Analysis Overview
SHA256
2f4372d72cfa1becdfd9a66c22bcdede56633dd2de9dc2a0bbb625c0270f9f72
Threat Level: Known bad
The file 2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
XMRig Miner payload
Detects Reflective DLL injection artifacts
Cobaltstrike
Cobalt Strike reflective loader
Xmrig family
Cobaltstrike family
UPX dump on OEP (original entry point)
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-01 16:56
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 16:56
Reported
2024-06-01 16:58
Platform
win7-20240221-en
Max time kernel
137s
Max time network
147s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\pWaCjuc.exe | N/A |
| N/A | N/A | C:\Windows\System\BasXHHP.exe | N/A |
| N/A | N/A | C:\Windows\System\zxXsPLO.exe | N/A |
| N/A | N/A | C:\Windows\System\HFBErsU.exe | N/A |
| N/A | N/A | C:\Windows\System\sglOgJh.exe | N/A |
| N/A | N/A | C:\Windows\System\wsxEreu.exe | N/A |
| N/A | N/A | C:\Windows\System\FMLIPQd.exe | N/A |
| N/A | N/A | C:\Windows\System\zvngCiZ.exe | N/A |
| N/A | N/A | C:\Windows\System\Ayvcffu.exe | N/A |
| N/A | N/A | C:\Windows\System\cwexuUh.exe | N/A |
| N/A | N/A | C:\Windows\System\kXEiVWE.exe | N/A |
| N/A | N/A | C:\Windows\System\yQOakjf.exe | N/A |
| N/A | N/A | C:\Windows\System\OrIkreF.exe | N/A |
| N/A | N/A | C:\Windows\System\guMaJFa.exe | N/A |
| N/A | N/A | C:\Windows\System\iRdZYIo.exe | N/A |
| N/A | N/A | C:\Windows\System\oFQVtYi.exe | N/A |
| N/A | N/A | C:\Windows\System\aCdNqlV.exe | N/A |
| N/A | N/A | C:\Windows\System\DvuCSFw.exe | N/A |
| N/A | N/A | C:\Windows\System\pNPlEhB.exe | N/A |
| N/A | N/A | C:\Windows\System\DIBusxG.exe | N/A |
| N/A | N/A | C:\Windows\System\pqoqwEV.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\pWaCjuc.exe | C:\Windows\System\pWaCjuc.exe |
| C:\Windows\System\BasXHHP.exe | C:\Windows\System\BasXHHP.exe |
| C:\Windows\System\zxXsPLO.exe | C:\Windows\System\zxXsPLO.exe |
| C:\Windows\System\HFBErsU.exe | C:\Windows\System\HFBErsU.exe |
| C:\Windows\System\sglOgJh.exe | C:\Windows\System\sglOgJh.exe |
| C:\Windows\System\wsxEreu.exe | C:\Windows\System\wsxEreu.exe |
| C:\Windows\System\FMLIPQd.exe | C:\Windows\System\FMLIPQd.exe |
| C:\Windows\System\zvngCiZ.exe | C:\Windows\System\zvngCiZ.exe |
| C:\Windows\System\Ayvcffu.exe | C:\Windows\System\Ayvcffu.exe |
| C:\Windows\System\cwexuUh.exe | C:\Windows\System\cwexuUh.exe |
| C:\Windows\System\kXEiVWE.exe | C:\Windows\System\kXEiVWE.exe |
| C:\Windows\System\yQOakjf.exe | C:\Windows\System\yQOakjf.exe |
| C:\Windows\System\guMaJFa.exe | C:\Windows\System\guMaJFa.exe |
| C:\Windows\System\OrIkreF.exe | C:\Windows\System\OrIkreF.exe |
