Analysis Overview
SHA256
614233b5e50372848f77dbeea5484975f0933abeb96124801397c2918ab477a9
Threat Level: Known bad
The file 2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
xmrig
XMRig Miner payload
Cobalt Strike reflective loader
Cobaltstrike
Cobaltstrike family
XMRig Miner payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-14 21:23
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-14 21:23
Reported
2024-08-14 21:25
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\OzrORBx.exe | N/A |
| N/A | N/A | C:\Windows\System\wGoHHIM.exe | N/A |
| N/A | N/A | C:\Windows\System\EebEoVM.exe | N/A |
| N/A | N/A | C:\Windows\System\jzDjCMs.exe | N/A |
| N/A | N/A | C:\Windows\System\iijXHPa.exe | N/A |
| N/A | N/A | C:\Windows\System\ukjSniC.exe | N/A |
| N/A | N/A | C:\Windows\System\bzOVeAk.exe | N/A |
| N/A | N/A | C:\Windows\System\rXFmJUz.exe | N/A |
| N/A | N/A | C:\Windows\System\ZnWfJaP.exe | N/A |
| N/A | N/A | C:\Windows\System\QCiVaYK.exe | N/A |
| N/A | N/A | C:\Windows\System\dBqIuaf.exe | N/A |
| N/A | N/A | C:\Windows\System\nigEBMX.exe | N/A |
| N/A | N/A | C:\Windows\System\gZMNeRC.exe | N/A |
| N/A | N/A | C:\Windows\System\LIRLenV.exe | N/A |
| N/A | N/A | C:\Windows\System\bDgwqLh.exe | N/A |
| N/A | N/A | C:\Windows\System\WGImGiN.exe | N/A |
| N/A | N/A | C:\Windows\System\DlkOXGs.exe | N/A |
| N/A | N/A | C:\Windows\System\giHwwJu.exe | N/A |
| N/A | N/A | C:\Windows\System\WowAWxd.exe | N/A |
| N/A | N/A | C:\Windows\System\aRELhyd.exe | N/A |
| N/A | N/A | C:\Windows\System\fgZHZhF.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\OzrORBx.exe
C:\Windows\System\OzrORBx.exe
C:\Windows\System\wGoHHIM.exe
C:\Windows\System\wGoHHIM.exe
C:\Windows\System\EebEoVM.exe
C:\Windows\System\EebEoVM.exe
C:\Windows\System\jzDjCMs.exe
C:\Windows\System\jzDjCMs.exe
C:\Windows\System\iijXHPa.exe
C:\Windows\System\iijXHPa.exe
C:\Windows\System\ukjSniC.exe
C:\Windows\System\ukjSniC.exe
C:\Windows\System\bzOVeAk.exe
C:\Windows\System\bzOVeAk.exe
C:\Windows\System\rXFmJUz.exe
C:\Windows\System\rXFmJUz.exe
C:\Windows\System\ZnWfJaP.exe
C:\Windows\System\ZnWfJaP.exe
C:\Windows\System\QCiVaYK.exe
C:\Windows\System\QCiVaYK.exe
C:\Windows\System\dBqIuaf.exe
C:\Windows\System\dBqIuaf.exe
C:\Windows\System\nigEBMX.exe
C:\Windows\System\nigEBMX.exe
C:\Windows\System\gZMNeRC.exe
C:\Windows\System\gZMNeRC.exe
C:\Windows\System\LIRLenV.exe
C:\Windows\System\LIRLenV.exe
C:\Windows\System\bDgwqLh.exe
C:\Windows\System\bDgwqLh.exe
C:\Windows\System\WGImGiN.exe
C:\Windows\System\WGImGiN.exe
C:\Windows\System\DlkOXGs.exe
C:\Windows\System\DlkOXGs.exe
C:\Windows\System\giHwwJu.exe
C:\Windows\System\giHwwJu.exe
C:\Windows\System\WowAWxd.exe
C:\Windows\System\WowAWxd.exe
C:\Windows\System\fgZHZhF.exe
C:\Windows\System\fgZHZhF.exe
C:\Windows\System\aRELhyd.exe
C:\Windows\System\aRELhyd.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/5104-0-0x00007FF65CDE0000-0x00007FF65D131000-memory.dmp
memory/5104-1-0x0000024551930000-0x0000024551940000-memory.dmp
C:\Windows\System\OzrORBx.exe
| MD5 | 9b0f98f21605468f44710db0e742fdb3 |
| SHA1 | a08cecd4b68a42da0d8ef77663f417ed32930d31 |
| SHA256 | 4ccd7c79c81303d1255e8c4395f4fc573e70b91ed5becf6b7aaf9454fa377358 |
| SHA512 | b11da14ca240b8b3feda03c4ce72712f8d4d640f66d0b9c3f580ded3ab69e42dbf66ed5c96d5be97a11ba13ea8a5adecb329932738ea58bad0a4f62e1284b3ef |
memory/828-10-0x00007FF60B7E0000-0x00007FF60BB31000-memory.dmp
C:\Windows\System\wGoHHIM.exe
| MD5 | fd5fe0f088f7044ecee704be88ea928d |
