Analysis Overview
SHA256
83a44075ec09125c07834729e45ef0626088249387be2c14ec9eb550619aaa68
Threat Level: Known bad
The file 2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobaltstrike family
XMRig Miner payload
Cobalt Strike reflective loader
Xmrig family
Cobaltstrike
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-29 06:59
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 06:59
Reported
2024-06-29 07:02
Platform
win7-20240611-en
Max time kernel
135s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\PNSreig.exe | N/A |
| N/A | N/A | C:\Windows\System\HkRNWAA.exe | N/A |
| N/A | N/A | C:\Windows\System\NQJflob.exe | N/A |
| N/A | N/A | C:\Windows\System\XUdbfpY.exe | N/A |
| N/A | N/A | C:\Windows\System\qjpviNe.exe | N/A |
| N/A | N/A | C:\Windows\System\viNFWuu.exe | N/A |
| N/A | N/A | C:\Windows\System\ZFePzwc.exe | N/A |
| N/A | N/A | C:\Windows\System\IRaXcdb.exe | N/A |
| N/A | N/A | C:\Windows\System\nHPGvvS.exe | N/A |
| N/A | N/A | C:\Windows\System\FmbcYgG.exe | N/A |
| N/A | N/A | C:\Windows\System\nYFiuoj.exe | N/A |
| N/A | N/A | C:\Windows\System\axfUATw.exe | N/A |
| N/A | N/A | C:\Windows\System\GMhUljt.exe | N/A |
| N/A | N/A | C:\Windows\System\KgFEujg.exe | N/A |
| N/A | N/A | C:\Windows\System\eUHRaxD.exe | N/A |
| N/A | N/A | C:\Windows\System\edmqGEI.exe | N/A |
| N/A | N/A | C:\Windows\System\IZjHHur.exe | N/A |
| N/A | N/A | C:\Windows\System\BWTbtcW.exe | N/A |
| N/A | N/A | C:\Windows\System\KPKMAiU.exe | N/A |
| N/A | N/A | C:\Windows\System\qKpWZFj.exe | N/A |
| N/A | N/A | C:\Windows\System\CvZYXtS.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\PNSreig.exe
C:\Windows\System\PNSreig.exe
C:\Windows\System\HkRNWAA.exe
C:\Windows\System\HkRNWAA.exe
C:\Windows\System\NQJflob.exe
C:\Windows\System\NQJflob.exe
C:\Windows\System\qjpviNe.exe
C:\Windows\System\qjpviNe.exe
C:\Windows\System\XUdbfpY.exe
C:\Windows\System\XUdbfpY.exe
C:\Windows\System\viNFWuu.exe
C:\Windows\System\viNFWuu.exe
C:\Windows\System\ZFePzwc.exe
C:\Windows\System\ZFePzwc.exe
C:\Windows\System\nHPGvvS.exe
C:\Windows\System\nHPGvvS.exe
C:\Windows\System\IRaXcdb.exe
C:\Windows\System\IRaXcdb.exe
C:\Windows\System\nYFiuoj.exe
C:\Windows\System\nYFiuoj.exe
C:\Windows\System\FmbcYgG.exe
C:\Windows\System\FmbcYgG.exe
C:\Windows\System\GMhUljt.exe
C:\Windows\System\GMhUljt.exe
C:\Windows\System\axfUATw.exe
C:\Windows\System\axfUATw.exe
C:\Windows\System\KgFEujg.exe
C:\Windows\System\KgFEujg.exe
C:\Windows\System\eUHRaxD.exe
C:\Windows\System\eUHRaxD.exe
C:\Windows\System\edmqGEI.exe
C:\Windows\System\edmqGEI.exe
C:\Windows\System\IZjHHur.exe
C:\Windows\System\IZjHHur.exe
C:\Windows\System\BWTbtcW.exe
C:\Windows\System\BWTbtcW.exe
C:\Windows\System\KPKMAiU.exe
C:\Windows\System\KPKMAiU.exe
C:\Windows\System\CvZYXtS.exe
C:\Windows\System\CvZYXtS.exe
C:\Windows\System\qKpWZFj.exe
C:\Windows\System\qKpWZFj.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-29 06:59
Reported
2024-06-29 07:02
Platform
win10v2004-20240508-en
