Analysis Overview
SHA256
d7f139448a4fe00f4992a8dbeb8a6f48869080091be6b203b66ba0e2b888e79b
Threat Level: Known bad
The file 2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobalt Strike reflective loader
Cobaltstrike
xmrig
UPX dump on OEP (original entry point)
XMRig Miner payload
Detects Reflective DLL injection artifacts
Xmrig family
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-29 06:54
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 06:54
Reported
2024-06-29 06:56
Platform
win7-20231129-en
Max time kernel
137s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\qoVgFNr.exe | N/A |
| N/A | N/A | C:\Windows\System\ynbNDLe.exe | N/A |
| N/A | N/A | C:\Windows\System\ybDixph.exe | N/A |
| N/A | N/A | C:\Windows\System\bUtgNgh.exe | N/A |
| N/A | N/A | C:\Windows\System\gZkqEUk.exe | N/A |
| N/A | N/A | C:\Windows\System\Pdefkxy.exe | N/A |
| N/A | N/A | C:\Windows\System\IEGesfe.exe | N/A |
| N/A | N/A | C:\Windows\System\DnvENpr.exe | N/A |
| N/A | N/A | C:\Windows\System\SRhnJaE.exe | N/A |
| N/A | N/A | C:\Windows\System\AhxZddD.exe | N/A |
| N/A | N/A | C:\Windows\System\haRHsaH.exe | N/A |
| N/A | N/A | C:\Windows\System\FCbOCdF.exe | N/A |
| N/A | N/A | C:\Windows\System\mXDhMDz.exe | N/A |
| N/A | N/A | C:\Windows\System\ocxPJaq.exe | N/A |
| N/A | N/A | C:\Windows\System\kHNzAeX.exe | N/A |
| N/A | N/A | C:\Windows\System\kNxfakh.exe | N/A |
| N/A | N/A | C:\Windows\System\KCBRItS.exe | N/A |
| N/A | N/A | C:\Windows\System\OcJwozm.exe | N/A |
| N/A | N/A | C:\Windows\System\WvAlYoJ.exe | N/A |
| N/A | N/A | C:\Windows\System\GKoLgYD.exe | N/A |
| N/A | N/A | C:\Windows\System\FeMHIoi.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\qoVgFNr.exe
C:\Windows\System\qoVgFNr.exe
C:\Windows\System\ynbNDLe.exe
C:\Windows\System\ynbNDLe.exe
C:\Windows\System\ybDixph.exe
C:\Windows\System\ybDixph.exe
C:\Windows\System\bUtgNgh.exe
C:\Windows\System\bUtgNgh.exe
C:\Windows\System\gZkqEUk.exe
C:\Windows\System\gZkqEUk.exe
C:\Windows\System\Pdefkxy.exe
C:\Windows\System\Pdefkxy.exe
C:\Windows\System\IEGesfe.exe
C:\Windows\System\IEGesfe.exe
C:\Windows\System\DnvENpr.exe
C:\Windows\System\DnvENpr.exe
C:\Windows\System\SRhnJaE.exe
C:\Windows\System\SRhnJaE.exe
C:\Windows\System\AhxZddD.exe
C:\Windows\System\AhxZddD.exe
C:\Windows\System\haRHsaH.exe
C:\Windows\System\haRHsaH.exe
C:\Windows\System\FCbOCdF.exe
C:\Windows\System\FCbOCdF.exe
C:\Windows\System\mXDhMDz.exe
C:\Windows\System\mXDhMDz.exe
C:\Windows\System\ocxPJaq.exe
C:\Windows\System\ocxPJaq.exe
C:\Windows\System\KCBRItS.exe
C:\Windows\System\KCBRItS.exe
C:\Windows\System\kHNzAeX.exe
C:\Windows\System\kHNzAeX.exe
C:\Windows\System\WvAlYoJ.exe
C:\Windows\System\WvAlYoJ.exe
C:\Windows\System\kNxfakh.exe
C:\Windows\System\kNxfakh.exe
C:\Windows\System\GKoLgYD.exe
C:\Windows\System\GKoLgYD.exe
C:\Windows\System\OcJwozm.exe
C:\Windows\System\OcJwozm.exe
C:\Windows\System\FeMHIoi.exe
C:\Windows\System\FeMHIoi.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1404-0-0x000000013F030000-0x000000013F384000-memory.dmp
memory/1404-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\qoVgFNr.exe
| MD5 | de5373eec9d13605217fd2de94229711 |
| SHA1 | cb996148af8401dec01d301253810bc27d213e6c |