| SHA1 | c2db757af03b14f0f20c1a412b54748f81992f47 |
| SHA256 | 14c320bae32d780af64e3df6e3bc83b8e9aec075592052218f57aae592aae9cc |
| SHA512 | a9c92fdd5fb1a9c51a85dd43ffcc023e20e1548ddb1da602e8444e597114fc6066724e06d166175ce8df0b27867c458e56c72378be1bf73e82465b8260adacd2 |
C:\Windows\System\jzDjCMs.exe
| MD5 | b526fbfcc1547bd7020c9b53f8e4b4db |
| SHA1 | 75c858a0f02e08fd6b2992dff307bf8b1fbb5348 |
| SHA256 | 40e3ef47f33ee16356bd2a51477a3cd35cb2dd441f2af853aa13154a4d508ec1 |
| SHA512 | b0be21b2ad0e268441abbf555b884d66eb590a104b5df2d9edac0f8c7982b1a46607214443d61aef06ad90764d4965b86e46e37af2d04ef1ad7ac189ad04b4fb |
memory/4376-23-0x00007FF6F1970000-0x00007FF6F1CC1000-memory.dmp
C:\Windows\System\EebEoVM.exe
| MD5 | 35007a25bca19ef42d037ba9a134d790 |
| SHA1 | 222033eee7fca0ad79c66aafd3faf84381d63173 |
| SHA256 | f737ec262257a18db47d5d8c333744afcc9fcf32c30075c66106a7db5d231c1d |
| SHA512 | ebae774c144ca95ddf59299ea1354e83d2467919c10cce7b32341df5e5892d0f17c41cbec5ff91fa97cf24ac5bf6b441b8bd3bf63161198818f6b9afc1ac19b5 |
memory/1600-21-0x00007FF79B140000-0x00007FF79B491000-memory.dmp
memory/1040-16-0x00007FF61DC60000-0x00007FF61DFB1000-memory.dmp
C:\Windows\System\iijXHPa.exe
| MD5 | ff10b15414efe70d269f09e3c17e44e9 |
| SHA1 | 5655a8448aa7e986ec90894b6dd7eb8bf096119f |
| SHA256 | 43eea3c4b1ad952dbbb599c8f64fde4c106a229401edbbd0673efb6c057946a7 |
| SHA512 | 23380b66ac055dd704410dc3266016ec38b4ffa0f815ccbed75cfc4cbb8938c130d78fe4be07188fc3edf77e937c25d58927e45a742c8b56d5d6abcee6202959 |
C:\Windows\System\ukjSniC.exe
| MD5 | c114200f7db4a78956a4bdcee5e3aaee |
| SHA1 | e89c85bf54f9489a4d15af0f1cbfd1cb993f9bd4 |
| SHA256 | e279ce39ba10fd0f824140759fe16fed0673adbfc03e9c7e9ca4f9a62a290e4a |
| SHA512 | 13c2cbd18fdec8beb041da358c4c77f5a5de5826a12c954737c627696451ce66ff2f49a65f722796e2b042646f4a5adfeed9d6474d3269ff82cd50f3bf839860 |
memory/4756-31-0x00007FF76C330000-0x00007FF76C681000-memory.dmp
memory/972-37-0x00007FF7B3EE0000-0x00007FF7B4231000-memory.dmp
C:\Windows\System\bzOVeAk.exe
| MD5 | ef1e9146fdb568a8a533a8bbc0394cc4 |
| SHA1 | 668db20e9163b27875db2e2dee2a59dba552286c |
| SHA256 | 5bb20dd852ed7c830ece9cb333084d4484b168be47e50637e98c3267c49406dd |
| SHA512 | f4b280675772ccaaaaa07d3cc9edd7658e7c7ba5457a382b9b00f3f6494928cd6380e3ca66a5454f5e9168c2f9d86c1487a244e161624b24075e153c87ab28e1 |
memory/4228-44-0x00007FF64CA90000-0x00007FF64CDE1000-memory.dmp
C:\Windows\System\rXFmJUz.exe
| MD5 | fac4c6a8805acee762781f27bfd37395 |
| SHA1 | c9b4c2c4f065d0673124523d4c42febf42d93d02 |
| SHA256 | 737e629de8c8c3f983ea53b3d75cf9b74fe97b50836dcd362ec2116e2344da9b |
| SHA512 | 485f368aa9d261d5559351e5e5741cfa95feb6192998bea2dbea17a7f63573e346b7cc8c303d1e25b548371b89035045d8e6bc2b2bb7e84d342768b0c8aa354a |
memory/2228-50-0x00007FF6DAC70000-0x00007FF6DAFC1000-memory.dmp
C:\Windows\System\ZnWfJaP.exe
| MD5 | c352140102b37b84979e0b91cd1b6c42 |
| SHA1 | 1b7f3a51682dbc1f8e221b98b4a75be2a30668b3 |
| SHA256 | 1d0614c6ca711f41f55980e3d3bb432ca6dead6732136ae6d26c6e4b82cf5cb1 |
| SHA512 | 800f4e2f69f52304a84dc35126bd1f0a76e46fa081ad4acdf544591e40e9ba5b17fc80ee053d1c599915b909f203c6a92ff29c9849379954129ea09b5d48a659 |
memory/1192-56-0x00007FF600E50000-0x00007FF6011A1000-memory.dmp
C:\Windows\System\QCiVaYK.exe
| MD5 | b93f9bf1b7ef4f16eae6c2d95456a5d8 |
| SHA1 | ac715d3711ec4b0559934d79a1cf82af98e74042 |
| SHA256 | 97094005b6d3035eeb6b2cee010bf010ebd6f97a1048b0ef03341792da08e7ab |
