Analysis Overview
SHA256
f9890e500017842ef38ae3a3c923e7cef669f9a2a495f127e0b708e0629a8639
Threat Level: Known bad
The file 2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobaltstrike
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-14 21:20
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-14 21:20
Reported
2024-08-14 21:23
Platform
win7-20240729-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\CupArAq.exe | N/A |
| N/A | N/A | C:\Windows\System\IiswCcs.exe | N/A |
| N/A | N/A | C:\Windows\System\lTuUesp.exe | N/A |
| N/A | N/A | C:\Windows\System\vPczCsa.exe | N/A |
| N/A | N/A | C:\Windows\System\stnXumI.exe | N/A |
| N/A | N/A | C:\Windows\System\JyzeMlv.exe | N/A |
| N/A | N/A | C:\Windows\System\mANJUoA.exe | N/A |
| N/A | N/A | C:\Windows\System\PcjdWZb.exe | N/A |
| N/A | N/A | C:\Windows\System\SrZXdEF.exe | N/A |
| N/A | N/A | C:\Windows\System\sMoeIYJ.exe | N/A |
| N/A | N/A | C:\Windows\System\kzJmFBp.exe | N/A |
| N/A | N/A | C:\Windows\System\PhthMmy.exe | N/A |
| N/A | N/A | C:\Windows\System\dkBoNoO.exe | N/A |
| N/A | N/A | C:\Windows\System\wfGIFjn.exe | N/A |
| N/A | N/A | C:\Windows\System\DQawMLa.exe | N/A |
| N/A | N/A | C:\Windows\System\JbWwINU.exe | N/A |
| N/A | N/A | C:\Windows\System\gspsYwc.exe | N/A |
| N/A | N/A | C:\Windows\System\SestRjd.exe | N/A |
| N/A | N/A | C:\Windows\System\wecqzFc.exe | N/A |
| N/A | N/A | C:\Windows\System\fypniOZ.exe | N/A |
| N/A | N/A | C:\Windows\System\eYrAkYz.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\CupArAq.exe | C:\Windows\System\CupArAq.exe |
| C:\Windows\System\IiswCcs.exe | C:\Windows\System\IiswCcs.exe |
| C:\Windows\System\lTuUesp.exe | C:\Windows\System\lTuUesp.exe |
| C:\Windows\System\vPczCsa.exe | C:\Windows\System\vPczCsa.exe |
| C:\Windows\System\stnXumI.exe | C:\Windows\System\stnXumI.exe |
| C:\Windows\System\JyzeMlv.exe | C:\Windows\System\JyzeMlv.exe |
| C:\Windows\System\PcjdWZb.exe | C:\Windows\System\PcjdWZb.exe |
| C:\Windows\System\mANJUoA.exe | C:\Windows\System\mANJUoA.exe |
| C:\Windows\System\SrZXdEF.exe | C:\Windows\System\SrZXdEF.exe |
| C:\Windows\System\sMoeIYJ.exe | C:\Windows\System\sMoeIYJ.exe |
| C:\Windows\System\kzJmFBp.exe | C:\Windows\System\kzJmFBp.exe |
| C:\Windows\System\PhthMmy.exe | C:\Windows\System\PhthMmy.exe |
| C:\Windows\System\dkBoNoO.exe | C:\Windows\System\dkBoNoO.exe |
| C:\Windows\System\wfGIFjn.exe | C:\Windows\System\wfGIFjn.exe |
| C:\Windows\System\DQawMLa.exe | C:\Windows\System\DQawMLa.exe |
| C:\Windows\System\JbWwINU.exe | C:\Windows\System\JbWwINU.exe |
