Analysis Overview
SHA256
05066aa15d65559b5c818aae121963f180fcaf7c92b2ae8731c5595b2dedab32
Threat Level: Known bad
The file 2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
xmrig
Xmrig family
XMRig Miner payload
Cobaltstrike family
Cobalt Strike reflective loader
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-25 11:52
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 11:52
Reported
2024-10-25 11:55
Platform
win7-20240903-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\SgaMIyb.exe | N/A |
| N/A | N/A | C:\Windows\System\wwuXLfG.exe | N/A |
| N/A | N/A | C:\Windows\System\UQiTfuI.exe | N/A |
| N/A | N/A | C:\Windows\System\mFaQImn.exe | N/A |
| N/A | N/A | C:\Windows\System\izCZMsm.exe | N/A |
| N/A | N/A | C:\Windows\System\rvooWnR.exe | N/A |
| N/A | N/A | C:\Windows\System\kDvNguq.exe | N/A |
| N/A | N/A | C:\Windows\System\NYGhZuw.exe | N/A |
| N/A | N/A | C:\Windows\System\cbuVYEi.exe | N/A |
| N/A | N/A | C:\Windows\System\pUWcUrb.exe | N/A |
| N/A | N/A | C:\Windows\System\yYLuOja.exe | N/A |
| N/A | N/A | C:\Windows\System\EbgwMhx.exe | N/A |
| N/A | N/A | C:\Windows\System\uhDTbXy.exe | N/A |
| N/A | N/A | C:\Windows\System\Nrwktlg.exe | N/A |
| N/A | N/A | C:\Windows\System\IkOxmuX.exe | N/A |
| N/A | N/A | C:\Windows\System\bypQvlN.exe | N/A |
| N/A | N/A | C:\Windows\System\fNjIMJU.exe | N/A |
| N/A | N/A | C:\Windows\System\vSWSlpR.exe | N/A |
| N/A | N/A | C:\Windows\System\muHxujU.exe | N/A |
| N/A | N/A | C:\Windows\System\xbbTrNC.exe | N/A |
| N/A | N/A | C:\Windows\System\HtaNNkL.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\SgaMIyb.exe
C:\Windows\System\SgaMIyb.exe
C:\Windows\System\wwuXLfG.exe
C:\Windows\System\wwuXLfG.exe
C:\Windows\System\UQiTfuI.exe
C:\Windows\System\UQiTfuI.exe
C:\Windows\System\mFaQImn.exe
C:\Windows\System\mFaQImn.exe
C:\Windows\System\izCZMsm.exe
C:\Windows\System\izCZMsm.exe
C:\Windows\System\kDvNguq.exe
C:\Windows\System\kDvNguq.exe
C:\Windows\System\rvooWnR.exe
C:\Windows\System\rvooWnR.exe
C:\Windows\System\NYGhZuw.exe
C:\Windows\System\NYGhZuw.exe
C:\Windows\System\cbuVYEi.exe
C:\Windows\System\cbuVYEi.exe
C:\Windows\System\pUWcUrb.exe
C:\Windows\System\pUWcUrb.exe
C:\Windows\System\yYLuOja.exe
C:\Windows\System\yYLuOja.exe
C:\Windows\System\EbgwMhx.exe
C:\Windows\System\EbgwMhx.exe
C:\Windows\System\uhDTbXy.exe
C:\Windows\System\uhDTbXy.exe
C:\Windows\System\Nrwktlg.exe
C:\Windows\System\Nrwktlg.exe
C:\Windows\System\IkOxmuX.exe
C:\Windows\System\IkOxmuX.exe
C:\Windows\System\vSWSlpR.exe
C:\Windows\System\vSWSlpR.exe
C:\Windows\System\bypQvlN.exe
C:\Windows\System\bypQvlN.exe
C:\Windows\System\muHxujU.exe
C:\Windows\System\muHxujU.exe
C:\Windows\System\fNjIMJU.exe
C:\Windows\System\fNjIMJU.exe
C:\Windows\System\xbbTrNC.exe
C:\Windows\System\xbbTrNC.exe
C:\Windows\System\HtaNNkL.exe
C:\Windows\System\HtaNNkL.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1968-0-0x000000013F390000-0x000000013F6E1000-memory.dmp
memory/1968-1-0x00000000000F0000-0x0000000000100000-memory.dmp
C:\Windows\system\SgaMIyb.exe
| MD5 | cbc42684cf664355a9eb2b178ab550fa |
| SHA1 | 545c35e80b58dc75a4d0497794832b974861ac38 |
| SHA256 | 1d1490d6096532cb190b3fdd7c465c2d0ead4811dbdf8bc7aecf1ea946e5ea10 |
| SHA512 | 377d4403fef1c216b2cbd8a897b61b2c46c098dd8404ebdd75308639371b1667cd27c4657f4f0e26c4775293fecc6fbf1e378efca3f1a183b3985c064c696e04 |
C:\Windows\system\wwuXLfG.exe
| MD5 | cb46fd4cdc102047a4dc26aaedb3df29 |
| SHA1 | 03c3d1cb16030eae134af993e74e2c944e178055 |
| SHA256 | 238b3677df86a5fbae905f17e06f03613b994de21550933b0efcda3fb538bd83 |
