Analysis Overview
SHA256
545e9f29d091b951c5a44edd6c32d9f008263eb9d1836ded2e0527bd93638bfd
Threat Level: Known bad
The file 2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
xmrig
XMRig Miner payload
Cobaltstrike family
Xmrig family
Cobalt Strike reflective loader
XMRig Miner payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-08-06 12:07
Signatures
Cobalt Strike reflective loader
1 hit; no description, indicator, process or target was recorded.
Cobaltstrike family
XMRig Miner payload
1 hit; no description, indicator, process or target was recorded.
Xmrig family
UPX packed file
1 hit; no description, indicator, process or target was recorded.
Unsigned PE
1 hit; no description, indicator, process or target was recorded.
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 12:07
Reported
2024-08-06 12:10
Platform
win7-20240708-en
Max time kernel
140s
Max time network
145s
Signatures
Cobalt Strike reflective loader
21 hits; no description, indicator, process or target was recorded for any of them.
Cobaltstrike
xmrig
XMRig Miner payload
56 hits; no description, indicator, process or target was recorded for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\SzBIfSf.exe | N/A |
| N/A | N/A | C:\Windows\System\dJtJKpF.exe | N/A |
| N/A | N/A | C:\Windows\System\CQEIEku.exe | N/A |
| N/A | N/A | C:\Windows\System\nDrxQnB.exe | N/A |
| N/A | N/A | C:\Windows\System\bxmmAgE.exe | N/A |
| N/A | N/A | C:\Windows\System\geVJHMM.exe | N/A |
| N/A | N/A | C:\Windows\System\xErHPfX.exe | N/A |
| N/A | N/A | C:\Windows\System\WMXZJXR.exe | N/A |
| N/A | N/A | C:\Windows\System\uSPFqAy.exe | N/A |
| N/A | N/A | C:\Windows\System\tQyQQaw.exe | N/A |
| N/A | N/A | C:\Windows\System\sDzEzSj.exe | N/A |
| N/A | N/A | C:\Windows\System\fGzVXCG.exe | N/A |
| N/A | N/A | C:\Windows\System\Oiwghhs.exe | N/A |
| N/A | N/A | C:\Windows\System\baBasSK.exe | N/A |
| N/A | N/A | C:\Windows\System\EbTiivP.exe | N/A |
| N/A | N/A | C:\Windows\System\HigMpnQ.exe | N/A |
| N/A | N/A | C:\Windows\System\ekcQRQU.exe | N/A |
| N/A | N/A | C:\Windows\System\TNsSpNE.exe | N/A |
| N/A | N/A | C:\Windows\System\fQLImec.exe | N/A |
| N/A | N/A | C:\Windows\System\xAbwRIa.exe | N/A |
| N/A | N/A | C:\Windows\System\XBQDjAl.exe | N/A |
Loads dropped DLL
UPX packed file
55 hits; no description, indicator, process or target was recorded for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\SzBIfSf.exe
C:\Windows\System\SzBIfSf.exe
C:\Windows\System\dJtJKpF.exe
C:\Windows\System\dJtJKpF.exe
C:\Windows\System\CQEIEku.exe
C:\Windows\System\CQEIEku.exe
C:\Windows\System\nDrxQnB.exe
C:\Windows\System\nDrxQnB.exe
C:\Windows\System\bxmmAgE.exe
C:\Windows\System\bxmmAgE.exe
C:\Windows\System\geVJHMM.exe
C:\Windows\System\geVJHMM.exe
C:\Windows\System\xErHPfX.exe
C:\Windows\System\xErHPfX.exe
C:\Windows\System\tQyQQaw.exe
C:\Windows\System\tQyQQaw.exe
C:\Windows\System\WMXZJXR.exe
C:\Windows\System\WMXZJXR.exe
C:\Windows\System\sDzEzSj.exe
C:\Windows\System\sDzEzSj.exe
C:\Windows\System\uSPFqAy.exe
C:\Windows\System\uSPFqAy.exe
C:\Windows\System\fGzVXCG.exe
C:\Windows\System\fGzVXCG.exe
C:\Windows\System\Oiwghhs.exe
C:\Windows\System\Oiwghhs.exe
C:\Windows\System\baBasSK.exe
C:\Windows\System\baBasSK.exe
C:\Windows\System\EbTiivP.exe
C:\Windows\System\EbTiivP.exe
C:\Windows\System\HigMpnQ.exe
C:\Windows\System\HigMpnQ.exe
C:\Windows\System\ekcQRQU.exe
C:\Windows\System\ekcQRQU.exe
C:\Windows\System\TNsSpNE.exe
C:\Windows\System\TNsSpNE.exe
C:\Windows\System\fQLImec.exe
C:\Windows\System\fQLImec.exe
C:\Windows\System\xAbwRIa.exe
C:\Windows\System\xAbwRIa.exe
C:\Windows\System\XBQDjAl.exe
C:\Windows\System\XBQDjAl.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2092-0-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/2092-1-0x00000000000F0000-0x0000000000100000-memory.dmp
C:\Windows\system\SzBIfSf.exe
| MD5 | ff7d784bbdc4ddfa1a90a3c9e85fb29d |
| SHA1 | 47aaf04d4fe7150a83d962e37ea6fd7a8393c513 |
| SHA256 | 9d1a7aa4c6c6d9013c05db3366f6d46e6926b209c57bbb2a3484e3c9e9d3d132 |
| SHA512 | 21007b6cd04cc5ce31fc3f1c11dae2e5db969e179daa6d44a3d6383a7aff9f4dac5237f9d191a000d5509ce2ccf4f16be3aade215adb8c18f087368313f35734 |
\Windows\system\dJtJKpF.exe
| MD5 | 48c435fdd8f51bc0c75d339c5430ade9 |
| SHA1 | 6c3cf7dbcf7f05514d654b598aae521ec8957c94 |
| SHA256 | ef060705e285b3f6e8680c1bc080891ca1f44d4c35b0893f8b1c7431549d102f |
| SHA512 | 5627da95550629e034e89207b7cfd96875152bfb84a8ab5b1a58c327afbd4533e0beffc4a34ed1988824741c91e3841bdcc56f2134ea87029fca79ae35edf300 |
memory/2092-13-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/2668-16-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/2092-15-0x0000000002490000-0x00000000027E4000-memory.dmp
memory/3008-14-0x000000013F490000-0x000000013F7E4000-memory.dmp
C:\Windows\system\CQEIEku.exe
| MD5 | febd6ed17c1ee7aa0be72e33efbcf94f |
| SHA1 | 5d2bedfc5fe33853318a45291d98179f69f42341 |
| SHA256 | 80813ad667ca60c01e0f107afc09eace2bf6315bf9641f3cef23ab3a30fd0306 |
| SHA512 | d43fa29270e19fbad26eceb5a30a9bc17d9df3e8b55d11c27ac950c00d4032461d526196d0aa65ace76569e66dae17dc414a563738b1e05708642dde657756ce |
memory/2092-18-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2704-23-0x000000013FF70000-0x00000001402C4000-memory.dmp
\Windows\system\nDrxQnB.exe
| MD5 | 2588e5eae93cb64402cb649e87f4550e |
| SHA1 | eeb56276cb4e9bc736e795d0f93ad0efef726918 |
| SHA256 | 61619f6874a13b708e20279c2f873f3de72b4dd47fa4604e6db75628117e85c2 |
| SHA512 | d331699dee02219a8e6e85511999e3b086b775ca7f23917b33373f2ba1017a4b8679d4079cb7c3f743e32b65ffd90e1d31decc8c709b41117415b7b2eb84706d |
C:\Windows\system\bxmmAgE.exe
| MD5 | cdeb10f27fe9b4fffeadcbeded83f5b0 |
| SHA1 | e0c1f5aa359ac72353962131ee0252177b80a71b |
| SHA256 | b1bd5b3cdf98787e7667f21ecc6b8574e413aa78943ec5a94bade94dcea3692c |
| SHA512 | 2766bfac1b263948fc12d60fa2ba2d21773665f1a48ea78c4958e3d9fa463dc98935bd7530eb5aa98f9141274240961e50cc9677f19747fc3f8f43f776e275b3 |
C:\Windows\system\geVJHMM.exe
| MD5 | 6559a58454ec33769b5316ddba5077a9 |
| SHA1 | 44423c7e420f54f188be4fcbaa741f22a5babc24 |
| SHA256 | b0a9c8cb1ead6c745909abd86ee24983742d25a10db9d96f092eb8cbea71467d |
| SHA512 | 468d8ed949bef0d7324f77a4b53b4de22a0044a986dcff3549f337c348c72469388f18cdf5788164f2a2057147fde04807a1de64d53b7a4523208d7a907e927d |
\Windows\system\WMXZJXR.exe
| MD5 | 1a0f5ff1a6be89caaecb8cc725499bec |
| SHA1 | 9b6219d8cc1c746cf94db123f0e48471215e35e9 |
| SHA256 | 61cdc318d6f45ec31a899b23037e13e1fc7a6c8eaff919ffd9e0d7b98e770499 |
| SHA512 | b0fa18ea69a980aace4ce5f5b2db8175c2c38b0d0a644c999ebe377c34ea5da8276c8df74d00274b8b545d8ebdc39c6b009d5144b91a0961da94c0a4282044a8 |
\Windows\system\xErHPfX.exe
| MD5 | 7c91349cb932a3a5d4874ddb2181019a |
| SHA1 | 5f94ac16e4553b990d95f054ed1332d276b9fa5e |
| SHA256 | 07ffdf4ddf50b6ef515fb75a64e3cdecf1349b54f0c1dc2844facfd48d097731 |
| SHA512 | 09eccade6f082a8f46faa8ec3de33075128ab5c5d127bf4df5cc87938e21a3c9902d88d5bbdd477769f98f9e94779262c1641dfc444fcc1a51fc346a98a45c4a |
memory/2092-42-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2092-70-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2732-83-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2868-92-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2092-97-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/1556-98-0x000000013F410000-0x000000013F764000-memory.dmp
C:\Windows\system\TNsSpNE.exe
| MD5 | 24f8a89896ee93514d05ec83cda28ab2 |
| SHA1 | 496f4d5bb27d76f5b3ab924cec618de1960c4fd0 |
| SHA256 | c027f9368c064eb6deab9cbce9cc7ddfb1b748c8b440acb9e088e5cbf29d9ec9 |
| SHA512 | c1faef8e4652687b42c45b0e85e1addb1e4ece956ebce5373668051d8c4ed682a0c22a2fc8fa6d11c744d17581c006fb5393b8c4cb9ff1525fdd98da5e161545 |
C:\Windows\system\XBQDjAl.exe
| MD5 | a1bbf869eb43375ee4fd08121549f580 |
| SHA1 | ac1b29ef48313a6dde1d2bc268291986b2abbf53 |
| SHA256 | 450883bc0f6a88613f08eb1ad0ae5e01ba07cb9d9b203ad571ac9762fc9ec3a0 |
| SHA512 | 978b866b94ef7d7eb2f9f0c13cec0dbe679221cfa0dfff387b46041790f7e2d13d845e71b55e4377e2758340c25587de4504f79bbcd61300b92fd09dd859d3b4 |
C:\Windows\system\xAbwRIa.exe
| MD5 | e364123ea6c9688ab3c08fc4c8fa3517 |
| SHA1 | fa2bdb9bdcb095b8461cf9dfc3a0a4437c2031a4 |
| SHA256 | 0a77866a4ad18b9dcb91bce7e2d15fe397f1eddd33da8ed22ae046912aa0de87 |
| SHA512 | ca58c978029c567bd4e93b7893a29587a9b159114af723758524927c00dee226aae8ef6fd09538d0191b6bd944b4f606d44f5253a622ee7c36ba7c889bfd2d14 |
C:\Windows\system\fQLImec.exe
| MD5 | 7722c073b3146f7c210e5e51773b264d |
| SHA1 | ef1887d3578267b489a84bfac04ec7cf08354b2a |
| SHA256 | 4f52ca9a9a9836f0b27e48a131aa12a4f492ac565626fed728f3d5d41d729a8c |
| SHA512 | b1b51d9868ce73c58efcf4e17f9a99fbfe379377cf1c7c2ec7f86e2cba04df907e5cba41d57937d8aac064863c84feccf80f67c2b25412f140ca40126c1e56d8 |
C:\Windows\system\ekcQRQU.exe
| MD5 | 0bdaa6043d33f3204f18fab319ff815d |
| SHA1 | c4365e1e57a5a9cb6bb3b642d70e997cde398718 |
| SHA256 | cabd7dfb3bb275e4d403e4cfa268401f220a1696b535718f2430147843a12dae |
| SHA512 | 197f502f8490da20b8cd147f734d4f1262fd01b9c593562b0085ce1933aebddb5817ecee460c92a871d0d82a475caf67392b6c2305e65bc22e4648eda02370ea |
C:\Windows\system\HigMpnQ.exe
| MD5 | 7d5b2432930ca07beb295c50c0184b42 |
| SHA1 | 5e024a77b7b800f0d7abf933a5057c3394c6e9aa |
| SHA256 | 7880974e062e1ce67df8feeac70e482d972bbd3607778310681ba6d0438e0f77 |
| SHA512 | a545751d63cc696f710419503e3961e6e2cd407402e17c8b4e31648fafb0f0b84cdae851e24c1c6e3e348caf4d0b827cfcc976709fbf0fe08b1839d3b0111d22 |
memory/2092-106-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2092-105-0x000000013F490000-0x000000013F7E4000-memory.dmp
C:\Windows\system\EbTiivP.exe
| MD5 | f7a787aeb40f9e3bdbac2a03f4279276 |
| SHA1 | ad3a8ab00e6d876f9fddd0698f24e7d6e95cf36e |
| SHA256 | 45383a22d9666f9e72a01115706690db99daa28eacee909234b4c0398bbe4d80 |
| SHA512 | 1bba278d8376971bbd6b66de01d3e23c84690697e372fde6059db118412dc567c0ee6c1313de871a13990d1283dd9a656a2019e0281f8ab445dde48861b72cf0 |
C:\Windows\system\baBasSK.exe
| MD5 | 5c5a15c0b0004014ffed8b6e885d5705 |
| SHA1 | dd0deace0919f706cdfad81385acfd922a5bb782 |
| SHA256 | 884bdd1ff0ec849977e00c4a22d5240f8acd1ab1d224cacd2ffb9cc2998e9665 |
| SHA512 | f7a2d70f4f67055d6b095503c8c4bd9005b81f3fb3d62f85fffda92b2cb9d859ea97bb31dc0fe8b63d250d9f369d2646e2981e79457420a74395d96a106c910e |
memory/2092-91-0x0000000002490000-0x00000000027E4000-memory.dmp
memory/2504-84-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
C:\Windows\system\Oiwghhs.exe
| MD5 | f34fe16614740424b43521bf1d1258a1 |
| SHA1 | 32e5c3add7579922e5d183e48eba4ce81d863e6e |
| SHA256 | dfa1204eea98c057590a48d02d7a53b4d78416800beec225c619b7d4e9c5b8ca |
| SHA512 | fadbe90fe8ed1a40896da665abcbed087c71a2789f50f19a3dd1878171db7e29404b8d22e8402bfd18508af58e0d36db10eefdc07bd8efcbc834db3cfd5dec08 |
C:\Windows\system\fGzVXCG.exe
| MD5 | 5fa996e780651991de5dd77920275113 |
| SHA1 | e3a49f990b786f72766e35d881f8949f87dcba38 |
| SHA256 | 3e3ab15fb9914580816ead6ab81de25ba1230928c3844a889b413d6530924dcd |
| SHA512 | 2b719ef61169c4c8ae777ad638f40b8c808729c16ebadf86accfd27411c9113241dccb10ab8a61b144dc8892307d2c5e43855531f0f105b09a2f73a8e90d508d |
C:\Windows\system\sDzEzSj.exe
| MD5 | 56a379f91df4a800f863f3c1b746676c |
| SHA1 | b68c6334ffb47d7ba54f0b617bec1d6eb11aaaec |
| SHA256 | 7a5904f7be0cea1716407cff1511a0c45b27594c9d99cb3b6677a367c7866141 |
| SHA512 | e267adc5c70e0758d1ea4078be027f33599cd49650627bbf68ae7f71d52ae8f2dbe856c579a56e6bd4415d631269a1b560bc7572d9fdf11ae5b638b3be8793a1 |
memory/2160-79-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2376-78-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2092-76-0x000000013F7C0000-0x000000013FB14000-memory.dmp
memory/2092-75-0x0000000002490000-0x00000000027E4000-memory.dmp
memory/2092-74-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
C:\Windows\system\tQyQQaw.exe
| MD5 | 04c0addbcd25cef03aa354bdb3b62d47 |
| SHA1 | cf6b161293ecb6c5126b222672c5e9f9f0f7e57a |
| SHA256 | 10ad63255d68d05032a4bf05b670c1a2742fc433216be25a4227ffba9226f26c |
| SHA512 | 660ddf96bb8b512f213d40b0e77c6b435a64df23b62bf8f18525d71c81ff0b42d57eac8a548b4f643c0b764680e363f20b8ea9f9816827ebe631ba2f76140b0f |
memory/2092-72-0x0000000002490000-0x00000000027E4000-memory.dmp
memory/2264-71-0x000000013F7C0000-0x000000013FB14000-memory.dmp
memory/2112-69-0x000000013F940000-0x000000013FC94000-memory.dmp
C:\Windows\system\uSPFqAy.exe
| MD5 | 9301335cb4ae11bd3f8ac1115f463df8 |
| SHA1 | fab5b62788fb69d0a1f3b92b80621f49a92edc64 |
| SHA256 | 058b7d1754ca926dc50d154d46a3abe8bb00277d0d610a3f7fe399aa8fb1aee2 |
| SHA512 | 9940fd16cf66a7546e162310a711a1b85f8a070418f11fb908064dcddbb1f7b172f6241d930534e6a1f483905b7738a57b8c61c05fd4b4c6c7b9b2b532216ac0 |
memory/2604-66-0x000000013FE40000-0x0000000140194000-memory.dmp
memory/2092-65-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2092-62-0x0000000002490000-0x00000000027E4000-memory.dmp
memory/2544-59-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2712-28-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2704-136-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2092-137-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2092-139-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2712-138-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2092-140-0x0000000002490000-0x00000000027E4000-memory.dmp
memory/2504-141-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/1556-142-0x000000013F410000-0x000000013F764000-memory.dmp
memory/3008-143-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/2668-144-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/2704-145-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2544-147-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2712-146-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/2264-150-0x000000013F7C0000-0x000000013FB14000-memory.dmp
memory/2604-149-0x000000013FE40000-0x0000000140194000-memory.dmp
memory/2112-148-0x000000013F940000-0x000000013FC94000-memory.dmp
memory/2376-151-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2160-152-0x000000013F280000-0x000000013F5D4000-memory.dmp
memory/2732-153-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2504-155-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2868-154-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/1556-156-0x000000013F410000-0x000000013F764000-memory.dmp
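Added example, not part of the sandbox report: a short script that parses the memory-dump names in the Files section above and compares the dumped region sizes across processes. It assumes the naming convention memory/<pid>-<seq>-<start>-<end>-memory.dmp (process id, then a dump sequence number), which is how these names read but is not stated on the page. Run over the entries listed above, every region except the parent's small 0x10000 region is exactly 0x354000 bytes: in each dropped process at its image base, and also at a non-image address (0x2490000) inside the parent PID 2092. That is consistent with every dropped file carrying the same payload under a different name, and with the parent staging a copy before the WriteProcessMemory calls the report flags, but confirming it needs the dumps themselves, which this page does not include.

```python
"""
Parse sandbox memory-dump names and compare region sizes across processes.

Added example; the dump list is a subset copied from the behavioral1 Files
section of the report. Assumed name format (not stated on the page):
    memory/<pid>-<seq>-<start>-<end>-memory.dmp
"""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)"
    r"-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Return (pid, seq, start, end, size) or None if the name does not match."""
    m = DUMP_RE.match(name)
    if not m:
        return None
    start, end = int(m["start"], 16), int(m["end"], 16)
    return int(m["pid"]), int(m["seq"]), start, end, end - start


def region_sizes(names):
    """Map each distinct region size to the set of PIDs it was dumped from."""
    by_size = defaultdict(set)
    for n in names:
        parsed = parse_dump_name(n)
        if parsed:
            pid, _, _, _, size = parsed
            by_size[size].add(pid)
    return dict(by_size)


def regions_per_pid(names):
    """Count distinct (start, end) regions dumped for each PID.

    The same region is often dumped more than once (different <seq> values),
    so duplicates are collapsed before counting.
    """
    seen = defaultdict(set)
    for n in names:
        parsed = parse_dump_name(n)
        if parsed:
            pid, _, start, end, _ = parsed
            seen[pid].add((start, end))
    return {pid: len(r) for pid, r in seen.items()}


# Subset of the behavioral1 memory dumps listed above (copied verbatim).
DUMPS = [
    "memory/2092-0-0x000000013FBF0000-0x000000013FF44000-memory.dmp",
    "memory/2092-1-0x00000000000F0000-0x0000000000100000-memory.dmp",
    "memory/2092-13-0x000000013F490000-0x000000013F7E4000-memory.dmp",
    "memory/2668-16-0x000000013FAE0000-0x000000013FE34000-memory.dmp",
    "memory/2092-15-0x0000000002490000-0x00000000027E4000-memory.dmp",
    "memory/3008-14-0x000000013F490000-0x000000013F7E4000-memory.dmp",
    "memory/2704-23-0x000000013FF70000-0x00000001402C4000-memory.dmp",
    "memory/2732-83-0x000000013F1B0000-0x000000013F504000-memory.dmp",
    "memory/2868-92-0x000000013FE10000-0x0000000140164000-memory.dmp",
    "memory/1556-98-0x000000013F410000-0x000000013F764000-memory.dmp",
    "memory/2092-106-0x000000013F7A0000-0x000000013FAF4000-memory.dmp",
]

if __name__ == "__main__":
    for size, pids in sorted(region_sizes(DUMPS).items()):
        print(f"region size 0x{size:X}: PIDs {sorted(pids)}")
    print("distinct regions per PID:", regions_per_pid(DUMPS))
```

Feeding the full list from the page (including the behavioral2 entries, whose 0x7FF7... bases are 64-bit image addresses on Windows 10) gives the same two sizes; the next step an analyst would take is to diff the 0x354000-byte dumps from two different dropped PIDs, which the naming alone cannot settle.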
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 12:07
Reported
2024-08-06 12:10
Platform
win10v2004-20240802-en
Max time kernel
140s
Max time network
148s
Signatures
Cobalt Strike reflective loader
21 hits; no description, indicator, process or target was recorded for any of them.
Cobaltstrike
xmrig
XMRig Miner payload
64 hits; no description, indicator, process or target was recorded for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\POgcVrn.exe | N/A |
| N/A | N/A | C:\Windows\System\ISAJHOQ.exe | N/A |
| N/A | N/A | C:\Windows\System\TYddnar.exe | N/A |
| N/A | N/A | C:\Windows\System\NDNmvDP.exe | N/A |
| N/A | N/A | C:\Windows\System\LWprezB.exe | N/A |
| N/A | N/A | C:\Windows\System\dVrVtez.exe | N/A |
| N/A | N/A | C:\Windows\System\nbCWXpN.exe | N/A |
| N/A | N/A | C:\Windows\System\aBNULYa.exe | N/A |
| N/A | N/A | C:\Windows\System\UcgKVxP.exe | N/A |
| N/A | N/A | C:\Windows\System\YUinyOG.exe | N/A |
| N/A | N/A | C:\Windows\System\QyjgDFD.exe | N/A |
| N/A | N/A | C:\Windows\System\ffDnrTP.exe | N/A |
| N/A | N/A | C:\Windows\System\IZfUNTG.exe | N/A |
| N/A | N/A | C:\Windows\System\GNwvmvv.exe | N/A |
| N/A | N/A | C:\Windows\System\Fvqlmgn.exe | N/A |
| N/A | N/A | C:\Windows\System\yKzIiLN.exe | N/A |
| N/A | N/A | C:\Windows\System\NkWhvvo.exe | N/A |
| N/A | N/A | C:\Windows\System\VQNShoy.exe | N/A |
| N/A | N/A | C:\Windows\System\uiKwwMD.exe | N/A |
| N/A | N/A | C:\Windows\System\iItSVMV.exe | N/A |
| N/A | N/A | C:\Windows\System\LHIgbpU.exe | N/A |
UPX packed file
64 hits; no description, indicator, process or target was recorded for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_f723e8ea3d1053228be89009c9d29eaa_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\POgcVrn.exe
C:\Windows\System\POgcVrn.exe
C:\Windows\System\ISAJHOQ.exe
C:\Windows\System\ISAJHOQ.exe
C:\Windows\System\TYddnar.exe
C:\Windows\System\TYddnar.exe
C:\Windows\System\NDNmvDP.exe
C:\Windows\System\NDNmvDP.exe
C:\Windows\System\LWprezB.exe
C:\Windows\System\LWprezB.exe
C:\Windows\System\dVrVtez.exe
C:\Windows\System\dVrVtez.exe
C:\Windows\System\nbCWXpN.exe
C:\Windows\System\nbCWXpN.exe
C:\Windows\System\aBNULYa.exe
C:\Windows\System\aBNULYa.exe
C:\Windows\System\UcgKVxP.exe
C:\Windows\System\UcgKVxP.exe
C:\Windows\System\YUinyOG.exe
C:\Windows\System\YUinyOG.exe
C:\Windows\System\QyjgDFD.exe
C:\Windows\System\QyjgDFD.exe
C:\Windows\System\ffDnrTP.exe
C:\Windows\System\ffDnrTP.exe
C:\Windows\System\IZfUNTG.exe
C:\Windows\System\IZfUNTG.exe
C:\Windows\System\GNwvmvv.exe
C:\Windows\System\GNwvmvv.exe
C:\Windows\System\Fvqlmgn.exe
C:\Windows\System\Fvqlmgn.exe
C:\Windows\System\yKzIiLN.exe
C:\Windows\System\yKzIiLN.exe
C:\Windows\System\NkWhvvo.exe
C:\Windows\System\NkWhvvo.exe
C:\Windows\System\VQNShoy.exe
C:\Windows\System\VQNShoy.exe
C:\Windows\System\uiKwwMD.exe
C:\Windows\System\uiKwwMD.exe
C:\Windows\System\iItSVMV.exe
C:\Windows\System\iItSVMV.exe
C:\Windows\System\LHIgbpU.exe
C:\Windows\System\LHIgbpU.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
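Added example, not part of the sandbox report: a small matcher that turns the indicators on this page into detection logic and runs it over constructed sample telemetry. Only the indicator values come from the report: the 3.120.209.58:8080 TCP destination seen in both detonations, two of the dropped-file SHA256 hashes, the pattern of seven-letter executables written to C:\Windows\System (not System32) and then executed, and the SeLockMemoryPrivilege adjustment. That privilege is the one XMRig enables to get large pages for its hashing scratchpad, so its appearance alongside the miner signature is worth keying on. The reverse-DNS (in-addr.arpa) queries to 8.8.8.8 in the table above are treated here as ordinary PTR lookups from the analysis VM and left out of the indicator set. The event schema (a dict with a "type" key) and every event record below are made up for illustration and are not a sandbox or EDR format.

```python
"""
Match constructed telemetry against the indicators from this sandbox report.

Added example. Indicator values are copied from the report; the event schema
and the SAMPLE_EVENTS records are assumptions made for illustration.
"""
import re

# --- indicators from the report -------------------------------------------
C2_ENDPOINT = ("3.120.209.58", 8080)  # TCP, both detonations
DROPPED_SHA256 = {  # two of the dropped files (behavioral1 / behavioral2)
    "9d1a7aa4c6c6d9013c05db3366f6d46e6926b209c57bbb2a3484e3c9e9d3d132",  # SzBIfSf.exe
    "54138f160544b3dd4da68bbed36e20625028c694d0bcd5f22da0e21a388a7051",  # POgcVrn.exe
}
# Seven-letter random names dropped into C:\Windows\System, then executed.
DROP_PATH = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)
# Privilege the sample enabled via AdjustTokenPrivileges; XMRig requests it
# so it can allocate large pages.
WATCHED_PRIVILEGES = {"SeLockMemoryPrivilege"}


def classify(event):
    """Return the indicator names an event matches (empty list if none).

    `event` is a dict with a "type" key plus type-specific fields; the schema
    is an assumption of this example, not a real log format.
    """
    hits = []
    kind = event.get("type")
    if kind == "process_create" and DROP_PATH.match(event.get("image", "")):
        hits.append("dropped_exe_in_windows_system")
    if kind == "network_connect" and (
        event.get("dst_ip"), event.get("dst_port")
    ) == C2_ENDPOINT:
        hits.append("c2_endpoint")
    if kind == "privilege_adjust" and WATCHED_PRIVILEGES & set(event.get("enabled", ())):
        hits.append("selockmemory_enabled")
    if kind == "file_write" and event.get("sha256", "").lower() in DROPPED_SHA256:
        hits.append("known_dropped_hash")
    return hits


def scan(events):
    """Return (event, hits) for every event that matches at least one indicator."""
    results = []
    for ev in events:
        hits = classify(ev)
        if hits:
            results.append((ev, hits))
    return results


# Constructed telemetry (not from the report); mixes true hits with benign noise.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\System\SzBIfSf.exe"},
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "process_create", "image": r"C:\Windows\System\notepad.exe"},  # wrong dir, 7 letters
    {"type": "network_connect", "dst_ip": "3.120.209.58", "dst_port": 8080},
    {"type": "network_connect", "dst_ip": "8.8.8.8", "dst_port": 53},  # PTR-lookup noise
    {"type": "privilege_adjust", "enabled": ["SeLockMemoryPrivilege"]},
    {"type": "privilege_adjust", "enabled": ["SeShutdownPrivilege"]},
    {"type": "file_write", "sha256": "9D1A7AA4C6C6D9013C05DB3366F6D46E6926B209C57BBB2A3484E3C9E9D3D132"},
]

if __name__ == "__main__":
    for ev, hits in scan(SAMPLE_EVENTS):
        print(", ".join(hits), "<-", ev)
```

The seven-letter name length is just this sample's naming and is the weakest of the four checks; in a production rule, execution from C:\Windows\System at all, with the dropper as parent, is the stronger signal, and the hash set should be extended with every SHA256 listed in the two Files sections. Whatever form the rule takes, run it against your own fleet first: SeLockMemoryPrivilege is also legitimately enabled by database engines and other large-page users, so that check is a corroborating indicator, not a verdict on its own.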
Files
memory/1636-0-0x00007FF710E30000-0x00007FF711184000-memory.dmp
memory/1636-1-0x00000204CF320000-0x00000204CF330000-memory.dmp
C:\Windows\System\POgcVrn.exe
| MD5 | 34e41bb1e73b9965e46c23c7d68448af |
| SHA1 | 32d7965773e3295a4064a611c0cdd053736c5eb6 |
| SHA256 | 54138f160544b3dd4da68bbed36e20625028c694d0bcd5f22da0e21a388a7051 |
| SHA512 | e4cd6a6b6c1d3a2112d29f618eac0d71d186c708cb2187ba364adbe4b6d7f2837b610462521534b0c1b40477677d58a14e6c9db7798b8928a57605bc2046bf79 |
memory/2672-8-0x00007FF706EC0000-0x00007FF707214000-memory.dmp
C:\Windows\System\ISAJHOQ.exe
| MD5 | 05bfaa94ddc8330190fa116fdde9cef8 |
| SHA1 | 6e1b1407f81ee70f13aa47183dc571898211ea04 |
| SHA256 | 8f03038cf9184e7b3cebaff405063278ea1b9f8c85b8cb9e5b03ff56aeba0669 |
| SHA512 | 7c14c028d9e8931d515de36d1003db6aa6b95e1341cc51172d32704a02e5353b21a9cc2256637a4a496b2124165eb145f207c6247cbbd5fe2b61ed90f02c3580 |
C:\Windows\System\TYddnar.exe
| MD5 | 84d764b897e956c9b88d5405b86d200d |
| SHA1 | 5ff57c4629d5c2f8f17fb8c6bc39a9b578fc3c4d |
| SHA256 | dffac55a490924332c666ba56c9c8136a7d42537370d2f921cd349284b6a724c |
| SHA512 | 9952e4cba6104310279e4c422b4d48c18ec5c14ebdc8837f4e61701aec7555c4df251c60637a3d131f8234e23c23cf115bcab7c51f26fe81092b810475c55d08 |
memory/1744-19-0x00007FF749C10000-0x00007FF749F64000-memory.dmp
C:\Windows\System\NDNmvDP.exe
| MD5 | a38587a7a2bfe25b9a809989426da386 |
| SHA1 | 7311ff02a07562c0d057b4b35b2dce905c4bd05a |
| SHA256 | 12147afb70c53b89859b2136dfd714a3359d546c515d61ff835caa4200004031 |
| SHA512 | 8ba666d1a3b9bde26d0b33b84ff41bd5f6d87b32bcfa9122bf5946452810a7a293a2e1f38893bc03a3744b936c0e6ba31e2b374e4ae46893f9520a196fab1977 |
memory/4808-22-0x00007FF7615C0000-0x00007FF761914000-memory.dmp
C:\Windows\System\LWprezB.exe
| MD5 | 98c316770defe78194bfbec4d1fe1751 |
| SHA1 | 0416a1b6858bffaba04f8c1bdf1897787479c459 |
| SHA256 | ca3f79f638b9f2d2073cb73751389c32ee0ba1eee20d808360c043b36e82d399 |
| SHA512 | dc7314b0f561cbd88fdf5dd4b37a05b171638245dc514ec0294a5ec72b404fa1a01fe13d53ee8967947a1eaa67b628fcb710c3fcc3ad1ec080d53714bf488560 |
C:\Windows\System\dVrVtez.exe
| MD5 | 03b7ff1d8bba66af01cb9f580242fc8c |
| SHA1 | 6ab0edc919c3b7ac8669dd781c3eef141a8712e0 |
| SHA256 | 7c32003ac6b1b800b23d3835c98a52b403c7c33b5a34b6c19739b2501ff0fbf1 |
| SHA512 | b471821b2367cc84eb1a9fed26f87f326af8480e09c5335f4b17967de4991f5ab030bebf8345e98bcc373a5f6a769e80af28bfaa1bfdd2c471572f4246e1fad5 |
C:\Windows\System\nbCWXpN.exe
| MD5 | ab8df944a0b9b8dbf8eba4049739cc2b |
| SHA1 | 0bb05a72176891a2a60ee8af0e9e012ec2a1c9c8 |
| SHA256 | 38f838182ad776286ccf9490ad2df9b56214d714e8b2bbf2d796fb1049befaf6 |
| SHA512 | 89db4e66d6dbdd410380e29fd76830916d2306879ceea7360e9f647e37d03756173416f82f01528bb182a461f3edec24ef64615f9201b9c9ab93fc18c9580a17 |
memory/4136-44-0x00007FF66F150000-0x00007FF66F4A4000-memory.dmp
memory/4976-43-0x00007FF636890000-0x00007FF636BE4000-memory.dmp
memory/2392-40-0x00007FF7CA0F0000-0x00007FF7CA444000-memory.dmp
memory/2668-37-0x00007FF6F8CD0000-0x00007FF6F9024000-memory.dmp
C:\Windows\System\aBNULYa.exe
| MD5 | bed34fc6987cb64403297d9d474c3a4e |
| SHA1 | c06c4d560759bcdad5759768179ac0543b926a01 |
| SHA256 | 9227020ef6f55a3094349f12ef9b2106b58c44ad75ff72c6146d9a876ee0d7ec |
| SHA512 | d6d8bec6dd951d4b14815a0b6802ff5507ba6e56dcb5217dc4011b10974620b869425bb9fda7e86f0313545f309634f7e03ddc91959b612168c14f8e0f184adb |
C:\Windows\System\YUinyOG.exe
| MD5 | 4fe01e378e5e796a22feb405ac0301a0 |
| SHA1 | cdf48428c62b9bcd201106b7f12624ff0abefa58 |
| SHA256 | e1af910b2382f1d90041bce41520f5b8d1ba2a054b55974325b8c9a414a3b6cb |
| SHA512 | 6953fa1bac5b6242d5015f42c60459f1e4a852b1ef696aa63b235c5042f4a30c90a66f9d0b2ecfeea8d602b222fd89f29bf6350d5d15ae95290e0fcf65990abe |
C:\Windows\System\QyjgDFD.exe
| MD5 | 0eb1f57bc9828b3f944a4769a875f4d5 |
| SHA1 | 3d3c145e4145538a5269486fa484af149bc735e9 |
| SHA256 | e529e20756afb20567f4675cc7438b348fbaf355b1e771c79bc6af6519124dc6 |
| SHA512 | 603d3143dd76b9f6fbb62493a79125763ca0671de32a1c31efcd4c5e351fe5f641cdbfc75f5822cb2d5ae9c62b83037f38df927def8574e9f6f650c06a028bee |
C:\Windows\System\ffDnrTP.exe
| MD5 | 999c4d1b18303c51a576bf8221ed8aed |
| SHA1 | 0f503fef70b7c0e79f2b2f1c9f7f4e2ff30ff419 |
| SHA256 | d2d61094eaa14225f7d175604821118756f0feb8dc3a4052ac22e6f629a63a2a |
| SHA512 | 79447d81c84e3abe9c1a26e5c00ec6710ba897e2ffa7c77959a9fdcdce3b279f97b5a257483061dfb2635d16c986aade2e3893bfd9746f30738f6a622d2affa6 |
C:\Windows\System\IZfUNTG.exe
| MD5 | d535adc5ba9aedbbfd74bfeb7b3831fb |
| SHA1 | fc9498897e79f8690171e7691f83464a4b96b1f3 |
| SHA256 | 7db56ca5248d65c368e03961aac54a1129351b92e3d2fe8638d471e654ad4a73 |
| SHA512 | 76cea7f08d6dc710a91da877db34a11e42f0bd721e2e7c21c0762e350d1e3a45081fcbf7b4b881864f451f984477fcfaeb4e5ca278baa921dd5456327cdaa984 |
C:\Windows\System\Fvqlmgn.exe
| MD5 | 78c127578f713084d2e4539a990b54a8 |
| SHA1 | 01c3b8f6bbf009e9efb9c684900b3359ed36e54a |
| SHA256 | e429bb5f9ff5df761fa1b08e9d17c24d6ea4166589b866bec023beefb6be6e14 |
| SHA512 | 84024cca950179845c28adc5d20a572dae0d10964be0b922ea3c78e641e1fe08dd5b90f53bdb9821f6fcb646f0ecc210f6b3c1e14b429bf9963a39a64335c2fc |
C:\Windows\System\NkWhvvo.exe
| MD5 | 79b55654584db2886862fbdf8732509f |
| SHA1 | 56f5d8e5d06662404df0f96e82a92135e80a7b78 |
| SHA256 | 068fd95a5448726cd56e13f24f5cd0070b80af8b9497f0c4edc96e010a8c0cf4 |
| SHA512 | fcc53e05ddf6540fec69128b9d23dcd74caff95a02d9525ee05dd273c052e563595067ed29afc598b0ed771ca7feb0c2b22b8af76170cbb3c166d58223abd2a4 |
C:\Windows\System\uiKwwMD.exe
| MD5 | 2501ca8e5d83991d1b9c8ab8929c3e2e |
| SHA1 | 5c77f5c58d4bbe877f3a7e5aed16ea61b5dd7f70 |
| SHA256 | 900896aca97294c3e8e27e06444b59d66a07bb1a427181779ecfbf571a6ecd83 |
| SHA512 | 6322cb91c1627ddfce0db8f45e96e0b64c3deb06221302ce7ad626e6fabbd6829bf65e7218b547480bc612f28319123f53541fe76fcec53ef1380b602da7aaac |
C:\Windows\System\LHIgbpU.exe
| MD5 | f8530c994a8675a0d5a3be577e97807f |
| SHA1 | 160336df742cc4c8afaa20ce6bb4fb4f3458eab8 |
| SHA256 | 25ed62f408fc70eae6a1ca73548cff187196e27e87187cbfd9ef83a6cccf8044 |
| SHA512 | d79d9c919fef4e078bea2ee33811df2594c2ca7ac0e1d183ab15b567ab3dda36f0b7cbec5d419a64d2d602300bc03b60093ed3845a43ab367abae47e6372f349 |
C:\Windows\System\iItSVMV.exe
| MD5 | 09e2a93443b8f0d7a42bbd31ae09187e |
| SHA1 | 82f3db96c382bc24aa7e5e99202b6702de7dbf32 |
| SHA256 | 52929b02b2b3421236480f21c5d8a441a48b1cee8b77d2c525a81e6a7cf8a18f |
| SHA512 | 86426365578d9c6b42595c71f107e1a37d267eaeba22e1de703a82f437befbf711d567852f38dbd74db2a692b60ac829e3e628a502750c5347cf4b4225cf5f11 |
C:\Windows\System\VQNShoy.exe
| MD5 | 89a926e89c54727a2572a355449fd7ea |
| SHA1 | e696c44bd4d027f6de5aba0249bd3ce5dba82211 |
| SHA256 | fe08092248f4ab2dbfda5ee3d945ccbb3f6810da000bafd3fec93bd5190a5e46 |
| SHA512 | cb9c531fab80c6d38d02ade96f14adf50257720b97e97c19ea6cad27b91dac3edfc7bc591741eff82c3812fe8895de8c9468e59da8bbac6b0233f72a9e7e254c |
C:\Windows\System\yKzIiLN.exe
| MD5 | 3587ac0a2086ad57ec9ea4a2ccb5ea6a |
| SHA1 | 8d2d230d13403de37df6a35aecf439daeda590b6 |
| SHA256 | b8814ae6e28bccefc3b21b9b30912bf859ea08537ca8a1aa7d58d9c4ffcfd7b6 |
| SHA512 | 711c34c6bc10eda7e3a48191c972b2aec6fa3fb37b91a42d6ac4f38d0b4eed2d22ec064fdb46051119e4386806c5220d5d2cd020698ab4b53ec6cc67020e9037 |
C:\Windows\System\GNwvmvv.exe
| MD5 | 01ad191c6c61d331100a12e9aece6d87 |
| SHA1 | 39de47aeebdb9132ce1707f663ec213759c57de4 |
| SHA256 | d3e643ff443fb350f0c2bcb924c0d8653fd9996229c1fb4ecfcdf926f8920124 |
| SHA512 | 7301c1cc3180b96e8a657612710dcb6f21ad3ed8ba2f63439d07a83390a0493e0d27d0a61a342abacb967c22ef3c2ae6523d60a6ec8e42cb0e8e43138124a510 |
C:\Windows\System\UcgKVxP.exe
| MD5 | 3d6a7e4da34f3da864124f9e0dc01f12 |
| SHA1 | cd8b873fc46b547dd526d9b0823176e13f066a5e |
| SHA256 | 75873c7220d01b3838b5e961c5da9fd53c076bd0cf36c130dfbb2a56faa2781a |
| SHA512 | f4471d8eb7e98a4e661cf0eff7a86af664c112c0fdeeae901b22460733c333af2622d7b90ff48a7de6a9d7423dc3d78e351d853d91cf3f51a4047865818fcf93 |