Analysis Overview
SHA256
d50c18e056a3c90b312b78c6b2ba54d7e20a9eaf4bc2bba24ee9e874b4b37311
Threat Level: Known bad
The file 2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobalt Strike reflective loader
Xmrig family
Cobaltstrike
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
xmrig
XMRig Miner payload
XMRig Miner payload
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 02:24
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 02:24
Reported
2024-06-01 02:27
Platform
win7-20240221-en
Max time kernel
136s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\cusrzAq.exe | N/A |
| N/A | N/A | C:\Windows\System\fuOAqHw.exe | N/A |
| N/A | N/A | C:\Windows\System\UJPTpfz.exe | N/A |
| N/A | N/A | C:\Windows\System\RvLFjJU.exe | N/A |
| N/A | N/A | C:\Windows\System\IHQRjGv.exe | N/A |
| N/A | N/A | C:\Windows\System\MbKGhXK.exe | N/A |
| N/A | N/A | C:\Windows\System\CHooSsD.exe | N/A |
| N/A | N/A | C:\Windows\System\hjTKQRv.exe | N/A |
| N/A | N/A | C:\Windows\System\jhYwaqQ.exe | N/A |
| N/A | N/A | C:\Windows\System\DTKwMMT.exe | N/A |
| N/A | N/A | C:\Windows\System\nFMYavN.exe | N/A |
| N/A | N/A | C:\Windows\System\JpWatoj.exe | N/A |
| N/A | N/A | C:\Windows\System\ipzSUIH.exe | N/A |
| N/A | N/A | C:\Windows\System\pRukAJJ.exe | N/A |
| N/A | N/A | C:\Windows\System\SKyjBRY.exe | N/A |
| N/A | N/A | C:\Windows\System\XNuiYTO.exe | N/A |
| N/A | N/A | C:\Windows\System\nQjqyUb.exe | N/A |
| N/A | N/A | C:\Windows\System\JErmZRZ.exe | N/A |
| N/A | N/A | C:\Windows\System\FYFXpVS.exe | N/A |
| N/A | N/A | C:\Windows\System\zDZFTKq.exe | N/A |
| N/A | N/A | C:\Windows\System\wliKoKl.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\cusrzAq.exe
C:\Windows\System\cusrzAq.exe
C:\Windows\System\fuOAqHw.exe
C:\Windows\System\fuOAqHw.exe
C:\Windows\System\UJPTpfz.exe
C:\Windows\System\UJPTpfz.exe
C:\Windows\System\RvLFjJU.exe
C:\Windows\System\RvLFjJU.exe
C:\Windows\System\IHQRjGv.exe
C:\Windows\System\IHQRjGv.exe
C:\Windows\System\MbKGhXK.exe
C:\Windows\System\MbKGhXK.exe
C:\Windows\System\CHooSsD.exe
C:\Windows\System\CHooSsD.exe
C:\Windows\System\hjTKQRv.exe
C:\Windows\System\hjTKQRv.exe
C:\Windows\System\jhYwaqQ.exe
C:\Windows\System\jhYwaqQ.exe
C:\Windows\System\DTKwMMT.exe
C:\Windows\System\DTKwMMT.exe
C:\Windows\System\nFMYavN.exe
C:\Windows\System\nFMYavN.exe
C:\Windows\System\ipzSUIH.exe
C:\Windows\System\ipzSUIH.exe
C:\Windows\System\JpWatoj.exe
C:\Windows\System\JpWatoj.exe
C:\Windows\System\SKyjBRY.exe
C:\Windows\System\SKyjBRY.exe
C:\Windows\System\pRukAJJ.exe
C:\Windows\System\pRukAJJ.exe
C:\Windows\System\XNuiYTO.exe
C:\Windows\System\XNuiYTO.exe
C:\Windows\System\nQjqyUb.exe
