Analysis Overview
SHA256
d99377a546391844c7a4e9917b86ee6d316fceaee76a6ee7cfda39786332d387
Threat Level: Known bad
The file 2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Xmrig family
Cobaltstrike family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-14 20:58
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-14 20:57
Reported
2024-08-14 21:00
Platform
win7-20240704-en
Max time kernel
142s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\rAKCtgP.exe | N/A |
| N/A | N/A | C:\Windows\System\zvRSPIJ.exe | N/A |
| N/A | N/A | C:\Windows\System\fPYONeV.exe | N/A |
| N/A | N/A | C:\Windows\System\voTbKCj.exe | N/A |
| N/A | N/A | C:\Windows\System\gDxENbN.exe | N/A |
| N/A | N/A | C:\Windows\System\nCzXvto.exe | N/A |
| N/A | N/A | C:\Windows\System\ZiYUZAv.exe | N/A |
| N/A | N/A | C:\Windows\System\dpDFlAG.exe | N/A |
| N/A | N/A | C:\Windows\System\oNczCmu.exe | N/A |
| N/A | N/A | C:\Windows\System\NCdAmXU.exe | N/A |
| N/A | N/A | C:\Windows\System\vEYbZRh.exe | N/A |
| N/A | N/A | C:\Windows\System\PlXokHj.exe | N/A |
| N/A | N/A | C:\Windows\System\reMTGcD.exe | N/A |
| N/A | N/A | C:\Windows\System\ygBcHFm.exe | N/A |
| N/A | N/A | C:\Windows\System\uzPBMEb.exe | N/A |
| N/A | N/A | C:\Windows\System\Rpgjbrp.exe | N/A |
| N/A | N/A | C:\Windows\System\DYEsBDF.exe | N/A |
| N/A | N/A | C:\Windows\System\djidzbK.exe | N/A |
| N/A | N/A | C:\Windows\System\kJuSAAh.exe | N/A |
| N/A | N/A | C:\Windows\System\hBzHvwN.exe | N/A |
| N/A | N/A | C:\Windows\System\FhkdbEG.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\rAKCtgP.exe
C:\Windows\System\rAKCtgP.exe
C:\Windows\System\zvRSPIJ.exe
C:\Windows\System\zvRSPIJ.exe
C:\Windows\System\gDxENbN.exe
C:\Windows\System\gDxENbN.exe
C:\Windows\System\fPYONeV.exe
C:\Windows\System\fPYONeV.exe
C:\Windows\System\reMTGcD.exe
C:\Windows\System\reMTGcD.exe
C:\Windows\System\voTbKCj.exe
C:\Windows\System\voTbKCj.exe
C:\Windows\System\ygBcHFm.exe
C:\Windows\System\ygBcHFm.exe
C:\Windows\System\nCzXvto.exe
C:\Windows\System\nCzXvto.exe
C:\Windows\System\uzPBMEb.exe
C:\Windows\System\uzPBMEb.exe
C:\Windows\System\ZiYUZAv.exe
C:\Windows\System\ZiYUZAv.exe
C:\Windows\System\Rpgjbrp.exe
C:\Windows\System\Rpgjbrp.exe
C:\Windows\System\dpDFlAG.exe
C:\Windows\System\dpDFlAG.exe
C:\Windows\System\DYEsBDF.exe
C:\Windows\System\DYEsBDF.exe
C:\Windows\System\oNczCmu.exe
C:\Windows\System\oNczCmu.exe
C:\Windows\System\djidzbK.exe
C:\Windows\System\djidzbK.exe
C:\Windows\System\NCdAmXU.exe
C:\Windows\System\NCdAmXU.exe
C:\Windows\System\kJuSAAh.exe
C:\Windows\System\kJuSAAh.exe
C:\Windows\System\vEYbZRh.exe
C:\Windows\System\vEYbZRh.exe
C:\Windows\System\hBzHvwN.exe
C:\Windows\System\hBzHvwN.exe
C:\Windows\System\PlXokHj.exe
C:\Windows\System\PlXokHj.exe
C:\Windows\System\FhkdbEG.exe
C:\Windows\System\FhkdbEG.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1952-0-0x000000013FE20000-0x0000000140171000-memory.dmp
memory/1952-1-0x00000000000F0000-0x0000000000100000-memory.dmp
C:\Windows\system\zvRSPIJ.exe
| MD5 | 8fd86c87c4dcf9996571c099377464d2 |
