Analysis Overview
SHA256
de20716705db13864f1e21e4a396d74c1f4428079b21242ee6974105571818dc
Threat Level: Known bad
The file 2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobaltstrike
xmrig
Cobalt Strike reflective loader
Cobaltstrike family
XMRig Miner payload
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-06 23:34
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 23:32
Reported
2024-06-06 23:38
Platform
win7-20240508-en
Max time kernel
133s
Max time network
142s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\jdnHLBQ.exe | N/A |
| N/A | N/A | C:\Windows\System\zLbOkMZ.exe | N/A |
| N/A | N/A | C:\Windows\System\otDKcUl.exe | N/A |
| N/A | N/A | C:\Windows\System\FxzYHdM.exe | N/A |
| N/A | N/A | C:\Windows\System\ApmiJWE.exe | N/A |
| N/A | N/A | C:\Windows\System\TIjJvUa.exe | N/A |
| N/A | N/A | C:\Windows\System\RnMVTTn.exe | N/A |
| N/A | N/A | C:\Windows\System\axeFXdR.exe | N/A |
| N/A | N/A | C:\Windows\System\AtpunYQ.exe | N/A |
| N/A | N/A | C:\Windows\System\HuesdXT.exe | N/A |
| N/A | N/A | C:\Windows\System\AvoUJqk.exe | N/A |
| N/A | N/A | C:\Windows\System\Diejsbs.exe | N/A |
| N/A | N/A | C:\Windows\System\eGOqVUF.exe | N/A |
| N/A | N/A | C:\Windows\System\vSGewvQ.exe | N/A |
| N/A | N/A | C:\Windows\System\wmVzTCP.exe | N/A |
| N/A | N/A | C:\Windows\System\SoRKhLi.exe | N/A |
| N/A | N/A | C:\Windows\System\zXlHyXU.exe | N/A |
| N/A | N/A | C:\Windows\System\CpFBDrT.exe | N/A |
| N/A | N/A | C:\Windows\System\FnhpuAq.exe | N/A |
| N/A | N/A | C:\Windows\System\dDZopqM.exe | N/A |
| N/A | N/A | C:\Windows\System\UhVBaJt.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\jdnHLBQ.exe | C:\Windows\System\jdnHLBQ.exe |
| C:\Windows\System\zLbOkMZ.exe | C:\Windows\System\zLbOkMZ.exe |
| C:\Windows\System\otDKcUl.exe | C:\Windows\System\otDKcUl.exe |
| C:\Windows\System\FxzYHdM.exe | C:\Windows\System\FxzYHdM.exe |
| C:\Windows\System\ApmiJWE.exe | C:\Windows\System\ApmiJWE.exe |
| C:\Windows\System\TIjJvUa.exe | C:\Windows\System\TIjJvUa.exe |
| C:\Windows\System\RnMVTTn.exe | C:\Windows\System\RnMVTTn.exe |
| C:\Windows\System\axeFXdR.exe | C:\Windows\System\axeFXdR.exe |
| C:\Windows\System\AtpunYQ.exe | C:\Windows\System\AtpunYQ.exe |
| C:\Windows\System\HuesdXT.exe | C:\Windows\System\HuesdXT.exe |
| C:\Windows\System\AvoUJqk.exe | C:\Windows\System\AvoUJqk.exe |
| C:\Windows\System\Diejsbs.exe | C:\Windows\System\Diejsbs.exe |
| C:\Windows\System\eGOqVUF.exe | C:\Windows\System\eGOqVUF.exe |
| C:\Windows\System\vSGewvQ.exe | C:\Windows\System\vSGewvQ.exe |
| C:\Windows\System\wmVzTCP.exe | C:\Windows\System\wmVzTCP.exe |
| C:\Windows\System\SoRKhLi.exe | C:\Windows\System\SoRKhLi.exe |
| C:\Windows\System\zXlHyXU.exe | C:\Windows\System\zXlHyXU.exe |
| C:\Windows\System\CpFBDrT.exe | C:\Windows\System\CpFBDrT.exe |
| C:\Windows\System\FnhpuAq.exe | C:\Windows\System\FnhpuAq.exe |
| C:\Windows\System\dDZopqM.exe | C:\Windows\System\dDZopqM.exe |
| C:\Windows\System\UhVBaJt.exe | C:\Windows\System\UhVBaJt.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 23:32
Reported
2024-06-06 23:38
