Analysis Overview
SHA256
32bea1a93568beea3d28a9a57cb7c625f7aa8a84d756670959a8b37f6a8f066b
Threat Level: Known bad
The file 2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Xmrig family
XMRig Miner payload
Cobaltstrike family
xmrig
Cobaltstrike
Cobalt Strike reflective loader
XMRig Miner payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-06 12:06
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 12:06
Reported
2024-08-06 12:08
Platform
win7-20240705-en
Max time kernel
137s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System\ASvRXOq.exe | N/A |
| N/A | N/A | C:\Windows\System\EhUYiGb.exe | N/A |
| N/A | N/A | C:\Windows\System\PtQZTzm.exe | N/A |
| N/A | N/A | C:\Windows\System\ukNtExt.exe | N/A |
| N/A | N/A | C:\Windows\System\olIanOK.exe | N/A |
| N/A | N/A | C:\Windows\System\JfKcxEW.exe | N/A |
| N/A | N/A | C:\Windows\System\yrHxEXD.exe | N/A |
| N/A | N/A | C:\Windows\System\GkcZDwI.exe | N/A |
| N/A | N/A | C:\Windows\System\cmERpLK.exe | N/A |
| N/A | N/A | C:\Windows\System\VsyWXoJ.exe | N/A |
| N/A | N/A | C:\Windows\System\jlQPmhF.exe | N/A |
| N/A | N/A | C:\Windows\System\RVfEpwi.exe | N/A |
| N/A | N/A | C:\Windows\System\IENcHmi.exe | N/A |
| N/A | N/A | C:\Windows\System\wegBSYA.exe | N/A |
| N/A | N/A | C:\Windows\System\utVCfwk.exe | N/A |
| N/A | N/A | C:\Windows\System\mtrflqS.exe | N/A |
| N/A | N/A | C:\Windows\System\PZqwSKC.exe | N/A |
| N/A | N/A | C:\Windows\System\ddEVjBV.exe | N/A |
| N/A | N/A | C:\Windows\System\garHjPg.exe | N/A |
| N/A | N/A | C:\Windows\System\CtaXGKo.exe | N/A |
| N/A | N/A | C:\Windows\System\hnyOhwM.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\ASvRXOq.exe
C:\Windows\System\ASvRXOq.exe
C:\Windows\System\EhUYiGb.exe
C:\Windows\System\EhUYiGb.exe
C:\Windows\System\PtQZTzm.exe
C:\Windows\System\PtQZTzm.exe
C:\Windows\System\ukNtExt.exe
C:\Windows\System\ukNtExt.exe
C:\Windows\System\olIanOK.exe
C:\Windows\System\olIanOK.exe
C:\Windows\System\JfKcxEW.exe
C:\Windows\System\JfKcxEW.exe
C:\Windows\System\yrHxEXD.exe
C:\Windows\System\yrHxEXD.exe
C:\Windows\System\GkcZDwI.exe
C:\Windows\System\GkcZDwI.exe
C:\Windows\System\cmERpLK.exe
C:\Windows\System\cmERpLK.exe
C:\Windows\System\VsyWXoJ.exe
C:\Windows\System\VsyWXoJ.exe
C:\Windows\System\jlQPmhF.exe
C:\Windows\System\jlQPmhF.exe
C:\Windows\System\RVfEpwi.exe
C:\Windows\System\RVfEpwi.exe
C:\Windows\System\IENcHmi.exe
C:\Windows\System\IENcHmi.exe
C:\Windows\System\wegBSYA.exe
C:\Windows\System\wegBSYA.exe
C:\Windows\System\utVCfwk.exe
C:\Windows\System\utVCfwk.exe
C:\Windows\System\mtrflqS.exe
C:\Windows\System\mtrflqS.exe
C:\Windows\System\PZqwSKC.exe
C:\Windows\System\PZqwSKC.exe
C:\Windows\System\ddEVjBV.exe
C:\Windows\System\ddEVjBV.exe
C:\Windows\System\garHjPg.exe
C:\Windows\System\garHjPg.exe
C:\Windows\System\CtaXGKo.exe
C:\Windows\System\CtaXGKo.exe
C:\Windows\System\hnyOhwM.exe
C:\Windows\System\hnyOhwM.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/580-0-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/580-1-0x00000000002F0000-0x0000000000300000-memory.dmp
