Analysis Overview
SHA256
a9f13cd1daa00a11d71ce2d1f3fda74900bb4a5be35ebe6d6701df9b1b9308f5
Threat Level: Known bad
The file 2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader (family tag: Cobaltstrike)
XMRig Miner payload (family tag: xmrig)
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken (SeLockMemoryPrivilege)
Reading the tags: the two family labels are signature matches against the file and the memory dumps, and the report records no description, indicator, process or target for any of the matches, so they should be treated as labels to corroborate rather than as confirmed identifications. The "cobalt-strike", "cobaltstrike" and "poet-rat" strings are part of the submitted file name, not findings of this analysis. The recorded behaviour points most clearly at a miner: 21 executables are dropped into C:\Windows\System with seven-letter random names and run, every dropped file the report hashes has a different hash (so hash-based blocking of the drops is weak and the path pattern is the better indicator), and the sample enables SeLockMemoryPrivilege, which is the user right XMRig requests so that RandomX can use large pages.
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-25 11:44
Signatures
Cobalt Strike reflective loader (family tag: Cobaltstrike): 1 match, matched indicator not recorded in the report
XMRig Miner payload (family tag: Xmrig): 1 match, matched indicator not recorded
UPX packed file: 1 match, details not recorded
Unsigned PE: 2 matches, details not recorded
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 11:44
Reported
2024-10-25 11:46
Platform
win7-20240729-en
Max time kernel
140s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader (family tag: Cobaltstrike): 21 matches, none with a recorded description, indicator, process or target
XMRig Miner payload (family tag: xmrig): 41 matches, none with recorded details
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\eurnuFT.exe | N/A |
| N/A | N/A | C:\Windows\System\SYWQBRn.exe | N/A |
| N/A | N/A | C:\Windows\System\VJgereS.exe | N/A |
| N/A | N/A | C:\Windows\System\LVtyELN.exe | N/A |
| N/A | N/A | C:\Windows\System\YEknpJW.exe | N/A |
| N/A | N/A | C:\Windows\System\BwVHBZe.exe | N/A |
| N/A | N/A | C:\Windows\System\KXwICSN.exe | N/A |
| N/A | N/A | C:\Windows\System\MTNncLS.exe | N/A |
| N/A | N/A | C:\Windows\System\kiDzZgH.exe | N/A |
| N/A | N/A | C:\Windows\System\ZPKODMY.exe | N/A |
| N/A | N/A | C:\Windows\System\uUfKaxS.exe | N/A |
| N/A | N/A | C:\Windows\System\DUAWMnY.exe | N/A |
| N/A | N/A | C:\Windows\System\PxVGxYw.exe | N/A |
| N/A | N/A | C:\Windows\System\gaXqTmE.exe | N/A |
| N/A | N/A | C:\Windows\System\eQZKIax.exe | N/A |
| N/A | N/A | C:\Windows\System\iavwKwo.exe | N/A |
| N/A | N/A | C:\Windows\System\vbVwIAg.exe | N/A |
| N/A | N/A | C:\Windows\System\ejyMyzZ.exe | N/A |
| N/A | N/A | C:\Windows\System\HEFGNtZ.exe | N/A |
| N/A | N/A | C:\Windows\System\kkYbEBj.exe | N/A |
| N/A | N/A | C:\Windows\System\EZXJVvS.exe | N/A |
Loads dropped DLL
UPX packed file: 64 matches, none with recorded details
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe"
Dropped executables that were run (each command line is the bare image path, no arguments):
C:\Windows\System\eurnuFT.exe
C:\Windows\System\SYWQBRn.exe
C:\Windows\System\VJgereS.exe
C:\Windows\System\LVtyELN.exe
C:\Windows\System\YEknpJW.exe
C:\Windows\System\BwVHBZe.exe
C:\Windows\System\KXwICSN.exe
C:\Windows\System\MTNncLS.exe
C:\Windows\System\kiDzZgH.exe
C:\Windows\System\ZPKODMY.exe
C:\Windows\System\uUfKaxS.exe
C:\Windows\System\DUAWMnY.exe
C:\Windows\System\PxVGxYw.exe
C:\Windows\System\gaXqTmE.exe
C:\Windows\System\eQZKIax.exe
C:\Windows\System\iavwKwo.exe
C:\Windows\System\vbVwIAg.exe
C:\Windows\System\ejyMyzZ.exe
C:\Windows\System\HEFGNtZ.exe
C:\Windows\System\kkYbEBj.exe
C:\Windows\System\EZXJVvS.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Six TCP connections to 3.120.209.58:8080 and nothing else in this run. The address is contacted directly, with no DNS query preceding it in either detonation. 3.120.0.0/14 is an AWS eu-central-1 range, so this is a rented host that can be reassigned at any time: block or hunt on the socket while it is live, but do not treat it as durable attribution.
Files
memory/2500-0-0x000000013F8E0000-0x000000013FC31000-memory.dmp
memory/2500-1-0x00000000001F0000-0x0000000000200000-memory.dmp
C:\Windows\system\eurnuFT.exe
| MD5 | f643097666526b3d61b7793f8f9da02d |
| SHA1 | d6cb889a7b72b67794080ea45a6a1f443e5c0d89 |
| SHA256 | 4c27cfe0ca64601d53c7a09091172c9948cafd4c8678411b82506e783b6bcca5 |
| SHA512 | f68ed12bf0ee001a5179c8a029bce9e7bb557978e984acfd79ed2841ae3b642cec5be8f6d1b6fae5ae8b523611f90900b8a1cc3d3fe5d128c5f2289b5ff6c4d6 |
memory/2500-10-0x00000000022F0000-0x0000000002641000-memory.dmp
C:\Windows\system\VJgereS.exe
| MD5 | 20d3dedd0bf747a54657210f6624bf7b |
| SHA1 | 2f5c25be08fafebddcef6e68d17848cbdad6adf8 |
| SHA256 | d4b6025d4af5bd0db5f4b1d0efe4aaa114c5d07300363156d427b448b000e8d6 |
| SHA512 | 2d91ae49305ef2515c0a4f4a34201ce754779b9129e95786a56692f507f6a51bc81dd8c593686bb8f637e7e76775a6964d759842fb42537d28e29cee4f8fed13 |
\Windows\system\SYWQBRn.exe
| MD5 | 105ad6a10d96566a91a2abafe57a8157 |
| SHA1 | 7986ae3a0fd924a7d4c535b4dd42e9fd5d3589ee |
| SHA256 | c6333edc330e9fdb88e1a1fd51a2c74a67adbf753591c83c0a6f30eaba16a32a |
| SHA512 | c1dee4cf0fbe22848e479e8afe10acf45e32e3ddaaa24972d72621a9fd0a60de2ae268e64a46b6683cc1414098ff35bd55ff3d6e42124d23368f254248f15c77 |
\Windows\system\LVtyELN.exe
| MD5 | c784c3cbfcc054ca886873b03673ad5d |
| SHA1 | 33dff63ef5b20e85d34c76b14adcd27a28da361c |
| SHA256 | a3ef5a3f5ca28442d7c4b2e56ebc488f13c0e63d69fd44b08cf874b7cb831af5 |
| SHA512 | 4842fcff23c884c462a92702fd850b6d04593754e0a50b4248c826e0eaaa6c69022f874eaeaa9d2e5cc474b1251c705dcc0f1383bcdcba6c26ca87ad73a4e742 |
memory/2500-26-0x000000013FDB0000-0x0000000140101000-memory.dmp
memory/2716-28-0x000000013FDB0000-0x0000000140101000-memory.dmp
memory/1884-22-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/1612-18-0x000000013FDE0000-0x0000000140131000-memory.dmp
memory/1684-16-0x000000013FA00000-0x000000013FD51000-memory.dmp
memory/2500-15-0x00000000022F0000-0x0000000002641000-memory.dmp
C:\Windows\system\YEknpJW.exe
| MD5 | 862be89aa680d0ced5ed539babff5b4d |
| SHA1 | 7a4b7cc368a09ef00351de664aa1ecaf24f166db |
| SHA256 | 248d5795fa121ebeccbd224341a3a6f115aa98da8f1178ba99c79cf6fd117df7 |
| SHA512 | 3ebf6321af38569816d562e8088962b01648e61294b5a1802cc932b602cdeb3effe0e48208c7b06508e35ce41d845245d0bd948197143f6d80e3510efe8f167d |
C:\Windows\system\BwVHBZe.exe
| MD5 | 7c108317990d2a6ad777941a4e8fd056 |
| SHA1 | 8715d3d2b419d187bb8d644e6a546bcdc26d9289 |
| SHA256 | f973a98eef79bbde49045c4151e418b3bd27c77a0cebb24ad7b6561956460e77 |
| SHA512 | 58c950c22076020c843465133e9388029afe71f5b1b3ef4e2bc5d78648da39f9da15457e5c9dc8cbb2599d2375cb261fc3a0735b4a6d01a99b94ce3bfdc9511c |
memory/2500-38-0x000000013FCE0000-0x0000000140031000-memory.dmp
\Windows\system\KXwICSN.exe
| MD5 | c4e75792d200018f81114cb0fdb2808f |
| SHA1 | 7d2006e73a5f9202458f69865ece4476c55b9e6c |
| SHA256 | ee3619010819031f41e4b185d3a743c23119489f28bcbabc4c26de2d0d4f977c |
| SHA512 | 2522a120b411f9ecb8d9c91a3108a15bd69394404f9689cabc064f880339875ced98315dd296f646e53167c271c7db8e32e100bdf3063924524713af7f70e4fb |
C:\Windows\system\MTNncLS.exe
| MD5 | 352ab7a7c63cba482381dd8ceb0efc8e |
| SHA1 | 932d8277bc7a8a1937c9de4c45cc2db98cbad8aa |
| SHA256 | c4f5c29fbc9bcc1e32aa318012e7cbaff51e963bd8d69211fbec84aad2ff5d79 |
| SHA512 | 29de69fdf7e7ef9c4330b5c612d382d8d846524c10cb19feba50da906a9eb461b3e0943f9387cf6b51aad9eb1abb6de1bb28c472771aed1b6c31b669a4c363d4 |
C:\Windows\system\kiDzZgH.exe
| MD5 | 4145f3c2d89991be684aa790d627ec3c |
| SHA1 | 14f1911850a03ef3e23536bc5b0df6c3222efa1f |
| SHA256 | 61c2896ce5c4efaa5608255d049bc0032396385003164cf8b45ddd3531b814b9 |
| SHA512 | 4df6a6ebad4ed4b960a89672fef4c307e77f2dc1821a6104dfa8390f642763b718afd82bb25ac76ae57248a7d62868cedbac4719b3601116fe61b4ac40133449 |
C:\Windows\system\ZPKODMY.exe
| MD5 | 63ba3bf55885790b3b3d94eee70a80c6 |
| SHA1 | 8dd53a4fc20de32f406f227595764ccd0088e7f8 |
| SHA256 | 9a9925dea58f95c693d7acc97ac70dd3e79fdd386518ccf1446bc023e24e0bc6 |
| SHA512 | 0cdbba2784e279a226e814ffb078446112b268c3bc02c63b4f5f1be7d3f7e990342491e3cea207318c8700e94eeec39861e0d71ad1e3fca23eabaf34d0504ea2 |
C:\Windows\system\vbVwIAg.exe
| MD5 | 06fab3b5755a755a293663b36428f5ae |
| SHA1 | 4bc37af8ff502533e6bb09ed1f0be7f29787cd39 |
| SHA256 | be02c671b0e12c5b407da04375806e64ef4409891106b0f1cd62e2b64e00a252 |
| SHA512 | 38f5edc294bc5088906e3e4605af509e8aa3cbed6036508f654d117e77abfe9d38054116a6e9dfb568e55e6a5992ea2c04446a68c8103f5c7ed6ef705e0c642a |
C:\Windows\system\HEFGNtZ.exe
| MD5 | 5b5fbdce4e49a7e2b4d2068abe6b914d |
| SHA1 | 846b4370e791973980ea9ecb4ea2ddf23dda77a4 |
| SHA256 | d4cf82cf5635163df3904672c18a85956b023e8d328f295cf6be1a0c1a14e4d0 |
| SHA512 | 72dd87956996510574fe53e5391630b95a8f18d20017b964c3da34c6c68ca2365dad7957c80269aa7d54fdf5f45f5352f0c3fc5a3ca2c7ff401a217064b0d6e0 |
\Windows\system\EZXJVvS.exe
| MD5 | a40a020ad368dbe3193de0300557f83f |
| SHA1 | 079fde7041e048504f134b68f84a4a95c0f5f611 |
| SHA256 | b4540c79b07cb9573c1b78d6882b964633dc39a69101d451140a5c58f4e7910a |
| SHA512 | 4dc44bb0ad4814342eda3eba8f97cb14a30958b8522e485e18d77fc969a5bd350f8fe6741d19e928926ddacffab95105b5e85b8e32834fa40bdc1a8d294ab609 |
C:\Windows\system\kkYbEBj.exe
| MD5 | af9de6cebf3020f315db5d7572f0ef0e |
| SHA1 | a0f8438912683a047ef92b959350adba9a84de35 |
| SHA256 | dde80c1d8b0a14f383093155315a63b9d83eed2296fb2100b5926ce574e0f030 |
| SHA512 | 6e7cb2d98d480136957aa8907b2d274a5d89b07b3089c9127d0b2470affc4b5dab46371322de215bcb2b3dc18c43ede500868b6de04386dd55711ffe9369916a |
C:\Windows\system\ejyMyzZ.exe
| MD5 | a0e005e436d56420898a36de73e24966 |
| SHA1 | 87f73522540a3fa8baed8defc2eacd65e6efe7bc |
| SHA256 | 50c12f91fd5f1c7158d2c446d3bac40abac86ebff5897d2d6c0cad9d8bf1d6ef |
| SHA512 | cbaefaae7aed3a825d8517c94a6404a2c0dd8484313423292214b00d7bb41aaa286318be9dcce9725e1d0e7b096e57c5fdb0b5144ce831d288ab444b5db585d0 |
memory/2760-117-0x000000013FC30000-0x000000013FF81000-memory.dmp
memory/2764-123-0x000000013F340000-0x000000013F691000-memory.dmp
memory/2500-126-0x000000013F080000-0x000000013F3D1000-memory.dmp
memory/2500-128-0x000000013FCA0000-0x000000013FFF1000-memory.dmp
memory/888-130-0x000000013F9F0000-0x000000013FD41000-memory.dmp
memory/2732-129-0x000000013FCA0000-0x000000013FFF1000-memory.dmp
memory/1716-127-0x000000013F080000-0x000000013F3D1000-memory.dmp
memory/2836-125-0x000000013FF30000-0x0000000140281000-memory.dmp
memory/2500-124-0x000000013FF30000-0x0000000140281000-memory.dmp
memory/2500-122-0x000000013F340000-0x000000013F691000-memory.dmp
memory/2784-121-0x000000013FC20000-0x000000013FF71000-memory.dmp
memory/2500-120-0x00000000022F0000-0x0000000002641000-memory.dmp
memory/2864-119-0x000000013FD90000-0x00000001400E1000-memory.dmp
memory/2500-118-0x000000013FD90000-0x00000001400E1000-memory.dmp
memory/2216-116-0x000000013FCE0000-0x0000000140031000-memory.dmp
memory/2904-115-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/2500-131-0x000000013F8E0000-0x000000013FC31000-memory.dmp
C:\Windows\system\iavwKwo.exe
| MD5 | f125520a980f1700b6978cf8b809a305 |
| SHA1 | 228c5e21307e36656cb3010d3e543eef55e60936 |
| SHA256 | f30295607308280f2c7b07fd4a57cfea728b23cee6c05389f3ce3b215277c356 |
| SHA512 | 4ae4dcbf931fe3f5892f4ff09244d4b40aee136bf922e78b36cb6f345c815933efe7bd5c9ffe33bc294702c9e43a3353e8fe73d60cb01b6fdf69ee35ec77d0d1 |
C:\Windows\system\eQZKIax.exe
| MD5 | a633c7c1056b81af6f1952063867d3ad |
| SHA1 | 4faa9210b48c2f1e56375c7904492f56457f392d |
| SHA256 | 0c1ba497e19b3ceb52899348d703f11dc1845273e14f9afa25c0a16833cbb7fc |
| SHA512 | 56736bc02482a7c390ae9863b21306b00b6f85360eb7e368b04f307d6f508d26e1f787b8daea68c248ea30a37f4f1844c6a3f04791300eef5d8cc232296609db |
C:\Windows\system\gaXqTmE.exe
| MD5 | e4384778f97cee6be2e62609d9d8ae05 |
| SHA1 | 69d851a86fa3f649833ca1673b8837d1362ff8e6 |
| SHA256 | ee2c4ee7d8da75280014168b0c2448ccb5341bf25cb9278d037900ee8ab3da37 |
| SHA512 | 679bd56d6c8e9ba908c6fe389de7508ef96f212187b9ac5195a7565b355f7b83c1910318e4aaeeb8621d3f06d1e154ed043972e2750a3113867a0cd8ee41b091 |
C:\Windows\system\PxVGxYw.exe
| MD5 | dc5112913e77adceae7b8610181306d4 |
| SHA1 | eeeec035c996f8b161afeddf0f1dee484b6036f8 |
| SHA256 | e6862a43534836efcaab449052a43de5192fbe6a3495694e9e46ad6b6a12ca4e |
| SHA512 | 38cf56a6091076b3de912ee0d3f2292013c56129bfa6c7a22a7c21d3c1f6388d6a86072201c1d7d711a0adfaad1013d6910d0b1110dbcec2996fcba076782f76 |
C:\Windows\system\DUAWMnY.exe
| MD5 | 5fba68a0372033232d3a5dd67bac6fde |
| SHA1 | 717964c50edc434510beb8e30ca7eb36846a4b80 |
| SHA256 | 0f6ff7d5754688ef83cc6b744f56fccd74de0544d5e7f8c56d424cbd7510d686 |
| SHA512 | 4e67f37432bc3b9fa152c8b2059a1410f84b48ff39715044fb0c58d7db5058702744330cad49226878c229c6d73d80f7847c76cd729c220095d58805a63454de |
C:\Windows\system\uUfKaxS.exe
| MD5 | 03903582d9cf404d0e3911a89915091f |
| SHA1 | f6a8e583a6d8b1aa64e352327b0fcb0fc29b7847 |
| SHA256 | ebbdd1f95bbce464f5c0c5e451fcbf1d1cb6727469d980a0b7591773d9b63b88 |
| SHA512 | e2bc635fcd420d6cfbad57b65a50cac54eb6f92c6103546254c77ea92c3d18e843bd286ed57d2766bfd16607426c9fca25121ecc07d0bc469a4726193703b8d1 |
memory/1612-132-0x000000013FDE0000-0x0000000140131000-memory.dmp
memory/1884-133-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/2716-134-0x000000013FDB0000-0x0000000140101000-memory.dmp
memory/2500-135-0x000000013F8E0000-0x000000013FC31000-memory.dmp
memory/2904-140-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/2664-153-0x000000013FE00000-0x0000000140151000-memory.dmp
memory/2500-158-0x000000013FCA0000-0x000000013FFF1000-memory.dmp
memory/1128-157-0x000000013F1B0000-0x000000013F501000-memory.dmp
memory/1888-156-0x000000013F440000-0x000000013F791000-memory.dmp
memory/2488-155-0x000000013F090000-0x000000013F3E1000-memory.dmp
memory/2288-154-0x000000013FF10000-0x0000000140261000-memory.dmp
memory/2636-152-0x000000013FFE0000-0x0000000140331000-memory.dmp
memory/1880-151-0x000000013FA70000-0x000000013FDC1000-memory.dmp
memory/2500-159-0x000000013F8E0000-0x000000013FC31000-memory.dmp
memory/1684-226-0x000000013FA00000-0x000000013FD51000-memory.dmp
memory/1612-228-0x000000013FDE0000-0x0000000140131000-memory.dmp
memory/1884-230-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/2716-232-0x000000013FDB0000-0x0000000140101000-memory.dmp
memory/2904-234-0x000000013F290000-0x000000013F5E1000-memory.dmp
memory/2764-237-0x000000013F340000-0x000000013F691000-memory.dmp
memory/2784-243-0x000000013FC20000-0x000000013FF71000-memory.dmp
memory/888-242-0x000000013F9F0000-0x000000013FD41000-memory.dmp
memory/2732-257-0x000000013FCA0000-0x000000013FFF1000-memory.dmp
memory/2864-246-0x000000013FD90000-0x00000001400E1000-memory.dmp
memory/2760-258-0x000000013FC30000-0x000000013FF81000-memory.dmp
memory/2836-253-0x000000013FF30000-0x0000000140281000-memory.dmp
memory/1716-248-0x000000013F080000-0x000000013F3D1000-memory.dmp
memory/2216-241-0x000000013FCE0000-0x0000000140031000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 11:44
Reported
2024-10-25 11:46
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader (family tag: Cobaltstrike): 21 matches, none with a recorded description, indicator, process or target
XMRig Miner payload (family tag: xmrig): 45 matches, none with recorded details
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\kHnGXGw.exe | N/A |
| N/A | N/A | C:\Windows\System\zyJQFjR.exe | N/A |
| N/A | N/A | C:\Windows\System\fsqoRzg.exe | N/A |
| N/A | N/A | C:\Windows\System\LUITuWs.exe | N/A |
| N/A | N/A | C:\Windows\System\MOecgQT.exe | N/A |
| N/A | N/A | C:\Windows\System\FXeidgD.exe | N/A |
| N/A | N/A | C:\Windows\System\WlrdmpY.exe | N/A |
| N/A | N/A | C:\Windows\System\xqjmWYR.exe | N/A |
| N/A | N/A | C:\Windows\System\guudmYD.exe | N/A |
| N/A | N/A | C:\Windows\System\FYtfVUd.exe | N/A |
| N/A | N/A | C:\Windows\System\nArzAfI.exe | N/A |
| N/A | N/A | C:\Windows\System\bFJetjc.exe | N/A |
| N/A | N/A | C:\Windows\System\DUsvgvx.exe | N/A |
| N/A | N/A | C:\Windows\System\kliznop.exe | N/A |
| N/A | N/A | C:\Windows\System\TUuFGvR.exe | N/A |
| N/A | N/A | C:\Windows\System\IdQMgPl.exe | N/A |
| N/A | N/A | C:\Windows\System\clpXIry.exe | N/A |
| N/A | N/A | C:\Windows\System\hcAUOws.exe | N/A |
| N/A | N/A | C:\Windows\System\lLGfCfI.exe | N/A |
| N/A | N/A | C:\Windows\System\aNnvcJH.exe | N/A |
| N/A | N/A | C:\Windows\System\GNojxul.exe | N/A |
UPX packed file: 64 matches, none with recorded details
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe"
Dropped executables that were run (each command line is the bare image path, no arguments):
C:\Windows\System\kHnGXGw.exe
C:\Windows\System\zyJQFjR.exe
C:\Windows\System\fsqoRzg.exe
C:\Windows\System\LUITuWs.exe
C:\Windows\System\MOecgQT.exe
C:\Windows\System\FXeidgD.exe
C:\Windows\System\WlrdmpY.exe
C:\Windows\System\xqjmWYR.exe
C:\Windows\System\guudmYD.exe
C:\Windows\System\FYtfVUd.exe
C:\Windows\System\nArzAfI.exe
C:\Windows\System\DUsvgvx.exe
C:\Windows\System\bFJetjc.exe
C:\Windows\System\kliznop.exe
C:\Windows\System\TUuFGvR.exe
C:\Windows\System\IdQMgPl.exe
C:\Windows\System\clpXIry.exe
C:\Windows\System\hcAUOws.exe
C:\Windows\System\lLGfCfI.exe
C:\Windows\System\GNojxul.exe
C:\Windows\System\aNnvcJH.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Only the six TCP connections to 3.120.209.58:8080 are attributable to the sample; they match the win7 run exactly and again have no DNS query in front of them. The reverse (in-addr.arpa) lookups and the g.bing.com / tse1.mm.bing.net traffic are the Windows 10 guest's own background activity and should not be copied into an indicator list.
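The indicators from both detonations above reduce to four detection rules: an executable created or started under C:\Windows\System with a seven-letter random name, a known dropped-file hash, a connection to the C2 socket, and SeLockMemoryPrivilege being enabled by a process running from a user-writable location. The following is an added example that is not part of the sandbox report: it runs those rules over a handful of log lines constructed for the example in a simplified Key=Value shape modelled on Sysmon events 1, 3 and 11 and Security event 4703. The field names follow Sysmon and the Security log, but the line format itself is an assumption; feed a real Sysmon/JSON parser into the same `parse_event` output shape to use it.

```python
import re

# Indicators taken from the two detonations in this report.
C2_SOCKETS = {("3.120.209.58", 8080)}
DROPPED_SHA256 = {
    "4c27cfe0ca64601d53c7a09091172c9948cafd4c8678411b82506e783b6bcca5",  # eurnuFT.exe, win7 run
    "d6d8c6c75a3bed7e1bb5df2774d131b53a6feff1afc469d4c60641984069cc74",  # kHnGXGw.exe, win10 run
}
# Every file dropped in both runs is C:\Windows\System\<seven letters>.exe (never System32).
DROP_PATH = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)
SHA256_FIELD = re.compile(r"SHA256=([0-9a-f]{64})", re.IGNORECASE)

# Constructed sample log lines (not from the report): Key=Value tokens modelled on Sysmon
# events 1 (process create), 3 (network connect), 11 (file create) and Security event 4703
# (user right adjusted). Lines 5 and 6 are benign noise that must not alert.
SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\2024-10-25_0cd80e2cdb30e9b76d22bb3c1908858e_cobalt-strike_cobaltstrike_poet-rat.exe")
SAMPLE_LOG = [
    f"EventID=11 Image={SAMPLE_EXE} TargetFilename=C:\\Windows\\System\\eurnuFT.exe",
    f"EventID=1 Image=C:\\Windows\\System\\eurnuFT.exe ParentImage={SAMPLE_EXE} "
    "Hashes=SHA256=4c27cfe0ca64601d53c7a09091172c9948cafd4c8678411b82506e783b6bcca5",
    f"EventID=4703 ProcessName={SAMPLE_EXE} EnabledPrivilegeList=SeLockMemoryPrivilege",
    "EventID=3 Image=C:\\Windows\\System\\eurnuFT.exe DestinationIp=3.120.209.58 DestinationPort=8080",
    "EventID=1 Image=C:\\Windows\\System32\\svchost.exe ParentImage=C:\\Windows\\System32\\services.exe "
    "Hashes=SHA256=0000000000000000000000000000000000000000000000000000000000000000",
    "EventID=3 Image=C:\\Windows\\System32\\svchost.exe DestinationIp=150.171.27.10 DestinationPort=443",
]


def parse_event(line):
    """Split a 'Key=Value Key=Value' line into a dict; only the first '=' separates key from value."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def rule_drop_path(ev):
    """Executable written to or started from C:\\Windows\\System with a 7-letter random name."""
    if ev.get("EventID") == "1" and DROP_PATH.match(ev.get("Image", "")):
        return "process started from C:\\Windows\\System with a seven-letter random name"
    if ev.get("EventID") == "11" and DROP_PATH.match(ev.get("TargetFilename", "")):
        return "file created in C:\\Windows\\System with a seven-letter random name"
    return None


def rule_known_hash(ev):
    """SHA256 of the started image matches a file dropped in the sandbox runs."""
    m = SHA256_FIELD.search(ev.get("Hashes", ""))
    if m and m.group(1).lower() in DROPPED_SHA256:
        return "SHA256 matches a file dropped in the sandbox run"
    return None


def rule_c2(ev):
    """Outbound connection to the socket contacted in both detonations."""
    if ev.get("EventID") != "3":
        return None
    sock = (ev.get("DestinationIp"), int(ev.get("DestinationPort", "0")))
    if sock in C2_SOCKETS:
        return "connection to C2 socket %s:%d seen in both detonations" % sock
    return None


def rule_lock_memory(ev):
    """SeLockMemoryPrivilege (large pages, used by XMRig for RandomX) enabled by a process
    running from Temp or from C:\\Windows\\System. Database engines legitimately hold this
    right, so the location check keeps the rule from alerting on them."""
    if ev.get("EventID") != "4703":
        return None
    if "SeLockMemoryPrivilege" not in ev.get("EnabledPrivilegeList", ""):
        return None
    proc = ev.get("ProcessName", "")
    if DROP_PATH.match(proc) or "\\appdata\\local\\temp\\" in proc.lower():
        return "SeLockMemoryPrivilege enabled by a process running from Temp or C:\\Windows\\System"
    return None


RULES = (rule_drop_path, rule_known_hash, rule_c2, rule_lock_memory)


def scan(lines):
    """Return (line_number, rule_name, reason) for every rule hit, in log order."""
    alerts = []
    for n, line in enumerate(lines, 1):
        ev = parse_event(line)
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append((n, rule.__name__, hit))
    return alerts


if __name__ == "__main__":
    for line_no, rule, why in scan(SAMPLE_LOG):
        print(f"line {line_no}: {rule}: {why}")
```

The path rule is the one to keep long-term: the 21 drops in each run all carry different hashes, so `rule_known_hash` only catches re-used drops, whereas the C:\Windows\System\<7 letters>.exe pattern is stable across both runs and is a location legitimate software almost never writes executables to.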
Files
memory/4944-0-0x00007FF708FA0000-0x00007FF7092F1000-memory.dmp
memory/4944-1-0x00000179A1850000-0x00000179A1860000-memory.dmp
C:\Windows\System\kHnGXGw.exe
| MD5 | e7d16f9a8a05bf96ef6eb43d779975a9 |
| SHA1 | 7176efa9a9506da232d1b1854ee1facf12b154e1 |
| SHA256 | d6d8c6c75a3bed7e1bb5df2774d131b53a6feff1afc469d4c60641984069cc74 |
| SHA512 | 98cdf57e822ddd917623ae82e2dcf53a9bb883ae6c526ff38c3a8905e05e12b7f7eef77ed6b39a4d8e479ec1fbb799d96f994f0e9b922eee2c5f66859ad9b008 |
memory/1048-8-0x00007FF7379D0000-0x00007FF737D21000-memory.dmp
C:\Windows\System\zyJQFjR.exe
| MD5 | d33a46878c6deaa4255661190d831125 |
| SHA1 | a6f0d4db0f4ba889c4a337844dfcb8736abe227d |
| SHA256 | a3f00c4c5a7e3300384c705639d25b8bd4abdd136b9fb7c88d3b9b2b3c1413ee |
| SHA512 | fd2924b7d66912a972d17ff341f6740abfdc8943346a6f8762539ec5781f120f3be9b94e9d83b4cf51d114149638fe9613fbd41c39ec03ab904e3504b5ce8948 |
C:\Windows\System\fsqoRzg.exe
| MD5 | 88d4f75a5d506c5600036073c7705b4a |
| SHA1 | 47e86ab7f424bf219b35496f68cd4e4a8ad5aa61 |
| SHA256 | 0507ee181a373f11b913abfbcaff06e7856869f9a839d09e1bd38f679762a1f4 |
| SHA512 | 8939f6ff1bc3aea98825b7b267bf1eff81113e0ec1e3a1b5700c30c1cce4fc6323d41c90c8caec21ff0168e9ca9e0dacd79b62e36b851e0c33745c8dccf4d017 |
memory/2316-32-0x00007FF791330000-0x00007FF791681000-memory.dmp
C:\Windows\System\MOecgQT.exe
| MD5 | e0593249f634e3955f2155286488077a |
| SHA1 | f9751469dbb2a5593be958acd97bbebd995bd0be |
| SHA256 | 27e3181c0c5d67db2b19edddd0c707560b51ff4fbcedf7249d9767c00f94e636 |
| SHA512 | 0213b7c6bc217edc7274206cb99d74feb00f302cd462910135276a75c58d2e41a4c3a00394b8cd840fec17da4e03ae22432e3eba9882d54d8b7a6a8bb1bc89af |
C:\Windows\System\LUITuWs.exe
| MD5 | c2fc36a9db23ea0978ac726b62f8192e |
| SHA1 | 8ba77b3114d17115068a023b28d7b35763ddc3b1 |
| SHA256 | 944f90b089578a8106158e1de707a9e91ea8d2d981702e9f524323c494daa502 |
| SHA512 | 7f30b56d575811a01a7607a049256d0d600b359df8c5778b220564ed91e527ce1b335c864a642cd01124d4817d45787632b3bf6963762a3653b9f882fd25ceb8 |
C:\Windows\System\WlrdmpY.exe
| MD5 | f961c87fecdb9152a73891daca92e28f |
| SHA1 | 74d050cf5f3fe422afd3b0d4d1af835733a448f8 |
| SHA256 | 6c92def8ed7e4a5821a5a6d9932692aa30d36571081582692829cfe4a9490dc2 |
| SHA512 | d4960034ea16e1998e6ec233934eb93c20c85dc763aff49d431dfa635452276d236439cae0d2499b52344222f7e5e6473d06029ed5c829c90087f6f77f7e69cc |
C:\Windows\System\FXeidgD.exe
| MD5 | 4bf793afc3e04b654cc428e016644963 |
| SHA1 | 97b75fa97a8cc76d0e04adff890bf546e7e18896 |
| SHA256 | b2c141096f0141960a98e7af6bfe2d7d5d8b72e4a0f4fe18e76f217b4874ccb5 |
| SHA512 | 6fbe452064bd424d4488a7e50e48e7524aa986d3ab768e2c96ce8dedbac30c2f398b5771cc67d81a518ef8ec0752fe17c173285e19677fe1edbe05319d19b64d |
C:\Windows\System\FYtfVUd.exe
| MD5 | 1b43a9b88ae8b364ed7a1234ebebb3ee |
| SHA1 | 86bb8b5e38fa2ca333f5da80b5a511e493a5fc85 |
| SHA256 | bcf39f4a1095e09a623a819b75d5dc331e99e9be0a02bec6860944e0fb296fd8 |
| SHA512 | 38975aa61a336ada2e32471951c946a8c7888abd1810b2450ded089b58ef8edbbf7e0111cd29907454d9b2763d237e5b874de3f5266ba73abd57a50e84463929 |
C:\Windows\System\guudmYD.exe
| MD5 | 1b1ea34a4aa8c6a28258b49cc28cda49 |
| SHA1 | 8c61d60cbc56153a6cd90af199d4ddf7862ea8a7 |
| SHA256 | 3b79f2c26613614e5d330ef1377aad673772e93c952a89380cdc2dd646551449 |
| SHA512 | 8dcf884f564b86356b7497e0c77dfa3a31c8f9acfebad3ac2fde5b643a2971db9dca28fc86798ec43664f500c3710ef7657da7d10393e2b4124f4ffdc4447a62 |
memory/4140-74-0x00007FF7A37A0000-0x00007FF7A3AF1000-memory.dmp
C:\Windows\System\clpXIry.exe
| MD5 | 703aa7e5c87549cbd5ffb47fda3045d4 |
| SHA1 | e49c720e11cf2d2e54da87c98cafd92daf4a3435 |
| SHA256 | de16d21357872e867139266a8c400b11e5a62711a77980b2c213919439bad0ce |
| SHA512 | f2d6b43e90278530b5e9b194e54aebb86b77850e1bcf7a5c0baf31b96d128074b2169dbdc44a89e186b779e4e00f78e57d43425f03d53ee2ebc32a10ddb9a3b4 |
memory/4820-103-0x00007FF664390000-0x00007FF6646E1000-memory.dmp
C:\Windows\System\aNnvcJH.exe
| MD5 | e9478fa5e44b8e44bd3900030b878c30 |
| SHA1 | dfcaf787d34ddda5c6fd9e4b15038f04c58fd8d6 |
| SHA256 | 331dc2f04544c5330c7813c720890901b34ee223900593ab96468f3f23418b73 |
| SHA512 | a1bba36409cf18efe875f703df21d80a7d1610d553c526e4beb528accb8b04a408efb9db266b177214a3bd238df646cfc1b6afd5d5788a1e06e1b875fa7d3ae4 |
C:\Windows\System\GNojxul.exe
| MD5 | d565fcb8821455db31e8b78c8bc22d14 |
| SHA1 | 4e9f50ca6d79eee16efb04312f778a8f096ce032 |
| SHA256 | 5a400feaae7fed720609b1e8cbf75a845c7a8559f443f8cd14d8a2150ec38ff6 |
| SHA512 | 1d86d5af6c462b835b965395bc9f57a2db03f46d98790070c3176da47bf72d8292889f503e00adc6040fe39b0faef078ed90d4683600d779a42cc82464c190bf |
memory/1576-123-0x00007FF65F130000-0x00007FF65F481000-memory.dmp
C:\Windows\System\lLGfCfI.exe
| MD5 | d915d8327df222365fb0f4323eca1932 |
| SHA1 | 467537fed5980ddbb16645c4397a983c88ed3d58 |
| SHA256 | d27a2ea3abc708ea2c0a8e33ba24129b8aa7c4f8bf6638ea3f1213117e46eb98 |
| SHA512 | b770eecdb48065a21f0e847ffafb667c9a33e0e35f6dfaf353f0980f78f4a8cdb210adc3a83c5f70b15a196e3d802fb1fbd9f1c109210de15d85f61939935333 |
C:\Windows\System\hcAUOws.exe
| MD5 | 54d1e4c391c4310ef5877f53c2ed4147 |
| SHA1 | c41ca2e2e1db09e29cd555041c8c6fb63d88dad6 |
| SHA256 | 5145ac0230ac5ef70e069c960d356462743c7d645638872c18c1731532977b9d |
| SHA512 | 818a209c8cb670377a40da03ebc38fa08d82d9f966a41501833da41deaff9aeeef951cb2c8a496cd3b84eb813edce33e530ebb33da1ac6809b3385d2b779c594 |
memory/1076-114-0x00007FF7AC800000-0x00007FF7ACB51000-memory.dmp
memory/4816-113-0x00007FF75EB00000-0x00007FF75EE51000-memory.dmp
memory/1612-110-0x00007FF60D910000-0x00007FF60DC61000-memory.dmp
C:\Windows\System\IdQMgPl.exe
| MD5 | d7fd38ac14bd146288e517b62c2af468 |
| SHA1 | 1dff7b858f9a60b680be37f37293c185f4f7713c |
| SHA256 | 0aa38476efd525ed435e6dc20d20f827edb5a7314d754383d23e50a0debd2bfc |
| SHA512 | f0f05e6164c517483cbe103b44a6358da94195fa6094dddac019406348ae255da1974029dba324ba42c90c3e99be7cddcb7d4cd11c4299cc62b16b1ee8042285 |
memory/3636-102-0x00007FF6359F0000-0x00007FF635D41000-memory.dmp
C:\Windows\System\DUsvgvx.exe
| MD5 | db1dcabcc46b096b7c0bf41c0b11621b |
| SHA1 | 9fe838ee8590fbb7b050d4da8d43756b0498046d |
| SHA256 | 6ef909208da4df854aea4dba292b24f427f92dc607133a094698f35bb114c005 |
| SHA512 | aa56162f1c0e318876aa0559a44a7f0554da4b56f01f7106dd50482e71448dd27eaf191a1fdc315fea0643162e5b061986daa391cd3b7ccfcfd2b2edc1b7089e |
C:\Windows\System\bFJetjc.exe
| MD5 | e4810fd7256dfbf89fea97b94ad548ad |
| SHA1 | f3badfe9d8629d60833007e6eca3bc2a1d6eef19 |
| SHA256 | b8953d567e91177ac50ca92d308cf88a46eb59fd629ac37470e412b2b40686f1 |
| SHA512 | 4a38d229a8de4338baf3ea6521b7b319d07cd624ba1901f2326fc522af6dbd08428fc4f9600cd7ba68331d808c6f07afdfb16918f2f757da9436c2c8642c06ce |
C:\Windows\System\kliznop.exe
| MD5 | 367e21b07be9a369c2939a9fef7ffbc3 |
| SHA1 | 32adb0f2fae1d63a9b625b7538e595696226e9ae |
| SHA256 | 027a2884461c15803178b01d290c975d91f876cd576dfd66f0ef6baa7c2362ac |
| SHA512 | e67487137b69e36cc2eb1f72c0ae0416276ad8b2ec481db9632dbe9a90bbc943d3d1c43e96869717e89d0650c00101bb310346755badda998bddcb584f63bafe |
memory/2920-86-0x00007FF6CBC10000-0x00007FF6CBF61000-memory.dmp
memory/3216-85-0x00007FF709E10000-0x00007FF70A161000-memory.dmp
C:\Windows\System\TUuFGvR.exe
| MD5 | b9c819155e5ebcb8bd2dd69ed0a077c0 |
| SHA1 | ddcf8cf7687c9e5ecfe5b7598f70906b82f9c84b |
| SHA256 | fcb6843770b9572de55a8e433e6d1fa13540fea2d4d81fb5dd912a314385fe53 |
| SHA512 | 2312cc73f8534f8e8012bb40b88e7998b6dd8482dec5e61a2a8bb78ccd6af481eee972d60302927358c575ffc403a2897fead1c56ad81fd7f3d015a7cdd0eac1 |
C:\Windows\System\nArzAfI.exe
| MD5 | f5b556fe4c61a164211e5598e4bf789d |
| SHA1 | 7269f1f6e44048ccae2c1702512a549d03638c5a |
| SHA256 | 0ace602c353d36e5e06af206f6d314c911171c2770a3d21b1531eaf64690b97f |
| SHA512 | ef4cdf6e2b3fcd347f73ef99ba54e049182fdd12c81beb4592187c9b6e5657510727bd24e094b85174cfdbc6bb0babc258b2a485c14d04c8d2f031b8b9900184 |
memory/3884-61-0x00007FF70CA50000-0x00007FF70CDA1000-memory.dmp
memory/5060-58-0x00007FF7CCC30000-0x00007FF7CCF81000-memory.dmp
C:\Windows\System\xqjmWYR.exe
| MD5 | f18ec446fed7b1fdbb997d7d08a6817a |
| SHA1 | f0be1d74808ecb30be7bc42786bb320309ce447b |
| SHA256 | 0997bb93d743401af54e4a8826aa00550b830aebfb046939ec5951e5e5c7677d |
| SHA512 | 9d0bd9443f70c9e48356c2383f2980570fa4fdb1ccba6359ac4a633427bf7f7c870a4fafede9174691b850e1cd2298c8ce4b9e23f1abd1ff01fe26536532967d |
memory/2620-53-0x00007FF6D9740000-0x00007FF6D9A91000-memory.dmp
memory/2876-50-0x00007FF655480000-0x00007FF6557D1000-memory.dmp
memory/1460-42-0x00007FF6B9500000-0x00007FF6B9851000-memory.dmp
memory/2928-19-0x00007FF7B1940000-0x00007FF7B1C91000-memory.dmp
memory/1476-124-0x00007FF715DE0000-0x00007FF716131000-memory.dmp
memory/2368-125-0x00007FF6A06D0000-0x00007FF6A0A21000-memory.dmp
memory/2412-127-0x00007FF7475A0000-0x00007FF7478F1000-memory.dmp
memory/4944-126-0x00007FF708FA0000-0x00007FF7092F1000-memory.dmp
memory/4524-128-0x00007FF686900000-0x00007FF686C51000-memory.dmp
memory/2928-130-0x00007FF7B1940000-0x00007FF7B1C91000-memory.dmp
memory/1048-129-0x00007FF7379D0000-0x00007FF737D21000-memory.dmp
memory/2620-136-0x00007FF6D9740000-0x00007FF6D9A91000-memory.dmp
memory/4140-137-0x00007FF7A37A0000-0x00007FF7A3AF1000-memory.dmp
memory/1612-146-0x00007FF60D910000-0x00007FF60DC61000-memory.dmp
memory/3216-139-0x00007FF709E10000-0x00007FF70A161000-memory.dmp
memory/2876-135-0x00007FF655480000-0x00007FF6557D1000-memory.dmp
memory/1460-133-0x00007FF6B9500000-0x00007FF6B9851000-memory.dmp
memory/4820-144-0x00007FF664390000-0x00007FF6646E1000-memory.dmp
memory/2920-140-0x00007FF6CBC10000-0x00007FF6CBF61000-memory.dmp
memory/2316-132-0x00007FF791330000-0x00007FF791681000-memory.dmp
memory/4944-150-0x00007FF708FA0000-0x00007FF7092F1000-memory.dmp
memory/4944-151-0x00007FF708FA0000-0x00007FF7092F1000-memory.dmp
memory/1048-212-0x00007FF7379D0000-0x00007FF737D21000-memory.dmp
memory/2928-214-0x00007FF7B1940000-0x00007FF7B1C91000-memory.dmp
memory/5060-216-0x00007FF7CCC30000-0x00007FF7CCF81000-memory.dmp
memory/2316-218-0x00007FF791330000-0x00007FF791681000-memory.dmp
memory/1460-221-0x00007FF6B9500000-0x00007FF6B9851000-memory.dmp
memory/2876-222-0x00007FF655480000-0x00007FF6557D1000-memory.dmp
memory/3884-224-0x00007FF70CA50000-0x00007FF70CDA1000-memory.dmp
memory/4140-226-0x00007FF7A37A0000-0x00007FF7A3AF1000-memory.dmp
memory/2620-234-0x00007FF6D9740000-0x00007FF6D9A91000-memory.dmp
memory/3216-242-0x00007FF709E10000-0x00007FF70A161000-memory.dmp
memory/1076-244-0x00007FF7AC800000-0x00007FF7ACB51000-memory.dmp
memory/2920-246-0x00007FF6CBC10000-0x00007FF6CBF61000-memory.dmp
memory/1576-240-0x00007FF65F130000-0x00007FF65F481000-memory.dmp
memory/4816-239-0x00007FF75EB00000-0x00007FF75EE51000-memory.dmp
memory/3636-237-0x00007FF6359F0000-0x00007FF635D41000-memory.dmp
memory/4524-257-0x00007FF686900000-0x00007FF686C51000-memory.dmp
memory/2368-258-0x00007FF6A06D0000-0x00007FF6A0A21000-memory.dmp
memory/2412-255-0x00007FF7475A0000-0x00007FF7478F1000-memory.dmp
memory/1476-251-0x00007FF715DE0000-0x00007FF716131000-memory.dmp
memory/1612-253-0x00007FF60D910000-0x00007FF60DC61000-memory.dmp
memory/4820-249-0x00007FF664390000-0x00007FF6646E1000-memory.dmp
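The dropped-file and memory-dump entries above are the sandbox's raw artifact listing. The Python below is an added editor's example, not part of the sandbox report or any tooling it references: it parses that listing format into a SHA256 blocklist, checks each hash value has the length its algorithm requires, and turns every `memory/<pid>-<n>-<start>-<end>-memory.dmp` name into a mapping whose size it can compare across processes. The `REPORT` string is a constructed excerpt copied from the entries above (SHA512 rows left out for brevity); the regular expressions and function names are this example's own assumptions.

```python
import re

# Constructed excerpt copied from the dropped-file and memory-dump entries
# in the report above (a handful of entries only, SHA512 rows omitted).
REPORT = r"""
C:\Windows\System\guudmYD.exe
| MD5 | 1b1ea34a4aa8c6a28258b49cc28cda49 |
| SHA1 | 8c61d60cbc56153a6cd90af199d4ddf7862ea8a7 |
| SHA256 | 3b79f2c26613614e5d330ef1377aad673772e93c952a89380cdc2dd646551449 |
memory/4140-74-0x00007FF7A37A0000-0x00007FF7A3AF1000-memory.dmp
C:\Windows\System\clpXIry.exe
| MD5 | 703aa7e5c87549cbd5ffb47fda3045d4 |
| SHA1 | e49c720e11cf2d2e54da87c98cafd92daf4a3435 |
| SHA256 | de16d21357872e867139266a8c400b11e5a62711a77980b2c213919439bad0ce |
memory/4820-103-0x00007FF664390000-0x00007FF6646E1000-memory.dmp
memory/1576-123-0x00007FF65F130000-0x00007FF65F481000-memory.dmp
memory/4140-137-0x00007FF7A37A0000-0x00007FF7A3AF1000-memory.dmp
"""

# Expected hex-digit length per algorithm; a value of the wrong length is a
# copy/paste or extraction error and must not silently enter a blocklist.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

PATH_RE = re.compile(r"^[A-Za-z]:\\")                       # a dropped-file path line
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")


def parse_report(text):
    """Return (files, regions): files is a list of {'path', 'hashes'} dicts,
    regions a list of dicts with pid, dump sequence number, start, end, size."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m_hash, m_mem = HASH_RE.match(line), MEM_RE.match(line)
        if PATH_RE.match(line):
            current = {"path": line, "hashes": {}}
            files.append(current)
        elif m_hash:
            algo, digest = m_hash.group(1), m_hash.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{algo} value has wrong length: {line}")
            if current is None:
                raise ValueError(f"hash row before any file path: {line}")
            current["hashes"][algo] = digest
        elif m_mem:
            start, end = int(m_mem.group(3), 16), int(m_mem.group(4), 16)
            regions.append({"pid": int(m_mem.group(1)), "seq": int(m_mem.group(2)),
                            "start": start, "end": end, "size": end - start})
    return files, regions


def sha256_blocklist(files):
    """Sorted, de-duplicated SHA256 values of every dropped file."""
    return sorted({f["hashes"]["SHA256"] for f in files if "SHA256" in f["hashes"]})


def random_name_drops(files):
    """Paths in the Windows System directory whose basename is seven letters
    plus .exe, the naming pattern every dropped executable in this report follows."""
    pat = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")
    return [f["path"] for f in files if pat.match(f["path"])]


def unique_mappings(regions):
    """Collapse repeated dumps of the same (pid, base) into one mapping -> size."""
    seen = {}
    for r in regions:
        seen.setdefault((r["pid"], r["start"]), r["size"])
    return seen


def region_sizes(regions):
    """Set of distinct mapped-region sizes across all dumps."""
    return {r["size"] for r in regions}


if __name__ == "__main__":
    files, regions = parse_report(REPORT)
    print("SHA256 blocklist:", sha256_blocklist(files))
    print("random-name drops:", random_name_drops(files))
    print("distinct region sizes:", {hex(s) for s in region_sizes(regions)})
    print("unique (pid, base) mappings:", len(unique_mappings(regions)), "of", len(regions), "dumps")
```

Run against the full listing, every dumped region comes out at 0x351000 bytes: the same image size mapped at a different high-entropy ASLR base in each process, while the on-disk SHA256 differs per copy. A hash blocklist therefore has to carry every entry, whereas the seven-letter `C:\Windows\System\*.exe` naming and the identical mapping size are the pivots that survive the next sample.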