Analysis Overview
SHA256
434934aa10f7e60b341728a5afbc4e87c7ab49225c98be02e5fb5966fa1f8c77
Threat Level: Known bad
The file 2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Cobaltstrike
UPX dump on OEP (original entry point)
xmrig
Cobaltstrike family
Xmrig family
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-01 15:34
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 15:34
Reported
2024-06-01 15:37
Platform
win7-20240221-en
Max time kernel
141s
Max time network
145s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\mScQBTO.exe | N/A |
| N/A | N/A | C:\Windows\System\BJOGPVI.exe | N/A |
| N/A | N/A | C:\Windows\System\nObuiaz.exe | N/A |
| N/A | N/A | C:\Windows\System\QkVvcvz.exe | N/A |
| N/A | N/A | C:\Windows\System\GTUhRmm.exe | N/A |
| N/A | N/A | C:\Windows\System\qHVOVvj.exe | N/A |
| N/A | N/A | C:\Windows\System\BBHhSKL.exe | N/A |
| N/A | N/A | C:\Windows\System\BspqvTK.exe | N/A |
| N/A | N/A | C:\Windows\System\QpHoIUG.exe | N/A |
| N/A | N/A | C:\Windows\System\ogIXFjx.exe | N/A |
| N/A | N/A | C:\Windows\System\RGXlPyy.exe | N/A |
| N/A | N/A | C:\Windows\System\BUGYXYr.exe | N/A |
| N/A | N/A | C:\Windows\System\rFYWHuV.exe | N/A |
| N/A | N/A | C:\Windows\System\AbUvely.exe | N/A |
| N/A | N/A | C:\Windows\System\uVHpphp.exe | N/A |
| N/A | N/A | C:\Windows\System\vaHkYqO.exe | N/A |
| N/A | N/A | C:\Windows\System\oMWvlTO.exe | N/A |
| N/A | N/A | C:\Windows\System\XFdHwyj.exe | N/A |
| N/A | N/A | C:\Windows\System\gADwCui.exe | N/A |
| N/A | N/A | C:\Windows\System\CEBuFWv.exe | N/A |
| N/A | N/A | C:\Windows\System\pJAnuop.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\mScQBTO.exe | C:\Windows\System\mScQBTO.exe |
| C:\Windows\System\BJOGPVI.exe | C:\Windows\System\BJOGPVI.exe |
| C:\Windows\System\nObuiaz.exe | C:\Windows\System\nObuiaz.exe |
| C:\Windows\System\QkVvcvz.exe | C:\Windows\System\QkVvcvz.exe |
| C:\Windows\System\GTUhRmm.exe | C:\Windows\System\GTUhRmm.exe |
| C:\Windows\System\qHVOVvj.exe | C:\Windows\System\qHVOVvj.exe |
| C:\Windows\System\BBHhSKL.exe | C:\Windows\System\BBHhSKL.exe |
| C:\Windows\System\BspqvTK.exe | C:\Windows\System\BspqvTK.exe |
| C:\Windows\System\QpHoIUG.exe | C:\Windows\System\QpHoIUG.exe |
| C:\Windows\System\ogIXFjx.exe | C:\Windows\System\ogIXFjx.exe |
| C:\Windows\System\RGXlPyy.exe | C:\Windows\System\RGXlPyy.exe |
| C:\Windows\System\BUGYXYr.exe | C:\Windows\System\BUGYXYr.exe |
| C:\Windows\System\rFYWHuV.exe | C:\Windows\System\rFYWHuV.exe |
| C:\Windows\System\uVHpphp.exe | C:\Windows\System\uVHpphp.exe |
| C:\Windows\System\AbUvely.exe | C:\Windows\System\AbUvely.exe |
| C:\Windows\System\XFdHwyj.exe | C:\Windows\System\XFdHwyj.exe |
| C:\Windows\System\vaHkYqO.exe | C:\Windows\System\vaHkYqO.exe |
| C:\Windows\System\CEBuFWv.exe | C:\Windows\System\CEBuFWv.exe |
| C:\Windows\System\oMWvlTO.exe | C:\Windows\System\oMWvlTO.exe |
| C:\Windows\System\pJAnuop.exe | C:\Windows\System\pJAnuop.exe |
| C:\Windows\System\gADwCui.exe | C:\Windows\System\gADwCui.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
The connection to 3.120.209.58:8080 was recorded six times during this run.
