Analysis Overview
SHA256
91dc3677505c52eb853eae7c3e1ee0189387ead408ac6d68415a7d29e25a5c8e
Threat Level: Known bad
The file 2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Cobalt Strike reflective loader
xmrig
Cobaltstrike
Xmrig family
Cobaltstrike family
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-14 21:14
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-14 21:14
Reported
2024-08-14 21:16
Platform
win7-20240729-en
Max time kernel
141s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\azmcFMN.exe | N/A |
| N/A | N/A | C:\Windows\System\qfHNGpF.exe | N/A |
| N/A | N/A | C:\Windows\System\yOJgSWP.exe | N/A |
| N/A | N/A | C:\Windows\System\CcqRruC.exe | N/A |
| N/A | N/A | C:\Windows\System\KblNPTD.exe | N/A |
| N/A | N/A | C:\Windows\System\BXvqMLw.exe | N/A |
| N/A | N/A | C:\Windows\System\nMQZUhu.exe | N/A |
| N/A | N/A | C:\Windows\System\ATgNxkd.exe | N/A |
| N/A | N/A | C:\Windows\System\RYcurfh.exe | N/A |
| N/A | N/A | C:\Windows\System\FGumifU.exe | N/A |
| N/A | N/A | C:\Windows\System\AbKoSTI.exe | N/A |
| N/A | N/A | C:\Windows\System\SarEDSe.exe | N/A |
| N/A | N/A | C:\Windows\System\nBFcgGR.exe | N/A |
| N/A | N/A | C:\Windows\System\LwgPVVm.exe | N/A |
| N/A | N/A | C:\Windows\System\gWgKSUG.exe | N/A |
| N/A | N/A | C:\Windows\System\vIwDYXo.exe | N/A |
| N/A | N/A | C:\Windows\System\EowHJVn.exe | N/A |
| N/A | N/A | C:\Windows\System\KOsCvhT.exe | N/A |
| N/A | N/A | C:\Windows\System\Evqlfcf.exe | N/A |
| N/A | N/A | C:\Windows\System\tNGjBYh.exe | N/A |
| N/A | N/A | C:\Windows\System\AktOWTj.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\azmcFMN.exe | C:\Windows\System\azmcFMN.exe |
| C:\Windows\System\qfHNGpF.exe | C:\Windows\System\qfHNGpF.exe |
| C:\Windows\System\yOJgSWP.exe | C:\Windows\System\yOJgSWP.exe |
| C:\Windows\System\CcqRruC.exe | C:\Windows\System\CcqRruC.exe |
| C:\Windows\System\KblNPTD.exe | C:\Windows\System\KblNPTD.exe |
| C:\Windows\System\BXvqMLw.exe | C:\Windows\System\BXvqMLw.exe |
| C:\Windows\System\ATgNxkd.exe | C:\Windows\System\ATgNxkd.exe |
| C:\Windows\System\nMQZUhu.exe | C:\Windows\System\nMQZUhu.exe |
| C:\Windows\System\RYcurfh.exe | C:\Windows\System\RYcurfh.exe |
| C:\Windows\System\FGumifU.exe | C:\Windows\System\FGumifU.exe |
| C:\Windows\System\AbKoSTI.exe | C:\Windows\System\AbKoSTI.exe |
| C:\Windows\System\LwgPVVm.exe | C:\Windows\System\LwgPVVm.exe |
| C:\Windows\System\SarEDSe.exe | C:\Windows\System\SarEDSe.exe |
| C:\Windows\System\KOsCvhT.exe | C:\Windows\System\KOsCvhT.exe |
| C:\Windows\System\nBFcgGR.exe | C:\Windows\System\nBFcgGR.exe |
| C:\Windows\System\Evqlfcf.exe | C:\Windows\System\Evqlfcf.exe |
| C:\Windows\System\gWgKSUG.exe | C:\Windows\System\gWgKSUG.exe |
| C:\Windows\System\tNGjBYh.exe | C:\Windows\System\tNGjBYh.exe |
| C:\Windows\System\vIwDYXo.exe | C:\Windows\System\vIwDYXo.exe |
| C:\Windows\System\AktOWTj.exe | C:\Windows\System\AktOWTj.exe |
| C:\Windows\System\EowHJVn.exe | C:\Windows\System\EowHJVn.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\azmcFMN.exe
