Analysis Overview
SHA256
e3426a0b314d10311aadb77f7e063d07e09de12ddd5c7a4d27537a328290c3b5
Threat Level: Known bad
The file 2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobaltstrike family
Cobalt Strike reflective loader
xmrig
Cobaltstrike
XMRig Miner payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
| Reported | 2024-08-15 11:02 |
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
| Submitted | 2024-08-15 11:02 |
| Reported | 2024-08-15 11:04 |
| Platform | win7-20240705-en |
| Max time kernel | 141s |
| Max time network | 145s |
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\wnaeiKy.exe | N/A |
| N/A | N/A | C:\Windows\System\ihfXNNC.exe | N/A |
| N/A | N/A | C:\Windows\System\OlBBLST.exe | N/A |
| N/A | N/A | C:\Windows\System\DqObolo.exe | N/A |
| N/A | N/A | C:\Windows\System\aUQTsYe.exe | N/A |
| N/A | N/A | C:\Windows\System\JlLMIRa.exe | N/A |
| N/A | N/A | C:\Windows\System\gWZlAvG.exe | N/A |
| N/A | N/A | C:\Windows\System\dUrkODF.exe | N/A |
| N/A | N/A | C:\Windows\System\aUwhsBe.exe | N/A |
| N/A | N/A | C:\Windows\System\hXveRdQ.exe | N/A |
| N/A | N/A | C:\Windows\System\mzRAQxH.exe | N/A |
| N/A | N/A | C:\Windows\System\dutQXja.exe | N/A |
| N/A | N/A | C:\Windows\System\jQptGCO.exe | N/A |
| N/A | N/A | C:\Windows\System\kpjTaDq.exe | N/A |
| N/A | N/A | C:\Windows\System\wmEioWq.exe | N/A |
| N/A | N/A | C:\Windows\System\dwjEnqs.exe | N/A |
| N/A | N/A | C:\Windows\System\ZByEWla.exe | N/A |
| N/A | N/A | C:\Windows\System\YFvMVON.exe | N/A |
| N/A | N/A | C:\Windows\System\lebSegn.exe | N/A |
| N/A | N/A | C:\Windows\System\Ciwxonp.exe | N/A |
| N/A | N/A | C:\Windows\System\ZhgLUmQ.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\wnaeiKy.exe | C:\Windows\System\wnaeiKy.exe |
| C:\Windows\System\ihfXNNC.exe | C:\Windows\System\ihfXNNC.exe |
| C:\Windows\System\OlBBLST.exe | C:\Windows\System\OlBBLST.exe |
| C:\Windows\System\DqObolo.exe | C:\Windows\System\DqObolo.exe |
| C:\Windows\System\aUQTsYe.exe | C:\Windows\System\aUQTsYe.exe |
| C:\Windows\System\JlLMIRa.exe | C:\Windows\System\JlLMIRa.exe |
| C:\Windows\System\gWZlAvG.exe | C:\Windows\System\gWZlAvG.exe |
| C:\Windows\System\aUwhsBe.exe | C:\Windows\System\aUwhsBe.exe |
| C:\Windows\System\dUrkODF.exe | C:\Windows\System\dUrkODF.exe |
| C:\Windows\System\hXveRdQ.exe | C:\Windows\System\hXveRdQ.exe |
| C:\Windows\System\mzRAQxH.exe | C:\Windows\System\mzRAQxH.exe |
| C:\Windows\System\dutQXja.exe | C:\Windows\System\dutQXja.exe |
| C:\Windows\System\jQptGCO.exe | C:\Windows\System\jQptGCO.exe |
| C:\Windows\System\kpjTaDq.exe | C:\Windows\System\kpjTaDq.exe |
| C:\Windows\System\wmEioWq.exe | C:\Windows\System\wmEioWq.exe |
| C:\Windows\System\YFvMVON.exe | C:\Windows\System\YFvMVON.exe |
| C:\Windows\System\dwjEnqs.exe | C:\Windows\System\dwjEnqs.exe |
| C:\Windows\System\Ciwxonp.exe | C:\Windows\System\Ciwxonp.exe |
| C:\Windows\System\ZByEWla.exe | C:\Windows\System\ZByEWla.exe |
| C:\Windows\System\ZhgLUmQ.exe | C:\Windows\System\ZhgLUmQ.exe |
