Analysis Overview
SHA256
11a7933fa0e8f98b2459a1992e0ec2f8996034b4de79f034b31566d84e1e16e6
Threat Level: Known bad
The file 2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Cobaltstrike family
XMRig Miner payload
xmrig
Cobalt Strike reflective loader
Xmrig family
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-08-13 11:56
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 11:56
Reported
2024-08-13 11:58
Platform
win7-20240708-en
Max time kernel
140s
Max time network
149s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\Wimrvpn.exe | N/A |
| N/A | N/A | C:\Windows\System\FKOqBiX.exe | N/A |
| N/A | N/A | C:\Windows\System\NjDWpoh.exe | N/A |
| N/A | N/A | C:\Windows\System\rOyKuVI.exe | N/A |
| N/A | N/A | C:\Windows\System\NjfisLX.exe | N/A |
| N/A | N/A | C:\Windows\System\sLPmnoh.exe | N/A |
| N/A | N/A | C:\Windows\System\KjuTnME.exe | N/A |
| N/A | N/A | C:\Windows\System\dqhRVJk.exe | N/A |
| N/A | N/A | C:\Windows\System\iJwWOYz.exe | N/A |
| N/A | N/A | C:\Windows\System\TpxLbRd.exe | N/A |
| N/A | N/A | C:\Windows\System\JmNQwsS.exe | N/A |
| N/A | N/A | C:\Windows\System\Phrnhix.exe | N/A |
| N/A | N/A | C:\Windows\System\wBbFyJS.exe | N/A |
| N/A | N/A | C:\Windows\System\ZaNDkXD.exe | N/A |
| N/A | N/A | C:\Windows\System\QpLFTDY.exe | N/A |
| N/A | N/A | C:\Windows\System\LRMXSAb.exe | N/A |
| N/A | N/A | C:\Windows\System\WNCisjA.exe | N/A |
| N/A | N/A | C:\Windows\System\LaqcycD.exe | N/A |
| N/A | N/A | C:\Windows\System\yUhSlOZ.exe | N/A |
| N/A | N/A | C:\Windows\System\DQjXold.exe | N/A |
| N/A | N/A | C:\Windows\System\MjaYLlj.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\Wimrvpn.exe | C:\Windows\System\Wimrvpn.exe |
| C:\Windows\System\FKOqBiX.exe | C:\Windows\System\FKOqBiX.exe |
| C:\Windows\System\NjDWpoh.exe | C:\Windows\System\NjDWpoh.exe |
| C:\Windows\System\rOyKuVI.exe | C:\Windows\System\rOyKuVI.exe |
| C:\Windows\System\NjfisLX.exe | C:\Windows\System\NjfisLX.exe |
| C:\Windows\System\sLPmnoh.exe | C:\Windows\System\sLPmnoh.exe |
| C:\Windows\System\dqhRVJk.exe | C:\Windows\System\dqhRVJk.exe |
| C:\Windows\System\KjuTnME.exe | C:\Windows\System\KjuTnME.exe |
| C:\Windows\System\iJwWOYz.exe | C:\Windows\System\iJwWOYz.exe |
| C:\Windows\System\TpxLbRd.exe | C:\Windows\System\TpxLbRd.exe |
| C:\Windows\System\JmNQwsS.exe | C:\Windows\System\JmNQwsS.exe |
| C:\Windows\System\Phrnhix.exe | C:\Windows\System\Phrnhix.exe |
| C:\Windows\System\wBbFyJS.exe | C:\Windows\System\wBbFyJS.exe |
| C:\Windows\System\ZaNDkXD.exe | C:\Windows\System\ZaNDkXD.exe |
| C:\Windows\System\QpLFTDY.exe | C:\Windows\System\QpLFTDY.exe |
| C:\Windows\System\LRMXSAb.exe | C:\Windows\System\LRMXSAb.exe |
| C:\Windows\System\WNCisjA.exe | C:\Windows\System\WNCisjA.exe |
| C:\Windows\System\LaqcycD.exe | C:\Windows\System\LaqcycD.exe |
| C:\Windows\System\yUhSlOZ.exe | C:\Windows\System\yUhSlOZ.exe |
| C:\Windows\System\DQjXold.exe | C:\Windows\System\DQjXold.exe |
| C:\Windows\System\MjaYLlj.exe | C:\Windows\System\MjaYLlj.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 11:56
Reported
2024-08-13 11:58
Platform
win10v2004-20240802-en
Max time kernel
143s
Max time network
148s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ZKGeOQg.exe | N/A |
| N/A | N/A | C:\Windows\System\RtHqDRM.exe | N/A |
| N/A | N/A | C:\Windows\System\namBGys.exe | N/A |
| N/A | N/A | C:\Windows\System\RNkVPxu.exe | N/A |
| N/A | N/A | C:\Windows\System\dKcdNlZ.exe | N/A |
| N/A | N/A | C:\Windows\System\udtaBWu.exe | N/A |
| N/A | N/A | C:\Windows\System\nbeCNzl.exe | N/A |
| N/A | N/A | C:\Windows\System\cqnPkWi.exe | N/A |
| N/A | N/A | C:\Windows\System\ktnluqB.exe | N/A |
| N/A | N/A | C:\Windows\System\mQOUkVF.exe | N/A |
| N/A | N/A | C:\Windows\System\fGtornN.exe | N/A |
| N/A | N/A | C:\Windows\System\PzneVRg.exe | N/A |
| N/A | N/A | C:\Windows\System\DJrQSPM.exe | N/A |
| N/A | N/A | C:\Windows\System\BgShqCR.exe | N/A |
| N/A | N/A | C:\Windows\System\PVwDWSA.exe | N/A |
| N/A | N/A | C:\Windows\System\UoAbijW.exe | N/A |
| N/A | N/A | C:\Windows\System\nNQZONg.exe | N/A |
| N/A | N/A | C:\Windows\System\IXVcGBJ.exe | N/A |
| N/A | N/A | C:\Windows\System\jChWjpz.exe | N/A |
| N/A | N/A | C:\Windows\System\SAQtlhi.exe | N/A |
| N/A | N/A | C:\Windows\System\YdivTwH.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-13_a5b73043d4964e2937ee8704be7ba786_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\ZKGeOQg.exe | C:\Windows\System\ZKGeOQg.exe |
| C:\Windows\System\RtHqDRM.exe | C:\Windows\System\RtHqDRM.exe |
| C:\Windows\System\namBGys.exe | C:\Windows\System\namBGys.exe |
| C:\Windows\System\RNkVPxu.exe | C:\Windows\System\RNkVPxu.exe |
| C:\Windows\System\dKcdNlZ.exe | C:\Windows\System\dKcdNlZ.exe |
| C:\Windows\System\udtaBWu.exe | C:\Windows\System\udtaBWu.exe |
| C:\Windows\System\nbeCNzl.exe | C:\Windows\System\nbeCNzl.exe |
| C:\Windows\System\cqnPkWi.exe | C:\Windows\System\cqnPkWi.exe |
| C:\Windows\System\ktnluqB.exe | C:\Windows\System\ktnluqB.exe |
| C:\Windows\System\mQOUkVF.exe | C:\Windows\System\mQOUkVF.exe |
| C:\Windows\System\fGtornN.exe | C:\Windows\System\fGtornN.exe |
| C:\Windows\System\PzneVRg.exe | C:\Windows\System\PzneVRg.exe |
| C:\Windows\System\DJrQSPM.exe | C:\Windows\System\DJrQSPM.exe |
| C:\Windows\System\BgShqCR.exe | C:\Windows\System\BgShqCR.exe |
| C:\Windows\System\PVwDWSA.exe | C:\Windows\System\PVwDWSA.exe |
| C:\Windows\System\UoAbijW.exe | C:\Windows\System\UoAbijW.exe |
| C:\Windows\System\nNQZONg.exe | C:\Windows\System\nNQZONg.exe |
| C:\Windows\System\IXVcGBJ.exe | C:\Windows\System\IXVcGBJ.exe |
| C:\Windows\System\jChWjpz.exe | C:\Windows\System\jChWjpz.exe |
| C:\Windows\System\SAQtlhi.exe | C:\Windows\System\SAQtlhi.exe |
| C:\Windows\System\YdivTwH.exe | C:\Windows\System\YdivTwH.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 52.111.227.13:443 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
C:\Windows\System\UoAbijW.exe
| MD5 | c8a783e6bc98c640bb339b0f95f4fcd3 |
| SHA1 | 7011d271e3a1d24c32cd7a3f5b2151b0a777771d |
| SHA256 | ad6639c2ddbb1b411630002e0831d41e1647e5508d2013d1dd4bca5ef0f85e92 |
| SHA512 | bbc6ca911bfbb1a744b7d7be3b8dc592c3bffcafc8683805615229497cd64cf2aa02eeb78beee7f6ff2c5e9ab31fd0cf2675aecd6ba99c442e685c93805f2f56 |
memory/3112-88-0x00007FF77CAB0000-0x00007FF77CE01000-memory.dmp
memory/4472-87-0x00007FF731F10000-0x00007FF732261000-memory.dmp
memory/316-85-0x00007FF79C0E0000-0x00007FF79C431000-memory.dmp
C:\Windows\System\fGtornN.exe
| MD5 | 86b2e1f51b696eae04334a80e4520acd |
| SHA1 | 28b7146ab436cd519135fef9beab969ecd299c14 |
| SHA256 | 46f8d9f5be865cf39a63143913720f7a4a6c1dc2d821400899d592dbfcef6070 |
| SHA512 | 7c537947ecdb20a85b5d37efa5f2a9aa7b834580b2832308cf2acfec8fc5492a39f19025f17949520c640ed373d5db658f81888defba24d45cb68b9d25421124 |
memory/956-42-0x00007FF618F80000-0x00007FF6192D1000-memory.dmp
C:\Windows\System\dKcdNlZ.exe
| MD5 | 0c0d58f95cf6bbe8f6059c4112f91072 |
| SHA1 | 0e3068700b377c33d83d6af14b3b77888cc03fbc |
| SHA256 | 65f156dbc5a0ae022edf5ca55bcc8d1e4b641750527a337a5528a19c62a6452a |
| SHA512 | 91982643d6712a2daacbcd32ba1c4f311cfc968691c36a751ec0610b3689c3b30a625cd9bcbc1318461cd58042231dca96970aaf812524b0065d5e9c6b3f061b |
C:\Windows\System\RNkVPxu.exe
| MD5 | 96b100bf256532b6bfcde939a389956f |
| SHA1 | c56028b3668dd7ab54b5f138998170acd5aed388 |
| SHA256 | e1e7f8c58fb58d39794fac6f762473cb16703d0a7d757f64976a17870aba905d |
| SHA512 | 1bfad2b3c5202383c54a9f14aaa40f3c987035d9390f83f3bf1af0c9daacbb431527f52a6628affec1b44536cb60ab785ee087d180550dc2d3a39165d8a72269 |
memory/220-30-0x00007FF62DE90000-0x00007FF62E1E1000-memory.dmp
memory/908-33-0x00007FF68C970000-0x00007FF68CCC1000-memory.dmp
memory/4440-18-0x00007FF616EA0000-0x00007FF6171F1000-memory.dmp
memory/2224-7-0x00007FF6ED490000-0x00007FF6ED7E1000-memory.dmp
memory/624-122-0x00007FF762660000-0x00007FF7629B1000-memory.dmp
memory/956-128-0x00007FF618F80000-0x00007FF6192D1000-memory.dmp
memory/860-132-0x00007FF6ACF20000-0x00007FF6AD271000-memory.dmp
memory/1376-130-0x00007FF7691D0000-0x00007FF769521000-memory.dmp
memory/4988-136-0x00007FF6D4B00000-0x00007FF6D4E51000-memory.dmp
memory/5104-137-0x00007FF67D4A0000-0x00007FF67D7F1000-memory.dmp
memory/5112-138-0x00007FF624BC0000-0x00007FF624F11000-memory.dmp
memory/2824-135-0x00007FF7E8AC0000-0x00007FF7E8E11000-memory.dmp
memory/960-134-0x00007FF79C840000-0x00007FF79CB91000-memory.dmp
memory/3236-139-0x00007FF645E30000-0x00007FF646181000-memory.dmp
memory/908-127-0x00007FF68C970000-0x00007FF68CCC1000-memory.dmp
memory/220-125-0x00007FF62DE90000-0x00007FF62E1E1000-memory.dmp
memory/4440-124-0x00007FF616EA0000-0x00007FF6171F1000-memory.dmp
memory/2224-123-0x00007FF6ED490000-0x00007FF6ED7E1000-memory.dmp
memory/2392-141-0x00007FF63A120000-0x00007FF63A471000-memory.dmp
memory/3112-143-0x00007FF77CAB0000-0x00007FF77CE01000-memory.dmp
memory/624-150-0x00007FF762660000-0x00007FF7629B1000-memory.dmp
memory/624-151-0x00007FF762660000-0x00007FF7629B1000-memory.dmp
memory/2224-197-0x00007FF6ED490000-0x00007FF6ED7E1000-memory.dmp
memory/220-199-0x00007FF62DE90000-0x00007FF62E1E1000-memory.dmp
memory/4440-201-0x00007FF616EA0000-0x00007FF6171F1000-memory.dmp
memory/1376-204-0x00007FF7691D0000-0x00007FF769521000-memory.dmp
memory/4364-207-0x00007FF7682A0000-0x00007FF7685F1000-memory.dmp
memory/956-209-0x00007FF618F80000-0x00007FF6192D1000-memory.dmp
memory/908-205-0x00007FF68C970000-0x00007FF68CCC1000-memory.dmp
memory/4500-213-0x00007FF7B2B10000-0x00007FF7B2E61000-memory.dmp
memory/4824-212-0x00007FF6FEA60000-0x00007FF6FEDB1000-memory.dmp
memory/860-215-0x00007FF6ACF20000-0x00007FF6AD271000-memory.dmp
memory/4180-222-0x00007FF77FAE0000-0x00007FF77FE31000-memory.dmp
memory/316-224-0x00007FF79C0E0000-0x00007FF79C431000-memory.dmp
memory/4472-226-0x00007FF731F10000-0x00007FF732261000-memory.dmp
memory/2392-228-0x00007FF63A120000-0x00007FF63A471000-memory.dmp
memory/3112-230-0x00007FF77CAB0000-0x00007FF77CE01000-memory.dmp
memory/960-232-0x00007FF79C840000-0x00007FF79CB91000-memory.dmp
memory/2824-234-0x00007FF7E8AC0000-0x00007FF7E8E11000-memory.dmp
memory/4988-236-0x00007FF6D4B00000-0x00007FF6D4E51000-memory.dmp
memory/5104-238-0x00007FF67D4A0000-0x00007FF67D7F1000-memory.dmp
memory/5112-240-0x00007FF624BC0000-0x00007FF624F11000-memory.dmp
memory/3236-242-0x00007FF645E30000-0x00007FF646181000-memory.dmp
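The dropped-file and memory-dump lines above are the part of this report most useful for hunting, but only once they are structured: a hash set per dropped file, and a process-to-region mapping for the dumps. The following parser is an added example, not code from the sandbox vendor or from the sample's authors. It assumes the line shapes seen on this page: a drive-letter path introduces a dropped file, the `| MD5 | … |` rows that follow it carry that file's digests, and each `memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp` name encodes the process ID, a dump sequence number and the half-open address range (the meaning of the first two fields is an assumption inferred from the names, not documented on the page). The sample input is a constructed excerpt of a few lines copied from this listing; a useful by-product of the `region_sizes` check is that every region in the listing is the same 0x351000 bytes, which is what one expects when one image is mapped into many processes.

```python
"""Parse a sandbox report's dropped-file and memory-dump listing into IOC records."""
import re
from dataclasses import dataclass, field

# Line shapes as they appear in the report body:
#   C:\Windows\System\cqnPkWi.exe        -> dropped file; hash rows follow it
#   | SHA256 | 4687302e...c315 |         -> one digest row per algorithm
#   memory/4824-59-0x00007FF6FEA60000-0x00007FF6FEDB1000-memory.dmp
#       -> assumed layout: PID 4824, dump index 59, region [start, end)
PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex chars per digest


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)  # algorithm -> lowercase hex digest


@dataclass
class MemoryRegion:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


@dataclass
class Report:
    files: list = field(default_factory=list)
    regions: list = field(default_factory=list)
    problems: list = field(default_factory=list)  # malformed rows, kept for triage


def parse_report(text: str) -> Report:
    """Walk the listing line by line; unknown lines are ignored, bad hash rows are recorded."""
    rep, current = Report(), None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = DroppedFile(line)
            rep.files.append(current)
            continue
        m = HASH_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                rep.problems.append(f"line {lineno}: hash row with no preceding file path")
            elif len(digest) != HEX_LEN[algo]:
                rep.problems.append(f"line {lineno}: {algo} digest has {len(digest)} hex chars")
            else:
                current.hashes[algo] = digest
            continue
        m = MEM_RE.match(line)
        if m:
            rep.regions.append(MemoryRegion(int(m.group(1)), int(m.group(2)),
                                            int(m.group(3), 16), int(m.group(4), 16)))
            current = None  # hash rows never follow a memory line in this format
    return rep


def region_sizes(regions) -> list:
    """Distinct region sizes; a single value means every dump covers an identically sized image."""
    return sorted({r.size for r in regions})


def regions_by_pid(regions) -> dict:
    """PID -> [(index, start)]; a repeated (pid, start) pair is the same region dumped again."""
    out = {}
    for r in regions:
        out.setdefault(r.pid, []).append((r.index, r.start))
    return out


def sha256_set(files) -> set:
    """SHA256 values ready for a blocklist or an EDR hunting query."""
    return {f.hashes["SHA256"] for f in files if "SHA256" in f.hashes}


# Constructed sample: a few lines copied verbatim from the listing above.
SAMPLE = r"""
memory/4824-59-0x00007FF6FEA60000-0x00007FF6FEDB1000-memory.dmp
memory/4364-57-0x00007FF7682A0000-0x00007FF7685F1000-memory.dmp
C:\Windows\System\cqnPkWi.exe
| MD5 | eac86ec934647ca014143a2b5e584680 |
| SHA1 | ea90a3e8bb4c486933e6c2d28be5861ff009e752 |
| SHA256 | 4687302e096895afec443fa04f75e55390834aa8e1abf9f6fca71ea4fc8bc315 |
| SHA512 | 32e6709bf505b3bbf2c65f6b8cc77988702f975b340147245a4b3c9a2d98dd4696aa719e386637570ea3cb78e65d00c667c8531d2e6d4fec2da0f19145b9cdec |
C:\Windows\System\PzneVRg.exe
| MD5 | fcc7b2823b78b78f126115443aadaa56 |
| SHA1 | ed659ff918d3994184998298ae19ae7d5df79b14 |
| SHA256 | 8501632fb9a063294b8d78572ca01b14642148be2affdfc9a25da2e4e73738cf |
| SHA512 | 08ae8e3dd52ff1d14ab6e53b6b2be4e572772bf747bf48ae3cf86962ea1488577a235ba8de287a1410628b8edc154ed584309c6d76a0c3ccf07c92830ba37f67 |
memory/4180-80-0x00007FF77FAE0000-0x00007FF77FE31000-memory.dmp
memory/4824-212-0x00007FF6FEA60000-0x00007FF6FEDB1000-memory.dmp
"""

if __name__ == "__main__":
    rep = parse_report(SAMPLE)
    for f in rep.files:
        print(f.path, f.hashes.get("SHA256"))
    print("region sizes:", [hex(s) for s in region_sizes(rep.regions)])
    print("dumps per PID:", regions_by_pid(rep.regions))
    print("problems:", rep.problems)
```

Feed the whole report text to `parse_report` rather than the excerpt to get the full hash set; the `problems` list is worth checking before any digest goes into a blocklist, since a truncated or copy-damaged hash silently matches nothing.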