| MD5 | eb64a4a31e6dd61fd29ed72a2238cf7d |
| SHA1 | 15600900814adf133be4e324225b336ab648c0fd |
| SHA256 | 8154889dec80f1358800bacf4bf0ce89d2086c5132cbfaf608a5704cb7602b02 |
| SHA512 | 91885a2de7a54db2e9f5677798a4ddc9aeffe61b2032d5ebab3233c636cecb9238704c1086723c5ff4d4eb06c83523653e4c293e2bf26eed8631710675ffbaaf |
\Windows\system\qfHNGpF.exe
| MD5 | 8144c0f1cd936f497c2890b2919b169c |
| SHA1 | 712ed042a5a402ce6babee2b613f34d93cda41d4 |
| SHA256 | 8539ab292c67fbad3b27fc4639140abfced04dc425042ca035c76c8a88d4359b |
| SHA512 | 33aff8b047045d34c53739418f3339f8460772e50ada1d641ec7cb23001a6492f1f2f54a9439455fb2b3973df856eaa3b412a66ba68ba63c34fa14dd6988f894 |
\Windows\system\yOJgSWP.exe
| MD5 | 3c3f47e5c96c75852beb4f0aae5cc866 |
| SHA1 | eeb58bba1fd1cce913b3be2699c2b5e9921d7f00 |
| SHA256 | b7da5a9ee950c43272611f852a2b1bca50f8a6f9e146d5ebc0e45adafbef3911 |
| SHA512 | 67ce6fdfb137e8c238c7f0df9ced46051e416518680d22238a9dd2a027f95ca52c14f558114ce6836739abf12446bf305e483e7215029c19538014e359fdfa56 |
C:\Windows\system\CcqRruC.exe
| MD5 | 15543f4ac755d979e37dc500b31b6dc5 |
| SHA1 | 7ef01075bd8766a61c234521537a9a53d2320842 |
| SHA256 | ffd7ee3b3a3e0f6421f5531d2d5bd05f7e16675a4108c1f5917a4f3b53362739 |
| SHA512 | be86629369a858bee6fab8f5dea55e149182c73ce5914870e3c48f10fdea35125beeadb1e035b64b8bd9f1f4180fc77736b89d3f221a447f7c84f5f464aeaa30 |
\Windows\system\KblNPTD.exe
| MD5 | 9c5bd96edbc9618e8e54b853eb438451 |
| SHA1 | 1fe80323282cbf63c5b5e9fe613e0ea70374b543 |
| SHA256 | c4eafc35241744d479ed28a52786407f540dc8162d25e53284a799dd89e97d47 |
| SHA512 | f2204625f2349d62cce82489dd2d86fb08033f54e671cb3501ef0a2408839078a54a5014decb03d984398a555cc08d8c12100ecc29c2e953cb4335468bb6a3a1 |
C:\Windows\system\BXvqMLw.exe
| MD5 | e6c609677ad9e8614dcf17c4a0f94ffc |
| SHA1 | acaed90af06b55f4281c798d63a52736daae4458 |
| SHA256 | ff8b403219e2ba59c6ae50771a21e40c583163256f852de25490a991540ed69b |
| SHA512 | 6e4f2e0149f71c92c0e88433d57337c64c2ec9f4f4eb0cca1202f3ef399412769a620e54c8ed0b0f1273e4dc37ff0480a0648e3874da35d87cd5fedf2c2c2338 |
C:\Windows\system\RYcurfh.exe
| MD5 | e65cc83426d4de0bc5227bc048d7773e |
| SHA1 | a3bc20885d8785883cce9787414841878ef1a6c8 |
| SHA256 | b2f829f11d25d40201e95f943dd62668caf17eba7c35c3be7b89672323f7a61a |
| SHA512 | 98073180b21bf2651986a39a0c4e2d0e87f392f1bfbc27862006117c1fd181b13b7a3a6f9049049b097607968dbe136e7f45c93cc24fa6d1191abac94c305973 |
\Windows\system\FGumifU.exe
| MD5 | bffec7ce62b0f2c927bccd78b30ee9ab |
| SHA1 | f3a681d3c61e4ba5506b62080770e5a32b84a2a0 |
| SHA256 | 1e80ba7c1a8437b8fc186ab56837c6e826a5455930ddccaef46d27fca5d44a73 |
| SHA512 | 68ed80be85ff001fc6a3b248b52cebbb3e6e6f8dbdb9a6cbafb757c52aee112874fcf74cd08f8dd353515397c7eb861ef9feb09b125d7dcdbbfd08e771dfc045 |
C:\Windows\system\nBFcgGR.exe
| MD5 | 73b2e1b9b502a6db76cf0e52602368cc |
| SHA1 | 3864a331d6022e9a6661b7374238d7285788d106 |
| SHA256 | 438332a28094254750563b5d9af43a5fe0c94c4a3f46da68220382ea1964cdcb |