| C:\Windows\System\lebSegn.exe | C:\Windows\System\lebSegn.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\system\wnaeiKy.exe
| MD5 | ec6520806f7dffca7d2709c4301bcdc2 |
| SHA1 | ae363e7a06f31907b49323f75f33b0e010fe20c0 |
| SHA256 | 4fedfd2637aed628354313a8111b0f2c2dc06c3aa99f13a14f9c3a33a6839a6f |
| SHA512 | 24398b3d06e44dd25157930121dfaf1feb5ed5d81bb8e574a1b8838b4fbc560fb439834280cac3635528df6aa1ec7403bd600d635c6bf80f3963c58e88f79082 |
\Windows\system\ihfXNNC.exe
| MD5 | 9d2bc829f8c2b06df3c05e06b06eb3a5 |
| SHA1 | 33400327da1eac0912f61e82a5d2711337a61236 |
| SHA256 | d0605eda4c389225fe571afe32a11946846e2d20d36cc62cf57db399ab667d44 |
| SHA512 | 4a12b45cff03f416975535ac43c90a08379708964e67d0a1c0035671d48668eff255a3ccb82de57fd18c966b4e78c49a18abd24041623822b1cdfeb9348b673f |
\Windows\system\OlBBLST.exe
| MD5 | f90225e8262605ee21f3c78433e4f866 |
| SHA1 | 939c364555aa2ed8253f832f0141dc284885e5de |
| SHA256 | 324cdf2509ad1cce0d4da2e434389bd2d3c0c550ca93da2b3543415dab8f08f4 |
| SHA512 | 1cd219e01a08de7bf09318db4582b0398fdcbe8d099d7995ed01a967e0b2ef88f6b1be8c7c5a90e0843e95394c44c92d2f274d2b841ce1b38c7b7da08003945e |
C:\Windows\system\DqObolo.exe
| MD5 | 5cc7d0ed5d6f2ed810cc72ae76064880 |
| SHA1 | 6634da5b441c7f6872fe47db251dab4bc68427c9 |
| SHA256 | 62ccb7435b0a422720579c4ed3a5a077cdddd4dc9c17acfeee97a356afb318da |
| SHA512 | cb7a3bfe620f2d2a8e831cb35890c3115b0ee280758e6f3d453c9ade3c6414860988afd309e4e09b43521c4bc7ddf38d50c6ae9a43a748a9f4ec06a3ee6523a2 |
C:\Windows\system\aUQTsYe.exe
| MD5 | 8476020b560208fa30b6984ee6c6ab2d |
| SHA1 | b7dc41d8d6655350ab8e8277523ba775e0ae498f |
| SHA256 | abf51dce90b5247714bd16aa7fdd67e31229575fb97ae9f086abe8dc462e76ed |
| SHA512 | 07f38cab352beab7de30f5bbe5a5eaa11d91715a535ebffeeeee31ce5336b14fa17f1c2f76104709261e70f422510e1cdfa8feb267c93bd2c0eb6ae3c3a6c618 |
\Windows\system\JlLMIRa.exe
| MD5 | e7db0f15528a06f51046cb84917a431f |
| SHA1 | 2268f68f45413b429c8bac638107e90e87559be2 |
| SHA256 | bb8ff851e42ced861e2cb30e51cc2da92fbaf3f626f9548a94d6714c81b677c3 |
| SHA512 | b276b6fcc9930fa9cf84735b3b7cd9fc495d278235f0ec29b9c81bf5bd6d69fb9a7a238904507d4da572721b688f002dd335420ece0e74f8d5e471fc5789f222 |
C:\Windows\system\dUrkODF.exe
| MD5 | 1cf0bfac0f7fec0701719b8fe7da40b7 |
| SHA1 | adb2c220f1c44749a5682137ad00b29cc5818d74 |
| SHA256 | 467c001b4af235465b7d9a4b867e05139dd99c4e93b431a4c86ed763a661bad6 |
| SHA512 | 65bdb8b0c55d27ca6f82daab206e1a2aaddba7d21050881b9ef4f27c76f1f2c0e741d39d8c979586374b645384d74d5200f1e7e5e5908cc722a8691112202634 |
C:\Windows\system\hXveRdQ.exe
| MD5 | 241e54c278a7f529fc24f6a425ef54f5 |
| SHA1 | d9f360d87ef2a6048370239216ff95a99a191fc7 |
| SHA256 | d2326f88cefbef0178de66af2ec4913ec157778c756304d323095e8cd5e41775 |
| SHA512 | 4c452106855b1c778bb1647620afa97966e7e7fcf5e9b381b1be9e968a4956ae02954949b9595f5a200aebdbe233b03b3780131cab5246ff0115a7b7540250b7 |
C:\Windows\system\dutQXja.exe
| MD5 | deae6fe44ad409cbdb9a2fe2687acb08 |
| SHA1 | c5723f9ddb57f0a13cb7404fd2cc8e2f6962282b |
