Analysis Overview
SHA256
3df9f79354d14edf3f142b7916aa887cb9e7b8e9be6c249c3a92517ec8d291c9
Threat Level: Known bad
The file 2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
xmrig
Cobaltstrike
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-15 10:50
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-15 10:50
Reported
2024-08-15 10:53
Platform
win7-20240708-en
Max time kernel
140s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\bvIILoP.exe | N/A |
| N/A | N/A | C:\Windows\System\xAvSkNE.exe | N/A |
| N/A | N/A | C:\Windows\System\VEaFlxJ.exe | N/A |
| N/A | N/A | C:\Windows\System\jvVkJJr.exe | N/A |
| N/A | N/A | C:\Windows\System\XsUKqCn.exe | N/A |
| N/A | N/A | C:\Windows\System\NZsVCAT.exe | N/A |
| N/A | N/A | C:\Windows\System\kcrfOYj.exe | N/A |
| N/A | N/A | C:\Windows\System\bFUKoOs.exe | N/A |
| N/A | N/A | C:\Windows\System\kWNxjAS.exe | N/A |
| N/A | N/A | C:\Windows\System\rWRkYCj.exe | N/A |
| N/A | N/A | C:\Windows\System\FHDqhwE.exe | N/A |
| N/A | N/A | C:\Windows\System\iaHRSYm.exe | N/A |
| N/A | N/A | C:\Windows\System\sCiDdEJ.exe | N/A |
| N/A | N/A | C:\Windows\System\HhITiOL.exe | N/A |
| N/A | N/A | C:\Windows\System\nZWHXVh.exe | N/A |
| N/A | N/A | C:\Windows\System\ygSdwee.exe | N/A |
| N/A | N/A | C:\Windows\System\YCsQBkJ.exe | N/A |
| N/A | N/A | C:\Windows\System\sapVoDx.exe | N/A |
| N/A | N/A | C:\Windows\System\iuZZrWB.exe | N/A |
| N/A | N/A | C:\Windows\System\yIVHZxI.exe | N/A |
| N/A | N/A | C:\Windows\System\hlsPdgK.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\bvIILoP.exe | C:\Windows\System\bvIILoP.exe |
| C:\Windows\System\xAvSkNE.exe | C:\Windows\System\xAvSkNE.exe |
| C:\Windows\System\XsUKqCn.exe | C:\Windows\System\XsUKqCn.exe |
| C:\Windows\System\VEaFlxJ.exe | C:\Windows\System\VEaFlxJ.exe |
| C:\Windows\System\bFUKoOs.exe | C:\Windows\System\bFUKoOs.exe |
| C:\Windows\System\jvVkJJr.exe | C:\Windows\System\jvVkJJr.exe |
| C:\Windows\System\FHDqhwE.exe | C:\Windows\System\FHDqhwE.exe |
| C:\Windows\System\NZsVCAT.exe | C:\Windows\System\NZsVCAT.exe |
| C:\Windows\System\HhITiOL.exe | C:\Windows\System\HhITiOL.exe |
| C:\Windows\System\kcrfOYj.exe | C:\Windows\System\kcrfOYj.exe |
| C:\Windows\System\ygSdwee.exe | C:\Windows\System\ygSdwee.exe |
| C:\Windows\System\kWNxjAS.exe | C:\Windows\System\kWNxjAS.exe |
| C:\Windows\System\YCsQBkJ.exe | C:\Windows\System\YCsQBkJ.exe |
| C:\Windows\System\rWRkYCj.exe | C:\Windows\System\rWRkYCj.exe |
| C:\Windows\System\sapVoDx.exe | C:\Windows\System\sapVoDx.exe |
| C:\Windows\System\iaHRSYm.exe | C:\Windows\System\iaHRSYm.exe |
| C:\Windows\System\iuZZrWB.exe | C:\Windows\System\iuZZrWB.exe |
| C:\Windows\System\sCiDdEJ.exe | C:\Windows\System\sCiDdEJ.exe |
