Analysis Overview
SHA256
7d7a08fa42441addadf380179bcf5a3002e8f0652d5faa6d9505d533e5e6728f
Threat Level: Known bad
The file 2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
UPX dump on OEP (original entry point)
xmrig
Cobaltstrike
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
Xmrig family
Cobaltstrike family
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-01 07:13
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 07:13
Reported
2024-06-01 07:16
Platform
win7-20231129-en
Max time kernel
134s
Max time network
144s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\tJjYYKU.exe | N/A |
| N/A | N/A | C:\Windows\System\HNrhRDD.exe | N/A |
| N/A | N/A | C:\Windows\System\PHBLOUM.exe | N/A |
| N/A | N/A | C:\Windows\System\gNbOaUH.exe | N/A |
| N/A | N/A | C:\Windows\System\eHNBlrS.exe | N/A |
| N/A | N/A | C:\Windows\System\FpRrzMb.exe | N/A |
| N/A | N/A | C:\Windows\System\SNVlZCf.exe | N/A |
| N/A | N/A | C:\Windows\System\CGgjztT.exe | N/A |
| N/A | N/A | C:\Windows\System\avMpoOW.exe | N/A |
| N/A | N/A | C:\Windows\System\ZPvjeXB.exe | N/A |
| N/A | N/A | C:\Windows\System\lUfKAVi.exe | N/A |
| N/A | N/A | C:\Windows\System\AWRQdgm.exe | N/A |
| N/A | N/A | C:\Windows\System\qAAgtDV.exe | N/A |
| N/A | N/A | C:\Windows\System\hGDomNT.exe | N/A |
| N/A | N/A | C:\Windows\System\JOJDrjq.exe | N/A |
| N/A | N/A | C:\Windows\System\fLvDBGs.exe | N/A |
| N/A | N/A | C:\Windows\System\NQnAuns.exe | N/A |
| N/A | N/A | C:\Windows\System\teqBPnN.exe | N/A |
| N/A | N/A | C:\Windows\System\QLxwsNP.exe | N/A |
| N/A | N/A | C:\Windows\System\vCPSsSb.exe | N/A |
| N/A | N/A | C:\Windows\System\aFgiwvh.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\tJjYYKU.exe
C:\Windows\System\HNrhRDD.exe
C:\Windows\System\PHBLOUM.exe
C:\Windows\System\gNbOaUH.exe
C:\Windows\System\eHNBlrS.exe
C:\Windows\System\FpRrzMb.exe
C:\Windows\System\SNVlZCf.exe
C:\Windows\System\CGgjztT.exe
C:\Windows\System\avMpoOW.exe
C:\Windows\System\ZPvjeXB.exe
C:\Windows\System\lUfKAVi.exe
C:\Windows\System\AWRQdgm.exe
C:\Windows\System\hGDomNT.exe
C:\Windows\System\qAAgtDV.exe
C:\Windows\System\JOJDrjq.exe
C:\Windows\System\fLvDBGs.exe
C:\Windows\System\NQnAuns.exe
C:\Windows\System\teqBPnN.exe
C:\Windows\System\vCPSsSb.exe
C:\Windows\System\QLxwsNP.exe
C:\Windows\System\aFgiwvh.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 07:13
Reported
2024-06-01 07:16
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
157s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\QoszihL.exe | N/A |
