Analysis Overview
SHA256
e9fb559514d55c6bb2ce6b36ccc09456ccf22426ed927529157fe567e49cfc4b
Threat Level: Known bad
The file 2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
Cobalt Strike reflective loader
Cobaltstrike
Cobaltstrike family
Xmrig family
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-08-07 19:30
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-07 19:30
Reported
2024-08-07 19:32
Platform
win7-20240708-en
Max time kernel
140s
Max time network
151s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Process |
| C:\Windows\System\TlmMHXB.exe |
| C:\Windows\System\snlUMOA.exe |
| C:\Windows\System\sZcLFZB.exe |
| C:\Windows\System\jhWNstY.exe |
| C:\Windows\System\zoJRFoO.exe |
| C:\Windows\System\jbqiYgu.exe |
| C:\Windows\System\RlFFUuf.exe |
| C:\Windows\System\swcZOBm.exe |
| C:\Windows\System\YGWokiz.exe |
| C:\Windows\System\xAcGxqH.exe |
| C:\Windows\System\GYHYkWf.exe |
| C:\Windows\System\iezJDhd.exe |
| C:\Windows\System\WCBkUHX.exe |
| C:\Windows\System\jCLdPQU.exe |
| C:\Windows\System\EhKaMZs.exe |
| C:\Windows\System\qyBPtps.exe |
| C:\Windows\System\cNRdwKz.exe |
| C:\Windows\System\ASMbOxh.exe |
| C:\Windows\System\JgVvdWD.exe |
| C:\Windows\System\KgiWHZf.exe |
| C:\Windows\System\mcdIWnA.exe |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Process |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\TlmMHXB.exe
C:\Windows\System\snlUMOA.exe
C:\Windows\System\sZcLFZB.exe
C:\Windows\System\jhWNstY.exe
C:\Windows\System\zoJRFoO.exe
C:\Windows\System\jbqiYgu.exe
C:\Windows\System\RlFFUuf.exe
C:\Windows\System\swcZOBm.exe
C:\Windows\System\YGWokiz.exe
C:\Windows\System\WCBkUHX.exe
C:\Windows\System\xAcGxqH.exe
C:\Windows\System\jCLdPQU.exe
C:\Windows\System\GYHYkWf.exe
C:\Windows\System\EhKaMZs.exe
C:\Windows\System\iezJDhd.exe
C:\Windows\System\qyBPtps.exe
C:\Windows\System\cNRdwKz.exe
C:\Windows\System\ASMbOxh.exe
C:\Windows\System\JgVvdWD.exe
C:\Windows\System\KgiWHZf.exe
C:\Windows\System\mcdIWnA.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\TlmMHXB.exe
C:\Windows\system\snlUMOA.exe
C:\Windows\system\sZcLFZB.exe
\Windows\system\zoJRFoO.exe
C:\Windows\system\jhWNstY.exe
C:\Windows\system\jbqiYgu.exe
C:\Windows\system\RlFFUuf.exe
\Windows\system\swcZOBm.exe
\Windows\system\WCBkUHX.exe
C:\Windows\system\cNRdwKz.exe
C:\Windows\system\mcdIWnA.exe
C:\Windows\system\KgiWHZf.exe
C:\Windows\system\JgVvdWD.exe
C:\Windows\system\ASMbOxh.exe
C:\Windows\system\qyBPtps.exe
C:\Windows\system\EhKaMZs.exe
C:\Windows\system\xAcGxqH.exe
\Windows\system\jCLdPQU.exe
C:\Windows\system\iezJDhd.exe
C:\Windows\system\GYHYkWf.exe
C:\Windows\system\YGWokiz.exe
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-07 19:30
Reported
2024-08-07 19:32
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
146s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Process |
| C:\Windows\System\QIKgowQ.exe |
| C:\Windows\System\XwrUKnL.exe |
| C:\Windows\System\JitgnOx.exe |
| C:\Windows\System\JhsCXJn.exe |
| C:\Windows\System\aNMWkHT.exe |
| C:\Windows\System\hRLuKzi.exe |
| C:\Windows\System\HAIVcMV.exe |
| C:\Windows\System\ZhrdRrR.exe |
| C:\Windows\System\WWfZEQx.exe |
| C:\Windows\System\CbjcLDv.exe |
| C:\Windows\System\bgwhKvM.exe |
| C:\Windows\System\jcPujhd.exe |
| C:\Windows\System\zQqMQJl.exe |
| C:\Windows\System\ccEwGue.exe |
| C:\Windows\System\jFXLITt.exe |
| C:\Windows\System\haNLeGp.exe |
| C:\Windows\System\MMLmagT.exe |
| C:\Windows\System\CWqbGgc.exe |
| C:\Windows\System\QzUinEm.exe |
| C:\Windows\System\DnAsLca.exe |
| C:\Windows\System\ajelOck.exe |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Process |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_bf0575a6f253b0c260097259084b75dc_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\QIKgowQ.exe
C:\Windows\System\XwrUKnL.exe
C:\Windows\System\JitgnOx.exe
C:\Windows\System\JhsCXJn.exe
C:\Windows\System\aNMWkHT.exe
C:\Windows\System\hRLuKzi.exe
C:\Windows\System\HAIVcMV.exe
C:\Windows\System\ZhrdRrR.exe
C:\Windows\System\WWfZEQx.exe
C:\Windows\System\CbjcLDv.exe
C:\Windows\System\bgwhKvM.exe
C:\Windows\System\jcPujhd.exe
C:\Windows\System\zQqMQJl.exe
C:\Windows\System\ccEwGue.exe
C:\Windows\System\jFXLITt.exe
C:\Windows\System\haNLeGp.exe
C:\Windows\System\MMLmagT.exe
C:\Windows\System\CWqbGgc.exe
C:\Windows\System\QzUinEm.exe
C:\Windows\System\DnAsLca.exe
C:\Windows\System\ajelOck.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\QIKgowQ.exe
C:\Windows\System\JitgnOx.exe
C:\Windows\System\XwrUKnL.exe
C:\Windows\System\JhsCXJn.exe
C:\Windows\System\HAIVcMV.exe
C:\Windows\System\aNMWkHT.exe
C:\Windows\System\ZhrdRrR.exe
C:\Windows\System\hRLuKzi.exe
C:\Windows\System\WWfZEQx.exe
C:\Windows\System\CbjcLDv.exe
C:\Windows\System\bgwhKvM.exe
C:\Windows\System\ccEwGue.exe
C:\Windows\System\QzUinEm.exe
C:\Windows\System\DnAsLca.exe
C:\Windows\System\ajelOck.exe
C:\Windows\System\CWqbGgc.exe
C:\Windows\System\MMLmagT.exe
C:\Windows\System\jFXLITt.exe
C:\Windows\System\haNLeGp.exe
C:\Windows\System\zQqMQJl.exe
| MD5 | 0756988f8313a35c767de64e69d7fcf8 |
| SHA1 | a9e49358eb7b2c598f5b10493499684c4f215bba |
| SHA256 | ec5138ed90184f54069e48ca3a1bd1f412bf8ed92aae1382827e1f9bb48feb81 |
| SHA512 | 12b973699b8523b4ecb5b02395443b6edfb0f9ced150b3c2ada2a983bfd309f161ff6c96bad82d71b5e1820c65c0d3e54e60ab1250fae9250a4b897aa0101cf2 |
memory/2540-82-0x00007FF61D0D0000-0x00007FF61D421000-memory.dmp
memory/3204-76-0x00007FF603930000-0x00007FF603C81000-memory.dmp
C:\Windows\System\jcPujhd.exe
| MD5 | 97ef5eb76a9869f8cb9cf6873497556e |
| SHA1 | 218594f749bfb5c61ef07cda0ac378ee8d0f4b38 |
| SHA256 | 014122518a60e99e3b20343fdbc5709b435842b4553724b41423aed68ec22b39 |
| SHA512 | 8a24ee8ab9b38adcd00f611c11f460091ffc600e32ff6cc4a10052a606e425d81146f0fbcea7d9a47bcf04f8e5c7ad47c21d1bfe4b71ba9d10422698c8049c44 |
memory/800-62-0x00007FF74ED40000-0x00007FF74F091000-memory.dmp
memory/4780-57-0x00007FF7BD210000-0x00007FF7BD561000-memory.dmp
memory/3588-52-0x00007FF69D620000-0x00007FF69D971000-memory.dmp
memory/2120-122-0x00007FF7C5C20000-0x00007FF7C5F71000-memory.dmp
memory/2380-123-0x00007FF6A6610000-0x00007FF6A6961000-memory.dmp
memory/436-124-0x00007FF70A540000-0x00007FF70A891000-memory.dmp
memory/2524-125-0x00007FF64DC40000-0x00007FF64DF91000-memory.dmp
memory/3228-126-0x00007FF7B0FB0000-0x00007FF7B1301000-memory.dmp
memory/3408-127-0x00007FF7963E0000-0x00007FF796731000-memory.dmp
memory/1932-132-0x00007FF6BF0B0000-0x00007FF6BF401000-memory.dmp
memory/2024-133-0x00007FF6EFE50000-0x00007FF6F01A1000-memory.dmp
memory/720-134-0x00007FF600D80000-0x00007FF6010D1000-memory.dmp
memory/2324-136-0x00007FF6E4650000-0x00007FF6E49A1000-memory.dmp
memory/4780-138-0x00007FF7BD210000-0x00007FF7BD561000-memory.dmp
memory/2120-144-0x00007FF7C5C20000-0x00007FF7C5F71000-memory.dmp
memory/4056-143-0x00007FF6FA200000-0x00007FF6FA551000-memory.dmp
memory/4980-142-0x00007FF65C220000-0x00007FF65C571000-memory.dmp
memory/800-139-0x00007FF74ED40000-0x00007FF74F091000-memory.dmp
memory/3408-151-0x00007FF7963E0000-0x00007FF796731000-memory.dmp
memory/5100-196-0x00007FF697670000-0x00007FF6979C1000-memory.dmp
memory/2140-198-0x00007FF6E4D20000-0x00007FF6E5071000-memory.dmp
memory/452-200-0x00007FF76ED40000-0x00007FF76F091000-memory.dmp
memory/5008-202-0x00007FF676010000-0x00007FF676361000-memory.dmp
memory/2672-205-0x00007FF738AB0000-0x00007FF738E01000-memory.dmp
memory/1932-207-0x00007FF6BF0B0000-0x00007FF6BF401000-memory.dmp
memory/2324-208-0x00007FF6E4650000-0x00007FF6E49A1000-memory.dmp
memory/3588-210-0x00007FF69D620000-0x00007FF69D971000-memory.dmp
memory/800-226-0x00007FF74ED40000-0x00007FF74F091000-memory.dmp
memory/4780-228-0x00007FF7BD210000-0x00007FF7BD561000-memory.dmp
memory/2540-232-0x00007FF61D0D0000-0x00007FF61D421000-memory.dmp
memory/3204-231-0x00007FF603930000-0x00007FF603C81000-memory.dmp
memory/4056-235-0x00007FF6FA200000-0x00007FF6FA551000-memory.dmp
memory/4980-238-0x00007FF65C220000-0x00007FF65C571000-memory.dmp
memory/2024-237-0x00007FF6EFE50000-0x00007FF6F01A1000-memory.dmp
memory/2120-240-0x00007FF7C5C20000-0x00007FF7C5F71000-memory.dmp
memory/720-242-0x00007FF600D80000-0x00007FF6010D1000-memory.dmp
memory/3228-250-0x00007FF7B0FB0000-0x00007FF7B1301000-memory.dmp
memory/2380-248-0x00007FF6A6610000-0x00007FF6A6961000-memory.dmp
memory/2524-247-0x00007FF64DC40000-0x00007FF64DF91000-memory.dmp
memory/436-245-0x00007FF70A540000-0x00007FF70A891000-memory.dmp
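Added example (not part of the sandbox report above): a small Python parser for the artifact listing in this section, written here to turn the dropped-file tables and `memory/<pid>-<seq>-<start>-<end>-memory.dmp` entries into something a responder can act on. It assumes only the line layout shown on this page; the sample input is a handful of lines copied from the listing above, and the `C:\Windows\System\<7 letters>.exe` naming check is taken from the paths listed here rather than from any documented behaviour of the family. Run over the full listing, the size check reports a single value, 0x351000 bytes, for every dumped region, which is what you would expect when each dropped copy maps the same executable image in its own process.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the report above in the same
# layout; the parser takes any number of lines in that layout.
SAMPLE_REPORT = r"""
memory/5008-31-0x00007FF676010000-0x00007FF676361000-memory.dmp
memory/452-30-0x00007FF76ED40000-0x00007FF76F091000-memory.dmp
C:\Windows\System\WWfZEQx.exe
| MD5 | 85648fc112d4d0fa74517b8e3a57901a |
| SHA1 | 60a3a074f1e6821c913cffdbcf7cf9c6f2a644d1 |
| SHA256 | 290c77b248d883e2676bea62a88f24e7b2e8d42127d00a48746d448ad36c63fd |
C:\Windows\System\CbjcLDv.exe
| MD5 | 14a59ac47de077fdea64ca9cb01d7ac0 |
| SHA256 | 741b99f0bce6531cc1714bf1b7ec475e14a94e3cada1194aab6b9b41f39ab5a9 |
memory/3408-84-0x00007FF7963E0000-0x00007FF796731000-memory.dmp
memory/5008-202-0x00007FF676010000-0x00007FF676361000-memory.dmp
"""

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
FILE_RE = re.compile(r"^([A-Za-z]:\\.+\.exe)$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Assumption taken from the paths on this page: every drop is C:\Windows\System\<7 letters>.exe
DROP_NAME_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$")


def parse_report(text):
    """Return (regions, files).

    regions: one dict per memory dump line with pid, seq, start, end and size
    files:   dict path -> {algorithm: hex digest}, filled from the rows that follow a path
    """
    regions, files = [], {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = MEM_RE.match(line)
        if m:
            pid, seq, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
            regions.append({"pid": pid, "seq": seq, "start": start, "end": end, "size": end - start})
            current = None
            continue
        m = FILE_RE.match(line)
        if m:
            current = m[1]
            files.setdefault(current, {})
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            alg, digest = m[1], m[2].lower()
            # A truncated or mis-copied digest is worse than none: reject it loudly.
            if len(digest) != HASH_LEN[alg]:
                raise ValueError(f"{current}: {alg} digest has wrong length ({len(digest)})")
            files[current][alg] = digest
    return regions, files


def region_sizes(regions):
    """Distinct mapped sizes; a single value means every dump covers the same image size."""
    return {r["size"] for r in regions}


def regions_by_pid(regions):
    """pid -> sorted distinct (start, end) ranges dumped for that process."""
    by_pid = defaultdict(set)
    for r in regions:
        by_pid[r["pid"]].add((r["start"], r["end"]))
    return {pid: sorted(v) for pid, v in by_pid.items()}


def ioc_hashes(files, alg="SHA256"):
    """Sorted, de-duplicated digests of one algorithm, ready for a blocklist or hunt query."""
    return sorted({h[alg] for h in files.values() if alg in h})


def randomly_named_drops(files):
    """Paths that fit the 7-letter C:\\Windows\\System\\ naming pattern seen on this page."""
    return sorted(p for p in files if DROP_NAME_RE.match(p))


if __name__ == "__main__":
    regs, drops = parse_report(SAMPLE_REPORT)
    print("region sizes:", [hex(s) for s in region_sizes(regs)])
    for pid, ranges in sorted(regions_by_pid(regs).items()):
        print(f"pid {pid}:", [f"{hex(a)}-{hex(b)}" for a, b in ranges])
    print("dropped:", randomly_named_drops(drops))
    print("sha256 IOCs:", ioc_hashes(drops))
```

Paste the whole listing from this section into `SAMPLE_REPORT` (or read it from a file) to get the complete SHA256 set and the per-PID map; the repeated entries for one PID at different sequence numbers collapse to one range, which makes the number of distinct mining processes easy to read off.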