Analysis Overview
SHA256
be9b421e3d2594c2ff3f2b8c10b26e70dba99fb76f245c33f4fbaec3c574c503
Threat Level: Known bad
The file 2024-08-06_5d069a49629567730316e031c056f493_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Cobaltstrike family
Xmrig family
xmrig
Cobaltstrike
Cobalt Strike reflective loader
XMRig Miner payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-06 11:52
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 11:52
Reported
2024-08-06 11:55
Platform
win7-20240705-en
Max time kernel
140s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\eRrffSl.exe | N/A |
| N/A | N/A | C:\Windows\System\pdUQGUj.exe | N/A |
| N/A | N/A | C:\Windows\System\FRnuftA.exe | N/A |
| N/A | N/A | C:\Windows\System\PerTEcM.exe | N/A |
| N/A | N/A | C:\Windows\System\vSHCbQq.exe | N/A |
| N/A | N/A | C:\Windows\System\GvQbWvQ.exe | N/A |
| N/A | N/A | C:\Windows\System\wxpyFKU.exe | N/A |
| N/A | N/A | C:\Windows\System\ICDngmT.exe | N/A |
| N/A | N/A | C:\Windows\System\OAIBeKN.exe | N/A |
| N/A | N/A | C:\Windows\System\szANevR.exe | N/A |
| N/A | N/A | C:\Windows\System\ZJUlFKW.exe | N/A |
| N/A | N/A | C:\Windows\System\IXAmNeK.exe | N/A |
| N/A | N/A | C:\Windows\System\FaBJKJG.exe | N/A |
| N/A | N/A | C:\Windows\System\VGbwIJR.exe | N/A |
| N/A | N/A | C:\Windows\System\OYqZuDf.exe | N/A |
| N/A | N/A | C:\Windows\System\JKiHOgz.exe | N/A |
| N/A | N/A | C:\Windows\System\vgLMsAt.exe | N/A |
| N/A | N/A | C:\Windows\System\DsOfSOp.exe | N/A |
| N/A | N/A | C:\Windows\System\wLnvunM.exe | N/A |
| N/A | N/A | C:\Windows\System\uYekrPo.exe | N/A |
| N/A | N/A | C:\Windows\System\PiSKyvE.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_5d069a49629567730316e031c056f493_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_5d069a49629567730316e031c056f493_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_5d069a49629567730316e031c056f493_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_5d069a49629567730316e031c056f493_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\eRrffSl.exe
C:\Windows\System\eRrffSl.exe
C:\Windows\System\pdUQGUj.exe
C:\Windows\System\pdUQGUj.exe
C:\Windows\System\FRnuftA.exe
C:\Windows\System\FRnuftA.exe
C:\Windows\System\PerTEcM.exe
C:\Windows\System\PerTEcM.exe
C:\Windows\System\vSHCbQq.exe
C:\Windows\System\vSHCbQq.exe
C:\Windows\System\GvQbWvQ.exe
C:\Windows\System\GvQbWvQ.exe
C:\Windows\System\wxpyFKU.exe
C:\Windows\System\wxpyFKU.exe
C:\Windows\System\ICDngmT.exe
C:\Windows\System\ICDngmT.exe
C:\Windows\System\OAIBeKN.exe
C:\Windows\System\OAIBeKN.exe
C:\Windows\System\szANevR.exe
C:\Windows\System\szANevR.exe
C:\Windows\System\ZJUlFKW.exe
C:\Windows\System\ZJUlFKW.exe
C:\Windows\System\IXAmNeK.exe
C:\Windows\System\IXAmNeK.exe
C:\Windows\System\FaBJKJG.exe
C:\Windows\System\FaBJKJG.exe
C:\Windows\System\VGbwIJR.exe
C:\Windows\System\VGbwIJR.exe
C:\Windows\System\OYqZuDf.exe
C:\Windows\System\OYqZuDf.exe
C:\Windows\System\JKiHOgz.exe
C:\Windows\System\JKiHOgz.exe
C:\Windows\System\vgLMsAt.exe
C:\Windows\System\vgLMsAt.exe
C:\Windows\System\DsOfSOp.exe
C:\Windows\System\DsOfSOp.exe
C:\Windows\System\wLnvunM.exe
C:\Windows\System\wLnvunM.exe
C:\Windows\System\uYekrPo.exe
C:\Windows\System\uYekrPo.exe
C:\Windows\System\PiSKyvE.exe
