Analysis Overview
SHA256
33d81467dabb18a777061bef0143b1ef637e3341d31ec5e224e47055526a88a0
Threat Level: Known bad
The file 2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
xmrig
Cobalt Strike reflective loader
XMRig Miner payload
Xmrig family
Cobaltstrike
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-08-06 12:09
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 12:09
Reported
2024-08-06 12:11
Platform
win7-20240708-en
Max time kernel
141s
Max time network
145s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\wUdKHZw.exe | N/A |
| N/A | N/A | C:\Windows\System\SFrjdtO.exe | N/A |
| N/A | N/A | C:\Windows\System\UhTzrQt.exe | N/A |
| N/A | N/A | C:\Windows\System\tOgOnBV.exe | N/A |
| N/A | N/A | C:\Windows\System\zobsCgP.exe | N/A |
| N/A | N/A | C:\Windows\System\JSJMuuH.exe | N/A |
| N/A | N/A | C:\Windows\System\vfhuDrU.exe | N/A |
| N/A | N/A | C:\Windows\System\FTdMwmY.exe | N/A |
| N/A | N/A | C:\Windows\System\zdFdPHQ.exe | N/A |
| N/A | N/A | C:\Windows\System\ncgtUco.exe | N/A |
| N/A | N/A | C:\Windows\System\KuuWhve.exe | N/A |
| N/A | N/A | C:\Windows\System\aiiXRwe.exe | N/A |
| N/A | N/A | C:\Windows\System\eJiLwoM.exe | N/A |
| N/A | N/A | C:\Windows\System\itIYgLo.exe | N/A |
| N/A | N/A | C:\Windows\System\ozeaOPd.exe | N/A |
| N/A | N/A | C:\Windows\System\DrAuOmJ.exe | N/A |
| N/A | N/A | C:\Windows\System\KYpGXCO.exe | N/A |
| N/A | N/A | C:\Windows\System\nVHIwKX.exe | N/A |
| N/A | N/A | C:\Windows\System\akOaDSr.exe | N/A |
| N/A | N/A | C:\Windows\System\ZuQSbvS.exe | N/A |
| N/A | N/A | C:\Windows\System\dfDBpFm.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\wUdKHZw.exe | C:\Windows\System\wUdKHZw.exe |
| C:\Windows\System\SFrjdtO.exe | C:\Windows\System\SFrjdtO.exe |
| C:\Windows\System\UhTzrQt.exe | C:\Windows\System\UhTzrQt.exe |
| C:\Windows\System\tOgOnBV.exe | C:\Windows\System\tOgOnBV.exe |
| C:\Windows\System\zobsCgP.exe | C:\Windows\System\zobsCgP.exe |
| C:\Windows\System\JSJMuuH.exe | C:\Windows\System\JSJMuuH.exe |
| C:\Windows\System\vfhuDrU.exe | C:\Windows\System\vfhuDrU.exe |
| C:\Windows\System\FTdMwmY.exe | C:\Windows\System\FTdMwmY.exe |
| C:\Windows\System\zdFdPHQ.exe | C:\Windows\System\zdFdPHQ.exe |
| C:\Windows\System\ncgtUco.exe | C:\Windows\System\ncgtUco.exe |
| C:\Windows\System\KuuWhve.exe | C:\Windows\System\KuuWhve.exe |
| C:\Windows\System\aiiXRwe.exe | C:\Windows\System\aiiXRwe.exe |
| C:\Windows\System\eJiLwoM.exe | C:\Windows\System\eJiLwoM.exe |
| C:\Windows\System\itIYgLo.exe | C:\Windows\System\itIYgLo.exe |
| C:\Windows\System\ozeaOPd.exe | C:\Windows\System\ozeaOPd.exe |
| C:\Windows\System\DrAuOmJ.exe | C:\Windows\System\DrAuOmJ.exe |
| C:\Windows\System\KYpGXCO.exe | C:\Windows\System\KYpGXCO.exe |
| C:\Windows\System\nVHIwKX.exe | C:\Windows\System\nVHIwKX.exe |
| C:\Windows\System\akOaDSr.exe | C:\Windows\System\akOaDSr.exe |
| C:\Windows\System\ZuQSbvS.exe | C:\Windows\System\ZuQSbvS.exe |