C:\Windows\System\nQjqyUb.exe
C:\Windows\System\JErmZRZ.exe
C:\Windows\System\JErmZRZ.exe
C:\Windows\System\FYFXpVS.exe
C:\Windows\System\FYFXpVS.exe
C:\Windows\System\zDZFTKq.exe
C:\Windows\System\zDZFTKq.exe
C:\Windows\System\wliKoKl.exe
C:\Windows\System\wliKoKl.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2948-0-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/2948-1-0x00000000001F0000-0x0000000000200000-memory.dmp
C:\Windows\system\cusrzAq.exe
| MD5 | d1549a42f9a3ac32737ecea9a20a1374 |
| SHA1 | 798618366d8682f636ed2b0b3956bc5785fec1af |
| SHA256 | c2da210f7ba460a7ae13c3008e44201285602af68b079a6692826962d0cff03f |
| SHA512 | c8917a0b2d4f0af72238c8bae6beb84a53528a41d0781236947cc7492a880496c34a2db38a08a4682543e418fe9f192e19e0d1fa65c7642d1abed20c200c5334 |
C:\Windows\system\fuOAqHw.exe
| MD5 | 6ae7738a521d8f74694cc110b1ceeb68 |
| SHA1 | 5de77dc8d318ac2f00517541bba842e532d1e8a1 |
| SHA256 | aa7f936146d52d2ac0de32a7f46c8b1ab579ec00d4d3f0ce4276c0a0ec3a8162 |
| SHA512 | f9ba19e83f5cf96eda0141ea838f7736ffb232fccc491c0497485db0fa53ed2933d6ab99265df4faa3ac57b3cbe8cf74220aa96acec77842b1898e307d8048a9 |
C:\Windows\system\UJPTpfz.exe
| MD5 | f8bc8402a2b699720e90a0ecdc396c10 |
| SHA1 | 8df85ec05865ae88a73541523c9d6da1d93aa037 |
| SHA256 | 34a4e53d7bd9e4f50e8502073ec007862cc572ed78b0aac14a425abf84bcc04e |
| SHA512 | 23225bde9ccde414e06a7c4b2bf11dc890f5014a89ae666d6d9d0857adbcd977581ac2c554d748bef0a28efad519512f8a28c203076e8852b1b47f5bb777b1c3 |
memory/2948-15-0x000000013F330000-0x000000013F684000-memory.dmp
\Windows\system\RvLFjJU.exe
| MD5 | f23cf980f67c27cdbfc57115d640353b |
| SHA1 | ead5df4025c19233442ba30adddd2addc2808cf3 |
| SHA256 | ffa1a88ac9a3499fceefae743e153b56150adc2ed8ba15e4e427afd83f5fd707 |
| SHA512 | 4a93c0ea347f80fc006a0c797b02fd332dce1b965469aeeae8403620019f5aa37086be1bbed59d071e4ca47bec2fece2ce6eeed8ada9a3195b2d62c8d7964aed |
memory/2036-22-0x000000013F330000-0x000000013F684000-memory.dmp
memory/2948-33-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2948-32-0x000000013F4B0000-0x000000013F804000-memory.dmp
C:\Windows\system\IHQRjGv.exe
| MD5 | d7ed0db92754ce34c59cd8a4cdf656eb |
| SHA1 | a0ca307139ffe7bf019c0a647585d002be881873 |
| SHA256 | 409db0700bbfa230d8fb94f9684d1c7184bd7bf67d18cc90c7c7ec3dab63a100 |
| SHA512 | d7fbfd89d97553c2e412230a41e31252ed86eb2b9bac6ebbac74af362a7d6c0be9ea4c1c65e396ded4ffec93f708ac73bc705290d2c4172b4e4908823c7bd8c2 |
\Windows\system\MbKGhXK.exe
| MD5 | 2de1fd25117589c5128c8d4b79a1ca45 |
| SHA1 | 5bb87046be75a03c77a2d80012f1cbe449152b52 |
| SHA256 | 8d84ea2c3b2eae09d4a2147a21d10690ae8e6d00728e5df830b430e64f3c064b |
