Analysis Overview
SHA256
10b8f937fa5a8a7330af46da1b66d2345971560741562184ac6f662defee5702
Threat Level: Known bad
The file 2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
XMRig Miner payload
Cobaltstrike
xmrig
Cobalt Strike reflective loader
Cobaltstrike family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-08-14 21:28
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-14 21:28
Reported
2024-08-14 21:31
Platform
win7-20240708-en
Max time kernel
140s
Max time network
148s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\HEHzlXS.exe | N/A |
| N/A | N/A | C:\Windows\System\gKrkxog.exe | N/A |
| N/A | N/A | C:\Windows\System\yFpElDK.exe | N/A |
| N/A | N/A | C:\Windows\System\SzxYeTG.exe | N/A |
| N/A | N/A | C:\Windows\System\EvWHlsj.exe | N/A |
| N/A | N/A | C:\Windows\System\mKguZWY.exe | N/A |
| N/A | N/A | C:\Windows\System\OqOXUwa.exe | N/A |
| N/A | N/A | C:\Windows\System\orsNwIo.exe | N/A |
| N/A | N/A | C:\Windows\System\DMWwCaj.exe | N/A |
| N/A | N/A | C:\Windows\System\eaAVcKd.exe | N/A |
| N/A | N/A | C:\Windows\System\AOxRUtV.exe | N/A |
| N/A | N/A | C:\Windows\System\xzlhFDN.exe | N/A |
| N/A | N/A | C:\Windows\System\XbDfJVE.exe | N/A |
| N/A | N/A | C:\Windows\System\anOFzNr.exe | N/A |
| N/A | N/A | C:\Windows\System\PzFtQGD.exe | N/A |
| N/A | N/A | C:\Windows\System\NLRXMkv.exe | N/A |
| N/A | N/A | C:\Windows\System\mshZYzR.exe | N/A |
| N/A | N/A | C:\Windows\System\ISFXVdG.exe | N/A |
| N/A | N/A | C:\Windows\System\CApeJMH.exe | N/A |
| N/A | N/A | C:\Windows\System\fbOGPDE.exe | N/A |
| N/A | N/A | C:\Windows\System\BBPkxau.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\HEHzlXS.exe
C:\Windows\System\gKrkxog.exe
C:\Windows\System\yFpElDK.exe
C:\Windows\System\SzxYeTG.exe
C:\Windows\System\EvWHlsj.exe
C:\Windows\System\mKguZWY.exe
C:\Windows\System\OqOXUwa.exe
C:\Windows\System\orsNwIo.exe
C:\Windows\System\DMWwCaj.exe
C:\Windows\System\AOxRUtV.exe
C:\Windows\System\eaAVcKd.exe
C:\Windows\System\xzlhFDN.exe
C:\Windows\System\XbDfJVE.exe
C:\Windows\System\anOFzNr.exe
C:\Windows\System\PzFtQGD.exe
C:\Windows\System\NLRXMkv.exe
C:\Windows\System\mshZYzR.exe
C:\Windows\System\ISFXVdG.exe
C:\Windows\System\CApeJMH.exe
C:\Windows\System\fbOGPDE.exe
C:\Windows\System\BBPkxau.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-14 21:28
Reported
2024-08-14 21:31
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
151s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\QBgxgzv.exe | N/A |
| N/A | N/A | C:\Windows\System\hTXsLiz.exe | N/A |
| N/A | N/A | C:\Windows\System\qhjtcrc.exe | N/A |
| N/A | N/A | C:\Windows\System\AHjMpGW.exe | N/A |
| N/A | N/A | C:\Windows\System\AgNrxgb.exe | N/A |
| N/A | N/A | C:\Windows\System\BDUJXLJ.exe | N/A |
| N/A | N/A | C:\Windows\System\jhGcwBm.exe | N/A |
| N/A | N/A | C:\Windows\System\sVIAweI.exe | N/A |
| N/A | N/A | C:\Windows\System\JJFyCkg.exe | N/A |
| N/A | N/A | C:\Windows\System\rypzvGD.exe | N/A |
| N/A | N/A | C:\Windows\System\BRskxnO.exe | N/A |
| N/A | N/A | C:\Windows\System\rAHOZuW.exe | N/A |
| N/A | N/A | C:\Windows\System\xaYwFuV.exe | N/A |
| N/A | N/A | C:\Windows\System\zLftRCy.exe | N/A |