| C:\Windows\System\dfDBpFm.exe | C:\Windows\System\dfDBpFm.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\wUdKHZw.exe
| MD5 | c48665e50042755fd19cd3545c9b1403 |
| SHA1 | 84ff5e1c0386aedddf8a11847492b760a9e1c5f7 |
| SHA256 | 8ef54ace60e5cb7353c0e26326d491e844fb84fede43e8080b4b064a74d08559 |
| SHA512 | 68b30634548d7a4ba125459354036d15ae67d918eef66a53d3d147b42d65ffaf4302f5a96bc8a383c26bbc8180300fdc923b44d6a245eddfd0fe0a9a421ae7b1 |
\Windows\system\SFrjdtO.exe
| MD5 | a17655d9bdf7ab973192031a459cc283 |
| SHA1 | 1c6dc291b38ea38066a794fa8180fbba7d37e0f2 |
| SHA256 | 5a74ef7e58514d433fdc89ee11dcdb6c472980854fbf69932cb63110aa7143e4 |
| SHA512 | 434675a44d1f2833219a111e4ebd3b721c16f1ecb4e61080c4fa3a2fd6f3abe7632f2dfa9f0f39d88ed472f4d09dbe98c048ecc2dd47db534a35aa13d0dc5c55 |
C:\Windows\system\UhTzrQt.exe
| MD5 | 1f9d6578fcfbc6d8a201806764c141ca |
| SHA1 | e1955fcbd58223748c87d17c606fa0462871d3b9 |
| SHA256 | 24393385d3ad3ffe3adf5264300266c017f1d264a8f1189ba5061545b3d0db0f |
| SHA512 | bb25bd9bf71cf61199b71868f7215fc0821177cf6e83afa109e95982161ebff37c146a81d0206f57c5bf761d4ba30c08f22879c041ab01f1a5703da4dbfc3788 |
C:\Windows\system\tOgOnBV.exe
| MD5 | 9a999330003584a5f12f74d47906d007 |
| SHA1 | c67b796afe2f09771b3faa5ece75eb380df2633d |
| SHA256 | d28b274fea84f0134522ad875f22ad720dadf38fe0e7506d3a513bc9985d229a |
| SHA512 | 33498f4691e3bce0e91b5a2ffbad27d07069d2471cd247f5cb7ddfb18e35235aa11323e170d2054e3e54fa8c30ee56c729c614f7340f99877ca8ba3c12306e26 |
\Windows\system\zobsCgP.exe
| MD5 | 08be2903987e85c4e25e1bf69b5e16e9 |
| SHA1 | f526f9ce295fff4eec216d6cc0e86dbeb589fd4a |
| SHA256 | 291584b629697f8574f2ec3e2019b1268faa761367578c659b2e04e415b31df8 |
| SHA512 | 2854584b254085c32aacce6f50e967ef3dfb3f0470c428a03f14e51cc357669b8cb4d4a330e044ed0376f67d278826ca37e2612d3246fc357317f87bd991042b |
C:\Windows\system\JSJMuuH.exe
| MD5 | 935200058f5998400a2e9efafd15f32e |
| SHA1 | 27e1d4843fb7f1426202778ff15a940156b436ab |
| SHA256 | 244e1c85fa8baf0cb036d7626b3a5bf9b6ad58e456beb7bf57f53add7f6603e0 |
| SHA512 | 17a73cb07c42cd224bd04c457bef1f87df9324fb30ede3a2362944c73871714782a8e543d11faddf01fddd501ae1c4f2d69c6a23da826cc4b543bcd012bc1896 |
C:\Windows\system\vfhuDrU.exe
| MD5 | 2d80dc1cf3248d6fbf27507827fd356d |
| SHA1 | ff8b9aa7c2718908379349ab61c09302aa43f1f4 |
| SHA256 | a8d7e26c30d53cdc3f730066a8dd7c080e0e48988e42ca9e74346f67e084be46 |
| SHA512 | 442618859a4e5d6c61284a6c91d69455d8b169f8aff6e929f7c1bfaffd75b1388fcc257ccd5d38a6cdd17179b71448cc19b3c4ea549c9f9398350b1ecc80af9d |
C:\Windows\system\FTdMwmY.exe
| MD5 | d2125e2f558ba76a07a19cbe50f47e7d |
| SHA1 | 66c08d4d876c847d9be7c7de382f3c7db11c1582 |
| SHA256 | 8a2d113290a9019a92afd2e81c556f64c860170c69f779bcb1aa233f6dc57910 |
| SHA512 | e9933212f1c2c013dfd0381c13e2c892062c40bb177fa7bf471320422cf3544c6a229ba702d8737828b32aff4f1463bd4bc6b1acdd7f5e03555bf969bd245c17 |
C:\Windows\system\zdFdPHQ.exe
| MD5 | 935dcc01409464415a3f26b427f83137 |
| SHA1 | 8477c06b19d5664c493b2a8766e9817f3c21cb54 |
