Analysis Overview
SHA256
b31b2a4d38fd6dd946f48d4d19b21d49dfcc0642dc07cae2a08a64082b9c90f3
Threat Level: Known bad
The file 2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Cobaltstrike
Detects Reflective DLL injection artifacts
Cobaltstrike family
xmrig
Xmrig family
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 08:43
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 08:43
Reported
2024-06-01 08:46
Platform
win7-20231129-en
Max time kernel
134s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\yDYaYNf.exe | N/A |
| N/A | N/A | C:\Windows\System\cxVATkh.exe | N/A |
| N/A | N/A | C:\Windows\System\AQkuaDB.exe | N/A |
| N/A | N/A | C:\Windows\System\UMzfgjU.exe | N/A |
| N/A | N/A | C:\Windows\System\KwQPaPW.exe | N/A |
| N/A | N/A | C:\Windows\System\dqzEJoq.exe | N/A |
| N/A | N/A | C:\Windows\System\kgpJXTZ.exe | N/A |
| N/A | N/A | C:\Windows\System\ixUWkTl.exe | N/A |
| N/A | N/A | C:\Windows\System\TAdgTEk.exe | N/A |
| N/A | N/A | C:\Windows\System\blWjmTf.exe | N/A |
| N/A | N/A | C:\Windows\System\JOROrYz.exe | N/A |
| N/A | N/A | C:\Windows\System\QoPMCzt.exe | N/A |
| N/A | N/A | C:\Windows\System\CTYwAJz.exe | N/A |
| N/A | N/A | C:\Windows\System\FtxDCRK.exe | N/A |
| N/A | N/A | C:\Windows\System\AxKuEBi.exe | N/A |
| N/A | N/A | C:\Windows\System\ksoeEmQ.exe | N/A |
| N/A | N/A | C:\Windows\System\SxKUXWN.exe | N/A |
| N/A | N/A | C:\Windows\System\RDOgMaN.exe | N/A |
| N/A | N/A | C:\Windows\System\lJtiIJG.exe | N/A |
| N/A | N/A | C:\Windows\System\XpInwej.exe | N/A |
| N/A | N/A | C:\Windows\System\sxETcai.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe"
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 08:43
Reported
2024-06-01 08:46
Platform
win10v2004-20240426-en
Max time kernel
137s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_29ed2c534b7f9f784fc0ef07193caa2f_cobalt-strike_cobaltstrike.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 52.111.227.11:443 | | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
| SHA512 | 0a5cab7697cbf836ce5ae831b83e592763e86cdc09fc94a9aef8f902e95cede289d04518a1dd364c9146d84e205683299c526fcf092c9e0a62212d54fbe578c2 |
memory/396-50-0x00007FF736210000-0x00007FF736564000-memory.dmp
C:\Windows\System\ixUWkTl.exe
| MD5 | ee5b0b8b34b96948b287ef16bf9b215c |
| SHA1 | f7d344f165699658fa22edaec26b441c702dbcbf |
| SHA256 | 48a17edb3dc3258c19a7f43015812459a3ae095afde23bc26e5de4fdefe09faf |
| SHA512 | 41ceba8e3bd75e2b9da51c14da15f8e8d301cd2c57a6ddfb12a4f62dfd56cc5a1b9a88c57f5384d92638f4162d9da0e38fb7deb4a98e530b8b955252f094b727 |
memory/3100-45-0x00007FF7862C0000-0x00007FF786614000-memory.dmp
memory/5016-38-0x00007FF7FAA10000-0x00007FF7FAD64000-memory.dmp
C:\Windows\System\TAdgTEk.exe
