Analysis Overview
SHA256
845864b9e7b30155bbba6b676d5cb474133040e0d73d13d7b5d6cebff25a251c
Threat Level: Known bad
The file 2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
XMRig Miner payload
Xmrig family
xmrig
Cobaltstrike
Cobaltstrike family
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-13 11:49
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 11:49
Reported
2024-08-13 11:52
Platform
win7-20240705-en
Max time kernel
141s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\gxqyuzx.exe | N/A |
| N/A | N/A | C:\Windows\System\RWCzxZc.exe | N/A |
| N/A | N/A | C:\Windows\System\yLxOcbu.exe | N/A |
| N/A | N/A | C:\Windows\System\aLxeDQa.exe | N/A |
| N/A | N/A | C:\Windows\System\KxpBfWf.exe | N/A |
| N/A | N/A | C:\Windows\System\SitvTkl.exe | N/A |
| N/A | N/A | C:\Windows\System\aFxdURB.exe | N/A |
| N/A | N/A | C:\Windows\System\hCDrqZJ.exe | N/A |
| N/A | N/A | C:\Windows\System\gIQcCQb.exe | N/A |
| N/A | N/A | C:\Windows\System\cRmdQAc.exe | N/A |
| N/A | N/A | C:\Windows\System\gCqeBux.exe | N/A |
| N/A | N/A | C:\Windows\System\MvnPKAu.exe | N/A |
| N/A | N/A | C:\Windows\System\UJFSLJW.exe | N/A |
| N/A | N/A | C:\Windows\System\lgddCBN.exe | N/A |
| N/A | N/A | C:\Windows\System\MYHCrIr.exe | N/A |
| N/A | N/A | C:\Windows\System\OfhnEms.exe | N/A |
| N/A | N/A | C:\Windows\System\IgOAnZC.exe | N/A |
| N/A | N/A | C:\Windows\System\iXtDCdc.exe | N/A |
| N/A | N/A | C:\Windows\System\wkJffJO.exe | N/A |
| N/A | N/A | C:\Windows\System\XwPjGEc.exe | N/A |
| N/A | N/A | C:\Windows\System\BaIzVqz.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\gxqyuzx.exe
C:\Windows\System\RWCzxZc.exe
C:\Windows\System\yLxOcbu.exe
C:\Windows\System\aLxeDQa.exe
C:\Windows\System\KxpBfWf.exe
C:\Windows\System\SitvTkl.exe
C:\Windows\System\aFxdURB.exe
C:\Windows\System\hCDrqZJ.exe
C:\Windows\System\gIQcCQb.exe
C:\Windows\System\cRmdQAc.exe
C:\Windows\System\gCqeBux.exe
C:\Windows\System\MvnPKAu.exe
C:\Windows\System\UJFSLJW.exe
C:\Windows\System\lgddCBN.exe
C:\Windows\System\MYHCrIr.exe
C:\Windows\System\OfhnEms.exe
C:\Windows\System\IgOAnZC.exe
C:\Windows\System\iXtDCdc.exe
C:\Windows\System\wkJffJO.exe
C:\Windows\System\XwPjGEc.exe
C:\Windows\System\BaIzVqz.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 11:49
Reported
2024-08-13 11:52
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
154s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\quOoqbT.exe | N/A |
| N/A | N/A | C:\Windows\System\SXjHDTv.exe | N/A |
