Analysis Overview
SHA256
521e02eb3fa8e32014a9c2f0fcbd5bf91d3a1755824b7c32d5306c5b6ae241c2
Threat Level: Known bad
The file 2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
XMRig Miner payload
Cobaltstrike family
Xmrig family
Cobaltstrike
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
xmrig
UPX dump on OEP (original entry point)
XMRig Miner payload
Detects Reflective DLL injection artifacts
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 02:04
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 02:04
Reported
2024-06-01 02:07
Platform
win7-20240215-en
Max time kernel
134s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\djWQOJD.exe | N/A |
| N/A | N/A | C:\Windows\System\vJfrsxm.exe | N/A |
| N/A | N/A | C:\Windows\System\MswDvQR.exe | N/A |
| N/A | N/A | C:\Windows\System\gKQFtYE.exe | N/A |
| N/A | N/A | C:\Windows\System\IKRViOs.exe | N/A |
| N/A | N/A | C:\Windows\System\bdvzykv.exe | N/A |
| N/A | N/A | C:\Windows\System\JbJcTYM.exe | N/A |
| N/A | N/A | C:\Windows\System\QTpTOyC.exe | N/A |
| N/A | N/A | C:\Windows\System\cKzYILC.exe | N/A |
| N/A | N/A | C:\Windows\System\TBnVtEL.exe | N/A |
| N/A | N/A | C:\Windows\System\TEazTfk.exe | N/A |
| N/A | N/A | C:\Windows\System\YGRwUJw.exe | N/A |
| N/A | N/A | C:\Windows\System\MdZIYhY.exe | N/A |
| N/A | N/A | C:\Windows\System\kVgSBNe.exe | N/A |
| N/A | N/A | C:\Windows\System\yGZCCyj.exe | N/A |
| N/A | N/A | C:\Windows\System\zkXQfzP.exe | N/A |
| N/A | N/A | C:\Windows\System\QkPtSbx.exe | N/A |
| N/A | N/A | C:\Windows\System\eOBzpOz.exe | N/A |
| N/A | N/A | C:\Windows\System\YWWxhZP.exe | N/A |
| N/A | N/A | C:\Windows\System\wXgEYYx.exe | N/A |
| N/A | N/A | C:\Windows\System\iHZcopM.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\djWQOJD.exe
C:\Windows\System\djWQOJD.exe
C:\Windows\System\vJfrsxm.exe
C:\Windows\System\vJfrsxm.exe
C:\Windows\System\MswDvQR.exe
C:\Windows\System\MswDvQR.exe
C:\Windows\System\gKQFtYE.exe
C:\Windows\System\gKQFtYE.exe
C:\Windows\System\IKRViOs.exe
C:\Windows\System\IKRViOs.exe
C:\Windows\System\bdvzykv.exe
C:\Windows\System\bdvzykv.exe
C:\Windows\System\JbJcTYM.exe
C:\Windows\System\JbJcTYM.exe
C:\Windows\System\QTpTOyC.exe
C:\Windows\System\QTpTOyC.exe
C:\Windows\System\cKzYILC.exe
C:\Windows\System\cKzYILC.exe
C:\Windows\System\TBnVtEL.exe
C:\Windows\System\TBnVtEL.exe
C:\Windows\System\TEazTfk.exe
C:\Windows\System\TEazTfk.exe
C:\Windows\System\YGRwUJw.exe
C:\Windows\System\YGRwUJw.exe
C:\Windows\System\MdZIYhY.exe
C:\Windows\System\MdZIYhY.exe
C:\Windows\System\kVgSBNe.exe
C:\Windows\System\kVgSBNe.exe
C:\Windows\System\yGZCCyj.exe
C:\Windows\System\yGZCCyj.exe
C:\Windows\System\zkXQfzP.exe
C:\Windows\System\zkXQfzP.exe
C:\Windows\System\QkPtSbx.exe
C:\Windows\System\QkPtSbx.exe
C:\Windows\System\eOBzpOz.exe
C:\Windows\System\eOBzpOz.exe
C:\Windows\System\YWWxhZP.exe
C:\Windows\System\YWWxhZP.exe
