Analysis Overview
SHA256
7f87dcb6f51d354e36fa504751a4183cfd0343e14584ccf48e3b920203452275
Threat Level: Known bad
The file 2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
xmrig
Cobaltstrike
Cobalt Strike reflective loader
XMRig Miner payload
Xmrig family
XMRig Miner payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-30 05:47
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-30 05:47
Reported
2024-06-30 05:49
Platform
win7-20240508-en
Max time kernel
140s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\DKiJEPZ.exe | N/A |
| N/A | N/A | C:\Windows\System\SeUkslf.exe | N/A |
| N/A | N/A | C:\Windows\System\zmoCGfM.exe | N/A |
| N/A | N/A | C:\Windows\System\EZpNsZP.exe | N/A |
| N/A | N/A | C:\Windows\System\lGpEQsM.exe | N/A |
| N/A | N/A | C:\Windows\System\tSLqIrp.exe | N/A |
| N/A | N/A | C:\Windows\System\jLFpJtj.exe | N/A |
| N/A | N/A | C:\Windows\System\QzIURfO.exe | N/A |
| N/A | N/A | C:\Windows\System\qLCvGgY.exe | N/A |
| N/A | N/A | C:\Windows\System\TIHvecm.exe | N/A |
| N/A | N/A | C:\Windows\System\rnmGPKJ.exe | N/A |
| N/A | N/A | C:\Windows\System\YkiHnpQ.exe | N/A |
| N/A | N/A | C:\Windows\System\ceHLElA.exe | N/A |
| N/A | N/A | C:\Windows\System\wqwTTlg.exe | N/A |
| N/A | N/A | C:\Windows\System\yqoKxLf.exe | N/A |
| N/A | N/A | C:\Windows\System\Tivnwbf.exe | N/A |
| N/A | N/A | C:\Windows\System\bMfzcCC.exe | N/A |
| N/A | N/A | C:\Windows\System\VULROnn.exe | N/A |
| N/A | N/A | C:\Windows\System\hZiNmDZ.exe | N/A |
| N/A | N/A | C:\Windows\System\okNtyzV.exe | N/A |
| N/A | N/A | C:\Windows\System\pErQpRW.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\DKiJEPZ.exe
C:\Windows\System\DKiJEPZ.exe
C:\Windows\System\SeUkslf.exe
C:\Windows\System\SeUkslf.exe
C:\Windows\System\zmoCGfM.exe
C:\Windows\System\zmoCGfM.exe
C:\Windows\System\EZpNsZP.exe
C:\Windows\System\EZpNsZP.exe
C:\Windows\System\lGpEQsM.exe
C:\Windows\System\lGpEQsM.exe
C:\Windows\System\tSLqIrp.exe
C:\Windows\System\tSLqIrp.exe
C:\Windows\System\jLFpJtj.exe
C:\Windows\System\jLFpJtj.exe
C:\Windows\System\QzIURfO.exe
C:\Windows\System\QzIURfO.exe
C:\Windows\System\qLCvGgY.exe
C:\Windows\System\qLCvGgY.exe
C:\Windows\System\TIHvecm.exe
C:\Windows\System\TIHvecm.exe
C:\Windows\System\rnmGPKJ.exe
C:\Windows\System\rnmGPKJ.exe
C:\Windows\System\YkiHnpQ.exe
C:\Windows\System\YkiHnpQ.exe
C:\Windows\System\bMfzcCC.exe
C:\Windows\System\bMfzcCC.exe
C:\Windows\System\ceHLElA.exe
C:\Windows\System\ceHLElA.exe
C:\Windows\System\VULROnn.exe
C:\Windows\System\VULROnn.exe
C:\Windows\System\wqwTTlg.exe
C:\Windows\System\wqwTTlg.exe
C:\Windows\System\hZiNmDZ.exe
C:\Windows\System\hZiNmDZ.exe
C:\Windows\System\yqoKxLf.exe
C:\Windows\System\yqoKxLf.exe
C:\Windows\System\okNtyzV.exe
C:\Windows\System\okNtyzV.exe
C:\Windows\System\Tivnwbf.exe
C:\Windows\System\Tivnwbf.exe
C:\Windows\System\pErQpRW.exe
C:\Windows\System\pErQpRW.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1956-0-0x0000000000080000-0x0000000000090000-memory.dmp
memory/1956-1-0x000000013FAE0000-0x000000013FE34000-memory.dmp
\Windows\system\DKiJEPZ.exe
| MD5 | 3fcc0f73c57d800540c3a1ed9a2e88e7 |
| SHA1 | e3b24b9ac3b50e52646ba1b662551bc941fceef5 |
| SHA256 | 8b0aa8db42ed2c815321c534df513b33eeb97cc3cfbd4002250a24052f2376db |
| SHA512 | e8d9f4ea6efb00216d0bfa2c45deea8d04c820b753f9cd4cc99bbc2c700a4e9019754cbabd6ee18a7b1e3d8ad2767aa097d546b4df7075e86cd28a5ec8e1c6b2 |
\Windows\system\zmoCGfM.exe
| MD5 | fd798ca64dc57d6bbe7a53f4bf3e7f6f |
| SHA1 | 857ff95ee24aaf11c9bfe54201ba34f142675284 |
| SHA256 | 3630de0a92c7444f3d689c66a7b180d0b38db1a31828457ecd4eb471fbbc52a9 |
| SHA512 | 91c657471fe0fdc81b45ad6cc554b95f768deefd7202f71bcc1c8912becd40e3fee0924ba6bfadc6f1b6c5e017a121bdd760c08d9d291e536bd3832c1ddefc0b |
C:\Windows\system\SeUkslf.exe
| MD5 | 6a81a9b1b6fbca8f507bc25685c05578 |
| SHA1 | 0c9d81b3f5cbebdd06be05fd0c81638216ab3e0e |
| SHA256 | cdf2a482e06328b6f3e04c7e66aee5cf9077d1ba64353b26fb1350ddbe72705f |
| SHA512 | 846439089dc5efa652b45e42d53266e06bcfb59ea71f87a6053c40f2dcdc5af4d0eb8048a4fda9470afabbacc5aa50b96ac5751e0653d8e1f2b855ef61acc03d |
memory/2140-17-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/2640-23-0x000000013F7F0000-0x000000013FB44000-memory.dmp
memory/1956-21-0x0000000002430000-0x0000000002784000-memory.dmp
memory/2160-19-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/1956-18-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/1956-6-0x0000000002430000-0x0000000002784000-memory.dmp
\Windows\system\EZpNsZP.exe
| MD5 | 389c8e6d4add397df4acfb501d9250ce |
| SHA1 | c0ec71ec3324a33e4994f6af5242a324df9a429e |
| SHA256 | e8d890c20b15f2f87a23890b9623275d9a8e671ded559ce087421fd549608eda |
| SHA512 | dba35f0782dc17716f30c750acddc0a518e29035585347da2f7a968f39715638c949e352b982b902f20141ebaf8e87668e258d001ef17a35a4075849bdde2d47 |
memory/2664-29-0x000000013F930000-0x000000013FC84000-memory.dmp
\Windows\system\lGpEQsM.exe
| MD5 | 47a4093ff9dc29c2494ecaf3b54b82e0 |
| SHA1 | 610825bbb07d1f084eecbf668c87efbe8fb7205c |
| SHA256 | 44ea8186fbc6acc915fadee10d4d98ef276a1dc2c3c88eae58419d5bab4b9185 |
| SHA512 | 8d9cdb9d42962d22bf6f372d664439840cbfd8dcc878ca11300845eaef9fe9b55527d8f6e9396fca8f2b960bb0eb60cd59b88586742a9c1461d230a5ce1dc649 |
memory/1692-35-0x000000013F3C0000-0x000000013F714000-memory.dmp
\Windows\system\tSLqIrp.exe
| MD5 | 615af330ff5ec1b65fe706dd4acea65e |
| SHA1 | 84742128debe0bc72084f95ef26d607085a07beb |
| SHA256 | 5ec495f66f10ffdf6287acd9193c3000f3541ef0d7090dfae3a492002b33409c |
| SHA512 | 7908a2de12857e20e1231f50bbc64a41d97a8780e0bf2312f194449f9411f0782d9ba22dac3d9ecaa08417b7c83603fc5a912005e23742432f93a5b281f568b3 |
memory/2792-43-0x000000013F310000-0x000000013F664000-memory.dmp
C:\Windows\system\QzIURfO.exe
| MD5 | f19ed57d2cebbfa4decd75c4f5678df7 |
| SHA1 | f120fe6e0bd5fda02a29a5e95d46ea7c2e04ea1e |
| SHA256 | 0f91e6685253bdac2b51032e80c090324d826adb0ad82f01143fd127ee36129c |
| SHA512 | bec46d567386c6fef4a7e10c4d0ccaeeccb2e4407d0b458816ea468f72539780f84f816f8a911bdcbe4eca59e2c7f327795f9a76f7c85b06513ba60a65906bc1 |
\Windows\system\ceHLElA.exe
| MD5 | 87d248df6cf95a11d0bfb437b64dce20 |
| SHA1 | b57a6ab7f7fe0a5a26d51ef723e0743df5e51cc1 |
| SHA256 | eb021ce7b33b52b5479491333f2090f5e42452acd2129de291c8f621a9bbe6bb |
| SHA512 | f6d98fb5b1e94da262afbe5f13f565d9ddd293c54152573948458bebae115744224e538c4de5479699832d768f033cef415e549b8d1d727aba693589711ac56e |
memory/1956-89-0x0000000002430000-0x0000000002784000-memory.dmp
\Windows\system\Tivnwbf.exe
| MD5 | 81db55f1fd72cf64f918c2d9329f1323 |
| SHA1 | e3b94904ca19cd7394d371909d9b164999492417 |
| SHA256 | 5ecff1996d38ee8e592dc1090d1039fcba2c501097fcbb216397bb3bd248d159 |
| SHA512 | 61b07a65829b1f47cff4434b3824f32db5535ef324b03673f7418cc3e8a6bd89543d36087be20d3a24de624ff3109cec480dd48ce9061315038e17471175766b |
memory/1956-115-0x0000000002430000-0x0000000002784000-memory.dmp
C:\Windows\system\bMfzcCC.exe
| MD5 | cf85f04119122963d26a831c5d8b2d65 |
| SHA1 | 88c8581394632ec9b67cc887d7f5713506bc15ed |
| SHA256 | 037e4ebc1d548c09e866e8df965d711319bbc09c25f22f95fae0d1a7639a1be5 |
| SHA512 | 26f29db6a37cd6569b1c2fcad32ce4c6089c5bcacf1dc432dbd54fabf66814a4e08e8c2a046343293b1f35a935ab8672c06050aaac009f19fae778830bf8b2cd |
C:\Windows\system\hZiNmDZ.exe
| MD5 | 57860a71703203ff62422c4d26157dad |
| SHA1 | a5a6e5e5a4348a026f7072057ed806bdc67d822f |
| SHA256 | 56e2cfd008133228d64bb5a9e587f52deaae1189509ff5e3b0283fa3a6232264 |
| SHA512 | 81f6631069b595ba88bdc159508f8c57721af7ed8f6ce2dfd0ef3f3b0920913785bfc0a726336a6b36db2c208cafcbe83f406a9b03306eebd6878d43087f60ad |
C:\Windows\system\pErQpRW.exe
| MD5 | 107d72b1e49fbe2e4c2fbd4dfaf9bb85 |
| SHA1 | b0989f6122fc533f371fbbd0bf28e92d5313d611 |
| SHA256 | 1e694b8beca079c9335421e24e6e93881652d69679fec242c5e29b36034196c3 |
| SHA512 | b407b1b69958f04894ceacc3e77e1f5eaac4acea12d0646576f516e03a4c0764251bca32384669dbe2e75f06811d74b37bdfec7eb8791053a1d2c5248bcb7912 |
memory/1956-106-0x000000013F460000-0x000000013F7B4000-memory.dmp
\Windows\system\okNtyzV.exe
| MD5 | db9eb8fbf595864b00b0e4fee5988cd3 |
| SHA1 | 659c240bc4f992bc92b6437b18516e28b6f67669 |
| SHA256 | abd519ba004d2d84554ad6c99d42751bf18fc8f5c23840027de7498d4ab1c2e6 |
| SHA512 | e39c5bbb3947615338531635954100685671dfa9dba7cde82edea52fb7c4e1e5f4064a4827c5e4a6ce819046a8defefc299ef08620f4d72a3e01927a440a21ac |
memory/1956-95-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2524-94-0x000000013F040000-0x000000013F394000-memory.dmp
C:\Windows\system\wqwTTlg.exe
| MD5 | e135a6fbae413d0713e52a96449130a9 |
| SHA1 | d1bd2a1109d8547e9efb25f85bd34c6dd135c0c6 |
| SHA256 | 27c0b94426c6cd61387919c7ffb9cd620450f2020f7cb69139793cf739ed55a3 |
| SHA512 | a56673f921c0a6e2ff41ebf3a5096c0fe2ef61c54be06fdb96795e6d01ce977984e026f6aba0f20ca70ca3bb2619338a212f2a3e07df8acb3d18dc0c9546a5e5 |
\Windows\system\VULROnn.exe
| MD5 | a868c95d50102abf094f1f009003c709 |
| SHA1 | b8610ed2f5589aa40904d02f7ee94ac76a9ede08 |
| SHA256 | c5e7eabb01aabd0cacb0e4de93d5896ea934fea0baa8715ccc03d7314cfe21d7 |
| SHA512 | 73db015ce3ea3c399dcb50a48816e2e77e9fe47d49b1e4b4f2968808c10650ca3dafd2faf3406d86bc91330858aaa2ac45a89dd96f9e55986a8707d445fc7692 |
memory/1956-76-0x000000013F410000-0x000000013F764000-memory.dmp
C:\Windows\system\rnmGPKJ.exe
| MD5 | a585666b674daa660921b6f619487077 |
| SHA1 | 3a5c84ccd1c08bad0b21a9da293df47b79e39982 |
| SHA256 | eac1ecfbb02b3dbf5fb16dc34eb757924e9f4cdd53bced17b0dfc07cad788d55 |
| SHA512 | de2acd7fdc6033a0826d3807fa066485588db4ab087c4bd31bc799a128f807ed4672a0fa9d7e4061746730fa77a6bd8eea4e37e61da722efeefc4d4995dc6955 |
memory/2140-73-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/1956-121-0x0000000002430000-0x0000000002784000-memory.dmp
memory/1956-120-0x0000000002430000-0x0000000002784000-memory.dmp
memory/1956-119-0x0000000002430000-0x0000000002784000-memory.dmp
memory/2984-118-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2568-116-0x000000013F410000-0x000000013F764000-memory.dmp
memory/316-114-0x000000013F460000-0x000000013F7B4000-memory.dmp
memory/1956-112-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/2680-110-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2576-109-0x000000013F6F0000-0x000000013FA44000-memory.dmp
C:\Windows\system\yqoKxLf.exe
| MD5 | 22ccc44f86ec456eed054863832c1f11 |
| SHA1 | df7e9c0c3172e372743431c7c9b8da3aae7c35d0 |
| SHA256 | 2b4387d1615bab8de16f31db50eeb3f1bc1dd7abf859e263df82949674c0919f |
| SHA512 | 7edd77f718dfd5b9047c7f273f9c8f1c385f5d94dca6da3bd229ab821e53a49e89a7076d62848b6b1ff683863b68b1966d1e3ee8587f4ba744c589b9caf08adf |
memory/1956-80-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/1956-79-0x000000013F040000-0x000000013F394000-memory.dmp
C:\Windows\system\YkiHnpQ.exe
| MD5 | 5246ddaff439d6fd1b0ea6fd76d6c4b7 |
| SHA1 | 80bccd97f3e138639db1777310cb0ccd2c1ed60e |
| SHA256 | f11ed2d465dec9fd1124db74997cd5fe359ce06c2c1e4f58b989172fa29f4ec3 |
| SHA512 | f5c85e06f0b52300b3745e8c09e781cc1be70f90ed12d76f1b0cc6290befc4ea866bd3898a2874d2b11dd4ee69e1095f8f11e3a5c7dd88bc729b879fc7a87f52 |
C:\Windows\system\TIHvecm.exe
| MD5 | dd51a95e71e8d91046b2fa98771ab541 |
| SHA1 | dcf6e5eb64b2633c19c0ede6380c3b42aaa2561c |
| SHA256 | a587b653f7c779e3aaa0b7e1f904d681a7667d376e21b9d959e3865a4a34bd48 |
| SHA512 | bbba9dbf0aae97a0ed2fdff02e18a74a0b98d0529f89cddd49fe7a5d202647c736b3b4cd32891341bc6e5846111be17d184cbb0b319b583ae486733f9c493f22 |
C:\Windows\system\qLCvGgY.exe
| MD5 | 91f7dc9d3d5494f2b5923cef1b7d9409 |
| SHA1 | cd85d01d59bc40696d0e7491aff9034c602651cc |
| SHA256 | 917d545c5f07512a23214da2ef661a5589d183e9851073f0f1dda0c58c2263aa |
| SHA512 | 5695f7cddb294f734a5c5005b7c20aecbafe126d9b64d41b309a201d23b4fc3eb9b67ed220ae96ccb565289ae5e41fa9773e66f51b67b82ba58879544553b8b2 |
C:\Windows\system\jLFpJtj.exe
| MD5 | 43119b90f69fa967c6853262389f9317 |
| SHA1 | 28be7ae2e11e555001cf9f871873c6909ac97243 |
| SHA256 | ffc829659135f25cbfe87cf3b3968b4263b7f04361f40c2bff3e1109adbd994d |
| SHA512 | d1d9eec03232101725b7fd2ed8a474d2500fdf97c7cc5bbc0e2b4c4abe21bb3faa6db7d22cd8e1ed0da3300f9a852b90a497b533201521bd72e91e8612dc19f9 |
memory/1956-41-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/1956-40-0x000000013F310000-0x000000013F664000-memory.dmp
memory/2640-136-0x000000013F7F0000-0x000000013FB44000-memory.dmp
memory/2664-137-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/1956-138-0x0000000002430000-0x0000000002784000-memory.dmp
memory/2160-139-0x000000013FE60000-0x00000001401B4000-memory.dmp
memory/2140-140-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/2640-141-0x000000013F7F0000-0x000000013FB44000-memory.dmp
memory/2664-142-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/1692-143-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/2792-144-0x000000013F310000-0x000000013F664000-memory.dmp
memory/2568-146-0x000000013F410000-0x000000013F764000-memory.dmp
memory/2524-145-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2680-147-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2576-148-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/2984-149-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/316-150-0x000000013F460000-0x000000013F7B4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-30 05:47
Reported
2024-06-30 05:49
Platform
win10v2004-20240508-en
Max time kernel
139s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\GvCoWqR.exe | N/A |
| N/A | N/A | C:\Windows\System\eVOkuUU.exe | N/A |
| N/A | N/A | C:\Windows\System\iePhXpQ.exe | N/A |
| N/A | N/A | C:\Windows\System\eZSfNAA.exe | N/A |
| N/A | N/A | C:\Windows\System\BhmzlRO.exe | N/A |
| N/A | N/A | C:\Windows\System\EkpeWZC.exe | N/A |
| N/A | N/A | C:\Windows\System\toCZBjl.exe | N/A |
| N/A | N/A | C:\Windows\System\jOtQOpr.exe | N/A |
| N/A | N/A | C:\Windows\System\kwCLuyS.exe | N/A |
| N/A | N/A | C:\Windows\System\frQEngP.exe | N/A |
| N/A | N/A | C:\Windows\System\VzSXKFE.exe | N/A |
| N/A | N/A | C:\Windows\System\YKeqTXz.exe | N/A |
| N/A | N/A | C:\Windows\System\iVvLEIo.exe | N/A |
| N/A | N/A | C:\Windows\System\wjMqKIO.exe | N/A |
| N/A | N/A | C:\Windows\System\MAwHRuP.exe | N/A |
| N/A | N/A | C:\Windows\System\NOkXaVb.exe | N/A |
| N/A | N/A | C:\Windows\System\yiwEQYF.exe | N/A |
| N/A | N/A | C:\Windows\System\wnTKFkl.exe | N/A |
| N/A | N/A | C:\Windows\System\ZSNFoSm.exe | N/A |
| N/A | N/A | C:\Windows\System\ibdQlYk.exe | N/A |
| N/A | N/A | C:\Windows\System\Axzfpcn.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_2d096f9b854f1fa6cd242772dd203bdc_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\GvCoWqR.exe
C:\Windows\System\GvCoWqR.exe
C:\Windows\System\eVOkuUU.exe
C:\Windows\System\eVOkuUU.exe
C:\Windows\System\iePhXpQ.exe
C:\Windows\System\iePhXpQ.exe
C:\Windows\System\eZSfNAA.exe
C:\Windows\System\eZSfNAA.exe
C:\Windows\System\BhmzlRO.exe
C:\Windows\System\BhmzlRO.exe
C:\Windows\System\EkpeWZC.exe
C:\Windows\System\EkpeWZC.exe
C:\Windows\System\toCZBjl.exe
C:\Windows\System\toCZBjl.exe
C:\Windows\System\jOtQOpr.exe
C:\Windows\System\jOtQOpr.exe
C:\Windows\System\kwCLuyS.exe
C:\Windows\System\kwCLuyS.exe
C:\Windows\System\frQEngP.exe
C:\Windows\System\frQEngP.exe
C:\Windows\System\VzSXKFE.exe
C:\Windows\System\VzSXKFE.exe
C:\Windows\System\YKeqTXz.exe
C:\Windows\System\YKeqTXz.exe
C:\Windows\System\iVvLEIo.exe
C:\Windows\System\iVvLEIo.exe
C:\Windows\System\wjMqKIO.exe
C:\Windows\System\wjMqKIO.exe
C:\Windows\System\MAwHRuP.exe
C:\Windows\System\MAwHRuP.exe
C:\Windows\System\NOkXaVb.exe
C:\Windows\System\NOkXaVb.exe
C:\Windows\System\yiwEQYF.exe
C:\Windows\System\yiwEQYF.exe
C:\Windows\System\wnTKFkl.exe
C:\Windows\System\wnTKFkl.exe
C:\Windows\System\ZSNFoSm.exe
C:\Windows\System\ZSNFoSm.exe
C:\Windows\System\ibdQlYk.exe
C:\Windows\System\ibdQlYk.exe
C:\Windows\System\Axzfpcn.exe
C:\Windows\System\Axzfpcn.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4804-0-0x00007FF71FCC0000-0x00007FF720014000-memory.dmp
memory/4804-1-0x0000015A60780000-0x0000015A60790000-memory.dmp
C:\Windows\System\GvCoWqR.exe
| MD5 | 1f4a49b60707576a87dfc2dc308b5fc8 |
| SHA1 | 185daf4779408600eb0655f5d28586f9355a4807 |
| SHA256 | 57313050f1782c77af45c81436d829aea642e5b6ee2dac90aa0134b38bae28cc |
| SHA512 | 0e20a1d453d6c6362c7c4d426f4617b4e5976aaa6e95094612f18b97101415568f1c6285c90be3a19bff5ae2e478013f3a815b46f25f5f6e8214870c38584186 |
memory/396-8-0x00007FF695E10000-0x00007FF696164000-memory.dmp
C:\Windows\System\eVOkuUU.exe
| MD5 | fb7d12f019f93f59c257560ff893067b |
| SHA1 | b70d12374e87d5a1da760d1b25e6431908063cdb |
| SHA256 | beaa9bb07459aa01cfde88a40720592a10328ea48b7bd0d24ccb40241dd0f9ab |
| SHA512 | 522db0642422a174b3ec3c5352b991a02749aa7a550a2ef62facab835db704e9c38f14d9f80e878d7cacbc694f562f57ddcfb859496cedc227fdc58050632d8e |
C:\Windows\System\iePhXpQ.exe
| MD5 | 3328b7b82713033f765c51bcc14960a5 |
| SHA1 | 2243698451d6b354d3dda0f1d86d1a36d72adfd9 |
| SHA256 | a78ecd3e477a912bce8b4eb3ab94111ece3d45de9dd1cd73d8c9eab7b0d98ce5 |
| SHA512 | 7854a7b227e2cab4d703e07a4be940158b33fb553147007f4ea50ce54a7af4a6c2a4ebc7b3e701be9a3516c7e13e17b1647d11da9f70f33036a5c978d0223399 |
memory/1476-14-0x00007FF726E80000-0x00007FF7271D4000-memory.dmp
C:\Windows\System\eZSfNAA.exe
| MD5 | f6b6d47d4383e57072085e05f7bfb992 |
| SHA1 | dedf48f3d7b362adc370692507383523b673e522 |
| SHA256 | 4c2fa74cc905ba8984297261792624bfcb25a8b3d6f72426df1fe0a028e4b417 |
| SHA512 | 0b98798e17984a7744fb29d26c5053924efa42ccdf1f07d3b2b8475a6270c2769165e72a1a716410f1b01ab9797292c621230393701d5ecaba701443840e2774 |
C:\Windows\System\BhmzlRO.exe
| MD5 | 09c7c14f7cd82f84465bc971e2a3f3b1 |
| SHA1 | 395bb0518cde0f9019114d38c5edfe3c3189330f |
| SHA256 | a8b9fafa6d324e800af7e24137bc69c2e07310327b3ce5887c450fb6f7aecf94 |
| SHA512 | b36706484d01ec6f39b6f4858e26c944661c2e8710270edafb30f38be27dc2683ff91918d17cbb7e4c92ef50156dbb049c044ea982a658664d7e2eadb5ee865c |
memory/1808-34-0x00007FF73FD20000-0x00007FF740074000-memory.dmp
memory/996-41-0x00007FF6809D0000-0x00007FF680D24000-memory.dmp
C:\Windows\System\toCZBjl.exe
| MD5 | d8291c425ef892b8f40b181ed5576de3 |
| SHA1 | 8080a1622d73f2aa3eeddd7cd30270c2d6eba7dd |
| SHA256 | 247d46d99c875460e054f3363894e74ce053b5151fbe3eea7e0a8a03a004a904 |
| SHA512 | 6667559107ffc8f25f55475f6a740211707fee0d2f126781e0bc428bdf65870e512508337187baebdee99a96fecd785d5d82e954cdf7ad905c6e8b2ba86f1965 |
C:\Windows\System\kwCLuyS.exe
| MD5 | 5e545ac31846fabce0dc18f2d526fd78 |
| SHA1 | eb86c99e6e58e35638bb11ab9e31181cc10882ec |
| SHA256 | 025521ebd603f10a3e80d049e8b1bf0f51d286161bc8bb1ea95ca991471dd13b |
| SHA512 | d275994844bbdde60adcc36e24d3f4d4c66c95d004dbff8dd60403dedb2a08dd40e8c20dac0691b684ecf0c358b74b11df244f81d0e8aa2735708a9ce939a0ed |
memory/4244-57-0x00007FF76DA00000-0x00007FF76DD54000-memory.dmp
C:\Windows\System\VzSXKFE.exe
| MD5 | a33db2cbbf41db87243393d097b213b5 |
| SHA1 | b7e95077e126b8c7dc618067a277153df4411121 |
| SHA256 | 2dadc05301b47023797153cf9ef9be2c6438b16143028f2e3569a9cc3ec67444 |
| SHA512 | bbc0294f02abbb0e1a43d286c1665a470cdcf1c467faacec228964094680b37254cef3685ac0800d55c7ca21793ad2f106a7836eaa4ee87ff7be062a90575044 |
memory/3740-68-0x00007FF778EA0000-0x00007FF7791F4000-memory.dmp
C:\Windows\System\frQEngP.exe
| MD5 | 83f7d92391fff78217b059e6b23f31f6 |
| SHA1 | cffad3f969dea5d7ed5e30b8b8214f60a9cce22f |
| SHA256 | c8cf18d8b350c6ef476e3a8c24b2519b044b3bd11424fa2a8afeb87e90244e2a |
| SHA512 | ae71adce2f099d2289b056c95a61f9078c884248a7c676b75b3e6900be9fb930b2985082d169ec73ae63b620a30f7807a114837b6a84510958c66ba3bd11d58e |
memory/4124-62-0x00007FF71C640000-0x00007FF71C994000-memory.dmp
memory/1992-54-0x00007FF7680E0000-0x00007FF768434000-memory.dmp
C:\Windows\System\jOtQOpr.exe
| MD5 | a09b23ff570d1f2263c1272915a9d822 |
| SHA1 | fe956549ff25d5d55e6e44bd61797f1383d22c41 |
| SHA256 | 2b856d39cc8f6d8483e317acb918619637cef7e243818926f52efbc71e9b4afa |
| SHA512 | e52edc49677f0e46478802a225d4a96ea821c931a9683a037d80e5fe89887eeff810ee692541034f2b24d69a863b085335b9546ea90b1b5be33f1e6c232d8d27 |
memory/3140-42-0x00007FF601690000-0x00007FF6019E4000-memory.dmp
C:\Windows\System\EkpeWZC.exe
| MD5 | 29b084df434b83fd7c8cabfa93582fe6 |
| SHA1 | 66c3669c9ed94229373b49c82cd6e916729487d0 |
| SHA256 | 1d305b5871ba79943cc6d8b3ecd0461dd6302c2d2d263453832f6a5c967bd80a |
| SHA512 | c4e6e8dc5e61c913d292d6b12ce2cc7bc21895f09f9c3e5b3c3b9b669a3a5fcdd6cca74a72b57187d7078f2fd51ccec62c0216582103df10bc635dcfb3ab884e |
memory/1440-35-0x00007FF6D9860000-0x00007FF6D9BB4000-memory.dmp
memory/4560-20-0x00007FF7F2A40000-0x00007FF7F2D94000-memory.dmp
memory/4804-74-0x00007FF71FCC0000-0x00007FF720014000-memory.dmp
memory/5016-75-0x00007FF7F9800000-0x00007FF7F9B54000-memory.dmp
C:\Windows\System\iVvLEIo.exe
| MD5 | dacc4dd5f0ec810e6fddc357074a675b |
| SHA1 | a5c0932d3aa7967f43ad8c03f6e46f4e77b67bf6 |
| SHA256 | 4d50c61fea19fea877defa60ffb9b70ee7215a3149d1e5bcbd7c1f687d7e7fb7 |
| SHA512 | 4f26b582fb5614454d6a8977e2cec29182b66f27a4224a7e6bbc5c06dfef1cc0c418b7bd08c0c85f1f1b46fe375bccff568df859d465c4ef83604eb55a998f43 |
C:\Windows\System\wjMqKIO.exe
| Hash | Value |
| --- | --- |
| MD5 | 50ca8a5e39f2b3b71a331bca7b437df3 |
| SHA1 | a58b30bad57799fa24697705156909a0a594b726 |
| SHA256 | 61a281e3277f01ca7f71b7e82a73ff79f3ac070e4f3e584467a9437ac9fb2169 |
| SHA512 | 1e06bcad48f4a2d70fc9566c7918a349a2d047d58997bb428776ba31ad5f65f07402c1776fa298432c32b2619cac955c474147e22a45d6afcf3941da6ebf0c55 |
C:\Windows\System\MAwHRuP.exe
| Hash | Value |
| --- | --- |
| MD5 | daae171eec1bd62b10824da2c16c1b53 |
| SHA1 | 5945146ada9bc3b68aacfb3a23059b694d83239f |
| SHA256 | 1cd0e27717cade15eae20eaae8e29beb1b6d1aac11ef89100b91bca32f72a28c |
| SHA512 | 2253d70bc21fade4cdda7dbfb0b477167aa1ff8d11e6a09521c219edc36f5389c6535235f14c3e06cf810db999f6be329fc9deb20323f14a79b93be9eace44ed |
memory/1476-88-0x00007FF726E80000-0x00007FF7271D4000-memory.dmp
memory/904-84-0x00007FF7E7740000-0x00007FF7E7A94000-memory.dmp
memory/396-83-0x00007FF695E10000-0x00007FF696164000-memory.dmp
C:\Windows\System\yiwEQYF.exe
| Hash | Value |
| --- | --- |
| MD5 | cba46e58b11c73c3a4f0fb457610affd |
| SHA1 | df46387adae779a16aa63066e43f37c40aa5946e |
| SHA256 | c0a26bf4a4175f7f571c9e21c489c64f0e0ec3c54afb7397936b4d504ea629b2 |
| SHA512 | fc2e4ea813f50decc3ee6573ebd1bd6089671fa646180bdf2f56385c3e4ca859bfba571adc40e29ea9467fdf902f7751818131573d1330ac0d71c15f4e49dd78 |
C:\Windows\System\wnTKFkl.exe
| Hash | Value |
| --- | --- |
| MD5 | f8872188489f59784d23b8abea4b1ed8 |
| SHA1 | 0697f539d03a203a3b2d7c4b7a8c177d28cfbe90 |
| SHA256 | 6888ef34e2a0b64c16dab0d946903432e8c7ce7e66f83e09fc656e0bb23c9b3b |
| SHA512 | f2b70bb5a79ac63826dd6831e6a61ba2ff2ec1a0002ade4f18c7c35ac5e73d89ec6975eee6f57979a79bd0ddc2a1458e7b1fa3bfbce4388541e9c2b271fd8641 |
C:\Windows\System\Axzfpcn.exe
| Hash | Value |
| --- | --- |
| MD5 | 606ea2f6025c724dbbc0e1d29cbae871 |
| SHA1 | 7670264e18e6d69b5d89766ac6df368cbf718601 |
| SHA256 | d5c000c476489809ef9377935818bc183457ef72fb36aab28320ed53c965b0c2 |
| SHA512 | f3be7e82a5b85905e95b54da60ef520f0de41fadb337be4943891a55109b64a87c6daa134553b5404abd9f1fa550d538f51f0bace19e822cf918831066cccfba |
C:\Windows\System\ibdQlYk.exe
| Hash | Value |
| --- | --- |
| MD5 | 5253520e9f8977a20226035712c2ac7b |
| SHA1 | dce71fb886bb49ccc7a0f5c2906c889b88ea31b9 |
| SHA256 | c74a5478066c637ed73a4ee34bf9b76da667abf1133572acb7736a939ed62d2e |
| SHA512 | 2a731395a65ad7eded8e77491323240393e07042e84ac82afaae2c77927d01c465166d13d0164741fd7d1939e57fb888d53ab63e27f6724198d8436cc5204566 |
C:\Windows\System\ZSNFoSm.exe
| Hash | Value |
| --- | --- |
| MD5 | b5b7dbec1e1c751e614978a49eec1a59 |
| SHA1 | 484e3416dbfdb92339d627a6c327cff14666210d |
| SHA256 | 0ea3043005de97c431484e577def089d7f03e38d1c710e0c13771b3b8570be96 |
| SHA512 | e92a0e48ded429b8db2e6c13d4b4f82afe186ab8d801e8a56d1693a146182f8b97e3be785cba14ba08123e7b3ec84ad3c330481801c80eff282179b9f880d0a7 |
C:\Windows\System\NOkXaVb.exe
| Hash | Value |
| --- | --- |
| MD5 | 4e5f82a7dd34d5d6cf566853d8a53084 |
| SHA1 | 8309f933e9754794959529f1d8972c4c6f069d9d |
| SHA256 | 3906e0085b1a7cec0a77082790607ea4cd40c1a546173627f5285cc10a045444 |
| SHA512 | bcb55b8bd8ee76447fcf4775e21cd8efb472428e9139e484fb50d8612e1eb883ff2419370eb259ce21978e25035fc2fe972f4978d8cad562cc869abfef0571a5 |
C:\Windows\System\YKeqTXz.exe
| Hash | Value |
| --- | --- |
| MD5 | 4ea2c12075c85933a393825fafb6f4a4 |
| SHA1 | c681dd9d8fbc096e784cf11f4adde765abe33663 |
| SHA256 | ff915efa4dfed7f33a5a8151847364bb2a0e42fd8b1fe07e84e3f67efcfd7183 |
| SHA512 | e0ca2dcb1702eeaaea0760ce5e46019241282c51b416835229b367e8eddef5350494dfdfba5e08b2e1bdea9150c6c095a7376e50f1dfb83064c52e0f32d63299 |
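The dropped-file and memory-dump entries in this report are only useful once they are in a structured form. The Python script below is an added example written for this page; it is not part of the sandbox report or of any tool the report names. It parses the listing format used here (a `C:\...` path followed by `| MD5 | ... |` style hash rows, interleaved with `memory/<pid>-<index>-0x<base>-0x<end>-memory.dmp` lines), validates that each digest has the length its algorithm requires, collects the SHA256 values as a blocklist, flags paths that follow the seven-letter mixed-case naming the sample uses under `C:\Windows\System`, and groups memory regions by mapped size. The sample input is a constructed excerpt of two file entries and three memory entries copied from this listing; the random-name pattern is an assumption drawn from the paths shown on this page, not a documented property of the family.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: two dropped-file entries and three memory-dump
# entries copied from this report's listing (not the complete listing).
SAMPLE_LISTING = """\
C:\\Windows\\System\\jOtQOpr.exe
| MD5 | a09b23ff570d1f2263c1272915a9d822 |
| SHA1 | fe956549ff25d5d55e6e44bd61797f1383d22c41 |
| SHA256 | 2b856d39cc8f6d8483e317acb918619637cef7e243818926f52efbc71e9b4afa |
| SHA512 | e52edc49677f0e46478802a225d4a96ea821c931a9683a037d80e5fe89887eeff810ee692541034f2b24d69a863b085335b9546ea90b1b5be33f1e6c232d8d27 |
memory/3140-42-0x00007FF601690000-0x00007FF6019E4000-memory.dmp
C:\\Windows\\System\\EkpeWZC.exe
| MD5 | 29b084df434b83fd7c8cabfa93582fe6 |
| SHA1 | 66c3669c9ed94229373b49c82cd6e916729487d0 |
| SHA256 | 1d305b5871ba79943cc6d8b3ecd0461dd6302c2d2d263453832f6a5c967bd80a |
| SHA512 | c4e6e8dc5e61c913d292d6b12ce2cc7bc21895f09f9c3e5b3c3b9b669a3a5fcdd6cca74a72b57187d7078f2fd51ccec62c0216582103df10bc635dcfb3ab884e |
memory/1440-35-0x00007FF6D9860000-0x00007FF6D9BB4000-memory.dmp
memory/1440-131-0x00007FF6D9860000-0x00007FF6D9BB4000-memory.dmp
"""

# Expected hex-digest lengths; a row that does not match is a transcription error.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_LINE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)


@dataclass
class MemoryRegion:
    pid: int     # process the dump was taken from
    index: int   # sandbox sequence number for the dump
    base: int    # start of the mapped range
    end: int     # end of the mapped range (exclusive)

    @property
    def size(self) -> int:
        return self.end - self.base


def parse_listing(text: str):
    """Return (dropped files, memory regions) parsed from a report listing."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_LINE.match(line):
            current = DroppedFile(path=line)
            files.append(current)
            continue
        m = HASH_ROW.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError(f"hash row before any file path: {line}")
            if len(digest) != DIGEST_LEN[algo]:
                raise ValueError(f"bad {algo} length for {current.path}")
            current.hashes[algo] = digest
            continue
        if line.startswith("|"):
            continue  # table header or separator row: carries no indicator
        m = MEM_LINE.match(line)
        if m:
            pid, idx, base, end = m.groups()
            regions.append(MemoryRegion(int(pid), int(idx), int(base, 16), int(end, 16)))
            continue
        raise ValueError(f"unrecognised line: {line}")
    return files, regions


def sha256_blocklist(files) -> list:
    """Sorted, de-duplicated SHA256 values suitable for a hash blocklist."""
    return sorted({f.hashes["SHA256"] for f in files if "SHA256" in f.hashes})


def random_name_paths(files, directory="C:\\Windows\\System\\") -> list:
    """Paths matching the seven-letter mixed-case names written directly into
    the given directory (an assumption drawn from this report's listing)."""
    pat = re.compile(r"^" + re.escape(directory) + r"[A-Za-z]{7}\.exe$")
    return [f.path for f in files if pat.match(f.path)]


def regions_by_size(regions) -> dict:
    """Map mapped-region size to the sorted PIDs that mapped a region of that size."""
    out = {}
    for r in regions:
        out.setdefault(r.size, set()).add(r.pid)
    return {size: sorted(pids) for size, pids in out.items()}


if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE_LISTING)
    for f in files:
        print(f.path, f.hashes["SHA256"])
    for size, pids in regions_by_size(regions).items():
        print(f"0x{size:x} bytes mapped in PIDs {pids}")
```

Run against the full listing, the size grouping shows that every memory region on this page spans 0x354000 bytes, which is consistent with the same image being mapped in each of the dropped processes; the seven-letter names under `C:\Windows\System` are the other property worth turning into a file-creation detection.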
memory/3820-123-0x00007FF605E80000-0x00007FF6061D4000-memory.dmp
memory/2880-125-0x00007FF7A9540000-0x00007FF7A9894000-memory.dmp
memory/5012-124-0x00007FF7C2C00000-0x00007FF7C2F54000-memory.dmp
memory/3100-126-0x00007FF62A020000-0x00007FF62A374000-memory.dmp
memory/5080-127-0x00007FF6D6540000-0x00007FF6D6894000-memory.dmp
memory/1560-130-0x00007FF6319E0000-0x00007FF631D34000-memory.dmp
memory/2088-129-0x00007FF6F5080000-0x00007FF6F53D4000-memory.dmp
memory/456-128-0x00007FF7FC800000-0x00007FF7FCB54000-memory.dmp
memory/1440-131-0x00007FF6D9860000-0x00007FF6D9BB4000-memory.dmp
memory/4244-133-0x00007FF76DA00000-0x00007FF76DD54000-memory.dmp
memory/3140-132-0x00007FF601690000-0x00007FF6019E4000-memory.dmp
memory/4124-134-0x00007FF71C640000-0x00007FF71C994000-memory.dmp
memory/3740-135-0x00007FF778EA0000-0x00007FF7791F4000-memory.dmp
memory/396-136-0x00007FF695E10000-0x00007FF696164000-memory.dmp
memory/1476-137-0x00007FF726E80000-0x00007FF7271D4000-memory.dmp
memory/4560-138-0x00007FF7F2A40000-0x00007FF7F2D94000-memory.dmp
memory/1808-139-0x00007FF73FD20000-0x00007FF740074000-memory.dmp
memory/996-140-0x00007FF6809D0000-0x00007FF680D24000-memory.dmp
memory/1440-141-0x00007FF6D9860000-0x00007FF6D9BB4000-memory.dmp
memory/3140-142-0x00007FF601690000-0x00007FF6019E4000-memory.dmp
memory/1992-143-0x00007FF7680E0000-0x00007FF768434000-memory.dmp
memory/4244-144-0x00007FF76DA00000-0x00007FF76DD54000-memory.dmp
memory/3740-145-0x00007FF778EA0000-0x00007FF7791F4000-memory.dmp
memory/4124-146-0x00007FF71C640000-0x00007FF71C994000-memory.dmp
memory/5016-147-0x00007FF7F9800000-0x00007FF7F9B54000-memory.dmp
memory/904-148-0x00007FF7E7740000-0x00007FF7E7A94000-memory.dmp
memory/3820-150-0x00007FF605E80000-0x00007FF6061D4000-memory.dmp
memory/1560-149-0x00007FF6319E0000-0x00007FF631D34000-memory.dmp
memory/5012-151-0x00007FF7C2C00000-0x00007FF7C2F54000-memory.dmp
memory/2880-152-0x00007FF7A9540000-0x00007FF7A9894000-memory.dmp
memory/3100-153-0x00007FF62A020000-0x00007FF62A374000-memory.dmp
memory/5080-154-0x00007FF6D6540000-0x00007FF6D6894000-memory.dmp
memory/2088-155-0x00007FF6F5080000-0x00007FF6F53D4000-memory.dmp
memory/456-156-0x00007FF7FC800000-0x00007FF7FCB54000-memory.dmp