Analysis Overview
SHA256
a4d3c52ddd999983d3962eeed98a8d5e9f0b1ca6b24ea4b8b462c74a2ad329c1
Threat Level: Known bad
The file 2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
XMRig Miner payload
Xmrig family
xmrig
Cobaltstrike family
Cobaltstrike
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-15 10:49
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 10:49
Reported
2024-08-15 10:52
Platform
win7-20240705-en
Max time kernel
140s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\AYeHzDR.exe | N/A |
| N/A | N/A | C:\Windows\System\wysoCwX.exe | N/A |
| N/A | N/A | C:\Windows\System\faMitaO.exe | N/A |
| N/A | N/A | C:\Windows\System\pJHOVsi.exe | N/A |
| N/A | N/A | C:\Windows\System\vfvHyCy.exe | N/A |
| N/A | N/A | C:\Windows\System\ZgZixCE.exe | N/A |
| N/A | N/A | C:\Windows\System\LZJGxNM.exe | N/A |
| N/A | N/A | C:\Windows\System\VjCoEtv.exe | N/A |
| N/A | N/A | C:\Windows\System\pOcBcUN.exe | N/A |
| N/A | N/A | C:\Windows\System\VmUNgiJ.exe | N/A |
| N/A | N/A | C:\Windows\System\xFAtEaN.exe | N/A |
| N/A | N/A | C:\Windows\System\JRAApjQ.exe | N/A |
| N/A | N/A | C:\Windows\System\nUMKkit.exe | N/A |
| N/A | N/A | C:\Windows\System\QyJJJdq.exe | N/A |
| N/A | N/A | C:\Windows\System\gmXhzCI.exe | N/A |
| N/A | N/A | C:\Windows\System\rHKaQVk.exe | N/A |
| N/A | N/A | C:\Windows\System\RyLLpyy.exe | N/A |
| N/A | N/A | C:\Windows\System\IAqyVZX.exe | N/A |
| N/A | N/A | C:\Windows\System\qiwpHeM.exe | N/A |
| N/A | N/A | C:\Windows\System\lVsQShw.exe | N/A |
| N/A | N/A | C:\Windows\System\FKawCaX.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\AYeHzDR.exe
C:\Windows\System\AYeHzDR.exe
C:\Windows\System\wysoCwX.exe
C:\Windows\System\wysoCwX.exe
C:\Windows\System\faMitaO.exe
C:\Windows\System\faMitaO.exe
C:\Windows\System\vfvHyCy.exe
C:\Windows\System\vfvHyCy.exe
C:\Windows\System\pJHOVsi.exe
C:\Windows\System\pJHOVsi.exe
C:\Windows\System\ZgZixCE.exe
C:\Windows\System\ZgZixCE.exe
C:\Windows\System\LZJGxNM.exe
C:\Windows\System\LZJGxNM.exe
C:\Windows\System\VjCoEtv.exe
C:\Windows\System\VjCoEtv.exe
C:\Windows\System\pOcBcUN.exe
C:\Windows\System\pOcBcUN.exe
C:\Windows\System\nUMKkit.exe
C:\Windows\System\nUMKkit.exe
C:\Windows\System\VmUNgiJ.exe
C:\Windows\System\VmUNgiJ.exe
C:\Windows\System\QyJJJdq.exe
C:\Windows\System\QyJJJdq.exe
C:\Windows\System\xFAtEaN.exe
C:\Windows\System\xFAtEaN.exe
C:\Windows\System\gmXhzCI.exe
C:\Windows\System\gmXhzCI.exe
C:\Windows\System\JRAApjQ.exe
C:\Windows\System\JRAApjQ.exe
C:\Windows\System\rHKaQVk.exe
C:\Windows\System\rHKaQVk.exe
C:\Windows\System\RyLLpyy.exe
C:\Windows\System\RyLLpyy.exe
C:\Windows\System\IAqyVZX.exe
C:\Windows\System\IAqyVZX.exe
C:\Windows\System\qiwpHeM.exe
C:\Windows\System\qiwpHeM.exe
C:\Windows\System\lVsQShw.exe
C:\Windows\System\lVsQShw.exe
C:\Windows\System\FKawCaX.exe
C:\Windows\System\FKawCaX.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2668-0-0x000000013F690000-0x000000013F9E1000-memory.dmp
memory/2668-1-0x00000000001F0000-0x0000000000200000-memory.dmp
C:\Windows\system\AYeHzDR.exe
| MD5 | 0d8bbb300d21f10e26a9385fc822669f |
| SHA1 | 71380a854db3ef0f3a2405401dc5ba19f02da719 |
| SHA256 | da1778c1b6c5f4c5fa5b9688803ec3f16739af146c0a91d504b8c836319342fb |
| SHA512 | d061405e13308b789b6a9eebbc7ef81835af3c0566b6ccc972c5538974aaf445c84f43ab474f1a5d5e1f008f55a11966d47fd5808f4f8e44115b38a05c5fe189 |
C:\Windows\system\wysoCwX.exe
| MD5 | cc7920b36766e7b3e934e2024efaba92 |
| SHA1 | fced483b04ce955e9e13dbb7d8f739c20c382e39 |
| SHA256 | a93d310eb73488dc280e1e7d17739f6d2cb80aae7d351fac6a3abbebbd0cbebd |
| SHA512 | 62516c59d82f26d7a9c21adbb03fbf0e2cb18d6b0fe8ee65fadb441bdf1fe75a5a03766de38acc2fbf0a2529e0427583abba1bd5e28ac85550cfc4088553162e |
\Windows\system\faMitaO.exe
| MD5 | cca901924a28cdcb6718eb2201dcfa53 |
| SHA1 | 4fc47f8a59fc0b69b452ea304bc02f7dd946381e |
| SHA256 | e048cf52c4423a0f41eec500c280df610790e3419b807b4a1fb24af3ac9f309a |
| SHA512 | c5b76e2bde39e44ef09c1cd93f270ea2b9e49212a78298e8158a72d421db45a542b6fc1bf6bc8d0e45e56ec728ba37d9874337ae120bcce71057c87c1bf8d6f0 |
memory/2668-30-0x000000013FD40000-0x0000000140091000-memory.dmp
\Windows\system\vfvHyCy.exe
| MD5 | 5e6a13ecbcc32e82d2bd80c8f9df6220 |
| SHA1 | 98f5337c817df00fa8420ca86e38ec114d48891c |
| SHA256 | 90aa7680d804d61ee3ea69c7f82b77c5387eb8452f787e9088d71fad506c5bc1 |
| SHA512 | b48353b10f6c22120dd33b2a6eb33f78350cce6cdd009bff89611bdac53777a36af756705bae647be96bc33aa06c2c93c469b4b4bbf29c523cc368c641b9e9ad |
memory/2724-35-0x000000013FD40000-0x0000000140091000-memory.dmp
C:\Windows\system\ZgZixCE.exe
| MD5 | 870f5f42bf143e026ceacc68703a84c6 |
| SHA1 | ae4da4613ccbc9df59218be73c8007e4c6541d17 |
| SHA256 | 34129542df93d495418466426e2d05527cfd91cb3ec6578e970e4de688fe4b11 |
| SHA512 | 039572b0484ae23bdd45b7dadb1a581c70ddb79d6fd68e212088b95cface9423b98cf177bec198c36f8f0fac99106c7ae07f3e252b1643b2312457de9ec6cf4c |
memory/2636-49-0x000000013FAF0000-0x000000013FE41000-memory.dmp
C:\Windows\system\VjCoEtv.exe
| MD5 | 9ab2dbb3b7ce84257b07b34bdac52a4b |
| SHA1 | 7f69794850aab763ecb59de52e2a5f8f5c32044b |
| SHA256 | 48b7a43e11c7f82402658e897d1a68a3a1e9a0dccb8cbf13b9bc209fcc2b4208 |
| SHA512 | a14d778cbb23d82a078bba8a811d932bad54c55a7ca9be6b7ca910172935a1fff9df93fdb3ec489062055e0c9a57c09ddb0e6b24f97323a6b48252b7f6d1c34b |
memory/2852-55-0x000000013F570000-0x000000013F8C1000-memory.dmp
C:\Windows\system\IAqyVZX.exe
| MD5 | 8cd088bd4854424d44950ea018bee2c7 |
| SHA1 | 16680bfa407c391f7d59b20f01d2beaf3314bccb |
| SHA256 | f1ba3840d4c1bb002d91a491385766c3fd521f35cfa17c6397d9b2ac161fd5a1 |
| SHA512 | 96fa5f3d98f8719e2881a47978711c773a7cc77e9a334f3003748b719229d055f56b838bdd773da2dca0da3b1f98f236aafe7bc43fb0b0474c4c0abba0903028 |
C:\Windows\system\qiwpHeM.exe
| MD5 | 5f1d4ef5528569cefb88b9ca2e64aca9 |
| SHA1 | 10fdcbd261351c5c9601f23a99b4f634091c9edd |
| SHA256 | 69da8cd28316dcec7eae83b646ef3d39cc5664975a6607a1e02f83e7807968dd |
| SHA512 | 45bfb7ab6148d9fa09e2ec67d3c691fccbf67f281cd6765a71c52e92f76f8a7bbbe2cbde9306020d44193f6439c03e21b2eef94c4ebb6f3d2b73e88f26b644a8 |
C:\Windows\system\lVsQShw.exe
| MD5 | bb6d6ca03d790613ff68b52f5d5b8fe6 |
| SHA1 | cb538264147911fe925f98e833776f52f0ba0800 |
| SHA256 | d74b51f7dae139995dc97546b4d3d001c3384d1caac5c817d17e1155f2ed33af |
| SHA512 | 1908691184d5fd42c73451a2582f5737bd573880ca7c94f0a403d63862d204b956cadff92a213606fb77ba4e8a5942fb3126211805d914d0713669f0d766cf88 |
C:\Windows\system\FKawCaX.exe
| MD5 | a376bb3115028e9b58e2a627c08a5def |
| SHA1 | d78411a0ef2254c76f8defb7f3def68361b6236d |
| SHA256 | e19673e1ef1a7c000520eba4f3c2cb60598f193e72fcae286b078802418730a5 |
| SHA512 | 0b4a07b3ba00ee6ec193565a93f49cb2c2865bf71a21b3707e3660b89fc6ea7ed227707ca7f6cdce86d269746b3fa4a1a4eb00b5a2105c66624711098683d1af |
C:\Windows\system\RyLLpyy.exe
| MD5 | cbabee3c46e6376f06e6dc2417e8c21e |
| SHA1 | ed6335679d9d196634e1a7102d9a8a46bc843b17 |
| SHA256 | a68dc34719d44e2dc6be5bcf17f0dfcd8a69676d5046eecd8d6b38e0fc3f02e5 |
| SHA512 | 0b0c4b02b8bc942a55b511b628eaeff3ea62a50a71803fe2e08266afd9f1d91ba430c168871c65ec20450c7e0555f83e982d0a88115915694278d5c28abe01f4 |
C:\Windows\system\rHKaQVk.exe
| MD5 | d4207e35ec52896e787ef4bac2a5981d |
| SHA1 | e9474b770f66d32acbf4e0e8ff9074feb7ddf398 |
| SHA256 | 6a684a373b35abd1f71b72b344520fa809e9956f9d9a71766174be2d2a1fdee6 |
| SHA512 | 884af338e14469b8c7681799e6e8450667bff765b6c71f4c7680f2bec410da5255ed01a08adde58f70b747b68d703aab2e9600e359d72e55961359245b247778 |
C:\Windows\system\gmXhzCI.exe
| MD5 | cedba16e5f2e32888e313bad5d3b2a1b |
| SHA1 | ccf0d8b5e94e31c377442cc17ed04516fc5c85b9 |
| SHA256 | e2626a49bf1c6e1a3f4325f1685aabcb8c682394a9c69f04640513b2116d5cdb |
| SHA512 | 2511ff125705d446832725b3427ea8bdbc825a0e9ca54d519f989741652c64250985b2fcac090d4cd076e9ea99e0172f25605c7306186ab0b786679e208547dd |
memory/2568-134-0x000000013F820000-0x000000013FB71000-memory.dmp
C:\Windows\system\QyJJJdq.exe
| MD5 | 35940f904f1c6274cedda2537dc64e63 |
| SHA1 | 03bc8543586e2e085db74bead13dfa0f1631641c |
| SHA256 | 888b90d7487fd3b1bb89100e0967ebc89dead7561aaf1871250a1a16f46f8090 |
| SHA512 | 6034d47a38d9efb2ccd56d1f205c68a8eef361b1cf118f495b58533646064a8eff7ef302cf670316def6b6f4bf4a445152717bf4fa8e81106ba522ee19945510 |
C:\Windows\system\nUMKkit.exe
| MD5 | de4629eefd0499f763def91f7358078c |
| SHA1 | d23e1f9aac560b4afda4254d5d53c68103c8167f |
| SHA256 | 39a8255dbbd6ad18ce04a6dccb2ec06d0c3f7fe936a73df4fa19d4e4f8cc2a5e |
| SHA512 | a69ca675c79830aa90bc0d96bebf37a80ed9d00c20fffa16aa12d917f38ad4638bde18bf5b539faf66eb1cc836822be4ab68f4846d4fa1fab126a1853129b131 |
C:\Windows\system\VmUNgiJ.exe
| MD5 | a19ffc4da3bd714cc8fc4e62b9b52b14 |
| SHA1 | 0acf1b151ad199e52be799d8e38a458dd6dba1ba |
| SHA256 | 44de80d5da597e6b5cea58d0eceb5ab2250c9302ced98dc232c82c44d967d5ae |
| SHA512 | 25c5e58a92bee17d4887dee644c812acd9910cbceace7c5ee3c1541a9b70c74b2716ce95579806c769f9b71e151a3c9f65c1f2661fe528f5f7aee9cd5ab334cb |
memory/3020-64-0x000000013F130000-0x000000013F481000-memory.dmp
C:\Windows\system\JRAApjQ.exe
| MD5 | f35b68dedf86003f37d86055a9243969 |
| SHA1 | f29fe00c66703dc3e61bb4127de8408f033d12b6 |
| SHA256 | 9e1f5f485ac393a6c8b4ebe1d978f7ed7f935f45d1d8e30b2c2fe2e782a974dc |
| SHA512 | ca4818fc8a64547b55c84a5621b198cc3bbee937ea33ae4ac83e9d0fdf9b931cc220373bc68b39640c0f808258b0eb8c28c59eb142e26f93ebf03a2e0edbed5a |
C:\Windows\system\xFAtEaN.exe
| MD5 | eacce68997d5fb64a789fe11b1066f3e |
| SHA1 | b87af987b4d00a04578f6ac13e207a3758e30037 |
| SHA256 | 5e0b9fba3d4b824aec0e049f568c8ed03cc1d1a314c38fd89511436feacfe388 |
| SHA512 | 82085cbc49a9454a83b0b387ced568f130be81ec430fe6f636db4b4860914378af1f495482a1d1a44708369777b1a6205994a974ed6afe20f041aa5b6944730c |
memory/2988-76-0x000000013FC10000-0x000000013FF61000-memory.dmp
memory/2668-60-0x000000013F690000-0x000000013F9E1000-memory.dmp
C:\Windows\system\pOcBcUN.exe
| MD5 | e7674709920171155b74d55bdeb04194 |
| SHA1 | d68a284cdb082f5d71c0c98acd06cc6f3019bc33 |
| SHA256 | b0a8086b96f802f41e81cf98d83729fc474d4994289af798feee790c2a80c90f |
| SHA512 | 75560da7d83a8f8c0635beca25ff00fbc04d9b327244ff407e5a5dc915b7fd27df69a1d6dabdfb224de32dfd977ee1eda045cec999a5a0da7fff39f9b61cad56 |
memory/2568-40-0x000000013F820000-0x000000013FB71000-memory.dmp
memory/2668-39-0x0000000002240000-0x0000000002591000-memory.dmp
C:\Windows\system\LZJGxNM.exe
| MD5 | 6f5a9c06281d25d2b63f24257a6d0f1d |
| SHA1 | f20981fe93771f241f9dd2c2cadf7c4774ee1e79 |
| SHA256 | 9b08150ad0cf8d2628794e304927a2721f506c1d6a8a29a9c759df86d75e7c6f |
| SHA512 | dcfffbea0c97c8c33aea89fa2f9270b58e6d0017efafd32fc48b0af63199c476a9aac405d1d0cb66f78044017b530dde6211c8c170b27ab52304ce299b6035eb |
C:\Windows\system\pJHOVsi.exe
| MD5 | 69289ce35ff1c8a2b0a6a0a8e6816da2 |
| SHA1 | 6979e53dff5f6c77a1b452805cc40968095fe8ae |
| SHA256 | dca09c661fbd8acfe2df396a878b1c372f2b763bc010e5ba5595e352a5cc9d54 |
| SHA512 | 5f8e04e8053393ed2d6baa2536894d4262a58738b02946379d1dc152f91233cb74ff024e1d8a911c4570f2f3cf588413134eb3ffcdd1a42e76631f9aae4b9e55 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 10:49
Reported
2024-08-15 10:52
Platform
win10v2004-20240802-en
Max time kernel
140s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\AYeHzDR.exe | N/A |
| N/A | N/A | C:\Windows\System\wysoCwX.exe | N/A |
| N/A | N/A | C:\Windows\System\faMitaO.exe | N/A |
| N/A | N/A | C:\Windows\System\vfvHyCy.exe | N/A |
| N/A | N/A | C:\Windows\System\pJHOVsi.exe | N/A |
| N/A | N/A | C:\Windows\System\LZJGxNM.exe | N/A |
| N/A | N/A | C:\Windows\System\ZgZixCE.exe | N/A |
| N/A | N/A | C:\Windows\System\VjCoEtv.exe | N/A |
| N/A | N/A | C:\Windows\System\pOcBcUN.exe | N/A |
| N/A | N/A | C:\Windows\System\nUMKkit.exe | N/A |
| N/A | N/A | C:\Windows\System\VmUNgiJ.exe | N/A |
| N/A | N/A | C:\Windows\System\QyJJJdq.exe | N/A |
| N/A | N/A | C:\Windows\System\xFAtEaN.exe | N/A |
| N/A | N/A | C:\Windows\System\gmXhzCI.exe | N/A |
| N/A | N/A | C:\Windows\System\JRAApjQ.exe | N/A |
| N/A | N/A | C:\Windows\System\rHKaQVk.exe | N/A |
| N/A | N/A | C:\Windows\System\RyLLpyy.exe | N/A |
| N/A | N/A | C:\Windows\System\IAqyVZX.exe | N/A |
| N/A | N/A | C:\Windows\System\qiwpHeM.exe | N/A |
| N/A | N/A | C:\Windows\System\FKawCaX.exe | N/A |
| N/A | N/A | C:\Windows\System\lVsQShw.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-15_88455dbda7e54d7eecc1645585c9db25_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\AYeHzDR.exe
C:\Windows\System\AYeHzDR.exe
C:\Windows\System\wysoCwX.exe
C:\Windows\System\wysoCwX.exe
C:\Windows\System\faMitaO.exe
C:\Windows\System\faMitaO.exe
C:\Windows\System\vfvHyCy.exe
C:\Windows\System\vfvHyCy.exe
C:\Windows\System\pJHOVsi.exe
C:\Windows\System\pJHOVsi.exe
C:\Windows\System\ZgZixCE.exe
C:\Windows\System\ZgZixCE.exe
C:\Windows\System\LZJGxNM.exe
C:\Windows\System\LZJGxNM.exe
C:\Windows\System\VjCoEtv.exe
C:\Windows\System\VjCoEtv.exe
C:\Windows\System\pOcBcUN.exe
C:\Windows\System\pOcBcUN.exe
C:\Windows\System\nUMKkit.exe
C:\Windows\System\nUMKkit.exe
C:\Windows\System\VmUNgiJ.exe
C:\Windows\System\VmUNgiJ.exe
C:\Windows\System\QyJJJdq.exe
C:\Windows\System\QyJJJdq.exe
C:\Windows\System\xFAtEaN.exe
C:\Windows\System\xFAtEaN.exe
C:\Windows\System\gmXhzCI.exe
C:\Windows\System\gmXhzCI.exe
C:\Windows\System\JRAApjQ.exe
C:\Windows\System\JRAApjQ.exe
C:\Windows\System\rHKaQVk.exe
C:\Windows\System\rHKaQVk.exe
C:\Windows\System\RyLLpyy.exe
C:\Windows\System\RyLLpyy.exe
C:\Windows\System\IAqyVZX.exe
C:\Windows\System\IAqyVZX.exe
C:\Windows\System\qiwpHeM.exe
C:\Windows\System\qiwpHeM.exe
C:\Windows\System\lVsQShw.exe
C:\Windows\System\lVsQShw.exe
C:\Windows\System\FKawCaX.exe
C:\Windows\System\FKawCaX.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1484-0-0x00007FF623260000-0x00007FF6235B1000-memory.dmp
memory/1484-1-0x0000022C3CB30000-0x0000022C3CB40000-memory.dmp
C:\Windows\System\AYeHzDR.exe
| MD5 | 0d8bbb300d21f10e26a9385fc822669f |
| SHA1 | 71380a854db3ef0f3a2405401dc5ba19f02da719 |
| SHA256 | da1778c1b6c5f4c5fa5b9688803ec3f16739af146c0a91d504b8c836319342fb |
| SHA512 | d061405e13308b789b6a9eebbc7ef81835af3c0566b6ccc972c5538974aaf445c84f43ab474f1a5d5e1f008f55a11966d47fd5808f4f8e44115b38a05c5fe189 |
memory/2444-10-0x00007FF6E0950000-0x00007FF6E0CA1000-memory.dmp
C:\Windows\System\wysoCwX.exe
| MD5 | cc7920b36766e7b3e934e2024efaba92 |
| SHA1 | fced483b04ce955e9e13dbb7d8f739c20c382e39 |
| SHA256 | a93d310eb73488dc280e1e7d17739f6d2cb80aae7d351fac6a3abbebbd0cbebd |
| SHA512 | 62516c59d82f26d7a9c21adbb03fbf0e2cb18d6b0fe8ee65fadb441bdf1fe75a5a03766de38acc2fbf0a2529e0427583abba1bd5e28ac85550cfc4088553162e |
memory/3328-22-0x00007FF6691B0000-0x00007FF669501000-memory.dmp
C:\Windows\System\vfvHyCy.exe
| MD5 | 5e6a13ecbcc32e82d2bd80c8f9df6220 |
| SHA1 | 98f5337c817df00fa8420ca86e38ec114d48891c |
| SHA256 | 90aa7680d804d61ee3ea69c7f82b77c5387eb8452f787e9088d71fad506c5bc1 |
| SHA512 | b48353b10f6c22120dd33b2a6eb33f78350cce6cdd009bff89611bdac53777a36af756705bae647be96bc33aa06c2c93c469b4b4bbf29c523cc368c641b9e9ad |
C:\Windows\System\faMitaO.exe
| MD5 | cca901924a28cdcb6718eb2201dcfa53 |
| SHA1 | 4fc47f8a59fc0b69b452ea304bc02f7dd946381e |
| SHA256 | e048cf52c4423a0f41eec500c280df610790e3419b807b4a1fb24af3ac9f309a |
| SHA512 | c5b76e2bde39e44ef09c1cd93f270ea2b9e49212a78298e8158a72d421db45a542b6fc1bf6bc8d0e45e56ec728ba37d9874337ae120bcce71057c87c1bf8d6f0 |
memory/4764-36-0x00007FF607160000-0x00007FF6074B1000-memory.dmp
memory/4912-40-0x00007FF6D3680000-0x00007FF6D39D1000-memory.dmp
C:\Windows\System\pOcBcUN.exe
| MD5 | e7674709920171155b74d55bdeb04194 |
| SHA1 | d68a284cdb082f5d71c0c98acd06cc6f3019bc33 |
| SHA256 | b0a8086b96f802f41e81cf98d83729fc474d4994289af798feee790c2a80c90f |
| SHA512 | 75560da7d83a8f8c0635beca25ff00fbc04d9b327244ff407e5a5dc915b7fd27df69a1d6dabdfb224de32dfd977ee1eda045cec999a5a0da7fff39f9b61cad56 |
C:\Windows\System\nUMKkit.exe
| MD5 | de4629eefd0499f763def91f7358078c |
| SHA1 | d23e1f9aac560b4afda4254d5d53c68103c8167f |
| SHA256 | 39a8255dbbd6ad18ce04a6dccb2ec06d0c3f7fe936a73df4fa19d4e4f8cc2a5e |
| SHA512 | a69ca675c79830aa90bc0d96bebf37a80ed9d00c20fffa16aa12d917f38ad4638bde18bf5b539faf66eb1cc836822be4ab68f4846d4fa1fab126a1853129b131 |
C:\Windows\System\QyJJJdq.exe
| MD5 | 35940f904f1c6274cedda2537dc64e63 |
| SHA1 | 03bc8543586e2e085db74bead13dfa0f1631641c |
| SHA256 | 888b90d7487fd3b1bb89100e0967ebc89dead7561aaf1871250a1a16f46f8090 |
| SHA512 | 6034d47a38d9efb2ccd56d1f205c68a8eef361b1cf118f495b58533646064a8eff7ef302cf670316def6b6f4bf4a445152717bf4fa8e81106ba522ee19945510 |
C:\Windows\System\rHKaQVk.exe
| MD5 | d4207e35ec52896e787ef4bac2a5981d |
| SHA1 | e9474b770f66d32acbf4e0e8ff9074feb7ddf398 |
| SHA256 | 6a684a373b35abd1f71b72b344520fa809e9956f9d9a71766174be2d2a1fdee6 |
| SHA512 | 884af338e14469b8c7681799e6e8450667bff765b6c71f4c7680f2bec410da5255ed01a08adde58f70b747b68d703aab2e9600e359d72e55961359245b247778 |
memory/5040-96-0x00007FF665590000-0x00007FF6658E1000-memory.dmp
C:\Windows\System\RyLLpyy.exe
| MD5 | cbabee3c46e6376f06e6dc2417e8c21e |
| SHA1 | ed6335679d9d196634e1a7102d9a8a46bc843b17 |
| SHA256 | a68dc34719d44e2dc6be5bcf17f0dfcd8a69676d5046eecd8d6b38e0fc3f02e5 |
| SHA512 | 0b0c4b02b8bc942a55b511b628eaeff3ea62a50a71803fe2e08266afd9f1d91ba430c168871c65ec20450c7e0555f83e982d0a88115915694278d5c28abe01f4 |
memory/3124-111-0x00007FF7F79D0000-0x00007FF7F7D21000-memory.dmp
C:\Windows\System\FKawCaX.exe
| MD5 | a376bb3115028e9b58e2a627c08a5def |
| SHA1 | d78411a0ef2254c76f8defb7f3def68361b6236d |
| SHA256 | e19673e1ef1a7c000520eba4f3c2cb60598f193e72fcae286b078802418730a5 |
| SHA512 | 0b4a07b3ba00ee6ec193565a93f49cb2c2865bf71a21b3707e3660b89fc6ea7ed227707ca7f6cdce86d269746b3fa4a1a4eb00b5a2105c66624711098683d1af |
memory/3480-123-0x00007FF726D50000-0x00007FF7270A1000-memory.dmp
C:\Windows\System\lVsQShw.exe
| MD5 | bb6d6ca03d790613ff68b52f5d5b8fe6 |
| SHA1 | cb538264147911fe925f98e833776f52f0ba0800 |
| SHA256 | d74b51f7dae139995dc97546b4d3d001c3384d1caac5c817d17e1155f2ed33af |
| SHA512 | 1908691184d5fd42c73451a2582f5737bd573880ca7c94f0a403d63862d204b956cadff92a213606fb77ba4e8a5942fb3126211805d914d0713669f0d766cf88 |
memory/5032-121-0x00007FF7F1D30000-0x00007FF7F2081000-memory.dmp
memory/4068-120-0x00007FF6CDF40000-0x00007FF6CE291000-memory.dmp
C:\Windows\System\qiwpHeM.exe
| MD5 | 5f1d4ef5528569cefb88b9ca2e64aca9 |
| SHA1 | 10fdcbd261351c5c9601f23a99b4f634091c9edd |
| SHA256 | 69da8cd28316dcec7eae83b646ef3d39cc5664975a6607a1e02f83e7807968dd |
| SHA512 | 45bfb7ab6148d9fa09e2ec67d3c691fccbf67f281cd6765a71c52e92f76f8a7bbbe2cbde9306020d44193f6439c03e21b2eef94c4ebb6f3d2b73e88f26b644a8 |
C:\Windows\System\IAqyVZX.exe
| MD5 | 8cd088bd4854424d44950ea018bee2c7 |
| SHA1 | 16680bfa407c391f7d59b20f01d2beaf3314bccb |
| SHA256 | f1ba3840d4c1bb002d91a491385766c3fd521f35cfa17c6397d9b2ac161fd5a1 |
| SHA512 | 96fa5f3d98f8719e2881a47978711c773a7cc77e9a334f3003748b719229d055f56b838bdd773da2dca0da3b1f98f236aafe7bc43fb0b0474c4c0abba0903028 |
memory/4592-115-0x00007FF7E1B10000-0x00007FF7E1E61000-memory.dmp
memory/4620-114-0x00007FF7FBF50000-0x00007FF7FC2A1000-memory.dmp
C:\Windows\System\JRAApjQ.exe
| MD5 | f35b68dedf86003f37d86055a9243969 |
| SHA1 | f29fe00c66703dc3e61bb4127de8408f033d12b6 |
| SHA256 | 9e1f5f485ac393a6c8b4ebe1d978f7ed7f935f45d1d8e30b2c2fe2e782a974dc |
| SHA512 | ca4818fc8a64547b55c84a5621b198cc3bbee937ea33ae4ac83e9d0fdf9b931cc220373bc68b39640c0f808258b0eb8c28c59eb142e26f93ebf03a2e0edbed5a |
C:\Windows\System\gmXhzCI.exe
| MD5 | cedba16e5f2e32888e313bad5d3b2a1b |
| SHA1 | ccf0d8b5e94e31c377442cc17ed04516fc5c85b9 |
| SHA256 | e2626a49bf1c6e1a3f4325f1685aabcb8c682394a9c69f04640513b2116d5cdb |
| SHA512 | 2511ff125705d446832725b3427ea8bdbc825a0e9ca54d519f989741652c64250985b2fcac090d4cd076e9ea99e0172f25605c7306186ab0b786679e208547dd |
memory/4732-88-0x00007FF6A3090000-0x00007FF6A33E1000-memory.dmp
memory/1032-87-0x00007FF604DC0000-0x00007FF605111000-memory.dmp
C:\Windows\System\xFAtEaN.exe
| MD5 | eacce68997d5fb64a789fe11b1066f3e |
| SHA1 | b87af987b4d00a04578f6ac13e207a3758e30037 |
| SHA256 | 5e0b9fba3d4b824aec0e049f568c8ed03cc1d1a314c38fd89511436feacfe388 |
| SHA512 | 82085cbc49a9454a83b0b387ced568f130be81ec430fe6f636db4b4860914378af1f495482a1d1a44708369777b1a6205994a974ed6afe20f041aa5b6944730c |
memory/440-81-0x00007FF7B67F0000-0x00007FF7B6B41000-memory.dmp
memory/5068-79-0x00007FF7F07B0000-0x00007FF7F0B01000-memory.dmp
C:\Windows\System\VmUNgiJ.exe
| MD5 | a19ffc4da3bd714cc8fc4e62b9b52b14 |
| SHA1 | 0acf1b151ad199e52be799d8e38a458dd6dba1ba |
| SHA256 | 44de80d5da597e6b5cea58d0eceb5ab2250c9302ced98dc232c82c44d967d5ae |
| SHA512 | 25c5e58a92bee17d4887dee644c812acd9910cbceace7c5ee3c1541a9b70c74b2716ce95579806c769f9b71e151a3c9f65c1f2661fe528f5f7aee9cd5ab334cb |
memory/2624-69-0x00007FF7BFB40000-0x00007FF7BFE91000-memory.dmp
memory/4924-65-0x00007FF675B60000-0x00007FF675EB1000-memory.dmp
memory/3516-58-0x00007FF6803E0000-0x00007FF680731000-memory.dmp
C:\Windows\System\VjCoEtv.exe
| MD5 | 9ab2dbb3b7ce84257b07b34bdac52a4b |
| SHA1 | 7f69794850aab763ecb59de52e2a5f8f5c32044b |
| SHA256 | 48b7a43e11c7f82402658e897d1a68a3a1e9a0dccb8cbf13b9bc209fcc2b4208 |
| SHA512 | a14d778cbb23d82a078bba8a811d932bad54c55a7ca9be6b7ca910172935a1fff9df93fdb3ec489062055e0c9a57c09ddb0e6b24f97323a6b48252b7f6d1c34b |
C:\Windows\System\LZJGxNM.exe
| MD5 | 6f5a9c06281d25d2b63f24257a6d0f1d |
| SHA1 | f20981fe93771f241f9dd2c2cadf7c4774ee1e79 |
| SHA256 | 9b08150ad0cf8d2628794e304927a2721f506c1d6a8a29a9c759df86d75e7c6f |
| SHA512 | dcfffbea0c97c8c33aea89fa2f9270b58e6d0017efafd32fc48b0af63199c476a9aac405d1d0cb66f78044017b530dde6211c8c170b27ab52304ce299b6035eb |
memory/3920-47-0x00007FF7D30A0000-0x00007FF7D33F1000-memory.dmp
C:\Windows\System\pJHOVsi.exe
| MD5 | 69289ce35ff1c8a2b0a6a0a8e6816da2 |
| SHA1 | 6979e53dff5f6c77a1b452805cc40968095fe8ae |
| SHA256 | dca09c661fbd8acfe2df396a878b1c372f2b763bc010e5ba5595e352a5cc9d54 |
| SHA512 | 5f8e04e8053393ed2d6baa2536894d4262a58738b02946379d1dc152f91233cb74ff024e1d8a911c4570f2f3cf588413134eb3ffcdd1a42e76631f9aae4b9e55 |
C:\Windows\System\ZgZixCE.exe
| MD5 | 870f5f42bf143e026ceacc68703a84c6 |
| SHA1 | ae4da4613ccbc9df59218be73c8007e4c6541d17 |
| SHA256 | 34129542df93d495418466426e2d05527cfd91cb3ec6578e970e4de688fe4b11 |
| SHA512 | 039572b0484ae23bdd45b7dadb1a581c70ddb79d6fd68e212088b95cface9423b98cf177bec198c36f8f0fac99106c7ae07f3e252b1643b2312457de9ec6cf4c |
memory/1656-31-0x00007FF70C8D0000-0x00007FF70CC21000-memory.dmp
memory/3948-27-0x00007FF634CD0000-0x00007FF635021000-memory.dmp
memory/1484-128-0x00007FF623260000-0x00007FF6235B1000-memory.dmp
memory/1484-129-0x00007FF623260000-0x00007FF6235B1000-memory.dmp
memory/3328-131-0x00007FF6691B0000-0x00007FF669501000-memory.dmp
memory/2444-130-0x00007FF6E0950000-0x00007FF6E0CA1000-memory.dmp
memory/3948-133-0x00007FF634CD0000-0x00007FF635021000-memory.dmp
memory/3516-137-0x00007FF6803E0000-0x00007FF680731000-memory.dmp
memory/4592-148-0x00007FF7E1B10000-0x00007FF7E1E61000-memory.dmp
memory/4068-150-0x00007FF6CDF40000-0x00007FF6CE291000-memory.dmp
memory/3480-149-0x00007FF726D50000-0x00007FF7270A1000-memory.dmp
memory/4620-147-0x00007FF7FBF50000-0x00007FF7FC2A1000-memory.dmp
memory/5040-145-0x00007FF665590000-0x00007FF6658E1000-memory.dmp
memory/4732-144-0x00007FF6A3090000-0x00007FF6A33E1000-memory.dmp
memory/3124-143-0x00007FF7F79D0000-0x00007FF7F7D21000-memory.dmp
memory/4924-141-0x00007FF675B60000-0x00007FF675EB1000-memory.dmp
memory/5068-139-0x00007FF7F07B0000-0x00007FF7F0B01000-memory.dmp
memory/3920-136-0x00007FF7D30A0000-0x00007FF7D33F1000-memory.dmp
memory/4912-135-0x00007FF6D3680000-0x00007FF6D39D1000-memory.dmp
memory/4764-134-0x00007FF607160000-0x00007FF6074B1000-memory.dmp
memory/1032-142-0x00007FF604DC0000-0x00007FF605111000-memory.dmp
memory/1656-132-0x00007FF70C8D0000-0x00007FF70CC21000-memory.dmp
memory/1484-151-0x00007FF623260000-0x00007FF6235B1000-memory.dmp
memory/2444-202-0x00007FF6E0950000-0x00007FF6E0CA1000-memory.dmp
memory/3948-221-0x00007FF634CD0000-0x00007FF635021000-memory.dmp
memory/3328-222-0x00007FF6691B0000-0x00007FF669501000-memory.dmp
memory/1656-224-0x00007FF70C8D0000-0x00007FF70CC21000-memory.dmp
memory/4912-228-0x00007FF6D3680000-0x00007FF6D39D1000-memory.dmp
memory/3920-227-0x00007FF7D30A0000-0x00007FF7D33F1000-memory.dmp
memory/4764-233-0x00007FF607160000-0x00007FF6074B1000-memory.dmp
memory/3516-234-0x00007FF6803E0000-0x00007FF680731000-memory.dmp
memory/2624-231-0x00007FF7BFB40000-0x00007FF7BFE91000-memory.dmp
memory/4924-239-0x00007FF675B60000-0x00007FF675EB1000-memory.dmp
memory/5068-240-0x00007FF7F07B0000-0x00007FF7F0B01000-memory.dmp
memory/440-237-0x00007FF7B67F0000-0x00007FF7B6B41000-memory.dmp
memory/3124-242-0x00007FF7F79D0000-0x00007FF7F7D21000-memory.dmp
memory/4732-248-0x00007FF6A3090000-0x00007FF6A33E1000-memory.dmp
memory/1032-245-0x00007FF604DC0000-0x00007FF605111000-memory.dmp
memory/5040-246-0x00007FF665590000-0x00007FF6658E1000-memory.dmp
memory/3480-252-0x00007FF726D50000-0x00007FF7270A1000-memory.dmp
memory/4592-254-0x00007FF7E1B10000-0x00007FF7E1E61000-memory.dmp
memory/4068-257-0x00007FF6CDF40000-0x00007FF6CE291000-memory.dmp
memory/4620-258-0x00007FF7FBF50000-0x00007FF7FC2A1000-memory.dmp
memory/5032-251-0x00007FF7F1D30000-0x00007FF7F2081000-memory.dmp
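The listing above is raw sandbox output: one path line per dropped executable followed by its MD5/SHA1/SHA256/SHA512 rows, and one `memory/<pid>-<n>-<start>-<end>-memory.dmp` line per captured memory region. What a responder usually wants from it is a hash set to hunt with and a summary of the dumped regions. The following is an added example, not code from the report or the sandbox vendor, that parses that exact text format into both; the sample input is an excerpt copied from the rows above. One thing the parser makes visible that the flat list hides: every dumped region in the listing spans exactly 0x351000 bytes, the same image size in every PID.

```python
"""Turn a Triage-style "Files" listing into hunting IoCs.
Added example; the sample input below is an excerpt of the report above."""
import hashlib
import re
from collections import defaultdict

# Excerpt of the listing above (real values from this report), used as sample input.
SAMPLE = r"""
C:\Windows\System\QyJJJdq.exe
| MD5 | 35940f904f1c6274cedda2537dc64e63 |
| SHA1 | 03bc8543586e2e085db74bead13dfa0f1631641c |
| SHA256 | 888b90d7487fd3b1bb89100e0967ebc89dead7561aaf1871250a1a16f46f8090 |
C:\Windows\System\rHKaQVk.exe
| MD5 | d4207e35ec52896e787ef4bac2a5981d |
| SHA256 | 6a684a373b35abd1f71b72b344520fa809e9956f9d9a71766174be2d2a1fdee6 |
memory/5040-96-0x00007FF665590000-0x00007FF6658E1000-memory.dmp
memory/3124-111-0x00007FF7F79D0000-0x00007FF7F7D21000-memory.dmp
memory/5040-145-0x00007FF665590000-0x00007FF6658E1000-memory.dmp
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")                       # C:\... path line
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex digits per digest


def parse_listing(text):
    """Return ({path: {algo: digest}}, [region dicts]) from the listing text.
    A digest of the wrong length (a truncated copy/paste) raises rather than
    silently producing an IoC that can never match."""
    files, regions = {}, []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = line
            files.setdefault(current, {})
            continue
        m = HASH_RE.match(line)
        if m and current:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{current}: {algo} digest has wrong length")
            files[current][algo] = digest
            continue
        m = MEM_RE.match(line)
        if m:
            pid, idx = int(m.group(1)), int(m.group(2))
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            regions.append({"pid": pid, "index": idx, "start": start,
                            "end": end, "size": end - start})
    return files, regions


def build_hash_index(files):
    """Map every digest (any algorithm) back to the dropped-file path."""
    return {digest: path for path, hashes in files.items() for digest in hashes.values()}


def match_bytes(data, index):
    """Hash file contents and return the report path they match, or None."""
    for algo in ("sha256", "sha1", "md5"):
        digest = hashlib.new(algo, data).hexdigest()
        if digest in index:
            return index[digest]
    return None


def region_sizes_by_pid(regions):
    """Group dumped regions by PID -> set of region sizes in bytes."""
    by_pid = defaultdict(set)
    for r in regions:
        by_pid[r["pid"]].add(r["size"])
    return dict(by_pid)


if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE)
    for path, hashes in files.items():
        print(path, hashes.get("SHA256"))
    for pid, sizes in sorted(region_sizes_by_pid(regions).items()):
        print(f"pid {pid}: region sizes {[hex(s) for s in sizes]}")
```

To use it against the whole report, paste the full Files section into `SAMPLE` (or read it from a file) and feed the bytes of any suspect file on a host to `match_bytes`; a hit names the dropped executable from this detonation. Note that the dropped names (`QyJJJdq.exe` and the like) are random per run, so the hashes, not the file names, are the indicator worth shipping.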