Analysis Overview
SHA256: e78b4e5876285560a5dfec63610febeffcf3b7fa69d69fc1cdf1725e801081f1
Threat Level: Known bad
The file 2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat was classified as Known bad.
Malicious Activity Summary
Families: xmrig, cobaltstrike
Cobalt Strike reflective loader
XMRig Miner payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported: 2024-08-15 10:47
Signatures
Cobalt Strike reflective loader: 1 hit (description, indicator, process and target not captured in this export)
Cobaltstrike family
XMRig Miner payload: 1 hit (details not captured)
Xmrig family
UPX packed file: 1 hit (details not captured)
Unsigned PE: 2 hits (details not captured)
Analysis: behavioral1
Detonation Overview
Submitted: 2024-08-15 10:47
Reported: 2024-08-15 10:50
Platform: win7-20240729-en
Max time kernel: 140s
Max time network: 144s
Command Line
Signatures
Cobalt Strike reflective loader: 21 hits (description, indicator, process and target not captured in this export)
Cobaltstrike
xmrig
XMRig Miner payload: 47 hits (details not captured)
Executes dropped EXE: 21 processes, all under C:\Windows\System\ (description, indicator and target not captured)
ELRIjCN.exe, icuvtEB.exe, BwsPaEr.exe, EilvOVR.exe, gexnndi.exe, mZBgisT.exe, awaVaKx.exe, hEjlGEY.exe, nbHewlH.exe, ebbPaoh.exe, tkTnwvA.exe, bkGdnjG.exe, IOmtonY.exe, hUCsPuQ.exe, xAJuAyn.exe, RzmGEDq.exe, LvhHQzc.exe, fPRYZLN.exe, xfyBEMO.exe, YQOqzYI.exe, xnDAVat.exe
Loads dropped DLL
UPX packed file: 64 hits (details not captured)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
SeLockMemoryPrivilege ("Lock pages in memory") is the right XMRig enables so its RandomX dataset can be backed by large pages; ordinary user-mode software almost never requests it, which makes this a strong corroborating indicator for the miner payload flagged above.
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe"
The 21 dropped executables, each started with its bare image path as the command line (no arguments), in launch order:
C:\Windows\System\icuvtEB.exe
C:\Windows\System\ELRIjCN.exe
C:\Windows\System\BwsPaEr.exe
C:\Windows\System\EilvOVR.exe
C:\Windows\System\gexnndi.exe
C:\Windows\System\mZBgisT.exe
C:\Windows\System\awaVaKx.exe
C:\Windows\System\hEjlGEY.exe
C:\Windows\System\nbHewlH.exe
C:\Windows\System\ebbPaoh.exe
C:\Windows\System\tkTnwvA.exe
C:\Windows\System\bkGdnjG.exe
C:\Windows\System\IOmtonY.exe
C:\Windows\System\hUCsPuQ.exe
C:\Windows\System\xAJuAyn.exe
C:\Windows\System\RzmGEDq.exe
C:\Windows\System\LvhHQzc.exe
C:\Windows\System\fPRYZLN.exe
C:\Windows\System\xfyBEMO.exe
C:\Windows\System\YQOqzYI.exe
C:\Windows\System\xnDAVat.exe
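What the two detonations show, read together: the sample in the user's Temp directory writes 21 executables with seven-letter mixed-case names into C:\Windows\System (the legacy 16-bit directory, which receives no new executables in normal operation), launches each with its bare path, and enables SeLockMemoryPrivilege. Every dropped file has a different hash, yet all of them, and the sample itself, map to a 0x351000-byte image (compare the start and end of each memory/PID-N-START-END entry in the Files section), and the hashes are identical in the Win7 and Win10 runs. The 21 hashes are therefore stable indicators for this build only; a rebuild changes all of them at once, so the durable detection is the behaviour. The added example below is not part of the report; it encodes that behaviour as correlation logic over constructed records shaped like Sysmon Event ID 11 (FileCreate), Sysmon Event ID 1 (ProcessCreate) and Security Event ID 4703 (token right adjusted). The field names follow those event schemas; the PIDs, the four-name subset of the drops and the benign control record are assumptions for illustration.

```python
import re
from collections import defaultdict

# C:\Windows\System is the legacy 16-bit directory; a new seven-letter
# .exe appearing there (the naming seen in this report) is anomalous.
DROP_NAME = re.compile(r"^[a-z]:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)
# Writer/launcher living under a user's Temp directory, as in the report.
TEMP_DIR = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)
# Privilege XMRig enables to back its RandomX dataset with large pages.
MINER_PRIV = "SeLockMemoryPrivilege"


def is_dropped_name(path):
    """True for <drive>:\\Windows\\System\\<7 letters>.exe, any case."""
    return DROP_NAME.match(path) is not None


def correlate(events):
    """Collect drop, execute and privilege signals per writing/launching PID.

    Event dicts use the field names of Sysmon EID 11 (FileCreate), Sysmon
    EID 1 (ProcessCreate) and Security EID 4703 (token right adjusted).
    """
    state = defaultdict(lambda: {"image": None, "dropped": set(),
                                 "executed": set(), "lock_memory": False})
    for ev in events:
        eid = ev["EventID"]
        if eid == 11 and is_dropped_name(ev["TargetFilename"]):
            st = state[ev["ProcessId"]]
            st["image"] = ev["Image"]
            st["dropped"].add(ev["TargetFilename"].lower())
        elif eid == 1 and is_dropped_name(ev["Image"]):
            st = state[ev["ParentProcessId"]]
            st["image"] = ev["ParentImage"]
            st["executed"].add(ev["Image"].lower())
        elif eid == 4703 and MINER_PRIV in ev.get("EnabledPrivilegeList", ""):
            st = state[ev["ProcessId"]]
            st["image"] = st["image"] or ev.get("ProcessName")
            st["lock_memory"] = True
    return state


def verdicts(events, min_drops=3):
    """Return {pid: finding} for processes that both wrote and launched at
    least min_drops such files from a Temp-resident image."""
    out = {}
    for pid, st in correlate(events).items():
        chain = st["dropped"] & st["executed"]
        from_temp = bool(st["image"]) and TEMP_DIR.match(st["image"]) is not None
        if len(chain) >= min_drops and from_temp:
            label = "drop-and-execute chain from Temp into C:\\Windows\\System"
            if st["lock_memory"]:
                label += "; SeLockMemoryPrivilege enabled (large-page miner behaviour)"
            out[pid] = {"image": st["image"], "count": len(chain), "verdict": label}
    return out


# Constructed records (assumed PIDs; names are four of the report's 21).
PARENT = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-08-15_6c5862dd6742b207080c3bf04987ed32"
          "_cobalt-strike_cobaltstrike_poet-rat.exe")
DROPS = ["ELRIjCN", "icuvtEB", "BwsPaEr", "EilvOVR"]


def sample_events():
    evs = []
    for i, name in enumerate(DROPS):
        path = "C:\\Windows\\System\\" + name + ".exe"
        evs.append({"EventID": 11, "ProcessId": 2224, "Image": PARENT, "TargetFilename": path})
        evs.append({"EventID": 1, "ProcessId": 2400 + i, "Image": path,
                    "ParentProcessId": 2224, "ParentImage": PARENT})
    evs.append({"EventID": 4703, "ProcessId": 2224, "ProcessName": PARENT,
                "EnabledPrivilegeList": "SeLockMemoryPrivilege"})
    # Benign control: an installer writing an executable somewhere ordinary.
    evs.append({"EventID": 11, "ProcessId": 900, "Image": "C:\\Windows\\System32\\msiexec.exe",
                "TargetFilename": "C:\\Program Files\\Tool\\tool.exe"})
    return evs


if __name__ == "__main__":
    for pid, finding in verdicts(sample_events()).items():
        print(pid, finding["count"], finding["verdict"])
```

The threshold of three drop-and-execute pairs keeps a single self-updating installer from tripping the rule; the SeLockMemoryPrivilege signal is added to the verdict rather than required, because the Cobalt Strike half of this sample would be just as interesting without the miner.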
Network
| Country | Destination | Domain | Proto | Count |
| DE | 3.120.209.58:8080 | | tcp | 6 |
Files
memory/2224-0-0x000000013FE90000-0x00000001401E1000-memory.dmp
memory/2224-1-0x0000000000080000-0x0000000000090000-memory.dmp
C:\Windows\system\ELRIjCN.exe
| MD5 | 4a16f39f2ac4c032e01b9a991a609519 |
| SHA1 | d25d49fc7a02e62caf114f93d5730911a53d0f72 |
| SHA256 | 2fb3965043659737311b4b7945ec37775a965bc9ebadf9c46428981a20c9f306 |
| SHA512 | a226321c39148e4228d95def038af65dbfb893739d2eee3a9730fc95a55ba6e352c571c1c23690a938bb56f348c23f1fbe82739e3f3af6229bc9e13cc95abc65 |
memory/2224-7-0x000000013F2E0000-0x000000013F631000-memory.dmp
\Windows\system\BwsPaEr.exe
| MD5 | ac5cd9e20d3edd3f969f47206521cb6e |
| SHA1 | f4894a2035e61fe9d3f0fe3ec4641e5a2c565b52 |
| SHA256 | 9b6c389ec15938152b07c7f67d59249644607ff70d42edf9ae23fb1a3d90a6a5 |
| SHA512 | e872d5e0ac26a0b4c17cae90bb6366e2e92633dab84d91f1eee91b4b195c72764fbaadbbb707c199f61ce43764557db6d2733f3dd1f80fa277248dbaf71f4edf |
memory/1928-22-0x000000013F0A0000-0x000000013F3F1000-memory.dmp
memory/2224-20-0x000000013F0A0000-0x000000013F3F1000-memory.dmp
memory/2740-19-0x000000013F2E0000-0x000000013F631000-memory.dmp
memory/2432-18-0x000000013FB60000-0x000000013FEB1000-memory.dmp
C:\Windows\system\icuvtEB.exe
| MD5 | bdd0fd3cf38024d1f624800375ca484b |
| SHA1 | 95eb522f386bf38107493a6f0d0668035b959d37 |
| SHA256 | c5fae26d5281e458d272e52a377509cd0dfe4e0cdade69f61be2df8f0f60c407 |
| SHA512 | 47876e15c469c16320ec9bd583cffc2dbfe09300b092169a91e83e1c4ccfed8732b8b3e1e80b9b5562db890ae6c1141c7ffd9d9365c64ffe98fa040bace2d4a0 |
memory/2224-12-0x0000000002370000-0x00000000026C1000-memory.dmp
\Windows\system\EilvOVR.exe
| MD5 | b5d42630ba95d1b8aa4fa881e6edc768 |
| SHA1 | 8fd6d7eb3ceba5137e2d7f77f98d82a71db6020f |
| SHA256 | d697bb3f70a103775a14f986e4d377078bf0979e7445fcb2283f743f3b95f41b |
| SHA512 | f85a5e672d8892d8ad6f6933f09ef2a3d838ef33d72ef27ebafc612507831b5a1a89d0742200678e881367f82918874ee1338ac76d7f5c9ae25c6ad73777a9b0 |
memory/2988-29-0x000000013FEB0000-0x0000000140201000-memory.dmp
C:\Windows\system\gexnndi.exe
| MD5 | 27abdbb99f799fc5ff6032c8b4c7c6f3 |
| SHA1 | eb3b005b9e7a8dc4e189199edfaf1ec2810e1ca4 |
| SHA256 | 85ac7aabf5ee75188f77ff56e8af8184427bf5ab3dd5b8a38d86148f311eefbd |
| SHA512 | 086931e7795ae7eb48715f3d4ed467d542309729c61baaa6e9486d3c719083260e88bab5a8e8e2413edde68a78209d6614442405be291ff1da71fc27708ca71d |
memory/2808-35-0x000000013F060000-0x000000013F3B1000-memory.dmp
C:\Windows\system\mZBgisT.exe
| MD5 | ef99a7d32c84a940e09098915a15bc10 |
| SHA1 | f420f73c53ebea9e5ed36b8aeed2a53a2215fe31 |
| SHA256 | 6166e37c7a996e7e7d57c39d997a65153d7bb543ff561b9a6f80b61873500c21 |
| SHA512 | 4a94d4e7f0cdb44a27606a7d63705221b0489244d3973b2e31350db1ae6248a7c98eb14b1db6efc37860d220b9247f6eac68de94f924ab3d1fc5c61e973750bf |
memory/2224-38-0x000000013FA80000-0x000000013FDD1000-memory.dmp
memory/2224-41-0x000000013FE90000-0x00000001401E1000-memory.dmp
memory/2824-43-0x000000013FA80000-0x000000013FDD1000-memory.dmp
\Windows\system\hEjlGEY.exe
| MD5 | 3869418ed38a45742f7c08703bc118b2 |
| SHA1 | b644df3a7e279c6b1ed7dd46fc0a108972d20e69 |
| SHA256 | 591adf3c7b144f80b3858ea126eaeaa17aa72b79577b9ab44f9e7cfa74d8f8cf |
| SHA512 | c71261d4ee1c98dd97f2b36896b98235b963c2cbcedd7588ad74ebb0bf21a6c30bb3cd847fb7f986afa1d8d2969b2ed0d669ed15e4cf123869aa3500f8484f88 |
\Windows\system\awaVaKx.exe
| MD5 | 0b450a3f9ea0c2dea0c196b06ec42d3e |
| SHA1 | 1787646dcc46017a273a0777fe918b604c742f21 |
| SHA256 | 713bd4a8d0662a2f50396e4d52bb8b8b7932028e910bb37c7c90451379766f62 |
| SHA512 | 66af5adbce30a540ed191eb5f0c598e5111d955500713639f52a5bb4b514a8ae9cceceda16a302ab3fb004574a7b3fda018100a9f9ef52b652ccf4ee842d58aa |
memory/2224-52-0x0000000002370000-0x00000000026C1000-memory.dmp
memory/2932-55-0x000000013F490000-0x000000013F7E1000-memory.dmp
memory/2652-56-0x000000013FCC0000-0x0000000140011000-memory.dmp
memory/1928-58-0x000000013F0A0000-0x000000013F3F1000-memory.dmp
C:\Windows\system\nbHewlH.exe
| MD5 | 435fe85978728c72a4fb32b5e23ccc9a |
| SHA1 | fdd044dc6365cb533aeb406235026d5100ceab52 |
| SHA256 | b097f0e813eead32a76078634d363f7a6b6dc090012de2497b64017501854b67 |
| SHA512 | e59c621162e43911324c5a466ccac51c118ffa326ec60a86b148d0b819f1657ade53511ce89e3663ffcf5842b0a98265a08779f510f7daffb40d3d3866e868e9 |
memory/1612-64-0x000000013F590000-0x000000013F8E1000-memory.dmp
\Windows\system\ebbPaoh.exe
| MD5 | 7d3fa332b54aaf81b690a810491712a9 |
| SHA1 | b78e0ba335ce3bdaaea23cb7b8ecb00b4307d173 |
| SHA256 | 552fb694d1161d8dddd90c26a148d72118063cd81ef7e00e28ae44b09ae690bc |
| SHA512 | 869967c4f67d47884156a24695e061b11d3b209c816573af334e3eb346f795488fc5783142b29a87cd189a1ddc22ebf199d1bbd95bca71ff5f4e705a0ea26c0c |
memory/2824-80-0x000000013FA80000-0x000000013FDD1000-memory.dmp
\Windows\system\tkTnwvA.exe
| MD5 | 49e757dd81780cde3713ff6e84624032 |
| SHA1 | 7534e6025d490f21a211c83ca4a9a14bff49ed6c |
| SHA256 | 5f5559b89248ba0980c2cb218f6508be2553b332defe155a37708bc8a8b802eb |
| SHA512 | 63cadf2bf0d58c2d4aefd2c2ccaf5a6983cc7427d2c7a5604852d52ea3dc8c04541fec0396e35dab2afd656b89d95101d63117e2eec73f0ede423c51f38d2be6 |
memory/1488-78-0x000000013F800000-0x000000013FB51000-memory.dmp
memory/360-76-0x000000013F910000-0x000000013FC61000-memory.dmp
memory/2808-74-0x000000013F060000-0x000000013F3B1000-memory.dmp
memory/2224-72-0x000000013F800000-0x000000013FB51000-memory.dmp
memory/2224-71-0x000000013F910000-0x000000013FC61000-memory.dmp
memory/1948-83-0x000000013FC20000-0x000000013FF71000-memory.dmp
C:\Windows\system\bkGdnjG.exe
| MD5 | 6c4bdb7131e3c2018164b777b870c2c4 |
| SHA1 | d34a002973f368417b1323291d8054a2b03d0a2d |
| SHA256 | e070fca12ec6c5d637ff86152d88e70bbe1793cc74c0ebf38a00caed18ffc435 |
| SHA512 | 0847434ce570b7ac4b5d0ecfd9f3cd2d8979ae94522d0682b3e7cac06a611235ff9cb411f2f276cd8c2e680c4f4b08078014e4133499c14e22f522faabb3b60e |
memory/2224-61-0x000000013F590000-0x000000013F8E1000-memory.dmp
C:\Windows\system\hUCsPuQ.exe
| MD5 | 81b64fbd165684732d01d45e50e5197e |
| SHA1 | 005a2c57812dafef3ccfb44f17777b4fffd523d8 |
| SHA256 | add029a26dc423e56f183e7b34a6a6c7473f311fa72051d36b3a7ee67564896e |
| SHA512 | 6af4ab26a21d99f00b454df55626fe8990802102d4acb1d9e670ea856c990774c58886e777499f89e63e50ec6b7ecd6879570b72a6af7bd1781e1adab3cfaca5 |
C:\Windows\system\RzmGEDq.exe
| MD5 | 3a85a50be704a066db3bc725035f452b |
| SHA1 | eb77c3ac92116ba782880165ad682b53f4e46e1e |
| SHA256 | ef53855d78f23e6280fcec8ab8aff53c543b9d3b443427ca83d3b8c2cb5f11da |
| SHA512 | 54eb91188b6dbfeaede33a85d6fc186de76cd2e38dbb78d7ad42c7e5c023d1a5358cdda5a3fff826fd1ca94049bab41d24b310de2b3a8f8adb0e118e52ecbb5b |
C:\Windows\system\fPRYZLN.exe
| MD5 | d54b460bdcfa8b71094fb03215bbd7a1 |
| SHA1 | 7f52a5670ee4ece55c767ad46b275b09fab66bc0 |
| SHA256 | bf1a8c7ee76ff6794dee13b0e6248e04e1f8825beae58b8b4c523776768b06d1 |
| SHA512 | 07f5bdce4dd90e9c5a4aa79984c77d426887a06d48758c23d593d7a8ca6f587d4cba8837e2d94bcabc275d30eb5f7a7b87eb4f0e178d259c1433d7de4ff80958 |
C:\Windows\system\xfyBEMO.exe
| MD5 | 444918270c46ff2f0ec14e529f5d9e6b |
| SHA1 | d231352494976d43e464a3d8586d59e0ff5dbbf5 |
| SHA256 | 7cfae6907c82d82ec9bc23fe29de094051a12dc8329add61129d6aa9fd4d7cb9 |
| SHA512 | 151c2e16afdc6951adabd4c9308f2c7d8d174e7233c6a6a22735b5730a3bc660c943d5b644c48c70651321917a9272fa0b3502313b10907cae048704562bc67c |
C:\Windows\system\YQOqzYI.exe
| MD5 | 64121f80d451c5a87a278d0a7e3164f7 |
| SHA1 | 74ae04cfdc07c5af5df554ddff7a3eb6c3e2df82 |
| SHA256 | 42a7456ff3aa506659ec86789c35c93565a5055fbf09abd365dbd1be933dffc3 |
| SHA512 | 373121d459209d9f695e871d521fa7ba3532f31bb2a787075cda65ec36379ca9cd2b314557b248a470b295dbe0f5a9605eb1ffba4447dd258e75005363752d6a |
\Windows\system\xnDAVat.exe
| MD5 | bcdeca127a8a72259ce0fe60a3b1096c |
| SHA1 | ef117fd771eee2a1c85b9e0ccd8b755dcc3281b3 |
| SHA256 | 9520b6e1252637665782259827a2d6246f9b324ad0530f7d2e61d7a8c61c57bb |
| SHA512 | d7dff5eac2caf730110be031be6fdfaa6d9796d0451f0ed0023b795d377ae9737e2bf6302115dc3bf87f86658323d0378b0fef78af9b1e01dd2ddfe9591d0bd5 |
C:\Windows\system\LvhHQzc.exe
| MD5 | de4204d96f3c40fa70a1a0a31c9c97c7 |
| SHA1 | 5a69b22faedac3203222f9ec758ac97a69250b36 |
| SHA256 | 0097509158c920e819088bbb3d53e7ed529be559d49d4dac14e37a5fd9f6936e |
| SHA512 | 96384aac4e1bc1076f40c3cf8173cc39c79d2a213fc308e7f6595a50e28edf5556ef75f2f85801c82513ee03ad41c1d0706dd1fc81d872efd48f73df4093d0fc |
C:\Windows\system\xAJuAyn.exe
| MD5 | ef2ae1b34d67d0ee8ffb14024fbe2583 |
| SHA1 | 0af41358aa2004d67caadd8803e6b4424d3c6156 |
| SHA256 | 10063ed5f10e581bd71aa09d2fc2e82bc3daa24d574b899ba81cebd50ca4ba5d |
| SHA512 | 1e469cec6ff030a594db9ad729b1be33ecd32bef459ca5f70e80dadcfa03760140ef42d4896ed00a04fe90aff3863f56a8416a8d612fba2286eaa3b505cce60c |
memory/2224-106-0x0000000002370000-0x00000000026C1000-memory.dmp
memory/2224-105-0x000000013F910000-0x000000013FC61000-memory.dmp
memory/844-102-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/2224-98-0x0000000002370000-0x00000000026C1000-memory.dmp
memory/360-140-0x000000013F910000-0x000000013FC61000-memory.dmp
memory/1612-97-0x000000013F590000-0x000000013F8E1000-memory.dmp
memory/1604-93-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/2224-92-0x000000013F590000-0x000000013F8E1000-memory.dmp
memory/2932-91-0x000000013F490000-0x000000013F7E1000-memory.dmp
C:\Windows\system\IOmtonY.exe
| MD5 | 830fe606d05c011f2dcc2a5d5ef8bbfb |
| SHA1 | 3025b27c8cea16fdc7664f16d83559e449f02ba8 |
| SHA256 | 44bb79b48862c5b4add57fbf923f526d038415ab37618e1377dfbda5611688b9 |
| SHA512 | d2584c55124503017f83a35c7e277719ebadc014d32dd4812bd9a447ad9a4100a457273d22cc1d73a90f7aa395d81288c67f445e8827ec640983160897f7de6a |
memory/2224-88-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/2224-87-0x0000000002370000-0x00000000026C1000-memory.dmp
memory/1488-141-0x000000013F800000-0x000000013FB51000-memory.dmp
memory/1948-142-0x000000013FC20000-0x000000013FF71000-memory.dmp
memory/2224-144-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/2224-145-0x000000013FE90000-0x00000001401E1000-memory.dmp
memory/1604-149-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/2224-155-0x0000000002370000-0x00000000026C1000-memory.dmp
memory/1488-158-0x000000013F800000-0x000000013FB51000-memory.dmp
memory/844-160-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/2928-166-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/2912-167-0x000000013F9C0000-0x000000013FD11000-memory.dmp
memory/2904-165-0x000000013F4A0000-0x000000013F7F1000-memory.dmp
memory/2772-163-0x000000013FC30000-0x000000013FF81000-memory.dmp
memory/2356-164-0x000000013FB60000-0x000000013FEB1000-memory.dmp
memory/940-168-0x000000013FB90000-0x000000013FEE1000-memory.dmp
memory/3004-169-0x000000013FC30000-0x000000013FF81000-memory.dmp
memory/2224-170-0x000000013FE90000-0x00000001401E1000-memory.dmp
memory/2432-221-0x000000013FB60000-0x000000013FEB1000-memory.dmp
memory/2740-223-0x000000013F2E0000-0x000000013F631000-memory.dmp
memory/1928-225-0x000000013F0A0000-0x000000013F3F1000-memory.dmp
memory/2988-227-0x000000013FEB0000-0x0000000140201000-memory.dmp
memory/2808-232-0x000000013F060000-0x000000013F3B1000-memory.dmp
memory/2824-234-0x000000013FA80000-0x000000013FDD1000-memory.dmp
memory/2932-238-0x000000013F490000-0x000000013F7E1000-memory.dmp
memory/2652-237-0x000000013FCC0000-0x0000000140011000-memory.dmp
memory/1612-244-0x000000013F590000-0x000000013F8E1000-memory.dmp
memory/360-246-0x000000013F910000-0x000000013FC61000-memory.dmp
memory/1948-248-0x000000013FC20000-0x000000013FF71000-memory.dmp
memory/1604-259-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/844-261-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/1488-270-0x000000013F800000-0x000000013FB51000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted: 2024-08-15 10:47
Reported: 2024-08-15 10:50
Platform: win10v2004-20240802-en
Max time kernel: 140s
Max time network: 148s
Command Line
Signatures
Cobalt Strike reflective loader: 21 hits (description, indicator, process and target not captured in this export)
Cobaltstrike
xmrig
XMRig Miner payload: 44 hits (details not captured)
Executes dropped EXE: 21 processes, all under C:\Windows\System\ (description, indicator and target not captured)
icuvtEB.exe, ELRIjCN.exe, BwsPaEr.exe, EilvOVR.exe, gexnndi.exe, mZBgisT.exe, awaVaKx.exe, hEjlGEY.exe, ebbPaoh.exe, nbHewlH.exe, tkTnwvA.exe, bkGdnjG.exe, hUCsPuQ.exe, IOmtonY.exe, xAJuAyn.exe, RzmGEDq.exe, LvhHQzc.exe, fPRYZLN.exe, xfyBEMO.exe, YQOqzYI.exe, xnDAVat.exe
UPX packed file: 64 hits (details not captured)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-15_6c5862dd6742b207080c3bf04987ed32_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\icuvtEB.exe
C:\Windows\System\icuvtEB.exe
C:\Windows\System\ELRIjCN.exe
C:\Windows\System\ELRIjCN.exe
C:\Windows\System\BwsPaEr.exe
C:\Windows\System\BwsPaEr.exe
C:\Windows\System\EilvOVR.exe
C:\Windows\System\EilvOVR.exe
C:\Windows\System\gexnndi.exe
C:\Windows\System\gexnndi.exe
C:\Windows\System\mZBgisT.exe
C:\Windows\System\mZBgisT.exe
C:\Windows\System\awaVaKx.exe
C:\Windows\System\awaVaKx.exe
C:\Windows\System\hEjlGEY.exe
C:\Windows\System\hEjlGEY.exe
C:\Windows\System\nbHewlH.exe
C:\Windows\System\nbHewlH.exe
C:\Windows\System\ebbPaoh.exe
C:\Windows\System\ebbPaoh.exe
C:\Windows\System\tkTnwvA.exe
C:\Windows\System\tkTnwvA.exe
C:\Windows\System\bkGdnjG.exe
C:\Windows\System\bkGdnjG.exe
C:\Windows\System\IOmtonY.exe
C:\Windows\System\IOmtonY.exe
C:\Windows\System\hUCsPuQ.exe
C:\Windows\System\hUCsPuQ.exe
C:\Windows\System\xAJuAyn.exe
C:\Windows\System\xAJuAyn.exe
C:\Windows\System\RzmGEDq.exe
C:\Windows\System\RzmGEDq.exe
C:\Windows\System\LvhHQzc.exe
C:\Windows\System\LvhHQzc.exe
C:\Windows\System\fPRYZLN.exe
C:\Windows\System\fPRYZLN.exe
C:\Windows\System\xfyBEMO.exe
C:\Windows\System\xfyBEMO.exe
C:\Windows\System\YQOqzYI.exe
C:\Windows\System\YQOqzYI.exe
C:\Windows\System\xnDAVat.exe
C:\Windows\System\xnDAVat.exe
Network
| Country | Destination | Domain | Proto | Count |
| DE | 3.120.209.58:8080 | | tcp | 6 |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | g.bing.com | udp | 1 |
| US | 204.79.197.237:443 | g.bing.com | tcp | 1 |
| US | 52.111.229.43:443 | | tcp | 1 |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp | 1 |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp | 5 |
Only 3.120.209.58:8080 also appears in the Win7 detonation; the 8.8.8.8 reverse lookups, the bing.com/bing.net traffic and 52.111.229.43 (Microsoft address space) are consistent with Windows 10 background activity in the sandbox image rather than with the sample.
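The Win10 run adds DNS and HTTPS traffic that the Win7 run lacks: reverse lookups via 8.8.8.8 for the sandbox's own destinations (237.197.79.204.in-addr.arpa is 204.79.197.237, the g.bing.com address in the same table), bing.com/bing.net fetches, and 52.111.229.43:443 in Microsoft's 52.96.0.0/12 block. The one destination present in both runs is 3.120.209.58:8080 over TCP, an AWS address whose DE tag is consistent with the Frankfurt region. The added example below is not part of the report: it transcribes (abridged) both network tables in the page's own pipe layout, repairs the rows whose protocol slid into the Domain column, discards background traffic under rules that are this example's own assumptions about the sandbox image, and keeps the destinations seen in every detonation; the Suricata rule it emits takes its sid from the caller.

```python
from collections import defaultdict

# Abridged transcription of this report's two network tables, kept in the
# page's own pipe layout, including rows whose protocol slid one column left.
WIN7_TABLE = """
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp |
"""
WIN10_TABLE = """
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| US | 52.111.229.43:443 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp |
"""

PROTOS = {"tcp", "udp"}
# Background rules are this example's assumptions about the sandbox image.
BENIGN_SUFFIXES = (".bing.com", ".bing.net")
BENIGN_IPS = {"52.111.229.43"}  # Microsoft 52.96.0.0/12, OS telemetry


def parse_rows(table):
    """Return (country, destination, domain, proto) tuples, repairing rows
    whose protocol landed in the Domain column."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        cells = [c for c in cells if c]
        if len(cells) == 3 and cells[2].lower() in PROTOS:
            cells.insert(2, "")  # empty Domain cell was dropped by the export
        if len(cells) != 4:
            raise ValueError("unparseable row: %r" % line)
        rows.append(tuple(cells))
    return rows


def is_background(dest, domain):
    ip, port = dest.rsplit(":", 1)
    if port == "53" and domain.endswith(".in-addr.arpa"):
        return True  # reverse lookups the OS makes for its own connections
    return domain.endswith(BENIGN_SUFFIXES) or ip in BENIGN_IPS


def triage(runs):
    """runs: {run_name: table_text}. Returns non-background destinations with
    per-run hit counts, flagging those seen in every detonation."""
    hits = defaultdict(lambda: defaultdict(int))
    noise = set()
    for run, table in runs.items():
        for _country, dest, domain, _proto in parse_rows(table):
            if is_background(dest, domain):
                noise.add((dest, domain))
            else:
                hits[dest][run] += 1
    candidates = [{"dest": d, "per_run": dict(c), "in_all_runs": len(c) == len(runs)}
                  for d, c in hits.items()]
    return {"candidates": candidates, "noise": sorted(noise)}


def suricata_rule(dest, sid):
    """Minimal Suricata rule for a confirmed C2 socket; sid is the caller's
    choice from their local range."""
    ip, port = dest.rsplit(":", 1)
    return ('alert tcp $HOME_NET any -> %s %s (msg:"Sandbox-confirmed C2 contact"; '
            'flow:to_server; classtype:trojan-activity; sid:%d; rev:1;)' % (ip, port, sid))


if __name__ == "__main__":
    result = triage({"win7": WIN7_TABLE, "win10": WIN10_TABLE})
    for c in result["candidates"]:
        if c["in_all_runs"]:
            print(c["dest"], c["per_run"])
            print(suricata_rule(c["dest"], 1000001))
```

Requiring a destination to appear in every detonation is what separates the C2 from one-off platform chatter; a sample that only beacons on one OS version would need the rule relaxed, with the background filter doing the work alone.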
Files
memory/4812-0-0x00007FF6E92D0000-0x00007FF6E9621000-memory.dmp
memory/4812-1-0x000001D25A100000-0x000001D25A110000-memory.dmp
memory/2792-7-0x00007FF7CAF50000-0x00007FF7CB2A1000-memory.dmp
C:\Windows\System\BwsPaEr.exe
| MD5 | ac5cd9e20d3edd3f969f47206521cb6e |
| SHA1 | f4894a2035e61fe9d3f0fe3ec4641e5a2c565b52 |
| SHA256 | 9b6c389ec15938152b07c7f67d59249644607ff70d42edf9ae23fb1a3d90a6a5 |
| SHA512 | e872d5e0ac26a0b4c17cae90bb6366e2e92633dab84d91f1eee91b4b195c72764fbaadbbb707c199f61ce43764557db6d2733f3dd1f80fa277248dbaf71f4edf |
C:\Windows\System\ELRIjCN.exe
| MD5 | 4a16f39f2ac4c032e01b9a991a609519 |
| SHA1 | d25d49fc7a02e62caf114f93d5730911a53d0f72 |
| SHA256 | 2fb3965043659737311b4b7945ec37775a965bc9ebadf9c46428981a20c9f306 |
| SHA512 | a226321c39148e4228d95def038af65dbfb893739d2eee3a9730fc95a55ba6e352c571c1c23690a938bb56f348c23f1fbe82739e3f3af6229bc9e13cc95abc65 |
memory/4772-12-0x00007FF63DE30000-0x00007FF63E181000-memory.dmp
C:\Windows\System\icuvtEB.exe
| MD5 | bdd0fd3cf38024d1f624800375ca484b |
| SHA1 | 95eb522f386bf38107493a6f0d0668035b959d37 |
| SHA256 | c5fae26d5281e458d272e52a377509cd0dfe4e0cdade69f61be2df8f0f60c407 |
| SHA512 | 47876e15c469c16320ec9bd583cffc2dbfe09300b092169a91e83e1c4ccfed8732b8b3e1e80b9b5562db890ae6c1141c7ffd9d9365c64ffe98fa040bace2d4a0 |
memory/5016-18-0x00007FF69AFA0000-0x00007FF69B2F1000-memory.dmp
C:\Windows\System\EilvOVR.exe
| MD5 | b5d42630ba95d1b8aa4fa881e6edc768 |
| SHA1 | 8fd6d7eb3ceba5137e2d7f77f98d82a71db6020f |
| SHA256 | d697bb3f70a103775a14f986e4d377078bf0979e7445fcb2283f743f3b95f41b |
| SHA512 | f85a5e672d8892d8ad6f6933f09ef2a3d838ef33d72ef27ebafc612507831b5a1a89d0742200678e881367f82918874ee1338ac76d7f5c9ae25c6ad73777a9b0 |
C:\Windows\System\hEjlGEY.exe
| MD5 | 3869418ed38a45742f7c08703bc118b2 |
| SHA1 | b644df3a7e279c6b1ed7dd46fc0a108972d20e69 |
| SHA256 | 591adf3c7b144f80b3858ea126eaeaa17aa72b79577b9ab44f9e7cfa74d8f8cf |
| SHA512 | c71261d4ee1c98dd97f2b36896b98235b963c2cbcedd7588ad74ebb0bf21a6c30bb3cd847fb7f986afa1d8d2969b2ed0d669ed15e4cf123869aa3500f8484f88 |
C:\Windows\System\ebbPaoh.exe
| MD5 | 7d3fa332b54aaf81b690a810491712a9 |
| SHA1 | b78e0ba335ce3bdaaea23cb7b8ecb00b4307d173 |
| SHA256 | 552fb694d1161d8dddd90c26a148d72118063cd81ef7e00e28ae44b09ae690bc |
| SHA512 | 869967c4f67d47884156a24695e061b11d3b209c816573af334e3eb346f795488fc5783142b29a87cd189a1ddc22ebf199d1bbd95bca71ff5f4e705a0ea26c0c |
C:\Windows\System\nbHewlH.exe
| MD5 | 435fe85978728c72a4fb32b5e23ccc9a |
| SHA1 | fdd044dc6365cb533aeb406235026d5100ceab52 |
| SHA256 | b097f0e813eead32a76078634d363f7a6b6dc090012de2497b64017501854b67 |
| SHA512 | e59c621162e43911324c5a466ccac51c118ffa326ec60a86b148d0b819f1657ade53511ce89e3663ffcf5842b0a98265a08779f510f7daffb40d3d3866e868e9 |
C:\Windows\System\hUCsPuQ.exe
| MD5 | 81b64fbd165684732d01d45e50e5197e |
| SHA1 | 005a2c57812dafef3ccfb44f17777b4fffd523d8 |
| SHA256 | add029a26dc423e56f183e7b34a6a6c7473f311fa72051d36b3a7ee67564896e |
| SHA512 | 6af4ab26a21d99f00b454df55626fe8990802102d4acb1d9e670ea856c990774c58886e777499f89e63e50ec6b7ecd6879570b72a6af7bd1781e1adab3cfaca5 |
C:\Windows\System\LvhHQzc.exe
| MD5 | de4204d96f3c40fa70a1a0a31c9c97c7 |
| SHA1 | 5a69b22faedac3203222f9ec758ac97a69250b36 |
| SHA256 | 0097509158c920e819088bbb3d53e7ed529be559d49d4dac14e37a5fd9f6936e |
| SHA512 | 96384aac4e1bc1076f40c3cf8173cc39c79d2a213fc308e7f6595a50e28edf5556ef75f2f85801c82513ee03ad41c1d0706dd1fc81d872efd48f73df4093d0fc |
C:\Windows\System\xfyBEMO.exe
| MD5 | 444918270c46ff2f0ec14e529f5d9e6b |
| SHA1 | d231352494976d43e464a3d8586d59e0ff5dbbf5 |
| SHA256 | 7cfae6907c82d82ec9bc23fe29de094051a12dc8329add61129d6aa9fd4d7cb9 |
| SHA512 | 151c2e16afdc6951adabd4c9308f2c7d8d174e7233c6a6a22735b5730a3bc660c943d5b644c48c70651321917a9272fa0b3502313b10907cae048704562bc67c |
memory/3916-123-0x00007FF696E40000-0x00007FF697191000-memory.dmp
memory/2872-127-0x00007FF75A240000-0x00007FF75A591000-memory.dmp
memory/1440-126-0x00007FF6B5940000-0x00007FF6B5C91000-memory.dmp
memory/4036-125-0x00007FF696D00000-0x00007FF697051000-memory.dmp
memory/4040-124-0x00007FF76D980000-0x00007FF76DCD1000-memory.dmp
C:\Windows\System\fPRYZLN.exe
| MD5 | d54b460bdcfa8b71094fb03215bbd7a1 |
| SHA1 | 7f52a5670ee4ece55c767ad46b275b09fab66bc0 |
| SHA256 | bf1a8c7ee76ff6794dee13b0e6248e04e1f8825beae58b8b4c523776768b06d1 |
| SHA512 | 07f5bdce4dd90e9c5a4aa79984c77d426887a06d48758c23d593d7a8ca6f587d4cba8837e2d94bcabc275d30eb5f7a7b87eb4f0e178d259c1433d7de4ff80958 |
C:\Windows\System\xnDAVat.exe
| MD5 | bcdeca127a8a72259ce0fe60a3b1096c |
| SHA1 | ef117fd771eee2a1c85b9e0ccd8b755dcc3281b3 |
| SHA256 | 9520b6e1252637665782259827a2d6246f9b324ad0530f7d2e61d7a8c61c57bb |
| SHA512 | d7dff5eac2caf730110be031be6fdfaa6d9796d0451f0ed0023b795d377ae9737e2bf6302115dc3bf87f86658323d0378b0fef78af9b1e01dd2ddfe9591d0bd5 |
memory/3588-118-0x00007FF610180000-0x00007FF6104D1000-memory.dmp
memory/3416-117-0x00007FF604FC0000-0x00007FF605311000-memory.dmp
C:\Windows\System\YQOqzYI.exe
| MD5 | 64121f80d451c5a87a278d0a7e3164f7 |
| SHA1 | 74ae04cfdc07c5af5df554ddff7a3eb6c3e2df82 |
| SHA256 | 42a7456ff3aa506659ec86789c35c93565a5055fbf09abd365dbd1be933dffc3 |
| SHA512 | 373121d459209d9f695e871d521fa7ba3532f31bb2a787075cda65ec36379ca9cd2b314557b248a470b295dbe0f5a9605eb1ffba4447dd258e75005363752d6a |
memory/4284-110-0x00007FF7F1DA0000-0x00007FF7F20F1000-memory.dmp
C:\Windows\System\xAJuAyn.exe
| MD5 | ef2ae1b34d67d0ee8ffb14024fbe2583 |
| SHA1 | 0af41358aa2004d67caadd8803e6b4424d3c6156 |
| SHA256 | 10063ed5f10e581bd71aa09d2fc2e82bc3daa24d574b899ba81cebd50ca4ba5d |
| SHA512 | 1e469cec6ff030a594db9ad729b1be33ecd32bef459ca5f70e80dadcfa03760140ef42d4896ed00a04fe90aff3863f56a8416a8d612fba2286eaa3b505cce60c |
C:\Windows\System\IOmtonY.exe
| MD5 | 830fe606d05c011f2dcc2a5d5ef8bbfb |
| SHA1 | 3025b27c8cea16fdc7664f16d83559e449f02ba8 |
| SHA256 | 44bb79b48862c5b4add57fbf923f526d038415ab37618e1377dfbda5611688b9 |
| SHA512 | d2584c55124503017f83a35c7e277719ebadc014d32dd4812bd9a447ad9a4100a457273d22cc1d73a90f7aa395d81288c67f445e8827ec640983160897f7de6a |
memory/5000-100-0x00007FF72FC80000-0x00007FF72FFD1000-memory.dmp
C:\Windows\System\RzmGEDq.exe
| MD5 | 3a85a50be704a066db3bc725035f452b |
| SHA1 | eb77c3ac92116ba782880165ad682b53f4e46e1e |
| SHA256 | ef53855d78f23e6280fcec8ab8aff53c543b9d3b443427ca83d3b8c2cb5f11da |
| SHA512 | 54eb91188b6dbfeaede33a85d6fc186de76cd2e38dbb78d7ad42c7e5c023d1a5358cdda5a3fff826fd1ca94049bab41d24b310de2b3a8f8adb0e118e52ecbb5b |
memory/1592-90-0x00007FF6C1C50000-0x00007FF6C1FA1000-memory.dmp
memory/2256-89-0x00007FF624150000-0x00007FF6244A1000-memory.dmp
C:\Windows\System\tkTnwvA.exe
| MD5 | 49e757dd81780cde3713ff6e84624032 |
| SHA1 | 7534e6025d490f21a211c83ca4a9a14bff49ed6c |
| SHA256 | 5f5559b89248ba0980c2cb218f6508be2553b332defe155a37708bc8a8b802eb |
| SHA512 | 63cadf2bf0d58c2d4aefd2c2ccaf5a6983cc7427d2c7a5604852d52ea3dc8c04541fec0396e35dab2afd656b89d95101d63117e2eec73f0ede423c51f38d2be6 |
C:\Windows\System\bkGdnjG.exe
| MD5 | 6c4bdb7131e3c2018164b777b870c2c4 |
| SHA1 | d34a002973f368417b1323291d8054a2b03d0a2d |
| SHA256 | e070fca12ec6c5d637ff86152d88e70bbe1793cc74c0ebf38a00caed18ffc435 |
| SHA512 | 0847434ce570b7ac4b5d0ecfd9f3cd2d8979ae94522d0682b3e7cac06a611235ff9cb411f2f276cd8c2e680c4f4b08078014e4133499c14e22f522faabb3b60e |
memory/3268-74-0x00007FF7473E0000-0x00007FF747731000-memory.dmp
memory/556-67-0x00007FF75AE10000-0x00007FF75B161000-memory.dmp
memory/3500-61-0x00007FF69A7F0000-0x00007FF69AB41000-memory.dmp
memory/4388-55-0x00007FF690A60000-0x00007FF690DB1000-memory.dmp
memory/2704-53-0x00007FF607D60000-0x00007FF6080B1000-memory.dmp
C:\Windows\System\awaVaKx.exe
| MD5 | 0b450a3f9ea0c2dea0c196b06ec42d3e |
| SHA1 | 1787646dcc46017a273a0777fe918b604c742f21 |
| SHA256 | 713bd4a8d0662a2f50396e4d52bb8b8b7932028e910bb37c7c90451379766f62 |
| SHA512 | 66af5adbce30a540ed191eb5f0c598e5111d955500713639f52a5bb4b514a8ae9cceceda16a302ab3fb004574a7b3fda018100a9f9ef52b652ccf4ee842d58aa |
C:\Windows\System\mZBgisT.exe
| MD5 | ef99a7d32c84a940e09098915a15bc10 |
| SHA1 | f420f73c53ebea9e5ed36b8aeed2a53a2215fe31 |
| SHA256 | 6166e37c7a996e7e7d57c39d997a65153d7bb543ff561b9a6f80b61873500c21 |
| SHA512 | 4a94d4e7f0cdb44a27606a7d63705221b0489244d3973b2e31350db1ae6248a7c98eb14b1db6efc37860d220b9247f6eac68de94f924ab3d1fc5c61e973750bf |
C:\Windows\System\gexnndi.exe
| MD5 | 27abdbb99f799fc5ff6032c8b4c7c6f3 |
| SHA1 | eb3b005b9e7a8dc4e189199edfaf1ec2810e1ca4 |
| SHA256 | 85ac7aabf5ee75188f77ff56e8af8184427bf5ab3dd5b8a38d86148f311eefbd |
| SHA512 | 086931e7795ae7eb48715f3d4ed467d542309729c61baaa6e9486d3c719083260e88bab5a8e8e2413edde68a78209d6614442405be291ff1da71fc27708ca71d |
memory/2228-38-0x00007FF7D1720000-0x00007FF7D1A71000-memory.dmp
memory/2636-33-0x00007FF777EA0000-0x00007FF7781F1000-memory.dmp
memory/4772-130-0x00007FF63DE30000-0x00007FF63E181000-memory.dmp
memory/5016-131-0x00007FF69AFA0000-0x00007FF69B2F1000-memory.dmp
memory/2792-129-0x00007FF7CAF50000-0x00007FF7CB2A1000-memory.dmp
memory/4812-128-0x00007FF6E92D0000-0x00007FF6E9621000-memory.dmp
memory/556-139-0x00007FF75AE10000-0x00007FF75B161000-memory.dmp
memory/2636-132-0x00007FF777EA0000-0x00007FF7781F1000-memory.dmp
memory/3500-138-0x00007FF69A7F0000-0x00007FF69AB41000-memory.dmp
memory/5000-143-0x00007FF72FC80000-0x00007FF72FFD1000-memory.dmp
memory/3416-146-0x00007FF604FC0000-0x00007FF605311000-memory.dmp
memory/4284-144-0x00007FF7F1DA0000-0x00007FF7F20F1000-memory.dmp
memory/2704-133-0x00007FF607D60000-0x00007FF6080B1000-memory.dmp
memory/2256-137-0x00007FF624150000-0x00007FF6244A1000-memory.dmp
memory/2228-134-0x00007FF7D1720000-0x00007FF7D1A71000-memory.dmp
memory/4812-150-0x00007FF6E92D0000-0x00007FF6E9621000-memory.dmp
memory/2792-199-0x00007FF7CAF50000-0x00007FF7CB2A1000-memory.dmp
memory/4772-201-0x00007FF63DE30000-0x00007FF63E181000-memory.dmp
memory/5016-217-0x00007FF69AFA0000-0x00007FF69B2F1000-memory.dmp
memory/2636-219-0x00007FF777EA0000-0x00007FF7781F1000-memory.dmp
memory/2704-221-0x00007FF607D60000-0x00007FF6080B1000-memory.dmp
memory/4388-224-0x00007FF690A60000-0x00007FF690DB1000-memory.dmp
memory/2228-225-0x00007FF7D1720000-0x00007FF7D1A71000-memory.dmp
memory/3268-227-0x00007FF7473E0000-0x00007FF747731000-memory.dmp
memory/3500-237-0x00007FF69A7F0000-0x00007FF69AB41000-memory.dmp
memory/556-233-0x00007FF75AE10000-0x00007FF75B161000-memory.dmp
memory/2256-236-0x00007FF624150000-0x00007FF6244A1000-memory.dmp
memory/1592-239-0x00007FF6C1C50000-0x00007FF6C1FA1000-memory.dmp
memory/1440-246-0x00007FF6B5940000-0x00007FF6B5C91000-memory.dmp
memory/4040-255-0x00007FF76D980000-0x00007FF76DCD1000-memory.dmp
memory/3588-257-0x00007FF610180000-0x00007FF6104D1000-memory.dmp
memory/4284-254-0x00007FF7F1DA0000-0x00007FF7F20F1000-memory.dmp
memory/4036-252-0x00007FF696D00000-0x00007FF697051000-memory.dmp
memory/5000-250-0x00007FF72FC80000-0x00007FF72FFD1000-memory.dmp
memory/2872-247-0x00007FF75A240000-0x00007FF75A591000-memory.dmp
memory/3416-242-0x00007FF604FC0000-0x00007FF605311000-memory.dmp
memory/3916-243-0x00007FF696E40000-0x00007FF697191000-memory.dmp
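The listing above is raw sandbox output: each dropped executable under C:\Windows\System is followed by its MD5/SHA1/SHA256/SHA512 rows, and each `memory/<pid>-<n>-<start>-<end>-memory.dmp` name records a region the sandbox captured from a process (the middle number is taken here as the capture order). Before these go into a blocklist or a hunt they should be parsed and sanity-checked rather than copied by hand. The Python below is an added example, not code from this report or from the sandbox vendor; it parses a handful of lines copied verbatim from the listing plus one constructed, deliberately truncated SHA1 row, validates digest lengths, and computes the size of every captured region. The function and class names are this example's own.

```python
"""Parse dropped-file hash rows and memory-region names from a sandbox report.

Added example, not code from the report or its sandbox vendor. The sample
input is a few lines copied from the listing plus one constructed malformed
row; parse_report, region_size_histogram and pids_with_recaptures are this
example's own names.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

# Expected hex-digit length of each digest the report prints.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.exe$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp ; <seq> assumed to be capture order.
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)


@dataclass(frozen=True)
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_report(lines):
    """Return (dropped_files, memory_regions, errors) for the given report lines."""
    files, regions, errors = [], [], []
    current = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = DroppedFile(path=line)
            files.append(current)
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                errors.append(f"hash row before any file path: {line}")
            elif len(digest) != HASH_LENGTHS[algo]:
                errors.append(f"{current.path}: {algo} is {len(digest)} hex chars, "
                              f"expected {HASH_LENGTHS[algo]}")
            else:
                current.hashes[algo] = digest
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            region = MemoryRegion(int(pid), int(seq), int(start, 16), int(end, 16))
            if region.size <= 0:
                errors.append(f"region with non-positive size: {line}")
            else:
                regions.append(region)
            continue
        errors.append(f"unrecognised line: {line}")
    return files, regions, errors


def region_size_histogram(regions):
    """Map region size (bytes) -> number of captures with that size."""
    return Counter(r.size for r in regions)


def pids_with_recaptures(regions):
    """PIDs whose identical region bounds were dumped more than once."""
    counts = Counter((r.pid, r.start, r.end) for r in regions)
    return sorted({pid for (pid, _, _), n in counts.items() if n > 1})


# Constructed sample: lines copied from the listing, plus one truncated SHA1 row.
SAMPLE = r"""
C:\Windows\System\ebbPaoh.exe
| MD5 | 7d3fa332b54aaf81b690a810491712a9 |
| SHA1 | b78e0ba335ce3bdaaea23cb7b8ecb00b4307d173 |
| SHA256 | 552fb694d1161d8dddd90c26a148d72118063cd81ef7e00e28ae44b09ae690bc |
| SHA512 | 869967c4f67d47884156a24695e061b11d3b209c816573af334e3eb346f795488fc5783142b29a87cd189a1ddc22ebf199d1bbd95bca71ff5f4e705a0ea26c0c |
C:\Windows\System\nbHewlH.exe
| MD5 | 435fe85978728c72a4fb32b5e23ccc9a |
| SHA1 | deadbeef |
| SHA256 | b097f0e813eead32a76078634d363f7a6b6dc090012de2497b64017501854b67 |
memory/3916-123-0x00007FF696E40000-0x00007FF697191000-memory.dmp
memory/2872-127-0x00007FF75A240000-0x00007FF75A591000-memory.dmp
memory/3916-243-0x00007FF696E40000-0x00007FF697191000-memory.dmp
"""

if __name__ == "__main__":
    files, regions, errors = parse_report(SAMPLE.splitlines())
    for f in files:
        print(f.path, f.hashes.get("SHA256"))
    print({hex(k): v for k, v in region_size_histogram(regions).items()})
    print("re-captured PIDs:", pids_with_recaptures(regions))
    print("errors:", errors)
```

Every region in the listing spans 0x351000 bytes. One size repeated across that many PIDs usually means the same PE image, or images sharing one layout, was executed again and again; the differing hashes on the dropped files show they are not byte-identical, so treat the size as a triage hint rather than proof of identity. A PID that appears twice with the same bounds and a later sequence number (3916 in the sample) is a re-capture of an existing region, not new activity, and the malformed digest is rejected rather than silently shortened into a blocklist entry that would never match.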