Analysis Overview
SHA256
82ddcf208870b5e00846fbd3bf96f43a4447386d9919458a312420aaf72fad6a
Threat Level: Known bad
The file 2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike family
Cobaltstrike
xmrig
XMRig Miner payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-07 20:44
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-07 20:44
Reported
2024-08-07 20:47
Platform
win7-20240729-en
Max time kernel
142s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\WenaqoJ.exe | N/A |
| N/A | N/A | C:\Windows\System\OlNLbjR.exe | N/A |
| N/A | N/A | C:\Windows\System\HteHcyq.exe | N/A |
| N/A | N/A | C:\Windows\System\ncCJlIN.exe | N/A |
| N/A | N/A | C:\Windows\System\vyhBERD.exe | N/A |
| N/A | N/A | C:\Windows\System\ydajkJa.exe | N/A |
| N/A | N/A | C:\Windows\System\HxBlOMC.exe | N/A |
| N/A | N/A | C:\Windows\System\MbUNEAU.exe | N/A |
| N/A | N/A | C:\Windows\System\rjcEPXC.exe | N/A |
| N/A | N/A | C:\Windows\System\gdrcXks.exe | N/A |
| N/A | N/A | C:\Windows\System\qhspczV.exe | N/A |
| N/A | N/A | C:\Windows\System\beROeQP.exe | N/A |
| N/A | N/A | C:\Windows\System\yVwevHM.exe | N/A |
| N/A | N/A | C:\Windows\System\YeCFDqK.exe | N/A |
| N/A | N/A | C:\Windows\System\QxPhWDp.exe | N/A |
| N/A | N/A | C:\Windows\System\TKvMFRV.exe | N/A |
| N/A | N/A | C:\Windows\System\FHGeCaI.exe | N/A |
| N/A | N/A | C:\Windows\System\NxsvSQo.exe | N/A |
| N/A | N/A | C:\Windows\System\xZgfKFa.exe | N/A |
| N/A | N/A | C:\Windows\System\hvVJJyU.exe | N/A |
| N/A | N/A | C:\Windows\System\YKWErmK.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\WenaqoJ.exe
C:\Windows\System\WenaqoJ.exe
C:\Windows\System\OlNLbjR.exe
C:\Windows\System\OlNLbjR.exe
C:\Windows\System\HteHcyq.exe
C:\Windows\System\HteHcyq.exe
C:\Windows\System\ncCJlIN.exe
C:\Windows\System\ncCJlIN.exe
C:\Windows\System\vyhBERD.exe
C:\Windows\System\vyhBERD.exe
C:\Windows\System\ydajkJa.exe
C:\Windows\System\ydajkJa.exe
C:\Windows\System\HxBlOMC.exe
C:\Windows\System\HxBlOMC.exe
C:\Windows\System\MbUNEAU.exe
C:\Windows\System\MbUNEAU.exe
C:\Windows\System\rjcEPXC.exe
C:\Windows\System\rjcEPXC.exe
C:\Windows\System\gdrcXks.exe
C:\Windows\System\gdrcXks.exe
C:\Windows\System\qhspczV.exe
C:\Windows\System\qhspczV.exe
C:\Windows\System\beROeQP.exe
C:\Windows\System\beROeQP.exe
C:\Windows\System\yVwevHM.exe
C:\Windows\System\yVwevHM.exe
C:\Windows\System\YeCFDqK.exe
C:\Windows\System\YeCFDqK.exe
C:\Windows\System\QxPhWDp.exe
C:\Windows\System\QxPhWDp.exe
C:\Windows\System\TKvMFRV.exe
C:\Windows\System\TKvMFRV.exe
C:\Windows\System\FHGeCaI.exe
C:\Windows\System\FHGeCaI.exe
C:\Windows\System\NxsvSQo.exe
C:\Windows\System\NxsvSQo.exe
C:\Windows\System\xZgfKFa.exe
C:\Windows\System\xZgfKFa.exe
C:\Windows\System\hvVJJyU.exe
C:\Windows\System\hvVJJyU.exe