| SHA512 | 42159a045dfc8fd782ee52e538b60bd4630ec6b0813e0342befcba8fe62f40fddaad9ff7113b0999387c16e92ec78716b405e6b463ac952f09e4cece9f74e8a1 |
C:\Windows\System\dBqIuaf.exe
| MD5 | 6d508af3e9cbdb100b99058a61aa5471 |
| SHA1 | 72b1a3e29b098ffd4f3921142db778b51a724471 |
| SHA256 | 19604a49580c5eb1310a8970b09fc3febbafa6785a199c7d84fd8d7c8989384e |
| SHA512 | abbdb291821e361496c4e8884cef9be98c788d331556bbdcdedd9a40b0fdaa15cfe02c34c2f32c5a54649a006450eb8cc11041bae14c8e8bdc0f2469a54af210 |
memory/5104-75-0x00007FF65CDE0000-0x00007FF65D131000-memory.dmp
memory/4920-76-0x00007FF674FD0000-0x00007FF675321000-memory.dmp
memory/828-85-0x00007FF60B7E0000-0x00007FF60BB31000-memory.dmp
C:\Windows\System\LIRLenV.exe
| MD5 | 78fe256792bf3c16d59e25164c8087cd |
| SHA1 | a4565614c453ca26355bcc15b95fef5a1965d83e |
| SHA256 | 4a7ef8803bd0400f94fa4ab58d7cc216d7ce843ef12d18a4bb5fe9d1cd6c8d13 |
| SHA512 | 298a84abadfbfaac377c51ae313b80a1ff6a78b8891a605cb88161c1a86f91000ef3d279494a95cfed1f93c5303070c768214f3e319c712e16d692ad754eecc3 |
memory/4740-86-0x00007FF7C9470000-0x00007FF7C97C1000-memory.dmp
memory/5116-84-0x00007FF769C40000-0x00007FF769F91000-memory.dmp
C:\Windows\System\gZMNeRC.exe
| MD5 | 80ea1cb707401f718ad38f239c569648 |
| SHA1 | 4b8aabaf10e6858e758b915f6d015d3a1b23268b |
| SHA256 | 0747c86f6ae9b0ecd8fa4a47c4843e413b8a004a649c8ad0540d4edc9c30b99d |
| SHA512 | ac8c24e9d2e1bdd6db62d646fa6b52e57be594b16ef9bc4f1228fbafd5bd8dd78589dccfd705b4484e35021fcb8081f5ebcddfd3577f01eec09695f62532241d |
memory/4172-79-0x00007FF661970000-0x00007FF661CC1000-memory.dmp
C:\Windows\System\nigEBMX.exe
| MD5 | 4e96412b35a44abe68f1f700c3a10847 |
| SHA1 | 44d7ec31a2a5b95e33103a5c5de46b5c95993622 |
| SHA256 | 40eafebdb0999106498825151a0345771c0b9b43ebe9ab41a7c1c2ba243c691d |
| SHA512 | f89f4216eda2d61e87a6e2060396a9f6f7415b9696e6026856bdeefc5abde74f4268d0b762650dd0dd2885a33cbce4b497d5b72f5b7ce7def0460a37f1f011a0 |
memory/2648-64-0x00007FF695220000-0x00007FF695571000-memory.dmp
memory/4376-103-0x00007FF6F1970000-0x00007FF6F1CC1000-memory.dmp
C:\Windows\System\giHwwJu.exe
| MD5 | 2e9e251cd3c6abe1d28fc21857a4307e |
| SHA1 | 73173d5206e53071021593dd8ee5dd578406a7a8 |
| SHA256 | 75f7e5d01758c21fd21a45d145579c4cc3b4d6bd105e988249e537411718ea1f |
| SHA512 | 1c998c590b8173024ee6729238e5fdbfa6befc17c2186663cc73f6b207fd6a3a9e91bcb8679e7cebbaa55c6270d744c541bcf5fc979d036197c8abb5869ed5d2 |
C:\Windows\System\WowAWxd.exe
| MD5 | 5ae619ec26ca88146b65bc48337316cf |
| SHA1 | 13be319a7822110e7a5067f68368a15e82a891a1 |
| SHA256 | b851542825f65c49697b228208cfe8ff9b0efd2b3a5304886b7dcc92287d429a |
| SHA512 | 6eba1a6797d1a24af7ff40446f04c4ca7b4d8492fb926bff1bef94ac3992a8fa06a033c62349a93a858d2ecef06df3b9c0f2ebe1670462cd5f562015a557e921 |
memory/3964-110-0x00007FF6588D0000-0x00007FF658C21000-memory.dmp
memory/212-109-0x00007FF6566E0000-0x00007FF656A31000-memory.dmp
C:\Windows\System\fgZHZhF.exe
| MD5 | 44aad26b5511cc29c55f6bba327ffdf4 |
| SHA1 | 6fdc98c90d87dca5f89da6723f8ec55f5687470d |
| SHA256 | d95ae8f75c7a66a22b6509ab019f11980d67af44eb5226fc853761a9300127af |
| SHA512 | 555ebff71b5a5783bf3b5dde7aaad0a4fc1645ebbd0199927ffd00eb1c2fbf3894e1cb7b0ef94c148c8deb8d85aa18fa49f001e36900c8f15fbbc4f91ddc4bf0 |
memory/2140-131-0x00007FF6D2C10000-0x00007FF6D2F61000-memory.dmp
memory/2228-134-0x00007FF6DAC70000-0x00007FF6DAFC1000-memory.dmp
memory/3280-133-0x00007FF642B70000-0x00007FF642EC1000-memory.dmp
memory/972-129-0x00007FF7B3EE0000-0x00007FF7B4231000-memory.dmp
memory/2420-128-0x00007FF692910000-0x00007FF692C61000-memory.dmp
C:\Windows\System\aRELhyd.exe
