Analysis Overview
SHA256
783891f9badcd0dab4da8eb3baeb4ebd82bf0a197ff420218b9a46d7a6dac967
Threat Level: Known bad
The file 2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
XMRig Miner payload
Cobaltstrike
xmrig
Cobalt Strike reflective loader
Xmrig family
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-06 12:01
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 12:01
Reported
2024-08-06 12:04
Platform
win7-20240705-en
Max time kernel
138s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\JjYOmSE.exe | N/A |
| N/A | N/A | C:\Windows\System\KeXZBEg.exe | N/A |
| N/A | N/A | C:\Windows\System\yluKqCg.exe | N/A |
| N/A | N/A | C:\Windows\System\PvErwhz.exe | N/A |
| N/A | N/A | C:\Windows\System\dxWTUIx.exe | N/A |
| N/A | N/A | C:\Windows\System\Utbivbh.exe | N/A |
| N/A | N/A | C:\Windows\System\VINnNzD.exe | N/A |
| N/A | N/A | C:\Windows\System\ywYCbDo.exe | N/A |
| N/A | N/A | C:\Windows\System\cyKtUds.exe | N/A |
| N/A | N/A | C:\Windows\System\VOPEzDj.exe | N/A |
| N/A | N/A | C:\Windows\System\iFdilAE.exe | N/A |
| N/A | N/A | C:\Windows\System\Ozsyrhc.exe | N/A |
| N/A | N/A | C:\Windows\System\iWEVvWv.exe | N/A |
| N/A | N/A | C:\Windows\System\dVKoFES.exe | N/A |
| N/A | N/A | C:\Windows\System\zyMHqsB.exe | N/A |
| N/A | N/A | C:\Windows\System\WqhGPwl.exe | N/A |
| N/A | N/A | C:\Windows\System\PSmevMm.exe | N/A |
| N/A | N/A | C:\Windows\System\wuEcThH.exe | N/A |
| N/A | N/A | C:\Windows\System\NzhTfSA.exe | N/A |
| N/A | N/A | C:\Windows\System\hQgEJwK.exe | N/A |
| N/A | N/A | C:\Windows\System\rxajomg.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\JjYOmSE.exe | C:\Windows\System\JjYOmSE.exe |
| C:\Windows\System\KeXZBEg.exe | C:\Windows\System\KeXZBEg.exe |
| C:\Windows\System\yluKqCg.exe | C:\Windows\System\yluKqCg.exe |
| C:\Windows\System\PvErwhz.exe | C:\Windows\System\PvErwhz.exe |
| C:\Windows\System\dxWTUIx.exe | C:\Windows\System\dxWTUIx.exe |
| C:\Windows\System\Utbivbh.exe | C:\Windows\System\Utbivbh.exe |
| C:\Windows\System\VINnNzD.exe | C:\Windows\System\VINnNzD.exe |
| C:\Windows\System\ywYCbDo.exe | C:\Windows\System\ywYCbDo.exe |
| C:\Windows\System\iWEVvWv.exe | C:\Windows\System\iWEVvWv.exe |
| C:\Windows\System\cyKtUds.exe | C:\Windows\System\cyKtUds.exe |
| C:\Windows\System\dVKoFES.exe | C:\Windows\System\dVKoFES.exe |
| C:\Windows\System\VOPEzDj.exe | C:\Windows\System\VOPEzDj.exe |
| C:\Windows\System\zyMHqsB.exe | C:\Windows\System\zyMHqsB.exe |
| C:\Windows\System\iFdilAE.exe | C:\Windows\System\iFdilAE.exe |
| C:\Windows\System\WqhGPwl.exe | C:\Windows\System\WqhGPwl.exe |
| C:\Windows\System\Ozsyrhc.exe | C:\Windows\System\Ozsyrhc.exe |
| C:\Windows\System\PSmevMm.exe | C:\Windows\System\PSmevMm.exe |