| SHA512 | e3ad86426cd94d02431c40d497dc529c1be5756f5f1e5ca5c797bb905e2c537dbce2a334f48089fd7f4faf6a0eaa4df7e9c025f74ed9e1d934aa56ae47670053 |
memory/2152-30-0x000000013FE80000-0x00000001401D4000-memory.dmp
memory/2948-27-0x000000013FE80000-0x00000001401D4000-memory.dmp
memory/2612-26-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/2576-41-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2948-39-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/2628-42-0x000000013F560000-0x000000013F8B4000-memory.dmp
\Windows\system\CHooSsD.exe
| MD5 | 6af876edf2e3389ee3282f3c81d1ec96 |
| SHA1 | bebb16f0f48c5f08d94f5fd99ad429253619e798 |
| SHA256 | 415eecf3987e343cf8217242ec19784afc1a66b8887460246e16f7acde459440 |
| SHA512 | d2d56073c5012fa8b155853d9d5e75ab14a08af317adc35e6967f19744c7ef662d22977d1b73683a9965d8d97b91ca5b141603a0d8fc92a574061798044bee33 |
\Windows\system\hjTKQRv.exe
| MD5 | 84dcef74c2a3c56bbde8dbdc73222ff7 |
| SHA1 | c7873cdba290bb67adc672c40d04da33466d27e8 |
| SHA256 | ac79e4f05339a25222d4f57544f0e92cd9c28c227654f351ccaeed1414047cf3 |
| SHA512 | c9fd1aebd3445ec69332677e25f04a359a865b293848cee5c73c78bea5407ade5142086ff2f5e793f54b3877d95fca2e33eda783919a6fa2858058d8c3f7db61 |
memory/2948-55-0x00000000021E0000-0x0000000002534000-memory.dmp
C:\Windows\system\jhYwaqQ.exe
| MD5 | 69b9c5154c5435a9a003281d0d5a90e0 |
| SHA1 | b6c65028a9efee4952bc3518679f2b4751b2512d |
| SHA256 | b52567e5fbdd19463826113020b4e885c14b3d140b58272883e8e7d889bf14d1 |
| SHA512 | 35c14f0c6f8c977e43581acff81204b9b5e9483c793018656132b6b6534ea49a951bed7fab30a6ed5965a473f0b83eaabb27001728bef0f6f202c472eb64f4a3 |
memory/2228-57-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
\Windows\system\ipzSUIH.exe
| MD5 | 41e74014fba2de1de441046bb1b52d9b |
| SHA1 | 7e87f45fefdfb39eddcdea1013ef301aba65732b |
| SHA256 | 980dc1405ad5d793d882472cfd74301698ac5f6533c79c489b57baeacecd6692 |
| SHA512 | c43d297b0b556b455881c0388359c5a278ad705c44da14273681049fe2068ec34a2972bf6e00e67724f0920e5a1cedec3ad40f70ad33693264f1c2746944bc76 |
C:\Windows\system\JpWatoj.exe
| MD5 | 760e217683024f02ae961a7aedc7cb33 |
| SHA1 | 97f295b0e1e8a505ac7a641cf6ec35fac1ce9ef1 |
| SHA256 | 4b271dd701a92bba58831481ad002231836803592a15a6d3989e9eb8511fa4fc |
| SHA512 | 6c1351f86a09ad956e16536bcf17a32d07dfc6c4563712f4c3570ff79f34c9ac522fcde70d5fab4dc1cb2c519b1f923145cec2f617a05958ce71a794b7b6dd3d |
\Windows\system\pRukAJJ.exe
| MD5 | 9dccb4dca0b9e481af30f9616e473a37 |
| SHA1 | d121df276186f97e1cc1f4349f25486bf14d2409 |
| SHA256 | 37cbc33edd3ddb7f33aa71dcdba661f0f137d5b42568cdb11c49797c1ff3f785 |
| SHA512 | 480f377352c089f5074dc0c545a5da533234655abfe2dbc9ed9458448aa874ed0bdc86f040dcc7ff7355047ff81ee0c17a5d83a72e6cfbcfccff5791e9c3067a |