C:\Windows\System\wXgEYYx.exe
C:\Windows\System\wXgEYYx.exe
C:\Windows\System\iHZcopM.exe
C:\Windows\System\iHZcopM.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/1304-0-0x000000013F100000-0x000000013F454000-memory.dmp
memory/1304-1-0x00000000002F0000-0x0000000000300000-memory.dmp
\Windows\system\djWQOJD.exe
| MD5 | 3ebdcf9bbe462cb4d2929daf55a55ef2 |
| SHA1 | e5f7020f652dee966131c12175280510db777ad4 |
| SHA256 | fe67f4ff1cb9638c003fbb01e58a6e86cd085053d16a218fa2204327994e6b42 |
| SHA512 | c0a742c939d1ca4f30a4d71a6e53430604672bede474c2e8d3ad6bdc5a7c12e14566f60ea32ed07edacedca797cfe46079cfe3f39fbaf7a02b8c108f60b63c1d |
\Windows\system\vJfrsxm.exe
| MD5 | b02c8f6df90339c93ff372a94b9c7830 |
| SHA1 | fa33660f768d7e84c4b38506afd0e427f7d9f264 |
| SHA256 | e39bb702bc35a20cdec1dadaed673c108a5ed0006ff6ee8de1039ccd8830f4cf |
| SHA512 | f4c63a597bff8eb7c17b506928ab68a3f988218ec88f40097e335c603e0bc5a576a58f85d20cf006293fe0d283bd6c508ff1afdf4002e91d48b77cb2cae77e24 |
C:\Windows\system\MswDvQR.exe
| MD5 | 7faef159d2b795a084961fd40457a0f2 |
| SHA1 | 5bf80e6af38bc9f3578504ffc29e96e98bff05a9 |
| SHA256 | 5482cc64a4d3b633d73b3781d6bf31990df4e5dd37dc052c1b0d2ecb7ef7a85c |
| SHA512 | e0091cd35abfbc9735afe1b16ebc6703a9bd4655153683fae66d82de944bc6d3ac4d12e6c1c989d90322f3edc5689e320e9721c95bf6598a541ccea6cc49f88c |
memory/2228-19-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/1928-14-0x000000013F1E0000-0x000000013F534000-memory.dmp
\Windows\system\gKQFtYE.exe
| MD5 | 5edc95c41352df745d11fc94215cccfb |
| SHA1 | 2d5eac6a417b9d161d4b98c943da4482fb44c209 |
| SHA256 | f08339f6b698f0ea12652886a37d9b6bcb0782cc203777509688b3af33795a75 |
| SHA512 | ec478228b7341659edfc422f421539720bd750ce809c0d869f8c9a8379dd2fcddbe2cce6fec75286465ce3bb4619ee4657954c590685332124a8b1a54fdd633d |
C:\Windows\system\bdvzykv.exe
| MD5 | 159d6aa695450505cce18401e180fb51 |
| SHA1 | 024219211a650c09a26d6a21f92da6361a114d42 |
| SHA256 | e6344ad7fd57b243bc88ad6961bcae0ae6c5cd7d29547878ad58161a0b5e7f83 |
| SHA512 | 9442ef38edf91a8c6c12c7fad00a77ceaa2514673d2e23c2357b9bd79ea8a45d2c0beae482fdb8c3707efd64a943c23c7cd9dd6aa1f6baeba6d2c79f087e06f3 |
C:\Windows\system\IKRViOs.exe
| MD5 | 212d5697787befa685d0f6ce5f1e15f4 |
| SHA1 | 967f62ba8e1beaf7331ed4b09d30e5bac576a20b |
| SHA256 | 2125fd05c52e50554edb79cc9329568747ccbb62c9d0295b56853bf1a7f247db |
| SHA512 | 5565e5197c265b6f5ee8326a0f0126ef99aafdcf5008d0259a0802f87d524ca1e8bae1a71abdfdc3fee08066d0dae14e62dac1d89e1b0a80e1bb8e4375e90f23 |
C:\Windows\system\JbJcTYM.exe
| MD5 | a235a6cbf0d20548dc5474d08a90a7c5 |
| SHA1 | b98e459849f312132ff7c0946dbd47ffdda7bc29 |
| SHA256 | 4747ec6a9cccb1d4390d88dd6d88eaaf7e2ddfc5ef64995c8d76d04fbae125ad |
| SHA512 | d8062fb7aa3aab5f167d225213450a6b63af287a0b04c9f9371358c5c4295c869bfa6a0d7bb7c7e824a9b31e16254afb78383cd2a602f20f7826ac11872c2de3 |
C:\Windows\system\QTpTOyC.exe
| MD5 | c62f9ed1721aad55df458ceb6c561117 |