| C:\Windows\System\wuEcThH.exe | C:\Windows\System\wuEcThH.exe |
| C:\Windows\System\NzhTfSA.exe | C:\Windows\System\NzhTfSA.exe |
| C:\Windows\System\hQgEJwK.exe | C:\Windows\System\hQgEJwK.exe |
| C:\Windows\System\rxajomg.exe | C:\Windows\System\rxajomg.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/884-0-0x000000013F7D0000-0x000000013FB24000-memory.dmp
memory/884-1-0x00000000003F0000-0x0000000000400000-memory.dmp
C:\Windows\system\JjYOmSE.exe
| MD5 | 8d293678e5e499315421cd60e368a328 |
| SHA1 | 1c35bb2f01fed11c72d1ee01552e15d94d035082 |
| SHA256 | c956708c95003215fe5ee4a81e518c95e3768e93b411a754662f04f9be445267 |
| SHA512 | 2d7efe8a84012d335579fccdbfe1cc8d6eeff8f6cbe3fb545723c659ef0879f3694e09eb92c4da99903cf03096f7367c048680a168de0bdf6dfea99102b7c8b3 |
memory/884-8-0x000000013F440000-0x000000013F794000-memory.dmp
\Windows\system\KeXZBEg.exe
| MD5 | 9a18d609321c991ba5269e0f55de0b6f |
| SHA1 | 37bde00060ad595cc797e7c120eef01766cb8dd2 |
| SHA256 | e40b98675c7cf6fbdef7ed794b8310cef3f29210fdc9cf212d8b564ecfdcb8b8 |
| SHA512 | bc4e3f31c55bd7d03493b132fb70c82ca874c1340205b3bf0f8eedd47925a7cdb2f0c8051e5ebf342671802031890448320d700bf65321eb75b05e9ce728a2a7 |
memory/1924-12-0x000000013F440000-0x000000013F794000-memory.dmp
memory/2796-14-0x000000013FEA0000-0x00000001401F4000-memory.dmp
C:\Windows\system\yluKqCg.exe
| MD5 | 29da39d1777611b5b7c42bf5170aa9f3 |
| SHA1 | c5fcdbb0c372c55dfd419deea57adc8d7c52f76c |
| SHA256 | 3f80cf41e30c5e77ab68bf18f8f2d849072f46b15bcdac54b6771b05a79ef3ff |
| SHA512 | 47d1e0855f803a5695997a7ccf3df54fc4e06ea0049d6f814ab812bfe46806c273ae615045af43cbc05359cf82b70ca6a645213afe4aa00416477f099cf60ad1 |
\Windows\system\PvErwhz.exe
| MD5 | f8992f9b27144d775d217cf7854963ea |
| SHA1 | f234e3bc0c27c1ae49591c3f293d59a435753054 |
| SHA256 | 4e1f4e71e3abe0bdb3659eb40142dee9be29f37cc919b4f8f1a2f0cb41effd39 |
| SHA512 | e761727df9ee3d8012721a6ef961917668c7089ceeee3e2762b5907ee41409ed2b6962700fd853f0c7a8b6dcca66199222c250a64eb80d53dd5f1e692970679c |
memory/2764-33-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
C:\Windows\system\Utbivbh.exe
| MD5 | 048744e267de33e5460091e91715f461 |
| SHA1 | 05840aa99c3a9db4ddbd9d5004fb57d6221fa3e2 |
| SHA256 | 180da5d5c5d61574710f494cec7f7ce004d902e47e6f1d70edac325f14d1e219 |
| SHA512 | 5462649950c9beefe2d5dc6d21a0b41f53f844a27d4e8f3e8198ba1d632aa7be284d2acf54e558d20822a91151e777d4e36ec0228b4fba26bf194a947d4bb660 |
memory/2960-40-0x000000013F910000-0x000000013FC64000-memory.dmp
C:\Windows\system\VINnNzD.exe
| MD5 | 99951c41a29ede0f03a17f562e66afd3 |
| SHA1 | cdcd1f6eeb938268376c134ec7601c1c5c52250a |
| SHA256 | a3466b504dd9b655ec64fdee44d5d3decb8a99265eb76f50fb50792016eeeb93 |