| SHA512 | 2133b6dcbcb3d08cd11638a25079aba76544a05f950e9a245a9008c80f4ccfe60dda9380a589422be545921c0078f82270090a926e212f2c2b2da469082204bb |
\Windows\system\UQiTfuI.exe
| MD5 | 8a886087d8c96cd1d91a86328a86903c |
| SHA1 | 5c442d9ff7f1a1923a600c6cc0b371886509509c |
| SHA256 | 5efd46203f7b543475d4c0ea5853de66f77300157c91eb7da29bd4fe26f19b7f |
| SHA512 | 8d5adbe450c9943fd30a963f0080bc40dd2939636ec635ad9899e768f5e3901223686abe7e81480cd6362fd9dfd32b6030d1b4702d2dec7329b5582ecfdf68c1 |
memory/2052-18-0x000000013F180000-0x000000013F4D1000-memory.dmp
memory/1968-22-0x0000000002250000-0x00000000025A1000-memory.dmp
memory/2312-21-0x000000013F450000-0x000000013F7A1000-memory.dmp
memory/1968-20-0x0000000002250000-0x00000000025A1000-memory.dmp
memory/2520-19-0x000000013F500000-0x000000013F851000-memory.dmp
C:\Windows\system\mFaQImn.exe
| MD5 | 8eb05d222c60a2969dd1830044954526 |
| SHA1 | de10bd1c7668bdc6a8784a7f24c0450466c1f4e6 |
| SHA256 | b4c80f55c2873a097a224477096974e8bc247cf5fe217db97e0cd2eed76a8961 |
| SHA512 | eba8b214184bbd15c106dfd91f0aecd9d06251e9d3b5d68e0ee7afc7f51282c9f4aaa96309baa8a6e8f2cdc6b40885f1aa54d4c97d0b894f8f1aaa923ff31ae2 |
C:\Windows\system\rvooWnR.exe
| MD5 | d5323b0fc88ff2f3be69f157c6a525ba |
| SHA1 | cd75e9a77e830c605451fb3b2798ffd50b0be3a0 |
| SHA256 | 0fc64f71de31de81c1e4384fde9593447a51e294e7891306443a63f3a02a8621 |
| SHA512 | ae49d2556d5d00ee3cece43fea13e0f8fece5ccd72d0df2dcbdc05679d16aec9d1d8dc3630f968ae1be51b38906da5ba00bcaac518a63b2e4017c5090a6d169e |
\Windows\system\kDvNguq.exe
| MD5 | 85a8cedba5afe3f08639cf6ea4452807 |
| SHA1 | d52f70c4fad78a20fd68a626db8f41982f6b2dc8 |
| SHA256 | 0bd1c6d05e7dc3bec43325a7794b2c8e985e6c3cad1720584ec65338b620dfb7 |
| SHA512 | 353b7aa3128ff32f860d22bff6e0da8cd347c31d945a892c2438401ec8f62ae066b127b8c4d2e0d80e5fa7bade5f0bdb53f7e00c7b2680b9dc01d3ec64dafd0b |
C:\Windows\system\NYGhZuw.exe
| MD5 | 136c2ba8617edf0c6533f7d203ed9c66 |
| SHA1 | 7807b09353a9af93e8c0c7903946c0c96f21df4d |
| SHA256 | 1c5173e186150bda15461dc39519662d938b86473d365a962e48d1b365edae32 |
| SHA512 | 4e270ab7c0c76c01427d40a716724c4bb02b0dc7ccc588c4e1884af9933047719cbf96577212b7ad5d582273a9cc38cc65a7685870772fc9d47703bd93d4c647 |
memory/2608-64-0x000000013FD30000-0x0000000140081000-memory.dmp
C:\Windows\system\pUWcUrb.exe
| MD5 | 66f502175b4423f24a6f5f28fa91bb28 |
| SHA1 | 020f9b4c5a4c16ce41fb17ed6a730e15114c630b |
| SHA256 | 23e204cee1a3bb47fddf22b54e54fecb7cb8329c1933721b77ce5f306ada6c23 |
| SHA512 | aa60a203d32a4d414c720a74181d721bcdedac7d61db12ddbed833dda32d3223ca232bdeaf22aa1e0c794f3f8238e94023360bdb4822d8096f26e055402c8226 |
memory/2848-79-0x000000013F9C0000-0x000000013FD11000-memory.dmp
memory/1968-85-0x000000013F7B0000-0x000000013FB01000-memory.dmp
memory/1444-96-0x000000013F320000-0x000000013F671000-memory.dmp
memory/620-103-0x000000013F930000-0x000000013FC81000-memory.dmp
memory/1960-114-0x000000013FAB0000-0x000000013FE01000-memory.dmp
C:\Windows\system\xbbTrNC.exe
| MD5 | e41fd6f2cac962ef694117f017fd6392 |
| SHA1 | 485e01704d3bc5309b87941ee1853b00926647a5 |
| SHA256 | c866081489af3d012d1853e60aab0b6ac6ccbd68cf8b34dddb7ff44bcad27c91 |
| SHA512 | bb5cd7a841965f148e253979fe2c3a5762d10652613cc2ddaf14a407303dc321da000e2a51ea89df78db5d4c45f5ed093a284a0309e1786e93f5ed66c7c8404e |
C:\Windows\system\HtaNNkL.exe
| MD5 | 9dfccee05509e85c6991de8fbb4f1479 |
| SHA1 | 312c9b49cb075ae3dee531f002768b76ffc2ee8b |
| SHA256 | d87495ac6823b62442dc0783df97f5ab303d2870500d935a55282820b1f6329e |
| SHA512 | f74db84c76047a590da05a832ff7f1b20eeabd9f5482a39229882e8e6304ce10f00a11cc2b1fdc5d928216ad104f2b9cee1ade356e1355fcdc0dafe089467609 |
C:\Windows\system\muHxujU.exe
| MD5 | 588a6b77af6955a59d7a27ec87c44b23 |
