Analysis Overview
SHA256
86256cba6711c887e414aaa9acdaac0e92f65adc08fee3717d39253c5859d6b8
Threat Level: Known bad
The file 2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
xmrig
Cobaltstrike family
Cobalt Strike reflective loader
XMRig Miner payload
Xmrig family
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-27 05:09
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 05:09
Reported
2024-10-27 05:11
Platform
win7-20241010-en
Max time kernel
147s
Max time network
148s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\aGUXElm.exe | N/A |
| N/A | N/A | C:\Windows\System\JXrsZUZ.exe | N/A |
| N/A | N/A | C:\Windows\System\sivpkWn.exe | N/A |
| N/A | N/A | C:\Windows\System\NsFEQIL.exe | N/A |
| N/A | N/A | C:\Windows\System\lOzMiAb.exe | N/A |
| N/A | N/A | C:\Windows\System\rxObeFB.exe | N/A |
| N/A | N/A | C:\Windows\System\yObhmul.exe | N/A |
| N/A | N/A | C:\Windows\System\MSUPJlJ.exe | N/A |
| N/A | N/A | C:\Windows\System\jsfmpib.exe | N/A |
| N/A | N/A | C:\Windows\System\qOvEfkM.exe | N/A |
| N/A | N/A | C:\Windows\System\TPCffOD.exe | N/A |
| N/A | N/A | C:\Windows\System\VKvJykh.exe | N/A |
| N/A | N/A | C:\Windows\System\SCKgnmR.exe | N/A |
| N/A | N/A | C:\Windows\System\vOqFEka.exe | N/A |
| N/A | N/A | C:\Windows\System\iDLBvqQ.exe | N/A |
| N/A | N/A | C:\Windows\System\BKfLtvL.exe | N/A |
| N/A | N/A | C:\Windows\System\bwgwOXR.exe | N/A |
| N/A | N/A | C:\Windows\System\bIzeGzG.exe | N/A |
| N/A | N/A | C:\Windows\System\ZPAUpvi.exe | N/A |
| N/A | N/A | C:\Windows\System\QEcUMtd.exe | N/A |
| N/A | N/A | C:\Windows\System\ZSMURvy.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\aGUXElm.exe
C:\Windows\System\aGUXElm.exe
C:\Windows\System\JXrsZUZ.exe
C:\Windows\System\JXrsZUZ.exe
C:\Windows\System\sivpkWn.exe
C:\Windows\System\sivpkWn.exe
C:\Windows\System\NsFEQIL.exe
C:\Windows\System\NsFEQIL.exe
C:\Windows\System\lOzMiAb.exe
C:\Windows\System\lOzMiAb.exe
C:\Windows\System\yObhmul.exe
C:\Windows\System\yObhmul.exe
C:\Windows\System\rxObeFB.exe
C:\Windows\System\rxObeFB.exe
C:\Windows\System\MSUPJlJ.exe
C:\Windows\System\MSUPJlJ.exe
C:\Windows\System\jsfmpib.exe
C:\Windows\System\jsfmpib.exe
C:\Windows\System\VKvJykh.exe
C:\Windows\System\VKvJykh.exe
C:\Windows\System\qOvEfkM.exe
C:\Windows\System\qOvEfkM.exe
C:\Windows\System\SCKgnmR.exe
C:\Windows\System\SCKgnmR.exe
C:\Windows\System\TPCffOD.exe
C:\Windows\System\TPCffOD.exe
C:\Windows\System\vOqFEka.exe
C:\Windows\System\vOqFEka.exe
C:\Windows\System\iDLBvqQ.exe
C:\Windows\System\iDLBvqQ.exe
C:\Windows\System\BKfLtvL.exe
C:\Windows\System\BKfLtvL.exe
C:\Windows\System\bwgwOXR.exe
C:\Windows\System\bwgwOXR.exe
C:\Windows\System\bIzeGzG.exe
C:\Windows\System\bIzeGzG.exe
C:\Windows\System\ZPAUpvi.exe
C:\Windows\System\ZPAUpvi.exe
C:\Windows\System\QEcUMtd.exe
C:\Windows\System\QEcUMtd.exe
C:\Windows\System\ZSMURvy.exe
C:\Windows\System\ZSMURvy.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 05:09
Reported
2024-10-27 05:11
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\dioKWDf.exe | N/A |
| N/A | N/A | C:\Windows\System\dGkAbDO.exe | N/A |
| N/A | N/A | C:\Windows\System\bZWUChq.exe | N/A |
| N/A | N/A | C:\Windows\System\nAiXdkx.exe | N/A |
| N/A | N/A | C:\Windows\System\BxwHviW.exe | N/A |
| N/A | N/A | C:\Windows\System\AYFVATx.exe | N/A |
| N/A | N/A | C:\Windows\System\BaLMWvK.exe | N/A |
| N/A | N/A | C:\Windows\System\nZFLGnf.exe | N/A |
| N/A | N/A | C:\Windows\System\eVWJdId.exe | N/A |
| N/A | N/A | C:\Windows\System\gkMSHoC.exe | N/A |
| N/A | N/A | C:\Windows\System\ZXarzTp.exe | N/A |
| N/A | N/A | C:\Windows\System\RcFOTMH.exe | N/A |
| N/A | N/A | C:\Windows\System\NabdSfH.exe | N/A |
| N/A | N/A | C:\Windows\System\XTwkKQo.exe | N/A |
| N/A | N/A | C:\Windows\System\hbwyyFA.exe | N/A |
| N/A | N/A | C:\Windows\System\SiUPAeO.exe | N/A |
| N/A | N/A | C:\Windows\System\rFufkAx.exe | N/A |
| N/A | N/A | C:\Windows\System\YFVmWYL.exe | N/A |
| N/A | N/A | C:\Windows\System\XpKyJpi.exe | N/A |
| N/A | N/A | C:\Windows\System\lLUrZGP.exe | N/A |
| N/A | N/A | C:\Windows\System\KpAggWA.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-27_6ff5e93034cdb528937a2784f31a1dc0_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\dioKWDf.exe
C:\Windows\System\dioKWDf.exe
C:\Windows\System\dGkAbDO.exe
C:\Windows\System\dGkAbDO.exe
C:\Windows\System\bZWUChq.exe
C:\Windows\System\bZWUChq.exe
C:\Windows\System\nAiXdkx.exe
C:\Windows\System\nAiXdkx.exe
C:\Windows\System\BxwHviW.exe
C:\Windows\System\BxwHviW.exe
C:\Windows\System\AYFVATx.exe
C:\Windows\System\AYFVATx.exe
C:\Windows\System\BaLMWvK.exe
C:\Windows\System\BaLMWvK.exe
C:\Windows\System\nZFLGnf.exe
C:\Windows\System\nZFLGnf.exe
C:\Windows\System\eVWJdId.exe
C:\Windows\System\eVWJdId.exe
C:\Windows\System\gkMSHoC.exe
C:\Windows\System\gkMSHoC.exe
C:\Windows\System\NabdSfH.exe
C:\Windows\System\NabdSfH.exe
C:\Windows\System\RcFOTMH.exe
C:\Windows\System\RcFOTMH.exe
C:\Windows\System\ZXarzTp.exe
C:\Windows\System\ZXarzTp.exe
C:\Windows\System\XTwkKQo.exe
C:\Windows\System\XTwkKQo.exe
C:\Windows\System\hbwyyFA.exe
C:\Windows\System\hbwyyFA.exe
C:\Windows\System\SiUPAeO.exe
C:\Windows\System\SiUPAeO.exe
C:\Windows\System\rFufkAx.exe
C:\Windows\System\rFufkAx.exe
C:\Windows\System\YFVmWYL.exe
C:\Windows\System\YFVmWYL.exe
C:\Windows\System\KpAggWA.exe
C:\Windows\System\KpAggWA.exe
C:\Windows\System\XpKyJpi.exe
C:\Windows\System\XpKyJpi.exe
C:\Windows\System\lLUrZGP.exe
C:\Windows\System\lLUrZGP.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
| SHA256 | 8e1032b3f9db429c87eb610c31c9625f84459dc93c50232b4d3fb1de896c73a1 |
| SHA512 | 8b8cda9b0a427e7d3d666c3f7d5e6cc15c57a6c06e05362a7bfca30d1e067619ef7ce33fc21c93dbf61901c87a5ab7a8a5cadc5637f4145c916c63714d904b30 |
memory/1776-44-0x00007FF73F7C0000-0x00007FF73FB11000-memory.dmp
C:\Windows\System\nAiXdkx.exe
| MD5 | 798776519caf580bc16b615ee42396a9 |
| SHA1 | b9701e5de037ba91c42b9de96c25047a1fcd9452 |
| SHA256 | 92ff3dadcf213576eaa7242632b014853c985f0c268707894538a01543011480 |
| SHA512 | a80c597e217db1ee02cb9cf6e398a000709353119b28ace61995d04acbb8d6423e888012b6be5f7de0acd8f4342e7f7d98e31b2279394028bc3d9dc79e1f5e59 |
C:\Windows\System\AYFVATx.exe
| MD5 | b22a605671e71f6fec34da692835cf9b |
| SHA1 | 1aa09dbb8c804db873a5670e50b8cd8f0a3c243a |
| SHA256 | 481f85bbc6e57169403d8faf16ae5eb912442ce3d73296cae3102ef153a68d74 |
| SHA512 | 3012b27527706ae376886db708dc603134437f63ec081787c1711c41ef47fb23c07df56d41e39dced3a688baba18d0249d4b51c55da70dff6f18b9fbc6637bf7 |
C:\Windows\System\bZWUChq.exe
| MD5 | 7df7c44b2a73500f44936264e179d93e |
| SHA1 | 6b376badba3082a1e6290172d86031e4573ff1d1 |
| SHA256 | 3a43c2916988b2563faf4fbfa69d9f0ba22cc1986e5b9c5e4d28e27b9fc1c3a0 |
| SHA512 | 368b07f4cd468ac6a8299cf067c9f524d898c7d30b0acf3f552ddff6d6ad5d8c05214aa730eddc355bd3ea2f38d7b1a84ce0c5fd61100d80d730275bd8f9ee84 |
memory/4824-22-0x00007FF7A9AF0000-0x00007FF7A9E41000-memory.dmp
memory/3400-18-0x00007FF7AB900000-0x00007FF7ABC51000-memory.dmp
memory/1936-116-0x00007FF63B1F0000-0x00007FF63B541000-memory.dmp
memory/3400-118-0x00007FF7AB900000-0x00007FF7ABC51000-memory.dmp
memory/4824-119-0x00007FF7A9AF0000-0x00007FF7A9E41000-memory.dmp
memory/2280-124-0x00007FF7D6940000-0x00007FF7D6C91000-memory.dmp
memory/4276-131-0x00007FF67B6F0000-0x00007FF67BA41000-memory.dmp
memory/1828-133-0x00007FF778A50000-0x00007FF778DA1000-memory.dmp
memory/3856-132-0x00007FF68E310000-0x00007FF68E661000-memory.dmp
memory/1136-130-0x00007FF75E450000-0x00007FF75E7A1000-memory.dmp
memory/4928-129-0x00007FF730CE0000-0x00007FF731031000-memory.dmp
memory/876-128-0x00007FF611E40000-0x00007FF612191000-memory.dmp
memory/4820-127-0x00007FF6C1FA0000-0x00007FF6C22F1000-memory.dmp
memory/1076-126-0x00007FF7644A0000-0x00007FF7647F1000-memory.dmp
memory/2404-125-0x00007FF76E830000-0x00007FF76EB81000-memory.dmp
memory/4700-123-0x00007FF6DD5B0000-0x00007FF6DD901000-memory.dmp
memory/1476-121-0x00007FF6B6A80000-0x00007FF6B6DD1000-memory.dmp
memory/3144-120-0x00007FF712B60000-0x00007FF712EB1000-memory.dmp
memory/4972-117-0x00007FF69E330000-0x00007FF69E681000-memory.dmp
memory/2320-134-0x00007FF778510000-0x00007FF778861000-memory.dmp
memory/3048-137-0x00007FF68B4B0000-0x00007FF68B801000-memory.dmp
memory/4832-136-0x00007FF6472C0000-0x00007FF647611000-memory.dmp
memory/3444-135-0x00007FF691AE0000-0x00007FF691E31000-memory.dmp
memory/1936-138-0x00007FF63B1F0000-0x00007FF63B541000-memory.dmp
memory/1936-139-0x00007FF63B1F0000-0x00007FF63B541000-memory.dmp
memory/4972-191-0x00007FF69E330000-0x00007FF69E681000-memory.dmp
memory/3400-193-0x00007FF7AB900000-0x00007FF7ABC51000-memory.dmp
memory/4824-206-0x00007FF7A9AF0000-0x00007FF7A9E41000-memory.dmp
memory/1776-214-0x00007FF73F7C0000-0x00007FF73FB11000-memory.dmp
memory/3144-213-0x00007FF712B60000-0x00007FF712EB1000-memory.dmp
memory/4700-216-0x00007FF6DD5B0000-0x00007FF6DD901000-memory.dmp
memory/1136-228-0x00007FF75E450000-0x00007FF75E7A1000-memory.dmp
memory/2404-230-0x00007FF76E830000-0x00007FF76EB81000-memory.dmp
memory/876-232-0x00007FF611E40000-0x00007FF612191000-memory.dmp
memory/4820-234-0x00007FF6C1FA0000-0x00007FF6C22F1000-memory.dmp
memory/4928-224-0x00007FF730CE0000-0x00007FF731031000-memory.dmp
memory/1476-226-0x00007FF6B6A80000-0x00007FF6B6DD1000-memory.dmp
memory/1076-219-0x00007FF7644A0000-0x00007FF7647F1000-memory.dmp
memory/2280-223-0x00007FF7D6940000-0x00007FF7D6C91000-memory.dmp
memory/4276-221-0x00007FF67B6F0000-0x00007FF67BA41000-memory.dmp
memory/4832-243-0x00007FF6472C0000-0x00007FF647611000-memory.dmp
memory/1828-245-0x00007FF778A50000-0x00007FF778DA1000-memory.dmp
memory/3856-246-0x00007FF68E310000-0x00007FF68E661000-memory.dmp
memory/2320-241-0x00007FF778510000-0x00007FF778861000-memory.dmp
memory/3048-238-0x00007FF68B4B0000-0x00007FF68B801000-memory.dmp
memory/3444-236-0x00007FF691AE0000-0x00007FF691E31000-memory.dmp
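The dropped-file tables and `memory/` dump names above are the raw material for hunting, so a parser that turns them into checked records is worth having. The script below is an added example and not part of the sandbox report; the embedded excerpt is copied from the entries on this page (a handful of them, not the full list). It validates each digest against the length its algorithm requires before accepting it, emits a de-duplicated SHA256 list, decodes the `memory/<pid>-<index>-<start>-<end>` dump names into address ranges, and computes the mapped size of every region. On this page every region works out to 0x351000 bytes across distinct PIDs, which is consistent with one payload being executed from many dropped copies; the size alone does not prove the copies are byte-identical, and the script does not claim that.

```python
import re
from collections import OrderedDict

# Excerpt of the artifact listing from this report, embedded so the script
# runs offline. These lines are copied from the page; it is a sample, not
# the complete list.
REPORT_EXCERPT = r"""
C:\Windows\System\lLUrZGP.exe
| MD5 | c9f671b8a638c78c3bbb4d51ed34ec59 |
| SHA1 | c7e2ea688c6a6521c548d0a224240aa3c64ce024 |
| SHA256 | 781f2605c85e391b04319f5cfebc3befca548084cd0488bbc29088d3ad4e81ad |
| SHA512 | 06240ed7eb9e8ce830998396d3bd7ea15f606b0f49014ec2a771a32795c2e00ba9a2df9810a9bae7fb3da79abf3e2306b2a374d1768011fdd6f7346b1a4eb940 |
C:\Windows\System\rFufkAx.exe
| MD5 | ace24cf805a15e0d7b56efa9e90d2fc9 |
| SHA1 | 02e838588072b89202c2617b031ead98bcae891f |
| SHA256 | dc661e1cad58b100e8cbb1fdd4118ceab5606ba2efc15163c621f8a806f18bd1 |
| SHA512 | 5a71b619d4c223cbbf61f1ddcf010d53173c34ce550f533ab5b9f530d6af00a1b04815abf6b438b1f891e5f956d47e253e57c71b5789d93b9f3b29149324bf96 |
memory/4820-100-0x00007FF6C1FA0000-0x00007FF6C22F1000-memory.dmp
memory/4928-82-0x00007FF730CE0000-0x00007FF731031000-memory.dmp
memory/2404-64-0x00007FF76E830000-0x00007FF76EB81000-memory.dmp
memory/4820-127-0x00007FF6C1FA0000-0x00007FF6C22F1000-memory.dmp
"""

# Expected hex-digest length per algorithm; a row of the wrong length is a
# truncated or mangled hash and must not reach a blocklist.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# memory/<pid>-<dump index>-0x<start>-0x<end>-memory.dmp (sandbox naming on this page)
MEM_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_LINE = re.compile(r"^[A-Za-z]:\\")


def parse_report(text):
    """Return (files, regions).

    files:   OrderedDict  path -> {algorithm: lowercase hex digest}
    regions: list of dicts with pid, index, start, end and size in bytes
    """
    files = OrderedDict()
    regions = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_LINE.match(line):
            current = line
            files.setdefault(current, {})
            continue
        m = HASH_ROW.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError("hash row before any file path: %s" % line)
            if len(digest) != HASH_LEN[algo]:
                raise ValueError("bad %s digest length for %s" % (algo, current))
            files[current][algo] = digest
            continue
        m = MEM_LINE.match(line)
        if m:
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            regions.append({"pid": int(m.group(1)), "index": int(m.group(2)),
                            "start": start, "end": end, "size": end - start})
    return files, regions


def sha256_blocklist(files):
    """Sorted, de-duplicated SHA256 digests ready for an IOC feed."""
    return sorted({h["SHA256"] for h in files.values() if "SHA256" in h})


def region_sizes(regions):
    """Distinct mapped-region sizes seen across all dumps."""
    return sorted({r["size"] for r in regions})


def pids_by_image_base(regions):
    """Image base -> set of PIDs. The same base repeated for one PID at
    different dump indices is one image captured at different times."""
    out = {}
    for r in regions:
        out.setdefault(r["start"], set()).add(r["pid"])
    return out


if __name__ == "__main__":
    files, regions = parse_report(REPORT_EXCERPT)
    for path, hashes in files.items():
        print(path, hashes.get("SHA256"))
    print("region sizes:", [hex(s) for s in region_sizes(regions)])
    print("pids per image base:", pids_by_image_base(regions))
```

Run it on the full listing by pasting the rest of the entries into `REPORT_EXCERPT`; the length check is deliberately strict so a row that lost characters in extraction fails loudly instead of silently producing a hash that will never match anything.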