Analysis Overview
SHA256
4a15551f1333d91c072a7b6e906fbc762b6ae653e2de7d49b603515032be7bef
Threat Level: Known bad
The file 2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Cobaltstrike
Xmrig family
xmrig
XMRig Miner payload
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-06 11:48
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 11:48
Reported
2024-08-06 11:50
Platform
win7-20240704-en
Max time kernel
125s
Max time network
140s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\NTqWRZH.exe | N/A |
| N/A | N/A | C:\Windows\System\LyXAHMQ.exe | N/A |
| N/A | N/A | C:\Windows\System\lXbjlAF.exe | N/A |
| N/A | N/A | C:\Windows\System\CToUlyG.exe | N/A |
| N/A | N/A | C:\Windows\System\vqBsAZD.exe | N/A |
| N/A | N/A | C:\Windows\System\qyxbwKZ.exe | N/A |
| N/A | N/A | C:\Windows\System\kKajgoW.exe | N/A |
| N/A | N/A | C:\Windows\System\zepgMvL.exe | N/A |
| N/A | N/A | C:\Windows\System\dctEOCV.exe | N/A |
| N/A | N/A | C:\Windows\System\McHXXIy.exe | N/A |
| N/A | N/A | C:\Windows\System\heKzACg.exe | N/A |
| N/A | N/A | C:\Windows\System\VXaiLvd.exe | N/A |
| N/A | N/A | C:\Windows\System\EFLyQHK.exe | N/A |
| N/A | N/A | C:\Windows\System\xSYsfEn.exe | N/A |
| N/A | N/A | C:\Windows\System\XDkNtPd.exe | N/A |
| N/A | N/A | C:\Windows\System\RColiIL.exe | N/A |
| N/A | N/A | C:\Windows\System\aDxtuZg.exe | N/A |
| N/A | N/A | C:\Windows\System\lesYhVK.exe | N/A |
| N/A | N/A | C:\Windows\System\UHjJpwi.exe | N/A |
| N/A | N/A | C:\Windows\System\Xsanmee.exe | N/A |
| N/A | N/A | C:\Windows\System\msrbUKV.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\NTqWRZH.exe
C:\Windows\System\NTqWRZH.exe
C:\Windows\System\LyXAHMQ.exe
C:\Windows\System\LyXAHMQ.exe
C:\Windows\System\lXbjlAF.exe
C:\Windows\System\lXbjlAF.exe
C:\Windows\System\CToUlyG.exe
C:\Windows\System\CToUlyG.exe
C:\Windows\System\vqBsAZD.exe
C:\Windows\System\vqBsAZD.exe
C:\Windows\System\qyxbwKZ.exe
C:\Windows\System\qyxbwKZ.exe
C:\Windows\System\kKajgoW.exe
C:\Windows\System\kKajgoW.exe
C:\Windows\System\zepgMvL.exe
C:\Windows\System\zepgMvL.exe
C:\Windows\System\McHXXIy.exe
C:\Windows\System\McHXXIy.exe
C:\Windows\System\dctEOCV.exe
C:\Windows\System\dctEOCV.exe
C:\Windows\System\heKzACg.exe
C:\Windows\System\heKzACg.exe
C:\Windows\System\VXaiLvd.exe
C:\Windows\System\VXaiLvd.exe
C:\Windows\System\EFLyQHK.exe
C:\Windows\System\EFLyQHK.exe
C:\Windows\System\xSYsfEn.exe
C:\Windows\System\xSYsfEn.exe
C:\Windows\System\XDkNtPd.exe
C:\Windows\System\XDkNtPd.exe
C:\Windows\System\RColiIL.exe
C:\Windows\System\RColiIL.exe
C:\Windows\System\aDxtuZg.exe
C:\Windows\System\aDxtuZg.exe
C:\Windows\System\lesYhVK.exe
C:\Windows\System\lesYhVK.exe
C:\Windows\System\UHjJpwi.exe
C:\Windows\System\UHjJpwi.exe
C:\Windows\System\Xsanmee.exe
C:\Windows\System\Xsanmee.exe
C:\Windows\System\msrbUKV.exe
C:\Windows\System\msrbUKV.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2152-0-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2152-1-0x0000000000200000-0x0000000000210000-memory.dmp
\Windows\system\NTqWRZH.exe
| MD5 | 4863766bcfdf1137ca7b69e38262b4f5 |
| SHA1 | 5da86653babcda688ac9ca60e435b1c53d7d4f78 |
| SHA256 | 7d666c009d2bbffc1b72e224b914a1fc19d52f350d108766d68d27b007a69dbc |
| SHA512 | 702f2d2b800f975bc8b1ee8d654944cfee197b15d8137ddfe30276db7e88865eba57b26a8fc7127326a7b948cf0f99b1247be2ff4610f3929234630db8f8f8c7 |
memory/2192-8-0x000000013F770000-0x000000013FAC4000-memory.dmp
\Windows\system\LyXAHMQ.exe
| MD5 | e5ce22fa516229c9bd40ff0831e0736e |
| SHA1 | 429d228e5cf3eb75aecfd1b22146ba2f529584ba |
| SHA256 | 3b9b7e862babcfe684e455330285371e9ff3cb3e2498ed2399b4babe6af434f6 |
| SHA512 | a9af3fd54ac716b28387fae86cd3a7d44dbf8995d611e99813c37ce22d4e69f56802354d5c51f3329264ec19ae7ccc403c08b5ad3c5efde583cb4290440a9270 |
memory/2152-13-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2144-15-0x000000013F1C0000-0x000000013F514000-memory.dmp
C:\Windows\system\lXbjlAF.exe
| MD5 | 1a40092c619e89a527557a811b9aa10f |
| SHA1 | 9be1e85387ac0d4188506a7c8ba4a0f9f32f7f50 |
| SHA256 | a5f33d32d542e2f43e0a8073714cf86541237070c6e1a382faf7a04945ad6821 |
| SHA512 | f7f5b93d1c3068140ee08db7cc4113e769f752c2bcd36869e5ef5b0d93a60e53f9dd3136e15c0304ab8171d2d7086ddd7a805b0a0b6ca50f5c9c942e1df5dac1 |
\Windows\system\CToUlyG.exe
| MD5 | 10cb4ec70b8bed04094a4de6726f4a0a |
| SHA1 | 4d28bf61e401d45c08b6f5cc760cf6f85caa2e66 |
| SHA256 | e942e939e30634a841d2b6c6f6548b3ae0270e51a5e88d6c8f1e2eea1ae801e3 |
| SHA512 | 60c2038981de648e3bbc09f53a223077446b106c35971676c0a8040778200510ad658f63c8e5ee8de63904a9f5cb9bf6a199ad031356634812650e3a36006d0b |
memory/2152-20-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2472-28-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/2152-24-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/2152-33-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2832-35-0x000000013FA00000-0x000000013FD54000-memory.dmp
C:\Windows\system\qyxbwKZ.exe
| MD5 | 3d0b55d576306fc7d5f1f7cfcb28ffdc |
| SHA1 | 2dc8728beea1cb398e1a87fec0428df7746b7e3a |
| SHA256 | e30c24d82a002a5574989f254793ee18309456bf095f16cab0f318c68cff5e6e |
| SHA512 | 704c555ab29368d1c06bc6c114c551689bb83ca27ea2f73164b6cecc998f37fd63e50e1e4e1210a330cb9b15b042fde3ba2c44af1e16a163e0a4f187dd5e30c7 |
memory/2836-42-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/2152-39-0x000000013F4D0000-0x000000013F824000-memory.dmp
C:\Windows\system\zepgMvL.exe
| MD5 | 8d1056575ae83c163f43e1e2e307eb93 |
| SHA1 | f3f33b884e99742a54ce5cd672c0e384a057380b |
| SHA256 | 8e2f57adae20106002879c7d9b0fb54f6e5c470432bf8d72c600bcb9b7a4421b |
| SHA512 | 4466b2751b99909bbfd569644fa0f36fd2cc3db02354b0e4599eaaefb929bf91477e3d8a9a98df6d5dcc86350828462012e1cdef4f7b2c7b52e7c050362a0b03 |
memory/2152-56-0x000000013F0D0000-0x000000013F424000-memory.dmp
C:\Windows\system\McHXXIy.exe
| MD5 | 73fa09c184be70c4e95b385dedfc6f35 |
| SHA1 | e9d18b1c7626f705791bc6364d33b8a2cb0e8271 |
| SHA256 | 15157ff00df2e0b363e8edd72caf6f2273ea2f894ea14c4acca3655654732864 |
| SHA512 | c70240cb2a68052e229661306cd447cb489d4773381323f6f1a1554b01fd6c24d988875e525179faaa002c0a22eb245675759c96b868e7023bfd978243f8b6b9 |
memory/2688-72-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/2152-65-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/1672-64-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/836-90-0x000000013F120000-0x000000013F474000-memory.dmp
memory/2836-105-0x000000013F4D0000-0x000000013F824000-memory.dmp
C:\Windows\system\lesYhVK.exe
| MD5 | e979161ea746562965140d3d5c2864fc |
| SHA1 | 09fd9646e3555c0929e53004252b3775475ad7e0 |
| SHA256 | 49f974a0ffcdd2bf03e361f0068f70161def7eed0a47e9da052608126bc9e1ac |
| SHA512 | 6617c339bb6e604d2166146546c6fff2cac02be7e6de78be08eaa0305526801de007ae36be9e3143852f742fe3702b7410e6a6c6d0ad63d2ba0b1b08cc5abbda |
C:\Windows\system\UHjJpwi.exe
| MD5 | 6e0ecd5e9d17b439a17afc97d6ae9aa3 |
| SHA1 | facffd73e1191f81a70b8a51e9703663db711c94 |
| SHA256 | cda24408ac1b5ebbf89774e8374ddb052a59a3b9f4e50659db167b8cb92d8e64 |
| SHA512 | 5c203c918426f9f88b9cb32d7aae591b47102515c92cbcdc63494837b2e9eb067f8f96686dba51cb95d9d5339dc49b20433441f68cb017bb84a27da07f544185 |
C:\Windows\system\Xsanmee.exe
| MD5 | dbc510557bb7d2c44c2c0bd26367ce9d |
| SHA1 | 5927dbed4ba5afe5e7ac024e3da12a7cbacbcfce |
| SHA256 | a1bdca21420f195296deb42cc925c4393395d065da90b0ea7998943e17cce996 |
| SHA512 | 30f6ffedd0287184ba9298cf71d57b92e752cb00d647e8025d86d8e841e70b806d1a55481f5a11dc0ddc8643849aa9330bb75af69b0ecd40f6b821a05e3c5b0c |
\Windows\system\msrbUKV.exe
| MD5 | 76d5ec88f3e7b4bbac85e2b982fb7db1 |
| SHA1 | a54e371b685b76ee347d83e9367a64a3b202e191 |
| SHA256 | 2461aa13888d060871dc2c2c6e136053cd273e76781fab4d907759bcfbb1a299 |
| SHA512 | 461cd78bf88ac4a8ea2a8630372979c4ef6c98fa04b7e6fe3d543021422b896d05145375a03faf2480a5280b9045110a29bac1a0074f89a078bf6520db035b74 |
memory/2812-144-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/2892-143-0x000000013F740000-0x000000013FA94000-memory.dmp
C:\Windows\system\aDxtuZg.exe
| MD5 | 92087a9fc49c40525c05a533de44c0b8 |
| SHA1 | 8d611b8c27d84e9c1c80c31102c52e6354ffc91c |
| SHA256 | 27b3d78c593af1a2b49675e0eb3509193a1a7f6066d10726cfe593faa74b0df1 |
| SHA512 | 934263ceee7a58da06c0ddee449f513a1f61cad1e4c64de6ae2a1ffb1ea13ec3292bc0f4495b14065b0c2ca9e6dae6cdc8db299226d64630f03fe4e6cf6e3789 |
memory/2152-112-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2152-145-0x000000013FEA0000-0x00000001401F4000-memory.dmp
C:\Windows\system\XDkNtPd.exe
| MD5 | 2834fcca5366e47d14598aca94cb9d6c |
| SHA1 | c9f35c3b2b92d4f8279cf7f64b21ca4763b0f273 |
| SHA256 | f8170f18ca30a557bbd86180e60e97c3fccc3e244d3bb52609611bb4da6ade7f |
| SHA512 | 71a79dce5ab824b852a18dd9b35984515cbf90ef773cebf34be78b25b12c5bb08f81a61c207444768d2c184971a5103944d460366886a3c38fab87c77c85db64 |
C:\Windows\system\RColiIL.exe
| MD5 | 7911c12b54822817ec9aa2a4af7fd6ec |
| SHA1 | 0be549121fc1df9a042163f7c4d6ed267b199a31 |
| SHA256 | 7dd49d003c977700927aef2648007cc34d4f67e6e9108d1a0ff3965b13ecb983 |
| SHA512 | 3e7a72719b2ae9d0b68a880e4a225894c156cca23fe94873791c32943d8c36280a627d06d06ba0792778c2ebc7312b90ea1a721f3ba292f556c2d981aed44bca |
memory/2912-106-0x000000013FAF0000-0x000000013FE44000-memory.dmp
C:\Windows\system\xSYsfEn.exe
| MD5 | 5fef29cdfd5e1a0dba717a0327e01d94 |
| SHA1 | de58b6e2b94f672d87f74da858a19b2c8329f7bd |
| SHA256 | a5c7457b43c945f2a68e17658c405302239acd0007615ef420d428b1bd62b146 |
| SHA512 | dd9b001ec0025981a18b7c71c7a359c7f8b783ddcb0a40149f5e44e11cd00c6d88c77911eb408d4d52be556571e1dda81f2b6a90dc98e628516a105df00bb5d3 |
memory/2512-99-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2152-98-0x000000013F4D0000-0x000000013F824000-memory.dmp
C:\Windows\system\EFLyQHK.exe
| MD5 | a6aa9016f12298b0dec578c3d9b9656f |
| SHA1 | f658caf27bee09b8bebd0d92b4c34c5b26b29e30 |
| SHA256 | fa6331ea1c9957190a4c0e80c9676b2d76c1ad4104b4f8cf896224cc241f3940 |
| SHA512 | 584117dec236a913ead2ff586b05b2478e042e98bee554481447a8de42e3ddddc23640af509fb615c90ac0c2e1a9ef2c732a495625448e9c61047679e213ffb9 |
memory/2152-95-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2832-94-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/2152-89-0x000000013F120000-0x000000013F474000-memory.dmp
C:\Windows\system\VXaiLvd.exe
| MD5 | 60a20ea7f62b3d22446eb74e2f936f9d |
| SHA1 | 9194711ebf634f3dff2135119bf54bbbcb7c6e7c |
| SHA256 | df6b0d22a8f4a6a758f43ccf1d53f40d233c76f1ff87091e9262e389f6a06fab |
| SHA512 | d7e655857460f2f3235b904fb7d5bfc6a53c79b0c9aa203574ec2ed3abda71d08ec2b6fe0fcb407e7bbc76af74a35f17b3172771a7c176bdaea20ae9e6c2fb5e |
memory/1660-148-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2688-147-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/2152-146-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2748-83-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2472-82-0x000000013F490000-0x000000013F7E4000-memory.dmp
C:\Windows\system\heKzACg.exe
| MD5 | e83b8f723ea171e67483c0dbf87cc188 |
| SHA1 | cc87f60f4dfe750ee70d9b85c82cae4f03e29fdd |
| SHA256 | 571afa213ef5372c1feb902d4aa57597d591d2e9a16df9a27b9abc3c48689981 |
| SHA512 | 944223a148f924a54c21c150f2a58b3c6adf0db81e8d9a05be113d1a10b8902813afdbee14cf99c6a466d1533dbce1cb1a28fb0a67f91c50fcfb914ebdaa3061 |
memory/2152-80-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2144-63-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/1660-73-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2152-71-0x00000000022F0000-0x0000000002644000-memory.dmp
C:\Windows\system\kKajgoW.exe
| MD5 | 42952cc5e71965364d9b7b8fc06627d3 |
| SHA1 | 09c2adb84748186ed070854a17d0bfa380a9386c |
| SHA256 | ba05a6034bb1983175ed22804ac8d231cd15b8d1f0f0634077f2d3ab5d59b242 |
| SHA512 | 1162a41e3dd7b5f7d8de2132fe58f82b96d898a5e01815dbacae1784903e8533b4ad2a87d68a81c712d8da385f01bd626c568fad23db4d0472162e477b6baceb |
memory/2152-49-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2192-48-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/2152-70-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
C:\Windows\system\dctEOCV.exe
| MD5 | 255bb88495070c31e3e6f6b7c5c990c9 |
| SHA1 | 75a7b687800a47c52807fc4f78f18ba48b1d7945 |
| SHA256 | 2c3a909531bfe9b4c9cba3b0636a1f64b0fa94c958a17e309bf73bc63b113ee3 |
| SHA512 | 3761c15a2a993a785f6e86d3d543c020d8184b28ccfb88287b27eab1117d440397d86219631a359e644b1a8e161bdde97b9682f364b59507711d740aaf779c7d |
memory/2152-149-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2812-57-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/2892-55-0x000000013F740000-0x000000013FA94000-memory.dmp
C:\Windows\system\vqBsAZD.exe
| MD5 | f31f1db461a750804e8a3082db8e8b98 |
| SHA1 | 06e6061b652160c26deb36f5eb773967770e4651 |
| SHA256 | 6165d2fdfee3f0150c7adf4bcd8536dfec91c508bed70cd3ff9d77614fed0fb8 |
| SHA512 | 4f3cfc499eed372138207fb44e5733856ef1ba6cdf8f9c0c283bfa68fad3beaa995ea16fc2f29e06fbd4c43a331b3f5eef80a95ca097629dd595c92806822a2b |
memory/2152-38-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/1672-21-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2748-150-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2152-151-0x000000013F120000-0x000000013F474000-memory.dmp
memory/836-152-0x000000013F120000-0x000000013F474000-memory.dmp
memory/2152-153-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2512-154-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2912-155-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/2192-156-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/2144-157-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/1672-158-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2472-159-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/2832-160-0x000000013FA00000-0x000000013FD54000-memory.dmp
memory/2836-161-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/2812-162-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/2892-163-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2688-164-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/1660-165-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2748-166-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/836-167-0x000000013F120000-0x000000013F474000-memory.dmp
memory/2512-168-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2912-169-0x000000013FAF0000-0x000000013FE44000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 11:48
Reported
2024-08-06 11:50
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\DWSYWEm.exe | N/A |
| N/A | N/A | C:\Windows\System\JxqtBTx.exe | N/A |
| N/A | N/A | C:\Windows\System\swqulVo.exe | N/A |
| N/A | N/A | C:\Windows\System\zFKPolL.exe | N/A |
| N/A | N/A | C:\Windows\System\ULvpiLp.exe | N/A |
| N/A | N/A | C:\Windows\System\jOJLyVo.exe | N/A |
| N/A | N/A | C:\Windows\System\OTieEbC.exe | N/A |
| N/A | N/A | C:\Windows\System\vAilNgr.exe | N/A |
| N/A | N/A | C:\Windows\System\OXYWeys.exe | N/A |
| N/A | N/A | C:\Windows\System\dsBevqm.exe | N/A |
| N/A | N/A | C:\Windows\System\SmSlnZv.exe | N/A |
| N/A | N/A | C:\Windows\System\VEnTLEW.exe | N/A |
| N/A | N/A | C:\Windows\System\tgGPzqs.exe | N/A |
| N/A | N/A | C:\Windows\System\QuAEFWf.exe | N/A |
| N/A | N/A | C:\Windows\System\aalUrXi.exe | N/A |
| N/A | N/A | C:\Windows\System\ibeREOL.exe | N/A |
| N/A | N/A | C:\Windows\System\ctYkYNi.exe | N/A |
| N/A | N/A | C:\Windows\System\mhMQJGt.exe | N/A |
| N/A | N/A | C:\Windows\System\ESiXKsb.exe | N/A |
| N/A | N/A | C:\Windows\System\efcBEpQ.exe | N/A |
| N/A | N/A | C:\Windows\System\LLcSFlP.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_27ab2080b88173f20675641b9ef4b6a3_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\DWSYWEm.exe
C:\Windows\System\DWSYWEm.exe
C:\Windows\System\JxqtBTx.exe
C:\Windows\System\JxqtBTx.exe
C:\Windows\System\swqulVo.exe
C:\Windows\System\swqulVo.exe
C:\Windows\System\ULvpiLp.exe
C:\Windows\System\ULvpiLp.exe
C:\Windows\System\zFKPolL.exe
C:\Windows\System\zFKPolL.exe
C:\Windows\System\jOJLyVo.exe
C:\Windows\System\jOJLyVo.exe
C:\Windows\System\OTieEbC.exe
C:\Windows\System\OTieEbC.exe
C:\Windows\System\vAilNgr.exe
C:\Windows\System\vAilNgr.exe
C:\Windows\System\OXYWeys.exe
C:\Windows\System\OXYWeys.exe
C:\Windows\System\dsBevqm.exe
C:\Windows\System\dsBevqm.exe
C:\Windows\System\SmSlnZv.exe
C:\Windows\System\SmSlnZv.exe
C:\Windows\System\VEnTLEW.exe
C:\Windows\System\VEnTLEW.exe
C:\Windows\System\tgGPzqs.exe
C:\Windows\System\tgGPzqs.exe
C:\Windows\System\QuAEFWf.exe
C:\Windows\System\QuAEFWf.exe
C:\Windows\System\aalUrXi.exe
C:\Windows\System\aalUrXi.exe
C:\Windows\System\ibeREOL.exe
C:\Windows\System\ibeREOL.exe
C:\Windows\System\ctYkYNi.exe
C:\Windows\System\ctYkYNi.exe
C:\Windows\System\mhMQJGt.exe
C:\Windows\System\mhMQJGt.exe
C:\Windows\System\ESiXKsb.exe
C:\Windows\System\ESiXKsb.exe
C:\Windows\System\efcBEpQ.exe
C:\Windows\System\efcBEpQ.exe
C:\Windows\System\LLcSFlP.exe
C:\Windows\System\LLcSFlP.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4312-0-0x00007FF7BC0A0000-0x00007FF7BC3F4000-memory.dmp
memory/4312-1-0x0000025B8C460000-0x0000025B8C470000-memory.dmp
C:\Windows\System\DWSYWEm.exe
| MD5 | 11cd214f43f9f1d1466fda83edcfe64d |
| SHA1 | d8ba68c242a65c3a00bf33abe984adcc744afb3c |
| SHA256 | ac78afc25fb657b12662dfc6a5b9baa9137e8ee6800e3fbc731c13db17776766 |
| SHA512 | 238e546713fcf3750ea2bb8de51222fc956c520f1828e0d3eca1daa465ead1019f01b5b1455ec5ef26f0888a100f53721034052ae95e8476448c79667b97672b |
memory/5016-6-0x00007FF7012B0000-0x00007FF701604000-memory.dmp
C:\Windows\System\swqulVo.exe
| MD5 | 5df1343fcd6ba8cee5a5efab539ed0a4 |
| SHA1 | b849d63831d15cd2f56f4470f8655c5404cde8ff |
| SHA256 | e661e1c61f4fd128264def833e106b9ae55f2d5d286fc8ded59ed405e62ffb4e |
| SHA512 | e36474bf246be737a8b763c32c43c6d0bc0d7cdd3747b0626e5a491e2ecbb7d25ec70baab45969e2b2576a496d4092d50d43c79faddf8a455adf8bf359ecfdc0 |
C:\Windows\System\JxqtBTx.exe
| MD5 | 908126ec112989102266e6e2533ceaa6 |
| SHA1 | c459591206d11c36c718f7a6507b8148b3b08167 |
| SHA256 | 4128d18f4016c408930a4ebc92b923550d88491f897e1c937c4541ac6a375e7c |
| SHA512 | 01b828851097396eef2f615183d76b0c73913a9e9d5feae0077307808d4797f8b2c9312ff25316687679a6300367a6573e1dda083105dc6b5fd04aba14f7a0c4 |
memory/4868-14-0x00007FF771A60000-0x00007FF771DB4000-memory.dmp
C:\Windows\System\ULvpiLp.exe
| MD5 | cabe945f88074d039cf580735d5a30c8 |
| SHA1 | ddd03583d7bf214ce41dd2b4f5a3bf0636f54a1c |
| SHA256 | 95d6b68499e0ac395caac73591939aa27f5668e4bf1b7d91b83dbe367cd4d5c2 |
| SHA512 | 24870ddf2cc9de6c4fbc374b47dba9d169fb4cc9871a25f7c9e4aa0fa0982fb50191369d89e5bd33801205c875ae0c9ba46e6f8b3eef232bc6d8a4767c809928 |
C:\Windows\System\zFKPolL.exe
| MD5 | 1547f22b312d34baf2fe6ef010340813 |
| SHA1 | f805ed540146c198b0cfe71519d1bd74401545bb |
| SHA256 | a29463d8ad4c5c940ef97bff81e895668337d431f3f69ca4c7a93427213d1571 |
| SHA512 | e10af60af098d8d21494b9662ebdeb3e210d3df677fd02400e26df23bc4c55953909a2131dbff73018ccb8386420ef2ec526e6e0b0341718b6d6344b1cae3a4f |
C:\Windows\System\vAilNgr.exe
| MD5 | ed76945c1ab28e80613d162135e8957f |
| SHA1 | 304cf333a6e4dac7242a7c58ffef0cde329f0bb8 |
| SHA256 | e31c6020d054b233974c459de5c9045a23b00894a0d5f45ec65c6f3af8c8f3af |
| SHA512 | be6562c2816b939fb6322b808ca2a2e8d2fd4eec740f10f925420a6323ebe374187a43715ae84dbc61babeb151c2588a417f0602d0053b771c65fc6f619959f5 |
memory/1072-43-0x00007FF70F1A0000-0x00007FF70F4F4000-memory.dmp
C:\Windows\System\dsBevqm.exe
| MD5 | d264b340d98ec88b2ff3214077eba5a9 |
| SHA1 | 69584e686c46581f49a05abf385d3603b7149628 |
| SHA256 | fe0fd8c2446f2fbb2012397f4fdcadbee1bc6fcab55a4bf6faf13c0f7440b567 |
| SHA512 | 56080b71ee12f1b74d3ce4e3a2c0fe43dde975009d3bf59f44d04da36ae39004cf6212d0e8178da3e04aa0e0a40a54fd259aac794afc28a6a6ce13a02a1a313b |
C:\Windows\System\SmSlnZv.exe
| MD5 | 6fa424e5b57e4e468e8bb03f8e1b7c41 |
| SHA1 | cbe16b72aec2b8023d4abf35105419f4b419cdbe |
| SHA256 | 27c28ffc6d740b27b9c8d747c86dadcef0007ba500df53a4d0a30a44ae585f5f |
| SHA512 | e321e48e87f69c504d4ad3bb67acee2824444639fd4f0511ebf462659c364eaec49d2e8c63eadacb7bd89f196f1b949ae29741bbe43bf256135e5bad9f2b2ee8 |
C:\Windows\System\tgGPzqs.exe
| MD5 | 0f733dbc49f4e627b4e5704144b1db87 |
| SHA1 | 914e763f78a9987cece6ebbfeb46f1aeee24530d |
| SHA256 | 435ccd0a0925e084f02ea802ea730de03bff6aa6a6593d76752e2ed882c1078e |
| SHA512 | 2f1991625943f71aac77f194ddea9363fc34968a137841e9895c2fe6890d533c49524777ddcc8023b2ca6fafa8b0d01f8c07801cf6e87846dd973dcc463b149c |
C:\Windows\System\aalUrXi.exe
| MD5 | b097e9f6f830b09d8ddda4c4c79654be |
| SHA1 | 4d0e0f2faf17b1a595e2e6f78ad4903375df3b68 |
| SHA256 | 19742d9a6ab3d3662e7aff1403a01c398e835ad7d712379048e4d8e80f8f9993 |
| SHA512 | efb41aaa77f323ca69e198d3af49c0bd2f3f241db5be89ca8ba6b57b71692d40a6a1e49811b4df2d8a38cf80ae7a038e65c3761982732274c3e3c1dc8eeb12fd |
C:\Windows\System\ibeREOL.exe
| MD5 | bc2f866539525d442a8724361c3fdbb9 |
| SHA1 | 1b454aa3e6dd6ea315f96a6f62cc3508cd2c3cd9 |
| SHA256 | 3e45c478f68d8bc8c236852c945e5d0cb75b1dd84e3878069c5760ea51c19de6 |
| SHA512 | 7f25cbb088acffd0a9092c7e2cdc5b9640ee3e9998659af9a8225bdb74a95eacdc0e85671411e99847912f4691d18e04054337cbae225f9dc75851fd0267b3c8 |
memory/2716-99-0x00007FF668A80000-0x00007FF668DD4000-memory.dmp
memory/2096-103-0x00007FF63E880000-0x00007FF63EBD4000-memory.dmp
memory/3800-104-0x00007FF6EC230000-0x00007FF6EC584000-memory.dmp
memory/4876-102-0x00007FF67B3F0000-0x00007FF67B744000-memory.dmp
memory/1068-101-0x00007FF7D1E70000-0x00007FF7D21C4000-memory.dmp
memory/4584-100-0x00007FF7D7080000-0x00007FF7D73D4000-memory.dmp
C:\Windows\System\QuAEFWf.exe
| MD5 | 2aa14126ae39508b7f822c557587eb9e |
| SHA1 | a734ef06ad54a368ca961b42ba4b475134a57903 |
| SHA256 | 822e88d7fda5420030c57b5d4c6ad8e2e1e65f5dc6c3a27f1f89d0a53081c2c5 |
| SHA512 | 0ebf44d209ca9302d87c3bc461e149ee05b84d69c520829ad48d5d5e0243f7677098fea8b8705e07a8d4a86efc5ee6a5b2d4d0744e5a0c247ab620778b438c60 |
memory/4196-96-0x00007FF64E360000-0x00007FF64E6B4000-memory.dmp
C:\Windows\System\ctYkYNi.exe
| MD5 | 706559a6499a211caa84207b4d5f1b65 |
| SHA1 | 9fa934be222e3166722ce07576f6834eb3945429 |
| SHA256 | 641e5d647dc102893614ffbeec4264494f4b79a08f43bb373e2cf57208283f63 |
| SHA512 | 3160f031f937f679f96f7d8ac512d212524e60c5ef7420412b3eff6b9fe55cec8f6270fc01e7882ea5828731a9b565942f729782d5a40c2c5ba9349357d7cd8b |
memory/3148-89-0x00007FF65C950000-0x00007FF65CCA4000-memory.dmp
C:\Windows\System\VEnTLEW.exe
| MD5 | 90845e57e4d8d525b3abbdb346dc4858 |
| SHA1 | 16dd1bf5e7baef7380157762651a8f1ccd21616c |
| SHA256 | 018037a3ba643a64cf41cb4478a625367cf84f245909130c9fb81602276cd136 |
| SHA512 | 861db115609a1fe690cdd16b82c5df5b3262580ea923f61ea07022f511f447a20667d67ff764dd534892e94f4a4bfd9f7e199663effc5ddae2033958ea30e3f4 |
memory/5028-84-0x00007FF6DBCE0000-0x00007FF6DC034000-memory.dmp
memory/2680-71-0x00007FF6A5B60000-0x00007FF6A5EB4000-memory.dmp
C:\Windows\System\OXYWeys.exe
| MD5 | 38a70b7ad957ba55544ad496135ede7e |
| SHA1 | 29261fcb46aa48edf57cfdb4518d95aab87d618a |
| SHA256 | a22af28a564fb4b3eb22eae0f0294c46d6231d4ddf904b234d18ca00f120fc10 |
| SHA512 | 5a1f89fa4465010b4aba71ec123ceed5195da3b91090e7ecea378575bfd97c3b6998594c12832fe6a0d53d3fe307c8aaa2dc834bf6ef8af12323cb2d9946c557 |
C:\Windows\System\OTieEbC.exe
| MD5 | 17541ed5f48daf62655483b6baed792d |
| SHA1 | 71a88fdc93be87906a61c6696d5c876aae3f2511 |
| SHA256 | ea6f2cc33c907ce5ddeaa49fb550522cbf1359115fdee46bfbd6700e5c4834e0 |
| SHA512 | 315fa21e3a87ba8e44346a6961cc6ac2f4a091f36c94fef0c693f52eaf38d0d9d9897ded14ad124f8de88710e55b72d981d5e200e83d588bc8db0c9187db5a48 |
memory/4660-44-0x00007FF7B82C0000-0x00007FF7B8614000-memory.dmp
C:\Windows\System\jOJLyVo.exe
| MD5 | 64f3dfdbc29ce9ec7d5bd3c2565075d7 |
| SHA1 | fb54a64dea4fa3f75d377c6df87c4c7b792bcd34 |
| SHA256 | aa39f09437ffe6268dcf1ef7d74a0f16835f3b0f2d2e10f203ed89cb5b09bcb9 |
| SHA512 | d36d0f6a420c2e11eb1531a0479e1cc099763b2c7e973582be30337eba23384fc752e98e6994c83d223aa35824831a9aac4701a3c834cea3c2bf9e3d3dacb4f6 |
memory/4512-36-0x00007FF6A5B40000-0x00007FF6A5E94000-memory.dmp
memory/2032-29-0x00007FF7FD880000-0x00007FF7FDBD4000-memory.dmp
memory/3512-23-0x00007FF6A81E0000-0x00007FF6A8534000-memory.dmp
C:\Windows\System\mhMQJGt.exe
| MD5 | 33d0781a26a686da787f82889a72c919 |
| SHA1 | 1d320b8ab71e116cc185bfbddb06ebda5cf3cd9c |
| SHA256 | 9c4f9353d8b43a5c0a4c027e68274af631cc14a06cf24f66f75bb37365a893c0 |
| SHA512 | 523e3cedce2de8874a24dbac9d52ebb5de003f3fb22963ad50cf4758305e5e68dafa098f975abd4b061f77fb123264321fde57964ae328f8ad753c8826a63de9 |
C:\Windows\System\efcBEpQ.exe
| MD5 | 8a8953755729d89371af9c97ffd7a7b8 |
| SHA1 | 3711eff160b10a8ba6ef177226f6433ace16ad5f |
| SHA256 | 3db8d0064c71f1dfb0cc95ad163ad10fbf349f1bea17e07e3fc151648ffae740 |
| SHA512 | 575347e92a2c6028ee1a97f21088d5223a23ed5e92602d0b3a71dfb5a7578c963a46b9141e47610e1047e9a19dd313d2c75e34977a4553a2d7d31e44f48431a0 |
C:\Windows\System\LLcSFlP.exe
| MD5 | fbe8ea95b531d411cc9f5ddcbb286391 |
| SHA1 | 313203c890ffec5119391c6b54ba0137a3c6e720 |
| SHA256 | f77df977c72641d693c710081ed187be22323b79a6beaf3456f79e199d31b4e1 |
| SHA512 | 9a500be921827222e30e57ac28cc2788b1caf91f3de00da74f23d633fc893d8ba80d8cfb1b7dea4cebf8ea8838e18cbc4ed15b176af19ec15a595969e0fb3d78 |
memory/1716-126-0x00007FF7BF0A0000-0x00007FF7BF3F4000-memory.dmp
memory/4312-127-0x00007FF7BC0A0000-0x00007FF7BC3F4000-memory.dmp
memory/4396-117-0x00007FF670740000-0x00007FF670A94000-memory.dmp
C:\Windows\System\ESiXKsb.exe
| MD5 | 0895ab5bcf5948a1a1fae075a8923ed0 |
| SHA1 | 95d7f769728df1ff1cc25ac09e543df91d41e994 |
| SHA256 | 7f38632a70471fc729022cec7f81ad61c718e9301dc2957667a7293f21836e80 |
| SHA512 | 2fbad4ce48241b0062e81b0bbc346d3dfcc04ccd14a4f59177a8732630a424f33bfb48150e3af8582291f01b6c9cc00dd31ce3bbd539b7d374cdeddee1cf33ef |
memory/1976-112-0x00007FF6E8120000-0x00007FF6E8474000-memory.dmp
memory/2996-128-0x00007FF6CEA80000-0x00007FF6CEDD4000-memory.dmp
memory/5016-129-0x00007FF7012B0000-0x00007FF701604000-memory.dmp
memory/4868-130-0x00007FF771A60000-0x00007FF771DB4000-memory.dmp
memory/2032-132-0x00007FF7FD880000-0x00007FF7FDBD4000-memory.dmp
memory/3512-131-0x00007FF6A81E0000-0x00007FF6A8534000-memory.dmp
memory/4512-133-0x00007FF6A5B40000-0x00007FF6A5E94000-memory.dmp
memory/1072-134-0x00007FF70F1A0000-0x00007FF70F4F4000-memory.dmp
memory/2680-135-0x00007FF6A5B60000-0x00007FF6A5EB4000-memory.dmp
memory/4660-136-0x00007FF7B82C0000-0x00007FF7B8614000-memory.dmp
memory/4196-137-0x00007FF64E360000-0x00007FF64E6B4000-memory.dmp
memory/4396-138-0x00007FF670740000-0x00007FF670A94000-memory.dmp
memory/1716-139-0x00007FF7BF0A0000-0x00007FF7BF3F4000-memory.dmp
memory/5016-140-0x00007FF7012B0000-0x00007FF701604000-memory.dmp
memory/4868-141-0x00007FF771A60000-0x00007FF771DB4000-memory.dmp
memory/3512-142-0x00007FF6A81E0000-0x00007FF6A8534000-memory.dmp
memory/4512-143-0x00007FF6A5B40000-0x00007FF6A5E94000-memory.dmp
memory/1072-144-0x00007FF70F1A0000-0x00007FF70F4F4000-memory.dmp
memory/2032-147-0x00007FF7FD880000-0x00007FF7FDBD4000-memory.dmp
memory/4876-146-0x00007FF67B3F0000-0x00007FF67B744000-memory.dmp
memory/4660-145-0x00007FF7B82C0000-0x00007FF7B8614000-memory.dmp
memory/2716-148-0x00007FF668A80000-0x00007FF668DD4000-memory.dmp
memory/2096-153-0x00007FF63E880000-0x00007FF63EBD4000-memory.dmp
memory/4584-155-0x00007FF7D7080000-0x00007FF7D73D4000-memory.dmp
memory/3800-154-0x00007FF6EC230000-0x00007FF6EC584000-memory.dmp
memory/2680-152-0x00007FF6A5B60000-0x00007FF6A5EB4000-memory.dmp
memory/5028-151-0x00007FF6DBCE0000-0x00007FF6DC034000-memory.dmp
memory/3148-150-0x00007FF65C950000-0x00007FF65CCA4000-memory.dmp
memory/1068-149-0x00007FF7D1E70000-0x00007FF7D21C4000-memory.dmp
memory/4196-156-0x00007FF64E360000-0x00007FF64E6B4000-memory.dmp
memory/1976-157-0x00007FF6E8120000-0x00007FF6E8474000-memory.dmp
memory/2996-158-0x00007FF6CEA80000-0x00007FF6CEDD4000-memory.dmp
memory/4396-159-0x00007FF670740000-0x00007FF670A94000-memory.dmp
memory/1716-160-0x00007FF7BF0A0000-0x00007FF7BF3F4000-memory.dmp
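The listing above is raw sandbox output: each dropped file path is followed by its hash rows, and `memory/<pid>-<seq>-<start>-<end>-memory.dmp` entries for the same process and region repeat as the run progresses. The parser below is an added example, not part of the report or of any sandbox tooling; it turns an excerpt of that listing (constructed inline from entries on this page) into a hash set and a per-PID set of unique memory regions, validates digest lengths before emitting them as IOCs, and computes region sizes. The line-format assumptions (a bare `C:\...` path line, `| MD5 | ... |` style rows, and the `memory/...` naming) are inferred from the page, not from a documented schema. Worth noticing when you run it: every dumped region on this page spans 0x354000 bytes, consistent with the same image being mapped in each spawned process.

```python
"""Parse a sandbox dropped-file / memory-dump listing into IOCs.

Added example, not part of the original report.  Format assumptions
(path line, "| ALGO | hex |" rows, "memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp")
are inferred from the listing on this page.
"""
import re
from collections import defaultdict

# Constructed sample: a few entries copied from the listing above, including
# a repeated memory entry for PID 1072 to show the de-duplication.
SAMPLE = r"""
C:\Windows\System\zFKPolL.exe
| MD5 | 1547f22b312d34baf2fe6ef010340813 |
| SHA1 | f805ed540146c198b0cfe71519d1bd74401545bb |
| SHA256 | a29463d8ad4c5c940ef97bff81e895668337d431f3f69ca4c7a93427213d1571 |
memory/1072-43-0x00007FF70F1A0000-0x00007FF70F4F4000-memory.dmp
C:\Windows\System\vAilNgr.exe
| MD5 | ed76945c1ab28e80613d162135e8957f |
| SHA256 | e31c6020d054b233974c459de5c9045a23b00894a0d5f45ec65c6f3af8c8f3af |
memory/2716-99-0x00007FF668A80000-0x00007FF668DD4000-memory.dmp
memory/1072-134-0x00007FF70F1A0000-0x00007FF70F4F4000-memory.dmp
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\\S.*$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Expected hex-digit length per algorithm; anything else is a copy error, not an IOC.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_listing(text):
    """Return (files, regions).

    files:   list of dicts, one per dropped file: {"path": ..., "MD5": ..., ...}
    regions: dict pid -> set of (start, end) address tuples, de-duplicated
             across the repeated snapshot entries the listing contains
    """
    files = []
    regions = defaultdict(set)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = {"path": line}
            files.append(current)
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} digest has wrong length: {line}")
            if current is None:
                # A hash row whose path lies outside the excerpt: skip it
                # rather than attach it to the wrong file.
                continue
            current[algo] = digest
            continue
        m = MEM_RE.match(line)
        if m:
            pid = int(m.group(1))
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            regions[pid].add((start, end))
            continue
        # Any other line (signature tables, headings) is not an IOC source here.
    return files, dict(regions)


def region_sizes(regions):
    """Map each pid to the sorted list of unique region sizes in bytes."""
    return {pid: sorted(end - start for start, end in rs) for pid, rs in regions.items()}


def sha256_set(files):
    """The SHA256 block-list a detection engineer would export."""
    return {f["SHA256"] for f in files if "SHA256" in f}


if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE)
    for f in files:
        print(f["path"], f.get("SHA256"))
    for pid, sizes in region_sizes(regions).items():
        print(pid, [hex(s) for s in sizes])
```

Feed the full listing to `parse_listing` to get one SHA256 per dropped executable and one region per PID; the sizes are what let you compare the in-memory image across processes without opening every dump.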