Analysis Overview
SHA256
0abd00e3fbd2f2341b01cc1c148b7cc9b8aa496baf5815aee28660fd22886018
Threat Level: Known bad
The file 2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
xmrig
Cobaltstrike
Xmrig family
XMRig Miner payload
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-15 11:31
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 11:31
Reported
2024-08-15 11:34
Platform
win7-20240729-en
Max time kernel
140s
Max time network
143s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\HPaTVxt.exe | N/A |
| N/A | N/A | C:\Windows\System\aYHsSjz.exe | N/A |
| N/A | N/A | C:\Windows\System\TryOgjj.exe | N/A |
| N/A | N/A | C:\Windows\System\Stwgers.exe | N/A |
| N/A | N/A | C:\Windows\System\iGQpNES.exe | N/A |
| N/A | N/A | C:\Windows\System\wYAWVuS.exe | N/A |
| N/A | N/A | C:\Windows\System\XuafsUj.exe | N/A |
| N/A | N/A | C:\Windows\System\NlRjVzG.exe | N/A |
| N/A | N/A | C:\Windows\System\ICICrVF.exe | N/A |
| N/A | N/A | C:\Windows\System\qIMNegO.exe | N/A |
| N/A | N/A | C:\Windows\System\ylBDJhE.exe | N/A |
| N/A | N/A | C:\Windows\System\FlMLVMm.exe | N/A |
| N/A | N/A | C:\Windows\System\JraneBd.exe | N/A |
| N/A | N/A | C:\Windows\System\OUyqeli.exe | N/A |
| N/A | N/A | C:\Windows\System\WVrVeQj.exe | N/A |
| N/A | N/A | C:\Windows\System\FvsLNLI.exe | N/A |
| N/A | N/A | C:\Windows\System\xTYYBdX.exe | N/A |
| N/A | N/A | C:\Windows\System\NhOxeLZ.exe | N/A |
| N/A | N/A | C:\Windows\System\syTMsNp.exe | N/A |
| N/A | N/A | C:\Windows\System\BItoASl.exe | N/A |
| N/A | N/A | C:\Windows\System\FbXUiYO.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\HPaTVxt.exe
C:\Windows\System\HPaTVxt.exe
C:\Windows\System\aYHsSjz.exe
C:\Windows\System\aYHsSjz.exe
C:\Windows\System\TryOgjj.exe
C:\Windows\System\TryOgjj.exe
C:\Windows\System\Stwgers.exe
C:\Windows\System\Stwgers.exe
C:\Windows\System\iGQpNES.exe
C:\Windows\System\iGQpNES.exe
C:\Windows\System\wYAWVuS.exe
C:\Windows\System\wYAWVuS.exe
C:\Windows\System\XuafsUj.exe
C:\Windows\System\XuafsUj.exe
C:\Windows\System\NlRjVzG.exe
C:\Windows\System\NlRjVzG.exe
C:\Windows\System\ICICrVF.exe
C:\Windows\System\ICICrVF.exe
C:\Windows\System\qIMNegO.exe
C:\Windows\System\qIMNegO.exe
C:\Windows\System\ylBDJhE.exe
C:\Windows\System\ylBDJhE.exe
C:\Windows\System\JraneBd.exe
C:\Windows\System\JraneBd.exe
C:\Windows\System\FlMLVMm.exe
C:\Windows\System\FlMLVMm.exe
C:\Windows\System\NhOxeLZ.exe
C:\Windows\System\NhOxeLZ.exe
C:\Windows\System\OUyqeli.exe
C:\Windows\System\OUyqeli.exe
C:\Windows\System\syTMsNp.exe
C:\Windows\System\syTMsNp.exe
C:\Windows\System\WVrVeQj.exe
C:\Windows\System\WVrVeQj.exe
C:\Windows\System\BItoASl.exe
C:\Windows\System\BItoASl.exe
C:\Windows\System\FvsLNLI.exe
C:\Windows\System\FvsLNLI.exe
C:\Windows\System\FbXUiYO.exe
C:\Windows\System\FbXUiYO.exe
C:\Windows\System\xTYYBdX.exe
C:\Windows\System\xTYYBdX.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2124-0-0x000000013FC60000-0x000000013FFB1000-memory.dmp
memory/2124-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\HPaTVxt.exe
| MD5 | 7ad9efe6d61ecaf7f57f913261b8c527 |
