Analysis Overview
SHA256
3f46d690b502b2d9722d1cef7d0f0e4e6ecace8fc7e113892281dec598e9f04e
Threat Level: Known bad
The file 2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobaltstrike
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
XMRig Miner payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-14 15:28
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-14 15:28
Reported
2024-08-14 15:30
Platform
win7-20240705-en
Max time kernel
140s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\oopaTKQ.exe | N/A |
| N/A | N/A | C:\Windows\System\KKrmbvw.exe | N/A |
| N/A | N/A | C:\Windows\System\MmhJOxc.exe | N/A |
| N/A | N/A | C:\Windows\System\GZjCRMR.exe | N/A |
| N/A | N/A | C:\Windows\System\JIAsgLe.exe | N/A |
| N/A | N/A | C:\Windows\System\wiOLEQJ.exe | N/A |
| N/A | N/A | C:\Windows\System\dwsYmqU.exe | N/A |
| N/A | N/A | C:\Windows\System\USifVwp.exe | N/A |
| N/A | N/A | C:\Windows\System\xuNIhCJ.exe | N/A |
| N/A | N/A | C:\Windows\System\vEqPpCa.exe | N/A |
| N/A | N/A | C:\Windows\System\VuTTDSn.exe | N/A |
| N/A | N/A | C:\Windows\System\eOMAdvi.exe | N/A |
| N/A | N/A | C:\Windows\System\SrpikmA.exe | N/A |
| N/A | N/A | C:\Windows\System\fKaneGh.exe | N/A |
| N/A | N/A | C:\Windows\System\PlEPIkf.exe | N/A |
| N/A | N/A | C:\Windows\System\IyKdaNy.exe | N/A |
| N/A | N/A | C:\Windows\System\LkfpfcO.exe | N/A |
| N/A | N/A | C:\Windows\System\CGbJlbS.exe | N/A |
| N/A | N/A | C:\Windows\System\mHZPSqY.exe | N/A |
| N/A | N/A | C:\Windows\System\UKbJXOU.exe | N/A |
| N/A | N/A | C:\Windows\System\SKKaqjC.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\oopaTKQ.exe
C:\Windows\System\oopaTKQ.exe
C:\Windows\System\KKrmbvw.exe
C:\Windows\System\KKrmbvw.exe
C:\Windows\System\MmhJOxc.exe
C:\Windows\System\MmhJOxc.exe
C:\Windows\System\GZjCRMR.exe
C:\Windows\System\GZjCRMR.exe
C:\Windows\System\JIAsgLe.exe
C:\Windows\System\JIAsgLe.exe
C:\Windows\System\wiOLEQJ.exe
C:\Windows\System\wiOLEQJ.exe
C:\Windows\System\dwsYmqU.exe
C:\Windows\System\dwsYmqU.exe
C:\Windows\System\USifVwp.exe
C:\Windows\System\USifVwp.exe
C:\Windows\System\PlEPIkf.exe
C:\Windows\System\PlEPIkf.exe
C:\Windows\System\xuNIhCJ.exe
C:\Windows\System\xuNIhCJ.exe
C:\Windows\System\IyKdaNy.exe
C:\Windows\System\IyKdaNy.exe
C:\Windows\System\vEqPpCa.exe
C:\Windows\System\vEqPpCa.exe
C:\Windows\System\LkfpfcO.exe
C:\Windows\System\LkfpfcO.exe
C:\Windows\System\VuTTDSn.exe
C:\Windows\System\VuTTDSn.exe
C:\Windows\System\CGbJlbS.exe
C:\Windows\System\CGbJlbS.exe
C:\Windows\System\eOMAdvi.exe
C:\Windows\System\eOMAdvi.exe
C:\Windows\System\mHZPSqY.exe
C:\Windows\System\mHZPSqY.exe
C:\Windows\System\SrpikmA.exe
C:\Windows\System\SrpikmA.exe
C:\Windows\System\UKbJXOU.exe
C:\Windows\System\UKbJXOU.exe
C:\Windows\System\fKaneGh.exe
C:\Windows\System\fKaneGh.exe
C:\Windows\System\SKKaqjC.exe
C:\Windows\System\SKKaqjC.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2164-0-0x000000013FCF0000-0x0000000140044000-memory.dmp
memory/2164-1-0x0000000000580000-0x0000000000590000-memory.dmp
\Windows\system\oopaTKQ.exe
| MD5 | 46bebd3a20d86c932a68c7dd02f4a05e |
| SHA1 | f1ccef195dd9235f21c9351514ba5cc9d67103e2 |
| SHA256 | 0300ecbf42418e5e9ac9fa4dfdf819b95f9e35ba0832d693a849dc3fd73f491d |
| SHA512 | 31ff9246ba8b585e488bda4c633804b483bd6308a6671ea9be66ddad79149d1551c553f9de493594c700f0cb1740d785ff13799ca999f15f1f1a4f68751055ff |