| SHA512 | 763646f6591a1e2fad7760072262043b7247a1f5af01592227730cd075b00ccda8a9fafe8044fb689022a0dacc7ce3eaeb67274f0c30e8cd0aece6224f31b72e |
\Windows\system\LwgPVVm.exe
| MD5 | 483102acf827b80cc6e652fe3bdf8c52 |
| SHA1 | 6cb2bd7396ffd55cb5c93a351a2e3ff13821f54b |
| SHA256 | fd77cd403f5034d77f011eaf3fafbb7fcbfd3d2fd0e637c9a274a45820ccd5db |
| SHA512 | 2fb254fc5c532f92891b9c6f0397cadbef244a9d6784103b9decb833e66bdef465c6d3730e3cf2b4072aed40aabeae69461eb9a151e6e65e5b4c03d2ef33fc1c |
C:\Windows\system\AktOWTj.exe
| MD5 | 22bb8ea04632bd4c48bd31f6f3dd7217 |
| SHA1 | c0afcfa900d2e5609cd9074c2ce78687624daf42 |
| SHA256 | 69c91916cdb3ba9118086fe334d8a4bcc35cf594d93d18dde815a42897aaba59 |
| SHA512 | b281173795e8d3e08f3b1fdfa31df4be2b650a7e06bfc251d4c53e6ea8f8be44ce82fb0756d6fef0cc0ffb2d26582783d94ab9f4542a708b36063a9f97e51c43 |
\Windows\system\tNGjBYh.exe
| MD5 | c9587a2f982e43c69d3fc42712ff3a02 |
| SHA1 | cf6bd35b910c2f554ff9a29060ad40c02fcfb2cf |
| SHA256 | e15135977ab57f9ee314efe67cb98011b49e56110ea56a9cd303747135afd771 |
| SHA512 | c2ea2a54431b823e41e5d9178f61e7d474734ac82106128f0c4c3edcd32b733ed7ba2ddeb95c23cf656eb68f744bd84c3a372a93d677a8078949bdb3dc3ec73e |
\Windows\system\Evqlfcf.exe
| MD5 | cd1dc294b89bc2194203d76d609090c4 |
| SHA1 | 15baf23b00434ae94cd13e9f80c851ffc47469fe |
| SHA256 | c57e402a6b103600b7f084104ddd0f0edf601dfa8463bf6e6aa71a6f51ae5931 |
| SHA512 | 40081efa29c97fece6894b26d17a1379c278602beab74aaca7ba05d4160436cc7c862453b8913ecefe06078861d641febaa90744b8316adc0fd6c5077bdacfc3 |
C:\Windows\system\SarEDSe.exe
| MD5 | f987d5fb5c2aadec1f85eed2a06e4c61 |
| SHA1 | 54d935b1cd10623634d3ed410bc08015741e9aad |
| SHA256 | 6c87885d8c1603a4c4ff0bcbe669806d8aa527086f69f96db2e1b71f829238e2 |
| SHA512 | 81412e7dfae75f888248d01ed59c14f556001ffa644cf578f93c11ac96a95a322b3c4b2b5913f5f56828e7eb203aae606171c1d99859809d7df6f13663caf9b0 |
\Windows\system\KOsCvhT.exe
| MD5 | ff478d3018e6efeb9defc34287871fa1 |
| SHA1 | cb1d279231359f7283cd6a33e7b4499a2191c1bb |
| SHA256 | dd35a71f8392af05fe272addbb83e5e3ff9d7cceeaeb3ccee0718490731e46d8 |
| SHA512 | b1ffc80c5214a65896dcde6df8c4284894596d9b59f8c5914733881c058111b4ea262bd1a76157755e1c59f485611963a52cee1b454a81ba05a7635f0326ebe8 |
C:\Windows\system\EowHJVn.exe
| MD5 | 5d2f4e2479831b0bde77ed27b15f03f6 |
| SHA1 | a044d00f7c0ce1deee8edbfdef5cf110a49a2f3a |
| SHA256 | 7b603a10bf59df625659e4d0ad8481b7a83697568ba25d0ca4bf202115ba13ab |
| SHA512 | 33bba89c213321dc426dec105a77ebbfeaf82a45938bafc9cca4dc9f9cafa8a662cb1df9d16dbb5dc63b4c1c383dea3390b08b144f850a8101751ef50d69ca24 |
C:\Windows\system\vIwDYXo.exe
| MD5 | 8caa01aa8c18eab62312847e52f2dcf4 |
| SHA1 | c45eed710c102cbf9ecea76165c92b4a67144832 |
| SHA256 | 1cd187aa2e0ef8c05f045071cc86bcc44a9362f571762cacd99fc54ad72b8ef1 |
| SHA512 | aa905a0dd1b536b94438c004c8cf7e27d140c949f0e2a209255c700ed0c912845af16d24c4a16a5a7bb59243a85f2e6a981a0e51dfc4a04fcd59fcfbe7d5a79a |
C:\Windows\system\gWgKSUG.exe
| MD5 | 241e19c0e1017b01408c87cb3adf847f |
| SHA1 | fc2ee032df8c38fe88873362c55321adac9cd1b6 |