C:\Windows\system\ASvRXOq.exe
| MD5 | 7c83f353d6dc5058ca5ddae197b470f9 |
| SHA1 | e362d2f3f21deabbf3a2206cb2d08145a9ef0908 |
| SHA256 | e5f4c4d7a7c8096bbdbc727c1b2828264b78ced1ddf0d138961f6d8deae926f5 |
| SHA512 | 6778a27113b8090b6211c7a32d17ace17fbd85adf4ca6cd21f84870740050e27f1cd7e6bf59934727054dfba6a0e2b130bddace2b61fcb5d29b31be4bfe5f36c |
C:\Windows\system\EhUYiGb.exe
| MD5 | ae69e6aa8225c49404439e691027c83d |
| SHA1 | 4f6bd4fccc6aaedcfa7817c16caac94f30322976 |
| SHA256 | 7d7e861fbb6e39dab5e81187228fe8bb9e757c052f195bb1bf33276b9defda37 |
| SHA512 | f95a555564d37db7eafb71815882fa474e95ec154092a76e618428d14beda37f26f61ca623e64d38b553d0c6cca7fe369e4eb544d41bd1272c59532ba9373e99 |
C:\Windows\system\PtQZTzm.exe
| MD5 | 50b70111e3dbe93d51a2416346b5e21a |
| SHA1 | 14733ab9b1ca2ac9cde946b23ced833d96c48b3c |
| SHA256 | f941c35e7ffb960c95783f38f7366c3943c90397b95a5ab79c56425eec37712b |
| SHA512 | bd04cfa61ad1e98d9e6e1b4fda4ebde8dbb297c8d1bf605dbd0d38e3f0ebe98592caa93f3c15cb988e0734d6bbc4d38feb343ee86b4d9138ac4579af769c6392 |
C:\Windows\system\ukNtExt.exe
| MD5 | 2f7787620b9f92d80e4e2d7666f8ee8c |
| SHA1 | add5f2427b10b823e04c4bfdfaef2058e40deffb |
| SHA256 | 9a42abf7afc2ed18b797fab03e50c3bcee4afdd10b4f2704f7b9e0cca1ffed66 |
| SHA512 | 92ab0043b6f49895bda68a7cd2461fe59e18065f443b7d28e72d3fb9d7dc7bc846482c0b61b4086e363164f42e914154c31be9343ec9b03208cdbe7c559a5391 |
C:\Windows\system\olIanOK.exe
| MD5 | 2cb5a8e79f1dca0403b47c884f58a7f9 |
| SHA1 | 9d7937e461eddbf19d9342d85f025c01a36cb042 |
| SHA256 | 3c363f36cfbe60fadce8b2aba6795925c0e81c114b5fb7ffb7ef80add356d2af |
| SHA512 | 68969ddedb67420c323c23b849f5a8555db5c63638d64ef359ed89d9df2853746361a6c5a5dde1f1ce6b7eed78596faf2e4a996b5d78ac49afcbaa33d327cebe |
C:\Windows\system\JfKcxEW.exe
| MD5 | 93ca485934cbc377bbd92ec2654623bb |
| SHA1 | 475bc6d013d367c3eb1ebb433b79f8a76b5106bd |
| SHA256 | f82a770dea355660e9d08ff45de4929673da45760270565ca5ac7aaff24507cb |
| SHA512 | b1b3f02a810959865312fac706e305df1552933d0202e1e486925507d2754540f936a211166df4c96a1a3431658c062373545f93ff678597ef0c909a670641c1 |
C:\Windows\system\yrHxEXD.exe
| MD5 | 6f07594b617371f3c99c6aa9a7eeb9bf |
| SHA1 | 6b6821936856d719cc3b3710f818f6ebff149812 |
| SHA256 | 751e6d7985c1e120356f0beb3075bd297e41305bf040e46f9211110a116b7275 |
| SHA512 | 5fe8bc1a7f0c59cda145b0cc6786f490e3dfdc16087fac6714d87fa279a6bfcacfb267b7cc25913ffe231ee0c712cb35f3b5889bc718705639a6b975e1776008 |
C:\Windows\system\cmERpLK.exe
| MD5 | c0ca1cb139a08d15bbae934e8e725735 |
| SHA1 | ba62cfaa25621ae2c5cee34172cd722b695d30b1 |
| SHA256 | eb4689c6ac6fce946308d9b6a3f48d79c6600dc111da578c2a2b124ca23fed99 |
| SHA512 | 008b2f6f9dd668202610e92e8aa2af68ecf1d340bb27ec13dc9765e45cd1f54f55ba11fd26fd747d8bf85dbafd0fb3feff819c56c8b9430e3b9c5f341af7d909 |
C:\Windows\system\RVfEpwi.exe
| MD5 | 657f677173fa13dd31f89eee55db4753 |
| SHA1 | fc99fd7cb52d69675f3d659b4bdc1ccbb873087a |
| SHA256 | 948b76066a31d3b2ae077a667dbc292fb99e5309c6622e4cda3888deaaf89dd3 |
