Analysis Overview
SHA256
b65b7af14ff62a5b4943785c3f139c9b23c68e19356840c9144ad3bedf3b40c7
Threat Level: Known bad
The file 2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Xmrig family
Detects Reflective DLL injection artifacts
Cobaltstrike
Cobaltstrike family
Cobalt Strike reflective loader
xmrig
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 07:34
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 07:34
Reported
2024-06-01 07:37
Platform
win7-20240221-en
Max time kernel
137s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\QcdjHIn.exe | N/A |
| N/A | N/A | C:\Windows\System\BclHVGt.exe | N/A |
| N/A | N/A | C:\Windows\System\eGQAUmn.exe | N/A |
| N/A | N/A | C:\Windows\System\PtEBxIU.exe | N/A |
| N/A | N/A | C:\Windows\System\NlIVGjj.exe | N/A |
| N/A | N/A | C:\Windows\System\HIKZdSN.exe | N/A |
| N/A | N/A | C:\Windows\System\pGoYkLA.exe | N/A |
| N/A | N/A | C:\Windows\System\uDTfnMq.exe | N/A |
| N/A | N/A | C:\Windows\System\YEYjzhI.exe | N/A |
| N/A | N/A | C:\Windows\System\FOkezlw.exe | N/A |
| N/A | N/A | C:\Windows\System\UYsBRyI.exe | N/A |
| N/A | N/A | C:\Windows\System\OgzzDAv.exe | N/A |
| N/A | N/A | C:\Windows\System\hcGxqYK.exe | N/A |
| N/A | N/A | C:\Windows\System\SxOtOqC.exe | N/A |
| N/A | N/A | C:\Windows\System\nuUqQtT.exe | N/A |
| N/A | N/A | C:\Windows\System\huJvoPv.exe | N/A |
| N/A | N/A | C:\Windows\System\rbANYjy.exe | N/A |
| N/A | N/A | C:\Windows\System\Fkueppw.exe | N/A |
| N/A | N/A | C:\Windows\System\sRBkjSL.exe | N/A |
| N/A | N/A | C:\Windows\System\ZIQTDkj.exe | N/A |
| N/A | N/A | C:\Windows\System\YSMkvHT.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\QcdjHIn.exe
C:\Windows\System\QcdjHIn.exe
C:\Windows\System\BclHVGt.exe
C:\Windows\System\BclHVGt.exe
C:\Windows\System\eGQAUmn.exe
C:\Windows\System\eGQAUmn.exe
C:\Windows\System\PtEBxIU.exe
C:\Windows\System\PtEBxIU.exe
C:\Windows\System\NlIVGjj.exe
C:\Windows\System\NlIVGjj.exe
C:\Windows\System\HIKZdSN.exe
C:\Windows\System\HIKZdSN.exe
C:\Windows\System\pGoYkLA.exe
C:\Windows\System\pGoYkLA.exe
C:\Windows\System\uDTfnMq.exe
C:\Windows\System\uDTfnMq.exe
C:\Windows\System\FOkezlw.exe
C:\Windows\System\FOkezlw.exe
C:\Windows\System\YEYjzhI.exe
C:\Windows\System\YEYjzhI.exe
C:\Windows\System\UYsBRyI.exe
C:\Windows\System\UYsBRyI.exe
C:\Windows\System\OgzzDAv.exe
C:\Windows\System\OgzzDAv.exe
C:\Windows\System\hcGxqYK.exe
C:\Windows\System\hcGxqYK.exe
C:\Windows\System\SxOtOqC.exe
C:\Windows\System\SxOtOqC.exe
C:\Windows\System\nuUqQtT.exe
C:\Windows\System\nuUqQtT.exe
C:\Windows\System\huJvoPv.exe
C:\Windows\System\huJvoPv.exe
C:\Windows\System\rbANYjy.exe
C:\Windows\System\rbANYjy.exe
C:\Windows\System\Fkueppw.exe
C:\Windows\System\Fkueppw.exe
C:\Windows\System\sRBkjSL.exe
C:\Windows\System\sRBkjSL.exe
C:\Windows\System\ZIQTDkj.exe
C:\Windows\System\ZIQTDkj.exe
