Analysis Overview
SHA256
180b178cb5b146e1930ec8a0223238a54c862a63c41b644eb96ca3c14305fd9d
Threat Level: Known bad
The file 2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Xmrig family
XMRig Miner payload
Cobaltstrike family
Cobalt Strike reflective loader
xmrig
XMRig Miner payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-05 09:45
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-05 09:45
Reported
2024-08-05 09:48
Platform
win7-20240729-en
Max time kernel
140s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\SuQpmXj.exe | N/A |
| N/A | N/A | C:\Windows\System\NahRwIr.exe | N/A |
| N/A | N/A | C:\Windows\System\MrBcZFa.exe | N/A |
| N/A | N/A | C:\Windows\System\rUFbNXu.exe | N/A |
| N/A | N/A | C:\Windows\System\ibRhUiP.exe | N/A |
| N/A | N/A | C:\Windows\System\wrLHpxD.exe | N/A |
| N/A | N/A | C:\Windows\System\kjkXHNY.exe | N/A |
| N/A | N/A | C:\Windows\System\JvufBYd.exe | N/A |
| N/A | N/A | C:\Windows\System\doZCyUF.exe | N/A |
| N/A | N/A | C:\Windows\System\ZbjjteR.exe | N/A |
| N/A | N/A | C:\Windows\System\ChpNDZV.exe | N/A |
| N/A | N/A | C:\Windows\System\LgxxUKV.exe | N/A |
| N/A | N/A | C:\Windows\System\NkrJsQy.exe | N/A |
| N/A | N/A | C:\Windows\System\UUDImcH.exe | N/A |
| N/A | N/A | C:\Windows\System\XvOEmdD.exe | N/A |
| N/A | N/A | C:\Windows\System\OvUeLAr.exe | N/A |
| N/A | N/A | C:\Windows\System\aviyzaE.exe | N/A |
| N/A | N/A | C:\Windows\System\ykfqJPF.exe | N/A |
| N/A | N/A | C:\Windows\System\IiiLJrs.exe | N/A |
| N/A | N/A | C:\Windows\System\jIXqBxg.exe | N/A |
| N/A | N/A | C:\Windows\System\aEExSSn.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\SuQpmXj.exe | C:\Windows\System\SuQpmXj.exe |
| C:\Windows\System\NahRwIr.exe | C:\Windows\System\NahRwIr.exe |
| C:\Windows\System\MrBcZFa.exe | C:\Windows\System\MrBcZFa.exe |
| C:\Windows\System\rUFbNXu.exe | C:\Windows\System\rUFbNXu.exe |
| C:\Windows\System\ibRhUiP.exe | C:\Windows\System\ibRhUiP.exe |
| C:\Windows\System\wrLHpxD.exe | C:\Windows\System\wrLHpxD.exe |
| C:\Windows\System\kjkXHNY.exe | C:\Windows\System\kjkXHNY.exe |
| C:\Windows\System\doZCyUF.exe | C:\Windows\System\doZCyUF.exe |
| C:\Windows\System\JvufBYd.exe | C:\Windows\System\JvufBYd.exe |
| C:\Windows\System\ZbjjteR.exe | C:\Windows\System\ZbjjteR.exe |
| C:\Windows\System\ChpNDZV.exe | C:\Windows\System\ChpNDZV.exe |
| C:\Windows\System\LgxxUKV.exe | C:\Windows\System\LgxxUKV.exe |
| C:\Windows\System\NkrJsQy.exe | C:\Windows\System\NkrJsQy.exe |
| C:\Windows\System\UUDImcH.exe | C:\Windows\System\UUDImcH.exe |
| C:\Windows\System\XvOEmdD.exe | C:\Windows\System\XvOEmdD.exe |
| C:\Windows\System\OvUeLAr.exe | C:\Windows\System\OvUeLAr.exe |
| C:\Windows\System\aviyzaE.exe | C:\Windows\System\aviyzaE.exe |
| C:\Windows\System\IiiLJrs.exe | C:\Windows\System\IiiLJrs.exe |
| C:\Windows\System\ykfqJPF.exe | C:\Windows\System\ykfqJPF.exe |
| C:\Windows\System\jIXqBxg.exe | C:\Windows\System\jIXqBxg.exe |
| C:\Windows\System\aEExSSn.exe | C:\Windows\System\aEExSSn.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-05 09:45
Reported
2024-08-05 09:48
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\SuQpmXj.exe | N/A |
| N/A | N/A | C:\Windows\System\NahRwIr.exe | N/A |
| N/A | N/A | C:\Windows\System\MrBcZFa.exe | N/A |
| N/A | N/A | C:\Windows\System\rUFbNXu.exe | N/A |
