Analysis Overview
SHA256
1f9909a3a2f29fbfa912809ab13d5a7caf2556e1fd53516e819947a94cbb4e25
Threat Level: Known bad
The file 2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
Cobaltstrike
Detects Reflective DLL injection artifacts
Xmrig family
UPX dump on OEP (original entry point)
Cobaltstrike family
Cobalt Strike reflective loader
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 03:41
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 03:41
Reported
2024-06-01 03:43
Platform
win7-20240215-en
Max time kernel
137s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\LnkPzPw.exe | N/A |
| N/A | N/A | C:\Windows\System\sjASYCb.exe | N/A |
| N/A | N/A | C:\Windows\System\nqdWEBv.exe | N/A |
| N/A | N/A | C:\Windows\System\SpFEpLI.exe | N/A |
| N/A | N/A | C:\Windows\System\hrzaQqS.exe | N/A |
| N/A | N/A | C:\Windows\System\ndJPLgn.exe | N/A |
| N/A | N/A | C:\Windows\System\LgyNIwO.exe | N/A |
| N/A | N/A | C:\Windows\System\GsaLehY.exe | N/A |
| N/A | N/A | C:\Windows\System\FzAOeWh.exe | N/A |
| N/A | N/A | C:\Windows\System\cxffbOG.exe | N/A |
| N/A | N/A | C:\Windows\System\DeCxccn.exe | N/A |
| N/A | N/A | C:\Windows\System\pJRwQQq.exe | N/A |
| N/A | N/A | C:\Windows\System\xgqBBRe.exe | N/A |
| N/A | N/A | C:\Windows\System\jQfQtzn.exe | N/A |
| N/A | N/A | C:\Windows\System\XPsCwEl.exe | N/A |
| N/A | N/A | C:\Windows\System\bYzYFew.exe | N/A |
| N/A | N/A | C:\Windows\System\ZlVmkPT.exe | N/A |
| N/A | N/A | C:\Windows\System\rXJnuZg.exe | N/A |
| N/A | N/A | C:\Windows\System\xDmgDMO.exe | N/A |
| N/A | N/A | C:\Windows\System\AcqjjYg.exe | N/A |
| N/A | N/A | C:\Windows\System\oYjrtom.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\LnkPzPw.exe
C:\Windows\System\LnkPzPw.exe
C:\Windows\System\sjASYCb.exe
C:\Windows\System\sjASYCb.exe
C:\Windows\System\nqdWEBv.exe
C:\Windows\System\nqdWEBv.exe
C:\Windows\System\SpFEpLI.exe
C:\Windows\System\SpFEpLI.exe
C:\Windows\System\ndJPLgn.exe
C:\Windows\System\ndJPLgn.exe
C:\Windows\System\hrzaQqS.exe
C:\Windows\System\hrzaQqS.exe
C:\Windows\System\LgyNIwO.exe
C:\Windows\System\LgyNIwO.exe
C:\Windows\System\GsaLehY.exe
C:\Windows\System\GsaLehY.exe
C:\Windows\System\FzAOeWh.exe
C:\Windows\System\FzAOeWh.exe
C:\Windows\System\cxffbOG.exe
C:\Windows\System\cxffbOG.exe
C:\Windows\System\DeCxccn.exe
C:\Windows\System\DeCxccn.exe
C:\Windows\System\pJRwQQq.exe
C:\Windows\System\pJRwQQq.exe
C:\Windows\System\jQfQtzn.exe
C:\Windows\System\jQfQtzn.exe
C:\Windows\System\xgqBBRe.exe
C:\Windows\System\xgqBBRe.exe
C:\Windows\System\ZlVmkPT.exe
C:\Windows\System\ZlVmkPT.exe
C:\Windows\System\XPsCwEl.exe
C:\Windows\System\XPsCwEl.exe
C:\Windows\System\rXJnuZg.exe
C:\Windows\System\rXJnuZg.exe
C:\Windows\System\bYzYFew.exe
C:\Windows\System\bYzYFew.exe
C:\Windows\System\xDmgDMO.exe
C:\Windows\System\xDmgDMO.exe
C:\Windows\System\AcqjjYg.exe
C:\Windows\System\AcqjjYg.exe
C:\Windows\System\oYjrtom.exe
