Analysis Overview
SHA256
7704bc9af6bfe7ac6738088d5b4e6882e3058f4e8b919a50119f487876c069ed
Threat Level: Known bad
The file 2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Xmrig family
XMRig Miner payload
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-14 20:49
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-14 20:49
Reported
2024-08-14 20:52
Platform
win7-20240729-en
Max time kernel
140s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\WIIherF.exe | N/A |
| N/A | N/A | C:\Windows\System\YgyaSpb.exe | N/A |
| N/A | N/A | C:\Windows\System\KyhBGXG.exe | N/A |
| N/A | N/A | C:\Windows\System\MlWYeUc.exe | N/A |
| N/A | N/A | C:\Windows\System\hNUuAOX.exe | N/A |
| N/A | N/A | C:\Windows\System\iBTrSTB.exe | N/A |
| N/A | N/A | C:\Windows\System\QGtpkLO.exe | N/A |
| N/A | N/A | C:\Windows\System\uEdVpvG.exe | N/A |
| N/A | N/A | C:\Windows\System\yzqaHIx.exe | N/A |
| N/A | N/A | C:\Windows\System\AxEOCuI.exe | N/A |
| N/A | N/A | C:\Windows\System\yVtUVDD.exe | N/A |
| N/A | N/A | C:\Windows\System\vmWGEln.exe | N/A |
| N/A | N/A | C:\Windows\System\ccyTQib.exe | N/A |
| N/A | N/A | C:\Windows\System\zzhREvn.exe | N/A |
| N/A | N/A | C:\Windows\System\oNPVPph.exe | N/A |
| N/A | N/A | C:\Windows\System\UaECsnx.exe | N/A |
| N/A | N/A | C:\Windows\System\NtsiVKY.exe | N/A |
| N/A | N/A | C:\Windows\System\SjUrMMR.exe | N/A |
| N/A | N/A | C:\Windows\System\KUVLbar.exe | N/A |
| N/A | N/A | C:\Windows\System\fQcFiSl.exe | N/A |
| N/A | N/A | C:\Windows\System\hUHbMal.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\WIIherF.exe
C:\Windows\System\YgyaSpb.exe
C:\Windows\System\KyhBGXG.exe
C:\Windows\System\MlWYeUc.exe
C:\Windows\System\hNUuAOX.exe
C:\Windows\System\iBTrSTB.exe
C:\Windows\System\QGtpkLO.exe
C:\Windows\System\uEdVpvG.exe
C:\Windows\System\yzqaHIx.exe
C:\Windows\System\AxEOCuI.exe
C:\Windows\System\yVtUVDD.exe
C:\Windows\System\UaECsnx.exe
C:\Windows\System\vmWGEln.exe
C:\Windows\System\NtsiVKY.exe
C:\Windows\System\ccyTQib.exe
C:\Windows\System\KUVLbar.exe
C:\Windows\System\zzhREvn.exe
C:\Windows\System\fQcFiSl.exe
C:\Windows\System\oNPVPph.exe
C:\Windows\System\hUHbMal.exe
C:\Windows\System\SjUrMMR.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-14 20:49
Reported
2024-08-14 20:52
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\cVEsHsq.exe | N/A |
| N/A | N/A | C:\Windows\System\NGliWzF.exe | N/A |
| N/A | N/A | C:\Windows\System\cisLhAN.exe | N/A |
| N/A | N/A | C:\Windows\System\VtltUYH.exe | N/A |
| N/A | N/A | C:\Windows\System\NXGcrVV.exe | N/A |
| N/A | N/A | C:\Windows\System\uccTCjZ.exe | N/A |
| N/A | N/A | C:\Windows\System\jToKUih.exe | N/A |