| C:\Windows\System\oFQVtYi.exe | C:\Windows\System\oFQVtYi.exe |
| C:\Windows\System\iRdZYIo.exe | C:\Windows\System\iRdZYIo.exe |
| C:\Windows\System\aCdNqlV.exe | C:\Windows\System\aCdNqlV.exe |
| C:\Windows\System\DvuCSFw.exe | C:\Windows\System\DvuCSFw.exe |
| C:\Windows\System\pNPlEhB.exe | C:\Windows\System\pNPlEhB.exe |
| C:\Windows\System\DIBusxG.exe | C:\Windows\System\DIBusxG.exe |
| C:\Windows\System\pqoqwEV.exe | C:\Windows\System\pqoqwEV.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\pWaCjuc.exe
| MD5 | 16714e42e4e8440ba80772599cce3079 |
| SHA1 | ab0a43d5efeb0e42506dcce5bd32b33e074f4f23 |
| SHA256 | 56e89b66b6a3fac76b49f6964f006d83fa00511937898da2b3b52903e29ab04a |
| SHA512 | ec70e90abe84395f92a8e3ffbdcac70372a840946533db507edefe745f70bdb7604cbf60ff4144421e8899f41022440496264773d6f7884bfc7bcb0817584a24 |
C:\Windows\system\BasXHHP.exe
| MD5 | 8648b9d4bff1e828d4d7cfc27fcfa507 |
| SHA1 | da77270345c130bad68a7a8105fdd95d864c0998 |
| SHA256 | 13571409ad3f69c363f468afa5d93d383118ce26ee59cb6a73f2615b58547543 |
| SHA512 | ac5fd2ee710d4a592d9c4a701cd851062a457b6cfeecde573f245fee4a9463b06497fce0a1927fae7fb5b4a8fd373c9603a5a87d0648c1d588a72b866a1c4d71 |
\Windows\system\zxXsPLO.exe
| MD5 | 5a94b9191cdf21c6f94f46ec9a0f9ea6 |
| SHA1 | 7c15a044355aa50edf7d28ee3197b9ad231278c2 |
| SHA256 | 32624bf4faefb2fd9c2ebaf75102a3baa893aa2650eeb7a7396ad0eb8c66ee1e |
| SHA512 | 8e44b09760162581df6fc86189862139d0b24ca8e7a5558112d36030843ba2c2b6dee9cc30af79876eaaec817a8c861021ace54b3b17365af861f7834c539bce |
C:\Windows\system\HFBErsU.exe
| MD5 | fc46dd1332b4d9ff60be3698de3e580c |
| SHA1 | 32e1459a73b6d8404a15ce209c5e37c6093505be |
| SHA256 | f28390b5f0c42ce16d04585c4f1ac46e22549d86ac694ffb404d226881b002b1 |
| SHA512 | 282294a1a310b22765b1fc7501d5f83a275b04db9a990ca956a843b09c7f874a67dde5e55c00787969a0306a7427da62303d670b3ee66c47b3682eeb100cac18 |
C:\Windows\system\sglOgJh.exe
| MD5 | ec01262052597357df7ee48a73cdaa88 |
| SHA1 | 5e09949a1cf218f0beed89e79281e0c65505f16c |
| SHA256 | 4ec280db15f03a71b20255319d5c7fa31b4c326362e4b232466c26e77fd4441c |
| SHA512 | d99edab375118bb9715512aea11b712ddeb5da832c28309ad1d8ae9a77bdce17b1572651012b2ced9cf97e0a84775ed641ec11e67ec0c517b6666b34cfeec49e |
C:\Windows\system\wsxEreu.exe
| MD5 | d957ebc36fb9169b2cadc2f126648c64 |
| SHA1 | efefac4ca18d62b41f72a9f1b418dd6f9ebea87e |
| SHA256 | 250d7aceec512acc016a3cac55fecc77fcee6458a41a3f0569e5fedddfe5f607 |
| SHA512 | e86101390f66cca63d74c696d62ffd538c2e36b35ed3ac4743f7c107ad572e793c278ad5c1457aa6c8732153b1ecb3ff8d0213842ea1a4ffd724913109092cf6 |
\Windows\system\FMLIPQd.exe
| MD5 | f171a3e828258900f73dabee38b5ebc6 |