C:\Windows\System\oYjrtom.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2028-0-0x000000013FCE0000-0x0000000140034000-memory.dmp
memory/2028-1-0x0000000000300000-0x0000000000310000-memory.dmp
\Windows\system\LnkPzPw.exe
| MD5 | 0b1a450a816c241743ccf8cd82e46c12 |
| SHA1 | 6890203b82c54abf497bb8d9b314e60d038273f3 |
| SHA256 | a99f1285372f4cfef4b396ddc33309ff5cef770518e49ba3d3ceafbc522b27d1 |
| SHA512 | 94c9cd423ccad71c2a5dda3f988bc40782b60facbd59eaa60d0f897d0b9012cb81b84575b899cd6a5a684ba68c4384ed921492b0a67fe28759fe02201debf37e |
C:\Windows\system\sjASYCb.exe
| MD5 | 662e382b553fa02fc43e3066633daf96 |
| SHA1 | 3510c9f8d1e098bb75ad9d9cc934c2369832a733 |
| SHA256 | 65e3cdae711fc09cc8fd3df9fcd036096d09450499b847ccaa5edea03661dec4 |
| SHA512 | 232b301094795770d06ec79c88bf045176664333150c9424d7a597eeb1d3e1f91560f9b93ed69a37b83ec88f495be33667eccb99362ff6caf7bd417317a9c49e |
memory/2392-13-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2252-15-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2028-8-0x000000013F140000-0x000000013F494000-memory.dmp
C:\Windows\system\nqdWEBv.exe
| MD5 | 40529dbeb86399e7c1a473669e8e901a |
| SHA1 | 26e1933821cbe3c1061a73e566b6f400eaae50f0 |
| SHA256 | f640322e0a55b34a5a73a8cfcf048c3f2e810edbdad2bcd4d9fd1a775ba909cc |
| SHA512 | 43a142d6eb5037601f65ba4834d98c9c8621edd6c008095f7456d5f1e1a229ed6e51ff7e0d44edc276949e001ae9cbbff435252a59f38bbc72c19a94f05012e3 |
memory/2028-21-0x0000000002290000-0x00000000025E4000-memory.dmp
memory/2568-22-0x000000013FAB0000-0x000000013FE04000-memory.dmp
\Windows\system\SpFEpLI.exe
| MD5 | d9353505f693e6f5abc464f5ec680e97 |
| SHA1 | f4cf3345461082e10c7e758be9661a40fe391a70 |
| SHA256 | 9f3479add24ee252245cd52ddac0bd2e4f1d612da343f3b22e37b8309a40dea3 |
| SHA512 | d649e3785a863bc361a5a9c1f15218a5a5e4cb7a8872d391be0d41d8557ada9f09504166896d53d5dcd115d668c47feb0d62d13edd79eb3395198acbd346cd9b |
memory/2028-26-0x000000013F610000-0x000000013F964000-memory.dmp
memory/2652-29-0x000000013F610000-0x000000013F964000-memory.dmp
\Windows\system\ndJPLgn.exe
| MD5 | 5ed6278c03bced2ec22ca0064d2a5c52 |
| SHA1 | 375e9342f4a0ff1e5cb89ae6f358bd814411c91e |
| SHA256 | f7b73b52e51654da2b6b2c4aa079a0a4c02bee1c14307690148871f2b7c89f9b |
| SHA512 | c738301f9284959f573ebaf531c25a53d5d32ce295feecdc3f2303ca062eb85de4f8f30249fcf4a264a99f30145fc8d1fb10a00067bd2602b848ed2f918ed8ae |
C:\Windows\system\hrzaQqS.exe
| MD5 | f21d87e611ae25c08addf5815832a78f |
| SHA1 | c322014ea000a45620d3ce64449e76f6831e810e |
| SHA256 | e078ec7779d17b29481f8b2469626f82536f6c427e79655f01c9363f01e5a998 |
| SHA512 | 2292d2f39ac287835bf1da1f69a7121b7eea01f21e976ec4cbc892cd36049c45c1e30e99a734b991216d9be082b2063179eb4c6d09a3a71a62888d3a3b50bca9 |
memory/2580-40-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/2744-42-0x000000013FA70000-0x000000013FDC4000-memory.dmp
memory/2028-41-0x000000013FCE0000-0x0000000140034000-memory.dmp
C:\Windows\system\LgyNIwO.exe
| MD5 | 13bd02d9e40ee6137db45786c04ccf7a |
