Analysis Overview
SHA256
a0ac15c6f4cc4f2e2ee3e945b8204948b8e5f097d9a73902b481f73e4a74953d
Threat Level: Known bad
The file 2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike family
Cobaltstrike
XMRig Miner payload
xmrig
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-06 11:47
Signatures
Cobalt Strike reflective loader
1 match (indicator, process and target not captured in this extract)
Cobaltstrike family
XMRig Miner payload
1 match (indicator, process and target not captured in this extract)
Xmrig family
UPX packed file
1 match (indicator, process and target not captured in this extract)
Unsigned PE
1 match (indicator, process and target not captured in this extract)
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 11:47
Reported
2024-08-06 11:49
Platform
win7-20240704-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches (indicator, process and target not captured in this extract)
Cobaltstrike
xmrig
XMRig Miner payload
64 matches (indicator, process and target not captured in this extract)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\COadeJQ.exe | N/A |
| N/A | N/A | C:\Windows\System\kXnesIh.exe | N/A |
| N/A | N/A | C:\Windows\System\EQQGFYw.exe | N/A |
| N/A | N/A | C:\Windows\System\TJKnymj.exe | N/A |
| N/A | N/A | C:\Windows\System\uwKOjHj.exe | N/A |
| N/A | N/A | C:\Windows\System\AtGQKPC.exe | N/A |
| N/A | N/A | C:\Windows\System\opJIJpH.exe | N/A |
| N/A | N/A | C:\Windows\System\womnHfH.exe | N/A |
| N/A | N/A | C:\Windows\System\wTtmePu.exe | N/A |
| N/A | N/A | C:\Windows\System\LNojVpU.exe | N/A |
| N/A | N/A | C:\Windows\System\UIYofZl.exe | N/A |
| N/A | N/A | C:\Windows\System\kRsaEfa.exe | N/A |
| N/A | N/A | C:\Windows\System\CqLjXpE.exe | N/A |
| N/A | N/A | C:\Windows\System\PRHmlvw.exe | N/A |
| N/A | N/A | C:\Windows\System\SaOYmIw.exe | N/A |
| N/A | N/A | C:\Windows\System\UVdPgSP.exe | N/A |
| N/A | N/A | C:\Windows\System\gTTOFTd.exe | N/A |
| N/A | N/A | C:\Windows\System\oKqZeCQ.exe | N/A |
| N/A | N/A | C:\Windows\System\GWvCsbc.exe | N/A |
| N/A | N/A | C:\Windows\System\kWApIhJ.exe | N/A |
| N/A | N/A | C:\Windows\System\PkEvXGe.exe | N/A |
Loads dropped DLL
UPX packed file
56 matches (indicator, process and target not captured in this extract)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\COadeJQ.exe | C:\Windows\System\COadeJQ.exe |
| C:\Windows\System\kXnesIh.exe | C:\Windows\System\kXnesIh.exe |
| C:\Windows\System\EQQGFYw.exe | C:\Windows\System\EQQGFYw.exe |
| C:\Windows\System\TJKnymj.exe | C:\Windows\System\TJKnymj.exe |
| C:\Windows\System\uwKOjHj.exe | C:\Windows\System\uwKOjHj.exe |
| C:\Windows\System\AtGQKPC.exe | C:\Windows\System\AtGQKPC.exe |
| C:\Windows\System\opJIJpH.exe | C:\Windows\System\opJIJpH.exe |
| C:\Windows\System\womnHfH.exe | C:\Windows\System\womnHfH.exe |
| C:\Windows\System\wTtmePu.exe | C:\Windows\System\wTtmePu.exe |
| C:\Windows\System\LNojVpU.exe | C:\Windows\System\LNojVpU.exe |
| C:\Windows\System\UIYofZl.exe | C:\Windows\System\UIYofZl.exe |
| C:\Windows\System\kRsaEfa.exe | C:\Windows\System\kRsaEfa.exe |
| C:\Windows\System\CqLjXpE.exe | C:\Windows\System\CqLjXpE.exe |
| C:\Windows\System\PRHmlvw.exe | C:\Windows\System\PRHmlvw.exe |
| C:\Windows\System\SaOYmIw.exe | C:\Windows\System\SaOYmIw.exe |
| C:\Windows\System\UVdPgSP.exe | C:\Windows\System\UVdPgSP.exe |
| C:\Windows\System\gTTOFTd.exe | C:\Windows\System\gTTOFTd.exe |
| C:\Windows\System\oKqZeCQ.exe | C:\Windows\System\oKqZeCQ.exe |
| C:\Windows\System\GWvCsbc.exe | C:\Windows\System\GWvCsbc.exe |
| C:\Windows\System\kWApIhJ.exe | C:\Windows\System\kWApIhJ.exe |
| C:\Windows\System\PkEvXGe.exe | C:\Windows\System\PkEvXGe.exe |
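The process list above, together with the AdjustPrivilegeToken signature, is the behaviour worth encoding as a detection: a parent running from the user's Temp directory writes 7-letter executables into C:\Windows\System (the legacy directory, not System32, where almost nothing legitimate writes) and launches each one, while the parent enables SeLockMemoryPrivilege, the "Lock Pages in Memory" right that XMRig requests for large-page RandomX memory. The Python below is an added example and is not part of this report or of any tool it names. It runs that logic over constructed process-creation records (Sysmon-style Image/ParentImage fields) and constructed Security event 4703 records ("A user right was adjusted", which exists on Windows 10/Server 2016 and later, so the win7 run would not produce it). The field names, the sample event contents and the SQL Server allowlist entry are assumptions.

```python
import re
from collections import defaultdict

# C:\Windows\System is the legacy 16-bit directory, not System32; the report shows
# 21 freshly written 7-letter executables there, each spawned by the sample.
DROP_PATH_RE = re.compile(r"^[a-z]:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)
LOCK_MEM_RE = re.compile(r"\bSeLockMemoryPrivilege\b")


def is_random_system_drop(image: str) -> bool:
    """True for paths shaped like the report's dropped files (C:\\Windows\\System\\XxXxXxX.exe)."""
    return DROP_PATH_RE.match(image) is not None


def find_drop_chains(proc_events, min_children: int = 3) -> dict:
    """Group process-creation events by parent and return the parents that launched
    at least `min_children` distinct executables matching the drop pattern."""
    children = defaultdict(set)
    for ev in proc_events:
        if is_random_system_drop(ev["Image"]):
            children[ev["ParentImage"].lower()].add(ev["Image"].lower())
    return {parent: sorted(imgs) for parent, imgs in children.items() if len(imgs) >= min_children}


def find_lock_memory_enablers(priv_events, allowlist=frozenset()) -> list:
    """Processes that enabled SeLockMemoryPrivilege in a Security 4703 record
    ('A user right was adjusted'), minus an allowlist of known large-page users."""
    allowed = {a.lower() for a in allowlist}
    hits = []
    for ev in priv_events:
        if ev.get("EventID") != 4703:
            continue
        # EnabledPrivilegeList is a free-form list in the event; search rather than split.
        if not LOCK_MEM_RE.search(ev.get("EnabledPrivilegeList", "")):
            continue
        proc = ev["ProcessName"].lower()
        if proc not in allowed:
            hits.append(proc)
    return hits


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe")

# Constructed events modelled on the report's process list (field names follow
# Sysmon event 1 and Security event 4703; the benign rows are assumptions).
PROC_EVENTS = [
    {"Image": r"C:\Windows\System\COadeJQ.exe", "ParentImage": SAMPLE},
    {"Image": r"C:\Windows\System\kXnesIh.exe", "ParentImage": SAMPLE},
    {"Image": r"C:\Windows\System\EQQGFYw.exe", "ParentImage": SAMPLE},
    {"Image": r"C:\Windows\System32\svchost.exe", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe"},
]
PRIV_EVENTS = [
    {"EventID": 4703, "ProcessName": SAMPLE, "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    {"EventID": 4703, "ProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    {"EventID": 4703, "ProcessName": r"C:\Windows\System32\svchost.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege"},
]
# Assumed allowlist: SQL Server legitimately uses Lock Pages in Memory.
KNOWN_LARGE_PAGE_USERS = frozenset({r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe"})

if __name__ == "__main__":
    print("drop chains:", find_drop_chains(PROC_EVENTS))
    print("SeLockMemoryPrivilege enabled by:", find_lock_memory_enablers(PRIV_EVENTS, KNOWN_LARGE_PAGE_USERS))
```

Legitimate large-page users (SQL Server, some JVMs and databases) also enable SeLockMemoryPrivilege, and 4703 fires constantly for service hosts, so the privilege check needs an allowlist and works best as a corroborator; the drop-chain check (several fresh executables in C:\Windows\System spawned by one parent) is the stronger signal on its own.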
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\system\LNojVpU.exe
| MD5 | 92efcae111b95371daffe3c857918e1e |
| SHA1 | 249afece1ad1cfab570c95957f3ec7c0c404aeac |
| SHA256 | 16ebb2cfe4e5d969f4928e1e9e17f5dbffb823d092a17a707e678ce01ebf2717 |
| SHA512 | a82b55fb9d3b0bea03720b34e9cb1f94311770c3a3ad7c128dec6b80f02c0bcc09780f43a46f559e012b7c7c7da1afa103c3b4f8a303b99a0ad53d7abb035856 |
C:\Windows\system\CqLjXpE.exe
| MD5 | cc53cd7f49b6d4ba4fa23d18cc5faf32 |
| SHA1 | 5b7abdd9c79c91117b395aed3f701137c8d31fe3 |
| SHA256 | 04bf58b48da8bcfbcbf35a70bb23ba67280c10c50a48d153f7da51858240ccad |
| SHA512 | a4aa0aa8f2201507298a0b6a960b07048dfe375b5394451c426f05be477d078da0bcd7acb76dff13cfc5078704c1805594ecda0ef43ad47d1b9454e8e0dca51c |
C:\Windows\system\UVdPgSP.exe
| MD5 | b7f059e2051c6b93c3acee9100837107 |
| SHA1 | cf3eb10df1737e0599aa398024a24aaf4b7714eb |
| SHA256 | a8c1d2f8260627dfe154e1201d94be67f930219db71f1784aa7a05ddae8e6864 |
| SHA512 | 955ac52ac6635a9620f9b792bfdcc5789bc4ec965b25a39fdbb20f3de8e242ef0d9b92917e87f9905d88f2e1a4b8fcf0e075b6d82544dde75c4133b4d9298e7c |
C:\Windows\system\kWApIhJ.exe
| MD5 | 9e0128249ce87bbd0c0df0b7955d4dd7 |
| SHA1 | 464c04a4b0e1a89b5c017e851a2163c1eabc9e2f |
| SHA256 | 32246554e3386fb8a788a33ed1ddc8b20cf38de6eec890ffea36b94dc6ae718b |
| SHA512 | 4a9a97612f66bf7c123c7e5fce0a32af541f0166d226f0730b1e68732ae6fde38d3363376a9c18db4361a88a9e7be03f7ea89cd7339f6b044cdf85630b7251ac |
\Windows\system\PkEvXGe.exe
| MD5 | 53f9b4bb8f455bf0add47d0c44855d09 |
| SHA1 | e0bc217b24d0b4b2a35bbd35438e157b2c9569f8 |
| SHA256 | 2e7c32ebf18b66ae7d276b1492afb9a7c0f38aa770b69579dc1ffec4c3924afc |
| SHA512 | a97af333a5d679f0a617e6429cd4945dfa48bfa020ed4713b12d918b4c7c19e7a58bad23470002d0d6fa01723270f21533df82af6dd3aefc3486128a702930d2 |
C:\Windows\system\GWvCsbc.exe
| MD5 | 62226d53736e408e389c85366b9332d1 |
| SHA1 | ab90f625ff5ffdd596afbda131a140949f4f559c |
| SHA256 | b27e478c7a6483e289b0caef0160e56f068592f39889c533721f3cdf5042bb2d |
| SHA512 | 371c3f94adc1591864230e93545d2f68b564fe8e4b90cfa1cf6c4110cb43317e9926a77611c46c91739736bd3d1e599f979ebb210a243299e5ae9f62851fccfa |
C:\Windows\system\oKqZeCQ.exe
| MD5 | e15e8e7cbfc5270571fd910b60e68219 |
| SHA1 | f391203a0cbf64aa5de984d04a2959f9910770b4 |
| SHA256 | 4b6f89f87a21c25625370268f2ca3686c8f4c20563c1194b4472c9e340c0d477 |
| SHA512 | 52e3897e3b1bf2893f57dbc5d08addf4dcb8a1786128d936ebd938877197adffd404208daefe81f19435c5ee1ef279b47819317d135b552e550e6e0c35915b41 |
C:\Windows\system\gTTOFTd.exe
| MD5 | 2d8ad74bc8aac7d50ee84145709e5d48 |
| SHA1 | 8e5fda1463ff0ee11885dc25eb31a0157820c22f |
| SHA256 | eb262e44a066fe8b9f754f7dab0580178f005a436029d8121ba297a37c180141 |
| SHA512 | 2f400e8ef98db93c0c884daa0175ae4660a82b4015655c0710b1c37390a2d73c1e43cc74d05f3aa4ce3b091cd0f519ffcc155115a70ffe859f8812a70e454b46 |
C:\Windows\system\SaOYmIw.exe
| MD5 | 526bf5e5cd7125c368325495ac737665 |
| SHA1 | f0e7b1c51bfecf4713ab35d2cb288b6f409ed70f |
| SHA256 | 1b3a8fcee0822b6ea86ebb5e8f730a19bd5ddd63658740f991a0a5cb89670f48 |
| SHA512 | d0be1cda89be8c8c7a166c79f32f44bb59290d344acbe6326debc1beb406b9dabdd3601576b62050d43f39bf668bc70d1fc1cb8e6e2b19e73e5b821f386a19e6 |
C:\Windows\system\PRHmlvw.exe
| MD5 | 851435b935a74727d8eee1956e60115d |
| SHA1 | 9266fc275b8ce5f3c4bae298103a92ea5041da79 |
| SHA256 | 03ed03fbe8518a6408f26225377be9cccd81cbdc290b42e5c788d0977355ca03 |
| SHA512 | d7d79bd03444febefb2959490734c8ee8a15dd769bb8d05e5b18a09bb2c8f7642557de95d78683a3fa000849d34dbcd92cc23b90fc4785d2dd9b01249e8f6614 |
C:\Windows\system\kRsaEfa.exe
| MD5 | 6efcc4fdced7ef4370aca210f62cc460 |
| SHA1 | 17de8beb67322e0d27b849c01af13c1abeb539d9 |
| SHA256 | fe245425345054594a0a247a38b66a5b7426ced4e3a19c8a4a66341be89c3e5a |
| SHA512 | f9b776cb39fa5751ffcf91207681ae22d6715ae6c031f2034ac095f713b09422dfde71a87c5c00b77dd6d196e7524cb20a68e04b9183e5e811f052a5b477884c |
C:\Windows\system\UIYofZl.exe
| MD5 | 10c23e5086caf8fc9da5881ab3b4db1e |
| SHA1 | 1ff81bb588495d05e6728b6a628e980c34bd5868 |
| SHA256 | 9162622ddf5bf07451320d05bd395bf769aebf9a36fcab42f3e562cd747eb956 |
| SHA512 | 5a5113f757dee85bce234a72ee329c250bb9e3cbe2e270f6afb18ec65a20a4776b6ac411ef9be54a1ab579f4f815da274c56fce7b4335f5a3e5087711de2daa0 |
C:\Windows\system\wTtmePu.exe
| MD5 | 493a75760540b17f553f1440f4b97fb3 |
| SHA1 | c25b87fddfdf975a017e5a0347e673eaa6726b76 |
| SHA256 | a99bff6d33a7b7bea8892f634353a0c66aa7aeda41225042b829f9402ea64204 |
| SHA512 | 85549281c87b3785274ede2b944d9545d63ce33d7722470da48963985be5f583c4597f773a3a87dcde4857330626cad102aeac0830d3b11cf332123923c3e190 |
C:\Windows\system\womnHfH.exe
| MD5 | dbdca9385e64a13aba3d5bd6b51aa864 |
| SHA1 | 18d86d39b19a275f321edf48fcb5dfc86b2fa589 |
| SHA256 | d0d8e112abb5a9e15f4146e403bb22d3c21813758a7a49ef32a8b5e0c4fd6e82 |
| SHA512 | 0fd4095e8f3992c5b683e3ad13e75df8e53ba3d2d98475d5710c4665430d09b80c869e83edbf74fffbd416fc24b443dcff6f968e4d7ed9889452868edf3be848 |
C:\Windows\system\opJIJpH.exe
| MD5 | 0761c22eaf9b2ec17fb1a48d34ad0b2f |
| SHA1 | 7d5ead77ce3d31bf15338f9e05677ae37dcce6ff |
| SHA256 | edb6d0550d51040654867e8b15251220da6458adde5e97f3060a3404c3565435 |
| SHA512 | 2d5c6abe95da5944b418eddb123c6ec9b0c936d8051a03319fc962f4c2f08923348695cb2017b12439d19504673793cf4efa41934eae06cf0fbc50b9ca959a92 |
C:\Windows\system\AtGQKPC.exe
| MD5 | b5626af693d795b510a358faa84b294a |
| SHA1 | 1e5b819676782b03170b7828cf51fb392ad41ab0 |
| SHA256 | 6c04d43fb725e9563f13cb602ff34031d679d7609ee2d75bda692d0843dc3468 |
| SHA512 | 93d378b3d1c4a61a63667e2e95d19f6b5a19b4aa7ecdebd39e41215d85ebba81ed30b8367d7c775489f4768387127c71c499f8ade98e350ad9bea335a72c782a |
C:\Windows\system\uwKOjHj.exe
| MD5 | 009fb79d2f4b3130faf6c0ce78322d95 |
| SHA1 | 51c7376846d7970406061c685ab0c6974b414c42 |
| SHA256 | 9fec5d36ea27508475258de7d6a0257fc1033cefda109728718cc4fcdfc4fc29 |
| SHA512 | 23ff09e40a38257ecb41331164e1a7b3024102b869322e04626e0b0a57edd2b9f016c0dd60241c22d82d5b01c82dff9a25ac7cc5050308d78687fc645368dd6b |
C:\Windows\system\TJKnymj.exe
| MD5 | 9d30247feaf63f9be3d4a63520b3719f |
| SHA1 | 109e85a30d18032a4ba03431705a00666d7206f9 |
| SHA256 | 6b6a8ea3e34d40e546bcdb68e9a34aed16fd85701c2d94cf6346aeb0380544ab |
| SHA512 | ef20d2368266c31b45709dfd02b48e48b3ecb6682f55ef64128e5b9c35c4f71420cc348ab3cce7eba7637c80b25a53ee99810ccbf56e170338c7b2865c870cb9 |
memory/2536-22-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/1760-20-0x00000000024F0000-0x0000000002844000-memory.dmp
\Windows\system\EQQGFYw.exe
| MD5 | 175c7a15a5631ef1185a0e1ade11921a |
| SHA1 | 271cb9522a8be074bff95d1d2acadff6f9d95056 |
| SHA256 | 9878fadeca4fe3b4f9442fb4ddb5eec400ecda494b60c4712c646a1c7757e444 |
| SHA512 | bafc128b5e7c12d2440cbd19772ff270336799518d4765105b14aabe22b16af5cfb0d5549d5aa80541644373173497a101bfdacfdb7d0aed5de6ae2a6f506630 |
memory/2636-15-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/1760-13-0x000000013F160000-0x000000013F4B4000-memory.dmp
C:\Windows\system\kXnesIh.exe
| MD5 | 31770f2ef263e3d262f52d109cc72942 |
| SHA1 | beb9eb89addf50764477f1349cec588c89d619f7 |
| SHA256 | 0c7372f37b599e77c325d8c2853f5c83b96bffbf2533226ac0da8fde767dcc44 |
| SHA512 | 4f7d0c650d879c91162a98773f383a602b7ab6b055eafc132429f6f635519b389193c3b5ca935bb3fa8651fa4228a21e7149b756b7c47d7740d1b88db2ad943a |
C:\Windows\system\COadeJQ.exe
| MD5 | 4444aa22ed2eb790e6a8747279e87c5e |
| SHA1 | d1d4b70d01ddaba17790d93dbac8c28fc096341b |
| SHA256 | c5633aee73c1b154a08c3f97e5547341147300805a994798a5dda8f20d3caeaa |
| SHA512 | 92f2e1cbdbb1682dd24ec0ab0deb4c166b4b093c5b365ef0f356ce3a4dd750110959af0b5dd508dd529d5798fbb0e71f46d0f2e5b24efb76128ed6f5a1870460 |
memory/1760-6-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/1760-1-0x0000000000200000-0x0000000000210000-memory.dmp
memory/1760-0-0x000000013FB30000-0x000000013FE84000-memory.dmp
memory/1760-98-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2556-96-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/1760-95-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/2464-107-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/1760-116-0x00000000024F0000-0x0000000002844000-memory.dmp
memory/2424-117-0x000000013FCB0000-0x0000000140004000-memory.dmp
memory/1760-118-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/1760-121-0x000000013F060000-0x000000013F3B4000-memory.dmp
memory/1540-124-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/1760-131-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/1760-133-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/2596-132-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/2788-130-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/1760-129-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/2520-128-0x000000013F260000-0x000000013F5B4000-memory.dmp
memory/1760-127-0x000000013F260000-0x000000013F5B4000-memory.dmp
memory/540-126-0x000000013F190000-0x000000013F4E4000-memory.dmp
memory/1760-125-0x000000013F190000-0x000000013F4E4000-memory.dmp
memory/1760-123-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/1496-122-0x000000013F060000-0x000000013F3B4000-memory.dmp
memory/2924-120-0x000000013FE20000-0x0000000140174000-memory.dmp
memory/2484-119-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/1760-134-0x000000013FB30000-0x000000013FE84000-memory.dmp
memory/1760-135-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2296-136-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2636-137-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/1760-138-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/2536-139-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2556-140-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/1760-141-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2464-142-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2296-143-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2536-145-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2636-144-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/2596-146-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/2556-148-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/2424-147-0x000000013FCB0000-0x0000000140004000-memory.dmp
memory/1540-149-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/2520-151-0x000000013F260000-0x000000013F5B4000-memory.dmp
memory/2924-150-0x000000013FE20000-0x0000000140174000-memory.dmp
memory/1496-155-0x000000013F060000-0x000000013F3B4000-memory.dmp
memory/540-154-0x000000013F190000-0x000000013F4E4000-memory.dmp
memory/2484-153-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2464-152-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2788-156-0x000000013F350000-0x000000013F6A4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 11:47
Reported
2024-08-06 11:49
Platform
win10v2004-20240802-en
Max time kernel
140s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches (indicator, process and target not captured in this extract)
Cobaltstrike
xmrig
XMRig Miner payload
64 matches (indicator, process and target not captured in this extract)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\PwKOsMm.exe | N/A |
| N/A | N/A | C:\Windows\System\GPOmBkx.exe | N/A |
| N/A | N/A | C:\Windows\System\YjkaOWQ.exe | N/A |
| N/A | N/A | C:\Windows\System\bQZlWBt.exe | N/A |
| N/A | N/A | C:\Windows\System\OQyuRVW.exe | N/A |
| N/A | N/A | C:\Windows\System\RvYUWuz.exe | N/A |
| N/A | N/A | C:\Windows\System\TRqpVsk.exe | N/A |
| N/A | N/A | C:\Windows\System\TZnfDDw.exe | N/A |
| N/A | N/A | C:\Windows\System\wBcCDzu.exe | N/A |
| N/A | N/A | C:\Windows\System\WXxZyFf.exe | N/A |
| N/A | N/A | C:\Windows\System\NTwTvpR.exe | N/A |
| N/A | N/A | C:\Windows\System\kSbgkwR.exe | N/A |
| N/A | N/A | C:\Windows\System\UQgmHLP.exe | N/A |
| N/A | N/A | C:\Windows\System\YCdFRIS.exe | N/A |
| N/A | N/A | C:\Windows\System\GjyGjyT.exe | N/A |
| N/A | N/A | C:\Windows\System\McbnRwK.exe | N/A |
| N/A | N/A | C:\Windows\System\veGOxAG.exe | N/A |
| N/A | N/A | C:\Windows\System\lDugKpu.exe | N/A |
| N/A | N/A | C:\Windows\System\GkwBPGB.exe | N/A |
| N/A | N/A | C:\Windows\System\tboFmSV.exe | N/A |
| N/A | N/A | C:\Windows\System\JSjbmqC.exe | N/A |
UPX packed file
64 matches (indicator, process and target not captured in this extract)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-06_2798fc1a302161edd7e29e5468debb56_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\PwKOsMm.exe | C:\Windows\System\PwKOsMm.exe |
| C:\Windows\System\GPOmBkx.exe | C:\Windows\System\GPOmBkx.exe |
| C:\Windows\System\YjkaOWQ.exe | C:\Windows\System\YjkaOWQ.exe |
| C:\Windows\System\bQZlWBt.exe | C:\Windows\System\bQZlWBt.exe |
| C:\Windows\System\OQyuRVW.exe | C:\Windows\System\OQyuRVW.exe |
| C:\Windows\System\RvYUWuz.exe | C:\Windows\System\RvYUWuz.exe |
| C:\Windows\System\TRqpVsk.exe | C:\Windows\System\TRqpVsk.exe |
| C:\Windows\System\TZnfDDw.exe | C:\Windows\System\TZnfDDw.exe |
| C:\Windows\System\wBcCDzu.exe | C:\Windows\System\wBcCDzu.exe |
| C:\Windows\System\WXxZyFf.exe | C:\Windows\System\WXxZyFf.exe |
| C:\Windows\System\NTwTvpR.exe | C:\Windows\System\NTwTvpR.exe |
| C:\Windows\System\kSbgkwR.exe | C:\Windows\System\kSbgkwR.exe |
| C:\Windows\System\UQgmHLP.exe | C:\Windows\System\UQgmHLP.exe |
| C:\Windows\System\YCdFRIS.exe | C:\Windows\System\YCdFRIS.exe |
| C:\Windows\System\GjyGjyT.exe | C:\Windows\System\GjyGjyT.exe |
| C:\Windows\System\McbnRwK.exe | C:\Windows\System\McbnRwK.exe |
| C:\Windows\System\veGOxAG.exe | C:\Windows\System\veGOxAG.exe |
| C:\Windows\System\lDugKpu.exe | C:\Windows\System\lDugKpu.exe |
| C:\Windows\System\GkwBPGB.exe | C:\Windows\System\GkwBPGB.exe |
| C:\Windows\System\tboFmSV.exe | C:\Windows\System\tboFmSV.exe |
| C:\Windows\System\JSjbmqC.exe | C:\Windows\System\JSjbmqC.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
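Across both runs the only destination attributable to the sample is 3.120.209.58:8080, contacted six times per run over TCP with no DNS query ever resolving to that address; the g.bing.com and in-addr.arpa lookups appear only on the win10 image and are consistent with that image's background traffic rather than the sample. That makes "repeated outbound TCP to a public address that was never returned in a DNS answer" the network check worth running. The Python below is an added example, not from this report or from any tool it mentions, over constructed DNS and connection records modelled on the two Network tables; the key=value log layout, the timestamps and the 10.1.2.3 client address are assumptions.

```python
import ipaddress
from collections import Counter


def parse_kv_lines(text: str):
    """Parse 'key=value key=value' records, one per line (constructed log format)."""
    for line in text.strip().splitlines():
        rec = {}
        for token in line.split():
            key, _, value = token.partition("=")
            rec[key] = value
        yield rec


def resolved_addresses(dns_log: str) -> set:
    """Every IP returned in a DNS answer; a connection to anything else is direct-to-IP."""
    seen = set()
    for rec in parse_kv_lines(dns_log):
        for ip in rec.get("answers", "").split(","):
            if ip:
                seen.add(ip)
    return seen


def direct_to_ip_connections(conn_log: str, dns_log: str, min_hits: int = 3) -> dict:
    """Return {(dst, dport): count} for public TCP destinations that were never
    resolved by name and were contacted at least `min_hits` times."""
    resolved = resolved_addresses(dns_log)
    counts = Counter()
    for rec in parse_kv_lines(conn_log):
        if rec.get("proto") != "tcp":
            continue
        if not ipaddress.ip_address(rec["dst"]).is_global:   # skip RFC 1918, loopback, link-local
            continue
        if rec["dst"] in resolved:
            continue
        counts[(rec["dst"], int(rec["dport"]))] += 1
    return {key: n for key, n in counts.items() if n >= min_hits}


def connection_intervals(conn_log: str, dst: str, dport: int) -> list:
    """Seconds between successive connections to one destination; a tight spread
    (low jitter) is the classic beacon signature."""
    ts = sorted(int(r["ts"]) for r in parse_kv_lines(conn_log)
                if r["dst"] == dst and int(r["dport"]) == dport)
    return [later - earlier for earlier, later in zip(ts, ts[1:])]


# Constructed records modelled on the report's Network tables: the bing lookup and
# two of the reverse lookups from the win10 run, six hits on 3.120.209.58:8080, and
# one assumed internal SMB connection that must not be flagged.
DNS_LOG = """
ts=1722945000 src=10.1.2.3 dst=8.8.8.8 proto=udp query=g.bing.com answers=13.107.21.237
ts=1722945001 src=10.1.2.3 dst=8.8.8.8 proto=udp query=237.21.107.13.in-addr.arpa answers=
ts=1722945002 src=10.1.2.3 dst=8.8.8.8 proto=udp query=22.160.190.20.in-addr.arpa answers=
"""
CONN_LOG = """
ts=1722944990 src=10.1.2.3 dst=3.120.209.58 dport=8080 proto=tcp
ts=1722945003 src=10.1.2.3 dst=13.107.21.237 dport=443 proto=tcp
ts=1722945020 src=10.1.2.3 dst=3.120.209.58 dport=8080 proto=tcp
ts=1722945050 src=10.1.2.3 dst=3.120.209.58 dport=8080 proto=tcp
ts=1722945081 src=10.1.2.3 dst=3.120.209.58 dport=8080 proto=tcp
ts=1722945110 src=10.1.2.3 dst=3.120.209.58 dport=8080 proto=tcp
ts=1722945140 src=10.1.2.3 dst=3.120.209.58 dport=8080 proto=tcp
ts=1722945141 src=10.1.2.3 dst=10.1.2.1 dport=445 proto=tcp
"""

if __name__ == "__main__":
    hits = direct_to_ip_connections(CONN_LOG, DNS_LOG)
    print("direct-to-IP destinations:", hits)
    for (dst, dport) in hits:
        print(dst, dport, "intervals:", connection_intervals(CONN_LOG, dst, dport))
```

The interval check is what separates a beacon from a one-off download: six connections to the same IP and port at a near-constant spacing is the shape of a polling client. Run it on real Zeek conn/dns logs by swapping the parser, and keep the DNS window wide enough to cover cached answers, or legitimately resolved hosts will show up as false positives.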
Files
memory/1460-0-0x00007FF71BBF0000-0x00007FF71BF44000-memory.dmp
memory/1460-1-0x000002C450D10000-0x000002C450D20000-memory.dmp
C:\Windows\System\PwKOsMm.exe
| MD5 | 2e21b84d3cc96211c09c21a0ad4d4f4a |
| SHA1 | b708cbdd6c1ca1c167b1fa2856bfdbcec49f9514 |
| SHA256 | 37bfe3df6e2b0bb4c62e6e1343ff51a5594333263e2748d39fa1b407ca1ec1a3 |
| SHA512 | 469e1c624f5edfdf3d7e8314bce6c40c7c6ebed593754f760b309603a848ad0b7b020231b8e07d48b291e56b45c919f8ffd728f4667d67700392b6c3db7404e4 |
C:\Windows\System\YjkaOWQ.exe
| MD5 | 216e10383a49dbccd5eb3dd0639635ba |
| SHA1 | 9efda0e8649339c0e32f6a74a916d34f9e2e2b0d |
| SHA256 | 9edc21daef7d0afe48d38f526c2ad9a8763c4c82dc34fa3009acf90107ffc725 |
| SHA512 | 512aea7fa294efbc789f28daf57757a3d00b21e2082e662a20540392eaff0cf4dc1ad0f161a317e5f740b71f915798793fc10e5b5de265da6ed0e671180525f0 |
C:\Windows\System\GPOmBkx.exe
| MD5 | 1d8d974d5b60552b049aad12ca4fefd6 |
| SHA1 | a4af8ce3e9fdef7b1abc78adcb02caa12ab0d888 |
| SHA256 | e9833432c566fd44bd3a827425108e7cf6e12dd1a06742882d82f2af5ab6e64a |
| SHA512 | 8b2a5000fc85a43f4cdb28fb9b61213d8727e30d56cb20a99b2a42551495303ad8eab0619ebaea2ba60e434a7b28b9bdb6fd25e7c352f8faa58493c79510bf82 |
memory/3776-14-0x00007FF6C8230000-0x00007FF6C8584000-memory.dmp
C:\Windows\System\bQZlWBt.exe
| MD5 | b4395e21d7ae5b7179ffe953d54bfeca |
| SHA1 | 1079fcb38403f6b0186ca4a6b84ce7b5546b222e |
| SHA256 | 12ca0678d766d5d6c08d8dd498afcc7c4ffe64c8736d5f425f59271a9af658d5 |
| SHA512 | 940e76d41829b97cb85afb025a624747b374d5a1a6a4d29a10c7cbb12f91fd84334fe579297747fd79920f906871a8474f1abd68b561f2fad912b0dc62b203c2 |
C:\Windows\System\OQyuRVW.exe
| MD5 | 16ca5030fa5931edfac6853b73c36afb |
| SHA1 | 2b57921123b39811b601d8c475b5a0e13c8373df |
| SHA256 | 1b8dfe33801a54be4e2fc3842d2f453bd376150129d89566ea3209fa4db2a05a |
| SHA512 | c6557bb6bc61c4287f65637bde52e34434a92928dcba50d63f73a76f1f6a27fdd8155c3cf51ab9b139b0a89873c8d06a7c9ea7d1ced64b3d58ce4f15de92aa17 |
C:\Windows\System\RvYUWuz.exe
| MD5 | 05de024a93cb27fcb32d4d35ae395494 |
| SHA1 | 675f84fcc8100b6d2c632b56cc61dc9ed484b63e |
| SHA256 | ad6dbf296dec183ae0ddfd60df687e68eb14f365ff358054d0cb627f17989dd4 |
| SHA512 | b79676c296bbf87708068db4301f9a39619e714967691aa88e2e2825127f55d1ba175eba317f978da8a541208cf4650bccc889634fe92bdbefdf926e972573b0 |
C:\Windows\System\TRqpVsk.exe
| MD5 | e5ee0899bc29d0c755297d986e1d43b0 |
| SHA1 | 183883be95e96d15305f2064a673c1bdaeb2d8bb |
| SHA256 | ca53562c6d5363de6f5c1a3604a3d6a5dd8502604c7577014a534d2fcdb24529 |
| SHA512 | 626fb7a4f4d19cc531d6fadc947e0f5dd255934160f5ac7d3cec7f9e145dbf88a2431acbdb11556a8db8b2008abc6071e3a8122754ce3bd72f77bcccf99da802 |
memory/1032-42-0x00007FF797900000-0x00007FF797C54000-memory.dmp
memory/4688-39-0x00007FF66FC90000-0x00007FF66FFE4000-memory.dmp
memory/1504-33-0x00007FF699380000-0x00007FF6996D4000-memory.dmp
memory/4020-30-0x00007FF670960000-0x00007FF670CB4000-memory.dmp
memory/632-21-0x00007FF6512C0000-0x00007FF651614000-memory.dmp
memory/1552-6-0x00007FF744BA0000-0x00007FF744EF4000-memory.dmp
C:\Windows\System\TZnfDDw.exe
| MD5 | 80c8a233b4d9b92e71b1e1eb20990b4b |
| SHA1 | 39ecc7b3d7b67e3577b0643ac882f756be03c108 |
| SHA256 | e706be6e8269ccf6059e342d5799842f5ea7e4676b95c47c34ed6ac88f78affe |
| SHA512 | 5ae1546991dae09365eafb0eb778165a2828ccc75a350c7b8152329f963253bb25bceebe55469a471c08e87903585b56de85b7a6938db55b1cc36619e461dc4a |
C:\Windows\System\wBcCDzu.exe
| MD5 | 2fb5c8364218d2c7ee8b1fae25ea1cba |
| SHA1 | 950a2d09849809854f93d5c7c2218a7a6bb6bbda |
| SHA256 | 65f1a67a9b72ca0f4f652647bc7c87de5cfc1704f1cdd824bf6e7c17629c47d6 |
| SHA512 | 01cc88e769c37b3eeb3f3dfbbdabbb1db0885a66f8940cd462c3dc93e844ae61e58d11316b3e7c19bf606ba6e9b25b0320d1a1a605ca279e2aeec32c6dea7100 |
memory/536-50-0x00007FF6B3B80000-0x00007FF6B3ED4000-memory.dmp
C:\Windows\System\WXxZyFf.exe
| MD5 | dda112edbc9584c9374623a25e8e93e6 |
| SHA1 | a4ba748c304124e0e1ffbd9d4c6e410665985724 |
| SHA256 | fadce2364421817d307f5092326934c390aeceae22310c44081653f406affa76 |
| SHA512 | f77c0917eb625d26d2abdb4db5a2530fcf27986afec5e8656c2e24acb7c084e25cc1faf477ff25133b8f5fc14fe6567ed51330c6d8b79de5537215cedae33c51 |
C:\Windows\System\NTwTvpR.exe
| MD5 | b3ece425c5e99a9ca1e47ddcf7cfaa0a |
| SHA1 | a46308aa53accf4920462fce461077c208ccfd3e |
| SHA256 | 8cf38c23a30a9615f3393beda6988b8f0acebdedebd97475439fb059afa02b0d |
| SHA512 | c9dbb5af0945424fc81be5e4e5a9325e36022c41f963628d061dc0f46d73039131f720e7d00f1e3c6a00c6502928a375269e78a0398be6834622b986b9c17fb2 |
memory/1460-69-0x00007FF71BBF0000-0x00007FF71BF44000-memory.dmp
C:\Windows\System\UQgmHLP.exe
| MD5 | 38ad174bf159478b5969f4b693c8bf1a |
| SHA1 | b5164ca35ab2a89e87e32420b88b180ad2e53dfe |
| SHA256 | 7db91e1ebef7e3704677d69db3bb594a96a9ccd5c996d3b1edfc7eeb15225714 |
| SHA512 | 9c00762f522cb541c42979d3a0f3cf53f2b1c59b17bba7953c05985c43fc1c5c109fb5cfc4b50d661e207a635293cbe35ef616b2299d480fe222f63a7db76410 |
C:\Windows\System\kSbgkwR.exe
| MD5 | 3d5cb7a8f6b787f0be437e0a7829b264 |
| SHA1 | 8e05d9e674abee20c4f27b28b297b00de38f5f1d |
| SHA256 | 2bbdc0e4cf07d4eb810636998bc29bbc946c4acbc0da73bdb0aee89b39f99d3d |
| SHA512 | a348b1222dc46478b3aab01363c38996b55f79733a5252bab4e787f5b0670a0876383cbe168cf20df6dbfecdade0a29febad3c271e5464c66ab12aa0a4fdc98f |
C:\Windows\System\YCdFRIS.exe
| MD5 | a4da1ff89ed8b73824f2f4439b6832d3 |
| SHA1 | 4c96669983fcae521d82ecc222fefa5eeec4620a |
| SHA256 | 554fd4fe2f8e131aa4e907b57cef1b8199aaa285140c297a3be9418cfbd89512 |
| SHA512 | 58036afa8b958b6d2dd6f9ec97feeafbf1b9da8e946e08ec1681e1d6e8bdb3206c128b9abda30bcc508bac416f64df56bb1285680b5e0916a0bb20420d0c4f54 |
C:\Windows\System\McbnRwK.exe
| MD5 | 87af2bb6303134236cefe5c0900b5d9e |
| SHA1 | 2a585ddd2db57163c0bf3d118d3ca1eb794210ae |
| SHA256 | bd45b232d250551eb0b40e21cf273ce9e42391592451ab0b1d7594a6d557d92b |
| SHA512 | 745b75d0a8fb8929895e43ba7569f762e5a5e1e1ca12ebbd8ac1daacebebf85b96ce4d3737b206e64388745d1ebdcdcf141a804d2e3fcdc2a236aa3f7790f4bf |
C:\Windows\System\veGOxAG.exe
| MD5 | e16f9af15eba820fa8f88f08cbe6790c |
| SHA1 | 7652442b5e23b4c668c026dbbe4d276a9452ff51 |
| SHA256 | c15bd02ddcf226eada134de5ff18898e663bc3493a72852142fdcf9d7d1f6741 |
| SHA512 | dd21b56d4569e3924d13637027e0b59490bcb716ed6c75d752c6beae51d17859b921eee2b5856bd2ab0be4e2479c9f80ecab01b151c7e7e51377c28e06752e98 |
C:\Windows\System\lDugKpu.exe
| MD5 | 87f8b9ee953d7b7309bf600f389da366 |
| SHA1 | 75bf7d838fa72ec6aa79bc48782fe318d50bc03b |
| SHA256 | eee61f021bcaaa173eb4d1d83c02ad63df3072a42b28338b836a5d4bb2244da0 |
| SHA512 | 41f51e77734e28e3dda978cbdb6838ca2644904645e0cbb41f013a5b3feb621d7ffca2a4374a9d3e09b0d7b4e5df8c21c5ba41789d72059cc13a9efb6276c99f |
C:\Windows\System\GkwBPGB.exe
| MD5 | 906236d7df43406eea6ab3b8b0d42b77 |
| SHA1 | fefef29475b6f2886bb131f3dff210fefa4a713b |
| SHA256 | 1460e52b819542e87a1a75fd283e8f10822ac2e5a995854872688f333630bc5c |
| SHA512 | aa8e8aeb267298bb7957fd778c6368fc4d687fa389a1512a1de61cf0bd807a2719802b6fedf7fed01865e1ec3e66d5e8332f3364565d99ebd0c51d59696f3282 |
C:\Windows\System\JSjbmqC.exe
| MD5 | 2159980575147b77df57ea41d4774546 |
| SHA1 | 344db4792d69d29bdea3e92dc0a47a77941f9852 |
| SHA256 | b23bc51ee9af44d73fe6ccfc63c10bcfa59c36f0136af6bd01c4dc0d889385fa |
| SHA512 | 71123d3ce557530ff6621c59b3180b1b25929b2f07b8f92be66e89a4c29aba9494b47e14f1afd8e11e25777c6a1e2f3708e69b0dd13ea76c28af3d199663fe37 |
memory/4768-117-0x00007FF712500000-0x00007FF712854000-memory.dmp
memory/2576-122-0x00007FF75B2F0000-0x00007FF75B644000-memory.dmp
memory/4208-124-0x00007FF693CB0000-0x00007FF694004000-memory.dmp
memory/3500-129-0x00007FF668660000-0x00007FF6689B4000-memory.dmp
memory/3776-130-0x00007FF6C8230000-0x00007FF6C8584000-memory.dmp
memory/4220-128-0x00007FF795330000-0x00007FF795684000-memory.dmp
memory/3256-127-0x00007FF7F4A60000-0x00007FF7F4DB4000-memory.dmp
memory/3272-126-0x00007FF75C280000-0x00007FF75C5D4000-memory.dmp
memory/2488-123-0x00007FF783030000-0x00007FF783384000-memory.dmp
C:\Windows\System\tboFmSV.exe
| MD5 | 481342f1b9ca5f1a732e8cb96cf1e11d |
| SHA1 | 91df240a1336e2e4a36855da0d3ca337270a7f19 |
| SHA256 | bbf9d1895a6c0c7f9528ad6076b97f5f20fa880b73633a3ced2a19dee6e2a44b |
| SHA512 | 956cdc23b48a2ada9eb2cf95aa9593853e1eca4ad495806391402dc06ae99980e28265daddb77aec47185e6e9cb5956dc7a2f6eaf2b924d6f65d48ac71714e7f |
memory/1100-118-0x00007FF66F4F0000-0x00007FF66F844000-memory.dmp
memory/1552-116-0x00007FF744BA0000-0x00007FF744EF4000-memory.dmp
memory/4008-112-0x00007FF6CA730000-0x00007FF6CAA84000-memory.dmp
C:\Windows\System\GjyGjyT.exe
| MD5 | 0549512adf7629b1184e48b7cab0515f |
| SHA1 | 2173229ee1667082aa75fd239ac379149613f1a9 |
| SHA256 | fb6d605b0e19e423e0fba194ea78b1423b0aaf1015154e551a926c951b6ccc6f |
| SHA512 | c1855ed68fc36c9b076aa0950fff7c8995d0814d89b5efeaeb95039a69914a8e427ad20f0ce9efaa95b77434cc85b272e0eaecf5a54c91e723964c7582f244bc |
memory/948-77-0x00007FF6C0520000-0x00007FF6C0874000-memory.dmp
memory/4056-70-0x00007FF61BDC0000-0x00007FF61C114000-memory.dmp
memory/3972-62-0x00007FF6011F0000-0x00007FF601544000-memory.dmp
memory/1504-131-0x00007FF699380000-0x00007FF6996D4000-memory.dmp
memory/4688-132-0x00007FF66FC90000-0x00007FF66FFE4000-memory.dmp
memory/1032-133-0x00007FF797900000-0x00007FF797C54000-memory.dmp
memory/948-134-0x00007FF6C0520000-0x00007FF6C0874000-memory.dmp
memory/1552-135-0x00007FF744BA0000-0x00007FF744EF4000-memory.dmp
memory/3776-136-0x00007FF6C8230000-0x00007FF6C8584000-memory.dmp
memory/632-137-0x00007FF6512C0000-0x00007FF651614000-memory.dmp
memory/4020-138-0x00007FF670960000-0x00007FF670CB4000-memory.dmp
memory/1504-139-0x00007FF699380000-0x00007FF6996D4000-memory.dmp
memory/4688-140-0x00007FF66FC90000-0x00007FF66FFE4000-memory.dmp
memory/1032-141-0x00007FF797900000-0x00007FF797C54000-memory.dmp
memory/536-142-0x00007FF6B3B80000-0x00007FF6B3ED4000-memory.dmp
memory/3972-143-0x00007FF6011F0000-0x00007FF601544000-memory.dmp
memory/4056-144-0x00007FF61BDC0000-0x00007FF61C114000-memory.dmp
memory/4008-145-0x00007FF6CA730000-0x00007FF6CAA84000-memory.dmp
memory/948-146-0x00007FF6C0520000-0x00007FF6C0874000-memory.dmp
memory/3500-147-0x00007FF668660000-0x00007FF6689B4000-memory.dmp
memory/2576-150-0x00007FF75B2F0000-0x00007FF75B644000-memory.dmp
memory/1100-151-0x00007FF66F4F0000-0x00007FF66F844000-memory.dmp
memory/2488-149-0x00007FF783030000-0x00007FF783384000-memory.dmp
memory/4768-148-0x00007FF712500000-0x00007FF712854000-memory.dmp
memory/3272-152-0x00007FF75C280000-0x00007FF75C5D4000-memory.dmp
memory/4208-153-0x00007FF693CB0000-0x00007FF694004000-memory.dmp
memory/4220-154-0x00007FF795330000-0x00007FF795684000-memory.dmp
memory/3256-155-0x00007FF7F4A60000-0x00007FF7F4DB4000-memory.dmp