Analysis Overview
SHA256
08354515e8c11421ec627eabae2cab21baa3a62a5f25ee79f2284b478f69daf8
Threat Level: Known bad
The file 2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
XMRig Miner payload
Cobaltstrike family
Cobalt Strike reflective loader
xmrig
Xmrig family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-13 12:01
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 12:01
Reported
2024-08-13 12:04
Platform
win7-20240705-en
Max time kernel
140s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\UdjiDRS.exe | N/A |
| N/A | N/A | C:\Windows\System\tcCmVVg.exe | N/A |
| N/A | N/A | C:\Windows\System\ZeFDnPf.exe | N/A |
| N/A | N/A | C:\Windows\System\kcTcFwc.exe | N/A |
| N/A | N/A | C:\Windows\System\BeYByjX.exe | N/A |
| N/A | N/A | C:\Windows\System\pglVahh.exe | N/A |
| N/A | N/A | C:\Windows\System\PhWSHkP.exe | N/A |
| N/A | N/A | C:\Windows\System\nNaqgyj.exe | N/A |
| N/A | N/A | C:\Windows\System\TxcGbYV.exe | N/A |
| N/A | N/A | C:\Windows\System\zOFIEZQ.exe | N/A |
| N/A | N/A | C:\Windows\System\gOAcGig.exe | N/A |
| N/A | N/A | C:\Windows\System\oeraTSo.exe | N/A |
| N/A | N/A | C:\Windows\System\GioaETr.exe | N/A |
| N/A | N/A | C:\Windows\System\zyobLnr.exe | N/A |
| N/A | N/A | C:\Windows\System\ySQSrSR.exe | N/A |
| N/A | N/A | C:\Windows\System\wMCSNQH.exe | N/A |
| N/A | N/A | C:\Windows\System\yUEjRCs.exe | N/A |
| N/A | N/A | C:\Windows\System\YucjItb.exe | N/A |
| N/A | N/A | C:\Windows\System\YGHnnzL.exe | N/A |
| N/A | N/A | C:\Windows\System\CtFZysH.exe | N/A |
| N/A | N/A | C:\Windows\System\YiKUzFk.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\UdjiDRS.exe
C:\Windows\System\UdjiDRS.exe
C:\Windows\System\tcCmVVg.exe
C:\Windows\System\tcCmVVg.exe
C:\Windows\System\ZeFDnPf.exe
C:\Windows\System\ZeFDnPf.exe
C:\Windows\System\kcTcFwc.exe
C:\Windows\System\kcTcFwc.exe
C:\Windows\System\BeYByjX.exe
C:\Windows\System\BeYByjX.exe
C:\Windows\System\gOAcGig.exe
C:\Windows\System\gOAcGig.exe
C:\Windows\System\pglVahh.exe
C:\Windows\System\pglVahh.exe
C:\Windows\System\ySQSrSR.exe
C:\Windows\System\ySQSrSR.exe
C:\Windows\System\PhWSHkP.exe
C:\Windows\System\PhWSHkP.exe
C:\Windows\System\wMCSNQH.exe
C:\Windows\System\wMCSNQH.exe
C:\Windows\System\nNaqgyj.exe
C:\Windows\System\nNaqgyj.exe
C:\Windows\System\yUEjRCs.exe
C:\Windows\System\yUEjRCs.exe
C:\Windows\System\TxcGbYV.exe
C:\Windows\System\TxcGbYV.exe
C:\Windows\System\YucjItb.exe
C:\Windows\System\YucjItb.exe
C:\Windows\System\zOFIEZQ.exe
C:\Windows\System\zOFIEZQ.exe
C:\Windows\System\YGHnnzL.exe
C:\Windows\System\YGHnnzL.exe
C:\Windows\System\oeraTSo.exe
C:\Windows\System\oeraTSo.exe
C:\Windows\System\CtFZysH.exe
C:\Windows\System\CtFZysH.exe
C:\Windows\System\GioaETr.exe