| N/A | N/A | C:\Windows\System\LkEmJpz.exe | N/A |
| N/A | N/A | C:\Windows\System\xuaspev.exe | N/A |
| N/A | N/A | C:\Windows\System\kCGitLH.exe | N/A |
| N/A | N/A | C:\Windows\System\AHmeCrg.exe | N/A |
| N/A | N/A | C:\Windows\System\RphQpQP.exe | N/A |
| N/A | N/A | C:\Windows\System\ZoMrxAT.exe | N/A |
| N/A | N/A | C:\Windows\System\jintMzA.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_e47bd7181d56e9ddd9767ec24280e17e_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\QBgxgzv.exe
C:\Windows\System\hTXsLiz.exe
C:\Windows\System\qhjtcrc.exe
C:\Windows\System\AHjMpGW.exe
C:\Windows\System\AgNrxgb.exe
C:\Windows\System\BDUJXLJ.exe
C:\Windows\System\jhGcwBm.exe
C:\Windows\System\sVIAweI.exe
C:\Windows\System\JJFyCkg.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4112,i,9445584274764997943,12714240264001792460,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:8
C:\Windows\System\rypzvGD.exe
C:\Windows\System\BRskxnO.exe
C:\Windows\System\xaYwFuV.exe
C:\Windows\System\rAHOZuW.exe
C:\Windows\System\zLftRCy.exe
C:\Windows\System\LkEmJpz.exe
C:\Windows\System\xuaspev.exe
C:\Windows\System\kCGitLH.exe
C:\Windows\System\AHmeCrg.exe
C:\Windows\System\RphQpQP.exe
C:\Windows\System\ZoMrxAT.exe
C:\Windows\System\jintMzA.exe
Network
Files
C:\Windows\System\jintMzA.exe
| MD5 | 305238969b1a4627680ce5a0737b1628 |
| SHA1 | 0a16fbbf20af6f2b6202e6a4c3947f0956b9aafc |
| SHA256 | edc7bdfe8c2a7b58d16274d5f68d51d18634540a4da908cb577b17389d4672db |
| SHA512 | d649b983e3795f624a4a62a01099a47e408ec382eb3f6eea3a3e1a8a0d2a8c03ed29f4d683ed271ce3604ae18f561d8f624848a5da58fcdd6ae93112d1d27739 |
memory/456-119-0x00007FF73ADF0000-0x00007FF73B141000-memory.dmp
memory/1984-118-0x00007FF668C30000-0x00007FF668F81000-memory.dmp
memory/3468-112-0x00007FF71EAD0000-0x00007FF71EE21000-memory.dmp
C:\Windows\System\RphQpQP.exe
| MD5 | ec579c046b9b2c328e3bdf4928209da7 |
| SHA1 | 53a6e7e81a06127743a60f5012458614695f8911 |
| SHA256 | d075bd2d911bc1cbf17f0517da9c05c6a33c70a4d8b643f7e17c437b1e33c9ff |
| SHA512 | 93f96b04ba24ef9f0cbd7f0b61f5192744ccf9e378b071cb6f39a6af9d9de6d3f7fa688130d394a33b9ef0714efb1bb03d1f950727356713b55c208ff8b4ad56 |
memory/2520-101-0x00007FF7E2DA0000-0x00007FF7E30F1000-memory.dmp
memory/1596-99-0x00007FF7FF110000-0x00007FF7FF461000-memory.dmp
memory/4812-94-0x00007FF670590000-0x00007FF6708E1000-memory.dmp
C:\Windows\System\zLftRCy.exe
| MD5 | 2dc8220ddb092d1b0eb11e33d29b1fbc |
| SHA1 | 05fbb440fcadb56a04267e28d08674a63318b82e |
| SHA256 | 35bd0ea876cc5022c086c6fa5ec1eee22f3054a15c89564a99e9bf33ca1bd23c |
| SHA512 | 7505ee587c7000ccd68d0c82639f5831f2392528a25ac9f3d31d30df535f192ac7fe489933cb00e6f598da0aab3903360900fdb1e608205b78b9ba78acbec663 |
C:\Windows\System\xaYwFuV.exe
| MD5 | 18605f94e586782ec66b3528bdc9374a |
| SHA1 | fa74ac79df401a7e571549ca70f0fc61220a5061 |
| SHA256 | d38e16b5b3aee1b03ff07ad982e4dbb5f5641e4ac5e3399e63477b09695c100e |
| SHA512 | a059520e84e836eadf12eb695914ab465113c7e69cf3a76237258c1ba61de94f7470cee093de887e8d5c49f8cba5ad9f1794385f6a8cd7626af6a1df4f945d39 |
memory/4908-85-0x00007FF76E710000-0x00007FF76EA61000-memory.dmp
C:\Windows\System\BRskxnO.exe