| N/A | N/A | C:\Windows\System\faINjHF.exe | N/A |
| N/A | N/A | C:\Windows\System\CUhMTAt.exe | N/A |
| N/A | N/A | C:\Windows\System\YynnUDO.exe | N/A |
| N/A | N/A | C:\Windows\System\UbwjMwO.exe | N/A |
| N/A | N/A | C:\Windows\System\rBFJDlt.exe | N/A |
| N/A | N/A | C:\Windows\System\HuLeswS.exe | N/A |
| N/A | N/A | C:\Windows\System\REDriUJ.exe | N/A |
| N/A | N/A | C:\Windows\System\ahLGPDn.exe | N/A |
| N/A | N/A | C:\Windows\System\dQpbxto.exe | N/A |
| N/A | N/A | C:\Windows\System\hItrEtG.exe | N/A |
| N/A | N/A | C:\Windows\System\aQlFyQE.exe | N/A |
| N/A | N/A | C:\Windows\System\KUPuEjQ.exe | N/A |
| N/A | N/A | C:\Windows\System\LpXixTv.exe | N/A |
| N/A | N/A | C:\Windows\System\hWkdUiH.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_2339ca56a292236cc4d3883a9e7c78c8_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\cVEsHsq.exe
C:\Windows\System\NGliWzF.exe
C:\Windows\System\cisLhAN.exe
C:\Windows\System\VtltUYH.exe
C:\Windows\System\NXGcrVV.exe
C:\Windows\System\uccTCjZ.exe
C:\Windows\System\jToKUih.exe
C:\Windows\System\faINjHF.exe
C:\Windows\System\CUhMTAt.exe
C:\Windows\System\YynnUDO.exe
C:\Windows\System\rBFJDlt.exe
C:\Windows\System\UbwjMwO.exe
C:\Windows\System\HuLeswS.exe
C:\Windows\System\REDriUJ.exe
C:\Windows\System\ahLGPDn.exe
C:\Windows\System\dQpbxto.exe
C:\Windows\System\hItrEtG.exe
C:\Windows\System\aQlFyQE.exe
C:\Windows\System\KUPuEjQ.exe
C:\Windows\System\LpXixTv.exe
C:\Windows\System\hWkdUiH.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
| MD5 | 41c67c6207db834952005d08dcd93d52 |
| SHA1 | 82168dcc0af5bda02df12ae007a3974843ad564b |
| SHA256 | 2f75fc9d0b72d22cb1cd5f22d8a8ad17800ebe5a7cf98a51794719519298299e |
| SHA512 | 888bcc0979b546f072aa99cebd1f16f63943808aa54ab4e5af0169b3d6542aaa485a0b9b42346d9e6ee5eabca1b80e3e5154e2e376183905f2163480250ebfab |
memory/1048-74-0x00007FF731290000-0x00007FF7315E1000-memory.dmp
memory/732-66-0x00007FF7A8650000-0x00007FF7A89A1000-memory.dmp
C:\Windows\System\CUhMTAt.exe
| MD5 | 1160df369cabea1b6951762ba72af1c0 |
| SHA1 | 9b10dd370fe36512254e1b3d771ed5e244af5321 |
| SHA256 | 10d32595ae1a96aae744b946f92f600e4bd022e4d4e95c8052942e7fcd484f1a |
| SHA512 | 569612de3042e58ae040b079eacc744725cf76acf4501294ecef793256c6647c41730bd79a913f99baeae2f73c8633217f02b8accd89d4d9a98b92f52fd40f94 |
memory/396-60-0x00007FF759CE0000-0x00007FF75A031000-memory.dmp
memory/2452-52-0x00007FF7B2EA0000-0x00007FF7B31F1000-memory.dmp
memory/324-45-0x00007FF6D71C0000-0x00007FF6D7511000-memory.dmp
memory/3604-12-0x00007FF7E7A90000-0x00007FF7E7DE1000-memory.dmp
memory/3120-10-0x00007FF6DDAF0000-0x00007FF6DDE41000-memory.dmp