| SHA1 | b597873b96d5d314434c3aae7e4175ee18de3b5a |
| SHA256 | 321394c5456f13efd2f1af3618232ffd7cbd27843f7d5e4509f0f8e84d6f909f |
| SHA512 | 7fdf2239bd662771d6c5d6b06c51c0565e2ed31459a8bbc9d489166e5b22db2646bcfec8ac2d69c73c74136fbc2359ebb17ae99ba9a7e03b540136a02e44233a |
\Windows\system\uzPBMEb.exe
| MD5 | 3ae4f93bf930b684f4012f72b796478e |
| SHA1 | a4c57dbb0ace96c5b89694b23563f4f7e32242c4 |
| SHA256 | fb1303f88c61a8350924245a51ba781a273a16cc67dd87104288ece78a1ce20e |
| SHA512 | f4c76a60bf3226e6f6aeb44d0ecf95bcbe35d497d5aa70d3e417badd01a364ceccca3f3f8f730e6603ba3fed4f7f80e829d98b627c3fcf30029cc76ff7105524 |
\Windows\system\PlXokHj.exe
| MD5 | 18e41c75b2737f2b4f8af4a22a762d26 |
| SHA1 | 6ce410d502301b177d522f66dda2f0d7a4b85289 |
| SHA256 | 13a1a16c251d769604ac51a59a6b1cf65159150dfe1e753ccbc3a0a3656fd32b |
| SHA512 | 5c36b2c3d771f67ea7b8ea8e7021dc734599cb8fb095a8dac80b65fffb0d4aaaef0f5489b19771769d728242368903e43c16990313d60bf6699af4b2b6fa9066 |
memory/1952-116-0x000000013F3B0000-0x000000013F701000-memory.dmp
C:\Windows\system\djidzbK.exe
| MD5 | 3aed239ef612d9f25b7f977bc4d4a868 |
| SHA1 | bc32e657c3b4490e51e81ef98c9f9101f58ca324 |
| SHA256 | 94ac41103df04d0cc42f88079a783f42e1e15f7799e0df68c48696bb39687cc8 |
| SHA512 | 067a890465174945267297e45f230a8bc0fa33163b03b09ccd4f6a4272e76eac3846efddac09cefb965666033038e24c1aabb2c1c68232cd57db3793a394d37b |
memory/1952-86-0x00000000021C0000-0x0000000002511000-memory.dmp
memory/3068-96-0x000000013F9E0000-0x000000013FD31000-memory.dmp
memory/2176-95-0x000000013FFC0000-0x0000000140311000-memory.dmp
C:\Windows\system\vEYbZRh.exe
| MD5 | abb3826be8e9ff15deae6effef59dcb5 |
| SHA1 | aac26e2ad80e20c0ed72c6186922026f5244a0a1 |
| SHA256 | e2fabf2f5f245006e280b573b85cc8d8e5b10f1b283a6357d06000db60a784d0 |
| SHA512 | 806d201e84b176653769b3c094102c5aa2b37dc293cb12ba4a9e0442a7a8f43e9fd47e0d28787579b91963ef378a31fc7582b1172690254caba3728fe1549645 |
C:\Windows\system\NCdAmXU.exe
| MD5 | bb3f8956b1c73affbbde1d020fbd2c69 |
| SHA1 | 95f26b452996e26fce57448d63189689d7648269 |
| SHA256 | 6d90ea2728a4b35c7108d84bbedcc6c7a9edde93a15f5a8ac990549a1ed84628 |
| SHA512 | 7ea3415ec9ba3da90986e71fe80a9c9c87bd2540a64133a66b6eaad351fdf1daa1a7cb298d2bd940ae965b16baa020f3e0181859108e3b0d40e037dcb00c12e5 |
C:\Windows\system\oNczCmu.exe
| MD5 | 8ef72604f750cf30fedd1b571a7d6d3e |
| SHA1 | d14f5ed3c4baff7c56f64728b691121d734b12b6 |
| SHA256 | 6ef9307a587083363b15483c65ed6b7037f7d3c0a7209de91406c55f0297a350 |
| SHA512 | b4d62cd2556236b33392a18518bc133bcbe35750d828b77356d773bf359182c3049346880bddd064e5b471d2f710520ab87db9735417968518264f6c62ff2110 |
C:\Windows\system\dpDFlAG.exe
| MD5 | e0b65a3dafff7e2cbf29c0bdac8d2480 |
| SHA1 | c574be5ae904332fcd00de8a8eb7aff638676244 |
| SHA256 | 3b89ed6893c64622c3c07b263a36ff4c13fbef97f7613d6afebfa303e2058d99 |
| SHA512 | 0825169c988f8aafc37dcd1a46ceb238082e9ccaa4a53f9359b8bbf1936e04d86990aec56ca56db9c418c34424885b8b3bb95093b5ba354757306daf1465a98f |
C:\Windows\system\ZiYUZAv.exe
| MD5 | 04e95b26c56f6f3489984b68cc28a044 |
| SHA1 | e469935d5630220866c9138ed73dc40c733b3a4e |