| C:\Windows\System\gspsYwc.exe | C:\Windows\System\gspsYwc.exe |
| C:\Windows\System\SestRjd.exe | C:\Windows\System\SestRjd.exe |
| C:\Windows\System\wecqzFc.exe | C:\Windows\System\wecqzFc.exe |
| C:\Windows\System\fypniOZ.exe | C:\Windows\System\fypniOZ.exe |
| C:\Windows\System\eYrAkYz.exe | C:\Windows\System\eYrAkYz.exe |
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-14 21:20
Reported
2024-08-14 21:23
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\GeRfKai.exe | N/A |
| N/A | N/A | C:\Windows\System\dRmwEMh.exe | N/A |
| N/A | N/A | C:\Windows\System\ULdznCs.exe | N/A |
| N/A | N/A | C:\Windows\System\dXGJXTL.exe | N/A |
| N/A | N/A | C:\Windows\System\IckSQUC.exe | N/A |
| N/A | N/A | C:\Windows\System\MPdSaTH.exe | N/A |
| N/A | N/A | C:\Windows\System\ZNYNOPl.exe | N/A |
| N/A | N/A | C:\Windows\System\NPyFZyV.exe | N/A |
| N/A | N/A | C:\Windows\System\UcZnKeH.exe | N/A |
| N/A | N/A | C:\Windows\System\EnFnRcm.exe | N/A |
| N/A | N/A | C:\Windows\System\HTpLswk.exe | N/A |
| N/A | N/A | C:\Windows\System\PIpYAUh.exe | N/A |
| N/A | N/A | C:\Windows\System\jtRAhuA.exe | N/A |
| N/A | N/A | C:\Windows\System\ZsMnLOK.exe | N/A |
| N/A | N/A | C:\Windows\System\CoCuPRC.exe | N/A |
| N/A | N/A | C:\Windows\System\SGKBQxP.exe | N/A |
| N/A | N/A | C:\Windows\System\xsvjtSP.exe | N/A |
| N/A | N/A | C:\Windows\System\XbWtZIj.exe | N/A |
| N/A | N/A | C:\Windows\System\iEUDqYt.exe | N/A |
| N/A | N/A | C:\Windows\System\uqXRXLe.exe | N/A |
| N/A | N/A | C:\Windows\System\iRrXsjQ.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-14_aee166a4d3f20d04a52bda276a93e292_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\GeRfKai.exe | C:\Windows\System\GeRfKai.exe |
| C:\Windows\System\dRmwEMh.exe | C:\Windows\System\dRmwEMh.exe |
| C:\Windows\System\ULdznCs.exe | C:\Windows\System\ULdznCs.exe |
| C:\Windows\System\dXGJXTL.exe | C:\Windows\System\dXGJXTL.exe |
| C:\Windows\System\IckSQUC.exe | C:\Windows\System\IckSQUC.exe |
| C:\Windows\System\MPdSaTH.exe | C:\Windows\System\MPdSaTH.exe |
| C:\Windows\System\ZNYNOPl.exe | C:\Windows\System\ZNYNOPl.exe |
| C:\Windows\System\NPyFZyV.exe | C:\Windows\System\NPyFZyV.exe |
| C:\Windows\System\UcZnKeH.exe | C:\Windows\System\UcZnKeH.exe |
| C:\Windows\System\EnFnRcm.exe | C:\Windows\System\EnFnRcm.exe |
| C:\Windows\System\HTpLswk.exe | C:\Windows\System\HTpLswk.exe |
| C:\Windows\System\PIpYAUh.exe | C:\Windows\System\PIpYAUh.exe |
| C:\Windows\System\jtRAhuA.exe | C:\Windows\System\jtRAhuA.exe |
| C:\Windows\System\ZsMnLOK.exe | C:\Windows\System\ZsMnLOK.exe |