| SHA512 | b647b8ef39a1ea165cfb00e6f9fb7e1f2ee9ea32accde697981a0247be6ce003dacec9c2ca41d006bbc0240c89f0d9e5b9ce1cbc7f09a27c793cb74d324fbda0 |
C:\Windows\system\wegBSYA.exe
| MD5 | 29a658535231f3d16a4b0c88de809d50 |
| SHA1 | 7ef6db8ec6ce0368c174f6821554709eb6334e64 |
| SHA256 | d369992c76f9742aa4ee432561b83297a998a46e1c2045187f625ac8066bd300 |
| SHA512 | 99b3e64b23e374508c1bc85018796701762b2241aa96ce123c935fd760c42f24b26d59be2c8a60a5bafae8e0c38d1e542eaa9f37b994853d10f69ad6bb530fbd |
C:\Windows\system\mtrflqS.exe
| MD5 | 4b68e6f3144dba8b8498a107b8ed37e9 |
| SHA1 | 62f61955d691e7eb4199fb3468f1799a6646bb76 |
| SHA256 | 298d21c2aaf8afdafe5225ec7b2ddb5288be0c1ce5cdf41c2e42aa546cfdd4a2 |
| SHA512 | 66087a61b36d2b6b9c51fa9749037fcadb917867ea01830560984f2453442fef83833f1c7a48f40439e9626e7899e06b22f3b489dd7c1b51b9d7243e8666c4a7 |
C:\Windows\system\ddEVjBV.exe
| MD5 | 734b98f4d4998854eb433f8a24c6e1b0 |
| SHA1 | d4cbad53cd4dd966665597461080de0e36010af4 |
| SHA256 | f46d7734af46456ae89f3d3a22f1b4bb2cc260134984e8edfe01453c0867fb61 |
| SHA512 | 0083a58495f94b63fe6456f0cf7c9187ddcbf12022fbe723f3952d4b74f2c308d5c50139c5b5206767fb869eaeb05dfe46b5504abf277e404679c0ef8b6dd931 |
C:\Windows\system\hnyOhwM.exe
| MD5 | 569419634d0be927c0cfb8b80fcf5cb3 |
| SHA1 | dfbe0b2858d4aedff9d49fe54f75b25d69dac5f7 |
| SHA256 | d97c199b5b1e0228f60226666cd75fbc8ca4245247c14c23f9ade9ab3c7b8544 |
| SHA512 | 6b8473f18585928aef31e177a88df20effecab7b2596a2498fc1f6ece87e852903c1c2444d9d6f4a7e973087b527ceab70b6c6aef52abae599720d0b38caa86b |
C:\Windows\system\CtaXGKo.exe
| MD5 | 52ad15e1e582efcc301a18a922f4119b |
| SHA1 | d20229daffca6c56a9b977ba037afc71075fa6c0 |
| SHA256 | cf6ee595cef2fc141df9c127ee56b6fbe5d2d74cdfab44d721d19699773dda2c |
| SHA512 | 2ba7bf9bcfcf0aaef698cdddcf0edff360bd724b96235db73c30eeb4cc02ebc970132215f80f28e891e7c772d707a224368187c43ab0eedc7076fc812b95148e |
C:\Windows\system\garHjPg.exe
| MD5 | c5bb27618f206066ce0061259a68ad23 |
| SHA1 | bd03e9c41747688c726105e1fd8f31fc0e361bcd |
| SHA256 | 98cf7ec8b457cc4388406fbe174f2cf3392d15566bdca33d83a53b4680b8aed1 |
| SHA512 | 8d48653beed9b16aac0cbc4dbdb15af2a2b055632031fcc9c43e87e506b265dc8dc8803bd60ecd3f04f3148a7c57b475ac41e4ac572a79aa92ca407510758eee |
C:\Windows\system\PZqwSKC.exe
| MD5 | a72f851113baac2b17a2364dcddd3fc6 |
| SHA1 | 07e693ee433466b5ea4fe23c3f1f10a691cbd35b |
| SHA256 | 30022aeb2839ccb3422204ce06acc337a5155a97f55031116c78a40a46818951 |
| SHA512 | 592e06c267dac3f585e32453b6f70807c74b21821cba07f511e1dd8de9409960cfcd2d764e043021894f14d74b37d3836e87b1bc4f34dd7a284ff3b03319f4a5 |
memory/2208-111-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/580-110-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/1204-109-0x000000013FCF0000-0x0000000140044000-memory.dmp
memory/2444-108-0x000000013FE80000-0x00000001401D4000-memory.dmp
memory/580-107-0x000000013FE80000-0x00000001401D4000-memory.dmp
C:\Windows\system\utVCfwk.exe
| MD5 | 7b5d27a6e78f149d973b6bf2fb59fb63 |