| SHA256 | 478d29331370c9cd07a9e44182709c44c6ed683bd18e24579efe68e70290efa7 |
| SHA512 | 9afc67c518c5d6d895f3017c77121bd4ceb27c5154d10a2b6f85d24baa1d189f4272ade173b87c7c2c74b95041278eefa9d566f1a18877e7a130c36562841c75 |
C:\Windows\system\nCzXvto.exe
| MD5 | 1255524a0818840bfd98795919b7756b |
| SHA1 | 9ac0371ccb2142373e452ff24be532427cf6a952 |
| SHA256 | 1ee97bec2e789308bd4e23e197e6e31060d9173fb1a66ab89fb45e7e30f01ee7 |
| SHA512 | b89ebb5f4185e927ef8c4f22551ec750de7bd6db62bbf1a687d708333cbc0d81dd1ffe4ee842d043e5f2f5cb9968ac8fc1f6b1be85cbcbdc0e72edc3ebb91d03 |
\Windows\system\FhkdbEG.exe
| MD5 | 3163a08a810d7b46f9ddd0a516fd1ec3 |
| SHA1 | 86a3f64fa1b0b93ec7052aff06d79a9cbd0dac8e |
| SHA256 | 0a0c86a9b39a2cacee05dba5ea60f265f9636babdbf63b91adaa6141129cfb0f |
| SHA512 | af1a35a36507b69e06025416facfc031872969e93fa81a0b6fb5e80ac9d88d3a5274ea738bfcbfd5fd6dd02365de0b39c9142a2eb833190092b16b64e4a0651c |
memory/1952-81-0x000000013F340000-0x000000013F691000-memory.dmp
memory/1952-128-0x000000013FE20000-0x0000000140171000-memory.dmp
\Windows\system\hBzHvwN.exe
| MD5 | 5a538338899c5469f2bd401a9310a256 |
| SHA1 | 9bbbfb6c803dfe19f7123da9d669233817d81e70 |
| SHA256 | 3b57999ae5adf4252870f84c943b16a72388976bc45252881d676fbc25a68d64 |
| SHA512 | 4d20698e83b0c2ba8d0a7752aa64ce4f95b8fe24e805c309f022f9ff8e82cc4c4fa0b2d1beff60c0fd214f709f7288dfe5ada5a45a97eb05662a299d7e943ce4 |
\Windows\system\kJuSAAh.exe
| MD5 | 376abc219deeaa9b39bfebab935552bb |
| SHA1 | f308ae745fad42d76a0332a3a56b75f1e09bfbc7 |
| SHA256 | 900013d91711a988523a05af3ac31d8ea448f2e70d48394bf8e77742ceeed03e |
| SHA512 | 4853d12ed3b734096d41c9736d88d11c6296a4797f9c6aa999d858b8de3247f7243e2281941e9f5cada573bd197f0394bc4a3fc94488bc4ca6a92264ef80b7ab |
memory/1952-60-0x000000013F910000-0x000000013FC61000-memory.dmp
\Windows\system\DYEsBDF.exe
| MD5 | f7e81efc09521892db100f8cdb1ee603 |
| SHA1 | ca5ad31e7d7c79a95c7bf3580d1aa902ffd6c6e5 |
| SHA256 | 89430db1dddafaf1e6f04f3791acadd9ec6de9ddf34ea737c3f1f8ad990e5e61 |
| SHA512 | 2dc277762343712d5d9d5b449ed0d8a82ad17fcd95f9270cf3d7b3759aa8110b0c58425b69de028669d6f8b5a46bb41ca9a85ce98b4c63dcd4c45bd449da895f |
C:\Windows\system\gDxENbN.exe
| MD5 | 27b64fc4efee216407cf00ee1f2e28a2 |
| SHA1 | bdb96b01e653ac7f162f5254b53a7b6748c2f193 |
| SHA256 | 1b662c4374e48cb2e26bf79bcb8a0c50e4ba1d56477210794239cea38aaeb2ff |
| SHA512 | b19f80b5372cce01273f15d8b8382b381bbd523e3a144674ac78d8ec5d9245ecada4af0d99c61d4dec2a81e8c4710ddf9226543a0d1208ba7233aaba76c3c692 |
memory/1036-50-0x000000013F900000-0x000000013FC51000-memory.dmp
\Windows\system\Rpgjbrp.exe
| MD5 | c82839f45c742502945124ea6551db41 |
| SHA1 | 25acaa0f596c282e269af00879774e9bafb47d38 |
| SHA256 | 9132f6229fc30a570fd08fdfdbf48a4f2b33d86cf394fcc8527bbe65734b51c3 |
| SHA512 | a86d7ac1ce1486d0bf77f32c0db944fb9b41c9c6cf1065b54605de647805e818c6b5273817b68b85a95731f0cd89229d88ac95b394c154466fe33537edf6ae79 |
memory/2300-41-0x000000013F6D0000-0x000000013FA21000-memory.dmp
memory/1952-115-0x000000013FAA0000-0x000000013FDF1000-memory.dmp
memory/2440-129-0x000000013FC10000-0x000000013FF61000-memory.dmp
