Analysis Overview
SHA256
e0d2cd648dbbe45e74cc6bfa96d9715dde44fa4fb4d351ab9616a56607a6b725
Threat Level: Known bad
The file 2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
xmrig
Xmrig family
Cobaltstrike
Cobalt Strike reflective loader
XMRig Miner payload
Cobaltstrike family
XMRig Miner payload
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-06 18:23
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 18:23
Reported
2024-08-06 18:25
Platform
win7-20240704-en
Max time kernel
140s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\mtrURiD.exe | N/A |
| N/A | N/A | C:\Windows\System\EKqpjgy.exe | N/A |
| N/A | N/A | C:\Windows\System\XkMZDkV.exe | N/A |
| N/A | N/A | C:\Windows\System\suQKIer.exe | N/A |
| N/A | N/A | C:\Windows\System\fvGfULo.exe | N/A |
| N/A | N/A | C:\Windows\System\vddEqId.exe | N/A |
| N/A | N/A | C:\Windows\System\hUNslDI.exe | N/A |
| N/A | N/A | C:\Windows\System\JqMhbzQ.exe | N/A |
| N/A | N/A | C:\Windows\System\pGXkXOz.exe | N/A |
| N/A | N/A | C:\Windows\System\teaDfTX.exe | N/A |
| N/A | N/A | C:\Windows\System\pWnuemb.exe | N/A |
| N/A | N/A | C:\Windows\System\fCcAuUI.exe | N/A |
| N/A | N/A | C:\Windows\System\BpgHetA.exe | N/A |
| N/A | N/A | C:\Windows\System\YiNovJM.exe | N/A |
| N/A | N/A | C:\Windows\System\mThPXxm.exe | N/A |
| N/A | N/A | C:\Windows\System\SxXUAFz.exe | N/A |
| N/A | N/A | C:\Windows\System\sjAzCGy.exe | N/A |
| N/A | N/A | C:\Windows\System\OKIOddb.exe | N/A |
| N/A | N/A | C:\Windows\System\PgOxUlp.exe | N/A |
| N/A | N/A | C:\Windows\System\CiNnqnJ.exe | N/A |
| N/A | N/A | C:\Windows\System\igAXafq.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\mtrURiD.exe
C:\Windows\System\mtrURiD.exe
C:\Windows\System\EKqpjgy.exe
C:\Windows\System\EKqpjgy.exe
C:\Windows\System\XkMZDkV.exe
C:\Windows\System\XkMZDkV.exe
C:\Windows\System\suQKIer.exe
C:\Windows\System\suQKIer.exe
C:\Windows\System\fvGfULo.exe
C:\Windows\System\fvGfULo.exe
C:\Windows\System\vddEqId.exe
C:\Windows\System\vddEqId.exe
C:\Windows\System\hUNslDI.exe
C:\Windows\System\hUNslDI.exe
C:\Windows\System\YiNovJM.exe
C:\Windows\System\YiNovJM.exe
C:\Windows\System\JqMhbzQ.exe
C:\Windows\System\JqMhbzQ.exe
C:\Windows\System\SxXUAFz.exe
C:\Windows\System\SxXUAFz.exe
C:\Windows\System\pGXkXOz.exe
C:\Windows\System\pGXkXOz.exe
C:\Windows\System\sjAzCGy.exe
C:\Windows\System\sjAzCGy.exe
C:\Windows\System\teaDfTX.exe
C:\Windows\System\teaDfTX.exe
C:\Windows\System\OKIOddb.exe
C:\Windows\System\OKIOddb.exe
C:\Windows\System\pWnuemb.exe