| MD5 | c498c7318980e84f97bea0ce36c95349 |
| SHA1 | d61615e7d9a24235854075f3f1f4d7382ff89e83 |
| SHA256 | a0df93fe3735811fc037f750132ae04ef70b6fc58aea6526eca7499b6d92a8da |
| SHA512 | 1b2f911043d69b20cc194be167fd00bf28213ed7d2154fbb01327ed58d6d4f4e1575151569d1d021d19bcb470bf0369d2c10a4a098fab55bd6c63bd7b6af0e71 |
memory/4696-120-0x00007FF770D40000-0x00007FF771091000-memory.dmp
C:\Windows\System\DlkOXGs.exe
| MD5 | 9db71973617b98f3b3cdd8825dbaafed |
| SHA1 | b8fd64c158430227f76d48e74d14d64f414503d0 |
| SHA256 | 7d920f1cf1e87b54a1e3a09e70d4479bd9adcc8e4e0879879a9710a0ba1d5e20 |
| SHA512 | 54bc10133957dfbbef1c87c1d02e6964c2a775f8488bcd2121f696262e3f550334ec4f2dc848ce7294884ff22c2346fefa0da22ffefb570656398397470f1475 |
memory/4756-116-0x00007FF76C330000-0x00007FF76C681000-memory.dmp
C:\Windows\System\WGImGiN.exe
| MD5 | 4ccee419168d7581b32eb04cdbc1dfc8 |
| SHA1 | 860a90e93a9dad42599dc90f3cd06100fd8f6a6a |
| SHA256 | 58e240139a9bf738d8f708b8beade02752f57d28f124203d7c05a82fc5594ca6 |
| SHA512 | ba118dd6befc4e8ee30e24aca9624d121b48fa9f29acab969b29c892a7e82b9326f18b1b171cebe97c74224479f54558b05de556668f4ef57ba2250dd6b5d1c3 |
memory/1600-101-0x00007FF79B140000-0x00007FF79B491000-memory.dmp
memory/1976-97-0x00007FF7B98E0000-0x00007FF7B9C31000-memory.dmp
memory/1040-96-0x00007FF61DC60000-0x00007FF61DFB1000-memory.dmp
C:\Windows\System\bDgwqLh.exe
| MD5 | 1c5375807dad036f6cc803a38d4e88a5 |
| SHA1 | 3d637b80e98d6a5539e3093abafb53799e5c23a3 |
| SHA256 | bc8c2ab89c4d547d5dee5509758f991c17f75e0443452e5e03bd79510790a6cc |
| SHA512 | d306a6cd45793bc35b2819c55fb76db31346aeb06a57f484100259813d8494ad9cb28563f0a04dfe81895db34a1a2ae33ae3bd9602e1b588994d03d27d3f8919 |
memory/5104-136-0x00007FF65CDE0000-0x00007FF65D131000-memory.dmp
memory/4172-148-0x00007FF661970000-0x00007FF661CC1000-memory.dmp
memory/4740-150-0x00007FF7C9470000-0x00007FF7C97C1000-memory.dmp
memory/5116-149-0x00007FF769C40000-0x00007FF769F91000-memory.dmp
memory/1192-145-0x00007FF600E50000-0x00007FF6011A1000-memory.dmp
memory/4696-153-0x00007FF770D40000-0x00007FF771091000-memory.dmp
memory/3280-156-0x00007FF642B70000-0x00007FF642EC1000-memory.dmp
memory/3964-154-0x00007FF6588D0000-0x00007FF658C21000-memory.dmp
memory/2420-155-0x00007FF692910000-0x00007FF692C61000-memory.dmp
memory/212-152-0x00007FF6566E0000-0x00007FF656A31000-memory.dmp
memory/5104-158-0x00007FF65CDE0000-0x00007FF65D131000-memory.dmp
memory/828-203-0x00007FF60B7E0000-0x00007FF60BB31000-memory.dmp
memory/1040-205-0x00007FF61DC60000-0x00007FF61DFB1000-memory.dmp
memory/4376-208-0x00007FF6F1970000-0x00007FF6F1CC1000-memory.dmp
memory/1600-209-0x00007FF79B140000-0x00007FF79B491000-memory.dmp
memory/4756-216-0x00007FF76C330000-0x00007FF76C681000-memory.dmp
memory/972-218-0x00007FF7B3EE0000-0x00007FF7B4231000-memory.dmp
memory/4228-220-0x00007FF64CA90000-0x00007FF64CDE1000-memory.dmp
memory/2228-222-0x00007FF6DAC70000-0x00007FF6DAFC1000-memory.dmp
memory/1192-224-0x00007FF600E50000-0x00007FF6011A1000-memory.dmp
memory/2648-226-0x00007FF695220000-0x00007FF695571000-memory.dmp
memory/4920-228-0x00007FF674FD0000-0x00007FF675321000-memory.dmp
memory/4172-230-0x00007FF661970000-0x00007FF661CC1000-memory.dmp
memory/5116-232-0x00007FF769C40000-0x00007FF769F91000-memory.dmp
memory/4740-234-0x00007FF7C9470000-0x00007FF7C97C1000-memory.dmp
memory/1976-237-0x00007FF7B98E0000-0x00007FF7B9C31000-memory.dmp
memory/212-239-0x00007FF6566E0000-0x00007FF656A31000-memory.dmp
memory/3964-241-0x00007FF6588D0000-0x00007FF658C21000-memory.dmp
