Analysis Overview
SHA256
aaeb92e3ec269fdda5b3500930acf618f19bf5d79489239a5be1abb5efc7ffc7
Threat Level: Known bad
The file 2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
xmrig
Cobaltstrike family
XMRig Miner payload
Xmrig family
Cobalt Strike reflective loader
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-06 11:59
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 11:59
Reported
2024-08-06 12:02
Platform
win7-20240708-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\kwlXzWj.exe | N/A |
| N/A | N/A | C:\Windows\System\IOBxvwE.exe | N/A |
| N/A | N/A | C:\Windows\System\SExJQGX.exe | N/A |
| N/A | N/A | C:\Windows\System\MIsNPbg.exe | N/A |
| N/A | N/A | C:\Windows\System\SnmwhRs.exe | N/A |
| N/A | N/A | C:\Windows\System\SFZrIAU.exe | N/A |
| N/A | N/A | C:\Windows\System\VKtGsdZ.exe | N/A |
| N/A | N/A | C:\Windows\System\fofhzGr.exe | N/A |
| N/A | N/A | C:\Windows\System\jsaEjPm.exe | N/A |
| N/A | N/A | C:\Windows\System\txOUaLf.exe | N/A |
| N/A | N/A | C:\Windows\System\sRxnPHw.exe | N/A |
| N/A | N/A | C:\Windows\System\FctkfEU.exe | N/A |
| N/A | N/A | C:\Windows\System\WcgnomB.exe | N/A |
| N/A | N/A | C:\Windows\System\SyoFojA.exe | N/A |
| N/A | N/A | C:\Windows\System\RukXppH.exe | N/A |
| N/A | N/A | C:\Windows\System\RMJkBih.exe | N/A |
| N/A | N/A | C:\Windows\System\eOMHEWB.exe | N/A |
| N/A | N/A | C:\Windows\System\txdRAcD.exe | N/A |
| N/A | N/A | C:\Windows\System\obMTmDS.exe | N/A |
| N/A | N/A | C:\Windows\System\YkRVgAK.exe | N/A |
| N/A | N/A | C:\Windows\System\BeitdUX.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\kwlXzWj.exe
C:\Windows\System\kwlXzWj.exe
C:\Windows\System\IOBxvwE.exe
C:\Windows\System\IOBxvwE.exe
C:\Windows\System\MIsNPbg.exe
C:\Windows\System\MIsNPbg.exe
C:\Windows\System\SExJQGX.exe
C:\Windows\System\SExJQGX.exe
C:\Windows\System\SnmwhRs.exe
C:\Windows\System\SnmwhRs.exe
C:\Windows\System\SFZrIAU.exe
C:\Windows\System\SFZrIAU.exe
C:\Windows\System\VKtGsdZ.exe
C:\Windows\System\VKtGsdZ.exe
C:\Windows\System\fofhzGr.exe
C:\Windows\System\fofhzGr.exe
C:\Windows\System\jsaEjPm.exe
C:\Windows\System\jsaEjPm.exe
C:\Windows\System\txOUaLf.exe
C:\Windows\System\txOUaLf.exe
C:\Windows\System\sRxnPHw.exe
C:\Windows\System\sRxnPHw.exe
C:\Windows\System\FctkfEU.exe
C:\Windows\System\FctkfEU.exe
C:\Windows\System\WcgnomB.exe
C:\Windows\System\WcgnomB.exe
C:\Windows\System\SyoFojA.exe
C:\Windows\System\SyoFojA.exe
C:\Windows\System\RukXppH.exe
C:\Windows\System\RukXppH.exe
C:\Windows\System\RMJkBih.exe
C:\Windows\System\RMJkBih.exe
C:\Windows\System\eOMHEWB.exe
C:\Windows\System\eOMHEWB.exe
C:\Windows\System\txdRAcD.exe
C:\Windows\System\txdRAcD.exe
C:\Windows\System\obMTmDS.exe
C:\Windows\System\obMTmDS.exe
C:\Windows\System\YkRVgAK.exe
C:\Windows\System\YkRVgAK.exe
C:\Windows\System\BeitdUX.exe
C:\Windows\System\BeitdUX.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1724-0-0x000000013F310000-0x000000013F664000-memory.dmp
memory/1724-1-0x0000000001B20000-0x0000000001B30000-memory.dmp
\Windows\system\kwlXzWj.exe
| MD5 | b077c63916047bbf834397c4bee18690 |
| SHA1 | 39179b8fbf0fef65ebee8c1bbd32e3ff8bbfe47d |
| SHA256 | c7fb2409546aac0cae678debd97d33b2e6a7db228622e103ec33036d0ea92133 |
| SHA512 | 85b628c96f7b49d238a4a054d33a549fbf0460c36213734cfab8649b3044c60f7084762d92c0e157b2283dba43a6720371186095cd19def3142f9eba2f413b74 |
\Windows\system\SnmwhRs.exe
| MD5 | 6d2842244c407ddd62da1519406a72a3 |
| SHA1 | fb5ac52419866b7ee6ff6c98be7aea1b7c691c84 |
| SHA256 | 785714788992af2946a497b9112fc3237bbb8f26ed7889fa210ba329996a788e |
| SHA512 | 10c7846c920d5b7e3e4d1602cf1affb9ceacfc9575e3d8369a58c71000cb6d34aade63a22c2b24067a8bef61b2405a00cdd4eab55d3095de2de1d7872a0595a1 |
memory/1724-8-0x00000000022A0000-0x00000000025F4000-memory.dmp
\Windows\system\SExJQGX.exe
| MD5 | bcdb0399f3df1a5e54876b55571a1b1e |
| SHA1 | b9a0f838afc0e84cb3b6cad55f26b9f5067e8d2f |
| SHA256 | 8c45f2f4582f8decab5cce37528d590ceaf2f129674830c4b22af8f5bd7327a3 |
| SHA512 | 39eae82aee544888ad8300a48039cb52be2f8e0bc8de0dbba0d4338e84ccf267dd0e13babb347ebc5e57b7da9191b489f699ce2c056d1e3d81fb3671cd7d7090 |
memory/2404-12-0x000000013F0D0000-0x000000013F424000-memory.dmp
C:\Windows\system\MIsNPbg.exe
| MD5 | 61374f17c62690acad555dafba6853d1 |
| SHA1 | 8d811092b0416e1ee6822a4ad444ddeccea1691c |
| SHA256 | 65b8e681b14fc870c326643c7c3b5a233d12b56bef228fc5fcb8c9d07526c5ee |
| SHA512 | 40cbd6b0a2e991f333f7e0aaedd15c202eacd933bd8d163e9080fd3c8392baae850996e63dc12cb151c878ea40e8d6251d1fb847b9d9cf3cfefdd8f09ace83c3 |
\Windows\system\IOBxvwE.exe
| MD5 | c9b4c10a7b1395ab884928d05e84d794 |
| SHA1 | 839f1f4100a4b79eb1ea67ce5a034e78f2b41dc0 |
| SHA256 | 72f6d33057ddbc8b40fcc2606f222c06f7270cd3053f983912ff8b030f9facb8 |
| SHA512 | dea7196aef058343aaa7dbc57dbd5935ff269cb0f1f25990e4b93adf1ca3450a4c113fde1e97dda181001d41a4ff6d45bf3f650f749f0eb09935b10f904eba9f |
memory/2068-33-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/1848-36-0x000000013F6F0000-0x000000013FA44000-memory.dmp
\Windows\system\SFZrIAU.exe
| MD5 | d1e62d16277aa8ebb6134f03b1d0d548 |
| SHA1 | 166ee3823c9811f528d26ac899a1732958193ef3 |
| SHA256 | ee53ec5838feb69984875b64796097c6273810c8551155e4bbbf83a665b802c0 |
| SHA512 | 9812767719f0af91df1f483df8128809b846d1ea22cdaaa1eedbed2e7fdaee94775c45d0bcf915a53af178857abca8a64aa077beb8e705f82c437eaa234ea484 |
memory/1724-38-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/1724-35-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/1836-34-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2348-32-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/1724-31-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2788-57-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
\Windows\system\txOUaLf.exe
| MD5 | 0757507c12de75255842e15cf94fdbe6 |
| SHA1 | f030d6a0676a4702b718771ac5031d5eeff2ba48 |
| SHA256 | 4f88934c870198928e78b46eeab057e0027ed4c85e1441c5e3093409031854dc |
| SHA512 | 31f36e81a1223be0e6a23cd2dd15935bf57812e0053bebe97f2f07218765f6cb617bc1646d17eed6161c8a3f274b62878e99067b898033306b8b990deaa20a6e |
memory/2808-72-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
\Windows\system\FctkfEU.exe
| MD5 | a58bb251e72e1c9b3a05a35cf8a61c9c |
| SHA1 | 4fc6001e64e691f5a9461aa107447b578c0c2f4e |
| SHA256 | 9d088691d4fd5a1e38167d0246a88d38b6435aad23e05be0cf2e4ad70dcd752e |
| SHA512 | b86df42bf520be8c186565603e7cccd93a9021029fa6c411fb63d05dcd0308a3afbb8471e4b1a47f94b2635f54ca01da17f89026c50df7f15570644cf722a5db |
memory/3056-85-0x000000013F430000-0x000000013F784000-memory.dmp
C:\Windows\system\SyoFojA.exe
| MD5 | 2753e10624764e4d381bc296f95a56e3 |
| SHA1 | 7f8a2e5e550992d1d4a975e503e6e62336b753c8 |
| SHA256 | 2a49217223a756c37477cea9ecbb21de9c195ba47ec3ccc8b12122fd0121bf48 |
| SHA512 | 2de97f42f4d76b76facc2fde32ff07cbc97cd2a8ba1f386fb6af23475688c38c9b17726a8807ae444a548a957054ec8b980f88ece804a502fd928bed29703acf |
\Windows\system\eOMHEWB.exe
| MD5 | dfc90b15e325138fa3b3f3059b18d4d0 |
| SHA1 | ccaf193ae3e3a6a5bb169919e65f4e0ca2baf395 |
| SHA256 | 3171804cb4c4da1cc6c11b4bf893fea9b0e9fa0c1bb7707c38f9da974266ea6c |
| SHA512 | 9471b6c8f878e070d3252bf43f8a74343aca41aa3736de31da0311a992c6149f90f4046356f7c9e0b625208f14d1e172c241a70b701560c7109d6fcd506c0889 |
C:\Windows\system\RMJkBih.exe
| MD5 | a5f26c48053509f7492d4198cb9ac4b2 |
| SHA1 | 6fde3a3ebfe76648579f6d29c3256fdbdd0d2b46 |
| SHA256 | 566615b6fb26a467c0d82360692c8441612b6de12a16860f206387d2e881561f |
| SHA512 | 459c2cc9bfa850d58ca097092dba1df6a867ef43ee6f524d034a8772981262f81c5ac5f339f38fd74f0c17b9227df3d87115d676b64994fa039d28f2bc2899dc |
\Windows\system\BeitdUX.exe
| MD5 | b611e2ba11240492148efa8d867b1a1f |
| SHA1 | 19d6eed3f58d093c3deff512f1a9e3b9d1437b82 |
| SHA256 | 5bea161cf97ec0b8a3d122c503e203b7f5c751239566a61b061af88e250e00bb |
| SHA512 | 891e76c068e9d7f20768699b0701844703cdba8914c5cbdf305883a41530d4b1fee3a2758ce9ed7bba467edd7c30e4f7625a993f305fbce03d333fbf555c79b4 |
C:\Windows\system\YkRVgAK.exe
| MD5 | 8a979be17ae1336fad4e8f1e9e33d8e6 |
| SHA1 | 312c79f9bf393e126486ff443ef53034d45fffef |
| SHA256 | 573eb71dfdaaa27a7bdd6775a49383e778639fae3ccc15d5001f66b87690f53d |
| SHA512 | 32d05f54da7243ab95e56ffcf0f3eb2d7757a6045e404d1223dfec2d55ba985f41fe31380ba5cf1e020a82add7ce9571c439a55db00a0608ace1963d32cbe75e |
C:\Windows\system\obMTmDS.exe
| MD5 | 68b03f92ddeeb199522aee9a911c9559 |
| SHA1 | 3c0960231ef993d1f8e3da6b64b42502bc2a102d |
| SHA256 | 335d1b151caba25f5edcd457c72ccaf5a70b7cc73e4d2e98e902e475be8eed84 |
| SHA512 | fe24d46bba2edb254c4ead8fed6b1f2f1c36619f642b9f41eab3905e2b953700a9e326e2b703929227e4d92d445130a49a6857f97ce19d6734c652cd23d20f7b |
C:\Windows\system\txdRAcD.exe
| MD5 | d5bc41d227d93a5fd4be107ceb9bda65 |
| SHA1 | 0b0712b6b3e5b27f4304528565208a8978d05ca1 |
| SHA256 | 38b3191e57ca2d4fcecd3637acd3f0f4ae062a6dacc3bd8de748b7183f7db227 |
| SHA512 | c920f5e226a632f0a0c510ac362e078e5300c9399f6d28d886e4f70b53a344fab86d60fe63ab90e1fb9aca26cf68d2725a58d0249eb264829577d5c2a418cb74 |
C:\Windows\system\RukXppH.exe
| MD5 | 8d0a30237663b29002c29aabe3a73af1 |
| SHA1 | 42a79da21426aef4b0161fbaf683e0ff406d00fd |
| SHA256 | 81bd9744563a71a287cfc9be16091cc167b4446972de07ff485bec4b943ffdae |
| SHA512 | d91ff480eba000a942a671200b16601462f6e8072ff8909a998d9b27472890cdea391bb281d32752e5c81f4fee66548e61f490e3acf4049f5716d4b1cc2bdb6d |
memory/1724-101-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/1648-100-0x000000013F020000-0x000000013F374000-memory.dmp
memory/1724-99-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/1808-92-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/1724-91-0x000000013FFF0000-0x0000000140344000-memory.dmp
C:\Windows\system\WcgnomB.exe
| MD5 | 82f6c343180dbea581bfd185c59eebd5 |
| SHA1 | e2d08b7971932111a8564c6ad9e50c992e4d5a28 |
| SHA256 | 77acc30979e07ca6e2f6d049ecd9fe9351c49195b432e5ce231aa088ad493f77 |
| SHA512 | 871f4fe3e3aa7e6639e52cad0adb02b861ca9de3462db5214fa0b229314e4ba798644d2bcb828372e0befc5659d6c688e18fac81c9d41363b95c1d4abae7a6af |
memory/1724-80-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/2684-79-0x000000013F330000-0x000000013F684000-memory.dmp
memory/1724-71-0x000000013F310000-0x000000013F664000-memory.dmp
memory/1724-66-0x00000000022A0000-0x00000000025F4000-memory.dmp
C:\Windows\system\sRxnPHw.exe
| MD5 | 7b7df619ce4dd6019233698960e47682 |
| SHA1 | 6ffb67ed7fa6b168b5c47beee3081b167155ef9b |
| SHA256 | 8b3167f583e2ed3cc8a69dd98a4079f3170c8b12e82e7e2dbaf2411e17eb2e4c |
| SHA512 | 3b42d4d3fa855d06d757fb8deaa19aff84ba5cba9367bd7293f7fc3dce51384bfad2e1e3c0d0fcc1d926a89a547e4d730a847aaa301206e1aed6a1fd6013bb03 |
memory/1956-64-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/1724-63-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/1724-56-0x00000000022A0000-0x00000000025F4000-memory.dmp
C:\Windows\system\jsaEjPm.exe
| MD5 | 4c3ce5c051f6a7cf9353a50fd74f4b1e |
| SHA1 | b5044c4b830481e9f5932eff1dc7b47497a4ca80 |
| SHA256 | 9985d7b50a5e76421c12a8ca85fc7d78cde70ec60ae0ba3007bb697846021ec7 |
| SHA512 | 85696273fc4fc52306cf9aac63c8964eb8d787d8d61ec3dcd7a145673e7368b620938acd7dc3becf7f7f80e5a2e99f2df7e2a8fa2b440c418e6d2d8a197a72ec |
C:\Windows\system\fofhzGr.exe
| MD5 | e0c7f9e02073c1d0928daaa71dde9f72 |
| SHA1 | d98fbcad3b36bd0a49f87dc69b9a6491f3220986 |
| SHA256 | db652b160ba3e24c1eda60a9ccd6631e78019f9dd59ff8a302828c5b4d199024 |
| SHA512 | 1f2e0ec5365e0e28a53f8ad5baed7c1bdbd57f65e4f4df5465848bb4a87177fa9a6a79c4de18ae41a3a6254010e7410f09918b5a25dc9d383c6ddb356453e666 |
memory/2984-43-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/2176-50-0x000000013F020000-0x000000013F374000-memory.dmp
memory/1724-49-0x00000000022A0000-0x00000000025F4000-memory.dmp
C:\Windows\system\VKtGsdZ.exe
| MD5 | 5aa3f82d0219a87fc831c877499a92b0 |
| SHA1 | cbe831acd878b2cc8e8b84206719e41cfd3d8875 |
| SHA256 | f7d2fd505a09869dfa85e14d673ea199754d55fab20fd9171e9531d0f19b01df |
| SHA512 | 5768501840121e8e5c5ec0bd5c1b6290126b8c56cb90ed86430c2407c4fd1f5324893db2fc0a7db4355f8f217eed1a3a5131430c46623de67cbc92fb32bd2ea6 |
memory/1724-30-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/1724-135-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/1724-136-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/2404-137-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/1836-138-0x000000013FA80000-0x000000013FDD4000-memory.dmp
memory/2068-139-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2348-141-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/1848-140-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/2984-142-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/2176-143-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2788-144-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/1956-145-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2808-146-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2684-147-0x000000013F330000-0x000000013F684000-memory.dmp
memory/3056-148-0x000000013F430000-0x000000013F784000-memory.dmp
memory/1808-149-0x000000013FFF0000-0x0000000140344000-memory.dmp
memory/1648-150-0x000000013F020000-0x000000013F374000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 11:59
Reported
2024-08-06 12:02
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ohFCRwU.exe | N/A |
| N/A | N/A | C:\Windows\System\Vxvxxft.exe | N/A |
| N/A | N/A | C:\Windows\System\nzTsgls.exe | N/A |
| N/A | N/A | C:\Windows\System\sEjTlhQ.exe | N/A |
| N/A | N/A | C:\Windows\System\iOjrDrn.exe | N/A |
| N/A | N/A | C:\Windows\System\UODfWio.exe | N/A |
| N/A | N/A | C:\Windows\System\fnqrkLa.exe | N/A |
| N/A | N/A | C:\Windows\System\xvRlwIV.exe | N/A |
| N/A | N/A | C:\Windows\System\ddZTXpo.exe | N/A |
| N/A | N/A | C:\Windows\System\FYXdjQI.exe | N/A |
| N/A | N/A | C:\Windows\System\OcdMCCr.exe | N/A |
| N/A | N/A | C:\Windows\System\FDpaTmC.exe | N/A |
| N/A | N/A | C:\Windows\System\dkwzQrn.exe | N/A |
| N/A | N/A | C:\Windows\System\vEBkuOX.exe | N/A |
| N/A | N/A | C:\Windows\System\QSVNsEj.exe | N/A |
| N/A | N/A | C:\Windows\System\asxoIRj.exe | N/A |
| N/A | N/A | C:\Windows\System\uPSyarg.exe | N/A |
| N/A | N/A | C:\Windows\System\qCIRIBJ.exe | N/A |
| N/A | N/A | C:\Windows\System\ZAEfcWj.exe | N/A |
| N/A | N/A | C:\Windows\System\nUzycwP.exe | N/A |
| N/A | N/A | C:\Windows\System\NXqQkfo.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_9af25504b4722937c6ab8341f959f322_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\ohFCRwU.exe
C:\Windows\System\ohFCRwU.exe
C:\Windows\System\Vxvxxft.exe
C:\Windows\System\Vxvxxft.exe
C:\Windows\System\nzTsgls.exe
C:\Windows\System\nzTsgls.exe
C:\Windows\System\sEjTlhQ.exe
C:\Windows\System\sEjTlhQ.exe
C:\Windows\System\iOjrDrn.exe
C:\Windows\System\iOjrDrn.exe
C:\Windows\System\UODfWio.exe
C:\Windows\System\UODfWio.exe
C:\Windows\System\fnqrkLa.exe
C:\Windows\System\fnqrkLa.exe
C:\Windows\System\xvRlwIV.exe
C:\Windows\System\xvRlwIV.exe
C:\Windows\System\ddZTXpo.exe
C:\Windows\System\ddZTXpo.exe
C:\Windows\System\FYXdjQI.exe
C:\Windows\System\FYXdjQI.exe
C:\Windows\System\OcdMCCr.exe
C:\Windows\System\OcdMCCr.exe
C:\Windows\System\FDpaTmC.exe
C:\Windows\System\FDpaTmC.exe
C:\Windows\System\dkwzQrn.exe
C:\Windows\System\dkwzQrn.exe
C:\Windows\System\vEBkuOX.exe
C:\Windows\System\vEBkuOX.exe
C:\Windows\System\QSVNsEj.exe
C:\Windows\System\QSVNsEj.exe
C:\Windows\System\asxoIRj.exe
C:\Windows\System\asxoIRj.exe
C:\Windows\System\uPSyarg.exe
C:\Windows\System\uPSyarg.exe
C:\Windows\System\qCIRIBJ.exe
C:\Windows\System\qCIRIBJ.exe
C:\Windows\System\ZAEfcWj.exe
C:\Windows\System\ZAEfcWj.exe
C:\Windows\System\nUzycwP.exe
C:\Windows\System\nUzycwP.exe
C:\Windows\System\NXqQkfo.exe
C:\Windows\System\NXqQkfo.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4560-0-0x00007FF6A1E30000-0x00007FF6A2184000-memory.dmp
memory/4560-1-0x000001DF9D340000-0x000001DF9D350000-memory.dmp
C:\Windows\System\ohFCRwU.exe
| MD5 | 9242d7334153eeacfa5ddf0165e41e83 |
| SHA1 | ed3dc1f0f7f68ccb00a8c672c15fd3e00c942ebd |
| SHA256 | 2d18930236b0df202c6e01586c37869bac9d6f278dd3dcbad4e309b95beb67c4 |
| SHA512 | 8910d021811bc890ac127fd2a7d79f0cc1c301e7879e5cb99528bedfd0c7f1aa350edfa051861084a111eadc0b9f7c851c491a5776c38de8b24f23c655052a79 |
memory/1508-6-0x00007FF6BDD30000-0x00007FF6BE084000-memory.dmp
C:\Windows\System\nzTsgls.exe
| MD5 | 236be2cef6cc50f6a9d011c981399f6c |
| SHA1 | e69150fdfd004c55d848bc5453b329b9736c0314 |
| SHA256 | 47ba7c8918fd4f0b54a60bdf00e54629141fb73734b0e1adfd54c8e998bca042 |
| SHA512 | 19072c0a36144f2f6236776461a25906ac5322ee0ee7bbc82eee2c9c3b746d3fd048be47b61bb3c5efd8b426f392d9435afbb3ad21937120218dd73612047864 |
C:\Windows\System\Vxvxxft.exe
| MD5 | 47e6bf1ff77518216c264bd016aa0075 |
| SHA1 | 6f7d852ec0a640be905cf5685554c8e1635895cd |
| SHA256 | 5a56269e2bd48ae5062f5d8f5d247631dd9d83f01826e970da927855bc9c3421 |
| SHA512 | e51574914e1d30217067c25acaf5b8161de45f41f99fc98f16bd191ce773e1ce579798c89ef8f653b352845f3db5782b86aae15a85ee88f83c99e69987cc6863 |
memory/1308-14-0x00007FF7B20E0000-0x00007FF7B2434000-memory.dmp
memory/3016-20-0x00007FF77EED0000-0x00007FF77F224000-memory.dmp
C:\Windows\System\sEjTlhQ.exe
| MD5 | 6b2de3396f11b61a3c00521dcffe3807 |
| SHA1 | 89d0cab4ffac08fec82e488608c0b14c72556f36 |
| SHA256 | c3cf61653a843ab3add70710fe77d6f11c01e4a43409bf08c8f22186238b6740 |
| SHA512 | 720c7054eaf06563d488f0ab10ec34275d05e8291073824c874ab3188da95c4ae5cef20e6b669d1596c35e46a9dc7aba32f9b3a3a11d6fa7a7005595ac87f4d0 |
C:\Windows\System\iOjrDrn.exe
| MD5 | 443eaf10338d31ac8c9638404604533b |
| SHA1 | c7a4942da504f346b6544647b3a6b438aa980d07 |
| SHA256 | 1c88b98d0c0df0c70e5f46968c4793333cd1f2cf2e32e247945dae15c8dc6e6e |
| SHA512 | 0db37dadf07ced148c9566d96e465278313524721039702b24ff0783df9b51f1d47a62e55ffaadc251347cb91df63056a1aedfc202dfa4a25a591b1460260eec |
memory/2220-26-0x00007FF6E30E0000-0x00007FF6E3434000-memory.dmp
C:\Windows\System\UODfWio.exe
| MD5 | 5bd8a8563df95bda5c9b3ec1716ef2c6 |
| SHA1 | 61afc98fa711d0be9e1be07ed38bc22da7a914ef |
| SHA256 | 1c4649974366696642cc5a587baea2a794d0b5196b7e570a4a17754ab3583b2f |
| SHA512 | f31ebf0a8a74cfc99754359daf7da577d05aaf68319f67daa8cc757925c6fe85b433c8378622af81788db7b21c5a01734b8f6f4f436d92fdd1f023197e18b709 |
C:\Windows\System\fnqrkLa.exe
| MD5 | 535129b9d3cc4b502ff4a04fbb360b7c |
| SHA1 | 7e264ccd091b160bae6a30c05ae6170997510f3b |
| SHA256 | 838fb954a5d0093bbe37f39ab215526b738bfa0957eb279b734e781fbb0645fe |
| SHA512 | c18a0484a3a96390e95b99bec1c235633eaed4b022999fad5ae5447f21f30cbaf8c89e2b5167a6b99c87f05f5c0244c785ca4cc43b4a687c9a087aad7fb3b374 |
C:\Windows\System\xvRlwIV.exe
| MD5 | 88310f6835f2c59f2f6b3510d6ee8275 |
| SHA1 | 480a59090443b7d98bf40568dc2d36236dbc42f4 |
| SHA256 | f386996513c5494866ccc52a0104dad0f5f46e973dddc71b7b4a6c7d19ccbba0 |
| SHA512 | 8ea3971bb983b645c9c08f85f318b27717c537dcaeeede1c65b0e6e5588fae90c0d7f857c697d766ceda57e291e0043e7b4bc0c6e9204a47e6b832b2058aeb27 |
C:\Windows\System\FYXdjQI.exe
| MD5 | cbbe942b444b3875b00c44cec614370f |
| SHA1 | 94dfb76ef75294bdbfd7de946823d150c8a96d74 |
| SHA256 | a745e3204d66cf57bd6c294a06dac6c79e92d266da0e595368aa3ba6a0790533 |
| SHA512 | 0de0d630fd13ff016f910a9effb6ec88d040e7386d2b24223252acbdf2bb26395071f2c4a680aa59f4ecd3ea24046f5c38ccdcf7d842f5d36262ead92d8c8c95 |
memory/4796-58-0x00007FF791F90000-0x00007FF7922E4000-memory.dmp
C:\Windows\System\FDpaTmC.exe
| MD5 | 1c9cd85fdca8f64533d451429acb4111 |
| SHA1 | 23db6830c86fa7c934bc836e907afc6211e9cd95 |
| SHA256 | 859dd468d177628e3c47a40984d209807e69830c99084ef17b61e0145979a974 |
| SHA512 | facc28bdf078a88008bed6a490a975413055891d581558ac5796c34bf28435ea40276ccb8cc5edef5c1a5e520240527a707e35cad0461f0332d34bde17c8c0cd |
memory/1508-77-0x00007FF6BDD30000-0x00007FF6BE084000-memory.dmp
C:\Windows\System\dkwzQrn.exe
| MD5 | c8df9717d0f17ef43c7bb77e853f006f |
| SHA1 | 1ca9e8a599fa5936f62e605e9708da015b2680ab |
| SHA256 | b04409ee3e1ac0497b158070b997ae78d841734c25f0af9f376280dcb1b84590 |
| SHA512 | 42705394dff6a05eb09e38610e3e1fd404e53a5d4a7c5ee09d5629e9c5bb121268f7df5f0a71d5ad263906bf530728033e5bd641ed19012a1635b6eaadebb886 |
memory/764-80-0x00007FF62B870000-0x00007FF62BBC4000-memory.dmp
memory/4964-76-0x00007FF756880000-0x00007FF756BD4000-memory.dmp
memory/812-74-0x00007FF6826D0000-0x00007FF682A24000-memory.dmp
memory/4560-73-0x00007FF6A1E30000-0x00007FF6A2184000-memory.dmp
C:\Windows\System\ddZTXpo.exe
| MD5 | 719da2687fb2bf419f5d0e84d76bd1b3 |
| SHA1 | 549597dc88c79d490da98944e167e927836a0ecd |
| SHA256 | 50562fb5bb40db192e819edbc624858844d1b86d88938479307c4818372b5225 |
| SHA512 | a52582bfcd105a02683b40b075b1d54509d74b0dc48f0a2ca659ed8310cf4034ce3e828e31361b4c4e489919ebfbdc8c3ca7b8577184b811ac06b1e4326bb8e0 |
C:\Windows\System\OcdMCCr.exe
| MD5 | 487be1f6aa69aa625e158d2532a8df98 |
| SHA1 | 70a0e7e20ace4133e4c8967bdcdf8875de78ba09 |
| SHA256 | 66c4fdcf4c09e07867c30ebe4a92b6dd48fe020a29b1fc63071b8f72454f3eee |
| SHA512 | 77e069401f1af78f6e79f42d499480e86019e4ec9c0d04282781c4137b2677bd12be803f089bc275c974a69b21c6b9c9a757b1cd727ecbfb204115eecabb3c66 |
memory/1928-55-0x00007FF66C480000-0x00007FF66C7D4000-memory.dmp
memory/1064-54-0x00007FF7F22E0000-0x00007FF7F2634000-memory.dmp
memory/2256-46-0x00007FF6F4570000-0x00007FF6F48C4000-memory.dmp
memory/5064-41-0x00007FF6B2260000-0x00007FF6B25B4000-memory.dmp
memory/4812-32-0x00007FF62E660000-0x00007FF62E9B4000-memory.dmp
C:\Windows\System\vEBkuOX.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 56007edcbb761e90858f733004640e06 |
| SHA1 | bac4479596a5279baca6e33643cc32cee772022f |
| SHA256 | 21dc82de43bd5003780e080dcd346efe5c3b87e49e4c963e223eaeadbf1c0044 |
| SHA512 | 3484388b5e1c7fb6d9a0ec8c970b14899d1e98edf27413a409199156e2c11b6362ca94c4182624ba1fe40724e3d504a5c55a736a34a471f0a5713727a7a5ab3c |
memory/3016-91-0x00007FF77EED0000-0x00007FF77F224000-memory.dmp
memory/3028-98-0x00007FF7339C0000-0x00007FF733D14000-memory.dmp
memory/1112-107-0x00007FF69D2B0000-0x00007FF69D604000-memory.dmp
C:\Windows\System\qCIRIBJ.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 8c0949e797d4733488df1e1df3ad9e9a |
| SHA1 | 0d594cda7be66225747ba4457e9ea567e34316c4 |
| SHA256 | 01715c3fd9a9022d7a47dc650eb5e2e5f0112fabd35a82d89a885b897710646a |
| SHA512 | 66844bbaa59d958ee1939624040054e931873c6f73c32baac74aac84235c6857ca245d254ba38bb7ba77c4f3f1d204a9ea0160687598ad82ee0baeb5b01b930e |
C:\Windows\System\ZAEfcWj.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | f4c45f579cf33e137ae9a881836d79e1 |
| SHA1 | 37fd374f98f69be505511d3017a469a491dd6ef8 |
| SHA256 | 246da814c0c89077b0568d5316ba4a9f1de899179f878eac8b25f738fb5795ad |
| SHA512 | 0d777b1c2dadaad124dc639e167be2985c33744474158453aef02b7996ad5df298b2623b05b565f5976008f8516815cc9fc0d1628cf7a8dae65f4388d7a4b7a5 |
memory/4076-118-0x00007FF69BFB0000-0x00007FF69C304000-memory.dmp
memory/1928-117-0x00007FF66C480000-0x00007FF66C7D4000-memory.dmp
memory/1064-111-0x00007FF7F22E0000-0x00007FF7F2634000-memory.dmp
C:\Windows\System\uPSyarg.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 3196b09d7b0b404564e151ff3e27586e |
| SHA1 | 77eba251f10dd2fd125890fb340026e690f08e0a |
| SHA256 | 6341ed6a4257fa5885894a8c842cd08b82370fbda47c7751dc006261485a45bb |
| SHA512 | c2e765ec4d68940113fca371ac393f62f8c64967775b9f3345b0b675c356ecfdefc306999e6e17ff17cf8bdce0f2af39b9c1e53e66bcab31e14bc2751158fc68 |
memory/2256-106-0x00007FF6F4570000-0x00007FF6F48C4000-memory.dmp
memory/4812-104-0x00007FF62E660000-0x00007FF62E9B4000-memory.dmp
C:\Windows\System\asxoIRj.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | a4bcac3f0c44ba25cfb3c83e172a3e3b |
| SHA1 | b66dc31a92d82da505c96ecf4a9a48701a3eca8e |
| SHA256 | 6f08d42ce93b26e1bd0850d8b3e8570eebf93f7649a2fe64cf9fc18efa664d78 |
| SHA512 | 94fdea3cfc646bf951547414f77aa283d5443649c73ad0fd29c38cc2e27de41c0d1b612efbc40e7b22f1a8ec0214d32dd94b65ca628f7ad8ca61f430a9464ee6 |
memory/4676-101-0x00007FF624F40000-0x00007FF625294000-memory.dmp
memory/228-93-0x00007FF7F9B90000-0x00007FF7F9EE4000-memory.dmp
C:\Windows\System\QSVNsEj.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | bd03df8c383ab49bbff63b91d511d5f5 |
| SHA1 | bf16405176a425458a6dd5adb3385e2495dc70e9 |
| SHA256 | ea01c63d32a7b8867d3e3da8fc79aedd4b0febaa0a200142806f7894a7cb64a6 |
| SHA512 | f6b6af1fbc510064f95030512f68c9f370f3ce2963e8c014341a0e9993a06938f096693db596085aa6712e9d71b8166931c6e1300e7bfc3e38a1d285dce8f2f9 |
C:\Windows\System\nUzycwP.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | 4f4dfc5282b60f2da299b3f666cf36c5 |
| SHA1 | 2039beb7927bc15c287cdc883ab02070237a893e |
| SHA256 | a6e15def425552829ad5a35b909f7dc199bc7fa8326e8c8cfe9f0a681552f39a |
| SHA512 | 993268ba0b3a798958f77a0ed13f32927ea9863c8c961da9821e915ce633a755c76ce2c67a6547cd631e61af425688810cb7e5f1dc078dae1f3f0ae20752d98b |
C:\Windows\System\NXqQkfo.exe
| Algorithm | Digest |
| --- | --- |
| MD5 | f39f3deb14b2bbc01bc24877ba5efc0f |
| SHA1 | 3ce3f1413952ae2bc52bae75874b68b81c3cc264 |
| SHA256 | f915b01c8bdbba43a63fd7dea5d3550faec220a4209802006f4cd2bb5be1e4a4 |
| SHA512 | 7ed7541544b2382c0c2d4f90f5e8992afd0b4a5ab11c8ced5722a9315c3da76a9c05628b6ebdc4814c50de913ae9cdd7ba2e538bb3b8f7fcc5ec8d12b93f1a67 |
memory/3356-128-0x00007FF7CBAA0000-0x00007FF7CBDF4000-memory.dmp
memory/2816-126-0x00007FF668BF0000-0x00007FF668F44000-memory.dmp
memory/3744-135-0x00007FF634E50000-0x00007FF6351A4000-memory.dmp
memory/4796-134-0x00007FF791F90000-0x00007FF7922E4000-memory.dmp
memory/4964-136-0x00007FF756880000-0x00007FF756BD4000-memory.dmp
memory/764-137-0x00007FF62B870000-0x00007FF62BBC4000-memory.dmp
memory/228-138-0x00007FF7F9B90000-0x00007FF7F9EE4000-memory.dmp
memory/4676-139-0x00007FF624F40000-0x00007FF625294000-memory.dmp
memory/1112-140-0x00007FF69D2B0000-0x00007FF69D604000-memory.dmp
memory/3356-141-0x00007FF7CBAA0000-0x00007FF7CBDF4000-memory.dmp
memory/1508-142-0x00007FF6BDD30000-0x00007FF6BE084000-memory.dmp
memory/1308-143-0x00007FF7B20E0000-0x00007FF7B2434000-memory.dmp
memory/3016-144-0x00007FF77EED0000-0x00007FF77F224000-memory.dmp
memory/2220-145-0x00007FF6E30E0000-0x00007FF6E3434000-memory.dmp
memory/4812-146-0x00007FF62E660000-0x00007FF62E9B4000-memory.dmp
memory/5064-147-0x00007FF6B2260000-0x00007FF6B25B4000-memory.dmp
memory/2256-148-0x00007FF6F4570000-0x00007FF6F48C4000-memory.dmp
memory/1064-149-0x00007FF7F22E0000-0x00007FF7F2634000-memory.dmp
memory/812-150-0x00007FF6826D0000-0x00007FF682A24000-memory.dmp
memory/1928-151-0x00007FF66C480000-0x00007FF66C7D4000-memory.dmp
memory/4796-152-0x00007FF791F90000-0x00007FF7922E4000-memory.dmp
memory/764-154-0x00007FF62B870000-0x00007FF62BBC4000-memory.dmp
memory/4964-153-0x00007FF756880000-0x00007FF756BD4000-memory.dmp
memory/3028-155-0x00007FF7339C0000-0x00007FF733D14000-memory.dmp
memory/228-156-0x00007FF7F9B90000-0x00007FF7F9EE4000-memory.dmp
memory/4676-157-0x00007FF624F40000-0x00007FF625294000-memory.dmp
memory/1112-158-0x00007FF69D2B0000-0x00007FF69D604000-memory.dmp
memory/4076-159-0x00007FF69BFB0000-0x00007FF69C304000-memory.dmp
memory/2816-160-0x00007FF668BF0000-0x00007FF668F44000-memory.dmp
memory/3356-161-0x00007FF7CBAA0000-0x00007FF7CBDF4000-memory.dmp
memory/3744-162-0x00007FF634E50000-0x00007FF6351A4000-memory.dmp
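The memory-dump artifact names above encode the process ID, a dump sequence number and the mapped address range, and the dropped-file tables carry four digests each. The script below is an added example, not part of the sandbox report or its tooling: it parses a handful of the artifact names copied from this report, groups them by PID, computes the size of each dumped region and checks whether a PID's range stayed put across repeated dumps, and it validates the digest rows of one dropped file for hex length. The `memory/<pid>-<sequence>-<base>-<end>-memory.dmp` layout is an assumption read off the names themselves; the sandbox does not document it on this page.

```python
import re
from collections import defaultdict

# Added example. The names below are copied from the memory-dump entries of this
# report (a subset); the field layout memory/<pid>-<seq>-<base>-<end>-memory.dmp
# is an assumption inferred from them, not documented by the sandbox.
DUMP_NAMES = [
    "memory/4796-58-0x00007FF791F90000-0x00007FF7922E4000-memory.dmp",
    "memory/1508-77-0x00007FF6BDD30000-0x00007FF6BE084000-memory.dmp",
    "memory/764-80-0x00007FF62B870000-0x00007FF62BBC4000-memory.dmp",
    "memory/4964-76-0x00007FF756880000-0x00007FF756BD4000-memory.dmp",
    "memory/4796-134-0x00007FF791F90000-0x00007FF7922E4000-memory.dmp",
    "memory/4796-152-0x00007FF791F90000-0x00007FF7922E4000-memory.dmp",
    "memory/3744-162-0x00007FF634E50000-0x00007FF6351A4000-memory.dmp",
]

# Digest rows for C:\Windows\System\FDpaTmC.exe, copied from this report.
HASH_TABLE = """| Algorithm | Digest |
| --- | --- |
| MD5 | 1c9cd85fdca8f64533d451429acb4111 |
| SHA1 | 23db6830c86fa7c934bc836e907afc6211e9cd95 |
| SHA256 | 859dd468d177628e3c47a40984d209807e69830c99084ef17b61e0145979a974 |
| SHA512 | facc28bdf078a88008bed6a490a975413055891d581558ac5796c34bf28435ea40276ccb8cc5edef5c1a5e520240527a707e35cad0461f0332d34bde17c8c0cd |"""

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<base>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Hex-digit length each digest algorithm must have.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_dump(name):
    """Split one artifact name into pid, sequence number and the mapped range."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    base, end = int(m["base"], 16), int(m["end"], 16)
    if end <= base:
        raise ValueError(f"end address not above base in {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "base": base, "end": end, "size": end - base}


def summarise(names):
    """Group dumps by PID; report distinct region sizes and whether each PID's range moved."""
    by_pid = defaultdict(list)
    for region in (parse_dump(n) for n in names):
        by_pid[region["pid"]].append(region)
    return {
        "pids": sorted(by_pid),
        "dumps_per_pid": {pid: len(rs) for pid, rs in by_pid.items()},
        "distinct_sizes": sorted({r["size"] for rs in by_pid.values() for r in rs}),
        # True when every dump taken of a PID covers exactly the same range.
        "base_stable": {pid: len({(r["base"], r["end"]) for r in rs}) == 1
                        for pid, rs in by_pid.items()},
    }


def parse_hash_rows(table):
    """Read '| ALG | hex |' rows into a dict; header and separator rows are skipped."""
    digests = {}
    for line in table.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 2 and cells[0] in DIGEST_LEN:
            digests[cells[0]] = cells[1].lower()
    return digests


def validate_digests(digests):
    """Return a list of problems: wrong digest length or non-hex characters."""
    problems = []
    for alg, value in digests.items():
        if len(value) != DIGEST_LEN[alg]:
            problems.append(f"{alg}: expected {DIGEST_LEN[alg]} hex digits, got {len(value)}")
        elif not re.fullmatch(r"[0-9a-f]+", value):
            problems.append(f"{alg}: non-hex characters")
    return problems


if __name__ == "__main__":
    print(summarise(DUMP_NAMES))
    digests = parse_hash_rows(HASH_TABLE)
    print(digests, validate_digests(digests) or "digests well-formed")
```

Run over the names in this report, every region comes out at 0x354000 bytes, all bases lie in the 0x00007FF... user-mode range, and PIDs such as 4796 appear three times with an unchanged range, which is what repeated snapshots of one long-lived mapping in the same process look like. The digest validator only checks shape; it says nothing about whether a digest matches a file, which needs the sample itself.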