Analysis Overview
SHA256
91d7cade90470f4bbbd6a2196d178acd9868110d6d7602499812ffb8ed943f5a
Threat Level: Known bad
The file 2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobalt Strike reflective loader
xmrig
Cobaltstrike family
XMRig Miner payload
Cobaltstrike
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-07 22:41
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-07 22:41
Reported
2024-08-07 22:43
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\TSlEsvS.exe | N/A |
| N/A | N/A | C:\Windows\System\wwfZYdd.exe | N/A |
| N/A | N/A | C:\Windows\System\ojzUkDS.exe | N/A |
| N/A | N/A | C:\Windows\System\tBZYHoj.exe | N/A |
| N/A | N/A | C:\Windows\System\zZCKyAM.exe | N/A |
| N/A | N/A | C:\Windows\System\kktvIEP.exe | N/A |
| N/A | N/A | C:\Windows\System\KSXMITS.exe | N/A |
| N/A | N/A | C:\Windows\System\ycabdmf.exe | N/A |
| N/A | N/A | C:\Windows\System\vJHiXiM.exe | N/A |
| N/A | N/A | C:\Windows\System\VPBzrRC.exe | N/A |
| N/A | N/A | C:\Windows\System\sJUxpXu.exe | N/A |
| N/A | N/A | C:\Windows\System\fVfBCmg.exe | N/A |
| N/A | N/A | C:\Windows\System\hzujaRQ.exe | N/A |
| N/A | N/A | C:\Windows\System\wyHbLYg.exe | N/A |
| N/A | N/A | C:\Windows\System\cdPbIHA.exe | N/A |
| N/A | N/A | C:\Windows\System\eBbwfhB.exe | N/A |
| N/A | N/A | C:\Windows\System\WEIRxMZ.exe | N/A |
| N/A | N/A | C:\Windows\System\pKsVCjR.exe | N/A |
| N/A | N/A | C:\Windows\System\DADTbER.exe | N/A |
| N/A | N/A | C:\Windows\System\qOFndhT.exe | N/A |
| N/A | N/A | C:\Windows\System\mkjTIoq.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\TSlEsvS.exe
C:\Windows\System\TSlEsvS.exe
C:\Windows\System\wwfZYdd.exe
C:\Windows\System\wwfZYdd.exe
C:\Windows\System\ojzUkDS.exe
C:\Windows\System\ojzUkDS.exe
C:\Windows\System\tBZYHoj.exe
C:\Windows\System\tBZYHoj.exe
C:\Windows\System\zZCKyAM.exe
C:\Windows\System\zZCKyAM.exe
C:\Windows\System\kktvIEP.exe
C:\Windows\System\kktvIEP.exe
C:\Windows\System\KSXMITS.exe
C:\Windows\System\KSXMITS.exe
C:\Windows\System\ycabdmf.exe
C:\Windows\System\ycabdmf.exe
C:\Windows\System\vJHiXiM.exe
C:\Windows\System\vJHiXiM.exe
C:\Windows\System\VPBzrRC.exe
C:\Windows\System\VPBzrRC.exe
C:\Windows\System\sJUxpXu.exe
C:\Windows\System\sJUxpXu.exe
C:\Windows\System\fVfBCmg.exe
C:\Windows\System\fVfBCmg.exe
C:\Windows\System\hzujaRQ.exe
C:\Windows\System\hzujaRQ.exe
C:\Windows\System\wyHbLYg.exe
C:\Windows\System\wyHbLYg.exe
C:\Windows\System\cdPbIHA.exe
C:\Windows\System\cdPbIHA.exe
C:\Windows\System\eBbwfhB.exe
C:\Windows\System\eBbwfhB.exe
C:\Windows\System\WEIRxMZ.exe
C:\Windows\System\WEIRxMZ.exe
C:\Windows\System\pKsVCjR.exe
C:\Windows\System\pKsVCjR.exe
C:\Windows\System\DADTbER.exe
C:\Windows\System\DADTbER.exe
C:\Windows\System\qOFndhT.exe
C:\Windows\System\qOFndhT.exe
C:\Windows\System\mkjTIoq.exe
C:\Windows\System\mkjTIoq.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2604-0-0x00007FF692EF0000-0x00007FF693241000-memory.dmp
memory/2604-1-0x000002AC009D0000-0x000002AC009E0000-memory.dmp
C:\Windows\System\TSlEsvS.exe
| MD5 | dde5fc8628c24dcaf795dcbc44d4d7d2 |
| SHA1 | 0cd547d9592309dff265050dc8f2405c54a102d4 |
| SHA256 | de8e6eef312bda0f61d55106dc9b5d1caa1ee2eda3c9710fb2ee618e0da75a5b |
| SHA512 | d74cbe43b0850745dae94b4cb001bd2b9312bb7238e0a52382825b865b41a731d08ab2b6d0d77763bd9d6468ec1121588d2edf49d06f2a83e322c63f66c2d271 |
C:\Windows\System\wwfZYdd.exe
| MD5 | 2064faed10b4b1cb0a92b9aa456e2845 |
| SHA1 | 707680385abdd8904001cdfd3537c758ab597a49 |
