Analysis Overview
SHA256
7682d382c2a8bd112c73a6b7658e16222c7f454ac17e66f88ab6740b92ab7baf
Threat Level: Known bad
The file 2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
xmrig
XMRig Miner payload
Cobaltstrike family
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike
XMRig Miner payload
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-13 11:55
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 11:55
Reported
2024-08-13 11:57
Platform
win7-20240704-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\LGytLeV.exe | N/A |
| N/A | N/A | C:\Windows\System\KXdgDRz.exe | N/A |
| N/A | N/A | C:\Windows\System\hMURsjR.exe | N/A |
| N/A | N/A | C:\Windows\System\CSoUsRN.exe | N/A |
| N/A | N/A | C:\Windows\System\sADGxsH.exe | N/A |
| N/A | N/A | C:\Windows\System\FmuHxtZ.exe | N/A |
| N/A | N/A | C:\Windows\System\yOQqNZw.exe | N/A |
| N/A | N/A | C:\Windows\System\PcIdIhp.exe | N/A |
| N/A | N/A | C:\Windows\System\LxaYmeZ.exe | N/A |
| N/A | N/A | C:\Windows\System\fEDhpBe.exe | N/A |
| N/A | N/A | C:\Windows\System\fFaXdPS.exe | N/A |
| N/A | N/A | C:\Windows\System\JmgVCIv.exe | N/A |
| N/A | N/A | C:\Windows\System\YtTcvuA.exe | N/A |
| N/A | N/A | C:\Windows\System\LQxAHjp.exe | N/A |
| N/A | N/A | C:\Windows\System\JdFjhDA.exe | N/A |
| N/A | N/A | C:\Windows\System\RJSWJwb.exe | N/A |
| N/A | N/A | C:\Windows\System\iEotxIi.exe | N/A |
| N/A | N/A | C:\Windows\System\llwSedC.exe | N/A |
| N/A | N/A | C:\Windows\System\hVXQnqR.exe | N/A |
| N/A | N/A | C:\Windows\System\GwwQulG.exe | N/A |
| N/A | N/A | C:\Windows\System\XTikjmu.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\LGytLeV.exe
C:\Windows\System\LGytLeV.exe
C:\Windows\System\KXdgDRz.exe
C:\Windows\System\KXdgDRz.exe
C:\Windows\System\hMURsjR.exe
C:\Windows\System\hMURsjR.exe
C:\Windows\System\CSoUsRN.exe
C:\Windows\System\CSoUsRN.exe
C:\Windows\System\yOQqNZw.exe
C:\Windows\System\yOQqNZw.exe
C:\Windows\System\sADGxsH.exe
C:\Windows\System\sADGxsH.exe
C:\Windows\System\fFaXdPS.exe
C:\Windows\System\fFaXdPS.exe
C:\Windows\System\FmuHxtZ.exe
C:\Windows\System\FmuHxtZ.exe
C:\Windows\System\JmgVCIv.exe
C:\Windows\System\JmgVCIv.exe
C:\Windows\System\PcIdIhp.exe
C:\Windows\System\PcIdIhp.exe
C:\Windows\System\YtTcvuA.exe
C:\Windows\System\YtTcvuA.exe
C:\Windows\System\LxaYmeZ.exe
C:\Windows\System\LxaYmeZ.exe
C:\Windows\System\LQxAHjp.exe
C:\Windows\System\LQxAHjp.exe
C:\Windows\System\fEDhpBe.exe
C:\Windows\System\fEDhpBe.exe
C:\Windows\System\JdFjhDA.exe
C:\Windows\System\JdFjhDA.exe
C:\Windows\System\RJSWJwb.exe
C:\Windows\System\RJSWJwb.exe
C:\Windows\System\llwSedC.exe
C:\Windows\System\llwSedC.exe
C:\Windows\System\iEotxIi.exe
C:\Windows\System\iEotxIi.exe
C:\Windows\System\hVXQnqR.exe
C:\Windows\System\hVXQnqR.exe
C:\Windows\System\GwwQulG.exe
C:\Windows\System\GwwQulG.exe
C:\Windows\System\XTikjmu.exe
C:\Windows\System\XTikjmu.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1968-0-0x000000013FA30000-0x000000013FD81000-memory.dmp
memory/1968-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\LGytLeV.exe
| MD5 | 02934d2af270ffd28f8b88d1fd06d0ea |