| SHA512 | 561e0203c01d2530f06050071ff75b7328cc16029c69b7ec771ef745adbac3cbac5758c38eb73c919df174961c20f218b295989f0e22f29c8520a12ea97f49e8 |
C:\Windows\system\iWEVvWv.exe
| MD5 | dd91a2fd2e1d1c560ba7f70dd56403b4 |
| SHA1 | dfa85bb02e85e751f53d1877d742204b4ba15ae8 |
| SHA256 | aa9d28f10d715e0fd0346dd41eb830069506283dc44448671e0cb38e33beca16 |
| SHA512 | 11a57d10df9a95ec31b3ea5417d6ee8639d11ef9f0d71c89380858128c2eb310eba97025f5f8bb337fe41b2139361f9b22ac53ebbf87671d429a47711cf144f5 |
C:\Windows\system\PSmevMm.exe
| MD5 | afbf1d9a0b1edb6163efb15413714962 |
| SHA1 | 7e56f9b8618ff02792939879cbef53e4ce94944f |
| SHA256 | d90f069382dd3d5c906a5030ec5eb9ebd4d31b664e28e322d80b190af55f9934 |
| SHA512 | b085d5dde808b1121cce7c5662287ee62bb1ad13e7d2c95fd01d28e2c1c616af21487b2ecc61f57f512fa3e53087299002c3adb9c9c3f0bf7c3d07003eb7c4b4 |
\Windows\system\rxajomg.exe
| MD5 | 83bacaf4b115381c1d44d1fb9294c954 |
| SHA1 | cce056c439dae38a08954c6a0cf52a91ed0d308d |
| SHA256 | 679dbdbf39c1a0127d04c7302a9dc33aa4497736aa9d6474139109094f6d719b |
| SHA512 | 1b5c5587116c2d0a5b29943f6bb77db0d3a6c7357084fb5cf5551f526ade421cfc49d61f292f505e7bb400fe1c287147fe98694d7e59379d2fb8e61674394066 |
C:\Windows\system\hQgEJwK.exe
| MD5 | cbd543e219b0730a23cc39a1abf91a18 |
| SHA1 | f4258e7a7c0d7ae4cd50cd829e48801e1ed457f0 |
| SHA256 | 1511858d7f59167a0b5a6a3d21791f0a7b289b2e9660211afe84b30918fc2945 |
| SHA512 | 62e90639cce6d053eefb7c6b66fe7f4bade74ecf25b33409311f4b4522cb4a1e21d809ec51e409e59f1d942aa58a478f40d4b8719c95b2e35a5729e31e61c450 |
C:\Windows\system\NzhTfSA.exe
| MD5 | 2e8c03d1e17f1c4cbe874455866372d0 |
| SHA1 | 40fff09d07d6f4611b19d6a5896454b4add58f0c |
| SHA256 | 49061d2e30cb8f7020a3a9fa083ab34d54e1eeb652c13aa1d2e8be91e65b409e |
| SHA512 | 2ab3e3d3756f88405055b71d6bd182202fd32ba16bf3bb0392d5af56006c057f6d92c95cb52012abc89297ad321db8c354e7d9612115bf601c491ab43dab4ae3 |
C:\Windows\system\wuEcThH.exe
| MD5 | 90698bde0b11305bba84ad7bdb5ce7df |
| SHA1 | 122dbc0036534e824558e661b23ef4d411db2147 |
| SHA256 | 086f9951bf23779c8a9114198bca6fee7f0ab0cdda7527dfeaa1f1c9c00aba38 |
| SHA512 | fa861b5d8923f1a274dbf6b1f23f4152465f5e5e8b93230132c5bb72ae2cf6049e2d796731e5586570784ffebbc0e838bc935e59a31473eb3e016fddb0d2324d |
memory/2656-107-0x000000013FF00000-0x0000000140254000-memory.dmp
C:\Windows\system\WqhGPwl.exe
| MD5 | f5b237b27da5362376c96508e754b56e |
| SHA1 | bbfccfdb5a6d2dad2a39841c9d015e6d5227c0c5 |
| SHA256 | af8d9f87fe5420a09a9a86e1ca9afaadde64eba5fc0cdcaa0d5920bf0aa9c5b9 |
| SHA512 | 8a83329e5ca25bedf8e776e2fd1694e2a82e9e4a15f0910240efcff8178926f958326b662654117662c3764d48eedfbe163ac85c14334b79be24a825c24bbd4e |
C:\Windows\system\zyMHqsB.exe
| MD5 | 37215013fb11553905d34005ce71734b |
