Analysis Overview
SHA256
cdb51c813437685db3fbd116ecd6522a14e57ca10dd958f748b4156fe51fbc64
Threat Level: Known bad
The file 2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat was classified as Known bad. The family names in that file name are part of the submission's name, not detections; the signatures that actually fired, in the static pass and in both detonations, are Cobalt Strike (reflective loader) and XMRig (miner payload).
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike family
Xmrig family
XMRig Miner payload
Cobaltstrike
xmrig
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-10-27 04:38
Signatures
Cobalt Strike reflective loader
1 hit; description, indicator, process and target not exported.
Cobaltstrike family
XMRig Miner payload
1 hit; description, indicator, process and target not exported.
Xmrig family
UPX packed file
1 hit; description, indicator, process and target not exported.
Unsigned PE
2 hits; description, indicator, process and target not exported.
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 04:38
Reported
2024-10-27 04:40
Platform
win7-20240903-en
Max time kernel
140s
Max time network
148s
Signatures
Cobalt Strike reflective loader
21 hits; description, indicator, process and target not exported.
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
40 hits; description, indicator, process and target not exported.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\smlUjnr.exe | N/A |
| N/A | N/A | C:\Windows\System\XCMBDxJ.exe | N/A |
| N/A | N/A | C:\Windows\System\zYRLSqe.exe | N/A |
| N/A | N/A | C:\Windows\System\ustqoxO.exe | N/A |
| N/A | N/A | C:\Windows\System\rRVNpIO.exe | N/A |
| N/A | N/A | C:\Windows\System\YgdsyZC.exe | N/A |
| N/A | N/A | C:\Windows\System\IjfTcZX.exe | N/A |
| N/A | N/A | C:\Windows\System\SzYyHRW.exe | N/A |
| N/A | N/A | C:\Windows\System\KYOKlIU.exe | N/A |
| N/A | N/A | C:\Windows\System\XBEYyIk.exe | N/A |
| N/A | N/A | C:\Windows\System\yOnzGkV.exe | N/A |
| N/A | N/A | C:\Windows\System\GHKtyld.exe | N/A |
| N/A | N/A | C:\Windows\System\IFOCDno.exe | N/A |
| N/A | N/A | C:\Windows\System\zZMGLkm.exe | N/A |
| N/A | N/A | C:\Windows\System\VNWUtXU.exe | N/A |
| N/A | N/A | C:\Windows\System\hoEzqbm.exe | N/A |
| N/A | N/A | C:\Windows\System\DsjwAKj.exe | N/A |
| N/A | N/A | C:\Windows\System\UPnUpUX.exe | N/A |
| N/A | N/A | C:\Windows\System\weYIamj.exe | N/A |
| N/A | N/A | C:\Windows\System\rLSXZJl.exe | N/A |
| N/A | N/A | C:\Windows\System\yFfJJxH.exe | N/A |
Loads dropped DLL
UPX packed file
61 hits; description, indicator, process and target not exported.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\smlUjnr.exe | C:\Windows\System\smlUjnr.exe |
| C:\Windows\System\zYRLSqe.exe | C:\Windows\System\zYRLSqe.exe |
| C:\Windows\System\XCMBDxJ.exe | C:\Windows\System\XCMBDxJ.exe |
| C:\Windows\System\ustqoxO.exe | C:\Windows\System\ustqoxO.exe |
| C:\Windows\System\rRVNpIO.exe | C:\Windows\System\rRVNpIO.exe |
| C:\Windows\System\YgdsyZC.exe | C:\Windows\System\YgdsyZC.exe |
| C:\Windows\System\IjfTcZX.exe | C:\Windows\System\IjfTcZX.exe |
| C:\Windows\System\SzYyHRW.exe | C:\Windows\System\SzYyHRW.exe |
| C:\Windows\System\KYOKlIU.exe | C:\Windows\System\KYOKlIU.exe |
| C:\Windows\System\XBEYyIk.exe | C:\Windows\System\XBEYyIk.exe |
| C:\Windows\System\yOnzGkV.exe | C:\Windows\System\yOnzGkV.exe |
| C:\Windows\System\GHKtyld.exe | C:\Windows\System\GHKtyld.exe |
| C:\Windows\System\IFOCDno.exe | C:\Windows\System\IFOCDno.exe |
| C:\Windows\System\zZMGLkm.exe | C:\Windows\System\zZMGLkm.exe |
| C:\Windows\System\VNWUtXU.exe | C:\Windows\System\VNWUtXU.exe |
| C:\Windows\System\hoEzqbm.exe | C:\Windows\System\hoEzqbm.exe |
| C:\Windows\System\DsjwAKj.exe | C:\Windows\System\DsjwAKj.exe |
| C:\Windows\System\UPnUpUX.exe | C:\Windows\System\UPnUpUX.exe |
| C:\Windows\System\weYIamj.exe | C:\Windows\System\weYIamj.exe |
| C:\Windows\System\rLSXZJl.exe | C:\Windows\System\rLSXZJl.exe |
| C:\Windows\System\yFfJJxH.exe | C:\Windows\System\yFfJJxH.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2096-0-0x000000013F4C0000-0x000000013F811000-memory.dmp
memory/2096-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\smlUjnr.exe
| MD5 | 5756d6991c9d3f091efdc8812809b7aa |
| SHA1 | 563a747acfcb76f559a046cdcd15e2d28c751cde |
| SHA256 | a3dba698730c7de87a2dfca1dcd2e39e99b452c0ef890ca636bc6e6136f69dca |
| SHA512 | e2a59ded82631fa577f6197a79334dc54dbdf955d82fca68e1dc736d44bfeca5373f6b360323909bd147e175ab397efc6fb866e536c243ea3b9ced7cc6b5b3ad |
C:\Windows\system\XCMBDxJ.exe
| MD5 | 93ebb467f9b66f60b49ea98fc3d38d7a |
| SHA1 | 5a210f6093cc51feee4dabda1ad6165f24a20327 |
| SHA256 | 30e975ded8edaa634cdb8e72f7626496e3cc4c753f795b0f4416469cdc5e4b0e |
| SHA512 | d606cbcd0930a858e3dd5814ed49ab8059ca59927b8618900cf41b42575dbf452cd12a3cacd17295b81a574a375631747d45b37f7168aa518972fc7a6a1e31e2 |
C:\Windows\system\zYRLSqe.exe
| MD5 | 2eea7f32bd3b237ab80c20968761b76b |
| SHA1 | 1d207d4091f9401cf23698c1933d9507553fd493 |
| SHA256 | a6c07ded74083ad009f52a5a4dc02d7aa42fc39eb1c105a9e4b8b0635174ed24 |
| SHA512 | 50564b81b9ebf894e6c93a2eaedd63993769f548ba9f94fe7264c59d28e14d69274a94037045b19c8892ef04c2eb134b39d23cae17cb06cf1779fa4f5a5736e5 |
\Windows\system\ustqoxO.exe
| MD5 | 7c94b56fed2e1c6458d245cbd8b0e217 |
| SHA1 | 5ca0080eb9de0971b1d25e4737d1753d6b649474 |
| SHA256 | b357737c567813098f659c10cdbe95c796726a4dd1ceef4128def600006bbcf6 |
| SHA512 | a3d5123a65d477ffd7cdd20e85b8d7914a050e87dc9b2fd040f676920949dbf0bcab7f193083d9b4988166c280eea3deac27af395d24ce7b19146e448950fb75 |
C:\Windows\system\rRVNpIO.exe
| MD5 | 022ff5d37de9c88d75d37e90c48077f2 |
| SHA1 | 5bcc19ad9d17a3590a32777db12c5f5988c774c6 |
| SHA256 | 57acb7a0feec1858e60ee432d356800c35c5a987c80c7d5043778e035aa95ef8 |
| SHA512 | 711a040da47c9110f2ba14be4346bb1effe266e62104e7923b9e7ffe7c1bff40e4e305c55b12a9c6e991bd1f5407e2de73b23d0ed43d2a4579bc734ca3048e04 |
C:\Windows\system\YgdsyZC.exe
| MD5 | 140b6f8f138e2e51411a2c2ec199c907 |
| SHA1 | 61a986a89a06b1bc0f67608dc1aedff179ea28a7 |
| SHA256 | 5ba64213d862b2bc578538cf6b5b95ab1c0661372c6416114372c3261a52fedb |
| SHA512 | 61a1b41c4fa7cde386255f31b2315f12c1efb153a88af3e419c2a7feda2b27867c9ef6f8a2eef8e382c1e050c8826512d132aaae2b6acc5bfc174f5bdf2f223b |
C:\Windows\system\IjfTcZX.exe
| MD5 | 2c2640ac9eed8ed79bbad9c6a605f472 |
| SHA1 | ec939cd2358849e2676752486c5fe26f0c0cc98f |
| SHA256 | e178c6ccf1237718cee1807e4572379e0130348dea5d20f8de2b598258522a63 |
| SHA512 | e03c33fb411317205cbc504d0a294459907c912f8e4d50392477c943de937393dbe63b679fa1a9420de88660c85da40e84efdd5e768584b33f3282538c35839a |
C:\Windows\system\SzYyHRW.exe
| MD5 | 217f6b22ca587af978bd39e75080ae57 |
| SHA1 | 07c35c5a1ae7ac2b723fa1e30f9b2895f6313d0e |
| SHA256 | b8eb1346a991058f139b44edf4b58f235c9d1fe4e272ef4457009985bf1d9e1c |
| SHA512 | a97bcf80fe2edd3ae7bd1b90560a82d42380714debb7517984c24fb8ddaf091fccb9e6ad7b8d7f0ad0233bbac233d79ce5607ca649caab9e48e0ef6ce1d242a8 |
C:\Windows\system\KYOKlIU.exe
| MD5 | e9c5bb137f7d493cafe84140f52fd15f |
| SHA1 | d8c567ca4b2f89d2e42d4213e286831668c79619 |
| SHA256 | f466c486a32a67fe8e214e2b5a33b91f36b1912475f4c09fa96f4c057e38b3b3 |
| SHA512 | 54551ac2e0b421fe1e17e154f16822931d34e769b6d26e0a12f26fc6ea1122054361bdfbc3988cb177fcd54a6373e98196136cc798a3edd6448b163122aee5ae |
\Windows\system\GHKtyld.exe
| MD5 | c8c2b8a67f81a7519331476a0e26ba00 |
| SHA1 | f42d00836fc843cd3e9f5a5707709403728acd5f |
| SHA256 | c725e46fe08ecb396356181830003f2bd65d83041faffd9613c8db5ef2f09388 |
| SHA512 | c119fafcfd2a04112f13af23761704b8045408c87134237b18daa4661f94674cc5aa9482c4c5d2a3d5db8bcb25d5e9087db399bf5cdde19ea1084cdf60853336 |
C:\Windows\system\DsjwAKj.exe
| MD5 | 772435871c1ae1dafb756d130d46339a |
| SHA1 | c82e7cf5578cda9877b7249cff04aa328526c2c9 |
| SHA256 | 91bb1ca6e2d63025610ffb57856ca805e1f3f9399a4d44b50a7e0b3e7ee6da64 |
| SHA512 | 2c595f4ada0b27cded5296a16bf04cc1a125e55d5dffbe6f299704b978fca420f64e7101d94f12420851a10d2f5928f4e937b56e3efc047917953eb5644b9584 |
C:\Windows\system\yFfJJxH.exe
| MD5 | 4e4e71a1b0e55eebf40722b576d61c22 |
| SHA1 | af62eb20e2d8d2ac5f6aaf08552ab9894c0d2b51 |
| SHA256 | a86424af3dc60f5b3a0a2f66dfe1b95ac7017f058f6b38f62445d8410ef532ed |
| SHA512 | 8a02fc17734d43cbdc17a5337f70b7352e93f876ec83a2cef981cc566c8d9a113ea1d3749dc77b52090961455ac7a44ac02b5de8f717831d9946c5dd5e50d869 |
C:\Windows\system\rLSXZJl.exe
| MD5 | 1f7dd2c68833ca454faba85da3652cfe |
| SHA1 | bf2c7f45302279c10f332eb07dae49a9a5d38f1d |
| SHA256 | 71a8ea5f29fcc6836bd10867840f6b426785399554a6f486c500978224938a2f |
| SHA512 | 6d3592b99d3c67f64f329ad6f6ad86a9fad083ea45bef450d347243e7af953d1cb69656e998f2a0f02ca8dca87431bc3743176d50926140b0d1393e76cc59200 |
C:\Windows\system\weYIamj.exe
| MD5 | d4e01206b136492ba1873f82eef288f3 |
| SHA1 | 823e537fc4879c1a5633af6a74e33df84f9e866f |
| SHA256 | 9ca099e315ddb10e22201195e66420b024ad59973e3fede6035437d9fa3ff0e1 |
| SHA512 | eb8a44eb1ff713c86b25d925abb5b309e3747a2b85796cb34269e43877632a846e7bb8eb896aa4f141b8d5e9638d61da3b398685d4dcade8490804b42e7dc9a0 |
C:\Windows\system\UPnUpUX.exe
| MD5 | cbc737f339a9d7bd6e77d34b89368eaf |
| SHA1 | d0a74499f28c665f7723b16b66f97027b708a67a |
| SHA256 | c1b9a5a8a2bd575c9195fab67bdcaf88ebe30b95f447982fb716b32f40b86976 |
| SHA512 | 568111174ab5645fe0852eb5d970a5097e007923434bc537647133ff497adf5e9b49e3794c0090610efe23aec06aab4d535b84c55fa44733d5c75b96313d10b8 |
C:\Windows\system\hoEzqbm.exe
| MD5 | 0260c5d41cce7411666ec923d9e21531 |
| SHA1 | 14a0ae976b74eeff372998bc5e274f98a4327698 |
| SHA256 | 33ff2accfd8dea886f77655c3cbe3015a9d29abb14fb81c609ab555ee6043c5a |
| SHA512 | 145e27a3bb5ea69d4de4248d388b1c584f9f4a1b64449ce0a64a7c994cac3f6ca8fde7641c77b6e9e4251abf8c66b718fdcd827c4e21c6f08bb9cbcae03b0cc6 |
C:\Windows\system\VNWUtXU.exe
| MD5 | 8ed47bd4484fac484f6c9ffe960e1b9c |
| SHA1 | 9736cec0c9582cecc473bc4eb0137ac7718b8aef |
| SHA256 | 73e3e14099460293a139109eef08bb541a18e11d83c4ddc6b4eabba275ca3772 |
| SHA512 | 2868e057f9f569d960d5ef2e74d932c52bac47ae11b69b0066dc7192544ea4f92e22e770bb7ff14ef375be720d6294709e33377a39f1a77b53bf4db8bb945196 |
C:\Windows\system\zZMGLkm.exe
| MD5 | ce92e3b12e4e21c205e2d8d03120a7a9 |
| SHA1 | 5f750aa332f998586f908cc0ec3048ee9c345d95 |
| SHA256 | f4ce984df512c92fc3935061d40478ef7908ebfc79ab6bb69df37ae25a7de409 |
| SHA512 | 0036c70c883cf675942ee0e56dd0a843dde96c562fcb010d84fb142bb8f2623c768500abfa9026f88155fb80bc22d34e8abd13cd37a9729c2369c971fa48b625 |
C:\Windows\system\IFOCDno.exe
| MD5 | f518981dfbd9eaabfb1169c1cbbe8589 |
| SHA1 | a2e7a07d06f339041d8d100bb58717cf1db6911d |
| SHA256 | e1b901ef9f1685b2b0cf5b05681f97e32d333e784a6c2d2af57a9be2696f6d04 |
| SHA512 | f26a6ae8c1ae07bdde48021b96acc12f723305946363b6e54edb548c1131aa488e3493db2a816c222d4cf259eca3fcf16c112c79ac44a6c9569508e63597edd4 |
C:\Windows\system\yOnzGkV.exe
| MD5 | d70c4650764d59b421e4b848dc2448fc |
| SHA1 | 7e5977afcc39621fe32ce024abccfb883a37be25 |
| SHA256 | 0dbace26a16580e700cc140d10991ef67dc36f5240a39b432cb1e9b77b3134e2 |
| SHA512 | 749a5b2c3e5f358ccb309e55091620367769a15f02759086afd01426f5b64873fb9b4685162b4568cf6973801fd275027302028caba82a428981fa50fc56f051 |
C:\Windows\system\XBEYyIk.exe
| MD5 | 78594d1b93326a67781d1bb490cb50a2 |
| SHA1 | 338d49f13222146cdda7f62bd201752be06f423e |
| SHA256 | 86788bb1d369f0683bac2ef54ba61e7e71faed4fa4239c6eeb6bee96c575d580 |
| SHA512 | da1ee6d4413a91d7631734971489d4144dd136cb7a29fe53bdbfd86d422df656287be81a1a63438dfdb826a259dea97aedb7958d2b53d48a57906f42bfa99d3e |
memory/2264-108-0x000000013F240000-0x000000013F591000-memory.dmp
memory/2424-106-0x000000013F740000-0x000000013FA91000-memory.dmp
memory/2096-105-0x0000000002280000-0x00000000025D1000-memory.dmp
memory/3048-104-0x000000013FD60000-0x00000001400B1000-memory.dmp
memory/2476-112-0x000000013F820000-0x000000013FB71000-memory.dmp
memory/2096-110-0x000000013F820000-0x000000013FB71000-memory.dmp
memory/2776-119-0x000000013F170000-0x000000013F4C1000-memory.dmp
memory/2916-118-0x000000013F9D0000-0x000000013FD21000-memory.dmp
memory/2908-121-0x000000013FCF0000-0x0000000140041000-memory.dmp
memory/2096-120-0x000000013FCF0000-0x0000000140041000-memory.dmp
memory/2096-115-0x000000013FCA0000-0x000000013FFF1000-memory.dmp
memory/2512-122-0x000000013F800000-0x000000013FB51000-memory.dmp
memory/2360-114-0x000000013F3B0000-0x000000013F701000-memory.dmp
memory/1728-128-0x000000013F960000-0x000000013FCB1000-memory.dmp
memory/2096-127-0x000000013F960000-0x000000013FCB1000-memory.dmp
memory/2648-126-0x000000013FAE0000-0x000000013FE31000-memory.dmp
memory/2096-125-0x000000013FAE0000-0x000000013FE31000-memory.dmp
memory/2532-124-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/2096-123-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/2096-117-0x000000013F9D0000-0x000000013FD21000-memory.dmp
memory/2868-116-0x000000013FCA0000-0x000000013FFF1000-memory.dmp
memory/2936-109-0x000000013F640000-0x000000013F991000-memory.dmp
memory/2096-129-0x000000013F4C0000-0x000000013F811000-memory.dmp
memory/3048-130-0x000000013FD60000-0x00000001400B1000-memory.dmp
memory/1340-150-0x000000013F4A0000-0x000000013F7F1000-memory.dmp
memory/672-149-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/2472-148-0x000000013F510000-0x000000013F861000-memory.dmp
memory/1704-147-0x000000013F220000-0x000000013F571000-memory.dmp
memory/2684-146-0x000000013F310000-0x000000013F661000-memory.dmp
memory/2732-144-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
memory/2636-145-0x000000013F920000-0x000000013FC71000-memory.dmp
memory/2096-151-0x000000013F4C0000-0x000000013F811000-memory.dmp
memory/2096-152-0x000000013FD60000-0x00000001400B1000-memory.dmp
memory/2096-153-0x000000013F4C0000-0x000000013F811000-memory.dmp
memory/3048-219-0x000000013FD60000-0x00000001400B1000-memory.dmp
memory/2424-222-0x000000013F740000-0x000000013FA91000-memory.dmp
memory/2264-226-0x000000013F240000-0x000000013F591000-memory.dmp
memory/2476-225-0x000000013F820000-0x000000013FB71000-memory.dmp
memory/2868-230-0x000000013FCA0000-0x000000013FFF1000-memory.dmp
memory/2936-236-0x000000013F640000-0x000000013F991000-memory.dmp
memory/2908-239-0x000000013FCF0000-0x0000000140041000-memory.dmp
memory/2648-244-0x000000013FAE0000-0x000000013FE31000-memory.dmp
memory/2776-248-0x000000013F170000-0x000000013F4C1000-memory.dmp
memory/2512-246-0x000000013F800000-0x000000013FB51000-memory.dmp
memory/2532-242-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/2916-235-0x000000013F9D0000-0x000000013FD21000-memory.dmp
memory/2360-228-0x000000013F3B0000-0x000000013F701000-memory.dmp
memory/1728-252-0x000000013F960000-0x000000013FCB1000-memory.dmp
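The Files tables above (and the identical hashes repeated under behavioral2) are the file IOCs a responder would sweep an estate with. The Python below is an added example, not part of the sandbox report: REPORT_EXCERPT copies the report's own table layout and the hashes it lists for two of the dropped files, and INVENTORY is a constructed EDR-style export (path,sha256) with one exact hit, one renamed copy of a dropped file, one same-name file with a different hash, and a clean system binary. The sweep keys on SHA-256 and reports a path-only match as the weaker signal it is; the file names are random per run, the content is what persists.

```python
"""File IOCs from the report's Files tables, applied to an endpoint inventory.

Added example; not part of the sandbox report. REPORT_EXCERPT copies the report's
own layout and the hashes it lists for two dropped files. INVENTORY is a
constructed EDR-style export (path,sha256); the all-zero and all-one digests are
placeholders for "some other content".
"""
import csv
import io
import re

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")


def normalise(path):
    """Lower-case and restore the drive letter: the report writes the same file
    as both 'C:\\Windows\\system\\x.exe' and '\\Windows\\system\\x.exe'."""
    p = path.strip().lower()
    return "c:" + p if p.startswith("\\") else p


def parse_report(text):
    """Return {path: {algo: hexdigest}} from the report's per-file hash tables.
    A row whose digest has the wrong length for its algorithm is dropped rather
    than becoming a bad IOC; an entry missing a row simply yields fewer algorithms."""
    iocs, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        m = ROW.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) == HASH_LEN[algo]:
                iocs[current][algo] = digest
        elif line.startswith("memory/"):
            current = None                      # memory dumps carry no file hash
        elif "\\" in line and not line.startswith("|"):
            current = normalise(line)
            iocs.setdefault(current, {})
    return iocs


def sweep(iocs, inventory_csv):
    """Classify inventory rows as 'hash' (content match, any path) or 'path_only'."""
    by_sha256 = {h["SHA256"]: p for p, h in iocs.items() if "SHA256" in h}
    hits = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        sha, path = row["sha256"].lower(), normalise(row["path"])
        if sha in by_sha256:
            hits.append((row["path"], "hash", by_sha256[sha]))
        elif path in iocs:
            hits.append((row["path"], "path_only", path))
    return hits


# Two entries copied from the report's Files section, in the report's own format.
REPORT_EXCERPT = r"""
\Windows\system\smlUjnr.exe
| MD5 | 5756d6991c9d3f091efdc8812809b7aa |
| SHA1 | 563a747acfcb76f559a046cdcd15e2d28c751cde |
| SHA256 | a3dba698730c7de87a2dfca1dcd2e39e99b452c0ef890ca636bc6e6136f69dca |
| SHA512 | e2a59ded82631fa577f6197a79334dc54dbdf955d82fca68e1dc736d44bfeca5373f6b360323909bd147e175ab397efc6fb866e536c243ea3b9ced7cc6b5b3ad |
memory/2096-105-0x0000000002280000-0x00000000025D1000-memory.dmp
C:\Windows\system\XCMBDxJ.exe
| MD5 | 93ebb467f9b66f60b49ea98fc3d38d7a |
| SHA1 | 5a210f6093cc51feee4dabda1ad6165f24a20327 |
| SHA256 | 30e975ded8edaa634cdb8e72f7626496e3cc4c753f795b0f4416469cdc5e4b0e |
| SHA512 | d606cbcd0930a858e3dd5814ed49ab8059ca59927b8618900cf41b42575dbf452cd12a3cacd17295b81a574a375631747d45b37f7168aa518972fc7a6a1e31e2 |
"""

# Constructed inventory: exact hit, renamed copy, same name with other content, clean binary.
INVENTORY = r"""path,sha256
C:\Windows\System\smlUjnr.exe,A3DBA698730C7DE87A2DFCA1DCD2E39E99B452C0EF890CA636BC6E6136F69DCA
C:\ProgramData\update.exe,30e975ded8edaa634cdb8e72f7626496e3cc4c753f795b0f4416469cdc5e4b0e
C:\Windows\System\XCMBDxJ.exe,0000000000000000000000000000000000000000000000000000000000000000
C:\Windows\System32\notepad.exe,1111111111111111111111111111111111111111111111111111111111111111
"""

if __name__ == "__main__":
    for path, kind, ioc in sweep(parse_report(REPORT_EXCERPT), INVENTORY):
        print(f"{kind:10} {path}  (report entry: {ioc})")
```

The renamed copy under C:\ProgramData is caught by content alone, while the same-named file with different content is reported only as a path match, which is the right weighting for a family that regenerates its file names on every run.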
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 04:38
Reported
2024-10-27 04:40
Platform
win10v2004-20241007-en
Max time kernel
144s
Max time network
149s
Signatures
Cobalt Strike reflective loader
21 hits; description, indicator, process and target not exported.
Cobaltstrike
Cobaltstrike family
Xmrig family
xmrig
XMRig Miner payload
45 hits; description, indicator, process and target not exported.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\smlUjnr.exe | N/A |
| N/A | N/A | C:\Windows\System\zYRLSqe.exe | N/A |
| N/A | N/A | C:\Windows\System\XCMBDxJ.exe | N/A |
| N/A | N/A | C:\Windows\System\ustqoxO.exe | N/A |
| N/A | N/A | C:\Windows\System\rRVNpIO.exe | N/A |
| N/A | N/A | C:\Windows\System\YgdsyZC.exe | N/A |
| N/A | N/A | C:\Windows\System\SzYyHRW.exe | N/A |
| N/A | N/A | C:\Windows\System\IjfTcZX.exe | N/A |
| N/A | N/A | C:\Windows\System\KYOKlIU.exe | N/A |
| N/A | N/A | C:\Windows\System\XBEYyIk.exe | N/A |
| N/A | N/A | C:\Windows\System\yOnzGkV.exe | N/A |
| N/A | N/A | C:\Windows\System\GHKtyld.exe | N/A |
| N/A | N/A | C:\Windows\System\IFOCDno.exe | N/A |
| N/A | N/A | C:\Windows\System\zZMGLkm.exe | N/A |
| N/A | N/A | C:\Windows\System\VNWUtXU.exe | N/A |
| N/A | N/A | C:\Windows\System\hoEzqbm.exe | N/A |
| N/A | N/A | C:\Windows\System\DsjwAKj.exe | N/A |
| N/A | N/A | C:\Windows\System\weYIamj.exe | N/A |
| N/A | N/A | C:\Windows\System\rLSXZJl.exe | N/A |
| N/A | N/A | C:\Windows\System\UPnUpUX.exe | N/A |
| N/A | N/A | C:\Windows\System\yFfJJxH.exe | N/A |
UPX packed file
64 hits; description, indicator, process and target not exported.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\smlUjnr.exe | C:\Windows\System\smlUjnr.exe |
| C:\Windows\System\zYRLSqe.exe | C:\Windows\System\zYRLSqe.exe |
| C:\Windows\System\XCMBDxJ.exe | C:\Windows\System\XCMBDxJ.exe |
| C:\Windows\System\ustqoxO.exe | C:\Windows\System\ustqoxO.exe |
| C:\Windows\System\rRVNpIO.exe | C:\Windows\System\rRVNpIO.exe |
| C:\Windows\System\YgdsyZC.exe | C:\Windows\System\YgdsyZC.exe |
| C:\Windows\System\IjfTcZX.exe | C:\Windows\System\IjfTcZX.exe |
| C:\Windows\System\SzYyHRW.exe | C:\Windows\System\SzYyHRW.exe |
| C:\Windows\System\KYOKlIU.exe | C:\Windows\System\KYOKlIU.exe |
| C:\Windows\System\XBEYyIk.exe | C:\Windows\System\XBEYyIk.exe |
| C:\Windows\System\yOnzGkV.exe | C:\Windows\System\yOnzGkV.exe |
| C:\Windows\System\GHKtyld.exe | C:\Windows\System\GHKtyld.exe |
| C:\Windows\System\IFOCDno.exe | C:\Windows\System\IFOCDno.exe |
| C:\Windows\System\zZMGLkm.exe | C:\Windows\System\zZMGLkm.exe |
| C:\Windows\System\VNWUtXU.exe | C:\Windows\System\VNWUtXU.exe |
| C:\Windows\System\hoEzqbm.exe | C:\Windows\System\hoEzqbm.exe |
| C:\Windows\System\DsjwAKj.exe | C:\Windows\System\DsjwAKj.exe |
| C:\Windows\System\UPnUpUX.exe | C:\Windows\System\UPnUpUX.exe |
| C:\Windows\System\weYIamj.exe | C:\Windows\System\weYIamj.exe |
| C:\Windows\System\rLSXZJl.exe | C:\Windows\System\rLSXZJl.exe |
| C:\Windows\System\yFfJJxH.exe | C:\Windows\System\yFfJJxH.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
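Both detonations record the same three behaviours: executables with random alphabetic names dropped into C:\Windows\System (the legacy directory, not System32) and run from there; SeLockMemoryPrivilege enabled by the sample in the user's Temp directory, the right XMRig requests so RandomX can use large pages; and six TCP connections to 3.120.209.58:8080 against a background of sandbox DNS noise. The Python below is an added example, not part of the report or the sandbox's signature engine. It runs those three rules over constructed Sysmon-style records (Event ID 1 process create, 3 network connect, 11 file create) and Security-log 4703-style records (token right adjusted); the field names follow those schemas, the records are made up to mirror the report, and the parent of the dropped executables and the image behind the connections are assumptions, since the report does not export either.

```python
"""Detection rules for the behaviours both detonations of this sample recorded.

Added example; not part of the sandbox report or its signature engine. Runs over
constructed Sysmon-style records (EID 1/3/11) and Security 4703-style records.
Parentage and the connecting image are assumptions; the report does not export them.
"""
import re
from collections import Counter

# C:\Windows\System is the legacy 16-bit directory; a new alphabetic-only EXE
# there is the report's pattern (smlUjnr.exe, XCMBDxJ.exe, ...). The trailing
# backslash keeps System32 and SysWOW64 from matching.
RANDOM_SYSTEM_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{5,12}\.exe$", re.IGNORECASE)
USER_WRITABLE = re.compile(r"^C:\\Users\\[^\\]+\\", re.IGNORECASE)
# Known legitimate large-page users. XMRig asks for SeLockMemoryPrivilege to back
# RandomX with huge pages, so any other image enabling it gets flagged.
LOCK_MEMORY_ALLOWLIST = {r"c:\program files\microsoft sql server\mssql\binn\sqlservr.exe"}


def detect(events, beacon_threshold=4):
    """Return (rule, subject, detail) tuples for every rule an event trips."""
    findings = []
    dropped = set()          # paths seen in a FileCreate, for drop -> execute correlation
    connects = Counter()     # (image, ip, port) -> connection count
    for ev in events:
        eid = ev["EventID"]
        if eid == 11 and RANDOM_SYSTEM_EXE.match(ev["TargetFilename"]):
            dropped.add(ev["TargetFilename"].lower())
            findings.append(("drop_in_windows_system", ev["Image"], ev["TargetFilename"]))
        elif eid == 1 and RANDOM_SYSTEM_EXE.match(ev["Image"]):
            rule = ("executes_dropped_exe" if ev["Image"].lower() in dropped
                    else "exec_from_windows_system")
            findings.append((rule, ev["ParentImage"], ev["Image"]))
        elif eid == 4703 and "SeLockMemoryPrivilege" in ev["EnabledPrivilegeList"]:
            if ev["ProcessName"].lower() not in LOCK_MEMORY_ALLOWLIST:
                findings.append(("se_lock_memory_privilege", ev["ProcessName"], ev["SubjectUserName"]))
        elif eid == 3:
            connects[(ev["Image"], ev["DestinationIp"], ev["DestinationPort"])] += 1
    # Repeated connections to one ip:port from a binary in a user-writable path is
    # the shape of the Network tables (six hits on 3.120.209.58:8080).
    for (image, ip, port), n in connects.items():
        if n >= beacon_threshold and USER_WRITABLE.match(image):
            findings.append(("repeated_connect", image, f"{ip}:{port} x{n}"))
    return findings


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp\2024-10-27_e596b4b937b540e38c5b747c14972cfe"
          r"_cobalt-strike_cobaltstrike_poet-rat.exe")


def _drop_and_run(name):
    """Constructed FileCreate + ProcessCreate pair for one dropped executable."""
    path = r"C:\Windows\System\%s.exe" % name
    return [
        {"EventID": 11, "Image": SAMPLE, "TargetFilename": path},
        {"EventID": 1, "Image": path, "CommandLine": path, "ParentImage": SAMPLE},
    ]


# Constructed records mirroring the report; parentage and connecting image assumed.
SAMPLE_EVENTS = (
    [{"EventID": 4703, "ProcessName": SAMPLE, "SubjectUserName": "Admin",
      "EnabledPrivilegeList": "SeLockMemoryPrivilege"}]
    + _drop_and_run("smlUjnr") + _drop_and_run("XCMBDxJ")
    + [{"EventID": 3, "Image": SAMPLE, "DestinationIp": "3.120.209.58",
        "DestinationPort": 8080}] * 6
    # Benign controls that must stay quiet: a System32 service and SQL Server large pages.
    + [{"EventID": 1, "Image": r"C:\Windows\System32\svchost.exe",
        "CommandLine": "svchost.exe -k netsvcs", "ParentImage": r"C:\Windows\System32\services.exe"},
       {"EventID": 4703, "ProcessName": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
        "SubjectUserName": "MSSQLSERVER", "EnabledPrivilegeList": "SeLockMemoryPrivilege"}]
)

if __name__ == "__main__":
    for rule, subject, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:26} {subject}  ->  {detail}")
```

The drop-then-execute correlation is what separates this from a generic "binary in C:\Windows" rule: a stale file in that directory only becomes a high-confidence finding once a process creation follows its FileCreate. The allowlist for SeLockMemoryPrivilege is deliberately short; extend it from your own baseline rather than suppressing the rule.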
Files
memory/4960-0-0x00007FF7E6D30000-0x00007FF7E7081000-memory.dmp
memory/4960-1-0x000001E27CB20000-0x000001E27CB30000-memory.dmp
C:\Windows\System\smlUjnr.exe
| MD5 | 5756d6991c9d3f091efdc8812809b7aa |
| SHA1 | 563a747acfcb76f559a046cdcd15e2d28c751cde |
| SHA256 | a3dba698730c7de87a2dfca1dcd2e39e99b452c0ef890ca636bc6e6136f69dca |
| SHA512 | e2a59ded82631fa577f6197a79334dc54dbdf955d82fca68e1dc736d44bfeca5373f6b360323909bd147e175ab397efc6fb866e536c243ea3b9ced7cc6b5b3ad |
memory/4936-8-0x00007FF6C0210000-0x00007FF6C0561000-memory.dmp
C:\Windows\System\XCMBDxJ.exe
| MD5 | 93ebb467f9b66f60b49ea98fc3d38d7a |
| SHA1 | 5a210f6093cc51feee4dabda1ad6165f24a20327 |
| SHA256 | 30e975ded8edaa634cdb8e72f7626496e3cc4c753f795b0f4416469cdc5e4b0e |
| SHA512 | d606cbcd0930a858e3dd5814ed49ab8059ca59927b8618900cf41b42575dbf452cd12a3cacd17295b81a574a375631747d45b37f7168aa518972fc7a6a1e31e2 |
C:\Windows\System\zYRLSqe.exe
| MD5 | 2eea7f32bd3b237ab80c20968761b76b |
| SHA1 | 1d207d4091f9401cf23698c1933d9507553fd493 |
| SHA256 | a6c07ded74083ad009f52a5a4dc02d7aa42fc39eb1c105a9e4b8b0635174ed24 |
| SHA512 | 50564b81b9ebf894e6c93a2eaedd63993769f548ba9f94fe7264c59d28e14d69274a94037045b19c8892ef04c2eb134b39d23cae17cb06cf1779fa4f5a5736e5 |
C:\Windows\System\ustqoxO.exe
| MD5 | 7c94b56fed2e1c6458d245cbd8b0e217 |
| SHA1 | 5ca0080eb9de0971b1d25e4737d1753d6b649474 |
| SHA256 | b357737c567813098f659c10cdbe95c796726a4dd1ceef4128def600006bbcf6 |
| SHA512 | a3d5123a65d477ffd7cdd20e85b8d7914a050e87dc9b2fd040f676920949dbf0bcab7f193083d9b4988166c280eea3deac27af395d24ce7b19146e448950fb75 |
memory/384-24-0x00007FF7E8EE0000-0x00007FF7E9231000-memory.dmp
memory/4664-15-0x00007FF7CF580000-0x00007FF7CF8D1000-memory.dmp
memory/2552-13-0x00007FF665010000-0x00007FF665361000-memory.dmp
C:\Windows\System\YgdsyZC.exe
| MD5 | 140b6f8f138e2e51411a2c2ec199c907 |
| SHA1 | 61a986a89a06b1bc0f67608dc1aedff179ea28a7 |
| SHA256 | 5ba64213d862b2bc578538cf6b5b95ab1c0661372c6416114372c3261a52fedb |
| SHA512 | 61a1b41c4fa7cde386255f31b2315f12c1efb153a88af3e419c2a7feda2b27867c9ef6f8a2eef8e382c1e050c8826512d132aaae2b6acc5bfc174f5bdf2f223b |
memory/1936-33-0x00007FF66B1B0000-0x00007FF66B501000-memory.dmp
memory/2832-34-0x00007FF7E65C0000-0x00007FF7E6911000-memory.dmp
C:\Windows\System\IjfTcZX.exe
| MD5 | 2c2640ac9eed8ed79bbad9c6a605f472 |
| SHA1 | ec939cd2358849e2676752486c5fe26f0c0cc98f |
| SHA256 | e178c6ccf1237718cee1807e4572379e0130348dea5d20f8de2b598258522a63 |
| SHA512 | e03c33fb411317205cbc504d0a294459907c912f8e4d50392477c943de937393dbe63b679fa1a9420de88660c85da40e84efdd5e768584b33f3282538c35839a |
memory/1796-49-0x00007FF6642C0000-0x00007FF664611000-memory.dmp
C:\Windows\System\KYOKlIU.exe
| MD5 | e9c5bb137f7d493cafe84140f52fd15f |
| SHA1 | d8c567ca4b2f89d2e42d4213e286831668c79619 |
| SHA256 | f466c486a32a67fe8e214e2b5a33b91f36b1912475f4c09fa96f4c057e38b3b3 |
| SHA512 | 54551ac2e0b421fe1e17e154f16822931d34e769b6d26e0a12f26fc6ea1122054361bdfbc3988cb177fcd54a6373e98196136cc798a3edd6448b163122aee5ae |
C:\Windows\System\XBEYyIk.exe
| MD5 | 78594d1b93326a67781d1bb490cb50a2 |
| SHA1 | 338d49f13222146cdda7f62bd201752be06f423e |
| SHA256 | 86788bb1d369f0683bac2ef54ba61e7e71faed4fa4239c6eeb6bee96c575d580 |
| SHA512 | da1ee6d4413a91d7631734971489d4144dd136cb7a29fe53bdbfd86d422df656287be81a1a63438dfdb826a259dea97aedb7958d2b53d48a57906f42bfa99d3e |
C:\Windows\System\GHKtyld.exe
| MD5 | c8c2b8a67f81a7519331476a0e26ba00 |
| SHA1 | f42d00836fc843cd3e9f5a5707709403728acd5f |
| SHA256 | c725e46fe08ecb396356181830003f2bd65d83041faffd9613c8db5ef2f09388 |
| SHA512 | c119fafcfd2a04112f13af23761704b8045408c87134237b18daa4661f94674cc5aa9482c4c5d2a3d5db8bcb25d5e9087db399bf5cdde19ea1084cdf60853336 |
C:\Windows\System\VNWUtXU.exe
| MD5 | 8ed47bd4484fac484f6c9ffe960e1b9c |
| SHA1 | 9736cec0c9582cecc473bc4eb0137ac7718b8aef |
| SHA256 | 73e3e14099460293a139109eef08bb541a18e11d83c4ddc6b4eabba275ca3772 |
| SHA512 | 2868e057f9f569d960d5ef2e74d932c52bac47ae11b69b0066dc7192544ea4f92e22e770bb7ff14ef375be720d6294709e33377a39f1a77b53bf4db8bb945196 |
C:\Windows\System\DsjwAKj.exe
| MD5 | 772435871c1ae1dafb756d130d46339a |
| SHA1 | c82e7cf5578cda9877b7249cff04aa328526c2c9 |
| SHA256 | 91bb1ca6e2d63025610ffb57856ca805e1f3f9399a4d44b50a7e0b3e7ee6da64 |
| SHA512 | 2c595f4ada0b27cded5296a16bf04cc1a125e55d5dffbe6f299704b978fca420f64e7101d94f12420851a10d2f5928f4e937b56e3efc047917953eb5644b9584 |
memory/1916-124-0x00007FF701F10000-0x00007FF702261000-memory.dmp
memory/4664-130-0x00007FF7CF580000-0x00007FF7CF8D1000-memory.dmp
memory/4616-129-0x00007FF73CF90000-0x00007FF73D2E1000-memory.dmp
memory/4928-128-0x00007FF7D3BF0000-0x00007FF7D3F41000-memory.dmp
C:\Windows\System\rLSXZJl.exe
| MD5 | 1f7dd2c68833ca454faba85da3652cfe |
| SHA1 | bf2c7f45302279c10f332eb07dae49a9a5d38f1d |
| SHA256 | 71a8ea5f29fcc6836bd10867840f6b426785399554a6f486c500978224938a2f |
| SHA512 | 6d3592b99d3c67f64f329ad6f6ad86a9fad083ea45bef450d347243e7af953d1cb69656e998f2a0f02ca8dca87431bc3743176d50926140b0d1393e76cc59200 |
memory/2824-125-0x00007FF747660000-0x00007FF7479B1000-memory.dmp
C:\Windows\System\yFfJJxH.exe
| MD5 | 4e4e71a1b0e55eebf40722b576d61c22 |
| SHA1 | af62eb20e2d8d2ac5f6aaf08552ab9894c0d2b51 |
| SHA256 | a86424af3dc60f5b3a0a2f66dfe1b95ac7017f058f6b38f62445d8410ef532ed |
| SHA512 | 8a02fc17734d43cbdc17a5337f70b7352e93f876ec83a2cef981cc566c8d9a113ea1d3749dc77b52090961455ac7a44ac02b5de8f717831d9946c5dd5e50d869 |
C:\Windows\System\UPnUpUX.exe
| MD5 | cbc737f339a9d7bd6e77d34b89368eaf |
| SHA1 | d0a74499f28c665f7723b16b66f97027b708a67a |
| SHA256 | c1b9a5a8a2bd575c9195fab67bdcaf88ebe30b95f447982fb716b32f40b86976 |
| SHA512 | 568111174ab5645fe0852eb5d970a5097e007923434bc537647133ff497adf5e9b49e3794c0090610efe23aec06aab4d535b84c55fa44733d5c75b96313d10b8 |
C:\Windows\System\weYIamj.exe
| MD5 | d4e01206b136492ba1873f82eef288f3 |
| SHA1 | 823e537fc4879c1a5633af6a74e33df84f9e866f |
| SHA256 | 9ca099e315ddb10e22201195e66420b024ad59973e3fede6035437d9fa3ff0e1 |
| SHA512 | eb8a44eb1ff713c86b25d925abb5b309e3747a2b85796cb34269e43877632a846e7bb8eb896aa4f141b8d5e9638d61da3b398685d4dcade8490804b42e7dc9a0 |
memory/4568-118-0x00007FF638FD0000-0x00007FF639321000-memory.dmp
memory/4116-113-0x00007FF705F00000-0x00007FF706251000-memory.dmp
memory/2584-112-0x00007FF709D20000-0x00007FF70A071000-memory.dmp
C:\Windows\System\zZMGLkm.exe
| MD5 | ce92e3b12e4e21c205e2d8d03120a7a9 |
| SHA1 | 5f750aa332f998586f908cc0ec3048ee9c345d95 |
| SHA256 | f4ce984df512c92fc3935061d40478ef7908ebfc79ab6bb69df37ae25a7de409 |
| SHA512 | 0036c70c883cf675942ee0e56dd0a843dde96c562fcb010d84fb142bb8f2623c768500abfa9026f88155fb80bc22d34e8abd13cd37a9729c2369c971fa48b625 |
memory/3224-102-0x00007FF744000000-0x00007FF744351000-memory.dmp
memory/3404-101-0x00007FF762790000-0x00007FF762AE1000-memory.dmp
C:\Windows\System\hoEzqbm.exe
| MD5 | 0260c5d41cce7411666ec923d9e21531 |
| SHA1 | 14a0ae976b74eeff372998bc5e274f98a4327698 |
| SHA256 | 33ff2accfd8dea886f77655c3cbe3015a9d29abb14fb81c609ab555ee6043c5a |
| SHA512 | 145e27a3bb5ea69d4de4248d388b1c584f9f4a1b64449ce0a64a7c994cac3f6ca8fde7641c77b6e9e4251abf8c66b718fdcd827c4e21c6f08bb9cbcae03b0cc6 |
C:\Windows\System\IFOCDno.exe
| MD5 | f518981dfbd9eaabfb1169c1cbbe8589 |
| SHA1 | a2e7a07d06f339041d8d100bb58717cf1db6911d |
| SHA256 | e1b901ef9f1685b2b0cf5b05681f97e32d333e784a6c2d2af57a9be2696f6d04 |
| SHA512 | f26a6ae8c1ae07bdde48021b96acc12f723305946363b6e54edb548c1131aa488e3493db2a816c222d4cf259eca3fcf16c112c79ac44a6c9569508e63597edd4 |
memory/1132-92-0x00007FF65D6E0000-0x00007FF65DA31000-memory.dmp
C:\Windows\System\yOnzGkV.exe
| MD5 | d70c4650764d59b421e4b848dc2448fc |
| SHA1 | 7e5977afcc39621fe32ce024abccfb883a37be25 |
| SHA256 | 0dbace26a16580e700cc140d10991ef67dc36f5240a39b432cb1e9b77b3134e2 |
| SHA512 | 749a5b2c3e5f358ccb309e55091620367769a15f02759086afd01426f5b64873fb9b4685162b4568cf6973801fd275027302028caba82a428981fa50fc56f051 |
memory/2552-78-0x00007FF665010000-0x00007FF665361000-memory.dmp
memory/4936-77-0x00007FF6C0210000-0x00007FF6C0561000-memory.dmp
memory/1172-70-0x00007FF65EB50000-0x00007FF65EEA1000-memory.dmp
memory/2064-69-0x00007FF771C00000-0x00007FF771F51000-memory.dmp
memory/4960-62-0x00007FF7E6D30000-0x00007FF7E7081000-memory.dmp
memory/2004-61-0x00007FF6E2F60000-0x00007FF6E32B1000-memory.dmp
C:\Windows\System\SzYyHRW.exe
| MD5 | 217f6b22ca587af978bd39e75080ae57 |
| SHA1 | 07c35c5a1ae7ac2b723fa1e30f9b2895f6313d0e |
| SHA256 | b8eb1346a991058f139b44edf4b58f235c9d1fe4e272ef4457009985bf1d9e1c |
| SHA512 | a97bcf80fe2edd3ae7bd1b90560a82d42380714debb7517984c24fb8ddaf091fccb9e6ad7b8d7f0ad0233bbac233d79ce5607ca649caab9e48e0ef6ce1d242a8 |
memory/4620-42-0x00007FF7DFD40000-0x00007FF7E0091000-memory.dmp
C:\Windows\System\rRVNpIO.exe
| MD5 | 022ff5d37de9c88d75d37e90c48077f2 |
| SHA1 | 5bcc19ad9d17a3590a32777db12c5f5988c774c6 |
| SHA256 | 57acb7a0feec1858e60ee432d356800c35c5a987c80c7d5043778e035aa95ef8 |
| SHA512 | 711a040da47c9110f2ba14be4346bb1effe266e62104e7923b9e7ffe7c1bff40e4e305c55b12a9c6e991bd1f5407e2de73b23d0ed43d2a4579bc734ca3048e04 |
memory/384-132-0x00007FF7E8EE0000-0x00007FF7E9231000-memory.dmp
memory/4960-133-0x00007FF7E6D30000-0x00007FF7E7081000-memory.dmp
memory/1936-138-0x00007FF66B1B0000-0x00007FF66B501000-memory.dmp
memory/2832-139-0x00007FF7E65C0000-0x00007FF7E6911000-memory.dmp
memory/1796-140-0x00007FF6642C0000-0x00007FF664611000-memory.dmp
memory/2004-142-0x00007FF6E2F60000-0x00007FF6E32B1000-memory.dmp
memory/4620-141-0x00007FF7DFD40000-0x00007FF7E0091000-memory.dmp
memory/3404-148-0x00007FF762790000-0x00007FF762AE1000-memory.dmp
memory/3224-150-0x00007FF744000000-0x00007FF744351000-memory.dmp
memory/4616-152-0x00007FF73CF90000-0x00007FF73D2E1000-memory.dmp
memory/1172-145-0x00007FF65EB50000-0x00007FF65EEA1000-memory.dmp
memory/1132-144-0x00007FF65D6E0000-0x00007FF65DA31000-memory.dmp
memory/1916-153-0x00007FF701F10000-0x00007FF702261000-memory.dmp
memory/2064-143-0x00007FF771C00000-0x00007FF771F51000-memory.dmp
memory/4960-155-0x00007FF7E6D30000-0x00007FF7E7081000-memory.dmp
memory/4936-204-0x00007FF6C0210000-0x00007FF6C0561000-memory.dmp
memory/2552-208-0x00007FF665010000-0x00007FF665361000-memory.dmp
memory/4664-210-0x00007FF7CF580000-0x00007FF7CF8D1000-memory.dmp
memory/384-212-0x00007FF7E8EE0000-0x00007FF7E9231000-memory.dmp
memory/1936-226-0x00007FF66B1B0000-0x00007FF66B501000-memory.dmp
memory/2832-228-0x00007FF7E65C0000-0x00007FF7E6911000-memory.dmp
memory/4620-232-0x00007FF7DFD40000-0x00007FF7E0091000-memory.dmp
memory/1796-231-0x00007FF6642C0000-0x00007FF664611000-memory.dmp
memory/2004-234-0x00007FF6E2F60000-0x00007FF6E32B1000-memory.dmp
memory/1132-236-0x00007FF65D6E0000-0x00007FF65DA31000-memory.dmp
memory/2064-242-0x00007FF771C00000-0x00007FF771F51000-memory.dmp
memory/1172-244-0x00007FF65EB50000-0x00007FF65EEA1000-memory.dmp
memory/2584-246-0x00007FF709D20000-0x00007FF70A071000-memory.dmp
memory/4116-248-0x00007FF705F00000-0x00007FF706251000-memory.dmp
memory/3404-252-0x00007FF762790000-0x00007FF762AE1000-memory.dmp
memory/3224-254-0x00007FF744000000-0x00007FF744351000-memory.dmp
memory/4568-251-0x00007FF638FD0000-0x00007FF639321000-memory.dmp
memory/4928-260-0x00007FF7D3BF0000-0x00007FF7D3F41000-memory.dmp
memory/4616-259-0x00007FF73CF90000-0x00007FF73D2E1000-memory.dmp
memory/2824-262-0x00007FF747660000-0x00007FF7479B1000-memory.dmp
memory/1916-257-0x00007FF701F10000-0x00007FF702261000-memory.dmp