memory/1952-114-0x000000013F3C0000-0x000000013F711000-memory.dmp
memory/1952-111-0x000000013F570000-0x000000013F8C1000-memory.dmp
C:\Windows\system\ygBcHFm.exe
| MD5 | f623e27720b07fdc6ff92308df47bdf1 |
| SHA1 | 7e37ab6b76c825cb00ea10ad33a5b3d4d2961901 |
| SHA256 | 99b35d394af20da5a61f372b1d2ed085e6d5d112fb009cecbbdf8316bb1b4b4b |
| SHA512 | 9bafb21e769f12043319233ad283e97de093a1a2c68db21e3020a0508162b8c9fd199c4ef953813425c7ef57c291bb22dfbee6885103343ba01fbb87dc9d39aa |
memory/1952-100-0x00000000021C0000-0x0000000002511000-memory.dmp
C:\Windows\system\reMTGcD.exe
| MD5 | 8638613018abeec4b660d4d6c4bf9ca0 |
| SHA1 | 2f711eb075e3b20fd6685b417a07ac1fab3ca7dd |
| SHA256 | 70899eb29d848f49415422582a784be7bd3c4fff310563c36d96dd142d2989a5 |
| SHA512 | 38ecd05e7bb726f904aec236f41efc7d75d972d17dc13083ae5f50b34891913fbe6f6d8ca83579cf9bb0c03e32ce9623492928dec19317f75dbf338112db7b9d |
memory/2892-98-0x000000013F910000-0x000000013FC61000-memory.dmp
memory/2568-78-0x000000013F0F0000-0x000000013F441000-memory.dmp
memory/1952-58-0x000000013F9E0000-0x000000013FD31000-memory.dmp
memory/1952-57-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/1952-55-0x00000000021C0000-0x0000000002511000-memory.dmp
memory/2452-46-0x000000013F600000-0x000000013F951000-memory.dmp
memory/2440-15-0x000000013FC10000-0x000000013FF61000-memory.dmp
memory/2300-132-0x000000013F6D0000-0x000000013FA21000-memory.dmp
memory/2176-138-0x000000013FFC0000-0x0000000140311000-memory.dmp
memory/2460-137-0x000000013F1B0000-0x000000013F501000-memory.dmp
memory/2496-135-0x000000013F760000-0x000000013FAB1000-memory.dmp
memory/1952-130-0x000000013FE20000-0x0000000140171000-memory.dmp
memory/1952-7-0x00000000021C0000-0x0000000002511000-memory.dmp
C:\Windows\system\rAKCtgP.exe
| MD5 | 761425f6b5e5dff12415bc1c3ec3b924 |
| SHA1 | 97007542a850226029ba74f763cabe1035247764 |
| SHA256 | b1d956cec268896fc5f5eeab0b9a5f7a6d23b38346be562e66c70cee9972256a |
| SHA512 | 65a6e70fa3197e34bfe000e4ecf2bb7536a6961845485298b68b853a374730008cf035de462626e1f524eed96985cff34cfe38a4fa7df15c7b0e6b6e1f89365b |
C:\Windows\system\voTbKCj.exe
| MD5 | 1b84ff67ef4891da136d93231cc89092 |
| SHA1 | b04f4dbe5050bbf160bfb9b75106d48bb9e41e23 |
| SHA256 | 5230a5cf5c61f6479ddb0e097fbd35d9bdbcb99343961e19f5ffd9229dcba7b8 |
| SHA512 | 19701333b2996a7652322d53e35a19bd42ae6979ddd0f0e1040681900ec98b6a14dc1c0549e8d7025dbfe23acdb52ea5296b6f76a3d5a2f47a39e58a18d45a9b |
C:\Windows\system\fPYONeV.exe
| MD5 | 43a0680fdb387594e11ec2397230908d |
| SHA1 | 22ff628f4b80d124365440281b549ec11ce997ee |
| SHA256 | 4f094ec99b796a189a152131ff2f089cb2df1d202499c97b1ba7b1ea7ccc3c51 |
| SHA512 | 24fb9332a8f109d31ed834e85be1035f408c7359f5bd07a777f455cea38f488a54d362ac18162cd2af5c148ac9f558c9c7111a7ea85dbd5244c84cf96bfd82e8 |
memory/1952-26-0x000000013F900000-0x000000013FC51000-memory.dmp
memory/1952-17-0x000000013F0F0000-0x000000013F441000-memory.dmp
memory/1300-148-0x000000013F3C0000-0x000000013F711000-memory.dmp
memory/2628-150-0x000000013F3B0000-0x000000013F701000-memory.dmp