| SHA256 | a2427bc91389da5d07c358099d26ecb9fd0873bcdab1445d07d42c2f2b7579a6 |
| SHA512 | 209ecfc3b0a5b9c6afc05930c0ad7b4a0331d11beb9cb23dd0f4bf74a94aaaf7019a3d70b637f89d5a00c70d6213a937545c2dec8e236888f62768467de8f6d1 |
\Windows\system\ybDixph.exe
| MD5 | 2fcdaaddd670f36dfdeb85359364fb7c |
| SHA1 | ff76309c52835cb73859c92036afef6db3ba3dd0 |
| SHA256 | 92709d4411c142b1d8e3b63e9f6a7bfdd5c2e36134d6e4f1c40695dd41e008ac |
| SHA512 | 035a9179969e927cbc80d00ec4f7e45061d14d2bf6e01b43ba9779237f1fc4e7a03820372551c90556e9cca1f7219657856b955ac851931d982c9b13f8ea1915 |
memory/2164-27-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/3060-28-0x000000013F400000-0x000000013F754000-memory.dmp
C:\Windows\system\ynbNDLe.exe
| MD5 | 84b6cc9f4c634c6a959a75da61fd654d |
| SHA1 | 7b3fca6fc95c2f0dc3f9f55a9e498089de509875 |
| SHA256 | 33a1109c3d0dd87c9b07fd75bd652ffdd7b23163b8c133f51c8b5a5cdf3dac15 |
| SHA512 | f1cf4bff48442acff69addbb96aa79b3d467ecbb6567dff5c5d8abc9f2852607aaea9660ed6d336852d1647176412442ec6b0580f59da6293f16fc5629b0f4a3 |
memory/1712-24-0x000000013F750000-0x000000013FAA4000-memory.dmp
C:\Windows\system\bUtgNgh.exe
| MD5 | 219598b59571ad85d2eae26a700d098e |
| SHA1 | 8c8552c5fed2d9af5da03bc1f4a62af9c4ad2bdb |
| SHA256 | 0ef23139ba335f35f2b921e10d236e30ad7dd2b5eb0c7f8b38da1d3703f5b025 |
| SHA512 | 3488b9676d9d81d109daef5da01e914354d696475e0f0946c34e8b614b934650c22c534b70b932a77c2c48f2ab148f66689b9d52569aa7e534aad4f2f28bf48d |
memory/1404-21-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/1404-18-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2216-10-0x000000013F670000-0x000000013F9C4000-memory.dmp
\Windows\system\gZkqEUk.exe
| MD5 | 3820243ca0c4dd58b300d2e9c118944b |
| SHA1 | 12b6bcc314247a413cd5c6d479f14b1eb02d1af2 |
| SHA256 | 945e7a3da0d69f06f7dba438da9a4820f36d8ce16297936b4834ea1c142e4489 |
| SHA512 | bbf0ee909c0bf941e2c4b8f4df4c9b15605c78c6f556f90fac4630fdec89f5fc2b8075173af43946b8c439319d8edfc8464de3e08f31001171715074625cbfbc |
C:\Windows\system\Pdefkxy.exe
| MD5 | 751a680da80bfaaccd15580d3937ba7f |
| SHA1 | 53a8fbd8b478c42700a4e1d282ddb749ce8e7051 |
| SHA256 | fde523d6f01f713af4030035bad5d1b27c06c1590302edec4381812924fb4aa5 |
| SHA512 | 32b9aec1877a7db6cdfa674c6e6ddb9307e7caca45f0a796647610de6f6b7b764556fba77870bacd4b8dcafea2651ebcf06c144106bd727dc16fb82ed03d4139 |
memory/2564-40-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2600-34-0x000000013F610000-0x000000013F964000-memory.dmp
memory/1404-33-0x000000013F610000-0x000000013F964000-memory.dmp
C:\Windows\system\IEGesfe.exe
| MD5 | 2a19ce0ba53738dd22827c44a29ec903 |
| SHA1 | 641c934cdcebf8bdc0200860ea46fc4a14004e1a |
| SHA256 | dd7988f92a90603f7a94b57fcdcf10613fc5deb7ab3116931cbc47651a46e073 |
| SHA512 | 0a815499c57bb3ecb45f7888f4c845079dc560c0e46ec083d55fe104587c356258d2d573d1293ee56b9633ee90d952bd183a351d5bb9f23469c57bc1fd7ff62a |
memory/2592-46-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/1404-43-0x000000013FF30000-0x0000000140284000-memory.dmp
\Windows\system\DnvENpr.exe
| MD5 | c2794f1bf1abda254218174e15a722eb |
| SHA1 | 05bb17400b7e6efce2a3e90f8d9774bcaf3ec8f6 |
| SHA256 | 2067ca1bd426072616cddde411f651520d8ed692430ac9b62c33bce302e7662e |
