Analysis Overview
SHA256
31b4900742c7817b1772984763d0a05d4bd4f5c9580f72ba00a89a84cfbb3424
Threat Level: Known bad
The file 2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobalt Strike reflective loader
xmrig
Xmrig family
Cobaltstrike
XMRig Miner payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-29 06:57
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-29 06:57
Reported
2024-06-29 07:00
Platform
win10v2004-20240611-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\dPBjinJ.exe | N/A |
| N/A | N/A | C:\Windows\System\MvVRqaw.exe | N/A |
| N/A | N/A | C:\Windows\System\pjSisze.exe | N/A |
| N/A | N/A | C:\Windows\System\jWzHtWY.exe | N/A |
| N/A | N/A | C:\Windows\System\OStnhog.exe | N/A |
| N/A | N/A | C:\Windows\System\lzOYTyo.exe | N/A |
| N/A | N/A | C:\Windows\System\pmUkfSZ.exe | N/A |
| N/A | N/A | C:\Windows\System\qNZUzVH.exe | N/A |
| N/A | N/A | C:\Windows\System\JcfxDSR.exe | N/A |
| N/A | N/A | C:\Windows\System\mKkYyVF.exe | N/A |
| N/A | N/A | C:\Windows\System\zAqhync.exe | N/A |
| N/A | N/A | C:\Windows\System\iFMJYAB.exe | N/A |
| N/A | N/A | C:\Windows\System\GPJtLrX.exe | N/A |
| N/A | N/A | C:\Windows\System\FSufaEp.exe | N/A |
| N/A | N/A | C:\Windows\System\hyLiplr.exe | N/A |
| N/A | N/A | C:\Windows\System\tLoqfqO.exe | N/A |
| N/A | N/A | C:\Windows\System\HCOkrQh.exe | N/A |
| N/A | N/A | C:\Windows\System\gpZnjdO.exe | N/A |
| N/A | N/A | C:\Windows\System\mqbAmsP.exe | N/A |
| N/A | N/A | C:\Windows\System\KPzbgFJ.exe | N/A |
| N/A | N/A | C:\Windows\System\ZRXPWzA.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\dPBjinJ.exe
C:\Windows\System\dPBjinJ.exe
C:\Windows\System\MvVRqaw.exe
C:\Windows\System\MvVRqaw.exe
C:\Windows\System\pjSisze.exe
C:\Windows\System\pjSisze.exe
C:\Windows\System\jWzHtWY.exe
C:\Windows\System\jWzHtWY.exe
C:\Windows\System\OStnhog.exe
C:\Windows\System\OStnhog.exe
C:\Windows\System\lzOYTyo.exe
C:\Windows\System\lzOYTyo.exe
C:\Windows\System\pmUkfSZ.exe
C:\Windows\System\pmUkfSZ.exe
C:\Windows\System\qNZUzVH.exe
C:\Windows\System\qNZUzVH.exe
C:\Windows\System\JcfxDSR.exe
C:\Windows\System\JcfxDSR.exe
C:\Windows\System\mKkYyVF.exe
C:\Windows\System\mKkYyVF.exe
C:\Windows\System\zAqhync.exe
C:\Windows\System\zAqhync.exe
C:\Windows\System\iFMJYAB.exe
C:\Windows\System\iFMJYAB.exe
C:\Windows\System\GPJtLrX.exe
C:\Windows\System\GPJtLrX.exe
C:\Windows\System\FSufaEp.exe
C:\Windows\System\FSufaEp.exe
C:\Windows\System\hyLiplr.exe
C:\Windows\System\hyLiplr.exe