| SHA1 | 2a4e3c72ac223e651b0cce47dac6ac52c4a9673e |
| SHA256 | d10b92570141431b66d8a7880c874e69578f9362a8c0ba5d78605ea7cc296ab9 |
| SHA512 | 875d1cc0c28b35945f69e88e6a63d15819609155f2b3a99810bf059ce5cf3a0e89f198d0141282fdedc5a3b61d8b1c8797bd91ac8ed469f3e2366ab610f619a6 |
C:\Windows\system\IENcHmi.exe
| MD5 | 7a6025f2e07abd5c1882cb4230576d27 |
| SHA1 | ef59ce8576611562a3af74a0474c956fbf82f202 |
| SHA256 | f593f9ab5ad44c57cefde3810afbd376804c8e7cf981b57cba0595b5d57c1d27 |
| SHA512 | cf24b70636e279c88569d9b8dc3b93ba06bc472b3931a0ed1a695cfabe78e090201d01fe5ca5f721b8c4b6f6943a43142ff5fc936a2e62c881339fc95858b688 |
C:\Windows\system\jlQPmhF.exe
| MD5 | 1cf70adec0dbf8f532de4ca496e7eaa5 |
| SHA1 | b15f28382dbbc1e93738505b46576e4c86dec30b |
| SHA256 | d839ec372cf53208bc0a06af07cd318bd9b246c6cc9570d527d15aa0c8e8129a |
| SHA512 | 551bf6211e9c2899c41c51fa9daa8dfe21a8b4bf293e03451ef664963c93f52ba6d4d4afda1f71b7882096fe6c6bac176f92f72be493363d20b9a8b2005f34e6 |
C:\Windows\system\VsyWXoJ.exe
| MD5 | 3787967d1659281201d717f9b89c193b |
| SHA1 | dfa2fbc728ad81cb79fe49dbb705b157f4dcb399 |
| SHA256 | 5ef97ebd77d883f2a1a26327d2fd617b74dd664746c1ef4ee10e0f27f1e7b401 |
| SHA512 | edc52f57e3455486a1de3284b7f780cd18a5fa3ff54380bb34e1528946f3a95834e8b216991384994f16c8939a617a77c0e10181aa53af712dc773be7e9a5656 |
C:\Windows\system\GkcZDwI.exe
| MD5 | 1cfdeaf77c5e6a0a577ecdeda629914e |
| SHA1 | 61a7b08e6158348a04e78c285173c705468b24c2 |
| SHA256 | 43150abccf42a17fa5835d110df78087b406e471d54e0a4c1fcb48c60bff0d94 |
| SHA512 | 664e54d8df9cb820c118cbd0707b8e3e4227c088f8ff660c848cef396da2da0305c82d9e816e2127f19f4ab8ad407f07d71c3260efd8e4b77299b1b43e96f354 |
memory/580-112-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/1388-113-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2380-114-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/2344-115-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/580-116-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/580-118-0x0000000002270000-0x00000000025C4000-memory.dmp
memory/2628-121-0x000000013F870000-0x000000013FBC4000-memory.dmp
memory/580-124-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
memory/2652-123-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/580-132-0x000000013FCF0000-0x0000000140044000-memory.dmp
memory/2796-131-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/580-130-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/2672-129-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/580-128-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/2756-127-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/580-126-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/2996-125-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
memory/580-122-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/580-120-0x000000013F870000-0x000000013FBC4000-memory.dmp
memory/2232-119-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2156-117-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/580-133-0x000000013F390000-0x000000013F6E4000-memory.dmp
