Analysis Overview
SHA256
bdd012c106ef6b6be69b0d1fea641387b4fc959018965d98062ece2f45b4fac6
Threat Level: Known bad
The file 2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Xmrig family
xmrig
Cobaltstrike family
Cobaltstrike
Cobalt Strike reflective loader
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-09 15:27
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 15:27
Reported
2024-11-09 15:29
Platform
win7-20240903-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System\zfyjqxj.exe | N/A |
| N/A | N/A | C:\Windows\System\IOaZSZr.exe | N/A |
| N/A | N/A | C:\Windows\System\rtnnqza.exe | N/A |
| N/A | N/A | C:\Windows\System\SWPfxcb.exe | N/A |
| N/A | N/A | C:\Windows\System\AmYzhSh.exe | N/A |
| N/A | N/A | C:\Windows\System\YBgCscm.exe | N/A |
| N/A | N/A | C:\Windows\System\aKzcIiX.exe | N/A |
| N/A | N/A | C:\Windows\System\NUCSyIv.exe | N/A |
| N/A | N/A | C:\Windows\System\tyGjuyD.exe | N/A |
| N/A | N/A | C:\Windows\System\rZOGjtn.exe | N/A |
| N/A | N/A | C:\Windows\System\MoNYRbK.exe | N/A |
| N/A | N/A | C:\Windows\System\tmjhKdw.exe | N/A |
| N/A | N/A | C:\Windows\System\lCdPzvN.exe | N/A |
| N/A | N/A | C:\Windows\System\CnjRxyK.exe | N/A |
| N/A | N/A | C:\Windows\System\Rdxwytz.exe | N/A |
| N/A | N/A | C:\Windows\System\UVuQcPv.exe | N/A |
| N/A | N/A | C:\Windows\System\ZTinELi.exe | N/A |
| N/A | N/A | C:\Windows\System\XdPWEEn.exe | N/A |
| N/A | N/A | C:\Windows\System\vltxkkp.exe | N/A |
| N/A | N/A | C:\Windows\System\muYzMxe.exe | N/A |
| N/A | N/A | C:\Windows\System\EZNXdcW.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\zfyjqxj.exe
C:\Windows\System\zfyjqxj.exe
C:\Windows\System\IOaZSZr.exe
C:\Windows\System\IOaZSZr.exe
C:\Windows\System\rtnnqza.exe
C:\Windows\System\rtnnqza.exe
C:\Windows\System\SWPfxcb.exe
C:\Windows\System\SWPfxcb.exe
C:\Windows\System\AmYzhSh.exe
C:\Windows\System\AmYzhSh.exe
C:\Windows\System\CnjRxyK.exe
C:\Windows\System\CnjRxyK.exe
C:\Windows\System\YBgCscm.exe
C:\Windows\System\YBgCscm.exe
C:\Windows\System\Rdxwytz.exe
C:\Windows\System\Rdxwytz.exe
C:\Windows\System\aKzcIiX.exe
C:\Windows\System\aKzcIiX.exe
C:\Windows\System\UVuQcPv.exe
C:\Windows\System\UVuQcPv.exe
C:\Windows\System\NUCSyIv.exe
C:\Windows\System\NUCSyIv.exe
C:\Windows\System\ZTinELi.exe
C:\Windows\System\ZTinELi.exe
C:\Windows\System\tyGjuyD.exe
C:\Windows\System\tyGjuyD.exe
C:\Windows\System\XdPWEEn.exe
C:\Windows\System\XdPWEEn.exe
C:\Windows\System\rZOGjtn.exe
C:\Windows\System\rZOGjtn.exe
C:\Windows\System\vltxkkp.exe
C:\Windows\System\vltxkkp.exe
C:\Windows\System\MoNYRbK.exe
C:\Windows\System\MoNYRbK.exe
C:\Windows\System\muYzMxe.exe
C:\Windows\System\muYzMxe.exe
C:\Windows\System\tmjhKdw.exe
C:\Windows\System\tmjhKdw.exe
C:\Windows\System\EZNXdcW.exe
C:\Windows\System\EZNXdcW.exe
C:\Windows\System\lCdPzvN.exe
C:\Windows\System\lCdPzvN.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2868-0-0x000000013F280000-0x000000013F5D1000-memory.dmp
memory/2868-1-0x0000000000580000-0x0000000000590000-memory.dmp
\Windows\system\zfyjqxj.exe
| MD5 | f8ef8f9048f7339a65ec8de77e83588c |
| SHA1 | f17debb35a9bd54b4ff61c7daa361916f3156049 |