C:\Windows\System\PiSKyvE.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2708-0-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/2708-1-0x00000000001F0000-0x0000000000200000-memory.dmp
C:\Windows\system\eRrffSl.exe
| MD5 | ed60a66e209c6f7f2b18495660d5c71f |
| SHA1 | 9bf34a12d6d963eb7409138261df1999875b308e |
| SHA256 | 8667ea4d442d29f653986f2ab12439ad69342dde06126b788163ec397de1c482 |
| SHA512 | f3d3bcf746e2bfb80e4624d0974a7d4cc639d00c1f04c4e8c7e3e3b6747bfba3d6fcc9b0067f9fe157f49b4f7f8596f5ef88fabaef22ecef67657122f3157bb9 |
C:\Windows\system\pdUQGUj.exe
| MD5 | a1465d10feee4de92115e49a0efeea34 |
| SHA1 | fc7deb1518d5ed052de6c16f85c56e5cdf14abd5 |
| SHA256 | 44bb3aac82d5a9ec25a52af74c20cdba361953f36670cd9c3ad96e3b1aa13ec4 |
| SHA512 | f265da7054094c3ac9de23f3cc0bf7f25b86c7c797632bc3e7f91b065656e06c4a94c436021794d52b7f2424681cc304e34813e4a45587086aa19f07460293ab |
C:\Windows\system\FRnuftA.exe
| MD5 | 9517fc874ae86c685afa8759199f5477 |
| SHA1 | acc97bdf7b877890f06eec680e079a2e65d85d5b |
| SHA256 | 148e03c2479550c472ff9238d51f09d9ef03c1e2b7fd740a2a63e55167bf5109 |
| SHA512 | f123cbcc3c074e8678544ae5b7c8557e8258f96037532a8fe2d1f1f4fb355e82b94a7ebdcd95a0a0ea75da91efbee1a58dce4d785767574091234f651c22b4e5 |
C:\Windows\system\PerTEcM.exe
| MD5 | 46d061de18b7cbab47a525d3c054be81 |
| SHA1 | f106e189e6bed5f868aa6dc220415aef03d072f2 |
| SHA256 | ccc468ca561078049bf358117b66522ede6888d17625ce3693d1d9519dac0a71 |
| SHA512 | 314abb479c58ded7a11e4d83396b599d15b2084c156839f025cf7f66271f97b48a99d41c27c4118454dff7b7df0be43e554b20db9ee7c2390d6cf4ae35dcb5fb |
C:\Windows\system\vSHCbQq.exe
| MD5 | be85e7283e1564b48ff6ecf53aaaa0a8 |
| SHA1 | 0878368b5006f0fc1303f63fccef855002ef3058 |
| SHA256 | 6cecdee4d557cd8a91f3d26961c8c9794cd833f8cf67700157b9f8ffb5cd5c37 |
| SHA512 | 1174add257d72686b81667779a0c20349ebb3016bd35c6f0b561a4cb1062d270a6198ff16866308ee0c4ddf0491aa2b32bf31ed87b9f9e3a6709dc47770b9b4b |
C:\Windows\system\wxpyFKU.exe
| MD5 | e6a508aab8518cd7006a2216ea5c4020 |
| SHA1 | 52c488c113c9df5f2268daf8ba7dfd342b7fd6e6 |
| SHA256 | 19fa27452374cf1b277ccaffed6c7b25bae20ae35fe4f9ab0da6c8e1d3c7f5b4 |
| SHA512 | 5b49bcd978abb9a94da410a5f76b01d468f6a1e095c0292a76cad13b2e43e60b78a29738015fba61f45e9283870a5bbee4e5a77cc3bde8fca29408fc59536996 |
C:\Windows\system\ICDngmT.exe
| MD5 | 44ce7bc0ae5df48c8b813db42d99e5a7 |
| SHA1 | c7355e5a667fb19c4000fa229d6e3ac3779dac20 |
| SHA256 | a2a6c2cf4d7389072d5810a72c5bdb5a1e16db0d74bec18157143de255f8e199 |
| SHA512 | 2ed76adc865bb1b1159ee7d41d7e0fc0e3555b703bb9a2c05ff527b1b48f0a361fbc70a112fbc3d59cf9b74cde5b34d89b1f0f0c3569af6b41e36a8ca56137d5 |
C:\Windows\system\szANevR.exe
| MD5 | c253735eda1f883c378e668016112132 |
| SHA1 | 9fde88f95044c4aeed50ec1c08ab14ab4081b79e |
| SHA256 | b3e8ede483646cbff3a4ac052f48a6f46f800eb834a7954036209b293be339a3 |
| SHA512 | 0587fa24227aebcaf06d6ea4a25ff5ceddde05b3c14794ea775008ce41fd874abc7f8a0150af1ec602fc4d1e12308033e71ce419995f54bc79d7f553da651267 |
C:\Windows\system\IXAmNeK.exe
| MD5 | 72955636b6d2f03f9dd7651faa8d9b2f |
| SHA1 | 6ad3a7fac0557cec373dc8effe09dd33f444a185 |
| SHA256 | d9c4fe45e6ac1c08d9849ca66cf59406b8b82aac404bf2a9c28f9ee44359e639 |
| SHA512 | 15bafe5faa6b469352ef7119e2b9c97292d1bffa60774a649f33b36d9186f83213452053979a3c3f9212a4af29fc84ce3fa3d441ce84c0d7c48c1da68bb33c79 |
C:\Windows\system\wLnvunM.exe
| MD5 | e45f38571622bd6042beffd51a8b193e |
