Analysis Overview
SHA256: 15d6830b17a879ee36eb4f14ea6e9597480679b897b0262a7c4b53f232b59fe5
Threat Level: Known bad
The file 2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
XMRig Miner payload
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Xmrig family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-14 21:04
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-14 21:04
Reported
2024-08-14 21:07
Platform
win7-20240704-en
Max time kernel
140s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\hzUYrSg.exe | N/A |
| N/A | N/A | C:\Windows\System\HueECcs.exe | N/A |
| N/A | N/A | C:\Windows\System\lbiwyXX.exe | N/A |
| N/A | N/A | C:\Windows\System\mvGnTaU.exe | N/A |
| N/A | N/A | C:\Windows\System\QliQpVJ.exe | N/A |
| N/A | N/A | C:\Windows\System\WXJfaJi.exe | N/A |
| N/A | N/A | C:\Windows\System\ngcAVtS.exe | N/A |
| N/A | N/A | C:\Windows\System\wVFKsjz.exe | N/A |
| N/A | N/A | C:\Windows\System\LDExCJZ.exe | N/A |
| N/A | N/A | C:\Windows\System\HdMTmEf.exe | N/A |
| N/A | N/A | C:\Windows\System\riXNPPo.exe | N/A |
| N/A | N/A | C:\Windows\System\xhatQTk.exe | N/A |
| N/A | N/A | C:\Windows\System\lGCgJNb.exe | N/A |
| N/A | N/A | C:\Windows\System\jAIKwuf.exe | N/A |
| N/A | N/A | C:\Windows\System\ThtScjb.exe | N/A |
| N/A | N/A | C:\Windows\System\JxTPJYi.exe | N/A |
| N/A | N/A | C:\Windows\System\HFisDfW.exe | N/A |
| N/A | N/A | C:\Windows\System\olVwuWL.exe | N/A |
| N/A | N/A | C:\Windows\System\PHqWRzH.exe | N/A |
| N/A | N/A | C:\Windows\System\ERFWURk.exe | N/A |
| N/A | N/A | C:\Windows\System\MCUeisu.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\hzUYrSg.exe | C:\Windows\System\hzUYrSg.exe |
| C:\Windows\System\HueECcs.exe | C:\Windows\System\HueECcs.exe |
| C:\Windows\System\lbiwyXX.exe | C:\Windows\System\lbiwyXX.exe |
| C:\Windows\System\mvGnTaU.exe | C:\Windows\System\mvGnTaU.exe |
| C:\Windows\System\QliQpVJ.exe | C:\Windows\System\QliQpVJ.exe |
| C:\Windows\System\WXJfaJi.exe | C:\Windows\System\WXJfaJi.exe |
| C:\Windows\System\ngcAVtS.exe | C:\Windows\System\ngcAVtS.exe |
| C:\Windows\System\ThtScjb.exe | C:\Windows\System\ThtScjb.exe |
| C:\Windows\System\wVFKsjz.exe | C:\Windows\System\wVFKsjz.exe |
| C:\Windows\System\JxTPJYi.exe | C:\Windows\System\JxTPJYi.exe |
| C:\Windows\System\LDExCJZ.exe | C:\Windows\System\LDExCJZ.exe |
| C:\Windows\System\HFisDfW.exe | C:\Windows\System\HFisDfW.exe |
| C:\Windows\System\HdMTmEf.exe | C:\Windows\System\HdMTmEf.exe |
| C:\Windows\System\olVwuWL.exe | C:\Windows\System\olVwuWL.exe |
| C:\Windows\System\riXNPPo.exe | C:\Windows\System\riXNPPo.exe |
| C:\Windows\System\PHqWRzH.exe | C:\Windows\System\PHqWRzH.exe |
| C:\Windows\System\xhatQTk.exe | C:\Windows\System\xhatQTk.exe |
| C:\Windows\System\ERFWURk.exe | C:\Windows\System\ERFWURk.exe |
| C:\Windows\System\lGCgJNb.exe | C:\Windows\System\lGCgJNb.exe |
| C:\Windows\System\MCUeisu.exe | C:\Windows\System\MCUeisu.exe |
| C:\Windows\System\jAIKwuf.exe | C:\Windows\System\jAIKwuf.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-14 21:04
Reported
2024-08-14 21:07
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\kjoDJsY.exe | N/A |