\Windows\system\KKrmbvw.exe
| MD5 | 40c735640a0b1b9f7f4f02d93a7c75d4 |
| SHA1 | 49de0cf1ff4208738fd6fbd1de0e505de2b99211 |
| SHA256 | 6898877353cdb7ad79b8c1029d324ab1e5cd2639d1a3b2f0bb25426f95574fdf |
| SHA512 | f82cc6fa0deb46837311bc0f33214af88c359719ea192f1424a037099d602bf3df75c34333011554f48fc4f4ab3445da6aa78fd0cd9c15aad7989aa70ff78cb6 |
memory/2164-10-0x000000013F120000-0x000000013F474000-memory.dmp
C:\Windows\system\GZjCRMR.exe
| MD5 | b77aa891097823c45ef236141e9fb5a9 |
| SHA1 | 521fb028013978fdc4824421f253dd3b79f4dabe |
| SHA256 | 24a18c9124fc9e10ba4ce259033736b04f1c62402e585c79da739b1a3ef5ab11 |
| SHA512 | af9b58cf135e935bb623416e4ed6070eaacd727ffcbcfcbee648a29f296d38d2ca80356374684a1f9b4550e47120d46ea32cb3d49aa055682cad8a654546f76a |
\Windows\system\wiOLEQJ.exe
| MD5 | c9c60dcd680f96752532ab66d97eb6da |
| SHA1 | 3487f337312a9d8930274bfc39f23f153690c611 |
| SHA256 | 6aa7183cbfd58d8ef2db36afac2014965bde88c777d3baf68447eff7b35d948d |
| SHA512 | 3e4ae9c7bf015ee5de5fe356ef04338cf4195caa686c381f705d0860f5fbae8ac70b2c7851db4c255b57e295ed5e851db483d5366312f8dc8bb33d60bdaea0ba |
C:\Windows\system\JIAsgLe.exe
| MD5 | 5ac93ce2ef2402924498bc12071fca87 |
| SHA1 | b4080a01be47697fa6a397f2f6dd3463532801df |
| SHA256 | c597d355c547031dfd9dcccb53c22c7658206692ef752b57e31768c540b74d8c |
| SHA512 | 626630379b8236ab39d7830f968841e407ff4e6a0295ba57472030613ad9136910df36fcdc90fa54d0e4f0121d5b8a7e99970d7ac7e41896f83c7d5539170154 |
memory/2656-40-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2164-39-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2812-38-0x000000013FAC0000-0x000000013FE14000-memory.dmp
C:\Windows\system\dwsYmqU.exe
| MD5 | 83da9030535ff0813dbf24e629c2b2a4 |
| SHA1 | 54ad7c05d231cdcfe69ffd7ef7cb6f5370d827a9 |
| SHA256 | 64c8426caf71ba8d4a73833983eb51c0b6cdf5f1e8aeadd29f9ae315585a3cfd |
| SHA512 | 35899bcec6040ea9b49c9736427ff629689e824e203f12966fecfc97a1364aee7bf6e2e7de5ba1418a7bee44a20b8ba1ca981d99a2ebe3ffcf276492a83e7e98 |
memory/2164-49-0x000000013FCF0000-0x0000000140044000-memory.dmp
memory/2164-105-0x0000000002320000-0x0000000002674000-memory.dmp
C:\Windows\system\IyKdaNy.exe
| MD5 | 936c80a3d8be912601420e9bd5ef69c9 |
| SHA1 | 1da14df15477ecb1854fd5bf3f08a104f56ed195 |
| SHA256 | 068c891b586751cb7e633af8891c72255e1ca0218296e34c1a82aadfa17bd278 |
| SHA512 | 3700cad49067f945c674936f273cfa7199a9df3da02e6aa058e8443dcf8e3b5b88f8beecc1ba21e7241d9bd9d853fbb97b07845c30791e05b116e2679fd94fbc |
C:\Windows\system\SKKaqjC.exe
| MD5 | 2ce6740f45fe67cd560bfdfdab891aef |
| SHA1 | 1da880e49b2249a6ca9dae4ef2a9c291624cbab4 |
| SHA256 | c258c17ef703eb412db7f33c677eb378fb7e601a8adfac7533ed4d333605dc95 |
| SHA512 | 82506848e6d85a1d61e5bfec50ec1699247a7bd0b1e1b0ea167e1ded7a2f24826ca70079138903ed581b6dd23b9f801b7e68291f2cd79860b3ac6da377b29f0b |
memory/2164-97-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2164-96-0x000000013F210000-0x000000013F564000-memory.dmp
memory/2164-95-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
\Windows\system\UKbJXOU.exe
| MD5 | 939d5ef6851b2bbeb00e60dd0a9443c9 |
| SHA1 | 67470ec01324d3cc6a83130e8cdf4c936bfcac07 |
| SHA256 | 4cc3b225c79ab8b583fd6e5eff68d26c162291c0ca620fb0560424e79db6c4a3 |
| SHA512 | 0f957ddce24f8080d67d655414bad81b2188cbb46110f20c57a4f8df2fa62d5ad144b72dd71c4302c71e640f5815f26f896462a9bf6c500ccb4d58a09671434a |
