Analysis Overview
SHA256
73c0ff2cba8d8d646ea9782acf4da254bbfa48aac60efcafc09d8da6a87a59d2
Threat Level: Known bad
The file 2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Cobaltstrike family
UPX dump on OEP (original entry point)
Xmrig family
Detects Reflective DLL injection artifacts
xmrig
Cobalt Strike reflective loader
Cobaltstrike
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 03:28
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 03:28
Reported
2024-06-01 03:30
Platform
win7-20240221-en
Max time kernel
146s
Max time network
156s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\FDBhfkT.exe | N/A |
| N/A | N/A | C:\Windows\System\dnWoPfp.exe | N/A |
| N/A | N/A | C:\Windows\System\UwXWWsJ.exe | N/A |
| N/A | N/A | C:\Windows\System\WkVwaGl.exe | N/A |
| N/A | N/A | C:\Windows\System\jMmKOHk.exe | N/A |
| N/A | N/A | C:\Windows\System\inELLjQ.exe | N/A |
| N/A | N/A | C:\Windows\System\SdrJQFE.exe | N/A |
| N/A | N/A | C:\Windows\System\vXbKGHn.exe | N/A |
| N/A | N/A | C:\Windows\System\wcUQtrO.exe | N/A |
| N/A | N/A | C:\Windows\System\LiAXgFs.exe | N/A |
| N/A | N/A | C:\Windows\System\zwMUrhp.exe | N/A |
| N/A | N/A | C:\Windows\System\BJLLOem.exe | N/A |
| N/A | N/A | C:\Windows\System\DTHtdzq.exe | N/A |
| N/A | N/A | C:\Windows\System\AUGDyMP.exe | N/A |
| N/A | N/A | C:\Windows\System\nwZeEzz.exe | N/A |
| N/A | N/A | C:\Windows\System\KPXJxvU.exe | N/A |
| N/A | N/A | C:\Windows\System\qYbtAMl.exe | N/A |
| N/A | N/A | C:\Windows\System\CsVgYBd.exe | N/A |
| N/A | N/A | C:\Windows\System\FhFsAyq.exe | N/A |
| N/A | N/A | C:\Windows\System\JxbCjjD.exe | N/A |
| N/A | N/A | C:\Windows\System\PPxEWNK.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\FDBhfkT.exe
C:\Windows\System\FDBhfkT.exe
C:\Windows\System\dnWoPfp.exe
C:\Windows\System\dnWoPfp.exe
C:\Windows\System\UwXWWsJ.exe
C:\Windows\System\UwXWWsJ.exe
C:\Windows\System\WkVwaGl.exe
C:\Windows\System\WkVwaGl.exe
C:\Windows\System\jMmKOHk.exe
C:\Windows\System\jMmKOHk.exe
C:\Windows\System\inELLjQ.exe
C:\Windows\System\inELLjQ.exe
C:\Windows\System\SdrJQFE.exe
C:\Windows\System\SdrJQFE.exe
C:\Windows\System\vXbKGHn.exe
C:\Windows\System\vXbKGHn.exe
C:\Windows\System\LiAXgFs.exe
C:\Windows\System\LiAXgFs.exe
C:\Windows\System\wcUQtrO.exe
C:\Windows\System\wcUQtrO.exe
C:\Windows\System\zwMUrhp.exe
C:\Windows\System\zwMUrhp.exe
C:\Windows\System\BJLLOem.exe
C:\Windows\System\BJLLOem.exe
C:\Windows\System\DTHtdzq.exe
C:\Windows\System\DTHtdzq.exe
C:\Windows\System\AUGDyMP.exe
C:\Windows\System\AUGDyMP.exe
C:\Windows\System\nwZeEzz.exe
C:\Windows\System\nwZeEzz.exe
C:\Windows\System\KPXJxvU.exe
C:\Windows\System\KPXJxvU.exe
C:\Windows\System\qYbtAMl.exe
C:\Windows\System\qYbtAMl.exe
C:\Windows\System\CsVgYBd.exe
C:\Windows\System\CsVgYBd.exe
C:\Windows\System\FhFsAyq.exe
C:\Windows\System\FhFsAyq.exe
C:\Windows\System\JxbCjjD.exe
C:\Windows\System\JxbCjjD.exe
C:\Windows\System\PPxEWNK.exe
C:\Windows\System\PPxEWNK.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/640-0-0x000000013F200000-0x000000013F554000-memory.dmp
memory/640-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\FDBhfkT.exe
| MD5 | 2e4f7ca272c332f76211663954e60227 |
| SHA1 | be77d0bdd41a4f8acb0370b3e729255af842785b |
| SHA256 | 2c4baeb752a4bc6702d5ecbff1247e8381d641e9c58c68311527997ee6a68073 |
