Analysis Overview
SHA256
627bf59509313d97ab8a2972bd27135583fccd1ec2054d9c818bdbdb2d76797f
Threat Level: Known bad
The file 2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobaltstrike family
Xmrig family
Cobaltstrike
Cobalt Strike reflective loader
XMRig Miner payload
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-10 15:48
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-10 15:48
Reported
2024-11-10 15:51
Platform
win7-20240903-en
Max time kernel
140s
Max time network
140s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\rvdmiZd.exe | N/A |
| N/A | N/A | C:\Windows\System\zQsKSHF.exe | N/A |
| N/A | N/A | C:\Windows\System\wgEKHjj.exe | N/A |
| N/A | N/A | C:\Windows\System\FmkmaOX.exe | N/A |
| N/A | N/A | C:\Windows\System\HgHBXiy.exe | N/A |
| N/A | N/A | C:\Windows\System\kOPqpyu.exe | N/A |
| N/A | N/A | C:\Windows\System\czcNSRd.exe | N/A |
| N/A | N/A | C:\Windows\System\AQtYpgA.exe | N/A |
| N/A | N/A | C:\Windows\System\NsJfTEG.exe | N/A |
| N/A | N/A | C:\Windows\System\UdPjHot.exe | N/A |
| N/A | N/A | C:\Windows\System\upStjTz.exe | N/A |
| N/A | N/A | C:\Windows\System\doYLUpz.exe | N/A |
| N/A | N/A | C:\Windows\System\TUuKfii.exe | N/A |
| N/A | N/A | C:\Windows\System\jicyRKC.exe | N/A |
| N/A | N/A | C:\Windows\System\PFSICgC.exe | N/A |
| N/A | N/A | C:\Windows\System\jsdthIu.exe | N/A |
| N/A | N/A | C:\Windows\System\hoayHmc.exe | N/A |
| N/A | N/A | C:\Windows\System\qOtgjxq.exe | N/A |
| N/A | N/A | C:\Windows\System\zyMsGzP.exe | N/A |
| N/A | N/A | C:\Windows\System\gJkmndg.exe | N/A |
| N/A | N/A | C:\Windows\System\ZbFLRNT.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\rvdmiZd.exe | C:\Windows\System\rvdmiZd.exe |
| C:\Windows\System\zQsKSHF.exe | C:\Windows\System\zQsKSHF.exe |
| C:\Windows\System\wgEKHjj.exe | C:\Windows\System\wgEKHjj.exe |
| C:\Windows\System\FmkmaOX.exe | C:\Windows\System\FmkmaOX.exe |
| C:\Windows\System\HgHBXiy.exe | C:\Windows\System\HgHBXiy.exe |
| C:\Windows\System\czcNSRd.exe | C:\Windows\System\czcNSRd.exe |
| C:\Windows\System\kOPqpyu.exe | C:\Windows\System\kOPqpyu.exe |
| C:\Windows\System\NsJfTEG.exe | C:\Windows\System\NsJfTEG.exe |
| C:\Windows\System\AQtYpgA.exe | C:\Windows\System\AQtYpgA.exe |
| C:\Windows\System\UdPjHot.exe | C:\Windows\System\UdPjHot.exe |
| C:\Windows\System\upStjTz.exe | C:\Windows\System\upStjTz.exe |
| C:\Windows\System\doYLUpz.exe | C:\Windows\System\doYLUpz.exe |
| C:\Windows\System\TUuKfii.exe | C:\Windows\System\TUuKfii.exe |
| C:\Windows\System\jicyRKC.exe | C:\Windows\System\jicyRKC.exe |
| C:\Windows\System\PFSICgC.exe | C:\Windows\System\PFSICgC.exe |
| C:\Windows\System\jsdthIu.exe | C:\Windows\System\jsdthIu.exe |
| C:\Windows\System\hoayHmc.exe | C:\Windows\System\hoayHmc.exe |
| C:\Windows\System\qOtgjxq.exe | C:\Windows\System\qOtgjxq.exe |
| C:\Windows\System\zyMsGzP.exe | C:\Windows\System\zyMsGzP.exe |
| C:\Windows\System\gJkmndg.exe | C:\Windows\System\gJkmndg.exe |
| C:\Windows\System\ZbFLRNT.exe | C:\Windows\System\ZbFLRNT.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-10 15:48
Reported
2024-11-10 15:51
Platform
win10v2004-20241007-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\dOlJUfP.exe | N/A |
| N/A | N/A | C:\Windows\System\dhRCBfx.exe | N/A |
