Analysis Overview
SHA256
f6ead074c05299d334deca323435b92987862f1efef747ab2011a9277ccf3545
Threat Level: Known bad
The file 2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
XMRig Miner payload
Cobalt Strike reflective loader
Cobaltstrike family
xmrig
Xmrig family
XMRig Miner payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-08-07 20:43
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-07 20:43
Reported
2024-08-07 20:46
Platform
win7-20240705-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ZzPSRcg.exe | N/A |
| N/A | N/A | C:\Windows\System\SBvxVzx.exe | N/A |
| N/A | N/A | C:\Windows\System\MavSWKs.exe | N/A |
| N/A | N/A | C:\Windows\System\CxnqFUB.exe | N/A |
| N/A | N/A | C:\Windows\System\GRmvVFW.exe | N/A |
| N/A | N/A | C:\Windows\System\ZaucKlA.exe | N/A |
| N/A | N/A | C:\Windows\System\qwZzDJI.exe | N/A |
| N/A | N/A | C:\Windows\System\gWRLvBM.exe | N/A |
| N/A | N/A | C:\Windows\System\cPxjvPy.exe | N/A |
| N/A | N/A | C:\Windows\System\ZZvxHgC.exe | N/A |
| N/A | N/A | C:\Windows\System\POfRPmH.exe | N/A |
| N/A | N/A | C:\Windows\System\qZaMLRC.exe | N/A |
| N/A | N/A | C:\Windows\System\NfRRmLS.exe | N/A |
| N/A | N/A | C:\Windows\System\zdlaUun.exe | N/A |
| N/A | N/A | C:\Windows\System\zOHapuq.exe | N/A |
| N/A | N/A | C:\Windows\System\iqPzFti.exe | N/A |
| N/A | N/A | C:\Windows\System\WliOoEU.exe | N/A |
| N/A | N/A | C:\Windows\System\MWuEwkR.exe | N/A |
| N/A | N/A | C:\Windows\System\jBtWjPs.exe | N/A |
| N/A | N/A | C:\Windows\System\okGEKLi.exe | N/A |
| N/A | N/A | C:\Windows\System\CXjTJmS.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\ZzPSRcg.exe
C:\Windows\System\ZzPSRcg.exe
C:\Windows\System\SBvxVzx.exe
C:\Windows\System\SBvxVzx.exe
C:\Windows\System\CxnqFUB.exe
C:\Windows\System\CxnqFUB.exe
C:\Windows\System\MavSWKs.exe
C:\Windows\System\MavSWKs.exe
C:\Windows\System\GRmvVFW.exe
C:\Windows\System\GRmvVFW.exe
C:\Windows\System\ZaucKlA.exe
C:\Windows\System\ZaucKlA.exe
C:\Windows\System\qwZzDJI.exe
C:\Windows\System\qwZzDJI.exe
C:\Windows\System\gWRLvBM.exe
C:\Windows\System\gWRLvBM.exe
C:\Windows\System\cPxjvPy.exe
C:\Windows\System\cPxjvPy.exe
C:\Windows\System\ZZvxHgC.exe
C:\Windows\System\ZZvxHgC.exe
C:\Windows\System\POfRPmH.exe
C:\Windows\System\POfRPmH.exe
C:\Windows\System\qZaMLRC.exe
C:\Windows\System\qZaMLRC.exe
C:\Windows\System\NfRRmLS.exe
C:\Windows\System\NfRRmLS.exe
C:\Windows\System\zOHapuq.exe
C:\Windows\System\zOHapuq.exe
C:\Windows\System\zdlaUun.exe
C:\Windows\System\zdlaUun.exe
C:\Windows\System\WliOoEU.exe
C:\Windows\System\WliOoEU.exe
C:\Windows\System\iqPzFti.exe
C:\Windows\System\iqPzFti.exe
C:\Windows\System\MWuEwkR.exe
C:\Windows\System\MWuEwkR.exe
