Analysis Overview
SHA256
663e486d3adffcfcf63f008e7f6d79a5657b699393e770dbe7d86594800cfed8
Threat Level: Known bad
The file 2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
xmrig
Xmrig family
Cobaltstrike
Cobaltstrike family
XMRig Miner payload
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported: 2024-08-15 11:00
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-08-15 11:00
Reported: 2024-08-15 11:03
Platform: win7-20240708-en
Max time kernel: 143s
Max time network: 146s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\RDrPIHG.exe | N/A |
| N/A | N/A | C:\Windows\System\QZhKLGE.exe | N/A |
| N/A | N/A | C:\Windows\System\yLPirLN.exe | N/A |
| N/A | N/A | C:\Windows\System\zttRKXv.exe | N/A |
| N/A | N/A | C:\Windows\System\oJmqUEE.exe | N/A |
| N/A | N/A | C:\Windows\System\WqKphhj.exe | N/A |
| N/A | N/A | C:\Windows\System\ooAWzoG.exe | N/A |
| N/A | N/A | C:\Windows\System\LKVSTmT.exe | N/A |
| N/A | N/A | C:\Windows\System\rjASony.exe | N/A |
| N/A | N/A | C:\Windows\System\szVbeFR.exe | N/A |
| N/A | N/A | C:\Windows\System\GltztZE.exe | N/A |
| N/A | N/A | C:\Windows\System\yvaIpBh.exe | N/A |
| N/A | N/A | C:\Windows\System\ubYattX.exe | N/A |
| N/A | N/A | C:\Windows\System\RtjylDl.exe | N/A |
| N/A | N/A | C:\Windows\System\BmIJUKm.exe | N/A |
| N/A | N/A | C:\Windows\System\PcssotQ.exe | N/A |
| N/A | N/A | C:\Windows\System\yRudPDB.exe | N/A |
| N/A | N/A | C:\Windows\System\vPpejou.exe | N/A |
| N/A | N/A | C:\Windows\System\bTQzGuJ.exe | N/A |
| N/A | N/A | C:\Windows\System\oiVgvxV.exe | N/A |
| N/A | N/A | C:\Windows\System\VzrNtfo.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\RDrPIHG.exe
C:\Windows\System\QZhKLGE.exe
C:\Windows\System\yLPirLN.exe
C:\Windows\System\zttRKXv.exe
C:\Windows\System\oJmqUEE.exe
C:\Windows\System\WqKphhj.exe
C:\Windows\System\ooAWzoG.exe
C:\Windows\System\LKVSTmT.exe
C:\Windows\System\rjASony.exe
C:\Windows\System\szVbeFR.exe
C:\Windows\System\GltztZE.exe
C:\Windows\System\yvaIpBh.exe
C:\Windows\System\ubYattX.exe
C:\Windows\System\RtjylDl.exe
C:\Windows\System\BmIJUKm.exe
C:\Windows\System\PcssotQ.exe
C:\Windows\System\yRudPDB.exe
C:\Windows\System\vPpejou.exe
C:\Windows\System\bTQzGuJ.exe
C:\Windows\System\oiVgvxV.exe
C:\Windows\System\VzrNtfo.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-08-15 11:00
Reported: 2024-08-15 11:03
Platform: win10v2004-20240802-en
Max time kernel: 146s
Max time network: 150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\RDrPIHG.exe | N/A |
| N/A | N/A | C:\Windows\System\QZhKLGE.exe | N/A |
| N/A | N/A | C:\Windows\System\yLPirLN.exe | N/A |
| N/A | N/A | C:\Windows\System\oJmqUEE.exe | N/A |
| N/A | N/A | C:\Windows\System\zttRKXv.exe | N/A |
| N/A | N/A | C:\Windows\System\WqKphhj.exe | N/A |
| N/A | N/A | C:\Windows\System\LKVSTmT.exe | N/A |
| N/A | N/A | C:\Windows\System\ooAWzoG.exe | N/A |
| N/A | N/A | C:\Windows\System\rjASony.exe | N/A |
| N/A | N/A | C:\Windows\System\szVbeFR.exe | N/A |
| N/A | N/A | C:\Windows\System\GltztZE.exe | N/A |
| N/A | N/A | C:\Windows\System\yvaIpBh.exe | N/A |
| N/A | N/A | C:\Windows\System\ubYattX.exe | N/A |
| N/A | N/A | C:\Windows\System\RtjylDl.exe | N/A |
| N/A | N/A | C:\Windows\System\BmIJUKm.exe | N/A |