\Windows\system\mHZPSqY.exe
| MD5 | e7eb35b0c49ca9e17adb07b55305a64a |
| SHA1 | 92c52832f084d1fb78dc69bf09f9d3e88519a28d |
| SHA256 | e48480b2d19205baefe11cc86932f2e303ccf6a081ec34e50d775b66326bd3ad |
| SHA512 | 5e9cc3b974937888d7936087a8d3f1a1c98367c6ebe3b3649b74882ca3064b917f4d2de3804afde451c168015b675c44fa62b000897ee1478c140198e237b3e7 |
\Windows\system\CGbJlbS.exe
| MD5 | 1cd66e1be22bbc98c81ea4835872f0cd |
| SHA1 | 455bb5e1a4ef64bd3b4654b46ebe05b053d0a926 |
| SHA256 | 67e98cd33eab8a35d3e07114dc684309a4706597e9928767147c783198d6c133 |
| SHA512 | 2e384602124de2dfa9833569915783e41b2b8360adb00a36be45e4fec3d58b09cca7b8a37e4ec9690eb5e970a666fc01d1ad6e991e827cfeb7518eabb52aae12 |
\Windows\system\LkfpfcO.exe
| MD5 | 6006ce7d8f3ab8beb36b67b586566410 |
| SHA1 | 44d450df614ffdcec8d28e6284e5baeb116df985 |
| SHA256 | 8536cb3719ba264a38ad14c928884d2747eb503c41e63924225db5ff0137bce2 |
| SHA512 | 7067de905fd3ee97dd108d83f1b096151eb1329f483512e4ea3cc18f6924362bc9b4c26465ed8890b30ddef88e8944e4755f1ad97ca0e7251bb9d26f5423cdf5 |
memory/2164-53-0x000000013F090000-0x000000013F3E4000-memory.dmp
\Windows\system\PlEPIkf.exe
| MD5 | 72365b896d9180c758473139a06ce888 |
| SHA1 | 4e28593c1452f17b38f46e2b850a43ec8a0fc968 |
| SHA256 | 3a0ea68371860bd049810bd39a085186c23aa48e82823fd43fb9ad10365879c1 |
| SHA512 | e1b982fe495b87f21433938f3092c754f29406376f7ae590e6fec8a80dd3f0cc0a04547f4152ce7ef5dfdeb764eff251dc9fc62968c25970919ef23755071743 |
memory/2364-119-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/2552-118-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2164-117-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2164-116-0x000000013F460000-0x000000013F7B4000-memory.dmp
memory/1860-127-0x000000013F120000-0x000000013F474000-memory.dmp
memory/1500-108-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2164-106-0x000000013F6B0000-0x000000013FA04000-memory.dmp
C:\Windows\system\fKaneGh.exe
| MD5 | 1619e4efcfeb177932e12a4441a29509 |
| SHA1 | a549d045cb87f35aac7906926a77d03d6ea393d1 |
| SHA256 | 9060d435bb65793012bfb9989ad3424551b8d19daf26b46be291e6f7d59fc2c6 |
| SHA512 | 71d858bde3a5b022e58f287f771d2465db25a59deb4f6987b819f02b53d72ff04ab2e6f737f5c66ae17b3b58cfc70fdc2c753e77dac062e3b5ce08415e208afc |
C:\Windows\system\SrpikmA.exe
| MD5 | 25858a3d68ca7870bae674cf3242b5cc |
| SHA1 | 91abbafc550600fd23cf5a6f52f6c06675180a37 |
| SHA256 | 124c1ae6d9a8b9e9753c4860e3b8ba3f350dc9dd1e1ac1bf9fa45c936b10e1c6 |
| SHA512 | 68202659e45fecc0fd985825e65a421efce444ac21cf88093d939ffa104109223143a1b5ce65090aa108f65a35b97fa98c992858a9665aeca1bef615ddf30b0f |
C:\Windows\system\eOMAdvi.exe
| MD5 | 46d2cbad4b8f9c1a0646c345e18eb2bb |
| SHA1 | 8b4eb599539bac72b1b67f33fa0ceec90937cd6d |
| SHA256 | ee9c86cf691da7a06c88328c36ed13aae2f824859e124ff7c0620bb77d41c167 |
| SHA512 | 69d6e878bd1e3040e4c378d431ed6a0a6131f6ecee3777b8ca8331dd21aff7826774655fea26d47611c526f470b18c3a02831cd2b6133d9c17d535bb0567ff67 |
C:\Windows\system\VuTTDSn.exe
| MD5 | d5e5d275274011b89ffa5d17c48139b1 |
| SHA1 | c37fa58fa046a00f09fd3b971ada7f3eea736ede |
| SHA256 | 5feeab88c1c684d4c4ab2e1bf02b4d125c5d3b7e0599f985b6312c802a5d20d7 |
| SHA512 | 2e981e4bf9dec11446136f0b6ce5b03276ed49461e45c29a0f50e47cdbe8b5d93059d4ca4d505d58768e9f95c9395f3b7c87dbcb4945a280cbc23f1f4910bc31 |
C:\Windows\system\vEqPpCa.exe
| MD5 | 4552f0230a9d2de971cf0929890d6657 |
| SHA1 | f6f53fc87642fbe5ae5b92b2b6506fa7ac044f87 |