C:\Windows\System\cVEsHsq.exe
| MD5 | 6b31b1cf00d3cf86b1b7039952f1f6fe |
| SHA1 | 9b04df83d3f5f3a554a349bce75805e6bc70a830 |
| SHA256 | 0d9b1628404062ab0df9b5c69f37507953df8c0764e6142fce01119047941990 |
| SHA512 | aa4cc287f22b0c68128b6e5645ae140a0c485233a5d773a932a8c42e52b761ec9fb984987a5372861f8e9ed51d2923b9cc4f32c8e489f4693010f431878f831f |
memory/2372-130-0x00007FF7B1B80000-0x00007FF7B1ED1000-memory.dmp
memory/1888-129-0x00007FF79E920000-0x00007FF79EC71000-memory.dmp
memory/4780-128-0x00007FF691340000-0x00007FF691691000-memory.dmp
memory/1652-131-0x00007FF7ACCF0000-0x00007FF7AD041000-memory.dmp
memory/1048-132-0x00007FF731290000-0x00007FF7315E1000-memory.dmp
memory/3164-143-0x00007FF621A80000-0x00007FF621DD1000-memory.dmp
memory/4780-150-0x00007FF691340000-0x00007FF691691000-memory.dmp
memory/4932-147-0x00007FF777BB0000-0x00007FF777F01000-memory.dmp
memory/764-149-0x00007FF699D80000-0x00007FF69A0D1000-memory.dmp
memory/2964-146-0x00007FF65A0E0000-0x00007FF65A431000-memory.dmp
memory/396-141-0x00007FF759CE0000-0x00007FF75A031000-memory.dmp
memory/732-142-0x00007FF7A8650000-0x00007FF7A89A1000-memory.dmp
memory/2384-137-0x00007FF7169E0000-0x00007FF716D31000-memory.dmp
memory/1048-154-0x00007FF731290000-0x00007FF7315E1000-memory.dmp
memory/3120-207-0x00007FF6DDAF0000-0x00007FF6DDE41000-memory.dmp
memory/3604-209-0x00007FF7E7A90000-0x00007FF7E7DE1000-memory.dmp
memory/3200-211-0x00007FF6D7110000-0x00007FF6D7461000-memory.dmp
memory/4204-213-0x00007FF75E980000-0x00007FF75ECD1000-memory.dmp
memory/2384-215-0x00007FF7169E0000-0x00007FF716D31000-memory.dmp
memory/5116-217-0x00007FF716000000-0x00007FF716351000-memory.dmp
memory/324-219-0x00007FF6D71C0000-0x00007FF6D7511000-memory.dmp
memory/2452-221-0x00007FF7B2EA0000-0x00007FF7B31F1000-memory.dmp
memory/732-223-0x00007FF7A8650000-0x00007FF7A89A1000-memory.dmp
memory/396-225-0x00007FF759CE0000-0x00007FF75A031000-memory.dmp
memory/3008-227-0x00007FF72D7B0000-0x00007FF72DB01000-memory.dmp
memory/3164-229-0x00007FF621A80000-0x00007FF621DD1000-memory.dmp
memory/2964-233-0x00007FF65A0E0000-0x00007FF65A431000-memory.dmp
memory/2816-232-0x00007FF694C30000-0x00007FF694F81000-memory.dmp
memory/4932-237-0x00007FF777BB0000-0x00007FF777F01000-memory.dmp
memory/4692-236-0x00007FF6CF8D0000-0x00007FF6CFC21000-memory.dmp
memory/1888-243-0x00007FF79E920000-0x00007FF79EC71000-memory.dmp
memory/764-241-0x00007FF699D80000-0x00007FF69A0D1000-memory.dmp
memory/4780-240-0x00007FF691340000-0x00007FF691691000-memory.dmp
memory/1652-245-0x00007FF7ACCF0000-0x00007FF7AD041000-memory.dmp
memory/2372-247-0x00007FF7B1B80000-0x00007FF7B1ED1000-memory.dmp