| SHA1 | ecfb98c6948df47887245fa956d744716a1b6e06 |
| SHA256 | 53f9621e543327f4baa301cb6791e3bfb840a407f901f7bf632aab78d7217a32 |
| SHA512 | 6be1fc895e41a93abce925bade8757f198683d31d67ba668fc839b37d29b030afc71d1d456ad83faa318816a97947365813c7d19be0f91f378cf9ee4d6387aa9 |
C:\Windows\system\PiSKyvE.exe
| MD5 | ffbc463a462257cf1a0e102c2c8b875f |
| SHA1 | 04f7c8a8950f7ac991045597c81014eb5f4db9cc |
| SHA256 | ef4742c08887670eedfacf63fab530ce90e67186f3d55e2d36afd47e20815d3d |
| SHA512 | ee3d7a48e9202fecd5926bba2b30c76d7d57b8a8c997b8e353b551e57d31800cd68c0199fc4213f5ced1cec25c81d8b8a0857cc709ff4bc836b1688ece72fb28 |
C:\Windows\system\uYekrPo.exe
| MD5 | df5d8d46ec97b14c8878251e6529bed0 |
| SHA1 | c92041f331ffa5258f60fbcbd8775b5fcef19199 |
| SHA256 | 669613ceb64b99814195f4a462b81d7bb9b9b9578cbe94fb5e2b0040c1f5d454 |
| SHA512 | ed225966f4140e40cadb1803ba1c86ae40d0b0ca20b78be30b9c88915584a177109f4f561dead1e8451cb64e2ccad5f91c8bb67a5016a9c74a5643904310e3ef |
memory/2708-114-0x000000013F320000-0x000000013F674000-memory.dmp
memory/2312-117-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2708-116-0x0000000002200000-0x0000000002554000-memory.dmp
memory/2884-115-0x000000013F320000-0x000000013F674000-memory.dmp
memory/2740-113-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2708-112-0x0000000002200000-0x0000000002554000-memory.dmp
memory/2764-111-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2708-110-0x0000000002200000-0x0000000002554000-memory.dmp
memory/2776-109-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/2624-108-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2708-107-0x000000013F1D0000-0x000000013F524000-memory.dmp
C:\Windows\system\DsOfSOp.exe
| MD5 | f2832ab0e969f9815edea288730420f6 |
| SHA1 | 4cd82e088fb29205c8953cbbfb9b958c914e55f2 |
| SHA256 | eb2dc93ff5826812ecae71fb1c8bd92d65db76300e8bbbcd93c91faab60aa2e4 |
| SHA512 | 445441924abfdc31c5d24b0c507ce61a0ea7698bdf09455448fe6c9d719bac7225ef067cb058feb56e8778bdafa149f4a65e8c8fd6d69c38ef897c15b3331fbf |
C:\Windows\system\vgLMsAt.exe
| MD5 | bb7820101fb38362ad11af574f03c0a9 |
| SHA1 | 6244eb4bd98fa8005e7f89295871553a1b028fc1 |
| SHA256 | ee8e2b0d27e9bf85024ce882ce447061269887faa4d4446884a9c2ed72d6e5e9 |
| SHA512 | 67604791d7437af8783c3f3ecad5666e6e48e20b878711c106060a2568c9255f5390bfad5305d2059cf50a385c66473b7e4568e7ad7a0463caf9da16ec810418 |
C:\Windows\system\JKiHOgz.exe
| MD5 | 05bb754d81e586611b5de56033b40251 |
| SHA1 | 864821b706c75f9c5bccf45e9d95d308f95b1e0a |
| SHA256 | 30773e74e6f3089713f9a2a36598881a735ac979120b15c693d3b61a010012bd |
| SHA512 | 277a5fe5f953365b343da5879d336a96fb5a060e84f88b8fd082839e10ce87a6c2340aab3d385e51c44b1b8f02a744d45c96d43ac1a0d910200daf8261f88ca5 |
C:\Windows\system\OYqZuDf.exe
| MD5 | 5e3c52a3893fd17590abf80ee8173dfe |
| SHA1 | 11652a5b1424b54140b0e6e0ba2ecc42827ddfce |
| SHA256 | ec1aeb4abf5f3e8f250e80862f41381f092cca0b2191fe9be651ab7d2a91d05b |
| SHA512 | f43d754adec72dad3660a946fef09725f7ba2f030f996861047de595b9dbc7ec36bba3af9131bcfa2c71e12d146e1346b2c37b248f0708e547e89f99a655260d |
C:\Windows\system\VGbwIJR.exe
| MD5 | 29b308f02f7f2641ed96c2691135ce53 |
| SHA1 | b2cf3bf5a9257b9439496a12cb978abdc8037497 |
| SHA256 | 1cc3fa5d4746d41ca10543e10523c54d50bc79c3ff8919bdd57ba79357aeb8b0 |