| SHA1 | 096318fe6d6740fbec58003b4b7ed60e6c72c6f5 |
| SHA256 | 2bd65a238931c1a07302a70ab725af5d72a6d74a8b08fd3cf5a314eef1a7a2c0 |
| SHA512 | a8432c3d386fd4dd55a2ad6df6a7806019af5dbe3bde1d5c9acbf01fe601d134f7eac044ba54f161c18ccfc145c6e74698197ac7aa8be0ccd7c105c9f772ca15 |
\Windows\system\zvngCiZ.exe
| MD5 | 751b2165aacbcccc5638db94a2048e1d |
| SHA1 | ea944fc5f2646f8e5d70b2da2e693532d64a435c |
| SHA256 | f6d221b1f5dd05750f8b16f79b6f0690a194e2235505e341936e1016f2f61f9b |
| SHA512 | 5cf0a0316cbe7760998d251afd347d69a1133c323814ae3a5303ff4d8a36916893c06a081f1d6e6eaa3958e8bbae8ccc18f552bd5ec057e73b8860c33deeef05 |
C:\Windows\system\Ayvcffu.exe
| MD5 | f03f1102e4a880f7bd6325fd303f13b6 |
| SHA1 | ec226f33b69a998dc4baf08867720de32634854f |
| SHA256 | 93c397454552f214e65f876c6830b74816c52766297549c730d3dc775df59e65 |
| SHA512 | ee305da246322f9f1adb77e20151989569beafde34a261c69fbe18a4f4db127b2b0920ad55201c302c04eb9e467d690ba6a0b377e8754af7ec34deb8c99deb6c |
\Windows\system\cwexuUh.exe
| MD5 | 06c50c8b605b7a4b48714262b24ca63b |
| SHA1 | 9a99a9eedc5604b3035ce385e809f0abaab24ceb |
| SHA256 | 22dd8b43f8e597944b6d0b6d544e165b045e7b6553ad66bafde6b7c88d9d0da9 |
| SHA512 | cb91cc147567a7b082a0e270f555bbdff50d0d54d79ae030bf286b2edbb8465163aef5c08d7aa8e01ff12a1b6fec1448816c51c47fcdba4aeafb01863a5a433a |
C:\Windows\system\yQOakjf.exe
| MD5 | 036ed2e0f899d95db525b84ef4781a41 |
| SHA1 | 45522eed5d025783b085a321f99461c4b32a7821 |
| SHA256 | 3b28cd16b20ec63c9256b30594789036782f322b402cbb9a28a630792a30c703 |
| SHA512 | 013ba8eda846b38bbcc15a94703112fb6984e3ebb30a814ba97b2f18955e5dc59d5bc25bdb966d2004bad1bc00264d2ad73667c0662d358d7740cd2f46f912a4 |
C:\Windows\system\guMaJFa.exe
| MD5 | b0bc4d45216e98babefbb8d985f87458 |
| SHA1 | f1019775404c3ea4057668c20673e4c686396cc2 |
| SHA256 | eaf771fd77576a08c1ddb8261e1fe7daab9c28724f50c62a6f2995afc2c10ea4 |
| SHA512 | 75a087653a659e8c4f95ccffd1600184794e7dfa9548d3664d7e5e1cc0e65fc858141ab7b64c129f0c561261f9c966930e4abe951249513b81f8d6b6967fa663 |
\Windows\system\iRdZYIo.exe
| MD5 | 784f6fa904eab8bd13f40795bb98edec |
| SHA1 | 43a507f8f0020e61784799a9b81b9d1636678c4d |
| SHA256 | adacd12ca42085a1b1e5060b8c039a65e43fe9aeb2441ca80388cd6c03502d87 |
| SHA512 | ff7e54dcca6a8087bd5cf41e4736cbf0e86a389ef39bc9271d96c80d6f30dc988589226b1f47df43b08c2a00b345c3ed277f5dcde5541367dec41cfa8886c71f |
\Windows\system\oFQVtYi.exe
| MD5 | f7fab6af4a4bf9d0181e62ac6f3b1cd1 |
| SHA1 | 7b913f708ab403ec5faecf6bd84d17876952b9fd |
| SHA256 | 1491bad951265383abb7972950bec3823ad0b86d403b416e4ba6d3740a13e77d |
| SHA512 | ecceb22fe2d8397f9323f97be825003b1eb17da0a72637c2389d05207da3a3a52480978c21d97f2b57fe9770c3e1beda7fda7e6cf11efa6c3d751095e0a1e81d |