| SHA1 | e6abeed7e8c3da13a78b7ecbbe76f575d536526f |
| SHA256 | ee2918bdacf82cc76aa02c06f8beea72e748cbd61d7f1a67819fedb4740607b5 |
| SHA512 | 0dc4d8e18d7269eb78808a5b5fc1c1312f0c7bd2c639da7e3f2c7c909e08424d982e16f4885eb9249c920e8810c279434d89659acf160d0bc30cfbbf61974f00 |
memory/2028-48-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2752-49-0x000000013F850000-0x000000013FBA4000-memory.dmp
C:\Windows\system\GsaLehY.exe
| MD5 | 1f54b943f35fd1a9bb3cb74a9cc2d083 |
| SHA1 | c971326f83f3aaf8d4707b13b3ea32d378e6a1ef |
| SHA256 | 78b30ff1ff8ae2812e76a6eb2a769c8f75489976b6a6f9aa66c6cbb98123a5bc |
| SHA512 | adb6c7ed389152575a2b8d47da590aa4ddf052c8bd173a6b64a08130c8b51cc4bfff3b81aa08b64bc4eb950d6b7a5e1a508b98a39c73370f1e4dbad5e8a46391 |
memory/2444-56-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2028-55-0x000000013F480000-0x000000013F7D4000-memory.dmp
\Windows\system\FzAOeWh.exe
| MD5 | c7376725f442f42b7772ce2c76024886 |
| SHA1 | beea8ca615db5f601749ad5e2976d998fa10b32d |
| SHA256 | d49544e625bb02126e92b565ed0f07facc072c4ff85ad6ee08be77a6292627ef |
| SHA512 | 7832562d9296f4bf087ec42393c0ccda7fabf08483679d14a3881f779485d96c323ab481f46539dcccc75f9a3b589a372fcd4962537043b298acd8d7335afd96 |
memory/2516-62-0x000000013F500000-0x000000013F854000-memory.dmp
memory/2252-61-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2028-67-0x0000000002290000-0x00000000025E4000-memory.dmp
memory/1736-71-0x000000013F1E0000-0x000000013F534000-memory.dmp
C:\Windows\system\pJRwQQq.exe
| MD5 | 85d20d8d8f7a69843ceba02e47160755 |
| SHA1 | 4df0d2c33484b6dc2da547887e60dbb637a7a2d8 |
| SHA256 | 69ede140877abe5f72c373d4077aa2c7dab95b14d8a6b8a38ede26370d937217 |
| SHA512 | 7b592ced19e40b74e90450de44952f6455afb059067bfcae2db0c9fb7abc9221e41d4b115f04f37eed21bc83666720af3b3ad3f742848bd3e4fe4fd0d931e39f |
C:\Windows\system\xgqBBRe.exe
| MD5 | 46bf8c59265e48a0c10cddf80850b3db |
| SHA1 | ee5fc316eb4f493e76fa6b246f8a70106ce0a95d |
| SHA256 | bc540eb8ff45339b07228321019c2547259041bd1646eda3cfb9f561aea90806 |
| SHA512 | 287d92cb051ea324c100c0b8137a2b830437ac8700108db86dc4f365ca614f79626aea37f87f1e854c4f09880a852919cef3fd2e3280d2e12dbf413614212541 |
C:\Windows\system\XPsCwEl.exe
| MD5 | 030f75f48414a785d16c187fff86ac06 |
| SHA1 | a10a886350f3599b9c1a43c0596f3ebde0402f10 |
| SHA256 | cf393277d4b4cb1f9559bfcb7e6eb8b87687dddb9615e7e2d1eef7ec19571446 |
| SHA512 | 67908d192478389821ae7f5807f3036b765cfabb47333c383bfd0d95de1647631c6f0c74933f7965b326c9eec6a6da9a1252cbb3695f3b82b456d40308562eac |
memory/2028-114-0x000000013F440000-0x000000013F794000-memory.dmp
C:\Windows\system\oYjrtom.exe
| MD5 | b9d7aa6ddf652ec3495b2901d7797ce6 |
| SHA1 | 1c77562230d1d02425c4d5f1ae362938c9becec4 |
| SHA256 | 0177371624571e5c51415820c617a8754ed5dbe5a5156cabc46eed137812ad36 |
| SHA512 | 217c1beb0d962aac2ec0434ab379b07c6cd411a4b1e84ff6d3b0aac9efbf0946cd675e8c357184ed54f0b1eb8ce593a840614d56b6a056a9c14cef70ba743cca |
C:\Windows\system\AcqjjYg.exe