C:\Windows\System\GioaETr.exe
C:\Windows\System\YiKUzFk.exe
C:\Windows\System\YiKUzFk.exe
C:\Windows\System\zyobLnr.exe
C:\Windows\System\zyobLnr.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3056-0-0x000000013F430000-0x000000013F781000-memory.dmp
memory/3056-1-0x00000000000F0000-0x0000000000100000-memory.dmp
C:\Windows\system\UdjiDRS.exe
| MD5 | 5f7c8b950482997d895009d2a9d50b44 |
| SHA1 | e054ecf3ea38e351ddebf87474ed74678d8d6636 |
| SHA256 | beeeba0f3779d0f337298b10d9b788bb5b9a2cb437c1208cf16b406e52460ed3 |
| SHA512 | 15ad582d523bcaf9621cc98829772a72e91df5760e780992c7a86368a4ec4e4568ee69a097b7ad3b5ee8fbebd43c1db019bb9fae0054cb60babadcdd78f9d1c0 |
\Windows\system\ZeFDnPf.exe
| MD5 | ed1e3ca4ed2845ba32263d00ec35849a |
| SHA1 | eab8f51c7bdecc97ba9022a382de6c7cca262505 |
| SHA256 | 6440cb8d5d65876daa03c57a5e2a5c9698af42574a999266d48c646b1551803a |
| SHA512 | 2f25c985e178defc7995dd95650ed8cbbd30b17efaa927f5e4d3bcf0478a5017f968f4cc799a0e509aee76db84500b9f92c54ec8b389c0b5bc48e6159df2ece1 |
C:\Windows\system\tcCmVVg.exe
| MD5 | 6797827bbb1a58d8311a04c6f2ab9c2e |
| SHA1 | 95f7de7b2539bfc10d301d3225d92de5a1fafa01 |
| SHA256 | aa526cad22f711d568b7dce8569559431df96aa632cdfb18436892d1bce834e0 |
| SHA512 | 175da9de7fee708eef471d1ea367510a9093abb61bfeceb1eab3590ddcc2c05de17bb64e5b4c8439c82f5e29c8029d85db779850bc0a8a91af79d12b25815f03 |
\Windows\system\kcTcFwc.exe
| MD5 | e3f838df37c4f11095c217b5daedae69 |
| SHA1 | de1bdc77f30f7d6de75b70acaa23f89a2280f9aa |
| SHA256 | 604f9acc0f7a07f65e3ac84ce7ffe886ac2d81c5d8737e38524ce84b4faee75b |
| SHA512 | da2d6bdced3c531b817eb06fff474c2d4234380352cad731fc62cf12ff3ff27ed647f6d4b554b8f596e99001bcc3be13daab9f86e51ec546e65ea49aaf082d6a |
memory/3056-14-0x000000013FD90000-0x00000001400E1000-memory.dmp
memory/2692-116-0x000000013F120000-0x000000013F471000-memory.dmp
\Windows\system\wMCSNQH.exe
| MD5 | aee410f15801b4a956d1d5bd04b1ff62 |
| SHA1 | 21763740670d2d21ae8d3a0d951cea9eaa54b471 |
| SHA256 | 9a116c5997264127b901bf2e44be38978dbfdaafbe8e9d1095458bdcc010a3de |
| SHA512 | 8c9c8dba7dd7ebfda715281841df25bad8d806fbe6c49f9b610bb3531d6a2f03da0625af0eeb8fa83e2daa7bc741c897c107d94021fbd3e924165b4c877d1bef |
\Windows\system\YiKUzFk.exe
| MD5 | 63dfb68794a722f093bd233c641cf676 |
| SHA1 | 50ca7a740dda84ab5821621330ceec3b92d5af34 |
| SHA256 | a0034f4fa1a2b01a799fcdf8da78993da776b7f6bd99963326549f914565c77e |
| SHA512 | 63b38aae6011c2035e1dc6c68d32411c7b03c59813f64fffbeb8b789c88046993a0b191829220e89fafdcc6e9d11b62c7f564e8ceaf0e439511124d9f6fdabfd |
\Windows\system\CtFZysH.exe
| MD5 | b180a8837805502d6c647626d6f2cb4d |
| SHA1 | 20e99b0e16cf013405ddf17cfdcca4515dd505d0 |
| SHA256 | 57d179165377d6776fb736e58d6153bda7441b31decc94e1eeaab0558a1c1ec8 |
