Analysis Overview
SHA256
0982f6db774f8549398f52a461dda8701963f9d3c9d3ec59c635e2ca6994632c
Threat Level: Known bad
The file 2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobaltstrike
xmrig
Cobaltstrike family
Cobalt Strike reflective loader
XMRig Miner payload
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-15 11:29
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 11:29
Reported
2024-08-15 11:31
Platform
win7-20240705-en
Max time kernel
141s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\OTbTBIy.exe | N/A |
| N/A | N/A | C:\Windows\System\AneVIkp.exe | N/A |
| N/A | N/A | C:\Windows\System\wLtExFK.exe | N/A |
| N/A | N/A | C:\Windows\System\zJnWWGR.exe | N/A |
| N/A | N/A | C:\Windows\System\JzahhfW.exe | N/A |
| N/A | N/A | C:\Windows\System\PBBfqnp.exe | N/A |
| N/A | N/A | C:\Windows\System\eroeGdX.exe | N/A |
| N/A | N/A | C:\Windows\System\cPELJOm.exe | N/A |
| N/A | N/A | C:\Windows\System\wSJURPA.exe | N/A |
| N/A | N/A | C:\Windows\System\exhDQTx.exe | N/A |
| N/A | N/A | C:\Windows\System\KSDyqZp.exe | N/A |
| N/A | N/A | C:\Windows\System\biDaVYe.exe | N/A |
| N/A | N/A | C:\Windows\System\QKtcyYg.exe | N/A |
| N/A | N/A | C:\Windows\System\YArcfJh.exe | N/A |
| N/A | N/A | C:\Windows\System\WlLweSX.exe | N/A |
| N/A | N/A | C:\Windows\System\grifmNx.exe | N/A |
| N/A | N/A | C:\Windows\System\qNivVtG.exe | N/A |
| N/A | N/A | C:\Windows\System\UXNlubQ.exe | N/A |
| N/A | N/A | C:\Windows\System\ygAAAVI.exe | N/A |
| N/A | N/A | C:\Windows\System\HPrEamr.exe | N/A |
| N/A | N/A | C:\Windows\System\fegQgSL.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\OTbTBIy.exe
C:\Windows\System\OTbTBIy.exe
C:\Windows\System\AneVIkp.exe
C:\Windows\System\AneVIkp.exe
C:\Windows\System\wLtExFK.exe
C:\Windows\System\wLtExFK.exe
C:\Windows\System\zJnWWGR.exe
C:\Windows\System\zJnWWGR.exe
C:\Windows\System\JzahhfW.exe
C:\Windows\System\JzahhfW.exe
C:\Windows\System\PBBfqnp.exe
C:\Windows\System\PBBfqnp.exe
C:\Windows\System\eroeGdX.exe
C:\Windows\System\eroeGdX.exe
C:\Windows\System\cPELJOm.exe
C:\Windows\System\cPELJOm.exe
C:\Windows\System\wSJURPA.exe
C:\Windows\System\wSJURPA.exe
C:\Windows\System\exhDQTx.exe
C:\Windows\System\exhDQTx.exe
C:\Windows\System\KSDyqZp.exe
C:\Windows\System\KSDyqZp.exe
C:\Windows\System\biDaVYe.exe
C:\Windows\System\biDaVYe.exe
C:\Windows\System\QKtcyYg.exe
C:\Windows\System\QKtcyYg.exe
C:\Windows\System\YArcfJh.exe
C:\Windows\System\YArcfJh.exe
C:\Windows\System\WlLweSX.exe
C:\Windows\System\WlLweSX.exe
C:\Windows\System\grifmNx.exe
C:\Windows\System\grifmNx.exe
C:\Windows\System\qNivVtG.exe
C:\Windows\System\qNivVtG.exe
C:\Windows\System\UXNlubQ.exe
C:\Windows\System\UXNlubQ.exe
C:\Windows\System\ygAAAVI.exe
C:\Windows\System\ygAAAVI.exe
C:\Windows\System\HPrEamr.exe
C:\Windows\System\HPrEamr.exe
C:\Windows\System\fegQgSL.exe
C:\Windows\System\fegQgSL.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1240-0-0x000000013F280000-0x000000013F5D1000-memory.dmp
memory/1240-1-0x00000000000F0000-0x0000000000100000-memory.dmp
C:\Windows\system\OTbTBIy.exe
| MD5 | 69a07a11ce7a919cb85324bd4082ba6e |
| SHA1 | 6189db492f48f0886511a10d13ee83be47a3790a |
| SHA256 | bfb9eb1cc33adfcc7d07fd3cecd1e723dbd8ebcd4859f90d427517a2fcf9bebf |
| SHA512 | d12487f25a77c4ceae0a8eacdfac35fada048884041c7ace79cda7570e9dfc733feba6f7c65c2f480df51f5f0863263d263e0bd34acd0b20f0af70193c485a05 |
\Windows\system\AneVIkp.exe
| MD5 | e90417be32cd711df563188503c6905a |
| SHA1 | 018f3bb24deefb352c98456d2acf173da23d3cbe |