| SHA1 | cb9de80e04bb923c32e82fc364667feea77841f2 |
| SHA256 | a9c811cad96201ba6e8e4ae9220814eefa5453c9780384402ac23e8b35a55ef5 |
| SHA512 | 2585d4d1242f4e784c995b4a798c8e5ce7f969c5c93110768bbf6dfdb33aa2ce027136bdf04928629ec20d4ae8d172709a5ef38b30ff88e0bf59c257cdececc8 |
\Windows\system\aYHsSjz.exe
| MD5 | b0005c7a3420a205011b28207d0fd3a9 |
| SHA1 | fa00b36fc7e02e380fd5716f65354a1dfce144fb |
| SHA256 | 357e52576a78e49ac6404aa6e8e9b40e88f94876fdc50b39eb17ff4e3b4eb809 |
| SHA512 | 740def5f8d440db1ce8c628636ac033bad1177439e1e9e3a107ba9dd95bf588616a9aba06d797855ab152c1dadb4a355a50b0b33770fcef8dfc7209e67bf03ad |
C:\Windows\system\TryOgjj.exe
| MD5 | 30b44b15cfa63ff389066939d49780af |
| SHA1 | 794dbf0b998f85a2cf5a13a3c8f57f4c061c1d3b |
| SHA256 | 42b726321d7f26b070bbb15fc48432c17446990d0a073544574dabeda054a0e3 |
| SHA512 | 193afcc5e37e9a2eefa5b7309863ebcc759d72a1413469dc70d4b6273df36e2eb6f0bc66b540287dc2b906386fdeaa8c07f2813cf384bf7fee8b34975eadde64 |
C:\Windows\system\iGQpNES.exe
| MD5 | 5f9fb92da9311690b964861bff90e23b |
| SHA1 | 981577a2ddda46bc3efda5d2c0b509bd860375d5 |
| SHA256 | c292518ab0a4402c55fdce912aaf681a38c1cb76b0d952ed0f128d7bd4633cfe |
| SHA512 | d09d4b71b0adc365712bba42863d3ae25e14f39fb87a37b4b5712054c99614ecc15af86a7677dc959706d48499711aa726f3fe494fe8b4433e8b20344b0061c4 |
\Windows\system\NlRjVzG.exe
| MD5 | 80e1ef40eaffd886ad40f2e7640eb791 |
| SHA1 | 29c2c5981ec31adff0b574c2142eecee6408ec81 |
| SHA256 | 4db6c8397bac00f786c6cc9fd216e00f92b36f972bdce58cd094b3f39d3e778d |
| SHA512 | 1aa53d213787375df6762d4f05f934bcc9e39291ea9ee24e9da989f4c4b6339d745b261e813f2203ac30387a3a567c2793202bc44b57b80660fc455300278c2a |
C:\Windows\system\XuafsUj.exe
| MD5 | bf28b3b4d86abdf71b29dffeb32631d5 |
| SHA1 | 56cf1f69ef1e0a88674adef17bce1eff592edc30 |
| SHA256 | 25072bac8cf63ac77ad1d909867ef4f157fdf05ab2dc2d2eea28e536658aac9e |
| SHA512 | cd5f9de47fc5359e34cc9f687efbf3ab355d23098cea41651dbe12174d510a6c14b90fb3df3b0fd9597af889e1a24925bd314b8d4fc8a087165c83aa6aa82220 |
C:\Windows\system\wYAWVuS.exe
| MD5 | 7adcd5f9ac866a14735f14c96fd016dc |
| SHA1 | e544b82ca618d2b728f1e9d5b9de29895f427005 |
| SHA256 | 0607f35a4df0ffc9130306fa6b3bfc1a7b43cbe482c9b0a0fc37e8b0395627d2 |
| SHA512 | d5f3827e092f4aa38166fee646f9f71a6f4dc47d095ba48289b40d952970dc58196927521beb23ade1260741424a1f2d6147627ae89946d7a146ca154a54a2ab |
C:\Windows\system\Stwgers.exe
| MD5 | 4c68f630875f4fa65d6787be8049decd |
| SHA1 | 9eac5a262dcd75287383c30c30c8efc3897a679f |
| SHA256 | 2226ae65eb4ab407e9e3a251550bf2facdea05fe43d6233ce1dca41651192105 |
| SHA512 | 3a416b84ad821dae01cc5c0831f87e059945e1f22fcfe41161c23cca0919ca344998558ce028177827b0bf744465bf0f0d26871fe1d74e89cc848a568ff56fd0 |
memory/2124-53-0x000000013F110000-0x000000013F461000-memory.dmp
memory/2952-81-0x000000013F3E0000-0x000000013F731000-memory.dmp
\Windows\system\xTYYBdX.exe
| MD5 | b08e519306ed4058348e60ee95a3c6af |
| SHA1 | 71a62ce1a3111459116eddd08ed226fbaf0f3219 |
| SHA256 | c8120935d10d32ad3997fb37792dd44ad815616e820fcabbfbdd60875f8f41c2 |