| SHA1 | 359fc2b56e34b6934e709901019e5e67ab6dd5b7 |
| SHA256 | 4af56679706f37d4396c12f084444650b400c70bc0d97bfdefafe8dc65928281 |
| SHA512 | 8fd8fa4dfc919f4aaeae848ad7cb2ca0dba920c24af65be4c90531456c1dd37d333b34f20f0d314e25050b26fdfe1588338893cf1ad374a9db184feda6f23e72 |
memory/1968-6-0x000000013F0B0000-0x000000013F401000-memory.dmp
\Windows\system\CSoUsRN.exe
| MD5 | 20dfc2403ffe5f7fe1e8123d7a0a8f8d |
| SHA1 | 7075ad7fcb7cf155e4b1891410d801eb9af970a2 |
| SHA256 | 72dfbee0db1d9b064a743764203e2159073ea4563da68070ea1d25990c3b1973 |
| SHA512 | 0957eeaa7ba3f01f99fe3f38b0fbcded79a02a4ea8905ead8daf095842dfa884563a3b1a92b8450c6addf17dbfb8cc34e70c3fc82c2fe12e476ce038588aaa85 |
\Windows\system\yOQqNZw.exe
| MD5 | 8ebe511d08488c4bd5f43c9b26247009 |
| SHA1 | 028583736a8760d4f9066da7ba56564204884269 |
| SHA256 | 185c0e9309e2a3337b117e3f635ce3be476ea808ca4ea1e1d5d2f1b2fd27ce08 |
| SHA512 | 5ca8b783e25f6c154622818e613b63438e036ec73ccdc59ca02bc5ec6baa259d36689256263468ad51824e91697963522162ba903435b0c8f1c5dcdaee8ea20b |
memory/2736-38-0x000000013F840000-0x000000013FB91000-memory.dmp
C:\Windows\system\LxaYmeZ.exe
| MD5 | b1c17becd1dbab04a3023f69c749652a |
| SHA1 | 27d90a75fb54e4880e9c446445dfe81be10fb10e |
| SHA256 | a11bcf02d9f5a5b947f261258c6929bd41b38accfab7aa2ea680ee5e29586068 |
| SHA512 | bebbee2b005fd3ce963cb6551833fdc5d4b97a45907d260fb138d0f3bbaff95ad1c307d963a404df9a1b79215c99265f9aa4ac927d3046a3469300967bd52c2c |
\Windows\system\fFaXdPS.exe
| MD5 | c067c3660032bd43f88e83b8a921ace7 |
| SHA1 | 35db09bc128319123c70a23b269cd2f325a677c3 |
| SHA256 | b5d68491c96c57058466826ba0a3ccb91e79eec0d19da29ec444a85ef2c8ac04 |
| SHA512 | 5a84725431984da0ca0b456c96cddb09fff48ff67976147fef3cc88bca1a5bbfbd80ffbcffdfe8400c244680e7fdabd92bb0001c68fc8e09e8e5dcbc2fd8f8fe |
C:\Windows\system\fEDhpBe.exe
| MD5 | 98b863fe92457c790f50fa270a4b8ee6 |
| SHA1 | 158117c31e10d25859078215c9e96422d099bb3e |
| SHA256 | 1e24cdba875120127f652e4d0106e875840c20b5da7780ddf6ad69fb0246d002 |
| SHA512 | ed50fe40fc5c53c5ea3c0b8418bc31de377f8cec2d627cbbcdade22eeca987f2cd2ffadf266621f798423b8576225836c6771cf75b08afa6e5cb40099f414031 |
memory/1968-83-0x0000000002180000-0x00000000024D1000-memory.dmp
memory/2624-82-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/1968-79-0x000000013F5F0000-0x000000013F941000-memory.dmp
C:\Windows\system\FmuHxtZ.exe
| MD5 | efd00603dc36609eb90828fa465a5afb |
| SHA1 | 3a8683395774a9d211d011735e5a5ebe598e8d8b |
| SHA256 | d78e60ad2b1b7f2ed53ce32406f583043b0b9a0e2fd1ca7b985e9cf987927be0 |
| SHA512 | 6cfa19b853ae15536e227da3be0e56c4ce9adb1d5c1ee6fcb6b566939303dba440c06e5e98c7f8e5095833b3199824930b2208607a6ace6a159db15d16b604f0 |
memory/1228-96-0x000000013FAF0000-0x000000013FE41000-memory.dmp
C:\Windows\system\LQxAHjp.exe
| MD5 | 3e99e829806316df677524f6f2cb1c2f |
| SHA1 | 1a4fa92e80ac8735d885599ceb8fd8f200e0cdca |
| SHA256 | 5f9ce6324bd95d58ba15f38364e9b288d5a36f2036a2da8732bec1dc7637e3f5 |
| SHA512 | 545fcbc9cf05af7d22e16935b676e9b4dc4624adb5f94e4317472be2eee86f67ea3f74923459d9250468bd44918801c92d2ae5f7c47cbdd275b284fccbb68beb |