| SHA512 | 0dcaf7fcd63070584b591b519a6d719c883a9f2b2557f5c454056986cf132a65771eaeb31cbcc2a9c3a799748371065785a88a04f021efc368b395f1bb6ddd43 |
memory/640-6-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2088-9-0x000000013F570000-0x000000013F8C4000-memory.dmp
C:\Windows\system\UwXWWsJ.exe
| MD5 | cd701b09557da359ce8f35551f6ef9e8 |
| SHA1 | 49c2332dfae95d6aefacb0427af37847b59e2343 |
| SHA256 | 27776d8873384c104f6d268b79fe5f14928c16a6791cee5350193b34653bc737 |
| SHA512 | e378ecbfbeedf972787074fcf5e07ba6c11fe30a8d99e50584250967a7c395cbbb235982f18ccec3777c2662fc450278e307b33622f569f8145dfa1928209951 |
C:\Windows\system\WkVwaGl.exe
| MD5 | 7d988542faa4d6fe11c99f8308678121 |
| SHA1 | 2a2e9e3f2bc4fa002a3a0a84c597b4ef24f80219 |
| SHA256 | 978e5a598f29939671c0c96d82616ac954ef81203f7fa56b27b915314e05af4e |
| SHA512 | fd12e92bf34602d5fbefb3d594d43da525086eb46de37b67b8a5109e4d37d4c2b2dd19a1fe36164d5d9f54b2d55666f2169cc9b4be26d711b35682188567a82e |
memory/2496-27-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2588-28-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
C:\Windows\system\jMmKOHk.exe
| MD5 | c4dd6e0d953f53aed54a58c6662b74c2 |
| SHA1 | c6a9568747b5d3b9e3b4198f2f78b3ba2487ae3d |
| SHA256 | c49fdce9fd9467f0935a81aa2c6c0db915084d97363f9c876c68f0299773f254 |
| SHA512 | 9b98b5387edf3bca7ff0c09f3de0744e13700c26a88fa93f2f444815310471e9566009a2f38fd3723f860b2998f5a8c3b5eb8148446be3541becbf220dad5448 |
\Windows\system\inELLjQ.exe
| MD5 | eb6ad9369defa90f741e956aff49b541 |
| SHA1 | 54e07fa345ddf4911124af690d9124f31650d904 |
| SHA256 | e688c2688ec94c8509fce1c33053fa021f60e7cc6ee166f6daf693174676535b |
| SHA512 | 01efaf7c1bfedc019c14f8405f80c0790ef11ae4073e47628bf05c9257c09a8f0fca18fc7da2cc9f0c65d14d9de39f3542f3a3d4f7e2d249bfc72d7db58127cd |
C:\Windows\system\SdrJQFE.exe
| MD5 | 01deb48e49d803d8d9f4f59e02f8bcdf |
| SHA1 | e11ea1a340c1007a8e5f43f510fc88cb526d549b |
| SHA256 | 8d685dcb984e3d10e3d8709c0f4db15b06fc9060247a7d61dd4bc193874231c0 |
| SHA512 | b1b76f7293fcfb4c8c64ccb530fd563e7931e072a445428b1a5ac337ef42ed12a6a54bb92ed99ee0c324bc9c74ada76ae1814aa27321bb7d96c6f1b4182bb01a |
\Windows\system\wcUQtrO.exe
| MD5 | 16a2abdad12ea3576525c5fa468c4e92 |
| SHA1 | 2cf16a2510edada866f4e26ca99a00e5f3ec3843 |
| SHA256 | 144a46315dbf92e9fa480dfb7104982bc089997bd9911236aa21a1d6f4763bd5 |
| SHA512 | 515e567c60bb9476536ad5718dbe77c9ed74a79d25586e79727f2503b5e5586741a5b410b9cde15e9f90e2df9851152fb0a19698e2353bdec536722e0379335a |
memory/2712-56-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/640-65-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2524-68-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/640-69-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/2232-70-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/2612-73-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/640-76-0x0000000002480000-0x00000000027D4000-memory.dmp
memory/2356-78-0x000000013F810000-0x000000013FB64000-memory.dmp
memory/2876-82-0x000000013F1E0000-0x000000013F534000-memory.dmp
C:\Windows\system\AUGDyMP.exe
| MD5 | 58d26233c99e0350fca6638cdbfa81af |
| SHA1 | 099d72a8cab39d1a82ab2dbc69dd6455a2aa73fc |
| SHA256 | b3aad025cc583a4610180f1457c56ce88602f63212f5e66eb28b5bfe690a3a7c |
| SHA512 | f6bef4aec93e6e776029ff62878391650cd3f18602e6bf8be67358faaae623603254c107462cce51ea135be52e4c51204c6a9cf603f2d28fdd5749a255aeeb06 |
