Analysis Overview
SHA256
86d45530a1be1dc8460e81ea7210484b464b44cf3d13e9ea7f91256655583d25
Threat Level: Known bad
The file 2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Cobaltstrike family
XMRig Miner payload
Xmrig family
xmrig
Cobalt Strike reflective loader
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-08-13 11:57
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-13 11:57
Reported
2024-08-13 11:59
Platform
win7-20240704-en
Max time kernel
140s
Max time network
144s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\XMBzkYc.exe | N/A |
| N/A | N/A | C:\Windows\System\qvSrBEU.exe | N/A |
| N/A | N/A | C:\Windows\System\sWBuCMw.exe | N/A |
| N/A | N/A | C:\Windows\System\oDMqSBO.exe | N/A |
| N/A | N/A | C:\Windows\System\rkFPlqb.exe | N/A |
| N/A | N/A | C:\Windows\System\IicdiXE.exe | N/A |
| N/A | N/A | C:\Windows\System\YvIpkUr.exe | N/A |
| N/A | N/A | C:\Windows\System\quXMtmf.exe | N/A |
| N/A | N/A | C:\Windows\System\cmnuYoX.exe | N/A |
| N/A | N/A | C:\Windows\System\WNJSYLd.exe | N/A |
| N/A | N/A | C:\Windows\System\iQTjLMH.exe | N/A |
| N/A | N/A | C:\Windows\System\JerpdmK.exe | N/A |
| N/A | N/A | C:\Windows\System\GerZKib.exe | N/A |
| N/A | N/A | C:\Windows\System\CCmkdRY.exe | N/A |
| N/A | N/A | C:\Windows\System\TLDDgLY.exe | N/A |
| N/A | N/A | C:\Windows\System\eSCUahq.exe | N/A |
| N/A | N/A | C:\Windows\System\bqNnbEG.exe | N/A |
| N/A | N/A | C:\Windows\System\thGkFMU.exe | N/A |
| N/A | N/A | C:\Windows\System\dpwLGKT.exe | N/A |
| N/A | N/A | C:\Windows\System\oHDwbaz.exe | N/A |
| N/A | N/A | C:\Windows\System\OWgltwu.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\XMBzkYc.exe
C:\Windows\System\qvSrBEU.exe
C:\Windows\System\sWBuCMw.exe
C:\Windows\System\quXMtmf.exe
C:\Windows\System\oDMqSBO.exe
C:\Windows\System\cmnuYoX.exe
C:\Windows\System\rkFPlqb.exe
C:\Windows\System\CCmkdRY.exe
C:\Windows\System\IicdiXE.exe
C:\Windows\System\eSCUahq.exe
C:\Windows\System\YvIpkUr.exe
C:\Windows\System\bqNnbEG.exe
C:\Windows\System\WNJSYLd.exe
C:\Windows\System\thGkFMU.exe
C:\Windows\System\iQTjLMH.exe
C:\Windows\System\dpwLGKT.exe
C:\Windows\System\JerpdmK.exe
C:\Windows\System\oHDwbaz.exe
C:\Windows\System\GerZKib.exe
C:\Windows\System\OWgltwu.exe
C:\Windows\System\TLDDgLY.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-13 11:57
Reported
2024-08-13 11:59
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
148s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\XMBzkYc.exe | N/A |
| N/A | N/A | C:\Windows\System\qvSrBEU.exe | N/A |
| N/A | N/A | C:\Windows\System\sWBuCMw.exe | N/A |
| N/A | N/A | C:\Windows\System\quXMtmf.exe | N/A |
| N/A | N/A | C:\Windows\System\oDMqSBO.exe | N/A |