C:\Windows\System\tLoqfqO.exe
C:\Windows\System\tLoqfqO.exe
C:\Windows\System\HCOkrQh.exe
C:\Windows\System\HCOkrQh.exe
C:\Windows\System\gpZnjdO.exe
C:\Windows\System\gpZnjdO.exe
C:\Windows\System\mqbAmsP.exe
C:\Windows\System\mqbAmsP.exe
C:\Windows\System\KPzbgFJ.exe
C:\Windows\System\KPzbgFJ.exe
C:\Windows\System\ZRXPWzA.exe
C:\Windows\System\ZRXPWzA.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2736,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=4188 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/3100-0-0x00007FF73FC50000-0x00007FF73FFA4000-memory.dmp
memory/3100-1-0x0000023C47720000-0x0000023C47730000-memory.dmp
C:\Windows\System\dPBjinJ.exe
| MD5 | f0a06c8e5a5f1b84900b6b63ecd41a9d |
| SHA1 | 0e5a87db07b57547a510e6975b2a01258183d6da |
| SHA256 | 5be0232c00fca70d642503b0d523e618fd4256f382bff07b3329615323c6e26c |
| SHA512 | baeebf8d3afd701914d85f1c9a312234f95134bd289570b9a4fe6ee0ce5f429493560c983bfd9426aca8e80616e419cd893049fe212c4c43ae011f17fc06a895 |
memory/4220-8-0x00007FF7F08C0000-0x00007FF7F0C14000-memory.dmp
C:\Windows\System\MvVRqaw.exe
| MD5 | 558f3be622ab6913c6b3e9147bb6ae19 |
| SHA1 | 6d3ed2d1f2f401eb10536df1717b43c0de7ec331 |
| SHA256 | 44bd2566927fd690a6736888383d9a4960710a10ee00a2a77a763bde6daa1b28 |
| SHA512 | e9aa479dafd5a2bac968f68e9f72514d3ce07e82c8a4418ca23037e2c75a80748cef85b471e243ed08a31215e1ec62551c264620d8416d10ace196e649c03d44 |
C:\Windows\System\pjSisze.exe
| MD5 | b6276dcd064471eb48d753e6557b073e |
| SHA1 | a148c405fd4dc2a7ca555c99f75aa9ac3f7e3641 |
| SHA256 | 98fe3af1e223d714a2d6d051b33b179b5865a518e0f6d7307ec5721681a04423 |
| SHA512 | 06abc93ca5c367a9e4860f28f66c20dfc7700d411a5e858f0bd40d78c03d99e9e8bd7f15dea151b0568b8b2e367727fc2e4385ea90edb7f382c111401320ef54 |
C:\Windows\System\jWzHtWY.exe
| MD5 | 9a38d01e0b181e0b6079c4b39eb7deb1 |
| SHA1 | d8a75c9e6554dd047cca2264eb4d46b46a57f38d |
| SHA256 | f0d5f37dd6b62f4f9873ce70f68494c8855fba71df02f62abcefc260c8a8cf32 |
| SHA512 | 54061a2bd598cbdb06dc26ef938fdb03bea912dc33a94c74fa403bc62ed2bee53279c8dc8c60da01ee0d4b11bb93f25735f6320db6ee7c129b8c1e3a1b9d3c8f |
memory/3212-22-0x00007FF60D8D0000-0x00007FF60DC24000-memory.dmp
memory/3056-28-0x00007FF62EBB0000-0x00007FF62EF04000-memory.dmp
C:\Windows\System\qNZUzVH.exe
| MD5 | 8b6ff434545b856413505cf3c9bf8d1f |
| SHA1 | 7a509a2f415fbfa8a63c7607e764019a176574d3 |
| SHA256 | 88f6cb8bd7e70d95456ec6ac9761720e9169f505f1882e0e3c58ef6317af640c |
| SHA512 | ebdccedcc0be2ae03728a4501ddfbb1fa0458e067d3571ae5ff1573f005a5deff5b936571e9172bff815bb51a9c8e15a25914308b9a3e01a947c4068620f2c27 |