memory/372-98-0x000000013FDD0000-0x0000000140124000-memory.dmp
C:\Windows\system\PPxEWNK.exe
| MD5 | a8c634d41f96144526b72a7750b10a74 |
| SHA1 | 73f24e0a7e25b36a5b8dfe812c23a7d54574a2fa |
| SHA256 | 5ba2afac0ee407d0cce5ef27ff00b26823e00b99cfafd06bafa2c8c751e7f121 |
| SHA512 | 8782eeb64e31bc4cf52b7a3716b1f98e1d2f9d074faef6dfa8d2bf1c9c6421c511f2aa388a906ed94367e55a42b3af4d593d6ddb6b2a18fb0875cf66cfa7ccab |
C:\Windows\system\JxbCjjD.exe
| MD5 | 42829c0390cda4b80ba6b7cb9f4a244b |
| SHA1 | a9674fb5ece359e510e34bcec6436f7450cde524 |
| SHA256 | 4ea096502c78cb02720db49498433d990868da735af97880fa2b8744e02e58b2 |
| SHA512 | 1b39611d5a418f6c3f60bd7aa68deb096cba6652fee50fabef91f70418f4433b4010f70b84c776d6e952f96c4452e09344adb1caa9bce2fc09f190fe5de28f87 |
C:\Windows\system\FhFsAyq.exe
| MD5 | 8f92708ce209058e559324d1168f2699 |
| SHA1 | 0a86fe35f3f63ce470f8b2d0efd8bc61cdee5fc8 |
| SHA256 | 7e07e7e54ed5bf89aca9742dfaba7624327bc6b17bc6ded842c044e1e993d340 |
| SHA512 | 1337e6e657df2fe8712700bf0bd048703d680876353bcca3f9713cad55c3a48cbd6fc66235af5be47c057c63916361576f3db703103c98931c12cbec6ae06ece |
C:\Windows\system\CsVgYBd.exe
| MD5 | ade000cb4555b43b1d29916e7f393120 |
| SHA1 | 6d77d13fb88a9294207da2e15e9e87c4cc4830b3 |
| SHA256 | 00dba35949e0a68f5deb89201378017bd488f324ad2f2bfbae88b2d2287f02a3 |
| SHA512 | e734e91da8582c5d46be74f913b2832b5ad11340553ced72607cca9108e14dc5607a715a96089f6751915440e47bb77f6df99500e3efc9681cbcc966c81bea63 |
C:\Windows\system\qYbtAMl.exe
| MD5 | a42c6205ebd93cb14b423aaec7fb41cb |
| SHA1 | 99a98200470ea2f07ddab4574c204ef3046d451e |
| SHA256 | bfffcfd1cbf63fff634e78bc8093e68ebfd25649a6b0d9c1cf9d88522a81a757 |
| SHA512 | 31c2610d7fa98f96469898b554671500fb953e569aee83507fe663583f52fce59059db6a761b1e6160725d8604f9df4d4302896b360348048c99c5556183e0aa |
C:\Windows\system\KPXJxvU.exe
| MD5 | 21384b67dc80db9209f6e9e73ae7b446 |
| SHA1 | 18859ba6577c292891ea0356e42439b83ec09614 |
| SHA256 | 1821656b98766eb7cd6b9a1da7da339596f2b9a4ce66b4dec18489353b0ab90d |
| SHA512 | f953992f7d36319748095dd874e9fe41296d574c2150b589088c652d6effd6d1e3723874f931f803c4d1c245f515978c40cba702cbb156dc6b9d34e9e6495531 |
memory/640-103-0x0000000002480000-0x00000000027D4000-memory.dmp
C:\Windows\system\nwZeEzz.exe
| MD5 | c6d7f801ec22ed2608a7067c379be689 |
| SHA1 | cb6440130728d6a3894ee2e2fe8a8eb1ec9f9b67 |
| SHA256 | a31173ada79646ad30258fc488c9d82a3ed7f0799ddcc98bd34a72e95a933284 |
| SHA512 | 07ff053788bb4f8d81623a014f0ab4927e9b3d2aad933fff2134f40dd9cc7017a1bbddac9119dea130a337cbe1a98be48f55ea705610bc5e6924c096b0701c74 |
memory/584-91-0x000000013FC60000-0x000000013FFB4000-memory.dmp
C:\Windows\system\DTHtdzq.exe
| MD5 | 3c7dc9b004a7625e73225e769f536e89 |
| SHA1 | 56ff725818e4f3bb9fef91f2586a51f0f9586ea0 |
| SHA256 | da7f29596edc1a2e7b375d1b5cf9db0def633ca559cb1180b68de59ad877de86 |
| SHA512 | 1875855b6ceaef92b77b63e1f7d42a42e8e14d077a99d602c9e0f3ae76400afca38b85302b215cc334384fa21fa77edc4e024626f158333977456767ab12f14a |
memory/640-86-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/640-85-0x000000013F200000-0x000000013F554000-memory.dmp
memory/2088-94-0x000000013F570000-0x000000013F8C4000-memory.dmp
C:\Windows\system\BJLLOem.exe
| MD5 | 113d0a0977ab2f4736cd9b79d06c0581 |
| SHA1 | 468725296d8e9e7069b9a048441f9ca1f0a94a26 |
