Analysis Overview
SHA256: cba075263c7ade39c144e71cb254b428e68dea102f13ca91e5bad6f1d7d03178
Threat Level: Known bad
The file 2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Cobaltstrike
Cobalt Strike reflective loader
XMRig Miner payload
Xmrig family
xmrig
Cobaltstrike family
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported: 2024-05-30 09:32
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted: 2024-05-30 09:32
Reported: 2024-05-30 09:35
Platform: win7-20240221-en
Max time kernel: 140s
Max time network: 147s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\qaNhIpX.exe | N/A |
| N/A | N/A | C:\Windows\System\NujhpZW.exe | N/A |
| N/A | N/A | C:\Windows\System\FGvFrih.exe | N/A |
| N/A | N/A | C:\Windows\System\nmMYMqD.exe | N/A |
| N/A | N/A | C:\Windows\System\PfEJrfK.exe | N/A |
| N/A | N/A | C:\Windows\System\tojrtXD.exe | N/A |
| N/A | N/A | C:\Windows\System\FeWeEof.exe | N/A |
| N/A | N/A | C:\Windows\System\VbmQMKJ.exe | N/A |
| N/A | N/A | C:\Windows\System\AQlUctw.exe | N/A |
| N/A | N/A | C:\Windows\System\uVPyjjI.exe | N/A |
| N/A | N/A | C:\Windows\System\rXvTUOR.exe | N/A |
| N/A | N/A | C:\Windows\System\JDjYznP.exe | N/A |
| N/A | N/A | C:\Windows\System\jkxresb.exe | N/A |
| N/A | N/A | C:\Windows\System\zDhKJmd.exe | N/A |
| N/A | N/A | C:\Windows\System\AwfHkiA.exe | N/A |
| N/A | N/A | C:\Windows\System\fKtEpVO.exe | N/A |
| N/A | N/A | C:\Windows\System\qDJwbWw.exe | N/A |
| N/A | N/A | C:\Windows\System\bKAwCZl.exe | N/A |
| N/A | N/A | C:\Windows\System\bKziTKQ.exe | N/A |
| N/A | N/A | C:\Windows\System\QAbeXut.exe | N/A |
| N/A | N/A | C:\Windows\System\ESbYbbW.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\qaNhIpX.exe | C:\Windows\System\qaNhIpX.exe |
| C:\Windows\System\NujhpZW.exe | C:\Windows\System\NujhpZW.exe |
| C:\Windows\System\nmMYMqD.exe | C:\Windows\System\nmMYMqD.exe |
| C:\Windows\System\FGvFrih.exe | C:\Windows\System\FGvFrih.exe |
| C:\Windows\System\PfEJrfK.exe | C:\Windows\System\PfEJrfK.exe |
| C:\Windows\System\tojrtXD.exe | C:\Windows\System\tojrtXD.exe |
| C:\Windows\System\FeWeEof.exe | C:\Windows\System\FeWeEof.exe |
| C:\Windows\System\VbmQMKJ.exe | C:\Windows\System\VbmQMKJ.exe |
| C:\Windows\System\JDjYznP.exe | C:\Windows\System\JDjYznP.exe |
| C:\Windows\System\AQlUctw.exe | C:\Windows\System\AQlUctw.exe |
| C:\Windows\System\jkxresb.exe | C:\Windows\System\jkxresb.exe |
| C:\Windows\System\uVPyjjI.exe | C:\Windows\System\uVPyjjI.exe |
| C:\Windows\System\zDhKJmd.exe | C:\Windows\System\zDhKJmd.exe |
| C:\Windows\System\rXvTUOR.exe | C:\Windows\System\rXvTUOR.exe |
| C:\Windows\System\AwfHkiA.exe | C:\Windows\System\AwfHkiA.exe |
| C:\Windows\System\fKtEpVO.exe | C:\Windows\System\fKtEpVO.exe |
| C:\Windows\System\qDJwbWw.exe | C:\Windows\System\qDJwbWw.exe |
| C:\Windows\System\bKAwCZl.exe | C:\Windows\System\bKAwCZl.exe |
