Analysis Overview
SHA256
07255353ae5e995a465f5685e5de3b2691fd0ec17e4b35615bd81556253d596f
Threat Level: Known bad
The file 2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Xmrig family
xmrig
Cobalt Strike reflective loader
Cobaltstrike
XMRig Miner payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-14 21:16
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-14 21:16
Reported
2024-08-14 21:18
Platform
win7-20240708-en
Max time kernel
142s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\LpDkCQl.exe | N/A |
| N/A | N/A | C:\Windows\System\ubvJuWJ.exe | N/A |
| N/A | N/A | C:\Windows\System\WvAcTLN.exe | N/A |
| N/A | N/A | C:\Windows\System\KpfEotI.exe | N/A |
| N/A | N/A | C:\Windows\System\LkNCNUo.exe | N/A |
| N/A | N/A | C:\Windows\System\LxvXOHC.exe | N/A |
| N/A | N/A | C:\Windows\System\kGGTJzF.exe | N/A |
| N/A | N/A | C:\Windows\System\smqsRFf.exe | N/A |
| N/A | N/A | C:\Windows\System\PGPVQqr.exe | N/A |
| N/A | N/A | C:\Windows\System\GTPxnyy.exe | N/A |
| N/A | N/A | C:\Windows\System\ONDjsEn.exe | N/A |
| N/A | N/A | C:\Windows\System\sEBarEe.exe | N/A |
| N/A | N/A | C:\Windows\System\lINfzuD.exe | N/A |
| N/A | N/A | C:\Windows\System\OcDTPER.exe | N/A |
| N/A | N/A | C:\Windows\System\cetTRSd.exe | N/A |
| N/A | N/A | C:\Windows\System\gNolyja.exe | N/A |
| N/A | N/A | C:\Windows\System\GlAXLPo.exe | N/A |
| N/A | N/A | C:\Windows\System\rPSLNGk.exe | N/A |
| N/A | N/A | C:\Windows\System\iuJgiHQ.exe | N/A |
| N/A | N/A | C:\Windows\System\ThfPmFt.exe | N/A |
| N/A | N/A | C:\Windows\System\VhOOMTW.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\LpDkCQl.exe | C:\Windows\System\LpDkCQl.exe |
| C:\Windows\System\ubvJuWJ.exe | C:\Windows\System\ubvJuWJ.exe |
| C:\Windows\System\WvAcTLN.exe | C:\Windows\System\WvAcTLN.exe |
| C:\Windows\System\KpfEotI.exe | C:\Windows\System\KpfEotI.exe |
| C:\Windows\System\LkNCNUo.exe | C:\Windows\System\LkNCNUo.exe |
| C:\Windows\System\LxvXOHC.exe | C:\Windows\System\LxvXOHC.exe |
| C:\Windows\System\smqsRFf.exe | C:\Windows\System\smqsRFf.exe |
| C:\Windows\System\kGGTJzF.exe | C:\Windows\System\kGGTJzF.exe |
| C:\Windows\System\PGPVQqr.exe | C:\Windows\System\PGPVQqr.exe |
| C:\Windows\System\GTPxnyy.exe | C:\Windows\System\GTPxnyy.exe |
| C:\Windows\System\ONDjsEn.exe | C:\Windows\System\ONDjsEn.exe |
| C:\Windows\System\sEBarEe.exe | C:\Windows\System\sEBarEe.exe |
| C:\Windows\System\lINfzuD.exe | C:\Windows\System\lINfzuD.exe |
| C:\Windows\System\OcDTPER.exe | C:\Windows\System\OcDTPER.exe |
| C:\Windows\System\cetTRSd.exe | C:\Windows\System\cetTRSd.exe |
| C:\Windows\System\gNolyja.exe | C:\Windows\System\gNolyja.exe |
| C:\Windows\System\iuJgiHQ.exe | C:\Windows\System\iuJgiHQ.exe |
| C:\Windows\System\GlAXLPo.exe | C:\Windows\System\GlAXLPo.exe |
| C:\Windows\System\ThfPmFt.exe | C:\Windows\System\ThfPmFt.exe |
| C:\Windows\System\rPSLNGk.exe | C:\Windows\System\rPSLNGk.exe |