memory/2212-149-0x000000013FAA0000-0x000000013FDF1000-memory.dmp
memory/2732-147-0x000000013FCF0000-0x0000000140041000-memory.dmp
memory/2644-146-0x000000013FE70000-0x00000001401C1000-memory.dmp
memory/2612-145-0x000000013F570000-0x000000013F8C1000-memory.dmp
memory/2724-144-0x000000013FAA0000-0x000000013FDF1000-memory.dmp
memory/2888-143-0x000000013FC90000-0x000000013FFE1000-memory.dmp
memory/2892-142-0x000000013F910000-0x000000013FC61000-memory.dmp
memory/2744-141-0x000000013FAD0000-0x000000013FE21000-memory.dmp
memory/3068-140-0x000000013F9E0000-0x000000013FD31000-memory.dmp
memory/2828-139-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/1952-153-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/1952-152-0x000000013FE20000-0x0000000140171000-memory.dmp
memory/2640-166-0x000000013F340000-0x000000013F691000-memory.dmp
memory/2440-198-0x000000013FC10000-0x000000013FF61000-memory.dmp
memory/2452-221-0x000000013F600000-0x000000013F951000-memory.dmp
memory/2300-225-0x000000013F6D0000-0x000000013FA21000-memory.dmp
memory/1036-223-0x000000013F900000-0x000000013FC51000-memory.dmp
memory/2568-227-0x000000013F0F0000-0x000000013F441000-memory.dmp
memory/2176-230-0x000000013FFC0000-0x0000000140311000-memory.dmp
memory/2892-234-0x000000013F910000-0x000000013FC61000-memory.dmp
memory/3068-237-0x000000013F9E0000-0x000000013FD31000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-14 20:57
Reported
2024-08-14 21:00
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ucepLGH.exe | N/A |
| N/A | N/A | C:\Windows\System\TeLaRry.exe | N/A |
| N/A | N/A | C:\Windows\System\FPKYiFG.exe | N/A |
| N/A | N/A | C:\Windows\System\HvgjWlZ.exe | N/A |
| N/A | N/A | C:\Windows\System\yxxPYkv.exe | N/A |
| N/A | N/A | C:\Windows\System\HFJOcBy.exe | N/A |
| N/A | N/A | C:\Windows\System\IRzMzvw.exe | N/A |
| N/A | N/A | C:\Windows\System\GJkbsDS.exe | N/A |
| N/A | N/A | C:\Windows\System\ojPQsed.exe | N/A |
| N/A | N/A | C:\Windows\System\lJqciEY.exe | N/A |
| N/A | N/A | C:\Windows\System\vBUAOmk.exe | N/A |
| N/A | N/A | C:\Windows\System\dPyoZip.exe | N/A |
| N/A | N/A | C:\Windows\System\KgUEVIr.exe | N/A |
| N/A | N/A | C:\Windows\System\QTqeJRQ.exe | N/A |
| N/A | N/A | C:\Windows\System\cHTaDpl.exe | N/A |
| N/A | N/A | C:\Windows\System\WaREuyW.exe | N/A |
| N/A | N/A | C:\Windows\System\AKIJWdM.exe | N/A |
| N/A | N/A | C:\Windows\System\sAvbqqn.exe | N/A |
| N/A | N/A | C:\Windows\System\SizUtPe.exe | N/A |
| N/A | N/A | C:\Windows\System\eVFSZEo.exe | N/A |
| N/A | N/A | C:\Windows\System\QassaPW.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_4a884931dd6fed9f9908150d6f769d91_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\ucepLGH.exe
C:\Windows\System\ucepLGH.exe
C:\Windows\System\TeLaRry.exe
C:\Windows\System\TeLaRry.exe
C:\Windows\System\HvgjWlZ.exe
C:\Windows\System\HvgjWlZ.exe
C:\Windows\System\FPKYiFG.exe
C:\Windows\System\FPKYiFG.exe
C:\Windows\System\HFJOcBy.exe
C:\Windows\System\HFJOcBy.exe
C:\Windows\System\yxxPYkv.exe
C:\Windows\System\yxxPYkv.exe
C:\Windows\System\IRzMzvw.exe
C:\Windows\System\IRzMzvw.exe
