Analysis Overview
SHA256
99f7856d5e1c4ec54f6db1ca97b18f6ed1e6145d8ac5c277631b9e8a4e75fe49
Threat Level: Known bad
The file 2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
xmrig
Cobaltstrike
XMRig Miner payload
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
Xmrig family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-05-27 02:04
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 02:04
Reported
2024-05-27 02:07
Platform
win7-20240419-en
Max time kernel
140s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\UBtOTzX.exe | N/A |
| N/A | N/A | C:\Windows\System\QCasUEf.exe | N/A |
| N/A | N/A | C:\Windows\System\TbSGCbN.exe | N/A |
| N/A | N/A | C:\Windows\System\hsVojtx.exe | N/A |
| N/A | N/A | C:\Windows\System\StVXWiR.exe | N/A |
| N/A | N/A | C:\Windows\System\lOMJiAi.exe | N/A |
| N/A | N/A | C:\Windows\System\ZhQLdeZ.exe | N/A |
| N/A | N/A | C:\Windows\System\ofAcnjB.exe | N/A |
| N/A | N/A | C:\Windows\System\fQnWLGR.exe | N/A |
| N/A | N/A | C:\Windows\System\HlZfMDX.exe | N/A |
| N/A | N/A | C:\Windows\System\TWufyTw.exe | N/A |
| N/A | N/A | C:\Windows\System\NXKGpHg.exe | N/A |
| N/A | N/A | C:\Windows\System\ZAToOOB.exe | N/A |
| N/A | N/A | C:\Windows\System\JlDETXk.exe | N/A |
| N/A | N/A | C:\Windows\System\MkBVDDo.exe | N/A |
| N/A | N/A | C:\Windows\System\rPJrhzl.exe | N/A |
| N/A | N/A | C:\Windows\System\qgRksHa.exe | N/A |
| N/A | N/A | C:\Windows\System\yDQsgsG.exe | N/A |
| N/A | N/A | C:\Windows\System\qxrqEKh.exe | N/A |
| N/A | N/A | C:\Windows\System\HiItscM.exe | N/A |
| N/A | N/A | C:\Windows\System\NTyJYav.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\UBtOTzX.exe | C:\Windows\System\UBtOTzX.exe |
| C:\Windows\System\QCasUEf.exe | C:\Windows\System\QCasUEf.exe |
| C:\Windows\System\TbSGCbN.exe | C:\Windows\System\TbSGCbN.exe |
| C:\Windows\System\hsVojtx.exe | C:\Windows\System\hsVojtx.exe |
| C:\Windows\System\StVXWiR.exe | C:\Windows\System\StVXWiR.exe |
| C:\Windows\System\lOMJiAi.exe | C:\Windows\System\lOMJiAi.exe |
| C:\Windows\System\ZhQLdeZ.exe | C:\Windows\System\ZhQLdeZ.exe |
| C:\Windows\System\ofAcnjB.exe | C:\Windows\System\ofAcnjB.exe |
| C:\Windows\System\fQnWLGR.exe | C:\Windows\System\fQnWLGR.exe |
| C:\Windows\System\HlZfMDX.exe | C:\Windows\System\HlZfMDX.exe |
| C:\Windows\System\TWufyTw.exe | C:\Windows\System\TWufyTw.exe |
| C:\Windows\System\NXKGpHg.exe | C:\Windows\System\NXKGpHg.exe |
| C:\Windows\System\ZAToOOB.exe | C:\Windows\System\ZAToOOB.exe |
| C:\Windows\System\JlDETXk.exe | C:\Windows\System\JlDETXk.exe |
| C:\Windows\System\MkBVDDo.exe | C:\Windows\System\MkBVDDo.exe |
| C:\Windows\System\rPJrhzl.exe | C:\Windows\System\rPJrhzl.exe |
| C:\Windows\System\qgRksHa.exe | C:\Windows\System\qgRksHa.exe |
| C:\Windows\System\yDQsgsG.exe | C:\Windows\System\yDQsgsG.exe |
| C:\Windows\System\qxrqEKh.exe | C:\Windows\System\qxrqEKh.exe |
| C:\Windows\System\HiItscM.exe | C:\Windows\System\HiItscM.exe |