| SHA256 | 29688225fc7be6f13740d12c1fd3126e2c5c1216408ff8894f41eb5b91829883 |
| SHA512 | 52013a0afdd1d6b07298c4dc0036b5fab176e83fa85cae1d7d05bcbaf528d96c09dd7ded0de74324b9d31caf65571dc8252a7661b5d9ad059ba52eb993abf7ed |
memory/4404-10-0x00007FF619160000-0x00007FF6194B1000-memory.dmp
memory/5104-13-0x00007FF6B7D20000-0x00007FF6B8071000-memory.dmp
C:\Windows\System\ojzUkDS.exe
| MD5 | deee0a3bb78f2d9ed693b22b46bb9285 |
| SHA1 | a5ff4325a8caa4d3c34ba0bcbfdb0b393dbca19a |
| SHA256 | aee0e814461dd29d1a926c5fbcea52327d4cc4c64a0f054a27d98b2d487d0240 |
| SHA512 | 9f099eecd62e3a3a83b729fb7cef1a5dbd8d97bffc272c708bc0415842cec7cfd548a3e024b81efa0cccf66b8de966f39f4abaa8d10d80c89c827065b07dfe45 |
C:\Windows\System\tBZYHoj.exe
| MD5 | e6c83446217a3b6519aab189ca5e7c8d |
| SHA1 | 46226ebbfb651116e247b60ca0b21e0980529fff |
| SHA256 | 5efa058e760de69d13e4533ead5fcca286d54d79af1c3264a5ae43c14e00ed6b |
| SHA512 | 45cd56c2a6690d6490d9ed5a2cd42dfcc47cfec44e0143509d07b74eddfae01f67811db9c164bd271d0b94cd06f680d948dd4b7e460ea2619ba5b182642dc667 |
memory/2164-22-0x00007FF643200000-0x00007FF643551000-memory.dmp
memory/4980-29-0x00007FF61FCF0000-0x00007FF620041000-memory.dmp
C:\Windows\System\kktvIEP.exe
| MD5 | 98038545d39abb6fb1b9393fb4ea24d4 |
| SHA1 | 6f4865d3b9c9240cccc40a7d3f07bb97eb0a32c3 |
| SHA256 | 069fbefb6eabd96b8b9fcbfb1b2c0d7dbed7f2de0b8846d891388b92afad9e23 |
| SHA512 | b958f1731b6b4ec80da85e504c0f5edae5333a03e049d8051ba9cfc91b18674fac2509e184a4cbb4d493ef6d5146635eea2252d10416850a4549b9a3947be1ec |
C:\Windows\System\KSXMITS.exe
| MD5 | aa1d0ddbff752a5d41245e068d000985 |
| SHA1 | 060dbe2013dcd9e479e68a7a1f2d24cce7b23c5a |
| SHA256 | f4f6b6de2986614f5239696bbff88a5af5ed050267783f87ed44cd9b04de635a |
| SHA512 | a8e70017c135df13497c5b2d71f222018e8691b6ce2f703665365b8b2af930d4424b4a387f7c85ab1ee77648afcfe420bc2d3b9a5784bbf39124418caf186e3b |
memory/1028-43-0x00007FF66CC30000-0x00007FF66CF81000-memory.dmp
memory/3688-40-0x00007FF71E130000-0x00007FF71E481000-memory.dmp
C:\Windows\System\zZCKyAM.exe
| MD5 | 18c9feef836eed91722b75d3ef5cfcae |
| SHA1 | 5649e6cbacab469e574c44e0aaa89ddce5e0d660 |
| SHA256 | 1a7b4acdae9c04ca645e6c8374a0afad199bb24a4c3c47482af80e0e0067e2c3 |
| SHA512 | 7824b1345a72525fa2f61275d124071f87a386c352a4a93a288bdb202f052428a37b2c81eaa1373480dba97319838c48afd92b8c945eace89766b070c8c87c91 |
memory/2488-32-0x00007FF641DD0000-0x00007FF642121000-memory.dmp
C:\Windows\System\ycabdmf.exe
| MD5 | 7ba6c62eeec492d550c4efdb13b5ac0f |
| SHA1 | fc44ded28647344bc59367e317c1aa9e1c931045 |
| SHA256 | e3b1a64288d202e743ce390538af671aad2f98ec1ca0200ab3652cf74849c448 |
| SHA512 | 8ca1457adcc04d39d4a02e49b3c683eeea32b15f896bc4c97dfbe9864b4c4fd22c2c5ed0a99e7244749abc80068bdf19607ad0d0d5ce4e65b790bfca92ac8129 |
memory/4656-52-0x00007FF6BBB90000-0x00007FF6BBEE1000-memory.dmp
C:\Windows\System\vJHiXiM.exe
| MD5 | 11da90363d3091ea379c06f106d6cd78 |
| SHA1 | 5e0f35e79d871353db7f6f05ff2e2c693730ae02 |
| SHA256 | 5fded039ce185737d5025385ef1f518e09d2d725daaebe53b6e3a1accf10099e |
| SHA512 | 0853a0b6ffc35c7476d34f8a8cf5aada430d86b3787f65a56d0363bc47d5a176636c0929755ad56189fc9abceaafc5c6a160feba2b8b1fd6ad8c60d69a036276 |
C:\Windows\System\VPBzrRC.exe
| MD5 | 9cf79aeab7e6f5af14c3921f90a5c093 |
| SHA1 | b9a379a6d59da423d0b0c2f3d98bc8e2ee47ce6c |
| SHA256 | e159ecc0b813096783032ac18ec71a424815c76e4f5f37e424ee2659e9a84416 |
| SHA512 | 44e5b5685757d8a9941a0cf0fd30423ab002d67c56a22dcac8aedd09ead5be3f2592541e2bd4c572761644d542fd69a94a31dd4f94f9858d1926c35f74d54d78 |
C:\Windows\System\sJUxpXu.exe