| SHA256 | a4536cabf3d3c7788e0adb7f9374c0da01853c7e8ec47277285125b006881b9c |
| SHA512 | 62fe2d09021347e8847c5a94a87dc7690522321c94cf6ff7eaeb7433d89fdfb3d586dfa4dd3149b0ce0d4e07dad679e4ee480dd5895370727768cd33df4037ce |
C:\Windows\system\xuNIhCJ.exe
| MD5 | 4ec48494b63fea156f91b8e8a73cc89e |
| SHA1 | 72004315c0e91d6bf4e8f911983f943680e977fc |
| SHA256 | 6b18ad2c8b59028f1e8daeab51214abad70aeb29a2b94f55da3df58953728c57 |
| SHA512 | 40ddd47b1d57de91041bcc068b0db75df76114acd8ae50534b2e597bf06495214f9d7aa3a3b0a82506d3e1784d3086b3460f3a94ded1e3a25ccdbf8eab33a3cc |
C:\Windows\system\USifVwp.exe
| MD5 | 929207d49a42108de26ae05992ecf8bb |
| SHA1 | fc5015e2e9cec86cf10df72f48a960645adef859 |
| SHA256 | b93bcbae9be8501bd811e8a0609d87074a77e3a3d911b23cf54368b12007e1ed |
| SHA512 | 5d09b772ab0df08382bccdee815272245442edab40645ba53a33e4050ba212ca9a2b4a0a8464f56b16bfbdebb67275483330bed3af1b07b20397522fa649949a |
memory/2164-92-0x000000013F980000-0x000000013FCD4000-memory.dmp
memory/2164-84-0x000000013F820000-0x000000013FB74000-memory.dmp
memory/2164-75-0x000000013F660000-0x000000013F9B4000-memory.dmp
memory/2164-69-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2792-45-0x000000013F300000-0x000000013F654000-memory.dmp
memory/2164-128-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2164-6-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/1860-27-0x000000013F120000-0x000000013F474000-memory.dmp
memory/2364-26-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/2164-25-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/1344-24-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/1500-23-0x000000013F050000-0x000000013F3A4000-memory.dmp
C:\Windows\system\MmhJOxc.exe
| MD5 | 4eec8afae8bcee2246b2f7f49d10602d |
| SHA1 | 421475a60f0dd6d772b7918194951e53d57e6020 |
| SHA256 | 2595e082d1ce5e90462eb97bfc3ae53c85b9a595515c7d1969cecb50020c60b2 |
| SHA512 | df6d406fac5fcf013f83008e02254bbd3790775111062324ddcf1e17f78aa76daa2f026bc272082b6663af342b11e86edefc0d8788df5fa7423c9beb1b4242f6 |
memory/2656-130-0x000000013FC20000-0x000000013FF74000-memory.dmp
memory/2812-129-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/2792-138-0x000000013F300000-0x000000013F654000-memory.dmp
memory/2164-139-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2164-140-0x000000013F980000-0x000000013FCD4000-memory.dmp
memory/2164-141-0x000000013F460000-0x000000013F7B4000-memory.dmp
memory/1500-143-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/1344-142-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/2364-144-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/1860-145-0x000000013F120000-0x000000013F474000-memory.dmp
memory/2812-146-0x000000013FAC0000-0x000000013FE14000-memory.dmp
memory/2792-147-0x000000013F300000-0x000000013F654000-memory.dmp
memory/2552-149-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2656-148-0x000000013FC20000-0x000000013FF74000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-14 15:28
Reported
2024-08-14 15:30
Platform
win10v2004-20240802-en
Max time kernel
143s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\uBmtEEB.exe | N/A |
| N/A | N/A | C:\Windows\System\rbeufGi.exe | N/A |
| N/A | N/A | C:\Windows\System\WWjTwSi.exe | N/A |
| N/A | N/A | C:\Windows\System\OZzfzPw.exe | N/A |
| N/A | N/A | C:\Windows\System\pKmiXSU.exe | N/A |