C:\Windows\System\YKWErmK.exe
C:\Windows\System\YKWErmK.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1464-0-0x0000000000080000-0x0000000000090000-memory.dmp
memory/1464-2-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
\Windows\system\WenaqoJ.exe
| MD5 | c13a00d5283403ae1c1c7d360606f647 |
| SHA1 | 323484f941612b3a569fca59bf89594f6636fbcc |
| SHA256 | 57c9de7748ce9a3c7e681dcd27d52a3a37690e6f202897ee3328b06db3ef5989 |
| SHA512 | 859c79a952ce17c04897a8292184cdcf5e57f83684c58f18be1db3d5ec7203082c10c79ddc4dbe79c436c2ce615b6feac2955c5f6d0a72c9904136df72eacaf9 |
memory/576-9-0x000000013FC30000-0x000000013FF81000-memory.dmp
memory/1464-8-0x00000000023F0000-0x0000000002741000-memory.dmp
\Windows\system\OlNLbjR.exe
| MD5 | 821ddbfe24db55c12a3e0de54e878637 |
| SHA1 | e18fd9b1473807693f2203aa787ff4379a3c33a9 |
| SHA256 | 42f56463dce195fbae1468e399da44e10b9ddbec44381d3ac8a24030e96168e0 |
| SHA512 | 10113178b2471ec0517c19b4d423e9c7722fac9e594f02031c63d0ddd8a52ed3ba0a8d49c41decbc43d47d36953d395cb5b04df971d749112a260e33e20da7df |
memory/2332-14-0x000000013F9E0000-0x000000013FD31000-memory.dmp
C:\Windows\system\HteHcyq.exe
| MD5 | a9f5c8603567e49a2c1dafecbe57f8ea |
| SHA1 | e5d1cc3f173dcc0b6fd41c31fff4e1854b8c7d98 |
| SHA256 | 1ab74fdd74a4c1d03fe005ed203f4121cca5ae2c4768f73db0154ea5e1ec7668 |
| SHA512 | 55ef2b267994ce572ae1887d621412a58481381d17ca388338f9cb4e18ae474bc4d5d05c31cd1101c116243f750595f05f33d83af665ef8fb01bffb87f6d7605 |
\Windows\system\ncCJlIN.exe
| MD5 | 939162d3d76be8a06fc39314f60b2a85 |
| SHA1 | 3f085e00f03fa5e78f00e5d7ee35997d0e6dc9b1 |
| SHA256 | 3bd88b7b9154677e474603e5acc954979e79f3d439dd3c15ed4db386f9715391 |
| SHA512 | 434b96db78a4ac6818f471cb93abd496371eea60c6fd1f48e5d8624b833b20712349aa975c7b4b8f00ede911534d9f8fc51d68529e56e3897bb4fc408f8c1544 |
memory/2240-27-0x000000013FC10000-0x000000013FF61000-memory.dmp
memory/1464-26-0x00000000023F0000-0x0000000002741000-memory.dmp
\Windows\system\vyhBERD.exe
| MD5 | a6eda52c2e4fa593e0fb527c71598c80 |
| SHA1 | 54ff09906fe68c19bd6fe7d9dc2c6449f370f02a |
| SHA256 | 5f23eb480ff03c2f7b7febec3c6830e3f93bdc9082f859b26d0934fe237c284a |
| SHA512 | 3fd6ad3ecbfafdb8c9bdcdfab05461f966be8119c317df7d50829baf077e27024a947914d0f34d0e28fe80e2c0edb53e4eaeedac161d9a11660f91c9eb6d8689 |
memory/2712-33-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/2960-21-0x000000013FF70000-0x00000001402C1000-memory.dmp
memory/1464-19-0x000000013FF70000-0x00000001402C1000-memory.dmp
C:\Windows\system\ydajkJa.exe
| MD5 | 94a732b81fb87c72206d0da10fcd8aed |
| SHA1 | 06cf190c0e5064131a8787ffbeacaab6162e4b22 |
| SHA256 | 4e352def4194362ea2f540f983b9351b0ececdbfa37102f21446c4203a9cc739 |