C:\Windows\System\pWnuemb.exe
C:\Windows\System\PgOxUlp.exe
C:\Windows\System\PgOxUlp.exe
C:\Windows\System\fCcAuUI.exe
C:\Windows\System\fCcAuUI.exe
C:\Windows\System\CiNnqnJ.exe
C:\Windows\System\CiNnqnJ.exe
C:\Windows\System\BpgHetA.exe
C:\Windows\System\BpgHetA.exe
C:\Windows\System\igAXafq.exe
C:\Windows\System\igAXafq.exe
C:\Windows\System\mThPXxm.exe
C:\Windows\System\mThPXxm.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\system\mtrURiD.exe
| MD5 | c87b7bc74a1e6987fb6030586384667f |
| SHA1 | 9c07cffce92243211c566a82adfe55c521cab15b |
| SHA256 | 8c0ca9d5f13f37b5616d56d483f386f82f1b689dd68e751d96495a0a5a0d58e1 |
| SHA512 | f161396c5121958eb3b83d6ade932e022fcd654fd68d9bb5ed13fc299ac4e46d0cc4552637793e05882c99e75981f657b8aedf278889c51c0f510ea0a5f3529a |
C:\Windows\system\fvGfULo.exe
| MD5 | 1f7715bfe6aef91d81ca80318547c77c |
| SHA1 | b7bdfeec7d1bdf4a9c16832b7731458d488c3daf |
| SHA256 | 06193d91bd8de15011629d9dd41f892cb66a9361d963eb6f7eb5f054e8db413a |
| SHA512 | 2f48e115e145bdbb5ab99da46f764c31bdcc5f95d8dc339bfd9df8a2afd6a376e58b6b4f146d17286fbf0a94cde74eff4d7dcdbda9d51d5b240ce54afa3cf663 |
\Windows\system\pGXkXOz.exe
| MD5 | e2907721f959cbc77f20b3a69bb64644 |
| SHA1 | afd68bd7fcac1884415ec065fae090f342dbdbe0 |
| SHA256 | 5adb688c2dbb1f2665378d533b9979e2ffe8178d063e5da5dcc95a17995479e7 |
| SHA512 | 2e7044f8c1b3f23b22b5a4d903f2cdf7b95c8166af3e8cb038f7360726f25296b36322ae2d29ffcd4d045702af244c59008cb424445fc7364fcebf1a15ddde5f |
\Windows\system\JqMhbzQ.exe
| MD5 | 3034d6abd20a8bea2e1d45f9c7d00897 |
| SHA1 | 834fa9107a7fdfaebaae6db6aa4d14cdb247ad50 |
| SHA256 | d07e540f523caa138dce26eae400a89ba6b16a93f6fafa2fe5509ff422a66356 |
| SHA512 | 379d62b47e52e341c4caa6454d22944ef134e3ecc963675f33dc0712bffb6ed8ffc5908d8d518944ba432fdb1b92acdc10f55e7612048ef052ba134778aeeeb4 |
C:\Windows\system\hUNslDI.exe
| MD5 | f4e2a781063b007318fc28134d3c25ea |
| SHA1 | e82e6b7557dbe490248cb0935aa6eea2d4008400 |
| SHA256 | 443e296e04c4696fd20b8b6430afb1cc44e1a60ecfbf7c783af22de41ae3240a |
| SHA512 | 3a45969f0b62c61691dbd512a9773d6b1dda515d122d1b75f89bbde2db9c17acfdb80cec564d84079373e628452d1e0b75b526bc88e6a7d62b2350217da3744f |
C:\Windows\system\suQKIer.exe
| MD5 | 669751d7aef2506c46976cbfffe055d8 |
| SHA1 | 06a2719bdd6aa6a4e163145a0aef5ccc528a4dec |
| SHA256 | a9286a3a2f2940a64a666d0eb46e97ba571d7f5d0ee13e463d4555ce4b04919e |
| SHA512 | 6b935ff966df3a1cac8b08c98056ba0b70dec8d6bb004c758db6768754555cc20aa3d88b55d66c53c4ab7dae1ec2be249afafcc9f6128360b11ca4046f38a9f3 |
C:\Windows\system\XkMZDkV.exe
