Analysis Overview
SHA256
fae1f25f55159205bddb8c2d4ffd715e56096118fbb99801abed4d8930be60c4
Threat Level: Known bad
The file 2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
xmrig
Cobaltstrike
Xmrig family
Cobaltstrike family
XMRig Miner payload
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 15:46
Signatures
Cobalt Strike reflective loader
1 match; no description, indicator, process or target recorded
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 match; no description, indicator, process or target recorded
UPX dump on OEP (original entry point)
1 match; no description, indicator, process or target recorded
XMRig Miner payload
1 match; no description, indicator, process or target recorded
Xmrig family
UPX packed file
1 match; no description, indicator, process or target recorded
Unsigned PE
1 match; no description, indicator, process or target recorded
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 15:46
Reported
2024-06-01 15:48
Platform
win7-20240221-en
Max time kernel
138s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target recorded
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; no description, indicator, process or target recorded
UPX dump on OEP (original entry point)
54 matches; no description, indicator, process or target recorded
XMRig Miner payload
55 matches; no description, indicator, process or target recorded
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\gagksvh.exe | N/A |
| N/A | N/A | C:\Windows\System\OSHbKcX.exe | N/A |
| N/A | N/A | C:\Windows\System\ilqaUWE.exe | N/A |
| N/A | N/A | C:\Windows\System\uOdukgO.exe | N/A |
| N/A | N/A | C:\Windows\System\wTzqaHL.exe | N/A |
| N/A | N/A | C:\Windows\System\lkrmtdz.exe | N/A |
| N/A | N/A | C:\Windows\System\etvVpwj.exe | N/A |
| N/A | N/A | C:\Windows\System\qAvxrFU.exe | N/A |
| N/A | N/A | C:\Windows\System\roaTzEn.exe | N/A |
| N/A | N/A | C:\Windows\System\maSxhUq.exe | N/A |
| N/A | N/A | C:\Windows\System\IRofdaI.exe | N/A |
| N/A | N/A | C:\Windows\System\QweDVWB.exe | N/A |
| N/A | N/A | C:\Windows\System\dlwufFf.exe | N/A |
| N/A | N/A | C:\Windows\System\FDZRwPg.exe | N/A |
| N/A | N/A | C:\Windows\System\fMKZYBv.exe | N/A |
| N/A | N/A | C:\Windows\System\qxFzdvI.exe | N/A |
| N/A | N/A | C:\Windows\System\MGiHwhD.exe | N/A |
| N/A | N/A | C:\Windows\System\GGmDkgk.exe | N/A |
| N/A | N/A | C:\Windows\System\QrtpjJe.exe | N/A |
| N/A | N/A | C:\Windows\System\jUUNAlD.exe | N/A |
| N/A | N/A | C:\Windows\System\XBgvxVO.exe | N/A |
Loads dropped DLL
UPX packed file
54 matches; no description, indicator, process or target recorded
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
SeLockMemoryPrivilege is the "Lock pages in memory" right that XMRig enables so it can back its RandomX mining memory with large pages; a user-launched binary enabling it supports the XMRig verdict above.
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\gagksvh.exe
C:\Windows\System\gagksvh.exe
C:\Windows\System\OSHbKcX.exe
C:\Windows\System\OSHbKcX.exe
C:\Windows\System\ilqaUWE.exe
C:\Windows\System\ilqaUWE.exe
C:\Windows\System\etvVpwj.exe
C:\Windows\System\etvVpwj.exe
C:\Windows\System\uOdukgO.exe
C:\Windows\System\uOdukgO.exe
C:\Windows\System\qAvxrFU.exe
C:\Windows\System\qAvxrFU.exe
C:\Windows\System\wTzqaHL.exe
C:\Windows\System\wTzqaHL.exe
C:\Windows\System\IRofdaI.exe
C:\Windows\System\IRofdaI.exe
C:\Windows\System\lkrmtdz.exe
C:\Windows\System\lkrmtdz.exe
C:\Windows\System\QweDVWB.exe
C:\Windows\System\QweDVWB.exe
C:\Windows\System\roaTzEn.exe
C:\Windows\System\roaTzEn.exe
C:\Windows\System\dlwufFf.exe
C:\Windows\System\dlwufFf.exe
C:\Windows\System\maSxhUq.exe
C:\Windows\System\maSxhUq.exe
C:\Windows\System\FDZRwPg.exe
C:\Windows\System\FDZRwPg.exe
C:\Windows\System\fMKZYBv.exe
C:\Windows\System\fMKZYBv.exe
C:\Windows\System\qxFzdvI.exe
C:\Windows\System\qxFzdvI.exe
C:\Windows\System\MGiHwhD.exe
C:\Windows\System\MGiHwhD.exe
C:\Windows\System\GGmDkgk.exe
C:\Windows\System\GGmDkgk.exe
C:\Windows\System\QrtpjJe.exe
C:\Windows\System\QrtpjJe.exe
C:\Windows\System\jUUNAlD.exe
C:\Windows\System\jUUNAlD.exe
C:\Windows\System\XBgvxVO.exe
C:\Windows\System\XBgvxVO.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1040-0-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/1040-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\gagksvh.exe
| MD5 | f96c4c4c95d2491053819b3dffdd411a |
| SHA1 | cc336663ae6d8a622a7a0fafbbd6351f58a2a7bd |
| SHA256 | 3287cfe2f369ddd59bc8ea10ba26a0b8aae185c41f52e1c5b18901d1083abc92 |
| SHA512 | 14fbbc647a4e7e545ab2e44b86340dad10d527ebaf2597dd9411ae5c9d1c43ae2a1b2031f2553e9352dafca5f9042c956e608694e04487627d092c028a4baedf |
\Windows\system\OSHbKcX.exe
| MD5 | 10dd3d6e18c0d2b03175cae22a21aa12 |
| SHA1 | 32efc2e2d98576bead6519b3e1fcbfda7250fbd2 |
| SHA256 | efa462afc6a97d7869668606674329386aae8cfc9c9adbac6bfcc7de5df1bda0 |
| SHA512 | ca9bad4a931b37d03bb406e3bc71d17ffc71c82b55cf25b61cea0874cbfe37bf558c9c9f88bf0452ae961a60e86872c6d85645e1c2d39d0f820e0c1b06e790de |
memory/1040-8-0x0000000002400000-0x0000000002754000-memory.dmp
C:\Windows\system\ilqaUWE.exe
| MD5 | 248d69889deecbb8515a3ee7e675e3c8 |
| SHA1 | 4007980431787b87247e573cc6d2cfe75c469247 |
| SHA256 | 03406571b09e87b831bf899edbfe5bf991762292836ebeff3f23fc354f5d5bfc |
| SHA512 | fbd0752e8131adb50c301a902e2b7cdcf575c5bb63ac71a79cf119a78f3b0590267d6b434d76bc9d5a43cb8df309e93566486cf44085bf2198e1c2f12c2caa40 |
memory/1040-43-0x0000000002400000-0x0000000002754000-memory.dmp
\Windows\system\lkrmtdz.exe
| MD5 | 7db7165b7a85b38f65fa137e18a4d532 |
| SHA1 | 216d9259859e744b1479a592fe515b32afdf8758 |
| SHA256 | 8f98e7a3c3868ba5eb5a117d5d14028662fa37d7e3de8159a66e49416a72bd3c |
| SHA512 | 00ada74ad259327e4079b5b7d047771329c1226c59e28b38ae25c1287a60f3ceb1b48953e235cfb78df196aaa8119fed2748ddfa7b4f07145953a6816336223a |
memory/2516-36-0x000000013F4E0000-0x000000013F834000-memory.dmp
\Windows\system\wTzqaHL.exe
| MD5 | 5bae5f4ec9316b40aa3fff3feb0d6e8d |
| SHA1 | e468892e7fea79681f349bf2ae67ff27c238f65b |
| SHA256 | 0af04f2a87e4cafc691797a03dacb5048573e90bd6fc71abea43999d47a266d4 |
| SHA512 | dfae42a7945dd3a1b92ce19b8035e9a2a4dde2b0e7752e0461228027de5b87bc2e705b35d18c5c68e340aac4f00172f751e2bbd37760dbebf8b57104b8d96c54 |
\Windows\system\qAvxrFU.exe
| MD5 | b12c685b982b478cf01a72e1561e9a5b |
| SHA1 | 745990a8946bb209d25ef76da94eb75358c92f31 |
| SHA256 | 49d33af8d26ba39c6d7173562923a4e693e4d0bc262d6012f025bef950614e6b |
| SHA512 | 5bf8fa423fd5763cae1c6ad4b24fc6c654517b036e650957ef28c32963df4ff1f47d46f61f41aefb417db71349b80db52d24640713bb57921e3aaf37f64422ce |
\Windows\system\etvVpwj.exe
| MD5 | f5b1d3b30d653e8f2b75ae948c9ba82c |
| SHA1 | b34fdd073ae20dfb0ecf1dc9549e4554851a1919 |
| SHA256 | 29a0c9a43a1f42928d20b8b46f6e4ab9aedfdeeb80c9770a68fd2d9680de1b9c |
| SHA512 | a4f4b1aa3846d3d25dd50f76d37d303ed78db6e663cea8e24bcc5fe8f8c8ee02b9c4c23056473552c438399ac1f9650b132930efb4c4c03286ef09044f64f5f3 |
memory/2476-28-0x000000013F130000-0x000000013F484000-memory.dmp
memory/2176-25-0x000000013F360000-0x000000013F6B4000-memory.dmp
C:\Windows\system\uOdukgO.exe
| MD5 | dbe4a0fec373a91e2f64170c6d35bdaa |
| SHA1 | 6b911d0f7a7e490d3219cf3d3c6b00316f6e5a11 |
| SHA256 | 9a09ba110c3d280a19796b247e16aaf1c373a70551d6cffeb17d2723a52dac2b |
| SHA512 | 40fb804c18cd2de43a688728a7c2854a5029b60f9d8c338cb9bfa7f16f3d9935ea7862c2175cd018b5bca15c17e6356463bd670b3f44933d1d09fa0a5f5b9b49 |
memory/2356-89-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2608-98-0x000000013F860000-0x000000013FBB4000-memory.dmp
C:\Windows\system\qxFzdvI.exe
| MD5 | e4b5e5c1dae360fc7e9ca2d3e5894d4e |
| SHA1 | 9f34e1c6041e2b9e2a28e937963a2b4f54fefe38 |
| SHA256 | da4a8ad2c6d6f933a1d378f8f3850b8e43e65d97953a7cdb91e88a33fbacfb8d |
| SHA512 | db5d374e88ac414adcaf6c4d6a2c499e66a2f036ad7c1ff6e0834a346ab29eeac322cb28be7a617d2a47be810285838c804dd34863f3adce10b4dbae6c82244c |
C:\Windows\system\XBgvxVO.exe
| MD5 | 45814a84be03e7e2c4759e46a06cfea4 |
| SHA1 | 20c3a08c2d8dae292297fcf23ccf3fecaf8ca333 |
| SHA256 | e799ffe111475c4d31823984eb2a40932582e4252749c4772b1f3bed3a05df5b |
| SHA512 | cf6a1beae46244213f46fe239c2a50e69baf5cdd1926c367e490cd52ca54279e55b0933e871467a3d1d7eb3e3c48e03dd85b0f28694a847e656ee0be711adc67 |
C:\Windows\system\jUUNAlD.exe
| MD5 | bef84db28792f01304b82832549579e7 |
| SHA1 | 9e8bd0701b9f0a6f10a513c26d5a85e76cd1fd0f |
| SHA256 | 11af87cb694403125c6f635770a5587909c475e3ecd5513c42b861a4b3733354 |
| SHA512 | ac42a9d342f5aa9fc3375d5d5822459ab7e93fb3203a36269d0974a7729a03134cf0393764368b2a6ae7ab536ea08aac9fc40e5aebe882a76446a5ab989415d5 |
C:\Windows\system\QrtpjJe.exe
| MD5 | 7f2ed0bebde9c5737251ce60b2a848e6 |
| SHA1 | 810edbef9a01be89978c02e2722cb3194a23fb25 |
| SHA256 | ba73d0db475a1255bcc600e6fd7e519635728ae460bb92bfcfe26fcb2ccf8380 |
| SHA512 | 7093e53e507d17d031657490985e8619c803a37b8031a42582a05a45dbd732db3d4d314ac629d8a4b0838d2abf526483516282424460d9ad00fa5216445f0924 |
C:\Windows\system\GGmDkgk.exe
| MD5 | 9f5c31067a735863cc83254002bc42d6 |
| SHA1 | 748124b641b3518994f4e860f7ce1ac0c1e639cc |
| SHA256 | 466577e0b239ea828625b5c73dc29ce8b5c36aa36c413bb91bba41e560da4ed9 |
| SHA512 | 6b101872ac5a60cd6fdfa42e66d0169771e895ae7428f7ec299e31bcb6f4fe2b5bab941fff723ea76f4f977d47baa8eac28a7c96eb04b234eea7639f14ab4208 |
C:\Windows\system\MGiHwhD.exe
| MD5 | 75288d9b261bc4eceb73817274f01f4d |
| SHA1 | 717ad0c613f33a3e9feb00ab776ac733211be02f |
| SHA256 | bfcb88bad9eaceccef1a9400829ee2c836a8716e715f603e8f1068216d3a83a9 |
| SHA512 | 06f993a6cbf100a70ea5e7d11142daf45d41bd25b84f92ff024c65c32055f58ee56d4ed8ef8502060d8a7a74d05e8947da68eb41542442948adfbd53f4e9183c |
memory/1040-103-0x000000013FD80000-0x00000001400D4000-memory.dmp
C:\Windows\system\fMKZYBv.exe
| MD5 | e2046c72d782c876c4fee2557aa34cdb |
| SHA1 | 254d163b175726603915811b1696ece77954ecd0 |
| SHA256 | cf763a0b53df35ebd3dd440eb45cf1846ad858a0e8c367b7ca6ded513d09c593 |
| SHA512 | 54f20af881e825b98fd8ec3042d1075219cff4d197c802ef18baf1756dd1e172700f58472ef70a15ee6733893b973af1a7b22c1c17853fd402bfa57ab45afed5 |
C:\Windows\system\FDZRwPg.exe
| MD5 | 3d28da75a2d028debe41f8c2c1284b8a |
| SHA1 | 8d21e010d94f6f355a24fcc9d68a3f464396a1c6 |
| SHA256 | 5a3723d5af8058fb4390e924a2a44d15eb33754aaf662934c1b0253e3ecef473 |
| SHA512 | 206907406dea85a14882cbfd813a502041e37584e7f7089baea174b948c4e10c9089a6cd369912f11cecaf53d99b61f88286093e77509fc8ba0b6aa645a6d13f |
memory/1040-96-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2392-92-0x000000013FAD0000-0x000000013FE24000-memory.dmp
memory/2480-91-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2468-90-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2484-88-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/1040-87-0x0000000002400000-0x0000000002754000-memory.dmp
memory/1040-86-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/1040-85-0x0000000002400000-0x0000000002754000-memory.dmp
memory/1040-84-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2800-83-0x000000013FA10000-0x000000013FD64000-memory.dmp
memory/2368-82-0x000000013F5B0000-0x000000013F904000-memory.dmp
C:\Windows\system\dlwufFf.exe
| MD5 | d15be0a4573ec4d4366e7f9098c41c20 |
| SHA1 | c5b2db009d6c98f0c576c6daa894725ed3ba4d22 |
| SHA256 | d94008010ccffc6a62988af4cd3e56f58a285a56702481af558751d740fd3e33 |
| SHA512 | e8160c004f28afb4c86780dd2f4b58d4a07bceec27c39b5a6e8f9a73176b58c6f15faf12bf1be7ee70a8b3414dfeac6b8f73710360bc5819e9a4b6af9932cb9a |
memory/1040-79-0x000000013FA10000-0x000000013FD64000-memory.dmp
memory/2612-78-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/1040-77-0x000000013FAD0000-0x000000013FE24000-memory.dmp
C:\Windows\system\QweDVWB.exe
| MD5 | 2dbdeede53f76a241774b4aa10970a1b |
| SHA1 | 8f28a5d5b842fa70686c1b189615b4f4432e272b |
| SHA256 | e5f46d078d8b19d79f9283181f5afe49dc669d1f049f8fc31ab6b125f0cca2c4 |
| SHA512 | 8686e3cd5c1b48be401d617386a5d3b1c3f3938c98d4d494d20734d536e05fd7f3c76f1bef0d30f6430789b2f49141d7bab5a16031f83b8ace338acc64050a1b |
memory/1040-74-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2836-73-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/1040-72-0x0000000002400000-0x0000000002754000-memory.dmp
C:\Windows\system\IRofdaI.exe
| MD5 | 3f77c66fc4b81c9e2658d6e867c92773 |
| SHA1 | 2ceb38027761bdfae36a0b21f752057eb561f251 |
| SHA256 | 42c4f7b67ba67c0afbbafbc499720551f74bf20a082ed69f482c111bc57d9c8d |
| SHA512 | 48da80d070a4b897986b5b426bbcba9b51194a66117a5a5634b9650f6f95610d937ea2a24eee576e2674ada05f2977bb9325c9db13355bc9aa398b75ad401665 |
memory/1040-69-0x000000013FAB0000-0x000000013FE04000-memory.dmp
C:\Windows\system\maSxhUq.exe
| MD5 | 65e54df9418ed46201e7f7b5c524ddc2 |
| SHA1 | a09e43e985aa371eb9814c26cf10f8fd1970ba6f |
| SHA256 | 5103edd965f4ef1db6a71f5edf776aebfc2d04f74908e2ac948882785a20f014 |
| SHA512 | 2090505498d77163607cfc33167bafebbfb8cd634a4656c7a7f94a6dd46d4425c6a34b826fe18a59b7845a9b8e68ada149a660fb8698021b4abbf42fb96fb22d |
C:\Windows\system\roaTzEn.exe
| MD5 | c1bc018f1261b5efba7b5526f5f8d15e |
| SHA1 | 535b66fd9a7b515f2800f108d467a401df557f79 |
| SHA256 | 0027a1a594644e841e50a826b71ffe89e4881a294933c749c5cfa7c4f3910759 |
| SHA512 | 4b6bef134db1585521d1c34490301af153930c01edc1a653e46eb5e9cec66d6714719a89f96a81e3f403ada31906292f57d6200fe2715671c85ea74ebea1ea2b |
memory/2520-65-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/1040-63-0x0000000002400000-0x0000000002754000-memory.dmp
memory/1040-32-0x0000000002400000-0x0000000002754000-memory.dmp
memory/1040-136-0x000000013F290000-0x000000013F5E4000-memory.dmp
memory/1040-138-0x0000000002400000-0x0000000002754000-memory.dmp
memory/2476-137-0x000000013F130000-0x000000013F484000-memory.dmp
memory/2392-139-0x000000013FAD0000-0x000000013FE24000-memory.dmp
memory/2608-140-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2176-141-0x000000013F360000-0x000000013F6B4000-memory.dmp
memory/2516-142-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2520-144-0x000000013F160000-0x000000013F4B4000-memory.dmp
memory/2476-143-0x000000013F130000-0x000000013F484000-memory.dmp
memory/2836-145-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2484-146-0x000000013FD70000-0x00000001400C4000-memory.dmp
memory/2612-147-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/2368-148-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/2800-149-0x000000013FA10000-0x000000013FD64000-memory.dmp
memory/2356-150-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2468-151-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2480-152-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2608-154-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2392-153-0x000000013FAD0000-0x000000013FE24000-memory.dmp
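The memory-dump identifiers in this "Files" list encode PID, dump index and the start/end virtual address of each dumped region. Parsing them is a quick way to check whether the 21 dropped executables are really one image under different names: every per-process dump above spans exactly 0x354000 bytes, and the parent (PID 1040) additionally holds a private region at 0x2400000 of the same size, which is consistent with the dropper staging a copy of its own image before writing it out. The script below is an added example, not part of the sandbox report; the `DUMP_NAMES` list is a subset of the identifiers shown above, copied in as sample input.

```python
import re
from collections import defaultdict

# Subset of the memory-dump identifiers from the behavioral1 "Files" list above
# (PID, dump index, start address, end address). Sample input for the example.
DUMP_NAMES = [
    "memory/1040-0-0x000000013F290000-0x000000013F5E4000-memory.dmp",
    "memory/1040-1-0x00000000000F0000-0x0000000000100000-memory.dmp",
    "memory/1040-8-0x0000000002400000-0x0000000002754000-memory.dmp",
    "memory/2516-36-0x000000013F4E0000-0x000000013F834000-memory.dmp",
    "memory/2476-28-0x000000013F130000-0x000000013F484000-memory.dmp",
    "memory/2176-25-0x000000013F360000-0x000000013F6B4000-memory.dmp",
    "memory/2356-89-0x000000013F840000-0x000000013FB94000-memory.dmp",
    "memory/2608-98-0x000000013F860000-0x000000013FBB4000-memory.dmp",
    "memory/1040-103-0x000000013FD80000-0x00000001400D4000-memory.dmp",
    "memory/2836-73-0x000000013FAB0000-0x000000013FE04000-memory.dmp",
]

# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump_name(name):
    """Split one dump identifier into pid, index, start, end and region size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory-dump name: {name!r}")
    start = int(m["start"], 16)
    end = int(m["end"], 16)
    return {
        "pid": int(m["pid"]),
        "index": int(m["idx"]),
        "start": start,
        "end": end,
        "size": end - start,
    }


def region_sizes_by_pid(names):
    """Map each PID to the set of distinct region sizes dumped from it."""
    by_pid = defaultdict(set)
    for name in names:
        d = parse_dump_name(name)
        by_pid[d["pid"]].add(d["size"])
    return dict(by_pid)


def common_image_size(names):
    """Region size present in every PID's dumps (the shared PE image), or None."""
    sizes = list(region_sizes_by_pid(names).values())
    shared = set.intersection(*sizes) if sizes else set()
    return max(shared) if shared else None


if __name__ == "__main__":
    for pid, sizes in sorted(region_sizes_by_pid(DUMP_NAMES).items()):
        print(pid, [hex(s) for s in sorted(sizes)])
    print("shared image size:", hex(common_image_size(DUMP_NAMES)))
```

The same size across every child process points at copies of one binary; the differing per-file hashes in the list above mean each copy was altered on disk, so hash-based blocking of the children is not enough and the drop location and naming pattern are the more durable indicators.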
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 15:46
Reported
2024-06-01 15:48
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
156s
Command Line
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target recorded
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; no description, indicator, process or target recorded
UPX dump on OEP (original entry point)
64 matches; no description, indicator, process or target recorded
XMRig Miner payload
64 matches; no description, indicator, process or target recorded
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\AUVgssg.exe | N/A |
| N/A | N/A | C:\Windows\System\RcUiXPJ.exe | N/A |
| N/A | N/A | C:\Windows\System\UnVECpf.exe | N/A |
| N/A | N/A | C:\Windows\System\vAawDOQ.exe | N/A |
| N/A | N/A | C:\Windows\System\MdWcfrp.exe | N/A |
| N/A | N/A | C:\Windows\System\usDPIBy.exe | N/A |
| N/A | N/A | C:\Windows\System\DJajXhq.exe | N/A |
| N/A | N/A | C:\Windows\System\XgLWTLw.exe | N/A |
| N/A | N/A | C:\Windows\System\peJinwD.exe | N/A |
| N/A | N/A | C:\Windows\System\zIVTQvK.exe | N/A |
| N/A | N/A | C:\Windows\System\dXKvpCJ.exe | N/A |
| N/A | N/A | C:\Windows\System\VeWZenv.exe | N/A |
| N/A | N/A | C:\Windows\System\QYbPNBa.exe | N/A |
| N/A | N/A | C:\Windows\System\LzGuhle.exe | N/A |
| N/A | N/A | C:\Windows\System\JRPCTVe.exe | N/A |
| N/A | N/A | C:\Windows\System\sAYglrA.exe | N/A |
| N/A | N/A | C:\Windows\System\AShhnUq.exe | N/A |
| N/A | N/A | C:\Windows\System\ysySpJi.exe | N/A |
| N/A | N/A | C:\Windows\System\nMlNCZs.exe | N/A |
| N/A | N/A | C:\Windows\System\OuXkPQY.exe | N/A |
| N/A | N/A | C:\Windows\System\gPbNcbb.exe | N/A |
UPX packed file
64 matches; no description, indicator, process or target recorded
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\AUVgssg.exe
C:\Windows\System\AUVgssg.exe
C:\Windows\System\RcUiXPJ.exe
C:\Windows\System\RcUiXPJ.exe
C:\Windows\System\UnVECpf.exe
C:\Windows\System\UnVECpf.exe
C:\Windows\System\vAawDOQ.exe
C:\Windows\System\vAawDOQ.exe
C:\Windows\System\usDPIBy.exe
C:\Windows\System\usDPIBy.exe
C:\Windows\System\MdWcfrp.exe
C:\Windows\System\MdWcfrp.exe
C:\Windows\System\DJajXhq.exe
C:\Windows\System\DJajXhq.exe
C:\Windows\System\XgLWTLw.exe
C:\Windows\System\XgLWTLw.exe
C:\Windows\System\peJinwD.exe
C:\Windows\System\peJinwD.exe
C:\Windows\System\zIVTQvK.exe
C:\Windows\System\zIVTQvK.exe
C:\Windows\System\dXKvpCJ.exe
C:\Windows\System\dXKvpCJ.exe
C:\Windows\System\VeWZenv.exe
C:\Windows\System\VeWZenv.exe
C:\Windows\System\QYbPNBa.exe
C:\Windows\System\QYbPNBa.exe
C:\Windows\System\LzGuhle.exe
C:\Windows\System\LzGuhle.exe
C:\Windows\System\JRPCTVe.exe
C:\Windows\System\JRPCTVe.exe
C:\Windows\System\sAYglrA.exe
C:\Windows\System\sAYglrA.exe
C:\Windows\System\AShhnUq.exe
C:\Windows\System\AShhnUq.exe
C:\Windows\System\ysySpJi.exe
C:\Windows\System\ysySpJi.exe
C:\Windows\System\nMlNCZs.exe
C:\Windows\System\nMlNCZs.exe
C:\Windows\System\OuXkPQY.exe
C:\Windows\System\OuXkPQY.exe
C:\Windows\System\gPbNcbb.exe
C:\Windows\System\gPbNcbb.exe
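Both detonations show the same drop pattern: the sample writes 21 executables with seven-letter alphabetic names into C:\Windows\System (the legacy directory, not System32, which rarely hosts legitimately executing binaries) and launches each one. That pattern is a better hunting signal than the per-file hashes, which differ between copies. The script below is an added example of turning it into a process-creation detection; it is not part of the report or of any vendor rule set. The `SAMPLE_EVENTS` lines are constructed in a Sysmon-like key="value" layout for the example, with paths taken from the process lists above plus two benign control events.

```python
import re

# Constructed process-creation events (not real telemetry). Image paths mirror
# the report's process lists; the svchost and notepad lines are benign controls.
SAMPLE_EVENTS = [
    'EventID=1 Image="C:\\Windows\\System32\\svchost.exe" ParentImage="C:\\Windows\\System32\\services.exe"',
    'EventID=1 Image="C:\\Windows\\System\\gagksvh.exe" ParentImage="C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe"',
    'EventID=1 Image="C:\\Windows\\System\\AUVgssg.exe" ParentImage="C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-01_bc767b7f6802ebda04d666123eb7add8_cobalt-strike_cobaltstrike.exe"',
    'EventID=1 Image="C:\\Windows\\System32\\notepad.exe" ParentImage="C:\\Windows\\explorer.exe"',
]

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Exactly one path component under C:\Windows\System (System32 does not match).
LEGACY_SYSTEM_DIR = re.compile(r"^C:\\Windows\\System\\([^\\]+)$", re.IGNORECASE)
# Seven alphabetic characters plus .exe, as seen in every dropped file name above.
RANDOM_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")
USER_TEMP = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse_event(line):
    """Extract the quoted key="value" fields of one event line."""
    return dict(FIELD_RE.findall(line))


def score_event(ev):
    """Return the list of reasons an event looks like this dropper's children."""
    reasons = []
    image = ev.get("Image", "")
    parent = ev.get("ParentImage", "")
    m = LEGACY_SYSTEM_DIR.match(image)
    if m:
        reasons.append("image in legacy C:\\Windows\\System directory")
        if RANDOM_NAME.match(m.group(1)):
            reasons.append("seven-letter alphabetic file name")
    if USER_TEMP.match(parent):
        reasons.append("parent executable launched from user Temp")
    return reasons


def hunt(lines):
    """Flag events with at least one reason; severity 'high' when two or more."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        reasons = score_event(ev)
        if reasons:
            severity = "high" if len(reasons) >= 2 else "low"
            hits.append((ev.get("Image"), severity, reasons))
    return hits


if __name__ == "__main__":
    for image, severity, reasons in hunt(SAMPLE_EVENTS):
        print(severity, image, "; ".join(reasons))
```

The directory check alone would also catch a legitimate installer that happens to write under C:\Windows\System, so the name pattern and the Temp-launched parent are what push an event to high severity; tune the parent check to the drop locations your own telemetry shows.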
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
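The Windows 10 run adds a dozen reverse-DNS (PTR) queries to 8.8.8.8 that the Windows 7 run does not show, while 3.120.209.58:8080 over TCP is the only endpoint both detonations contact. Separating those two classes, and turning each in-addr.arpa name back into the address it asks about, is the first step in deciding what to block. The script below is an added example and not part of the report; the two row lists are transcribed from the Network tables of behavioral1 and behavioral2 above.

```python
import ipaddress
from collections import Counter

# Rows transcribed from the two Network tables above: (country, destination, domain, proto).
WIN7_NETWORK = [("DE", "3.120.209.58:8080", "", "tcp")] * 6
WIN10_NETWORK = [
    ("US", "8.8.8.8:53", "154.239.44.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "91.90.14.23.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "68.159.190.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "95.221.229.192.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "28.118.140.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "149.220.183.52.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "183.59.114.20.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "206.23.85.13.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "145.83.221.88.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "105.83.221.88.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "14.227.111.52.in-addr.arpa", "udp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("DE", "3.120.209.58:8080", "", "tcp"),
    ("US", "8.8.8.8:53", "208.143.182.52.in-addr.arpa", "udp"),
]

PTR_SUFFIX = ".in-addr.arpa"


def ptr_name_to_ip(name):
    """Reverse an IPv4 PTR query name (d.c.b.a.in-addr.arpa) into 'a.b.c.d', or None."""
    if not name.endswith(PTR_SUFFIX):
        return None
    octets = name[: -len(PTR_SUFFIX)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None


def summarize(rows):
    """Split rows into direct endpoints (counted) and the IPs named by PTR lookups."""
    endpoints = Counter()
    ptr_targets = []
    for _country, dest, domain, proto in rows:
        ip = ptr_name_to_ip(domain) if domain else None
        if ip:
            ptr_targets.append(ip)
        else:
            endpoints[(dest, proto)] += 1
    return endpoints, ptr_targets


def endpoints_common_to(*runs):
    """Endpoints contacted in every detonation: the candidates worth blocking first."""
    sets = [set(summarize(r)[0]) for r in runs]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    eps, ptrs = summarize(WIN10_NETWORK)
    print("direct endpoints:", dict(eps))
    print("PTR lookups for:", ptrs)
    print("common to both runs:", endpoints_common_to(WIN7_NETWORK, WIN10_NETWORK))
```

PTR queries to a public resolver for addresses the sample never connects to are OS-side lookups rather than beacon traffic; the endpoint that survives the intersection across both platforms, 3.120.209.58:8080, is the one to pivot on.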
Files
memory/4556-0-0x00007FF797C00000-0x00007FF797F54000-memory.dmp
memory/4556-1-0x0000021328C60000-0x0000021328C70000-memory.dmp
C:\Windows\System\AUVgssg.exe
| MD5 | ffa1d555f8061e94d4858c916bf26490 |
| SHA1 | 774ceab6cf30922a4cd8edd8a9a3af5086df8ec0 |
| SHA256 | 65ac88bc9ab0d2888d14d105006bffd08aec3faf1f94b6991c8e00715e1e0896 |
| SHA512 | 57e2e593f75c87e5d5723699da016ec3cd6afb9f43bc7f6655982062fb462a99fbedc75d0e5a49df3fd7fc088f95a1fa517d068c59f882ca63daa13428754d14 |
memory/2104-8-0x00007FF717750000-0x00007FF717AA4000-memory.dmp
C:\Windows\System\RcUiXPJ.exe
| MD5 | e3954c990835b212bfeda0784cfde775 |
| SHA1 | 0658b8ccf17a829a20efcf3f3a3664b9c2535101 |
| SHA256 | 1bb08e3b0cd8679f6dd56b3adae901d7c007a752eab0db556e19a11fd9a7e3f0 |
| SHA512 | 47f06ab1faa30ff5c5f8dce38d2f8c7c516f88d841b1565a1f8b7b8dfb89f657f556029d031992ccf7bdec6f78e46edd216493a31af15dc6d92ad216c9b87490 |
C:\Windows\System\UnVECpf.exe
| MD5 | e30bdd061dd80f4d4c2d0c59e13a8eff |
| SHA1 | c3dc49300a0fbc1b7fd19716c2f807a908f27a92 |
| SHA256 | 9e606e5ee8ac2d935a770e8c41c59dab35d0a370c02e91e4603895ed52a45b8a |
| SHA512 | c58336c00c50690e086924983a162a0ded901b8f082fb08f178d8f310f525a9d419ef84a5519b9e6d2e70c16b8c6bd3a73264d1ca42e340128a5a2f5b462ca0f |
memory/3592-14-0x00007FF794420000-0x00007FF794774000-memory.dmp
memory/3932-25-0x00007FF6C7E60000-0x00007FF6C81B4000-memory.dmp
memory/1716-26-0x00007FF6FE6D0000-0x00007FF6FEA24000-memory.dmp
C:\Windows\System\usDPIBy.exe
| MD5 | 83cc3db8cbbe155a9224ac7a4d069ab3 |
| SHA1 | b0ac0906d7e55af0eb11ce7aa295ed9a3940b0d8 |
| SHA256 | 7e393af83a3d2485f4cc90aa86d32abc38029b439a7f3acd4e167108bb888303 |
| SHA512 | e76159d55e7539d2cfc31f11d4e691ebe034bfd85cbd0dbd81ba0cf845f70a5d37e87217f3887be07034c6a52597b89ff759e4387941824eb4440ed8974619e5 |
memory/1280-40-0x00007FF75D050000-0x00007FF75D3A4000-memory.dmp
C:\Windows\System\XgLWTLw.exe
| MD5 | 8b93fdd9babbb3cd8a11d5dbbdf23ba5 |
| SHA1 | 44786c076fc300a259d2820fc0c7dd333f51eb68 |
| SHA256 | 6727fa8f7de75fc161f40791026ce1e6d363dee9fefbb3113e9d2708a295f417 |
| SHA512 | f08cc2bbf1ce526ff3ee8f2f81a2b056e4c7802d24cfd1ed030e79e8bca39324c59e48689f1943dad099c37b5d6e06e332bffa27cae768e185780ee8fe6888d6 |
memory/920-51-0x00007FF7CC720000-0x00007FF7CCA74000-memory.dmp
C:\Windows\System\peJinwD.exe
| MD5 | 4b0d6426a8c81a3f575afa4653b2fb67 |
| SHA1 | 591391d355ef75d3378eb3b88a0a3a9a269dd3cf |
| SHA256 | 973cc5e702bd87b0e1b472756ed7ff42c04bd6ea2a33a221a00ee3c67d6a3c33 |
| SHA512 | fb5f0bfacc56b2596892225b10e37f050edd1ec81ed40f73129e0a8afb0eab66903babc356785150a1f45b288f6659ce06b42f89910394fd82bd81622c2cf237 |
C:\Windows\System\dXKvpCJ.exe
| MD5 | ab1cd754d9bf651e00d158d001cf23e4 |
| SHA1 | 7c5afe944125ae318a49a9da6d3df2bad691fa6b |
| SHA256 | 5aa508b18c87cee9e7d82ef1055ba5a1f793f8a240f24f71e577c036e459862f |
| SHA512 | c72ef1731163ea9e37cdf50b4d30b84bc2e00d341eee4b3f4bc80565caac415f311e85097cc89eaa46dbbe844514ec35f31b209ab780afe6348715f2685f206d |
C:\Windows\System\VeWZenv.exe
| MD5 | 726bb16216bdde8b98c2d17d7aea4cf8 |
| SHA1 | b356d7a5dc29ae3100d2e942d7e594b44aac5294 |
| SHA256 | e1e04b223d1a62cfc53a3816020a91bd2e4c38f61836bb18b1d0669a21fff170 |
| SHA512 | c6bf37407eb0f33ab47099542242011975fa8ac4930f4e119a33cb58fafb402e62ff702852927f27d5c18643b0567c64c35266ddbdd9f203e92e038b581fe8b3 |
C:\Windows\System\QYbPNBa.exe
| MD5 | 2249395465a62e82f52a23a1274dec85 |
| SHA1 | ebe3db65ca799e49bd0b8ef6c37871445fe00b24 |
| SHA256 | 642dd174c99a3294d3751befc7345185693d346b9093dc98ba6eab7a67bb99da |
| SHA512 | a01c9f8f6a538b9798a0edfb565560841757735711ad532697186ccce636bffd7cb1d25e911edbf001fccb1429af47b713e5722664b37690e5da9a9682432a6d |
C:\Windows\System\ysySpJi.exe
| MD5 | 0ae4b7d1a100c0fcab6f634540345a29 |
| SHA1 | 7090bb47b9901e82bf44906650fea02aea30c88a |
| SHA256 | b4380f292442bae520c22e5f234c87931e43569488252a93456d108ef60d017c |
| SHA512 | 15cf3fb1be5e0e4411b37d092f46b334b831fa05cff659450811e7e39a01ef3d9ac8cc8c425fc062087fd2b38b0727bd687a20dcae09678b169668a081376de2 |
C:\Windows\System\OuXkPQY.exe
| MD5 | 4b77ba11a33f54f88bd46f63e477634d |
| SHA1 | 5643af55c009031ad204482ce394b41c969de46d |
| SHA256 | 27f02a6479895d8ef351bd0d7afb3b68388e59792e2eccf1801e09e3a24077ab |
| SHA512 | 3c0bc902862ce2da564b2908d9ef1d32c409387289cc02d584898380df3753db46378a9e1f56daed1eba40cff4b15210ed9135d93d0518fc719d1301d2b06d26 |
C:\Windows\System\gPbNcbb.exe
| MD5 | f71362d87081caaf964403a1ed53a811 |
| SHA1 | a504a05127e1f75384343264857a2b5eba1ea061 |
| SHA256 | a8bc193b59906e8d5e2703f107621882f87b8333a6e1eb837141a0e16a4434ca |
| SHA512 | e3e7f06a6c977a78218d6a7561e2dcbe5a146202ba52508cd40c7b6636ec1af502d679fd04048ce6339f36361190d3034cd5733a74d3f01425f1777016f792f4 |
C:\Windows\System\nMlNCZs.exe
| MD5 | 6733c8d6828908e29075e9282788543d |
| SHA1 | 73b6c6209ad488d98d14e7006f4a2e7826f4bc32 |
| SHA256 | ce899a153498ad415f3755645d2c2dabad59152d50a92a5a0cf1002c7c1f3a2c |
| SHA512 | 6eaed27ac56485a3c55d4fd5e2586b18f6f81bcbfdc28a205b5b8f67c49d6ddf14d24cab330ebfe1b36c96ae965bc68db2bc42fc72b9475b541fe80c979291c2 |
C:\Windows\System\AShhnUq.exe
| MD5 | 837e44a635329d5d83f2edc3d1da1789 |
| SHA1 | 03b0e30965c8085e1a7063bb044bf8839c3e2616 |
| SHA256 | f7716fae41b5b54b2b2745cae84fde9fb1d912bf352a755fd2e6223d66c3c4ef |
| SHA512 | f47a8a7a8f3234624d565f7f332c2044c739ced8d03a3d85609904a0eed483643465051d8832da5cdfb940fe792524f8d9c7dc09b1c283bfa9b095d2fc6d954f |
C:\Windows\System\sAYglrA.exe
| MD5 | 376934bb8fdfaf9ef196779ca2688550 |
| SHA1 | fa4eb13d1c1b12be6de6e59124ef891d5290dcea |
| SHA256 | caaad13d1192861afb891c07dd658b87550b01589612011ea96492e3e0e0516e |
| SHA512 | c2156c9f2c1ef1c0c4036ba3c410b28e8e831bbfac99ce1db1cf6efe989ca3bfa005489c3d1dbb6ec4d9e5b2cf4185699e37daa40aa2c9856eff12bd10c03c47 |
C:\Windows\System\JRPCTVe.exe
| MD5 | 300e7aa5b3dc5da22b6278a481de821a |
| SHA1 | 54a9fefbba0cbf790e1dab4b3c284cadf64caecf |
| SHA256 | 729c40a80d415e11e163e0f6cbacaf8103a6800d96187db037a076c5bed64c95 |
| SHA512 | 03ab6121a3bec916bbcda858a950a78e0e1dba2e889389f3e1d7ea4586cd050e5f994357775ff1276f17bc44d6046d48b5c5c5c95554c8e1b268c342c2dcd7b8 |
C:\Windows\System\LzGuhle.exe
| MD5 | edd7e95bd83a9792bdad1f0a504a2e9c |
| SHA1 | 6c29ba84d50bdfce298cfae87874b107a4c191a6 |
| SHA256 | bb8936d306955437c9955d35bea14d183e76cffe0ed0f0b0e7e59f076242923f |
| SHA512 | 33b33db8d841a098f63a2786b3b6b1c96abf8df492d5059782a350be570ee7e3774edcf7484e103ff7023f5281de19972a9be2251ae20f85047decccec0076bb |
memory/3868-66-0x00007FF61FC70000-0x00007FF61FFC4000-memory.dmp
C:\Windows\System\zIVTQvK.exe
| MD5 | 3930e87d2a327a51e228af54f2435bed |
| SHA1 | 64ff5b4cca483bb80fabac1cc4f583a2e3d5652c |
| SHA256 | d11f9a853db0947a1d0764c58d9128e9a5d27f21b1a98213e970773692098fb7 |
| SHA512 | 229ba4b8d42c94df0e78040c88df126281145974ecd3023dc444149f5024a8df888b9fd10a28cd25ca1770d7d2ae52b5b6670541b529e9d595602e9233fa935f |
memory/2200-62-0x00007FF7A8D60000-0x00007FF7A90B4000-memory.dmp
memory/2476-56-0x00007FF72DC30000-0x00007FF72DF84000-memory.dmp
memory/1112-46-0x00007FF77A8E0000-0x00007FF77AC34000-memory.dmp
C:\Windows\System\DJajXhq.exe
| MD5 | f18cfa34338edcd8d9e1b30d45a9b379 |
| SHA1 | 7e92c3934c00e6aeb5b55f2ae01316ba0a49c501 |
| SHA256 | eda458d230fa721149f3945d8b8e173aecb84ffd03d6bf99c4e9498d4c9b3516 |
| SHA512 | a39135cb460008658e9b9712cb8794748df99a37ba98fc6059336a513290c562e58b1da84e1d120e11e02019fe3c1a20ff6ab4327105944344d61302b37e740e |
memory/3468-41-0x00007FF7B45A0000-0x00007FF7B48F4000-memory.dmp
C:\Windows\System\MdWcfrp.exe
| MD5 | 9317eb88cd3e47d911ca86f056014caf |
| SHA1 | f69538e8e7f75b9af5f05d004c4445c37b52c387 |
| SHA256 | 90bc643246467f6fa0ca14341c68bf9a5da4cec84bdcdbb00e1f4439b11ac81a |
| SHA512 | 22cb6a82b3d50d7208ac3e5a644c3f47c750245777111926530d373f92240ce8e5742647b16bcf9be7aff7f43d319366561f895268db06f534397b908840f5f6 |
C:\Windows\System\vAawDOQ.exe
| MD5 | 1b588d81629f07d1a862ba5a014c4a55 |
| SHA1 | 4721d5365e1724043c5e48d3dfa672d20e75810d |
| SHA256 | 087b289dcb063c2420322e048fbb9a467a8f3aff3cfd76c23848ba2c3426a44c |
| SHA512 | 3e47c56f03cc1c00ea3205c6ffa312be325bccb0b1349c644e5ee1706a43c4ca591dd24e613361bd9970562f182c4b55a719e83f812edb596224eaf7b1b5b913 |
memory/4992-119-0x00007FF6F49F0000-0x00007FF6F4D44000-memory.dmp
memory/2896-121-0x00007FF6005D0000-0x00007FF600924000-memory.dmp
memory/3796-122-0x00007FF6E40F0000-0x00007FF6E4444000-memory.dmp
memory/1372-123-0x00007FF784AC0000-0x00007FF784E14000-memory.dmp
memory/5108-124-0x00007FF7AEE80000-0x00007FF7AF1D4000-memory.dmp
memory/1608-120-0x00007FF693EC0000-0x00007FF694214000-memory.dmp
memory/3660-126-0x00007FF64BE70000-0x00007FF64C1C4000-memory.dmp
memory/2980-127-0x00007FF716A40000-0x00007FF716D94000-memory.dmp
memory/4148-125-0x00007FF72EF10000-0x00007FF72F264000-memory.dmp
memory/2232-118-0x00007FF61FF50000-0x00007FF6202A4000-memory.dmp
memory/4556-128-0x00007FF797C00000-0x00007FF797F54000-memory.dmp
memory/2104-129-0x00007FF717750000-0x00007FF717AA4000-memory.dmp
memory/3592-130-0x00007FF794420000-0x00007FF794774000-memory.dmp
memory/1112-131-0x00007FF77A8E0000-0x00007FF77AC34000-memory.dmp
memory/920-132-0x00007FF7CC720000-0x00007FF7CCA74000-memory.dmp
memory/2476-133-0x00007FF72DC30000-0x00007FF72DF84000-memory.dmp
memory/2200-134-0x00007FF7A8D60000-0x00007FF7A90B4000-memory.dmp
memory/3868-135-0x00007FF61FC70000-0x00007FF61FFC4000-memory.dmp
memory/2104-136-0x00007FF717750000-0x00007FF717AA4000-memory.dmp
memory/3592-137-0x00007FF794420000-0x00007FF794774000-memory.dmp
memory/3932-138-0x00007FF6C7E60000-0x00007FF6C81B4000-memory.dmp
memory/1716-139-0x00007FF6FE6D0000-0x00007FF6FEA24000-memory.dmp
memory/1280-140-0x00007FF75D050000-0x00007FF75D3A4000-memory.dmp
memory/3468-141-0x00007FF7B45A0000-0x00007FF7B48F4000-memory.dmp
memory/1112-142-0x00007FF77A8E0000-0x00007FF77AC34000-memory.dmp
memory/920-143-0x00007FF7CC720000-0x00007FF7CCA74000-memory.dmp
memory/2476-144-0x00007FF72DC30000-0x00007FF72DF84000-memory.dmp
memory/2200-145-0x00007FF7A8D60000-0x00007FF7A90B4000-memory.dmp
memory/2232-146-0x00007FF61FF50000-0x00007FF6202A4000-memory.dmp
memory/2896-148-0x00007FF6005D0000-0x00007FF600924000-memory.dmp
memory/1608-147-0x00007FF693EC0000-0x00007FF694214000-memory.dmp
memory/4992-149-0x00007FF6F49F0000-0x00007FF6F4D44000-memory.dmp
memory/2980-150-0x00007FF716A40000-0x00007FF716D94000-memory.dmp
memory/5108-154-0x00007FF7AEE80000-0x00007FF7AF1D4000-memory.dmp
memory/3796-155-0x00007FF6E40F0000-0x00007FF6E4444000-memory.dmp
memory/1372-153-0x00007FF784AC0000-0x00007FF784E14000-memory.dmp
memory/4148-152-0x00007FF72EF10000-0x00007FF72F264000-memory.dmp
memory/3660-151-0x00007FF64BE70000-0x00007FF64C1C4000-memory.dmp
memory/3868-156-0x00007FF61FC70000-0x00007FF61FFC4000-memory.dmp