Analysis Overview
SHA256
135b5adf75a2385b655369f95dfbc995ef9afe247cc4dbd888580e2316c33be7
Threat Level: Known bad
The file 2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike
Cobaltstrike family
Xmrig family
XMRig Miner payload
xmrig
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-25 11:46
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 11:46
Reported
2024-10-25 11:48
Platform
win7-20240903-en
Max time kernel
141s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\tOzTglr.exe | N/A |
| N/A | N/A | C:\Windows\System\ycCoRbI.exe | N/A |
| N/A | N/A | C:\Windows\System\QDZKkql.exe | N/A |
| N/A | N/A | C:\Windows\System\QIxSCzc.exe | N/A |
| N/A | N/A | C:\Windows\System\TSZsKQA.exe | N/A |
| N/A | N/A | C:\Windows\System\lPiJhfb.exe | N/A |
| N/A | N/A | C:\Windows\System\elWNuBD.exe | N/A |
| N/A | N/A | C:\Windows\System\hzutVqL.exe | N/A |
| N/A | N/A | C:\Windows\System\OpesDuH.exe | N/A |
| N/A | N/A | C:\Windows\System\sQHMBya.exe | N/A |
| N/A | N/A | C:\Windows\System\CfnIxGa.exe | N/A |
| N/A | N/A | C:\Windows\System\ctpHZxL.exe | N/A |
| N/A | N/A | C:\Windows\System\sLAMOpg.exe | N/A |
| N/A | N/A | C:\Windows\System\pgSvtGz.exe | N/A |
| N/A | N/A | C:\Windows\System\rAfaCEq.exe | N/A |
| N/A | N/A | C:\Windows\System\AKeLOff.exe | N/A |
| N/A | N/A | C:\Windows\System\semRLeX.exe | N/A |
| N/A | N/A | C:\Windows\System\LZtmuod.exe | N/A |
| N/A | N/A | C:\Windows\System\PZDhaty.exe | N/A |
| N/A | N/A | C:\Windows\System\iFVgjGS.exe | N/A |
| N/A | N/A | C:\Windows\System\ADnjmkX.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\tOzTglr.exe
C:\Windows\System\tOzTglr.exe
C:\Windows\System\ycCoRbI.exe
C:\Windows\System\ycCoRbI.exe
C:\Windows\System\QDZKkql.exe
C:\Windows\System\QDZKkql.exe
C:\Windows\System\TSZsKQA.exe
C:\Windows\System\TSZsKQA.exe
C:\Windows\System\QIxSCzc.exe
C:\Windows\System\QIxSCzc.exe
C:\Windows\System\elWNuBD.exe
C:\Windows\System\elWNuBD.exe
C:\Windows\System\lPiJhfb.exe
C:\Windows\System\lPiJhfb.exe
C:\Windows\System\hzutVqL.exe
C:\Windows\System\hzutVqL.exe
C:\Windows\System\ctpHZxL.exe
C:\Windows\System\ctpHZxL.exe
C:\Windows\System\OpesDuH.exe
C:\Windows\System\OpesDuH.exe
C:\Windows\System\sLAMOpg.exe
C:\Windows\System\sLAMOpg.exe
C:\Windows\System\sQHMBya.exe
C:\Windows\System\sQHMBya.exe
C:\Windows\System\pgSvtGz.exe
C:\Windows\System\pgSvtGz.exe
C:\Windows\System\CfnIxGa.exe
C:\Windows\System\CfnIxGa.exe
C:\Windows\System\rAfaCEq.exe
C:\Windows\System\rAfaCEq.exe
C:\Windows\System\AKeLOff.exe
C:\Windows\System\AKeLOff.exe
C:\Windows\System\semRLeX.exe
C:\Windows\System\semRLeX.exe
C:\Windows\System\LZtmuod.exe
C:\Windows\System\LZtmuod.exe
C:\Windows\System\PZDhaty.exe
C:\Windows\System\PZDhaty.exe
C:\Windows\System\iFVgjGS.exe
C:\Windows\System\iFVgjGS.exe
C:\Windows\System\ADnjmkX.exe
C:\Windows\System\ADnjmkX.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1868-0-0x000000013FD90000-0x00000001400E1000-memory.dmp
memory/1868-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\tOzTglr.exe
| MD5 | e531c914053f64aa4a33ce996f5cd762 |
| SHA1 | c5c01f66eea88db3bd1e52f41c1d53d6e2847575 |
| SHA256 | 58a06146ae33041c177c8cb373872f2f09b6d168d6dd50a9f545f967b59b4f72 |
| SHA512 | 22d2a5470cf32d76232179099be7ac825e74333b1a5353c38a83035c55b079261bb631a05e8b47f2f1be193be41bee4a5286058c072d8b3e5f729c6e7e853a72 |
C:\Windows\system\ycCoRbI.exe
| MD5 | 111f4ab6f9e707109c2f0ce1101d34fa |
| SHA1 | 724347f553e6ab4cdaa3a777ca91ce83e8ea9dd8 |