memory/2140-243-0x00007FF6D2C10000-0x00007FF6D2F61000-memory.dmp
memory/4696-245-0x00007FF770D40000-0x00007FF771091000-memory.dmp
memory/2420-247-0x00007FF692910000-0x00007FF692C61000-memory.dmp
memory/3280-250-0x00007FF642B70000-0x00007FF642EC1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-14 21:23
Reported
2024-08-14 21:25
Platform
win7-20240704-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\JpiHJrB.exe | N/A |
| N/A | N/A | C:\Windows\System\KzhtXoe.exe | N/A |
| N/A | N/A | C:\Windows\System\wtNGJPP.exe | N/A |
| N/A | N/A | C:\Windows\System\KfqiGWU.exe | N/A |
| N/A | N/A | C:\Windows\System\RjMtjcp.exe | N/A |
| N/A | N/A | C:\Windows\System\fVKjFfP.exe | N/A |
| N/A | N/A | C:\Windows\System\bdAejdn.exe | N/A |
| N/A | N/A | C:\Windows\System\fAbuhuG.exe | N/A |
| N/A | N/A | C:\Windows\System\yRgSdoU.exe | N/A |
| N/A | N/A | C:\Windows\System\lkLFWql.exe | N/A |
| N/A | N/A | C:\Windows\System\TQVvpsJ.exe | N/A |
| N/A | N/A | C:\Windows\System\zUWZhVa.exe | N/A |
| N/A | N/A | C:\Windows\System\micZyeo.exe | N/A |
| N/A | N/A | C:\Windows\System\nVXpkSs.exe | N/A |
| N/A | N/A | C:\Windows\System\ajQutaJ.exe | N/A |
| N/A | N/A | C:\Windows\System\fmwyVKP.exe | N/A |
| N/A | N/A | C:\Windows\System\UlqFtbX.exe | N/A |
| N/A | N/A | C:\Windows\System\deewEaI.exe | N/A |
| N/A | N/A | C:\Windows\System\HNwMVQD.exe | N/A |
| N/A | N/A | C:\Windows\System\uRHlWeK.exe | N/A |
| N/A | N/A | C:\Windows\System\mKMipJu.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_c14b07d3350ec258e473a3fb3054c675_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\RjMtjcp.exe
C:\Windows\System\RjMtjcp.exe
C:\Windows\System\JpiHJrB.exe
C:\Windows\System\JpiHJrB.exe
C:\Windows\System\fVKjFfP.exe
C:\Windows\System\fVKjFfP.exe
C:\Windows\System\KzhtXoe.exe
C:\Windows\System\KzhtXoe.exe
C:\Windows\System\yRgSdoU.exe
C:\Windows\System\yRgSdoU.exe
C:\Windows\System\wtNGJPP.exe
C:\Windows\System\wtNGJPP.exe
C:\Windows\System\lkLFWql.exe
C:\Windows\System\lkLFWql.exe
C:\Windows\System\KfqiGWU.exe
C:\Windows\System\KfqiGWU.exe
C:\Windows\System\TQVvpsJ.exe
C:\Windows\System\TQVvpsJ.exe
C:\Windows\System\bdAejdn.exe
C:\Windows\System\bdAejdn.exe
C:\Windows\System\zUWZhVa.exe
C:\Windows\System\zUWZhVa.exe
C:\Windows\System\fAbuhuG.exe
C:\Windows\System\fAbuhuG.exe
C:\Windows\System\micZyeo.exe
C:\Windows\System\micZyeo.exe
C:\Windows\System\nVXpkSs.exe
C:\Windows\System\nVXpkSs.exe
C:\Windows\System\ajQutaJ.exe
C:\Windows\System\ajQutaJ.exe
C:\Windows\System\fmwyVKP.exe
C:\Windows\System\fmwyVKP.exe
C:\Windows\System\UlqFtbX.exe
C:\Windows\System\UlqFtbX.exe
C:\Windows\System\deewEaI.exe
C:\Windows\System\deewEaI.exe
C:\Windows\System\HNwMVQD.exe
C:\Windows\System\HNwMVQD.exe
C:\Windows\System\uRHlWeK.exe
C:\Windows\System\uRHlWeK.exe
C:\Windows\System\mKMipJu.exe
C:\Windows\System\mKMipJu.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/1772-0-0x000000013FA20000-0x000000013FD71000-memory.dmp
memory/1772-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\RjMtjcp.exe
| MD5 | 8c47f625a0fa1b8050fab3386298df5f |
| SHA1 | 003ba1726d61acd4a08291e9543dd760e7373a39 |
| SHA256 | df75049ede5c468df3710ae9b993d0d76aaaa28f9f1428bb5c37bc95c30b50bc |
| SHA512 | bf629566e15bd01e1ef4e50e1763c1160fde9384f0cf7ac253fcdf708e929c7b16b67600a1b219bec862a1994cf9cab533a754033e0f545c8a0bc11e314c8a91 |
\Windows\system\wtNGJPP.exe
| MD5 | 29b51ea701d425b46f29396e74295ee2 |
| SHA1 | ae7d3bcb988cd860ddddeb4742352c923a7b9ec8 |