| SHA1 | bead06a1f95df5ed4f2f0928a425f15271ba6886 |
| SHA256 | 3cfb9d079bc5fc54fc44227dc90cd88227f0f7bab7de9e405395f886daaae38a |
| SHA512 | 7b066d594a631e48b67e1f1346133530c8bb4f7ec1bfe41617d22d8857daa0e63347a666fcf6851f93ed06035a36307e79f8d0482c044d7d5f21f19c5bc52b30 |
C:\Windows\system\vSWSlpR.exe
| MD5 | 450d578f1f6d9fb578ce5b707a3c77b3 |
| SHA1 | 2e39149ce46adba90a730ea36ab37066a810d5f8 |
| SHA256 | ffd169d67da5991b1778f105201004ff4348fa01d07a237c8251085f2853b5cb |
| SHA512 | 2d745272087a9140b6d9f13c078e4bf35f5d6a3eff8c3d772134f2735e2e9c5548de3643134412f7ac3426bed901489985cb428d60ef0144cfdfb0933317f6c1 |
C:\Windows\system\fNjIMJU.exe
| MD5 | ad1484d9b4eca25978da34e84bfb13bc |
| SHA1 | 599788ec0842752b412b8bab67b396ca820797e8 |
| SHA256 | 0d92082e26b3c56c6894a83b0171d86b5f2a001f8cd9cf2f8c45ef623b9f3181 |
| SHA512 | 7d726f76efe9d7ff06b4e080ac07f81622990cbf397c0cee32e97e3587dced4cc103c74bdd9c45a42a7ae7cf3d3ab8267e88a0a7bf889a2099c468180ed39ea0 |
memory/1968-119-0x000000013FB00000-0x000000013FE51000-memory.dmp
memory/2468-144-0x000000013F750000-0x000000013FAA1000-memory.dmp
memory/1968-143-0x000000013F750000-0x000000013FAA1000-memory.dmp
C:\Windows\system\bypQvlN.exe
| MD5 | bb9ea8b3d0f8555ded8c97a84db6c744 |
| SHA1 | 3b15ae12a23f0ec20511d7777cbaead66497ea4e |
| SHA256 | 978bf47cd74973eeb4254fb7b5d11d47623a8cefd1f58252f6a95e2fd4db80aa |
| SHA512 | b40f588e1f69ec45974c6dd1289820d119b80baa6561b1cf8eb4fd5a31becf22330f3d4a2a520a68c59828dabcbf236ac0972f6c86e1aac2a5c58d7aff47011f |
memory/1968-110-0x000000013FAB0000-0x000000013FE01000-memory.dmp
memory/1968-102-0x000000013F930000-0x000000013FC81000-memory.dmp
memory/2608-101-0x000000013FD30000-0x0000000140081000-memory.dmp
C:\Windows\system\Nrwktlg.exe
| MD5 | f7ffc246f246462b25768cc6acb30d6d |
| SHA1 | 646648a085d15a2dace928e3a3026ec69b3f6ceb |
| SHA256 | 2c82350af3cd30bf457e0e993be9e257d73190a83addf036f7ba6450d2c61f6f |
| SHA512 | eda5ad683a4111507599164c068033e868ac1e7592ee64fa19a4d170047cfd3c5e6f347edf5bdf1fe5f3e951ab9b84a1f45e63fad67ba18752724e837440a98f |
C:\Windows\system\IkOxmuX.exe
| MD5 | badb60d76f13bc8fa1084486fba315bd |
| SHA1 | a08eb8112d2a7ef7408faf5aa4a19f89b113c8c7 |
| SHA256 | a5b929fa61b9319702d78a947a663824d430a37fafeef627c190ccd4b1a77a0e |
| SHA512 | affa579ef281b30493db35b1454dbd97bf38f4a3e02a27706fdd8351f65f5285ca98a00410a3792c690c59a6541ae1356ceda91e744d60985d74f2fe734ca7bd |
memory/1968-95-0x0000000002250000-0x00000000025A1000-memory.dmp
memory/2096-94-0x000000013FA60000-0x000000013FDB1000-memory.dmp
memory/1632-146-0x000000013F7B0000-0x000000013FB01000-memory.dmp
memory/1968-145-0x000000013F7B0000-0x000000013FB01000-memory.dmp
C:\Windows\system\uhDTbXy.exe
| MD5 | ec86b75bd3c93ceee97b392dea4a032a |
| SHA1 | 24cc0ea7ec49e6a9174273767fd478d61b07f638 |
| SHA256 | ef7c2bc20f5b01f7ff4cd9a9b5029938c677120f8470eedc5b008a9552dd4aea |
| SHA512 | aa89d459c56898b7f6b25f18072b6ffc40eb9c3d676e8289d2e17cb77956a9067224fc9e56f4a968ee804f19387d9cae39a64cb1856b90026a8635d22ee44ec7 |
memory/2840-87-0x000000013F780000-0x000000013FAD1000-memory.dmp
memory/1632-86-0x000000013F7B0000-0x000000013FB01000-memory.dmp
memory/2816-84-0x000000013F750000-0x000000013FAA1000-memory.dmp
C:\Windows\system\EbgwMhx.exe
| MD5 | 864801ef498e802017e001cf0259ca43 |
| SHA1 | 53a58c1a55d877afb228e9513707efc3b0c0a668 |
| SHA256 | 7c32fe53132304a35e7dac7f7697696c018d2f9ebc049a55245d4b202a49c8c0 |
| SHA512 | da641845eb21ce8a35eff5f262710ebe734a305c769ce08922a8285fba2251dc3b3e9230d2e07e0da5ee90089be7b1f11374b8adbb883e6c53b8e810db96e2f4 |
memory/2468-78-0x000000013F750000-0x000000013FAA1000-memory.dmp