memory/2688-94-0x000000013FCE0000-0x0000000140031000-memory.dmp
C:\Windows\system\YtTcvuA.exe
| MD5 | c20626b1a915d3ad3ac725d7ed1cd205 |
| SHA1 | ac2ee15b6a82486952aabadb197522aa8526e703 |
| SHA256 | 3d76e289e69ee6242590aba78e251990ce53a66aeea831da1b89f9ef9268a61d |
| SHA512 | 815456445e3b85857c59f20fd9b1993580043b0062e8cc78fd1b40e0317c9289752a2602ebf520ad8aa6408c7f0db56ee65d03c55cace0bc062c301ab4cb88e7 |
memory/2664-91-0x000000013FE60000-0x00000001401B1000-memory.dmp
C:\Windows\system\JmgVCIv.exe
| MD5 | 049d85702ddb746a35799c911da70d9d |
| SHA1 | 8bf8d381a54b077153987e357c082c3d75eeb9e1 |
| SHA256 | 4219696a6752f4ad3413ed213e6114cb5dc741a9d6e4420dd4e869170db3fac4 |
| SHA512 | f6d20e71dc61bbad45ccfc3f62ab6e83f4a3b8808817a0c263a78bb351e912cca2395e88f4875c92796b377fdd9ffb3d3ba58701d34ebc4f466717c1deb27420 |
memory/1968-88-0x0000000002180000-0x00000000024D1000-memory.dmp
\Windows\system\JdFjhDA.exe
| MD5 | 46f7bf0ff5da9577006a1d11fbf4644b |
| SHA1 | 8445fd824b8fa4ba01732553b9baa62548cb79e3 |
| SHA256 | a6c9ae09752e266a0076e34a42f6cd52053e1fe8e6e2053f489f36512349a02e |
| SHA512 | 8d143dd05bdd1533b064e1f201d62c216bd0e0301ba8082480b9ee32a569e0ca29299cfc1899dee6a305b675f7b2663009792896337949fad47356ce16c6a2ec |
memory/2964-86-0x000000013F060000-0x000000013F3B1000-memory.dmp
memory/2120-85-0x000000013FA10000-0x000000013FD61000-memory.dmp
memory/1968-84-0x0000000002180000-0x00000000024D1000-memory.dmp
memory/1968-70-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/2772-54-0x000000013F3B0000-0x000000013F701000-memory.dmp
C:\Windows\system\sADGxsH.exe
| MD5 | c20f5c028076bdc065142eeb5d8862aa |
| SHA1 | 9b9ecf8d14c0b048a73dc17e8aedf434ef796c80 |
| SHA256 | bddce79b201d387637c15e1ce43c7c75db4e97c56b21c31b087567a181ed639f |
| SHA512 | 765120eb464b81e1999eb8b25ea65341176859f8c48c2f26810ea457a1e52f610f34228ce28b865fae85beba443830c5c4b6de7d3accdef6e6202ea83095ca98 |
memory/1968-35-0x0000000002180000-0x00000000024D1000-memory.dmp
memory/1968-78-0x000000013FE60000-0x00000001401B1000-memory.dmp
memory/1968-76-0x0000000002180000-0x00000000024D1000-memory.dmp
memory/1968-73-0x000000013F3B0000-0x000000013F701000-memory.dmp
memory/2824-67-0x000000013F4A0000-0x000000013F7F1000-memory.dmp
memory/2896-25-0x000000013F520000-0x000000013F871000-memory.dmp
memory/3068-66-0x000000013FD00000-0x0000000140051000-memory.dmp
memory/1968-65-0x0000000002180000-0x00000000024D1000-memory.dmp
memory/2616-62-0x000000013F5F0000-0x000000013F941000-memory.dmp
C:\Windows\system\PcIdIhp.exe
| MD5 | 8d88d7b07f2b3a5c3e8414c1ab6a713d |
| SHA1 | 12c3629a0643fc0cb57aea7bef2999fc21b9139e |
| SHA256 | 9259205d84b46b078358bf643401046a15c0f9dde8f9fb615ab1d92332a79249 |
| SHA512 | 5a9c6da4a15314ee2c05cdf6206c0c8326731904e42949b39009452f6e2270e1fcb43f08c49223b96e2abd1104203dc461c713aae45d16a7f9ba981120adde84 |
memory/2748-58-0x000000013FC20000-0x000000013FF71000-memory.dmp
memory/1968-98-0x000000013FA30000-0x000000013FD81000-memory.dmp
memory/1968-18-0x000000013F4A0000-0x000000013F7F1000-memory.dmp
C:\Windows\system\hMURsjR.exe
| MD5 | 882c63efaf95ca4f6be1a5fc10700ab4 |