| SHA1 | ee56c47d4fb2da8b7907aa863db5433f27edc75f |
| SHA256 | 2973e61d26caaa70be73131e05755b070b9e92f254280aa6b6519ecba6f61d30 |
| SHA512 | 2f20586461b8775485d3bc227a60750ee74b193004b189575a0c367984b22cba0c3a041be6fdafcfc0cd33a6c27959c394aa0522392e53455a90fe8fb6b29a4c |
C:\Windows\system\dVKoFES.exe
| MD5 | 0f1e5a736e02f760c44c3a396f133ae0 |
| SHA1 | b2a4e98fe037e8c95d6532cc08a53cd9d01ca8cf |
| SHA256 | 6fc217fd889807158accbf5161ed03fd120315b99ebd94381183a5b7fe97a527 |
| SHA512 | 5ad52b263e18da9ecf8f9fb338718eeb35f4efb0aac03daacc8818aca6caf2eca6020b48582ab6b3ad192d6f3bffd369500a97f6f1a0e218b2072bff1178f6e7 |
C:\Windows\system\Ozsyrhc.exe
| MD5 | 16f2add5a7bd8a78226c3c7d6000aa83 |
| SHA1 | fb0585238b40b5b3ee9535327cc63d55c37b64e9 |
| SHA256 | afa83733218d3ef1deec55b92ce6ec7e3fa6c6eb73f10678915a9ca2364a43b2 |
| SHA512 | 34cc773c713a2475946c5e95a8ca240f5c4a98eee7e8a85a6dbd36d3d120d146f607c2fa486f3cca72fafaa44c78c9efddd9bb7075fa3ecc45af90b4271a90c1 |
C:\Windows\system\iFdilAE.exe
| MD5 | df544bcc7e997e34df3bb591b26e7c7f |
| SHA1 | f2942225212ad739a9e5ccc0822a587482e2a8de |
| SHA256 | 9536f476a3a275d9c6289da112ee81b4bfb21e64d4f07c3143a6be8e37d977a3 |
| SHA512 | 1ede233c80191ce0ea6359c63ee7b5bfef622bf288b249505f981fc704ffb834dfed74e24cc67ac56e380557feec9c599ecd78d773b5e37479c255141f096200 |
C:\Windows\system\VOPEzDj.exe
| MD5 | b85906160cf8faecf630cb9163c884c5 |
| SHA1 | ec8099d5a5e8c77b2a740a444f7dfdccea1e3a5b |
| SHA256 | 2527752898b50cb194b8fbe25754283f04a49757d30ad119d2150a512c94b69a |
| SHA512 | d68f54ea3e9f15b10af3381e598af8f75fca436ba19a6e4671279a621c73a592e3016158bf6ea42378b3adeb52798ad0f6255afb5fbd578d6be07993041d2fc1 |
C:\Windows\system\cyKtUds.exe
| MD5 | 881a694db364502f526517c39aa4b31d |
| SHA1 | 31ba055fd170bda4d92ed1aff2c31660f9f5feaa |
| SHA256 | d4032f95989e9af9a0c9dff4e4854145c70ec51f340162743f65f102147ba53b |
| SHA512 | 018992395f1616c3cce3491ac1823a111418eae92757c58e2c5f61c99a588b5d334b7497672cc4117d121decfcaa30edaa91b7850de3ae15e00879736a786d36 |
C:\Windows\system\ywYCbDo.exe
| MD5 | 3f261bc893b1c3d879c2ffabcddcea39 |
| SHA1 | d5f43db8fb151a50ae9962827991ab2e0c61e9d0 |
| SHA256 | 1922b18651444f1738816666369503ec8ef2e8ba7f31a1ba203e47f3f25ce7c0 |
| SHA512 | 16c4e8e8134ea0ab651317ff1c851701d7f66cc48b89a0139a9b2278d77186724fe43711f15f9379d9f4f62829a061264c48b6c96d99758b4ee435c56c501f90 |
memory/884-39-0x0000000002330000-0x0000000002684000-memory.dmp
memory/2816-31-0x000000013FB70000-0x000000013FEC4000-memory.dmp
C:\Windows\system\dxWTUIx.exe
| MD5 | bf8efa01e41d04057c0506aacd88f64f |
| SHA1 | d3cc22da2c35b95d1f45b8cdf1acd83cc7e4ad25 |
| SHA256 | 5aae3d89b95ee00a3c525bf85319f4f2b077a9dbd57cefd3297609cbc763510d |
