Analysis Overview
SHA256
a0e7fdd7aa26deaac321ade82e16de068909cf1342617747ffd4e9cb9d97d026
Threat Level: Known bad
The file 2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobaltstrike
xmrig
Cobalt Strike reflective loader
Xmrig family
XMRig Miner payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-13 12:09
Signatures
Cobalt Strike reflective loader (1 row; Description, Indicator, Process and Target not recorded)
Cobaltstrike family
XMRig Miner payload (1 row; Description, Indicator, Process and Target not recorded)
Xmrig family
UPX packed file (1 row; Description, Indicator, Process and Target not recorded)
Unsigned PE (2 rows; Description, Indicator, Process and Target not recorded)
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 12:09
Reported
2024-08-13 12:11
Platform
win7-20240704-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Cobalt Strike reflective loader (21 rows; Description, Indicator, Process and Target not recorded)
Cobaltstrike
xmrig
XMRig Miner payload (42 rows; Description, Indicator, Process and Target not recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ldIkQsO.exe | N/A |
| N/A | N/A | C:\Windows\System\jZZPzCQ.exe | N/A |
| N/A | N/A | C:\Windows\System\XLanwMr.exe | N/A |
| N/A | N/A | C:\Windows\System\TwIGjwV.exe | N/A |
| N/A | N/A | C:\Windows\System\qEanfdY.exe | N/A |
| N/A | N/A | C:\Windows\System\QORVmmY.exe | N/A |
| N/A | N/A | C:\Windows\System\fzPtDIJ.exe | N/A |
| N/A | N/A | C:\Windows\System\bpEbmEt.exe | N/A |
| N/A | N/A | C:\Windows\System\qshehft.exe | N/A |
| N/A | N/A | C:\Windows\System\kksdCQq.exe | N/A |
| N/A | N/A | C:\Windows\System\tiwkrkQ.exe | N/A |
| N/A | N/A | C:\Windows\System\WeMCWHX.exe | N/A |
| N/A | N/A | C:\Windows\System\emqHUbN.exe | N/A |
| N/A | N/A | C:\Windows\System\XgOEPXs.exe | N/A |
| N/A | N/A | C:\Windows\System\toyYnod.exe | N/A |
| N/A | N/A | C:\Windows\System\DLhOLQx.exe | N/A |
| N/A | N/A | C:\Windows\System\UGBXSJq.exe | N/A |
| N/A | N/A | C:\Windows\System\XGtxCON.exe | N/A |
| N/A | N/A | C:\Windows\System\HAlekrH.exe | N/A |
| N/A | N/A | C:\Windows\System\FFQsmaX.exe | N/A |
| N/A | N/A | C:\Windows\System\mjgbcgO.exe | N/A |
Loads dropped DLL
UPX packed file (64 rows; Description, Indicator, Process and Target not recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken (SeLockMemoryPrivilege is the "Lock pages in memory" right; XMRig requests it to back its hashing dataset with large pages, which is consistent with the XMRig signatures above. Legitimate holders such as SQL Server are the allow-list exception when turning this into a detection.)
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\ldIkQsO.exe
C:\Windows\System\ldIkQsO.exe
C:\Windows\System\jZZPzCQ.exe
C:\Windows\System\jZZPzCQ.exe
C:\Windows\System\XLanwMr.exe
C:\Windows\System\XLanwMr.exe
C:\Windows\System\TwIGjwV.exe
C:\Windows\System\TwIGjwV.exe
C:\Windows\System\qEanfdY.exe
C:\Windows\System\qEanfdY.exe
C:\Windows\System\QORVmmY.exe
C:\Windows\System\QORVmmY.exe
C:\Windows\System\fzPtDIJ.exe
C:\Windows\System\fzPtDIJ.exe
C:\Windows\System\bpEbmEt.exe
C:\Windows\System\bpEbmEt.exe
C:\Windows\System\qshehft.exe
C:\Windows\System\qshehft.exe
C:\Windows\System\kksdCQq.exe
C:\Windows\System\kksdCQq.exe
C:\Windows\System\tiwkrkQ.exe
C:\Windows\System\tiwkrkQ.exe
C:\Windows\System\WeMCWHX.exe
C:\Windows\System\WeMCWHX.exe
C:\Windows\System\emqHUbN.exe
C:\Windows\System\emqHUbN.exe
C:\Windows\System\XgOEPXs.exe
C:\Windows\System\XgOEPXs.exe
C:\Windows\System\toyYnod.exe
C:\Windows\System\toyYnod.exe
C:\Windows\System\DLhOLQx.exe
C:\Windows\System\DLhOLQx.exe
C:\Windows\System\UGBXSJq.exe
C:\Windows\System\UGBXSJq.exe
C:\Windows\System\XGtxCON.exe
C:\Windows\System\XGtxCON.exe
C:\Windows\System\HAlekrH.exe
C:\Windows\System\HAlekrH.exe
C:\Windows\System\FFQsmaX.exe
C:\Windows\System\FFQsmaX.exe
C:\Windows\System\mjgbcgO.exe
C:\Windows\System\mjgbcgO.exe
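Added example (not part of the sandbox output): detection logic for the behaviour recorded in this run, applied to constructed Sysmon-style events. The drop directory (the legacy C:\Windows\System, not System32), the seven-letter image names and the SeLockMemoryPrivilege adjustment come from this report; the PIDs, the event field names, the benign rows and the sqlservr.exe allow-list are assumptions for the example.

```python
"""Detection logic for the behaviour in this report: executables written to
and launched from the legacy C:\\Windows\\System directory, plus
SeLockMemoryPrivilege enabled by a process that has no business holding it."""
import re
from typing import Dict, Iterable, List

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe")

# C:\Windows\System is the 16-bit compatibility directory; nothing modern installs
# new executables there. System32 and SysWOW64 deliberately do not match.
LEGACY_SYSTEM_EXE = re.compile(r"^[a-z]:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)

# Assumed allow-list of images that legitimately hold "Lock pages in memory"
# (SQL Server is the usual one); anything else enabling it gets flagged.
LOCK_MEMORY_ALLOWLIST = {"sqlservr.exe"}

# Constructed Sysmon-style events. Paths, the drop directory and the privilege
# name are from the report; PIDs, field names and the benign rows are assumed.
EVENTS: List[Dict] = [
    {"type": "ProcessCreate", "pid": 2284, "image": SAMPLE},
    {"type": "TokenAdjust", "pid": 2284, "image": SAMPLE, "privilege": "SeLockMemoryPrivilege"},
]
for pid, name in zip((2876, 2360, 2740, 2804), ("ldIkQsO", "jZZPzCQ", "XLanwMr", "qshehft")):
    dropped = "C:\\Windows\\System\\" + name + ".exe"
    EVENTS.append({"type": "FileCreate", "pid": 2284, "image": SAMPLE, "target": dropped})
    EVENTS.append({"type": "ProcessCreate", "pid": pid, "image": dropped})
EVENTS += [  # background activity the rules must stay quiet on
    {"type": "ProcessCreate", "pid": 700, "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "ProcessCreate", "pid": 4100, "image": r"C:\Windows\SysWOW64\notepad.exe"},
    {"type": "TokenAdjust", "pid": 1500, "privilege": "SeLockMemoryPrivilege",
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"},
    {"type": "TokenAdjust", "pid": 700, "image": r"C:\Windows\System32\svchost.exe",
     "privilege": "SeDebugPrivilege"},
]


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev: Dict) -> List[str]:
    """Rule names this single event triggers; empty when it looks benign."""
    hits: List[str] = []
    if ev["type"] == "FileCreate" and LEGACY_SYSTEM_EXE.match(ev["target"]):
        hits.append("legacy_system_dir_exe_write")
    if ev["type"] == "ProcessCreate" and LEGACY_SYSTEM_EXE.match(ev["image"]):
        hits.append("legacy_system_dir_exe_exec")
    if (ev["type"] == "TokenAdjust" and ev.get("privilege") == "SeLockMemoryPrivilege"
            and image_name(ev["image"]) not in LOCK_MEMORY_ALLOWLIST):
        hits.append("lock_memory_privilege_unexpected_image")
    return hits


def correlate(events: Iterable[Dict]) -> Dict[int, List[str]]:
    """Rule hits grouped by the PID responsible, so the dropper (which writes the
    files and adjusts its own token) and each launched copy show up separately."""
    by_pid: Dict[int, List[str]] = {}
    for ev in events:
        for rule in check_event(ev):
            by_pid.setdefault(ev["pid"], []).append(rule)
    return by_pid


if __name__ == "__main__":
    for pid, rules in sorted(correlate(EVENTS).items()):
        print(pid, rules)
```

The path rule carries the weight here: the names are random and the hashes differ per drop (see the Files listing), but the drop location does not change, and a fresh executable under C:\Windows\System is abnormal on any supported Windows build.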
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2284-0-0x000000013FA10000-0x000000013FD61000-memory.dmp
memory/2284-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\ldIkQsO.exe
| MD5 | 651481c8f957d7971824ea97f2c21d8e |
| SHA1 | 6af55930081e98330c6492355db7f8b9082a8759 |
| SHA256 | e4f5b7f4c80d0af16bbad1b9fd273c55550055cf5d1c402b839f97668b29011f |
| SHA512 | 0650fba7f2786dd5e80519517e79afb3c46cbd3b124301c3b34f0efdb654281d037f82a56a64d13af92effcd14cdffc6699fdbb812270f773e9b898074f103d9 |
memory/2876-7-0x000000013F360000-0x000000013F6B1000-memory.dmp
memory/2284-5-0x000000013F360000-0x000000013F6B1000-memory.dmp
C:\Windows\system\jZZPzCQ.exe
| MD5 | 137028657b2b49a8863ad550d4e2a08c |
| SHA1 | 72c24b7e934fc21d2887d1df53277f5035b6d0bf |
| SHA256 | 4f302e76ba1f3036cf4334dfe0d5aaf1c3c9cf109e77f1a16e8a830f7821902c |
| SHA512 | 69c4384befbe3cb8c459fa96a74d277b34e8e4472ffd3088a1adf0011b82fa1804c5553624de878ed712b075147e61fbea7efebca006b201793257380433aae6 |
memory/2360-16-0x000000013F140000-0x000000013F491000-memory.dmp
\Windows\system\XLanwMr.exe
| MD5 | 8408a1fbd0ba2d282a6f104f87792138 |
| SHA1 | 51b2200ef48a013472a6b4a93917e74969dea2d7 |
| SHA256 | 2fbbed44f51f7c5cf10495da989a019b7a16d68e793d8f2c85a796ef2406e4c3 |
| SHA512 | 06063f31bcf1ca73c3d1967697078cb1faa08aaa65f88b8ade2a8b395f7badf29ff355e8da30a7686f5ffcd1f5be2060a4469a4d1963e730c9d0e5bc705604f0 |
memory/2284-15-0x000000013F140000-0x000000013F491000-memory.dmp
memory/2740-23-0x000000013F9D0000-0x000000013FD21000-memory.dmp
\Windows\system\TwIGjwV.exe
| MD5 | fc481451f3b597b863cd76a63db68689 |
| SHA1 | 18fa1b9d343f3e887fc70eca2b19de414501d761 |
| SHA256 | 4f2da30fcb6ab2185b28ed1545a7bc240ad983c65663bf343ccb1e6053360225 |
| SHA512 | d4da7a847f0377f783146b53dbf89557d2bd1dcd94ffd72a950b44feb38de4cedda1104d0ca6ee96f1129675ea0d83588a0f55cc23abf8ad89d72b5a8ce2be7b |
memory/2284-28-0x00000000023B0000-0x0000000002701000-memory.dmp
memory/2624-29-0x000000013F820000-0x000000013FB71000-memory.dmp
memory/2284-21-0x00000000023B0000-0x0000000002701000-memory.dmp
C:\Windows\system\QORVmmY.exe
| MD5 | b0040a993d519e8074f9cc53f0a65739 |
| SHA1 | f325f855a5ea58cf2ead24a78ef6e17e04e633f4 |
| SHA256 | d2dcd28425d24672936b6c38b874fa5064d79c6b41342fcc89ebbc13dd09adf7 |
| SHA512 | 92317554d131bdd400e87e893adeb699bd8bc0da76ec7ee95962d52598adcbe566f684adba97d2e620db32b911f67cfdf3503dea9c1d83a1b3fbe755f57d03c5 |
memory/2364-36-0x000000013FCD0000-0x0000000140021000-memory.dmp
C:\Windows\system\qEanfdY.exe
| MD5 | e6e31d1af0cc8ca678f50300d6b89e0d |
| SHA1 | 6d531c514391e04389c847aa823d6e0d661f599c |
| SHA256 | 33b0fdfe46d8a3d7000ba26ca86677a7b1b4a7cc0148c9fd1d14b4397016ae73 |
| SHA512 | 4f69270d7c7369c26a906c2654aa29915d4562355f97cd3e22495a910d00c9221bc3419450929307423671453025077bef286eeb5af0b84fe48e037797b9322c |
memory/2284-34-0x00000000023B0000-0x0000000002701000-memory.dmp
memory/2876-56-0x000000013F360000-0x000000013F6B1000-memory.dmp
memory/568-51-0x000000013F340000-0x000000013F691000-memory.dmp
C:\Windows\system\fzPtDIJ.exe
| MD5 | c03e9525e9ed041a13cb60b3a5ccc0c1 |
| SHA1 | ee1fcb3a29ba4d30428d7d78f15b637e6c17dd4c |
| SHA256 | 001c6efa978db5f08c089e8e9f0519ce15fcf21936e0ea4c62c3d47a96297925 |
| SHA512 | 34c74c6ad53ed819c99946ea22a4437e3e65911d51d7ef708b8e711d7b57b855b7d446991dd187175a01073d13e8366ad1e0072d3bf95356a1c5065627c08a63 |
memory/2284-48-0x000000013FA10000-0x000000013FD61000-memory.dmp
memory/2284-71-0x00000000023B0000-0x0000000002701000-memory.dmp
\Windows\system\qshehft.exe
| MD5 | 4135418813dc43519510d41631f38f16 |
| SHA1 | 2edcaa50580572993f331879d230dff3d49e0ea1 |
| SHA256 | 79ef65cf3db5cb9fe7765b168963af260d7476e005ef6e4b292aea17dd5ac9d4 |
| SHA512 | 655c46236c602edbabca65dcba14247e32d6d4e893b01bca1bfa054f35d9ae0a53b64f356a0ef7e3f06cfb9d6ece5ac3b37e33f70633a84d6534c8e5ba639bc2 |
memory/2804-72-0x000000013F790000-0x000000013FAE1000-memory.dmp
memory/2624-85-0x000000013F820000-0x000000013FB71000-memory.dmp
\Windows\system\XgOEPXs.exe
| MD5 | 2e793b56993819a71077a44489348230 |
| SHA1 | c58fc21eedfab2317af45dfd8010d1a62e38c0ef |
| SHA256 | 4d7984ec4be98b950a62764c42e3b01343ffdd013863264aa2d58ef6053fcef8 |
| SHA512 | e45a1775e292819f0e6a902e1464d23740fbaa17260d60001abbf3bb31d1cbf7e6194b0f32f8a01bf0ae150758d0f68fa5d7ce7e17b60bb9ffc1c6795008c9e3 |
memory/2284-101-0x000000013FE20000-0x0000000140171000-memory.dmp
memory/364-102-0x000000013FE20000-0x0000000140171000-memory.dmp
C:\Windows\system\DLhOLQx.exe
| MD5 | 268ee41a699745798c47479882afbbe7 |
| SHA1 | e5c4e29249bab5578783729a5fdd9225280f2e4b |
| SHA256 | a545420c95086a65b95c2d22093570eb86a95be08c2ddd04a9a3a9a7d78df722 |
| SHA512 | 0384672f2274c10674164058128863e203f6482764f548985fb5dc2e901277ae579cd40d890d7425dbc666b306292e247e3a15196695f95ec85e9c404dd45b37 |
C:\Windows\system\XGtxCON.exe
| MD5 | 7620eb64154e62d47fb0ef60fbf84a47 |
| SHA1 | 4b1ab22860c1a433c734de4033724ad5a15be2f5 |
| SHA256 | faf49851a37a96da22d0e1a673146ad7787d6bf40a6d754e566125322e113feb |
| SHA512 | aa2b6bedaa38b1fa675552eba5edd0cbfc982f42156bd7fd41352c9436c4021fe84c8373a419877d44266834626440d11d8e27d7fe7ff01b2fbf95e44f4ce83b |
C:\Windows\system\HAlekrH.exe
| MD5 | 0bad23bc4860a9285f5f0fc25cb7b8f9 |
| SHA1 | 6f8fd9064badc0767eb50ac22cdf9999e4ba7a76 |
| SHA256 | 78a2e30219605d6a83d655d2078358f95c47bfa057e7c8f82bcc5e31eb95e78a |
| SHA512 | 3f6d10c1fc9ef1ef1990730a661ea75c3927b18efbc48bb829cca35f1f7541b10ac5493ee28366975889b0ff31b874310559409ee03390552a75ae0f5eeb73e5 |
C:\Windows\system\FFQsmaX.exe
| MD5 | 5ec752649eca18a769b96c020c528e8c |
| SHA1 | 6e3382659138545c26381939419e22f4ffe5b909 |
| SHA256 | 7a74c46a47b740a580d31301a2ded57ba8f0dc81c0119dcbe0b596b16d8ea60b |
| SHA512 | 7b58f93feacc44f8b2c57d1dadc723e75dc4e51944a061cfd233adf33a004a835e029a57bf221dc04eef78e05b29c077752e5538bf66bad43235a2406f92a4f7 |
\Windows\system\mjgbcgO.exe
| MD5 | b4cf68d1e6611281d707c6feff293c0c |
| SHA1 | 0306b579ca8f32d097d10fb291d0f3f3b748dfbc |
| SHA256 | fc22eba9cfa37d999e62c9b15b490b9bcb7bc0e8beeeb48970585e7de59203d7 |
| SHA512 | bbf42beeeb98dcd73ef013ec28032f3ca07c0942cb824a5547ff212709bc9cc6742a4fc83f1b47237d47f6488cf274e706226c17a1917fc0223bfb9cd3e62cbc |
C:\Windows\system\UGBXSJq.exe
| MD5 | 4d64abb35f3570866a88720913f38e78 |
| SHA1 | cff65c965953d5d923f4a612460f184186f83fb9 |
| SHA256 | 8965245bf2c2765e53b0a8c1ba2f414274a1353ba6f4737cb0af0a698fbcad55 |
| SHA512 | a4c71d3e5de0195084eeae885d37d142b013fa8e89141b1699113b9faf1e493a23e52580873d200f0f3261681a48f52ddafc06a49706b9da5b22a14350851394 |
C:\Windows\system\toyYnod.exe
| MD5 | ec9453494948a6e77ae2bd5c2e9c538a |
| SHA1 | d8e1100d6360d08ad9d97ded598f6dabcc1eb718 |
| SHA256 | 86480cd806ef65d15f9a2f99d527a82c19f969f150372c007797c749ec19b216 |
| SHA512 | 523057e553f41598290a16211a3c29592ec99c3fe97d2debd756747677f455580b36220f1b12cc448b89ba140a0a3a4388e0ee59c23f536adf789ae9f718c78f |
memory/2284-106-0x000000013F370000-0x000000013F6C1000-memory.dmp
memory/2548-105-0x000000013F5D0000-0x000000013F921000-memory.dmp
C:\Windows\system\emqHUbN.exe
| MD5 | 852e5e78c090eb5a47404da337a4c247 |
| SHA1 | 4be0f451291369307d2f32837a35de8ab204381f |
| SHA256 | eca6429f4b9d05dc11c2181b0ac9c7ecfdbb96dface6a195d4ed389c70d980af |
| SHA512 | fd2a04f974aa757553b9e0da86694184b2f2df4c953c2d4c4e06227cf3c3c5aacde7cf0e59d40926ff0131779fafaf9de4c05e432ec8c0761a1ce7a559095ea7 |
memory/2284-93-0x000000013FED0000-0x0000000140221000-memory.dmp
memory/2864-100-0x000000013FED0000-0x0000000140221000-memory.dmp
memory/2364-99-0x000000013FCD0000-0x0000000140021000-memory.dmp
memory/2284-145-0x000000013F0E0000-0x000000013F431000-memory.dmp
memory/2688-146-0x000000013F0E0000-0x000000013F431000-memory.dmp
memory/2284-141-0x000000013FA10000-0x000000013FD61000-memory.dmp
memory/1532-80-0x000000013F150000-0x000000013F4A1000-memory.dmp
memory/2284-79-0x000000013F150000-0x000000013F4A1000-memory.dmp
memory/2740-78-0x000000013F9D0000-0x000000013FD21000-memory.dmp
C:\Windows\system\tiwkrkQ.exe
| MD5 | e54d2e11e3fbe89f46aad79a98d7ab47 |
| SHA1 | c189d76d2aa0df90364fb07583310a92ac851a9e |
| SHA256 | 6479ead1a193561fa6b3a36b803fdb01942e6ce269049cfea7d37aa41f6b6f26 |
| SHA512 | e1c7d92e196e3eaa8bbcc747ae1eefc54e1cd74152444a65856faa7c50a74308d89d5c224c4375e5a82edbe6c17f7952c6f222d6a7ad0485d7a6ab50378b1242 |
memory/2060-87-0x000000013F110000-0x000000013F461000-memory.dmp
memory/2284-86-0x000000013F110000-0x000000013F461000-memory.dmp
C:\Windows\system\WeMCWHX.exe
| MD5 | d45e3d3ac0f0bd835b43567eb58cb9aa |
| SHA1 | c77b9b456c526d05e7501b47d772e42e3418798d |
| SHA256 | 2a487ad7fcd489ced3e806078ac5272bcc4801fadd250a3e5d4571e3591bef0e |
| SHA512 | 0e134480c362ee694a05353dc5fe1c454e02aa38b50bcef15f2973e8a8cda0deda29964c3707671fd395c6226491c5780964b5129f4fd43ed3171bd4baae091e |
memory/2588-65-0x000000013F570000-0x000000013F8C1000-memory.dmp
memory/2284-64-0x000000013F570000-0x000000013F8C1000-memory.dmp
C:\Windows\system\kksdCQq.exe
| MD5 | a747e499a0bf6525f9468337af5255f7 |
| SHA1 | 762889580940873059be708ae88e8da80c73eba2 |
| SHA256 | 612b94924998bda7e9eca2cba1f501cf8b31153993e08a897ea5084c3cb3c6ff |
| SHA512 | 4c24be5c3697334d7437643cd244063acc526794962f85d8e9bb70546d40ccb4f63a379dc2a4d9b02b1408b5efdb11fb5301bbdf0c650feffdbfe7dcee5d9ca2 |
memory/2688-58-0x000000013F0E0000-0x000000013F431000-memory.dmp
memory/2284-57-0x000000013F0E0000-0x000000013F431000-memory.dmp
memory/2864-156-0x000000013FED0000-0x0000000140221000-memory.dmp
memory/1652-160-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2284-159-0x000000013F570000-0x000000013F8C1000-memory.dmp
memory/572-158-0x000000013F370000-0x000000013F6C1000-memory.dmp
memory/364-157-0x000000013FE20000-0x0000000140171000-memory.dmp
memory/2060-155-0x000000013F110000-0x000000013F461000-memory.dmp
memory/1532-154-0x000000013F150000-0x000000013F4A1000-memory.dmp
memory/2804-153-0x000000013F790000-0x000000013FAE1000-memory.dmp
memory/2588-152-0x000000013F570000-0x000000013F8C1000-memory.dmp
C:\Windows\system\bpEbmEt.exe
| MD5 | 53403a7f0cc9c3b2c8e0c08ec7bcafef |
| SHA1 | d5b85395f60fb502d202cda2fb66189c14c234de |
| SHA256 | 1f48425061526890e43258a0468a5131ab814ce2b02d54bcb4578763815bc594 |
| SHA512 | 174a20f116e32855a8b9ede7cf3f64002b557edd83dfad67c33ebe93d829023f9f5154a2c2468a74f30974a78e104d2c492a030f156b4ca4b2943d72337370d5 |
memory/2548-42-0x000000013F5D0000-0x000000013F921000-memory.dmp
memory/2284-41-0x000000013F5D0000-0x000000013F921000-memory.dmp
memory/1788-163-0x000000013FCF0000-0x0000000140041000-memory.dmp
memory/1172-165-0x000000013FBB0000-0x000000013FF01000-memory.dmp
memory/2352-164-0x000000013F6D0000-0x000000013FA21000-memory.dmp
memory/2100-162-0x000000013FA90000-0x000000013FDE1000-memory.dmp
memory/2760-161-0x000000013FC40000-0x000000013FF91000-memory.dmp
memory/2284-166-0x000000013F150000-0x000000013F4A1000-memory.dmp
memory/2284-167-0x000000013FA10000-0x000000013FD61000-memory.dmp
memory/2284-174-0x000000013F110000-0x000000013F461000-memory.dmp
memory/2284-188-0x000000013FED0000-0x0000000140221000-memory.dmp
memory/2284-191-0x000000013F370000-0x000000013F6C1000-memory.dmp
memory/2876-220-0x000000013F360000-0x000000013F6B1000-memory.dmp
memory/2360-222-0x000000013F140000-0x000000013F491000-memory.dmp
memory/2740-224-0x000000013F9D0000-0x000000013FD21000-memory.dmp
memory/2624-226-0x000000013F820000-0x000000013FB71000-memory.dmp
memory/2364-228-0x000000013FCD0000-0x0000000140021000-memory.dmp
memory/2548-230-0x000000013F5D0000-0x000000013F921000-memory.dmp
memory/568-232-0x000000013F340000-0x000000013F691000-memory.dmp
memory/2688-234-0x000000013F0E0000-0x000000013F431000-memory.dmp
memory/2588-236-0x000000013F570000-0x000000013F8C1000-memory.dmp
memory/2804-238-0x000000013F790000-0x000000013FAE1000-memory.dmp
memory/1532-240-0x000000013F150000-0x000000013F4A1000-memory.dmp
memory/2060-247-0x000000013F110000-0x000000013F461000-memory.dmp
memory/364-249-0x000000013FE20000-0x0000000140171000-memory.dmp
memory/2864-252-0x000000013FED0000-0x0000000140221000-memory.dmp
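Added example (not the sandbox's own code): a parser for the Files listing above and the two checks worth running on it. Across the full listing every dropped file carries a different MD5/SHA256, while every image-sized memory region is exactly 0x351000 bytes long, so a hash blocklist buys little against this dropper and the mapped-image size and cross-process region overlaps are the better pivots. The excerpt is copied from the listing (SHA1/SHA512 rows left out for brevity; the parser accepts them); treating drive-less paths as being on C: is an assumption.

```python
"""Turn the report's Files section into usable IOCs and check what the raw
listing hides: whether any dropped file shares a hash with another, how many
distinct image sizes the memory dumps show, and which regions recur across PIDs."""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Excerpt copied from the Files section of behavioral1 (SHA1/SHA512 rows dropped).
REPORT_EXCERPT = r"""
memory/2284-0-0x000000013FA10000-0x000000013FD61000-memory.dmp
memory/2284-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\ldIkQsO.exe
| MD5 | 651481c8f957d7971824ea97f2c21d8e |
| SHA256 | e4f5b7f4c80d0af16bbad1b9fd273c55550055cf5d1c402b839f97668b29011f |
memory/2876-7-0x000000013F360000-0x000000013F6B1000-memory.dmp
memory/2284-5-0x000000013F360000-0x000000013F6B1000-memory.dmp
C:\Windows\system\jZZPzCQ.exe
| MD5 | 137028657b2b49a8863ad550d4e2a08c |
| SHA256 | 4f302e76ba1f3036cf4334dfe0d5aaf1c3c9cf109e77f1a16e8a830f7821902c |
memory/2360-16-0x000000013F140000-0x000000013F491000-memory.dmp
\Windows\system\XLanwMr.exe
| MD5 | 8408a1fbd0ba2d282a6f104f87792138 |
| SHA256 | 2fbbed44f51f7c5cf10495da989a019b7a16d68e793d8f2c85a796ef2406e4c3 |
memory/2284-15-0x000000013F140000-0x000000013F491000-memory.dmp
memory/2740-23-0x000000013F9D0000-0x000000013FD21000-memory.dmp
"""

MEMORY_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def normalize_path(path: str) -> str:
    # Assumption: the sandbox system drive is C:, so "\Windows\..." is "C:\Windows\...".
    return "C:" + path if path.startswith("\\") else path


def parse_files_section(text: str) -> Tuple[Dict[str, Dict[str, str]], List[dict]]:
    """Return ({path: {algo: hex}}, [memory region dicts]) from a Files listing.
    Any line that is neither a memory dump name nor a hash row starts a new file."""
    files: Dict[str, Dict[str, str]] = {}
    regions: List[dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEMORY_RE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            lo, hi = int(start, 16), int(end, 16)
            regions.append({"pid": int(pid), "seq": int(seq), "start": lo, "end": hi, "size": hi - lo})
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            files[current][m.group(1).upper()] = m.group(2).lower()
            continue
        current = normalize_path(line)
        files.setdefault(current, {})
    return files, regions


def image_region_sizes(regions: List[dict]) -> Dict[int, int]:
    """How many dumped regions have each size: one dominant size across many
    PIDs means the same-sized image is being mapped over and over."""
    return dict(Counter(r["size"] for r in regions))


def shared_regions(regions: List[dict]) -> Dict[Tuple[int, int], List[int]]:
    """(start, end) ranges present in more than one PID: the cross-process
    overlaps to inspect first when WriteProcessMemory is flagged."""
    seen: Dict[Tuple[int, int], set] = {}
    for r in regions:
        seen.setdefault((r["start"], r["end"]), set()).add(r["pid"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


def blocklist(files: Dict[str, Dict[str, str]], algo: str = "SHA256") -> List[str]:
    """Deduplicated hash list for an EDR/AV blocklist. Expect one entry per
    dropped file: in this report no two drops share a hash."""
    return sorted({h[algo] for h in files.values() if algo in h})


if __name__ == "__main__":
    files, regions = parse_files_section(REPORT_EXCERPT)
    for path, hashes in files.items():
        print(path, hashes.get("SHA256"))
    print("region sizes:", {hex(k): v for k, v in image_region_sizes(regions).items()})
    print("shared across PIDs:", {(hex(a), hex(b)): p for (a, b), p in shared_regions(regions).items()})
    print("blocklist entries:", len(blocklist(files)))
```

On the excerpt the parser finds three files with three distinct hashes, six regions of 0x351000 bytes plus the dropper's small 0x10000 region, and two ranges that the dropper (PID 2284) shares with a child process. Whether those shared ranges are the dropper reading back the file it wrote or an injection target is not decided by this listing alone; they are the places to diff first.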
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 12:09
Reported
2024-08-13 12:11
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader (21 rows; Description, Indicator, Process and Target not recorded)
Cobaltstrike
xmrig
XMRig Miner payload (45 rows; Description, Indicator, Process and Target not recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\SiToZwP.exe | N/A |
| N/A | N/A | C:\Windows\System\nPMAmGW.exe | N/A |
| N/A | N/A | C:\Windows\System\mJvJNtQ.exe | N/A |
| N/A | N/A | C:\Windows\System\CodfVmo.exe | N/A |
| N/A | N/A | C:\Windows\System\paARHIo.exe | N/A |
| N/A | N/A | C:\Windows\System\mmqqqAv.exe | N/A |
| N/A | N/A | C:\Windows\System\fKoAGiW.exe | N/A |
| N/A | N/A | C:\Windows\System\LigrwTw.exe | N/A |
| N/A | N/A | C:\Windows\System\myPjnDx.exe | N/A |
| N/A | N/A | C:\Windows\System\sZINHrg.exe | N/A |
| N/A | N/A | C:\Windows\System\HzDPBmu.exe | N/A |
| N/A | N/A | C:\Windows\System\elmYXZH.exe | N/A |
| N/A | N/A | C:\Windows\System\zvhhvtd.exe | N/A |
| N/A | N/A | C:\Windows\System\RkZbWBl.exe | N/A |
| N/A | N/A | C:\Windows\System\IbtCsVu.exe | N/A |
| N/A | N/A | C:\Windows\System\BBHhwcw.exe | N/A |
| N/A | N/A | C:\Windows\System\YtvEbdC.exe | N/A |
| N/A | N/A | C:\Windows\System\YUgqxlX.exe | N/A |
| N/A | N/A | C:\Windows\System\kXsGRbs.exe | N/A |
| N/A | N/A | C:\Windows\System\SfVVOvC.exe | N/A |
| N/A | N/A | C:\Windows\System\VNtJybB.exe | N/A |
UPX packed file (64 rows; Description, Indicator, Process and Target not recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-13_ffe990742aa4bb00b11729f5f0353853_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\SiToZwP.exe
C:\Windows\System\SiToZwP.exe
C:\Windows\System\nPMAmGW.exe
C:\Windows\System\nPMAmGW.exe
C:\Windows\System\mJvJNtQ.exe
C:\Windows\System\mJvJNtQ.exe
C:\Windows\System\CodfVmo.exe
C:\Windows\System\CodfVmo.exe
C:\Windows\System\paARHIo.exe
C:\Windows\System\paARHIo.exe
C:\Windows\System\mmqqqAv.exe
C:\Windows\System\mmqqqAv.exe
C:\Windows\System\fKoAGiW.exe
C:\Windows\System\fKoAGiW.exe
C:\Windows\System\LigrwTw.exe
C:\Windows\System\LigrwTw.exe
C:\Windows\System\myPjnDx.exe
C:\Windows\System\myPjnDx.exe
C:\Windows\System\sZINHrg.exe
C:\Windows\System\sZINHrg.exe
C:\Windows\System\HzDPBmu.exe
C:\Windows\System\HzDPBmu.exe
C:\Windows\System\elmYXZH.exe
C:\Windows\System\elmYXZH.exe
C:\Windows\System\zvhhvtd.exe
C:\Windows\System\zvhhvtd.exe
C:\Windows\System\RkZbWBl.exe
C:\Windows\System\RkZbWBl.exe
C:\Windows\System\IbtCsVu.exe
C:\Windows\System\IbtCsVu.exe
C:\Windows\System\BBHhwcw.exe
C:\Windows\System\BBHhwcw.exe
C:\Windows\System\YtvEbdC.exe
C:\Windows\System\YtvEbdC.exe
C:\Windows\System\YUgqxlX.exe
C:\Windows\System\YUgqxlX.exe
C:\Windows\System\kXsGRbs.exe
C:\Windows\System\kXsGRbs.exe
C:\Windows\System\SfVVOvC.exe
C:\Windows\System\SfVVOvC.exe
C:\Windows\System\VNtJybB.exe
C:\Windows\System\VNtJybB.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 16.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | | udp |
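Added example (not part of the report): triage of the behavioral2 Network table above, separating analysis-VM background from traffic that needs explaining. The in-addr.arpa queries are reverse lookups, and two of them resolve to IPs this very table shows being contacted over 443 (204.79.197.237 and 150.171.28.10, both Bing); the six TCP connections to 3.120.209.58:8080 have no forward or reverse DNS at all and are the same endpoint the Windows 7 run contacted. The rows are transcribed from the table; the Bing allow-list is an assumption about this sandbox image.

```python
"""Separate the sample's own traffic from sandbox background noise in the
behavioral2 Network table: reverse lookups of Microsoft IPs and Bing traffic
are the analysis VM; repeated direct-to-IP TCP on a non-standard port is not."""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Rows transcribed from the behavioral2 table as (country, destination, domain,
# proto); an empty domain means the report recorded none.
ROWS: List[Tuple[str, str, str, str]] = [
    ("US", "8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "204.79.197.237:443", "g.bing.com", "tcp"),
    ("US", "8.8.8.8:53", "16.53.126.40.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "237.197.79.204.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "183.59.114.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "206.23.85.13.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "147.142.123.92.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "30.243.111.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "150.171.28.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "150.171.28.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "150.171.28.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "150.171.28.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "150.171.28.10:443", "tse1.mm.bing.net", "tcp"),
    ("US", "8.8.8.8:53", "10.28.171.150.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "", "udp"),
]
# Assumed OS/browser background for this sandbox image; tune for your own.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")


def ptr_to_ip(name: str) -> Optional[str]:
    """'237.197.79.204.in-addr.arpa' -> '204.79.197.237'; None if not a PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        return None
    return ".".join(reversed(octets))


def triage(rows: List[Tuple[str, str, str, str]]) -> Dict:
    """Bucket each row: PTR lookups of IPs we saw connected to, other PTRs,
    allow-listed background, direct-to-IP TCP with no name, unresolved DNS."""
    tcp_dest_ips = {dest.rsplit(":", 1)[0] for _, dest, _, proto in rows if proto == "tcp"}
    out: Dict = {"direct_ip": Counter(), "ptr_of_seen_dest": [], "ptr_other": [],
                 "background": Counter(), "unresolved_dns": 0, "other": []}
    for _country, dest, domain, proto in rows:
        ip = ptr_to_ip(domain)
        if ip is not None:
            out["ptr_of_seen_dest" if ip in tcp_dest_ips else "ptr_other"].append(ip)
        elif domain.endswith(BACKGROUND_SUFFIXES):
            out["background"][domain] += 1
        elif proto == "tcp" and not domain:
            out["direct_ip"][dest] += 1      # connection with no name resolution at all
        elif dest.endswith(":53") and not domain:
            out["unresolved_dns"] += 1
        else:
            out["other"].append((dest, domain, proto))
    return out


def candidate_c2(rows: List[Tuple[str, str, str, str]]) -> List[str]:
    """Destinations reached directly by IP more than once and never named in DNS."""
    return [dest for dest, n in triage(rows)["direct_ip"].items() if n > 1]


if __name__ == "__main__":
    result = triage(ROWS)
    print("direct-to-IP:", dict(result["direct_ip"]))
    print("PTR of contacted hosts:", result["ptr_of_seen_dest"])
    print("background:", dict(result["background"]))
    print("candidate C2:", candidate_c2(ROWS))
```

The sandbox's DNS server (8.8.8.8) and the Bing endpoints are the VM's own chatter; 3.120.209.58:8080 is the only destination left once that is removed, and it is the one to block and hunt for in proxy and flow logs. The sample connected to it on both Windows 7 and Windows 10, which is a point in favour of it being hard-coded rather than environment-dependent.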
Files
memory/2088-0-0x00007FF6F0280000-0x00007FF6F05D1000-memory.dmp
memory/2088-1-0x000001B592690000-0x000001B5926A0000-memory.dmp
C:\Windows\System\SiToZwP.exe
| MD5 | 2892b56daae9d4e99cff0f2b8ea7c689 |
| SHA1 | 160c02a3e725d3db397cd56ec762d136d4ace392 |
| SHA256 | 568599c65755470079a52c155ab69a07b7caf388c21fb62abf8b403f56a1ab6c |
| SHA512 | 71cf95e4d3428cb960165364b8c945999e734c7ee3c7a15a8c87e93a79f8ff0571162411361d8e3c69cccf6df3ad6905b1777b813867b8c5a2b50cc9e5fc1d53 |
memory/2060-8-0x00007FF694710000-0x00007FF694A61000-memory.dmp
C:\Windows\System\nPMAmGW.exe
| MD5 | 1354cdc3e27d1ad98ee673cecb5d18f0 |
| SHA1 | 63632e3ce12999db0ffb7964f8d2a95ad5ff1e5a |
| SHA256 | 469d555165cad8cb8b6aa7ea137fddaee711a2e9daa7bf936bfc772066df3736 |
| SHA512 | 5ad89ae70fd0e86544ee0d187acd9d2f76dda348f96c3511948f8d7a6f9fe22369376b7540d67975cdf6bbbc7b050fae80060c9f458b725e08864a77670cf9d3 |
C:\Windows\System\mJvJNtQ.exe
| MD5 | c4a5f7dd44d2dbdfb1d6a440dc4be0ca |
| SHA1 | 6439b41e89eaa448a41fdd93008be0c430b8d4c8 |
| SHA256 | fee4c192b38ba07bafff9293212357b778fca2f38c836dc63cacb564b48337d6 |
| SHA512 | 93a2b937c1345b1059cc06662a05fdc218502d86c75bf83913189f14ab06dfa7b150cdabf08318ee493e6a8d139971837cb6723760d791b217f5cac5fc41d24b |
memory/3636-15-0x00007FF7D6B90000-0x00007FF7D6EE1000-memory.dmp
memory/548-20-0x00007FF74A6A0000-0x00007FF74A9F1000-memory.dmp
C:\Windows\System\CodfVmo.exe
| MD5 | 3abab93a5a9ce44336377b53b9a405b9 |
| SHA1 | 5c2095407fa6ad6a357d91337dca305eecc85252 |
| SHA256 | 8ccdba1d9fdee39b03fc02b1672a1c8504989d0a51b15d44ce1f304a95111f31 |
| SHA512 | 69e825a33524d638a2e0519de4902898f9adc7ca88d8730d8d41c6fe505cb29d42de26fd3b451691554a0077e4ef7d379efeb53ac96f6461edcaa275ead31f5d |
C:\Windows\System\paARHIo.exe
| MD5 | 47dedc20477f48c3411fcf6772c9a27c |