C:\Windows\System\jBtWjPs.exe
C:\Windows\System\jBtWjPs.exe
C:\Windows\System\CXjTJmS.exe
C:\Windows\System\CXjTJmS.exe
C:\Windows\System\okGEKLi.exe
C:\Windows\System\okGEKLi.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2124-0-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/2124-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\ZzPSRcg.exe
| MD5 | 565f05945debf33abc80126e0e2cbd42 |
| SHA1 | 07146e6d88252aab96b0a50e1b2291ba0a5578f7 |
| SHA256 | 9ecad043ca27e533e411e944d0ad7e849227d154e66c9eea7cb8861848c7278f |
| SHA512 | 160bba0f07577d69ab3b1fe6239310fdfd1c2b6ce653b17d94c5495f3273fb58d5972466400b7d6bea5262dc2900b2d897513cf7b85d8b0634a74374b083ee92 |
\Windows\system\SBvxVzx.exe
| MD5 | d339586cf47263de70ac981286b78bcf |
| SHA1 | 8e78c2841d265606da957168b41e1e537dd539e6 |
| SHA256 | b0081e3b05b363bdefce81de371e7319e152f9482756eace8f6629a751394b51 |
| SHA512 | c7aa8756d022336abcb1629aa46ab32e9c5d2e5ea8d83fc515165317572d1f4d8ff383851571669136f82a42eda3ead18a10f46699b6357947dbace0dbe762fc |
memory/2124-20-0x00000000023D0000-0x0000000002724000-memory.dmp
memory/2124-17-0x000000013FEA0000-0x00000001401F4000-memory.dmp
\Windows\system\MavSWKs.exe
| MD5 | 4fdf8aaad2b8e872efbbec9c915eed0d |
| SHA1 | 73eaa5a67f72e84c7e60588245771d86c7063edd |
| SHA256 | f410d2bdb532a3ed333118e92add5fae0e8031dc338526051896e7861cb3795b |
| SHA512 | dd068f14afeafde6aebeae4741814231efd82a316205034f625e6da37686de9e0c152f5e855af1717111e07f5cc54cbe9232a7380f85ee5646063f4de68a3e29 |
\Windows\system\GRmvVFW.exe
| MD5 | 17a689f0b16ab658553e969cb0c0ae9c |
| SHA1 | 5b163fd229338ab6960513459e0d20f507b5caa1 |
| SHA256 | 425452af2b79391dcdbfdb9b76665ecb68101bb9a69c31836678a0def30a8737 |
| SHA512 | 0224e981f207011fbd7881df837a70c81bdd00f39cee404feb0ba4f95a580abc41e8cf48ac60645487fa689b4cba40e82b121ff17dcac935d8780ab51883bf55 |
\Windows\system\ZaucKlA.exe
| MD5 | 944f346559d13277befc4dc34efdf29f |
| SHA1 | 98519aea1a7b0c7b17a22f2581c988378e68e1b1 |
| SHA256 | 38470fef086830ae5faa5ef483cca3e4ae4cfc8c61cf7fb2c099f5390790565b |
| SHA512 | c1b06a59ee152bc2a2f101626b9b2a2621983485a9e9b9aaa0f680d9fbee49fa7ffe894cd90b1735d1c5d97595bca8844d9c336a8b7eee32d710d4657f0db294 |
memory/2980-34-0x000000013F9D0000-0x000000013FD24000-memory.dmp
memory/2640-40-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2124-39-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2208-30-0x000000013F120000-0x000000013F474000-memory.dmp
memory/2976-29-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2084-28-0x000000013FD30000-0x0000000140084000-memory.dmp
memory/2124-26-0x000000013F9D0000-0x000000013FD24000-memory.dmp
C:\Windows\system\CxnqFUB.exe
| MD5 | 1fe2ea021e732f64efe50f960b79ec7b |
