Analysis Overview
SHA256
d4c62700ce14c4cb710f5e1ba743afd1ca4ba3382b44f802015d66c4f8c05613
Threat Level: Known bad
The file 2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
xmrig
XMRig Miner payload
Cobalt Strike reflective loader
Cobaltstrike family
Xmrig family
Cobaltstrike
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-15 10:47
Signatures
Cobalt Strike reflective loader
1 match; no description, indicator, process or target details were captured for it.
Cobaltstrike family
XMRig Miner payload
1 match; no description, indicator, process or target details were captured for it.
Xmrig family
UPX packed file
1 match; no description, indicator, process or target details were captured for it.
Unsigned PE
2 matches; no description, indicator, process or target details were captured for them.
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 10:47
Reported
2024-08-15 10:49
Platform
win7-20240708-en
Max time kernel
140s
Max time network
142s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target details were captured for them.
Cobaltstrike
xmrig
XMRig Miner payload
40 matches; no description, indicator, process or target details were captured for them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\yfPRbmt.exe | N/A |
| N/A | N/A | C:\Windows\System\NMaKlvt.exe | N/A |
| N/A | N/A | C:\Windows\System\PTWaTQX.exe | N/A |
| N/A | N/A | C:\Windows\System\tntKfmH.exe | N/A |
| N/A | N/A | C:\Windows\System\LRiVlnn.exe | N/A |
| N/A | N/A | C:\Windows\System\eQncUyq.exe | N/A |
| N/A | N/A | C:\Windows\System\fkhcBmH.exe | N/A |
| N/A | N/A | C:\Windows\System\oXfIjQg.exe | N/A |
| N/A | N/A | C:\Windows\System\XgDRCMC.exe | N/A |
| N/A | N/A | C:\Windows\System\jhobuIC.exe | N/A |
| N/A | N/A | C:\Windows\System\LcetrGR.exe | N/A |
| N/A | N/A | C:\Windows\System\iQqgARr.exe | N/A |
| N/A | N/A | C:\Windows\System\xGcbINp.exe | N/A |
| N/A | N/A | C:\Windows\System\KakYiLR.exe | N/A |
| N/A | N/A | C:\Windows\System\UpOWngJ.exe | N/A |
| N/A | N/A | C:\Windows\System\EYXhYTr.exe | N/A |
| N/A | N/A | C:\Windows\System\vgdcLHY.exe | N/A |
| N/A | N/A | C:\Windows\System\baeojTc.exe | N/A |
| N/A | N/A | C:\Windows\System\uxHPdGS.exe | N/A |
| N/A | N/A | C:\Windows\System\ceEsHtF.exe | N/A |
| N/A | N/A | C:\Windows\System\GnSYJqx.exe | N/A |
Loads dropped DLL
UPX packed file
60 matches; no description, indicator, process or target details were captured for them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\yfPRbmt.exe | C:\Windows\System\yfPRbmt.exe |
| C:\Windows\System\NMaKlvt.exe | C:\Windows\System\NMaKlvt.exe |
| C:\Windows\System\PTWaTQX.exe | C:\Windows\System\PTWaTQX.exe |
| C:\Windows\System\tntKfmH.exe | C:\Windows\System\tntKfmH.exe |
| C:\Windows\System\LRiVlnn.exe | C:\Windows\System\LRiVlnn.exe |
| C:\Windows\System\eQncUyq.exe | C:\Windows\System\eQncUyq.exe |
| C:\Windows\System\oXfIjQg.exe | C:\Windows\System\oXfIjQg.exe |
| C:\Windows\System\fkhcBmH.exe | C:\Windows\System\fkhcBmH.exe |
| C:\Windows\System\XgDRCMC.exe | C:\Windows\System\XgDRCMC.exe |
| C:\Windows\System\jhobuIC.exe | C:\Windows\System\jhobuIC.exe |
| C:\Windows\System\LcetrGR.exe | C:\Windows\System\LcetrGR.exe |
| C:\Windows\System\iQqgARr.exe | C:\Windows\System\iQqgARr.exe |
| C:\Windows\System\xGcbINp.exe | C:\Windows\System\xGcbINp.exe |
| C:\Windows\System\KakYiLR.exe | C:\Windows\System\KakYiLR.exe |
| C:\Windows\System\UpOWngJ.exe | C:\Windows\System\UpOWngJ.exe |
| C:\Windows\System\EYXhYTr.exe | C:\Windows\System\EYXhYTr.exe |
| C:\Windows\System\vgdcLHY.exe | C:\Windows\System\vgdcLHY.exe |
| C:\Windows\System\baeojTc.exe | C:\Windows\System\baeojTc.exe |
| C:\Windows\System\ceEsHtF.exe | C:\Windows\System\ceEsHtF.exe |
| C:\Windows\System\uxHPdGS.exe | C:\Windows\System\uxHPdGS.exe |
| C:\Windows\System\GnSYJqx.exe | C:\Windows\System\GnSYJqx.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\system\yfPRbmt.exe
C:\Windows\system\NMaKlvt.exe
C:\Windows\system\tntKfmH.exe
C:\Windows\system\PTWaTQX.exe
C:\Windows\system\jhobuIC.exe
C:\Windows\system\iQqgARr.exe
C:\Windows\system\KakYiLR.exe
C:\Windows\system\uxHPdGS.exe
C:\Windows\system\GnSYJqx.exe
C:\Windows\system\ceEsHtF.exe
C:\Windows\system\baeojTc.exe
C:\Windows\system\vgdcLHY.exe
C:\Windows\system\EYXhYTr.exe
C:\Windows\system\UpOWngJ.exe
C:\Windows\system\xGcbINp.exe
C:\Windows\system\LcetrGR.exe
C:\Windows\system\XgDRCMC.exe
C:\Windows\system\oXfIjQg.exe
C:\Windows\system\fkhcBmH.exe
C:\Windows\system\LRiVlnn.exe
C:\Windows\system\eQncUyq.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 10:47
Reported
2024-08-15 10:49
Platform
win10v2004-20240802-en
Max time kernel
143s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target details were captured for them.
Cobaltstrike
xmrig
XMRig Miner payload
46 matches; no description, indicator, process or target details were captured for them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\EsLbEoe.exe | N/A |
| N/A | N/A | C:\Windows\System\CeNKpNX.exe | N/A |
| N/A | N/A | C:\Windows\System\hChkuld.exe | N/A |
| N/A | N/A | C:\Windows\System\zbULbuk.exe | N/A |
| N/A | N/A | C:\Windows\System\CvJnVpm.exe | N/A |
| N/A | N/A | C:\Windows\System\irwDwOO.exe | N/A |
| N/A | N/A | C:\Windows\System\ItacToq.exe | N/A |
| N/A | N/A | C:\Windows\System\RGEUvyy.exe | N/A |
| N/A | N/A | C:\Windows\System\btmDWwy.exe | N/A |
| N/A | N/A | C:\Windows\System\PiPAFYI.exe | N/A |
| N/A | N/A | C:\Windows\System\LAqrZoH.exe | N/A |
| N/A | N/A | C:\Windows\System\iQiFUZI.exe | N/A |
| N/A | N/A | C:\Windows\System\CWIzEZN.exe | N/A |
| N/A | N/A | C:\Windows\System\PtvhuVC.exe | N/A |
| N/A | N/A | C:\Windows\System\StcJlJV.exe | N/A |
| N/A | N/A | C:\Windows\System\Wcspvex.exe | N/A |
| N/A | N/A | C:\Windows\System\cqouLGi.exe | N/A |
| N/A | N/A | C:\Windows\System\VSgnHQo.exe | N/A |
| N/A | N/A | C:\Windows\System\GlERwev.exe | N/A |
| N/A | N/A | C:\Windows\System\YaWXOzc.exe | N/A |
| N/A | N/A | C:\Windows\System\dbaSZMn.exe | N/A |
UPX packed file
64 matches; no description, indicator, process or target details were captured for them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-15_6b524e2d8698c55b583d9bbcbcdcd714_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\EsLbEoe.exe | C:\Windows\System\EsLbEoe.exe |
| C:\Windows\System\CeNKpNX.exe | C:\Windows\System\CeNKpNX.exe |
| C:\Windows\System\hChkuld.exe | C:\Windows\System\hChkuld.exe |
| C:\Windows\System\CvJnVpm.exe | C:\Windows\System\CvJnVpm.exe |
| C:\Windows\System\zbULbuk.exe | C:\Windows\System\zbULbuk.exe |
| C:\Windows\System\irwDwOO.exe | C:\Windows\System\irwDwOO.exe |
| C:\Windows\System\ItacToq.exe | C:\Windows\System\ItacToq.exe |
| C:\Windows\System\RGEUvyy.exe | C:\Windows\System\RGEUvyy.exe |
| C:\Windows\System\btmDWwy.exe | C:\Windows\System\btmDWwy.exe |
| C:\Windows\System\PiPAFYI.exe | C:\Windows\System\PiPAFYI.exe |
| C:\Windows\System\LAqrZoH.exe | C:\Windows\System\LAqrZoH.exe |
| C:\Windows\System\iQiFUZI.exe | C:\Windows\System\iQiFUZI.exe |
| C:\Windows\System\CWIzEZN.exe | C:\Windows\System\CWIzEZN.exe |
| C:\Windows\System\PtvhuVC.exe | C:\Windows\System\PtvhuVC.exe |
| C:\Windows\System\StcJlJV.exe | C:\Windows\System\StcJlJV.exe |
| C:\Windows\System\Wcspvex.exe | C:\Windows\System\Wcspvex.exe |
| C:\Windows\System\cqouLGi.exe | C:\Windows\System\cqouLGi.exe |
| C:\Windows\System\VSgnHQo.exe | C:\Windows\System\VSgnHQo.exe |
| C:\Windows\System\GlERwev.exe | C:\Windows\System\GlERwev.exe |
| C:\Windows\System\YaWXOzc.exe | C:\Windows\System\YaWXOzc.exe |
| C:\Windows\System\dbaSZMn.exe | C:\Windows\System\dbaSZMn.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\EsLbEoe.exe
C:\Windows\System\hChkuld.exe
C:\Windows\System\ItacToq.exe
C:\Windows\System\btmDWwy.exe
C:\Windows\System\CWIzEZN.exe
C:\Windows\System\Wcspvex.exe
C:\Windows\System\StcJlJV.exe
C:\Windows\System\PtvhuVC.exe
C:\Windows\System\iQiFUZI.exe
C:\Windows\System\LAqrZoH.exe
C:\Windows\System\PiPAFYI.exe
C:\Windows\System\RGEUvyy.exe
C:\Windows\System\CvJnVpm.exe
| MD5 | 83231076ee7cb8395ae2ff8dbf3605e7 |
| SHA1 | 519ad80bd18f8135b9f77a79fb0635e5f153f83b |
| SHA256 | 4a42a675aa89e9207c17bdcd4cb80ed9d45f21926ecf000121c14d874a85f5df |
| SHA512 | 5c0c85657440b1720f3415b93db000e87b02cdb2f92e1438c6ad422a35f7e716149123d9749c0f20b5fa508b2fbde8845e2628a2c6e5e9d6658ea673fed58c01 |
C:\Windows\System\zbULbuk.exe
| MD5 | 732e76121a988cc066a3426e6c339599 |
| SHA1 | aeafce5a654334bf3da08d8f59dd9419c9b90a99 |
| SHA256 | 471aea48ad8537d8b89a3c62f35b7c5e664fa90f7e0bab960b1a3962505002f8 |
| SHA512 | 8f129b2d3e06d02bff7e1f7962dc5319f55763f35470277765df96f788d0e85efa932087f19e6973fbfdb75ef9d10ce51a58bc761d19d3b466560b2733538096 |
C:\Windows\System\irwDwOO.exe
| MD5 | 755c21475c8bca45181803dd7ed09c8e |
| SHA1 | fc563134b72ee4e8e6c4511fc1b32d6c085115d9 |
| SHA256 | 1f1bd101e25b682885b63fb85bf3e0d2f6777927dd38f010997f97f5dc363b64 |
| SHA512 | 1ae63c9e5998bd6b19fab8b14d5183a935f9da7658b2609b9c4cec2b35385c2838f204c9f1740a8c30e58e0690e9524c7ca1d29849e4ab02434c478975642152 |
memory/4700-24-0x00007FF685980000-0x00007FF685CD1000-memory.dmp
memory/3704-20-0x00007FF638F10000-0x00007FF639261000-memory.dmp
C:\Windows\System\CeNKpNX.exe
| MD5 | fe07916af8c6ff237597c8d2df8b24ea |
| SHA1 | 84e0b3ff184a9dcbb66e65e0d826fc621f3fe5ad |
| SHA256 | e4cebbe2702df29b7a24ceeed00e739aaa3279f6f343251671500a9765dc4843 |
| SHA512 | 777bcdea4e93fc35a2ef721e053093af4d044f79cefe584720270b1cce63ce62a1191f6c8750b3685d612a06cb06334ddd75e311bef7594ad4246e99b0bec777 |
C:\Windows\System\cqouLGi.exe
| MD5 | 4ab2a5f992814eb6a1c5a56a9070f590 |
| SHA1 | db02c344d78d9e3d24b17371bd60a453bd9f6a54 |
| SHA256 | e664a88e4dd453757f1478c6a9d1d274eef543898c938ac191d856d58a3fd248 |
| SHA512 | 69697c9697f89c8d2e5175830fc6c0e8fcc3f9ccb4fbe0fde695a7215be990e8449f2e828f3cd31a8aa405f8d4f5898fcc1aae596bbf1458615c3c8a57eb56a5 |
memory/4776-102-0x00007FF603A70000-0x00007FF603DC1000-memory.dmp
memory/5008-108-0x00007FF73F980000-0x00007FF73FCD1000-memory.dmp
memory/3704-117-0x00007FF638F10000-0x00007FF639261000-memory.dmp
C:\Windows\System\dbaSZMn.exe
| MD5 | d148de388d07d644c3dccdf447487fcc |
| SHA1 | f144ef5db12d1bc3a630cd5bfb19cb476b2500dc |
| SHA256 | 735ac8a1f838186137639955d7385bfa038626112ecd7c09131b09413b3f5dd4 |
| SHA512 | 57f6c8377f5572ba016c60efe747e43cd84895b5f993459cb4a37583b3254d253dadfabd94e08c23bc7349ceba380efc6c1f5c926c6d736b5abed50ce831758a |
C:\Windows\System\YaWXOzc.exe
| MD5 | 6f9abaf6164a41e136533295856e93ee |
| SHA1 | be4dae08ffc68ae325c3b5ea19df64da885d3cfa |
| SHA256 | 159fee32e2fbfa1889c98c9fd280c58641663fcfcceeecf438cf10b550cc3349 |
| SHA512 | 073406de243747b719c554b9bcc714f3595b67049fe3528236c8cb649c69ce044f3590167542ccc7f3d57d8ed533015b80d4f26626a0443b62ab0bde693820a9 |
memory/4700-122-0x00007FF685980000-0x00007FF685CD1000-memory.dmp
C:\Windows\System\VSgnHQo.exe
| MD5 | cb71e8901fca9b86d02ffeded67cc076 |
| SHA1 | aa915ec87f2a3c7419043ef1357d7020b24fd81e |
| SHA256 | 9362af382ad50f7d59e2d9db3aa844caadc5b5981dba9bd219aebdcd8be0243b |
| SHA512 | 263d01f0304dc1bdb118053571b0ff223e04826329261afb4885690e71e4892f410872f8725ffd84030f4acc42b0c0b8f5b6485b660b9b0c71f802559ea01320 |
memory/4832-116-0x00007FF7AE260000-0x00007FF7AE5B1000-memory.dmp
memory/2680-131-0x00007FF712210000-0x00007FF712561000-memory.dmp
memory/3964-129-0x00007FF644AA0000-0x00007FF644DF1000-memory.dmp
memory/4064-139-0x00007FF696030000-0x00007FF696381000-memory.dmp
memory/2792-137-0x00007FF7D63B0000-0x00007FF7D6701000-memory.dmp
C:\Windows\System\GlERwev.exe
| MD5 | e9f7ce3fb4022878f68dc4bcc7acf9e6 |
| SHA1 | 854083c259949670e81c34bb3c2fccec74ce92ba |
| SHA256 | c3318d83be603f011e5bded6fa6d7fe3a7108327c8e61305e357965d15e94261 |
| SHA512 | c1efd3cf92fe4daaca3ffc229e7057225503bcafe4fff8c1a1b6b77ec7f7b829ee64e5b569616bed19c5a853f7b0f98f19e5431278ad3373c6c7431d23714819 |
memory/4972-105-0x00007FF64AB20000-0x00007FF64AE71000-memory.dmp
memory/5108-141-0x00007FF6AF3B0000-0x00007FF6AF701000-memory.dmp
memory/4972-145-0x00007FF64AB20000-0x00007FF64AE71000-memory.dmp
memory/1688-144-0x00007FF7D1440000-0x00007FF7D1791000-memory.dmp
memory/1108-142-0x00007FF7B6950000-0x00007FF7B6CA1000-memory.dmp
memory/4356-140-0x00007FF78D6A0000-0x00007FF78D9F1000-memory.dmp
memory/1544-143-0x00007FF690790000-0x00007FF690AE1000-memory.dmp
memory/4776-146-0x00007FF603A70000-0x00007FF603DC1000-memory.dmp
memory/4832-147-0x00007FF7AE260000-0x00007FF7AE5B1000-memory.dmp
memory/4776-169-0x00007FF603A70000-0x00007FF603DC1000-memory.dmp
memory/5008-200-0x00007FF73F980000-0x00007FF73FCD1000-memory.dmp
memory/3704-216-0x00007FF638F10000-0x00007FF639261000-memory.dmp
memory/4188-218-0x00007FF79E0F0000-0x00007FF79E441000-memory.dmp
memory/4700-220-0x00007FF685980000-0x00007FF685CD1000-memory.dmp
memory/2680-222-0x00007FF712210000-0x00007FF712561000-memory.dmp
memory/452-224-0x00007FF762820000-0x00007FF762B71000-memory.dmp
memory/2436-226-0x00007FF626C30000-0x00007FF626F81000-memory.dmp
memory/2800-228-0x00007FF773350000-0x00007FF7736A1000-memory.dmp
memory/3824-230-0x00007FF67B180000-0x00007FF67B4D1000-memory.dmp
memory/1476-233-0x00007FF75E650000-0x00007FF75E9A1000-memory.dmp
memory/3876-234-0x00007FF72D360000-0x00007FF72D6B1000-memory.dmp
memory/4356-236-0x00007FF78D6A0000-0x00007FF78D9F1000-memory.dmp
memory/5108-238-0x00007FF6AF3B0000-0x00007FF6AF701000-memory.dmp
memory/1688-240-0x00007FF7D1440000-0x00007FF7D1791000-memory.dmp
memory/1108-244-0x00007FF7B6950000-0x00007FF7B6CA1000-memory.dmp
memory/1544-243-0x00007FF690790000-0x00007FF690AE1000-memory.dmp
memory/4972-251-0x00007FF64AB20000-0x00007FF64AE71000-memory.dmp
memory/3964-253-0x00007FF644AA0000-0x00007FF644DF1000-memory.dmp
memory/4832-255-0x00007FF7AE260000-0x00007FF7AE5B1000-memory.dmp
memory/4064-259-0x00007FF696030000-0x00007FF696381000-memory.dmp
memory/2792-257-0x00007FF7D63B0000-0x00007FF7D6701000-memory.dmp
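The listing above is a flat dump of dropped-file hash tables and memory-region names. The following parser is an added example, not code from the report or from the sandbox vendor: it turns those lines into records, refuses digests of the wrong length (a truncated hash copied into a blocklist matches nothing), and derives what the raw listing does not make obvious, namely that every `memory/PID-N-start-end` region has the same mapped size and that every drop follows the same seven-letter naming pattern under `C:\Windows\System\`. The sample input is constructed by copying lines verbatim from the report; the function and class names (`parse_report`, `DroppedFile`, `MemoryRegion`, `RANDOM_DROP_RE`) are this example's own.

```python
import re
from dataclasses import dataclass, field

# Sample input, constructed for this example by copying lines verbatim from
# the report above (SHA-512 rows omitted to keep the sample short).
SAMPLE_REPORT = r"""
memory/1108-92-0x00007FF7B6950000-0x00007FF7B6CA1000-memory.dmp
memory/1544-90-0x00007FF690790000-0x00007FF690AE1000-memory.dmp
C:\Windows\System\iQiFUZI.exe
| MD5 | a47e02257fc0fba200b7432b7abe9c71 |
| SHA1 | 6a041d3cc78b8871e5bed9a5c8a4ad98c472db63 |
| SHA256 | 4deb060b1e9ed93c83e0504f8c3132c826818a94a85d1d70f939a611cbbcc15e |
C:\Windows\System\LAqrZoH.exe
| MD5 | 2b368e319fc2f79d3eb303d4b860bf6f |
| SHA1 | d3d90e62b57ff6eb9591deb34330db951fe02cf7 |
| SHA256 | 789f137965c5f518314be17151aa35870cd600aae79c2d34b6f6a2971b7ae0e0 |
memory/3704-20-0x00007FF638F10000-0x00007FF639261000-memory.dmp
memory/3704-117-0x00007FF638F10000-0x00007FF639261000-memory.dmp
"""

# memory/<pid>-<dump index>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")                       # a Windows drive path line
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Naming pattern of the drops listed above: seven ASCII letters under C:\Windows\System\
RANDOM_DROP_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)   # algorithm name -> lowercase hex digest


@dataclass
class MemoryRegion:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_report(text: str):
    """Return (dropped_files, memory_regions). A hash row binds to the most
    recent path line; a digest of the wrong length, or a hash row that
    precedes any path, raises ValueError instead of producing a bad IOC."""
    files, regions, current = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if m := MEM_RE.match(line):
            pid, idx, start, end = m.groups()
            regions.append(MemoryRegion(int(pid), int(idx), int(start, 16), int(end, 16)))
        elif PATH_RE.match(line):
            current = DroppedFile(line)
            files.append(current)
        elif m := HASH_RE.match(line):
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"line {lineno}: {algo} has {len(digest)} hex chars, expected {HASH_LEN[algo]}")
            if current is None:
                raise ValueError(f"line {lineno}: hash row before any file path")
            current.hashes[algo] = digest
        # Any other line (table headers, signature names) is ignored.
    return files, regions


def rejects_malformed(text: str) -> bool:
    """True if parse_report refuses the input (used to exercise the length check)."""
    try:
        parse_report(text)
    except ValueError:
        return True
    return False


def region_sizes(regions):
    """Distinct mapped sizes; a single value means every PID mapped a same-size image."""
    return {r.size for r in regions}


def regions_per_pid(regions):
    counts = {}
    for r in regions:
        counts[r.pid] = counts.get(r.pid, 0) + 1
    return counts


def random_name_drops(files):
    return [f.path for f in files if RANDOM_DROP_RE.match(f.path)]


def sha256_blocklist(files):
    """(sha256, path) pairs for every dropped file that carries a SHA-256."""
    return [(f.hashes["SHA256"], f.path) for f in files if "SHA256" in f.hashes]


if __name__ == "__main__":
    files, regions = parse_report(SAMPLE_REPORT)
    for digest, path in sha256_blocklist(files):
        print(digest, path)
    print("region sizes:", {hex(s) for s in region_sizes(regions)})
    print("regions per PID:", regions_per_pid(regions))
```

Run it on the full report rather than the sample and the slice must begin at a path line, since the first two rows of this section (SHA-256 and SHA-512 of a file whose path is above the section) would otherwise trip the "hash row before any file path" check. On the sample the region set collapses to a single size, 0x351000 bytes, across every PID, which is what you would expect when one payload is written out under many random names and started once per copy; that is the observation to carry into a hunt, alongside the SHA-256 list and the naming pattern.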