| MD5 | 00e2517f420913614d290cf285100818 |
| SHA1 | fa2790de80f69e5370b9fecf8a2560fa58deffea |
| SHA256 | 5ac5dd5630364035eb4242dbcab6d80204dec0c3edad5d71daaa866e7a1caa1f |
| SHA512 | f1223d1d47ab94b016dfafd75977e5c01a4bb7e62cdd38f64f130d28b2db9efca37ec4efe1fa294a1e6d42ffbe4d57a3678d72dc99b1916d731b1de159eeb1e5 |
C:\Windows\System\blWjmTf.exe
| MD5 | 39b0d25cd57cd2c2db37ba262fffd27e |
| SHA1 | 3b7125296f498d0984f71a89ef390dbf4fe2510a |
| SHA256 | 4a7890c2f2942b260531e5e96f478e2af1325f373d539f5f6250d3576af9d77e |
| SHA512 | 54f64c72ff050af1adccab988cbea3ac2d8f7b065949b1d50aa9130ba930541d87c0c9ae517dcfd4446ce0d9489f715f7907bcf83cf00eae74a88cbe98ec5f33 |
C:\Windows\System\JOROrYz.exe
| MD5 | e9aaa42e1bcdedb7047e9053e8536c0f |
| SHA1 | c5f61d22196563507ef4b40ee5877dab18fa156c |
| SHA256 | a8987703097cd088127396b1cd08da9ea7c7e5227eacbddd0d9b462ec1db9bf8 |
| SHA512 | 6ee8b70513e536d40beb902dbaa4e60a9f3304d88905c149f0deecdf5066f0f68d301fd5471eb93d7d7b6fe95d7a7f2e30042eb5db66eabbf379c629053e18ef |
C:\Windows\System\QoPMCzt.exe
| MD5 | c9850b5e2d789523f4291236f2e67c19 |
| SHA1 | 4a91c74d29d0a9b3a9fd327d0e86660cc920a5df |
| SHA256 | 10e15ab56ce1a19874521fabe6fc62f9cbf410b18ede9c34db7a6d39b237516b |
| SHA512 | 50f8fdf010dec4e49ae4fc046cc531280ac498d269d8c2acdad1fe6936089b50a06b8f5b333cf84e449ef3054b5d6d64513565ff7861dbc093ab3e2943e2660e |
memory/4748-75-0x00007FF681850000-0x00007FF681BA4000-memory.dmp
memory/2164-84-0x00007FF6518E0000-0x00007FF651C34000-memory.dmp
memory/4936-88-0x00007FF60ECB0000-0x00007FF60F004000-memory.dmp
memory/2956-94-0x00007FF63D270000-0x00007FF63D5C4000-memory.dmp
memory/4104-99-0x00007FF664010000-0x00007FF664364000-memory.dmp
C:\Windows\System\AxKuEBi.exe
| MD5 | 62e43212443fc0020b4a19a80faf1755 |
| SHA1 | 265611f37a32d3e040e6bfef34ac52b116c6c480 |
| SHA256 | 6b294f06e6246dd5021671878a749ed96bed1ad86401b9c0d9fde70e9cf03c56 |
| SHA512 | 369a20b0c34d353398391288fa0cf411b63417c11c79979f95e2b1a2360adaa512dd041a193ca3250d4738387fc95b7aaac1e2b64cc0b5303a6b252c65f1c230 |
C:\Windows\System\RDOgMaN.exe
| MD5 | cbdeb598a5aad59ebe5e9a324ea83477 |
| SHA1 | 35e5283227f3ec1a46f30c28b22f35100b91aa88 |
| SHA256 | 4040c3a4a11582f94373a44e76aa06b07ec7848307a8514a0164513ef06568e5 |
| SHA512 | 4093100c608c72bd77a0cdaba880efe34f43920f7c47a937c6e8edf40787e76f9c540f6e261695f4cc3fa143442e2e4a9e19b41682f51475e071e811ebdad0d6 |
C:\Windows\System\FtxDCRK.exe
| MD5 | cdbb0e9d8835c1674001811a4232a262 |
| SHA1 | ffc8d606e4b3346cf9e93364cae5af4f96c7ccfc |
| SHA256 | 6e4bd1323d248cc522da06d30f042f1f11f78c2c4e298301bb254bdb608fcfa1 |
| SHA512 | 57844d46f683e2238e9eeabf743c9b527dc32d17191147a05ec66cc1d5a571c9f9a2fa7b1e6e6ff13c49d4870167fa9ac8a92c0b4dae7a3e84001ccedf17cc4a |