| N/A | N/A | C:\Windows\System\cNjqzlW.exe | N/A |
| N/A | N/A | C:\Windows\System\pfNoDHV.exe | N/A |
| N/A | N/A | C:\Windows\System\mMTdqMD.exe | N/A |
| N/A | N/A | C:\Windows\System\KyKCGvg.exe | N/A |
| N/A | N/A | C:\Windows\System\xmaJdvR.exe | N/A |
| N/A | N/A | C:\Windows\System\jzInWfI.exe | N/A |
| N/A | N/A | C:\Windows\System\AiTHIwA.exe | N/A |
| N/A | N/A | C:\Windows\System\ITGtWPq.exe | N/A |
| N/A | N/A | C:\Windows\System\BduGTDT.exe | N/A |
| N/A | N/A | C:\Windows\System\lwpFgQI.exe | N/A |
| N/A | N/A | C:\Windows\System\uuZPvEe.exe | N/A |
| N/A | N/A | C:\Windows\System\aEygsxg.exe | N/A |
| N/A | N/A | C:\Windows\System\zufUofr.exe | N/A |
| N/A | N/A | C:\Windows\System\bwjaFhf.exe | N/A |
| N/A | N/A | C:\Windows\System\adnyHxz.exe | N/A |
| N/A | N/A | C:\Windows\System\gMEWJjN.exe | N/A |
| N/A | N/A | C:\Windows\System\tViZCKL.exe | N/A |
| N/A | N/A | C:\Windows\System\nAZnDdo.exe | N/A |
| N/A | N/A | C:\Windows\System\ykTtcUq.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-11-10_4e0987837fb5da33e09b7852d3075ee5_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\dOlJUfP.exe | C:\Windows\System\dOlJUfP.exe |
| C:\Windows\System\dhRCBfx.exe | C:\Windows\System\dhRCBfx.exe |
| C:\Windows\System\cNjqzlW.exe | C:\Windows\System\cNjqzlW.exe |
| C:\Windows\System\pfNoDHV.exe | C:\Windows\System\pfNoDHV.exe |
| C:\Windows\System\mMTdqMD.exe | C:\Windows\System\mMTdqMD.exe |
| C:\Windows\System\KyKCGvg.exe | C:\Windows\System\KyKCGvg.exe |
| C:\Windows\System\xmaJdvR.exe | C:\Windows\System\xmaJdvR.exe |
| C:\Windows\System\jzInWfI.exe | C:\Windows\System\jzInWfI.exe |
| C:\Windows\System\AiTHIwA.exe | C:\Windows\System\AiTHIwA.exe |
| C:\Windows\System\ITGtWPq.exe | C:\Windows\System\ITGtWPq.exe |
| C:\Windows\System\BduGTDT.exe | C:\Windows\System\BduGTDT.exe |
| C:\Windows\System\lwpFgQI.exe | C:\Windows\System\lwpFgQI.exe |
| C:\Windows\System\uuZPvEe.exe | C:\Windows\System\uuZPvEe.exe |
| C:\Windows\System\aEygsxg.exe | C:\Windows\System\aEygsxg.exe |
| C:\Windows\System\bwjaFhf.exe | C:\Windows\System\bwjaFhf.exe |
| C:\Windows\System\zufUofr.exe | C:\Windows\System\zufUofr.exe |
| C:\Windows\System\adnyHxz.exe | C:\Windows\System\adnyHxz.exe |
| C:\Windows\System\tViZCKL.exe | C:\Windows\System\tViZCKL.exe |
| C:\Windows\System\ykTtcUq.exe | C:\Windows\System\ykTtcUq.exe |
| C:\Windows\System\gMEWJjN.exe | C:\Windows\System\gMEWJjN.exe |
| C:\Windows\System\nAZnDdo.exe | C:\Windows\System\nAZnDdo.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.117.19.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
| MD5 | 0d1e720bd7c19c293034eb8eb399472e |
| SHA1 | 31ee9bceb9919f3e17d3dae12c4b1293b6521caf |
| SHA256 | 5504997df9f4a1e6948b64c8e417a3d517e8b0c8500a62a96ae6dcef39346b89 |
| SHA512 | 157235d4e61476ea7cb121bec4ab8b1ac726fbd59c893bcc3f0c2724e063a69ac0d982acb7d6b25584d23214820369a8448e05e2eeac3b11f86199b1064d15f4 |
C:\Windows\System\ykTtcUq.exe
| MD5 | e6f81648a19159a1c1e9fd69454521f9 |
| SHA1 | 42fd0feaff8c10fd43a3e37a9d31e883f69dd0c3 |
| SHA256 | 5d7f68c07d40ffd3c409e6b0a2e26fc97e5fa45d4e64ee37eb692fbc0be5da36 |
| SHA512 | 022efff137e0da4a04ce36fd0ccbd0cd1c39c5be480019cd4db06f007e6e9740941a648e8d9e0f20bc7ffa9fa859730ef394e10383a61c17e5ca180c0c10ec98 |