| SHA256 | 71f39e052410906a5aa626f20d851c4439f84744ff9633f8a17f760b667ba997 |
| SHA512 | eab6471ea153accb69e0e2342553afa885ea78d3636b60d781dfcf33db60838c0193cc7c59b4c826fd29115ac27a6bdeba02e7c389709b7aed2ed3dba50e4a0c |
memory/1868-15-0x0000000002240000-0x0000000002591000-memory.dmp
memory/2216-14-0x000000013FF80000-0x00000001402D1000-memory.dmp
memory/1868-6-0x0000000002240000-0x0000000002591000-memory.dmp
C:\Windows\system\QDZKkql.exe
| MD5 | cd4faeba48db1387b3d824e8026545e7 |
| SHA1 | 2ced960985dac5dd191c720ecd2158a16fb7f361 |
| SHA256 | 70771adb36dddae91e34292817cdb9491dae02d5ccb804f3d2b579965606bd8b |
| SHA512 | 153eaae7a7161a57d79f51a9ebba8d22a97bb740adb51873a14cbbc2be718d8f728753745b6cb1356657ee651c879c8322985710e3755364820b0c7cabc14fe1 |
\Windows\system\QIxSCzc.exe
| MD5 | a20cb17982e51a4bbf35e59540b32ca9 |
| SHA1 | e71289aaa21130db2b22010ba1650475b48f72eb |
| SHA256 | 76fd8821bf1b772c67b405ecb4b38f5399305af40b765ccd9fab5ed9026a1931 |
| SHA512 | a3f27ae89b0270039544bb6bd282cd4bdf674b29b108bfd1a220c6579dddcb381e8e80a3bde47676c6a949d00153ce90b76c6d95d2a7accb6cce52ede040d8a3 |
\Windows\system\TSZsKQA.exe
| MD5 | f0e13f056b68a3f7f1ca3ce5eecd8277 |
| SHA1 | dc6cb4aa2e74b9f2827d04104772e3aa31a3a311 |
| SHA256 | 74b029d2419df53939fd338dacc17ad8087c91bfe96f0b7a1c0adbf5bd901f14 |
| SHA512 | 72239fb36ac081d548423a64a47d189aa978301c02c664dc59a1507c1790e5d8f834a2ee66773fd4b2bdf1c86216bc668d84312eb585163bff955c77dc6bda0d |
C:\Windows\system\CfnIxGa.exe
| MD5 | 29aafe434109ae374ffe92888d0dd610 |
| SHA1 | 8c31e5d3298065ca25d72369275409c75b724f90 |
| SHA256 | 32e50780e5d9da8ae058cedffa88f48690a9a291b4079719c59d80f62574f48d |
| SHA512 | e3c336628a1b8dad2ebde9d9e07e8e871165abd5b6531a9db157aa9b62c3ace40b22b16c2fe9fec617c70e48a5a52f390e41e7fde05736614ecf89c23b698482 |
memory/2756-85-0x000000013F090000-0x000000013F3E1000-memory.dmp
memory/2244-88-0x000000013FB50000-0x000000013FEA1000-memory.dmp
memory/2572-91-0x000000013FD80000-0x00000001400D1000-memory.dmp
memory/2776-93-0x000000013F980000-0x000000013FCD1000-memory.dmp
C:\Windows\system\lPiJhfb.exe
| MD5 | 6047c1da5c9e818399a1baac814012a8 |
| SHA1 | ee229501579a4e3195ca70c607318d1746a87358 |
| SHA256 | 2761912ed5ad9a3264033274ad68f4a341357aa778a305c84014d3cc3ef79604 |
| SHA512 | c841cd6f124de003e405bc2c94037d6a7ab81b328fc51dbd6e4b482ee116bad642e94fe6d3accb58ed444eedfe083d6bf2f2b1957130c6dc217a2a8f12073155 |
memory/2720-101-0x000000013F480000-0x000000013F7D1000-memory.dmp
C:\Windows\system\ADnjmkX.exe
| MD5 | fb65b4e5de88b6a0b864e0d0b8b3973a |
| SHA1 | 8912c8e69e146e6183002c76243e2cfa68670fa6 |
| SHA256 | 6e228deb06d71fdb34b291fb473faaf5bd482ca24ba4354fd743fd914347861e |
| SHA512 | aa7538e384916d8d6d59e29b265ab222980eee38632ad98f456050c476c5bf0519c7e0ea1273a2d108d4cc1aca15b8e2e82daa3e8cd5ecac4c02a26e714367fb |
C:\Windows\system\iFVgjGS.exe
| MD5 | 6fbb3ed4e7eb82204ec74fc066ea6639 |
| SHA1 | e7d4f2e588d98ee60f3d68d6722ce06a7ffc1d1e |
| SHA256 | dc88b937c08d90ae6b74de0dd0a5037439329396fa72bb2e7977ae238af6f5f4 |
| SHA512 | c4a54a152a06994c51a19e1ca418d4b7cc5ef5bff9c0d23f7a77c77511ec1520472a8ce2cfd67d9ad5ebebb292a8f4b239f8bf58bcf7ddf0859bf84f3a2e529a |
C:\Windows\system\PZDhaty.exe
| MD5 | 17a79e6abf93fecaccd9eb8268fb3a01 |
| SHA1 | 4619d4fbe3180ac335341402fcafbf93e466e01b |
| SHA256 | 790ed8a9468c41ff1344f9110ed5d6ee2ee9dbe3e7feaab259ad98faf7dd1255 |
| SHA512 | 34e7d7c0c810ba913fe16b5ee389bd8442a858d1e8fe395b5d8674ad5827159b93ad303d982479b3385d24376637b1828c4a32f9f5c671b017f9e536eb6d6fa1 |
C:\Windows\system\LZtmuod.exe
