Analysis Overview
SHA256
0ded469b0368f4d680688dc69a218552931e1fc78feaa68e4a981c1b189feb4b
Threat Level: Known bad
The file 2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
xmrig
Cobaltstrike family
Cobalt Strike reflective loader
XMRig Miner payload
Xmrig family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-13 11:50
Signatures
Cobalt Strike reflective loader
1 match (description, indicator, process and target all N/A)
Cobaltstrike family
XMRig Miner payload
1 match (description, indicator, process and target all N/A)
Xmrig family
UPX packed file
1 match (description, indicator, process and target all N/A)
Unsigned PE
2 matches (description, indicator, process and target all N/A)
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 11:50
Reported
2024-08-13 11:52
Platform
win7-20240708-en
Max time kernel
141s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches (description, indicator, process and target all N/A)
Cobaltstrike
xmrig
XMRig Miner payload
41 matches (description, indicator, process and target all N/A)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\XHanqSi.exe | N/A |
| N/A | N/A | C:\Windows\System\ooZFHrR.exe | N/A |
| N/A | N/A | C:\Windows\System\tFwslCX.exe | N/A |
| N/A | N/A | C:\Windows\System\BXeVRkd.exe | N/A |
| N/A | N/A | C:\Windows\System\mKIbRtn.exe | N/A |
| N/A | N/A | C:\Windows\System\LMHJYTQ.exe | N/A |
| N/A | N/A | C:\Windows\System\XsnDvpk.exe | N/A |
| N/A | N/A | C:\Windows\System\TtcBxLZ.exe | N/A |
| N/A | N/A | C:\Windows\System\APETBhb.exe | N/A |
| N/A | N/A | C:\Windows\System\DUHqOoM.exe | N/A |
| N/A | N/A | C:\Windows\System\PpsMoZW.exe | N/A |
| N/A | N/A | C:\Windows\System\FHulRji.exe | N/A |
| N/A | N/A | C:\Windows\System\siwHftl.exe | N/A |
| N/A | N/A | C:\Windows\System\FdFzDvw.exe | N/A |
| N/A | N/A | C:\Windows\System\foXOuoi.exe | N/A |
| N/A | N/A | C:\Windows\System\BJhdyon.exe | N/A |
| N/A | N/A | C:\Windows\System\FwlFsHR.exe | N/A |
| N/A | N/A | C:\Windows\System\oxiuALY.exe | N/A |
| N/A | N/A | C:\Windows\System\nswOQON.exe | N/A |
| N/A | N/A | C:\Windows\System\YsmRNOc.exe | N/A |
| N/A | N/A | C:\Windows\System\PMINowk.exe | N/A |
Loads dropped DLL
UPX packed file
64 matches (description, indicator, process and target all N/A)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\XHanqSi.exe
C:\Windows\System\XHanqSi.exe
C:\Windows\System\ooZFHrR.exe
C:\Windows\System\ooZFHrR.exe
C:\Windows\System\BXeVRkd.exe
C:\Windows\System\BXeVRkd.exe
C:\Windows\System\tFwslCX.exe
C:\Windows\System\tFwslCX.exe
C:\Windows\System\LMHJYTQ.exe
C:\Windows\System\LMHJYTQ.exe
C:\Windows\System\mKIbRtn.exe
C:\Windows\System\mKIbRtn.exe
C:\Windows\System\XsnDvpk.exe
C:\Windows\System\XsnDvpk.exe
C:\Windows\System\TtcBxLZ.exe
C:\Windows\System\TtcBxLZ.exe
C:\Windows\System\APETBhb.exe
C:\Windows\System\APETBhb.exe
C:\Windows\System\DUHqOoM.exe
C:\Windows\System\DUHqOoM.exe
C:\Windows\System\PpsMoZW.exe
C:\Windows\System\PpsMoZW.exe
C:\Windows\System\FHulRji.exe
C:\Windows\System\FHulRji.exe
C:\Windows\System\siwHftl.exe
C:\Windows\System\siwHftl.exe
C:\Windows\System\FdFzDvw.exe
C:\Windows\System\FdFzDvw.exe
C:\Windows\System\foXOuoi.exe
C:\Windows\System\foXOuoi.exe
C:\Windows\System\BJhdyon.exe
C:\Windows\System\BJhdyon.exe
C:\Windows\System\FwlFsHR.exe
C:\Windows\System\FwlFsHR.exe
C:\Windows\System\oxiuALY.exe
C:\Windows\System\oxiuALY.exe
C:\Windows\System\nswOQON.exe
C:\Windows\System\nswOQON.exe
C:\Windows\System\YsmRNOc.exe
C:\Windows\System\YsmRNOc.exe
C:\Windows\System\PMINowk.exe
C:\Windows\System\PMINowk.exe
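The Processes and AdjustPrivilegeToken sections above carry the two behaviours that are easiest to turn into a detection: the sample writes 21 executables with seven-letter mixed-case names into C:\Windows\System (the legacy directory, not System32) and runs each of them, and it enables SeLockMemoryPrivilege on its own token. The privilege is the one XMRig asks for on Windows to allocate large pages for RandomX, which is why a miner in a user's Temp directory requesting it stands out. The following detection pass is an added example and not part of the report or of any sandbox's code; the event dicts are a simplified stand-in for Sysmon event 1 or Security 4688 (process creation) and Security 4703 (token privilege adjusted), the field names and the allowlist are assumptions, and the sample events are constructed from the paths in this report.

```python
"""Detection pass over constructed process-creation and privilege events.

Added example, not part of the sandbox report. Event dicts are a simplified
stand-in for Sysmon 1 / Security 4688 and Security 4703; field names are
assumptions.
"""
import re
from collections import Counter

# The dropper writes into C:\Windows\System (the legacy directory), not System32.
WINDOWS_SYSTEM_DIR = "c:\\windows\\system\\"
# Seven alphabetic characters plus .exe: the naming pattern in this report.
RANDOM_NAME = re.compile(r"^[a-z]{7}\.exe$", re.IGNORECASE)
# Processes allowed to enable "Lock pages in memory" (assumption: tune per
# estate; SQL Server is the usual legitimate holder).
LOCK_MEMORY_ALLOWLIST = {"sqlservr.exe"}
MASS_SPAWN_THRESHOLD = 5


def basename(path):
    return path.rsplit("\\", 1)[-1]


def is_dropped_in_windows_system(image):
    """True for C:\\Windows\\System\\xxxxxxx.exe; false for System32 and subdirectories."""
    low = image.lower()
    if not low.startswith(WINDOWS_SYSTEM_DIR):
        return False
    tail = low[len(WINDOWS_SYSTEM_DIR):]
    return "\\" not in tail and RANDOM_NAME.match(tail) is not None


def detect(events):
    """Return (rule, image) findings for an event stream."""
    findings = []
    spawned = Counter()  # parent image -> number of flagged children
    for ev in events:
        if ev["type"] == "process_create":
            if is_dropped_in_windows_system(ev["image"]):
                findings.append(("exec_from_windows_system", ev["image"]))
                spawned[ev["parent_image"].lower()] += 1
        elif ev["type"] == "privilege_adjust":
            if (ev["privilege"] == "SeLockMemoryPrivilege"
                    and basename(ev["image"].lower()) not in LOCK_MEMORY_ALLOWLIST):
                findings.append(("lock_memory_privilege", ev["image"]))
    for parent, n in spawned.items():
        if n >= MASS_SPAWN_THRESHOLD:
            findings.append(("mass_spawn_from_windows_system", parent))
    return findings


SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe")

# Constructed events modelled on the Processes and AdjustPrivilegeToken sections.
SAMPLE_EVENTS = [
    {"type": "privilege_adjust", "image": SAMPLE_PATH, "privilege": "SeLockMemoryPrivilege"},
    {"type": "privilege_adjust", "privilege": "SeLockMemoryPrivilege",
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"},
    # Benign: svchost also has a seven-letter name, but it lives in System32.
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
] + [
    {"type": "process_create", "image": "C:\\Windows\\System\\" + name + ".exe",
     "parent_image": SAMPLE_PATH}
    for name in ("XHanqSi", "ooZFHrR", "tFwslCX", "BXeVRkd", "mKIbRtn")
]


def main():
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule:32} {image}")


if __name__ == "__main__":
    main()
```

The name pattern on its own is not a signal (svchost.exe is also seven letters); the directory is what makes the rule tight, and the mass-spawn count is what separates this dropper from a single stray binary.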
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2884-0-0x000000013F700000-0x000000013FA51000-memory.dmp
memory/2884-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\XHanqSi.exe
| MD5 | 86fa59ec11f939e5a9237391543b320d |
| SHA1 | bbe175f47417a95a4dc22e67460a213de57b31d6 |
| SHA256 | dac458d9b9de03c6b0358ac0401ce973e759e90b28285109e6116e3ab3857d2b |
| SHA512 | 52e717d1272a1fa08a79f518eabeebc3df32ac17e3a22f683f01de15b31a965eb764f9ccb0e96dbe12f57ce358b189265b3efe6ce731c4dd8d19c9105a180312 |
memory/2884-6-0x000000013FFA0000-0x00000001402F1000-memory.dmp
memory/2728-9-0x000000013FFA0000-0x00000001402F1000-memory.dmp
C:\Windows\system\ooZFHrR.exe
| MD5 | 7a85ba9dd1ac229b8a2b69838049111b |
| SHA1 | 55bd436d226d4df4d759aa3d48385efbcdb123d3 |
| SHA256 | 374f0faa8b4c0e90c63f645b08eaed9a061e16ad2941c4fa19a7d0fa3631f68d |
| SHA512 | fdef40676334a7c1d9bfcb7f6ac69a1efd692ec2aec1d77d9b17ca2bfd0abe1f5dfb786486deebbb330a7fd59a34f57f21e43f16f6234144226251721e852c2a |
memory/2884-15-0x000000013F2E0000-0x000000013F631000-memory.dmp
C:\Windows\system\tFwslCX.exe
| MD5 | 5623d65846c4ae92bccccef515a3c53e |
| SHA1 | d9336f6faccb65cb38db95ef7971e8f75e56d662 |
| SHA256 | 71ea8c354240fa7ac580b325fc01ff5d198147402f807edb4ee685ddbbf58db6 |
| SHA512 | b5da32e6393beab2e09ead75403a09beed871acb737caad1b2955c4556e469850c8be297690ff9263c0b3a27b1d636099c505fbf29436a2f7135d2bc5cd954cc |
C:\Windows\system\BXeVRkd.exe
| MD5 | b94cebbcb6172568912ef4847ae14681 |
| SHA1 | e1f1b953b889b194bf63c4718d4fc068d497b6ee |
| SHA256 | 41c322e9ff44295de0edc3640ab0bafd75b145bcdceaf411cb56c96deec833b1 |
| SHA512 | 01d4f61d27e0435c4a778e43423dfa4691ddc7df28ceb1b2ede1336c664b15fc4eecf1101079ea0916f65f221d2209b3f13793b053ab362344de5a7738fededd |
memory/2740-27-0x000000013FD30000-0x0000000140081000-memory.dmp
C:\Windows\system\LMHJYTQ.exe
| MD5 | e63c7f25d4f079fa8e194ff707a17842 |
| SHA1 | 2b616655c40a7c63fab84050b56d11195092e31d |
| SHA256 | aa79d1cf5db65e058bf8e4a1c92e5f72ba1c58c99aac5f1627e5b1af196eec0f |
| SHA512 | 59bf730aa910c14fef40e079f2cf76e7d992b1df9684d7e51f7c1445cde880ac12c8f027d12346ab632e8a372f8c13bfc71852cc641a73f4ea887d112ae1ce30 |
C:\Windows\system\mKIbRtn.exe
| MD5 | c4e6459c6a6c44b38faed4e78e54dc1a |
| SHA1 | dd6c5f89f743cac5bfcd664501f495f6cf4fdfc2 |
| SHA256 | 0d4182c209c4096b4a65f53fd556265a175ab91711522253979f89d7bc7b48e3 |
| SHA512 | bdc9ccbded378ce5bb242485721923d4fedc5145306e9c5ca9b634d37824ab27b6c9a97a6a1141fdae162b6669a6936bdb71de49d6eef9043e87002c9cfb3bf0 |
memory/2852-19-0x000000013F2E0000-0x000000013F631000-memory.dmp
memory/2660-41-0x000000013FE80000-0x00000001401D1000-memory.dmp
memory/2884-33-0x000000013FFA0000-0x00000001402F1000-memory.dmp
memory/2908-32-0x000000013F740000-0x000000013FA91000-memory.dmp
C:\Windows\system\TtcBxLZ.exe
| MD5 | 8c0e3fcaf469784d1ba8ff887f52d625 |
| SHA1 | 069c832f21d1387d83f3488f03a153c8345bcfc5 |
| SHA256 | aa92e6f2f60017bdbb15e4a24e514520ccf7ebd6b48108807499af201b34d398 |
| SHA512 | 795d16827d2ebd4ee37a721acf27af7f54034b2c6f52219f2fdcac570a2a38643ede2195205271d1c4dcbb04aa98781cbb5a94a61aeff159e787c0c91d0a43a1 |
memory/380-55-0x000000013F3D0000-0x000000013F721000-memory.dmp
memory/2652-49-0x000000013F3D0000-0x000000013F721000-memory.dmp
memory/2728-68-0x000000013FFA0000-0x00000001402F1000-memory.dmp
memory/852-69-0x000000013FED0000-0x0000000140221000-memory.dmp
memory/584-61-0x000000013F2F0000-0x000000013F641000-memory.dmp
memory/2060-83-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/2884-96-0x00000000022F0000-0x0000000002641000-memory.dmp
C:\Windows\system\oxiuALY.exe
| MD5 | 868792d988e9b34357c2ba69ede23343 |
| SHA1 | 63666d568ab2354498a7f614d7ed52b3011bf876 |
| SHA256 | 4c4ba5796dea8da25705c81539effe1dac12e5acf31047fdee6708747770b0d5 |
| SHA512 | f0ee3fe63041dcbbe2b2197d95bb6a3af0383e8528aba8b286634d5a025b0e18614cf6e1937b95ddba63b8575f9d62eeb63255da6f5665bca7939fa706345f04 |
C:\Windows\system\YsmRNOc.exe
| MD5 | e935c488f2737f1834a15ad749c92382 |
| SHA1 | b74a3c98109782c2b4846af51626cc914817166e |
| SHA256 | c6cb01cb7f50ec38a305a69c0f67cfe8712696edf849cf1a979b913a01ba3ab0 |
| SHA512 | 4a5c6df099fbfe23042f41ff917016d3959e768cfbbf93320f7bf6f0f5513fcad22e49ebdfdb9b59e4bf013ff6e37b2fce13a8240fd6e9b8fbe4e94c6c590584 |
\Windows\system\PMINowk.exe
| MD5 | 9a261ac68a113f4749bd27e0e289e8c2 |
| SHA1 | 5d4e7219f952d7775d80ebaf9385be2739b88361 |
| SHA256 | d656605c1078637feb0d3fdc1fbe6467297b50f180fcae0967c27d6649c1c41e |
| SHA512 | b321318ef122627860b09671cac9136e18499d17b78fe7fd198513dedb17bb2222d4f52f8d37cf6fccf8afa79fcbfdae8a58c4ef2711ade799c83eac9ab88d65 |
C:\Windows\system\nswOQON.exe
| MD5 | 85616bcad8e3c5424c65fd3f7cdedb5e |
| SHA1 | 349fbc8f2307920d7f913117c3e93163dc1a534b |
| SHA256 | 90d35535d94b52f821fd4de6f07a51d4e718d6573e9ff1dc5ba06796763373a8 |
| SHA512 | f2d56b9b8947fcff7f4d6fa2c18c8a91f6f36e7fd3a35ac87cd9ff54b8d9fac5419adf452b6e8becd555afaf4dbcf7f55bdf8281199df6b1ce131c9f921c87f8 |
C:\Windows\system\FwlFsHR.exe
| MD5 | 4247d609adb3c0bed702e8720b7777f2 |
| SHA1 | 447ce12363c507f2040812fd4e2dca6b0869418d |
| SHA256 | a5522a4264c56256e06e435088d7028d870bf31419debe7c7342e15e964b2cdc |
| SHA512 | 3d4c477d816ce648522fb7d42f3914d735597e5d3bcfeba3abdc32ffb055ff48ca84efacc0fee4fa6e48671adc27ced3fbbd524f87853012491e792c4af45e35 |
memory/2884-104-0x00000000022F0000-0x0000000002641000-memory.dmp
memory/2908-103-0x000000013F740000-0x000000013FA91000-memory.dmp
C:\Windows\system\BJhdyon.exe
| MD5 | fcbdff7368d5e525560416255d70d3b4 |
| SHA1 | 7b48eb5b89b2bc0a1b50dc3683dd42559602d5f9 |
| SHA256 | eea5017ca6336a117f3f12a1a831cccf1c716bb1b4d3b5a865156f72caf64753 |
| SHA512 | bf415cd9389e85476ab67d7f5c51df5cee0d1acb495657d63c902276f9c704e7652989cd206e08988bdd8bd44a6e34b960ae91624528898b18278032bc26433e |
C:\Windows\system\foXOuoi.exe
| MD5 | 085f1ed145656e6c6a290dd7896339c4 |
| SHA1 | e358058c356ba16ac85c23504b1ef2139921c677 |
| SHA256 | a4ad09356e75fc9bf061bb357b5d167b5a4bbd9bc8ee6865d796382c050526f0 |
| SHA512 | 3fce46ed811a55cdd6902292f784406f48f70a339ebcd787638110b3573e303a3f26f7242d3431c62431a3cad06e13287c3315af073365636745176eed5c0813 |
memory/2600-136-0x000000013FFA0000-0x00000001402F1000-memory.dmp
memory/2660-135-0x000000013FE80000-0x00000001401D1000-memory.dmp
memory/2236-97-0x000000013F4A0000-0x000000013F7F1000-memory.dmp
memory/2740-95-0x000000013FD30000-0x0000000140081000-memory.dmp
memory/2700-89-0x000000013F4B0000-0x000000013F801000-memory.dmp
C:\Windows\system\siwHftl.exe
| MD5 | f7bf9ed0274b04887bcca70b3d58e71c |
| SHA1 | 6a4a4534744a8b844512c1c1c27bfa5d5dd3d345 |
| SHA256 | 165e6bd01e9bcdf4887e8f7fac354ca82a41257cf3c4deeb538cad9172d198bd |
| SHA512 | 928c9787ac64d0117e626b43f4fb3d857ee80202c7f1ee97ed60416b8311d9f0802b44a5d9c899a077ffe6eb0eae6fcfeab4b4342ea2b89275bac367fb48be38 |
C:\Windows\system\FdFzDvw.exe
| MD5 | 0446a241958390d883907dd29dc9b0de |
| SHA1 | 2a77c8bbc47c5afece81e8d338b28239f22216c3 |
| SHA256 | 99d7ab8fa333f1203cb13ce78e52866f9986db808b4b8d3007a1c6b966d17a5b |
| SHA512 | d469ed9faaea0b5426037e4d589a2ed1a097e2eeeef17bed8d8447943eec0691bf777effb3ffb22f60b1b47fc7f94ba686c0a6647d53518020b9d4d32dbccb35 |
memory/2884-82-0x000000013FB70000-0x000000013FEC1000-memory.dmp
C:\Windows\system\FHulRji.exe
| MD5 | 5ec2e4a44f00883cc26319de250503ff |
| SHA1 | e4efa2aed60fd3baefbfd7cbf267ee42c397aad9 |
| SHA256 | c5da6c2e87ae238c60382a4315a07ae9404f1bd924ac92dbb1987ef6d1226363 |
| SHA512 | 1487ec1d82c3bc2e27ffd8734a985d870f2f299dafe5b54f3e81ff0a7ef90a3aeaa47531b523bdeb2bb816ad5ba3ac80c677c5b42aca9cebc5f2010bc6aba7ad |
memory/2256-75-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/2884-74-0x00000000022F0000-0x0000000002641000-memory.dmp
memory/2884-73-0x000000013F2E0000-0x000000013F631000-memory.dmp
C:\Windows\system\PpsMoZW.exe
| MD5 | fb16ca09448e037153066b8843d6fe37 |
| SHA1 | bdedc9eeac0640b030cf65e110f974a892997acf |
| SHA256 | 12013d26fe614db203bb7f5627d71b69e58f0ff20957dab126ead6ec26f241b0 |
| SHA512 | 5ff3cc855a07befd3861e0791a106d0f4314256412c33af40ecee3a3f196112b28fc18c1f097402b56bf54df4812aea75e9cefd306b8c305c4a41438491deb5c |
C:\Windows\system\APETBhb.exe
| MD5 | 71f0940fb755c24fb20aef3c5cdc4676 |
| SHA1 | 68b8bfc22233fb26f0b4cca8b27bb81351f3a92d |
| SHA256 | fefd04710b6fe89aba19625740fa3ef9e34eb2f9969bdaa1a5b58e4ce3c72b01 |
| SHA512 | ebd849cfed228a88d6461df0ff2fcd5504fa3ad8263c1c5fc35e1cc6823a17eb69b5649a080432c1720b6145ba2c04c2c0f6b5ea7ffbec3713f65f8183cbb1d7 |
C:\Windows\system\DUHqOoM.exe
| MD5 | fa7d7ded3457cbda91d7cdde466f0dc8 |
| SHA1 | b59c48f105bf81ed6233dfd37788443ab285f505 |
| SHA256 | 011c6d73002dc8a1d54336658f90c4cc1e848bd9fa9be14ae53f07130bde3264 |
| SHA512 | 641bb1f1f4f6b96ca8f4fd3b75e2625576a97a47cc4644995e7ef40a7b36aca56bb564227a9b2cf4abf973024fdca8339fd347d58154d1aeaf387df2b0d74da7 |
memory/2884-48-0x00000000022F0000-0x0000000002641000-memory.dmp
C:\Windows\system\XsnDvpk.exe
| MD5 | 805dfb456f6a7a40419f8e8aa6bd3748 |
| SHA1 | 195fceda17426757289bd067fefd2baae4a300c3 |
| SHA256 | f5e2f5cdd550c315a9274f1b5c4dab6b680bd72f4cb0126a808efc6bb3503e4b |
| SHA512 | 3193755a0d2f0aceacb9051c5673cf6d21792c5d2b551c62ffa7e1cbd74ab907d7b19b6d5ae656a4468a083e74540ff5bbd435a41f815c4bdc2707b51ab4992b |
memory/2884-54-0x000000013F700000-0x000000013FA51000-memory.dmp
memory/2884-39-0x000000013FE80000-0x00000001401D1000-memory.dmp
memory/2884-25-0x000000013FD30000-0x0000000140081000-memory.dmp
memory/2884-22-0x00000000022F0000-0x0000000002641000-memory.dmp
memory/380-137-0x000000013F3D0000-0x000000013F721000-memory.dmp
memory/2884-139-0x000000013F700000-0x000000013FA51000-memory.dmp
memory/2600-144-0x000000013FFA0000-0x00000001402F1000-memory.dmp
memory/584-148-0x000000013F2F0000-0x000000013F641000-memory.dmp
memory/2256-150-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/2236-153-0x000000013F4A0000-0x000000013F7F1000-memory.dmp
memory/2060-151-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/2692-155-0x000000013F230000-0x000000013F581000-memory.dmp
memory/1956-160-0x000000013FB80000-0x000000013FED1000-memory.dmp
memory/1272-159-0x000000013FF80000-0x00000001402D1000-memory.dmp
memory/1268-158-0x000000013FFD0000-0x0000000140321000-memory.dmp
memory/1232-156-0x000000013F260000-0x000000013F5B1000-memory.dmp
memory/2672-154-0x000000013F9C0000-0x000000013FD11000-memory.dmp
memory/2700-152-0x000000013F4B0000-0x000000013F801000-memory.dmp
memory/1848-157-0x000000013F0B0000-0x000000013F401000-memory.dmp
memory/2884-161-0x00000000022F0000-0x0000000002641000-memory.dmp
memory/2884-162-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/2884-163-0x000000013F700000-0x000000013FA51000-memory.dmp
memory/2728-208-0x000000013FFA0000-0x00000001402F1000-memory.dmp
memory/2852-210-0x000000013F2E0000-0x000000013F631000-memory.dmp
memory/2740-212-0x000000013FD30000-0x0000000140081000-memory.dmp
memory/2660-214-0x000000013FE80000-0x00000001401D1000-memory.dmp
memory/2908-216-0x000000013F740000-0x000000013FA91000-memory.dmp
memory/2652-218-0x000000013F3D0000-0x000000013F721000-memory.dmp
memory/380-220-0x000000013F3D0000-0x000000013F721000-memory.dmp
memory/584-222-0x000000013F2F0000-0x000000013F641000-memory.dmp
memory/852-224-0x000000013FED0000-0x0000000140221000-memory.dmp
memory/2256-239-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/2060-241-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/2700-243-0x000000013F4B0000-0x000000013F801000-memory.dmp
memory/2236-245-0x000000013F4A0000-0x000000013F7F1000-memory.dmp
memory/2600-254-0x000000013FFA0000-0x00000001402F1000-memory.dmp
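The Files section above lists every dropped executable with four digests, but the same file recurs under a slightly different path (with and without the drive letter, "system" versus "System") and again in the second detonation, and a copy-pasted digest is easy to truncate. The parser below is an added example, not part of the report or of the sandbox's own tooling: it reads the section in the format shown on this page, checks that every digest has the length its algorithm requires, and collapses duplicates by SHA256 so the result is a clean IOC list. The sample text is an excerpt of this report's own Files section, reduced to three entries.

```python
"""Parse a Files section of this report into a deduplicated IOC list.

Added example, not part of the report. The input format (a path line followed
by "| ALGO | hex |" rows, with memory-dump lines interleaved) is the one on
this page; SAMPLE_FILES is an excerpt of it.
"""
import re

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def normalize_path(path):
    """Windows paths are case-insensitive and the export sometimes drops the drive."""
    path = path.strip()
    if path.startswith("\\"):
        path = "C:" + path
    return path.lower()


def parse_files_section(text):
    """Return [(path, {algo: digest})]. Memory-dump lines are skipped; a hash row
    whose digest has the wrong length (a mangled export) raises ValueError."""
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        row = HASH_ROW.match(line)
        if row:
            if current is None:
                raise ValueError("hash row without a file path: " + line)
            algo, digest = row.group(1), row.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} for {current[0]} has {len(digest)} hex chars")
            current[1][algo] = digest
        elif "\\" in line and not line.startswith("|"):
            current = (normalize_path(line), {})
            entries.append(current)
        else:
            current = None  # memory/... lines, headers, blank lines


    return entries


def unique_iocs(entries):
    """Collapse entries with the same SHA256 (one file under several paths or seen
    in several detonations) into one record listing every path."""
    by_sha = {}
    for path, hashes in entries:
        sha = hashes.get("SHA256")
        if sha is None:
            continue
        rec = by_sha.setdefault(sha, {"paths": [], **hashes})
        if path not in rec["paths"]:
            rec["paths"].append(path)
    return by_sha


# Excerpt of this report's Files section (behavioral1 and behavioral2 entries).
SAMPLE_FILES = r"""
memory/2884-0-0x000000013F700000-0x000000013FA51000-memory.dmp
\Windows\system\XHanqSi.exe
| MD5 | 86fa59ec11f939e5a9237391543b320d |
| SHA1 | bbe175f47417a95a4dc22e67460a213de57b31d6 |
| SHA256 | dac458d9b9de03c6b0358ac0401ce973e759e90b28285109e6116e3ab3857d2b |
| SHA512 | 52e717d1272a1fa08a79f518eabeebc3df32ac17e3a22f683f01de15b31a965eb764f9ccb0e96dbe12f57ce358b189265b3efe6ce731c4dd8d19c9105a180312 |
memory/2884-6-0x000000013FFA0000-0x00000001402F1000-memory.dmp
C:\Windows\system\ooZFHrR.exe
| MD5 | 7a85ba9dd1ac229b8a2b69838049111b |
| SHA1 | 55bd436d226d4df4d759aa3d48385efbcdb123d3 |
| SHA256 | 374f0faa8b4c0e90c63f645b08eaed9a061e16ad2941c4fa19a7d0fa3631f68d |
C:\Windows\System\XHanqSi.exe
| MD5 | 86fa59ec11f939e5a9237391543b320d |
| SHA256 | dac458d9b9de03c6b0358ac0401ce973e759e90b28285109e6116e3ab3857d2b |
"""


def main():
    for sha, rec in unique_iocs(parse_files_section(SAMPLE_FILES)).items():
        print(sha, ",".join(rec["paths"]))


if __name__ == "__main__":
    main()
```

Deduplicating on SHA256 rather than on the path is what matters: the win7 and win10 runs drop the same 21 binaries, so the 42 path entries reduce to 21 hashes to block.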
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 11:50
Reported
2024-08-13 11:52
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches (description, indicator, process and target all N/A)
Cobaltstrike
xmrig
XMRig Miner payload
45 matches (description, indicator, process and target all N/A)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\XHanqSi.exe | N/A |
| N/A | N/A | C:\Windows\System\ooZFHrR.exe | N/A |
| N/A | N/A | C:\Windows\System\BXeVRkd.exe | N/A |
| N/A | N/A | C:\Windows\System\tFwslCX.exe | N/A |
| N/A | N/A | C:\Windows\System\LMHJYTQ.exe | N/A |
| N/A | N/A | C:\Windows\System\mKIbRtn.exe | N/A |
| N/A | N/A | C:\Windows\System\XsnDvpk.exe | N/A |
| N/A | N/A | C:\Windows\System\TtcBxLZ.exe | N/A |
| N/A | N/A | C:\Windows\System\APETBhb.exe | N/A |
| N/A | N/A | C:\Windows\System\DUHqOoM.exe | N/A |
| N/A | N/A | C:\Windows\System\PpsMoZW.exe | N/A |
| N/A | N/A | C:\Windows\System\FHulRji.exe | N/A |
| N/A | N/A | C:\Windows\System\siwHftl.exe | N/A |
| N/A | N/A | C:\Windows\System\FdFzDvw.exe | N/A |
| N/A | N/A | C:\Windows\System\foXOuoi.exe | N/A |
| N/A | N/A | C:\Windows\System\BJhdyon.exe | N/A |
| N/A | N/A | C:\Windows\System\FwlFsHR.exe | N/A |
| N/A | N/A | C:\Windows\System\oxiuALY.exe | N/A |
| N/A | N/A | C:\Windows\System\nswOQON.exe | N/A |
| N/A | N/A | C:\Windows\System\YsmRNOc.exe | N/A |
| N/A | N/A | C:\Windows\System\PMINowk.exe | N/A |
UPX packed file
64 matches (description, indicator, process and target all N/A)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-13_5c3f8db0476869bb67ccb3e14e9ebb5e_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\XHanqSi.exe
C:\Windows\System\XHanqSi.exe
C:\Windows\System\ooZFHrR.exe
C:\Windows\System\ooZFHrR.exe
C:\Windows\System\BXeVRkd.exe
C:\Windows\System\BXeVRkd.exe
C:\Windows\System\tFwslCX.exe
C:\Windows\System\tFwslCX.exe
C:\Windows\System\LMHJYTQ.exe
C:\Windows\System\LMHJYTQ.exe
C:\Windows\System\mKIbRtn.exe
C:\Windows\System\mKIbRtn.exe
C:\Windows\System\XsnDvpk.exe
C:\Windows\System\XsnDvpk.exe
C:\Windows\System\TtcBxLZ.exe
C:\Windows\System\TtcBxLZ.exe
C:\Windows\System\APETBhb.exe
C:\Windows\System\APETBhb.exe
C:\Windows\System\DUHqOoM.exe
C:\Windows\System\DUHqOoM.exe
C:\Windows\System\PpsMoZW.exe
C:\Windows\System\PpsMoZW.exe
C:\Windows\System\FHulRji.exe
C:\Windows\System\FHulRji.exe
C:\Windows\System\siwHftl.exe
C:\Windows\System\siwHftl.exe
C:\Windows\System\FdFzDvw.exe
C:\Windows\System\FdFzDvw.exe
C:\Windows\System\foXOuoi.exe
C:\Windows\System\foXOuoi.exe
C:\Windows\System\BJhdyon.exe
C:\Windows\System\BJhdyon.exe
C:\Windows\System\FwlFsHR.exe
C:\Windows\System\FwlFsHR.exe
C:\Windows\System\oxiuALY.exe
C:\Windows\System\oxiuALY.exe
C:\Windows\System\nswOQON.exe
C:\Windows\System\nswOQON.exe
C:\Windows\System\YsmRNOc.exe
C:\Windows\System\YsmRNOc.exe
C:\Windows\System\PMINowk.exe
C:\Windows\System\PMINowk.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
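The win10 Network table above is mostly background traffic from the image itself (reverse lookups and Bing tile fetches through the sandbox resolver), while the win7 table is not, so the one destination the two runs share, 3.120.209.58:8080 with no domain, is the only network indicator the report actually attributes to the sample. The report does not say whether that endpoint serves the Cobalt Strike beacon or the miner, and nothing below assumes it. The following triage helper is an added example, not part of the report or the sandbox's code: it parses the table as exported (including the rows where the empty Domain cell was dropped and the protocol slid one column left), filters noise by domain suffix only, so a lookup the sample itself makes through 8.8.8.8 is not discarded, and intersects the runs. The noise suffixes are an assumption to tune per sandbox, and the two tables are excerpts of this report's Network sections.

```python
"""Separate the sample's own network activity from sandbox background noise.

Added example, not part of the report. WIN7_NETWORK and WIN10_NETWORK are
excerpts of this report's Network sections; the noise suffixes are assumptions.
"""
from collections import Counter

# Windows background traffic on the sandbox image: reverse lookups and Bing
# content. Filtering is by domain, not by resolver address, so DNS queries the
# sample makes itself still show up.
NOISE_DOMAIN_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net", ".microsoft.com")
PROTOCOLS = {"tcp", "udp"}


def parse_network_table(text):
    """Flow dicts from the report's table. The export sometimes omits the empty
    Domain cell ("| DE | 1.2.3.4:8080 | tcp | |"), so the protocol is found by
    value rather than by column position."""
    flows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] in ("", "Country"):
            continue  # blank line or header
        rest = [c for c in cells[2:] if c]
        proto = next((c.lower() for c in rest if c.lower() in PROTOCOLS), "")
        domain = next((c for c in rest if c.lower() not in PROTOCOLS), "")
        flows.append({"country": cells[0], "dest": cells[1], "domain": domain, "proto": proto})
    return flows


def is_noise(flow):
    return flow["domain"].lower().endswith(NOISE_DOMAIN_SUFFIXES)


def sample_specific_destinations(runs):
    """(dest, proto, flow count) for every non-noise destination seen in all runs.
    Intersecting runs is a triage heuristic: a destination seen in one run only is
    not thereby benign, it just has to be judged on its own."""
    seen_per_run, counts = [], Counter()
    for text in runs:
        seen = set()
        for flow in parse_network_table(text):
            if is_noise(flow):
                continue
            key = (flow["dest"], flow["proto"])
            seen.add(key)
            counts[key] += 1
        seen_per_run.append(seen)
    common = set.intersection(*seen_per_run) if seen_per_run else set()
    return sorted((d, p, counts[(d, p)]) for d, p in common)


WIN7_NETWORK = """\
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp |
"""

WIN10_NETWORK = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | tcp |
"""


def main():
    for dest, proto, n in sample_specific_destinations([WIN7_NETWORK, WIN10_NETWORK]):
        print(f"{dest} {proto} ({n} flows)")


if __name__ == "__main__":
    main()
```

Eight flows to one German host on a non-standard port, identical on both OS images and with no name resolution in front of it, is the row to pivot on; the rest of the win10 table would look the same with no sample running.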
Files
memory/3064-0-0x00007FF610D60000-0x00007FF6110B1000-memory.dmp
memory/3064-1-0x00000198FC000000-0x00000198FC010000-memory.dmp
C:\Windows\System\XHanqSi.exe
| MD5 | 86fa59ec11f939e5a9237391543b320d |
| SHA1 | bbe175f47417a95a4dc22e67460a213de57b31d6 |
| SHA256 | dac458d9b9de03c6b0358ac0401ce973e759e90b28285109e6116e3ab3857d2b |
| SHA512 | 52e717d1272a1fa08a79f518eabeebc3df32ac17e3a22f683f01de15b31a965eb764f9ccb0e96dbe12f57ce358b189265b3efe6ce731c4dd8d19c9105a180312 |
C:\Windows\System\BXeVRkd.exe
| MD5 | b94cebbcb6172568912ef4847ae14681 |
| SHA1 | e1f1b953b889b194bf63c4718d4fc068d497b6ee |
| SHA256 | 41c322e9ff44295de0edc3640ab0bafd75b145bcdceaf411cb56c96deec833b1 |
| SHA512 | 01d4f61d27e0435c4a778e43423dfa4691ddc7df28ceb1b2ede1336c664b15fc4eecf1101079ea0916f65f221d2209b3f13793b053ab362344de5a7738fededd |
memory/4900-11-0x00007FF740190000-0x00007FF7404E1000-memory.dmp
C:\Windows\System\mKIbRtn.exe
| MD5 | c4e6459c6a6c44b38faed4e78e54dc1a |
| SHA1 | dd6c5f89f743cac5bfcd664501f495f6cf4fdfc2 |
| SHA256 | 0d4182c209c4096b4a65f53fd556265a175ab91711522253979f89d7bc7b48e3 |
| SHA512 | bdc9ccbded378ce5bb242485721923d4fedc5145306e9c5ca9b634d37824ab27b6c9a97a6a1141fdae162b6669a6936bdb71de49d6eef9043e87002c9cfb3bf0 |
C:\Windows\System\LMHJYTQ.exe
| MD5 | e63c7f25d4f079fa8e194ff707a17842 |
| SHA1 | 2b616655c40a7c63fab84050b56d11195092e31d |
| SHA256 | aa79d1cf5db65e058bf8e4a1c92e5f72ba1c58c99aac5f1627e5b1af196eec0f |
| SHA512 | 59bf730aa910c14fef40e079f2cf76e7d992b1df9684d7e51f7c1445cde880ac12c8f027d12346ab632e8a372f8c13bfc71852cc641a73f4ea887d112ae1ce30 |
C:\Windows\System\APETBhb.exe
| MD5 | 71f0940fb755c24fb20aef3c5cdc4676 |
| SHA1 | 68b8bfc22233fb26f0b4cca8b27bb81351f3a92d |
| SHA256 | fefd04710b6fe89aba19625740fa3ef9e34eb2f9969bdaa1a5b58e4ce3c72b01 |
| SHA512 | ebd849cfed228a88d6461df0ff2fcd5504fa3ad8263c1c5fc35e1cc6823a17eb69b5649a080432c1720b6145ba2c04c2c0f6b5ea7ffbec3713f65f8183cbb1d7 |
C:\Windows\System\TtcBxLZ.exe
| MD5 | 8c0e3fcaf469784d1ba8ff887f52d625 |
| SHA1 | 069c832f21d1387d83f3488f03a153c8345bcfc5 |
| SHA256 | aa92e6f2f60017bdbb15e4a24e514520ccf7ebd6b48108807499af201b34d398 |
| SHA512 | 795d16827d2ebd4ee37a721acf27af7f54034b2c6f52219f2fdcac570a2a38643ede2195205271d1c4dcbb04aa98781cbb5a94a61aeff159e787c0c91d0a43a1 |
C:\Windows\System\tFwslCX.exe
| MD5 | 5623d65846c4ae92bccccef515a3c53e |
| SHA1 | d9336f6faccb65cb38db95ef7971e8f75e56d662 |
| SHA256 | 71ea8c354240fa7ac580b325fc01ff5d198147402f807edb4ee685ddbbf58db6 |
| SHA512 | b5da32e6393beab2e09ead75403a09beed871acb737caad1b2955c4556e469850c8be297690ff9263c0b3a27b1d636099c505fbf29436a2f7135d2bc5cd954cc |
C:\Windows\System\XsnDvpk.exe
| MD5 | 805dfb456f6a7a40419f8e8aa6bd3748 |
| SHA1 | 195fceda17426757289bd067fefd2baae4a300c3 |
| SHA256 | f5e2f5cdd550c315a9274f1b5c4dab6b680bd72f4cb0126a808efc6bb3503e4b |
| SHA512 | 3193755a0d2f0aceacb9051c5673cf6d21792c5d2b551c62ffa7e1cbd74ab907d7b19b6d5ae656a4468a083e74540ff5bbd435a41f815c4bdc2707b51ab4992b |
memory/1016-24-0x00007FF7BE750000-0x00007FF7BEAA1000-memory.dmp
memory/4076-14-0x00007FF7A5B00000-0x00007FF7A5E51000-memory.dmp
C:\Windows\System\ooZFHrR.exe
| MD5 | 7a85ba9dd1ac229b8a2b69838049111b |
| SHA1 | 55bd436d226d4df4d759aa3d48385efbcdb123d3 |
| SHA256 | 374f0faa8b4c0e90c63f645b08eaed9a061e16ad2941c4fa19a7d0fa3631f68d |
| SHA512 | fdef40676334a7c1d9bfcb7f6ac69a1efd692ec2aec1d77d9b17ca2bfd0abe1f5dfb786486deebbb330a7fd59a34f57f21e43f16f6234144226251721e852c2a |
C:\Windows\System\DUHqOoM.exe
| MD5 | fa7d7ded3457cbda91d7cdde466f0dc8 |
| SHA1 | b59c48f105bf81ed6233dfd37788443ab285f505 |
| SHA256 | 011c6d73002dc8a1d54336658f90c4cc1e848bd9fa9be14ae53f07130bde3264 |
| SHA512 | 641bb1f1f4f6b96ca8f4fd3b75e2625576a97a47cc4644995e7ef40a7b36aca56bb564227a9b2cf4abf973024fdca8339fd347d58154d1aeaf387df2b0d74da7 |
memory/1316-69-0x00007FF692EE0000-0x00007FF693231000-memory.dmp
C:\Windows\System\FHulRji.exe
| MD5 | 5ec2e4a44f00883cc26319de250503ff |
| SHA1 | e4efa2aed60fd3baefbfd7cbf267ee42c397aad9 |
| SHA256 | c5da6c2e87ae238c60382a4315a07ae9404f1bd924ac92dbb1987ef6d1226363 |
| SHA512 | 1487ec1d82c3bc2e27ffd8734a985d870f2f299dafe5b54f3e81ff0a7ef90a3aeaa47531b523bdeb2bb816ad5ba3ac80c677c5b42aca9cebc5f2010bc6aba7ad |
memory/4308-72-0x00007FF680FC0000-0x00007FF681311000-memory.dmp
memory/4248-71-0x00007FF7C3910000-0x00007FF7C3C61000-memory.dmp
memory/2084-70-0x00007FF77ED20000-0x00007FF77F071000-memory.dmp
memory/880-64-0x00007FF799AF0000-0x00007FF799E41000-memory.dmp
C:\Windows\System\PpsMoZW.exe
| MD5 | fb16ca09448e037153066b8843d6fe37 |
| SHA1 | bdedc9eeac0640b030cf65e110f974a892997acf |
| SHA256 | 12013d26fe614db203bb7f5627d71b69e58f0ff20957dab126ead6ec26f241b0 |
| SHA512 | 5ff3cc855a07befd3861e0791a106d0f4314256412c33af40ecee3a3f196112b28fc18c1f097402b56bf54df4812aea75e9cefd306b8c305c4a41438491deb5c |
memory/3516-56-0x00007FF659CA0000-0x00007FF659FF1000-memory.dmp
memory/464-49-0x00007FF7E8470000-0x00007FF7E87C1000-memory.dmp
memory/660-48-0x00007FF713230000-0x00007FF713581000-memory.dmp
memory/1392-45-0x00007FF6D7890000-0x00007FF6D7BE1000-memory.dmp
C:\Windows\System\siwHftl.exe
| MD5 | f7bf9ed0274b04887bcca70b3d58e71c |
| SHA1 | 6a4a4534744a8b844512c1c1c27bfa5d5dd3d345 |
| SHA256 | 165e6bd01e9bcdf4887e8f7fac354ca82a41257cf3c4deeb538cad9172d198bd |
| SHA512 | 928c9787ac64d0117e626b43f4fb3d857ee80202c7f1ee97ed60416b8311d9f0802b44a5d9c899a077ffe6eb0eae6fcfeab4b4342ea2b89275bac367fb48be38 |
C:\Windows\System\FdFzDvw.exe
| MD5 | 0446a241958390d883907dd29dc9b0de |
| SHA1 | 2a77c8bbc47c5afece81e8d338b28239f22216c3 |
| SHA256 | 99d7ab8fa333f1203cb13ce78e52866f9986db808b4b8d3007a1c6b966d17a5b |
| SHA512 | d469ed9faaea0b5426037e4d589a2ed1a097e2eeeef17bed8d8447943eec0691bf777effb3ffb22f60b1b47fc7f94ba686c0a6647d53518020b9d4d32dbccb35 |
memory/1876-89-0x00007FF7A0220000-0x00007FF7A0571000-memory.dmp
C:\Windows\System\FwlFsHR.exe
| MD5 | 4247d609adb3c0bed702e8720b7777f2 |
| SHA1 | 447ce12363c507f2040812fd4e2dca6b0869418d |
| SHA256 | a5522a4264c56256e06e435088d7028d870bf31419debe7c7342e15e964b2cdc |
| SHA512 | 3d4c477d816ce648522fb7d42f3914d735597e5d3bcfeba3abdc32ffb055ff48ca84efacc0fee4fa6e48671adc27ced3fbbd524f87853012491e792c4af45e35 |
C:\Windows\System\oxiuALY.exe
| MD5 | 868792d988e9b34357c2ba69ede23343 |
| SHA1 | 63666d568ab2354498a7f614d7ed52b3011bf876 |
| SHA256 | 4c4ba5796dea8da25705c81539effe1dac12e5acf31047fdee6708747770b0d5 |
| SHA512 | f0ee3fe63041dcbbe2b2197d95bb6a3af0383e8528aba8b286634d5a025b0e18614cf6e1937b95ddba63b8575f9d62eeb63255da6f5665bca7939fa706345f04 |
C:\Windows\System\BJhdyon.exe
| MD5 | fcbdff7368d5e525560416255d70d3b4 |
| SHA1 | 7b48eb5b89b2bc0a1b50dc3683dd42559602d5f9 |
| SHA256 | eea5017ca6336a117f3f12a1a831cccf1c716bb1b4d3b5a865156f72caf64753 |
| SHA512 | bf415cd9389e85476ab67d7f5c51df5cee0d1acb495657d63c902276f9c704e7652989cd206e08988bdd8bd44a6e34b960ae91624528898b18278032bc26433e |
C:\Windows\System\nswOQON.exe
| MD5 | 85616bcad8e3c5424c65fd3f7cdedb5e |
| SHA1 | 349fbc8f2307920d7f913117c3e93163dc1a534b |
| SHA256 | 90d35535d94b52f821fd4de6f07a51d4e718d6573e9ff1dc5ba06796763373a8 |
| SHA512 | f2d56b9b8947fcff7f4d6fa2c18c8a91f6f36e7fd3a35ac87cd9ff54b8d9fac5419adf452b6e8becd555afaf4dbcf7f55bdf8281199df6b1ce131c9f921c87f8 |
memory/1640-120-0x00007FF6D8060000-0x00007FF6D83B1000-memory.dmp
C:\Windows\System\YsmRNOc.exe
| MD5 | e935c488f2737f1834a15ad749c92382 |
| SHA1 | b74a3c98109782c2b4846af51626cc914817166e |
| SHA256 | c6cb01cb7f50ec38a305a69c0f67cfe8712696edf849cf1a979b913a01ba3ab0 |
| SHA512 | 4a5c6df099fbfe23042f41ff917016d3959e768cfbbf93320f7bf6f0f5513fcad22e49ebdfdb9b59e4bf013ff6e37b2fce13a8240fd6e9b8fbe4e94c6c590584 |
C:\Windows\System\PMINowk.exe
| MD5 | 9a261ac68a113f4749bd27e0e289e8c2 |
| SHA1 | 5d4e7219f952d7775d80ebaf9385be2739b88361 |
| SHA256 | d656605c1078637feb0d3fdc1fbe6467297b50f180fcae0967c27d6649c1c41e |
| SHA512 | b321318ef122627860b09671cac9136e18499d17b78fe7fd198513dedb17bb2222d4f52f8d37cf6fccf8afa79fcbfdae8a58c4ef2711ade799c83eac9ab88d65 |
memory/1208-125-0x00007FF62AEB0000-0x00007FF62B201000-memory.dmp
memory/4548-124-0x00007FF768130000-0x00007FF768481000-memory.dmp
memory/4036-114-0x00007FF61AF90000-0x00007FF61B2E1000-memory.dmp
memory/4660-113-0x00007FF7DB350000-0x00007FF7DB6A1000-memory.dmp
memory/4076-105-0x00007FF7A5B00000-0x00007FF7A5E51000-memory.dmp
memory/3064-101-0x00007FF610D60000-0x00007FF6110B1000-memory.dmp
memory/3188-99-0x00007FF695710000-0x00007FF695A61000-memory.dmp
memory/1808-97-0x00007FF6FAB80000-0x00007FF6FAED1000-memory.dmp
C:\Windows\System\foXOuoi.exe
| MD5 | 085f1ed145656e6c6a290dd7896339c4 |
| SHA1 | e358058c356ba16ac85c23504b1ef2139921c677 |
| SHA256 | a4ad09356e75fc9bf061bb357b5d167b5a4bbd9bc8ee6865d796382c050526f0 |
| SHA512 | 3fce46ed811a55cdd6902292f784406f48f70a339ebcd787638110b3573e303a3f26f7242d3431c62431a3cad06e13287c3315af073365636745176eed5c0813 |
memory/3508-88-0x00007FF65A940000-0x00007FF65AC91000-memory.dmp
memory/1016-133-0x00007FF7BE750000-0x00007FF7BEAA1000-memory.dmp
memory/3064-130-0x00007FF610D60000-0x00007FF6110B1000-memory.dmp
memory/3516-139-0x00007FF659CA0000-0x00007FF659FF1000-memory.dmp
memory/4308-142-0x00007FF680FC0000-0x00007FF681311000-memory.dmp
memory/1808-145-0x00007FF6FAB80000-0x00007FF6FAED1000-memory.dmp
memory/4036-148-0x00007FF61AF90000-0x00007FF61B2E1000-memory.dmp
memory/4660-147-0x00007FF7DB350000-0x00007FF7DB6A1000-memory.dmp
memory/1208-150-0x00007FF62AEB0000-0x00007FF62B201000-memory.dmp
memory/3188-146-0x00007FF695710000-0x00007FF695A61000-memory.dmp
memory/1640-149-0x00007FF6D8060000-0x00007FF6D83B1000-memory.dmp
memory/4548-151-0x00007FF768130000-0x00007FF768481000-memory.dmp
memory/3064-152-0x00007FF610D60000-0x00007FF6110B1000-memory.dmp
memory/4900-211-0x00007FF740190000-0x00007FF7404E1000-memory.dmp
memory/4076-213-0x00007FF7A5B00000-0x00007FF7A5E51000-memory.dmp
memory/1016-215-0x00007FF7BE750000-0x00007FF7BEAA1000-memory.dmp
memory/1392-219-0x00007FF6D7890000-0x00007FF6D7BE1000-memory.dmp
memory/660-218-0x00007FF713230000-0x00007FF713581000-memory.dmp
memory/464-221-0x00007FF7E8470000-0x00007FF7E87C1000-memory.dmp
memory/4248-223-0x00007FF7C3910000-0x00007FF7C3C61000-memory.dmp
memory/1316-231-0x00007FF692EE0000-0x00007FF693231000-memory.dmp
memory/4308-233-0x00007FF680FC0000-0x00007FF681311000-memory.dmp
memory/880-230-0x00007FF799AF0000-0x00007FF799E41000-memory.dmp
memory/2084-226-0x00007FF77ED20000-0x00007FF77F071000-memory.dmp
memory/3516-228-0x00007FF659CA0000-0x00007FF659FF1000-memory.dmp
memory/3508-241-0x00007FF65A940000-0x00007FF65AC91000-memory.dmp
memory/1876-243-0x00007FF7A0220000-0x00007FF7A0571000-memory.dmp
memory/1808-245-0x00007FF6FAB80000-0x00007FF6FAED1000-memory.dmp
memory/3188-247-0x00007FF695710000-0x00007FF695A61000-memory.dmp
memory/4660-249-0x00007FF7DB350000-0x00007FF7DB6A1000-memory.dmp
memory/4036-252-0x00007FF61AF90000-0x00007FF61B2E1000-memory.dmp
memory/1640-253-0x00007FF6D8060000-0x00007FF6D83B1000-memory.dmp
memory/4548-257-0x00007FF768130000-0x00007FF768481000-memory.dmp
memory/1208-255-0x00007FF62AEB0000-0x00007FF62B201000-memory.dmp
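Added example, not part of the sandbox report: a small Python parser for the dropped-file hash rows and memory-dump names listed in this section. It turns the rows into a de-duplicated SHA256 list for block-listing or hunting, and computes the size of each dumped region from the start and end addresses in the dump name, collapsing repeat dumps of the same region (same pid, different index). The sample input is a constructed excerpt of lines copied from this section; the regexes assume the report's own `path` / `| ALGO | hex |` / `memory/<pid>-<index>-<start>-<end>-memory.dmp` layout and nothing else.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the report section above.
# The whole section can be fed through parse_report() the same way.
SAMPLE = r"""
C:\Windows\System\tFwslCX.exe
| MD5 | 5623d65846c4ae92bccccef515a3c53e |
| SHA1 | d9336f6faccb65cb38db95ef7971e8f75e56d662 |
| SHA256 | 71ea8c354240fa7ac580b325fc01ff5d198147402f807edb4ee685ddbbf58db6 |
C:\Windows\System\XsnDvpk.exe
| MD5 | 805dfb456f6a7a40419f8e8aa6bd3748 |
| SHA256 | f5e2f5cdd550c315a9274f1b5c4dab6b680bd72f4cb0126a808efc6bb3503e4b |
memory/1016-24-0x00007FF7BE750000-0x00007FF7BEAA1000-memory.dmp
memory/4076-14-0x00007FF7A5B00000-0x00007FF7A5E51000-memory.dmp
memory/1016-133-0x00007FF7BE750000-0x00007FF7BEAA1000-memory.dmp
memory/4076-105-0x00007FF7A5B00000-0x00007FF7A5E51000-memory.dmp
memory/1316-69-0x00007FF692EE0000-0x00007FF693231000-memory.dmp
"""

# Layout assumptions taken from this report: a bare Windows path starts a
# file entry, hash rows are two-column table rows, dump names carry pid,
# dump index and the hex start/end of the region.
FILE_RE = re.compile(r"^[A-Za-z]:\\\S+$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_report(text):
    """Return (files, dumps).

    files maps each dropped-file path to {algo: hexdigest};
    dumps is a list of (pid, index, start, end) tuples from the dump names.
    """
    files = {}
    dumps = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if FILE_RE.match(line):
            current = line
            files.setdefault(current, {})
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError(f"hash row before any file path: {line}")
            # Reject a digest of the wrong length instead of storing a typo.
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length for {current}")
            files[current][algo] = digest
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, idx = int(m.group(1)), int(m.group(2))
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            dumps.append((pid, idx, start, end))
    return files, dumps


def region_sizes(dumps):
    """Map pid -> set of distinct (base, size) regions dumped for that pid.

    The report dumps the same region of a process several times under
    different indices; those collapse to one entry here.
    """
    regions = defaultdict(set)
    for pid, _idx, start, end in dumps:
        regions[pid].add((start, end - start))
    return dict(regions)


def sha256_list(files):
    """Sorted, de-duplicated SHA256 values ready for a block list or hunt."""
    return sorted({h["SHA256"] for h in files.values() if "SHA256" in h})


if __name__ == "__main__":
    files, dumps = parse_report(SAMPLE)
    for path, hashes in files.items():
        print(path, hashes.get("SHA256"))
    for pid, regs in sorted(region_sizes(dumps).items()):
        for base, size in sorted(regs):
            print(f"pid {pid}: base 0x{base:X} size 0x{size:X}")
    print(sha256_list(files))
```

Run over the full section, every dumped region in this report works out to 0x351000 bytes, so each of the randomly named `C:\Windows\System\*.exe` drops is mapped at the same image size even though their file hashes differ; pids dumped more than once (for example 4076 at indices 14, 105 and 213) collapse to a single region in `region_sizes()`. The SHA256 list is the safer artefact to hand to a block list, since the MD5 and SHA1 columns are listed only for cross-referencing older feeds.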