| SHA1 | e2bd5282a9e747ef518d14887636fd276f466e43 |
| SHA256 | 80a2efce25a34457eac79c7d64cfb73a0467be32813cb7470ca01bb8186ac1ac |
| SHA512 | 04bf54f7f5c0c2190935a6f835a6e778668a06c26f3a2a598a2b0884f47fdd4a5002d59db3929c8b4d533d38e7a4e80ce197d77626b263b157952b978f845230 |
C:\Windows\system\KXdgDRz.exe
| MD5 | 563c55cba0376deb462f7c873ec79ba9 |
| SHA1 | 84a2a2a1bc3ef5ecdc4d454b8c0ecaf7bf55b942 |
| SHA256 | 559573e20150619076ace539c86da9b230a17bf78945fa7d508b73ad2e13aff6 |
| SHA512 | 337d42338aa39a79084e266b77daf02d4a92249eb2f80d4b1805678bd09db2b610d7e8a4747d398283dfec751a177269535728763437e5e8dff9605a445947ac |
memory/2896-99-0x000000013F520000-0x000000013F871000-memory.dmp
\Windows\system\iEotxIi.exe
| MD5 | 21d8c87d83e1a653c0c94b2434b522de |
| SHA1 | b2b7a5044d237905a13c69cc04fae929b1a79b84 |
| SHA256 | 4de9e1d44b425dd67e0ecc58a0fade26d260d217e68cac9a6c23215acd94b4dd |
| SHA512 | fd88675cc0f23fbb0d143d85e3e4950b831cdb9e600fabd8ab9991165bb5b5c2ae169db5dd866978a2aafd964d4816f4d237ce7b2fbdb1afb529fb25556d33e3 |
C:\Windows\system\GwwQulG.exe
| MD5 | 455436a85947a66a5f7ef66bbc570d67 |
| SHA1 | 084a4b3b26e03da61c4acab46187ef028d60430d |
| SHA256 | 074ac376199bcc0cff2074da7798bb2c17524a219dc18752128bea9d269d64f8 |
| SHA512 | 63f5ff8fad567e08e4666731bc21702265d5f35d965e55ceeda3ef36dac9e75156eb018a73845aa1a6e3beda6655f6fc046ec6adf89b7568c474879f6a4dbcf4 |
C:\Windows\system\hVXQnqR.exe
| MD5 | 9032e2784273d4a81d1ac429d754e0ca |
| SHA1 | 58bf0e67f9cddc7d5169014abd6e2805eaa93ea3 |
| SHA256 | 3375be35685c5b14c0c57067ca27c665a9baceba416ee4c1ac4a421dd2d517d4 |
| SHA512 | c5fc3e019bb1435aaf53e1207ea228fb5331031866b44bc0b12f47d2a880c53917e4a511daa5731755aaee82762e73d8ce4f22024e7cc5b5b357a5293d008f5c |
\Windows\system\llwSedC.exe
| MD5 | cf84e9a2392a391da6478752da4ba42c |
| SHA1 | c497922988774e038d1d465b891018984d24262c |
| SHA256 | 7cebd7a6ce091a4e67e7158ea27edd49d761192982c548b3425f7db623f77257 |
| SHA512 | 36dc68310daaa87d076202fe4ae39c9eb8e80dfdf7475816173cb880ce6097c98cf05490f22e91c475940cfd782c199ef47c3c82215683b496fab2f1f8f6da7d |
C:\Windows\system\RJSWJwb.exe
| MD5 | e4124fded732031a7a316d7337d22b7e |
| SHA1 | dd63d12d47029e4ed2261b1f79c9f16b78aac39b |
| SHA256 | 8e79f664c1cbfc9211b3408ee6009383999e545c7bd437a1f4f5da3a184d397e |
| SHA512 | fb231f367d1b915495a55c7674186e0e606d76e81e09c366f9aac366e20de201c1ca47769971d63b7db6a821f12738a69493e5855f87554bd588f197dcc79846 |
C:\Windows\system\XTikjmu.exe
| MD5 | fb8d4cd2022143d049b6fe1247981ff9 |
| SHA1 | d4cdb874b6779db585fc15b844c8c343204d9346 |
| SHA256 | bd1f8b13a3836ba248406a2dffb5f258bc407cbaf8ea614d039e609bd4a8f200 |
| SHA512 | a03e64abbe6f72e7255b2267f28c8d4614337fa6b93215114a37fe9bcf01b7d758d83c7288990a161c743990fc88567496bc601e07de857f6350e5db05cfa708 |
memory/2336-134-0x000000013F0B0000-0x000000013F401000-memory.dmp
memory/2772-135-0x000000013F3B0000-0x000000013F701000-memory.dmp
memory/1968-136-0x000000013FA30000-0x000000013FD81000-memory.dmp
memory/2664-145-0x000000013FE60000-0x00000001401B1000-memory.dmp
memory/2964-143-0x000000013F060000-0x000000013F3B1000-memory.dmp
