Analysis Overview
SHA256
decc8358c64788a64472e275f44a37e54535c98243f884874bcd39ca549ef70b
Threat Level: Known bad
The file 2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobalt Strike reflective loader
Cobaltstrike
Xmrig family
XMRig Miner payload
Cobaltstrike family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-07 21:45
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-07 21:45
Reported
2024-08-07 21:47
Platform
win7-20240704-en
Max time kernel
140s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\yhzgaOi.exe | N/A |
| N/A | N/A | C:\Windows\System\HKOmGoh.exe | N/A |
| N/A | N/A | C:\Windows\System\kKroCcR.exe | N/A |
| N/A | N/A | C:\Windows\System\nBqYGDS.exe | N/A |
| N/A | N/A | C:\Windows\System\dVXhRZm.exe | N/A |
| N/A | N/A | C:\Windows\System\tuqgRID.exe | N/A |
| N/A | N/A | C:\Windows\System\ComPUQW.exe | N/A |
| N/A | N/A | C:\Windows\System\IgFBgHN.exe | N/A |
| N/A | N/A | C:\Windows\System\wzSoKjQ.exe | N/A |
| N/A | N/A | C:\Windows\System\JtaVFwB.exe | N/A |
| N/A | N/A | C:\Windows\System\ZixQKWd.exe | N/A |
| N/A | N/A | C:\Windows\System\KOQclam.exe | N/A |
| N/A | N/A | C:\Windows\System\OGFfQtG.exe | N/A |
| N/A | N/A | C:\Windows\System\zZMMEXY.exe | N/A |
| N/A | N/A | C:\Windows\System\emQmQqZ.exe | N/A |
| N/A | N/A | C:\Windows\System\AorWIyd.exe | N/A |
| N/A | N/A | C:\Windows\System\AOlmqjg.exe | N/A |
| N/A | N/A | C:\Windows\System\EwPTZJd.exe | N/A |
| N/A | N/A | C:\Windows\System\AgmDPyE.exe | N/A |
| N/A | N/A | C:\Windows\System\mlglSqp.exe | N/A |
| N/A | N/A | C:\Windows\System\rUvYPBg.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\yhzgaOi.exe
C:\Windows\System\yhzgaOi.exe
C:\Windows\System\HKOmGoh.exe
C:\Windows\System\HKOmGoh.exe
C:\Windows\System\kKroCcR.exe
C:\Windows\System\kKroCcR.exe
C:\Windows\System\nBqYGDS.exe
C:\Windows\System\nBqYGDS.exe
C:\Windows\System\dVXhRZm.exe
C:\Windows\System\dVXhRZm.exe
C:\Windows\System\tuqgRID.exe
C:\Windows\System\tuqgRID.exe
C:\Windows\System\IgFBgHN.exe
C:\Windows\System\IgFBgHN.exe
C:\Windows\System\ComPUQW.exe
C:\Windows\System\ComPUQW.exe
C:\Windows\System\wzSoKjQ.exe
C:\Windows\System\wzSoKjQ.exe
C:\Windows\System\JtaVFwB.exe
C:\Windows\System\JtaVFwB.exe
C:\Windows\System\ZixQKWd.exe
C:\Windows\System\ZixQKWd.exe
C:\Windows\System\KOQclam.exe
C:\Windows\System\KOQclam.exe
C:\Windows\System\OGFfQtG.exe
C:\Windows\System\OGFfQtG.exe
C:\Windows\System\zZMMEXY.exe
C:\Windows\System\zZMMEXY.exe
C:\Windows\System\emQmQqZ.exe
C:\Windows\System\emQmQqZ.exe
C:\Windows\System\AorWIyd.exe
C:\Windows\System\AorWIyd.exe
C:\Windows\System\AOlmqjg.exe
C:\Windows\System\AOlmqjg.exe
C:\Windows\System\EwPTZJd.exe
C:\Windows\System\EwPTZJd.exe
C:\Windows\System\AgmDPyE.exe
C:\Windows\System\AgmDPyE.exe
C:\Windows\System\mlglSqp.exe
C:\Windows\System\mlglSqp.exe
C:\Windows\System\rUvYPBg.exe
C:\Windows\System\rUvYPBg.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1968-0-0x00000000002F0000-0x0000000000300000-memory.dmp