| MD5 | 271b58329ea11dc8dd84f947157cd60c |
| SHA1 | 036fbe47a9c4e1fd58ad25dfb9d3b8fe02f4093a |
| SHA256 | 15069d7c77e4958bfe4aeb667b8cb6cc04cbc57fd5b19fd175b6b8024a4d2a9b |
| SHA512 | e4fd4c17e9520ec99c3549fcd142e4edaac3bb122fed7f01026d2abf005755cd00ca34d7bd520023bd37204de0ef8f7510570d412eb6f37c502dd8f7adb698c9 |
memory/2416-71-0x00007FF7BA5C0000-0x00007FF7BA911000-memory.dmp
C:\Windows\System\hzujaRQ.exe
| MD5 | 20b8ea0a72857f3f179a33d72742bf4f |
| SHA1 | dc4b3bc655fccfed2a16d0f7aeb15d17a7e318ee |
| SHA256 | 1879cf1ae875cd1cc2b8f18431177d6b11d84cb0c2b8a3fed07d8c26632e4171 |
| SHA512 | 57839c4661e7e9e1051d0c35bcc14e815de0c8bab236975af54c5bc93f8bc5f4038417dd57a35ffd595d3ed997c77e0396bb81b874be30bf01d79d97ef16f0e8 |
C:\Windows\System\wyHbLYg.exe
| MD5 | acd059e0ba67b1fa4a18c7db6dc718a9 |
| SHA1 | 53e7a55fed1f27b7e91647fe68a7dd68a02950e2 |
| SHA256 | a18e7f5f49af8eff701e73df30b086f0da77d419671663854ca16b74441a3ffe |
| SHA512 | ff4afa5ebbee7e2a43f6274fb91611968d2de6736fe0b06a1001d65f3aecbd6cbe04c4e04b0735b7f664176e3dfdbe9c1841835779ecff272ea8301b341a267c |
C:\Windows\System\cdPbIHA.exe
| MD5 | 44eeb64c9fd3d33e9debc197643a9e5e |
| SHA1 | b8aac120255b6f061d49f37a1237e9b839824c6d |
| SHA256 | f0e3791141e9afc4cb8c81af1a1a4fc23921f0fa9458ba650300ce8b34122d0c |
| SHA512 | ecbc3be8f6e7b542084329e33fa32fe5f9282899f5a0bb54dc296c72933a2c9aded865a15b82d45bd93c3f5a7969e672c1013c1e57f4df4f80fb15b13391742b |
memory/4544-89-0x00007FF778D90000-0x00007FF7790E1000-memory.dmp
memory/4756-90-0x00007FF752570000-0x00007FF7528C1000-memory.dmp
memory/1092-88-0x00007FF6DD0F0000-0x00007FF6DD441000-memory.dmp
memory/3384-86-0x00007FF6B88C0000-0x00007FF6B8C11000-memory.dmp
memory/5104-85-0x00007FF6B7D20000-0x00007FF6B8071000-memory.dmp
C:\Windows\System\fVfBCmg.exe
| MD5 | a8c0ad1c435ce541ff6076e715c16e59 |
| SHA1 | ba892c9e2030807d446cb4848acd0b5f10bb746e |
| SHA256 | 0011264788017bb33a6f0b35ec1f79c233b90c6b482da53a393c42f47fd7af7c |
| SHA512 | 504a3206f432c50af08e9b5cb9584dcf7672003cfca6c4003ef82dcae472b11bd0723ae9b93dc0c3788cfdb54542ec855db3175c95b200d05ba5cdd0aee33a73 |
memory/4212-68-0x00007FF728D30000-0x00007FF729081000-memory.dmp
memory/2604-60-0x00007FF692EF0000-0x00007FF693241000-memory.dmp
memory/4012-59-0x00007FF61FFD0000-0x00007FF620321000-memory.dmp
C:\Windows\System\eBbwfhB.exe
| MD5 | c1650e4e54f5bffb4d6f1df0219d1a5a |
| SHA1 | 3d8334a3e53acd430df05547301025a8be242ab0 |
| SHA256 | cd81fcc80a95b500f6aa0915291666e60e48709b88fa6faf82d56713819131ff |
| SHA512 | 66148c9e099d9cf67d1c3d06b98ea696747c43d74e02a2cf7f8a7cc87187e6cf2f4f5e87057b62c4d47a23a18c61b5001e31ddda7716cd4b5ba5e8856a5e4aec |
C:\Windows\System\WEIRxMZ.exe
| MD5 | 17cdd680c7d8aed978e3406838f596b4 |
| SHA1 | e171868f7e2aad18bdbef6b41833d9ec53c0d20c |
| SHA256 | d3941d533cd275081cfceb4612a0b6194738ef704c4d6efbbd80eb7312315bda |
| SHA512 | d88cf1ddd279d2bcad18da37c54e18960904e353f0c578d2d6471a16e8bc2f91ae6d5974f308f1158ede20a4a00fe67aa2c182da5ac1a75a86b3aaecf9d0d6c5 |
C:\Windows\System\pKsVCjR.exe
| MD5 | aebee996a20ea1bc13cfdddb116a8a75 |
| SHA1 | 80a4d34ec64e4b6db2c54fbd998fb707dd92eefe |
| SHA256 | 20d15a9c069c2a80399bd130d49b6b9cc200003306169223ea862ece05292652 |
| SHA512 | 911d5115cf68c9fb404ce96c4953b81ea1744c969f9e7e5450368b073224fcf14a936ea9b3570e7cbd24f8cea7a4eec2457307a847f2917612ccd62fbc9af670 |
C:\Windows\System\qOFndhT.exe
| MD5 | 8683ccde9d43a73f59de197dafe649de |
| SHA1 | 2cbcf4ae77fd0ace4e1cd57d2cab8d0f78a4e478 |
| SHA256 | 4fabdb1672ac7c237a4223beec8be3f30b3e60d60ea620066bc949b20759ed72 |
