Analysis Overview
SHA256
da10aee97e1087049ebed91c5f8c5d0b1a502cc70d4e9547429f37eeab8fbb88
Threat Level: Known bad
The file 2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
XMRig Miner payload
Cobalt Strike reflective loader
xmrig
Cobaltstrike
Xmrig family
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-14 20:46
Signatures
Cobalt Strike reflective loader
1 match; the report records no description, indicator, process or target for it.
Cobaltstrike family
XMRig Miner payload
1 match; the report records no description, indicator, process or target for it.
Xmrig family
UPX packed file
1 match; the report records no description, indicator, process or target for it.
Unsigned PE
2 matches; the report records no description, indicator, process or target for them.
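The two static signatures above (UPX packed file, Unsigned PE) come from the PE header. The following is an added example, not part of the sandbox report and not the sample's own code: it builds minimal PE images in memory (constructed test input, not the analysed file) and runs the two checks an analyst would apply to the dropped files, namely whether any section carries a UPX0/UPX1/UPX2 name and whether the Certificate Table data directory (index 4) is populated, which is where an embedded Authenticode signature lives. Both checks are heuristics: section names are trivially renamed, and a file with an empty certificate table may still be catalog-signed, so "no embedded signature" is not the same as "untrusted".

```python
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Certificate Table (Authenticode) data directory


def build_pe(section_names, signed=False, pe32plus=True):
    """Construct a minimal, non-runnable PE image for testing (constructed input)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)  # 64-byte DOS header
    opt_size = 240 if pe32plus else 224
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)  # optional header magic
    dd_off = 112 if pe32plus else 96  # offset of the data directories inside the optional header
    if signed:
        # Non-zero VirtualAddress/Size in the security directory = embedded certificate blob
        struct.pack_into("<II", opt, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x1000, 0x800)
    # Section headers are 40 bytes each; only the 8-byte name matters here
    sections = b"".join(name.ljust(8, b"\0") + b"\0" * 32 for name in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + sections


def inspect_pe(data):
    """Read section names and the certificate directory from a PE file's bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x20B:      # PE32+
        dd = opt + 112
    elif magic == 0x10B:    # PE32
        dd = opt + 96
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    _, sec_size = struct.unpack_from("<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    table = opt + opt_size  # section table follows the optional header
    names = [struct.unpack_from("8s", data, table + 40 * i)[0].rstrip(b"\0") for i in range(nsec)]
    return {
        "machine": f"{machine:#x}",
        "sections": [n.decode("ascii", "replace") for n in names],
        "upx_packed": any(n in UPX_SECTION_NAMES for n in names),
        "has_authenticode": sec_size > 0,
    }


if __name__ == "__main__":
    print(inspect_pe(build_pe([b"UPX0", b"UPX1", b".rsrc"])))
    print(inspect_pe(build_pe([b".text", b".rdata", b".data"], signed=True, pe32plus=False)))
```

To run this against a real dropped file, pass `open(path, "rb").read()` to `inspect_pe`; the parser only reads headers, so it is safe on untrusted input as long as the file is not executed.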
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-14 20:46
Reported
2024-08-14 20:48
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; the report records no description, indicator, process or target for them.
Cobaltstrike
xmrig
XMRig Miner payload
46 matches; the report records no description, indicator, process or target for them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\zcaNUmo.exe | N/A |
| N/A | N/A | C:\Windows\System\yVSFOtj.exe | N/A |
| N/A | N/A | C:\Windows\System\UQJDshL.exe | N/A |
| N/A | N/A | C:\Windows\System\zOkyVEW.exe | N/A |
| N/A | N/A | C:\Windows\System\ULACJPe.exe | N/A |
| N/A | N/A | C:\Windows\System\yEXgJaT.exe | N/A |
| N/A | N/A | C:\Windows\System\NzHDryE.exe | N/A |
| N/A | N/A | C:\Windows\System\AklfKwU.exe | N/A |
| N/A | N/A | C:\Windows\System\bheZHVk.exe | N/A |
| N/A | N/A | C:\Windows\System\RtUwaJU.exe | N/A |
| N/A | N/A | C:\Windows\System\VTRSegD.exe | N/A |
| N/A | N/A | C:\Windows\System\tyJZRBA.exe | N/A |
| N/A | N/A | C:\Windows\System\HMZdwiW.exe | N/A |
| N/A | N/A | C:\Windows\System\FlXCBja.exe | N/A |
| N/A | N/A | C:\Windows\System\xedoIZx.exe | N/A |
| N/A | N/A | C:\Windows\System\DhpVMBy.exe | N/A |
| N/A | N/A | C:\Windows\System\smgerfY.exe | N/A |
| N/A | N/A | C:\Windows\System\oqSTCgy.exe | N/A |
| N/A | N/A | C:\Windows\System\rEdanZP.exe | N/A |
| N/A | N/A | C:\Windows\System\kSlrTHi.exe | N/A |
| N/A | N/A | C:\Windows\System\ghHtnnr.exe | N/A |
UPX packed file
64 matches; the report records no description, indicator, process or target for them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\zcaNUmo.exe
C:\Windows\System\zcaNUmo.exe
C:\Windows\System\yVSFOtj.exe
C:\Windows\System\yVSFOtj.exe
C:\Windows\System\UQJDshL.exe
C:\Windows\System\UQJDshL.exe
C:\Windows\System\zOkyVEW.exe
C:\Windows\System\zOkyVEW.exe
C:\Windows\System\ULACJPe.exe
C:\Windows\System\ULACJPe.exe
C:\Windows\System\yEXgJaT.exe
C:\Windows\System\yEXgJaT.exe
C:\Windows\System\NzHDryE.exe
C:\Windows\System\NzHDryE.exe
C:\Windows\System\AklfKwU.exe
C:\Windows\System\AklfKwU.exe
C:\Windows\System\bheZHVk.exe
C:\Windows\System\bheZHVk.exe
C:\Windows\System\RtUwaJU.exe
C:\Windows\System\RtUwaJU.exe
C:\Windows\System\VTRSegD.exe
C:\Windows\System\VTRSegD.exe
C:\Windows\System\tyJZRBA.exe
C:\Windows\System\tyJZRBA.exe
C:\Windows\System\HMZdwiW.exe
C:\Windows\System\HMZdwiW.exe
C:\Windows\System\FlXCBja.exe
C:\Windows\System\FlXCBja.exe
C:\Windows\System\xedoIZx.exe
C:\Windows\System\xedoIZx.exe
C:\Windows\System\DhpVMBy.exe
C:\Windows\System\DhpVMBy.exe
C:\Windows\System\smgerfY.exe
C:\Windows\System\smgerfY.exe
C:\Windows\System\oqSTCgy.exe
C:\Windows\System\oqSTCgy.exe
C:\Windows\System\rEdanZP.exe
C:\Windows\System\rEdanZP.exe
C:\Windows\System\kSlrTHi.exe
C:\Windows\System\kSlrTHi.exe
C:\Windows\System\ghHtnnr.exe
C:\Windows\System\ghHtnnr.exe
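The process tree above is the detectable part of this run: the sample writes seven-letter mixed-case executables into C:\Windows\System (the legacy 16-bit directory, which nothing should be populating on a current Windows host) and immediately runs each one, and the SeLockMemoryPrivilege rows record the privilege XMRig requests for large-page memory. The following is an added example, not part of the sandbox report or the sample: a small correlation check over constructed Sysmon-style events (EventID 11 FileCreate, EventID 1 ProcessCreate; the paths and timestamps are made up for the demo and `dropper.exe` stands in for the sample) that raises a high-confidence alert when a file in that directory is executed by the process that just wrote it, and a weaker alert when the path pattern alone matches.

```python
import re
from datetime import datetime

# Seven-letter names under the legacy directory, as seen in this run
# (zcaNUmo.exe, yVSFOtj.exe, ...). System32 deliberately does not match.
DROPPED_EXE = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)

# Constructed Sysmon-style events for the demo (not taken from the report).
# EventID 11 = FileCreate (Image wrote TargetFilename); EventID 1 = ProcessCreate.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-08-14 20:46:10.100", "EventID": 11,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\dropper.exe",
     "TargetFilename": r"C:\Windows\System\zcaNUmo.exe"},
    {"UtcTime": "2024-08-14 20:46:10.350", "EventID": 1,
     "Image": r"C:\Windows\System\zcaNUmo.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\dropper.exe"},
    {"UtcTime": "2024-08-14 20:46:12.000", "EventID": 11,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\dropper.exe",
     "TargetFilename": r"C:\Windows\System\yVSFOtj.exe"},
    {"UtcTime": "2024-08-14 20:46:12.200", "EventID": 1,
     "Image": r"C:\Windows\System\yVSFOtj.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\dropper.exe"},
    # Benign noise: a System32 process (path does not match), and a file written to the
    # legacy directory by an installer but never executed.
    {"UtcTime": "2024-08-14 20:46:13.000", "EventID": 1,
     "Image": r"C:\Windows\System32\conhost.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"UtcTime": "2024-08-14 20:46:14.000", "EventID": 11,
     "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Windows\System\legacy.dll"},
    # Same name pattern but executed twenty minutes after it was written: still worth
    # a look, but outside the drop-and-run window, so it gets the lower-confidence rule.
    {"UtcTime": "2024-08-14 20:30:00.000", "EventID": 11,
     "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Windows\System\ABCDEFG.exe"},
    {"UtcTime": "2024-08-14 20:50:00.000", "EventID": 1,
     "Image": r"C:\Windows\System\ABCDEFG.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S.%f")


def detect_drop_and_exec(events, window_seconds=60):
    """Correlate FileCreate and ProcessCreate events for C:\\Windows\\System\\*.exe.

    Returns one alert per matching ProcessCreate:
      drop_and_exec        - the image was written by its own parent process at most
                             window_seconds earlier (the chain this report shows);
      exec_from_legacy_dir - the path pattern matched but no such recent write by the
                             parent was seen, so the evidence is weaker.
    """
    alerts = []
    created = {}  # path (case-folded, NTFS is case-insensitive) -> (time, writer)
    for ev in sorted(events, key=lambda e: _ts(e["UtcTime"])):
        if ev["EventID"] == 11:
            created[ev["TargetFilename"].lower()] = (_ts(ev["UtcTime"]), ev["Image"])
            continue
        if ev["EventID"] != 1 or not DROPPED_EXE.match(ev["Image"]):
            continue
        hit = created.get(ev["Image"].lower())
        delay = (_ts(ev["UtcTime"]) - hit[0]).total_seconds() if hit else None
        fresh = hit is not None and delay <= window_seconds
        same_actor = hit is not None and hit[1].lower() == ev["ParentImage"].lower()
        alerts.append({
            "rule": "drop_and_exec" if fresh and same_actor else "exec_from_legacy_dir",
            "image": ev["Image"],
            "parent": ev["ParentImage"],
            "writer": hit[1] if hit else None,
            "delay_s": delay,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_drop_and_exec(SAMPLE_EVENTS):
        print(alert)
```

The window is deliberately short: in both detonations the child starts within the same second as the write, so a 60 s window keeps the high-confidence rule tight while the path-only rule still surfaces anything executed from that directory later.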
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
memory/2964-0-0x00007FF6C88B0000-0x00007FF6C8C01000-memory.dmp
memory/2964-1-0x000002623A6C0000-0x000002623A6D0000-memory.dmp
C:\Windows\System\zcaNUmo.exe
| MD5 | 9972e53bac3bb8ee1eadf7a3c3cb7b13 |
| SHA1 | 94286ed279f0e2f0f05ff23632199b6b59f96b8b |
| SHA256 | cb1b657996b7b4533d8730b6efeb8b5808fa74927ed357030f45ddd3ede65dc9 |
| SHA512 | 3d964519e2bc84f6dc573af77632827f8dc372a17fd2280247ece647f45408f8a6b3ca415dcdf7e6992ade86f7f3bceb6598ababf02ae65a2eb2c8f5f37bc8a6 |
memory/4468-8-0x00007FF613ED0000-0x00007FF614221000-memory.dmp
C:\Windows\System\UQJDshL.exe
| MD5 | 1242999156885f2426f5caf169388e4b |
| SHA1 | 00e879306ef4b0c36699bb83c4f890f62024e6e2 |
| SHA256 | 2dd1c7867c2d0de7bfdc5dc8b13ac45c18ee013faa46a45c03bda1990312a9cc |
| SHA512 | c0b1a379fa3160c54205236412875090d0964051f33bc130cbe91410324022215eeeb760e07d8818ef30e572f04bfce39950c8e3c4be644a3f872b47da37cb10 |
C:\Windows\System\yVSFOtj.exe
| MD5 | 5eb0bb2501346fe9f8208d31ff740385 |
| SHA1 | 325f6f31594a2feb76e86fd89e4ce25d82638ef3 |
| SHA256 | c09b84268c0af3c20a6505f6e4881033291b4ac4b0318e0b3e45fcd0aef1e243 |
| SHA512 | c99b8f1a4e35b86fe5aca9bcffd79fce3c437535b2d1e8b1b5d97686fd34697ef7129f1bacd01777a81c34ce5765d0f37d1954052b9e1e90abb863a3158f7708 |
memory/3564-22-0x00007FF62B0F0000-0x00007FF62B441000-memory.dmp
memory/3756-27-0x00007FF790080000-0x00007FF7903D1000-memory.dmp
memory/4544-34-0x00007FF776E80000-0x00007FF7771D1000-memory.dmp
C:\Windows\System\ULACJPe.exe
| MD5 | 6f773f5117343a769d0f7b7aca1d4494 |
| SHA1 | 32b3e824ea0efecaa1558f7de1aa3a416d374d07 |
| SHA256 | 2b266e58155974d07d7fb1d9d23c8f64f90a56e4474bd18a297f432ffdc2deac |
| SHA512 | fac4c665c65ee25458a3046c140904ca2d6a0ce9f0708de4e705056a9c6255e0c517966d78ea87856c54b92985fc04754adf875ff557e5083c23c6c1f2bfc058 |
C:\Windows\System\AklfKwU.exe
| MD5 | 200e0832ec068392a31b632d06802a03 |
| SHA1 | 065a365cdc301a24f8863eddd2eef5056bbb2281 |
| SHA256 | 63e0ee9c5daac4b62be008f42b4084644173422bb6f3d1eba3401b0f190a96e8 |
| SHA512 | 36a3ef8b2eae3174df6043fc4988fb576297636e39ff1db90807082b540be96691323cfa521ba0e007f8a117a7732474e167eddc09c7635fb79b26fd4ffb0931 |
C:\Windows\System\bheZHVk.exe
| MD5 | 9524953868a07fd240bb113ea8aafdde |
| SHA1 | 1bd9b490e72bf60e7f7f7e90dcf0b986575de154 |
| SHA256 | 576fca5919d39536ec2acac2cb0fcb650846a947c7e70cb75b4831a37654bd4d |
| SHA512 | 76427446de5bfb74602c2f1dde8c35f68f0bd9cc21e40a29b332bdaad4d963c084293d7adabaf0746d7deac2107d481f324bb669a5ab2baad88345e5671827df |
C:\Windows\System\NzHDryE.exe
| MD5 | 82b80af5a54a4100da04e66c248e09a4 |
| SHA1 | c6982893c313f089aa1134c6af76fdf88d12798f |
| SHA256 | 2d08da7decfa248a98837b9e892f05444773ccb228a51eb9bb8864dc004caa6f |
| SHA512 | a94ed8d55b1f2a728141ae58c3176750e2f261f621049ce6d84a31790d04d9896357c983a8ddac686c5ebf61dc2ed25dbb1bdad428e4d329bcd14f03e7c3036f |
C:\Windows\System\RtUwaJU.exe
| MD5 | 5537867b41ae7b610a7b18f83d00600f |
| SHA1 | 99cc276e3a31e422ffdb09bbed4e4333e3ad47c7 |
| SHA256 | 28216a1f39b56d9e2b795de195bccb917d70627b312a69f507cfb76d3a22a3b9 |
| SHA512 | 88448f42f86682c3ba26481711570a446f030291e76be3b7a8729a6d26437257500a4124c6d8e428f8baa88fa1f570447bec469c7d468b5910fff77ebcee226b |
C:\Windows\System\HMZdwiW.exe
| MD5 | 0e105482c36d3c2b6842891d284894a4 |
| SHA1 | fb9b013574c61db37188789fdfe0bbbd24e7220d |
| SHA256 | 6e7c7f7351d4d2b56bc744c255a5b2220b2df610fbbd9e87cb29c2c8c2326639 |
| SHA512 | a172f6e729ae93e5957271fdcee73f25f3e6a271b925fdf9cdaed0b68902039cf1af08a1c0e9fce17884488e4b8811c08e912309de42c878d610157f11344c95 |
C:\Windows\System\FlXCBja.exe
| MD5 | 24181455093c756b8d023ea52b7a1d6a |
| SHA1 | 503a5f5bd2b837f9c97454bb91df55169b21d614 |
| SHA256 | 10aa027ff46eed13c8c71a740f3cf06e4c6029251bea6639903630387f708ae9 |
| SHA512 | de15d625b62830a83218e6a794ed332dcf825d32fa13854fe0045e18987c88f7347a2e97f132ba07b130424746bba8528ccc14adbd11718d9dfaa051b223b49c |
memory/2304-84-0x00007FF690660000-0x00007FF6909B1000-memory.dmp
memory/5016-83-0x00007FF639390000-0x00007FF6396E1000-memory.dmp
memory/2436-74-0x00007FF73D580000-0x00007FF73D8D1000-memory.dmp
C:\Windows\System\tyJZRBA.exe
| MD5 | 1659f6614cc67b09709c66ec908c7e5d |
| SHA1 | b296c243754a5a52494d5dde53a577f915bee590 |
| SHA256 | 8fd3fce23c0a419ab277d26c617fd7f36344efa8a72a8f884920bbe15c672aaf |
| SHA512 | 26bb1bd3634e61e9239e7704ca69a48ed81640005fe15ca05b73d99467af513499e1b180943a6365b62b7f66ff5f0d2c2ed4f0598599122fb62730df3e1f246b |
memory/3436-71-0x00007FF6088D0000-0x00007FF608C21000-memory.dmp
memory/1064-68-0x00007FF77CBF0000-0x00007FF77CF41000-memory.dmp
memory/1396-64-0x00007FF7FB340000-0x00007FF7FB691000-memory.dmp
C:\Windows\System\VTRSegD.exe
| MD5 | eafbb76f4ac34bad81215f8b9dfb0b7e |
| SHA1 | 9f905e5f69f8eb49a8269450588822af4141d940 |
| SHA256 | 8ee7e7b70adee0f3adcedeca2f4a7dae8fd5bce4404d13f74cf400ee855feff3 |
| SHA512 | c00c06a83b8ee7f9c7ff396f4472fb540f430368fd80b432692decd27cd26bee6773dec3aacf9bbf76e9da1e8319439e46f56c6c9d32a32dd41f02a6858f770c |
memory/4512-56-0x00007FF711680000-0x00007FF7119D1000-memory.dmp
memory/3580-49-0x00007FF768AD0000-0x00007FF768E21000-memory.dmp
C:\Windows\System\yEXgJaT.exe
| MD5 | 0eda4edb9389e5c765f262d561bc3452 |
| SHA1 | c56549bd2ddd05329b2d41ddf2a0a8465d37db86 |
| SHA256 | 388a2890a67c5e7878e6020b2fc7f1b7415764580f1e996a6e175fbae6107d55 |
| SHA512 | 1436fae69e9f8752842cd221505f8505856a689d83c3443ab558619aef4b46453d596f19a05f2904ee3c0719c76c76da8d19daaabb098777510ed85bd5592d5d |
memory/2224-39-0x00007FF6F54B0000-0x00007FF6F5801000-memory.dmp
C:\Windows\System\zOkyVEW.exe
| MD5 | 06f6d155f15b555ee8ccaaf2da5ece02 |
| SHA1 | aeb55b8d19e83c02702bc797c13d39d70c319913 |
| SHA256 | 29425bc28097c85566d5af0ad843a1a3792d389f0e5082733677d37e171ef12c |
| SHA512 | 4198bd71d83d51aae5b36fb35ec49020b72bb362b79001a542711253aada0ba31af596bbd509ef8a2ad373dc55e53bffb04ca42b8a6103b445f343a9883d9d9c |
memory/4748-15-0x00007FF778DE0000-0x00007FF779131000-memory.dmp
C:\Windows\System\xedoIZx.exe
| MD5 | 71e130f97e66cc566618695c16b8c34f |
| SHA1 | 66d2f016f96b3499affa38bac8b1f9fc2acfa0df |
| SHA256 | a2b8f9581f279be75949927d074af92d16394e820771539102c00d9119165cda |
| SHA512 | d8c13e9db9d6b8263d584c5f5b08f9ceec40bfcfcd709761b74dfbd534ac5886ce05840cacc9e1ec34e365514546f0c02ff6b55a4bc166211db7be50ca6f41c7 |
C:\Windows\System\DhpVMBy.exe
| MD5 | 4a8c482d44c520ab04d4deefcf3ea4c0 |
| SHA1 | 45c88d23e4ddae9e10e8693b69281a020c2c1d87 |
| SHA256 | 9113bd144ee533d9a39e8decab02192462cc854e9b8eb208632a900fe92f4db0 |
| SHA512 | f37ee8e85b00f0c94622e5b48cfa3c948edce9bd752d106193795c5d64347d75f46d06fc4b6ba130d87af8de238d401047a37a197738d9574bd7b752a2f9e549 |
C:\Windows\System\smgerfY.exe
| MD5 | 3d4f6455d2e2ce607503b00915b314bf |
| SHA1 | 1d15a00a813cc88243b7129d542f470d78e4eafd |
| SHA256 | ed868e0e9f57a9c6f30f13410f3e38aa82c83ec67543180a69fb0e4bedca9efa |
| SHA512 | 479e748b7053ec8d0240c519169b12db620e0ca5511ba17fdf400194a6ab238ad3f8f7e32577da52fcd6965047367ba4eab425f6aeac27c9db8f45f9bfe16b96 |
C:\Windows\System\kSlrTHi.exe
| MD5 | b715ba3b61e370397511c94dc3e87712 |
| SHA1 | 36feacdd30d4d55ff2bc83a3d2f344eaa66e0da8 |
| SHA256 | caf369f4ec8af2a34c2954042df443ae5e51c4e5e83352b985f76e3063c938b3 |
| SHA512 | a54313cb113f3eb584d892d7e20c077ae3c1e8adec8e0bc4e96f3505f88d17ee00541b24833a54f56b4658102bb82e74421145a01b814210e6bba8473fcccacf |
memory/3184-121-0x00007FF774430000-0x00007FF774781000-memory.dmp
C:\Windows\System\rEdanZP.exe
| MD5 | df4464fadd52e48ceae6ccd41aa86c27 |
| SHA1 | 0f8528f07f6c8e9b556c1f963b812724a3c71299 |
| SHA256 | 3e4d1557742873d0e83976dbe50421760ad8e877d1ef3bcdf0df17d8b3def7f8 |
| SHA512 | 93d72bec7923f527d02e51e1291f6d71b1935fe91b0c06c5c8ce402bd885426da6b4f02200862f3678bcbba25378a4defa68dd438a0d56996af0d424f3bbd39b |
C:\Windows\System\ghHtnnr.exe
| MD5 | a3c3d134bc66977293954d549643bd13 |
| SHA1 | 915b05bff8f9898be3d16e811e18f383196fc5a4 |
| SHA256 | 8273cfec9d620dfd5eb699b095fc3d1757990cc93aa06613787dcfecb45e9a0b |
| SHA512 | 0343b75273ee0143c0bc2adeb62ca9747dba84390c61fced08026e075f62e44a76ef1a795b80e0a9794fddd1178f72052fbd16219fbbc0b0ae6eab03b195150d |
C:\Windows\System\oqSTCgy.exe
| MD5 | 21585babfbb242a73bc967b57337e15d |
| SHA1 | 531ad24c131222a476bd50b02cbad5a09845dd98 |
| SHA256 | d9bc8a1880108ce764d87741f2a95e1c8b4ac0660ef73eed28e7cffb2a25c1c2 |
| SHA512 | 311402822a726af3c209f854bc3653d908854bfbedf74776024c83b9fb2e288ddda3eac981e4fe30c21da2b818a7e1193abc9e5a6ea62ae32279a0bd45cb4787 |
memory/3248-131-0x00007FF6C0260000-0x00007FF6C05B1000-memory.dmp
memory/4544-130-0x00007FF776E80000-0x00007FF7771D1000-memory.dmp
memory/2888-129-0x00007FF760AB0000-0x00007FF760E01000-memory.dmp
memory/3892-116-0x00007FF7AF3B0000-0x00007FF7AF701000-memory.dmp
memory/1500-111-0x00007FF6A8C20000-0x00007FF6A8F71000-memory.dmp
memory/4748-110-0x00007FF778DE0000-0x00007FF779131000-memory.dmp
memory/972-105-0x00007FF78C300000-0x00007FF78C651000-memory.dmp
memory/3316-104-0x00007FF6175A0000-0x00007FF6178F1000-memory.dmp
memory/4468-95-0x00007FF613ED0000-0x00007FF614221000-memory.dmp
memory/2964-94-0x00007FF6C88B0000-0x00007FF6C8C01000-memory.dmp
memory/2964-132-0x00007FF6C88B0000-0x00007FF6C8C01000-memory.dmp
memory/3580-139-0x00007FF768AD0000-0x00007FF768E21000-memory.dmp
memory/2436-144-0x00007FF73D580000-0x00007FF73D8D1000-memory.dmp
memory/2304-146-0x00007FF690660000-0x00007FF6909B1000-memory.dmp
memory/3436-142-0x00007FF6088D0000-0x00007FF608C21000-memory.dmp
memory/2224-138-0x00007FF6F54B0000-0x00007FF6F5801000-memory.dmp
memory/3756-136-0x00007FF790080000-0x00007FF7903D1000-memory.dmp
memory/3184-150-0x00007FF774430000-0x00007FF774781000-memory.dmp
memory/3892-151-0x00007FF7AF3B0000-0x00007FF7AF701000-memory.dmp
memory/1500-149-0x00007FF6A8C20000-0x00007FF6A8F71000-memory.dmp
memory/2964-154-0x00007FF6C88B0000-0x00007FF6C8C01000-memory.dmp
memory/4468-199-0x00007FF613ED0000-0x00007FF614221000-memory.dmp
memory/3564-201-0x00007FF62B0F0000-0x00007FF62B441000-memory.dmp
memory/4748-203-0x00007FF778DE0000-0x00007FF779131000-memory.dmp
memory/3756-205-0x00007FF790080000-0x00007FF7903D1000-memory.dmp
memory/4544-207-0x00007FF776E80000-0x00007FF7771D1000-memory.dmp
memory/2224-209-0x00007FF6F54B0000-0x00007FF6F5801000-memory.dmp
memory/4512-211-0x00007FF711680000-0x00007FF7119D1000-memory.dmp
memory/3580-213-0x00007FF768AD0000-0x00007FF768E21000-memory.dmp
memory/1396-217-0x00007FF7FB340000-0x00007FF7FB691000-memory.dmp
memory/1064-216-0x00007FF77CBF0000-0x00007FF77CF41000-memory.dmp
memory/2436-220-0x00007FF73D580000-0x00007FF73D8D1000-memory.dmp
memory/3436-221-0x00007FF6088D0000-0x00007FF608C21000-memory.dmp
memory/5016-225-0x00007FF639390000-0x00007FF6396E1000-memory.dmp
memory/2304-224-0x00007FF690660000-0x00007FF6909B1000-memory.dmp
memory/972-235-0x00007FF78C300000-0x00007FF78C651000-memory.dmp
memory/3316-237-0x00007FF6175A0000-0x00007FF6178F1000-memory.dmp
memory/1500-239-0x00007FF6A8C20000-0x00007FF6A8F71000-memory.dmp
memory/3184-241-0x00007FF774430000-0x00007FF774781000-memory.dmp
memory/2888-243-0x00007FF760AB0000-0x00007FF760E01000-memory.dmp
memory/3892-245-0x00007FF7AF3B0000-0x00007FF7AF701000-memory.dmp
memory/3248-247-0x00007FF6C0260000-0x00007FF6C05B1000-memory.dmp
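Every main-image region dumped in this run spans 0x351000 bytes (for example 0x00007FF6C88B0000-0x00007FF6C8C01000), which fits the dropped files being copies of one packed image even though each carries a different hash. The following is an added example, not part of the sandbox report: a parser for the Files listing format used above (memory-dump lines, dropped-file paths, and `| MD5 | … |` hash rows) that turns it into IOC records, rejects truncated or garbled digests by length, and tallies region sizes. The embedded input is an excerpt copied from the behavioral2 listing; the function names are this example's own.

```python
import re
from collections import Counter

# Excerpt copied from the behavioral2 Files listing above; the parser handles the three
# line shapes the report uses: memory-dump lines, dropped-file paths, and hash rows.
REPORT_SNIPPET = r"""
memory/2964-0-0x00007FF6C88B0000-0x00007FF6C8C01000-memory.dmp
memory/2964-1-0x000002623A6C0000-0x000002623A6D0000-memory.dmp
C:\Windows\System\zcaNUmo.exe
| MD5 | 9972e53bac3bb8ee1eadf7a3c3cb7b13 |
| SHA1 | 94286ed279f0e2f0f05ff23632199b6b59f96b8b |
| SHA256 | cb1b657996b7b4533d8730b6efeb8b5808fa74927ed357030f45ddd3ede65dc9 |
| SHA512 | 3d964519e2bc84f6dc573af77632827f8dc372a17fd2280247ece647f45408f8a6b3ca415dcdf7e6992ade86f7f3bceb6598ababf02ae65a2eb2c8f5f37bc8a6 |
memory/4468-8-0x00007FF613ED0000-0x00007FF614221000-memory.dmp
C:\Windows\System\UQJDshL.exe
| MD5 | 1242999156885f2426f5caf169388e4b |
| SHA1 | 00e879306ef4b0c36699bb83c4f890f62024e6e2 |
| SHA256 | 2dd1c7867c2d0de7bfdc5dc8b13ac45c18ee013faa46a45c03bda1990312a9cc |
| SHA512 | c0b1a379fa3160c54205236412875090d0964051f33bc130cbe91410324022215eeeb760e07d8818ef30e572f04bfce39950c8e3c4be644a3f872b47da37cb10 |
"""

HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
# The report writes paths both as C:\Windows\System\x.exe and \Windows\system\x.exe
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\.+\.(?:exe|dll)$", re.IGNORECASE)


def parse_files_section(text):
    """Return (iocs, regions): one dict per dropped file, one per memory region."""
    iocs, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            start, end = int(m[3], 16), int(m[4], 16)
            regions.append({"pid": int(m[1]), "seq": int(m[2]), "start": start, "size": end - start})
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row before any file path: {line}")
            algo, digest = m[1], m[2].lower()
            if len(digest) != HASH_LENGTHS[algo]:  # catches truncated or garbled rows
                raise ValueError(f"{algo} for {current['path']} has {len(digest)} hex digits")
            current[algo.lower()] = digest
            continue
        if PATH_RE.match(line):
            current = {"path": line}
            iocs.append(current)
            continue
        raise ValueError(f"unrecognised line: {line}")
    return iocs, regions


def region_size_histogram(regions):
    """Count dumped regions by size; a repeated size means the same image mapped again."""
    return dict(Counter(r["size"] for r in regions))


def sha256_set(iocs):
    """Sorted SHA256 values, ready for a blocklist or a hash lookup."""
    return sorted(i["sha256"] for i in iocs if "sha256" in i)


if __name__ == "__main__":
    iocs, regions = parse_files_section(REPORT_SNIPPET)
    for i in iocs:
        print(i["path"], i.get("sha256"))
    for size, n in region_size_histogram(regions).items():
        print(f"{n} region(s) of {size:#x} bytes")
```

Feeding the full Files sections of both detonations through `parse_files_section` gives 42 distinct dropped-file hashes for one sample, which is the practical reason to block on the behaviour (writes to C:\Windows\System followed by execution) rather than on the file hashes alone.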
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-14 20:46
Reported
2024-08-14 20:48
Platform
win7-20240705-en
Max time kernel
140s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; the report records no description, indicator, process or target for them.
Cobaltstrike
xmrig
XMRig Miner payload
44 matches; the report records no description, indicator, process or target for them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\jKNFvIi.exe | N/A |
| N/A | N/A | C:\Windows\System\PvyxDhm.exe | N/A |
| N/A | N/A | C:\Windows\System\JONEShn.exe | N/A |
| N/A | N/A | C:\Windows\System\IGjqcNb.exe | N/A |
| N/A | N/A | C:\Windows\System\rQXbGTp.exe | N/A |
| N/A | N/A | C:\Windows\System\etapbWK.exe | N/A |
| N/A | N/A | C:\Windows\System\QmdmnOS.exe | N/A |
| N/A | N/A | C:\Windows\System\DkzrRNB.exe | N/A |
| N/A | N/A | C:\Windows\System\YXEmuTi.exe | N/A |
| N/A | N/A | C:\Windows\System\uIuphof.exe | N/A |
| N/A | N/A | C:\Windows\System\BgedxCb.exe | N/A |
| N/A | N/A | C:\Windows\System\FDFPjVc.exe | N/A |
| N/A | N/A | C:\Windows\System\jepWrzg.exe | N/A |
| N/A | N/A | C:\Windows\System\bCoEPsi.exe | N/A |
| N/A | N/A | C:\Windows\System\SpJQJMq.exe | N/A |
| N/A | N/A | C:\Windows\System\KDLsMpA.exe | N/A |
| N/A | N/A | C:\Windows\System\MTovdVQ.exe | N/A |
| N/A | N/A | C:\Windows\System\uIcMNcG.exe | N/A |
| N/A | N/A | C:\Windows\System\FIkOTkZ.exe | N/A |
| N/A | N/A | C:\Windows\System\UdQyAZR.exe | N/A |
| N/A | N/A | C:\Windows\System\bGcyJsv.exe | N/A |
Loads dropped DLL
UPX packed file
64 matches; the report records no description, indicator, process or target for them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_14cd8eb2e76e8658710872760ab8aade_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\jKNFvIi.exe
C:\Windows\System\jKNFvIi.exe
C:\Windows\System\PvyxDhm.exe
C:\Windows\System\PvyxDhm.exe
C:\Windows\System\JONEShn.exe
C:\Windows\System\JONEShn.exe
C:\Windows\System\IGjqcNb.exe
C:\Windows\System\IGjqcNb.exe
C:\Windows\System\rQXbGTp.exe
C:\Windows\System\rQXbGTp.exe
C:\Windows\System\etapbWK.exe
C:\Windows\System\etapbWK.exe
C:\Windows\System\QmdmnOS.exe
C:\Windows\System\QmdmnOS.exe
C:\Windows\System\DkzrRNB.exe
C:\Windows\System\DkzrRNB.exe
C:\Windows\System\YXEmuTi.exe
C:\Windows\System\YXEmuTi.exe
C:\Windows\System\uIuphof.exe
C:\Windows\System\uIuphof.exe
C:\Windows\System\FDFPjVc.exe
C:\Windows\System\FDFPjVc.exe
C:\Windows\System\BgedxCb.exe
C:\Windows\System\BgedxCb.exe
C:\Windows\System\jepWrzg.exe
C:\Windows\System\jepWrzg.exe
C:\Windows\System\bCoEPsi.exe
C:\Windows\System\bCoEPsi.exe
C:\Windows\System\SpJQJMq.exe
C:\Windows\System\SpJQJMq.exe
C:\Windows\System\KDLsMpA.exe
C:\Windows\System\KDLsMpA.exe
C:\Windows\System\MTovdVQ.exe
C:\Windows\System\MTovdVQ.exe
C:\Windows\System\uIcMNcG.exe
C:\Windows\System\uIcMNcG.exe
C:\Windows\System\FIkOTkZ.exe
C:\Windows\System\FIkOTkZ.exe
C:\Windows\System\UdQyAZR.exe
C:\Windows\System\UdQyAZR.exe
C:\Windows\System\bGcyJsv.exe
C:\Windows\System\bGcyJsv.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2496-0-0x000000013FAC0000-0x000000013FE11000-memory.dmp
memory/2496-1-0x00000000002F0000-0x0000000000300000-memory.dmp
memory/2496-7-0x000000013F610000-0x000000013F961000-memory.dmp
\Windows\system\JONEShn.exe
| MD5 | ffd55bff6322360252fbaa81ecb4c976 |
| SHA1 | 995220c46be2be79d45dc7534463461039a1254b |
| SHA256 | e783d4568a1e4427091af7a185c21bff288ddf9c189200c14a2808f8bf40f60e |
| SHA512 | ce8164a1d3eb99a21a9da6be66fdfe06cbdd41c00de154a68d54150a7adeb5bcc8dba2d346d1654857836e6888cf0ac3fc038aee813d2a8f9cfc87e65548432e |
\Windows\system\PvyxDhm.exe
| MD5 | ced9a572636024b027183a6dc84a6d06 |
| SHA1 | 0e0393e656238a8e99706e69d5de993bd7dd7794 |
| SHA256 | 0c86617267cf83541dfe2d1874bc4e3721c42a04499d1de52cffc3d4653261ea |
| SHA512 | dbfa30e37830dc0048f0da46bcc25b0b24728c9603aa69379aa3d55f0fac1fada547f4a9f9c30e651ae1479242706a14fdb5706cf724e16e59a08e37af82032f |
C:\Windows\system\jKNFvIi.exe
| MD5 | 14324899999c6dd51d47d88eaaccbdd1 |
| SHA1 | 7eae0f3888a84a2dfcab7f4f2e1d5f77a7997cb2 |
| SHA256 | ca47758f2022919f3bd5c55462d0fa635ca95ee553a6ad0e7e0c280ea7b6d33f |
| SHA512 | 717fa894d871b572cc30fa4c05a1320b1bfe1bf4ae4f7f8148f2bc6368f371349ee9a622ad664712e0d0e200dcc71ecb33f9724b942b882908c409a5682d3042 |
memory/2372-16-0x000000013F610000-0x000000013F961000-memory.dmp
memory/2972-22-0x000000013F830000-0x000000013FB81000-memory.dmp
memory/2492-20-0x000000013F880000-0x000000013FBD1000-memory.dmp
memory/2496-18-0x0000000002310000-0x0000000002661000-memory.dmp
\Windows\system\IGjqcNb.exe
| MD5 | 5585d25b35d2b32950e7e2baeddea066 |
| SHA1 | a399f99ed2578dfdc3b5e685ef22bbd7609d793e |
| SHA256 | d1ef87912436b1b7987dc8acf96551bf194e85879d1c8a2c2207af5f4231a80c |
| SHA512 | 1fa9d70c25a7a1b6ac39b7fd680ca3751d5572ac7a64599cfca5634b8755163c5a5efc5ee1341d9843aa3ffd14cf66809af212ab792af92d3df152a232df7c00 |
memory/2496-28-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/2320-38-0x000000013FAB0000-0x000000013FE01000-memory.dmp
memory/2100-41-0x000000013F5E0000-0x000000013F931000-memory.dmp
memory/2496-39-0x000000013F5E0000-0x000000013F931000-memory.dmp
C:\Windows\system\rQXbGTp.exe
| MD5 | fc0047c02cabec383c3747b0570d1fb4 |
| SHA1 | 6e9a360c11a72b78e9217396dc5c6adcc3a3cefa |
| SHA256 | 98ff0f0e9d1ea0da0f6b32551e31645a9d72943072af21535c0def8fe223f45e |
| SHA512 | f6c3d4449ad89e2c2f06d0c087c5fa9d6c946e06c6eda52145730d4069d1426f3ec0df0ef073cd4773926dd6d98f448917c6d9641df642ea21187b2558b1153a |
memory/2476-31-0x000000013F5F0000-0x000000013F941000-memory.dmp
C:\Windows\system\etapbWK.exe
| MD5 | 821e89734f57dfb3a2b95b1ef2fc556c |
| SHA1 | 95726620fa50b4050e93e7f8c238d6eb4b401318 |
| SHA256 | 84b83cc918863e2acf4c939a03d8e4c206cb8aa7c1cbbc4ca9bb1f79bafd73c4 |
| SHA512 | 609240f86699a9c9011943afbbded5eed09719b2491d93db5add9ca769544239c0268ec25cede515cd5b2ff114747385201df4fb425ec90717b305a43d499286 |
memory/2496-53-0x000000013F2F0000-0x000000013F641000-memory.dmp
memory/2780-54-0x000000013F2F0000-0x000000013F641000-memory.dmp
\Windows\system\YXEmuTi.exe
| MD5 | 2da972a47e3bd6ae0e13837726f16aef |
| SHA1 | d59a120212fd5539a2b3568355d81df879fb3bfa |
| SHA256 | 4de48c0ff934811da1a6013453d0ab784392d85508521cba214273512edfe35b |
| SHA512 | f4ce5529fda1addd7eb7231efd4d6cc4c970aef71326b3956df43e19f4ada9aa62587bbbb854f60ee2ec7f284c993acb02268c7a270ff1e22201b27deb399417 |
\Windows\system\uIuphof.exe
| MD5 | ce3f4647c99237035e9ab0c925decc0c |
| SHA1 | c220dfdc8c57c5c6eb5116651c7015c354fc0a00 |
| SHA256 | b1a839a495086e252bd45c1d642ed403e0ab929dc99ea365604c58ea580f40c8 |
| SHA512 | 3b926857ad5bc494ad6c193bae10e70642149b9704e34934caa91933511cb423b04f29f99bf5b7615ce21da476e911f8a66cfa5e10ce715fe3306c014080483b |
memory/2496-79-0x000000013F300000-0x000000013F651000-memory.dmp
memory/2496-80-0x000000013F460000-0x000000013F7B1000-memory.dmp
memory/2860-61-0x000000013FCD0000-0x0000000140021000-memory.dmp
memory/2920-85-0x000000013F300000-0x000000013F651000-memory.dmp
memory/2972-84-0x000000013F830000-0x000000013FB81000-memory.dmp
memory/2496-68-0x0000000002310000-0x0000000002661000-memory.dmp
memory/2372-67-0x000000013F610000-0x000000013F961000-memory.dmp
memory/2100-99-0x000000013F5E0000-0x000000013F931000-memory.dmp
memory/2692-93-0x000000013FEA0000-0x00000001401F1000-memory.dmp
C:\Windows\system\jepWrzg.exe
| MD5 | cb2aae0af7e2a062bab4d0c4e69c2058 |
| SHA1 | a6f073a8ff2d2e4a922d8cb0be9a0f3474e8659a |
| SHA256 | 795a692825521cf909a5e562f3b31862269b8948befffb02214ad27c712bf83f |
| SHA512 | 4347b94d31740577dad8f8c42ba4972f85ac8a4312f31715c3208200011d08b4bf2e04b4cbdea80478c18a96f15423f566b13c5ceeaa867fb7f0154298867ca6 |
memory/2496-109-0x0000000002310000-0x0000000002661000-memory.dmp
\Windows\system\bGcyJsv.exe
| MD5 | 234a613ac13198bea866eca5a2b06e8d |
| SHA1 | cae1eb0565db3233aa5aab28914a96efb05e8177 |
| SHA256 | 97006cdac178e5d2a2609f1cf75ce624ada88aff43f56343685110296150837b |
| SHA512 | 5767cc7871c13b937b31331b710bfba0507529f4f536d6affd2bcf18826ed966828cb771327d0c9ead5436aaaacd7238de29d772363081f564d03cfcd321a6df |
C:\Windows\system\FIkOTkZ.exe
| MD5 | 479058f71acaa7dd2fff4b83048e45ae |
| SHA1 | 2203c4385e143e2e44fbb18a72f855036ef5654a |
| SHA256 | 172bae7e7c9d9a6d05acca5a98a70e7f33a3e7d05b2790e230ac956bd8fd9ad9 |
| SHA512 | fa52ed3b0907495e8b5302ee996f4cd8bfeab26ed793802231dd8fdd5c44e04ea96ee0f4b6bab5a5a789e82a406da8bb96b4846a2dc3f313dccd561538e7a034 |
C:\Windows\system\UdQyAZR.exe
| MD5 | 2a10aaee0180de3acda10ec0fbf79e33 |
| SHA1 | 02cb4dd21c5e03a8d7a7e06bd5d55f250fdad14f |
| SHA256 | a85211f6fef5d60f8eb1407418eed6c88a3ad739c9a304e02438571a2c4cb372 |
| SHA512 | 78c9cd794efe26681568b6c1b228e5725675823151e0a98e164d93db2219e77928d8e57b4c37ade43be66a96b49c0e091ddda40720c37c3760d2752801aa74fb |
C:\Windows\system\MTovdVQ.exe
| MD5 | 7d3acbc6171c8b2649e081f1a7e5e2f1 |
| SHA1 | f0371c355444de0f9a6225e460362a1db31f3afc |
| SHA256 | 1e297a0f62c3bc433efdf6ddbf9cc8e1175a1690f2c86e8894a3d57de51c4a08 |
| SHA512 | 2cc68778d4be5549cd586f15d7a4550f4524b7ae0e90154b30890872535472f42238e6f3ec9ae4f5a196a0b0f64c9d974171e04c4030d0206717d3bd1409d842 |
C:\Windows\system\uIcMNcG.exe
| MD5 | 9beda5b053ddf5b124a9a59bf23af665 |
| SHA1 | e0b7327078af0259eea928d7c3483826968906f7 |
| SHA256 | b924b1440c63ac4037fffc1e7d718a74306e0ef2bc39ccc8ae7b4844bf947824 |
| SHA512 | 2012039293988cb6242cbba7d85e5d07d260060e7fd69596509e290dd99b99f919b0d56a07e1667f845877f699f8162fd639697af4f5478d34da00aa5d86c073 |
C:\Windows\system\KDLsMpA.exe
| MD5 | 5e4e7fb8952bf9047be435e9138b28df |
| SHA1 | 98ece90e4b7920c03a95a35f06a3c43b0b68d7e2 |
| SHA256 | fcac4c02c96dba3c5fa06729e18e44f6b13156dd37e323b3f82bd2fcb2c41c4a |
| SHA512 | db0cb3071145fb1a3224ce3a9a3bf0750bc2c0a7c17788b155405896cda6b0d686ad2197c40ffe9cbf8e2dfe7d91975f186c17b0ee10577620f6744ad682f995 |
memory/2712-108-0x000000013F640000-0x000000013F991000-memory.dmp
memory/2496-107-0x000000013F640000-0x000000013F991000-memory.dmp
C:\Windows\system\SpJQJMq.exe
| MD5 | 1600300c2818bb3d19f284fde0f0f6d6 |
| SHA1 | 9112d9c0a8028aecea82d46486b5bb2d150531c2 |
| SHA256 | fca8d8f05a467c91852f53cc136f2c177f5cb4d523f904057c187d7b1ae37e70 |
| SHA512 | 240e7588ce066b8427ebdefdeef38cf0322d944489011da5a136ee3e4c76e0026e6d9435105d0e7f4c685fde651a2eb748ec7afc7b30ad641d07b47ab5d3360f |
memory/2496-90-0x000000013FEA0000-0x00000001401F1000-memory.dmp
memory/2860-142-0x000000013FCD0000-0x0000000140021000-memory.dmp
memory/2780-141-0x000000013F2F0000-0x000000013F641000-memory.dmp
memory/2496-89-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/2060-101-0x000000013FD10000-0x0000000140061000-memory.dmp
memory/2496-100-0x0000000002310000-0x0000000002661000-memory.dmp
memory/2496-98-0x000000013F5E0000-0x000000013F931000-memory.dmp
memory/2320-97-0x000000013FAB0000-0x000000013FE01000-memory.dmp
C:\Windows\system\bCoEPsi.exe
| MD5 | 6d5cf858d1c1a6d5e8b91a2ac5e7eb64 |
| SHA1 | ff483e6cb898d07e8bf3dbcbd00ae9fec86bf2ff |
| SHA256 | c96ea40cc87a8100254c9b2119f7e35b45662a6b9fe06c6f6ec3d3a70665b516 |
| SHA512 | cf1a8d9db4bb02dc107b8557b00043da1906e5987079536af28499c1fc87e4b569f4da9de44d98dbbd5dc86f5fbb1545d2f2935169cecf44b1d397d2cfc68c8a |
\Windows\system\FDFPjVc.exe
| MD5 | bb078b83699de5c9257cb1ce6f6d8d0f |
| SHA1 | d1c30386adff0f906d8e25c249e02b663c9b1772 |
| SHA256 | f142ea7aebcf12d0ae2f01cd220208239089e99260d07a3b2e70360b1291c523 |
| SHA512 | fdb6924c5a4db15a0d93cdf6a751a215e40c49a798874211eadd9d1f4ada46940e4146f3387450e5fb057d36212e9ee32b42e4237edd5afaa888386cfad2249f |
memory/2496-59-0x000000013FAC0000-0x000000013FE11000-memory.dmp
memory/2892-81-0x000000013F460000-0x000000013F7B1000-memory.dmp
C:\Windows\system\BgedxCb.exe
| MD5 | 2f698a61f859ff212112f3accff69873 |
| SHA1 | eb6cfa7ceb336aeafb4260631c90af1c48a5a4c2 |
| SHA256 | d363d9d69c9dc5d94303652ae38651ef770320f51552efe44e2109035ccf13b3 |
| SHA512 | 3d2c08e593541a96607ed6c41c1fdf448ecd00e65ce17cfb1f506e6851a9a1c17bc11db3da3ad71d16246880387e572be1e83ad69ea536d8c66d55d2a8bb6bfe |
memory/2696-76-0x000000013FBD0000-0x000000013FF21000-memory.dmp
memory/2712-47-0x000000013F640000-0x000000013F991000-memory.dmp
memory/2496-46-0x000000013F640000-0x000000013F991000-memory.dmp
C:\Windows\system\QmdmnOS.exe
| MD5 | 344db9baba30cb5b162db01707475e25 |
| SHA1 | 6791d1737f815a83a1a1b09b38254ad6a5111a5d |
| SHA256 | 0a8ddaf0323600084926485c5685195b80e59c6d61e4261a6a54b01021f0e60e |
| SHA512 | 0ebcddd171be1b2d6c439eb92f2f081db8369d8e89b345b949c9367b42fe73c93bd8d033c70b0cdaf3a5f0ab2b88b9bc9495a521f2bdb0691c8b12f5f1e448ad |
C:\Windows\system\DkzrRNB.exe
| MD5 | d71816412adc8b2607c7bd920c12396a |
| SHA1 | d22ed5e478bc21354d691bc3fff8b7aea72b30c8 |
| SHA256 | 59bbadc2e908d7b97bf3398e5789379ace9520ecbd641123141fc4bd6e7afe91 |
| SHA512 | 79a8f389b51b7173c818cc7b9a3c0d6e28239d5f022d46275b41715052446dfc980986b24cc8b7ce619e127d867ce24d59e6b6d0be7a0088c5a5f6707cedfc7e |
memory/2696-144-0x000000013FBD0000-0x000000013FF21000-memory.dmp
memory/2496-145-0x0000000002310000-0x0000000002661000-memory.dmp
memory/2496-146-0x000000013FAC0000-0x000000013FE11000-memory.dmp
memory/2496-160-0x000000013F460000-0x000000013F7B1000-memory.dmp
memory/2496-159-0x000000013F300000-0x000000013F651000-memory.dmp
memory/2892-158-0x000000013F460000-0x000000013F7B1000-memory.dmp
memory/2060-162-0x000000013FD10000-0x0000000140061000-memory.dmp
memory/2008-166-0x000000013F170000-0x000000013F4C1000-memory.dmp
memory/2876-169-0x000000013FF90000-0x00000001402E1000-memory.dmp
memory/1352-168-0x000000013F750000-0x000000013FAA1000-memory.dmp
memory/1792-167-0x000000013FD60000-0x00000001400B1000-memory.dmp
memory/1648-165-0x000000013F940000-0x000000013FC91000-memory.dmp
memory/2400-164-0x000000013F070000-0x000000013F3C1000-memory.dmp
memory/2004-163-0x000000013FA00000-0x000000013FD51000-memory.dmp
memory/2496-170-0x000000013FEA0000-0x00000001401F1000-memory.dmp
memory/2496-171-0x000000013FAC0000-0x000000013FE11000-memory.dmp
memory/2372-217-0x000000013F610000-0x000000013F961000-memory.dmp
memory/2492-219-0x000000013F880000-0x000000013FBD1000-memory.dmp
memory/2972-221-0x000000013F830000-0x000000013FB81000-memory.dmp
memory/2476-223-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/2100-225-0x000000013F5E0000-0x000000013F931000-memory.dmp
memory/2712-238-0x000000013F640000-0x000000013F991000-memory.dmp
memory/2780-240-0x000000013F2F0000-0x000000013F641000-memory.dmp
memory/2320-244-0x000000013FAB0000-0x000000013FE01000-memory.dmp
memory/2696-243-0x000000013FBD0000-0x000000013FF21000-memory.dmp
memory/2860-246-0x000000013FCD0000-0x0000000140021000-memory.dmp
memory/2920-248-0x000000013F300000-0x000000013F651000-memory.dmp
memory/2692-250-0x000000013FEA0000-0x00000001401F1000-memory.dmp
memory/2060-252-0x000000013FD10000-0x0000000140061000-memory.dmp
memory/2892-261-0x000000013F460000-0x000000013F7B1000-memory.dmp