| SHA256 | 4346cc8fd6f1a296a7cc5509efc8223c9770d7d823e20b550c266306f49ead46 |
| SHA512 | e6807054dee6efade17e2e3091ec13c2e07556e12a26876885462b0ec126242f8c9835fb5055e35505bb69f6227a3c6046a006cb42c679209537649d05b86ecc |
C:\Windows\system\IOaZSZr.exe
| MD5 | e7ec46e87b7d1b8cdbeb051e97e10b05 |
| SHA1 | 1d3fe91fe4312d5e600e9e72ac138ce08137c100 |
| SHA256 | d02072009e705b21835ef05fd316928adfcd51a36ad84cc9f7bb589b55e540f9 |
| SHA512 | 3547228411c31db12a6e49c146f508072cf87fb05137ed3253cb6a485f78682fb11f473f5d63bbbed81a85e7415bf232e8f2a699f90f8ea42074f7bc1621f4e4 |
C:\Windows\system\rtnnqza.exe
| MD5 | 559df22b00a91011e8bf92968f7a223a |
| SHA1 | a16c9ba6fae7949366fb4656a036f00fbfd7db6b |
| SHA256 | 692621064834d71e10cf6efbfa5e9ab566295f013780bf70e8ea5bd10b00c19c |
| SHA512 | 73d86a5fcaad8dc1a7c174a93d233312ade3127591b3723a283e079c3cba8f3669004896ba8e530d6c6ff8b0e16930a5dda7b8fb9435b31bcfc8814572c781fa |
memory/296-21-0x000000013FEE0000-0x0000000140231000-memory.dmp
memory/2868-22-0x00000000021B0000-0x0000000002501000-memory.dmp
\Windows\system\SWPfxcb.exe
| MD5 | 5a9575603f61df7b81c05978a1e7d6ce |
| SHA1 | 0c0e90dd0b2b3faba8dbafc4abae9c78f183473e |
| SHA256 | 2bb83c6e4906d8646464c2bea367a01c8993857db2a3dd032e9af7deb2247149 |
| SHA512 | 0e01df90c2fc1fb19f984581ed4c29b748779b6d26cb09c8a04d4514ea2b890f511c562073013da67c66f54be7d63adee3b3c7b6c11c11a57597859a826a44b2 |
memory/2868-109-0x00000000021B0000-0x0000000002501000-memory.dmp
C:\Windows\system\UVuQcPv.exe
| MD5 | 457574fc5e9073367f67e74b6617ea30 |
| SHA1 | 4a117ae6bf7dd1ebc434ccb15cc18c8e9a378f79 |
| SHA256 | 8e10490c29d17ea49b33aaf6e6ae5e2f49070b1cd7a34f8180f5b0217ee773bf |
| SHA512 | 40327eabb4687633d503e8281e93de47bb148f4a7e05a76a906427a2ebf6fec7c5321d0946cec51d171399b58546945e2d681ecf071f8de58a4e415fbae51294 |
\Windows\system\EZNXdcW.exe
| MD5 | d6dc130814a368fcf93e00609ffe569e |
| SHA1 | 822e3fd6a32415d22be3a226608b69ba3bd82bbe |
| SHA256 | d205f9d4e84f3c866364eb4b27e952ce531b18be6a5ce7ae5d6100b39003fe9e |
| SHA512 | 490cea49c1395c18265a5fc61cfeb4ffdf04d319f431f5b2797bd95bb58036b42225adb7dde0d0a73bac9a8150281393cb1ffe058988f0b919c0176730893afe |
memory/2508-96-0x000000013F6B0000-0x000000013FA01000-memory.dmp
\Windows\system\muYzMxe.exe
| MD5 | cb241871303bb18e61bc89c907c08f07 |
| SHA1 | 7aec50e8f369bafecefac80c0b790c5979fb3786 |
| SHA256 | a52fc213f0351f5ef586c9fb56a29252bcdbdef5e50fb02d1cfee8ac050cdeef |
| SHA512 | 144da48bc9ae2168f452a698322fdb76a94536390ee19e2b31fef56113f3d355984156888b7c7f050fcfd41db467688a3d6830a6130ddf8dc58b83a63dc19338 |
memory/2868-85-0x000000013FA40000-0x000000013FD91000-memory.dmp
\Windows\system\vltxkkp.exe
| MD5 | d0a0a1efb4859a7d47eb12caba810fdb |
| SHA1 | cc1311c3fcafa53eaab6de61c546aaeda3d91552 |
| SHA256 | 54be47cf0ca954adc0b210c62f610aaebc27f723fa2df3c1264095d45e180bed |
| SHA512 | f83c29bff2a294b85203e3338a2ac5f2fa18588294bce8293ea91767ae2cbcd081029d09eac915c85e2960b9b4335c24c53145aaa5eeea1f5abd5d6a2425a555 |
memory/2568-132-0x000000013F070000-0x000000013F3C1000-memory.dmp
\Windows\system\XdPWEEn.exe
| MD5 | fbdf3fe116ce253307b9aaafca802a19 |