| SHA256 | 84c92195eb836a6c3f7fcfdb9d92bbb4edf84dcd87566c62bbf152dcfdfeeb12 |
| SHA512 | bf58c078c5e7cdbca5b32f6857bac22efd1aad7e1b5a3c49ed8ab3bd5dba215778c0d94a6b0098f3bc75b996c2ac64fb8be77cac203fecb0955cb57f9a93e36d |
C:\Windows\system\AbKoSTI.exe
| MD5 | 3f2e59055f95f804db5525b552c42792 |
| SHA1 | 9e7bdd648fce2a6024f1f4c84779628e85dc6b47 |
| SHA256 | d586de83847110e8f01c4586688f12d4a8413ce6ea9ee88e5187df24176c3976 |
| SHA512 | 83e36686900c76cbcbdba1041eb8781ca9c5e9a8805c6578ac2213584c1bd39ea698368a6dfcebd871b2e2e129fd489dbfcf9a48c4fe575fd3f17287ba7d5edc |
C:\Windows\system\ATgNxkd.exe
| MD5 | 46f16e07496390661cb895eaea2e76af |
| SHA1 | 05bf46e1e2a43b482060bebfdbb7c5d88a2dd7d6 |
| SHA256 | ff5ec7a0b62ba03031527088f32a58df64f5a3969cf394cdc2faf57d5791cdfb |
| SHA512 | df2b46eff4b708a0a2191196f52f565494c1a60d25101678eef202f276c90f091ca7ba9858aa1b1f3a96bc3fcb92a1fd7b1a3415aad0b60b52b0e7f912e82af2 |
C:\Windows\system\nMQZUhu.exe
| MD5 | 41a039ca81b762ab414703a9152db902 |
| SHA1 | b9d2a96dfbbe9fb09a5a818a14f2e2e8a3e1091d |
| SHA256 | 98db99e4024fcd5bdcd17a8fa3515f86cad223a4155bd254e71ba73940a6a082 |
| SHA512 | 108af6e87b088c2f26837f27e5853c7b9ee8d7af1b9838c64534c2f567223827a1d6f8689060947a28ee4e372a335c92a4a665272dd883906cc3a8c890f33f42 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-14 21:14
Reported
2024-08-14 21:16
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\azmcFMN.exe | N/A |
| N/A | N/A | C:\Windows\System\qfHNGpF.exe | N/A |
| N/A | N/A | C:\Windows\System\yOJgSWP.exe | N/A |
| N/A | N/A | C:\Windows\System\CcqRruC.exe | N/A |
| N/A | N/A | C:\Windows\System\KblNPTD.exe | N/A |
| N/A | N/A | C:\Windows\System\BXvqMLw.exe | N/A |
| N/A | N/A | C:\Windows\System\ATgNxkd.exe | N/A |
| N/A | N/A | C:\Windows\System\nMQZUhu.exe | N/A |
| N/A | N/A | C:\Windows\System\RYcurfh.exe | N/A |
| N/A | N/A | C:\Windows\System\FGumifU.exe | N/A |
| N/A | N/A | C:\Windows\System\LwgPVVm.exe | N/A |
| N/A | N/A | C:\Windows\System\AbKoSTI.exe | N/A |
| N/A | N/A | C:\Windows\System\SarEDSe.exe | N/A |
| N/A | N/A | C:\Windows\System\KOsCvhT.exe | N/A |
| N/A | N/A | C:\Windows\System\nBFcgGR.exe | N/A |
| N/A | N/A | C:\Windows\System\gWgKSUG.exe | N/A |
| N/A | N/A | C:\Windows\System\tNGjBYh.exe | N/A |
| N/A | N/A | C:\Windows\System\Evqlfcf.exe | N/A |
| N/A | N/A | C:\Windows\System\vIwDYXo.exe | N/A |
| N/A | N/A | C:\Windows\System\AktOWTj.exe | N/A |
| N/A | N/A | C:\Windows\System\EowHJVn.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-14_9015c7825fe85082ad87d5d3b9da045f_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\azmcFMN.exe | C:\Windows\System\azmcFMN.exe |
| C:\Windows\System\qfHNGpF.exe | C:\Windows\System\qfHNGpF.exe |
| C:\Windows\System\yOJgSWP.exe | C:\Windows\System\yOJgSWP.exe |
| C:\Windows\System\CcqRruC.exe | C:\Windows\System\CcqRruC.exe |
| C:\Windows\System\KblNPTD.exe | C:\Windows\System\KblNPTD.exe |
| C:\Windows\System\BXvqMLw.exe | C:\Windows\System\BXvqMLw.exe |