C:\Windows\System\JcfxDSR.exe
| MD5 | 8ca6f1b8da065c8ceabcdc558fe27985 |
| SHA1 | 96bfcc1ca7af2d373fc3bae99b7898fbf65fa74c |
| SHA256 | 6000573e4b82db82a8412329bd3f741c7ca0c92ddc96a5d0d12c346a2be546f2 |
| SHA512 | 81579a6fcb71e33d4616ae5e1eae059b198b9e5bc66a4173ace283e2f5054abc52d10e4ea816e2ba19babec46fb88595faa58b875cecf160e3b086e8ad866133 |
C:\Windows\System\iFMJYAB.exe
| MD5 | 915bc9276f222b8d498f332426e03998 |
| SHA1 | e229beadcc5c0dd252f177f08e5589584647bd59 |
| SHA256 | 7d764e0ce3b2f06abd652c5d628b9730f735367b6f3bbb559eb6b8d070f1b931 |
| SHA512 | 518532ef02523e734620436a0dc2423185f4a9cd86ca0f3461e2d841e961a91f2102ec3b2dd32aa41187ada97fb983e3c0e96e3449f657374232be80703e6061 |
C:\Windows\System\HCOkrQh.exe
| MD5 | b0eb70b552e9046438fb65e90f84533a |
| SHA1 | 7f554df4c34815684b1cfda900025d498715bdb9 |
| SHA256 | 116a755fa1e68157604a0514b3d80813a3dd9963d64aa33360cd03c4e76c184d |
| SHA512 | ea21bbc6146acdc284618cc781b934f8f51041e35b6720f9953af57c9c19cde734d413463e085b7318969174092cc580ff7529e214a6e44ad991ca4c22e89073 |
C:\Windows\System\ZRXPWzA.exe
| MD5 | 9a3afb221adaad6c7ae9937523be18b0 |
| SHA1 | f10bb1b113b32d66be8a6ce33b3dff11586c7f13 |
| SHA256 | 93f437530613e6bbbbc4b8df5f9aa99a9866973641dddc8f7ef298eebeaa8b36 |
| SHA512 | b79cf7d2c9ccf3649e4301ca4bbbbaa3b3758c8b0a7aab29c634c3aceea9306b480d36215310b2ccab2c952b1672be1a3b61dd70d792ccef28de7ea81a471933 |
C:\Windows\System\KPzbgFJ.exe
| MD5 | 2a525c3fcf5069268e4866ad4fe0d4d7 |
| SHA1 | fbef09c3073aebf0f964cd20abea04c4c21ccf90 |
| SHA256 | 994820f4d75829ae5be8af697f15e92bb3c6d1c253631b9ad6710b7736fd600e |
| SHA512 | 381d0d706a2eee5d2040a1136e7b3af55c94ac1a86416aec4ac55509d6bd535c1b2f2f755adf2e2514286aae2a1aaed7d0cbebb6e0f1cfddb303ad089ff08e04 |
C:\Windows\System\mqbAmsP.exe
| MD5 | df08956135d699f4011016d9729e501d |
| SHA1 | ecc27ae449be760126f8a3e1b364da5fca1f25d1 |
| SHA256 | 949677cf6b0608ae4f163decfe821a47840d1a04512289661f6310d90afbe389 |
| SHA512 | 4d5e88c556b9de11ece8fcbe7b5880fa2cfcc0bccc2caf4d8827c3428beeaf167cff7f22d8cbd0c6d61bbf4dfc690415b571dc520049b71cfcca28d8e7877e31 |
C:\Windows\System\gpZnjdO.exe
| MD5 | a9ea4f700074a532e8c5d9c3f7cb4b8a |
| SHA1 | 17bccee444a4f5293f253a80f78886a7ef548031 |
| SHA256 | 10170adb7c3c069e4357b7b96881fcff68ceaa3016c92f2e97e3f09fda5da921 |
| SHA512 | 42fba6c68eb12ddb66786a3b94ef5fc2605bed3aff1ce3b11de3795bc20d350c7ad84b2304decf768ecde23d366c8d28440035082ccc2806fed1d33690dd67bc |