| N/A | N/A | C:\Windows\System\cmnuYoX.exe | N/A |
| N/A | N/A | C:\Windows\System\rkFPlqb.exe | N/A |
| N/A | N/A | C:\Windows\System\CCmkdRY.exe | N/A |
| N/A | N/A | C:\Windows\System\IicdiXE.exe | N/A |
| N/A | N/A | C:\Windows\System\eSCUahq.exe | N/A |
| N/A | N/A | C:\Windows\System\YvIpkUr.exe | N/A |
| N/A | N/A | C:\Windows\System\bqNnbEG.exe | N/A |
| N/A | N/A | C:\Windows\System\WNJSYLd.exe | N/A |
| N/A | N/A | C:\Windows\System\thGkFMU.exe | N/A |
| N/A | N/A | C:\Windows\System\iQTjLMH.exe | N/A |
| N/A | N/A | C:\Windows\System\dpwLGKT.exe | N/A |
| N/A | N/A | C:\Windows\System\JerpdmK.exe | N/A |
| N/A | N/A | C:\Windows\System\oHDwbaz.exe | N/A |
| N/A | N/A | C:\Windows\System\GerZKib.exe | N/A |
| N/A | N/A | C:\Windows\System\OWgltwu.exe | N/A |
| N/A | N/A | C:\Windows\System\TLDDgLY.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-13_b0a11663315e3a25c717790b4f68ce7c_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\XMBzkYc.exe
C:\Windows\System\qvSrBEU.exe
C:\Windows\System\sWBuCMw.exe
C:\Windows\System\quXMtmf.exe
C:\Windows\System\oDMqSBO.exe
C:\Windows\System\cmnuYoX.exe
C:\Windows\System\rkFPlqb.exe
C:\Windows\System\CCmkdRY.exe
C:\Windows\System\IicdiXE.exe
C:\Windows\System\eSCUahq.exe
C:\Windows\System\YvIpkUr.exe
C:\Windows\System\bqNnbEG.exe
C:\Windows\System\WNJSYLd.exe
C:\Windows\System\thGkFMU.exe
C:\Windows\System\iQTjLMH.exe
C:\Windows\System\dpwLGKT.exe
C:\Windows\System\JerpdmK.exe
C:\Windows\System\oHDwbaz.exe
C:\Windows\System\GerZKib.exe
C:\Windows\System\OWgltwu.exe
C:\Windows\System\TLDDgLY.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 22.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
C:\Windows\System\JerpdmK.exe
| MD5 | 8bf42fd6283c7b202fbe9671b92d8f9e |
| SHA1 | 4304527101787930f90e57698b5a3dc64264a569 |
| SHA256 | 18f86791c2934d36f62859a2aaddeafe78de52724a8bcbce4b0782beea8466f9 |
| SHA512 | 82a15252dc5af138c0af98d183d7402a39ba0dc994edd3545ce72a8d6746f9d9b1cb0f1f04f5778ae3c1b773c13f273a0220ec924710273f2d8c4e45422b7f94 |
memory/2716-108-0x00007FF633C90000-0x00007FF633FE1000-memory.dmp
memory/1980-100-0x00007FF717010000-0x00007FF717361000-memory.dmp
memory/4820-96-0x00007FF644D00000-0x00007FF645051000-memory.dmp
memory/3496-82-0x00007FF7D01E0000-0x00007FF7D0531000-memory.dmp
C:\Windows\System\WNJSYLd.exe
| MD5 | 66f6bce2941ec57b0a5b858579d4df3e |
| SHA1 | 8ed262ff7e169fed019528c244b9472c9eedd401 |
| SHA256 | 44cc3c086bd5ca1b5a876f8b48961c3df9e3974a3b5ca3434081b6b2d0b925b3 |
| SHA512 | fc6e32d2fd27b815f60c3a2e2e8e5f34c86e69900bbb0682c5e44bfc1d3d54c61167f0cf924271dc321b70353de5420db2535cef59d067c4d387ef72f51e4e1d |
memory/2524-72-0x00007FF641970000-0x00007FF641CC1000-memory.dmp