| SHA256 | 5a460bfa45866c8fb0442cbacb7455c1dba760d47420b2545d90df6110c9969c |
| SHA512 | 980d9b21db80b05d1905ba312c4eb66f74d9ce5c3bd56356f2588638b7c584d558d67a659d28e61da320f064ff871cd2e47d15ab35b6a6331768062b6f15ac90 |
C:\Windows\system\wLtExFK.exe
| MD5 | 75c39046dbf7a27c5b6536c1a0b44485 |
| SHA1 | f888ce953fbbe919b8281239c577ce4c6bd43f52 |
| SHA256 | 58bff3039ac6f10ac46e703196ff9f958c1eb5e87d625a35f3ab6ddeab6fbc3c |
| SHA512 | 17329427ba17971e11350d487d660526cb63af4605db1179635b62c084562bb2ed44b43fbf9a833658f6e08369f4cd4893c38ca7cd00c7fcfdeb5496b2dfe17e |
C:\Windows\system\zJnWWGR.exe
| MD5 | 87c88b1cad3cb6e1c191b6a0a641e771 |
| SHA1 | 5558c13209f73d88480a1acb88154d9fd49bc337 |
| SHA256 | 0b70c167ad0819a3354501670e061925b474975e044204631455beea4d1729e9 |
| SHA512 | 4ca5fb69da362bae5b8d9f91d0d3ef7fae29ad6bb8f27d935011e646e462ee214d83c13820b9e73949a3301bb99f8db1a59692b1f431ca2c2284bbfd8614f1d4 |
C:\Windows\system\JzahhfW.exe
| MD5 | 475f01fdac8328d4aa305e1b6b1ee269 |
| SHA1 | c36073afa06a32d03ff1da6cc879928cd22aedb3 |
| SHA256 | f0c845c2fba97fc3d009348d70f8fd4c581c2fb52620496aff0abf255a3b3459 |
| SHA512 | c1087ef157960ada6fdc80bfc0f11f623883b1e7c0dd90893e40b29f3ebfcfbdd1803d879294381f73c6e8fd72335da438ad73c9bf69f67559a6df9028f53dd5 |
C:\Windows\system\eroeGdX.exe
| MD5 | 1ae6bb531f40a5a93bda5ddc4032d721 |
| SHA1 | 6bbf1d7ad9dabb2ff83d5f63eed12fd21fe54a13 |
| SHA256 | 9d1079bf2239d6950262788bd875c0064aa5956ccebed04523c26105c8286f24 |
| SHA512 | 4713d6c444760a36122528d0c8563e9d066766a9203493800b33ce50d0512818490636e88abfbb9bdee58920a2ef2df0c875947523adb11dbd51642edf5647bf |
C:\Windows\system\cPELJOm.exe
| MD5 | e5f28dfc080ce8fa225dcf57ff4b682f |
| SHA1 | 8c09b9bc2323b125daab41774c31d9e67422c69c |
| SHA256 | f7576286e9509d0d920b97d68d07f06a69eed64788074438e8420997d4f3c9b6 |
| SHA512 | 681246527fb24f0d359338dd000cb051bcfc862886011d2b98bf40b09bf8e81e02aa1b59d759904a8194ee30e7f645971b2c3b500d409b0df2bbf4d9cb455b8b |
C:\Windows\system\wSJURPA.exe
| MD5 | 676ff169429cc7eee96ceb144b689b8d |
| SHA1 | 9efaa7b7b757ed2d22cb1678bc00bf952e112fec |
| SHA256 | f470596fdd30a2a55a7ed9ca4ee01a5c04d185bab900033ba1d2d1fa66bf6dee |
| SHA512 | 5c2172a9ca451aa0e817b958b8e668e0d9dc853bd9250f6b10dbcc54c6b5dcdd661c89d961cad6cbbf74df5fd492823225e46b4ee94f2890d967f1964d6f4d5b |
C:\Windows\system\exhDQTx.exe
| MD5 | cb05cf88b8d14784763b970c28983b7c |
| SHA1 | 374133a337edd44883bf97e30bc57fc11ed7d18d |
| SHA256 | cac6db0f3c070e21744e9d95ce59ebc1490c76e4da82827d6a9dffff3444b4e5 |
| SHA512 | 12ce53a3b60912c5b7445ade2113f42f75ba7527b8c13102646f3605247e60d65dc0b6417135bcd75a3793ae792884841226fe46547b0836531d9789737b4db1 |
C:\Windows\system\biDaVYe.exe
| MD5 | aecb1343d3de3857e7c088ff2fbbd8a0 |
| SHA1 | 890c325ae4c41344fab28ce6bcee32a5982cba61 |
| SHA256 | c1e437d569d12a8ef1c277ea894278bcda046efbcbb57b829799463fc6bb48a4 |
| SHA512 | d6b182abc861df213a323cbc27fc76c5625a4a6d2411576964f17690ba7f1b60c6a5c8c1ae8995dd409783e929882c0e69f27f43b72545952abf6128bb04e819 |
C:\Windows\system\WlLweSX.exe
| MD5 | 483b49990dff74cfc382116be40a093e |
| SHA1 | 8236406e87009c9d0527f126b1984237c5439715 |
| SHA256 | ec8593258cbf5650f9038fd0ac8cfd3ccfd3057e5f0df5baef4b3b7c0f049f3d |
| SHA512 | b9017a2618c5b963448ae559fe9e94aa4087d037423193feb0ec3ea3947883523b5a4c2cadedd90af418ae384bf888e0f38501d38897074996b4437d3f72f39c |
C:\Windows\system\UXNlubQ.exe
| MD5 | 825c35dc2e54af5497116c807710fc39 |
| SHA1 | 5339da8c4ae611a0c8bb76d22fe15f1e09208c5c |
| SHA256 | e8cf1b9358c28525ac1ca2e103e3c8977058b41303bdd9d5b5e36db0cfe89922 |