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 15:34
Reported
2024-06-01 15:37
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\jiAcqsV.exe | N/A |
| N/A | N/A | C:\Windows\System\gaUGNuT.exe | N/A |
| N/A | N/A | C:\Windows\System\MWsPRHw.exe | N/A |
| N/A | N/A | C:\Windows\System\qkskHTO.exe | N/A |
| N/A | N/A | C:\Windows\System\qkXuwMs.exe | N/A |
| N/A | N/A | C:\Windows\System\fyqaHOX.exe | N/A |
| N/A | N/A | C:\Windows\System\sQKwaUC.exe | N/A |
| N/A | N/A | C:\Windows\System\jlwvyRh.exe | N/A |
| N/A | N/A | C:\Windows\System\OFPYUCM.exe | N/A |
| N/A | N/A | C:\Windows\System\cFrGEfU.exe | N/A |
| N/A | N/A | C:\Windows\System\vurNcLD.exe | N/A |
| N/A | N/A | C:\Windows\System\BCLhryI.exe | N/A |
| N/A | N/A | C:\Windows\System\lxHKnoj.exe | N/A |
| N/A | N/A | C:\Windows\System\RQBLbKT.exe | N/A |
| N/A | N/A | C:\Windows\System\BDsxbXW.exe | N/A |
| N/A | N/A | C:\Windows\System\GZpDgOg.exe | N/A |
| N/A | N/A | C:\Windows\System\eZBBvVj.exe | N/A |
| N/A | N/A | C:\Windows\System\FIeuxyh.exe | N/A |
| N/A | N/A | C:\Windows\System\vmWjnAp.exe | N/A |
| N/A | N/A | C:\Windows\System\aYSJysk.exe | N/A |
| N/A | N/A | C:\Windows\System\cHvZDjR.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_4b5aba2a666d1101bbfc892eb4435f2c_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\jiAcqsV.exe | C:\Windows\System\jiAcqsV.exe |
| C:\Windows\System\gaUGNuT.exe | C:\Windows\System\gaUGNuT.exe |
| C:\Windows\System\MWsPRHw.exe | C:\Windows\System\MWsPRHw.exe |
| C:\Windows\System\qkskHTO.exe | C:\Windows\System\qkskHTO.exe |
| C:\Windows\System\qkXuwMs.exe | C:\Windows\System\qkXuwMs.exe |
| C:\Windows\System\fyqaHOX.exe | C:\Windows\System\fyqaHOX.exe |
| C:\Windows\System\sQKwaUC.exe | C:\Windows\System\sQKwaUC.exe |
| C:\Windows\System\jlwvyRh.exe | C:\Windows\System\jlwvyRh.exe |
| C:\Windows\System\OFPYUCM.exe | C:\Windows\System\OFPYUCM.exe |
| C:\Windows\System\cFrGEfU.exe | C:\Windows\System\cFrGEfU.exe |
| C:\Windows\System\vurNcLD.exe | C:\Windows\System\vurNcLD.exe |
| C:\Windows\System\BCLhryI.exe | C:\Windows\System\BCLhryI.exe |
| C:\Windows\System\lxHKnoj.exe | C:\Windows\System\lxHKnoj.exe |
| C:\Windows\System\RQBLbKT.exe | C:\Windows\System\RQBLbKT.exe |
| C:\Windows\System\BDsxbXW.exe | C:\Windows\System\BDsxbXW.exe |
| C:\Windows\System\GZpDgOg.exe | C:\Windows\System\GZpDgOg.exe |
| C:\Windows\System\eZBBvVj.exe | C:\Windows\System\eZBBvVj.exe |
| C:\Windows\System\FIeuxyh.exe | C:\Windows\System\FIeuxyh.exe |
| C:\Windows\System\vmWjnAp.exe | C:\Windows\System\vmWjnAp.exe |
| C:\Windows\System\aYSJysk.exe | C:\Windows\System\aYSJysk.exe |
| C:\Windows\System\cHvZDjR.exe | C:\Windows\System\cHvZDjR.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 33.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
The connection to 3.120.209.58:8080 was recorded six times and the TCP connection to tse1.mm.bing.net four times during this run.