| MD5 | fab44f5c2b859254f160d5815a6ea2f1 |
| SHA1 | 6c37e36ce505d19c77f2cc34288c823a1e75ecb8 |
| SHA256 | 3c47822e381340953f6c8e6a363ff38a39c45923ae13ad8b9757ce3b0ccb66f6 |
| SHA512 | e70516d71295b11b2466e2f0a57db7702f76a4acc0dd238ce9a131ec7883bf21a37aaba68137703dea7e1327980a5e089b9904db2908e5acf4e2831cbf403de6 |
C:\Windows\system\EKqpjgy.exe
| MD5 | e8a95f578593f40006995ee532185e73 |
| SHA1 | fba1e039a5d71d4d34c3ec25d7428e272d40b1b5 |
| SHA256 | bcba9d3026f725c4c9808c962b02e65a8bc1079a828af163204cc6641f1b267e |
| SHA512 | 4bb84060862eefa95e6bf9a63170c90ef2b6df5ddb84c02a972346e82cdc4d3d1c7b4c5ffb0e8cb8d964916aff996a83a42c1245e9844d64b9475c0b29240a97 |
C:\Windows\system\vddEqId.exe
| MD5 | 635423fdce09789137ebf616bc03ff02 |
| SHA1 | f58d394aec72e21ae90219458f78399e6d317e5f |
| SHA256 | 20a1dc490efdb94188cdc95e7c3b8b29b68e19d1507fc17359d37fc49a6e07c9 |
| SHA512 | 0097648d1c064d45fca5ae3b02ad9ff6644f21c42b12e7e10f1eec78dd224e7f210282175e97d7e181bd9659dec06d17aad35016b998ba4ed657aeefeead55f2 |
\Windows\system\igAXafq.exe
| MD5 | 3800ed121c1b922740086826ae3f4ad3 |
| SHA1 | 2fb385ba832e036644a1a29616f3d1cada5436df |
| SHA256 | a7ad19f4419758a01fa6cd7c8d66d6c5de2472cc99f9a9e5b55d9dd10ad5cf8c |
| SHA512 | 8062c971e05a26501aa5ca1af72bf113b535ae06c3161815762ef7fa6fccc92ea2b31e4593cc9d5879c0d5e64e18a7314719e01abf9be9fc331e8da779f870eb |
\Windows\system\CiNnqnJ.exe
| MD5 | a312b00ae5f0f1a73e7ee65971b2cfa7 |
| SHA1 | 021c1f09290681912b154dca8217466237644820 |
| SHA256 | 65a04bd9411af73e93f8d5272de36b3b2fe0865b458e7ab0acb4f46dd97f1b04 |
| SHA512 | 43f7a0e23326eaff6096f7b662add338856d87c7bc8c7897da8ea259c689ad628ff8cdd44c4f690dfdcd109d0a4001a49e1aeb75cbb44f99e5cce811994731e4 |
C:\Windows\system\pWnuemb.exe
| MD5 | fafdfb9eb833b66acc69152e9da707e9 |
| SHA1 | 630d8ca5e3048c86bfc599c7841331efa94fc6ee |
| SHA256 | 9e16c98dc2a5f1286d39f7d1e32cdd370e01812d2a9fdd180ffd31612634b4bc |
| SHA512 | bb4e4c8d8596d89c1156dccdce0201663f6be9dbaca4cad801355547445aff4ba06fd3704d39983d2277a16b9a86ebdbb90b028273bcb991cd3cc4f7f15d1756 |
\Windows\system\PgOxUlp.exe
| MD5 | 2ce5ec117e1982f30a7cb65a1c76fc4d |
| SHA1 | 853a011cd09ce7c51a9993e36c5bd8b31f6ba061 |
| SHA256 | 872163696bdd2cda08a15c424565831240b1594e8ea18fdba8ef2c3469b110c2 |
| SHA512 | e57499666e9899af6cdb51f0d66c68cc92f60d1e18d0a628d4caad4df90cbdb81c912eddf638717a832eff88d848cd9eb86f0db8a1cc1da39c2a011913a0c587 |
\Windows\system\OKIOddb.exe
| MD5 | 6f074f31b62caff05eaebe1600faca6f |
| SHA1 | d37618d529ceb08e79eab84759c08574f191f1ff |