memory/1228-149-0x000000013FAF0000-0x000000013FE41000-memory.dmp
memory/1968-151-0x0000000002180000-0x00000000024D1000-memory.dmp
memory/2076-152-0x000000013F720000-0x000000013FA71000-memory.dmp
memory/2920-155-0x000000013F280000-0x000000013F5D1000-memory.dmp
memory/1292-158-0x000000013F870000-0x000000013FBC1000-memory.dmp
memory/1720-157-0x000000013FAD0000-0x000000013FE21000-memory.dmp
memory/2800-156-0x000000013FD90000-0x00000001400E1000-memory.dmp
memory/1484-154-0x000000013F650000-0x000000013F9A1000-memory.dmp
memory/2160-153-0x000000013F0F0000-0x000000013F441000-memory.dmp
memory/1968-159-0x000000013FA30000-0x000000013FD81000-memory.dmp
memory/2336-204-0x000000013F0B0000-0x000000013F401000-memory.dmp
memory/2824-206-0x000000013F4A0000-0x000000013F7F1000-memory.dmp
memory/2896-208-0x000000013F520000-0x000000013F871000-memory.dmp
memory/2736-210-0x000000013F840000-0x000000013FB91000-memory.dmp
memory/2772-226-0x000000013F3B0000-0x000000013F701000-memory.dmp
memory/2748-219-0x000000013FC20000-0x000000013FF71000-memory.dmp
memory/2624-230-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/2616-232-0x000000013F5F0000-0x000000013F941000-memory.dmp
memory/3068-228-0x000000013FD00000-0x0000000140051000-memory.dmp
memory/2120-234-0x000000013FA10000-0x000000013FD61000-memory.dmp
memory/2964-236-0x000000013F060000-0x000000013F3B1000-memory.dmp
memory/2688-238-0x000000013FCE0000-0x0000000140031000-memory.dmp
memory/1228-240-0x000000013FAF0000-0x000000013FE41000-memory.dmp
memory/2664-242-0x000000013FE60000-0x00000001401B1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 11:55
Reported
2024-08-13 11:57
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\OjaYdFO.exe | N/A |
| N/A | N/A | C:\Windows\System\fGXgFAo.exe | N/A |
| N/A | N/A | C:\Windows\System\IDDwBuU.exe | N/A |
| N/A | N/A | C:\Windows\System\kSRnNBG.exe | N/A |
| N/A | N/A | C:\Windows\System\OxNljGq.exe | N/A |
| N/A | N/A | C:\Windows\System\uShuLZb.exe | N/A |
| N/A | N/A | C:\Windows\System\pqXHVFb.exe | N/A |
| N/A | N/A | C:\Windows\System\YufDuvu.exe | N/A |
| N/A | N/A | C:\Windows\System\LXYliax.exe | N/A |
| N/A | N/A | C:\Windows\System\bDZlRlS.exe | N/A |
| N/A | N/A | C:\Windows\System\CFzAihv.exe | N/A |
| N/A | N/A | C:\Windows\System\LPWPaMQ.exe | N/A |
| N/A | N/A | C:\Windows\System\SYOMjob.exe | N/A |
| N/A | N/A | C:\Windows\System\HJJMvgB.exe | N/A |
| N/A | N/A | C:\Windows\System\IJpgkRc.exe | N/A |
| N/A | N/A | C:\Windows\System\apyaQgd.exe | N/A |
| N/A | N/A | C:\Windows\System\CmCJAyh.exe | N/A |
| N/A | N/A | C:\Windows\System\fATtFhn.exe | N/A |
| N/A | N/A | C:\Windows\System\SCPceJq.exe | N/A |
| N/A | N/A | C:\Windows\System\VgeuqhL.exe | N/A |
| N/A | N/A | C:\Windows\System\iMqHrxL.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-13_9f0d95948120c1764f676a431dc5fdea_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\OjaYdFO.exe
C:\Windows\System\OjaYdFO.exe
C:\Windows\System\fGXgFAo.exe
C:\Windows\System\fGXgFAo.exe
C:\Windows\System\IDDwBuU.exe
C:\Windows\System\IDDwBuU.exe
C:\Windows\System\kSRnNBG.exe
C:\Windows\System\kSRnNBG.exe