C:\Windows\System\YSMkvHT.exe
C:\Windows\System\YSMkvHT.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 07:34
Reported
2024-06-01 07:37
Platform
win10v2004-20240426-en
Max time kernel
138s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\XpZtsJY.exe | N/A |
| N/A | N/A | C:\Windows\System\iuYPaZX.exe | N/A |
| N/A | N/A | C:\Windows\System\ohaKvPt.exe | N/A |
| N/A | N/A | C:\Windows\System\XAMWmLr.exe | N/A |
| N/A | N/A | C:\Windows\System\uvCLxqg.exe | N/A |
| N/A | N/A | C:\Windows\System\MiUANhl.exe | N/A |
| N/A | N/A | C:\Windows\System\JUisUiT.exe | N/A |
| N/A | N/A | C:\Windows\System\gaqXpYp.exe | N/A |
| N/A | N/A | C:\Windows\System\JjbIUds.exe | N/A |
| N/A | N/A | C:\Windows\System\EGHASpO.exe | N/A |
| N/A | N/A | C:\Windows\System\NEErzoy.exe | N/A |
| N/A | N/A | C:\Windows\System\OZqXPRV.exe | N/A |
| N/A | N/A | C:\Windows\System\usudejq.exe | N/A |
| N/A | N/A | C:\Windows\System\WQZDiAm.exe | N/A |
| N/A | N/A | C:\Windows\System\kyqdOOf.exe | N/A |
| N/A | N/A | C:\Windows\System\zyeDKas.exe | N/A |
| N/A | N/A | C:\Windows\System\QcTnXZQ.exe | N/A |
| N/A | N/A | C:\Windows\System\IdveGfH.exe | N/A |
| N/A | N/A | C:\Windows\System\XYBJYDB.exe | N/A |
| N/A | N/A | C:\Windows\System\vlfbodt.exe | N/A |
| N/A | N/A | C:\Windows\System\vFcWKdI.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_7677edf4c01baec6091547318302844d_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\XpZtsJY.exe
C:\Windows\System\XpZtsJY.exe
C:\Windows\System\iuYPaZX.exe
C:\Windows\System\iuYPaZX.exe
C:\Windows\System\ohaKvPt.exe
C:\Windows\System\ohaKvPt.exe
C:\Windows\System\XAMWmLr.exe
C:\Windows\System\XAMWmLr.exe
C:\Windows\System\uvCLxqg.exe
C:\Windows\System\uvCLxqg.exe
C:\Windows\System\MiUANhl.exe
C:\Windows\System\MiUANhl.exe
C:\Windows\System\JUisUiT.exe
C:\Windows\System\JUisUiT.exe
C:\Windows\System\gaqXpYp.exe
C:\Windows\System\gaqXpYp.exe
C:\Windows\System\JjbIUds.exe
C:\Windows\System\JjbIUds.exe
C:\Windows\System\EGHASpO.exe
C:\Windows\System\EGHASpO.exe
C:\Windows\System\NEErzoy.exe
C:\Windows\System\NEErzoy.exe
C:\Windows\System\OZqXPRV.exe
C:\Windows\System\OZqXPRV.exe
C:\Windows\System\usudejq.exe
C:\Windows\System\usudejq.exe
C:\Windows\System\WQZDiAm.exe
C:\Windows\System\WQZDiAm.exe
C:\Windows\System\kyqdOOf.exe
C:\Windows\System\kyqdOOf.exe
C:\Windows\System\zyeDKas.exe
C:\Windows\System\zyeDKas.exe
C:\Windows\System\QcTnXZQ.exe
C:\Windows\System\QcTnXZQ.exe
C:\Windows\System\IdveGfH.exe
C:\Windows\System\IdveGfH.exe
C:\Windows\System\XYBJYDB.exe
C:\Windows\System\XYBJYDB.exe
C:\Windows\System\vlfbodt.exe
C:\Windows\System\vlfbodt.exe
C:\Windows\System\vFcWKdI.exe
C:\Windows\System\vFcWKdI.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.160.190.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1104-38-0x00007FF776650000-0x00007FF7769A4000-memory.dmp