| MD5 | 31ed77359378d33115ecbd6f88313cca |
| SHA1 | 321950704e6677b10cc5ed3f2a8dbd3c15c27878 |
| SHA256 | bcb341c038a260723b11a2bb077b006a4f07b2bcb77f8592f2693d23a061d42e |
| SHA512 | d4b85b809830bc708318b6fbd5ff20ee78a66fe034557014bd1dfbd9706993504c11308e24818d3c8e802e945ddb2a94ce89530215fc677615b8f2896fccd310 |
C:\Windows\system\semRLeX.exe
| MD5 | 8f08b0537e14557a73a322b6476246d9 |
| SHA1 | 7db3397375502100fb5a933fc3d156e561b067ea |
| SHA256 | a4ce68bdb051f4e6b3a28c6cdbae497f886bb5c3d03504df7cab61491d1b4502 |
| SHA512 | 6a8cc9cba59cb5e67ce74259f3b767b02b37714c6879a73121f463daea191602894e738dca5a060c85200065bb050488616b698a32e1168eb976ccdfba83ef9f |
C:\Windows\system\rAfaCEq.exe
| MD5 | a82c9b5b27d19046ee069acab7e8e111 |
| SHA1 | 6ca71219a3da97a9ae0c7c0056c573e83469e469 |
| SHA256 | 0b5ced242173d4145f5084b118e8178b58ecd9a4862b8d1c20686dabc7164053 |
| SHA512 | 149d0539e9232ae896eecdcea159e7f7a6c3cae79f633e97ab2d6ff8f657adf602e90e292d58c43f9772b73c5706a013d9279cf5804a7e41ecae4b614270df5a |
memory/1868-102-0x000000013F3F0000-0x000000013F741000-memory.dmp
C:\Windows\system\AKeLOff.exe
| MD5 | e7cae8da166f910000ebc8e94eb21b8b |
| SHA1 | e90dd16d57e6ad9cf6060ba53dcb68349f7dde75 |
| SHA256 | 25ed4536f2d1af6fac6ddecc4c7884533468fc178a7f91f4730696e3706e4c81 |
| SHA512 | b92e99f44c71caae6bb1fbd87f61f8405deb794c89d124f8ed88c822f2f5f4e7006f626d47a4fe7ce5c770bd0ea5d1b5bfa6fc5ac21512f88600f45870d29b43 |
memory/1868-100-0x000000013F480000-0x000000013F7D1000-memory.dmp
memory/1868-68-0x000000013FD90000-0x00000001400E1000-memory.dmp
C:\Windows\system\sQHMBya.exe
| MD5 | 46afdf19369fb9945efb88b75a9fbc24 |
| SHA1 | 11034b5da14b617f856b8412c916074154731db2 |
| SHA256 | 262adce2acae2caa379e71df50f14af961cb27209b7987b2b7d26baa4f3fed8e |
| SHA512 | 77653341bfa62a5236ac69714679ce46b8464ba34d28e80f20a2c4ff7e5082af66d931f73289ac125db438b074997c0eebedd55db87156e1e1e5f9eb601ac6a8 |
C:\Windows\system\OpesDuH.exe
| MD5 | cd928bb41133664d21c5e834ffff4043 |
| SHA1 | d67bdacb77ad3093183eafd394e5742c519a599c |
| SHA256 | eed9e9dd6fbb453dbb7388650b1b7a5292adea80b487b4f47727f92db4a2dbaa |
| SHA512 | bd61f986dc917fdd0f39d96183ef9187248873ec6bf58b1648b289c0629b50ac43c61fa4dd058b211844b036663472a9436631ce1c92ad8e1bc7a11a6830840b |
\Windows\system\pgSvtGz.exe
| MD5 | 4bb2d0e3dbe0a311ea8a860922703f0a |
| SHA1 | 702b97478ff1e4c83cc4ec432f9ca51f0e0aece7 |
| SHA256 | 1dbafba11e0baa6235af8f87f3a8328ece43659288c19386f3e88e39a93776f8 |
| SHA512 | be11bead6748be1a8d727115e05d02c6c6ce66ac4af57a0c362c362d8bb7361a3cfe60f24bff40d5f9f708a4d20ded9b469acaf4b4fd7a0f11abff949d0b630c |
memory/2612-95-0x000000013F920000-0x000000013FC71000-memory.dmp
memory/1868-51-0x000000013F870000-0x000000013FBC1000-memory.dmp
\Windows\system\sLAMOpg.exe
| MD5 | aa43aacce55a02fe0a1cedb19412bad8 |
| SHA1 | 8b31b9333f7ee028cfd8760af07940579bbdf6f1 |
| SHA256 | 8e4544837ef67e86e2aa9cd8fa53e633fc5365fc462fedfc9eb21911714696c9 |
| SHA512 | 6827d19b086d483d13dc61466f97f645d83867c468cd8e17522475dfee5c523ef08e5c726fef09606b93d371bd46d0e3c38376cc25dd51c3d9a1db19ffec9428 |
memory/1868-136-0x0000000002240000-0x0000000002591000-memory.dmp
memory/2204-90-0x000000013F9C0000-0x000000013FD11000-memory.dmp
memory/2680-89-0x000000013FC20000-0x000000013FF71000-memory.dmp
memory/1868-87-0x000000013F090000-0x000000013F3E1000-memory.dmp
memory/2764-86-0x000000013F140000-0x000000013F491000-memory.dmp
memory/2560-84-0x000000013F870000-0x000000013FBC1000-memory.dmp
C:\Windows\system\ctpHZxL.exe
| MD5 | 3d4a989ae72b37062799a4201c434c47 |