| SHA512 | 31369b0fc0edb4e4cd1017746366f75c4284e0582abb9a34bd18e7889c3d28e6a62baee5ddb07e86429f640010ffe468fae8df0a8e62e393ee29a4e4ee2b8b95 |
C:\Windows\system\FaBJKJG.exe
| MD5 | e18489b83563cc9beb78ae5f0e12ada1 |
| SHA1 | 626ffe98c39c3d9c86c5767eed32a2953a999442 |
| SHA256 | 7b7e6e509f435ba936a311c9cf991e3d5fa0f5ee76d4d19e1fdc0aeeeb4638b1 |
| SHA512 | 44081b4fd8a66947efd9bfbb246b5de3290104cda83f894f0824c708612877709488253479b71f6de52e366d50da79c0998cd9bc3210d52b3aad0fa1de3ff2ca |
C:\Windows\system\ZJUlFKW.exe
| MD5 | 55143fd24a494f71ee2e8fb1885db972 |
| SHA1 | 265894ad63c75a96178bc6efd39a3c6988082a6b |
| SHA256 | 088d5104e6223884b6b0763627105d1554570a2d98cdfa3339236dc691a3b154 |
| SHA512 | 0a69983e7c8ee5d4e754dd3bd34d782ac182ff62cd5e69a4845e0eb755fb94d77675ca215c9a38d7ca46d8cbce7d20b0c37d7e5dfb623b1cb22edca0c5ee33df |
C:\Windows\system\OAIBeKN.exe
| MD5 | 2804198cbd66f1798ac02e00e0c53c4d |
| SHA1 | 0694de281e14f37d2c0ad7715f093e37b7a3b89e |
| SHA256 | c6635360abbe75386749756e6b15242d847f79a5fc6e3422c36f5336459df203 |
| SHA512 | f48207935d32d1a58c0bb9e43864001216ad20ebb10999474b090eff354e3c60adb6aaadc8a47fa1d558c9ea2b2153f42bec6f0f130061720f57803678a75254 |
C:\Windows\system\GvQbWvQ.exe
| MD5 | 9a5f720ad8d0f216bf0738b26814519c |
| SHA1 | fc8ad40943c44014282ebe09214ac82635f9e464 |
| SHA256 | c96f7d74b2981abcb1f530166aabe101f17531ea9dc0ff733ece9bff85b93cf8 |
| SHA512 | b2afa8bb687701b9b7b8202777de134727be1c59655448b4aa90b642cd24b4f54b4d1f29519f56914dbc7abae30529eb3f45574ec54f1809540b4830f3a3450d |
memory/2708-118-0x000000013F960000-0x000000013FCB4000-memory.dmp
memory/2560-119-0x000000013F960000-0x000000013FCB4000-memory.dmp
memory/2708-120-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2632-121-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2708-122-0x0000000002200000-0x0000000002554000-memory.dmp
memory/2536-123-0x000000013FD90000-0x00000001400E4000-memory.dmp
memory/2640-124-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/2196-125-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2988-126-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/2856-127-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2428-128-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2708-129-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/2708-130-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2624-131-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2764-133-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2776-132-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/2740-134-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2884-135-0x000000013F320000-0x000000013F674000-memory.dmp
memory/2312-136-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2560-137-0x000000013F960000-0x000000013FCB4000-memory.dmp
memory/2632-138-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2536-139-0x000000013FD90000-0x00000001400E4000-memory.dmp
memory/2640-140-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/2196-141-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2988-142-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/2856-143-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2428-144-0x000000013F690000-0x000000013F9E4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 11:52
Reported
2024-08-06 11:55
Platform