| C:\Windows\System\ATgNxkd.exe | C:\Windows\System\ATgNxkd.exe |
| C:\Windows\System\nMQZUhu.exe | C:\Windows\System\nMQZUhu.exe |
| C:\Windows\System\RYcurfh.exe | C:\Windows\System\RYcurfh.exe |
| C:\Windows\System\FGumifU.exe | C:\Windows\System\FGumifU.exe |
| C:\Windows\System\AbKoSTI.exe | C:\Windows\System\AbKoSTI.exe |
| C:\Windows\System\LwgPVVm.exe | C:\Windows\System\LwgPVVm.exe |
| C:\Windows\System\SarEDSe.exe | C:\Windows\System\SarEDSe.exe |
| C:\Windows\System\KOsCvhT.exe | C:\Windows\System\KOsCvhT.exe |
| C:\Windows\System\nBFcgGR.exe | C:\Windows\System\nBFcgGR.exe |
| C:\Windows\System\Evqlfcf.exe | C:\Windows\System\Evqlfcf.exe |
| C:\Windows\System\gWgKSUG.exe | C:\Windows\System\gWgKSUG.exe |
| C:\Windows\System\tNGjBYh.exe | C:\Windows\System\tNGjBYh.exe |
| C:\Windows\System\vIwDYXo.exe | C:\Windows\System\vIwDYXo.exe |
| C:\Windows\System\AktOWTj.exe | C:\Windows\System\AktOWTj.exe |
| C:\Windows\System\EowHJVn.exe | C:\Windows\System\EowHJVn.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 52.111.227.13:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\azmcFMN.exe
| MD5 | eb64a4a31e6dd61fd29ed72a2238cf7d |
| SHA1 | 15600900814adf133be4e324225b336ab648c0fd |
| SHA256 | 8154889dec80f1358800bacf4bf0ce89d2086c5132cbfaf608a5704cb7602b02 |
| SHA512 | 91885a2de7a54db2e9f5677798a4ddc9aeffe61b2032d5ebab3233c636cecb9238704c1086723c5ff4d4eb06c83523653e4c293e2bf26eed8631710675ffbaaf |
C:\Windows\System\yOJgSWP.exe
| MD5 | 3c3f47e5c96c75852beb4f0aae5cc866 |
| SHA1 | eeb58bba1fd1cce913b3be2699c2b5e9921d7f00 |
| SHA256 | b7da5a9ee950c43272611f852a2b1bca50f8a6f9e146d5ebc0e45adafbef3911 |
| SHA512 | 67ce6fdfb137e8c238c7f0df9ced46051e416518680d22238a9dd2a027f95ca52c14f558114ce6836739abf12446bf305e483e7215029c19538014e359fdfa56 |
C:\Windows\System\KblNPTD.exe
| MD5 | 9c5bd96edbc9618e8e54b853eb438451 |
| SHA1 | 1fe80323282cbf63c5b5e9fe613e0ea70374b543 |
| SHA256 | c4eafc35241744d479ed28a52786407f540dc8162d25e53284a799dd89e97d47 |
| SHA512 | f2204625f2349d62cce82489dd2d86fb08033f54e671cb3501ef0a2408839078a54a5014decb03d984398a555cc08d8c12100ecc29c2e953cb4335468bb6a3a1 |
C:\Windows\System\BXvqMLw.exe
| MD5 | e6c609677ad9e8614dcf17c4a0f94ffc |
| SHA1 | acaed90af06b55f4281c798d63a52736daae4458 |
| SHA256 | ff8b403219e2ba59c6ae50771a21e40c583163256f852de25490a991540ed69b |
| SHA512 | 6e4f2e0149f71c92c0e88433d57337c64c2ec9f4f4eb0cca1202f3ef399412769a620e54c8ed0b0f1273e4dc37ff0480a0648e3874da35d87cd5fedf2c2c2338 |
C:\Windows\System\RYcurfh.exe
| MD5 | e65cc83426d4de0bc5227bc048d7773e |
| SHA1 | a3bc20885d8785883cce9787414841878ef1a6c8 |
| SHA256 | b2f829f11d25d40201e95f943dd62668caf17eba7c35c3be7b89672323f7a61a |
| SHA512 | 98073180b21bf2651986a39a0c4e2d0e87f392f1bfbc27862006117c1fd181b13b7a3a6f9049049b097607968dbe136e7f45c93cc24fa6d1191abac94c305973 |
C:\Windows\System\LwgPVVm.exe
| MD5 | 483102acf827b80cc6e652fe3bdf8c52 |
| SHA1 | 6cb2bd7396ffd55cb5c93a351a2e3ff13821f54b |
| SHA256 | fd77cd403f5034d77f011eaf3fafbb7fcbfd3d2fd0e637c9a274a45820ccd5db |