| SHA256 | dfcb90b313fbd4b3472add302c961a38274a1e377959c530dd28028d15c417f5 |
| SHA512 | 687f36badd14c861fcf5b06f0851737e14ad16715c143b4204cfd2fb8bc087551f48795633cf2d3fcdeee88d50eede903f944b7dd211eca1d21623dff0bcbe21 |
C:\Windows\system\kpjTaDq.exe
| MD5 | 40a0b160d55fd39c067664fa99173716 |
| SHA1 | 19e18bf8f98861b5d455c53a74c0008f9a63ca9e |
| SHA256 | 9ff9785ac7c4e275fcae9bf31c44d68949c4df28db8122a22cb1d2ac4e5f01ad |
| SHA512 | c2168769a2f50af823213518ea1a99edeb931e1cb181f5a9aa6f7749dde5081f966c0d7b937587d51b9de4b7bcecba439678f7183760ddc7b55978276c3bf267 |
\Windows\system\YFvMVON.exe
| MD5 | 7c33847041e6a068027ac9561ce38e53 |
| SHA1 | 5cf0fc285530b28a24faa8675bead970dcad5fad |
| SHA256 | b3a7a0811db9babbdbfc8ed775f28455993665e1c7688041c68d3bd31c8365d9 |
| SHA512 | 8d5daff5f2da9b9e4356e6eb52cd7b307847dcf5536c323f4c530a2ed656f8309e4ac666fdcf9136c3ed39b57e4beb2850e149413791a9ea4547ef507c3e52eb |
\Windows\system\ZhgLUmQ.exe
| MD5 | 9ae86a7a09c4f91a9631d816c4efa71f |
| SHA1 | 4067b7d4def3f71b979a2a3d15ef25c26705481a |
| SHA256 | 3da9b50685492335215b94746ec13d6828b258e01223ce32fdca085d49dca56d |
| SHA512 | c8d25f398fe990dfe309b681a84d034f055de6399bc55f80b0f54b3978b01f7ecc736847b799d2ff4cadf373c2a3e262706c6307f00f7a19142f9a592df04c22 |
\Windows\system\Ciwxonp.exe
| MD5 | 7bb1518ad8580cdeba1b47f877a433f1 |
| SHA1 | dfaaa2c942e6aba4bbc33d8fb817e63cef62140f |
| SHA256 | 90be2cd05fc010bdee69d079a651a74eef65fdc0afce4d87370662e0e26afef4 |
| SHA512 | 53ddd878a942667c9a7bdc0c2ee8150b44601fbdc2a6812c3b18e56b075fcb7320aa6fc89e36d03ec1f6dddf56989784357e74d911a3a03e8afc9885c1d6b5a2 |
C:\Windows\system\lebSegn.exe
| MD5 | aec8586f093fe8c5013bb65323b777cf |
| SHA1 | be3e508bc9cdba19de757bce989bfa9c03b2dcbe |
| SHA256 | 38a822273ad49578b022a26c712dd5335ff00cf41ac02249cad30135a950803e |
| SHA512 | 3f999bf65d43b828a0f33f49eb032ee120470e05ac6551e7109eb8ed395f0144883a00c09f27134e055cb71c2425cdf35f67dc4ccbca4b21dc68af4289185931 |
C:\Windows\system\ZByEWla.exe
| MD5 | 9202e331a959fdd1c4d2027ef4965bfb |
| SHA1 | 693ede5ad53502385cff1b270a67ec0cc91f3d51 |
| SHA256 | 86e8faa97f272130c1b68fa357e9191ef50b1a7e8fd697e08418d5c4b6898d77 |
| SHA512 | 3fbce1bba83d435dad1de81e4ee4c97c2a0576708cfb1fc1633c8a48a61d5460a920107c6d55ed6856d076d46de83b23ecebfbf4ce664ec0fe4b84ce2a6d476a |
C:\Windows\system\dwjEnqs.exe
| MD5 | 66fe254ab2dc074c102d31f7aff546dd |
| SHA1 | 89c29b02dbdd8a560c9a9eab31e53ade380abaf1 |
| SHA256 | 24d2fefdccba04ffed226bd6e0838ff42b90f0bae8954927a21afccd8d37f6de |
| SHA512 | 2b98f76f05ded690076bb6b41ee8ab2190e9c1e6f47242096e6e9eadc6951c3f4a076fadd1a36c44c73451ff9dee3ab13002a598c0627be3cf271d260e93c760 |
C:\Windows\system\wmEioWq.exe
| MD5 | 0cb6ae08849bc16177a966ba7aa99f01 |
| SHA1 | 088d8b8ab9ed2987a54d897ac07e0b2947f15b7c |
| SHA256 | 05e8158d3927c51fcec19a89478fbe580fd6bf6e2482b410ba52dcf9b20fe83a |
| SHA512 | 8c82b2f5c71cf6feeecfc30b6e103b5f48aa2f785b75c414e13e22ee815bc19b1f66e76eff81b8f6f1c657080717b018b5ad45422d10a5ad692306b71cbeb7e0 |
C:\Windows\system\jQptGCO.exe