win10v2004-20240802-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\hBLKxtV.exe | N/A |
| N/A | N/A | C:\Windows\System\KUNYIwY.exe | N/A |
| N/A | N/A | C:\Windows\System\gBOZoEE.exe | N/A |
| N/A | N/A | C:\Windows\System\peVdYEF.exe | N/A |
| N/A | N/A | C:\Windows\System\Mtwxwxt.exe | N/A |
| N/A | N/A | C:\Windows\System\RNvPkdk.exe | N/A |
| N/A | N/A | C:\Windows\System\yanjxsW.exe | N/A |
| N/A | N/A | C:\Windows\System\bJojdoo.exe | N/A |
| N/A | N/A | C:\Windows\System\QcHQKcH.exe | N/A |
| N/A | N/A | C:\Windows\System\EaRVozu.exe | N/A |
| N/A | N/A | C:\Windows\System\vVAJsFR.exe | N/A |
| N/A | N/A | C:\Windows\System\ApwcBMs.exe | N/A |
| N/A | N/A | C:\Windows\System\LjRVeOs.exe | N/A |
| N/A | N/A | C:\Windows\System\pThaOgo.exe | N/A |
| N/A | N/A | C:\Windows\System\NEbXySH.exe | N/A |
| N/A | N/A | C:\Windows\System\ShXMVIC.exe | N/A |
| N/A | N/A | C:\Windows\System\LoZwWWY.exe | N/A |
| N/A | N/A | C:\Windows\System\Boteanv.exe | N/A |
| N/A | N/A | C:\Windows\System\htfItNd.exe | N/A |
| N/A | N/A | C:\Windows\System\JQMOnLl.exe | N/A |
| N/A | N/A | C:\Windows\System\bcZhGGV.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_5d069a49629567730316e031c056f493_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_5d069a49629567730316e031c056f493_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_5d069a49629567730316e031c056f493_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_5d069a49629567730316e031c056f493_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\hBLKxtV.exe
C:\Windows\System\hBLKxtV.exe
C:\Windows\System\KUNYIwY.exe
C:\Windows\System\KUNYIwY.exe
C:\Windows\System\gBOZoEE.exe
C:\Windows\System\gBOZoEE.exe
C:\Windows\System\peVdYEF.exe
C:\Windows\System\peVdYEF.exe
C:\Windows\System\Mtwxwxt.exe
C:\Windows\System\Mtwxwxt.exe
C:\Windows\System\RNvPkdk.exe
C:\Windows\System\RNvPkdk.exe
C:\Windows\System\yanjxsW.exe
C:\Windows\System\yanjxsW.exe
C:\Windows\System\bJojdoo.exe
C:\Windows\System\bJojdoo.exe
C:\Windows\System\QcHQKcH.exe
C:\Windows\System\QcHQKcH.exe
C:\Windows\System\EaRVozu.exe
C:\Windows\System\EaRVozu.exe
C:\Windows\System\vVAJsFR.exe
C:\Windows\System\vVAJsFR.exe
C:\Windows\System\ApwcBMs.exe
C:\Windows\System\ApwcBMs.exe
C:\Windows\System\LjRVeOs.exe
C:\Windows\System\LjRVeOs.exe
C:\Windows\System\pThaOgo.exe
C:\Windows\System\pThaOgo.exe
C:\Windows\System\NEbXySH.exe
C:\Windows\System\NEbXySH.exe
C:\Windows\System\ShXMVIC.exe
C:\Windows\System\ShXMVIC.exe
C:\Windows\System\LoZwWWY.exe
C:\Windows\System\LoZwWWY.exe
C:\Windows\System\Boteanv.exe
C:\Windows\System\Boteanv.exe
C:\Windows\System\htfItNd.exe
C:\Windows\System\htfItNd.exe
C:\Windows\System\JQMOnLl.exe
C:\Windows\System\JQMOnLl.exe
C:\Windows\System\bcZhGGV.exe
C:\Windows\System\bcZhGGV.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3056-0-0x00007FF687B60000-0x00007FF687EB4000-memory.dmp
memory/3056-1-0x000001CDC63C0000-0x000001CDC63D0000-memory.dmp
C:\Windows\System\hBLKxtV.exe
| MD5 | dad50c056c21eb1dc1bd694b6da2cb91 |
| SHA1 | a249cafce845bb4bec247f123551777eb3565f15 |
| SHA256 | 1ddaba18e711165482378a052394981db14d86e455cbc452be361e8f38b45fa3 |
| SHA512 | 3adbf774fe13d8aabe58b1de8dfb6f53c720882d2d4e3773c08089c3d16405a6196e2c7be9aadf95b346227882e63da45ae35679340f9b089fa924cc6f06798d |
memory/3256-9-0x00007FF7C6DB0000-0x00007FF7C7104000-memory.dmp