| SHA256 | 636a7a5bb931af741350f782dffa557db89efbefc15369347606dd742df5e117 |
| SHA512 | f15acaf10a20abf9e9eeb5ecdc63055e238d3c9852500b75a26b9fdabddf6df7a5c413b609c9df4978066c2fa9dca51572cbd6f6b777bc82d3db24e9a5790796 |
memory/1760-79-0x000000013F140000-0x000000013F494000-memory.dmp
\Windows\system\zwMUrhp.exe
| MD5 | 6d815a6147654a8cb8ae840bccda3d3a |
| SHA1 | cc52a77a417bd63c29742d6dfff46c8629f329c3 |
| SHA256 | 0ebe1a39fef56232ef39fe9cb6ea299aaa6f9dbae7fa8c01ef1518a9e1a992dc |
| SHA512 | f7b5fa072b4a8708794081d8a08d764619f918bf174cc99524acc539e02f708de928aa0837617bdc9b13233899c8db897e29b561c473e9d43b5701d13b9f22e0 |
memory/640-74-0x000000013F810000-0x000000013FB64000-memory.dmp
C:\Windows\system\vXbKGHn.exe
| MD5 | 47df4a8592fc118c0d203abe977fd980 |
| SHA1 | 642ea7c953b56417db6eb8fc33f353f7537504f4 |
| SHA256 | 6c08f12ac8140b2ff0dc50f0d683a44873de47f4dec788bc5f239d9956013d88 |
| SHA512 | 5eccdc4fc4a06b820755a3d041799909901bd4d646cf99b4e2f9bf2dff4ff723248e714c9878e94538036166aab64d67d2e20dcd32956edc89ffec322cd6e48e |
memory/640-72-0x0000000002480000-0x00000000027D4000-memory.dmp
memory/640-67-0x0000000002480000-0x00000000027D4000-memory.dmp
\Windows\system\LiAXgFs.exe
| MD5 | f51536fab7b10cf9ff17ffc621f990f5 |
| SHA1 | 14327da1a7fe789640f068119e8c4d7f2eb11764 |
| SHA256 | 82a905d6f4d6ec5efb493efc490cac4faee998a0eeba095443d45481fbdc49c9 |
| SHA512 | bc9e678481b75fc46e664f6c66198b8668c89cb187a35442247dd07fcef91f1fc1f456279bbb19f99eacca7565c8faafcd4dbc54b85647b6b10691f06c653285 |
memory/2636-66-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/640-63-0x0000000002480000-0x00000000027D4000-memory.dmp
memory/640-46-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/640-26-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
memory/2884-20-0x000000013F300000-0x000000013F654000-memory.dmp
C:\Windows\system\dnWoPfp.exe
| MD5 | c0f156991e3897ef242cfd047e98a6ec |
| SHA1 | 2927bd3db27945c2dcf4b0e1a9218d9efc3c21f5 |
| SHA256 | 15511c080f3341f499ea7a0ac06427e26c7961104c0c3e0f77528157925a489f |
| SHA512 | cdc82d290eabaf99a14a58d428fb707053953ee4c28d83b6de8fb894c1e7da4a10fb514bdad476646bb25822934b1bb441d738ff6f14a24572cdd18950fc35c6 |
memory/2876-135-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/584-136-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/372-137-0x000000013FDD0000-0x0000000140124000-memory.dmp
memory/640-138-0x0000000002480000-0x00000000027D4000-memory.dmp
memory/2088-139-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2884-140-0x000000013F300000-0x000000013F654000-memory.dmp
memory/2588-141-0x000000013FAA0000-0x000000013FDF4000-memory.dmp
memory/2612-143-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/2496-144-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2636-145-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2712-142-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/2524-146-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/2232-147-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/1760-148-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2356-149-0x000000013F810000-0x000000013FB64000-memory.dmp
memory/2876-150-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/584-151-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/372-152-0x000000013FDD0000-0x0000000140124000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 03:28