| C:\Windows\System\NTyJYav.exe | C:\Windows\System\NTyJYav.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 02:04
Reported
2024-05-27 02:07
Platform
win10v2004-20240426-en
Max time kernel
140s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\dyJMObA.exe | N/A |
| N/A | N/A | C:\Windows\System\RCHAbyy.exe | N/A |
| N/A | N/A | C:\Windows\System\MCDvtHW.exe | N/A |
| N/A | N/A | C:\Windows\System\QzOcmYO.exe | N/A |
| N/A | N/A | C:\Windows\System\AHAYYxS.exe | N/A |
| N/A | N/A | C:\Windows\System\OeMziPJ.exe | N/A |
| N/A | N/A | C:\Windows\System\DgHIFrs.exe | N/A |
| N/A | N/A | C:\Windows\System\sIIYexW.exe | N/A |
| N/A | N/A | C:\Windows\System\eNWXLQO.exe | N/A |
| N/A | N/A | C:\Windows\System\HVRNoPG.exe | N/A |
| N/A | N/A | C:\Windows\System\NqxVpyn.exe | N/A |
| N/A | N/A | C:\Windows\System\iNmtTwh.exe | N/A |
| N/A | N/A | C:\Windows\System\kZXYffT.exe | N/A |
| N/A | N/A | C:\Windows\System\hJTtmEr.exe | N/A |
| N/A | N/A | C:\Windows\System\JUHGFnk.exe | N/A |
| N/A | N/A | C:\Windows\System\aqaDLtm.exe | N/A |
| N/A | N/A | C:\Windows\System\oiytObP.exe | N/A |
| N/A | N/A | C:\Windows\System\yAwzEHf.exe | N/A |
| N/A | N/A | C:\Windows\System\GmrckWp.exe | N/A |
| N/A | N/A | C:\Windows\System\svFehRb.exe | N/A |
| N/A | N/A | C:\Windows\System\wAWSnHB.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-27_778418f0e5bedc2f927370e2938780bc_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\dyJMObA.exe | C:\Windows\System\dyJMObA.exe |
| C:\Windows\System\RCHAbyy.exe | C:\Windows\System\RCHAbyy.exe |
| C:\Windows\System\MCDvtHW.exe | C:\Windows\System\MCDvtHW.exe |
| C:\Windows\System\QzOcmYO.exe | C:\Windows\System\QzOcmYO.exe |
| C:\Windows\System\OeMziPJ.exe | C:\Windows\System\OeMziPJ.exe |
| C:\Windows\System\AHAYYxS.exe | C:\Windows\System\AHAYYxS.exe |
| C:\Windows\System\DgHIFrs.exe | C:\Windows\System\DgHIFrs.exe |
| C:\Windows\System\sIIYexW.exe | C:\Windows\System\sIIYexW.exe |
| C:\Windows\System\eNWXLQO.exe | C:\Windows\System\eNWXLQO.exe |
| C:\Windows\System\HVRNoPG.exe | C:\Windows\System\HVRNoPG.exe |
| C:\Windows\System\iNmtTwh.exe | C:\Windows\System\iNmtTwh.exe |
| C:\Windows\System\NqxVpyn.exe | C:\Windows\System\NqxVpyn.exe |
| C:\Windows\System\kZXYffT.exe | C:\Windows\System\kZXYffT.exe |
| C:\Windows\System\hJTtmEr.exe | C:\Windows\System\hJTtmEr.exe |
| C:\Windows\System\JUHGFnk.exe | C:\Windows\System\JUHGFnk.exe |
| C:\Windows\System\aqaDLtm.exe | C:\Windows\System\aqaDLtm.exe |
| C:\Windows\System\oiytObP.exe | C:\Windows\System\oiytObP.exe |
| C:\Windows\System\yAwzEHf.exe | C:\Windows\System\yAwzEHf.exe |
| C:\Windows\System\GmrckWp.exe | C:\Windows\System\GmrckWp.exe |
| C:\Windows\System\svFehRb.exe | C:\Windows\System\svFehRb.exe |
| C:\Windows\System\wAWSnHB.exe | C:\Windows\System\wAWSnHB.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
| SHA256 | e11dd423420ae5f6b3bb78fe7bcdec9f5fa1702b3aff252e51135e8dc2af2370 |