| N/A | N/A | C:\Windows\System\PcssotQ.exe | N/A |
| N/A | N/A | C:\Windows\System\vPpejou.exe | N/A |
| N/A | N/A | C:\Windows\System\bTQzGuJ.exe | N/A |
| N/A | N/A | C:\Windows\System\yRudPDB.exe | N/A |
| N/A | N/A | C:\Windows\System\oiVgvxV.exe | N/A |
| N/A | N/A | C:\Windows\System\VzrNtfo.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-15_d0b6a56ca169a924433de55a0cca097c_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\RDrPIHG.exe
C:\Windows\System\QZhKLGE.exe
C:\Windows\System\yLPirLN.exe
C:\Windows\System\zttRKXv.exe
C:\Windows\System\oJmqUEE.exe
C:\Windows\System\WqKphhj.exe
C:\Windows\System\ooAWzoG.exe
C:\Windows\System\LKVSTmT.exe
C:\Windows\System\rjASony.exe
C:\Windows\System\szVbeFR.exe
C:\Windows\System\GltztZE.exe
C:\Windows\System\yvaIpBh.exe
C:\Windows\System\ubYattX.exe
C:\Windows\System\RtjylDl.exe
C:\Windows\System\BmIJUKm.exe
C:\Windows\System\PcssotQ.exe
C:\Windows\System\yRudPDB.exe
C:\Windows\System\vPpejou.exe
C:\Windows\System\bTQzGuJ.exe
C:\Windows\System\oiVgvxV.exe
C:\Windows\System\VzrNtfo.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/4604-104-0x00007FF746160000-0x00007FF7464B1000-memory.dmp
C:\Windows\System\oiVgvxV.exe
| MD5 | c23edfc23d12f632b37f9b2cc241fdd2 |
| SHA1 | 066d387b03105e1e1ffd3bf58e8bfb6d4bcd50bf |
| SHA256 | a10e523d0fc04c1e059bc79147cc56a51a1e0e48ea8d6825883794c5c9599f36 |
| SHA512 | 3b365fe8400cb10856ddd610af1145527247d9b3211b82b60287e9a9dd17e2273021d0cc0ce96e38b0b5011c7298ff90ab72567b059998afbeef69c6423634f4 |
C:\Windows\System\VzrNtfo.exe
| MD5 | 7e0343856ac9827b2d68d2cc7dc0b977 |
| SHA1 | fdb59f446ea82fb05e7208418251ef04450abd8a |
| SHA256 | 452f54598755fae343d6460545db91ec0d9abedb658958a349315fb3ca718daa |
| SHA512 | 699adf11b92080950f45de2291cab91bed48e1294570a2768db1932223c1fcc26e0eaf45e2d467caa92eef833b45fad8b5f62568e02ce5eb6cb18497e9a85b4c |
memory/812-129-0x00007FF771ED0000-0x00007FF772221000-memory.dmp
C:\Windows\System\yRudPDB.exe
| MD5 | f1008295165c33711ac78817813e517d |
| SHA1 | 3cd603e5ed9e6f4d7356ba60b48130860cdc8d4b |
| SHA256 | b5f92d0dee40f3785faff5dd45a08e69177a44e0ed47fc6885093010aed3aa14 |
| SHA512 | 072fbcd808858e8d869840d76e59dfe91a6015aff5f563bf9a10e023ec63bf51a02446abb5850e14b8e31ef10a9d24a6a2fcab8aa01f0ab3d7645c3613e1750d |
C:\Windows\System\bTQzGuJ.exe
| MD5 | bef60f92efa033f2de87fa7292bbaadf |
| SHA1 | e7d50d6f8840cf02c9868bfcdbb0e68236e748c0 |
| SHA256 | 6ddd58b0cf3a203e63fa25851c2398d4046cccf85b2b71708410e05d6543595d |
| SHA512 | a48e63e9c52c2cc44fb5f91da29cba108c20e6d66b3dcf92c777b37ce7b3c2fef8f2382dbd150ec0ac434f63158f3feb1f9cb653d2c5620a37cf20763c1ed90e |
C:\Windows\System\vPpejou.exe
| MD5 | 1bc42e4079d769bc40dfd895202a9c66 |
| SHA1 | 0d8253cf60de1a8ff37bc78176ab0eeb8c86b0ae |
| SHA256 | 20b0ef1a899b74047edc5ef20ee0526809bdf3044eaa8df0e60ff3df23d7d9a7 |
| SHA512 | 44d3e1ab823e11f51a6728720be09c9eb01aabe8959414372848aa780c634efe8a0637ab25345f9d7dfc5720fd15f863258c9a6f517dd8318fa0daf198afd059 |
memory/4588-112-0x00007FF735390000-0x00007FF7356E1000-memory.dmp
memory/1208-105-0x00007FF7C75D0000-0x00007FF7C7921000-memory.dmp
C:\Windows\System\RtjylDl.exe
| MD5 | 761e277c885a34657ccbe55914a75a09 |
| SHA1 | b7a0051768567410642afc0762efa353bc0ff5cc |