Max time kernel
139s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\CfZNQnK.exe | N/A |
| N/A | N/A | C:\Windows\System\lArFOfs.exe | N/A |
| N/A | N/A | C:\Windows\System\lxxLlqG.exe | N/A |
| N/A | N/A | C:\Windows\System\ibRxKGb.exe | N/A |
| N/A | N/A | C:\Windows\System\DIxvFTe.exe | N/A |
| N/A | N/A | C:\Windows\System\lgvuKXy.exe | N/A |
| N/A | N/A | C:\Windows\System\udpintH.exe | N/A |
| N/A | N/A | C:\Windows\System\QOOWzPV.exe | N/A |
| N/A | N/A | C:\Windows\System\HkzGvtb.exe | N/A |
| N/A | N/A | C:\Windows\System\bNwsSYY.exe | N/A |
| N/A | N/A | C:\Windows\System\UjCxQIb.exe | N/A |
| N/A | N/A | C:\Windows\System\PUyWFKD.exe | N/A |
| N/A | N/A | C:\Windows\System\IPLRPpk.exe | N/A |
| N/A | N/A | C:\Windows\System\IDjlWPK.exe | N/A |
| N/A | N/A | C:\Windows\System\qLYjdyY.exe | N/A |
| N/A | N/A | C:\Windows\System\mWpRNbF.exe | N/A |
| N/A | N/A | C:\Windows\System\uOEPQNV.exe | N/A |
| N/A | N/A | C:\Windows\System\EcIUEpr.exe | N/A |
| N/A | N/A | C:\Windows\System\JBSNeDv.exe | N/A |
| N/A | N/A | C:\Windows\System\BxtJtHy.exe | N/A |
| N/A | N/A | C:\Windows\System\xbKyDNM.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_8b1da65cc148dc297aee5f23fed2d6d3_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\CfZNQnK.exe
C:\Windows\System\CfZNQnK.exe
C:\Windows\System\lArFOfs.exe
C:\Windows\System\lArFOfs.exe
C:\Windows\System\lxxLlqG.exe
C:\Windows\System\lxxLlqG.exe
C:\Windows\System\ibRxKGb.exe
C:\Windows\System\ibRxKGb.exe
C:\Windows\System\DIxvFTe.exe
C:\Windows\System\DIxvFTe.exe
C:\Windows\System\lgvuKXy.exe
C:\Windows\System\lgvuKXy.exe
C:\Windows\System\udpintH.exe
C:\Windows\System\udpintH.exe
C:\Windows\System\QOOWzPV.exe
C:\Windows\System\QOOWzPV.exe
C:\Windows\System\HkzGvtb.exe
C:\Windows\System\HkzGvtb.exe
C:\Windows\System\bNwsSYY.exe
C:\Windows\System\bNwsSYY.exe
C:\Windows\System\UjCxQIb.exe
C:\Windows\System\UjCxQIb.exe
C:\Windows\System\PUyWFKD.exe
C:\Windows\System\PUyWFKD.exe
C:\Windows\System\IPLRPpk.exe
C:\Windows\System\IPLRPpk.exe
C:\Windows\System\IDjlWPK.exe
C:\Windows\System\IDjlWPK.exe
C:\Windows\System\qLYjdyY.exe
C:\Windows\System\qLYjdyY.exe
C:\Windows\System\mWpRNbF.exe
C:\Windows\System\mWpRNbF.exe
C:\Windows\System\uOEPQNV.exe
C:\Windows\System\uOEPQNV.exe
C:\Windows\System\EcIUEpr.exe
C:\Windows\System\EcIUEpr.exe
C:\Windows\System\JBSNeDv.exe
C:\Windows\System\JBSNeDv.exe
C:\Windows\System\BxtJtHy.exe
C:\Windows\System\BxtJtHy.exe
C:\Windows\System\xbKyDNM.exe
C:\Windows\System\xbKyDNM.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\BxtJtHy.exe
| MD5 | dce428eb10f06dca23ff514a02b81d21 |
| SHA1 | af84974a137d1042230fcd962cfe8ea30285022b |
| SHA256 | eb9597ae1a7cd40c7f65d95f0d1aee27d9c13cad7b5d89f4df171f79e25a5d61 |
| SHA512 | 778177c73ccbec763d20fbdb6b734808009fa9d56326a8c4eadb76224992958c230714c3c221cc17a21368bff9dd41746ef0237508b008fbe477782090264517 |
C:\Windows\System\xbKyDNM.exe
| MD5 | a6135aab6a9e90f2d7d34d9e3dc4eb1c |
| SHA1 | 8b466218bab68b465b905d915888eb903b345638 |