| C:\Windows\System\VhOOMTW.exe | C:\Windows\System\VhOOMTW.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-14 21:16
Reported
2024-08-14 21:18
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\LpDkCQl.exe | N/A |
| N/A | N/A | C:\Windows\System\ubvJuWJ.exe | N/A |
| N/A | N/A | C:\Windows\System\WvAcTLN.exe | N/A |
| N/A | N/A | C:\Windows\System\KpfEotI.exe | N/A |
| N/A | N/A | C:\Windows\System\LkNCNUo.exe | N/A |
| N/A | N/A | C:\Windows\System\LxvXOHC.exe | N/A |
| N/A | N/A | C:\Windows\System\kGGTJzF.exe | N/A |
| N/A | N/A | C:\Windows\System\PGPVQqr.exe | N/A |
| N/A | N/A | C:\Windows\System\smqsRFf.exe | N/A |
| N/A | N/A | C:\Windows\System\GTPxnyy.exe | N/A |
| N/A | N/A | C:\Windows\System\ONDjsEn.exe | N/A |
| N/A | N/A | C:\Windows\System\sEBarEe.exe | N/A |
| N/A | N/A | C:\Windows\System\lINfzuD.exe | N/A |
| N/A | N/A | C:\Windows\System\OcDTPER.exe | N/A |
| N/A | N/A | C:\Windows\System\cetTRSd.exe | N/A |
| N/A | N/A | C:\Windows\System\gNolyja.exe | N/A |
| N/A | N/A | C:\Windows\System\iuJgiHQ.exe | N/A |
| N/A | N/A | C:\Windows\System\GlAXLPo.exe | N/A |
| N/A | N/A | C:\Windows\System\ThfPmFt.exe | N/A |
| N/A | N/A | C:\Windows\System\rPSLNGk.exe | N/A |
| N/A | N/A | C:\Windows\System\VhOOMTW.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-14_97462f5569857562779fc32f03db63b5_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\LpDkCQl.exe | C:\Windows\System\LpDkCQl.exe |
| C:\Windows\System\ubvJuWJ.exe | C:\Windows\System\ubvJuWJ.exe |
| C:\Windows\System\WvAcTLN.exe | C:\Windows\System\WvAcTLN.exe |
| C:\Windows\System\KpfEotI.exe | C:\Windows\System\KpfEotI.exe |
| C:\Windows\System\LkNCNUo.exe | C:\Windows\System\LkNCNUo.exe |
| C:\Windows\System\LxvXOHC.exe | C:\Windows\System\LxvXOHC.exe |
| C:\Windows\System\smqsRFf.exe | C:\Windows\System\smqsRFf.exe |
| C:\Windows\System\kGGTJzF.exe | C:\Windows\System\kGGTJzF.exe |
| C:\Windows\System\PGPVQqr.exe | C:\Windows\System\PGPVQqr.exe |
| C:\Windows\System\GTPxnyy.exe | C:\Windows\System\GTPxnyy.exe |
| C:\Windows\System\ONDjsEn.exe | C:\Windows\System\ONDjsEn.exe |
| C:\Windows\System\sEBarEe.exe | C:\Windows\System\sEBarEe.exe |
| C:\Windows\System\lINfzuD.exe | C:\Windows\System\lINfzuD.exe |
| C:\Windows\System\OcDTPER.exe | C:\Windows\System\OcDTPER.exe |
| C:\Windows\System\cetTRSd.exe | C:\Windows\System\cetTRSd.exe |
| C:\Windows\System\gNolyja.exe | C:\Windows\System\gNolyja.exe |
| C:\Windows\System\iuJgiHQ.exe | C:\Windows\System\iuJgiHQ.exe |
| C:\Windows\System\GlAXLPo.exe | C:\Windows\System\GlAXLPo.exe |
| C:\Windows\System\ThfPmFt.exe | C:\Windows\System\ThfPmFt.exe |
| C:\Windows\System\rPSLNGk.exe | C:\Windows\System\rPSLNGk.exe |
| C:\Windows\System\VhOOMTW.exe | C:\Windows\System\VhOOMTW.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4172,i,8548254608087149642,10333768245962368401,262144 --variations-seed-version --mojo-platform-channel-handle=4116 /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 91.16.208.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
