Analysis Overview
SHA256
9e06c80d196357b9186ac87ef45340436ce70bed5321980e7432fdc1ee07926c
Threat Level: Known bad
The file 2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
XMRig Miner payload
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
Xmrig family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-28 00:08
Signatures
Cobalt Strike reflective loader
(1 match; no description, indicator, process or target recorded)
Cobaltstrike family
Detects Reflective DLL injection artifacts
(1 match; no description, indicator, process or target recorded)
UPX dump on OEP (original entry point)
(1 match; no description, indicator, process or target recorded)
XMRig Miner payload
(1 match; no description, indicator, process or target recorded)
Xmrig family
UPX packed file
(1 match; no description, indicator, process or target recorded)
Unsigned PE
(1 match; no description, indicator, process or target recorded)
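The two static verdicts above, UPX packed file and Unsigned PE, come from header fields that can be read without running anything: the names in the PE section table and the Security (Authenticode) entry of the data directory. The block below is an added example written for this page, not code from the report or from the sandbox. It walks those fields on a PE32+ image that is constructed in memory (the analysed sample is not embedded), and adds a per-section entropy measure because section names are trivial for a packer to rename. All function and constant names are this example's own.

```python
"""
Added example (not from the report or the sandbox): the two static checks
behind the "UPX packed file" and "Unsigned PE" signatures, run on a PE image
that is constructed in memory rather than on the analysed sample.
"""
import math
import struct
from collections import Counter

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
SECURITY_DIR = 4                # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode)
SECTION_HDR = "<8sIIIIIIHHI"    # IMAGE_SECTION_HEADER, 40 bytes


def build_pe(section_names, section_data=b"", signed=False):
    """Construct a minimal PE32+ image (headers only, not runnable) for the checks."""
    opt_size = 240                                   # PE32+ optional header, 16 data directories
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC)
    struct.pack_into("<I", opt, 108, 16)             # NumberOfRvaAndSizes
    if signed:  # only the directory entry matters here; a real blob would sit in the overlay
        struct.pack_into("<II", opt, 112 + 8 * SECURITY_DIR, 0x1000, 0x2000)
    raw_ptr = len(dos) + 4 + len(coff) + opt_size + 40 * len(section_names)
    sections = b"".join(
        struct.pack(SECTION_HDR, n.encode().ljust(8, b"\0"), len(section_data), 0x1000,
                    len(section_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
        for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + sections + section_data


def parse_pe(data):
    """Read the section table and the Security data directory; raise on malformed input."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # NumberOfRvaAndSizes sits at 108 (PE32+) or 92 (PE32); the directories follow it.
    ndirs_off = opt + (108 if magic == PE32PLUS_MAGIC else 92)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    security = (0, 0)
    if ndirs > SECURITY_DIR:
        security = struct.unpack_from("<II", data, ndirs_off + 4 + 8 * SECURITY_DIR)
    sections = []
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "raw": data[raw_ptr:raw_ptr + raw_size]})
    return {"magic": magic, "sections": sections, "security_dir": tuple(security)}


def shannon_entropy(buf):
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly distributed bytes."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in Counter(buf).values())


def is_upx_packed(pe):
    """The cheap signal: stock UPX names its sections UPX0/UPX1/UPX2."""
    return any(s["name"].upper().startswith("UPX") for s in pe["sections"])


def is_authenticode_signed(pe):
    """An empty Security directory is what "Unsigned PE" means at header level."""
    return pe["security_dir"][1] != 0


def packer_report(pe, threshold=7.0):
    return {
        "upx_section_names": is_upx_packed(pe),
        "high_entropy_sections": [s["name"] for s in pe["sections"]
                                  if shannon_entropy(s["raw"]) > threshold],
        "signed": is_authenticode_signed(pe),
    }


if __name__ == "__main__":
    print(packer_report(parse_pe(build_pe(["UPX0", "UPX1", ".rsrc"]))))
    print(packer_report(parse_pe(build_pe([".text"], bytes(range(256)) * 4, signed=True))))
```

Section names are the weakest of the three signals, since anyone can relabel them after packing; an executable section above roughly 7 bits per byte together with an empty Security directory is the combination this sample's two static signatures amount to. The behavioural "UPX dump on OEP" signature refers to the sandbox capturing the image once control reaches the original entry point; that dump, not the packed file on disk, is the thing to run family rules against.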
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 00:08
Reported
2024-06-28 00:11
Platform
win7-20240611-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
(21 matches; no description, indicator, process or target recorded)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
(21 matches; no description, indicator, process or target recorded)
UPX dump on OEP (original entry point)
(55 matches; no description, indicator, process or target recorded)
XMRig Miner payload
(56 matches; no description, indicator, process or target recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\UiWmzBl.exe | N/A |
| N/A | N/A | C:\Windows\System\QVSUDMR.exe | N/A |
| N/A | N/A | C:\Windows\System\wptfawH.exe | N/A |
| N/A | N/A | C:\Windows\System\IBYzrIv.exe | N/A |
| N/A | N/A | C:\Windows\System\GiqJURa.exe | N/A |
| N/A | N/A | C:\Windows\System\bYTjfEQ.exe | N/A |
| N/A | N/A | C:\Windows\System\zklPevg.exe | N/A |
| N/A | N/A | C:\Windows\System\luPqsVz.exe | N/A |
| N/A | N/A | C:\Windows\System\QfzJqWC.exe | N/A |
| N/A | N/A | C:\Windows\System\txqIwhB.exe | N/A |
| N/A | N/A | C:\Windows\System\kUkRCZu.exe | N/A |
| N/A | N/A | C:\Windows\System\eHQZGZn.exe | N/A |
| N/A | N/A | C:\Windows\System\rkPXngq.exe | N/A |
| N/A | N/A | C:\Windows\System\pFreTGv.exe | N/A |
| N/A | N/A | C:\Windows\System\ubSVwOv.exe | N/A |
| N/A | N/A | C:\Windows\System\OcIsmgy.exe | N/A |
| N/A | N/A | C:\Windows\System\MvwqyNI.exe | N/A |
| N/A | N/A | C:\Windows\System\hhAGcis.exe | N/A |
| N/A | N/A | C:\Windows\System\BRqKtBg.exe | N/A |
| N/A | N/A | C:\Windows\System\LALXfrU.exe | N/A |
| N/A | N/A | C:\Windows\System\qNjXuPB.exe | N/A |
Loads dropped DLL
UPX packed file
(55 matches; no description, indicator, process or target recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\UiWmzBl.exe
C:\Windows\System\UiWmzBl.exe
C:\Windows\System\QVSUDMR.exe
C:\Windows\System\QVSUDMR.exe
C:\Windows\System\wptfawH.exe
C:\Windows\System\wptfawH.exe
C:\Windows\System\GiqJURa.exe
C:\Windows\System\GiqJURa.exe
C:\Windows\System\IBYzrIv.exe
C:\Windows\System\IBYzrIv.exe
C:\Windows\System\bYTjfEQ.exe
C:\Windows\System\bYTjfEQ.exe
C:\Windows\System\zklPevg.exe
C:\Windows\System\zklPevg.exe
C:\Windows\System\luPqsVz.exe
C:\Windows\System\luPqsVz.exe
C:\Windows\System\QfzJqWC.exe
C:\Windows\System\QfzJqWC.exe
C:\Windows\System\kUkRCZu.exe
C:\Windows\System\kUkRCZu.exe
C:\Windows\System\txqIwhB.exe
C:\Windows\System\txqIwhB.exe
C:\Windows\System\eHQZGZn.exe
C:\Windows\System\eHQZGZn.exe
C:\Windows\System\rkPXngq.exe
C:\Windows\System\rkPXngq.exe
C:\Windows\System\ubSVwOv.exe
C:\Windows\System\ubSVwOv.exe
C:\Windows\System\pFreTGv.exe
C:\Windows\System\pFreTGv.exe
C:\Windows\System\MvwqyNI.exe
C:\Windows\System\MvwqyNI.exe
C:\Windows\System\OcIsmgy.exe
C:\Windows\System\OcIsmgy.exe
C:\Windows\System\hhAGcis.exe
C:\Windows\System\hhAGcis.exe
C:\Windows\System\BRqKtBg.exe
C:\Windows\System\BRqKtBg.exe
C:\Windows\System\LALXfrU.exe
C:\Windows\System\LALXfrU.exe
C:\Windows\System\qNjXuPB.exe
C:\Windows\System\qNjXuPB.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Six TCP connections to this endpoint were recorded; no domain is listed for any of them.
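The process tree, the privilege request and the network table above are the pieces a detection engineer would take from this run. The block below is an added example, not part of the report, that encodes them as rules and runs them over constructed event records: the C:\Windows\System\<seven letters>.exe drop pattern shared by all 21 executables, two SHA256 values from the Files list that follows, the 3.120.209.58:8080 endpoint, and the SeLockMemoryPrivilege token adjustment (the privilege XMRig enables to allocate large pages). The event field names are simplified stand-ins for Sysmon event 1 and 3 and Security event 4703 fields and are this example's assumption, as are all function names.

```python
"""
Added example (not part of the sandbox report): turn the indicators recorded in
behavioral1 into a small matcher and run it over constructed event records shaped
like Sysmon process-creation / network-connection events and a Security-log 4703
("A user right was adjusted") event. Field names are simplified.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Indicators copied from this report.
C2_ENDPOINT = ("3.120.209.58", 8080)                 # Network section, six TCP connections
DROPPED_SHA256 = {                                   # two of the dropped files (Files section)
    "4a94eee8a10b1eb5c613a85996df119a282b26a93aea69ee1452bac6dd7fa631",  # UiWmzBl.exe
    "f4bee0db429b72276f59d922e32e667c50ffc9825d507288472382efada40251",  # QVSUDMR.exe
}
# Every dropped executable in both detonations is C:\Windows\System\<7 letters>.exe.
# The pattern survives re-drops whose hashes differ; C:\Windows\System is a legacy
# directory that normally receives no freshly written executables.
DROP_PATH_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
# Enabled twice by the sample (AdjustPrivilegeToken section); XMRig requests it
# to back its dataset with large pages.
MINER_PRIVILEGE = "SeLockMemoryPrivilege"


@dataclass(frozen=True)
class Hit:
    rule: str
    event_id: int


def match_event(ev: dict) -> list[Hit]:
    """Return every rule that one event record matches."""
    hits: list[Hit] = []
    kind = ev["type"]
    if kind == "process_create":
        if DROP_PATH_RE.match(ev["image"]):
            hits.append(Hit("dropped_exe_path_pattern", ev["id"]))
        if ev.get("sha256", "").lower() in DROPPED_SHA256:
            hits.append(Hit("dropped_exe_known_hash", ev["id"]))
    elif kind == "network_connect":
        if (ev["dst_ip"], ev["dst_port"]) == C2_ENDPOINT:
            hits.append(Hit("c2_endpoint", ev["id"]))
    elif kind == "privilege_adjust":
        if MINER_PRIVILEGE in ev["enabled"]:
            hits.append(Hit("lock_memory_privilege", ev["id"]))
    return hits


def scan(events: list[dict]) -> list[Hit]:
    return [hit for ev in events for hit in match_event(ev)]


def rule_counts(hits: list[Hit]) -> dict[str, int]:
    return dict(Counter(hit.rule for hit in hits))


# Constructed events (hypothetical; not taken from any real host).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "image": r"C:\Windows\System\UiWmzBl.exe",
     "sha256": "4A94EEE8A10B1EB5C613A85996DF119A282B26A93AEA69EE1452BAC6DD7FA631"},
    {"id": 2, "type": "process_create", "image": r"C:\Windows\System\AbCdEfG.exe",
     "sha256": "0" * 64},                        # unseen hash, same drop pattern
    {"id": 3, "type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "sha256": "1" * 64},                        # ordinary system binary, no match
    {"id": 4, "type": "network_connect", "dst_ip": "3.120.209.58", "dst_port": 8080},
    {"id": 5, "type": "network_connect", "dst_ip": "3.120.209.58", "dst_port": 443},
    {"id": 6, "type": "privilege_adjust", "enabled": ["SeLockMemoryPrivilege"]},
    {"id": 7, "type": "privilege_adjust", "enabled": ["SeChangeNotifyPrivilege"]},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"event {hit.event_id}: {hit.rule}")
    print(rule_counts(scan(SAMPLE_EVENTS)))
```

The path pattern is the durable rule: the second detonation drops 21 differently named files with different hashes into the same directory, so a hash list on its own would miss every one of them. The page gives only an IP and no domain for the endpoint, so pair it with the behavioural rules rather than relying on it alone.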
Files
memory/2056-0-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2056-1-0x0000000000200000-0x0000000000210000-memory.dmp
C:\Windows\system\UiWmzBl.exe
| MD5 | dba1329ba470d1a6f71c29c5dc14e3b4 |
| SHA1 | 8939c6746490d1041e7442eb1d479efebf56964e |
| SHA256 | 4a94eee8a10b1eb5c613a85996df119a282b26a93aea69ee1452bac6dd7fa631 |
| SHA512 | 71b978a7a0c68391e6e98aeb62c2c117d2792add0093802c7f3d6133ed6f98fe64756b442664c2d4595eb64a7378fd6a2a14479884618de847219a17004eaa25 |
memory/2056-23-0x000000013F230000-0x000000013F584000-memory.dmp
\Windows\system\IBYzrIv.exe
| MD5 | 1cd30cf45b4cd26c8d21d569e8c3eeb4 |
| SHA1 | 79ef85bf45eb1dbf3948dd39caeb9a3535be2269 |
| SHA256 | 79085577b60aa73e937d5a9bb98f375944559f874e0267024970e1e0b7cae516 |
| SHA512 | 1b5f893eb3baee0ed80f48455e7cd99a9e1ff4985f50689eb222478a64f0e94a4d487644968aeb52407232178913bced8dcaeeeffbb4bec11ecdaab2c67134db |
C:\Windows\system\QVSUDMR.exe
| MD5 | 5d68642bb3c32c4dd39e366377b54327 |
| SHA1 | c8b389b1f10c4f1905902e8669e1ff18454a1d1a |
| SHA256 | f4bee0db429b72276f59d922e32e667c50ffc9825d507288472382efada40251 |
| SHA512 | 90d8aea678d1277604b1864f38924e94fde6e76e568bb550e25e89849571639007fe50d440ab3d64fe0b215fcc4b32ac448653f3d513c514932e7b460e468b2d |
memory/1508-15-0x000000013F0F0000-0x000000013F444000-memory.dmp
\Windows\system\wptfawH.exe
| MD5 | b19d46454598ff7d7005e878e95d92a2 |
| SHA1 | 4ee80073675a78e1c488d962cf1a82e37dbc6fdc |
| SHA256 | c26b7ff49a2d05bbc5ff590a24d58009bc6fb286c1a99a41e058a7b6c1299900 |
| SHA512 | fef0b6110c54500c0c1269049f651c85d363d1dcc0320ed76312a48f573f3751fd4f3f4752f10e7f2bb0ebb4756fe69111ca6c2899eeb9ce82a242f9ce723723 |
memory/2056-8-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2056-32-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/2320-36-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2024-34-0x000000013F230000-0x000000013F584000-memory.dmp
C:\Windows\system\bYTjfEQ.exe
| MD5 | b49d6c2f5d9c9df530368311f91e1452 |
| SHA1 | c620c61adbf17b30d3255cc3893bbdb556f0ee80 |
| SHA256 | 13624aa95222992b6bd1733adc90b68d259c8602477bfaf5c2719253fbbba236 |
| SHA512 | 787e364211e7013a18f24d49b90ad74edd44e4a38fb94ded013b53776b289b000958a69534a2ae2fe8cf7a786675cc6f222f783d0e2cde096bba29768150376a |
memory/2056-71-0x000000013F110000-0x000000013F464000-memory.dmp
memory/2792-74-0x000000013F3F0000-0x000000013F744000-memory.dmp
C:\Windows\system\QfzJqWC.exe
| MD5 | 28158159edf3651c788d9c77cd52b9b1 |
| SHA1 | e20e5be11a8e4dd270268cbcdd84cf3300719600 |
| SHA256 | 9b12a40d07cc06bf4ddf13410755440b886585443cb457a21333198eba8e6273 |
| SHA512 | 8cbe6f202112cb31f5464e75421e5bf6cad7dfe26db1e07194405734d128d003baf59f1535bb6057eb85f5a83ca46bcc3d4bcafc9aaef25f330fb52a7101ff94 |
memory/2056-83-0x000000013F350000-0x000000013F6A4000-memory.dmp
C:\Windows\system\ubSVwOv.exe
| MD5 | daa453b9f691d9d73b12b1b6c6b8a438 |
| SHA1 | 190c94625492416e572186fe3f5169113db9b536 |
| SHA256 | 324babb47c69b714e1177b13390dcb5bcac261c0256f72c80014f81f19ad0dba |
| SHA512 | 19d8256591e354979bb685dd5981bf56d562a49992edda8f0a4098f23cea0bdd4d143396ef039b254f69fef468beb8dc0e248b9fa675a60d9edfb5a462b89754 |
\Windows\system\MvwqyNI.exe
| MD5 | 31b2a7b4554cbd34e1990c95f54bb7d2 |
| SHA1 | 1d50c759da33c1e7bb645fa793c93aaa7a60dd9e |
| SHA256 | 7670999afcd4909c543c16868e2d4abd781a5acc3ceb174d5bbb7dcf99c94fad |
| SHA512 | d1d5f0d317430f48ddf3947e8018d5c001028a3579b424cdede7266c4e8c06933d89192c3456a1e24ae57523af1334b5da136e239ce445586fc7a17c8ac49c57 |
C:\Windows\system\LALXfrU.exe
| MD5 | 4539d372448d97cc806d2231720afad9 |
| SHA1 | 2ced51ef9221b8edc96516e72122eccbb1419e2d |
| SHA256 | c3ae489a1a8f36946555e280005a5a445299673f072020e24bc889cba70be8f6 |
| SHA512 | 072c0153e5c5344da043314279f4f3bfc72cb5aab3c23a33edebadb2d1dfc6b1e5d6483e2ed70c85c54b41017b9d3e2080b92132666385754799e31cfb737dc5 |
C:\Windows\system\qNjXuPB.exe
| MD5 | 2916de78777b4f443f2500517331bfd3 |
| SHA1 | 4a19dcd649f4d166e0c977a0cb8e33b66b5f74d1 |
| SHA256 | abd0dda5d9f969faccebd0dd1376cb46dc8a04c693ad33cafe14bbe8ed1ef26d |
| SHA512 | d3ab86347cee7b85f13e763eec4776a0a2177423e4ca844d3ea56a8150cb27a1dded57aaae47ebde8f50d4bfdea853db6d71a5097f7b0368f176d6dff199f487 |
C:\Windows\system\BRqKtBg.exe
| MD5 | feb4f43171df5be7b2e90c8ac15d52ae |
| SHA1 | fb8fa3f50e57af27a971fd4db41a0f90b329b0e7 |
| SHA256 | aa9067e649f043ff26a5478112002728e1d4ba4b5a44cbae53e9a3a5432e5465 |
| SHA512 | 1047aff972d359fe7cde562d3528777228eb0431f603a36c2f337825740864db5d91d31e5f8da2794c34f2bf2c3e26a20b142617d030e014ee5694d34868fd25 |
C:\Windows\system\hhAGcis.exe
| MD5 | 8990df7c90e62d792c71227566a9ee6b |
| SHA1 | 68dc136d916d0130f8149136cb9c5436c2229744 |
| SHA256 | f501e49ae03ae72956d53f467badc411489da886204969b7b16e5b4cce79ed03 |
| SHA512 | 5ad47f09198d2373aacf5120a9f6a253303b321b1043400f0c9c6ad8b00f474b4faf7106a32cc7bcad88b4b8c0fd06bcd4291365d5d3b0713ac0722bd4cd4ffa |
C:\Windows\system\OcIsmgy.exe
| MD5 | 88227995f910c0903e6081f4618ffbe5 |
| SHA1 | 9d3082f82b823574a6995d6b470a3ae0b9410cb9 |
| SHA256 | 1768fa0321b827979809bf5ae1de45adc4c0b0376edda873812c0b828e855a78 |
| SHA512 | 2ec9ee93391b6f614ad0969f6941f5eabed59cd47ab2b941773b6bd8763addbb341dec40828b130e93dc7edfb708e35503db6aba6868c59483dd18d3a68704e9 |
memory/2964-109-0x000000013FA50000-0x000000013FDA4000-memory.dmp
C:\Windows\system\pFreTGv.exe
| MD5 | 89db638b16557b1ea7579c66070fd784 |
| SHA1 | 85e6de449ebdec68c9a1fe3ed86ad7ee3a8b0efb |
| SHA256 | 0389be5da89f6766fbe9dd9006fb017aaa732d731c046ba85eb50e1c3c9b32b4 |
| SHA512 | b8e4e7c880c61d3101b1873b4975a69e6995e7842b9f070e6e405ae90acb96709b125a3cafb17cf22a18e3eccd330777267919888db4d5518ee120893cda68ed |
memory/2320-135-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2056-98-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/2504-84-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/2056-97-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2620-96-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2972-91-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/2056-90-0x000000013FB60000-0x000000013FEB4000-memory.dmp
C:\Windows\system\rkPXngq.exe
| MD5 | a9d5601544324b5f278b6ec33c8839ee |
| SHA1 | bfad6a6d5b9d443000a5fa03dc1c8afb73dd5733 |
| SHA256 | 93db643a56686bf4a60e98423afee4a9228066f8518c6268d8c61cf846f75ddd |
| SHA512 | 14b3e92acb24ce509769b2e87f31f660fd32dbebe9f85d6b5946eefbf3c986b0e80abf06e1f1dacc5ebd54e8af02ee65bef10ee9232f8e53ea645c74399584b9 |
C:\Windows\system\eHQZGZn.exe
| MD5 | e810f3f2f14a67f664c6523f72de7ff5 |
| SHA1 | 75c8617bd482fbd296f2ecdb084b9453772c4ece |
| SHA256 | 1fa49f6a80a98e508a45c38065cc81da23cacf9ff5384adcdf3b0b3e922c97dc |
| SHA512 | c19b86f4ce0b42cb241b2f9a669c69de2c9c0ad76ecdb9ab47c03b49635b57219ca642169bc2dac774433afcd19b17dbe1da953534c0a2f63ec8d967b4184970 |
memory/2604-59-0x000000013F830000-0x000000013FB84000-memory.dmp
C:\Windows\system\luPqsVz.exe
| MD5 | f70f79d733a28f4d26a9223f63410fbb |
| SHA1 | 48a471a282e2b3d1662f439f934b449f345c1ebb |
| SHA256 | d9c58fb3147021e3827abc8a770b03111cdc705b2c5bc448b60eb90fd7b5edf8 |
| SHA512 | 8b32a83e56b354e2cbb69005b4cfd472ba1956c7913e21c9c93ce7b320ec9af56f88aceb815a1d424b55f15d0fe5cb5913eee4cb768f51d0ed3e01507563fb83 |
memory/2740-136-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2876-76-0x000000013F110000-0x000000013F464000-memory.dmp
\Windows\system\kUkRCZu.exe
| MD5 | ff8398841ba29593d831476129dcbb7e |
| SHA1 | cf782f197605e2b4ea003e70c74d986a6d2997aa |
| SHA256 | e70084e653dcf011f34a4cbca3c78e6fe4b149529d08b5eb786f98f7e519d6bc |
| SHA512 | 0a7bb10562591a5220e175bd4571c456ae3b2f8c5374e0ebf4b141a9cb6683feeef4c5af90b0ae3de8c8153da12ab3ca1cfe9f0fac3d0f55e0d05ab590250fad |
memory/2716-72-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/2056-70-0x000000013F7D0000-0x000000013FB24000-memory.dmp
C:\Windows\system\txqIwhB.exe
| MD5 | 3774b8848cc61b459c98fa54c7b39871 |
| SHA1 | 26942471d316f2b4bdbaa67b081b49f1f55096d6 |
| SHA256 | c1b69dede3412c2b14e60e83773ada5b06d835e16fd8b338efacbe56ecaae8d6 |
| SHA512 | 4239d992050d5aa2ddc6f0f8466e3ebcd114fb99bd2af6022a68bc8bed9b198bf39c46817907be08558eeac5341980b8d7d4f82277b5f52d6776388f138b3f89 |
memory/2056-68-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/2704-66-0x000000013F210000-0x000000013F564000-memory.dmp
memory/2056-65-0x000000013F210000-0x000000013F564000-memory.dmp
C:\Windows\system\zklPevg.exe
| MD5 | e6cbc78bfcc562e91b3a2acc4c5a0760 |
| SHA1 | cfd830a007e97c62facd4f6f5eea846744c92673 |
| SHA256 | 70fd69cc01beca1d04cb2fbd32329f434eff50d908e2bcc15780db84be210444 |
| SHA512 | c305704cd40c7dc7b4d34b76355c1f0c6719482330376212970801a966f4c91ebbaaa7aae1e1cf6b30dbc48e2feda5bc70419e952fce83607630071e6cf75774 |
memory/2740-42-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2056-41-0x0000000002380000-0x00000000026D4000-memory.dmp
C:\Windows\system\GiqJURa.exe
| MD5 | 667354188761882bdf6fd487954c2169 |
| SHA1 | 2fcadbc89a750bc65dd6e8f734b6133cf0ca75a3 |
| SHA256 | 397f81359d41b90bab2b3a576aadf7fcb6ce1c3591ad5fe6ec302bcbdfa04d8c |
| SHA512 | 44354dbe90ba3d36379a42956e60ec2b45e96cc818c79d9a1d9d2036f8a50ba0d87c0488ffd83239a9bb2017c0f87fa153ad6004d7e3218d8f71bad13fe2ba39 |
memory/2692-31-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2056-29-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/2972-27-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/2876-137-0x000000013F110000-0x000000013F464000-memory.dmp
memory/2056-138-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/1508-139-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2972-140-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/2692-141-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2024-142-0x000000013F230000-0x000000013F584000-memory.dmp
memory/2320-143-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2740-144-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2604-145-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2704-146-0x000000013F210000-0x000000013F564000-memory.dmp
memory/2716-147-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/2792-148-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/2504-149-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/2964-151-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/2876-152-0x000000013F110000-0x000000013F464000-memory.dmp
memory/2620-150-0x000000013F2B0000-0x000000013F604000-memory.dmp
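The memory/... entries above are named memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp. Parsed, they show two things the flat list hides: every dumped region in this run except the 64 KiB one at 2056-1 is the same size, 0x354000 bytes, and two address ranges appear once under the sample's PID 2056 and again under a child PID. The report does not say why one range is dumped from two processes; it is consistent with the WriteProcessMemory signature listed above, but that is an inference, not something the page states. The parser below is an added example written for this page, not sandbox code; it embeds ten names copied from this section and uses this example's own function names.

```python
"""
Added example (not part of the report): parse the memory-dump artefact names
listed under Files, which follow memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp,
and summarise region sizes and address ranges that recur across processes.
"""
import re
from collections import Counter, defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Ten artefact names copied verbatim from the behavioral1 Files section above.
REPORT_DUMPS = """
memory/2056-0-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2056-1-0x0000000000200000-0x0000000000210000-memory.dmp
memory/2056-8-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/1508-15-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2056-23-0x000000013F230000-0x000000013F584000-memory.dmp
memory/2024-34-0x000000013F230000-0x000000013F584000-memory.dmp
memory/2320-36-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2056-41-0x0000000002380000-0x00000000026D4000-memory.dmp
memory/2740-42-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2964-109-0x000000013FA50000-0x000000013FDA4000-memory.dmp
""".split()


def parse_dump_name(name):
    """Return pid/seq/start/end/size for one artefact name, or None if it does not fit."""
    m = DUMP_RE.match(name.strip())
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        return None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def parse_all(names):
    return [d for d in map(parse_dump_name, names) if d]


def region_size_histogram(names):
    """How many dumped regions have each size, in bytes."""
    return Counter(d["size"] for d in parse_all(names))


def shared_ranges(names):
    """Address ranges dumped under more than one PID, mapped to the sorted PIDs."""
    by_range = defaultdict(set)
    for d in parse_all(names):
        by_range[(d["start"], d["end"])].add(d["pid"])
    return {r: sorted(p) for r, p in by_range.items() if len(p) > 1}


def summarize(names):
    dumps = parse_all(names)
    sizes = region_size_histogram(names)
    return {
        "n_regions": len(dumps),
        "n_pids": len({d["pid"] for d in dumps}),
        "dominant_size": sizes.most_common(1)[0][0] if sizes else None,
        "shared": shared_ranges(names),
    }


if __name__ == "__main__":
    s = summarize(REPORT_DUMPS)
    print(f"{s['n_regions']} regions from {s['n_pids']} processes; "
          f"most common size 0x{s['dominant_size']:X}")
    for (start, end), pids in s["shared"].items():
        print(f"0x{start:X}-0x{end:X} dumped under PIDs {pids}")
```

A constant region size across 21 distinct-hash executables is the kind of fact that is worth checking before assuming the drops are different payloads; comparing the dumps themselves (they are the unpacked images, per the UPX dump signature) is the next step, and that comparison is not something this page provides.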
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 00:08
Reported
2024-06-28 00:11
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
(21 matches; no description, indicator, process or target recorded)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
(21 matches; no description, indicator, process or target recorded)
UPX dump on OEP (original entry point)
(64 matches; no description, indicator, process or target recorded)
XMRig Miner payload
(64 matches; no description, indicator, process or target recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\XTqZRbd.exe | N/A |
| N/A | N/A | C:\Windows\System\kMMUGvG.exe | N/A |
| N/A | N/A | C:\Windows\System\ehcKjPL.exe | N/A |
| N/A | N/A | C:\Windows\System\giUUhtM.exe | N/A |
| N/A | N/A | C:\Windows\System\hkVuNhx.exe | N/A |
| N/A | N/A | C:\Windows\System\ehxXtdc.exe | N/A |
| N/A | N/A | C:\Windows\System\JVizWlp.exe | N/A |
| N/A | N/A | C:\Windows\System\DBAmxXV.exe | N/A |
| N/A | N/A | C:\Windows\System\SQrgWoE.exe | N/A |
| N/A | N/A | C:\Windows\System\EvBhLdO.exe | N/A |
| N/A | N/A | C:\Windows\System\PJWYjcw.exe | N/A |
| N/A | N/A | C:\Windows\System\ehLPuHe.exe | N/A |
| N/A | N/A | C:\Windows\System\ptfrIlk.exe | N/A |
| N/A | N/A | C:\Windows\System\WoYzCtR.exe | N/A |
| N/A | N/A | C:\Windows\System\olbcXUf.exe | N/A |
| N/A | N/A | C:\Windows\System\VScCFwL.exe | N/A |
| N/A | N/A | C:\Windows\System\fdVbIBd.exe | N/A |
| N/A | N/A | C:\Windows\System\eeXGkHG.exe | N/A |
| N/A | N/A | C:\Windows\System\mzqXjUx.exe | N/A |
| N/A | N/A | C:\Windows\System\altAbnZ.exe | N/A |
| N/A | N/A | C:\Windows\System\BHrmBaS.exe | N/A |
UPX packed file
(64 matches; no description, indicator, process or target recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_b0887affde9e562dcb9420b870c62b35_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\XTqZRbd.exe
C:\Windows\System\XTqZRbd.exe
C:\Windows\System\kMMUGvG.exe
C:\Windows\System\kMMUGvG.exe
C:\Windows\System\ehcKjPL.exe
C:\Windows\System\ehcKjPL.exe
C:\Windows\System\giUUhtM.exe
C:\Windows\System\giUUhtM.exe
C:\Windows\System\hkVuNhx.exe
C:\Windows\System\hkVuNhx.exe
C:\Windows\System\ehxXtdc.exe
C:\Windows\System\ehxXtdc.exe
C:\Windows\System\JVizWlp.exe
C:\Windows\System\JVizWlp.exe
C:\Windows\System\DBAmxXV.exe
C:\Windows\System\DBAmxXV.exe
C:\Windows\System\SQrgWoE.exe
C:\Windows\System\SQrgWoE.exe
C:\Windows\System\EvBhLdO.exe
C:\Windows\System\EvBhLdO.exe
C:\Windows\System\PJWYjcw.exe
C:\Windows\System\PJWYjcw.exe
C:\Windows\System\ehLPuHe.exe
C:\Windows\System\ehLPuHe.exe
C:\Windows\System\ptfrIlk.exe
C:\Windows\System\ptfrIlk.exe
C:\Windows\System\WoYzCtR.exe
C:\Windows\System\WoYzCtR.exe
C:\Windows\System\olbcXUf.exe
C:\Windows\System\olbcXUf.exe
C:\Windows\System\VScCFwL.exe
C:\Windows\System\VScCFwL.exe
C:\Windows\System\fdVbIBd.exe
C:\Windows\System\fdVbIBd.exe
C:\Windows\System\eeXGkHG.exe
C:\Windows\System\eeXGkHG.exe
C:\Windows\System\mzqXjUx.exe
C:\Windows\System\mzqXjUx.exe
C:\Windows\System\altAbnZ.exe
C:\Windows\System\altAbnZ.exe
C:\Windows\System\BHrmBaS.exe
C:\Windows\System\BHrmBaS.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Six TCP connections to this endpoint were recorded; no domain is listed for any of them.
Files
memory/2684-0-0x00007FF72C4B0000-0x00007FF72C804000-memory.dmp
memory/2684-1-0x0000015C0F8A0000-0x0000015C0F8B0000-memory.dmp
C:\Windows\System\XTqZRbd.exe
| MD5 | c2eb6d2a28d7d2d1f4584f87894c8e06 |
| SHA1 | 5c726be9d5103a4af99d4c2180751a495074bd27 |
| SHA256 | dba7c597557ca3bbe8ed13d478c0598a2d42b52a10b22d3ed24050482f19dcd7 |
| SHA512 | 77eb505ba7202fd697fd461ea2f5fa6a8970dab926c99f830bd98929d59597378211e0dd8b4a7b3739789a5353cb6e8922490dc1f747c56862f83b03f95f90e8 |
memory/2252-8-0x00007FF72FBE0000-0x00007FF72FF34000-memory.dmp
C:\Windows\System\kMMUGvG.exe
| MD5 | ae207073ab90cf21cb124b741e0b1827 |
| SHA1 | 86c50b8b656b05a0a926493ab2f19d93de77acc1 |
| SHA256 | 2a14796ae6e188d6ae9ed750fe0157e075c57fab6cc518f65cf7a46cba8b4435 |
| SHA512 | c76178b58b1766522a0b4da0b5a2c11c14513f14ccd615a2f3b548d23385fdaa71e570846b0870d038df50816b50c47e6c35c52530ef6b4d60444d4aa8f20382 |
C:\Windows\System\ehcKjPL.exe
| MD5 | b3724161a9334ed2e2ca650f25418099 |
| SHA1 | f52b8fb07267950cbc669c4db692e6b59552dd74 |
| SHA256 | 0920aebf58425887abe35de77dfd7691af8962c5ddcde5c9a21b5e39c0e8bd59 |
| SHA512 | 14110fcf2836d9fd1499d45a26b949bb3637a84cc13433c8aa5c42fd6c214c1b3d8015b4bad8bdd8750fadb48a32dd2eed7a49982d4399196e58e00a413b138d |
C:\Windows\System\giUUhtM.exe
| MD5 | 43f5268d03f1336dfa9f550e18170c48 |
| SHA1 | 8209399e9e9b8ab73e770554cf03db5e8a5e2cc6 |
| SHA256 | 66fda77672b345d3f683f0b6d4c01c3adaa329686ac4c0156ff02fa61f93869e |
| SHA512 | 2a76139bbf43e469aa45b43509687e42d8a482cc18cbbee8421fe6348845fa3a8cf81fd87563b743c3726ae65ccdbc67662b6e4a72fb9bf7275688300d671a6b |
memory/1308-26-0x00007FF748DE0000-0x00007FF749134000-memory.dmp
memory/2724-18-0x00007FF60DDE0000-0x00007FF60E134000-memory.dmp
memory/4392-15-0x00007FF66F480000-0x00007FF66F7D4000-memory.dmp
C:\Windows\System\hkVuNhx.exe
| MD5 | c3bd3aebf4dc56a8a83f73737ccee975 |
| SHA1 | 5c57f2297e65f582bfcef948a8c19781c7cd9ee9 |
| SHA256 | aa251132c2532797c4e40a02426eb7d8d3ad63549ab3b20150d3b71042a86a91 |
| SHA512 | 88c72815041a0311afcd144a65aa059c3855e55265fb0bb95c0d9f0c6b6eb2373c58fa38728abbfc2eea78fc6d17571e59df26fc63ea0de5b7ec7031e9b65d05 |
memory/4820-32-0x00007FF656B80000-0x00007FF656ED4000-memory.dmp
C:\Windows\System\ehxXtdc.exe
| MD5 | 169cd7680096cfe7c7da6fb8fb2eb543 |
| SHA1 | 168890a2137dfc2eee6589bef2f1c84a4bb00037 |
| SHA256 | ef00168b5e0b179ddbc3083e1b39366586657c464048aa55fcf6644cd94a5c3f |
| SHA512 | 67218a0fdf9c6e806119097d906340fdaaff19b550fd754c3d86c5b2b22314f02b8fcbdf08cbdd0c97511f48ec562ef4e4adbf4e3ea09e1a702c3e1aeb424743 |
memory/3488-38-0x00007FF6F19E0000-0x00007FF6F1D34000-memory.dmp
C:\Windows\System\JVizWlp.exe
| MD5 | b85f58c89595ad1c05d51210419e1a34 |
| SHA1 | 4146ef636167a1c15f932ece44eb4cd9e06aaef8 |
| SHA256 | b88cb06bf2166868ae01fc735f4061ead11f0ef03730ae998f592f6d43ad18ab |
| SHA512 | baad8d4eed398bf6faa93128c10bdf7324bb7f2e80ad8e4e314caf807181ad3c4650ae3679c851f9949ef403b35d7135a000296b2db698a7a7654668b2c4fc7e |
memory/920-44-0x00007FF7792A0000-0x00007FF7795F4000-memory.dmp
memory/4784-50-0x00007FF6A8350000-0x00007FF6A86A4000-memory.dmp
C:\Windows\System\SQrgWoE.exe
| MD5 | 738231c35ceacdeaecb2d5322496ccca |
| SHA1 | 3ec66f945c529533683eccbbda5c385fa5513f9e |
| SHA256 | d7aa49c8f95aff7183ce7b6b5c794674eee5d42f99d444b324ba6b98b863bc50 |
| SHA512 | 4b4dab4a5625aed016e5ca0ef6c48e4025b9c9a8a9476ad4991c39cafc582fa677181abcbd13e2951fe1337dc0ce34522871ab89e5a7be4972b697cbc36c1f39 |
C:\Windows\System\DBAmxXV.exe
| MD5 | 240c350115d9d25bed9dfa9f13703b88 |
| SHA1 | 86bfca4b74dd690628e7217ea07bb8343b212f4e |
| SHA256 | 70cac281eaad445824d7982e67e421741085bb9ffa363f0048acae506ff0c743 |
| SHA512 | baa82a3f1a28dfe7bb3ecda877a39de2e13e2c9cf817be0b78c849944c13efa94404878d90a782991bc5f6811290563020a2baf477ac2bcc7be94b85dfa30191 |
C:\Windows\System\EvBhLdO.exe
| MD5 | 0af65ee28850fe3164ead1e5577711aa |
| SHA1 | 88e7497c6a2ff321ae95104528365c2dbcde87ec |
| SHA256 | f76f8b312471848613e6d7eb5540b3fc8095369e2f91e71cf19381c434d4e3e3 |
| SHA512 | b6e31b8313b836ed6c9641c2083765e04e2afd78e53eacdfe9d33c2ccb9a6101b86939715066d5ca91b15612742cc42cd0afa77cd40edc96ee09be7e44f79965 |
C:\Windows\System\PJWYjcw.exe
| MD5 | a96a458492d6d098fec1b6f06f37a12d |
| SHA1 | 2f9ffb2e4d889514b5d8684c8f126f42e6b4324f |
| SHA256 | cdad48a2904c84e631bb006d8c503789815e1e0e389d35f2c4a76538278560f3 |
| SHA512 | 67dbad93b89560825ccba59c946d57bb26adacf37c6155db5489960e60be8eca40631b16b923fc8ddb3a092344181da392977b12c0e13e5ea253a8dfe6d7ce25 |
memory/4392-73-0x00007FF66F480000-0x00007FF66F7D4000-memory.dmp
memory/2724-80-0x00007FF60DDE0000-0x00007FF60E134000-memory.dmp
memory/4816-81-0x00007FF7D4170000-0x00007FF7D44C4000-memory.dmp
C:\Windows\System\ptfrIlk.exe
| MD5 | 6772c741e237a37c5aa36306cfd88409 |
| SHA1 | 4da409b80e1f9e0dc94c4a03b07807e858239bf9 |
| SHA256 | 611ecc9912140550ed355c6e9131a7c554e2958f48fa975052e2e37af2b07963 |
| SHA512 | 93f82d05716a086cb482b3686d5f87ee8b593102c72224e41437d442d918c9e7f979139e0c077fde3c77ae887a2f1e7e7d5bb01bf9a6271f414d93136a41757c |
memory/1780-75-0x00007FF77FA30000-0x00007FF77FD84000-memory.dmp
C:\Windows\System\ehLPuHe.exe
| MD5 | 4f98dbdf5230cdd7fa8d35d2833bf1ed |
| SHA1 | 2e524e7b351a60cba49eb952b7f6da1e460290e3 |
| SHA256 | b580c120a0d4a1b505fcf2487dcbf273a20988a61ab1930d34a1bfd55e5953b8 |
| SHA512 | 13481fd75170dfb69c4954849cb3f7649fc69e8a110b2b416c958ba1a72036a51413fbbdd82678494cca6f372f9dcf66929b39e8155a6dae10a47dd543bf15af |
memory/1840-67-0x00007FF6A07A0000-0x00007FF6A0AF4000-memory.dmp
memory/2684-60-0x00007FF72C4B0000-0x00007FF72C804000-memory.dmp
memory/2420-62-0x00007FF7DE350000-0x00007FF7DE6A4000-memory.dmp
memory/2440-56-0x00007FF6AEE70000-0x00007FF6AF1C4000-memory.dmp
C:\Windows\System\WoYzCtR.exe
| MD5 | a23e111ade178436f1f38ca44e686640 |
| SHA1 | 63d1e99991982acd0945d55436584c18d79359f6 |
| SHA256 | 8589a261d3ca34e02c4ccfd58ab2c6acaf38295136cad7e70ca3133b8f05ccb5 |
| SHA512 | 6763add3b7669bde6d0109b94a0a7ef8ff28734895339a6e5c9c8898b2ece8701994e8f06b9135381468077fa20f9d282c94a06ab990144f6a7c74e02c0ffb38 |
memory/2268-98-0x00007FF7867C0000-0x00007FF786B14000-memory.dmp
memory/3488-104-0x00007FF6F19E0000-0x00007FF6F1D34000-memory.dmp
C:\Windows\System\fdVbIBd.exe
| MD5 | c1064cbf8fb9573f2ac89d2b2f472cf6 |
| SHA1 | 817c9ae7c1d42d826efe332071a2e830e60199a7 |
| SHA256 | 35f6f5bdb3a0c3e74322d25df315125d0b0f8e77695150952e1d11435e4262d2 |
| SHA512 | 2d93be12b82006737d4f2caf12811872fdc3a8c20c2ed9a404168b86adda67e4a1bcb0da29c780d9e624d1d2eb7e184cf8c30afa734e64c4259a0be2221f752e |
memory/2456-106-0x00007FF6C2C30000-0x00007FF6C2F84000-memory.dmp
memory/3460-103-0x00007FF704BE0000-0x00007FF704F34000-memory.dmp
C:\Windows\System\VScCFwL.exe
| MD5 | 94ab27a3a2fe7b5ff01827c8598efbec |
| SHA1 | 0e2c224dcb8c08bc27180ab2a16004c659a29bf3 |
| SHA256 | a427cc942f3c232c056bb5b0933d7505564304b467e94deb46bf416a6f2b6e48 |
| SHA512 | 573bd24c24bcbb7ce94bcce52ff65359bbae72de7e7afd1c6f68a2c8976301746cdabaed0f71030384de7fd3b57abd94e2be1e44abdc369468630f4f391ea962 |
C:\Windows\System\olbcXUf.exe
| MD5 | baa7e1df3626790a5fb77a46567e9743 |
| SHA1 | bc25204d8b925a9ba68f50161a806b9ac20a93cb |
| SHA256 | 9d7ab9fd2ba7c10e199771c1af84945aea5d167af8ab2fdc61c03f0ebdbb19b1 |
| SHA512 | 206e4abe8e07d2474cc3f4331d9adf5779c1d34c8b8d395a3b845ece4c5bf8079cfc031f85506c3553125d53d4e342c7251ea2b4fc3a01489e630041209362fb |
memory/2396-91-0x00007FF7BC920000-0x00007FF7BCC74000-memory.dmp
C:\Windows\System\eeXGkHG.exe
| MD5 | 82305a62cacb133c0bcfb974e3984847 |
| SHA1 | c0a14011723635a7fcf1018eed23ec51f0653cd4 |
| SHA256 | e855f093af9d366027337ece7b8af2a3c831cb910732bef40564d2290875aad1 |
| SHA512 | 695f302b1b1fa6a2a986beae853f15e37d8ed736f7f7d0eda8abf3717fe68163d04a38cbe0094d6cc16e94254b07739f09bcf4d752ecf9a8083d7be02777a12f |
memory/2440-118-0x00007FF6AEE70000-0x00007FF6AF1C4000-memory.dmp
C:\Windows\System\altAbnZ.exe
| MD5 | c72666611562a0ef9feebbd81d6dd6ac |
| SHA1 | 6b9cb741eba718fb8f84c376a91eb2da2eb55209 |
| SHA256 | d72edaab1e27625a55e09beccb8599959289d806f910d3d0ca8ba6829d6d08a3 |
| SHA512 | 3083d0411c947ee45c646e78f3e6526e2148222371c9917c501c88695b569232fa89d0858c832791b61f8ad6b40847f2fa3e43df3982f4d2de96917b4869e961 |
C:\Windows\System\BHrmBaS.exe
| MD5 | 0ead6f38c827671e7c2e6c32ed7073a3 |
| SHA1 | 077e1854a271bf25d995e016fdb331f6387b409b |
| SHA256 | 25a9877fc8c318bf4ca2a223dba60c182ca6f764f9f486385cd59996e34beb94 |
| SHA512 | 754fb520fff5dbe757ee0eb3d2b310b5f1e4ab4b3b902a75a33e6a5048fe23057c199e91085917202116d7ecc29e23bccf6ffc881f9873e8678947ac4c960220 |
memory/2592-134-0x00007FF6EFD70000-0x00007FF6F00C4000-memory.dmp
memory/1840-133-0x00007FF6A07A0000-0x00007FF6A0AF4000-memory.dmp
memory/3928-129-0x00007FF6E1380000-0x00007FF6E16D4000-memory.dmp
memory/2420-127-0x00007FF7DE350000-0x00007FF7DE6A4000-memory.dmp
C:\Windows\System\mzqXjUx.exe
| MD5 | 939d7fe664770819f5fcf1f7947f8314 |
| SHA1 | 4823624aa3cef9eb621b2cf2809b7ec53a3da678 |
| SHA256 | 5a48f2766e6d0bba9309e547ff917490339f479c15a2da70ebc23b6c30bec979 |
| SHA512 | 4af031d83a7f2276c917db757eaea67c271a3edf6804c91d0ba8857117983fe0c663e498800f057e9aa246b2b8957db7e5739351dd253e0ac5c0616e14f35c17 |
memory/4348-119-0x00007FF6CE070000-0x00007FF6CE3C4000-memory.dmp
memory/1952-112-0x00007FF649E50000-0x00007FF64A1A4000-memory.dmp
memory/4816-135-0x00007FF7D4170000-0x00007FF7D44C4000-memory.dmp
memory/3460-136-0x00007FF704BE0000-0x00007FF704F34000-memory.dmp
memory/2456-137-0x00007FF6C2C30000-0x00007FF6C2F84000-memory.dmp
memory/1952-138-0x00007FF649E50000-0x00007FF64A1A4000-memory.dmp
memory/4348-139-0x00007FF6CE070000-0x00007FF6CE3C4000-memory.dmp
memory/2252-140-0x00007FF72FBE0000-0x00007FF72FF34000-memory.dmp
memory/4392-141-0x00007FF66F480000-0x00007FF66F7D4000-memory.dmp
memory/2724-142-0x00007FF60DDE0000-0x00007FF60E134000-memory.dmp
memory/1308-143-0x00007FF748DE0000-0x00007FF749134000-memory.dmp
memory/4820-144-0x00007FF656B80000-0x00007FF656ED4000-memory.dmp
memory/3488-145-0x00007FF6F19E0000-0x00007FF6F1D34000-memory.dmp
memory/920-146-0x00007FF7792A0000-0x00007FF7795F4000-memory.dmp
memory/4784-147-0x00007FF6A8350000-0x00007FF6A86A4000-memory.dmp
memory/2440-148-0x00007FF6AEE70000-0x00007FF6AF1C4000-memory.dmp
memory/2420-149-0x00007FF7DE350000-0x00007FF7DE6A4000-memory.dmp
memory/1780-150-0x00007FF77FA30000-0x00007FF77FD84000-memory.dmp
memory/1840-151-0x00007FF6A07A0000-0x00007FF6A0AF4000-memory.dmp
memory/4816-152-0x00007FF7D4170000-0x00007FF7D44C4000-memory.dmp
memory/2396-153-0x00007FF7BC920000-0x00007FF7BCC74000-memory.dmp
memory/2268-154-0x00007FF7867C0000-0x00007FF786B14000-memory.dmp
memory/3460-155-0x00007FF704BE0000-0x00007FF704F34000-memory.dmp
memory/2456-156-0x00007FF6C2C30000-0x00007FF6C2F84000-memory.dmp
memory/1952-157-0x00007FF649E50000-0x00007FF64A1A4000-memory.dmp
memory/4348-158-0x00007FF6CE070000-0x00007FF6CE3C4000-memory.dmp
memory/3928-159-0x00007FF6E1380000-0x00007FF6E16D4000-memory.dmp
memory/2592-160-0x00007FF6EFD70000-0x00007FF6F00C4000-memory.dmp
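An added hunting helper, written for this page and not part of the sandbox report or of any vendor tool: it sweeps a directory tree for the dropper's artefacts, flagging .exe files whose SHA256 appears in the Files table above or whose name follows the seven-letter scheme the sample used under C:\Windows\System, and it parses the memory dump names above to show that every dumped image region has the same size (0x354000 bytes). The name heuristic is deliberately scoped to the drop directory because ordinary binaries such as notepad.exe also have seven-letter names. The demo tree, its file contents and the names KNOWN_SHA256, find_dropped_payloads, parse_memory_dump_name, region_sizes and demo are constructed for this example; the hash values in KNOWN_SHA256 are copied from the report.

```python
import hashlib
import os
import re
import tempfile

# Dropped-file naming seen in this report: seven ASCII letters plus ".exe",
# written directly under C:\Windows\System.  Assumption: the same scheme holds
# for sibling samples of this dropper; adjust it against your own data.
DROPPED_NAME_RE = re.compile(r"^[A-Za-z]{7}\.exe$")

# SHA256 values copied from the report's Files table (add the rest in the same form).
KNOWN_SHA256 = {
    "dba7c597557ca3bbe8ed13d478c0598a2d42b52a10b22d3ed24050482f19dcd7",  # XTqZRbd.exe
    "2a14796ae6e188d6ae9ed750fe0157e075c57fab6cc518f65cf7a46cba8b4435",  # kMMUGvG.exe
    "0920aebf58425887abe35de77dfd7691af8962c5ddcde5c9a21b5e39c0e8bd59",  # ehcKjPL.exe
    "66fda77672b345d3f683f0b6d4c01c3adaa329686ac4c0156ff02fa61f93869e",  # giUUhtM.exe
    "aa251132c2532797c4e40a02426eb7d8d3ad63549ab3b20150d3b71042a86a91",  # hkVuNhx.exe
    "ef00168b5e0b179ddbc3083e1b39366586657c464048aa55fcf6644cd94a5c3f",  # ehxXtdc.exe
    "25a9877fc8c318bf4ca2a223dba60c182ca6f764f9f486385cd59996e34beb94",  # BHrmBaS.exe
}

# Dump names in the report look like "memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp".
MEMORY_DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<n>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_memory_dump_name(name):
    """Split a dump file name into pid, sequence number, start, end and region size."""
    m = MEMORY_DUMP_RE.match(name.strip())
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "n": int(m["n"]), "start": start, "end": end, "size": end - start}


def region_sizes(names):
    """Distinct region sizes across dump names; a single value means every dumped image was the same size."""
    return {r["size"] for r in map(parse_memory_dump_name, names) if r}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_dropped_payloads(root, known_sha256=KNOWN_SHA256, name_re=DROPPED_NAME_RE, drop_dir="System"):
    """Return [(path, sha256, reasons)] for .exe files under root that match a known
    hash, or that sit directly in the drop directory and follow the naming scheme.
    Only .exe files are hashed so the sweep stays cheap on a full system drive."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        in_drop_dir = os.path.basename(dirpath).lower() == drop_dir.lower()
        for fn in filenames:
            if not fn.lower().endswith(".exe"):
                continue
            path = os.path.join(dirpath, fn)
            digest = sha256_file(path)
            reasons = []
            if digest in known_sha256:
                reasons.append("known-hash")
            if in_drop_dir and name_re.match(fn):
                reasons.append("name-pattern")
            if reasons:
                hits.append((path, digest, reasons))
    return sorted(hits)


# Constructed demo data: stand-ins for what a dropper might leave behind.
DEMO_FILES = {
    "Windows/System/AbCdEfG.exe": b"MZ" + b"\x00" * 64 + b"demo-unknown-hash",   # name matches only
    "Windows/System/relocated.exe": b"MZ" + b"\x00" * 64 + b"demo-known-hash",   # hash matches only
    "Windows/System32/notepad.exe": b"MZ" + b"\x00" * 64 + b"benign-looking",    # 7 letters, wrong dir
    "Windows/System/readme.txt": b"not an executable",                            # skipped
}


def demo():
    """Build the demo tree in a temp dir, sweep it and return {basename: reasons}."""
    known = set(KNOWN_SHA256) | {hashlib.sha256(DEMO_FILES["Windows/System/relocated.exe"]).hexdigest()}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in DEMO_FILES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        return {os.path.basename(p): reasons for p, _, reasons in find_dropped_payloads(root, known)}


if __name__ == "__main__":
    print(demo())
    print(region_sizes([
        "memory/2684-0-0x00007FF72C4B0000-0x00007FF72C804000-memory.dmp",
        "memory/2252-8-0x00007FF72FBE0000-0x00007FF72FF34000-memory.dmp",
    ]))
```

On a live host the sweep would be pointed at C:\Windows with the full hash list from the Files table; the hash match is the precise indicator, the name match is a lead to triage by hand, and the uniform dump size is a quick way to group the dropped copies as one payload family before looking at them individually.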