| N/A | N/A | C:\Windows\System\XGyxgZm.exe | N/A |
| N/A | N/A | C:\Windows\System\jtIUNxq.exe | N/A |
| N/A | N/A | C:\Windows\System\fcsAIGa.exe | N/A |
| N/A | N/A | C:\Windows\System\vMkKetx.exe | N/A |
| N/A | N/A | C:\Windows\System\ljXKBgJ.exe | N/A |
| N/A | N/A | C:\Windows\System\lUxXuol.exe | N/A |
| N/A | N/A | C:\Windows\System\jotXVKU.exe | N/A |
| N/A | N/A | C:\Windows\System\gZWIWIU.exe | N/A |
| N/A | N/A | C:\Windows\System\dJEHhBn.exe | N/A |
| N/A | N/A | C:\Windows\System\tPEDdOy.exe | N/A |
| N/A | N/A | C:\Windows\System\shnlJok.exe | N/A |
| N/A | N/A | C:\Windows\System\SEcanHo.exe | N/A |
| N/A | N/A | C:\Windows\System\YBunsxq.exe | N/A |
| N/A | N/A | C:\Windows\System\mzrWiRJ.exe | N/A |
| N/A | N/A | C:\Windows\System\ytCoXmv.exe | N/A |
| N/A | N/A | C:\Windows\System\ZdAKHwT.exe | N/A |
| N/A | N/A | C:\Windows\System\pNhQcpZ.exe | N/A |
| N/A | N/A | C:\Windows\System\DFIuCBH.exe | N/A |
| N/A | N/A | C:\Windows\System\KWZwEoh.exe | N/A |
| N/A | N/A | C:\Windows\System\CMbXiML.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_2414837c0707a74c9f88a6228216014d_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\QoszihL.exe
C:\Windows\System\XGyxgZm.exe
C:\Windows\System\jtIUNxq.exe
C:\Windows\System\fcsAIGa.exe
C:\Windows\System\vMkKetx.exe
C:\Windows\System\ljXKBgJ.exe
C:\Windows\System\jotXVKU.exe
C:\Windows\System\lUxXuol.exe
C:\Windows\System\gZWIWIU.exe
C:\Windows\System\dJEHhBn.exe
C:\Windows\System\tPEDdOy.exe
C:\Windows\System\shnlJok.exe
C:\Windows\System\SEcanHo.exe
C:\Windows\System\YBunsxq.exe
C:\Windows\System\mzrWiRJ.exe
C:\Windows\System\ytCoXmv.exe
C:\Windows\System\ZdAKHwT.exe
C:\Windows\System\pNhQcpZ.exe
C:\Windows\System\DFIuCBH.exe
C:\Windows\System\KWZwEoh.exe
C:\Windows\System\CMbXiML.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.24.18.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 16.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
| SHA256 | fcd20c51688bdc9e6766d5dab5a65e83f357780526055738ab70da8205a71189 |
| SHA512 | dd7c08b1f6bb927c0e10b12bb39c6df0b10fa0356eb774405c2ca7d219f3d0aea8f370df6053234869ca680714ccf4c7ed773eb3384f6627a7db977e0f56dbd2 |
C:\Windows\System\lUxXuol.exe
| MD5 | 6279182b6bc72dc3d337447b04c0d1eb |
| SHA1 | f73f5b48a2ce65294f288a66f028440dcaecf185 |
| SHA256 | da91f30fbd5c964d75ecdb523b6556a62c02283540fab5e70e432ffba9d27a21 |
| SHA512 | d81bc20e15e7255f508aae052ade670ec8ca4be413f6cdea85ea03bf2b5ea6913013c5b3280f7da4f33ca18c350466f6ab62949c2c7f0f4e4985297938d03433 |
memory/2964-51-0x00007FF676FE0000-0x00007FF677334000-memory.dmp