| SHA512 | 6d200841c86e05a9eb6f0ab7cb95975450424b57398a27745ad0edfee3e40ed472cb53c7d67baac913eea80845320d53a1649bce9a9978e7a770524f2859bdaa |
C:\Windows\system\fegQgSL.exe
| MD5 | bd102341ab5f1b01934a3b57badcb9b8 |
| SHA1 | 18567166fa2c36daf427c27b52ce082bc36834a4 |
| SHA256 | 366c2a4ae075c44390ab4dd0581422af2b9358c3b81eb241ed0ff07c57fce03f |
| SHA512 | 5c054e8776c8611947ff2506a68b0ccc854c6ded270b0fbdc3d52b737d919d55935b5e3bdc3a51bd760801537acc364f949b392c387c89e8d37fda06bd6af863 |
C:\Windows\system\HPrEamr.exe
| MD5 | 7d5b9e99133e5b91e6e8ddc418904738 |
| SHA1 | a59c579c386a6ff2eb187998a4287716017182ca |
| SHA256 | 20c91a7449e1c523567276f5a2e825486e6d521feecb584d457f31e1c75ae964 |
| SHA512 | 25b2b1c29cb1a3104d161c5e4f2c512a01bcf5662f6596bed351cda71ee51adca780ed1aca9eab39fadeb713ae8e1c8444e137e7a24b4ece2494f0eb4f07176a |
C:\Windows\system\ygAAAVI.exe
| MD5 | 5a799185050f7230f9bb4060d5099300 |
| SHA1 | 06a9d1e2cdf3dbc91c5e0aef42e5eb2b3f2a3c8a |
| SHA256 | e7fc1eaff0337fecc573373809d7f4c42fa0cf7e974933a094556b49180a0e1a |
| SHA512 | 3de049b4404223a473a94379b561881f55fb3017ace818597a2e2003c21854b7b798e242e74c6cd7162acda17ebe65cdb8cc201d68e21e27af2d37d49d005ab3 |
memory/2164-110-0x000000013F9B0000-0x000000013FD01000-memory.dmp
memory/1240-114-0x000000013F9A0000-0x000000013FCF1000-memory.dmp
memory/1240-113-0x000000013FCC0000-0x0000000140011000-memory.dmp
memory/1684-112-0x000000013FFF0000-0x0000000140341000-memory.dmp
memory/1240-111-0x000000013FFF0000-0x0000000140341000-memory.dmp
memory/1240-109-0x000000013F9B0000-0x000000013FD01000-memory.dmp
memory/1160-108-0x000000013F9E0000-0x000000013FD31000-memory.dmp
memory/1240-107-0x000000013F9E0000-0x000000013FD31000-memory.dmp
memory/2420-106-0x000000013F270000-0x000000013F5C1000-memory.dmp
memory/2600-105-0x000000013F620000-0x000000013F971000-memory.dmp
memory/1240-104-0x000000013F620000-0x000000013F971000-memory.dmp
memory/888-103-0x000000013F640000-0x000000013F991000-memory.dmp
memory/1240-102-0x000000013F640000-0x000000013F991000-memory.dmp
memory/2744-101-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/1240-100-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2604-99-0x000000013FDA0000-0x00000001400F1000-memory.dmp
memory/1240-98-0x000000013FDA0000-0x00000001400F1000-memory.dmp
memory/2844-97-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/1240-96-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/2696-95-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/2172-94-0x000000013F0A0000-0x000000013F3F1000-memory.dmp
memory/1240-92-0x0000000002410000-0x0000000002761000-memory.dmp
memory/2020-91-0x000000013F650000-0x000000013F9A1000-memory.dmp
memory/1240-90-0x000000013F650000-0x000000013F9A1000-memory.dmp
memory/2876-89-0x000000013F9A0000-0x000000013FCF1000-memory.dmp
memory/2852-88-0x000000013FCD0000-0x0000000140021000-memory.dmp
C:\Windows\system\qNivVtG.exe
| MD5 | 12bbcce03353e3071aa93f4838241916 |
| SHA1 | ff9e5e5c173f5985c3214c9c674a3159e9eceec5 |
| SHA256 | eb9e83f12eb4309b58a318c51877faf202436400f329b270a0f9717f5aab5844 |
| SHA512 | 4dd3a36a618e54d05f719543d946b9ab74fe72b7d8df39d02fc77e43b36341334d091da0e3bbb8bef376858c5933c24ed6958a227bd96b4c28795ec212f1694d |
C:\Windows\system\grifmNx.exe
| MD5 | fad28099352f8040deb465e9975c3154 |
| SHA1 | 03c838b7fa40b9d43739c3901605ed7aca0dd710 |
| SHA256 | 8d56c66b5e355aeacbf6c1e467826722a130afbe535a0cd2501e73d31bf6219b |
| SHA512 | baa5d40a3cfd1ec7e635ea896efbfee3d29ebb805a2a3ae321a64943f19675a03e8fb56f378019128d69d76674c9f914e83f046f87eed9e175f5aeacaa56d775 |