memory/2444-134-0x000000013FE80000-0x00000001401D4000-memory.dmp
memory/2796-146-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/2756-145-0x000000013FC40000-0x000000013FF94000-memory.dmp
memory/2652-144-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/2344-143-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/1388-142-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/1204-141-0x000000013FCF0000-0x0000000140044000-memory.dmp
memory/2672-140-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/2996-139-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
memory/2628-138-0x000000013F870000-0x000000013FBC4000-memory.dmp
memory/2208-137-0x000000013FF90000-0x00000001402E4000-memory.dmp
memory/2156-136-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2380-135-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/2232-147-0x000000013F0C0000-0x000000013F414000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 12:06
Reported
2024-08-06 12:08
Platform
win10v2004-20240802-en
Max time kernel
137s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System\ASvRXOq.exe | N/A |
| N/A | N/A | C:\Windows\System\EhUYiGb.exe | N/A |
| N/A | N/A | C:\Windows\System\PtQZTzm.exe | N/A |
| N/A | N/A | C:\Windows\System\ukNtExt.exe | N/A |
| N/A | N/A | C:\Windows\System\olIanOK.exe | N/A |
| N/A | N/A | C:\Windows\System\JfKcxEW.exe | N/A |
| N/A | N/A | C:\Windows\System\yrHxEXD.exe | N/A |
| N/A | N/A | C:\Windows\System\GkcZDwI.exe | N/A |
| N/A | N/A | C:\Windows\System\cmERpLK.exe | N/A |
| N/A | N/A | C:\Windows\System\VsyWXoJ.exe | N/A |
| N/A | N/A | C:\Windows\System\jlQPmhF.exe | N/A |
| N/A | N/A | C:\Windows\System\RVfEpwi.exe | N/A |
| N/A | N/A | C:\Windows\System\IENcHmi.exe | N/A |
| N/A | N/A | C:\Windows\System\wegBSYA.exe | N/A |
| N/A | N/A | C:\Windows\System\utVCfwk.exe | N/A |
| N/A | N/A | C:\Windows\System\mtrflqS.exe | N/A |
| N/A | N/A | C:\Windows\System\PZqwSKC.exe | N/A |
| N/A | N/A | C:\Windows\System\ddEVjBV.exe | N/A |
| N/A | N/A | C:\Windows\System\garHjPg.exe | N/A |
| N/A | N/A | C:\Windows\System\CtaXGKo.exe | N/A |
| N/A | N/A | C:\Windows\System\hnyOhwM.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_e3d81217357916083233352bd36d5758_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\ASvRXOq.exe
C:\Windows\System\ASvRXOq.exe
C:\Windows\System\EhUYiGb.exe
C:\Windows\System\EhUYiGb.exe
C:\Windows\System\PtQZTzm.exe
C:\Windows\System\PtQZTzm.exe
C:\Windows\System\ukNtExt.exe
C:\Windows\System\ukNtExt.exe
C:\Windows\System\olIanOK.exe
C:\Windows\System\olIanOK.exe
C:\Windows\System\JfKcxEW.exe
C:\Windows\System\JfKcxEW.exe
C:\Windows\System\yrHxEXD.exe
C:\Windows\System\yrHxEXD.exe
C:\Windows\System\GkcZDwI.exe
C:\Windows\System\GkcZDwI.exe
C:\Windows\System\cmERpLK.exe
C:\Windows\System\cmERpLK.exe
C:\Windows\System\VsyWXoJ.exe
C:\Windows\System\VsyWXoJ.exe
C:\Windows\System\jlQPmhF.exe
C:\Windows\System\jlQPmhF.exe
C:\Windows\System\RVfEpwi.exe