| SHA256 | b69fb0b11fac19f381e4f078733e69823f5eaa269177153618377da8f364dc79 |
| SHA512 | 9ffb8e4e2f6b2e2feaa1d38bafff81f3e096d9375ae5756402fb0c8df1c7f8441257bf7d7b6de9605958a5e1d4672d49a5c85a6689639a4cdeb7b22877e1eddd |
C:\Windows\system\aiiXRwe.exe
| MD5 | 78c9f0a2eae7106f92735bda8e35dff1 |
| SHA1 | a724e7952a5d3d008d3bbddf293edc59f8e7d622 |
| SHA256 | 963c96fb17d0684f0141e677bb2532af302b10962da84c1e61b388af0f9aad30 |
| SHA512 | 61c71aead4f5b6c5fee73b7304dfff609fd188be4368a39f5d2bca6f508b66beb2fe4a64560b1edfa06949e5a5154e009a11cac883940ae946df1a22b08156dd |
\Windows\system\itIYgLo.exe
| MD5 | d9fdb3fbd7234977b8ec5ae4b54440aa |
| SHA1 | a8888978bc1b9adfc4f6ad73a2117ed9a756de6c |
| SHA256 | 1f022fa0f8a84bd29408f3d4861bafb68fdb678ab6a75254099e495450725167 |
| SHA512 | 7b32d44bd7f16151fd2cef02f2f5767f3dfed1f3cbebcc5d58ff902586f44cc6e535a790f2c8c39c4ff2ef28df27c606259e65b4f349a4956e9206901a1320e6 |
C:\Windows\system\ZuQSbvS.exe
| MD5 | 5173550d7fc3c261297d90763946055d |
| SHA1 | 2a994e02258e73cbdb8690af14cea05946aece98 |
| SHA256 | 67ecdf47594e3b6e7cef86dbfb9a61d6e8f4b45736ee56cc683cd1d0aff0a3bc |
| SHA512 | d5340f0983beee172123b9c16ddf1976b5ee312c4e061483c356430707a5c7114bf9e1c13b8f45d85c875e1d8b999ade56aa901b63e830a819a73c18031a7064 |
\Windows\system\dfDBpFm.exe
| MD5 | d5d97f049b3fef7e62f730998a8f1e0a |
| SHA1 | f9739b0280df49dd522e97212d38436c03a21c89 |
| SHA256 | 3fe69702ab75c6ea779507e964930bdfef16526f5289894b5e459155438a3447 |
| SHA512 | 7809043e6d0875cb3c69fefd923307312214e8eb4381c756c556c184f8fd786bf815011ce5bfcee9c37bb68c70106a422d5837e70eaaf3940fca9f54d34c9afe |
C:\Windows\system\akOaDSr.exe
| MD5 | 208783e2940fc93cd73a107eb39a0825 |
| SHA1 | d91d2e84002659cbe4f644b93e3a78ce1d54b4e2 |
| SHA256 | 274462de7dac0f962641aa2eab6adcb0b701b4105615bf550d8d5ddebd14e14b |
| SHA512 | 6e1afa9d52c60d831293390cc3c28de763a73a04b70b68bfcbb3f7e3b9935bee7ab3575bb5aeac334243a10640e239948b55dd0597936607b612f74946da7b42 |
C:\Windows\system\KYpGXCO.exe
| MD5 | 38049dc88d53f7407908e38361e71cc9 |
| SHA1 | dd33b4b332443637b2608fd13fdc4a73afb86f63 |
| SHA256 | 003a87538879a58b633c57ccb724c7dca3304d7ba34557c8fd423e476dff6f05 |
| SHA512 | 572e8a9e94c185510e158dce920e67809abe2850071b26f698af21ab3d95906b1ad82d35cc3e45477b4cdd65b58cf50450f8ca6ab070b10526845c62428694c6 |
C:\Windows\system\nVHIwKX.exe
| MD5 | 722cc13315767efae534b821f7338a86 |
| SHA1 | 3f130cafa1d0b01e30bd00c000ca63421d905991 |
| SHA256 | 921353e8e3732f59ded62609bd88b76045ce763038ef2be93fe139e9c5680f41 |
| SHA512 | 6149a868a60a0c29f9a08cea66e7aa75ed1fd63d4a619f9e2ffcae6e12ba4f296b33fa5e9b993ae0d2a5d1aa56b425a6f876225e47cbaaabd34ce8e4cf7e93bc |
C:\Windows\system\DrAuOmJ.exe
| MD5 | 8b3b1d1d4be4362120a405b0f863b47f |
| SHA1 | 10d106616ed8e49fdd6a98dbfa247efd0a1ff3a6 |
| SHA256 | c81a059c8ac820e1acd731779542bd406314c8776e90e685fc895e96565087fa |
| SHA512 | f566e4ba49873e2c09cad0ee8f4b7f61697e4d588a6fb8b3f90f1469b5ac7190f01995477b4c4a91a1956d84fb71826d66f1e0d8d258b5dacff0d077a8c4a1bd |