| N/A | N/A | C:\Windows\System\rmjLTHM.exe | N/A |
| N/A | N/A | C:\Windows\System\QSqROvr.exe | N/A |
| N/A | N/A | C:\Windows\System\OigmrLX.exe | N/A |
| N/A | N/A | C:\Windows\System\hShKRhW.exe | N/A |
| N/A | N/A | C:\Windows\System\EEpaweU.exe | N/A |
| N/A | N/A | C:\Windows\System\loLnhvd.exe | N/A |
| N/A | N/A | C:\Windows\System\mFzevaY.exe | N/A |
| N/A | N/A | C:\Windows\System\UBmKsML.exe | N/A |
| N/A | N/A | C:\Windows\System\DuisWPi.exe | N/A |
| N/A | N/A | C:\Windows\System\MNafKrC.exe | N/A |
| N/A | N/A | C:\Windows\System\njCJbho.exe | N/A |
| N/A | N/A | C:\Windows\System\SEtRUrM.exe | N/A |
| N/A | N/A | C:\Windows\System\BBGnksf.exe | N/A |
| N/A | N/A | C:\Windows\System\xGzHhgs.exe | N/A |
| N/A | N/A | C:\Windows\System\GinJJlz.exe | N/A |
| N/A | N/A | C:\Windows\System\iNZKasB.exe | N/A |
| N/A | N/A | C:\Windows\System\LZBJSNV.exe | N/A |
| N/A | N/A | C:\Windows\System\RJNUoti.exe | N/A |
| N/A | N/A | C:\Windows\System\jGfIkXF.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-13_598e30d8e379a06c25c37cbd7198c114_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\quOoqbT.exe
C:\Windows\System\SXjHDTv.exe
C:\Windows\System\rmjLTHM.exe
C:\Windows\System\QSqROvr.exe
C:\Windows\System\OigmrLX.exe
C:\Windows\System\hShKRhW.exe
C:\Windows\System\EEpaweU.exe
C:\Windows\System\loLnhvd.exe
C:\Windows\System\mFzevaY.exe
C:\Windows\System\UBmKsML.exe
C:\Windows\System\DuisWPi.exe
C:\Windows\System\MNafKrC.exe
C:\Windows\System\njCJbho.exe
C:\Windows\System\SEtRUrM.exe
C:\Windows\System\BBGnksf.exe
C:\Windows\System\xGzHhgs.exe
C:\Windows\System\GinJJlz.exe
C:\Windows\System\iNZKasB.exe
C:\Windows\System\LZBJSNV.exe
C:\Windows\System\RJNUoti.exe
C:\Windows\System\jGfIkXF.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 84.65.42.20.in-addr.arpa | udp |
Files
memory/2248-0-0x00007FF67EC00000-0x00007FF67EF51000-memory.dmp
memory/2248-1-0x00000265D6C80000-0x00000265D6C90000-memory.dmp
C:\Windows\System\quOoqbT.exe
| MD5 | 2ed7d5d4377856e1940ba788667d2089 |
| SHA1 | 226658813a6ec46e19bdd2a4fdfe0926c8eb124f |
| SHA256 | cce8b08ab210560359ed19bb1c92cec873595727cd7b8ed60485e31b0da8ea42 |
| SHA512 | a02e5e258ad857eafb064b5b329ebaa9dfee819ce26ecb188997254b8fa0c616e900377821882bfd77c70e4dd58a22be91aec9a608b72c3648e8322fb82310dc |
C:\Windows\System\SXjHDTv.exe
| MD5 | 03bb8f7d0f18e1dc4c6ba12ca37e8ba4 |
| SHA1 | 2d6b4abe16f6c0519581393f7d4bb7a145fe97fe |