| SHA512 | c699dd78fcf3a60610b804b60a22f521634a72a762ccf7040d5039362771710863add6599acf3ab2469efc3f251180dacf3ac49fa622e21e0a474e6c45bfd7c8 |
\Windows\system\NhOxeLZ.exe
| MD5 | 6c6804edb49f57b366869f1a1eef9eb1 |
| SHA1 | cf41210d3fcde203b553f002437a85bbc3e62086 |
| SHA256 | 6e7f42203bd5333b907aa5af51c0eb65cca74938b43daf49109fcbf4cd872709 |
| SHA512 | 1d741cc1b09eeafcf76efea95c8a4443a7d19c9d3eeaa0c71497bfc623ad3c1786025243ec2df79ed7bc15401d7601f47725aed6ad2b3312d5887132229cf8e0 |
C:\Windows\system\FvsLNLI.exe
| MD5 | 795b27a21eca23f23bf90b4d30dcd01c |
| SHA1 | b9d12bec9b6d8d22d6a582edfa926d3253483278 |
| SHA256 | bd3c8d371b5c855a8a166460c0c89ed56a0bebf8b5a2a0592ca23fc6f0f6f6bb |
| SHA512 | df25b2e547cc0d76c58cc0c3e89e9d231ed1d156be9a193dfebf2adc295f7e8db1bdc52cda3e1b58609aba410dd4c321a28e1ca377a0ae6e45aacf405cf27be3 |
C:\Windows\system\WVrVeQj.exe
| MD5 | 34893bf828231024662c7212dbac4fb4 |
| SHA1 | f799f00c3f51e9a84fe9bbe37f5c0975d6a5d1a9 |
| SHA256 | ed2203c39dfe56ba1c90d7877ec3f3a06586bab934e5669cc3905f182dc56c09 |
| SHA512 | fec63c22744923b706f71686b21fd39be5e7f52740099fa04042bddd06e1a0c87d7874bcf3cf86952c2b4bf1c5acef730a2ce2a8275085c31691991889a2e14d |
\Windows\system\FbXUiYO.exe
| MD5 | 66781931fe6f60fb92bf438a41068e33 |
| SHA1 | 409133f415fe415a6c0c1f90fd657dc46ce59474 |
| SHA256 | 8625eb0ffc6fe09b3b0546ddf3ceb5ea50ebd2bb4fa18c6e0e7df46f1b502c28 |
| SHA512 | 1defae8b56b56f0610e8335aa6eadcf4c132052194ce3131b7006a2b1da5b381779c9278f24ca4c624e3beadd1e862f84db80ea932d5ff27bac2f54292173d7f |
memory/2124-104-0x000000013F100000-0x000000013F451000-memory.dmp
\Windows\system\BItoASl.exe
| MD5 | 9a9333e4652f9ac99dda4ddd91eafc49 |
| SHA1 | 673a6e56ac379cea44d09b536b47ae655503cdb4 |
| SHA256 | 5398791e44f71c7d0abdc75ad77becd0e081187ad14f73c905e3cff1d353f795 |
| SHA512 | 19c9939d82894d7438f1dab4d46447ad8561422ecd4b821f83e752e056ff52f3aa447a1fb794ab05c4144dda7790c5cd4eedb2992ca66af71ecd409f8756b9d3 |
memory/3068-96-0x000000013F8D0000-0x000000013FC21000-memory.dmp
\Windows\system\syTMsNp.exe
| MD5 | c7cbeba32abf3c07f103dee69daabbfd |
| SHA1 | 0b59537d42969c01ab70b50785fb837cf5c305b8 |
| SHA256 | 98261b73ae051da6d36b3351c7c74579d859fc63964c9401e4cc25aeef858105 |
| SHA512 | 1e2106ca6308c1545dfea47ebd607b6c84b01282f1f37fcafa62e801319895558ebb56b804b84795ccea2183d0fd0119178c4379fa57131df5425d476c2eaaec |
memory/2124-122-0x000000013F1B0000-0x000000013F501000-memory.dmp
memory/2124-135-0x0000000002380000-0x00000000026D1000-memory.dmp
memory/2124-116-0x0000000002380000-0x00000000026D1000-memory.dmp
C:\Windows\system\ylBDJhE.exe
| MD5 | 032bd963f4a26e961fde062e4f90c293 |
| SHA1 | 5e35e8eab62a868bbaa8dfdaa89417184577a556 |
| SHA256 | a309ec1446502446260a772bdb2cf900afcb923a9ce811f7aeb9396ae805f72d |
| SHA512 | 04c1bd34736761fb2c3249719d9dea552fab63c2936667777ee0441a853170c6d01e5d4df27ed53ec46dfc6e73620510136762fdeae9f41acd973c8913ed9abb |
memory/2648-74-0x000000013F1C0000-0x000000013F511000-memory.dmp
\Windows\system\JraneBd.exe
| MD5 | bfa7ea4c088d2376a16e9c4a3ac9184b |
| SHA1 | 16c2f500fd754bf6fc898b58a1704b9d10e50d91 |
| SHA256 | 094cd99e53ca065abc6ff5a5f26b6db5dbfff6da751e48a96a258657bfe085c9 |
