Analysis Overview
SHA256
64e444e4fc45a6b5c7ca256d89cd9cab814b1a53117449cdcc03e58305e68444
Threat Level: Known bad
The file 2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike
Xmrig family
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobaltstrike family
Detects Reflective DLL injection artifacts
xmrig
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-30 00:50
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 00:50
Reported
2024-05-30 00:53
Platform
win7-20231129-en
Max time kernel
140s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\LfNWWxw.exe | N/A |
| N/A | N/A | C:\Windows\System\rPrRTzm.exe | N/A |
| N/A | N/A | C:\Windows\System\ycTtMSh.exe | N/A |
| N/A | N/A | C:\Windows\System\EgfNaVn.exe | N/A |
| N/A | N/A | C:\Windows\System\TtSinwb.exe | N/A |
| N/A | N/A | C:\Windows\System\DspnMWB.exe | N/A |
| N/A | N/A | C:\Windows\System\Jlfvvvj.exe | N/A |
| N/A | N/A | C:\Windows\System\xkMZaik.exe | N/A |
| N/A | N/A | C:\Windows\System\IQUjlDE.exe | N/A |
| N/A | N/A | C:\Windows\System\eZzFXID.exe | N/A |
| N/A | N/A | C:\Windows\System\wOxcwbS.exe | N/A |
| N/A | N/A | C:\Windows\System\olVUuIM.exe | N/A |
| N/A | N/A | C:\Windows\System\JrQxnRd.exe | N/A |
| N/A | N/A | C:\Windows\System\aVzzSpY.exe | N/A |
| N/A | N/A | C:\Windows\System\lGhEZSQ.exe | N/A |
| N/A | N/A | C:\Windows\System\sDagGRW.exe | N/A |
| N/A | N/A | C:\Windows\System\GQkRqcM.exe | N/A |
| N/A | N/A | C:\Windows\System\TxwKpbt.exe | N/A |
| N/A | N/A | C:\Windows\System\qiNbWUD.exe | N/A |
| N/A | N/A | C:\Windows\System\bIsekyS.exe | N/A |
| N/A | N/A | C:\Windows\System\EqAVjWg.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\LfNWWxw.exe
C:\Windows\System\rPrRTzm.exe
C:\Windows\System\ycTtMSh.exe
C:\Windows\System\EgfNaVn.exe
C:\Windows\System\TtSinwb.exe
C:\Windows\System\DspnMWB.exe
C:\Windows\System\Jlfvvvj.exe
C:\Windows\System\xkMZaik.exe
C:\Windows\System\eZzFXID.exe
C:\Windows\System\IQUjlDE.exe
C:\Windows\System\wOxcwbS.exe
C:\Windows\System\olVUuIM.exe
C:\Windows\System\JrQxnRd.exe
C:\Windows\System\aVzzSpY.exe
C:\Windows\System\lGhEZSQ.exe
C:\Windows\System\sDagGRW.exe
C:\Windows\System\GQkRqcM.exe
C:\Windows\System\TxwKpbt.exe
C:\Windows\System\qiNbWUD.exe
C:\Windows\System\bIsekyS.exe
C:\Windows\System\EqAVjWg.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 00:50
Reported
2024-05-30 00:53
Platform
win10v2004-20240426-en
Max time kernel
141s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\OHpKhYo.exe | N/A |
| N/A | N/A | C:\Windows\System\MylRVab.exe | N/A |
| N/A | N/A | C:\Windows\System\YUCYdck.exe | N/A |