| SHA256 | 38dcc3aa84211f9033c96c7e254fefce3d46e2d97c8722e272e6488dc3a4b7f7 |
| SHA512 | c3f19273898b3855211fd8c28d03b9a5895e47689d8efd3813f1e88dfe7d4f53cb64326f3cf529a3e9c1a422f5e9e0306998968941468328470f13d51001a93c |
memory/4948-14-0x00007FF7DC900000-0x00007FF7DCC51000-memory.dmp
memory/1000-12-0x00007FF7EEB50000-0x00007FF7EEEA1000-memory.dmp
C:\Windows\System\rmjLTHM.exe
| MD5 | eec3556c2f335b37240f282d73f325f5 |
| SHA1 | 331ae3dc19396aebf25b91f02d7b70acc5f6ac86 |
| SHA256 | bb77eecf9112deba8886e7a94800ced2da22af4afa620382ff72d43d27a52c10 |
| SHA512 | 28fab65eaf72483904a41e6f1215ec0e5487320d36a208c408a3ae50df8d258e06ce1660d06fdc8a275cc2230995bbf16bd391854c06d5ca0f660dab5cd05d59 |
memory/3976-20-0x00007FF62F5E0000-0x00007FF62F931000-memory.dmp
C:\Windows\System\QSqROvr.exe
| MD5 | ad1b31e32c8f0f186b849b73b8905b8b |
| SHA1 | 656b25cfea3cce87ae340ff3b0c6ea280dce3ac2 |
| SHA256 | 993e3376d28e4a0d0c9dc0fc92c3840f117f5a977bc030a313f22884522d0758 |
| SHA512 | 85a3a165683e31455919530e01b35e90e3d9342fc8f48ce773a0db700a813daaa7912ecc7817cacf47fe0d397a485003b353d5451a8051f4a35164368763dd3b |
C:\Windows\System\OigmrLX.exe
| MD5 | 9e70e11908b259385c8c3b8c719b957c |
| SHA1 | 749d86a04aeaaba3532576b6bafee58a6d93ce63 |
| SHA256 | 7bd69622f9cc3505a8ca57109a4cd3f3cdaa77bb58cf8f5fc0b1ecec02679cbb |
| SHA512 | 771a8c8dec982f767adb5316f1880c7a3a526e8756a23cd400963c291e027810e226752ad43b6e7c1e6e80dfa3d3ac2c7d382f3864a7bfdcefabd1afca88ea7d |
memory/2128-32-0x00007FF6CE990000-0x00007FF6CECE1000-memory.dmp
memory/1440-28-0x00007FF7B9700000-0x00007FF7B9A51000-memory.dmp
C:\Windows\System\hShKRhW.exe
| MD5 | 216c8a75359e24279f3e09340b024958 |
| SHA1 | 99bb04d218bd8534fce428dc184fe6d455215690 |
| SHA256 | 68e4b53084d2d49879d2ac49b5cf501017bde5e5bf5a608d0a2c3754b7a84832 |
| SHA512 | 2bf8cecfdae0075afcb170aeb31044068db1cae1c429501932d464d27a6526db72ce60dc43c7f21f0496b25e9e69fde4da735a5537b89faf9ec002fb642e716c |
memory/2700-36-0x00007FF62EF30000-0x00007FF62F281000-memory.dmp
C:\Windows\System\EEpaweU.exe
| MD5 | db62cdb8c83aa8e0dc7c1ceb5cee23d5 |
| SHA1 | c886446f9106f5183600a76d3d5be90c3e65aa7a |
| SHA256 | 966df473c8fb7d92c2608ce94d6b50f271d29807adf02b5c1b2cfa8a8f5a051e |
| SHA512 | 30f5c2c8225f3dac098fbeeab2c16b69c2b6ff409a457733fdd10e31b3998444474c67a1ea18366e62368b35f594ea9aec207599c842f5d695a9f16b777932f3 |
C:\Windows\System\loLnhvd.exe
| MD5 | 2bf254070884298f25f24cd6b376b6b7 |
| SHA1 | 1b01a46ef7d63611f2f38da636bd1f3013e8a0bf |
