Analysis Overview
SHA256
c4931b0c9169da8f10f0b5f9e93be3ab97b708f218ed08eecebac7d88fa5219e
Threat Level: Known bad
The file 2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
xmrig
Xmrig family
XMRig Miner payload
Cobaltstrike family
Cobalt Strike reflective loader
Cobaltstrike
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-29 07:13
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-29 07:13
Reported
2024-06-29 07:16
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\pVFVnBx.exe | N/A |
| N/A | N/A | C:\Windows\System\LbLJjZd.exe | N/A |
| N/A | N/A | C:\Windows\System\EAtZYgm.exe | N/A |
| N/A | N/A | C:\Windows\System\JiUgRBV.exe | N/A |
| N/A | N/A | C:\Windows\System\uqPBaZu.exe | N/A |
| N/A | N/A | C:\Windows\System\JpHzPmI.exe | N/A |
| N/A | N/A | C:\Windows\System\nrcJMmP.exe | N/A |
| N/A | N/A | C:\Windows\System\GCdPALE.exe | N/A |
| N/A | N/A | C:\Windows\System\gCQRnca.exe | N/A |
| N/A | N/A | C:\Windows\System\VqNNWAy.exe | N/A |
| N/A | N/A | C:\Windows\System\KFDHgCH.exe | N/A |
| N/A | N/A | C:\Windows\System\yPkriQW.exe | N/A |
| N/A | N/A | C:\Windows\System\KxmnWLo.exe | N/A |
| N/A | N/A | C:\Windows\System\pnPLTsL.exe | N/A |
| N/A | N/A | C:\Windows\System\DEHhtpq.exe | N/A |
| N/A | N/A | C:\Windows\System\MDTEtKa.exe | N/A |
| N/A | N/A | C:\Windows\System\sKDadii.exe | N/A |
| N/A | N/A | C:\Windows\System\COgCAhj.exe | N/A |
| N/A | N/A | C:\Windows\System\pZBgwYI.exe | N/A |
| N/A | N/A | C:\Windows\System\jGXyrnZ.exe | N/A |
| N/A | N/A | C:\Windows\System\nJiFnEG.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\pVFVnBx.exe | C:\Windows\System\pVFVnBx.exe |
| C:\Windows\System\LbLJjZd.exe | C:\Windows\System\LbLJjZd.exe |
| C:\Windows\System\EAtZYgm.exe | C:\Windows\System\EAtZYgm.exe |
| C:\Windows\System\JiUgRBV.exe | C:\Windows\System\JiUgRBV.exe |
| C:\Windows\System\uqPBaZu.exe | C:\Windows\System\uqPBaZu.exe |
| C:\Windows\System\JpHzPmI.exe | C:\Windows\System\JpHzPmI.exe |
| C:\Windows\System\nrcJMmP.exe | C:\Windows\System\nrcJMmP.exe |
| C:\Windows\System\GCdPALE.exe | C:\Windows\System\GCdPALE.exe |
| C:\Windows\System\gCQRnca.exe | C:\Windows\System\gCQRnca.exe |
| C:\Windows\System\VqNNWAy.exe | C:\Windows\System\VqNNWAy.exe |
| C:\Windows\System\KFDHgCH.exe | C:\Windows\System\KFDHgCH.exe |
| C:\Windows\System\yPkriQW.exe | C:\Windows\System\yPkriQW.exe |
| C:\Windows\System\KxmnWLo.exe | C:\Windows\System\KxmnWLo.exe |
| C:\Windows\System\pnPLTsL.exe | C:\Windows\System\pnPLTsL.exe |
| C:\Windows\System\DEHhtpq.exe | C:\Windows\System\DEHhtpq.exe |
| C:\Windows\System\MDTEtKa.exe | C:\Windows\System\MDTEtKa.exe |
| C:\Windows\System\sKDadii.exe | C:\Windows\System\sKDadii.exe |
| C:\Windows\System\COgCAhj.exe | C:\Windows\System\COgCAhj.exe |
| C:\Windows\System\pZBgwYI.exe | C:\Windows\System\pZBgwYI.exe |
| C:\Windows\System\jGXyrnZ.exe | C:\Windows\System\jGXyrnZ.exe |
| C:\Windows\System\nJiFnEG.exe | C:\Windows\System\nJiFnEG.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 107.116.69.13.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 07:13
Reported
2024-06-29 07:16
Platform
win7-20231129-en
Max time kernel
142s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\iIJCBHU.exe | N/A |
| N/A | N/A | C:\Windows\System\WJYBfOz.exe | N/A |
| N/A | N/A | C:\Windows\System\nQiPpLg.exe | N/A |
| N/A | N/A | C:\Windows\System\BbNDbxq.exe | N/A |
| N/A | N/A | C:\Windows\System\OgVTsSx.exe | N/A |
| N/A | N/A | C:\Windows\System\EOyXfek.exe | N/A |
| N/A | N/A | C:\Windows\System\TehwbPF.exe | N/A |
| N/A | N/A | C:\Windows\System\VoyPyzN.exe | N/A |
| N/A | N/A | C:\Windows\System\cphnbke.exe | N/A |
| N/A | N/A | C:\Windows\System\qoewEss.exe | N/A |
| N/A | N/A | C:\Windows\System\JhrSGUR.exe | N/A |
| N/A | N/A | C:\Windows\System\yWsKOHF.exe | N/A |
| N/A | N/A | C:\Windows\System\FoFHiAI.exe | N/A |
| N/A | N/A | C:\Windows\System\lcEBHha.exe | N/A |
| N/A | N/A | C:\Windows\System\OAulvUe.exe | N/A |
| N/A | N/A | C:\Windows\System\uAqnesV.exe | N/A |
| N/A | N/A | C:\Windows\System\LBkAdjY.exe | N/A |
| N/A | N/A | C:\Windows\System\AVWukrP.exe | N/A |
| N/A | N/A | C:\Windows\System\TSBGHnS.exe | N/A |
| N/A | N/A | C:\Windows\System\FdIrGuX.exe | N/A |
| N/A | N/A | C:\Windows\System\QWTLgqY.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-29_facbf4258598ba435cd254d9dd00270a_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\iIJCBHU.exe | C:\Windows\System\iIJCBHU.exe |
| C:\Windows\System\WJYBfOz.exe | C:\Windows\System\WJYBfOz.exe |
| C:\Windows\System\nQiPpLg.exe | C:\Windows\System\nQiPpLg.exe |
| C:\Windows\System\BbNDbxq.exe | C:\Windows\System\BbNDbxq.exe |
| C:\Windows\System\OgVTsSx.exe | C:\Windows\System\OgVTsSx.exe |
| C:\Windows\System\EOyXfek.exe | C:\Windows\System\EOyXfek.exe |
| C:\Windows\System\TehwbPF.exe | C:\Windows\System\TehwbPF.exe |
| C:\Windows\System\VoyPyzN.exe | C:\Windows\System\VoyPyzN.exe |
| C:\Windows\System\cphnbke.exe | C:\Windows\System\cphnbke.exe |
| C:\Windows\System\qoewEss.exe | C:\Windows\System\qoewEss.exe |
| C:\Windows\System\JhrSGUR.exe | C:\Windows\System\JhrSGUR.exe |
| C:\Windows\System\yWsKOHF.exe | C:\Windows\System\yWsKOHF.exe |
| C:\Windows\System\FoFHiAI.exe | C:\Windows\System\FoFHiAI.exe |
| C:\Windows\System\lcEBHha.exe | C:\Windows\System\lcEBHha.exe |
| C:\Windows\System\OAulvUe.exe | C:\Windows\System\OAulvUe.exe |
| C:\Windows\System\uAqnesV.exe | C:\Windows\System\uAqnesV.exe |
| C:\Windows\System\LBkAdjY.exe | C:\Windows\System\LBkAdjY.exe |
| C:\Windows\System\AVWukrP.exe | C:\Windows\System\AVWukrP.exe |
| C:\Windows\System\TSBGHnS.exe | C:\Windows\System\TSBGHnS.exe |
| C:\Windows\System\FdIrGuX.exe | C:\Windows\System\FdIrGuX.exe |
| C:\Windows\System\QWTLgqY.exe | C:\Windows\System\QWTLgqY.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\system\TSBGHnS.exe
| MD5 | e1b344d31dfba4f4796a5a37c590077e |
| SHA1 | 3c0ef42a48e00a71e814c3512ebaeb3cb5a584a9 |
| SHA256 | 236833d616d6fe2b934835663b1acb66723771a811bdfd96ea2c051b5d387807 |
| SHA512 | 07f0f8785b3cf09d3f6b88030bb3d7a56be87889dd83b0577a73da19156122d0d0ad0a4cd5c601666e4539879ca0e7975c9908e169246b818ff86a14d3d216ad |
C:\Windows\system\LBkAdjY.exe
| MD5 | bdc360b5dceb28af2aa43e5679f46a1c |
| SHA1 | 8fb0f5904919ba0679c4c327b959eb8be4ec0602 |
| SHA256 | 9da609963d23df2ebbe1666a049a58081bebd8b18717abb184a0f3318dfbe6fb |
| SHA512 | 8f21ece4b29d37eae7387ee36bf3e4ea575e44ad88e2fe3413dccd64a178c235ef194439744c07a462e04c950ad27b14eecec6e506fb68e11f9ce7962f38f7e6 |
C:\Windows\system\AVWukrP.exe
| MD5 | e4b31e1ffb26ed296d66422219c7b7b4 |
| SHA1 | add760fd1f53ccd07c0db1c4986035a8d94a4c6c |
| SHA256 | 806c2536496ecae21b2089afd3ae92d150b85c20bb5146f3e09cb181e91f2197 |
| SHA512 | 0b5ca48c46fa2100b084ff59f23ad9170dde6f53e8f67c64ab61e834e069ca3d85e215a6495e09b36450d378daedbbe6023d6c29e453ef565d34aebe95fc19d6 |
memory/2180-105-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2696-104-0x000000013F9B0000-0x000000013FD04000-memory.dmp
C:\Windows\system\OAulvUe.exe
| MD5 | cd22a1692dccbdcfcb2011b7898d5a49 |
| SHA1 | 10f3a4930be07903583fd9128e19695bb2f44576 |
| SHA256 | 9d8a4848ed3fabb43bc0b618888f73c69b13523378ce7fc8c7bd816d33de2cfd |
| SHA512 | 9ece6f0b96c5875b1860d118afef3d06620e07be537f5daa02c154f6b5bf049bd44a15a33e5c4ac276e7547ba36005f2f07c20af847db75d5d2bb7af82ba598e |
memory/2052-97-0x000000013F680000-0x000000013F9D4000-memory.dmp
C:\Windows\system\lcEBHha.exe
| MD5 | e648653cfccbe0058019c2bb76ca2985 |
| SHA1 | 71c0e9aea2fe5fa1f80d87fdcd9936a65a025ce4 |
| SHA256 | ed0c34097b75c38683a465d2da728ee13b5400a6e195f1f0c49a4e345aa145b3 |
| SHA512 | 466ced23f5c6f8ead8c0398b6c7d56db0b76a7aa2157c2f0b57dfb128fb1827ce41bc4fd0d58c89bd79e743d07fe06e9e64e86a7c19c4077f7245c685af06705 |
memory/1084-91-0x000000013F4C0000-0x000000013F814000-memory.dmp
memory/2180-90-0x000000013F4C0000-0x000000013F814000-memory.dmp
memory/2260-89-0x000000013F110000-0x000000013F464000-memory.dmp
memory/2580-135-0x000000013F480000-0x000000013F7D4000-memory.dmp
C:\Windows\system\FoFHiAI.exe
| MD5 | 63e9dea07ac5839f741ed21b1bb4d0d6 |
| SHA1 | be9a0ae928fc52af4abf6c3f04a300c1372f09ac |
| SHA256 | bdf1f4aa21cdeb57a4dce5891977904bca987d66784809f732ee5badddacacc9 |
| SHA512 | a7031f4bfb39aadd4752f8048cb5bd36d710f35caee97a5d09a80fb4ae7fdbce831e0672ede188a8b48a253b468cd491e52e966740df16aff979ab6c9c317f8b |
memory/2212-84-0x000000013FA90000-0x000000013FDE4000-memory.dmp
C:\Windows\system\yWsKOHF.exe
| MD5 | 8a79ea0fcec491882b556a9971b89055 |
| SHA1 | f9ea90cc33caf7fc08da701d18c8c2a520b6e2ee |
| SHA256 | 9ebc69c94dacd41c61361d0043401ddfdf88be514bdd91ce01a03e0ee15b0ab3 |
| SHA512 | 926f5e84e81a74213f95a04ef70e793a6b779404f50736e0e92296403b9ff165a293201f9d30eccfb15038e2d464cc4cb14a6fc4ccfd53b70bfeb25eb07a1a23 |
memory/2792-136-0x000000013F030000-0x000000013F384000-memory.dmp
memory/2180-139-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/2180-140-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/3012-141-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/2212-142-0x000000013FA90000-0x000000013FDE4000-memory.dmp
memory/2180-143-0x000000013F4C0000-0x000000013F814000-memory.dmp
memory/1084-144-0x000000013F4C0000-0x000000013F814000-memory.dmp
memory/2180-145-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2052-146-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2180-147-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2368-148-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/2908-149-0x000000013F910000-0x000000013FC64000-memory.dmp
memory/2584-150-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2260-151-0x000000013F110000-0x000000013F464000-memory.dmp
memory/2580-152-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2696-153-0x000000013F9B0000-0x000000013FD04000-memory.dmp
memory/2568-154-0x000000013FE70000-0x00000001401C4000-memory.dmp
memory/2464-155-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/2576-156-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/2792-157-0x000000013F030000-0x000000013F384000-memory.dmp
memory/1084-158-0x000000013F4C0000-0x000000013F814000-memory.dmp
memory/2052-159-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2212-160-0x000000013FA90000-0x000000013FDE4000-memory.dmp
memory/3012-161-0x000000013F5B0000-0x000000013F904000-memory.dmp
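The listing above is a flat export of dropped files, their digests, and `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp` regions. To turn it into something a responder can act on (a SHA256 watchlist, a sanity check that no digest was truncated when copied, and the size of every dumped region grouped by PID), here is an added Python example. It is not part of the sandbox report or of any tool the report names; the line-layout rules it parses are assumptions about this export format, and the embedded sample is constructed from a handful of lines copied from the listing above.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed sample: a few lines copied from the listing above (digests are the page's own).
SAMPLE_REPORT = r"""
C:\Windows\system\EOyXfek.exe
| MD5 | 9db1ca31b832b71d55988dfd8bbe5601 |
| SHA1 | 3c5c16de8e4ae22c70133d98128fde41d0fc711a |
| SHA256 | f5f9a6bb0339c12d69f88a26826aff7270c16cfc9cd1232b38f98f9f3883e679 |
memory/2180-39-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2580-40-0x000000013F480000-0x000000013F7D4000-memory.dmp
C:\Windows\system\VoyPyzN.exe
| MD5 | b4082ebd5e1f857d20f6b5fadf56b110 |
| SHA256 | 7dd1e16ae87e0827f4d9461256c8f8c3a3dffadb1f98ba204a6d3d1511ccf652 |
memory/2568-56-0x000000013FE70000-0x00000001401C4000-memory.dmp
"""

# Expected hex-digest lengths, used to catch truncated or mis-copied hashes.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Assumed layout (not documented by the report itself): a path line introduces a dropped
# file, "| ALGO | hexdigest |" rows belong to the most recent path, and memory/... lines
# describe dumped regions. The drive letter is optional because one path above lacks it.
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\[^|]+\.\w+$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)


@dataclass
class MemoryRegion:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_report(text: str):
    """Return (dropped_files, memory_regions) parsed from the listing text."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = DroppedFile(path=line)
            files.append(current)
        elif (m := HASH_RE.match(line)) and current is not None:
            current.hashes[m.group(1)] = m.group(2).lower()
        elif m := MEM_RE.match(line):
            pid, idx, start, end = m.groups()
            regions.append(MemoryRegion(int(pid), int(idx), int(start, 16), int(end, 16)))
    return files, regions


def validate_hashes(files) -> list:
    """List 'path:ALGO' for every digest whose length is wrong for its algorithm."""
    bad = []
    for f in files:
        for algo, digest in f.hashes.items():
            if len(digest) != DIGEST_LEN[algo]:
                bad.append(f"{f.path}:{algo}")
    return bad


def region_size_histogram(regions) -> dict:
    """Map region size in bytes -> number of dumps of that size."""
    return dict(Counter(r.size for r in regions))


def regions_by_pid(regions) -> dict:
    """Group dumped regions by the PID that held them, preserving report order."""
    grouped = defaultdict(list)
    for r in regions:
        grouped[r.pid].append(r)
    return dict(grouped)


def sha256_iocs(files) -> list:
    """Sorted, de-duplicated SHA256 list suitable for a hunting watchlist."""
    return sorted({f.hashes["SHA256"] for f in files if "SHA256" in f.hashes})


if __name__ == "__main__":
    files, regions = parse_report(SAMPLE_REPORT)
    print("bad digests:", validate_hashes(files))
    print("SHA256 watchlist:", sha256_iocs(files))
    for size, n in region_size_histogram(regions).items():
        print(f"{n} region(s) of {size:#x} bytes")
    for pid, regs in regions_by_pid(regions).items():
        print(pid, [f"{r.start:#x}-{r.end:#x}" for r in regs])
```

Run against the whole listing rather than the sample, the size histogram collapses to a single bucket: every `memory.dmp` region above spans exactly 0x354000 bytes, only the base address and PID differ. That is what you would expect when the same-sized executable image is started again and again under new names, and it is a quick way to confirm that the dozens of dumps are one payload rather than several before spending analyst time on each.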