| SHA512 | c532d78e6f1c87c959a63e414c70583fe86382fed2ee1be8d10d12f83dbe2f897c2952a58dbb471ec5b5873c2b73c74096ea1157bcd473f6d22c650417ac35f2 |
memory/1568-55-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/1404-54-0x0000000002340000-0x0000000002694000-memory.dmp
\Windows\system\SRhnJaE.exe
| MD5 | 7dce52cd17a2b661d24bd3a4dcc8a0aa |
| SHA1 | fe1d9611db4cb97f1877c0d8a9163602a6168676 |
| SHA256 | a1ea41ce246fe0c5acdde97a4863743d6764af93277eb111c1ce24e5fd695dda |
| SHA512 | a657368a4b165aa3ccd7cce45b3ae61206ff9991333e471fa9e6b26718af68423238c6800e6208957ca665c810f9e7f65c6607d553147828b5f86280d023630f |
memory/1404-59-0x000000013F030000-0x000000013F384000-memory.dmp
memory/2216-63-0x000000013F670000-0x000000013F9C4000-memory.dmp
memory/1904-62-0x000000013F5F0000-0x000000013F944000-memory.dmp
\Windows\system\AhxZddD.exe
| MD5 | 9c45114be0ff39a3798fd3e9479e9f0b |
| SHA1 | 698eed1ebb6ea7b48552477b444fd0959149fe0d |
| SHA256 | bb341d86473e3220d9ffdadb3061bd6381260bd6102ac6f4919af80b25e06db7 |
| SHA512 | b084cf7d546cab90a89968cd2c3a0f0e2a9d2ea65cda3acbc9ae321af246b517763dcfc502ece1f7a6d3a0b3057e19b229aca8511a131ca4c5a16ccf6bd52d2c |
memory/1404-69-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2456-70-0x000000013FBC0000-0x000000013FF14000-memory.dmp
C:\Windows\system\haRHsaH.exe
| MD5 | 41a9e45873791d2706baf20325a57833 |
| SHA1 | 76bd016cbaada8c67639423ff325276cf409fb36 |
| SHA256 | 99f94a063205c6042f77447ebed90a167898f6dd47459b23841bdfeef9832aa3 |
| SHA512 | 09ee5af6de2df02a58534861b7fe59a38a92e5b451d682d90b62e253c1619d349a2f227c277a1e8f0867c5294fc3fdb45a804bc5b628e4885752d66f3251d66e |
C:\Windows\system\FCbOCdF.exe
| MD5 | 7ba0e187e61ce5624eda222304abcdf3 |
| SHA1 | 8232901901af2304155b9ef69d5e114285c593db |
| SHA256 | e5707ab6614fc7525b70bf3a04b91536079a8fc04e67cf7395010d42fd8861d7 |
| SHA512 | 2f6912f95dc10e918a95618cf04639aab5d0e9ef1c3b67cdc2feebcc466ab6d087b1589dd26c04a951f8ae69db5ec143c21179847f6da0074e9a1265dda0ea2c |
C:\Windows\system\ocxPJaq.exe
| MD5 | 26be51fdc474cb18f6cc9b4977af8f8c |
| SHA1 | ce46c273e7d54ffc9ec09d990056c8538f6ef612 |
| SHA256 | dcdb4d982ad2501ee94eda15626fc53d14dfd0f5be829978b3ffe56ba0f528b9 |
| SHA512 | 75c247fcad226a7e500beb481b22d93e15d43c2eaddde8ad5c2c70173380af216650b0d0e6ec233944713ea32a2f53813068a7a463e13f71faeda10e5eaa834f |
C:\Windows\system\kHNzAeX.exe
| MD5 | 108f6fc4417fd998f9febf744b1184af |
| SHA1 | f42e7562c795bff10d2d31830ff0436eb3dc3a08 |
| SHA256 | e7dcc090c47f948632e3875773fa299497acca10524c043973d9f5286d7b6580 |
| SHA512 | de70ff40c429def4cc9c10c22cf4a9f23b8bc775ca6bc2fe7233f69fd6e15748eca79afa379b288d1fa9a74df3f191018cf4e68140ac186a29940e2e1b6ea38f |
C:\Windows\system\OcJwozm.exe
| MD5 | 37e8cd6a78dee02a24c2b641787161d8 |
| SHA1 | 3c4690aae048230df4a77bdfd299f4465ec92a8e |
| SHA256 | 8e1ff747eb7cc2559f54fa2c8caaa507fdd921b83dbb12dec31d37975325a0f4 |
| SHA512 | be7bfd31aefce5cfed8eadbf25f8b87d25c9222550d15143eeda369c39ad1dbd33d2532e28275427ad15b246191e032c71c61ddbeff6b6f8a5a70be0f9a92b53 |
memory/1404-124-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
\Windows\system\FeMHIoi.exe
| MD5 | f5484c3a7bd2ae22b9e5d859210728b6 |
| SHA1 | 387a0322eea70fa0e23a16dbf1608c4b67620fa9 |