C:\Windows\System\RVfEpwi.exe
C:\Windows\System\IENcHmi.exe
C:\Windows\System\IENcHmi.exe
C:\Windows\System\wegBSYA.exe
C:\Windows\System\wegBSYA.exe
C:\Windows\System\utVCfwk.exe
C:\Windows\System\utVCfwk.exe
C:\Windows\System\mtrflqS.exe
C:\Windows\System\mtrflqS.exe
C:\Windows\System\PZqwSKC.exe
C:\Windows\System\PZqwSKC.exe
C:\Windows\System\ddEVjBV.exe
C:\Windows\System\ddEVjBV.exe
C:\Windows\System\garHjPg.exe
C:\Windows\System\garHjPg.exe
C:\Windows\System\CtaXGKo.exe
C:\Windows\System\CtaXGKo.exe
C:\Windows\System\hnyOhwM.exe
C:\Windows\System\hnyOhwM.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 37.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/2076-0-0x00007FF6728A0000-0x00007FF672BF4000-memory.dmp
memory/2076-1-0x000001D267C70000-0x000001D267C80000-memory.dmp
C:\Windows\System\ASvRXOq.exe
| MD5 | 7c83f353d6dc5058ca5ddae197b470f9 |
| SHA1 | e362d2f3f21deabbf3a2206cb2d08145a9ef0908 |
| SHA256 | e5f4c4d7a7c8096bbdbc727c1b2828264b78ced1ddf0d138961f6d8deae926f5 |
| SHA512 | 6778a27113b8090b6211c7a32d17ace17fbd85adf4ca6cd21f84870740050e27f1cd7e6bf59934727054dfba6a0e2b130bddace2b61fcb5d29b31be4bfe5f36c |
C:\Windows\System\PtQZTzm.exe
| MD5 | 50b70111e3dbe93d51a2416346b5e21a |
| SHA1 | 14733ab9b1ca2ac9cde946b23ced833d96c48b3c |
| SHA256 | f941c35e7ffb960c95783f38f7366c3943c90397b95a5ab79c56425eec37712b |
| SHA512 | bd04cfa61ad1e98d9e6e1b4fda4ebde8dbb297c8d1bf605dbd0d38e3f0ebe98592caa93f3c15cb988e0734d6bbc4d38feb343ee86b4d9138ac4579af769c6392 |
C:\Windows\System\EhUYiGb.exe
| MD5 | ae69e6aa8225c49404439e691027c83d |
| SHA1 | 4f6bd4fccc6aaedcfa7817c16caac94f30322976 |
| SHA256 | 7d7e861fbb6e39dab5e81187228fe8bb9e757c052f195bb1bf33276b9defda37 |
| SHA512 | f95a555564d37db7eafb71815882fa474e95ec154092a76e618428d14beda37f26f61ca623e64d38b553d0c6cca7fe369e4eb544d41bd1272c59532ba9373e99 |
memory/3100-14-0x00007FF721290000-0x00007FF7215E4000-memory.dmp
memory/4148-7-0x00007FF6EA280000-0x00007FF6EA5D4000-memory.dmp
memory/3736-20-0x00007FF69FDD0000-0x00007FF6A0124000-memory.dmp
C:\Windows\System\ukNtExt.exe
| MD5 | 2f7787620b9f92d80e4e2d7666f8ee8c |
| SHA1 | add5f2427b10b823e04c4bfdfaef2058e40deffb |
| SHA256 | 9a42abf7afc2ed18b797fab03e50c3bcee4afdd10b4f2704f7b9e0cca1ffed66 |
| SHA512 | 92ab0043b6f49895bda68a7cd2461fe59e18065f443b7d28e72d3fb9d7dc7bc846482c0b61b4086e363164f42e914154c31be9343ec9b03208cdbe7c559a5391 |
C:\Windows\System\olIanOK.exe
| MD5 | 2cb5a8e79f1dca0403b47c884f58a7f9 |
| SHA1 | 9d7937e461eddbf19d9342d85f025c01a36cb042 |
| SHA256 | 3c363f36cfbe60fadce8b2aba6795925c0e81c114b5fb7ffb7ef80add356d2af |
| SHA512 | 68969ddedb67420c323c23b849f5a8555db5c63638d64ef359ed89d9df2853746361a6c5a5dde1f1ce6b7eed78596faf2e4a996b5d78ac49afcbaa33d327cebe |
C:\Windows\System\JfKcxEW.exe
| MD5 | 93ca485934cbc377bbd92ec2654623bb |
| SHA1 | 475bc6d013d367c3eb1ebb433b79f8a76b5106bd |
| SHA256 | f82a770dea355660e9d08ff45de4929673da45760270565ca5ac7aaff24507cb |
| SHA512 | b1b3f02a810959865312fac706e305df1552933d0202e1e486925507d2754540f936a211166df4c96a1a3431658c062373545f93ff678597ef0c909a670641c1 |