Files
memory/5080-0-0x00007FF6560D0000-0x00007FF656424000-memory.dmp
memory/5080-1-0x00000265227C0000-0x00000265227D0000-memory.dmp
C:\Windows\System\jiAcqsV.exe
| MD5 | a9b669a4c0307ec40164a4cd60ec4d46 |
| SHA1 | 26978867e95c5ca4b5b6e41f386f2920586559a6 |
| SHA256 | 508f5822c94a3fb43aa6cc5deb53abbf91223d4b13c734840d72d98ba2289089 |
| SHA512 | 90411f1703d815b165fbbcb9b67a5fdc26a304d45e55956ea619a49664059a89f6ed29749762abd09a93ffdf63d37c600bb4588c891e0386db30093154a85b33 |
memory/4536-8-0x00007FF722930000-0x00007FF722C84000-memory.dmp
C:\Windows\System\MWsPRHw.exe
| MD5 | 84fef257f4511d9cc2bb7b88a15aced2 |
| SHA1 | 8731f9dd664e6dbe1328c50dfc5ab221a60f1d24 |
| SHA256 | 9583240fd17358299967e6225f3b9b42bea2be4a50dcd7987621bbad5d59d38f |
| SHA512 | 2e48b5fbb71e6a6a777ea1137359d204241f7a18eba0e960e3d0dfbd4c6c981568e074e752c2ea450708b0f5f234ac77ea5d0a05f435c4f4bebe682da3ad6cb2 |
C:\Windows\System\gaUGNuT.exe
| MD5 | d81cd64591b936ca25e6483da07bdb36 |
| SHA1 | 1910c49e1803b99f620c3d6cf0fdf839e25d9a49 |
| SHA256 | 74d15b31b0c668086bb8a51393f8fb75f5d2c99c5b0822b6d2591a172935293e |
| SHA512 | cea767df6c0a9f252e1d426f071cf1cc99d4c6531b2789da8a44bccd03fd70087d1b679f9bae5f1e550c73bc2869c996bd5b7f54746e0a301ad8e5498f7e65d4 |
memory/2772-14-0x00007FF77E4A0000-0x00007FF77E7F4000-memory.dmp
memory/3148-20-0x00007FF6D03C0000-0x00007FF6D0714000-memory.dmp
C:\Windows\System\qkskHTO.exe
| MD5 | 73262aec8f5dc200233471fc449a25d0 |
| SHA1 | 1c139dde957b7c751e10717616c1eb965c11efea |
| SHA256 | 4ee6c4a0b9ae91e4a0b37b17cae2a9d003f4d6a20d07bce1fee67626affb0720 |
| SHA512 | f603e4e50261e20bf45065833935fffc92ef9374d77bf5a744e1ead0cbfd98a43633d74a03990672923037b6239d6f2e4364ef2fc6207ffc1aac520b714180f8 |
C:\Windows\System\qkXuwMs.exe
| MD5 | d153dbc749e60cc9fb5a0031d98a34c4 |
| SHA1 | 66035ab2eefa1d6ac7c007d3cce0409956d2a89e |
| SHA256 | 96a7ff26c14ccbe80a0da203f364e4711e0626a0aebca997d69f05f15bc5758a |
| SHA512 | 2afc3364af0368bc4911c68b8d62372b35ef71daf3390d80884304a6257bbda6883ddd6c7c98592137e1401a024b9328516fb9b9fb175d9419cb70f48e14b23e |
memory/4560-27-0x00007FF6D53A0000-0x00007FF6D56F4000-memory.dmp
memory/4868-32-0x00007FF699550000-0x00007FF6998A4000-memory.dmp
C:\Windows\System\fyqaHOX.exe
| MD5 | bc49593d84c3b11d88e8c06bd3ca4bfa |
| SHA1 | b5a5ebd8d036102d5a6d08b3daa116e70b30e3c7 |
| SHA256 | 0e11ef4308e523ae2c78bb4fc15f020c9b245f031319134e4111c6988623d8f7 |
| SHA512 | c456bb3ad7029184d6c73df76b10e651fc7d100c3843fb739d34d71871dba87b2f5871b60812425b57f6d4bc2e1636c1989373018a2c429c8f8fbe5103e5f795 |
memory/1912-38-0x00007FF73E490000-0x00007FF73E7E4000-memory.dmp
C:\Windows\System\sQKwaUC.exe
| MD5 | 99a76330f8e675f3ebb537dd766b89e2 |