| SHA256 | e3f01d7e96fa093980fac500cccc64e7cc7e77ebbcd0a669cfc55863a4dfbc2a |
| SHA512 | 00e9ccd5646f00d74af4abc8874ddd780e83c6154e5a1a53454ee7a053084b314778d33cad0b09a069d90249d1e2d18354868427f53a447419e855466f9778d9 |
C:\Windows\system\kNxfakh.exe
| MD5 | 9d8db93574d546a9b6517f8206f8c5d0 |
| SHA1 | 3183afdf801cd7f1a234a9e0c90ad35d8cb60f9a |
| SHA256 | 54d4941e2fd996481f263c4024fbc0e243c3d6fbef85e148929c012ab5ab9eb1 |
| SHA512 | 06d11bb8550fac0cf62d49039079215f772b5bdeff3599198d24ce270ff466c62132cc6a5b8b91331f3e347647498fea90d8bac79c634663c8a6d0cf18f0ce76 |
\Windows\system\GKoLgYD.exe
| MD5 | 3178488a76bda55d79b77779eb83e5a0 |
| SHA1 | b78d9dbaa0e2ae14e0c795ff8feab25c388d64f8 |
| SHA256 | 118aab608a94c94021231854b5dcb94d3f08c67ac03874e1a8c22644073b4ae2 |
| SHA512 | b9dcee34374eeea9263837cdfd1e760c938e5df59b94acc4796610354a7aa0c9393f06302d52674d956f20f3c7afe78ab2c1a181a7789b36e19adb9fcbbf3c8f |
memory/2564-108-0x000000013FE50000-0x00000001401A4000-memory.dmp
\Windows\system\WvAlYoJ.exe
| MD5 | 253a26298444952b43ab9878f8c541c0 |
| SHA1 | 2c27cb172f863d5edf1279af9cfe7933fc8e4ded |
| SHA256 | 095f317c3f47e88429b4446a90ef27385dc406c3bbd38099b0a16fa518191c06 |
| SHA512 | fe2ef4ff07adb6bb83d5c388ae8eb398f6a5d53f2821bc938f43375f6c20e8c6aa179f3cbafa785dc53f66e83a1eb4181f5ccbbe1c3fa138d7d5906fe165e0fe |
memory/2960-100-0x000000013FFD0000-0x0000000140324000-memory.dmp
C:\Windows\system\KCBRItS.exe
| MD5 | b2d1fca371a287532ac5359bf28e07ba |
| SHA1 | 774233e9bb34818f9fe880b3cd6af8ddfb85e756 |
| SHA256 | d12d4a0b87f9b1fe4f2bf98312d89fb8d78b3708bffe95e9cdcf61637d4aa00b |
| SHA512 | 53fb30060516700e74282796004a824451a6ef106f297a4b474869294596126a390a6af07bebbca4c03ebb6cee808ef92b0ed7ba739188d2d36149c41ed4e83a |
memory/2084-112-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/1404-95-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/1404-92-0x000000013FFD0000-0x0000000140324000-memory.dmp
memory/2600-91-0x000000013F610000-0x000000013F964000-memory.dmp
memory/1404-89-0x0000000002340000-0x0000000002694000-memory.dmp
C:\Windows\system\mXDhMDz.exe
| MD5 | cbb0db6f8d7a126ba8ca1eb6a90ac767 |
| SHA1 | 596df1f7b77027c205a2aa3c4b3406550b67cd55 |
| SHA256 | def6aa256b07be1f36f9d238dd642c3db9384006751d0ee51f073b72add29d7b |
| SHA512 | db0f5b838d2edeb716e8872ffce5f53f412c3d5d16aed3cc1697455db2410872479c0299bd53a94c6d50e7483e76960ce3e1930ae4eb9a01bcbe15279de5361a |
memory/2764-87-0x000000013F210000-0x000000013F564000-memory.dmp
memory/2516-86-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/1404-85-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/2592-135-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/1404-137-0x0000000002340000-0x0000000002694000-memory.dmp
memory/1404-138-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/1404-139-0x000000013FFD0000-0x0000000140324000-memory.dmp
memory/2216-140-0x000000013F670000-0x000000013F9C4000-memory.dmp
memory/1712-142-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/3060-141-0x000000013F400000-0x000000013F754000-memory.dmp
memory/2164-143-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/2600-144-0x000000013F610000-0x000000013F964000-memory.dmp
