Analysis Overview
SHA256
f0c2c5a291a0eef2b7c9ba64bc7709db43bff9d84eef5fc3fc7c5bfbc54ca5b3
Threat Level: Known bad
The file 2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Cobalt Strike reflective loader
Cobaltstrike
Xmrig family
Cobaltstrike family
xmrig
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-08-06 16:42
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-06 16:42
Reported
2024-08-06 16:45
Platform
win10v2004-20240802-en
Max time kernel
142s
Max time network
150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\mqKJzvy.exe | N/A |
| N/A | N/A | C:\Windows\System\gVLDaho.exe | N/A |
| N/A | N/A | C:\Windows\System\vUGlsrn.exe | N/A |
| N/A | N/A | C:\Windows\System\xiHiUZo.exe | N/A |
| N/A | N/A | C:\Windows\System\apOudxx.exe | N/A |
| N/A | N/A | C:\Windows\System\Umusmmr.exe | N/A |
| N/A | N/A | C:\Windows\System\JiMdntY.exe | N/A |
| N/A | N/A | C:\Windows\System\YIwWVsG.exe | N/A |
| N/A | N/A | C:\Windows\System\ZVrlzHT.exe | N/A |
| N/A | N/A | C:\Windows\System\ppGOuvb.exe | N/A |
| N/A | N/A | C:\Windows\System\xDxOKPQ.exe | N/A |
| N/A | N/A | C:\Windows\System\MJiNklc.exe | N/A |
| N/A | N/A | C:\Windows\System\BQYMXSE.exe | N/A |
| N/A | N/A | C:\Windows\System\NAFOCYy.exe | N/A |
| N/A | N/A | C:\Windows\System\BkODxJD.exe | N/A |
| N/A | N/A | C:\Windows\System\FmjStOZ.exe | N/A |
| N/A | N/A | C:\Windows\System\SEvcmBa.exe | N/A |
| N/A | N/A | C:\Windows\System\uAKdPah.exe | N/A |
| N/A | N/A | C:\Windows\System\UyjYjxL.exe | N/A |
| N/A | N/A | C:\Windows\System\TTgJglE.exe | N/A |
| N/A | N/A | C:\Windows\System\HxPwZmd.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\mqKJzvy.exe
C:\Windows\System\gVLDaho.exe
C:\Windows\System\vUGlsrn.exe
C:\Windows\System\xiHiUZo.exe
C:\Windows\System\apOudxx.exe
C:\Windows\System\Umusmmr.exe
C:\Windows\System\JiMdntY.exe
C:\Windows\System\YIwWVsG.exe
C:\Windows\System\ZVrlzHT.exe
C:\Windows\System\ppGOuvb.exe
C:\Windows\System\xDxOKPQ.exe
C:\Windows\System\MJiNklc.exe
C:\Windows\System\BQYMXSE.exe
C:\Windows\System\NAFOCYy.exe
C:\Windows\System\BkODxJD.exe
C:\Windows\System\FmjStOZ.exe
C:\Windows\System\SEvcmBa.exe
C:\Windows\System\uAKdPah.exe
C:\Windows\System\UyjYjxL.exe
C:\Windows\System\TTgJglE.exe
C:\Windows\System\HxPwZmd.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 16:42
Reported
2024-08-06 16:45
Platform
win7-20240708-en
Max time kernel
140s
Max time network
150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\mqKJzvy.exe | N/A |
| N/A | N/A | C:\Windows\System\gVLDaho.exe | N/A |
| N/A | N/A | C:\Windows\System\vUGlsrn.exe | N/A |
| N/A | N/A | C:\Windows\System\xiHiUZo.exe | N/A |
| N/A | N/A | C:\Windows\System\apOudxx.exe | N/A |
| N/A | N/A | C:\Windows\System\Umusmmr.exe | N/A |
| N/A | N/A | C:\Windows\System\JiMdntY.exe | N/A |
| N/A | N/A | C:\Windows\System\YIwWVsG.exe | N/A |
| N/A | N/A | C:\Windows\System\ZVrlzHT.exe | N/A |
| N/A | N/A | C:\Windows\System\ppGOuvb.exe | N/A |