C:\Windows\System\KUNYIwY.exe
| MD5 | ccb911a5cb98d334068012208f555172 |
| SHA1 | 30ae429635dd41a5fbc5354cdd70caf1c9737e31 |
| SHA256 | 121c9b73510c144b55db89f314086ea267ab8b06a8584c01408a758252f1479a |
| SHA512 | cb3c694d9f60b9f05ccd14b855fc8ffe856d2a09260ec8c064b57c4032860629fdcbbef59644afaa2ae663ed32889bc6ef9435118459eed9e0459aa7f49c7d9d |
C:\Windows\System\peVdYEF.exe
| MD5 | 54c8df7a3cb4d61e9068403a5fda63bd |
| SHA1 | d6a9fe259a6d1696fdbd233829e9a46ceed69a89 |
| SHA256 | 67be8aef937f49fd93683edb8ef9c301a53c3b7f7da39a068c7f49d255db9dce |
| SHA512 | 0f9147d35bfaacef35b264f6fb450932f35c37791be760a083483aa4d2994efb61e09ab76a3a956812726483b7009e39239291214a00d9faf64d466e730da4c1 |
C:\Windows\System\gBOZoEE.exe
| MD5 | df4d19dc1b15af3a5ff7b84b5cb596fb |
| SHA1 | d04af3dbfc106ab2c60a45de1ce267f2a4d1a269 |
| SHA256 | ed7c860beedd78904cbb6e9fd7bca3ef3f29bd26bfd00054f262f32ad6445b2f |
| SHA512 | 3059054a1d3b3914f1e2a2abb921c6e26a515f8fb92f95448cf6ddf8a79e3f5604274b12aea65b69a53040b6c98ee975f8c616d7803478a3bad157889d63cf93 |
memory/4092-25-0x00007FF72E700000-0x00007FF72EA54000-memory.dmp
C:\Windows\System\RNvPkdk.exe
| MD5 | 9e8b5b559fed12d4b6e2f237071e5fe8 |
| SHA1 | 0ee292af5e1de63ae22acd67ef128730a8539812 |
| SHA256 | 9c671c2e8e0b68f94a23d058f177875685c50a0d26ff1da04422fd3172638f27 |
| SHA512 | 8ed5540616c954ff6796a20e53124317ef4294fed4156c5674fa002e5b7b112c8c592839ab5301d943b893a9e93083335874fe3dd7f7af4f6c7ea7f5a85cadba |
C:\Windows\System\Mtwxwxt.exe
| MD5 | b094288a667034327c8ff05d3d326a3e |
| SHA1 | be21caa48bc00ce7b9e07d129dfffa35f4e72763 |
| SHA256 | 9bf1d5fcf597f0c239c512363f7092e54aef6b66dfa3f77205f0bdcf71409abf |
| SHA512 | b63731d4384623bd234902f5d1c5d9e473e8f470f2ab348408f5642431551a0fa776767a6a6f837583f76a1e95c000bd8ee86411f2a917c2751b085062551f70 |
C:\Windows\System\QcHQKcH.exe
| MD5 | d87e73b32262cc75b9e5bed65e19598a |
| SHA1 | 5c832aec5a297556f4a28718e9bd1371037e3b19 |
| SHA256 | 467dbd23964abc365dc236b29ba535a724adac933563dd498df69eeaebaccce9 |
| SHA512 | 01ad3bc657b8b39acc13a1d49e303b4e4b1740a3059f8d14734d2ee4b8966b24634e2eb6d8684df973d752f886ea40b8fa2c5926fcc31b7a4a58a490763af980 |
C:\Windows\System\EaRVozu.exe
| MD5 | 8c8f64fe5f86a49c23645f307625da4e |
| SHA1 | ff6b85c2628a4b1ad3f3a9a479feb93066bb6b3b |
| SHA256 | 93078ec14144ca9c20e0bfdf1c934c75b4fd57314bc7870f682411170220c426 |
| SHA512 | 1806e6b1fcf3431c95c1eabd031ac7eb793ea07b16b9a5f2732f5b38192c96f88e9b6f4fa3288cfdf63f2c56982e05f952601bde60afc6ec1189d2f7ddf1185b |
memory/3120-64-0x00007FF696B60000-0x00007FF696EB4000-memory.dmp
C:\Windows\System\vVAJsFR.exe
| MD5 | edec393e81ad669ca55794dd0112d440 |
| SHA1 | 9275bd13395a5e7637c18cfbff2e6f304f9e6f0e |
| SHA256 | a096fe21defb472566c26d710b6b2e2e4ea78f7891f55c34f5a75c7b62ae4b68 |
| SHA512 | 26b868d90e7154cb45a5376eef133b4b083557c05d30063bef0cd8e10cb61ee356fb3ffd68168ab4d75487a5cb1b1574d8d023f282d7047d4ba9d08cf7a821c3 |
C:\Windows\System\LjRVeOs.exe
| MD5 | b458c3da61c9b3411705838577e96dde |
| SHA1 | a4eda8105638634f9a484cf49c105f13263cd0b5 |
| SHA256 | d094a31f9229dff1cfd746dd555d8ad0504247e436656085efac2f5c6a6e070c |
| SHA512 | 5c68cc42398479ad2ed2ca9757fc2c7a05ea165e2fb78e8d8beb22de7dac78e96a2e444d76d376f0a17cbeda4ef3f12dbfb43a78d43c2bc523372676bb3fb91d |
C:\Windows\System\LoZwWWY.exe