C:\Windows\system\nQjqyUb.exe
| MD5 | ad4f30a4c4d80800200350c2a0c51afd |
| SHA1 | 7743dbbda868fa4231b321f6360149ed9dafce87 |
| SHA256 | 4379ffc9b2e94c6fb8911ccc8c0a7b43e6f2e0b8608b6335e23ae506b57db393 |
| SHA512 | 9247667f64eda9a7602c38078fac067be73652a8832abbfc2b15f716a3b7815cf2eeedeb3ea5f0ddd1b8c9996877352ff9020dc5e809030d34ae89fd39bc3abe |
C:\Windows\system\JErmZRZ.exe
| MD5 | 5930237ef41b3c0ba52da5095231b538 |
| SHA1 | 5621f743b7dd6f652ee3fd507e8f0dbb080e563e |
| SHA256 | 3ef0e296d8cf8878bc2de9c8e20677d01a2c68130d44e8c279031fad400e1acd |
| SHA512 | f15494000d66294a7c5296526a678feb90ee1c275d843f8573369da530234f53b28122a5cb567f4e16b011ee6867f4083e5bbee5b03b34ca64bb3da4da4e73c9 |
C:\Windows\system\FYFXpVS.exe
| MD5 | 00fe820041e4c26b0a1f3162602de5ba |
| SHA1 | acddef5c6d1ba13d9050221eb177d5b7730c320a |
| SHA256 | c2e6c29d3a5264a32182dfabdc1aa8e9358f38078b397b029cab6f002cfb4d9d |
| SHA512 | 3e1dc5feeb1eab6d62eab1a6604419b68e5c7f6bcee76a8771a9813477f6906783a9ed61a75b5681ebfa0b5aa449aaefebdb2f3c63ed3c553c54e9a91aab96e5 |
C:\Windows\system\zDZFTKq.exe
| MD5 | 622856842b4229b3545d544426ca0845 |
| SHA1 | 90928d10e481efbe69e84134295b82c83fce12d6 |
| SHA256 | 533c84ba70dfb6d50a02637516f4a8732595104cfcf76806ee3507dc89030801 |
| SHA512 | 8c40c2e8ba469ac19915644191709ee7fb01d9584348dd1bce0ef1abbdb5f265e1385fac49c47b330b9209d36117350dc4cd2a620a1143a63687e6b8e1bd46ec |
C:\Windows\system\wliKoKl.exe
| MD5 | 7e5709311e2f3395f4d06fdef6280dd8 |
| SHA1 | a506a6d86300fd0bc29549ae0b0ed64c0b8271b8 |
| SHA256 | b8b94d985bc6053ed9028f9f4dc2d4514f150ab590dcfecbd28620a451717916 |
| SHA512 | f61d0bf9ab87195ab6b45264622c76b7bc39baeed9c6f9504c0e2c8f54334b8de7a2df56913baf4edb6a0a1a580688682b2f37b778a591dfcc8ba6967e83bc70 |
C:\Windows\system\XNuiYTO.exe
| MD5 | f6d73ec1a179f6abb8b98deb71c2ad0a |
| SHA1 | 54a346d52c87e37614b8ae6a0cbf8a3b807ca961 |
| SHA256 | 0f0ef53e9534f11c7f3993e456d36109d987d7da81862f5dcbac3b8d20b90c7f |
| SHA512 | 812756c4badf9a3101261f26c0c6f477e0af8500354855895ff38133cbac53886602a4f4d6d8800ec569afdbff26f7c8161895b612831939bf69c03ffb800095 |
C:\Windows\system\SKyjBRY.exe
| MD5 | 4bc94add27a2e298fc1004124e21c8f2 |
| SHA1 | c72e5d28d961c5b5f40f48a2e2f2430f922498b2 |
| SHA256 | 367d5483f7583cb54fd0f7f22e04a85474f1de5cc475e74a042b27dec560ed1e |
| SHA512 | 02be75a5e34cb25d6456fd9fb7aed226490b4341cb7d689f61edf0996a8ca1e3e5f88f0a03ca396213e1d1abe988486da9b76c125a8f37fffea98aff9a52303b |
memory/2856-106-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2948-105-0x00000000021E0000-0x0000000002534000-memory.dmp
memory/2948-104-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/2948-103-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2908-98-0x000000013F070000-0x000000013F3C4000-memory.dmp