C:\Windows\system\YArcfJh.exe
| MD5 | 7564318b7f346f3affb4060cce664bbe |
| SHA1 | 18958334231c5dd4f198bfca9fd37773c71cd8b5 |
| SHA256 | 2182a855ed92446ce53ed242392ca92c6083577e78700e9d6b842fd8aeee53af |
| SHA512 | a1e48eed57edebd80de7ddf32eae9691e4673f5d729988d37a082e9fb33a2e6122d97903acbab2fa1af73a938b0a985d81364678a0bbff74223b8a9d943d5eb7 |
C:\Windows\system\QKtcyYg.exe
| MD5 | 3d9c75ae44aa52251c6d21bda49f453b |
| SHA1 | 228fe30c193a62361b2621a0701655772bd055f2 |
| SHA256 | c645ae438b3573180a80321fa29e5c74577d4f563f9de38c8735cb7f24b072a9 |
| SHA512 | 43b9c84f659756059936fb73138b3d74d6b987adffdf209338a0d9ce83cb4e29da589756bb432c817d9dafbf371ede87060acc7e8aa53a7d136eb75d20c4157a |
C:\Windows\system\KSDyqZp.exe
| MD5 | a4dba1adabeb197d46ff27c2fbfd44b8 |
| SHA1 | 91592e678f7d04156be59d8fb6aca22fdb9fb932 |
| SHA256 | 5d511d97dcdd28d2fcda23940f752ee6c237740e7ea952831f5ab4c1d5702c19 |
| SHA512 | c73f0ae815a70e72804fd74524b205ee99add95bb675d2bff686def96e98fcfec776b331f6b20ee27a6bd91b44fe34260cb5a3f520db2f88cba4740b26dae242 |
C:\Windows\system\PBBfqnp.exe
| MD5 | 51d318a1e6360cb524ba0afca8111be4 |
| SHA1 | 3c03c9279e8f145a4bc75f697e3658d502ab4597 |
| SHA256 | 844bd8870dcaf99f66a7b9b1426842e1eb9209674f47857ff34ad6c4f4b6a6f0 |
| SHA512 | 1c97d2580a2f14ba969a1ad4aa5555947f0bbe2bd49c4e6542e6752574252bcc72f3ba338e0f95167b03bbd42c08b18a6b2c0bffec015fa97aabb10c3a0b4df7 |
memory/1240-133-0x000000013F280000-0x000000013F5D1000-memory.dmp
memory/1240-134-0x000000013F280000-0x000000013F5D1000-memory.dmp
memory/1240-135-0x000000013FCD0000-0x0000000140021000-memory.dmp
memory/2876-137-0x000000013F9A0000-0x000000013FCF1000-memory.dmp
memory/2020-138-0x000000013F650000-0x000000013F9A1000-memory.dmp
memory/1672-156-0x000000013F650000-0x000000013F9A1000-memory.dmp
memory/1632-155-0x000000013F7A0000-0x000000013FAF1000-memory.dmp
memory/2184-154-0x000000013F100000-0x000000013F451000-memory.dmp
memory/2228-153-0x000000013FE30000-0x0000000140181000-memory.dmp
memory/2560-152-0x000000013FBF0000-0x000000013FF41000-memory.dmp
memory/1520-151-0x000000013FBE0000-0x000000013FF31000-memory.dmp
memory/2400-150-0x000000013FCC0000-0x0000000140011000-memory.dmp
memory/1684-149-0x000000013FFF0000-0x0000000140341000-memory.dmp
memory/2164-148-0x000000013F9B0000-0x000000013FD01000-memory.dmp
memory/1160-147-0x000000013F9E0000-0x000000013FD31000-memory.dmp
memory/2420-146-0x000000013F270000-0x000000013F5C1000-memory.dmp
memory/2600-145-0x000000013F620000-0x000000013F971000-memory.dmp
memory/888-144-0x000000013F640000-0x000000013F991000-memory.dmp
memory/2744-143-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2604-142-0x000000013FDA0000-0x00000001400F1000-memory.dmp
memory/2844-141-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/2696-140-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/1240-157-0x000000013F280000-0x000000013F5D1000-memory.dmp
memory/2852-224-0x000000013FCD0000-0x0000000140021000-memory.dmp
memory/2172-226-0x000000013F0A0000-0x000000013F3F1000-memory.dmp
memory/2876-228-0x000000013F9A0000-0x000000013FCF1000-memory.dmp
memory/2844-233-0x000000013FD70000-0x00000001400C1000-memory.dmp
memory/2696-232-0x000000013F550000-0x000000013F8A1000-memory.dmp
memory/1160-240-0x000000013F9E0000-0x000000013FD31000-memory.dmp
memory/1684-243-0x000000013FFF0000-0x0000000140341000-memory.dmp
memory/2164-254-0x000000013F9B0000-0x000000013FD01000-memory.dmp
memory/2420-252-0x000000013F270000-0x000000013F5C1000-memory.dmp
memory/2600-238-0x000000013F620000-0x000000013F971000-memory.dmp
