Analysis Overview
SHA256
e7b597e2f3f9af63796e37df453192b6f6ff4635f6dff807b200fd62319839c3
Threat Level: Known bad
The file 2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Xmrig family
XMRig Miner payload
Cobaltstrike family
xmrig
Cobaltstrike
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-08-07 22:44
Signatures
Cobalt Strike reflective loader
Matches: 1 (no description, indicator, process or target recorded)
Cobaltstrike family
XMRig Miner payload
Matches: 1 (no description, indicator, process or target recorded)
Xmrig family
UPX packed file
Matches: 1 (no description, indicator, process or target recorded)
Unsigned PE
Matches: 2 (no description, indicator, process or target recorded)
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-07 22:44
Reported
2024-08-07 22:46
Platform
win7-20240705-en
Max time kernel
140s
Max time network
150s
Signatures
Cobalt Strike reflective loader
Matches: 21 (no description, indicator, process or target recorded)
Cobaltstrike
xmrig
XMRig Miner payload
Matches: 39 (no description, indicator, process or target recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\TjYPply.exe | N/A |
| N/A | N/A | C:\Windows\System\LzDEnvS.exe | N/A |
| N/A | N/A | C:\Windows\System\VzGpsvF.exe | N/A |
| N/A | N/A | C:\Windows\System\MieIMoE.exe | N/A |
| N/A | N/A | C:\Windows\System\MtxDFkg.exe | N/A |
| N/A | N/A | C:\Windows\System\dhBOXiR.exe | N/A |
| N/A | N/A | C:\Windows\System\XjDaehx.exe | N/A |
| N/A | N/A | C:\Windows\System\NVJzjry.exe | N/A |
| N/A | N/A | C:\Windows\System\LOpvKgV.exe | N/A |
| N/A | N/A | C:\Windows\System\NbIaYnQ.exe | N/A |
| N/A | N/A | C:\Windows\System\ZHesqMr.exe | N/A |
| N/A | N/A | C:\Windows\System\FeuwWXx.exe | N/A |
| N/A | N/A | C:\Windows\System\bqCpuZC.exe | N/A |
| N/A | N/A | C:\Windows\System\qppGWcB.exe | N/A |
| N/A | N/A | C:\Windows\System\SZXHHwX.exe | N/A |
| N/A | N/A | C:\Windows\System\AMplHAr.exe | N/A |
| N/A | N/A | C:\Windows\System\kVlRxiV.exe | N/A |
| N/A | N/A | C:\Windows\System\ZoiXgQG.exe | N/A |
| N/A | N/A | C:\Windows\System\gWvEkXz.exe | N/A |
| N/A | N/A | C:\Windows\System\SDIKXLA.exe | N/A |
| N/A | N/A | C:\Windows\System\aNrVtNs.exe | N/A |
Loads dropped DLL
UPX packed file
Matches: 64 (no description, indicator, process or target recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\TjYPply.exe
C:\Windows\System\TjYPply.exe
C:\Windows\System\LzDEnvS.exe
C:\Windows\System\LzDEnvS.exe
C:\Windows\System\VzGpsvF.exe
C:\Windows\System\VzGpsvF.exe
C:\Windows\System\MtxDFkg.exe
C:\Windows\System\MtxDFkg.exe
C:\Windows\System\MieIMoE.exe
C:\Windows\System\MieIMoE.exe
C:\Windows\System\dhBOXiR.exe
C:\Windows\System\dhBOXiR.exe
C:\Windows\System\XjDaehx.exe
C:\Windows\System\XjDaehx.exe
C:\Windows\System\NVJzjry.exe
C:\Windows\System\NVJzjry.exe
C:\Windows\System\LOpvKgV.exe
C:\Windows\System\LOpvKgV.exe
C:\Windows\System\NbIaYnQ.exe
C:\Windows\System\NbIaYnQ.exe
C:\Windows\System\ZHesqMr.exe
C:\Windows\System\ZHesqMr.exe
C:\Windows\System\FeuwWXx.exe
C:\Windows\System\FeuwWXx.exe
C:\Windows\System\bqCpuZC.exe
C:\Windows\System\bqCpuZC.exe
C:\Windows\System\qppGWcB.exe
C:\Windows\System\qppGWcB.exe
C:\Windows\System\SZXHHwX.exe
C:\Windows\System\SZXHHwX.exe
C:\Windows\System\AMplHAr.exe
C:\Windows\System\AMplHAr.exe
C:\Windows\System\kVlRxiV.exe
C:\Windows\System\kVlRxiV.exe
C:\Windows\System\ZoiXgQG.exe
C:\Windows\System\ZoiXgQG.exe
C:\Windows\System\gWvEkXz.exe
C:\Windows\System\gWvEkXz.exe
C:\Windows\System\SDIKXLA.exe
C:\Windows\System\SDIKXLA.exe
C:\Windows\System\aNrVtNs.exe
C:\Windows\System\aNrVtNs.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
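The behaviours recorded above (a parent that enables SeLockMemoryPrivilege, then drops and runs executables named with exactly seven letters under C:\Windows\System, each of which connects to 3.120.209.58:8080 over TCP) translate directly into endpoint hunting logic. The Python below is an added example, not part of the sandbox output or of the sample: the path regex is derived from the 42 dropped-file names listed in this report, the event record shape (type, pid, ppid, image, dst_ip, dst_port, privilege) is an assumed telemetry schema, the threshold of three dropped children before a parent counts as a loader chain is an assumption, and the sample events are constructed, with child PIDs borrowed from the memory-dump listing but their pairing with file names not established by the report. SeLockMemoryPrivilege is the "Lock pages in memory" right that XMRig requests so it can back its mining dataset with large pages, which is why a user-mode process enabling it is worth flagging on its own.

```python
import re
from collections import Counter, defaultdict

# Naming convention of every dropped file in both detonations of this report:
# exactly seven ASCII letters, mixed case, under C:\Windows\System (the legacy
# directory, not System32). Derived from the report; treat as an assumption
# when applied to other samples.
DROP_PATH_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)

# Endpoint every process in the report connects to over TCP.
KNOWN_BAD_ENDPOINTS = {("3.120.209.58", 8080)}

# Privilege the parent enabled via AdjustTokenPrivileges. XMRig asks for it
# ("Lock pages in memory") to back its RandomX dataset with large pages.
SUSPICIOUS_PRIVS = {"SeLockMemoryPrivilege"}

# Minimum dropped-and-executed children before a parent is treated as a loader
# chain. Assumed threshold; the report shows 21 per run.
MIN_DROPS_FOR_CHAIN = 3


def classify(event: dict) -> list[str]:
    """Return the detection labels a single telemetry record triggers."""
    hits = []
    kind = event.get("type")
    if kind == "process_create" and DROP_PATH_RE.match(event.get("image", "")):
        hits.append("dropped-exe-in-windows-system")
    if kind == "network_connect" and (event.get("dst_ip"), event.get("dst_port")) in KNOWN_BAD_ENDPOINTS:
        hits.append("known-c2-endpoint")
    if kind == "privilege_adjust" and event.get("privilege") in SUSPICIOUS_PRIVS:
        hits.append("lock-pages-privilege")
    return hits


def hunt(events: list[dict]) -> dict:
    """Correlate per-event hits into per-process findings and a loader-chain verdict."""
    hits_by_pid: dict[int, set[str]] = defaultdict(set)
    drops_by_parent: Counter = Counter()
    for ev in events:
        for label in classify(ev):
            hits_by_pid[ev["pid"]].add(label)
            if label == "dropped-exe-in-windows-system":
                drops_by_parent[ev["ppid"]] += 1
    chain_parents = sorted(p for p, n in drops_by_parent.items() if n >= MIN_DROPS_FOR_CHAIN)
    c2_pids = sorted(p for p, labels in hits_by_pid.items() if "known-c2-endpoint" in labels)
    if chain_parents and c2_pids:
        verdict = "xmrig-loader-chain"
    elif hits_by_pid:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {
        "hits_by_pid": {p: sorted(labels) for p, labels in hits_by_pid.items()},
        "drops_by_parent": dict(drops_by_parent),
        "chain_parents": chain_parents,
        "c2_pids": c2_pids,
        "verdict": verdict,
    }


# Constructed telemetry modelled on the behavioral1 run above. The child PIDs
# appear in the memory-dump listing, but which dropped file each one ran is an
# assumption; the svchost records are benign noise to show what does not fire.
SAMPLE_EVENTS = [
    {"type": "privilege_adjust", "pid": 2488, "privilege": "SeLockMemoryPrivilege"},
    {"type": "process_create", "pid": 1968, "ppid": 2488, "image": r"C:\Windows\System\TjYPply.exe"},
    {"type": "process_create", "pid": 1008, "ppid": 2488, "image": r"C:\Windows\System\LzDEnvS.exe"},
    {"type": "process_create", "pid": 2004, "ppid": 2488, "image": r"C:\Windows\System\VzGpsvF.exe"},
    {"type": "network_connect", "pid": 1968, "dst_ip": "3.120.209.58", "dst_port": 8080, "proto": "tcp"},
    {"type": "network_connect", "pid": 1008, "dst_ip": "3.120.209.58", "dst_port": 8080, "proto": "tcp"},
    {"type": "process_create", "pid": 4100, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "network_connect", "pid": 4100, "dst_ip": "8.8.8.8", "dst_port": 53, "proto": "udp"},
]

if __name__ == "__main__":
    result = hunt(SAMPLE_EVENTS)
    print(result["verdict"], result["chain_parents"], result["c2_pids"])
```

To run this against real telemetry, map Sysmon event ID 1 (process create) and ID 3 (network connect) onto the same record shape; the privilege_adjust record has no Sysmon equivalent and would come from Security event 4703 (token right adjusted) or an EDR that exposes AdjustTokenPrivileges calls.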
Files
memory/2488-0-0x000000013F840000-0x000000013FB91000-memory.dmp
memory/2488-1-0x00000000003F0000-0x0000000000400000-memory.dmp
\Windows\system\TjYPply.exe
| MD5 | 316657e7ae0bab82e412c618e7f48ee7 |
| SHA1 | f04929cc4d4adb70e108c35236e31106fb998809 |
| SHA256 | df79f6cc1f26a6cb16ee16965cf6699b32ff4b320b0be9432075737ee8898f1c |
| SHA512 | 9e9555a47a6a32cbd5bc357509d9e294256cd2f71083e28e8984e8ace575b6e28f6cb5179af8c9e679c75fb75c85cf39c8844a5357318e0b48d5e71e32ff78d9 |
memory/2488-7-0x000000013F050000-0x000000013F3A1000-memory.dmp
\Windows\system\LzDEnvS.exe
| MD5 | d9d851825dacb0fa989f10f7b26e3fd6 |
| SHA1 | 30d17b2b494aa172a2a7048ae819d31080b5f405 |
| SHA256 | 87d7f009afde6118d247642fbc966682cb5ecec5121b3403518fe118a218ad4a |
| SHA512 | 4747701ab24e76a47cdeae89d4a72fdf0463f86591223c1d833f59908dc0fd060a5163a84eca46a338f7333af9767942ffb9a4e08c9c95ed9587739d87b5d3d5 |
C:\Windows\system\MieIMoE.exe
| MD5 | 117ecf8589169cb63daff81be62bfe9f |
| SHA1 | ab4db155a21d9d862fa6811359351d8c53b71ff7 |
| SHA256 | 1d1261739cdb86482201e1db8ab2301624804e3b5259e2cbaec83972f035abfc |
| SHA512 | c04ae094944ca05825f0b19c6085bd2aba224304d72203b6007ca6cfc4c25e5a59ef9dc8f3faa76ae927af540a5006fc4f71360aae5b9fc361ecf735b49af7db |
C:\Windows\system\VzGpsvF.exe
| MD5 | 082572d4c9180acd3dca7e56db1542e8 |
| SHA1 | 1f07f666eca467bdfa37c70b5de9923373735c0a |
| SHA256 | c0640f76c259e697e8b5a698fb95c0a6b050dccbe4f33bbe0885dd536339f3a0 |
| SHA512 | fded7ab323fc0e5ceb4476848e040d1817fe98493fd3c634ef8d83de19824b358623c56e0f5895906b1c11f0487ae85f337885a90383131e6d502b71c0fc71fd |
\Windows\system\MtxDFkg.exe
| MD5 | 4a6c887e38516af9dc322a9194bb993c |
| SHA1 | d4fd01e47c4f7949b2f2d1ea06c95be2928376c3 |
| SHA256 | 071fdb8002bece913556519a3d5c654fe8bcf70ee27ebf883c67d7ffffded4cd |
| SHA512 | 8aeb85d30857354beea5d514cdf10aa07499044cfab1f3462d8bed475691e79b5dd0a989d918f1a6471d3f22093d54f91ad05d1b470574a02a9d60c3a8d2411d |
C:\Windows\system\dhBOXiR.exe
| MD5 | f93f08f4136c52ac8d3e59485e59de41 |
| SHA1 | 4d9e9d49856ccf897c4521270b2c92b5fd86d626 |
| SHA256 | 9bda99ce6ceca676298ef330bb7160ca24f3b4f82b6c5e6b5685492567183ac9 |
| SHA512 | 9429774fdfbd857b0e1fb3bd08ac508bfdd0735a2eca84383634490153241d337495c9b8e70bd1dee1a6db566a2676e64bb817fe3c563aa930070d448feabd27 |
C:\Windows\system\XjDaehx.exe
| MD5 | f51a34eb4047d1b9dc9fae0b1649fb8a |
| SHA1 | 1ab4d367f37fc3e899c83ca065f5dd2c8afc7062 |
| SHA256 | 686e1fc756e2d5088eacbdbaf09fdf84931db04138ce3f2856f39c5fe7c63031 |
| SHA512 | da679addc292b2f14de9778d53f9d20320f2922af3662b4c03c75b7ebe011c95f03410296098a33bf750dcf8ce689335130448d7186a3968477ccb90e8859fa9 |
C:\Windows\system\qppGWcB.exe
| MD5 | a127639a27b3479c393f73624cde5e39 |
| SHA1 | 2ad3c74b2799864f10aa5cb3cb4bcc4d405b48c1 |
| SHA256 | 445e67dff08f3e1b4af640ec230a558f6e9b01cd5649394743018125654bf1fd |
| SHA512 | c8d17e30b87fc681cc6ca6d1baff9c6b75afa6ab48858554f3c860fbf1162ce0e9c2480a64175d8238da9babafcff55bd9b9fcd9b663bf6079d32f086c3671f5 |
C:\Windows\system\AMplHAr.exe
| MD5 | 8b97794ad99ff970b8556fd4cde15f33 |
| SHA1 | f5eec45afa81c1770ac3ce5582bbeddba94b1662 |
| SHA256 | 7c9f0737a9b3536cd734fc4ca9fa3d5c361277dc2107a4479fecec60ca1c05cf |
| SHA512 | 6715518ae87d373311bc01383b0deca86ca43631a725ac0204729aa4ff82000a0877589b2946bca08f0160eb8df99f64196835a5b7a2ad9b41c476b96eaef695 |
C:\Windows\system\ZoiXgQG.exe
| MD5 | aee5642d4c3071eb227a2e7f7be76ef2 |
| SHA1 | 36b21f58f99accebb1803fa4f990168d8efbcce4 |
| SHA256 | 4e0e2668f00836e62f57e1602eed0834c9a4a51ad8a561bd813a927a13475dec |
| SHA512 | 2dc0ed191fe2b07c0c0127f74f7664a8d0fee1b9b2da41af581c44a3a010cc62ad624d501ed5d51ad1d5b8e6131f97d56420e952a67142e08cee1a4918a0a6bd |
C:\Windows\system\SDIKXLA.exe
| MD5 | 49cc05481b101da5dc978af3d7a4e011 |
| SHA1 | 3f5c7cf26cfc34affd31fc3469a69f1689e096d9 |
| SHA256 | 5995f7812192fce5c081a85db1bd57c663cde8a3c6de42d9a8cf359661b7d0c3 |
| SHA512 | d754acd6e02ebefb21d849af7726c0e77f1c221ef7224fb29a5e5b7fe5f0b56d742af5c65adc6f9033ab011c56059cea9f15b679e7f424e37a633ed698e61761 |
C:\Windows\system\aNrVtNs.exe
| MD5 | 481993c6cf495a186ba15b7982af0706 |
| SHA1 | 1676a36658c697aa2bc751d60a275a349c9fed26 |
| SHA256 | 64d0d41cdc8150f8701d5a93b7792e88d6a35b3a195e2506cf2faaca2b8a2795 |
| SHA512 | 48168f4b46fd9b855c65dff181307844cb8d455830e2e05b623ca9dfd9153ac1b5a6dcdcaefd2b9069638c85e8e37b8d903459ace2dacc4c3ce6352cba3677ca |
C:\Windows\system\gWvEkXz.exe
| MD5 | 74bfcb72902ab477d5157ddbc7753f6c |
| SHA1 | b882b5f26f5b57c9037f88d8536c04b6d40960fe |
| SHA256 | 21ff480ec4e3b720a1090764cef4f19de88e8635f25b6b123de512fc1a18b6b9 |
| SHA512 | 157a4d80ff15aaacf45f4385f0caf315d62f131e7ceffd93fa95af6ed99d0d7cf3abc9f0f7736cb9e294d78d63a219ced8ca4696a1d2c30bd5fe81b1b892647c |
C:\Windows\system\kVlRxiV.exe
| MD5 | 36862da966ba4b5411f889ea6410c1a3 |
| SHA1 | cec01c11cc3b0164ee4d193381a70ec873fb5a70 |
| SHA256 | c1369212e3782a84b09b738497f01dafe6357ebb49f7bc2c01bd11a270f380db |
| SHA512 | 837fdafdc1a976619909e90e22a9d2f9eb6e6153157814d7b599b12a97815ea4de92d2732a5fbda7a0c5a7cb2ae8078aafa3f168138d1c0fcd3f909eee63431f |
C:\Windows\system\SZXHHwX.exe
| MD5 | 7f08998f8bf82688754da0e07b660b8e |
| SHA1 | 48040f9595af767471d11bc22cc6949191676879 |
| SHA256 | 5c2d9da8f97c8694d66d0a6246e6ae8f0b9dc0c2f8d90337ae82b09585cec2ea |
| SHA512 | 1ebd27fd20362cd2e5e2d3fa3f3430cb672a015e672032ad5efef2158de58820aeca1637c0e1f29cfbbc492abe76a1f98951a436a32b7fc658511b7c6fdb7c02 |
memory/2700-113-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
memory/2488-112-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
memory/1660-111-0x000000013F810000-0x000000013FB61000-memory.dmp
memory/2488-110-0x0000000002260000-0x00000000025B1000-memory.dmp
memory/2844-108-0x000000013FFD0000-0x0000000140321000-memory.dmp
memory/2488-105-0x000000013FFD0000-0x0000000140321000-memory.dmp
memory/2712-103-0x000000013F800000-0x000000013FB51000-memory.dmp
memory/2488-101-0x0000000002260000-0x00000000025B1000-memory.dmp
memory/264-99-0x000000013F690000-0x000000013F9E1000-memory.dmp
memory/2488-97-0x000000013F430000-0x000000013F781000-memory.dmp
memory/2488-95-0x0000000002260000-0x00000000025B1000-memory.dmp
memory/2004-94-0x000000013FD20000-0x0000000140071000-memory.dmp
memory/2488-93-0x000000013FD20000-0x0000000140071000-memory.dmp
memory/1008-91-0x000000013FA90000-0x000000013FDE1000-memory.dmp
C:\Windows\system\bqCpuZC.exe
| MD5 | 7d4361497728b576878431168f6062b3 |
| SHA1 | a24c0cbbc367059ec591288d52dd8ee62ec3a56b |
| SHA256 | 06df7c2fa1866d1952cd7d064a2ea79a3dffba589e7d3d99b940c779d6c0da56 |
| SHA512 | 80a1751c9b4b73985129238fbd6822a05d60be4c9cd3daace0bc9ee5f57cdd7f257797f17905b722267626f1b61f4a2c40f99caaf289e2eb47f77ecd1f24170d |
C:\Windows\system\FeuwWXx.exe
| MD5 | d9578fdae0e53dc446385e77ba0ec6b0 |
| SHA1 | 668775fa1912e6faaaf47e4dd2165718fefe67fa |
| SHA256 | 1c67d660e1d4ab1126c23e631f3f1c2436cc31ccf0cc0e7aa375e8cd985945a8 |
| SHA512 | 4296e84e96d4c4314fb5ba5515670341a3c0355c6c2d47b925256eda82ecb705d27fabba38b96560e7dec798e7f97495d4edeae01283129db746f483bbaf3d91 |
C:\Windows\system\ZHesqMr.exe
| MD5 | 344263a634723991eb90f1109e5e8d6f |
| SHA1 | 79bb6ff12f4a013ab853898dee7151e2f84bbf54 |
| SHA256 | 81b432f811c4db2722fea3017e98e955f87e0985ab0cd334683a78deb19d2899 |
| SHA512 | e0004412a8b5f7d3245944868ef8cb5e9fc98bc49b13cde18379f3bd3089302e533e5978f475b2e73204f02799a07f79ffc1a57045a78c96019bd7fa030c62d9 |
C:\Windows\system\NbIaYnQ.exe
| MD5 | 6a925f674b9522edec356f58d1a23caa |
| SHA1 | 244bc7fd6502b07c1d4fd217dd88647611bcf041 |
| SHA256 | 78c1703c6a5891dd36f3c122ba58e41237e49ae63d00b1b2a0f7b98f8de44ddf |
| SHA512 | 55fe1b2dee29432d0a80b6eeb2d1621fccd441b656facc7990e9d3944401f1016102fc77c9e89b332c7a8d0d737c8b38384d2616c2c4602d23de40890151218f |
C:\Windows\system\LOpvKgV.exe
| MD5 | 92a6cdcc753d593f1149b4a4bc856d71 |
| SHA1 | cc1cc34bcd62666a28d28ed307968e9fc3cabeba |
| SHA256 | 702a8bad9dbd2b43103f9079564889f148c4268cd4cdcc6941779ad626c2c60a |
| SHA512 | 2035a860888669eee283625cc0603a42557445e14ef188080ac09e84a8aeb61ca54bc7a08d6a6d0e94945e261bcf281dc7ed6000730aac6eb1a31a668c5cfeb7 |
C:\Windows\system\NVJzjry.exe
| MD5 | 6acf404ebab14cc52752b27662f7eb3f |
| SHA1 | e83f0bce79010993218be8482924a9cc3e40b838 |
| SHA256 | 22213c26f63b1bcfd20af674eb7aae5f36a16a4a5c30ce32f252ebc3755c0625 |
| SHA512 | 17e86f013896a472ed8932c8ed23230ee7c90e940b993170d5727bd8e3cbf5e0d653efae4b6707b770304e2fe98f6edf895a2c310ad6b9454e6949d5fd906c10 |
memory/1968-22-0x000000013F050000-0x000000013F3A1000-memory.dmp
memory/2692-117-0x000000013FF30000-0x0000000140281000-memory.dmp
memory/2488-116-0x000000013FF30000-0x0000000140281000-memory.dmp
memory/2584-115-0x000000013FF10000-0x0000000140261000-memory.dmp
memory/2488-114-0x000000013FF10000-0x0000000140261000-memory.dmp
memory/2392-119-0x000000013F270000-0x000000013F5C1000-memory.dmp
memory/2616-121-0x000000013FAC0000-0x000000013FE11000-memory.dmp
memory/2488-120-0x0000000002260000-0x00000000025B1000-memory.dmp
memory/2488-118-0x000000013F270000-0x000000013F5C1000-memory.dmp
memory/2668-129-0x000000013F430000-0x000000013F781000-memory.dmp
memory/2488-127-0x000000013F2D0000-0x000000013F621000-memory.dmp
memory/2772-124-0x000000013FB60000-0x000000013FEB1000-memory.dmp
memory/2488-134-0x000000013F840000-0x000000013FB91000-memory.dmp
memory/264-138-0x000000013F690000-0x000000013F9E1000-memory.dmp
memory/1008-136-0x000000013FA90000-0x000000013FDE1000-memory.dmp
memory/1968-135-0x000000013F050000-0x000000013F3A1000-memory.dmp
memory/2712-140-0x000000013F800000-0x000000013FB51000-memory.dmp
memory/2392-146-0x000000013F270000-0x000000013F5C1000-memory.dmp
memory/560-151-0x000000013F8D0000-0x000000013FC21000-memory.dmp
memory/2132-155-0x000000013F660000-0x000000013F9B1000-memory.dmp
memory/2900-154-0x000000013F850000-0x000000013FBA1000-memory.dmp
memory/2744-153-0x000000013F3C0000-0x000000013F711000-memory.dmp
memory/2536-152-0x000000013F140000-0x000000013F491000-memory.dmp
memory/2608-150-0x000000013F450000-0x000000013F7A1000-memory.dmp
memory/2872-149-0x000000013F2D0000-0x000000013F621000-memory.dmp
memory/2772-148-0x000000013FB60000-0x000000013FEB1000-memory.dmp
memory/2584-144-0x000000013FF10000-0x0000000140261000-memory.dmp
memory/1660-142-0x000000013F810000-0x000000013FB61000-memory.dmp
memory/2488-156-0x000000013F840000-0x000000013FB91000-memory.dmp
memory/2488-178-0x000000013F840000-0x000000013FB91000-memory.dmp
memory/2488-179-0x000000013F050000-0x000000013F3A1000-memory.dmp
memory/2488-180-0x000000013F270000-0x000000013F5C1000-memory.dmp
memory/1968-204-0x000000013F050000-0x000000013F3A1000-memory.dmp
memory/1008-208-0x000000013FA90000-0x000000013FDE1000-memory.dmp
memory/2004-207-0x000000013FD20000-0x0000000140071000-memory.dmp
memory/2668-229-0x000000013F430000-0x000000013F781000-memory.dmp
memory/2700-233-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
memory/2844-232-0x000000013FFD0000-0x0000000140321000-memory.dmp
memory/2616-237-0x000000013FAC0000-0x000000013FE11000-memory.dmp
memory/2692-235-0x000000013FF30000-0x0000000140281000-memory.dmp
memory/264-243-0x000000013F690000-0x000000013F9E1000-memory.dmp
memory/2712-245-0x000000013F800000-0x000000013FB51000-memory.dmp
memory/2584-249-0x000000013FF10000-0x0000000140261000-memory.dmp
memory/1660-248-0x000000013F810000-0x000000013FB61000-memory.dmp
memory/2392-251-0x000000013F270000-0x000000013F5C1000-memory.dmp
memory/2772-255-0x000000013FB60000-0x000000013FEB1000-memory.dmp
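The memory-dump names in the Files list above encode a PID, a sequence number and an address range. Two things are easy to miss when reading them by hand: every image-sized region in both the parent (PID 2488) and its children is exactly 0x351000 bytes, and the parent holds dumps at the same ranges as several children (for example 2488-7 and 1968-22 both cover 0x13F050000-0x13F3A1000), which is consistent with the "Suspicious use of WriteProcessMemory" signature fired in the same run. The Python below is an added example, not part of the report, that parses the dump names and makes both observations explicit. The sample list is a subset copied from the listing above; reading a shared range as the parent writing the child's image is an inference for an analyst to confirm against the dumps themselves, not something the report states.

```python
import re
from collections import Counter, defaultdict

# Dump names as they appear in the report:
#   memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump(name: str) -> tuple[int, int, int, int]:
    """Split one dump name into (pid, seq, start, end); raise on anything else."""
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a memory dump name: {name!r}")
    return int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16)


def region_sizes(names: list[str]) -> dict[int, int]:
    """Histogram of region sizes in bytes: {size: number_of_dumps}."""
    sizes = Counter(end - start for _pid, _seq, start, end in map(parse_dump, names))
    return dict(sizes)


def shared_regions(names: list[str], parent_pid: int) -> dict[str, list[int]]:
    """Ranges present in the parent that also appear in other PIDs.

    Returns {start_address_hex: [other_pids]} for every range the parent has a
    dump of and at least one other process shares. A shared range in the
    sandbox's dump list is worth checking as a cross-process write.
    """
    owners: dict[tuple[int, int], set[int]] = defaultdict(set)
    for pid, _seq, start, end in map(parse_dump, names):
        owners[(start, end)].add(pid)
    shared = {}
    for (start, _end), pids in sorted(owners.items()):
        if parent_pid in pids and len(pids) > 1:
            shared[f"0x{start:x}"] = sorted(p for p in pids if p != parent_pid)
    return shared


# Subset copied from the behavioral1 Files listing above.
SAMPLE_DUMPS = [
    "memory/2488-0-0x000000013F840000-0x000000013FB91000-memory.dmp",
    "memory/2488-1-0x00000000003F0000-0x0000000000400000-memory.dmp",
    "memory/2488-7-0x000000013F050000-0x000000013F3A1000-memory.dmp",
    "memory/1968-22-0x000000013F050000-0x000000013F3A1000-memory.dmp",
    "memory/2488-93-0x000000013FD20000-0x0000000140071000-memory.dmp",
    "memory/2004-94-0x000000013FD20000-0x0000000140071000-memory.dmp",
    "memory/2488-105-0x000000013FFD0000-0x0000000140321000-memory.dmp",
    "memory/2844-108-0x000000013FFD0000-0x0000000140321000-memory.dmp",
    "memory/2488-110-0x0000000002260000-0x00000000025B1000-memory.dmp",
    "memory/1008-91-0x000000013FA90000-0x000000013FDE1000-memory.dmp",
]

if __name__ == "__main__":
    for size, count in sorted(region_sizes(SAMPLE_DUMPS).items()):
        print(f"region size 0x{size:x}: {count} dumps")
    for start, pids in shared_regions(SAMPLE_DUMPS, 2488).items():
        print(f"parent 2488 shares range at {start} with {pids}")
```

The 0x2260000 region in the parent has the same 0x351000 size as the child images but appears in no child in the listing; it is the obvious place to look for a staged copy of the payload before the per-child writes, but the report gives no content for it.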
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-07 22:44
Reported
2024-08-07 22:46
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
147s
Signatures
Cobalt Strike reflective loader
Matches: 21 (no description, indicator, process or target recorded)
Cobaltstrike
xmrig
XMRig Miner payload
Matches: 45 (no description, indicator, process or target recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\PywkeKF.exe | N/A |
| N/A | N/A | C:\Windows\System\qQJElLd.exe | N/A |
| N/A | N/A | C:\Windows\System\mHfKjkC.exe | N/A |
| N/A | N/A | C:\Windows\System\mtUtkAv.exe | N/A |
| N/A | N/A | C:\Windows\System\wHpNzGK.exe | N/A |
| N/A | N/A | C:\Windows\System\bQXaJAE.exe | N/A |
| N/A | N/A | C:\Windows\System\NGGpmso.exe | N/A |
| N/A | N/A | C:\Windows\System\uNXvmhV.exe | N/A |
| N/A | N/A | C:\Windows\System\JexgdGT.exe | N/A |
| N/A | N/A | C:\Windows\System\BBqROin.exe | N/A |
| N/A | N/A | C:\Windows\System\CvyTDZw.exe | N/A |
| N/A | N/A | C:\Windows\System\FEyFqpO.exe | N/A |
| N/A | N/A | C:\Windows\System\VqldaTQ.exe | N/A |
| N/A | N/A | C:\Windows\System\NkjbIxm.exe | N/A |
| N/A | N/A | C:\Windows\System\TAmSMpo.exe | N/A |
| N/A | N/A | C:\Windows\System\TVfibMi.exe | N/A |
| N/A | N/A | C:\Windows\System\rpBhAZo.exe | N/A |
| N/A | N/A | C:\Windows\System\csDXYsA.exe | N/A |
| N/A | N/A | C:\Windows\System\vovrmFi.exe | N/A |
| N/A | N/A | C:\Windows\System\DKbgiPv.exe | N/A |
| N/A | N/A | C:\Windows\System\PTkylCb.exe | N/A |
UPX packed file
Matches: 64 (no description, indicator, process or target recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_b00c27e66bc18dc83015ee120e75f4d5_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\PywkeKF.exe
C:\Windows\System\PywkeKF.exe
C:\Windows\System\qQJElLd.exe
C:\Windows\System\qQJElLd.exe
C:\Windows\System\mHfKjkC.exe
C:\Windows\System\mHfKjkC.exe
C:\Windows\System\mtUtkAv.exe
C:\Windows\System\mtUtkAv.exe
C:\Windows\System\wHpNzGK.exe
C:\Windows\System\wHpNzGK.exe
C:\Windows\System\bQXaJAE.exe
C:\Windows\System\bQXaJAE.exe
C:\Windows\System\NGGpmso.exe
C:\Windows\System\NGGpmso.exe
C:\Windows\System\uNXvmhV.exe
C:\Windows\System\uNXvmhV.exe
C:\Windows\System\JexgdGT.exe
C:\Windows\System\JexgdGT.exe
C:\Windows\System\BBqROin.exe
C:\Windows\System\BBqROin.exe
C:\Windows\System\CvyTDZw.exe
C:\Windows\System\CvyTDZw.exe
C:\Windows\System\FEyFqpO.exe
C:\Windows\System\FEyFqpO.exe
C:\Windows\System\VqldaTQ.exe
C:\Windows\System\VqldaTQ.exe
C:\Windows\System\NkjbIxm.exe
C:\Windows\System\NkjbIxm.exe
C:\Windows\System\TAmSMpo.exe
C:\Windows\System\TAmSMpo.exe
C:\Windows\System\rpBhAZo.exe
C:\Windows\System\rpBhAZo.exe
C:\Windows\System\TVfibMi.exe
C:\Windows\System\TVfibMi.exe
C:\Windows\System\csDXYsA.exe
C:\Windows\System\csDXYsA.exe
C:\Windows\System\vovrmFi.exe
C:\Windows\System\vovrmFi.exe
C:\Windows\System\DKbgiPv.exe
C:\Windows\System\DKbgiPv.exe
C:\Windows\System\PTkylCb.exe
C:\Windows\System\PTkylCb.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 45.19.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2772-0-0x00007FF78FE50000-0x00007FF7901A1000-memory.dmp
memory/2772-1-0x0000022272510000-0x0000022272520000-memory.dmp
C:\Windows\System\PywkeKF.exe
| MD5 | 6b72b504f71c15d354c845d6f2122e0c |
| SHA1 | eedf720714cb39dfddd2a49da0e0786059f035db |
| SHA256 | ba939f3ec5bb59423de7b232035e58de58816205031a0872e0c732440d2a02db |
| SHA512 | 6eb676695c887ad2056c23c53a5a9a48605b3b5c2b8d3730615010f16f47c2b5e23a5e8f69efac3b238f17e43e8993b585d38c877e8367d8913c9cfce95f590b |
C:\Windows\System\mHfKjkC.exe
| MD5 | 1b06510e3ae1cdaeae3b6f88f7cb998d |
| SHA1 | 7a505681b569a5ab997eab41eb6956f28f87cf25 |
| SHA256 | dc676628c15ed520f8824824a33ef8eec5c14d6f040cc0f544de05b6ebcacaf4 |
| SHA512 | 9915870f623ae7b94d1e4f6896258330babd395f26bb653ef52cd2f3a3ab941a5335a86cc11f1c0d9ea8c34953ea323988246576cb3982591fd2513f3c7264ca |
memory/3608-13-0x00007FF6A4CA0000-0x00007FF6A4FF1000-memory.dmp
C:\Windows\System\qQJElLd.exe
| MD5 | 8034cf26d5f7e15d35db81d88f2e766a |
| SHA1 | bf6391f7f42d42659f0ceb41b4cdf89bdc2605cc |
| SHA256 | befe586438cf0571b77ae94d900c430ef07559a409dd20dd8baa324e052a50ea |
| SHA512 | 892e7bcac5177a7688e08d8524f0eb3928796fe5bc1e3e0f60da35756d3cd7587c5c118bae0007672cd12ef83b038f5fade7f758d22661b2bbb943472ad82c8f |
C:\Windows\System\mtUtkAv.exe
| MD5 | d7d903027a756803a493254535c5ad80 |
| SHA1 | 2efbae273c25dc730d2f23e068b93e2096654b62 |
| SHA256 | 272adadd94245af8243f2533853fb0b2b5f0cd0934ce023d3bdccbaad31c8897 |
| SHA512 | 8ea444aee488bd2ec8092abeb233ed018c8e4cc01da4bba0c12fa54888f0ed98f2fbc65243899316c3bc1c16e525071b469cff2385b0a4ba72fe6a352a91fa28 |
C:\Windows\System\bQXaJAE.exe
| MD5 | 1cefa2f1b8d2f271cd0e3eaa361bf1b3 |
| SHA1 | b99811310dba9f90bbf9ee81efc9f5e4be7c08aa |
| SHA256 | f5c140e25540e60fd8383b89552378387f2b3004ef5eefb8e358c016bd479b30 |
| SHA512 | 5547fd42d11169fc49007ff37ba8650a5fe1a373c1894865af74b8b4e5688bd4295d5722f5e9a90e08f1cc5b7d30cc508c0791bef935984249f63208596647a3 |
C:\Windows\System\NGGpmso.exe
| MD5 | 7346ced0479497a7a107b52cb6845f7b |
| SHA1 | 57f14df2387ae66602c99f2ea573c05823c8a1ec |
| SHA256 | be8f3ed90e0029164d324e7b4d5ea4b9a06d1783585224232210010b89273ac0 |
| SHA512 | 8fd82575c7bcfaf0d8c71c04ed15966da79e5f37fa45e418bd2c00eb6f37214b73f64bf390d7ec2d0ffb5e37c156227017ee3c57fe11eb208f76a0df4a72f017 |
C:\Windows\System\uNXvmhV.exe
| MD5 | de25170e1fddcb630273f6256bc5fba6 |
| SHA1 | 63b43aaec1160decb1ff59545e9f97d63cf9fb59 |
| SHA256 | 55a8389912715e1de1c021589dd6dfb80c798cf1f0010b3e8b1b234ed5f74ba8 |
| SHA512 | cd557cf52986bca82632d4f54aacceeafe56e3a952f6794abc56ba539ad840e70a86d26253a30aee8d65c987fbee878ddde850474f0d640815b1bbe3ddfd0275 |
C:\Windows\System\wHpNzGK.exe
| MD5 | fb2eb9cb20fe008544dc43b582caa1ae |
| SHA1 | d450d6a4c2092a1b222563e862f506d82ba64150 |
| SHA256 | 8182f0158b1dad29645e701a890304ff9f547394d6ec6eeb62c903fb73365cb2 |
| SHA512 | 82a931ccc4f5be8aec1a14b9cb9a25bf4df46245211797e117ae3e52832d1d89f876c4a949c0b6e4d4c731fef783645d7160e8acc8f0c53c497a9cee86cf3ed8 |
memory/2760-49-0x00007FF736790000-0x00007FF736AE1000-memory.dmp
C:\Windows\System\JexgdGT.exe
| MD5 | 65d1aa973c0da8e492c1ee7db226005a |
| SHA1 | 189e1e4f8be59f4f4773226235c9f4f957d58c8a |
| SHA256 | 10a7e9c94cb23896212acfb04e4a5c009650db74366a1d543519b722ef3b5a42 |
| SHA512 | ce5c0f4644e3684fd433827e38146dcfebe33d08c311a1c04d8235a7fc50d8885c17e59665bddaea1ced15365a50cc4efdeae470d1116df178efe772efb3ecb1 |
memory/5096-28-0x00007FF726370000-0x00007FF7266C1000-memory.dmp
memory/4844-16-0x00007FF7D9400000-0x00007FF7D9751000-memory.dmp
memory/2568-11-0x00007FF7921B0000-0x00007FF792501000-memory.dmp
memory/1472-60-0x00007FF6908F0000-0x00007FF690C41000-memory.dmp
C:\Windows\System\CvyTDZw.exe
| MD5 | ee07c5d0cc50153572b5d61e6696f527 |
| SHA1 | a4d03879ab002bd5c18f974354ff23c7fb004172 |
| SHA256 | 0cd42ccf224ba49cda56cf74b9b2afc12c12417c569a62f2a405029f9437e226 |
| SHA512 | b9b99bdd174c5545f35184cf386a8ea5700ef2c384b220c7e53f4c7917a8510f6d79c222759da0470dc17d4f24e69e5fabf936f7880d2a3e1a95ab8f2d4216cd |
C:\Windows\System\BBqROin.exe
| MD5 | 3448327b47470edc9c7d6017dffc27f1 |
| SHA1 | 86fc91ce26c95574654204fb3555d3399a7e4358 |
| SHA256 | e5c7b39ae7657058bf148af36cbee960c3a13552426e7ccbdcd504e32d0f5fd6 |
| SHA512 | af60c8348cec628caf7f4b65632e449658a5beb1a3bfc118df2ffa35964d825552835a16912544826881b7eb1299d3f520b8266d80c3641ec9840ef4d82fb35d |
memory/640-71-0x00007FF63AF60000-0x00007FF63B2B1000-memory.dmp
C:\Windows\System\TAmSMpo.exe
| MD5 | 0686d0bbe59af3e28e81c44c3de80ccc |
| SHA1 | 666530a047d4ab89e1b110feeab08eab754ac7f1 |
| SHA256 | f75d1ad6f974d8287fbeee4d6d7d5a50b4970aaccc300e191639c167c61e27e1 |
| SHA512 | ea98cf313e03db1ee4230d85a721b28d2c6696aad17c03f53e0015631baff0b9d193839d9a2226e390123caaddf229bd26b170db3db1576b38fb56a0fc47492f |
C:\Windows\System\NkjbIxm.exe
| MD5 | 7338d41d663562f7909195352a98e475 |
| SHA1 | 477e7649f831f3cec6854908e27662df85bc84f2 |
| SHA256 | 291d7fb4f1f95541bc5540ed5182933bcdd2e4b391da07d47f874b7ed0766dd1 |
| SHA512 | 5b921b5abf23f784ab32b4a9f1c165c97c23c26f46f5986a9aec958d2c97bcd33538fa36c486b86f9631c4c564558574bfb1fefd0f2ef18892c8e026878ce17e |
C:\Windows\System\TVfibMi.exe
| MD5 | 57f2ad5d71a5a3de4a2b07e8bc50cd18 |
| SHA1 | 2caf349350c57167b66b8355271ab74438ce16e0 |
| SHA256 | 51cfb8d8283c909aedbab2627195d4f438819c2abf4af0aca415f61eca2eaa36 |
| SHA512 | 2f32d3aa85a4f4e3a7d8d619e625f64df975ebcd0a229bbafdd9d2c70432666943803388c73c8f465f1509c0822adbf51cae107533d4da1783f78d49af5fcba1 |
memory/4400-104-0x00007FF684170000-0x00007FF6844C1000-memory.dmp
memory/4552-106-0x00007FF79D5F0000-0x00007FF79D941000-memory.dmp
memory/1584-108-0x00007FF711FA0000-0x00007FF7122F1000-memory.dmp
memory/4148-110-0x00007FF791520000-0x00007FF791871000-memory.dmp
memory/4016-112-0x00007FF793740000-0x00007FF793A91000-memory.dmp
C:\Windows\System\csDXYsA.exe
| MD5 | 52e83168137301672caf0e73a5829c0e |
| SHA1 | e3f6a5dd04c4b5b8d8a871fe08273fc683f738b2 |
| SHA256 | 2b58128fc553499f80a8c42068de13780f19f251fce59b49b3b43ea7b84e21e4 |
| SHA512 | b3c6fe6c978714c8e1e90369852056702c681b9d1c3b31608ed7f3698217eefb0e7327763b71960cc74b54736f8bcbd4f40ac19473d4e196a96730f1564ce7e2 |
C:\Windows\System\PTkylCb.exe
| MD5 | e148aa85ac3ec35d0c543d5010f2b170 |
| SHA1 | 73dd8927b62c954122db9d6cfa9a1258e1a9743f |
| SHA256 | 7537dc7be1bb124e24fa0f2eb95532e9a81b9cd054aec5cf67b0e61d676f620a |
| SHA512 | 72bc93cbae37b7364a93ccea107d5014e6efd8de319d7c96454b81e3b84ecac500c9afa024643a4d759fe2ae73c0b21a60a8b5a076560e684974f7462512d75e |
memory/2780-125-0x00007FF72AFF0000-0x00007FF72B341000-memory.dmp
C:\Windows\System\rpBhAZo.exe
| MD5 | 325284a047f63f563f9348c52917c115 |
| SHA1 | 7ad0b4d0d03a380bfba3e9b9c5d94dcfde31b4f3 |
| SHA256 | 6212b8b895abf7bbc5897ce3252dd9892ccd96bcd964d94f17dce6b5caae4eb4 |
| SHA512 | c5a5ef92faa33c3c63757d29f1f56ced87234fa17ba7abf3c023da5a4bf116dfd180c01ecba531ca4db206e658dce0664284190dcd4bbff7f4255e04d58fd4a2 |
C:\Windows\System\DKbgiPv.exe
| MD5 | 45605b672574c3be59ecc00d3f92cd78 |
| SHA1 | f1ce093603798c59830adede009ca05d5c9eef0c |
| SHA256 | b40b1547af3d8d76b4892008ef2281f21c589497a3468c29a9ddd48cfab9f666 |
| SHA512 | bb50b5d2922c703db25cad11777d7406d0188a11ba353e1c24369aba4edb08c4e7eb9d6022427f0454acf17a9d0d9df8e7c3eedd0a30234d4ff88bdb44fe8335 |
C:\Windows\System\vovrmFi.exe
| MD5 | 0abfa0fd58fa989ff6b33d519007201a |
| SHA1 | 75c4165c2ea30871934d14f35656d62b152c672e |
| SHA256 | a8bc53c8079b83feaa7f47e9a2b40a86ed41e3eeb8b41aa2601f9360f5e65c79 |
| SHA512 | f8168fc439a6a74eea996e8a029e67f6c68f7f60af5a8e0196500c5b983daa3257b86246b0747feed0f94f8128195fbe51ab9128d0b12b10e0ccf4c51b5e19bb |
memory/4688-113-0x00007FF766090000-0x00007FF7663E1000-memory.dmp
memory/2380-111-0x00007FF7DBA40000-0x00007FF7DBD91000-memory.dmp
memory/3964-109-0x00007FF63F2C0000-0x00007FF63F611000-memory.dmp
memory/3584-107-0x00007FF705260000-0x00007FF7055B1000-memory.dmp
memory/4044-105-0x00007FF6BFC30000-0x00007FF6BFF81000-memory.dmp
memory/4540-103-0x00007FF73ACD0000-0x00007FF73B021000-memory.dmp
memory/1620-92-0x00007FF73D4F0000-0x00007FF73D841000-memory.dmp
C:\Windows\System\VqldaTQ.exe
| MD5 | 46aaf48d5d11e26e440ed786c311f5cf |
| SHA1 | c305b65b0d26b99f39ae44e37b9b83843338c5c2 |
| SHA256 | 3d3423cf7b8e162b5bda2386d6970018d7e1e3ebfdf1d5fe636cec2e09e1dbc0 |
| SHA512 | 3c1aa73851389796e19891943845e5741a4d3c7a3cbd5623f14f5ddb232fb4e213e42b48ee8c3744ec1e1b1bc27eac866a8c43c1ade9cf9eb2bf7857050b4ae2 |
C:\Windows\System\FEyFqpO.exe
| MD5 | 0f5a6d3c51427c2b7b70e6600fc3d9b9 |
| SHA1 | 32115465d41503cba40809d707df5baf4fb00b2e |
| SHA256 | ac281f23007115181d5054a36bef2efd0bc72e56ae85a3de12d0febf7ec1ee5d |
| SHA512 | b7b1d0f0b0def9c6cb4a2b0a69a76d0bdbd13528a89386040a7926320cc2800fa8143cb74a09042839cff4601b3456847f1e91351e76ef9083829a2831c4945f |
memory/4308-68-0x00007FF62C8A0000-0x00007FF62CBF1000-memory.dmp
memory/3608-130-0x00007FF6A4CA0000-0x00007FF6A4FF1000-memory.dmp
memory/2760-133-0x00007FF736790000-0x00007FF736AE1000-memory.dmp
memory/4688-144-0x00007FF766090000-0x00007FF7663E1000-memory.dmp
memory/4844-131-0x00007FF7D9400000-0x00007FF7D9751000-memory.dmp
memory/2772-128-0x00007FF78FE50000-0x00007FF7901A1000-memory.dmp
memory/3584-148-0x00007FF705260000-0x00007FF7055B1000-memory.dmp
memory/4552-147-0x00007FF79D5F0000-0x00007FF79D941000-memory.dmp
memory/2780-149-0x00007FF72AFF0000-0x00007FF72B341000-memory.dmp
memory/4044-146-0x00007FF6BFC30000-0x00007FF6BFF81000-memory.dmp
memory/4016-145-0x00007FF793740000-0x00007FF793A91000-memory.dmp
memory/2772-150-0x00007FF78FE50000-0x00007FF7901A1000-memory.dmp
memory/2772-151-0x00007FF78FE50000-0x00007FF7901A1000-memory.dmp
memory/2568-196-0x00007FF7921B0000-0x00007FF792501000-memory.dmp
memory/3608-198-0x00007FF6A4CA0000-0x00007FF6A4FF1000-memory.dmp
memory/4844-200-0x00007FF7D9400000-0x00007FF7D9751000-memory.dmp
memory/5096-202-0x00007FF726370000-0x00007FF7266C1000-memory.dmp
memory/1472-204-0x00007FF6908F0000-0x00007FF690C41000-memory.dmp
memory/4308-206-0x00007FF62C8A0000-0x00007FF62CBF1000-memory.dmp
memory/640-208-0x00007FF63AF60000-0x00007FF63B2B1000-memory.dmp
memory/1584-210-0x00007FF711FA0000-0x00007FF7122F1000-memory.dmp
memory/2760-212-0x00007FF736790000-0x00007FF736AE1000-memory.dmp
memory/1620-214-0x00007FF73D4F0000-0x00007FF73D841000-memory.dmp
memory/4540-228-0x00007FF73ACD0000-0x00007FF73B021000-memory.dmp
memory/3964-230-0x00007FF63F2C0000-0x00007FF63F611000-memory.dmp
memory/2380-234-0x00007FF7DBA40000-0x00007FF7DBD91000-memory.dmp
memory/4400-236-0x00007FF684170000-0x00007FF6844C1000-memory.dmp
memory/4148-232-0x00007FF791520000-0x00007FF791871000-memory.dmp
memory/4016-238-0x00007FF793740000-0x00007FF793A91000-memory.dmp
memory/4688-243-0x00007FF766090000-0x00007FF7663E1000-memory.dmp
memory/4552-246-0x00007FF79D5F0000-0x00007FF79D941000-memory.dmp
memory/2780-248-0x00007FF72AFF0000-0x00007FF72B341000-memory.dmp
memory/3584-245-0x00007FF705260000-0x00007FF7055B1000-memory.dmp
memory/4044-240-0x00007FF6BFC30000-0x00007FF6BFF81000-memory.dmp