memory/1968-2-0x000000013F690000-0x000000013F9E4000-memory.dmp
\Windows\system\yhzgaOi.exe
| MD5 | 0aa373119ccce4b916891a7ed6f4a83b |
| SHA1 | 9395f2063a91c62a8972267475d11494bb42af7b |
| SHA256 | 19edc396b1f9f0d557fd3c73f01bfda681c67d70912360a31ef9fe8ba495ce4b |
| SHA512 | 91b8df4265ffa0aaab65da07a59c4fcc4c083f777e4ffbdc4b5fc822e407f6b636f5b8deb0e6f311525de20177db58e9f8e72d285cd721bfc9a06c2dbd75fa7a |
memory/2336-9-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/1968-8-0x00000000024F0000-0x0000000002844000-memory.dmp
\Windows\system\HKOmGoh.exe
| MD5 | e120f7fc797b572ac05b65beb91a8eee |
| SHA1 | bf064cd9b15ba96e2282ed37fa37711d092e60cd |
| SHA256 | b09f0b6456b65a4e057ac584ed46e37f542b618fb1549e60a67893b329a76fcf |
| SHA512 | ecd662210a4853933c1f9dbca9b8e5300867d5bbc53ef0df8643ddaeba7345dfa295b1637bdd67e927bf4203e6c0160b611baefb465632d9fbdc676405fb2fd5 |
memory/2856-15-0x000000013F5F0000-0x000000013F944000-memory.dmp
\Windows\system\kKroCcR.exe
| MD5 | a8885b02d5e6e4dae7a551c82143b23d |
| SHA1 | a125d9dfe7d8e6cac0d44df423a6222e5708156c |
| SHA256 | d76e0e9eb729b161649011b4e826fabf0e1f0f196c28f3b713c1c363027acbc0 |
| SHA512 | 2346dd1ee96831d88bf6229f4b8e14c9eaa266c7a6b4aac321c44ef085c2acf6997fac28e30a999a0c215d1f6b629bcfb3913867bacdf535b2da4762de61f9a4 |
memory/2828-21-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/1968-19-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/1968-14-0x00000000024F0000-0x0000000002844000-memory.dmp
C:\Windows\system\nBqYGDS.exe
| MD5 | 051302c668914aa3f15c1d978d43ed65 |
| SHA1 | c40f648d8cb6949f5189b260ee7c036e8aeb86a4 |
| SHA256 | 150eec9d4fbc66f0bb60cd701fd7cd39f6a45b1e875eaa1f98240609fe998e66 |
| SHA512 | 2ecb5d0a7a515cff34dc2d4363d4ee874bc1197b1b72a4243641a2ea7a69611940c55f2c78df34580facd16e4f1baba7cbe4d55ea868fe7a6379c03eaaba81a3 |
\Windows\system\dVXhRZm.exe
| MD5 | a3f5598cc93915039491debf90db1288 |
| SHA1 | 1bb897227e85bfdcc2840afb3727837ed79a0f27 |
| SHA256 | 327d77f35e11af1feb62c47d238fd38643dbd6ea8010f3087ad28b5ae17c446b |
| SHA512 | 1e20ed6c567c89ea2d5de438fa8495835628b98c6f0ab8b7b2c14972443e65ddea6f2befc7a5ff77047b1dff7b3f945a91b80f2fad71ff10c7c0694f85d24d86 |
\Windows\system\ComPUQW.exe
| MD5 | 1e44f80331940770c1a2d52746152a2f |
| SHA1 | ab9246f64109038b713030b306821e09e7a3c9aa |
| SHA256 | 547be7de27a350676927518b9fc57dbe361dacccaeffdd0157468a4996ff5d7d |
| SHA512 | 3bc4d88a852048dff59f32d6b9fce517a6afa508c0c9c4ce6742cc276efba87ce9cc46e7af812a55439f05c7ce9fa705de077a1701934da58747ca8c0df8cee0 |
\Windows\system\wzSoKjQ.exe
| MD5 | 4da21f18ffef5ecbc0f8eda6612ff0f6 |
| SHA1 | 901ca3a1d0b9e9d1048343e2e3b4a9b9ec939bef |
| SHA256 | 26f9f4046f9bea7616b7f162c123081a1f24f0e4bc55150638a40331bca48fb4 |
| SHA512 | fd1d88e83113518b184293728569b1541a6f97909d33d09f0e64a97b8ee4a1b56c32f297dedbb2a2ab38ecc9344caf1ce3e1c176840ff5a6be897b5cee628737 |
C:\Windows\system\tuqgRID.exe
| MD5 | e283f2a1e5df5796d6ae93b966a36131 |
