Analysis Overview
SHA256
fe976a7e383b394424552a3b9084fefeeab182f64ca5032daa0e9aff4fb6df53
Threat Level: Known bad
The file 2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobaltstrike family
xmrig
XMRig Miner payload
Cobalt Strike reflective loader
Cobaltstrike
XMRig Miner payload
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-07 20:22
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-07 20:22
Reported
2024-08-07 20:25
Platform
win7-20240704-en
Max time kernel
140s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System\vanOKdh.exe | N/A |
| N/A | N/A | C:\Windows\System\nxMomeB.exe | N/A |
| N/A | N/A | C:\Windows\System\nzLgRVq.exe | N/A |
| N/A | N/A | C:\Windows\System\GwdPSom.exe | N/A |
| N/A | N/A | C:\Windows\System\aWyJolS.exe | N/A |
| N/A | N/A | C:\Windows\System\AUJkEUA.exe | N/A |
| N/A | N/A | C:\Windows\System\TSWxiud.exe | N/A |
| N/A | N/A | C:\Windows\System\jtWmsEd.exe | N/A |
| N/A | N/A | C:\Windows\System\OpPlkXh.exe | N/A |
| N/A | N/A | C:\Windows\System\FeNXwnM.exe | N/A |
| N/A | N/A | C:\Windows\System\kQRAHwl.exe | N/A |
| N/A | N/A | C:\Windows\System\TbadXlL.exe | N/A |
| N/A | N/A | C:\Windows\System\PuOybkI.exe | N/A |
| N/A | N/A | C:\Windows\System\ioXjcNK.exe | N/A |
| N/A | N/A | C:\Windows\System\vwxFCQV.exe | N/A |
| N/A | N/A | C:\Windows\System\qSzBtBM.exe | N/A |
| N/A | N/A | C:\Windows\System\aFqbxwl.exe | N/A |
| N/A | N/A | C:\Windows\System\eypJqcQ.exe | N/A |
| N/A | N/A | C:\Windows\System\tMZyOCT.exe | N/A |
| N/A | N/A | C:\Windows\System\mDEORpd.exe | N/A |
| N/A | N/A | C:\Windows\System\wuJlhIc.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\vanOKdh.exe
C:\Windows\System\nxMomeB.exe
C:\Windows\System\nzLgRVq.exe
C:\Windows\System\aWyJolS.exe
C:\Windows\System\GwdPSom.exe
C:\Windows\System\AUJkEUA.exe
C:\Windows\System\TSWxiud.exe
C:\Windows\System\OpPlkXh.exe
C:\Windows\System\jtWmsEd.exe
C:\Windows\System\PuOybkI.exe
C:\Windows\System\FeNXwnM.exe
C:\Windows\System\aFqbxwl.exe
C:\Windows\System\kQRAHwl.exe
C:\Windows\System\eypJqcQ.exe
C:\Windows\System\TbadXlL.exe
C:\Windows\System\tMZyOCT.exe
C:\Windows\System\ioXjcNK.exe
C:\Windows\System\mDEORpd.exe
C:\Windows\System\vwxFCQV.exe
C:\Windows\System\wuJlhIc.exe
C:\Windows\System\qSzBtBM.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-07 20:22
Reported
2024-08-07 20:25
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\System\yKPudEa.exe | N/A |
| N/A | N/A | C:\Windows\System\HgGnpFq.exe | N/A |
| N/A | N/A | C:\Windows\System\OrmLigu.exe | N/A |
| N/A | N/A | C:\Windows\System\IWcTIMM.exe | N/A |
| N/A | N/A | C:\Windows\System\WXaKnOp.exe | N/A |
| N/A | N/A | C:\Windows\System\ClnYSCM.exe | N/A |