| SHA512 | a8c37e2229abbead23c94a57b6f287a0f181d815db2194ac22338749b6f7ddbb8d8717e37c0cad1d26818a558e696e457bd537d610d860c4eb254430e64b42ac |
C:\Windows\system\HxBlOMC.exe
| MD5 | f9bec652b04e850f236edd2fbc827317 |
| SHA1 | dc420a6dfa638ba5867a791e3b14290a4cac1291 |
| SHA256 | 1f3f40d5623dee1e7d02027e490be151c8cf96763e0c21cdd7881cb0f3f5f263 |
| SHA512 | 6eaf0d6d786c050cfe5ba9887fda46d1ad919df652d76a33dc8091710f5f1f5a4807838147aa3c813eb53390da46e64ae7d57db24e8f4cd6639e91e80bdaa167 |
\Windows\system\MbUNEAU.exe
| MD5 | 7b5a32e251d08ba9baf684db50ac2cdb |
| SHA1 | 22e04771b789b53bdd1c689f7fb9dc3372440223 |
| SHA256 | f1d823107d6c9ee7fd8f42cd3c9359e36beffa137622137e409d7c3c32c75c7e |
| SHA512 | 1ae1e2422e1d0a82504d2fa1d7c0e87615f32d8fb75e3a5223b8f2a11472ac4379cb9b9bd99f6b36e0fada26d9f18673e4873baf347bb8dd3115db826995def3 |
memory/1464-54-0x000000013FFF0000-0x0000000140341000-memory.dmp
memory/2796-48-0x000000013F200000-0x000000013F551000-memory.dmp
memory/776-55-0x000000013FFF0000-0x0000000140341000-memory.dmp
\Windows\system\gdrcXks.exe
| MD5 | f12463632e80b223a352a2b6eae7d68e |
| SHA1 | 50b8451bfef16bac1a0d1f653eebe4ffd9ee1bed |
| SHA256 | 7c352fd2c24e037d16d716bd0011c12f196b238a019286a4cbc1395dc16c13cd |
| SHA512 | 10a465711f476609bd51b57d5a135956445345fcda95132a7fae8fa59b65411465c4acf39691b4bb3c23395eaac86beb7c687721a907613803b50f39ad2bb8cf |
memory/1556-73-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/1464-72-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/1200-79-0x000000013F2D0000-0x000000013F621000-memory.dmp
C:\Windows\system\YeCFDqK.exe
| MD5 | cc943880f668b92f5a4adb18f767c8ef |
| SHA1 | 9db5d91081c876237065e716aa2bb990868efa8a |
| SHA256 | 2d0cd97a676ed84e6e3e0c6d01b29fcbc08280ef3e5b83a1492ca6a09e7b2e5f |
| SHA512 | 1c17768b3de182595f4109b12d6ed51d6e38f58752511bc6bb0414758161adcfd3ca15dbc3a744673ba26bdfac2764d80c22f833d1430cff7d440ccfc2821e97 |
C:\Windows\system\TKvMFRV.exe
| MD5 | 6b25ababececbb9196d965d97a974806 |
| SHA1 | 3b35f61dcbc3229cd8ba7135b1ee5d3ed484a59d |
| SHA256 | 6c361498da9af5a06a07777a9875196d4546e01a6590527ec0de8be5b3cebea8 |
| SHA512 | cb1841b22b9990296707fe928c4b151dfd02a6f3c040aafe7a660d7ae011493e1bda11af4a9f98e5ab53317ade945ebb1203d559c6e905ee825c9ae4e8d23527 |
C:\Windows\system\NxsvSQo.exe
| MD5 | 1437b22845787e7de8f610e56b3ee488 |
| SHA1 | 0ec10aa72545293670018bc16f48abe9400fecf3 |
| SHA256 | 5a8de90c47bdaed81f60446beffc35fc8b4ffcfc9dc683708610c07330b0e6d0 |
| SHA512 | f7a1df9acef827c55c9d4ca36dee0418ef2c098e8920207e511ba4a689bb8cc65a925e90699fb529c005e51a080d067a164aa7af726bf00525a6d2a36e99f502 |
\Windows\system\YKWErmK.exe
| MD5 | fe0ec9c010600b72dceacea8d8df43af |
| SHA1 | 2011ef0f694e6e954111f378ffb126f5d75a9ba1 |
| SHA256 | 888bbcfab680c1cd68b5fe94ce2116dbaa10452e53748bbe32aed9e6e865345b |