memory/4492-125-0x00007FF793DF0000-0x00007FF794141000-memory.dmp
memory/3744-124-0x00007FF6CF270000-0x00007FF6CF5C1000-memory.dmp
memory/1172-127-0x00007FF7E0770000-0x00007FF7E0AC1000-memory.dmp
memory/2220-128-0x00007FF7D7690000-0x00007FF7D79E1000-memory.dmp
memory/1448-126-0x00007FF6593A0000-0x00007FF6596F1000-memory.dmp
memory/2592-129-0x00007FF661370000-0x00007FF6616C1000-memory.dmp
memory/1172-130-0x00007FF7E0770000-0x00007FF7E0AC1000-memory.dmp
memory/4436-134-0x00007FF62AFF0000-0x00007FF62B341000-memory.dmp
memory/3512-137-0x00007FF7EF2D0000-0x00007FF7EF621000-memory.dmp
memory/2264-141-0x00007FF70B800000-0x00007FF70BB51000-memory.dmp
memory/716-140-0x00007FF6530C0000-0x00007FF653411000-memory.dmp
memory/516-135-0x00007FF778120000-0x00007FF778471000-memory.dmp
memory/4152-133-0x00007FF62A7A0000-0x00007FF62AAF1000-memory.dmp
memory/3496-143-0x00007FF7D01E0000-0x00007FF7D0531000-memory.dmp
memory/4080-144-0x00007FF654F40000-0x00007FF655291000-memory.dmp
memory/2524-142-0x00007FF641970000-0x00007FF641CC1000-memory.dmp
memory/1980-147-0x00007FF717010000-0x00007FF717361000-memory.dmp
memory/2716-146-0x00007FF633C90000-0x00007FF633FE1000-memory.dmp
memory/4820-145-0x00007FF644D00000-0x00007FF645051000-memory.dmp
memory/1172-152-0x00007FF7E0770000-0x00007FF7E0AC1000-memory.dmp
memory/2220-197-0x00007FF7D7690000-0x00007FF7D79E1000-memory.dmp
memory/4772-199-0x00007FF60ADD0000-0x00007FF60B121000-memory.dmp
memory/4152-201-0x00007FF62A7A0000-0x00007FF62AAF1000-memory.dmp
memory/3512-214-0x00007FF7EF2D0000-0x00007FF7EF621000-memory.dmp
memory/4792-216-0x00007FF6D8E30000-0x00007FF6D9181000-memory.dmp
memory/516-218-0x00007FF778120000-0x00007FF778471000-memory.dmp
memory/4436-213-0x00007FF62AFF0000-0x00007FF62B341000-memory.dmp
memory/2264-222-0x00007FF70B800000-0x00007FF70BB51000-memory.dmp
memory/4452-226-0x00007FF7B8F30000-0x00007FF7B9281000-memory.dmp
memory/716-225-0x00007FF6530C0000-0x00007FF653411000-memory.dmp
memory/2724-221-0x00007FF70D3F0000-0x00007FF70D741000-memory.dmp
memory/2524-233-0x00007FF641970000-0x00007FF641CC1000-memory.dmp
memory/3496-235-0x00007FF7D01E0000-0x00007FF7D0531000-memory.dmp
memory/4820-238-0x00007FF644D00000-0x00007FF645051000-memory.dmp
memory/4080-239-0x00007FF654F40000-0x00007FF655291000-memory.dmp
memory/2716-249-0x00007FF633C90000-0x00007FF633FE1000-memory.dmp
memory/1980-251-0x00007FF717010000-0x00007FF717361000-memory.dmp
memory/3744-248-0x00007FF6CF270000-0x00007FF6CF5C1000-memory.dmp
memory/2592-246-0x00007FF661370000-0x00007FF6616C1000-memory.dmp
memory/1448-242-0x00007FF6593A0000-0x00007FF6596F1000-memory.dmp
memory/4492-244-0x00007FF793DF0000-0x00007FF794141000-memory.dmp