| N/A | N/A | C:\Windows\System\JJXmggp.exe | N/A |
| N/A | N/A | C:\Windows\System\wKnkONf.exe | N/A |
| N/A | N/A | C:\Windows\System\NoMXPJo.exe | N/A |
| N/A | N/A | C:\Windows\System\LyvuVTj.exe | N/A |
| N/A | N/A | C:\Windows\System\dDnZrKP.exe | N/A |
| N/A | N/A | C:\Windows\System\BWWbIvo.exe | N/A |
| N/A | N/A | C:\Windows\System\nwinJSz.exe | N/A |
| N/A | N/A | C:\Windows\System\QBLUTnt.exe | N/A |
| N/A | N/A | C:\Windows\System\aMedXUP.exe | N/A |
| N/A | N/A | C:\Windows\System\zKpEkwe.exe | N/A |
| N/A | N/A | C:\Windows\System\wJhIzNn.exe | N/A |
| N/A | N/A | C:\Windows\System\TJkqRhj.exe | N/A |
| N/A | N/A | C:\Windows\System\UkrpBkM.exe | N/A |
| N/A | N/A | C:\Windows\System\yZcjMzK.exe | N/A |
| N/A | N/A | C:\Windows\System\JfpvXGq.exe | N/A |
| N/A | N/A | C:\Windows\System\hxaMFFk.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-14_7ea4fb1b3dea6f8306912a29e03982e3_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\uBmtEEB.exe
C:\Windows\System\uBmtEEB.exe
C:\Windows\System\rbeufGi.exe
C:\Windows\System\rbeufGi.exe
C:\Windows\System\WWjTwSi.exe
C:\Windows\System\WWjTwSi.exe
C:\Windows\System\OZzfzPw.exe
C:\Windows\System\OZzfzPw.exe
C:\Windows\System\pKmiXSU.exe
C:\Windows\System\pKmiXSU.exe
C:\Windows\System\JJXmggp.exe
C:\Windows\System\JJXmggp.exe
C:\Windows\System\wKnkONf.exe
C:\Windows\System\wKnkONf.exe
C:\Windows\System\NoMXPJo.exe
C:\Windows\System\NoMXPJo.exe
C:\Windows\System\LyvuVTj.exe
C:\Windows\System\LyvuVTj.exe
C:\Windows\System\dDnZrKP.exe
C:\Windows\System\dDnZrKP.exe
C:\Windows\System\BWWbIvo.exe
C:\Windows\System\BWWbIvo.exe
C:\Windows\System\nwinJSz.exe
C:\Windows\System\nwinJSz.exe
C:\Windows\System\QBLUTnt.exe
C:\Windows\System\QBLUTnt.exe
C:\Windows\System\aMedXUP.exe
C:\Windows\System\aMedXUP.exe
C:\Windows\System\zKpEkwe.exe
C:\Windows\System\zKpEkwe.exe
C:\Windows\System\wJhIzNn.exe
C:\Windows\System\wJhIzNn.exe
C:\Windows\System\TJkqRhj.exe
C:\Windows\System\TJkqRhj.exe
C:\Windows\System\UkrpBkM.exe
C:\Windows\System\UkrpBkM.exe
C:\Windows\System\yZcjMzK.exe
C:\Windows\System\yZcjMzK.exe
C:\Windows\System\JfpvXGq.exe
C:\Windows\System\JfpvXGq.exe
C:\Windows\System\hxaMFFk.exe
C:\Windows\System\hxaMFFk.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3804-0-0x00007FF78F6F0000-0x00007FF78FA44000-memory.dmp
memory/3804-1-0x0000020826270000-0x0000020826280000-memory.dmp
C:\Windows\System\uBmtEEB.exe
| MD5 | 694c4890d033da50e9b07ef71b63d13d |
| SHA1 | 811e2c0d85d8b097646c98251e2142477fd0495e |
| SHA256 | d8687e2029e3e7919c30ecb2ee5c210444e92cebfb4a1dd1ff872e4961ea24e7 |
| SHA512 | 8c672b9387c08acd27169cb28cc21f197fde558390b5a86641fc7a38a9d325496b87e6e47aed3d4bafa8812e188adc681afa176d549bb3c961df6e38ca670fcc |
memory/3028-6-0x00007FF682A30000-0x00007FF682D84000-memory.dmp
C:\Windows\System\rbeufGi.exe
| MD5 | 917fe94c830c389d2844abf875eb57ac |
| SHA1 | fa874842a6deed1efcafc45eee99d2b5b798b1cd |
| SHA256 | 7701e67547ffb6f9e799fe58ff8e7100e3e0d267173bcbacaa51793b66906870 |
| SHA512 | 9ead65c29a5bd83be276da66327723cdce3f026ef01377c37cb380ae190138041e1c93d27d8ac70d5911196af7450d93ce733489d6afca852676cdad573afbe7 |
C:\Windows\System\WWjTwSi.exe
| MD5 | 687077cc451ec3b547a49ec0f434995d |
| SHA1 | 120493591b5d4d86a393017b410511517d14f16b |
| SHA256 | 362310fc2d92299b0c2ca897d8a88c251802c6b2e1004cb16821973feae29af7 |