| SHA512 | d26fb8722801d4084bb837015f98f2a410674dbf30955e48b2f4e4a985662386fa6e92470188921221fb711801061379dc410cffbd37ffdc9b673cb2e71f824d |
C:\Windows\System\DgHIFrs.exe
| MD5 | 3d0cca9938bcdf7e813fa31901dec1d0 |
| SHA1 | f9cb5a48869fd7a60c9a14bd369e35282242d5de |
| SHA256 | a03bc8d5fd29e8212483912648333c3c17adb8de705ddb295b7a611d4b93fb05 |
| SHA512 | 88c182c593a1f0b9ee8088e23b130ea5f95dc056ff31aecec42fe6530407f5c6ce453d0f6a64ca406e146eed24d16e0d7569894a9df6248f874aadf73f6b7d06 |
C:\Windows\System\NqxVpyn.exe
| MD5 | 2f3f032848f8d1be097551e17d5847d2 |
| SHA1 | a32b260d00f160f0c9c7a7ae85d2682ca9ac237b |
| SHA256 | 1d8de5a27773a718e8b7c1d6e031b067dbd8c3f929b24ebd07a7e280ce155f42 |
| SHA512 | 9888c8d12317bac1197bbf7c839ea0aca55cd012c6d250f655d7f6dab4a470f8c715967c51d62f0e13793886eb7becc09ca9a1670adb822c9d7544333d187f0e |
C:\Windows\System\iNmtTwh.exe
| MD5 | 39eabb711fd383d89f0adc1e3146ab96 |
| SHA1 | 14f2e78d711f0d3f5156ad39ebcf4fd75a1efd49 |
| SHA256 | 23fc5e858c8e8e4f45eb896f14bd9568cc004b1e93608390d05e966b7054fe22 |
| SHA512 | 3c8a27b3c9e2d0d26ef3a4e566aa02927b1c9005c83292745c4550ca9ce878867f76b6eae168ecda197118b37385a0ecdeb523b539c21460dc0b29775104a9c2 |
C:\Windows\System\kZXYffT.exe
| MD5 | 2355db2e5a881eb745794d4312c4432d |
| SHA1 | 7c876ca4e85556c9e4d68348c62f0f454c496730 |
| SHA256 | 3575341f26ef7a996dd47cac25bc3ff211da701c22f752954c342b4abdb9b029 |
| SHA512 | fe485d37592298a037a77c4bfb139369ad422d8b2d5df8ee15dbfc55bdce931965c92b266a0109b8c17a387a1fdd9597ae9ff57292100793af6dbe8550c4aa72 |
C:\Windows\System\aqaDLtm.exe
| MD5 | 06c91056edf2be5c5cc59e03ec276632 |
| SHA1 | b9f142023fb4369f9c4f5b0664e80a7a729be96d |
| SHA256 | 351c64c6d9f7f95239fb17b91735109c5400f96c188e0583b3769a02a0e10da4 |
| SHA512 | 5272e3bd7261f5a015aafb3427e47130ffc20a1e23d88eb9a2c40b5809cf7c121cae27e34befd5c4e9bf98bbbae5a585a2c38f61a5b4c714cff33465775c7c2b |
memory/5624-110-0x00007FF72BF30000-0x00007FF72C281000-memory.dmp
memory/3392-113-0x00007FF6BFE80000-0x00007FF6C01D1000-memory.dmp
C:\Windows\System\wAWSnHB.exe
| MD5 | 7f952d444a487085c3bc6c14178a084c |
| SHA1 | cf6991f9bb64566c3083c8ddd4e2911368c078e8 |
| SHA256 | 0735a7b204a6eaac7ed78cc6d1388f4a89df61ffda2bf45e500ac3e0f0600e85 |
| SHA512 | 277d0e30cdf7574c429bf3e239b51d711dfe8cbd475280b1634c3e4f64a2f7af64cb9deb4fc6cc20808a3906bb4b72e80ae47425c463d7ae612e600064d2887e |
memory/1852-125-0x00007FF751640000-0x00007FF751991000-memory.dmp
memory/5532-122-0x00007FF7BD0B0000-0x00007FF7BD401000-memory.dmp
memory/2644-121-0x00007FF6A4370000-0x00007FF6A46C1000-memory.dmp
C:\Windows\System\yAwzEHf.exe
| MD5 | 19a5d162929a691e2aab3a73e619e255 |
| SHA1 | 71c7851a949341d6f95ff967bcd7929ccd3beabc |
| SHA256 | 835c305b5182fccc70d8cd57e151e52449738b7be5ad8b6d8e996f588fc5a548 |
| SHA512 | 39553ef9cab35defda900a9ac283f68d6dfe5e296bc991e09395e4d623c8032a8ab92000fec9b44477921f2d20ea0c201c59a7a019d7799cff8309fca804aa44 |
C:\Windows\System\oiytObP.exe
| MD5 | 822678c96b99c2187a8b4b5a3d99ea9e |