memory/888-249-0x000000013F640000-0x000000013F991000-memory.dmp
memory/2744-236-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2020-235-0x000000013F650000-0x000000013F9A1000-memory.dmp
memory/2604-248-0x000000013FDA0000-0x00000001400F1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 11:29
Reported
2024-08-15 11:31
Platform
win10v2004-20240802-en
Max time kernel
150s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\OTbTBIy.exe | N/A |
| N/A | N/A | C:\Windows\System\AneVIkp.exe | N/A |
| N/A | N/A | C:\Windows\System\zJnWWGR.exe | N/A |
| N/A | N/A | C:\Windows\System\wLtExFK.exe | N/A |
| N/A | N/A | C:\Windows\System\JzahhfW.exe | N/A |
| N/A | N/A | C:\Windows\System\eroeGdX.exe | N/A |
| N/A | N/A | C:\Windows\System\cPELJOm.exe | N/A |
| N/A | N/A | C:\Windows\System\PBBfqnp.exe | N/A |
| N/A | N/A | C:\Windows\System\exhDQTx.exe | N/A |
| N/A | N/A | C:\Windows\System\wSJURPA.exe | N/A |
| N/A | N/A | C:\Windows\System\KSDyqZp.exe | N/A |
| N/A | N/A | C:\Windows\System\biDaVYe.exe | N/A |
| N/A | N/A | C:\Windows\System\QKtcyYg.exe | N/A |
| N/A | N/A | C:\Windows\System\YArcfJh.exe | N/A |
| N/A | N/A | C:\Windows\System\WlLweSX.exe | N/A |
| N/A | N/A | C:\Windows\System\grifmNx.exe | N/A |
| N/A | N/A | C:\Windows\System\qNivVtG.exe | N/A |
| N/A | N/A | C:\Windows\System\UXNlubQ.exe | N/A |
| N/A | N/A | C:\Windows\System\ygAAAVI.exe | N/A |
| N/A | N/A | C:\Windows\System\HPrEamr.exe | N/A |
| N/A | N/A | C:\Windows\System\fegQgSL.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-15_4aedd5adc0f9824d8153024baaf597a6_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\OTbTBIy.exe
C:\Windows\System\OTbTBIy.exe
C:\Windows\System\AneVIkp.exe
C:\Windows\System\AneVIkp.exe
C:\Windows\System\wLtExFK.exe
C:\Windows\System\wLtExFK.exe
C:\Windows\System\zJnWWGR.exe
C:\Windows\System\zJnWWGR.exe
C:\Windows\System\JzahhfW.exe
C:\Windows\System\JzahhfW.exe
C:\Windows\System\PBBfqnp.exe
C:\Windows\System\PBBfqnp.exe
C:\Windows\System\eroeGdX.exe
C:\Windows\System\eroeGdX.exe
C:\Windows\System\cPELJOm.exe
C:\Windows\System\cPELJOm.exe
C:\Windows\System\wSJURPA.exe
C:\Windows\System\wSJURPA.exe
C:\Windows\System\exhDQTx.exe
C:\Windows\System\exhDQTx.exe
C:\Windows\System\KSDyqZp.exe
C:\Windows\System\KSDyqZp.exe
C:\Windows\System\biDaVYe.exe
C:\Windows\System\biDaVYe.exe
C:\Windows\System\QKtcyYg.exe
C:\Windows\System\QKtcyYg.exe
C:\Windows\System\YArcfJh.exe
C:\Windows\System\YArcfJh.exe
C:\Windows\System\WlLweSX.exe
C:\Windows\System\WlLweSX.exe
C:\Windows\System\grifmNx.exe
C:\Windows\System\grifmNx.exe
C:\Windows\System\qNivVtG.exe
C:\Windows\System\qNivVtG.exe
C:\Windows\System\UXNlubQ.exe
C:\Windows\System\UXNlubQ.exe
C:\Windows\System\ygAAAVI.exe
C:\Windows\System\ygAAAVI.exe
C:\Windows\System\HPrEamr.exe
C:\Windows\System\HPrEamr.exe
C:\Windows\System\fegQgSL.exe
C:\Windows\System\fegQgSL.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4512-0-0x00007FF6C82C0000-0x00007FF6C8611000-memory.dmp
memory/4512-1-0x000002D785C00000-0x000002D785C10000-memory.dmp
C:\Windows\System\OTbTBIy.exe
| MD5 | 69a07a11ce7a919cb85324bd4082ba6e |
| SHA1 | 6189db492f48f0886511a10d13ee83be47a3790a |
| SHA256 | bfb9eb1cc33adfcc7d07fd3cecd1e723dbd8ebcd4859f90d427517a2fcf9bebf |
| SHA512 | d12487f25a77c4ceae0a8eacdfac35fada048884041c7ace79cda7570e9dfc733feba6f7c65c2f480df51f5f0863263d263e0bd34acd0b20f0af70193c485a05 |
C:\Windows\System\AneVIkp.exe
| MD5 | e90417be32cd711df563188503c6905a |
| SHA1 | 018f3bb24deefb352c98456d2acf173da23d3cbe |