C:\Windows\system\ozeaOPd.exe
| MD5 | e72e0d9ad6555cebdc14ed607296734e |
| SHA1 | ff86e3effea0637546b5c6c12db395cdc56b0d0b |
| SHA256 | c687998e6af4cc71dbfe834866014298b3913443d45b7fa2bf08074c2f573d61 |
| SHA512 | acc5003e72f5a0c14e2ad3514891d7be9fc6629c4cca2c50b6250f884a2f07e68b07e69762535dc49a70ee4c267e7f62f869c594899721181eacdf3920780fe8 |
C:\Windows\system\eJiLwoM.exe
| MD5 | 14565b68181dfe40b4ac480296184ee9 |
| SHA1 | 6b8034b56fcfe733eaade74e0a88e27a82653dcb |
| SHA256 | 7097fafd16d0a69d147b4625a32ba1a60c01bd01ac61cabb545221914c21b7f5 |
| SHA512 | e57602143bd72547b00122d152bdbf133dee1301383c4268421c794ee6d1a2c8832625752c302545178e42fdd2510f92ab297e20935119f7f3b340c047a44362 |
C:\Windows\system\KuuWhve.exe
| MD5 | 5f680e992ce16d2555649f0562ac325a |
| SHA1 | 94556cedd3d39d5aac33bf917217ed7706bb5a67 |
| SHA256 | 3a668d1f4fe6a4ebeff07c1479baa44193703036305b4b468f834af6cab804ef |
| SHA512 | 6f788d9cfeb4f6fa8efff775b248ef567ad8bf69db16846368d2994a0d22325c43ce271d0f134ecd8cffdf1e5a07f9f62635078d08aaaf3afc8b7fd346ae57a8 |
C:\Windows\system\ncgtUco.exe
| MD5 | 8dff1632b6e9c0008f746009f45b9699 |
| SHA1 | 441c510aa15773035d6a321d3a95b788bf87a795 |
| SHA256 | ae75eeae447dbaac50f59eb0883e6ac0ffaf2dedfc0920765b0320baba445eea |
| SHA512 | ce67a7e4eae18d9e96d47b2d977d509e8881fcadf03513e2d975ee83bbf64090e75d12123c1e7040d1c363a0471e37198f61e60ced4cade596a7420d83afdde8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 12:09
Reported
2024-08-06 12:11
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
148s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\wUdKHZw.exe | N/A |
| N/A | N/A | C:\Windows\System\SFrjdtO.exe | N/A |
| N/A | N/A | C:\Windows\System\UhTzrQt.exe | N/A |
| N/A | N/A | C:\Windows\System\tOgOnBV.exe | N/A |
| N/A | N/A | C:\Windows\System\zobsCgP.exe | N/A |
| N/A | N/A | C:\Windows\System\JSJMuuH.exe | N/A |
| N/A | N/A | C:\Windows\System\vfhuDrU.exe | N/A |
| N/A | N/A | C:\Windows\System\FTdMwmY.exe | N/A |
| N/A | N/A | C:\Windows\System\zdFdPHQ.exe | N/A |
| N/A | N/A | C:\Windows\System\ncgtUco.exe | N/A |
| N/A | N/A | C:\Windows\System\KuuWhve.exe | N/A |
| N/A | N/A | C:\Windows\System\aiiXRwe.exe | N/A |
| N/A | N/A | C:\Windows\System\eJiLwoM.exe | N/A |
| N/A | N/A | C:\Windows\System\itIYgLo.exe | N/A |
| N/A | N/A | C:\Windows\System\ozeaOPd.exe | N/A |
| N/A | N/A | C:\Windows\System\DrAuOmJ.exe | N/A |
| N/A | N/A | C:\Windows\System\KYpGXCO.exe | N/A |
| N/A | N/A | C:\Windows\System\nVHIwKX.exe | N/A |
| N/A | N/A | C:\Windows\System\akOaDSr.exe | N/A |
| N/A | N/A | C:\Windows\System\ZuQSbvS.exe | N/A |
| N/A | N/A | C:\Windows\System\dfDBpFm.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-06_fd19dc71bb52a2e8ee9d2cf6c32e90ca_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\wUdKHZw.exe | C:\Windows\System\wUdKHZw.exe |
| C:\Windows\System\SFrjdtO.exe | C:\Windows\System\SFrjdtO.exe |