| SHA512 | 49fd1fa2b51dcd9655ff285b04c35aab861a4ebb898eb730dd908941b7f200e3321d24cf74490c39f516038c9603be674f3c1102ae89a5b02a34f98ebf169add |
C:\Windows\system\hvVJJyU.exe
| MD5 | 4286513126a21822533a7bb7145c08d4 |
| SHA1 | f8402078dfab7b4e75d52929101dafa72d71aea7 |
| SHA256 | 7c3717f74e2afacd1bb52cbd100a46344e8241b61978e2255795c1de08cb00e8 |
| SHA512 | 00e7defc88995f3594a76d556a162889551b090402886283ad177f46f70aee0364e5a8df158c3e5da1d0afe0fd8bf66de33425e0700bcc3513896d4be74ce524 |
C:\Windows\system\xZgfKFa.exe
| MD5 | 8dc202f1d6e788fbeb8670cf576560bf |
| SHA1 | 3e269bb6a3bb0d65cfa231604d74445289f78279 |
| SHA256 | 91a7368a53dc1b379af86f28e97c6a265cba8bb72afaed87e61db2b88e5f590c |
| SHA512 | b2fc2d63bf1f949adfa3d41ad307874dff45121b2681982a1e7e282bcd912b5af6699993bddbde7d43991ca5520854314e444a3002bd9b8011415de9b7bc6e27 |
C:\Windows\system\FHGeCaI.exe
| MD5 | b7032a3e2cec44d895035e437f7db499 |
| SHA1 | 67cf9615db120cfc86408a23d8c1c82729d2f2c0 |
| SHA256 | 2c41d713e6db8a696bb6c7a4816cdbc845a40ecd3bfbcd9d54623167f699749f |
| SHA512 | d7a6cc64b2529d7ecb52715db0fc505fa295ea6bd0fe58c6213c65f6bbc61e8b78b6bb244d32bbcdce867be44db0acc4df09b1b414243b216b5f2464fdd8aed0 |
C:\Windows\system\QxPhWDp.exe
| MD5 | 4b183dbbd3e3cb9b6a06b46611d78a9a |
| SHA1 | 02e8397ec590a4c5fb03e066e95b83668d787639 |
| SHA256 | 635092c6456f38834de46b705092e244971dc6cc167ed0680ddcf89a18ce9b2f |
| SHA512 | 6d4d47d01adaa20bc14b353d71d699f5ddd02f69d9be990a0ee5c0cd1cf9abfc4e1e8bedd52e168a0f806169384f3212523bab0e7ae83ed00062d6d8bf7682d2 |
memory/1464-106-0x000000013F040000-0x000000013F391000-memory.dmp
memory/1464-105-0x000000013F370000-0x000000013F6C1000-memory.dmp
memory/1332-103-0x000000013FB10000-0x000000013FE61000-memory.dmp
memory/2684-93-0x000000013FF80000-0x00000001402D1000-memory.dmp
C:\Windows\system\yVwevHM.exe
| MD5 | ff9758c3496c3670d6b0eb281e5fd8ee |
| SHA1 | a0e70e1714ee189fdaa37ea3b20ac886386decd7 |
| SHA256 | ffc0d2808941642d28771f9457e8ef7d365b88a30de6c4fd4bfd175922599274 |
| SHA512 | 4e902f57e2cd53a6589b854dacadac1a2915f8bb582a11603f920a8c6af9a507b7f8692b8665a054480e15ed20aa18ca290989856bd330d9e9a43ee198882580 |
memory/776-102-0x000000013FFF0000-0x0000000140341000-memory.dmp
memory/2796-97-0x000000013F200000-0x000000013F551000-memory.dmp
memory/1032-88-0x000000013FAD0000-0x000000013FE21000-memory.dmp
C:\Windows\system\qhspczV.exe
| MD5 | 30e921ab9aa8a589c14f47ac03ad7148 |
| SHA1 | 2f935f68afb2c05b2243d62740454629070cd57a |
| SHA256 | 043fefbb2c18360df1cf7b38fdf25484df1aa4faed29f0563095645a7a2e9ecf |
| SHA512 | 54b6a510c6bac1d9d9ac8700fff379cf84a0c8e97e9d028792f61354f0207fe5d105f0641fcc517102c0018b076467286ad2565162130dcf386658d022f26ff1 |
memory/1464-76-0x000000013F2D0000-0x000000013F621000-memory.dmp
C:\Windows\system\beROeQP.exe