| SHA256 | 5a460bfa45866c8fb0442cbacb7455c1dba760d47420b2545d90df6110c9969c |
| SHA512 | 980d9b21db80b05d1905ba312c4eb66f74d9ce5c3bd56356f2588638b7c584d558d67a659d28e61da320f064ff871cd2e47d15ab35b6a6331768062b6f15ac90 |
C:\Windows\System\JzahhfW.exe
| MD5 | 475f01fdac8328d4aa305e1b6b1ee269 |
| SHA1 | c36073afa06a32d03ff1da6cc879928cd22aedb3 |
| SHA256 | f0c845c2fba97fc3d009348d70f8fd4c581c2fb52620496aff0abf255a3b3459 |
| SHA512 | c1087ef157960ada6fdc80bfc0f11f623883b1e7c0dd90893e40b29f3ebfcfbdd1803d879294381f73c6e8fd72335da438ad73c9bf69f67559a6df9028f53dd5 |
C:\Windows\System\wLtExFK.exe
| MD5 | 75c39046dbf7a27c5b6536c1a0b44485 |
| SHA1 | f888ce953fbbe919b8281239c577ce4c6bd43f52 |
| SHA256 | 58bff3039ac6f10ac46e703196ff9f958c1eb5e87d625a35f3ab6ddeab6fbc3c |
| SHA512 | 17329427ba17971e11350d487d660526cb63af4605db1179635b62c084562bb2ed44b43fbf9a833658f6e08369f4cd4893c38ca7cd00c7fcfdeb5496b2dfe17e |
C:\Windows\System\exhDQTx.exe
| MD5 | cb05cf88b8d14784763b970c28983b7c |
| SHA1 | 374133a337edd44883bf97e30bc57fc11ed7d18d |
| SHA256 | cac6db0f3c070e21744e9d95ce59ebc1490c76e4da82827d6a9dffff3444b4e5 |
| SHA512 | 12ce53a3b60912c5b7445ade2113f42f75ba7527b8c13102646f3605247e60d65dc0b6417135bcd75a3793ae792884841226fe46547b0836531d9789737b4db1 |
C:\Windows\System\KSDyqZp.exe
| MD5 | a4dba1adabeb197d46ff27c2fbfd44b8 |
| SHA1 | 91592e678f7d04156be59d8fb6aca22fdb9fb932 |
| SHA256 | 5d511d97dcdd28d2fcda23940f752ee6c237740e7ea952831f5ab4c1d5702c19 |
| SHA512 | c73f0ae815a70e72804fd74524b205ee99add95bb675d2bff686def96e98fcfec776b331f6b20ee27a6bd91b44fe34260cb5a3f520db2f88cba4740b26dae242 |
memory/4064-75-0x00007FF76B550000-0x00007FF76B8A1000-memory.dmp
C:\Windows\System\YArcfJh.exe
| MD5 | 7564318b7f346f3affb4060cce664bbe |
| SHA1 | 18958334231c5dd4f198bfca9fd37773c71cd8b5 |
| SHA256 | 2182a855ed92446ce53ed242392ca92c6083577e78700e9d6b842fd8aeee53af |
| SHA512 | a1e48eed57edebd80de7ddf32eae9691e4673f5d729988d37a082e9fb33a2e6122d97903acbab2fa1af73a938b0a985d81364678a0bbff74223b8a9d943d5eb7 |
C:\Windows\System\WlLweSX.exe
| MD5 | 483b49990dff74cfc382116be40a093e |
| SHA1 | 8236406e87009c9d0527f126b1984237c5439715 |
| SHA256 | ec8593258cbf5650f9038fd0ac8cfd3ccfd3057e5f0df5baef4b3b7c0f049f3d |
| SHA512 | b9017a2618c5b963448ae559fe9e94aa4087d037423193feb0ec3ea3947883523b5a4c2cadedd90af418ae384bf888e0f38501d38897074996b4437d3f72f39c |
C:\Windows\System\ygAAAVI.exe
| MD5 | 5a799185050f7230f9bb4060d5099300 |
| SHA1 | 06a9d1e2cdf3dbc91c5e0aef42e5eb2b3f2a3c8a |
| SHA256 | e7fc1eaff0337fecc573373809d7f4c42fa0cf7e974933a094556b49180a0e1a |
| SHA512 | 3de049b4404223a473a94379b561881f55fb3017ace818597a2e2003c21854b7b798e242e74c6cd7162acda17ebe65cdb8cc201d68e21e27af2d37d49d005ab3 |
C:\Windows\System\fegQgSL.exe
| MD5 | bd102341ab5f1b01934a3b57badcb9b8 |
| SHA1 | 18567166fa2c36daf427c27b52ce082bc36834a4 |
| SHA256 | 366c2a4ae075c44390ab4dd0581422af2b9358c3b81eb241ed0ff07c57fce03f |
| SHA512 | 5c054e8776c8611947ff2506a68b0ccc854c6ded270b0fbdc3d52b737d919d55935b5e3bdc3a51bd760801537acc364f949b392c387c89e8d37fda06bd6af863 |
memory/2468-125-0x00007FF795140000-0x00007FF795491000-memory.dmp
C:\Windows\System\HPrEamr.exe
| MD5 | 7d5b9e99133e5b91e6e8ddc418904738 |
| SHA1 | a59c579c386a6ff2eb187998a4287716017182ca |
| SHA256 | 20c91a7449e1c523567276f5a2e825486e6d521feecb584d457f31e1c75ae964 |
| SHA512 | 25b2b1c29cb1a3104d161c5e4f2c512a01bcf5662f6596bed351cda71ee51adca780ed1aca9eab39fadeb713ae8e1c8444e137e7a24b4ece2494f0eb4f07176a |
C:\Windows\System\UXNlubQ.exe
| MD5 | 825c35dc2e54af5497116c807710fc39 |
