Analysis Overview
SHA256
93c462c41b65140147682b68160a5bed14f9ff9677c1907c94d8734eb20a9c74
Threat Level: Known bad
The file 2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
xmrig
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike
XMRig Miner payload
XMRig Miner payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-13 12:02
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 12:02
Reported
2024-08-13 12:05
Platform
win10v2004-20240802-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ILqAgJS.exe | N/A |
| N/A | N/A | C:\Windows\System\wKftVLp.exe | N/A |
| N/A | N/A | C:\Windows\System\lzKXKNC.exe | N/A |
| N/A | N/A | C:\Windows\System\mSsOWyN.exe | N/A |
| N/A | N/A | C:\Windows\System\UWpfJHg.exe | N/A |
| N/A | N/A | C:\Windows\System\yYtUiKW.exe | N/A |
| N/A | N/A | C:\Windows\System\djdKJYH.exe | N/A |
| N/A | N/A | C:\Windows\System\SuLgBuE.exe | N/A |
| N/A | N/A | C:\Windows\System\gESmabV.exe | N/A |
| N/A | N/A | C:\Windows\System\LhGXCAO.exe | N/A |
| N/A | N/A | C:\Windows\System\sgwAYiM.exe | N/A |
| N/A | N/A | C:\Windows\System\sODbcEy.exe | N/A |
| N/A | N/A | C:\Windows\System\rGQOsCx.exe | N/A |
| N/A | N/A | C:\Windows\System\YuzaDIo.exe | N/A |
| N/A | N/A | C:\Windows\System\TyldNye.exe | N/A |
| N/A | N/A | C:\Windows\System\uESQSRM.exe | N/A |
| N/A | N/A | C:\Windows\System\VtIwufQ.exe | N/A |
| N/A | N/A | C:\Windows\System\EfPJwBy.exe | N/A |
| N/A | N/A | C:\Windows\System\MJbwsGS.exe | N/A |
| N/A | N/A | C:\Windows\System\JlzRJbf.exe | N/A |
| N/A | N/A | C:\Windows\System\BqgSehE.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\ILqAgJS.exe
C:\Windows\System\ILqAgJS.exe
C:\Windows\System\wKftVLp.exe
C:\Windows\System\wKftVLp.exe
C:\Windows\System\lzKXKNC.exe
C:\Windows\System\lzKXKNC.exe
C:\Windows\System\UWpfJHg.exe
C:\Windows\System\UWpfJHg.exe
C:\Windows\System\mSsOWyN.exe
C:\Windows\System\mSsOWyN.exe
C:\Windows\System\yYtUiKW.exe
C:\Windows\System\yYtUiKW.exe
C:\Windows\System\djdKJYH.exe
C:\Windows\System\djdKJYH.exe
C:\Windows\System\SuLgBuE.exe
C:\Windows\System\SuLgBuE.exe
C:\Windows\System\gESmabV.exe
C:\Windows\System\gESmabV.exe
C:\Windows\System\LhGXCAO.exe
C:\Windows\System\LhGXCAO.exe
C:\Windows\System\sgwAYiM.exe
C:\Windows\System\sgwAYiM.exe
C:\Windows\System\rGQOsCx.exe
C:\Windows\System\rGQOsCx.exe
C:\Windows\System\sODbcEy.exe
C:\Windows\System\sODbcEy.exe
C:\Windows\System\YuzaDIo.exe
C:\Windows\System\YuzaDIo.exe
C:\Windows\System\TyldNye.exe
C:\Windows\System\TyldNye.exe
C:\Windows\System\uESQSRM.exe
C:\Windows\System\uESQSRM.exe
C:\Windows\System\VtIwufQ.exe
C:\Windows\System\VtIwufQ.exe
C:\Windows\System\EfPJwBy.exe
C:\Windows\System\EfPJwBy.exe
C:\Windows\System\MJbwsGS.exe
C:\Windows\System\MJbwsGS.exe
C:\Windows\System\JlzRJbf.exe
C:\Windows\System\JlzRJbf.exe
C:\Windows\System\BqgSehE.exe
C:\Windows\System\BqgSehE.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 52.111.227.13:443 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/3404-0-0x00007FF76B650000-0x00007FF76B9A1000-memory.dmp
memory/3404-1-0x000001DC688B0000-0x000001DC688C0000-memory.dmp
C:\Windows\System\ILqAgJS.exe
| MD5 | 93de91ede08cb2df8bcfc2c6f30ae560 |
| SHA1 | 0963910b27e06235495bc40bb524565670c983d5 |
| SHA256 | f46e43d8986750dd64837b130eccb4b6dd2e1179d83f69e2d8e0d3564d5e2fed |
| SHA512 | 0368a74483ae407e43f9aed0152ac63fb030e4ae521160e684a168b5748be25f7d6c7d7f46106059141792e2a13bc80b380ae3bd65814533f5b0bcfca59f2387 |
C:\Windows\System\wKftVLp.exe
| MD5 | 1ed7c6b4895d623ccc63b362a536004d |
| SHA1 | dffd6dca689626541cde8b0e243e24df85051478 |
| SHA256 | 1aa4c699f738ab29ddfcc09dbded2ae2fb99688955d2ae3d36b62bb08b84d465 |
| SHA512 | a81694ba4db9e80f1edec5fbb9c4d1113bc4e358c039fd57e6ca025ea4a7cbae62b07fada64e4ebe5613057ad07e2e459d4bde4b0dbeedf965ed7b60fce58d13 |
memory/468-8-0x00007FF63E380000-0x00007FF63E6D1000-memory.dmp
C:\Windows\System\lzKXKNC.exe
| MD5 | 46fb0017c6d844df79e29bc68e048477 |
| SHA1 | da59586feea49900b435477e3c7a44ba612393e7 |
| SHA256 | 17e78ee6a90007b9acab5490b825ff62985346cb1488e5eea71e10e8565e8ced |
| SHA512 | 73cbe14dcf02ec6658c12efd34b89c9627cadefdd064cd3a115a4fe5662f1037f2b197ceb36a585b8d9b0e63b46e2874a4ed3b5f8e7949d17c33235a2796bfea |
memory/3872-13-0x00007FF6FA8D0000-0x00007FF6FAC21000-memory.dmp
C:\Windows\System\UWpfJHg.exe
| MD5 | 52af2ddcb2d50cbfb9ccdebafcfea19e |
| SHA1 | 794ef3353dff058e76d923b2c534cc4df52db764 |
| SHA256 | 0bf063df19d971873b5de52049cb98b35c271208aa8d0bbcf48fefb2c289d94d |
| SHA512 | 0c4a6f2fe362485cd6880ba705616e1f173c4faa672b106de7aa3ab4dd05b588487eb9ca5a27d258370a468fe0bc6485c28664f4f39cd706da707b8fb9e933bb |
C:\Windows\System\mSsOWyN.exe
| MD5 | bfad4f7a0bc678c5fedb339de8f9cfa6 |
| SHA1 | ceed3e63a9819556c06ced86e662c65e2c8beed5 |
| SHA256 | 93be91679fe8b11e6f70480908dbdee5e963f66d3403a8c2d973e16dadb0f924 |
| SHA512 | fb733b5e4f8fd1ee3e62decba79373d08dc644e5b068b3a2f5901dda88719c04577be6d37b6119e8c3a4a4ed642bdfcd9c02eefe5066dd8c73852a2f25ae6b1b |
C:\Windows\System\yYtUiKW.exe
| MD5 | f6281fa62c14ddc27978c4e455fb3bc7 |
| SHA1 | 62565d651941cc4a5f726bedcd4326d23f872f40 |
| SHA256 | 0f19405f8214cd00eeb91a2dd7ae7bfcc3da27297abbef4c73a54090f79d0df1 |
| SHA512 | f2ebc4883ff628efc60c07fac1f0c617f5f7b29b76359ca4a00bc41e47be26b3acc613e10a24f38b90ebe66d533db932c1ee2446c4f6304112d9412097d4625b |
C:\Windows\System\djdKJYH.exe
| MD5 | ccef002f6ad31e44bc94ddc6f3814571 |
| SHA1 | ea3e720af992485d1ff09ac9735e60db8fe6ca11 |
| SHA256 | 44570e119c7b62fd830867bf129ad32d21ed31157d19bff830c1fec089aa1fd8 |
| SHA512 | 74d1b84831e5e9d64e9a6e66251863a6136654b1587e6aaada0f8565089d2a9bc44e0fec278ec1ec99f265e3f4d07eaf691871c66be25b115e60ad3ec7243148 |
C:\Windows\System\LhGXCAO.exe
| MD5 | 0f6f379ff51a316acf5b236a8fe4b76d |
| SHA1 | 8ac047477b1dec874145f6359e0ac25152b59355 |
| SHA256 | b169faa3205ccf046a53f6c9ef17805ae8e588f1b521b0b4a4b111d3a7c609d7 |
| SHA512 | 8362863a139d7f4806c167f7e7422f06918765bb55f2f76b1223cd5862f5d915f8b4dc045cf6bf28ffdaa4b83e1e09e456a1048dedde0b5703e905b84b22feae |
C:\Windows\System\gESmabV.exe
| MD5 | e335235826b8b147a413ad2523464fc2 |
| SHA1 | dfd12a777dee710676a4bfde1cfaff7dc91c0881 |
| SHA256 | b70cadb3f2df22e8196f56b5627cc13d58fefe1756c32bccc53c6c0e2c665f54 |
| SHA512 | 4242fb5c38e4b4677c19232098e3e35da5dbef78b88f2cc840c007035bd89fd09e726d97bb83e31715082dcd824e8a451376fb727f2ca2a704adf8f1a40f2a1e |
C:\Windows\System\sODbcEy.exe
| MD5 | 3edeb04ed7f33db749f37bff9a495767 |
| SHA1 | 59b05c054a1e2e2d0e7622fcf551e0dc3455a0e6 |
| SHA256 | fa545a18da686a981b13e3c03006684cc12c968f93aea4c0bccf3d9a116818ea |
| SHA512 | 6c93f12fcfd30939188b1caf5b275b080ab8f37de7ec978a28e551552a7a1100caa8523f1f5c065e19ac212c91a9b42273b49d8c71baa3619ef5c24f22da7e4b |
C:\Windows\System\rGQOsCx.exe
| MD5 | ef6209178f7fbeff4c5e765231e37653 |
| SHA1 | ce4f86a288af9f7fc141a73254bf035662d8dba4 |
| SHA256 | 525f76b36ff9c36d6f273ce86949c20d0c0d2256b4a530f9051846848c136014 |
| SHA512 | 90c67aacbe2bae7574471bf14bf6582749a9b17404f35071db95e9131846f96831dc3be6b4aae92c69c2525d35258dd0f39c1a017c3a61de3d39bccd4fed9b04 |
C:\Windows\System\TyldNye.exe
| MD5 | 4ed25f84cc8b0e3fa1a54d1e0a4712a9 |
| SHA1 | c34006adc41255a5a7ad9e7c4a2809f751057e31 |
| SHA256 | 69dc32a723d6d397f6ca73f8a4fc23dbd37a74e7aa3f6830e5d21bbbd5c3a76c |
| SHA512 | bad8ed3d31786311bb06a71ce685a1c0c23249d97f181aca119d26da6a1c887ef91f014041dc048699b52f5df02ebc0590d34141f69f2b3298e4e62575d803e6 |
C:\Windows\System\EfPJwBy.exe
| MD5 | 25d8df08c3993f5287f1e10423657f27 |
| SHA1 | 1297eb95ac5361a1f1a3956165ed585334de3ed3 |
| SHA256 | b5e0827e3bae58fe2565fba58dd7e630caf8310b3eec246a9e57ccbaaddf513f |
| SHA512 | 5aa08d3e788b5637254fe986348b92dacf4dab6f246fd9c0fff5c1ae6cb294315b3c9b22026d7d36929785781bba6bf9c0bdba9594953f2ef779b13d19b3a0d0 |
C:\Windows\System\BqgSehE.exe
| MD5 | c3c10b73828e24b8cd2a6a9ff44999e0 |
| SHA1 | f1936cb88a3c9703289189791332bf881cee2621 |
| SHA256 | cee96a127b5b8fade65fc3dee6cf5d5456fb103d3d03756f04c2bf4001b89a22 |
| SHA512 | 58f2997a08cb4d7b715cf6cbd9ed8120eb7a4f3e4e8265643e4585d35b360876495ca763474a3d737fd22af2b6ac7673130861c499ce28e3a8b9a59c14709b9c |
C:\Windows\System\JlzRJbf.exe
| MD5 | 23cc262e4193cf679284a68984397bfc |
| SHA1 | cfa3a925c26c86dd6f166033dae69d118703a6ec |
| SHA256 | 6f5e3cb1174cef0b99dc7a218b5373e01b5066996f14caf2a39e525f03095581 |
| SHA512 | db65ac05be1b6e143b0409c2e6b2ecee6f6a9738b7d69c332da53d5ea825a2533ae6d1e7bfc14c607f02ca07c0245d1a872161740b872631691728f9bcd6bf37 |
C:\Windows\System\MJbwsGS.exe
| MD5 | fc08050aba5938e14185dd12951c7f78 |
| SHA1 | ec7f118b7f7be6560c38a75d16fe737588c2018d |
| SHA256 | 47d47cf9e4aaef04422bfb580b599927d34c47ce7ccc4538ef243187eb58912f |
| SHA512 | ad432ac813419b358b61a6aaa4eb4642dff04fb188a712d156d4440e4c09c9e1301d8e20a5158cb069e092f895e3f8f9efcae11fcfeb82cb1757218b3505b4b3 |
memory/552-110-0x00007FF6D9880000-0x00007FF6D9BD1000-memory.dmp
memory/3716-107-0x00007FF7E3470000-0x00007FF7E37C1000-memory.dmp
C:\Windows\System\VtIwufQ.exe
| MD5 | 79edc490d7b98e694752b6981a7eeec0 |
| SHA1 | 4295b48d269fb3024093cdca660de07e1558fa1b |
| SHA256 | 44c0e13d92aa4eb62e762f70e3be2124b85513c28821e34956a37bf412b8b376 |
| SHA512 | 7c87c11097de1a6b57ba75c45e25e491c694796f9f19ee22240893bf1abc54218eb17f8599d8eb18ba427a5fc0114133dd23fd7bfb2f6a7d5a5ec176477aa02b |
memory/2708-104-0x00007FF62BCD0000-0x00007FF62C021000-memory.dmp
C:\Windows\System\uESQSRM.exe
| MD5 | 24b2034b04dac4929f4f4d5f96bf337e |
| SHA1 | 784e2777a72b031d3e11f880b50b92a0330db702 |
| SHA256 | d667dd3b3a4f256a34a2a74f22afeca19bea9b6e8085456e466e3aeb7e311daf |
| SHA512 | 4f499e1ac24e91d9c315236f97fd8b4c4df02a4003fdf779ec1c6cc94c12bdda843b414d1cf14a0ddd27ebea961337c3c025c198db4a6e0fc16dbe846f3034b7 |
memory/3476-98-0x00007FF70E7A0000-0x00007FF70EAF1000-memory.dmp
memory/2060-97-0x00007FF727540000-0x00007FF727891000-memory.dmp
C:\Windows\System\YuzaDIo.exe
| MD5 | 3b625106de90881a449a9b346b21c134 |
| SHA1 | 8a883f19c98e4b97d601c36569136e5915bf6e7c |
| SHA256 | cc62eeea44c3360b96c5add4771071dfd158e677affe1536e4dcd1321fbcf889 |
| SHA512 | f6d4bd5bd74af46bd9014fb3b32c97f340ddd4050422e8c757c3043918de1fc8cd7e4db83b2fc74f7ea76bf5f66b1588d76de6e31510a98919ff296459fa46fb |
memory/3608-86-0x00007FF74AF00000-0x00007FF74B251000-memory.dmp
memory/2728-78-0x00007FF6FAA40000-0x00007FF6FAD91000-memory.dmp
C:\Windows\System\sgwAYiM.exe
| MD5 | 313306a66202fb5b48e80c494523448f |
| SHA1 | 15f759bbbbc1a33eca172d29e966b3f821760ac5 |
| SHA256 | 3a477f71df4f1ff9c0de9f63be292cfec254f1c7b163ef2eb4d7dbb340398ed6 |
| SHA512 | 4da53277bbff21b03ed23fc6c47da0955d2c4a7c9a14caeeae64aff106deb2bc80f0ce2f1c0850bd4d99a86150a2071f4d8bb07ac706d32846a34285081f107e |
memory/652-70-0x00007FF7DB030000-0x00007FF7DB381000-memory.dmp
memory/1516-64-0x00007FF61D910000-0x00007FF61DC61000-memory.dmp
C:\Windows\System\SuLgBuE.exe
| MD5 | 3d155ec1ae53d788d37e9c4900dc55d7 |
| SHA1 | 141e447ccdc5c7e2eaddbbd658691ff7ad30e61b |
| SHA256 | c97c6215d4c2400ba71c9c82464900188c3471ab22c1cf45cc5d6b5204836c83 |
| SHA512 | 03b5aa47aca3512a4a1d52b4dcf64cad16aac949881c36013786da5d9a86f1239ae7206dadde7f53d54926d29c15a61b5bd0967e10fa1d935bbde7a7d1d715df |
memory/720-56-0x00007FF692260000-0x00007FF6925B1000-memory.dmp
memory/4696-47-0x00007FF787050000-0x00007FF7873A1000-memory.dmp
memory/1744-45-0x00007FF782D60000-0x00007FF7830B1000-memory.dmp
memory/100-40-0x00007FF709790000-0x00007FF709AE1000-memory.dmp
memory/3484-34-0x00007FF785840000-0x00007FF785B91000-memory.dmp
memory/1964-28-0x00007FF7454C0000-0x00007FF745811000-memory.dmp
memory/436-23-0x00007FF77E0B0000-0x00007FF77E401000-memory.dmp
memory/3404-125-0x00007FF76B650000-0x00007FF76B9A1000-memory.dmp
memory/2064-126-0x00007FF700190000-0x00007FF7004E1000-memory.dmp
memory/2104-127-0x00007FF689990000-0x00007FF689CE1000-memory.dmp
memory/388-128-0x00007FF7ABC80000-0x00007FF7ABFD1000-memory.dmp
memory/1964-133-0x00007FF7454C0000-0x00007FF745811000-memory.dmp
memory/1744-136-0x00007FF782D60000-0x00007FF7830B1000-memory.dmp
memory/2060-144-0x00007FF727540000-0x00007FF727891000-memory.dmp
memory/3476-146-0x00007FF70E7A0000-0x00007FF70EAF1000-memory.dmp
memory/3608-142-0x00007FF74AF00000-0x00007FF74B251000-memory.dmp
memory/1516-140-0x00007FF61D910000-0x00007FF61DC61000-memory.dmp
memory/552-147-0x00007FF6D9880000-0x00007FF6D9BD1000-memory.dmp
memory/2728-139-0x00007FF6FAA40000-0x00007FF6FAD91000-memory.dmp
memory/652-141-0x00007FF7DB030000-0x00007FF7DB381000-memory.dmp
memory/4696-137-0x00007FF787050000-0x00007FF7873A1000-memory.dmp
memory/720-138-0x00007FF692260000-0x00007FF6925B1000-memory.dmp
memory/100-135-0x00007FF709790000-0x00007FF709AE1000-memory.dmp
memory/3404-129-0x00007FF76B650000-0x00007FF76B9A1000-memory.dmp
memory/3872-131-0x00007FF6FA8D0000-0x00007FF6FAC21000-memory.dmp
memory/468-130-0x00007FF63E380000-0x00007FF63E6D1000-memory.dmp
memory/3404-151-0x00007FF76B650000-0x00007FF76B9A1000-memory.dmp
memory/468-196-0x00007FF63E380000-0x00007FF63E6D1000-memory.dmp
memory/3872-198-0x00007FF6FA8D0000-0x00007FF6FAC21000-memory.dmp
memory/436-213-0x00007FF77E0B0000-0x00007FF77E401000-memory.dmp
memory/3484-215-0x00007FF785840000-0x00007FF785B91000-memory.dmp
memory/1964-217-0x00007FF7454C0000-0x00007FF745811000-memory.dmp
memory/100-219-0x00007FF709790000-0x00007FF709AE1000-memory.dmp
memory/1744-221-0x00007FF782D60000-0x00007FF7830B1000-memory.dmp
memory/4696-223-0x00007FF787050000-0x00007FF7873A1000-memory.dmp
memory/720-225-0x00007FF692260000-0x00007FF6925B1000-memory.dmp
memory/3608-228-0x00007FF74AF00000-0x00007FF74B251000-memory.dmp
memory/2728-231-0x00007FF6FAA40000-0x00007FF6FAD91000-memory.dmp
memory/1516-229-0x00007FF61D910000-0x00007FF61DC61000-memory.dmp
memory/2708-234-0x00007FF62BCD0000-0x00007FF62C021000-memory.dmp
memory/652-235-0x00007FF7DB030000-0x00007FF7DB381000-memory.dmp
memory/3716-237-0x00007FF7E3470000-0x00007FF7E37C1000-memory.dmp
memory/2060-240-0x00007FF727540000-0x00007FF727891000-memory.dmp
memory/552-241-0x00007FF6D9880000-0x00007FF6D9BD1000-memory.dmp
memory/3476-243-0x00007FF70E7A0000-0x00007FF70EAF1000-memory.dmp
memory/2104-248-0x00007FF689990000-0x00007FF689CE1000-memory.dmp
memory/2064-249-0x00007FF700190000-0x00007FF7004E1000-memory.dmp
memory/388-246-0x00007FF7ABC80000-0x00007FF7ABFD1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 12:02
Reported
2024-08-13 12:05
Platform
win7-20240704-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ILqAgJS.exe | N/A |
| N/A | N/A | C:\Windows\System\lzKXKNC.exe | N/A |
| N/A | N/A | C:\Windows\System\wKftVLp.exe | N/A |
| N/A | N/A | C:\Windows\System\mSsOWyN.exe | N/A |
| N/A | N/A | C:\Windows\System\UWpfJHg.exe | N/A |
| N/A | N/A | C:\Windows\System\yYtUiKW.exe | N/A |
| N/A | N/A | C:\Windows\System\djdKJYH.exe | N/A |
| N/A | N/A | C:\Windows\System\SuLgBuE.exe | N/A |
| N/A | N/A | C:\Windows\System\gESmabV.exe | N/A |
| N/A | N/A | C:\Windows\System\LhGXCAO.exe | N/A |
| N/A | N/A | C:\Windows\System\sgwAYiM.exe | N/A |
| N/A | N/A | C:\Windows\System\rGQOsCx.exe | N/A |
| N/A | N/A | C:\Windows\System\sODbcEy.exe | N/A |
| N/A | N/A | C:\Windows\System\YuzaDIo.exe | N/A |
| N/A | N/A | C:\Windows\System\TyldNye.exe | N/A |
| N/A | N/A | C:\Windows\System\uESQSRM.exe | N/A |
| N/A | N/A | C:\Windows\System\VtIwufQ.exe | N/A |
| N/A | N/A | C:\Windows\System\EfPJwBy.exe | N/A |
| N/A | N/A | C:\Windows\System\MJbwsGS.exe | N/A |
| N/A | N/A | C:\Windows\System\JlzRJbf.exe | N/A |
| N/A | N/A | C:\Windows\System\BqgSehE.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-13_e36638f177b4ba4e5b295107a88c33f0_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\ILqAgJS.exe
C:\Windows\System\ILqAgJS.exe
C:\Windows\System\wKftVLp.exe
C:\Windows\System\wKftVLp.exe
C:\Windows\System\lzKXKNC.exe
C:\Windows\System\lzKXKNC.exe
C:\Windows\System\UWpfJHg.exe
C:\Windows\System\UWpfJHg.exe
C:\Windows\System\mSsOWyN.exe
C:\Windows\System\mSsOWyN.exe
C:\Windows\System\yYtUiKW.exe
C:\Windows\System\yYtUiKW.exe
C:\Windows\System\djdKJYH.exe
C:\Windows\System\djdKJYH.exe
C:\Windows\System\SuLgBuE.exe
C:\Windows\System\SuLgBuE.exe
C:\Windows\System\gESmabV.exe
C:\Windows\System\gESmabV.exe
C:\Windows\System\LhGXCAO.exe
C:\Windows\System\LhGXCAO.exe
C:\Windows\System\sgwAYiM.exe
C:\Windows\System\sgwAYiM.exe
C:\Windows\System\rGQOsCx.exe
C:\Windows\System\rGQOsCx.exe
C:\Windows\System\sODbcEy.exe
C:\Windows\System\sODbcEy.exe
C:\Windows\System\YuzaDIo.exe
C:\Windows\System\YuzaDIo.exe
C:\Windows\System\TyldNye.exe
C:\Windows\System\TyldNye.exe
C:\Windows\System\uESQSRM.exe
C:\Windows\System\uESQSRM.exe
C:\Windows\System\VtIwufQ.exe
C:\Windows\System\VtIwufQ.exe
C:\Windows\System\EfPJwBy.exe
C:\Windows\System\EfPJwBy.exe
C:\Windows\System\MJbwsGS.exe
C:\Windows\System\MJbwsGS.exe
C:\Windows\System\JlzRJbf.exe
C:\Windows\System\JlzRJbf.exe
C:\Windows\System\BqgSehE.exe
C:\Windows\System\BqgSehE.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/2568-0-0x000000013F590000-0x000000013F8E1000-memory.dmp
memory/2568-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\ILqAgJS.exe
| MD5 | 93de91ede08cb2df8bcfc2c6f30ae560 |
| SHA1 | 0963910b27e06235495bc40bb524565670c983d5 |
| SHA256 | f46e43d8986750dd64837b130eccb4b6dd2e1179d83f69e2d8e0d3564d5e2fed |
| SHA512 | 0368a74483ae407e43f9aed0152ac63fb030e4ae521160e684a168b5748be25f7d6c7d7f46106059141792e2a13bc80b380ae3bd65814533f5b0bcfca59f2387 |
C:\Windows\system\mSsOWyN.exe
| MD5 | bfad4f7a0bc678c5fedb339de8f9cfa6 |
| SHA1 | ceed3e63a9819556c06ced86e662c65e2c8beed5 |
| SHA256 | 93be91679fe8b11e6f70480908dbdee5e963f66d3403a8c2d973e16dadb0f924 |
| SHA512 | fb733b5e4f8fd1ee3e62decba79373d08dc644e5b068b3a2f5901dda88719c04577be6d37b6119e8c3a4a4ed642bdfcd9c02eefe5066dd8c73852a2f25ae6b1b |
C:\Windows\system\wKftVLp.exe
| MD5 | 1ed7c6b4895d623ccc63b362a536004d |
| SHA1 | dffd6dca689626541cde8b0e243e24df85051478 |
| SHA256 | 1aa4c699f738ab29ddfcc09dbded2ae2fb99688955d2ae3d36b62bb08b84d465 |
| SHA512 | a81694ba4db9e80f1edec5fbb9c4d1113bc4e358c039fd57e6ca025ea4a7cbae62b07fada64e4ebe5613057ad07e2e459d4bde4b0dbeedf965ed7b60fce58d13 |
C:\Windows\system\lzKXKNC.exe
| MD5 | 46fb0017c6d844df79e29bc68e048477 |
| SHA1 | da59586feea49900b435477e3c7a44ba612393e7 |
| SHA256 | 17e78ee6a90007b9acab5490b825ff62985346cb1488e5eea71e10e8565e8ced |
| SHA512 | 73cbe14dcf02ec6658c12efd34b89c9627cadefdd064cd3a115a4fe5662f1037f2b197ceb36a585b8d9b0e63b46e2874a4ed3b5f8e7949d17c33235a2796bfea |
memory/2092-17-0x000000013FFD0000-0x0000000140321000-memory.dmp
\Windows\system\UWpfJHg.exe
| MD5 | 52af2ddcb2d50cbfb9ccdebafcfea19e |
| SHA1 | 794ef3353dff058e76d923b2c534cc4df52db764 |
| SHA256 | 0bf063df19d971873b5de52049cb98b35c271208aa8d0bbcf48fefb2c289d94d |
| SHA512 | 0c4a6f2fe362485cd6880ba705616e1f173c4faa672b106de7aa3ab4dd05b588487eb9ca5a27d258370a468fe0bc6485c28664f4f39cd706da707b8fb9e933bb |
C:\Windows\system\yYtUiKW.exe
| MD5 | f6281fa62c14ddc27978c4e455fb3bc7 |
| SHA1 | 62565d651941cc4a5f726bedcd4326d23f872f40 |
| SHA256 | 0f19405f8214cd00eeb91a2dd7ae7bfcc3da27297abbef4c73a54090f79d0df1 |
| SHA512 | f2ebc4883ff628efc60c07fac1f0c617f5f7b29b76359ca4a00bc41e47be26b3acc613e10a24f38b90ebe66d533db932c1ee2446c4f6304112d9412097d4625b |
C:\Windows\system\djdKJYH.exe
| MD5 | ccef002f6ad31e44bc94ddc6f3814571 |
| SHA1 | ea3e720af992485d1ff09ac9735e60db8fe6ca11 |
| SHA256 | 44570e119c7b62fd830867bf129ad32d21ed31157d19bff830c1fec089aa1fd8 |
| SHA512 | 74d1b84831e5e9d64e9a6e66251863a6136654b1587e6aaada0f8565089d2a9bc44e0fec278ec1ec99f265e3f4d07eaf691871c66be25b115e60ad3ec7243148 |
C:\Windows\system\LhGXCAO.exe
| MD5 | 0f6f379ff51a316acf5b236a8fe4b76d |
| SHA1 | 8ac047477b1dec874145f6359e0ac25152b59355 |
| SHA256 | b169faa3205ccf046a53f6c9ef17805ae8e588f1b521b0b4a4b111d3a7c609d7 |
| SHA512 | 8362863a139d7f4806c167f7e7422f06918765bb55f2f76b1223cd5862f5d915f8b4dc045cf6bf28ffdaa4b83e1e09e456a1048dedde0b5703e905b84b22feae |
C:\Windows\system\YuzaDIo.exe
| MD5 | 3b625106de90881a449a9b346b21c134 |
| SHA1 | 8a883f19c98e4b97d601c36569136e5915bf6e7c |
| SHA256 | cc62eeea44c3360b96c5add4771071dfd158e677affe1536e4dcd1321fbcf889 |
| SHA512 | f6d4bd5bd74af46bd9014fb3b32c97f340ddd4050422e8c757c3043918de1fc8cd7e4db83b2fc74f7ea76bf5f66b1588d76de6e31510a98919ff296459fa46fb |
C:\Windows\system\VtIwufQ.exe
| MD5 | 79edc490d7b98e694752b6981a7eeec0 |
| SHA1 | 4295b48d269fb3024093cdca660de07e1558fa1b |
| SHA256 | 44c0e13d92aa4eb62e762f70e3be2124b85513c28821e34956a37bf412b8b376 |
| SHA512 | 7c87c11097de1a6b57ba75c45e25e491c694796f9f19ee22240893bf1abc54218eb17f8599d8eb18ba427a5fc0114133dd23fd7bfb2f6a7d5a5ec176477aa02b |
C:\Windows\system\JlzRJbf.exe
| MD5 | 23cc262e4193cf679284a68984397bfc |
| SHA1 | cfa3a925c26c86dd6f166033dae69d118703a6ec |
| SHA256 | 6f5e3cb1174cef0b99dc7a218b5373e01b5066996f14caf2a39e525f03095581 |
| SHA512 | db65ac05be1b6e143b0409c2e6b2ecee6f6a9738b7d69c332da53d5ea825a2533ae6d1e7bfc14c607f02ca07c0245d1a872161740b872631691728f9bcd6bf37 |
C:\Windows\system\BqgSehE.exe
| MD5 | c3c10b73828e24b8cd2a6a9ff44999e0 |
| SHA1 | f1936cb88a3c9703289189791332bf881cee2621 |
| SHA256 | cee96a127b5b8fade65fc3dee6cf5d5456fb103d3d03756f04c2bf4001b89a22 |
| SHA512 | 58f2997a08cb4d7b715cf6cbd9ed8120eb7a4f3e4e8265643e4585d35b360876495ca763474a3d737fd22af2b6ac7673130861c499ce28e3a8b9a59c14709b9c |
C:\Windows\system\MJbwsGS.exe
| MD5 | fc08050aba5938e14185dd12951c7f78 |
| SHA1 | ec7f118b7f7be6560c38a75d16fe737588c2018d |
| SHA256 | 47d47cf9e4aaef04422bfb580b599927d34c47ce7ccc4538ef243187eb58912f |
| SHA512 | ad432ac813419b358b61a6aaa4eb4642dff04fb188a712d156d4440e4c09c9e1301d8e20a5158cb069e092f895e3f8f9efcae11fcfeb82cb1757218b3505b4b3 |
C:\Windows\system\EfPJwBy.exe
| MD5 | 25d8df08c3993f5287f1e10423657f27 |
| SHA1 | 1297eb95ac5361a1f1a3956165ed585334de3ed3 |
| SHA256 | b5e0827e3bae58fe2565fba58dd7e630caf8310b3eec246a9e57ccbaaddf513f |
| SHA512 | 5aa08d3e788b5637254fe986348b92dacf4dab6f246fd9c0fff5c1ae6cb294315b3c9b22026d7d36929785781bba6bf9c0bdba9594953f2ef779b13d19b3a0d0 |
C:\Windows\system\uESQSRM.exe
| MD5 | 24b2034b04dac4929f4f4d5f96bf337e |
| SHA1 | 784e2777a72b031d3e11f880b50b92a0330db702 |
| SHA256 | d667dd3b3a4f256a34a2a74f22afeca19bea9b6e8085456e466e3aeb7e311daf |
| SHA512 | 4f499e1ac24e91d9c315236f97fd8b4c4df02a4003fdf779ec1c6cc94c12bdda843b414d1cf14a0ddd27ebea961337c3c025c198db4a6e0fc16dbe846f3034b7 |
C:\Windows\system\TyldNye.exe
| MD5 | 4ed25f84cc8b0e3fa1a54d1e0a4712a9 |
| SHA1 | c34006adc41255a5a7ad9e7c4a2809f751057e31 |
| SHA256 | 69dc32a723d6d397f6ca73f8a4fc23dbd37a74e7aa3f6830e5d21bbbd5c3a76c |
| SHA512 | bad8ed3d31786311bb06a71ce685a1c0c23249d97f181aca119d26da6a1c887ef91f014041dc048699b52f5df02ebc0590d34141f69f2b3298e4e62575d803e6 |
C:\Windows\system\sODbcEy.exe
| MD5 | 3edeb04ed7f33db749f37bff9a495767 |
| SHA1 | 59b05c054a1e2e2d0e7622fcf551e0dc3455a0e6 |
| SHA256 | fa545a18da686a981b13e3c03006684cc12c968f93aea4c0bccf3d9a116818ea |
| SHA512 | 6c93f12fcfd30939188b1caf5b275b080ab8f37de7ec978a28e551552a7a1100caa8523f1f5c065e19ac212c91a9b42273b49d8c71baa3619ef5c24f22da7e4b |
C:\Windows\system\rGQOsCx.exe
| MD5 | ef6209178f7fbeff4c5e765231e37653 |
| SHA1 | ce4f86a288af9f7fc141a73254bf035662d8dba4 |
| SHA256 | 525f76b36ff9c36d6f273ce86949c20d0c0d2256b4a530f9051846848c136014 |
| SHA512 | 90c67aacbe2bae7574471bf14bf6582749a9b17404f35071db95e9131846f96831dc3be6b4aae92c69c2525d35258dd0f39c1a017c3a61de3d39bccd4fed9b04 |
memory/2568-59-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
memory/1696-58-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/2568-55-0x0000000002120000-0x0000000002471000-memory.dmp
memory/1480-53-0x000000013FDB0000-0x0000000140101000-memory.dmp
memory/2016-50-0x000000013F0A0000-0x000000013F3F1000-memory.dmp
C:\Windows\system\sgwAYiM.exe
| MD5 | 313306a66202fb5b48e80c494523448f |
| SHA1 | 15f759bbbbc1a33eca172d29e966b3f821760ac5 |
| SHA256 | 3a477f71df4f1ff9c0de9f63be292cfec254f1c7b163ef2eb4d7dbb340398ed6 |
| SHA512 | 4da53277bbff21b03ed23fc6c47da0955d2c4a7c9a14caeeae64aff106deb2bc80f0ce2f1c0850bd4d99a86150a2071f4d8bb07ac706d32846a34285081f107e |
C:\Windows\system\gESmabV.exe
| MD5 | e335235826b8b147a413ad2523464fc2 |
| SHA1 | dfd12a777dee710676a4bfde1cfaff7dc91c0881 |
| SHA256 | b70cadb3f2df22e8196f56b5627cc13d58fefe1756c32bccc53c6c0e2c665f54 |
| SHA512 | 4242fb5c38e4b4677c19232098e3e35da5dbef78b88f2cc840c007035bd89fd09e726d97bb83e31715082dcd824e8a451376fb727f2ca2a704adf8f1a40f2a1e |
C:\Windows\system\SuLgBuE.exe
| MD5 | 3d155ec1ae53d788d37e9c4900dc55d7 |
| SHA1 | 141e447ccdc5c7e2eaddbbd658691ff7ad30e61b |
| SHA256 | c97c6215d4c2400ba71c9c82464900188c3471ab22c1cf45cc5d6b5204836c83 |
| SHA512 | 03b5aa47aca3512a4a1d52b4dcf64cad16aac949881c36013786da5d9a86f1239ae7206dadde7f53d54926d29c15a61b5bd0967e10fa1d935bbde7a7d1d715df |
memory/2568-12-0x000000013FDB0000-0x0000000140101000-memory.dmp
memory/2192-115-0x000000013FAD0000-0x000000013FE21000-memory.dmp
memory/2640-140-0x000000013F580000-0x000000013F8D1000-memory.dmp
memory/2568-148-0x000000013FBC0000-0x000000013FF11000-memory.dmp
memory/932-147-0x000000013F280000-0x000000013F5D1000-memory.dmp
memory/2568-146-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/2568-145-0x000000013FAD0000-0x000000013FE21000-memory.dmp
memory/1540-144-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/2692-143-0x000000013F590000-0x000000013F8E1000-memory.dmp
memory/2628-142-0x000000013FBC0000-0x000000013FF11000-memory.dmp
memory/2568-138-0x0000000002120000-0x0000000002471000-memory.dmp
memory/2176-135-0x000000013FEB0000-0x0000000140201000-memory.dmp
memory/2568-133-0x000000013FEB0000-0x0000000140201000-memory.dmp
memory/2892-131-0x000000013F160000-0x000000013F4B1000-memory.dmp
memory/2568-129-0x000000013F160000-0x000000013F4B1000-memory.dmp
memory/2908-127-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/2568-125-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/2780-124-0x000000013FE90000-0x00000001401E1000-memory.dmp
memory/2568-122-0x000000013FE90000-0x00000001401E1000-memory.dmp
memory/1560-119-0x000000013F8E0000-0x000000013FC31000-memory.dmp
memory/1928-118-0x000000013F030000-0x000000013F381000-memory.dmp
memory/1484-117-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/2176-111-0x000000013FEB0000-0x0000000140201000-memory.dmp
memory/2224-106-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
memory/1696-104-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/2016-103-0x000000013F0A0000-0x000000013F3F1000-memory.dmp
memory/2092-101-0x000000013FFD0000-0x0000000140321000-memory.dmp
memory/2568-100-0x000000013F590000-0x000000013F8E1000-memory.dmp
memory/2224-99-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
memory/1480-151-0x000000013FDB0000-0x0000000140101000-memory.dmp
memory/2568-149-0x000000013F590000-0x000000013F8E1000-memory.dmp
memory/1696-153-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/2908-157-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/2224-155-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
memory/1028-165-0x000000013FB00000-0x000000013FE51000-memory.dmp
memory/1560-170-0x000000013F8E0000-0x000000013FC31000-memory.dmp
memory/3056-169-0x000000013FB00000-0x000000013FE51000-memory.dmp
memory/1928-168-0x000000013F030000-0x000000013F381000-memory.dmp
memory/2024-167-0x000000013F8E0000-0x000000013FC31000-memory.dmp
memory/2568-171-0x000000013F590000-0x000000013F8E1000-memory.dmp
memory/2568-193-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/2092-208-0x000000013FFD0000-0x0000000140321000-memory.dmp
memory/2016-210-0x000000013F0A0000-0x000000013F3F1000-memory.dmp
memory/932-212-0x000000013F280000-0x000000013F5D1000-memory.dmp
memory/2640-218-0x000000013F580000-0x000000013F8D1000-memory.dmp
memory/2892-216-0x000000013F160000-0x000000013F4B1000-memory.dmp
memory/2780-214-0x000000013FE90000-0x00000001401E1000-memory.dmp
memory/2692-233-0x000000013F590000-0x000000013F8E1000-memory.dmp
memory/1480-239-0x000000013FDB0000-0x0000000140101000-memory.dmp
memory/1696-241-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/2908-246-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/1540-251-0x000000013F6E0000-0x000000013FA31000-memory.dmp
memory/2628-250-0x000000013FBC0000-0x000000013FF11000-memory.dmp
memory/2176-247-0x000000013FEB0000-0x0000000140201000-memory.dmp
memory/2224-243-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
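An added example, not part of the sandbox report or of any sandbox vendor's tooling: a small Python parser for the two artifact formats listed above (the per-file hash tables and the `memory/<pid>-<seq>-<start>-<end>-memory.dmp` dump names). It checks that each digest has the hex length its algorithm implies, groups dumps by PID, and computes the size of every dumped region, which is the quickest way to see whether the report is showing one image mapped into many processes. The regular expressions, function names, and the reading of the dump name as start and end virtual addresses are my assumptions inferred from the listing; the sample input is an excerpt copied from the entries above.

```python
"""Parse sandbox dropped-file hash tables and memory-dump artifact names into an IOC summary."""
import re
from collections import defaultdict

# Expected hex length of each digest algorithm that appears in the report.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Assumed layout of dump names: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
PATH_RE = re.compile(r"^[A-Za-z]:\\")

# Excerpt of the report listing above (two dropped files, five dumps).
SAMPLE_REPORT = r"""
C:\Windows\system\LhGXCAO.exe
| MD5 | 0f6f379ff51a316acf5b236a8fe4b76d |
| SHA1 | 8ac047477b1dec874145f6359e0ac25152b59355 |
| SHA256 | b169faa3205ccf046a53f6c9ef17805ae8e588f1b521b0b4a4b111d3a7c609d7 |
| SHA512 | 8362863a139d7f4806c167f7e7422f06918765bb55f2f76b1223cd5862f5d915f8b4dc045cf6bf28ffdaa4b83e1e09e456a1048dedde0b5703e905b84b22feae |
C:\Windows\system\YuzaDIo.exe
| MD5 | 3b625106de90881a449a9b346b21c134 |
| SHA1 | 8a883f19c98e4b97d601c36569136e5915bf6e7c |
| SHA256 | cc62eeea44c3360b96c5add4771071dfd158e677affe1536e4dcd1321fbcf889 |
| SHA512 | f6d4bd5bd74af46bd9014fb3b32c97f340ddd4050422e8c757c3043918de1fc8cd7e4db83b2fc74f7ea76bf5f66b1588d76de6e31510a98919ff296459fa46fb |
memory/2568-59-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
memory/1696-58-0x000000013F1F0000-0x000000013F541000-memory.dmp
memory/2568-55-0x0000000002120000-0x0000000002471000-memory.dmp
memory/1480-53-0x000000013FDB0000-0x0000000140101000-memory.dmp
memory/2016-50-0x000000013F0A0000-0x000000013F3F1000-memory.dmp
"""


def parse_report(text):
    """Return (files, dumps): files maps path -> {algo: hex digest}; dumps is a list of dicts."""
    files, dumps, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            current = line          # a path line opens a new dropped-file entry
            files[current] = {}
            continue
        m = HASH_ROW_RE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"{current}: {algo} has {len(digest)} hex chars, expected {HASH_LENGTHS[algo]}")
            files[current][algo] = digest
            continue
        m = DUMP_RE.match(line)
        if m:
            start, end = int(m.group("start"), 16), int(m.group("end"), 16)
            dumps.append({"pid": int(m.group("pid")), "seq": int(m.group("seq")),
                          "start": start, "end": end, "size": end - start})
    return files, dumps


def region_sizes(dumps):
    """Distinct dumped-region sizes; one size across many PIDs points at the same image everywhere."""
    return sorted({d["size"] for d in dumps})


def pids_by_region_count(dumps):
    """How many dumped regions each PID contributed."""
    counts = defaultdict(int)
    for d in dumps:
        counts[d["pid"]] += 1
    return dict(counts)


def dropped_names_look_random(files, length=7):
    """True when every dropped file is <length> letters + .exe under C:\\Windows\\system (the pattern seen above)."""
    pat = re.compile(r"^C:\\Windows\\system\\[A-Za-z]{%d}\.exe$" % length)
    return all(pat.match(p) for p in files)


if __name__ == "__main__":
    files, dumps = parse_report(SAMPLE_REPORT)
    print(f"{len(files)} dropped files, {len(dumps)} dumps")
    print("region sizes:", [hex(s) for s in region_sizes(dumps)])
    print("dumps per PID:", pids_by_region_count(dumps))
    print("random-looking names:", dropped_names_look_random(files))
```

Feeding the full listing through `parse_report` gives the same region size for every dump; that, together with the uniform seven-letter names under `C:\Windows\system`, is what a triage analyst would pull out of this page first, and the SHA256 column of `files` is the set to push into blocklists.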