C:\Windows\System\jotXVKU.exe
| MD5 | 6433c8c181ea7f4dcaf0dfd18166a52b |
| SHA1 | 68159ecf3eb3a7a16ba3b7941cc2067ec62da1b5 |
| SHA256 | c0b01a2fa70f74e0636c905830fb9fc0095ec47d959ed19b8a6e0d458520b0a5 |
| SHA512 | 8334e9aa8407f976e6bb086835de6e406d4fc10136a8749788cbd80c5f7fa30b4bd4bef9088c3a5c54c72ddc049143414fda36fd55bf2d4541c7750ccf3213fa |
C:\Windows\System\dJEHhBn.exe
| MD5 | b3060b47dfd2cd3888461987f30a29cf |
| SHA1 | 36a5f876cd5e163924f37afea47f5e89fc3971f7 |
| SHA256 | b376ba7682e6ecc2b3e780d53f0a29a0e25927ee187141ce9610c55f8d152cc0 |
| SHA512 | 9f148b2c9d9f751141ed91f4b403c2a663824ebb9d2022a3210f3c5902efe8bda1d25cf9ffdc01bf99c8e735b10700d029b4e08e8eea79f0d9e2c083d48a8102 |
C:\Windows\System\gZWIWIU.exe
| MD5 | d52316bce07d5dae579b6c773a4839a5 |
| SHA1 | 52e79ac97d98d4dd4a4dc22acdbe65bc1304d4df |
| SHA256 | 3038eaeaafbfd9d62d584065cd2d22d74770418126fc7fe7eeca38b07eec25f8 |
| SHA512 | d78abb6cf143ddffe21b9e62e3646203b112fe9fc0a862071202dec358caac83491dbc0625b27dfd0af39fd35619ac320269171771d5f6c504513f5b6159f679 |
memory/3312-57-0x00007FF6C8160000-0x00007FF6C84B4000-memory.dmp
C:\Windows\System\tPEDdOy.exe
| MD5 | c3c493ee937fc4eab7672a9e621fccfc |
| SHA1 | 7d4a4c4ed53cfa8df753e0d908a35b45d2ec8d93 |
| SHA256 | 7b2123dd1fdc4d9da2aa91053dc50a3cfa9da9d05f98d30d4bc7d4d863ad7b88 |
| SHA512 | c9a9c11ea6fe990f4ed076350be3296d4ca96666830ea0ecd02adc752a2d2110d9fdbbd55d95d442af4937df7671df03c3b8ecf26a75ffc37d43200bbfcaa091 |
C:\Windows\System\SEcanHo.exe
| MD5 | 23e13dcb33f33544dc3626c0ba0ffbae |
| SHA1 | daf5910d1c04c0cff501225384746e50d5c756d5 |
| SHA256 | 444d2cc49eca65f0727b26a6c8a2c2273479c12ff7a53fdbe5d6e69b05bfe211 |
| SHA512 | d30d9fadcb0012d0c96557b0af52174f2d88b1c4887255180a1c1aca07a9da097f725378a7dbf9efeddbaed4ccbc19cedf098514bb52fb4b1d26b01bb40d60da |
C:\Windows\System\ytCoXmv.exe
| MD5 | b3e20c9a4613e61abe92aced890cec13 |
| SHA1 | 878ef5d4a8d1e35d2a22651643d912a9c4d64226 |
| SHA256 | e5625f633100be0d5a29943b79cf849bb8b80e0dc6f32748988e939c96ed046b |
| SHA512 | ffa8972735a89b0dac31c5261e73191c09c0bc612d5c9d379e4b1f25ad63687e40339343735e898962e6478433651044948598cc7e07ac1e81731acedfdadf6c |
C:\Windows\System\pNhQcpZ.exe
| MD5 | d940c2a5ba8c9e2ee4a337ec9e210a65 |
| SHA1 | 49fbb9493d2d561a762a4def2ca218989c6b1043 |
| SHA256 | 7a83173d3ba3d2727cf9b5ac7ca646347f3782bbc19286b691fd3c0ef6a19cc5 |
| SHA512 | d1b395b6a012eda3406af9244ce18d99f22c0ca0a4181be941b1fcecb99535c121fdb62ae68531d277427c9e744557605ddb48afe0c16030c5e7557d1bd9d6a7 |
C:\Windows\System\CMbXiML.exe
| MD5 | 4544d18ac0a3754bdac6f74e02db7ddc |
