Analysis Overview
SHA256
72133dda07b1d5344bb6caee1e0c8c44b7eb50dc28be603deae0c41367d7c68b
Threat Level: Known bad
The file 2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
xmrig
Cobalt Strike reflective loader
Cobaltstrike family
Cobaltstrike
XMRig Miner payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-14 20:52
Signatures
Cobalt Strike reflective loader
1 match; no description, indicator, process or target detail was exported for this signature.
Cobaltstrike family
XMRig Miner payload
1 match; no description, indicator, process or target detail was exported for this signature.
Xmrig family
UPX packed file
1 match; no description, indicator, process or target detail was exported for this signature.
Unsigned PE
2 matches; no description, indicator, process or target detail was exported for this signature.
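The two static verdicts above, "UPX packed file" and "Unsigned PE", are the first things an analyst reproduces by hand before trusting the rest of the report. The Python below is an added example, not code from the sandbox or from this report: a minimal PE header parser that reads the section table (stock UPX names its sections UPX0/UPX1) and the IMAGE_DIRECTORY_ENTRY_SECURITY data directory (size 0 means no embedded Authenticode signature). Because the sample itself is not on the page, the input is a constructed PE32+ header built by `build_sample_pe`, a helper written only for this example; feed `parse_pe` the bytes of the real sample or of any of the dropped executables to run the same checks.

```python
import struct

# Layout constants from the PE/COFF specification; nothing here is sample-specific.
DOS_E_LFANEW_OFFSET = 0x3C
COFF_HEADER_FMT = "<HHIIIHH"  # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
SECTION_HEADER_SIZE = 40
DATA_DIR_OFFSET = {0x10B: 96, 0x20B: 112}  # start of the data directories for PE32 / PE32+
SECURITY_DIR_INDEX = 4                      # IMAGE_DIRECTORY_ENTRY_SECURITY (Authenticode blob)


def parse_pe(data: bytes) -> dict:
    """Return section names and the Authenticode data-directory entry of a PE image."""
    try:
        if data[:2] != b"MZ":
            raise ValueError("missing MZ header")
        e_lfanew = struct.unpack_from("<I", data, DOS_E_LFANEW_OFFSET)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        coff = e_lfanew + 4
        machine, nsections, _, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER_FMT, data, coff)
        opt = coff + struct.calcsize(COFF_HEADER_FMT)
        magic = struct.unpack_from("<H", data, opt)[0]
        if magic not in DATA_DIR_OFFSET:
            raise ValueError(f"unknown optional header magic {magic:#x}")
        # Each data-directory entry is (VirtualAddress, Size). For the security entry the
        # first field is a raw file offset, not an RVA, because the blob sits outside sections.
        sec_va, sec_size = struct.unpack_from("<II", data, opt + DATA_DIR_OFFSET[magic] + SECURITY_DIR_INDEX * 8)
        table = opt + opt_size
        names = []
        for i in range(nsections):
            raw = struct.unpack_from("<8s", data, table + i * SECTION_HEADER_SIZE)[0]
            names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    except struct.error as exc:
        raise ValueError("truncated PE header") from exc
    return {"machine": machine, "pe32plus": magic == 0x20B, "sections": names, "security_dir": (sec_va, sec_size)}


def looks_upx_packed(info: dict) -> bool:
    # Stock UPX names sections UPX0/UPX1 (UPX2 for resources). A rebuilt packer with
    # renamed sections defeats this, so treat the hit as a hint to unpack, not as proof.
    return any(name.startswith("UPX") for name in info["sections"])


def has_embedded_signature(info: dict) -> bool:
    # Zero size means no Authenticode blob is embedded. Catalog-signed Windows files also
    # report zero here, so "Unsigned PE" in a sandbox means "no embedded signature" only.
    return info["security_dir"][1] > 0


def build_sample_pe(section_names, signed: bool) -> bytes:
    """Constructed, code-free PE32+ header used as sample input for this example."""
    dos = b"MZ" + b"\0" * (DOS_E_LFANEW_OFFSET - 2) + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack(COFF_HEADER_FMT, 0x8664, len(section_names), 0, 0, 0, 240, 0x22)
    opt = bytearray(240)  # PE32+ optional header including all 16 data directories
    struct.pack_into("<H", opt, 0, 0x20B)
    if signed:
        struct.pack_into("<II", opt, DATA_DIR_OFFSET[0x20B] + SECURITY_DIR_INDEX * 8, 0x1000, 0x800)
    sections = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"), 0, 0, 0, 0, 0, 0, 0, 0, 0)
        for name in section_names
    )
    return dos + coff + bytes(opt) + sections


if __name__ == "__main__":
    for names, signed in ((["UPX0", "UPX1", ".rsrc"], False), ([".text", ".rdata", ".data"], True)):
        info = parse_pe(build_sample_pe(names, signed))
        print(info["sections"], "UPX" if looks_upx_packed(info) else "-",
              "signed" if has_embedded_signature(info) else "unsigned")
```

On a real file, pair the section-name hint with the usual corroboration (high section entropy, an entry point inside the last section, a near-empty import table) before concluding it is UPX; and remember that every dropped executable in the two detonations below has its own hash, so each one needs this check separately.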
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-14 20:52
Reported
2024-08-14 20:55
Platform
win10v2004-20240802-en
Max time kernel
140s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target detail was exported for this signature.
Cobaltstrike
xmrig
XMRig Miner payload
46 matches; no description, indicator, process or target detail was exported for this signature.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\vggzEfU.exe | N/A |
| N/A | N/A | C:\Windows\System\XMWdxEg.exe | N/A |
| N/A | N/A | C:\Windows\System\vseJgKb.exe | N/A |
| N/A | N/A | C:\Windows\System\NAgHgem.exe | N/A |
| N/A | N/A | C:\Windows\System\bLQvdey.exe | N/A |
| N/A | N/A | C:\Windows\System\wbvRmXr.exe | N/A |
| N/A | N/A | C:\Windows\System\CDMQFqw.exe | N/A |
| N/A | N/A | C:\Windows\System\SaOUnxN.exe | N/A |
| N/A | N/A | C:\Windows\System\PLhUzSF.exe | N/A |
| N/A | N/A | C:\Windows\System\JizhngT.exe | N/A |
| N/A | N/A | C:\Windows\System\HelVvxt.exe | N/A |
| N/A | N/A | C:\Windows\System\mclAoPu.exe | N/A |
| N/A | N/A | C:\Windows\System\okbDsto.exe | N/A |
| N/A | N/A | C:\Windows\System\Qzaylvk.exe | N/A |
| N/A | N/A | C:\Windows\System\tpZQRTB.exe | N/A |
| N/A | N/A | C:\Windows\System\RlWwhAf.exe | N/A |
| N/A | N/A | C:\Windows\System\ilTRwuh.exe | N/A |
| N/A | N/A | C:\Windows\System\Bhneiar.exe | N/A |
| N/A | N/A | C:\Windows\System\KUsDZSM.exe | N/A |
| N/A | N/A | C:\Windows\System\SDVVOkp.exe | N/A |
| N/A | N/A | C:\Windows\System\dMfpiNW.exe | N/A |
UPX packed file
64 matches; no description, indicator, process or target detail was exported for this signature.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\vggzEfU.exe
C:\Windows\System\vggzEfU.exe
C:\Windows\System\XMWdxEg.exe
C:\Windows\System\XMWdxEg.exe
C:\Windows\System\vseJgKb.exe
C:\Windows\System\vseJgKb.exe
C:\Windows\System\NAgHgem.exe
C:\Windows\System\NAgHgem.exe
C:\Windows\System\bLQvdey.exe
C:\Windows\System\bLQvdey.exe
C:\Windows\System\CDMQFqw.exe
C:\Windows\System\CDMQFqw.exe
C:\Windows\System\wbvRmXr.exe
C:\Windows\System\wbvRmXr.exe
C:\Windows\System\SaOUnxN.exe
C:\Windows\System\SaOUnxN.exe
C:\Windows\System\PLhUzSF.exe
C:\Windows\System\PLhUzSF.exe
C:\Windows\System\HelVvxt.exe
C:\Windows\System\HelVvxt.exe
C:\Windows\System\JizhngT.exe
C:\Windows\System\JizhngT.exe
C:\Windows\System\mclAoPu.exe
C:\Windows\System\mclAoPu.exe
C:\Windows\System\okbDsto.exe
C:\Windows\System\okbDsto.exe
C:\Windows\System\Qzaylvk.exe
C:\Windows\System\Qzaylvk.exe
C:\Windows\System\tpZQRTB.exe
C:\Windows\System\tpZQRTB.exe
C:\Windows\System\RlWwhAf.exe
C:\Windows\System\RlWwhAf.exe
C:\Windows\System\ilTRwuh.exe
C:\Windows\System\ilTRwuh.exe
C:\Windows\System\Bhneiar.exe
C:\Windows\System\Bhneiar.exe
C:\Windows\System\KUsDZSM.exe
C:\Windows\System\KUsDZSM.exe
C:\Windows\System\SDVVOkp.exe
C:\Windows\System\SDVVOkp.exe
C:\Windows\System\dMfpiNW.exe
C:\Windows\System\dMfpiNW.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4548-0-0x00007FF61C8B0000-0x00007FF61CC01000-memory.dmp
memory/4548-1-0x000002214D370000-0x000002214D380000-memory.dmp
C:\Windows\System\vggzEfU.exe
| MD5 | 112f2175076c158e6e24f92935648b57 |
| SHA1 | cbcf4426163dcbe08a7370fc7d93c5a6d777cc93 |
| SHA256 | 63ee820123e7601f385ee8e9989e98d3dfcd957bf9dd8807f16e2543005b47a0 |
| SHA512 | 12d2af16a9725131bf22a4b91ea6607d3807df05f0fe401131d81929797849929005681ec2fbfb813c9884a5f50b6bba4e9ac8c5e85436be80c18d1b5a8f6ec0 |
memory/2164-8-0x00007FF751A00000-0x00007FF751D51000-memory.dmp
C:\Windows\System\XMWdxEg.exe
| MD5 | a4766afe38d3a6e0492102aba49f3f96 |
| SHA1 | 41c80dac61b629cf7cf9707f227ce113b888f572 |
| SHA256 | b86c82d87e035a7e6fb2b59cbda743ef43ea58f956dbfdf54466fa8ee2a92e25 |
| SHA512 | c73c280297ed0901f136ee0d64319005ef9e793f31422220e00a3979e3d4c3567006c8ad7cfc51c7acc332bc058b747745527baf4fe6edbce4326981d7406072 |
memory/4788-18-0x00007FF7F99A0000-0x00007FF7F9CF1000-memory.dmp
C:\Windows\System\NAgHgem.exe
| MD5 | 452b3599df9b2a58cb75497bafcce364 |
| SHA1 | a16f18f58811e674d72e3e31e45e19cf21f85d9a |
| SHA256 | 22794e2e6bb0f2de1d0d0660cbcc8b3ebe85e063828c4279c2b945654bed8751 |
| SHA512 | 7f855beec0887e0c9fbae5e0e8d2daad0e938c5d872f5f31ee220a5ab43c42a1d00e1b1cd9dac46a9889eb337e338a862a39309ed985e72bee45e96c748269b3 |
C:\Windows\System\bLQvdey.exe
| MD5 | 8e717d8990f440d4af09afb416dde7f7 |
| SHA1 | 082fcf8926c47cb955bbed27756da5b1572b7424 |
| SHA256 | 6c1f202bb45f20e505b25a76c6809baf90bcf2c950d5d9f4597b2db1ecbe1c2b |
| SHA512 | b16162dbe5d862ea4c49994d1cfe79eb00ed049c0d49e49f8af161ef139c4e8170d7186c5e99d095834f755f17da8d3f936ace54c4020d955841a9071b4a48ec |
memory/1448-28-0x00007FF6B2300000-0x00007FF6B2651000-memory.dmp
memory/1132-46-0x00007FF66B730000-0x00007FF66BA81000-memory.dmp
memory/768-56-0x00007FF774970000-0x00007FF774CC1000-memory.dmp
C:\Windows\System\PLhUzSF.exe
| MD5 | 9f22adb652ca7e509577479551a33b27 |
| SHA1 | b848f518ed2773268f7d4dec8f723f65b83d3fd9 |
| SHA256 | ee6c824831e8fb2cdd09e9cd3aee991241726fee314e4f2af0f02c7b0b2e3628 |
| SHA512 | ec48e1321c342796e8230bb5f321d633d3afd504d52ddc3cb4d8f21f4b09e28591589ce8f54cbcbc563178bc796c97bc5a34c28a7c3d81e638f09bec979a65ca |
memory/4512-69-0x00007FF793580000-0x00007FF7938D1000-memory.dmp
C:\Windows\System\tpZQRTB.exe
| MD5 | d7c9883133883601b074e9516a03c56b |
| SHA1 | 290ac4a7f0c4c144d4f961de695f2857685a808a |
| SHA256 | 6b76c89433e0166f91b49493f24d981a822b98d2543fd7a9fb6e25584125c6c2 |
| SHA512 | dd867962843de05a5ad1ea23c42f019065e0fe2a582fb21ca2ef47b8aadaf4bc4b3b34bb372e5dba5da4d618e5df875eac87b8480482d2abc977fb1bd93c7d4a |
C:\Windows\System\Qzaylvk.exe
| MD5 | d17b39a11f719cfa3f5b776abf93622c |
| SHA1 | 782231a344b5bf63fa903f6b9195223263609e95 |
| SHA256 | d020f29e55f3072f20cc0856b04aa7dcbf27af0512449a5d99e062b78fdb66ca |
| SHA512 | 0d5d2bc9b1a84888816329efe63a8e9b94d146b22640c1cb2e8979c4c270c554f08baeec7d8da40676accdfc099bea6b748c494a134abbb57844bb8982e945c6 |
memory/1604-100-0x00007FF76AAE0000-0x00007FF76AE31000-memory.dmp
C:\Windows\System\ilTRwuh.exe
| MD5 | 79fe620657f6a782f670af214cb88175 |
| SHA1 | 46a823c9f9d71eca473b30e53ed342b851aa7aff |
| SHA256 | ef03c98a579517e6cbd1a249ef63ece7ea493194af3a980e8be20605e053b84a |
| SHA512 | dbd6368d6c296c5000c4f1281c7849e8349e7a8ae98cca6eaf85433e46137d85629d957fcaca17559e2a273e0e796286b02cbaf0e66492c824148063d6eb163d |
C:\Windows\System\RlWwhAf.exe
| MD5 | 940daf91e823e4b4c99887ed2c7b1044 |
| SHA1 | ace6dc2b325663664b450190986276b4b6b76f40 |
| SHA256 | 113aac504f6e860ff0e07ba38b93650d7d66878ce58ac414db68cfd0483e43ad |
| SHA512 | e9dd70a990eb07649dbf7dd154a70fd303451c1e74ade038f3053466292542f07bd2d401d2374b67e695c80bf66fef910b7e8dc9418e3f52f8cbde037974ce6a |
memory/2028-101-0x00007FF69FD40000-0x00007FF6A0091000-memory.dmp
memory/4548-97-0x00007FF61C8B0000-0x00007FF61CC01000-memory.dmp
memory/3256-96-0x00007FF71A490000-0x00007FF71A7E1000-memory.dmp
memory/4764-89-0x00007FF66C530000-0x00007FF66C881000-memory.dmp
memory/4492-85-0x00007FF666040000-0x00007FF666391000-memory.dmp
C:\Windows\System\okbDsto.exe
| MD5 | be79bb72b307ab96a7cac44341b8a535 |
| SHA1 | 805fd33fe670bfd8bbb12eaf42901e7605e445b1 |
| SHA256 | 114cde461a6e09e923f7c217ad5665879d7bda871455408e01d50fbe63882c7f |
| SHA512 | dda784c23317fb24bb558770aa8362928b04352a97933ea98242573922f5132f599d404afb09570805d6c29642d0a12972f76f3609a7f0a4194cd2bc9580f97c |
C:\Windows\System\HelVvxt.exe
| MD5 | 8bcffcf26c28e8b88abf4be8f257291b |
| SHA1 | 9d1c3c1c9de470a625fd66998d5e364f871814fc |
| SHA256 | 283dc24c08b405f7655c8b8c1247bf5c19d4ba44ed6fe213edf35f2ab613b10c |
| SHA512 | b39c17c5f62fb9491cd87ecd1130f55454719b8da3b41eafd49001d9ad0d72e901e2de201819c343f2eb79337268c713513bd3a2ec0c13ff5bd4849d2fa6b16c |
memory/3020-76-0x00007FF6DD6E0000-0x00007FF6DDA31000-memory.dmp
C:\Windows\System\mclAoPu.exe
| MD5 | e5b7e680c1b6f482ecfa4c52e3a099f0 |
| SHA1 | e11bd106346b5824be1df42186b5f0b64e291b4d |
| SHA256 | e00dfd0723595ccd100586764d233c829e2253acd84e0c1a07fc4209b397565c |
| SHA512 | f5b01f2baddff03dbdbf55d4fdaa9d8e557bb2ca98cae828a1bc9d86a86db5ebb5dddf3a25b4c21a30a4ddc25820155b5c79a1f6807a986cf0130c82f59cceb3 |
memory/1596-68-0x00007FF6C5210000-0x00007FF6C5561000-memory.dmp
C:\Windows\System\JizhngT.exe
| MD5 | a023e9574dc0b6dc558b191ec6c5a675 |
| SHA1 | 73f205cd7d6c6452fa869c328f0cb1a54783770b |
| SHA256 | 91280fd3d25ab882717547e0db04b071a39a0592218827be4c529f9743d9389a |
| SHA512 | 297c1754beb15800f1d5efcb4bec8279d9189871046132ed331d46bb63bbf8296d26888d6065adf5f850d0588b8e8ec875c488900d0585521323f6131f66e43b |
memory/800-63-0x00007FF609DB0000-0x00007FF60A101000-memory.dmp
memory/4408-62-0x00007FF630E80000-0x00007FF6311D1000-memory.dmp
C:\Windows\System\SaOUnxN.exe
| MD5 | 8445f115208c14231d5ea458a88ee6d7 |
| SHA1 | 357062b76c410942ad409b6f92254bdc7c7b2e17 |
| SHA256 | e58d1fc3a957552ba5be71bb0fa68de6c0a3e5360461ec911ffcc314b1203d38 |
| SHA512 | 7500cd1d39f5c4a8870704ec8600953218d50062018abc81afb63e89dd0cc4a0de67960f2ae942d756763738eeb363ed6fe3fc995b937771813b8b40ef0cf160 |
memory/3892-45-0x00007FF7D9870000-0x00007FF7D9BC1000-memory.dmp
C:\Windows\System\wbvRmXr.exe
| MD5 | 5494db551da7d46346d6323e6e9a28d2 |
| SHA1 | fc091e071e6df9d0489273a3c0a847b15d254904 |
| SHA256 | df1f44d9facd2eee88d6f626b3ceb9f73ab5de30dfa294cd5bebccaee0f95561 |
| SHA512 | 2a92a1175b99e279af838dee92d0727e694ad4991d0755d27c65caf5b5e86dec97dfe02ff72d9ad91857b01f0ea54b2c10a6127159e16369acaccb300b411759 |
C:\Windows\System\CDMQFqw.exe
| MD5 | 79f5d0f0e9d8904648acd41fd223ac49 |
| SHA1 | 58ad732378798add09f6321685ce4effcc8d19e0 |
| SHA256 | b6c7164585c47be123136ff603458e835407f64414a3648eaa1caaca370fe44a |
| SHA512 | b83eddba859308d0ca0ab129dd88b111f936451498633aa2e8941ceeb8f298965769bcbdc9b47fc4fb77a88992f208e51d734445a8b33df193416ae08d29dbc3 |
memory/836-32-0x00007FF646010000-0x00007FF646361000-memory.dmp
C:\Windows\System\vseJgKb.exe
| MD5 | f836b41e4084350dbb189a49658dde50 |
| SHA1 | c38d8c34ef5f3227049fb856730fcd00cba05dfd |
| SHA256 | 6aa945672a09f16a97669e40815e4ed2114845218eea7c87f2ec314f997f4912 |
| SHA512 | 20a97ed14fa9025c1366ed847d76fe08c3b7793f928215fb262532f17814947f224c2e69b884a7c8b7e7911d3af9377a2d8420bb33ffe75a5acabc55eff29a19 |
C:\Windows\System\Bhneiar.exe
| MD5 | 425b1b42e61982d1e92521cefc7e4aea |
| SHA1 | e15015fdc4906b18b37150bbecdad9b878d28040 |
| SHA256 | 099c3232a42f5fd7a32491d7b037ca90c82b1b2de1ab2b30d92db045661899f0 |
| SHA512 | 7447ff7daf802f54394f95a1912dfdab36c96457ded55277c1e79aa9e882886469a7cfc6cbdd2c05f26d635c14100e588ac686962e047133b31ba926944719a0 |
C:\Windows\System\KUsDZSM.exe
| MD5 | 2103b2d482b9a2102fbe342fcf2dc346 |
| SHA1 | 802ba6b8711af4ce32c1dfcf93c8dd264b99e3c3 |
| SHA256 | 5641d2cddc51160446b5161cd836abf2d378721fba82ffa84b9c17c74f5fc024 |
| SHA512 | 7a1cbd23462d1f86e8cbf32b29d7bbaf9ebaa79971db570fc977741bdf53a137aaad48cc64b401bd533438949179cdfcfdc7245c2c0d08dfe327908019a5f1fc |
memory/2164-109-0x00007FF751A00000-0x00007FF751D51000-memory.dmp
memory/3276-117-0x00007FF6B2560000-0x00007FF6B28B1000-memory.dmp
memory/3044-120-0x00007FF6B2880000-0x00007FF6B2BD1000-memory.dmp
C:\Windows\System\SDVVOkp.exe
| MD5 | db0d057db7440a672ff9f06f573decd4 |
| SHA1 | ff2260a3657180dd43cb2a64631ff3f709deaedc |
| SHA256 | e64daf65538bdc557c035bf78b3755be18e5a40b3a1f76689bc01cc189e9a4a1 |
| SHA512 | cbd95e0ae9a22e34cc1886115679978dc6b692cbe600292d42599d801a0c520fdde1be60ba6e0335a7074991347dfa47fb8df96410fd8d82e052b7e3bbcf5af3 |
C:\Windows\System\dMfpiNW.exe
| MD5 | bb58815587f4526f0a888a53d90fa884 |
| SHA1 | b0976959f3f0ff49d2066b8eef471080a9aacffb |
| SHA256 | a26d926fa22b636852c05a2043e426ec86cf48c331a7b2ec79f842cc7e3f3b8c |
| SHA512 | 1f5225c795c40d89d2c4f17a890993b8774af06d21abeeedc764fe8a5806673ee64b03995b403346c6103bd5cc4bb33b2e5f45eb5e64b279403c0e841e1bb747 |
memory/3892-129-0x00007FF7D9870000-0x00007FF7D9BC1000-memory.dmp
memory/836-128-0x00007FF646010000-0x00007FF646361000-memory.dmp
memory/768-130-0x00007FF774970000-0x00007FF774CC1000-memory.dmp
memory/1540-132-0x00007FF640500000-0x00007FF640851000-memory.dmp
memory/4152-131-0x00007FF6A79E0000-0x00007FF6A7D31000-memory.dmp
memory/4548-133-0x00007FF61C8B0000-0x00007FF61CC01000-memory.dmp
memory/1596-143-0x00007FF6C5210000-0x00007FF6C5561000-memory.dmp
memory/4764-147-0x00007FF66C530000-0x00007FF66C881000-memory.dmp
memory/1604-150-0x00007FF76AAE0000-0x00007FF76AE31000-memory.dmp
memory/2028-149-0x00007FF69FD40000-0x00007FF6A0091000-memory.dmp
memory/3256-148-0x00007FF71A490000-0x00007FF71A7E1000-memory.dmp
memory/4492-146-0x00007FF666040000-0x00007FF666391000-memory.dmp
memory/4512-145-0x00007FF793580000-0x00007FF7938D1000-memory.dmp
memory/800-142-0x00007FF609DB0000-0x00007FF60A101000-memory.dmp
memory/4548-155-0x00007FF61C8B0000-0x00007FF61CC01000-memory.dmp
memory/2164-201-0x00007FF751A00000-0x00007FF751D51000-memory.dmp
memory/4788-203-0x00007FF7F99A0000-0x00007FF7F9CF1000-memory.dmp
memory/1448-205-0x00007FF6B2300000-0x00007FF6B2651000-memory.dmp
memory/836-207-0x00007FF646010000-0x00007FF646361000-memory.dmp
memory/1132-211-0x00007FF66B730000-0x00007FF66BA81000-memory.dmp
memory/4408-210-0x00007FF630E80000-0x00007FF6311D1000-memory.dmp
memory/800-214-0x00007FF609DB0000-0x00007FF60A101000-memory.dmp
memory/3892-217-0x00007FF7D9870000-0x00007FF7D9BC1000-memory.dmp
memory/768-216-0x00007FF774970000-0x00007FF774CC1000-memory.dmp
memory/4492-220-0x00007FF666040000-0x00007FF666391000-memory.dmp
memory/3020-225-0x00007FF6DD6E0000-0x00007FF6DDA31000-memory.dmp
memory/4512-224-0x00007FF793580000-0x00007FF7938D1000-memory.dmp
memory/1596-222-0x00007FF6C5210000-0x00007FF6C5561000-memory.dmp
memory/2028-232-0x00007FF69FD40000-0x00007FF6A0091000-memory.dmp
memory/3256-233-0x00007FF71A490000-0x00007FF71A7E1000-memory.dmp
memory/1604-230-0x00007FF76AAE0000-0x00007FF76AE31000-memory.dmp
memory/4764-228-0x00007FF66C530000-0x00007FF66C881000-memory.dmp
memory/3276-236-0x00007FF6B2560000-0x00007FF6B28B1000-memory.dmp
memory/3044-238-0x00007FF6B2880000-0x00007FF6B2BD1000-memory.dmp
memory/4152-240-0x00007FF6A79E0000-0x00007FF6A7D31000-memory.dmp
memory/1540-242-0x00007FF640500000-0x00007FF640851000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-14 20:52
Reported
2024-08-14 20:55
Platform
win7-20240704-en
Max time kernel
144s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target detail was exported for this signature.
Cobaltstrike
xmrig
XMRig Miner payload
43 matches; no description, indicator, process or target detail was exported for this signature.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\swMTlEc.exe | N/A |
| N/A | N/A | C:\Windows\System\Kdddvdr.exe | N/A |
| N/A | N/A | C:\Windows\System\MADeOAY.exe | N/A |
| N/A | N/A | C:\Windows\System\nsDoLCB.exe | N/A |
| N/A | N/A | C:\Windows\System\LkTAIwD.exe | N/A |
| N/A | N/A | C:\Windows\System\zlhdrJk.exe | N/A |
| N/A | N/A | C:\Windows\System\mqyhChp.exe | N/A |
| N/A | N/A | C:\Windows\System\zKdYqnj.exe | N/A |
| N/A | N/A | C:\Windows\System\NbpFTsD.exe | N/A |
| N/A | N/A | C:\Windows\System\vDTNutZ.exe | N/A |
| N/A | N/A | C:\Windows\System\nWTIAlY.exe | N/A |
| N/A | N/A | C:\Windows\System\uCpKApE.exe | N/A |
| N/A | N/A | C:\Windows\System\hcDrYnC.exe | N/A |
| N/A | N/A | C:\Windows\System\otVTfQW.exe | N/A |
| N/A | N/A | C:\Windows\System\uJoaOER.exe | N/A |
| N/A | N/A | C:\Windows\System\INisaQk.exe | N/A |
| N/A | N/A | C:\Windows\System\SkOaSRC.exe | N/A |
| N/A | N/A | C:\Windows\System\EdIeaBd.exe | N/A |
| N/A | N/A | C:\Windows\System\Zmsrbzv.exe | N/A |
| N/A | N/A | C:\Windows\System\CLnrZnk.exe | N/A |
| N/A | N/A | C:\Windows\System\aTXaaCx.exe | N/A |
Loads dropped DLL
UPX packed file
64 matches; no description, indicator, process or target detail was exported for this signature.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
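In both detonations (this one and behavioral2 above) the original sample enables SeLockMemoryPrivilege. That is the right XMRig needs so that VirtualAlloc with MEM_LARGE_PAGES succeeds for its RandomX huge-page buffers, and it is rarely enabled by anything other than database engines on a normal endpoint. On a host, the same AdjustTokenPrivileges call surfaces as Security event 4703 ("A user right was adjusted") once the Audit Token Right Adjusted subcategory (Policy Change) is enabled, which Windows 10 / Server 2016 and later support. The Python below is an added example, not code from the report or from the sandbox vendor: a detection rule run over constructed 4703 records shaped like the event's EventData. The allow-list of legitimate large-page users (SQL Server) and the list of untrusted parent directories are analyst assumptions to tune per environment.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

SUSPICIOUS_PRIV = "SeLockMemoryPrivilege"

# Assumption: images that legitimately enable "Lock pages in memory". Extend per environment.
ALLOWED_IMAGES = {
    r"c:\program files\microsoft sql server\mssql15.mssqlserver\mssql\binn\sqlservr.exe",
}

# Assumption: directories from which a large-page consumer should never run. Note that
# C:\Windows\System (the legacy 16-bit directory the sample drops into) is not System32.
SUSPICIOUS_DIRS = ("c:\\windows\\system\\", "\\appdata\\local\\temp\\", "c:\\users\\public\\")

# 4703 lists privileges separated by newlines and tabs; tolerate commas from other collectors.
_SPLIT = re.compile(r"[\s,]+")


@dataclass
class Alert:
    severity: str
    process: str
    reason: str


def parse_privileges(field: str) -> set[str]:
    return {p for p in _SPLIT.split(field.strip()) if p}


def evaluate_4703(event: dict) -> Alert | None:
    """Return an Alert when a 4703 record enables SeLockMemoryPrivilege for an unexpected image."""
    if event.get("EventID") != 4703:
        return None
    if SUSPICIOUS_PRIV not in parse_privileges(event.get("EnabledPrivilegeList", "")):
        return None
    image = event.get("ProcessName", "").lower()
    if image in ALLOWED_IMAGES:
        return None
    if any(d in image for d in SUSPICIOUS_DIRS):
        return Alert("high", event["ProcessName"], f"{SUSPICIOUS_PRIV} enabled from untrusted path")
    return Alert("medium", event["ProcessName"], f"{SUSPICIOUS_PRIV} enabled by unrecognised image")


def scan(events) -> list[Alert]:
    return [a for a in (evaluate_4703(e) for e in events) if a is not None]


# Constructed sample records (only the EventData fields the rule uses). The third and
# fourth mirror the process paths seen in this report; the rest are benign or decoy noise.
SAMPLE_EVENTS = [
    {"EventID": 4703, "SubjectUserName": "SYSTEM",
     "ProcessName": r"C:\Windows\System32\svchost.exe",
     "EnabledPrivilegeList": "SeAssignPrimaryTokenPrivilege\n\t\t\tSeIncreaseQuotaPrivilege"},
    {"EventID": 4703, "SubjectUserName": "MSSQLSERVER",
     "ProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL15.MSSQLSERVER\MSSQL\Binn\sqlservr.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    {"EventID": 4703, "SubjectUserName": "Admin",
     "ProcessName": r"C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    {"EventID": 4703, "SubjectUserName": "Admin",
     "ProcessName": r"C:\Windows\System\vggzEfU.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    {"EventID": 4703, "SubjectUserName": "Admin",
     "ProcessName": r"C:\Tools\bench\miner_bench.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege, SeLockMemoryPrivilege"},
    {"EventID": 4688, "ProcessName": r"C:\Windows\System\vggzEfU.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert.severity.upper(), alert.process, "-", alert.reason)
```

The privilege can only be enabled if the account already holds it, so the complementary preventive check is the user-rights assignment itself: on a workstation, "Lock pages in memory" should be assigned to nobody, and a 4703 for it from a user-profile path is worth an immediate look regardless of what the image is called.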
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_2cbc36328c79a498ba643d329b0e8c7d_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\swMTlEc.exe
C:\Windows\System\swMTlEc.exe
C:\Windows\System\Kdddvdr.exe
C:\Windows\System\Kdddvdr.exe
C:\Windows\System\MADeOAY.exe
C:\Windows\System\MADeOAY.exe
C:\Windows\System\nsDoLCB.exe
C:\Windows\System\nsDoLCB.exe
C:\Windows\System\LkTAIwD.exe
C:\Windows\System\LkTAIwD.exe
C:\Windows\System\zlhdrJk.exe
C:\Windows\System\zlhdrJk.exe
C:\Windows\System\mqyhChp.exe
C:\Windows\System\mqyhChp.exe
C:\Windows\System\zKdYqnj.exe
C:\Windows\System\zKdYqnj.exe
C:\Windows\System\NbpFTsD.exe
C:\Windows\System\NbpFTsD.exe
C:\Windows\System\vDTNutZ.exe
C:\Windows\System\vDTNutZ.exe
C:\Windows\System\nWTIAlY.exe
C:\Windows\System\nWTIAlY.exe
C:\Windows\System\uCpKApE.exe
C:\Windows\System\uCpKApE.exe
C:\Windows\System\hcDrYnC.exe
C:\Windows\System\hcDrYnC.exe
C:\Windows\System\otVTfQW.exe
C:\Windows\System\otVTfQW.exe
C:\Windows\System\uJoaOER.exe
C:\Windows\System\uJoaOER.exe
C:\Windows\System\INisaQk.exe
C:\Windows\System\INisaQk.exe
C:\Windows\System\SkOaSRC.exe
C:\Windows\System\SkOaSRC.exe
C:\Windows\System\EdIeaBd.exe
C:\Windows\System\EdIeaBd.exe
C:\Windows\System\Zmsrbzv.exe
C:\Windows\System\Zmsrbzv.exe
C:\Windows\System\CLnrZnk.exe
C:\Windows\System\CLnrZnk.exe
C:\Windows\System\aTXaaCx.exe
C:\Windows\System\aTXaaCx.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
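The two Network tables (this one and behavioral2's) and the two "Executes dropped EXE" tables carry the actionable indicators, but the win10 detonation buries them in sandbox and OS noise. The Python below is an added example, not part of the Triage report: a triage pass over selected rows copied from those tables that separates the sandbox's own reverse-DNS lookups and Windows 10 background traffic from the single endpoint both detonations actually contact, and checks dropped paths against the naming pattern the sample uses (seven mixed-case letters directly under C:\Windows\System, the near-empty legacy 16-bit directory, not System32). The noise-classification rules are analyst assumptions; everything else comes from the tables above.

```python
import re
from collections import Counter

# Selected rows copied from the behavioral2 (win10) and behavioral1 (win7) Network tables.
# An empty domain means the table had no name for the destination.
NETWORK_WIN10 = [
    ("US", "8.8.8.8:53", "8.8.8.8.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "104.219.191.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "34.58.20.217.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "g.bing.com", "udp"),
    ("US", "204.79.197.237:443", "g.bing.com", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "tse1.mm.bing.net", "udp"),
    ("US", "150.171.27.10:443", "tse1.mm.bing.net", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
]
NETWORK_WIN7 = [("DE", "3.120.209.58:8080", "", "tcp")] * 6

# Assumptions: the sandbox resolves every contacted IP through 8.8.8.8 (the in-addr.arpa rows),
# and a Windows 10 image talks to Bing/Microsoft CDNs on its own. Neither is sample behaviour.
SANDBOX_RESOLVER = "8.8.8.8:53"
BACKGROUND_DOMAINS = (".bing.com", ".bing.net")


def classify(row) -> str:
    _country, dest, domain, _proto = row
    if dest == SANDBOX_RESOLVER and domain.endswith(".in-addr.arpa"):
        return "sandbox-reverse-dns"
    if domain.endswith(BACKGROUND_DOMAINS):
        return "os-background"
    return "sample"


def sample_endpoints(rows) -> Counter:
    """Connection count per (ip, port) attributable to the sample itself."""
    counts = Counter()
    for row in rows:
        if classify(row) == "sample":
            ip, port = row[1].rsplit(":", 1)
            counts[(ip, int(port))] += 1
    return counts


# Seven ASCII letters, any case, directly under C:\Windows\System; the trailing backslash
# after "System" is what keeps System32 paths from matching.
DROP_PATTERN = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def matches_drop_pattern(path: str) -> bool:
    return DROP_PATTERN.match(path) is not None


# Three paths from the report's "Executes dropped EXE" tables plus two constructed non-matches.
PATHS = [
    r"C:\Windows\System\vggzEfU.exe",
    r"C:\Windows\System\XMWdxEg.exe",
    r"C:\Windows\system\swMTlEc.exe",
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System\notepad2.exe",
]

if __name__ == "__main__":
    for label, rows in (("win10", NETWORK_WIN10), ("win7", NETWORK_WIN7)):
        for (ip, port), n in sample_endpoints(rows).items():
            print(f"{label}: {ip}:{port} contacted {n}x (candidate C2)")
    for path in PATHS:
        print("DROP " if matches_drop_pattern(path) else "      ", path)
```

The endpoint the filter leaves standing, 3.120.209.58:8080 over plain TCP with no domain, is the same in both detonations and is the only destination the sample itself chose; it and the per-file hashes in the Files sections are the indicators worth blocking, while the naming pattern is the hunting query for hosts where the hashes have already changed.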
Files
memory/1720-0-0x000000013F7F0000-0x000000013FB41000-memory.dmp
memory/1720-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\swMTlEc.exe
| MD5 | 3d371d5dacc9012cd0d244ec5486eb66 |
| SHA1 | 5757cbaea247c145cc12558e9dda63b896fb471d |
| SHA256 | 10e92552fcecfcd5eedc7cd68808c14e38aa2884fc1c2dd50ef6eaa84e87ed43 |
| SHA512 | a3eae246f2135c6046265256b600b08d1089a06d4de730805db3c63320babadf4a08b26d31045f71e802a08f1bf76079c34ac72a5fad632cd04b5ec853e48bd6 |
memory/2092-8-0x000000013F810000-0x000000013FB61000-memory.dmp
C:\Windows\system\Kdddvdr.exe
| MD5 | 5d417e6ed2c264973458b9cb4748f39a |
| SHA1 | d2aec85ec782103f499fe2209c506dce533cc924 |
| SHA256 | 9d83c010bf904606ea2e8f89902efe1928b26e95cc41cab0f826d8d7abc75a9c |
| SHA512 | 236bf9ced0cd561ff3dca6d28d820742ad62cb9013fe93eb276623db581978738082ad76211b90e266a6f1b4f1d54b04199bb8891a13dd1345699d3a347b85bf |
C:\Windows\system\nsDoLCB.exe
| MD5 | 55862bfe0821e496d4520b30d8c8a7e4 |
| SHA1 | 37d0318a5664cddd6814d9fbb88edbdc3ec5882b |
| SHA256 | d355937458754d5a9e7fc76fa82901ad7ebadf9af7e5358847338bfc455e24b5 |
| SHA512 | d04f8107d817ecd45dfdb8fca6072c476e750028177e62e24515f38bbed034a4f9ca405026609a9ef739cc14cd735518e40669becdf6653fd99c54b008c946a3 |
C:\Windows\system\MADeOAY.exe
| MD5 | 7c80c9d8c464e270e633fe3d9dde59a7 |
| SHA1 | b737e3f10f4e24d35ce52f6650c124754252efa7 |
| SHA256 | c9c3c04e940608c7c89a8451525f5eb9f2ee6fd2633e726ef734a7e75e8a0521 |
| SHA512 | fcdb82c8ef828143d53b53f8e6e4fd12d91864c9dafd3b2950ffc0b483ae77f295d23223be42d5c7ac59ca9360a191f60bf57e5335e94c78f5337b2686c9065b |
C:\Windows\system\LkTAIwD.exe
| MD5 | f70e533dc1e455d5dc67c604931ef771 |
| SHA1 | e46c8b03726fb0a8b992ba2c96ace0d532b1278b |
| SHA256 | ed4e2554339fae346a7f2c899fbf97f0333aa39684fbd61e01d16348c01d5062 |
| SHA512 | 47f2c1cda2830ca37454e5c41e5da53a923fe0dbdbb8ea47200e4602a8318f7af3706c88de43e158dc51e7ade14b312d8950cb31229977327f86b104bc4b3681 |
C:\Windows\system\zlhdrJk.exe
| MD5 | d2b8d3acc627d73feb158f14b484df1b |
| SHA1 | c8e335962c42879c57997c06134545bfd168c9cd |
| SHA256 | 515102f63b46cdebab3f3be854c5fc72cb2b421e6081fbd58a78e19c295bdc36 |
| SHA512 | e7fa339629127020587ae48db73634d2dfaf02819bb59890a6777534ac764641b9e3eec20e1891e1e9d3cece2f53eaacade89aa8dd1d5fc8a566f2cc05e27aeb |
C:\Windows\system\zKdYqnj.exe
| MD5 | c5084f712ce9ce0b540eaa15e7cea356 |
| SHA1 | aa57ade594d38b4f242d3de21c3556c9376d7688 |
| SHA256 | 8473c3ddd60dadeb0335222e9614e7c7e2c539a5ec08e5c8c92caf58ebc0f9f2 |
| SHA512 | ace3f8403aff19bec772378c5e4630bd532fc6f664f0b6e12d7567f7bc3d90b65306c6683d4efdbee130633f6b62100803e641c06e3f30ad0e8988a6f434f40e |
C:\Windows\system\vDTNutZ.exe
| MD5 | 8193de7bc54d5500413c2d9d7131519d |
| SHA1 | 2a649ac97c3f9075b4c681b3780c7bda3e155198 |
| SHA256 | 65d91fd852cdbe4d2fe656d1444177efb377a0d9cdb250a706d05dcd943b7896 |
| SHA512 | 3836d6e58f81639d7d0b83bb181aec8b2512ec3a755fc4e6c1a168f9afc44bfa52e9f9f8301317e2901d207cbdd712c71d5584f2239d361c5b9dfeb06401714f |
memory/2780-63-0x000000013FF20000-0x0000000140271000-memory.dmp
memory/1720-62-0x000000013FF20000-0x0000000140271000-memory.dmp
\Windows\system\uCpKApE.exe
| MD5 | aa76f5e1bbb20f21122d4e0ace7363ad |
| SHA1 | a572273c0f0889cd8c2f80fabaadd28706f849e7 |
| SHA256 | 0cfa16fed947daae60ab15eba94fad28502da0e68144f14682b9e905ff102ac4 |
| SHA512 | ea4b0b3d0c0eb39248e78d7467f61fcbe790c66827b685e38326ec7013dd2c8c258df67abd0141eb89f80e0b7fa1f4bc4a47ddd4b298872c8227b06846c92da4 |
memory/2224-61-0x000000013F1D0000-0x000000013F521000-memory.dmp
memory/1720-59-0x000000013F1D0000-0x000000013F521000-memory.dmp
memory/2276-57-0x000000013F750000-0x000000013FAA1000-memory.dmp
memory/1720-55-0x00000000022E0000-0x0000000002631000-memory.dmp
memory/2560-53-0x000000013FC10000-0x000000013FF61000-memory.dmp
memory/1784-51-0x000000013F090000-0x000000013F3E1000-memory.dmp
memory/2528-50-0x000000013F280000-0x000000013F5D1000-memory.dmp
C:\Windows\system\nWTIAlY.exe
| MD5 | 36aee9d5e2e6512b4254f9d0d93a8b37 |
| SHA1 | e92bd88c9ed30eab233833a621cce03a0e2fc2f5 |
| SHA256 | 8515a92d737ec07e4e7a740bc4c2eb7e868d69e3db16f0ac37a9ced31e5d210b |
| SHA512 | d38bb80b1381e5a1b287f43260a1a7a4d53d23a5bbe516a74715ca1a1345a59889415182946950f63d9ab146d1017a94b305179009acad8d95d1d89a489eb913 |
C:\Windows\system\NbpFTsD.exe
| Algorithm | Hash |
| MD5 | 668701a2ba64f44c2382fb76d56d71e2 |
| SHA1 | 65757c53d184429cf66baf659095ab782c7acbed |
| SHA256 | 9c265621ebb32ab12c277192315ad335e1bfc644ad521e1726d8692def95bff8 |
| SHA512 | 28d2e1ffd46729666d666820083179dace67b61c417d198a2c0fcedaed76f8077078a4b385b486ba0234ea0fe9a1ff46e441fa2368b26038681a5fb8954cb041 |
C:\Windows\system\mqyhChp.exe
| Algorithm | Hash |
| MD5 | 887d6657e9cf3ea3fc170f3c52db5bbf |
| SHA1 | 6779680f62d48f8a0a43f3357947f4f5559a9425 |
| SHA256 | 85834ff7cab427e0089ed65be7b83aef183a1fcfeb44b963cf834a75169e4b84 |
| SHA512 | 57de878f3a45e75cfa106678bfcae4052863c9d0582d8c0e12806a37e8c19ef0c7f40efc645129378c3792897be45c607812bff8628db71b6cb23c9718a54958 |
memory/1720-16-0x000000013F280000-0x000000013F5D1000-memory.dmp
memory/1720-71-0x00000000022E0000-0x0000000002631000-memory.dmp
C:\Windows\system\hcDrYnC.exe
| Algorithm | Hash |
| MD5 | 223b669596ed7db1ce0caa0bc1e84eba |
| SHA1 | bd06bbe016601f35071e91b0d7e1fa616a39a3ca |
| SHA256 | 3dab33e9de8461419a7bd2e620555a51103ffbb3eca1e876d34ea4ca8ddd15e6 |
| SHA512 | 7867f3cfb74894adfb39faafe7154be8e33a75fefd937a4e016db80016f1311b622d5289e1306e321f31271954e58673d64dccc1ac43bf001dfd11b537cd92aa |
C:\Windows\system\uJoaOER.exe
| Algorithm | Hash |
| MD5 | ad2c11f72b5fb504b5953a9ee929b4b9 |
| SHA1 | 22596e7f83d61453ce758fb3e7542aa86a54f0ee |
| SHA256 | ca4832e9416658d0fa3f5e7c45bb8d569dee8e2e08aaa86f9a076772c743d512 |
| SHA512 | 13f13a43503374e8993399e736e64636400012f615c86c6a80cd975a2415787f92f2b03ea4a63c902a4929446fe7e2a43cfd39e30a1149e80b8fd8393fc1d56a |
C:\Windows\system\SkOaSRC.exe
| Algorithm | Hash |
| MD5 | c6e082fffc52549f804a2762e5c09b13 |
| SHA1 | 2bd47e11f0634c89af409f299d16f9389bc16e12 |
| SHA256 | 131d12fa81fd65dd7064772da5c553cb24968e63efa8dad29dc2d0393c57b486 |
| SHA512 | caee2379005f9052c2604e4d0a2d66aec2fe2232cfb4a4ef63f7f57de689fbc28f7897e8458ed9624a1d0a2db651beaa8a84467b5b70d5c118b681c34d7343a1 |
C:\Windows\system\CLnrZnk.exe
| Algorithm | Hash |
| MD5 | c6a9a25d5ab98a5eb51cb2d76172c78d |
| SHA1 | 8c0b13835f9b4893bc0dd5f3c1cfb30e0ed3b8c2 |
| SHA256 | a7cf14ff96e698f3bdca5db9f08540327cf91b9bcf493826771058bd8d88f133 |
| SHA512 | de801c54c4c264751b9abbfc997dbdb9c85df20606361bb676101f36a870ab605791028f28afffb91588d324ee05b62f184e7a96c90e3a9b3fe2300c4c9db7da |
\Windows\system\aTXaaCx.exe
| Algorithm | Hash |
| MD5 | b3271f40cf8a0fe036f6b08c16699b81 |
| SHA1 | 422533dcbc0cf90da79da7c2b7d3fdc7d7d5e9cc |
| SHA256 | 536cdb42eb38e4c0494b20fdcfc180e35892213a81aaa6feca17e8bf122b3a0b |
| SHA512 | 318634203078c5f815d74f0d2bbff132b14a36e99ba3500fdd73ec3bf0655bb7a830afc3d790df9ac4a2148443698ddcca7677ed6e72a34e71dc62112b4c514e |
C:\Windows\system\Zmsrbzv.exe
| Algorithm | Hash |
| MD5 | ab992d3ee60957dacb9d8555de4d0e4b |
| SHA1 | 188bf37b1684ccd1ca007414cc8f299ab3108467 |
| SHA256 | 020d42e88139e7693f625e6bcaf17da0e6fa3119c2000ad47ad53e21676443bd |
| SHA512 | 2bd8bcebbcc749ba7c2b6f39babe20c42fa57e14848d8fce9f599df6b74a848ae9918601bd0a2d5bb288ee0584fedff5171eff814000a16453c068fb8d599a6a |
C:\Windows\system\EdIeaBd.exe
| Algorithm | Hash |
| MD5 | 3db7e624ed8e2d3c2ae7c5f39cf82dee |
| SHA1 | e125f368406d976bb57259cfb26cef2e4b9de6e4 |
| SHA256 | 332a39d4df92df944213877ce32c23c880ecdcdcd3758af0d558861fdbb28b68 |
| SHA512 | 8f20752d311d0c150f2e861c0b7a52295657784e351d0e8c6cb8584f2925ac96d9d91e8ef6fe5f4e1559fe8ff88aeff502c931800f86c5b79b03389d4834953a |
C:\Windows\system\INisaQk.exe
| Algorithm | Hash |
| MD5 | 2a1a08434155dba32bd9b03c1d582de3 |
| SHA1 | ad63aaf6c5691584d682a3435eda99c623b52a97 |
| SHA256 | db7665aa06f2803307ea83877f1b8d3ea84aa69d565d75adec10e40f7b417b3b |
| SHA512 | e5c4880807d6bfd71da88bedf08df4185aed875a9c6b1270de32e03271bf7576361b1e433252f3540e25f2f58bdfd396e06903d5efe8b2979d72ec39f21126c7 |
C:\Windows\system\otVTfQW.exe
| Algorithm | Hash |
| MD5 | 202edfa4746e8504aec556e780d753db |
| SHA1 | c791da56238b3df18fb59d1b432bbd029a77f4ed |
| SHA256 | b0e796201fe184f683e748e2cd3ff665dbbbbe3b4ffbc1ef81c9b6a43e130ae5 |
| SHA512 | 9ee6a3fed2cf88c98bd45b3618b970d64cbb5e90e82c12756b6a07a158ce41ec8fcfdc36fccdb619799db25e7a0f63cb30879745ab33cb5fbe4a70ced30ec826 |
memory/2176-119-0x000000013F2C0000-0x000000013F611000-memory.dmp
memory/1720-118-0x000000013F2C0000-0x000000013F611000-memory.dmp
memory/2892-115-0x000000013F310000-0x000000013F661000-memory.dmp
memory/1720-112-0x000000013F310000-0x000000013F661000-memory.dmp
memory/2908-110-0x000000013FA90000-0x000000013FDE1000-memory.dmp
memory/1720-109-0x000000013F7F0000-0x000000013FB41000-memory.dmp
memory/2528-127-0x000000013F280000-0x000000013F5D1000-memory.dmp
memory/1720-126-0x00000000022E0000-0x0000000002631000-memory.dmp
memory/2224-131-0x000000013F1D0000-0x000000013F521000-memory.dmp
memory/1784-128-0x000000013F090000-0x000000013F3E1000-memory.dmp
memory/2560-129-0x000000013FC10000-0x000000013FF61000-memory.dmp
memory/1960-142-0x000000013F3E0000-0x000000013F731000-memory.dmp
memory/1720-145-0x000000013FC10000-0x000000013FF61000-memory.dmp
memory/1720-144-0x000000013F090000-0x000000013F3E1000-memory.dmp
memory/1720-141-0x000000013F3E0000-0x000000013F731000-memory.dmp
memory/756-140-0x000000013FF30000-0x0000000140281000-memory.dmp
memory/1720-139-0x000000013FF30000-0x0000000140281000-memory.dmp
memory/2664-138-0x000000013FAE0000-0x000000013FE31000-memory.dmp
memory/2640-137-0x000000013F630000-0x000000013F981000-memory.dmp
memory/1804-149-0x000000013F640000-0x000000013F991000-memory.dmp
memory/2960-154-0x000000013F1C0000-0x000000013F511000-memory.dmp
memory/2860-153-0x000000013F230000-0x000000013F581000-memory.dmp
memory/2852-152-0x000000013F1C0000-0x000000013F511000-memory.dmp
memory/2848-151-0x000000013F370000-0x000000013F6C1000-memory.dmp
memory/2724-150-0x000000013F7F0000-0x000000013FB41000-memory.dmp
memory/236-148-0x000000013F770000-0x000000013FAC1000-memory.dmp
memory/1720-155-0x000000013F7F0000-0x000000013FB41000-memory.dmp
memory/1720-177-0x000000013F7F0000-0x000000013FB41000-memory.dmp
memory/1720-184-0x000000013F280000-0x000000013F5D1000-memory.dmp
memory/1720-192-0x000000013F310000-0x000000013F661000-memory.dmp
memory/1720-193-0x000000013F2C0000-0x000000013F611000-memory.dmp
memory/1720-204-0x000000013FC10000-0x000000013FF61000-memory.dmp
memory/1720-203-0x000000013F090000-0x000000013F3E1000-memory.dmp
memory/2092-207-0x000000013F810000-0x000000013FB61000-memory.dmp
memory/1784-209-0x000000013F090000-0x000000013F3E1000-memory.dmp
memory/2276-212-0x000000013F750000-0x000000013FAA1000-memory.dmp
memory/2892-215-0x000000013F310000-0x000000013F661000-memory.dmp
memory/2640-217-0x000000013F630000-0x000000013F981000-memory.dmp
memory/2780-214-0x000000013FF20000-0x0000000140271000-memory.dmp
memory/2528-223-0x000000013F280000-0x000000013F5D1000-memory.dmp
memory/2908-225-0x000000013FA90000-0x000000013FDE1000-memory.dmp
memory/2176-227-0x000000013F2C0000-0x000000013F611000-memory.dmp
memory/2224-221-0x000000013F1D0000-0x000000013F521000-memory.dmp
memory/2560-219-0x000000013FC10000-0x000000013FF61000-memory.dmp
memory/1960-242-0x000000013F3E0000-0x000000013F731000-memory.dmp
memory/2664-245-0x000000013FAE0000-0x000000013FE31000-memory.dmp
memory/756-247-0x000000013FF30000-0x0000000140281000-memory.dmp
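The dropped-file and memory-dump listing above is flattened report text, and an analyst usually needs it in structured form before it is useful: a SHA256 blocklist for the dropped executables, and a sanity check on the memory dumps. One thing worth noticing in the listing is that every `memory/<pid>-<seq>-<start>-<end>-memory.dmp` entry spans exactly 0x351000 bytes, whichever process or dropped name it belongs to, and PID 1720 appears alongside nearly every other PID's region. The script below is an added example, not part of the sandbox report or its tooling: its parser and helper names (`parse_report`, `validate_hashes`, `region_sizes`, `regions_by_pid`, `sha256_blocklist`) are this example's own, and `REPORT_EXCERPT` is a constructed subset copied from the entries above (paths kept as the sandbox printed them, including the two without a drive letter). Reading identical region sizes as "one payload repacked under many file names" is an inference for the analyst to confirm, not something the report states.

```python
import re
from collections import Counter

# Constructed excerpt: a subset of the dropped-file and memory-dump entries
# copied from the report above. The parser is this example's own, not the sandbox's.
REPORT_EXCERPT = r"""
C:\Windows\system\zKdYqnj.exe
| MD5 | c5084f712ce9ce0b540eaa15e7cea356 |
| SHA1 | aa57ade594d38b4f242d3de21c3556c9376d7688 |
| SHA256 | 8473c3ddd60dadeb0335222e9614e7c7e2c539a5ec08e5c8c92caf58ebc0f9f2 |
| SHA512 | ace3f8403aff19bec772378c5e4630bd532fc6f664f0b6e12d7567f7bc3d90b65306c6683d4efdbee130633f6b62100803e641c06e3f30ad0e8988a6f434f40e |
memory/2780-63-0x000000013FF20000-0x0000000140271000-memory.dmp
memory/1720-62-0x000000013FF20000-0x0000000140271000-memory.dmp
\Windows\system\uCpKApE.exe
| MD5 | aa76f5e1bbb20f21122d4e0ace7363ad |
| SHA1 | a572273c0f0889cd8c2f80fabaadd28706f849e7 |
| SHA256 | 0cfa16fed947daae60ab15eba94fad28502da0e68144f14682b9e905ff102ac4 |
| SHA512 | ea4b0b3d0c0eb39248e78d7467f61fcbe790c66827b685e38326ec7013dd2c8c258df67abd0141eb89f80e0b7fa1f4bc4a47ddd4b298872c8227b06846c92da4 |
memory/2224-61-0x000000013F1D0000-0x000000013F521000-memory.dmp
memory/1720-59-0x000000013F1D0000-0x000000013F521000-memory.dmp
memory/2276-57-0x000000013F750000-0x000000013FAA1000-memory.dmp
memory/1720-55-0x00000000022E0000-0x0000000002631000-memory.dmp
C:\Windows\system\nWTIAlY.exe
| MD5 | 36aee9d5e2e6512b4254f9d0d93a8b37 |
| SHA1 | e92bd88c9ed30eab233833a621cce03a0e2fc2f5 |
| SHA256 | 8515a92d737ec07e4e7a740bc4c2eb7e868d69e3db16f0ac37a9ced31e5d210b |
| SHA512 | d38bb80b1381e5a1b287f43260a1a7a4d53d23a5bbe516a74715ca1a1345a59889415182946950f63d9ab146d1017a94b305179009acad8d95d1d89a489eb913 |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_DUMP = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")
EXPECTED_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_report(text):
    """Return ({path: {algo: hexdigest}}, [region dicts]) from the flattened report text."""
    files, regions, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_DUMP.match(line)
        if m:
            pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
            regions.append({"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start})
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row before any file path: {line}")
            files[current][m[1]] = m[2].lower()
            continue
        # Anything else is a dropped-file path (the sandbox sometimes omits the drive letter).
        current = line
        files.setdefault(current, {})
    return files, regions


def validate_hashes(files):
    """List (path, algo, reason) for any digest that is missing or has the wrong hex length."""
    problems = []
    for path, digests in files.items():
        for algo, want in EXPECTED_HEX_LEN.items():
            got = digests.get(algo)
            if got is None:
                problems.append((path, algo, "missing"))
            elif len(got) != want:
                problems.append((path, algo, f"length {len(got)} != {want}"))
    return problems


def region_sizes(regions):
    """Distinct mapped-region sizes; a single value means every dump is the same image size."""
    return {r["size"] for r in regions}


def regions_by_pid(regions):
    """How many dumped regions each PID contributed."""
    return Counter(r["pid"] for r in regions)


def sha256_blocklist(files):
    """Sorted, de-duplicated SHA256 digests suitable for a hash blocklist."""
    return sorted({d["SHA256"] for d in files.values() if "SHA256" in d})


if __name__ == "__main__":
    files, regions = parse_report(REPORT_EXCERPT)
    print(f"{len(files)} dropped files, {len(regions)} memory regions")
    print("hash problems:", validate_hashes(files) or "none")
    print("region sizes:", [hex(s) for s in region_sizes(regions)])
    print("regions per PID:", dict(regions_by_pid(regions)))
    for h in sha256_blocklist(files):
        print("sha256:", h)
```

Feeding the script the full listing rather than the excerpt yields one region size, 0x351000, across all of the dumps above, which is the observation that makes the many distinct file hashes less interesting than the in-memory image they unpack to: hash blocklists will miss the next repack, so a memory or behavioural signature (the same-size image, or the Cobalt Strike and XMRig detections the report already flags) is the more durable hunt lead.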