| MD5 | 0c78563b7b5c5feb77ef214ec050adb7 |
| SHA1 | b071ef0227c9a2d62535f0bb2a2b0b963e06aab9 |
| SHA256 | f1c425a6b58d46c33839f24cf9e4036f36be90a086f759e146b128a93592828a |
| SHA512 | 1c49d4ed5059acefc30b8194f29a6d4cc8ef3895f78c2f7a90b13fd1141748a1a23d25ab364f36966f8c0137f2e0e807969226a71749507cf53be0cec2543983 |
memory/1464-86-0x00000000023F0000-0x0000000002741000-memory.dmp
memory/2712-83-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/2748-65-0x000000013F370000-0x000000013F6C1000-memory.dmp
C:\Windows\system\rjcEPXC.exe
| MD5 | a570cfb690aa4fdef92b2da973a3c63e |
| SHA1 | cf7db3f94ead7baa58e78515ba41e1ef3498654e |
| SHA256 | e6da3873bf088e184534b4b86466b9fc45a5ab26158a9f78bcde717d94eb9b70 |
| SHA512 | fead50a3f0fa7e327e9c0583a9663952606c4fe72e2d8b5ccfca0b03bb43bb262b9689b06e5f988529ac95c883035abb7aea36a369c966ce8a97a482f30cbc55 |
memory/1464-60-0x000000013F370000-0x000000013F6C1000-memory.dmp
memory/2332-59-0x000000013F9E0000-0x000000013FD31000-memory.dmp
memory/2240-71-0x000000013FC10000-0x000000013FF61000-memory.dmp
memory/2960-70-0x000000013FF70000-0x00000001402C1000-memory.dmp
memory/1464-53-0x00000000023F0000-0x0000000002741000-memory.dmp
memory/1464-46-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
memory/3016-45-0x000000013FFB0000-0x0000000140301000-memory.dmp
memory/1464-44-0x000000013FFB0000-0x0000000140301000-memory.dmp
memory/1556-141-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/1464-140-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/1464-144-0x000000013F2D0000-0x000000013F621000-memory.dmp
memory/1464-142-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
memory/1200-153-0x000000013F2D0000-0x000000013F621000-memory.dmp
memory/1288-164-0x000000013FCB0000-0x0000000140001000-memory.dmp
memory/1464-166-0x00000000023F0000-0x0000000002741000-memory.dmp
memory/1656-165-0x000000013F640000-0x000000013F991000-memory.dmp
memory/1924-163-0x000000013F9B0000-0x000000013FD01000-memory.dmp
memory/2136-161-0x000000013F7F0000-0x000000013FB41000-memory.dmp
memory/2204-159-0x000000013F040000-0x000000013F391000-memory.dmp
memory/2684-157-0x000000013FF80000-0x00000001402D1000-memory.dmp
memory/1032-156-0x000000013FAD0000-0x000000013FE21000-memory.dmp
memory/2524-162-0x000000013F0E0000-0x000000013F431000-memory.dmp
memory/2280-160-0x000000013F300000-0x000000013F651000-memory.dmp
memory/1464-167-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
memory/1464-189-0x000000013F040000-0x000000013F391000-memory.dmp
memory/576-213-0x000000013FC30000-0x000000013FF81000-memory.dmp
memory/2332-221-0x000000013F9E0000-0x000000013FD31000-memory.dmp
memory/2240-223-0x000000013FC10000-0x000000013FF61000-memory.dmp
memory/2960-225-0x000000013FF70000-0x00000001402C1000-memory.dmp