memory/752-135-0x00007FF6BCEA0000-0x00007FF6BD1F1000-memory.dmp
C:\Windows\System\adnyHxz.exe
| MD5 | 8f23d394252f614a39815d8d0f76d938 |
| SHA1 | 1f11b6fc6408f929ec6bbc689309393e9c7ccbc6 |
| SHA256 | 1eda6ef0a95528cd3f8be7687cb99489f9c27fe6762648cf55238905779facb8 |
| SHA512 | 88cacee4f2b1ad3c624ad4210ecdf88a44d2aa016980e96c2836f1bdafffdd62da1cc5a24ff29629547db8089433ffb7ecc23f6f5b880e25c49936aff729d419 |
C:\Windows\System\tViZCKL.exe
| MD5 | ece8dab3448b67fa23e9fd9750c2b21f |
| SHA1 | a611749afc53a0e92849eb5646a20ba5ea871c82 |
| SHA256 | a6fb17a06521085380cdc3525775c733fe7baea49e4fff3d1b39e547aadb451a |
| SHA512 | 767a9cf2499bab55080de8f6febc502888bd3b6b32a51686e22d622ba82cb1c6acdeff5daceac0b03a5380e2482158e89fdaa4c8e782763d0de2ab63c484a02a |
memory/2996-134-0x00007FF6FCD10000-0x00007FF6FD061000-memory.dmp
memory/2372-132-0x00007FF7C59C0000-0x00007FF7C5D11000-memory.dmp
C:\Windows\System\nAZnDdo.exe
| MD5 | 3eab7768f05066a7d957f76138b2318a |
| SHA1 | d4ebb9d8edcc74365a22cbdde44a4ad7cce234e0 |
| SHA256 | d1619364fded668f8a384dbe1a9503e3a03c50ec66c5f4a6dfaed7b634a5dcfe |
| SHA512 | 894228044e906ce492fb4a743d75f9d45d3af63301a4790762dd0f318bc229b2ac0d255afd691c176901922ee8a357ca3974e64441926e616af9c79ded35b68b |
memory/1572-105-0x00007FF6469F0000-0x00007FF646D41000-memory.dmp
memory/4424-102-0x00007FF6F89F0000-0x00007FF6F8D41000-memory.dmp
memory/1324-143-0x00007FF745B80000-0x00007FF745ED1000-memory.dmp
memory/888-144-0x00007FF625970000-0x00007FF625CC1000-memory.dmp
memory/4716-145-0x00007FF6C6DA0000-0x00007FF6C70F1000-memory.dmp
memory/4716-146-0x00007FF6C6DA0000-0x00007FF6C70F1000-memory.dmp
memory/2996-164-0x00007FF6FCD10000-0x00007FF6FD061000-memory.dmp
memory/752-165-0x00007FF6BCEA0000-0x00007FF6BD1F1000-memory.dmp
memory/2372-163-0x00007FF7C59C0000-0x00007FF7C5D11000-memory.dmp
memory/4716-168-0x00007FF6C6DA0000-0x00007FF6C70F1000-memory.dmp
memory/4424-205-0x00007FF6F89F0000-0x00007FF6F8D41000-memory.dmp
memory/3464-207-0x00007FF6A9B40000-0x00007FF6A9E91000-memory.dmp
memory/4244-209-0x00007FF74C110000-0x00007FF74C461000-memory.dmp
memory/1572-211-0x00007FF6469F0000-0x00007FF646D41000-memory.dmp
memory/4776-217-0x00007FF73C590000-0x00007FF73C8E1000-memory.dmp
memory/4392-216-0x00007FF7E0C40000-0x00007FF7E0F91000-memory.dmp
memory/4336-219-0x00007FF703120000-0x00007FF703471000-memory.dmp
memory/5056-214-0x00007FF64ED20000-0x00007FF64F071000-memory.dmp
memory/1420-234-0x00007FF7788B0000-0x00007FF778C01000-memory.dmp
memory/3772-239-0x00007FF78B8D0000-0x00007FF78BC21000-memory.dmp
memory/732-243-0x00007FF6940B0000-0x00007FF694401000-memory.dmp
memory/2840-241-0x00007FF6464E0000-0x00007FF646831000-memory.dmp
memory/4444-238-0x00007FF771710000-0x00007FF771A61000-memory.dmp
memory/892-235-0x00007FF780DD0000-0x00007FF781121000-memory.dmp
memory/4360-231-0x00007FF630CA0000-0x00007FF630FF1000-memory.dmp
memory/3680-230-0x00007FF7476A0000-0x00007FF7479F1000-memory.dmp
memory/888-251-0x00007FF625970000-0x00007FF625CC1000-memory.dmp
memory/2372-254-0x00007FF7C59C0000-0x00007FF7C5D11000-memory.dmp
memory/1324-255-0x00007FF745B80000-0x00007FF745ED1000-memory.dmp
memory/752-257-0x00007FF6BCEA0000-0x00007FF6BD1F1000-memory.dmp
memory/2996-259-0x00007FF6FCD10000-0x00007FF6FD061000-memory.dmp