| SHA512 | 1d72b065e2985932be0b3b04ef44c11db39e080650256e95ee971267b968baf61bc4ec1808c6267ccfc974249dfe776cfe0fd12ba9511d14ecb3e9614ca9d4b7 |
C:\Windows\System\DADTbER.exe
| MD5 | ef726ef9f257a0606a2f7a688e94dc11 |
| SHA1 | ac650993735bc4cd281cb3f445410884b1c4a041 |
| SHA256 | 727f0873f7147289f62948c40e2f678eefb9f56c456c30247895679b4465b343 |
| SHA512 | b6a24b861619b3397f3a6bb2f9d1a721c7e1fe9e0e8cc2292049fb55010041ab14cb52176d9864183e2bb56331228ca32867cddc665984efb17a946b43a8231a |
memory/1028-126-0x00007FF66CC30000-0x00007FF66CF81000-memory.dmp
memory/3716-131-0x00007FF6708E0000-0x00007FF670C31000-memory.dmp
C:\Windows\System\mkjTIoq.exe
| MD5 | 3a8138e3a36e2d674aeda9f38b7fea46 |
| SHA1 | 9675abf3da30f2b1f21889040541f595838fb683 |
| SHA256 | f57ece4e192de529448f68155c1cbe48c781a97f31d04c8670ee1e70d07c0821 |
| SHA512 | b7f0dfa2b180f3a79eac1a550192069aeec9c62e62b0a710ae52b6000c5e80739038aa347e3832c16122703a3f0997bae24bda25d32cf90cbed1c45b77491497 |
memory/4904-134-0x00007FF6FFFA0000-0x00007FF7002F1000-memory.dmp
memory/4012-133-0x00007FF61FFD0000-0x00007FF620321000-memory.dmp
memory/2900-124-0x00007FF724580000-0x00007FF7248D1000-memory.dmp
memory/1280-122-0x00007FF7CB590000-0x00007FF7CB8E1000-memory.dmp
memory/2656-120-0x00007FF7CA180000-0x00007FF7CA4D1000-memory.dmp
memory/2488-114-0x00007FF641DD0000-0x00007FF642121000-memory.dmp
memory/4860-101-0x00007FF7200C0000-0x00007FF720411000-memory.dmp
memory/4544-147-0x00007FF778D90000-0x00007FF7790E1000-memory.dmp
memory/4756-148-0x00007FF752570000-0x00007FF7528C1000-memory.dmp
memory/4860-149-0x00007FF7200C0000-0x00007FF720411000-memory.dmp
memory/2656-154-0x00007FF7CA180000-0x00007FF7CA4D1000-memory.dmp
memory/2900-156-0x00007FF724580000-0x00007FF7248D1000-memory.dmp
memory/3716-157-0x00007FF6708E0000-0x00007FF670C31000-memory.dmp
memory/2604-150-0x00007FF692EF0000-0x00007FF693241000-memory.dmp
memory/4904-158-0x00007FF6FFFA0000-0x00007FF7002F1000-memory.dmp
memory/2604-172-0x00007FF692EF0000-0x00007FF693241000-memory.dmp
memory/4404-202-0x00007FF619160000-0x00007FF6194B1000-memory.dmp
memory/5104-204-0x00007FF6B7D20000-0x00007FF6B8071000-memory.dmp
memory/2164-213-0x00007FF643200000-0x00007FF643551000-memory.dmp
memory/4980-215-0x00007FF61FCF0000-0x00007FF620041000-memory.dmp
memory/3688-218-0x00007FF71E130000-0x00007FF71E481000-memory.dmp
memory/2488-219-0x00007FF641DD0000-0x00007FF642121000-memory.dmp
memory/1028-221-0x00007FF66CC30000-0x00007FF66CF81000-memory.dmp
memory/4656-227-0x00007FF6BBB90000-0x00007FF6BBEE1000-memory.dmp
memory/4212-229-0x00007FF728D30000-0x00007FF729081000-memory.dmp
memory/2416-231-0x00007FF7BA5C0000-0x00007FF7BA911000-memory.dmp
memory/3384-235-0x00007FF6B88C0000-0x00007FF6B8C11000-memory.dmp
memory/4012-234-0x00007FF61FFD0000-0x00007FF620321000-memory.dmp
memory/1092-240-0x00007FF6DD0F0000-0x00007FF6DD441000-memory.dmp
memory/4756-238-0x00007FF752570000-0x00007FF7528C1000-memory.dmp
memory/4544-241-0x00007FF778D90000-0x00007FF7790E1000-memory.dmp
memory/4860-250-0x00007FF7200C0000-0x00007FF720411000-memory.dmp
memory/1280-252-0x00007FF7CB590000-0x00007FF7CB8E1000-memory.dmp
memory/2656-254-0x00007FF7CA180000-0x00007FF7CA4D1000-memory.dmp
memory/2900-256-0x00007FF724580000-0x00007FF7248D1000-memory.dmp
memory/3716-258-0x00007FF6708E0000-0x00007FF670C31000-memory.dmp
memory/4904-260-0x00007FF6FFFA0000-0x00007FF7002F1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-07 22:41
Reported
2024-08-07 22:43
Platform
