007FF701370000-0x00007FF7016C1000-memory.dmp
memory/396-208-0x00007FF651E30000-0x00007FF652181000-memory.dmp
memory/4308-210-0x00007FF7D8BB0000-0x00007FF7D8F01000-memory.dmp
memory/3908-212-0x00007FF743090000-0x00007FF7433E1000-memory.dmp
memory/4812-218-0x00007FF6AD380000-0x00007FF6AD6D1000-memory.dmp
memory/4300-216-0x00007FF65C150000-0x00007FF65C4A1000-memory.dmp
memory/5104-215-0x00007FF682B20000-0x00007FF682E71000-memory.dmp
memory/3412-222-0x00007FF7D20D0000-0x00007FF7D2421000-memory.dmp
memory/2440-221-0x00007FF64E070000-0x00007FF64E3C1000-memory.dmp
memory/1568-225-0x00007FF681410000-0x00007FF681761000-memory.dmp
memory/3608-230-0x00007FF7818F0000-0x00007FF781C41000-memory.dmp
memory/3560-229-0x00007FF75F110000-0x00007FF75F461000-memory.dmp
memory/4776-226-0x00007FF611570000-0x00007FF6118C1000-memory.dmp
memory/3924-232-0x00007FF7BD890000-0x00007FF7BDBE1000-memory.dmp
memory/3956-236-0x00007FF7D87F0000-0x00007FF7D8B41000-memory.dmp
memory/5080-234-0x00007FF741710000-0x00007FF741A61000-memory.dmp
memory/3780-239-0x00007FF7BBDE0000-0x00007FF7BC131000-memory.dmp
memory/1656-241-0x00007FF79F4E0000-0x00007FF79F831000-memory.dmp
memory/3264-243-0x00007FF7D2080000-0x00007FF7D23D1000-memory.dmp
memory/928-245-0x00007FF7214F0000-0x00007FF721841000-memory.dmp
memory/4028-247-0x00007FF728550000-0x00007FF7288A1000-memory.dmp
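The dropped-file hashes and memory dumps above are raw sandbox output, and the useful triage facts are buried in the naming: every `memory/PID-index-start-end-memory.dmp` entry in this report spans the same size (0x351000 bytes) even though each dropped EXE carries a different hash, and several PIDs (4300, 4628, 5104, ...) are dumped repeatedly at the same base address. The following Python script is an added example, not part of the sandbox report or of any tool it names; the function names are my own, and the embedded input is a few lines copied from the listing above. It parses the path / hash-row / memory-dump format, validates digest lengths, and derives the distinct region sizes, the PIDs whose image stayed mapped across snapshots, and a SHA256 blocklist.

```python
import re
from collections import defaultdict

# Lines copied from the dropped-files listing in this report (raw string:
# the backslashes in the Windows paths must not be treated as escapes).
SAMPLE = r"""
C:\Windows\System\uPKnRHC.exe
| MD5 | 5ab3bb9eedbe560e5a5de3900f3a6312 |
| SHA1 | c439cb81a976219b50c3b813991d53b8d39f2ca0 |
| SHA256 | a6cc13b31ec499251db099edf8f0ce9a5a3d5798913808a18522cc5d9cebced8 |
memory/4308-32-0x00007FF7D8BB0000-0x00007FF7D8F01000-memory.dmp
memory/4300-38-0x00007FF65C150000-0x00007FF65C4A1000-memory.dmp
memory/4300-134-0x00007FF65C150000-0x00007FF65C4A1000-memory.dmp
memory/4300-216-0x00007FF65C150000-0x00007FF65C4A1000-memory.dmp
C:\Windows\System\gxAIKfF.exe
| MD5 | 76f65ff8d6af68a62dbf39e146707887 |
| SHA256 | 3c4bbc1d7a4e37fbad1e8abd2de9bb9d4d1555d4cb7e2e15bcf862e6e98f43c0 |
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
MEM_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_report(text):
    """Return (files, regions).

    files:   {path: {algo: hexdigest}}. Hash rows that appear before any
             path line (the excerpt in this section starts that way) are
             kept under the key None rather than dropped.
    regions: [(pid, snapshot_index, start, end)] with addresses as ints.
    """
    files = {}
    regions = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("C:\\"):
            current = line
            files.setdefault(current, {})
            continue
        m = HASH_ROW.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                # A truncated or padded digest is useless as an IOC; fail loudly.
                raise ValueError(f"{algo} digest has wrong length: {line}")
            files.setdefault(current, {})[algo] = digest
            continue
        m = MEM_LINE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            regions.append((int(pid), int(idx), int(start, 16), int(end, 16)))
            continue
        # Headings, signature tables and other report text are ignored.
    return files, regions


def region_sizes(regions):
    """Distinct sizes of the dumped regions. A single value across many
    differently named EXEs is consistent with one PE image under many names."""
    return sorted({end - start for _, _, start, end in regions})


def persistent_pids(regions):
    """PIDs dumped more than once at the same base address, i.e. the
    image stayed mapped across sandbox snapshots rather than being unmapped."""
    snapshots = defaultdict(set)
    for pid, idx, start, _ in regions:
        snapshots[(pid, start)].add(idx)
    return sorted(pid for (pid, _), idxs in snapshots.items() if len(idxs) > 1)


def ioc_lines(files):
    """One 'sha256  path' line per named dropped file, for a blocklist."""
    return [f"{h['SHA256']}  {p}" for p, h in files.items() if p and "SHA256" in h]


if __name__ == "__main__":
    files, regions = parse_report(SAMPLE)
    print("region sizes:", [hex(s) for s in region_sizes(regions)])
    print("persistent PIDs:", persistent_pids(regions))
    print("\n".join(ioc_lines(files)))
```

Run it against the whole listing (paste the section into `SAMPLE` or read it from a file) and the size set collapses to a single entry, 0x351000; the hash table, by contrast, shows a distinct MD5/SHA1/SHA256 for every dropped path. That combination, plus the repeated dumps of the same base address per PID, is the evidence to carry into the detection write-up rather than the individual file names, which vary per drop.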