| SHA1 | 0e95119d85665ab0b9e580440090722a4351a204 |
| SHA256 | 0e0652e9fb2cc4ee7923a52b40db8b17be82b3137f6ffca4b98656a0c6871bf8 |
| SHA512 | b126f846fb225aec18f5bdefd2b69db37ff6b64db425c046db4cfa1dc866f44b17fa37cc4bec64ba9ac2465d3014a00693701959269e5a3dd43c1891c5f6984d |
memory/1968-39-0x00000000024F0000-0x0000000002844000-memory.dmp
\Windows\system\IgFBgHN.exe
| MD5 | 3a9b1cbf632491b4838ebd948ef6030d |
| SHA1 | f2251efbbf01e31858776840057036a8e73e3c50 |
| SHA256 | 84364ace2169489d16ad61f3199d8de8330167cf4d425e666feb5190104429ae |
| SHA512 | 1fbfb84cd1db25a8ff8a70e752f4fd87cceafcf6a73f282c67af653dcf68a7698bc4013edff4c3432413b50d0d14cbd28cf229431e71456e362db9d3fa0e2623 |
memory/2684-63-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2664-61-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/1968-59-0x00000000024F0000-0x0000000002844000-memory.dmp
memory/2620-58-0x000000013F500000-0x000000013F854000-memory.dmp
memory/1968-57-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2748-56-0x000000013F510000-0x000000013F864000-memory.dmp
memory/1968-53-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2948-51-0x000000013F0B0000-0x000000013F404000-memory.dmp
C:\Windows\system\JtaVFwB.exe
| MD5 | 3a351170d21d580db1652854869d5d2a |
| SHA1 | 414392b1c184f0568c8e00271527fca39840f79d |
| SHA256 | d41c5d7f535565cf3989a66abb73c85b3e3239181b3e40be7e0bec4a738965ea |
| SHA512 | 57bcd1fe63d69627a01e919e4562a70323c9f9d8f1d711253d8111b05ad4d7a710dbb6048f1d4c297b38596b4dd29b01b4fba50e8f144c3dda4f69e0886f21ee |
memory/1548-70-0x000000013FAD0000-0x000000013FE24000-memory.dmp
C:\Windows\system\KOQclam.exe
| MD5 | b21698a37650f94aeb97a2a150404ea7 |
| SHA1 | 192d778e85bef8628816dfc2d1bbc01b46d122b5 |
| SHA256 | c074e68c313b868c9879369d9bcc503d74e62a4e8144d6c946aacb645447ad7c |
| SHA512 | 99e2b2a645b3553497af2606cf5b0faacd24a39ede398bab2742742d6925295906ce325f09eb2f5f77e6c07031ac736d97d0ea79cd67a28850e7501254778510 |
memory/1680-76-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/1968-75-0x000000013F690000-0x000000013F9E4000-memory.dmp
C:\Windows\system\zZMMEXY.exe
| MD5 | c414c952c522fa09bbb56d1542cb34f1 |
| SHA1 | 022fbcdbdeec7af0abde031b2898394510816951 |
| SHA256 | 84000cff2315b39a1ee58022b174970b0b9fea92b36ba5e43cf1fce93b763826 |
| SHA512 | 0181d2fd92bfcfe6291dfe30d21742bf16ab4b0241883cccf27a9c15ed846dd5595dc9f2a3663a424e59243158518180d65364dd7bc96d77c97cf6aa8dcf25c3 |
memory/2712-98-0x000000013F8E0000-0x000000013FC34000-memory.dmp
C:\Windows\system\AorWIyd.exe
| MD5 | d0e243f39e8d35e60858bf1cd36167aa |
| SHA1 | bd526e10ed9c7a99a336d6e9270555ae3a835500 |
| SHA256 | be274a1ad7d9cad500ff919019c316cf67d08ba89b54c2f093385527525405bd |
| SHA512 | 490428dc0a3af8f9c634627a3d7c0b3e48ec8cf2f7bc22a5ce92a221b7f902e07ba6c6183e626ea50f2be2a26775ddfde11e7b31dad294a5148a21ee7e4b2bc3 |
C:\Windows\system\EwPTZJd.exe
| MD5 | 1cb7602a81d5028e10841e2e41a539eb |
| SHA1 | 12afc2168e4d786e371a0a37049d18770a095517 |