memory/2948-97-0x00000000021E0000-0x0000000002534000-memory.dmp
memory/2324-90-0x000000013F980000-0x000000013FCD4000-memory.dmp
C:\Windows\system\nFMYavN.exe
| MD5 | a2ff0929c9e0815afef395b42a4553ee |
| SHA1 | addd8a853f4a4926639d897812519130b7dfae56 |
| SHA256 | 61a6b25d5314b9d94041b9fb1de98845cf30dbd8376ba28aff8c1b0108666b3e |
| SHA512 | 8b836d25843d47177b733775c2538e1a645967789eb206e51776b84076b2172fb37328ad980f49bb7cda9ac8e730229fe870bdb00a95c2f86897489cae69321e |
memory/2948-73-0x000000013F330000-0x000000013F684000-memory.dmp
memory/2948-72-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/2492-70-0x000000013FDD0000-0x0000000140124000-memory.dmp
memory/2948-69-0x000000013FDD0000-0x0000000140124000-memory.dmp
C:\Windows\system\DTKwMMT.exe
| MD5 | 357daffc23ee1379168632a963e831ef |
| SHA1 | 12128a79fef5837d3cc251432597eb28edf1b220 |
| SHA256 | 272faf68eaa806e90d1d13680bfdcd4f874a1611cba6d83d08770b04fa402953 |
| SHA512 | 18c7dc0b29d14a93d2a4e9933959b05124be67fda22916c6c2eb0abd39b493c421f9d97e44225ee4ae138e274f487eda968febaa1ba992bf532e769a40f2d06c |
memory/2624-64-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/2752-51-0x000000013F990000-0x000000013FCE4000-memory.dmp
memory/2948-48-0x00000000021E0000-0x0000000002534000-memory.dmp
memory/2948-44-0x000000013F560000-0x000000013F8B4000-memory.dmp
memory/2664-43-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/2752-135-0x000000013F990000-0x000000013FCE4000-memory.dmp
memory/2948-136-0x00000000021E0000-0x0000000002534000-memory.dmp
memory/2228-137-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2492-138-0x000000013FDD0000-0x0000000140124000-memory.dmp
memory/2948-139-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/2948-140-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/2036-141-0x000000013F330000-0x000000013F684000-memory.dmp
memory/2612-142-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/2152-143-0x000000013FE80000-0x00000001401D4000-memory.dmp
memory/2576-144-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2664-145-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/2628-146-0x000000013F560000-0x000000013F8B4000-memory.dmp
memory/2752-147-0x000000013F990000-0x000000013FCE4000-memory.dmp
memory/2624-149-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/2228-148-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2492-150-0x000000013FDD0000-0x0000000140124000-memory.dmp
memory/2908-151-0x000000013F070000-0x000000013F3C4000-memory.dmp
memory/2324-152-0x000000013F980000-0x000000013FCD4000-memory.dmp
memory/2856-153-0x000000013F570000-0x000000013F8C4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 02:24