| SHA512 | df49888b20fe9f6b551351030cc7d705e9f903ced131e01a2b508763768cd630326c9a532ac77229199a26b3b5a26c549017ccbd9bc026618a445340626c7598 |
memory/4624-18-0x00007FF7D8E50000-0x00007FF7D91A4000-memory.dmp
memory/1136-20-0x00007FF6D06F0000-0x00007FF6D0A44000-memory.dmp
C:\Windows\System\OZzfzPw.exe
| MD5 | dcd89d960461c47c64acb23093d8dff0 |
| SHA1 | d4a34ad5c02191d93c8cf56fca9e8946a1cb7c0b |
| SHA256 | 5f7b27a02eb11c0c4dd4ad8a5c45a3ec06d15db6be5b520cdf1cc36ae5c6a8e6 |
| SHA512 | 7aa6e3ec7513e1f01cd28edf415d1e830f798382e458560e105dbf5bfad2d02dbe9d87c95287f53713007105d827f1e1fc5703d91dafdee079fdccad0727b3ee |
memory/1540-26-0x00007FF7EB390000-0x00007FF7EB6E4000-memory.dmp
C:\Windows\System\pKmiXSU.exe
| MD5 | d07b3c9d92a4c7df80bd1ec774a016a9 |
| SHA1 | 1fa6352b952ec19e7748870e15457e5e656be72b |
| SHA256 | fe0b8c544f296e377858b23126b8edd820a41ca65c3a18ffde21e865c9a5c268 |
| SHA512 | 870c0dba52a9e2a87aaa662b4d980e1660dea864fd75cc7c5e38eb39c1c87c7e4df2080669f30247bfc6e84d6bfaee8d6ee5fbcad263aadb7902bf5f3ecbfd83 |
memory/440-32-0x00007FF623770000-0x00007FF623AC4000-memory.dmp
C:\Windows\System\JJXmggp.exe
| MD5 | 2fe7ae4602cefc4d4696875e32d8869d |
| SHA1 | 79814e0f9abf4e36ffdcb2a58b49ed954f09c766 |
| SHA256 | d8b932cc069bf6c02095c27832677e0771a8d1456811a5387fb947b43774bfa2 |
| SHA512 | 53f270a898bc84c5d91d9557446e53da637c37e29d01a5ca2ed52f416033465955281072d795d60ff77d6aacd8beee08f7d59f39b8e65395e97955564f263ea1 |
C:\Windows\System\wKnkONf.exe
| MD5 | 23b02376fb2e29ebf892425d0e2b0b4e |
| SHA1 | 24160a2ba4ef462626f13875c83b9e1ff80956bc |
| SHA256 | 417cfdc03830d5a10ce19c7ceb364bf79226214fafe8db8544c16ceaf5468134 |
| SHA512 | 92176a516b71533ab4bb7c6139227a92e019eb0d1340c0e2b7c0f17d44dbc8e8fc0e728f5d2f412c86b78a3c5e63362b7eb3fef5bbee6ec26c8b82bc81a3757b |
memory/5048-43-0x00007FF740600000-0x00007FF740954000-memory.dmp
memory/3164-38-0x00007FF7D6F50000-0x00007FF7D72A4000-memory.dmp
C:\Windows\System\NoMXPJo.exe
| MD5 | 66f023a21ff779f2fafc1ae2837742b3 |
| SHA1 | bcef1d332d346b0db7bc0bbaedc0a72297cb02b3 |
| SHA256 | d78e33e7e2b5762f2062fb4aca58efa7cb8a14337e5c5463ed685084a560b5fa |
| SHA512 | 018d8a192b20fc8c561c6bafc0afb4bd53f0df793907fb32fe8436485821b219b228b4f0d83842bff3754e3b073bd35e35d7e847cbe6da6310e511c17be2bdb8 |
C:\Windows\System\LyvuVTj.exe
| MD5 | 95b060f1b50028b09c5e9ee6b84f8362 |
| SHA1 | 5f414bee175ed2f469a4a8d6adafe9f956c28498 |
| SHA256 | 50dd4f38c03319c3e6ee01157ec70d74233563657ec09f4a5c79e3edd2e8ebc1 |
| SHA512 | 9c735cad02ded7b300cdf4711d8278b135bb2622b69f6ea793f091a5e12d97aa1245f9fe8d757e27dab01f6684eb02795d9da2c4f35854a4d6de8829ed65accb |
memory/3524-48-0x00007FF62C1D0000-0x00007FF62C524000-memory.dmp
memory/3944-55-0x00007FF6D72B0000-0x00007FF6D7604000-memory.dmp
C:\Windows\System\dDnZrKP.exe
| MD5 | c067a453d3d1105580ad697d53979ca9 |
| SHA1 | fdbdce2f86b7d5e88c1cfaa92183e5f275c34da9 |
| SHA256 | 2b9fa27a8ed2c54b0f84d625395fec89f2d89f426aa35a3f42d8937c81342550 |
| SHA512 | 8ea0d8c62f20c64a59f2833df549c624ffc1663a01f2612f13ed36d6305a0d9c81d5cebc31e3be018877f23dd9538e26d5a581dbf0237910d25e17a0ca4a6008 |
memory/3804-60-0x00007FF78F6F0000-0x00007FF78FA44000-memory.dmp
memory/3924-61-0x00007FF747610000-0x00007FF747964000-memory.dmp
C:\Windows\System\nwinJSz.exe
| MD5 | 4a62fd8f62ac12ff423e22d423cca0c5 |
| SHA1 | 07a1d25baaa162bb95e9d7adad318512694e601a |
| SHA256 | d18ff487d239c4a26b53e536fe5718d77a0c0723abd6f7f21e1a9c6a9e803d89 |