| SHA512 | 27ac0bfa90184df859a8c9b10bb79fc8e15424c745edb8a83cfeba3cfbc0ebd8064a15ebff67336004ecb8b4ffab43ab861ec8914e49c90d932f7bcd6c3e185d |
memory/3056-71-0x0000000002210000-0x0000000002561000-memory.dmp
\Windows\system\YGHnnzL.exe
| MD5 | a96f203dcfe333f757d22f3fa6c4db47 |
| SHA1 | 10f915aa302f39f588bfe167fef49765c5aa81ad |
| SHA256 | 5e9ea27955e0cc6caf4f2ae346a20ea211d049c77ee763e0a199877c72ea1961 |
| SHA512 | 2f98915591865931865e1bc35ba99429cf3934f458153515c113556a3e64aeaefb8bea9cdb8266899c795e34362919ef7fd573257247d13f58756e8b1ebf1769 |
\Windows\system\YucjItb.exe
| MD5 | 880a144a97f19029ed9f0a7b95b212c0 |
| SHA1 | f0c40667eb474975b6fa84764cf099be66cf38d6 |
| SHA256 | e4544e5f30679eceb9fb286bd9e5d06945af36864e3f37a92996b4bd57ee40a0 |
| SHA512 | ad54eb1fd28f667a30b49be828561ce048d79b5daea4b1435fbc9c4c9c711cf64c89cbcf009b7e9e20ab018d611c1df23c9624232ad791fda2c72a05087a7227 |
\Windows\system\yUEjRCs.exe
| MD5 | 18fb8b20f53b5638ac9eeab11a201084 |
| SHA1 | 8964bfa3cd3f52e2e14f7537e82a57965f454e21 |
| SHA256 | 87901544896c725cb9a7b215d0a60d972a6e796a980508b0a5e55d42116791c3 |
| SHA512 | f6644a66efad3b5eb6fdd34cfb92fa627c62f985f3cc1c5bf290e27cac594e43cc03913be925899b99a3e00d3e07d93837f1dfff6946138715f760ebc3e43e2c |
memory/3056-118-0x000000013F060000-0x000000013F3B1000-memory.dmp
memory/3056-117-0x000000013FE40000-0x0000000140191000-memory.dmp
memory/2932-115-0x000000013F650000-0x000000013F9A1000-memory.dmp
memory/3056-114-0x000000013FFA0000-0x00000001402F1000-memory.dmp
memory/3056-113-0x000000013FB90000-0x000000013FEE1000-memory.dmp
memory/2732-112-0x000000013F470000-0x000000013F7C1000-memory.dmp
memory/2592-111-0x000000013FD20000-0x0000000140071000-memory.dmp
memory/2788-110-0x000000013F7E0000-0x000000013FB31000-memory.dmp
memory/2852-109-0x000000013FA70000-0x000000013FDC1000-memory.dmp
memory/2944-108-0x000000013FA10000-0x000000013FD61000-memory.dmp
memory/2844-107-0x000000013F5D0000-0x000000013F921000-memory.dmp
memory/3056-106-0x000000013FD20000-0x0000000140071000-memory.dmp
memory/3056-105-0x000000013F7E0000-0x000000013FB31000-memory.dmp
memory/3056-104-0x000000013FA70000-0x000000013FDC1000-memory.dmp
memory/3056-103-0x0000000002210000-0x0000000002561000-memory.dmp
C:\Windows\system\ySQSrSR.exe
| MD5 | d2a63e747ff2da9253dc489e18781a64 |
| SHA1 | 4371adc7ab0b57048548232732a9e6424547fa2a |
| SHA256 | 6ec713c2350ecd5f1b39400e43bcfc35bc7f95fe65184f90e5ab1b62554d1be0 |
| SHA512 | ee21335f36ce42b6b92fff9c7cd2010c0fefd59e1c9087ab3730189d9d0071bd808dd3e95aeb857442319e8190da353cf378b7192207f52feb5e4fece989e355 |
memory/3056-101-0x000000013FA10000-0x000000013FD61000-memory.dmp
memory/3056-98-0x000000013FBE0000-0x000000013FF31000-memory.dmp
C:\Windows\system\zyobLnr.exe