| MD5 | 79873bd949eac9c6d14565c7d6bf3fb1 |
| SHA1 | 8a9f6c9c7975e46bcfb4ae3f8ecc6a102aaf2098 |
| SHA256 | 431368d4f20e56ec06046e7375d184657fd2badda7c3068c2a68fc58f5587df8 |
| SHA512 | daa934eb9c942a3ed397b63b960459a6c21ebeabe190ca992ef0fbf54ea4c1c1b784f6cec1d518c9e1b92569dbeab79642b89c5ec320b1fc1978fe90eec6cc0c |
C:\Windows\system\xDmgDMO.exe
| MD5 | aaee8fa38867db9df89778dec487a630 |
| SHA1 | 8abc387b1326e3d37e574aac186ed969428ede2e |
| SHA256 | 8d722ace2d7e37963e2326721354606679c2cbe853494c533a21bf2c87224f0f |
| SHA512 | 5e8c66117c1b9045e1e1b3d2021700c3d298470314fc50606b0de747a0583819e45249c2fb3a9efc9dd833f219edb728efa2d5b7df127ce2d4774e46080890e4 |
memory/2652-105-0x000000013F610000-0x000000013F964000-memory.dmp
C:\Windows\system\jQfQtzn.exe
| MD5 | 9c313195b971c371e285fcbf1effee23 |
| SHA1 | 5c4ae6f62cd5c20776c9780949c8db2248cbbf0b |
| SHA256 | 8f3880338bea72efbba654129f83227c5fda6ff6492fc90bfa6dddb6883f5090 |
| SHA512 | 96f276e4b75e97aceff40a6b95ff98be0a47e33f2614efa69fa852b866e4e0d7a9af148a5af385bd748c4f51a72aae05b64c007a80e3886d61624aa1272e465e |
memory/2028-102-0x0000000002290000-0x00000000025E4000-memory.dmp
\Windows\system\rXJnuZg.exe
| MD5 | 20300dcaaae701a4aaf7a2dda1de39f3 |
| SHA1 | b75d52172a8e8852165ad1f52902f6445260ba4e |
| SHA256 | af3f7560bab3f4a67c3d21ea190187927019d8f4c34e4a09c96ec4295e598385 |
| SHA512 | 9aeea2a1f8ee5d670154bce37f1522b1488530d20c0760e485ca3819095aa693da15359baff83acd1f59a04376f1097c355df8a25892152e2283c27d33c6135c |
memory/2848-94-0x000000013FCC0000-0x0000000140014000-memory.dmp
\Windows\system\ZlVmkPT.exe
| MD5 | 66ea8b85a375006a05c3b289c42c4c28 |
| SHA1 | c75e549cd7efe9f1ffd113841f7c458e9033675b |
| SHA256 | 597aabe7972e9da113af5059071e5746dceb9d9a6548912129319aa068324922 |
| SHA512 | 861704487e61919eca4b4f67041bad523dfc8f1e4fbf3fd3342d1975b19c674e582277f93588ebfad5ca5e2d9077723f36c11e50368a270df9dfe7df518b52f6 |
memory/2028-118-0x0000000002290000-0x00000000025E4000-memory.dmp
memory/2860-117-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/2028-113-0x000000013F5C0000-0x000000013F914000-memory.dmp
C:\Windows\system\bYzYFew.exe
| MD5 | 5e7c6c28a06bde81187bd5ed99cc76fe |
| SHA1 | de8dcb1cb18833165519e762829cfbbdb8bd72fe |
| SHA256 | 959eb434bebfcc94021e8733e2ba05bc00a3fa656b564f0044e9c98f751ec565 |
| SHA512 | 2b40db68e61ed4ac7b6753c1371391e53763e41ed12d027c2a90e5c8aa3e667671249c819b3207a9dfc948d7d150bf3488347b05a3091797b4916913f92ba148 |
memory/2028-110-0x000000013F300000-0x000000013F654000-memory.dmp
memory/772-87-0x000000013F5E0000-0x000000013F934000-memory.dmp
memory/2028-86-0x000000013F5E0000-0x000000013F934000-memory.dmp
C:\Windows\system\DeCxccn.exe
| MD5 | 0cb6af21a5f423932f1ff57c12ada6ac |
| SHA1 | 6cc7e9060b23b07c1aa87b231b0902422dd11d49 |
| SHA256 | c90d11ead7d2801b7b562eb2a137cbc086feb016fc2637250e65ee29a03a431d |
| SHA512 | 9644b6795d9d14776a5ee6b51d6b67d2bef3126753e5f8f1ba08acdd17bb63eeccb7ecf64490c946d0b19b46eee163f49eb75361090372794eddcbb66eb1aba0 |
