Analysis Overview
SHA256
208297709d5170b955043494875092131d07ddc4b69e188d13687d986a8d1232
Threat Level: Known bad
The file 2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobaltstrike
Cobalt Strike reflective loader
Xmrig family
XMRig Miner payload
xmrig
XMRig Miner payload
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-15 10:28
Signatures
Cobalt Strike reflective loader
1 match; description, indicator, process and target not recorded.
Cobaltstrike family
XMRig Miner payload
1 match; description, indicator, process and target not recorded.
Xmrig family
UPX packed file
1 match; description, indicator, process and target not recorded.
Unsigned PE
2 matches; description, indicator, process and target not recorded.
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 10:28
Reported
2024-08-15 10:31
Platform
win7-20240729-en
Max time kernel
140s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; description, indicator, process and target not recorded.
Cobaltstrike
xmrig
XMRig Miner payload
43 matches; description, indicator, process and target not recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\DbkcpEn.exe | N/A |
| N/A | N/A | C:\Windows\System\epdNwky.exe | N/A |
| N/A | N/A | C:\Windows\System\qwwDpjd.exe | N/A |
| N/A | N/A | C:\Windows\System\qqAPBBI.exe | N/A |
| N/A | N/A | C:\Windows\System\CfNTXLV.exe | N/A |
| N/A | N/A | C:\Windows\System\oDiZrtd.exe | N/A |
| N/A | N/A | C:\Windows\System\bNVftTp.exe | N/A |
| N/A | N/A | C:\Windows\System\tTtQsNo.exe | N/A |
| N/A | N/A | C:\Windows\System\iCZxnZC.exe | N/A |
| N/A | N/A | C:\Windows\System\fTYRbcc.exe | N/A |
| N/A | N/A | C:\Windows\System\jpLbLFI.exe | N/A |
| N/A | N/A | C:\Windows\System\kQiAjOf.exe | N/A |
| N/A | N/A | C:\Windows\System\YHVqpWc.exe | N/A |
| N/A | N/A | C:\Windows\System\awRTQUL.exe | N/A |
| N/A | N/A | C:\Windows\System\ucdPksu.exe | N/A |
| N/A | N/A | C:\Windows\System\baENvmq.exe | N/A |
| N/A | N/A | C:\Windows\System\pVmmHac.exe | N/A |
| N/A | N/A | C:\Windows\System\IzZHjtn.exe | N/A |
| N/A | N/A | C:\Windows\System\Knmjeye.exe | N/A |
| N/A | N/A | C:\Windows\System\XNYVkuE.exe | N/A |
| N/A | N/A | C:\Windows\System\RQtVjcm.exe | N/A |
Loads dropped DLL
UPX packed file
64 matches; description, indicator, process and target not recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Note: SeLockMemoryPrivilege ("Lock pages in memory") is the right XMRig enables so that it can back its RandomX dataset with large pages. Ordinary user-mode software almost never requests it, so this token adjustment corroborates the XMRig signature above rather than the Cobalt Strike one.
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\DbkcpEn.exe
C:\Windows\System\DbkcpEn.exe
C:\Windows\System\qwwDpjd.exe
C:\Windows\System\qwwDpjd.exe
C:\Windows\System\epdNwky.exe
C:\Windows\System\epdNwky.exe
C:\Windows\System\qqAPBBI.exe
C:\Windows\System\qqAPBBI.exe
C:\Windows\System\CfNTXLV.exe
C:\Windows\System\CfNTXLV.exe
C:\Windows\System\oDiZrtd.exe
C:\Windows\System\oDiZrtd.exe
C:\Windows\System\bNVftTp.exe
C:\Windows\System\bNVftTp.exe
C:\Windows\System\iCZxnZC.exe
C:\Windows\System\iCZxnZC.exe
C:\Windows\System\tTtQsNo.exe
C:\Windows\System\tTtQsNo.exe
C:\Windows\System\fTYRbcc.exe
C:\Windows\System\fTYRbcc.exe
C:\Windows\System\jpLbLFI.exe
C:\Windows\System\jpLbLFI.exe
C:\Windows\System\kQiAjOf.exe
C:\Windows\System\kQiAjOf.exe
C:\Windows\System\YHVqpWc.exe
C:\Windows\System\YHVqpWc.exe
C:\Windows\System\awRTQUL.exe
C:\Windows\System\awRTQUL.exe
C:\Windows\System\ucdPksu.exe
C:\Windows\System\ucdPksu.exe
C:\Windows\System\IzZHjtn.exe
C:\Windows\System\IzZHjtn.exe
C:\Windows\System\baENvmq.exe
C:\Windows\System\baENvmq.exe
C:\Windows\System\XNYVkuE.exe
C:\Windows\System\XNYVkuE.exe
C:\Windows\System\pVmmHac.exe
C:\Windows\System\pVmmHac.exe
C:\Windows\System\RQtVjcm.exe
C:\Windows\System\RQtVjcm.exe
C:\Windows\System\Knmjeye.exe
C:\Windows\System\Knmjeye.exe
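The process list above shows the sample in the user's Temp directory launching a series of seven-letter executables from C:\Windows\System. The following is an added example, not part of the sandbox report, of turning that into detection logic: it parses a few of the report's "Executes dropped EXE" rows into an exact IOC set, adds a naming heuristic for the same scheme, and runs both over constructed Sysmon-style process-creation events. The pids, the parent/child links and the extra executable ZzQwErT.exe are assumptions for illustration; the report lists the processes but not their tree.

```python
import re
from dataclasses import dataclass, field

# Three rows copied from the report's "Executes dropped EXE" table (the full table
# lists 21).  Only the third column, the process path, is used.
DROPPED_EXE_ROWS = r"""
| N/A | N/A | C:\Windows\System\DbkcpEn.exe | N/A |
| N/A | N/A | C:\Windows\System\epdNwky.exe | N/A |
| N/A | N/A | C:\Windows\System\qwwDpjd.exe | N/A |
"""

# Heuristic for the naming scheme seen in the report: a seven-letter executable
# directly under C:\Windows\System (the legacy directory, not System32), which
# normal software does not launch from.
RANDOM_SYSTEM_EXE = re.compile(r"^[a-z]:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)
USER_TEMP = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)


def parse_dropped_paths(table: str) -> set:
    """Lower-cased process paths from the report's four-column signature rows."""
    paths = set()
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4 and cells[2] != "N/A":
            paths.add(cells[2].lower())
    return paths


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str


@dataclass
class Hit:
    pid: int
    image: str
    reasons: list = field(default_factory=list)


def detect(events, known_dropped):
    """Flag process-creation events by exact IOC, by naming heuristic, and by parent location."""
    hits = []
    for ev in events:
        reasons = []
        if ev.image.lower() in known_dropped:
            reasons.append("known-dropped-exe")
        if RANDOM_SYSTEM_EXE.match(ev.image):
            reasons.append("random-name-in-windows-system")
        # Only meaningful in combination: plenty of benign installers run from Temp.
        if reasons and USER_TEMP.search(ev.parent_image):
            reasons.append("parent-in-user-temp")
        if reasons:
            hits.append(Hit(ev.pid, ev.image, reasons))
    return hits


# Constructed Sysmon-style events (hypothetical pids and parent links).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe")
EVENTS = [
    ProcEvent(2084, 1500, SAMPLE, r"C:\Windows\explorer.exe"),
    ProcEvent(2312, 2084, r"C:\Windows\System\DbkcpEn.exe", SAMPLE),
    ProcEvent(2372, 2084, r"C:\Windows\System\ZzQwErT.exe", SAMPLE),  # not in the report, same scheme
    ProcEvent(900, 700, r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\services.exe"),
]

if __name__ == "__main__":
    for hit in detect(EVENTS, parse_dropped_paths(DROPPED_EXE_ROWS)):
        print(hit.pid, hit.image, ", ".join(hit.reasons))
```

The exact-hash and exact-path IOCs catch this build only; the naming heuristic is what survives the next rebuild, which is why both are reported as separate reasons.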
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2084-0-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/2084-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\DbkcpEn.exe
| MD5 | d73f7b3dc46484a3f43a60b41f17144e |
| SHA1 | 71567d6d4efc91ab09d6f7207ab923ab01f932fc |
| SHA256 | 280c054317260d9611e77d742c43fab7fa4f3260d15f1b8d623fa7b46a5f3101 |
| SHA512 | 9021427beb693a079c4b2572f271a9fbffc018c0987f4fbc424f903f632e1d8c7597d8d235deb72d06622c9f209f1288bf6eaca02269e10325088e95c69eb3f0 |
\Windows\system\epdNwky.exe
| MD5 | 93530e2f9d751e64651a84e10dcad873 |
| SHA1 | 3c31f1cb1316c8f688127211efa26b26a3312b2f |
| SHA256 | f988d7fd88cd344bd171dfb6c8ec726b31599d09f547ef891a471be1a997e201 |
| SHA512 | 8e66ded956e9844cae1e62cf198f51c31afb9f4b06c60749d8ca062356cfd68dedf59d7631f51fc62977f9b132ecf75f570d903a35075636816ad9447527c93e |
memory/2084-15-0x000000013F9C0000-0x000000013FD11000-memory.dmp
C:\Windows\system\qwwDpjd.exe
| MD5 | f85bbeb3156be7a676097b1523b4c0a7 |
| SHA1 | 99f726d8633fda46a6699d44f7f8c26a03bc495f |
| SHA256 | 56ea4700084b209b5243f4c8f20e949d2882877ba5b6d91971774a6c0ba64a1f |
| SHA512 | 4d3e8e61eaf9b715bb5a2dd0e194b386b7109253e09d131221b492de4a1515ca2d7116bd289067b7b95f85bf0d4ed9fc7492bd4da356a10896423d12fcfc4957 |
memory/2312-18-0x000000013F790000-0x000000013FAE1000-memory.dmp
memory/2372-19-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
memory/2332-22-0x000000013F9C0000-0x000000013FD11000-memory.dmp
C:\Windows\system\qqAPBBI.exe
| MD5 | bde6bc248d123165468314b418ec641f |
| SHA1 | 9939dc8cf9b4d0a062114399dd931dca3651ba58 |
| SHA256 | ffcbb43b0848759d2ec3ecd805a31e3752b44a040b88e9549feac7da42ae3c37 |
| SHA512 | 076f47d7ba1e5db433c28ca2584a7f16a66590de022ed212043c9294edf61c10ed0a406cfdbf66918df96f10eabe7082989c1c2634061049cf551c034bcce99d |
C:\Windows\system\CfNTXLV.exe
| MD5 | a989dc64b4b01a8c23b6315213572cb3 |
| SHA1 | eff5824bd669487f565f1c9d8b9ab023dc4007f7 |
| SHA256 | dac1767164610ba857c6752bd3b1dd69d268eb33c503b797a3e8afbb300953eb |
| SHA512 | e7b25fa8ae9459616bdfdf71e9adf864b311b45dacb08d0fd5547f36493cc1c2c24556e9b113e051960cff49478d65d524414bd9392f4485ea7f207e813ca140 |
memory/2728-34-0x000000013F230000-0x000000013F581000-memory.dmp
memory/2084-38-0x0000000002260000-0x00000000025B1000-memory.dmp
memory/1932-64-0x000000013FC90000-0x000000013FFE1000-memory.dmp
\Windows\system\fTYRbcc.exe
| MD5 | c24900801220393785e91b6d7628d07f |
| SHA1 | fef9032aaf5c0c1278ad27a1706f81e6ec01b646 |
| SHA256 | 5ebf510f4ece133fa5d43615d19f447a405a6d6d34267e93cb4d0146bddcff5e |
| SHA512 | fc4dcd480fd88d53ddc9b66a1eac42846e5120bf16d10c599d34bd10e818e21dac6e08ee62d7fe5c8f336175c5e19216d04c761f29ae1637d484eef2020e158c |
memory/2084-66-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/2248-50-0x000000013FD10000-0x0000000140061000-memory.dmp
memory/2472-62-0x000000013F510000-0x000000013F861000-memory.dmp
memory/2908-39-0x000000013FBC0000-0x000000013FF11000-memory.dmp
C:\Windows\system\oDiZrtd.exe
| MD5 | e30ea9d4c0ad503a376b4d98866cb862 |
| SHA1 | 4aa6585052717c94cace49cf5a718b61f8292c70 |
| SHA256 | 749b3d249bd5b6f17c8063212f5b35f6d5aad802a1c0e0cf1f94fa2bfdbff199 |
| SHA512 | fa608d763c821cd00b27116d72d4ae456575c3b84d4afcb7a38e5b4ca84ff20d4c045bbd164f18f7d463b22bad1ab87fcd650f8d666e1f8ffa07e2775d01a88b |
memory/2084-61-0x0000000002260000-0x00000000025B1000-memory.dmp
memory/2312-60-0x000000013F790000-0x000000013FAE1000-memory.dmp
C:\Windows\system\iCZxnZC.exe
| MD5 | f010de3a2e8d8be80e4215428a5b9c5b |
| SHA1 | 7b96c5ddbfbd6b6acd394b57f6ca844a8815bcb5 |
| SHA256 | 731c07cc599660630815eb848fe22c9345263963fcc14a4bf8b219129c8e48ec |
| SHA512 | 499e5df12b05b37f52803f85c7ada974e1126af9504388fe57fde3f2993dce91a1f6569809bc6c464e6f4bb32cb53ecfd50cf2881ff60ae2b0f11c2cb2fa1610 |
C:\Windows\system\tTtQsNo.exe
| MD5 | 54c59388e240c525411d2951083eb7f8 |
| SHA1 | ba5aa52259994b7bb9d3592eab3fbaf1173e9181 |
| SHA256 | bbf7ebd9b46657c31c810e3a61c77a357f48ab3f509a4ad4ed386ca23509c917 |
| SHA512 | 79fc33a72dc7ef29f2811b218c1acaffdcd8684cf27ae0f4a265bc5b7ce80d9cbd4f2cc220fa802269f3bc384927b7aba18d89c5f5e2eed3e620cbb0e5168535 |
memory/2084-55-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/2084-54-0x000000013F510000-0x000000013F861000-memory.dmp
memory/2328-67-0x000000013F470000-0x000000013F7C1000-memory.dmp
C:\Windows\system\bNVftTp.exe
| MD5 | 405a6bd3cc432877e7ccdc91fb61b2e9 |
| SHA1 | 903ffae805014f24071351ddec9d39609a7c5bf3 |
| SHA256 | ad52a879fab6c95cd411fbac37169ca496dee8164d95434e98500e1272da864b |
| SHA512 | c9329d6ff91907d406e0da8ec838a577b801e864b8267fd9fc60ed4d1bf1fd1608a46eecaf0a849f52ef6a81e226ae4c9e5fd09b37f88e67484b8b8edd5f083a |
memory/2084-33-0x000000013F230000-0x000000013F581000-memory.dmp
memory/2328-28-0x000000013F470000-0x000000013F7C1000-memory.dmp
memory/2084-27-0x000000013F470000-0x000000013F7C1000-memory.dmp
memory/2084-21-0x000000013F790000-0x000000013FAE1000-memory.dmp
memory/2728-68-0x000000013F230000-0x000000013F581000-memory.dmp
C:\Windows\system\jpLbLFI.exe
| MD5 | b984b94d78dc7e771174717327ca5361 |
| SHA1 | 244964be362cc3d9b0f2b890acbbf8c072c07759 |
| SHA256 | f4aa492b781b36a5d306c6a95e7cf64cdf5c779900333dc46d590183bb05152b |
| SHA512 | 1af6fd24b13ad27671a60094552347d4d488648e1297e9af90644b40ca3af2896be127fa11e1704164ffafe9da4938978b3cdd26d8a5fc521ed87d5c9809e320 |
memory/2452-82-0x000000013F340000-0x000000013F691000-memory.dmp
memory/2084-84-0x000000013F0D0000-0x000000013F421000-memory.dmp
\Windows\system\kQiAjOf.exe
| MD5 | 921d3156607880b8cb1a29e190f5ad8e |
| SHA1 | b03e612b7580881ce04e8fdc6e8d0dfc98a3f20a |
| SHA256 | 81052be0d9446df51e3fc3e19c22d73c9055fecc8e04023a21e43685d8c6521f |
| SHA512 | 1f44786f9f82a5a864e7d78caa9751931e7e74f7298a99ed9ec1968ba149895d024da9e3984f8b4bdc66ad9a2da27962e466f69329f072d806f0da9cb7825f4b |
memory/2084-80-0x000000013F340000-0x000000013F691000-memory.dmp
memory/2908-78-0x000000013FBC0000-0x000000013FF11000-memory.dmp
memory/2844-72-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/2084-88-0x0000000002260000-0x00000000025B1000-memory.dmp
memory/2472-89-0x000000013F510000-0x000000013F861000-memory.dmp
memory/2228-91-0x000000013F0D0000-0x000000013F421000-memory.dmp
\Windows\system\YHVqpWc.exe
| MD5 | 8c912b9db5a493a5c279b302685689d4 |
| SHA1 | e95b017be53b7425497ccd6ba137085514a52fb1 |
| SHA256 | 024ee3d1f3c1d8ce1c55b059f54f110e2aae84747d766e6bbc57bfb3c1578e2f |
| SHA512 | f773aab898c7e809f71825a7e1fa662fdf763d6f3f69a161d16ea242f8bfd14349fb4ba0e4d9643349c3290c6c6c1c9defdf746827ac163cb096dbbd45521d60 |
memory/2776-99-0x000000013F410000-0x000000013F761000-memory.dmp
C:\Windows\system\awRTQUL.exe
| MD5 | 0e5c68d7bdec72cf0d8c1c51383a9d57 |
| SHA1 | 81cce9abdbd15b0bdb970da715870f3149cb0a59 |
| SHA256 | 50da804b76f2566d602a4e1f1bb995d4e33b74c05d06bc42180b82b97f19725f |
| SHA512 | 372b9780e44397af66b94bfb32537c05723d5edd45dbaa1c163c32a3d01e760e5cee2bf192f34adb9402828ac64941774df338cd792f3cb16673226a9339bdbb |
memory/320-126-0x000000013F360000-0x000000013F6B1000-memory.dmp
\Windows\system\RQtVjcm.exe
| MD5 | 2f0e8d35213859a0c9a3c208fafce37c |
| SHA1 | d8e4c9bd4fb2d38a8bad1489daa02e6a21e76178 |
| SHA256 | 58770cb5db2ae9b3e6357ab20a56cd5d34d1b2e16cb71965ae316903effd9fc4 |
| SHA512 | 5c66db90aa7ae6dd28ad4c5e4d3a7b7af5e37f8342e5e98fdb694b161e7322b20453bfbaace4e2b19ead426c809a2cb75dd432f448d42f2c0059206ce94096b9 |
\Windows\system\XNYVkuE.exe
| MD5 | 2f345b0899a1fd43080391cfde5530fe |
| SHA1 | 3517d69a34f4979120be4a16e815dcdd7b0462ff |
| SHA256 | 1b392c93d04bcf972bfabaf8b2def13ba63b046c91f1812b204def88bf181322 |
| SHA512 | 897b3560436884feb6df1db28002db6c552bcabd1965c7b8f376217cab3c76589f46e1df67e1a00a78ecf9bfa76c370ed4755ad181455e6074ad61f5a6ce5c9b |
memory/2084-136-0x0000000002260000-0x00000000025B1000-memory.dmp
C:\Windows\system\Knmjeye.exe
| MD5 | c9b286637d6f4d74a80500cefbf2264a |
| SHA1 | 7d87aa2ac17a35c67be07b9a36e19df09f4ca63e |
| SHA256 | 348dde3668614918a11ecaab7a902ea0cdd1b412728232310a52629acc0ad60a |
| SHA512 | 7812a865cba02ed01a3298c866ad959523913d2560f118cf137215e979828e3a0c415a021400c8c07b196014244d259af93d0b316730c9f9774bc1a6c85a9fc5 |
C:\Windows\system\IzZHjtn.exe
| MD5 | a857e8d1ac736e98551e19096e5c83c5 |
| SHA1 | 882add19a1762abc3394b7ffc13c9acc01a281ed |
| SHA256 | f076de36e72b85da882fc6812088af3113262dcbe664b710bab747b09ad8697a |
| SHA512 | 22c00e73440ae5c427b45151694342c47bf9b1541193f0de99b58187b00f01a443a4ac0529b515dc0840a9fdc75a9be110c3932dd7360b13980cc09e5f5130c4 |
C:\Windows\system\pVmmHac.exe
| MD5 | 2531171551fd2c98027e9f1caf56a050 |
| SHA1 | 7cbc2057c58807209ba998e72ce36c62926f5457 |
| SHA256 | bcbea8610db54597922a381be02d5970d3a11e387ca040a460f8c65da676bf8c |
| SHA512 | e680f69ebb98e756aed9447a5c303c0f64f3cc437f84f102bf336f566cb586c300df7c7f9759a3b7002e48ada678a9cc453bf24346b1a2f5c3510cd208effc9f |
C:\Windows\system\baENvmq.exe
| MD5 | 1b8f1baee111e2122bef272af9dea6b7 |
| SHA1 | b101dd0669541b981cb2f7d352b92bdd642bcbd6 |
| SHA256 | 136a7e5e85efba62003243be6bce383c1b93a1ab64b593b12f9c19b455385d25 |
| SHA512 | 0cdb362e0f740045967d97e07721aab69899c9bd8ca19abbb986597bf15fefe1b4cf4ab7ef98785d72f07968b73f37e98549a96227653b7127cafe730a312069 |
C:\Windows\system\ucdPksu.exe
| MD5 | b8612a1da5de6346501e592df86f15ee |
| SHA1 | bdc1237b4f046f19136dc9a08ba60a3bffe1c0d1 |
| SHA256 | e76f8cdfe1c38a27788d2695698ab055b3e7bcef961be57d92f376526b5db308 |
| SHA512 | 87b13f694ab1a1cb35656c0e5e75aaf91af7bf1d4e118a5d4f385dfadb71a0339c8071464fae1cc62a6d45036ef6ea9f6056989fa9f082e6d691cd671de3cd03 |
memory/2084-98-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/2084-96-0x000000013F410000-0x000000013F761000-memory.dmp
memory/1932-95-0x000000013FC90000-0x000000013FFE1000-memory.dmp
memory/2084-140-0x000000013F340000-0x000000013F691000-memory.dmp
memory/2844-139-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/2452-144-0x000000013F340000-0x000000013F691000-memory.dmp
memory/2084-149-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2084-145-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/2084-157-0x000000013F410000-0x000000013F761000-memory.dmp
memory/2776-158-0x000000013F410000-0x000000013F761000-memory.dmp
memory/320-160-0x000000013F360000-0x000000013F6B1000-memory.dmp
memory/860-169-0x000000013F450000-0x000000013F7A1000-memory.dmp
memory/1448-170-0x000000013F7C0000-0x000000013FB11000-memory.dmp
memory/2668-168-0x000000013FFF0000-0x0000000140341000-memory.dmp
memory/2420-166-0x000000013FBD0000-0x000000013FF21000-memory.dmp
memory/284-164-0x000000013FED0000-0x0000000140221000-memory.dmp
memory/1376-167-0x000000013F630000-0x000000013F981000-memory.dmp
memory/1516-165-0x000000013F700000-0x000000013FA51000-memory.dmp
memory/2084-171-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/2372-226-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
memory/2312-228-0x000000013F790000-0x000000013FAE1000-memory.dmp
memory/2332-230-0x000000013F9C0000-0x000000013FD11000-memory.dmp
memory/2908-232-0x000000013FBC0000-0x000000013FF11000-memory.dmp
memory/2248-234-0x000000013FD10000-0x0000000140061000-memory.dmp
memory/2728-237-0x000000013F230000-0x000000013F581000-memory.dmp
memory/2328-238-0x000000013F470000-0x000000013F7C1000-memory.dmp
memory/1932-241-0x000000013FC90000-0x000000013FFE1000-memory.dmp
memory/2472-247-0x000000013F510000-0x000000013F861000-memory.dmp
memory/2844-246-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/2452-249-0x000000013F340000-0x000000013F691000-memory.dmp
memory/2228-251-0x000000013F0D0000-0x000000013F421000-memory.dmp
memory/2776-263-0x000000013F410000-0x000000013F761000-memory.dmp
memory/320-264-0x000000013F360000-0x000000013F6B1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 10:28
Reported
2024-08-15 10:31
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; description, indicator, process and target not recorded.
Cobaltstrike
xmrig
XMRig Miner payload
45 matches; description, indicator, process and target not recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\DbkcpEn.exe | N/A |
| N/A | N/A | C:\Windows\System\qwwDpjd.exe | N/A |
| N/A | N/A | C:\Windows\System\epdNwky.exe | N/A |
| N/A | N/A | C:\Windows\System\qqAPBBI.exe | N/A |
| N/A | N/A | C:\Windows\System\CfNTXLV.exe | N/A |
| N/A | N/A | C:\Windows\System\bNVftTp.exe | N/A |
| N/A | N/A | C:\Windows\System\oDiZrtd.exe | N/A |
| N/A | N/A | C:\Windows\System\iCZxnZC.exe | N/A |
| N/A | N/A | C:\Windows\System\tTtQsNo.exe | N/A |
| N/A | N/A | C:\Windows\System\fTYRbcc.exe | N/A |
| N/A | N/A | C:\Windows\System\jpLbLFI.exe | N/A |
| N/A | N/A | C:\Windows\System\YHVqpWc.exe | N/A |
| N/A | N/A | C:\Windows\System\kQiAjOf.exe | N/A |
| N/A | N/A | C:\Windows\System\awRTQUL.exe | N/A |
| N/A | N/A | C:\Windows\System\ucdPksu.exe | N/A |
| N/A | N/A | C:\Windows\System\IzZHjtn.exe | N/A |
| N/A | N/A | C:\Windows\System\baENvmq.exe | N/A |
| N/A | N/A | C:\Windows\System\XNYVkuE.exe | N/A |
| N/A | N/A | C:\Windows\System\pVmmHac.exe | N/A |
| N/A | N/A | C:\Windows\System\RQtVjcm.exe | N/A |
| N/A | N/A | C:\Windows\System\Knmjeye.exe | N/A |
UPX packed file
64 matches; description, indicator, process and target not recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-15_e2b8bc3b15d824b761f54c53d394886c_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\DbkcpEn.exe
C:\Windows\System\DbkcpEn.exe
C:\Windows\System\qwwDpjd.exe
C:\Windows\System\qwwDpjd.exe
C:\Windows\System\epdNwky.exe
C:\Windows\System\epdNwky.exe
C:\Windows\System\qqAPBBI.exe
C:\Windows\System\qqAPBBI.exe
C:\Windows\System\CfNTXLV.exe
C:\Windows\System\CfNTXLV.exe
C:\Windows\System\oDiZrtd.exe
C:\Windows\System\oDiZrtd.exe
C:\Windows\System\bNVftTp.exe
C:\Windows\System\bNVftTp.exe
C:\Windows\System\iCZxnZC.exe
C:\Windows\System\iCZxnZC.exe
C:\Windows\System\tTtQsNo.exe
C:\Windows\System\tTtQsNo.exe
C:\Windows\System\fTYRbcc.exe
C:\Windows\System\fTYRbcc.exe
C:\Windows\System\jpLbLFI.exe
C:\Windows\System\jpLbLFI.exe
C:\Windows\System\kQiAjOf.exe
C:\Windows\System\kQiAjOf.exe
C:\Windows\System\YHVqpWc.exe
C:\Windows\System\YHVqpWc.exe
C:\Windows\System\awRTQUL.exe
C:\Windows\System\awRTQUL.exe
C:\Windows\System\ucdPksu.exe
C:\Windows\System\ucdPksu.exe
C:\Windows\System\IzZHjtn.exe
C:\Windows\System\IzZHjtn.exe
C:\Windows\System\baENvmq.exe
C:\Windows\System\baENvmq.exe
C:\Windows\System\XNYVkuE.exe
C:\Windows\System\XNYVkuE.exe
C:\Windows\System\pVmmHac.exe
C:\Windows\System\pVmmHac.exe
C:\Windows\System\RQtVjcm.exe
C:\Windows\System\RQtVjcm.exe
C:\Windows\System\Knmjeye.exe
C:\Windows\System\Knmjeye.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
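On the Windows 10 run the network table mixes the sample's traffic with the VM's own background activity. The following is an added example, not part of the sandbox report, of triaging such a table: it parses a subset of the rows above, drops what is assumed to be sandbox noise (the resolver at 8.8.8.8:53, reverse lookups, and Windows connectivity checks to Bing; these noise rules are assumptions to tune for your own sandbox image) and tags the remaining destinations by repetition and by port. What is left is the repeated TCP connection to 3.120.209.58:8080.

```python
from collections import Counter

# A subset of rows copied from the report's behavioral2 Network table, in the
# order printed there (Country | Destination | Domain | Proto; the Domain cell is
# empty for direct IP connections).
NETWORK_ROWS = r"""
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
"""

# Assumed sandbox background traffic: the VM's resolver, reverse lookups it
# performs on its own, and Windows 10 connectivity checks to Bing.  Tune for your
# own sandbox image; nothing here comes from the report.
SANDBOX_RESOLVER = "8.8.8.8:53"
NOISE_DOMAIN_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")
COMMON_WEB_PORTS = {80, 443}


def parse_network(table):
    rows = []
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4:
            rows.append({"country": cells[0], "dst": cells[1], "domain": cells[2], "proto": cells[3]})
    return rows


def is_sandbox_noise(row):
    if row["dst"] == SANDBOX_RESOLVER:
        return True
    return row["domain"].lower().endswith(NOISE_DOMAIN_SUFFIXES)


def triage(rows, repeat_threshold=3):
    """Count non-noise destinations and tag the ones worth a closer look."""
    counts = Counter((r["dst"], r["proto"]) for r in rows if not is_sandbox_noise(r))
    findings = []
    for (dst, proto), n in counts.most_common():
        port = int(dst.rsplit(":", 1)[1])
        tags = []
        if n >= repeat_threshold:
            tags.append("repeated")          # same endpoint hit again and again: check-in behaviour
        if proto == "tcp" and port not in COMMON_WEB_PORTS:
            tags.append("non-standard-port")
        findings.append((dst, proto, n, tags))
    return findings


if __name__ == "__main__":
    for dst, proto, n, tags in triage(parse_network(NETWORK_ROWS)):
        print(f"{dst:>22} {proto} x{n} {' '.join(tags)}")
```

The report gives no timestamps, so the "repeated" tag only says the endpoint was contacted several times in the run, not that the interval was regular; confirm the beacon period from a packet capture before treating it as a sleep setting.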
Files
memory/4748-0-0x00007FF732D70000-0x00007FF7330C1000-memory.dmp
memory/4748-1-0x0000026B31830000-0x0000026B31840000-memory.dmp
C:\Windows\System\DbkcpEn.exe
| MD5 | d73f7b3dc46484a3f43a60b41f17144e |
| SHA1 | 71567d6d4efc91ab09d6f7207ab923ab01f932fc |
| SHA256 | 280c054317260d9611e77d742c43fab7fa4f3260d15f1b8d623fa7b46a5f3101 |
| SHA512 | 9021427beb693a079c4b2572f271a9fbffc018c0987f4fbc424f903f632e1d8c7597d8d235deb72d06622c9f209f1288bf6eaca02269e10325088e95c69eb3f0 |
C:\Windows\System\qwwDpjd.exe
| MD5 | f85bbeb3156be7a676097b1523b4c0a7 |
| SHA1 | 99f726d8633fda46a6699d44f7f8c26a03bc495f |
| SHA256 | 56ea4700084b209b5243f4c8f20e949d2882877ba5b6d91971774a6c0ba64a1f |
| SHA512 | 4d3e8e61eaf9b715bb5a2dd0e194b386b7109253e09d131221b492de4a1515ca2d7116bd289067b7b95f85bf0d4ed9fc7492bd4da356a10896423d12fcfc4957 |
C:\Windows\System\epdNwky.exe
| MD5 | 93530e2f9d751e64651a84e10dcad873 |
| SHA1 | 3c31f1cb1316c8f688127211efa26b26a3312b2f |
| SHA256 | f988d7fd88cd344bd171dfb6c8ec726b31599d09f547ef891a471be1a997e201 |
| SHA512 | 8e66ded956e9844cae1e62cf198f51c31afb9f4b06c60749d8ca062356cfd68dedf59d7631f51fc62977f9b132ecf75f570d903a35075636816ad9447527c93e |
C:\Windows\System\bNVftTp.exe
| MD5 | 405a6bd3cc432877e7ccdc91fb61b2e9 |
| SHA1 | 903ffae805014f24071351ddec9d39609a7c5bf3 |
| SHA256 | ad52a879fab6c95cd411fbac37169ca496dee8164d95434e98500e1272da864b |
| SHA512 | c9329d6ff91907d406e0da8ec838a577b801e864b8267fd9fc60ed4d1bf1fd1608a46eecaf0a849f52ef6a81e226ae4c9e5fd09b37f88e67484b8b8edd5f083a |
C:\Windows\System\iCZxnZC.exe
| MD5 | f010de3a2e8d8be80e4215428a5b9c5b |
| SHA1 | 7b96c5ddbfbd6b6acd394b57f6ca844a8815bcb5 |
| SHA256 | 731c07cc599660630815eb848fe22c9345263963fcc14a4bf8b219129c8e48ec |
| SHA512 | 499e5df12b05b37f52803f85c7ada974e1126af9504388fe57fde3f2993dce91a1f6569809bc6c464e6f4bb32cb53ecfd50cf2881ff60ae2b0f11c2cb2fa1610 |
C:\Windows\System\YHVqpWc.exe
| MD5 | 8c912b9db5a493a5c279b302685689d4 |
| SHA1 | e95b017be53b7425497ccd6ba137085514a52fb1 |
| SHA256 | 024ee3d1f3c1d8ce1c55b059f54f110e2aae84747d766e6bbc57bfb3c1578e2f |
| SHA512 | f773aab898c7e809f71825a7e1fa662fdf763d6f3f69a161d16ea242f8bfd14349fb4ba0e4d9643349c3290c6c6c1c9defdf746827ac163cb096dbbd45521d60 |
C:\Windows\System\fTYRbcc.exe
| MD5 | c24900801220393785e91b6d7628d07f |
| SHA1 | fef9032aaf5c0c1278ad27a1706f81e6ec01b646 |
| SHA256 | 5ebf510f4ece133fa5d43615d19f447a405a6d6d34267e93cb4d0146bddcff5e |
| SHA512 | fc4dcd480fd88d53ddc9b66a1eac42846e5120bf16d10c599d34bd10e818e21dac6e08ee62d7fe5c8f336175c5e19216d04c761f29ae1637d484eef2020e158c |
memory/2264-70-0x00007FF650D00000-0x00007FF651051000-memory.dmp
C:\Windows\System\jpLbLFI.exe
| MD5 | b984b94d78dc7e771174717327ca5361 |
| SHA1 | 244964be362cc3d9b0f2b890acbbf8c072c07759 |
| SHA256 | f4aa492b781b36a5d306c6a95e7cf64cdf5c779900333dc46d590183bb05152b |
| SHA512 | 1af6fd24b13ad27671a60094552347d4d488648e1297e9af90644b40ca3af2896be127fa11e1704164ffafe9da4938978b3cdd26d8a5fc521ed87d5c9809e320 |
C:\Windows\System\IzZHjtn.exe
| MD5 | a857e8d1ac736e98551e19096e5c83c5 |
| SHA1 | 882add19a1762abc3394b7ffc13c9acc01a281ed |
| SHA256 | f076de36e72b85da882fc6812088af3113262dcbe664b710bab747b09ad8697a |
| SHA512 | 22c00e73440ae5c427b45151694342c47bf9b1541193f0de99b58187b00f01a443a4ac0529b515dc0840a9fdc75a9be110c3932dd7360b13980cc09e5f5130c4 |
memory/4068-99-0x00007FF76E510000-0x00007FF76E861000-memory.dmp
memory/2088-107-0x00007FF604DB0000-0x00007FF605101000-memory.dmp
C:\Windows\System\RQtVjcm.exe
| MD5 | 2f0e8d35213859a0c9a3c208fafce37c |
| SHA1 | d8e4c9bd4fb2d38a8bad1489daa02e6a21e76178 |
| SHA256 | 58770cb5db2ae9b3e6357ab20a56cd5d34d1b2e16cb71965ae316903effd9fc4 |
| SHA512 | 5c66db90aa7ae6dd28ad4c5e4d3a7b7af5e37f8342e5e98fdb694b161e7322b20453bfbaace4e2b19ead426c809a2cb75dd432f448d42f2c0059206ce94096b9 |
C:\Windows\System\Knmjeye.exe
| MD5 | c9b286637d6f4d74a80500cefbf2264a |
| SHA1 | 7d87aa2ac17a35c67be07b9a36e19df09f4ca63e |
| SHA256 | 348dde3668614918a11ecaab7a902ea0cdd1b412728232310a52629acc0ad60a |
| SHA512 | 7812a865cba02ed01a3298c866ad959523913d2560f118cf137215e979828e3a0c415a021400c8c07b196014244d259af93d0b316730c9f9774bc1a6c85a9fc5 |
C:\Windows\System\pVmmHac.exe
| MD5 | 2531171551fd2c98027e9f1caf56a050 |
| SHA1 | 7cbc2057c58807209ba998e72ce36c62926f5457 |
| SHA256 | bcbea8610db54597922a381be02d5970d3a11e387ca040a460f8c65da676bf8c |
| SHA512 | e680f69ebb98e756aed9447a5c303c0f64f3cc437f84f102bf336f566cb586c300df7c7f9759a3b7002e48ada678a9cc453bf24346b1a2f5c3510cd208effc9f |
C:\Windows\System\XNYVkuE.exe
| MD5 | 2f345b0899a1fd43080391cfde5530fe |
| SHA1 | 3517d69a34f4979120be4a16e815dcdd7b0462ff |
| SHA256 | 1b392c93d04bcf972bfabaf8b2def13ba63b046c91f1812b204def88bf181322 |
| SHA512 | 897b3560436884feb6df1db28002db6c552bcabd1965c7b8f376217cab3c76589f46e1df67e1a00a78ecf9bfa76c370ed4755ad181455e6074ad61f5a6ce5c9b |
memory/1992-103-0x00007FF6C4810000-0x00007FF6C4B61000-memory.dmp
memory/4064-102-0x00007FF708590000-0x00007FF7088E1000-memory.dmp
C:\Windows\System\baENvmq.exe
| MD5 | 1b8f1baee111e2122bef272af9dea6b7 |
| SHA1 | b101dd0669541b981cb2f7d352b92bdd642bcbd6 |
| SHA256 | 136a7e5e85efba62003243be6bce383c1b93a1ab64b593b12f9c19b455385d25 |
| SHA512 | 0cdb362e0f740045967d97e07721aab69899c9bd8ca19abbb986597bf15fefe1b4cf4ab7ef98785d72f07968b73f37e98549a96227653b7127cafe730a312069 |
C:\Windows\System\ucdPksu.exe
| MD5 | b8612a1da5de6346501e592df86f15ee |
| SHA1 | bdc1237b4f046f19136dc9a08ba60a3bffe1c0d1 |
| SHA256 | e76f8cdfe1c38a27788d2695698ab055b3e7bcef961be57d92f376526b5db308 |
| SHA512 | 87b13f694ab1a1cb35656c0e5e75aaf91af7bf1d4e118a5d4f385dfadb71a0339c8071464fae1cc62a6d45036ef6ea9f6056989fa9f082e6d691cd671de3cd03 |
C:\Windows\System\awRTQUL.exe
| MD5 | 0e5c68d7bdec72cf0d8c1c51383a9d57 |
| SHA1 | 81cce9abdbd15b0bdb970da715870f3149cb0a59 |
| SHA256 | 50da804b76f2566d602a4e1f1bb995d4e33b74c05d06bc42180b82b97f19725f |
| SHA512 | 372b9780e44397af66b94bfb32537c05723d5edd45dbaa1c163c32a3d01e760e5cee2bf192f34adb9402828ac64941774df338cd792f3cb16673226a9339bdbb |
memory/2192-88-0x00007FF687D40000-0x00007FF688091000-memory.dmp
C:\Windows\System\kQiAjOf.exe
| MD5 | 921d3156607880b8cb1a29e190f5ad8e |
| SHA1 | b03e612b7580881ce04e8fdc6e8d0dfc98a3f20a |
| SHA256 | 81052be0d9446df51e3fc3e19c22d73c9055fecc8e04023a21e43685d8c6521f |
| SHA512 | 1f44786f9f82a5a864e7d78caa9751931e7e74f7298a99ed9ec1968ba149895d024da9e3984f8b4bdc66ad9a2da27962e466f69329f072d806f0da9cb7825f4b |
memory/3048-75-0x00007FF609260000-0x00007FF6095B1000-memory.dmp
memory/2688-62-0x00007FF6BB640000-0x00007FF6BB991000-memory.dmp
C:\Windows\System\tTtQsNo.exe
| MD5 | 54c59388e240c525411d2951083eb7f8 |
| SHA1 | ba5aa52259994b7bb9d3592eab3fbaf1173e9181 |
| SHA256 | bbf7ebd9b46657c31c810e3a61c77a357f48ab3f509a4ad4ed386ca23509c917 |
| SHA512 | 79fc33a72dc7ef29f2811b218c1acaffdcd8684cf27ae0f4a265bc5b7ce80d9cbd4f2cc220fa802269f3bc384927b7aba18d89c5f5e2eed3e620cbb0e5168535 |
memory/4696-53-0x00007FF76E110000-0x00007FF76E461000-memory.dmp
C:\Windows\System\oDiZrtd.exe
| MD5 | e30ea9d4c0ad503a376b4d98866cb862 |
| SHA1 | 4aa6585052717c94cace49cf5a718b61f8292c70 |
| SHA256 | 749b3d249bd5b6f17c8063212f5b35f6d5aad802a1c0e0cf1f94fa2bfdbff199 |
| SHA512 | fa608d763c821cd00b27116d72d4ae456575c3b84d4afcb7a38e5b4ca84ff20d4c045bbd164f18f7d463b22bad1ab87fcd650f8d666e1f8ffa07e2775d01a88b |
memory/3468-34-0x00007FF668E10000-0x00007FF669161000-memory.dmp
C:\Windows\System\CfNTXLV.exe
| MD5 | a989dc64b4b01a8c23b6315213572cb3 |
| SHA1 | eff5824bd669487f565f1c9d8b9ab023dc4007f7 |
| SHA256 | dac1767164610ba857c6752bd3b1dd69d268eb33c503b797a3e8afbb300953eb |
| SHA512 | e7b25fa8ae9459616bdfdf71e9adf864b311b45dacb08d0fd5547f36493cc1c2c24556e9b113e051960cff49478d65d524414bd9392f4485ea7f207e813ca140 |
C:\Windows\System\qqAPBBI.exe
| MD5 | bde6bc248d123165468314b418ec641f |
| SHA1 | 9939dc8cf9b4d0a062114399dd931dca3651ba58 |
| SHA256 | ffcbb43b0848759d2ec3ecd805a31e3752b44a040b88e9549feac7da42ae3c37 |
| SHA512 | 076f47d7ba1e5db433c28ca2584a7f16a66590de022ed212043c9294edf61c10ed0a406cfdbf66918df96f10eabe7082989c1c2634061049cf551c034bcce99d |
memory/4600-20-0x00007FF79ED70000-0x00007FF79F0C1000-memory.dmp
memory/3488-19-0x00007FF73D600000-0x00007FF73D951000-memory.dmp
memory/5036-12-0x00007FF6F8E80000-0x00007FF6F91D1000-memory.dmp
memory/116-120-0x00007FF686CC0000-0x00007FF687011000-memory.dmp
memory/3064-121-0x00007FF62AF80000-0x00007FF62B2D1000-memory.dmp
memory/3720-123-0x00007FF7BE2E0000-0x00007FF7BE631000-memory.dmp
memory/4892-125-0x00007FF60BAF0000-0x00007FF60BE41000-memory.dmp
memory/3896-126-0x00007FF67A000000-0x00007FF67A351000-memory.dmp
memory/668-124-0x00007FF6210E0000-0x00007FF621431000-memory.dmp
memory/1360-127-0x00007FF6EB2C0000-0x00007FF6EB611000-memory.dmp
memory/1560-122-0x00007FF7764A0000-0x00007FF7767F1000-memory.dmp
memory/4600-131-0x00007FF79ED70000-0x00007FF79F0C1000-memory.dmp
memory/3488-130-0x00007FF73D600000-0x00007FF73D951000-memory.dmp
memory/5036-129-0x00007FF6F8E80000-0x00007FF6F91D1000-memory.dmp
memory/4748-128-0x00007FF732D70000-0x00007FF7330C1000-memory.dmp
memory/4068-143-0x00007FF76E510000-0x00007FF76E861000-memory.dmp
memory/4064-146-0x00007FF708590000-0x00007FF7088E1000-memory.dmp
memory/2192-140-0x00007FF687D40000-0x00007FF688091000-memory.dmp
memory/1992-147-0x00007FF6C4810000-0x00007FF6C4B61000-memory.dmp
memory/4748-150-0x00007FF732D70000-0x00007FF7330C1000-memory.dmp
memory/4748-151-0x00007FF732D70000-0x00007FF7330C1000-memory.dmp
memory/5036-212-0x00007FF6F8E80000-0x00007FF6F91D1000-memory.dmp
memory/3488-214-0x00007FF73D600000-0x00007FF73D951000-memory.dmp
memory/3468-216-0x00007FF668E10000-0x00007FF669161000-memory.dmp
memory/4696-218-0x00007FF76E110000-0x00007FF76E461000-memory.dmp
memory/4600-220-0x00007FF79ED70000-0x00007FF79F0C1000-memory.dmp
memory/2688-223-0x00007FF6BB640000-0x00007FF6BB991000-memory.dmp
memory/2088-224-0x00007FF604DB0000-0x00007FF605101000-memory.dmp
memory/2264-226-0x00007FF650D00000-0x00007FF651051000-memory.dmp
memory/116-229-0x00007FF686CC0000-0x00007FF687011000-memory.dmp
memory/3048-230-0x00007FF609260000-0x00007FF6095B1000-memory.dmp
memory/2192-238-0x00007FF687D40000-0x00007FF688091000-memory.dmp
memory/3064-240-0x00007FF62AF80000-0x00007FF62B2D1000-memory.dmp
memory/1560-244-0x00007FF7764A0000-0x00007FF7767F1000-memory.dmp
memory/3720-242-0x00007FF7BE2E0000-0x00007FF7BE631000-memory.dmp
memory/4068-246-0x00007FF76E510000-0x00007FF76E861000-memory.dmp
memory/4892-254-0x00007FF60BAF0000-0x00007FF60BE41000-memory.dmp
memory/4064-253-0x00007FF708590000-0x00007FF7088E1000-memory.dmp
memory/668-258-0x00007FF6210E0000-0x00007FF621431000-memory.dmp
memory/1360-257-0x00007FF6EB2C0000-0x00007FF6EB611000-memory.dmp
memory/3896-249-0x00007FF67A000000-0x00007FF67A351000-memory.dmp
memory/1992-251-0x00007FF6C4810000-0x00007FF6C4B61000-memory.dmp