Analysis Overview
SHA256
d4c3b14e61b5be8b392b9a5a1cd77b0db1cec5c26ab5dd764397edf76cdde1c0
Threat Level: Known bad
The file 2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
XMRig Miner payload
Cobaltstrike family
UPX dump on OEP (original entry point)
xmrig
Xmrig family
Cobaltstrike
Detects Reflective DLL injection artifacts
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 00:39
Signatures
Cobalt Strike reflective loader
(1 hit; description, indicator, process and target not recorded)
Cobaltstrike family
Detects Reflective DLL injection artifacts
(1 hit; description, indicator, process and target not recorded)
UPX dump on OEP (original entry point)
(1 hit; description, indicator, process and target not recorded)
XMRig Miner payload
(1 hit; description, indicator, process and target not recorded)
Xmrig family
UPX packed file
(1 hit; description, indicator, process and target not recorded)
Unsigned PE
(1 hit; description, indicator, process and target not recorded)
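The two static1 verdicts that do not depend on a sandbox, UPX packed file and Unsigned PE, can be checked offline from the PE headers alone. The script below is an added example written for this page, not tooling from the sandbox or code from the sample: it parses the DOS/COFF/optional headers and section table with the standard library, reports the section names, the packer-typical layout UPX leaves behind (a UPX0 section with zero bytes on disk but a large virtual size) and whether the certificate table (Security data directory) is empty. `build_sample_pe` constructs a minimal PE32+ image purely to exercise the parser; it is not the sample from this report. Two caveats apply: section names are trivially renamed, so `upx_packed` is a hint rather than proof, and an empty Security directory only means no embedded Authenticode signature (catalog-signed Windows binaries would also report `unsigned` here).

```python
"""Offline check of the static1 findings above: UPX packing and a missing
Authenticode signature, using only the PE headers and the standard library."""
from __future__ import annotations

import struct
import sys

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the certificate table directory


def parse_pe(data: bytes) -> dict:
    """Parse just enough of a PE image to list its sections and Security directory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsec, _ts, _symtab, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:
        fmt, dd_off = "PE32", 96       # data directories start at +96 in PE32 ...
    elif magic == 0x20B:
        fmt, dd_off = "PE32+", 112     # ... and at +112 in PE32+
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    num_dd = struct.unpack_from("<I", data, opt + dd_off - 4)[0]   # NumberOfRvaAndSizes
    sec_rva = sec_size = 0
    if num_dd > IMAGE_DIRECTORY_ENTRY_SECURITY:
        sec_rva, sec_size = struct.unpack_from(
            "<II", data, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    hdr = opt + opt_size                # section table follows the optional header
    for i in range(nsec):
        off = hdr + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, _va, raw_size, _raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append({"name": name, "virtual_size": vsize, "raw_size": raw_size})
    return {"format": fmt, "machine": machine, "sections": sections,
            "security_dir": (sec_rva, sec_size)}


def triage_pe(data: bytes) -> dict:
    """The two static verdicts from the report, plus the layout clue behind the first."""
    pe = parse_pe(data)
    names = [s["name"] for s in pe["sections"]]
    return {
        "format": pe["format"],
        "sections": names,
        # UPX names its sections UPX0/UPX1; trivially renamed, so only a hint
        "upx_packed": any(n.upper().startswith("UPX") for n in names),
        # UPX0 is the unpack destination: large in memory, zero bytes on disk
        "packer_like_layout": any(s["raw_size"] == 0 and s["virtual_size"] > 0
                                  for s in pe["sections"]),
        # empty certificate table == no embedded Authenticode signature
        "unsigned": pe["security_dir"][1] == 0,
    }


def build_sample_pe(section_names: list[str], signed: bool = False) -> bytes:
    """Construct a minimal, non-runnable PE32+ image to exercise the parser
    (constructed test data, not the sample from this report)."""
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                              # PE32+ magic
    struct.pack_into("<I", opt, 108, 16)                               # NumberOfRvaAndSizes
    if signed:                                                         # fake certificate table entry
        struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, 0x3000, 0x800)
    coff = struct.pack("<HHIIIHH", 0x8664, len(section_names), 0, 0, 0, len(opt), 0x22)
    secs = b""
    for i, name in enumerate(section_names):
        raw_size = 0 if name == "UPX0" else 0x1000
        secs += name.encode().ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", 0x10000, 0x1000 * (i + 1), raw_size, 0x400 * (i + 1),
            0, 0, 0, 0, 0x60000020)
    return dos + b"PE\0\0" + coff + bytes(opt) + secs


if __name__ == "__main__":
    blob = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_sample_pe(["UPX0", "UPX1", ".rsrc"]))
    for key, value in triage_pe(blob).items():
        print(f"{key:>20}: {value}")
```

Run it with a path to a real PE to triage that file; without arguments it triages the constructed UPX-style image. A hit on `packer_like_layout` together with `upx_packed` is what the sandbox's "UPX packed file" signature corresponds to; the "UPX dump on OEP" signatures in the behavioral runs are the dynamic counterpart, taken once the stub has unpacked into UPX0 and jumped to the original entry point.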
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 00:39
Reported
2024-06-01 00:42
Platform
win7-20240221-en
Max time kernel
139s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
(21 hits; description, indicator, process and target not recorded)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
(21 hits; description, indicator, process and target not recorded)
UPX dump on OEP (original entry point)
(51 hits; description, indicator, process and target not recorded)
XMRig Miner payload
(55 hits; description, indicator, process and target not recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ScVCuJM.exe | N/A |
| N/A | N/A | C:\Windows\System\nDiunfl.exe | N/A |
| N/A | N/A | C:\Windows\System\hxnNsGA.exe | N/A |
| N/A | N/A | C:\Windows\System\PRnQhWP.exe | N/A |
| N/A | N/A | C:\Windows\System\xvjbeWV.exe | N/A |
| N/A | N/A | C:\Windows\System\jTeqcoB.exe | N/A |
| N/A | N/A | C:\Windows\System\gMAxsWi.exe | N/A |
| N/A | N/A | C:\Windows\System\DOQwChJ.exe | N/A |
| N/A | N/A | C:\Windows\System\KWoYXEH.exe | N/A |
| N/A | N/A | C:\Windows\System\cvFLhhI.exe | N/A |
| N/A | N/A | C:\Windows\System\NhoieqA.exe | N/A |
| N/A | N/A | C:\Windows\System\psRIsAr.exe | N/A |
| N/A | N/A | C:\Windows\System\ElEldFX.exe | N/A |
| N/A | N/A | C:\Windows\System\CxVBvOs.exe | N/A |
| N/A | N/A | C:\Windows\System\JBEMKfc.exe | N/A |
| N/A | N/A | C:\Windows\System\kqZUnML.exe | N/A |
| N/A | N/A | C:\Windows\System\likSIQu.exe | N/A |
| N/A | N/A | C:\Windows\System\QDMGUBN.exe | N/A |
| N/A | N/A | C:\Windows\System\lpbPeXt.exe | N/A |
| N/A | N/A | C:\Windows\System\CldDUaz.exe | N/A |
| N/A | N/A | C:\Windows\System\dMLCyfh.exe | N/A |
Loads dropped DLL
UPX packed file
(51 hits; description, indicator, process and target not recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe | N/A |
SeLockMemoryPrivilege is the privilege required to allocate large pages (VirtualAlloc with MEM_LARGE_PAGES). XMRig enables it so that its RandomX dataset can be backed by huge pages, so this token adjustment lines up with the XMRig Miner payload signature rather than with the Cobalt Strike loader. Ordinary user-mode software almost never asks for it, which makes a process enabling SeLockMemoryPrivilege a useful hunting signal on its own.
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ScVCuJM.exe
C:\Windows\System\ScVCuJM.exe
C:\Windows\System\nDiunfl.exe
C:\Windows\System\nDiunfl.exe
C:\Windows\System\hxnNsGA.exe
C:\Windows\System\hxnNsGA.exe
C:\Windows\System\PRnQhWP.exe
C:\Windows\System\PRnQhWP.exe
C:\Windows\System\xvjbeWV.exe
C:\Windows\System\xvjbeWV.exe
C:\Windows\System\jTeqcoB.exe
C:\Windows\System\jTeqcoB.exe
C:\Windows\System\gMAxsWi.exe
C:\Windows\System\gMAxsWi.exe
C:\Windows\System\DOQwChJ.exe
C:\Windows\System\DOQwChJ.exe
C:\Windows\System\KWoYXEH.exe
C:\Windows\System\KWoYXEH.exe
C:\Windows\System\cvFLhhI.exe
C:\Windows\System\cvFLhhI.exe
C:\Windows\System\NhoieqA.exe
C:\Windows\System\NhoieqA.exe
C:\Windows\System\psRIsAr.exe
C:\Windows\System\psRIsAr.exe
C:\Windows\System\ElEldFX.exe
C:\Windows\System\ElEldFX.exe
C:\Windows\System\JBEMKfc.exe
C:\Windows\System\JBEMKfc.exe
C:\Windows\System\CxVBvOs.exe
C:\Windows\System\CxVBvOs.exe
C:\Windows\System\kqZUnML.exe
C:\Windows\System\kqZUnML.exe
C:\Windows\System\likSIQu.exe
C:\Windows\System\likSIQu.exe
C:\Windows\System\QDMGUBN.exe
C:\Windows\System\QDMGUBN.exe
C:\Windows\System\lpbPeXt.exe
C:\Windows\System\lpbPeXt.exe
C:\Windows\System\CldDUaz.exe
C:\Windows\System\CldDUaz.exe
C:\Windows\System\dMLCyfh.exe
C:\Windows\System\dMLCyfh.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | (none, direct-to-IP) | tcp |
Six TCP connections to 3.120.209.58:8080 were recorded; no DNS query appears in this capture, so the address is hard-coded or otherwise resolved without DNS.
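The behavioral1 run yields three host-observable indicators: executables written under C:\Windows\System\ with seven-letter names and then executed, the hashes of those dropped files, and a direct-to-IP TCP connection to 3.120.209.58:8080. The script below is an added example, not part of the sandbox report, showing how those indicators map onto Sysmon-style process-create (EID 1), network-connect (EID 3) and file-create (EID 11) events and how hits are correlated per process. The event records are constructed for the example (the PIDs echo the memory dumps listed below, but the records are not sandbox output), the field names are a simplified subset of Sysmon's, and the seven-letter path pattern is an assumption generalised from the two detonations rather than something the report states.

```python
"""Hunt for the behavioral1 indicators above in Sysmon-style events.
The indicator values are copied from the report; the events are constructed."""
from __future__ import annotations

import re

# SHA256s taken from the report: the submitted sample and three dropped files
SHA_SAMPLE = "d4c3b14e61b5be8b392b9a5a1cd77b0db1cec5c26ab5dd764397edf76cdde1c0"
SHA_SCVCUJM = "732a371512ed3a73dddffa420a08aa67a41610509dc1a71b3f1dd93588df3098"
SHA_NDIUNFL = "ac9413ff3357fec200520127d818c099fc5a3ec888a712391e57d09e88ff3c89"
SHA_HXNNSGA = "ef2b6a1ac2dba2a3fc7659fe658ecc6bca0e48ee15be1aeb8b83b1856ec784bd"
KNOWN_SHA256 = {SHA_SAMPLE, SHA_SCVCUJM, SHA_NDIUNFL, SHA_HXNNSGA}

# the only non-DNS destination in either detonation
C2_ENDPOINTS = {("3.120.209.58", 8080)}

# assumption: the drop naming seen in both runs, C:\Windows\System\<seven letters>.exe
DROP_PATH = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)


def sha256_of(hashes_field: str) -> str | None:
    """Pull the SHA256 out of a Sysmon 'Hashes' field such as 'MD5=...,SHA256=...'."""
    for part in hashes_field.split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def _alert(rule: str, pid: int, detail: str) -> dict:
    return {"rule": rule, "pid": pid, "detail": detail}


def detect(events: list[dict]) -> list[dict]:
    """Apply four rules derived from the report and return one alert per hit."""
    alerts = []
    dropped: dict[str, int] = {}     # lower-cased path -> pid that wrote it (EID 11)
    for ev in events:
        eid = ev["id"]
        if eid == 11 and DROP_PATH.match(ev["target"]):
            dropped[ev["target"].lower()] = ev["pid"]
            alerts.append(_alert("drops_exe_in_windows_dir", ev["pid"], ev["target"]))
        elif eid == 1:
            digest = sha256_of(ev.get("hashes", ""))
            if digest in KNOWN_SHA256:
                alerts.append(_alert("known_payload_hash", ev["pid"], digest))
            writer = dropped.get(ev["image"].lower())
            if writer is not None:   # image was written earlier in this event stream
                alerts.append(_alert("executes_dropped_exe", ev["pid"],
                                     f"{ev['image']} dropped by pid {writer}, "
                                     f"parent pid {ev.get('parent_pid')}"))
        elif eid == 3 and ev.get("proto") == "tcp" \
                and (ev["dst_ip"], ev["dst_port"]) in C2_ENDPOINTS:
            alerts.append(_alert("c2_endpoint", ev["pid"], f"{ev['dst_ip']}:{ev['dst_port']}"))
    return alerts


def correlate(alerts: list[dict], min_rules: int = 2) -> set[int]:
    """PIDs that fired at least `min_rules` distinct rules; single hits stay as leads."""
    by_pid: dict[int, set[str]] = {}
    for a in alerts:
        by_pid.setdefault(a["pid"], set()).add(a["rule"])
    return {pid for pid, rules in by_pid.items() if len(rules) >= min_rules}


# Constructed events (not sandbox output); Sysmon reports hashes upper-cased
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe")
SAMPLE_EVENTS = [
    {"id": 1, "pid": 2004, "parent_pid": 1200, "image": SAMPLE,
     "hashes": "SHA256=" + SHA_SAMPLE.upper()},
    {"id": 11, "pid": 2004, "target": r"C:\Windows\System\ScVCuJM.exe"},
    {"id": 1, "pid": 2532, "parent_pid": 2004, "image": r"C:\Windows\System\ScVCuJM.exe",
     "hashes": "MD5=B7321DCCE58CB41439907245E71F7945,SHA256=" + SHA_SCVCUJM.upper()},
    {"id": 3, "pid": 2004, "dst_ip": "3.120.209.58", "dst_port": 8080, "proto": "tcp"},
    {"id": 11, "pid": 2004, "target": r"C:\Windows\System\nDiunfl.exe"},
    {"id": 1, "pid": 2160, "parent_pid": 2004, "image": r"C:\Windows\System\nDiunfl.exe",
     "hashes": "SHA256=" + SHA_NDIUNFL.upper()},
    # benign noise that must not alert
    {"id": 1, "pid": 4100, "parent_pid": 1200, "image": r"C:\Windows\System32\notepad.exe",
     "hashes": "SHA256=" + "00" * 32},
    {"id": 3, "pid": 4100, "dst_ip": "8.8.8.8", "dst_port": 53, "proto": "udp"},
]

if __name__ == "__main__":
    found = detect(SAMPLE_EVENTS)
    for a in found:
        print(f"{a['rule']:<28} pid={a['pid']:<5} {a['detail']}")
    print("correlated pids:", sorted(correlate(found)))
```

The hash and C2 rules are exact-match and will age quickly; the path-pattern rule and the "written, then executed" correlation are the durable part, since they describe the dropper's behaviour rather than this build's bytes. Tune `DROP_PATH` to your own baseline before deploying it: legitimate software does not normally write executables to C:\Windows\System\, but confirm that on the estate first.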
Files
memory/2004-0-0x000000013F8C0000-0x000000013FC14000-memory.dmp
memory/2004-1-0x00000000001F0000-0x0000000000200000-memory.dmp
C:\Windows\system\ScVCuJM.exe
| MD5 | b7321dcce58cb41439907245e71f7945 |
| SHA1 | b5521453cbda084afe82d30ddbb4855846422792 |
| SHA256 | 732a371512ed3a73dddffa420a08aa67a41610509dc1a71b3f1dd93588df3098 |
| SHA512 | 435027b3990e06161708e66d3acc41874a83e058f28cf8962c5d9109443169a32a5df36a5c2f8fd2ded841ea53955a8f7598ff0ae61183240cd2a8c4df5aa53a |
C:\Windows\system\nDiunfl.exe
| MD5 | d7c0995011a1deff1b4554d304e00276 |
| SHA1 | 09a83cc14f12084171470ef57d13499dd033d990 |
| SHA256 | ac9413ff3357fec200520127d818c099fc5a3ec888a712391e57d09e88ff3c89 |
| SHA512 | 63fc9d73afd1354935750a830a9fe592ed24ec5dc85ec8fdd21b17b1c3b56cb7cc0b25c7bf53e9f0e86468907cdce6420bd0186be383fa5aed999bdee4770fe8 |
C:\Windows\system\hxnNsGA.exe
| MD5 | 81045693089ee4d9636d8478c73f9e6e |
| SHA1 | 269073f32ca5d7b97c77f752834daa6033c02e94 |
| SHA256 | ef2b6a1ac2dba2a3fc7659fe658ecc6bca0e48ee15be1aeb8b83b1856ec784bd |
| SHA512 | 80423f78247d1fb99e3e0646a09e40da20f4503918805d59160e8a75e9dc93c2ed9b86c73acc6e7adb69d51777b06e8f0b58c98c2fdeb9c8b54c13b2374f15fe |
memory/2532-19-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/2004-17-0x000000013F160000-0x000000013F4B4000-memory.dmp
C:\Windows\system\PRnQhWP.exe
| MD5 | 9e915b42a87a704db2de965a385eee61 |
| SHA1 | 0a98f7d40b82b3ba462e88da29fbbb79f6d5b775 |
| SHA256 | 2bfe39ce3fb75ef1c1836eb2ee8506aca8d5c4adfcdf2b8a7d3934e7c0f5e2c7 |
| SHA512 | ee04bb356a4fa9a7134dc2560bfc239ab5c8de94de2fb004ea2178ec4d7190ab31474efc98c6364b02c2af467c3b491c8552a6ba9a77a7ff497e53a4df3ccdca |
C:\Windows\system\xvjbeWV.exe
| MD5 | 2641ff83249b98c053ed4b89b402f574 |
| SHA1 | 9bf851172c16df9e12ed1d74943d7da72fe51ad8 |
| SHA256 | 5f9f534c9657c3bd1f43739fe96c21b3d35a3a186c604d57b23793aaa29919fe |
| SHA512 | 6bbf13d67973e79134d41d5385745171d369f4a3f3ba17dd0aa2b3088fad137b3efe41910f106f79447a07fe0d7202ca57ae2afc9d00f8507932681e0200db93 |
C:\Windows\system\jTeqcoB.exe
| MD5 | be304976d6a481f016e85185a8dd3997 |
| SHA1 | c241f899b1aeaa949637ec7884128dbd078eeebc |
| SHA256 | 53c1bb4496140123a823f8101269e0b047412bebdb3f94e7b9cc8e08735b3f1e |
| SHA512 | 047a2a65ce5c6eece2bcde5c65542fda341f7878131a32b4297b0a571a6e2a59a6f3755e73264a539a5e7979210ef540c353481fe4d4140987792689572bedaf |
C:\Windows\system\gMAxsWi.exe
| MD5 | 95d81d140d516013fd9a0fc1a0353d0d |
| SHA1 | 068a3184d80937aff2493ec172f318f6283851f1 |
| SHA256 | 959f8940af7d4ad22e228b52aaf3c21b904abe24bcf9332cb4db03008542aaba |
| SHA512 | f5aac21b21d4b279cccb771bf2a6c6c2f9dd3e7bebb73e1a16789a081feb4b957947b0cfea71525aab5872f10d6d3e125d527c4171c258589b5429946e360863 |
C:\Windows\system\DOQwChJ.exe
| MD5 | 02a71ecfc1af5a7890d8f139c7e4efd5 |
| SHA1 | d4cd87b9f34a254bba02bee2653bae037d2d252a |
| SHA256 | 372ba59b4003ce71d41750ef4baa905f37d0a64709d294fa32e8e38b274db7ea |
| SHA512 | dcd41b7b6372132bcc6929d8c1f9e52dd2c70e1b47428159ef2567d58ba85ae23aea06a7e616b615fa6f1c73a81e47bf9a3c99a5b8cd3b80c051d4277f0226ed |
C:\Windows\system\KWoYXEH.exe
| MD5 | 6dce9b6d9d3a49f65892a647fbe903af |
| SHA1 | 02bb6e4c04460cfde396136f4147aac4b9017b1e |
| SHA256 | 4c983e9852549817fc63b2f994b8648c5a34e14fdd94a43569827a1c4c6bfa77 |
| SHA512 | dc89fc8d4a971e34fd78f6eab9cf798269f34f9dc6fe458d5b5b56545a2df3d5802c5b0836e5adcd427390a4ca45f5b8d23b9f87a329fa6f59a2bd7760ad8ef3 |
memory/2724-53-0x000000013F620000-0x000000013F974000-memory.dmp
C:\Windows\system\ElEldFX.exe
| MD5 | 6810005bfe94c0f770d53ba6efd5043e |
| SHA1 | 9befa670b424ce9d91f5aad7f194710dd9d8baff |
| SHA256 | bc0f96b8b6c4ac9117e5a6eee1d70446687043381e0466273010950f09bfb33d |
| SHA512 | 2848ea3ab28606483eab9a5ebc384524fcdfb2e2c843a695e9d1e43cecb3b4e23457ed15e9ab2d46f2a0cf11dc8f4e203a0626b9ab37ceb8a854cde2755c4ab3 |
C:\Windows\system\CldDUaz.exe
| MD5 | 696e07869951064160d5e8e5dbf67d42 |
| SHA1 | 80f8422aef7251c9fc82bf577ca6f869f8edda2a |
| SHA256 | 765b14ee9ca1aae4548280328becc965d8214efe5861a46ef284ac230089cfcc |
| SHA512 | 4520654fefdd88f64a0e753b67eed84de1fb86af1cf52364d24402d5642c909f2ccc8301a0723e60b1b36fc4e1c7dec58b19c0ec8875fd89344540ace5202498 |
C:\Windows\system\dMLCyfh.exe
| MD5 | d11d96fa6766348a25cb4cc1182204c1 |
| SHA1 | eff7612fcce26880a1de78072285ca47d3da0e6c |
| SHA256 | cf3875fde9ee410c2c48f9a37b89cf455e5e25336852a1b01159d0f8c3c128f4 |
| SHA512 | 5bcd2c674b1978c14fd20742d9a4d9db6c1aa72b4655a9fe90a43c43ab55eaa4d67ab086d00fbf528447e03d96c2b020a3fba5fe17cd3d50220eb1b1bc7acb70 |
C:\Windows\system\lpbPeXt.exe
| MD5 | 8aeeab14130482eda54dbb935b4798dd |
| SHA1 | 4d0fdf3894e7a7e5a712f5b3929d0cf9a1304fc0 |
| SHA256 | fba009b3dd7e5f0e432bc1b7eb212ac1514e43e8ef8fa925c0cd7fc6abed5df4 |
| SHA512 | 092447cbe29c199c5667891602486194a37b57edcf4211200d30db6e56369f80639b0a1f18728ae6e8829087b3045510f3e245aedcff69510d868393ca15a2b2 |
C:\Windows\system\QDMGUBN.exe
| MD5 | c50cf4efe8753634573a388fb3314f75 |
| SHA1 | 4a2fc9f22d45cbfc0d6ece08b7e790ca4262c77f |
| SHA256 | 27f370c5fd6063c45b471cf58857d3273d4365a3e84455bbb465e76a0b1ba33c |
| SHA512 | 40e7bdc5f404c788b084985ac75410b1bd0202227f88a6c5167c5187146d9bbb94d7668dec3ca86ba1f3bda05d81210231275c60e18d4a8921109cee08963446 |
C:\Windows\system\likSIQu.exe
| MD5 | 2d826f0e499158275a87c280e7fb5027 |
| SHA1 | 307610ae5d8964fd3e47c92a84d6b649c70e47aa |
| SHA256 | 5729b8a15224bac4ee819231225f55fc0078819e0dfcccc7a3889b9abcd022ab |
| SHA512 | 5ba453845d302c839a60411b37aadbff4189e3cc9eace964959b48b8084fb9131782e0ebcc6aa96546030d55c88a6686da058d9585291518e45ed2d9d7586fe4 |
C:\Windows\system\kqZUnML.exe
| MD5 | 025cb4942d3482e791fcd2efa45ba632 |
| SHA1 | ec3f1578af8115445a9f785c94d227cb803f8e73 |
| SHA256 | 743cf3286e90ccef7bb9fa07e933eaf9bb3d059e6425a6a49c3e10d814b44642 |
| SHA512 | 354b1eb3a4a9dd99c49a6ea9ca25dabab6321fbb9292668f5f6bee30935ceb0e54bc0fe0d0482aef1d25bacbbebb34c279d5ff1fe8a4be353055bc48e134fded |
\Windows\system\JBEMKfc.exe
| MD5 | e3cffac21d15b849cabd0120eb819530 |
| SHA1 | 5b7679400f3f09b507e2a494f3b3b5712639d4d2 |
| SHA256 | 0b9d3489439706c9600a4bd18a8a7cdbd8e842f23f51789476268df62e7bd0ea |
| SHA512 | d9f9bc3483faea2e43a15764fb7be460a3de725de56059dd0ab1c4b14ccf8b50a14e3334f9e80676a720c254fc48271ea75fd32c002a33cd048b09212858318a |
C:\Windows\system\CxVBvOs.exe
| MD5 | ea9ce001866b93565d02f736fd053f36 |
| SHA1 | 5a9b5b7d0ea842a17621a8d50d6d5590e367ea9e |
| SHA256 | 258a9d4eec0245204f5651e6527b9b8c68d1d499d7ccf977b254bb8cf4146e3b |
| SHA512 | 8e8ccbb7b19750278ebf1d8fac84be3573a5d93bd23d947ca7691eac175ceaecc5d7924595a6e78803eeb927790088fe9a72c46e99c9141bb69a3744a316991b |
C:\Windows\system\psRIsAr.exe
| MD5 | fbbf662f2fc7c852a5e6d817b04f2243 |
| SHA1 | 4d08b95da8fe047566579cd5c52d1a4a45e2d670 |
| SHA256 | e54e61e0dc727e7492bc5d48a1b113b1dc5e00801ec1b5f6e0cca0973c47d73b |
| SHA512 | d303e721eb832cee322e4fab73367992245c46bd2e35e0a3a12b2e7aadc762cdb98cf4beb2acbe7cce4d46ea8b04d8356c202982e26c22814eee4b273cfa60bd |
C:\Windows\system\NhoieqA.exe
| MD5 | 8ab0fba82cf7af5b2202b8bf949455fc |
| SHA1 | 7e62238e601a1f79798baedf3fe87b209412f604 |
| SHA256 | 4f6aa4d067cd49bb6a50e7173e84ffde64cb187240f6fd00a86764a7c09b0900 |
| SHA512 | cc8d3452553b174787e35f07268c591e220fa0787b5094d07f1d3439aa0a276141a1efaa63127727d566787c55fd593f01a23996927a61e800eaae21c60f39fc |
C:\Windows\system\cvFLhhI.exe
| MD5 | 3febff843e49dc7a581083760a53fcbf |
| SHA1 | 3f50daced093f1295c0ad24547810ee37009d348 |
| SHA256 | e147d016a686000b44f0529c6e44bc6566288bce5cccad90b6085dda1f0181db |
| SHA512 | 3ef167a7f9efb6c73f69dfa7a9b10f4333446d17252886a7ab847617b2f2d1a175ffb13af31e0d780fbe2d24f6c54c16efa541706f73062349198ba9f5a5ad95 |
memory/2160-52-0x000000013FC00000-0x000000013FF54000-memory.dmp
memory/2004-51-0x0000000002350000-0x00000000026A4000-memory.dmp
memory/2540-44-0x000000013FA90000-0x000000013FDE4000-memory.dmp
memory/2696-114-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2004-113-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2004-115-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2580-116-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2716-120-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/2004-119-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/2656-121-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2764-118-0x000000013F990000-0x000000013FCE4000-memory.dmp
memory/2004-125-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2004-127-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2896-131-0x000000013F460000-0x000000013F7B4000-memory.dmp
memory/2004-130-0x000000013F460000-0x000000013F7B4000-memory.dmp
memory/2004-129-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2828-128-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/3068-126-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2752-124-0x000000013FD30000-0x0000000140084000-memory.dmp
memory/2004-123-0x000000013FD30000-0x0000000140084000-memory.dmp
memory/560-122-0x000000013FC00000-0x000000013FF54000-memory.dmp
memory/2004-117-0x0000000002350000-0x00000000026A4000-memory.dmp
memory/2004-132-0x000000013F8C0000-0x000000013FC14000-memory.dmp
memory/2532-133-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/2160-134-0x000000013FC00000-0x000000013FF54000-memory.dmp
memory/2540-135-0x000000013FA90000-0x000000013FDE4000-memory.dmp
memory/2656-139-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2724-140-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2580-141-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2716-138-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/2764-137-0x000000013F990000-0x000000013FCE4000-memory.dmp
memory/2696-136-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2752-142-0x000000013FD30000-0x0000000140084000-memory.dmp
memory/2828-143-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/3068-144-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/2896-145-0x000000013F460000-0x000000013F7B4000-memory.dmp
memory/560-146-0x000000013FC00000-0x000000013FF54000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 00:39
Reported
2024-06-01 00:42
Platform
win10v2004-20240426-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
(21 hits; description, indicator, process and target not recorded)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
(21 hits; description, indicator, process and target not recorded)
UPX dump on OEP (original entry point)
(64 hits; description, indicator, process and target not recorded)
XMRig Miner payload
(64 hits; description, indicator, process and target not recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\VNphNkF.exe | N/A |
| N/A | N/A | C:\Windows\System\zucupGb.exe | N/A |
| N/A | N/A | C:\Windows\System\QpPsBRD.exe | N/A |
| N/A | N/A | C:\Windows\System\pRYaCxA.exe | N/A |
| N/A | N/A | C:\Windows\System\NegWAvQ.exe | N/A |
| N/A | N/A | C:\Windows\System\tlJeqON.exe | N/A |
| N/A | N/A | C:\Windows\System\pxyZkLj.exe | N/A |
| N/A | N/A | C:\Windows\System\WVBsHjm.exe | N/A |
| N/A | N/A | C:\Windows\System\MHonMeB.exe | N/A |
| N/A | N/A | C:\Windows\System\wWXcqll.exe | N/A |
| N/A | N/A | C:\Windows\System\rBUGRlv.exe | N/A |
| N/A | N/A | C:\Windows\System\pSNyYiZ.exe | N/A |
| N/A | N/A | C:\Windows\System\KtUwFKJ.exe | N/A |
| N/A | N/A | C:\Windows\System\mGJrQKq.exe | N/A |
| N/A | N/A | C:\Windows\System\BdGzqdc.exe | N/A |
| N/A | N/A | C:\Windows\System\BNNYCwO.exe | N/A |
| N/A | N/A | C:\Windows\System\CjpBeuZ.exe | N/A |
| N/A | N/A | C:\Windows\System\NAjGcZS.exe | N/A |
| N/A | N/A | C:\Windows\System\WWccVqK.exe | N/A |
| N/A | N/A | C:\Windows\System\RdLhJWE.exe | N/A |
| N/A | N/A | C:\Windows\System\pGTZFiy.exe | N/A |
UPX packed file
(64 hits; description, indicator, process and target not recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_4930557623effb1a35293b5670f499e1_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\VNphNkF.exe
C:\Windows\System\VNphNkF.exe
C:\Windows\System\zucupGb.exe
C:\Windows\System\zucupGb.exe
C:\Windows\System\QpPsBRD.exe
C:\Windows\System\QpPsBRD.exe
C:\Windows\System\pRYaCxA.exe
C:\Windows\System\pRYaCxA.exe
C:\Windows\System\NegWAvQ.exe
C:\Windows\System\NegWAvQ.exe
C:\Windows\System\tlJeqON.exe
C:\Windows\System\tlJeqON.exe
C:\Windows\System\pxyZkLj.exe
C:\Windows\System\pxyZkLj.exe
C:\Windows\System\WVBsHjm.exe
C:\Windows\System\WVBsHjm.exe
C:\Windows\System\MHonMeB.exe
C:\Windows\System\MHonMeB.exe
C:\Windows\System\wWXcqll.exe
C:\Windows\System\wWXcqll.exe
C:\Windows\System\rBUGRlv.exe
C:\Windows\System\rBUGRlv.exe
C:\Windows\System\pSNyYiZ.exe
C:\Windows\System\pSNyYiZ.exe
C:\Windows\System\KtUwFKJ.exe
C:\Windows\System\KtUwFKJ.exe
C:\Windows\System\mGJrQKq.exe
C:\Windows\System\mGJrQKq.exe
C:\Windows\System\BdGzqdc.exe
C:\Windows\System\BdGzqdc.exe
C:\Windows\System\BNNYCwO.exe
C:\Windows\System\BNNYCwO.exe
C:\Windows\System\CjpBeuZ.exe
C:\Windows\System\CjpBeuZ.exe
C:\Windows\System\NAjGcZS.exe
C:\Windows\System\NAjGcZS.exe
C:\Windows\System\WWccVqK.exe
C:\Windows\System\WWccVqK.exe
C:\Windows\System\RdLhJWE.exe
C:\Windows\System\RdLhJWE.exe
C:\Windows\System\pGTZFiy.exe
C:\Windows\System\pGTZFiy.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | (none, direct-to-IP) | tcp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | (none, direct-to-IP) | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | (none, direct-to-IP) | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | (none, direct-to-IP) | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | (none, direct-to-IP) | tcp |
| DE | 3.120.209.58:8080 | (none, direct-to-IP) | tcp |
The 8.8.8.8 rows are reverse (PTR) lookups; none of the addresses they name is contacted in either detonation, so they carry little signal on their own. The only non-DNS destination, 3.120.209.58:8080 over TCP with no preceding resolution, is the same in both runs and is the network indicator worth acting on.
Files
memory/2200-0-0x00007FF6C01D0000-0x00007FF6C0524000-memory.dmp
memory/2200-1-0x000001CFA1D30000-0x000001CFA1D40000-memory.dmp
C:\Windows\System\VNphNkF.exe
| MD5 | 15b84986c0bdc2ad032bc750e92130b8 |
| SHA1 | f10eee3a36245bb21222bb4be0fdd312d5df19d9 |
| SHA256 | d682566929882d7ce28c955307400175df9a064a5a3f3ef83b51f92ef03af359 |
| SHA512 | 54bcb1a388074149d4c69b20292dc6a0ce75c2501810890e3ad2def41c8d6a1fad915dc38e2f594bb390e8e83f083f48bc0fd8d132435a7e5cf0ef26b2b78fcd |
memory/3924-7-0x00007FF7064D0000-0x00007FF706824000-memory.dmp
C:\Windows\System\zucupGb.exe
| MD5 | 75417884525d4f4bd9b890d3fa7e2dde |
| SHA1 | 7a09537ae56403ddb3bf6760cde2397430c5b228 |
| SHA256 | 5d0d1da7526c14bf8540bff8ff5b27d45549df550280048f776a215c8bb60f4a |
| SHA512 | d3264ac1b02e98266c8ae5449888e94ea9192465f14a50bf537ace93a3e3d88c13460740d28177dacb94cd9a4962ea211fae7ce32d8562728179621f40853fd0 |
C:\Windows\System\QpPsBRD.exe
| MD5 | dff190dcef9e3ca28e3d0b7acfc45011 |
| SHA1 | 22580bd031bda9fc22b1852c9a079633bce55b6d |
| SHA256 | c04b23b80104e5e40d673dfc9a32f2e7693e431afd957076e73912a3954e65c9 |
| SHA512 | 8040f0cea8e2a3789ba0b4ce494cf61b4f903d82535c94024107e1d4288041a10470aec715f837e55bc6f9e9d9d77ab013c9814a802e26bef69fe45bdd1cf612 |
memory/3744-16-0x00007FF743BA0000-0x00007FF743EF4000-memory.dmp
C:\Windows\System\pRYaCxA.exe
| MD5 | db8cef28ce644e5c6fd155b65d10957d |
| SHA1 | e6c60fa0185f2fc72ff9f027f136a426687f4cb0 |
| SHA256 | 9650c6811fa5f9740033db216ed17ae5360d14072e4a84f05c32c9a5a995b232 |
| SHA512 | 1e21fef7a2692391c9dedaecf062d65b71e5dc7323ca35444b0c737321eba403fba1d5393fd148d00eab4ab0cf46a7596c0908e902c3a8e34e6f1beae6fefc2f |
memory/3664-24-0x00007FF680340000-0x00007FF680694000-memory.dmp
C:\Windows\System\tlJeqON.exe
| MD5 | 2eee7a3a8b7f6c11991e68caa98e2636 |
| SHA1 | c6862c6c6e3705db40851fa92da8315d9ff9fe14 |
| SHA256 | cd069b17d8399912a292a60f863a5afc32d5025c4f2a6d26a2d1e1e71f3818f9 |
| SHA512 | e39707bcd6cb1102f42e9d53ffcc58bb8b75fd8dd77227a3f222afac493f3dc625f375ea34dc1f3b0f05c0d5380191f709bc59b6e8e53dfbe42a90de8b0bf079 |
C:\Windows\System\pxyZkLj.exe
| MD5 | efe3867ae8bf47a5638042e890dadd78 |
| SHA1 | 97bd856f0152f214ff47ae513c5d88dc891aa922 |
| SHA256 | 9cb251c29791cf03f8b9ae64731287181a8925cf664c2acbe4cf5b564e95aa87 |
| SHA512 | 3350f4bee28331d93abe990ce4683cb1348814035f6aa6254fed8b11fe92336b2e7462c434dcedd6fac661b2411eb2c39b4455684d145f7dfd189c80756287bc |
memory/3624-43-0x00007FF7FFAE0000-0x00007FF7FFE34000-memory.dmp
memory/4796-45-0x00007FF6A59E0000-0x00007FF6A5D34000-memory.dmp
C:\Windows\System\WVBsHjm.exe
| MD5 | 08ee50ad887f4bda3428f63d916c6585 |
| SHA1 | 60ae51a09b0d625ed81847c2e0cb6461b61a7015 |
| SHA256 | 827c98d2671dbd8f1ccd6b150be0e2510d7b4aafa332fa316527bd04a6c2f8d3 |
| SHA512 | aaab80a24a2b72281490188696ce0aa60075f2a6edab59d91d5fb26294f650d8a18524654f9b78c7d695697a9aacb9b68457c53ff8eb45a07467ceeb5ff3349a |
C:\Windows\System\wWXcqll.exe
| MD5 | 45a27921c0d78d331c25ab58846c64e5 |
| SHA1 | 964c5ffecd98332e5af37cbcc36f18feba8c5234 |
| SHA256 | c0274536766f49c20bf447c78a2698cd48657fd5b1a5caf23d20dba68848ec4c |
| SHA512 | 934a8dae2e7f6f01a13ce0c4eb19e5df6170cc05b12953e07e1e843af2f8098dbc426edc36a1acd2138273e4d3ab587db414c4ef857fc0f62477a06be9753266 |
C:\Windows\System\rBUGRlv.exe
| MD5 | 29d079a97150bc577336688c92d21d11 |
| SHA1 | 02f7a5e4b041ef6ee333d8c7bd1cc5c33b2d8154 |
| SHA256 | 89333e52b63469713f89273ef2cda0289f161c23a326ca69dde6d3e4bac00a7d |
| SHA512 | 69ece8e3c755bb248e93e9fdcb0487552dcfbfb907302a8909c782ef1029632ab81ee1b08d01b35df9ce07f2de09726c558cea8738096dbf668a145dd2de5f16 |
C:\Windows\System\mGJrQKq.exe
| MD5 | ee4840f86bfad812cf9d8853bacd40fa |
| SHA1 | 616f3bde61540da774b2128bae743ab21dcbead5 |
| SHA256 | b3ea258d92c33ab3b30b1e260cfb2ea98f7b80150406e645ba6898ddee377644 |
| SHA512 | 871681cea55f9703db63fc8437c7434345f22e069432d2ff19d050e5fef5e852d1616e3767f9428ae97cdfb31887a3efef6e80edd9d8259b204d6e95df99c562 |
C:\Windows\System\CjpBeuZ.exe
| MD5 | 9d25b8d8f2b50a500644e039b7845436 |
| SHA1 | 6df496df6c0034abcb379e9a31de851382970634 |
| SHA256 | 6e9426d3c6d507036997017dc33f74777800df7007a94086b5fcb13a0dd60c0b |
| SHA512 | aa7bcbecdc5850cd89d2a4a97a8b68781eb89352d2c88633bff2d8560b40475b1e9b8cbf12839c3a38f5355f5f66893122dadde27e07df8761d33d99a22f253a |
C:\Windows\System\pGTZFiy.exe
| MD5 | 546dd070e4b4082b43850c64a99f2353 |
| SHA1 | 2754cb44ae01cff430f13cca9fe6553007ab291e |
| SHA256 | 23eb989e3a25b2e7c347cb7f93b4634a87720241fd2e133fd73598b93c3a6a6b |
| SHA512 | 6155d95e22e328beff18e90cee8481600a0f620c28363dbc19cb85081033e9cc5752116bea7f28d42c7239a3eaf0520d20c82beb86d22293109b21d88f55bfdd |
C:\Windows\System\WWccVqK.exe
| MD5 | 87a5d324e273f41cfa12afed1e396f97 |
| SHA1 | 00dc613ce4f6065b926fe54fc77534c1148919d8 |
| SHA256 | 11f7950b124fc104d11bd696ea0e3b8b9418cff7838935a298dfdc6b3872b9a2 |
| SHA512 | 4d791331ed0d46f2186f7898c79fc0c0da80ea22e3aaf2b28d0c8f3c07cb57eebc2edad1ef0e157c2b74b119cf8571187b5d1325528435489261c08ff5ed20a6 |
memory/5072-118-0x00007FF7BD820000-0x00007FF7BDB74000-memory.dmp
memory/3540-122-0x00007FF78D6F0000-0x00007FF78DA44000-memory.dmp
memory/4240-127-0x00007FF7788D0000-0x00007FF778C24000-memory.dmp
memory/4072-126-0x00007FF71A070000-0x00007FF71A3C4000-memory.dmp
memory/3924-125-0x00007FF7064D0000-0x00007FF706824000-memory.dmp
memory/2200-124-0x00007FF6C01D0000-0x00007FF6C0524000-memory.dmp
memory/5052-123-0x00007FF7B49D0000-0x00007FF7B4D24000-memory.dmp
memory/3340-121-0x00007FF733AD0000-0x00007FF733E24000-memory.dmp
memory/5092-120-0x00007FF613C70000-0x00007FF613FC4000-memory.dmp
C:\Windows\System\RdLhJWE.exe
| MD5 | 5cf96fbefae11dfce518be67ee0b29fc |
| SHA1 | fe1d4b637d1bc8246a8672c2a255a27a7c625360 |
| SHA256 | 10020d80ec0d82a37398f1c2ea6025d5ba273340c4dd359ad9873df18d4aebf2 |
| SHA512 | bd6943e590cd822a93cb4f06226680a3039c0a82bb6e013faa2400f49045149eb74bd4b72bf61954c65d54d9f3755b084e15b3628a8cef863f0145b80af459f0 |
memory/1496-116-0x00007FF68D020000-0x00007FF68D374000-memory.dmp
memory/5096-113-0x00007FF60D260000-0x00007FF60D5B4000-memory.dmp
C:\Windows\System\NAjGcZS.exe
| MD5 | bc84cb434e076c3fc1f11c40c52fe6b5 |
| SHA1 | d6059ff23c5175cb9ab4494b1afd36f8716937b9 |
| SHA256 | 827c9408a0a2b76aaaa51f1e90c9bac080cbeed4db8ff37f828e55ae193784ab |
| SHA512 | bde828dfcfffc064a88aad96fac04b5cc37e7637deb2f5e1d6ec31bc04113d193addd576a9f63298bf12d480213f791111dd9482600c94fa665b1cd37de47aea |
memory/2572-109-0x00007FF622840000-0x00007FF622B94000-memory.dmp
memory/1956-105-0x00007FF7C4E50000-0x00007FF7C51A4000-memory.dmp
C:\Windows\System\BNNYCwO.exe
| MD5 | eb040bd9a74ad4262408d039e2a75f58 |
| SHA1 | 0d86c3ee7ff0299c88fa6d79d8f3a48fe4ce4e32 |
| SHA256 | 2b4aca42795fc87d3db8b515680045735f967a613d669b31b16e4902719d9177 |
| SHA512 | 801e61fa239c76e58dd83990229676acfdbb8903a127352ae79469ccdd6eaf98345e6ee862e486a4b5d3f4c7f49c41752b72e27928c17e0361a32683cf74d17c |
C:\Windows\System\BdGzqdc.exe
| MD5 | 55f42acef3ec86a7b1401e9d2e85a486 |
| SHA1 | 9821df35114f63dbed70cb0232792929dfe6d29a |
| SHA256 | e6abaed2b9ecf0195db256bec90b5303088712a9b5ed126cfd108e337ed9da0b |
| SHA512 | 3ab9842f3489db2fa7690304ea598c2cbae563c567f0b7d7b7d1552b8a64d0238bdab5ac2cafe5c685839a21eb0e64a340307cc0c1ddc0b5a25952dfe1145af7 |
C:\Windows\System\KtUwFKJ.exe
| MD5 | cb08dc976ba1ce87dd6ea7a7613f1fa0 |
| SHA1 | 0f6622688e0e260b3c5b07b5ba62fec8c8a83696 |
| SHA256 | 75d417e37dc2ab57092eed6b7f687ca07c4d8642a152706af9942f0a04f65d37 |
| SHA512 | b1b38bbb3d7ee9bc55e43f05d9260805a9958b93e5e4b0a15402872c49058be16b4faf57198cdb1733cf303be78db91da76ab5184367853a79802b3758f16cfc |
C:\Windows\System\pSNyYiZ.exe
| MD5 | 35ec7dc9ce508279474aed39de735ea0 |
| SHA1 | 60c4ab4d938e75b82f03357d5c9029eec356b1a2 |
| SHA256 | 944d662b23d6f51e66b02389813273258cadabaf05e3fcabb52778274e025fcc |
| SHA512 | 1cb8cbcf94a2dea5a71ac644ffd967a6cc38489360072538b14e9bacbafcb48e035a6b5783e69cb3d611e05319c9f177b93a361954d06c4b0e7f88f843815ea5 |
memory/2708-68-0x00007FF6616B0000-0x00007FF661A04000-memory.dmp
memory/1656-63-0x00007FF602010000-0x00007FF602364000-memory.dmp
C:\Windows\System\MHonMeB.exe
| MD5 | 2c65f78b21c2a65e14130e65d2bfed15 |
| SHA1 | b46d94d4795117f5a022377bee162fbbfa53287d |
| SHA256 | cad02de7b6aa66fb032d1287926896674243544476a9d57ef76cae4826452919 |
| SHA512 | 0fdd5bc2bd69ac36ada433c3c0a0bb06f641151457f73ac0b8daa9e72ebd64fe38fdc3eeb9708483344f701ae3a29ef33ab23946fafcf9808bbf6fc5c865719d |
memory/2652-38-0x00007FF680380000-0x00007FF6806D4000-memory.dmp
C:\Windows\System\NegWAvQ.exe
| MD5 | c1e5f626f430bf72f68df1e3f93109ae |
| SHA1 | cb9243b42dffc44f4d71faaf7ff3e1cde055e8a2 |
| SHA256 | af8a5a4be28b9ae3fd3664e53c44a54712546b70f0d3c6c66e16735e68e8c86e |
| SHA512 | f6c02e56deb11352174a7f0b27c65a7b5b49e504f35bcade8f4d014564b5b91b77b54978476b4a78f5279712b1b9873df10875a24772753172cda61ea36bb935 |
memory/2304-30-0x00007FF6CAF90000-0x00007FF6CB2E4000-memory.dmp
memory/1484-28-0x00007FF7F88E0000-0x00007FF7F8C34000-memory.dmp
memory/3744-130-0x00007FF743BA0000-0x00007FF743EF4000-memory.dmp
memory/3664-131-0x00007FF680340000-0x00007FF680694000-memory.dmp
memory/1484-132-0x00007FF7F88E0000-0x00007FF7F8C34000-memory.dmp
memory/2304-133-0x00007FF6CAF90000-0x00007FF6CB2E4000-memory.dmp
memory/2652-134-0x00007FF680380000-0x00007FF6806D4000-memory.dmp
memory/3624-135-0x00007FF7FFAE0000-0x00007FF7FFE34000-memory.dmp
memory/4796-136-0x00007FF6A59E0000-0x00007FF6A5D34000-memory.dmp
memory/1656-137-0x00007FF602010000-0x00007FF602364000-memory.dmp
memory/2708-138-0x00007FF6616B0000-0x00007FF661A04000-memory.dmp
memory/1956-139-0x00007FF7C4E50000-0x00007FF7C51A4000-memory.dmp
memory/5052-140-0x00007FF7B49D0000-0x00007FF7B4D24000-memory.dmp
memory/4240-141-0x00007FF7788D0000-0x00007FF778C24000-memory.dmp
memory/3924-142-0x00007FF7064D0000-0x00007FF706824000-memory.dmp
memory/3744-143-0x00007FF743BA0000-0x00007FF743EF4000-memory.dmp
memory/3664-144-0x00007FF680340000-0x00007FF680694000-memory.dmp
memory/1484-145-0x00007FF7F88E0000-0x00007FF7F8C34000-memory.dmp
memory/2304-146-0x00007FF6CAF90000-0x00007FF6CB2E4000-memory.dmp
memory/2652-147-0x00007FF680380000-0x00007FF6806D4000-memory.dmp
memory/3624-148-0x00007FF7FFAE0000-0x00007FF7FFE34000-memory.dmp
memory/1656-150-0x00007FF602010000-0x00007FF602364000-memory.dmp
memory/4796-149-0x00007FF6A59E0000-0x00007FF6A5D34000-memory.dmp
memory/2708-151-0x00007FF6616B0000-0x00007FF661A04000-memory.dmp
memory/1956-152-0x00007FF7C4E50000-0x00007FF7C51A4000-memory.dmp
memory/2572-154-0x00007FF622840000-0x00007FF622B94000-memory.dmp
memory/5096-155-0x00007FF60D260000-0x00007FF60D5B4000-memory.dmp
memory/4072-153-0x00007FF71A070000-0x00007FF71A3C4000-memory.dmp
memory/1496-156-0x00007FF68D020000-0x00007FF68D374000-memory.dmp
memory/5072-157-0x00007FF7BD820000-0x00007FF7BDB74000-memory.dmp
memory/5092-158-0x00007FF613C70000-0x00007FF613FC4000-memory.dmp
memory/3540-160-0x00007FF78D6F0000-0x00007FF78DA44000-memory.dmp
memory/3340-159-0x00007FF733AD0000-0x00007FF733E24000-memory.dmp
memory/5052-162-0x00007FF7B49D0000-0x00007FF7B4D24000-memory.dmp
memory/4240-161-0x00007FF7788D0000-0x00007FF778C24000-memory.dmp
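Two things in the Files list are worth extracting mechanically rather than by eye: the per-file hash sets for the randomly named drops under C:\Windows\System, and the memory-dump entries, where every image-sized region spans the same 0x354000 bytes across all PIDs even though each dropped file has a different hash (one PE layout, varying content). The script below is an added example written for this page, not sandbox code: it parses an excerpt of the list reproduced above (two files and six regions, constructed inline; the full section parses the same way), validates each digest, computes region sizes instead of asserting them, and ends with a hash-based sweep for hunting the drops on a host, where matching by name would be pointless because the names are random.

```python
"""Parse the sandbox Files list into IOCs and summarise the memory regions.
Added example for this report; the excerpt below is copied from the list above."""
import hashlib
import os
import re
from collections import Counter, defaultdict

# Excerpt of the Files section (constructed inline so the script runs offline).
FILES_SECTION = r"""
memory/2200-0-0x00007FF6C01D0000-0x00007FF6C0524000-memory.dmp
memory/2200-1-0x000001CFA1D30000-0x000001CFA1D40000-memory.dmp
C:\Windows\System\VNphNkF.exe
| MD5 | 15b84986c0bdc2ad032bc750e92130b8 |
| SHA1 | f10eee3a36245bb21222bb4be0fdd312d5df19d9 |
| SHA256 | d682566929882d7ce28c955307400175df9a064a5a3f3ef83b51f92ef03af359 |
| SHA512 | 54bcb1a388074149d4c69b20292dc6a0ce75c2501810890e3ad2def41c8d6a1fad915dc38e2f594bb390e8e83f083f48bc0fd8d132435a7e5cf0ef26b2b78fcd |
memory/3924-7-0x00007FF7064D0000-0x00007FF706824000-memory.dmp
memory/3744-16-0x00007FF743BA0000-0x00007FF743EF4000-memory.dmp
C:\Windows\System\BNNYCwO.exe
| MD5 | eb040bd9a74ad4262408d039e2a75f58 |
| SHA1 | 0d86c3ee7ff0299c88fa6d79d8f3a48fe4ce4e32 |
| SHA256 | 2b4aca42795fc87d3db8b515680045735f967a613d669b31b16e4902719d9177 |
| SHA512 | 801e61fa239c76e58dd83990229676acfdbb8903a127352ae79469ccdd6eaf98345e6ee862e486a4b5d3f4c7f49c41752b72e27928c17e0361a32683cf74d17c |
memory/3924-125-0x00007FF7064D0000-0x00007FF706824000-memory.dmp
memory/2200-124-0x00007FF6C01D0000-0x00007FF6C0524000-memory.dmp
"""

MEMORY_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HASH_HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def valid_hash(algo, digest):
    """Reject truncated or non-hex digests before they are used as IOCs."""
    return len(digest) == HASH_HEX_LEN.get(algo, -1) and all(c in "0123456789abcdef" for c in digest.lower())


def parse_files_section(text):
    """Return ({path: {algo: digest}}, [region dicts]). A hash row belongs to the
    most recent path line above it; memory lines are PID-idx-start-end."""
    files, regions, current = {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEMORY_RE.match(line)
        if m:
            start, end = int(m.group(3), 16), int(m.group(4), 16)
            regions.append({"pid": m.group(1), "idx": int(m.group(2)), "start": start, "end": end, "size": end - start})
            current = None
            continue
        m = HASH_RE.match(line)
        if m:
            if current is None:
                raise ValueError("hash row without a preceding path: " + line)
            algo, digest = m.group(1), m.group(2).lower()
            if not valid_hash(algo, digest):
                raise ValueError(f"malformed {algo} for {current}: {digest}")
            files[current][algo] = digest
            continue
        if "\\" in line:  # a dropped-file path; anything else is a header
            current = line
            files.setdefault(current, {})
    return files, regions


def region_size_summary(regions):
    """Count regions per size; one dominant size across many PIDs means every
    process mapped an image with the same SizeOfImage."""
    return Counter(r["size"] for r in regions)


def image_bases_by_pid(regions, size):
    """Distinct bases per PID for regions of the given size. The report lists
    the same region more than once (e.g. idx 0 and 124 for PID 2200)."""
    bases = defaultdict(set)
    for r in regions:
        if r["size"] == size:
            bases[r["pid"]].add(r["start"])
    return {pid: sorted(b) for pid, b in bases.items()}


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, files):
    """Hash every file under root and report matches against the report's
    SHA256 values, ignoring filenames (the dropped names are random)."""
    wanted = {d["SHA256"]: p for p, d in files.items() if "SHA256" in d}
    hits = []
    for dirpath, _, names in os.walk(root):
        for n in names:
            full = os.path.join(dirpath, n)
            try:
                digest = sha256_file(full)
            except OSError:
                continue
            if digest in wanted:
                hits.append((full, digest, wanted[digest]))
    return hits


if __name__ == "__main__":
    files, regions = parse_files_section(FILES_SECTION)
    print(f"{len(files)} dropped files, {len(regions)} memory regions")
    for size, n in region_size_summary(regions).most_common():
        print(f"  region size 0x{size:X}: {n} entries")
    for pid, bases in image_bases_by_pid(regions, 0x354000).items():
        print(f"  PID {pid}: image at " + ", ".join(f"0x{b:X}" for b in bases))
```

Run `sweep(r"C:\Windows\System", files)` on a suspect host (with the full list parsed in) to find the drops by content. Note that the 0x10000 region for PID 2200 at 0x1CFA1D30000 is a small non-image allocation and is deliberately left out of the per-PID image summary.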