| MD5 | eca7f91b6f36a38f75f47cce1b4d8aa2 |
| SHA1 | 32f8b55a33a8afd4da289cc2bf9f960d8f4f9085 |
| SHA256 | b66e98dd3cd92c83b77df65be09853bfc6a155d9376e0ae04a3e97c3316d1557 |
| SHA512 | abb3d160d885b1d60240cca25b6b080b67f8569bf6a5931711044e084998a0ea53ded2f409294ebae3763cdff87c43dfc68399122da7e08b17f3de318607c1f7 |
C:\Windows\system\aUwhsBe.exe
| MD5 | 24cdaca37964e03c4ab5a9258bd729ff |
| SHA1 | 52feecfc10034b5cbdb90361c4049dc1cbc69e51 |
| SHA256 | 55af8d8393deeacf6811ac9440ecd3e4769fe9a9290062ec907ff6bcd3cdb1fe |
| SHA512 | 1aaf4dffeccb90f1c303d6fee21479eb3f8f956442277e783887637b1b849d277983455eddfd81340208573aabbbe9bf8578ed90d520b6d0ff6c027830aa32c5 |
C:\Windows\system\mzRAQxH.exe
| MD5 | 724910a37da7c0a621c5ce24649524b0 |
| SHA1 | a09d99f75cf2a04faf550c5d9c64a5bd0d9a6905 |
| SHA256 | 63f0d0a3ce5d267eb58a36e2a30cff23ccc3f565a82042879c59f756035c61ae |
| SHA512 | 03794364027147a635a3af284bc84b7bf4b54380b2d50252f73d2400bf0e39d54f8c36f0abf2e498f92d284640acda7b0dc1161bf2249dc8ac9a3f1a93bbea68 |
C:\Windows\system\gWZlAvG.exe
| MD5 | 49693bd4bfc77ffc1e696359e7496ab6 |
| SHA1 | 032aac699c7eaea56af4d7786e49530c000c547c |
| SHA256 | a470cb012f957491d4017de4b3ed16a1de79874a14ffa15b057cbe223ee27111 |
| SHA512 | 41a8b91d70cd825936da532953ff1ffe87f49b55e6e4f69bd6555cbea7672609e2ecd503f9d16b082b0c8986e80cd60b16f6fe2b592a3deeb3a50176499739b4 |
Analysis: behavioral2
Detonation Overview
| Submitted | 2024-08-15 11:02 |
| Reported | 2024-08-15 11:04 |
| Platform | win10v2004-20240802-en |
| Max time kernel | 144s |
| Max time network | 148s |
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\wnaeiKy.exe | N/A |
| N/A | N/A | C:\Windows\System\ihfXNNC.exe | N/A |
| N/A | N/A | C:\Windows\System\OlBBLST.exe | N/A |
| N/A | N/A | C:\Windows\System\DqObolo.exe | N/A |
| N/A | N/A | C:\Windows\System\aUQTsYe.exe | N/A |
| N/A | N/A | C:\Windows\System\JlLMIRa.exe | N/A |
| N/A | N/A | C:\Windows\System\gWZlAvG.exe | N/A |
| N/A | N/A | C:\Windows\System\aUwhsBe.exe | N/A |
| N/A | N/A | C:\Windows\System\dUrkODF.exe | N/A |
| N/A | N/A | C:\Windows\System\hXveRdQ.exe | N/A |
| N/A | N/A | C:\Windows\System\mzRAQxH.exe | N/A |
| N/A | N/A | C:\Windows\System\dutQXja.exe | N/A |
| N/A | N/A | C:\Windows\System\jQptGCO.exe | N/A |
| N/A | N/A | C:\Windows\System\kpjTaDq.exe | N/A |
| N/A | N/A | C:\Windows\System\wmEioWq.exe | N/A |
| N/A | N/A | C:\Windows\System\YFvMVON.exe | N/A |
| N/A | N/A | C:\Windows\System\dwjEnqs.exe | N/A |
| N/A | N/A | C:\Windows\System\Ciwxonp.exe | N/A |
| N/A | N/A | C:\Windows\System\ZByEWla.exe | N/A |
| N/A | N/A | C:\Windows\System\ZhgLUmQ.exe | N/A |
| N/A | N/A | C:\Windows\System\lebSegn.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-15_e114c38fd8478a1634bd3f8643d43444_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\wnaeiKy.exe | C:\Windows\System\wnaeiKy.exe |
| C:\Windows\System\ihfXNNC.exe | C:\Windows\System\ihfXNNC.exe |
| C:\Windows\System\OlBBLST.exe | C:\Windows\System\OlBBLST.exe |