| SHA1 | 92ffff05445ab732658736387bb978d658618337 |
| SHA256 | cb186c7ffd677c6946cb9264037f4931f0dc83e49bb3ca9c0d6fbc42d53ef094 |
| SHA512 | 02400bc7c170c97c7a1427672e7d4944d798dcc5629a6812b32bbf1bb360d9dfb9646b4d99e4f4ff183eb4b52f24eecb523fa34face7e546abf0a902b9d3bd28 |
memory/1576-13-0x000000013FBD0000-0x000000013FF24000-memory.dmp
C:\Windows\system\gWRLvBM.exe
| MD5 | 1f31b4338984cb3a3fd99cb979fe8b37 |
| SHA1 | f2d24060bfaa87e09195c1fd07ebf9939a36a438 |
| SHA256 | ec61a414fac26859afe62a93febcb4215e0f36ba0ba75faee5330b467e008464 |
| SHA512 | 5abb2fda26bc39a1a895903eba683d44ed980c54658068a52975427e974c49f443b34c59e78af8a5ba082bbba30b9aed205e7922651863f64e1f5c697e8b4f95 |
memory/2160-61-0x000000013FEC0000-0x0000000140214000-memory.dmp
C:\Windows\system\cPxjvPy.exe
| MD5 | a7fe8b816071c093c840d3e8acf02626 |
| SHA1 | 7682860f305d617aa6623b512ccb97bed1ec3ee8 |
| SHA256 | fd44920cafd3792ee98a87b1ba908fde26a1e5d2019c31d9015b2919ce0f46a8 |
| SHA512 | 820612064eefa9a828e3b248d5e5e1762aa02a285b8ce172929dd1fa974aba88f925cdd21edb6a00500443d15c5c6217af7ade3079eba9c2bb0441f9acb944b3 |
memory/2124-62-0x00000000023D0000-0x0000000002724000-memory.dmp
memory/2644-63-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2124-57-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/2760-52-0x000000013F040000-0x000000013F394000-memory.dmp
C:\Windows\system\ZZvxHgC.exe
| MD5 | 7164cd980c3fb8707e14150fac8d4f56 |
| SHA1 | 04cd4db8d25b075a988b961e94d01bddb5f9db8d |
| SHA256 | 239792bc3f29aac690e750dfd6d6de47c8bc9fa385753e435008a0677d00ac8a |
| SHA512 | 28bb9aeb1737d56e8c0293f30a3fbf5ee03c3626f57a10c95088d6ef1fc3fbbabae1ebb5c2a6d67f9d0225882e3c3a3fb680635901a1446211b92f2e97e64164 |
memory/2124-69-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/2124-48-0x000000013F040000-0x000000013F394000-memory.dmp
C:\Windows\system\POfRPmH.exe
| MD5 | 73b6d199861f613913af0ffcc13fd8ba |
| SHA1 | 9ccd41b439901e95a9df7ed207ccfd40b1df899a |
| SHA256 | 4ba541fa40b6745f5d56bd7563639aac8cad32c1628092ffddf68e4db402fca6 |
| SHA512 | 19a2a2a5c2bacf261c9ee9f8b722c9a1df580ea2e36345af064ea7ec8c481c2abbace0580611ba2a5db6ac0176f7ecd109a0386ca514cb8fff93e7dd89ec79fa |
C:\Windows\system\NfRRmLS.exe
| MD5 | 99996ea791ee926cb30f47f8f40304fb |
| SHA1 | 2e353f4f5c9c6e91724c5657dcd78ee6be5b3bac |
| SHA256 | 2982d15bdefa85b0190d3ef158b3230965f3c9e9af16a1df598f00ca0e5b4310 |
| SHA512 | fd97b1db74df270c270ff30028b331543611eb25ebd790b4aceb3a6b0a1d02bb8ee94d72b8d156d8ba0abd456c1942f7184b3e2e97bf64552c7db14b0ee6ff0d |
memory/2124-92-0x00000000023D0000-0x0000000002724000-memory.dmp
memory/2124-104-0x00000000023D0000-0x0000000002724000-memory.dmp
memory/2188-85-0x000000013F1B0000-0x000000013F504000-memory.dmp