| C:\Windows\System\bKziTKQ.exe | C:\Windows\System\bKziTKQ.exe |
| C:\Windows\System\QAbeXut.exe | C:\Windows\System\QAbeXut.exe |
| C:\Windows\System\ESbYbbW.exe | C:\Windows\System\ESbYbbW.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-05-30 09:32
Reported: 2024-05-30 09:35
Platform: win10v2004-20240508-en
Max time kernel: 147s
Max time network: 148s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\qaNhIpX.exe | N/A |
| N/A | N/A | C:\Windows\System\NujhpZW.exe | N/A |
| N/A | N/A | C:\Windows\System\nmMYMqD.exe | N/A |
| N/A | N/A | C:\Windows\System\FGvFrih.exe | N/A |
| N/A | N/A | C:\Windows\System\PfEJrfK.exe | N/A |
| N/A | N/A | C:\Windows\System\tojrtXD.exe | N/A |
| N/A | N/A | C:\Windows\System\FeWeEof.exe | N/A |
| N/A | N/A | C:\Windows\System\VbmQMKJ.exe | N/A |
| N/A | N/A | C:\Windows\System\JDjYznP.exe | N/A |
| N/A | N/A | C:\Windows\System\AQlUctw.exe | N/A |
| N/A | N/A | C:\Windows\System\uVPyjjI.exe | N/A |
| N/A | N/A | C:\Windows\System\zDhKJmd.exe | N/A |
| N/A | N/A | C:\Windows\System\jkxresb.exe | N/A |
| N/A | N/A | C:\Windows\System\rXvTUOR.exe | N/A |
| N/A | N/A | C:\Windows\System\fKtEpVO.exe | N/A |
| N/A | N/A | C:\Windows\System\qDJwbWw.exe | N/A |
| N/A | N/A | C:\Windows\System\AwfHkiA.exe | N/A |
| N/A | N/A | C:\Windows\System\bKAwCZl.exe | N/A |
| N/A | N/A | C:\Windows\System\bKziTKQ.exe | N/A |
| N/A | N/A | C:\Windows\System\QAbeXut.exe | N/A |
| N/A | N/A | C:\Windows\System\ESbYbbW.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-30_71667115618f013078b800d9ae1cfd05_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\qaNhIpX.exe | C:\Windows\System\qaNhIpX.exe |
| C:\Windows\System\NujhpZW.exe | C:\Windows\System\NujhpZW.exe |
| C:\Windows\System\nmMYMqD.exe | C:\Windows\System\nmMYMqD.exe |
| C:\Windows\System\FGvFrih.exe | C:\Windows\System\FGvFrih.exe |
| C:\Windows\System\PfEJrfK.exe | C:\Windows\System\PfEJrfK.exe |
| C:\Windows\System\tojrtXD.exe | C:\Windows\System\tojrtXD.exe |
| C:\Windows\System\FeWeEof.exe | C:\Windows\System\FeWeEof.exe |
| C:\Windows\System\VbmQMKJ.exe | C:\Windows\System\VbmQMKJ.exe |
| C:\Windows\System\JDjYznP.exe | C:\Windows\System\JDjYznP.exe |
| C:\Windows\System\AQlUctw.exe | C:\Windows\System\AQlUctw.exe |
| C:\Windows\System\jkxresb.exe | C:\Windows\System\jkxresb.exe |
| C:\Windows\System\uVPyjjI.exe | C:\Windows\System\uVPyjjI.exe |
| C:\Windows\System\zDhKJmd.exe | C:\Windows\System\zDhKJmd.exe |
| C:\Windows\System\rXvTUOR.exe | C:\Windows\System\rXvTUOR.exe |
| C:\Windows\System\AwfHkiA.exe | C:\Windows\System\AwfHkiA.exe |
| C:\Windows\System\fKtEpVO.exe | C:\Windows\System\fKtEpVO.exe |
| C:\Windows\System\qDJwbWw.exe | C:\Windows\System\qDJwbWw.exe |
| C:\Windows\System\bKAwCZl.exe | C:\Windows\System\bKAwCZl.exe |