win7-20240708-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\TSlEsvS.exe | N/A |
| N/A | N/A | C:\Windows\System\wwfZYdd.exe | N/A |
| N/A | N/A | C:\Windows\System\tBZYHoj.exe | N/A |
| N/A | N/A | C:\Windows\System\ojzUkDS.exe | N/A |
| N/A | N/A | C:\Windows\System\zZCKyAM.exe | N/A |
| N/A | N/A | C:\Windows\System\kktvIEP.exe | N/A |
| N/A | N/A | C:\Windows\System\KSXMITS.exe | N/A |
| N/A | N/A | C:\Windows\System\ycabdmf.exe | N/A |
| N/A | N/A | C:\Windows\System\vJHiXiM.exe | N/A |
| N/A | N/A | C:\Windows\System\VPBzrRC.exe | N/A |
| N/A | N/A | C:\Windows\System\sJUxpXu.exe | N/A |
| N/A | N/A | C:\Windows\System\fVfBCmg.exe | N/A |
| N/A | N/A | C:\Windows\System\hzujaRQ.exe | N/A |
| N/A | N/A | C:\Windows\System\wyHbLYg.exe | N/A |
| N/A | N/A | C:\Windows\System\cdPbIHA.exe | N/A |
| N/A | N/A | C:\Windows\System\eBbwfhB.exe | N/A |
| N/A | N/A | C:\Windows\System\WEIRxMZ.exe | N/A |
| N/A | N/A | C:\Windows\System\pKsVCjR.exe | N/A |
| N/A | N/A | C:\Windows\System\DADTbER.exe | N/A |
| N/A | N/A | C:\Windows\System\qOFndhT.exe | N/A |
| N/A | N/A | C:\Windows\System\mkjTIoq.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_3f19642d4e4e68e081bff1d0ae7cf863_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\TSlEsvS.exe
C:\Windows\System\TSlEsvS.exe
C:\Windows\System\wwfZYdd.exe
C:\Windows\System\wwfZYdd.exe
C:\Windows\System\ojzUkDS.exe
C:\Windows\System\ojzUkDS.exe
C:\Windows\System\tBZYHoj.exe
C:\Windows\System\tBZYHoj.exe
C:\Windows\System\zZCKyAM.exe
C:\Windows\System\zZCKyAM.exe
C:\Windows\System\kktvIEP.exe
C:\Windows\System\kktvIEP.exe
C:\Windows\System\KSXMITS.exe
C:\Windows\System\KSXMITS.exe
C:\Windows\System\ycabdmf.exe
C:\Windows\System\ycabdmf.exe
C:\Windows\System\vJHiXiM.exe
C:\Windows\System\vJHiXiM.exe
C:\Windows\System\VPBzrRC.exe
C:\Windows\System\VPBzrRC.exe
C:\Windows\System\sJUxpXu.exe
C:\Windows\System\sJUxpXu.exe
C:\Windows\System\fVfBCmg.exe
C:\Windows\System\fVfBCmg.exe
C:\Windows\System\hzujaRQ.exe
C:\Windows\System\hzujaRQ.exe
C:\Windows\System\wyHbLYg.exe
C:\Windows\System\wyHbLYg.exe
C:\Windows\System\cdPbIHA.exe
C:\Windows\System\cdPbIHA.exe
C:\Windows\System\eBbwfhB.exe
C:\Windows\System\eBbwfhB.exe
C:\Windows\System\WEIRxMZ.exe
C:\Windows\System\WEIRxMZ.exe
C:\Windows\System\pKsVCjR.exe
C:\Windows\System\pKsVCjR.exe
C:\Windows\System\DADTbER.exe
C:\Windows\System\DADTbER.exe
C:\Windows\System\qOFndhT.exe
C:\Windows\System\qOFndhT.exe
C:\Windows\System\mkjTIoq.exe
C:\Windows\System\mkjTIoq.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2088-0-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/2088-1-0x000000013F900000-0x000000013FC51000-memory.dmp
\Windows\system\TSlEsvS.exe
| MD5 | dde5fc8628c24dcaf795dcbc44d4d7d2 |
| SHA1 | 0cd547d9592309dff265050dc8f2405c54a102d4 |
| SHA256 | de8e6eef312bda0f61d55106dc9b5d1caa1ee2eda3c9710fb2ee618e0da75a5b |
| SHA512 | d74cbe43b0850745dae94b4cb001bd2b9312bb7238e0a52382825b865b41a731d08ab2b6d0d77763bd9d6468ec1121588d2edf49d06f2a83e322c63f66c2d271 |
C:\Windows\system\wwfZYdd.exe
| MD5 | 2064faed10b4b1cb0a92b9aa456e2845 |
| SHA1 | 707680385abdd8904001cdfd3537c758ab597a49 |
| SHA256 | 29688225fc7be6f13740d12c1fd3126e2c5c1216408ff8894f41eb5b91829883 |
| SHA512 | 52013a0afdd1d6b07298c4dc0036b5fab176e83fa85cae1d7d05bcbaf528d96c09dd7ded0de74324b9d31caf65571dc8252a7661b5d9ad059ba52eb993abf7ed |
\Windows\system\tBZYHoj.exe
| MD5 | e6c83446217a3b6519aab189ca5e7c8d |
| SHA1 | 46226ebbfb651116e247b60ca0b21e0980529fff |
| SHA256 | 5efa058e760de69d13e4533ead5fcca286d54d79af1c3264a5ae43c14e00ed6b |