| SHA1 | 22fe5139da940042e97441cfa74ec69036374778 |
| SHA256 | e593fdb0c7072beead1d0d344eb22695d3d057e0d4eeb9d9c09ff0cc6d82bfa1 |
| SHA512 | 60d31ae7049a97fefadf9a46f7d28179a18a713fbd1f0cdf88a4cbd56142e97f953d9e0143fb5d8338b0773ac8ed05ec3f949df53dbae6f1e0ebd98651460709 |
C:\Windows\System\GmrckWp.exe
| MD5 | 2bb0256fc47cd8ec45b951c4b6ed0b13 |
| SHA1 | db34d289724914f353106c3f30058c66d0b3585f |
| SHA256 | 517b81248b6f38d479177343c73cd284d8e1d475a3b9399fff0302a341834bbc |
| SHA512 | baed824f9e093375c3751b670e2e7ab728d7e898bd0fbd13342db6563e81f910494572216d2e29be9dc47a4b4a5494b468a4fb6f162724ae68f49bf7c9e8040b |
memory/2440-112-0x00007FF6EDA90000-0x00007FF6EDDE1000-memory.dmp
memory/4536-111-0x00007FF6A1C50000-0x00007FF6A1FA1000-memory.dmp
memory/512-109-0x00007FF6140F0000-0x00007FF614441000-memory.dmp
C:\Windows\System\svFehRb.exe
| MD5 | 8b055fb3624491d1a2976c5b7c85025f |
| SHA1 | e06df9dd7feaa2c20e1d1390b5b609424e5e8c5d |
| SHA256 | 91c0114c9ed757a18cfbd28323ab79f260d96dbfeec5d17f9f941eb2f92b3dc4 |
| SHA512 | 44b205d6d0a0ae458ab0518b02981e5f7d9f963dfa210d61796ffee89fdc71f897cfc8f8faadc088a76d936b7f7acec7b487e8c0ab4d2681fd62e879e7a60a70 |
memory/1488-107-0x00007FF74A0D0000-0x00007FF74A421000-memory.dmp
memory/4548-106-0x00007FF74CDE0000-0x00007FF74D131000-memory.dmp
C:\Windows\System\JUHGFnk.exe
| MD5 | 0420ac024e496c1019f877a536c569d8 |
| SHA1 | ac733e4629db6adb4b25ed8ad37f95bcfd710e00 |
| SHA256 | 5335a3b7f523641ad81564e2e236650830f07f48de776f19bba440014f546044 |
| SHA512 | 6d9554271bbef73fb0169fb0984c322f9aac0794944f1bc7acd8fd5e7901741b2fd994b5297a2c232f2649d33321404728a11e11a1327843f8f2adf1020a4db0 |
memory/5376-95-0x00007FF6D6690000-0x00007FF6D69E1000-memory.dmp
C:\Windows\System\hJTtmEr.exe
| MD5 | bbf175f89483ded976b4f598627992bb |
| SHA1 | 90ef5523ed1f7e9854f0f361ac45dd0a17eca8d3 |
| SHA256 | cb6febe26443f2d6f57612f2ca7814f6effbe59a40ad23ca292ccfb851210b36 |
| SHA512 | 84ebd90e32db38173618a5550877d26b2806a2ba0894de0b35f2dd7424f65df3b530c9fa99c67694f358efa19afc187ce0ea822c5e37d507ff629e7c6f711283 |
memory/1304-81-0x00007FF717BB0000-0x00007FF717F01000-memory.dmp
memory/3648-73-0x00007FF7D17B0000-0x00007FF7D1B01000-memory.dmp
memory/2372-70-0x00007FF7F3B90000-0x00007FF7F3EE1000-memory.dmp
memory/4544-80-0x00007FF70DF80000-0x00007FF70E2D1000-memory.dmp
C:\Windows\System\HVRNoPG.exe
| MD5 | c8c6729cea9d8724e5d227b0342e959d |
| SHA1 | 65933bd5ff309963314a58162990dd47a6e4f30c |
| SHA256 | 2385a083f5ec301a93f195dfaa538c27837a0c5330d8c6d2539dad7f059819e2 |
| SHA512 | 2c59420b16b5e86af90389f468a33ed0f40b1f66cb0d57182a39459e02ac518a06f4aed7da191d89cf11fc03f59f1ad5788d5a2e796164b2023e9aa09764155d |
memory/4132-59-0x00007FF7CF1A0000-0x00007FF7CF4F1000-memory.dmp
C:\Windows\System\AHAYYxS.exe
| MD5 | 91b5ec652db17d1212dbf9a75fb166e0 |
| SHA1 | b6ac80b1b00f6ed45540b076b72122b9653dbc27 |
| SHA256 | 427ed22bf282a077c77690961ed25f6ac1d9a74fbe85c18d6a45f2cd0f56aa3a |