| MD5 | ae2bd6b58836a5cd5cff25b4dd66e906 |
| SHA1 | 12e3b80bf0e4f06d1465e1868ebea4246937422f |
| SHA256 | b70723209ce40a576ee5b28f9c8a7b1042f2d2d7166232a719610f64c97dac88 |
| SHA512 | 21301706d3693b28f0cb9361be0ef052cb4c8cf5f6849bc4ac60a588e60d7be5dc6b31401c72142c72ca605f9084f197a916bc48a6120c83340314c3b3e553ca |
C:\Windows\System\bcZhGGV.exe
| MD5 | d8f1bfcf6ebf0f938a14ef97d22d1311 |
| SHA1 | 21a354857cb912d6a6adbb2395b33586800529db |
| SHA256 | 68feb3544f4f674b23d2288d246f766ee1c804c64263425dc26443eb40406df3 |
| SHA512 | 6fc0265f4f53769d9b5878b7b2498eff9add1a072bef4a27e970f4db235466434526d7c170976a3df5a1c36d06b4c1dbca67e6bb1316483d6704c5b8ae543d1d |
C:\Windows\System\JQMOnLl.exe
| MD5 | 1d7978f2defa0e47acb9c52a7d6f6b53 |
| SHA1 | 020ad48cadaa4cc100fa0db85eab7da17ac074d9 |
| SHA256 | 347f75558e09bb1e9ccaec1536e01d2084d49307d37e65ad5fefffe4491cd8df |
| SHA512 | d7c489c3f79903cf224bf30a82d7b04cf1d1e51691c29af3722fdcd2d5c19694d2dacc307445f664170e95f8eb6aeb008515488389fc9bf4d77767a1c96bce5e |
C:\Windows\System\htfItNd.exe
| MD5 | 2ad30936d8cc8a4f6faa0c660b9b0084 |
| SHA1 | ecd4b29f3db6aff8db862e04449632078f5f2644 |
| SHA256 | 05128807c10726da16b4cd2d0c5c1929c54f001851430bb72f17d5673e0b60d7 |
| SHA512 | dedcc5f07ca804ba80774d99b307701759929fe41da6defe1c57ea2bb9e0d37a5a02b742b27419a34139c534d72c1ef9530a0ec48031b004f21b823fe3755cb0 |
C:\Windows\System\Boteanv.exe
| MD5 | 963dcbff0e34c8ee366a15470f3855eb |
| SHA1 | 72592879a01ef31e3bfb8082efc48b73baa4560b |
| SHA256 | 3f19015d8d7f55c2d8b7696ded670f4fcb08e8cbd5d23f0d240987288bb1ebe1 |
| SHA512 | e727de1583b207f1396bc0bdb2afc519afabcb59d5d93f5f88f39b0e12a3fbb151096caecde974040a8be73839b5f0ab4301cc914065f93b9846c19a5f8048fa |
C:\Windows\System\ShXMVIC.exe
| MD5 | 9933496aefea1cb156f1d598c0498130 |
| SHA1 | ab1b04da71bc9c69a571b1f8cc14df1471df53f3 |
| SHA256 | 7270cedc4836b16a898f0edd2b4342b4eb27aed551fc4de19ecf2ee27d2f202d |
| SHA512 | 5e753c3578fcfcb2dcdebb04e30dc09d0e3eb7a75a9671dc672d71c5414a6d6428986e99693b9235e8ec8c9a51fe9ed7918f68de8c7a18f18b1bc6e9f80ae759 |
C:\Windows\System\NEbXySH.exe
| MD5 | 4b3e5db8a097886d4cf86b5c03b4af38 |
| SHA1 | e0fb8c6c91609e0dcefcbdeb4fffbd9aaac8175a |
| SHA256 | 9c698fb213c62a305c26f1db7fdb9d7f7934b91db3e8e3a36d7693ba66a43581 |
| SHA512 | a8ed9c51250b79c868a6c1779bf367570f00d20460a6c8c19ae0caab20dc6c0d3476f7e4b3df8218d5598f2dfa40b4efe26bc066d988c8bbef33c22efd7ac247 |
C:\Windows\System\pThaOgo.exe
| MD5 | 0ab33e5da8e49c011b7d318bee80768c |
| SHA1 | 5ec6472745c0bd84ef506b17d1294b27e68e0684 |
| SHA256 | fea8ed184a516300918f5cd10f86ef54d2cb23a28cee688b852887145402c26c |
| SHA512 | 5d755eb33a7ed8291ed2d1368b68908c58991d045899db968ca682ad3bde0623bd643d6aadc35bb186be4b47dc2a82de8d8b9dbfda19a72979464d9ad5d0b470 |
memory/744-93-0x00007FF720040000-0x00007FF720394000-memory.dmp
memory/1440-86-0x00007FF6DE650000-0x00007FF6DE9A4000-memory.dmp
C:\Windows\System\ApwcBMs.exe
| MD5 | 79fa4438ce611a5d8ebc76fe63d92997 |
| SHA1 | 417f870a32034747745ed5592b68982cc1d94383 |
| SHA256 | d5dd7f353d09d809ce172ecf53c68197bddad9d67cc56454c53d744634f74031 |
| SHA512 | 4452e23d4ad54d1efb1b64dab1d0c185f1709f1462e656369178dc6e38e6d6e3a26cba0b4daf932a81fdd1630c83859536e34d4f144edd558fb4b71e58e1a97c |
memory/3804-61-0x00007FF731A50000-0x00007FF731DA4000-memory.dmp
memory/1912-60-0x00007FF6CB900000-0x00007FF6CBC54000-memory.dmp