| SHA1 | 8046163ad69b62b4fc0d6de95de84a07baf6ada6 |
| SHA256 | ace41fca944d0f05e140f168b8aa7d46b68216e91d6722784417c20ea965c931 |
| SHA512 | d92a0e0d0e0f9dca2bbdd51efadf528b45dfeb5a016059db2c3b97c0dcbd2457ae13d4969ef2ac0f94d82d180ee748db6e323a0216601cf327d102232f72fd43 |
memory/2868-68-0x000000013F960000-0x000000013FCB1000-memory.dmp
memory/2052-133-0x000000013FC40000-0x000000013FF91000-memory.dmp
memory/2104-67-0x000000013F620000-0x000000013F971000-memory.dmp
C:\Windows\system\NUCSyIv.exe
| MD5 | 35a64bde3827a866c138c94499ae7307 |
| SHA1 | 68ff5751f720cd6e28b7faf6b52f2c4b4ebbb3cc |
| SHA256 | cb60d11928293d4f8d8ff4d79d283e83f6138437bdfa4278cac5b789a460897b |
| SHA512 | 2f119c2fa73f9b0f61c4355159efacde37996ed15ca921e093e17e0e0d7f1105c7f1bf8df4d9f164f7c595ea51436b2434b091e0712bd3996aee7027d2a98764 |
\Windows\system\ZTinELi.exe
| MD5 | 16d51b500a2ac5b945ec65c21066dbce |
| SHA1 | 6f192e5a32ce56199a81e625f8df228563b2f3cb |
| SHA256 | 0b82c04991ed930faf65fd766d1044069bbc5382a8a29024f38dbab8a7f62c02 |
| SHA512 | 1ac211361389e39b43a9e9359c6a62a315ac233637f990c3f935aa932328f88f5216e6c7be0c775cdeda69eed2d9d1c48727caa751b84234f7392b63ab4741d4 |
memory/2868-57-0x000000013F660000-0x000000013F9B1000-memory.dmp
\Windows\system\Rdxwytz.exe
| MD5 | a138be0497b63a42a5b584d29047403a |
| SHA1 | f4a1637a4b8607825dca4fa3426f5b2ab3eab23d |
| SHA256 | 0fb3be37f3c9ff439b6e2cf7e1130d767e32748f9a2869569052c6a26ae8ce02 |
| SHA512 | c479f9081c4effbfed425709272b3a97dbbe111e103059a5d77ddbcf5a324f95033ad51b35a9e68ca367b58b2cb6454617c16b0fb7a8b1cc82aa5e7df801cd9e |
\Windows\system\CnjRxyK.exe
| MD5 | 8c5ec894f414facce554b40fcc5c4e0f |
| SHA1 | 046d600a0e17f1a1275c20217ebb4bcc9034edff |
| SHA256 | 53216c4edef2db884bf9539645a6761714e1a732cfc9cb3e3af616b195c7de26 |
| SHA512 | 90367066e42a51104ed68bb3d8cdbf499593eccd698eee8883ace3a166d700c3300a9a6214c8cd333e1f7e660f3aad6f5cf50743f2482bf5a4fb313484ba83a1 |
memory/2868-108-0x000000013F6B0000-0x000000013FA01000-memory.dmp
C:\Windows\system\lCdPzvN.exe
| MD5 | 64c5b3846c9cf83e6b2f2d6d4382a578 |
| SHA1 | f6ce57e6c3b3275e002000b6092ef5ad1e35ed45 |
| SHA256 | ce1e6efc978e81e987769303b77632fc9ca5f2a5d487871b426aaeb709ccb36a |
| SHA512 | dec71cec0768db31d9f9032b5175fc00b17a097ec3a48808d5c01f2359c5d5de40f16a15202f155ba2a696a32f0651a3e27dd4526115f1a625bb4e88b2173aff |
C:\Windows\system\tmjhKdw.exe
| MD5 | 1234ba4d443afc41584d43eae1afe43b |
| SHA1 | 5646c3e91657901a1d6dda6a88f1649da5ff6fcc |
| SHA256 | 0c034ef7bac1f53fcfa6bd19a24bfccb29213f5a551a451732a8bdd3be1b7ad7 |
| SHA512 | 6bbd15a2aa34efc97d2ed47f0c8bfbcef16b18d942043e59eb8e2e0449d3f1d8e049c7eebe416d3f7c799ed94a677bd2c147c3ef4bd282da2d021f26b0e576c3 |
memory/2868-100-0x00000000021B0000-0x0000000002501000-memory.dmp
memory/2440-92-0x000000013F2A0000-0x000000013F5F1000-memory.dmp
memory/2684-91-0x000000013FA40000-0x000000013FD91000-memory.dmp
C:\Windows\system\MoNYRbK.exe
| MD5 | f688440e41801f64d2ea4657203213a9 |
| SHA1 | a0d6524c084d317ffd50209f0ef842403353cedb |
| SHA256 | 45843921258c65f2085e31f6fe2523a9639aba8ee049c9b6a7769cdad80268ea |