| SHA512 | 4cce7cf2227deeeb7442a9ba09a6c6fac7c39d722f6d4ec48718090b4be70c30d169f18b03c77f66212d7dfbd3761cb936e347def2fbebe218c9f5ace97d3d55 |
C:\Windows\System\QBLUTnt.exe
| MD5 | 8ee9e1f0c8d1c0774aefce72a5319965 |
| SHA1 | 5c3078cf68c4a79dc9db69dcac6cdfb2d51eed32 |
| SHA256 | 6c507b682600ad56f02c47dcfc58137049084a92431a1beea78a144a028ddf36 |
| SHA512 | a044693a6f2ddbe70f2144d8be8b94e7736cd2beba97a3b1fd0f6e5a81a136644195c8009ac88d8008d0316a0d8224f1361fb5edefe75bd9a3ec7533647245dc |
C:\Windows\System\aMedXUP.exe
| MD5 | d4095aa548baa1053b8b33a44c0afe67 |
| SHA1 | 994cb1488513ef9643ad8faa0b38abdc920dcde0 |
| SHA256 | 5ff43054643e833c3560042ce6f6b02fe6612e6d9bf7632becf9c1653724ffe0 |
| SHA512 | c9e03b297b798d8dd5a1b7535665e079c0ad8b3bfff75e8a5ea4bebd7a7cf62980c77886f455171e7d0c37b055604fe0750e2d6ff9d9f2d315f867192b9d979c |
C:\Windows\System\zKpEkwe.exe
| MD5 | 661c320e85c0aa4c46f155d2f509c7a6 |
| SHA1 | 0fcc97855cfb24b0902aed8d45ec38f9f9c5dcb7 |
| SHA256 | 5315d08ed5c67083959273a0c529dc693d4d3af125e57f191e9db43a2f55f773 |
| SHA512 | be4f2bb36dfada4303df6610cccbb07c988799f830dfaa7087360367951631e3d4d4ea057f153abb75636aeb2c1e5f9e5330b7bbd1be8bf7e4f93c24e20310eb |
C:\Windows\System\TJkqRhj.exe
| MD5 | bfda7496583c5859265ecfb6dd545b60 |
| SHA1 | dfed2b6bd072f6392dc71143104325875126ba8f |
| SHA256 | 22b063d4d14fb7f701e60ae8f3ff3984c3c480c369ebd0cccf32f18a7669dde3 |
| SHA512 | 47fbb14a1a49bc0bdc3cd93e71f1c37ee0295df339b66f2ed5dc3b0d129db68515c1e33d21cdb156e3c972cb86638b6be1f88aa8e6f78549eb82693e78de2a2d |
C:\Windows\System\wJhIzNn.exe
| MD5 | bd8fdda6f38aa61979b98af54018fe89 |
| SHA1 | 41b19e26bdfd3896d0fdae09d537cfc7d3d67211 |
| SHA256 | 6cb7dbc201822671b0302912f2de7c96fe03d57843328a06eedfa735442459ce |
| SHA512 | d4a771574bb540be53ff2607867a486891d2fdb754723ac9eeec4734c5b691b5dde8cc7745ce5e75eae805a304cadb70ead2bdfa7689d64aa9c88897c1b35b0f |
memory/1972-109-0x00007FF7CDE60000-0x00007FF7CE1B4000-memory.dmp
memory/3240-104-0x00007FF77E0C0000-0x00007FF77E414000-memory.dmp
memory/3936-101-0x00007FF74BD30000-0x00007FF74C084000-memory.dmp
memory/440-97-0x00007FF623770000-0x00007FF623AC4000-memory.dmp
memory/1340-96-0x00007FF7D6E20000-0x00007FF7D7174000-memory.dmp
memory/1540-92-0x00007FF7EB390000-0x00007FF7EB6E4000-memory.dmp
memory/4752-80-0x00007FF69D860000-0x00007FF69DBB4000-memory.dmp
memory/1136-79-0x00007FF6D06F0000-0x00007FF6D0A44000-memory.dmp
C:\Windows\System\BWWbIvo.exe
| MD5 | e236152a33d81d88961cedaf6b01db86 |
| SHA1 | c0329c6f95b2d7e176543f6051527f2e27271d1a |
| SHA256 | a6fad9f3dbc595ff159b692b36e5238f61539195c1700769af8eb795d460bca9 |
| SHA512 | 2a0f5313e4a23a25ec206e05d21247c5cde69b90fa3415f3c53f21ecca4caa1c3c60e0ed9df87c9a8e78ec6b0c0e81daaef9756466f00de5ed0ebd489af6efd4 |
memory/3544-73-0x00007FF6E2710000-0x00007FF6E2A64000-memory.dmp
memory/4524-72-0x00007FF7EC7A0000-0x00007FF7ECAF4000-memory.dmp
memory/4624-68-0x00007FF7D8E50000-0x00007FF7D91A4000-memory.dmp
memory/3028-67-0x00007FF682A30000-0x00007FF682D84000-memory.dmp
C:\Windows\System\UkrpBkM.exe
| MD5 | 654ece55cacc9861a25698ec8232a929 |
| SHA1 | e6010344d2b8a7917d563afb924d96ed8d5d63a0 |
| SHA256 | 0f7707217e0bbde93c63426fb5794e95e2fc327ea24b4343704bfb37ac641700 |
| SHA512 | 0c9a40c6319f06abe52cb39bbb5bafa7b850d497cc2fb0a836178eece75656a22d9b6955e6a89c68753f7f06b84bc1d6819564ceae2b8cca3edecda23cab2141 |
