Analysis Overview
SHA256: c7f1d2ad027183698f66593d55ddc3116b0a035deb5e8d2450ff5763edd396a2
Threat Level: Known bad
The file 2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike
Cobaltstrike family
XMRig Miner payload
xmrig
Xmrig family
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported: 2024-08-06 11:56
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted: 2024-08-06 11:56
Reported: 2024-08-06 11:59
Platform: win10v2004-20240802-en
Max time kernel: 142s
Max time network: 150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\vOrpsMG.exe | N/A |
| N/A | N/A | C:\Windows\System\TIRnwUu.exe | N/A |
| N/A | N/A | C:\Windows\System\ZDrxZew.exe | N/A |
| N/A | N/A | C:\Windows\System\bimROGZ.exe | N/A |
| N/A | N/A | C:\Windows\System\ovNMJGd.exe | N/A |
| N/A | N/A | C:\Windows\System\esjbvZP.exe | N/A |
| N/A | N/A | C:\Windows\System\AcNWdgT.exe | N/A |
| N/A | N/A | C:\Windows\System\RTIuzUa.exe | N/A |
| N/A | N/A | C:\Windows\System\QXRWdLc.exe | N/A |
| N/A | N/A | C:\Windows\System\HWHOvnF.exe | N/A |
| N/A | N/A | C:\Windows\System\RgeWCbN.exe | N/A |
| N/A | N/A | C:\Windows\System\wQiyXVq.exe | N/A |
| N/A | N/A | C:\Windows\System\NnrcvDC.exe | N/A |
| N/A | N/A | C:\Windows\System\lueruHE.exe | N/A |
| N/A | N/A | C:\Windows\System\OBxmEzh.exe | N/A |
| N/A | N/A | C:\Windows\System\JJdeuwn.exe | N/A |
| N/A | N/A | C:\Windows\System\PQhgzUz.exe | N/A |
| N/A | N/A | C:\Windows\System\dGkmDIM.exe | N/A |
| N/A | N/A | C:\Windows\System\YLiZEAy.exe | N/A |
| N/A | N/A | C:\Windows\System\lZstcZe.exe | N/A |
| N/A | N/A | C:\Windows\System\YXqhHlp.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\vOrpsMG.exe
C:\Windows\System\vOrpsMG.exe
C:\Windows\System\TIRnwUu.exe
C:\Windows\System\TIRnwUu.exe
C:\Windows\System\ZDrxZew.exe
C:\Windows\System\ZDrxZew.exe
C:\Windows\System\bimROGZ.exe
C:\Windows\System\bimROGZ.exe
C:\Windows\System\ovNMJGd.exe
C:\Windows\System\ovNMJGd.exe
C:\Windows\System\esjbvZP.exe
C:\Windows\System\esjbvZP.exe
C:\Windows\System\AcNWdgT.exe
C:\Windows\System\AcNWdgT.exe
C:\Windows\System\RTIuzUa.exe
C:\Windows\System\RTIuzUa.exe
C:\Windows\System\QXRWdLc.exe
C:\Windows\System\QXRWdLc.exe
C:\Windows\System\HWHOvnF.exe
C:\Windows\System\HWHOvnF.exe
C:\Windows\System\RgeWCbN.exe
C:\Windows\System\RgeWCbN.exe
C:\Windows\System\wQiyXVq.exe
C:\Windows\System\wQiyXVq.exe
C:\Windows\System\NnrcvDC.exe
C:\Windows\System\NnrcvDC.exe
C:\Windows\System\lueruHE.exe
C:\Windows\System\lueruHE.exe
C:\Windows\System\OBxmEzh.exe
C:\Windows\System\OBxmEzh.exe
C:\Windows\System\JJdeuwn.exe
C:\Windows\System\JJdeuwn.exe
C:\Windows\System\PQhgzUz.exe
C:\Windows\System\PQhgzUz.exe
C:\Windows\System\dGkmDIM.exe
C:\Windows\System\dGkmDIM.exe
C:\Windows\System\YXqhHlp.exe
C:\Windows\System\YXqhHlp.exe
C:\Windows\System\YLiZEAy.exe
C:\Windows\System\YLiZEAy.exe
C:\Windows\System\lZstcZe.exe
C:\Windows\System\lZstcZe.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\vOrpsMG.exe
| MD5 | ee9e7472e76da40537bbc96bfb54de3d |
| SHA1 | fa595f4ff2e120510f61fd2e9074a7a0bab5780f |
| SHA256 | 62c711f0d3290c9440ce0a3df9fc2247a55a1b4becd87a319d7290b43b2fe50d |
| SHA512 | d6e769550cd28b6b07519d7e1de3d575fd75f8f9349ddc54cb6fc6e941598dd1041939a814387567c27508ace38b80d8f16acf927603721a5846ca8e9bb22b20 |
C:\Windows\System\ZDrxZew.exe
| MD5 | 950b376a5eb2410c9e55db31b5a8975e |
| SHA1 | a893e0400fa4aed801d9365e8675c9d08b21d42c |
| SHA256 | f064803086fb70ae5b5b30c33dd89d112ca77107781a6529bbf7bcd63ba05ac9 |
| SHA512 | 27aee2e52f357640ca002bc40bd1e7c3f6364fb1a9ac186d27d46b5190d0fde6462e45f196b67c06bf0acb26c6c392ff5def1b9fd7c757f09ee6b3455191a323 |
C:\Windows\System\TIRnwUu.exe
| MD5 | 7315a23db3a927a0a253eb81b91f3592 |
| SHA1 | a7efde3b384588034764b7874d2062b30aa49667 |
| SHA256 | dbf6ca9515b10a9fbd374fe3ae1dba67452c292bf69c3290fb411986a57161ae |
| SHA512 | d020ad356d1428b7346d1477ea760bcc1fd5950189568fcfb0c32e4b7aa157b359b709e0853bf4ee3c5288fd690ed5933818399ff2edcdb0348bbd109555fd76 |
C:\Windows\System\ovNMJGd.exe
| MD5 | f4d6e972b2ec8aa065f39ea022d85fca |
| SHA1 | 47f913b9407d39105adf9c7da601bdda3015c263 |
| SHA256 | d9e907aeb0ab3c392a1b53a57de2dab40ecdcd3edcd32086e62b0e41cf823dc9 |
| SHA512 | da4b874cd03cd316db0d85ad3fe86d050052cf4cde45d61c2953c35c6736a60172eca1baeba322e48d5b04742629209b3cbc68e7723d93f6539f12f0c283ce10 |
C:\Windows\System\HWHOvnF.exe
| MD5 | 8a8c3422bfc29a770f00c4f90289cd70 |
| SHA1 | b55db37e2828bd1d614f2b237620d4670fd83258 |
| SHA256 | ebc0804c7552c739daf87639f2277b5948a5a2ece89d4193c8d1d5681a35f848 |
| SHA512 | 6b91e05ee778445f94629cd91f9fadf1d5e4e3d8763909a508433e12b8bbccbf2f66a8971d1e9d4be4f6f1353ef2e997b16efa77bc445a32270ab81b018c12c3 |
C:\Windows\System\wQiyXVq.exe
| MD5 | ff17dc9355b6ac10aadcf233a156e5bb |
| SHA1 | 8e33cc2e2a40a0073042a9c4ff83dfd99065e3cd |
| SHA256 | 88a57b20b1fce993d0bb1310ea5fb02eac78b9013a3b48f74ff1a36c2f3daf8c |
| SHA512 | a11e1697e200dd01fadbbe31b1ea3b56a2c843039c0f38ccf40455a06d7b28a8ac87df4697ed21987d4e18610fd1609aef31b35bd46c8c2284ceee2c0c300eb5 |
C:\Windows\System\NnrcvDC.exe
| MD5 | fca2d8f931ae3d73ce3a2ec6c92699f0 |
| SHA1 | b1e71bf5f65de1dc493d93adca07209aacc044b8 |
| SHA256 | d413fae0cbce972cd6e9dd6ec168157e5e9b614e60d39b21545008561c9fbca1 |
| SHA512 | a4c350be5a0ab289b6c8fa674e42dbecb9d368f7fff7adbaf1283f319338475f815501f310f86432a8a0afdc396cdcf3216d16d17aef89b4eface5845777677c |
C:\Windows\System\OBxmEzh.exe
| MD5 | aed71f971f06b648139c0e3beaabacf6 |
| SHA1 | 62f1eb75bf8c663c3a8179ee355d4f64e77d0390 |
| SHA256 | 9c5180aaa3260957ffa6a7363cd9b0490a06441e781b1a3bed904ff459010724 |
| SHA512 | 8ab15081adc7341624ff17657e7e35b107ba31312fb9b2fd0dc4a92dbb5b426dec93e18f2d510ca20f48172a79f2356033180af1d4a3f925a371959a74922521 |
C:\Windows\System\dGkmDIM.exe
| MD5 | a789fb6cf14e8ee0386930c7f27b3d09 |
| SHA1 | dc47c5a86f2895bb2493af184bb0e877b3b592aa |
| SHA256 | 25294402529b4dbef89680b875348bb9d894e1864cd10bcc18aa6e03960d6979 |
| SHA512 | 9927bdc46c29426baf1a0c0d302051f18b8a53438ca7ffec7b0e2b83460939d7479f70fad57ea9a69ec2e5892581d474362ea72806fff40d89a2803d0039df05 |
C:\Windows\System\YXqhHlp.exe
| MD5 | 19d09261ff28ef11b78cf8f594b9f5fb |
| SHA1 | 6b8c511e83dcd57bfa58f7590e7c10acee56c63f |
| SHA256 | 8068795370b7afcfe30ccb018ba60b9ae7fa6cf7d342f16fccd497844cd0c0c0 |
| SHA512 | 46b2f2795ca04ea3d3503f7dca1ca9ff750c5a00a6975af93162a713f87ade827af0c5e34f0a60028faa8432c4f4a018b0e927955f7b4ac569a3140c35bfda51 |
C:\Windows\System\lZstcZe.exe
| MD5 | aa4d46691abece6940178e17fedd2a1d |
| SHA1 | f1f420b75e9bdc8530a4da158d0244ece1449192 |
| SHA256 | bb28997da966650c5d849ceb549997fed1d6db31f1113e1ad6f6032f62f9e06a |
| SHA512 | 5241999818dbe8f1576f3816fdbd74c848b6f198c7a843df8961bb41681dbd1ab8216157ca2772132841fe53195ffc21cd9228f6ae44da68f103a6caf3745d9a |
C:\Windows\System\YLiZEAy.exe
| MD5 | 911d08148edc09ded0b8457ee7bc0adb |
| SHA1 | e108eef8e38ad4f9e8ef61668e80aed6dad35117 |
| SHA256 | a13eb827b0e7380067da9eb22a13e25c335f333bb995d418eb7206b2a55e16fb |
| SHA512 | cb2d84b62bc57e1ec16f811a7e298e3a5c42b170303fe5caa9a06650127d1e48569744f3aba333f3318f0714f418d5471bcbed4ac4295f2b16df9469362939da |
C:\Windows\System\PQhgzUz.exe
| MD5 | eb35d7012470f28b07f7f30074c787c4 |
| SHA1 | 8cf5e4f479e1fa30b1311c247273079f3fae0170 |
| SHA256 | c77c6033b5dc1e42c7e7ee760b73ef91035940c712b09e00cc455932efc3000a |
| SHA512 | 3beaf188e558d2cce4acf5800dca3cf6186bd699af17aa723765f5abbecc049966375495d1564779984371f56aff02fb90f361ffcfef67d7990af9a09a1655f1 |
C:\Windows\System\JJdeuwn.exe
| MD5 | 3d96b3db69d833e1a97de71ee722b535 |
| SHA1 | c4f32bf260c986b2d9ea6c2c1d9488cf0e357b82 |
| SHA256 | 30b7b5c989e8e93f1547e7b2b03b9afb4512f64e13c67081f00ba4d67ac7b5c1 |
| SHA512 | d16a8ff7754b80a136db2322ce02ca90ef14bdd626d788447a228e3774cf38e90d7624c201e32d018f19a211bfa65d35a1805483afae791a6be9543f1cdd92bc |
C:\Windows\System\lueruHE.exe
| MD5 | 8511ca951c8921c4215cf6a4a2aec7db |
| SHA1 | c65e7a282967ce093e8b9261b6c7ceb8cac547c6 |
| SHA256 | 647fd61070a8703771042336dad20788c164d3115cccc9c3dc0f829c8e487487 |
| SHA512 | 3e69f6732e7d00b969a61e25dabd4b6d2ee799b9a0fd83f84352b701e7b901c5a86ef7362a3e780bad91094c1a814d31ca30bf0e0100174e0ca6605aeb143617 |
C:\Windows\System\RgeWCbN.exe
| MD5 | 66faa074353cb8f06141ef11d3da5d9d |
| SHA1 | 93721ebae146a9da9392a0d9593031dfaa5b3a0b |
| SHA256 | 3807b992a3afef06da4bfdf4f7648f941d4927dc07a0bd739085e27efbeab384 |
| SHA512 | 27e12578d83034f474e03e69910fabf686e3b5a1f664c43be9f358127c57d34d7ed3b2b62882a70ad7da281357840edc1fcb288731f440ca215573896a3e7d75 |
C:\Windows\System\QXRWdLc.exe
| MD5 | ec6449498347b257d9fb57b114bbf55a |
| SHA1 | 633542dbdd1adf286c016231fae2b743b11a5b7f |
| SHA256 | d5ca09f1b6d7deb71e8901f4c5e4685062ede8130dc6e1fb36c2f5f9134be98b |
| SHA512 | 9d27b76dd98ecdd667f61218091da28864d25b0e39931b0b4ed43ffb3245dc5fefede17114556f1318e7e594dcbde5d5f1c275eba780bf676caaa6d8b3aed719 |
C:\Windows\System\RTIuzUa.exe
| MD5 | db0cafcd6953144e72ac77ba7b53b65f |
| SHA1 | 40d4f7b335a2ae9b429e442428f97ff218326e8c |
| SHA256 | 9aff080617571ab6d87d986d0cbce9819327ea12bd7eb4ed26bb82c45175b7bd |
| SHA512 | ea40e869072f6eed7dde78a926177a74c35a761a2d9448f50a7c11aa4221fbf1fb5edf464906abee8a4094d99b45f8b162ff389d0646d5b35367ebf8a4e80ff6 |
C:\Windows\System\AcNWdgT.exe
| MD5 | a1dca10f43022f31c96ac73167eefbe8 |
| SHA1 | 05cb4d5c79f010fc92dbe25d24f3a11473fac017 |
| SHA256 | 349b66524495066e6546112460f0312b21a437ac9eec6d556c46e6cf999458b9 |
| SHA512 | a3ba6dba0fd9ac5917321e6d7bdf74e5692e829dc590d4369808a8b4489085980c8b62a19856ebab4eb3111c1ee5f213cc536317e8c1696cad8a6d6fe7597750 |
C:\Windows\System\esjbvZP.exe
| MD5 | 966f4539a03ea29bf3bfbdada921efbb |
| SHA1 | fcf9ae9670284d310edd82ba73dd72d728703110 |
| SHA256 | ecf023949ebee3a78dfdf4473648d15c804ffdfe9daab05c00e15afb01d2cf32 |
| SHA512 | decc1845dbb688838d4c8e316d40512dfb7a378e22d57e17038ac1774aa6e88f65def6ba8af4e7c086e77c59b0181cfe1600d817d0c627c65e20ced64ca72cef |
C:\Windows\System\bimROGZ.exe
| MD5 | 9d5a4941f675b993e492a799163027b1 |
| SHA1 | e2015d8742dae6819846e7cd809edf2095f5e990 |
| SHA256 | 8822c6f1637ae0ea330d9c5f8e2b9f529e04fb200f81b324f591ddfc8aa14700 |
| SHA512 | 875d8f9413cb1185152f17e880c4d7a9de29dd326a7481dd9a09e5fce01230eb1f42654a544ee1f16e393f485ab2698c58179b7d4073412e4027ea4d8c43bc71 |
Analysis: behavioral1
Detonation Overview
Submitted: 2024-08-06 11:56
Reported: 2024-08-06 11:59
Platform: win7-20240708-en
Max time kernel: 139s
Max time network: 150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\vOrpsMG.exe | N/A |
| N/A | N/A | C:\Windows\System\TIRnwUu.exe | N/A |
| N/A | N/A | C:\Windows\System\ZDrxZew.exe | N/A |
| N/A | N/A | C:\Windows\System\bimROGZ.exe | N/A |
| N/A | N/A | C:\Windows\System\ovNMJGd.exe | N/A |
| N/A | N/A | C:\Windows\System\esjbvZP.exe | N/A |
| N/A | N/A | C:\Windows\System\AcNWdgT.exe | N/A |
| N/A | N/A | C:\Windows\System\RTIuzUa.exe | N/A |
| N/A | N/A | C:\Windows\System\QXRWdLc.exe | N/A |
| N/A | N/A | C:\Windows\System\HWHOvnF.exe | N/A |
| N/A | N/A | C:\Windows\System\RgeWCbN.exe | N/A |
| N/A | N/A | C:\Windows\System\wQiyXVq.exe | N/A |
| N/A | N/A | C:\Windows\System\NnrcvDC.exe | N/A |
| N/A | N/A | C:\Windows\System\lueruHE.exe | N/A |
| N/A | N/A | C:\Windows\System\OBxmEzh.exe | N/A |
| N/A | N/A | C:\Windows\System\JJdeuwn.exe | N/A |
| N/A | N/A | C:\Windows\System\PQhgzUz.exe | N/A |
| N/A | N/A | C:\Windows\System\dGkmDIM.exe | N/A |
| N/A | N/A | C:\Windows\System\YXqhHlp.exe | N/A |
| N/A | N/A | C:\Windows\System\YLiZEAy.exe | N/A |
| N/A | N/A | C:\Windows\System\lZstcZe.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_8032d255bb51876d7a8a21cb4f23c571_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\vOrpsMG.exe
C:\Windows\System\vOrpsMG.exe
C:\Windows\System\TIRnwUu.exe
C:\Windows\System\TIRnwUu.exe
C:\Windows\System\ZDrxZew.exe
C:\Windows\System\ZDrxZew.exe
C:\Windows\System\bimROGZ.exe
C:\Windows\System\bimROGZ.exe
C:\Windows\System\ovNMJGd.exe
C:\Windows\System\ovNMJGd.exe
C:\Windows\System\esjbvZP.exe
C:\Windows\System\esjbvZP.exe
C:\Windows\System\AcNWdgT.exe
C:\Windows\System\AcNWdgT.exe
C:\Windows\System\RTIuzUa.exe
C:\Windows\System\RTIuzUa.exe
C:\Windows\System\QXRWdLc.exe
C:\Windows\System\QXRWdLc.exe
C:\Windows\System\HWHOvnF.exe
C:\Windows\System\HWHOvnF.exe
C:\Windows\System\RgeWCbN.exe
C:\Windows\System\RgeWCbN.exe
C:\Windows\System\wQiyXVq.exe
C:\Windows\System\wQiyXVq.exe
C:\Windows\System\NnrcvDC.exe
C:\Windows\System\NnrcvDC.exe
C:\Windows\System\lueruHE.exe
C:\Windows\System\lueruHE.exe
C:\Windows\System\OBxmEzh.exe
C:\Windows\System\OBxmEzh.exe
C:\Windows\System\JJdeuwn.exe
C:\Windows\System\JJdeuwn.exe
C:\Windows\System\PQhgzUz.exe
C:\Windows\System\PQhgzUz.exe
C:\Windows\System\dGkmDIM.exe
C:\Windows\System\dGkmDIM.exe
C:\Windows\System\YXqhHlp.exe
C:\Windows\System\YXqhHlp.exe
C:\Windows\System\YLiZEAy.exe
C:\Windows\System\YLiZEAy.exe
C:\Windows\System\lZstcZe.exe
C:\Windows\System\lZstcZe.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\vOrpsMG.exe
| MD5 | ee9e7472e76da40537bbc96bfb54de3d |
| SHA1 | fa595f4ff2e120510f61fd2e9074a7a0bab5780f |
| SHA256 | 62c711f0d3290c9440ce0a3df9fc2247a55a1b4becd87a319d7290b43b2fe50d |
| SHA512 | d6e769550cd28b6b07519d7e1de3d575fd75f8f9349ddc54cb6fc6e941598dd1041939a814387567c27508ace38b80d8f16acf927603721a5846ca8e9bb22b20 |
\Windows\system\ZDrxZew.exe
| MD5 | 950b376a5eb2410c9e55db31b5a8975e |
| SHA1 | a893e0400fa4aed801d9365e8675c9d08b21d42c |
| SHA256 | f064803086fb70ae5b5b30c33dd89d112ca77107781a6529bbf7bcd63ba05ac9 |
| SHA512 | 27aee2e52f357640ca002bc40bd1e7c3f6364fb1a9ac186d27d46b5190d0fde6462e45f196b67c06bf0acb26c6c392ff5def1b9fd7c757f09ee6b3455191a323 |
\Windows\system\TIRnwUu.exe
| MD5 | 7315a23db3a927a0a253eb81b91f3592 |
| SHA1 | a7efde3b384588034764b7874d2062b30aa49667 |
| SHA256 | dbf6ca9515b10a9fbd374fe3ae1dba67452c292bf69c3290fb411986a57161ae |
| SHA512 | d020ad356d1428b7346d1477ea760bcc1fd5950189568fcfb0c32e4b7aa157b359b709e0853bf4ee3c5288fd690ed5933818399ff2edcdb0348bbd109555fd76 |
\Windows\system\bimROGZ.exe
| MD5 | 9d5a4941f675b993e492a799163027b1 |
| SHA1 | e2015d8742dae6819846e7cd809edf2095f5e990 |
| SHA256 | 8822c6f1637ae0ea330d9c5f8e2b9f529e04fb200f81b324f591ddfc8aa14700 |
| SHA512 | 875d8f9413cb1185152f17e880c4d7a9de29dd326a7481dd9a09e5fce01230eb1f42654a544ee1f16e393f485ab2698c58179b7d4073412e4027ea4d8c43bc71 |
\Windows\system\ovNMJGd.exe
| MD5 | f4d6e972b2ec8aa065f39ea022d85fca |
| SHA1 | 47f913b9407d39105adf9c7da601bdda3015c263 |
| SHA256 | d9e907aeb0ab3c392a1b53a57de2dab40ecdcd3edcd32086e62b0e41cf823dc9 |
| SHA512 | da4b874cd03cd316db0d85ad3fe86d050052cf4cde45d61c2953c35c6736a60172eca1baeba322e48d5b04742629209b3cbc68e7723d93f6539f12f0c283ce10 |
C:\Windows\system\esjbvZP.exe
| MD5 | 966f4539a03ea29bf3bfbdada921efbb |
| SHA1 | fcf9ae9670284d310edd82ba73dd72d728703110 |
| SHA256 | ecf023949ebee3a78dfdf4473648d15c804ffdfe9daab05c00e15afb01d2cf32 |
| SHA512 | decc1845dbb688838d4c8e316d40512dfb7a378e22d57e17038ac1774aa6e88f65def6ba8af4e7c086e77c59b0181cfe1600d817d0c627c65e20ced64ca72cef |
C:\Windows\system\AcNWdgT.exe
| MD5 | a1dca10f43022f31c96ac73167eefbe8 |
| SHA1 | 05cb4d5c79f010fc92dbe25d24f3a11473fac017 |
| SHA256 | 349b66524495066e6546112460f0312b21a437ac9eec6d556c46e6cf999458b9 |
| SHA512 | a3ba6dba0fd9ac5917321e6d7bdf74e5692e829dc590d4369808a8b4489085980c8b62a19856ebab4eb3111c1ee5f213cc536317e8c1696cad8a6d6fe7597750 |
\Windows\system\RTIuzUa.exe
| MD5 | db0cafcd6953144e72ac77ba7b53b65f |
| SHA1 | 40d4f7b335a2ae9b429e442428f97ff218326e8c |
| SHA256 | 9aff080617571ab6d87d986d0cbce9819327ea12bd7eb4ed26bb82c45175b7bd |
| SHA512 | ea40e869072f6eed7dde78a926177a74c35a761a2d9448f50a7c11aa4221fbf1fb5edf464906abee8a4094d99b45f8b162ff389d0646d5b35367ebf8a4e80ff6 |
\Windows\system\QXRWdLc.exe
| MD5 | ec6449498347b257d9fb57b114bbf55a |
| SHA1 | 633542dbdd1adf286c016231fae2b743b11a5b7f |
| SHA256 | d5ca09f1b6d7deb71e8901f4c5e4685062ede8130dc6e1fb36c2f5f9134be98b |
| SHA512 | 9d27b76dd98ecdd667f61218091da28864d25b0e39931b0b4ed43ffb3245dc5fefede17114556f1318e7e594dcbde5d5f1c275eba780bf676caaa6d8b3aed719 |
C:\Windows\system\HWHOvnF.exe
| MD5 | 8a8c3422bfc29a770f00c4f90289cd70 |
| SHA1 | b55db37e2828bd1d614f2b237620d4670fd83258 |
| SHA256 | ebc0804c7552c739daf87639f2277b5948a5a2ece89d4193c8d1d5681a35f848 |
| SHA512 | 6b91e05ee778445f94629cd91f9fadf1d5e4e3d8763909a508433e12b8bbccbf2f66a8971d1e9d4be4f6f1353ef2e997b16efa77bc445a32270ab81b018c12c3 |
C:\Windows\system\NnrcvDC.exe
| MD5 | fca2d8f931ae3d73ce3a2ec6c92699f0 |
| SHA1 | b1e71bf5f65de1dc493d93adca07209aacc044b8 |
| SHA256 | d413fae0cbce972cd6e9dd6ec168157e5e9b614e60d39b21545008561c9fbca1 |
| SHA512 | a4c350be5a0ab289b6c8fa674e42dbecb9d368f7fff7adbaf1283f319338475f815501f310f86432a8a0afdc396cdcf3216d16d17aef89b4eface5845777677c |
memory/2704-80-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/2208-79-0x00000000023B0000-0x0000000002704000-memory.dmp
memory/2972-97-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2208-96-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2828-94-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2836-78-0x000000013F230000-0x000000013F584000-memory.dmp
memory/2492-89-0x000000013F220000-0x000000013F574000-memory.dmp
memory/2208-88-0x00000000023B0000-0x0000000002704000-memory.dmp
C:\Windows\system\wQiyXVq.exe
| MD5 | ff17dc9355b6ac10aadcf233a156e5bb |
| SHA1 | 8e33cc2e2a40a0073042a9c4ff83dfd99065e3cd |
| SHA256 | 88a57b20b1fce993d0bb1310ea5fb02eac78b9013a3b48f74ff1a36c2f3daf8c |
| SHA512 | a11e1697e200dd01fadbbe31b1ea3b56a2c843039c0f38ccf40455a06d7b28a8ac87df4697ed21987d4e18610fd1609aef31b35bd46c8c2284ceee2c0c300eb5 |
C:\Windows\system\RgeWCbN.exe
| MD5 | 66faa074353cb8f06141ef11d3da5d9d |
| SHA1 | 93721ebae146a9da9392a0d9593031dfaa5b3a0b |
| SHA256 | 3807b992a3afef06da4bfdf4f7648f941d4927dc07a0bd739085e27efbeab384 |
| SHA512 | 27e12578d83034f474e03e69910fabf686e3b5a1f664c43be9f358127c57d34d7ed3b2b62882a70ad7da281357840edc1fcb288731f440ca215573896a3e7d75 |
\Windows\system\lueruHE.exe
| MD5 | 8511ca951c8921c4215cf6a4a2aec7db |
| SHA1 | c65e7a282967ce093e8b9261b6c7ceb8cac547c6 |
| SHA256 | 647fd61070a8703771042336dad20788c164d3115cccc9c3dc0f829c8e487487 |
| SHA512 | 3e69f6732e7d00b969a61e25dabd4b6d2ee799b9a0fd83f84352b701e7b901c5a86ef7362a3e780bad91094c1a814d31ca30bf0e0100174e0ca6605aeb143617 |
C:\Windows\system\OBxmEzh.exe
| MD5 | aed71f971f06b648139c0e3beaabacf6 |
| SHA1 | 62f1eb75bf8c663c3a8179ee355d4f64e77d0390 |
| SHA256 | 9c5180aaa3260957ffa6a7363cd9b0490a06441e781b1a3bed904ff459010724 |
| SHA512 | 8ab15081adc7341624ff17657e7e35b107ba31312fb9b2fd0dc4a92dbb5b426dec93e18f2d510ca20f48172a79f2356033180af1d4a3f925a371959a74922521 |
C:\Windows\system\PQhgzUz.exe
| MD5 | eb35d7012470f28b07f7f30074c787c4 |
| SHA1 | 8cf5e4f479e1fa30b1311c247273079f3fae0170 |
| SHA256 | c77c6033b5dc1e42c7e7ee760b73ef91035940c712b09e00cc455932efc3000a |
| SHA512 | 3beaf188e558d2cce4acf5800dca3cf6186bd699af17aa723765f5abbecc049966375495d1564779984371f56aff02fb90f361ffcfef67d7990af9a09a1655f1 |
C:\Windows\system\YLiZEAy.exe
| MD5 | 911d08148edc09ded0b8457ee7bc0adb |
| SHA1 | e108eef8e38ad4f9e8ef61668e80aed6dad35117 |
| SHA256 | a13eb827b0e7380067da9eb22a13e25c335f333bb995d418eb7206b2a55e16fb |
| SHA512 | cb2d84b62bc57e1ec16f811a7e298e3a5c42b170303fe5caa9a06650127d1e48569744f3aba333f3318f0714f418d5471bcbed4ac4295f2b16df9469362939da |
\Windows\system\lZstcZe.exe
| MD5 | aa4d46691abece6940178e17fedd2a1d |
| SHA1 | f1f420b75e9bdc8530a4da158d0244ece1449192 |
| SHA256 | bb28997da966650c5d849ceb549997fed1d6db31f1113e1ad6f6032f62f9e06a |
| SHA512 | 5241999818dbe8f1576f3816fdbd74c848b6f198c7a843df8961bb41681dbd1ab8216157ca2772132841fe53195ffc21cd9228f6ae44da68f103a6caf3745d9a |
C:\Windows\system\YXqhHlp.exe
| MD5 | 19d09261ff28ef11b78cf8f594b9f5fb |
| SHA1 | 6b8c511e83dcd57bfa58f7590e7c10acee56c63f |
| SHA256 | 8068795370b7afcfe30ccb018ba60b9ae7fa6cf7d342f16fccd497844cd0c0c0 |
| SHA512 | 46b2f2795ca04ea3d3503f7dca1ca9ff750c5a00a6975af93162a713f87ade827af0c5e34f0a60028faa8432c4f4a018b0e927955f7b4ac569a3140c35bfda51 |
C:\Windows\system\dGkmDIM.exe
| MD5 | a789fb6cf14e8ee0386930c7f27b3d09 |
| SHA1 | dc47c5a86f2895bb2493af184bb0e877b3b592aa |
| SHA256 | 25294402529b4dbef89680b875348bb9d894e1864cd10bcc18aa6e03960d6979 |
| SHA512 | 9927bdc46c29426baf1a0c0d302051f18b8a53438ca7ffec7b0e2b83460939d7479f70fad57ea9a69ec2e5892581d474362ea72806fff40d89a2803d0039df05 |
C:\Windows\system\JJdeuwn.exe
| MD5 | 3d96b3db69d833e1a97de71ee722b535 |
| SHA1 | c4f32bf260c986b2d9ea6c2c1d9488cf0e357b82 |
| SHA256 | 30b7b5c989e8e93f1547e7b2b03b9afb4512f64e13c67081f00ba4d67ac7b5c1 |
| SHA512 | d16a8ff7754b80a136db2322ce02ca90ef14bdd626d788447a228e3774cf38e90d7624c201e32d018f19a211bfa65d35a1805483afae791a6be9543f1cdd92bc |
memory/2024-138-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2208-137-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2208-139-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/2208-140-0x00000000023B0000-0x0000000002704000-memory.dmp
memory/2168-141-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2208-142-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/2704-143-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/2208-144-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2208-145-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2208-146-0x000000013FE30000-0x0000000140184000-memory.dmp
memory/2752-147-0x000000013F560000-0x000000013F8B4000-memory.dmp
memory/2836-148-0x000000013F230000-0x000000013F584000-memory.dmp
memory/2828-149-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2052-150-0x000000013FC10000-0x000000013FF64000-memory.dmp
memory/2632-151-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2644-152-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/2672-153-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2168-154-0x000000013F140000-0x000000013F494000-memory.dmp
memory/572-155-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/2292-156-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/2704-157-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/2492-158-0x000000013F220000-0x000000013F574000-memory.dmp
memory/2972-159-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2024-160-0x000000013F0C0000-0x000000013F414000-memory.dmp
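The listing above mixes three kinds of lines: a dropped-file path, hash rows for that file, and `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp` dump names. Turning that into structured IOCs by hand is error-prone (a truncated SHA512 pasted into a blocklist silently matches nothing), so the following is an added example parser, written for this page and not taken from the sandbox vendor or the page itself. It assumes only those three line shapes; the sample input is a constructed subset excerpted from the entries above, and the `parse_listing`, `regions_by_pid` and `distinct_sizes` names are this example's own.

```python
"""Parse a sandbox dropped-file / memory-dump listing into structured IOCs.

Added example, not the sandbox vendor's code. Assumes three line shapes:
a Windows path, a `| MD5 | <hex> |` style hash row, and a
`memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp` dump name.
"""
import re
from collections import defaultdict

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|\s*$")
MEM_DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
WIN_PATH = re.compile(r"^(?:[A-Za-z]:)?\\[^|]+$")

# Expected hex-digit length per digest; a mismatch almost always means a truncated copy.
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed sample: a subset of lines excerpted from the listing above.
SAMPLE_LINES = [
    r"C:\Windows\system\HWHOvnF.exe",
    "| MD5 | 8a8c3422bfc29a770f00c4f90289cd70 |",
    "| SHA1 | b55db37e2828bd1d614f2b237620d4670fd83258 |",
    "| SHA256 | ebc0804c7552c739daf87639f2277b5948a5a2ece89d4193c8d1d5681a35f848 |",
    "| SHA512 | 6b91e05ee778445f94629cd91f9fadf1d5e4e3d8763909a508433e12b8bbccbf"
    "2f66a8971d1e9d4be4f6f1353ef2e997b16efa77bc445a32270ab81b018c12c3 |",
    "memory/2752-71-0x000000013F560000-0x000000013F8B4000-memory.dmp",
    "memory/2292-73-0x000000013FA40000-0x000000013FD94000-memory.dmp",
    "memory/2208-72-0x000000013FA40000-0x000000013FD94000-memory.dmp",
    "memory/2208-87-0x00000000023B0000-0x0000000002704000-memory.dmp",
]


def parse_listing(lines):
    """Return (files, regions, warnings).

    files:    [{"path": str, "hashes": {alg: lowercase hex}}] in listing order
    regions:  [{"pid", "index", "start", "end", "size"}] as ints, one per dump
    warnings: problems worth a human look (orphan hash rows, wrong digest length,
              lines that match none of the three shapes)
    """
    files, regions, warnings = [], [], []
    current = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if WIN_PATH.match(line):
            current = {"path": line, "hashes": {}}
            files.append(current)
            continue
        m = HASH_ROW.match(line)
        if m:
            alg, digest = m.group(1), m.group(2).lower()
            if current is None:
                warnings.append(f"hash row without a preceding path: {line}")
                continue
            if len(digest) != HEX_LEN[alg]:
                warnings.append(f"{current['path']}: {alg} has {len(digest)} hex digits, "
                                f"expected {HEX_LEN[alg]}")
            current["hashes"][alg] = digest
            continue
        m = MEM_DUMP.match(line)
        if m:
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            regions.append({"pid": int(m.group(1)), "index": int(m.group(2)),
                            "start": start, "end": end, "size": end - start})
            continue
        warnings.append(f"unrecognised line: {line}")
    return files, regions, warnings


def regions_by_pid(regions):
    """Distinct (start, end) ranges per PID, sorted by address. The PID that shows
    up with the most ranges, many of them shared with other PIDs, is the best
    candidate for the process that wrote those images into the others."""
    by_pid = defaultdict(set)
    for r in regions:
        by_pid[r["pid"]].add((r["start"], r["end"]))
    return {pid: sorted(v) for pid, v in by_pid.items()}


def distinct_sizes(regions):
    """Distinct region sizes; a single size repeated across PIDs points to one
    image mapped into every process rather than several different payloads."""
    return sorted({r["size"] for r in regions})


if __name__ == "__main__":
    files, regions, warnings = parse_listing(SAMPLE_LINES)
    for f in files:
        print(f["path"], f["hashes"]["SHA256"])
    print("region sizes:", [hex(s) for s in distinct_sizes(regions)])
    for pid, ranges in sorted(regions_by_pid(regions).items()):
        print(pid, [f"{hex(a)}-{hex(b)}" for a, b in ranges])
    for w in warnings:
        print("WARNING:", w)
```

Run over the full listing above, `distinct_sizes` returns a single value, 0x354000 bytes: every dumped region is the same size, and PID 2208 carries a dump at the same address as several of the other PIDs' regions (for example 0x13FC20000 with PID 2632 and 0x13FA40000 with PID 2292), which is what you would expect from one process executing the dropped copies and writing into them, consistent with the WriteProcessMemory and "Executes dropped EXE" signatures reported for this sample. The length check is deliberate: feed the hashes to a blocklist only after `warnings` is empty.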