Analysis Overview
SHA256
4d314d0d6ad2e348cb8ee7ccce4c24584d8a66f28edb0c7e0d1d4a1ceb9d89ba
Threat Level: Known bad
The file 2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobaltstrike
xmrig
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-11-09 15:26
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 15:26
Reported
2024-11-09 15:28
Platform
win7-20241010-en
Max time kernel
147s
Max time network
148s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\cPDitjp.exe | N/A |
| N/A | N/A | C:\Windows\System\wyRjevo.exe | N/A |
| N/A | N/A | C:\Windows\System\hbdSkJS.exe | N/A |
| N/A | N/A | C:\Windows\System\QjvttAT.exe | N/A |
| N/A | N/A | C:\Windows\System\AtpNFyh.exe | N/A |
| N/A | N/A | C:\Windows\System\LonQnje.exe | N/A |
| N/A | N/A | C:\Windows\System\bDaWWdr.exe | N/A |
| N/A | N/A | C:\Windows\System\Lxdgula.exe | N/A |
| N/A | N/A | C:\Windows\System\mBpeirY.exe | N/A |
| N/A | N/A | C:\Windows\System\dmRSYzc.exe | N/A |
| N/A | N/A | C:\Windows\System\XZlMAbs.exe | N/A |
| N/A | N/A | C:\Windows\System\fsBwxTK.exe | N/A |
| N/A | N/A | C:\Windows\System\rPQUHCY.exe | N/A |
| N/A | N/A | C:\Windows\System\JUccupJ.exe | N/A |
| N/A | N/A | C:\Windows\System\CWCYbYg.exe | N/A |
| N/A | N/A | C:\Windows\System\aRUoyel.exe | N/A |
| N/A | N/A | C:\Windows\System\LkouLZi.exe | N/A |
| N/A | N/A | C:\Windows\System\fzEXKsg.exe | N/A |
| N/A | N/A | C:\Windows\System\YIhPsoM.exe | N/A |
| N/A | N/A | C:\Windows\System\iDuUlws.exe | N/A |
| N/A | N/A | C:\Windows\System\gdYTCvo.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\cPDitjp.exe | C:\Windows\System\cPDitjp.exe |
| C:\Windows\System\wyRjevo.exe | C:\Windows\System\wyRjevo.exe |
| C:\Windows\System\hbdSkJS.exe | C:\Windows\System\hbdSkJS.exe |
| C:\Windows\System\QjvttAT.exe | C:\Windows\System\QjvttAT.exe |
| C:\Windows\System\AtpNFyh.exe | C:\Windows\System\AtpNFyh.exe |
| C:\Windows\System\LonQnje.exe | C:\Windows\System\LonQnje.exe |
| C:\Windows\System\bDaWWdr.exe | C:\Windows\System\bDaWWdr.exe |
| C:\Windows\System\mBpeirY.exe | C:\Windows\System\mBpeirY.exe |
| C:\Windows\System\Lxdgula.exe | C:\Windows\System\Lxdgula.exe |
| C:\Windows\System\dmRSYzc.exe | C:\Windows\System\dmRSYzc.exe |
| C:\Windows\System\XZlMAbs.exe | C:\Windows\System\XZlMAbs.exe |
| C:\Windows\System\fsBwxTK.exe | C:\Windows\System\fsBwxTK.exe |
| C:\Windows\System\rPQUHCY.exe | C:\Windows\System\rPQUHCY.exe |
| C:\Windows\System\JUccupJ.exe | C:\Windows\System\JUccupJ.exe |
| C:\Windows\System\CWCYbYg.exe | C:\Windows\System\CWCYbYg.exe |
| C:\Windows\System\aRUoyel.exe | C:\Windows\System\aRUoyel.exe |
| C:\Windows\System\LkouLZi.exe | C:\Windows\System\LkouLZi.exe |
| C:\Windows\System\fzEXKsg.exe | C:\Windows\System\fzEXKsg.exe |
| C:\Windows\System\YIhPsoM.exe | C:\Windows\System\YIhPsoM.exe |
| C:\Windows\System\iDuUlws.exe | C:\Windows\System\iDuUlws.exe |
| C:\Windows\System\gdYTCvo.exe | C:\Windows\System\gdYTCvo.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 15:26
Reported
2024-11-09 15:28
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\fzYNEKh.exe | N/A |
| N/A | N/A | C:\Windows\System\JhLjgWd.exe | N/A |
| N/A | N/A | C:\Windows\System\QTNxBTd.exe | N/A |
| N/A | N/A | C:\Windows\System\yjYDGbE.exe | N/A |
| N/A | N/A | C:\Windows\System\QUmHaXc.exe | N/A |
| N/A | N/A | C:\Windows\System\NxSEJRq.exe | N/A |
| N/A | N/A | C:\Windows\System\loXGOTA.exe | N/A |
| N/A | N/A | C:\Windows\System\EQiafCt.exe | N/A |
| N/A | N/A | C:\Windows\System\NiVDbLU.exe | N/A |
| N/A | N/A | C:\Windows\System\xMaiiDF.exe | N/A |
| N/A | N/A | C:\Windows\System\ulRcvWn.exe | N/A |
| N/A | N/A | C:\Windows\System\fSwfdtt.exe | N/A |
| N/A | N/A | C:\Windows\System\yYggjHK.exe | N/A |
| N/A | N/A | C:\Windows\System\lahHBUY.exe | N/A |
| N/A | N/A | C:\Windows\System\BvfOWnI.exe | N/A |
| N/A | N/A | C:\Windows\System\joIsNNo.exe | N/A |
| N/A | N/A | C:\Windows\System\btCdhuW.exe | N/A |
| N/A | N/A | C:\Windows\System\cwbXTRm.exe | N/A |
| N/A | N/A | C:\Windows\System\RihbiHd.exe | N/A |
| N/A | N/A | C:\Windows\System\xncyisx.exe | N/A |
| N/A | N/A | C:\Windows\System\rWgiKGF.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-09_b488f797c4cae1c1f5ab43f070da6c45_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\fzYNEKh.exe | C:\Windows\System\fzYNEKh.exe |
| C:\Windows\System\JhLjgWd.exe | C:\Windows\System\JhLjgWd.exe |
| C:\Windows\System\QTNxBTd.exe | C:\Windows\System\QTNxBTd.exe |
| C:\Windows\System\yjYDGbE.exe | C:\Windows\System\yjYDGbE.exe |
| C:\Windows\System\QUmHaXc.exe | C:\Windows\System\QUmHaXc.exe |
| C:\Windows\System\NxSEJRq.exe | C:\Windows\System\NxSEJRq.exe |
| C:\Windows\System\loXGOTA.exe | C:\Windows\System\loXGOTA.exe |
| C:\Windows\System\EQiafCt.exe | C:\Windows\System\EQiafCt.exe |
| C:\Windows\System\NiVDbLU.exe | C:\Windows\System\NiVDbLU.exe |
| C:\Windows\System\xMaiiDF.exe | C:\Windows\System\xMaiiDF.exe |
| C:\Windows\System\ulRcvWn.exe | C:\Windows\System\ulRcvWn.exe |
| C:\Windows\System\fSwfdtt.exe | C:\Windows\System\fSwfdtt.exe |
| C:\Windows\System\yYggjHK.exe | C:\Windows\System\yYggjHK.exe |
| C:\Windows\System\lahHBUY.exe | C:\Windows\System\lahHBUY.exe |
| C:\Windows\System\BvfOWnI.exe | C:\Windows\System\BvfOWnI.exe |
| C:\Windows\System\joIsNNo.exe | C:\Windows\System\joIsNNo.exe |
| C:\Windows\System\btCdhuW.exe | C:\Windows\System\btCdhuW.exe |
| C:\Windows\System\cwbXTRm.exe | C:\Windows\System\cwbXTRm.exe |
| C:\Windows\System\RihbiHd.exe | C:\Windows\System\RihbiHd.exe |
| C:\Windows\System\xncyisx.exe | C:\Windows\System\xncyisx.exe |
| C:\Windows\System\rWgiKGF.exe | C:\Windows\System\rWgiKGF.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1620-132-0x00007FF7DD910000-0x00007FF7DDC61000-memory.dmp
memory/396-128-0x00007FF6F7B00000-0x00007FF6F7E51000-memory.dmp
C:\Windows\System\RihbiHd.exe
| MD5 | c7af5b65d594ab6fef22c3d354d77e30 |
| SHA1 | b41bdfa165b51a9a082ac62bb9eca3f72ac57709 |
| SHA256 | 43625ae72550ae6be782ec19b87dbbc6c402e15a731a58ad19f275bff84add02 |
| SHA512 | 9005b103b7bcfb281194ecc28b4322cfe94538cdd30ea0495463956548cc3190dfd4132f6161eb30ab9a579e165f038de3518e98109a8015b164fa32a0cc85ac |
memory/860-124-0x00007FF632E30000-0x00007FF633181000-memory.dmp
memory/1968-123-0x00007FF672A00000-0x00007FF672D51000-memory.dmp
memory/2972-117-0x00007FF781C90000-0x00007FF781FE1000-memory.dmp
C:\Windows\System\btCdhuW.exe
| MD5 | 7d341aaecc018f462ed8daf3cee66d1e |
| SHA1 | e36692080131322dc0d5f7c436a8a7e51652388d |
| SHA256 | d868d08bb00fc444e3767477b38fb4f4c8aa6d435a8e511d831fdd9f6fb9a8ce |
| SHA512 | 908a6d4d6117c77508571a6966d6aaed7d466a5c54cb4cdbec178dd8d62b2245c727e781f42de31f34b5087f610eb28458c67e909d296c26dd6414e8beba453b |
C:\Windows\System\BvfOWnI.exe
| MD5 | 409a7088392ff9dffd3ad370eee2933e |
| SHA1 | a05a7f3fd9fd9022bdc0621880fd47316ca72764 |
| SHA256 | 3e649f45d76113996e3ff4b484787754623d7a1bc990ef918e1e0fc0978cb9fc |
| SHA512 | dcbea86179a0baff4e5067be431bc6c310f4e67fc1d5ee7586571fded17bd6dfa478b3d26eb236e8627ce7aba3164cb7b90fe68a77b0fc94bad02a21f09ba882 |
memory/836-107-0x00007FF70C900000-0x00007FF70CC51000-memory.dmp
memory/3312-105-0x00007FF6A8A40000-0x00007FF6A8D91000-memory.dmp
memory/3480-103-0x00007FF6C4C20000-0x00007FF6C4F71000-memory.dmp
C:\Windows\System\lahHBUY.exe
| MD5 | 1502ea099020ce15a04188622592e324 |
| SHA1 | d9e868cd92770b8bdc77cd2b4a6e043212d9ad4c |
| SHA256 | 175cfe70380cc3ee50ff5f69d78d22bf70a4fc43bc2b40eb38ca71d39be84f4d |
| SHA512 | 7f3dc2f24648a8465df5d9fb2d3eae19fba0893adc3d8b937ba7835fac9b1248bf2dd71ecd230535c6861f799c5fd2c0a16dfdb23df7e3cb80f4ac010687e030 |
memory/1880-89-0x00007FF7EDA90000-0x00007FF7EDDE1000-memory.dmp
C:\Windows\System\yYggjHK.exe
| MD5 | c3294bde900e034865ff1ba1d8a2e878 |
| SHA1 | 21c232a7257686f7663e135a18edf0c678f7738e |
| SHA256 | 81d033ca5fa7bf48c8e2b62cf302f1c9e197ff0578c0365034843bc7be747288 |
| SHA512 | ff27f35a32312ed7bdbce579d43534bc8550e35f400e180b781ad3c933912f4f4a1ef356f83807a3dbd05b88df9cb510aa8b282ebe9016081daff69439580009 |
memory/4780-81-0x00007FF75BEF0000-0x00007FF75C241000-memory.dmp
memory/4556-77-0x00007FF637000000-0x00007FF637351000-memory.dmp
memory/3928-136-0x00007FF739970000-0x00007FF739CC1000-memory.dmp
memory/3192-141-0x00007FF62EF10000-0x00007FF62F261000-memory.dmp
memory/3268-145-0x00007FF701500000-0x00007FF701851000-memory.dmp
memory/232-146-0x00007FF659210000-0x00007FF659561000-memory.dmp
memory/1392-149-0x00007FF701510000-0x00007FF701861000-memory.dmp
memory/4780-150-0x00007FF75BEF0000-0x00007FF75C241000-memory.dmp
memory/2972-158-0x00007FF781C90000-0x00007FF781FE1000-memory.dmp
memory/396-161-0x00007FF6F7B00000-0x00007FF6F7E51000-memory.dmp
memory/860-160-0x00007FF632E30000-0x00007FF633181000-memory.dmp
memory/3312-157-0x00007FF6A8A40000-0x00007FF6A8D91000-memory.dmp
memory/1284-155-0x00007FF62BC50000-0x00007FF62BFA1000-memory.dmp
memory/836-156-0x00007FF70C900000-0x00007FF70CC51000-memory.dmp
memory/1620-162-0x00007FF7DD910000-0x00007FF7DDC61000-memory.dmp
memory/3928-163-0x00007FF739970000-0x00007FF739CC1000-memory.dmp
memory/2364-215-0x00007FF7E4190000-0x00007FF7E44E1000-memory.dmp
memory/3108-217-0x00007FF7611C0000-0x00007FF761511000-memory.dmp
memory/4556-219-0x00007FF637000000-0x00007FF637351000-memory.dmp
memory/1880-221-0x00007FF7EDA90000-0x00007FF7EDDE1000-memory.dmp
memory/3480-223-0x00007FF6C4C20000-0x00007FF6C4F71000-memory.dmp
memory/1968-226-0x00007FF672A00000-0x00007FF672D51000-memory.dmp
memory/4200-231-0x00007FF665EA0000-0x00007FF6661F1000-memory.dmp
memory/3192-233-0x00007FF62EF10000-0x00007FF62F261000-memory.dmp
memory/3268-237-0x00007FF701500000-0x00007FF701851000-memory.dmp
memory/1392-240-0x00007FF701510000-0x00007FF701861000-memory.dmp
memory/232-241-0x00007FF659210000-0x00007FF659561000-memory.dmp
memory/644-252-0x00007FF7E0870000-0x00007FF7E0BC1000-memory.dmp
memory/4780-254-0x00007FF75BEF0000-0x00007FF75C241000-memory.dmp
memory/1284-256-0x00007FF62BC50000-0x00007FF62BFA1000-memory.dmp
memory/836-258-0x00007FF70C900000-0x00007FF70CC51000-memory.dmp
memory/3312-260-0x00007FF6A8A40000-0x00007FF6A8D91000-memory.dmp
memory/2868-264-0x00007FF6DA6B0000-0x00007FF6DAA01000-memory.dmp
memory/2972-263-0x00007FF781C90000-0x00007FF781FE1000-memory.dmp
memory/860-269-0x00007FF632E30000-0x00007FF633181000-memory.dmp
memory/396-270-0x00007FF6F7B00000-0x00007FF6F7E51000-memory.dmp
memory/1620-267-0x00007FF7DD910000-0x00007FF7DDC61000-memory.dmp
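The listing above is flat extraction output: a dropped-file path, a few `| ALGO | hash |` rows, and `memory/<pid>-<index>-<start>-<end>-memory.dmp` names interleaved in the order the sandbox emitted them. One thing the raw listing hides is that every memory region on this page spans exactly 0x351000 bytes across some twenty PIDs, which is what you expect when each dropped copy maps the same payload image. The script below is an added example, not part of this report or of any sandbox's own tooling: it parses the two conventions seen here into hash IOC sets and memory-region records, length-checks each hash (extraction often truncates SHA-512 values), and collapses repeated snapshots of one region. `SAMPLE` is an excerpt copied from the listing above; the function and class names are mine.

```python
"""Turn a sandbox 'dropped files' listing into IOC sets and memory-region records."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Excerpt copied from the report listing above (paths, hash rows, dump names).
SAMPLE = """\
C:\\Windows\\System\\EQiafCt.exe
| MD5 | 97e5ce3685ebff1d9bc45233c930039f |
| SHA1 | 0c616dae1c947d3c5aa362d11e3e5cd99b63f20f |
| SHA256 | 6265bf5a7f5808c37df806120f79e6510ffedf10e6df8b25d8ba33ece290ea10 |
memory/3192-50-0x00007FF62EF10000-0x00007FF62F261000-memory.dmp
C:\\Windows\\System\\NiVDbLU.exe
| MD5 | 8b592da54af18cdcb82b2782c9f152e1 |
| SHA256 | 4664aea3ea70d87face04f8a06b4ec36744edd926876a6e4145ee411c0fb1b15 |
memory/3928-54-0x00007FF739970000-0x00007FF739CC1000-memory.dmp
memory/232-60-0x00007FF659210000-0x00007FF659561000-memory.dmp
memory/3192-141-0x00007FF62EF10000-0x00007FF62F261000-memory.dmp
"""

# Expected hex-digit count per algorithm; anything else is a truncated extraction.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_LINE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class MemRegion:
    pid: int
    index: int    # sandbox snapshot counter; one region can be dumped several times
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_report(text: str) -> Tuple[Dict[str, Dict[str, str]], List[MemRegion]]:
    """A line that is neither a hash row nor a dump name opens a new dropped-file
    record; hash rows attach to the most recent record; dump names are collected
    separately because the report interleaves them with the file entries."""
    files: Dict[str, Dict[str, str]] = {}
    regions: List[MemRegion] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            algo, value = m.group(1), m.group(2).lower()
            if len(value) != HASH_LEN[algo]:
                raise ValueError(f"{algo} has {len(value)} hex digits, expected {HASH_LEN[algo]}")
            if current is None:
                raise ValueError(f"hash row before any file path: {line}")
            files[current][algo] = value
            continue
        m = MEM_LINE.match(line)
        if m:
            regions.append(MemRegion(int(m["pid"]), int(m["idx"]),
                                     int(m["start"], 16), int(m["end"], 16)))
            continue
        if line.startswith("|"):
            raise ValueError(f"unrecognised table row: {line}")
        current = line
        files.setdefault(current, {})
    return files, regions


def ioc_hashes(files: Dict[str, Dict[str, str]], algo: str = "SHA256") -> Set[str]:
    """Hash values for one algorithm, ready for a blocklist or retro-hunt query."""
    return {h[algo] for h in files.values() if algo in h}


def region_size_histogram(regions: List[MemRegion]) -> Dict[int, int]:
    """Size of every dumped region.  A single dominant size across many PIDs means
    each spawned copy mapped the same image, which is the pattern on this page."""
    return dict(Counter(r.size for r in regions))


def unique_regions(regions: List[MemRegion]) -> Set[Tuple[int, int, int]]:
    """Collapse repeated snapshots (different index) of the same pid/start/end."""
    return {(r.pid, r.start, r.end) for r in regions}


if __name__ == "__main__":
    files, regions = parse_report(SAMPLE)
    print(sorted(ioc_hashes(files, "SHA256")))
    print({hex(k): v for k, v in region_size_histogram(regions).items()})
    print(len(unique_regions(regions)), "distinct regions in", len(regions), "dumps")
```

Feed it the whole listing and `region_size_histogram` should collapse to one key; a second size appearing is the cue to look at that PID separately, since it mapped something other than the common payload.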