Analysis Overview
SHA256
7a2754b0aa64e18ff9bc44e5bfd7f796af9c0bc5a8ae071b9b2fa50e232da11c
Threat Level: Known bad
The file 2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
xmrig
XMRig Miner payload
Cobalt Strike reflective loader
Cobaltstrike
Cobaltstrike family
Xmrig family
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-08-12 00:35
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-12 00:35
Reported
2024-08-12 00:38
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
156s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\RnwLFGj.exe | N/A |
| N/A | N/A | C:\Windows\System\ZzyUHYU.exe | N/A |
| N/A | N/A | C:\Windows\System\JmuVpIe.exe | N/A |
| N/A | N/A | C:\Windows\System\CaLgmiu.exe | N/A |
| N/A | N/A | C:\Windows\System\adlQkte.exe | N/A |
| N/A | N/A | C:\Windows\System\AYPQJyc.exe | N/A |
| N/A | N/A | C:\Windows\System\tRnqjCE.exe | N/A |
| N/A | N/A | C:\Windows\System\eWBVoOB.exe | N/A |
| N/A | N/A | C:\Windows\System\QKrgFis.exe | N/A |
| N/A | N/A | C:\Windows\System\usZtvqw.exe | N/A |
| N/A | N/A | C:\Windows\System\lsrGtNK.exe | N/A |
| N/A | N/A | C:\Windows\System\FavMtBC.exe | N/A |
| N/A | N/A | C:\Windows\System\ueGHIoQ.exe | N/A |
| N/A | N/A | C:\Windows\System\QiaQjqZ.exe | N/A |
| N/A | N/A | C:\Windows\System\vUOnGvN.exe | N/A |
| N/A | N/A | C:\Windows\System\OLEjaWy.exe | N/A |
| N/A | N/A | C:\Windows\System\vqThtyR.exe | N/A |
| N/A | N/A | C:\Windows\System\bCoWeNX.exe | N/A |
| N/A | N/A | C:\Windows\System\cKCtLhg.exe | N/A |
| N/A | N/A | C:\Windows\System\ghYTzCb.exe | N/A |
| N/A | N/A | C:\Windows\System\MSYmpVY.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\RnwLFGj.exe
C:\Windows\System\ZzyUHYU.exe
C:\Windows\System\JmuVpIe.exe
C:\Windows\System\CaLgmiu.exe
C:\Windows\System\adlQkte.exe
C:\Windows\System\tRnqjCE.exe
C:\Windows\System\AYPQJyc.exe
C:\Windows\System\eWBVoOB.exe
C:\Windows\System\QKrgFis.exe
C:\Windows\System\usZtvqw.exe
C:\Windows\System\lsrGtNK.exe
C:\Windows\System\FavMtBC.exe
C:\Windows\System\ueGHIoQ.exe
C:\Windows\System\QiaQjqZ.exe
C:\Windows\System\vUOnGvN.exe
C:\Windows\System\OLEjaWy.exe
C:\Windows\System\vqThtyR.exe
C:\Windows\System\bCoWeNX.exe
C:\Windows\System\cKCtLhg.exe
C:\Windows\System\ghYTzCb.exe
C:\Windows\System\MSYmpVY.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Windows\System\RnwLFGj.exe
C:\Windows\System\JmuVpIe.exe
C:\Windows\System\ZzyUHYU.exe
C:\Windows\System\tRnqjCE.exe
C:\Windows\System\adlQkte.exe
C:\Windows\System\eWBVoOB.exe
C:\Windows\System\QKrgFis.exe
C:\Windows\System\OLEjaWy.exe
C:\Windows\System\QiaQjqZ.exe
C:\Windows\System\MSYmpVY.exe
C:\Windows\System\ghYTzCb.exe
C:\Windows\System\cKCtLhg.exe
C:\Windows\System\vqThtyR.exe
C:\Windows\System\vUOnGvN.exe
C:\Windows\System\bCoWeNX.exe
C:\Windows\System\ueGHIoQ.exe
C:\Windows\System\FavMtBC.exe
C:\Windows\System\lsrGtNK.exe
C:\Windows\System\usZtvqw.exe
C:\Windows\System\AYPQJyc.exe
C:\Windows\System\CaLgmiu.exe
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-12 00:35
Reported
2024-08-12 00:38
Platform
win7-20240704-en
Max time kernel
146s
Max time network
154s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\LazAUFz.exe | N/A |
| N/A | N/A | C:\Windows\System\sZLUDOi.exe | N/A |
| N/A | N/A | C:\Windows\System\zCkLPnP.exe | N/A |
| N/A | N/A | C:\Windows\System\tSEDwWX.exe | N/A |
| N/A | N/A | C:\Windows\System\uTratmg.exe | N/A |
| N/A | N/A | C:\Windows\System\gKUvhaR.exe | N/A |
| N/A | N/A | C:\Windows\System\hrePzmg.exe | N/A |
| N/A | N/A | C:\Windows\System\tAeeuCC.exe | N/A |
| N/A | N/A | C:\Windows\System\MpACsqp.exe | N/A |
| N/A | N/A | C:\Windows\System\kMfQLfU.exe | N/A |
| N/A | N/A | C:\Windows\System\Pjqcliq.exe | N/A |
| N/A | N/A | C:\Windows\System\FaDnZtl.exe | N/A |
| N/A | N/A | C:\Windows\System\hORjTVk.exe | N/A |
| N/A | N/A | C:\Windows\System\xQsAISB.exe | N/A |
| N/A | N/A | C:\Windows\System\WhzGuHG.exe | N/A |
| N/A | N/A | C:\Windows\System\LPPHWgp.exe | N/A |
| N/A | N/A | C:\Windows\System\oHjbEEB.exe | N/A |
| N/A | N/A | C:\Windows\System\ZJnPGXE.exe | N/A |
| N/A | N/A | C:\Windows\System\yDJTWwq.exe | N/A |
| N/A | N/A | C:\Windows\System\xfJAZHj.exe | N/A |
| N/A | N/A | C:\Windows\System\CEJLOJR.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-12_24fc968323aec325cdd548dcfab1b8f4_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\LazAUFz.exe
C:\Windows\System\sZLUDOi.exe
C:\Windows\System\zCkLPnP.exe
C:\Windows\System\tSEDwWX.exe
C:\Windows\System\uTratmg.exe
C:\Windows\System\hrePzmg.exe
C:\Windows\System\gKUvhaR.exe
C:\Windows\System\tAeeuCC.exe
C:\Windows\System\MpACsqp.exe
C:\Windows\System\Pjqcliq.exe
C:\Windows\System\kMfQLfU.exe
C:\Windows\System\FaDnZtl.exe
C:\Windows\System\hORjTVk.exe
C:\Windows\System\LPPHWgp.exe
C:\Windows\System\xQsAISB.exe
C:\Windows\System\oHjbEEB.exe
C:\Windows\System\WhzGuHG.exe
C:\Windows\System\ZJnPGXE.exe
C:\Windows\System\yDJTWwq.exe
C:\Windows\System\CEJLOJR.exe
C:\Windows\System\xfJAZHj.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\LazAUFz.exe
\Windows\system\sZLUDOi.exe
C:\Windows\system\zCkLPnP.exe
C:\Windows\system\tSEDwWX.exe
C:\Windows\system\hrePzmg.exe
\Windows\system\tAeeuCC.exe
C:\Windows\system\Pjqcliq.exe
\Windows\system\FaDnZtl.exe
\Windows\system\LPPHWgp.exe
C:\Windows\system\ZJnPGXE.exe
\Windows\system\CEJLOJR.exe
C:\Windows\system\xfJAZHj.exe
C:\Windows\system\yDJTWwq.exe
\Windows\system\oHjbEEB.exe
C:\Windows\system\WhzGuHG.exe
C:\Windows\system\xQsAISB.exe
C:\Windows\system\hORjTVk.exe
memory/1048-72-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/2812-71-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/2812-70-0x000000013FE10000-0x0000000140161000-memory.dmp
memory/2592-69-0x000000013F750000-0x000000013FAA1000-memory.dmp
C:\Windows\system\kMfQLfU.exe
| MD5 | 7935df30b8922d24b615808a08412b42 |
| SHA1 | ea06432b67f962777e0549d6f7f243eac256a296 |
| SHA256 | 1e92225cdc572ef7dcded462fc1b5095c4def825d78441ce6d990a00ae337918 |
| SHA512 | 3fdcb6130c6c9b227c862cfa93ec116fdc74b11bc8b27bb7c87e7b4a69f346f51042605a8437872f1002601a009a88969dd2e786d33a3c83b5e8645791471218 |
memory/2124-67-0x000000013F830000-0x000000013FB81000-memory.dmp
memory/2812-66-0x0000000002220000-0x0000000002571000-memory.dmp
memory/2968-59-0x000000013FCA0000-0x000000013FFF1000-memory.dmp
C:\Windows\system\MpACsqp.exe
| MD5 | b2ebebe62c5d8a2f17b8a23d089b1659 |
| SHA1 | 16c4f01d9a6c0e78be58c7e37f0c630ac16ff1e1 |
| SHA256 | 4343d703c357d363d1c8eac0ffef14c7d6bfbcb9a5a0c4e2274d6bf6a182fab6 |
| SHA512 | 4734e9c8fadb89589fcc8a71b89e1b2edf3fe906d1e2fd622e89d2a78e97134976cffc89bd394745e66f37c1df9701b4f9c15f8c7bfc4d968e7fedd2f97524a2 |
memory/2124-143-0x000000013F830000-0x000000013FB81000-memory.dmp
memory/2564-142-0x000000013FBF0000-0x000000013FF41000-memory.dmp
memory/2812-137-0x000000013F7B0000-0x000000013FB01000-memory.dmp
memory/2812-53-0x000000013F7B0000-0x000000013FB01000-memory.dmp
memory/3032-46-0x000000013F900000-0x000000013FC51000-memory.dmp
memory/2812-44-0x000000013FE30000-0x0000000140181000-memory.dmp
C:\Windows\system\gKUvhaR.exe
| MD5 | 0c54cabed2d1f87345b4c65411c94092 |
| SHA1 | 49788cd5127eaaacd5f6d660719110efa34080e0 |
| SHA256 | 9f3485656a401644e723fe66c124b38ca894002dd30fc5e1942c1226d103eb9d |
| SHA512 | 3fe41478f5dfb4b7dfcc88e12ecb77c0234c51d78b37cadccd954a78d9e130d5eff4884fd638a023b87f7f25a9ec8698f01a30e87dadd99564f38d70aa1318f7 |
memory/2616-42-0x000000013F740000-0x000000013FA91000-memory.dmp
C:\Windows\system\uTratmg.exe
| MD5 | cc0a7903080ced857152f6406039106b |
| SHA1 | a47be9d302f01773f0504e018355786049383892 |
| SHA256 | ce8a56ed58d309eb813562e66748e9b2d7f4f67095d9e18c73181fe47ba0545b |
| SHA512 | dc60ee6bea323e8210937f8236e68ea5341c682e0d83b209b64b008027ddb689e14ea77f5b13e7381a360fa096d7e52365cb5e4fae96d8ca04c5411c05d3929b |
memory/2696-30-0x000000013F470000-0x000000013F7C1000-memory.dmp
memory/2812-29-0x0000000002220000-0x0000000002571000-memory.dmp
memory/2592-19-0x000000013F750000-0x000000013FAA1000-memory.dmp
memory/2148-149-0x000000013FE10000-0x0000000140161000-memory.dmp
memory/3032-146-0x000000013F900000-0x000000013FC51000-memory.dmp
memory/1048-150-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/2108-153-0x000000013F7A0000-0x000000013FAF1000-memory.dmp
memory/596-160-0x000000013F490000-0x000000013F7E1000-memory.dmp
memory/2812-161-0x000000013FE10000-0x0000000140161000-memory.dmp
memory/2172-159-0x000000013F620000-0x000000013F971000-memory.dmp
memory/1772-158-0x000000013F970000-0x000000013FCC1000-memory.dmp
memory/2512-157-0x000000013F9E0000-0x000000013FD31000-memory.dmp
memory/588-156-0x000000013F190000-0x000000013F4E1000-memory.dmp
memory/2828-155-0x000000013F960000-0x000000013FCB1000-memory.dmp
memory/2420-154-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2200-152-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/2424-151-0x000000013FCC0000-0x0000000140011000-memory.dmp
memory/2812-162-0x000000013F7B0000-0x000000013FB01000-memory.dmp
memory/2812-184-0x0000000002220000-0x0000000002571000-memory.dmp
memory/2812-190-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2968-212-0x000000013FCA0000-0x000000013FFF1000-memory.dmp
memory/2592-214-0x000000013F750000-0x000000013FAA1000-memory.dmp
memory/2768-216-0x000000013F430000-0x000000013F781000-memory.dmp
memory/2696-218-0x000000013F470000-0x000000013F7C1000-memory.dmp
memory/2616-220-0x000000013F740000-0x000000013FA91000-memory.dmp
memory/2124-237-0x000000013F830000-0x000000013FB81000-memory.dmp
memory/2148-241-0x000000013FE10000-0x0000000140161000-memory.dmp
memory/2008-235-0x000000013FE30000-0x0000000140181000-memory.dmp
memory/3032-243-0x000000013F900000-0x000000013FC51000-memory.dmp
memory/2420-250-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/1048-246-0x000000013FEC0000-0x0000000140211000-memory.dmp
memory/2424-244-0x000000013FCC0000-0x0000000140011000-memory.dmp
memory/2564-238-0x000000013FBF0000-0x000000013FF41000-memory.dmp
memory/2200-248-0x000000013F6E0000-0x000000013FA31000-memory.dmp
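As an added example (not part of the sandbox report or of any tool it names), the following Python turns the dropped-file and memory-dump listing above into structured indicators a hunt can use: it rejects hash rows whose digest length does not match the algorithm, records the paths exactly as the report prints them (some with and some without the `C:` drive letter; treating the drive-less ones as `C:` is an assumption of mine, not something the report states), and computes the size of every dumped region from its start and end address. Run over the listing it shows that every region spans 0x351000 bytes while the dropped files all carry different hashes. The embedded sample is a constructed excerpt copied from the listing.

```python
"""Parse a flattened sandbox dropped-file / memory-dump listing into IOCs."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: lines copied from the report listing above.
SAMPLE = r"""
\Windows\system\FaDnZtl.exe
| MD5 | 30b60055e4e8a7587cea7d0939b1ed5e |
| SHA1 | 327cf40adbe02277144fa8288d682cc7c0131ded |
| SHA256 | 49655565b2362067a7c476d2de545fa81381c63c9e95b7bc955e10bc382cc2df |
C:\Windows\system\ZJnPGXE.exe
| MD5 | 263c7d6bb50ed6e560be9f4ce85f102d |
| SHA256 | ed9ff1442499407b0353983963754e96aa3fd216cdf4a1a2e91589c0a466549e |
memory/2420-105-0x000000013FD40000-0x0000000140091000-memory.dmp
memory/2812-95-0x0000000002220000-0x0000000002571000-memory.dmp
memory/2420-154-0x000000013FD40000-0x0000000140091000-memory.dmp
""".strip()

# Expected hex-digest length per algorithm; a truncated digest is a useless IOC.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# memory/<pid>-<index>-<start>-<end>-memory.dmp, as named in the report.
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9a-fA-F]+)-0x([0-9a-fA-F]+)-memory\.dmp$")


@dataclass
class DroppedFile:
    path: str      # path exactly as the report prints it
    hashes: dict   # algorithm -> lowercase hex digest


@dataclass
class MemoryRegion:
    pid: int
    index: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_report(text):
    """Return (files, regions). Raises ValueError on malformed hash rows."""
    files, regions, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            regions.append(MemoryRegion(int(pid), int(idx), int(start, 16), int(end, 16)))
            current = None
            continue
        m = ROW_RE.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                raise ValueError(f"hash row without a preceding path: {line}")
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"{algo} digest of length {len(digest)} for {current.path}")
            current.hashes[algo] = digest
            continue
        if line.startswith("|"):
            continue  # other table rows are not indicators
        current = DroppedFile(path=line, hashes={})  # any other line is a path
        files.append(current)
    return files, regions


def is_valid_listing(text) -> bool:
    try:
        parse_report(text)
        return True
    except ValueError:
        return False


def normalized_paths(files):
    """Case-folded paths; assumes (my assumption) drive-less paths live on C:."""
    out = set()
    for f in files:
        p = f.path
        if p.startswith("\\"):
            p = "C:" + p
        out.add(p.lower())
    return out


def sha256_set(files):
    return {f.hashes["SHA256"] for f in files if "SHA256" in f.hashes}


def regions_by_pid(regions):
    by_pid = defaultdict(list)
    for r in regions:
        by_pid[r.pid].append(r)
    return dict(by_pid)


def region_sizes(regions):
    """Distinct region sizes; one value means every dump is the same size."""
    return {r.size for r in regions}


if __name__ == "__main__":
    files, regions = parse_report(SAMPLE)
    print(sorted(normalized_paths(files)))
    print(sorted(sha256_set(files)))
    print({pid: len(rs) for pid, rs in regions_by_pid(regions).items()})
    print([hex(s) for s in region_sizes(regions)])
```

Feeding the full listing above to `parse_report` gives one distinct region size, 0x351000, across every PID, and a SHA256 set with no duplicates; the single size across processes is the kind of consistency worth checking before treating each dropped file as a separate payload rather than one image dropped under many names.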