| SHA512 | b83a8e0c863de1b300e300ad03ad6e1daac454e8d51b3c4ca051a186aeb6bb00ff5f2775ee3576b093a1c225dd31e4ccd3df7139497abc4f6cf329af6e062b9a |
C:\Windows\system\rZOGjtn.exe
| MD5 | 07b6a65aaad14741307f5b9731625b4c |
| SHA1 | 5f1265ee3a5245ef6ac5d58da178e80928601f5a |
| SHA256 | 4b4b5a9af3b732e54fe910df189672dcd231669a607932a26635c79ba00821bd |
| SHA512 | 2607ca6a8302eab9886657a7312078a3f3e433b0993a37f1004e0bc47fa870b84c3f22d8791203244c71e517ac7c78ad356fbc21d0057c86a4df4e851d0ac724 |
memory/2868-81-0x000000013FD40000-0x0000000140091000-memory.dmp
C:\Windows\system\tyGjuyD.exe
| MD5 | 1e4bd37fd6afd243b2a15e92772df0bd |
| SHA1 | 049b40975ab0a7824f8029466c057b4f8476739a |
| SHA256 | 473242679a45f23944704d527cfa07b5a810ca4f778d2a697c655a16d23d4794 |
| SHA512 | d74fda55f3b0075551b03853029053bf0e087d190f4f77d6a6da8ac795c2856c3399c9e968ce5c1041652d41891103b0a699a7ef44d72fa23c9dfc3007fe8908 |
memory/2868-73-0x000000013F280000-0x000000013F5D1000-memory.dmp
memory/3048-72-0x000000013F960000-0x000000013FCB1000-memory.dmp
memory/2268-61-0x000000013F660000-0x000000013F9B1000-memory.dmp
memory/2868-50-0x00000000021B0000-0x0000000002501000-memory.dmp
C:\Windows\system\aKzcIiX.exe
| MD5 | f634dd3801acf3c3ae46cedffd34c899 |
| SHA1 | 491cdbb76765a949ffb03ac48555747f341e61be |
| SHA256 | 04cb0bf5747c4c4a5aee23fcc4be800c9f87c5bb1caa68ea6c8eeebc1836b932 |
| SHA512 | 65dfdf45b5fd54594fe5cbdb0da94db258d53c87a73c21f65604ce1d426bf8ec290455560a5b067eddc7cb58fdb9e1cf1f7d773134cbf595ec94929d3978a75d |
C:\Windows\system\YBgCscm.exe
| MD5 | 01744e1b7ac949a91c88395e2198368a |
| SHA1 | 6b23c137c8a80d45ec3d4ffe3b7c5baa7abb031f |
| SHA256 | 54eaeac1d8885e70bc422c5e6689ada188af674d6bef6733b5239e4ffd2968f5 |
| SHA512 | bf55b976e09028cd7f79d35eabfd354df620ce5adbd104b5e9d637a3b9c30ecbdbf6336d49a9a2bc94bf501e9fc88ed43ce1051b0e4acd9e38cc983dc0cd4992 |
memory/2868-41-0x000000013FEF0000-0x0000000140241000-memory.dmp
memory/2052-34-0x000000013FC40000-0x000000013FF91000-memory.dmp
memory/2868-33-0x000000013FC40000-0x000000013FF91000-memory.dmp
C:\Windows\system\AmYzhSh.exe
| MD5 | fe3cdce80132f563a2438ff2cc9d5f22 |
| SHA1 | 0ed703e93d10477e1dcc0f7cbc4e0c04444f69da |
| SHA256 | 354a00125835bec6a34e719a49f54fc76d0ca31207fee004c06a0a89b22ab17b |
| SHA512 | 5ab3865e12751b11ee9648a8a4d3e2ddba57d896975bc4ad36853eb47b21ec4a3dd870337f96381bc017110c8cd868df3d4472a32cbf4545bcea3fd6006a97a2 |
memory/2568-28-0x000000013F070000-0x000000013F3C1000-memory.dmp
memory/2868-27-0x00000000021B0000-0x0000000002501000-memory.dmp
memory/2868-20-0x000000013FEE0000-0x0000000140231000-memory.dmp
memory/2300-19-0x000000013F5D0000-0x000000013F921000-memory.dmp
memory/2368-18-0x000000013FDB0000-0x0000000140101000-memory.dmp
memory/3048-134-0x000000013F960000-0x000000013FCB1000-memory.dmp
memory/2868-135-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2440-137-0x000000013F2A0000-0x000000013F5F1000-memory.dmp
memory/2684-136-0x000000013FA40000-0x000000013FD91000-memory.dmp
memory/2508-142-0x000000013F6B0000-0x000000013FA01000-memory.dmp
memory/2868-138-0x000000013F280000-0x000000013F5D1000-memory.dmp
memory/2760-155-0x000000013F950000-0x000000013FCA1000-memory.dmp