| N/A | N/A | C:\Windows\System\cdXEELh.exe | N/A |
| N/A | N/A | C:\Windows\System\MTJbPia.exe | N/A |
| N/A | N/A | C:\Windows\System\UDsFoBF.exe | N/A |
| N/A | N/A | C:\Windows\System\gMfLKvE.exe | N/A |
| N/A | N/A | C:\Windows\System\hhoTorv.exe | N/A |
| N/A | N/A | C:\Windows\System\xJZkNib.exe | N/A |
| N/A | N/A | C:\Windows\System\loeOZmw.exe | N/A |
| N/A | N/A | C:\Windows\System\yFxZYJB.exe | N/A |
| N/A | N/A | C:\Windows\System\VXlYSdL.exe | N/A |
| N/A | N/A | C:\Windows\System\hPkWxET.exe | N/A |
| N/A | N/A | C:\Windows\System\zfeijFF.exe | N/A |
| N/A | N/A | C:\Windows\System\NmcfGJR.exe | N/A |
| N/A | N/A | C:\Windows\System\QrabAth.exe | N/A |
| N/A | N/A | C:\Windows\System\qGILSdQ.exe | N/A |
| N/A | N/A | C:\Windows\System\YfeaYiC.exe | N/A |
| N/A | N/A | C:\Windows\System\NigcuoQ.exe | N/A |
| N/A | N/A | C:\Windows\System\BNkecqp.exe | N/A |
| N/A | N/A | C:\Windows\System\WgCtzfs.exe | N/A |
| N/A | N/A | C:\Windows\System\bnBIfwz.exe | N/A |
| N/A | N/A | C:\Windows\System\utQZDxE.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-14_5bc627c80faf460469241d61a37ae05b_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\kjoDJsY.exe | C:\Windows\System\kjoDJsY.exe |
| C:\Windows\System\cdXEELh.exe | C:\Windows\System\cdXEELh.exe |
| C:\Windows\System\MTJbPia.exe | C:\Windows\System\MTJbPia.exe |
| C:\Windows\System\UDsFoBF.exe | C:\Windows\System\UDsFoBF.exe |
| C:\Windows\System\gMfLKvE.exe | C:\Windows\System\gMfLKvE.exe |
| C:\Windows\System\hhoTorv.exe | C:\Windows\System\hhoTorv.exe |
| C:\Windows\System\xJZkNib.exe | C:\Windows\System\xJZkNib.exe |
| C:\Windows\System\loeOZmw.exe | C:\Windows\System\loeOZmw.exe |
| C:\Windows\System\yFxZYJB.exe | C:\Windows\System\yFxZYJB.exe |
| C:\Windows\System\VXlYSdL.exe | C:\Windows\System\VXlYSdL.exe |
| C:\Windows\System\hPkWxET.exe | C:\Windows\System\hPkWxET.exe |
| C:\Windows\System\zfeijFF.exe | C:\Windows\System\zfeijFF.exe |
| C:\Windows\System\NmcfGJR.exe | C:\Windows\System\NmcfGJR.exe |
| C:\Windows\System\QrabAth.exe | C:\Windows\System\QrabAth.exe |
| C:\Windows\System\qGILSdQ.exe | C:\Windows\System\qGILSdQ.exe |
| C:\Windows\System\YfeaYiC.exe | C:\Windows\System\YfeaYiC.exe |
| C:\Windows\System\NigcuoQ.exe | C:\Windows\System\NigcuoQ.exe |
| C:\Windows\System\BNkecqp.exe | C:\Windows\System\BNkecqp.exe |
| C:\Windows\System\WgCtzfs.exe | C:\Windows\System\WgCtzfs.exe |
| C:\Windows\System\bnBIfwz.exe | C:\Windows\System\bnBIfwz.exe |
| C:\Windows\System\utQZDxE.exe | C:\Windows\System\utQZDxE.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3972-35-0x00007FF62BAE0000-0x00007FF62BE31000-memory.dmp
C:\Windows\System\gMfLKvE.exe
| MD5 | b02bd766152ac90996b419cf56322d0e |
| SHA1 | 2fcd538f57973ff279ed1b8b0bc89d3f82b4d356 |
| SHA256 | 310cfc7bde44f3da8f0dd10653d68749a26f7c3be9e7c9fbfc90bd0507200cb5 |
| SHA512 | 16520285639b1c8c020ca3fa777bdd1de0cdaa4d55d79eeb7a6844ba560a1a5fd8584b56bea47146667a741da510a1744d437d7bacfd3849884abbcefbc224e4 |
memory/1556-27-0x00007FF64B7D0000-0x00007FF64BB21000-memory.dmp
memory/2388-24-0x00007FF7A4BF0000-0x00007FF7A4F41000-memory.dmp
C:\Windows\System\UDsFoBF.exe
| MD5 | 7291ac4a140590c82eeb9404a2078a82 |