| SHA1 | 3ebdf0c81fcf7a8f8fee4631e3189cdfa5766aad |
| SHA256 | 3108d61a701d0c3575c5b474c4d9d92719dd13859bdb81f5414738a8d310910e |
| SHA512 | f86e32fb6a92eb9a118b1c2113e60d6e84b1e3fd0a5c23035243d4bed6dc38c4f12ac4531240f11f7366fa05ca8912d84b0fd2334361107069403206964a5fa2 |
C:\Windows\System\KWZwEoh.exe
| MD5 | 46005f27db5f5d4c9b8ba7744cf97de1 |
| SHA1 | 41dba6eb7a43edd339e103b5cf48cf165002df1a |
| SHA256 | 347db79a9a964ceda0eb098dcfff0cb944a1911b4931cbc3170d3dd8b9c0d6a0 |
| SHA512 | 5ebb9e27e24a9986a4775c39d03c8a41c822c3e8a482c4d7120d63a1f3e284e698bdaa072b90b855fd0118d50c6524bb1eb88e29571b4f542c2619aa8b6686a1 |
C:\Windows\System\DFIuCBH.exe
| MD5 | 666b10ae040e2fc840c0c79e40079ea3 |
| SHA1 | 7439fdc5015a118023ab3eaf351f39d3dda6ea2c |
| SHA256 | ac0bce2373144542196a3fd57a34ffe6a7dd95f140d1f0b5eed04b002b466d7f |
| SHA512 | c9ef8071012b5b25c72c67d383484409137f08ad6b333e745879a295bcc055169ceeb23235a04e1bc9cdb72ba74fa1e7c651b81eea84652a502538d5d41eb1d8 |
C:\Windows\System\ZdAKHwT.exe
| MD5 | e4c8961f8c22bf4ef76732641be63b0f |
| SHA1 | c61205e3dbaed8cfdd7dd5c3c526fdddfceb2194 |
| SHA256 | a24887632c64fe6aab2011fc33b2cb6b2e321d40b1feea2e69992bb16259df35 |
| SHA512 | a1321819d4e96ef54a5b9ce2c21756ac604df1cba7304fb5b411270c946ddc23773ca4408c986f05a5fb6490a10f322e6d65b9e38b842f131c3dd1e87eb2fd10 |
C:\Windows\System\mzrWiRJ.exe
| MD5 | cf1230b52d43e812214a025a646e7f36 |
| SHA1 | 03be1d46a1c933852f11b437ec8b55e595e705e2 |
| SHA256 | 5bf52bfbdbda88d3673b4c4ff2f6c1418e9f2f6cffa0e3939efe1baa1ba5f72d |
| SHA512 | d89b8216e4abd642264cd5848ad25bc32e199d85eae5be85c12cec7ecb9a13c8586f636fbc542d87223d55ff109b95baadfe263381b29de1da1889bf52487bdd |
C:\Windows\System\YBunsxq.exe
| MD5 | 6a19d0acc037324bc067b0e50988f223 |
| SHA1 | 87e0879df912f8859a3ad311109867ec56837d64 |
| SHA256 | c56289d65b6fc7f0e1e94d9b6065f92594456132b677169f459976bb803ec5e0 |
| SHA512 | cb8776b1cc2ecd602037c75dca5f66eb51e18e9bb1e5ee2c4bf044c99071174ff71e2ac17e664d06838354fa07817b00020940b921a29e945f79b23380b0c803 |
C:\Windows\System\shnlJok.exe
| MD5 | a97d48b7de5f62ce7c7ce4f451e1d16f |
| SHA1 | 51b9eeee364b6a4dadcdf86f43165b3d4a54b7e4 |
| SHA256 | cbfe4ec6a2f54120e097a9b6f5f47e88a4073256be00a57367e57aee9d2870ec |
| SHA512 | 52a36c89fc0f3ecfcbda5c2c118d614ef78bca0c8e427443617e18a2f5f1133c9e41fdc5af172a62560abca64b5ca27f7a4bb30034fbd25bf4bcb3d14bdba812 |
memory/5040-50-0x00007FF75B750000-0x00007FF75BAA4000-memory.dmp
memory/1812-43-0x00007FF637420000-0x00007FF637774000-memory.dmp
memory/3436-116-0x00007FF7F0460000-0x00007FF7F07B4000-memory.dmp