| SHA1 | 5339da8c4ae611a0c8bb76d22fe15f1e09208c5c |
| SHA256 | e8cf1b9358c28525ac1ca2e103e3c8977058b41303bdd9d5b5e36db0cfe89922 |
| SHA512 | 6d200841c86e05a9eb6f0ab7cb95975450424b57398a27745ad0edfee3e40ed472cb53c7d67baac913eea80845320d53a1649bce9a9978e7a770524f2859bdaa |
memory/1396-118-0x00007FF7C37D0000-0x00007FF7C3B21000-memory.dmp
memory/816-117-0x00007FF72D300000-0x00007FF72D651000-memory.dmp
memory/4008-115-0x00007FF676FD0000-0x00007FF677321000-memory.dmp
memory/880-104-0x00007FF62F8D0000-0x00007FF62FC21000-memory.dmp
C:\Windows\System\qNivVtG.exe
| MD5 | 12bbcce03353e3071aa93f4838241916 |
| SHA1 | ff9e5e5c173f5985c3214c9c674a3159e9eceec5 |
| SHA256 | eb9e83f12eb4309b58a318c51877faf202436400f329b270a0f9717f5aab5844 |
| SHA512 | 4dd3a36a618e54d05f719543d946b9ab74fe72b7d8df39d02fc77e43b36341334d091da0e3bbb8bef376858c5933c24ed6958a227bd96b4c28795ec212f1694d |
C:\Windows\System\grifmNx.exe
| MD5 | fad28099352f8040deb465e9975c3154 |
| SHA1 | 03c838b7fa40b9d43739c3901605ed7aca0dd710 |
| SHA256 | 8d56c66b5e355aeacbf6c1e467826722a130afbe535a0cd2501e73d31bf6219b |
| SHA512 | baa5d40a3cfd1ec7e635ea896efbfee3d29ebb805a2a3ae321a64943f19675a03e8fb56f378019128d69d76674c9f914e83f046f87eed9e175f5aeacaa56d775 |
memory/2656-99-0x00007FF762980000-0x00007FF762CD1000-memory.dmp
memory/5012-98-0x00007FF74D2D0000-0x00007FF74D621000-memory.dmp
memory/3064-93-0x00007FF7ACFA0000-0x00007FF7AD2F1000-memory.dmp
memory/892-92-0x00007FF648590000-0x00007FF6488E1000-memory.dmp
C:\Windows\System\QKtcyYg.exe
| MD5 | 3d9c75ae44aa52251c6d21bda49f453b |
| SHA1 | 228fe30c193a62361b2621a0701655772bd055f2 |
| SHA256 | c645ae438b3573180a80321fa29e5c74577d4f563f9de38c8735cb7f24b072a9 |
| SHA512 | 43b9c84f659756059936fb73138b3d74d6b987adffdf209338a0d9ce83cb4e29da589756bb432c817d9dafbf371ede87060acc7e8aa53a7d136eb75d20c4157a |
memory/2724-83-0x00007FF6545F0000-0x00007FF654941000-memory.dmp
memory/2692-82-0x00007FF7534F0000-0x00007FF753841000-memory.dmp
C:\Windows\System\biDaVYe.exe
| MD5 | aecb1343d3de3857e7c088ff2fbbd8a0 |
| SHA1 | 890c325ae4c41344fab28ce6bcee32a5982cba61 |
| SHA256 | c1e437d569d12a8ef1c277ea894278bcda046efbcbb57b829799463fc6bb48a4 |
| SHA512 | d6b182abc861df213a323cbc27fc76c5625a4a6d2411576964f17690ba7f1b60c6a5c8c1ae8995dd409783e929882c0e69f27f43b72545952abf6128bb04e819 |
C:\Windows\System\wSJURPA.exe
| MD5 | 676ff169429cc7eee96ceb144b689b8d |
| SHA1 | 9efaa7b7b757ed2d22cb1678bc00bf952e112fec |
| SHA256 | f470596fdd30a2a55a7ed9ca4ee01a5c04d185bab900033ba1d2d1fa66bf6dee |
| SHA512 | 5c2172a9ca451aa0e817b958b8e668e0d9dc853bd9250f6b10dbcc54c6b5dcdd661c89d961cad6cbbf74df5fd492823225e46b4ee94f2890d967f1964d6f4d5b |
memory/2324-66-0x00007FF6C07D0000-0x00007FF6C0B21000-memory.dmp
memory/3328-65-0x00007FF65E550000-0x00007FF65E8A1000-memory.dmp
memory/2596-61-0x00007FF7AAE40000-0x00007FF7AB191000-memory.dmp
memory/1392-60-0x00007FF7BD2D0000-0x00007FF7BD621000-memory.dmp
C:\Windows\System\eroeGdX.exe
| MD5 | 1ae6bb531f40a5a93bda5ddc4032d721 |
| SHA1 | 6bbf1d7ad9dabb2ff83d5f63eed12fd21fe54a13 |
| SHA256 | 9d1079bf2239d6950262788bd875c0064aa5956ccebed04523c26105c8286f24 |
| SHA512 | 4713d6c444760a36122528d0c8563e9d066766a9203493800b33ce50d0512818490636e88abfbb9bdee58920a2ef2df0c875947523adb11dbd51642edf5647bf |
C:\Windows\System\PBBfqnp.exe
| MD5 | 51d318a1e6360cb524ba0afca8111be4 |
| SHA1 | 3c03c9279e8f145a4bc75f697e3658d502ab4597 |
| SHA256 | 844bd8870dcaf99f66a7b9b1426842e1eb9209674f47857ff34ad6c4f4b6a6f0 |
| SHA512 | 1c97d2580a2f14ba969a1ad4aa5555947f0bbe2bd49c4e6542e6752574252bcc72f3ba338e0f95167b03bbd42c08b18a6b2c0bffec015fa97aabb10c3a0b4df7 |