memory/1724-55-0x00007FF7D67E0000-0x00007FF7D6B34000-memory.dmp
memory/1928-54-0x00007FF6F4040000-0x00007FF6F4394000-memory.dmp
C:\Windows\System\bJojdoo.exe
| MD5 | ad37c221039e461978d9f6a0caecbcd8 |
| SHA1 | 44df0a6365121ba24fdaaa6af5c0c052444d5590 |
| SHA256 | 58d5f435fde72931a79943e82c408960a76ed9e39bc2d3814e54ad0d43d1c9ba |
| SHA512 | 437f5e4b82c9185b46edef3d494c4654982fbcd7f2c4927666e5959da1e77075a908876d2d8a4ab226756784a604bec12db107e5297290297757180d60b2ce0d |
C:\Windows\System\yanjxsW.exe
| MD5 | f10d198fda62306ff6935e489c01a20d |
| SHA1 | 4ea1c9fae1b995f85aa18ddaf1182b56e78455be |
| SHA256 | b4e28edbcdf03be8d43ff8275a5b9f485eac2e6ebbde876c25b0c42028ca4b88 |
| SHA512 | 3d42b3a7e21a19b1b089694985fd491689dce12379e8ca6558c7b5589e2032a477be3cd764389203e8447c2cdf0e482a6f3ba3486616e9315b588cc4a3f52b57 |
memory/2200-44-0x00007FF7ACFC0000-0x00007FF7AD314000-memory.dmp
memory/5072-38-0x00007FF74AEC0000-0x00007FF74B214000-memory.dmp
memory/3544-35-0x00007FF644D60000-0x00007FF6450B4000-memory.dmp
memory/4000-119-0x00007FF6D8CA0000-0x00007FF6D8FF4000-memory.dmp
memory/4656-120-0x00007FF653EB0000-0x00007FF654204000-memory.dmp
memory/3144-121-0x00007FF7243C0000-0x00007FF724714000-memory.dmp
memory/864-124-0x00007FF6B6BA0000-0x00007FF6B6EF4000-memory.dmp
memory/2760-123-0x00007FF726750000-0x00007FF726AA4000-memory.dmp
memory/1696-122-0x00007FF61A370000-0x00007FF61A6C4000-memory.dmp
memory/2168-125-0x00007FF688300000-0x00007FF688654000-memory.dmp
memory/3036-126-0x00007FF673350000-0x00007FF6736A4000-memory.dmp
memory/2412-127-0x00007FF697A70000-0x00007FF697DC4000-memory.dmp
memory/3056-128-0x00007FF687B60000-0x00007FF687EB4000-memory.dmp
memory/3256-129-0x00007FF7C6DB0000-0x00007FF7C7104000-memory.dmp
memory/2200-130-0x00007FF7ACFC0000-0x00007FF7AD314000-memory.dmp
memory/1928-131-0x00007FF6F4040000-0x00007FF6F4394000-memory.dmp
memory/5072-132-0x00007FF74AEC0000-0x00007FF74B214000-memory.dmp
memory/3256-133-0x00007FF7C6DB0000-0x00007FF7C7104000-memory.dmp
memory/4092-134-0x00007FF72E700000-0x00007FF72EA54000-memory.dmp
memory/3544-135-0x00007FF644D60000-0x00007FF6450B4000-memory.dmp
memory/1724-136-0x00007FF7D67E0000-0x00007FF7D6B34000-memory.dmp
memory/5072-138-0x00007FF74AEC0000-0x00007FF74B214000-memory.dmp
memory/1912-137-0x00007FF6CB900000-0x00007FF6CBC54000-memory.dmp
memory/2200-142-0x00007FF7ACFC0000-0x00007FF7AD314000-memory.dmp
memory/3804-141-0x00007FF731A50000-0x00007FF731DA4000-memory.dmp
memory/3120-140-0x00007FF696B60000-0x00007FF696EB4000-memory.dmp
memory/1928-139-0x00007FF6F4040000-0x00007FF6F4394000-memory.dmp
memory/744-144-0x00007FF720040000-0x00007FF720394000-memory.dmp
memory/1440-143-0x00007FF6DE650000-0x00007FF6DE9A4000-memory.dmp
memory/4656-148-0x00007FF653EB0000-0x00007FF654204000-memory.dmp
memory/864-150-0x00007FF6B6BA0000-0x00007FF6B6EF4000-memory.dmp
memory/3144-152-0x00007FF7243C0000-0x00007FF724714000-memory.dmp
memory/2760-151-0x00007FF726750000-0x00007FF726AA4000-memory.dmp
memory/2412-147-0x00007FF697A70000-0x00007FF697DC4000-memory.dmp
memory/1696-149-0x00007FF61A370000-0x00007FF61A6C4000-memory.dmp
memory/3036-146-0x00007FF673350000-0x00007FF6736A4000-memory.dmp
memory/4000-145-0x00007FF6D8CA0000-0x00007FF6D8FF4000-memory.dmp
memory/2168-153-0x00007FF688300000-0x00007FF688654000-memory.dmp