| C:\Windows\System\UhTzrQt.exe | C:\Windows\System\UhTzrQt.exe |
| C:\Windows\System\tOgOnBV.exe | C:\Windows\System\tOgOnBV.exe |
| C:\Windows\System\zobsCgP.exe | C:\Windows\System\zobsCgP.exe |
| C:\Windows\System\JSJMuuH.exe | C:\Windows\System\JSJMuuH.exe |
| C:\Windows\System\vfhuDrU.exe | C:\Windows\System\vfhuDrU.exe |
| C:\Windows\System\FTdMwmY.exe | C:\Windows\System\FTdMwmY.exe |
| C:\Windows\System\zdFdPHQ.exe | C:\Windows\System\zdFdPHQ.exe |
| C:\Windows\System\ncgtUco.exe | C:\Windows\System\ncgtUco.exe |
| C:\Windows\System\KuuWhve.exe | C:\Windows\System\KuuWhve.exe |
| C:\Windows\System\aiiXRwe.exe | C:\Windows\System\aiiXRwe.exe |
| C:\Windows\System\eJiLwoM.exe | C:\Windows\System\eJiLwoM.exe |
| C:\Windows\System\itIYgLo.exe | C:\Windows\System\itIYgLo.exe |
| C:\Windows\System\ozeaOPd.exe | C:\Windows\System\ozeaOPd.exe |
| C:\Windows\System\DrAuOmJ.exe | C:\Windows\System\DrAuOmJ.exe |
| C:\Windows\System\KYpGXCO.exe | C:\Windows\System\KYpGXCO.exe |
| C:\Windows\System\nVHIwKX.exe | C:\Windows\System\nVHIwKX.exe |
| C:\Windows\System\akOaDSr.exe | C:\Windows\System\akOaDSr.exe |
| C:\Windows\System\ZuQSbvS.exe | C:\Windows\System\ZuQSbvS.exe |
| C:\Windows\System\dfDBpFm.exe | C:\Windows\System\dfDBpFm.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\wUdKHZw.exe
| MD5 | c48665e50042755fd19cd3545c9b1403 |
| SHA1 | 84ff5e1c0386aedddf8a11847492b760a9e1c5f7 |
| SHA256 | 8ef54ace60e5cb7353c0e26326d491e844fb84fede43e8080b4b064a74d08559 |
| SHA512 | 68b30634548d7a4ba125459354036d15ae67d918eef66a53d3d147b42d65ffaf4302f5a96bc8a383c26bbc8180300fdc923b44d6a245eddfd0fe0a9a421ae7b1 |
C:\Windows\System\UhTzrQt.exe
| MD5 | 1f9d6578fcfbc6d8a201806764c141ca |
| SHA1 | e1955fcbd58223748c87d17c606fa0462871d3b9 |
| SHA256 | 24393385d3ad3ffe3adf5264300266c017f1d264a8f1189ba5061545b3d0db0f |
| SHA512 | bb25bd9bf71cf61199b71868f7215fc0821177cf6e83afa109e95982161ebff37c146a81d0206f57c5bf761d4ba30c08f22879c041ab01f1a5703da4dbfc3788 |
C:\Windows\System\zobsCgP.exe
| MD5 | 08be2903987e85c4e25e1bf69b5e16e9 |
| SHA1 | f526f9ce295fff4eec216d6cc0e86dbeb589fd4a |
| SHA256 | 291584b629697f8574f2ec3e2019b1268faa761367578c659b2e04e415b31df8 |
| SHA512 | 2854584b254085c32aacce6f50e967ef3dfb3f0470c428a03f14e51cc357669b8cb4d4a330e044ed0376f67d278826ca37e2612d3246fc357317f87bd991042b |
C:\Windows\System\tOgOnBV.exe
| MD5 | 9a999330003584a5f12f74d47906d007 |
| SHA1 | c67b796afe2f09771b3faa5ece75eb380df2633d |
| SHA256 | d28b274fea84f0134522ad875f22ad720dadf38fe0e7506d3a513bc9985d229a |
| SHA512 | 33498f4691e3bce0e91b5a2ffbad27d07069d2471cd247f5cb7ddfb18e35235aa11323e170d2054e3e54fa8c30ee56c729c614f7340f99877ca8ba3c12306e26 |
C:\Windows\System\vfhuDrU.exe
| MD5 | 2d80dc1cf3248d6fbf27507827fd356d |
| SHA1 | ff8b9aa7c2718908379349ab61c09302aa43f1f4 |
| SHA256 | a8d7e26c30d53cdc3f730066a8dd7c080e0e48988e42ca9e74346f67e084be46 |
| SHA512 | 442618859a4e5d6c61284a6c91d69455d8b169f8aff6e929f7c1bfaffd75b1388fcc257ccd5d38a6cdd17179b71448cc19b3c4ea549c9f9398350b1ecc80af9d |