| C:\Windows\System\yIVHZxI.exe | C:\Windows\System\yIVHZxI.exe |
| C:\Windows\System\nZWHXVh.exe | C:\Windows\System\nZWHXVh.exe |
| C:\Windows\System\hlsPdgK.exe | C:\Windows\System\hlsPdgK.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-15 10:50
Reported
2024-08-15 10:53
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\iHEboqA.exe | N/A |
| N/A | N/A | C:\Windows\System\maiaofq.exe | N/A |
| N/A | N/A | C:\Windows\System\gbfUQft.exe | N/A |
| N/A | N/A | C:\Windows\System\HPOAXVh.exe | N/A |
| N/A | N/A | C:\Windows\System\oWeLtQQ.exe | N/A |
| N/A | N/A | C:\Windows\System\dEqibIo.exe | N/A |
| N/A | N/A | C:\Windows\System\ZVxCRTX.exe | N/A |
| N/A | N/A | C:\Windows\System\GvWVEMS.exe | N/A |
| N/A | N/A | C:\Windows\System\MtzFDGP.exe | N/A |
| N/A | N/A | C:\Windows\System\QlSEghp.exe | N/A |
| N/A | N/A | C:\Windows\System\qEeSeMU.exe | N/A |
| N/A | N/A | C:\Windows\System\kPEeDQr.exe | N/A |
| N/A | N/A | C:\Windows\System\lTYoxvp.exe | N/A |
| N/A | N/A | C:\Windows\System\npcukMT.exe | N/A |
| N/A | N/A | C:\Windows\System\pfDImYI.exe | N/A |
| N/A | N/A | C:\Windows\System\QDtzrMU.exe | N/A |
| N/A | N/A | C:\Windows\System\uvrLutd.exe | N/A |
| N/A | N/A | C:\Windows\System\cXNhOiy.exe | N/A |
| N/A | N/A | C:\Windows\System\KCuPINj.exe | N/A |
| N/A | N/A | C:\Windows\System\AdkZojk.exe | N/A |
| N/A | N/A | C:\Windows\System\EYIJkus.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-15_a555dad139cf57c035aedc927c5cafcf_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\iHEboqA.exe | C:\Windows\System\iHEboqA.exe |
| C:\Windows\System\maiaofq.exe | C:\Windows\System\maiaofq.exe |
| C:\Windows\System\gbfUQft.exe | C:\Windows\System\gbfUQft.exe |
| C:\Windows\System\dEqibIo.exe | C:\Windows\System\dEqibIo.exe |
| C:\Windows\System\HPOAXVh.exe | C:\Windows\System\HPOAXVh.exe |
| C:\Windows\System\oWeLtQQ.exe | C:\Windows\System\oWeLtQQ.exe |
| C:\Windows\System\ZVxCRTX.exe | C:\Windows\System\ZVxCRTX.exe |
| C:\Windows\System\GvWVEMS.exe | C:\Windows\System\GvWVEMS.exe |
| C:\Windows\System\MtzFDGP.exe | C:\Windows\System\MtzFDGP.exe |
| C:\Windows\System\QlSEghp.exe | C:\Windows\System\QlSEghp.exe |
| C:\Windows\System\qEeSeMU.exe | C:\Windows\System\qEeSeMU.exe |
| C:\Windows\System\kPEeDQr.exe | C:\Windows\System\kPEeDQr.exe |
| C:\Windows\System\lTYoxvp.exe | C:\Windows\System\lTYoxvp.exe |
| C:\Windows\System\npcukMT.exe | C:\Windows\System\npcukMT.exe |
| C:\Windows\System\pfDImYI.exe | C:\Windows\System\pfDImYI.exe |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4072,i,1828333185976713750,7918646547767660928,262144 --variations-seed-version --mojo-platform-channel-handle=4432 /prefetch:8 |
| C:\Windows\System\AdkZojk.exe | C:\Windows\System\AdkZojk.exe |