| C:\Windows\System\CoCuPRC.exe | C:\Windows\System\CoCuPRC.exe |
| C:\Windows\System\SGKBQxP.exe | C:\Windows\System\SGKBQxP.exe |
| C:\Windows\System\xsvjtSP.exe | C:\Windows\System\xsvjtSP.exe |
| C:\Windows\System\XbWtZIj.exe | C:\Windows\System\XbWtZIj.exe |
| C:\Windows\System\iEUDqYt.exe | C:\Windows\System\iEUDqYt.exe |
| C:\Windows\System\uqXRXLe.exe | C:\Windows\System\uqXRXLe.exe |
| C:\Windows\System\iRrXsjQ.exe | C:\Windows\System\iRrXsjQ.exe |
Network
Files
C:\Windows\System\CoCuPRC.exe
| MD5 | 952142da55992aa04ed8f832f997562b |
| SHA1 | 94832f3545ef4bf9005fe99d19d35dcde0c52f94 |
| SHA256 | 3bb98dde345c262ddcaf30f72279629a3018dd15d6a385066106d6225b22ca85 |
| SHA512 | c313d237cf6408aad8bb80333171d628637a1301bb0a5489dabcd9e256d2fb58a919f2410df927f7c817148a975d2bc107d8c6b74f61ba30e5d8f9db62594714 |
C:\Windows\System\ZsMnLOK.exe
| MD5 | 695544269052ed22acf0ee9fccaf3d0f |
| SHA1 | 288397003cdfde7975117f5f55e4c53521a7458c |
| SHA256 | ed72af5d6c6674e42f8e9e8c986814a5e468b5b7cf77321f497affc8c48a9243 |
| SHA512 | 0c169282b1049aa70d7fa8a67cc217efd9ff4b1fbcccbde048b828e27afbbad2a2530138a2e8eefa7364ee6309b36ba5c73e1d08a0db27748110999acfd7f26d |
C:\Windows\System\PIpYAUh.exe
| MD5 | eec773a7465593c4a06b1ba0104584f2 |
| SHA1 | 91b92361f296ea70eb6a8db1b5f67548ca829d86 |
| SHA256 | f299fb16a0869fd6158fc1e5b28920dc997f0c3e0b8af03d80d66a9f4a8f06fa |
| SHA512 | eb7d53ab260fff26a837dcfd016bd65284c6238cfcfd131c8fa6c5918f7eee85d8d0a9b6ab1c86a19739ff460e04f4aa974a880ee30c53966fba683449eaf37a |
C:\Windows\System\HTpLswk.exe
| MD5 | 999c596113074ae064169392f2a637a5 |
| SHA1 | 137e38d28ee22f50ece5cf71bea9f06bd7365279 |
| SHA256 | 6b70417c3bd520c9403d5e172f6d4ce8031700cd0eb527411112deee62e7e188 |
| SHA512 | 1558c4d02e21e4f7645faa20c6eb684aea627ba570ab6b452ac0d3b017715730d26d5492be0eca2367516bca76a1a658801b3c9a5d85991acf1b369462f206b3 |
memory/1964-64-0x00007FF69C630000-0x00007FF69C981000-memory.dmp
memory/2596-63-0x00007FF7C97C0000-0x00007FF7C9B11000-memory.dmp
memory/5036-59-0x00007FF68AD20000-0x00007FF68B071000-memory.dmp
C:\Windows\System\NPyFZyV.exe
| MD5 | 47c46c269809f095bd24ed8d245f562c |
| SHA1 | 76cda4e171ee6e5e18f3ef96374d7026d0410c2c |
| SHA256 | 3d319822201bbaaa4ae26487eb33fd634c001e9e7d2328e9e3c9ce3815b010ce |
| SHA512 | 02383278be66f6b362da8242837c431c012d77a716718392b5b8b00a04270838741ff32d85a74044a51d9c6c24b7e47d533cb2db6ac3a7b1bdc75f5919882b8a |
memory/212-48-0x00007FF63EBF0000-0x00007FF63EF41000-memory.dmp
memory/940-32-0x00007FF6B5780000-0x00007FF6B5AD1000-memory.dmp
memory/1524-118-0x00007FF6AF950000-0x00007FF6AFCA1000-memory.dmp