C:\Windows\System\tLoqfqO.exe
| MD5 | 56da738263d4f6ec21b2a3fa8156e449 |
| SHA1 | 3a5b84a9d5056bb956b95d280abd9f45522a85c3 |
| SHA256 | 7b554e14634c830efe44dced703c9b03ad4e4230c51e9211d9eb31203389c72f |
| SHA512 | 59c8b9c465fbb7b8de6648c0bfa83a5e6d55f516b4a16b94dbc98c907b6f7b8a3c790b3fdb53014d7b3679017c85820ee9a4324f952efdca8893f57e1b9ab44d |
C:\Windows\System\hyLiplr.exe
| MD5 | 9b80b6af17285620c1acc91ccc691587 |
| SHA1 | 403d6169040e1e8f414774e4ba963113339a5402 |
| SHA256 | 5775fc3aefedbc6fc943b6a5d5a2c5074be00435dccea1c71990f5f329a232df |
| SHA512 | 3eddd501e76e95968d159ac0fd77b2ea183bc21165724438263d9b9d4b204b37fe32667680e5fe39801f1019ec530f9b0c63fa3f82a4cf8ab319dcc17bd1603b |
C:\Windows\System\FSufaEp.exe
| MD5 | 04829796693a4fe9ba67d10a042e1fe6 |
| SHA1 | 09104e59b481b9c77e85e7e7a843fe8aefb50acc |
| SHA256 | b6c936fd4ae9d9f9484af9848e43f0cdc25b5ee19c269889ead52ace3d7fafa4 |
| SHA512 | 4dd3af6f2f1cc75e7dd5a02d0383aad62fe992e8d43186eab4cd45409abc5d121639f9659313a3d02933f3c24cdd09af538b6a16bdf7e2ec03c353a11d40012e |
C:\Windows\System\GPJtLrX.exe
| MD5 | 7d7fd01a061fd5a7e89753c368088b08 |
| SHA1 | 4502b4ca69fc47ee61419cc59cb3c5394ce487db |
| SHA256 | 58a8f52e1eced881312ae32d539f8881698431fc7dd1b1e0f12f59879f5cabf2 |
| SHA512 | 3712103971807d87a792f078932fea72c5ff47d2861e3650eee9dd24e4beffb66b9e3efd8aad3bb116714fbc542f688c3b8158a7f546a35dcfe4d3796b595759 |
C:\Windows\System\zAqhync.exe
| MD5 | 3930869b2c530758aac63d3cf8cdf11b |
| SHA1 | 6315336a21b35224a2020bc24469bb484c7927bd |
| SHA256 | 10c8d2ab251bfe245c505c36ed8f818573287b65858b823c551916eee6d26dcc |
| SHA512 | 1940b32f0f53c2192e013ad6b2fd1ad349fd31993948544c99d478174cc57e267d3a0909baf8bfa9fbb5e6fae473adb3bcde2a8f35616a35ac54a9617f4ce128 |
C:\Windows\System\mKkYyVF.exe
| MD5 | 36c6e7c7a978e45d320aa67e8f9e042c |
| SHA1 | 89dd36abddfee7a4224c943f1714643172c03dd3 |
| SHA256 | 01eced5d3fee1110d6a6cb10d27ec36235bf12b07352065fd220a7b4f729ac9f |
| SHA512 | 9b2915c877d1824e9d48cc8fb4509efc4a7bc2ec3c085a9fbcc00304ca97765dd631ebbcd1f959135ccd99dd85457cf61b71aa54e8b893fbecf4ec9200fbb8b3 |
C:\Windows\System\pmUkfSZ.exe
| MD5 | 15c77185a20361e32e46bb1ddd0e1182 |
| SHA1 | d5b9693fc5a5ab0ee2611968fa7f9a218a4c3903 |
| SHA256 | d69a8f42931bee1c90e1f119eb287a2f1d930485c6ec8ffc251d34e3219ab3f1 |
| SHA512 | 6de4fee1f2b8b4a6e59658f9b8117c190b108ff950795238e3f4c8bf805e53582fce8461a1b995f5ca4e29063d2ad08955ff2a0d7732da47202c5d75e9f31cfb |
C:\Windows\System\lzOYTyo.exe
| MD5 | e5f000530419cb3da9e22ff850f62a86 |