memory/2712-227-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/3016-229-0x000000013FFB0000-0x0000000140301000-memory.dmp
memory/776-242-0x000000013FFF0000-0x0000000140341000-memory.dmp
memory/2796-244-0x000000013F200000-0x000000013F551000-memory.dmp
memory/2748-246-0x000000013F370000-0x000000013F6C1000-memory.dmp
memory/1556-248-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/1200-250-0x000000013F2D0000-0x000000013F621000-memory.dmp
memory/1032-252-0x000000013FAD0000-0x000000013FE21000-memory.dmp
memory/2684-254-0x000000013FF80000-0x00000001402D1000-memory.dmp
memory/1332-256-0x000000013FB10000-0x000000013FE61000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-07 20:44
Reported
2024-08-07 20:47
Platform
win10v2004-20240802-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ZHPNJPC.exe | N/A |
| N/A | N/A | C:\Windows\System\jbGLeSG.exe | N/A |
| N/A | N/A | C:\Windows\System\qlFmlJt.exe | N/A |
| N/A | N/A | C:\Windows\System\NkgTGsz.exe | N/A |
| N/A | N/A | C:\Windows\System\LZewaqy.exe | N/A |
| N/A | N/A | C:\Windows\System\AuFXGrm.exe | N/A |
| N/A | N/A | C:\Windows\System\RayVyuD.exe | N/A |
| N/A | N/A | C:\Windows\System\eiNJBKx.exe | N/A |
| N/A | N/A | C:\Windows\System\uTbUDxE.exe | N/A |
| N/A | N/A | C:\Windows\System\zEIlgpV.exe | N/A |
| N/A | N/A | C:\Windows\System\NtYGPmQ.exe | N/A |
| N/A | N/A | C:\Windows\System\bEMESrx.exe | N/A |
| N/A | N/A | C:\Windows\System\FdUqPVy.exe | N/A |
| N/A | N/A | C:\Windows\System\AjIkJVh.exe | N/A |
| N/A | N/A | C:\Windows\System\PdAWZSZ.exe | N/A |
| N/A | N/A | C:\Windows\System\kqkYUsQ.exe | N/A |
| N/A | N/A | C:\Windows\System\WQMNYvn.exe | N/A |
| N/A | N/A | C:\Windows\System\KtXDbou.exe | N/A |
| N/A | N/A | C:\Windows\System\iygrAYr.exe | N/A |
| N/A | N/A | C:\Windows\System\wgCnGuY.exe | N/A |
| N/A | N/A | C:\Windows\System\cDWbzxb.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_3e6b4053e06fd3dafd9ef15112bfb66d_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\ZHPNJPC.exe
C:\Windows\System\ZHPNJPC.exe
C:\Windows\System\jbGLeSG.exe
C:\Windows\System\jbGLeSG.exe
C:\Windows\System\qlFmlJt.exe
C:\Windows\System\qlFmlJt.exe
C:\Windows\System\NkgTGsz.exe
C:\Windows\System\NkgTGsz.exe
C:\Windows\System\LZewaqy.exe
C:\Windows\System\LZewaqy.exe
C:\Windows\System\AuFXGrm.exe
C:\Windows\System\AuFXGrm.exe
C:\Windows\System\RayVyuD.exe
C:\Windows\System\RayVyuD.exe
C:\Windows\System\eiNJBKx.exe
C:\Windows\System\eiNJBKx.exe
C:\Windows\System\uTbUDxE.exe
C:\Windows\System\uTbUDxE.exe
C:\Windows\System\zEIlgpV.exe
C:\Windows\System\zEIlgpV.exe
C:\Windows\System\NtYGPmQ.exe
C:\Windows\System\NtYGPmQ.exe
C:\Windows\System\bEMESrx.exe
C:\Windows\System\bEMESrx.exe
C:\Windows\System\FdUqPVy.exe
C:\Windows\System\FdUqPVy.exe