| SHA256 | 69304e1cd0a0f577253429408d7ca95a0354694244e6bb2b9fbab7f54450b942 |
| SHA512 | 40c3c82fc8fc3d9ad1d921cfbd245bc94d36ec3c36beebfadcf10afafff72c25dd59143e0d70feb2cee3c8ee16ead518555b9fd1671f33bae7f0c617ab4c4f9a |
\Windows\system\sjAzCGy.exe
| MD5 | 5fec9a1033eec2dde1d3fb9f978ad770 |
| SHA1 | 1f492d83e1ef5d74bc1ae3ff8d74711350b1c08a |
| SHA256 | 45d51e682340dd7b497d9b5d0ce9610af08397a1aa52d52a29fddcec36d0ce7f |
| SHA512 | 0191be4e964a36746ad95e7d7e6ea5c6e67993ab984412175c5920d7e05445b6929d81989c32cd2a7a8c4d4c7528e04f759f71c5631fe349ba37598eab9d678f |
\Windows\system\SxXUAFz.exe
| MD5 | 54122b947c6ae6c7dd7c712703a80cf7 |
| SHA1 | 6d5856ba0c3d11d45cc4bb3dc9b04dee5ee4cb88 |
| SHA256 | 5f0f113373d75b7c02e7a0ddd15942e30dbf17e63325be8f1d8469a506590e2b |
| SHA512 | d7c29cd2d8d0b4f8077a47de7ea6ff09d72dd5fe58633d0af0c6b140e0baa66387463cee53b30ec6fea9294deb1b8d333cc65717142ae3034d0283357f26e03e |
C:\Windows\system\mThPXxm.exe
| MD5 | 790de10f988f54ca7a9d12e035e3053c |
| SHA1 | 69ef1ce2ba2dd813197846142d6f188e6bc54f9e |
| SHA256 | 97accd87e20433707b318391d73651cf726df760ddef7feec1f49ddf0c61c581 |
| SHA512 | 40ab44b1870bb40b059cc3b20776fb30dd95e60c60d3973727f0235074207f35005f2f822a0dce38eaa2fc756a2da646905b45ab7cb6ff3ee217ddb89a457ee6 |
C:\Windows\system\YiNovJM.exe
| MD5 | 0e52c0ea08755d506e0347183db6a99b |
| SHA1 | a8b25c9152a4df2f405b2f877c68b20c9c72e7f0 |
| SHA256 | 4ed49782c55e9ab14cea93004e6835dede68f4e8606495804f150382c16366ce |
| SHA512 | 1a4dc37a363da70232899433dff36e6121f1eb75d22085ef155cabc0dd22d73a6738ac6b7bde84f72a726feb2aba38ebf0b990c4903639b5e32c902c594b7a34 |
C:\Windows\system\BpgHetA.exe
| MD5 | 1c19eb27e9f53e1869ad0004477cec1b |
| SHA1 | a80173c2e779b563581837cd977796ea18b2a280 |
| SHA256 | 5ca5a70a541d06dbb88c30ebc2c1da018df944a30e924f9c6dfb123c21339d96 |
| SHA512 | 58ef2f2360dbebc34a24949416bcfc9bbd5a13d97e5831374e0cc0c1a89327ae6be61b7546c1b60064e0278aec4119c05d98004616eae3a57967abd5ffed7669 |
C:\Windows\system\fCcAuUI.exe
| MD5 | f3554866ca93a06516043eaa9bb9b4f1 |
| SHA1 | 02bc0c79e2f8315126549cdacf93d396d158ffa6 |
| SHA256 | 8f9d5444dcc4eab91577157d56751bc44e907c1fe08b8892162f608ae2e1eba3 |
| SHA512 | 23655ff00be7303a67f573dd099f09df16fdb628a3858c2740476479ff561c1ab7a3338f4534a79f31fcc6941ca7776335affabb2b631fbea726a14b60726a13 |
C:\Windows\system\teaDfTX.exe
| MD5 | a7feaaf3848fcd29347f45e3e72b837e |
| SHA1 | a7a50cf14aa5e74289af81c3b457cf2dde9a55c3 |
| SHA256 | 3699a4b43ec1d711a2a167c1e4946f3cf308c9e97b4e7c5ac2098f37317ba869 |
