Analysis Overview
SHA256
0a6e7d489bd550aa8566a41256d25b2191780f57fef260e9ab65af87f3961ee9
Threat Level: Known bad
The file 2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike
Cobaltstrike family
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
xmrig
Detects Reflective DLL injection artifacts
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-28 08:48
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 08:48
Reported
2024-06-28 08:51
Platform
win7-20240221-en
Max time kernel
139s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\LKlFUJS.exe | N/A |
| N/A | N/A | C:\Windows\System\uCgCAxY.exe | N/A |
| N/A | N/A | C:\Windows\System\bGlWoKd.exe | N/A |
| N/A | N/A | C:\Windows\System\TrfxDdi.exe | N/A |
| N/A | N/A | C:\Windows\System\kKejgDb.exe | N/A |
| N/A | N/A | C:\Windows\System\pvmVkZm.exe | N/A |
| N/A | N/A | C:\Windows\System\UEuNVPC.exe | N/A |
| N/A | N/A | C:\Windows\System\kwCpxOc.exe | N/A |
| N/A | N/A | C:\Windows\System\EoUfTzJ.exe | N/A |
| N/A | N/A | C:\Windows\System\iEVXxsy.exe | N/A |
| N/A | N/A | C:\Windows\System\pwmvBXE.exe | N/A |
| N/A | N/A | C:\Windows\System\nmrDsLJ.exe | N/A |
| N/A | N/A | C:\Windows\System\bJtNeYz.exe | N/A |
| N/A | N/A | C:\Windows\System\dxBuJMs.exe | N/A |
| N/A | N/A | C:\Windows\System\oezPbEn.exe | N/A |
| N/A | N/A | C:\Windows\System\msTsSau.exe | N/A |
| N/A | N/A | C:\Windows\System\yvgXdML.exe | N/A |
| N/A | N/A | C:\Windows\System\flXEETd.exe | N/A |
| N/A | N/A | C:\Windows\System\USuXvUq.exe | N/A |
| N/A | N/A | C:\Windows\System\bkgVmzW.exe | N/A |
| N/A | N/A | C:\Windows\System\JfQTIjc.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\LKlFUJS.exe
C:\Windows\System\uCgCAxY.exe
C:\Windows\System\bGlWoKd.exe
C:\Windows\System\TrfxDdi.exe
C:\Windows\System\kKejgDb.exe
C:\Windows\System\pvmVkZm.exe
C:\Windows\System\UEuNVPC.exe
C:\Windows\System\kwCpxOc.exe
C:\Windows\System\EoUfTzJ.exe
C:\Windows\System\iEVXxsy.exe
C:\Windows\System\msTsSau.exe
C:\Windows\System\pwmvBXE.exe
C:\Windows\System\yvgXdML.exe
C:\Windows\System\nmrDsLJ.exe
C:\Windows\System\flXEETd.exe
C:\Windows\System\bJtNeYz.exe
C:\Windows\System\USuXvUq.exe
C:\Windows\System\dxBuJMs.exe
C:\Windows\System\bkgVmzW.exe
C:\Windows\System\oezPbEn.exe
C:\Windows\System\JfQTIjc.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 08:48
Reported
2024-06-28 08:51
Platform
win10v2004-20240508-en
Max time kernel
139s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\OuFkfkK.exe | N/A |
| N/A | N/A | C:\Windows\System\GlZCCYN.exe | N/A |
| N/A | N/A | C:\Windows\System\KxUBFUg.exe | N/A |
| N/A | N/A | C:\Windows\System\tyJIYNc.exe | N/A |
| N/A | N/A | C:\Windows\System\AtbeCcV.exe | N/A |
| N/A | N/A | C:\Windows\System\zERJyHy.exe | N/A |
| N/A | N/A | C:\Windows\System\eprqOEM.exe | N/A |
| N/A | N/A | C:\Windows\System\LLnlvYx.exe | N/A |
| N/A | N/A | C:\Windows\System\GZTuARL.exe | N/A |
| N/A | N/A | C:\Windows\System\CemnGxa.exe | N/A |
| N/A | N/A | C:\Windows\System\QMzQFVp.exe | N/A |
| N/A | N/A | C:\Windows\System\pWilhxn.exe | N/A |
| N/A | N/A | C:\Windows\System\FEFjyRx.exe | N/A |
| N/A | N/A | C:\Windows\System\PrFhyrY.exe | N/A |
| N/A | N/A | C:\Windows\System\eRICHhM.exe | N/A |
| N/A | N/A | C:\Windows\System\kphZlHt.exe | N/A |
| N/A | N/A | C:\Windows\System\kTIPZxd.exe | N/A |
| N/A | N/A | C:\Windows\System\atguRlG.exe | N/A |
| N/A | N/A | C:\Windows\System\NSgalRo.exe | N/A |
| N/A | N/A | C:\Windows\System\vWhtQAs.exe | N/A |
| N/A | N/A | C:\Windows\System\VYPiIut.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-28_5b4588095736a72438b5b0bdf5149a96_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\OuFkfkK.exe
C:\Windows\System\GlZCCYN.exe
C:\Windows\System\KxUBFUg.exe
C:\Windows\System\tyJIYNc.exe
C:\Windows\System\AtbeCcV.exe
C:\Windows\System\zERJyHy.exe
C:\Windows\System\eprqOEM.exe
C:\Windows\System\LLnlvYx.exe
C:\Windows\System\GZTuARL.exe
C:\Windows\System\CemnGxa.exe
C:\Windows\System\QMzQFVp.exe
C:\Windows\System\pWilhxn.exe
C:\Windows\System\FEFjyRx.exe
C:\Windows\System\PrFhyrY.exe
C:\Windows\System\eRICHhM.exe
C:\Windows\System\kphZlHt.exe
C:\Windows\System\kTIPZxd.exe
C:\Windows\System\atguRlG.exe
C:\Windows\System\NSgalRo.exe
C:\Windows\System\vWhtQAs.exe
C:\Windows\System\VYPiIut.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
| SHA256 | e470f3c1a14cdff60c3887c002b0f3af1706c68e8b2010d3e5523169d44c3102 |
| SHA512 | d5887bdd5fb11b102adc407b7ff85723b52ac5f3b866f89a2939b2421e39ef4d2624f6d0d7fbd00469461c352a9ca8fda38c7f4589c3ee5fb53dcc32d7875193 |
C:\Windows\System\PrFhyrY.exe
| MD5 | c58528332608f195cee67d0fa8b48fcc |
| SHA1 | 1b708dd58ba7bf80f0cbb450a8505a748c788554 |
| SHA256 | 1106cdcb22c8f7dc2a66c69fc67aa98407d4839f09c7c26a7426d1d19245dc3f |
| SHA512 | 822c096b9341a561926bde1b5ef197e4177c8f360256b7edeaccd4051a45975f0618f781c46f2544d58b0f7a7cd93db0e748878d8fb6527beed45a7e90d747c1 |
C:\Windows\System\kTIPZxd.exe
| MD5 | 1d0f46519d0acd4d19f2298055bbddcf |
| SHA1 | 3336e6a640503def8ae193bcd58022c7fb0bc346 |
| SHA256 | 0801b73e6822e633c87c457a753534e646c28648104d31f6ac030a33aae949be |
| SHA512 | 9315d69a706f52ce12997d9caf1e2bf5bfb0f74f99bc7f926d72114fb381ddd82ba811a31e4d3818a1da8ea2c1c810f3965bfbf0cc0ca43aa119716b58c8787a |
C:\Windows\System\vWhtQAs.exe
| MD5 | 88953cec1389603c5110818b72ee119a |
| SHA1 | 995363123f3c9566b59912cd88f86c4925ce54cd |
| SHA256 | 5fdef7c0b07576ca4d40d8043bd58a90a7dadf26a3303e8b9030fd9c7ff7a5db |
| SHA512 | 3d335d54b03dc7659999599e337a9a4e7901932c9aa002dfb8a9c188ac2e6cce26077527701a30910f0f4c56cc5952104f81a56a0c7a8b21441858ab7f2a7348 |
C:\Windows\System\VYPiIut.exe
| MD5 | 8a230a4270911ecd863306fe2c96f9b2 |
| SHA1 | 3062cfb76158c62b65e52da004b5e59a20fc058f |
| SHA256 | 4be44d313d1fd7a2a26da5195704649de8a054e6cb0ae91dc111ace07c3bbcc1 |
| SHA512 | 84ceb63bbf55a75f8d88a1df98f195b0dab4f4c3dea20e989c19509ec0e991cde3929fb14d0a8162a2d4c9a29a0eeaba619872fdb16571715355e126efddd4b2 |
C:\Windows\System\NSgalRo.exe
| MD5 | 494acb77ddc08e580daa358b4d9751e0 |
| SHA1 | 169b899a461302a3adbf4ac96249b4d6ed2d324c |
| SHA256 | 77262b0f2fc1289ce0e348d16a7582fc4dc5bec41d7908d0de9e0ac323b69aea |
| SHA512 | f46004c4f25011b2a717464589a51469db640fc542d1d3dfc6fb0dd1d4e7216427a1834358522517ccf43e96f0db05015b0119bd74306add202f2350d37b202e |
C:\Windows\System\atguRlG.exe
| MD5 | 06b45c028ec942d34c021b6d07297fe1 |
| SHA1 | 01d6fbb475c5f2591f267f61f206bbc46e82e1c6 |
| SHA256 | bff3022e7f6c38b003305f009ccf1fe4c43e9c0de55f9dcab67c785ea301ed8d |
| SHA512 | 277b300bca3c9bb201622e94be80a719fbe552d9dc49dd2947c2c93b9b13587835921cd29bb3bb654561b8fcb725b4b5ef12ca6b95641de6790b4fb6e6beca95 |
C:\Windows\System\kphZlHt.exe
| MD5 | 34b003ad12718a5d15412172a7878ede |
| SHA1 | c438bf0c28b9b564f5df44bb1dc5e327c1f4da7b |
| SHA256 | 0b9f45449e6fa1aa4e48e4f8dcf51a8959020618a37783657b94ccaa95d7109d |
| SHA512 | fff60b31dcc0ae190bd492d210ee18504060e7e6361b212aca741b4a9dcba27e82ceca4e56747793f12c211444a457bba53025690314f796960713d2d983dbc0 |
C:\Windows\System\eRICHhM.exe
| MD5 | 7cbcbf910986e7661b91ff09bbb37a34 |
| SHA1 | 62f2ba17e68b23fa2261d09d19dafa8b065066ee |
| SHA256 | c490cf7614aacb503c3bed7cf354d0cd6dd70c133123069d649ed1bd4f11dd7c |
| SHA512 | 5349b3c0fd4d6c23beead3386ca6e13406b0da47985c2532501113d691e805dd6fc87ddea84b1ed9780e4e1ddb36400003e4308783d97225df7af0e3c65c5786 |
C:\Windows\System\FEFjyRx.exe
| MD5 | 41cdbe7fa0c556fb39c156a936012866 |
| SHA1 | a201baf1d3d1f99e879d5c9fa6d0e46c190bd2f0 |
| SHA256 | 78420fef6fb1a215a8e2cdd9cf71a319a1daa0fcd6eccb0d949fcdffd5469524 |
| SHA512 | 5b7280ee83467ca4d55ded1ed45523e794b0812a09f2a0e03eeb1c25251bdf3e5c78ec0a86d0e3cca3b9670a12a6083f9845c5d9df4e32c0d76a7bb75e9a89fe |
C:\Windows\System\pWilhxn.exe
| MD5 | a9093990efcc56549faa7ae18bd48878 |
| SHA1 | 214227d5259588f61f433541186fbf2430a61667 |
| SHA256 | 965a96ef6763fdad6f6bd08e196ba6b01cb6dd4090038e627625cdda2da8315b |
| SHA512 | 3b555fbcefe0e718b77943bce380a1f5b7ada26a622fe4eb0eaae423d92943738bbbffa16337005f76ab17d51a59bf4158907f3b4a5866c73c34fd1fe2a4598f |
C:\Windows\System\QMzQFVp.exe
| MD5 | 59d02c6467945f67722d916500f48ce8 |
| SHA1 | 1de16ddc60ebced80c04ad763710124515a4174f |
| SHA256 | 3eefc9cdfbbd7f234d0255b9d4dbfaaa21eb63bab95758c7dc6e65f2dc2f8fb5 |
| SHA512 | 4623e08cd61c78a86d093329483871cae1ae59eb055c2550540375bb2ba9df232d81bb37e8f1750e2e5e451a5dcc1eb82628e728c2c4e3464d822318a84e8b47 |
memory/1556-46-0x00007FF6CE0E0000-0x00007FF6CE434000-memory.dmp
C:\Windows\System\zERJyHy.exe
| MD5 | d7f9b442b19d26612f2ee3eb9ccecc08 |
| SHA1 | c323831eb81c146a0eb26e0ee252cc53edc40f2f |
| SHA256 | fbd45844ea7a38679c9a712f0a24c3d08ca8e31f48f98dc48e8a04831d49cd56 |
| SHA512 | 72306063ce2bd143b54f9f12512351878b686cef9a74815d811e49ab453967064f34d32c557283e0f2b3e4557b7a516ec74613d87a4bba8381514ef7f31fc102 |
memory/1436-115-0x00007FF7FE540000-0x00007FF7FE894000-memory.dmp
memory/4532-116-0x00007FF691A10000-0x00007FF691D64000-memory.dmp
memory/3528-114-0x00007FF727A70000-0x00007FF727DC4000-memory.dmp
memory/1776-117-0x00007FF703960000-0x00007FF703CB4000-memory.dmp
memory/4584-118-0x00007FF7E4740000-0x00007FF7E4A94000-memory.dmp
memory/3492-120-0x00007FF6B4A50000-0x00007FF6B4DA4000-memory.dmp
memory/2668-122-0x00007FF6EDFC0000-0x00007FF6EE314000-memory.dmp
memory/4492-123-0x00007FF67FAB0000-0x00007FF67FE04000-memory.dmp
memory/4188-121-0x00007FF6716E0000-0x00007FF671A34000-memory.dmp
memory/5080-124-0x00007FF6A0C60000-0x00007FF6A0FB4000-memory.dmp
memory/1140-126-0x00007FF61D980000-0x00007FF61DCD4000-memory.dmp
memory/1292-127-0x00007FF6D2E60000-0x00007FF6D31B4000-memory.dmp
memory/632-125-0x00007FF7E4D70000-0x00007FF7E50C4000-memory.dmp
memory/868-119-0x00007FF6E9350000-0x00007FF6E96A4000-memory.dmp
memory/2076-129-0x00007FF7E2CC0000-0x00007FF7E3014000-memory.dmp
memory/1724-128-0x00007FF7C0E90000-0x00007FF7C11E4000-memory.dmp
memory/972-130-0x00007FF6E1FA0000-0x00007FF6E22F4000-memory.dmp
memory/2076-131-0x00007FF7E2CC0000-0x00007FF7E3014000-memory.dmp
memory/972-132-0x00007FF6E1FA0000-0x00007FF6E22F4000-memory.dmp
memory/2236-133-0x00007FF63A380000-0x00007FF63A6D4000-memory.dmp
memory/2876-134-0x00007FF6F24E0000-0x00007FF6F2834000-memory.dmp
memory/3124-135-0x00007FF7FAE20000-0x00007FF7FB174000-memory.dmp
memory/1892-136-0x00007FF607810000-0x00007FF607B64000-memory.dmp
memory/1556-137-0x00007FF6CE0E0000-0x00007FF6CE434000-memory.dmp
memory/1140-138-0x00007FF61D980000-0x00007FF61DCD4000-memory.dmp
memory/1292-139-0x00007FF6D2E60000-0x00007FF6D31B4000-memory.dmp
memory/3528-140-0x00007FF727A70000-0x00007FF727DC4000-memory.dmp
memory/1436-141-0x00007FF7FE540000-0x00007FF7FE894000-memory.dmp
memory/4532-142-0x00007FF691A10000-0x00007FF691D64000-memory.dmp
memory/1776-143-0x00007FF703960000-0x00007FF703CB4000-memory.dmp
memory/4584-144-0x00007FF7E4740000-0x00007FF7E4A94000-memory.dmp
memory/868-145-0x00007FF6E9350000-0x00007FF6E96A4000-memory.dmp
memory/3492-146-0x00007FF6B4A50000-0x00007FF6B4DA4000-memory.dmp
memory/2668-148-0x00007FF6EDFC0000-0x00007FF6EE314000-memory.dmp
memory/4188-147-0x00007FF6716E0000-0x00007FF671A34000-memory.dmp
memory/632-150-0x00007FF7E4D70000-0x00007FF7E50C4000-memory.dmp
memory/4492-151-0x00007FF67FAB0000-0x00007FF67FE04000-memory.dmp
memory/5080-149-0x00007FF6A0C60000-0x00007FF6A0FB4000-memory.dmp
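The rows above are the report's raw dropped-file, memory-dump and network records. As an added example (not part of the sandbox report or its tooling), the following Python parses a constructed excerpt of those lines into a de-duplicated IOC set, checks that every digest has the length its algorithm requires (a truncated hash from a copy-paste is a common way an IOC list goes wrong), and derives per-process mapped-region sizes from the `memory/<pid>-<seq>-<start>-<end>-memory.dmp` names. The regular expressions and the rule that DNS to the resolver on udp/53 is excluded from the C2 set are this example's assumptions, not something the report states.

```python
"""Turn sandbox-report listing lines into an IOC set and a memory summary.

Added example; the SAMPLE below is a constructed excerpt of lines copied
from the report above, not a full parse of the page.
"""
import re
from collections import defaultdict

SAMPLE = r"""
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
memory/1724-0-0x00007FF7C0E90000-0x00007FF7C11E4000-memory.dmp
memory/1724-1-0x0000019A365F0000-0x0000019A36600000-memory.dmp
memory/2076-7-0x00007FF7E2CC0000-0x00007FF7E3014000-memory.dmp
C:\Windows\System\OuFkfkK.exe
| MD5 | 2c9de10c3f2b3896bd8dfacd0f6b24cd |
| SHA256 | 561bfcbfdb59c36190501dab76338479db76752f611c929654d3ee4e66859ddf |
C:\Windows\System\KxUBFUg.exe
| SHA256 | 6021249c436ad0819613a11bc76db02039cea6114be1fddaab89e512376c8752 |
memory/2076-129-0x00007FF7E2CC0000-0x00007FF7E3014000-memory.dmp
memory/1724-128-0x00007FF7C0E90000-0x00007FF7C11E4000-memory.dmp
"""

# Assumed line shapes (they match the report's layout, but are this example's own).
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.(?:exe|dll)$", re.IGNORECASE)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-f]+)\s*\|$")
NET_RE = re.compile(r"^\|\s*([A-Z]{2})\s*\|\s*([\d.]+):(\d+)\s*\|\s*([^|]*?)\s*\|\s*(tcp|udp)\s*\|$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_report(text):
    """Return (iocs, mem): iocs has per-file digests, a SHA256 set and C2 tuples;
    mem maps pid -> {(start, end): number_of_dumps_of_that_region}."""
    iocs = {"files": {}, "hashes": set(), "c2": set()}
    mem = defaultdict(dict)
    current_path = None  # hash rows belong to the most recent path line
    for raw in text.splitlines():
        line = raw.strip()
        if m := MEM_RE.match(line):
            pid, start, end = int(m[1]), int(m[3], 16), int(m[4], 16)
            mem[pid][(start, end)] = mem[pid].get((start, end), 0) + 1
        elif m := PATH_RE.match(line):
            current_path = m[0]
            iocs["files"].setdefault(current_path, {})
        elif m := HASH_RE.match(line):
            algo, digest = m[1], m[2]
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length: {digest}")
            if current_path is not None:
                iocs["files"][current_path][algo] = digest
            if algo == "SHA256":
                iocs["hashes"].add(digest)
        elif m := NET_RE.match(line):
            # Assumption: the udp/53 row is the sandbox resolver, not an indicator.
            if not (m[5] == "udp" and m[3] == "53"):
                iocs["c2"].add((m[2], int(m[3]), m[5]))
    return iocs, dict(mem)


def memory_summary(mem):
    """Per pid: distinct regions, total dumps, and region sizes largest first."""
    return {
        pid: {
            "regions": len(regions),
            "dumps": sum(regions.values()),
            "sizes": sorted({end - start for (start, end) in regions}, reverse=True),
        }
        for pid, regions in mem.items()
    }


def image_sizes(summary):
    """Set of the largest mapped-region size per process; a single value means
    every process carried an image of the same size."""
    return {s["sizes"][0] for s in summary.values()}


if __name__ == "__main__":
    iocs, mem = parse_report(SAMPLE)
    summary = memory_summary(mem)
    print("C2:", sorted(iocs["c2"]))
    print("SHA256 IOCs:", sorted(iocs["hashes"]))
    for pid, s in sorted(summary.items()):
        print(f"pid {pid}: {s['dumps']} dumps, {s['regions']} regions, sizes {[hex(x) for x in s['sizes']]}")
    print("image sizes:", {hex(x) for x in image_sizes(summary)})
```

Run against the full listing rather than the excerpt, the same parser shows that the main region in every one of the 22 distinct PIDs is 0x354000 bytes (for example 0x00007FF7C11E4000 - 0x00007FF7C0E90000), even though each dropped `C:\Windows\System\*.exe` carries a different hash; the one 0x10000 region belongs to PID 1724. Identical mapped sizes across differently hashed files are worth recording alongside the hashes, because the hashes alone will not match the next copy while the image size and the single 3.120.209.58:8080 destination may.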