| C:\Windows\System\QDtzrMU.exe | C:\Windows\System\QDtzrMU.exe |
| C:\Windows\System\uvrLutd.exe | C:\Windows\System\uvrLutd.exe |
| C:\Windows\System\cXNhOiy.exe | C:\Windows\System\cXNhOiy.exe |
| C:\Windows\System\KCuPINj.exe | C:\Windows\System\KCuPINj.exe |
| C:\Windows\System\EYIJkus.exe | C:\Windows\System\EYIJkus.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
| SHA1 | 1b59978034b3a9e0379ce76b87a6f696491d2ec7 |
| SHA256 | fa580b083e1f70684b1fdc75704b0f64ea42b9da1413404274557cd2f4cd799e |
| SHA512 | 3a8ac2ca00afae0d6d41314f4e1164f70d7c7bd4148bb70e08f1ba48697832315f497bdb307dd0ada888ca947d5210d9df9b2bca80d5e3eb5572d48de6fb7fe0 |
C:\Windows\System\EYIJkus.exe
| MD5 | 847eec894d5b8aa3ac1b514f7e4afbd8 |
| SHA1 | c3089b6167a77be46c8a4e6fdc2263c882c0b95a |
| SHA256 | 5908638aedf9d2047cb5d4b5463500d17f1528e503fdf27a82c0d0e1b5fd14ce |
| SHA512 | 7d0927d077441178b9fc03e9149dbe7857c37af0272b7e2faacd44a8fa255a5b7e64644b73f04140bb5401525a521f84c7844f6cf395a8cb2582ef6dea770dc8 |
C:\Windows\System\QDtzrMU.exe
| MD5 | f6760f2133d03a852d97cd657f64db65 |
| SHA1 | 9c593b25c069944d2e2caca60e898d46a84e695b |
| SHA256 | 86b1fd26671c36ab433cd743385060b8ff2199390fa867b12d77b12ef572d4ab |
| SHA512 | 5b0a93789591f09d75f88f5167b2e28652574f809d2c9a6dd3163b6a019c3a2b8e565dfa275b8ad5dae1ca01a1a94dd400a5ed58607c87c4200203fb4de66080 |
C:\Windows\System\uvrLutd.exe
| MD5 | 2fc0bc8b96730619352409d491f7f2f2 |
| SHA1 | fc4e6dadfd7246f6bcc5b6ba04872395091f1e6f |
| SHA256 | 3d9a3eedc8baff1058a11cb0de5966edd13fc9c56c872c510e1078e48e5d46ea |
| SHA512 | b89d2a6469a2e73574ce31a672ca227aec35bc8f69e288d8ee05f68573007f8f165d5eac742da139d44254301c1dfaeb68070995b73fabdf3002742282073fb1 |
memory/3092-145-0x00007FF769410000-0x00007FF769761000-memory.dmp
memory/2924-144-0x00007FF6F6B90000-0x00007FF6F6EE1000-memory.dmp
memory/1912-143-0x00007FF66C870000-0x00007FF66CBC1000-memory.dmp
memory/1116-140-0x00007FF72B450000-0x00007FF72B7A1000-memory.dmp
memory/3212-139-0x00007FF68F4A0000-0x00007FF68F7F1000-memory.dmp
memory/2164-136-0x00007FF70E1A0000-0x00007FF70E4F1000-memory.dmp
memory/752-131-0x00007FF7781B0000-0x00007FF778501000-memory.dmp
C:\Windows\System\AdkZojk.exe
| MD5 | 544009f68c1b4a66a17e1b86d08b5742 |
| SHA1 | c16ed7481cf27fe27a128265ec1134c50e564c99 |
| SHA256 | 231b6cae839bea172661e6faf4928ee049a33538d38f7422f3d893a0afeb1c07 |
| SHA512 | a66643d503d7b3df377fa1608bee30a7ef97283a6cc3508144ad462d4f4b9ab2b81be95b651ee4cc2227d1e1b87fb34a02aecacf3f253f75ab4e774c128db87b |
C:\Windows\System\KCuPINj.exe
| MD5 | ef518ae3154a79c6b7a6816810493081 |
| SHA1 | 651a561aafbdabd990db4eea2f3f2bef2baa73a2 |
| SHA256 | 02c056054e6daaf2faba4de620685cc9bcc01b8f60612bb171867109fada064b |
