Analysis Overview
SHA256
2b2b37fe4f08e1f66f92b43439ff953bd8649984bd03abfec5f015f9a56372e7
Threat Level: Known bad
The file 2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
xmrig
Cobaltstrike
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-08-13 11:52
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 11:52
Reported
2024-08-13 11:55
Platform
win7-20240729-en
Max time kernel
140s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\FrlcZig.exe | N/A |
| N/A | N/A | C:\Windows\System\rFUhTtV.exe | N/A |
| N/A | N/A | C:\Windows\System\hcaGbrm.exe | N/A |
| N/A | N/A | C:\Windows\System\YEoNTRJ.exe | N/A |
| N/A | N/A | C:\Windows\System\SPaRWzM.exe | N/A |
| N/A | N/A | C:\Windows\System\DiHhCJc.exe | N/A |
| N/A | N/A | C:\Windows\System\AqqYsYh.exe | N/A |
| N/A | N/A | C:\Windows\System\zfkKZeq.exe | N/A |
| N/A | N/A | C:\Windows\System\FqJlPyi.exe | N/A |
| N/A | N/A | C:\Windows\System\dxDyjSH.exe | N/A |
| N/A | N/A | C:\Windows\System\PuxTHjd.exe | N/A |
| N/A | N/A | C:\Windows\System\MTDUmYF.exe | N/A |
| N/A | N/A | C:\Windows\System\negLpRC.exe | N/A |
| N/A | N/A | C:\Windows\System\BPDJTBH.exe | N/A |
| N/A | N/A | C:\Windows\System\gMTpWeH.exe | N/A |
| N/A | N/A | C:\Windows\System\ZWSDSYj.exe | N/A |
| N/A | N/A | C:\Windows\System\pKllESA.exe | N/A |
| N/A | N/A | C:\Windows\System\rjpMsfB.exe | N/A |
| N/A | N/A | C:\Windows\System\cFJBxpv.exe | N/A |
| N/A | N/A | C:\Windows\System\SlymYIi.exe | N/A |
| N/A | N/A | C:\Windows\System\fMXMWmA.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\FrlcZig.exe
C:\Windows\System\rFUhTtV.exe
C:\Windows\System\hcaGbrm.exe
C:\Windows\System\YEoNTRJ.exe
C:\Windows\System\SPaRWzM.exe
C:\Windows\System\DiHhCJc.exe
C:\Windows\System\AqqYsYh.exe
C:\Windows\System\zfkKZeq.exe
C:\Windows\System\FqJlPyi.exe
C:\Windows\System\dxDyjSH.exe
C:\Windows\System\PuxTHjd.exe
C:\Windows\System\MTDUmYF.exe
C:\Windows\System\negLpRC.exe
C:\Windows\System\BPDJTBH.exe
C:\Windows\System\gMTpWeH.exe
C:\Windows\System\ZWSDSYj.exe
C:\Windows\System\pKllESA.exe
C:\Windows\System\rjpMsfB.exe
C:\Windows\System\cFJBxpv.exe
C:\Windows\System\SlymYIi.exe
C:\Windows\System\fMXMWmA.exe
Network
| Country | Destination | Domain | Proto | Count |
| DE | 3.120.209.58:8080 | N/A | tcp | 6 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 11:52
Reported
2024-08-13 11:55
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\JcFIkJY.exe | N/A |
| N/A | N/A | C:\Windows\System\EwNpWcK.exe | N/A |
| N/A | N/A | C:\Windows\System\IMBtsBp.exe | N/A |
| N/A | N/A | C:\Windows\System\GERYotu.exe | N/A |
| N/A | N/A | C:\Windows\System\FAlVQqo.exe | N/A |
| N/A | N/A | C:\Windows\System\qqXMrgP.exe | N/A |
| N/A | N/A | C:\Windows\System\SmWGWhL.exe | N/A |
| N/A | N/A | C:\Windows\System\KTnIkOi.exe | N/A |
| N/A | N/A | C:\Windows\System\HSJAvQk.exe | N/A |
| N/A | N/A | C:\Windows\System\pgUGsek.exe | N/A |
| N/A | N/A | C:\Windows\System\lFdsueY.exe | N/A |
| N/A | N/A | C:\Windows\System\MtzKSHn.exe | N/A |