memory/2028-80-0x000000013F610000-0x000000013F964000-memory.dmp
memory/2028-70-0x000000013F1E0000-0x000000013F534000-memory.dmp
C:\Windows\system\cxffbOG.exe
| MD5 | db99a1b782d4de3add291bf5123447d7 |
| SHA1 | 4dad3dc28966d2eb329c3190698b88740b90ec60 |
| SHA256 | 51200d3408d7c761d6fca143ef063c3c6e312abdb68f6f5c52aff8302029b9fa |
| SHA512 | a8a54fd768cb2704cf7109fd1dd4a7b2be212081db68001120981969f7931896ddaaab8f8d3d32bd3d8fdd5c0a5dc4b1ec9b501b9252491ddf79e6ff9666011a |
memory/2028-137-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2516-138-0x000000013F500000-0x000000013F854000-memory.dmp
memory/2028-139-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/2028-140-0x000000013F5E0000-0x000000013F934000-memory.dmp
memory/2028-141-0x0000000002290000-0x00000000025E4000-memory.dmp
memory/2028-142-0x000000013F300000-0x000000013F654000-memory.dmp
memory/2028-143-0x000000013F5C0000-0x000000013F914000-memory.dmp
memory/2392-144-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2252-145-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2568-146-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2652-147-0x000000013F610000-0x000000013F964000-memory.dmp
memory/2580-148-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/2744-149-0x000000013FA70000-0x000000013FDC4000-memory.dmp
memory/2752-150-0x000000013F850000-0x000000013FBA4000-memory.dmp
memory/2444-151-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/1736-152-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/2516-153-0x000000013F500000-0x000000013F854000-memory.dmp
memory/772-154-0x000000013F5E0000-0x000000013F934000-memory.dmp
memory/2848-155-0x000000013FCC0000-0x0000000140014000-memory.dmp
memory/2860-156-0x000000013F5C0000-0x000000013F914000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 03:41
Reported
2024-06-01 03:43
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\UkBFCja.exe | N/A |
| N/A | N/A | C:\Windows\System\mrgafwu.exe | N/A |
| N/A | N/A | C:\Windows\System\gJPLEoE.exe | N/A |
| N/A | N/A | C:\Windows\System\AorrAyZ.exe | N/A |
| N/A | N/A | C:\Windows\System\rOAAXVf.exe | N/A |
| N/A | N/A | C:\Windows\System\wkmqOnD.exe | N/A |
| N/A | N/A | C:\Windows\System\hfhKkJh.exe | N/A |
| N/A | N/A | C:\Windows\System\KWqzdvt.exe | N/A |
| N/A | N/A | C:\Windows\System\LwjQfgn.exe | N/A |
| N/A | N/A | C:\Windows\System\bgeMDbo.exe | N/A |
| N/A | N/A | C:\Windows\System\aWuExFY.exe | N/A |
| N/A | N/A | C:\Windows\System\hcEMQHy.exe | N/A |
| N/A | N/A | C:\Windows\System\CpkHKQF.exe | N/A |
| N/A | N/A | C:\Windows\System\eEHpcye.exe | N/A |
| N/A | N/A | C:\Windows\System\OVbWmzO.exe | N/A |
| N/A | N/A | C:\Windows\System\yqJWayl.exe | N/A |
| N/A | N/A | C:\Windows\System\hZiwQlW.exe | N/A |
| N/A | N/A | C:\Windows\System\bNfgltV.exe | N/A |
| N/A | N/A | C:\Windows\System\NseSjQW.exe | N/A |
| N/A | N/A | C:\Windows\System\mpoVQVv.exe | N/A |