| SHA512 | d482ec6b1502a8077c35e55cb424985d1bae5222e7423864391386f7ffce2be1c5ae4d53332ba03414b6b1cb8d5819305f13cbcac9c0d5659ed8e1de2ec5fbfb |
memory/2124-108-0x000000013FC60000-0x000000013FFB1000-memory.dmp
memory/2828-136-0x000000013FD40000-0x0000000140091000-memory.dmp
C:\Windows\system\OUyqeli.exe
| MD5 | 93ec3bd3ead9b6526e4222456e02db9a |
| SHA1 | b0692440c35abe31c55bf872125fc52a06712f8b |
| SHA256 | ec4bc47f4cfdf27160235f78ccafd419a33eb73a475b0bff5aa260b9fceb614f |
| SHA512 | 7e5e834c268785631ffde472c637139283ed0326a2f3eb1f537adcd1c464e02bae31531c19eef89aa7eaa3d373d59ca0d4960d5bdd5b6dc783ce2474c922af3e |
memory/2648-137-0x000000013F1C0000-0x000000013F511000-memory.dmp
\Windows\system\qIMNegO.exe
| MD5 | b45533529c5aefba010b35c593c1ef92 |
| SHA1 | 62814e8f62864bb01c1117b4ace96cc4840c6573 |
| SHA256 | 2a0e798717ecf6a4d47dcccbc6f32f0ef31bd7404186822cf3dc65788bc1d508 |
| SHA512 | 9b1318ccf9b210e22a4a0385754d5f8f827b400fe35e9fc417aacc6c60897eb9afab0c2886e5bb3a1c2f7ad1f8bc025f3614368f97876008463c56e4edc312da |
memory/2884-84-0x000000013F4A0000-0x000000013F7F1000-memory.dmp
memory/2124-82-0x000000013F4A0000-0x000000013F7F1000-memory.dmp
C:\Windows\system\FlMLVMm.exe
| MD5 | 831721347d12cb2fd98a6e31e2c90745 |
| SHA1 | e69df395a5909fc463a73bc8d7c3e0a3cddf1fad |
| SHA256 | 0f6184c62cef021c9cdb9e5edc960f5f12a8c4f5d28826f6747ec41463031fe0 |
| SHA512 | 8a967fb6af07b23fcc30a06abca2478dc4ba35b25bf2ba6769e69fe9a90b2b52a644d03049a59dbaa9c8d785714fab98f827a6cad7c2f3b17dffa0b1b3aa44f5 |
memory/2124-79-0x000000013F8D0000-0x000000013FC21000-memory.dmp
memory/2124-78-0x000000013F3E0000-0x000000013F731000-memory.dmp
memory/2952-138-0x000000013F3E0000-0x000000013F731000-memory.dmp
memory/2124-69-0x000000013F1C0000-0x000000013F511000-memory.dmp
memory/2828-62-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2372-57-0x000000013F840000-0x000000013FB91000-memory.dmp
memory/2608-56-0x000000013F740000-0x000000013FA91000-memory.dmp
memory/2124-55-0x000000013F740000-0x000000013FA91000-memory.dmp
memory/2136-54-0x000000013F110000-0x000000013F461000-memory.dmp
memory/1652-52-0x000000013FFF0000-0x0000000140341000-memory.dmp
memory/3068-140-0x000000013F8D0000-0x000000013FC21000-memory.dmp
memory/2884-139-0x000000013F4A0000-0x000000013F7F1000-memory.dmp
memory/2124-51-0x000000013FFF0000-0x0000000140341000-memory.dmp
memory/2316-50-0x000000013F890000-0x000000013FBE1000-memory.dmp
memory/2124-49-0x000000013F890000-0x000000013FBE1000-memory.dmp
memory/1236-48-0x000000013FFD0000-0x0000000140321000-memory.dmp
memory/2124-47-0x000000013FFD0000-0x0000000140321000-memory.dmp
memory/1104-46-0x000000013FDD0000-0x0000000140121000-memory.dmp
memory/2124-45-0x0000000002380000-0x00000000026D1000-memory.dmp
memory/3044-44-0x000000013FE20000-0x0000000140171000-memory.dmp
memory/2124-43-0x0000000002380000-0x00000000026D1000-memory.dmp
memory/2124-141-0x000000013FC60000-0x000000013FFB1000-memory.dmp
C:\Windows\system\ICICrVF.exe
| MD5 | e7e443f6af5ab8b14387bfc6e7137c6d |
| SHA1 | 1dff29a6f30640a228f837acf312c37e2a5a1cbe |
| SHA256 | 8a8557bf9929252f16eb7ee18318cec3761c273b4b56c5287ca2195c38bf5b05 |
