Analysis Overview
SHA256
4a8c5d4cee26d5b20f65dcd4dc87dd44f7df5cd208e99fb7c1881ae43949e57c
Threat Level: Known bad
The file 2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Cobalt Strike reflective loader
xmrig
Cobaltstrike family
Xmrig family
XMRig Miner payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-06 11:51
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 11:51
Reported
2024-08-06 11:54
Platform
win10v2004-20240802-en
Max time kernel
144s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\xEggfcW.exe | N/A |
| N/A | N/A | C:\Windows\System\bMeRKpF.exe | N/A |
| N/A | N/A | C:\Windows\System\CgschQb.exe | N/A |
| N/A | N/A | C:\Windows\System\ejdthVn.exe | N/A |
| N/A | N/A | C:\Windows\System\rohfuHy.exe | N/A |
| N/A | N/A | C:\Windows\System\VIsdGzN.exe | N/A |
| N/A | N/A | C:\Windows\System\ZpeZQVX.exe | N/A |
| N/A | N/A | C:\Windows\System\BDoLVbH.exe | N/A |
| N/A | N/A | C:\Windows\System\AqDLYDK.exe | N/A |
| N/A | N/A | C:\Windows\System\JgfhATI.exe | N/A |
| N/A | N/A | C:\Windows\System\NOKQnIi.exe | N/A |
| N/A | N/A | C:\Windows\System\PdggOue.exe | N/A |
| N/A | N/A | C:\Windows\System\ATHLFoJ.exe | N/A |
| N/A | N/A | C:\Windows\System\ahPGhFp.exe | N/A |
| N/A | N/A | C:\Windows\System\ksYzkHd.exe | N/A |
| N/A | N/A | C:\Windows\System\FHAmyYE.exe | N/A |
| N/A | N/A | C:\Windows\System\vaNRReU.exe | N/A |
| N/A | N/A | C:\Windows\System\xzFvsvK.exe | N/A |
| N/A | N/A | C:\Windows\System\Ussywuc.exe | N/A |
| N/A | N/A | C:\Windows\System\nxFnRtv.exe | N/A |
| N/A | N/A | C:\Windows\System\jdpFuOY.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\xEggfcW.exe | C:\Windows\System\xEggfcW.exe |
| C:\Windows\System\bMeRKpF.exe | C:\Windows\System\bMeRKpF.exe |
| C:\Windows\System\CgschQb.exe | C:\Windows\System\CgschQb.exe |
| C:\Windows\System\ejdthVn.exe | C:\Windows\System\ejdthVn.exe |
| C:\Windows\System\rohfuHy.exe | C:\Windows\System\rohfuHy.exe |
| C:\Windows\System\BDoLVbH.exe | C:\Windows\System\BDoLVbH.exe |
| C:\Windows\System\VIsdGzN.exe | C:\Windows\System\VIsdGzN.exe |
| C:\Windows\System\ZpeZQVX.exe | C:\Windows\System\ZpeZQVX.exe |
| C:\Windows\System\AqDLYDK.exe | C:\Windows\System\AqDLYDK.exe |
| C:\Windows\System\JgfhATI.exe | C:\Windows\System\JgfhATI.exe |
| C:\Windows\System\NOKQnIi.exe | C:\Windows\System\NOKQnIi.exe |
| C:\Windows\System\PdggOue.exe | C:\Windows\System\PdggOue.exe |
| C:\Windows\System\ATHLFoJ.exe | C:\Windows\System\ATHLFoJ.exe |
| C:\Windows\System\ahPGhFp.exe | C:\Windows\System\ahPGhFp.exe |
| C:\Windows\System\ksYzkHd.exe | C:\Windows\System\ksYzkHd.exe |
| C:\Windows\System\FHAmyYE.exe | C:\Windows\System\FHAmyYE.exe |
| C:\Windows\System\vaNRReU.exe | C:\Windows\System\vaNRReU.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4248,i,15436195446242760253,4000484513008731869,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8 |
| C:\Windows\System\xzFvsvK.exe | C:\Windows\System\xzFvsvK.exe |
| C:\Windows\System\Ussywuc.exe | C:\Windows\System\Ussywuc.exe |
| C:\Windows\System\nxFnRtv.exe | C:\Windows\System\nxFnRtv.exe |
| C:\Windows\System\jdpFuOY.exe | C:\Windows\System\jdpFuOY.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 11:51
Reported
2024-08-06 11:54
Platform
win7-20240708-en
Max time kernel
141s
Max time network
153s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\GBweaEr.exe | N/A |
| N/A | N/A | C:\Windows\System\dVLZRqg.exe | N/A |
| N/A | N/A | C:\Windows\System\vzeZYDt.exe | N/A |