C:\Windows\System\GJkbsDS.exe
C:\Windows\System\GJkbsDS.exe
C:\Windows\System\ojPQsed.exe
C:\Windows\System\ojPQsed.exe
C:\Windows\System\lJqciEY.exe
C:\Windows\System\lJqciEY.exe
C:\Windows\System\vBUAOmk.exe
C:\Windows\System\vBUAOmk.exe
C:\Windows\System\dPyoZip.exe
C:\Windows\System\dPyoZip.exe
C:\Windows\System\KgUEVIr.exe
C:\Windows\System\KgUEVIr.exe
C:\Windows\System\QTqeJRQ.exe
C:\Windows\System\QTqeJRQ.exe
C:\Windows\System\cHTaDpl.exe
C:\Windows\System\cHTaDpl.exe
C:\Windows\System\WaREuyW.exe
C:\Windows\System\WaREuyW.exe
C:\Windows\System\AKIJWdM.exe
C:\Windows\System\AKIJWdM.exe
C:\Windows\System\sAvbqqn.exe
C:\Windows\System\sAvbqqn.exe
C:\Windows\System\SizUtPe.exe
C:\Windows\System\SizUtPe.exe
C:\Windows\System\eVFSZEo.exe
C:\Windows\System\eVFSZEo.exe
C:\Windows\System\QassaPW.exe
C:\Windows\System\QassaPW.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4568-0-0x00007FF674800000-0x00007FF674B51000-memory.dmp
memory/4568-1-0x000001C6A25B0000-0x000001C6A25C0000-memory.dmp
C:\Windows\System\ucepLGH.exe
| MD5 | a53000776c5f7f84224f16405f6ff133 |
| SHA1 | 1c919ed1db253fa8fa3819b283bdbbc2de066722 |
| SHA256 | 6b400e224d0fba22f661d20311c2c9dcef388f89ee0a4cea02fcb3d23dc548b3 |
| SHA512 | be9dcca89c836fae8a78676a0ad8a2e3ad315d30b78d9d7eac50bd94f505494ace13ae965e81131cc698c8b27ea3d92fa20fd017b4a15e95b82bc2a1eddc7d3b |
memory/1992-10-0x00007FF680000000-0x00007FF680351000-memory.dmp
C:\Windows\System\TeLaRry.exe
| MD5 | 791dae4703ddf0d6d3298f9c834aaa54 |
| SHA1 | bac122d64e283fa1bd581b5980ff428f03ea6d45 |
| SHA256 | 1f3951a16daac4f573034b2f80cb1a15192f8acbee9244bfc738cdea59daf7d9 |
| SHA512 | b8c87422b98df116fbc8326780375321d819e29260d151c9fbabd96c4a5ce617a4764e2c6390c95ca8b8b832737e1e42caff020f9c43fefc070de3ec31afc56a |
C:\Windows\System\HvgjWlZ.exe
| MD5 | f41f1cb33b0d2f29ee0c834edcc58342 |
| SHA1 | 325ebf79d67675a83a0ba77c74789d1c5bd7d215 |
| SHA256 | e685c26d3c366299fab874f51d88f1e455109a710e67a032161a2bc524b04faa |
| SHA512 | 66dab37ca7933f5df9edf74b6b98174a8ebc8565ab3a8f0e68a29dba1022f77fced5dc019fb649b37a64a7a565647892bb017c5aa25d0f952ddacd388caa27f4 |
memory/3584-27-0x00007FF737DB0000-0x00007FF738101000-memory.dmp
C:\Windows\System\HFJOcBy.exe
| MD5 | 367d96f8cdf1074063ec586c7624725b |
| SHA1 | 04358aa1a17d724c330bf0bc9d69176069d7e31d |
| SHA256 | 4ba7412607bacd1c313fdf4a27be60bb7b966dd426322e6f83ad1e443228934b |
| SHA512 | 7601a7f6f4da996b12cd8b4fed8d774b43b8380ddd76cd465a8bf79862cec2ca3a877a9df1b19e35af9499a028b504d205d92d169082f204bf8163d7cc2f576d |
C:\Windows\System\GJkbsDS.exe
| MD5 | 797c00102e63de7e15cd278f967c5780 |
| SHA1 | d294e2a32a31805f25d7dcfb065e1c8a12de02e5 |
| SHA256 | 4c3853c17a3da21202e2a58ba21ce2b4c7ef03e464d823bbd711605c8307d84f |
| SHA512 | 8297449362066576a5affe7ffe2117ea6d953e2760f911bd891b2975038094465c7bd1855c8d5a23d3b668a825b05ab2051559bbce1c74e7ab37e19523d06f3c |
C:\Windows\System\lJqciEY.exe
| MD5 | cc30d6f70115cfb76b96a65a16aec28d |
| SHA1 | 35bc1e124148ad37648157088953804369299e07 |
| SHA256 | fa3e0cf902792cec40630fa2f8d70481b34bb7aae8616f61256fa3363942bc91 |