C:\Windows\System\CTYwAJz.exe
| MD5 | 743c728e67ff45da2e7e193e3655186c |
| SHA1 | 02f954684ecd05f2285d140320b048da8da3d1b8 |
| SHA256 | 537e7f22c59a90c278f2a32cd0c7530cc09eb44e03cba138a378d6fcd2163b20 |
| SHA512 | 1a073af85c0481f5818aa92c6b508db28a50bc938f2a2ae21aefd1758cd90089f4c8fd2e5998e11ec4ff3d9a0cfb31be1ef4145426f537d58ac0f95a2a7d0619 |
memory/1168-69-0x00007FF69F2A0000-0x00007FF69F5F4000-memory.dmp
memory/1240-66-0x00007FF7E1D00000-0x00007FF7E2054000-memory.dmp
memory/3924-64-0x00007FF72ADE0000-0x00007FF72B134000-memory.dmp
memory/4212-62-0x00007FF7EC400000-0x00007FF7EC754000-memory.dmp
C:\Windows\System\ksoeEmQ.exe
| MD5 | b745e05321da38d9d8d1320f46ca8385 |
| SHA1 | 8f9b579a54a79ac887e8c2914f7f5a9eb020a629 |
| SHA256 | da651199b539c1ba75b2b7a1b9db4682e1e928dfe3ccca894f585e949fc8efc4 |
| SHA512 | 6180b96bd1a0fdfe99c03362dbddde7b597bb3dfafaab75f927ac5a722615601fd66ab5548ab1ca66664b12f12ee057ea7ad6e3d732abfe4d63a52293a258261 |
memory/3680-108-0x00007FF661740000-0x00007FF661A94000-memory.dmp
memory/3100-105-0x00007FF7862C0000-0x00007FF786614000-memory.dmp
C:\Windows\System\lJtiIJG.exe
| MD5 | 70ab189ea0b705d72ee0914f87d24708 |
| SHA1 | c2a3d42b5fd2f6b7b8f7b8ae4451179cbdd28826 |
| SHA256 | 47e90dc9aa49c84cb094d6293d7bc5ab7549adf5757beaa04bc4d5476ff0815f |
| SHA512 | cb79693ac527b7d6c6f2a6d9103dcf6ced3ddeb07968811b370e86af329e5a5604469c199779d7ae3acd80de5df1ee54ff36116c417ca7bf75d6417177fcb5d9 |
memory/396-116-0x00007FF736210000-0x00007FF736564000-memory.dmp
C:\Windows\System\SxKUXWN.exe
| MD5 | 7396d5f014cfd259d9cebfc7c05ee9d5 |
| SHA1 | 590aa19fdff84cedf1e4c69840c5b95a4b178531 |
| SHA256 | 62b7ec99ea1a2479504746e5aa201999e5cbdbbf9b24c41dcfe7f3420d9dd4d0 |
| SHA512 | d82b6b630f644e42d26ec748d79e349b4a840545752574be6a90839eb0d003ce68f610832849df1cf501c57b5ede81cd5ea710a75224ebdfb38dd58164d723f1 |
C:\Windows\System\sxETcai.exe
| MD5 | 8c195eab496b9f3f23aff7e0e17ea915 |
| SHA1 | 6011041d19a9206de516c0de5f858d64ec3c64c6 |
| SHA256 | 0f746dad550dc3cc72f1e29e87775d9d5e3ad6ec94c0ea1164d127e6bc7ffa3e |
| SHA512 | af9eb53b286e96e8b6e7b71075966735f8d39491600790bbf83aedc9f55bf2fbba848f0f1f163b1353066e558a6a047adaba89f615e7d1a72bbc15df272c1fbf |
memory/220-127-0x00007FF69CDA0000-0x00007FF69D0F4000-memory.dmp
memory/228-120-0x00007FF61BC10000-0x00007FF61BF64000-memory.dmp
C:\Windows\System\XpInwej.exe
| MD5 | 9adc8e2fd0b70b58f22df66039784743 |
| SHA1 | 70f3c9c33c5c988a4289e5e0701e9abfad8ea96e |
| SHA256 | a9457ee68091f70d8ed66c2fe994cfb47f216ebb88030e5efeefd53cbc642829 |
| SHA512 | b4e809d3412efdc2cd00a71c2b4c52a0467ef772a3dd1d18a7678a70d5d55d56ba4450a936540e54742959e153d744d5620a3b511af23c05067c3ff259fabd69 |
memory/3252-112-0x00007FF7500B0000-0x00007FF750404000-memory.dmp