| SHA1 | f8c7628e40ea386299f0fe3eb1f8616573c099c8 |
| SHA256 | 5260706293ec8f25759447b85e036a1dd0c1f1d244fad04bbec74ba0a29b743e |
| SHA512 | 4762d833df310cebdd5e73101f0603e74ee58cc27841fcf65df9d2520956945d868791fe4e5b7863366d173cefae5b8c019018a0246fdeaa24c02cb13ed120a6 |
C:\Windows\system\YGRwUJw.exe
| MD5 | 13b9829a63721d108f227331e42c2677 |
| SHA1 | 4b72e1f3f307b37c959dc9dd7c6c18592217478b |
| SHA256 | 15b10a7ad6123786bf3524cba3b38415b9d041c65ccf562d35ad1229495e3e81 |
| SHA512 | b53ea19e967e7819d9344b3c08c6ea64035d51df9ae6764fc0a98ed090496b30f9e1a1a90b756e4a0e3139f38ca8bbbbd335ce633d7bf31c9968aec354afdf51 |
C:\Windows\system\zkXQfzP.exe
| MD5 | f7fef8a24cb21a9a2fe16ac61a792297 |
| SHA1 | 221b7d9949c6c4cb1f22e010ce4675598cf0a5ce |
| SHA256 | dfd57cdd1533da7cb5992e2baeca8d1c4612d31df913ff20134c9b2531ea6c10 |
| SHA512 | f1c1d99fc49e3206548eb92b0be2b4009edfb0cbd7dd31f2749d805163b8e53220e76911219b97f186eaf379cb1a417b18e361306862101866457dea34a2383a |
C:\Windows\system\wXgEYYx.exe
| MD5 | 25b5646c577b367706a039cff906d39c |
| SHA1 | 8db28faa3a4dfbb5dba9ba6f9420a5f956f9570f |
| SHA256 | 3c47a531cb89a203c682c6bf8047f14bfd5a7072e26a2386ec4630dd0bd6fadb |
| SHA512 | 9f40e4b428914db0482002a7373e57dbe08e1eb6ebacec74f3cd98b744d27da2d1b85caf1ae469149f114f26fea0ea4dc388f85d0d40df997f84bf957d6b64d8 |
\Windows\system\iHZcopM.exe
| MD5 | cba6520b92fd9f1cc4443ae12d812598 |
| SHA1 | bbe48566e6c38cac0d087a38c560c4c6628a71b2 |
| SHA256 | e116c773ff05d59a0c6d45bf27480f4636804e371ef2228515712b2785701485 |
| SHA512 | 574089e9ebfb639e2bea2a9af2f3d5e55b97db937333bbdfb9474b9f6fd327ceae2fc43b7b9ee04ee8baaebc04c7f277b4c17a0401b7b5956d604470359eb78b |
C:\Windows\system\YWWxhZP.exe
| MD5 | f38699f49bf012c3d04ff7e1c3d2fabc |
| SHA1 | 03d67e5e117d79bdf6fc43040cbe3a581633cf33 |
| SHA256 | a5ba8f66551a6ad132ac905937350de5b66a514f1ac36a7929dfeffc3f9a7da9 |
| SHA512 | d027f8dbe342f83c79378788ee712a96949db75d6f4a57be8ebeeeee13c4dc1b20ef86958eda72d963fde99afc8b7d742a73861162ae271131555825163f15e1 |
C:\Windows\system\eOBzpOz.exe
| MD5 | 43b7cd297590145213522a668f5ffda7 |
| SHA1 | 18625fc647217a6af15dfd5be57051b707df9945 |
| SHA256 | 981c608f02b824b2d3d4552cf0556aee5460e01bd7e5de162f24598a0121a32f |
| SHA512 | c942bf16ea0848f75ffc7608fa5827a2f2c8ad6f560cb28cc0136c455eb39647a9e3e038e5daa421be696bd743637422f64c29c5cf80535325ffb1323d4d5564 |
C:\Windows\system\QkPtSbx.exe
| MD5 | 625d29df2ca2feaae507df058bf330a9 |
| SHA1 | a1f918c0cf6ea0259964029250dec00b610eb93e |
| SHA256 | 6bb6b7382107a68f3109361f55c30359be0073ee7df439b8df24631f05965a5e |
| SHA512 | 9fd9d11fa6006cc9f687494f7bc293db8ee7ed203a68df7490d9051c5993d18f9161aabba7aea5ec5e292f056cbac171f985d91d6a994453b9f24da83bdc09a6 |
C:\Windows\system\yGZCCyj.exe
| MD5 | 1d4b43a6ccebf2efa629e67385639f2d |
| SHA1 | 641e49c8b439a28d49fa1577db85d4a6135a56fb |
| SHA256 | 610d0d55336581ae703ef2da131605f765073242f04eb4fbeeb87e214c32958f |