| SHA512 | c6b820d5d03c2e27c5a8038a719afb2bab106a64e8454162713ad8565492849e833f96afd1874d3832bd48dff6aa0bd8e59a8942ae1f7353ef81f40b15d6d99c |
C:\Windows\System\vBUAOmk.exe
| MD5 | 9910fde93c99ebadc1bf10076aee8c88 |
| SHA1 | 070e544ed8a0e8e88001a4d5c3c9992d1472e6dd |
| SHA256 | 1b88efceb452417231911e765909a6a595683b09a6bbf0c8febd9d3a05066bc0 |
| SHA512 | c35c97bb8fcfae00249d7e3e3a2c14dda588c6abd199aef0b834889c6dd12b6c152bc7d6b49891f10dc92bf7286252b26e56933274ab92f6b2f040fbff89234e |
C:\Windows\System\KgUEVIr.exe
| MD5 | bbc3fe288bc7a6721f6e02919f0b7ee3 |
| SHA1 | 161b600a37b8e882a179f2c2b26408097d322976 |
| SHA256 | 4c234ade1298299e216d6f7fc93637fa0bb9e63dea1ea224310db4dd31db685c |
| SHA512 | bb7d8476fe66400bd19b67f706ab1f346fae6e9715005e67760ccc578785f906cde1bbe5fb1f526c662619c463a1015f6bd2f769580a24d92d6b56d871dd4de5 |
memory/4028-70-0x00007FF783090000-0x00007FF7833E1000-memory.dmp
memory/3676-72-0x00007FF6E9100000-0x00007FF6E9451000-memory.dmp
memory/2384-76-0x00007FF732AA0000-0x00007FF732DF1000-memory.dmp
C:\Windows\System\dPyoZip.exe
| MD5 | ee4f689de6e0bb120608f89c340f2994 |
| SHA1 | 72e01ccfb62ee3bd70df843e91a944f6e3fd91b7 |
| SHA256 | bc2c9c6ccde69bcf8ccd9de19e6462653c23f2a47afccc11891a42fef70b84e6 |
| SHA512 | 486ead7942a25eedd814438e24bcf085b1fee9344fae0cc70d8673b94985e9ca008aaf72487f37a54d705122115e1db9c6bc5e5548200d0caf50e190e4bbe764 |
memory/4088-73-0x00007FF7DCA10000-0x00007FF7DCD61000-memory.dmp
memory/1628-71-0x00007FF639FB0000-0x00007FF63A301000-memory.dmp
memory/4580-69-0x00007FF753F90000-0x00007FF7542E1000-memory.dmp
memory/1060-68-0x00007FF603710000-0x00007FF603A61000-memory.dmp
memory/1820-61-0x00007FF7493B0000-0x00007FF749701000-memory.dmp
C:\Windows\System\ojPQsed.exe
| MD5 | 94ee4aeff3fe88acd8312b2bc4af99cf |
| SHA1 | 89e8b3cef367817239c75f9b9b33b2c5eb53d51e |
| SHA256 | 26fa5200b72b99ffd57716347b4d17b5e099a1c9fc64743366f7632eb513407f |
| SHA512 | 8024feb8827872e8725639140213052dd62a0ea07644fd76bcae4995be4e7abc6322e0abaf70fd467d3e07c9895e8df325a8ad65973e71d355a0f037028cf859 |
memory/3992-55-0x00007FF7E8810000-0x00007FF7E8B61000-memory.dmp
C:\Windows\System\IRzMzvw.exe
| MD5 | ab93677cff382852eecd16ede0590a1a |
| SHA1 | 41d8522d70f796e74b231a9366172790e5022e88 |
| SHA256 | 1befaa94c22dfb7fe9072c046d5d16f6cee4ff9b574d1e37874d1c4e61a1ee34 |
| SHA512 | 4b6061d6098cf25dd0b9770dedd216c0ce9c3c901c1524933daf077ef99ef30ba5cb9a91e3bad29d5494f6295abc1cdaf53b200f64f69d90ff06b359f12616d2 |
memory/3996-40-0x00007FF6B8BE0000-0x00007FF6B8F31000-memory.dmp
C:\Windows\System\yxxPYkv.exe
| MD5 | 1d47127291429e52c1a82171f060c18d |
| SHA1 | 498eefeafb56f840e92b893cd16a4f97f647b9ed |
| SHA256 | 5d0c3e92e4489f2f2cc6d883c362213ae942923f2fe432b097034f9ee2d072c1 |
| SHA512 | 907e33aa872373cb3c5bf75722722df7dd1764dd61d786b64d40c29bbd396b8c899a39bf70d15659699d025ade521b951d93070751617cad7492c605a42749e5 |
C:\Windows\System\FPKYiFG.exe
| Hash | Value |
| MD5 | dfe7bbca6284020e335b43ecffad0616 |
| SHA1 | 616d39910cecf8d284ae8085bf4393f8f95dc902 |
| SHA256 | 9832da0d946656be7fa17e46e0f62ab5eb04540c7fd632d7ca837ba41052bfe1 |