| MD5 | 5e2a98f7fec85232b2bd915e92211070 |
| SHA1 | 0448f702df880d0449e3ddb16516b802a4969b33 |
| SHA256 | a471d656f7eb6e6cb41300ad0443d2c9148a8d1c21a95f2540d9bac1843df9ed |
| SHA512 | c2389bca6d51651e545dd884f9178071f95452060ea9114d3442658be53781705cc3bb9b27b943f6731e9d03b3e5ffaa3de1b79351ed927c2bf417dea2a71c6c |
memory/3952-74-0x00007FF694B60000-0x00007FF694EB1000-memory.dmp
memory/1152-73-0x00007FF7973B0000-0x00007FF797701000-memory.dmp
memory/3088-65-0x00007FF7A2780000-0x00007FF7A2AD1000-memory.dmp
memory/2812-127-0x00007FF60B8C0000-0x00007FF60BC11000-memory.dmp
memory/3732-136-0x00007FF74F890000-0x00007FF74FBE1000-memory.dmp
memory/2544-135-0x00007FF798C70000-0x00007FF798FC1000-memory.dmp
memory/3724-137-0x00007FF7368C0000-0x00007FF736C11000-memory.dmp
memory/4044-134-0x00007FF613E50000-0x00007FF6141A1000-memory.dmp
memory/3268-130-0x00007FF7D7810000-0x00007FF7D7B61000-memory.dmp
memory/2344-128-0x00007FF6F2E50000-0x00007FF6F31A1000-memory.dmp
memory/1100-133-0x00007FF7544C0000-0x00007FF754811000-memory.dmp
memory/4588-131-0x00007FF7B9FC0000-0x00007FF7BA311000-memory.dmp
memory/3732-126-0x00007FF74F890000-0x00007FF74FBE1000-memory.dmp
memory/1956-138-0x00007FF6736A0000-0x00007FF6739F1000-memory.dmp
memory/3952-142-0x00007FF694B60000-0x00007FF694EB1000-memory.dmp
memory/1596-144-0x00007FF7FF110000-0x00007FF7FF461000-memory.dmp
memory/3468-146-0x00007FF71EAD0000-0x00007FF71EE21000-memory.dmp
memory/456-150-0x00007FF73ADF0000-0x00007FF73B141000-memory.dmp
memory/2520-145-0x00007FF7E2DA0000-0x00007FF7E30F1000-memory.dmp
memory/4908-141-0x00007FF76E710000-0x00007FF76EA61000-memory.dmp
memory/1152-140-0x00007FF7973B0000-0x00007FF797701000-memory.dmp
memory/3088-139-0x00007FF7A2780000-0x00007FF7A2AD1000-memory.dmp
memory/3732-151-0x00007FF74F890000-0x00007FF74FBE1000-memory.dmp
memory/2812-198-0x00007FF60B8C0000-0x00007FF60BC11000-memory.dmp
memory/2344-199-0x00007FF6F2E50000-0x00007FF6F31A1000-memory.dmp
memory/1720-203-0x00007FF7C4A10000-0x00007FF7C4D61000-memory.dmp
memory/3268-202-0x00007FF7D7810000-0x00007FF7D7B61000-memory.dmp
memory/4588-208-0x00007FF7B9FC0000-0x00007FF7BA311000-memory.dmp
memory/4044-206-0x00007FF613E50000-0x00007FF6141A1000-memory.dmp
memory/1100-211-0x00007FF7544C0000-0x00007FF754811000-memory.dmp
memory/1976-210-0x00007FF6DE700000-0x00007FF6DEA51000-memory.dmp
memory/2544-214-0x00007FF798C70000-0x00007FF798FC1000-memory.dmp
memory/3088-216-0x00007FF7A2780000-0x00007FF7A2AD1000-memory.dmp
memory/1152-218-0x00007FF7973B0000-0x00007FF797701000-memory.dmp
memory/4908-224-0x00007FF76E710000-0x00007FF76EA61000-memory.dmp
memory/3952-222-0x00007FF694B60000-0x00007FF694EB1000-memory.dmp
memory/4812-221-0x00007FF670590000-0x00007FF6708E1000-memory.dmp
memory/1956-228-0x00007FF6736A0000-0x00007FF6739F1000-memory.dmp
memory/2520-238-0x00007FF7E2DA0000-0x00007FF7E30F1000-memory.dmp
memory/1984-237-0x00007FF668C30000-0x00007FF668F81000-memory.dmp
memory/3468-235-0x00007FF71EAD0000-0x00007FF71EE21000-memory.dmp
memory/1596-233-0x00007FF7FF110000-0x00007FF7FF461000-memory.dmp
memory/456-231-0x00007FF73ADF0000-0x00007FF73B141000-memory.dmp
memory/3724-226-0x00007FF7368C0000-0x00007FF736C11000-memory.dmp