Analysis Overview
SHA256
ffce603765f6bad1f27321a2c7dbe428b7b7aa9d5d4a0ed78b83296fc3f236f1
Threat Level: Known bad
The file 2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
XMRig Miner payload
Cobaltstrike family
Cobalt Strike reflective loader
xmrig
Xmrig family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-25 11:52
Signatures
Cobalt Strike reflective loader (1 hit; description, indicator, process and target all recorded as N/A)
Cobaltstrike family
XMRig Miner payload (1 hit; description, indicator, process and target all recorded as N/A)
Xmrig family
UPX packed file (1 hit; description, indicator, process and target all recorded as N/A)
Unsigned PE (2 hits; description, indicator, process and target all recorded as N/A)
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 11:52
Reported
2024-10-25 11:54
Platform
win7-20240903-en
Max time kernel
140s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader (21 hits; description, indicator, process and target all recorded as N/A)
Cobaltstrike
xmrig
XMRig Miner payload (41 hits; description, indicator, process and target all recorded as N/A)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ovrsbix.exe | N/A |
| N/A | N/A | C:\Windows\System\AXOozjm.exe | N/A |
| N/A | N/A | C:\Windows\System\vPyYRrZ.exe | N/A |
| N/A | N/A | C:\Windows\System\jTxAHHz.exe | N/A |
| N/A | N/A | C:\Windows\System\CwhxAJo.exe | N/A |
| N/A | N/A | C:\Windows\System\hdyluPt.exe | N/A |
| N/A | N/A | C:\Windows\System\akfvPJS.exe | N/A |
| N/A | N/A | C:\Windows\System\QChvyPh.exe | N/A |
| N/A | N/A | C:\Windows\System\QwhyrUh.exe | N/A |
| N/A | N/A | C:\Windows\System\nihYrQn.exe | N/A |
| N/A | N/A | C:\Windows\System\xabPOoe.exe | N/A |
| N/A | N/A | C:\Windows\System\TcKMHTv.exe | N/A |
| N/A | N/A | C:\Windows\System\KHAglYz.exe | N/A |
| N/A | N/A | C:\Windows\System\dUhUXFw.exe | N/A |
| N/A | N/A | C:\Windows\System\uXpZXMS.exe | N/A |
| N/A | N/A | C:\Windows\System\stxLpsb.exe | N/A |
| N/A | N/A | C:\Windows\System\ocoYEit.exe | N/A |
| N/A | N/A | C:\Windows\System\nhFXJOE.exe | N/A |
| N/A | N/A | C:\Windows\System\IvcBcQQ.exe | N/A |
| N/A | N/A | C:\Windows\System\kGVUcgu.exe | N/A |
| N/A | N/A | C:\Windows\System\xlkAOgW.exe | N/A |
Loads dropped DLL
UPX packed file (62 hits; description, indicator, process and target all recorded as N/A)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
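The three behaviours in this signature list that survive across the randomly named drops are the pattern a detection should key on: a loader running from a user-writable path starts seven-letter EXEs out of C:\Windows\System (the non-standard sibling of System32), the loader enables SeLockMemoryPrivilege (XMRig requests it so its scratchpad can be backed by large pages), and one external ip:port is contacted over and over. The following is an added example written for this page, not tooling from the sandbox or from any of the detected families; SAMPLE_EVENTS are constructed Sysmon-style records that mirror the Processes, AdjustPrivilegeToken and Network sections of this report, the `sample.exe` image name is a stand-in for the long submitted filename, and the user-writable roots and the "three signals = malicious" threshold are this example's own assumptions.

```python
r"""
Host-side detection logic for the behaviour chain recorded above: a sample running
from a user-writable path drops seven-letter randomly named EXEs into
C:\Windows\System and executes them, the sample enables SeLockMemoryPrivilege
(XMRig asks for it to back its scratchpad with large pages), and one external
ip:port is contacted repeatedly. SAMPLE_EVENTS are constructed Sysmon-style
records mirroring the report's Processes, AdjustPrivilegeToken and Network
sections; they are not the sandbox's raw log.
"""
import re
from collections import Counter, defaultdict

# The dropped files on this page are exactly seven ASCII letters plus .exe under
# C:\Windows\System (not System32); nothing legitimate is normally written there.
DROPPED_EXE_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
# Parents launched from these roots are treated as untrusted loaders (assumption).
USER_WRITABLE_ROOTS = ("C:\\Users\\", "C:\\ProgramData\\", "C:\\Windows\\Temp\\")
SAMPLE_IMAGE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe"  # constructed stand-in name

SAMPLE_EVENTS = (  # constructed telemetry, pids taken from the memory dump names above
    [
        {"type": "process", "pid": 2532, "ppid": 1200, "image": SAMPLE_IMAGE},
        {"type": "process", "pid": 1956, "ppid": 2532, "image": "C:\\Windows\\System\\ovrsbix.exe"},
        {"type": "process", "pid": 2328, "ppid": 2532, "image": "C:\\Windows\\System\\vPyYRrZ.exe"},
        {"type": "process", "pid": 1300, "ppid": 2532, "image": "C:\\Windows\\System\\AXOozjm.exe"},
        {"type": "process", "pid": 4000, "ppid": 700, "image": "C:\\Windows\\System32\\svchost.exe"},
        {"type": "privilege", "pid": 2532, "image": SAMPLE_IMAGE, "privilege": "SeLockMemoryPrivilege"},
        {"type": "privilege", "pid": 4000, "image": "C:\\Windows\\System32\\svchost.exe", "privilege": "SeDebugPrivilege"},
    ]
    + [{"type": "network", "pid": 2532, "dst": "3.120.209.58", "dport": 8080, "proto": "tcp"} for _ in range(6)]
    + [{"type": "network", "pid": 4000, "dst": "8.8.8.8", "dport": 53, "proto": "udp"}]
)


def dropped_exe_children(events):
    """Map each parent pid to the random-named EXEs it started under the System directory."""
    children = defaultdict(list)
    for e in events:
        if e["type"] == "process" and DROPPED_EXE_RE.match(e["image"]):
            children[e["ppid"]].append(e["image"])
    return dict(children)


def lock_memory_requests(events):
    """(pid, image) pairs for processes outside the Windows directory that enable
    SeLockMemoryPrivilege. Legitimate large-page users (database engines, for one)
    exist, so on its own this is only a weak signal."""
    return [
        (e["pid"], e["image"])
        for e in events
        if e["type"] == "privilege"
        and e["privilege"] == "SeLockMemoryPrivilege"
        and not e["image"].lower().startswith("c:\\windows\\")
    ]


def repeated_destinations(events, min_hits=3):
    """Count TCP connections per (dst, dport) and keep those seen min_hits times or more.
    UDP (DNS in the sample) is ignored here."""
    hits = Counter(
        (e["dst"], e["dport"]) for e in events if e["type"] == "network" and e["proto"] == "tcp"
    )
    return {k: v for k, v in hits.items() if v >= min_hits}


def assess(events):
    """Combine the three signals: all three firing is 'malicious', two is 'suspicious'."""
    images = {e["pid"]: e["image"] for e in events if e["type"] == "process"}
    drops = {
        ppid: imgs
        for ppid, imgs in dropped_exe_children(events).items()
        if images.get(ppid, "").startswith(USER_WRITABLE_ROOTS)
    }
    privs = lock_memory_requests(events)
    beacons = repeated_destinations(events)
    fired = sum(bool(x) for x in (drops, privs, beacons))
    verdict = {3: "malicious", 2: "suspicious"}.get(fired, "benign")
    return {"verdict": verdict, "dropped": drops, "lock_memory": privs, "beacons": beacons}


if __name__ == "__main__":
    result = assess(SAMPLE_EVENTS)
    print(result["verdict"])
    for parent, imgs in result["dropped"].items():
        print(f"pid {parent} started {len(imgs)} random-named EXEs under the System directory")
    for (dst, port), n in result["beacons"].items():
        print(f"{n} TCP connections to {dst}:{port}")
```

The parent-path filter in assess is what keeps this from firing on an installer that legitimately writes into the Windows directory: the drops only count when the parent itself runs from a user-writable location, which is the case for the Temp-resident sample in this report.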
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\ovrsbix.exe
C:\Windows\System\ovrsbix.exe
C:\Windows\System\vPyYRrZ.exe
C:\Windows\System\vPyYRrZ.exe
C:\Windows\System\AXOozjm.exe
C:\Windows\System\AXOozjm.exe
C:\Windows\System\jTxAHHz.exe
C:\Windows\System\jTxAHHz.exe
C:\Windows\System\CwhxAJo.exe
C:\Windows\System\CwhxAJo.exe
C:\Windows\System\hdyluPt.exe
C:\Windows\System\hdyluPt.exe
C:\Windows\System\akfvPJS.exe
C:\Windows\System\akfvPJS.exe
C:\Windows\System\xabPOoe.exe
C:\Windows\System\xabPOoe.exe
C:\Windows\System\QChvyPh.exe
C:\Windows\System\QChvyPh.exe
C:\Windows\System\TcKMHTv.exe
C:\Windows\System\TcKMHTv.exe
C:\Windows\System\QwhyrUh.exe
C:\Windows\System\QwhyrUh.exe
C:\Windows\System\KHAglYz.exe
C:\Windows\System\KHAglYz.exe
C:\Windows\System\nihYrQn.exe
C:\Windows\System\nihYrQn.exe
C:\Windows\System\uXpZXMS.exe
C:\Windows\System\uXpZXMS.exe
C:\Windows\System\dUhUXFw.exe
C:\Windows\System\dUhUXFw.exe
C:\Windows\System\IvcBcQQ.exe
C:\Windows\System\IvcBcQQ.exe
C:\Windows\System\stxLpsb.exe
C:\Windows\System\stxLpsb.exe
C:\Windows\System\kGVUcgu.exe
C:\Windows\System\kGVUcgu.exe
C:\Windows\System\ocoYEit.exe
C:\Windows\System\ocoYEit.exe
C:\Windows\System\xlkAOgW.exe
C:\Windows\System\xlkAOgW.exe
C:\Windows\System\nhFXJOE.exe
C:\Windows\System\nhFXJOE.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2532-0-0x000000013FD00000-0x0000000140051000-memory.dmp
memory/2532-1-0x00000000000F0000-0x0000000000100000-memory.dmp
C:\Windows\system\ovrsbix.exe
| MD5 | b747aec628f8cc1dddb412c8ce2ff573 |
| SHA1 | 1171aa9a966a57ece62459a2b0ab4681fab3b2a9 |
| SHA256 | 2e605fc8d4d69b3495918433ff9c581b284fb79d44b680623a149a3d1151da16 |
| SHA512 | 7af332817f4c30e13fb46765e31147afdee46c3e680aa36421505e4cad1a58f4e55ae877c8b16a836fb59d9392439f967c4d9e7f863c3fefe03314b2ea2942ab |
\Windows\system\vPyYRrZ.exe
| MD5 | 731bb354aee32b74dc17d3b8faaa6b1c |
| SHA1 | 6e0048d57fd3aca9315fe2ff50da2ab5d77c5874 |
| SHA256 | 437d9857ddce2576cf0261b6d87efaa070968e29ff849b3c72c7adcfd4eff591 |
| SHA512 | d514b39eaf258fe2a60a7547108489866a91666bc27efb61fa450c6ceaaac653243479dde9de9d981870c298fbae4cac0ccc7604bf03b72dfa91f9b08a621ef9 |
\Windows\system\jTxAHHz.exe
| MD5 | ea26bd2c13ec70e2d364cfcc0300d8b1 |
| SHA1 | af03a8bf8d0f1c8bfe9503e2a94631213471a9a6 |
| SHA256 | 48254d202e4dd0eb3edb3aa0788301c8d82facf8a0833e4df1c02b4295884716 |
| SHA512 | f594f384cf432d78e475f98cec239d32b66fd3bbc14e51182f268fa7e87b2cbd5158c31eee08362c36f3ab5b4662727769b4c3fd20de8e89703e8837c98da7cd |
C:\Windows\system\AXOozjm.exe
| MD5 | dd7b7b1f301fe7bc635bc5caedd1d98e |
| SHA1 | 2de8dd0873711a8bd4a8a6f05b95c38e2845dc24 |
| SHA256 | ea87847bed4a84c67729792a4bf5ef4df89e90a4854c83168beba7b32643bb59 |
| SHA512 | 6be4947d689558ac4c100dd31c0b4fca4dc367451e2e5c038efa127d8878f56487a860e36c60b89117f6bfa7f3e63ad4cf0e2bb434cb7619126d8b8fd93a1288 |
memory/2532-21-0x000000013F800000-0x000000013FB51000-memory.dmp
memory/2532-25-0x00000000022F0000-0x0000000002641000-memory.dmp
\Windows\system\CwhxAJo.exe
| MD5 | 3dfb3012eb1ca73d46078be4ff496932 |
| SHA1 | 6e93f073c22d36353f3dc28321d06a854085cd24 |
| SHA256 | f06f81da1e6e5adebd9cca82cad4ead356c082891541b543c801edc70fd609af |
| SHA512 | 944d83eda315a8a3f901de910048ba7ecd34e0d5ce1dc60b6bd9ac796aff53ccc387f1458b5d0f916fe2019ce97738f575e497e85214259b13f268732710728f |
memory/1956-24-0x000000013F800000-0x000000013FB51000-memory.dmp
memory/2328-23-0x000000013F260000-0x000000013F5B1000-memory.dmp
memory/1300-31-0x000000013FE00000-0x0000000140151000-memory.dmp
\Windows\system\hdyluPt.exe
| MD5 | 021ef29676f6bb9192fb222c2fa0a76f |
| SHA1 | ec60b055ff832b2c0de21704ce855860586b078b |
| SHA256 | fc34fc87fc03375ed5aa253f15633247781f81ef5c2f837a4898c17a11ff6526 |
| SHA512 | 1ac6f9517a4e1e7f22ee3d35ccc134becd6fe4ad15937e38094b45286c726fc220f683eb0d5672caedd971fef9da49c795822f17c902bb31fd1e4f8d5729e6a9 |
memory/2816-35-0x000000013F4B0000-0x000000013F801000-memory.dmp
\Windows\system\QwhyrUh.exe
| MD5 | 61fe9e548561343b63bc33b0160ed2ff |
| SHA1 | 0105df08bc88c718ed6bf240d6755b34d701b942 |
| SHA256 | 9872f7e0079f11893de835767e667f347dcfe1080f5a30fae9bc19e81a8f7c20 |
| SHA512 | 0864f936df7091be0fa451e279d8faad2fbd74833ca13e9ba20b1ab7a5acbd5c4c92be979e9a23db55b67690a5c3ff5c397a14e917b4f252a99764c99bf650e3 |
C:\Windows\system\akfvPJS.exe
| MD5 | 5a05ff45dee6fa342c95ef78b69dc316 |
| SHA1 | 0a37393a1c39e9642767528e11451fb21624a8aa |
| SHA256 | 29766e57260d63826c5531b6c3eaae04fc6c1951d1bb47ef06bc596aad5c368c |
| SHA512 | 752c5217b245c9dfec9cff859d8c45409d50d74d8df3f29cbc934cf679ff0100fba201ffe2c02ad0ef95266803ff3a75235ae6ba4316ca0bf428fea447b21851 |
memory/2532-59-0x000000013F4B0000-0x000000013F801000-memory.dmp
memory/2532-96-0x00000000022F0000-0x0000000002641000-memory.dmp
\Windows\system\xlkAOgW.exe
| MD5 | dd38dc3dc1d23738f5ab13f4c78f2b10 |
| SHA1 | 0a21ff3e02f9f6e790d41649048e8c4dbd8e9b8f |
| SHA256 | 6c979b7130af2048f6d822567192ea1c8a2e37742ef59cc71a5cc5e0d4bf50c8 |
| SHA512 | 0a30c2f01ab647d5e359bf23c096e0f506bd2d9e1e8bfee4c943edbc66fc2b001c3aeb4d1800dbfb9b14e60ef312d70460412247e6a8337c6f5cb9d438b72e29 |
memory/2780-100-0x000000013F240000-0x000000013F591000-memory.dmp
memory/2532-99-0x00000000022F0000-0x0000000002641000-memory.dmp
C:\Windows\system\stxLpsb.exe
| MD5 | 456c7bd5d92aeac7a720db03ce3bf034 |
| SHA1 | a46aa7f83d24953fd91d04d6e870fd8e26abfb59 |
| SHA256 | 1187905fcae89521ffdd2659f5534adaf36554846f3285a0910ffd1e0d1d75e7 |
| SHA512 | f323f94f6bd438805a3bd09dff3fb3c6bdc359dfea6f035590545dcd7f080345b92c7ad7a165a30110f06477db5f980818dd24bb33773556a6b96ea15065ad80 |
C:\Windows\system\uXpZXMS.exe
| MD5 | b011a4bc3b8d63ebe6624ca657e25b14 |
| SHA1 | 97097450edb7640107229a95e866937c5fd803f1 |
| SHA256 | d53b63476eece83bf2d763ba2e49b31787d018d82ef5a744b6c8537deb01d6c3 |
| SHA512 | 7629653d77a90c4f20a3c57e00711cf514e8c3ce0a90cd823ac6b17e0ac866155a05cc58648d1588cdba8bf3d6355c817a34e5a6060acfe6a36af0e3697b2265 |
\Windows\system\kGVUcgu.exe
| MD5 | b383dd9b2c7267068f9164ef983b46a6 |
| SHA1 | c84bcfd78d5c0c4ae2027d1d6b70cf0c349dc219 |
| SHA256 | aac41dea56ecece8dca1604f8a9b7a5a944ff575fd7c1013ab2b7d82f5aa82be |
| SHA512 | 7b34cfb20c582964bd978d529b2cb3ffa29619d705fe15fe77f2c2b22ba03bc1e1c56e79ed512408dc4bfdf090334defa7bbac1fd318fd74a046c29f7428fc2a |
memory/3020-88-0x000000013F940000-0x000000013FC91000-memory.dmp
\Windows\system\IvcBcQQ.exe
| MD5 | f4d5049db7fc4739bc9e208fb63ffce1 |
| SHA1 | bdac238af3c0eeeb2c27e3b1e2b723eebff3f507 |
| SHA256 | 0233a04e202368834bc52bb37cdb1f010eefd05be6246a6373f19e0ade57f561 |
| SHA512 | d6084c781313465d5b1d0c1e06b70c23dc2c8b9be7c813f8c4ddb042e19e4b7cc9bc1f6c1e9244017721a3d07cea01bbb8fc9e325f5f4796d9246bb4c88d9e41 |
C:\Windows\system\xabPOoe.exe
| MD5 | e7f8403e22d0ab1593160418aa38c121 |
| SHA1 | 69c44ae2b5feaedde7626c55e7807e4b55245f63 |
| SHA256 | 4873e247acd6f5cff04fb9e2880003604beddb5df2e3cfa6c01c92d4becd2b6b |
| SHA512 | 8cefa3a51dc17de934ea825a625e80ed434a7cc0a4c04b8fa9d5aec511ead6df23859aa796dba10653d7b104e06512c030470cd138383b8c8ed3d2b80b3ab4c7 |
\Windows\system\KHAglYz.exe
| MD5 | e89c564d0e70f0ea54a69b2e1652999e |
| SHA1 | ba1612a45e47021792b0388ee4d88dcea1cfbe2a |
| SHA256 | ba4310c1cd999869ac490af9ff393abd9f0459af58c92f411d47263a54fc6c6b |
| SHA512 | f449ca55629ccd37ac2ce603db1b5835c1ba9e02c1d9640e60d39f55a72d9951aad71b73cb4d35076b6c8cb41f16b4ed3f51490978a9f3c13aa8e4650919a638 |
\Windows\system\TcKMHTv.exe
| MD5 | be84a168702978b0ea5a5f861ddd70c9 |
| SHA1 | 7c2e7020490cb404a7d0cc47b7c5155eb3a07f5a |
| SHA256 | 08d4084dce88f147517f8ad8f5e13aab27092e8ecc8192e05489d5749d078dab |
| SHA512 | e12be6c0747a906495c6940018e63bc80a9a00e1d89218259b678151c4c312701f75fbecf43765c4ce5b08c5216c41cd00aa96869b01fe1d98bee5d82bc07128 |
memory/2620-123-0x000000013F060000-0x000000013F3B1000-memory.dmp
memory/2908-122-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/2532-121-0x000000013F250000-0x000000013F5A1000-memory.dmp
memory/2764-120-0x000000013F710000-0x000000013FA61000-memory.dmp
memory/1292-119-0x000000013F760000-0x000000013FAB1000-memory.dmp
memory/2716-118-0x000000013FEE0000-0x0000000140231000-memory.dmp
memory/2532-117-0x000000013F760000-0x000000013FAB1000-memory.dmp
C:\Windows\system\nhFXJOE.exe
| MD5 | 5f7a70af28f40145fcd78ff443de188c |
| SHA1 | 1c6f6db591f5d8500548b82fadc7318eca4e4373 |
| SHA256 | 3730b3056afffaf6727b49adddca17a574db3e95aabe038bfea8560ec7d54dca |
| SHA512 | 11dbc5b5d3ab703447c9a56afe0e36fdb8053eb1b876fd09017c29f2851064d74e5e18bce518a6042468493809a3bf0f2356f46bf876a26dac31e0a887d28920 |
memory/1776-114-0x000000013F250000-0x000000013F5A1000-memory.dmp
memory/2136-113-0x000000013FC90000-0x000000013FFE1000-memory.dmp
C:\Windows\system\ocoYEit.exe
| MD5 | cb74b886437a380425adb60f22becf82 |
| SHA1 | a375c2f722a7be9918175e4ca69544f073dca616 |
| SHA256 | 89baceab4cb75e3e43d2698f14f4fea481f2a94fb5e936d9bdfd2f5dc11fcae9 |
| SHA512 | 671ea1977a8ff9f3b2bd5a8ccd04d46eae50757b770d18e6767f4760e2ca47af40974da44175f85cc34978621ce23f5cefd4002ba1feef12b6dcd4ed3b971171 |
memory/2532-104-0x000000013F8D0000-0x000000013FC21000-memory.dmp
C:\Windows\system\dUhUXFw.exe
| MD5 | 43a36868e3840bbb3cfe6543fda8a8f9 |
| SHA1 | b2f9584edd4aa7751a74ebe93a03dd3b146bc035 |
| SHA256 | b24c6b85c5ca1a2cbe7d5be9ca1185255275a5949a4471ca10c8789dd106fdc9 |
| SHA512 | fbad724735e467eff815e34dbb66e757b23ea091ddb71920b70828a035f68bc49fbf02492614907cbf8a0602be17536b37398fcf6ac63c80589dcd469ee6acd5 |
C:\Windows\system\nihYrQn.exe
| MD5 | 47bf4f9472e4ddd51401bf550a113da6 |
| SHA1 | 3736ba668833e6c214d488138ac5d86f48fafadb |
| SHA256 | 45e7cd1dc8886af589ae386477b66aa4f1d558e0c1357b7ba1ab5eeb0c66c60c |
| SHA512 | 4149d5b85c38c8a243ae99b528880616b0ce2943a1c260e57cb0cd9bc433ed6386663d70476b62fcf7181243f58ae2199848bc8f99bc3a645201926d5cf476d3 |
memory/2532-67-0x000000013F940000-0x000000013FC91000-memory.dmp
C:\Windows\system\QChvyPh.exe
| MD5 | b29fd3d217888209f67165ef5145f6ce |
| SHA1 | 614309b3dba6674abf77964dc8c8b3bbf0e78528 |
| SHA256 | 43ee446a8e6fbb56316cb9b12fe28fedcf7379889e6029e98ce078d6df3674c9 |
| SHA512 | f4a513b6b2eff56e271be759477b6fd9a32b251703cdc642eb713bc787da675429397754c30c7e45cb686e90d0ce117ee01a33c61dd73d18529e4f8db5fc37e7 |
memory/2532-63-0x000000013F710000-0x000000013FA61000-memory.dmp
memory/2356-48-0x000000013F7B0000-0x000000013FB01000-memory.dmp
memory/1300-131-0x000000013FE00000-0x0000000140151000-memory.dmp
memory/2532-133-0x000000013FD00000-0x0000000140051000-memory.dmp
memory/2532-132-0x000000013FD00000-0x0000000140051000-memory.dmp
memory/2816-137-0x000000013F4B0000-0x000000013F801000-memory.dmp
memory/2532-140-0x00000000022F0000-0x0000000002641000-memory.dmp
memory/2180-149-0x000000013F8D0000-0x000000013FC21000-memory.dmp
memory/1948-152-0x000000013F490000-0x000000013F7E1000-memory.dmp
memory/600-155-0x000000013F530000-0x000000013F881000-memory.dmp
memory/1308-154-0x000000013F440000-0x000000013F791000-memory.dmp
memory/2592-153-0x000000013F5B0000-0x000000013F901000-memory.dmp
memory/900-151-0x000000013F5B0000-0x000000013F901000-memory.dmp
memory/704-156-0x000000013FFA0000-0x00000001402F1000-memory.dmp
memory/2532-157-0x000000013FD00000-0x0000000140051000-memory.dmp
memory/2356-207-0x000000013F7B0000-0x000000013FB01000-memory.dmp
memory/1956-210-0x000000013F800000-0x000000013FB51000-memory.dmp
memory/2328-211-0x000000013F260000-0x000000013F5B1000-memory.dmp
memory/1300-231-0x000000013FE00000-0x0000000140151000-memory.dmp
memory/2816-232-0x000000013F4B0000-0x000000013F801000-memory.dmp
memory/3020-234-0x000000013F940000-0x000000013FC91000-memory.dmp
memory/2780-236-0x000000013F240000-0x000000013F591000-memory.dmp
memory/2908-238-0x000000013FF60000-0x00000001402B1000-memory.dmp
memory/2620-240-0x000000013F060000-0x000000013F3B1000-memory.dmp
memory/2764-242-0x000000013F710000-0x000000013FA61000-memory.dmp
memory/2136-244-0x000000013FC90000-0x000000013FFE1000-memory.dmp
memory/1776-246-0x000000013F250000-0x000000013F5A1000-memory.dmp
memory/1292-250-0x000000013F760000-0x000000013FAB1000-memory.dmp
memory/2716-248-0x000000013FEE0000-0x0000000140231000-memory.dmp
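Every one of the 21 dropped EXEs in the Files section above carries a different MD5/SHA1/SHA256, so a blocklist built from these hashes will not catch the next drop; the durable indicators are the C:\Windows\System path pattern and the single C2 endpoint 3.120.209.58:8080. The following is an added example, not code from the sandbox vendor or from the report: it parses this page's own Files and Network layout (a path line followed by one pipe-delimited row per hash, and a Country/Destination/Domain/Proto table) into a deduplicated IOC set and checks that each hash has the length its algorithm produces. REPORT_EXCERPT is a constructed excerpt copied from this page, the parser deliberately tolerates the shifted rows where the domain cell is empty and "tcp" lands in the domain column, and the noise filter (port-53 lookups and the Bing CDN hostname seen in the win10 run) is this example's own assumption about sandbox background traffic, not a verdict from the report.

```python
"""
IOC extraction for the report layout on this page: a dropped-file path line
followed by one '| MD5 | <hex> |'-style row per hash, and a
'| Country | Destination | Domain | Proto |' network table whose rows are
sometimes shifted (domain cell empty, protocol in the domain column).
REPORT_EXCERPT is a constructed excerpt copied from the page; NOISE_HOST_SUFFIXES
and the port-53 rule are this example's assumptions about sandbox background noise.
"""
import re
from dataclasses import dataclass, field

REPORT_EXCERPT = r"""
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2532-0-0x000000013FD00000-0x0000000140051000-memory.dmp
C:\Windows\system\ovrsbix.exe
| MD5 | b747aec628f8cc1dddb412c8ce2ff573 |
| SHA1 | 1171aa9a966a57ece62459a2b0ab4681fab3b2a9 |
| SHA256 | 2e605fc8d4d69b3495918433ff9c581b284fb79d44b680623a149a3d1151da16 |
\Windows\system\vPyYRrZ.exe
| MD5 | 731bb354aee32b74dc17d3b8faaa6b1c |
| SHA1 | 6e0048d57fd3aca9315fe2ff50da2ab5d77c5874 |
| SHA256 | 437d9857ddce2576cf0261b6d87efaa070968e29ff849b3c72c7adcfd4eff591 |
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# Path lines may or may not carry a drive letter (both forms occur on the page).
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\.+\.(?:exe|dll)$", re.IGNORECASE)
NOISE_HOST_SUFFIXES = (".in-addr.arpa", ".mm.bing.net")  # assumption: sandbox background traffic


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)

    def consistent(self):
        """Every recorded hash must be hex of the length its algorithm produces."""
        return all(len(h) == HASH_LEN[alg] for alg, h in self.hashes.items())


def parse_network(lines):
    """Yield (ip, port, proto, domain) from table rows, tolerating the shifted layout."""
    for line in lines:
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 3 or cells[0] == "Country" or ":" not in cells[1]:
            continue
        ip, port = cells[1].rsplit(":", 1)
        rest = [c for c in cells[2:] if c]  # drop empty cells, wherever they sit
        proto = rest[-1].lower() if rest and rest[-1].lower() in ("tcp", "udp") else ""
        domain = rest[0] if len(rest) > 1 else ""
        yield ip, int(port), proto, domain


def parse_files(lines):
    """Group hash rows under the preceding path line; memory dumps carry no hashes."""
    files, current = [], None
    for raw in lines:
        line = raw.strip()
        if PATH_RE.match(line):
            current = DroppedFile(path=line)
            files.append(current)
        elif current is not None and (m := HASH_ROW_RE.match(line)):
            current.hashes[m.group(1)] = m.group(2).lower()
        elif line.startswith("memory/"):
            current = None
    return files


def extract_iocs(report_text):
    """Network IOCs with background noise removed, plus dropped files with validated hashes."""
    lines = report_text.splitlines()
    net = set()
    for ip, port, proto, domain in parse_network(lines):
        if port == 53 or domain.endswith(NOISE_HOST_SUFFIXES):
            continue
        net.add((ip, port, proto))
    files = parse_files(lines)
    bad = [f.path for f in files if not f.consistent()]
    if bad:
        raise ValueError(f"hash length mismatch in {bad}")
    return {"network": sorted(net), "files": files}


def unique_sha256(files):
    """How many distinct SHA256 values the drops carry (on this page: one per file)."""
    return len({f.hashes["SHA256"] for f in files if "SHA256" in f.hashes})


if __name__ == "__main__":
    iocs = extract_iocs(REPORT_EXCERPT)
    for ip, port, proto in iocs["network"]:
        print(f"c2 candidate: {ip}:{port}/{proto}")
    for f in iocs["files"]:
        print(f"{f.path}  sha256={f.hashes['SHA256']}")
    print(f"{unique_sha256(iocs['files'])} distinct SHA256 values across {len(iocs['files'])} drops")
```

Run over the full Files section rather than the excerpt, unique_sha256 returns the same number as the file count, which is the quick way to confirm that per-drop hashes are not reusable indicators here and that the file path pattern and the 3.120.209.58:8080 endpoint are what belong in a blocklist.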
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 11:52
Reported
2024-10-25 11:54
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader (21 hits; description, indicator, process and target all recorded as N/A)
Cobaltstrike
xmrig
XMRig Miner payload (45 hits; description, indicator, process and target all recorded as N/A)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\sgLXlJp.exe | N/A |
| N/A | N/A | C:\Windows\System\PysYUSO.exe | N/A |
| N/A | N/A | C:\Windows\System\bPyTItp.exe | N/A |
| N/A | N/A | C:\Windows\System\SSbLcit.exe | N/A |
| N/A | N/A | C:\Windows\System\SXWsWjj.exe | N/A |
| N/A | N/A | C:\Windows\System\judZQpF.exe | N/A |
| N/A | N/A | C:\Windows\System\jVcgHzc.exe | N/A |
| N/A | N/A | C:\Windows\System\KeZKehj.exe | N/A |
| N/A | N/A | C:\Windows\System\QpMTLrz.exe | N/A |
| N/A | N/A | C:\Windows\System\mKbVIXY.exe | N/A |
| N/A | N/A | C:\Windows\System\mINPePc.exe | N/A |
| N/A | N/A | C:\Windows\System\CiwPRGi.exe | N/A |
| N/A | N/A | C:\Windows\System\urxkLVh.exe | N/A |
| N/A | N/A | C:\Windows\System\WdvDejg.exe | N/A |
| N/A | N/A | C:\Windows\System\cBSSSUg.exe | N/A |
| N/A | N/A | C:\Windows\System\RSQFjzT.exe | N/A |
| N/A | N/A | C:\Windows\System\JuCuLOO.exe | N/A |
| N/A | N/A | C:\Windows\System\hCAUkFI.exe | N/A |
| N/A | N/A | C:\Windows\System\ZBoluBS.exe | N/A |
| N/A | N/A | C:\Windows\System\MdReKcT.exe | N/A |
| N/A | N/A | C:\Windows\System\yaNuRZV.exe | N/A |
UPX packed file (64 hits; description, indicator, process and target all recorded as N/A)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-25_bf492e8fe609314ea99cc11e57500cbd_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\sgLXlJp.exe
C:\Windows\System\sgLXlJp.exe
C:\Windows\System\PysYUSO.exe
C:\Windows\System\PysYUSO.exe
C:\Windows\System\bPyTItp.exe
C:\Windows\System\bPyTItp.exe
C:\Windows\System\SSbLcit.exe
C:\Windows\System\SSbLcit.exe
C:\Windows\System\SXWsWjj.exe
C:\Windows\System\SXWsWjj.exe
C:\Windows\System\judZQpF.exe
C:\Windows\System\judZQpF.exe
C:\Windows\System\jVcgHzc.exe
C:\Windows\System\jVcgHzc.exe
C:\Windows\System\QpMTLrz.exe
C:\Windows\System\QpMTLrz.exe
C:\Windows\System\KeZKehj.exe
C:\Windows\System\KeZKehj.exe
C:\Windows\System\mKbVIXY.exe
C:\Windows\System\mKbVIXY.exe
C:\Windows\System\mINPePc.exe
C:\Windows\System\mINPePc.exe
C:\Windows\System\CiwPRGi.exe
C:\Windows\System\CiwPRGi.exe
C:\Windows\System\urxkLVh.exe
C:\Windows\System\urxkLVh.exe
C:\Windows\System\WdvDejg.exe
C:\Windows\System\WdvDejg.exe
C:\Windows\System\cBSSSUg.exe
C:\Windows\System\cBSSSUg.exe
C:\Windows\System\RSQFjzT.exe
C:\Windows\System\RSQFjzT.exe
C:\Windows\System\JuCuLOO.exe
C:\Windows\System\JuCuLOO.exe
C:\Windows\System\hCAUkFI.exe
C:\Windows\System\hCAUkFI.exe
C:\Windows\System\ZBoluBS.exe
C:\Windows\System\ZBoluBS.exe
C:\Windows\System\MdReKcT.exe
C:\Windows\System\MdReKcT.exe
C:\Windows\System\yaNuRZV.exe
C:\Windows\System\yaNuRZV.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/5104-0-0x00007FF79A2E0000-0x00007FF79A631000-memory.dmp
memory/5104-1-0x00000202353F0000-0x0000020235400000-memory.dmp
memory/1680-6-0x00007FF7907A0000-0x00007FF790AF1000-memory.dmp
C:\Windows\System\sgLXlJp.exe
| MD5 | f7172c41a2568c098b96af909f49d6a6 |
| SHA1 | 5d2f4ef286cea53e16cff34f9f67b7141efd2900 |
| SHA256 | 2d69642395ebb109484d9b1b761266afcde26b09fa48713d1dc49fe3f0c1cdf4 |
| SHA512 | 844f457a03defb543fb88f57aca599d5b74240ebb99025e6df4974e5c572c10bbbdc24ee60c3b2c051a6239857001b1e580c5822b79c418c5fe6e5e099ee2239 |
C:\Windows\System\bPyTItp.exe
| MD5 | 369a6de3fd59eb8897d268f5b8c7fc01 |
| SHA1 | 3572de0cf0350f83f606ccaa958c24f6997fa124 |
| SHA256 | 9a2b7242e7b06452fbdaa6d5f53d98312e2f05eedb547043265654b2efebdc12 |
| SHA512 | 6265a577173c2e490d3d3c3499fedf1cbebc0ce340429c948413ee365d7264df01f4b2a4e0bd0a0e72ead0292078948da7e554aa40101e8d959d12d2675eb292 |
C:\Windows\System\SSbLcit.exe
| MD5 | d762d7426a6438fe50e3ddbeb46f2bb0 |
| SHA1 | 1372ba1c063fca5e4022801affd3558d75a25a2d |
| SHA256 | fe3849d99d0a29c55c14593b28306cfbce7d4be62b487283d3a8ffeb5d1c4399 |
| SHA512 | c4a69ea2cb76bdc1a9ec34c9158a9779bdf85c7d37a282740c77be930452fb53523424b28985a0694057b577afd2dc6bf6e9cf37b7c192a8daadbf6d5090330a |
C:\Windows\System\judZQpF.exe
| MD5 | 319ecb3c3c35fc569f0d9c0df6390e46 |
| SHA1 | 5f0ef4dc8636646f62976b6104fb7f5d6218e425 |
| SHA256 | 222282a53e98818f1e0be990aa68f262a2796caf4f7b4c1a09ff842bea3377f8 |
| SHA512 | 733c484b79d830526108e59d5b99d24da02b4b7051d9207a3ae42f881e673c8be10dde22bdefe578f062fd5b96c5d2f3645411cb7fc95c68c417618aa504f8a0 |
C:\Windows\System\jVcgHzc.exe
| MD5 | 822795e7841aa2621cd0aabb2fc324cb |
| SHA1 | ed97688766ea0bbf61e963446a4722cdba254754 |
| SHA256 | 59a95ef81f74c55bfe6e2984bb94ed5d040d1e1a47953ebdba775aad9824b0b8 |
| SHA512 | a1cb3ac802c67460f30131ca0713251bec2cadf6f7042df2bff616a83f7bb8608cd49bba0283713c679174ec333256d9b95f6afac995a0bfcf12d976e01069d5 |
memory/2032-43-0x00007FF6A3140000-0x00007FF6A3491000-memory.dmp
C:\Windows\System\KeZKehj.exe
| MD5 | f3f3dbc3b3649bbea31fbc4dca0af17b |
| SHA1 | c12d976b17bff42fdd14fa1913afa7072ea30ff7 |
| SHA256 | c41b4ac9ffedb3e5cd359690a5a4275942ea78381b08033df74fb37b2cc5d256 |
| SHA512 | f853e830eae1b8e531d8852555d71172ee03640aa954ac29ddcd1832afec81ddf7b331d4f7d4704a225ab5f2a9a705adda936f69cd25509e3139108fc56b7471 |
C:\Windows\System\CiwPRGi.exe
| MD5 | b4a56c4c87cc2868c65b160a33f6f865 |
| SHA1 | adccfa5a99c2945af961279fa28b6dce1bd63561 |
| SHA256 | e46f94e23ac45e740af5af422c8dc399494bb215b47df4fd9c76a0f3211455ee |
| SHA512 | f8c672c16a25049203afd46f07db0aec5095c146f12b9bbdf34f91eeaf2f5a4f21ec999af2494caed92caa2d2a123cd60ddf73272898188c00170a810857e85f |
C:\Windows\System\cBSSSUg.exe
| MD5 | f68fb5aa105506edc19f355471632141 |
| SHA1 | 56f7501ea438979e705d177d10c479e1939a5f8e |
| SHA256 | 01b5afef693fbc341740bdf430b8b91c010ee6bbbd95c9d5652b319fc7758bee |
| SHA512 | 7df7d2edcbe2004ca05f0c1f9709c796ca3f5f30f6dd79016066e137eb547a51f3552d0ea1693e2799780c2665c5087e8446614505d2ca00ad1b9210926d3c95 |
C:\Windows\System\WdvDejg.exe
| MD5 | 191a0d21c615a3637d83e410071001e3 |
| SHA1 | 923945537aa674487b626a01637bf40d03dfab26 |
| SHA256 | ccf6691f455ee02fb0279d21c77681029f44111a2b83d532cc94ea1b3e253618 |
| SHA512 | a23b1150977edeea6fa004fe964a269d3844896bf3de1940b5ce7dff65f041faf1432b6c2b354de7188fa0d4fbb70f6a3522d9af038e60f282b176e6b43c4471 |
memory/1268-104-0x00007FF644700000-0x00007FF644A51000-memory.dmp
memory/3064-114-0x00007FF7A46E0000-0x00007FF7A4A31000-memory.dmp
memory/4828-119-0x00007FF6C8F90000-0x00007FF6C92E1000-memory.dmp
memory/1052-121-0x00007FF645650000-0x00007FF6459A1000-memory.dmp
memory/4536-123-0x00007FF680BC0000-0x00007FF680F11000-memory.dmp
C:\Windows\System\yaNuRZV.exe
| MD5 | fa90fd5123191f0dc568f81899fd4cfc |
| SHA1 | 504b993ff5aa3c7630010b40cd41289144a0415f |
| SHA256 | 0fe283d56defa131677adcfa166ce23831c89f95851c3c2ff7bc8d6c2967a781 |
| SHA512 | 67a03377c2e243a334a938d2a6101d8168f4091c5f17c656022446ce5d9ef41bb0de69772fb628a94b49193c1b733c1d1d9f556254beeb9668ac1265339f807f |
C:\Windows\System\MdReKcT.exe
| MD5 | 5918c27a7d6be1437379d1bae8a286d1 |
| SHA1 | 7733ef8ffc545114feb65527470c02da5f17dd8c |
| SHA256 | 1b6b074f33e674b5edd9131bd81af3a0ad906a675b1e3f59a1ebc4f0473d7526 |
| SHA512 | 58cbba05b0638bd031c27be5b6dc2498d6e51cfcd0070e58c00b05969d0e65f82cc6537b554408b14781f1e8f2e3204b8204f57d598018176b0d5ea360ba0df0 |
memory/776-122-0x00007FF7704E0000-0x00007FF770831000-memory.dmp
memory/1956-120-0x00007FF650580000-0x00007FF6508D1000-memory.dmp
C:\Windows\System\ZBoluBS.exe
| MD5 | ab7cb572eac1d2b120d3f91f5fee8f31 |
| SHA1 | 939fec42fe9256b79ff4c652b1457de657c27a04 |
| SHA256 | e5a59045ad799d5d5452c48b1111b8b455aa000acc1aeac62d046a4496569de9 |
| SHA512 | 5027567805682da1b4a35adc2168c00bb40b4ce94eccf165b9ffbc8697466b26699bf03fb97856c2828b912fa942f31d058f48e455af5dac0a6a045ed92bd460 |
memory/1724-115-0x00007FF66A210000-0x00007FF66A561000-memory.dmp
C:\Windows\System\hCAUkFI.exe
| MD5 | ac49d75fa5fbab0f05c8ba8a65e7b798 |
| SHA1 | 34a962c04451057e424578da6dfa54f27b94e55f |
| SHA256 | 1c67877c3b0f7402fe6bb54a866d13eed96350096b12777cc9a874d30aa583c0 |
| SHA512 | 6fe2143d009054a6d76f3ae2accc54af2b9e6110bcc075ef95753feb4e08d3225c5fc30103adea6fa6497f8aab7314ab357c91a76fdb388b781b06adfd751273 |
C:\Windows\System\JuCuLOO.exe
| MD5 | 12f017a0617b94218b6e9e8e94767a09 |
| SHA1 | 7d4170185c116f870fc30f985c8d04a48ccdf32b |
| SHA256 | a3da256f029da4fcd3a8ef61050fb825b7075c2b636c6127bf0d78341c9594b8 |
| SHA512 | 56ed29fc23fac185ba103c7ccaa46bfe5eb2198221551c1d4c9e5a5f8912d9f7f067317ac96fce6028ae3c154862bbc8be1673d22b4ebb966b229f62dcaccaa9 |
C:\Windows\System\RSQFjzT.exe
| MD5 | 2caeeeee34e87f09f83dd79a66d8bf58 |
| SHA1 | 6fbf2b8b35d72f4e0f42217982a710094c2bed42 |
| SHA256 | cf07b064b1151e357da315eb8acaa2239574521ef349f3fe920c6978be5d9fe9 |
| SHA512 | 1226a1ccab1e8e3c8be76a284cdee76a55eb5389d7886fa3f45c6e38bd36504701cd4385586f4d88ed6a91ba6ca95017afb56993984ebce6902df8e163b1b648 |
memory/2596-98-0x00007FF684E00000-0x00007FF685151000-memory.dmp
memory/2516-89-0x00007FF649E70000-0x00007FF64A1C1000-memory.dmp
memory/956-85-0x00007FF7CC8C0000-0x00007FF7CCC11000-memory.dmp
C:\Windows\System\urxkLVh.exe
| MD5 | f0fdaf9f00d15eb262105eacf51f5ee5 |
| SHA1 | f22ad627da756782da95dfdc5128083b87cde17c |
| SHA256 | e4fad3f84ebca2a4711cc3e980187ac94e487a07ad1d9048cfea80695fecbe53 |
| SHA512 | eff66ac332d3ed10738bbdf882d3bd531d9adc340c9cb3b046afa4d5b889c7c3b2ad5d51230530dbf24a257950e304e792c3099309bc31ee5a7eb3b5a6cb55ba |
C:\Windows\System\mINPePc.exe
| MD5 | 5666998e5e9d48721f1f91771891d982 |
| SHA1 | afa675d007ee32232f99c695c4713ce232c3882f |
| SHA256 | b5e7cd5da7e48cc3c2e8fe6a765e6407c40d7e89a5872e292d3a43421835a352 |
| SHA512 | 47085801e4944235bed8c976ff35adc7669138a47bdf1dddf9980875e14da77fb57cd3a606ff4564dec98337201fd68064b22b6e19fdebc656b5326e30a538e5 |
memory/3976-71-0x00007FF7E5630000-0x00007FF7E5981000-memory.dmp
memory/3360-66-0x00007FF699620000-0x00007FF699971000-memory.dmp
C:\Windows\System\QpMTLrz.exe
| MD5 | 5f9d6fa8fa64a75b2eceb2ce9dbc1c7f |
| SHA1 | 0b3d42e9204ca3217f46c0a8bc3bd85a157bd3c0 |
| SHA256 | 9c3baaff033e8933376d80bfe634f4263bcbf0fb5954acded179c2b4df545eaa |
| SHA512 | 0c16dad4abf94e3d088b0b78f3361d5be560d01b0564cb628b5e71548cdee423d82164e74399bca7238ff5d6c2e8f684eaabee65cb5c133393375605b03d9759 |
C:\Windows\System\mKbVIXY.exe
| MD5 | bb5262ba2c916aeaa51f7789e2a0b079 |
| SHA1 | 66d8108586ef5016a8411a5a17477204725bc7ce |
| SHA256 | 638c99e0e70be08325b3f6bdad1144a3f138053546a2ebab765be3a1811778ed |
| SHA512 | 3dbb6ed4633673c27ce52f45f350b0c98f56e4a69616eb1ff71c1e942521a41a0a61e8f89208eaf1ffcdd3d3b75125c13ce39703551141197959872feed9ae88 |
memory/952-57-0x00007FF646950000-0x00007FF646CA1000-memory.dmp
memory/2160-56-0x00007FF6D82E0000-0x00007FF6D8631000-memory.dmp
C:\Windows\System\SXWsWjj.exe
| MD5 | fac369b4eb2897f47bf0b8661b1504b1 |
| SHA1 | 75ad7e83bf884ec6aabc5e770294bb57f81d4255 |
| SHA256 | 52c686cc62917e8e7db87dc13461955436548211a998ca0b2688d71cadf604f4 |
| SHA512 | 5f2c85022dd9156ed3a213f40edcbef2063c50f6f131333786fd3a97b24fd85596b3a2566bd05110fe2052b00378d308427885a38a76f91af94cfcbd89fdba54 |
memory/5100-32-0x00007FF6DAE70000-0x00007FF6DB1C1000-memory.dmp
memory/4976-30-0x00007FF75D650000-0x00007FF75D9A1000-memory.dmp
C:\Windows\System\PysYUSO.exe
| MD5 | 145025a79af2c74a556134e7d8804d19 |
| SHA1 | 124c8fd704361d0a4abeb7a5bbae2dba9112f6a6 |
| SHA256 | 344e7dbb999952bc91720654a1f3e4dc0c1392327f6b1a05bb878fee9e543e04 |
| SHA512 | 9ea88df74df2cd8b052bd26d97981b7b9d5e36d2aaa80d3a8ff5c6411b770ea3646efb9fb09577ea7ffd436078d042e93d89dcf32eb65cc874bc9b2e20b2b016 |
memory/2060-17-0x00007FF698DF0000-0x00007FF699141000-memory.dmp
memory/2096-19-0x00007FF7ED190000-0x00007FF7ED4E1000-memory.dmp
memory/5104-128-0x00007FF79A2E0000-0x00007FF79A631000-memory.dmp
memory/1680-129-0x00007FF7907A0000-0x00007FF790AF1000-memory.dmp
memory/2060-130-0x00007FF698DF0000-0x00007FF699141000-memory.dmp
memory/4976-132-0x00007FF75D650000-0x00007FF75D9A1000-memory.dmp
memory/2096-131-0x00007FF7ED190000-0x00007FF7ED4E1000-memory.dmp
memory/2032-135-0x00007FF6A3140000-0x00007FF6A3491000-memory.dmp
memory/952-137-0x00007FF646950000-0x00007FF646CA1000-memory.dmp
memory/2160-136-0x00007FF6D82E0000-0x00007FF6D8631000-memory.dmp
memory/5100-134-0x00007FF6DAE70000-0x00007FF6DB1C1000-memory.dmp
memory/5104-133-0x00007FF79A2E0000-0x00007FF79A631000-memory.dmp
memory/1268-154-0x00007FF644700000-0x00007FF644A51000-memory.dmp
memory/3064-155-0x00007FF7A46E0000-0x00007FF7A4A31000-memory.dmp
memory/776-157-0x00007FF7704E0000-0x00007FF770831000-memory.dmp
memory/2596-153-0x00007FF684E00000-0x00007FF685151000-memory.dmp
memory/956-147-0x00007FF7CC8C0000-0x00007FF7CCC11000-memory.dmp
memory/3360-149-0x00007FF699620000-0x00007FF699971000-memory.dmp
memory/4536-158-0x00007FF680BC0000-0x00007FF680F11000-memory.dmp
memory/5104-159-0x00007FF79A2E0000-0x00007FF79A631000-memory.dmp
memory/1680-214-0x00007FF7907A0000-0x00007FF790AF1000-memory.dmp
memory/2060-216-0x00007FF698DF0000-0x00007FF699141000-memory.dmp
memory/2096-218-0x00007FF7ED190000-0x00007FF7ED4E1000-memory.dmp
memory/2032-233-0x00007FF6A3140000-0x00007FF6A3491000-memory.dmp
memory/4976-234-0x00007FF75D650000-0x00007FF75D9A1000-memory.dmp
memory/3976-236-0x00007FF7E5630000-0x00007FF7E5981000-memory.dmp
memory/5100-238-0x00007FF6DAE70000-0x00007FF6DB1C1000-memory.dmp
memory/2160-242-0x00007FF6D82E0000-0x00007FF6D8631000-memory.dmp
memory/952-241-0x00007FF646950000-0x00007FF646CA1000-memory.dmp
memory/1268-250-0x00007FF644700000-0x00007FF644A51000-memory.dmp
memory/1052-260-0x00007FF645650000-0x00007FF6459A1000-memory.dmp
memory/1724-262-0x00007FF66A210000-0x00007FF66A561000-memory.dmp
memory/3064-258-0x00007FF7A46E0000-0x00007FF7A4A31000-memory.dmp
memory/956-257-0x00007FF7CC8C0000-0x00007FF7CCC11000-memory.dmp
memory/2516-254-0x00007FF649E70000-0x00007FF64A1C1000-memory.dmp
memory/3360-253-0x00007FF699620000-0x00007FF699971000-memory.dmp
memory/1956-249-0x00007FF650580000-0x00007FF6508D1000-memory.dmp
memory/2596-246-0x00007FF684E00000-0x00007FF685151000-memory.dmp
memory/4828-245-0x00007FF6C8F90000-0x00007FF6C92E1000-memory.dmp
memory/776-266-0x00007FF7704E0000-0x00007FF770831000-memory.dmp
memory/4536-265-0x00007FF680BC0000-0x00007FF680F11000-memory.dmp