| C:\Windows\System\DqObolo.exe | C:\Windows\System\DqObolo.exe |
| C:\Windows\System\aUQTsYe.exe | C:\Windows\System\aUQTsYe.exe |
| C:\Windows\System\JlLMIRa.exe | C:\Windows\System\JlLMIRa.exe |
| C:\Windows\System\gWZlAvG.exe | C:\Windows\System\gWZlAvG.exe |
| C:\Windows\System\aUwhsBe.exe | C:\Windows\System\aUwhsBe.exe |
| C:\Windows\System\dUrkODF.exe | C:\Windows\System\dUrkODF.exe |
| C:\Windows\System\hXveRdQ.exe | C:\Windows\System\hXveRdQ.exe |
| C:\Windows\System\mzRAQxH.exe | C:\Windows\System\mzRAQxH.exe |
| C:\Windows\System\dutQXja.exe | C:\Windows\System\dutQXja.exe |
| C:\Windows\System\jQptGCO.exe | C:\Windows\System\jQptGCO.exe |
| C:\Windows\System\kpjTaDq.exe | C:\Windows\System\kpjTaDq.exe |
| C:\Windows\System\wmEioWq.exe | C:\Windows\System\wmEioWq.exe |
| C:\Windows\System\YFvMVON.exe | C:\Windows\System\YFvMVON.exe |
| C:\Windows\System\dwjEnqs.exe | C:\Windows\System\dwjEnqs.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4460,i,4174666705242427184,7333705955694532165,262144 --variations-seed-version --mojo-platform-channel-handle=4512 /prefetch:8 |
| C:\Windows\System\Ciwxonp.exe | C:\Windows\System\Ciwxonp.exe |
| C:\Windows\System\ZByEWla.exe | C:\Windows\System\ZByEWla.exe |
| C:\Windows\System\ZhgLUmQ.exe | C:\Windows\System\ZhgLUmQ.exe |
| C:\Windows\System\lebSegn.exe | C:\Windows\System\lebSegn.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 84.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\wnaeiKy.exe
| MD5 | ec6520806f7dffca7d2709c4301bcdc2 |
| SHA1 | ae363e7a06f31907b49323f75f33b0e010fe20c0 |
| SHA256 | 4fedfd2637aed628354313a8111b0f2c2dc06c3aa99f13a14f9c3a33a6839a6f |
| SHA512 | 24398b3d06e44dd25157930121dfaf1feb5ed5d81bb8e574a1b8838b4fbc560fb439834280cac3635528df6aa1ec7403bd600d635c6bf80f3963c58e88f79082 |
C:\Windows\System\ihfXNNC.exe
| MD5 | 9d2bc829f8c2b06df3c05e06b06eb3a5 |
| SHA1 | 33400327da1eac0912f61e82a5d2711337a61236 |
| SHA256 | d0605eda4c389225fe571afe32a11946846e2d20d36cc62cf57db399ab667d44 |
| SHA512 | 4a12b45cff03f416975535ac43c90a08379708964e67d0a1c0035671d48668eff255a3ccb82de57fd18c966b4e78c49a18abd24041623822b1cdfeb9348b673f |
C:\Windows\System\OlBBLST.exe
| MD5 | f90225e8262605ee21f3c78433e4f866 |
| SHA1 | 939c364555aa2ed8253f832f0141dc284885e5de |
| SHA256 | 324cdf2509ad1cce0d4da2e434389bd2d3c0c550ca93da2b3543415dab8f08f4 |
| SHA512 | 1cd219e01a08de7bf09318db4582b0398fdcbe8d099d7995ed01a967e0b2ef88f6b1be8c7c5a90e0843e95394c44c92d2f274d2b841ce1b38c7b7da08003945e |
C:\Windows\System\aUQTsYe.exe
| MD5 | 8476020b560208fa30b6984ee6c6ab2d |
| SHA1 | b7dc41d8d6655350ab8e8277523ba775e0ae498f |
| SHA256 | abf51dce90b5247714bd16aa7fdd67e31229575fb97ae9f086abe8dc462e76ed |
| SHA512 | 07f38cab352beab7de30f5bbe5a5eaa11d91715a535ebffeeeee31ce5336b14fa17f1c2f76104709261e70f422510e1cdfa8feb267c93bd2c0eb6ae3c3a6c618 |
C:\Windows\System\JlLMIRa.exe
| MD5 | e7db0f15528a06f51046cb84917a431f |
| SHA1 | 2268f68f45413b429c8bac638107e90e87559be2 |
| SHA256 | bb8ff851e42ced861e2cb30e51cc2da92fbaf3f626f9548a94d6714c81b677c3 |