C:\Windows\System\OxNljGq.exe
C:\Windows\System\OxNljGq.exe
C:\Windows\System\uShuLZb.exe
C:\Windows\System\uShuLZb.exe
C:\Windows\System\pqXHVFb.exe
C:\Windows\System\pqXHVFb.exe
C:\Windows\System\YufDuvu.exe
C:\Windows\System\YufDuvu.exe
C:\Windows\System\LXYliax.exe
C:\Windows\System\LXYliax.exe
C:\Windows\System\bDZlRlS.exe
C:\Windows\System\bDZlRlS.exe
C:\Windows\System\CFzAihv.exe
C:\Windows\System\CFzAihv.exe
C:\Windows\System\LPWPaMQ.exe
C:\Windows\System\LPWPaMQ.exe
C:\Windows\System\SYOMjob.exe
C:\Windows\System\SYOMjob.exe
C:\Windows\System\HJJMvgB.exe
C:\Windows\System\HJJMvgB.exe
C:\Windows\System\IJpgkRc.exe
C:\Windows\System\IJpgkRc.exe
C:\Windows\System\apyaQgd.exe
C:\Windows\System\apyaQgd.exe
C:\Windows\System\CmCJAyh.exe
C:\Windows\System\CmCJAyh.exe
C:\Windows\System\fATtFhn.exe
C:\Windows\System\fATtFhn.exe
C:\Windows\System\SCPceJq.exe
C:\Windows\System\SCPceJq.exe
C:\Windows\System\VgeuqhL.exe
C:\Windows\System\VgeuqhL.exe
C:\Windows\System\iMqHrxL.exe
C:\Windows\System\iMqHrxL.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1676-0-0x00007FF6F1F90000-0x00007FF6F22E1000-memory.dmp
memory/1676-1-0x0000029B87930000-0x0000029B87940000-memory.dmp
C:\Windows\System\OjaYdFO.exe
| MD5 | cdfe6b2e432d9c1a0bbf2f6a228f93f1 |
| SHA1 | f0d4a1b5ad0e9c773b4436ceefc6471294427c21 |
| SHA256 | ad612d41bd10df60463a9800787b34821bc78744787b1f6c24c10c2257bb7b82 |
| SHA512 | 9e903ba2b6e76dbfa684a8ffe8c7d1bca6957cc7422f31f19a6edb7fdeb5c6f8c2c052e14e92a54c67d4a9ae6e23326534052f7624dc319302f4b38d83e31389 |
memory/3808-7-0x00007FF69E100000-0x00007FF69E451000-memory.dmp
C:\Windows\System\IDDwBuU.exe
| MD5 | dbeaa316fedf1a4d60c5715aa5468d36 |
| SHA1 | ab72a88833166a1966068c3adf978d02f514c87f |
| SHA256 | baa2c6474fdb682a467018cef659ff4276dc8480d1426f873244118625fbf31b |
| SHA512 | 19e1497dd66f5bec196d45a3663ca8954999417f9e9cfdbe3fadb95f0f79b84dfdbd06ecc874b4b875eb34b3ba119f8f5fdbf4d159ac85e11c3590e6439c4d28 |
C:\Windows\System\fGXgFAo.exe
| MD5 | 8ef24090b7dd3ee81d1edd7d01b1f707 |
| SHA1 | 51db7492fe444834c05238172cdcdbfa4570157a |
| SHA256 | 53193870216154cf65b6f5cbd422ba2ebf0378703df340240e05504240ca6f6d |
| SHA512 | 42cd47a1f167a7b16c50f837046bc181bede5d3ff37a032f34a7ca4726a6487a1cdd5a793a8ee95fddb46a9e61f1f6ddb44624fa728af3742ee8d86818afd900 |
memory/4344-13-0x00007FF6AD1B0000-0x00007FF6AD501000-memory.dmp
memory/2760-20-0x00007FF78ED40000-0x00007FF78F091000-memory.dmp
C:\Windows\System\kSRnNBG.exe
| MD5 | f9ce7edc9e292f2e24233bb036eb39b2 |
| SHA1 | 8bd5dd086a7797e475392f2dafb7064b0295f57b |
| SHA256 | 2eba3902f4c1144d275ade8347a2ae96ca7dcdc5e96a78c56e6d132c8d06c5eb |
| SHA512 | 4f0ed1e17e1f1613f9af62dd7230d12c24df85b134151f421af87d021604bc8cd0b1e1be61109ae382ee897220bfa59a2c1686672e48d3e74842fd8f8ae4be51 |
memory/3096-26-0x00007FF721B90000-0x00007FF721EE1000-memory.dmp
C:\Windows\System\OxNljGq.exe
| MD5 | 3bdd69ba3ed76617ce3fe6faa3c0a34a |
| SHA1 | 4c5782abeddebfd298a693b614b0be2ab7346fa3 |
| SHA256 | 3966cde1d16da12f93c0d733f35ac5b93940929cc519929fb48be960896f35b3 |