| N/A | N/A | C:\Windows\System\umEXRWo.exe | N/A |
| N/A | N/A | C:\Windows\System\dVInZgV.exe | N/A |
| N/A | N/A | C:\Windows\System\fsEmStr.exe | N/A |
| N/A | N/A | C:\Windows\System\iuHHZIe.exe | N/A |
| N/A | N/A | C:\Windows\System\GLyUanf.exe | N/A |
| N/A | N/A | C:\Windows\System\ogUMADG.exe | N/A |
| N/A | N/A | C:\Windows\System\VmJNoHU.exe | N/A |
| N/A | N/A | C:\Windows\System\hVgQUNe.exe | N/A |
| N/A | N/A | C:\Windows\System\qFfbWpR.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-13_7b0e3445d4e02a082a9786922b8701c2_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\JcFIkJY.exe
C:\Windows\System\EwNpWcK.exe
C:\Windows\System\IMBtsBp.exe
C:\Windows\System\GERYotu.exe
C:\Windows\System\qqXMrgP.exe
C:\Windows\System\FAlVQqo.exe
C:\Windows\System\KTnIkOi.exe
C:\Windows\System\SmWGWhL.exe
C:\Windows\System\HSJAvQk.exe
C:\Windows\System\pgUGsek.exe
C:\Windows\System\lFdsueY.exe
C:\Windows\System\MtzKSHn.exe
C:\Windows\System\umEXRWo.exe
C:\Windows\System\dVInZgV.exe
C:\Windows\System\fsEmStr.exe
C:\Windows\System\iuHHZIe.exe
C:\Windows\System\GLyUanf.exe
C:\Windows\System\ogUMADG.exe
C:\Windows\System\VmJNoHU.exe
C:\Windows\System\hVgQUNe.exe
C:\Windows\System\qFfbWpR.exe
Network
| Country | Destination | Domain | Proto | Count |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp | 1 |
| DE | 3.120.209.58:8080 | N/A | tcp | 6 |
| US | 8.8.8.8:53 | g.bing.com | udp | 1 |
| US | 204.79.197.237:443 | g.bing.com | tcp | 1 |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 83.177.190.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp | 1 |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp | 5 |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp | 1 |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp | 1 |
| SHA512 | 549f9386e3e6aff6c2a98f34011ed6fa80e77d725a75b4d6593950d664c0971faf4504f193eb2559e807d1e9200247dc8895ebe8e9ee38fedf3a25777a617011 |
C:\Windows\System\qFfbWpR.exe
| MD5 | f4b0aa068edbeb6faefd1d810a32e770 |
| SHA1 | 9e58a57b2f5dce2a6c18b4d236b7fa48e386bade |
| SHA256 | f9b21c3c148c731d4c1fa9335552ae5d710300e9780a702afd114bdff4952b46 |
| SHA512 | bc85c2de8665e071279b4dc74f40a3d11c1f3c7ef6be6a9a21d4c52f6c0e362f1e8ce0a48607449b9e469d16dc5a346fc533eb511aa2230f5ac3d1a638b86de1 |
C:\Windows\System\hVgQUNe.exe
| MD5 | bbad2f7a3350055ddde5f106420aa153 |
| SHA1 | 869f5b8dd660b0876e2ac7c5c54248f300b29230 |
| SHA256 | 13713216c32aa60c2c00ec645c5fbbe72665e03dfddf95d535aafee5e90ca122 |
| SHA512 | 085018a4659ef2dcaa268b93fcd545526080c394d68a8353bc711ce99fadcf856a684dd5966e066501b2e1caa1778473bdb703d0cd0109988f4ef2f213f265eb |
memory/3576-118-0x00007FF75CA30000-0x00007FF75CD81000-memory.dmp
memory/4856-115-0x00007FF7E1AC0000-0x00007FF7E1E11000-memory.dmp
memory/844-114-0x00007FF661130000-0x00007FF661481000-memory.dmp
C:\Windows\System\ogUMADG.exe
| MD5 | 8e2767cfb9742b86bb3032311d2a0398 |
| SHA1 | a0cce5df80fefe66a3322799ee4c3c1c931f859e |
| SHA256 | cac5f3fca28164b215e7e5042d7e1d8a0ad114fa78de4745d0a1e8dab20a8a4f |