| SHA1 | 604e3dcc561152fffb94c451decc42119b500189 |
| SHA256 | d70eefbe972348229d8cc89493be04a2dfd41b105589d0319c04864255b44e58 |
| SHA512 | b9f6be1a6d993ff02ff87cf7c8e6b33938acb8b016f51aab328b3524489f2b3a7e679cbe0aae204e18ccb57ce3e04f7cd017375fb970b3c19b1a5bb5ef902698 |
memory/1016-13-0x00007FF745C80000-0x00007FF745FD1000-memory.dmp
C:\Windows\System\kjoDJsY.exe
| MD5 | 1dcf143d8abd965ed74c66c6879b881e |
| SHA1 | 9dc553fb0d0989084dc7843ede39360b3ffad0d3 |
| SHA256 | e7becec63235324355e4eed45936b2b5bb9f989444b6ca5a0a48023a59b350f7 |
| SHA512 | 2e1ffb75779bdafa91b7c97da7ad34c27c44d4798f2a79df6759d2d3331d8c19df05749eb2ff4a38b492c688380e739dfd327da5a57c418d8c7d03a29c37a87d |
memory/4148-126-0x00007FF68BEC0000-0x00007FF68C211000-memory.dmp
memory/1004-127-0x00007FF7AB880000-0x00007FF7ABBD1000-memory.dmp
memory/1500-125-0x00007FF6E11B0000-0x00007FF6E1501000-memory.dmp
memory/4048-124-0x00007FF7620D0000-0x00007FF762421000-memory.dmp
memory/1016-130-0x00007FF745C80000-0x00007FF745FD1000-memory.dmp
memory/2388-131-0x00007FF7A4BF0000-0x00007FF7A4F41000-memory.dmp
memory/1148-137-0x00007FF6AECB0000-0x00007FF6AF001000-memory.dmp
memory/848-139-0x00007FF75EF90000-0x00007FF75F2E1000-memory.dmp
memory/4540-144-0x00007FF7B83F0000-0x00007FF7B8741000-memory.dmp
memory/3920-150-0x00007FF7E1700000-0x00007FF7E1A51000-memory.dmp
memory/1576-142-0x00007FF7E8150000-0x00007FF7E84A1000-memory.dmp
memory/228-140-0x00007FF7FD410000-0x00007FF7FD761000-memory.dmp
memory/4116-136-0x00007FF719100000-0x00007FF719451000-memory.dmp
memory/3972-134-0x00007FF62BAE0000-0x00007FF62BE31000-memory.dmp
memory/528-129-0x00007FF6EE920000-0x00007FF6EEC71000-memory.dmp
memory/3920-128-0x00007FF7E1700000-0x00007FF7E1A51000-memory.dmp
memory/3920-151-0x00007FF7E1700000-0x00007FF7E1A51000-memory.dmp
memory/528-196-0x00007FF6EE920000-0x00007FF6EEC71000-memory.dmp
memory/1016-198-0x00007FF745C80000-0x00007FF745FD1000-memory.dmp
memory/1556-200-0x00007FF64B7D0000-0x00007FF64BB21000-memory.dmp
memory/4604-202-0x00007FF6FA2A0000-0x00007FF6FA5F1000-memory.dmp
memory/2388-204-0x00007FF7A4BF0000-0x00007FF7A4F41000-memory.dmp
memory/3948-206-0x00007FF686450000-0x00007FF6867A1000-memory.dmp
memory/3972-208-0x00007FF62BAE0000-0x00007FF62BE31000-memory.dmp
memory/4116-210-0x00007FF719100000-0x00007FF719451000-memory.dmp
memory/1148-213-0x00007FF6AECB0000-0x00007FF6AF001000-memory.dmp
memory/1620-218-0x00007FF6EC8D0000-0x00007FF6ECC21000-memory.dmp
memory/848-217-0x00007FF75EF90000-0x00007FF75F2E1000-memory.dmp
memory/1576-220-0x00007FF7E8150000-0x00007FF7E84A1000-memory.dmp
memory/228-215-0x00007FF7FD410000-0x00007FF7FD761000-memory.dmp
memory/4540-226-0x00007FF7B83F0000-0x00007FF7B8741000-memory.dmp
memory/100-225-0x00007FF781440000-0x00007FF781791000-memory.dmp
memory/2208-223-0x00007FF765810000-0x00007FF765B61000-memory.dmp
memory/4384-228-0x00007FF697820000-0x00007FF697B71000-memory.dmp
memory/4048-235-0x00007FF7620D0000-0x00007FF762421000-memory.dmp
memory/4148-240-0x00007FF68BEC0000-0x00007FF68C211000-memory.dmp
memory/1004-238-0x00007FF7AB880000-0x00007FF7ABBD1000-memory.dmp
memory/1500-241-0x00007FF6E11B0000-0x00007FF6E1501000-memory.dmp