memory/2868-163-0x000000013F6B0000-0x000000013FA01000-memory.dmp
memory/2876-160-0x000000013F5B0000-0x000000013F901000-memory.dmp
memory/2868-162-0x000000013F950000-0x000000013FCA1000-memory.dmp
memory/2868-161-0x00000000021B0000-0x0000000002501000-memory.dmp
memory/2548-159-0x000000013F860000-0x000000013FBB1000-memory.dmp
memory/2488-158-0x000000013FC50000-0x000000013FFA1000-memory.dmp
memory/2708-151-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2624-149-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/1608-147-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/2540-157-0x000000013F150000-0x000000013F4A1000-memory.dmp
memory/2060-145-0x000000013FEF0000-0x0000000140241000-memory.dmp
memory/2696-153-0x000000013F330000-0x000000013F681000-memory.dmp
memory/2868-164-0x000000013F280000-0x000000013F5D1000-memory.dmp
memory/2368-231-0x000000013FDB0000-0x0000000140101000-memory.dmp
memory/296-233-0x000000013FEE0000-0x0000000140231000-memory.dmp
memory/2300-235-0x000000013F5D0000-0x000000013F921000-memory.dmp
memory/2268-243-0x000000013F660000-0x000000013F9B1000-memory.dmp
memory/2104-242-0x000000013F620000-0x000000013F971000-memory.dmp
memory/2052-239-0x000000013FC40000-0x000000013FF91000-memory.dmp
memory/2568-238-0x000000013F070000-0x000000013F3C1000-memory.dmp
memory/3048-245-0x000000013F960000-0x000000013FCB1000-memory.dmp
memory/2684-247-0x000000013FA40000-0x000000013FD91000-memory.dmp
memory/2440-251-0x000000013F2A0000-0x000000013F5F1000-memory.dmp
memory/2508-254-0x000000013F6B0000-0x000000013FA01000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 15:27
Reported
2024-11-09 15:29
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System\QpLsXTp.exe | N/A |
| N/A | N/A | C:\Windows\System\rgupddw.exe | N/A |
| N/A | N/A | C:\Windows\System\CwjuHHx.exe | N/A |
| N/A | N/A | C:\Windows\System\JeQwySX.exe | N/A |
| N/A | N/A | C:\Windows\System\lhJZcNX.exe | N/A |
| N/A | N/A | C:\Windows\System\VGgIXKT.exe | N/A |
| N/A | N/A | C:\Windows\System\OGSUFMQ.exe | N/A |
| N/A | N/A | C:\Windows\System\GdkksUS.exe | N/A |
| N/A | N/A | C:\Windows\System\dUZIVkZ.exe | N/A |
| N/A | N/A | C:\Windows\System\rGNXNjj.exe | N/A |
| N/A | N/A | C:\Windows\System\csHWtTV.exe | N/A |
| N/A | N/A | C:\Windows\System\YmMbYTP.exe | N/A |
| N/A | N/A | C:\Windows\System\RoqqHZB.exe | N/A |
| N/A | N/A | C:\Windows\System\BMzTiEf.exe | N/A |
| N/A | N/A | C:\Windows\System\wPXalwn.exe | N/A |
| N/A | N/A | C:\Windows\System\WGimjxu.exe | N/A |
| N/A | N/A | C:\Windows\System\sHGImmS.exe | N/A |
| N/A | N/A | C:\Windows\System\gkOGJBX.exe | N/A |
| N/A | N/A | C:\Windows\System\eiclfam.exe | N/A |
| N/A | N/A | C:\Windows\System\bHjRESn.exe | N/A |
| N/A | N/A | C:\Windows\System\iWQKVpB.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-09_d72e35939db27c6924f4f77163eb3291_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\QpLsXTp.exe
C:\Windows\System\QpLsXTp.exe
C:\Windows\System\rgupddw.exe
C:\Windows\System\rgupddw.exe
C:\Windows\System\CwjuHHx.exe
C:\Windows\System\CwjuHHx.exe
C:\Windows\System\JeQwySX.exe
C:\Windows\System\JeQwySX.exe
C:\Windows\System\lhJZcNX.exe