C:\Windows\System\zdFdPHQ.exe
| MD5 | 935dcc01409464415a3f26b427f83137 |
| SHA1 | 8477c06b19d5664c493b2a8766e9817f3c21cb54 |
| SHA256 | b69fb0b11fac19f381e4f078733e69823f5eaa269177153618377da8f364dc79 |
| SHA512 | 9ffb8e4e2f6b2e2feaa1d38bafff81f3e096d9375ae5756402fb0c8df1c7f8441257bf7d7b6de9605958a5e1d4672d49a5c85a6689639a4cdeb7b22877e1eddd |
C:\Windows\System\FTdMwmY.exe
| MD5 | d2125e2f558ba76a07a19cbe50f47e7d |
| SHA1 | 66c08d4d876c847d9be7c7de382f3c7db11c1582 |
| SHA256 | 8a2d113290a9019a92afd2e81c556f64c860170c69f779bcb1aa233f6dc57910 |
| SHA512 | e9933212f1c2c013dfd0381c13e2c892062c40bb177fa7bf471320422cf3544c6a229ba702d8737828b32aff4f1463bd4bc6b1acdd7f5e03555bf969bd245c17 |
C:\Windows\System\JSJMuuH.exe
| MD5 | 935200058f5998400a2e9efafd15f32e |
| SHA1 | 27e1d4843fb7f1426202778ff15a940156b436ab |
| SHA256 | 244e1c85fa8baf0cb036d7626b3a5bf9b6ad58e456beb7bf57f53add7f6603e0 |
| SHA512 | 17a73cb07c42cd224bd04c457bef1f87df9324fb30ede3a2362944c73871714782a8e543d11faddf01fddd501ae1c4f2d69c6a23da826cc4b543bcd012bc1896 |
C:\Windows\System\SFrjdtO.exe
| MD5 | a17655d9bdf7ab973192031a459cc283 |
| SHA1 | 1c6dc291b38ea38066a794fa8180fbba7d37e0f2 |
| SHA256 | 5a74ef7e58514d433fdc89ee11dcdb6c472980854fbf69932cb63110aa7143e4 |
| SHA512 | 434675a44d1f2833219a111e4ebd3b721c16f1ecb4e61080c4fa3a2fd6f3abe7632f2dfa9f0f39d88ed472f4d09dbe98c048ecc2dd47db534a35aa13d0dc5c55 |
C:\Windows\System\aiiXRwe.exe
| MD5 | 78c9f0a2eae7106f92735bda8e35dff1 |
| SHA1 | a724e7952a5d3d008d3bbddf293edc59f8e7d622 |
| SHA256 | 963c96fb17d0684f0141e677bb2532af302b10962da84c1e61b388af0f9aad30 |
| SHA512 | 61c71aead4f5b6c5fee73b7304dfff609fd188be4368a39f5d2bca6f508b66beb2fe4a64560b1edfa06949e5a5154e009a11cac883940ae946df1a22b08156dd |
C:\Windows\System\ncgtUco.exe
| MD5 | 8dff1632b6e9c0008f746009f45b9699 |
| SHA1 | 441c510aa15773035d6a321d3a95b788bf87a795 |
| SHA256 | ae75eeae447dbaac50f59eb0883e6ac0ffaf2dedfc0920765b0320baba445eea |
| SHA512 | ce67a7e4eae18d9e96d47b2d977d509e8881fcadf03513e2d975ee83bbf64090e75d12123c1e7040d1c363a0471e37198f61e60ced4cade596a7420d83afdde8 |
C:\Windows\System\eJiLwoM.exe
| MD5 | 14565b68181dfe40b4ac480296184ee9 |
| SHA1 | 6b8034b56fcfe733eaade74e0a88e27a82653dcb |
| SHA256 | 7097fafd16d0a69d147b4625a32ba1a60c01bd01ac61cabb545221914c21b7f5 |
| SHA512 | e57602143bd72547b00122d152bdbf133dee1301383c4268421c794ee6d1a2c8832625752c302545178e42fdd2510f92ab297e20935119f7f3b340c047a44362 |
C:\Windows\System\ozeaOPd.exe
| MD5 | e72e0d9ad6555cebdc14ed607296734e |
| SHA1 | ff86e3effea0637546b5c6c12db395cdc56b0d0b |
| SHA256 | c687998e6af4cc71dbfe834866014298b3913443d45b7fa2bf08074c2f573d61 |
| SHA512 | acc5003e72f5a0c14e2ad3514891d7be9fc6629c4cca2c50b6250f884a2f07e68b07e69762535dc49a70ee4c267e7f62f869c594899721181eacdf3920780fe8 |
C:\Windows\System\KYpGXCO.exe
| MD5 | 38049dc88d53f7407908e38361e71cc9 |
| SHA1 | dd33b4b332443637b2608fd13fdc4a73afb86f63 |