| N/A | N/A | C:\Windows\System\WFyAIVs.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_f00200d632c1950d7cf9e7652d1305fa_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\UkBFCja.exe
C:\Windows\System\UkBFCja.exe
C:\Windows\System\mrgafwu.exe
C:\Windows\System\mrgafwu.exe
C:\Windows\System\gJPLEoE.exe
C:\Windows\System\gJPLEoE.exe
C:\Windows\System\AorrAyZ.exe
C:\Windows\System\AorrAyZ.exe
C:\Windows\System\rOAAXVf.exe
C:\Windows\System\rOAAXVf.exe
C:\Windows\System\wkmqOnD.exe
C:\Windows\System\wkmqOnD.exe
C:\Windows\System\hfhKkJh.exe
C:\Windows\System\hfhKkJh.exe
C:\Windows\System\KWqzdvt.exe
C:\Windows\System\KWqzdvt.exe
C:\Windows\System\LwjQfgn.exe
C:\Windows\System\LwjQfgn.exe
C:\Windows\System\bgeMDbo.exe
C:\Windows\System\bgeMDbo.exe
C:\Windows\System\aWuExFY.exe
C:\Windows\System\aWuExFY.exe
C:\Windows\System\hcEMQHy.exe
C:\Windows\System\hcEMQHy.exe
C:\Windows\System\CpkHKQF.exe
C:\Windows\System\CpkHKQF.exe
C:\Windows\System\eEHpcye.exe
C:\Windows\System\eEHpcye.exe
C:\Windows\System\OVbWmzO.exe
C:\Windows\System\OVbWmzO.exe
C:\Windows\System\yqJWayl.exe
C:\Windows\System\yqJWayl.exe
C:\Windows\System\hZiwQlW.exe
C:\Windows\System\hZiwQlW.exe
C:\Windows\System\bNfgltV.exe
C:\Windows\System\bNfgltV.exe
C:\Windows\System\NseSjQW.exe
C:\Windows\System\NseSjQW.exe
C:\Windows\System\mpoVQVv.exe
C:\Windows\System\mpoVQVv.exe
C:\Windows\System\WFyAIVs.exe
C:\Windows\System\WFyAIVs.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 16.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 105.193.132.51.in-addr.arpa | udp |
Files
C:\Windows\System\UkBFCja.exe
| MD5 | 60cedd9baa3e2e3734ec8e077a1fa9db |
| SHA1 | da2154152c94911b76772917ca7ddaf15b90a4aa |
| SHA256 | 03cbba4e7c23793ebd1b0bb809ffd0a5fbfc17c52c8e709e7330054efed61af6 |
| SHA512 | 5ea53bedd71af593d9b87e0d3f44e73c8948e398faf1fc1b916b54596526d0b05704afef011dfe0fea90a9f85e440339d48b1c1e52969ccf839229004846b027 |
C:\Windows\System\mrgafwu.exe
| MD5 | b26601fb208ce14f6ae3c2047decefbc |
| SHA1 | 9be44a670c4f6af416c9de38a48177ebbefbc1ca |
| SHA256 | 9261ea2d70aca11aacc7543119ca5f49c7e0e48002aa3bc1375dbd7fdbbb4bc8 |
| SHA512 | 7532d6015e391bd22bb3221a77f3531c367d1a1649b601ef78a83ac856e926c86c77b6c903d300a3f36804b59b260f86d243749070ef72c2569c6c1299566895 |
C:\Windows\System\gJPLEoE.exe
| MD5 | 0894ce9d6bec28b5b1c41e08c7d511d7 |
| SHA1 | e51c0aa1df2adb2eed01f7e0575b215e94f61b3f |
| SHA256 | f8505e9a97887f627ff3b268885b940049a38f9c908d715a296dee34c4130c89 |
| SHA512 | 4adb9e090a4a3ae2c2454984f890053ffb44e4849d41c45cd88a09cb5d632df00cad741ab65ed12b975dd12658d027eb205062300b35eb9bda1fd69959158ba4 |
C:\Windows\System\AorrAyZ.exe
| MD5 | 866f684b2162a71f17c9bf3b3ef81bb2 |
| SHA1 | 2941067abd07d7cd24ce442441c8a666dfde215c |
| SHA256 | 6a17dfce2cf9a8cd4fae138c3f348b83c5d9d78650ba9ac010874da42a9304fc |
| SHA512 | 6c733c654e36f235d824727f50367e9c49f20435a9e1b07e4aa05e219ddcb41cbb3f7726283e52a35da468b32e117755115d9144f67f37f72679b035de2465ef |