| SHA512 | 7b27c1d0c01360551da79d0d9ca8b1e7e6b5b277a585a3fe8b35b74fad5e9f5c141567132f10fb3edd4d8161c78b48b4c3b874c954d9b18549206659c248098a |
C:\Windows\System\sIIYexW.exe
| MD5 | 5be8dcbbd84628ca74104970ec4640f1 |
| SHA1 | f2231773c1d3a978d1bec40b0687c6d6f49aa287 |
| SHA256 | 6b97ebabfa2592d0822a9e295ef5524bbc35408ebc4c8296d4845301c7711da2 |
| SHA512 | 31f5c147d257fc489398c19d90f036a3ce3ba96b91c67dafe75624451a1c0158ba80680a45375848737d9f1f9cec9e2fb5a45baf20df991e57823cee2196151b |
memory/828-45-0x00007FF6E2C60000-0x00007FF6E2FB1000-memory.dmp
memory/332-27-0x00007FF61C330000-0x00007FF61C681000-memory.dmp
memory/4552-24-0x00007FF6D8FB0000-0x00007FF6D9301000-memory.dmp
memory/332-132-0x00007FF61C330000-0x00007FF61C681000-memory.dmp
memory/5376-143-0x00007FF6D6690000-0x00007FF6D69E1000-memory.dmp
memory/5532-148-0x00007FF7BD0B0000-0x00007FF7BD401000-memory.dmp
memory/1852-149-0x00007FF751640000-0x00007FF751991000-memory.dmp
memory/2440-146-0x00007FF6EDA90000-0x00007FF6EDDE1000-memory.dmp
memory/2644-145-0x00007FF6A4370000-0x00007FF6A46C1000-memory.dmp
memory/3392-147-0x00007FF6BFE80000-0x00007FF6C01D1000-memory.dmp
memory/1304-141-0x00007FF717BB0000-0x00007FF717F01000-memory.dmp
memory/4544-140-0x00007FF70DF80000-0x00007FF70E2D1000-memory.dmp
memory/828-134-0x00007FF6E2C60000-0x00007FF6E2FB1000-memory.dmp
memory/4132-133-0x00007FF7CF1A0000-0x00007FF7CF4F1000-memory.dmp
memory/4552-131-0x00007FF6D8FB0000-0x00007FF6D9301000-memory.dmp
memory/3828-130-0x00007FF7B5360000-0x00007FF7B56B1000-memory.dmp
memory/2956-128-0x00007FF7ADC10000-0x00007FF7ADF61000-memory.dmp
memory/2956-150-0x00007FF7ADC10000-0x00007FF7ADF61000-memory.dmp
memory/1320-208-0x00007FF6EB600000-0x00007FF6EB951000-memory.dmp
memory/4552-210-0x00007FF6D8FB0000-0x00007FF6D9301000-memory.dmp
memory/3828-212-0x00007FF7B5360000-0x00007FF7B56B1000-memory.dmp
memory/332-214-0x00007FF61C330000-0x00007FF61C681000-memory.dmp
memory/4548-216-0x00007FF74CDE0000-0x00007FF74D131000-memory.dmp
memory/2372-218-0x00007FF7F3B90000-0x00007FF7F3EE1000-memory.dmp
memory/4132-220-0x00007FF7CF1A0000-0x00007FF7CF4F1000-memory.dmp
memory/828-222-0x00007FF6E2C60000-0x00007FF6E2FB1000-memory.dmp
memory/1488-224-0x00007FF74A0D0000-0x00007FF74A421000-memory.dmp
memory/3648-226-0x00007FF7D17B0000-0x00007FF7D1B01000-memory.dmp
memory/4544-228-0x00007FF70DF80000-0x00007FF70E2D1000-memory.dmp
memory/512-230-0x00007FF6140F0000-0x00007FF614441000-memory.dmp
memory/5624-232-0x00007FF72BF30000-0x00007FF72C281000-memory.dmp
memory/1304-234-0x00007FF717BB0000-0x00007FF717F01000-memory.dmp
memory/4536-238-0x00007FF6A1C50000-0x00007FF6A1FA1000-memory.dmp
memory/3392-241-0x00007FF6BFE80000-0x00007FF6C01D1000-memory.dmp
memory/2644-242-0x00007FF6A4370000-0x00007FF6A46C1000-memory.dmp
memory/2440-244-0x00007FF6EDA90000-0x00007FF6EDDE1000-memory.dmp
memory/5376-237-0x00007FF6D6690000-0x00007FF6D69E1000-memory.dmp
memory/1852-246-0x00007FF751640000-0x00007FF751991000-memory.dmp
memory/5532-249-0x00007FF7BD0B0000-0x00007FF7BD401000-memory.dmp