C:\Windows\System\gaqXpYp.exe
| MD5 | aed26ea43f6bf71ca90d12d2ca108c0d |
| SHA1 | 0f9f58c45b0ac7d96a74845ddb926a39bb4c8c41 |
| SHA256 | 3825ce21b8f1e45aa7b120e1be5ea22af658f78593f0d018d07445c570b32cab |
| SHA512 | adcf5be77f41a6821da3a33c4f5273802ef59f71e467b0faad6fa0db5d170e9479b3e9ed0d606f4e320a0b03cc2f28db322ee3f357e68344511df1fbda8ca5cc |
memory/5056-45-0x00007FF6188E0000-0x00007FF618C34000-memory.dmp
memory/1712-50-0x00007FF715A90000-0x00007FF715DE4000-memory.dmp
C:\Windows\System\JjbIUds.exe
| MD5 | 24aa833e5fbe54f62126700f29d84b48 |
| SHA1 | 74412851142ceea8d367de3bea1116dab3f7fc5b |
| SHA256 | 4fa84b78bc33103f229ac881bd1cb8518a450622a02c3dc6bc30117162ab9274 |
| SHA512 | 04fec20e0c8b9ee61d949539e257a1e1174c1947020dd53a6a9477143c6eaa31731404f74e01744484d4e58fd7d26c55b0a4217f3ab26692d66000d42c04cae2 |
memory/4940-54-0x00007FF6177A0000-0x00007FF617AF4000-memory.dmp
C:\Windows\System\EGHASpO.exe
| MD5 | c41a406791c772bac8cc93c8e65c85d3 |
| SHA1 | 35fe9e006ec8ef45d825f7039850727e42e5c575 |
| SHA256 | 50364acb49491c0233bfeb94df36605be15526e8ba657b3c3f3f8361236116a6 |
| SHA512 | de17bdb00d3fb94eabaa631e61ad3a9fdba484461d004a4c9c175e88050376610c51a6a0b16f4bdef1960baf7001aaae6c09ff57217f00d679f97cb3fd2c76f9 |
memory/4680-65-0x00007FF7A3560000-0x00007FF7A38B4000-memory.dmp
C:\Windows\System\OZqXPRV.exe
| MD5 | 548a272e64ec13bfe627f00c751c816e |
| SHA1 | 82b051de3fc65047927558f0127eb61d543866af |
| SHA256 | d57a85b4f5a9c327054b9741855a735944555c894d9e4be014ebfaa8d9d21c77 |
| SHA512 | 83dbb89beffd822777381caced9163919ceb147d5f6782f74746629a4674e745a386f66f229d235aa5e1cae1012b9d63f36e311580d33c5480d0a024a91d1626 |
C:\Windows\System\NEErzoy.exe
| MD5 | 2c7bad89c1384e3f95df63a560433cbd |
| SHA1 | 9c19d1055532c21f7dcb38a577a04905d3020a01 |
| SHA256 | 9916fddf6f5f23bb75256a39b9463bd1d9afbe1d4d8f2b13c2da981acb300a20 |
| SHA512 | 170f536718bd89e19dd7769df16601e8c2b75059b50cfb57b3654286e9f562be21b9f0a4e372b60210b381be2a13ad3f25744c8255bd0fe2f76316a59e1ca1f4 |
memory/5040-80-0x00007FF74DED0000-0x00007FF74E224000-memory.dmp
C:\Windows\System\WQZDiAm.exe
| MD5 | 3cbc20ad710ae20cda836cdd5e6d0f67 |
| SHA1 | 0fd3031cbc1eb37084dc82d7528bba1be10900c3 |
| SHA256 | 7df6465fcdf6b4bf7fd562c9a11924677eecc296f8dbb0470d63d1cf5aeb9b79 |
| SHA512 | e7eca429f9273ac35965f194ea23942c281a702a5b1de09a6fb5f18f0a84d95cfa7b9da1f8d6b925870a84724bf4817a034fb7c22d020a9d3133a7436edbd09f |
C:\Windows\System\usudejq.exe
| MD5 | 8e5a9a7f5bc6ab847b270103e5a1b90a |
| SHA1 | 116a804d0628328c771b9397b1aca3a607eb4e4f |
| SHA256 | f6a7abce2517a3622f356906d629dc424678ff4911801901c5a0d01e0ab688fe |
| SHA512 | 66188db436ad57a4030603482f6841a0a58fd71e2e1e98405d54d164443bde1e50eb2b65621eb473edc5df3e6dfeb3bc7a3bce7ac4bc92c944d79cc39abd42a3 |
memory/3224-83-0x00007FF6527C0000-0x00007FF652B14000-memory.dmp
memory/3960-82-0x00007FF679260000-0x00007FF6795B4000-memory.dmp