C:\Windows\system\zOHapuq.exe
| MD5 | 3a2b52cc1fedef0ff4689b4187f18e40 |
| SHA1 | 2d01d5db9ac05803bccac2a60ee75c2b0be27534 |
| SHA256 | 8b22c150927a8987862e2eb53ffb1fc5311cc7adf6671f5cfea8be38245efcc8 |
| SHA512 | af6ec30d45597b177c69622e411202f72d23f169bb30182a009eef1958408dc7f775e2bdc78f7461d1c9fa308d52de4a2a2806aa2df95745587937aeb012995e |
\Windows\system\CXjTJmS.exe
| MD5 | 138e96df12b20b3546137d50afeebd8c |
| SHA1 | 679c73708bf4af7089dcb5e22c722fdb7e86b227 |
| SHA256 | 94cad01dc9ab07af258d591fdb1b1543704620fb0cc4fae1aba7ba10d88f1cb8 |
| SHA512 | 58d923b4f2fee21c1c51f4bb51b4ff324aad2d8c4b2dfc4771a271df4bb59a3bb1977423745d86ed6984d6710d9732f8bfeff39444a098c46e02b4900623ab54 |
C:\Windows\system\okGEKLi.exe
| MD5 | f7c67aa61a1eca01758afce1aa088a7e |
| SHA1 | 89eb9c81df6afbd63858e73bc0755d4f40ac6a64 |
| SHA256 | 68e3642f52b74e1b17d7786da4d7aa7d4c528c548b2841b93c2df3057fa3308f |
| SHA512 | fa5b38b1e4b6ef816d7699b9aeb13e8e8d9575e552c4b969d4b288bc3c149ce3f8672796ca393f06a0a433b7b1a69398b5d144bab92679b01e944951d6cc8792 |
C:\Windows\system\MWuEwkR.exe
| MD5 | fe74d98a260a45c6c7a9ed9cd528a83d |
| SHA1 | af58b131174ddbe39fc0d4a5226689e5ace88bc1 |
| SHA256 | 2851b205962f1fde2da47c0aa7d97da9502fcdde9795d7e6ae1b78ed99da1eeb |
| SHA512 | 730b48206f25c27304fbbf2edf238ba94d90b78a2eb62fadc9a3e41036cd4652ca2b745436e56f504ab142711423584e93343d78c59b68a93f6372330da9d6aa |
C:\Windows\system\jBtWjPs.exe
| MD5 | 5a01847bf0175084cd886354fe94e986 |
| SHA1 | 277b52dd74eac983de217ba6ff90356f7ee49789 |
| SHA256 | e018fbe87b3f439492f23854d03bfcc2896cccc2e8e5a4549af628b682378766 |
| SHA512 | d8ba853d97df9d3547e522b91372a294fe5ee9ceecdbfb933a0984715842722aa998c1380e8e704327204b589743d60a1296fd85f600d680fcd9f6f5369f9fc8 |
C:\Windows\system\WliOoEU.exe
| MD5 | 4099993801c402206690b85eb6c5bee5 |
| SHA1 | 0dfac6aa0f5ff0df497c7f21aea3b8d43ae1b5cf |
| SHA256 | d0e2a955c7cfc8fa5f9536f8fea08338552db0a5beab4eec2169ede8e67924cf |
| SHA512 | 728219553651af4851f8d7d68f8c0dd89ef51880d225f1224a81bcd4b129edddccb04da3890aa5f0c8e24c07a124842d620e6289e557ccaa30b9acf0b4b0413a |
memory/2124-97-0x000000013FCB0000-0x0000000140004000-memory.dmp
C:\Windows\system\iqPzFti.exe
| MD5 | 0438ae7cf080131d4b8c8e42cf9a102c |
| SHA1 | 27c1fcc2a9a6b3c5a06ebf515fffbd69e9fd741a |
| SHA256 | b854834865a9b4241f60b1ed96f2ab4e919bd01c613d6193814a6d9d78abf5a3 |
| SHA512 | 992fa6b34aa405937a62cbb4cdb9a53e6591cf92e5394b8c19c6a74d9e59236ba0024e03bafc31fcb3005237a4b65e6e60b630d8111f21bca65f29b5efdc11e6 |
memory/2124-84-0x00000000023D0000-0x0000000002724000-memory.dmp
memory/2300-105-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
memory/2640-137-0x000000013F840000-0x000000013FB94000-memory.dmp