| SHA256 | 28c0a480b4e6bde851f97c7969637b8ea7c878d4caf090e98ce712e9d5a1bf9c |
| SHA512 | 467a2115d6cd52b8509ea65271338d6240de1cd0ca065355cbb63233841cf050fade1d7770bbd6923f2f1a57f18e7b31377a901bcce7f95c9dd423187543a9ac |
\Windows\system\rUvYPBg.exe
| MD5 | f7a4fbabb745a689b5710adf51a410de |
| SHA1 | 26bcfe9f06bda3a4fd1d7c715c41b0d1e483f6ed |
| SHA256 | 32687f150b6740674e49dbcad46ab481dc723cad3ab7cd8bc9fa7068c909c93c |
| SHA512 | 8c811325b9df0b0baadd42ea18a095a3b2148eb62df848735b47c2394e39a5c7036eda300d8091684aa1dc57d35b083a36e89561992ee1f35225993dffc604b4 |
C:\Windows\system\mlglSqp.exe
| MD5 | e656576e0b228b56a9105046f438c09a |
| SHA1 | 3fead55752fabc2dfb0e97a11521c4b80b010be6 |
| SHA256 | 3d14cb0a8777f2c2a0e801778e7058a66fb4163832f84575093056ee3df78e0e |
| SHA512 | ce8c62df7631f5ec453ae04c461a1f193fe9953d77b0755ecd1310b957553a69c6e187ac44fd55f1c7b794d16bf2996c2cb5bf7976a7649a417bd0af881522d5 |
C:\Windows\system\AgmDPyE.exe
| MD5 | 84842f9389169fd4866bad1c2cf50c86 |
| SHA1 | d7c16ce0044fcab943b9731650f8cb327164a56f |
| SHA256 | 23ae6f75a6d5a2920c7536909b5c7f3e23e69c182105ed18450db6192c558128 |
| SHA512 | 4dcfa71d7a5e39d7281692f22778954c05edba6db63494c6f9015e742c0ff3620210c4e485a142074b3310338a138eb22a7be1df503915c9abba11990fb0b41e |
C:\Windows\system\AOlmqjg.exe
| MD5 | d97464085234b0e762d2580c64fb5aeb |
| SHA1 | ad07174aaee3e018bdc5d626d78cfb69ee040824 |
| SHA256 | bb29a13e301f9dac03b9de8198173fe07933455e936c9da91b0d4438400c9a4d |
| SHA512 | 24444af1e9e5d56db6f8f2b8ce29b688ce014588c2a7bd2123d5602d943e2d11ca7cfe7410e8a048372117c28319e18cfc2f3cf893968eeba2fd10118520b942 |
C:\Windows\system\emQmQqZ.exe
| MD5 | 2a10967b33c3b5ea745c65425ec80190 |
| SHA1 | 32f2b7e1be5d81072bbb1ca7c96ddf0ad0799d81 |
| SHA256 | f1167ea98334598e3a86263139e57a8e84d022ef3b2820e64b7db688c0ab3be0 |
| SHA512 | d831845c259970f5277e7db2cdbfcddc916a2192113fef04d1ab61eb024bd6dca7409ddf5b780d21dbb21f89c1fb29f237c527ef6a4c405f06ca787cdc3105f3 |
memory/1968-105-0x00000000024F0000-0x0000000002844000-memory.dmp
memory/1968-104-0x00000000024F0000-0x0000000002844000-memory.dmp
memory/2828-103-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2524-91-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/1968-90-0x00000000024F0000-0x0000000002844000-memory.dmp
memory/2856-89-0x000000013F5F0000-0x000000013F944000-memory.dmp
C:\Windows\system\OGFfQtG.exe
| MD5 | 6cce76f5394f80a27e4252c4a7471158 |
| SHA1 | 45504410c2b146c90c954391f02390d660a43405 |
| SHA256 | b109292d4fb6c830f3fa258c97bbdfc05ef4ddbcd148d03f58a8838a484147d9 |
| SHA512 | 1f5082453258d9bd784e0c4b6eec6546f559833cd2c89ab908e641e6c290a2df0b9fd8690af9e5024c6e25f04b952a10260f8eb882da4062b4828670a16a81bd |
memory/1968-97-0x00000000024F0000-0x0000000002844000-memory.dmp
memory/2052-84-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/1968-83-0x00000000024F0000-0x0000000002844000-memory.dmp
C:\Windows\system\ZixQKWd.exe
| MD5 | 061552de92b426ac2876d23dc7e0b609 |
