Analysis Overview
SHA256
ec1d1ce88ab03dd9cc86add87383fa41f82ca65f66d6aff4c8e91e75e1457ae1
Threat Level: Known bad
The file 2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
Xmrig family
XMRig Miner payload
Cobaltstrike
Cobaltstrike family
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
UPX packed file
UPX dump on OEP (original entry point)
Unsigned PE
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Note on the two family tags: the XMRig verdict is backed by recorded behaviour (the sample enables SeLockMemoryPrivilege twice, which XMRig uses for large pages, and drops and launches 21 executables in C:\Windows\System), while the Cobalt Strike reflective loader and reflective-injection hits are memory-dump pattern matches for which no description, indicator, process or target was captured and no beacon configuration is reported. The "cobalt-strike_cobaltstrike" string in the submitted filename is a submitter-side tag, not a result of this analysis.
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 07:23
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 07:23
Reported
2024-06-01 07:26
Platform
win7-20240220-en
Max time kernel
134s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target captured for any of them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; no description, indicator, process or target captured for any of them.
UPX dump on OEP (original entry point)
47 matches; no description, indicator, process or target captured for any of them.
XMRig Miner payload
48 matches; no description, indicator, process or target captured for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\qeOxzXo.exe | N/A |
| N/A | N/A | C:\Windows\System\IEQZxGh.exe | N/A |
| N/A | N/A | C:\Windows\System\IKzuxxs.exe | N/A |
| N/A | N/A | C:\Windows\System\aJCvoyQ.exe | N/A |
| N/A | N/A | C:\Windows\System\fVSPQwc.exe | N/A |
| N/A | N/A | C:\Windows\System\ELHQrss.exe | N/A |
| N/A | N/A | C:\Windows\System\UIEmbSq.exe | N/A |
| N/A | N/A | C:\Windows\System\mGoYKzR.exe | N/A |
| N/A | N/A | C:\Windows\System\GSwbHfF.exe | N/A |
| N/A | N/A | C:\Windows\System\NnHxMMo.exe | N/A |
| N/A | N/A | C:\Windows\System\dEbdXGz.exe | N/A |
| N/A | N/A | C:\Windows\System\AvXVapN.exe | N/A |
| N/A | N/A | C:\Windows\System\OnWzDiS.exe | N/A |
| N/A | N/A | C:\Windows\System\VpdLTGA.exe | N/A |
| N/A | N/A | C:\Windows\System\nRBnuCT.exe | N/A |
| N/A | N/A | C:\Windows\System\IWyeWTz.exe | N/A |
| N/A | N/A | C:\Windows\System\yrzbtNS.exe | N/A |
| N/A | N/A | C:\Windows\System\uoLcJiF.exe | N/A |
| N/A | N/A | C:\Windows\System\KpceKKC.exe | N/A |
| N/A | N/A | C:\Windows\System\uNLbGBJ.exe | N/A |
| N/A | N/A | C:\Windows\System\tGmSUYt.exe | N/A |
Loads dropped DLL
UPX packed file
47 matches; no description, indicator, process or target captured for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe | N/A |
SeLockMemoryPrivilege ("Lock pages in memory") must be enabled in the token before VirtualAlloc with MEM_LARGE_PAGES succeeds; XMRig requests it so its RandomX dataset can be backed by large pages, so this hit corroborates the miner verdict. Hunting note: user-land software outside database engines and JVMs configured for large pages rarely enables this privilege, so an adjustment by a binary running from a user's Temp directory is a strong signal on its own.
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\qeOxzXo.exe
C:\Windows\System\qeOxzXo.exe
C:\Windows\System\IEQZxGh.exe
C:\Windows\System\IEQZxGh.exe
C:\Windows\System\IKzuxxs.exe
C:\Windows\System\IKzuxxs.exe
C:\Windows\System\aJCvoyQ.exe
C:\Windows\System\aJCvoyQ.exe
C:\Windows\System\fVSPQwc.exe
C:\Windows\System\fVSPQwc.exe
C:\Windows\System\ELHQrss.exe
C:\Windows\System\ELHQrss.exe
C:\Windows\System\UIEmbSq.exe
C:\Windows\System\UIEmbSq.exe
C:\Windows\System\mGoYKzR.exe
C:\Windows\System\mGoYKzR.exe
C:\Windows\System\GSwbHfF.exe
C:\Windows\System\GSwbHfF.exe
C:\Windows\System\NnHxMMo.exe
C:\Windows\System\NnHxMMo.exe
C:\Windows\System\dEbdXGz.exe
C:\Windows\System\dEbdXGz.exe
C:\Windows\System\OnWzDiS.exe
C:\Windows\System\OnWzDiS.exe
C:\Windows\System\AvXVapN.exe
C:\Windows\System\AvXVapN.exe
C:\Windows\System\VpdLTGA.exe
C:\Windows\System\VpdLTGA.exe
C:\Windows\System\IWyeWTz.exe
C:\Windows\System\IWyeWTz.exe
C:\Windows\System\nRBnuCT.exe
C:\Windows\System\nRBnuCT.exe
C:\Windows\System\KpceKKC.exe
C:\Windows\System\KpceKKC.exe
C:\Windows\System\yrzbtNS.exe
C:\Windows\System\yrzbtNS.exe
C:\Windows\System\uNLbGBJ.exe
C:\Windows\System\uNLbGBJ.exe
C:\Windows\System\uoLcJiF.exe
C:\Windows\System\uoLcJiF.exe
C:\Windows\System\tGmSUYt.exe
C:\Windows\System\tGmSUYt.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2968-0-0x0000000000080000-0x0000000000090000-memory.dmp
memory/2968-1-0x000000013FC80000-0x000000013FFD4000-memory.dmp
\Windows\system\qeOxzXo.exe
| MD5 | 1bb2dfaafcb53f6370d352040108cb97 |
| SHA1 | e96c9b9330a777562249bd1f19ec5c973e669cdc |
| SHA256 | c187990e77f0c05a20accbcc992e1b177909b2c2fc933cd4aae1d09a3fe5b723 |
| SHA512 | 9ecd2db47a1ea8eafadf52020c999dc75d13d5d747952de42ada5ccee9869f33477a271bd3fce4efc8b0f111c84761664ca038359622cbe3ce724dea2b09a905 |
memory/2964-9-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2968-8-0x000000013F450000-0x000000013F7A4000-memory.dmp
C:\Windows\system\IKzuxxs.exe
| MD5 | 791c7ef214f4650627e6028f868d24df |
| SHA1 | 3c3779c8e6c803d5a28c81aaf3e7d8c0ec0cd0ff |
| SHA256 | 455c447ae7446763563b9c35884485451a1537b6dd3ea3ea098836cc6847347c |
| SHA512 | 15ea958bdaddd848aed4131f731d0a2c39b936e6974558945c2a6fc6f7fe13f875dde90a2891b8470e14054784a564f58454c32ec81fa8ecd5bba9c36d6111e1 |
\Windows\system\aJCvoyQ.exe
| MD5 | cf3722c2cf87b9b6dbf4211056df3212 |
| SHA1 | 80c48d8e4c2e8d8b70d233ab7721f4667ddb4fbc |
| SHA256 | 73e6eea458de3d4c6b8e38182e08cb5bdd2e74bb6f1462552bb1ed1bd751bdc2 |
| SHA512 | fbe0ee0697660a655338792bafaa9406e51680f34660c990a95d83c8ccd3a13edf9aaca8900d4e6540dbdbafe6f08718e38a64be20108474f4d5f030cd5c4912 |
memory/2968-25-0x000000013F3B0000-0x000000013F704000-memory.dmp
memory/2560-34-0x000000013F3B0000-0x000000013F704000-memory.dmp
memory/2548-32-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/2968-31-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/2968-36-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/2696-35-0x000000013F710000-0x000000013FA64000-memory.dmp
C:\Windows\system\fVSPQwc.exe
| MD5 | ba7162288f1fc22675a55ca27fde9827 |
| SHA1 | eb0aa01f405d92695403b188e202508dda6d17ef |
| SHA256 | bf56f9055080c5fbe7aba6753a136c6ecd10d57a392fb4e7881f474739130f18 |
| SHA512 | d562c98384730aa574b9be1ed8d354a24035e885e46673ae8cb68d9d9117db566d0c62c28903bbf7f2af39eca2590b2fe6e7c992220bc0ccca962277051b7148 |
memory/2112-23-0x000000013F8B0000-0x000000013FC04000-memory.dmp
C:\Windows\system\IEQZxGh.exe
| MD5 | 2e0fd17186d0f95146ce865685b66a53 |
| SHA1 | 68d9f6b7471dd85bdab554aca7b288c2105b6290 |
| SHA256 | fdb52666b543731a6fc39bdc04dec4af206ac39c6d2bcafb1a0ddd8ab60ec608 |
| SHA512 | a9be8a88d3f6091c4b647bc3bdfb7e083df6e0e67deaa866697b0a65045a287a0f6dee264cba7ae7ded90db4b6c74bb5ba76c78700679df4a2849c5a52ce655c |
C:\Windows\system\ELHQrss.exe
| MD5 | f7196241cca181b8e44de721c1a75f2f |
| SHA1 | c252e504492cd9087895d5fa65d785d17cb6f221 |
| SHA256 | 1906c3e746da4870ab53871bdf1ee7272ac166a823aa9a096c135492a3e02497 |
| SHA512 | ac96939f69abdcf5238756ec8a30ea195822ec59e99b4d07806be2934420bed3a0c66172275b06e110837a22533c3e11094bce09f4d2c84b088aead5fae4d750 |
memory/2464-43-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2968-42-0x0000000002410000-0x0000000002764000-memory.dmp
C:\Windows\system\UIEmbSq.exe
| MD5 | c83fa854faf6592fc9faaa12da308508 |
| SHA1 | 9e4e37161cfec7b5ccec7373afb18ff899c952f1 |
| SHA256 | 6a16770a99734b96c0438683edada0ce5e880f7efd7e5ee2331e07788db9197b |
| SHA512 | dc34894a2b2b05a643bcb31ff9b51fe0ca80f95db1978b06265bc12ffa1f23cdde3e7c5016a16a846e7f4b93a7471bd792499612d0647b1293e1a8485355433b |
memory/2968-49-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/2752-50-0x000000013F750000-0x000000013FAA4000-memory.dmp
C:\Windows\system\mGoYKzR.exe
| MD5 | b02cf6d808bbfe7aaff0c3a7e1a3b66f |
| SHA1 | 9cd06b0982d6c6e4e4addba1f61f90710fd20461 |
| SHA256 | 9c001988ec581ee1719f343d29dc9f56f58ede714a639b9b04b8d0c278fea142 |
| SHA512 | 9bb8c4c19ec87a9960c8d0a7f1cf2cd90b852055faf29cb3ea87b8fe2d14c51c06cb09047c6239d78ac31d5b10912a170a3cea680fb19ccd0947e42506739c6e |
memory/2372-56-0x000000013FC60000-0x000000013FFB4000-memory.dmp
C:\Windows\system\GSwbHfF.exe
| MD5 | d535d7c692333593022bd06667a4d011 |
| SHA1 | 59bcfcf1685217af1012e5504545f7ef9ee92aa4 |
| SHA256 | 29d4c02aa15bc5d117d0207b8efe01e3ca4f83ef58141107462bce739a34310d |
| SHA512 | edcb165ed87c3c0e21bc8135fea95d775bb098aa1937954f3cd1cb8e1edfee3b14329565fdd3d0a3120666fb39cd66d910bf91840eeb7ae6da0ae87f528592e9 |
memory/2968-62-0x0000000002410000-0x0000000002764000-memory.dmp
memory/2520-63-0x000000013FDE0000-0x0000000140134000-memory.dmp
C:\Windows\system\NnHxMMo.exe
| MD5 | 3d06ea9b3393cca3e134bd012bdea8be |
| SHA1 | a41817cfb461e2651b1152e6e89fca376b262842 |
| SHA256 | 54c00ebfbc6c98b0613104267743b91c96dfd81e8e27210e360996593a68c8e7 |
| SHA512 | caa906f27ebd5b306c91ce9bc704c25fac831c85e505d619bcc7b39f9c279f3de4217b076a29a28bfb5de5732266c032da7840f9f944a5c5c0ace2b05a1986db |
memory/2968-69-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/2136-70-0x000000013F4C0000-0x000000013F814000-memory.dmp
C:\Windows\system\dEbdXGz.exe
| MD5 | c759f437950e354ee9e6be73362bc534 |
| SHA1 | 612a0aac25de011dde34756856c7eaa41415a61b |
| SHA256 | c3f525330e90a0147bc8e9b973911d14940ef91624c40cdef9741b141d4ed8e6 |
| SHA512 | 7522aa9f1a7a5da8d339345dc5a9e482629ca23b3e2c8b17185f6e6e0657e3d98a0efd99579701109741c2d936bf93961adc91d362e2ad70590a41e1e0fdbed8 |
\Windows\system\OnWzDiS.exe
| MD5 | 0c8b8f0a22094e8a2e2d9bf5dfee6968 |
| SHA1 | 596bcd9a5a0c015f053af7e6665638c31ac7ca4f |
| SHA256 | f6cda5325c5c4373a5517d8c082d36b25328e33bbaf47b68327029e7dfa8ed91 |
| SHA512 | cb33686573df0dd6b9ddf1d2fec9150fe259b25cc0961931b8f0ef23a2c46d8d5f56537db564cb5a4d25baa9a8ea116ca1d03954a644cb9a8f3212ecbc84bd10 |
\Windows\system\KpceKKC.exe
| MD5 | 9fdde5067f13dd8bb7fdded00668384c |
| SHA1 | 36188759d73915ff1a3eae8cc3b35ea85d647045 |
| SHA256 | b822eb68995f301205e3cea10944f39d2d080ddd038dd64f5518cc9547db0d6d |
| SHA512 | 2e0bbb8fb74293b4a10af25b0e6223b19da660abf4f373777088b94fd783bd736d11643dc33fffdaf1e4cfea1a240123ad6f228f92947491f6a5035fca3af7ca |
memory/2968-125-0x000000013F8E0000-0x000000013FC34000-memory.dmp
C:\Windows\system\uNLbGBJ.exe
| MD5 | c49e5b4e0a0eb63f8a4e2c80598bb837 |
| SHA1 | 94776bb6ba62cf5972d328b28623168d56d57a8e |
| SHA256 | 877afef1395ec3a477aaf306a9327fbd9d52390ebb5b6731cbb3457d025c8aa0 |
| SHA512 | 21b1386ad78630fbdbb9aac3f228a226da341f77db8748ba7c81eafb642339191e0180574a57501beb837c87f7ca1a1ce70e20d1ad1acacc4bed6214712102a0 |
\Windows\system\tGmSUYt.exe
| MD5 | 5a69f5dbf16bcb32a957c1ffd23644d3 |
| SHA1 | f7b0f5a8beb5e5e9a43418fc6b897a44719b5aba |
| SHA256 | d4a43012783b4e3cd5e34ff98c813514642e7862c1b66eeb81e5fa0f517ccbc6 |
| SHA512 | ee87a3ac0688dd054ee1716ef9057bbbc2735cb7a77aa3d9c92b28c05983f274d9e56ae0081cea8b285fc7e1c105179dd11c6a09e985d1af3d8221fd8538d799 |
memory/2968-100-0x000000013F1C0000-0x000000013F514000-memory.dmp
C:\Windows\system\nRBnuCT.exe
| MD5 | 3497fa2cf67576bf1d81ebf9c5d83327 |
| SHA1 | 31f7567504bbda55ab95584ac4e0569b7cf87608 |
| SHA256 | 377d134565cb373fa6747e71d3d6b762b0efa0d295fb86e7dbdc039aa5f20d7e |
| SHA512 | 0828b27adbd1e40125aa0efb8ca16427a0403941237173c4edfdf84e8ca988199c1562c4e46c0564c83a4812e9a5538c3e767239b2f228a932be4137f97dece3 |
C:\Windows\system\VpdLTGA.exe
| MD5 | 552d3b414a03ae066b4b36d10f72468b |
| SHA1 | 74287a0953ae646774eeebc565970b0392ec558e |
| SHA256 | 7ff9614c92900d50045b38f8f796560c20ce49867def1a00d7993e765a0a0edc |
| SHA512 | 39d37e8904ca31403897990797ce422ad2c428feacd50202f45ee588ba50059c2f4eb8880631ce20b179cd403a31e957631bfc1e9838dc6171c980a453b630cd |
memory/2780-123-0x000000013F1C0000-0x000000013F514000-memory.dmp
C:\Windows\system\uoLcJiF.exe
| MD5 | fa338d7cd13c26f588222e4ce34fc46d |
| SHA1 | bf6cb85d30cb64bf01bf336453b7f521ee4dfe53 |
| SHA256 | 56f3c09a532895e2d4335cec3d4ceba0ff87cc2528a8fb3d949d065fab3ff188 |
| SHA512 | ebeaa505ad3d33741290c31125765840d713e1b506fe1be522e1bd3838704b474e464b4ef25cd63fda18b243142680a4b40abe138b26f99d153b70a18e78ab6d |
C:\Windows\system\yrzbtNS.exe
| MD5 | 7ae813ed58146cc05df068f3c3b70f8d |
| SHA1 | bc834f1861d6b26fe59d65f05ed309f749e60ea5 |
| SHA256 | c1379cd5c4803d02b1f499a4710549739c18f84b7080605aaa4c4832c6d012b7 |
| SHA512 | c3c8b579a869aa78ebf98e50623fc5764b7654dac3a7e5417fa3cd9656227d36c06de6c19e8b9964cc107a270d4d9e991c60641e2bc906b04f63d63f23418ae2 |
C:\Windows\system\IWyeWTz.exe
| MD5 | 4a72fa5b8a0b7740edb5a63221243112 |
| SHA1 | 8022148a0a3c006656d198312cc87b5e376d1fa7 |
| SHA256 | 467ee9cbd8a4cde5a68d31988cfdb05c79ce77295639987915c2115cba2538a6 |
| SHA512 | 202706f1c4a1608ed8e888fb87b566196a2e2ed9f902b0233544a92a44967231e7412038dbedd5f251f322ba0f59312a8f22d8979894ff71f3079624c4227eb2 |
memory/2968-108-0x0000000002410000-0x0000000002764000-memory.dmp
memory/2968-90-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/2968-88-0x000000013F880000-0x000000013FBD4000-memory.dmp
C:\Windows\system\AvXVapN.exe
| MD5 | 90ea43c71382dad6eb1350b9a883d1ac |
| SHA1 | 58aaba066e573d724fb11e4ce151c127d881f071 |
| SHA256 | 5b3b55e0d1e69c35e32a2036dfe6d228dc78d92512e12eb631180e78b2cc750b |
| SHA512 | bf6eb637e73c7e4a7193c54d6222ba7d077424b5fa8f6ffafef40c6c17d42a306916a07210ad194a91078e20fb9ffa442896a2cf12bcc0143909d5784fc92790 |
memory/1960-82-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/2968-132-0x0000000002410000-0x0000000002764000-memory.dmp
memory/2968-134-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/2968-133-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2968-135-0x000000013F8E0000-0x000000013FC34000-memory.dmp
memory/2964-136-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2112-137-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/2560-139-0x000000013F3B0000-0x000000013F704000-memory.dmp
memory/2548-138-0x000000013F8F0000-0x000000013FC44000-memory.dmp
memory/2696-140-0x000000013F710000-0x000000013FA64000-memory.dmp
memory/2464-141-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2752-142-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/2372-143-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/2520-144-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/2136-145-0x000000013F4C0000-0x000000013F814000-memory.dmp
memory/1960-146-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/2780-147-0x000000013F1C0000-0x000000013F514000-memory.dmp
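The behavioral1 run above shows a single chain: the sample enables SeLockMemoryPrivilege, writes seven-letter executables into C:\Windows\System, launches each one, and the tree connects to 3.120.209.58:8080. The following Python is an added example, not the sandbox's output or code: it turns those observations into detection logic and runs it over constructed Sysmon-style events. The dropped-file names and the destination are taken from this report; the allowlists, the PIDs on the constructed events and the mapping of Security event 4703's Process Name onto an "Image" key are assumptions.

```python
"""Detection logic for the behaviour recorded above, exercised on constructed
Sysmon-style events. Added example; not the sandbox's own code."""
import re
from collections import Counter, defaultdict

# Dropped-file naming seen in the report: seven letters, mixed case, in C:\Windows\System.
DROPPED_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
# Destination copied from the report's Network table.
KNOWN_C2 = {("3.120.209.58", 8080)}
# Assumed allowlists (not from the report): images that legitimately write under
# C:\Windows, and SQL Server, which holds SeLockMemoryPrivilege when "Lock Pages
# in Memory" is granted to its service account.
WINDOWS_WRITERS = {r"c:\windows\system32\msiexec.exe",
                   r"c:\windows\servicing\trustedinstaller.exe"}
LOCK_MEMORY_OK = {r"c:\program files\microsoft sql server\mssql\binn\sqlservr.exe"}


def check_event(ev):
    """Return the rule names one event triggers; an empty list means benign."""
    eid = ev.get("EventID")
    image = ev.get("Image", "").lower()
    hits = []
    # Sysmon 11: file created under C:\Windows\System with the random 7-letter name.
    if (eid == 11 and DROPPED_EXE.match(ev.get("TargetFilename", ""))
            and image not in WINDOWS_WRITERS):
        hits.append("drop_into_windows_system")
    # Sysmon 1: one of those dropped files is executed.
    if eid == 1 and DROPPED_EXE.match(ev.get("Image", "")):
        hits.append("exec_dropped_random_name")
    # Sysmon 3: connection to the destination the sandbox observed.
    if eid == 3 and (ev.get("DestinationIp"), ev.get("DestinationPort")) in KNOWN_C2:
        hits.append("c2_connection")
    # Security 4703 ("a user right was adjusted"): EnabledPrivilegeList names the
    # privilege; the Image key is assumed to carry the event's Process Name field.
    if (eid == 4703 and "SeLockMemoryPrivilege" in ev.get("EnabledPrivilegeList", "")
            and image not in LOCK_MEMORY_OK):
        hits.append("lock_memory_privilege")
    return hits


def summarize(events):
    """Count rule hits across a batch of events."""
    counts = Counter()
    for ev in events:
        counts.update(check_event(ev))
    return counts


def dropper_candidates(events, threshold=3):
    """PIDs that dropped at least `threshold` distinct random-named EXEs."""
    drops = defaultdict(set)
    for ev in events:
        if "drop_into_windows_system" in check_event(ev):
            drops[ev["ProcessId"]].add(ev["TargetFilename"].lower())
    return sorted(pid for pid, names in drops.items() if len(names) >= threshold)


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe"
# Constructed events modelled on the behavioral1 process tree; PIDs are illustrative.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 2968, "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 4703, "ProcessId": 2968, "Image": SAMPLE, "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    {"EventID": 11, "ProcessId": 2968, "Image": SAMPLE, "TargetFilename": r"C:\Windows\System\qeOxzXo.exe"},
    {"EventID": 11, "ProcessId": 2968, "Image": SAMPLE, "TargetFilename": r"C:\Windows\System\IEQZxGh.exe"},
    {"EventID": 11, "ProcessId": 2968, "Image": SAMPLE, "TargetFilename": r"C:\Windows\System\IKzuxxs.exe"},
    {"EventID": 1, "ProcessId": 2964, "Image": r"C:\Windows\System\qeOxzXo.exe", "ParentImage": SAMPLE},
    {"EventID": 3, "ProcessId": 2964, "Image": r"C:\Windows\System\qeOxzXo.exe",
     "DestinationIp": "3.120.209.58", "DestinationPort": 8080},
    # Benign noise the allowlists must absorb.
    {"EventID": 11, "ProcessId": 700, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetFilename": r"C:\Windows\System\abcdefg.exe"},
    {"EventID": 4703, "ProcessId": 1200,
     "Image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    {"EventID": 1, "ProcessId": 3100, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    print(dict(summarize(SAMPLE_EVENTS)))
    print("dropper candidates:", dropper_candidates(SAMPLE_EVENTS))
```

The per-event rules are deliberately independent so each can be tuned on its own false-positive rate; the correlation in dropper_candidates is what separates this sample's behaviour (one parent, many drops) from a lone installer writing a single file.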
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 07:23
Reported
2024-06-01 07:26
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
149s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target captured for any of them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; no description, indicator, process or target captured for any of them.
UPX dump on OEP (original entry point)
64 matches; no description, indicator, process or target captured for any of them.
XMRig Miner payload
64 matches; no description, indicator, process or target captured for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\qeOxzXo.exe | N/A |
| N/A | N/A | C:\Windows\System\IEQZxGh.exe | N/A |
| N/A | N/A | C:\Windows\System\IKzuxxs.exe | N/A |
| N/A | N/A | C:\Windows\System\aJCvoyQ.exe | N/A |
| N/A | N/A | C:\Windows\System\fVSPQwc.exe | N/A |
| N/A | N/A | C:\Windows\System\ELHQrss.exe | N/A |
| N/A | N/A | C:\Windows\System\UIEmbSq.exe | N/A |
| N/A | N/A | C:\Windows\System\mGoYKzR.exe | N/A |
| N/A | N/A | C:\Windows\System\GSwbHfF.exe | N/A |
| N/A | N/A | C:\Windows\System\NnHxMMo.exe | N/A |
| N/A | N/A | C:\Windows\System\dEbdXGz.exe | N/A |
| N/A | N/A | C:\Windows\System\OnWzDiS.exe | N/A |
| N/A | N/A | C:\Windows\System\AvXVapN.exe | N/A |
| N/A | N/A | C:\Windows\System\VpdLTGA.exe | N/A |
| N/A | N/A | C:\Windows\System\IWyeWTz.exe | N/A |
| N/A | N/A | C:\Windows\System\nRBnuCT.exe | N/A |
| N/A | N/A | C:\Windows\System\KpceKKC.exe | N/A |
| N/A | N/A | C:\Windows\System\yrzbtNS.exe | N/A |
| N/A | N/A | C:\Windows\System\uNLbGBJ.exe | N/A |
| N/A | N/A | C:\Windows\System\uoLcJiF.exe | N/A |
| N/A | N/A | C:\Windows\System\tGmSUYt.exe | N/A |
UPX packed file
64 matches; no description, indicator, process or target captured for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_3c768fcc801df77140a0da71a5887262_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\qeOxzXo.exe
C:\Windows\System\qeOxzXo.exe
C:\Windows\System\IEQZxGh.exe
C:\Windows\System\IEQZxGh.exe
C:\Windows\System\IKzuxxs.exe
C:\Windows\System\IKzuxxs.exe
C:\Windows\System\aJCvoyQ.exe
C:\Windows\System\aJCvoyQ.exe
C:\Windows\System\fVSPQwc.exe
C:\Windows\System\fVSPQwc.exe
C:\Windows\System\ELHQrss.exe
C:\Windows\System\ELHQrss.exe
C:\Windows\System\UIEmbSq.exe
C:\Windows\System\UIEmbSq.exe
C:\Windows\System\mGoYKzR.exe
C:\Windows\System\mGoYKzR.exe
C:\Windows\System\GSwbHfF.exe
C:\Windows\System\GSwbHfF.exe
C:\Windows\System\NnHxMMo.exe
C:\Windows\System\NnHxMMo.exe
C:\Windows\System\dEbdXGz.exe
C:\Windows\System\dEbdXGz.exe
C:\Windows\System\OnWzDiS.exe
C:\Windows\System\OnWzDiS.exe
C:\Windows\System\AvXVapN.exe
C:\Windows\System\AvXVapN.exe
C:\Windows\System\VpdLTGA.exe
C:\Windows\System\VpdLTGA.exe
C:\Windows\System\IWyeWTz.exe
C:\Windows\System\IWyeWTz.exe
C:\Windows\System\nRBnuCT.exe
C:\Windows\System\nRBnuCT.exe
C:\Windows\System\KpceKKC.exe
C:\Windows\System\KpceKKC.exe
C:\Windows\System\yrzbtNS.exe
C:\Windows\System\yrzbtNS.exe
C:\Windows\System\uNLbGBJ.exe
C:\Windows\System\uNLbGBJ.exe
C:\Windows\System\uoLcJiF.exe
C:\Windows\System\uoLcJiF.exe
C:\Windows\System\tGmSUYt.exe
C:\Windows\System\tGmSUYt.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.24.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2880-0-0x00007FF62C4F0000-0x00007FF62C844000-memory.dmp
memory/2880-1-0x0000028E0C8B0000-0x0000028E0C8C0000-memory.dmp
C:\Windows\System\qeOxzXo.exe
| MD5 | 1bb2dfaafcb53f6370d352040108cb97 |
| SHA1 | e96c9b9330a777562249bd1f19ec5c973e669cdc |
| SHA256 | c187990e77f0c05a20accbcc992e1b177909b2c2fc933cd4aae1d09a3fe5b723 |
| SHA512 | 9ecd2db47a1ea8eafadf52020c999dc75d13d5d747952de42ada5ccee9869f33477a271bd3fce4efc8b0f111c84761664ca038359622cbe3ce724dea2b09a905 |
memory/3160-8-0x00007FF775240000-0x00007FF775594000-memory.dmp
C:\Windows\System\IEQZxGh.exe
| MD5 | 2e0fd17186d0f95146ce865685b66a53 |
| SHA1 | 68d9f6b7471dd85bdab554aca7b288c2105b6290 |
| SHA256 | fdb52666b543731a6fc39bdc04dec4af206ac39c6d2bcafb1a0ddd8ab60ec608 |
| SHA512 | a9be8a88d3f6091c4b647bc3bdfb7e083df6e0e67deaa866697b0a65045a287a0f6dee264cba7ae7ded90db4b6c74bb5ba76c78700679df4a2849c5a52ce655c |
C:\Windows\System\IKzuxxs.exe
| MD5 | 791c7ef214f4650627e6028f868d24df |
| SHA1 | 3c3779c8e6c803d5a28c81aaf3e7d8c0ec0cd0ff |
| SHA256 | 455c447ae7446763563b9c35884485451a1537b6dd3ea3ea098836cc6847347c |
| SHA512 | 15ea958bdaddd848aed4131f731d0a2c39b936e6974558945c2a6fc6f7fe13f875dde90a2891b8470e14054784a564f58454c32ec81fa8ecd5bba9c36d6111e1 |
memory/2324-14-0x00007FF703620000-0x00007FF703974000-memory.dmp
C:\Windows\System\aJCvoyQ.exe
| MD5 | cf3722c2cf87b9b6dbf4211056df3212 |
| SHA1 | 80c48d8e4c2e8d8b70d233ab7721f4667ddb4fbc |
| SHA256 | 73e6eea458de3d4c6b8e38182e08cb5bdd2e74bb6f1462552bb1ed1bd751bdc2 |
| SHA512 | fbe0ee0697660a655338792bafaa9406e51680f34660c990a95d83c8ccd3a13edf9aaca8900d4e6540dbdbafe6f08718e38a64be20108474f4d5f030cd5c4912 |
C:\Windows\System\fVSPQwc.exe
| MD5 | ba7162288f1fc22675a55ca27fde9827 |
| SHA1 | eb0aa01f405d92695403b188e202508dda6d17ef |
| SHA256 | bf56f9055080c5fbe7aba6753a136c6ecd10d57a392fb4e7881f474739130f18 |
| SHA512 | d562c98384730aa574b9be1ed8d354a24035e885e46673ae8cb68d9d9117db566d0c62c28903bbf7f2af39eca2590b2fe6e7c992220bc0ccca962277051b7148 |
C:\Windows\System\ELHQrss.exe
| MD5 | f7196241cca181b8e44de721c1a75f2f |
| SHA1 | c252e504492cd9087895d5fa65d785d17cb6f221 |
| SHA256 | 1906c3e746da4870ab53871bdf1ee7272ac166a823aa9a096c135492a3e02497 |
| SHA512 | ac96939f69abdcf5238756ec8a30ea195822ec59e99b4d07806be2934420bed3a0c66172275b06e110837a22533c3e11094bce09f4d2c84b088aead5fae4d750 |
C:\Windows\System\UIEmbSq.exe
| MD5 | c83fa854faf6592fc9faaa12da308508 |
| SHA1 | 9e4e37161cfec7b5ccec7373afb18ff899c952f1 |
| SHA256 | 6a16770a99734b96c0438683edada0ce5e880f7efd7e5ee2331e07788db9197b |
| SHA512 | dc34894a2b2b05a643bcb31ff9b51fe0ca80f95db1978b06265bc12ffa1f23cdde3e7c5016a16a846e7f4b93a7471bd792499612d0647b1293e1a8485355433b |
C:\Windows\System\mGoYKzR.exe
| MD5 | b02cf6d808bbfe7aaff0c3a7e1a3b66f |
| SHA1 | 9cd06b0982d6c6e4e4addba1f61f90710fd20461 |
| SHA256 | 9c001988ec581ee1719f343d29dc9f56f58ede714a639b9b04b8d0c278fea142 |
| SHA512 | 9bb8c4c19ec87a9960c8d0a7f1cf2cd90b852055faf29cb3ea87b8fe2d14c51c06cb09047c6239d78ac31d5b10912a170a3cea680fb19ccd0947e42506739c6e |
C:\Windows\System\GSwbHfF.exe
| MD5 | d535d7c692333593022bd06667a4d011 |
| SHA1 | 59bcfcf1685217af1012e5504545f7ef9ee92aa4 |
| SHA256 | 29d4c02aa15bc5d117d0207b8efe01e3ca4f83ef58141107462bce739a34310d |
| SHA512 | edcb165ed87c3c0e21bc8135fea95d775bb098aa1937954f3cd1cb8e1edfee3b14329565fdd3d0a3120666fb39cd66d910bf91840eeb7ae6da0ae87f528592e9 |
C:\Windows\System\NnHxMMo.exe
| MD5 | 3d06ea9b3393cca3e134bd012bdea8be |
| SHA1 | a41817cfb461e2651b1152e6e89fca376b262842 |
| SHA256 | 54c00ebfbc6c98b0613104267743b91c96dfd81e8e27210e360996593a68c8e7 |
| SHA512 | caa906f27ebd5b306c91ce9bc704c25fac831c85e505d619bcc7b39f9c279f3de4217b076a29a28bfb5de5732266c032da7840f9f944a5c5c0ace2b05a1986db |
C:\Windows\System\OnWzDiS.exe
| MD5 | 0c8b8f0a22094e8a2e2d9bf5dfee6968 |
| SHA1 | 596bcd9a5a0c015f053af7e6665638c31ac7ca4f |
| SHA256 | f6cda5325c5c4373a5517d8c082d36b25328e33bbaf47b68327029e7dfa8ed91 |
| SHA512 | cb33686573df0dd6b9ddf1d2fec9150fe259b25cc0961931b8f0ef23a2c46d8d5f56537db564cb5a4d25baa9a8ea116ca1d03954a644cb9a8f3212ecbc84bd10 |
C:\Windows\System\dEbdXGz.exe
| MD5 | c759f437950e354ee9e6be73362bc534 |
| SHA1 | 612a0aac25de011dde34756856c7eaa41415a61b |
| SHA256 | c3f525330e90a0147bc8e9b973911d14940ef91624c40cdef9741b141d4ed8e6 |
| SHA512 | 7522aa9f1a7a5da8d339345dc5a9e482629ca23b3e2c8b17185f6e6e0657e3d98a0efd99579701109741c2d936bf93961adc91d362e2ad70590a41e1e0fdbed8 |
C:\Windows\System\AvXVapN.exe
| MD5 | 90ea43c71382dad6eb1350b9a883d1ac |
| SHA1 | 58aaba066e573d724fb11e4ce151c127d881f071 |
| SHA256 | 5b3b55e0d1e69c35e32a2036dfe6d228dc78d92512e12eb631180e78b2cc750b |
| SHA512 | bf6eb637e73c7e4a7193c54d6222ba7d077424b5fa8f6ffafef40c6c17d42a306916a07210ad194a91078e20fb9ffa442896a2cf12bcc0143909d5784fc92790 |
C:\Windows\System\VpdLTGA.exe
| MD5 | 552d3b414a03ae066b4b36d10f72468b |
| SHA1 | 74287a0953ae646774eeebc565970b0392ec558e |
| SHA256 | 7ff9614c92900d50045b38f8f796560c20ce49867def1a00d7993e765a0a0edc |
| SHA512 | 39d37e8904ca31403897990797ce422ad2c428feacd50202f45ee588ba50059c2f4eb8880631ce20b179cd403a31e957631bfc1e9838dc6171c980a453b630cd |
C:\Windows\System\IWyeWTz.exe
| MD5 | 4a72fa5b8a0b7740edb5a63221243112 |
| SHA1 | 8022148a0a3c006656d198312cc87b5e376d1fa7 |
| SHA256 | 467ee9cbd8a4cde5a68d31988cfdb05c79ce77295639987915c2115cba2538a6 |
| SHA512 | 202706f1c4a1608ed8e888fb87b566196a2e2ed9f902b0233544a92a44967231e7412038dbedd5f251f322ba0f59312a8f22d8979894ff71f3079624c4227eb2 |
C:\Windows\System\nRBnuCT.exe
| MD5 | 3497fa2cf67576bf1d81ebf9c5d83327 |
| SHA1 | 31f7567504bbda55ab95584ac4e0569b7cf87608 |
| SHA256 | 377d134565cb373fa6747e71d3d6b762b0efa0d295fb86e7dbdc039aa5f20d7e |
| SHA512 | 0828b27adbd1e40125aa0efb8ca16427a0403941237173c4edfdf84e8ca988199c1562c4e46c0564c83a4812e9a5538c3e767239b2f228a932be4137f97dece3 |
C:\Windows\System\KpceKKC.exe
| MD5 | 9fdde5067f13dd8bb7fdded00668384c |
| SHA1 | 36188759d73915ff1a3eae8cc3b35ea85d647045 |
| SHA256 | b822eb68995f301205e3cea10944f39d2d080ddd038dd64f5518cc9547db0d6d |
| SHA512 | 2e0bbb8fb74293b4a10af25b0e6223b19da660abf4f373777088b94fd783bd736d11643dc33fffdaf1e4cfea1a240123ad6f228f92947491f6a5035fca3af7ca |
C:\Windows\System\yrzbtNS.exe
| MD5 | 7ae813ed58146cc05df068f3c3b70f8d |
| SHA1 | bc834f1861d6b26fe59d65f05ed309f749e60ea5 |
| SHA256 | c1379cd5c4803d02b1f499a4710549739c18f84b7080605aaa4c4832c6d012b7 |
| SHA512 | c3c8b579a869aa78ebf98e50623fc5764b7654dac3a7e5417fa3cd9656227d36c06de6c19e8b9964cc107a270d4d9e991c60641e2bc906b04f63d63f23418ae2 |
C:\Windows\System\uNLbGBJ.exe
| MD5 | c49e5b4e0a0eb63f8a4e2c80598bb837 |
| SHA1 | 94776bb6ba62cf5972d328b28623168d56d57a8e |
| SHA256 | 877afef1395ec3a477aaf306a9327fbd9d52390ebb5b6731cbb3457d025c8aa0 |
| SHA512 | 21b1386ad78630fbdbb9aac3f228a226da341f77db8748ba7c81eafb642339191e0180574a57501beb837c87f7ca1a1ce70e20d1ad1acacc4bed6214712102a0 |
C:\Windows\System\tGmSUYt.exe
| MD5 | 5a69f5dbf16bcb32a957c1ffd23644d3 |
| SHA1 | f7b0f5a8beb5e5e9a43418fc6b897a44719b5aba |
| SHA256 | d4a43012783b4e3cd5e34ff98c813514642e7862c1b66eeb81e5fa0f517ccbc6 |
| SHA512 | ee87a3ac0688dd054ee1716ef9057bbbc2735cb7a77aa3d9c92b28c05983f274d9e56ae0081cea8b285fc7e1c105179dd11c6a09e985d1af3d8221fd8538d799 |
C:\Windows\System\uoLcJiF.exe
| MD5 | fa338d7cd13c26f588222e4ce34fc46d |
| SHA1 | bf6cb85d30cb64bf01bf336453b7f521ee4dfe53 |
| SHA256 | 56f3c09a532895e2d4335cec3d4ceba0ff87cc2528a8fb3d949d065fab3ff188 |
| SHA512 | ebeaa505ad3d33741290c31125765840d713e1b506fe1be522e1bd3838704b474e464b4ef25cd63fda18b243142680a4b40abe138b26f99d153b70a18e78ab6d |