| SHA512 | 3153d350ecb7d4040c2d36612e98d34341c0e00320486f3cd730ed02537fd1f5e783a192018367ac175760a1c983856e74624564eb01c938f0f6be05ec010e2a |
memory/2716-162-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2124-163-0x000000013F1B0000-0x000000013F501000-memory.dmp
memory/2708-161-0x000000013FA10000-0x000000013FD61000-memory.dmp
memory/2576-160-0x000000013F510000-0x000000013F861000-memory.dmp
memory/1864-159-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
memory/2056-158-0x000000013FFC0000-0x0000000140311000-memory.dmp
memory/3012-157-0x000000013F1B0000-0x000000013F501000-memory.dmp
memory/2588-156-0x000000013FAE0000-0x000000013FE31000-memory.dmp
memory/2536-155-0x000000013F100000-0x000000013F451000-memory.dmp
memory/2124-164-0x000000013FC60000-0x000000013FFB1000-memory.dmp
memory/2316-232-0x000000013F890000-0x000000013FBE1000-memory.dmp
memory/2372-237-0x000000013F840000-0x000000013FB91000-memory.dmp
memory/1236-240-0x000000013FFD0000-0x0000000140321000-memory.dmp
memory/3044-245-0x000000013FE20000-0x0000000140171000-memory.dmp
memory/2608-243-0x000000013F740000-0x000000013FA91000-memory.dmp
memory/1652-242-0x000000013FFF0000-0x0000000140341000-memory.dmp
memory/2136-235-0x000000013F110000-0x000000013F461000-memory.dmp
memory/1104-233-0x000000013FDD0000-0x0000000140121000-memory.dmp
memory/2952-247-0x000000013F3E0000-0x000000013F731000-memory.dmp
memory/2884-249-0x000000013F4A0000-0x000000013F7F1000-memory.dmp
memory/2828-251-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2648-255-0x000000013F1C0000-0x000000013F511000-memory.dmp
memory/3068-254-0x000000013F8D0000-0x000000013FC21000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 11:31
Reported
2024-08-15 11:34
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\KAuynYm.exe | N/A |
| N/A | N/A | C:\Windows\System\uHAsVSo.exe | N/A |
| N/A | N/A | C:\Windows\System\sBiyzSd.exe | N/A |
| N/A | N/A | C:\Windows\System\yhFkjlV.exe | N/A |
| N/A | N/A | C:\Windows\System\CjZtxuu.exe | N/A |
| N/A | N/A | C:\Windows\System\yifKjbf.exe | N/A |
| N/A | N/A | C:\Windows\System\hfXHkKs.exe | N/A |
| N/A | N/A | C:\Windows\System\KnIRYnG.exe | N/A |
| N/A | N/A | C:\Windows\System\KjeVnkq.exe | N/A |
| N/A | N/A | C:\Windows\System\UxicEcz.exe | N/A |
| N/A | N/A | C:\Windows\System\gsCfSJb.exe | N/A |
| N/A | N/A | C:\Windows\System\JRWeJcM.exe | N/A |
| N/A | N/A | C:\Windows\System\LtcWpag.exe | N/A |
| N/A | N/A | C:\Windows\System\quTckqn.exe | N/A |
| N/A | N/A | C:\Windows\System\NAiniAS.exe | N/A |
| N/A | N/A | C:\Windows\System\BeIQzws.exe | N/A |
| N/A | N/A | C:\Windows\System\ndFMAlO.exe | N/A |
| N/A | N/A | C:\Windows\System\zFYoJrr.exe | N/A |
| N/A | N/A | C:\Windows\System\qdsYLeZ.exe | N/A |
| N/A | N/A | C:\Windows\System\ULEyfUT.exe | N/A |
| N/A | N/A | C:\Windows\System\INgnIow.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-15_98ff4715111192d602e4f7b8c47f7ac4_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\KAuynYm.exe
C:\Windows\System\KAuynYm.exe
C:\Windows\System\uHAsVSo.exe