| SHA1 | 84a270d9fce1546ba19e28343094bba533fe83e6 |
| SHA256 | 52b80da22e451114d8e43d8a7efe6c5058e3f80e0e0e0bdf2f00d5163e0fc7b9 |
| SHA512 | 627c3f84c7f5b83a11a2c5a4c47229160fa12e6168588928439dfe3b1044f3c75ec27b8f3ee3e0b81f1ca695f6c3fcf95b16bdec9ca75ce054885e3889de0e0c |
memory/1968-69-0x000000013FAD0000-0x000000013FE24000-memory.dmp
memory/2984-35-0x000000013F940000-0x000000013FC94000-memory.dmp
memory/2684-137-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/1680-138-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/1968-139-0x00000000024F0000-0x0000000002844000-memory.dmp
memory/2524-140-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2336-141-0x000000013F550000-0x000000013F8A4000-memory.dmp
memory/2856-142-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/2984-143-0x000000013F940000-0x000000013FC94000-memory.dmp
memory/2828-144-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2948-145-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/2748-146-0x000000013F510000-0x000000013F864000-memory.dmp
memory/2620-147-0x000000013F500000-0x000000013F854000-memory.dmp
memory/2664-148-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2684-149-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/1548-150-0x000000013FAD0000-0x000000013FE24000-memory.dmp
memory/1680-151-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/2052-152-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/2712-153-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/2524-154-0x000000013F690000-0x000000013F9E4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-07 21:45
Reported
2024-08-07 21:47
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\BRbMtpb.exe | N/A |
| N/A | N/A | C:\Windows\System\ctIuIXW.exe | N/A |
| N/A | N/A | C:\Windows\System\TCSTLmd.exe | N/A |
| N/A | N/A | C:\Windows\System\NJTjTfM.exe | N/A |
| N/A | N/A | C:\Windows\System\twUcmzh.exe | N/A |
| N/A | N/A | C:\Windows\System\vDVUfpP.exe | N/A |
| N/A | N/A | C:\Windows\System\SRDdYxX.exe | N/A |
| N/A | N/A | C:\Windows\System\VvXLRaz.exe | N/A |
| N/A | N/A | C:\Windows\System\ybKDqBK.exe | N/A |
| N/A | N/A | C:\Windows\System\VUrdOAe.exe | N/A |
| N/A | N/A | C:\Windows\System\vudpxRY.exe | N/A |
| N/A | N/A | C:\Windows\System\KpLSRAd.exe | N/A |
| N/A | N/A | C:\Windows\System\UPVqkzA.exe | N/A |
| N/A | N/A | C:\Windows\System\beRqKCv.exe | N/A |
| N/A | N/A | C:\Windows\System\dLtkLxJ.exe | N/A |
| N/A | N/A | C:\Windows\System\JUfaPZf.exe | N/A |
| N/A | N/A | C:\Windows\System\QOrdMNL.exe | N/A |
| N/A | N/A | C:\Windows\System\JtuahZi.exe | N/A |
| N/A | N/A | C:\Windows\System\lOmQOQV.exe | N/A |
| N/A | N/A | C:\Windows\System\BVOPPmu.exe | N/A |
| N/A | N/A | C:\Windows\System\CODvXEw.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_b03db4a7953dcae769c5f18c8bd22fa5_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\BRbMtpb.exe
C:\Windows\System\BRbMtpb.exe
C:\Windows\System\ctIuIXW.exe