| SHA256 | 7b918ca2fe3f73741a81d905e7f8cb9f6aee0b2d75420de8a0de6be10554814c |
| SHA512 | 5f9f18fa75f3f34a3c1d3a2a1d5832471b75c8d263978b7d7f963ea8e492377a03239e713ea5ea2e1cdcadaf02c7ba36814fc9554ad22c37f4efc37fd900b7b2 |
memory/1812-110-0x00007FF747280000-0x00007FF7475D1000-memory.dmp
C:\Windows\System\cetTRSd.exe
| MD5 | 51fbdf8eec6a5d69ed680a98a58ed4ed |
| SHA1 | 449f5aaac2a53ead782e59e62357b230644051f8 |
| SHA256 | 850e06b05700d7e6625aef491c875e26af5f69b3ed52f1953f6b699d53ec3596 |
| SHA512 | bb8d5c53ae51777a656a4230816c77173d65bb417d31b68002a48c600a4dbdcc08c4478d63d1547a30ae00dcb5f52c02192324b9d970b4de51ced0ab90ccbb23 |
C:\Windows\System\gNolyja.exe
| MD5 | 51cb96e445ea803e0963a214459bbf40 |
| SHA1 | e8c776e5692abaabaa3b66781cc1f320d6906932 |
| SHA256 | 9029c6ec17cba27f8bcb30a40b538c98fbc505827689af7c3357f6603d962725 |
| SHA512 | 1637fb2ab513766174d9ef7618f1470e87271c559fd291fff0e7ce53c1ff74064f448b554f62a74e679ffe8719dcf78ca40f2eaa31ba08f4ad1b6146277b4a47 |
memory/1232-104-0x00007FF7953D0000-0x00007FF795721000-memory.dmp
memory/1008-84-0x00007FF7A6970000-0x00007FF7A6CC1000-memory.dmp
memory/1964-83-0x00007FF617D40000-0x00007FF618091000-memory.dmp
C:\Windows\System\OcDTPER.exe
| MD5 | f37fe66f10be0d1814032c7d0f78d20e |
| SHA1 | 7a086bb3df223fa03018d9c9e9a0d7dde9b8007b |
| SHA256 | 160c6e3f200e81ef3c1ae7c1be6ddb0c3a91a0a700ecf45f015704947c05250a |
| SHA512 | a8e0cf41e49a496a7738c45c1deb62c4391f97405236e6f20d7c9cc843625a84f078f0cbd8ac6bf9446eac7ae7f3e0652e9d968573faea73562df0e69c20d8b2 |
memory/2888-73-0x00007FF6CA8C0000-0x00007FF6CAC11000-memory.dmp
memory/4640-67-0x00007FF622990000-0x00007FF622CE1000-memory.dmp
memory/3036-66-0x00007FF67C390000-0x00007FF67C6E1000-memory.dmp
memory/3644-72-0x00007FF6DB910000-0x00007FF6DBC61000-memory.dmp
C:\Windows\System\GTPxnyy.exe
| MD5 | 47ed5564d5ba1a849fb961c3efd39c46 |
| SHA1 | 503562288cb337a6b7324d9461c5bd04899a1926 |
| SHA256 | 5088658cbde73f25ed99c5b89f1a4fd64974250e70728f629218ca57abb04e75 |
| SHA512 | b43548e12c138cde947e6e382011be311ab75b683b3758edf03d97d43bc11b60bcd585a0fb1128ab480b74807c10cab0bad849ce2727ad94adff81e129e55be1 |
C:\Windows\System\PGPVQqr.exe
| MD5 | b3b77e6e07a06dccdff8cd61098b032a |
| SHA1 | bac0130906ccb4f906114987610d3cf1e316db2e |
| SHA256 | 1d125ab8e108c58540e609e0906db4bf2ae64e73294024baf47be23ce558254e |
| SHA512 | 4fc20c5e9ea451f665fa6e53e9ec5a6855591a41f95d42cc10af8eac415194aae75603b55448c3fe50bd5f66b2b827a75967f82c559ed82b566802418670a558 |
C:\Windows\System\LxvXOHC.exe
| MD5 | a73af8a7a1c43cda50cea112d4747f06 |
| SHA1 | 8e3abe68e5f8b75978f533b3637f82c4217ae913 |
| SHA256 | 8bf6a3a98d29ca3f9696cf792c2fd1662a4f5ef9706e3456499764f97a7f7445 |
| SHA512 | 3fc799b59ff42ac0e5ad58155193d8238e42729215923e56d48193cdcb86bc357f6cbb41e52aea9897afbf6265895719efedb511475cd6ffffec60cfdd994fdb |
memory/4844-46-0x00007FF625A50000-0x00007FF625DA1000-memory.dmp
memory/1300-49-0x00007FF624200000-0x00007FF624551000-memory.dmp