| SHA512 | 00754c5853071cfebfe03d9362980d46d27922f85104eb71cb74641fa9a8beb9e08b617b1569a8595b52ebee23d77087074c13fab7b80019877eb7e66a639d0a |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 12:01
Reported
2024-08-06 12:04
Platform
win10v2004-20240802-en
Max time kernel
137s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\QwUZQUp.exe | N/A |
| N/A | N/A | C:\Windows\System\rwKZFXK.exe | N/A |
| N/A | N/A | C:\Windows\System\IVEUQXm.exe | N/A |
| N/A | N/A | C:\Windows\System\PDLUetW.exe | N/A |
| N/A | N/A | C:\Windows\System\JHIJKPu.exe | N/A |
| N/A | N/A | C:\Windows\System\gTkKfiF.exe | N/A |
| N/A | N/A | C:\Windows\System\hWzAxWN.exe | N/A |
| N/A | N/A | C:\Windows\System\kLvCWPn.exe | N/A |
| N/A | N/A | C:\Windows\System\mioHQOr.exe | N/A |
| N/A | N/A | C:\Windows\System\IzsTmtp.exe | N/A |
| N/A | N/A | C:\Windows\System\WBWdnmI.exe | N/A |
| N/A | N/A | C:\Windows\System\NOGcTMI.exe | N/A |
| N/A | N/A | C:\Windows\System\DHAfmDZ.exe | N/A |
| N/A | N/A | C:\Windows\System\mYosFKp.exe | N/A |
| N/A | N/A | C:\Windows\System\UuDBOZx.exe | N/A |
| N/A | N/A | C:\Windows\System\gCNGGra.exe | N/A |
| N/A | N/A | C:\Windows\System\xTGwuLF.exe | N/A |
| N/A | N/A | C:\Windows\System\rnOkjfT.exe | N/A |
| N/A | N/A | C:\Windows\System\jGZsULr.exe | N/A |
| N/A | N/A | C:\Windows\System\DlwMupT.exe | N/A |
| N/A | N/A | C:\Windows\System\OkqVEAO.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-06_ae95832c116b8f677b7328bf51b790ce_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\QwUZQUp.exe | C:\Windows\System\QwUZQUp.exe |
| C:\Windows\System\rwKZFXK.exe | C:\Windows\System\rwKZFXK.exe |
| C:\Windows\System\IVEUQXm.exe | C:\Windows\System\IVEUQXm.exe |
| C:\Windows\System\PDLUetW.exe | C:\Windows\System\PDLUetW.exe |
| C:\Windows\System\JHIJKPu.exe | C:\Windows\System\JHIJKPu.exe |
| C:\Windows\System\gTkKfiF.exe | C:\Windows\System\gTkKfiF.exe |
| C:\Windows\System\hWzAxWN.exe | C:\Windows\System\hWzAxWN.exe |
| C:\Windows\System\kLvCWPn.exe | C:\Windows\System\kLvCWPn.exe |
| C:\Windows\System\mioHQOr.exe | C:\Windows\System\mioHQOr.exe |
| C:\Windows\System\IzsTmtp.exe | C:\Windows\System\IzsTmtp.exe |
| C:\Windows\System\WBWdnmI.exe | C:\Windows\System\WBWdnmI.exe |
| C:\Windows\System\NOGcTMI.exe | C:\Windows\System\NOGcTMI.exe |
| C:\Windows\System\DHAfmDZ.exe | C:\Windows\System\DHAfmDZ.exe |
| C:\Windows\System\mYosFKp.exe | C:\Windows\System\mYosFKp.exe |
| C:\Windows\System\UuDBOZx.exe | C:\Windows\System\UuDBOZx.exe |
| C:\Windows\System\gCNGGra.exe | C:\Windows\System\gCNGGra.exe |
| C:\Windows\System\xTGwuLF.exe | C:\Windows\System\xTGwuLF.exe |
| C:\Windows\System\rnOkjfT.exe | C:\Windows\System\rnOkjfT.exe |