C:\Windows\system\DvuCSFw.exe
| MD5 | 74f0959f6ba21cd0ec869e59962e5a76 |
| SHA1 | a672b45840de80d8907197cd6270684aa44e4ef7 |
| SHA256 | 0d92587612dbc9f25e0379c8f971d3b40a8b3bff960e344fa96cd28a58ee3059 |
| SHA512 | 7698030fa5eec1feed141b6cdb0997330e91b0ed323fa3d0d5b6cff7be62c4ff32e4ea6555772fc3880d33577fbebdaf284f771b9fa314d7ca37732f79e21753 |
\Windows\system\pqoqwEV.exe
| MD5 | 0068275152acf3d65e8f94121d26a32c |
| SHA1 | 23f3c7d8f6b53fa2e6318a933c3749909182b786 |
| SHA256 | 78adb2a11a396778ea14caa239037c6752cc5a46272d5aad5b143d2f70a377eb |
| SHA512 | 17352692fd51803a9901da38314089e5feb098c6f3d90ffb73260e9233566224d625ba32ad9fe00456036d71a120f7bf8333d8d02aba81f5fb78e3b3a53f87ec |
C:\Windows\system\DIBusxG.exe
| MD5 | e72b17212b262316491821e7d35d128a |
| SHA1 | 9232213afc780a1fd3d83f89286a0b7d6be31117 |
| SHA256 | b0f8d31ef6c0d8a3e979b0e290d5bc64d2280cde3a9a9c0ca9007c5f1154cb61 |
| SHA512 | a088125315823cd7f127bc7951cca555717bcb2c31403090f76493f3e52cf4c14e0608dff3be4cf1bd8ea8571d3e3bb6b6876ac32de37ba920759b5867d2af37 |
C:\Windows\system\pNPlEhB.exe
| MD5 | df116aa6ba8ef62e6ab5c1ef80ecc6b4 |
| SHA1 | f55dcb5048e302776e9e2955122592a539d27810 |
| SHA256 | 388eadbd9beb30957a27a74cfa8f8cb43f9e8ad885ca8c22335d87bd5f8f0f21 |
| SHA512 | 3c144c7ac6b676c7813a94ad2b84a8bd1907bd8b85a068e78b0d7f7e3ac7dd7a41b9a239feca6233e31f5b2b4a919be97fb543675f090de5dcb0793f85da7362 |
C:\Windows\system\aCdNqlV.exe
| MD5 | 25cb439087e9dfff05c515906dce47fd |
| SHA1 | ebc021161816972fc897a570831fa01018b6b708 |
| SHA256 | f4742452c87e90e041ced7782f4ea52e7b154f5448910a03b262f3e4041874de |
| SHA512 | bfdea8332fcc15f99f01505a2d3c8c017dbe4a021288a141c72254087ff65241c576ff33b56c31de99501a53874447b4e62b635a95508aa6dff54dff2b6dd7e3 |
C:\Windows\system\OrIkreF.exe
| MD5 | 3851b1084242624df5a2559b36dc6358 |
| SHA1 | 3e95c856faac6afc572663b8692e0c3d76eac932 |
| SHA256 | d156d8d478195ec95ae9e17545145339813357007654aab7c2f0f709d9c2aa96 |
| SHA512 | 23419d7f3f2cbbc8b11cdc7bdb25adffd9542d9b5b7c1be710e1155952509c0ee08458d9ff0b29b20a81e1886db6671d61ec58be3c73e5db6b5c63d3aadbcb91 |
C:\Windows\system\kXEiVWE.exe
| MD5 | e07957adbc3b5fd17e963b9730076c6f |
| SHA1 | 4776b54461626725056b91bac45b380262b5caec |
| SHA256 | 24239e2f076f128aa94fe763b6f368b0554cac733716a34c2cfe01230d3d7c3b |
| SHA512 | fd831defe8e229f4749da9738a2c0426dd9a2dc0ae10f255309a207f9322b34113492edde5c984f901060d703b1cfba807c5ca4d41b2837c7a768355711b5cc8 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 16:56
Reported
2024-06-01 16:58
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
149s