Reported
2024-06-01 03:30
Platform
win10v2004-20240426-en
Max time kernel
139s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\sWIDQhx.exe | N/A |
| N/A | N/A | C:\Windows\System\PvwgHKh.exe | N/A |
| N/A | N/A | C:\Windows\System\tdCCNCw.exe | N/A |
| N/A | N/A | C:\Windows\System\Odyquzb.exe | N/A |
| N/A | N/A | C:\Windows\System\PsGmgtx.exe | N/A |
| N/A | N/A | C:\Windows\System\QmmIzNT.exe | N/A |
| N/A | N/A | C:\Windows\System\mBKdDKj.exe | N/A |
| N/A | N/A | C:\Windows\System\QmaTKip.exe | N/A |
| N/A | N/A | C:\Windows\System\LBZGzVs.exe | N/A |
| N/A | N/A | C:\Windows\System\lRLaRbC.exe | N/A |
| N/A | N/A | C:\Windows\System\NsohjJJ.exe | N/A |
| N/A | N/A | C:\Windows\System\JQkFiFv.exe | N/A |
| N/A | N/A | C:\Windows\System\elnytdm.exe | N/A |
| N/A | N/A | C:\Windows\System\zqkkaAC.exe | N/A |
| N/A | N/A | C:\Windows\System\AopvIAc.exe | N/A |
| N/A | N/A | C:\Windows\System\SRZtESR.exe | N/A |
| N/A | N/A | C:\Windows\System\bNwAJfI.exe | N/A |
| N/A | N/A | C:\Windows\System\FGJZrNz.exe | N/A |
| N/A | N/A | C:\Windows\System\FLMuWUS.exe | N/A |
| N/A | N/A | C:\Windows\System\BAwmNps.exe | N/A |
| N/A | N/A | C:\Windows\System\VoaYzdn.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_d6b0bb02a0be1bdb6f5b13603a93e19c_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\sWIDQhx.exe
C:\Windows\System\sWIDQhx.exe
C:\Windows\System\PvwgHKh.exe
C:\Windows\System\PvwgHKh.exe
C:\Windows\System\tdCCNCw.exe
C:\Windows\System\tdCCNCw.exe
C:\Windows\System\Odyquzb.exe
C:\Windows\System\Odyquzb.exe
C:\Windows\System\PsGmgtx.exe
C:\Windows\System\PsGmgtx.exe
C:\Windows\System\QmmIzNT.exe
C:\Windows\System\QmmIzNT.exe
C:\Windows\System\mBKdDKj.exe
C:\Windows\System\mBKdDKj.exe
C:\Windows\System\QmaTKip.exe
C:\Windows\System\QmaTKip.exe
C:\Windows\System\LBZGzVs.exe
C:\Windows\System\LBZGzVs.exe
C:\Windows\System\lRLaRbC.exe
C:\Windows\System\lRLaRbC.exe
C:\Windows\System\NsohjJJ.exe
C:\Windows\System\NsohjJJ.exe
C:\Windows\System\JQkFiFv.exe
C:\Windows\System\JQkFiFv.exe
C:\Windows\System\elnytdm.exe
C:\Windows\System\elnytdm.exe
C:\Windows\System\zqkkaAC.exe
C:\Windows\System\zqkkaAC.exe
C:\Windows\System\AopvIAc.exe
C:\Windows\System\AopvIAc.exe
C:\Windows\System\SRZtESR.exe
C:\Windows\System\SRZtESR.exe
C:\Windows\System\bNwAJfI.exe
C:\Windows\System\bNwAJfI.exe
C:\Windows\System\FGJZrNz.exe
C:\Windows\System\FGJZrNz.exe
C:\Windows\System\FLMuWUS.exe
C:\Windows\System\FLMuWUS.exe
C:\Windows\System\BAwmNps.exe
C:\Windows\System\BAwmNps.exe
C:\Windows\System\VoaYzdn.exe
C:\Windows\System\VoaYzdn.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2240-0-0x00007FF718300000-0x00007FF718654000-memory.dmp
memory/2240-1-0x000001A4759B0000-0x000001A4759C0000-memory.dmp
C:\Windows\System\sWIDQhx.exe
| MD5 | 6b02ca5fb697db2de21c4aab62acd466 |
| SHA1 | 429764ee88c96e0372afce507aad9404d8375b3d |
| SHA256 | 4877c3a3bc48b23934684860cbf5dee44841b2c2a8a7ff48e35b566252fd0134 |
| SHA512 | 921da7853832de17b0213be83c41997347adf20ee3aeaa315fbb9b0bdd2cb01205c79944df7700178da01170e374de16e636501c24ffa012fd453062d9ef2cee |
C:\Windows\System\PvwgHKh.exe
| MD5 | 7c5d0726052a5a84ef5bebed83b85798 |
| SHA1 | 4a826767b5f1e3cda59bc8cc44e75974263b2281 |
| SHA256 | b01d4af7d65ccc81315ae6aa213d455ba6c21ffe93c26e7922ba28ac1e5ce124 |