| SHA512 | 2fb254fc5c532f92891b9c6f0397cadbef244a9d6784103b9decb833e66bdef465c6d3730e3cf2b4072aed40aabeae69461eb9a151e6e65e5b4c03d2ef33fc1c |
C:\Windows\System\FGumifU.exe
| MD5 | bffec7ce62b0f2c927bccd78b30ee9ab |
| SHA1 | f3a681d3c61e4ba5506b62080770e5a32b84a2a0 |
| SHA256 | 1e80ba7c1a8437b8fc186ab56837c6e826a5455930ddccaef46d27fca5d44a73 |
| SHA512 | 68ed80be85ff001fc6a3b248b52cebbb3e6e6f8dbdb9a6cbafb757c52aee112874fcf74cd08f8dd353515397c7eb861ef9feb09b125d7dcdbbfd08e771dfc045 |
C:\Windows\System\AbKoSTI.exe
| MD5 | 3f2e59055f95f804db5525b552c42792 |
| SHA1 | 9e7bdd648fce2a6024f1f4c84779628e85dc6b47 |
| SHA256 | d586de83847110e8f01c4586688f12d4a8413ce6ea9ee88e5187df24176c3976 |
| SHA512 | 83e36686900c76cbcbdba1041eb8781ca9c5e9a8805c6578ac2213584c1bd39ea698368a6dfcebd871b2e2e129fd489dbfcf9a48c4fe575fd3f17287ba7d5edc |
C:\Windows\System\SarEDSe.exe
| MD5 | f987d5fb5c2aadec1f85eed2a06e4c61 |
| SHA1 | 54d935b1cd10623634d3ed410bc08015741e9aad |
| SHA256 | 6c87885d8c1603a4c4ff0bcbe669806d8aa527086f69f96db2e1b71f829238e2 |
| SHA512 | 81412e7dfae75f888248d01ed59c14f556001ffa644cf578f93c11ac96a95a322b3c4b2b5913f5f56828e7eb203aae606171c1d99859809d7df6f13663caf9b0 |
C:\Windows\System\EowHJVn.exe
| MD5 | 5d2f4e2479831b0bde77ed27b15f03f6 |
| SHA1 | a044d00f7c0ce1deee8edbfdef5cf110a49a2f3a |
| SHA256 | 7b603a10bf59df625659e4d0ad8481b7a83697568ba25d0ca4bf202115ba13ab |
| SHA512 | 33bba89c213321dc426dec105a77ebbfeaf82a45938bafc9cca4dc9f9cafa8a662cb1df9d16dbb5dc63b4c1c383dea3390b08b144f850a8101751ef50d69ca24 |
C:\Windows\System\AktOWTj.exe
| MD5 | 22bb8ea04632bd4c48bd31f6f3dd7217 |
| SHA1 | c0afcfa900d2e5609cd9074c2ce78687624daf42 |
| SHA256 | 69c91916cdb3ba9118086fe334d8a4bcc35cf594d93d18dde815a42897aaba59 |
| SHA512 | b281173795e8d3e08f3b1fdfa31df4be2b650a7e06bfc251d4c53e6ea8f8be44ce82fb0756d6fef0cc0ffb2d26582783d94ab9f4542a708b36063a9f97e51c43 |
C:\Windows\System\tNGjBYh.exe
| MD5 | c9587a2f982e43c69d3fc42712ff3a02 |
| SHA1 | cf6bd35b910c2f554ff9a29060ad40c02fcfb2cf |
| SHA256 | e15135977ab57f9ee314efe67cb98011b49e56110ea56a9cd303747135afd771 |
| SHA512 | c2ea2a54431b823e41e5d9178f61e7d474734ac82106128f0c4c3edcd32b733ed7ba2ddeb95c23cf656eb68f744bd84c3a372a93d677a8078949bdb3dc3ec73e |
C:\Windows\System\gWgKSUG.exe
| MD5 | 241e19c0e1017b01408c87cb3adf847f |
| SHA1 | fc2ee032df8c38fe88873362c55321adac9cd1b6 |
| SHA256 | 84c92195eb836a6c3f7fcfdb9d92bbb4edf84dcd87566c62bbf152dcfdfeeb12 |
| SHA512 | bf58c078c5e7cdbca5b32f6857bac22efd1aad7e1b5a3c49ed8ab3bd5dba215778c0d94a6b0098f3bc75b996c2ac64fb8be77cac203fecb0955cb57f9a93e36d |
C:\Windows\System\vIwDYXo.exe
| MD5 | 8caa01aa8c18eab62312847e52f2dcf4 |
| SHA1 | c45eed710c102cbf9ecea76165c92b4a67144832 |
| SHA256 | 1cd187aa2e0ef8c05f045071cc86bcc44a9362f571762cacd99fc54ad72b8ef1 |
| SHA512 | aa905a0dd1b536b94438c004c8cf7e27d140c949f0e2a209255c700ed0c912845af16d24c4a16a5a7bb59243a85f2e6a981a0e51dfc4a04fcd59fcfbe7d5a79a |
C:\Windows\System\Evqlfcf.exe
| MD5 | cd1dc294b89bc2194203d76d609090c4 |