| SHA1 | 8835dfb94be51fef63100274c9fb04ef7a16ff87 |
| SHA256 | 84769a269b6e29f9f31d64f1865ab5ba899429aa819648b33dbabe12e7b2fd3d |
| SHA512 | b275d9d32b1c3aa399a46ed5ef80affc7a0f8c0a74f6f822211f963734181be681b447f61e2fa5196f9d51f5840667a8cc78e14fd0c619fd490eb8b44e791baa |
memory/1868-80-0x000000013F920000-0x000000013FC71000-memory.dmp
memory/1868-43-0x0000000002240000-0x0000000002591000-memory.dmp
memory/2912-78-0x000000013FE90000-0x00000001401E1000-memory.dmp
memory/2816-77-0x000000013F8D0000-0x000000013FC21000-memory.dmp
memory/2660-76-0x000000013F110000-0x000000013F461000-memory.dmp
C:\Windows\system\hzutVqL.exe
| MD5 | e5ffcd1a7afc0c62c9ee132fd74e9ce2 |
| SHA1 | 0bf0522fb0a1b57d98148a6a79eb1ab913c779cc |
| SHA256 | 95e950d077fc6dc41cffb776096a71155ab451efe9d628ba82d51297eabb059b |
| SHA512 | 728abaf09fd6f33453eb99729fbf51af4795ba264013a9c8db00c380411ab0d11705defd34b056abf385d5f783b738c29051b8b9c5063ecb8882f15f1403a93b |
C:\Windows\system\elWNuBD.exe
| MD5 | 187e559809525051c68a959905846632 |
| SHA1 | d238f3d9a1f5c5cc4e1178ef48e0ed75d0e97c19 |
| SHA256 | e98e60f20c5a73c1fa5809b1d89326d80f1038db10caefe8ed2ac9cea7dfa832 |
| SHA512 | b32f15b19838bdacdd039291671867d1c0e3afd4648ab05caff63b5d21205c7ad1ca6735b937ad8b51e3ce04271549784071eb7444ae2a2697831e34509eec97 |
memory/1868-40-0x000000013F110000-0x000000013F461000-memory.dmp
memory/1868-56-0x000000013F980000-0x000000013FCD1000-memory.dmp
memory/1868-47-0x0000000002240000-0x0000000002591000-memory.dmp
memory/1868-38-0x000000013F8D0000-0x000000013FC21000-memory.dmp
memory/2720-29-0x000000013F480000-0x000000013F7D1000-memory.dmp
memory/1868-34-0x000000013F140000-0x000000013F491000-memory.dmp
memory/2660-138-0x000000013F110000-0x000000013F461000-memory.dmp
memory/1868-137-0x000000013F980000-0x000000013FCD1000-memory.dmp
memory/1868-139-0x000000013FD90000-0x00000001400E1000-memory.dmp
memory/2776-140-0x000000013F980000-0x000000013FCD1000-memory.dmp
memory/2612-144-0x000000013F920000-0x000000013FC71000-memory.dmp
memory/2464-156-0x000000013F3F0000-0x000000013F741000-memory.dmp
memory/1868-163-0x000000013F3F0000-0x000000013F741000-memory.dmp
memory/1624-161-0x000000013F6A0000-0x000000013F9F1000-memory.dmp
memory/2332-160-0x000000013F720000-0x000000013FA71000-memory.dmp
memory/552-159-0x000000013F020000-0x000000013F371000-memory.dmp
memory/1500-158-0x000000013F7D0000-0x000000013FB21000-memory.dmp
memory/1732-157-0x000000013FBA0000-0x000000013FEF1000-memory.dmp
memory/1592-162-0x000000013F260000-0x000000013F5B1000-memory.dmp
memory/1868-164-0x000000013FD90000-0x00000001400E1000-memory.dmp
memory/2244-213-0x000000013FB50000-0x000000013FEA1000-memory.dmp
memory/2216-214-0x000000013FF80000-0x00000001402D1000-memory.dmp
memory/2720-228-0x000000013F480000-0x000000013F7D1000-memory.dmp
memory/2764-230-0x000000013F140000-0x000000013F491000-memory.dmp
memory/2680-232-0x000000013FC20000-0x000000013FF71000-memory.dmp
memory/2816-234-0x000000013F8D0000-0x000000013FC21000-memory.dmp
memory/2560-236-0x000000013F870000-0x000000013FBC1000-memory.dmp
memory/2756-240-0x000000013F090000-0x000000013F3E1000-memory.dmp
memory/2912-239-0x000000013FE90000-0x00000001401E1000-memory.dmp
memory/2204-242-0x000000013F9C0000-0x000000013FD11000-memory.dmp
memory/2572-244-0x000000013FD80000-0x00000001400D1000-memory.dmp
memory/2612-254-0x000000013F920000-0x000000013FC71000-memory.dmp
memory/2776-256-0x000000013F980000-0x000000013FCD1000-memory.dmp
memory/2660-257-0x000000013F110000-0x000000013F461000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 11:46
