Analysis Overview
SHA256
0adc7117f2115f32df945e44ab2af9cabb5465db10904fd2fbe16ed472cbe7cb
Threat Level: Known bad
The file 2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobalt Strike reflective loader
Xmrig family
XMRig Miner payload
Cobaltstrike
xmrig
XMRig Miner payload
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-14 21:30
Signatures
Cobalt Strike reflective loader
1 match; the report captured no description, indicator, process or target for it.
Cobaltstrike family
XMRig Miner payload
1 match; the report captured no description, indicator, process or target for it.
Xmrig family
UPX packed file
1 match; the report captured no description, indicator, process or target for it.
Unsigned PE
2 matches; the report captured no description, indicator, process or target for them.
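Two of the static signatures above, UPX packed file and Unsigned PE, can be reproduced from the PE headers alone. The following is an added example and not part of the sandbox report or of any tool it names: a standard-library PE reader that lists section names, computes per-section entropy and checks whether a certificate (Authenticode) data directory is attached. It is exercised against a constructed PE32+ image built by build_sample_pe, a header-only stand-in for the real sample, whose UPX0/UPX1 layout (an empty section reserved for the unpacked image next to a high-entropy compressed one) is the shape UPX leaves behind.

```python
"""Static triage of a PE image: UPX section names, section entropy and the
presence of an Authenticode certificate directory. Pure standard library."""
import math
import random
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the certificate table data directory
SECTION_HEADER_SIZE = 40
UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(blob: bytes) -> dict:
    """Read just enough of the PE/COFF headers for triage: the section table
    and the size of the certificate (Authenticode) data directory."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", blob, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", blob, opt)[0]
    # Data directories begin at offset 96 (PE32) or 112 (PE32+) of the optional header.
    dd_off = opt + (112 if magic == 0x20B else 96)
    _cert_off, cert_size = struct.unpack_from("<II", blob, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    table = opt + opt_size
    for i in range(nsections):
        hdr = table + i * SECTION_HEADER_SIZE
        name = blob[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", blob, hdr + 8)
        raw = blob[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({"name": name, "virtual_size": vsize, "raw_size": raw_size,
                         "entropy": shannon_entropy(raw)})
    return {"sections": sections, "cert_dir_size": cert_size}


def triage(blob: bytes) -> list:
    """Return the static findings that correspond to this report's signatures."""
    pe = parse_pe(blob)
    findings = []
    if {s["name"] for s in pe["sections"]} & UPX_SECTION_NAMES:
        findings.append("UPX packed file")
    for s in pe["sections"]:
        if s["raw_size"] == 0 and s["virtual_size"] >= 0x1000:
            findings.append(f"section {s['name']}: no raw data, {s['virtual_size']:#x} bytes virtual (unpack target)")
        if s["entropy"] > 7.0:
            findings.append(f"section {s['name']}: high entropy {s['entropy']:.2f} bits/byte")
    if pe["cert_dir_size"] == 0:
        findings.append("Unsigned PE")   # no Authenticode certificate table attached
    return findings


def build_sample_pe(packed: bool, signed: bool) -> bytes:
    """Constructed PE32+ image for the demo: headers only, contains no code."""
    rnd = random.Random(1)
    if packed:   # UPX layout: UPX0 reserved for the unpacked image, UPX1 holds the compressed bytes
        sections = [(b"UPX0", 0x10000, b""),
                    (b"UPX1", 0x2000, bytes(rnd.getrandbits(8) for _ in range(4096)))]
    else:
        sections = [(b".text", 0x1000, b"\x90" * 2048 + b"\xc3")]
    opt_size = 240                                   # PE32+ optional header with 16 data directories
    raw_start = 64 + 4 + 20 + opt_size + len(sections) * SECTION_HEADER_SIZE
    raw_start += (-raw_start) % 0x200                # FileAlignment
    headers, body, vaddr, raw_ptr = b"", b"", 0x1000, raw_start
    for name, vsize, data in sections:
        headers += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(data),
                               raw_ptr if data else 0, 0, 0, 0, 0, 0x60000020)
        body += data
        raw_ptr += len(data)
        vaddr += vsize + (-vsize) % 0x1000
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)
    cert = b"\0" * 0x200 if signed else b""          # stand-in for a WIN_CERTIFICATE blob
    if signed:
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, raw_ptr, len(cert))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    image = dos + b"PE\0\0" + coff + bytes(opt) + headers
    return image + b"\0" * (raw_start - len(image)) + body + cert


if __name__ == "__main__":
    for label, blob in (("packed+unsigned", build_sample_pe(True, False)),
                        ("plain+signed", build_sample_pe(False, True))):
        print(label, triage(blob))
```

Two caveats when reading these findings. A non-zero certificate directory only says a signature blob is attached, not that it verifies; the validity check is Get-AuthenticodeSignature or signtool verify against the real file. And UPX section names are trivially renamed by anyone who edits the packed file, so the empty-section-plus-high-entropy-section pattern is the more durable indicator of the two.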
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-14 21:30
Reported
2024-08-14 21:32
Platform
win7-20240704-en
Max time kernel
144s
Max time network
156s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; the report captured no description, indicator, process or target for any of them.
Cobaltstrike
xmrig
XMRig Miner payload
41 matches; the report captured no description, indicator, process or target for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\YPGlDfo.exe | N/A |
| N/A | N/A | C:\Windows\System\caPpyTW.exe | N/A |
| N/A | N/A | C:\Windows\System\mUPDpND.exe | N/A |
| N/A | N/A | C:\Windows\System\NhwjkSp.exe | N/A |
| N/A | N/A | C:\Windows\System\VnTEbqX.exe | N/A |
| N/A | N/A | C:\Windows\System\IDWOwcS.exe | N/A |
| N/A | N/A | C:\Windows\System\SwHNJBq.exe | N/A |
| N/A | N/A | C:\Windows\System\gRTkZrB.exe | N/A |
| N/A | N/A | C:\Windows\System\oRnyCGq.exe | N/A |
| N/A | N/A | C:\Windows\System\ZczjrSH.exe | N/A |
| N/A | N/A | C:\Windows\System\dbFleBB.exe | N/A |
| N/A | N/A | C:\Windows\System\jNVkzMQ.exe | N/A |
| N/A | N/A | C:\Windows\System\wjHvlHr.exe | N/A |
| N/A | N/A | C:\Windows\System\lGjHQAb.exe | N/A |
| N/A | N/A | C:\Windows\System\WySsnMs.exe | N/A |
| N/A | N/A | C:\Windows\System\epWaAUx.exe | N/A |
| N/A | N/A | C:\Windows\System\DMrAExf.exe | N/A |
| N/A | N/A | C:\Windows\System\TsBrmoW.exe | N/A |
| N/A | N/A | C:\Windows\System\ydWkEYJ.exe | N/A |
| N/A | N/A | C:\Windows\System\YduWLHn.exe | N/A |
| N/A | N/A | C:\Windows\System\YGcRLqV.exe | N/A |
Loads dropped DLL
UPX packed file
64 matches; the report captured no description, indicator, process or target for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\YPGlDfo.exe
C:\Windows\System\YPGlDfo.exe
C:\Windows\System\caPpyTW.exe
C:\Windows\System\caPpyTW.exe
C:\Windows\System\mUPDpND.exe
C:\Windows\System\mUPDpND.exe
C:\Windows\System\NhwjkSp.exe
C:\Windows\System\NhwjkSp.exe
C:\Windows\System\VnTEbqX.exe
C:\Windows\System\VnTEbqX.exe
C:\Windows\System\IDWOwcS.exe
C:\Windows\System\IDWOwcS.exe
C:\Windows\System\SwHNJBq.exe
C:\Windows\System\SwHNJBq.exe
C:\Windows\System\gRTkZrB.exe
C:\Windows\System\gRTkZrB.exe
C:\Windows\System\oRnyCGq.exe
C:\Windows\System\oRnyCGq.exe
C:\Windows\System\dbFleBB.exe
C:\Windows\System\dbFleBB.exe
C:\Windows\System\ZczjrSH.exe
C:\Windows\System\ZczjrSH.exe
C:\Windows\System\jNVkzMQ.exe
C:\Windows\System\jNVkzMQ.exe
C:\Windows\System\wjHvlHr.exe
C:\Windows\System\wjHvlHr.exe
C:\Windows\System\lGjHQAb.exe
C:\Windows\System\lGjHQAb.exe
C:\Windows\System\WySsnMs.exe
C:\Windows\System\WySsnMs.exe
C:\Windows\System\epWaAUx.exe
C:\Windows\System\epWaAUx.exe
C:\Windows\System\DMrAExf.exe
C:\Windows\System\DMrAExf.exe
C:\Windows\System\TsBrmoW.exe
C:\Windows\System\TsBrmoW.exe
C:\Windows\System\ydWkEYJ.exe
C:\Windows\System\ydWkEYJ.exe
C:\Windows\System\YduWLHn.exe
C:\Windows\System\YduWLHn.exe
C:\Windows\System\YGcRLqV.exe
C:\Windows\System\YGcRLqV.exe
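The behaviour recorded above (and repeated on the Windows 10 run below) has a recognisable shape: the submitted sample writes a string of executables with random seven-letter names into C:\Windows\System, the legacy directory next to System32 that is normally close to empty, each of them is executed, and the sample itself enables SeLockMemoryPrivilege, the right XMRig needs to back RandomX with large pages. The following is an added example, not part of the report or of any sandbox product: a hunt over event records that correlates the drops with their execution and flags the privilege adjustment. The events are constructed here; pid 1612 is taken from the memory dumps of the sample, but the parent/child relationships and the file-create records are assumptions the sandbox output does not show.

```python
"""Hunt over process-creation, file-creation and privilege-adjustment events
for the dropper pattern in this report: many executables with random seven-
letter names written to C:\\Windows\\System and launched, plus a process
enabling SeLockMemoryPrivilege. Event dicts are constructed here; map the
fields to Sysmon 11/1 and Security 4703 in a real pipeline."""
import re
from collections import defaultdict

# The legacy C:\Windows\System directory, not System32. Matching is prefix-based
# so System32 and SysWOW64 paths do not fire.
DROP_DIR = "c:\\windows\\system\\"
# Seven mixed-case letters plus .exe: the naming scheme of every dropped file here.
RANDOM_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")
# XMRig enables SeLockMemoryPrivilege to back RandomX with large pages.
WATCHED_PRIVILEGES = {"SeLockMemoryPrivilege"}


def is_random_drop(path: str) -> bool:
    """True for C:\\Windows\\System\\<7 letters>.exe, case-insensitive on the directory."""
    if not path.lower().startswith(DROP_DIR):
        return False
    return RANDOM_NAME.match(path.rsplit("\\", 1)[-1]) is not None


def hunt(events, privilege_allowlist=frozenset()):
    """Correlate drops with executions and privilege adjustments.
    privilege_allowlist: lower-cased image paths allowed to hold the watched
    privileges (for example a database server configured for large pages)."""
    dropped = {}        # lower-cased path -> pid that wrote it
    executed = {}       # lower-cased path -> (pid, ppid)
    priv_hits = []      # (pid, image, [privileges])
    for ev in events:
        kind = ev["event"]
        if kind == "file_create" and is_random_drop(ev["target"]):
            dropped[ev["target"].lower()] = ev["pid"]
        elif kind == "process_create" and is_random_drop(ev["image"]):
            executed[ev["image"].lower()] = (ev["pid"], ev["ppid"])
        elif kind == "privilege_adjust":
            privs = WATCHED_PRIVILEGES & set(ev["privileges"])
            if privs and ev["image"].lower() not in privilege_allowlist:
                priv_hits.append((ev["pid"], ev["image"], sorted(privs)))
    dropped_and_run = sorted(p for p in executed if p in dropped)
    writers = defaultdict(int)   # one writer of many random executables is the dropper
    for p in dropped_and_run:
        writers[dropped[p]] += 1
    return {
        "dropped_and_executed": dropped_and_run,
        "dropper_pids": {pid for pid, n in writers.items() if n >= 3},
        "lock_memory_privilege": priv_hits,
    }


# Constructed events modelled on this report: pid 1612 is the submitted sample
# (as in its memory dumps); child pids, parent links and the file-create
# records are assumptions, the sandbox output does not show them.
SAMPLE = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-08-14_e5f04693fd21e6635a071e3ace024253"
          "_cobalt-strike_cobaltstrike_poet-rat.exe")
EVENTS = [{"event": "privilege_adjust", "pid": 1612, "image": SAMPLE,
           "privileges": ["SeLockMemoryPrivilege"]}]
for i, name in enumerate(("YPGlDfo", "caPpyTW", "mUPDpND")):
    path = f"C:\\Windows\\System\\{name}.exe"
    EVENTS.append({"event": "file_create", "pid": 1612, "image": SAMPLE, "target": path})
    EVENTS.append({"event": "process_create", "pid": 1300 + i, "ppid": 1612, "image": path})
# Benign activity that must not fire: a System32 service host and a non-random name.
EVENTS.append({"event": "process_create", "pid": 4000, "ppid": 600,
               "image": "C:\\Windows\\System32\\svchost.exe"})
EVENTS.append({"event": "file_create", "pid": 4001, "image": "C:\\Windows\\System32\\msiexec.exe",
               "target": "C:\\Windows\\System\\installer.exe"})

if __name__ == "__main__":
    for key, value in hunt(EVENTS).items():
        print(f"{key}: {value}")
```

In a real pipeline the file_create rows come from Sysmon Event ID 11, the process_create rows from Event ID 1 and the privilege_adjust rows from Windows Security event 4703 (a user right was adjusted), which only appears when the Authorization Policy Change audit subcategory is enabled and is noisy enough that the allowlist is not optional. The seven-letter regex is derived from the names in this one report; treat any new executable under C:\Windows\System as worth a look regardless of how it is named.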
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1612-0-0x000000013FEE0000-0x0000000140231000-memory.dmp
memory/1612-1-0x00000000003F0000-0x0000000000400000-memory.dmp
C:\Windows\system\YPGlDfo.exe
| MD5 | 232ea4320f2d81c658f49dd0578a7dda |
| SHA1 | d17bc3f8abc5f3f060cc07b66c10d9496db25634 |
| SHA256 | cea2fb41ffb903560c41c1a98f9f7894dfd4512face628069d6fd650ed3d583b |
| SHA512 | c2a4e0f465d7ad735acd5b6075ec4a8ff2590679009cb291377d4e3bec284f2302200bed1028ab726872b2cfac35316904866d89375fac33d12d422eb71d5d21 |
\Windows\system\caPpyTW.exe
| MD5 | edbd4494b6a166c05081d35e97d14c8d |
| SHA1 | 261c236c87f5974efe54da9ef7c107cab3deef18 |
| SHA256 | 7817fa5908a527a2f4cfc4d00e1f99d3a0a5c9255e8759f432f95e6a8cde48d6 |
| SHA512 | 99b0d79edf79fa3caa85adda52c4eea0ab92ea22c082c667a78fb43f9d911cf8da8ac0f2aa4fe52df358ed40b677cebab1aecef7139145b912d7a1f1c4929315 |
memory/1612-7-0x000000013F310000-0x000000013F661000-memory.dmp
memory/1300-13-0x000000013F310000-0x000000013F661000-memory.dmp
memory/1612-16-0x000000013FAF0000-0x000000013FE41000-memory.dmp
memory/2732-15-0x000000013FAF0000-0x000000013FE41000-memory.dmp
C:\Windows\system\mUPDpND.exe
| MD5 | 712939be41421d90c20ea715d1c60306 |
| SHA1 | 465dca9ada0f85c57e921c618a4225d3f9b7ee6c |
| SHA256 | d2260a248cbcdbd56b87b7ec0660943ea638a716b9f3883137505fddb53a6457 |
| SHA512 | 75f907092a30e2e35b07ca3a31b731cd218003442df477760dde9ae38c057f9d5b58f2b3b4f58eec7de52561f5b14ceaba6c73ea094953f8bcdfcab1658eb537 |
memory/1612-21-0x00000000023B0000-0x0000000002701000-memory.dmp
C:\Windows\system\NhwjkSp.exe
| MD5 | 2d67423a6d4d307415fd82a8810a3768 |
| SHA1 | bb4f9bc55213accf1ba5f3d9cda32e512f8c7105 |
| SHA256 | 66ffcfd638d97d7d6757e1a44fdb01ee2f81d5f33e3cf531170cd23588dfc93b |
| SHA512 | 852254244a84cb5cbd2ea928a42b0f86a5b72a525782176ddcc0a0d9dd17b88e3788c5bade8ad1a341cde24519da9038e2f10f3902971ad0a8d6459ffad5116d |
memory/1612-35-0x000000013F730000-0x000000013FA81000-memory.dmp
memory/3008-36-0x000000013F730000-0x000000013FA81000-memory.dmp
C:\Windows\system\IDWOwcS.exe
| MD5 | 7e59f39a52142fb43dbf1d0c5db2fffd |
| SHA1 | 7c8c2a0290a82854c26b4e89dcef09855404ec24 |
| SHA256 | c38c220e2900b0349332ca3d5ae47105813fd473651aa64b00c77cf7dbd185d4 |
| SHA512 | d2a2a854ad30d194972452305b6512356c2c7a29d3c4ede2d897ebc46e77ec28a2b2b08a2d6c6075ff4dc537f13e104f0f32b4479c64122e5311252d4c399bd7 |
C:\Windows\system\gRTkZrB.exe
| MD5 | 4c27fbf858cf52fd277b68ebd7c16a1c |
| SHA1 | 608d213589be2534411a503616ea444fe9ff1c39 |
| SHA256 | e4b64b0d36aad1fb03fea6a5260fa8b8fe5ea6f7589591589eaecd0d56996489 |
| SHA512 | 8cae95b6161517ab711ea041b79239c362b006b09722c1a03f6d0f2cc32a5fbdf5144c66ad2e67e793bd2fc48aa72d2b51fc3cea7883aa86a3d34aedb0e2ac3e |
C:\Windows\system\dbFleBB.exe
| MD5 | dcb48f57976fb27c8c76f2289c20253b |
| SHA1 | 575f83b2129dc2bb3ba389b38e788006a0ce816f |
| SHA256 | 3cb1115d9ef1e0b915ccd247f37603de19b8b873fd42d00baca17869ef5954f2 |
| SHA512 | b7267c4c3fd210c1639c12daab632e71f7e0894156ad30cf772abf411112c16fbb47e984228be77a7152cb18a65869cebd621fa2ffd59568212e25929d6cfce7 |
memory/1612-91-0x000000013F490000-0x000000013F7E1000-memory.dmp
\Windows\system\jNVkzMQ.exe
| MD5 | 3f8b7506ef17721771c4e5245b03f47e |
| SHA1 | 829e39b18b4fe5b774c44c0a0b43d95bc0a8234a |
| SHA256 | b3ff9afdc937c56e74706dd3f57d8d6e74ddbbedfee40422a07676748d9e22ac |
| SHA512 | 64a96fff291698315ae9922f0c97b9c97ca22c8ba81b520d50255f48e70144a7d16cdabe0dfb0d7d891b89d1d162abb749b4d49ec32ea5179b6a47936e76b1ee |
C:\Windows\system\WySsnMs.exe
| MD5 | bf3a38b556261030fc31ca16f7807740 |
| SHA1 | 9e27cdfa3e0c688f3a2b660af86d53f7c954389f |
| SHA256 | 95ea74aac4d8f19b47b6af2f8362f7369924b8e4e35c5b9b5343f717f61365a0 |
| SHA512 | 350585996210fcf8406126d119e0b5dfdcc945ea0d8a96dfba2cf46cb8cf5c63864f61a4b365e2253a493f3bbacfcb04bfb139f61d5350581884143992bb5f7a |
memory/1612-104-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/1612-99-0x000000013F210000-0x000000013F561000-memory.dmp
memory/2112-98-0x000000013F210000-0x000000013F561000-memory.dmp
memory/2412-97-0x000000013F490000-0x000000013F7E1000-memory.dmp
memory/2432-96-0x000000013F8B0000-0x000000013FC01000-memory.dmp
C:\Windows\system\lGjHQAb.exe
| MD5 | ac047b865702a27e32ba89a31c7f082f |
| SHA1 | 481b3c36428e7d1ea36fe6f290a95963799a48fe |
| SHA256 | d92fd77f31bf6af79528c05f372d25d409d999dea89b6f7a681c12dafd3195e8 |
| SHA512 | 84a550f5da521c2c7e8b45ce632885e886ae1804efd12ce88a6683ca9a6ef9f72b756d741bfaf96542d7bd9c5b3a7440090cbe494657e90215202d8127363af7 |
memory/1612-90-0x000000013F8B0000-0x000000013FC01000-memory.dmp
\Windows\system\epWaAUx.exe
| MD5 | 50e8fc2a21de8fc41f334e0542c00d70 |
| SHA1 | 080cb620d207cc0c51933343655513c6e8f4f19a |
| SHA256 | d329893fd3fae8a80dead6fdcc9302277004c5b3f7bfa78e4c08280562550da8 |
| SHA512 | eb3fba5afb85380371ddfbe5fa3508ff4211bfd54d7fbf2e1285a5442d5db230bd352cbb47c437048b7d88c0d845594987bac1c0522914870d5aad58bb252a0c |
memory/2700-88-0x000000013F900000-0x000000013FC51000-memory.dmp
C:\Windows\system\wjHvlHr.exe
| MD5 | b08cd0f93761f2742eccd3601759e3a2 |
| SHA1 | d7b3d5bf140a232737fc1526a0a54aa341f801c4 |
| SHA256 | 565e7961d3dbd2f5ef9a7aa21da64ebec62deb029e859a22c043983c541ff1ae |
| SHA512 | c37aac02e1f90f872198c114ffd8bdc2d46f145810ff4d68ba73a0607df233583d7dafd459197a2a1de1d6eddab7b852f48d2be51456b8550c48bbab09b58822 |
memory/2880-118-0x000000013FAB0000-0x000000013FE01000-memory.dmp
C:\Windows\system\TsBrmoW.exe
| MD5 | bdb642d6d0e709d1deef11f20b3c27d1 |
| SHA1 | 3b9a5a4f3e617832cfe63acdd6a2a9e37cb6a799 |
| SHA256 | 6b888d29589988a583efa123c685280c498e2bdba2667bfce8a526122d00c494 |
| SHA512 | 17ed5f51512e7f85ee81ba87ff6d00875febfb63845697d50b924e3301434a7a20da59f8c1cc14d8f204255edd45a62cf358cd54058a02d1118a0e0904711abd |
C:\Windows\system\ydWkEYJ.exe
| MD5 | 609b8a5e5ae4ad32e79f3dbae881f794 |
| SHA1 | 130e96de86d6d2632ff9302d5c6240fd7c45bec5 |
| SHA256 | 42b7a4bbfa0ddeadb3eb9186f4e3567490dbc7c26803ebb800a3fd6c58bcc98b |
| SHA512 | 1d9b692c5858892247e606e37f08eb24a7ab40cde3956b0b4d514fc9065a91eb7f65be9bb525af7388ed848a9dff3bab1b1961f12216e7724c8ec6836e4178b1 |
C:\Windows\system\YGcRLqV.exe
| MD5 | 996c9b41b829a37744a13174a5743596 |
| SHA1 | 4e6c4088e2bb098346fd5ec76cc7f2f5ee19a170 |
| SHA256 | a49685664c96f12a3ed09e015f8c1195a3a338cd3187f3f4cf49e602cf400322 |
| SHA512 | d770af17de773a8ca8b3de5f3a2b146e1e9d665a9a99cc918738897a23a024c0dead73b3ca3e3cff278fed8d5a2f06c868cecba63233e1a0f2a6e969ada9d5c5 |
C:\Windows\system\YduWLHn.exe
| MD5 | 879294f2ea776490ef2781f701d63fff |
| SHA1 | ff3d8abe977714bb4d79704aa068e64a2ebe7e52 |
| SHA256 | dc60e832484dec5772d45e850ba7e91e431dc6495685787dd7937acc33fd69d0 |
| SHA512 | 7c6e2c921fb805cff121efe5b96e5f34d04e75d184f85c8e607d0f373d2943fc7892ed353557b99db05bdebce064f7135fb852e12e78c06eb48e96c2a6012d23 |
C:\Windows\system\DMrAExf.exe
| MD5 | e833ad00d4770fa13d6426d26f4eb680 |
| SHA1 | ebd92355d1d9cc1e3d56e04442f47326ef87ef64 |
| SHA256 | 93a7eab758a525fcb83cbacb67b910bb9353af845afefe6b0153b2645ebaa335 |
| SHA512 | a04ef2c0131e9e48f60f00ce9cfbb5e15ea84072a9b1331163294edd406a1d5bcffd56eac50dd079bc4a248a7f5a5c9b9c854e9cf1614ef3254c053bf0ea847a |
memory/2940-58-0x000000013F770000-0x000000013FAC1000-memory.dmp
memory/1300-57-0x000000013F310000-0x000000013F661000-memory.dmp
memory/2196-77-0x000000013F510000-0x000000013F861000-memory.dmp
memory/1612-76-0x000000013F510000-0x000000013F861000-memory.dmp
memory/1612-75-0x000000013F900000-0x000000013FC51000-memory.dmp
memory/2632-73-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
memory/1612-72-0x000000013FEE0000-0x0000000140231000-memory.dmp
C:\Windows\system\ZczjrSH.exe
| MD5 | de8349bf7440fd7042716b5bfbffc23c |
| SHA1 | 1ac2a7eb6f3ad115299a3562e6099df5982ffdc8 |
| SHA256 | d669f837423a51ccb0bdc5245442190d278f5eb1e63a27f397c2fc50bfb5bcd9 |
| SHA512 | e81b131ebf85635945c3236b335de6e73366238fee4523f8418f28f5189f856301f5b87450274de7f5419381e576deb1ddde1ada495e4d72e6af52c5c76e7e55 |
memory/1612-55-0x000000013F770000-0x000000013FAC1000-memory.dmp
C:\Windows\system\oRnyCGq.exe
| MD5 | 16d9a1d9dec03319424cee580fd115c9 |
| SHA1 | 3973bf9522c5740ed6f2fddcd90594711eee121a |
| SHA256 | 91ffc67a0b0412292196a67d2340708146b8867a030f0cb2e82916d5b1a7809a |
| SHA512 | 71e4890ffdb16efb63ccc869c20b2663e8c52d0a02c8a55045906e7c58cb04b72ed46b536b56b00becf86423085a0317c73ed303826a2107852709450309ad98 |
memory/1612-54-0x00000000023B0000-0x0000000002701000-memory.dmp
memory/2672-53-0x000000013FCD0000-0x0000000140021000-memory.dmp
memory/3004-52-0x000000013FD80000-0x00000001400D1000-memory.dmp
memory/1612-51-0x00000000023B0000-0x0000000002701000-memory.dmp
C:\Windows\system\SwHNJBq.exe
| MD5 | b1f31cebc28a7dad18ecd7b9f7f44bbb |
| SHA1 | 83e871f547fe3b1638371c42954f63ec1d166aeb |
| SHA256 | f4ed82ade55ea9e99fd9fe62a1d8711ac74c3bfef484247b68ff21f26fd973f5 |
| SHA512 | da38359c04f6e18611452b400003f683a7ee701d56d5864d8b0f75bc8da077923e9b4a28a1ac5c322c59eae7abaebdea40873b26f37bbea3c624aeec7613daca |
memory/2880-29-0x000000013FAB0000-0x000000013FE01000-memory.dmp
C:\Windows\system\VnTEbqX.exe
| MD5 | 1741a6cc8082ec6d7ed04383196e90f2 |
| SHA1 | 6784f6606d04fd27f41bd64587e5fa9348e22292 |
| SHA256 | 8145727230b4803be8e835aeeced4dd76815e62efd24838aeb103912e2a947c9 |
| SHA512 | 096ab67616edeeb759620b440f0a227fd64a0721092065bee7306d2bd545506147bd198dea320dcb00ca998764becfe5c638c4fe307384975decaafc55d65540 |
memory/1612-27-0x000000013FAB0000-0x000000013FE01000-memory.dmp
memory/2768-26-0x000000013FDE0000-0x0000000140131000-memory.dmp
memory/2940-146-0x000000013F770000-0x000000013FAC1000-memory.dmp
memory/1612-138-0x000000013FEE0000-0x0000000140231000-memory.dmp
memory/968-153-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/2112-152-0x000000013F210000-0x000000013F561000-memory.dmp
memory/2944-155-0x000000013FCD0000-0x0000000140021000-memory.dmp
memory/1612-154-0x000000013F770000-0x000000013FAC1000-memory.dmp
memory/2432-150-0x000000013F8B0000-0x000000013FC01000-memory.dmp
memory/2832-158-0x000000013F710000-0x000000013FA61000-memory.dmp
memory/1504-160-0x000000013FA00000-0x000000013FD51000-memory.dmp
memory/1320-159-0x000000013F120000-0x000000013F471000-memory.dmp
memory/1372-157-0x000000013F510000-0x000000013F861000-memory.dmp
memory/2256-156-0x000000013F7E0000-0x000000013FB31000-memory.dmp
memory/1612-161-0x000000013FEE0000-0x0000000140231000-memory.dmp
memory/1612-177-0x000000013F8B0000-0x000000013FC01000-memory.dmp
memory/1612-181-0x000000013F490000-0x000000013F7E1000-memory.dmp
memory/1612-185-0x000000013F210000-0x000000013F561000-memory.dmp
memory/1612-195-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/1300-216-0x000000013F310000-0x000000013F661000-memory.dmp
memory/2732-218-0x000000013FAF0000-0x000000013FE41000-memory.dmp
memory/2768-220-0x000000013FDE0000-0x0000000140131000-memory.dmp
memory/3008-222-0x000000013F730000-0x000000013FA81000-memory.dmp
memory/3004-224-0x000000013FD80000-0x00000001400D1000-memory.dmp
memory/2672-228-0x000000013FCD0000-0x0000000140021000-memory.dmp
memory/2880-227-0x000000013FAB0000-0x000000013FE01000-memory.dmp
memory/2632-232-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
memory/2940-230-0x000000013F770000-0x000000013FAC1000-memory.dmp
memory/2196-234-0x000000013F510000-0x000000013F861000-memory.dmp
memory/2700-236-0x000000013F900000-0x000000013FC51000-memory.dmp
memory/2412-238-0x000000013F490000-0x000000013F7E1000-memory.dmp
memory/2432-243-0x000000013F8B0000-0x000000013FC01000-memory.dmp
memory/2112-247-0x000000013F210000-0x000000013F561000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-14 21:30
Reported
2024-08-14 21:32
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
157s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; the report captured no description, indicator, process or target for any of them.
Cobaltstrike
xmrig
XMRig Miner payload
45 matches; the report captured no description, indicator, process or target for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\VmdFlFw.exe | N/A |
| N/A | N/A | C:\Windows\System\HrWpwrh.exe | N/A |
| N/A | N/A | C:\Windows\System\LcfYgCA.exe | N/A |
| N/A | N/A | C:\Windows\System\fhSZPqD.exe | N/A |
| N/A | N/A | C:\Windows\System\FEWJGIU.exe | N/A |
| N/A | N/A | C:\Windows\System\FusaauG.exe | N/A |
| N/A | N/A | C:\Windows\System\JLKdRTp.exe | N/A |
| N/A | N/A | C:\Windows\System\mgojWoo.exe | N/A |
| N/A | N/A | C:\Windows\System\RAwdVxY.exe | N/A |
| N/A | N/A | C:\Windows\System\GKigUoY.exe | N/A |
| N/A | N/A | C:\Windows\System\vITKEXM.exe | N/A |
| N/A | N/A | C:\Windows\System\knZtTmh.exe | N/A |
| N/A | N/A | C:\Windows\System\xirjJCy.exe | N/A |
| N/A | N/A | C:\Windows\System\IAecJVM.exe | N/A |
| N/A | N/A | C:\Windows\System\XahukFI.exe | N/A |
| N/A | N/A | C:\Windows\System\VJiWsku.exe | N/A |
| N/A | N/A | C:\Windows\System\mLlRibA.exe | N/A |
| N/A | N/A | C:\Windows\System\OvXjdPI.exe | N/A |
| N/A | N/A | C:\Windows\System\NvWXGFj.exe | N/A |
| N/A | N/A | C:\Windows\System\JlMsOKj.exe | N/A |
| N/A | N/A | C:\Windows\System\NMUuMfE.exe | N/A |
UPX packed file
64 matches; the report captured no description, indicator, process or target for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_e5f04693fd21e6635a071e3ace024253_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\VmdFlFw.exe
C:\Windows\System\VmdFlFw.exe
C:\Windows\System\HrWpwrh.exe
C:\Windows\System\HrWpwrh.exe
C:\Windows\System\LcfYgCA.exe
C:\Windows\System\LcfYgCA.exe
C:\Windows\System\fhSZPqD.exe
C:\Windows\System\fhSZPqD.exe
C:\Windows\System\FEWJGIU.exe
C:\Windows\System\FEWJGIU.exe
C:\Windows\System\FusaauG.exe
C:\Windows\System\FusaauG.exe
C:\Windows\System\JLKdRTp.exe
C:\Windows\System\JLKdRTp.exe
C:\Windows\System\GKigUoY.exe
C:\Windows\System\GKigUoY.exe
C:\Windows\System\mgojWoo.exe
C:\Windows\System\mgojWoo.exe
C:\Windows\System\RAwdVxY.exe
C:\Windows\System\RAwdVxY.exe
C:\Windows\System\vITKEXM.exe
C:\Windows\System\vITKEXM.exe
C:\Windows\System\knZtTmh.exe
C:\Windows\System\knZtTmh.exe
C:\Windows\System\xirjJCy.exe
C:\Windows\System\xirjJCy.exe
C:\Windows\System\IAecJVM.exe
C:\Windows\System\IAecJVM.exe
C:\Windows\System\XahukFI.exe
C:\Windows\System\XahukFI.exe
C:\Windows\System\VJiWsku.exe
C:\Windows\System\VJiWsku.exe
C:\Windows\System\mLlRibA.exe
C:\Windows\System\mLlRibA.exe
C:\Windows\System\OvXjdPI.exe
C:\Windows\System\OvXjdPI.exe
C:\Windows\System\NvWXGFj.exe
C:\Windows\System\NvWXGFj.exe
C:\Windows\System\JlMsOKj.exe
C:\Windows\System\JlMsOKj.exe
C:\Windows\System\NMUuMfE.exe
C:\Windows\System\NMUuMfE.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
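The one destination that matters in both network tables is 3.120.209.58:8080, contacted six times on Windows 7 and six times on Windows 10 with no DNS lookup beforehand; the in-addr.arpa PTR queries and the tse1.mm.bing.net traffic that pad out the Windows 10 table are background activity of the sandbox image rather than connections the sample initiated. The following is an added example, not part of the report: it parses the rows of the table above (including the mis-aligned ones where the protocol had slipped into the Domain column), buckets each flow as sandbox noise, OS background or command-and-control candidate, and emits a Suricata rule for the candidates. Treating tse1.mm.bing.net as OS background is an assumption for this example and should be rechecked against a clean-image baseline for the sandbox in use.

```python
"""Triage a sandbox network table: separate the image's own reverse-DNS
lookups and Windows background traffic from the destination the sample
contacted, then emit a Suricata rule for what is left."""
from collections import Counter

# Domains treated as OS background traffic in this example (assumption; extend
# with the sandbox image's known telemetry hosts from a clean-run baseline).
OS_BACKGROUND_DOMAINS = {"tse1.mm.bing.net"}
COMMON_PORTS = {53, 80, 443}

# Rows copied from the behavioral2 network table of this report, including the
# mis-aligned rows where the protocol sits in the Domain column.
BEHAVIORAL2_NETWORK = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp |
"""


def parse_rows(table: str) -> list:
    """Parse pipe-table rows; tolerant of a missing Domain cell."""
    flows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        cells = [c for c in cells if c]
        if len(cells) < 3 or cells[0] == "Country":
            continue
        country, dest, rest = cells[0], cells[1], cells[2:]
        proto = next((c.lower() for c in rest if c.lower() in ("tcp", "udp")), "")
        domain = next((c.lower() for c in rest if c.lower() not in ("tcp", "udp")), "")
        ip, _, port = dest.rpartition(":")
        flows.append({"country": country, "ip": ip, "port": int(port),
                      "domain": domain, "proto": proto})
    return flows


def classify_flow(flow: dict) -> str:
    d = flow["domain"]
    if d.endswith(".in-addr.arpa"):
        return "sandbox_noise"          # reverse lookups of addresses the image observed
    if d in OS_BACKGROUND_DOMAINS:
        return "os_background"
    if not d and flow["port"] not in COMMON_PORTS:
        return "c2_candidate"           # direct-to-IP on an unusual port with no DNS first
    return "unclassified"


def triage(table: str) -> dict:
    """Map bucket -> Counter of (ip, port, proto) -> hit count."""
    buckets = {}
    for flow in parse_rows(table):
        key = (flow["ip"], flow["port"], flow["proto"])
        buckets.setdefault(classify_flow(flow), Counter())[key] += 1
    return buckets


def suricata_rules(buckets: dict, min_hits: int = 2, sid_base: int = 1000001) -> list:
    """One rule per C2 candidate seen at least min_hits times; sids from 1000000 are the local range."""
    rules = []
    for i, ((ip, port, proto), n) in enumerate(sorted(buckets.get("c2_candidate", {}).items())):
        if n < min_hits:
            continue
        rules.append(f'alert {proto} $HOME_NET any -> {ip} {port} '
                     f'(msg:"Sandbox-derived C2 candidate {ip}:{port}, {n} hits"; '
                     f'flow:to_server; sid:{sid_base + i}; rev:1;)')
    return rules


if __name__ == "__main__":
    result = triage(BEHAVIORAL2_NETWORK)
    for bucket, counter in result.items():
        print(bucket, dict(counter))
    print("\n".join(suricata_rules(result)))
```

Running the Windows 7 table through the same function yields the single c2_candidate entry with six hits and nothing else, which is the cross-platform agreement that makes the address worth blocking. Give the indicator an expiry when it goes into a blocklist: a public-cloud address is reassigned long before most indicator feeds retire it.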
Files
memory/1512-0-0x00007FF727890000-0x00007FF727BE1000-memory.dmp
memory/1512-1-0x000001924B7A0000-0x000001924B7B0000-memory.dmp
C:\Windows\System\VmdFlFw.exe
| MD5 | 1d6ae61b79dd29d5cf64691019b8c7da |
| SHA1 | 575b0f0a1981a58861f16a9279baee6c8f76ae26 |
| SHA256 | a7a81865df788d335566c26cae8ee899dbeb8884b3bf27a2f8eac53c7dec0438 |
| SHA512 | 70167183794cc173656bbb08f0ed7cc242032056af1eb872e3b954169fe564a10f91d0760279795b2436374452a78a4b21cae17fdc64ce6016c4d978d2c1b6fe |
memory/1540-7-0x00007FF6F3100000-0x00007FF6F3451000-memory.dmp
C:\Windows\System\LcfYgCA.exe
| MD5 | 5ced0a8d5a36cf93c36f7f55fbe22a2e |
| SHA1 | 616946d8f3fcbcfbff3dc4bb8316cd885f0b08fc |
| SHA256 | f65d41d9778dba3219ccb5477109e87bf1e8f479d6f3a653d18d357fdfcf7a27 |
| SHA512 | b2a712fd04a2df8c6f1a11877969b21031d05dd8f0c964e452d026b394ff635b45357aa697c18381630393bf2ede8548674d150957b35984d37d3b4765de8270 |
C:\Windows\System\FEWJGIU.exe
| MD5 | 41ca8e0732e7c0d78290e3715e5c52f0 |
| SHA1 | 3096e54046ac2d9acaec96599fbb909510fe9892 |
| SHA256 | d79363cc9f9ed64ef2e906e6c5d80be4655000f76d800d37df574eadb8453086 |
| SHA512 | fff1f822b7e7abb85e0240e9dde200794cbde6bd1c21c6d52ac44aebb69c751288b5933edbe21578c76ac821f3a65573cedc12e9a85fa433f74d4366d68d868f |
memory/3472-56-0x00007FF738370000-0x00007FF7386C1000-memory.dmp
C:\Windows\System\GKigUoY.exe
| MD5 | eeada16a851550b8f82abedd22f3adf3 |
| SHA1 | b95c946e9ccc2278c8925a83495653fa09ceba7f |
| SHA256 | 70cbfc601f3c526d7fcf83984935ab42762d350f4d9634af70842eeccf5ae76c |
| SHA512 | abf5d1fe4139fde66a9e8f76c4eda9e39e9475d187b47f23c8e4239a5fc0e180c0a4dc8d15ba5fe6a4048e41b6ade939998732c349566872db643be41f89f55e |
C:\Windows\System\IAecJVM.exe
| MD5 | 7bce583462bb86869a9eb5c3f3c81385 |
| SHA1 | 080a3ba8e08a042e9fe3137968ac75cca4ef6ac6 |
| SHA256 | 80ef5c3f3b29b64b396f5ba63fb2207b0baf0498d587ae134de72601bc9842c9 |
| SHA512 | 4496312d364fb4a2263330821f891951ca478897299b82c7dc6056d368911a7fe3567cda952f3d981e7baa08c6d7ebf242e8a5a478f685b5e01d9a9082aa36e5 |
C:\Windows\System\mLlRibA.exe
| MD5 | ca57eacd498740f27fef40ad6497c330 |
| SHA1 | 4e88f704d4f01b5b07dd468065463c6a40b95186 |
| SHA256 | c0f865974e137791b125108b7e157dfb3ad7fb5ae6f8a23828210ba128aa9ec6 |
| SHA512 | 4ec66a2e7e121eb863200999588de081f3c965abfc4a8023549ffefe60297b408a88098955e4c4a92844478c9fa22934b0a73bc9e2102d2efdde629869064b78 |
memory/3056-105-0x00007FF75D5C0000-0x00007FF75D911000-memory.dmp
memory/3828-110-0x00007FF6B8B80000-0x00007FF6B8ED1000-memory.dmp
memory/3784-117-0x00007FF708590000-0x00007FF7088E1000-memory.dmp
memory/1832-120-0x00007FF6A2B90000-0x00007FF6A2EE1000-memory.dmp
memory/4216-125-0x00007FF7A4670000-0x00007FF7A49C1000-memory.dmp
memory/2232-127-0x00007FF67BEC0000-0x00007FF67C211000-memory.dmp
memory/624-126-0x00007FF6A62F0000-0x00007FF6A6641000-memory.dmp
memory/2528-124-0x00007FF7A3020000-0x00007FF7A3371000-memory.dmp
memory/4940-123-0x00007FF6A13A0000-0x00007FF6A16F1000-memory.dmp
memory/1172-122-0x00007FF6B03F0000-0x00007FF6B0741000-memory.dmp
C:\Windows\System\NMUuMfE.exe
| MD5 | efadf0eccba382c4e9094b72b18f8f48 |
| SHA1 | a472c0851e395adb7616a5bd4c178cad531fad7b |
| SHA256 | b0987761d3aa52ff44bfa29f96064bb0feac4da2defcf065e8a43411af42d01c |
| SHA512 | e632afb8c9baeb6a5299c496dcf328c639610c52c8c0ee88e3e6fc20dd2561729ec768439d73850328da8e16dd6d3b168345d7acc4a0c282c21ebddec4ce07a6 |
memory/4928-118-0x00007FF685390000-0x00007FF6856E1000-memory.dmp
C:\Windows\System\JlMsOKj.exe
| MD5 | 38299120715a385b11ff2b441ac94c34 |
| SHA1 | cb6b810e1dc4abb31c3f86239cb76eb7c405fa78 |
| SHA256 | fd7db49b8aed37225d52820de5b512177d8812ccf011f405e21eff3106a06d02 |
| SHA512 | 2a953562b009945658508c5aa1113ae36de21604a98b7b384aee1a5cc26d528a1340e4fffdb46e1d5a0839a8141d459872c1662f13d38f6d7331772576a743e5 |
C:\Windows\System\NvWXGFj.exe
| MD5 | 9f4913d2e2415595d9c3f9a8a22bb720 |
| SHA1 | 91b1b8183dc19d15ebd6ff2d20542ed0784695f1 |
| SHA256 | 7266ee624b202358b17d9b4797757a8fe3d6941f7cb7d66c1aec94e59df61d05 |
| SHA512 | a9a6893152bd29620fc512bf1f26f931471b18254c04a6d923176947d4e031d4cd9d8c690e2047e522b100ae5f86197399aebf8c390003c5bd10097b780fdd92 |
C:\Windows\System\OvXjdPI.exe
| MD5 | 10e7df477027bf68f1a468fe70febdd8 |
| SHA1 | af20b1dfc023850eab422ba15bc19da1b9d056ca |
| SHA256 | 8d086fe4f58d06dfa51ffcc8bc3fabfaad3c48fad69d65ec1f016adadb1d62bf |
| SHA512 | 5acbb80520002023a9c229f718ad31cba744f257a5c6101331f88e407b61fa42ed5e8a361716425d81c40131d4980012893f49e897b2d289178489c9a4e105ef |
memory/1116-109-0x00007FF6504C0000-0x00007FF650811000-memory.dmp
C:\Windows\System\VJiWsku.exe
| MD5 | db9ffe93446c853c3be1572b0a8d5084 |
| SHA1 | ba4abfa60d888a758340e6999efa452df6840074 |
| SHA256 | 6b6bc82223e578c1f23b1afd92c16b246b8b19b2d31a7fc82aad5909bd5a146f |
| SHA512 | 1536c8d7edc42d22be8e3404e5e45244a5c5cf6c809056fb9ac548690a46fd4733cb398eb5e8de544d8fc56255abac21e577467e2db3ca4275417f67ed7cf129 |
C:\Windows\System\XahukFI.exe
| MD5 | a0d97fe6451043292b9259a57799bf34 |
| SHA1 | 9d0b8c24d6126f66b11b38d71512639e0f1740d0 |
| SHA256 | ea6ec688cdcc4b48efedd010148504dfeeb4bd6be342c9aae0bbe08e4f0a05fe |
| SHA512 | d44160ea6a75dfa8c1cd9987796cea302cb44fb33fd7ad7568d1d114b345fa82da00efbf6d8e6edaa885b597e6e9a14ceac9bf46d465832590f0d3dafa3807ee |
memory/2988-95-0x00007FF783AA0000-0x00007FF783DF1000-memory.dmp
memory/1456-91-0x00007FF6DD2A0000-0x00007FF6DD5F1000-memory.dmp
C:\Windows\System\xirjJCy.exe
| MD5 | 9efdf32e581bf42cb82dcae58fce83d7 |
| SHA1 | e2e128674a80a74e484601341728a16e360f25e2 |
| SHA256 | 270adea835bb370ba56f8c6e1fee25e270b427fef1345a8b1987eaef399df0d2 |
| SHA512 | 91fac3c8829fe0fc1ff56672116a51661137f61ca2766adc2b9b01c76af1ea939402ea392d4e38a5dadabafa92b0dc55fffff7bb20f030d156f93e7039dede5a |
C:\Windows\System\knZtTmh.exe
| MD5 | b2fd54ce73bec966a961bce56da5e916 |
| SHA1 | 51c032a0459123f829a1ec0d5e3ecab200909a8c |
| SHA256 | a6b5a0c8c926c9d91499e6317ed3b1b1f14283a661897b006bc79e9b1aa6c79d |
| SHA512 | 51cd36b54705209ec71a5f56e29bd44cd64d1cdeef204aa82fe97ff8d8086f6a495fe5874aa87a458dd76ef17a9dcee4916f55259c82f05e8365a0e922c8eac8 |
C:\Windows\System\vITKEXM.exe
| MD5 | 4e79c915ed1ff2761a711edb2721decd |
| SHA1 | 89530eea95bc256ebe999f1a369e88781dc0e77c |
| SHA256 | ce3d0828dea500ad5a4a88ae22a412abb250f599318ea0818f73047d4549e1f4 |
| SHA512 | 5134f27bec137b0f54ce0ec3abdbc8d652af60f976f6d43cce1e8cd30d452f9146f45d60abcf908c3047fcebd55285509918c940dfcbe574a2a021c5c97d7a2d |
memory/1328-68-0x00007FF6C4A30000-0x00007FF6C4D81000-memory.dmp
C:\Windows\System\RAwdVxY.exe
| MD5 | 50cc22e30d665a73370e728273662789 |
| SHA1 | 578da1e64581e2ffe045754df4162e74186ee89e |
| SHA256 | aec5a674320abca9a23940559cc960d80627a70f534392106735abba46403c21 |
| SHA512 | b82ba2d5be48ca9e4ecfae216c36bbc8e36f5ae36b46b0bf93c38b3ccdf7309e5a9de22c47cbbdee561934bc5ed718001ee6e8907f279b38fbc446e9f5aa964c |
memory/3416-57-0x00007FF7C2870000-0x00007FF7C2BC1000-memory.dmp
C:\Windows\System\mgojWoo.exe
| MD5 | 62ae09efdc59a8cf07e84cae618d3dc4 |
| SHA1 | 951d0aee29a45b07ebd03aecbbb32fac2d846a23 |
| SHA256 | 0e90418e17eef8a57decc59c67c1b09200d8d4673091d4feb8c53d44380c4127 |
| SHA512 | 08c4334fb85ae77e9f88f07504c45b27b97676b98b9def96c99be380104b68052d20311b53e42d947c4a0963b744a8a2d22c5ada844874a9d1ccba95497eb4a3 |
C:\Windows\System\JLKdRTp.exe
| MD5 | d40ed6926b3e62c87ea7b5408640a458 |
| SHA1 | 0512cdb2136ed0826d8e6f66c9783de6ec0b6a28 |
| SHA256 | a2fe3580715e94b1d5ea7829a2f8f61d9d023516d1e9984fe4a1e721af3e4f18 |
| SHA512 | a294261c1a4211933fcf16ae6372f1dde5fa7b779e75b9098fb3db77406cd97de173d19bc58ec755191aaf0a03036cde3eaeb4117e3cac75d78cb8835d050ae9 |
memory/1332-41-0x00007FF741900000-0x00007FF741C51000-memory.dmp
C:\Windows\System\FusaauG.exe
| MD5 | 69d932b847c376e0da53da84ad12ff2d |
| SHA1 | d00eef3b0aee808b4f3446315cdd8812f25ad2cf |
| SHA256 | 1062e5b02b8f4159a897b31380058e66c5ba2abbf4706dc5e7d3d70e7d1f42bf |
| SHA512 | d79213b7a725dd7903ff0532a594c5af37b3f13fc34913a822ad369c84c90d7cfcefbeca0ccca8a5add450d824e63522ef3569e0a49dd7a8d3b17f19bc34c748 |
C:\Windows\System\fhSZPqD.exe
| MD5 | a8e67751c413192c1961bf08fe7533a3 |
| SHA1 | 734bb165fb08566185b21d8a17113d285fb8215b |
| SHA256 | 2c63a1a26a3764f64647548dfd4b5ab092048bc981a70f47446cddc953268676 |
| SHA512 | 8f1f137744de36b3fab2de25003267f1460114bd701fb3a4a999272249367251749f91361bccb45cff9748f2c104be74e54117dc8136f66aee424d205b8480a2 |
memory/3852-30-0x00007FF7290F0000-0x00007FF729441000-memory.dmp
memory/2872-17-0x00007FF617B90000-0x00007FF617EE1000-memory.dmp
C:\Windows\System\HrWpwrh.exe
| MD5 | 25cc1ac540e3231c6518299feba1a70c |
| SHA1 | b397974a43411f779a49a9fc42f4d9848a5e541c |
| SHA256 | 1a1d290fc4b8bbda5ce792a53d112ee3c6e4aa0af78d00f2bac987cc182cb1b0 |
| SHA512 | 5ea90645fd6b7a1e4a7544437352dd6860c4d022264ad87652c0710cd75cfbd5f3a20500d5620f22ff17e7a6890cff79837893325ea589b2ee3f31e2093d83d0 |
memory/1332-133-0x00007FF741900000-0x00007FF741C51000-memory.dmp
memory/3784-147-0x00007FF708590000-0x00007FF7088E1000-memory.dmp
memory/1456-139-0x00007FF6DD2A0000-0x00007FF6DD5F1000-memory.dmp
memory/3416-138-0x00007FF7C2870000-0x00007FF7C2BC1000-memory.dmp
memory/2872-131-0x00007FF617B90000-0x00007FF617EE1000-memory.dmp
memory/1540-129-0x00007FF6F3100000-0x00007FF6F3451000-memory.dmp
memory/1512-128-0x00007FF727890000-0x00007FF727BE1000-memory.dmp
memory/1512-150-0x00007FF727890000-0x00007FF727BE1000-memory.dmp
memory/1512-172-0x00007FF727890000-0x00007FF727BE1000-memory.dmp
memory/3852-220-0x00007FF7290F0000-0x00007FF729441000-memory.dmp
memory/1540-218-0x00007FF6F3100000-0x00007FF6F3451000-memory.dmp
memory/2872-222-0x00007FF617B90000-0x00007FF617EE1000-memory.dmp
memory/3472-226-0x00007FF738370000-0x00007FF7386C1000-memory.dmp
memory/1172-230-0x00007FF6B03F0000-0x00007FF6B0741000-memory.dmp
memory/1332-228-0x00007FF741900000-0x00007FF741C51000-memory.dmp
memory/1328-236-0x00007FF6C4A30000-0x00007FF6C4D81000-memory.dmp
memory/3416-234-0x00007FF7C2870000-0x00007FF7C2BC1000-memory.dmp
memory/4216-240-0x00007FF7A4670000-0x00007FF7A49C1000-memory.dmp
memory/1456-238-0x00007FF6DD2A0000-0x00007FF6DD5F1000-memory.dmp
memory/3056-246-0x00007FF75D5C0000-0x00007FF75D911000-memory.dmp
memory/1116-248-0x00007FF6504C0000-0x00007FF650811000-memory.dmp
memory/3828-250-0x00007FF6B8B80000-0x00007FF6B8ED1000-memory.dmp
memory/4928-256-0x00007FF685390000-0x00007FF6856E1000-memory.dmp
memory/3784-254-0x00007FF708590000-0x00007FF7088E1000-memory.dmp
memory/2232-258-0x00007FF67BEC0000-0x00007FF67C211000-memory.dmp
memory/624-252-0x00007FF6A62F0000-0x00007FF6A6641000-memory.dmp
memory/2528-244-0x00007FF7A3020000-0x00007FF7A3371000-memory.dmp
memory/2988-242-0x00007FF783AA0000-0x00007FF783DF1000-memory.dmp
memory/4940-233-0x00007FF6A13A0000-0x00007FF6A16F1000-memory.dmp
memory/1832-224-0x00007FF6A2B90000-0x00007FF6A2EE1000-memory.dmp
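The dropped-file and memory-dump entries above are a flat list, which is awkward to consume as indicators. The block below is an added example written for this page, not code from the sandbox report or its vendor: it parses that exact flattened format (a `memory/<pid>-<seq>-<start>-<end>-memory.dmp` name, or a dropped-file path followed by its `| MD5 | ... |` rows) into structured data, validates that each hash has the length its algorithm requires, and computes the size of every dumped region. The embedded sample is a constructed subset copied from the entries above; run against the full section, every region comes out at 0x351000 bytes, which is consistent with the same PE image being mapped at its image base in each of the spawned processes.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of lines copied from the report section above,
# in the same flattened form. Embedded so the example runs offline.
SAMPLE_REPORT = """\
memory/3828-110-0x00007FF6B8B80000-0x00007FF6B8ED1000-memory.dmp
memory/3784-117-0x00007FF708590000-0x00007FF7088E1000-memory.dmp
C:\\Windows\\System\\NMUuMfE.exe
| MD5 | efadf0eccba382c4e9094b72b18f8f48 |
| SHA1 | a472c0851e395adb7616a5bd4c178cad531fad7b |
| SHA256 | b0987761d3aa52ff44bfa29f96064bb0feac4da2defcf065e8a43411af42d01c |
| SHA512 | e632afb8c9baeb6a5299c496dcf328c639610c52c8c0ee88e3e6fc20dd2561729ec768439d73850328da8e16dd6d3b168345d7acc4a0c282c21ebddec4ce07a6 |
memory/4928-118-0x00007FF685390000-0x00007FF6856E1000-memory.dmp
C:\\Windows\\System\\JlMsOKj.exe
| MD5 | 38299120715a385b11ff2b441ac94c34 |
| SHA1 | cb6b810e1dc4abb31c3f86239cb76eb7c405fa78 |
| SHA256 | fd7db49b8aed37225d52820de5b512177d8812ccf011f405e21eff3106a06d02 |
memory/3828-250-0x00007FF6B8B80000-0x00007FF6B8ED1000-memory.dmp
memory/1512-128-0x00007FF727890000-0x00007FF727BE1000-memory.dmp
memory/1512-150-0x00007FF727890000-0x00007FF727BE1000-memory.dmp
"""

# Dump names encode pid, a sequence number and the [start, end) virtual range.
MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
# A dropped-file entry is a Windows path on its own line.
FILE_RE = re.compile(r"^[A-Za-z]:\\.+$")
# Hash rows are flattened two-column table rows.
HASH_RE = re.compile(r"^\|\s*(?P<algo>MD5|SHA1|SHA256|SHA512)\s*\|\s*(?P<value>[0-9A-Fa-f]+)\s*\|$")
HASH_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def validate_hash(algo, value):
    """True if value is a hex digest of the length the algorithm produces."""
    return algo in HASH_HEX_LEN and len(value) == HASH_HEX_LEN[algo] \
        and all(c in "0123456789abcdefABCDEF" for c in value)


def parse_report(text):
    """Parse the flattened report into (dropped_files, memory_regions).

    dropped_files: {path: {algo: lowercase hexdigest}}
    memory_regions: [{pid, seq, start, end, size}] in document order
    """
    files, regions, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            regions.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                            "start": start, "end": end, "size": end - start})
            current = None  # a dump line ends any open file entry
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row without a preceding file path: {line}")
            algo, value = m["algo"], m["value"]
            if not validate_hash(algo, value):
                raise ValueError(f"{algo} for {current} has bad length {len(value)}")
            files[current][algo] = value.lower()
            continue
        if FILE_RE.match(line):
            current = line
            files.setdefault(current, {})
            continue
        current = None  # any other text closes the current entry
    return files, regions


def region_summary(regions):
    """Distinct (start, end) ranges per PID and which PIDs share each region size.

    Repeated dumps of the same range (same pid, same addresses, later seq) are
    collapsed, since they are re-dumps of one mapping, not new injections.
    """
    ranges_by_pid, pids_by_size = defaultdict(set), defaultdict(set)
    for r in regions:
        ranges_by_pid[r["pid"]].add((r["start"], r["end"]))
        pids_by_size[r["size"]].add(r["pid"])
    return {
        "pids": sorted(ranges_by_pid),
        "regions_per_pid": {pid: len(v) for pid, v in ranges_by_pid.items()},
        "distinct_sizes": {hex(s): sorted(p) for s, p in pids_by_size.items()},
    }


def sha256_blocklist(files):
    """Sorted SHA256 set suitable for a hash-based block rule or hunt query."""
    return sorted(h["SHA256"] for h in files.values() if "SHA256" in h)


if __name__ == "__main__":
    dropped, dumps = parse_report(SAMPLE_REPORT)
    print(region_summary(dumps))
    print(sha256_blocklist(dropped))
```

When fed the whole section, `distinct_sizes` has a single key, so the dumps differ only by PID and base address; a hunt for the same image loaded under many random 7-character names in `C:\Windows\System\` is a stronger pivot than any one of the file hashes, which differ per drop.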