| SHA1 | 15baf23b00434ae94cd13e9f80c851ffc47469fe |
| SHA256 | c57e402a6b103600b7f084104ddd0f0edf601dfa8463bf6e6aa71a6f51ae5931 |
| SHA512 | 40081efa29c97fece6894b26d17a1379c278602beab74aaca7ba05d4160436cc7c862453b8913ecefe06078861d641febaa90744b8316adc0fd6c5077bdacfc3 |
C:\Windows\System\nBFcgGR.exe
| MD5 | 73b2e1b9b502a6db76cf0e52602368cc |
| SHA1 | 3864a331d6022e9a6661b7374238d7285788d106 |
| SHA256 | 438332a28094254750563b5d9af43a5fe0c94c4a3f46da68220382ea1964cdcb |
| SHA512 | 763646f6591a1e2fad7760072262043b7247a1f5af01592227730cd075b00ccda8a9fafe8044fb689022a0dacc7ce3eaeb67274f0c30e8cd0aece6224f31b72e |
memory/4272-102-0x00007FF644CF0000-0x00007FF645041000-memory.dmp
C:\Windows\System\KOsCvhT.exe
| MD5 | ff478d3018e6efeb9defc34287871fa1 |
| SHA1 | cb1d279231359f7283cd6a33e7b4499a2191c1bb |
| SHA256 | dd35a71f8392af05fe272addbb83e5e3ff9d7cceeaeb3ccee0718490731e46d8 |
| SHA512 | b1ffc80c5214a65896dcde6df8c4284894596d9b59f8c5914733881c058111b4ea262bd1a76157755e1c59f485611963a52cee1b454a81ba05a7635f0326ebe8 |
memory/860-86-0x00007FF674100000-0x00007FF674451000-memory.dmp
memory/4092-63-0x00007FF7E4020000-0x00007FF7E4371000-memory.dmp
memory/3584-59-0x00007FF7875E0000-0x00007FF787931000-memory.dmp
C:\Windows\System\nMQZUhu.exe
| MD5 | 41a039ca81b762ab414703a9152db902 |
| SHA1 | b9d2a96dfbbe9fb09a5a818a14f2e2e8a3e1091d |
| SHA256 | 98db99e4024fcd5bdcd17a8fa3515f86cad223a4155bd254e71ba73940a6a082 |
| SHA512 | 108af6e87b088c2f26837f27e5853c7b9ee8d7af1b9838c64534c2f567223827a1d6f8689060947a28ee4e372a335c92a4a665272dd883906cc3a8c890f33f42 |
C:\Windows\System\ATgNxkd.exe
| MD5 | 46f16e07496390661cb895eaea2e76af |
| SHA1 | 05bf46e1e2a43b482060bebfdbb7c5d88a2dd7d6 |
| SHA256 | ff5ec7a0b62ba03031527088f32a58df64f5a3969cf394cdc2faf57d5791cdfb |
| SHA512 | df2b46eff4b708a0a2191196f52f565494c1a60d25101678eef202f276c90f091ca7ba9858aa1b1f3a96bc3fcb92a1fd7b1a3415aad0b60b52b0e7f912e82af2 |
memory/4856-49-0x00007FF726700000-0x00007FF726A51000-memory.dmp
memory/1088-39-0x00007FF6DA140000-0x00007FF6DA491000-memory.dmp
C:\Windows\System\CcqRruC.exe
| MD5 | 15543f4ac755d979e37dc500b31b6dc5 |
| SHA1 | 7ef01075bd8766a61c234521537a9a53d2320842 |
| SHA256 | ffd7ee3b3a3e0f6421f5531d2d5bd05f7e16675a4108c1f5917a4f3b53362739 |
| SHA512 | be86629369a858bee6fab8f5dea55e149182c73ce5914870e3c48f10fdea35125beeadb1e035b64b8bd9f1f4180fc77736b89d3f221a447f7c84f5f464aeaa30 |
C:\Windows\System\qfHNGpF.exe
| MD5 | 8144c0f1cd936f497c2890b2919b169c |
| SHA1 | 712ed042a5a402ce6babee2b613f34d93cda41d4 |
| SHA256 | 8539ab292c67fbad3b27fc4639140abfced04dc425042ca035c76c8a88d4359b |
| SHA512 | 33aff8b047045d34c53739418f3339f8460772e50ada1d641ec7cb23001a6492f1f2f54a9439455fb2b3973df856eaa3b412a66ba68ba63c34fa14dd6988f894 |
memory/4300-27-0x00007FF682D30000-0x00007FF683081000-memory.dmp
memory/3868-20-0x00007FF6722C0000-0x00007FF672611000-memory.dmp
memory/4544-18-0x00007FF60E5B0000-0x00007FF60E901000-memory.dmp
memory/3932-12-0x00007FF774E50000-0x00007FF7751A1000-memory.dmp