| SHA1 | 47a5fe210d19afe806b2152f67770a0278bd5215 |
| SHA256 | df0a3f4ac844723686b1581a42d034fddfcd3567817c02b554081ee69d5efd25 |
| SHA512 | 3b2b249e6befaf80ef3c951e4157b4039a1664ad322a898e874405843108a333d18fd3aa71bec953e1c8616cc32ca059dadb635d380cf6dc3ddb0aee63a43643 |
C:\Windows\System\jlwvyRh.exe
| MD5 | 71601f91c0c514a502f72c1a38b7ab03 |
| SHA1 | 7e34c2c1744347c30afbdac89d77e79ba93baef2 |
| SHA256 | 12febf2d1593fdf0b0e55ac00d937ec837444d91855aac3bc442e2fb5e9f8a93 |
| SHA512 | a5a4269e328c4cb066a47634887f3400aa75afc987eaa1d09e6947334f3cc8a89189b7dc03f93e515314624ef9e510c1771be95595b5fe590467789e082f2fcf |
C:\Windows\System\OFPYUCM.exe
| MD5 | 656f2bdc52e3322cf487ce4d1c2eda54 |
| SHA1 | 6d67803abe5f1e08cf9376f3987560824b33a215 |
| SHA256 | 2759313c8c96a0f521f41c47e610f467ce5467821d1c74d1f5b1baef75f24924 |
| SHA512 | 080edd161584cf3aa0ec5d59ffa6250ec3179fa155e1699570247cc64f60aa4544d759ad1281d10bbeb36c3c882fe82e2f01499f15752e73f7deab34b0d7be17 |
C:\Windows\System\cFrGEfU.exe
| MD5 | 389b212e17b57c4097fab11ad3b7b114 |
| SHA1 | f4aa2107faf003786159b12244ddf45e6f0517c8 |
| SHA256 | 0fdc1edd4e31d5081febfea5bef26f3cbd03f4d2420bbf1286b5f32c1866121e |
| SHA512 | 3a3bc6917054f325078251a1e3c9729319aba4094547f79c19a226f93ea705ba68514f27680126073b27e32e312d745c53a2b6c8685b650d17f8d17974a682ca |
C:\Windows\System\BCLhryI.exe
| MD5 | ba4eab81a04237f4a06967581367ed20 |
| SHA1 | f906bb717c3c43855ca52e066e5793df99098e9c |
| SHA256 | 6e501abc97c88517560bf43f7b672df7af608ec4a2c3ceabc24d45659c9e2325 |
| SHA512 | ebdca2f16713d1b541e980ea9eb0264fe7bef86b616888347127f313901687d7c18602f8b4d9945a497440485e4c7409a40b70953a3b0442b9130e85dc1896bc |
memory/2772-70-0x00007FF77E4A0000-0x00007FF77E7F4000-memory.dmp
C:\Windows\System\lxHKnoj.exe
| MD5 | eaa99260767cc8e069f1b2c810d7aa02 |
| SHA1 | b06e53a47403664f4bfbdbdac0ee0b967f4a8c91 |
| SHA256 | 93e150d700a797a711aeff750dd81de2779713148a9c11ed09578f63f8f0f8d1 |
| SHA512 | 7b50dd7ce30fbee56f4fc2007ad3959b8b6543ce547f6771ac4bd05a4877f7ba1146e413a9b0c831cd6bb4cd09f247c9891672ba4bce9a8177a3f71aa531a50e |
C:\Windows\System\vurNcLD.exe
| MD5 | b1d0a10de3e0064ca01d54ee413a7f96 |
| SHA1 | 9a686d8605f5fa4604391aaf3b8e5d0bde6df395 |
| SHA256 | 927d64e4da27fb3155990b5205416c69b1304b2dfbe977f610ad0019d690bffa |
| SHA512 | d9a026b26b5b7136b4c6bd9fd8bc338d6b92237c9218bc2c4e7afa556c132ebd55abeb6f31be43b518c923250f7868fb490cb4a50b0a877c4db29c1d4551b283 |
memory/3148-82-0x00007FF6D03C0000-0x00007FF6D0714000-memory.dmp
memory/4640-83-0x00007FF76ACF0000-0x00007FF76B044000-memory.dmp
memory/4472-73-0x00007FF6D0DC0000-0x00007FF6D1114000-memory.dmp
memory/916-65-0x00007FF68C100000-0x00007FF68C454000-memory.dmp