| N/A | N/A | C:\Windows\System\ibRhUiP.exe | N/A |
| N/A | N/A | C:\Windows\System\wrLHpxD.exe | N/A |
| N/A | N/A | C:\Windows\System\doZCyUF.exe | N/A |
| N/A | N/A | C:\Windows\System\kjkXHNY.exe | N/A |
| N/A | N/A | C:\Windows\System\JvufBYd.exe | N/A |
| N/A | N/A | C:\Windows\System\ZbjjteR.exe | N/A |
| N/A | N/A | C:\Windows\System\ChpNDZV.exe | N/A |
| N/A | N/A | C:\Windows\System\LgxxUKV.exe | N/A |
| N/A | N/A | C:\Windows\System\NkrJsQy.exe | N/A |
| N/A | N/A | C:\Windows\System\UUDImcH.exe | N/A |
| N/A | N/A | C:\Windows\System\XvOEmdD.exe | N/A |
| N/A | N/A | C:\Windows\System\OvUeLAr.exe | N/A |
| N/A | N/A | C:\Windows\System\aviyzaE.exe | N/A |
| N/A | N/A | C:\Windows\System\IiiLJrs.exe | N/A |
| N/A | N/A | C:\Windows\System\ykfqJPF.exe | N/A |
| N/A | N/A | C:\Windows\System\jIXqBxg.exe | N/A |
| N/A | N/A | C:\Windows\System\aEExSSn.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe | "C:\Users\Admin\AppData\Local\Temp\2024-08-05_58fe92e924adb7b8b3b58fe9377cf21c_cobalt-strike_cobaltstrike_poet-rat.exe" |
| C:\Windows\System\SuQpmXj.exe | C:\Windows\System\SuQpmXj.exe |
| C:\Windows\System\NahRwIr.exe | C:\Windows\System\NahRwIr.exe |
| C:\Windows\System\MrBcZFa.exe | C:\Windows\System\MrBcZFa.exe |
| C:\Windows\System\rUFbNXu.exe | C:\Windows\System\rUFbNXu.exe |
| C:\Windows\System\ibRhUiP.exe | C:\Windows\System\ibRhUiP.exe |
| C:\Windows\System\wrLHpxD.exe | C:\Windows\System\wrLHpxD.exe |
| C:\Windows\System\kjkXHNY.exe | C:\Windows\System\kjkXHNY.exe |
| C:\Windows\System\doZCyUF.exe | C:\Windows\System\doZCyUF.exe |
| C:\Windows\System\JvufBYd.exe | C:\Windows\System\JvufBYd.exe |
| C:\Windows\System\ZbjjteR.exe | C:\Windows\System\ZbjjteR.exe |
| C:\Windows\System\ChpNDZV.exe | C:\Windows\System\ChpNDZV.exe |
| C:\Windows\System\LgxxUKV.exe | C:\Windows\System\LgxxUKV.exe |
| C:\Windows\System\NkrJsQy.exe | C:\Windows\System\NkrJsQy.exe |
| C:\Windows\System\UUDImcH.exe | C:\Windows\System\UUDImcH.exe |
| C:\Windows\System\XvOEmdD.exe | C:\Windows\System\XvOEmdD.exe |
| C:\Windows\System\OvUeLAr.exe | C:\Windows\System\OvUeLAr.exe |
| C:\Windows\System\aviyzaE.exe | C:\Windows\System\aviyzaE.exe |
| C:\Windows\System\IiiLJrs.exe | C:\Windows\System\IiiLJrs.exe |
| C:\Windows\System\ykfqJPF.exe | C:\Windows\System\ykfqJPF.exe |
| C:\Windows\System\jIXqBxg.exe | C:\Windows\System\jIXqBxg.exe |
| C:\Windows\System\aEExSSn.exe | C:\Windows\System\aEExSSn.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| SHA256 | ccd2037f27b7ad4f25460974a1824e99b0977472867b5b5d00c4bab492849eaf |
| SHA512 | 6ec4dbe85a5485f50f31f13ec7dd0c6c2b65af98557f9133bbb6c8e3af27de8e25297f36bb3b4d4e3a0d294c8365ccd9ab876e941dd1bd00ce72ecc65fdc954b |
memory/1464-65-0x00007FF63B4F0000-0x00007FF63B841000-memory.dmp
memory/3384-60-0x00007FF77AF50000-0x00007FF77B2A1000-memory.dmp
memory/512-53-0x00007FF714EC0000-0x00007FF715211000-memory.dmp
memory/3020-52-0x00007FF61A1D0000-0x00007FF61A521000-memory.dmp
C:\Windows\System\ibRhUiP.exe
| MD5 | 62d3b4b8974313570bf759bb644a196e |
| SHA1 | 1a92d408790f5c91a7acc22484fe9615659bbbdb |
| SHA256 | dbc61904c291dbafeebcb6da55eb03cbb4b19699621b21dda51b0a9944c2ceee |
| SHA512 | 4f8efecfd405091ac3971c76b7b4869af560e453d85abe396ec812944694f834504967455d246a3f8ff42ef5b98883f6f452f193a7c04ae9b6330d488447a7f5 |