| N/A | N/A | C:\Windows\System\enJfvxZ.exe | N/A |
| N/A | N/A | C:\Windows\System\rUPdJVW.exe | N/A |
| N/A | N/A | C:\Windows\System\FCTbawN.exe | N/A |
| N/A | N/A | C:\Windows\System\TWdgodt.exe | N/A |
| N/A | N/A | C:\Windows\System\QrFdXtF.exe | N/A |
| N/A | N/A | C:\Windows\System\gJrVDix.exe | N/A |
| N/A | N/A | C:\Windows\System\bzmzuHh.exe | N/A |
| N/A | N/A | C:\Windows\System\SadBjWN.exe | N/A |
| N/A | N/A | C:\Windows\System\oLRCaqv.exe | N/A |
| N/A | N/A | C:\Windows\System\QAoIQXX.exe | N/A |
| N/A | N/A | C:\Windows\System\ubEeYUv.exe | N/A |
| N/A | N/A | C:\Windows\System\BiHkVAZ.exe | N/A |
| N/A | N/A | C:\Windows\System\cmStUgs.exe | N/A |
| N/A | N/A | C:\Windows\System\XQqAUxr.exe | N/A |
| N/A | N/A | C:\Windows\System\QtbSGAG.exe | N/A |
| N/A | N/A | C:\Windows\System\jINoMnU.exe | N/A |
| N/A | N/A | C:\Windows\System\qAaIguX.exe | N/A |
| N/A | N/A | C:\Windows\System\QjIkrhw.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-30_4783f04d19b4ee0556d36574e4c0f8fb_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\OHpKhYo.exe
C:\Windows\System\MylRVab.exe
C:\Windows\System\YUCYdck.exe
C:\Windows\System\enJfvxZ.exe
C:\Windows\System\rUPdJVW.exe
C:\Windows\System\FCTbawN.exe
C:\Windows\System\TWdgodt.exe
C:\Windows\System\QrFdXtF.exe
C:\Windows\System\gJrVDix.exe
C:\Windows\System\bzmzuHh.exe
C:\Windows\System\SadBjWN.exe
C:\Windows\System\oLRCaqv.exe
C:\Windows\System\QAoIQXX.exe
C:\Windows\System\ubEeYUv.exe
C:\Windows\System\cmStUgs.exe
C:\Windows\System\BiHkVAZ.exe
C:\Windows\System\XQqAUxr.exe
C:\Windows\System\QtbSGAG.exe
C:\Windows\System\jINoMnU.exe
C:\Windows\System\qAaIguX.exe
C:\Windows\System\QjIkrhw.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
C:\Windows\System\QrFdXtF.exe
| MD5 | 1e55f62cb0f7150a7d8c6337f9cf826d |
| SHA1 | f3860aa81d6f8fbd5e2b4603f6535adb4b9d18ec |
| SHA256 | 1256ac9cb048734a57a918950350b243704018e583e66f431e3fc7c00176f483 |
| SHA512 | aacd9d89579cca083a1ae8c765219babefb4beb91722b55b95f444327af724c7e6f39b2fdb9517c8e5f60d65e7e0c32179542b3b74c5053b32278e6ea5817862 |
memory/5044-51-0x00007FF650EC0000-0x00007FF651211000-memory.dmp
memory/3936-54-0x00007FF705740000-0x00007FF705A91000-memory.dmp
C:\Windows\System\SadBjWN.exe
| MD5 | 10d738a9eac1eac1b006e45c1dc6020a |
| SHA1 | bd5ff8df6f523290787f1b1830f5c23cb76138cd |
| SHA256 | 1fdf6a04d7e63cb3585158e6218a53891d5b3e04c7f4e5772520c49028c15f28 |
| SHA512 | 5febcb2ff88f65304a1cc54084bd61b71e2cc116abbb70328f891d4cb6f49e61ca6fd4dd739da071bd08aa85a759e2540d7f3b76ac7f4d551f35f8d7cb138702 |