memory/1968-77-0x000000013F750000-0x000000013FAA1000-memory.dmp
memory/2188-69-0x000000013F8F0000-0x000000013FC41000-memory.dmp
memory/1960-68-0x000000013FAB0000-0x000000013FE01000-memory.dmp
C:\Windows\system\yYLuOja.exe
| MD5 | 5cb04d47d2f6e6b3cd4f9fefab80e30a |
| SHA1 | 0b8a8fd2b9dd3809e1b763b4c7d6fa3d6a91a3a4 |
| SHA256 | dda3e036ce6d478f9a3ee46668e40a551c80e184d9a185753a11ea7be9b2822e |
| SHA512 | 097a257fe54edf6594bac0d8b4ae2331624005839feae6a45c0fba12cc6ddbda77a961852af188b48f9981ba5a9cd6c62021ba705f2f68aaf9fcaf0709a9e4e2 |
memory/2052-63-0x000000013F180000-0x000000013F4D1000-memory.dmp
memory/1968-62-0x000000013F390000-0x000000013F6E1000-memory.dmp
C:\Windows\system\cbuVYEi.exe
| MD5 | 586d8690616d8d9411dfb3e50c701159 |
| SHA1 | 4a56ec116d0d194a8154057379630e5251d5d081 |
| SHA256 | 9c4262d33206a47fcebfc2bc6477a7ae38d0bf3414cdc88f55adcf3f38dfee5b |
| SHA512 | 0211bf29552541a73050fbcc53d286dcbca3c3242a1714ba8147ce30c1e2ef2c257712863d03d753a9fa7a6924d9380051334ab8ff5993d2b7d795747db36f53 |
memory/2096-54-0x000000013FA60000-0x000000013FDB1000-memory.dmp
memory/1968-53-0x000000013FA60000-0x000000013FDB1000-memory.dmp
memory/1444-148-0x000000013F320000-0x000000013F671000-memory.dmp
memory/1968-147-0x0000000002250000-0x00000000025A1000-memory.dmp
memory/2840-49-0x000000013F780000-0x000000013FAD1000-memory.dmp
memory/2816-47-0x000000013F750000-0x000000013FAA1000-memory.dmp
memory/1968-45-0x000000013F750000-0x000000013FAA1000-memory.dmp
memory/1968-44-0x000000013F780000-0x000000013FAD1000-memory.dmp
memory/2848-42-0x000000013F9C0000-0x000000013FD11000-memory.dmp
memory/1968-40-0x000000013F9C0000-0x000000013FD11000-memory.dmp
C:\Windows\system\izCZMsm.exe
| MD5 | d54f80a23e9bc31c5e58a8f57328cbdc |
| SHA1 | aa08fd7efc06e7c1101eb4d3ef0f6c68f19e7a84 |
| SHA256 | c9a884ec294695845a89c36d847e484fa2d8c49a47cc108be6c4784e57d9b7aa |
| SHA512 | 2d871492c6fda64b34758c48de19a9b523cb16937cec45f7cae62f16378ced65a160e3ee589a8c87e437159d47546fda86ac9841548ab79b26123dfbc82b2450 |
memory/2188-28-0x000000013F8F0000-0x000000013FC41000-memory.dmp
memory/1968-27-0x000000013F8F0000-0x000000013FC41000-memory.dmp
memory/620-150-0x000000013F930000-0x000000013FC81000-memory.dmp
memory/1968-149-0x000000013F930000-0x000000013FC81000-memory.dmp
memory/1968-151-0x000000013F390000-0x000000013F6E1000-memory.dmp
memory/1888-167-0x000000013F440000-0x000000013F791000-memory.dmp
memory/1656-170-0x000000013FC30000-0x000000013FF81000-memory.dmp
memory/2156-172-0x000000013FC60000-0x000000013FFB1000-memory.dmp
memory/1788-171-0x000000013F8F0000-0x000000013FC41000-memory.dmp
memory/2788-169-0x000000013FE70000-0x00000001401C1000-memory.dmp
memory/1796-168-0x000000013F710000-0x000000013FA61000-memory.dmp
memory/2028-166-0x000000013FB00000-0x000000013FE51000-memory.dmp
memory/1968-173-0x000000013FB00000-0x000000013FE51000-memory.dmp
memory/1968-174-0x000000013F390000-0x000000013F6E1000-memory.dmp
memory/2052-223-0x000000013F180000-0x000000013F4D1000-memory.dmp
memory/2312-225-0x000000013F450000-0x000000013F7A1000-memory.dmp
memory/2520-227-0x000000013F500000-0x000000013F851000-memory.dmp
memory/2188-238-0x000000013F8F0000-0x000000013FC41000-memory.dmp
memory/2848-240-0x000000013F9C0000-0x000000013FD11000-memory.dmp
memory/2816-242-0x000000013F750000-0x000000013FAA1000-memory.dmp
memory/2096-244-0x000000013FA60000-0x000000013FDB1000-memory.dmp
memory/2840-246-0x000000013F780000-0x000000013FAD1000-memory.dmp
memory/2608-250-0x000000013FD30000-0x0000000140081000-memory.dmp
memory/1960-249-0x000000013FAB0000-0x000000013FE01000-memory.dmp
memory/2468-252-0x000000013F750000-0x000000013FAA1000-memory.dmp