| N/A | N/A | C:\Windows\System\UrWgsAD.exe | N/A |
| N/A | N/A | C:\Windows\System\vZQPywq.exe | N/A |
| N/A | N/A | C:\Windows\System\QwcaTYs.exe | N/A |
| N/A | N/A | C:\Windows\System\yzjaiEh.exe | N/A |
| N/A | N/A | C:\Windows\System\dauVPsr.exe | N/A |
| N/A | N/A | C:\Windows\System\ynmFQNI.exe | N/A |
| N/A | N/A | C:\Windows\System\BQWObfq.exe | N/A |
| N/A | N/A | C:\Windows\System\kFCeIlT.exe | N/A |
| N/A | N/A | C:\Windows\System\HwTvOld.exe | N/A |
| N/A | N/A | C:\Windows\System\LsLuWFb.exe | N/A |
| N/A | N/A | C:\Windows\System\zFguzmo.exe | N/A |
| N/A | N/A | C:\Windows\System\hVfkmrY.exe | N/A |
| N/A | N/A | C:\Windows\System\pqJybaE.exe | N/A |
| N/A | N/A | C:\Windows\System\tkmanyS.exe | N/A |
| N/A | N/A | C:\Windows\System\wwmCRKj.exe | N/A |
| N/A | N/A | C:\Windows\System\bhlkcyj.exe | N/A |
| N/A | N/A | C:\Windows\System\YKCYHjK.exe | N/A |
| N/A | N/A | C:\Windows\System\KJMOKvf.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-06_579a4b1a1bbc38bb4be03c6d2037ce65_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\GBweaEr.exe | C:\Windows\System\GBweaEr.exe |
| C:\Windows\System\dVLZRqg.exe | C:\Windows\System\dVLZRqg.exe |
| C:\Windows\System\vzeZYDt.exe | C:\Windows\System\vzeZYDt.exe |
| C:\Windows\System\UrWgsAD.exe | C:\Windows\System\UrWgsAD.exe |
| C:\Windows\System\vZQPywq.exe | C:\Windows\System\vZQPywq.exe |
| C:\Windows\System\QwcaTYs.exe | C:\Windows\System\QwcaTYs.exe |
| C:\Windows\System\yzjaiEh.exe | C:\Windows\System\yzjaiEh.exe |
| C:\Windows\System\dauVPsr.exe | C:\Windows\System\dauVPsr.exe |
| C:\Windows\System\ynmFQNI.exe | C:\Windows\System\ynmFQNI.exe |
| C:\Windows\System\BQWObfq.exe | C:\Windows\System\BQWObfq.exe |
| C:\Windows\System\kFCeIlT.exe | C:\Windows\System\kFCeIlT.exe |
| C:\Windows\System\HwTvOld.exe | C:\Windows\System\HwTvOld.exe |
| C:\Windows\System\LsLuWFb.exe | C:\Windows\System\LsLuWFb.exe |
| C:\Windows\System\zFguzmo.exe | C:\Windows\System\zFguzmo.exe |
| C:\Windows\System\hVfkmrY.exe | C:\Windows\System\hVfkmrY.exe |
| C:\Windows\System\pqJybaE.exe | C:\Windows\System\pqJybaE.exe |
| C:\Windows\System\tkmanyS.exe | C:\Windows\System\tkmanyS.exe |
| C:\Windows\System\wwmCRKj.exe | C:\Windows\System\wwmCRKj.exe |
| C:\Windows\System\bhlkcyj.exe | C:\Windows\System\bhlkcyj.exe |
| C:\Windows\System\YKCYHjK.exe | C:\Windows\System\YKCYHjK.exe |
| C:\Windows\System\KJMOKvf.exe | C:\Windows\System\KJMOKvf.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\system\HwTvOld.exe
| MD5 | b19c67cfd39bcb2a8d74a78c6c80dbbd |
| SHA1 | 0c691c444701c8f183c08b90ea074f61464ae61b |
| SHA256 | adcf26b5aba8c5c87649cb539aff9ec2ed4d4c0a5c407e1ec4ef6a88b23b322d |
| SHA512 | 034b3da187d1fc88c3935028c7687c96572bc57226ac8ce7528ddb6888cfc44b48893035d6e925d367c34b960df0274624bf56098dc43a2c32f19229ec9fc7df |
C:\Windows\system\kFCeIlT.exe
| MD5 | 62632baf7dfb012913277f10c4586406 |
| SHA1 | d3199ba1990544c7e550a829ef850078cace985a |
| SHA256 | 19f87aad2f771e1c0733fc45384e386c2e5cc586259eeca8b8d7030312df4bfa |
| SHA512 | 75d310f5cc243412d3aafee4beb59c6cba31af1a71b42c6370da5c472eb9668e57859f4a2f3c278960a5d33fad3b860611bb7d004380171336c8888c1d9b1433 |
C:\Windows\system\dauVPsr.exe
| MD5 | f7523b8c3f001c8c9242a8c97c7db9e9 |
| SHA1 | 341f44ce67f50b9b0bcaaf08412d5f30a17a88bd |
| SHA256 | bd88c8e6e9eade41d59fcd8d5d992c126cbb252ea211bdfc8a47cc3e19138aae |
| SHA512 | 257d7ee85658e72f4976b0dfe7757b1c66ca27a57ade4e9aabfe6833db80aac4a5b9b4523537b1494039922cb6469d5d68f131ac209e1d23d6a28cb671108823 |