| SHA512 | 10dab65133b99ea892528c6ad875f5a826ae873c4a010d492febda795f19c4d41b0f46a5b1d09f364866d93dec2445fca3a973d9d3743a4aa368003f6d9ca995 |
C:\Windows\system\kVgSBNe.exe
| MD5 | 094974cca21c67a71157a6935ebc2f92 |
| SHA1 | 4b3a8ddf8b2b8981f3c87f5d6247928a3d7018e4 |
| SHA256 | 987bdb929630af6657a475ef49df21143d23f0a4edcd6718e9cb95b23250caa8 |
| SHA512 | a8e3fcb2dedc22841dd67bd38d2b653d5023876d7893704efd7a2a9b11b2974c78549eda849a67e65d3ad7cef0312b45a13f68f3689b208b96cc2642d5c004c3 |
C:\Windows\system\MdZIYhY.exe
| MD5 | fb3617a50710325925bb5a0619a0b629 |
| SHA1 | ec09c899a9c8d1fcb952c01cfdf884f0c5543219 |
| SHA256 | 9154da2af1d927d97ea08397c99bc536811f6e557200b87d1fec606aa7eb4d69 |
| SHA512 | 64eaa633af831840af703e5e8c29ecd8891e2d987a4a579d3b0585fdedfcfa3fa09f4b4eba2e1897fc2adca20e923e7446e2e39b72cc6afb6c7a04bd894ed65c |
C:\Windows\system\TEazTfk.exe
| MD5 | 6cdd8fe2c466e526bd98dbce0e839c34 |
| SHA1 | 350332dbc6de128298b340bf43ab72cd5ff90aaf |
| SHA256 | 42bb33c91334043bd10fad66624718ea8ea8f18987a1d274d7e98d76bab90c4f |
| SHA512 | 3465061b2150e839b2f54f9f4a001cfe7b766697e747766f8906ef0bd322661e9724416f812afcd47f9e6a1adfd4ce47594a72df83f9a9ee545cd516a98e687b |
memory/1304-113-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/1304-112-0x000000013F580000-0x000000013F8D4000-memory.dmp
memory/280-111-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/1304-110-0x0000000002330000-0x0000000002684000-memory.dmp
C:\Windows\system\TBnVtEL.exe
| MD5 | c5001616004d4390ac3ffc0fe072d7ea |
| SHA1 | 1dbd9915564cbfd40b2febf0bb75753a38c1d5cb |
| SHA256 | 5f5c774438ed1373acfa1331d809f911f23475c36594167ccbb65ee27c1d0309 |
| SHA512 | 392a4c3dfa9f0eb9587a8fa35138ad7ca407577947152f3182bd3ab291649fd49be8f48e386372c157d5394539d61794688e05d134dc05051a892fb6d95ee01a |
C:\Windows\system\cKzYILC.exe
| MD5 | d28bf9db159ae8e51b5783192f7428b9 |
| SHA1 | 7de6eada86a8c0da46e1b473be4508e41a69e090 |
| SHA256 | 4c47a484dd552d335562421aa6b3b3c60894a39fc18f4e5520f1b32c58bdb873 |
| SHA512 | d10e3ca445a33a506ebb473399c60afd929fc9ba513fd206b007a2898f2500642422055d6ed78f8fb814e963c50aef6ac8de7807ccbfcb83668c46046f5658fc |
memory/1304-12-0x0000000002330000-0x0000000002684000-memory.dmp
memory/2136-114-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/2652-115-0x000000013F600000-0x000000013F954000-memory.dmp
memory/1304-118-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/1304-122-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/2704-125-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2256-127-0x000000013FB30000-0x000000013FE84000-memory.dmp
memory/2464-129-0x000000013F2D0000-0x000000013F624000-memory.dmp
memory/1304-130-0x000000013F4A0000-0x000000013F7F4000-memory.dmp
memory/2012-131-0x000000013F580000-0x000000013F8D4000-memory.dmp
memory/2564-128-0x000000013F040000-0x000000013F394000-memory.dmp
memory/1304-126-0x000000013FB30000-0x000000013FE84000-memory.dmp