| SHA512 | 1aba99efc3d5f7ca54fb5a42b19f0d85f8abb232061af8184d21af0ae522d583c36d835312c901eb8718b9ef9540f209eface5e4992a456672b0f46f9e5bb960 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 18:23
Reported
2024-08-06 18:26
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
158s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\JYIwbNC.exe | N/A |
| N/A | N/A | C:\Windows\System\UDxFyCZ.exe | N/A |
| N/A | N/A | C:\Windows\System\sXSiCNz.exe | N/A |
| N/A | N/A | C:\Windows\System\rSYwqYK.exe | N/A |
| N/A | N/A | C:\Windows\System\EAdnFOT.exe | N/A |
| N/A | N/A | C:\Windows\System\bXjXAcK.exe | N/A |
| N/A | N/A | C:\Windows\System\zmtWhTx.exe | N/A |
| N/A | N/A | C:\Windows\System\HEeUqwe.exe | N/A |
| N/A | N/A | C:\Windows\System\HNesAtO.exe | N/A |
| N/A | N/A | C:\Windows\System\dsYsEil.exe | N/A |
| N/A | N/A | C:\Windows\System\xBodAHQ.exe | N/A |
| N/A | N/A | C:\Windows\System\kCWUqWw.exe | N/A |
| N/A | N/A | C:\Windows\System\eczpgOA.exe | N/A |
| N/A | N/A | C:\Windows\System\wUDVcfE.exe | N/A |
| N/A | N/A | C:\Windows\System\RHcNUUu.exe | N/A |
| N/A | N/A | C:\Windows\System\aOVirIt.exe | N/A |
| N/A | N/A | C:\Windows\System\kXgJIdb.exe | N/A |
| N/A | N/A | C:\Windows\System\rQECDpN.exe | N/A |
| N/A | N/A | C:\Windows\System\JtZsobg.exe | N/A |
| N/A | N/A | C:\Windows\System\czdYmOQ.exe | N/A |
| N/A | N/A | C:\Windows\System\GibwJNQ.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_889524a4711ae31e8f9eab936c21e63a_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\JYIwbNC.exe
C:\Windows\System\JYIwbNC.exe
C:\Windows\System\UDxFyCZ.exe
C:\Windows\System\UDxFyCZ.exe
C:\Windows\System\sXSiCNz.exe
C:\Windows\System\sXSiCNz.exe
C:\Windows\System\rSYwqYK.exe
C:\Windows\System\rSYwqYK.exe
C:\Windows\System\EAdnFOT.exe
C:\Windows\System\EAdnFOT.exe
C:\Windows\System\bXjXAcK.exe
C:\Windows\System\bXjXAcK.exe
C:\Windows\System\zmtWhTx.exe
C:\Windows\System\zmtWhTx.exe
C:\Windows\System\HEeUqwe.exe
C:\Windows\System\HEeUqwe.exe
C:\Windows\System\HNesAtO.exe
C:\Windows\System\HNesAtO.exe
C:\Windows\System\dsYsEil.exe
C:\Windows\System\dsYsEil.exe
C:\Windows\System\xBodAHQ.exe
C:\Windows\System\xBodAHQ.exe
C:\Windows\System\kCWUqWw.exe
C:\Windows\System\kCWUqWw.exe
C:\Windows\System\eczpgOA.exe
C:\Windows\System\eczpgOA.exe
C:\Windows\System\wUDVcfE.exe
C:\Windows\System\wUDVcfE.exe
C:\Windows\System\RHcNUUu.exe
C:\Windows\System\RHcNUUu.exe
C:\Windows\System\aOVirIt.exe
C:\Windows\System\aOVirIt.exe
C:\Windows\System\kXgJIdb.exe
C:\Windows\System\kXgJIdb.exe