C:\Windows\System\oLRCaqv.exe
| MD5 | 202303174d2d1b3e9db3d0f7cbff6926 |
| SHA1 | 187e8596ec83f0afae3236782c88c84118eb0d70 |
| SHA256 | da5f6c747a7e904452ac84846a76453fafd76f80430ee2140e958686dfa8781a |
| SHA512 | 5fc0836ac30017f2fc5ef8b249c8df8a55f4585090ae70b528e1b8ad208ca2bcac735a0c8d4ee2976b7795f8eba9f987b16108c4c7640805063de7516bf191bf |
C:\Windows\System\QAoIQXX.exe
| MD5 | 050048049aa6ccbf94248cafc596af1d |
| SHA1 | c63def68b8a81829c60d56f5146d9e3fdb2826c8 |
| SHA256 | 81bb56f7ce5f95906d07355ac8cab6d818f09e624d533aab5e95ed92f919e081 |
| SHA512 | 3af71ec19c3ae3f5b81c33e6adc4380b45a430a0f27606fdd83417da9b6399aa9a7601e2dc58f0185dc39771cd03b2827b20648780951acbd96ae6a9191b7f4e |
C:\Windows\System\ubEeYUv.exe
| MD5 | 547bd8140faa53e6a45952b4e32dded8 |
| SHA1 | 8161592381e3716faf329b2f6766da3c811d88f6 |
| SHA256 | 0833bd4b54e722352f03acbac80814a6328670409254ff4188fadc2c69087bd9 |
| SHA512 | 86a58e20cca2a353d73e89362f29517df62675ac5d55753a3f5ba7fcc72040d635f62c55998b0797030f07ab4ccd572a65f6652d5e01125b26aa608b6e0c43d0 |
C:\Windows\System\cmStUgs.exe
| MD5 | 0ad062551db6acdbabde6425dd94d120 |
| SHA1 | 9853e3c09cd79a666a15d5a6e31b7ee89ee14372 |
| SHA256 | eb1e09c023f5e07bf004e0c9c3e75a51aeb77fec9bffead7af36c23f2d880c9c |
| SHA512 | 23c4c8b5efa1fb9aa1f3cede78fe7f433a0a405c4eb83771b60670964b59e671c7e514c0166255df34854f5ba476e8145aa6e4b828d42a4267173458f6181e05 |
memory/2036-113-0x00007FF75C750000-0x00007FF75CAA1000-memory.dmp
memory/2104-120-0x00007FF651130000-0x00007FF651481000-memory.dmp
memory/3244-127-0x00007FF636A30000-0x00007FF636D81000-memory.dmp
memory/3336-126-0x00007FF6BC390000-0x00007FF6BC6E1000-memory.dmp
memory/4572-125-0x00007FF648DF0000-0x00007FF649141000-memory.dmp
C:\Windows\System\QjIkrhw.exe
| MD5 | eac2a455da96e33d695da84972b6a8c8 |
| SHA1 | 0f94cb0587293928237c7bda57a2544276bc1844 |
| SHA256 | 06a8a0a655e64cba8d8774a070ca45bc2aa1c431948e6084488d2fa686d04596 |
| SHA512 | f654db5b4d3ba2bb6fc0d8759718dfc6edec2b50e038ac0ef837e518684c4fc1827f60e881015fbaa1ba1a88ee1102888d5d56643165bafd5eb5a2990e56504c |
C:\Windows\System\qAaIguX.exe
| MD5 | 47ae967e14ec48bd67fb6ec7f7b825ca |
| SHA1 | 3f65c3eb43214d414199771b51549bca9db91636 |
| SHA256 | 413148491aa1f7ac59763e46ae0f2a9489bab92eec9262a8d2ede1bea5f22489 |
| SHA512 | 12ea7e86b2c9de4706e9e7f54ca3a37ebf619df03d79d1fac826bbf02e058ad928466c0a0d942d9d2cf02dd0aa89d2b6f534f95ea86b5dd546f3d1daf2cf4658 |
memory/4728-121-0x00007FF724EA0000-0x00007FF7251F1000-memory.dmp
C:\Windows\System\jINoMnU.exe
| MD5 | b6a18f970653995113706444f5831663 |
| SHA1 | 571d2873bbf0ec9d0c26532e836d88c9303140e5 |