memory/4644-38-0x00007FF7A6E00000-0x00007FF7A7151000-memory.dmp
memory/2280-37-0x00007FF658620000-0x00007FF658971000-memory.dmp
memory/1936-26-0x00007FF755D00000-0x00007FF756051000-memory.dmp
memory/1704-16-0x00007FF720E90000-0x00007FF7211E1000-memory.dmp
memory/2916-7-0x00007FF67CD70000-0x00007FF67D0C1000-memory.dmp
memory/2888-142-0x00007FF6CA8C0000-0x00007FF6CAC11000-memory.dmp
memory/3036-137-0x00007FF67C390000-0x00007FF67C6E1000-memory.dmp
memory/2916-130-0x00007FF67CD70000-0x00007FF67D0C1000-memory.dmp
memory/1232-144-0x00007FF7953D0000-0x00007FF795721000-memory.dmp
memory/2864-150-0x00007FF7CCBD0000-0x00007FF7CCF21000-memory.dmp
memory/1492-147-0x00007FF6FE6C0000-0x00007FF6FEA11000-memory.dmp
memory/420-146-0x00007FF625460000-0x00007FF6257B1000-memory.dmp
memory/1812-145-0x00007FF747280000-0x00007FF7475D1000-memory.dmp
memory/4928-149-0x00007FF7819E0000-0x00007FF781D31000-memory.dmp
memory/1964-143-0x00007FF617D40000-0x00007FF618091000-memory.dmp
memory/3644-140-0x00007FF6DB910000-0x00007FF6DBC61000-memory.dmp
memory/2500-139-0x00007FF642380000-0x00007FF6426D1000-memory.dmp
memory/1300-138-0x00007FF624200000-0x00007FF624551000-memory.dmp
memory/4640-136-0x00007FF622990000-0x00007FF622CE1000-memory.dmp
memory/4844-135-0x00007FF625A50000-0x00007FF625DA1000-memory.dmp
memory/2280-134-0x00007FF658620000-0x00007FF658971000-memory.dmp
memory/1936-132-0x00007FF755D00000-0x00007FF756051000-memory.dmp
memory/1704-131-0x00007FF720E90000-0x00007FF7211E1000-memory.dmp
memory/1092-129-0x00007FF76FD60000-0x00007FF7700B1000-memory.dmp
memory/1092-151-0x00007FF76FD60000-0x00007FF7700B1000-memory.dmp
memory/2916-198-0x00007FF67CD70000-0x00007FF67D0C1000-memory.dmp
memory/1704-200-0x00007FF720E90000-0x00007FF7211E1000-memory.dmp
memory/1936-202-0x00007FF755D00000-0x00007FF756051000-memory.dmp
memory/4644-204-0x00007FF7A6E00000-0x00007FF7A7151000-memory.dmp
memory/2280-206-0x00007FF658620000-0x00007FF658971000-memory.dmp
memory/4844-208-0x00007FF625A50000-0x00007FF625DA1000-memory.dmp
memory/2500-211-0x00007FF642380000-0x00007FF6426D1000-memory.dmp
memory/1300-212-0x00007FF624200000-0x00007FF624551000-memory.dmp
memory/1964-220-0x00007FF617D40000-0x00007FF618091000-memory.dmp
memory/2888-222-0x00007FF6CA8C0000-0x00007FF6CAC11000-memory.dmp
memory/3036-218-0x00007FF67C390000-0x00007FF67C6E1000-memory.dmp
memory/4640-217-0x00007FF622990000-0x00007FF622CE1000-memory.dmp
memory/1008-215-0x00007FF7A6970000-0x00007FF7A6CC1000-memory.dmp
memory/420-231-0x00007FF625460000-0x00007FF6257B1000-memory.dmp
memory/3644-236-0x00007FF6DB910000-0x00007FF6DBC61000-memory.dmp
memory/1812-235-0x00007FF747280000-0x00007FF7475D1000-memory.dmp
memory/1232-233-0x00007FF7953D0000-0x00007FF795721000-memory.dmp
memory/1492-229-0x00007FF6FE6C0000-0x00007FF6FEA11000-memory.dmp
memory/2484-227-0x00007FF71FF00000-0x00007FF720251000-memory.dmp
memory/2864-225-0x00007FF7CCBD0000-0x00007FF7CCF21000-memory.dmp
memory/4928-241-0x00007FF7819E0000-0x00007FF781D31000-memory.dmp