memory/2536-81-0x00007FF7796B0000-0x00007FF779A04000-memory.dmp
memory/5032-77-0x00007FF62FB60000-0x00007FF62FEB4000-memory.dmp
memory/3128-67-0x00007FF6D6020000-0x00007FF6D6374000-memory.dmp
C:\Windows\System\JUisUiT.exe
| MD5 | 1074e7fd8a28207c2f971c643e32e321 |
| SHA1 | b7bce7df2b48b9d77281dccb873d1cea1a29c6d3 |
| SHA256 | f320b78f9c2032db8546b6fa5019395dd589dbb85e93bd65ea6f9b1d56fc332e |
| SHA512 | cda8cdb2320068995f8291ef9607673fd9362106346940324b02a15f1cf21d2521cc3920d6202df05f28e443c58b12bd62819bb198c12add72322ae692cfa854 |
C:\Windows\System\kyqdOOf.exe
| MD5 | 5a3ae66b2e551eb0722fe9f31ecf9f73 |
| SHA1 | 88a14e0f189f72e35947bb9e2193b2f929ba7efb |
| SHA256 | 2c1369e5c814d2a88deab94650c6b352a2b407a9336dc137a59f1886a88f600c |
| SHA512 | f322f8b220694aab020b0fb517af670319b0c7b583c161e20a168fcc8bb5f99edeba628bd10e1dd2c550c3259e71f231ec5367951c576a32fe4da246d84231ba |
memory/4520-91-0x00007FF673440000-0x00007FF673794000-memory.dmp
memory/2476-92-0x00007FF611AB0000-0x00007FF611E04000-memory.dmp
C:\Windows\System\zyeDKas.exe
| MD5 | 19bcb0cb52a1a9ce4cada3ee41b87a5b |
| SHA1 | 9c5a4188c37c7a457662874d5333c8f3fa1abbba |
| SHA256 | 920c3e0727dc8a91c348594ade98fbd0e6fc687b768b3157be40d67576fc4705 |
| SHA512 | 78cb547866357aa726efed49467fd4af1a4058d2362db5e8e36b98457ad453f6bccb761aee5fbb3c2961ff394a3a7e532c3108096d51b0f1c2a8e8d04e520aed |
C:\Windows\System\IdveGfH.exe
| MD5 | 399c0751c24fc18cccf75b7750de4966 |
| SHA1 | 7ac870796499d213fc753d783ebad0d670b56ef8 |
| SHA256 | 46805bbd9e83bafed069a29eaf4a55c5a7140f391ba0d1e49154b83b2fe9a8fb |
| SHA512 | d86ef2e17fc8f567bfc2d837173cb424850cf71ad66e24be79b5652f632c434a180c87a5e42e0a96f92a405bffd7d8449673880f9a20904efd56d6d48a5d3010 |
C:\Windows\System\QcTnXZQ.exe
| MD5 | ce62272065d93c232a68e404f68af60d |
| SHA1 | 62e07e074f14fb57d9cd17b6a4e99af440607f42 |
| SHA256 | c7b5a755664708e1ec08c60d378ba75b387089859d250a69198629abc71dae18 |
| SHA512 | 29cd8192bd596c5ae6fed02acaf3313d7231614713bd8cb2bc3215fed551aee2d1db5200089d06b006cc668a717bd14430faa41f32e9be4e3fa7b309956458e0 |
memory/1320-118-0x00007FF77C680000-0x00007FF77C9D4000-memory.dmp
C:\Windows\System\XYBJYDB.exe
| MD5 | 6ab6c427b4a6118b0b2dd227b3540d34 |
| SHA1 | 1f134623e129521254d54aae7ceb8aa719623203 |
| SHA256 | 52b3c26c96c3b041f89575812b27fc4bac10f45a6e5813e24ea87fca808c2de7 |
| SHA512 | 0a661b8e109d6e2b7c646b6a2744b6a74c31688124953ece584b471d50c157f4e8ba3250910556bd6ee1023f54d6d297fc5383654c8f4713f6779f483eb76c47 |
memory/2420-129-0x00007FF69DD70000-0x00007FF69E0C4000-memory.dmp
C:\Windows\System\vFcWKdI.exe
| MD5 | 478857d68fd049185d30177988a2c4b5 |
| SHA1 | ef5e2d564c4171dcf331c46d0f89f60847440640 |
| SHA256 | ff29712b4544749708b8e723ee6506f5dd7e87b8f28a05df5fea12800c80d4b3 |
| SHA512 | a8f6f5843ac59850fe4eb91d08bf2861b9226e50efa3350e66b501503125cebbd6c48cfe473463b9dfc201cfdaa9cf9f303c80fa8db57feb26b4729ad1b4abd5 |