| SHA512 | e126f3acaa98afa7c77d32801a92a0cbf1789d16f554ca8fdd832a9f0cfdea35fc7c61c73de2a68dba065924e371b53d8eef9037acec6c3c0856f8e92b4b2f8e |
memory/880-8-0x00007FF6ED2F0000-0x00007FF6ED644000-memory.dmp
C:\Windows\System\tdCCNCw.exe
| MD5 | b869f234b288849801863930f303f154 |
| SHA1 | fdcddf3a8374531031273833c83032cb9f391b72 |
| SHA256 | 326f5d401c8d5555cbd45b0e3cc1349c929210e525e9cc01674ea77a07a953f7 |
| SHA512 | 25db2db8d5aa7b07eee8e4ffd7aa96f9d00013e6152ed753535ad1229a11932ff7ea9abe0384e840f74fd68f251154c8e833e7d69cd7747e4ceeaf51cd0b68b0 |
memory/4424-20-0x00007FF74A000000-0x00007FF74A354000-memory.dmp
memory/688-16-0x00007FF72EF70000-0x00007FF72F2C4000-memory.dmp
C:\Windows\System\Odyquzb.exe
| MD5 | 0f3bcf4670792e8b6efe533d86170665 |
| SHA1 | ec97e14b5c8f2642b209f7ac09821568fec25110 |
| SHA256 | a4aad3ba6be511728d1a83507b3bc615a6a6f6f6f5efc5404489b056d8ecaf52 |
| SHA512 | ab853c81e36a8e4b4cc788c2317644b1e76ec00b2efd90fe72c53dc330ff25e875bb02a81da7607fc1acc6f522960349cb057d77796b866150d9feb89dad907b |
C:\Windows\System\PsGmgtx.exe
| MD5 | d6f91c46d3f349827761adc79eb7bf5c |
| SHA1 | 87bf4998031367762ff9295fd575019d887aee37 |
| SHA256 | 9b213fd79a84b6fa3747f71761d2ca62f9ee98e8264ebd81dad7bd5d47e468ac |
| SHA512 | 28b7abca2956ce64dac7c63070231761e9e75c7c2808436d616abb3d4ffa265d94ab59c499d5025a164f6f8119ef53f61fcec9fa0e4a33a7d4feb7e3300bcf07 |
memory/1364-31-0x00007FF7F9620000-0x00007FF7F9974000-memory.dmp
memory/3156-34-0x00007FF7D6E00000-0x00007FF7D7154000-memory.dmp
memory/3628-36-0x00007FF7B5FF0000-0x00007FF7B6344000-memory.dmp
C:\Windows\System\mBKdDKj.exe
| MD5 | 95df2872bb41d03d22c8c32c9e99b6b8 |
| SHA1 | d3956d09fb19c9ca3b245719be0b090b416b7203 |
| SHA256 | c51a833ab976f6e8b1562bffe7f3eb9e7aeea16be6376e122d248813b65174a8 |
| SHA512 | 91fb63d671c7ddb5e883374c8fa260ace486ff8f80ccf7207d213b21a7a662bed97c95fcb317695afbf40c319c7e440f8eb093f3f4fe647d379b20402c5d8707 |
C:\Windows\System\QmmIzNT.exe
| MD5 | ec2902cfc9060c78f94d4be2650d810e |
| SHA1 | 50cf44e2b2f483e6fe88c4d53892337f569ce36f |
| SHA256 | 2cfcfc66e6ce727acdb8c32f27f60dba21dbaa3e6aa388b5893ad6eda94d8a9e |
| SHA512 | afd5c5e8ef64d28554c91a6ede30dd6e4a9f1b5752f0159432ff0fe53f0661ab952c62dd295bfca94bd6736ba1ea6d05d45cc2d15560dad61478577797d6b1ad |
C:\Windows\System\QmaTKip.exe
| MD5 | 62c003995e86debf105623c930da5910 |
| SHA1 | 8e766c03f457ebd10f97862976968d1d53afd9f5 |
| SHA256 | b791757238fdd998008ce54751d445ab50d41616db0ac34ca9e20b7b2e782535 |
| SHA512 | 49ee9d6b7883f31edbb9124fdc039764925a78fca0dc10e95b5e9bfd94fa5a75e61a13d0aa9b0433604f40d306a76e83713fc6737a1094b6f683e91fbb432114 |
memory/2976-50-0x00007FF75F700000-0x00007FF75FA54000-memory.dmp
memory/1724-42-0x00007FF64B330000-0x00007FF64B684000-memory.dmp
C:\Windows\System\LBZGzVs.exe
| MD5 | 96e4ffd915dc77b03c8db80b81437a1d |
| SHA1 | 62e3c21ca1c2366ce0434a226b252c9854c52dcc |
| SHA256 | 6c96b30674ee113f3d56f4b19c3622fb121030afc823952bd778d1b0617c72d7 |
| SHA512 | 10a74fb1d37f378f1de113942c6c46a665c2610a439765ae03e3525317807dd3f38b8f3b2bf3345c48cee1889d6d69bcf82594058204e75450fa7925d63cda73 |
memory/808-56-0x00007FF658A00000-0x00007FF658D54000-memory.dmp
memory/2240-61-0x00007FF718300000-0x00007FF718654000-memory.dmp
C:\Windows\System\lRLaRbC.exe
| MD5 | 0a652e6d4e404732fc29e3b50a811b91 |
| SHA1 | 3909d9e916001e27a5fb563982ad66e00966ace0 |