| N/A | N/A | C:\Windows\System\dDThacf.exe | N/A |
| N/A | N/A | C:\Windows\System\hwBhhiK.exe | N/A |
| N/A | N/A | C:\Windows\System\lVNCYWf.exe | N/A |
| N/A | N/A | C:\Windows\System\bUgPkol.exe | N/A |
| N/A | N/A | C:\Windows\System\cqtoraH.exe | N/A |
| N/A | N/A | C:\Windows\System\agmRdfb.exe | N/A |
| N/A | N/A | C:\Windows\System\qZhMbBf.exe | N/A |
| N/A | N/A | C:\Windows\System\HEvnwHm.exe | N/A |
| N/A | N/A | C:\Windows\System\KzLbSAn.exe | N/A |
| N/A | N/A | C:\Windows\System\CkOCVlW.exe | N/A |
| N/A | N/A | C:\Windows\System\yocSFip.exe | N/A |
| N/A | N/A | C:\Windows\System\kHiNZGj.exe | N/A |
| N/A | N/A | C:\Windows\System\oexSsrm.exe | N/A |
| N/A | N/A | C:\Windows\System\LerOdFh.exe | N/A |
| N/A | N/A | C:\Windows\System\BMHYBEd.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_35fd3e6cfdf21d052e03cfd295554f4a_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\yKPudEa.exe
C:\Windows\System\HgGnpFq.exe
C:\Windows\System\OrmLigu.exe
C:\Windows\System\IWcTIMM.exe
C:\Windows\System\WXaKnOp.exe
C:\Windows\System\ClnYSCM.exe
C:\Windows\System\dDThacf.exe
C:\Windows\System\hwBhhiK.exe
C:\Windows\System\lVNCYWf.exe
C:\Windows\System\bUgPkol.exe
C:\Windows\System\cqtoraH.exe
C:\Windows\System\agmRdfb.exe
C:\Windows\System\qZhMbBf.exe
C:\Windows\System\HEvnwHm.exe
C:\Windows\System\KzLbSAn.exe
C:\Windows\System\CkOCVlW.exe
C:\Windows\System\yocSFip.exe
C:\Windows\System\kHiNZGj.exe
C:\Windows\System\oexSsrm.exe
C:\Windows\System\LerOdFh.exe
C:\Windows\System\BMHYBEd.exe
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\kHiNZGj.exe
| MD5 | 6f19bcf308c528fe1239ad242f4dc64f |
| SHA1 | 7e1de3368ecb2cad839d5d5363658db1ba374325 |
| SHA256 | a0d550508955df26024f6460ede526e985ea83867be93bc80722c5b98fc84acf |
| SHA512 | f1ff3cb6e1dafb8637c6dc9163162f7855b158e60d04f5568d59b5a9597810384ca9d5ccd1ce976709963bd3dc7f5206346d193e937bfc0330f2ed34ab59b01d |
memory/4036-112-0x00007FF74F6D0000-0x00007FF74FA21000-memory.dmp
memory/4940-111-0x00007FF70B700000-0x00007FF70BA51000-memory.dmp
memory/4388-107-0x00007FF66A040000-0x00007FF66A391000-memory.dmp
C:\Windows\System\oexSsrm.exe
| MD5 | f7ff76f804d5b14966985e2ff126cea0 |
| SHA1 | 0c7523395d6fb0debf8e8add4ab6346c85b84760 |
| SHA256 | 32ad235c799279b63443b86f170f717e075df68213325d81c5b4e1c4e72af8a4 |
| SHA512 | b8e2409894f5e7c1b9b49a190b2dbfe283eec90eed954923920cf56745b9f17b11e1c4f6691cd55be53118da43120f83bda72fa40c4de867a2eb20aa2bb881e6 |
C:\Windows\System\LerOdFh.exe
| MD5 | 6118e86418ff089e578c56b030209ca0 |
| SHA1 | 5fde8e50e1f365ed08d76eb0a7cea032494de2e1 |
| SHA256 | 533e106eae3ebedc98d2865c8f5a9582ddefe854846777db7f612288b7b48c53 |
