Analysis Overview
SHA256
1d39195dc8ea0a8a7b208bef28611f846c5567c30f3cc5c3d07f3cb8c831d8c7
Threat Level: Known bad
The file 2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike
Xmrig family
XMRig Miner payload
Cobaltstrike family
xmrig
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-10-25 11:47
Signatures
Cobalt Strike reflective loader
1 match; no indicator details captured.
Cobaltstrike family
XMRig Miner payload
1 match; no indicator details captured.
Xmrig family
UPX packed file
1 match; no indicator details captured.
Unsigned PE
2 matches; no indicator details captured.
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 11:47
Reported
2024-10-25 11:50
Platform
win7-20240903-en
Max time kernel
143s
Max time network
147s
Signatures
Cobalt Strike reflective loader
21 matches; no indicator details captured.
Cobaltstrike
xmrig
XMRig Miner payload
45 matches; no indicator details captured.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\UVODvOj.exe | N/A |
| N/A | N/A | C:\Windows\System\wBIBRIR.exe | N/A |
| N/A | N/A | C:\Windows\System\xlbGofo.exe | N/A |
| N/A | N/A | C:\Windows\System\msesElz.exe | N/A |
| N/A | N/A | C:\Windows\System\MUSwzFL.exe | N/A |
| N/A | N/A | C:\Windows\System\xHRrbtI.exe | N/A |
| N/A | N/A | C:\Windows\System\HWAxHEq.exe | N/A |
| N/A | N/A | C:\Windows\System\VucMpvt.exe | N/A |
| N/A | N/A | C:\Windows\System\MugCTnQ.exe | N/A |
| N/A | N/A | C:\Windows\System\remvhOe.exe | N/A |
| N/A | N/A | C:\Windows\System\CGrozRo.exe | N/A |
| N/A | N/A | C:\Windows\System\WoemvHc.exe | N/A |
| N/A | N/A | C:\Windows\System\gNaudIF.exe | N/A |
| N/A | N/A | C:\Windows\System\tWhygbR.exe | N/A |
| N/A | N/A | C:\Windows\System\mbqKTCS.exe | N/A |
| N/A | N/A | C:\Windows\System\APtaoRi.exe | N/A |
| N/A | N/A | C:\Windows\System\GIVBNwq.exe | N/A |
| N/A | N/A | C:\Windows\System\NvVNjWS.exe | N/A |
| N/A | N/A | C:\Windows\System\biliBRz.exe | N/A |
| N/A | N/A | C:\Windows\System\GoXZYaF.exe | N/A |
| N/A | N/A | C:\Windows\System\MMyhMyH.exe | N/A |
Loads dropped DLL
UPX packed file
64 matches; no indicator details captured.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\UVODvOj.exe | C:\Windows\System\UVODvOj.exe |
| C:\Windows\System\wBIBRIR.exe | C:\Windows\System\wBIBRIR.exe |
| C:\Windows\System\xlbGofo.exe | C:\Windows\System\xlbGofo.exe |
| C:\Windows\System\xHRrbtI.exe | C:\Windows\System\xHRrbtI.exe |
| C:\Windows\System\msesElz.exe | C:\Windows\System\msesElz.exe |
| C:\Windows\System\HWAxHEq.exe | C:\Windows\System\HWAxHEq.exe |
| C:\Windows\System\MUSwzFL.exe | C:\Windows\System\MUSwzFL.exe |
| C:\Windows\System\VucMpvt.exe | C:\Windows\System\VucMpvt.exe |
| C:\Windows\System\MugCTnQ.exe | C:\Windows\System\MugCTnQ.exe |
| C:\Windows\System\remvhOe.exe | C:\Windows\System\remvhOe.exe |
| C:\Windows\System\CGrozRo.exe | C:\Windows\System\CGrozRo.exe |
| C:\Windows\System\WoemvHc.exe | C:\Windows\System\WoemvHc.exe |
| C:\Windows\System\gNaudIF.exe | C:\Windows\System\gNaudIF.exe |
| C:\Windows\System\tWhygbR.exe | C:\Windows\System\tWhygbR.exe |
| C:\Windows\System\mbqKTCS.exe | C:\Windows\System\mbqKTCS.exe |
| C:\Windows\System\APtaoRi.exe | C:\Windows\System\APtaoRi.exe |
| C:\Windows\System\GIVBNwq.exe | C:\Windows\System\GIVBNwq.exe |
| C:\Windows\System\NvVNjWS.exe | C:\Windows\System\NvVNjWS.exe |
| C:\Windows\System\biliBRz.exe | C:\Windows\System\biliBRz.exe |
| C:\Windows\System\MMyhMyH.exe | C:\Windows\System\MMyhMyH.exe |
| C:\Windows\System\GoXZYaF.exe | C:\Windows\System\GoXZYaF.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2232-0-0x000000013F160000-0x000000013F4B1000-memory.dmp
memory/2232-1-0x0000000000100000-0x0000000000110000-memory.dmp
C:\Windows\system\UVODvOj.exe
| MD5 | 1068ac6f349c89725d9cac9191966ecb |
| SHA1 | a760ca0a9f17329e4762308ba078dfe2a65bb024 |
| SHA256 | 50d5991a5f8f329815a1ae26d4a80ff0c91be7aabd147125d5cbbe353ddc484f |
| SHA512 | 4fa60087e26bb9e5c3061c12e1812be05bed3a421d13c10efe0c2ebba69c291af8fe689805d505ceed76330261956a142b47a291e2bc04c21d97551a2040ea4a |
C:\Windows\system\wBIBRIR.exe
| MD5 | 4c1e9a2236a5af650b21649c6ad8becf |
| SHA1 | 3fc80cde0d77ce733f6e8df0e6d2079d639abc72 |
| SHA256 | 7ebb8c057b3058750293e29c009a4756fdc18f55edb85c11c43a060d3dc9f174 |
| SHA512 | 36ab3e99d745879daa5d654ee7c1d4bf523a08b9651f8e6eca4afb4a0849e4f5c339e0a934f9f5f1e795c14dba61c495c788036795c84f6b77812c9794b3e9f0 |
\Windows\system\xlbGofo.exe
| MD5 | ad9649c76d080a576134ade9feef6822 |
| SHA1 | cf4968c6fc89ec7bffa30c4db53d43fabcfa2c64 |
| SHA256 | de94ad74f623801d5a7dd11b245885edeb2e7f76073402d43760f32c3266d63b |
| SHA512 | 93946e8b643b9251a9aaed3ebb25ab1ce2ed06517991faa2af4c06104794ff0f731157c5d315071ae00336d52b9a07e4d0ad7851db54799ae141b2974d7afde9 |
memory/2232-44-0x000000013FA90000-0x000000013FDE1000-memory.dmp
C:\Windows\system\HWAxHEq.exe
| MD5 | 413693583d20bb1a1337899999aba1de |
| SHA1 | 61587c2a1d2d50ef95402db45ed4e0df6a34d6ff |
| SHA256 | 23c5469da711472196bfe723eccc7df425c9ba4a263264bcb470d63591b2dd78 |
| SHA512 | e0585e273f6802626f54b136d7456b5c6be3eb74ee8ab463da8b6435419d08029d53b821d83574800ff6a663956ddf9dd420830172313c374bea26d50d7d040e |
memory/2872-49-0x000000013F710000-0x000000013FA61000-memory.dmp
C:\Windows\system\VucMpvt.exe
| MD5 | 582cfb94956ee8cfc6de6339b06f4447 |
| SHA1 | f10c24ff2c0c4678592e7b9b2ff16c7d8f5a3a09 |
| SHA256 | a1f3bb5c6a16bad0e3f2d4caa24a0286f047b0a66abd456f24e993da4ea5a95a |
| SHA512 | 9e52eea21acf0e99fef54a069fc96b954f0291c14daa6bd5deecc6333ed26216cbd82d6e0bbcee12029fde17de0306e7b4e0f3c5b5c49ce595b7eee0aae7fe80 |
memory/3004-63-0x000000013FE50000-0x00000001401A1000-memory.dmp
memory/2892-68-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/2216-81-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2684-88-0x000000013F9D0000-0x000000013FD21000-memory.dmp
memory/620-98-0x000000013F4E0000-0x000000013F831000-memory.dmp
memory/3004-104-0x000000013FE50000-0x00000001401A1000-memory.dmp
C:\Windows\system\APtaoRi.exe
| MD5 | 878b014b824b60ddeb4324a7cc7fa450 |
| SHA1 | 52115c4a424097175fd47f3355df93d2938f5a59 |
| SHA256 | 4e27bc4cb80a9a28576d7ae7b981dbadcaacdad9fd2db24ef586d42514f0b588 |
| SHA512 | 95bae29a24c241ebe711bb29bf0bf15287af7d68770a92546072ffa21952f94351fda523337eb074c700ff06b6fd09980e6603a45a7cf66b9a19c79865e7ce2b |
C:\Windows\system\biliBRz.exe
| MD5 | 2282581c45738e3359a8e9f738b552c9 |
| SHA1 | f102b190efdbec1258c03d4a55d29378ee95b088 |
| SHA256 | 0765af7b03ef7debb80feb690dbcd13dee62c81aae61bbff3a8178bc906b5f74 |
| SHA512 | 1a7e5602399f0e9d58728528186e2c524dce73fba3b7d2cf3bc8b9eaacc3f5863866d7e8ecde54375e44def97fb2e2d091af0a984e66b13459e2c8b255ba28fa |
\Windows\system\MMyhMyH.exe
| MD5 | b563766f414133cf524bfdb27be28f8d |
| SHA1 | ab54986c1955e038f6bc0cf323d5af9354686953 |
| SHA256 | bbd0f7450f94159eb1156a85323d55e5715769aff2a7e37e364b2702665969d3 |
| SHA512 | d4b2cf6e87d855a022ac206ee1acdb75394d33a7d5de36a97f43692dd042d945df5985ceebc3bd13bbe3737498804704e7e52290cecc5268788c22cb60afe937 |
C:\Windows\system\GoXZYaF.exe
| MD5 | 796fc14ce45eff131d65e6f0b79599b4 |
| SHA1 | 108a22166bc3158bc20bcfbce4d37bc4084f8157 |
| SHA256 | cb30abf259426c84d84ddd559c30dc2fb54599f4d048d9377460f5cfee4a3f84 |
| SHA512 | c45fd219ad1fa0023e74556107749ea5770dd86e6203aed2f7eb58126d73ddb34c1afd95ad08593d265a30519661e16561ec7590527f2e81042409e14146bd7c |
C:\Windows\system\NvVNjWS.exe
| MD5 | d5d8d408f28e05269b70747da70e73fa |
| SHA1 | 4d599d74170b0a21dff567be1eb2ee62b4124de2 |
| SHA256 | 4a92b8ff02fd4a5222f78f75e6007e82f44d3d1a11dba7c7864ef6f17ad10e42 |
| SHA512 | b631424878d9592192f87aff18b7dfd8200bf0b3a90f644ad74e0312300e945e38acb24db8b9ed8771eb30738eda3e2d0a8be1bfab6528388592808574985c21 |
C:\Windows\system\GIVBNwq.exe
| MD5 | 4c2627985bc9d161e5539cf6ec9426e9 |
| SHA1 | 97192b4411cf9d09eba3c8612ed11b7420b7563f |
| SHA256 | 7b405f3df79f2e4b9876706146f0dbbb17d9f457d2afbcb24f20d463b40df228 |
| SHA512 | 7342af3204aa3f61fadc8e0e5ab276dc4818eaaa08dbf19ebaa71d2666ec2b66ac9221c55a819757d9ded7a12262b3cdb0b8f9b675f4264daf5f5876c9cc9b8d |
memory/2216-146-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2232-145-0x0000000002160000-0x00000000024B1000-memory.dmp
memory/2232-115-0x000000013FC70000-0x000000013FFC1000-memory.dmp
memory/2892-114-0x000000013F5F0000-0x000000013F941000-memory.dmp
C:\Windows\system\mbqKTCS.exe
| MD5 | 982d30082ff9fde2795fde691619aaf5 |
| SHA1 | 5e354f05ebd05118951774ac67564d07ce9e61a6 |
| SHA256 | dec76b742dd5f32c3c15d5bfa9f3410f5fb8716dbf127bf3adbfb73debde20d9 |
| SHA512 | 4b2c5d2e75ee9b441254c2c8b6ef0026c9e7026eba9d8fd9c1dedf7627546e8c3a893e948c277bf8d4541528294ad5cc8c1f6e465db728cfd6c04a036368aa67 |
memory/1744-106-0x000000013F030000-0x000000013F381000-memory.dmp
memory/2232-147-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/2232-105-0x0000000002160000-0x00000000024B1000-memory.dmp
memory/2232-103-0x000000013FE50000-0x00000001401A1000-memory.dmp
C:\Windows\system\tWhygbR.exe
| MD5 | 0b9ddf121bc98e70e56280961075fa7d |
| SHA1 | 25bab8152299b38d10b01be5f7384bc50e6f9ef1 |
| SHA256 | c4e10886b599e885e1a0dc788d69d58fdc2da8123a35ab8e0ecf3c10c01ea8dd |
| SHA512 | cede29bcf66fbb7b8a743b4d647e7dd8008ed5ccad4b7eb873df99d249787a2f31c035178f56cd26ee29a6af3635ca582034f6941257a68b5627348844c75944 |
memory/2232-97-0x000000013F4E0000-0x000000013F831000-memory.dmp
memory/2232-96-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
C:\Windows\system\gNaudIF.exe
| MD5 | 1984fec2f8ca74e863c6865cc8fea283 |
| SHA1 | badfa53fdcbc48df4e685597b3d196ab5a1a47f5 |
| SHA256 | 9688b12b5cb72c1f6dcafc1e9deb38775e410597a31ffe59b114e6ea23f2c40d |
| SHA512 | e2a63c54b97c13642992236f4702145b769c3b1c6347f9178f291f87c6d3374d6761884476c54eefbe2eafac2d8cad68ccf623db55c2a9e0164c5f8c4df77c0a |
memory/2872-91-0x000000013F710000-0x000000013FA61000-memory.dmp
memory/620-149-0x000000013F4E0000-0x000000013F831000-memory.dmp
memory/2232-148-0x000000013F4E0000-0x000000013F831000-memory.dmp
memory/2356-90-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/2232-89-0x000000013F550000-0x000000013F8A1000-memory.dmp
C:\Windows\system\WoemvHc.exe
| MD5 | 0f239a47768b2157d10c0da4b1e5398e |
| SHA1 | 739ad2bc729e5e0cb4a922080afe254bf9e27e59 |
| SHA256 | a13e8fba8784d21fa5be4e6e7f1059e3e110686c44905a9bd77efdeff7261969 |
| SHA512 | ff44d9734de3c430d2f29880ffcf115aabee8db297f4becff7a42d9e03334f5b83ced28c624482ba4fe299820ff6464dc9de6870fc087210162ac1667f757888 |
memory/2796-70-0x000000013FCB0000-0x0000000140001000-memory.dmp
memory/2232-69-0x000000013F160000-0x000000013F4B1000-memory.dmp
memory/2232-67-0x000000013F5F0000-0x000000013F941000-memory.dmp
C:\Windows\system\remvhOe.exe
| MD5 | dd12975eae881464253af4e31f868905 |
| SHA1 | d857c59b60846cb761173d36812192225e2df4a0 |
| SHA256 | 7d8389e383b327f4cae54dd9067144a0144f2e48b47876c54bfb00aa61b9b444 |
| SHA512 | 0d97b374d5732601cc00af72dc49c0331ec245055860d276b92a1a4df032ed1676d9e661b044cb825106040fdeb0e3ebffcd7ac22bbc913b9733ef09499aa3d0 |
memory/2232-80-0x0000000002160000-0x00000000024B1000-memory.dmp
memory/2232-79-0x000000013F710000-0x000000013FA61000-memory.dmp
memory/2232-78-0x000000013F990000-0x000000013FCE1000-memory.dmp
C:\Windows\system\CGrozRo.exe
| MD5 | 887498d539056a496ebab188f5138ef8 |
| SHA1 | 0e201c20a98a552f88a80af5167b650ae31554a5 |
| SHA256 | ae2411d5de74b12a64ead0ba00739b3f9be02587ef312e2a1386b774c6f9d9a8 |
| SHA512 | c07bde08f0a6916ffc35950812a51103dcb052017106f4d46f33836d035198cfa708f5198cad8caec5c46f333f173fce1b45bd14ef6ed7fc0427e701a865b009 |
memory/2232-62-0x000000013FE50000-0x00000001401A1000-memory.dmp
C:\Windows\system\MugCTnQ.exe
| MD5 | af02cbaef61d08b1b6eea6fe1f83b2ae |
| SHA1 | 071f78c9213f88c9e28d33afb2d947db2f9afa35 |
| SHA256 | 16c4a89eaaf2331351c4853aebda6e3c8343dceab58571cdd10e53b919419dd1 |
| SHA512 | ef44d8cb23cf04ab9a27d52b92739d9fec9b22a88c7dca303ec36b0c6707841efa2e2fd640f502d2f79054105098967692ea7ca27517427990634070864bb5a2 |
memory/1856-57-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/2232-56-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/2232-32-0x000000013FEA0000-0x00000001401F1000-memory.dmp
memory/2232-30-0x000000013F9D0000-0x000000013FD21000-memory.dmp
memory/2684-46-0x000000013F9D0000-0x000000013FD21000-memory.dmp
memory/2664-45-0x000000013FA90000-0x000000013FDE1000-memory.dmp
memory/2232-43-0x000000013F710000-0x000000013FA61000-memory.dmp
C:\Windows\system\xHRrbtI.exe
| MD5 | b1c5abff5df0b3d7d4f48a4df1086af9 |
| SHA1 | 7f78b2696f80ddfd4aa4541cd1eb9e76c4e3fcfc |
| SHA256 | 4624cdb775d64c23562b7191296d5ab74b6dc40eee7b1c48102ee034a2b09962 |
| SHA512 | a779cfbeb7f2bb37b320f63631c15d9ea26c7fe1a63e272d83f2adadc93a330699083a47cd3d6db29698d8cf7436909f395ae51351495e453266b142d1052673 |
memory/2824-40-0x000000013F320000-0x000000013F671000-memory.dmp
memory/2232-39-0x0000000002160000-0x00000000024B1000-memory.dmp
C:\Windows\system\MUSwzFL.exe
| MD5 | 63fd3e7ec12bacee686a6991c33bb8dc |
| SHA1 | b4652bd73932b79dc87058924f9f2bc892a6d24b |
| SHA256 | bba4d8de7eead872a81cbc823f4f53d506d342f3853b9e504ab60b1cd61efd7b |
| SHA512 | ff1b4bc20d62a55dac91134b4548443383c98d620579ffea872c6284c0d3b0f136c645e5377d1d3f3d75d2150335eff3a16e9d5fbaf1963f25d9d718f514ca29 |
memory/1744-151-0x000000013F030000-0x000000013F381000-memory.dmp
memory/2232-150-0x0000000002160000-0x00000000024B1000-memory.dmp
memory/2744-37-0x000000013FEA0000-0x00000001401F1000-memory.dmp
memory/2656-28-0x000000013F990000-0x000000013FCE1000-memory.dmp
memory/2232-27-0x000000013F990000-0x000000013FCE1000-memory.dmp
memory/2796-25-0x000000013FCB0000-0x0000000140001000-memory.dmp
C:\Windows\system\msesElz.exe
| MD5 | 2bae1da1ed3745ac0311f22ffa128cbb |
| SHA1 | c2db1f615bd253fc4a5c9fe62a0fd38a968cb4ce |
| SHA256 | de32e68111d625d409a82851175821aa1dcff2eb4061154489fb8acca7675d79 |
| SHA512 | e3366870d0cc371b8b1bdf7effd8d832d398ebd4e9bfba2361f803761656b42684b844d0afe6a07e099d8eb6d509f1d31e1592f602e306ec3f682a2751ed8d6c |
memory/2232-152-0x000000013F160000-0x000000013F4B1000-memory.dmp
memory/2232-172-0x000000013FC70000-0x000000013FFC1000-memory.dmp
memory/1936-171-0x000000013F230000-0x000000013F581000-memory.dmp
memory/592-170-0x000000013FCF0000-0x0000000140041000-memory.dmp
memory/1760-169-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/2640-167-0x000000013FC70000-0x000000013FFC1000-memory.dmp
memory/2848-168-0x000000013F470000-0x000000013F7C1000-memory.dmp
memory/2032-173-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/2188-174-0x000000013F560000-0x000000013F8B1000-memory.dmp
memory/2232-175-0x000000013F160000-0x000000013F4B1000-memory.dmp
memory/2796-226-0x000000013FCB0000-0x0000000140001000-memory.dmp
memory/2656-228-0x000000013F990000-0x000000013FCE1000-memory.dmp
memory/2744-236-0x000000013FEA0000-0x00000001401F1000-memory.dmp
memory/2824-240-0x000000013F320000-0x000000013F671000-memory.dmp
memory/2664-242-0x000000013FA90000-0x000000013FDE1000-memory.dmp
memory/2684-244-0x000000013F9D0000-0x000000013FD21000-memory.dmp
memory/1856-246-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/2872-248-0x000000013F710000-0x000000013FA61000-memory.dmp
memory/2892-250-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/3004-252-0x000000013FE50000-0x00000001401A1000-memory.dmp
memory/2216-254-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2356-256-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/620-258-0x000000013F4E0000-0x000000013F831000-memory.dmp
memory/1744-265-0x000000013F030000-0x000000013F381000-memory.dmp
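Three things in the Win7 run are worth checking rather than eyeballing: every dropped executable follows one naming scheme (seven ASCII letters, mixed case, directly under C:\Windows\System); all 21 drops have different SHA256 values, even though the Win10 run below produces the same hash for the same name; and every large region the sandbox dumped, in the parent (pid 2232) and in each child, is exactly 0x351000 bytes. The Python script below is an added example, not part of the report: it transcribes the hashes and a subset of the memory dump names from the "Files" section, encodes those three checks, and shows the path regex a hunt for this naming scheme would use. The process-creation feed in `__main__` is constructed for illustration.

```python
"""Consistency checks over the artifacts this report lists for the Win7 run.

Added example; it is not part of the sandbox report. DROPPED_SHA256 and
MEMORY_DUMPS are transcribed from the report's "Files" section (the memory
list is a subset). Nothing beyond those values is assumed.
"""
import re
from collections import Counter

# Basename -> SHA256 for all 21 executables dropped into C:\Windows\System.
DROPPED_SHA256 = {
    "UVODvOj.exe": "50d5991a5f8f329815a1ae26d4a80ff0c91be7aabd147125d5cbbe353ddc484f",
    "wBIBRIR.exe": "7ebb8c057b3058750293e29c009a4756fdc18f55edb85c11c43a060d3dc9f174",
    "xlbGofo.exe": "de94ad74f623801d5a7dd11b245885edeb2e7f76073402d43760f32c3266d63b",
    "HWAxHEq.exe": "23c5469da711472196bfe723eccc7df425c9ba4a263264bcb470d63591b2dd78",
    "VucMpvt.exe": "a1f3bb5c6a16bad0e3f2d4caa24a0286f047b0a66abd456f24e993da4ea5a95a",
    "APtaoRi.exe": "4e27bc4cb80a9a28576d7ae7b981dbadcaacdad9fd2db24ef586d42514f0b588",
    "biliBRz.exe": "0765af7b03ef7debb80feb690dbcd13dee62c81aae61bbff3a8178bc906b5f74",
    "MMyhMyH.exe": "bbd0f7450f94159eb1156a85323d55e5715769aff2a7e37e364b2702665969d3",
    "GoXZYaF.exe": "cb30abf259426c84d84ddd559c30dc2fb54599f4d048d9377460f5cfee4a3f84",
    "NvVNjWS.exe": "4a92b8ff02fd4a5222f78f75e6007e82f44d3d1a11dba7c7864ef6f17ad10e42",
    "GIVBNwq.exe": "7b405f3df79f2e4b9876706146f0dbbb17d9f457d2afbcb24f20d463b40df228",
    "mbqKTCS.exe": "dec76b742dd5f32c3c15d5bfa9f3410f5fb8716dbf127bf3adbfb73debde20d9",
    "tWhygbR.exe": "c4e10886b599e885e1a0dc788d69d58fdc2da8123a35ab8e0ecf3c10c01ea8dd",
    "gNaudIF.exe": "9688b12b5cb72c1f6dcafc1e9deb38775e410597a31ffe59b114e6ea23f2c40d",
    "WoemvHc.exe": "a13e8fba8784d21fa5be4e6e7f1059e3e110686c44905a9bd77efdeff7261969",
    "remvhOe.exe": "7d8389e383b327f4cae54dd9067144a0144f2e48b47876c54bfb00aa61b9b444",
    "CGrozRo.exe": "ae2411d5de74b12a64ead0ba00739b3f9be02587ef312e2a1386b774c6f9d9a8",
    "MugCTnQ.exe": "16c4a89eaaf2331351c4853aebda6e3c8343dceab58571cdd10e53b919419dd1",
    "xHRrbtI.exe": "4624cdb775d64c23562b7191296d5ab74b6dc40eee7b1c48102ee034a2b09962",
    "MUSwzFL.exe": "bba4d8de7eead872a81cbc823f4f53d506d342f3853b9e504ab60b1cd61efd7b",
    "msesElz.exe": "de32e68111d625d409a82851175821aa1dcff2eb4061154489fb8acca7675d79",
}

# Full paths as listed under "Executes dropped EXE".
DROPPED_PATHS = ["C:\\Windows\\System\\" + name for name in DROPPED_SHA256]

# Subset of the dump names: memory/<pid>-<seq>-<start>-<end>-memory.dmp
MEMORY_DUMPS = [
    "memory/2232-0-0x000000013F160000-0x000000013F4B1000-memory.dmp",
    "memory/2232-1-0x0000000000100000-0x0000000000110000-memory.dmp",
    "memory/2232-145-0x0000000002160000-0x00000000024B1000-memory.dmp",
    "memory/2872-49-0x000000013F710000-0x000000013FA61000-memory.dmp",
    "memory/3004-63-0x000000013FE50000-0x00000001401A1000-memory.dmp",
    "memory/1744-106-0x000000013F030000-0x000000013F381000-memory.dmp",
    "memory/2824-40-0x000000013F320000-0x000000013F671000-memory.dmp",
    "memory/592-170-0x000000013FCF0000-0x0000000140041000-memory.dmp",
    "memory/2796-226-0x000000013FCB0000-0x0000000140001000-memory.dmp",
]

# Naming scheme shared by every drop: seven ASCII letters, .exe, directly
# under C:\Windows\System (the legacy directory, not System32).
DROP_PATH_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
_DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-F]+)-0x([0-9A-F]+)-memory\.dmp$", re.IGNORECASE)


def matches_drop_pattern(path: str) -> bool:
    """True if a process image path fits the dropped-executable naming scheme."""
    return DROP_PATH_RE.match(path) is not None


def hunt(image_paths):
    """Image paths from a process-creation feed that fit the scheme, in feed order."""
    return [p for p in image_paths if matches_drop_pattern(p)]


def distinct_hashes(hashes: dict) -> int:
    """Number of distinct SHA256 values among the drops."""
    return len(set(hashes.values()))


def region_sizes(dumps):
    """Parse dump names into (pid, size_in_bytes) tuples."""
    out = []
    for name in dumps:
        m = _DUMP_RE.match(name)
        if m is None:
            raise ValueError(f"unexpected dump name: {name}")
        pid, start, end = int(m.group(1)), int(m.group(2), 16), int(m.group(3), 16)
        out.append((pid, end - start))
    return out


def dominant_region_size(dumps):
    """Most common dumped region size and the sorted pids it occurs in."""
    sizes = region_sizes(dumps)
    size, _ = Counter(s for _, s in sizes).most_common(1)[0]
    return size, sorted({pid for pid, s in sizes if s == size})


if __name__ == "__main__":
    # Constructed process-creation feed: the report's drops plus two benign paths.
    feed = DROPPED_PATHS + [r"C:\Windows\System32\svchost.exe", r"C:\Windows\explorer.exe"]
    print(f"{len(hunt(feed))} of {len(feed)} image paths fit the naming scheme")
    print(f"{distinct_hashes(DROPPED_SHA256)} distinct SHA256 among {len(DROPPED_SHA256)} drops")
    size, pids = dominant_region_size(MEMORY_DUMPS)
    print(f"dominant dumped region size 0x{size:X} ({size} bytes) in pids {pids}")
```

The regex is a triage filter, not a verdict: any seven-letter .exe in C:\Windows\System matches, so pair it with the file-creation event for that directory before acting on a hit. Hash-based blocking is weak here because each drop already carries a different SHA256; the stable indicators are the directory, the name length, and the 0x351000-byte image size. On the "Suspicious use of AdjustPrivilegeToken" rows: XMRig enables SeLockMemoryPrivilege on Windows so it can back its scratchpad with large pages, so the two SeLockMemoryPrivilege adjustments are consistent with the XMRig verdict.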
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 11:47
Reported
2024-10-25 11:50
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
147s
Signatures
Cobalt Strike reflective loader
21 matches; no indicator details captured.
Cobaltstrike
xmrig
XMRig Miner payload
45 matches; no indicator details captured.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\UVODvOj.exe | N/A |
| N/A | N/A | C:\Windows\System\wBIBRIR.exe | N/A |
| N/A | N/A | C:\Windows\System\xlbGofo.exe | N/A |
| N/A | N/A | C:\Windows\System\xHRrbtI.exe | N/A |
| N/A | N/A | C:\Windows\System\msesElz.exe | N/A |
| N/A | N/A | C:\Windows\System\HWAxHEq.exe | N/A |
| N/A | N/A | C:\Windows\System\MUSwzFL.exe | N/A |
| N/A | N/A | C:\Windows\System\VucMpvt.exe | N/A |
| N/A | N/A | C:\Windows\System\MugCTnQ.exe | N/A |
| N/A | N/A | C:\Windows\System\remvhOe.exe | N/A |
| N/A | N/A | C:\Windows\System\CGrozRo.exe | N/A |
| N/A | N/A | C:\Windows\System\WoemvHc.exe | N/A |
| N/A | N/A | C:\Windows\System\gNaudIF.exe | N/A |
| N/A | N/A | C:\Windows\System\tWhygbR.exe | N/A |
| N/A | N/A | C:\Windows\System\mbqKTCS.exe | N/A |
| N/A | N/A | C:\Windows\System\APtaoRi.exe | N/A |
| N/A | N/A | C:\Windows\System\GIVBNwq.exe | N/A |
| N/A | N/A | C:\Windows\System\NvVNjWS.exe | N/A |
| N/A | N/A | C:\Windows\System\biliBRz.exe | N/A |
| N/A | N/A | C:\Windows\System\MMyhMyH.exe | N/A |
| N/A | N/A | C:\Windows\System\GoXZYaF.exe | N/A |
UPX packed file
64 matches; no indicator details captured.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-10-25_397e9f2a129724e5f9e05b336426aa27_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\UVODvOj.exe | C:\Windows\System\UVODvOj.exe |
| C:\Windows\System\wBIBRIR.exe | C:\Windows\System\wBIBRIR.exe |
| C:\Windows\System\xlbGofo.exe | C:\Windows\System\xlbGofo.exe |
| C:\Windows\System\xHRrbtI.exe | C:\Windows\System\xHRrbtI.exe |
| C:\Windows\System\msesElz.exe | C:\Windows\System\msesElz.exe |
| C:\Windows\System\HWAxHEq.exe | C:\Windows\System\HWAxHEq.exe |
| C:\Windows\System\MUSwzFL.exe | C:\Windows\System\MUSwzFL.exe |
| C:\Windows\System\VucMpvt.exe | C:\Windows\System\VucMpvt.exe |
| C:\Windows\System\MugCTnQ.exe | C:\Windows\System\MugCTnQ.exe |
| C:\Windows\System\remvhOe.exe | C:\Windows\System\remvhOe.exe |
| C:\Windows\System\CGrozRo.exe | C:\Windows\System\CGrozRo.exe |
| C:\Windows\System\WoemvHc.exe | C:\Windows\System\WoemvHc.exe |
| C:\Windows\System\gNaudIF.exe | C:\Windows\System\gNaudIF.exe |
| C:\Windows\System\tWhygbR.exe | C:\Windows\System\tWhygbR.exe |
| C:\Windows\System\mbqKTCS.exe | C:\Windows\System\mbqKTCS.exe |
| C:\Windows\System\APtaoRi.exe | C:\Windows\System\APtaoRi.exe |
| C:\Windows\System\GIVBNwq.exe | C:\Windows\System\GIVBNwq.exe |
| C:\Windows\System\NvVNjWS.exe | C:\Windows\System\NvVNjWS.exe |
| C:\Windows\System\biliBRz.exe | C:\Windows\System\biliBRz.exe |
| C:\Windows\System\MMyhMyH.exe | C:\Windows\System\MMyhMyH.exe |
| C:\Windows\System\GoXZYaF.exe | C:\Windows\System\GoXZYaF.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
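Across the two detonations only one destination recurs: 3.120.209.58:8080 over TCP, six connections in each run, with no domain in the row, so the sample connected to a literal IP. The remaining Win10 rows are UDP/53 to 8.8.8.8 (reverse PTR lookups and tse1.mm.bing.net) plus TLS to 150.171.27.10:443; treating that traffic as noise generated by the Windows 10 image itself is an assumption of this example, not something the report states. The Python script below is an added example, not part of the report: it parses both Network tables (rows in the column order Country, Destination, Domain, Proto), drops the assumed background traffic, keeps only destinations seen in both runs, and recovers the IPs behind the PTR names so the analyst can see what the image was reverse-resolving.

```python
"""Cross-run network triage over the two Network tables in this report.

Added example; it is not part of the sandbox report. WIN7_ROWS and WIN10_ROWS
are the report's rows in the column order Country | Destination | Domain |
Proto. Treating resolver, reverse-lookup and bing.net traffic as sandbox
background is an assumption of this script, not a finding of the report.
"""
from collections import Counter

WIN7_ROWS = """
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
"""

WIN10_ROWS = """
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
"""

# Assumption: names with these suffixes come from the sandbox image, not the sample.
BACKGROUND_SUFFIXES = (".in-addr.arpa", ".bing.net")
PTR_SUFFIX = ".in-addr.arpa"


def parse_rows(table: str):
    """Parse pipe-delimited rows; an empty Domain cell means a connection by IP."""
    rows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            raise ValueError(f"expected 4 cells: {line!r}")
        country, dest, domain, proto = cells
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name: str) -> str:
    """Reverse a PTR name: '228.249.119.40.in-addr.arpa' -> '40.119.249.228'."""
    if not name.endswith(PTR_SUFFIX):
        raise ValueError(f"not a PTR name: {name}")
    return ".".join(reversed(name[:-len(PTR_SUFFIX)].split(".")))


def is_background(row) -> bool:
    """Resolver traffic and the assumed background names."""
    if row["port"] == 53 and row["proto"] == "udp":
        return True
    return row["domain"].endswith(BACKGROUND_SUFFIXES)


def reverse_lookups(rows):
    """Sorted IPs the image reverse-resolved, recovered from the PTR names."""
    return sorted({ptr_to_ip(r["domain"]) for r in rows if r["domain"].endswith(PTR_SUFFIX)})


def shared_destinations(run_a, run_b):
    """(host, port, proto) seen in both runs after filtering, with per-run counts."""
    def count(rows):
        return Counter((r["host"], r["port"], r["proto"]) for r in rows if not is_background(r))
    a, b = count(run_a), count(run_b)
    return {k: (a[k], b[k]) for k in a.keys() & b.keys()}


if __name__ == "__main__":
    win7, win10 = parse_rows(WIN7_ROWS), parse_rows(WIN10_ROWS)
    for key, counts in shared_destinations(win7, win10).items():
        print(f"shared destination {key[0]}:{key[1]}/{key[2]} hits win7={counts[0]} win10={counts[1]}")
    print("reverse-resolved by the Win10 image:", ", ".join(reverse_lookups(win10)))
```

The result is a single candidate, 3.120.209.58 on TCP/8080, reached without any preceding DNS query in either run, so the address is embedded in the sample rather than resolved. The report's signatures do not say whether the Cobalt Strike loader or the miner component opens that connection, so keep IP and port together as one indicator and do not assign it to either family on this evidence alone. One of the PTR names the image looked up (10.27.171.150.in-addr.arpa) is simply the reverse of the 150.171.27.10 bing.net host it had just contacted, which is the kind of self-consistency that marks traffic as image noise.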
Files
memory/4364-0-0x00007FF75A280000-0x00007FF75A5D1000-memory.dmp
memory/4364-1-0x0000014E454B0000-0x0000014E454C0000-memory.dmp
C:\Windows\System\UVODvOj.exe
| MD5 | 1068ac6f349c89725d9cac9191966ecb |
| SHA1 | a760ca0a9f17329e4762308ba078dfe2a65bb024 |
| SHA256 | 50d5991a5f8f329815a1ae26d4a80ff0c91be7aabd147125d5cbbe353ddc484f |
| SHA512 | 4fa60087e26bb9e5c3061c12e1812be05bed3a421d13c10efe0c2ebba69c291af8fe689805d505ceed76330261956a142b47a291e2bc04c21d97551a2040ea4a |
memory/5000-6-0x00007FF6D0820000-0x00007FF6D0B71000-memory.dmp
C:\Windows\System\xlbGofo.exe
| MD5 | ad9649c76d080a576134ade9feef6822 |
| SHA1 | cf4968c6fc89ec7bffa30c4db53d43fabcfa2c64 |
| SHA256 | de94ad74f623801d5a7dd11b245885edeb2e7f76073402d43760f32c3266d63b |
| SHA512 | 93946e8b643b9251a9aaed3ebb25ab1ce2ed06517991faa2af4c06104794ff0f731157c5d315071ae00336d52b9a07e4d0ad7851db54799ae141b2974d7afde9 |
memory/4360-12-0x00007FF7BF4D0000-0x00007FF7BF821000-memory.dmp
C:\Windows\System\wBIBRIR.exe
| MD5 | 4c1e9a2236a5af650b21649c6ad8becf |
| SHA1 | 3fc80cde0d77ce733f6e8df0e6d2079d639abc72 |
| SHA256 | 7ebb8c057b3058750293e29c009a4756fdc18f55edb85c11c43a060d3dc9f174 |
| SHA512 | 36ab3e99d745879daa5d654ee7c1d4bf523a08b9651f8e6eca4afb4a0849e4f5c339e0a934f9f5f1e795c14dba61c495c788036795c84f6b77812c9794b3e9f0 |
C:\Windows\System\msesElz.exe
| MD5 | 2bae1da1ed3745ac0311f22ffa128cbb |
| SHA1 | c2db1f615bd253fc4a5c9fe62a0fd38a968cb4ce |
| SHA256 | de32e68111d625d409a82851175821aa1dcff2eb4061154489fb8acca7675d79 |
| SHA512 | e3366870d0cc371b8b1bdf7effd8d832d398ebd4e9bfba2361f803761656b42684b844d0afe6a07e099d8eb6d509f1d31e1592f602e306ec3f682a2751ed8d6c |
C:\Windows\System\VucMpvt.exe