memory/1304-124-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2612-123-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/2584-121-0x000000013F900000-0x000000013FC54000-memory.dmp
memory/1304-120-0x000000013F900000-0x000000013FC54000-memory.dmp
memory/2556-119-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/2684-117-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/1304-116-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/1304-132-0x000000013F100000-0x000000013F454000-memory.dmp
memory/1928-133-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/2228-134-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/2136-136-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/280-135-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/2012-137-0x000000013F580000-0x000000013F8D4000-memory.dmp
memory/2556-140-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/2584-141-0x000000013F900000-0x000000013FC54000-memory.dmp
memory/2652-139-0x000000013F600000-0x000000013F954000-memory.dmp
memory/2612-142-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/2684-138-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/2256-144-0x000000013FB30000-0x000000013FE84000-memory.dmp
memory/2704-143-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2564-145-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2464-146-0x000000013F2D0000-0x000000013F624000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 02:04
Reported
2024-06-01 02:07
Platform
win10v2004-20240426-en
Max time kernel
144s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\qIOtdLR.exe | N/A |
| N/A | N/A | C:\Windows\System\JBFzBau.exe | N/A |
| N/A | N/A | C:\Windows\System\oLRXEGe.exe | N/A |
| N/A | N/A | C:\Windows\System\xanDRnO.exe | N/A |
| N/A | N/A | C:\Windows\System\cWxtIcm.exe | N/A |
| N/A | N/A | C:\Windows\System\tXNCKPs.exe | N/A |
| N/A | N/A | C:\Windows\System\xDyJnap.exe | N/A |
| N/A | N/A | C:\Windows\System\uMqKLXA.exe | N/A |
| N/A | N/A | C:\Windows\System\lrZppvC.exe | N/A |
| N/A | N/A | C:\Windows\System\fUwMWcX.exe | N/A |
| N/A | N/A | C:\Windows\System\MIymbDQ.exe | N/A |
| N/A | N/A | C:\Windows\System\YzACIjm.exe | N/A |
| N/A | N/A | C:\Windows\System\mDuMJMc.exe | N/A |
| N/A | N/A | C:\Windows\System\lyClhaA.exe | N/A |
| N/A | N/A | C:\Windows\System\lOIkzwG.exe | N/A |
| N/A | N/A | C:\Windows\System\krUoYdK.exe | N/A |
| N/A | N/A | C:\Windows\System\fvuuKQa.exe | N/A |
| N/A | N/A | C:\Windows\System\TzMHeCe.exe | N/A |
| N/A | N/A | C:\Windows\System\ZlPwDvw.exe | N/A |
| N/A | N/A | C:\Windows\System\EdLTCKR.exe | N/A |
| N/A | N/A | C:\Windows\System\UpEALZr.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_90047872f2c0969d6b491d0868202ed4_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\qIOtdLR.exe
C:\Windows\System\qIOtdLR.exe
C:\Windows\System\JBFzBau.exe
C:\Windows\System\JBFzBau.exe
C:\Windows\System\oLRXEGe.exe