| SHA256 | 2ec39707c84e41b4042c84b6595ea8fffc2401a644ff0f54b002175a5fbe478b |
| SHA512 | b1f64a45bb587000d2c11daee72730e628bbc3357af815f3d6ba5f4aa689d0050079621456853240df78d71d08722b100c724f76263b2299e4ff16ed134dc6ef |
C:\Windows\system\fVKjFfP.exe
| MD5 | 7df8942a65612178b217f1a9a5bee001 |
| SHA1 | cb125ff65c332220b6d50e70b0426f83d1882925 |
| SHA256 | 01a510141d0d4c7c8f17e4fedcae52b2b4acf8fafe7a31b1181373cb070b767b |
| SHA512 | 47694f34400ea360796d2618da933bab97e944531108e05f13a61248c34aae64f87af1f716031e782942272d7133da1c9256e5f9203924c5e320cb85629af4f0 |
C:\Windows\system\fAbuhuG.exe
| MD5 | 26a8874a7357ee20ab1b9d0ee25ff585 |
| SHA1 | 2b3fea5a66f41f8dbcd8db43543c390610f12db6 |
| SHA256 | e8f1826812a9b8d33b9e9763efd83772e42e853d78573089eb8219f79f3c9d48 |
| SHA512 | 11fed5ce4da4d5cc47131b07d09fab107f532031a568f115cea7a13f1141a6a88aa8b7542c908262e948f37f491ca0a20f7cbd339737cfde47add7904a6a489e |
memory/1772-65-0x000000013F320000-0x000000013F671000-memory.dmp
memory/2692-68-0x000000013F6C0000-0x000000013FA11000-memory.dmp
memory/1772-70-0x000000013FF20000-0x0000000140271000-memory.dmp
memory/112-73-0x000000013F640000-0x000000013F991000-memory.dmp
memory/2520-77-0x000000013F9F0000-0x000000013FD41000-memory.dmp
\Windows\system\lkLFWql.exe
| MD5 | a1e74e2e09848076025a09a647e59378 |
| SHA1 | 78c067c4d50e79e645c10c629740d4935534ecfd |
| SHA256 | 30f1d716fb6d35521b0205be9094a2a7bfb57fc952937ad4203df27254396ce9 |
| SHA512 | 3b8a55c8063ec32533ca60a262a4752711ad84da159fedbe66b03abb36cd92e91592b0f4375caacf743758c1f809fac76a4ba46a5ee5e4567a0bfe6b9adcd833 |
C:\Windows\system\KfqiGWU.exe
| MD5 | c919de64eddaf9ce472b21d66d9de993 |
| SHA1 | 3ca0accceacf65deed7661b158de4018dfad3094 |
| SHA256 | 7e51a2bbe5c784978b607bd807bfa8d88595267b796a3e686a58ca57cec2284d |
| SHA512 | 7216aad4bb1caa022c4c77a649c9c013960f6c08c3ca27f32e61bf4ab45a6b40c97e3bbb02be740638adb7f5d1eaf400382eccd9b40ba153936533dfaa516f88 |
C:\Windows\system\HNwMVQD.exe
| MD5 | 010417e27cd0da886703637ccecabac2 |
| SHA1 | 4837f4ca6e847d741cb774be23f58c556aab9644 |
| SHA256 | b0548165558d53e15da928399fbbe5b100077f61a0e032eebc5fc7aa8397c972 |
| SHA512 | 08a8571dae142fc6463271e42b8f0632920815324de2d72e8adaeecf5c8153ac8c12efcc6f52203daec77e2f3363f4d9ecb45122234a6524657c66fc2e8ef255 |
\Windows\system\mKMipJu.exe
| MD5 | 255465251e3ee9e9cf65299810ff2381 |
| SHA1 | 1716ff20c247396b735da00f20004b7c346019e5 |
| SHA256 | 2801fa7c489457bc4fd3a0874a178f64e0e96bfb441fc6073084f994a5c61b91 |
| SHA512 | 3a70022a1c0829bf40c3662a6edd939689dd104c0699c211a17c390ec07cbdffb7ee17106f960e82b4a4cd850f0a627ad077c8af262eca5b4dc92047d86b10a5 |
C:\Windows\system\uRHlWeK.exe
| MD5 | b0eed62a656e3932b629250c35cf7f56 |
| SHA1 | a013f56961f72feadcfb24ee39793ee6f28f156a |
| SHA256 | 8d7de00bb78e078fd7a8dffefbb4337de8f1b48ecd388973a70e4d78a5f43414 |
| SHA512 | 01408e38c3d5218577ce3c1a2030f8db89d33d72b9220525207a11f705df9069a20248678c8ef69fa4d6e698b75ee5d71977e9dbcdc1e75d04e0fcb460bc1046 |
C:\Windows\system\deewEaI.exe
| MD5 | a5de219fb2e0bee0938d598f4500f204 |
| SHA1 | 670f73ab732f33f14a6c1688a20d650ada0e322e |
| SHA256 | ee21bd8cd80938f3f802bd46290217e83de5817c48b6210e19b455d834b91fca |
| SHA512 | 35cd7197d66f3a5fa7a5da9e7ef36b776b56a362d2093214d181c70141222181f5d619a895eb85a47260c2be30dd8910f1c05d757a9d763e699629ae0c4bc1e7 |
C:\Windows\system\UlqFtbX.exe
| MD5 | bac36c661f98fcc0b2616f354d6eec32 |
| SHA1 | 1a9bc0d6ac8daf9d55ebdb79720de6822b769fc4 |
| SHA256 | bcd8ab5d38257732fe8b3771c87e4a9bf5539696adcdd8ba1eeda44c5373aa80 |