| N/A | N/A | C:\Windows\System\xDxOKPQ.exe | N/A |
| N/A | N/A | C:\Windows\System\MJiNklc.exe | N/A |
| N/A | N/A | C:\Windows\System\BQYMXSE.exe | N/A |
| N/A | N/A | C:\Windows\System\NAFOCYy.exe | N/A |
| N/A | N/A | C:\Windows\System\BkODxJD.exe | N/A |
| N/A | N/A | C:\Windows\System\FmjStOZ.exe | N/A |
| N/A | N/A | C:\Windows\System\SEvcmBa.exe | N/A |
| N/A | N/A | C:\Windows\System\uAKdPah.exe | N/A |
| N/A | N/A | C:\Windows\System\UyjYjxL.exe | N/A |
| N/A | N/A | C:\Windows\System\TTgJglE.exe | N/A |
| N/A | N/A | C:\Windows\System\HxPwZmd.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-06_049cb65f111d79f0813d414b313b5675_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\mqKJzvy.exe
C:\Windows\System\gVLDaho.exe
C:\Windows\System\vUGlsrn.exe
C:\Windows\System\xiHiUZo.exe
C:\Windows\System\apOudxx.exe
C:\Windows\System\Umusmmr.exe
C:\Windows\System\JiMdntY.exe
C:\Windows\System\YIwWVsG.exe
C:\Windows\System\ZVrlzHT.exe
C:\Windows\System\ppGOuvb.exe
C:\Windows\System\xDxOKPQ.exe
C:\Windows\System\MJiNklc.exe
C:\Windows\System\BQYMXSE.exe
C:\Windows\System\NAFOCYy.exe
C:\Windows\System\BkODxJD.exe
C:\Windows\System\FmjStOZ.exe
C:\Windows\System\SEvcmBa.exe
C:\Windows\System\uAKdPah.exe
C:\Windows\System\UyjYjxL.exe
C:\Windows\System\TTgJglE.exe
C:\Windows\System\HxPwZmd.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2000-0-0x000000013F430000-0x000000013F784000-memory.dmp
memory/2000-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\mqKJzvy.exe
| MD5 | 7f17b6a891961e9369fdd4a78f8d74de |
| SHA1 | 426646bf0aff96445e8f6583fa8f90b2539a3536 |
| SHA256 | 7762b5b9a3ef1dd08a2a90460ad635ee4a3a13f0af07e54a4333387b34086303 |
| SHA512 | ecfa5d5cac9e5b43339f6aa6a36c45939f6b8a66eeb7d3a320b499215b60f41c43c2098a689d0c21e8ab484a791bf434afb3dfa302b68bb5d14e26854515a73e |
C:\Windows\system\gVLDaho.exe
| MD5 | 7756ccdab60a4530372d4b7946425ed0 |
| SHA1 | 06163d8df161c4cf681ecdf8369fa4cc4d5f3185 |
| SHA256 | a8a98f77ac8b1730a4475bd941fc034693ee2ee9adab53677643cb7535956753 |
| SHA512 | 4ebb0bf682ef20d33605fc4d9d83399f18e1d4323d10ac23509e05da4d9042ad5acd3ae36905a6a9bea55091e946c62a4cba8c66029dc6ecc1e586a8ca224dc9 |
C:\Windows\system\vUGlsrn.exe
| MD5 | 89db5c441d948ace3ee2ca6c6803f177 |
| SHA1 | 0c803250d6ece90267e68fd682074a3a9390bfa5 |
| SHA256 | 21d5568751ea0a77f6da9c2ab8c91c5c793dddfee5b0fc8357ca7e0d2d5f2ccf |
| SHA512 | 567534fe37e340119e2727ff4a10c53e09fd3c12ded11464e4bd69432a54665e0a4d6676f8d94152d5ab7eafb5db3d0a60975174d4e47bbd2f84791a6b05d8c5 |
\Windows\system\xiHiUZo.exe
| MD5 | 87b48a38039548be22da200457663a3b |
| SHA1 | 998b73a3f4b6da419085720ce29cf6f992bcb341 |
| SHA256 | 20109d09661221f3d66a484bf8be0575310295893b2bbff1d8f82597f7b36bef |
| SHA512 | da64a17d23caa11ac0df7054d077db8a5706a6221db0834f123fc1ca3fd90a80931c86815e01aa15c56cade62960a1aaffe16aa937c66e9343bc23faf5158d7a |
C:\Windows\system\apOudxx.exe
| MD5 | 391299884784b540eb7c6581a3d1e544 |
| SHA1 | 4f9a958344584c2763bc2d1d1111c76282a7cd4b |