| SHA256 | 354ae0d56a09ef9878e8d0f7fa1289cdfea7c2db9727271dfe1279beb3938e54 |
| SHA512 | 4a27265895c40b775f196148a011890e73fca5778fd4079964348d7dcd7d745fe22bbef2e21f21460c3a9d7132f1440b3f285a4c4c66d16374f492afe88c570e |
C:\Windows\System\NsohjJJ.exe
| MD5 | 306ecae17a16bcbc080f1debd368f58b |
| SHA1 | 64f316d66777aef097082e6c0f951a2dbf1c1ca8 |
| SHA256 | 5f60eb97862d5ed67d5d4978f1a11f10d39334c8fb2cb2e0a9eb3d4d812b1274 |
| SHA512 | a899b12dd82ee0fa7a4474e71786f7ab79fa54f9bc17ee751dabde47036a80aa401d08142e8bca57773c9ce4daabe6da2174a0c4144ad5fa7360ff5353e26a40 |
C:\Windows\System\JQkFiFv.exe
| MD5 | 6ce8946faa602cd26704538288bd45c9 |
| SHA1 | fc7cb8a95081b5be1d349f63394a41a939793cef |
| SHA256 | 69975980135a0ac2d28da0fcefe78ed08160cb9aceaa83a35cfa794ad474b1f4 |
| SHA512 | 7f90fc3c9fca078feb50269c837e9021942cb77095c88bad91048aff1e727e610f67f52a0c05891faf9c71caabd7416a43764b15de025a8dbbe3b053e168b364 |
memory/2916-70-0x00007FF6DEE00000-0x00007FF6DF154000-memory.dmp
memory/880-69-0x00007FF6ED2F0000-0x00007FF6ED644000-memory.dmp
memory/1992-62-0x00007FF76EAA0000-0x00007FF76EDF4000-memory.dmp
C:\Windows\System\elnytdm.exe
| MD5 | 1c3b30bdce9080f04323253eab216ccf |
| SHA1 | f1f32e0c50fd71f129db7f06e9dd855bd9fa3ac9 |
| SHA256 | c5ba76fdbe0c518b35769c9efcd2dbe24e1994ab1962caa1da4af7434f14dfb7 |
| SHA512 | 72874f29bfb77aabc3cc7356809285ad7a43344d7564bfc2fa281af50e8cfe4815a469a277f415dd8a43167c93bce6d47370e3534e643905f41094605ab80b91 |
memory/3108-78-0x00007FF6DD430000-0x00007FF6DD784000-memory.dmp
C:\Windows\System\zqkkaAC.exe
| MD5 | 5eb64f70260d25148f8f564fa33d4344 |
| SHA1 | dabe3c976cdbe7b3fbd49e8f6a1bf1d0f6ca537f |
| SHA256 | 05549446001bd940967e94f81e40e418cd6c2b584b1729aabec3d78f9f2c9373 |
| SHA512 | 96ccc61def1b818f51a2a47e6a2051c756852e1891f85abbb7321777d9a8d232f6602afccc791e25f52ecbc9999652c29c7c338ab22306f669128f52b9fbfe10 |
memory/3768-84-0x00007FF7A4A90000-0x00007FF7A4DE4000-memory.dmp
memory/4404-83-0x00007FF6BF810000-0x00007FF6BFB64000-memory.dmp
C:\Windows\System\AopvIAc.exe
| MD5 | 102d37023418d1db47daaa5f10afa6ab |
| SHA1 | 298dfaba3339747cae5380642674f7f11bd9c1d3 |
| SHA256 | a7eb15de80e780ac5ac8a350b012e721bac4f96139c1e2fdb02ad79a04947ff8 |
| SHA512 | 8355a408555b09a49c9f20c7eaf45a0aa19ea6323dc45e096f653684220e57d668c6df1f69eca7444cc60c7ab4453e96a46280572c40e4b03ec898bff971a907 |
memory/1284-94-0x00007FF74C030000-0x00007FF74C384000-memory.dmp
C:\Windows\System\SRZtESR.exe
| MD5 | cef7b3f11ae00930a8d2ee2e44a5eab8 |
| SHA1 | 287b9ba81de1f22948410a47cc0fedb55b17ccca |
| SHA256 | 34e731437b2a5e2f11298344e73daa3e160e673c5877cfffc002ea7e06f0e822 |
| SHA512 | 2796209349f5cc8bf487157dd666b6f9d649373cf8861d566445b13990cb077ba0dc704fccaa8583325b4c78b7baf66991097165471fc94c91ca21c85a7ddbce |
C:\Windows\System\bNwAJfI.exe
| MD5 | b4a69e455e2af9b4ee04798d983464d8 |
| SHA1 | dae22661ab54d1adf24bc5a31631d88890bba307 |
| SHA256 | eec53169d5bf4496e9fa9f832f3253f3cc8b3e0c29a11a20b3a28b7b0ae81f82 |
| SHA512 | cea2ea2cfe126f7413c3aad8ebc82056ec9164863400d120c11e4e613d0c723bce9a793dba63ef88c9bbdbd42fca991f7a1998d724cf2abd4ad36e41ed08d1fb |
memory/828-102-0x00007FF6C2E70000-0x00007FF6C31C4000-memory.dmp
memory/228-108-0x00007FF6F0380000-0x00007FF6F06D4000-memory.dmp
memory/1724-107-0x00007FF64B330000-0x00007FF64B684000-memory.dmp
memory/3628-99-0x00007FF7B5FF0000-0x00007FF7B6344000-memory.dmp