C:\Windows\System\rOAAXVf.exe
| MD5 | e06d6a94d27fa3c2b4bd4b545b3b81dc |
| SHA1 | 086a7d6be2757884a88d826ec62aedff8385115e |
| SHA256 | 6de12742eaf4c14eefddd76c0f6fb8c56bd98a8ce561049175bfab352d0ec762 |
| SHA512 | 1cd541814e0cd4004ad1ef2223eed35568c7da05e818fac19a36f3bf8126e721d51b90c056bd78838c2b2889b399b0923a6617d6d1738a3db9f5144c99378151 |
C:\Windows\System\wkmqOnD.exe
| MD5 | c89070583acd5c0a87b6d6aaebbd70ff |
| SHA1 | 4f1f67f4eafd26afe5da2d7c1e8e701ebd926190 |
| SHA256 | c333cc7e15da842fbded61e78143b53747fe16148c1eb501f115c3f804e04c92 |
| SHA512 | c4a925c3fece476fdd5193616cbe5017ef1331bbb3f7ff49bca27bf0d830fa4e48908cb2c8b2f58a347f757ec3f6a43e56c5e027f969b7ebb0021bbff9bb371b |
C:\Windows\System\hfhKkJh.exe
| MD5 | 3c540c7f0a9e42e8a219756bb2711e15 |
| SHA1 | 0d09fb911a2ea63c03be6ac158a5346828384668 |
| SHA256 | 85eeb9df2e1713b3663a63b71b8eaed1c15b89dbd2a38ac8f5381bad9b038d70 |
| SHA512 | 63e0dd315aecfde4507e581936e394c91c2c0c471a8aecef1232fb28688bca9835fc64333e6f9cf6fa52068830616af1e250e26a07a371b75356292031442e37 |
C:\Windows\System\KWqzdvt.exe
| MD5 | 2f640df748fcc87c11dc7b99ad3bcc78 |
| SHA1 | 853b953bb686a9647fd121722b2f088ed701520a |
| SHA256 | c87d909581b26b77e35c29165fa44484ba6ab30570acb5be64492452a097116b |
| SHA512 | 56a72601dae3fddd442d82d325d838f4e16daf7960b3b3adec1372eee684a734ffa6419f0b2dbf815e945fd3e3d0d8cab95fb0ae7b073739fd073b7ceff93795 |
C:\Windows\System\LwjQfgn.exe
| MD5 | 8ecb008a810880ab341d703629a4543a |
| SHA1 | e33eeb5917ed4aecb08f5db0666d0504e833bf4b |
| SHA256 | 4b422613fb6a13ee72fb2144bd541545d9a8e15e7963360695d0e98b5336aa63 |
| SHA512 | fb38ab4619c9c2b2cac42869066af04e5961cc6ff86539aeed6e159159a98d7e486c3a982a1df5f027cf144880635bfae450fde63f4f5ae6451158c16a7c381a |
C:\Windows\System\bgeMDbo.exe
| MD5 | afb2c4c7a63f33151ce858ed80ed76cd |
| SHA1 | be746d3f3b446bd2b9406fc8cd1fb048dd322562 |
| SHA256 | ed4315d5285d2e44c70a1064f16c47178460b218b506a78bdba015072cd8f3fd |
| SHA512 | b0284e229a8a3841ba5a2363ac844682e801bc5228359396e36621fb10fecece83f3bb108f5a74f1b95a847575f254ac42e821144e080c63111895d5fb48766d |
C:\Windows\System\hcEMQHy.exe
| MD5 | 3b2ea452999f095ce15fad591d391921 |
| SHA1 | b4b5b0f282935af3029436cc3a5e65580cf99514 |
| SHA256 | 25bb3b9a4d4a324a8ce337349df44c3da451947814b956ead27c5bff39edd124 |
| SHA512 | d13aa6cb6a2e03d60bb0bab923a4016e58383598406388832a9f38059369008048f7229f35864b970a23f7b8d40dfadc1333ec11fa886bbbc5dff19ffa4a2e89 |
C:\Windows\System\aWuExFY.exe
| MD5 | 9cca80c762346b7a9090a103eb2acd94 |
| SHA1 | e078fd4db1bd73c4889f3e9f6eb379a87b257adf |
| SHA256 | 1ead1ec34f543bd08ed7492c86bbf98bfc28b35cc4cc582eda61befbfa07dd8d |
| SHA512 | 1d65645c330a3b47187f4af0c443f75e47cac17ce0fe95906c85c903ba78caea8305d6cf15c0fbc8471cd532db5a3b51ae1fd243aac151735df5904b78ed5e01 |
C:\Windows\System\CpkHKQF.exe
| MD5 | 9b893823981d689417498b7684c71ed3 |
| SHA1 | 1da0537ae7b130b9e5bb03784a03af85a47773e9 |
| SHA256 | ede7b5c981506144b0c54ed72531f5b50c5541b3a038150d75ad47d9e6bd6b06 |