C:\Windows\System\yrHxEXD.exe
| MD5 | 6f07594b617371f3c99c6aa9a7eeb9bf |
| SHA1 | 6b6821936856d719cc3b3710f818f6ebff149812 |
| SHA256 | 751e6d7985c1e120356f0beb3075bd297e41305bf040e46f9211110a116b7275 |
| SHA512 | 5fe8bc1a7f0c59cda145b0cc6786f490e3dfdc16087fac6714d87fa279a6bfcacfb267b7cc25913ffe231ee0c712cb35f3b5889bc718705639a6b975e1776008 |
C:\Windows\System\cmERpLK.exe
| MD5 | c0ca1cb139a08d15bbae934e8e725735 |
| SHA1 | ba62cfaa25621ae2c5cee34172cd722b695d30b1 |
| SHA256 | eb4689c6ac6fce946308d9b6a3f48d79c6600dc111da578c2a2b124ca23fed99 |
| SHA512 | 008b2f6f9dd668202610e92e8aa2af68ecf1d340bb27ec13dc9765e45cd1f54f55ba11fd26fd747d8bf85dbafd0fb3feff819c56c8b9430e3b9c5f341af7d909 |
memory/3912-58-0x00007FF6AF350000-0x00007FF6AF6A4000-memory.dmp
memory/100-67-0x00007FF757A10000-0x00007FF757D64000-memory.dmp
C:\Windows\System\RVfEpwi.exe
| MD5 | 657f677173fa13dd31f89eee55db4753 |
| SHA1 | fc99fd7cb52d69675f3d659b4bdc1ccbb873087a |
| SHA256 | 948b76066a31d3b2ae077a667dbc292fb99e5309c6622e4cda3888deaaf89dd3 |
| SHA512 | b647b8ef39a1ea165cfb00e6f9fb7e1f2ee9ea32accde697981a0247be6ce003dacec9c2ca41d006bbc0240c89f0d9e5b9ce1cbc7f09a27c793cb74d324fbda0 |
memory/4212-74-0x00007FF6CB9F0000-0x00007FF6CBD44000-memory.dmp
memory/4100-78-0x00007FF60F7F0000-0x00007FF60FB44000-memory.dmp
C:\Windows\System\IENcHmi.exe
| MD5 | 7a6025f2e07abd5c1882cb4230576d27 |
| SHA1 | ef59ce8576611562a3af74a0474c956fbf82f202 |
| SHA256 | f593f9ab5ad44c57cefde3810afbd376804c8e7cf981b57cba0595b5d57c1d27 |
| SHA512 | cf24b70636e279c88569d9b8dc3b93ba06bc472b3931a0ed1a695cfabe78e090201d01fe5ca5f721b8c4b6f6943a43142ff5fc936a2e62c881339fc95858b688 |
memory/4692-77-0x00007FF632CC0000-0x00007FF633014000-memory.dmp
memory/4548-70-0x00007FF61E0A0000-0x00007FF61E3F4000-memory.dmp
memory/1064-68-0x00007FF7698F0000-0x00007FF769C44000-memory.dmp
C:\Windows\System\VsyWXoJ.exe
| MD5 | 3787967d1659281201d717f9b89c193b |
| SHA1 | dfa2fbc728ad81cb79fe49dbb705b157f4dcb399 |
| SHA256 | 5ef97ebd77d883f2a1a26327d2fd617b74dd664746c1ef4ee10e0f27f1e7b401 |
| SHA512 | edc52f57e3455486a1de3284b7f780cd18a5fa3ff54380bb34e1528946f3a95834e8b216991384994f16c8939a617a77c0e10181aa53af712dc773be7e9a5656 |
C:\Windows\System\jlQPmhF.exe
| MD5 | 1cf70adec0dbf8f532de4ca496e7eaa5 |
| SHA1 | b15f28382dbbc1e93738505b46576e4c86dec30b |
| SHA256 | d839ec372cf53208bc0a06af07cd318bd9b246c6cc9570d527d15aa0c8e8129a |
| SHA512 | 551bf6211e9c2899c41c51fa9daa8dfe21a8b4bf293e03451ef664963c93f52ba6d4d4afda1f71b7882096fe6c6bac176f92f72be493363d20b9a8b2005f34e6 |
memory/5056-53-0x00007FF644B00000-0x00007FF644E54000-memory.dmp
C:\Windows\System\GkcZDwI.exe
| MD5 | 1cfdeaf77c5e6a0a577ecdeda629914e |
| SHA1 | 61a7b08e6158348a04e78c285173c705468b24c2 |
| SHA256 | 43150abccf42a17fa5835d110df78087b406e471d54e0a4c1fcb48c60bff0d94 |
| SHA512 | 664e54d8df9cb820c118cbd0707b8e3e4227c088f8ff660c848cef396da2da0305c82d9e816e2127f19f4ab8ad407f07d71c3260efd8e4b77299b1b43e96f354 |