| SHA256 | 1b798f1b05378d74f890eb57c314047e38dc5d1d0d32238772eeff54d010c446 |
| SHA512 | 2a6abc55765b79ee27c12373f48346ccfbaad57ab0b201dcafaed31696cbf9203b983fa37808e775e86777d7390b5a484ee832fba1bbb1374b86f6247246d9ff |
C:\Windows\System\mFzevaY.exe
| MD5 | 8508661505956340be5984a9031f450d |
| SHA1 | 054cf943ffe4c68dba3f40594bab30e6867e5405 |
| SHA256 | 81569232e1b16a3810a33a619792edf450af6288bf64aef59ac7a9a45d75edf5 |
| SHA512 | 775954121fc3faffd41825df234687d7b1344e24033bd74c07394589b8345d163729b6c4f5c1c9a293a317a0326723173036088b7c9b66ffd847267a2b337608 |
memory/2352-56-0x00007FF6181B0000-0x00007FF618501000-memory.dmp
memory/4500-50-0x00007FF6DA9D0000-0x00007FF6DAD21000-memory.dmp
memory/740-42-0x00007FF6E9ED0000-0x00007FF6EA221000-memory.dmp
C:\Windows\System\UBmKsML.exe
| MD5 | 9bdc17c6b43282f60d835d2053d7d50f |
| SHA1 | f34c992ad59e0b2317edefaf70469eaa4661fa99 |
| SHA256 | 7af915594b8ce70e5ea3b0b793582a213479c527a3180cc3f7bd8789271bdfa0 |
| SHA512 | a83d85fdafb64965730db6aa48eec4558c5981dd32f3a383ab10f08f1b6433fab248f8657b2b4964dbdd9cf9f320de43e5fcce7637c2a3a10e0f96cf8d740685 |
memory/3448-68-0x00007FF6EC9D0000-0x00007FF6ECD21000-memory.dmp
C:\Windows\System\MNafKrC.exe
| MD5 | d8b41482954634719cfb2b66b0ab78d6 |
| SHA1 | 8a02289f47d76c5f2dd9774e3aadcc0ea2452740 |
| SHA256 | a24e3fa06d0c910c73f2d0fb315e66eb98bfff5881e1d37f766d126eb6925e8c |
| SHA512 | 245d057a06163b0fbe558863ca3831189e6cfd5e277d047e21f92b608e4117d6746a1c1aceba4d59f4de5693fe35d71eb5656e4688738260d8897f9c9772f7e6 |
C:\Windows\System\njCJbho.exe
| MD5 | 9d1f02af485999a4fc3f0c7784c433b1 |
| SHA1 | 8ab3446738964dbf352f56bba5c340d6668b500d |
| SHA256 | 2a366c9543da8ed08ca4f23f91706e05ea3a3f4dde35a2a4c466ff5335d043bb |
| SHA512 | 4b2fc18626e52297228d820bd3e6c1eb368e1f4a649daa8d6fae0dda1c75f88714876b9f84ac66d5d97a5566251f6d9563601918462a9141c535d3e0c52f4478 |
C:\Windows\System\xGzHhgs.exe
| MD5 | 1774cd35f0580094fd82548368d2431a |
| SHA1 | 8acd1218f5696fd697efc8bf6e675c0c22bb4b8a |
| SHA256 | b4addfcbdb33b7dda0d4690e21911405d11c3e3ed62aa3a9255851141b13ab76 |
| SHA512 | 4cae071878a32ed5c500140979819ab66246b295f56fe006b7fae700d0ebbf7927b478e3b9fc655d8b9c2c54e0dccee65ed589f05db5b48ceecf1dc57fe24810 |
C:\Windows\System\iNZKasB.exe
| MD5 | 5fe31f76d36d4ba959b024b22a449b60 |
| SHA1 | 9b77f655d51cc4232c1a85c904e482dcfe7e3d87 |
| SHA256 | 17b542fd40e1c6071322d4a0f449c3011ffbd3f32960264da439942b8dc8a1e9 |
| SHA512 | 75ad86611bcc2e3fedd55b92b29898022b3a156e89dde2f7195d07726cd77ca10aa39f41a06d7d5716fb8cc81ec83260e949ddcc44d7af64f35e0ef210f976a3 |