memory/2404-90-0x000000013F5D0000-0x000000013F921000-memory.dmp
memory/2752-108-0x000000013F7F0000-0x000000013FB41000-memory.dmp
memory/2736-122-0x000000013F640000-0x000000013F991000-memory.dmp
memory/1992-107-0x000000013F7F0000-0x000000013FB41000-memory.dmp
memory/2908-124-0x000000013F8F0000-0x000000013FC41000-memory.dmp
memory/1992-125-0x000000013F860000-0x000000013FBB1000-memory.dmp
memory/1992-123-0x000000013F8F0000-0x000000013FC41000-memory.dmp
memory/3056-112-0x000000013F940000-0x000000013FC91000-memory.dmp
memory/2748-129-0x000000013F3C0000-0x000000013F711000-memory.dmp
memory/2852-128-0x000000013F9A0000-0x000000013FCF1000-memory.dmp
memory/1992-127-0x000000013F9A0000-0x000000013FCF1000-memory.dmp
memory/2936-126-0x000000013F860000-0x000000013FBB1000-memory.dmp
memory/1992-111-0x000000013F940000-0x000000013FC91000-memory.dmp
memory/2820-110-0x000000013FBE0000-0x000000013FF31000-memory.dmp
memory/1992-109-0x000000013FBE0000-0x000000013FF31000-memory.dmp
memory/572-104-0x000000013F1C0000-0x000000013F511000-memory.dmp
memory/2928-101-0x000000013F080000-0x000000013F3D1000-memory.dmp
memory/1992-99-0x000000013F080000-0x000000013F3D1000-memory.dmp
memory/2068-97-0x000000013F5A0000-0x000000013F8F1000-memory.dmp
memory/1992-92-0x00000000023E0000-0x0000000002731000-memory.dmp
memory/2096-89-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/1992-130-0x000000013F440000-0x000000013F791000-memory.dmp
memory/2376-131-0x000000013FAF0000-0x000000013FE41000-memory.dmp
memory/2404-133-0x000000013F5D0000-0x000000013F921000-memory.dmp
memory/2668-145-0x000000013F440000-0x000000013F791000-memory.dmp
memory/2688-147-0x000000013FFE0000-0x0000000140331000-memory.dmp
memory/680-150-0x000000013F0F0000-0x000000013F441000-memory.dmp
memory/2784-149-0x000000013F3F0000-0x000000013F741000-memory.dmp
memory/2504-148-0x000000013F460000-0x000000013F7B1000-memory.dmp
memory/2628-146-0x000000013F220000-0x000000013F571000-memory.dmp
memory/2736-140-0x000000013F640000-0x000000013F991000-memory.dmp
memory/2820-138-0x000000013FBE0000-0x000000013FF31000-memory.dmp
memory/572-136-0x000000013F1C0000-0x000000013F511000-memory.dmp
memory/2068-134-0x000000013F5A0000-0x000000013F8F1000-memory.dmp
memory/2096-132-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/1420-151-0x000000013F880000-0x000000013FBD1000-memory.dmp
memory/1992-152-0x000000013F440000-0x000000013F791000-memory.dmp
memory/1992-153-0x000000013F440000-0x000000013F791000-memory.dmp
memory/1992-175-0x000000013FAF0000-0x000000013FE41000-memory.dmp
memory/2376-221-0x000000013FAF0000-0x000000013FE41000-memory.dmp
memory/2928-226-0x000000013F080000-0x000000013F3D1000-memory.dmp
memory/3056-229-0x000000013F940000-0x000000013FC91000-memory.dmp
memory/2908-232-0x000000013F8F0000-0x000000013FC41000-memory.dmp
memory/2852-233-0x000000013F9A0000-0x000000013FCF1000-memory.dmp
memory/2752-227-0x000000013F7F0000-0x000000013FB41000-memory.dmp
memory/2404-223-0x000000013F5D0000-0x000000013F921000-memory.dmp
memory/2096-236-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/572-243-0x000000013F1C0000-0x000000013F511000-memory.dmp
memory/2068-241-0x000000013F5A0000-0x000000013F8F1000-memory.dmp
memory/2748-249-0x000000013F3C0000-0x000000013F711000-memory.dmp
memory/2736-247-0x000000013F640000-0x000000013F991000-memory.dmp
memory/2820-245-0x000000013FBE0000-0x000000013FF31000-memory.dmp
memory/2936-253-0x000000013F860000-0x000000013FBB1000-memory.dmp