C:\Windows\System\cPELJOm.exe
| MD5 | e5f28dfc080ce8fa225dcf57ff4b682f |
| SHA1 | 8c09b9bc2323b125daab41774c31d9e67422c69c |
| SHA256 | f7576286e9509d0d920b97d68d07f06a69eed64788074438e8420997d4f3c9b6 |
| SHA512 | 681246527fb24f0d359338dd000cb051bcfc862886011d2b98bf40b09bf8e81e02aa1b59d759904a8194ee30e7f645971b2c3b500d409b0df2bbf4d9cb455b8b |
memory/4648-45-0x00007FF730C20000-0x00007FF730F71000-memory.dmp
memory/1296-41-0x00007FF6E6E60000-0x00007FF6E71B1000-memory.dmp
C:\Windows\System\zJnWWGR.exe
| MD5 | 87c88b1cad3cb6e1c191b6a0a641e771 |
| SHA1 | 5558c13209f73d88480a1acb88154d9fd49bc337 |
| SHA256 | 0b70c167ad0819a3354501670e061925b474975e044204631455beea4d1729e9 |
| SHA512 | 4ca5fb69da362bae5b8d9f91d0d3ef7fae29ad6bb8f27d935011e646e462ee214d83c13820b9e73949a3301bb99f8db1a59692b1f431ca2c2284bbfd8614f1d4 |
memory/3144-30-0x00007FF7E4F60000-0x00007FF7E52B1000-memory.dmp
memory/4596-16-0x00007FF6B0960000-0x00007FF6B0CB1000-memory.dmp
memory/3040-6-0x00007FF6CCB80000-0x00007FF6CCED1000-memory.dmp
memory/4596-130-0x00007FF6B0960000-0x00007FF6B0CB1000-memory.dmp
memory/1296-131-0x00007FF6E6E60000-0x00007FF6E71B1000-memory.dmp
memory/3040-129-0x00007FF6CCB80000-0x00007FF6CCED1000-memory.dmp
memory/4512-128-0x00007FF6C82C0000-0x00007FF6C8611000-memory.dmp
memory/3328-137-0x00007FF65E550000-0x00007FF65E8A1000-memory.dmp
memory/2324-139-0x00007FF6C07D0000-0x00007FF6C0B21000-memory.dmp
memory/2656-145-0x00007FF762980000-0x00007FF762CD1000-memory.dmp
memory/4008-146-0x00007FF676FD0000-0x00007FF677321000-memory.dmp
memory/892-143-0x00007FF648590000-0x00007FF6488E1000-memory.dmp
memory/1392-136-0x00007FF7BD2D0000-0x00007FF7BD621000-memory.dmp
memory/880-144-0x00007FF62F8D0000-0x00007FF62FC21000-memory.dmp
memory/3144-132-0x00007FF7E4F60000-0x00007FF7E52B1000-memory.dmp
memory/4648-133-0x00007FF730C20000-0x00007FF730F71000-memory.dmp
memory/1396-148-0x00007FF7C37D0000-0x00007FF7C3B21000-memory.dmp
memory/2468-149-0x00007FF795140000-0x00007FF795491000-memory.dmp
memory/816-147-0x00007FF72D300000-0x00007FF72D651000-memory.dmp
memory/4512-150-0x00007FF6C82C0000-0x00007FF6C8611000-memory.dmp
memory/4596-209-0x00007FF6B0960000-0x00007FF6B0CB1000-memory.dmp
memory/3040-211-0x00007FF6CCB80000-0x00007FF6CCED1000-memory.dmp
memory/3144-213-0x00007FF7E4F60000-0x00007FF7E52B1000-memory.dmp
memory/1296-215-0x00007FF6E6E60000-0x00007FF6E71B1000-memory.dmp
memory/1392-218-0x00007FF7BD2D0000-0x00007FF7BD621000-memory.dmp
memory/2596-219-0x00007FF7AAE40000-0x00007FF7AB191000-memory.dmp
memory/4064-221-0x00007FF76B550000-0x00007FF76B8A1000-memory.dmp
memory/2692-223-0x00007FF7534F0000-0x00007FF753841000-memory.dmp
memory/4648-233-0x00007FF730C20000-0x00007FF730F71000-memory.dmp
memory/892-238-0x00007FF648590000-0x00007FF6488E1000-memory.dmp
memory/2724-244-0x00007FF6545F0000-0x00007FF654941000-memory.dmp
memory/2324-245-0x00007FF6C07D0000-0x00007FF6C0B21000-memory.dmp
memory/3328-241-0x00007FF65E550000-0x00007FF65E8A1000-memory.dmp
memory/5012-240-0x00007FF74D2D0000-0x00007FF74D621000-memory.dmp
memory/3064-236-0x00007FF7ACFA0000-0x00007FF7AD2F1000-memory.dmp
memory/880-256-0x00007FF62F8D0000-0x00007FF62FC21000-memory.dmp
memory/2656-254-0x00007FF762980000-0x00007FF762CD1000-memory.dmp
memory/4008-257-0x00007FF676FD0000-0x00007FF677321000-memory.dmp
memory/2468-250-0x00007FF795140000-0x00007FF795491000-memory.dmp
memory/1396-252-0x00007FF7C37D0000-0x00007FF7C3B21000-memory.dmp
memory/816-249-0x00007FF72D300000-0x00007FF72D651000-memory.dmp