C:\Windows\System\LZBJSNV.exe
| MD5 | 0fe80f1460440ac3444d89005547a311 |
| SHA1 | 0a6049d577119dd00469d16ee4210b0ed800b8ec |
| SHA256 | 6b28461b4f9b9ed8cadb6f00674316c0aa0d20d6ec260acdf380de772dc8a3be |
| SHA512 | 744183e8e28baccbf469afce87057dd1b9f0f729e49704ff828270e85f3256010e99ea9fb664b5474b6b7b64bbcb5ce4929d8cf0bedecaff0ea111bc4c347b5b |
C:\Windows\System\RJNUoti.exe
| MD5 | a9be11576312588bf34d9d6e95c01218 |
| SHA1 | 5cdbe10b42ff5facd0bea0e601f3082a96c8842b |
| SHA256 | b39fde143c2d8ae0e5ec1354cee5c8a2a116b4c151da728f6fd79f6d0d14b99d |
| SHA512 | 61142c24a1d1b7a1e5ac05cfd9e8ba3cca6ce16faa8f011ddbf7e6cce10d97fe36e3f828e56154a7eba1b5f0359ba862c24fef610195258952f4f58f89bdd15d |
C:\Windows\System\jGfIkXF.exe
| MD5 | 9e922b766f90617e4fb08871905452fa |
| SHA1 | 440e7e79485c95395f3f1fb5be2732b50da64263 |
| SHA256 | 2acefe981e6baa20e15f76b4e9bc8790018db51d8dfd4bb20050c39b1e9578b8 |
| SHA512 | cc5645680093ba57c10f1b2d70fe5ac7a8c556454c276969b851f69376b2708641f2380fa28458528a4f0b6115ca13bc08d07c75df1aa23e7b9f66dbcafb86bd |
C:\Windows\System\GinJJlz.exe
| MD5 | ff5403c3991c45a0ad173e39cae79141 |
| SHA1 | a6a7b511b0d2c2d6a754ce9df1d3dffbfeec186c |
| SHA256 | 452a38f49070f4360fcf4b2001de11c8b528251dbeaf43506618595ebb58b112 |
| SHA512 | e4f124bfa34734e16690e23b3ea90a4eb4d73caebddd2eda0fc6b7f01a4934d5bbe8f44f4d2d751205284a80034792fd29be7b9f77cb0d2a39ace70b63900953 |
C:\Windows\System\BBGnksf.exe
| MD5 | 1f50749d9b1e468e12d083a2ef0d9933 |
| SHA1 | 47efb7b4be645cb78f9915bfb02194fe3b0dc96e |
| SHA256 | d6f65be187a70e48d998c572d3854217f8bcfaf77aff5e0212e2aa92d0df3219 |
| SHA512 | 2dba7834c68315af83b659c3d235f7323eaa59c70aadd8776b79d1315e6fa2dca7d9ede71724b2259c63126a55d185e39b0d40863208d9a649b3e4b52b74b8c5 |
C:\Windows\System\SEtRUrM.exe
| MD5 | cd8b2081d67b5b7784362372f9337b7d |
| SHA1 | d4ea7fac471b007a76b541760e0fd4368b48d428 |
| SHA256 | 819f0eb27cadb3a0890ce91a4b3f9d0a0039d9eed8fb0363eb7104903efda96f |
| SHA512 | 1c8b5078208836df49188a89f66fa4814943b0abadb1ad86fa2dd06438e3ffa6de4a02f4224f5c8efceaded0019ee5e7f4ebefb665f754406d525192238ceb13 |
C:\Windows\System\DuisWPi.exe
| MD5 | ad4c9997eae69ab016c02557152e029f |
| SHA1 | e2d3ae525d7dc677d83eb5df4f2b332bdae2b5d6 |
| SHA256 | 20019840cbbc7c4c3732c24a81a290a0f2e6ce32049d484d44d2cb423bc6be49 |
| SHA512 | 3aa6943b1af9cee016b98566a9cd7cdf7238e7cddfbacf8530a95781b3d716cef1d2f90d2552967f782543c5ee08b7518805fa93147aa4d0ea26283fbac8a5ca |