memory/552-119-0x00007FF6EC160000-0x00007FF6EC4B1000-memory.dmp
memory/2520-121-0x00007FF734660000-0x00007FF7349B1000-memory.dmp
memory/1544-123-0x00007FF7232A0000-0x00007FF7235F1000-memory.dmp
memory/1668-125-0x00007FF75CC30000-0x00007FF75CF81000-memory.dmp
memory/4528-126-0x00007FF68A040000-0x00007FF68A391000-memory.dmp
memory/2424-127-0x00007FF602420000-0x00007FF602771000-memory.dmp
memory/1220-128-0x00007FF64D590000-0x00007FF64D8E1000-memory.dmp
memory/1984-124-0x00007FF7134E0000-0x00007FF713831000-memory.dmp
memory/4776-122-0x00007FF6D5E60000-0x00007FF6D61B1000-memory.dmp
memory/4352-120-0x00007FF774500000-0x00007FF774851000-memory.dmp
memory/3616-131-0x00007FF6DD2F0000-0x00007FF6DD641000-memory.dmp
memory/1964-139-0x00007FF69C630000-0x00007FF69C981000-memory.dmp
memory/2596-140-0x00007FF7C97C0000-0x00007FF7C9B11000-memory.dmp
memory/2616-135-0x00007FF6C0C30000-0x00007FF6C0F81000-memory.dmp
memory/4308-132-0x00007FF7636A0000-0x00007FF7639F1000-memory.dmp
memory/940-134-0x00007FF6B5780000-0x00007FF6B5AD1000-memory.dmp
memory/700-133-0x00007FF610B30000-0x00007FF610E81000-memory.dmp
memory/1524-129-0x00007FF6AF950000-0x00007FF6AFCA1000-memory.dmp
memory/1524-151-0x00007FF6AF950000-0x00007FF6AFCA1000-memory.dmp
memory/3580-201-0x00007FF7E1770000-0x00007FF7E1AC1000-memory.dmp
memory/3616-203-0x00007FF6DD2F0000-0x00007FF6DD641000-memory.dmp
memory/4308-205-0x00007FF7636A0000-0x00007FF7639F1000-memory.dmp
memory/700-207-0x00007FF610B30000-0x00007FF610E81000-memory.dmp
memory/940-209-0x00007FF6B5780000-0x00007FF6B5AD1000-memory.dmp
memory/2616-211-0x00007FF6C0C30000-0x00007FF6C0F81000-memory.dmp
memory/212-213-0x00007FF63EBF0000-0x00007FF63EF41000-memory.dmp
memory/5036-215-0x00007FF68AD20000-0x00007FF68B071000-memory.dmp
memory/3660-217-0x00007FF7D59E0000-0x00007FF7D5D31000-memory.dmp
memory/1964-219-0x00007FF69C630000-0x00007FF69C981000-memory.dmp
memory/2596-221-0x00007FF7C97C0000-0x00007FF7C9B11000-memory.dmp
memory/552-223-0x00007FF6EC160000-0x00007FF6EC4B1000-memory.dmp
memory/4352-234-0x00007FF774500000-0x00007FF774851000-memory.dmp
memory/4776-237-0x00007FF6D5E60000-0x00007FF6D61B1000-memory.dmp
memory/2520-238-0x00007FF734660000-0x00007FF7349B1000-memory.dmp
memory/1544-240-0x00007FF7232A0000-0x00007FF7235F1000-memory.dmp
memory/1984-242-0x00007FF7134E0000-0x00007FF713831000-memory.dmp
memory/1668-244-0x00007FF75CC30000-0x00007FF75CF81000-memory.dmp
memory/4528-246-0x00007FF68A040000-0x00007FF68A391000-memory.dmp
memory/2424-248-0x00007FF602420000-0x00007FF602771000-memory.dmp
memory/1220-250-0x00007FF64D590000-0x00007FF64D8E1000-memory.dmp