| MD5 | 52bcc09b76467b6c18de46b568fc6bbb |
| SHA1 | 32f2645d087f2afaac348b48c07def1a7207af07 |
| SHA256 | 8b8e5be5c2428ce62bf6c21a6efdd09cbb95057d955ed11e8faedf19856a43c5 |
| SHA512 | 5075fafb2249cfb28370269d719d18e469e46e3d724ccf47869f2134de141075b4e3102b2108aab1237258b4f957c68d1089cf7db5846c3ea2c8d2afe93f6a56 |
C:\Windows\system\GioaETr.exe
| MD5 | 0b69607c497436d0f76b4885619f195a |
| SHA1 | 98c72a65bbd54784d4f189210c543541ad1a82d5 |
| SHA256 | 34e184b200b42f20a22f9456fbc69f3a4b766378b574809189ee44bf0346bf5b |
| SHA512 | 86027f2faceba9a0a80d28f4a2938917f80ae52b983bf729d7dde324209c250bea8c37584efaa67d915f9a5c98fc867eeb4a78fe279e892ab6e0085950857a54 |
C:\Windows\system\oeraTSo.exe
| MD5 | 5babeb4ae73fc08717a834c7f6c87d96 |
| SHA1 | cf5e2149093c827ba62cc18b97f37eb2955f4eae |
| SHA256 | 9b52333e59e2f87c1ff6810c6f0149b681547b615b54faeddc1f599037b409ea |
| SHA512 | aa7c43ee1ea2c746165ae87c30a68ed59280de77d7e03ab75c43017615c83e229628021a9f8d7089f67afc0d7c5d4c0f9b6e561c30fa3251a153e0664cc151bc |
memory/2268-93-0x000000013F150000-0x000000013F4A1000-memory.dmp
C:\Windows\system\gOAcGig.exe
| MD5 | 60ba1acd297fa5ca38a70e48e534cc78 |
| SHA1 | 436fd17bc53f2608fb8de5135ce1654b1827cef8 |
| SHA256 | e9cbeaafe7309396a90b4a50fa8f66662f33ba0181b2505cfbd74bfadfbbc17e |
| SHA512 | 12feb958aed0babb3486a08abd4d8ddaa3a55a76a107146e81712d880099d5f475700780f348b4e2074a742cb8ef56a432d79ad84597115fa428c9fd497e1c8e |
memory/3056-67-0x0000000002210000-0x0000000002561000-memory.dmp
C:\Windows\system\zOFIEZQ.exe
| MD5 | 15a4a100a497cdc0019b2f5ac69d9aa8 |
| SHA1 | 4375091ad92ae11b38d939782b792742335bc806 |
| SHA256 | eedd1c0c962121e8f4f8d20a79d878be84f6502b4fd5912e9dccf8b218a9f091 |
| SHA512 | b358989746e3ce3e02439f9d6fe517040378774fc92ecc87015fd7380f5f742430789d464af07d5f118edeaaa3cb0b8482c6059898f57487e7d4ee5ed0a48762 |
C:\Windows\system\TxcGbYV.exe
| MD5 | ad2886c42b48a6d3cce5f00ce7636321 |
| SHA1 | fdf3ad3fe6480baa79dcf64a8b43697eacc1e94f |
| SHA256 | db43d05d17d04af3f94e0ea6e7ea35aa40caef8e67c1a0c343d1d03419f23d4d |
| SHA512 | 6e78aee95ee5fd2b8fa52a922f510838dd4fb310fb31996ef0466f02fe67b9658e37f0230479aec6e6841e59468046145c1b239571f458a3a5c6ad4b6b57bcdc |
C:\Windows\system\nNaqgyj.exe
| MD5 | 1cd9de47ee39cc00dc82cc03a3683dce |
| SHA1 | 6f7ccb4c467365c3a24147f75a1b9cce6ae7a2a1 |
| SHA256 | 51d11bbd4546a37bb56d3a8b96cd8e90948dd24bd166ae75d280f60f6ff97c44 |
| SHA512 | 10d82736c3d9d12e0283b0247d750a092584feb66f33ef72b040344a86540e5988e252ce5dd7ac92fc1963388c2b0a20fa6f9fa41da3b8b5688ce60014ebc961 |
C:\Windows\system\PhWSHkP.exe
| MD5 | b6fb1f84e785c6e53a1a6d033340935b |
| SHA1 | 3b66985b8fac8b58c82ce1ca1b82257a24954576 |
| SHA256 | ad08c66a664b4f18c999c4bed3f2e501dbef2dcbb58805319966b1a276ee476c |