memory/1632-257-0x000000013F7B0000-0x000000013FB01000-memory.dmp
memory/1444-265-0x000000013F320000-0x000000013F671000-memory.dmp
memory/620-267-0x000000013F930000-0x000000013FC81000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 11:52
Reported
2024-10-25 11:55
Platform
win10v2004-20241007-en
Max time kernel
142s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\WRCrTZM.exe | N/A |
| N/A | N/A | C:\Windows\System\IfoXNPv.exe | N/A |
| N/A | N/A | C:\Windows\System\DAJywEL.exe | N/A |
| N/A | N/A | C:\Windows\System\UFEadOY.exe | N/A |
| N/A | N/A | C:\Windows\System\zazUhRg.exe | N/A |
| N/A | N/A | C:\Windows\System\nUaBubK.exe | N/A |
| N/A | N/A | C:\Windows\System\BYlYOda.exe | N/A |
| N/A | N/A | C:\Windows\System\onrdWxS.exe | N/A |
| N/A | N/A | C:\Windows\System\eMukEVk.exe | N/A |
| N/A | N/A | C:\Windows\System\BvgkdvE.exe | N/A |
| N/A | N/A | C:\Windows\System\ckrSBeV.exe | N/A |
| N/A | N/A | C:\Windows\System\vBUmsPf.exe | N/A |
| N/A | N/A | C:\Windows\System\Aibevck.exe | N/A |
| N/A | N/A | C:\Windows\System\pwBOzQv.exe | N/A |
| N/A | N/A | C:\Windows\System\HIzvhJz.exe | N/A |
| N/A | N/A | C:\Windows\System\EqKWsQU.exe | N/A |
| N/A | N/A | C:\Windows\System\szvHRHA.exe | N/A |
| N/A | N/A | C:\Windows\System\rqewCzZ.exe | N/A |
| N/A | N/A | C:\Windows\System\QvjVCbl.exe | N/A |
| N/A | N/A | C:\Windows\System\MTJxnJH.exe | N/A |
| N/A | N/A | C:\Windows\System\SmicNvk.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-25_d33b7b6e1fe0157278f9d593267e2d83_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\WRCrTZM.exe
C:\Windows\System\WRCrTZM.exe
C:\Windows\System\IfoXNPv.exe
C:\Windows\System\IfoXNPv.exe
C:\Windows\System\DAJywEL.exe
C:\Windows\System\DAJywEL.exe
C:\Windows\System\UFEadOY.exe
C:\Windows\System\UFEadOY.exe
C:\Windows\System\zazUhRg.exe
C:\Windows\System\zazUhRg.exe
C:\Windows\System\nUaBubK.exe
C:\Windows\System\nUaBubK.exe
C:\Windows\System\BYlYOda.exe
C:\Windows\System\BYlYOda.exe
C:\Windows\System\onrdWxS.exe
C:\Windows\System\onrdWxS.exe
C:\Windows\System\eMukEVk.exe
C:\Windows\System\eMukEVk.exe
C:\Windows\System\BvgkdvE.exe
C:\Windows\System\BvgkdvE.exe
C:\Windows\System\ckrSBeV.exe
C:\Windows\System\ckrSBeV.exe
C:\Windows\System\vBUmsPf.exe
C:\Windows\System\vBUmsPf.exe
C:\Windows\System\Aibevck.exe
C:\Windows\System\Aibevck.exe
C:\Windows\System\pwBOzQv.exe
C:\Windows\System\pwBOzQv.exe
C:\Windows\System\HIzvhJz.exe
C:\Windows\System\HIzvhJz.exe
C:\Windows\System\EqKWsQU.exe
C:\Windows\System\EqKWsQU.exe
C:\Windows\System\szvHRHA.exe
C:\Windows\System\szvHRHA.exe
C:\Windows\System\rqewCzZ.exe
C:\Windows\System\rqewCzZ.exe
C:\Windows\System\QvjVCbl.exe
C:\Windows\System\QvjVCbl.exe
C:\Windows\System\MTJxnJH.exe
C:\Windows\System\MTJxnJH.exe
C:\Windows\System\SmicNvk.exe
C:\Windows\System\SmicNvk.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4756-0-0x00007FF7A9690000-0x00007FF7A99E1000-memory.dmp
memory/4756-1-0x00000187A51B0000-0x00000187A51C0000-memory.dmp
C:\Windows\System\WRCrTZM.exe
| MD5 | 2a9d3c25d58f53e71529a30712a7da5c |
| SHA1 | 4dba39333b183840a78af07e5f6b39e2815066cf |
| SHA256 | 91ba557101cbb8e8944524609658fef9c37a65c6273dc235a713b7721939289f |
| SHA512 | 465a4904e58e576e05bbe07d141514b42d748e68089cda10f897e676f9d311a8a151adfbfe4d34eee889749ffd8b8f73678caae37c6c9aee0b434db1b61d9959 |
memory/4764-9-0x00007FF648E90000-0x00007FF6491E1000-memory.dmp
C:\Windows\System\IfoXNPv.exe
| MD5 | d7e7603ecc1017ca6159ccc2e5062079 |
| SHA1 | e327647005b9f9f9b8efd7b5da5134cc3b99b9b3 |
| SHA256 | c87fa5562d24cc2608a75befaabe0b9fc88ffce9643a1c13f55b0e26c6acafb6 |