| SHA1 | c1e01a8a0fe7332101a61e84b40d3b48524de9de |
| SHA256 | 29e611ec24b9278365257ac9426bed7ba0b449272abd8c9cc693fd049d5995a3 |
| SHA512 | d0ae551e3b564d0b28cf1b655ab2e48c1ba17ce9895bdb792012233b07f79b05275d145eadd2211df95524e562cebf1fc96102955cf5c0f72994b396005770e4 |
C:\Windows\System\OStnhog.exe
| MD5 | 9c88bde4cd903853e890dc3ead4f1087 |
| SHA1 | 366c0114a7412433aaa26313325aa74452f130f8 |
| SHA256 | 3b6c30785dd1f9deb79b62d3a78884e140f4b7516d55953a71bb38cdb067c127 |
| SHA512 | 0a1f67a5be5c84e1be24232fc3faca7388ef499da6d119a7ba9479c003a9a49cb3fc8324c590b12ac07f4d96b6b9e3b209e589b272db596863995cf8cff6b9e6 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-29 06:57
Reported
2024-06-29 07:00
Platform
win7-20240221-en
Max time kernel
137s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\dPBjinJ.exe | N/A |
| N/A | N/A | C:\Windows\System\MvVRqaw.exe | N/A |
| N/A | N/A | C:\Windows\System\jWzHtWY.exe | N/A |
| N/A | N/A | C:\Windows\System\pjSisze.exe | N/A |
| N/A | N/A | C:\Windows\System\OStnhog.exe | N/A |
| N/A | N/A | C:\Windows\System\lzOYTyo.exe | N/A |
| N/A | N/A | C:\Windows\System\pmUkfSZ.exe | N/A |
| N/A | N/A | C:\Windows\System\qNZUzVH.exe | N/A |
| N/A | N/A | C:\Windows\System\JcfxDSR.exe | N/A |
| N/A | N/A | C:\Windows\System\mKkYyVF.exe | N/A |
| N/A | N/A | C:\Windows\System\iFMJYAB.exe | N/A |
| N/A | N/A | C:\Windows\System\zAqhync.exe | N/A |
| N/A | N/A | C:\Windows\System\GPJtLrX.exe | N/A |
| N/A | N/A | C:\Windows\System\FSufaEp.exe | N/A |
| N/A | N/A | C:\Windows\System\hyLiplr.exe | N/A |
| N/A | N/A | C:\Windows\System\tLoqfqO.exe | N/A |
| N/A | N/A | C:\Windows\System\HCOkrQh.exe | N/A |
| N/A | N/A | C:\Windows\System\gpZnjdO.exe | N/A |
| N/A | N/A | C:\Windows\System\mqbAmsP.exe | N/A |
| N/A | N/A | C:\Windows\System\KPzbgFJ.exe | N/A |
| N/A | N/A | C:\Windows\System\ZRXPWzA.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-29_76220fbe02249ab34dab933ea8f666f1_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\dPBjinJ.exe
C:\Windows\System\dPBjinJ.exe
C:\Windows\System\MvVRqaw.exe
C:\Windows\System\MvVRqaw.exe
C:\Windows\System\pjSisze.exe
C:\Windows\System\pjSisze.exe
C:\Windows\System\jWzHtWY.exe
C:\Windows\System\jWzHtWY.exe
C:\Windows\System\OStnhog.exe
C:\Windows\System\OStnhog.exe
C:\Windows\System\lzOYTyo.exe
C:\Windows\System\lzOYTyo.exe
C:\Windows\System\pmUkfSZ.exe
C:\Windows\System\pmUkfSZ.exe
C:\Windows\System\qNZUzVH.exe
C:\Windows\System\qNZUzVH.exe
C:\Windows\System\JcfxDSR.exe