C:\Windows\System\lhJZcNX.exe
C:\Windows\System\VGgIXKT.exe
C:\Windows\System\VGgIXKT.exe
C:\Windows\System\OGSUFMQ.exe
C:\Windows\System\OGSUFMQ.exe
C:\Windows\System\GdkksUS.exe
C:\Windows\System\GdkksUS.exe
C:\Windows\System\dUZIVkZ.exe
C:\Windows\System\dUZIVkZ.exe
C:\Windows\System\rGNXNjj.exe
C:\Windows\System\rGNXNjj.exe
C:\Windows\System\csHWtTV.exe
C:\Windows\System\csHWtTV.exe
C:\Windows\System\YmMbYTP.exe
C:\Windows\System\YmMbYTP.exe
C:\Windows\System\RoqqHZB.exe
C:\Windows\System\RoqqHZB.exe
C:\Windows\System\BMzTiEf.exe
C:\Windows\System\BMzTiEf.exe
C:\Windows\System\WGimjxu.exe
C:\Windows\System\WGimjxu.exe
C:\Windows\System\wPXalwn.exe
C:\Windows\System\wPXalwn.exe
C:\Windows\System\sHGImmS.exe
C:\Windows\System\sHGImmS.exe
C:\Windows\System\gkOGJBX.exe
C:\Windows\System\gkOGJBX.exe
C:\Windows\System\eiclfam.exe
C:\Windows\System\eiclfam.exe
C:\Windows\System\bHjRESn.exe
C:\Windows\System\bHjRESn.exe
C:\Windows\System\iWQKVpB.exe
C:\Windows\System\iWQKVpB.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 73.208.201.84.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
memory/228-0-0x00007FF6276D0000-0x00007FF627A21000-memory.dmp
memory/228-1-0x0000029810160000-0x0000029810170000-memory.dmp
C:\Windows\System\QpLsXTp.exe
| MD5 | 754f5d70b5749a8d5c86ba7d76322f09 |
| SHA1 | 1ef5143a3405e789f8cde7018d1f16a150916eb7 |
| SHA256 | 84ca801571ecd94372b8b9c334259aa76390d2fc42d85b48f28ec06187679c99 |
| SHA512 | 1e5751d50d3f81dbf6693e3005b009461868b3e5632de21c90118c57cad9ca9f9ab6fbcf3176d23adaf1c8028b1e7198ca271588297adc0069a8fcd890372943 |
memory/1084-8-0x00007FF646250000-0x00007FF6465A1000-memory.dmp
C:\Windows\System\CwjuHHx.exe
| MD5 | 10d161e3fd968de9d8830a12c2e813f0 |
| SHA1 | d48cda3f2acfde028597a9c27d356c608aff52b7 |
| SHA256 | 50ff642141c2a76b4c8503bfcaaae89c855c04f235fff53f3aeb48e1c4bdccf1 |
| SHA512 | 995b0b45b518634cc6afe0012f32d58ad8c9c851369fce480a3edbcf0483b7c29b0858e05c5e6cd1bd0e02b8ecd4f0c00619d09743e6340e73b133611908daa4 |
memory/3936-20-0x00007FF6B1920000-0x00007FF6B1C71000-memory.dmp
memory/2112-14-0x00007FF678480000-0x00007FF6787D1000-memory.dmp
C:\Windows\System\rgupddw.exe
| MD5 | 660e0aa3c381fa1b966ece6e4b1e553a |
| SHA1 | 93f2d49306994c709f5628f49c7ef10c307ff26f |
| SHA256 | 830531c0a1c7e49dc303c0fbb648940725a8c16a567ba66e811d12902733e178 |
| SHA512 | 1f4e343016eb62793b9cb6eb9dcbcf13e95edddd52247f3226886121d9ef80c2c68386cc3a5bfb8518492430de957e7690ba051fe96bc7af8f2e25409c9ebf36 |
C:\Windows\System\JeQwySX.exe
| MD5 | d998300f9672c115e59c15e7f6cbf981 |
| SHA1 | 928ce9ce33c5e0acf4910a064a5cb4d11c66ed81 |
| SHA256 | 61f098ba73e1659f8e7e167a54762ccf0493d6b99c3c5dcd93b9df8028bedea5 |
| SHA512 | 7af7c23889c4f50e75f8acc5ebc6b3c796f672a26c2c950b1b32645dfb2d1fc0219a3e9e1b60748d581b85cc20746b91e9f19247a26e971a6ce56567b778855b |
C:\Windows\System\lhJZcNX.exe
| MD5 | 0a9a9bf9bea9cec279a1ace5ea4bb897 |
| SHA1 | dd293f6012212aa72843441d5b5af0e6665c9e49 |
| SHA256 | ee558648738261d1a9543e5d8baa72c7cdf10dc97cc45e10e81659112fad8b1b |
| SHA512 | f502f1e21b35ffed3551c9dbde2a833b9a82ddd7e0fef37a0c5018bfd38e9f07c48f6e9b98d7bede27019f257a3fde792b2c0e512087784128a1865ee50e7e28 |