| SHA256 | af10063d1d0d9f7f26ce7a6cec68c0e4c0cc441bd9f5c15aa3cdef9eeb55f523 |
| SHA512 | 4d6a33576b592e8251454c403c31201a104b33cf6a449954761ab687b8823df90c613e2f8c84e6c20ae8014261060452662717db10796c69c48885ea4c9aea47 |
memory/3704-117-0x00007FF776300000-0x00007FF776651000-memory.dmp
memory/3248-111-0x00007FF635280000-0x00007FF6355D1000-memory.dmp
C:\Windows\System\XQqAUxr.exe
| MD5 | fdefe058f5dc6e98a3a9ff4860900fa8 |
| SHA1 | efcaa8249b4e51817fc7100cd7d1f175df7aafdf |
| SHA256 | 3df9ed7848f4473244e1495aa2b891ea6bde5e54c897afa1e5387875eb503dde |
| SHA512 | 8d1dbb86fc017e3dbcf213cb6431626232d2195f34bee4b5507c958608c2b9ae5156523a74a429fc0e671834d9f99d10ea01347d610576b663d711bef8c81343 |
C:\Windows\System\QtbSGAG.exe
| MD5 | 24645852debb58fd050769d53a1763d6 |
| SHA1 | 92efac9b8f7270055e97fc31457d0a580db7a26f |
| SHA256 | f3ab57a01838a4fc25d89ab22ab916289a0a9a83e056fd0fa3a405d4d3a7b7ea |
| SHA512 | 923bc0ca9e6ba7f0a259a1373058d7660add5fcb2520a9fa631e9af2f789c60f3829d7cfe1a4cdb2f960cc0c73af06f5a30cd77db735df7759979b03b7bc707a |
memory/208-100-0x00007FF6522D0000-0x00007FF652621000-memory.dmp
C:\Windows\System\BiHkVAZ.exe
| MD5 | 1dc378ce919203de132b44ecab5381f7 |
| SHA1 | 571b372b440888d98ea325e00a25f7d59ccc24d8 |
| SHA256 | a98020511ef46f64b1e06ee73b86707d8a7a73dc81d8d1e8a6c4402eae583260 |
| SHA512 | 79af165d3546e0b35ef3ee04827c21c23ec5a1cb9a0b61e25637dc3cc77b2755b20d790b872c5fe1c52251871a66097bdb8b22db49cf49d81ba4b4291ab2dfbb |
memory/2816-88-0x00007FF6B93E0000-0x00007FF6B9731000-memory.dmp
memory/1992-81-0x00007FF7FEA60000-0x00007FF7FEDB1000-memory.dmp
memory/4304-74-0x00007FF77CE90000-0x00007FF77D1E1000-memory.dmp
C:\Windows\System\gJrVDix.exe
| MD5 | adc46cd18d86c323b4a9a36095dffa99 |
| SHA1 | b97f5c7a231f366f1a0e8aa03ee051ca1ba3bb33 |
| SHA256 | d81e52a0cdb91d5ae6e31d4fc993f17d087d4aa2605486884200f80acf212e0e |
| SHA512 | dee64b0ebfb79a6e1b41c63ff79baa5f6ac1a2c236f9f8635d967494294c63cb14d3747887a3d1526e4830ba85655929be6bedb3fe9071351e39f482655db08b |
C:\Windows\System\bzmzuHh.exe
| MD5 | e4455bcdf264d445087cdf0a84279ea5 |
| SHA1 | 340fd328bef3c8e32bfbfd4c481a5349f9dca90f |
| SHA256 | a8a7266157dd8c7cf282409c176148ea911c1ae7d6ebcf6678c984f2bfdae22b |
| SHA512 | ee6cb95a815480e47fdc8db839fec9e764553c15d2eeb24073b6b496b8fa08f20c8a6e714cd9b93634ad42eb2a1edf955225e1dd6c2065072701f3f24a74cc64 |
memory/3300-55-0x00007FF78F680000-0x00007FF78F9D1000-memory.dmp
C:\Windows\System\TWdgodt.exe
| MD5 | 7ad4c7296537bc25dbdafa88fd1eda29 |
| SHA1 | 4c061e8fbbd5f40bfb7d72ed4ddd4cb928f4a7ca |
| SHA256 | d8bb3a6b74670ba0eef443f599313de21a76b0fb306a0cf7b8778ed2c1c2b054 |