| SHA512 | 4cfcd014b32bc6bbe54c92e4a72d93fbff319aa40182d5a4ac88aa1c3c61c58fb2c12436d3c32e0cde722de31ffd3d70736e67493228bc124d0223bc2fc5c528 |
C:\Windows\System\DAJywEL.exe
| MD5 | 496b17b255960d2c0154780c52244585 |
| SHA1 | 5abc43f03c3a5cc73b92eaf78baa1ff484ece05d |
| SHA256 | 0ff5a8161357bc1adb1038dd37c00d02fa054c6e899be05728f9d278d1de4646 |
| SHA512 | b495b6254f50ae6c0a54fbf5f06ab3d0358b6d7e3a05bc2c0e680dfef649f8aab234fe0f089b7dd0cf31170b6de3fb004b354ddce411cfd827c54701a73304cd |
memory/3000-14-0x00007FF782F30000-0x00007FF783281000-memory.dmp
memory/2716-18-0x00007FF779790000-0x00007FF779AE1000-memory.dmp
C:\Windows\System\UFEadOY.exe
| MD5 | 2293bb4b6a3971b4f4c458899c2b194b |
| SHA1 | 878b8888aaa637e2ad2e96fc723892c12395a039 |
| SHA256 | b99589a1126c52149f9eb546d8797a280eb9d71a888d6fc4a2393210864ebd01 |
| SHA512 | 8156c70edc6b6f2ae81875edfc1fd0f3af502e7e0c56068621d987694ddd932c90d0f41c0bb1af6d71c25f9759efc04fd9565c0bb722c6e38739912373a43598 |
C:\Windows\System\zazUhRg.exe
| MD5 | 3dc7b841075983cf7b28651dfa946bf8 |
| SHA1 | 266195a29b025cb34ddbce60d90ece7ea7ea3849 |
| SHA256 | 9a26e46568676c2126895689940d16bceb38a80c61752e25423c074627922635 |
| SHA512 | b682f249f9ff5742bf4a9e98f8aec2bc5b1af784a56195ccc47927e00607b026ce8d8708726bc25b0893d600941489181cb11729ff49652896d8a292211e006e |
memory/1236-30-0x00007FF7911E0000-0x00007FF791531000-memory.dmp
memory/4028-34-0x00007FF71D030000-0x00007FF71D381000-memory.dmp
memory/3764-39-0x00007FF6EC0D0000-0x00007FF6EC421000-memory.dmp
C:\Windows\System\onrdWxS.exe
| MD5 | 5bf3ecb47da7af8b90bfa63b59ceac67 |
| SHA1 | c0a98e367d9c9e17a95c1337e57bdd20574a8a25 |
| SHA256 | 1c74ba63945e604077fe225976d638c14e34870c07853ce4abb724cac56fbb88 |
| SHA512 | c6a67914543f714c7f8d526a5ce3fabe4857a69b6fca96b58988cbd708327fd82ad5609c9510656ba721ac6a6159f6ce10de4d58810b5002b0312c2f127a3615 |
memory/2360-47-0x00007FF7215B0000-0x00007FF721901000-memory.dmp
C:\Windows\System\BvgkdvE.exe
| MD5 | c0e53197663531b8a997711b327dcb11 |
| SHA1 | 83a601b0cc8de324f48777c9221fecb79bb48a91 |
| SHA256 | f3369068f4a9d15333c1f389ede8520cdeb94de02d91852437116e1805c9ab0e |
| SHA512 | b6dbf0becfe2c31b6f1e030b9aecd7a805a646b8c54deaece1703418345d29cb77e21145ec77dbc64009d6a31d747234333e2f725c5ef72c7099f5c4d13295a4 |
C:\Windows\System\eMukEVk.exe
| MD5 | 434d351eea9a1397dda6157c8b37b2b6 |
| SHA1 | bef27e60423fdcf1e3fca5ba8ed6e70377f32663 |
| SHA256 | be52405ba8362e2e5f41f5192ba8ee81c68fa5071902e767bfd199b7886f8052 |
| SHA512 | 5d5c6018efa9b12c356759c8988b25e068cd9307d7a00dc067b46f19fcaee4251902decadb42436913603a196fea9551a78377e486550147aa9821b28d26b943 |
C:\Windows\System\ckrSBeV.exe
| MD5 | 43cbee0d0fafd641511ca5588fb06080 |
| SHA1 | 7d5634537373ae9a33f7659bd16f63519466a726 |
| SHA256 | 5f87a6f28ac3f62092891f391f8ce56bc28a2c4cfd9108a35fb0e0d0dfddd8ca |
| SHA512 | 1a3d97181e1b59149de6c135bdd1546ff9b7687c164683ef50fd9bd61395f990c9f8a98cd959f5aa98582662109a1fbf03b2d052a4f3d46e69554eb9f95dc03a |
C:\Windows\System\vBUmsPf.exe
| MD5 | 43642a3f965c7043c0d267783141c507 |
| SHA1 | 15706fd02738dec99d7232b2b3bed7b431dc3a89 |
| SHA256 | 2b390360fec2ae653c3b6e54ed82fa0c988333eeceb0707cfc8d977e8e047aca |
| SHA512 | ef9f62c8b8fda9cfe69f662a65d6c4a0784b7b28ea63a95b6c7171b375e8567a19557153429000465cbf7498a8d00fdfd52751866890f8ad6f42626c77aecb82 |
memory/3752-73-0x00007FF6BBBA0000-0x00007FF6BBEF1000-memory.dmp
memory/2716-72-0x00007FF779790000-0x00007FF779AE1000-memory.dmp
memory/1776-70-0x00007FF7EE0B0000-0x00007FF7EE401000-memory.dmp
memory/3000-66-0x00007FF782F30000-0x00007FF783281000-memory.dmp
memory/208-65-0x00007FF75EB20000-0x00007FF75EE71000-memory.dmp
