Analysis Overview
SHA256
51cd37ff6337188ad601474243d43fa854b5d299b6b3c19a26751b281f4d664f
Threat Level: Known bad
The file 2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
Cobaltstrike family
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-05 12:42
Signatures
Cobalt Strike reflective loader
(1 match; description, indicator, process and target not recorded in this export)
Cobaltstrike family
XMRig Miner payload
(1 match; description, indicator, process and target not recorded in this export)
Xmrig family
UPX packed file
(1 match; description, indicator, process and target not recorded in this export)
Unsigned PE
(2 matches; description, indicator, process and target not recorded in this export)
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-05 12:42
Reported
2024-08-05 12:45
Platform
win7-20240729-en
Max time kernel
141s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
(21 matches; description, indicator, process and target not recorded in this export)
Cobaltstrike
xmrig
XMRig Miner payload
(41 matches; description, indicator, process and target not recorded in this export)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\AxFqRpA.exe | N/A |
| N/A | N/A | C:\Windows\System\tpovEmE.exe | N/A |
| N/A | N/A | C:\Windows\System\SKaQsHR.exe | N/A |
| N/A | N/A | C:\Windows\System\kCEBmvw.exe | N/A |
| N/A | N/A | C:\Windows\System\qWrdvxd.exe | N/A |
| N/A | N/A | C:\Windows\System\amAyrjH.exe | N/A |
| N/A | N/A | C:\Windows\System\deNJVtU.exe | N/A |
| N/A | N/A | C:\Windows\System\GSEjQud.exe | N/A |
| N/A | N/A | C:\Windows\System\GseQBBk.exe | N/A |
| N/A | N/A | C:\Windows\System\wXrFXMm.exe | N/A |
| N/A | N/A | C:\Windows\System\cBExyJs.exe | N/A |
| N/A | N/A | C:\Windows\System\wSfrXDs.exe | N/A |
| N/A | N/A | C:\Windows\System\XpdNWbL.exe | N/A |
| N/A | N/A | C:\Windows\System\cAqfCMh.exe | N/A |
| N/A | N/A | C:\Windows\System\ijkhlSq.exe | N/A |
| N/A | N/A | C:\Windows\System\PxnTuYe.exe | N/A |
| N/A | N/A | C:\Windows\System\mSdpExi.exe | N/A |
| N/A | N/A | C:\Windows\System\QXQtrPo.exe | N/A |
| N/A | N/A | C:\Windows\System\SYAIKwk.exe | N/A |
| N/A | N/A | C:\Windows\System\PiSXnIL.exe | N/A |
| N/A | N/A | C:\Windows\System\TEDhLPB.exe | N/A |
Loads dropped DLL
UPX packed file
(63 matches; description, indicator, process and target not recorded in this export)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
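The two signatures in this run that carry concrete data are "Executes dropped EXE" (21 payloads launched from C:\Windows\System\ under 7-letter random names, all children of the dropper running from %TEMP%) and "Suspicious use of AdjustPrivilegeToken" (the dropper enabling SeLockMemoryPrivilege, the "Lock Pages in Memory" right that XMRig requests to use large pages). The script below is an added example, not part of this sandbox report, showing how both behaviours can be matched over process-creation and token-adjust events and how the dropper's fan-out (one parent spawning many such payloads) can be scored. The event field names (`type`, `image`, `parent_image`, `privilege`), the sample events and the SQL Server allowlist entry are assumptions; the paths mirror the report's layout.

```python
r"""Detection logic for the behaviours flagged above: payloads executed from
C:\Windows\System\<7 letters>.exe by a dropper in %TEMP%, and an unexpected
process enabling SeLockMemoryPrivilege. Added example, not part of the report;
the event dicts and the sample events below are constructed."""
import re
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, str]

# Every payload in the report is a 7-letter mixed-case name directly under
# C:\Windows\System\ (AxFqRpA.exe, tpovEmE.exe, ...), not System32.
DROPPED_IMAGE = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.I)
# The dropper itself ran from the user's %TEMP% directory.
TEMP_IMAGE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
MINER_PRIV = "SeLockMemoryPrivilege"
# Processes allowed to enable Lock Pages in Memory; SQL Server is the usual
# legitimate user. Assumed allowlist entry: tune it for your estate.
LOCK_MEMORY_ALLOWLIST = {
    r"c:\program files\microsoft sql server\mssql\binn\sqlservr.exe",
}


def classify(ev: Event) -> List[str]:
    """Return the rule names an event trips (empty list if none)."""
    hits: List[str] = []
    image = ev.get("image", "").lower()
    if ev.get("type") == "process_create":
        parent = ev.get("parent_image", "").lower()
        if DROPPED_IMAGE.match(image) and TEMP_IMAGE.match(parent):
            hits.append("dropped_exe_under_windows_system")
    elif ev.get("type") == "token_adjust":
        if ev.get("privilege") == MINER_PRIV and image not in LOCK_MEMORY_ALLOWLIST:
            hits.append("lock_memory_privilege_unexpected_process")
    return hits


def scan(events: Iterable[Event]) -> List[Tuple[str, str]]:
    """(event id, rule) pairs for every rule tripped, in event order."""
    return [(ev["id"], rule) for ev in events for rule in classify(ev)]


def dropper_fanout(events: Iterable[Event], threshold: int) -> Dict[str, int]:
    """Parents that launched at least `threshold` distinct dropped payloads.
    The dropper in this report launched 21 within the 150 s window."""
    children: Dict[str, set] = {}
    for ev in events:
        if ev.get("type") != "process_create":
            continue
        image = ev.get("image", "").lower()
        parent = ev.get("parent_image", "").lower()
        if DROPPED_IMAGE.match(image):
            children.setdefault(parent, set()).add(image)
    return {p: len(c) for p, c in children.items() if len(c) >= threshold}


# Constructed events (not taken from the report); paths mirror its layout.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe"
SAMPLE_EVENTS: List[Event] = [
    {"id": "e1", "type": "process_create", "image": r"C:\Windows\System\AxFqRpA.exe", "parent_image": DROPPER},
    {"id": "e2", "type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"id": "e3", "type": "token_adjust", "image": DROPPER, "privilege": MINER_PRIV},
    {"id": "e4", "type": "token_adjust", "privilege": MINER_PRIV,
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"},
    {"id": "e5", "type": "process_create", "image": r"C:\Windows\System\tpovEmE.exe", "parent_image": DROPPER},
    {"id": "e6", "type": "process_create", "image": r"C:\Windows\System\AxFqRpA.exe", "parent_image": DROPPER},
]

if __name__ == "__main__":
    for event_id, rule in scan(SAMPLE_EVENTS):
        print(event_id, rule)
    print(dropper_fanout(SAMPLE_EVENTS, threshold=2))
```

On the sample events this flags e1, e5 and e6 (dropped payloads), e3 (the dropper taking SeLockMemoryPrivilege) and nothing for the allowlisted SQL Server process; the fan-out check reports the dropper with two distinct payload images. Re-launches of the same payload count once, so the threshold measures distinct dropped files rather than restarts.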
Processes
| Process image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\AxFqRpA.exe | C:\Windows\System\AxFqRpA.exe |
| C:\Windows\System\tpovEmE.exe | C:\Windows\System\tpovEmE.exe |
| C:\Windows\System\SKaQsHR.exe | C:\Windows\System\SKaQsHR.exe |
| C:\Windows\System\kCEBmvw.exe | C:\Windows\System\kCEBmvw.exe |
| C:\Windows\System\qWrdvxd.exe | C:\Windows\System\qWrdvxd.exe |
| C:\Windows\System\amAyrjH.exe | C:\Windows\System\amAyrjH.exe |
| C:\Windows\System\deNJVtU.exe | C:\Windows\System\deNJVtU.exe |
| C:\Windows\System\GSEjQud.exe | C:\Windows\System\GSEjQud.exe |
| C:\Windows\System\GseQBBk.exe | C:\Windows\System\GseQBBk.exe |
| C:\Windows\System\wXrFXMm.exe | C:\Windows\System\wXrFXMm.exe |
| C:\Windows\System\cBExyJs.exe | C:\Windows\System\cBExyJs.exe |
| C:\Windows\System\wSfrXDs.exe | C:\Windows\System\wSfrXDs.exe |
| C:\Windows\System\XpdNWbL.exe | C:\Windows\System\XpdNWbL.exe |
| C:\Windows\System\cAqfCMh.exe | C:\Windows\System\cAqfCMh.exe |
| C:\Windows\System\ijkhlSq.exe | C:\Windows\System\ijkhlSq.exe |
| C:\Windows\System\PxnTuYe.exe | C:\Windows\System\PxnTuYe.exe |
| C:\Windows\System\mSdpExi.exe | C:\Windows\System\mSdpExi.exe |
| C:\Windows\System\QXQtrPo.exe | C:\Windows\System\QXQtrPo.exe |
| C:\Windows\System\SYAIKwk.exe | C:\Windows\System\SYAIKwk.exe |
| C:\Windows\System\PiSXnIL.exe | C:\Windows\System\PiSXnIL.exe |
| C:\Windows\System\TEDhLPB.exe | C:\Windows\System\TEDhLPB.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2208-0-0x000000013FBC0000-0x000000013FF11000-memory.dmp
memory/2208-1-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/2180-8-0x000000013F3C0000-0x000000013F711000-memory.dmp
memory/2208-12-0x0000000002480000-0x00000000027D1000-memory.dmp
memory/1264-14-0x000000013FAD0000-0x000000013FE21000-memory.dmp
C:\Windows\system\tpovEmE.exe
| MD5 | 28d76122c5c11892f574cece62ae3bc9 |
| SHA1 | 3d918635cbe8b76a8319fd9126dd8540b937da13 |
| SHA256 | 71853efadda01f4da1035cb2f8913eb8f596570271e4de154cc64ea6a5964337 |
| SHA512 | 5d9f44838017eb7aa8f49385e8c8b1350e9f348da2dedbdb3c5d3cbcc88d49473534cd898d63a76392a0d2350f67b7249bfc2de3a4bb719451cff6fd56dda8ff |
C:\Windows\system\SKaQsHR.exe
| MD5 | c16f033f18a0f435e2d2b29e67196bd5 |
| SHA1 | 2b6ed4c9092262926f3fc1fab71cd9b88cc32788 |
| SHA256 | 84436d5c26f1417e4681bca77ae2146f21fbd32663d31d4d9e67bf251fdf51ba |
| SHA512 | 3f28f9f35abfe06bc7743a7d7ef12436de832a72077585fc6c334f3f0f13aaccf0b73393d7ed69a996dd94bfac66065cb4ecf1d29e73d170d857c4efd12f5eb5 |
C:\Windows\system\AxFqRpA.exe
| MD5 | 303be004ca833c7889901ac36a1ed38d |
| SHA1 | bfd3842511217218455c349f7028c2c1141a200e |
| SHA256 | daf99014f205f218a35a6bb8f8bd082e7af4a9b90057780b7d0dbb62fbb75ec7 |
| SHA512 | 8d95ce6ae34a78c2b6b0f3b2037d49b882047e80c2951aad30fa2a3486ab3cb4e2f04796486821a8a0f074a2c9284c27690559004a28e8393b7adbcf685d1fca |
memory/2720-22-0x000000013F380000-0x000000013F6D1000-memory.dmp
memory/2208-19-0x000000013F380000-0x000000013F6D1000-memory.dmp
C:\Windows\system\XpdNWbL.exe
| MD5 | 4ae06478e410d3478f4a17148e36e47b |
| SHA1 | 368bf265b2f0680659117f1f266b903519d813c3 |
| SHA256 | e50cf0efb815919876d20f67e01f3726a39d8a3953123635cff8a5c8cc643b12 |
| SHA512 | 3521488c176a11cc734a4f9bc052e2d18403fd365f01c9d8f8c89e5ebbf62530e18bc0d60031fda707211e726989bc6b1cb9f962617afb9b95fde992bb98d56b |
C:\Windows\system\wSfrXDs.exe
| MD5 | 991435bd50a54cc69049355c40b169dd |
| SHA1 | 402ddbe9251de78eced31087c326488305aa3b51 |
| SHA256 | d852e945f13c772e8bed95ba520d65331629e832d745f5e4740d9505345565e5 |
| SHA512 | 10e275940ecf23b0f94ec3d3d25d5bfd9d6d53e4d4cdd322cf5d829d79dce70b42c0f597a64e7a8400530a92ee05febfefa9aed3e42db9a492b64ca435af1ae3 |
C:\Windows\system\wXrFXMm.exe
| MD5 | 881c41f351c8a04ea71cbe806cfb0f1a |
| SHA1 | d2fff83801f456e9d8702e78cb8e5f8a99ff61e9 |
| SHA256 | e00d60b6551a315257723eade156eaa837cf9dccc81d6624ae0cffceb51451dc |
| SHA512 | 67815095258a1a49ef23489a22ce5befa60aa92f69e85d827a274be650694ab7a03610331876290ade0abee3d9911a442b72fe9c0f8ce5951bbd6b54844e79c0 |
C:\Windows\system\cBExyJs.exe
| MD5 | e004efe269a0ac57cdb6cf10b66fbe65 |
| SHA1 | eeb2f5e71ea4c8a36f6d56326c1c7285c317e8bc |
| SHA256 | 6e589746aa63ef6655cb31d75c134ebcb431b090c558714a7eee34d68d18f9c9 |
| SHA512 | 276800c031d25b7ff7c2ab936050e6e22a4721d1781d41ba58f9cceb402d9592a759ba1cfe4d6745f2f7abf26aa8e592a9b9121418cf5dc3cd909e11e9636980 |
C:\Windows\system\GSEjQud.exe
| MD5 | b90c1d6329bd4f371de0d2ab5cf3df9a |
| SHA1 | 159f44a542fca1b668a26e2c780e8e36d514492b |
| SHA256 | f2352968d24b0b1af160b4fd88bd59c30c8abcbba80fab29cb23b664bf624024 |
| SHA512 | 02f2064e9998b651d883547610662267a0c6d7aa1a8fc435e0c4363b2bbe317bedf9963ae024a286ac342ae80ddb0bd7b316cea68156e8a5b4d4c3a6852a1db1 |
C:\Windows\system\GseQBBk.exe
| MD5 | e1abd9509725f05ed0a544f5026a3952 |
| SHA1 | 13ebf8b39ef802d6936a5d0faa5e8c0b2e63cb2e |
| SHA256 | 5bd40ad12c66d727ab42bcf5c569d64d3709630b8afeb52cf7b099603645ee36 |
| SHA512 | 1b5324ec3a80104385d25212adba5e913645e3376d24b98caec1de590a5ea053cce2e77c02ec5119eb5f49434ac6c400c68f6f5358600d4a8e24a2b80d4ac2b8 |
C:\Windows\system\deNJVtU.exe
| MD5 | 9f7aef3cb0ccc37d6362a5b16ea1f1fa |
| SHA1 | 9692d7ef331b1c7cb66420098849c78977d88363 |
| SHA256 | a4d6c270c5982834f20e36133f41d19b032732fee86a4cdf75b1f072f9657b24 |
| SHA512 | ac202f9ce8e3ded8b45b9daf5064df3dd00a95ce7624a17bd186b7a6852b59bfbd5998f2b8a5fb3eb96d8ad0ca15de18a84ddbe71631778b11b213bad5c8a694 |
C:\Windows\system\amAyrjH.exe
| MD5 | 3fdf3d256b10e97c52f98665fa057d00 |
| SHA1 | 043b5fc5b9d6a22889014fefe9a0fda8f572f94c |
| SHA256 | 56177327393a5ec6f548e09fc095d3b3d48f7694cb21a0aa128cfc1cd4dbf36d |
| SHA512 | daa58670e5730a7a62917cc68bf73172925cd1a79190453f507c75fefe32616668b8bc43e6e51c60cc68a21a272adaf7d45274b3877dea0292ee705f7e955b0f |
C:\Windows\system\qWrdvxd.exe
| MD5 | d67c6ca6d35b377d57d0e633a98f4410 |
| SHA1 | 4ddbfa10ce9ef73e41ceb764a4cbcf70e36734a2 |
| SHA256 | dc9c227b909e309e842487c064747523ce643966ca93af469608aeeaa4d34eb3 |
| SHA512 | 442f94cfe89e6ff45499105d4b1ebdcc68de203868f7be011af1be54e2ba63f7408f020a11820a469817d23908eb7196eaa48f904c35dd65e85c9355c39794ff |
memory/2780-28-0x000000013F670000-0x000000013F9C1000-memory.dmp
memory/2208-27-0x000000013F670000-0x000000013F9C1000-memory.dmp
C:\Windows\system\kCEBmvw.exe
| MD5 | 84d92db4efb83c8fbc9a26bdf9dbf1ce |
| SHA1 | 7f82e446feaf0232c9f1ad56c3cdec6035ad3d42 |
| SHA256 | 0ba5c858f28c9b8b8762be1bffaf0b99bb3aa53fe71f05192c5f7b4c588e2ee8 |
| SHA512 | 6223b3a934dc815b5491013347ed9e0409dad5688cccb56be924e212726a4982620b089aa795e51289b3485fb9037757520886234d589e89237e19189de0d58e |
memory/2844-86-0x000000013F7B0000-0x000000013FB01000-memory.dmp
memory/2208-85-0x000000013F7B0000-0x000000013FB01000-memory.dmp
memory/2628-98-0x000000013F540000-0x000000013F891000-memory.dmp
memory/2208-97-0x000000013F540000-0x000000013F891000-memory.dmp
memory/2208-106-0x0000000002480000-0x00000000027D1000-memory.dmp
memory/2916-105-0x000000013FD10000-0x0000000140061000-memory.dmp
memory/2208-104-0x0000000002480000-0x00000000027D1000-memory.dmp
memory/1972-103-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/2208-102-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/328-101-0x000000013F770000-0x000000013FAC1000-memory.dmp
memory/2208-100-0x000000013F770000-0x000000013FAC1000-memory.dmp
\Windows\system\PxnTuYe.exe
| MD5 | a431e3ab0439eff11b1da93924973e93 |
| SHA1 | 847e9fb879a92130c6e13dc72cd921042536b066 |
| SHA256 | e046ba8f5636f02c36c72385d979581b33ca4bff21823638814f6b170bd536b7 |
| SHA512 | 0c0569981497767b41e63ff6e25416ebf46669917eb54f469290ffcdc9a1ecdc729b1a6598f29c11d2f96a18bc5a7c227103845e41a8364290072e97c428da50 |
memory/2568-96-0x000000013FA90000-0x000000013FDE1000-memory.dmp
memory/2208-95-0x0000000002480000-0x00000000027D1000-memory.dmp
memory/2740-94-0x000000013F820000-0x000000013FB71000-memory.dmp
memory/2208-93-0x000000013F820000-0x000000013FB71000-memory.dmp
memory/2248-92-0x000000013FDA0000-0x00000001400F1000-memory.dmp
memory/2208-91-0x0000000002480000-0x00000000027D1000-memory.dmp
memory/2936-90-0x000000013F050000-0x000000013F3A1000-memory.dmp
memory/2208-89-0x000000013F050000-0x000000013F3A1000-memory.dmp
memory/2688-88-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
memory/2208-87-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
C:\Windows\system\ijkhlSq.exe
| MD5 | 686aba5bee1ab1106d8475c8eaaadfb6 |
| SHA1 | 3e65bd88f02d3efd50dbcbe9484c6e1e0ce1c48a |
| SHA256 | b859f60ac1d20625bc882829e811f40552d7b9190bb7313f8ca787249b0abe9e |
| SHA512 | ae5d0d6d2cce63e14e262fa0b07546da9232110b2b1a8b62a6df11c508bb816203895e16d2003ba96fa6dcd2cb66797a7e65932a382a3be081d48fbc5fba00cf |
C:\Windows\system\cAqfCMh.exe
| MD5 | 64a6582ca93681ca0b8d8b4658349f4f |
| SHA1 | cdcc8c643fbdfcf005848999bf85585d488a479f |
| SHA256 | a0229d5321f499d9285675babaddf7c94a05e6131b904733b050b964e01ab662 |
| SHA512 | 7dc05ace00c29ef589549f6d2e88d842ac4136a7d41df242c42cb68c9e2a021c24d807b88fa645e4f8f88951513c7032dd6a473042d83cc6a61fb932bc65cdce |
C:\Windows\system\mSdpExi.exe
| MD5 | ada2e921859b8461422731e10a6a66c1 |
| SHA1 | f7694f2d9ca490d6777ec22dbb5072e7f1b29c91 |
| SHA256 | 34d62568cdc609453d3032797aa4c7ad9ab806b34a06a846e4ef090b7141bdd4 |
| SHA512 | 1738f7874341bbd84c2513217edb4a6bbd8c41f56e6e11f00bfb2c1dac4db1a4a25965389138244035a60c7529771e241e78a03016b4cd26c528fd8a7ea3cd33 |
C:\Windows\system\SYAIKwk.exe
| MD5 | 355399ae3dd1f3fc03e293b8f34b66c9 |
| SHA1 | f409926268a95bae42228f3402c9794c54dd8072 |
| SHA256 | e86df49d0f12eb862094f42e7384bc3d6a3e7ae785315affc27e11922a923ceb |
| SHA512 | 8c20e6adbff3e797129b3cbc3ede79e5dce45e49e7d0a35ae639e2a4aeedef7a88d547c0a86c5eebf033e16f8cdc8b2813f11ee48c3d5bcad93755c1f36019f6 |
C:\Windows\system\PiSXnIL.exe
| MD5 | 5a8fd82b9eb585b3edfd9ebbe71c3d51 |
| SHA1 | d8035f3eb425ea391ac871e7989d35336eb417c4 |
| SHA256 | 079fdf478f7448831a31a056bc3fe41f03da426eaa028a5e278d2582c82ec8f2 |
| SHA512 | 3ef2bcc6d8b8c0f11d14ec3d0b2754914c3a66dbfd3d97fc4f45c5ac58edf922452f9e6c472c53ab781a166b653363642af6019cb0a662173845a100b3547458 |
C:\Windows\system\TEDhLPB.exe
| MD5 | 5ad7a0a8bffa9b2d3f83cf2387fd94be |
| SHA1 | 6f543806e958c65e28ab2c6653d49a1647891c5d |
| SHA256 | f14be995a1992b3a982e2af124d15bdb711f42b9f5e6528c6506bebc5516af70 |
| SHA512 | 778d43c3461bb4915934b723f5b352573bf2838feee950158e458a2c51adbef82e38e598c431af2cd12c0d87d04db8e7071b707346785cda678b577f17dbed62 |
C:\Windows\system\QXQtrPo.exe
| MD5 | 22d6bebd88004616a069496bb1d916ab |
| SHA1 | 016f8021f684b06bad822df63a1cb45ee83e818c |
| SHA256 | 8c8af0a6c3287691eb85b88da1d648b88cb1737d146021945aa1147941009e7a |
| SHA512 | 41800466376eac5b0b58cc25ae43cde9f93ad38a8ad0b2b416a4869e32792080082d959f0c812bc7835ce625fa445b1627fa4541e6c5f61cff3b69f725ed5e98 |
memory/2208-135-0x000000013FBC0000-0x000000013FF11000-memory.dmp
memory/2208-136-0x000000013FBC0000-0x000000013FF11000-memory.dmp
memory/2776-152-0x000000013F9C0000-0x000000013FD11000-memory.dmp
memory/2780-140-0x000000013F670000-0x000000013F9C1000-memory.dmp
memory/2720-139-0x000000013F380000-0x000000013F6D1000-memory.dmp
memory/2512-151-0x000000013FC20000-0x000000013FF71000-memory.dmp
memory/1264-138-0x000000013FAD0000-0x000000013FE21000-memory.dmp
memory/2208-153-0x0000000002480000-0x00000000027D1000-memory.dmp
memory/880-156-0x000000013F050000-0x000000013F3A1000-memory.dmp
memory/920-158-0x000000013F530000-0x000000013F881000-memory.dmp
memory/2184-155-0x000000013F720000-0x000000013FA71000-memory.dmp
memory/2908-154-0x000000013F560000-0x000000013F8B1000-memory.dmp
memory/2620-157-0x000000013FF80000-0x00000001402D1000-memory.dmp
memory/2208-159-0x000000013FBC0000-0x000000013FF11000-memory.dmp
memory/2180-207-0x000000013F3C0000-0x000000013F711000-memory.dmp
memory/1264-210-0x000000013FAD0000-0x000000013FE21000-memory.dmp
memory/2720-211-0x000000013F380000-0x000000013F6D1000-memory.dmp
memory/2780-213-0x000000013F670000-0x000000013F9C1000-memory.dmp
memory/2844-215-0x000000013F7B0000-0x000000013FB01000-memory.dmp
memory/2688-217-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
memory/2936-219-0x000000013F050000-0x000000013F3A1000-memory.dmp
memory/2248-221-0x000000013FDA0000-0x00000001400F1000-memory.dmp
memory/2740-223-0x000000013F820000-0x000000013FB71000-memory.dmp
memory/2568-225-0x000000013FA90000-0x000000013FDE1000-memory.dmp
memory/2628-227-0x000000013F540000-0x000000013F891000-memory.dmp
memory/328-229-0x000000013F770000-0x000000013FAC1000-memory.dmp
memory/1972-231-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/2916-233-0x000000013FD10000-0x0000000140061000-memory.dmp
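The Files section above lists the dropped executables with a full hash set each, interleaved with memory dumps named by PID and address range. Two things in it are worth checking mechanically rather than by eye: the dropped files that appear in both the win7 and win10 runs carry identical hashes (the dropper writes the same bytes regardless of platform), and every dumped region is 0x351000 bytes (for example 0x13FBC0000 to 0x13FF11000 and 0x7FF687200000 to 0x7FF687551000) apart from one 0x10000 block in the dropper process. The parser below is an added example, not part of the sandbox report; the two excerpts are copied from the tables above, and the function names are this example's own.

```python
r"""IOC extraction from the report's 'Files' section. Added example, not part
of the sandbox report. WIN7_EXCERPT and WIN10_EXCERPT are copied from the
report's tables; everything else is this example's own."""
import re
from typing import Dict, List, Optional, Tuple

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
MEM_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

Hashes = Dict[str, Dict[str, str]]   # lower-cased path -> {algo: hex digest}
Region = Tuple[int, int, int]        # (pid, start, end)


def parse_files(text: str) -> Tuple[Hashes, List[Region]]:
    """Split a Files section into per-path hash sets and dumped regions."""
    files: Hashes = {}
    regions: List[Region] = []
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_LINE.match(line)
        if m:
            regions.append((int(m.group(1)), int(m.group(3), 16), int(m.group(4), 16)))
            current = None
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{current}: {algo} has {len(digest)} hex digits")
            files[current][algo] = digest
            continue
        if line.startswith("|"):
            continue  # table header or unrelated row
        # Anything else is a dropped-file path. NTFS paths are case-insensitive
        # and the report itself mixes 'system' and 'System', so normalise.
        current = line.lower()
        files.setdefault(current, {})
    return files, regions


def cross_run_diff(a: Hashes, b: Hashes) -> List[str]:
    """Paths dropped in both runs whose hashes differ; empty means the
    dropper wrote byte-identical files on both platforms."""
    return sorted(p for p in a.keys() & b.keys() if a[p] != b[p])


def region_sizes(regions: List[Region]) -> List[int]:
    """Distinct sizes of the dumped regions, ascending."""
    return sorted({end - start for _, start, end in regions})


def lookup(sha256: str, *runs: Hashes) -> Optional[str]:
    """Path of the dropped file with this SHA256, or None."""
    want = sha256.lower()
    for run in runs:
        for path, digests in run.items():
            if digests.get("SHA256") == want:
                return path
    return None


def blocklist(*runs: Hashes) -> List[str]:
    """Deduplicated SHA256 values for a hash-based blocklist."""
    return sorted({d["SHA256"] for run in runs for d in run.values() if "SHA256" in d})


WIN7_EXCERPT = r"""
memory/2208-0-0x000000013FBC0000-0x000000013FF11000-memory.dmp
memory/2208-1-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/2180-8-0x000000013F3C0000-0x000000013F711000-memory.dmp
C:\Windows\system\AxFqRpA.exe
| MD5 | 303be004ca833c7889901ac36a1ed38d |
| SHA1 | bfd3842511217218455c349f7028c2c1141a200e |
| SHA256 | daf99014f205f218a35a6bb8f8bd082e7af4a9b90057780b7d0dbb62fbb75ec7 |
| SHA512 | 8d95ce6ae34a78c2b6b0f3b2037d49b882047e80c2951aad30fa2a3486ab3cb4e2f04796486821a8a0f074a2c9284c27690559004a28e8393b7adbcf685d1fca |
C:\Windows\system\kCEBmvw.exe
| MD5 | 84d92db4efb83c8fbc9a26bdf9dbf1ce |
| SHA1 | 7f82e446feaf0232c9f1ad56c3cdec6035ad3d42 |
| SHA256 | 0ba5c858f28c9b8b8762be1bffaf0b99bb3aa53fe71f05192c5f7b4c588e2ee8 |
| SHA512 | 6223b3a934dc815b5491013347ed9e0409dad5688cccb56be924e212726a4982620b089aa795e51289b3485fb9037757520886234d589e89237e19189de0d58e |
"""

WIN10_EXCERPT = r"""
memory/1900-0-0x00007FF687200000-0x00007FF687551000-memory.dmp
C:\Windows\System\AxFqRpA.exe
| MD5 | 303be004ca833c7889901ac36a1ed38d |
| SHA1 | bfd3842511217218455c349f7028c2c1141a200e |
| SHA256 | daf99014f205f218a35a6bb8f8bd082e7af4a9b90057780b7d0dbb62fbb75ec7 |
| SHA512 | 8d95ce6ae34a78c2b6b0f3b2037d49b882047e80c2951aad30fa2a3486ab3cb4e2f04796486821a8a0f074a2c9284c27690559004a28e8393b7adbcf685d1fca |
memory/1996-13-0x00007FF76DA80000-0x00007FF76DDD1000-memory.dmp
C:\Windows\System\kCEBmvw.exe
| MD5 | 84d92db4efb83c8fbc9a26bdf9dbf1ce |
| SHA1 | 7f82e446feaf0232c9f1ad56c3cdec6035ad3d42 |
| SHA256 | 0ba5c858f28c9b8b8762be1bffaf0b99bb3aa53fe71f05192c5f7b4c588e2ee8 |
| SHA512 | 6223b3a934dc815b5491013347ed9e0409dad5688cccb56be924e212726a4982620b089aa795e51289b3485fb9037757520886234d589e89237e19189de0d58e |
"""

if __name__ == "__main__":
    run7, reg7 = parse_files(WIN7_EXCERPT)
    run10, reg10 = parse_files(WIN10_EXCERPT)
    print("differing drops:", cross_run_diff(run7, run10))
    print("region sizes:", [hex(s) for s in region_sizes(reg7 + reg10)])
    print("blocklist:", blocklist(run7, run10))
```

Feed the complete Files text of each run to `parse_files`; for this sample an empty `cross_run_diff` and a single 0x351000 image size (plus the one 0x10000 block) is the expected result. The per-path lower-casing matters because the win7 export writes `C:\Windows\system\` and the win10 export `C:\Windows\System\` for the same files.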
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-05 12:42
Reported
2024-08-05 12:45
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
(21 matches; description, indicator, process and target not recorded in this export)
Cobaltstrike
xmrig
XMRig Miner payload
(46 matches; description, indicator, process and target not recorded in this export)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\AxFqRpA.exe | N/A |
| N/A | N/A | C:\Windows\System\tpovEmE.exe | N/A |
| N/A | N/A | C:\Windows\System\SKaQsHR.exe | N/A |
| N/A | N/A | C:\Windows\System\kCEBmvw.exe | N/A |
| N/A | N/A | C:\Windows\System\qWrdvxd.exe | N/A |
| N/A | N/A | C:\Windows\System\amAyrjH.exe | N/A |
| N/A | N/A | C:\Windows\System\deNJVtU.exe | N/A |
| N/A | N/A | C:\Windows\System\GSEjQud.exe | N/A |
| N/A | N/A | C:\Windows\System\GseQBBk.exe | N/A |
| N/A | N/A | C:\Windows\System\wXrFXMm.exe | N/A |
| N/A | N/A | C:\Windows\System\cBExyJs.exe | N/A |
| N/A | N/A | C:\Windows\System\wSfrXDs.exe | N/A |
| N/A | N/A | C:\Windows\System\XpdNWbL.exe | N/A |
| N/A | N/A | C:\Windows\System\ijkhlSq.exe | N/A |
| N/A | N/A | C:\Windows\System\cAqfCMh.exe | N/A |
| N/A | N/A | C:\Windows\System\PxnTuYe.exe | N/A |
| N/A | N/A | C:\Windows\System\mSdpExi.exe | N/A |
| N/A | N/A | C:\Windows\System\QXQtrPo.exe | N/A |
| N/A | N/A | C:\Windows\System\SYAIKwk.exe | N/A |
| N/A | N/A | C:\Windows\System\PiSXnIL.exe | N/A |
| N/A | N/A | C:\Windows\System\TEDhLPB.exe | N/A |
UPX packed file
(64 matches; description, indicator, process and target not recorded in this export)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-05_06da8eefefd70cdcd0601a65d11f74b2_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\AxFqRpA.exe | C:\Windows\System\AxFqRpA.exe |
| C:\Windows\System\tpovEmE.exe | C:\Windows\System\tpovEmE.exe |
| C:\Windows\System\SKaQsHR.exe | C:\Windows\System\SKaQsHR.exe |
| C:\Windows\System\kCEBmvw.exe | C:\Windows\System\kCEBmvw.exe |
| C:\Windows\System\qWrdvxd.exe | C:\Windows\System\qWrdvxd.exe |
| C:\Windows\System\amAyrjH.exe | C:\Windows\System\amAyrjH.exe |
| C:\Windows\System\deNJVtU.exe | C:\Windows\System\deNJVtU.exe |
| C:\Windows\System\GSEjQud.exe | C:\Windows\System\GSEjQud.exe |
| C:\Windows\System\GseQBBk.exe | C:\Windows\System\GseQBBk.exe |
| C:\Windows\System\wXrFXMm.exe | C:\Windows\System\wXrFXMm.exe |
| C:\Windows\System\cBExyJs.exe | C:\Windows\System\cBExyJs.exe |
| C:\Windows\System\wSfrXDs.exe | C:\Windows\System\wSfrXDs.exe |
| C:\Windows\System\XpdNWbL.exe | C:\Windows\System\XpdNWbL.exe |
| C:\Windows\System\cAqfCMh.exe | C:\Windows\System\cAqfCMh.exe |
| C:\Windows\System\ijkhlSq.exe | C:\Windows\System\ijkhlSq.exe |
| C:\Windows\System\PxnTuYe.exe | C:\Windows\System\PxnTuYe.exe |
| C:\Windows\System\mSdpExi.exe | C:\Windows\System\mSdpExi.exe |
| C:\Windows\System\QXQtrPo.exe | C:\Windows\System\QXQtrPo.exe |
| C:\Windows\System\SYAIKwk.exe | C:\Windows\System\SYAIKwk.exe |
| C:\Windows\System\PiSXnIL.exe | C:\Windows\System\PiSXnIL.exe |
| C:\Windows\System\TEDhLPB.exe | C:\Windows\System\TEDhLPB.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1900-0-0x00007FF687200000-0x00007FF687551000-memory.dmp
memory/1900-1-0x0000014E64A00000-0x0000014E64A10000-memory.dmp
C:\Windows\System\AxFqRpA.exe
| MD5 | 303be004ca833c7889901ac36a1ed38d |
| SHA1 | bfd3842511217218455c349f7028c2c1141a200e |
| SHA256 | daf99014f205f218a35a6bb8f8bd082e7af4a9b90057780b7d0dbb62fbb75ec7 |
| SHA512 | 8d95ce6ae34a78c2b6b0f3b2037d49b882047e80c2951aad30fa2a3486ab3cb4e2f04796486821a8a0f074a2c9284c27690559004a28e8393b7adbcf685d1fca |
C:\Windows\System\SKaQsHR.exe
| MD5 | c16f033f18a0f435e2d2b29e67196bd5 |
| SHA1 | 2b6ed4c9092262926f3fc1fab71cd9b88cc32788 |
| SHA256 | 84436d5c26f1417e4681bca77ae2146f21fbd32663d31d4d9e67bf251fdf51ba |
| SHA512 | 3f28f9f35abfe06bc7743a7d7ef12436de832a72077585fc6c334f3f0f13aaccf0b73393d7ed69a996dd94bfac66065cb4ecf1d29e73d170d857c4efd12f5eb5 |
memory/1996-13-0x00007FF76DA80000-0x00007FF76DDD1000-memory.dmp
C:\Windows\System\qWrdvxd.exe
| MD5 | d67c6ca6d35b377d57d0e633a98f4410 |
| SHA1 | 4ddbfa10ce9ef73e41ceb764a4cbcf70e36734a2 |
| SHA256 | dc9c227b909e309e842487c064747523ce643966ca93af469608aeeaa4d34eb3 |
| SHA512 | 442f94cfe89e6ff45499105d4b1ebdcc68de203868f7be011af1be54e2ba63f7408f020a11820a469817d23908eb7196eaa48f904c35dd65e85c9355c39794ff |
C:\Windows\System\kCEBmvw.exe
| MD5 | 84d92db4efb83c8fbc9a26bdf9dbf1ce |
| SHA1 | 7f82e446feaf0232c9f1ad56c3cdec6035ad3d42 |
| SHA256 | 0ba5c858f28c9b8b8762be1bffaf0b99bb3aa53fe71f05192c5f7b4c588e2ee8 |
| SHA512 | 6223b3a934dc815b5491013347ed9e0409dad5688cccb56be924e212726a4982620b089aa795e51289b3485fb9037757520886234d589e89237e19189de0d58e |
C:\Windows\System\cBExyJs.exe
| MD5 | e004efe269a0ac57cdb6cf10b66fbe65 |
| SHA1 | eeb2f5e71ea4c8a36f6d56326c1c7285c317e8bc |
| SHA256 | 6e589746aa63ef6655cb31d75c134ebcb431b090c558714a7eee34d68d18f9c9 |
| SHA512 | 276800c031d25b7ff7c2ab936050e6e22a4721d1781d41ba58f9cceb402d9592a759ba1cfe4d6745f2f7abf26aa8e592a9b9121418cf5dc3cd909e11e9636980 |
memory/1000-63-0x00007FF72A4E0000-0x00007FF72A831000-memory.dmp
C:\Windows\System\ijkhlSq.exe
| MD5 | 686aba5bee1ab1106d8475c8eaaadfb6 |
| SHA1 | 3e65bd88f02d3efd50dbcbe9484c6e1e0ce1c48a |
| SHA256 | b859f60ac1d20625bc882829e811f40552d7b9190bb7313f8ca787249b0abe9e |
| SHA512 | ae5d0d6d2cce63e14e262fa0b07546da9232110b2b1a8b62a6df11c508bb816203895e16d2003ba96fa6dcd2cb66797a7e65932a382a3be081d48fbc5fba00cf |
C:\Windows\System\XpdNWbL.exe
| MD5 | 4ae06478e410d3478f4a17148e36e47b |
| SHA1 | 368bf265b2f0680659117f1f266b903519d813c3 |
| SHA256 | e50cf0efb815919876d20f67e01f3726a39d8a3953123635cff8a5c8cc643b12 |
| SHA512 | 3521488c176a11cc734a4f9bc052e2d18403fd365f01c9d8f8c89e5ebbf62530e18bc0d60031fda707211e726989bc6b1cb9f962617afb9b95fde992bb98d56b |
C:\Windows\System\PxnTuYe.exe
| MD5 | a431e3ab0439eff11b1da93924973e93 |
| SHA1 | 847e9fb879a92130c6e13dc72cd921042536b066 |
| SHA256 | e046ba8f5636f02c36c72385d979581b33ca4bff21823638814f6b170bd536b7 |
| SHA512 | 0c0569981497767b41e63ff6e25416ebf46669917eb54f469290ffcdc9a1ecdc729b1a6598f29c11d2f96a18bc5a7c227103845e41a8364290072e97c428da50 |
C:\Windows\System\cAqfCMh.exe
| MD5 | 64a6582ca93681ca0b8d8b4658349f4f |
| SHA1 | cdcc8c643fbdfcf005848999bf85585d488a479f |
| SHA256 | a0229d5321f499d9285675babaddf7c94a05e6131b904733b050b964e01ab662 |
| SHA512 | 7dc05ace00c29ef589549f6d2e88d842ac4136a7d41df242c42cb68c9e2a021c24d807b88fa645e4f8f88951513c7032dd6a473042d83cc6a61fb932bc65cdce |
memory/5100-106-0x00007FF663730000-0x00007FF663A81000-memory.dmp
C:\Windows\System\QXQtrPo.exe
| MD5 | 22d6bebd88004616a069496bb1d916ab |
| SHA1 | 016f8021f684b06bad822df63a1cb45ee83e818c |
| SHA256 | 8c8af0a6c3287691eb85b88da1d648b88cb1737d146021945aa1147941009e7a |
| SHA512 | 41800466376eac5b0b58cc25ae43cde9f93ad38a8ad0b2b416a4869e32792080082d959f0c812bc7835ce625fa445b1627fa4541e6c5f61cff3b69f725ed5e98 |
C:\Windows\System\SYAIKwk.exe
| MD5 | 355399ae3dd1f3fc03e293b8f34b66c9 |
| SHA1 | f409926268a95bae42228f3402c9794c54dd8072 |
| SHA256 | e86df49d0f12eb862094f42e7384bc3d6a3e7ae785315affc27e11922a923ceb |
| SHA512 | 8c20e6adbff3e797129b3cbc3ede79e5dce45e49e7d0a35ae639e2a4aeedef7a88d547c0a86c5eebf033e16f8cdc8b2813f11ee48c3d5bcad93755c1f36019f6 |
C:\Windows\System\mSdpExi.exe
| MD5 | ada2e921859b8461422731e10a6a66c1 |
| SHA1 | f7694f2d9ca490d6777ec22dbb5072e7f1b29c91 |
| SHA256 | 34d62568cdc609453d3032797aa4c7ad9ab806b34a06a846e4ef090b7141bdd4 |
| SHA512 | 1738f7874341bbd84c2513217edb4a6bbd8c41f56e6e11f00bfb2c1dac4db1a4a25965389138244035a60c7529771e241e78a03016b4cd26c528fd8a7ea3cd33 |
memory/2824-108-0x00007FF7512F0000-0x00007FF751641000-memory.dmp
memory/5004-107-0x00007FF6C2770000-0x00007FF6C2AC1000-memory.dmp
memory/512-105-0x00007FF7A6E50000-0x00007FF7A71A1000-memory.dmp
memory/4836-104-0x00007FF74CFD0000-0x00007FF74D321000-memory.dmp
memory/1180-103-0x00007FF7195E0000-0x00007FF719931000-memory.dmp
memory/3880-97-0x00007FF79A0D0000-0x00007FF79A421000-memory.dmp
memory/4292-96-0x00007FF6B6870000-0x00007FF6B6BC1000-memory.dmp
memory/1620-87-0x00007FF6F4FB0000-0x00007FF6F5301000-memory.dmp
memory/376-81-0x00007FF61B050000-0x00007FF61B3A1000-memory.dmp
memory/4856-80-0x00007FF764430000-0x00007FF764781000-memory.dmp
memory/3780-75-0x00007FF7B2DE0000-0x00007FF7B3131000-memory.dmp
C:\Windows\System\deNJVtU.exe
| MD5 | 9f7aef3cb0ccc37d6362a5b16ea1f1fa |
| SHA1 | 9692d7ef331b1c7cb66420098849c78977d88363 |
| SHA256 | a4d6c270c5982834f20e36133f41d19b032732fee86a4cdf75b1f072f9657b24 |
| SHA512 | ac202f9ce8e3ded8b45b9daf5064df3dd00a95ce7624a17bd186b7a6852b59bfbd5998f2b8a5fb3eb96d8ad0ca15de18a84ddbe71631778b11b213bad5c8a694 |
C:\Windows\System\wSfrXDs.exe
| MD5 | 991435bd50a54cc69049355c40b169dd |
| SHA1 | 402ddbe9251de78eced31087c326488305aa3b51 |
| SHA256 | d852e945f13c772e8bed95ba520d65331629e832d745f5e4740d9505345565e5 |
| SHA512 | 10e275940ecf23b0f94ec3d3d25d5bfd9d6d53e4d4cdd322cf5d829d79dce70b42c0f597a64e7a8400530a92ee05febfefa9aed3e42db9a492b64ca435af1ae3 |
C:\Windows\System\wXrFXMm.exe
| MD5 | 881c41f351c8a04ea71cbe806cfb0f1a |
| SHA1 | d2fff83801f456e9d8702e78cb8e5f8a99ff61e9 |
| SHA256 | e00d60b6551a315257723eade156eaa837cf9dccc81d6624ae0cffceb51451dc |
| SHA512 | 67815095258a1a49ef23489a22ce5befa60aa92f69e85d827a274be650694ab7a03610331876290ade0abee3d9911a442b72fe9c0f8ce5951bbd6b54844e79c0 |
memory/1328-55-0x00007FF68A270000-0x00007FF68A5C1000-memory.dmp
C:\Windows\System\GSEjQud.exe
| MD5 | b90c1d6329bd4f371de0d2ab5cf3df9a |
| SHA1 | 159f44a542fca1b668a26e2c780e8e36d514492b |
| SHA256 | f2352968d24b0b1af160b4fd88bd59c30c8abcbba80fab29cb23b664bf624024 |
| SHA512 | 02f2064e9998b651d883547610662267a0c6d7aa1a8fc435e0c4363b2bbe317bedf9963ae024a286ac342ae80ddb0bd7b316cea68156e8a5b4d4c3a6852a1db1 |
memory/2292-49-0x00007FF69AFF0000-0x00007FF69B341000-memory.dmp
memory/4156-48-0x00007FF73A520000-0x00007FF73A871000-memory.dmp
C:\Windows\System\GseQBBk.exe
| MD5 | e1abd9509725f05ed0a544f5026a3952 |
| SHA1 | 13ebf8b39ef802d6936a5d0faa5e8c0b2e63cb2e |
| SHA256 | 5bd40ad12c66d727ab42bcf5c569d64d3709630b8afeb52cf7b099603645ee36 |
| SHA512 | 1b5324ec3a80104385d25212adba5e913645e3376d24b98caec1de590a5ea053cce2e77c02ec5119eb5f49434ac6c400c68f6f5358600d4a8e24a2b80d4ac2b8 |
C:\Windows\System\amAyrjH.exe
| MD5 | 3fdf3d256b10e97c52f98665fa057d00 |
| SHA1 | 043b5fc5b9d6a22889014fefe9a0fda8f572f94c |
| SHA256 | 56177327393a5ec6f548e09fc095d3b3d48f7694cb21a0aa128cfc1cd4dbf36d |
| SHA512 | daa58670e5730a7a62917cc68bf73172925cd1a79190453f507c75fefe32616668b8bc43e6e51c60cc68a21a272adaf7d45274b3877dea0292ee705f7e955b0f |
memory/2036-33-0x00007FF681360000-0x00007FF6816B1000-memory.dmp
memory/4744-27-0x00007FF6460B0000-0x00007FF646401000-memory.dmp
C:\Windows\System\tpovEmE.exe
| MD5 | 28d76122c5c11892f574cece62ae3bc9 |
| SHA1 | 3d918635cbe8b76a8319fd9126dd8540b937da13 |
| SHA256 | 71853efadda01f4da1035cb2f8913eb8f596570271e4de154cc64ea6a5964337 |
| SHA512 | 5d9f44838017eb7aa8f49385e8c8b1350e9f348da2dedbdb3c5d3cbcc88d49473534cd898d63a76392a0d2350f67b7249bfc2de3a4bb719451cff6fd56dda8ff |
C:\Windows\System\PiSXnIL.exe
| MD5 | 5a8fd82b9eb585b3edfd9ebbe71c3d51 |
| SHA1 | d8035f3eb425ea391ac871e7989d35336eb417c4 |
| SHA256 | 079fdf478f7448831a31a056bc3fe41f03da426eaa028a5e278d2582c82ec8f2 |
| SHA512 | 3ef2bcc6d8b8c0f11d14ec3d0b2754914c3a66dbfd3d97fc4f45c5ac58edf922452f9e6c472c53ab781a166b653363642af6019cb0a662173845a100b3547458 |
memory/5072-121-0x00007FF798AC0000-0x00007FF798E11000-memory.dmp
C:\Windows\System\TEDhLPB.exe
| MD5 | 5ad7a0a8bffa9b2d3f83cf2387fd94be |
| SHA1 | 6f543806e958c65e28ab2c6653d49a1647891c5d |
| SHA256 | f14be995a1992b3a982e2af124d15bdb711f42b9f5e6528c6506bebc5516af70 |
| SHA512 | 778d43c3461bb4915934b723f5b352573bf2838feee950158e458a2c51adbef82e38e598c431af2cd12c0d87d04db8e7071b707346785cda678b577f17dbed62 |
memory/1520-127-0x00007FF7450B0000-0x00007FF745401000-memory.dmp
memory/2036-132-0x00007FF681360000-0x00007FF6816B1000-memory.dmp
memory/4744-130-0x00007FF6460B0000-0x00007FF646401000-memory.dmp
memory/3780-140-0x00007FF7B2DE0000-0x00007FF7B3131000-memory.dmp
memory/5100-147-0x00007FF663730000-0x00007FF663A81000-memory.dmp
memory/5072-148-0x00007FF798AC0000-0x00007FF798E11000-memory.dmp
memory/512-146-0x00007FF7A6E50000-0x00007FF7A71A1000-memory.dmp
memory/2824-145-0x00007FF7512F0000-0x00007FF751641000-memory.dmp
memory/5004-144-0x00007FF6C2770000-0x00007FF6C2AC1000-memory.dmp
memory/376-142-0x00007FF61B050000-0x00007FF61B3A1000-memory.dmp
memory/4856-143-0x00007FF764430000-0x00007FF764781000-memory.dmp
memory/1328-136-0x00007FF68A270000-0x00007FF68A5C1000-memory.dmp
memory/1900-128-0x00007FF687200000-0x00007FF687551000-memory.dmp
memory/1520-149-0x00007FF7450B0000-0x00007FF745401000-memory.dmp
memory/1900-150-0x00007FF687200000-0x00007FF687551000-memory.dmp
memory/1900-151-0x00007FF687200000-0x00007FF687551000-memory.dmp
memory/1996-206-0x00007FF76DA80000-0x00007FF76DDD1000-memory.dmp
memory/4744-208-0x00007FF6460B0000-0x00007FF646401000-memory.dmp
memory/4156-210-0x00007FF73A520000-0x00007FF73A871000-memory.dmp
memory/2036-212-0x00007FF681360000-0x00007FF6816B1000-memory.dmp
memory/1000-215-0x00007FF72A4E0000-0x00007FF72A831000-memory.dmp
memory/2292-218-0x00007FF69AFF0000-0x00007FF69B341000-memory.dmp
memory/1620-216-0x00007FF6F4FB0000-0x00007FF6F5301000-memory.dmp
memory/4292-222-0x00007FF6B6870000-0x00007FF6B6BC1000-memory.dmp
memory/1328-230-0x00007FF68A270000-0x00007FF68A5C1000-memory.dmp
memory/4856-232-0x00007FF764430000-0x00007FF764781000-memory.dmp
memory/3880-228-0x00007FF79A0D0000-0x00007FF79A421000-memory.dmp
memory/4836-225-0x00007FF74CFD0000-0x00007FF74D321000-memory.dmp
memory/3780-227-0x00007FF7B2DE0000-0x00007FF7B3131000-memory.dmp
memory/1180-221-0x00007FF7195E0000-0x00007FF719931000-memory.dmp
memory/5100-237-0x00007FF663730000-0x00007FF663A81000-memory.dmp
memory/512-235-0x00007FF7A6E50000-0x00007FF7A71A1000-memory.dmp
memory/376-242-0x00007FF61B050000-0x00007FF61B3A1000-memory.dmp
memory/2824-240-0x00007FF7512F0000-0x00007FF751641000-memory.dmp
memory/5004-239-0x00007FF6C2770000-0x00007FF6C2AC1000-memory.dmp
memory/5072-246-0x00007FF798AC0000-0x00007FF798E11000-memory.dmp
memory/1520-248-0x00007FF7450B0000-0x00007FF745401000-memory.dmp
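The listing above is a flat dump of artefacts, which is awkward to consume directly in a hunt. The following is an added example, not code from the sandbox vendor or the report, that turns these lines into machine-readable IOCs. It rests on two assumptions the page does not state: that a dump named `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp` encodes the process ID, a running dump index and the dumped virtual address range, and that each `C:\...` path is followed by `| MD5 | ... |` style rows for MD5, SHA1, SHA256 and SHA512. The sample input is copied from the rows above (two dropped files, five dump entries); the length check flags digests that were truncated or garbled in extraction.

```python
"""Convert the dropped-file and memory-dump listing into machine-readable IOCs.

Added example for this report page; not the sandbox vendor's code. Assumptions:
  * memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp is read as process ID, dump
    index, and the virtual address range that was dumped (assumed naming);
  * each "C:\\..." path line is followed by "| MD5 | <hex> |" style rows for
    MD5, SHA1, SHA256 and SHA512.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
# Hex length each digest must have; anything else is a truncated or garbled row.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)


@dataclass(frozen=True)
class MemRegion:
    pid: int
    idx: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_report(text: str):
    """Return (dropped files, memory regions, integrity issues) from report lines."""
    files, regions, issues, current = [], [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            regions.append(MemRegion(int(m["pid"]), int(m["idx"]),
                                     int(m["start"], 16), int(m["end"], 16)))
            current = None  # hash rows never follow a dump line
            continue
        if line.startswith("C:\\"):
            current = DroppedFile(line)
            files.append(current)
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            algo, digest = h.group(1), h.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                issues.append(f"{current.path}: {algo} has {len(digest)} hex chars")
            current.hashes[algo] = digest
    return files, regions, issues


def sha256_set(files):
    """Durable IOCs: the drop names look random, so hunt on content hashes."""
    return {f.hashes["SHA256"] for f in files if "SHA256" in f.hashes}


def region_size_histogram(regions):
    """One dominant size across many PIDs is consistent with the same image
    being mapped into each process."""
    return Counter(r.size for r in regions)


def distinct_regions(regions):
    """Collapse repeated dumps of the same range in the same process."""
    return {(r.pid, r.start, r.end) for r in regions}


def unique_pids(regions):
    return sorted({r.pid for r in regions})


# Lines copied from the report listing (two dropped files, five dump entries).
SAMPLE = r"""
C:\Windows\System\QXQtrPo.exe
| MD5 | 22d6bebd88004616a069496bb1d916ab |
| SHA1 | 016f8021f684b06bad822df63a1cb45ee83e818c |
| SHA256 | 8c8af0a6c3287691eb85b88da1d648b88cb1737d146021945aa1147941009e7a |
| SHA512 | 41800466376eac5b0b58cc25ae43cde9f93ad38a8ad0b2b416a4869e32792080082d959f0c812bc7835ce625fa445b1627fa4541e6c5f61cff3b69f725ed5e98 |
C:\Windows\System\SYAIKwk.exe
| MD5 | 355399ae3dd1f3fc03e293b8f34b66c9 |
| SHA1 | f409926268a95bae42228f3402c9794c54dd8072 |
| SHA256 | e86df49d0f12eb862094f42e7384bc3d6a3e7ae785315affc27e11922a923ceb |
| SHA512 | 8c20e6adbff3e797129b3cbc3ede79e5dce45e49e7d0a35ae639e2a4aeedef7a88d547c0a86c5eebf033e16f8cdc8b2813f11ee48c3d5bcad93755c1f36019f6 |
memory/2824-108-0x00007FF7512F0000-0x00007FF751641000-memory.dmp
memory/5004-107-0x00007FF6C2770000-0x00007FF6C2AC1000-memory.dmp
memory/5100-106-0x00007FF663730000-0x00007FF663A81000-memory.dmp
memory/5100-147-0x00007FF663730000-0x00007FF663A81000-memory.dmp
memory/1900-128-0x00007FF687200000-0x00007FF687551000-memory.dmp
"""

if __name__ == "__main__":
    files, regions, issues = parse_report(SAMPLE)
    print(f"{len(files)} dropped files, {len(regions)} dumps, {len(issues)} issues")
    for f in files:
        print(f.path, f.hashes["SHA256"])
    for size, n in region_size_histogram(regions).items():
        print(f"{n} dumps of 0x{size:X} bytes across PIDs {unique_pids(regions)}")
```

Two things worth noting when using the output. Every dump range in the listing above spans 0x351000 bytes, so the histogram collapses to a single size across all PIDs, which is what you would expect if the same image is mapped into each process; the same range for PID 5100 is dumped twice (indices 106 and 147), which is why `distinct_regions` is there. The dropped file names under `C:\Windows\System\` look randomly generated, so hunt on the hashes, not on the names.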