| SHA512 | b276b6fcc9930fa9cf84735b3b7cd9fc495d278235f0ec29b9c81bf5bd6d69fb9a7a238904507d4da572721b688f002dd335420ece0e74f8d5e471fc5789f222 |
C:\Windows\System\aUwhsBe.exe
| MD5 | 24cdaca37964e03c4ab5a9258bd729ff |
| SHA1 | 52feecfc10034b5cbdb90361c4049dc1cbc69e51 |
| SHA256 | 55af8d8393deeacf6811ac9440ecd3e4769fe9a9290062ec907ff6bcd3cdb1fe |
| SHA512 | 1aaf4dffeccb90f1c303d6fee21479eb3f8f956442277e783887637b1b849d277983455eddfd81340208573aabbbe9bf8578ed90d520b6d0ff6c027830aa32c5 |
C:\Windows\System\dUrkODF.exe
| MD5 | 1cf0bfac0f7fec0701719b8fe7da40b7 |
| SHA1 | adb2c220f1c44749a5682137ad00b29cc5818d74 |
| SHA256 | 467c001b4af235465b7d9a4b867e05139dd99c4e93b431a4c86ed763a661bad6 |
| SHA512 | 65bdb8b0c55d27ca6f82daab206e1a2aaddba7d21050881b9ef4f27c76f1f2c0e741d39d8c979586374b645384d74d5200f1e7e5e5908cc722a8691112202634 |
C:\Windows\System\dutQXja.exe
| MD5 | deae6fe44ad409cbdb9a2fe2687acb08 |
| SHA1 | c5723f9ddb57f0a13cb7404fd2cc8e2f6962282b |
| SHA256 | dfcb90b313fbd4b3472add302c961a38274a1e377959c530dd28028d15c417f5 |
| SHA512 | 687f36badd14c861fcf5b06f0851737e14ad16715c143b4204cfd2fb8bc087551f48795633cf2d3fcdeee88d50eede903f944b7dd211eca1d21623dff0bcbe21 |
C:\Windows\System\jQptGCO.exe
| MD5 | eca7f91b6f36a38f75f47cce1b4d8aa2 |
| SHA1 | 32f8b55a33a8afd4da289cc2bf9f960d8f4f9085 |
| SHA256 | b66e98dd3cd92c83b77df65be09853bfc6a155d9376e0ae04a3e97c3316d1557 |
| SHA512 | abb3d160d885b1d60240cca25b6b080b67f8569bf6a5931711044e084998a0ea53ded2f409294ebae3763cdff87c43dfc68399122da7e08b17f3de318607c1f7 |
C:\Windows\System\YFvMVON.exe
| MD5 | 7c33847041e6a068027ac9561ce38e53 |
| SHA1 | 5cf0fc285530b28a24faa8675bead970dcad5fad |
| SHA256 | b3a7a0811db9babbdbfc8ed775f28455993665e1c7688041c68d3bd31c8365d9 |
| SHA512 | 8d5daff5f2da9b9e4356e6eb52cd7b307847dcf5536c323f4c530a2ed656f8309e4ac666fdcf9136c3ed39b57e4beb2850e149413791a9ea4547ef507c3e52eb |
C:\Windows\System\wmEioWq.exe
| MD5 | 0cb6ae08849bc16177a966ba7aa99f01 |
| SHA1 | 088d8b8ab9ed2987a54d897ac07e0b2947f15b7c |
| SHA256 | 05e8158d3927c51fcec19a89478fbe580fd6bf6e2482b410ba52dcf9b20fe83a |
| SHA512 | 8c82b2f5c71cf6feeecfc30b6e103b5f48aa2f785b75c414e13e22ee815bc19b1f66e76eff81b8f6f1c657080717b018b5ad45422d10a5ad692306b71cbeb7e0 |
C:\Windows\System\kpjTaDq.exe
| MD5 | 40a0b160d55fd39c067664fa99173716 |
| SHA1 | 19e18bf8f98861b5d455c53a74c0008f9a63ca9e |
| SHA256 | 9ff9785ac7c4e275fcae9bf31c44d68949c4df28db8122a22cb1d2ac4e5f01ad |
| SHA512 | c2168769a2f50af823213518ea1a99edeb931e1cb181f5a9aa6f7749dde5081f966c0d7b937587d51b9de4b7bcecba439678f7183760ddc7b55978276c3bf267 |
memory/416-78-0x00007FF6E1680000-0x00007FF6E19D1000-memory.dmp
memory/2568-76-0x00007FF74F640000-0x00007FF74F991000-memory.dmp
memory/4392-73-0x00007FF775680000-0x00007FF7759D1000-memory.dmp
memory/1892-72-0x00007FF787020000-0x00007FF787371000-memory.dmp
memory/1180-67-0x00007FF76FC60000-0x00007FF76FFB1000-memory.dmp
C:\Windows\System\mzRAQxH.exe
| MD5 | 724910a37da7c0a621c5ce24649524b0 |