memory/4764-63-0x00007FF648E90000-0x00007FF6491E1000-memory.dmp
memory/3468-57-0x00007FF75CFF0000-0x00007FF75D341000-memory.dmp
memory/4756-54-0x00007FF7A9690000-0x00007FF7A99E1000-memory.dmp
C:\Windows\System\BYlYOda.exe
| MD5 | 1b15a58e83fc1c148b03de638712b0fa |
| SHA1 | f44812e37fb4b5c9887039f2d855aae3b1fa54f9 |
| SHA256 | 2d608cbb4d928089d6f8a41121a457d1dd84686b07bae0f2376a6409580cee1f |
| SHA512 | 52bfd8b1bf6ad1f77317206713ceca5022ff72f5a648852f9513a7b75243563173e379208727c815d235608cba7e28b89ee9771193c75b63a5473f10d5bf310e |
C:\Windows\System\nUaBubK.exe
| MD5 | 9124d618f93ab8ef7b2556b3644bcc23 |
| SHA1 | 569da2255fc2ed8aba6d2af8e9c586bdc6755bbb |
| SHA256 | 334a292b7c2ed2f325b05f553dd9867ba8711a800f01d16cecceab7652bf3e01 |
| SHA512 | 1207d6219e698e02a887bcdde1c7f20c90b54a2c0fe58ce0e7699332c099e32b6b5169988559cb1bf84a2bec16182da5f01407476548e37f0497ed83ab9fd681 |
memory/3804-40-0x00007FF642350000-0x00007FF6426A1000-memory.dmp
C:\Windows\System\Aibevck.exe
| MD5 | d103042c8f0210620305b9797c055cfd |
| SHA1 | de9ac4cbcea0fff593c56fdc914b641b23476490 |
| SHA256 | adec7bab2d1b37fc5ff8d3b3dc6680aa5e3408e60a9647b1478b4686398cd4a2 |
| SHA512 | d029fab067b5c7fcd73046eeef304a435408097d5282acabe420dfd7d8bbe95a7cb4bbc1fa4201f0d6ba75837184fa06e28ec8d84a7c74ebf1fc7974ff172fcf |
memory/3764-85-0x00007FF6EC0D0000-0x00007FF6EC421000-memory.dmp
memory/3856-92-0x00007FF79FCB0000-0x00007FF7A0001000-memory.dmp
memory/3804-96-0x00007FF642350000-0x00007FF6426A1000-memory.dmp
C:\Windows\System\HIzvhJz.exe
| MD5 | e79023d6c905ec09cb9b70941a36ae36 |
| SHA1 | 96e36e5c848ac48af1e5c30d322c9f5a8afb799e |
| SHA256 | 3eae3e8cebc52c0c6cbb82bb68cd13b1e43c9c1c72a1c4e76741416a17e45e11 |
| SHA512 | 2448d83be3d2c3a47469580f58aea6d7f9fe7d8fc2d9150cee1dd066e251bf43cdf04641529a3208c5315a661b293ccf6e3da8aa2317a028d227f6c399813903 |
C:\Windows\System\EqKWsQU.exe
| MD5 | 6cdb8f380c0a0163e9967b6a8478e04a |
| SHA1 | f7d34ef43a7273680cb31645d634839d815ee54f |
| SHA256 | 064fcaf1e8af7da83f70788f3e9ffffdcbe23eda486788908b58f862e3c0e804 |
| SHA512 | 1b607d21c9b7a3b84d07c7fa3cee8fc2cb8d82148b351f1817ac6436dd0e1a2f87d2ab8cdcaa5bd51f41cfff69c308c30402d39a1544ccb7bc45f9904a1a7cdd |
memory/208-113-0x00007FF75EB20000-0x00007FF75EE71000-memory.dmp
C:\Windows\System\szvHRHA.exe
| MD5 | 065ff471c444ffe026bcdc2134c88d16 |
| SHA1 | aa6ffacb0db804f25dc1537a0a10bd5107bc1e32 |
| SHA256 | ae8f62e1fadb0c5c43756ad2c41d6ebdebc0bdb14f4e947b2142583d2ee544fe |
| SHA512 | 09bf4fd95c757b8586f351684cafc1a39914e3d8377d38b92e18802ab4422b4da2020aadbca0ec49e5c2aa0aed103142362b7e68dcf421c5f707e3b1e00f348b |
C:\Windows\System\MTJxnJH.exe
| MD5 | 1830477be1ffd84727037558535ea630 |
| SHA1 | 4faadb4e222e062ba1ed1e121ae0d8d008977801 |
| SHA256 | 72bd094ad9cfa69e45b6aee2a3e12d723688b47ab681d4369c659cbaab75f74b |
| SHA512 | 8d43193b355d05efdc6a63897c5e965d4093d9a05ebec0bd2b0c4026e59a695ceab658ea1478544792405c8e8c546003b57fa5bcfd92e55ff9ed92501a2180e2 |
C:\Windows\System\SmicNvk.exe
| MD5 | 2fc40aed2432a24d5d0cf2e967cb740d |
| SHA1 | 9c195c05bf50569fd7f792096b8ae25abb8ce9b7 |
| SHA256 | d5a249d4063262f852db3b168c551db9efecadb328e3ee8509d422fb6fc2dbf8 |
| SHA512 | 0be5f65b8f3dccb0747ed78a92c0cb7d6eceda0a2c1d5d1f4498606df6fec9bb160b44ceb1e981925ce4b8a4d1e535fa3c31d52487ca74a26f2d27837babbc87 |
memory/3648-135-0x00007FF797260000-0x00007FF7975B1000-memory.dmp
memory/3752-134-0x00007FF6BBBA0000-0x00007FF6BBEF1000-memory.dmp
memory/3080-133-0x00007FF6A1CC0000-0x00007FF6A2011000-memory.dmp
C:\Windows\System\QvjVCbl.exe
| MD5 | 13cba1e97417690f79ea0f7ac74a582c |
| SHA1 | 41ac0f876647fac78e20ac88501dafc860a734a6 |