| SHA512 | ad40506714ae9175f75a5c9198fa443be8f94a0944fa5338aee75d9fd133adb0fd393a012b2e44021a0c5aeecffd06ef29ae7af83d05c14d25c50c2422a4aa5c |
C:\Windows\system\ajQutaJ.exe
| MD5 | 446477d46d80d8e47e8dcb17671804cf |
| SHA1 | 2e02fc27ed68e57c84784b7d411b842f14d2b053 |
| SHA256 | 3a957039b247cd2a2f5ad85e6d24989c0a5c81c238e108527712b7dbe79a0cda |
| SHA512 | a45b9392de0666da8a1b61d46f23170a95290a49c86937d2de0dfd1174db7058427edf67c638271882fca603794cfa3abf8a20cf3bc573b18da16d22dea7ade3 |
memory/2352-104-0x000000013FFD0000-0x0000000140321000-memory.dmp
memory/1772-103-0x000000013FA20000-0x000000013FD71000-memory.dmp
C:\Windows\system\fmwyVKP.exe
| MD5 | 6e6b7a547f2c63615638fe4815571e76 |
| SHA1 | 8e022fda950ebe8c64c00507262dbc35076b1b2f |
| SHA256 | 4ce4ef2aaac5f6f05f2bf076164667d898e04172074b4213283f1e1a5a0f2836 |
| SHA512 | 1e5b2fe386f4a8859f7b60c6815fa1d014236b6559c98384a73e130244f62ca0ab0aff36360f86fd199e19d3c5c80b4e76c20ed12ef50ec9d72cd0dc9298a1f4 |
memory/2556-91-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/1772-90-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/2644-98-0x000000013F210000-0x000000013F561000-memory.dmp
memory/1772-97-0x000000013F210000-0x000000013F561000-memory.dmp
C:\Windows\system\micZyeo.exe
| MD5 | f5d6ec04cf070cd65490d1a8b3fec268 |
| SHA1 | fde779be42e8399dcc0d2c1c4b77ac0051879d03 |
| SHA256 | 9e06db3fa003494ff11947c807b1a47f539805b2634cb12ca32b344bf84383e9 |
| SHA512 | 3b8632a94d46a05a504f6e31c7d5728ff14a70d54caeaf86a69bd295681727eb4263b6d486b546bf1f997b7e6a55550c9b13b4679d5d48ca1543e9e04a6f68e3 |
\Windows\system\zUWZhVa.exe
| MD5 | 53bacfa409645133552d28bb7c8afa31 |
| SHA1 | a0a0df41ec182f770c151a2c5637b70da6f32b21 |
| SHA256 | 784ebe8ab600b045c2bb984da78f2da27e4d4f77d6677e52a2b0af5148dcebed |
| SHA512 | 65495e5b97f5dc407d963a61098118a6a89040d5e98c5e1d0ae9ddb2f3a53f6e8a04f634ad421a825b11c13884032f784a7ae2a9dd0c16290813c537560046b5 |
C:\Windows\system\nVXpkSs.exe
| MD5 | da26d7c39e6be8c3c53284d8cc35e3e5 |
| SHA1 | cc76c599f5c6af1dfe73a241a17216c546510f72 |
| SHA256 | 16b3250fd6606323485010122e83c84a6db4a9d50c92e5157876b47527c20dbc |
| SHA512 | 6cb8e5463c18ff80f088b39f8c87153e34ea85a983f9e838e7436687e8ba61d22ac29b872fa07f480bc8dc632751e079970f09de5617d73c25209403584032b7 |
\Windows\system\TQVvpsJ.exe
| MD5 | 8ea38b77e17fba3ecfa36c8555f17261 |
| SHA1 | 0ebedf0065d873620d6e950e7b822fa8b1e76794 |
| SHA256 | ae708f114d7dacca4a5a63776735c3016946751784e7fda1a0ee1a0061e7ea6f |
| SHA512 | a286ea6fbb54d47b91f0d6b879a5336947711e716d12cd7bf6008960687759569622ee834f390d56f071ef4b83e4a87ec63774efb5c05a6456ddf431892575d7 |
memory/2796-85-0x000000013F320000-0x000000013F671000-memory.dmp
memory/2676-82-0x000000013F360000-0x000000013F6B1000-memory.dmp
\Windows\system\yRgSdoU.exe
| MD5 | 1f453564245d5a5949534e25afa1aee9 |
| SHA1 | 2f0071ebc0e111b3e21a38f2aa6249add7221c93 |
| SHA256 | 6456e247c3a5335ce70cbd37c679782199dbf1a73a5d3b6096d0a557abc7361f |
| SHA512 | 4636d8968699d7c7830bf73f107448a5d96defe69ebaf0713e9289d00a58cb5961a764ea52f3dac848c32ef4ae9a249bdf1d335870b0a51ba45087d24c3b9096 |
memory/2932-78-0x000000013FF20000-0x0000000140271000-memory.dmp
memory/1772-72-0x000000013F600000-0x000000013F951000-memory.dmp
memory/1772-71-0x000000013F360000-0x000000013F6B1000-memory.dmp
memory/1772-69-0x0000000002240000-0x0000000002591000-memory.dmp
memory/2772-67-0x000000013F600000-0x000000013F951000-memory.dmp
memory/1772-66-0x000000013F6C0000-0x000000013FA11000-memory.dmp