| SHA512 | 776ad50ee3e51dd1b5989204ea81dfd32fda90a144a7e9e63148ccb2bb04aec459dae545e23487d727f6f7d0f1259ff4e70083c6c0f394e887e0677d2d679561 |
C:\Windows\System\cXNhOiy.exe
| MD5 | 2a99407f2f5ec56599e49d318010429a |
| SHA1 | 9a77a3e5e10bb8577b1d96b56c41075f85d5310d |
| SHA256 | 803e8fc643aa32358ae65b93b003e2e16836fae4cf6757339062dfe2fde7fe6b |
| SHA512 | ffd403bfe2b902386fbfccf14ce67b8448a959a75556fede5d42f83bd53cd12534677c41f297934b289d1b0b8e7888371088e834d4be81b3755f0b9fb897e232 |
memory/1904-117-0x00007FF676440000-0x00007FF676791000-memory.dmp
memory/5112-116-0x00007FF781F10000-0x00007FF782261000-memory.dmp
memory/908-102-0x00007FF780E50000-0x00007FF7811A1000-memory.dmp
memory/2212-101-0x00007FF667BC0000-0x00007FF667F11000-memory.dmp
memory/1180-100-0x00007FF67A7B0000-0x00007FF67AB01000-memory.dmp
memory/3936-99-0x00007FF669D80000-0x00007FF66A0D1000-memory.dmp
memory/5056-94-0x00007FF68A960000-0x00007FF68ACB1000-memory.dmp
memory/3332-95-0x00007FF75AB10000-0x00007FF75AE61000-memory.dmp
memory/1488-106-0x00007FF641080000-0x00007FF6413D1000-memory.dmp
memory/4660-98-0x00007FF698770000-0x00007FF698AC1000-memory.dmp
memory/2316-146-0x00007FF631CB0000-0x00007FF632001000-memory.dmp
memory/2164-163-0x00007FF70E1A0000-0x00007FF70E4F1000-memory.dmp
memory/752-161-0x00007FF7781B0000-0x00007FF778501000-memory.dmp
memory/2316-168-0x00007FF631CB0000-0x00007FF632001000-memory.dmp
memory/1840-207-0x00007FF732D30000-0x00007FF733081000-memory.dmp
memory/1488-215-0x00007FF641080000-0x00007FF6413D1000-memory.dmp
memory/2336-217-0x00007FF7C8B70000-0x00007FF7C8EC1000-memory.dmp
memory/5056-219-0x00007FF68A960000-0x00007FF68ACB1000-memory.dmp
memory/2196-221-0x00007FF7ED590000-0x00007FF7ED8E1000-memory.dmp
memory/3332-225-0x00007FF75AB10000-0x00007FF75AE61000-memory.dmp
memory/4660-224-0x00007FF698770000-0x00007FF698AC1000-memory.dmp
memory/3936-227-0x00007FF669D80000-0x00007FF66A0D1000-memory.dmp
memory/1412-234-0x00007FF79AFA0000-0x00007FF79B2F1000-memory.dmp
memory/2212-238-0x00007FF667BC0000-0x00007FF667F11000-memory.dmp
memory/1180-239-0x00007FF67A7B0000-0x00007FF67AB01000-memory.dmp
memory/908-236-0x00007FF780E50000-0x00007FF7811A1000-memory.dmp
memory/5112-232-0x00007FF781F10000-0x00007FF782261000-memory.dmp
memory/1904-229-0x00007FF676440000-0x00007FF676791000-memory.dmp
memory/3212-251-0x00007FF68F4A0000-0x00007FF68F7F1000-memory.dmp
memory/1116-250-0x00007FF72B450000-0x00007FF72B7A1000-memory.dmp
memory/752-261-0x00007FF7781B0000-0x00007FF778501000-memory.dmp
memory/1912-259-0x00007FF66C870000-0x00007FF66CBC1000-memory.dmp
memory/3092-258-0x00007FF769410000-0x00007FF769761000-memory.dmp
memory/2924-256-0x00007FF6F6B90000-0x00007FF6F6EE1000-memory.dmp
memory/2164-254-0x00007FF70E1A0000-0x00007FF70E4F1000-memory.dmp