C:\Windows\System\rQECDpN.exe
C:\Windows\System\rQECDpN.exe
C:\Windows\System\JtZsobg.exe
C:\Windows\System\JtZsobg.exe
C:\Windows\System\czdYmOQ.exe
C:\Windows\System\czdYmOQ.exe
C:\Windows\System\GibwJNQ.exe
C:\Windows\System\GibwJNQ.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\JYIwbNC.exe
| MD5 | 3238f91bbdf4c6e1505921bb0d933c36 |
| SHA1 | 2ee4d5fd2ea34a60ff91e46cef87ebf223eb9fa7 |
| SHA256 | abda749655a535a0b12d87f5a30f555ea83a968985e82904629c0c750c419fa5 |
| SHA512 | 3b136c4e0825e054db4f25071e41d94795f661d14c27daa0c307e181afe3f76a050dd13d03614c74cf652194b6d24f0ae97ea9455fd09ffa491e73feda28bfaa |
C:\Windows\System\sXSiCNz.exe
| MD5 | 590d26adcc8a9a116ba7585c5b44e3e7 |
| SHA1 | 9714589b2b7de2986ab1260153b46c3b1fe79546 |
| SHA256 | bec7931aee1203e9916560313b7eb26b964010e6dbf5bdb04e6f9284d6a7c33d |
| SHA512 | 541d32bd76e67b638571d64bf2e35d242e51e72a6dff8378a248a2c8e1e3784fc0fe70469b7fbf020d70604e2fcf2fee12b9b705105be21e2a3f8bee1988082c |
C:\Windows\System\rSYwqYK.exe
| MD5 | a46c38f8698e8fdd435ade347e8a5e78 |
| SHA1 | f8302b7162999ba90b2759cfb42044bbf980eef8 |
| SHA256 | a7936580fae35c1ce76409d5ab370c8a422cc96f9563187030982a651ee9981f |
| SHA512 | 85a0ec8ee31101d86c1f43d9a4b3e0b61a65a73c2b05079e0460cec424b512203cd8bcd20effcb99bd83b95a74bff87d4392f1dd7d6b8af8f82f12a8c675f9a1 |
C:\Windows\System\EAdnFOT.exe
| MD5 | 1d44dbfd48a5f3bcaa9e4afff3785b4e |
| SHA1 | 2372cec5f791837d0c396f0a134ce49d30e12925 |
| SHA256 | 057e8401c864df9bf740727cca97dff1f18513ff8d11ec04d846ee4c2dd3c99b |
| SHA512 | 75477ec76e54bbd12206278573b9b654538e298823467c5f204a71b5a77c219360c8b2712f6128fe44ef629090067ef7768c4a7f9d5197de49d8d70b16dea297 |
C:\Windows\System\bXjXAcK.exe
| MD5 | 682146361d9646d7c3d7cf9c04ea60a5 |
| SHA1 | caaf9a4c335395fdfc4141fbb8615587ff4f2921 |
| SHA256 | 32112da82dd91172ee252c2d5985ed42e9a0a573641fbeb02b90c6f8b8ed7d70 |
| SHA512 | 09ec31edd953e30c980f3e41d0a00090394fd8b763843fb482e4765055a9b73905cca59a822138aa325c4b1b80f272c35b0bda60703649335b3348cab514dc33 |
C:\Windows\System\zmtWhTx.exe
| MD5 | 3b38ad6a8df5ae125c341921c6e5399b |
| SHA1 | 3e71541062bf3887feb35f0f0065770f7815641c |
| SHA256 | 4ad2419ddc436313d8c673ddd2aa1f1c0cca29265e5240de33285cb0c24fa062 |
| SHA512 | 44dea1e83cfd255e4562dae2b72c2b757995de52d34283ec926dd5e81a161d47d77e0ec5ad457a299fcf9543e5d1cf58584c48b2cfd2c263f43280a99f57b2cf |
C:\Windows\System\HEeUqwe.exe
| MD5 | 0b6a821cde2084526c4e71a65b39bcee |
| SHA1 | 75674f3a6b63ced62cafded1d3f28b6b60d60ac7 |