memory/896-136-0x000000013F090000-0x000000013F3E1000-memory.dmp
memory/3048-64-0x000000013F8A0000-0x000000013FBF1000-memory.dmp
memory/2660-63-0x000000013F9C0000-0x000000013FD11000-memory.dmp
memory/1772-62-0x0000000002240000-0x0000000002591000-memory.dmp
C:\Windows\system\bdAejdn.exe
| MD5 | 15bdfaa787d7bf752c6cbef2536b0fe6 |
| SHA1 | 3573334eef0386a3239e94a60f34cff354882a49 |
| SHA256 | 5832355af484fcebd52d31d50765e7b28a6586d24be171a02fa860ea3eb28d19 |
| SHA512 | a95d45b10520511d173ac561fafd33bb3b8f43db302281151e4c2b2e42aa4de86ca8ea12527875353133f8276aad330f1ed312989851b3f1afa8845839405b5b |
memory/1772-12-0x000000013FFD0000-0x0000000140321000-memory.dmp
memory/2200-54-0x000000013F740000-0x000000013FA91000-memory.dmp
memory/896-50-0x000000013F090000-0x000000013F3E1000-memory.dmp
C:\Windows\system\JpiHJrB.exe
| MD5 | 0166d2dba0a8a7f0dd150077919b9fa2 |
| SHA1 | 0a3ef169320c91890539020b16d174e162bdf661 |
| SHA256 | f24efe07ef38c203dced499acc551aa33df97814780232f2dfe5cc252698b4a1 |
| SHA512 | 2a5f3dbc38ecb01dc5e81c3948d68d696d3fb1d18523e656ede4299d42bae9047ab5e29d153bb42f22f5ff82d124205b949778e732900b50dc3f37a8d59280ac |
memory/1772-33-0x000000013F090000-0x000000013F3E1000-memory.dmp
memory/1772-28-0x000000013F640000-0x000000013F991000-memory.dmp
C:\Windows\system\KzhtXoe.exe
| MD5 | b38817ec5006ba0dd5fcd1484c6c4804 |
| SHA1 | 5c6dce7d279407f385c7d222fb61adccfcc0d9d0 |
| SHA256 | 733680ac84dae7bfc64a607ed42ca98cba1f41526e0450526e68fc461b296db9 |
| SHA512 | b39900dd2c7b254dd89f367dcb752612df87093c00e9b864a1672c2b4d14bbfe9084e5b116efa247ddf1e31f034d221db2ab77634b195d274679a4e63d6a42cc |
memory/2352-18-0x000000013FFD0000-0x0000000140321000-memory.dmp
memory/1772-7-0x0000000002240000-0x0000000002591000-memory.dmp
memory/1772-137-0x000000013FA20000-0x000000013FD71000-memory.dmp
memory/2932-144-0x000000013FF20000-0x0000000140271000-memory.dmp
memory/2556-150-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/2644-151-0x000000013F210000-0x000000013F561000-memory.dmp
memory/1236-154-0x000000013F1E0000-0x000000013F531000-memory.dmp
memory/1804-153-0x000000013FE60000-0x00000001401B1000-memory.dmp
memory/1284-158-0x000000013FAC0000-0x000000013FE11000-memory.dmp
memory/2380-156-0x000000013FB00000-0x000000013FE51000-memory.dmp
memory/1088-157-0x000000013F650000-0x000000013F9A1000-memory.dmp
memory/884-155-0x000000013F7C0000-0x000000013FB11000-memory.dmp
memory/876-152-0x000000013F910000-0x000000013FC61000-memory.dmp
memory/1772-159-0x000000013FA20000-0x000000013FD71000-memory.dmp
memory/1772-181-0x0000000002240000-0x0000000002591000-memory.dmp
memory/2352-205-0x000000013FFD0000-0x0000000140321000-memory.dmp
memory/2200-209-0x000000013F740000-0x000000013FA91000-memory.dmp
memory/896-207-0x000000013F090000-0x000000013F3E1000-memory.dmp
memory/2660-211-0x000000013F9C0000-0x000000013FD11000-memory.dmp
memory/3048-213-0x000000013F8A0000-0x000000013FBF1000-memory.dmp
memory/112-215-0x000000013F640000-0x000000013F991000-memory.dmp
memory/2692-219-0x000000013F6C0000-0x000000013FA11000-memory.dmp
memory/2772-217-0x000000013F600000-0x000000013F951000-memory.dmp
memory/2520-235-0x000000013F9F0000-0x000000013FD41000-memory.dmp
memory/2932-237-0x000000013FF20000-0x0000000140271000-memory.dmp
memory/2676-239-0x000000013F360000-0x000000013F6B1000-memory.dmp
memory/2796-241-0x000000013F320000-0x000000013F671000-memory.dmp
memory/2556-243-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/2644-245-0x000000013F210000-0x000000013F561000-memory.dmp