| SHA256 | 9c80c1a2ad355328c4aa943b3ee6c7b1062fdd5b0e61fc1bd29e7dad7519e07f |
| SHA512 | fd4704645527c6ba65f745eded9dcfb25dc6c4d6333e735c7fa087eb2939d0ecd1e0b2cdfded3b1651a892933f7a087698f63657de3ac9493c41ffb87c9f47a1 |
memory/2820-96-0x00007FF6EA5D0000-0x00007FF6EA921000-memory.dmp
memory/1500-95-0x00007FF733BF0000-0x00007FF733F41000-memory.dmp
memory/4700-94-0x00007FF797B70000-0x00007FF797EC1000-memory.dmp
memory/4496-89-0x00007FF72BD30000-0x00007FF72C081000-memory.dmp
memory/2940-87-0x00007FF7F6570000-0x00007FF7F68C1000-memory.dmp
C:\Windows\System\ubYattX.exe
| MD5 | b9923bce94e49319210703f3bcc07b88 |
| SHA1 | ad45e5a32fd15ac179a88a75162777e1ff6b423b |
| SHA256 | a4c7001dcfde9ec6b8b1da0144d6be2dbf9b43782f554820b0837b36097a9c63 |
| SHA512 | 8333afdffe0ca018ed4f0a3e5cd509690464c54f0d81b26434e67560a96c62fbdb0918339562fbb343e10a73c2247cab8841419a9b1afee73b6933bf3487562f |
memory/3020-79-0x00007FF6E2E20000-0x00007FF6E3171000-memory.dmp
memory/4340-77-0x00007FF7966D0000-0x00007FF796A21000-memory.dmp
memory/4024-131-0x00007FF716CD0000-0x00007FF717021000-memory.dmp
memory/3316-132-0x00007FF737080000-0x00007FF7373D1000-memory.dmp
memory/2892-142-0x00007FF6F26F0000-0x00007FF6F2A41000-memory.dmp
memory/1680-144-0x00007FF72CAE0000-0x00007FF72CE31000-memory.dmp
memory/3428-145-0x00007FF72D640000-0x00007FF72D991000-memory.dmp
memory/3968-143-0x00007FF789E40000-0x00007FF78A191000-memory.dmp
memory/1388-141-0x00007FF736040000-0x00007FF736391000-memory.dmp
memory/4496-149-0x00007FF72BD30000-0x00007FF72C081000-memory.dmp
memory/812-153-0x00007FF771ED0000-0x00007FF772221000-memory.dmp
memory/2820-150-0x00007FF6EA5D0000-0x00007FF6EA921000-memory.dmp
memory/2940-148-0x00007FF7F6570000-0x00007FF7F68C1000-memory.dmp
memory/1500-151-0x00007FF733BF0000-0x00007FF733F41000-memory.dmp
memory/3316-157-0x00007FF737080000-0x00007FF7373D1000-memory.dmp
memory/4340-211-0x00007FF7966D0000-0x00007FF796A21000-memory.dmp
memory/3020-213-0x00007FF6E2E20000-0x00007FF6E3171000-memory.dmp
memory/4700-215-0x00007FF797B70000-0x00007FF797EC1000-memory.dmp
memory/4936-217-0x00007FF6BAC40000-0x00007FF6BAF91000-memory.dmp
memory/4604-221-0x00007FF746160000-0x00007FF7464B1000-memory.dmp
memory/2188-224-0x00007FF7B7F70000-0x00007FF7B82C1000-memory.dmp
memory/1208-225-0x00007FF7C75D0000-0x00007FF7C7921000-memory.dmp
memory/4588-227-0x00007FF735390000-0x00007FF7356E1000-memory.dmp
memory/2892-229-0x00007FF6F26F0000-0x00007FF6F2A41000-memory.dmp
memory/1388-231-0x00007FF736040000-0x00007FF736391000-memory.dmp
memory/2692-241-0x00007FF724D30000-0x00007FF725081000-memory.dmp
memory/1180-243-0x00007FF660320000-0x00007FF660671000-memory.dmp
memory/2940-245-0x00007FF7F6570000-0x00007FF7F68C1000-memory.dmp
memory/2820-247-0x00007FF6EA5D0000-0x00007FF6EA921000-memory.dmp
memory/4496-249-0x00007FF72BD30000-0x00007FF72C081000-memory.dmp
memory/1500-254-0x00007FF733BF0000-0x00007FF733F41000-memory.dmp
memory/4024-256-0x00007FF716CD0000-0x00007FF717021000-memory.dmp
memory/3428-259-0x00007FF72D640000-0x00007FF72D991000-memory.dmp
memory/812-264-0x00007FF771ED0000-0x00007FF772221000-memory.dmp
memory/3968-263-0x00007FF789E40000-0x00007FF78A191000-memory.dmp
memory/1680-261-0x00007FF72CAE0000-0x00007FF72CE31000-memory.dmp