| SHA512 | 45cd56c2a6690d6490d9ed5a2cd42dfcc47cfec44e0143509d07b74eddfae01f67811db9c164bd271d0b94cd06f680d948dd4b7e460ea2619ba5b182642dc667 |
memory/2176-28-0x000000013F8C0000-0x000000013FC11000-memory.dmp
memory/3052-29-0x000000013F080000-0x000000013F3D1000-memory.dmp
memory/1324-15-0x000000013F050000-0x000000013F3A1000-memory.dmp
memory/2088-26-0x00000000022C0000-0x0000000002611000-memory.dmp
C:\Windows\system\ojzUkDS.exe
| MD5 | deee0a3bb78f2d9ed693b22b46bb9285 |
| SHA1 | a5ff4325a8caa4d3c34ba0bcbfdb0b393dbca19a |
| SHA256 | aee0e814461dd29d1a926c5fbcea52327d4cc4c64a0f054a27d98b2d487d0240 |
| SHA512 | 9f099eecd62e3a3a83b729fb7cef1a5dbd8d97bffc272c708bc0415842cec7cfd548a3e024b81efa0cccf66b8de966f39f4abaa8d10d80c89c827065b07dfe45 |
memory/2088-23-0x00000000022C0000-0x0000000002611000-memory.dmp
memory/2488-21-0x000000013F960000-0x000000013FCB1000-memory.dmp
memory/2812-36-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2088-35-0x000000013FD40000-0x0000000140091000-memory.dmp
C:\Windows\system\zZCKyAM.exe
| MD5 | 18c9feef836eed91722b75d3ef5cfcae |
| SHA1 | 5649e6cbacab469e574c44e0aaa89ddce5e0d660 |
| SHA256 | 1a7b4acdae9c04ca645e6c8374a0afad199bb24a4c3c47482af80e0e0067e2c3 |
| SHA512 | 7824b1345a72525fa2f61275d124071f87a386c352a4a93a288bdb202f052428a37b2c81eaa1373480dba97319838c48afd92b8c945eace89766b070c8c87c91 |
memory/2088-10-0x000000013F050000-0x000000013F3A1000-memory.dmp
memory/2088-41-0x00000000022C0000-0x0000000002611000-memory.dmp
memory/2684-42-0x000000013F840000-0x000000013FB91000-memory.dmp
C:\Windows\system\kktvIEP.exe
| MD5 | 98038545d39abb6fb1b9393fb4ea24d4 |
| SHA1 | 6f4865d3b9c9240cccc40a7d3f07bb97eb0a32c3 |
| SHA256 | 069fbefb6eabd96b8b9fcbfb1b2c0d7dbed7f2de0b8846d891388b92afad9e23 |
| SHA512 | b958f1731b6b4ec80da85e504c0f5edae5333a03e049d8051ba9cfc91b18674fac2509e184a4cbb4d493ef6d5146635eea2252d10416850a4549b9a3947be1ec |
memory/2576-48-0x000000013FB50000-0x000000013FEA1000-memory.dmp
memory/2696-57-0x000000013F760000-0x000000013FAB1000-memory.dmp
memory/2088-68-0x000000013FD70000-0x00000001400C1000-memory.dmp
C:\Windows\system\fVfBCmg.exe
| MD5 | a8c0ad1c435ce541ff6076e715c16e59 |
| SHA1 | ba892c9e2030807d446cb4848acd0b5f10bb746e |
| SHA256 | 0011264788017bb33a6f0b35ec1f79c233b90c6b482da53a393c42f47fd7af7c |
| SHA512 | 504a3206f432c50af08e9b5cb9584dcf7672003cfca6c4003ef82dcae472b11bd0723ae9b93dc0c3788cfdb54542ec855db3175c95b200d05ba5cdd0aee33a73 |
C:\Windows\system\sJUxpXu.exe
| MD5 | 271b58329ea11dc8dd84f947157cd60c |
| SHA1 | 036fbe47a9c4e1fd58ad25dfb9d3b8fe02f4093a |
| SHA256 | 15069d7c77e4958bfe4aeb667b8cb6cc04cbc57fd5b19fd175b6b8024a4d2a9b |
| SHA512 | e4fd4c17e9520ec99c3549fcd142e4edaac3bb122fed7f01026d2abf005755cd00ca34d7bd520023bd37204de0ef8f7510570d412eb6f37c502dd8f7adb698c9 |
memory/1992-78-0x000000013F3B0000-0x000000013F701000-memory.dmp
memory/2924-101-0x000000013F150000-0x000000013F4A1000-memory.dmp
C:\Windows\system\cdPbIHA.exe
| MD5 | 44eeb64c9fd3d33e9debc197643a9e5e |
| SHA1 | b8aac120255b6f061d49f37a1237e9b839824c6d |
| SHA256 | f0e3791141e9afc4cb8c81af1a1a4fc23921f0fa9458ba650300ce8b34122d0c |
| SHA512 | ecbc3be8f6e7b542084329e33fa32fe5f9282899f5a0bb54dc296c72933a2c9aded865a15b82d45bd93c3f5a7969e672c1013c1e57f4df4f80fb15b13391742b |
C:\Windows\system\qOFndhT.exe
| MD5 | 8683ccde9d43a73f59de197dafe649de |
| SHA1 | 2cbcf4ae77fd0ace4e1cd57d2cab8d0f78a4e478 |
| SHA256 | 4fabdb1672ac7c237a4223beec8be3f30b3e60d60ea620066bc949b20759ed72 |