| SHA256 | 410f3ec0e9d04ee699d4cd6336b3097f8721ffdb4a0c34bc2bbc9a15ce7008a3 |
| SHA512 | 15c5dff7f689f68ed8283d741baed4dc43f87c1fbc3cb1589334652cc23fed3866f1436ec1230354a7cef8543569ab2c66d2d996115542d7ed5d9f35679fb1b9 |
memory/1432-129-0x00007FF667BE0000-0x00007FF667F31000-memory.dmp
memory/1776-128-0x00007FF7EE0B0000-0x00007FF7EE401000-memory.dmp
C:\Windows\System\rqewCzZ.exe
| MD5 | 6c3e621ec6e4228e7f1994e2743a3c85 |
| SHA1 | 7a97532bbc76cc25844bec695d4415d455728716 |
| SHA256 | 3e93393d9cbf89f919a576632a8d43512679877f5e7a7dee883e16d9b86d6089 |
| SHA512 | 3710213e69216af4e3c2903e354d38982d67b45ee69ad0be81535b0acf82b87cd50d730429de50e87cb0676540ab24e6d54090e9b57a3f784d1cad6d33f85281 |
memory/4404-120-0x00007FF6FCD40000-0x00007FF6FD091000-memory.dmp
memory/3376-114-0x00007FF639F90000-0x00007FF63A2E1000-memory.dmp
memory/3468-112-0x00007FF75CFF0000-0x00007FF75D341000-memory.dmp
memory/2284-103-0x00007FF635450000-0x00007FF6357A1000-memory.dmp
memory/2360-102-0x00007FF7215B0000-0x00007FF721901000-memory.dmp
memory/2420-98-0x00007FF744B60000-0x00007FF744EB1000-memory.dmp
C:\Windows\System\pwBOzQv.exe
| MD5 | 04c371aca299b2c8dc64bee20cc050f9 |
| SHA1 | 4957578b11fd55eb6ed5472267c9931303206b11 |
| SHA256 | c25d26e41792ae0b08b35d60c2e425169e4f409c53d4cc2f5220a6cac92c9a67 |
| SHA512 | 778c09a309008d1a1845ad0a3a611384557d67c9764ecbcc6494b5d9be4c2f01c44fa4fbfc9faca4a5e68cd466a61e7a64c4c65e93d82ea155059277e3e80a97 |
memory/1696-91-0x00007FF63ABC0000-0x00007FF63AF11000-memory.dmp
memory/4028-82-0x00007FF71D030000-0x00007FF71D381000-memory.dmp
memory/1696-144-0x00007FF63ABC0000-0x00007FF63AF11000-memory.dmp
memory/4756-140-0x00007FF7A9690000-0x00007FF7A99E1000-memory.dmp
memory/3856-154-0x00007FF79FCB0000-0x00007FF7A0001000-memory.dmp
memory/2420-155-0x00007FF744B60000-0x00007FF744EB1000-memory.dmp
memory/2284-156-0x00007FF635450000-0x00007FF6357A1000-memory.dmp
memory/3376-161-0x00007FF639F90000-0x00007FF63A2E1000-memory.dmp
memory/3080-165-0x00007FF6A1CC0000-0x00007FF6A2011000-memory.dmp
memory/3648-166-0x00007FF797260000-0x00007FF7975B1000-memory.dmp
memory/4404-167-0x00007FF6FCD40000-0x00007FF6FD091000-memory.dmp
memory/1432-164-0x00007FF667BE0000-0x00007FF667F31000-memory.dmp
memory/4756-168-0x00007FF7A9690000-0x00007FF7A99E1000-memory.dmp
memory/4764-217-0x00007FF648E90000-0x00007FF6491E1000-memory.dmp
memory/3000-220-0x00007FF782F30000-0x00007FF783281000-memory.dmp
memory/2716-222-0x00007FF779790000-0x00007FF779AE1000-memory.dmp
memory/1236-232-0x00007FF7911E0000-0x00007FF791531000-memory.dmp
memory/4028-234-0x00007FF71D030000-0x00007FF71D381000-memory.dmp
memory/3804-236-0x00007FF642350000-0x00007FF6426A1000-memory.dmp
memory/3764-238-0x00007FF6EC0D0000-0x00007FF6EC421000-memory.dmp
memory/2360-240-0x00007FF7215B0000-0x00007FF721901000-memory.dmp
memory/3468-242-0x00007FF75CFF0000-0x00007FF75D341000-memory.dmp
memory/208-244-0x00007FF75EB20000-0x00007FF75EE71000-memory.dmp
memory/1776-248-0x00007FF7EE0B0000-0x00007FF7EE401000-memory.dmp
memory/3752-247-0x00007FF6BBBA0000-0x00007FF6BBEF1000-memory.dmp
memory/1696-256-0x00007FF63ABC0000-0x00007FF63AF11000-memory.dmp
memory/3856-258-0x00007FF79FCB0000-0x00007FF7A0001000-memory.dmp
memory/2420-260-0x00007FF744B60000-0x00007FF744EB1000-memory.dmp
memory/2284-262-0x00007FF635450000-0x00007FF6357A1000-memory.dmp
memory/3376-267-0x00007FF639F90000-0x00007FF63A2E1000-memory.dmp
memory/4404-269-0x00007FF6FCD40000-0x00007FF6FD091000-memory.dmp
memory/1432-271-0x00007FF667BE0000-0x00007FF667F31000-memory.dmp
memory/3080-273-0x00007FF6A1CC0000-0x00007FF6A2011000-memory.dmp
memory/3648-275-0x00007FF797260000-0x00007FF7975B1000-memory.dmp