C:\Windows\System\vlfbodt.exe
| MD5 | 23d4ab547ab15024fd1f834435c450bc |
| SHA1 | c69707c22e6991c5de2ef1dbaed0ebdaa02eba65 |
| SHA256 | 2fe2f823e39f79b04e91a169b5c93b0999421bdd0717c6b2ec84902762ecf23e |
| SHA512 | 97cc986c0721487ed0855c2d1355f8fd03f68915ae48722ea5dc01099f444783635ea306b40ebfb65b29975d233854058cb70b73301b5ee0d01dfdbd1fdea7b7 |
memory/1712-121-0x00007FF715A90000-0x00007FF715DE4000-memory.dmp
memory/4000-119-0x00007FF737680000-0x00007FF7379D4000-memory.dmp
memory/2248-108-0x00007FF79ECA0000-0x00007FF79EFF4000-memory.dmp
memory/4804-100-0x00007FF713400000-0x00007FF713754000-memory.dmp
memory/3248-99-0x00007FF77E4B0000-0x00007FF77E804000-memory.dmp
memory/5056-132-0x00007FF6188E0000-0x00007FF618C34000-memory.dmp
memory/4448-133-0x00007FF6D6620000-0x00007FF6D6974000-memory.dmp
memory/4940-134-0x00007FF6177A0000-0x00007FF617AF4000-memory.dmp
memory/3128-135-0x00007FF6D6020000-0x00007FF6D6374000-memory.dmp
memory/2536-136-0x00007FF7796B0000-0x00007FF779A04000-memory.dmp
memory/3224-137-0x00007FF6527C0000-0x00007FF652B14000-memory.dmp
memory/2476-138-0x00007FF611AB0000-0x00007FF611E04000-memory.dmp
memory/4804-139-0x00007FF713400000-0x00007FF713754000-memory.dmp
memory/2248-140-0x00007FF79ECA0000-0x00007FF79EFF4000-memory.dmp
memory/1320-141-0x00007FF77C680000-0x00007FF77C9D4000-memory.dmp
memory/4000-142-0x00007FF737680000-0x00007FF7379D4000-memory.dmp
memory/2420-143-0x00007FF69DD70000-0x00007FF69E0C4000-memory.dmp
memory/3960-144-0x00007FF679260000-0x00007FF6795B4000-memory.dmp
memory/4520-145-0x00007FF673440000-0x00007FF673794000-memory.dmp
memory/3248-146-0x00007FF77E4B0000-0x00007FF77E804000-memory.dmp
memory/2344-147-0x00007FF7BD080000-0x00007FF7BD3D4000-memory.dmp
memory/4452-148-0x00007FF6BD910000-0x00007FF6BDC64000-memory.dmp
memory/1104-149-0x00007FF776650000-0x00007FF7769A4000-memory.dmp
memory/5056-150-0x00007FF6188E0000-0x00007FF618C34000-memory.dmp
memory/1712-151-0x00007FF715A90000-0x00007FF715DE4000-memory.dmp
memory/4940-152-0x00007FF6177A0000-0x00007FF617AF4000-memory.dmp
memory/4680-153-0x00007FF7A3560000-0x00007FF7A38B4000-memory.dmp
memory/5040-154-0x00007FF74DED0000-0x00007FF74E224000-memory.dmp
memory/3128-155-0x00007FF6D6020000-0x00007FF6D6374000-memory.dmp
memory/3224-156-0x00007FF6527C0000-0x00007FF652B14000-memory.dmp
memory/2536-157-0x00007FF7796B0000-0x00007FF779A04000-memory.dmp
memory/2476-158-0x00007FF611AB0000-0x00007FF611E04000-memory.dmp
memory/4804-159-0x00007FF713400000-0x00007FF713754000-memory.dmp
memory/2248-160-0x00007FF79ECA0000-0x00007FF79EFF4000-memory.dmp
memory/1320-161-0x00007FF77C680000-0x00007FF77C9D4000-memory.dmp
memory/4000-162-0x00007FF737680000-0x00007FF7379D4000-memory.dmp
memory/4448-164-0x00007FF6D6620000-0x00007FF6D6974000-memory.dmp
memory/2420-163-0x00007FF69DD70000-0x00007FF69E0C4000-memory.dmp