memory/1988-64-0x00007FF7F0D10000-0x00007FF7F1064000-memory.dmp
memory/5080-62-0x00007FF6560D0000-0x00007FF656424000-memory.dmp
memory/4208-56-0x00007FF7FBDE0000-0x00007FF7FC134000-memory.dmp
memory/4516-50-0x00007FF6CD880000-0x00007FF6CDBD4000-memory.dmp
memory/3168-44-0x00007FF726C90000-0x00007FF726FE4000-memory.dmp
memory/1860-87-0x00007FF788FC0000-0x00007FF789314000-memory.dmp
C:\Windows\System\RQBLbKT.exe
| MD5 | 5a877d4898b874e76920ec9b558c4f1f |
| SHA1 | ad0a36128ff0c8e907e0d7099751d05161c86a9a |
| SHA256 | 7e3b3048c970a30dad412ca99c0fb3bd7e932a7d16ca199bc875a319c6b658ff |
| SHA512 | fdeb880ee84b295469ed5061c4da9090eaf2e06cab1c49024ee1fef99fd2ca53680781d65d737d5d000cdc83d02f49a4e40aca17f55be2f0be87f2ce74638223 |
C:\Windows\System\BDsxbXW.exe
| MD5 | b7fc4e223828e0da4a3043384c0ccd4e |
| SHA1 | cbefde1f6b70f01a3bc169820f048fa33e96460e |
| SHA256 | 27139fac178e71715ed4ad7b8bc5a36023a3e1dc7aef2ed27184e92503214750 |
| SHA512 | a62246a662f34654df9e6fdbbd71508b5b2d66121aca527288debb99979e82c33bc3cfaa3a9de990237da568237e99cde35878f8f222dc24b721927e8546a12c |
C:\Windows\System\GZpDgOg.exe
| MD5 | aefd5d031ae7d74ced7ac1468d271bbb |
| SHA1 | ca699895dd5b458cd5e0e5cfe17b7ac0ef9dc926 |
| SHA256 | b005b79cfa46b8d02bf2e6928afaef32b79ee8357dfd064546d4d4e3d6be0516 |
| SHA512 | 0083d1c65896ac5f38537065252b683b695cb9c8992f034539d88794dcd6e4466eb262d924379e8319450d4d06bbc751d7b1320dd5f493d73e34fd935e29cdea |
memory/4548-101-0x00007FF611CB0000-0x00007FF612004000-memory.dmp
C:\Windows\System\eZBBvVj.exe
| MD5 | 748fd6e5c4cfdd8c1fb51d72df5a161a |
| SHA1 | 82cd9d8d8957a2e9c98b8b99d7407dee9b6f3585 |
| SHA256 | a30d6599b03d625c936cb5f1451b7477765aa983ac20a9c6d851aeaf7ca3d43c |
| SHA512 | 5553401b019d259ef701e3211023e59754356556fb3cb942f575552b355326d5c3b15e8520c18171b73cdf6fd5461b89502da6d1d6112aaf1747159a1e43caf5 |
memory/1596-95-0x00007FF616070000-0x00007FF6163C4000-memory.dmp
memory/4192-107-0x00007FF714CE0000-0x00007FF715034000-memory.dmp
C:\Windows\System\FIeuxyh.exe
| MD5 | 04004bb73ccdec31c79e8809b56945c1 |
| SHA1 | f0c32a8969ccd6bb6a5bf983826cc03b371f2c4b |
| SHA256 | 87ae0989d693976cb7d30303dc6b52b691fa22beee64d18ba192b5c62ce26de3 |
| SHA512 | 3a24717aa24c2ccbf2770e77dd3a75a0eb2950485cee8e271d6c1a495875c7c93157243f595073c33cc680604ccd8d9a1ef3bccf4d7394b137d446b79be6ebd9 |
memory/616-117-0x00007FF7E1DD0000-0x00007FF7E2124000-memory.dmp
C:\Windows\System\vmWjnAp.exe
| MD5 | 885ef28a17e8ec5f025ab8f42313663e |
| SHA1 | 8b91d28e419d8f42e0f29d12d5ede4ee41b9fec1 |
| SHA256 | 1f4f1af7103b907e6c36325e65c60c399b8651fcfe1adadbe15a04fe6d60099e |
| SHA512 | 20a788ec0ade1e56447b4c25e61a238aefa614fcc4ae90c02587d6ab7f147001a7a27ae05ec4d819f0e6697910e5ba8991be8b71fbcbe547386d1e86593d2256 |