C:\Windows\System\ctIuIXW.exe
C:\Windows\System\TCSTLmd.exe
C:\Windows\System\TCSTLmd.exe
C:\Windows\System\NJTjTfM.exe
C:\Windows\System\NJTjTfM.exe
C:\Windows\System\twUcmzh.exe
C:\Windows\System\twUcmzh.exe
C:\Windows\System\vDVUfpP.exe
C:\Windows\System\vDVUfpP.exe
C:\Windows\System\SRDdYxX.exe
C:\Windows\System\SRDdYxX.exe
C:\Windows\System\VvXLRaz.exe
C:\Windows\System\VvXLRaz.exe
C:\Windows\System\ybKDqBK.exe
C:\Windows\System\ybKDqBK.exe
C:\Windows\System\VUrdOAe.exe
C:\Windows\System\VUrdOAe.exe
C:\Windows\System\vudpxRY.exe
C:\Windows\System\vudpxRY.exe
C:\Windows\System\KpLSRAd.exe
C:\Windows\System\KpLSRAd.exe
C:\Windows\System\UPVqkzA.exe
C:\Windows\System\UPVqkzA.exe
C:\Windows\System\beRqKCv.exe
C:\Windows\System\beRqKCv.exe
C:\Windows\System\dLtkLxJ.exe
C:\Windows\System\dLtkLxJ.exe
C:\Windows\System\JUfaPZf.exe
C:\Windows\System\JUfaPZf.exe
C:\Windows\System\QOrdMNL.exe
C:\Windows\System\QOrdMNL.exe
C:\Windows\System\JtuahZi.exe
C:\Windows\System\JtuahZi.exe
C:\Windows\System\lOmQOQV.exe
C:\Windows\System\lOmQOQV.exe
C:\Windows\System\BVOPPmu.exe
C:\Windows\System\BVOPPmu.exe
C:\Windows\System\CODvXEw.exe
C:\Windows\System\CODvXEw.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4316-0-0x00007FF6AC6D0000-0x00007FF6ACA24000-memory.dmp
memory/4316-1-0x00000190C3270000-0x00000190C3280000-memory.dmp
C:\Windows\System\BRbMtpb.exe
| MD5 | 980919e13763f9dcee616641f5890b48 |
| SHA1 | 90619b5e41bb82c411c53cf56db4983e534c3c51 |
| SHA256 | f6c8adfa9678efc19dbb8cec1bc703fa069d9f842e62f19ac338fbf936248f18 |
| SHA512 | 2a819d80dee22171de26cc1957bfc61c53e700da5ab2e4bc2c4cad706ad6f460bf354f2a362e00ebae609b14dc0bc2150b41108a27f3ad569e63241001f1cc84 |
C:\Windows\System\TCSTLmd.exe
| MD5 | e3de828cde67b392f7b4f4c28c0aa158 |
| SHA1 | b231987e1aedfdce6c83243d3c8c757be49b5d63 |
| SHA256 | 4360338fe0b04b4c758e9aa042b209a76c3ef04a4cbd361170f684d9cadadc8c |
| SHA512 | 41ab668d6676baec71d2643b9122e5a17895e5c5e9cd3d23637ec303fd1ca7efd775f49c789d6c00446f1cd71f3de4458d5e792d1fe2ce893121a47fb6fc3a48 |
C:\Windows\System\ctIuIXW.exe
| MD5 | bb323f6136598092379ede7e3bb003fe |
| SHA1 | 732247886199768c7a651b0d481bb72da0550455 |
| SHA256 | d5428d4b0ea6906015e196639c418e025476de9aba18c6c73d7d8b69607cbdc2 |
| SHA512 | fe71981d55ff17000c0a13b62a3ef8322085428a4bb7a3de4b47afa631ad3ef3d7298e57bb2af089bd25d0bf0fe334ab5b4738daf864d44013bd5d55fa6eb54d |
memory/3556-14-0x00007FF6A1640000-0x00007FF6A1994000-memory.dmp
memory/4480-7-0x00007FF621B00000-0x00007FF621E54000-memory.dmp
C:\Windows\System\NJTjTfM.exe
| MD5 | 1e5f8efe306cd1d68af79a4178b1904f |
| SHA1 | 600afadfefdb6f3445d56b84390d410b2a9b5c63 |
| SHA256 | 0b0555d08a44e6e44e7a59c9608ac86d527b7f5f430b53e8cb923319bc259b1b |
| SHA512 | f1ab6ffe8eb650fd6b9f133f35032c73858fbfe24f554e36f14dd5b8b56f55792faf1667b22982d4832d13e55a474802269eeebce4a859f5b08a773c6e54bbf8 |
C:\Windows\System\twUcmzh.exe
| MD5 | ca5dbe170a4cbaeebee92ed400fea303 |
| SHA1 | e0092655494034651d7b6fa83ea5c069005fe8a3 |