| SHA512 | 8f33e498cf2a3f4c594aeecbd66217c9ba7559aa08827d02b7a15f94d28471b0df87a8112d31a12cb0ce8e301091e46288fda96029a5283ee13e31cf249dadd7 |
C:\Windows\system\pglVahh.exe
| MD5 | 1026e44863dbeedd53e648150d9cd37d |
| SHA1 | 0587abf1ef557eabeb266d454505cf583ac7ac9e |
| SHA256 | 07f3a2270d80e63aef89b06c5f236fb3f826d7ad49aa1420969b0939fa029907 |
| SHA512 | 22dd6c307fb73ddc4d9676f35870681aadafce6ab7557d29c0b83a542c545af1826063839743353bfdf15d6a1aff6e29052c798e7b21d3f4c451abd04f3ed046 |
C:\Windows\system\BeYByjX.exe
| MD5 | 8aa36a7634dd0ea851463774a28c30f7 |
| SHA1 | b5cc32abe06243d824e82761303e294d2263421e |
| SHA256 | a4d8a6faf70b7f63ee97f38b3d4e55bf454dc04a5c5a603b0ea12318927461da |
| SHA512 | b74019c7e3b3287e55ceef2db6a650fd2eeab20f46b78afe7c052a06621e91c3cc31b020bea638ce13883f2058610a16504c0859d15bbebf9caf2180b9940722 |
memory/2936-30-0x000000013FFA0000-0x00000001402F1000-memory.dmp
memory/3056-48-0x0000000002210000-0x0000000002561000-memory.dmp
memory/2524-27-0x000000013FD90000-0x00000001400E1000-memory.dmp
memory/3056-132-0x000000013F430000-0x000000013F781000-memory.dmp
memory/1732-153-0x000000013F150000-0x000000013F4A1000-memory.dmp
memory/1780-152-0x000000013FF20000-0x0000000140271000-memory.dmp
memory/856-151-0x000000013F080000-0x000000013F3D1000-memory.dmp
memory/2200-149-0x000000013F060000-0x000000013F3B1000-memory.dmp
memory/1744-148-0x000000013FE40000-0x0000000140191000-memory.dmp
memory/2700-146-0x000000013F5E0000-0x000000013F931000-memory.dmp
memory/2924-144-0x000000013F500000-0x000000013F851000-memory.dmp
memory/2824-142-0x000000013F580000-0x000000013F8D1000-memory.dmp
memory/2712-140-0x000000013FBE0000-0x000000013FF31000-memory.dmp
memory/2044-150-0x000000013FB90000-0x000000013FEE1000-memory.dmp
memory/3056-154-0x000000013F430000-0x000000013F781000-memory.dmp
memory/3056-168-0x000000013F430000-0x000000013F781000-memory.dmp
memory/2524-200-0x000000013FD90000-0x00000001400E1000-memory.dmp
memory/2936-202-0x000000013FFA0000-0x00000001402F1000-memory.dmp
memory/2932-204-0x000000013F650000-0x000000013F9A1000-memory.dmp
memory/2268-206-0x000000013F150000-0x000000013F4A1000-memory.dmp
memory/2692-208-0x000000013F120000-0x000000013F471000-memory.dmp
memory/2844-212-0x000000013F5D0000-0x000000013F921000-memory.dmp
memory/2732-211-0x000000013F470000-0x000000013F7C1000-memory.dmp
memory/2788-218-0x000000013F7E0000-0x000000013FB31000-memory.dmp
memory/2852-220-0x000000013FA70000-0x000000013FDC1000-memory.dmp
memory/2592-216-0x000000013FD20000-0x0000000140071000-memory.dmp
memory/2944-215-0x000000013FA10000-0x000000013FD61000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 12:01
Reported
2024-08-13 12:04
Platform
win10v2004-20240802-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\UdjiDRS.exe | N/A |