memory/3584-126-0x00007FF7DC320000-0x00007FF7DC674000-memory.dmp
C:\Windows\System\aYSJysk.exe
| MD5 | c82817e361cb2c86f24e8f419fa2f304 |
| SHA1 | 04737f3a6e4f4df4e8832e74bada51d54bf7dd41 |
| SHA256 | d269fc299624aa30ca31c8180ae0ac05c2e3833cd6a3b9d179b2e626500e9b7a |
| SHA512 | d0fef634d045829fcb40430de6eb4ac23d4b9446f2712fd471286b07393b29efdb990002206e26548d577587df49248a1307ac5cd69b91bc721c02103e5f6173 |
C:\Windows\System\cHvZDjR.exe
| MD5 | c64dab19d9ad30b3fd4c13d2e0b84784 |
| SHA1 | dedee006f5bd32bb86078981b677c0f56503f6ee |
| SHA256 | d0f82fb3a75d5cbb3ae6e452f74ac53e34389fe37280fa5664da1147acfd436c |
| SHA512 | 986d13edd0305035e7390deb9f165903c4e23e03897e5cbb0566dd4bba8b1ea4b128f311a61feb5fd3939ed7abe30a955b92d910c2593baea73164feaec19daa |
memory/1988-124-0x00007FF7F0D10000-0x00007FF7F1064000-memory.dmp
memory/4208-122-0x00007FF7FBDE0000-0x00007FF7FC134000-memory.dmp
memory/1656-131-0x00007FF6DF9C0000-0x00007FF6DFD14000-memory.dmp
memory/1464-132-0x00007FF75BF80000-0x00007FF75C2D4000-memory.dmp
memory/916-133-0x00007FF68C100000-0x00007FF68C454000-memory.dmp
memory/4472-134-0x00007FF6D0DC0000-0x00007FF6D1114000-memory.dmp
memory/1860-135-0x00007FF788FC0000-0x00007FF789314000-memory.dmp
memory/1656-136-0x00007FF6DF9C0000-0x00007FF6DFD14000-memory.dmp
memory/4536-137-0x00007FF722930000-0x00007FF722C84000-memory.dmp
memory/2772-138-0x00007FF77E4A0000-0x00007FF77E7F4000-memory.dmp
memory/3148-139-0x00007FF6D03C0000-0x00007FF6D0714000-memory.dmp
memory/4560-140-0x00007FF6D53A0000-0x00007FF6D56F4000-memory.dmp
memory/4868-141-0x00007FF699550000-0x00007FF6998A4000-memory.dmp
memory/1912-142-0x00007FF73E490000-0x00007FF73E7E4000-memory.dmp
memory/3168-143-0x00007FF726C90000-0x00007FF726FE4000-memory.dmp
memory/4516-144-0x00007FF6CD880000-0x00007FF6CDBD4000-memory.dmp
memory/4208-145-0x00007FF7FBDE0000-0x00007FF7FC134000-memory.dmp
memory/1988-146-0x00007FF7F0D10000-0x00007FF7F1064000-memory.dmp
memory/916-148-0x00007FF68C100000-0x00007FF68C454000-memory.dmp
memory/4640-149-0x00007FF76ACF0000-0x00007FF76B044000-memory.dmp
memory/4472-147-0x00007FF6D0DC0000-0x00007FF6D1114000-memory.dmp
memory/1596-150-0x00007FF616070000-0x00007FF6163C4000-memory.dmp
memory/1860-151-0x00007FF788FC0000-0x00007FF789314000-memory.dmp
memory/4548-152-0x00007FF611CB0000-0x00007FF612004000-memory.dmp
memory/4192-153-0x00007FF714CE0000-0x00007FF715034000-memory.dmp
memory/616-154-0x00007FF7E1DD0000-0x00007FF7E2124000-memory.dmp
memory/3584-155-0x00007FF7DC320000-0x00007FF7DC674000-memory.dmp
memory/1656-156-0x00007FF6DF9C0000-0x00007FF6DFD14000-memory.dmp
memory/1464-157-0x00007FF75BF80000-0x00007FF75C2D4000-memory.dmp