| SHA256 | a09704477041e556184cce1c482cfefd1562d1d0abc5994d9edf3ce7e643145e |
| SHA512 | 26df3914048822b7a6967092518d4e50669e947e477a327a90971151a50cc194cd731d688f7de0792eca58efba64cdc01fcf8837b5e4c090616bdbdd2c9532dd |
C:\Windows\system\JiMdntY.exe
| MD5 | 96e3e606f11c98e7bda853171f721e9b |
| SHA1 | 30a2923ab12f347c0ad3a0a708b191258180ad5b |
| SHA256 | 8d234b7df7d5712875bc3c1f171c7f26a272545732efebd47eed27c61d02a15f |
| SHA512 | aae3b2454c8ccf042a4a7e1b48c7b06e395843795a78b1812583c085a1cd4651bb8fbc33b5734e6803a78acfa5a3f06c4ecc8541dc7b6be990bb8bcdfcb10082 |
C:\Windows\system\YIwWVsG.exe
| MD5 | 2af3168450d031883db494eab577eae7 |
| SHA1 | 828ff4f810a94d28ba459529d1816ef5d49409b6 |
| SHA256 | da7e71ee1361c9ce2ef525c99e2a88c59ed3641606a532d283349a988d498aab |
| SHA512 | 68c41d5c9ed66d6b513a51b7bb23c6cf0761668269fd82b99167124eb2a7098cb49d22b4e799c7c63cc32262debb9597f5f8d904107be3a1829c5ac4cb29d510 |
C:\Windows\system\ZVrlzHT.exe
| MD5 | 9290b2cea8d5b0c95f6d8ef8d1b2e0f4 |
| SHA1 | 8ab364c82de46cba77039be4fc90649b0805b842 |
| SHA256 | 0c87b2ce759ff83eb91858df6146f9fb596a1bacdd450e760cf3b1c6c762d4a9 |
| SHA512 | 10bf8057601293dd4429776ea032d1574a06db95e187f98ae8db07c96bdc66b36276c43839212ff2c97645e5df4954d376b26d586a4dea27ab13b0f428618d5c |
C:\Windows\system\ppGOuvb.exe
| MD5 | 63c4bcf99e88796d5bacb536f98582fb |
| SHA1 | e322e076da4eaf25ae703ef3c46afe086c8e44e6 |
| SHA256 | e8fc68d728743e4586660dd4935e37bf03c3363d01826cdab6264c95f9dc4fa4 |
| SHA512 | 69d40871b604399d35f6bc37627e290473f57b1f14b9dcf4386432931513c2d09585451a5d765828a00493c1e38c08d72f67b3e7129629f5e9fa8f9c1fe14ca6 |
C:\Windows\system\xDxOKPQ.exe
| MD5 | ca4871dad3230711090338ab051d4a99 |
| SHA1 | ad38395f35aee3de2453fec055a30e792a2095c7 |
| SHA256 | 18c98a97b08472039c7081823c434787074bd0b33e6680f3e21633a1a2480d42 |
| SHA512 | 0a465da2e74d5781f5be10f584dfdfb7f2d51ddd300b0da7d8f9990c5eadbafc175f409721ed9bb390e547d4203d697bf0b5d25aee45f8f264ad3602188dd50c |
C:\Windows\system\TTgJglE.exe
| MD5 | f930ba27f75af7e050273a980b822a7a |
| SHA1 | 487fd37faf28884350b894d890e5832637f8cc82 |
| SHA256 | 4fb47d372c40d439703f08f5c0809f64ec9b240bf40735473e62cb22d7eef7cc |
| SHA512 | 563937e2204f944399ca2132dc3ad6d9be8de35dff66bcc34ee57caed047b6f1af00ccb441926dd4d50f3a23429d9d00facfdaa687499481af5ab5c0f5f08c65 |
C:\Windows\system\HxPwZmd.exe
| MD5 | 107acf16443e5fa2bbb8ad2d4ed6ac11 |
| SHA1 | 3468474fdfc7e9cdc39e22176cbb2e493338f7de |
| SHA256 | 2e766fe21ff3743ebec57c24e42377c811724b3639b725888b6c3e2b7c17f70d |
| SHA512 | e3ebe7c20b58c611c74c60d41b41623a545994c4093e270fe77fcdee96868e0c7842be8e02fbe025b7215b02403f5074dc7cb83ddc4e36572d1e93a4e6a49dd0 |
C:\Windows\system\UyjYjxL.exe
| MD5 | ae1ee25bc9b182c1b5cfd8f0ccb50d51 |
| SHA1 | 0ca269c7ee7ae4e208fb4a28eec525de6dc8738d |
| SHA256 | 16aded408dd3b0e2f04ac95c6b3ac23d03b8e162da3ee64a301c16c3b3fab0b4 |
| SHA512 | 4f42b6389de1da15a5c560719431c06f8c1c78c4e9238e510673c8776c0eaaa1564e50dc7678f5cee2107125926ce8da1e5588efe0ee5fd3db3067de16a074ec |