| SHA512 | 60d2ad4ed82a4482d10e13c6e5379b90a69804ebadb29b844d698ffc2faa57a6924da403b06f0af689cde35a8a84e46e59776a7cb11d6c792c92016d7d4dcb9e |
C:\Windows\System\uShuLZb.exe
| MD5 | 625ff0a8d6dc96fce2592fa102807057 |
| SHA1 | cc04172b34b51e4bae1d9c04fa1ebdda01f9170f |
| SHA256 | d1b4d8924bf40b1f683c25caefeb077d01c5a82e05acc4c6db9d78d20120c824 |
| SHA512 | 73b1c001a1cc9dc020399be3c2d038508c79493a5b67c7e3aa0a10f45b6f9ebaff70f062a63aa6d5353ed8860d1c2b43fd713fe608f0ab1cbbb890b3189c3f73 |
memory/3376-32-0x00007FF708080000-0x00007FF7083D1000-memory.dmp
memory/4604-39-0x00007FF7C04E0000-0x00007FF7C0831000-memory.dmp
C:\Windows\System\pqXHVFb.exe
| MD5 | c637480e8f18a756cee4fbb30f45c854 |
| SHA1 | 6d50b2bf4a0ffdce3c17207cdeb0afc9b42167e3 |
| SHA256 | 0816340da5322867542a6fbbb297cee9cd45089e59604c72ec46224d8f59f3e8 |
| SHA512 | b8086e9911b7efec5cd43239ca0e789047cd4d4f7db395764edf50229597197cd0e3181bf84ce4bdfd96e4aef98585d7b47fa8b1603c825118659e06b41f0fa1 |
memory/1364-44-0x00007FF69EF50000-0x00007FF69F2A1000-memory.dmp
C:\Windows\System\YufDuvu.exe
| MD5 | a623d9488a52d7b47d2fdae82fe8bff0 |
| SHA1 | 79e0663fd7e812ce44b47b4b93d8db4021c6f35e |
| SHA256 | 35c0a5bca86fafdfc514fa7abd23c1475d1fb5b4e4951440ef0865884395284f |
| SHA512 | 45e016eda9b7424a66097eeddea17952eb7651e28203ca951aba5a655076ac91f463fb69424ac4591fa08a8ca02d226f7ec5bfd28fcf561955932b74f1121b2a |
C:\Windows\System\bDZlRlS.exe
| MD5 | 1447766fc7d10d8eff880eb16877e3b1 |
| SHA1 | 79a720bccaca25491d8dfe6951b28ff5c5a70724 |
| SHA256 | cd74f8ae16a5348d7ed6ec39e9ba2920130de07508cd70e471484efc19f8ec87 |
| SHA512 | b118a7368c1957e2d5f66b4033e88fa97320291c47ee0bca219ceb5e197a92d7916ee3d5074c8f163a36654c7c977c555db741fc8a85033db5d932531c2e9129 |
C:\Windows\System\CFzAihv.exe
| MD5 | e711f619fdef3a5b41b147bb62a03f6f |
| SHA1 | caea1becbbe89e1a75a51dfb110c84490c08fce6 |
| SHA256 | 3e4048bf815019c6a060863e3fbf8686a226d38d63c0e02618f07b68a32fbd91 |
| SHA512 | bcdd6d7ef3b2bc4660ebef4ef25082aa7958ba7f121ec7b7b598e78ed2571bca18bc3fbd96f1e1363e50e32d193e6ac4f69990ff6b9d49be7890f749b1f78a03 |
memory/556-73-0x00007FF76CDF0000-0x00007FF76D141000-memory.dmp
memory/4288-81-0x00007FF7AA2E0000-0x00007FF7AA631000-memory.dmp
memory/1676-86-0x00007FF6F1F90000-0x00007FF6F22E1000-memory.dmp
memory/5000-88-0x00007FF763FF0000-0x00007FF764341000-memory.dmp
memory/1976-98-0x00007FF695290000-0x00007FF6955E1000-memory.dmp
memory/4996-104-0x00007FF6E1C80000-0x00007FF6E1FD1000-memory.dmp
C:\Windows\System\CmCJAyh.exe
| MD5 | 38e183b70f4ca53783f108bd10575882 |
| SHA1 | a3d2cbad784cd65995b056bea59a47aff46a4508 |
| SHA256 | de01ed5a6e110e399fe27792efe306b14c3d16908390431c91c5e4eb8ff65d7b |
| SHA512 | 96c72b8e02ed73e36e05b83e69a3231f35a10c81326d817fe0c4ae859a006329bea102ff4f3bf1faa575ddbbca2e6c55ab666c287d16282008afec0bbadc84c1 |
C:\Windows\System\fATtFhn.exe
| MD5 | eb789def46ba84fbcb2132d0eac53d9d |
| SHA1 | 0bcfbc7bef7e03ae3deed1b2f433c00c2a335894 |
| SHA256 | 878ec7117a1108558a240a54b471d5186ead4058d938cd469cd1d8cbdbacc1ca |
| SHA512 | b989d475f50f81ac06b0d7c1de5b52311965fae8c89159d8ed611ddfaca1b99e866f3094f37c5127e720ad22fc04bfd8e248a61b1f5e180f3ebd0cd6cfedfdb1 |
C:\Windows\System\apyaQgd.exe