| N/A | N/A | C:\Windows\System\tcCmVVg.exe | N/A |
| N/A | N/A | C:\Windows\System\ZeFDnPf.exe | N/A |
| N/A | N/A | C:\Windows\System\kcTcFwc.exe | N/A |
| N/A | N/A | C:\Windows\System\BeYByjX.exe | N/A |
| N/A | N/A | C:\Windows\System\gOAcGig.exe | N/A |
| N/A | N/A | C:\Windows\System\pglVahh.exe | N/A |
| N/A | N/A | C:\Windows\System\ySQSrSR.exe | N/A |
| N/A | N/A | C:\Windows\System\PhWSHkP.exe | N/A |
| N/A | N/A | C:\Windows\System\wMCSNQH.exe | N/A |
| N/A | N/A | C:\Windows\System\nNaqgyj.exe | N/A |
| N/A | N/A | C:\Windows\System\yUEjRCs.exe | N/A |
| N/A | N/A | C:\Windows\System\TxcGbYV.exe | N/A |
| N/A | N/A | C:\Windows\System\YucjItb.exe | N/A |
| N/A | N/A | C:\Windows\System\zOFIEZQ.exe | N/A |
| N/A | N/A | C:\Windows\System\YGHnnzL.exe | N/A |
| N/A | N/A | C:\Windows\System\oeraTSo.exe | N/A |
| N/A | N/A | C:\Windows\System\CtFZysH.exe | N/A |
| N/A | N/A | C:\Windows\System\GioaETr.exe | N/A |
| N/A | N/A | C:\Windows\System\YiKUzFk.exe | N/A |
| N/A | N/A | C:\Windows\System\zyobLnr.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-13_def2e1c6e39f7f534439280db13d57b9_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\UdjiDRS.exe
C:\Windows\System\UdjiDRS.exe
C:\Windows\System\tcCmVVg.exe
C:\Windows\System\tcCmVVg.exe
C:\Windows\System\ZeFDnPf.exe
C:\Windows\System\ZeFDnPf.exe
C:\Windows\System\kcTcFwc.exe
C:\Windows\System\kcTcFwc.exe
C:\Windows\System\BeYByjX.exe
C:\Windows\System\BeYByjX.exe
C:\Windows\System\gOAcGig.exe
C:\Windows\System\gOAcGig.exe
C:\Windows\System\pglVahh.exe
C:\Windows\System\pglVahh.exe
C:\Windows\System\ySQSrSR.exe
C:\Windows\System\ySQSrSR.exe
C:\Windows\System\PhWSHkP.exe
C:\Windows\System\PhWSHkP.exe
C:\Windows\System\wMCSNQH.exe
C:\Windows\System\wMCSNQH.exe
C:\Windows\System\nNaqgyj.exe
C:\Windows\System\nNaqgyj.exe
C:\Windows\System\yUEjRCs.exe
C:\Windows\System\yUEjRCs.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3840,i,8231329449558834090,4540802069600791165,262144 --variations-seed-version --mojo-platform-channel-handle=4128 /prefetch:8
C:\Windows\System\TxcGbYV.exe
C:\Windows\System\TxcGbYV.exe
C:\Windows\System\YucjItb.exe
C:\Windows\System\YucjItb.exe
C:\Windows\System\zOFIEZQ.exe
C:\Windows\System\zOFIEZQ.exe
C:\Windows\System\YGHnnzL.exe
C:\Windows\System\YGHnnzL.exe
C:\Windows\System\oeraTSo.exe
C:\Windows\System\oeraTSo.exe
C:\Windows\System\CtFZysH.exe
C:\Windows\System\CtFZysH.exe
C:\Windows\System\GioaETr.exe
C:\Windows\System\GioaETr.exe
C:\Windows\System\YiKUzFk.exe
C:\Windows\System\YiKUzFk.exe
C:\Windows\System\zyobLnr.exe
C:\Windows\System\zyobLnr.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3920-0-0x00007FF634B90000-0x00007FF634EE1000-memory.dmp