| SHA256 | 003a87538879a58b633c57ccb724c7dca3304d7ba34557c8fd423e476dff6f05 |
| SHA512 | 572e8a9e94c185510e158dce920e67809abe2850071b26f698af21ab3d95906b1ad82d35cc3e45477b4cdd65b58cf50450f8ca6ab070b10526845c62428694c6 |
memory/5060-97-0x00007FF693B40000-0x00007FF693E91000-memory.dmp
C:\Windows\System\DrAuOmJ.exe
| MD5 | 8b3b1d1d4be4362120a405b0f863b47f |
| SHA1 | 10d106616ed8e49fdd6a98dbfa247efd0a1ff3a6 |
| SHA256 | c81a059c8ac820e1acd731779542bd406314c8776e90e685fc895e96565087fa |
| SHA512 | f566e4ba49873e2c09cad0ee8f4b7f61697e4d588a6fb8b3f90f1469b5ac7190f01995477b4c4a91a1956d84fb71826d66f1e0d8d258b5dacff0d077a8c4a1bd |
memory/3908-98-0x00007FF70AB90000-0x00007FF70AEE1000-memory.dmp
memory/2084-96-0x00007FF7919D0000-0x00007FF791D21000-memory.dmp
memory/1676-95-0x00007FF6D33C0000-0x00007FF6D3711000-memory.dmp
memory/4172-94-0x00007FF793350000-0x00007FF7936A1000-memory.dmp
C:\Windows\System\itIYgLo.exe
| MD5 | d9fdb3fbd7234977b8ec5ae4b54440aa |
| SHA1 | a8888978bc1b9adfc4f6ad73a2117ed9a756de6c |
| SHA256 | 1f022fa0f8a84bd29408f3d4861bafb68fdb678ab6a75254099e495450725167 |
| SHA512 | 7b32d44bd7f16151fd2cef02f2f5767f3dfed1f3cbebcc5d58ff902586f44cc6e535a790f2c8c39c4ff2ef28df27c606259e65b4f349a4956e9206901a1320e6 |
memory/1556-89-0x00007FF79C200000-0x00007FF79C551000-memory.dmp
memory/2384-88-0x00007FF700A10000-0x00007FF700D61000-memory.dmp
memory/1436-81-0x00007FF6D10F0000-0x00007FF6D1441000-memory.dmp
memory/3304-73-0x00007FF6D66B0000-0x00007FF6D6A01000-memory.dmp
C:\Windows\System\KuuWhve.exe
| MD5 | 5f680e992ce16d2555649f0562ac325a |
| SHA1 | 94556cedd3d39d5aac33bf917217ed7706bb5a67 |
| SHA256 | 3a668d1f4fe6a4ebeff07c1479baa44193703036305b4b468f834af6cab804ef |
| SHA512 | 6f788d9cfeb4f6fa8efff775b248ef567ad8bf69db16846368d2994a0d22325c43ce271d0f134ecd8cffdf1e5a07f9f62635078d08aaaf3afc8b7fd346ae57a8 |
memory/1424-60-0x00007FF7AF9D0000-0x00007FF7AFD21000-memory.dmp
C:\Windows\System\nVHIwKX.exe
| MD5 | 722cc13315767efae534b821f7338a86 |
| SHA1 | 3f130cafa1d0b01e30bd00c000ca63421d905991 |
| SHA256 | 921353e8e3732f59ded62609bd88b76045ce763038ef2be93fe139e9c5680f41 |
| SHA512 | 6149a868a60a0c29f9a08cea66e7aa75ed1fd63d4a619f9e2ffcae6e12ba4f296b33fa5e9b993ae0d2a5d1aa56b425a6f876225e47cbaaabd34ce8e4cf7e93bc |
C:\Windows\System\akOaDSr.exe
| MD5 | 208783e2940fc93cd73a107eb39a0825 |
| SHA1 | d91d2e84002659cbe4f644b93e3a78ce1d54b4e2 |
| SHA256 | 274462de7dac0f962641aa2eab6adcb0b701b4105615bf550d8d5ddebd14e14b |
| SHA512 | 6e1afa9d52c60d831293390cc3c28de763a73a04b70b68bfcbb3f7e3b9935bee7ab3575bb5aeac334243a10640e239948b55dd0597936607b612f74946da7b42 |
C:\Windows\System\ZuQSbvS.exe
| MD5 | 5173550d7fc3c261297d90763946055d |
| SHA1 | 2a994e02258e73cbdb8690af14cea05946aece98 |
| SHA256 | 67ecdf47594e3b6e7cef86dbfb9a61d6e8f4b45736ee56cc683cd1d0aff0a3bc |
| SHA512 | d5340f0983beee172123b9c16ddf1976b5ee312c4e061483c356430707a5c7114bf9e1c13b8f45d85c875e1d8b999ade56aa901b63e830a819a73c18031a7064 |
C:\Windows\System\dfDBpFm.exe
| MD5 | d5d97f049b3fef7e62f730998a8f1e0a |