| SHA512 | a949eae3547132bc2bc9f56294e7458ca24652a56da27a0bede2c220e343367958d50c1c8021592f431e79588e62433b7038d303f732f57260c1ec4f761ec234 |
memory/3896-120-0x00007FF7A95F0000-0x00007FF7A9941000-memory.dmp
memory/1244-119-0x00007FF7D3470000-0x00007FF7D37C1000-memory.dmp
memory/1636-128-0x00007FF76ACC0000-0x00007FF76B011000-memory.dmp
C:\Windows\System\BMHYBEd.exe
| MD5 | b4eaa00d0c4749e3d28d2f569c965580 |
| SHA1 | 6a441dd508e49860f6f199cf7a62703bdf8393e9 |
| SHA256 | aa682b6514e7dcdbe1aae4b1b5dfd9e8e72f165711a01600d653f5574d72b162 |
| SHA512 | 407342f52504d0b07d8a1d5f4a3da480c62ff600d5689c3fc999b3c559db9cfa4da0121413c8ddf0a38929867cee251d00b1a6f7229234301b0b5e13286a1fab |
memory/4448-130-0x00007FF671190000-0x00007FF6714E1000-memory.dmp
memory/2428-134-0x00007FF785E40000-0x00007FF786191000-memory.dmp
memory/2060-135-0x00007FF74D4E0000-0x00007FF74D831000-memory.dmp
memory/3228-140-0x00007FF6954B0000-0x00007FF695801000-memory.dmp
memory/2956-141-0x00007FF7A3460000-0x00007FF7A37B1000-memory.dmp
memory/960-148-0x00007FF7E4F90000-0x00007FF7E52E1000-memory.dmp
memory/1040-152-0x00007FF632EC0000-0x00007FF633211000-memory.dmp
memory/4388-154-0x00007FF66A040000-0x00007FF66A391000-memory.dmp
memory/3896-156-0x00007FF7A95F0000-0x00007FF7A9941000-memory.dmp
memory/4036-155-0x00007FF74F6D0000-0x00007FF74FA21000-memory.dmp
memory/2060-159-0x00007FF74D4E0000-0x00007FF74D831000-memory.dmp
memory/4380-207-0x00007FF67E6F0000-0x00007FF67EA41000-memory.dmp
memory/3480-209-0x00007FF65C900000-0x00007FF65CC51000-memory.dmp
memory/1240-211-0x00007FF6FD9F0000-0x00007FF6FDD41000-memory.dmp
memory/1936-213-0x00007FF712A20000-0x00007FF712D71000-memory.dmp
memory/4940-215-0x00007FF70B700000-0x00007FF70BA51000-memory.dmp
memory/1244-217-0x00007FF7D3470000-0x00007FF7D37C1000-memory.dmp
memory/1636-229-0x00007FF76ACC0000-0x00007FF76B011000-memory.dmp
memory/2756-231-0x00007FF636D00000-0x00007FF637051000-memory.dmp
memory/3228-233-0x00007FF6954B0000-0x00007FF695801000-memory.dmp
memory/2956-235-0x00007FF7A3460000-0x00007FF7A37B1000-memory.dmp
memory/960-237-0x00007FF7E4F90000-0x00007FF7E52E1000-memory.dmp
memory/1752-239-0x00007FF68BC30000-0x00007FF68BF81000-memory.dmp
memory/3780-241-0x00007FF74C330000-0x00007FF74C681000-memory.dmp
memory/4532-243-0x00007FF7C8FA0000-0x00007FF7C92F1000-memory.dmp
memory/1040-245-0x00007FF632EC0000-0x00007FF633211000-memory.dmp
memory/4492-247-0x00007FF7127A0000-0x00007FF712AF1000-memory.dmp
memory/4388-249-0x00007FF66A040000-0x00007FF66A391000-memory.dmp
memory/4036-251-0x00007FF74F6D0000-0x00007FF74FA21000-memory.dmp
memory/3896-254-0x00007FF7A95F0000-0x00007FF7A9941000-memory.dmp
memory/4448-256-0x00007FF671190000-0x00007FF6714E1000-memory.dmp
memory/2428-258-0x00007FF785E40000-0x00007FF786191000-memory.dmp