Analysis Overview
SHA256
d501bdb6f2f87f83525b1fe9fe20c02ad38dbdae6e391a5c8a9dc539ef867781
Threat Level: Known bad
The file 2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike family
Cobaltstrike
XMRig Miner payload
xmrig
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-08-15 10:44
Signatures
Cobalt Strike reflective loader
1 hit; no Description, Indicator, Process or Target recorded.
Cobaltstrike family
XMRig Miner payload
1 hit; no Description, Indicator, Process or Target recorded.
Xmrig family
UPX packed file
1 hit; no Description, Indicator, Process or Target recorded.
Unsigned PE
2 hits; no Description, Indicator, Process or Target recorded for either.
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 10:44
Reported
2024-08-15 10:47
Platform
win7-20240705-en
Max time kernel
141s
Max time network
149s
Signatures
Cobalt Strike reflective loader
21 hits; no Description, Indicator, Process or Target recorded for any of them.
Cobaltstrike
xmrig
XMRig Miner payload
40 hits; no Description, Indicator, Process or Target recorded for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\FyndwtS.exe | N/A |
| N/A | N/A | C:\Windows\System\ruprLVE.exe | N/A |
| N/A | N/A | C:\Windows\System\RmzSSzf.exe | N/A |
| N/A | N/A | C:\Windows\System\ghQBlsF.exe | N/A |
| N/A | N/A | C:\Windows\System\IlYUbby.exe | N/A |
| N/A | N/A | C:\Windows\System\GIJGluI.exe | N/A |
| N/A | N/A | C:\Windows\System\qjkqSVP.exe | N/A |
| N/A | N/A | C:\Windows\System\wVRPawO.exe | N/A |
| N/A | N/A | C:\Windows\System\TJOyvlp.exe | N/A |
| N/A | N/A | C:\Windows\System\JMtmySY.exe | N/A |
| N/A | N/A | C:\Windows\System\vggYLLZ.exe | N/A |
| N/A | N/A | C:\Windows\System\qtnoiaG.exe | N/A |
| N/A | N/A | C:\Windows\System\imCagkN.exe | N/A |
| N/A | N/A | C:\Windows\System\pXOasYH.exe | N/A |
| N/A | N/A | C:\Windows\System\ehMKZFv.exe | N/A |
| N/A | N/A | C:\Windows\System\wkVmbhv.exe | N/A |
| N/A | N/A | C:\Windows\System\NQEndlz.exe | N/A |
| N/A | N/A | C:\Windows\System\ZyrOSla.exe | N/A |
| N/A | N/A | C:\Windows\System\gcqTvGQ.exe | N/A |
| N/A | N/A | C:\Windows\System\HHfYUai.exe | N/A |
| N/A | N/A | C:\Windows\System\PrxIkPx.exe | N/A |
Loads dropped DLL
UPX packed file
60 hits; no Description, Indicator, Process or Target recorded for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
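Two of the behaviours recorded above are stable enough to detect on: 21 freshly written executables are launched from C:\Windows\System (the legacy directory, not System32), each with a 7-letter mixed-case name, and the sample enables SeLockMemoryPrivilege, the right a process needs to allocate large pages on Windows and the one XMRig requests for RandomX. The detection below is added here as an example; it is not part of this report or of any vendor rule set. It runs both checks, plus a spawn-burst check for a parent that starts many such binaries, over constructed records shaped like Windows Security events 4688 (process creation) and 4703 (token right adjusted). The field names follow those two events; the SQL Server allow-list entry and the parent/child links in the sample events are assumptions, since the report lists processes flat.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Every dropped binary in the report lives in C:\Windows\System (the old
# 16-bit system directory, not System32) and has a 7-letter mixed-case name.
DROPPED_EXE = re.compile(r"^[A-Za-z]:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)

# Processes that legitimately hold "Lock pages in memory" on some hosts.
# This allow-list is an assumption for the example; tune it to your estate.
LOCK_MEMORY_ALLOWLIST = {
    r"c:\program files\microsoft sql server\mssql\binn\sqlservr.exe",
}


@dataclass(frozen=True)
class Finding:
    rule: str
    process: str
    detail: str


def detect(events):
    """Return one Finding per matching event, in input order."""
    findings = []
    for ev in events:
        if ev.get("EventID") == 4688:
            proc = ev.get("NewProcessName", "")
            if DROPPED_EXE.match(proc):
                findings.append(Finding("exe_in_legacy_system_dir", proc,
                                        "parent=" + ev.get("ParentProcessName", "?")))
        elif ev.get("EventID") == 4703:
            proc = ev.get("ProcessName", "")
            enabled = ev.get("EnabledPrivilegeList", "")
            if "SeLockMemoryPrivilege" in enabled and proc.lower() not in LOCK_MEMORY_ALLOWLIST:
                findings.append(Finding("lock_memory_privilege", proc, enabled))
    return findings


def spawn_burst(events, threshold):
    """Parents that launched at least `threshold` distinct dropped-style
    executables; the report shows one sample starting 21 of them."""
    children = defaultdict(set)
    for ev in events:
        if ev.get("EventID") == 4688 and DROPPED_EXE.match(ev.get("NewProcessName", "")):
            children[ev.get("ParentProcessName", "?")].add(ev["NewProcessName"])
    return {p: sorted(c) for p, c in children.items() if len(c) >= threshold}


# Constructed sample events (not sandbox output). Paths are taken from the
# report; the parent/child relation is assumed.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e"
          r"_cobalt-strike_cobaltstrike_poet-rat.exe")
SAMPLE_EVENTS = [
    {"EventID": 4703, "ProcessName": SAMPLE, "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System\FyndwtS.exe", "ParentProcessName": SAMPLE},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System\ruprLVE.exe", "ParentProcessName": SAMPLE},
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System\RmzSSzf.exe", "ParentProcessName": SAMPLE},
    # benign noise: a System32 binary and an allow-listed SQL Server process
    {"EventID": 4688, "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "ParentProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4703, "ProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f.rule, f.process, f.detail)
    print(spawn_burst(SAMPLE_EVENTS, threshold=3))
```

The privilege check alone is noisy on database and hypervisor hosts, which is why it is paired with the path check and the burst count; in this report all three fire on the same parent.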
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\FyndwtS.exe | C:\Windows\System\FyndwtS.exe |
| C:\Windows\System\RmzSSzf.exe | C:\Windows\System\RmzSSzf.exe |
| C:\Windows\System\ruprLVE.exe | C:\Windows\System\ruprLVE.exe |
| C:\Windows\System\ghQBlsF.exe | C:\Windows\System\ghQBlsF.exe |
| C:\Windows\System\IlYUbby.exe | C:\Windows\System\IlYUbby.exe |
| C:\Windows\System\GIJGluI.exe | C:\Windows\System\GIJGluI.exe |
| C:\Windows\System\qjkqSVP.exe | C:\Windows\System\qjkqSVP.exe |
| C:\Windows\System\wVRPawO.exe | C:\Windows\System\wVRPawO.exe |
| C:\Windows\System\TJOyvlp.exe | C:\Windows\System\TJOyvlp.exe |
| C:\Windows\System\JMtmySY.exe | C:\Windows\System\JMtmySY.exe |
| C:\Windows\System\vggYLLZ.exe | C:\Windows\System\vggYLLZ.exe |
| C:\Windows\System\imCagkN.exe | C:\Windows\System\imCagkN.exe |
| C:\Windows\System\qtnoiaG.exe | C:\Windows\System\qtnoiaG.exe |
| C:\Windows\System\pXOasYH.exe | C:\Windows\System\pXOasYH.exe |
| C:\Windows\System\ehMKZFv.exe | C:\Windows\System\ehMKZFv.exe |
| C:\Windows\System\wkVmbhv.exe | C:\Windows\System\wkVmbhv.exe |
| C:\Windows\System\NQEndlz.exe | C:\Windows\System\NQEndlz.exe |
| C:\Windows\System\ZyrOSla.exe | C:\Windows\System\ZyrOSla.exe |
| C:\Windows\System\gcqTvGQ.exe | C:\Windows\System\gcqTvGQ.exe |
| C:\Windows\System\PrxIkPx.exe | C:\Windows\System\PrxIkPx.exe |
| C:\Windows\System\HHfYUai.exe | C:\Windows\System\HHfYUai.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1056-0-0x000000013FAF0000-0x000000013FE41000-memory.dmp
memory/1056-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\FyndwtS.exe
| MD5 | f60eaa4ad8519b8aa7561949a16f882b |
| SHA1 | 9da2f8263997ff52aeb9c0418c05e80dbde3eb79 |
| SHA256 | cc3bc9c595d2c0e5d2c91f136f11f7ac328d3b6c6777f2b80397e14fda3d9921 |
| SHA512 | 29de60f338397dc5147d21be291f95fe2938c77bff53599fb77a94fec542bb583437781545955250b198f8b6fcb5069f5d5fc1407ed17572d6c01aee967812dd |
\Windows\system\RmzSSzf.exe
| MD5 | e400d8a74f8e6d7005aa82e1dcef21e4 |
| SHA1 | 6b40c4988209dbaf27c9a71af2ccedda24e6ca59 |
| SHA256 | cf6890fe494a3ff1e1ab283737204441a3d1547a2b166b56e76e43b6f44cc6ac |
| SHA512 | 10fe0fe9f53b826e4a8b05655480037009db059fd2d4f0c727329fbcbdac8c5ee9c8c5382547ba15b9a3494d589746796f3cd0f960ebfb0cffc90fcdc8e1e6f4 |
C:\Windows\system\ghQBlsF.exe
| MD5 | 530113de8256c6e996b0ee38627a2739 |
| SHA1 | 5d338382b787d040be7f5f11524cb02c7d6f3e39 |
| SHA256 | b9f9322d097a9682c197c25cf48149eb70f896642033ff611564827b96ed405b |
| SHA512 | b660140f246abb88c232a36027f4601ada2fa5866d957020e3cd5ebc888916e99e47b362bc7aab5a5fc5a4f987024f0bf5a09c47c7515c5aac480ec302cc6243 |
C:\Windows\system\IlYUbby.exe
| MD5 | 87a403cd30e50aeb618b988a22ef34eb |
| SHA1 | ebad54f2e0dc09472f2b0bd51d39f54e01a6b7e8 |
| SHA256 | f5e14ebf937b57d073a9b0dd29540ca065e76fb066ee414d8981d52f8cc6ee1e |
| SHA512 | 1c2d80124497575ea0fbd54d3535257f75e31b98b9712ab2461b6b1cf1c3b94f7839a82174a0da43effa9173065f11b8588757ebe51b02deea4445547fb4b0f2 |
C:\Windows\system\GIJGluI.exe
| MD5 | b27b217ef4fb8cc0e859a449d9235fc0 |
| SHA1 | 1541d1b1dce6bf6382f1932ae6b831d3e1eb1b17 |
| SHA256 | d098fb9fe74df4f23f58d92f4a9869ff9e8d39f1440cda8c46e89664dca5a45b |
| SHA512 | a622a78a397b235dd0dbc17bd061c269995fb5fe26ebb7ccb81f471da945fbcab5e67ec8e0329376c05c53fb70b867e40533f85d577c9dcaccc25f2dcd8a36dd |
C:\Windows\system\qjkqSVP.exe
| MD5 | 859c687cc7721f4a03474f5907903e1c |
| SHA1 | eafa3c928d7ce9e87d09352959288c3b96f2a861 |
| SHA256 | e5b11f46db2d9e4e6cc8a89680417988be845054bfc95ab1d28d66f11f005b56 |
| SHA512 | 30de955265623dff2fe0a8f6ad44d253e1c705ac0073f657c54d13f8d6ecf4c936140267b67bed1e9664dca8c18f106d61f6c614909f368a8932a9ef71a97182 |
C:\Windows\system\wVRPawO.exe
| MD5 | b979a0af1511ee3636a88a9df071d432 |
| SHA1 | f27663b45edae5123c39e89128f45b7696ae9aef |
| SHA256 | bc94c59d60b8090ac34eaccdb72e5805313918fe417b519eecbb331fd6437c33 |
| SHA512 | bc8fa190759d759e8a942855d288663ca5b113653cdc429e1373bc44e8b9534618760f5efbe7adfd634ec07d5a47decd507b2706f4e06c0912879448eb3182c3 |
C:\Windows\system\TJOyvlp.exe
| MD5 | c1525569232ec0201e261dea2aeba682 |
| SHA1 | 0da13dd9012aaeb39616f12ff9adb0545013b71c |
| SHA256 | 9d47b0d1ec6af7eee25979a95d59c60a27ffcc8374426bc23293c48d32a786cc |
| SHA512 | 401cf364f90c3a579a471596b58ecde160440168d97b2112cc3afc883fcff035f9b0d3d200727650278538add99e5818f6708f3173097f4047dd6c4a61f9d553 |
C:\Windows\system\JMtmySY.exe
| MD5 | edc22d4bc13f87cd9af92775f9748b3b |
| SHA1 | 45d82a5071103a038410c9f28b68b6ffb82a9315 |
| SHA256 | 7984826472d7d7193146e817f2e319c4815d5357fe90ce1a8abcdb58ecc21769 |
| SHA512 | 2e5b1cfc2d8ce61c1ec94cd71519715cc7010e04d969f9ed20cfd9799ebbb730106efb2e616caee5a79c4632c0ddf6270f30cb1eeaacf633510fe421a1c7ee9c |
C:\Windows\system\vggYLLZ.exe
| MD5 | 0ab5c8c9014fc73a231b00530261be22 |
| SHA1 | ec8ed059fb0cdb44465f62c321379b23335544b7 |
| SHA256 | 812afc57d51dbe125ac558839250ae724624bf0ab5082e3d08f6cc5873b48ea1 |
| SHA512 | 9a1023fe95765ee5c1de28b7c0fa482e1858216631a41f1b0bede1440262df0b8abc0a65ca505f0f2eb7fd888322c8dbdc49b02ee2db54ef12a9efa226226ea8 |
\Windows\system\imCagkN.exe
| MD5 | 9eac613751a594a5160c761c58ce9dec |
| SHA1 | 7dce162f87c13e69cfff6bedd16e8ade7d551002 |
| SHA256 | bf0ac2263599e0454d49d0430338dd88d20f5b718cb91d87b427c1a0f8320d95 |
| SHA512 | bf14356849df743328a8af25906b743340fb753a72a32f8400aacb38e5c51b1f735b21c02c46ee676ba2e26741697bb8d06e88060e2d2d69c42aaf6d0e14e723 |
C:\Windows\system\ehMKZFv.exe
| MD5 | c52fa641d4ec326147da6ed2b2629562 |
| SHA1 | 1984162032ee380bb06a0be325c5035d757bdaa5 |
| SHA256 | 68d207cdc87bd27f23ebde62d507c6e76a5d07452806c920d6b3caa7a41d039e |
| SHA512 | 534b3d6eb2a353e62f7b1aedf7aff746da53940e72d59515488909a23891eae32a5118615ab23e9f77a0a2c6aa19d21bdae9bfdb7e0999be0379345545038be5 |
\Windows\system\HHfYUai.exe
| MD5 | 0b15a6c8bd4c879fd12f733ece8376e6 |
| SHA1 | ca97d6864f0b163b4b6a9d71ddb93a416d8a1076 |
| SHA256 | 04479b52930abefce7ab49ff5e4df3be46c26d7363b6c69edbdbf99b8cd79c32 |
| SHA512 | d495c333b215401eef89b5dbcbacfa3a535d745884cad30b1b20f357aa606f8eb34343e98ff80049946fc8dbf6c861df91af56fbe57787746a3ccb504c3ad55d |
\Windows\system\PrxIkPx.exe
| MD5 | 857b5291e383ab3b1cee4359820edd54 |
| SHA1 | 1fec72eb708b5d48d3d02c6579849c5014c4898b |
| SHA256 | 3f26564e6e7c1102006a93e9b011534b7aa1353d55b84b99eeead05892405373 |
| SHA512 | 919f3edeb02168216a0f1e50b260aa928b39a9bd7f2196f02b5fe1085c69fab22ddf7fdd5b087ddc51ce8dd3134abc949c44b6a71b933c27c517a5a1d66daa30 |
C:\Windows\system\ZyrOSla.exe
| MD5 | 7f03acc4e5175e2e35588804b59fa95e |
| SHA1 | 936fa7defad190358b47beb38c065c8680c1fa13 |
| SHA256 | 1d28d0ca2c2b2720f02cb1643880069edb0208cdb4406c4f4ec4eecc88243f2f |
| SHA512 | 5e5e0e12b8aa5525183127bd517005e2a64ac77476c65e043d41c43ed15be5df5efb3caf10f80cb8b09113ad8d0fb2af5372f27f0731ae024187855e9777eef1 |
C:\Windows\system\wkVmbhv.exe
| MD5 | a0b80bd2f70e75966d1ef83a44300661 |
| SHA1 | 0f943611c71a6cfb2a6984ff3a6ae93501a52db3 |
| SHA256 | 5a71bd05b805a868a99cea3f234cc4f09ae0c8731e015e9f04f2a894021ff34d |
| SHA512 | 6545a6fec98ef3912ff162ce4ac4bb9e6f62a79c8a97d1f99e612285dd1518393a7f1e3b8ca3107d0a356681c7951bbe66210c47d9d9d126b0f0acf1a424d0a9 |
memory/1056-107-0x0000000002340000-0x0000000002691000-memory.dmp
C:\Windows\system\gcqTvGQ.exe
| MD5 | 18957cdf96caa83e026d195ed1c77f0f |
| SHA1 | 05982ead283d20f182db8244ccd8c6f1fb6abd17 |
| SHA256 | 7331158e53e66d69bf9a17525b101d68d6bd2876d8d17f27852f479fa5908bf5 |
| SHA512 | 1ce20c96a5cf864b04870d81485cab25a709d94bb576c6eadcbd819177c246bc04cd885e3f0880d719e97b1bdfcc9b5adfb4ec8c239243ce27d8f9866a7044e4 |
C:\Windows\system\NQEndlz.exe
| MD5 | 1bc5396e909710ad0bb992111433af3f |
| SHA1 | 2585f0cc2e3522e2488be1b259f6b7d2f5fc694a |
| SHA256 | b8182f1e4e0551ee3e92979e5291db06079ef70a247f9edab779077f6d661bab |
| SHA512 | 89b4a57828e0a36a868472b2c9d39e83e69881421da48d461edf8e667256fddb79a25bf5d009217597db8ec0d06eb9f0f6e69f916e50720e55807509702ef738 |
C:\Windows\system\pXOasYH.exe
| MD5 | 577fa5a3a5d5827aef1e05ac3ee19b68 |
| SHA1 | 6a135ec97ecedcb267cc0566bf9c3bd34a489728 |
| SHA256 | 261ba643a202d874e22db39519d54b7e0bb83d504620954c4857c34d389757ca |
| SHA512 | 080bd66c307fcfa494be72d10504edbcd6a17a3b63ce779cc278134e535af5116ee7a2c82d79442342113f9b507322f62242d0854242a91b8e0be24dfe5bba75 |
C:\Windows\system\qtnoiaG.exe
| MD5 | e192a766a0e52417ffd91d3dfc33a183 |
| SHA1 | 2c63d17f7fd24061271f5e733df6f05d1a8305c6 |
| SHA256 | 10e496b5647d904de0f60a7e6c64ee540219b9180349e88586a4e7f5bd4a5562 |
| SHA512 | 15ff83523672f79300d4f0d61d4a35f223ae966a214c75f884a97c62c44a9993a86e63428998d3913c3a118b9e1bd7a6d35fb3ba945922898d1f546c01dc5318 |
C:\Windows\system\ruprLVE.exe
| MD5 | e11387698c1e80efb2c748ef33d84736 |
| SHA1 | 5bb6ec425c491aa3f8082acfa3d0a5840a906f59 |
| SHA256 | 2e0e8a0faade73813f2e94a19bb31573c299b966b13e5e0441bf1a717b84ab5b |
| SHA512 | 9c1190b68a194e61e83ff2ce77baf4056600533c805b5251eab7aa60f81c08440187f936bcb84678e934460607e034e916fd9948269fe6fd9e3e87e7d1c6805b |
memory/2732-114-0x000000013F360000-0x000000013F6B1000-memory.dmp
memory/1056-113-0x000000013F360000-0x000000013F6B1000-memory.dmp
memory/2160-112-0x000000013F8E0000-0x000000013FC31000-memory.dmp
memory/1056-111-0x0000000002340000-0x0000000002691000-memory.dmp
memory/2012-110-0x000000013F470000-0x000000013F7C1000-memory.dmp
memory/1056-109-0x000000013F470000-0x000000013F7C1000-memory.dmp
memory/2212-108-0x000000013F9D0000-0x000000013FD21000-memory.dmp
memory/1056-116-0x000000013F1E0000-0x000000013F531000-memory.dmp
memory/2860-115-0x000000013FA20000-0x000000013FD71000-memory.dmp
memory/2780-119-0x000000013F370000-0x000000013F6C1000-memory.dmp
memory/1056-118-0x000000013F370000-0x000000013F6C1000-memory.dmp
memory/2880-117-0x000000013F1E0000-0x000000013F531000-memory.dmp
memory/1056-122-0x000000013F150000-0x000000013F4A1000-memory.dmp
memory/2888-121-0x000000013F5C0000-0x000000013F911000-memory.dmp
memory/1056-120-0x000000013F5C0000-0x000000013F911000-memory.dmp
memory/2096-123-0x000000013F150000-0x000000013F4A1000-memory.dmp
memory/1988-131-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/1256-130-0x000000013F160000-0x000000013F4B1000-memory.dmp
memory/2628-129-0x000000013F4E0000-0x000000013F831000-memory.dmp
memory/2660-128-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/1056-127-0x000000013F4E0000-0x000000013F831000-memory.dmp
memory/2340-126-0x000000013F170000-0x000000013F4C1000-memory.dmp
memory/1056-125-0x000000013F170000-0x000000013F4C1000-memory.dmp
memory/1056-124-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/1056-132-0x000000013FAF0000-0x000000013FE41000-memory.dmp
memory/936-151-0x000000013F250000-0x000000013F5A1000-memory.dmp
memory/2940-153-0x000000013F890000-0x000000013FBE1000-memory.dmp
memory/2948-152-0x000000013F4C0000-0x000000013F811000-memory.dmp
memory/1640-150-0x000000013FA50000-0x000000013FDA1000-memory.dmp
memory/2528-149-0x000000013F410000-0x000000013F761000-memory.dmp
memory/2052-148-0x000000013F440000-0x000000013F791000-memory.dmp
memory/2700-147-0x000000013FE30000-0x0000000140181000-memory.dmp
memory/1056-154-0x000000013FAF0000-0x000000013FE41000-memory.dmp
memory/1056-155-0x000000013FAF0000-0x000000013FE41000-memory.dmp
memory/1256-222-0x000000013F160000-0x000000013F4B1000-memory.dmp
memory/1988-224-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/2096-232-0x000000013F150000-0x000000013F4A1000-memory.dmp
memory/2780-230-0x000000013F370000-0x000000013F6C1000-memory.dmp
memory/2860-228-0x000000013FA20000-0x000000013FD71000-memory.dmp
memory/2160-226-0x000000013F8E0000-0x000000013FC31000-memory.dmp
memory/2628-248-0x000000013F4E0000-0x000000013F831000-memory.dmp
memory/2660-246-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/2888-245-0x000000013F5C0000-0x000000013F911000-memory.dmp
memory/2732-240-0x000000013F360000-0x000000013F6B1000-memory.dmp
memory/2012-238-0x000000013F470000-0x000000013F7C1000-memory.dmp
memory/2880-242-0x000000013F1E0000-0x000000013F531000-memory.dmp
memory/2212-236-0x000000013F9D0000-0x000000013FD21000-memory.dmp
memory/2340-234-0x000000013F170000-0x000000013F4C1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 10:44
Reported
2024-08-15 10:47
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
146s
Signatures
Cobalt Strike reflective loader
21 hits; no Description, Indicator, Process or Target recorded for any of them.
Cobaltstrike
xmrig
XMRig Miner payload
46 hits; no Description, Indicator, Process or Target recorded for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\PvDbrOv.exe | N/A |
| N/A | N/A | C:\Windows\System\SvfaYty.exe | N/A |
| N/A | N/A | C:\Windows\System\kWjgCJO.exe | N/A |
| N/A | N/A | C:\Windows\System\OpJooXW.exe | N/A |
| N/A | N/A | C:\Windows\System\EWHEnIq.exe | N/A |
| N/A | N/A | C:\Windows\System\NsxVjjA.exe | N/A |
| N/A | N/A | C:\Windows\System\Ticnvij.exe | N/A |
| N/A | N/A | C:\Windows\System\AyhLRTq.exe | N/A |
| N/A | N/A | C:\Windows\System\aGpzwvv.exe | N/A |
| N/A | N/A | C:\Windows\System\JwtUZeH.exe | N/A |
| N/A | N/A | C:\Windows\System\KYYmgoK.exe | N/A |
| N/A | N/A | C:\Windows\System\aEppgbU.exe | N/A |
| N/A | N/A | C:\Windows\System\CKsYyqY.exe | N/A |
| N/A | N/A | C:\Windows\System\TRTvSpj.exe | N/A |
| N/A | N/A | C:\Windows\System\gLfzEbv.exe | N/A |
| N/A | N/A | C:\Windows\System\LSewzxp.exe | N/A |
| N/A | N/A | C:\Windows\System\YoXWrzz.exe | N/A |
| N/A | N/A | C:\Windows\System\WvfOKNO.exe | N/A |
| N/A | N/A | C:\Windows\System\nRrFaSX.exe | N/A |
| N/A | N/A | C:\Windows\System\AEuuSMM.exe | N/A |
| N/A | N/A | C:\Windows\System\qoCgjzh.exe | N/A |
UPX packed file
64 hits; no Description, Indicator, Process or Target recorded for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-15_576a258f7767af98d3d30c02d0271b9e_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\PvDbrOv.exe | C:\Windows\System\PvDbrOv.exe |
| C:\Windows\System\SvfaYty.exe | C:\Windows\System\SvfaYty.exe |
| C:\Windows\System\kWjgCJO.exe | C:\Windows\System\kWjgCJO.exe |
| C:\Windows\System\OpJooXW.exe | C:\Windows\System\OpJooXW.exe |
| C:\Windows\System\EWHEnIq.exe | C:\Windows\System\EWHEnIq.exe |
| C:\Windows\System\NsxVjjA.exe | C:\Windows\System\NsxVjjA.exe |
| C:\Windows\System\Ticnvij.exe | C:\Windows\System\Ticnvij.exe |
| C:\Windows\System\AyhLRTq.exe | C:\Windows\System\AyhLRTq.exe |
| C:\Windows\System\aGpzwvv.exe | C:\Windows\System\aGpzwvv.exe |
| C:\Windows\System\JwtUZeH.exe | C:\Windows\System\JwtUZeH.exe |
| C:\Windows\System\KYYmgoK.exe | C:\Windows\System\KYYmgoK.exe |
| C:\Windows\System\aEppgbU.exe | C:\Windows\System\aEppgbU.exe |
| C:\Windows\System\CKsYyqY.exe | C:\Windows\System\CKsYyqY.exe |
| C:\Windows\System\WvfOKNO.exe | C:\Windows\System\WvfOKNO.exe |
| C:\Windows\System\TRTvSpj.exe | C:\Windows\System\TRTvSpj.exe |
| C:\Windows\System\gLfzEbv.exe | C:\Windows\System\gLfzEbv.exe |
| C:\Windows\System\LSewzxp.exe | C:\Windows\System\LSewzxp.exe |
| C:\Windows\System\YoXWrzz.exe | C:\Windows\System\YoXWrzz.exe |
| C:\Windows\System\nRrFaSX.exe | C:\Windows\System\nRrFaSX.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3820,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=4768 /prefetch:8 |
| C:\Windows\System\AEuuSMM.exe | C:\Windows\System\AEuuSMM.exe |
| C:\Windows\System\qoCgjzh.exe | C:\Windows\System\qoCgjzh.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3452-0-0x00007FF65D890000-0x00007FF65DBE1000-memory.dmp
memory/3452-1-0x00000138CCAE0000-0x00000138CCAF0000-memory.dmp
C:\Windows\System\kWjgCJO.exe
| MD5 | 0a80b8de65808f94864ddfa1d191b178 |
| SHA1 | 31a1da37f85a86e38e6f28781cd72a6f505801a5 |
| SHA256 | b93e9513061d363e5b6df9805fff987265947c029dd95a00b55f31355660fa58 |
| SHA512 | 63785f0fc55c1eb5ff09da6011e0f9621412f62b18c6b5f600bcdc7ff1d05250fa09e83ac51ff1afbd19f9caf9e6a6f85e5dbffd52b19894eb863cf616a60ae7 |
C:\Windows\System\PvDbrOv.exe
| MD5 | aed81308851d99e02d3cb40f91015e6a |
| SHA1 | 6a49030b72daa4dda6d9731ce9753fbeb9dc1a46 |
| SHA256 | e12d7735c7e946b07b08808514d110cddb6224fbe3ffe8d77c0b11eed49c7c10 |
| SHA512 | f6e2bc6c4362dd45c1d731cb497eac1c411fdae6f628e9ff675909690b32ba8c112c9287d84e0d4127a6f60786405e08eb4919f8966e3ffae9f0da214c040a52 |
C:\Windows\System\SvfaYty.exe
| MD5 | 14d924295176c6d9db03eec60bd90918 |
| SHA1 | 5b84a992a76c2dd5dd2bb9b7a3caa27cf4477fdc |
| SHA256 | 4d1c3a5c9347929e63f3314fbf47b15429437192a57f98705c3282fdf7070e10 |
| SHA512 | 3f7ee8d75be238957771031d0a3f2b05a9b893d01fc138808481f0393b48693299fc7cf747aebd318fa9a59d7b41733bd23ec686c4b7ede23d1319cb1fca41a8 |
memory/4136-9-0x00007FF7D97A0000-0x00007FF7D9AF1000-memory.dmp
memory/6084-17-0x00007FF6326F0000-0x00007FF632A41000-memory.dmp
C:\Windows\System\OpJooXW.exe
| MD5 | 08cd8adad853e96e596c4f5effb57fe9 |
| SHA1 | 4f4b8ac72c2ed283468936ae0f7fefd648d60e31 |
| SHA256 | e332782ed5744b00d2be9cd569ef01eb1abad3e7ced3d5217f179ceeadf1d721 |
| SHA512 | f88db728021b2cc4c1385839dc9796c6bc28580d12e875fb9afb60d8c40010369cbfc0ec6190885dc76f13e6e4e208c6e080b88bdc5fccfb235931d45db36e47 |
memory/5356-21-0x00007FF696210000-0x00007FF696561000-memory.dmp
C:\Windows\System\EWHEnIq.exe
| MD5 | b25c3cd928a5913f1226b9728ec1ce91 |
| SHA1 | ed5cacf531fb3cf7bdd55f6441778dfce96bd340 |
| SHA256 | 308d0df60751b4f6928c49943dabedd3546eed91d60788ef2803548e354d1caa |
| SHA512 | 406b1486525c95e3407eaa6d25cd286994fe442f4769f4bdd52ff4715330964198bfcf76a50d1f5af1b28540a15d9a814a455767d6b198d6a690420d0b4378ab |
C:\Windows\System\NsxVjjA.exe
| MD5 | 0008f1dc6b96ef2d051e9d79261cbe86 |
| SHA1 | 3e03580414de63f2188393f4d5317b0893fd0530 |
| SHA256 | 9d0de3fe8134c860df01c46949b2cf2f14bbfe9d99308236cb22890a9687aa83 |
| SHA512 | c2a0ddcd8262ea4a2a3846255169a7792c3f60321becf77b970ec5dafaae6af1df6ab7a38e158d63fa2f4aa5a427fe797338813c521fef35a99cb8a26050f701 |
C:\Windows\System\AyhLRTq.exe
| MD5 | d3c8a80791120b1dd2bb0afa9d74a3ea |
| SHA1 | daee4b299b0e6c0e49695d9b549eb13de8f88773 |
| SHA256 | 97395ffdeaa05be8b082d805427529c3440842a55804628b3b3b969e134ee2b9 |
| SHA512 | 90245a4144e3ca9a64547457a3f8caae576445cdbef56736ded51092b44f2a7723101b17991a7665913e4d5fee21ce7d7e2e2abd0225c61fd14e2b62bdec0359 |
C:\Windows\System\Ticnvij.exe
| MD5 | f94f19ea188d3dfde2ea04fe2ecc7ab4 |
| SHA1 | 13dc58e3c8e993e66aa5c3043cede8c3c074eb6d |
| SHA256 | acece87119ec5b00f2ff8df2c183d24c4d4403b69bfa13e3da49aebd52fd8b6e |
| SHA512 | c4f7c6261a52859fe5bb8955fab9ca6994299f8d8043a6fc3ece316f12b5e3b9607b7422c881454d1ee994ebd565dd03f5a82de0b3d68e2b6512379a941039a0 |
C:\Windows\System\KYYmgoK.exe
| MD5 | 7a219fcbed816501886e9b4500da27e4 |
| SHA1 | dca431b44a696f92f6ddecf72647ab2e513f4302 |
| SHA256 | a651a0780f80423f081385eaaf1ad9dbcd0abcdca6ebf8b8948a4ef577fcbef7 |
| SHA512 | b764319d821fd7c1cc5b9daacb05b55067690905faeab71fdf1338c3047c57d9e6b175280c2678a09d556edf8cf8bf882ee986d9dc14fabbf6714579e8480296 |
C:\Windows\System\CKsYyqY.exe
| MD5 | f2fa89edbc59bab58ac4d551385c46ef |
| SHA1 | 1919c0cc52908fd8308aed625d15772aacfa3a24 |
| SHA256 | dedfbc0d0459cf30386b2d5409c677ba8246bc91da62288828387080d7fb4c92 |
| SHA512 | 65903c1f150e8e990fbf22e293c0d14b18d8432657239952fd53b1216b258680aef3bc651c83e68d51398f31ebf7e826a771ca48a0641b9dadeae1126fb13ab8 |
memory/4132-72-0x00007FF6334E0000-0x00007FF633831000-memory.dmp
memory/5888-77-0x00007FF6655D0000-0x00007FF665921000-memory.dmp
memory/1944-90-0x00007FF651570000-0x00007FF6518C1000-memory.dmp
memory/4136-102-0x00007FF7D97A0000-0x00007FF7D9AF1000-memory.dmp
C:\Windows\System\WvfOKNO.exe
| MD5 | 29a17f28c41f82b15607deb593d2480a |
| SHA1 | 0690fad0e99c86b8d8e69118d7e1af978b1b691e |
| SHA256 | 4f82c2ada016de0045a7cb04ab7fa6df8faa02f165c4fc7abdb2491c7562a1f6 |
| SHA512 | f8119bfc98e377a5a2cefe3ab58f298a5e7f08aae14df7c95586b679849ed77766d8ac75141164460c0a74ed5dea0c80fdbec92ee3e62ba044c4440bc13668ee |
C:\Windows\System\YoXWrzz.exe
| MD5 | 9c43bcac662a6982b537079e78de26ab |
| SHA1 | 04a33e308849d12708376b76165874159262f850 |
| SHA256 | 1dd69b4a6844911161d0d991744dbb539763d62eb7107184c9ec7ff605f118dc |
| SHA512 | f536fd66fde28bc8c954e53b53d5396863e6711123b3556382354c2cb3bd916fb2962b29d336665add903d3d32a6f5da2d470788b471761fb4b6bdd73b4fb15b |
C:\Windows\System\LSewzxp.exe
| MD5 | d424e829f392686e2d44276a7b72898a |
| SHA1 | 8d5d0105c6ffbdd7452fc3ad5cb924173c86d925 |
| SHA256 | 0d20b15cd55a79fc2f09b3dff81bdc7a8126861e45c0d8501056f6f2d2aad335 |
| SHA512 | 9379cd7ca2893e578b5c4576a82fe295ddc9e0d09d948b01a5245fb28f6e36fb24d89b3705c3ccce79beb395e6b0b11a1e70f8d1e8437b73616a2eb5ed58a3cd |
C:\Windows\System\gLfzEbv.exe
| MD5 | 1a46842517217924e92f6478685cae44 |
| SHA1 | 786161c1f4b2c870dddac1535dc02cc8a1b6cef0 |
| SHA256 | 443a181cd080c4172a9c7caa2299b1293e635240bb09be1cf393212301b8bd68 |
| SHA512 | d969d4fba174baaf0b583834c87b40f6024657b12a5db166b23f26c5f0baa110128a67f8b871652579c332a33a627755ca220dba574e32720dc3c1d0636ddb3d |
C:\Windows\System\TRTvSpj.exe
| MD5 | 04cccd73fcb19d1aca19d54cbdd05dcf |
| SHA1 | ad5588556bd3e6e5f86c7b627e2c1425dc9f95dc |
| SHA256 | 7b036c97feaee6c74c41734fcc50e2ea08fbb0c2baaf8ed825650131634d7a56 |
| SHA512 | 91ac0e0781f9365f67c185443d29e57b4308e90d9c791a061435a5516fca90bafc931570aef2798c873e46774c158d14201335a9609425de45c71215f7c5b576 |
C:\Windows\System\aEppgbU.exe
| MD5 | e295738d39545db9e63080634ed41931 |
| SHA1 | c01503ad8d8b72e3bd7d990b31bc4cb1eabc904e |
| SHA256 | 3b822db1057fd65bcf4e29c3a326a41ba09897f656403dbc9f054647be58efef |
| SHA512 | 22a16ba68d235f50c47e06f740d125d6cb408650e650640efcbe1e6eb397c8904dfdef985702864efe4c0f8908c339278f80051801e26992df187786fdf5d766 |
C:\Windows\System\JwtUZeH.exe
| MD5 | bea3be3215e0b678e3d919fe858f84c3 |
| SHA1 | a7c2827ea40f7a8852d048b567efb2d4fb145b96 |
| SHA256 | 8c0f19c002623675326cc6618b8e1337c083f4cb7b4048b0c45f7e1e552758b0 |
| SHA512 | 4338458a404cfae0045345eda5bf3a5130683609dd943c2b5bffa5f2ba4948ec4902469425b940b7ae73ab413bcdc4cefd76082990f7ded24caaa258b3c6d6af |
C:\Windows\System\aGpzwvv.exe
| MD5 | ecda2f41318f2ae7af1631708cd1dc30 |
| SHA1 | 724ab899aff7776e1917259a5807c706db808da1 |
| SHA256 | 0174a24d398a0366de4126b35966bee29838ad7ddda97b16a6e0f216ab35d9e9 |
| SHA512 | ae2329a9b87bfc111a8d89c5e59e945ed9e3252f44ca17c6f1c7040a1be6668cb0065493c29a0a3818fc243b130f4123046ca065b5edbbce7e1bd66db1367f06 |
C:\Windows\System\AEuuSMM.exe
| MD5 | 6937d03f3b8815f814f613f662f0d3f5 |
| SHA1 | a0193f94de6fb9f294d2d36fb542d9507eb74c7f |
| SHA256 | 7f70a40d056952a1d8b6e0ac1ca75ec0fd3ea569817b5cc78fdf4b58a1d67868 |
| SHA512 | f517ef8d03368d56d259dc1b32b97a2d3f22e45d35e0eb967cd02392d57d7d88ee421053c3a39557c08e80bdf1938d2bcb5bbe8b257e43c5c5c37c08438676d9 |
C:\Windows\System\nRrFaSX.exe
| MD5 | 64a19f816bde15a998d49a487404f48a |
| SHA1 | aef7efe4363c7e4592947d59a270abe543f553d0 |
| SHA256 | 1a5d51b18a40afc2bd190df2c9f63042d74b558f747987740516a09607e14ce4 |
| SHA512 | 42098acaee81ddc013627f8013b83c9640ea6ee7eb8f7f0ddb6348add4621ee9dae17aed213c37924f9d3dc3402d2b1ed027df2def833fd0eab38a40b42f145d |
C:\Windows\System\qoCgjzh.exe
| MD5 | 54c5993bdec767624f0cbdac19d51d17 |
| SHA1 | 30d32832cba2d16ef96eee760550e605219c47ce |
| SHA256 | 018691614bb8ed18c8bcefdda99092edbe1d3ca72b936fbba559aef1c78448b3 |
| SHA512 | 94862303d9d2c09c737d10d15f29465c37a2fdb09958dc516a016d35586883aad9db78f8e2af347db32715fb249fb7e5f3d3af5d87ca1aac811c4b60423b1a2a |