| SHA1 | f9739b0280df49dd522e97212d38436c03a21c89 |
| SHA256 | 3fe69702ab75c6ea779507e964930bdfef16526f5289894b5e459155438a3447 |
| SHA512 | 7809043e6d0875cb3c69fefd923307312214e8eb4381c756c556c184f8fd786bf815011ce5bfcee9c37bb68c70106a422d5837e70eaaf3940fca9f54d34c9afe |
memory/1540-126-0x00007FF6D98B0000-0x00007FF6D9C01000-memory.dmp
memory/1620-125-0x00007FF760100000-0x00007FF760451000-memory.dmp
memory/2380-123-0x00007FF73BF30000-0x00007FF73C281000-memory.dmp
memory/4604-122-0x00007FF775C40000-0x00007FF775F91000-memory.dmp
memory/4512-116-0x00007FF68F3D0000-0x00007FF68F721000-memory.dmp
memory/1812-109-0x00007FF6B30C0000-0x00007FF6B3411000-memory.dmp
memory/3280-134-0x00007FF7951D0000-0x00007FF795521000-memory.dmp
memory/1424-137-0x00007FF7AF9D0000-0x00007FF7AFD21000-memory.dmp
memory/3944-135-0x00007FF63B330000-0x00007FF63B681000-memory.dmp
memory/1836-133-0x00007FF7A60B0000-0x00007FF7A6401000-memory.dmp
memory/4604-130-0x00007FF775C40000-0x00007FF775F91000-memory.dmp
memory/5060-145-0x00007FF693B40000-0x00007FF693E91000-memory.dmp
memory/3304-142-0x00007FF6D66B0000-0x00007FF6D6A01000-memory.dmp
memory/2084-146-0x00007FF7919D0000-0x00007FF791D21000-memory.dmp
memory/1812-148-0x00007FF6B30C0000-0x00007FF6B3411000-memory.dmp
memory/3908-147-0x00007FF70AB90000-0x00007FF70AEE1000-memory.dmp
memory/4512-149-0x00007FF68F3D0000-0x00007FF68F721000-memory.dmp
memory/1620-151-0x00007FF760100000-0x00007FF760451000-memory.dmp
memory/2380-150-0x00007FF73BF30000-0x00007FF73C281000-memory.dmp
memory/4604-152-0x00007FF775C40000-0x00007FF775F91000-memory.dmp
memory/1540-197-0x00007FF6D98B0000-0x00007FF6D9C01000-memory.dmp
memory/3608-199-0x00007FF6F27B0000-0x00007FF6F2B01000-memory.dmp
memory/1836-201-0x00007FF7A60B0000-0x00007FF7A6401000-memory.dmp
memory/1796-203-0x00007FF75F250000-0x00007FF75F5A1000-memory.dmp
memory/3280-205-0x00007FF7951D0000-0x00007FF795521000-memory.dmp
memory/3944-207-0x00007FF63B330000-0x00007FF63B681000-memory.dmp
memory/3924-209-0x00007FF7FAFE0000-0x00007FF7FB331000-memory.dmp
memory/1436-213-0x00007FF6D10F0000-0x00007FF6D1441000-memory.dmp
memory/1424-212-0x00007FF7AF9D0000-0x00007FF7AFD21000-memory.dmp
memory/3304-229-0x00007FF6D66B0000-0x00007FF6D6A01000-memory.dmp
memory/1556-227-0x00007FF79C200000-0x00007FF79C551000-memory.dmp
memory/2384-226-0x00007FF700A10000-0x00007FF700D61000-memory.dmp
memory/4172-231-0x00007FF793350000-0x00007FF7936A1000-memory.dmp
memory/1676-233-0x00007FF6D33C0000-0x00007FF6D3711000-memory.dmp
memory/5060-235-0x00007FF693B40000-0x00007FF693E91000-memory.dmp
memory/2084-239-0x00007FF7919D0000-0x00007FF791D21000-memory.dmp
memory/3908-238-0x00007FF70AB90000-0x00007FF70AEE1000-memory.dmp
memory/1812-244-0x00007FF6B30C0000-0x00007FF6B3411000-memory.dmp
memory/4512-246-0x00007FF68F3D0000-0x00007FF68F721000-memory.dmp
memory/2380-248-0x00007FF73BF30000-0x00007FF73C281000-memory.dmp
memory/1620-250-0x00007FF760100000-0x00007FF760451000-memory.dmp