memory/2564-145-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2592-146-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/1568-147-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/1904-148-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/2456-149-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2516-150-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/2764-151-0x000000013F210000-0x000000013F564000-memory.dmp
memory/2960-152-0x000000013FFD0000-0x0000000140324000-memory.dmp
memory/2084-153-0x000000013F680000-0x000000013F9D4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-29 06:54
Reported
2024-06-29 06:56
Platform
win10v2004-20240508-en
Max time kernel
139s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\qoVgFNr.exe | N/A |
| N/A | N/A | C:\Windows\System\ynbNDLe.exe | N/A |
| N/A | N/A | C:\Windows\System\ybDixph.exe | N/A |
| N/A | N/A | C:\Windows\System\bUtgNgh.exe | N/A |
| N/A | N/A | C:\Windows\System\gZkqEUk.exe | N/A |
| N/A | N/A | C:\Windows\System\Pdefkxy.exe | N/A |
| N/A | N/A | C:\Windows\System\IEGesfe.exe | N/A |
| N/A | N/A | C:\Windows\System\DnvENpr.exe | N/A |
| N/A | N/A | C:\Windows\System\SRhnJaE.exe | N/A |
| N/A | N/A | C:\Windows\System\AhxZddD.exe | N/A |
| N/A | N/A | C:\Windows\System\haRHsaH.exe | N/A |
| N/A | N/A | C:\Windows\System\FCbOCdF.exe | N/A |
| N/A | N/A | C:\Windows\System\mXDhMDz.exe | N/A |
| N/A | N/A | C:\Windows\System\ocxPJaq.exe | N/A |
| N/A | N/A | C:\Windows\System\KCBRItS.exe | N/A |
| N/A | N/A | C:\Windows\System\kHNzAeX.exe | N/A |
| N/A | N/A | C:\Windows\System\WvAlYoJ.exe | N/A |
| N/A | N/A | C:\Windows\System\kNxfakh.exe | N/A |
| N/A | N/A | C:\Windows\System\GKoLgYD.exe | N/A |
| N/A | N/A | C:\Windows\System\OcJwozm.exe | N/A |
| N/A | N/A | C:\Windows\System\FeMHIoi.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_488b601724d379fe005684d87ef8fd29_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\qoVgFNr.exe
C:\Windows\System\qoVgFNr.exe
C:\Windows\System\ynbNDLe.exe
C:\Windows\System\ynbNDLe.exe
C:\Windows\System\ybDixph.exe
C:\Windows\System\ybDixph.exe
C:\Windows\System\bUtgNgh.exe
C:\Windows\System\bUtgNgh.exe
C:\Windows\System\gZkqEUk.exe
C:\Windows\System\gZkqEUk.exe
C:\Windows\System\Pdefkxy.exe
C:\Windows\System\Pdefkxy.exe
C:\Windows\System\IEGesfe.exe
C:\Windows\System\IEGesfe.exe
C:\Windows\System\DnvENpr.exe
C:\Windows\System\DnvENpr.exe
C:\Windows\System\SRhnJaE.exe
C:\Windows\System\SRhnJaE.exe
C:\Windows\System\AhxZddD.exe
C:\Windows\System\AhxZddD.exe
C:\Windows\System\haRHsaH.exe
C:\Windows\System\haRHsaH.exe
C:\Windows\System\FCbOCdF.exe
C:\Windows\System\FCbOCdF.exe
C:\Windows\System\mXDhMDz.exe
C:\Windows\System\mXDhMDz.exe
C:\Windows\System\ocxPJaq.exe
C:\Windows\System\ocxPJaq.exe
C:\Windows\System\KCBRItS.exe
C:\Windows\System\KCBRItS.exe
C:\Windows\System\kHNzAeX.exe
C:\Windows\System\kHNzAeX.exe
C:\Windows\System\WvAlYoJ.exe
C:\Windows\System\WvAlYoJ.exe
C:\Windows\System\kNxfakh.exe
C:\Windows\System\kNxfakh.exe
C:\Windows\System\GKoLgYD.exe
C:\Windows\System\GKoLgYD.exe
C:\Windows\System\OcJwozm.exe
C:\Windows\System\OcJwozm.exe
C:\Windows\System\FeMHIoi.exe
C:\Windows\System\FeMHIoi.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files