| SHA512 | e8d28ef36b2993df118a4ac34cbb611695564b4659032d3e2035e4022b649ac9a85d105cc418aa641a3d8ff119b19df8f60a7db62210a63df9d569a9a51764c2 |
C:\Windows\System\QTqeJRQ.exe
| Hash | Value |
| MD5 | b8b40266eb14bd925dddbad3067c1bbb |
| SHA1 | babb11bf0384bc39b8e8f305af65c2bd9c031b4e |
| SHA256 | d0f31ba30580ec7b682d35f68b01a772b84c83140b0f2f9ab8a0ed1ab26f55d0 |
| SHA512 | 2224b0396ddfe1e1daee709aadbe456eff155c28149c27aaaeaa4e4971a435ab9e96df0c08a9940334e8cc387c05ad62e7c5cbec82dabe53717220072bbbec05 |
C:\Windows\System\sAvbqqn.exe
| Hash | Value |
| MD5 | 5abea4fa4c2cf5cefe9d7e61453c8e7f |
| SHA1 | 134e0c55732133ec6e28c50752e7fc0e32b5ba03 |
| SHA256 | e96cba568eb13ed46045de5ed7856aef977f3b984815ff24ecd8911528b93a97 |
| SHA512 | a60bdce39543e8ab9cf83e4d1c814d8e0ab45108f3c21d275b013bfb3322894814dd0749e169ccccbdf768113be6cb77216a712d2de4a558a743d25dbe707a19 |
C:\Windows\System\AKIJWdM.exe
| Hash | Value |
| MD5 | e894d852fb9d070fefdc7eacd24f70f7 |
| SHA1 | 25c807db2b0b6a9b1b822d237ae23efded667cb5 |
| SHA256 | 2e230815330166623b700af7a1b01fb708c7ca102e5e77c90dd02326308919fe |
| SHA512 | 23cf61ea88d4323e2cdde069bc5c2809e0bfe9d6daef32047908209496417ab57618887a573a0d158ce640c9b61897995fa97ae6af8597e0d189074d7fbd714b |
C:\Windows\System\WaREuyW.exe
| Hash | Value |
| MD5 | 1725c6e02294f9906609eeee99347c49 |
| SHA1 | 38df0a3f6ab3975dd84973a76b98ceb1e2340bf7 |
| SHA256 | a31be254d1b23a2e99f6c3ef032a5416591f9b0fcb06f9de821d82f659eda550 |
| SHA512 | 6b5d4e5784384403ef7368fe70e276a3be1cae4265604444be17fca8ec3629a5044bbbd022e121bf25c2179ddd14ae6edf13ddc1f70097173e3e81f114079dd0 |
C:\Windows\System\cHTaDpl.exe
| Hash | Value |
| MD5 | 64b58a0f51a0556cd68293af5bfa3b04 |
| SHA1 | b48f5ac291ef025eb6bf1ba6367c2ad4adcdf9e1 |
| SHA256 | 66aaaad7451906515186e91ac836faffb3d9254137000e20bdd6e2a627cbe5c7 |
| SHA512 | 05974d0b61f2991c4d6e647fbf21b0d498c294e9b84499068a204627a179da018f06bd91dfba6deba95d0ae6bd4408304c47082a283340dcfe99d7d06aa3e733 |
C:\Windows\System\SizUtPe.exe
| Hash | Value |
| MD5 | 9c1abb27934197f8ef835521e7723685 |
| SHA1 | 450e06b37a46a1f7612e33c5fb135af2e1ab1229 |
| SHA256 | a365e5fc29452a5e4dba8a51118d8a7f8a25ee19dfbaa8c6bea40b11028d0527 |
| SHA512 | 909e30b472f6f00d982f76ae46d96c3cedd1ea2302f030c9641e80bec29053faabee2a62e6b2c036068a6c7ef7043a0f9bda2a8538ad527c9f774f22ffc0073c |
C:\Windows\System\QassaPW.exe
| Hash | Value |
| MD5 | c3981bdae4ebf0c3c3603b1091669bea |
| SHA1 | 917cd9d2aeb010c1c1b3ed6eccca947acb7a0e0f |
| SHA256 | 1a95dcccb87c522c00407fbedf9dd35306c203c922096b571f72c476d8271ac2 |
| SHA512 | e96bc48829d236f25c9e8e2289ffda70563f7cab1167384619e863f5890466b5d859d63d7b02a63d70257c6da7c8de07a4083d425c20c246f4b85a30eaff7e8d |
C:\Windows\System\eVFSZEo.exe
| Hash | Value |
| MD5 | 66c0162e01e7bb4c1cb1adb12fc45ea7 |
| SHA1 | 2ae3497dcd05d7b4c04e743b97b1699eb8197efd |
| SHA256 | f73e51136c3b5f4cb3ce973ee4800946d57806d2dee5d74214ad7f22e696146a |
| SHA512 | e47ab24da87a693d7b648144698240904fee186fcf1bcd1dbc42678b40e82abe8f1ee4ee9350526172030f75c855fa06b9d37e477a7e25f1ffcb324fa0ae2737 |