| SHA512 | 1d72b065e2985932be0b3b04ef44c11db39e080650256e95ee971267b968baf61bc4ec1808c6267ccfc974249dfe776cfe0fd12ba9511d14ecb3e9614ca9d4b7 |
\Windows\system\mkjTIoq.exe
| MD5 | 3a8138e3a36e2d674aeda9f38b7fea46 |
| SHA1 | 9675abf3da30f2b1f21889040541f595838fb683 |
| SHA256 | f57ece4e192de529448f68155c1cbe48c781a97f31d04c8670ee1e70d07c0821 |
| SHA512 | b7f0dfa2b180f3a79eac1a550192069aeec9c62e62b0a710ae52b6000c5e80739038aa347e3832c16122703a3f0997bae24bda25d32cf90cbed1c45b77491497 |
C:\Windows\system\DADTbER.exe
| MD5 | ef726ef9f257a0606a2f7a688e94dc11 |
| SHA1 | ac650993735bc4cd281cb3f445410884b1c4a041 |
| SHA256 | 727f0873f7147289f62948c40e2f678eefb9f56c456c30247895679b4465b343 |
| SHA512 | b6a24b861619b3397f3a6bb2f9d1a721c7e1fe9e0e8cc2292049fb55010041ab14cb52176d9864183e2bb56331228ca32867cddc665984efb17a946b43a8231a |
C:\Windows\system\WEIRxMZ.exe
| MD5 | 17cdd680c7d8aed978e3406838f596b4 |
| SHA1 | e171868f7e2aad18bdbef6b41833d9ec53c0d20c |
| SHA256 | d3941d533cd275081cfceb4612a0b6194738ef704c4d6efbbd80eb7312315bda |
| SHA512 | d88cf1ddd279d2bcad18da37c54e18960904e353f0c578d2d6471a16e8bc2f91ae6d5974f308f1158ede20a4a00fe67aa2c182da5ac1a75a86b3aaecf9d0d6c5 |
C:\Windows\system\pKsVCjR.exe
| MD5 | aebee996a20ea1bc13cfdddb116a8a75 |
| SHA1 | 80a4d34ec64e4b6db2c54fbd998fb707dd92eefe |
| SHA256 | 20d15a9c069c2a80399bd130d49b6b9cc200003306169223ea862ece05292652 |
| SHA512 | 911d5115cf68c9fb404ce96c4953b81ea1744c969f9e7e5450368b073224fcf14a936ea9b3570e7cbd24f8cea7a4eec2457307a847f2917612ccd62fbc9af670 |
C:\Windows\system\eBbwfhB.exe
| MD5 | c1650e4e54f5bffb4d6f1df0219d1a5a |
| SHA1 | 3d8334a3e53acd430df05547301025a8be242ab0 |
| SHA256 | cd81fcc80a95b500f6aa0915291666e60e48709b88fa6faf82d56713819131ff |
| SHA512 | 66148c9e099d9cf67d1c3d06b98ea696747c43d74e02a2cf7f8a7cc87187e6cf2f4f5e87057b62c4d47a23a18c61b5001e31ddda7716cd4b5ba5e8856a5e4aec |
memory/2088-106-0x000000013FF90000-0x00000001402E1000-memory.dmp
memory/2684-137-0x000000013F840000-0x000000013FB91000-memory.dmp
memory/2088-100-0x000000013F150000-0x000000013F4A1000-memory.dmp
C:\Windows\system\wyHbLYg.exe
| MD5 | acd059e0ba67b1fa4a18c7db6dc718a9 |
| SHA1 | 53e7a55fed1f27b7e91647fe68a7dd68a02950e2 |
| SHA256 | a18e7f5f49af8eff701e73df30b086f0da77d419671663854ca16b74441a3ffe |
| SHA512 | ff4afa5ebbee7e2a43f6274fb91611968d2de6736fe0b06a1001d65f3aecbd6cbe04c4e04b0735b7f664176e3dfdbe9c1841835779ecff272ea8301b341a267c |
memory/2308-92-0x000000013FE40000-0x0000000140191000-memory.dmp
memory/2088-91-0x000000013FE40000-0x0000000140191000-memory.dmp
C:\Windows\system\hzujaRQ.exe
| MD5 | 20b8ea0a72857f3f179a33d72742bf4f |
| SHA1 | dc4b3bc655fccfed2a16d0f7aeb15d17a7e318ee |
| SHA256 | 1879cf1ae875cd1cc2b8f18431177d6b11d84cb0c2b8a3fed07d8c26632e4171 |
| SHA512 | 57839c4661e7e9e1051d0c35bcc14e815de0c8bab236975af54c5bc93f8bc5f4038417dd57a35ffd595d3ed997c77e0396bb81b874be30bf01d79d97ef16f0e8 |
memory/1324-77-0x000000013F050000-0x000000013F3A1000-memory.dmp
memory/2088-76-0x000000013F900000-0x000000013FC51000-memory.dmp
memory/1632-86-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2088-85-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2488-84-0x000000013F960000-0x000000013FCB1000-memory.dmp
memory/2672-69-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/2576-138-0x000000013FB50000-0x000000013FEA1000-memory.dmp
C:\Windows\system\VPBzrRC.exe
| MD5 | 9cf79aeab7e6f5af14c3921f90a5c093 |
| SHA1 | b9a379a6d59da423d0b0c2f3d98bc8e2ee47ce6c |
| SHA256 | e159ecc0b813096783032ac18ec71a424815c76e4f5f37e424ee2659e9a84416 |