| SHA1 | a09d99f75cf2a04faf550c5d9c64a5bd0d9a6905 |
| SHA256 | 63f0d0a3ce5d267eb58a36e2a30cff23ccc3f565a82042879c59f756035c61ae |
| SHA512 | 03794364027147a635a3af284bc84b7bf4b54380b2d50252f73d2400bf0e39d54f8c36f0abf2e498f92d284640acda7b0dc1161bf2249dc8ac9a3f1a93bbea68 |
memory/936-62-0x00007FF6F2F30000-0x00007FF6F3281000-memory.dmp
memory/3900-58-0x00007FF6A6630000-0x00007FF6A6981000-memory.dmp
C:\Windows\System\hXveRdQ.exe
| MD5 | 241e54c278a7f529fc24f6a425ef54f5 |
| SHA1 | d9f360d87ef2a6048370239216ff95a99a191fc7 |
| SHA256 | d2326f88cefbef0178de66af2ec4913ec157778c756304d323095e8cd5e41775 |
| SHA512 | 4c452106855b1c778bb1647620afa97966e7e7fcf5e9b381b1be9e968a4956ae02954949b9595f5a200aebdbe233b03b3780131cab5246ff0115a7b7540250b7 |
memory/764-54-0x00007FF6EEB30000-0x00007FF6EEE81000-memory.dmp
C:\Windows\System\gWZlAvG.exe
| MD5 | 49693bd4bfc77ffc1e696359e7496ab6 |
| SHA1 | 032aac699c7eaea56af4d7786e49530c000c547c |
| SHA256 | a470cb012f957491d4017de4b3ed16a1de79874a14ffa15b057cbe223ee27111 |
| SHA512 | 41a8b91d70cd825936da532953ff1ffe87f49b55e6e4f69bd6555cbea7672609e2ecd503f9d16b082b0c8986e80cd60b16f6fe2b592a3deeb3a50176499739b4 |
memory/4812-40-0x00007FF7CBDB0000-0x00007FF7CC101000-memory.dmp
memory/3528-24-0x00007FF6DB730000-0x00007FF6DBA81000-memory.dmp
C:\Windows\System\DqObolo.exe
| MD5 | 5cc7d0ed5d6f2ed810cc72ae76064880 |
| SHA1 | 6634da5b441c7f6872fe47db251dab4bc68427c9 |
| SHA256 | 62ccb7435b0a422720579c4ed3a5a077cdddd4dc9c17acfeee97a356afb318da |
| SHA512 | cb7a3bfe620f2d2a8e831cb35890c3115b0ee280758e6f3d453c9ade3c6414860988afd309e4e09b43521c4bc7ddf38d50c6ae9a43a748a9f4ec06a3ee6523a2 |
memory/1512-17-0x00007FF6C81A0000-0x00007FF6C84F1000-memory.dmp
memory/764-107-0x00007FF6EEB30000-0x00007FF6EEE81000-memory.dmp
C:\Windows\System\dwjEnqs.exe
| MD5 | 66fe254ab2dc074c102d31f7aff546dd |
| SHA1 | 89c29b02dbdd8a560c9a9eab31e53ade380abaf1 |
| SHA256 | 24d2fefdccba04ffed226bd6e0838ff42b90f0bae8954927a21afccd8d37f6de |
| SHA512 | 2b98f76f05ded690076bb6b41ee8ab2190e9c1e6f47242096e6e9eadc6951c3f4a076fadd1a36c44c73451ff9dee3ab13002a598c0627be3cf271d260e93c760 |
C:\Windows\System\ZByEWla.exe
| MD5 | 9202e331a959fdd1c4d2027ef4965bfb |
| SHA1 | 693ede5ad53502385cff1b270a67ec0cc91f3d51 |
| SHA256 | 86e8faa97f272130c1b68fa357e9191ef50b1a7e8fd697e08418d5c4b6898d77 |
| SHA512 | 3fbce1bba83d435dad1de81e4ee4c97c2a0576708cfb1fc1633c8a48a61d5460a920107c6d55ed6856d076d46de83b23ecebfbf4ce664ec0fe4b84ce2a6d476a |
C:\Windows\System\Ciwxonp.exe
| MD5 | 7bb1518ad8580cdeba1b47f877a433f1 |
| SHA1 | dfaaa2c942e6aba4bbc33d8fb817e63cef62140f |
| SHA256 | 90be2cd05fc010bdee69d079a651a74eef65fdc0afce4d87370662e0e26afef4 |
| SHA512 | 53ddd878a942667c9a7bdc0c2ee8150b44601fbdc2a6812c3b18e56b075fcb7320aa6fc89e36d03ec1f6dddf56989784357e74d911a3a03e8afc9885c1d6b5a2 |
C:\Windows\System\lebSegn.exe
| MD5 | aec8586f093fe8c5013bb65323b777cf |
| SHA1 | be3e508bc9cdba19de757bce989bfa9c03b2dcbe |
| SHA256 | 38a822273ad49578b022a26c712dd5335ff00cf41ac02249cad30135a950803e |