memory/2792-119-0x00007FF7139F0000-0x00007FF713D41000-memory.dmp
memory/1996-121-0x00007FF6CE710000-0x00007FF6CEA61000-memory.dmp
memory/4680-122-0x00007FF7B3B30000-0x00007FF7B3E81000-memory.dmp
memory/2116-124-0x00007FF776730000-0x00007FF776A81000-memory.dmp
memory/640-123-0x00007FF7904A0000-0x00007FF7907F1000-memory.dmp
memory/1544-120-0x00007FF601B80000-0x00007FF601ED1000-memory.dmp
memory/1696-125-0x00007FF7C27A0000-0x00007FF7C2AF1000-memory.dmp
memory/3932-128-0x00007FF774E50000-0x00007FF7751A1000-memory.dmp
memory/4544-130-0x00007FF60E5B0000-0x00007FF60E901000-memory.dmp
memory/3908-129-0x00007FF7E6680000-0x00007FF7E69D1000-memory.dmp
memory/2196-127-0x00007FF658710000-0x00007FF658A61000-memory.dmp
memory/4296-126-0x00007FF738D20000-0x00007FF739071000-memory.dmp
memory/860-140-0x00007FF674100000-0x00007FF674451000-memory.dmp
memory/2792-143-0x00007FF7139F0000-0x00007FF713D41000-memory.dmp
memory/4272-141-0x00007FF644CF0000-0x00007FF645041000-memory.dmp
memory/2144-137-0x00007FF7D23F0000-0x00007FF7D2741000-memory.dmp
memory/3584-136-0x00007FF7875E0000-0x00007FF787931000-memory.dmp
memory/1088-134-0x00007FF6DA140000-0x00007FF6DA491000-memory.dmp
memory/4092-138-0x00007FF7E4020000-0x00007FF7E4371000-memory.dmp
memory/4856-135-0x00007FF726700000-0x00007FF726A51000-memory.dmp
memory/916-133-0x00007FF65FF60000-0x00007FF6602B1000-memory.dmp
memory/3868-132-0x00007FF6722C0000-0x00007FF672611000-memory.dmp
memory/4300-131-0x00007FF682D30000-0x00007FF683081000-memory.dmp
memory/4296-150-0x00007FF738D20000-0x00007FF739071000-memory.dmp
memory/4296-151-0x00007FF738D20000-0x00007FF739071000-memory.dmp
memory/3932-197-0x00007FF774E50000-0x00007FF7751A1000-memory.dmp
memory/4300-199-0x00007FF682D30000-0x00007FF683081000-memory.dmp
memory/3868-201-0x00007FF6722C0000-0x00007FF672611000-memory.dmp
memory/4544-203-0x00007FF60E5B0000-0x00007FF60E901000-memory.dmp
memory/916-205-0x00007FF65FF60000-0x00007FF6602B1000-memory.dmp
memory/1088-207-0x00007FF6DA140000-0x00007FF6DA491000-memory.dmp
memory/3584-211-0x00007FF7875E0000-0x00007FF787931000-memory.dmp
memory/4856-209-0x00007FF726700000-0x00007FF726A51000-memory.dmp
memory/4092-215-0x00007FF7E4020000-0x00007FF7E4371000-memory.dmp
memory/2144-214-0x00007FF7D23F0000-0x00007FF7D2741000-memory.dmp
memory/860-217-0x00007FF674100000-0x00007FF674451000-memory.dmp
memory/4272-220-0x00007FF644CF0000-0x00007FF645041000-memory.dmp
memory/1696-223-0x00007FF7C27A0000-0x00007FF7C2AF1000-memory.dmp
memory/2116-221-0x00007FF776730000-0x00007FF776A81000-memory.dmp
memory/1996-227-0x00007FF6CE710000-0x00007FF6CEA61000-memory.dmp
memory/2792-226-0x00007FF7139F0000-0x00007FF713D41000-memory.dmp
memory/2196-232-0x00007FF658710000-0x00007FF658A61000-memory.dmp
memory/4680-235-0x00007FF7B3B30000-0x00007FF7B3E81000-memory.dmp
memory/1544-234-0x00007FF601B80000-0x00007FF601ED1000-memory.dmp
memory/3908-237-0x00007FF7E6680000-0x00007FF7E69D1000-memory.dmp
memory/640-230-0x00007FF7904A0000-0x00007FF7907F1000-memory.dmp