memory/3920-1-0x000002CD80F90000-0x000002CD80FA0000-memory.dmp
C:\Windows\System\UdjiDRS.exe
| MD5 | 5f7c8b950482997d895009d2a9d50b44 |
| SHA1 | e054ecf3ea38e351ddebf87474ed74678d8d6636 |
| SHA256 | beeeba0f3779d0f337298b10d9b788bb5b9a2cb437c1208cf16b406e52460ed3 |
| SHA512 | 15ad582d523bcaf9621cc98829772a72e91df5760e780992c7a86368a4ec4e4568ee69a097b7ad3b5ee8fbebd43c1db019bb9fae0054cb60babadcdd78f9d1c0 |
C:\Windows\System\ZeFDnPf.exe
| MD5 | ed1e3ca4ed2845ba32263d00ec35849a |
| SHA1 | eab8f51c7bdecc97ba9022a382de6c7cca262505 |
| SHA256 | 6440cb8d5d65876daa03c57a5e2a5c9698af42574a999266d48c646b1551803a |
| SHA512 | 2f25c985e178defc7995dd95650ed8cbbd30b17efaa927f5e4d3bcf0478a5017f968f4cc799a0e509aee76db84500b9f92c54ec8b389c0b5bc48e6159df2ece1 |
C:\Windows\System\tcCmVVg.exe
| MD5 | 6797827bbb1a58d8311a04c6f2ab9c2e |
| SHA1 | 95f7de7b2539bfc10d301d3225d92de5a1fafa01 |
| SHA256 | aa526cad22f711d568b7dce8569559431df96aa632cdfb18436892d1bce834e0 |
| SHA512 | 175da9de7fee708eef471d1ea367510a9093abb61bfeceb1eab3590ddcc2c05de17bb64e5b4c8439c82f5e29c8029d85db779850bc0a8a91af79d12b25815f03 |
memory/4704-21-0x00007FF759310000-0x00007FF759661000-memory.dmp
C:\Windows\System\BeYByjX.exe
| MD5 | 8aa36a7634dd0ea851463774a28c30f7 |
| SHA1 | b5cc32abe06243d824e82761303e294d2263421e |
| SHA256 | a4d8a6faf70b7f63ee97f38b3d4e55bf454dc04a5c5a603b0ea12318927461da |
| SHA512 | b74019c7e3b3287e55ceef2db6a650fd2eeab20f46b78afe7c052a06621e91c3cc31b020bea638ce13883f2058610a16504c0859d15bbebf9caf2180b9940722 |
C:\Windows\System\kcTcFwc.exe
| MD5 | e3f838df37c4f11095c217b5daedae69 |
| SHA1 | de1bdc77f30f7d6de75b70acaa23f89a2280f9aa |
| SHA256 | 604f9acc0f7a07f65e3ac84ce7ffe886ac2d81c5d8737e38524ce84b4faee75b |
| SHA512 | da2d6bdced3c531b817eb06fff474c2d4234380352cad731fc62cf12ff3ff27ed647f6d4b554b8f596e99001bcc3be13daab9f86e51ec546e65ea49aaf082d6a |
memory/2960-23-0x00007FF7610F0000-0x00007FF761441000-memory.dmp
memory/2508-12-0x00007FF604910000-0x00007FF604C61000-memory.dmp
memory/4716-10-0x00007FF7990C0000-0x00007FF799411000-memory.dmp
memory/2812-31-0x00007FF6293A0000-0x00007FF6296F1000-memory.dmp
C:\Windows\System\gOAcGig.exe
| MD5 | 60ba1acd297fa5ca38a70e48e534cc78 |
| SHA1 | 436fd17bc53f2608fb8de5135ce1654b1827cef8 |
| SHA256 | e9cbeaafe7309396a90b4a50fa8f66662f33ba0181b2505cfbd74bfadfbbc17e |
| SHA512 | 12feb958aed0babb3486a08abd4d8ddaa3a55a76a107146e81712d880099d5f475700780f348b4e2074a742cb8ef56a432d79ad84597115fa428c9fd497e1c8e |
memory/1944-37-0x00007FF7CA700000-0x00007FF7CAA51000-memory.dmp
C:\Windows\System\pglVahh.exe
| MD5 | 1026e44863dbeedd53e648150d9cd37d |
| SHA1 | 0587abf1ef557eabeb266d454505cf583ac7ac9e |
| SHA256 | 07f3a2270d80e63aef89b06c5f236fb3f826d7ad49aa1420969b0939fa029907 |