| SHA512 | 44e5b5685757d8a9941a0cf0fd30423ab002d67c56a22dcac8aedd09ead5be3f2592541e2bd4c572761644d542fd69a94a31dd4f94f9858d1926c35f74d54d78 |
memory/2560-62-0x000000013F740000-0x000000013FA91000-memory.dmp
memory/2088-61-0x00000000022C0000-0x0000000002611000-memory.dmp
C:\Windows\system\vJHiXiM.exe
| MD5 | 11da90363d3091ea379c06f106d6cd78 |
| SHA1 | 5e0f35e79d871353db7f6f05ff2e2c693730ae02 |
| SHA256 | 5fded039ce185737d5025385ef1f518e09d2d725daaebe53b6e3a1accf10099e |
| SHA512 | 0853a0b6ffc35c7476d34f8a8cf5aada430d86b3787f65a56d0363bc47d5a176636c0929755ad56189fc9abceaafc5c6a160feba2b8b1fd6ad8c60d69a036276 |
memory/2088-56-0x00000000022C0000-0x0000000002611000-memory.dmp
memory/2088-47-0x00000000022C0000-0x0000000002611000-memory.dmp
C:\Windows\system\KSXMITS.exe
| MD5 | aa1d0ddbff752a5d41245e068d000985 |
| SHA1 | 060dbe2013dcd9e479e68a7a1f2d24cce7b23c5a |
| SHA256 | f4f6b6de2986614f5239696bbff88a5af5ed050267783f87ed44cd9b04de635a |
| SHA512 | a8e70017c135df13497c5b2d71f222018e8691b6ce2f703665365b8b2af930d4424b4a387f7c85ab1ee77648afcfe420bc2d3b9a5784bbf39124418caf186e3b |
C:\Windows\system\ycabdmf.exe
| MD5 | 7ba6c62eeec492d550c4efdb13b5ac0f |
| SHA1 | fc44ded28647344bc59367e317c1aa9e1c931045 |
| SHA256 | e3b1a64288d202e743ce390538af671aad2f98ec1ca0200ab3652cf74849c448 |
| SHA512 | 8ca1457adcc04d39d4a02e49b3c683eeea32b15f896bc4c97dfbe9864b4c4fd22c2c5ed0a99e7244749abc80068bdf19607ad0d0d5ce4e65b790bfca92ac8129 |
memory/2088-139-0x000000013F900000-0x000000013FC51000-memory.dmp
memory/2560-148-0x000000013F740000-0x000000013FA91000-memory.dmp
memory/2672-149-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/1992-151-0x000000013F3B0000-0x000000013F701000-memory.dmp
memory/2088-150-0x00000000022C0000-0x0000000002611000-memory.dmp
memory/2648-156-0x000000013F350000-0x000000013F6A1000-memory.dmp
memory/2452-157-0x000000013F480000-0x000000013F7D1000-memory.dmp
memory/1216-155-0x000000013FF90000-0x00000001402E1000-memory.dmp
memory/2308-153-0x000000013FE40000-0x0000000140191000-memory.dmp
memory/1632-152-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2748-158-0x000000013FD90000-0x00000001400E1000-memory.dmp
memory/1740-161-0x000000013F8E0000-0x000000013FC31000-memory.dmp
memory/2460-159-0x000000013F260000-0x000000013F5B1000-memory.dmp
memory/2024-160-0x000000013F580000-0x000000013F8D1000-memory.dmp
memory/2088-162-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2088-163-0x000000013F900000-0x000000013FC51000-memory.dmp
memory/2088-185-0x000000013F150000-0x000000013F4A1000-memory.dmp
memory/2088-186-0x000000013FF90000-0x00000001402E1000-memory.dmp
memory/1324-211-0x000000013F050000-0x000000013F3A1000-memory.dmp
memory/2488-213-0x000000013F960000-0x000000013FCB1000-memory.dmp
memory/2176-217-0x000000013F8C0000-0x000000013FC11000-memory.dmp
memory/3052-216-0x000000013F080000-0x000000013F3D1000-memory.dmp
memory/2812-219-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2684-221-0x000000013F840000-0x000000013FB91000-memory.dmp
memory/2576-223-0x000000013FB50000-0x000000013FEA1000-memory.dmp
memory/2696-238-0x000000013F760000-0x000000013FAB1000-memory.dmp
memory/2560-240-0x000000013F740000-0x000000013FA91000-memory.dmp
memory/2672-242-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/1992-244-0x000000013F3B0000-0x000000013F701000-memory.dmp
memory/1632-246-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2308-248-0x000000013FE40000-0x0000000140191000-memory.dmp
memory/2924-250-0x000000013F150000-0x000000013F4A1000-memory.dmp