C:\Windows\System\JcfxDSR.exe
C:\Windows\System\mKkYyVF.exe
C:\Windows\System\mKkYyVF.exe
C:\Windows\System\zAqhync.exe
C:\Windows\System\zAqhync.exe
C:\Windows\System\iFMJYAB.exe
C:\Windows\System\iFMJYAB.exe
C:\Windows\System\GPJtLrX.exe
C:\Windows\System\GPJtLrX.exe
C:\Windows\System\FSufaEp.exe
C:\Windows\System\FSufaEp.exe
C:\Windows\System\hyLiplr.exe
C:\Windows\System\hyLiplr.exe
C:\Windows\System\tLoqfqO.exe
C:\Windows\System\tLoqfqO.exe
C:\Windows\System\HCOkrQh.exe
C:\Windows\System\HCOkrQh.exe
C:\Windows\System\gpZnjdO.exe
C:\Windows\System\gpZnjdO.exe
C:\Windows\System\mqbAmsP.exe
C:\Windows\System\mqbAmsP.exe
C:\Windows\System\KPzbgFJ.exe
C:\Windows\System\KPzbgFJ.exe
C:\Windows\System\ZRXPWzA.exe
C:\Windows\System\ZRXPWzA.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/2172-0-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/2172-2-0x000000013F610000-0x000000013F964000-memory.dmp
C:\Windows\system\dPBjinJ.exe
| MD5 | f0a06c8e5a5f1b84900b6b63ecd41a9d |
| SHA1 | 0e5a87db07b57547a510e6975b2a01258183d6da |
| SHA256 | 5be0232c00fca70d642503b0d523e618fd4256f382bff07b3329615323c6e26c |
| SHA512 | baeebf8d3afd701914d85f1c9a312234f95134bd289570b9a4fe6ee0ce5f429493560c983bfd9426aca8e80616e419cd893049fe212c4c43ae011f17fc06a895 |
memory/2172-8-0x0000000002440000-0x0000000002794000-memory.dmp
memory/1032-9-0x000000013F6E0000-0x000000013FA34000-memory.dmp
\Windows\system\MvVRqaw.exe
| MD5 | 558f3be622ab6913c6b3e9147bb6ae19 |
| SHA1 | 6d3ed2d1f2f401eb10536df1717b43c0de7ec331 |
| SHA256 | 44bd2566927fd690a6736888383d9a4960710a10ee00a2a77a763bde6daa1b28 |
| SHA512 | e9aa479dafd5a2bac968f68e9f72514d3ce07e82c8a4418ca23037e2c75a80748cef85b471e243ed08a31215e1ec62551c264620d8416d10ace196e649c03d44 |
C:\Windows\system\pjSisze.exe
| MD5 | b6276dcd064471eb48d753e6557b073e |
| SHA1 | a148c405fd4dc2a7ca555c99f75aa9ac3f7e3641 |
| SHA256 | 98fe3af1e223d714a2d6d051b33b179b5865a518e0f6d7307ec5721681a04423 |
| SHA512 | 06abc93ca5c367a9e4860f28f66c20dfc7700d411a5e858f0bd40d78c03d99e9e8bd7f15dea151b0568b8b2e367727fc2e4385ea90edb7f382c111401320ef54 |
C:\Windows\system\jWzHtWY.exe
| MD5 | 9a38d01e0b181e0b6079c4b39eb7deb1 |
| SHA1 | d8a75c9e6554dd047cca2264eb4d46b46a57f38d |
| SHA256 | f0d5f37dd6b62f4f9873ce70f68494c8855fba71df02f62abcefc260c8a8cf32 |
| SHA512 | 54061a2bd598cbdb06dc26ef938fdb03bea912dc33a94c74fa403bc62ed2bee53279c8dc8c60da01ee0d4b11bb93f25735f6320db6ee7c129b8c1e3a1b9d3c8f |
memory/2172-23-0x0000000002440000-0x0000000002794000-memory.dmp