C:\Windows\System\VGgIXKT.exe
| MD5 | 01cd6cdea7fcd627a6307ebc997f9894 |
| SHA1 | 938ed290daad7a342b98a3eb26b4f0ab44fd6df2 |
| SHA256 | d76a16995258d37e5d8a90f1b1b1e0cf97f1f1d22204f802bc89a084752d8e13 |
| SHA512 | c5cf41f12f42154781922d9ebd503f057f677ce1f33b82a3d2ff68ecb99a054e1357e1a66c4879aaad6be8c89a6e4e6e28cbc0672483682bac403cca62c387e9 |
memory/4420-42-0x00007FF6407F0000-0x00007FF640B41000-memory.dmp
C:\Windows\System\dUZIVkZ.exe
| MD5 | 7cc256c99443e3336f3692862f93d24e |
| SHA1 | ffd91f0bd9a1d08587b87f81707cf648523f77df |
| SHA256 | 7899dfa2d50ffd92cbf1201d9ec61949b6ab093077eb0392e2270baf7aefe099 |
| SHA512 | f29ff5efe7db054df46422e476f17620e3d57d5079ddc2c66a840880f0c23bd23eab76b9d29d887d988b8ed8306b8fab09394c8422a3bafd2812fa5664af4151 |
C:\Windows\System\GdkksUS.exe
| MD5 | 2c5d69c6a70e4fca8863440c196f14db |
| SHA1 | 86878204f4000460d8bab920b4d38cb1d755a98d |
| SHA256 | f0024b1dd076c211f9e48bb86084a660fdffd377fa7ed34fd512d20e78d5b2fe |
| SHA512 | 54c806ec22978bc828c3697af7a66151ad410269d2744720b0ec56ee72afd3c7b609062d7417838184dfff898dbd0946745e9804de1f6a659442c45ce4b89d36 |
memory/4016-52-0x00007FF60CD50000-0x00007FF60D0A1000-memory.dmp
memory/1332-49-0x00007FF66F600000-0x00007FF66F951000-memory.dmp
C:\Windows\System\OGSUFMQ.exe
| MD5 | bbdcf7b68be2437c008a9a6ef951acc9 |
| SHA1 | 7d36bd7f0cc40a503093206c5dbe1ee4d8d4c7da |
| SHA256 | b5dd060f7937f27b45d110e159dbbafbda39ecf9c635ed6b1dc495ae826e7f4d |
| SHA512 | 1d84a2f53492eee5b2dc4fb1582c21a017df40f04dbc968b752fea77fb1be38ededb9e69c7e4ba9d07eac9c8b526d501718aab4b9568d91e9b7930dfb6c25ce2 |
memory/2644-41-0x00007FF65A400000-0x00007FF65A751000-memory.dmp
memory/2768-34-0x00007FF7BE6C0000-0x00007FF7BEA11000-memory.dmp
memory/1396-30-0x00007FF796200000-0x00007FF796551000-memory.dmp
memory/228-57-0x00007FF6276D0000-0x00007FF627A21000-memory.dmp
memory/1084-61-0x00007FF646250000-0x00007FF6465A1000-memory.dmp
C:\Windows\System\rGNXNjj.exe
| MD5 | 06adcee07b1a2b9b3a6915f3cca14531 |
| SHA1 | 3ec61834620044227b26a9fb53b2182ea5eeef66 |
| SHA256 | 097d26b06bb0c8a91e2016c89d6adb1ff10c942fe9b1068733d4eb8f4e32e311 |
| SHA512 | a79885b9060c22a5e242faea12edf501c332b7ed1af3d179f46773c707eea38112d968e2a25d747292ba667e62d2d80a7cdde78a250e395bd1412a83de633fe3 |
C:\Windows\System\YmMbYTP.exe
| MD5 | 64086ffe86a9212b3595f8f77b51d8eb |
| SHA1 | b729edcb9d6aa91ad76273a0f524e6de23a95d0b |
| SHA256 | 0690bd2173adfe7cc9a39ed22642d217373de533ab867e57ec5dde3117652d9a |
| SHA512 | c46f1d1ce5395d54c90ce7e7177b0cb0a73df61e4811c05db98499eb8a126aefd5a669fe950bd5ee7637ef93c4e3ed01abdd22a9800f489a9ec66ba2952af955 |
memory/2372-78-0x00007FF6A7AF0000-0x00007FF6A7E41000-memory.dmp
memory/2352-80-0x00007FF7EC7C0000-0x00007FF7ECB11000-memory.dmp
C:\Windows\System\wPXalwn.exe
| MD5 | a643ef4fd2d763cd9c45d800c57f5f1d |
| SHA1 | aba3287f978a5f31884ff4c7840305fb0efe041b |
| SHA256 | c21697db301320cf901a2177a19fd188060582017710bcae44329714a361652c |
| SHA512 | c6fe447600463d97a01b4a1e2ac2a6a66a1cef92f5e89418656252f88aaa090655c4ea7bc56badc93f51349eea3df2a320c4d459727539acb658057942bed103 |