memory/932-36-0x00007FF673C20000-0x00007FF673F74000-memory.dmp
memory/5000-31-0x00007FF7D8070000-0x00007FF7D83C4000-memory.dmp
C:\Windows\System\wegBSYA.exe
| MD5 | 29a658535231f3d16a4b0c88de809d50 |
| SHA1 | 7ef6db8ec6ce0368c174f6821554709eb6334e64 |
| SHA256 | d369992c76f9742aa4ee432561b83297a998a46e1c2045187f625ac8066bd300 |
| SHA512 | 99b3e64b23e374508c1bc85018796701762b2241aa96ce123c935fd760c42f24b26d59be2c8a60a5bafae8e0c38d1e542eaa9f37b994853d10f69ad6bb530fbd |
C:\Windows\System\utVCfwk.exe
| Hash | Value |
| MD5 | 7b5d27a6e78f149d973b6bf2fb59fb63 |
| SHA1 | 2a4e3c72ac223e651b0cce47dac6ac52c4a9673e |
| SHA256 | d10b92570141431b66d8a7880c874e69578f9362a8c0ba5d78605ea7cc296ab9 |
| SHA512 | 875d1cc0c28b35945f69e88e6a63d15819609155f2b3a99810bf059ce5cf3a0e89f198d0141282fdedc5a3b61d8b1c8797bd91ac8ed469f3e2366ab610f619a6 |
C:\Windows\System\mtrflqS.exe
| Hash | Value |
| MD5 | 4b68e6f3144dba8b8498a107b8ed37e9 |
| SHA1 | 62f61955d691e7eb4199fb3468f1799a6646bb76 |
| SHA256 | 298d21c2aaf8afdafe5225ec7b2ddb5288be0c1ce5cdf41c2e42aa546cfdd4a2 |
| SHA512 | 66087a61b36d2b6b9c51fa9749037fcadb917867ea01830560984f2453442fef83833f1c7a48f40439e9626e7899e06b22f3b489dd7c1b51b9d7243e8666c4a7 |
C:\Windows\System\ddEVjBV.exe
| Hash | Value |
| MD5 | 734b98f4d4998854eb433f8a24c6e1b0 |
| SHA1 | d4cbad53cd4dd966665597461080de0e36010af4 |
| SHA256 | f46d7734af46456ae89f3d3a22f1b4bb2cc260134984e8edfe01453c0867fb61 |
| SHA512 | 0083a58495f94b63fe6456f0cf7c9187ddcbf12022fbe723f3952d4b74f2c308d5c50139c5b5206767fb869eaeb05dfe46b5504abf277e404679c0ef8b6dd931 |
C:\Windows\System\CtaXGKo.exe
| Hash | Value |
| MD5 | 52ad15e1e582efcc301a18a922f4119b |
| SHA1 | d20229daffca6c56a9b977ba037afc71075fa6c0 |
| SHA256 | cf6ee595cef2fc141df9c127ee56b6fbe5d2d74cdfab44d721d19699773dda2c |
| SHA512 | 2ba7bf9bcfcf0aaef698cdddcf0edff360bd724b96235db73c30eeb4cc02ebc970132215f80f28e891e7c772d707a224368187c43ab0eedc7076fc812b95148e |
C:\Windows\System\hnyOhwM.exe
| Hash | Value |
| MD5 | 569419634d0be927c0cfb8b80fcf5cb3 |
| SHA1 | dfbe0b2858d4aedff9d49fe54f75b25d69dac5f7 |
| SHA256 | d97c199b5b1e0228f60226666cd75fbc8ca4245247c14c23f9ade9ab3c7b8544 |
| SHA512 | 6b8473f18585928aef31e177a88df20effecab7b2596a2498fc1f6ece87e852903c1c2444d9d6f4a7e973087b527ceab70b6c6aef52abae599720d0b38caa86b |
C:\Windows\System\garHjPg.exe
| Hash | Value |
| MD5 | c5bb27618f206066ce0061259a68ad23 |
| SHA1 | bd03e9c41747688c726105e1fd8f31fc0e361bcd |
| SHA256 | 98cf7ec8b457cc4388406fbe174f2cf3392d15566bdca33d83a53b4680b8aed1 |
| SHA512 | 8d48653beed9b16aac0cbc4dbdb15af2a2b055632031fcc9c43e87e506b265dc8dc8803bd60ecd3f04f3148a7c57b475ac41e4ac572a79aa92ca407510758eee |
C:\Windows\System\PZqwSKC.exe
| Hash | Value |
| MD5 | a72f851113baac2b17a2364dcddd3fc6 |
| SHA1 | 07e693ee433466b5ea4fe23c3f1f10a691cbd35b |
| SHA256 | 30022aeb2839ccb3422204ce06acc337a5155a97f55031116c78a40a46818951 |
| SHA512 | 592e06c267dac3f585e32453b6f70807c74b21821cba07f511e1dd8de9409960cfcd2d764e043021894f14d74b37d3836e87b1bc4f34dd7a284ff3b03319f4a5 |