| SHA256 | f9841547d38f097d72265e86e058fe543d727e234fc4d9f45d09576ef8925846 |
| SHA512 | cf2545ef155d3201d19bbd60e8b4ee802bd45ecaf104834b3f4067290aa144a03f2c9779cd12e382aded537fddf8e86b41de18fa48d9d4f1d158ee4492fccf3d |
C:\Windows\System\SRDdYxX.exe
| MD5 | 10617398f466a13f8a93497831187bca |
| SHA1 | 7b7161889b58e641013fee15257b1fd3d93a48ed |
| SHA256 | cd09df08ae97b7b372050ca94d16ace3d5566bc7e0516863212f9f1483f16cd0 |
| SHA512 | c4a2348b76bb90bc8a5fdcbe34b61e4000de6cb11743fbe66c8b330c4301a9017ac946d8323dd1e67935167496906552ef412ff3490c14999b2c41ff0b8c7e00 |
memory/532-45-0x00007FF6D8DE0000-0x00007FF6D9134000-memory.dmp
memory/2528-51-0x00007FF681620000-0x00007FF681974000-memory.dmp
C:\Windows\System\ybKDqBK.exe
| MD5 | 12897976e05824993ee1eb8964775d2c |
| SHA1 | f84eed657db6accb8f78720443180dc9a536ddf4 |
| SHA256 | d523118da644538c169dd82c754c8410230ea33b14d5728f9c7ec214f0c2c491 |
| SHA512 | 0eab1812e3590d79856138958f38e6eef02b5e192bb92a217ceec1a2bb0c34ce818aab5e8f8e2a106f7d51d670b050092e7f249c386e179e4fcc834f980ef1fe |
C:\Windows\System\UPVqkzA.exe
| MD5 | 7f50a7d9db680d379ad0245d8828e575 |
| SHA1 | 4e4ab4db24a24c08577c942898846e67f126ac94 |
| SHA256 | 111da80b07a80b24aea42c528ebfd96ba544a7d2872aa7b04df6df055f0c96df |
| SHA512 | 6c22dada0f62fd54571392df1d1ef3e17443c5444ffa310200f57cc7e32a0143a87a29222a9ef8da6e732bc7d08a1c4016f09112868a510fcc7a3042cc9ff9b4 |
C:\Windows\System\beRqKCv.exe
| MD5 | 0a6e542b6fede74a754d0df98e5c13fd |
| SHA1 | b33c000ad439cb492900099da02e551214c68ca2 |
| SHA256 | 073e581be93afd71524c1ff7c5373ed0215a19be7bb10797a73719f5aa9e8632 |
| SHA512 | 5182ccc5608aa7333fb053cb8fc5e7861d7d8159e2017f716a5c90cc87c6309aaa7856e52b3145f4776164514a89bcdb024cd52ee339570780c9503724640ceb |
C:\Windows\System\CODvXEw.exe
| MD5 | d8a521f3ee3a2b7ca386fcf2ea8e1a26 |
| SHA1 | b594cfec628c242adcdf61b61186507d6c0f550e |
| SHA256 | 3320aee8de359197a15e71fe3bde63ea0e0b61650777d97f412dec3ad3878e41 |
| SHA512 | 7d6d4144a8afcebc357ca619e91fb8d840f5bfaa6b17d535dc8e764b0c117628aedfe93074bb6776b8cd515b8026bcae1864f50dee6db6a1355fa1323332e462 |
C:\Windows\System\BVOPPmu.exe
| MD5 | 218b9bff4b73bb87e15bca449744f753 |
| SHA1 | 02a62c31192c5c4b6fb910d5013b6f0dd2c0aedf |
| SHA256 | 7ac60d8210fe3ff49891c968141a0b99dc09b50107af84688bd3abfc69654598 |
| SHA512 | fd89e238bd1914072441a0934d3ceabfe260f24e28287e177a95b4a4544c68b1b6bb3cf3abbb6066647a91ef03886dbb8d1668072f78daaddb9c5070263afd56 |
C:\Windows\System\lOmQOQV.exe
| MD5 | c3c3c06472fbe280e231f2cc23260c28 |
| SHA1 | c2d42e319ee6a6cb567d901c541711e7f29e51c6 |
| SHA256 | 42737c7ff0e425f30603c1f24029b81d96b29094b6159c62a3db67211de45f76 |
| SHA512 | 2db385a78d7f3cf2662b3d2823d975035c7a5b84db5e13784a4325bfa0f5ec07e8964422eb488e63b8b6d970ea934a04fa3ba9d5bd053bdaf59c87b07bb470c0 |
C:\Windows\System\JtuahZi.exe
| MD5 | 0a101facd8a234e9ad79490fc87b39ae |
| SHA1 | 42b883befc3263cc0b304dd590dbdca94cc788e0 |