C:\Windows\System\FGJZrNz.exe
| MD5 | 8da6da70c3650a1b677d9143eac3220e |
| SHA1 | c007fb66261d410dc1c19bb5f9568c392bfd7d9c |
| SHA256 | 7f3e74c8623ea74d108e9759e4db83a3674443e0816f2d896c674bb6c6a09183 |
| SHA512 | 5ee1fecbbf72210db5429449a36d769f6193c0cbc38bcfa35446a96e97f9fe0030bc926149947cb520e8e1cb4f5cbfb64eb0e18d9fd967bb29ea4d4a20984909 |
memory/1076-112-0x00007FF7864A0000-0x00007FF7867F4000-memory.dmp
memory/3164-122-0x00007FF77C740000-0x00007FF77CA94000-memory.dmp
memory/1992-126-0x00007FF76EAA0000-0x00007FF76EDF4000-memory.dmp
C:\Windows\System\VoaYzdn.exe
| MD5 | d59e73609a4e46cc9db534cec7e726cc |
| SHA1 | 99f8e7788b452e82e1e7b39545381e79fc4473b9 |
| SHA256 | 0836cd01c64e981b719776a55e0e42ef5de5eeb289a024cecbc434e1f09bc5b6 |
| SHA512 | 7059d888798bf8b0ad4bb5fe7382c7163dd52a4a923bcec9766e1806318eff2c7bfb7f96ad848e6e4d5ddefc8a72806381bb234b6baa7faf0d44bc133cae487b |
C:\Windows\System\BAwmNps.exe
| MD5 | f4dbe909ea6013ca7de7d0783e145a2f |
| SHA1 | f5db34b6d8580c9e33d4428034624436a7c75878 |
| SHA256 | 2d005d9f230f7a5e20bee861f918cb0f70a33ac0e1d225d5daf8890c2931666c |
| SHA512 | b028fc119546e0af2f2012abc389aa18b278b9729c4c7e4bc9bf1aa5328ddfce35363b0a36b0794dd9a09b2cb3bf84c129c856add486ed37639e989ea59368b1 |
C:\Windows\System\FLMuWUS.exe
| MD5 | 6711b3961c5339b4d855b35ecf744c82 |
| SHA1 | fc059d24e650985d1e4062aacc9196b8eb4ff128 |
| SHA256 | a784f4015d612f725bab34dcd0e670eb66edc736dc9e5b8840c95fa4455ae200 |
| SHA512 | 423be7b2f358a1e513586a2d6fdade43ade0eb4a4c989da473f8196214b49c82b2305d503076adce0fb2b2f882f9541df7a43822303e157625d2774988ca0bb9 |
memory/2320-131-0x00007FF7F8830000-0x00007FF7F8B84000-memory.dmp
memory/884-132-0x00007FF7637F0000-0x00007FF763B44000-memory.dmp
memory/4404-133-0x00007FF6BF810000-0x00007FF6BFB64000-memory.dmp
memory/3768-134-0x00007FF7A4A90000-0x00007FF7A4DE4000-memory.dmp
memory/828-135-0x00007FF6C2E70000-0x00007FF6C31C4000-memory.dmp
memory/1076-136-0x00007FF7864A0000-0x00007FF7867F4000-memory.dmp
memory/880-137-0x00007FF6ED2F0000-0x00007FF6ED644000-memory.dmp
memory/688-138-0x00007FF72EF70000-0x00007FF72F2C4000-memory.dmp
memory/4424-139-0x00007FF74A000000-0x00007FF74A354000-memory.dmp
memory/1364-140-0x00007FF7F9620000-0x00007FF7F9974000-memory.dmp
memory/3156-141-0x00007FF7D6E00000-0x00007FF7D7154000-memory.dmp
memory/3628-142-0x00007FF7B5FF0000-0x00007FF7B6344000-memory.dmp
memory/1724-143-0x00007FF64B330000-0x00007FF64B684000-memory.dmp
memory/2976-144-0x00007FF75F700000-0x00007FF75FA54000-memory.dmp
memory/808-145-0x00007FF658A00000-0x00007FF658D54000-memory.dmp
memory/1992-146-0x00007FF76EAA0000-0x00007FF76EDF4000-memory.dmp
memory/2916-147-0x00007FF6DEE00000-0x00007FF6DF154000-memory.dmp
memory/3108-148-0x00007FF6DD430000-0x00007FF6DD784000-memory.dmp
memory/4404-149-0x00007FF6BF810000-0x00007FF6BFB64000-memory.dmp
memory/3768-150-0x00007FF7A4A90000-0x00007FF7A4DE4000-memory.dmp
memory/1284-151-0x00007FF74C030000-0x00007FF74C384000-memory.dmp
memory/228-152-0x00007FF6F0380000-0x00007FF6F06D4000-memory.dmp
memory/828-153-0x00007FF6C2E70000-0x00007FF6C31C4000-memory.dmp
memory/1076-154-0x00007FF7864A0000-0x00007FF7867F4000-memory.dmp
memory/3164-155-0x00007FF77C740000-0x00007FF77CA94000-memory.dmp
memory/2320-156-0x00007FF7F8830000-0x00007FF7F8B84000-memory.dmp
memory/884-157-0x00007FF7637F0000-0x00007FF763B44000-memory.dmp