| SHA256 | 946a64d655c2089a3c2c8a4bcdcfde26f8a96729e877a1d60a1d138885e5ca80 |
| SHA512 | 48c3ae6d15f9ac47546f8cb0216fffc8e5ae34b0d0a0960725d45fa7485b22223d982d48fa1d036ad54325925eb2018fb15de4303c5757ebb1498919486bfd7b |
C:\Windows\System\UDxFyCZ.exe
| MD5 | abdc0056fd3f4cc92d08b8de401fc9f8 |
| SHA1 | ab51be67a161795a8c494ea1fca3b645de065918 |
| SHA256 | 2e406907bccfc8351cfc67cb8d93ff3dba60ad070bfac88165449b9aedd998ac |
| SHA512 | e3570eb4ed190ead0c9a3e249fd30e0a677516c4b0e45a82384061d405b570d4ce2408234eb13aabffa17acc0b410f9270cf8154332ea3609d92658710200808 |
C:\Windows\System\HNesAtO.exe
| MD5 | 17d617087d8a9f35d5f66d020df2ae62 |
| SHA1 | 421a4e65e17efbba6c5ef62885a9a1b1a6c73230 |
| SHA256 | 3ecfe0097212ebb6f1d0df97d782cf6621ec39a8bfc7d1edbf4dbcefb3320570 |
| SHA512 | 6a6452c3eb223302398ab7515cb51ba766eaca780018d14e903d815027117242a0b5f0d1770b668ec1b080abb678851ffa48ab68ddb28b5ef521efb32af255bb |
C:\Windows\System\kCWUqWw.exe
| MD5 | 9c4b7e0239a0d39abc34263fdf6c630f |
| SHA1 | 8062aa7ee2e196d3d655de65710d9fe67af02da4 |
| SHA256 | f34dece0b0ad7f4abad7bbf70982d154eaa74bdc649f49add660327904609d0b |
| SHA512 | c73dd350779bd460c262d518350866125686b794cbf9dba0adb0705789f5c6bc2eb7400ad5701028d85e053fab050d42150c349be16b045bd738daf77a8a34a0 |
C:\Windows\System\wUDVcfE.exe
| MD5 | 8b6313065757921c796a31d14de5c267 |
| SHA1 | 20f42b8b3481f4638c2594a0307de187c5dcc202 |
| SHA256 | 8802e169989d72d53f70448728426ca41f0b3e66138089a3d5f60305c801ef8c |
| SHA512 | a90e73b44fe87269f0f0d5cfbb04ed3ee4801cb085ff5be3534b2a5076ddc158b6d5fe2e47b4b840853a49e76a7f9fbb2b0c87c4af1988657170017fd6c077d8 |
C:\Windows\System\rQECDpN.exe
| MD5 | 1e63688b60517e5d0d53e691ff72ce75 |
| SHA1 | 939bea3c28f0f72cc88105adb440ccaca9961b97 |
| SHA256 | 2fab89726baccba9d74adebc903687ad52e23348e33e93d4e3bb318dd7a6a80b |
| SHA512 | 82ca1919f40559d816b8a848316ea71b639528d5752e87e231ccff0f18857d3c218908dbf39e992cbfbd2c81e40ccb8fff0d186b1a7290472db85f1163c01b0e |
C:\Windows\System\czdYmOQ.exe
| MD5 | b0d5a0f17bcc4367bb2a73496dabbf94 |
| SHA1 | 39baa5fd60643aedc90ff99b4fd105d60fbb8ace |
| SHA256 | 3ec05ccaa24c9913285b6d6f12a1a9a64c00194aa6b2bd20979f442ed244bab3 |
| SHA512 | a66ce1ef2f626452d10f21c7002be9d827bb234646f3475ec917c03021dd3331b2d561b8d62f19f4afea7d879690fed44815edbf8c08d0a976218087cb221ba0 |
C:\Windows\System\GibwJNQ.exe
| MD5 | ae5a49602256a74f8bf2c3daef2be8a3 |
| SHA1 | 07ca1e88cf0029ebb0c0751ead657132ef368d27 |
| SHA256 | 8f2a5cae062b29b9c76ad75fdca0cd4997611ec1c1dcec6a4d2b0a42183c398e |