memory/448-117-0x00007FF7E3E80000-0x00007FF7E41D4000-memory.dmp
memory/5048-116-0x00007FF740600000-0x00007FF740954000-memory.dmp
C:\Windows\System\yZcjMzK.exe
| MD5 | 534971ff0dfb67464f1d17e0158738ca |
| SHA1 | 7111f0e8f1280eac1a6e7e5163c84c29109fff7d |
| SHA256 | c947eb5af506ac9fdfc9328eedc30e6efac2ef2a09b3addc80355c9eed31dfa0 |
| SHA512 | 54a7dd324f8f290b3179a848eca1b88f0511f790ed75872edcfdca3e3274887de227e68ac05c48d7d65d228d2f35ff43d694ef20f9e2b946a5324b8240e0b55c |
memory/3524-121-0x00007FF62C1D0000-0x00007FF62C524000-memory.dmp
memory/3808-128-0x00007FF6AB170000-0x00007FF6AB4C4000-memory.dmp
memory/1660-127-0x00007FF619F40000-0x00007FF61A294000-memory.dmp
C:\Windows\System\JfpvXGq.exe
| MD5 | 7bd3850775493290677bb0d6c4438db6 |
| SHA1 | 0e06b7b143bca50260773f969bbce51b88af9340 |
| SHA256 | 14e287e88be8a1a6bb5ace7d94727ddffce4531dc3caee39678be9fccdff7c1e |
| SHA512 | 26c8aeca712b8fcc79b8a421f03d9a71b8085d89ba1c2dadc37bf823dd0aaa4f17d72f8ad46bbf92d1cf91be63c75d0f913d9d649c5950953008fd61915ebe61 |
C:\Windows\System\hxaMFFk.exe
| MD5 | 38c7ad9bfd04c4442c5da56f7a340fc2 |
| SHA1 | 9a2dceab91555ca8be098c554e7c88bce63d1e49 |
| SHA256 | 7cba32f144becbf4fadcb7e0b2cb7fb417456358f68cfb89babd18a9cac2ae77 |
| SHA512 | 7c38020b495a6edc85dcddf36758fbd9187a7f17c9dc9cec3e89a230e6cd2e4abbe04833bb701f8aa08ccd659087c035c520a24b45e2b8b637329cfdc10320db |
memory/3924-135-0x00007FF747610000-0x00007FF747964000-memory.dmp
memory/64-137-0x00007FF717A90000-0x00007FF717DE4000-memory.dmp
memory/4524-136-0x00007FF7EC7A0000-0x00007FF7ECAF4000-memory.dmp
memory/3544-138-0x00007FF6E2710000-0x00007FF6E2A64000-memory.dmp
memory/4752-139-0x00007FF69D860000-0x00007FF69DBB4000-memory.dmp
memory/3936-140-0x00007FF74BD30000-0x00007FF74C084000-memory.dmp
memory/3240-141-0x00007FF77E0C0000-0x00007FF77E414000-memory.dmp
memory/1972-142-0x00007FF7CDE60000-0x00007FF7CE1B4000-memory.dmp
memory/1660-143-0x00007FF619F40000-0x00007FF61A294000-memory.dmp
memory/3808-144-0x00007FF6AB170000-0x00007FF6AB4C4000-memory.dmp
memory/3028-145-0x00007FF682A30000-0x00007FF682D84000-memory.dmp
memory/4624-146-0x00007FF7D8E50000-0x00007FF7D91A4000-memory.dmp
memory/1136-147-0x00007FF6D06F0000-0x00007FF6D0A44000-memory.dmp
memory/1540-148-0x00007FF7EB390000-0x00007FF7EB6E4000-memory.dmp
memory/440-149-0x00007FF623770000-0x00007FF623AC4000-memory.dmp
memory/3164-150-0x00007FF7D6F50000-0x00007FF7D72A4000-memory.dmp
memory/5048-151-0x00007FF740600000-0x00007FF740954000-memory.dmp
memory/3524-152-0x00007FF62C1D0000-0x00007FF62C524000-memory.dmp
memory/3944-153-0x00007FF6D72B0000-0x00007FF6D7604000-memory.dmp
memory/3924-154-0x00007FF747610000-0x00007FF747964000-memory.dmp
memory/4524-155-0x00007FF7EC7A0000-0x00007FF7ECAF4000-memory.dmp
memory/3544-156-0x00007FF6E2710000-0x00007FF6E2A64000-memory.dmp
memory/4752-158-0x00007FF69D860000-0x00007FF69DBB4000-memory.dmp
memory/1340-157-0x00007FF7D6E20000-0x00007FF7D7174000-memory.dmp
memory/1972-159-0x00007FF7CDE60000-0x00007FF7CE1B4000-memory.dmp
memory/3936-160-0x00007FF74BD30000-0x00007FF74C084000-memory.dmp
memory/3240-161-0x00007FF77E0C0000-0x00007FF77E414000-memory.dmp
memory/448-162-0x00007FF7E3E80000-0x00007FF7E41D4000-memory.dmp
memory/1660-163-0x00007FF619F40000-0x00007FF61A294000-memory.dmp
memory/3808-164-0x00007FF6AB170000-0x00007FF6AB4C4000-memory.dmp
memory/64-165-0x00007FF717A90000-0x00007FF717DE4000-memory.dmp