| C:\Windows\System\bKziTKQ.exe | C:\Windows\System\bKziTKQ.exe |
| C:\Windows\System\QAbeXut.exe | C:\Windows\System\QAbeXut.exe |
| C:\Windows\System\ESbYbbW.exe | C:\Windows\System\ESbYbbW.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.251.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| NL | 23.62.61.155:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4988-0-0x00007FF78C570000-0x00007FF78C8C1000-memory.dmp
memory/4988-1-0x0000026EE22F0000-0x0000026EE2300000-memory.dmp
C:\Windows\System\qaNhIpX.exe
| MD5 | 58fc977d61f8005c04eb7ab4f74ff984 |
| SHA1 | ab2ee01e23593efe3410f9ddb6b072c35b8cf00a |
| SHA256 | 69e8d887de1019eb76334e7885ed5c03d1f1e2a244e24b29c30ec0672dd82ef6 |
| SHA512 | 30ebdcfaaa475030dd8f3b48f6370119ec49f6a56ef3604f05564312bd4289d867cda2c076bb300fa3cd8022eb12bafadde17d94bd3000848facedbde9fcec43 |
memory/752-9-0x00007FF76A1E0000-0x00007FF76A531000-memory.dmp
C:\Windows\System\nmMYMqD.exe
| MD5 | 9bfb4af410379f65ad8f44abd7a22df7 |
| SHA1 | 8647dc21ac906f10d3d563d8e089284869b31b09 |
| SHA256 | 82380874bcea64d8f7f308ec0c8bb992b03c09a0928806cb31970f46d2aade93 |
| SHA512 | e2261ff37ef48f3c9f4680e8b6cafb01446e8b5e15acfdede37215a9fcf010d6ab9e14029a1712ac54963ca9f878aedf9020d287ef62528ec42671c471e05505 |
C:\Windows\System\NujhpZW.exe
| MD5 | 0258e2728b68c35b9f3ab3c2bacd4dd7 |
| SHA1 | a7e43176403ff582587bf931cd60fc683332296e |
| SHA256 | 4e3f46c6b5fd707e9dd77408f151e2604f2d748a26aa1fca0c2adb09128bbaea |
| SHA512 | abf34e03ea145ff078b2f5d3bf5c1d4e377f26463f9b45bd8306fc188479a8e291f39a4121bace7a4298149ebb97a19a1e122f8276f95735c425ebfd4e16d3b0 |
C:\Windows\System\FGvFrih.exe
| MD5 | 1e26c8a222dcbe3cddbf5aa39e183dbd |
| SHA1 | 9591b4ddc0c086d2c79f61a28298d84ce4cc4e8a |
| SHA256 | eb7c18190e7a7f6d91d548f3b95d2dc2db26707508862170b2cf3e412c94fe90 |
| SHA512 | e8f4d275920f3f95e8096bf90c3be18251647dba9543201480b231a03ab606236fd047f73b1b3452fade73bbfc5c0d6c616b62c788c00f8f598a7e4d319637bb |
C:\Windows\System\tojrtXD.exe
| MD5 | bbec9b8f1dcbd38dae46de5ad594bbb3 |
| SHA1 | f1f87877a8338198332bb911eb16a04b5165ada4 |
| SHA256 | c35117237642ac365b54637de5affd83e0869e1dda332167a9b84e9dfc4bb59d |
| SHA512 | a5d25137de42cca8d16697fd31af207f3ec942a3a9ba56844cb4db441e3c5c6f89b4c732596af401c3e4427ce64ca9482131f40e982a5b3a1c4f8d17bc5b0a01 |
C:\Windows\System\PfEJrfK.exe
| MD5 | 4fe866ebda96c9ae26a1c479b04b6def |
| SHA1 | 5c1c184ba8174304d6c0919884379dd552400268 |
| SHA256 | 13ca563d1ab50a02abfb763fa3e8b8732487ff2a2031c715f21823c173e0b0d5 |
| SHA512 | d24218612bc10f0a6a148bfdfafe008ae81f31875608050023702d54ce1f85800783fdb8a9575b7404aa8578fc2d77f20eb644f86fed1ca422dfe5ab22f5da6e |
C:\Windows\System\VbmQMKJ.exe
| MD5 | 95a308ab20a66b5a96fd6e0d55d8e9a5 |
| SHA1 | e58381e2c9579036477c33dde547b1fc4c96ddcf |
| SHA256 | 048b0866bbfa17e7ce6136fb40483184ee792f42fbfa602b9fcf82ab2105ea7a |