C:\Windows\System\uHAsVSo.exe
C:\Windows\System\CjZtxuu.exe
C:\Windows\System\CjZtxuu.exe
C:\Windows\System\sBiyzSd.exe
C:\Windows\System\sBiyzSd.exe
C:\Windows\System\yhFkjlV.exe
C:\Windows\System\yhFkjlV.exe
C:\Windows\System\yifKjbf.exe
C:\Windows\System\yifKjbf.exe
C:\Windows\System\hfXHkKs.exe
C:\Windows\System\hfXHkKs.exe
C:\Windows\System\gsCfSJb.exe
C:\Windows\System\gsCfSJb.exe
C:\Windows\System\KnIRYnG.exe
C:\Windows\System\KnIRYnG.exe
C:\Windows\System\KjeVnkq.exe
C:\Windows\System\KjeVnkq.exe
C:\Windows\System\UxicEcz.exe
C:\Windows\System\UxicEcz.exe
C:\Windows\System\JRWeJcM.exe
C:\Windows\System\JRWeJcM.exe
C:\Windows\System\LtcWpag.exe
C:\Windows\System\LtcWpag.exe
C:\Windows\System\quTckqn.exe
C:\Windows\System\quTckqn.exe
C:\Windows\System\NAiniAS.exe
C:\Windows\System\NAiniAS.exe
C:\Windows\System\BeIQzws.exe
C:\Windows\System\BeIQzws.exe
C:\Windows\System\ndFMAlO.exe
C:\Windows\System\ndFMAlO.exe
C:\Windows\System\zFYoJrr.exe
C:\Windows\System\zFYoJrr.exe
C:\Windows\System\qdsYLeZ.exe
C:\Windows\System\qdsYLeZ.exe
C:\Windows\System\ULEyfUT.exe
C:\Windows\System\ULEyfUT.exe
C:\Windows\System\INgnIow.exe
C:\Windows\System\INgnIow.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3920-0-0x00007FF603E80000-0x00007FF6041D1000-memory.dmp
memory/3920-1-0x00000209586C0000-0x00000209586D0000-memory.dmp
C:\Windows\System\KAuynYm.exe
| MD5 | 40d7e3f646140fe01261ee768effd858 |
| SHA1 | f38b5233fcd49ebdcbb4eb1b6a6a49a0c85beae7 |
| SHA256 | 82fac0c5afc69223384fed7699c8f908d363fbe16a2b5119ca5d7345d93d6ab2 |
| SHA512 | 51151049506bedae7a5609803793a2144919be8f17207960f208a41f294a35358f9f7d133ccfc65f50829d16ce0d30ae8faf5bfcd8484776f4a76a85526f5e34 |
memory/2280-7-0x00007FF66AFD0000-0x00007FF66B321000-memory.dmp
C:\Windows\System\uHAsVSo.exe
| MD5 | 2ad2d25d23ac78b50ac6106a26dd2d7a |
| SHA1 | 040351943ecfd0c1bea086b3ae885d7031d3f4a2 |
| SHA256 | c1d58be9c4b0e2bc73c9fe5a8d1cf23fb8a92d1621fd4fb877ea08f9c2001707 |
| SHA512 | 4e793167e1309aa0e1ae3a80ddd592e7f74b7372aad00136ebc83017dd650cda9410501a61628dd31cf753513686336cd4df31fe2bccc17ea2151aefa687d429 |
C:\Windows\System\yhFkjlV.exe
| MD5 | f66e7a268f630eb4cf136e06ade0ddac |
| SHA1 | 2679483459daecebb0760f941ac90f9b47a0b0c7 |
| SHA256 | 973266bfd758dfcd36947ab7f2e41bbd7e6f51c9f3b618d43b6c49b0ce355017 |
| SHA512 | c68cad259342df486fcc07a97b892f82244db00b21457d075ed295e1ed8dd539ff65db2873c509e258950b762bf19af8f7b0af52a2a06bf44f7bf8e439ccfa45 |
C:\Windows\System\yifKjbf.exe
| MD5 | fb882e9c0844356a0f55de96078f9913 |
| SHA1 | 4d0cf7f33234817cf74c25c32cd4095ebe7f59ee |
| SHA256 | 0390f96ec9b1ac20a3547d02fa0c0c0353a761dee3c5c32c15b68f0273514ad9 |
| SHA512 | adf6d29d636f8c7997ac4acf420bf10a0954aff9fdf50d47ad88ceba1d36f4481b7234422dfe61c8b9fbd9c00e58d0bc5f9f3aa9563ecdce8d54718b9bf85b58 |
C:\Windows\System\KjeVnkq.exe
| MD5 | 3629d8c7a2887794edff449048e43417 |
| SHA1 | 65e0e7919f7fad85ac13d2a28e89861ef25e56da |
| SHA256 | 1f029897b35a3da868c05b99cf4000062894483d019b5e37a7b4e46ac913d5e6 |
| SHA512 | 177a39d5a4db0699286d4d5ae5208ab44db9adec735e5b97cb6efcc24fbd354db5614711e23dcb10b41291052b8e7452cfdf8a4b9ae59411a2e32560068c2830 |