| C:\Windows\System\jGZsULr.exe | C:\Windows\System\jGZsULr.exe |
| C:\Windows\System\DlwMupT.exe | C:\Windows\System\DlwMupT.exe |
| C:\Windows\System\OkqVEAO.exe | C:\Windows\System\OkqVEAO.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4444-0-0x00007FF660D10000-0x00007FF661064000-memory.dmp
memory/4444-1-0x000001E395E60000-0x000001E395E70000-memory.dmp
C:\Windows\System\QwUZQUp.exe
| MD5 | da3b7293109d31143a81538335e5aeb1 |
| SHA1 | 166c3fd2dbb753d5c16551252bbf29b5823b55dc |
| SHA256 | 91490d2c94721d32b3afbd88e7aba2b6a8e0f91125b87e8b06ab85028e7f3a11 |
| SHA512 | 3333fc9fc17aacd7a53701772146d3b578b45ab833e94623dfce45394fc47e070d98255d9f83cfe4c60510f1b95e609e11a5c882e5a64a51d72cf6e9f767d7c6 |
memory/5048-7-0x00007FF6342A0000-0x00007FF6345F4000-memory.dmp
C:\Windows\System\rwKZFXK.exe
| MD5 | fb76903dad601ef591bf88126615389e |
| SHA1 | ece4af8976565a914620398e5d0cda9094e004c9 |
| SHA256 | 14dab2acf10166f05d0289d19fe3b69b81d1e80bf0880df8897d703fb9964cc7 |
| SHA512 | 9acb7d85a8dbaa310fc2b96d30070332eba5f7ea37439bc0513e882859565bde17726a1ba027774e45fbe18433930d6c5afeb0cc6ea57fdfd6ad79b5c58623d3 |
memory/3980-13-0x00007FF7DE950000-0x00007FF7DECA4000-memory.dmp
C:\Windows\System\IVEUQXm.exe
| MD5 | 5ef16353ea88176ef495fd2a7a23f9d9 |
| SHA1 | 4bc2e7259eac5e5d8cf7a798384433fcbdb5d391 |
| SHA256 | c23f7e5cdad52164b13c98694833e62322ab73bb899d092a8e1680eea49bdcc8 |
| SHA512 | 1e14ab3302a3705e9a1a973e199f6905f3f73eb95c07d23c7503be3c60783443a3718c9fc34966c30e03003c5bc2cf916aaaa56bc63e9cd852128091b600d8ea |
C:\Windows\System\JHIJKPu.exe
| MD5 | 2f61d8e77fd716b6163ac85cc6edcaad |
| SHA1 | 1481a80cb5eca3149e113407c6c74ee1b0967b3d |
| SHA256 | fa6957fda8d22398725575f823cbf92f36b841378eb3b6cefe9a1625ba87a053 |
| SHA512 | 8a352f5200c431a870cde577d632d018364cb9b29fb25671376d2cc131096ceb1bb4facd616e9723ef3cf2f688dee428eb3ebe6a1cae6777c84859161a082381 |
memory/2596-27-0x00007FF7EAF00000-0x00007FF7EB254000-memory.dmp
C:\Windows\System\gTkKfiF.exe
| MD5 | d6dcff3280b646656907380a66dd410a |
| SHA1 | c7911d74ba461bd5d49f56a2224b812614fb251a |
| SHA256 | df1c0de1b7a258e727d4248bca1203bcf5f6d015368055e5e1e5cdf71a0a350f |
| SHA512 | 3a26bdaa22e781a3c5bf1be8b3311e1bed1a9ea965c4a06ec142904475647a8a8b7ec1b361e2dcdba28f84b84ed4f94770d9674238ada30950bb1b2a5fcaeb84 |
C:\Windows\System\kLvCWPn.exe
| MD5 | 0d28aa660a7c0924f0cd5d2bb4d9afa5 |
| SHA1 | 35398dfc8f83bf8f59b87ad101a736c07af3fc45 |
| SHA256 | 917ee15588037aae810890c10f20b1faedd567f87aaa53b76b46fcbfe17ad7bc |
| SHA512 | 60d07c10e24c1988c071737893a0d30fc9f4d7f6815d39e0180f722f934b3914e52246ad3d94268a7e713281bc51ba24261c8ac243d2335a4fb93f7ab4d99757 |
C:\Windows\System\hWzAxWN.exe
| MD5 | 6a579ed048f7161cc42432e7116958e7 |