memory/2224-117-0x00007FF7C1490000-0x00007FF7C17E4000-memory.dmp
memory/3044-118-0x00007FF71AE20000-0x00007FF71B174000-memory.dmp
memory/1112-119-0x00007FF70AC80000-0x00007FF70AFD4000-memory.dmp
memory/3096-120-0x00007FF744390000-0x00007FF7446E4000-memory.dmp
memory/3888-121-0x00007FF67D5D0000-0x00007FF67D924000-memory.dmp
memory/1708-122-0x00007FF693FE0000-0x00007FF694334000-memory.dmp
memory/4776-123-0x00007FF7E1900000-0x00007FF7E1C54000-memory.dmp
memory/2444-124-0x00007FF7FF360000-0x00007FF7FF6B4000-memory.dmp
memory/1372-125-0x00007FF74BA80000-0x00007FF74BDD4000-memory.dmp
memory/3948-126-0x00007FF7022F0000-0x00007FF702644000-memory.dmp
memory/3500-127-0x00007FF603180000-0x00007FF6034D4000-memory.dmp
memory/3064-128-0x00007FF684170000-0x00007FF6844C4000-memory.dmp
memory/2436-129-0x00007FF662F20000-0x00007FF663274000-memory.dmp
memory/3504-130-0x00007FF706F50000-0x00007FF7072A4000-memory.dmp
memory/3116-131-0x00007FF646850000-0x00007FF646BA4000-memory.dmp
memory/1812-132-0x00007FF637420000-0x00007FF637774000-memory.dmp
memory/2964-133-0x00007FF676FE0000-0x00007FF677334000-memory.dmp
memory/3312-134-0x00007FF6C8160000-0x00007FF6C84B4000-memory.dmp
memory/1640-135-0x00007FF76D760000-0x00007FF76DAB4000-memory.dmp
memory/2436-136-0x00007FF662F20000-0x00007FF663274000-memory.dmp
memory/3504-137-0x00007FF706F50000-0x00007FF7072A4000-memory.dmp
memory/2772-138-0x00007FF736310000-0x00007FF736664000-memory.dmp
memory/3116-139-0x00007FF646850000-0x00007FF646BA4000-memory.dmp
memory/1812-140-0x00007FF637420000-0x00007FF637774000-memory.dmp
memory/5040-141-0x00007FF75B750000-0x00007FF75BAA4000-memory.dmp
memory/3436-142-0x00007FF7F0460000-0x00007FF7F07B4000-memory.dmp
memory/3312-143-0x00007FF6C8160000-0x00007FF6C84B4000-memory.dmp
memory/2964-144-0x00007FF676FE0000-0x00007FF677334000-memory.dmp
memory/2224-145-0x00007FF7C1490000-0x00007FF7C17E4000-memory.dmp
memory/3064-146-0x00007FF684170000-0x00007FF6844C4000-memory.dmp
memory/3044-147-0x00007FF71AE20000-0x00007FF71B174000-memory.dmp
memory/3888-152-0x00007FF67D5D0000-0x00007FF67D924000-memory.dmp
memory/1708-151-0x00007FF693FE0000-0x00007FF694334000-memory.dmp
memory/4776-150-0x00007FF7E1900000-0x00007FF7E1C54000-memory.dmp
memory/1112-149-0x00007FF70AC80000-0x00007FF70AFD4000-memory.dmp
memory/3096-148-0x00007FF744390000-0x00007FF7446E4000-memory.dmp
memory/1372-154-0x00007FF74BA80000-0x00007FF74BDD4000-memory.dmp
memory/3948-153-0x00007FF7022F0000-0x00007FF702644000-memory.dmp
memory/2444-155-0x00007FF7FF360000-0x00007FF7FF6B4000-memory.dmp