C:\Windows\system\qZaMLRC.exe
| MD5 | 192089e3adcaaa6cd4886b20dca09f8a |
| SHA1 | 6709121b981f2b1b4216a8782a43cd7c5ddea1fe |
| SHA256 | 6434fc3129ad56134a7186a74d48787c27748c41b704f6205543b955d9fc411e |
| SHA512 | f1f6d32d7435619c231987d9029c0dac80f994874d6e021cb3cc425b53f9008014d7544652cbfd3ddd72139a43ac60976ca6557ffc905fb5bde099734276986a |
memory/2980-103-0x000000013F9D0000-0x000000013FD24000-memory.dmp
C:\Windows\system\zdlaUun.exe
| MD5 | 0027d873ab2f7d8afd194cbfa0feb5bd |
| SHA1 | ca739d2961a7ef5c8b9e7704d32d5e68f4d17614 |
| SHA256 | bbbfce947708db221a0f1b0ec6322117003fafb94614e04fa16962081f7b5a5d |
| SHA512 | ebb2f905bdce382c0e5dbfd88a9988c043e3b6958e9c97dfa97e913e2a02b32334286d4f6987165fa31eba17e47ced018ebef3bc3d61f616310c455822b3dec1 |
memory/1060-93-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2436-79-0x000000013FFE0000-0x0000000140334000-memory.dmp
memory/2124-78-0x000000013FFE0000-0x0000000140334000-memory.dmp
memory/2536-72-0x000000013F980000-0x000000013FCD4000-memory.dmp
memory/2124-71-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/1576-70-0x000000013FBD0000-0x000000013FF24000-memory.dmp
\Windows\system\qwZzDJI.exe
| MD5 | d939a1ea8cb4a1da88f882caf5c2c94f |
| SHA1 | ac047a6b8a36fae31ebc1dd09a4a7b44d6308e59 |
| SHA256 | a3e075ee0fbd3ccd9ef88518fe32b5e0f2c4e24e72ebf77254a040d3658e1520 |
| SHA512 | d98cfeca180b0c265e8f87e5794834ece642e1f16ac1af115eb6122d140e1d753bf889a7fe7b953406ed367826b760e13b44eef78d1d4fb5b953e4c83448c0bc |
memory/2160-139-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/2124-138-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/2124-140-0x000000013FFE0000-0x0000000140334000-memory.dmp
memory/2124-141-0x00000000023D0000-0x0000000002724000-memory.dmp
memory/2188-142-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2124-143-0x000000013FCB0000-0x0000000140004000-memory.dmp
memory/1576-144-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/2208-145-0x000000013F120000-0x000000013F474000-memory.dmp
memory/2084-147-0x000000013FD30000-0x0000000140084000-memory.dmp
memory/2976-146-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2980-148-0x000000013F9D0000-0x000000013FD24000-memory.dmp
memory/2640-149-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2760-150-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2160-151-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/2536-153-0x000000013F980000-0x000000013FCD4000-memory.dmp
memory/2644-152-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2436-154-0x000000013FFE0000-0x0000000140334000-memory.dmp
memory/2188-155-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/1060-156-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2300-157-0x000000013F5A0000-0x000000013F8F4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-07 20:43