C:\Windows\System\oLRXEGe.exe
C:\Windows\System\xanDRnO.exe
C:\Windows\System\xanDRnO.exe
C:\Windows\System\cWxtIcm.exe
C:\Windows\System\cWxtIcm.exe
C:\Windows\System\tXNCKPs.exe
C:\Windows\System\tXNCKPs.exe
C:\Windows\System\xDyJnap.exe
C:\Windows\System\xDyJnap.exe
C:\Windows\System\uMqKLXA.exe
C:\Windows\System\uMqKLXA.exe
C:\Windows\System\lrZppvC.exe
C:\Windows\System\lrZppvC.exe
C:\Windows\System\fUwMWcX.exe
C:\Windows\System\fUwMWcX.exe
C:\Windows\System\MIymbDQ.exe
C:\Windows\System\MIymbDQ.exe
C:\Windows\System\YzACIjm.exe
C:\Windows\System\YzACIjm.exe
C:\Windows\System\mDuMJMc.exe
C:\Windows\System\mDuMJMc.exe
C:\Windows\System\lyClhaA.exe
C:\Windows\System\lyClhaA.exe
C:\Windows\System\lOIkzwG.exe
C:\Windows\System\lOIkzwG.exe
C:\Windows\System\krUoYdK.exe
C:\Windows\System\krUoYdK.exe
C:\Windows\System\fvuuKQa.exe
C:\Windows\System\fvuuKQa.exe
C:\Windows\System\TzMHeCe.exe
C:\Windows\System\TzMHeCe.exe
C:\Windows\System\ZlPwDvw.exe
C:\Windows\System\ZlPwDvw.exe
C:\Windows\System\EdLTCKR.exe
C:\Windows\System\EdLTCKR.exe
C:\Windows\System\UpEALZr.exe
C:\Windows\System\UpEALZr.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/1164-0-0x00007FF61C6B0000-0x00007FF61CA04000-memory.dmp
memory/1164-1-0x000001C82E3A0000-0x000001C82E3B0000-memory.dmp
C:\Windows\System\qIOtdLR.exe
| MD5 | c96fda308b100c2cdcf4f57b1f29ae75 |
| SHA1 | 41d44c381ebe2516a33f9bb04a1f3ea8028197c2 |
| SHA256 | efa5eb0b687138c6bb09d321b1113eca024a052220d54dd40d241a7a0dab6d1a |
| SHA512 | 50365b7ce8c45541f61ca1a0cfef01b6e15305f99d7f04921b0d9332238f5d135a1a9d92434bba37bf193bec75d42932dd5378c89ab0588275327955a49b9b81 |
memory/1280-8-0x00007FF6EEE30000-0x00007FF6EF184000-memory.dmp
C:\Windows\System\JBFzBau.exe
| MD5 | a9d8ff8800a40a402e2e8ca9418b6b98 |
| SHA1 | 595a6f50c33025693bd5247ad0ca05c64eb277a5 |
| SHA256 | 82508a753347412e5f709a29bca9e36c969bae150cd922acfae3988de3c0925b |
| SHA512 | 06cf4df22152d1e67cf7cc7a544ad049ea0aab213c62020cd6ecbbffce72b18a3840e3573f78a4c230ab136ee453abf87826382cc6e34f90e9c20517120e8928 |
memory/1960-12-0x00007FF6E38A0000-0x00007FF6E3BF4000-memory.dmp
C:\Windows\System\oLRXEGe.exe
| MD5 | 8e03bf1f8c60cdb2396090e6567c19cf |
| SHA1 | 8cfdacad918420e1389b33f75e3b4de20b7dc144 |
| SHA256 | 48e694e3693d4e8d516396b3610fdfceeece9771bbafe845732e5fee5e2bff87 |
| SHA512 | e3fc87322b315eb163096ab800f547a9d5013a1d7061b93858cce31f65f80bb2f8224a643fad868eb8023de7d8a2565597075c7a382899b2fdb89386b4c073b5 |
C:\Windows\System\xanDRnO.exe
| MD5 | efdde6babf1b66668635aab3341b2416 |
| SHA1 | ef4ef910c99ce54c06350e9681f7696b414657ea |
| SHA256 | 2b07a3f60dc76dc38fc99fa90ed298e6847a34efaf0aebc0008d99faaa105c32 |
| SHA512 | 33aef3e830dfafec094accad70b2058af1726fd0139c4c6be6edca5f896476a5437488bd07a00639966b23559ff463279ea59d00c9081fa0db9430a04868bd04 |
C:\Windows\System\cWxtIcm.exe
| MD5 | bc0ede90b798c35a516a21964670236c |