| SHA256 | 1f77ef9042a064be6e4468cfd26ec0b5ef512c838fe5292c4f4c319bd4d2749e |
| SHA512 | 941c11912a07ee2eb19b74b39d66e49ff0cfb7ed24de8d6041840082c9fb15e529767a2404d73b49e785e2bdb292631b9ad52e6dab3df3c3f792544dc9c5b127 |
C:\Windows\System\QOrdMNL.exe
| MD5 | bc0146e09ce9c5d841667bfea058c23e |
| SHA1 | 98cf4e1ba734a8a9ffc859fc06235e18e090ad74 |
| SHA256 | 261301dbab13a05b4f3c86ccd9b674f0b27cda7920d693fbf9e74882c109b3f5 |
| SHA512 | dc87c34f8feb5a275f201a2af23d29a1f85be9997152ab3c260ffda3daf8d67c6c0ccf04111452cdabe426ac537a2058ab1d694a96405f7dbb6840a60b6d6716 |
C:\Windows\System\JUfaPZf.exe
| MD5 | ef04b24d7ee7aa05c047dad30d32d27a |
| SHA1 | fc79c820317e183f3c17edf4f56256281726832e |
| SHA256 | 71e1137a26ef392756856966f63b6a94c82307103f1afd032c0ce506c202fa69 |
| SHA512 | 6a7f3c8ca0f9b6d13ce6800651d689dd4565ec55a9c42d2e2b403b4b79f900824f590639d3a98893d495fa8b68d977e4074596ed1d2e4317772e8250500dbe7c |
C:\Windows\System\dLtkLxJ.exe
| MD5 | ff9cbd74538db081d4a2359673229436 |
| SHA1 | 6a4b1238e5f3b6ee48bde281b7696b649b57c86f |
| SHA256 | 4b95c6d50c95d4272014a7134702532bceaba7e44a7125bb17ec0668606d9bf8 |
| SHA512 | b4cd7631f1aff3f92ef3569037a7f536448d7a3368eb3c8c118f63ee0cfa5f74a1923c2d86484796a5066ac87453dcecb9662ef0136f50c2afbcd5f4aa10a6ce |
C:\Windows\System\KpLSRAd.exe
| MD5 | f7432bd74578be8c82b01f13eb03e170 |
| SHA1 | c9d5ab8f9787758b5f39f1a835bf10609c278748 |
| SHA256 | 623c12ace32fdcaffb60fb8c66923f5773486aefd4cd56f1fa525917fb88094a |
| SHA512 | ba78430b8cd25717a6f50adef1f0b791624ddf75309fa939e47bef81ee7419b24ede2a243e4eadd4e14821ba4e9640166c9622feb68b0f141ac587432d8811c6 |
C:\Windows\System\vudpxRY.exe
| MD5 | 3b7d76ddb62aa8d8a49f3d084882f476 |
| SHA1 | 258924918bb0aa67a82c4bcc2a6eff8a42b955fb |
| SHA256 | 406f95663cf2be58b7015acfe49d9cb6ebba96aaf2b0f08d326b57de7be0961f |
| SHA512 | db87b1c1b7308a422b2321459314492b47c4fc2be82bdcbd04f9a3d726586df07d12d24331db5a6e0163ff7bd307c158f0e231286ac9c464310f0e56f7471f0e |
C:\Windows\System\VUrdOAe.exe
| MD5 | 9c8f82f4c5a78a348c19599782c8f890 |
| SHA1 | 510fdbaedb8100bd5bdace2e80dd3d3b5c0a2989 |
| SHA256 | 8bc061ee083cc4c1c359af3b6e14a7997521cbce2f6bfca420ca0fa40bbd0710 |
| SHA512 | a6074ca833816646f5a57e61c4324e2bd1125f61888d750c52f0f893a5734a8b2ae0fcc353f5b2d3995e3b6e6c0741e14e6a935f20d282a0ce7cd27a4640b2d1 |
C:\Windows\System\VvXLRaz.exe
| MD5 | d41ff38f900f835773e7d99171e4e40e |
| SHA1 | 050cdb5d0a2f989297df039361991c417692b42b |
| SHA256 | 7afb291b1be9229ebba17edda084d994caff079d720839d6f9bdf370d75d7f2e |
| SHA512 | 3f97710adf99132f815bc862bbcf56d8d579f6ae596e907a7e2d24eb3b306e87eb3235f5c86482df36a2a789d5c8d3cd4524bc141dcfc2d8de8c9fdc7ded902d |
C:\Windows\System\vDVUfpP.exe
| MD5 | 56ced10a8062dbfc1b8c172aa602903b |
| SHA1 | bad63674a679f06b4dd3ae142cd9bfc12ab73ebf |
| SHA256 | aa9d5e1ce6667c09c011f10cf53a56c9c08c6688b874edda2809fc90f26abb9f |
| SHA512 | eeee4713fb35d434cabae2071ecc4859f10776c398927090e5ac7a4c03c5985e6462d42836e3a7115131c7e85d863512c8edd902fe8b37d2e80d50c651d5394f |