Analysis Overview
SHA256: 389c061e1d670e55b89da6a91913b3fb35033855ec9041e669f9113fbcd8270e
Threat Level: Known bad
The file 2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike family
Cobaltstrike
XMRig Miner payload
Xmrig family
xmrig
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported: 2024-06-29 07:13
Signatures
Cobalt Strike reflective loader
1 match on the submitted file (row details not captured in this export)
Cobaltstrike family
XMRig Miner payload
1 match on the submitted file (row details not captured in this export)
Xmrig family
UPX packed file
1 match on the submitted file (row details not captured in this export)
Unsigned PE
1 match on the submitted file (row details not captured in this export)
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-29 07:13
Reported: 2024-06-29 07:15
Platform: win7-20240611-en
Max time kernel: 128s
Max time network: 141s
Signatures
Cobalt Strike reflective loader
21 matches (row details not captured in this export)
Cobaltstrike
xmrig
XMRig Miner payload
59 matches (row details not captured in this export)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\eQpczlG.exe | N/A |
| N/A | N/A | C:\Windows\System\tAcnUUt.exe | N/A |
| N/A | N/A | C:\Windows\System\XthwAEd.exe | N/A |
| N/A | N/A | C:\Windows\System\spYgSHa.exe | N/A |
| N/A | N/A | C:\Windows\System\aZqrWwy.exe | N/A |
| N/A | N/A | C:\Windows\System\iOLqonB.exe | N/A |
| N/A | N/A | C:\Windows\System\IBLfnjW.exe | N/A |
| N/A | N/A | C:\Windows\System\piJwKZN.exe | N/A |
| N/A | N/A | C:\Windows\System\HimXdlq.exe | N/A |
| N/A | N/A | C:\Windows\System\TdQoVrl.exe | N/A |
| N/A | N/A | C:\Windows\System\EMZWvnz.exe | N/A |
| N/A | N/A | C:\Windows\System\EbAsenw.exe | N/A |
| N/A | N/A | C:\Windows\System\VJKjbAb.exe | N/A |
| N/A | N/A | C:\Windows\System\ImyFhbd.exe | N/A |
| N/A | N/A | C:\Windows\System\HbusmiI.exe | N/A |
| N/A | N/A | C:\Windows\System\XPAhrUW.exe | N/A |
| N/A | N/A | C:\Windows\System\GaavpUg.exe | N/A |
| N/A | N/A | C:\Windows\System\FuWExOo.exe | N/A |
| N/A | N/A | C:\Windows\System\bvOZzLC.exe | N/A |
| N/A | N/A | C:\Windows\System\wkGBNiM.exe | N/A |
| N/A | N/A | C:\Windows\System\IJvZrBP.exe | N/A |
Loads dropped DLL
UPX packed file
56 matches (row details not captured in this export)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\eQpczlG.exe | C:\Windows\System\eQpczlG.exe |
| C:\Windows\System\tAcnUUt.exe | C:\Windows\System\tAcnUUt.exe |
| C:\Windows\System\XthwAEd.exe | C:\Windows\System\XthwAEd.exe |
| C:\Windows\System\aZqrWwy.exe | C:\Windows\System\aZqrWwy.exe |
| C:\Windows\System\spYgSHa.exe | C:\Windows\System\spYgSHa.exe |
| C:\Windows\System\TdQoVrl.exe | C:\Windows\System\TdQoVrl.exe |
| C:\Windows\System\iOLqonB.exe | C:\Windows\System\iOLqonB.exe |
| C:\Windows\System\EMZWvnz.exe | C:\Windows\System\EMZWvnz.exe |
| C:\Windows\System\IBLfnjW.exe | C:\Windows\System\IBLfnjW.exe |
| C:\Windows\System\EbAsenw.exe | C:\Windows\System\EbAsenw.exe |
| C:\Windows\System\piJwKZN.exe | C:\Windows\System\piJwKZN.exe |
| C:\Windows\System\VJKjbAb.exe | C:\Windows\System\VJKjbAb.exe |
| C:\Windows\System\HimXdlq.exe | C:\Windows\System\HimXdlq.exe |
| C:\Windows\System\ImyFhbd.exe | C:\Windows\System\ImyFhbd.exe |
| C:\Windows\System\HbusmiI.exe | C:\Windows\System\HbusmiI.exe |
| C:\Windows\System\XPAhrUW.exe | C:\Windows\System\XPAhrUW.exe |
| C:\Windows\System\GaavpUg.exe | C:\Windows\System\GaavpUg.exe |
| C:\Windows\System\FuWExOo.exe | C:\Windows\System\FuWExOo.exe |
| C:\Windows\System\bvOZzLC.exe | C:\Windows\System\bvOZzLC.exe |
| C:\Windows\System\wkGBNiM.exe | C:\Windows\System\wkGBNiM.exe |
| C:\Windows\System\IJvZrBP.exe | C:\Windows\System\IJvZrBP.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2420-0-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2420-1-0x0000000000480000-0x0000000000490000-memory.dmp
C:\Windows\system\eQpczlG.exe
| MD5 | 86f31c6245a080a3728dd8e67d9f22b5 |
| SHA1 | 96471eb7b28372cf491cf2100f4c418556b6972e |
| SHA256 | 377881030d8e146f2e624d134c70365e466be1d9ae5e48203a4c7854b9eb5f93 |
| SHA512 | 0158ca8d74260a5bb370e9f5178c0240df6762fdb5ae13d36d60bf3206ec27d12cc992ace11ca04524062a9a9583fe59ccdf49570d96a2b1474e4cc91f659ebc |
\Windows\system\tAcnUUt.exe
| MD5 | ae778629199e89253caa6b54289a2ed1 |
| SHA1 | 35c835250456bb725e408f9ca27eafb295082e2d |
| SHA256 | 72111bd41978d88eed5a13a1a6df8052a30bfbf0c3db544089c22688a028bc67 |
| SHA512 | 53b12ee9052bac416f1868f88df0a65660ff7d339cdff77b19b07891e40319631b44ed61b0b62cf782fb3069443189a6f5c4961f896d8501fefbf8229069cadd |
memory/2580-21-0x000000013FE20000-0x0000000140174000-memory.dmp
memory/2420-22-0x0000000002300000-0x0000000002654000-memory.dmp
C:\Windows\system\XthwAEd.exe
| MD5 | 253de7b43fea3471863556135b3c2140 |
| SHA1 | 0e61057d859a2ab768b898fb2a314f6bbdecd152 |
| SHA256 | 2bf10c7e9148d5adebdbf48d9e445cf5f022790ea3d5c590e4b125fd1f3c5506 |
| SHA512 | d5229cf7b0b1f300d664f074c9d61afcdbd248824b9b4db0b703ffadfbf57cf8e81a596f45a2976ffad1b4f3c16be64356df0e9f960ab421a8566d8491bc1484 |
memory/2420-20-0x000000013FE20000-0x0000000140174000-memory.dmp
memory/2756-19-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/3032-18-0x000000013FC60000-0x000000013FFB4000-memory.dmp
C:\Windows\system\HimXdlq.exe
| MD5 | e694782acf642cd9434a34c8cc8fe9bb |
| SHA1 | fb87704252863350945943e3f6c04cc788d97619 |
| SHA256 | 2f2d6e782dfe1170238f329c8077bbe91addf6b5f05f531e3dccab69bbad381f |
| SHA512 | 0178ee141909b47a8d289807725e6947b6dffeaa7c08d48cc5a5eaba7d7f0bdbb6b1ca026bd2684a7e6585a6baf6ebf4395538597e1b4a9372c9e38b4152ca23 |
memory/2420-33-0x0000000002300000-0x0000000002654000-memory.dmp
memory/1716-89-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/2760-96-0x000000013FB40000-0x000000013FE94000-memory.dmp
C:\Windows\system\HbusmiI.exe
| MD5 | 5c20b70ab2638502f07aa51323ec85b2 |
| SHA1 | 55234b1e3e00b01e91c1cfbfe6b74a0dde0e0f5d |
| SHA256 | 66b3c51dd29f22085151b9309ac7b77d15d93c1e056def2e8dd05705185e5010 |
| SHA512 | a40dbbdb396d400b36fb0841a0eb17861aaf97580de3027e76ee3f899c8df69a8114074e1d92ea2443b310ed2214a5455a3e40ae37f75feb3f1f8bc0c3ac8dd0 |
C:\Windows\system\GaavpUg.exe
| MD5 | 7b230bb0a4498c5c9198af6319bc859e |
| SHA1 | 593d30f0b03ac1d2f532f3e0328d00f976133294 |
| SHA256 | 821964f0f60742ca7a67ba16aa54f335881e813e71558f5774ffea05741aec87 |
| SHA512 | 7152e0a9e9182da7b3cd7976884adf4f6e619500a03da51794d69452281ae784fe2a36adad3d0260ee6b5ccc02ccb649da5fa27e269f84fa74e8cc051bc53367 |
C:\Windows\system\IJvZrBP.exe
| MD5 | 8c5fc407e899b282b57de5df42f75171 |
| SHA1 | 19eb607323fe65d62e1740272403ff572204a6f4 |
| SHA256 | ae95500be345c300a557f689d835c01c01f5458e45af586c92e45247e06c20a0 |
| SHA512 | 3a12b53dd674ac78dc984fe82fc0d168677765870ff090bcf9b4a374b08e19ad8f7b88b3ca76c096052029c8708c97b5a33f9a17970ffee70553eb082c8f2d82 |
C:\Windows\system\wkGBNiM.exe
| MD5 | d0f8fb159d5710a5d49b680eee0d6aa3 |
| SHA1 | 2f02ab56ab5633383b6daadb91916bfdf38e6810 |
| SHA256 | 211a64cbb3e94c6c91d877bbe3fceb26052d81acfbe590d7222b60bb28dabcfe |
| SHA512 | d315414834e39de17ac4758184ee823ff4244824553cedcf8491359282e9f89fb66c24d2b8a608e6aa0f4831d66b709c32045df07193adbbea4e9702b6722f7e |
C:\Windows\system\bvOZzLC.exe
| MD5 | a8b928cb4e3aea188ff5907ec6dea98c |
| SHA1 | c9e1f228db0a28942e53af56768743897d2d42a0 |
| SHA256 | d912136504474717ba589762a4b2916fc6ae1c8091ef6a987c0ee35ae8e293b5 |
| SHA512 | f574441556070971d3d40f861987280623aa32fd383d23f61b26b23789fecff5cb27fcac341f29607f71db4024c82816e7b24b0c2697076727a9ff37a6b43056 |
C:\Windows\system\FuWExOo.exe
| MD5 | 9111114f0d78b261dd13d7d6271e2ff4 |
| SHA1 | e975c26a90decc1e4502df095afc8b67f94dbd2c |
| SHA256 | c6cd1fba544f13b48141fec77476119cd4caf50897e36ab1ae3ad16a177b0b67 |
| SHA512 | d53ee11e736e8e89fcbd15b4e629b8c9dc2b50fc52b9fc01e2e6097fe34e75817ca9b5034be5d9dcd4a50c754f7cc89a7c0a85e2fef059674f9b25825de9a803 |
C:\Windows\system\XPAhrUW.exe
| MD5 | 6764ce62cced274984c3e7185eb600be |
| SHA1 | c793384e9e2c3c0404f6d016cd338aa489220d1a |
| SHA256 | 085f5bb88cc660774a8443280fff11b4d7f11ec80b2e401459d47edd5c48d6f0 |
| SHA512 | 07625ffbed57221e3bcc8e89e95ba5ffe091951f268881496e1d1a932e78bf02ee70e3e968f735143b958ccc74a233347a8920e08e5c60cbcde7a51a02ea55e8 |
memory/2420-105-0x0000000002300000-0x0000000002654000-memory.dmp
memory/2420-104-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
C:\Windows\system\ImyFhbd.exe
| MD5 | 172bb273f37836f3b79af477f95d2875 |
| SHA1 | 474591bb62872b27a9f9ac9bbd8df871dba92f79 |
| SHA256 | 7b4539a65f0cfec75219e119cf72fe433049dca5161ae5c4564ad6bde9dcf95b |
| SHA512 | 01a4a4e35af6fac3f6d6c999c3a6fe6196b421091f85fb5064dfd96779ff5a096510ab3c0018bb9852b09082b85e09da02684c135478465ba5734673650bbc9b |
memory/2420-94-0x000000013FB40000-0x000000013FE94000-memory.dmp
memory/2988-93-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2468-92-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/2492-91-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2652-90-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2420-88-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/2420-69-0x0000000002300000-0x0000000002654000-memory.dmp
memory/2420-68-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2420-67-0x0000000002300000-0x0000000002654000-memory.dmp
memory/2596-66-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2512-65-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2516-64-0x000000013F9C0000-0x000000013FD14000-memory.dmp
memory/2420-63-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/2504-62-0x000000013F390000-0x000000013F6E4000-memory.dmp
\Windows\system\VJKjbAb.exe
| MD5 | 406facef8f14099e7446306c2cdc51c4 |
| SHA1 | 453bd5733aedd847cbaccdd7a021c24f0b1180f4 |
| SHA256 | d35af7cced3d7f6e73454e5adf93e5edfc0047fed15c95a8ca0d0f959e132f63 |
| SHA512 | e5b148066bcf7be5c3ba58531643c7733e8e18a0996b7a40408a97abfaa4919b6848eaa14ae8009fcbea4ed81725462965f20a1926fd7d803f259fee4e3b3953 |
memory/2420-52-0x000000013FDF0000-0x0000000140144000-memory.dmp
C:\Windows\system\IBLfnjW.exe
| MD5 | 46e98567d316d7b77338fd72fd4ee41d |
| SHA1 | 09a58d7b5134f617d88b9d93f2e92c23f308dde6 |
| SHA256 | b78b86aafd0c70a0edf99a6f46d027b71ae57079e2a574255ae73deb009506a8 |
| SHA512 | 6022e5a80eb844657b2cc093332a34329091201fb58071f43821e5fc8396758a9e3734f3b3b6b6dea8f441d94883e7ea129de0d50caa35e3b6d7134fa1b4adca |
memory/2504-136-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/2716-135-0x000000013F6E0000-0x000000013FA34000-memory.dmp
\Windows\system\EbAsenw.exe
| MD5 | 2e72b96836ef4566f6f6b99bc45748ac |
| SHA1 | 2b885bfc388005c126d1b80406f1349e96b7a2b9 |
| SHA256 | de764f6695b261e9d88dc63aa19953d55c369846165aebe6c273d798497999b0 |
| SHA512 | 4b043f254f7a09a254b791e63a66ce3e1839ae602c444dae942c78b4f6c6b519baa4a14ff063344b359109d8d7e46cf2522d861d43c7e5d2fbb37365af9eeae4 |
memory/2716-44-0x000000013F6E0000-0x000000013FA34000-memory.dmp
C:\Windows\system\iOLqonB.exe
| MD5 | a46d25727b86c1cc2aca188c47605515 |
| SHA1 | 90ee06081e661da689f005ba883cba318ee55b5f |
| SHA256 | 6f9f3efb054e89529cd88cc493422a9c4f10e3d6c0fddfed9993dad61c3b3771 |
| SHA512 | a5b76f324e41aeda12954a96d239744f579e44e6943b947a8c3bdb081b865cc227bba30b8a589a21b7a3f08b60cd72a9f5d556edf4742d88488276a208440ba6 |
\Windows\system\EMZWvnz.exe
| MD5 | 35dc9da2f60f7f331225fdc1f52c606e |
| SHA1 | f225c155b14cade16264675b4196a758a5e4b22e |
| SHA256 | aec70179c3b9a79963f10d515c360c7f49b6f1d22e45f852e5520fc78ebb140d |
| SHA512 | 1d1ffa0e8baf209d8fa851b671aae0ff18260d6ff6b6d11d23a4ef3f08a9059f25f850840a0b63c8d7962a8e2aad8e9b2e355cc53e6b3669e1626b5207702d00 |
C:\Windows\system\aZqrWwy.exe
| MD5 | 7d1fb11a7e27ed573ff074480546780d |
| SHA1 | e198f13f82007e860b7b75b1f9eb002353c77675 |
| SHA256 | 08a7eb53c609567f2d269a5b5f9a56f05212f4e87dccedb22a1e5a1505d873a0 |
| SHA512 | 50c685c2687d191483fa407d7821065936a32f9eeb8d8506b2fc417bc7c78446e6cd8c998f1db0aa64f693b45952c3c39d337be0c1578d8c73564e33b129f060 |
\Windows\system\TdQoVrl.exe
| MD5 | abc7acb1a671b55bbbafdccb8848954a |
| SHA1 | 3a10b6eb53579b6b79878d1adcab1b6431605d3e |
| SHA256 | 7499daaba1c09804cf046a9a4e7a5d2b90ce3047ff23663a4b1050630a973341 |
| SHA512 | 38746f27f00adbdf1001ade35e478931ab7439dd36c9d9e116b9d4e2cdc68c18201e2db369ed3997e08108073b94fed3b063a9efb8a0addac0be78f08b401126 |
memory/2512-138-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2516-137-0x000000013F9C0000-0x000000013FD14000-memory.dmp
memory/2420-58-0x000000013FE90000-0x00000001401E4000-memory.dmp
C:\Windows\system\piJwKZN.exe
| MD5 | 82b2b96ec0108adc30a707b91a2e9568 |
| SHA1 | 73038fd7dc189c56cc738c20249b29a3041b5a44 |
| SHA256 | 84fd744187aac7e8c7082592109fa1ffed80941e6b14925501f504c4ba9911d9 |
| SHA512 | 19102757ba6d9cacb09d7635fefa64aef44910bf9443498db87eff669048d122f2c9b45596cb3440313b2d82edc6b6073f1fc0ca6d51d1d387ba01bc68634e6c |
memory/2420-56-0x000000013F390000-0x000000013F6E4000-memory.dmp
C:\Windows\system\spYgSHa.exe
| MD5 | 02bc66bc9662afaf687cf880dd002ce1 |
| SHA1 | 731565b76e70f65d3c7c549a3d98782d55ac0907 |
| SHA256 | c37491f88f4807b4eec3e643298799282a3390a7fe2c6e61d6247ddd66204175 |
| SHA512 | 24fcbfd4b3fe7ee796c48bdfda6f2126c4379224778057cc2881b4044f212a40e17556875ee51dc43df95dd9fb46bc1cebf061ea1ec72e42c9d2edb0c13dbb64 |
memory/2420-29-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2760-140-0x000000013FB40000-0x000000013FE94000-memory.dmp
memory/2420-141-0x0000000002300000-0x0000000002654000-memory.dmp
memory/3032-142-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/2756-143-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2580-144-0x000000013FE20000-0x0000000140174000-memory.dmp
memory/2716-145-0x000000013F6E0000-0x000000013FA34000-memory.dmp
memory/2504-146-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/2512-148-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2516-147-0x000000013F9C0000-0x000000013FD14000-memory.dmp
memory/2652-150-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/1716-149-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/2468-151-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/2492-152-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2760-153-0x000000013FB40000-0x000000013FE94000-memory.dmp
memory/2988-154-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2596-155-0x000000013FD70000-0x00000001400C4000-memory.dmp
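The Files listings in this report (the one above for behavioral1, and the one that follows for behavioral2) flatten two kinds of artefact into one list: `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` region dumps, and dropped-file paths followed by their hash rows. The parser below is an added example written for this page, not sandbox output or tooling from the report's vendor. It is fed an excerpt of the behavioral1 listing copied from above, attaches each hash row to the most recent path, validates hex digest lengths, and groups the dump regions by size. One normalisation is an assumption: the listing writes the same drop directory both as `C:\Windows\system\` and as `\Windows\system\`, and the parser adds the drive prefix to the second form. Running it shows that every image-range dump, in the parent and in each dropped child, spans exactly 0x354000 bytes; reading that as the same payload being mapped into every process is an inference, not something the report states.

```python
import re
from collections import defaultdict

# Sandbox memory-dump name: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# One hash row of a dropped-file entry, e.g. "| MD5 | <hex> |"
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_files_section(text):
    """Return (files, regions).

    files:   {normalised path: {algo: hexdigest}}; hash rows attach to the
             most recently seen path and a wrong-length digest is an error.
    regions: [(pid, seq, start, end)] in listing order, addresses as ints.
    """
    files, regions, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            pid, seq = int(m.group(1)), int(m.group(2))
            regions.append((pid, seq, int(m.group(3), 16), int(m.group(4), 16)))
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None or len(digest) != HEX_LEN[algo]:
                raise ValueError("bad hash row: " + line)
            files[current][algo] = digest
            continue
        # Anything else is a dropped-file path. Assumption: "\Windows\system\..."
        # is the same directory as "C:\Windows\system\...", so add the drive.
        current = line if line[1:3] == ":\\" else "C:" + line
        files.setdefault(current, {})
    return files, regions


def region_summary(regions):
    """Group dump regions by byte size -> sorted list of pids that have one.
    A single size recurring in every pid is what a shared payload looks like."""
    by_size = defaultdict(set)
    for pid, _seq, start, end in regions:
        by_size[end - start].add(pid)
    return {size: sorted(pids) for size, pids in by_size.items()}


def iocs(files):
    """Flatten to sorted (sha256, path) pairs for a blocklist; entries
    without a SHA256 are skipped rather than guessed."""
    return sorted((h["SHA256"], p) for p, h in files.items() if "SHA256" in h)


# Excerpt of the behavioral1 Files listing, copied from this report.
FILES_EXCERPT = r"""
memory/2420-0-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2420-1-0x0000000000480000-0x0000000000490000-memory.dmp
C:\Windows\system\eQpczlG.exe
| MD5 | 86f31c6245a080a3728dd8e67d9f22b5 |
| SHA1 | 96471eb7b28372cf491cf2100f4c418556b6972e |
| SHA256 | 377881030d8e146f2e624d134c70365e466be1d9ae5e48203a4c7854b9eb5f93 |
| SHA512 | 0158ca8d74260a5bb370e9f5178c0240df6762fdb5ae13d36d60bf3206ec27d12cc992ace11ca04524062a9a9583fe59ccdf49570d96a2b1474e4cc91f659ebc |
\Windows\system\tAcnUUt.exe
| MD5 | ae778629199e89253caa6b54289a2ed1 |
| SHA1 | 35c835250456bb725e408f9ca27eafb295082e2d |
| SHA256 | 72111bd41978d88eed5a13a1a6df8052a30bfbf0c3db544089c22688a028bc67 |
memory/2580-21-0x000000013FE20000-0x0000000140174000-memory.dmp
memory/2420-22-0x0000000002300000-0x0000000002654000-memory.dmp
C:\Windows\system\XthwAEd.exe
| MD5 | 253de7b43fea3471863556135b3c2140 |
| SHA1 | 0e61057d859a2ab768b898fb2a314f6bbdecd152 |
| SHA256 | 2bf10c7e9148d5adebdbf48d9e445cf5f022790ea3d5c590e4b125fd1f3c5506 |
memory/2420-20-0x000000013FE20000-0x0000000140174000-memory.dmp
memory/2756-19-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/3032-18-0x000000013FC60000-0x000000013FFB4000-memory.dmp
"""

if __name__ == "__main__":
    files, regions = parse_files_section(FILES_EXCERPT)
    for size, pids in sorted(region_summary(regions).items()):
        print("region size 0x%X in pids %s" % (size, pids))
    for sha256, path in iocs(files):
        print(sha256, path)
```

The same parser runs unchanged over the behavioral2 listing; only the PIDs and the 0x7FF... image bases differ, the 0x354000 region size does not.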
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-29 07:13
Reported: 2024-06-29 07:15
Platform: win10v2004-20240508-en
Max time kernel: 144s
Max time network: 148s
Signatures
Cobalt Strike reflective loader
21 matches (row details not captured in this export)
Cobaltstrike
xmrig
XMRig Miner payload
64 matches (row details not captured in this export)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\YvsROsV.exe | N/A |
| N/A | N/A | C:\Windows\System\EapfQBP.exe | N/A |
| N/A | N/A | C:\Windows\System\FJWeSjW.exe | N/A |
| N/A | N/A | C:\Windows\System\SRjWhlT.exe | N/A |
| N/A | N/A | C:\Windows\System\MnmqbAc.exe | N/A |
| N/A | N/A | C:\Windows\System\OCHNtkN.exe | N/A |
| N/A | N/A | C:\Windows\System\PAReEQr.exe | N/A |
| N/A | N/A | C:\Windows\System\SqvWtbA.exe | N/A |
| N/A | N/A | C:\Windows\System\Eoctara.exe | N/A |
| N/A | N/A | C:\Windows\System\YRZbLfq.exe | N/A |
| N/A | N/A | C:\Windows\System\wLxGkrX.exe | N/A |
| N/A | N/A | C:\Windows\System\VRTKHrC.exe | N/A |
| N/A | N/A | C:\Windows\System\uRGzhaK.exe | N/A |
| N/A | N/A | C:\Windows\System\DbnvNRs.exe | N/A |
| N/A | N/A | C:\Windows\System\JXZEoNx.exe | N/A |
| N/A | N/A | C:\Windows\System\ETfZVCY.exe | N/A |
| N/A | N/A | C:\Windows\System\ZZOVpVV.exe | N/A |
| N/A | N/A | C:\Windows\System\KBVwYYV.exe | N/A |
| N/A | N/A | C:\Windows\System\xoVzKSM.exe | N/A |
| N/A | N/A | C:\Windows\System\aPqtcpC.exe | N/A |
| N/A | N/A | C:\Windows\System\tOgnjfZ.exe | N/A |
UPX packed file
64 matches (row details not captured in this export)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\YvsROsV.exe | C:\Windows\System\YvsROsV.exe |
| C:\Windows\System\EapfQBP.exe | C:\Windows\System\EapfQBP.exe |
| C:\Windows\System\FJWeSjW.exe | C:\Windows\System\FJWeSjW.exe |
| C:\Windows\System\SRjWhlT.exe | C:\Windows\System\SRjWhlT.exe |
| C:\Windows\System\MnmqbAc.exe | C:\Windows\System\MnmqbAc.exe |
| C:\Windows\System\OCHNtkN.exe | C:\Windows\System\OCHNtkN.exe |
| C:\Windows\System\PAReEQr.exe | C:\Windows\System\PAReEQr.exe |
| C:\Windows\System\SqvWtbA.exe | C:\Windows\System\SqvWtbA.exe |
| C:\Windows\System\Eoctara.exe | C:\Windows\System\Eoctara.exe |
| C:\Windows\System\YRZbLfq.exe | C:\Windows\System\YRZbLfq.exe |
| C:\Windows\System\wLxGkrX.exe | C:\Windows\System\wLxGkrX.exe |
| C:\Windows\System\VRTKHrC.exe | C:\Windows\System\VRTKHrC.exe |
| C:\Windows\System\uRGzhaK.exe | C:\Windows\System\uRGzhaK.exe |
| C:\Windows\System\DbnvNRs.exe | C:\Windows\System\DbnvNRs.exe |
| C:\Windows\System\JXZEoNx.exe | C:\Windows\System\JXZEoNx.exe |
| C:\Windows\System\ETfZVCY.exe | C:\Windows\System\ETfZVCY.exe |
| C:\Windows\System\ZZOVpVV.exe | C:\Windows\System\ZZOVpVV.exe |
| C:\Windows\System\KBVwYYV.exe | C:\Windows\System\KBVwYYV.exe |
| C:\Windows\System\xoVzKSM.exe | C:\Windows\System\xoVzKSM.exe |
| C:\Windows\System\aPqtcpC.exe | C:\Windows\System\aPqtcpC.exe |
| C:\Windows\System\tOgnjfZ.exe | C:\Windows\System\tOgnjfZ.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
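Three observations recur in both detonations above: the "Executes dropped EXE" tables list only executables named `C:\Windows\System\<seven letters>.exe` (note `System`, not `System32`, a directory that is nearly empty on a clean install); the "Suspicious use of AdjustPrivilegeToken" tables show the sample, running from the user's Temp directory, enabling `SeLockMemoryPrivilege`, which XMRig requests to back its hashing with large pages; and the only non-DNS destination in either Network table is TCP 3.120.209.58:8080. The script below is an added example written for this page, not code from the report's vendor, showing how those three observations become host-side detection logic. The events are constructed, with a normalised shape that assumes Sysmon event 1 (process create) and 3 (network connect) and Windows Security event 4703 (user right adjusted) have been flattened into one record type; the PIDs 2420 and 2580 borrow the numbers from behavioral1's memory dumps, and treating 3.120.209.58:8080 as a command-and-control endpoint is an assumption, since the report records the connection but not its content.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Drop path seen in both detonations: C:\Windows\System\ + seven letters + .exe
DROP_PATTERN = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
# Only non-DNS destination in the report's Network tables (assumed C2 endpoint).
C2_ENDPOINTS = {("3.120.209.58", 8080)}
# Privilege the sample enables in both runs; XMRig asks for it for large pages.
MINER_PRIVILEGE = "SeLockMemoryPrivilege"


@dataclass
class Event:
    """Constructed normalised record. event_id: 1 = Sysmon process create,
    3 = Sysmon network connect, 4703 = Security 'user right adjusted'."""
    event_id: int
    pid: int
    image: str
    fields: dict = field(default_factory=dict)


def check_event(ev):
    """Return [(rule_name, detail)] for every rule a single event trips."""
    hits = []
    if ev.event_id == 1 and DROP_PATTERN.match(ev.image):
        hits.append(("dropped_exe_in_windows_system", ev.image))
    elif ev.event_id == 3 and ev.fields.get("proto") == "tcp":
        dst = (ev.fields.get("dst_ip"), ev.fields.get("dst_port"))
        if dst in C2_ENDPOINTS:
            hits.append(("known_c2_endpoint", "%s:%d" % dst))
    elif ev.event_id == 4703 and MINER_PRIVILEGE in ev.fields.get("enabled", ()):
        # SQL Server and similar services legitimately hold SeLockMemoryPrivilege;
        # a binary running out of %TEMP% that enables it is the miner pattern here.
        if "\\appdata\\local\\temp\\" in ev.image.lower():
            hits.append(("lock_memory_privilege_from_temp", ev.image))
    return hits


def scan(events):
    """Map pid -> sorted rule names; pids that trip nothing are omitted."""
    by_pid = defaultdict(set)
    for ev in events:
        for rule, _detail in check_event(ev):
            by_pid[ev.pid].add(rule)
    return {pid: sorted(rules) for pid, rules in by_pid.items()}


def escalate(events, parent_of):
    """Pids worth isolating: any pid tripping two rule families on its own, plus
    any dropped-EXE pid whose parent also tripped a rule (and that parent).
    parent_of maps child pid -> parent pid."""
    results = scan(events)
    flagged = {pid for pid, rules in results.items() if len(rules) >= 2}
    for pid, rules in results.items():
        if "dropped_exe_in_windows_system" in rules and parent_of.get(pid) in results:
            flagged.add(pid)
            flagged.add(parent_of[pid])
    return flagged


SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp\2024-06-29_fab8dd08c1c046f7d00b6ac796d91caa"
               r"_cobalt-strike_cobaltstrike_poet-rat.exe")

# Constructed events modelled on the report; not sandbox output.
SAMPLE_EVENTS = [
    Event(1, 2420, SAMPLE_PATH),
    Event(4703, 2420, SAMPLE_PATH, {"enabled": ["SeLockMemoryPrivilege"]}),
    Event(1, 2580, r"C:\Windows\System\eQpczlG.exe", {"parent_pid": 2420}),
    Event(3, 2420, SAMPLE_PATH, {"proto": "tcp", "dst_ip": "3.120.209.58", "dst_port": 8080}),
    # Benign look-alikes that must not fire
    Event(1, 5000, r"C:\Windows\System32\svchost.exe"),
    Event(4703, 5100, r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
          {"enabled": ["SeLockMemoryPrivilege"]}),
    Event(3, 5000, r"C:\Windows\System32\svchost.exe",
          {"proto": "udp", "dst_ip": "8.8.8.8", "dst_port": 53}),
]
PARENT_OF = {ev.pid: ev.fields["parent_pid"] for ev in SAMPLE_EVENTS
             if ev.event_id == 1 and "parent_pid" in ev.fields}

if __name__ == "__main__":
    for pid, rules in sorted(scan(SAMPLE_EVENTS).items()):
        print(pid, rules)
    print("isolate:", sorted(escalate(SAMPLE_EVENTS, PARENT_OF)))
```

The drop-path rule is the one to tune first: seven random letters is what this sample does, but any unsigned executable created under `C:\Windows\System\` deserves a look, so widening the pattern costs little. The privilege rule deliberately keys on the image path rather than the privilege alone, because the privilege by itself is noisy on database hosts.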
Files
memory/1804-0-0x00007FF7CEE20000-0x00007FF7CF174000-memory.dmp
memory/1804-1-0x000001EE71640000-0x000001EE71650000-memory.dmp
C:\Windows\System\YvsROsV.exe
| MD5 | 9a67570d4605f94d18783a145b1289c1 |
| SHA1 | eb5ab4db74cf64828ff2e81f332af7d7654b0d47 |
| SHA256 | b142dd84d9e0adf0d44c23a6efa9a5142e75779e175ff097c611fed40e3fea24 |
| SHA512 | a12f23ddb929299da3e5cb54ac25aa11375d70a77eee7ce88b362019e082207213384ccea1351712336e6ebba3b7a66b2a8bb567ca707042edaf19128bc1d8b2 |
memory/3392-10-0x00007FF6AD760000-0x00007FF6ADAB4000-memory.dmp
C:\Windows\System\FJWeSjW.exe
| MD5 | 8d4c49a4998d290817879ed727925ce2 |
| SHA1 | cec053524033be00d9e6751bf4d3d5b0a0b36fed |
| SHA256 | 7586be07b75f0f4fa1832df623e52312b3f00b4d8f2eadeecc47a206cb24ceac |
| SHA512 | e80f0c21cdaae57dd8cdfed6f29394658848853d09bebe72b6cc8c9d1c382bdda864913accac419b62a16daf25113c72675336dddda42148d8fd90586b7dde75 |
C:\Windows\System\EapfQBP.exe
| MD5 | 41e1ac32c00d022c548688cb36b93be9 |
| SHA1 | a84c3ffcd80d651d326e7c7d03753d2ba9958ad8 |
| SHA256 | 10aa076fe09a922a27d8f91868a22f01b426f13ce99370581551424b8dd62b42 |
| SHA512 | ffd4470f7b7493948f4c382e7f2db47c5e5f6a1d2b38cfeafb112d4a8655fa13f95017e6ee59f3dcbaefaf6cc10c0d71a5d13d41bca6dac78c297e55f75346e8 |
C:\Windows\System\MnmqbAc.exe
| MD5 | 40f0527191182ae9dbdb38149c7863bc |
| SHA1 | 0d4c2bdecb9770183fb80316c82d0e634de7d6c5 |
| SHA256 | 720246ca3b7595fde0f4f81b0af67b96ce4a4f7c1eb0ec5dcc1c68cac7f990b4 |
| SHA512 | 62e90c41f58e4a1f165937276fda5f4e0d90e5150b152dec788b3986e141abdb33986a346d7a0b02ebf1af546da11909d24952127d7a0defb1ffd0559b1430bb |
C:\Windows\System\SRjWhlT.exe
| MD5 | 84b419a45f406b3a365c8a3b1918d1df |
| SHA1 | 5d7ba50012b315f318042c8b5ee872119e70e488 |
| SHA256 | 74ec317a3f7a91b2c12b224c92dc9a4b3570b46ec48ae7fa1273aae23b84ae81 |
| SHA512 | ea7cda772897bf9b7101fcf4370be2cda55776cc872b2c44c07fd4682fb624ecdfcb013d977d4e9be1301966ff58b1d1658024b27db9dde77657be0fec8a620b |
memory/3540-24-0x00007FF7B62B0000-0x00007FF7B6604000-memory.dmp
memory/4508-23-0x00007FF682D60000-0x00007FF6830B4000-memory.dmp
memory/2824-14-0x00007FF6A33E0000-0x00007FF6A3734000-memory.dmp
C:\Windows\System\OCHNtkN.exe
| MD5 | 63d6ded8b477aa427a95c1cce27b96b2 |
| SHA1 | d67078663c7dfbff584de502cc7620101b418503 |
| SHA256 | 17c5478fa16747c17aae4815c448e8aa91e6c0c274cc8ad924a20833e309d567 |
| SHA512 | 627883fb8f6b72fbeb4f6ba6c8ee8d7dcfd77996370dc250cf60b18c7aee996ed43c9bf8bc7f5bb6b9700718649ea5a84cfa3524529fc52fd15e1c6d5ed58f56 |
memory/1492-35-0x00007FF70D8A0000-0x00007FF70DBF4000-memory.dmp
memory/4432-36-0x00007FF68CCF0000-0x00007FF68D044000-memory.dmp
C:\Windows\System\PAReEQr.exe
| MD5 | 71569d3463a630406e74144381b9d010 |
| SHA1 | e15a64c6cf2e2637d309bd9dfc9f7d410f24d266 |
| SHA256 | adbca39c20d394e95167a2ef0b33a0f6c33660d67bb97f895d81ebcfa22efef0 |
| SHA512 | 4c57e6900c841215a33796ca227144a79cbda79f252e0d63505824a1f945db119a0a9c3e424c2aa2d13b052d11d75f34876e126383d18a004b9a4af1c4b00606 |
memory/348-44-0x00007FF698F10000-0x00007FF699264000-memory.dmp
memory/4956-48-0x00007FF7D1BF0000-0x00007FF7D1F44000-memory.dmp
C:\Windows\System\SqvWtbA.exe
| MD5 | f3ff0ed4f1959e90d87fa7604eed531c |
| SHA1 | 016948642d8ac207d1925b693167b90e140f1539 |
| SHA256 | 80fa60efbd261650c9de15dfeb70fc4b7b4141d41b4b839610e77ed66002ae2f |
| SHA512 | db123275b132789c2f1036fc152fc171e5eebf8460a9f110e4dcde647109979dfbc6d464a01af2eaf608969f625dbda1f3f089dcde6fe323a6405a209807ba3e |
C:\Windows\System\Eoctara.exe
| MD5 | 6233eefa6a40ba893c3a5c355e75e2e2 |
| SHA1 | c9beaab6e37a511053366c29a83691add4a21d1f |
| SHA256 | 47f2789f40797ed321341d7a5bd5214a4838c8e0bbbe1a80121b9fb559c932ed |
| SHA512 | bae07d44f0229e40bc74f9bfa9b58be3625b6a637fdf7286ab945bdf1e5b0e49c7fba1e155e2f49b0fe1cf13d11add576637b0e24af4a23a7a8775bce7992d8c |
memory/4636-56-0x00007FF7692F0000-0x00007FF769644000-memory.dmp
C:\Windows\System\YRZbLfq.exe
| MD5 | e88a43050ba615e5fbc0b7a0ec27b805 |
| SHA1 | 38789cd6333474a11652d676c11d85ad92a6376c |
| SHA256 | 1c5269d85decd736abdd9a22bff2e3fc7733244dc49bc22ffae4d070e49376ea |
| SHA512 | f60bae003928ff4557d6d0022ffe3f16ed069e5a55ed0f7c67c665f164ef25c5d25223da0ceb2d5d6edfb5759868a809398692c0c479630bf85eec7a05581683 |
memory/1804-61-0x00007FF7CEE20000-0x00007FF7CF174000-memory.dmp
memory/4264-63-0x00007FF7AE010000-0x00007FF7AE364000-memory.dmp
C:\Windows\System\wLxGkrX.exe
| MD5 | 82cf2f8614792ac6641ffde841d9b147 |
| SHA1 | 7042c4a0b9af761dbec0abe3914da3583bb76b27 |
| SHA256 | 73455b8a84bb4591eff7a12ddee23c45ee3f5b904d9b7870a93e5adf61bec5f7 |
| SHA512 | 99bdbb9a8a64e9d7b8c811e23ca0c241b3aab49ce47e92e6e86d1b7593c7a0273e72b26f38789a848d349b78d04cb8e4b25f9df8882a7e28bdccda8258c2db66 |
C:\Windows\System\VRTKHrC.exe
| MD5 | e92fd2d9e1839036543faea3b5e45c4f |
| SHA1 | bbde7fca2ea94242823936c0fe5c362d69f3a400 |
| SHA256 | e0346180876325055fa92e5b05776f8fd30fc52db34485fa9b2db3491d8624b4 |
| SHA512 | a8f4250dd78f709b90e648c171e5cc16a9c51769ad0f57f5e78e7c18b25cfbe878d140e71c72d52c9da3dd75932f8d614f1339313cfed402dce93e6b90451291 |
memory/3392-70-0x00007FF6AD760000-0x00007FF6ADAB4000-memory.dmp
memory/996-77-0x00007FF77ED20000-0x00007FF77F074000-memory.dmp
C:\Windows\System\DbnvNRs.exe
| MD5 | 3cba8851ef1e0c576d22e97a75e7545d |
| SHA1 | 9cf10e35c04f29642002ea832c8214e7fdc39ddc |
| SHA256 | 36a693c910f66d9f693d1a9877c1d3a37d3c1010cce308db0d53f795f4e821bc |
| SHA512 | 30f183f14de7793c495ceb78e98c43c4d7ecb09b1243b4eb855e3e5cba3d9205650f79b3a9662a19c52925b6472b50d19a13558be69b27eb9fc381807b92cc7f |
C:\Windows\System\JXZEoNx.exe
| MD5 | e356ef8734972dec9b34ce9d9c842389 |
| SHA1 | 85240d07b80e71a40adeb681e23ccc1df48bbf4f |
| SHA256 | 619cf454b876998a82d8d4ab43c51a45f5da7bcde2cad2c79877fdb55dc7f012 |
| SHA512 | 855c07fc60cfd0654928cbcdd9d82c2b8f227922fc564b4b71f88f715557118268dac3c392c2ed32fc06bf56a8fbd721f980a28e0e20376029bbcb8183a91619 |
memory/3764-90-0x00007FF787470000-0x00007FF7877C4000-memory.dmp
memory/860-89-0x00007FF72C300000-0x00007FF72C654000-memory.dmp
memory/4508-86-0x00007FF682D60000-0x00007FF6830B4000-memory.dmp
C:\Windows\System\ETfZVCY.exe
| MD5 | be0ff8753f51b18085411142cc5c8f7f |
| SHA1 | e5f94eeab69be931e78cb60cfe75eb229d5158b0 |
| SHA256 | 6bc94c695f27c1d973ce0213ce06804b645fdcd5316b540990dde1ac0c1cf1cf |
| SHA512 | 174b09df6e5a6c6c2307546600d7083414063d9b4c8d49ce3a21cf324733aad73337a4969faa137d435ce39685f8519fc2c968bfa007ecbf74c997ef02339dbf |
C:\Windows\System\KBVwYYV.exe
| MD5 | c1d61b12e7bf24598369865f9b9560b0 |
| SHA1 | 8d324c8a0a700bf2c860104cd62e023ef2b3e473 |
| SHA256 | d1eaad72a2bb3c9be3b208cf0d78b99baabfcfadd65c7efd55c08e350f85e937 |
| SHA512 | 596e22b2e99ecccca7104ff7c7611fa69c0b2fa7f3a32e61e31bb9dfd8853fc3fd33f833db53e890d4b5a09e2e2a852c21620cbd43a40d204c76da48812d103a |
C:\Windows\System\aPqtcpC.exe
| MD5 | 66aff8fe3291a4bd604eb0704a44af9e |
| SHA1 | aa79d692dbad3fee17b56f893b4f03b2667909d2 |
| SHA256 | 6f64083d4627eeabed28521401659c27fd5ab73c09c7d6397bb6151a6d86d92c |
| SHA512 | 0030ec4af65252d52a912eefe4f825a141b8a9cf45cfc1ee1d2bccd32157e2aee32186715215b3332475c04f94b563673a77f0ae9c0e4e3abbc81436f970116d |
C:\Windows\System\tOgnjfZ.exe
| MD5 | a60d7868cf4a46e547892a49334b2f21 |
| SHA1 | 27f528480f3f2a26ff8b496c57df26b3a147a95c |
| SHA256 | f454ad8bcf7797084e4860221e7687a28131597ba3a810ab0ec002a8986cab00 |
| SHA512 | 26b0650de512160db41e5ec105987b521d9745bbbb0c03c761591115470c05c2ca1efc2e8cf44192f81110d3e2c40d039aaabe0dc09385960623ed470da2505b |
C:\Windows\System\xoVzKSM.exe
| MD5 | 3c15df2c3bed91834825bb594eb03abc |
| SHA1 | 05ebfcb9e62daa504d0caa8de7eada304bbe8361 |
| SHA256 | b9ef1a8c0c0db5ec97d8949a3cd23d6306ca7d7d074550c700de2679c39d8896 |
| SHA512 | 83017c0f95f2dd20dfc65d902c0aee817874a751a9be1851dc1aa5d45ed5a2003cdc3c6691134ef1f5d6fb4b42a76a5798af181bb50087820a69d6b480b1962e |
C:\Windows\System\ZZOVpVV.exe
| MD5 | e0f659fa11e66941fad0cf3351e30eca |
| SHA1 | e4916bd9c41d4e23bbf04880f40d0a078892df94 |
| SHA256 | 6373b88fa2bd934b793e035b2523fd44dc13848685eee592596e2db93d385d38 |
| SHA512 | f7e5722122a7379f53a0c6faa994bebbd710b19c1cea85615a193693d2af97c90c4b2b010de7c694f2777789e3daf2bb5366783c15a9df4e44d87036d74602ea |
memory/3192-84-0x00007FF7A83A0000-0x00007FF7A86F4000-memory.dmp
memory/2824-83-0x00007FF6A33E0000-0x00007FF6A3734000-memory.dmp
C:\Windows\System\uRGzhaK.exe
| MD5 | ff99fecb45880f011c6529053959c8fc |
| SHA1 | 48ccd8c836ab7c71d7e6d4489d42f6a7ba3a5e88 |
| SHA256 | 96f054597066f60fefe0a36a9fefa39904e54f034a2bf82a2e0326ff7c14276b |
| SHA512 | 81a7ffc9bfeec8a6b6224bb82001df180308c2cee328d7b8eb6b99d639f087f04d5f7c9660edfdd0c016f65c06e900a09184069faa99229e84635e4341fcfa6b |
memory/3540-125-0x00007FF7B62B0000-0x00007FF7B6604000-memory.dmp
memory/4844-126-0x00007FF7B3F30000-0x00007FF7B4284000-memory.dmp
memory/3912-127-0x00007FF7FF9A0000-0x00007FF7FFCF4000-memory.dmp
memory/832-128-0x00007FF731D30000-0x00007FF732084000-memory.dmp
memory/4656-129-0x00007FF637750000-0x00007FF637AA4000-memory.dmp
memory/4532-131-0x00007FF7F4A10000-0x00007FF7F4D64000-memory.dmp
memory/1464-130-0x00007FF748220000-0x00007FF748574000-memory.dmp
memory/3476-132-0x00007FF6CCB00000-0x00007FF6CCE54000-memory.dmp
memory/4432-133-0x00007FF68CCF0000-0x00007FF68D044000-memory.dmp
memory/4956-134-0x00007FF7D1BF0000-0x00007FF7D1F44000-memory.dmp
memory/4636-135-0x00007FF7692F0000-0x00007FF769644000-memory.dmp
memory/3392-136-0x00007FF6AD760000-0x00007FF6ADAB4000-memory.dmp
memory/2824-137-0x00007FF6A33E0000-0x00007FF6A3734000-memory.dmp
memory/4508-138-0x00007FF682D60000-0x00007FF6830B4000-memory.dmp
memory/3540-140-0x00007FF7B62B0000-0x00007FF7B6604000-memory.dmp
memory/1492-139-0x00007FF70D8A0000-0x00007FF70DBF4000-memory.dmp
memory/4432-141-0x00007FF68CCF0000-0x00007FF68D044000-memory.dmp
memory/348-142-0x00007FF698F10000-0x00007FF699264000-memory.dmp
memory/4956-143-0x00007FF7D1BF0000-0x00007FF7D1F44000-memory.dmp
memory/4636-144-0x00007FF7692F0000-0x00007FF769644000-memory.dmp
memory/4264-145-0x00007FF7AE010000-0x00007FF7AE364000-memory.dmp
memory/996-146-0x00007FF77ED20000-0x00007FF77F074000-memory.dmp
memory/3192-147-0x00007FF7A83A0000-0x00007FF7A86F4000-memory.dmp
memory/860-148-0x00007FF72C300000-0x00007FF72C654000-memory.dmp
memory/3764-149-0x00007FF787470000-0x00007FF7877C4000-memory.dmp
memory/3476-150-0x00007FF6CCB00000-0x00007FF6CCE54000-memory.dmp
memory/4844-151-0x00007FF7B3F30000-0x00007FF7B4284000-memory.dmp
memory/3912-152-0x00007FF7FF9A0000-0x00007FF7FFCF4000-memory.dmp
memory/832-153-0x00007FF731D30000-0x00007FF732084000-memory.dmp
memory/1464-154-0x00007FF748220000-0x00007FF748574000-memory.dmp
memory/4656-155-0x00007FF637750000-0x00007FF637AA4000-memory.dmp
memory/4532-156-0x00007FF7F4A10000-0x00007FF7F4D64000-memory.dmp
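The dropped-file tables and `memory/<pid>-<n>-<start>-<end>-memory.dmp` entries above are the hunt-ready part of this report, but they are awkward to consume by hand. The following Python is an added example (not part of the sandbox output) that parses an excerpt of this listing in the report's own layout, validates digest lengths, builds a SHA256 lookup for matching files found on a host, and summarises the dumped regions per PID. Note that every region on this page spans exactly 0x354000 bytes at a different 0x7FF6/0x7FF7 base per process, which is consistent with one payload image mapped at a per-process ASLR base in each of the spawned executables (an inference, not a claim the report makes). The `SAMPLE` text is a constructed excerpt copied from the tables above; `sha256_hex`, `match_bytes` and `check_file` are names chosen for this example.

```python
import hashlib
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed excerpt in the report's own layout: a dropped-file path followed by
# "| ALGO | hexdigest |" rows, plus memory/<pid>-<n>-<start>-<end>-memory.dmp lines.
SAMPLE = """\
C:\\Windows\\System\\SqvWtbA.exe
| MD5 | f3ff0ed4f1959e90d87fa7604eed531c |
| SHA1 | 016948642d8ac207d1925b693167b90e140f1539 |
| SHA256 | 80fa60efbd261650c9de15dfeb70fc4b7b4141d41b4b839610e77ed66002ae2f |
C:\\Windows\\System\\Eoctara.exe
| MD5 | 6233eefa6a40ba893c3a5c355e75e2e2 |
| SHA256 | 47f2789f40797ed321341d7a5bd5214a4838c8e0bbbe1a80121b9fb559c932ed |
memory/4636-56-0x00007FF7692F0000-0x00007FF769644000-memory.dmp
memory/348-44-0x00007FF698F10000-0x00007FF699264000-memory.dmp
memory/348-142-0x00007FF698F10000-0x00007FF699264000-memory.dmp
memory/4956-48-0x00007FF7D1BF0000-0x00007FF7D1F44000-memory.dmp
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\.+")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class Dropped:
    path: str
    hashes: dict = field(default_factory=dict)


@dataclass
class Region:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_report(text: str):
    """Return ([Dropped], [Region]) from the listing; hash rows attach to the
    most recent path line. Digest lengths are checked so a truncated row fails loudly."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = Dropped(line)
            files.append(current)
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError(f"hash row before any path: {line}")
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length for {current.path}")
            current.hashes[algo] = digest
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            regions.append(Region(int(pid), int(idx), int(start, 16), int(end, 16)))
    return files, regions


def sha256_index(files) -> dict:
    """SHA256 -> reported drop path, for matching against files found on a host."""
    return {f.hashes["SHA256"]: f.path for f in files if "SHA256" in f.hashes}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def match_bytes(data: bytes, index: dict):
    """Reported drop path if the bytes match a listed SHA256, else None."""
    return index.get(sha256_hex(data))


def check_file(path: str, index: dict):
    with open(path, "rb") as fh:
        return match_bytes(fh.read(), index)


def region_summary(regions) -> dict:
    """Distinct ranges per PID and the set of region sizes. A single shared size
    across all PIDs points at one image mapped (at per-process bases) in each process."""
    by_pid = defaultdict(set)
    for r in regions:
        by_pid[r.pid].add((r.start, r.end))  # same range dumped twice counts once
    return {
        "pids": sorted(by_pid),
        "distinct_sizes": sorted({r.size for r in regions}),
        "regions_per_pid": {pid: len(v) for pid, v in by_pid.items()},
    }


if __name__ == "__main__":
    files, regions = parse_report(SAMPLE)
    print(sha256_index(files))
    print(region_summary(regions))
```

Run it against the full listing by pasting the table text into `SAMPLE`, or point `check_file` at `C:\Windows\System\*.exe` on a suspect host with the index built from the report; a hit on any of the listed SHA256 values identifies the file unambiguously, whereas a name match alone does not, since these filenames are random.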