| SHA1 | 0b9f8b3d2e563221d06ae4f12c9cfc944f768972 |
| SHA256 | ad856135592cdc6230e7b362d06277057bb6dfc5b0753c022732031888632fe4 |
| SHA512 | 85d6b4f0311e2997fcfce559e4abc1daa2723d02d2ab2fc9674bddf80a341af567224d0aff173914b98d83fd2207eabde3309912128f3cd94c43725e87be08a6 |
C:\Windows\System\tXNCKPs.exe
| MD5 | 46d9b68f3f6bc2761f0def51e0553fc2 |
| SHA1 | a948eccb4301593eb420d089dfde6123d3611c93 |
| SHA256 | fbce5acf0c681247d8155b7ac3519b7de2cfdd404cac31404513e928c858d7fb |
| SHA512 | c551e8b3a0301147030f151da0541b6658be9582da4735490584daf6cbc4f086ac238a90e805750dd77079033fee792a786c0116c8d5c73adcd696cbf734c8ea |
C:\Windows\System\xDyJnap.exe
| MD5 | cab3a51afebff338b6d2d23c3ebcaf88 |
| SHA1 | a30a612f21729962a6fe32bf1b2e53cf631bba9a |
| SHA256 | e1e8a1b32edf3bb71a171f412d3a4116bc38857bd9e9f4a48f6cc8ee37c8fe03 |
| SHA512 | 14eb22eec7a1b6f750028929f95e7f860f1dcfa704a691dd1677d6c5272b9c67bfc30e09f2621a67e7ee9cb533f150b4b5703ee1217e48d44aa346f2a0e0a105 |
C:\Windows\System\uMqKLXA.exe
| MD5 | db85d91f87fe8dfadab46603f00cbdac |
| SHA1 | 1c5fab9ad894e9ceeb11fecbf38098f332d01ab1 |
| SHA256 | 6ce83122dcb370cce6e387788373f4407f11cb06daf2262686b3e3e9086d8016 |
| SHA512 | 879ba2af4f54d0b59cf08530abab79ab632ab444a380d888d457996b26189c03b245a58d62d292369768e39e2e04d3da2728074ed7e03a05e7b591d092e1e5ec |
C:\Windows\System\lrZppvC.exe
| MD5 | 517ecc25db1408227d63448e3f109b50 |
| SHA1 | 7c6f7b3a50dfe12cf469d2ea7d60b0068f466911 |
| SHA256 | 7a1f7a9bdc1f71d7c95fc48b75c513c86ad625868358355fbe3b3835df731b94 |
| SHA512 | d06da86a33400ca0c13e81c716fdf725eecf2b8fa834ddc5272e4891ef04dd26cb726c81a1c60dc67c287e6de6113160e4dbd27e32f400f91ca1073cbc373e40 |
C:\Windows\System\fUwMWcX.exe
| MD5 | 35e6869f514b905ed83a0b7999cb4c94 |
| SHA1 | 207c13318089616b81c73729c01ca328c7175aaa |
| SHA256 | c636c535318ff4c286d2e510a2cce1955b2e7e461c48b781e40034773f6d093c |
| SHA512 | 46c5ad107f5009ae84f9bdb32064ea1bf15a88ba7bbe12192f7a98d57b9f8a7c230ef4e3c075a0f7292dc6869c694a22aa6161f147f03f9acdeab31e60417d88 |
C:\Windows\System\MIymbDQ.exe
| MD5 | d2e6e085a9b463b53dac57cbb2c7166b |
| SHA1 | 161d35fe2aac2b1edef0036c77aecb56f6cb6c99 |
| SHA256 | f2ad287d4e6e4a8bd6a426c1f7a45aa8c0a7e4471f1308b9ed9d1237cbfb5a02 |
| SHA512 | 4e01dd5f6e9d894aa77d053dfc5cd01212cde5876f4c19db652f09dfff5da8853a1e893e82aa62d5d985197067220484324cc793d369332f1026923c3732aa99 |
C:\Windows\System\mDuMJMc.exe
| MD5 | ab38304fc9c20e4b86ab0194732d046f |
| SHA1 | 21d90ab70b60c8c1f86c96c9722f420948dfe2ae |
| SHA256 | e53b090858d65bec5be5a1b4acf0e46f63023119f21b85a6c8aba328b414edcb |
| SHA512 | 2c4bb4e7e57e63dd7bc3e1f1dcd78566ee7989731f062b917751066cb1595b9f3ca2669ded5d8b280a1690ff5876d5ce79cfbadf08e11b8756a4cc6e2354dbdf |
C:\Windows\System\YzACIjm.exe
| MD5 | b368bc9ec7471d9b934b8d3c0c52fbeb |
| SHA1 | 162c0ce7bfe9ef6196b7944eb0233b73d29493e6 |
| SHA256 | 849f397ba9ac3a064a3be0dd127517b81b78669d39821c5d299c2b7a346a319e |
