Analysis Overview
SHA256
a2ec239fca9800c766df2f42903f4511bc495df019b3bf0bbc3a2d708275a1d8
Threat Level: Known bad
The file 2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
XMRig Miner payload
Xmrig family
UPX packed file
UPX dump on OEP (original entry point)
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-29 20:03
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 20:03
Reported
2024-05-29 20:06
Platform
win7-20240508-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches recorded; the report captured no description, indicator, process or target for any of them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches recorded; the report captured no description, indicator, process or target for any of them.
UPX dump on OEP (original entry point)
63 matches recorded; the report captured no description, indicator, process or target for any of them.
XMRig Miner payload
39 matches recorded; the report captured no description, indicator, process or target for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\fOnxuri.exe | N/A |
| N/A | N/A | C:\Windows\System\LtKYhlb.exe | N/A |
| N/A | N/A | C:\Windows\System\SLgqoSK.exe | N/A |
| N/A | N/A | C:\Windows\System\ojEzgJO.exe | N/A |
| N/A | N/A | C:\Windows\System\GvEvrLx.exe | N/A |
| N/A | N/A | C:\Windows\System\MMikwcx.exe | N/A |
| N/A | N/A | C:\Windows\System\eGIcIGS.exe | N/A |
| N/A | N/A | C:\Windows\System\mAGebnH.exe | N/A |
| N/A | N/A | C:\Windows\System\PHwughQ.exe | N/A |
| N/A | N/A | C:\Windows\System\uqEyYKA.exe | N/A |
| N/A | N/A | C:\Windows\System\NtOlwmb.exe | N/A |
| N/A | N/A | C:\Windows\System\CLQZGTa.exe | N/A |
| N/A | N/A | C:\Windows\System\FINKrVS.exe | N/A |
| N/A | N/A | C:\Windows\System\GmOUSEm.exe | N/A |
| N/A | N/A | C:\Windows\System\inAkJoE.exe | N/A |
| N/A | N/A | C:\Windows\System\hkmtpFz.exe | N/A |
| N/A | N/A | C:\Windows\System\GuIbCia.exe | N/A |
| N/A | N/A | C:\Windows\System\MfHLxkn.exe | N/A |
| N/A | N/A | C:\Windows\System\wurkJxN.exe | N/A |
| N/A | N/A | C:\Windows\System\BomeBqD.exe | N/A |
| N/A | N/A | C:\Windows\System\jyVEmqb.exe | N/A |
Loads dropped DLL
UPX packed file
63 matches recorded; the report captured no description, indicator, process or target for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\fOnxuri.exe
C:\Windows\System\fOnxuri.exe
C:\Windows\System\LtKYhlb.exe
C:\Windows\System\LtKYhlb.exe
C:\Windows\System\SLgqoSK.exe
C:\Windows\System\SLgqoSK.exe
C:\Windows\System\ojEzgJO.exe
C:\Windows\System\ojEzgJO.exe
C:\Windows\System\GvEvrLx.exe
C:\Windows\System\GvEvrLx.exe
C:\Windows\System\MMikwcx.exe
C:\Windows\System\MMikwcx.exe
C:\Windows\System\eGIcIGS.exe
C:\Windows\System\eGIcIGS.exe
C:\Windows\System\PHwughQ.exe
C:\Windows\System\PHwughQ.exe
C:\Windows\System\mAGebnH.exe
C:\Windows\System\mAGebnH.exe
C:\Windows\System\uqEyYKA.exe
C:\Windows\System\uqEyYKA.exe
C:\Windows\System\NtOlwmb.exe
C:\Windows\System\NtOlwmb.exe
C:\Windows\System\CLQZGTa.exe
C:\Windows\System\CLQZGTa.exe
C:\Windows\System\FINKrVS.exe
C:\Windows\System\FINKrVS.exe
C:\Windows\System\GuIbCia.exe
C:\Windows\System\GuIbCia.exe
C:\Windows\System\GmOUSEm.exe
C:\Windows\System\GmOUSEm.exe
C:\Windows\System\MfHLxkn.exe
C:\Windows\System\MfHLxkn.exe
C:\Windows\System\inAkJoE.exe
C:\Windows\System\inAkJoE.exe
C:\Windows\System\wurkJxN.exe
C:\Windows\System\wurkJxN.exe
C:\Windows\System\hkmtpFz.exe
C:\Windows\System\hkmtpFz.exe
C:\Windows\System\BomeBqD.exe
C:\Windows\System\BomeBqD.exe
C:\Windows\System\jyVEmqb.exe
C:\Windows\System\jyVEmqb.exe
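The host-side behaviour above is what an endpoint rule would key on: the sample in the user's Temp directory executes 21 seven-letter, mixed-case executables it wrote into C:\Windows\System (the legacy directory, not System32), and the sample enables SeLockMemoryPrivilege, the right XMRig requests to back its RandomX scratchpad with large pages. The following triage routine is an added example, not part of this report or of any sandbox: the event lines are constructed, the `key=value|key=value` layout is an assumed sensor format, and the parent/child relation between the Temp-dir sample and the dropped executables is assumed from the process list rather than stated by the report.

```python
import re
from collections import defaultdict

# Naming pattern this report shows: seven ASCII letters + ".exe" written directly
# under C:\Windows\System (the legacy directory, deliberately NOT System32).
DROPPED_IMAGE_RE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Constructed events in an assumed 'key=value|key=value' layout (not a real sensor schema).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe"
SAMPLE_EVENTS = [
    rf"type=process_create|image={SAMPLE}|parent_image=C:\Windows\explorer.exe",
    rf"type=privilege_adjust|image={SAMPLE}|privileges=SeLockMemoryPrivilege",
    rf"type=process_create|image=C:\Windows\System\fOnxuri.exe|parent_image={SAMPLE}",
    rf"type=process_create|image=C:\Windows\System\LtKYhlb.exe|parent_image={SAMPLE}",
    rf"type=process_create|image=C:\Windows\System\SLgqoSK.exe|parent_image={SAMPLE}",
    # Benign control: a genuine System32 binary must not match the dropped-EXE pattern.
    r"type=process_create|image=C:\Windows\System32\svchost.exe|parent_image=C:\Windows\System32\services.exe",
]


def parse_event(line):
    """Split 'k=v|k=v' into a dict; values keep everything after the first '='."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def triage(lines, fanout_threshold=3):
    """Return (finding, subject, detail) tuples for the three behaviours the report records."""
    findings = []
    children = defaultdict(list)          # parent image -> dropped images it launched
    for line in lines:
        ev = parse_event(line)
        image = ev.get("image", "")
        if ev.get("type") == "process_create":
            parent = ev.get("parent_image", "")
            if DROPPED_IMAGE_RE.match(image):
                children[parent].append(image)
                findings.append(("exe_in_windows_system", image, parent))
        elif ev.get("type") == "privilege_adjust":
            privs = {p.strip() for p in ev.get("privileges", "").split(",")}
            if "SeLockMemoryPrivilege" in privs:
                findings.append(("selockmemory_enabled", image, ""))
    # Escalate when a Temp-dir binary fans out into several such children.
    for parent, kids in children.items():
        if TEMP_DIR_RE.search(parent) and len(kids) >= fanout_threshold:
            findings.append(("temp_dropper_fanout", parent, f"{len(kids)} children"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(*finding, sep="\t")
```

The System-versus-System32 distinction carries the signal: nothing legitimate on a modern Windows install launches freshly written seven-letter executables from C:\Windows\System, so the path pattern alone is a low-noise match, and the privilege event adds the miner-specific corroboration.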
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2136-0-0x000000013FF10000-0x0000000140261000-memory.dmp
memory/2136-1-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\fOnxuri.exe
| MD5 | 55944352cffeeb84468dad8113071cce |
| SHA1 | 69c56d0de5dec2012c1a3f801940ade9a7c3196b |
| SHA256 | 96e3ce12e9818e82a5ffa056430d6341893083ad95a4dc3e11a065ca7cbbb024 |
| SHA512 | de21996003e871a7b3d630f9f8e95ba2fe6cbfc91f76649f412bc5a2c14c2c139b97b7813a15f4c4be37ecdc0ec8becc74a9c494e17c291a6d2f677c3b820a9e |
\Windows\system\LtKYhlb.exe
| MD5 | c64cf151779083aa787d577c024ac1be |
| SHA1 | ac74b13d0eb136e1407ba4a93898b986ad0a3989 |
| SHA256 | a69d4664e0d68870d503e3f6a123080be0f781a05a768aed21262a2d99817cba |
| SHA512 | 363eda0b283b2a94108163fcd111b00bb7a277b06ef4bdd3e2f7f03c6ebb7a33ea9da339ab93129ce9fad7cddf650edb2513048200e130668be4ac16384ca67f |
memory/2136-17-0x000000013F0E0000-0x000000013F431000-memory.dmp
memory/2936-22-0x000000013F0E0000-0x000000013F431000-memory.dmp
memory/2872-21-0x000000013F760000-0x000000013FAB1000-memory.dmp
memory/2656-20-0x000000013F2A0000-0x000000013F5F1000-memory.dmp
memory/2136-30-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
C:\Windows\system\ojEzgJO.exe
| MD5 | f3fd5d10cd3b64dd3ae2c952e2cc6f4e |
| SHA1 | 21cc9fb079671e0f48ce03b699c550b6a2d35598 |
| SHA256 | a9b98756f4f360d2bade3e55d928f06e3711dfbe4c5bc42e0f9d187fa8ebbfe7 |
| SHA512 | a496ca414cb9dd86f69b26131dd8eefcafc4f628739423d632e0ad01db42df2398ebf0367b86051c0ffcade1fb73e6edff9fc19075c652ea4a1df08b4061dc3a |
memory/2748-74-0x000000013FA60000-0x000000013FDB1000-memory.dmp
C:\Windows\system\uqEyYKA.exe
| MD5 | d303a7f664837f83106c82cbce4cd3f9 |
| SHA1 | 15428fb7daace6856142e65fd8ee3a2871d159e7 |
| SHA256 | e6129b8a2b03a5879a6c23bf24a1be94879a1bd238dd6724333f34badb3bae77 |
| SHA512 | c031ba9cf1235644a28867b0d654ff3d752b583d624f96c2bc2b08cb2656bc0bd87741048b4e78ef5c4e9c1261c8c11191eb1ec1f920e6e875c27dc972af67e2 |
C:\Windows\system\CLQZGTa.exe
| MD5 | c4d300c1ebf1388f9c9f5690649f3df3 |
| SHA1 | e3685f3ce949edc00cac2d6e9d46b65dd6ba83ab |
| SHA256 | 6a931d4cdec7cbaefbd0fabcec130620c85f1c32f15138f539c7893313f88b0f |
| SHA512 | efff5ab93b332be5089060c146c7e6b38603216116ccd36c6ea0bba37e5b728fcf6b6d274f885ef5e44758851a86afe025a2af568b72b5005e8afdf20ae2c7d3 |
C:\Windows\system\MfHLxkn.exe
| MD5 | d734894ab15f17b89dd11df12a3e92db |
| SHA1 | b8fdab96e9662325ae2635d3a2c25c560c9c47d1 |
| SHA256 | 8aecaf59d5cc98c50182878a5dffbbee298a675b180c938abca14db92b8a5d22 |
| SHA512 | f340528131e8adc77230930a81c464e1008085ff59378859984b8fb441240adade60c90fc7d3f473038d95bb11ef6c9d0c9e3bdd1d91c7f5ee7e1111194ff27f |
C:\Windows\system\BomeBqD.exe
| MD5 | 5684fc0695dffca40560634b310fe102 |
| SHA1 | 3e77eaf253dbeae710075adb93c29fbd88f23ce8 |
| SHA256 | 3b33bd8901d118aba89451da9fead8c297fb889cc7371832809cb952942f5425 |
| SHA512 | 786f8ac90370b38b709d13e336274fe4e2e9da9e9eb462b8f6ebe513797a167d10c6fa3e3a9ec40b62d6c1c7ff37770a4704aaa1017dad0a7cd8b7aa0d7463e5 |
C:\Windows\system\wurkJxN.exe
| MD5 | 6b2d86c72a840c81ed78f9d172e8ce57 |
| SHA1 | 008a110f565253e760504d2f8a1875305c535881 |
| SHA256 | 267ddaf1e84d6b2903a9ab08329e6b62b671a911c0096958a4ff2de980497856 |
| SHA512 | 489496dc59143f4bff15840d2f72b7f650fa38216ac2a331dbdbe97bc2f6e46cc8dec963c98dccd35947f5d055aed6c86359589f300c4ce129271cec4d220399 |
C:\Windows\system\jyVEmqb.exe
| MD5 | 79a4da586c556154e4409b23393a4c0c |
| SHA1 | a5113b0329a972f8d4b706c91fb98f15961f9cb4 |
| SHA256 | 10e8fe3096c5465e072a89636ecc6672be64ca12bad8c4a16e49f0399d841a4a |
| SHA512 | ef1b08131105d18d8da1662ad46c7c4a2963ceeae8b1dc3e4d10a8b21cba69162f4e8957bbd046179f4b9be9436feec5d9bd69dbd230a40772bfa68d8c0e397d |
\Windows\system\GuIbCia.exe
| MD5 | fa9edc91a6c19cb67debff3b1e685680 |
| SHA1 | 5bab5da7656c2ad5aef4cc3cb4350b748a0ac06a |
| SHA256 | dd9b60fa390eee2d52e0e72d64336735a4cbe643bc98e78f913942aed23242d7 |
| SHA512 | 3270e67af9dfef9d7a5d689823a29d0d851681bf8dc18237fc6bb678c43f678dd72a6d9d59c7f9fe47d54ef8cc55af71a785d9ecfcafc959bd4b567834aed71a |
memory/2520-83-0x000000013FC30000-0x000000013FF81000-memory.dmp
memory/2136-82-0x0000000002260000-0x00000000025B1000-memory.dmp
memory/2136-116-0x0000000002260000-0x00000000025B1000-memory.dmp
memory/2136-115-0x000000013F2D0000-0x000000013F621000-memory.dmp
C:\Windows\system\hkmtpFz.exe
| MD5 | 5600e3f2f22235531347b2dacf219c0c |
| SHA1 | 3e2fbb85fdf7c7f38df0183a821b01f8f50d85cc |
| SHA256 | 55a95625b34199b2c4751ae09ad556c27395584a554c7a641b3d3e9bbe8f618e |
| SHA512 | 5c8ebc9552c1127fc6792e8864180fbdb47dcaa24b34bdda2c1f4bd38a0c39d5ab65afac46e956f055c6a8f23fd228db6bef015eb48ef7374b97c41915f95c87 |
memory/2136-113-0x000000013FF10000-0x0000000140261000-memory.dmp
memory/2136-112-0x000000013F710000-0x000000013FA61000-memory.dmp
memory/496-111-0x000000013FFA0000-0x00000001402F1000-memory.dmp
memory/2136-134-0x000000013F2A0000-0x000000013F5F1000-memory.dmp
C:\Windows\system\inAkJoE.exe
| MD5 | 2736f2cc9ee2a4d16d22c029c0010cf8 |
| SHA1 | 1186adf1a6d05a2084982e3819721c90e6efb7fe |
| SHA256 | 1565adca1eebbd3d76b02b58af1a6deb902401e17f6a7b8c847a9d5586a3590a |
| SHA512 | 91002b83c7c6a7cb5001476f5bd67dfecdd834d8928396f886edf31d59af158b587d9e7e9010a62662cf0292998f6ce21e3268b57f08191457cf6f3503f10735 |
C:\Windows\system\GmOUSEm.exe
| MD5 | eb4178ee2dd934eb09af232f5954cd4f |
| SHA1 | f8ab71bbf8178815f18492c5dc39311a5a837942 |
| SHA256 | 39776347e0d81eee2f00117e9128690261cd1bf257309d9e28f97a8c20e53a1e |
| SHA512 | 9056f40d60d597c79ad087bddb18006064f4c05c688cf731037ee2793dc008f2d37ea75b64c625895480a99ebfc7fcd5d424c80e729250b7be11dfd070eed021 |
C:\Windows\system\FINKrVS.exe
| MD5 | 824ab35206a2a147642894e7e4fa7c0b |
| SHA1 | 72d4a71d2d7ac5bb16bc722a9ed8ce22ca3ec5f3 |
| SHA256 | 36cd8054e3d5944c8fa92a1fed60452e79f427ab3727f6ab024d3a8d2c56c24e |
| SHA512 | 5980e09ce6166031015f6a297e82e9b96e0e186e7c73cb0936cb1cf5b27c7d1da4971f206c5f8b9a89a9478ca28ec2462a6d9478a2a7d98f74cacb433b13ecdc |
C:\Windows\system\PHwughQ.exe
| MD5 | 4e5d1764a893dadcaa35d4af1fc7d993 |
| SHA1 | cfb35c4b4c3bebfa45b09df151021112cae15f39 |
| SHA256 | e56ea60995e664f70e5b5e4fa5fb788bbc7ecfb4d3a4bb5bc6a36074a5bae400 |
| SHA512 | d40b6b59629b5a4dd40961c132f75bdbf0414963b7b390e1dbd4e325c76874b6e43367694a148f5142a46aa76e7bf6239a54917ce2afe9d9aa53c175cb4b00b5 |
memory/2596-135-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
memory/2500-77-0x000000013F490000-0x000000013F7E1000-memory.dmp
memory/2136-76-0x000000013F490000-0x000000013F7E1000-memory.dmp
memory/2980-75-0x000000013FCA0000-0x000000013FFF1000-memory.dmp
memory/2136-63-0x0000000002260000-0x00000000025B1000-memory.dmp
memory/2780-62-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/2708-51-0x000000013FF10000-0x0000000140261000-memory.dmp
C:\Windows\system\NtOlwmb.exe
| MD5 | cf14d8a0a70b8a4b822ef89c8efb7831 |
| SHA1 | 98ff7a62851d653a31d2469e670bba697d1ee071 |
| SHA256 | 538c5910263f7dfef60050173cc30df03d53893ea4e17e022ce9da257a620d61 |
| SHA512 | fd03515ff951ee5dada9b88c6b57cda18f0abaef5a5da7d8e0cb8727ca8077372fdad650427dfc4e5121324c268028055527b831532b29f4486a50a82d134d48 |
C:\Windows\system\MMikwcx.exe
| MD5 | 070e5ec5f2f2b306ecabcc45f2ef684e |
| SHA1 | 00e5512a95af692e0da12a74735b2ffe7b8bc160 |
| SHA256 | 736eb1d7131a5da7031bf768be4a06ceb573ac57144117c4e6d836d70949ef3a |
| SHA512 | 11931a6b65e972e9d814ac70386d0f7dd2f7b040ca0848b00b1e7a01c461143584225e10b0231d61bd313559475509f9b7cbf5c6ad6b24f6f460caf075b4b2fc |
memory/2136-37-0x0000000002260000-0x00000000025B1000-memory.dmp
memory/2136-36-0x0000000002260000-0x00000000025B1000-memory.dmp
memory/2692-35-0x000000013FDE0000-0x0000000140131000-memory.dmp
memory/2596-34-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
C:\Windows\system\GvEvrLx.exe
| MD5 | 955d6a9ef996620d0ed2aacc9fe45643 |
| SHA1 | 22dbda25d1cbf5829b15f0787ba78b83983c63f1 |
| SHA256 | 8a99afa3c0440740f0624cc74ea851b5e7868bb75e8c950980cbfd9a6478d42a |
| SHA512 | 5e4b184fd5dce7ed39b719b7ce3a82f45e58699365b419ae0a4fade0de96f0257ded2971be8cb4799e0983e59a71240eb17b134ff29e0c9a53c53f07d43338e4 |
memory/2136-58-0x000000013FA60000-0x000000013FDB1000-memory.dmp
memory/2824-57-0x000000013FB70000-0x000000013FEC1000-memory.dmp
C:\Windows\system\mAGebnH.exe
| MD5 | a4c6efb00e0d08318d3d2bda11222d07 |
| SHA1 | b0b05287f5bb5fa62dd49f2a46aff7a8690a8af4 |
| SHA256 | 37e4536c51c1100b8dd2468282be5314198ddb952f01cc4329d7e9f3b278c055 |
| SHA512 | d7af2da5cd56862834393ee4d76d71dd02e10bec3404e536b55fb94fbcb0bd334a9d57b3deae43d3f9f9b9acbff4556043175ff8336e0fc2207074c4b2dd02b9 |
memory/2136-53-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/2692-136-0x000000013FDE0000-0x0000000140131000-memory.dmp
C:\Windows\system\eGIcIGS.exe
| MD5 | 8c150cf9916725f5aea33f49c1cc750b |
| SHA1 | b5519d22c696cc24260dec194757c59e69e9b57d |
| SHA256 | 70c426f06950dc1549dabddbe7dff33116dd78569c2e82aee7442777a445facb |
| SHA512 | 7683554f89d8efc7e86f02064ff56e825723ad317138219edded2f5d9b0b58d9edfcd44e351dcd4490435ef40a855e0a02c30fc2945fdca27f392a69d4381ea5 |
memory/2136-19-0x000000013F2A0000-0x000000013F5F1000-memory.dmp
C:\Windows\system\SLgqoSK.exe
| MD5 | e375740051c7065de1328d170abe498c |
| SHA1 | a2d9b4d289e768eaff646b9afca50726781e2704 |
| SHA256 | 2211df76313f8d32a4ae85eb5fe380129e60b5724803ec3961d0a5b5325300c4 |
| SHA512 | 38cb2ba047f93a490d36f9975ea7599d857c9162bc1aeeddffdd14c83f316905dc34812d417704a9b14e0b4d2d687186dfef4a9451564e2a0329c9c6e6e64cab |
memory/2136-137-0x000000013FF10000-0x0000000140261000-memory.dmp
memory/2780-146-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/2444-152-0x000000013F2D0000-0x000000013F621000-memory.dmp
memory/280-158-0x000000013F630000-0x000000013F981000-memory.dmp
memory/1928-157-0x000000013FE10000-0x0000000140161000-memory.dmp
memory/1976-156-0x000000013FB80000-0x000000013FED1000-memory.dmp
memory/2652-154-0x000000013FCB0000-0x0000000140001000-memory.dmp
memory/2764-153-0x000000013FE10000-0x0000000140161000-memory.dmp
memory/2124-151-0x000000013F710000-0x000000013FA61000-memory.dmp
memory/2520-149-0x000000013FC30000-0x000000013FF81000-memory.dmp
memory/2568-155-0x000000013F060000-0x000000013F3B1000-memory.dmp
memory/2136-159-0x0000000002260000-0x00000000025B1000-memory.dmp
memory/2136-160-0x000000013FF10000-0x0000000140261000-memory.dmp
memory/2136-182-0x000000013F2D0000-0x000000013F621000-memory.dmp
memory/2872-207-0x000000013F760000-0x000000013FAB1000-memory.dmp
memory/2656-209-0x000000013F2A0000-0x000000013F5F1000-memory.dmp
memory/2936-211-0x000000013F0E0000-0x000000013F431000-memory.dmp
memory/2692-213-0x000000013FDE0000-0x0000000140131000-memory.dmp
memory/2824-215-0x000000013FB70000-0x000000013FEC1000-memory.dmp
memory/2596-217-0x000000013F1A0000-0x000000013F4F1000-memory.dmp
memory/2708-219-0x000000013FF10000-0x0000000140261000-memory.dmp
memory/2780-221-0x000000013FB20000-0x000000013FE71000-memory.dmp
memory/2980-225-0x000000013FCA0000-0x000000013FFF1000-memory.dmp
memory/2500-227-0x000000013F490000-0x000000013F7E1000-memory.dmp
memory/2748-223-0x000000013FA60000-0x000000013FDB1000-memory.dmp
memory/496-229-0x000000013FFA0000-0x00000001402F1000-memory.dmp
memory/2520-233-0x000000013FC30000-0x000000013FF81000-memory.dmp
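Every one of the 21 dropped executables above carries a different SHA256, so hash matching alone only catches files from this exact run; the "UPX packed file" signature is the more durable trait. The check below is an added example, not code from the report or the sandbox: it parses the PE section table by hand to look for the UPX0/UPX1 section names a stock UPX build leaves, and compares a file's SHA256 against the hashes transcribed from the behavioral1 Files section. The `build_fake_pe` fixture constructs a minimal, non-runnable PE purely so the parser can be exercised offline.

```python
import hashlib
import struct

# SHA256 of the submitted sample plus the 21 executables behavioral1 dropped into
# C:\Windows\System, copied from this report. Note that every drop has a distinct hash.
REPORT_SHA256 = {
    "a2ec239fca9800c766df2f42903f4511bc495df019b3bf0bbc3a2d708275a1d8",  # submitted sample
    "96e3ce12e9818e82a5ffa056430d6341893083ad95a4dc3e11a065ca7cbbb024",  # fOnxuri.exe
    "a69d4664e0d68870d503e3f6a123080be0f781a05a768aed21262a2d99817cba",  # LtKYhlb.exe
    "a9b98756f4f360d2bade3e55d928f06e3711dfbe4c5bc42e0f9d187fa8ebbfe7",  # ojEzgJO.exe
    "e6129b8a2b03a5879a6c23bf24a1be94879a1bd238dd6724333f34badb3bae77",  # uqEyYKA.exe
    "6a931d4cdec7cbaefbd0fabcec130620c85f1c32f15138f539c7893313f88b0f",  # CLQZGTa.exe
    "8aecaf59d5cc98c50182878a5dffbbee298a675b180c938abca14db92b8a5d22",  # MfHLxkn.exe
    "3b33bd8901d118aba89451da9fead8c297fb889cc7371832809cb952942f5425",  # BomeBqD.exe
    "267ddaf1e84d6b2903a9ab08329e6b62b671a911c0096958a4ff2de980497856",  # wurkJxN.exe
    "10e8fe3096c5465e072a89636ecc6672be64ca12bad8c4a16e49f0399d841a4a",  # jyVEmqb.exe
    "dd9b60fa390eee2d52e0e72d64336735a4cbe643bc98e78f913942aed23242d7",  # GuIbCia.exe
    "55a95625b34199b2c4751ae09ad556c27395584a554c7a641b3d3e9bbe8f618e",  # hkmtpFz.exe
    "1565adca1eebbd3d76b02b58af1a6deb902401e17f6a7b8c847a9d5586a3590a",  # inAkJoE.exe
    "39776347e0d81eee2f00117e9128690261cd1bf257309d9e28f97a8c20e53a1e",  # GmOUSEm.exe
    "36cd8054e3d5944c8fa92a1fed60452e79f427ab3727f6ab024d3a8d2c56c24e",  # FINKrVS.exe
    "e56ea60995e664f70e5b5e4fa5fb788bbc7ecfb4d3a4bb5bc6a36074a5bae400",  # PHwughQ.exe
    "538c5910263f7dfef60050173cc30df03d53893ea4e17e022ce9da257a620d61",  # NtOlwmb.exe
    "736eb1d7131a5da7031bf768be4a06ceb573ac57144117c4e6d836d70949ef3a",  # MMikwcx.exe
    "8a99afa3c0440740f0624cc74ea851b5e7868bb75e8c950980cbfd9a6478d42a",  # GvEvrLx.exe
    "37e4536c51c1100b8dd2468282be5314198ddb952f01cc4329d7e9f3b278c055",  # mAGebnH.exe
    "70c426f06950dc1549dabddbe7dff33116dd78569c2e82aee7442777a445facb",  # eGIcIGS.exe
    "2211df76313f8d32a4ae85eb5fe380129e60b5724803ec3961d0a5b5325300c4",  # SLgqoSK.exe
}


def pe_section_names(data):
    """Walk DOS header -> PE signature -> COFF header -> section table and return
    the section names. Raises ValueError for anything that is not a well-formed PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # 20-byte COFF file header follows the signature
    if len(data) < coff + 20:
        raise ValueError("truncated COFF header")
    number_of_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_of_optional = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_of_optional     # section table starts after the optional header
    names = []
    for i in range(number_of_sections):
        entry = data[table + 40 * i: table + 40 * i + 8]   # first 8 bytes of each 40-byte entry
        if len(entry) < 8:
            raise ValueError("truncated section table")
        names.append(entry.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """Stock UPX names its sections UPX0/UPX1 (UPX2 when resources are kept). A
    repacked or renamed build evades this, so a miss means 'unknown', not 'clean'."""
    return any(name.startswith("UPX") for name in pe_section_names(data))


def matches_report(data):
    return hashlib.sha256(data).hexdigest() in REPORT_SHA256


def build_fake_pe(section_names):
    """Construct a minimal, non-runnable PE (DOS stub, signature, COFF header with no
    optional header, one 40-byte header per section). Test fixture only."""
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff_header = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, 0, 0)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos_header + b"PE\0\0" + coff_header + sections


def check_file(path):
    """Verdict for a file on disk: known hash from this report, and/or UPX section names."""
    with open(path, "rb") as fh:
        data = fh.read()
    return {"sha256_in_report": matches_report(data), "upx_sections": looks_upx_packed(data)}
```

Run `check_file` over whatever was recovered from C:\Windows\System on a suspect host; a hash hit ties the file to this run, while a UPX hit on an unsigned seven-letter executable in that directory is the same finding the sandbox's "UPX packed file" and "Unsigned PE" signatures made.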
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-29 20:03
Reported
2024-05-29 20:06
Platform
win10v2004-20240426-en
Max time kernel
140s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches recorded; the report captured no description, indicator, process or target for any of them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches recorded; the report captured no description, indicator, process or target for any of them.
UPX dump on OEP (original entry point)
64 matches recorded; the report captured no description, indicator, process or target for any of them.
XMRig Miner payload
45 matches recorded; the report captured no description, indicator, process or target for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\jqQcFRa.exe | N/A |
| N/A | N/A | C:\Windows\System\fcDgjMQ.exe | N/A |
| N/A | N/A | C:\Windows\System\tDHVxdV.exe | N/A |
| N/A | N/A | C:\Windows\System\OriKtlA.exe | N/A |
| N/A | N/A | C:\Windows\System\WetiNls.exe | N/A |
| N/A | N/A | C:\Windows\System\WWNYKKJ.exe | N/A |
| N/A | N/A | C:\Windows\System\ojFEAwb.exe | N/A |
| N/A | N/A | C:\Windows\System\iOhqdrt.exe | N/A |
| N/A | N/A | C:\Windows\System\ocytHNB.exe | N/A |
| N/A | N/A | C:\Windows\System\FYVHhWd.exe | N/A |
| N/A | N/A | C:\Windows\System\jFuKjhW.exe | N/A |
| N/A | N/A | C:\Windows\System\ClLPmBJ.exe | N/A |
| N/A | N/A | C:\Windows\System\LRdVLbM.exe | N/A |
| N/A | N/A | C:\Windows\System\iAOGINo.exe | N/A |
| N/A | N/A | C:\Windows\System\FTzSNSW.exe | N/A |
| N/A | N/A | C:\Windows\System\VCvPETq.exe | N/A |
| N/A | N/A | C:\Windows\System\ynOTnJk.exe | N/A |
| N/A | N/A | C:\Windows\System\BzVkZVS.exe | N/A |
| N/A | N/A | C:\Windows\System\SKnFgYQ.exe | N/A |
| N/A | N/A | C:\Windows\System\QYTHxmI.exe | N/A |
| N/A | N/A | C:\Windows\System\vrUTuBs.exe | N/A |
UPX packed file
64 matches recorded; the report captured no description, indicator, process or target for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-29_95e21600abfc2540ddcab08ce009e36e_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\jqQcFRa.exe
C:\Windows\System\jqQcFRa.exe
C:\Windows\System\fcDgjMQ.exe
C:\Windows\System\fcDgjMQ.exe
C:\Windows\System\tDHVxdV.exe
C:\Windows\System\tDHVxdV.exe
C:\Windows\System\OriKtlA.exe
C:\Windows\System\OriKtlA.exe
C:\Windows\System\WetiNls.exe
C:\Windows\System\WetiNls.exe
C:\Windows\System\WWNYKKJ.exe
C:\Windows\System\WWNYKKJ.exe
C:\Windows\System\ojFEAwb.exe
C:\Windows\System\ojFEAwb.exe
C:\Windows\System\iOhqdrt.exe
C:\Windows\System\iOhqdrt.exe
C:\Windows\System\ocytHNB.exe
C:\Windows\System\ocytHNB.exe
C:\Windows\System\FYVHhWd.exe
C:\Windows\System\FYVHhWd.exe
C:\Windows\System\jFuKjhW.exe
C:\Windows\System\jFuKjhW.exe
C:\Windows\System\ClLPmBJ.exe
C:\Windows\System\ClLPmBJ.exe
C:\Windows\System\LRdVLbM.exe
C:\Windows\System\LRdVLbM.exe
C:\Windows\System\iAOGINo.exe
C:\Windows\System\iAOGINo.exe
C:\Windows\System\FTzSNSW.exe
C:\Windows\System\FTzSNSW.exe
C:\Windows\System\VCvPETq.exe
C:\Windows\System\VCvPETq.exe
C:\Windows\System\ynOTnJk.exe
C:\Windows\System\ynOTnJk.exe
C:\Windows\System\BzVkZVS.exe
C:\Windows\System\BzVkZVS.exe
C:\Windows\System\SKnFgYQ.exe
C:\Windows\System\SKnFgYQ.exe
C:\Windows\System\QYTHxmI.exe
C:\Windows\System\QYTHxmI.exe
C:\Windows\System\vrUTuBs.exe
C:\Windows\System\vrUTuBs.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.43.201.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3624-0-0x00007FF6E8970000-0x00007FF6E8CC1000-memory.dmp
memory/3624-1-0x00000197B00B0000-0x00000197B00C0000-memory.dmp
C:\Windows\System\jqQcFRa.exe
| MD5 | 6138ecdcf63004344e647701b5c57108 |
| SHA1 | 851a384076b14be937a3fd9ac3975dd1b3aba894 |
| SHA256 | 7c18c3ff0189ea504a76c9b6b69f7f1e198b1f1d5031391ce07ae54d5ba47c17 |
| SHA512 | dbcd9f0797b5145c2dd99747849ded702857b005c07c93f341672a3eb1e78d4281f1295bf3708d07d92562c83cace2d80990c8a78db0d0a1f2249877f16b7d6b |
memory/464-6-0x00007FF667C80000-0x00007FF667FD1000-memory.dmp
C:\Windows\System\fcDgjMQ.exe
| MD5 | a79e0ed8a0d4a0c56c0ed364a58c845f |
| SHA1 | 5417a9f65964d909c04d76b5515aa9ea70d0e8e2 |
| SHA256 | edf2b09d8268c40795f3963d4497c4e427571017958149a88106ac2bab9d3419 |
| SHA512 | abd2a654b47262f3e1a31ec1ae14a78bfc910e9b0209107b118a6e7cc85c8c283f3a7d7bea35694d285ed2bad26c785ca9787ac80af9a3f0834ebc18d655cc85 |
C:\Windows\System\tDHVxdV.exe
| MD5 | fba2a00362a8f6a802f56bbe710c07d6 |
| SHA1 | 0cb82569a42a49277f38c57cc5d387879d018a17 |
| SHA256 | 2850c303bf154750658f389efa27b4d2264ddcdf619f7504b93f98e1dadc20a7 |
| SHA512 | 3176f1a45c88c10c48debd559c00231dad5005c6fe5c985837f90509f15d9f8850a494e681aea799939293580f608378f689b0c5d5f344f91c166b998a19bb15 |
C:\Windows\System\OriKtlA.exe
| MD5 | 8af30f277b431cd125301b271d6284f4 |
| SHA1 | 9fa103c19703789e5fe5e13c319f215585a06ff4 |
| SHA256 | 6a4f54deecc06b987f7b16e27108f8c0e983293837aa57503a1f119427bcd946 |
| SHA512 | b7d3ee0e2b7ce738ab9d54b6fb8427b02656a57dfdd2e0090c5ef957072a4c32607f750a0d49ac033b4c6c71d2dd75d26e6f567d0ee5248eb190967dccc3a8b2 |
C:\Windows\System\WetiNls.exe
| MD5 | d1156f2cbe611e2ce7fc593c75f20ac6 |
| SHA1 | a25fddea16b5e4b0bf3288aa2448af41988afc1e |
| SHA256 | 36cd486643c8e824af1d3e695802aa0ce5723fda69af08329d45c34e5a16fa5a |
| SHA512 | 91c8bcc7958f9a8e7afb3c9226cbdbbb1f1cf7f3de18a44c06ed0011741eabb886403c76c1923bb03656cd965f2bc9aaef9769c8b36dc053b419f2de8df6097a |
C:\Windows\System\WWNYKKJ.exe
| MD5 | 4996c2c329d7233d39a5118f9067bebd |
| SHA1 | a3307fe8cd56cb01b5559f3467a5485fa8f8a498 |
| SHA256 | 4a9f63c0db5a5429a4ce563d269e7635aa10ffcca58b14706cea5b607e42536f |
| SHA512 | cf5828e19bccc09bd3b683d54e99c53333f8e5abe959e47f592c80fa9fd374144053ca4cc8fd9c11857189ffc70ffdb1182972f46f837ed4f30bc42c9d08996c |
memory/916-30-0x00007FF79BCA0000-0x00007FF79BFF1000-memory.dmp
C:\Windows\System\ojFEAwb.exe
| MD5 | 56feadd66a65c5187af5baa087806957 |
| SHA1 | 36137a80285fc12b9999fb79bcba7ef7d1a63784 |
| SHA256 | 3a7cf798ff4b4b7ad6857146a77cb9ba756ee52b9b49e6981c12e5df04364bae |
| SHA512 | 6d6958e63c5dbc4197416e5e932363177a76d68590755c662c809955c18b07799477e338bc6ac4c585f54a5c30b0ca06f00f527c519c913de2953f3cb6947dff |
C:\Windows\System\iOhqdrt.exe
| MD5 | 4831ab69082defda0e61a0f549657d36 |
| SHA1 | 3caed877f0c71ff1ea43c3a3e7c8ba1bef672a4a |
| SHA256 | 1489b93c8ab552e0632235a759672828c41f2826a18a72a84cd009cb9496c8e1 |
| SHA512 | 1c56e4d1acc3964bfb6de642ab160e02584afcd1cc136e08a06c6dd70fb100b54d42a1c8de8957c394c4450e1f34af4592160179b6c3707d3f14dea6a9a4055b |
memory/2932-22-0x00007FF6B2F20000-0x00007FF6B3271000-memory.dmp
memory/4868-17-0x00007FF6A6950000-0x00007FF6A6CA1000-memory.dmp
memory/2532-21-0x00007FF7F2B80000-0x00007FF7F2ED1000-memory.dmp
memory/3768-48-0x00007FF765E50000-0x00007FF7661A1000-memory.dmp
memory/5104-51-0x00007FF6D1660000-0x00007FF6D19B1000-memory.dmp
C:\Windows\System\ocytHNB.exe
| MD5 | 58aff8185df5efee3cff2cd3a98631d0 |
| SHA1 | e6badc82d29a06d167ca50e67963031a7819def0 |
| SHA256 | 8aebf82191e29c38ff0e88935761d90a272c493f22312acf914937144e565c10 |
| SHA512 | dda1d9a94efb5058ba9bc44e02d61d62093eef6d45a2c6dbbd372b1e54e85e76b0197a84862ef45d4d04fa3aeac09a2c63087ae510aefa9aa8c59aaa4fccc553 |
C:\Windows\System\FYVHhWd.exe
| MD5 | ea339ca63922fe7ad2906adabc3d43d2 |
| SHA1 | 5732269de6a7b38218617871d626a51dc6877138 |
| SHA256 | e09fbf0c87abb8b445301659df2d125ef2ed7de4645608d171baa79d392028d4 |
| SHA512 | ba02ffd35799d3b4dceebd6277a52eeb5e5b6a5b9b4a9e91516f49e85915dc7df3549c4ab44cbbbd8c171479b66b002debab9654ff09c3429906f5a71f5fe119 |
C:\Windows\System\jFuKjhW.exe
| MD5 | a6ee03f4521f83825754ba8cd72598a9 |
| SHA1 | c5830df868618dc897797801eb4127c0ca84c2ca |
| SHA256 | cb40991401546085bd46561009eee68592c760f3ce30d9c7cc81aa97c4e4fc41 |
| SHA512 | dc85d63df44e6c46e34e7408abb7e749f497785186d6fa10b3741b312a57363ee24e856ef9f1be4432a35d8bfe1d12472106f50cbe2aa9ab0ead53dcf2bdbcb8 |
memory/2224-63-0x00007FF7364A0000-0x00007FF7367F1000-memory.dmp
memory/1900-66-0x00007FF63B480000-0x00007FF63B7D1000-memory.dmp
memory/3228-70-0x00007FF7527E0000-0x00007FF752B31000-memory.dmp
memory/3624-72-0x00007FF6E8970000-0x00007FF6E8CC1000-memory.dmp
C:\Windows\System\ClLPmBJ.exe
| MD5 | f44f6e89115098495f02134c791b1ed9 |
| SHA1 | d278b9ddd48d6253d9635001b960d5395cff2ea8 |
| SHA256 | 14afbf4ff42b21a2248da26b9e26fc4f844425146e2d4e3026ca3fd606d18f73 |
| SHA512 | 2dbc61e1624a70e038afabc9ac92d0fa54867da2d03fe1cce2f4fef09c1cdaef15bd75f0ff506669ac0f0d0884d2d09ecdc7871d2a60ec8d3814e94baa7d58d3 |
memory/3176-73-0x00007FF795170000-0x00007FF7954C1000-memory.dmp
C:\Windows\System\iAOGINo.exe
| MD5 | 47be084254ae532b7993dbba7cd1a72e |
| SHA1 | a5fe701936a8068a1927ab053fb467f058228b99 |
| SHA256 | 5793c8d7ffd2731b4989b496effd560c770884513a31fe02d176580b8a62ed66 |
| SHA512 | 8c922907e62ae03cb0d2895b2794dd88f336a8bf22282081dcccaac3a35a6d9d2432e78856fb8974cba45df96f122fb1c0dfff349a2fc83a28fcea89beab463c |
memory/4868-88-0x00007FF6A6950000-0x00007FF6A6CA1000-memory.dmp
C:\Windows\System\VCvPETq.exe
| MD5 | f864675dd7f00857aed671ecee46fa81 |
| SHA1 | fa18ab5375e94523f9242414b9cd6b48179b0986 |
| SHA256 | b25b03ab4c28be7720ece51acb7028931cfd420f7c59fde0062289134d6edb7b |
| SHA512 | ce531b8b71f259ea43e92c5f942445baaa193b3d72c59750fd64826fda8b7b28c2a5bb6290d520807772296d225c507e990a2ffb84057a79137bb98009881de4 |
C:\Windows\System\ynOTnJk.exe
| MD5 | 31ede688966bcee0c2c8caae231b7a8d |
| SHA1 | 00048c2ce00c9ff2fcc35825fb82e36e198f6bc9 |
| SHA256 | 45a13f224353686ea3dad3c34be4e773157488dd47beb0550897d3f1bf5591fc |
| SHA512 | b0a5f0cd96147a9c9206b56c6029ce659c2ae6648049608791593d8c02ac43b8f4fa26a43435b55e9a02f2363c2a030db18ee323d2e525d4b03780ae905e8c75 |
memory/3756-108-0x00007FF7F8B60000-0x00007FF7F8EB1000-memory.dmp
memory/4340-112-0x00007FF704A50000-0x00007FF704DA1000-memory.dmp
memory/2304-114-0x00007FF78A5A0000-0x00007FF78A8F1000-memory.dmp
memory/2216-113-0x00007FF633DC0000-0x00007FF634111000-memory.dmp
C:\Windows\System\BzVkZVS.exe
| MD5 | f62f1f0a5c491c45866d86a8e69716c2 |
| SHA1 | 7c3c9d95b789f9b0e432a73c804c8c36ce89fb1c |
| SHA256 | c871b3f9998385ffcaafb644bc28d6661e20fc7ec9457d828ecd292daa6c311f |
| SHA512 | b77484c7435e205833b48fbf4fd8d883c0afc4905c45fda6254a1e4a4faac2cccfd4fd1c5f61d5ba0f15f5fb4b67e6372972efd16962c03a0860693a02d0ad0a |
memory/2532-109-0x00007FF7F2B80000-0x00007FF7F2ED1000-memory.dmp
memory/4316-96-0x00007FF69B900000-0x00007FF69BC51000-memory.dmp
memory/2280-95-0x00007FF7AEAE0000-0x00007FF7AEE31000-memory.dmp
C:\Windows\System\FTzSNSW.exe
| MD5 | fd0dd119c3cb3acc18e2093713437f59 |
| SHA1 | 778581f641eeb9cfa8eb6bb8fd8c4eb6eeaa46a5 |
| SHA256 | 73d4dbac20d2a4719ed1e832f0ba257728ea79e7cf65787ee08bcdee8f1252e1 |
| SHA512 | 8a26ac74eb1524cc1616f5cafba8dfbf553482e901094518869ca2505e531e62c0423dde3095fad054e20673fb5bcd2f0ae1487ebfceb331ed17902be8fd4b04 |
memory/464-86-0x00007FF667C80000-0x00007FF667FD1000-memory.dmp
C:\Windows\System\LRdVLbM.exe
| MD5 | a5ed552d92e24470882a9b7bead66945 |
| SHA1 | 4595b8c728cec35f1bf492b49ac481c01b60d8db |
| SHA256 | 2db1e831507b674ee0f6b4b39118ce93ca22550e0bfe5de22e40f1ede827e9d1 |
| SHA512 | 5e1f547507934a1e85ffc59bfd5e6a9b87873933870c589f7ba6c0f3e3f0a3e3b6d561bdcc95ec3e04a50947128c388f20607f6af78d97451f86c42dd8b1b770 |
memory/4512-49-0x00007FF795EA0000-0x00007FF7961F1000-memory.dmp
C:\Windows\System\SKnFgYQ.exe
| MD5 | 9d9bf4d301c91cd74ad3635bbedab058 |
| SHA1 | 5d30d95d260dc50d3186e6a0e66f5b7e0b7c5cff |
| SHA256 | 4325433e0f0fb167a538a5628c1e665e9d672289fd16ebf4714c28a01cb19844 |
| SHA512 | 87a77225737bded5ecf0b00fe15ad3822144446c04b96169a1cfabf07166ad9e89100347cafdccee862131c30e495dc2bcc78b45a8d6caaefa050ee2e01a29a0 |
memory/4652-118-0x00007FF6856A0000-0x00007FF6859F1000-memory.dmp
C:\Windows\System\vrUTuBs.exe
| MD5 | 21dba0eb96c9b3161c5412450c83377d |
| SHA1 | 438f9350cb28dc385e7737c1eaea6ff9e696d269 |
| SHA256 | 4a59f6718ab0063b152d3a35025e340a4c7ac81bb54ef607f60abb83289378a2 |
| SHA512 | 7dfeb1f82a609d329e70f72e1b0321985244a6f8ac03151c35ea9c9ad7d3602d054b416f546beb7e090a0028f49e23715ba720740e2d90c5c090c0d015a94428 |
memory/3232-131-0x00007FF74ACF0000-0x00007FF74B041000-memory.dmp
memory/904-132-0x00007FF624020000-0x00007FF624371000-memory.dmp
memory/916-133-0x00007FF79BCA0000-0x00007FF79BFF1000-memory.dmp
memory/2932-130-0x00007FF6B2F20000-0x00007FF6B3271000-memory.dmp
C:\Windows\System\QYTHxmI.exe
| MD5 | 8fc8eb18a1ed695f5a947582cd8832a8 |
| SHA1 | 43c47a7709b09402887859677f3484c7b181a3ad |
| SHA256 | f25a4b34bca43fc234fc570b9e7959dd822ea8afb6f68975a6fe1a6f98bebab9 |
| SHA512 | 1c208874dbe0aee127c02d897d3a22ea063732e9d5469d0bee1d5c6beb6db023174302b2530b459dd62a25d43144bc4a4a642f1cac8373851a11b1ceda9dfecd |
memory/3624-134-0x00007FF6E8970000-0x00007FF6E8CC1000-memory.dmp
memory/3176-146-0x00007FF795170000-0x00007FF7954C1000-memory.dmp
memory/3228-145-0x00007FF7527E0000-0x00007FF752B31000-memory.dmp
memory/4652-153-0x00007FF6856A0000-0x00007FF6859F1000-memory.dmp
memory/3624-156-0x00007FF6E8970000-0x00007FF6E8CC1000-memory.dmp
memory/464-201-0x00007FF667C80000-0x00007FF667FD1000-memory.dmp
memory/4868-213-0x00007FF6A6950000-0x00007FF6A6CA1000-memory.dmp
memory/2532-215-0x00007FF7F2B80000-0x00007FF7F2ED1000-memory.dmp
memory/2932-217-0x00007FF6B2F20000-0x00007FF6B3271000-memory.dmp
memory/916-219-0x00007FF79BCA0000-0x00007FF79BFF1000-memory.dmp
memory/3768-221-0x00007FF765E50000-0x00007FF7661A1000-memory.dmp
memory/5104-223-0x00007FF6D1660000-0x00007FF6D19B1000-memory.dmp
memory/4512-225-0x00007FF795EA0000-0x00007FF7961F1000-memory.dmp
memory/2224-227-0x00007FF7364A0000-0x00007FF7367F1000-memory.dmp
memory/1900-229-0x00007FF63B480000-0x00007FF63B7D1000-memory.dmp
memory/3228-231-0x00007FF7527E0000-0x00007FF752B31000-memory.dmp
memory/3176-233-0x00007FF795170000-0x00007FF7954C1000-memory.dmp
memory/2280-235-0x00007FF7AEAE0000-0x00007FF7AEE31000-memory.dmp
memory/4316-237-0x00007FF69B900000-0x00007FF69BC51000-memory.dmp
memory/4340-239-0x00007FF704A50000-0x00007FF704DA1000-memory.dmp
memory/2216-241-0x00007FF633DC0000-0x00007FF634111000-memory.dmp
memory/3756-243-0x00007FF7F8B60000-0x00007FF7F8EB1000-memory.dmp
memory/2304-245-0x00007FF78A5A0000-0x00007FF78A8F1000-memory.dmp
memory/4652-248-0x00007FF6856A0000-0x00007FF6859F1000-memory.dmp
memory/3232-250-0x00007FF74ACF0000-0x00007FF74B041000-memory.dmp
memory/904-252-0x00007FF624020000-0x00007FF624371000-memory.dmp
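As an added example (not part of the sandbox report or of its vendor's tooling), the following Python turns the Files section above into hunt-ready indicators. Each `memory/<pid>-<n>-<start>-<end>-memory.dmp` entry encodes a dumped region, so the region size can be recovered per process: every dropped copy listed here maps an image region of exactly 0x351000 bytes while the per-file hashes all differ, which is the structural indicator worth keeping when a hash blocklist alone will not catch the next randomly named copy. The regexes, function names and the hand-copied excerpt used as input are the example's own assumptions, not something the report defines.

```python
import re
from collections import defaultdict

# Constructed excerpt of the report's "Files" section (a hand-copied subset of
# its lines); in practice feed the whole section as text.
REPORT_EXCERPT = r"""
memory/3624-0-0x00007FF6E8970000-0x00007FF6E8CC1000-memory.dmp
memory/3624-1-0x00000197B00B0000-0x00000197B00C0000-memory.dmp
C:\Windows\System\jqQcFRa.exe
| MD5 | 6138ecdcf63004344e647701b5c57108 |
| SHA1 | 851a384076b14be937a3fd9ac3975dd1b3aba894 |
| SHA256 | 7c18c3ff0189ea504a76c9b6b69f7f1e198b1f1d5031391ce07ae54d5ba47c17 |
memory/464-6-0x00007FF667C80000-0x00007FF667FD1000-memory.dmp
C:\Windows\System\fcDgjMQ.exe
| MD5 | a79e0ed8a0d4a0c56c0ed364a58c845f |
| SHA256 | edf2b09d8268c40795f3963d4497c4e427571017958149a88106ac2bab9d3419 |
memory/916-30-0x00007FF79BCA0000-0x00007FF79BFF1000-memory.dmp
memory/3624-72-0x00007FF6E8970000-0x00007FF6E8CC1000-memory.dmp
"""

# Assumed line shapes, derived from how the report lays the section out.
DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^[A-Za-z]:\\.+$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")


def parse_files_section(text):
    """Return {"dumps": [...], "files": {path: {alg: hexdigest}}}.

    A hash row is attributed to the most recent file path above it, which is
    the order the report uses."""
    dumps, files, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            pid, seq = int(m[1]), int(m[2])
            start, end = int(m[3], 16), int(m[4], 16)
            dumps.append({"pid": pid, "seq": seq, "start": start,
                          "end": end, "size": end - start})
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            files[current][m[1].upper()] = m[2].lower()
            continue
        if PATH_RE.match(line):
            current = line
            files.setdefault(current, {})
    return {"dumps": dumps, "files": files}


def common_region_sizes(dumps):
    """Region sizes that were dumped from *every* PID.

    One size shared by all processes is the footprint of the same image being
    mapped under different file names, regardless of what the file hashes say."""
    by_pid = defaultdict(set)
    for d in dumps:
        by_pid[d["pid"]].add(d["size"])
    if not by_pid:
        return []
    return sorted(set.intersection(*by_pid.values()))


def hashes_all_distinct(files, alg="SHA256"):
    """True when no two dropped files share a digest: a blocklist of these
    hashes will not match the next copy, so pair it with structural IOCs."""
    digests = [h[alg] for h in files.values() if alg in h]
    return len(digests) == len(set(digests))


def iocs(parsed):
    """Flat IOC bundle for a hunt: dropped paths, SHA256s, shared image size."""
    return {
        "paths": sorted(parsed["files"]),
        "sha256": sorted(h["SHA256"] for h in parsed["files"].values()
                         if "SHA256" in h),
        "image_region_sizes": common_region_sizes(parsed["dumps"]),
        "hashes_distinct": hashes_all_distinct(parsed["files"]),
    }


if __name__ == "__main__":
    for key, value in iocs(parse_files_section(REPORT_EXCERPT)).items():
        print(key, value)
```

The 64 KiB region dumped from PID 3624 (`0x...B00B0000`-`0x...B00C0000`) is filtered out by the intersection because no other process has a region of that size; only the 0x351000-byte image mapping survives as a cross-process indicator. Against a live host, the same size check can be run over the image region of every process whose executable lives under `C:\Windows\System\` with a seven-character random name.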