| SHA512 | 5444c26caea28c9c078760e616d2836b20c89ba21737e1217670d6ee6f3f0bca86b97a7ccaa4745cac700fe962ce151ad918e9114392d4b7ca32740b5209bbf6 |
C:\Windows\System\GLyUanf.exe
| MD5 | b225aba1c864e7c391ec5ee098a0db97 |
| SHA1 | 0393fa26ee2e8cfd8958c5ed457e9b55ad0d9d69 |
| SHA256 | 01bacaa91632582ab104836a3148bc022d70394018c19ac9d5f78e7bc5ddf686 |
| SHA512 | 29bec3ebc620d2e61fd8013a1e74eb1b1188b715d33ca9e33ec0001048aa72b88cb2ed3e422e5cb2f1c8700387f9f497cec1ad05a5bbeb92e90acc8b563c2b1a |
memory/2624-98-0x00007FF693620000-0x00007FF693971000-memory.dmp
memory/1872-81-0x00007FF711AC0000-0x00007FF711E11000-memory.dmp
memory/1968-80-0x00007FF671DE0000-0x00007FF672131000-memory.dmp
memory/5000-126-0x00007FF681CE0000-0x00007FF682031000-memory.dmp
memory/4764-127-0x00007FF7C0B00000-0x00007FF7C0E51000-memory.dmp
memory/1392-128-0x00007FF60FA70000-0x00007FF60FDC1000-memory.dmp
memory/1092-129-0x00007FF73B550000-0x00007FF73B8A1000-memory.dmp
memory/936-130-0x00007FF7BC360000-0x00007FF7BC6B1000-memory.dmp
memory/1076-131-0x00007FF6AE2E0000-0x00007FF6AE631000-memory.dmp
memory/4804-132-0x00007FF724310000-0x00007FF724661000-memory.dmp
memory/5056-141-0x00007FF6CE170000-0x00007FF6CE4C1000-memory.dmp
memory/3284-142-0x00007FF67E100000-0x00007FF67E451000-memory.dmp
memory/2624-147-0x00007FF693620000-0x00007FF693971000-memory.dmp
memory/844-148-0x00007FF661130000-0x00007FF661481000-memory.dmp
memory/4856-150-0x00007FF7E1AC0000-0x00007FF7E1E11000-memory.dmp
memory/5036-146-0x00007FF7C8C40000-0x00007FF7C8F91000-memory.dmp
memory/1872-145-0x00007FF711AC0000-0x00007FF711E11000-memory.dmp
memory/4804-154-0x00007FF724310000-0x00007FF724661000-memory.dmp
memory/2256-199-0x00007FF6DF650000-0x00007FF6DF9A1000-memory.dmp
memory/4008-208-0x00007FF6E63D0000-0x00007FF6E6721000-memory.dmp
memory/1412-215-0x00007FF61C9A0000-0x00007FF61CCF1000-memory.dmp
memory/552-217-0x00007FF600690000-0x00007FF6009E1000-memory.dmp
memory/464-219-0x00007FF78A6A0000-0x00007FF78A9F1000-memory.dmp
memory/5000-221-0x00007FF681CE0000-0x00007FF682031000-memory.dmp
memory/1076-223-0x00007FF6AE2E0000-0x00007FF6AE631000-memory.dmp
memory/3712-231-0x00007FF7646A0000-0x00007FF7649F1000-memory.dmp
memory/5056-229-0x00007FF6CE170000-0x00007FF6CE4C1000-memory.dmp
memory/936-226-0x00007FF7BC360000-0x00007FF7BC6B1000-memory.dmp
memory/3284-228-0x00007FF67E100000-0x00007FF67E451000-memory.dmp
memory/1968-233-0x00007FF671DE0000-0x00007FF672131000-memory.dmp
memory/1872-235-0x00007FF711AC0000-0x00007FF711E11000-memory.dmp
memory/5036-237-0x00007FF7C8C40000-0x00007FF7C8F91000-memory.dmp
memory/2624-239-0x00007FF693620000-0x00007FF693971000-memory.dmp
memory/844-241-0x00007FF661130000-0x00007FF661481000-memory.dmp
memory/3576-243-0x00007FF75CA30000-0x00007FF75CD81000-memory.dmp
memory/1092-249-0x00007FF73B550000-0x00007FF73B8A1000-memory.dmp
memory/4764-246-0x00007FF7C0B00000-0x00007FF7C0E51000-memory.dmp
memory/1392-251-0x00007FF60FA70000-0x00007FF60FDC1000-memory.dmp
memory/4856-248-0x00007FF7E1AC0000-0x00007FF7E1E11000-memory.dmp