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\pWaCjuc.exe | N/A |
| N/A | N/A | C:\Windows\System\BasXHHP.exe | N/A |
| N/A | N/A | C:\Windows\System\zxXsPLO.exe | N/A |
| N/A | N/A | C:\Windows\System\HFBErsU.exe | N/A |
| N/A | N/A | C:\Windows\System\sglOgJh.exe | N/A |
| N/A | N/A | C:\Windows\System\wsxEreu.exe | N/A |
| N/A | N/A | C:\Windows\System\FMLIPQd.exe | N/A |
| N/A | N/A | C:\Windows\System\zvngCiZ.exe | N/A |
| N/A | N/A | C:\Windows\System\Ayvcffu.exe | N/A |
| N/A | N/A | C:\Windows\System\cwexuUh.exe | N/A |
| N/A | N/A | C:\Windows\System\kXEiVWE.exe | N/A |
| N/A | N/A | C:\Windows\System\yQOakjf.exe | N/A |
| N/A | N/A | C:\Windows\System\guMaJFa.exe | N/A |
| N/A | N/A | C:\Windows\System\OrIkreF.exe | N/A |
| N/A | N/A | C:\Windows\System\oFQVtYi.exe | N/A |
| N/A | N/A | C:\Windows\System\iRdZYIo.exe | N/A |
| N/A | N/A | C:\Windows\System\aCdNqlV.exe | N/A |
| N/A | N/A | C:\Windows\System\DvuCSFw.exe | N/A |
| N/A | N/A | C:\Windows\System\pNPlEhB.exe | N/A |
| N/A | N/A | C:\Windows\System\DIBusxG.exe | N/A |
| N/A | N/A | C:\Windows\System\pqoqwEV.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_6b463bdf06017baad0f2fff679d279b9_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\pWaCjuc.exe | C:\Windows\System\pWaCjuc.exe |
| C:\Windows\System\BasXHHP.exe | C:\Windows\System\BasXHHP.exe |
| C:\Windows\System\zxXsPLO.exe | C:\Windows\System\zxXsPLO.exe |
| C:\Windows\System\HFBErsU.exe | C:\Windows\System\HFBErsU.exe |
| C:\Windows\System\sglOgJh.exe | C:\Windows\System\sglOgJh.exe |
| C:\Windows\System\wsxEreu.exe | C:\Windows\System\wsxEreu.exe |
| C:\Windows\System\FMLIPQd.exe | C:\Windows\System\FMLIPQd.exe |
| C:\Windows\System\zvngCiZ.exe | C:\Windows\System\zvngCiZ.exe |
| C:\Windows\System\Ayvcffu.exe | C:\Windows\System\Ayvcffu.exe |
| C:\Windows\System\cwexuUh.exe | C:\Windows\System\cwexuUh.exe |
| C:\Windows\System\kXEiVWE.exe | C:\Windows\System\kXEiVWE.exe |
| C:\Windows\System\yQOakjf.exe | C:\Windows\System\yQOakjf.exe |
| C:\Windows\System\guMaJFa.exe | C:\Windows\System\guMaJFa.exe |
| C:\Windows\System\OrIkreF.exe | C:\Windows\System\OrIkreF.exe |
| C:\Windows\System\oFQVtYi.exe | C:\Windows\System\oFQVtYi.exe |
| C:\Windows\System\iRdZYIo.exe | C:\Windows\System\iRdZYIo.exe |
| C:\Windows\System\aCdNqlV.exe | C:\Windows\System\aCdNqlV.exe |
| C:\Windows\System\DvuCSFw.exe | C:\Windows\System\DvuCSFw.exe |
| C:\Windows\System\pNPlEhB.exe | C:\Windows\System\pNPlEhB.exe |
| C:\Windows\System\DIBusxG.exe | C:\Windows\System\DIBusxG.exe |
| C:\Windows\System\pqoqwEV.exe | C:\Windows\System\pqoqwEV.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files