| SHA512 | 60c5e459dfa0a8af9463fe441acc2d957c97394695f639141d4f8437d298f23a37d63bf76c9ab310a15d0924eb06f48249d01e254dcf91dc09a968d8bcfd24d9 |
C:\Windows\System\zDhKJmd.exe
| MD5 | 92cd4934dad4432705e0da1882fcba7c |
| SHA1 | 67eb80a67a75aeee56e074769827e250ad1939c6 |
| SHA256 | eab2be7d7ed164d3f42922a95e132c4f19fdd7156c63ce7383cfe35dc24b3c31 |
| SHA512 | b7bf40254df9c1789f6cdb8f3487ec60bca3cbaff322acd86e753a1dde7b54e1fa392d6851b2d5677f1e0d8e5d821e2834b164ee357f6edd9f3880e5e26eb0d7 |
memory/5008-79-0x00007FF70B6D0000-0x00007FF70BA21000-memory.dmp
memory/4812-91-0x00007FF7FABC0000-0x00007FF7FAF11000-memory.dmp
C:\Windows\System\fKtEpVO.exe
| MD5 | e31d242b0c1b96e5ad8ab98874cfa306 |
| SHA1 | bafac5665e09ddee4a86a6f71aee2a58d5172a99 |
| SHA256 | 19bdf0f02beef0e635c78a40b3fa21df927e44a03d43809cadd72265a348c39f |
| SHA512 | c466a3f612e13f09c23b7f37497cc17414f60b367b71850e79b9f7f9ad341417e0774f78f979d3c4545ba16c9afeb01017d44221769a50e3a9a9e84117b2f287 |
memory/4352-111-0x00007FF66FE80000-0x00007FF6701D1000-memory.dmp
memory/4628-117-0x00007FF7482D0000-0x00007FF748621000-memory.dmp
memory/3280-116-0x00007FF793EA0000-0x00007FF7941F1000-memory.dmp
memory/1516-115-0x00007FF7C0E20000-0x00007FF7C1171000-memory.dmp
C:\Windows\System\bKziTKQ.exe
| MD5 | 77181b69fa2154c95cc215174d4b3f88 |
| SHA1 | 6eb3ab7071542c37bbfa0599307ff1aa0909d2ab |
| SHA256 | a8327b82f3944a032270b7cf746123a444e468c563efa0a0f1b975ded459cf0d |
| SHA512 | 21f8b20feb3ca17afb945bc1c34fc1db643d1fc7755e4272331e8b05418ac15b36f9f6f02b741e24820334c893085a479794d782179d3514abb2d1d4bd098600 |
memory/4988-112-0x00007FF78C570000-0x00007FF78C8C1000-memory.dmp
C:\Windows\System\bKAwCZl.exe
| MD5 | 6154e8a300e1a3ab0a5eab50da99b3c5 |
| SHA1 | e3b16074a8f1d0dcd93f199d7f15bbc9a330e213 |
| SHA256 | 3940fa23fdd9bfa79cdb93a43c21960fdbb0a0895d701a31855985cab2f41e55 |
| SHA512 | 51ad8b53e6b39af429da2a2589b901847fa0f8d9485b4ed0aa2bf5e875a6e6f19dbc5b19a05d956b2e9785dee9aa486a3c6cadc5a1ee7667051ee431978e1e59 |
C:\Windows\System\AwfHkiA.exe
| MD5 | 3ceef367c3a86981d5032eb71944ec4c |
| SHA1 | 1024125a703535e0c390ea6f57e286c957ba3c82 |
| SHA256 | f18d5387fcbb3a7dd44a0e35b7d1130bf4cac58ebd7129fb6679a6ae4b966844 |
| SHA512 | 27744e230806b8e26a7d9d92337cd32ab22be5b2dd77a3c2998743860bec842e17342a633639dcb7ec58e167a2251a5f0d5338212a1d6fab8418f60bbed51560 |
C:\Windows\System\qDJwbWw.exe
| MD5 | d8a04f6642a93fe058707de5fc49af4d |
| SHA1 | ad9f87c495254e9a1bf376c084b2ce1e2456545d |
| SHA256 | 871295d9b9e3c7be56b15b37af81af27f8b4276fcbbedaf48f94d497a1b8150b |
| SHA512 | e43ee56a197bdba890796b92ceb52e7fd764de6bda571d84767519e8547be5b7e0ff8e502b6dfc86c203336c8c316ae1cce88b7f690a51f5a6443deed8e33231 |
memory/4536-104-0x00007FF7C0ED0000-0x00007FF7C1221000-memory.dmp
memory/1296-100-0x00007FF6B7D90000-0x00007FF6B80E1000-memory.dmp
memory/3900-99-0x00007FF768C60000-0x00007FF768FB1000-memory.dmp