| SHA512 | 4d2570255c46543a91d8d46ff76fc0401c905ccac24799511465e5d57389841d89d99393b2f22c8510986bc60db5625d887e62c1eff846d7997f031b0850f2f0 |
C:\Windows\System\lyClhaA.exe
| MD5 | cdbb9db60f39383239b2dbdd8b7f7147 |
| SHA1 | 28c3aff6a2a6c06fa490ab8cee38c2238f77c8e8 |
| SHA256 | 1ab2b461867f7ff0576e7b94d6372a0057bcd0821a76521791304b952d0a3020 |
| SHA512 | c9c98a7edd5756fce84dd22e6d6376968ff5bfa9eea00a203198e7dfa37739331100333fea522fe5501ab39e5056dac9b48ed4f10501d027f44f5bf6e6ac51c9 |
C:\Windows\System\lOIkzwG.exe
| MD5 | c74ba07d3e2c5e6aea0a3211b39a3bb2 |
| SHA1 | 582a4d790c74e22d91670c6fac9cff0cdaf4c6e6 |
| SHA256 | e9ca328fbdd3c453e19ea3e521ab57ea226866239d3d1e3aca739684da931d27 |
| SHA512 | 07975343c023e5c58b76ab2f58507a2fcd3f301f5afc8235d77887f77a02f1269a1e669c531cfdc94408055e3c0077ea5487b976a3024961cfd7848fdbf1839f |
C:\Windows\System\krUoYdK.exe
| MD5 | 5f6b6369a522b7f6c460cc5996cb6969 |
| SHA1 | bf0617e3a1ae8c9a1442cf68979aa4a1da50e0a4 |
| SHA256 | 4e3e14f6cddf35780070532de9bf3752452de2ae6abbc24300fd521e84be7f5c |
| SHA512 | 978fe8af9d3afeb563043872f4c3b2eeb9dbdb8fe77d1eb63228252daed32d27e10b2aab55144df90887b8aaf370e48827875670d75b36505d8b0b0b0949a581 |
C:\Windows\System\fvuuKQa.exe
| MD5 | bbd5b2ef9f02f4fe684bd8de4f5ad9e6 |
| SHA1 | 200bc677b6f86067c7bca0ce168c08f9e2650775 |
| SHA256 | 66fa6a2b19ab4e26a33ab3613b08379019134440a7bd7acae00d140b1d6af315 |
| SHA512 | c59b9363594a9ff644fd1da25e39834cade7c2f5888819419bc5c31d9369a6da849aff6a72a5463f13ecae07bcf7ad043199eac24577383096aff77c4820ee2f |
C:\Windows\System\TzMHeCe.exe
| MD5 | 9701861d0834556b62382f6c2cb44623 |
| SHA1 | 6cbf15a1c1a0c363cfa44e102664aa3ddfe505b3 |
| SHA256 | 3db2fc801534166c97f630b92a2cda14e42c830095da15e285e04fc72a13ff08 |
| SHA512 | 4a29910a1a11d0c256d249afa9ae669ae09be2431d13bcb18584af8230f1bbd95afdde22f10d439f6991f63f475fd92e08823131d2e8a3b1defa8f191a6d7d2e |
C:\Windows\System\ZlPwDvw.exe
| MD5 | f3d49e40271062090f7fe504fbc7f267 |
| SHA1 | f5e54e27e2c69238f5fbac7090b4ed6e9854e9e4 |
| SHA256 | c0d7db5370ee09115efdd4f5fe0f44d988765d20f83c05e62e874cc5a676dc10 |
| SHA512 | 84d57abbff487a5635972d305e9a40936ae51dc9753416d50f9a47c57bb78dcebcecef66afc11af15290200ee5a08e00277e186cc6f6e7c48839f91e808045e5 |
C:\Windows\System\EdLTCKR.exe
| MD5 | 27052b12168f4f522e153da35ae8bef9 |
| SHA1 | 199fab6f5682f74346b365059b112e85bd54935d |
| SHA256 | c33d7117d8b3deab24e3fc9579a1459bad40a0569c267ed8ba5552fd22ac3e56 |
| SHA512 | fcbeae439169df4bead7c091d6464ed1d6d07578b8856d2dc216ee3a7243b209a5503a44e9c7bc3d6cdff1243f8846bfd14f1b491a0c4417c9ad00e9190d6577 |
C:\Windows\System\UpEALZr.exe
| MD5 | 579cc1f1dcf541603209e769bf35fda5 |
| SHA1 | 6068c37ad72da3279621ea35013e19a08d6254fc |
| SHA256 | 744673dbe1813a95244521bb2924f19a2e3706da8c05c89cfe459d2398b1c855 |
| SHA512 | 28b97eb11c57fdd3461ab7651566e34255bf7f4579435b8b880568f695b003761452fb5643971be6466dc6b02a9bc736adfc83d34fca828cecccef92a6626ec3 |