Reported
2024-10-25 11:48
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\tOzTglr.exe | N/A |
| N/A | N/A | C:\Windows\System\ycCoRbI.exe | N/A |
| N/A | N/A | C:\Windows\System\QDZKkql.exe | N/A |
| N/A | N/A | C:\Windows\System\TSZsKQA.exe | N/A |
| N/A | N/A | C:\Windows\System\QIxSCzc.exe | N/A |
| N/A | N/A | C:\Windows\System\elWNuBD.exe | N/A |
| N/A | N/A | C:\Windows\System\lPiJhfb.exe | N/A |
| N/A | N/A | C:\Windows\System\hzutVqL.exe | N/A |
| N/A | N/A | C:\Windows\System\ctpHZxL.exe | N/A |
| N/A | N/A | C:\Windows\System\OpesDuH.exe | N/A |
| N/A | N/A | C:\Windows\System\sLAMOpg.exe | N/A |
| N/A | N/A | C:\Windows\System\sQHMBya.exe | N/A |
| N/A | N/A | C:\Windows\System\CfnIxGa.exe | N/A |
| N/A | N/A | C:\Windows\System\pgSvtGz.exe | N/A |
| N/A | N/A | C:\Windows\System\AKeLOff.exe | N/A |
| N/A | N/A | C:\Windows\System\rAfaCEq.exe | N/A |
| N/A | N/A | C:\Windows\System\semRLeX.exe | N/A |
| N/A | N/A | C:\Windows\System\LZtmuod.exe | N/A |
| N/A | N/A | C:\Windows\System\PZDhaty.exe | N/A |
| N/A | N/A | C:\Windows\System\iFVgjGS.exe | N/A |
| N/A | N/A | C:\Windows\System\ADnjmkX.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-25_2482ca548318dc88278059bd29f3139c_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\tOzTglr.exe
C:\Windows\System\tOzTglr.exe
C:\Windows\System\ycCoRbI.exe
C:\Windows\System\ycCoRbI.exe
C:\Windows\System\QDZKkql.exe
C:\Windows\System\QDZKkql.exe
C:\Windows\System\TSZsKQA.exe
C:\Windows\System\TSZsKQA.exe
C:\Windows\System\QIxSCzc.exe
C:\Windows\System\QIxSCzc.exe
C:\Windows\System\elWNuBD.exe
C:\Windows\System\elWNuBD.exe
C:\Windows\System\lPiJhfb.exe
C:\Windows\System\lPiJhfb.exe
C:\Windows\System\hzutVqL.exe
C:\Windows\System\hzutVqL.exe
C:\Windows\System\ctpHZxL.exe
C:\Windows\System\ctpHZxL.exe
C:\Windows\System\OpesDuH.exe
C:\Windows\System\OpesDuH.exe
C:\Windows\System\sLAMOpg.exe
C:\Windows\System\sLAMOpg.exe
C:\Windows\System\sQHMBya.exe
C:\Windows\System\sQHMBya.exe
C:\Windows\System\pgSvtGz.exe
C:\Windows\System\pgSvtGz.exe
C:\Windows\System\CfnIxGa.exe
C:\Windows\System\CfnIxGa.exe
C:\Windows\System\rAfaCEq.exe
C:\Windows\System\rAfaCEq.exe
C:\Windows\System\AKeLOff.exe
C:\Windows\System\AKeLOff.exe
C:\Windows\System\semRLeX.exe
C:\Windows\System\semRLeX.exe
C:\Windows\System\LZtmuod.exe
C:\Windows\System\LZtmuod.exe
C:\Windows\System\PZDhaty.exe
C:\Windows\System\PZDhaty.exe
C:\Windows\System\iFVgjGS.exe
C:\Windows\System\iFVgjGS.exe
C:\Windows\System\ADnjmkX.exe
C:\Windows\System\ADnjmkX.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3968-0-0x00007FF745E50000-0x00007FF7461A1000-memory.dmp
memory/3968-1-0x0000022155AF0000-0x0000022155B00000-memory.dmp
C:\Windows\System\tOzTglr.exe
| MD5 | e531c914053f64aa4a33ce996f5cd762 |
| SHA1 | c5c01f66eea88db3bd1e52f41c1d53d6e2847575 |
| SHA256 | 58a06146ae33041c177c8cb373872f2f09b6d168d6dd50a9f545f967b59b4f72 |
| SHA512 | 22d2a5470cf32d76232179099be7ac825e74333b1a5353c38a83035c55b079261bb631a05e8b47f2f1be193be41bee4a5286058c072d8b3e5f729c6e7e853a72 |
C:\Windows\System\QDZKkql.exe
| MD5 | cd4faeba48db1387b3d824e8026545e7 |
| SHA1 | 2ced960985dac5dd191c720ecd2158a16fb7f361 |
| SHA256 | 70771adb36dddae91e34292817cdb9491dae02d5ccb804f3d2b579965606bd8b |
| SHA512 | 153eaae7a7161a57d79f51a9ebba8d22a97bb740adb51873a14cbbc2be718d8f728753745b6cb1356657ee651c879c8322985710e3755364820b0c7cabc14fe1 |
C:\Windows\System\ycCoRbI.exe
| MD5 | 111f4ab6f9e707109c2f0ce1101d34fa |