Reported
2024-08-07 20:46
Platform
win10v2004-20240802-en
Max time kernel
140s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ZzPSRcg.exe | N/A |
| N/A | N/A | C:\Windows\System\SBvxVzx.exe | N/A |
| N/A | N/A | C:\Windows\System\CxnqFUB.exe | N/A |
| N/A | N/A | C:\Windows\System\MavSWKs.exe | N/A |
| N/A | N/A | C:\Windows\System\GRmvVFW.exe | N/A |
| N/A | N/A | C:\Windows\System\ZaucKlA.exe | N/A |
| N/A | N/A | C:\Windows\System\qwZzDJI.exe | N/A |
| N/A | N/A | C:\Windows\System\gWRLvBM.exe | N/A |
| N/A | N/A | C:\Windows\System\cPxjvPy.exe | N/A |
| N/A | N/A | C:\Windows\System\ZZvxHgC.exe | N/A |
| N/A | N/A | C:\Windows\System\POfRPmH.exe | N/A |
| N/A | N/A | C:\Windows\System\qZaMLRC.exe | N/A |
| N/A | N/A | C:\Windows\System\NfRRmLS.exe | N/A |
| N/A | N/A | C:\Windows\System\zOHapuq.exe | N/A |
| N/A | N/A | C:\Windows\System\zdlaUun.exe | N/A |
| N/A | N/A | C:\Windows\System\WliOoEU.exe | N/A |
| N/A | N/A | C:\Windows\System\iqPzFti.exe | N/A |
| N/A | N/A | C:\Windows\System\MWuEwkR.exe | N/A |
| N/A | N/A | C:\Windows\System\jBtWjPs.exe | N/A |
| N/A | N/A | C:\Windows\System\CXjTJmS.exe | N/A |
| N/A | N/A | C:\Windows\System\okGEKLi.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-07_3b8afb3ebab0e9c3dae938153cfe0de0_cobalt-strike_cobaltstrike_poet-rat.exe"
C:\Windows\System\ZzPSRcg.exe
C:\Windows\System\ZzPSRcg.exe
C:\Windows\System\SBvxVzx.exe
C:\Windows\System\SBvxVzx.exe
C:\Windows\System\CxnqFUB.exe
C:\Windows\System\CxnqFUB.exe
C:\Windows\System\MavSWKs.exe
C:\Windows\System\MavSWKs.exe
C:\Windows\System\GRmvVFW.exe
C:\Windows\System\GRmvVFW.exe
C:\Windows\System\ZaucKlA.exe
C:\Windows\System\ZaucKlA.exe
C:\Windows\System\qwZzDJI.exe
C:\Windows\System\qwZzDJI.exe
C:\Windows\System\gWRLvBM.exe
C:\Windows\System\gWRLvBM.exe
C:\Windows\System\cPxjvPy.exe
C:\Windows\System\cPxjvPy.exe
C:\Windows\System\ZZvxHgC.exe
C:\Windows\System\ZZvxHgC.exe
C:\Windows\System\POfRPmH.exe
C:\Windows\System\POfRPmH.exe
C:\Windows\System\qZaMLRC.exe
C:\Windows\System\qZaMLRC.exe
C:\Windows\System\NfRRmLS.exe
C:\Windows\System\NfRRmLS.exe
C:\Windows\System\zOHapuq.exe
C:\Windows\System\zOHapuq.exe
C:\Windows\System\zdlaUun.exe
C:\Windows\System\zdlaUun.exe
C:\Windows\System\WliOoEU.exe
C:\Windows\System\WliOoEU.exe
C:\Windows\System\iqPzFti.exe
C:\Windows\System\iqPzFti.exe
C:\Windows\System\MWuEwkR.exe
C:\Windows\System\MWuEwkR.exe
C:\Windows\System\jBtWjPs.exe
C:\Windows\System\jBtWjPs.exe
C:\Windows\System\CXjTJmS.exe
C:\Windows\System\CXjTJmS.exe
C:\Windows\System\okGEKLi.exe