C:\Windows\System\uVPyjjI.exe
| MD5 | e3402a5b68735880a66269438781612f |
| SHA1 | 23bdadc6c3f5b9b150e0970ce679829c66de21b6 |
| SHA256 | 91807182cabf2ce06a5e5189f78b64b335a2964ff8a83b9347f708d65621004e |
| SHA512 | 120319024d27ca89f3469264619644e50cc6a849c104d109caeaa5b7a134c2b1dd255531e5d5e2f7f4c5f47aea4ee93dc4cd70f9e4345360119056e087065650 |
C:\Windows\System\rXvTUOR.exe
| MD5 | 08aae75a6ca92183ddd26a718b8aa7f7 |
| SHA1 | 1e4320a4e4b2beb7c8e846bc90665b1a474d895b |
| SHA256 | 767aa4a9733b7c020632a9d489e3e3a395ba00a5d3a8bc934b950751f4e100b9 |
| SHA512 | b60b8276acb02f3a4feed0d0a6eb15239aa44b1c90b2a40601c5feb990374e25b11848dd81beb977056fe05acfe67bb133ac5c7acccdcf0938ab97dd3248e4fb |
C:\Windows\System\jkxresb.exe
| MD5 | fca9572d77c76695a637c959f95cd00c |
| SHA1 | 99d755fa50d806112d94a017671ead6111a1bc09 |
| SHA256 | 15c5449df5614980f132d688b45bc329194c4746fa28cdb8acdcc45aeb50ae3e |
| SHA512 | 25cbb1a60e3382d95355498c2951da549399da2f7c5f68facd66332247c69e950507d7571c7a1bef24e4ac0257f4c3cad16e107b5def6c0c3593cc788e3de132 |
C:\Windows\System\AQlUctw.exe
| MD5 | 3369fa81f1170dd435dde9c3a931374b |
| SHA1 | a3dac950494cd1048333944e3fefaaedd7f9b897 |
| SHA256 | bbec17fc6047cb593eed0604aba90d076778783f1b724ca5094083a19c2075da |
| SHA512 | f3d11bbd5f5fcb7d21a5a50d69e2ad27df8959428c7826dc0683366acad02f5e0a1d1b5fd9148719272236acb179454a4cbf9e98d8f67c02ad4c34460d0bf39b |
memory/4708-66-0x00007FF67C750000-0x00007FF67CAA1000-memory.dmp
C:\Windows\System\JDjYznP.exe
| MD5 | 734f05b73c736221a31a3a698d8f2c1b |
| SHA1 | b0dc8685fd39a37d18ba1e897760d8ce1aa1f0e6 |
| SHA256 | a097f987fb2de47a77b1f4f721fc2a5e495c2b26044325bb38e6d057fd76f09b |
| SHA512 | 90d6b46f0e036fb2bf862bf653378a4b423b8eb061bec734a23685d65f53a891338d144bfae0745f24d5cf0895f28f4d336bf21452007036b7a7e9c918e80c9a |
memory/4940-54-0x00007FF6D95E0000-0x00007FF6D9931000-memory.dmp
memory/4220-48-0x00007FF76E660000-0x00007FF76E9B1000-memory.dmp
C:\Windows\System\FeWeEof.exe
| MD5 | 117f167fb3030d96c2a1a39c9f64b3a7 |
| SHA1 | b5f0760069d343393d9aeced25b67445bf781c67 |
| SHA256 | 5fd09d1995c409a291e6deb5c4f765864c97ae377164e8df97f1d967d88838de |
| SHA512 | 413cfb70e098f72897963c20edd5c5fd04d2afa2b10e1665e748fbee4d3dfb34e80fc73ecd781db1c5d37dcba573f3d5ae3f03b75d605c997e85961a351466fd |
memory/704-49-0x00007FF6E2140000-0x00007FF6E2491000-memory.dmp
memory/1216-45-0x00007FF774630000-0x00007FF774981000-memory.dmp
memory/3192-44-0x00007FF63BC20000-0x00007FF63BF71000-memory.dmp
memory/4228-28-0x00007FF74F410000-0x00007FF74F761000-memory.dmp
memory/1548-18-0x00007FF76C830000-0x00007FF76CB81000-memory.dmp
memory/3340-17-0x00007FF737910000-0x00007FF737C61000-memory.dmp
memory/752-123-0x00007FF76A1E0000-0x00007FF76A531000-memory.dmp
memory/704-133-0x00007FF6E2140000-0x00007FF6E2491000-memory.dmp
memory/4812-137-0x00007FF7FABC0000-0x00007FF7FAF11000-memory.dmp
