Analysis Overview
SHA256
96248c94d0380804b4ee560efe3ddee2de8111906618cf15ea58ee0bea9edaf5
Threat Level: Known bad
The file 2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Xmrig family
Cobaltstrike family
Cobalt Strike reflective loader
xmrig
Cobaltstrike
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-07 21:48
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
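Two of the static signatures above, "UPX packed file" and "Unsigned PE", can be reproduced from the PE headers alone: UPX leaves sections named UPX0/UPX1 (the first one empty on disk, large in memory), and a PE with no embedded Authenticode signature has an all-zero Security data directory (entry 4). The parser below is an added example, not part of this report and not Triage's detection code. It uses only struct and runs on a minimal PE that build_fake_pe() constructs for the demo, since the analysed sample's bytes are not on this page.

```python
import struct

UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b"UPX!"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # Authenticode signature table


def parse_pe(data: bytes) -> dict:
    """Parse just enough of a PE image to answer the two signature questions."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:            # PE32: data directories start at optional header +96
        dd_off = opt + 96
    elif magic == 0x20B:          # PE32+: data directories start at +112
        dd_off = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, dd_off - 4)[0]   # NumberOfRvaAndSizes
    sec_rva = sec_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_rva, sec_size = struct.unpack_from(
            "<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    sh = opt + opt_size           # section table follows the optional header
    for i in range(nsections):
        name, vsize, _va, raw_size = struct.unpack_from("<8sIII", data, sh + 40 * i)
        sections.append({"name": name.rstrip(b"\0"),
                         "virtual_size": vsize, "raw_size": raw_size})
    return {"machine": machine, "is_64bit": magic == 0x20B,
            "sections": sections, "security_dir": (sec_rva, sec_size)}


def triage(data: bytes) -> dict:
    """Reproduce the 'UPX packed file' and 'Unsigned PE' verdicts."""
    pe = parse_pe(data)
    names = {s["name"] for s in pe["sections"]}
    first = pe["sections"][0] if pe["sections"] else None
    rva, size = pe["security_dir"]
    return {
        "upx_packed": bool(names & UPX_SECTION_NAMES),
        # UPX's first section has no raw data but a large virtual size: the
        # unpacked image is rebuilt there at run time. Weak on its own, useful
        # when a repacked build has renamed the sections.
        "first_section_empty_on_disk": bool(
            first and first["raw_size"] == 0 and first["virtual_size"] > 0),
        # Empty security directory = no embedded Authenticode signature.
        "unsigned": rva == 0 and size == 0,
        "sections": sorted(n.decode("latin-1") for n in names),
    }


def build_fake_pe(section_names, signed=False, pe32plus=True) -> bytes:
    """Constructed, non-runnable PE header used only to exercise triage()."""
    opt_size = 240 if pe32plus else 224          # 16 data directories included
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C,
                       len(section_names), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    dd_off = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dd_off - 4, 16)  # NumberOfRvaAndSizes
    if signed:                                   # pretend an Authenticode blob exists
        struct.pack_into("<II", opt, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                         0x8000, 0x1800)
    secs = b""
    for i, name in enumerate(section_names):
        raw = 0 if (i == 0 and name.startswith(b"UPX")) else 0x1000
        secs += struct.pack("<8sIIIIIIHHI", name, 0x10000, 0x1000 * (i + 1), raw,
                            0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    print(triage(build_fake_pe([b"UPX0", b"UPX1", b".rsrc"])))
    print(triage(build_fake_pe([b".text", b".rdata", b".data"], signed=True, pe32plus=False)))
```

Two caveats when reading these verdicts on a real file: an empty security directory means no embedded signature, not necessarily an untrusted file (Microsoft binaries are usually catalog-signed and also show an empty directory, so confirm with a catalog-aware check such as WinVerifyTrust or Get-AuthenticodeSignature before treating "unsigned" as evidence), and custom UPX builds can rename the UPX0/UPX1 sections, so pair the name check with the empty-first-section layout and with section entropy.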
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-07 21:48
Reported
2024-08-07 21:50
Platform
win7-20240704-en
Max time kernel
143s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\nXsOhXM.exe | N/A |
| N/A | N/A | C:\Windows\System\oQywFQj.exe | N/A |
| N/A | N/A | C:\Windows\System\XXjEtYK.exe | N/A |
| N/A | N/A | C:\Windows\System\WYBYADY.exe | N/A |
| N/A | N/A | C:\Windows\System\INFJpdC.exe | N/A |
| N/A | N/A | C:\Windows\System\oGgxeiQ.exe | N/A |
| N/A | N/A | C:\Windows\System\dOlmvEU.exe | N/A |
| N/A | N/A | C:\Windows\System\QBJCTBw.exe | N/A |
| N/A | N/A | C:\Windows\System\PVbOPna.exe | N/A |
| N/A | N/A | C:\Windows\System\vUZTkUb.exe | N/A |
| N/A | N/A | C:\Windows\System\HLIhXKN.exe | N/A |
| N/A | N/A | C:\Windows\System\cjbOtJQ.exe | N/A |
| N/A | N/A | C:\Windows\System\fmuqJkF.exe | N/A |
| N/A | N/A | C:\Windows\System\gVVZyIc.exe | N/A |
| N/A | N/A | C:\Windows\System\igDXBgz.exe | N/A |
| N/A | N/A | C:\Windows\System\ArecPcW.exe | N/A |
| N/A | N/A | C:\Windows\System\OMQVvla.exe | N/A |
| N/A | N/A | C:\Windows\System\cwIGWVT.exe | N/A |
| N/A | N/A | C:\Windows\System\PjIxuQh.exe | N/A |
| N/A | N/A | C:\Windows\System\mJHZuiJ.exe | N/A |
| N/A | N/A | C:\Windows\System\QRlZQpY.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\nXsOhXM.exe | C:\Windows\System\nXsOhXM.exe |
| C:\Windows\System\oQywFQj.exe | C:\Windows\System\oQywFQj.exe |
| C:\Windows\System\XXjEtYK.exe | C:\Windows\System\XXjEtYK.exe |
| C:\Windows\System\WYBYADY.exe | C:\Windows\System\WYBYADY.exe |
| C:\Windows\System\INFJpdC.exe | C:\Windows\System\INFJpdC.exe |
| C:\Windows\System\oGgxeiQ.exe | C:\Windows\System\oGgxeiQ.exe |
| C:\Windows\System\dOlmvEU.exe | C:\Windows\System\dOlmvEU.exe |
| C:\Windows\System\QBJCTBw.exe | C:\Windows\System\QBJCTBw.exe |
| C:\Windows\System\PVbOPna.exe | C:\Windows\System\PVbOPna.exe |
| C:\Windows\System\vUZTkUb.exe | C:\Windows\System\vUZTkUb.exe |
| C:\Windows\System\HLIhXKN.exe | C:\Windows\System\HLIhXKN.exe |
| C:\Windows\System\cjbOtJQ.exe | C:\Windows\System\cjbOtJQ.exe |
| C:\Windows\System\fmuqJkF.exe | C:\Windows\System\fmuqJkF.exe |
| C:\Windows\System\gVVZyIc.exe | C:\Windows\System\gVVZyIc.exe |
| C:\Windows\System\igDXBgz.exe | C:\Windows\System\igDXBgz.exe |
| C:\Windows\System\ArecPcW.exe | C:\Windows\System\ArecPcW.exe |
| C:\Windows\System\OMQVvla.exe | C:\Windows\System\OMQVvla.exe |
| C:\Windows\System\cwIGWVT.exe | C:\Windows\System\cwIGWVT.exe |
| C:\Windows\System\PjIxuQh.exe | C:\Windows\System\PjIxuQh.exe |
| C:\Windows\System\mJHZuiJ.exe | C:\Windows\System\mJHZuiJ.exe |
| C:\Windows\System\QRlZQpY.exe | C:\Windows\System\QRlZQpY.exe |
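The process list, the SeLockMemoryPrivilege entries and the signature names in this detonation describe a pattern a detection engineer can encode directly: a dropper running from the user's Temp directory writes 21 executables with random 7-letter mixed-case names into C:\Windows\System (the legacy directory, not System32), runs each of them, and enables SeLockMemoryPrivilege, the right XMRig requests so it can back RandomX's scratchpad with large pages (database engines such as SQL Server request the same right, hence the allowlist). The code below is an added example, not data from the report and not Triage's signature logic. The event shapes loosely follow Sysmon Event ID 1 (process create), Sysmon Event ID 3 (network connect) and Windows Security Event 4703 (token right adjusted); the field names, the allowlist and the sample events are assumptions made for this demo, and because the report does not say which process opened the 3.120.209.58:8080 connections, the sample attributes that connection to a dropped executable purely for illustration.

```python
import re

# Indicators taken from the report.
C2_IP, C2_PORT = "3.120.209.58", 8080
DROP_DIR = "c:\\windows\\system\\"      # legacy Win16 directory, not System32

# Heuristics for the drop pattern: 7 letters + .exe, spawned by a parent that
# itself runs from the user's Temp directory.
RANDOM_NAME = re.compile(r"^[a-z]{7}\.exe$", re.IGNORECASE)
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)

# Programs that legitimately enable SeLockMemoryPrivilege (large pages).
# Assumption: a minimal allowlist, to be tuned per estate.
LOCK_MEMORY_ALLOWLIST = {"sqlservr.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def looks_random(image: str) -> bool:
    """7 letters + .exe with mixed case, as in the 21 dropped names above.
    Length alone is noisy (notepad.exe, mspaint.exe), so require >= 2 capitals,
    which every name in this report satisfies."""
    stem = _basename(image)
    return bool(RANDOM_NAME.match(stem)) and sum(c.isupper() for c in stem) >= 2


def process_reasons(ev: dict) -> list:
    """Sysmon-1-style event: image, parent_image."""
    reasons = []
    if ev["image"].lower().startswith(DROP_DIR):
        reasons.append("image executed from C:\\Windows\\System")
    if looks_random(ev["image"]):
        reasons.append("random-looking 7-letter image name")
    if USER_TEMP.match(ev["parent_image"].lower()):
        reasons.append("parent runs from user Temp directory")
    return reasons


def privilege_reasons(ev: dict) -> list:
    """4703-style event: process_name, enabled_privileges."""
    if "SeLockMemoryPrivilege" not in ev["enabled_privileges"]:
        return []
    if _basename(ev["process_name"]).lower() in LOCK_MEMORY_ALLOWLIST:
        return []
    return ["enabled SeLockMemoryPrivilege (large pages; XMRig does this for RandomX)"]


def network_reasons(ev: dict) -> list:
    """Sysmon-3-style event: image, dest_ip, dest_port."""
    if ev["dest_ip"] == C2_IP and ev["dest_port"] == C2_PORT:
        return ["connection to known C2 %s:%d" % (C2_IP, C2_PORT)]
    return []


HANDLERS = {"process": process_reasons, "privilege": privilege_reasons,
            "network": network_reasons}


def run(events: list) -> list:
    """Return one alert per event that trips at least one rule."""
    alerts = []
    for ev in events:
        reasons = HANDLERS[ev["type"]](ev)
        if reasons:
            subject = ev.get("image") or ev.get("process_name")
            alerts.append({"type": ev["type"], "subject": subject, "reasons": reasons})
    return alerts


DROPPER = ("C:\\Users\\Admin\\AppData\\Local\\Temp\\"
           "2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe")

# Constructed sample events mirroring the detonation, plus two benign controls.
SAMPLE_EVENTS = [
    {"type": "privilege", "process_name": DROPPER,
     "enabled_privileges": ["SeLockMemoryPrivilege"]},
    {"type": "process", "image": "C:\\Windows\\System\\nXsOhXM.exe", "parent_image": DROPPER},
    {"type": "network", "image": "C:\\Windows\\System\\nXsOhXM.exe",
     "dest_ip": "3.120.209.58", "dest_port": 8080},
    {"type": "process", "image": "C:\\Windows\\System32\\calc.exe",
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"type": "privilege",
     "process_name": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe",
     "enabled_privileges": ["SeLockMemoryPrivilege"]},
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(a["type"], a["subject"], "->", "; ".join(a["reasons"]))
```

Score the three process reasons together rather than alerting on any one of them: execution from C:\Windows\System is rare on its own, but the name heuristic and the Temp-parent check each have benign hits, and the combination is what this sample exhibits. The privilege rule is worth keeping as a standalone alert with the allowlist, since few programs outside databases and hypervisors ask for SeLockMemoryPrivilege.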
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2172-0-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2172-1-0x0000000000180000-0x0000000000190000-memory.dmp
\Windows\system\nXsOhXM.exe
| MD5 | c5754cec7f4a1c3b1bf4bffa30e3bff2 |
| SHA1 | 848fc2e18def9971930cd9a15e95c48ce7a64730 |
| SHA256 | eee335a1d812795b419d94b8ccd4393b86abfabfb3ea1dc82953fc8a1bc7edb8 |
| SHA512 | 31276030e159cec7d81a6ffddae688f0706c25f9ff5be74ac3f2b42470bbe9af1903d5f1eb37620d6a565e98701fbceeed281fe65ab69e3d2453dce2fd3fa3d6 |
\Windows\system\oQywFQj.exe
| MD5 | 96f0a5eb336485a2cf4ace7d7b47150e |
| SHA1 | 596f4ec1d9b159231f3ee2566f9e314ec3533334 |
| SHA256 | 32ed9dcfceed0eff4d3d0fef2a3d5012d945905c81ce8700427d0e6ca84ddcbe |
| SHA512 | 54ee9ef11cbf98c4bd18f28d8521757e08b0208cb8b5e9fa01ea0a0648ec0f22f1fd61f085d7129fc86d7de7ba58d39636b9a105a743d54784e0ec34f98da97e |
C:\Windows\system\XXjEtYK.exe
| MD5 | 9bd0e1648e8ac0a7126590791a50c4c3 |
| SHA1 | 6edb632d96a97c02e56096a7d77594941af9d5ca |
| SHA256 | 7fbacf67c6bdc7c859cb33eae052ffb738d9662a59326d1f2399fa0bccbe63a2 |
| SHA512 | ffde9e7df923bb5506fb98205206ff775e346160e951451895dbc626d011d0e5079453c914b006563707de34906fd0c9478a02115d2205d465c7d3c7075c4184 |
\Windows\system\INFJpdC.exe
| MD5 | f5669dacc0a623e7b055bf51548366a2 |
| SHA1 | e9fb88de2ceb57c4c7a1b12056f21aa97fae90c9 |
| SHA256 | 8894794fdb868029068489ac478f81eb388ebe58c31c88e0e9ed5903208bbfff |
| SHA512 | 3bba5ba8b19a2634c086d73ccd5d74c9b88530ed10f422dedba223112441418b6b823460dbf9705a566dd6079ec79ea8ff7a4675575dab5c378bdbca9be2bff0 |
C:\Windows\system\HLIhXKN.exe
| MD5 | 107387bbbda053349e4a2b4182a38ab3 |
| SHA1 | c08bcd6372701e8671232d8d6269937a18912476 |
| SHA256 | af1a068f73441a1eb03ca2d572b854beb6aa17d2d88c341d0c54f5ac65ebf8a5 |
| SHA512 | 7b522b27526eaecae6712193321884e97c6264b46a2e6a43dc805fe3319f57f07a9e505483663d39a4793830ccda7d445adf0457df8da7a65ba7bc40a81d5493 |
C:\Windows\system\cjbOtJQ.exe
| MD5 | 12fb6ba6b2baa2c0d4efabeb549a320d |
| SHA1 | 89328c20c8e65cb29be51613c84e781a42cc959c |
| SHA256 | eda328db0ee2c307e695a12b6ddd3f992fe0f6b6c9ba403ac3551cc6d44009d6 |
| SHA512 | 61f72e9cc33a51c3c7aa1f7137880fe2cda70319527e63bf1c48caf1ccbe5336d93aae8973147268d6e9e313b2b530d6746b9958febaa4bf14bc01ac9acb25c8 |
C:\Windows\system\QRlZQpY.exe
| MD5 | e645cf5742db473a4cfc7f3849d5b31c |
| SHA1 | b4a1c8b16c5626bead98d9f07b507a4f0c92e7aa |
| SHA256 | 0efa4b0e0432e4c7b2d31af4391475e651853b245bced2c5f1d0ba626f71e2f5 |
| SHA512 | 9eb81f5a47e6cbd7a4f734212ca1e9c151fe4b7728024e76862a241a748b850d0f9c9401d15610a930f687ed95b5afae55b45057f8c5cd83147a72a3eed8b030 |
C:\Windows\system\mJHZuiJ.exe
| MD5 | 8d929d6af605e5aed5cfa5bb693651fd |
| SHA1 | 29d3fcc521352e6559aa6521838d108a06aab33e |
| SHA256 | 783848f97f6c399c91c3da68043deadc32fa460832332dad9ca7faf5a10a2a7e |
| SHA512 | b709259e6bc91a9ea542dab67f798dd6fba5961a0156146f8138ff5e000fca5286f6eb11342333bcdbbdd51b35299eb0c7a92b12110492abcb4b019ad8175e29 |
C:\Windows\system\PjIxuQh.exe
| MD5 | b078410f886884464f625a5c0af95bd7 |
| SHA1 | fbe9537ee5bad1e735d3766db407a5991f3f0b1d |
| SHA256 | 4390c002983bf2973536556078f07d3760f929aa1bc079d9657c801b3b22556d |
| SHA512 | bec09a592d44d102fd83516e37f1ee297ce54d621b727560dd3ed20372bf26a4a6d7eb60bc31c9364a1c77cfaf96d9a6afe8464a300083797c926027384f7750 |
C:\Windows\system\cwIGWVT.exe
| MD5 | 57a1138a471a9d0df82b6f846c99c86a |
| SHA1 | 52418d911d6b77b540b3b3afdec17a19b819fee0 |
| SHA256 | f23abe67883baff02b92ca82c8e0570a2acc9700ef00463396b4df929472f91b |
| SHA512 | b9b6c55f8b555b8a65907f34f135270be2952b48e7d481e9c60d3151d98248873fa04b19350ebcead3b47e66d2d2b2d717253a0d6e8e1bf94909f5ed0dbeb7a0 |
C:\Windows\system\OMQVvla.exe
| MD5 | 7b755ddbe22c39c5b6851fa40ecdb09a |
| SHA1 | 0327c2dad2d3dafbf9d46965bbd376478e1b5647 |
| SHA256 | 3f5d0793ace28cedf24c6364e0029c5a6b6c5c0a9a29078f9ea01a9c985c41d7 |
| SHA512 | 5aa503e871418973aed4501a56cc4159ff4d135b218374572aba9662917a861a41fae72062421e7402d156e35dcf8b24179a0cbd8995e800cf1935f4dbec2719 |
C:\Windows\system\ArecPcW.exe
| MD5 | afd0724294f1718f593a40c1cc199828 |
| SHA1 | 85fe062ba6b0158de4b2952d5bf3fb4eb8100fb8 |
| SHA256 | 8084aceb2691f0c0bceef0dfd05b3c5c765879d2ce08e8d72a7e12f99ea85d4a |
| SHA512 | 88471ff0fe0635d97fb4181bdeeb322d5cb655c9b18de539cc5a9a0b9d51864c98069882d2fbc046c822c413c4f3a1301e9babd6c190aefa1693b9100f050755 |
C:\Windows\system\igDXBgz.exe
| MD5 | b5a3203c2bf454f4ac6c31f9be4bd771 |
| SHA1 | 4f5001c207ccd603a38b567cdb11aabf2573cb7c |
| SHA256 | e7fa7e059ddd03a90095807b9ce30152f4ac5c23750dd9962c395ead25bb5d9f |
| SHA512 | 00bd75c97cf9b471e40e89271ae2688f7cf96e53124dc667a73402ae38f162a75dcfbefefdb8a2b51d015980c77b580896560b2304b251a78e874784b08be71b |
C:\Windows\system\gVVZyIc.exe
| MD5 | 68c75f6da3b47c8446eaa4504c4f0146 |
| SHA1 | 3ef214af59383405aeaaf80d28970fe909d40dbc |
| SHA256 | cfdc483a2ae36ae2c98b0ac75888443cf170302b2a2417b45f063d43285098ac |
| SHA512 | 9f656ce646ce4a0dd51407c603f90e4875cbb8e8c60c3a781e028e904e05bca75296f7f80636f9f078efee038d9e177a2418547db972d4c0e1fbc057d4b39430 |
C:\Windows\system\fmuqJkF.exe
| MD5 | 4f6e765b5974ead088c8631030a85d0d |
| SHA1 | 01ae2a226ed2a320e55838b75a2df2a9fb2dca90 |
| SHA256 | a3abb3209f8ab6cbf1e554fd6209dd19a4a8c70e96d2fc959310d082b36885cb |
| SHA512 | 429a1cb3ef42984378e1edbda9d1a8e621b87498f893de1729be940952ff35a748124c85321ee7b356b7b0677314050565661daf3170ec372b7430699e9b3bf3 |
C:\Windows\system\vUZTkUb.exe
| MD5 | 490e13ddead724dcf3ff0dbe05d92634 |
| SHA1 | 22c98500de7cc99b1ba62c1ca69d49b00248e4c8 |
| SHA256 | b2f70ed7bfe4bee6505884f4db286774e86b268a3a43dc7ff48ba9698b393253 |
| SHA512 | 4c8360e6cc7d38143c7885380b13da39981678fdf0672ed83cfa4cad3dddbb16331892d4c81278912b8305d18791e2f48a2ceb1dd2720adeee364e4a60e17deb |
C:\Windows\system\PVbOPna.exe
| MD5 | a869a50e94b058a858fb70f51812d115 |
| SHA1 | a582f5c09c3c1e38b401d06fd32ab12f430722cd |
| SHA256 | fc92367b14e847f5d9b38c82f1dadc8d943baa90312a2c6414f79ee2f395475e |
| SHA512 | 679f442a18d30fa6769f47f04de4721cf82c52a62b6bfa57ff2dd1839363a93b13a9abaa2c790500af424a0a1173df74b46d7001464954348ab2113aa5d31d92 |
C:\Windows\system\QBJCTBw.exe
| MD5 | be3f0621aec174f49e81c0ac58d98112 |
| SHA1 | 41995aed948fd00afb56808dcfb521ed55c7e9d7 |
| SHA256 | abd1af79aeacf506f155476ba91bbc5eff08af68ac8fc1987f2f28513eda9c09 |
| SHA512 | c4bad43b025414ffc10a0834cf61b1757baf85c70a589b53b0de64e9308e26a95101f1268bea5eb4125b42ae4eb955f620e2a377ccedb9a392a4b64d9635740c |
C:\Windows\system\dOlmvEU.exe
| MD5 | 8cbb54798607f8963d5b86ccf646562a |
| SHA1 | b0a60013924c9ee786fba8cdae38e8ae8435e748 |
| SHA256 | 419e3c642e8007753f05378c0291b8d75cc6c45eb54b820e441e118d1351bded |
| SHA512 | ff8ebc515bf17ff55815deb72f85bf8aa94042eac8784272af20c5869b4a891cc1bda2f528e4fc9e4b69805da00a69d33f09641395a04aeb43acd53fd9a580d7 |
C:\Windows\system\oGgxeiQ.exe
| MD5 | 1f1d1ecddbec4355c858c09d93d48d83 |
| SHA1 | 66f28c30dc4a6216ce65b7d6d764a163255c6d66 |
| SHA256 | 7195ff397f1b83237b22dbf78445934e688c581992d35ef983d279557458a22d |
| SHA512 | 779903bfb4b6726dcd1bc1ac08ff4fe804916b494be55c2979474472c83d31d62220923be305ec73dc8c1d6a30baff23b1e3bdbf171efae25ce8bd8846fc38e6 |
memory/2172-28-0x000000013F270000-0x000000013F5C4000-memory.dmp
C:\Windows\system\WYBYADY.exe
| MD5 | dc3b796774550421003cb6350e97380b |
| SHA1 | 31bb49ea716dacf7c4e0173e9465dbd06eccbbc7 |
| SHA256 | 4f94113bd5c45d119ff088cbccbe1dedcd8920aee3544da55f5811e4e68327b8 |
| SHA512 | 70da4907d938f5b0dca923b2761412099f5a9aea6a8ab6c829ff683b7c6fd004b4b34ea3d7d371b424d685ade24e1d431d6ab04a42f9ab1c6c0c97c0bb739831 |
memory/736-119-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/2172-118-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/772-117-0x000000013F250000-0x000000013F5A4000-memory.dmp
memory/2172-116-0x000000013F250000-0x000000013F5A4000-memory.dmp
memory/1092-115-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2172-114-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/1924-113-0x000000013F5E0000-0x000000013F934000-memory.dmp
memory/2172-112-0x000000013F5E0000-0x000000013F934000-memory.dmp
memory/2944-111-0x000000013FB30000-0x000000013FE84000-memory.dmp
memory/2172-110-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/2396-109-0x000000013F310000-0x000000013F664000-memory.dmp
memory/3068-108-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/2876-120-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/3036-123-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2172-122-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2172-124-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/3048-121-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2920-127-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/2172-132-0x000000013F310000-0x000000013F664000-memory.dmp
memory/2172-131-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/2780-130-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2172-129-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2204-128-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/2172-126-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/2952-125-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/2172-133-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/3068-134-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/2944-135-0x000000013FB30000-0x000000013FE84000-memory.dmp
memory/1924-136-0x000000013F5E0000-0x000000013F934000-memory.dmp
memory/1092-137-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2396-138-0x000000013F310000-0x000000013F664000-memory.dmp
memory/736-139-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/2876-140-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2952-143-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/2920-144-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/2204-145-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/2780-146-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/3036-142-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/3048-141-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/772-147-0x000000013F250000-0x000000013F5A4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-07 21:48
Reported
2024-08-07 21:50
Platform
win10v2004-20240802-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\nXsOhXM.exe | N/A |
| N/A | N/A | C:\Windows\System\oQywFQj.exe | N/A |
| N/A | N/A | C:\Windows\System\XXjEtYK.exe | N/A |
| N/A | N/A | C:\Windows\System\WYBYADY.exe | N/A |
| N/A | N/A | C:\Windows\System\INFJpdC.exe | N/A |
| N/A | N/A | C:\Windows\System\oGgxeiQ.exe | N/A |
| N/A | N/A | C:\Windows\System\dOlmvEU.exe | N/A |
| N/A | N/A | C:\Windows\System\QBJCTBw.exe | N/A |
| N/A | N/A | C:\Windows\System\PVbOPna.exe | N/A |
| N/A | N/A | C:\Windows\System\vUZTkUb.exe | N/A |
| N/A | N/A | C:\Windows\System\HLIhXKN.exe | N/A |
| N/A | N/A | C:\Windows\System\cjbOtJQ.exe | N/A |
| N/A | N/A | C:\Windows\System\fmuqJkF.exe | N/A |
| N/A | N/A | C:\Windows\System\gVVZyIc.exe | N/A |
| N/A | N/A | C:\Windows\System\igDXBgz.exe | N/A |
| N/A | N/A | C:\Windows\System\ArecPcW.exe | N/A |
| N/A | N/A | C:\Windows\System\OMQVvla.exe | N/A |
| N/A | N/A | C:\Windows\System\cwIGWVT.exe | N/A |
| N/A | N/A | C:\Windows\System\PjIxuQh.exe | N/A |
| N/A | N/A | C:\Windows\System\mJHZuiJ.exe | N/A |
| N/A | N/A | C:\Windows\System\QRlZQpY.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-07_fdc8881af78ef6e63f6210419efc7356_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\nXsOhXM.exe | C:\Windows\System\nXsOhXM.exe |
| C:\Windows\System\oQywFQj.exe | C:\Windows\System\oQywFQj.exe |
| C:\Windows\System\XXjEtYK.exe | C:\Windows\System\XXjEtYK.exe |
| C:\Windows\System\WYBYADY.exe | C:\Windows\System\WYBYADY.exe |
| C:\Windows\System\INFJpdC.exe | C:\Windows\System\INFJpdC.exe |
| C:\Windows\System\oGgxeiQ.exe | C:\Windows\System\oGgxeiQ.exe |
| C:\Windows\System\dOlmvEU.exe | C:\Windows\System\dOlmvEU.exe |
| C:\Windows\System\QBJCTBw.exe | C:\Windows\System\QBJCTBw.exe |
| C:\Windows\System\PVbOPna.exe | C:\Windows\System\PVbOPna.exe |
| C:\Windows\System\vUZTkUb.exe | C:\Windows\System\vUZTkUb.exe |
| C:\Windows\System\HLIhXKN.exe | C:\Windows\System\HLIhXKN.exe |
| C:\Windows\System\cjbOtJQ.exe | C:\Windows\System\cjbOtJQ.exe |
| C:\Windows\System\fmuqJkF.exe | C:\Windows\System\fmuqJkF.exe |
| C:\Windows\System\gVVZyIc.exe | C:\Windows\System\gVVZyIc.exe |
| C:\Windows\System\igDXBgz.exe | C:\Windows\System\igDXBgz.exe |
| C:\Windows\System\ArecPcW.exe | C:\Windows\System\ArecPcW.exe |
| C:\Windows\System\OMQVvla.exe | C:\Windows\System\OMQVvla.exe |
| C:\Windows\System\cwIGWVT.exe | C:\Windows\System\cwIGWVT.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4116,i,1602949858158667699,12464335823361976127,262144 --variations-seed-version --mojo-platform-channel-handle=1296 /prefetch:8 |
| C:\Windows\System\PjIxuQh.exe | C:\Windows\System\PjIxuQh.exe |
| C:\Windows\System\mJHZuiJ.exe | C:\Windows\System\mJHZuiJ.exe |
| C:\Windows\System\QRlZQpY.exe | C:\Windows\System\QRlZQpY.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1708-0-0x00007FF7D4E90000-0x00007FF7D51E4000-memory.dmp
memory/1708-1-0x0000019824EB0000-0x0000019824EC0000-memory.dmp
C:\Windows\System\nXsOhXM.exe
| MD5 | c5754cec7f4a1c3b1bf4bffa30e3bff2 |
| SHA1 | 848fc2e18def9971930cd9a15e95c48ce7a64730 |
| SHA256 | eee335a1d812795b419d94b8ccd4393b86abfabfb3ea1dc82953fc8a1bc7edb8 |
| SHA512 | 31276030e159cec7d81a6ffddae688f0706c25f9ff5be74ac3f2b42470bbe9af1903d5f1eb37620d6a565e98701fbceeed281fe65ab69e3d2453dce2fd3fa3d6 |
memory/4788-6-0x00007FF6D88C0000-0x00007FF6D8C14000-memory.dmp
C:\Windows\System\XXjEtYK.exe
| MD5 | 9bd0e1648e8ac0a7126590791a50c4c3 |
| SHA1 | 6edb632d96a97c02e56096a7d77594941af9d5ca |
| SHA256 | 7fbacf67c6bdc7c859cb33eae052ffb738d9662a59326d1f2399fa0bccbe63a2 |
| SHA512 | ffde9e7df923bb5506fb98205206ff775e346160e951451895dbc626d011d0e5079453c914b006563707de34906fd0c9478a02115d2205d465c7d3c7075c4184 |
C:\Windows\System\oQywFQj.exe
| MD5 | 96f0a5eb336485a2cf4ace7d7b47150e |
| SHA1 | 596f4ec1d9b159231f3ee2566f9e314ec3533334 |
| SHA256 | 32ed9dcfceed0eff4d3d0fef2a3d5012d945905c81ce8700427d0e6ca84ddcbe |
| SHA512 | 54ee9ef11cbf98c4bd18f28d8521757e08b0208cb8b5e9fa01ea0a0648ec0f22f1fd61f085d7129fc86d7de7ba58d39636b9a105a743d54784e0ec34f98da97e |
C:\Windows\System\WYBYADY.exe
| MD5 | dc3b796774550421003cb6350e97380b |
| SHA1 | 31bb49ea716dacf7c4e0173e9465dbd06eccbbc7 |
| SHA256 | 4f94113bd5c45d119ff088cbccbe1dedcd8920aee3544da55f5811e4e68327b8 |
| SHA512 | 70da4907d938f5b0dca923b2761412099f5a9aea6a8ab6c829ff683b7c6fd004b4b34ea3d7d371b424d685ade24e1d431d6ab04a42f9ab1c6c0c97c0bb739831 |
C:\Windows\System\oGgxeiQ.exe
| MD5 | 1f1d1ecddbec4355c858c09d93d48d83 |
| SHA1 | 66f28c30dc4a6216ce65b7d6d764a163255c6d66 |
| SHA256 | 7195ff397f1b83237b22dbf78445934e688c581992d35ef983d279557458a22d |
| SHA512 | 779903bfb4b6726dcd1bc1ac08ff4fe804916b494be55c2979474472c83d31d62220923be305ec73dc8c1d6a30baff23b1e3bdbf171efae25ce8bd8846fc38e6 |
memory/3152-37-0x00007FF78DF70000-0x00007FF78E2C4000-memory.dmp
memory/1136-41-0x00007FF70D640000-0x00007FF70D994000-memory.dmp
C:\Windows\System\PVbOPna.exe
| MD5 | a869a50e94b058a858fb70f51812d115 |
| SHA1 | a582f5c09c3c1e38b401d06fd32ab12f430722cd |
| SHA256 | fc92367b14e847f5d9b38c82f1dadc8d943baa90312a2c6414f79ee2f395475e |
| SHA512 | 679f442a18d30fa6769f47f04de4721cf82c52a62b6bfa57ff2dd1839363a93b13a9abaa2c790500af424a0a1173df74b46d7001464954348ab2113aa5d31d92 |
memory/4832-52-0x00007FF609440000-0x00007FF609794000-memory.dmp
C:\Windows\System\HLIhXKN.exe
| MD5 | 107387bbbda053349e4a2b4182a38ab3 |
| SHA1 | c08bcd6372701e8671232d8d6269937a18912476 |
| SHA256 | af1a068f73441a1eb03ca2d572b854beb6aa17d2d88c341d0c54f5ac65ebf8a5 |
| SHA512 | 7b522b27526eaecae6712193321884e97c6264b46a2e6a43dc805fe3319f57f07a9e505483663d39a4793830ccda7d445adf0457df8da7a65ba7bc40a81d5493 |
C:\Windows\System\cjbOtJQ.exe
| MD5 | 12fb6ba6b2baa2c0d4efabeb549a320d |
| SHA1 | 89328c20c8e65cb29be51613c84e781a42cc959c |
| SHA256 | eda328db0ee2c307e695a12b6ddd3f992fe0f6b6c9ba403ac3551cc6d44009d6 |