| SHA1 | 724347f553e6ab4cdaa3a777ca91ce83e8ea9dd8 |
| SHA256 | 71f39e052410906a5aa626f20d851c4439f84744ff9633f8a17f760b667ba997 |
| SHA512 | eab6471ea153accb69e0e2342553afa885ea78d3636b60d781dfcf33db60838c0193cc7c59b4c826fd29115ac27a6bdeba02e7c389709b7aed2ed3dba50e4a0c |
C:\Windows\System\QIxSCzc.exe
| MD5 | a20cb17982e51a4bbf35e59540b32ca9 |
| SHA1 | e71289aaa21130db2b22010ba1650475b48f72eb |
| SHA256 | 76fd8821bf1b772c67b405ecb4b38f5399305af40b765ccd9fab5ed9026a1931 |
| SHA512 | a3f27ae89b0270039544bb6bd282cd4bdf674b29b108bfd1a220c6579dddcb381e8e80a3bde47676c6a949d00153ce90b76c6d95d2a7accb6cce52ede040d8a3 |
C:\Windows\System\hzutVqL.exe
| MD5 | e5ffcd1a7afc0c62c9ee132fd74e9ce2 |
| SHA1 | 0bf0522fb0a1b57d98148a6a79eb1ab913c779cc |
| SHA256 | 95e950d077fc6dc41cffb776096a71155ab451efe9d628ba82d51297eabb059b |
| SHA512 | 728abaf09fd6f33453eb99729fbf51af4795ba264013a9c8db00c380411ab0d11705defd34b056abf385d5f783b738c29051b8b9c5063ecb8882f15f1403a93b |
memory/3316-39-0x00007FF67CFD0000-0x00007FF67D321000-memory.dmp
C:\Windows\System\lPiJhfb.exe
| MD5 | 6047c1da5c9e818399a1baac814012a8 |
| SHA1 | ee229501579a4e3195ca70c607318d1746a87358 |
| SHA256 | 2761912ed5ad9a3264033274ad68f4a341357aa778a305c84014d3cc3ef79604 |
| SHA512 | c841cd6f124de003e405bc2c94037d6a7ab81b328fc51dbd6e4b482ee116bad642e94fe6d3accb58ed444eedfe083d6bf2f2b1957130c6dc217a2a8f12073155 |
memory/3000-60-0x00007FF7B8BD0000-0x00007FF7B8F21000-memory.dmp
memory/1876-62-0x00007FF708E10000-0x00007FF709161000-memory.dmp
C:\Windows\System\OpesDuH.exe
| MD5 | cd928bb41133664d21c5e834ffff4043 |
| SHA1 | d67bdacb77ad3093183eafd394e5742c519a599c |
| SHA256 | eed9e9dd6fbb453dbb7388650b1b7a5292adea80b487b4f47727f92db4a2dbaa |
| SHA512 | bd61f986dc917fdd0f39d96183ef9187248873ec6bf58b1648b289c0629b50ac43c61fa4dd058b211844b036663472a9436631ce1c92ad8e1bc7a11a6830840b |
C:\Windows\System\sLAMOpg.exe
| MD5 | aa43aacce55a02fe0a1cedb19412bad8 |
| SHA1 | 8b31b9333f7ee028cfd8760af07940579bbdf6f1 |
| SHA256 | 8e4544837ef67e86e2aa9cd8fa53e633fc5365fc462fedfc9eb21911714696c9 |
| SHA512 | 6827d19b086d483d13dc61466f97f645d83867c468cd8e17522475dfee5c523ef08e5c726fef09606b93d371bd46d0e3c38376cc25dd51c3d9a1db19ffec9428 |
memory/4700-64-0x00007FF7009F0000-0x00007FF700D41000-memory.dmp
memory/5060-63-0x00007FF6E8050000-0x00007FF6E83A1000-memory.dmp
memory/3828-61-0x00007FF73D790000-0x00007FF73DAE1000-memory.dmp
C:\Windows\System\elWNuBD.exe
| MD5 | 187e559809525051c68a959905846632 |
| SHA1 | d238f3d9a1f5c5cc4e1178ef48e0ed75d0e97c19 |
| SHA256 | e98e60f20c5a73c1fa5809b1d89326d80f1038db10caefe8ed2ac9cea7dfa832 |
| SHA512 | b32f15b19838bdacdd039291671867d1c0e3afd4648ab05caff63b5d21205c7ad1ca6735b937ad8b51e3ce04271549784071eb7444ae2a2697831e34509eec97 |
memory/3220-50-0x00007FF6B7FD0000-0x00007FF6B8321000-memory.dmp
C:\Windows\System\ctpHZxL.exe
| MD5 | 3d4a989ae72b37062799a4201c434c47 |
| SHA1 | 8835dfb94be51fef63100274c9fb04ef7a16ff87 |
| SHA256 | 84769a269b6e29f9f31d64f1865ab5ba899429aa819648b33dbabe12e7b2fd3d |
| SHA512 | b275d9d32b1c3aa399a46ed5ef80affc7a0f8c0a74f6f822211f963734181be681b447f61e2fa5196f9d51f5840667a8cc78e14fd0c619fd490eb8b44e791baa |
C:\Windows\System\TSZsKQA.exe
| MD5 | f0e13f056b68a3f7f1ca3ce5eecd8277 |
| SHA1 | dc6cb4aa2e74b9f2827d04104772e3aa31a3a311 |
| SHA256 | 74b029d2419df53939fd338dacc17ad8087c91bfe96f0b7a1c0adbf5bd901f14 |
| SHA512 | 72239fb36ac081d548423a64a47d189aa978301c02c664dc59a1507c1790e5d8f834a2ee66773fd4b2bdf1c86216bc668d84312eb585163bff955c77dc6bda0d |