| SHA512 | 3f999bf65d43b828a0f33f49eb032ee120470e05ac6551e7109eb8ed395f0144883a00c09f27134e055cb71c2425cdf35f67dc4ccbca4b21dc68af4289185931 |
memory/3060-136-0x00007FF708C70000-0x00007FF708FC1000-memory.dmp
memory/1828-138-0x00007FF6B42E0000-0x00007FF6B4631000-memory.dmp
memory/1428-139-0x00007FF755360000-0x00007FF7556B1000-memory.dmp
memory/2588-143-0x00007FF7084A0000-0x00007FF7087F1000-memory.dmp
memory/5092-144-0x00007FF6311A0000-0x00007FF6314F1000-memory.dmp
memory/4640-142-0x00007FF693D20000-0x00007FF694071000-memory.dmp
memory/3212-140-0x00007FF619F90000-0x00007FF61A2E1000-memory.dmp
memory/2180-137-0x00007FF761170000-0x00007FF7614C1000-memory.dmp
memory/416-135-0x00007FF6E1680000-0x00007FF6E19D1000-memory.dmp
memory/1180-134-0x00007FF76FC60000-0x00007FF76FFB1000-memory.dmp
C:\Windows\System\ZhgLUmQ.exe
| MD5 | 9ae86a7a09c4f91a9631d816c4efa71f |
| SHA1 | 4067b7d4def3f71b979a2a3d15ef25c26705481a |
| SHA256 | 3da9b50685492335215b94746ec13d6828b258e01223ce32fdca085d49dca56d |
| SHA512 | c8d25f398fe990dfe309b681a84d034f055de6399bc55f80b0f54b3978b01f7ecc736847b799d2ff4cadf373c2a3e262706c6307f00f7a19142f9a592df04c22 |
memory/3900-110-0x00007FF6A6630000-0x00007FF6A6981000-memory.dmp
memory/4812-104-0x00007FF7CBDB0000-0x00007FF7CC101000-memory.dmp
memory/1512-101-0x00007FF6C81A0000-0x00007FF6C84F1000-memory.dmp
memory/1920-102-0x00007FF7CE870000-0x00007FF7CEBC1000-memory.dmp
memory/4216-100-0x00007FF6A7350000-0x00007FF6A76A1000-memory.dmp
memory/2396-99-0x00007FF7BCFF0000-0x00007FF7BD341000-memory.dmp
memory/2396-145-0x00007FF7BCFF0000-0x00007FF7BD341000-memory.dmp
memory/2396-167-0x00007FF7BCFF0000-0x00007FF7BD341000-memory.dmp
memory/4216-200-0x00007FF6A7350000-0x00007FF6A76A1000-memory.dmp
memory/1512-202-0x00007FF6C81A0000-0x00007FF6C84F1000-memory.dmp
memory/3528-204-0x00007FF6DB730000-0x00007FF6DBA81000-memory.dmp
memory/1920-206-0x00007FF7CE870000-0x00007FF7CEBC1000-memory.dmp
memory/1892-218-0x00007FF787020000-0x00007FF787371000-memory.dmp
memory/4812-217-0x00007FF7CBDB0000-0x00007FF7CC101000-memory.dmp
memory/764-220-0x00007FF6EEB30000-0x00007FF6EEE81000-memory.dmp
memory/416-226-0x00007FF6E1680000-0x00007FF6E19D1000-memory.dmp
memory/936-232-0x00007FF6F2F30000-0x00007FF6F3281000-memory.dmp
memory/4392-230-0x00007FF775680000-0x00007FF7759D1000-memory.dmp
memory/2568-224-0x00007FF74F640000-0x00007FF74F991000-memory.dmp
memory/3900-228-0x00007FF6A6630000-0x00007FF6A6981000-memory.dmp
memory/1180-223-0x00007FF76FC60000-0x00007FF76FFB1000-memory.dmp
memory/2180-239-0x00007FF761170000-0x00007FF7614C1000-memory.dmp
memory/1828-241-0x00007FF6B42E0000-0x00007FF6B4631000-memory.dmp
memory/3060-242-0x00007FF708C70000-0x00007FF708FC1000-memory.dmp
memory/1428-250-0x00007FF755360000-0x00007FF7556B1000-memory.dmp
memory/3212-252-0x00007FF619F90000-0x00007FF61A2E1000-memory.dmp
memory/4640-254-0x00007FF693D20000-0x00007FF694071000-memory.dmp
memory/5092-258-0x00007FF6311A0000-0x00007FF6314F1000-memory.dmp
memory/2588-257-0x00007FF7084A0000-0x00007FF7087F1000-memory.dmp