Analysis Overview
SHA256
392bb2b7c32e5344548d0dcebd59fdc44aaebba5b81aca573d8c898600e1e4b6
Threat Level: Known bad
The file 2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Xmrig family
xmrig
Cobaltstrike family
Cobaltstrike
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-10-27 06:30
Signatures
Cobalt Strike reflective loader
1 match recorded; the static report gives no description, indicator, process or target for it.
Cobaltstrike family
XMRig Miner payload
1 match recorded; the static report gives no description, indicator, process or target for it.
Xmrig family
UPX packed file
1 match recorded; the static report gives no description, indicator, process or target for it.
Unsigned PE
2 matches recorded; the static report gives no description, indicator, process or target for them.
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 06:30
Reported
2024-10-27 06:33
Platform
win7-20240903-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches recorded; the report gives no description, indicator, process or target for them.
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
38 matches recorded; the report gives no description, indicator, process or target for them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\BFROFlo.exe | N/A |
| N/A | N/A | C:\Windows\System\gDnmtGx.exe | N/A |
| N/A | N/A | C:\Windows\System\QLPJSgL.exe | N/A |
| N/A | N/A | C:\Windows\System\xrFeRFD.exe | N/A |
| N/A | N/A | C:\Windows\System\WEftmWK.exe | N/A |
| N/A | N/A | C:\Windows\System\MOIZZYJ.exe | N/A |
| N/A | N/A | C:\Windows\System\mVzdyTM.exe | N/A |
| N/A | N/A | C:\Windows\System\ffMHgHQ.exe | N/A |
| N/A | N/A | C:\Windows\System\ZxbSjLz.exe | N/A |
| N/A | N/A | C:\Windows\System\QpiUNFb.exe | N/A |
| N/A | N/A | C:\Windows\System\mKNEWyx.exe | N/A |
| N/A | N/A | C:\Windows\System\yGNBKBt.exe | N/A |
| N/A | N/A | C:\Windows\System\NxbANXK.exe | N/A |
| N/A | N/A | C:\Windows\System\AYgcBze.exe | N/A |
| N/A | N/A | C:\Windows\System\GQpKvIa.exe | N/A |
| N/A | N/A | C:\Windows\System\GfiaXxK.exe | N/A |
| N/A | N/A | C:\Windows\System\msLPbcc.exe | N/A |
| N/A | N/A | C:\Windows\System\SqHacEJ.exe | N/A |
| N/A | N/A | C:\Windows\System\qfiQasZ.exe | N/A |
| N/A | N/A | C:\Windows\System\cgOLVhA.exe | N/A |
| N/A | N/A | C:\Windows\System\WaXAKFj.exe | N/A |
Loads dropped DLL
UPX packed file
64 matches recorded; the report gives no description, indicator, process or target for them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
SeLockMemoryPrivilege is the right required to allocate large (huge) pages. XMRig enables it so that its RandomX dataset can be backed by large pages, so this signature is consistent with the XMRig classification above; a process that is not a known miner enabling this privilege deserves a second look.
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\BFROFlo.exe | C:\Windows\System\BFROFlo.exe |
| C:\Windows\System\gDnmtGx.exe | C:\Windows\System\gDnmtGx.exe |
| C:\Windows\System\QLPJSgL.exe | C:\Windows\System\QLPJSgL.exe |
| C:\Windows\System\xrFeRFD.exe | C:\Windows\System\xrFeRFD.exe |
| C:\Windows\System\mKNEWyx.exe | C:\Windows\System\mKNEWyx.exe |
| C:\Windows\System\WEftmWK.exe | C:\Windows\System\WEftmWK.exe |
| C:\Windows\System\yGNBKBt.exe | C:\Windows\System\yGNBKBt.exe |
| C:\Windows\System\MOIZZYJ.exe | C:\Windows\System\MOIZZYJ.exe |
| C:\Windows\System\NxbANXK.exe | C:\Windows\System\NxbANXK.exe |
| C:\Windows\System\mVzdyTM.exe | C:\Windows\System\mVzdyTM.exe |
| C:\Windows\System\AYgcBze.exe | C:\Windows\System\AYgcBze.exe |
| C:\Windows\System\ffMHgHQ.exe | C:\Windows\System\ffMHgHQ.exe |
| C:\Windows\System\GQpKvIa.exe | C:\Windows\System\GQpKvIa.exe |
| C:\Windows\System\ZxbSjLz.exe | C:\Windows\System\ZxbSjLz.exe |
| C:\Windows\System\GfiaXxK.exe | C:\Windows\System\GfiaXxK.exe |
| C:\Windows\System\QpiUNFb.exe | C:\Windows\System\QpiUNFb.exe |
| C:\Windows\System\msLPbcc.exe | C:\Windows\System\msLPbcc.exe |
| C:\Windows\System\qfiQasZ.exe | C:\Windows\System\qfiQasZ.exe |
| C:\Windows\System\SqHacEJ.exe | C:\Windows\System\SqHacEJ.exe |
| C:\Windows\System\cgOLVhA.exe | C:\Windows\System\cgOLVhA.exe |
| C:\Windows\System\WaXAKFj.exe | C:\Windows\System\WaXAKFj.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
This is the only destination contacted in this detonation, reached by IP with no domain resolved; the same host and port recur in behavioral2.
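The Processes, Network and Files sections of this detonation carry the artefacts an analyst would pivot on: the dropped-file naming pattern (seven letters directly under C:\Windows\System, not System32), the file hashes, the single TCP destination and the SeLockMemoryPrivilege request. The Python below is an added example written for this page, not code from the report or from the sandbox vendor. It parses hash rows copied verbatim from the Files section above and runs a small triage over constructed Sysmon/Security-log-style events; the field names Image, Hashes, DestinationIp, DestinationPort and EnabledPrivilegeList are the assumed shape of the event source, and the events themselves are made up.

```python
import re

# Excerpt copied verbatim from the behavioral1 Files section of this report
# (the first two dropped executables are enough to drive the example).
REPORT_EXCERPT = r"""
\Windows\system\BFROFlo.exe
| MD5 | af346e39460d073266452cbf8082afb1 |
| SHA1 | c3db709440e8c7f68fb44f08155d9563328c657c |
| SHA256 | 968bed06f4583807173ea847c0999bf54ab6f4d56556228ddf1b665167e092d7 |
memory/1088-9-0x000000013F780000-0x000000013FAD1000-memory.dmp
C:\Windows\system\MOIZZYJ.exe
| MD5 | e93b1c4ac1ecb78a92ebea1bce34f9fe |
| SHA1 | b3c67600ea7049d129f342e4844b65d2b5f429ba |
| SHA256 | 78c203416cab64f3cf8e9dc708d1b60c76192ef6501b40f97d62b0f5b14c8b05 |
"""

# A hash row of the report: "| ALGO | hex |"
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")

# Naming pattern of every dropped executable in both detonations:
# seven letters directly under <drive>:\Windows\System (System32 does not match).
DROPPED_EXE = re.compile(r"^[A-Za-z]:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)

# The one destination contacted in both detonations (IP, port).
REPORTED_DESTINATIONS = {("3.120.209.58", 8080)}


def extract_hashes(report_text):
    """Collect every hash from the report's Files tables, keyed by algorithm."""
    found = {"MD5": set(), "SHA1": set(), "SHA256": set(), "SHA512": set()}
    for line in report_text.splitlines():
        m = HASH_ROW.match(line.strip())
        if m:
            found[m.group(1)].add(m.group(2).lower())
    return found


def parse_sysmon_hashes(field):
    """Parse a Sysmon-style 'Hashes' field ('SHA256=..,MD5=..') into {ALGO: hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def triage_event(event, report_hashes):
    """Return the reasons this event matches the report; an empty list means no match."""
    reasons = []
    if DROPPED_EXE.match(event.get("Image", "")):
        reasons.append("image path matches the dropped-executable naming pattern")
    for algo, value in parse_sysmon_hashes(event.get("Hashes", "")).items():
        if value in report_hashes.get(algo, set()):
            reasons.append(f"{algo} matches a dropped file in the report")
    if (event.get("DestinationIp"), event.get("DestinationPort")) in REPORTED_DESTINATIONS:
        reasons.append("connects to the destination seen in both detonations")
    # Assumed field shape (Security event 4703 carries EnabledPrivilegeList).
    if "SeLockMemoryPrivilege" in event.get("EnabledPrivilegeList", ""):
        reasons.append("enabled SeLockMemoryPrivilege (large pages, as XMRig requests)")
    return reasons


# Constructed events for demonstration; none of these are from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "Hashes": "SHA256=" + "0" * 64},
    {"Image": r"C:\Windows\System\BFROFlo.exe",
     "Hashes": "SHA256=968BED06F4583807173EA847C0999BF54AB6F4D56556228DDF1B665167E092D7,"
               "MD5=af346e39460d073266452cbf8082afb1"},
    {"Image": r"C:\Windows\System\zzzzzzz.exe",
     "Hashes": "MD5=" + "f" * 32},
    {"Image": r"C:\Windows\System\WaXAKFj.exe",
     "DestinationIp": "3.120.209.58", "DestinationPort": 8080},
    {"Image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
]


def run(events=SAMPLE_EVENTS, report_text=REPORT_EXCERPT):
    """Map each event's Image to the list of reasons it matched the report."""
    hashes = extract_hashes(report_text)
    return {e["Image"]: triage_event(e, hashes) for e in events}


if __name__ == "__main__":
    for image, reasons in run().items():
        print(image, "->", reasons or ["no match"])
```

Treat the seven-letter path pattern as a hunt seed rather than a standalone alert: it is only what these two runs happened to produce, although executables written directly into C:\Windows\System are rare on a clean host. The hash and destination matches are exact and safe to alert on; the privilege check on its own will also fire on legitimate large-page users such as database servers.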
Files
memory/1088-0-0x000000013F240000-0x000000013F591000-memory.dmp
memory/1088-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\BFROFlo.exe
| MD5 | af346e39460d073266452cbf8082afb1 |
| SHA1 | c3db709440e8c7f68fb44f08155d9563328c657c |
| SHA256 | 968bed06f4583807173ea847c0999bf54ab6f4d56556228ddf1b665167e092d7 |
| SHA512 | 7e1bc5da26c315c645483efb96a7d3db078ae634f71231d9c44f3aacd9c07cea7aa0501900c6caae1d0c8419a4b516bc95bfa11b4e3ad67adc99c86fcf453feb |
\Windows\system\QLPJSgL.exe
| MD5 | 1e9b219181ba96ca4c28bdf7b7fe51e2 |
| SHA1 | 78d4e89d84951999757acd990b0fafe779ee2692 |
| SHA256 | f286242dd342289ca2d02c5453ed37c4db7838bdacca2360b756c65efe277765 |
| SHA512 | 823b5f7bad2d9de0be0a5cc76269efb6a7d61b6a182495d8d701370faea639b1828c676f4da4474c84e753a7245b58b68ccd3721bda6f65249f4dc74a353e2d5 |
memory/1088-9-0x000000013F780000-0x000000013FAD1000-memory.dmp
\Windows\system\gDnmtGx.exe
| MD5 | ec74b4629217b9b2c92a5dcf5bb56b4e |
| SHA1 | 299ccf88c16ab13b3a8853cfb31f5d7235c4cfa4 |
| SHA256 | 83ac208f23f1e556e325868ca759d3a8ab6b1894f33a96587efbc154ad627ef2 |
| SHA512 | baecb841378c83134f45d0da5537a92c29968a5f9bcac1b8fc608aaf6e95ab4c75c7a19241a9543efe1f54b35fd3085cfcb16d1d5f38cdb7482e9ed9f3aa2617 |
memory/1088-18-0x000000013F7B0000-0x000000013FB01000-memory.dmp
memory/2444-23-0x000000013F7B0000-0x000000013FB01000-memory.dmp
memory/2344-22-0x000000013F9F0000-0x000000013FD41000-memory.dmp
memory/1696-17-0x000000013F780000-0x000000013FAD1000-memory.dmp
memory/1088-14-0x000000013F9F0000-0x000000013FD41000-memory.dmp
\Windows\system\xrFeRFD.exe
| MD5 | 0f524b43828b6af7d51860f8ee708893 |
| SHA1 | 97cbf833d5c13aef7a3147762e3f228ac98ea7c3 |
| SHA256 | 8c5a598b1fc2ac366ea75ab1e3eec34e8bd09aa36b1b576ef6d77c21c758a62a |
| SHA512 | 2ddbea160b5e4ff8dfa84d450ab2ac0a224f2019ac0081d899440e049834cf4be40a731174b73b4282baecd4c4ce78aed9621fe7771cf2ff657b9f57a643a99c |
C:\Windows\system\MOIZZYJ.exe
| MD5 | e93b1c4ac1ecb78a92ebea1bce34f9fe |
| SHA1 | b3c67600ea7049d129f342e4844b65d2b5f429ba |
| SHA256 | 78c203416cab64f3cf8e9dc708d1b60c76192ef6501b40f97d62b0f5b14c8b05 |
| SHA512 | cf72b7af852775aa403a31848c2517249a6fd83e1b911c9723e6808258d8bad0653155327d2d9763aa9465dac22c3b887d4581c435effceb578afb2e6705605f |
\Windows\system\ZxbSjLz.exe
| MD5 | 9d06a6e0d690547146c6dd60d81c9b57 |
| SHA1 | b5b64bce0f653e01a51c298e04d0642a3059ef9e |
| SHA256 | c5c4dd21f359dc9916417b51f2ca91f31865ede8c686d2c7b5a16e867bb81748 |
| SHA512 | 84f1b4237b29f1af7c475522cb472d0ffdb311173534bb69c3f5e42aaf3e09c5088668a5095805804e2dfbca4120b73d3d7a067eda626a88fb382ac43ab873db |
\Windows\system\qfiQasZ.exe
| MD5 | 647f03a397fbb671e85a166934a53824 |
| SHA1 | a03c695469a92af6039d71e9f1fbf7a327fe281d |
| SHA256 | ef8e92352b1b168aed9ebc7a05c71fa4b2f96cdfa0fcf273ec813fa4e606c67d |
| SHA512 | 94c2b73ff54731ce97c3c289201e1a48a914060927c7a2bb78c80a00dc23866e629221b36514663db9e0b56455fb4cec1b88837cf3a5ccd5f43f9a123901e673 |
memory/1088-94-0x000000013FF80000-0x00000001402D1000-memory.dmp
C:\Windows\system\NxbANXK.exe
| MD5 | e9b3d11367a483c3fdbf327a1a9b83da |
| SHA1 | 171361c1140af742c44d4062e3ebcca1a4850365 |
| SHA256 | d6abf551e4e38d9ce5d154b643cbfa7c6d3c87dfb63739e8861c9ad75b7b2139 |
| SHA512 | 70e351afdf0aa3c95fb73d30c0b36cec9099909af4e04ff50b4f967fb3124d20abbd0f8b6cc34cb7e97d3dedd0ab4f601f4c47cbcde55d3218fc9c91e3285987 |
C:\Windows\system\GfiaXxK.exe
| MD5 | b9802c5a4b5d71a5525968c01332dfc9 |
| SHA1 | e716acddf9e1f02572a40cc4a29d15e4cd2b3899 |
| SHA256 | b808c84415bd7e1db832f9eb424a7bb19dc945179689ea0795884a994906e71b |
| SHA512 | 0c7ece077d96ed3fb0f32b2a0438f7ee7c28068cae9aebb126755f17356a342c56242d2c48f3035f7e0f7556b5ed31a1493274f89536e3cfb83d86847b703123 |
memory/1088-90-0x000000013F240000-0x000000013F591000-memory.dmp
\Windows\system\msLPbcc.exe
| MD5 | 362350cdd46eb5e796c8eaae562382fe |
| SHA1 | bfafee3a7b169e947a663d5b4d9a5b4c35f2497d |
| SHA256 | c621d55095331bec620c18e86610f4ac66691fe1703a5982e5f90b7e8021e380 |
| SHA512 | f85f95aadd3b52f993d833499d89360b552f47067329770741791d73003236f7b5e0ca0a401f53b99fcd85fda4f810c2f5614cea22452ab39ea00a4b9bd6da36 |
memory/1088-82-0x00000000022C0000-0x0000000002611000-memory.dmp
memory/2704-81-0x000000013F3C0000-0x000000013F711000-memory.dmp
memory/2872-79-0x000000013F1B0000-0x000000013F501000-memory.dmp
memory/1088-68-0x00000000022C0000-0x0000000002611000-memory.dmp
memory/2860-67-0x000000013F8A0000-0x000000013FBF1000-memory.dmp
C:\Windows\system\ffMHgHQ.exe
| MD5 | 09b8827546af5e11f213d35e1fbecd52 |
| SHA1 | 256bdf1fdbc015e3266c5fe70cf3502ca9f327a7 |
| SHA256 | 8131c8743542282063bec63a661267e689f05d0c803f9794020c92ec653cf239 |
| SHA512 | 9abcb6c3d641cf53ddc2c80bd003b8ee78d3f6a7eb3351dc286a3c6a056daa06bb919b53c62e94efa65ab1b7e38a459078cebb9a3ade2bef0698992fe4c92714 |
C:\Windows\system\mVzdyTM.exe
| MD5 | eb7d04f9fb88feb7d93df6fae4b72131 |
| SHA1 | 1b8a66d5b6882694da3f0f52e3fb369f8029ef96 |
| SHA256 | 485e3ea1dd5d80c367c0d778f5edb34243700424d062116278dcd3128576ce8a |
| SHA512 | 2eef732906017b4a6a9b19eec040c2eb87f58c830ad36aafb754369a59726153cfc2d1dba1b9e6999aa5c2f295819b9769706895e0e5ee434b23d7cb486dda52 |
\Windows\system\GQpKvIa.exe
| MD5 | 8e7c45a45a7a5b184dd165843ab504d3 |
| SHA1 | 65243be8aec65f42215bca11d914dd10b27be6c3 |
| SHA256 | 9a6700f270618b7147c32a4bbd5bad2520ef989378782201598500d326d961bd |
| SHA512 | 57c83785873424b9c2539716da9336ba17c78fcc6a3ade26d27f3a26bfc896469a037e3c8ce89ac79d090e802789fd91f1a730f1f0d542962646d5991f6e6436 |
\Windows\system\AYgcBze.exe
| MD5 | c5e12a3de48a44b17c715951f4fcec29 |
| SHA1 | 0d894b064a2da0f76bd5f64f05872cba6cc9d5a5 |
| SHA256 | 710bcab21727c9a94aa724464c194f01f4be4718001a541440b9c39b9c5f3dc2 |
| SHA512 | 088f1623e33ba59488ca68a58136b44b438408b5da90c4fac97b23274f101eb408e5673ef5272eefd2e7edece09d892c5a501ab41693f65239690d77c064b084 |
memory/2816-50-0x000000013F250000-0x000000013F5A1000-memory.dmp
C:\Windows\system\WEftmWK.exe
| MD5 | 75bdda8b1cf2bc918a72a36c5ffcbebc |
| SHA1 | 010fe4bda274b05eede90bacf80c26c620f251a0 |
| SHA256 | 8aa841f0c666dd8dbef3bb89b792f4c55d34f5ab65a09b0b0577ab229d459e90 |
| SHA512 | d3603b8ba3f2fc5ef75176d6b45ec90adb8f054f7fbf57a079b838324769c83e91e6375a87a0f92d1a8a6094aae36863f2bda8034dc0e4bf67183f3a15bf3877 |
\Windows\system\yGNBKBt.exe
| MD5 | d7eaceea28d9e7a88c419876d3ec12db |
| SHA1 | d8137ab22e7fd2a6ae62f0108e84af63536f2cff |
| SHA256 | dfa7863750a39f4b655f86b1f71e272081667611d74301c44130722981832d39 |
| SHA512 | ba146c098cef54d20843f18c99507a18a70d22715bc9bd2725336005d24733d96bbbf4febb7cf43f25687e065e84e8cf9ba41e7a59103937790cd497f0a0d4f4 |
\Windows\system\mKNEWyx.exe
| MD5 | c392cb0d1cbf6ec489e8bc034cdbf7d4 |
| SHA1 | 784008c4568e302cd5f5ef18d1106c533e9e7dcc |
| SHA256 | 6b1f909ae18cd07389d50d4ba0b2bab03d0421e91cf80099a49956fab0029249 |
| SHA512 | 2671d9d894cf8c10266c37e133b13a18b632826a14c44f46e6485bde628c38421e3713d6da899ba41018dfb2911dd4568490433e55dddde885ad3615c676f2f2 |
memory/1088-95-0x00000000022C0000-0x0000000002611000-memory.dmp
memory/1088-93-0x000000013F8A0000-0x000000013FBF1000-memory.dmp
C:\Windows\system\QpiUNFb.exe
| MD5 | 2092571d1713de95b7e3a5df5a3e1cf7 |
| SHA1 | cb11494fbd2eae4e5e4ed2912c26572596ccadf2 |
| SHA256 | c9d7f83226c3b210a50bc59dfef733632b2100b2d0886d5bdce8c56ec755e6e2 |
| SHA512 | c0f104a6d84fdd08ba323117567f3649d26e79bfc47a8e80f40958582a7bea27a891f4b408709bbf9bbdca6b7f4b88156afa51eccfaed405975da28cb619f757 |
memory/1088-63-0x00000000022C0000-0x0000000002611000-memory.dmp
memory/1088-55-0x00000000022C0000-0x0000000002611000-memory.dmp
memory/1088-38-0x00000000022C0000-0x0000000002611000-memory.dmp
memory/1088-35-0x000000013F620000-0x000000013F971000-memory.dmp
memory/2364-29-0x000000013F140000-0x000000013F491000-memory.dmp
memory/1088-25-0x00000000022C0000-0x0000000002611000-memory.dmp
\Windows\system\SqHacEJ.exe
| MD5 | eafc5ea2e607f741d08c9d878df0ec26 |
| SHA1 | ecf747a170f983af82d144172712702fd5094517 |
| SHA256 | a51d53d44958dffc5d0efe0af308e3183203fc18e4a72513b555d5399a96dd0d |
| SHA512 | 4945ddf03bcb89a11863de499c5f360537bf467d3f3ab45699ec8da4c2d5a7dd3a95e2858ce47b7724ed769f567dba68f020dd21884c876df23b37fb75e450e3 |
memory/1100-117-0x000000013FC50000-0x000000013FFA1000-memory.dmp
memory/2344-127-0x000000013F9F0000-0x000000013FD41000-memory.dmp
memory/2804-128-0x000000013F620000-0x000000013F971000-memory.dmp
memory/1088-126-0x00000000022C0000-0x0000000002611000-memory.dmp
memory/1088-125-0x00000000022C0000-0x0000000002611000-memory.dmp
memory/1608-124-0x000000013F4F0000-0x000000013F841000-memory.dmp
C:\Windows\system\cgOLVhA.exe
| MD5 | abb2eb23cca87ca05a44c6d85ebbc33b |
| SHA1 | e0cdc293c4d11af774186ca2104e5c0fb33cf874 |
| SHA256 | 95af843efdf692ed0702e3138f1b060523745099449ca522659edc583e8fb2c3 |
| SHA512 | 507f6d1517a6b1b9cc5d292c4dcd87d77d5d6e5e25267caaa183302bf06b5c58f11692163a7e67370a8580c4b56cfe2cc1264ed14f814ec07558e2257a93377e |
memory/1088-121-0x000000013FB40000-0x000000013FE91000-memory.dmp
memory/1088-113-0x000000013FC50000-0x000000013FFA1000-memory.dmp
C:\Windows\system\WaXAKFj.exe
| MD5 | 1f80626b0278efad25ac51cb863e6d64 |
| SHA1 | 6884ab99cce8911da512b8b38f47b1e5b0002d5b |
| SHA256 | d368dfe1a77b0be266ac50daf21f009caefb78ee834bb13f5da1503c466d7fa8 |
| SHA512 | 249919fe32a3d39fdbebeb3370afaf07b235ee45077fa44c630bbf6484a92764a7802199f0ff8fcdc7f421f72b5ccda843f79baa1ba16e7586f8f717f44ab527 |
memory/1088-137-0x000000013F240000-0x000000013F591000-memory.dmp
memory/2364-141-0x000000013F140000-0x000000013F491000-memory.dmp
memory/2744-155-0x000000013F590000-0x000000013F8E1000-memory.dmp
memory/1700-154-0x000000013FB40000-0x000000013FE91000-memory.dmp
memory/2548-150-0x000000013F120000-0x000000013F471000-memory.dmp
memory/2644-148-0x000000013FF80000-0x00000001402D1000-memory.dmp
memory/2564-146-0x000000013F300000-0x000000013F651000-memory.dmp
memory/2536-144-0x000000013F3B0000-0x000000013F701000-memory.dmp
memory/2816-143-0x000000013F250000-0x000000013F5A1000-memory.dmp
memory/2176-152-0x000000013F280000-0x000000013F5D1000-memory.dmp
memory/2872-147-0x000000013F1B0000-0x000000013F501000-memory.dmp
memory/1088-156-0x00000000022C0000-0x0000000002611000-memory.dmp
memory/1088-157-0x000000013F8A0000-0x000000013FBF1000-memory.dmp
memory/1088-158-0x000000013FB40000-0x000000013FE91000-memory.dmp
memory/1088-159-0x000000013F240000-0x000000013F591000-memory.dmp
memory/1392-161-0x000000013F980000-0x000000013FCD1000-memory.dmp
memory/2188-162-0x000000013F170000-0x000000013F4C1000-memory.dmp
memory/1788-160-0x000000013FD20000-0x0000000140071000-memory.dmp
memory/1696-211-0x000000013F780000-0x000000013FAD1000-memory.dmp
memory/2344-213-0x000000013F9F0000-0x000000013FD41000-memory.dmp
memory/2444-215-0x000000013F7B0000-0x000000013FB01000-memory.dmp
memory/2364-232-0x000000013F140000-0x000000013F491000-memory.dmp
memory/2816-234-0x000000013F250000-0x000000013F5A1000-memory.dmp
memory/2860-236-0x000000013F8A0000-0x000000013FBF1000-memory.dmp
memory/2872-238-0x000000013F1B0000-0x000000013F501000-memory.dmp
memory/2704-240-0x000000013F3C0000-0x000000013F711000-memory.dmp
memory/1100-242-0x000000013FC50000-0x000000013FFA1000-memory.dmp
memory/1608-244-0x000000013F4F0000-0x000000013F841000-memory.dmp
memory/2804-246-0x000000013F620000-0x000000013F971000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 06:30
Reported
2024-10-27 06:33
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches recorded; the report gives no description, indicator, process or target for them.
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
45 matches recorded; the report gives no description, indicator, process or target for them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\FiltYEg.exe | N/A |
| N/A | N/A | C:\Windows\System\Auhmvpm.exe | N/A |
| N/A | N/A | C:\Windows\System\qDyojyW.exe | N/A |
| N/A | N/A | C:\Windows\System\Xyiomhp.exe | N/A |
| N/A | N/A | C:\Windows\System\CtKzsgr.exe | N/A |
| N/A | N/A | C:\Windows\System\YNJhAEW.exe | N/A |
| N/A | N/A | C:\Windows\System\HjDdCrC.exe | N/A |
| N/A | N/A | C:\Windows\System\fVtVWim.exe | N/A |
| N/A | N/A | C:\Windows\System\PZbPtpM.exe | N/A |
| N/A | N/A | C:\Windows\System\GvQmHXp.exe | N/A |
| N/A | N/A | C:\Windows\System\ekMBouZ.exe | N/A |
| N/A | N/A | C:\Windows\System\fFIyMqz.exe | N/A |
| N/A | N/A | C:\Windows\System\MYNWPOM.exe | N/A |
| N/A | N/A | C:\Windows\System\BChxpqO.exe | N/A |
| N/A | N/A | C:\Windows\System\FLSXaLu.exe | N/A |
| N/A | N/A | C:\Windows\System\ZNXgVod.exe | N/A |
| N/A | N/A | C:\Windows\System\DsZyxxH.exe | N/A |
| N/A | N/A | C:\Windows\System\njEQiJe.exe | N/A |
| N/A | N/A | C:\Windows\System\DQHnbWi.exe | N/A |
| N/A | N/A | C:\Windows\System\rYwpRdF.exe | N/A |
| N/A | N/A | C:\Windows\System\hUfXJQA.exe | N/A |
UPX packed file
64 matches recorded; the report gives no description, indicator, process or target for them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-10-27_9948f7655658372d3a3a7dd21637236b_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\FiltYEg.exe | C:\Windows\System\FiltYEg.exe |
| C:\Windows\System\Auhmvpm.exe | C:\Windows\System\Auhmvpm.exe |
| C:\Windows\System\qDyojyW.exe | C:\Windows\System\qDyojyW.exe |
| C:\Windows\System\Xyiomhp.exe | C:\Windows\System\Xyiomhp.exe |
| C:\Windows\System\CtKzsgr.exe | C:\Windows\System\CtKzsgr.exe |
| C:\Windows\System\YNJhAEW.exe | C:\Windows\System\YNJhAEW.exe |
| C:\Windows\System\HjDdCrC.exe | C:\Windows\System\HjDdCrC.exe |
| C:\Windows\System\fVtVWim.exe | C:\Windows\System\fVtVWim.exe |
| C:\Windows\System\PZbPtpM.exe | C:\Windows\System\PZbPtpM.exe |
| C:\Windows\System\GvQmHXp.exe | C:\Windows\System\GvQmHXp.exe |
| C:\Windows\System\ekMBouZ.exe | C:\Windows\System\ekMBouZ.exe |
| C:\Windows\System\fFIyMqz.exe | C:\Windows\System\fFIyMqz.exe |
| C:\Windows\System\MYNWPOM.exe | C:\Windows\System\MYNWPOM.exe |
| C:\Windows\System\BChxpqO.exe | C:\Windows\System\BChxpqO.exe |
| C:\Windows\System\FLSXaLu.exe | C:\Windows\System\FLSXaLu.exe |
| C:\Windows\System\ZNXgVod.exe | C:\Windows\System\ZNXgVod.exe |
| C:\Windows\System\DsZyxxH.exe | C:\Windows\System\DsZyxxH.exe |
| C:\Windows\System\njEQiJe.exe | C:\Windows\System\njEQiJe.exe |
| C:\Windows\System\DQHnbWi.exe | C:\Windows\System\DQHnbWi.exe |
| C:\Windows\System\rYwpRdF.exe | C:\Windows\System\rYwpRdF.exe |
| C:\Windows\System\hUfXJQA.exe | C:\Windows\System\hUfXJQA.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
The reverse (PTR) lookups through 8.8.8.8 and the tse1.mm.bing.net traffic are consistent with ordinary Windows 10 background activity in the sandbox rather than with the sample. The one destination common to both detonations, and the only one reached by IP with no resolved domain, is 3.120.209.58:8080 over TCP.
Files
memory/3592-0-0x00007FF793450000-0x00007FF7937A1000-memory.dmp
memory/3592-1-0x000001FE5B6F0000-0x000001FE5B700000-memory.dmp
C:\Windows\System\FiltYEg.exe
| MD5 | 1f791207fd69d7a13e98f55f0d9dc7d2 |
| SHA1 | 61c4a04281cf4961cb2e879b25d2524c76acae43 |
| SHA256 | 6751841af1ea9a47173ff376e7e3f06da963d47d2510c667bceeefde173fcd21 |
| SHA512 | c397c2fbb73aa472f5d34cf91a405f867daa7f3915d54f561236f49706eba2c30aea0387971cb068c818a0007be8306ece97d284c20103fc32c015c11eb787e3 |
C:\Windows\System\Auhmvpm.exe
| MD5 | 0e08bd84fb3ed82231940fc6cf99b2d4 |
| SHA1 | f170a17ba37922010cd4ad3d579500906ab20e5d |
| SHA256 | 71ae346ae9fa2779b0a644636c6afdf184b426eea3fcd92fb7b067b6ffa4d47e |
| SHA512 | 4f0d4f4dc023163bba95a7e268f2ec1a1a9fd670116beec0d9e1b38754464178c58e50b5afdb01fe3e7e27999d88394ad5fa59989cebf66347dc332aa4963191 |
memory/944-9-0x00007FF6B3D20000-0x00007FF6B4071000-memory.dmp
memory/2084-20-0x00007FF6435D0000-0x00007FF643921000-memory.dmp
C:\Windows\System\CtKzsgr.exe
| MD5 | 8edee2d80f8178d1ac2487abfe4a30e2 |
| SHA1 | 620365f905579f7a000432323e2fc2e5bfd30ed4 |
| SHA256 | 2191f71982305e00e770628348fa2465d9ca213c8cd77bb9a0cdc72300f0d409 |
| SHA512 | d6ed1eb1a5484d8fb5284bd748a49c7bc59448789343af1cc9ae412fdfe65faf05218608f6114601537ca94280fbb734f4e69c6c057bda97d122245b3a23d766 |
memory/2336-30-0x00007FF76E250000-0x00007FF76E5A1000-memory.dmp
C:\Windows\System\fFIyMqz.exe
| MD5 | bfdc78c463cf23e0bbf9c5c2266bd74e |
| SHA1 | 6c33fcbea63e1e8f3b0e3426cd3195773e032d2b |
| SHA256 | 414b514e0c63b1f0a026d7f5d5136ae41805ca500c30190907ed87eab6140ed1 |
| SHA512 | 81c30ac8a8e5fc7edbfd3c58f82989a53c2158ef077337ad9f7b4c0629f71f858b387c67fbc53f0b8c06a2d45f4ec4db47edf22017c775ba9f1131905954012f |
C:\Windows\System\ekMBouZ.exe
| MD5 | 5d231b9be3a53ced40074c6849162c5e |
| SHA1 | eb200dcf3a7093cd16ce2941a15c14c65cc85bc5 |
| SHA256 | c2d80c52ea13c10ad29065310bb35c2434cf7beb1c1029c59ccc11937c8dedf2 |
| SHA512 | 0526bcb966a8cf700b490a3f094309a0709552969cf921541ce392d8242b00a3dfc858c5f8895c269e4d03aed48eb37eb38ef49feff10934a40cfc2aafa05fae |
memory/2616-63-0x00007FF79B470000-0x00007FF79B7C1000-memory.dmp
C:\Windows\System\fVtVWim.exe
| MD5 | 7456c4b01e9f1bbcbb1d38f6acc7e4a7 |
| SHA1 | bcf0f2ab759a1a328564eed8066bc2b4778c25fb |
| SHA256 | 35ae01c4de3b77d0cfc9c8c1dd4dbb7879f742e2ea4bcd0cdbd1a3f54472bc54 |
| SHA512 | 501bd3cca8fa471e013c4285bc765edd9a3b0e246b01619efcf6e1373721e6814a2aeeff4b1ac3d167917e04343ad100b54851a3321b874412f8402967081d1a |
C:\Windows\System\GvQmHXp.exe
| MD5 | 1e9c2f344e5fe9fe1bc812a32811ffc2 |
| SHA1 | 1bd6cca12481db51db0002f1b41ef2360325cf34 |
| SHA256 | 8d255648120e7d12bc5162185f6378c67f7dae5baa024cd22ca55261f5e9e383 |
| SHA512 | e16bc708ecbd9ce7d9b15f59c07468099d5df4e708cbc185d47e3fa8661bfb0879a20aec6def52615ee39eac15aa633abba8106f72f337947a07b7b5e6285119 |
C:\Windows\System\PZbPtpM.exe
| MD5 | 960323918137c8a29443f829584b9a92 |
| SHA1 | d2e38d1c81315ba988879f57b8f5965e42766362 |
| SHA256 | 9e6e90ab9399dd1aac28091895f6153e40d82a288feb50d738be75b85e5a429e |
| SHA512 | eb93092abf8f2c5f33e51d1668197cce2add3d72cf74a1a392e6e26b3e8c4987b2f4856e07644a7c011976dec19d001bffaf5a018f72ef034636867b6db5ddc6 |
C:\Windows\System\YNJhAEW.exe
| MD5 | 1a175784c491cb821dbdd5a1ec1eeaa9 |
| SHA1 | 30593dfb0792439aa8c3c4ef274912300f5f156b |
| SHA256 | 665cca3c33b1dd2f7869fb9aee6df978b51ed16093a9af1941a3dd8c0f000c36 |
| SHA512 | 1e7b2cd5d97c84c4fb13edeb7e4c2c9ec3c8c627501f9d5cb56904f02aa41b16d2995ec7aa1fd6689795b58e5454e0accedd84dca1e109ea74f6511c47e46f00 |
C:\Windows\System\HjDdCrC.exe
| MD5 | 0085e3e4250ad4f06ae4a033009822d0 |
| SHA1 | 9d8855a6d2301a369eda33b77f72506e859972fd |
| SHA256 | bad7e3ef7bd528ab8608e6817dba401678f5378a62dd8fad46d60655c436506d |
| SHA512 | 50e4848d2931c37372f62906afb9831dad6bd056d995a6daa773bb1ccc41bc47152a7aede5e210f5ebcc70b53670bd4646d8a7093543b87aff60e0d07fe5f9fa |
memory/2872-45-0x00007FF662730000-0x00007FF662A81000-memory.dmp
memory/3856-44-0x00007FF736050000-0x00007FF7363A1000-memory.dmp
memory/1852-34-0x00007FF7C4F70000-0x00007FF7C52C1000-memory.dmp
C:\Windows\System\Xyiomhp.exe
| MD5 | 611adf5e2c8c21c030161265209916fc |
| SHA1 | bbab0d4227f99df50d0a0edfc48a7b5d9fc44d21 |
| SHA256 | a9b55ab889937f0a9143c10a3c9335d0a6b1826ddbe93605f0428f3b18a3aa2b |
| SHA512 | 8e70237476bcd800ac7c56d55490c8671246e93b1d6e84656688449cd1ac983f84491dbe5b0b948203fe2aeba142f40ffbcd2e35f96a7cedeb63b10700c69204 |
C:\Windows\System\qDyojyW.exe
| MD5 | b4390c97a50942ee8d57ffa8b2f1056a |
| SHA1 | 5b3501e2e0e46f1ab66691394e947d7421bb148e |
| SHA256 | 86b8bffd6972a16b859784a562cc00c5ff5139a5c8d8f6ba72095e72deb61497 |
| SHA512 | 83eb04eff7d37f1365bf6a4b5eca92a2465a4040e0e16e5165408f4b7316867795d97dd2990548b6c4a89ea7962de3dc5ddb41d30ff35828c4209b5d1c682a41 |
memory/4320-12-0x00007FF68B0E0000-0x00007FF68B431000-memory.dmp
memory/4244-74-0x00007FF6EA850000-0x00007FF6EABA1000-memory.dmp
C:\Windows\System\DsZyxxH.exe
| MD5 | d328eb9503ac2b60ff62b219ab861d13 |
| SHA1 | 5f458b41456366e5edd0752fce889e196aae4dec |
| SHA256 | 266c59639aa524ebb0887cf88cc63270a6a6a0b10893e1199a54773a54cc001a |
| SHA512 | 91bbc024df9263e9ff7dac8206693a4ca98709e7e0879f0b6abe125776b457adf98e3d5d63b247eecd535f509af4f5ace5fc6be9bc1f2b393b6eaa7ceb786fe9 |
C:\Windows\System\ZNXgVod.exe
| MD5 | 26e1fd0ce30fa14058c0d05aae47e5e2 |
| SHA1 | 2fcf4fba98204337636e103bf3c551de7dde9cd6 |
| SHA256 | 7960a03732b1ca04221a496c071763dedc7878637923c1787cd8afa4c3b9e0f2 |
| SHA512 | c318b4701c4a806796f30fd940e82ebad66299bd46481a2ac756ad834535834ea9d94867373bc682dfe589d61ef97fe474bc412e925eebf377b5a91c08f89b4c |
C:\Windows\System\hUfXJQA.exe
| MD5 | 7b17bd1cb01db6b8ff49fd0dac97c3b3 |
| SHA1 | 9596d453622ccd88bcfa07ae3f3e47cb667f8067 |
| SHA256 | 0924308283f60ae310c43b989c2186894ccf097b3787e887c51b2a0307a0910f |
| SHA512 | a3c04f66355c6d45907ee79c4843776c4ac426bfd92d5e6be2e0dc757c8dc429a8738cb1761b15a7531847f7dc746490baec545d181b242af24e59f981668155 |
memory/4764-114-0x00007FF77F440000-0x00007FF77F791000-memory.dmp
C:\Windows\System\rYwpRdF.exe
| MD5 | ba29bd207d62821c67f90c2035c0fac0 |
| SHA1 | 813be3386f55e5d994f01e5df28d6bcac94400a2 |
| SHA256 | 13228d103054c262fa75e34452bc89f2ec24726b5ed4ab5dae46bedd9b9c57d5 |
| SHA512 | 9870ad1093f621798aacde69c9a2462237a9e26ec6c4d637ceb5c5c5db39da8e4d86ed527ad0bdc03182665ca980675f9e05f8ebb688a0edc8f9b3cd9c912c22 |
C:\Windows\System\DQHnbWi.exe
| MD5 | 828bac2b953c0396b856e97db7a10de4 |
| SHA1 | 0e87b0555fa7af9fc14824d4a65c842feef6b3f0 |
| SHA256 | c5848b9c980bc5b15503262576ea55c27214f4ecdb16f1af588b809bcbd0ac5a |
| SHA512 | 2c15730e67a180a2f47f77556a4681e6b5cd107792c70d1a06c4dc4150780e4b436a1eb1e76798e9e2396c62002e5f709d4ed9086146974f375cfe816161621e |
C:\Windows\System\FLSXaLu.exe
| MD5 | 03f3e33d218b8603e5554a40f73c6fe6 |
| SHA1 | 286abe3b418fa137bf3254cb42e9f07857b21aef |
| SHA256 | bb187d3585a0b112dea50b55e948b4960f50d01efcab44ee387bfab082f71463 |
| SHA512 | 445ba189b7c5a349c42e0bb02eb75bd4f73a73634b3733a3616a2d7713a44a3012b6d1ac508b41c57f9121ec0ce55375f2c07afc3ce956be33665190e1e28a96 |
C:\Windows\System\BChxpqO.exe
| MD5 | 122fb033b074291afb03667425e943d1 |
| SHA1 | 7292a3d6d615ea1511eae6dffe2ed777b3552e8d |
| SHA256 | 788937c7e3e99a5ff1572ee4a65d76a26b67e0d1519dbe0e3735ee614f6c161b |
| SHA512 | 2c02e023e90a3ebb857821609f07ce2830ed472962b8a5d6950a79a90eec6a84642f226fd89f36f7134aeee972e72d81021ff24145d02bfb99bbd74037910ede |
C:\Windows\System\MYNWPOM.exe
| MD5 | e443dd9913b832d473059c8bf6667ea9 |
| SHA1 | 41a7cf630a323625c256ae82d26a5d04177fd9ad |
| SHA256 | ffb92b0ac555df7c8b5c43b18e8cc4098c011c55fbcf5315bd0e79bab3c3ce1f |
| SHA512 | 10ea451509a9695af2f176829c72ea0bec2468ee512a31c4d8a1a01063eef7fa1d7ef4ef07cbca943eb0fcac96cf6da8736a49898381753f05e6cc6941c62ad1 |
memory/2656-98-0x00007FF7FC690000-0x00007FF7FC9E1000-memory.dmp
C:\Windows\System\njEQiJe.exe
| MD5 | 7c5437642a73599a192259e15c7740b3 |
| SHA1 | 0baeecdde25f20e2ee1063d9dd800e0fd4cd12a5 |
| SHA256 | 98177afc90279ba41574b6854ee236610eb735bc166dca02c087172a615fba9b |
| SHA512 | 7db92b6c70cd7a93adae7c51a8879711e89e96095738505eebd41604ae1c3aba6e339e5244e149a14e69ccf3f44fde6cae3db3089267dc7d4b3988548c85dfab |
memory/4588-87-0x00007FF6419D0000-0x00007FF641D21000-memory.dmp
memory/3116-86-0x00007FF6E2B80000-0x00007FF6E2ED1000-memory.dmp
memory/4880-120-0x00007FF668F30000-0x00007FF669281000-memory.dmp
memory/2956-122-0x00007FF672490000-0x00007FF6727E1000-memory.dmp
memory/1292-121-0x00007FF7586E0000-0x00007FF758A31000-memory.dmp
memory/1816-123-0x00007FF766590000-0x00007FF7668E1000-memory.dmp
memory/4432-124-0x00007FF6AA0B0000-0x00007FF6AA401000-memory.dmp
memory/1444-125-0x00007FF610A90000-0x00007FF610DE1000-memory.dmp
memory/2524-126-0x00007FF699710000-0x00007FF699A61000-memory.dmp
memory/2680-127-0x00007FF7954E0000-0x00007FF795831000-memory.dmp
memory/3592-128-0x00007FF793450000-0x00007FF7937A1000-memory.dmp
memory/2084-131-0x00007FF6435D0000-0x00007FF643921000-memory.dmp
memory/3592-136-0x00007FF793450000-0x00007FF7937A1000-memory.dmp
memory/3856-134-0x00007FF736050000-0x00007FF7363A1000-memory.dmp
memory/1852-133-0x00007FF7C4F70000-0x00007FF7C52C1000-memory.dmp
memory/4320-130-0x00007FF68B0E0000-0x00007FF68B431000-memory.dmp
memory/944-129-0x00007FF6B3D20000-0x00007FF6B4071000-memory.dmp
memory/2336-132-0x00007FF76E250000-0x00007FF76E5A1000-memory.dmp
memory/3116-141-0x00007FF6E2B80000-0x00007FF6E2ED1000-memory.dmp
memory/4764-145-0x00007FF77F440000-0x00007FF77F791000-memory.dmp
memory/2656-143-0x00007FF7FC690000-0x00007FF7FC9E1000-memory.dmp
memory/4588-142-0x00007FF6419D0000-0x00007FF641D21000-memory.dmp
memory/2616-138-0x00007FF79B470000-0x00007FF79B7C1000-memory.dmp
memory/3592-151-0x00007FF793450000-0x00007FF7937A1000-memory.dmp
memory/944-213-0x00007FF6B3D20000-0x00007FF6B4071000-memory.dmp
memory/4320-215-0x00007FF68B0E0000-0x00007FF68B431000-memory.dmp
memory/2084-217-0x00007FF6435D0000-0x00007FF643921000-memory.dmp
memory/2336-219-0x00007FF76E250000-0x00007FF76E5A1000-memory.dmp
memory/2872-221-0x00007FF662730000-0x00007FF662A81000-memory.dmp
memory/1852-223-0x00007FF7C4F70000-0x00007FF7C52C1000-memory.dmp
memory/1816-227-0x00007FF766590000-0x00007FF7668E1000-memory.dmp
memory/3856-226-0x00007FF736050000-0x00007FF7363A1000-memory.dmp
memory/2616-231-0x00007FF79B470000-0x00007FF79B7C1000-memory.dmp
memory/4244-229-0x00007FF6EA850000-0x00007FF6EABA1000-memory.dmp
memory/4880-247-0x00007FF668F30000-0x00007FF669281000-memory.dmp
memory/1444-250-0x00007FF610A90000-0x00007FF610DE1000-memory.dmp
memory/1292-254-0x00007FF7586E0000-0x00007FF758A31000-memory.dmp
memory/2956-256-0x00007FF672490000-0x00007FF6727E1000-memory.dmp
memory/4764-258-0x00007FF77F440000-0x00007FF77F791000-memory.dmp
memory/2680-252-0x00007FF7954E0000-0x00007FF795831000-memory.dmp
memory/2524-249-0x00007FF699710000-0x00007FF699A61000-memory.dmp
memory/2656-244-0x00007FF7FC690000-0x00007FF7FC9E1000-memory.dmp
memory/4588-242-0x00007FF6419D0000-0x00007FF641D21000-memory.dmp
memory/4432-240-0x00007FF6AA0B0000-0x00007FF6AA401000-memory.dmp
memory/3116-239-0x00007FF6E2B80000-0x00007FF6E2ED1000-memory.dmp
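As an added example, not part of this sandbox report or of any tool the page describes, the following Python parses the dropped-file and memory-dump listing above into usable indicators: it collects the per-file hashes, rejects digests whose length does not fit the stated algorithm (a mis-pasted hash is worthless as a blocklist entry), lists one entry per dumped process region, and histograms region sizes. The sample input is a subset of lines copied from this section; the function names and the drop-path heuristic (random 7-letter executables written directly under C:\Windows\System\) are the editor's own assumptions drawn from the paths listed here.

```python
"""Parse a sandbox 'dropped files / memory dumps' listing into IOCs.

Added example, not part of the original report. The input format is the one
used on this page: a dropped-file path line followed by `| <algo> | <hex> |`
rows, and `memory/<pid>-<index>-<start>-<end>-memory.dmp` dump names.
"""
import re
from collections import Counter

# Sample input: lines copied from the listing on this page (a subset).
SAMPLE_REPORT = """\
C:\\Windows\\System\\GvQmHXp.exe
| MD5 | 1e9c2f344e5fe9fe1bc812a32811ffc2 |
| SHA1 | 1bd6cca12481db51db0002f1b41ef2360325cf34 |
| SHA256 | 8d255648120e7d12bc5162185f6378c67f7dae5baa024cd22ca55261f5e9e383 |
| SHA512 | e16bc708ecbd9ce7d9b15f59c07468099d5df4e708cbc185d47e3fa8661bfb0879a20aec6def52615ee39eac15aa633abba8106f72f337947a07b7b5e6285119 |
C:\\Windows\\System\\PZbPtpM.exe
| MD5 | 960323918137c8a29443f829584b9a92 |
| SHA1 | d2e38d1c81315ba988879f57b8f5965e42766362 |
| SHA256 | 9e6e90ab9399dd1aac28091895f6153e40d82a288feb50d738be75b85e5a429e |
| SHA512 | eb93092abf8f2c5f33e51d1668197cce2add3d72cf74a1a392e6e26b3e8c4987b2f4856e07644a7c011976dec19d001bffaf5a018f72ef034636867b6db5ddc6 |
memory/2872-45-0x00007FF662730000-0x00007FF662A81000-memory.dmp
memory/3856-44-0x00007FF736050000-0x00007FF7363A1000-memory.dmp
memory/1852-34-0x00007FF7C4F70000-0x00007FF7C52C1000-memory.dmp
memory/3856-134-0x00007FF736050000-0x00007FF7363A1000-memory.dmp
"""

EXPECTED_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_report(text):
    """Return ({path: {algo: hexdigest}}, [dump dicts]) from the listing text."""
    dropped, dumps, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            dumps.append({"pid": int(pid), "index": int(idx),
                          "start": int(start, 16), "end": int(end, 16)})
            current = None          # a dump line ends the current file's hash rows
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, digest = m.groups()
            dropped[current][algo] = digest.lower()
            continue
        if PATH_RE.match(line):
            current = line
            dropped.setdefault(current, {})
        # headers, N/A rows and anything else are ignored
    return dropped, dumps


def validate_hashes(dropped):
    """(path, algo) pairs whose digest length does not match the algorithm."""
    return [(p, a) for p, hs in dropped.items()
            for a, d in hs.items() if len(d) != EXPECTED_HEX_LEN[a]]


def hash_iocs(dropped, algo="SHA256"):
    """Deduplicated, sorted digests of one algorithm, ready for a blocklist."""
    return sorted({hs[algo] for hs in dropped.values() if algo in hs})


def region_sizes(dumps):
    """Histogram of dumped-region sizes. Many dumps of identical size across
    different PIDs suggests the same image mapped in each process."""
    return Counter(d["end"] - d["start"] for d in dumps)


def distinct_regions(dumps):
    """One entry per (pid, start, end); a region can be dumped more than once."""
    return sorted({(d["pid"], d["start"], d["end"]) for d in dumps})


def suspicious_drop_paths(dropped):
    """Heuristic assumed from this report's paths: 7-letter random .exe names
    written directly under C:\\Windows\\System\\ (not System32)."""
    pat = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
    return [p for p in dropped if pat.match(p)]


if __name__ == "__main__":
    files, regions = parse_report(SAMPLE_REPORT)
    print("bad digests:", validate_hashes(files))
    print("sha256 blocklist:", hash_iocs(files))
    print("region sizes:", {hex(k): v for k, v in region_sizes(regions).items()})
    print("distinct regions:", len(distinct_regions(regions)))
    print("random-name drops:", suspicious_drop_paths(files))
```

On the four sample dump names every region is 0x351000 bytes, and PID 3856 was dumped twice at the same range (indices 44 and 134), so the four dump files describe three process regions. The size check is a quick way to notice, from the listing alone, that every dropped executable appears to map the same-sized image.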