| MD5 | 5444f528cc3772f42c0999b193e80476 |
| SHA1 | 5fa24719b780f93ec1cf8cb12b2fe0dde4d8d099 |
| SHA256 | aaaabe86c259e73d1be4959fe7a0c258c2d6e4d449f7607481d4dc5d2c1365ee |
| SHA512 | 241ea84c23c60273021f8f94405ac93871d7292326debcb2d1ad03069f840e5a9899e108ff8b24c37ed070b150f4f21dcd073d583886c12119e782c99741ef23 |
C:\Windows\System\HJJMvgB.exe
| MD5 | dc0c2bd443900be383c1975e9e976981 |
| SHA1 | a9e703cd5191f7125649158f2682210a56dc799b |
| SHA256 | 75d306861ac387f94fe9f5154cf12ba03d437de417b953365304cc4ec7c48446 |
| SHA512 | bb6dab9a3f706abc10347d95880c63beda4cfddaa04cd1444fe1ea66d1cb64020093888fe6f84584d4fdb5fd05ec7cae38be41cbb87f7de0e58f3de54d1c3585 |
C:\Windows\System\IJpgkRc.exe
| MD5 | 661644c8dc853161f43a45e341c1eee0 |
| SHA1 | dabfa52d8e19ce3ddb28753deaa9541e9320e93a |
| SHA256 | 18573e901f30715e04b6e661eb069f979ba3f4c550edd7bb852d2ae858df2a79 |
| SHA512 | 9991f92bf8ce0aa4471e31bd7ed7a6ee14aebea0d0188276a688c09442a268c02cc15a27eac88a5dd1e372d83450e4164681528281085ed7fbaf5e1d3e32f8bf |
C:\Windows\System\SYOMjob.exe
| MD5 | 27c567f6df177c657c6a6d03c4a95a93 |
| SHA1 | cba585a8ce8050050d86bfbe8b8100641e52f510 |
| SHA256 | a9418c10a642be62a764f4e1241f9154900371ea63985fb6769704b3bd41823f |
| SHA512 | 723a65fb5f4f2052cca5e38ebdb8969b09f88cde8ee6451b3d6be770f280819a0fe47c5d72b379e822d20124523c82e136b718afe95908f5a12ebb4529a7fb10 |
C:\Windows\System\LPWPaMQ.exe
| MD5 | 1dfb0d6a38c11af8d9f297888c879754 |
| SHA1 | 2822709815f0d8e05b60b0be925d758e89441037 |
| SHA256 | 52820669d3902c47e1d5145c896f3ba78da5a6662d4e3c1700309371cc1ebf70 |
| SHA512 | 6879877200f0079153f8e8de2bcc903d2e760d4177cca5fee63874d39341539f348e684e226957cc0424c41ac13c1ce0a649a2bf3132e6f6eb13146a43b9dd15 |
C:\Windows\System\LXYliax.exe
| MD5 | 96a16ec19975ad26faada47325ca96f8 |
| SHA1 | 6e8eb600f4acde53a1a30b445d71126c99a83807 |
| SHA256 | 5f9d12e7195dbcbb9427f5abb2cf5d4dde025aedc657035616f6481066fab1b7 |
| SHA512 | 1ed0bf590549b8cf3a6d35aad26cd1fe3a0ef35a1d5e5b94eb2a17bea92de9d3d3bf53134f2931bcd3a70f3ab36da0934bf84574f0d149b79a7091b4e8e559a7 |
C:\Windows\System\SCPceJq.exe
| MD5 | c3930d16bfdf353f0a1d9a321265c3c5 |
| SHA1 | c634cac81ed1ecff2bd65e8445ccf65dc1d0c128 |
| SHA256 | 9eead261b696e8a17dd47bf469ac7df053206980497b2a5b115041be4b894923 |
| SHA512 | f7bb4c99e8f5eab8c91837d0441a2f12fa35f001bddea8769dbf05d667347cf1c031ebfd506ef2a83d66978eddd2470c631f19d40b986dd77190db410399a1d4 |
C:\Windows\System\VgeuqhL.exe
| MD5 | 55879d4b2ac3beff988d62204dbd9a51 |
| SHA1 | 6824e4feded9dede7fde16cbb5a484117d737223 |
| SHA256 | a44369712c4df46291ae06d3f939ef16ad62b0e26fe61cbccb00d410f9724c0f |
| SHA512 | a70dc8b2de6ef436d9845c9e879161a31033cb0c5c75caa77ecf3af26e837181fb7690e374ea82e3f275f62e56ca5384f81c13fe6de9fece1fa9a9113232e608 |
C:\Windows\System\iMqHrxL.exe
| MD5 | c9eaa73046fdc804d553eed4e451c6ca |
| SHA1 | 768aac529ab6cd2350ffb3cf36752cbd99461950 |
| SHA256 | b90cab30e2959af10de5e3a68fb7f075114f2fbd31564a938c5b0f836f343e0d |
| SHA512 | 981df3e5f2ae01bad63c59b1b36a9f0f6718cd40b63f6650c50418b05c529af5339185a784cc27e8cb1e0698510227813d2e596acc288831bf440a5535269aed |