| SHA512 | 71f91e7c5b3801c4874ff19ec1f87528b3d6582960c1721eb0199ee53bf12020e9bd5db17c84d6136458056f3300af2c74329b6a29d0f3ee7aff9c5398df0ef7 |
C:\Windows\System\eEHpcye.exe
| MD5 | 02285cfbb760f6088440b4231bc88c31 |
| SHA1 | ee50ab697facd057cd6c44acc23e83a79041851d |
| SHA256 | 35bc5f6da5840511d04ba4b5eb4769af65e885189768aee8da5f00e031912b08 |
| SHA512 | a593cbd867ff6383dfc26d6ac5e9addf8ca7e0171ed1d882b975b3c00354c746014dc902789316ef3c180d5f5b1719fdeb1a81789a292c84de7cba753392a25a |
C:\Windows\System\OVbWmzO.exe
| MD5 | 74838fc9ca0a1dd4b19c670ff6fb6fa3 |
| SHA1 | 23a55a1f51e10412608334bebbdbf35b9b50d10e |
| SHA256 | b395932e8b88b92bb03e9cf2ec2365bc2e066b0a6c869fda0b1103e46e859fc4 |
| SHA512 | c24698e0ac5d5a765dd26e075a37fa0dc95e315b4bd7fc366655596fb0944e06591db50b988c28e3d60ba5a7ca96211217e345c71b958ba96f679a6c57de2671 |
C:\Windows\System\yqJWayl.exe
| MD5 | 6a8c8174574a5fc420c809a5577f54fc |
| SHA1 | 31a6985e7c901221b43cfda69986adf7330c31dd |
| SHA256 | 95976b7df46241e9df5e4c78600d65a22bfc4f40453c6d66c145180208998a44 |
| SHA512 | eee5c5767e6f524633f1be2006b9c6b0ce520f6f17a2b74b6badb22aef934eeb3cd7902e12e0265f43ab69e3eb3fec6f059554679082075e711fe376eff9728e |
C:\Windows\System\hZiwQlW.exe
| MD5 | e8835c32ba7523af40953e6d532fba24 |
| SHA1 | 11ccab4b1ce7cdf4c095d0d7b8f58fde2392e385 |
| SHA256 | 3db9d7efb7342573bf36bf50c897575e968b2847d04d808f762a6a27bebdaf38 |
| SHA512 | 80107b79bf89daa834932ccadd0abdfdf460b2f2444be2a070dbf659ff51eae4e0219cc6595eec45fe61644e6f0561cd0ae14d309d37a6f390ecab1c05a1e46e |
C:\Windows\System\bNfgltV.exe
| MD5 | c4ebe12fc5337027356af5fdf173fdd8 |
| SHA1 | e28c17cc8ba539be8eb00c90d77d00118832cf53 |
| SHA256 | e76d19ca2318661ee6eed141f8a2ea83ba1135174e88a4b0db650f9420912915 |
| SHA512 | ee74fdf8315f48f9e5a0575ac214b23698ae02578735a9432d23d323d49539d67a4f9d25c8ca1c925389968807c5f86cfa31c9e8eeeff5aafa9675d926564052 |
C:\Windows\System\mpoVQVv.exe
| MD5 | 403746b09524bacc4dad0886fb6df1db |
| SHA1 | 899474c32dfff3c3797353376c085b7449b5c6cd |
| SHA256 | 425fc793a67373c39bf48b75316deea637f9daf0dec382cda576d6e152292d08 |
| SHA512 | c33420b165d9d4101fbcafa4a25ad4a422e5ddb46278fb0dbfce92414255d2723074ddabfc4a6f276ce9a0f955002755434b8bbbbd75d490b092382c86c9c49c |
C:\Windows\System\NseSjQW.exe
| MD5 | 6cbabaa0c7e70d577bfc2b37f361b4c4 |
| SHA1 | 2359c57aff0a11568f2f8c53ff077833d9c821a0 |
| SHA256 | a8cdb08a4c9fdf7986aaf817c29a7c454ace6685bbbb2b74cf9b9d3600e47380 |
| SHA512 | 547fb1c3b50d7e1b40eae11327ade6e0d8a4a3834d0b1b85112e3d8e2daeb0baa597570a07ca2be61a230a975086cac09538e0c2aea7ecd66871baa9b2666b2c |
C:\Windows\System\WFyAIVs.exe
| MD5 | 77187a09043c04865b2ac0c9724cfa0a |
| SHA1 | 523f687eb4b2d2290217f2ffb873cdfc50aa1748 |
| SHA256 | 36ee5fbb4178c9417a2b9e38bdaabdb2a6eb9c80ff716104a6c491cd3a2671ff |
| SHA512 | a058abf514ba4d435488419b0c49ad37028c70903ccbb2ff25bd8bfbdad57456da693ec1d18e61a5ccf88a38c3f938f2ec2ce3dd3165b58c2ee328b1989933cf |