Analysis Overview
SHA256
fe97a61e987af51c87a6457d9a95f39a1293bcc5fd040531e48dc04f7b474a79
Threat Level: Known bad
The file 2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
UPX dump on OEP (original entry point)
Cobaltstrike
XMRig Miner payload
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Cobaltstrike family
Xmrig family
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-29 19:05
Signatures
Per-hit detail (Description, Indicator, Process, Target) was not captured in this export; every signature table in the static analysis held a single all-N/A row.
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 19:05
Reported
2024-05-29 19:08
Platform
win7-20240220-en
Max time kernel
138s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits; Description, Indicator, Process and Target cells were not captured in this export (all N/A).
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits; Description, Indicator, Process and Target cells were not captured in this export (all N/A).
UPX dump on OEP (original entry point)
55 hits; Description, Indicator, Process and Target cells were not captured in this export (all N/A).
XMRig Miner payload
55 hits; Description, Indicator, Process and Target cells were not captured in this export (all N/A).
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\lqXiyNd.exe | N/A |
| N/A | N/A | C:\Windows\System\UsXRIoD.exe | N/A |
| N/A | N/A | C:\Windows\System\cQVNgQa.exe | N/A |
| N/A | N/A | C:\Windows\System\lAPJrxd.exe | N/A |
| N/A | N/A | C:\Windows\System\apqmRmT.exe | N/A |
| N/A | N/A | C:\Windows\System\SjVWKFZ.exe | N/A |
| N/A | N/A | C:\Windows\System\AKPNuOK.exe | N/A |
| N/A | N/A | C:\Windows\System\zbhnkYv.exe | N/A |
| N/A | N/A | C:\Windows\System\aTmfVIR.exe | N/A |
| N/A | N/A | C:\Windows\System\mGYqyRP.exe | N/A |
| N/A | N/A | C:\Windows\System\cOXlLZk.exe | N/A |
| N/A | N/A | C:\Windows\System\oNnTBiC.exe | N/A |
| N/A | N/A | C:\Windows\System\IxXMLEp.exe | N/A |
| N/A | N/A | C:\Windows\System\RtkdXqQ.exe | N/A |
| N/A | N/A | C:\Windows\System\EBKxzgp.exe | N/A |
| N/A | N/A | C:\Windows\System\lfvPjCc.exe | N/A |
| N/A | N/A | C:\Windows\System\ZkDrUMS.exe | N/A |
| N/A | N/A | C:\Windows\System\HsnfVRU.exe | N/A |
| N/A | N/A | C:\Windows\System\EtBUdkE.exe | N/A |
| N/A | N/A | C:\Windows\System\xWxtNuh.exe | N/A |
| N/A | N/A | C:\Windows\System\yOgSimH.exe | N/A |
Loads dropped DLL
UPX packed file
55 hits; Description, Indicator, Process and Target cells were not captured in this export (all N/A).
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe | N/A |
SeLockMemoryPrivilege is the right XMRig enables to back its RandomX memory with large pages, so the submitted sample requesting it (twice) is consistent with the XMRig Miner payload signature above. On a production host the same adjustment surfaces as Security event 4703 ("A user right was adjusted") when the Audit Authorization Policy Change subcategory is enabled.
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\lqXiyNd.exe | C:\Windows\System\lqXiyNd.exe |
| C:\Windows\System\UsXRIoD.exe | C:\Windows\System\UsXRIoD.exe |
| C:\Windows\System\cQVNgQa.exe | C:\Windows\System\cQVNgQa.exe |
| C:\Windows\System\lAPJrxd.exe | C:\Windows\System\lAPJrxd.exe |
| C:\Windows\System\apqmRmT.exe | C:\Windows\System\apqmRmT.exe |
| C:\Windows\System\SjVWKFZ.exe | C:\Windows\System\SjVWKFZ.exe |
| C:\Windows\System\cOXlLZk.exe | C:\Windows\System\cOXlLZk.exe |
| C:\Windows\System\AKPNuOK.exe | C:\Windows\System\AKPNuOK.exe |
| C:\Windows\System\oNnTBiC.exe | C:\Windows\System\oNnTBiC.exe |
| C:\Windows\System\zbhnkYv.exe | C:\Windows\System\zbhnkYv.exe |
| C:\Windows\System\IxXMLEp.exe | C:\Windows\System\IxXMLEp.exe |
| C:\Windows\System\aTmfVIR.exe | C:\Windows\System\aTmfVIR.exe |
| C:\Windows\System\RtkdXqQ.exe | C:\Windows\System\RtkdXqQ.exe |
| C:\Windows\System\mGYqyRP.exe | C:\Windows\System\mGYqyRP.exe |
| C:\Windows\System\EBKxzgp.exe | C:\Windows\System\EBKxzgp.exe |
| C:\Windows\System\lfvPjCc.exe | C:\Windows\System\lfvPjCc.exe |
| C:\Windows\System\ZkDrUMS.exe | C:\Windows\System\ZkDrUMS.exe |
| C:\Windows\System\HsnfVRU.exe | C:\Windows\System\HsnfVRU.exe |
| C:\Windows\System\EtBUdkE.exe | C:\Windows\System\EtBUdkE.exe |
| C:\Windows\System\xWxtNuh.exe | C:\Windows\System\xWxtNuh.exe |
| C:\Windows\System\yOgSimH.exe | C:\Windows\System\yOgSimH.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Six TCP connections to 3.120.209.58:8080 within the 150 s network window, and no DNS query for that address: the sample connects by IP.
Files
memory/1856-0-0x000000013FB30000-0x000000013FE84000-memory.dmp
memory/1856-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\lqXiyNd.exe
| MD5 | 197e5d2b32846fcfaf0064e744c257f0 |
| SHA1 | 2d7f52beb507a1651df012a41c91be3a28ca7870 |
| SHA256 | 54501932cc2c20d9ffba1e38c379d3490ae619a5cdbee5bec2d8596d68c3a0b9 |
| SHA512 | 7361150f95f5114767cfe718575a6072162d511b87b01b2d366de5f2964860b2f58a64c5b5202600b62d2a5b5e37319ac60736bd5ddbc7cf58834b1dba369cb0 |
memory/2252-8-0x000000013F470000-0x000000013F7C4000-memory.dmp
\Windows\system\cQVNgQa.exe
| MD5 | d769ef11758ab5bb49c28e9ce5c533ea |
| SHA1 | cc39aa928faba7f636a1c259bf470a7ea464b164 |
| SHA256 | b88d12b4b707357e7f682c5665f99cb0dbf840471626f3e4620b88afacbd31d7 |
| SHA512 | e8fcbecd7bf591472277343bf9e8cc9d7eaca82b7629cd5f6aec7d9961c1391e5c9fe08efac7f57f94125ca6e38b9c6365a1e7d0ef75b2ee5e28fe64a1182714 |
memory/1856-13-0x000000013F310000-0x000000013F664000-memory.dmp
memory/2220-20-0x000000013F870000-0x000000013FBC4000-memory.dmp
memory/2216-19-0x000000013F310000-0x000000013F664000-memory.dmp
C:\Windows\system\UsXRIoD.exe
| MD5 | 0a21fbff72396cab789dfc8e2f820ddc |
| SHA1 | 4dfec5da260f6f88f34333842868476661c55cbc |
| SHA256 | 96769250a52af645477a91dd5e0de48b7f3dcd5749e7262f7ceb083ef1c0e1ec |
| SHA512 | c44f826d6ba0e1664bee5bf8e6a69b3a78833a3f918e986d19a61c83d4d614f45db364aa3b4b9a337a5e332d6a1d5b7911160b8b8d346e77a58c818aa996f363 |
C:\Windows\system\lAPJrxd.exe
| MD5 | 24f5b4075d9e04be378311cba719be1f |
| SHA1 | a4b66d524d8fc0723f98cae7e35fa11782c6fc1b |
| SHA256 | 78ce2952c8cfbce8587c35c67a298c6537fb4787c5bad1ee7b2002384762cea9 |
| SHA512 | cbe3a9f312b394ca9c10ed7bc3784de1ee064205d923b54ee6a1a721be367e8939b90cd755f36afc469bd2ccfb4f37ab5fceb0bc3f6c09645c18ca86f3d32825 |
\Windows\system\apqmRmT.exe
| MD5 | 628b45324e6288d4a06cb9427e44676f |
| SHA1 | d3b4fadc0918bb32ee468dc0b6a118a6c08021ed |
| SHA256 | 315c9c552f24448a9d1d3640dc144c66503b25b4bd29396e5c8efd295210799f |
| SHA512 | 0bb0e877804b968c62d6fb8b7ea2e3e11d690e500de797a2fefdce668f64880f34384bddeee5cd62aef62f056a545325dbd599912e6c925cfee813f342b8dbdd |
memory/2644-63-0x000000013F540000-0x000000013F894000-memory.dmp
C:\Windows\system\mGYqyRP.exe
| MD5 | b97ddf9ae388645514f85a8787085d2c |
| SHA1 | 97b7782f249d9efa2aca1cb4b3593b7afc36d318 |
| SHA256 | 5d4fc89bcd919979673d452ab03b4b3ea40c91baca511a9cd97afd6ea9f34ea8 |
| SHA512 | 365e7ac63527fd9b563fc1f445359c3d7ba9d2fb273abe52a51c0cca45639f783f9eaaf26397a8907df8a935868a703a092c738a454f14598428e11eb333652f |
\Windows\system\cOXlLZk.exe
| MD5 | 51898746ab6d16a9dcfe8063871d7e65 |
| SHA1 | 93a9d75ae49e10c74d9e3a34b7176c3822db84a3 |
| SHA256 | 6e9c13e4321539bc70980c1708f2f7f7c4464b4fefbed05c18586acbae80c50d |
| SHA512 | e1d9f2b65b36f31964a58ad4771c11daa1b0ec54df09685a5eec91eeb2306b8df986b7f1e7dc5e9e423821f9a18b3e4013e2cff364d967e09fad5730ee48a311 |
memory/1856-80-0x0000000002340000-0x0000000002694000-memory.dmp
memory/2544-41-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/1856-84-0x0000000002340000-0x0000000002694000-memory.dmp
memory/2856-85-0x000000013FE40000-0x0000000140194000-memory.dmp
memory/2692-87-0x000000013F870000-0x000000013FBC4000-memory.dmp
memory/1856-89-0x000000013FB30000-0x000000013FE84000-memory.dmp
C:\Windows\system\IxXMLEp.exe
| MD5 | 6daa6988bcc1d415072c921f0866d0f4 |
| SHA1 | c5c041e1db173d7e4e6ade5905df995a3ac9873d |
| SHA256 | 67a3f6299f7cf2b68112918e3d84a1ce7d3ff4387d5e980d34859e44e5e8574c |
| SHA512 | e21f34b35e53c289863cb562e2a9efd6e217868c64f25fac3d30a0f05e7a74f33f71d23484841a745847e8a96a57af011693e958bc21fd68cad3962c8640821e |
memory/2252-93-0x000000013F470000-0x000000013F7C4000-memory.dmp
C:\Windows\system\lfvPjCc.exe
| MD5 | 05a041ef731b32217459b3fb8f1a808d |
| SHA1 | 3c097967f4efb8d558e829e5ae7451aed43213c0 |
| SHA256 | b9c7fd61827fba7dcc26eda881b94777d8a6e78acce7ecd1fda731ee30e915b4 |
| SHA512 | 93d8ad4176133ea5900f17225ba669d5eec56f5b101df0b4468d66abd7d4fa80b03297b77dfa8e11c2ae4a435ec28be7cbdd4d8f160119069eec66094dd63c5b |
C:\Windows\system\HsnfVRU.exe
| MD5 | 405f76b87df8fce1e20a48677e1255f0 |
| SHA1 | 76a9dadc8bd85e977a401d95aebdc559617747c5 |
| SHA256 | 4d77c5113098d6aed6ccb69846829f5e587c1adc19b0c780de64632d056e8817 |
| SHA512 | ee8b134a6ad66e6568a5ecb1fcad756c5f855682dc6f262b540d65d7c5135acfa5e3983af88d00bacc247203fa08d7e15696b79cb93ba64be06dea4d80b2a965 |
C:\Windows\system\ZkDrUMS.exe
| MD5 | c096fa6c5b754e68c968060d84ab9d8c |
| SHA1 | de258a32f0b882305c840f17b96a2c0c6450e27b |
| SHA256 | c8c3a2dbb82e0c86d05c733781b1109e5005e369747c7755122553d5d1fc90ff |
| SHA512 | 2679fa11bdc9442e3f17393169a012d34de7fa0a52bb339c1bd8b138dc4255b6fe84a5940a32e79854d793a457ce8b4f963937923451b99a0125e4a472bdc651 |
C:\Windows\system\yOgSimH.exe
| MD5 | 26e3e18a6cf378f429157bd66410c7e5 |
| SHA1 | aee71dbd5100d9c1118d9bbd81fbabcc34dfb80c |
| SHA256 | 689f1c119b72cae099ff3aed285ce13e4017cd33c3e2c1c24764a395286af2a2 |
| SHA512 | f3d2b84c9321ece1ac798af004744aab5838caa5bd02046370bc33ac62374f67aafcea372487bf654552febd11a870478f3b0beddc9d1ec93365f08c6c46f92a |
C:\Windows\system\EtBUdkE.exe
| MD5 | c10beefb156f569bb36c91ffb955c059 |
| SHA1 | 05e4ab691f63e79dfe76a7874537850ccba0d2b0 |
| SHA256 | d15858412f6b6c56781d357066e568a0d2efbf28187642f0fe870584fe873cb0 |
| SHA512 | 25370fd0781388079a1fee452a7b3d161d56b78d89b0f79855603a1fb2e4cc5ea84dc149872cfb5ed788dd88e902e77dea5cdc64b88d38ecc77a6d2962d60d32 |
C:\Windows\system\xWxtNuh.exe
| MD5 | 3236a8708c26ba6048cffb16af31ce2f |
| SHA1 | 000db81ddff865959780d1c497e4eaec82fd6e99 |
| SHA256 | bf893dd17e95e1c1bafbcb0ef1840c305252a736fd6d1557ba44a88658a4f1d2 |
| SHA512 | 9a2d77e7b680d7e24355cede89def60e88d3f4b53dbf6d980feb44b10475b6c0877a718161977e2eb423a2be122f4d9f827d6c544f17acc302dafa663e7dfa04 |
C:\Windows\system\EBKxzgp.exe
| MD5 | 0840d46ab644def5fb23d35e8d2a3d70 |
| SHA1 | 87c663094448431b52e379b85e82d997ab9d5767 |
| SHA256 | 6b571e997f8a674792b7450ad6c37d1d7cba02c91c9c9637559b26599a406f12 |
| SHA512 | 63eca6887e1d72cfbd04e31dc171e518263cea3978f2a0120287760b8ddf58332ef5b568bcec194c6cdf70661255a3cb3f222b381d123e183fd8c4d7b5b22ca1 |
memory/1856-102-0x0000000002340000-0x0000000002694000-memory.dmp
C:\Windows\system\aTmfVIR.exe
| MD5 | f7683e4af1d2208e829d9fb0cc1c2e9c |
| SHA1 | 71c09f02c0cdcdb975064596bad93e7b4b57cf7b |
| SHA256 | a608237dc53f3962cc668c7f453c5182c16a2fa9b6b1f5cce6e54a9ac45dae2a |
| SHA512 | 80045c86dc9fbbbb11936454c567605bb120d09811cb8fd860f71901e5325969edbaef3ebabd8fa5e9e3fd6b9ee79d995c1c0036e1038a95ccbb54a1a4edfe78 |
\Windows\system\RtkdXqQ.exe
| MD5 | d5dcf85edc56bb03cbe490078032fe7a |
| SHA1 | d2dc5f71a6ed2267b56f6098e63d9d0279058333 |
| SHA256 | f9f0aab77f4cebd6f3f952bcd3897de087152ae8d95d3d2bb6213e588ce13dad |
| SHA512 | da306a4dd2595b67e6d361919a353d09bd9f1862732776c014d85997fe553c75b6c46b96145b18dc069d9c25eb17a764a199ae959db8b28f1d6d687f6f18a4de |
C:\Windows\system\zbhnkYv.exe
| MD5 | 5aa1f69e14d7b7f500328326eb2b8406 |
| SHA1 | b7031dbd60eb7c8a195e67b4e763adf49019c62e |
| SHA256 | 9da3ec45f0fd2f8d56c07522b6ceff341acd9a722259476350204ec109c51e76 |
| SHA512 | 1544aacffa86cb95222e329245b5f0adaf1f0ba89648e6ba1eebe55bae4f8aa3ba151228f86caf44bf2c0e4426706a79d3642eccf08bad84b22b8a346c9a336b |
memory/1856-56-0x0000000002340000-0x0000000002694000-memory.dmp
C:\Windows\system\AKPNuOK.exe
| MD5 | 8e7a75854a310fe790ad812771711cd9 |
| SHA1 | bc29f5faafca64a5518ca11d853c5c77506b768b |
| SHA256 | fb6040cb797832131072ae97b20e8c4558797444ab4e0c85cd3a6167694a2428 |
| SHA512 | 497dc40827871c661fc5d29eb99802eec2460d1f9ab083282591b1ff4dcfec3f0e523370a14dfd05b0cc30532511f03eb4793fae778fa5b64a811a760deec192 |
memory/2776-48-0x000000013FFE0000-0x0000000140334000-memory.dmp
\Windows\system\oNnTBiC.exe
| MD5 | f09dc623acf9561bdf8dddfae27a019d |
| SHA1 | ce38993345f60a80a0493a93b2711292653ce78e |
| SHA256 | 6babbe5ac49c64849e6f12157daaf015442f6646bcf89b17c732a91cc5d89719 |
| SHA512 | 5b9cd15056a86e67031b5d0594f7ad1d8f9d18cdfc16901e6dfec09fb934ecd389cca1282d24ab1023127738de1ef2b2028d1249799d7888c6617febaaf50dd7 |
memory/2564-98-0x000000013FB40000-0x000000013FE94000-memory.dmp
memory/2420-94-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2556-90-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/1060-86-0x000000013FF50000-0x00000001402A4000-memory.dmp
memory/2388-83-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/1856-82-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/1856-81-0x000000013F540000-0x000000013F894000-memory.dmp
C:\Windows\system\SjVWKFZ.exe
| MD5 | edb32c94caecb35b9a1765c381fdf565 |
| SHA1 | 1e3d7c7beb5d655998bb695f0ba65133327a35fc |
| SHA256 | a8c098e0bf40412d1a95943170726bd524f117aa9303fe443d7f5761de4071fd |
| SHA512 | af4bb22b3a4f1300ea9764eb749006e53f8c1e6db550d9a882adde8bef7bded89b5d1a877c745e7ad04f72374f72555a9eba8b8f6341c907d5e6b3b681e684a3 |
memory/1856-79-0x000000013FFE0000-0x0000000140334000-memory.dmp
memory/1856-75-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/1856-72-0x0000000002340000-0x0000000002694000-memory.dmp
memory/2604-36-0x000000013FDC0000-0x0000000140114000-memory.dmp
memory/1856-31-0x0000000002340000-0x0000000002694000-memory.dmp
memory/2216-134-0x000000013F310000-0x000000013F664000-memory.dmp
memory/2776-136-0x000000013FFE0000-0x0000000140334000-memory.dmp
memory/1856-135-0x0000000002340000-0x0000000002694000-memory.dmp
memory/2556-137-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2252-138-0x000000013F470000-0x000000013F7C4000-memory.dmp
memory/2220-139-0x000000013F870000-0x000000013FBC4000-memory.dmp
memory/2216-140-0x000000013F310000-0x000000013F664000-memory.dmp
memory/2604-141-0x000000013FDC0000-0x0000000140114000-memory.dmp
memory/2544-142-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2776-143-0x000000013FFE0000-0x0000000140334000-memory.dmp
memory/2644-144-0x000000013F540000-0x000000013F894000-memory.dmp
memory/2388-145-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/2856-146-0x000000013FE40000-0x0000000140194000-memory.dmp
memory/1060-147-0x000000013FF50000-0x00000001402A4000-memory.dmp
memory/2692-148-0x000000013F870000-0x000000013FBC4000-memory.dmp
memory/2420-149-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2564-150-0x000000013FB40000-0x000000013FE94000-memory.dmp
memory/2556-151-0x000000013FBC0000-0x000000013FF14000-memory.dmp
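The behaviours recorded above translate directly into host-hunting checks: seven-letter executables dropped to and launched from C:\Windows\System (the legacy directory, not System32), repeated connections to 3.120.209.58:8080 with no DNS lookup, the sample enabling SeLockMemoryPrivilege, and the dropped-file hashes. The Python script below is an added example and is not part of this sandbox report or of any vendor tooling. It assumes Sysmon-style JSON lines using the field names Image, Hashes, TargetFilename, DestinationIp and DestinationPort, plus Security event 4703's EnabledPrivilegeList and ProcessName; the events it runs over are constructed for the demonstration, and the hash set holds only three of the report's SHA256 values (extend it from the Files sections as needed).

```python
"""Hunting checks derived from this report (added example, not part of the sandbox output).

Field names follow Sysmon (Image, Hashes, TargetFilename, DestinationIp,
DestinationPort) and Security event 4703 (EnabledPrivilegeList, ProcessName);
the input events at the bottom are constructed, not real telemetry.
"""
from __future__ import annotations

import json
import re

# Indicators taken from the report.
C2_IP, C2_PORT = "3.120.209.58", 8080
KNOWN_SHA256 = {
    "fe97a61e987af51c87a6457d9a95f39a1293bcc5fd040531e48dc04f7b474a79",  # submitted sample
    "54501932cc2c20d9ffba1e38c379d3490ae619a5cdbee5bec2d8596d68c3a0b9",  # lqXiyNd.exe
    "9bd8375c08bcf5eef0a15297331a0e991ae772f0d793f9456d10a594147eb0b6",  # oarNIoW.exe
}
# Every dropped binary is seven ASCII letters directly under C:\Windows\System
# (not System32), a directory that should almost never receive new executables.
DROPPED_EXE = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)
SUSPECT_PRIV = "SeLockMemoryPrivilege"  # enabled by the sample; XMRig uses it for large pages


def sha256_from_hashes(hashes: str) -> str:
    """Pull the SHA256 out of a Sysmon 'Hashes' string such as 'MD5=..,SHA256=..'."""
    for part in hashes.split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "SHA256":
            return value.strip().lower()
    return ""


def check_event(ev: dict) -> list[tuple[str, str]]:
    """Return (rule, detail) pairs for one event; an empty list means no finding."""
    hits: list[tuple[str, str]] = []
    kind = ev.get("EventType")
    if kind == "ProcessCreate":
        image = ev.get("Image", "")
        if DROPPED_EXE.match(image):
            hits.append(("exe_spawned_from_windows_system", image))
        sha = sha256_from_hashes(ev.get("Hashes", ""))
        if sha in KNOWN_SHA256:
            hits.append(("known_bad_hash", sha))
    elif kind == "FileCreate":
        target = ev.get("TargetFilename", "")
        if DROPPED_EXE.match(target):
            hits.append(("exe_dropped_in_windows_system", target))
    elif kind == "NetworkConnect":
        if ev.get("DestinationIp") == C2_IP and int(ev.get("DestinationPort", 0)) == C2_PORT:
            hits.append(("c2_endpoint", f"{C2_IP}:{C2_PORT}"))
    elif kind == "4703":  # Security: "A user right was adjusted"
        if SUSPECT_PRIV in ev.get("EnabledPrivilegeList", ""):
            hits.append(("lock_memory_privilege_enabled", ev.get("ProcessName", "")))
    return hits


def hunt(lines) -> list[tuple[str, str]]:
    """Run check_event over JSON-lines telemetry and collect every finding."""
    findings: list[tuple[str, str]] = []
    for line in lines:
        line = line.strip()
        if line:
            findings.extend(check_event(json.loads(line)))
    return findings


# Constructed events: one hit per rule, plus two benign events that must stay quiet.
SAMPLE_LOG = r"""
{"EventType":"ProcessCreate","Image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe","Hashes":"MD5=a8084bae6970d84ba910a2e6a06f83d9,SHA256=FE97A61E987AF51C87A6457D9A95F39A1293BCC5FD040531E48DC04F7B474A79"}
{"EventType":"FileCreate","TargetFilename":"C:\\Windows\\System\\lqXiyNd.exe"}
{"EventType":"ProcessCreate","Image":"C:\\Windows\\System\\lqXiyNd.exe","Hashes":"SHA256=54501932cc2c20d9ffba1e38c379d3490ae619a5cdbee5bec2d8596d68c3a0b9"}
{"EventType":"NetworkConnect","Image":"C:\\Windows\\System\\lqXiyNd.exe","DestinationIp":"3.120.209.58","DestinationPort":"8080"}
{"EventType":"4703","ProcessName":"C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe","EnabledPrivilegeList":"SeLockMemoryPrivilege"}
{"EventType":"ProcessCreate","Image":"C:\\Windows\\System32\\svchost.exe","Hashes":"SHA256=0000000000000000000000000000000000000000000000000000000000000000"}
{"EventType":"NetworkConnect","Image":"C:\\Windows\\System32\\svchost.exe","DestinationIp":"8.8.8.8","DestinationPort":"53"}
"""


def run_sample() -> list[tuple[str, str]]:
    """Apply the checks to the constructed log; six findings are expected."""
    return hunt(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for rule, detail in run_sample():
        print(f"{rule:34} {detail}")
```

The path check keys on C:\Windows\System rather than on the seven-letter name alone: the name pattern by itself would be far too loose across the filesystem, but any freshly created executable in that directory is worth a look whatever it is called. The svchost.exe events in the constructed log show the System32 path and the 8.8.8.8:53 traffic staying silent.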
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 19:05
Reported
2024-05-29 19:08
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits; Description, Indicator, Process and Target cells were not captured in this export (all N/A).
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits; Description, Indicator, Process and Target cells were not captured in this export (all N/A).
UPX dump on OEP (original entry point)
64 hits; Description, Indicator, Process and Target cells were not captured in this export (all N/A).
XMRig Miner payload
64 hits; Description, Indicator, Process and Target cells were not captured in this export (all N/A).
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\oarNIoW.exe | N/A |
| N/A | N/A | C:\Windows\System\obQZKXs.exe | N/A |
| N/A | N/A | C:\Windows\System\LAscMZP.exe | N/A |
| N/A | N/A | C:\Windows\System\LIwsxae.exe | N/A |
| N/A | N/A | C:\Windows\System\qQnhmTO.exe | N/A |
| N/A | N/A | C:\Windows\System\mzUVDPt.exe | N/A |
| N/A | N/A | C:\Windows\System\VAzKYnl.exe | N/A |
| N/A | N/A | C:\Windows\System\TRIJrQo.exe | N/A |
| N/A | N/A | C:\Windows\System\qpmihIE.exe | N/A |
| N/A | N/A | C:\Windows\System\LBqvtcY.exe | N/A |
| N/A | N/A | C:\Windows\System\eRDcyrk.exe | N/A |
| N/A | N/A | C:\Windows\System\auiVBiA.exe | N/A |
| N/A | N/A | C:\Windows\System\YBAprwC.exe | N/A |
| N/A | N/A | C:\Windows\System\OTdVEwe.exe | N/A |
| N/A | N/A | C:\Windows\System\DZvvuuR.exe | N/A |
| N/A | N/A | C:\Windows\System\uLjTzde.exe | N/A |
| N/A | N/A | C:\Windows\System\qlIaqix.exe | N/A |
| N/A | N/A | C:\Windows\System\FoRfdia.exe | N/A |
| N/A | N/A | C:\Windows\System\xaBhTDV.exe | N/A |
| N/A | N/A | C:\Windows\System\MPfWJrm.exe | N/A |
| N/A | N/A | C:\Windows\System\KIopqxY.exe | N/A |
UPX packed file
64 hits; Description, Indicator, Process and Target cells were not captured in this export (all N/A).
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-29_a8084bae6970d84ba910a2e6a06f83d9_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\oarNIoW.exe | C:\Windows\System\oarNIoW.exe |
| C:\Windows\System\obQZKXs.exe | C:\Windows\System\obQZKXs.exe |
| C:\Windows\System\LIwsxae.exe | C:\Windows\System\LIwsxae.exe |
| C:\Windows\System\LAscMZP.exe | C:\Windows\System\LAscMZP.exe |
| C:\Windows\System\qQnhmTO.exe | C:\Windows\System\qQnhmTO.exe |
| C:\Windows\System\VAzKYnl.exe | C:\Windows\System\VAzKYnl.exe |
| C:\Windows\System\mzUVDPt.exe | C:\Windows\System\mzUVDPt.exe |
| C:\Windows\System\TRIJrQo.exe | C:\Windows\System\TRIJrQo.exe |
| C:\Windows\System\qpmihIE.exe | C:\Windows\System\qpmihIE.exe |
| C:\Windows\System\LBqvtcY.exe | C:\Windows\System\LBqvtcY.exe |
| C:\Windows\System\eRDcyrk.exe | C:\Windows\System\eRDcyrk.exe |
| C:\Windows\System\auiVBiA.exe | C:\Windows\System\auiVBiA.exe |
| C:\Windows\System\YBAprwC.exe | C:\Windows\System\YBAprwC.exe |
| C:\Windows\System\OTdVEwe.exe | C:\Windows\System\OTdVEwe.exe |
| C:\Windows\System\DZvvuuR.exe | C:\Windows\System\DZvvuuR.exe |
| C:\Windows\System\uLjTzde.exe | C:\Windows\System\uLjTzde.exe |
| C:\Windows\System\qlIaqix.exe | C:\Windows\System\qlIaqix.exe |
| C:\Windows\System\FoRfdia.exe | C:\Windows\System\FoRfdia.exe |
| C:\Windows\System\xaBhTDV.exe | C:\Windows\System\xaBhTDV.exe |
| C:\Windows\System\MPfWJrm.exe | C:\Windows\System\MPfWJrm.exe |
| C:\Windows\System\KIopqxY.exe | C:\Windows\System\KIopqxY.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
The in-addr.arpa queries are reverse (PTR) lookups of addresses in Microsoft and CDN ranges, the usual background traffic of a Windows 10 guest; the sample-attributable activity is the same repeated TCP connection to 3.120.209.58:8080 seen in behavioral1, again with no DNS resolution of that address.
Files