| SHA1 | 8578e6f828e8fae90ea10371ea84e2cde213b96e |
| SHA256 | 8ea409d6b10c40b2e6f7de36f6afc10bf1752635dc17a931c0e1b261e45861fc |
| SHA512 | 5b153cfe99f5b89b29ef90675263b2e524a424d9fecb55726b2a2a04bf87df059ad79b8af62eb8396a700b314ce9470ac1b868d1ad7c6dd377ea2d906811fc56 |
C:\Windows\System\mioHQOr.exe
| MD5 | 7ea0ae496c25e7676040c17390e29a16 |
| SHA1 | 6f011d038a14537b7d46e70e42571e75213625aa |
| SHA256 | 77a72d7f56ddcba5b1c69c1b6ef0ac8a26ae1600471fa33bcbf56c57bcc3a6d3 |
| SHA512 | e82081dd9f35d1484a6e4893c316e88068a22a6c36915364d7f20eb983ce539576871df70e1f92a9bda09e0f79e77f3a1deaad06eee627f54c51100d5a287a20 |
C:\Windows\System\IzsTmtp.exe
| MD5 | 8020c10ff4427d31e3dd0a92163217e4 |
| SHA1 | 04a12ac684e49752c3c1b2c6666ee2d6287502ec |
| SHA256 | 762e75a44e677fd271726dbd803c356a4042641725dd006da0c858dab562b28f |
| SHA512 | 95ca6d62aaa993bda2592c86b53b536acbda847843c4dbd58d77fd7b1364bf60f768fc6ff96c576568e63a9875e9c5277f6de49aae2fbf2432f6507835cfa872 |
C:\Windows\System\WBWdnmI.exe
| MD5 | 1997992bc9be8b6c464775c25e86b587 |
| SHA1 | 52ac7fe42bc9320443cce3b783b6bf11c7ec5432 |
| SHA256 | 180d9d0c3b836909dc9c47d366155d0cabebb65d28c9309f3ef4c4f783794aa6 |
| SHA512 | 639a41cbbda970dbc3a08a93746c85113f33af701c083ec57fb815c9bf5dfe03eec0e69d18f7fdd4d3a65761f6dcf5182e51aba0023b22f7a886b95f8a71cfcd |
memory/1920-65-0x00007FF70E6B0000-0x00007FF70EA04000-memory.dmp
C:\Windows\System\DHAfmDZ.exe
| MD5 | b50ffe168aad1599dc128ff13c8224f7 |
| SHA1 | 6079a3c350446bf2e99d51268c317f31eea4179c |
| SHA256 | b014492c25a3d237e75a70638bdf86e9e925e3327b9ad7af4fee407f5617a20e |
| SHA512 | 02a0b986acfbfbbcbe364e1c1cb2e5b111b78a7ebdd09937335c7ad62e7ef50e6d43a6f54442d27c3850f8106922065379c8168dbef76e57bd4cfcc57d371f23 |
C:\Windows\System\gCNGGra.exe
| MD5 | 067ee2b530fecd1cb38dbe566141b5a2 |
| SHA1 | ad42a7f3fb405d5dfcaeea1fe7813dd0f63c0048 |
| SHA256 | e58b1dcf8f649cd446b9311c659b1688b608040c3b33b52a310aa87a61fea013 |
| SHA512 | e6bad5a57c951ec46cdd0934aa26889f7081d2ccb09aab0f38000797026cfdeda686f1bdab5f0a5574bd0f73c0f0e1d02427eccb7c7e57aee82a91ff12b403ed |
memory/4012-87-0x00007FF743AF0000-0x00007FF743E44000-memory.dmp
memory/3000-97-0x00007FF638440000-0x00007FF638794000-memory.dmp
memory/2952-96-0x00007FF6A39D0000-0x00007FF6A3D24000-memory.dmp
C:\Windows\System\UuDBOZx.exe
| MD5 | 41875c24ac3fd4323589d24a105eb82a |
| SHA1 | f09baaa3b65062a98187ceb762e42e5c6edfc259 |
| SHA256 | 9205d3565fd1b97c7c26840b382e98e3c42f0ae498b7bc910f984cdee54bb310 |
| SHA512 | 79731c7b9d2d3321bd88aec42c200b04957bf62dcd179a1fa2a6611bc7331c14c9c734b7440ab4a831e087f50195043eb97b06ff8f2135e596382a039f37a4e5 |
C:\Windows\System\mYosFKp.exe
| MD5 | 18ddfea6a4bac9600a4c122ec1bae9c6 |