C:\Windows\System\AjIkJVh.exe
C:\Windows\System\AjIkJVh.exe
C:\Windows\System\PdAWZSZ.exe
C:\Windows\System\PdAWZSZ.exe
C:\Windows\System\kqkYUsQ.exe
C:\Windows\System\kqkYUsQ.exe
C:\Windows\System\WQMNYvn.exe
C:\Windows\System\WQMNYvn.exe
C:\Windows\System\KtXDbou.exe
C:\Windows\System\KtXDbou.exe
C:\Windows\System\iygrAYr.exe
C:\Windows\System\iygrAYr.exe
C:\Windows\System\wgCnGuY.exe
C:\Windows\System\wgCnGuY.exe
C:\Windows\System\cDWbzxb.exe
C:\Windows\System\cDWbzxb.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4056,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=3896 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3320-0-0x00007FF790CC0000-0x00007FF791011000-memory.dmp
memory/3320-1-0x00000239783C0000-0x00000239783D0000-memory.dmp
C:\Windows\System\ZHPNJPC.exe
| MD5 | ee131c0f690bf0a34c6119eaf77e165a |
| SHA1 | 9d8d0cff4b715ebc9bb2d48bf2c81bad0ede4bbd |
| SHA256 | 771963d26310700fea53c647b86c90499b2d03abfe18e5513957c53f9c3fa6cb |
| SHA512 | 23e0de3a766a8456be1b291eeeba4ffd69aa85f10253b0d38d38f37ea537c69e18ead4070f108c6cff230f8f1d3f48cecc21b8c625b07f297094c54943e3303c |
C:\Windows\System\qlFmlJt.exe
| MD5 | 08308c8789368cb5ae0f9e3d999bbdde |
| SHA1 | 0582db3f35d89b575f84e533ec7cb5804753b871 |
| SHA256 | a4409086020be1a187ca38e3c9a4463bd32b7a2186db56847ae22fe6f7572f39 |
| SHA512 | 2c79a18fdca6143decb542aabc5da4215143ccf8f9ab74156e58c688e99e5741b79bff1697ac7c11a0dd622bd0996d980f475b1f13be8a407b51038ad45b0f1a |
memory/3948-8-0x00007FF660F10000-0x00007FF661261000-memory.dmp
C:\Windows\System\NkgTGsz.exe
| MD5 | 4e1a83cee8e092bab19cb01af02434d2 |
| SHA1 | 99b235c1f6554a40fe8b9a48631bd53dacd041f6 |
| SHA256 | 7b6d8f58037d964554a5c0bf68ceffc80f425d59621a7b3d594e496e405f4c6e |
| SHA512 | 1168ecdbbd1aa259b0c15324e49c4d28bf207d5ccdd582a4f87222cb28e27a286e0017d7cc3c428e154b6e43bc2108c4492a1cb902cc33a4de95c3b801e714c3 |
C:\Windows\System\jbGLeSG.exe
| MD5 | 9180475dc85b14a9d94040ad7378f3a2 |
| SHA1 | 6f1615f35f03f78106047709b5d330d210b3d22a |
| SHA256 | 4d381a9468de0d688ecc12b2c9a688b43535f75d90c0d83c58e52cff4151aef8 |
| SHA512 | c426fc6babd786fcdb0bb3e0406c11c77fdb569f7bd81e1e134fdc1c7d8e161c8692750e90c76bd1b6bc18958d0f20b2131992d29f8f9261c9ba0f335bbd3033 |
memory/3680-33-0x00007FF7A1280000-0x00007FF7A15D1000-memory.dmp
memory/4128-34-0x00007FF723EF0000-0x00007FF724241000-memory.dmp
C:\Windows\System\RayVyuD.exe
| MD5 | 5d3afc8db59d4d122416aac48a802a25 |
| SHA1 | a060888afcc54f5562f77fa192044f112fa35513 |
| SHA256 | 683afcb99f53b1f83b1fe107ebcea14eb3eaf19ea1f1b6012b841fd8a39ab0f9 |
| SHA512 | 9d6196b8d6b2c44b105f400e793ba742b65f9b051628fb5babce0529af1d7c47f2a4270c6053becc59ce070470d7b11d13d3420474cee1037b7c29e3b45fd534 |
C:\Windows\System\AuFXGrm.exe
| MD5 | 0b98af4559cafd5941e57377fd31182b |