memory/4092-73-0x00007FF64D510000-0x00007FF64D861000-memory.dmp
C:\Windows\System\quTckqn.exe
| MD5 | c5a007fd35fc7ec5d56aaa61dbbec59d |
| SHA1 | 543611004b4cc8eb71231d88c1dc6eba427e9b90 |
| SHA256 | 54d0a650e630e7ce7abd375df9fc097b9ffb1a34186e6bf9f81d4537e69fdd5c |
| SHA512 | 662e45b0cfc308267137d22ad1c3c64d81484e0671de3b9d7b990fa68f48e4f75e8eede58bfe72d3b9acb2cc45489e175b1496d730e0fb29ad3684487ffc9af6 |
C:\Windows\System\BeIQzws.exe
| MD5 | 2bf8317abc2f6f15c1de78021c9ddba0 |
| SHA1 | 0b86b4fef721fe3655535f59fc5e5d8ab2882316 |
| SHA256 | 9fe605be21587f7a152de202fb28763244aca1a51a314fee6e823f3a655a0df0 |
| SHA512 | bd5b7e11f0be78d8d680ab7dfc5a05de113375cc42ae76bff36118821a1c656b61ad68d19870a64cad7c1cb4d02302a3506c378a2e2a98e18316a14affde8e76 |
memory/4164-95-0x00007FF7EB560000-0x00007FF7EB8B1000-memory.dmp
C:\Windows\System\ndFMAlO.exe
| MD5 | 95e2dc953453a8ce578dbc81d4beeb5e |
| SHA1 | a578a326ee8c3c93d4cc727d8600f0ec26d6ec0d |
| SHA256 | df59d9591a1a6c7208a6d67c76c78fa2b2f6a142d80aee99b58fbe06dfe490db |
| SHA512 | dbae7894133d280412eb338e038956f88ce80e29d0f6e5dbdc69bb2d4fb9be59c38e9695f8e00713e77484ac0048723c6b547ae4a90c672fbfca89938e7ac0d5 |
memory/2684-111-0x00007FF71AC50000-0x00007FF71AFA1000-memory.dmp
memory/2828-115-0x00007FF6EB850000-0x00007FF6EBBA1000-memory.dmp
memory/2024-116-0x00007FF66F7E0000-0x00007FF66FB31000-memory.dmp
memory/1808-114-0x00007FF64E3C0000-0x00007FF64E711000-memory.dmp
memory/904-113-0x00007FF644E20000-0x00007FF645171000-memory.dmp
memory/232-112-0x00007FF679590000-0x00007FF6798E1000-memory.dmp
memory/1944-110-0x00007FF771010000-0x00007FF771361000-memory.dmp
C:\Windows\System\qdsYLeZ.exe
| MD5 | 2b789311f549076804cc7dd5537df3dc |
| SHA1 | be0276206b27edd515b02c1d64cfb40ab9d6cdf7 |
| SHA256 | b25015b873cd6b6b91c0c5fff7d31c3d691843b53bd416024863755df3939a77 |
| SHA512 | 5b91aa628e0a53beba118dfd5cc4069f65b0244002c48ddfdda0144825a87ca15eb6f2e2c1b36d440fc2d2d2d6576d22f06531baec097dd80e5454eff1860185 |
C:\Windows\System\zFYoJrr.exe
| MD5 | 6427295dce47b1af149c516d2b5f50ef |
| SHA1 | ea583e9599687cbe6309c0d3e33fe964ccaf5bc6 |
| SHA256 | 9fbb8ab5e23e7ba0471ba2147f4598562cca7055c1c7d3a4a3f57ce066376893 |
| SHA512 | 8a63f0c9c2238b1f9a241ca015e4e2ae1d8ba986ad86aa0db7e0aa25de841df2cba912b278702385ccb35cc3119957492cfc8eb23d7d8e203abcdbca35fd012c |
C:\Windows\System\NAiniAS.exe
| MD5 | e128478ecf832152df62a7c86c7515cf |
| SHA1 | 175c8d7e7c927397ab9514fa76a55f31cb2d6fc8 |
| SHA256 | db826293033db6b8ea09ec6f5ed88163b6a8f6fb0d1977a68f32d006fd32d303 |
| SHA512 | ba7cac607eb76c6915e12bf6c32fcc07c48edc87b036a183f793f49fda1314b7b77b88124eb90ad1eecf575441aa2dd2d838f0fda80c4a225395a1952f8bbcc9 |
C:\Windows\System\LtcWpag.exe
| MD5 | 2180fa4fc8a4aa12796834db70905d0c |
| SHA1 | c4f3d3e9a7af1384ab95c43833796be96e2f7a8b |
| SHA256 | 6ec15a6c44afc2cbfe041c1d311d39ef7e7891613a39adb38071d3e2bacdb6b5 |
| SHA512 | 6a6db1e575202d868c0837fa555f057263c34c2aed2258892991f1524831726bd12dd6302b509ba7c8bbf584d327d1c5df4a3f9efc45e1faa25d485bdcf65453 |
C:\Windows\System\JRWeJcM.exe