| SHA1 | d685840b9f7fd0eb76708ed41fcac5be51f366a2 |
| SHA256 | f2206fd70f0d1155aa0d01e4d15c566aff9e25b406722a40c83d71fee573c6a4 |
| SHA512 | 13f3f9986c69c10ec1d2c1188ec5a574f0d0a246bab36c41c5c9924c07b0e344085ea70527983327758f0a66a86b3826260c7138daab252565942fccf08b801c |
C:\Windows\System\NOGcTMI.exe
| MD5 | 78ddbfcaf0a667d014c5fc13d6a1c6fb |
| SHA1 | 62c184921e53acb946e5ec6659c7b4a7059296a8 |
| SHA256 | 9c215f24fd83dfa7fed19996d03bde4ee8e4c4bd22015e6e50d0be9ed2d11232 |
| SHA512 | a5abeffced0c88cf4adde055244b800d3b412a24a26dd7f653c69c404f85e24c93064fb960c8861af1a08840c92df8f22e6f95bdd4239dfb00b04fbcf9d1b065 |
C:\Windows\System\PDLUetW.exe
| MD5 | 2be69c80c539fa53cf2040ac9c62f941 |
| SHA1 | 05038a85150112b76bc159675f8a743945a455b7 |
| SHA256 | 0e8b84c3c3f29d69f5f8dfa60825a8a8d929078d475beafb74b553288ef96c0b |
| SHA512 | b5449e9f742e40f6058b27663455b45a2a12b75dc159f464b591ac25182b6db7b0ef67439792bd921e2158982358993f3885095442d709a9c5bacb558803a121 |
C:\Windows\System\xTGwuLF.exe
| MD5 | 27dc4dd753f886423ddc84e63c017086 |
| SHA1 | d9c28bf34344249eea4f9e1d3fae503ff0bdab64 |
| SHA256 | 901636e0f24a15e1cee83a052e95125376b5c889bc25ea0691b0bfd7d8d01b47 |
| SHA512 | 22bbcfc53889f2f18f88cf6d5a82a0698fa2a67e7ffd2983d84a32eff1b108fa51bc6caaca08129f8edf9e4df2ef3c9e3a65e69a5bffefa16d95c8315a6ae9c1 |
C:\Windows\System\rnOkjfT.exe
| MD5 | d9d78378c9b3463d9b2c5260f45e7e42 |
| SHA1 | a0f7b8f4a914168e2dafd3cccae36ba575b3b674 |
| SHA256 | d92b5376f2e7de41f76e148b2e04897d46f22dfbd518d384f084e62e861d70a9 |
| SHA512 | cb4f07a990b6dcf99bb9f0e7482faa383b098ea1b979078e2f223afb33a1ad9ee994b7837ca502c5430da4fa827e0e37e398f4711932f0d89833b30aa0dfa762 |
C:\Windows\System\jGZsULr.exe
| MD5 | d3a3b04238e067567320a80bc36f43ba |
| SHA1 | 10ce618f69353a2ecd2519277a92d65c252b6930 |
| SHA256 | 29afb86af27584cc294c3b822e595e8ea0d7f8cb5a299a5fe8a7b3a8822508e1 |
| SHA512 | 4c3a917e38743f9972f1623392709f3e869e708f1aebd216e7bffe8771e823ffdf76810221d1163d1b494f2f42b81229723f5791dc4bb5ee75460f8ce6678f34 |
C:\Windows\System\OkqVEAO.exe
| MD5 | 4806d329b908c9447024e532c454d463 |
| SHA1 | deb5c6b9e15ccf754a51d3696d9a7aaee11e99d2 |
| SHA256 | 3c5f2658c1d20e42498e5c0d55de4151db041ceed70a0447d0dad2fc564f08bf |
| SHA512 | ab4033d30ba06624a074089676181fd241bd5f02ef39875bd95f00fcbcad04dddd4436d59fb39f9644253b6594dabe3e25e0bc465dcc0d38bb980a48afd5370e |
C:\Windows\System\DlwMupT.exe
| MD5 | 224827431e8c012e66b967654a967fd6 |
| SHA1 | 994ce50d24ec8a3b20869817ed6aca6f4c4974c0 |
| SHA256 | 0e71fa2dea1ee33e477a9120159a7b8dd2120803b1f08eeb2c9376cb797cd77e |
| SHA512 | f93c96b66463017a913ce8cfab3a7ebcac327ea79e65799f101f9c1cc07ab17af660c25051edf7b408c2c721b29145f8fdd7ce00dc651bb04f1a27bb38b86e3d |