memory/2148-39-0x00007FF743E50000-0x00007FF7441A1000-memory.dmp
memory/2092-27-0x00007FF697E90000-0x00007FF6981E1000-memory.dmp
memory/4028-21-0x00007FF7A4EB0000-0x00007FF7A5201000-memory.dmp
memory/2844-9-0x00007FF72F8B0000-0x00007FF72FC01000-memory.dmp
C:\Windows\System\jIXqBxg.exe
| MD5 | 466b88309f873dacfef4fe3a778382fe |
| SHA1 | be8bc88643dcb938cac6d7f59338f24b92b80cb6 |
| SHA256 | 2ad74eb7efe8fede1f0c54772391f8bb5da8f3a777d8b3bc938f62106a06bfcc |
| SHA512 | 7711d9a9fd5a73ededd6eff5ae9140d06d96f39e9db03aa6464c3461e156f01b82f854ebd4f05d141bae70a56f44cef023bd35d4ec963f9bec584ea9d632bb1b |
C:\Windows\System\aEExSSn.exe
| MD5 | 9fb7bb9ae5961697adf20806908322dc |
| SHA1 | 8f0c4e80efeb5553d455d2773ba24887424e7ee8 |
| SHA256 | 3a3b52d19c8eb2af6bef8df3a0b5dcda0a0c707721652cf23919114bac2674bf |
| SHA512 | ef229d7ea618bb62dd9f8431590f53873554d6c3d6c31e0ab9471e25f9261b70294a732abb39aac7cca0dc15df5b7c7d69a9c9670431fca11eb75cb6a6cff649 |
memory/1432-126-0x00007FF61D540000-0x00007FF61D891000-memory.dmp
memory/3948-121-0x00007FF6C0F80000-0x00007FF6C12D1000-memory.dmp
memory/4028-130-0x00007FF7A4EB0000-0x00007FF7A5201000-memory.dmp
memory/4408-140-0x00007FF66F8E0000-0x00007FF66FC31000-memory.dmp
memory/1532-145-0x00007FF65F060000-0x00007FF65F3B1000-memory.dmp
memory/1464-139-0x00007FF63B4F0000-0x00007FF63B841000-memory.dmp
memory/3948-148-0x00007FF6C0F80000-0x00007FF6C12D1000-memory.dmp
memory/3020-134-0x00007FF61A1D0000-0x00007FF61A521000-memory.dmp
memory/2092-132-0x00007FF697E90000-0x00007FF6981E1000-memory.dmp
memory/2148-131-0x00007FF743E50000-0x00007FF7441A1000-memory.dmp
memory/2844-129-0x00007FF72F8B0000-0x00007FF72FC01000-memory.dmp
memory/372-128-0x00007FF696A10000-0x00007FF696D61000-memory.dmp
memory/372-149-0x00007FF696A10000-0x00007FF696D61000-memory.dmp
memory/1432-150-0x00007FF61D540000-0x00007FF61D891000-memory.dmp
memory/372-151-0x00007FF696A10000-0x00007FF696D61000-memory.dmp
memory/2844-210-0x00007FF72F8B0000-0x00007FF72FC01000-memory.dmp
memory/4028-212-0x00007FF7A4EB0000-0x00007FF7A5201000-memory.dmp
memory/2092-214-0x00007FF697E90000-0x00007FF6981E1000-memory.dmp
memory/2148-216-0x00007FF743E50000-0x00007FF7441A1000-memory.dmp
memory/3096-218-0x00007FF6E82F0000-0x00007FF6E8641000-memory.dmp
memory/3020-220-0x00007FF61A1D0000-0x00007FF61A521000-memory.dmp
memory/3384-222-0x00007FF77AF50000-0x00007FF77B2A1000-memory.dmp
memory/512-224-0x00007FF714EC0000-0x00007FF715211000-memory.dmp
memory/4560-226-0x00007FF6E0B00000-0x00007FF6E0E51000-memory.dmp
memory/4408-237-0x00007FF66F8E0000-0x00007FF66FC31000-memory.dmp
memory/1464-240-0x00007FF63B4F0000-0x00007FF63B841000-memory.dmp
memory/4476-242-0x00007FF7619A0000-0x00007FF761CF1000-memory.dmp
memory/1532-246-0x00007FF65F060000-0x00007FF65F3B1000-memory.dmp
memory/1520-244-0x00007FF701FE0000-0x00007FF702331000-memory.dmp
memory/2408-239-0x00007FF6F5C70000-0x00007FF6F5FC1000-memory.dmp
memory/3784-235-0x00007FF64A560000-0x00007FF64A8B1000-memory.dmp
memory/3184-233-0x00007FF7F7C70000-0x00007FF7F7FC1000-memory.dmp
memory/1660-231-0x00007FF6D5C60000-0x00007FF6D5FB1000-memory.dmp
memory/60-229-0x00007FF771150000-0x00007FF7714A1000-memory.dmp
memory/3948-250-0x00007FF6C0F80000-0x00007FF6C12D1000-memory.dmp
memory/1432-252-0x00007FF61D540000-0x00007FF61D891000-memory.dmp