| MD5 | 8ef18321d29b04e494de0a2fa142bc61 |
| SHA1 | 7e14863d73c457d28a36e29ff669a8e433125b72 |
| SHA256 | 459fb2193b9f84c41302806c469cf23ddbdfa898bad65c2275f6c7612414d30b |
| SHA512 | db53b13ee9c892694ffc93454dd1dd4efa03f88ffe7cf0544b04c92bea18d9e15ec6f5c2cc77c483680989edddb440e36334e412fb5c8fc1784fd490832abee3 |
C:\Windows\System\gsCfSJb.exe
| MD5 | 6bd622c869b4e68e1040480ada4ce7cf |
| SHA1 | 854bd88eff9bf2b33c355ff4b219c8159f5d9661 |
| SHA256 | 87f6b4cf421974f40363bccf3db8138655f4fa5e43aac50fe9dd36b31aba1bd3 |
| SHA512 | c6b56a62199529779c93fb8c61b6f240419317b42001ec8ad64e24f350c0275cc2857ae045e4f3d63e78adde3d0f7123cb5e7a060939523e4df3f4cd2591cfc8 |
C:\Windows\System\UxicEcz.exe
| MD5 | 61ebbd4ca547d615682bd6980cae1f61 |
| SHA1 | 9afdd28c48bfb915fd52b0e99c1063ab15cca7dc |
| SHA256 | a06d97c8c9288dd66728d13cda0f1af7d354cd58fa55cf019ed97c920353c911 |
| SHA512 | 324ffe5fb737bb88a6872fca5d75e257af895f5da6c4bc7de66180d5ae6fdffc1ac1898bac8c91179d19f2e690f2048c533cd246aca55ed387829e7654cbd862 |
C:\Windows\System\KnIRYnG.exe
| MD5 | afc94d1d58b51486fa6cb09f18c9df97 |
| SHA1 | f695f1f2778790e57f9faab5a565aa5b1eecc560 |
| SHA256 | 07f97e3595092f9e37e0bff9ac922fa6b76bdcef867252e585e33f55e479c6fa |
| SHA512 | 950a5b1ae4436f2e1063555df243c17b3a2f2829590c1be812d1e7d45a3e3caca55fe68a6613429dafc6a7d03302449a7e237fac37f7cb3d09dad1525b86d807 |
C:\Windows\System\hfXHkKs.exe
| MD5 | 4f3a875943e8669f346b4ee73079a926 |
| SHA1 | 115c235b833a3f1a7a2f5da7e250ba9204855435 |
| SHA256 | 2f33a5e09dcef367985d261986150607778d9282d4923d80f70d2b6c94fd3528 |
| SHA512 | 58cae4168b1bedd745ba0fec428f682df5ab19661a20f2108031cc475dcdfd4dab77c3b96ecc26a9fdd40488beaa70ad55bd82b7f7b215878a182d77baee027d |
C:\Windows\System\sBiyzSd.exe
| MD5 | 1c2df070020fe9686d855a33ab48172d |
| SHA1 | 9552543dce8f0b05f5a0cc9a78cfc65f69f7e036 |
| SHA256 | b7f615cea8568862042d8c71fbfe469563e709143a37b3dc828f1c77d56ab765 |
| SHA512 | 5d02cdf21623c6c4f4f1c595709faa29ca2525dc2468f4351c3bf4f3b4b4b5561c190a70019bfcab2053119a90397b58667c2ce4238e9ddb650d7be516b9766d |
C:\Windows\System\CjZtxuu.exe
| MD5 | 86bc8592c2c2ff64672f10b594d9f885 |
| SHA1 | 9a727a3952f9947aae93116a6699519825dde5f1 |
| SHA256 | f5a32fa8d2a3f7a1c11608b9c4a56c34e321aa764d5a55633b908ca79162be21 |
| SHA512 | c22103d4f7d8ff31b23c4c740428471fa91bc3abaad3d4793ef0922f415c2f29464987500f75436b116790c19a791cb1da97e826dc1fe4282cfc5d7fe8b18ad1 |
C:\Windows\System\ULEyfUT.exe
| MD5 | 2a06e3d9da8268e4a0a69b8e4d6a4b08 |
| SHA1 | 253243e060d3d41b71a5d0424f0dbdfb94c30e56 |
| SHA256 | d961bd91fc50183c5c426e17ee36536d5e28f1047f4380d3245bc6903e70e7b9 |
| SHA512 | 80637b36472c688ce4f6a975bb57e00449c5da460df4230bf1d7bb4e8d84acc70cf78028a96715798e24f5dea80a6cbdc66e16d5c8a7cf32371d53c77df32dbf |
C:\Windows\System\INgnIow.exe
| MD5 | 699749cf57ea252f3e0e3246208da1a7 |
| SHA1 | 30c43b44cbdcfbd60a9d4b9e1fda06a22e08343f |
| SHA256 | 5ef48c5ec581dd3a74fca9f2adea3100d4af4b88e62ab305f6f639811169fbfd |
| SHA512 | 832f86adb414cfc85b7b803d4231cc28c447907bb86b174007943fdf9788a307e1c499435256f5e76f6291adadf27b52a1631fb19992a1b668ad4c11fc4c3f7c |