C:\Windows\System\WGimjxu.exe
| MD5 | 35c8c9ee0203c78c9bcb51b2e3c08dcc |
| SHA1 | 2051fb5a8e421b728e0eb81a6f6017384465f7a2 |
| SHA256 | 67db09cbf70baef799991d48680b49c7c88fee42e6901b14a32dbb112ba70132 |
| SHA512 | 37dc77a710e951b5b50a6a36e562085b78e8cbec3de99600b651eb01e6885493ac54a72c694395ef96314ddd8de99c6a9b9deb33ed5beb83de25721f5c9e345b |
C:\Windows\System\sHGImmS.exe
| MD5 | c0767e4e11fb4246ad0b838257357701 |
| SHA1 | 39b9af2d47f139c8584449addd04d9e08db7b407 |
| SHA256 | c2b6c60b461b292c032749acbdd7bd3c10cd802ee5d2bb6abddc1a6b0e283836 |
| SHA512 | aecc42452cc0349818a4d946cf4489cd8e131b734234df1e7cccb7b30f98f4cb7263c49b8b9cb790992bf05b3446f6016aca6d4ba944da8b98001708ae022351 |
C:\Windows\System\gkOGJBX.exe
| MD5 | 99ef305717bd0dadca30153e8a55cb97 |
| SHA1 | 3843878221bb9de7ef4a9a38586303f549e6e293 |
| SHA256 | e1f1e3df441eca9ff5c6923e7b7cdf0545d7a67c040828247d91ff7be3e5adfc |
| SHA512 | ac2156f6a4b7cf86525bb51671f65adfc8fed63aad23292a17f918fe9736735a70b2b97a61190ac928c376b237c1e4ed24ab174698abc9311b6ba7824578dce0 |
C:\Windows\System\iWQKVpB.exe
| MD5 | e42c663b971e51a7355170467dce4b5d |
| SHA1 | 44d2df07d19f3cfe4fbb14c793e2364d93affaa2 |
| SHA256 | f347e81a0f52ed4d31198243830cf490c645a0d77de76e5467b6f2f279860586 |
| SHA512 | 340d7c01673544764e1c108461a0e6a37fb600161658f0225461d3b5cf9569fa66e44b6693b0ae8e0d52597a24c0ecf1e1f6e27983c49bfa4e1c496f52014d1b |
C:\Windows\System\bHjRESn.exe
| MD5 | 361b27671905daa9fd9ac13400602bb6 |
| SHA1 | fdc109a86091db7e2d225b78ba696f8d66773d37 |
| SHA256 | a62d5d3443697cda8b1cdf9a7f935837fba6867796586770adf31a93c487bcc9 |
| SHA512 | 45e5eadb011b39a57e5706772783e4964d6dbe87928d74d7a13eaedf2423c4cd71e5550d5fc8e5d11c04a9d617209edb9a9302e439c530dcfa3bcd589b92698a |
C:\Windows\System\eiclfam.exe
| MD5 | a7ae74ea4280bebf2633311a250b4c7b |
| SHA1 | 503a820bee89e113154290a4c38df71d1881b3d3 |
| SHA256 | 619ac7a30deecd62f8d0075eb43c49019f8e7814e9facaca8162dee4467d3f19 |
| SHA512 | f1c11e0baf9f1454b6ad9806c50a159e02e56875b16fa9f63f208fc0f2cdd21385c308f813c80efa691cf1ab26fa4b0a4de59132c0972ef3ea3f2ff71e2c0876 |
C:\Windows\System\RoqqHZB.exe
| MD5 | ea56a92454b1d72d89c6d7c6545723b5 |
| SHA1 | c527b4fdb98a4280b4da706ee60a8af7074b39b0 |
| SHA256 | c680b7fbe422914ecd4acf0346ab42e8d7c6f3ca33e39d322303521c485c2968 |
| SHA512 | 3d114db7c85c599fb23880625d05de1edacca53b3cfc1cd1f5c0c14d8950a4c70407c12e9450b0ace2f64831f87f7c0bc7f1585ca3fff316e524b1674b82a2b5 |
C:\Windows\System\BMzTiEf.exe
| MD5 | 074f84d12d35b3d99f570a8fd21c86ca |
| SHA1 | f2bb3849197d92c903bfaa08854abab7a2bffe83 |
| SHA256 | 96a9fab52ff4f6d4a8c305ac4a23804c9bbd7d28b7b9f4a60603af95ff246f9b |
| SHA512 | 0f072803955360501506dd1f315bd2593b99d17fbb46010628f2b49b98d1575f3cdb3a789d41f8adf504da8d3974f859e1e6624bfb37de82fa3de64206024b76 |
C:\Windows\System\csHWtTV.exe
| MD5 | efb409644dbaa670a11f6095c6458ca7 |
| SHA1 | cb176b3df2042632f0d0a3bd1988220055082bbe |
| SHA256 | f16b3799755e3c3699543a5166ff2d5ee2b9900ffeb53651285100591ddd6c2b |
| SHA512 | dab3e138bce36d220bf984886443a44a68d13384224cbc1700935d52e4975165195a8d38b104d6c614c957b019312794f51edb07169ba548f6ee4ab6799a9b54 |