memory/2644-145-0x00007FF609010000-0x00007FF609361000-memory.dmp
C:\Windows\System\ESbYbbW.exe
| MD5 | 242db20e8094aae4e7c7a279631eaf42 |
| SHA1 | 897d314bc8ff71ba660ad18a1dc4fc047a409725 |
| SHA256 | 98ff86ca035231e1ee48686d7c91fe3586b760d814108dbfb25f16c6e0a6fbc8 |
| SHA512 | 989a3dde1aca2ce7d0bec0ad17ac29b1d8f9a91e810228d4d1c01be3cbe42c7b0c96344d0a879e936f219c5e94b6e12986fab9d4281510cd8919b8fceb088659 |
memory/440-146-0x00007FF7DAEC0000-0x00007FF7DB211000-memory.dmp
memory/4352-143-0x00007FF66FE80000-0x00007FF6701D1000-memory.dmp
memory/4536-140-0x00007FF7C0ED0000-0x00007FF7C1221000-memory.dmp
memory/4708-134-0x00007FF67C750000-0x00007FF67CAA1000-memory.dmp
memory/4940-132-0x00007FF6D95E0000-0x00007FF6D9931000-memory.dmp
memory/4220-131-0x00007FF76E660000-0x00007FF76E9B1000-memory.dmp
memory/4228-128-0x00007FF74F410000-0x00007FF74F761000-memory.dmp
memory/1548-127-0x00007FF76C830000-0x00007FF76CB81000-memory.dmp
memory/5008-136-0x00007FF70B6D0000-0x00007FF70BA21000-memory.dmp
C:\Windows\System\QAbeXut.exe
| MD5 | f13f8d34e27df501d4228987ef78fbd2 |
| SHA1 | 9e058db8f9e4275db2a2452eb3ad60ae9a4f39f8 |
| SHA256 | cfeb20483ef8dfed3edf2b8dd33ffeac21a7ef05014fd85846d175caf5e6c780 |
| SHA512 | de0a40ef6ed5bd040a45f7cda29b8675865d0db3399b256c9459d6940d13aab107de2925ae6bf977fdf3367e2e9b1408dc58d856f2552d24618354a0f3a4c08d |
memory/4988-149-0x00007FF78C570000-0x00007FF78C8C1000-memory.dmp
memory/440-193-0x00007FF7DAEC0000-0x00007FF7DB211000-memory.dmp
memory/752-197-0x00007FF76A1E0000-0x00007FF76A531000-memory.dmp
memory/3340-199-0x00007FF737910000-0x00007FF737C61000-memory.dmp
memory/1548-201-0x00007FF76C830000-0x00007FF76CB81000-memory.dmp
memory/4228-204-0x00007FF74F410000-0x00007FF74F761000-memory.dmp
memory/3192-205-0x00007FF63BC20000-0x00007FF63BF71000-memory.dmp
memory/1216-207-0x00007FF774630000-0x00007FF774981000-memory.dmp
memory/4220-209-0x00007FF76E660000-0x00007FF76E9B1000-memory.dmp
memory/4940-211-0x00007FF6D95E0000-0x00007FF6D9931000-memory.dmp
memory/704-213-0x00007FF6E2140000-0x00007FF6E2491000-memory.dmp
memory/4708-215-0x00007FF67C750000-0x00007FF67CAA1000-memory.dmp
memory/4812-218-0x00007FF7FABC0000-0x00007FF7FAF11000-memory.dmp
memory/5008-221-0x00007FF70B6D0000-0x00007FF70BA21000-memory.dmp
memory/3900-219-0x00007FF768C60000-0x00007FF768FB1000-memory.dmp
memory/3280-229-0x00007FF793EA0000-0x00007FF7941F1000-memory.dmp
memory/1516-231-0x00007FF7C0E20000-0x00007FF7C1171000-memory.dmp
memory/4536-228-0x00007FF7C0ED0000-0x00007FF7C1221000-memory.dmp
memory/4352-225-0x00007FF66FE80000-0x00007FF6701D1000-memory.dmp
memory/4628-224-0x00007FF7482D0000-0x00007FF748621000-memory.dmp
memory/1296-233-0x00007FF6B7D90000-0x00007FF6B80E1000-memory.dmp
memory/2644-238-0x00007FF609010000-0x00007FF609361000-memory.dmp
memory/440-240-0x00007FF7DAEC0000-0x00007FF7DB211000-memory.dmp