C:\Windows\System\okGEKLi.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3252-0-0x00007FF682390000-0x00007FF6826E4000-memory.dmp
memory/3252-1-0x000001CE2FEA0000-0x000001CE2FEB0000-memory.dmp
C:\Windows\System\ZzPSRcg.exe
| MD5 | 565f05945debf33abc80126e0e2cbd42 |
| SHA1 | 07146e6d88252aab96b0a50e1b2291ba0a5578f7 |
| SHA256 | 9ecad043ca27e533e411e944d0ad7e849227d154e66c9eea7cb8861848c7278f |
| SHA512 | 160bba0f07577d69ab3b1fe6239310fdfd1c2b6ce653b17d94c5495f3273fb58d5972466400b7d6bea5262dc2900b2d897513cf7b85d8b0634a74374b083ee92 |
C:\Windows\System\SBvxVzx.exe
| MD5 | d339586cf47263de70ac981286b78bcf |
| SHA1 | 8e78c2841d265606da957168b41e1e537dd539e6 |
| SHA256 | b0081e3b05b363bdefce81de371e7319e152f9482756eace8f6629a751394b51 |
| SHA512 | c7aa8756d022336abcb1629aa46ab32e9c5d2e5ea8d83fc515165317572d1f4d8ff383851571669136f82a42eda3ead18a10f46699b6357947dbace0dbe762fc |
C:\Windows\System\CxnqFUB.exe
| MD5 | 1fe2ea021e732f64efe50f960b79ec7b |
| SHA1 | 92ffff05445ab732658736387bb978d658618337 |
| SHA256 | cb186c7ffd677c6946cb9264037f4931f0dc83e49bb3ca9c0d6fbc42d53ef094 |
| SHA512 | 02400bc7c170c97c7a1427672e7d4944d798dcc5629a6812b32bbf1bb360d9dfb9646b4d99e4f4ff183eb4b52f24eecb523fa34face7e546abf0a902b9d3bd28 |
memory/2476-14-0x00007FF7237A0000-0x00007FF723AF4000-memory.dmp
C:\Windows\System\MavSWKs.exe
| MD5 | 4fdf8aaad2b8e872efbbec9c915eed0d |
| SHA1 | 73eaa5a67f72e84c7e60588245771d86c7063edd |
| SHA256 | f410d2bdb532a3ed333118e92add5fae0e8031dc338526051896e7861cb3795b |
| SHA512 | dd068f14afeafde6aebeae4741814231efd82a316205034f625e6da37686de9e0c152f5e855af1717111e07f5cc54cbe9232a7380f85ee5646063f4de68a3e29 |
memory/1800-26-0x00007FF66AE20000-0x00007FF66B174000-memory.dmp
memory/2196-22-0x00007FF79B370000-0x00007FF79B6C4000-memory.dmp
memory/4716-7-0x00007FF6A10D0000-0x00007FF6A1424000-memory.dmp
C:\Windows\System\GRmvVFW.exe
| MD5 | 17a689f0b16ab658553e969cb0c0ae9c |
| SHA1 | 5b163fd229338ab6960513459e0d20f507b5caa1 |
| SHA256 | 425452af2b79391dcdbfdb9b76665ecb68101bb9a69c31836678a0def30a8737 |
| SHA512 | 0224e981f207011fbd7881df837a70c81bdd00f39cee404feb0ba4f95a580abc41e8cf48ac60645487fa689b4cba40e82b121ff17dcac935d8780ab51883bf55 |
memory/2492-32-0x00007FF6D9570000-0x00007FF6D98C4000-memory.dmp
C:\Windows\System\ZaucKlA.exe
| MD5 | 944f346559d13277befc4dc34efdf29f |
| SHA1 | 98519aea1a7b0c7b17a22f2581c988378e68e1b1 |
| SHA256 | 38470fef086830ae5faa5ef483cca3e4ae4cfc8c61cf7fb2c099f5390790565b |
| SHA512 | c1b06a59ee152bc2a2f101626b9b2a2621983485a9e9b9aaa0f680d9fbee49fa7ffe894cd90b1735d1c5d97595bca8844d9c336a8b7eee32d710d4657f0db294 |
memory/3092-36-0x00007FF660F30000-0x00007FF661284000-memory.dmp
C:\Windows\System\qwZzDJI.exe
| MD5 | d939a1ea8cb4a1da88f882caf5c2c94f |