| SHA256 | 6180107b22b850b149f72dff61b630e37ce11d60c1f50d346830f7238b375de6 |
| SHA512 | 62bf40910bcdb901b6040bfec3209f51a4fe788925875036665d9e3d0df92443609f44b180c246bf7b3655887dc67cf3af32b0862ddde573458664e207b59135 |
C:\Windows\System\JBSNeDv.exe
| MD5 | 18dadf48f67244adcbc9cea9244334cb |
| SHA1 | 2c8547d614251206d502a86e91efb0c317931d90 |
| SHA256 | 4385338f440520ad8b92e8e618c534a739839637fe371f193ace438c5c1f89b5 |
| SHA512 | d560c1a3678ab46da888e6f51eb9385d94ea184654b82d60b4e0acc9f829f58cdd369e2ebd933152f6390f96af0f8ddb3d7df24039d67140f54dd7d25ce36d29 |
C:\Windows\System\EcIUEpr.exe
| MD5 | ac1a8b03921cbfc1adeae62b33459a0f |
| SHA1 | 99e12a35fafb7a08a6af7cc0efd8ac7741f11828 |
| SHA256 | bb8f3723e6c85bf4b163350f03a6a31235fb35d1622fd20563480fe6948655d5 |
| SHA512 | 66c93acd34836ab33e2cacf9e37a406e4e99266c944412437ab65539fd8325bb962a214d1e71595137903192665b155a59f61195d9569b4beee69f92fd4ed5ab |
memory/852-115-0x00007FF7ED8F0000-0x00007FF7EDC44000-memory.dmp
memory/4900-112-0x00007FF747360000-0x00007FF7476B4000-memory.dmp
memory/4836-131-0x00007FF6A6230000-0x00007FF6A6584000-memory.dmp
memory/696-134-0x00007FF6E1290000-0x00007FF6E15E4000-memory.dmp
memory/3800-133-0x00007FF7B50E0000-0x00007FF7B5434000-memory.dmp
memory/684-132-0x00007FF7D8460000-0x00007FF7D87B4000-memory.dmp
memory/3672-130-0x00007FF64E9C0000-0x00007FF64ED14000-memory.dmp
memory/3828-135-0x00007FF6B0A10000-0x00007FF6B0D64000-memory.dmp
memory/4804-136-0x00007FF65F420000-0x00007FF65F774000-memory.dmp
memory/2092-137-0x00007FF647DB0000-0x00007FF648104000-memory.dmp
memory/852-138-0x00007FF7ED8F0000-0x00007FF7EDC44000-memory.dmp
memory/1708-139-0x00007FF66EB40000-0x00007FF66EE94000-memory.dmp
memory/216-140-0x00007FF6D6640000-0x00007FF6D6994000-memory.dmp
memory/4112-141-0x00007FF66A160000-0x00007FF66A4B4000-memory.dmp
memory/1800-144-0x00007FF7AE740000-0x00007FF7AEA94000-memory.dmp
memory/4484-143-0x00007FF696400000-0x00007FF696754000-memory.dmp
memory/4900-142-0x00007FF747360000-0x00007FF7476B4000-memory.dmp
memory/2988-145-0x00007FF66B830000-0x00007FF66BB84000-memory.dmp
memory/3800-146-0x00007FF7B50E0000-0x00007FF7B5434000-memory.dmp
memory/2380-147-0x00007FF6804C0000-0x00007FF680814000-memory.dmp
memory/696-148-0x00007FF6E1290000-0x00007FF6E15E4000-memory.dmp
memory/8-149-0x00007FF728860000-0x00007FF728BB4000-memory.dmp
memory/3828-150-0x00007FF6B0A10000-0x00007FF6B0D64000-memory.dmp
memory/1524-151-0x00007FF7CAA70000-0x00007FF7CADC4000-memory.dmp
memory/4244-152-0x00007FF753080000-0x00007FF7533D4000-memory.dmp
memory/4804-153-0x00007FF65F420000-0x00007FF65F774000-memory.dmp
memory/1936-154-0x00007FF750510000-0x00007FF750864000-memory.dmp
memory/2092-155-0x00007FF647DB0000-0x00007FF648104000-memory.dmp
memory/852-156-0x00007FF7ED8F0000-0x00007FF7EDC44000-memory.dmp
memory/684-158-0x00007FF7D8460000-0x00007FF7D87B4000-memory.dmp
memory/3672-157-0x00007FF64E9C0000-0x00007FF64ED14000-memory.dmp
memory/4836-159-0x00007FF6A6230000-0x00007FF6A6584000-memory.dmp