| SHA512 | a85f2ec92d64278b079fcd473806f9fcbbf250cd086db1174ff7b0190106be0e9a5f21c959c5a7ec9896f007c8986ec5728f60b33ce389628e7a6b803653ff82 |
C:\Windows\System\JtZsobg.exe
| MD5 | 99b14b039097b43c530888a427df63f2 |
| SHA1 | dbd4cf60aea2d7a466849689241413e590a6d6ec |
| SHA256 | e4e636aabca60cced47465c4e0b0a671e0b31368bcf8fd46453dec9700156b97 |
| SHA512 | 58efcf7e99257b32491021d8b49cf74cefb9dfc389306bd20f3f30e60517cb229d4c600a9b010112a01720321290af649813c42cccf8e109d2beaf11ce2f659b |
C:\Windows\System\kXgJIdb.exe
| MD5 | 4662e9ad53de035088eccbdbd5043aa6 |
| SHA1 | d1f4c6bc0f0047e33220edf99e06b0e53c9b26ce |
| SHA256 | 20c3bd8912d177aa97c2054af7413216901266f17bdc9d2963fbdf2353a2289d |
| SHA512 | 3815bd8999777f51bc6f601a987ee72a79b4ebb7e64cade061718d8eee99e6f242f57a885402ff97193b15d78a3f01bb4c07a8f3c8099739c955ebc31fbc2d9f |
C:\Windows\System\RHcNUUu.exe
| MD5 | 0b108248eaed9c4b8df9b5d19027d276 |
| SHA1 | 5bcd7e59b27b49e061be5979e7ffa71cb02750e0 |
| SHA256 | 1eba6b8b9ed94c7ea57594c91feda0c8c09a5516c1d3fd732d9d7355bdf00ba3 |
| SHA512 | 00abfe0bc558fbcdba215cbdc0709518b52d4ec1ad7de0c07235277467866540a18c471aac75b3d4749755c8d577a5492affb6683f858b388c2245a6c8d11e35 |
C:\Windows\System\aOVirIt.exe
| MD5 | 7d5140c11983910208f16a3d394abb51 |
| SHA1 | 8d6798c2e2d7cf49112ccf23829eb138c6b5d555 |
| SHA256 | 20c117ca79dbddb0b1199b4a9b920cae2c7bff34b5a1e5c6563ddd7e0c1c26b0 |
| SHA512 | f97044c54d49ef25574b2969053d6b42ede3404a509b8a0a771b5f95a65bfdcea2ad99619154711ec726e7f24765563f8aaa2596d68a6ff2a2ad8b51cc51fbf8 |
C:\Windows\System\eczpgOA.exe
| MD5 | d961055c338356fd08c9992ef4133f15 |
| SHA1 | 7d87f60491efa64e9eb40c1a7dec4768aa40149f |
| SHA256 | bfa74e9158bb3ea152f0ab828f5c05f2182a750ce91e7a17a30617a0048a7f43 |
| SHA512 | 43f97d994231b66cef98884c0c7ccb9e8a910863e687742eda4f915421994026d9eaaf52ba8af4cac01f2bd82ce528d87b7192f42e76a58db645b4decfef2551 |
C:\Windows\System\xBodAHQ.exe
| MD5 | 2ee6318297b5e63ed9051db4f8b08547 |
| SHA1 | a54a2bf58c647c9bf1c1d27284071c761eae9f25 |
| SHA256 | 3cb3931a92f46fe2c540e58b46799bd3265ad5b959ca42b7ce2d9e3f6ba81357 |
| SHA512 | 49f7aa6eac0c62a522b579b8088627b5748c62d1bffee69016358c41fba030b030cf9cadccdda854aaffa5508deeb200ef374255d874db4a0a65c70d43aaf91d |
C:\Windows\System\dsYsEil.exe
| MD5 | 9df0228467e54fa0fc9ae366b1e6f5a0 |
| SHA1 | 670a64cedb33b546522a385e505262b12c92e77a |
| SHA256 | e8a06aed229f4288ff089824416070865c9a56782754fed122226f4eba9a9736 |
| SHA512 | d3e43e361e57c29efab90e68b9b7ad0b8f57d642219f12279a6e7acbceb62646b1db87476a683e6fc1afadd7c331e1831d6ac8f72461d98bb369fda2a202571c |