Reported
2024-06-01 02:27
Platform
win10v2004-20240426-en
Max time kernel
142s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\geUXSbj.exe | N/A |
| N/A | N/A | C:\Windows\System\sdIAsql.exe | N/A |
| N/A | N/A | C:\Windows\System\DBqyGqC.exe | N/A |
| N/A | N/A | C:\Windows\System\rvpPElN.exe | N/A |
| N/A | N/A | C:\Windows\System\YiFMFnq.exe | N/A |
| N/A | N/A | C:\Windows\System\XspuvEW.exe | N/A |
| N/A | N/A | C:\Windows\System\MslYKZM.exe | N/A |
| N/A | N/A | C:\Windows\System\zqMGNTR.exe | N/A |
| N/A | N/A | C:\Windows\System\lRYLGIS.exe | N/A |
| N/A | N/A | C:\Windows\System\PCbFVQw.exe | N/A |
| N/A | N/A | C:\Windows\System\KZsoNqI.exe | N/A |
| N/A | N/A | C:\Windows\System\iPuAAqq.exe | N/A |
| N/A | N/A | C:\Windows\System\QpumNuV.exe | N/A |
| N/A | N/A | C:\Windows\System\uQEOIwn.exe | N/A |
| N/A | N/A | C:\Windows\System\gyfavYs.exe | N/A |
| N/A | N/A | C:\Windows\System\gtamfCR.exe | N/A |
| N/A | N/A | C:\Windows\System\ERohUpG.exe | N/A |
| N/A | N/A | C:\Windows\System\OAWlhif.exe | N/A |
| N/A | N/A | C:\Windows\System\zFGknos.exe | N/A |
| N/A | N/A | C:\Windows\System\OwGjHGv.exe | N/A |
| N/A | N/A | C:\Windows\System\IeqhwUK.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_ca981df9780aa4016873a2dd82f249f9_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\geUXSbj.exe
C:\Windows\System\geUXSbj.exe
C:\Windows\System\sdIAsql.exe
C:\Windows\System\sdIAsql.exe
C:\Windows\System\DBqyGqC.exe
C:\Windows\System\DBqyGqC.exe
C:\Windows\System\rvpPElN.exe
C:\Windows\System\rvpPElN.exe
C:\Windows\System\YiFMFnq.exe
C:\Windows\System\YiFMFnq.exe
C:\Windows\System\XspuvEW.exe
C:\Windows\System\XspuvEW.exe
C:\Windows\System\MslYKZM.exe
C:\Windows\System\MslYKZM.exe
C:\Windows\System\zqMGNTR.exe
C:\Windows\System\zqMGNTR.exe
C:\Windows\System\lRYLGIS.exe
C:\Windows\System\lRYLGIS.exe
C:\Windows\System\PCbFVQw.exe
C:\Windows\System\PCbFVQw.exe
C:\Windows\System\KZsoNqI.exe
C:\Windows\System\KZsoNqI.exe
C:\Windows\System\iPuAAqq.exe
C:\Windows\System\iPuAAqq.exe
C:\Windows\System\QpumNuV.exe
C:\Windows\System\QpumNuV.exe
C:\Windows\System\uQEOIwn.exe
C:\Windows\System\uQEOIwn.exe
C:\Windows\System\gyfavYs.exe
C:\Windows\System\gyfavYs.exe
C:\Windows\System\gtamfCR.exe
C:\Windows\System\gtamfCR.exe
C:\Windows\System\ERohUpG.exe
C:\Windows\System\ERohUpG.exe
C:\Windows\System\OAWlhif.exe
C:\Windows\System\OAWlhif.exe
C:\Windows\System\zFGknos.exe
C:\Windows\System\zFGknos.exe
C:\Windows\System\OwGjHGv.exe
C:\Windows\System\OwGjHGv.exe
C:\Windows\System\IeqhwUK.exe
C:\Windows\System\IeqhwUK.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files