| SHA512 | beca11fc5daefccee7dde1643463fd091f0359a9cdd14a7e4d583f85e4e119fec1466f1a7f9c8d598ada73644caa3153b9a47e0ca968d2c57dbcece48f044e4f |
memory/2496-47-0x00007FF7EFE50000-0x00007FF7F01A1000-memory.dmp
memory/2420-46-0x00007FF6023F0000-0x00007FF602741000-memory.dmp
memory/4664-39-0x00007FF7D7A30000-0x00007FF7D7D81000-memory.dmp
memory/4600-32-0x00007FF65BFA0000-0x00007FF65C2F1000-memory.dmp
memory/2696-23-0x00007FF6828E0000-0x00007FF682C31000-memory.dmp
memory/4164-131-0x00007FF6093A0000-0x00007FF6096F1000-memory.dmp
memory/3936-139-0x00007FF705740000-0x00007FF705A91000-memory.dmp
memory/2496-137-0x00007FF7EFE50000-0x00007FF7F01A1000-memory.dmp
memory/4728-150-0x00007FF724EA0000-0x00007FF7251F1000-memory.dmp
memory/1992-141-0x00007FF7FEA60000-0x00007FF7FEDB1000-memory.dmp
memory/2816-142-0x00007FF6B93E0000-0x00007FF6B9731000-memory.dmp
memory/3300-138-0x00007FF78F680000-0x00007FF78F9D1000-memory.dmp
memory/5044-136-0x00007FF650EC0000-0x00007FF651211000-memory.dmp
memory/4600-133-0x00007FF65BFA0000-0x00007FF65C2F1000-memory.dmp
memory/2104-129-0x00007FF651130000-0x00007FF651481000-memory.dmp
memory/2104-151-0x00007FF651130000-0x00007FF651481000-memory.dmp
memory/2172-211-0x00007FF7C9940000-0x00007FF7C9C91000-memory.dmp
memory/4164-216-0x00007FF6093A0000-0x00007FF6096F1000-memory.dmp
memory/2696-218-0x00007FF6828E0000-0x00007FF682C31000-memory.dmp
memory/4664-220-0x00007FF7D7A30000-0x00007FF7D7D81000-memory.dmp
memory/4600-222-0x00007FF65BFA0000-0x00007FF65C2F1000-memory.dmp
memory/2420-224-0x00007FF6023F0000-0x00007FF602741000-memory.dmp
memory/5044-226-0x00007FF650EC0000-0x00007FF651211000-memory.dmp
memory/3936-230-0x00007FF705740000-0x00007FF705A91000-memory.dmp
memory/3300-232-0x00007FF78F680000-0x00007FF78F9D1000-memory.dmp
memory/4304-234-0x00007FF77CE90000-0x00007FF77D1E1000-memory.dmp
memory/2496-228-0x00007FF7EFE50000-0x00007FF7F01A1000-memory.dmp
memory/208-236-0x00007FF6522D0000-0x00007FF652621000-memory.dmp
memory/1992-239-0x00007FF7FEA60000-0x00007FF7FEDB1000-memory.dmp
memory/2816-244-0x00007FF6B93E0000-0x00007FF6B9731000-memory.dmp
memory/4572-246-0x00007FF648DF0000-0x00007FF649141000-memory.dmp
memory/2036-243-0x00007FF75C750000-0x00007FF75CAA1000-memory.dmp
memory/3704-248-0x00007FF776300000-0x00007FF776651000-memory.dmp
memory/3336-250-0x00007FF6BC390000-0x00007FF6BC6E1000-memory.dmp
memory/3248-240-0x00007FF635280000-0x00007FF6355D1000-memory.dmp
memory/3244-252-0x00007FF636A30000-0x00007FF636D81000-memory.dmp
memory/4728-255-0x00007FF724EA0000-0x00007FF7251F1000-memory.dmp