memory/1532-27-0x00007FF6269F0000-0x00007FF626D41000-memory.dmp
memory/1680-24-0x00007FF695490000-0x00007FF6957E1000-memory.dmp
memory/1484-14-0x00007FF63F220000-0x00007FF63F571000-memory.dmp
memory/4528-6-0x00007FF6C9830000-0x00007FF6C9B81000-memory.dmp
C:\Windows\System\sQHMBya.exe
| MD5 | 46afdf19369fb9945efb88b75a9fbc24 |
| SHA1 | 11034b5da14b617f856b8412c916074154731db2 |
| SHA256 | 262adce2acae2caa379e71df50f14af961cb27209b7987b2b7d26baa4f3fed8e |
| SHA512 | 77653341bfa62a5236ac69714679ce46b8464ba34d28e80f20a2c4ff7e5082af66d931f73289ac125db438b074997c0eebedd55db87156e1e1e5f9eb601ac6a8 |
C:\Windows\System\CfnIxGa.exe
| MD5 | 29aafe434109ae374ffe92888d0dd610 |
| SHA1 | 8c31e5d3298065ca25d72369275409c75b724f90 |
| SHA256 | 32e50780e5d9da8ae058cedffa88f48690a9a291b4079719c59d80f62574f48d |
| SHA512 | e3c336628a1b8dad2ebde9d9e07e8e871165abd5b6531a9db157aa9b62c3ace40b22b16c2fe9fec617c70e48a5a52f390e41e7fde05736614ecf89c23b698482 |
memory/2284-78-0x00007FF6739A0000-0x00007FF673CF1000-memory.dmp
C:\Windows\System\pgSvtGz.exe
| MD5 | 4bb2d0e3dbe0a311ea8a860922703f0a |
| SHA1 | 702b97478ff1e4c83cc4ec432f9ca51f0e0aece7 |
| SHA256 | 1dbafba11e0baa6235af8f87f3a8328ece43659288c19386f3e88e39a93776f8 |
| SHA512 | be11bead6748be1a8d727115e05d02c6c6ce66ac4af57a0c362c362d8bb7361a3cfe60f24bff40d5f9f708a4d20ded9b469acaf4b4fd7a0f11abff949d0b630c |
memory/3608-89-0x00007FF6F0FE0000-0x00007FF6F1331000-memory.dmp
C:\Windows\System\AKeLOff.exe
| MD5 | e7cae8da166f910000ebc8e94eb21b8b |
| SHA1 | e90dd16d57e6ad9cf6060ba53dcb68349f7dde75 |
| SHA256 | 25ed4536f2d1af6fac6ddecc4c7884533468fc178a7f91f4730696e3706e4c81 |
| SHA512 | b92e99f44c71caae6bb1fbd87f61f8405deb794c89d124f8ed88c822f2f5f4e7006f626d47a4fe7ce5c770bd0ea5d1b5bfa6fc5ac21512f88600f45870d29b43 |
memory/3924-84-0x00007FF669A10000-0x00007FF669D61000-memory.dmp
memory/1028-95-0x00007FF720FA0000-0x00007FF7212F1000-memory.dmp
C:\Windows\System\rAfaCEq.exe
| MD5 | a82c9b5b27d19046ee069acab7e8e111 |
| SHA1 | 6ca71219a3da97a9ae0c7c0056c573e83469e469 |
| SHA256 | 0b5ced242173d4145f5084b118e8178b58ecd9a4862b8d1c20686dabc7164053 |
| SHA512 | 149d0539e9232ae896eecdcea159e7f7a6c3cae79f633e97ab2d6ff8f657adf602e90e292d58c43f9772b73c5706a013d9279cf5804a7e41ecae4b614270df5a |
C:\Windows\System\semRLeX.exe
| MD5 | 8f08b0537e14557a73a322b6476246d9 |
| SHA1 | 7db3397375502100fb5a933fc3d156e561b067ea |
| SHA256 | a4ce68bdb051f4e6b3a28c6cdbae497f886bb5c3d03504df7cab61491d1b4502 |
| SHA512 | 6a8cc9cba59cb5e67ce74259f3b767b02b37714c6879a73121f463daea191602894e738dca5a060c85200065bb050488616b698a32e1168eb976ccdfba83ef9f |
memory/4088-101-0x00007FF66C5A0000-0x00007FF66C8F1000-memory.dmp
memory/3968-98-0x00007FF745E50000-0x00007FF7461A1000-memory.dmp
memory/4416-109-0x00007FF7257A0000-0x00007FF725AF1000-memory.dmp
memory/2640-116-0x00007FF64BAA0000-0x00007FF64BDF1000-memory.dmp
memory/624-122-0x00007FF7FD310000-0x00007FF7FD661000-memory.dmp
memory/4508-126-0x00007FF6F0030000-0x00007FF6F0381000-memory.dmp
C:\Windows\System\ADnjmkX.exe
| MD5 | fb65b4e5de88b6a0b864e0d0b8b3973a |
| SHA1 | 8912c8e69e146e6183002c76243e2cfa68670fa6 |
| SHA256 | 6e228deb06d71fdb34b291fb473faaf5bd482ca24ba4354fd743fd914347861e |
| SHA512 | aa7538e384916d8d6d59e29b265ab222980eee38632ad98f456050c476c5bf0519c7e0ea1273a2d108d4cc1aca15b8e2e82daa3e8cd5ecac4c02a26e714367fb |
C:\Windows\System\iFVgjGS.exe
| MD5 | 6fbb3ed4e7eb82204ec74fc066ea6639 |
| SHA1 | e7d4f2e588d98ee60f3d68d6722ce06a7ffc1d1e |
| SHA256 | dc88b937c08d90ae6b74de0dd0a5037439329396fa72bb2e7977ae238af6f5f4 |
| SHA512 | c4a54a152a06994c51a19e1ca418d4b7cc5ef5bff9c0d23f7a77c77511ec1520472a8ce2cfd67d9ad5ebebb292a8f4b239f8bf58bcf7ddf0859bf84f3a2e529a |
C:\Windows\System\PZDhaty.exe
| MD5 | 17a79e6abf93fecaccd9eb8268fb3a01 |
| SHA1 | 4619d4fbe3180ac335341402fcafbf93e466e01b |
| SHA256 | 790ed8a9468c41ff1344f9110ed5d6ee2ee9dbe3e7feaab259ad98faf7dd1255 |
| SHA512 | 34e7d7c0c810ba913fe16b5ee389bd8442a858d1e8fe395b5d8674ad5827159b93ad303d982479b3385d24376637b1828c4a32f9f5c671b017f9e536eb6d6fa1 |
memory/3220-128-0x00007FF6B7FD0000-0x00007FF6B8321000-memory.dmp
memory/3316-127-0x00007FF67CFD0000-0x00007FF67D321000-memory.dmp
memory/1532-125-0x00007FF6269F0000-0x00007FF626D41000-memory.dmp
memory/1680-124-0x00007FF695490000-0x00007FF6957E1000-memory.dmp
memory/1484-123-0x00007FF63F220000-0x00007FF63F571000-memory.dmp
memory/4572-120-0x00007FF686700000-0x00007FF686A51000-memory.dmp
C:\Windows\System\LZtmuod.exe
| MD5 | 31ed77359378d33115ecbd6f88313cca |
| SHA1 | 321950704e6677b10cc5ed3f2a8dbd3c15c27878 |
| SHA256 | bcb341c038a260723b11a2bb077b006a4f07b2bcb77f8592f2693d23a061d42e |
| SHA512 | d4b85b809830bc708318b6fbd5ff20ee78a66fe034557014bd1dfbd9706993504c11308e24818d3c8e802e945ddb2a94ce89530215fc677615b8f2896fccd310 |
memory/4528-115-0x00007FF6C9830000-0x00007FF6C9B81000-memory.dmp
memory/3828-146-0x00007FF73D790000-0x00007FF73DAE1000-memory.dmp
memory/2284-147-0x00007FF6739A0000-0x00007FF673CF1000-memory.dmp
memory/4700-145-0x00007FF7009F0000-0x00007FF700D41000-memory.dmp
memory/3968-135-0x00007FF745E50000-0x00007FF7461A1000-memory.dmp
memory/4572-153-0x00007FF686700000-0x00007FF686A51000-memory.dmp
memory/2640-155-0x00007FF64BAA0000-0x00007FF64BDF1000-memory.dmp
memory/4508-156-0x00007FF6F0030000-0x00007FF6F0381000-memory.dmp
memory/624-154-0x00007FF7FD310000-0x00007FF7FD661000-memory.dmp
memory/4416-152-0x00007FF7257A0000-0x00007FF725AF1000-memory.dmp
memory/1028-151-0x00007FF720FA0000-0x00007FF7212F1000-memory.dmp
memory/4088-150-0x00007FF66C5A0000-0x00007FF66C8F1000-memory.dmp
memory/3924-148-0x00007FF669A10000-0x00007FF669D61000-memory.dmp
memory/3968-157-0x00007FF745E50000-0x00007FF7461A1000-memory.dmp
memory/4528-215-0x00007FF6C9830000-0x00007FF6C9B81000-memory.dmp
memory/1484-217-0x00007FF63F220000-0x00007FF63F571000-memory.dmp
memory/1680-219-0x00007FF695490000-0x00007FF6957E1000-memory.dmp
memory/1532-221-0x00007FF6269F0000-0x00007FF626D41000-memory.dmp
memory/3316-223-0x00007FF67CFD0000-0x00007FF67D321000-memory.dmp
memory/5060-226-0x00007FF6E8050000-0x00007FF6E83A1000-memory.dmp
memory/1876-231-0x00007FF708E10000-0x00007FF709161000-memory.dmp
memory/3220-230-0x00007FF6B7FD0000-0x00007FF6B8321000-memory.dmp
memory/3000-228-0x00007FF7B8BD0000-0x00007FF7B8F21000-memory.dmp
memory/4700-233-0x00007FF7009F0000-0x00007FF700D41000-memory.dmp
memory/3828-235-0x00007FF73D790000-0x00007FF73DAE1000-memory.dmp
memory/3608-245-0x00007FF6F0FE0000-0x00007FF6F1331000-memory.dmp
memory/2284-247-0x00007FF6739A0000-0x00007FF673CF1000-memory.dmp
memory/4088-250-0x00007FF66C5A0000-0x00007FF66C8F1000-memory.dmp
memory/3924-251-0x00007FF669A10000-0x00007FF669D61000-memory.dmp
memory/4572-256-0x00007FF686700000-0x00007FF686A51000-memory.dmp
memory/4416-259-0x00007FF7257A0000-0x00007FF725AF1000-memory.dmp
memory/1028-260-0x00007FF720FA0000-0x00007FF7212F1000-memory.dmp
memory/624-255-0x00007FF7FD310000-0x00007FF7FD661000-memory.dmp
memory/4508-263-0x00007FF6F0030000-0x00007FF6F0381000-memory.dmp
memory/2640-264-0x00007FF64BAA0000-0x00007FF64BDF1000-memory.dmp