Platform
win10v2004-20240426-en
Max time kernel
133s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\pqkZpCt.exe | N/A |
| N/A | N/A | C:\Windows\System\glOOoXL.exe | N/A |
| N/A | N/A | C:\Windows\System\xVNUCxs.exe | N/A |
| N/A | N/A | C:\Windows\System\NxGtxgj.exe | N/A |
| N/A | N/A | C:\Windows\System\ozgXAdu.exe | N/A |
| N/A | N/A | C:\Windows\System\XislXjy.exe | N/A |
| N/A | N/A | C:\Windows\System\kBHiDrx.exe | N/A |
| N/A | N/A | C:\Windows\System\ULAxRpQ.exe | N/A |
| N/A | N/A | C:\Windows\System\EGghzQM.exe | N/A |
| N/A | N/A | C:\Windows\System\nvFRvgZ.exe | N/A |
| N/A | N/A | C:\Windows\System\BbAJrYa.exe | N/A |
| N/A | N/A | C:\Windows\System\DaVIMkR.exe | N/A |
| N/A | N/A | C:\Windows\System\rXCWSfl.exe | N/A |
| N/A | N/A | C:\Windows\System\AcRnJGB.exe | N/A |
| N/A | N/A | C:\Windows\System\mqrmRfb.exe | N/A |
| N/A | N/A | C:\Windows\System\ssuSveo.exe | N/A |
| N/A | N/A | C:\Windows\System\hYFhyOn.exe | N/A |
| N/A | N/A | C:\Windows\System\EiHJTpn.exe | N/A |
| N/A | N/A | C:\Windows\System\bCZOjlY.exe | N/A |
| N/A | N/A | C:\Windows\System\zYpwijO.exe | N/A |
| N/A | N/A | C:\Windows\System\rUknhfi.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-06_9a0a429de81083e449c612161a63b84b_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\pqkZpCt.exe | C:\Windows\System\pqkZpCt.exe |
| C:\Windows\System\glOOoXL.exe | C:\Windows\System\glOOoXL.exe |
| C:\Windows\System\xVNUCxs.exe | C:\Windows\System\xVNUCxs.exe |
| C:\Windows\System\NxGtxgj.exe | C:\Windows\System\NxGtxgj.exe |
| C:\Windows\System\ozgXAdu.exe | C:\Windows\System\ozgXAdu.exe |
| C:\Windows\System\XislXjy.exe | C:\Windows\System\XislXjy.exe |
| C:\Windows\System\kBHiDrx.exe | C:\Windows\System\kBHiDrx.exe |
| C:\Windows\System\ULAxRpQ.exe | C:\Windows\System\ULAxRpQ.exe |
| C:\Windows\System\EGghzQM.exe | C:\Windows\System\EGghzQM.exe |
| C:\Windows\System\nvFRvgZ.exe | C:\Windows\System\nvFRvgZ.exe |
| C:\Windows\System\BbAJrYa.exe | C:\Windows\System\BbAJrYa.exe |
| C:\Windows\System\DaVIMkR.exe | C:\Windows\System\DaVIMkR.exe |
| C:\Windows\System\rXCWSfl.exe | C:\Windows\System\rXCWSfl.exe |
| C:\Windows\System\AcRnJGB.exe | C:\Windows\System\AcRnJGB.exe |
| C:\Windows\System\mqrmRfb.exe | C:\Windows\System\mqrmRfb.exe |
| C:\Windows\System\ssuSveo.exe | C:\Windows\System\ssuSveo.exe |
| C:\Windows\System\hYFhyOn.exe | C:\Windows\System\hYFhyOn.exe |
| C:\Windows\System\EiHJTpn.exe | C:\Windows\System\EiHJTpn.exe |
| C:\Windows\System\bCZOjlY.exe | C:\Windows\System\bCZOjlY.exe |
| C:\Windows\System\zYpwijO.exe | C:\Windows\System\zYpwijO.exe |
| C:\Windows\System\rUknhfi.exe | C:\Windows\System\rUknhfi.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3560-70-0x00007FF720250000-0x00007FF7205A4000-memory.dmp
C:\Windows\System\rXCWSfl.exe
| MD5 | 711965c0ed770375b388ea9b5ea57c70 |
| SHA1 | 21f7ffc0c96b29ee6bc8176dc97f6fd049d110a2 |
| SHA256 | c07d701eb04ab4f8699484a3bd23da869373ffe5abb89855dad47bf019625666 |
| SHA512 | 1805d8628649a043140bc3aafe1e7909e2e2c4d13967ba772fc49046b58f359c9204953c678c902e0a7afe7ca922f35fcfea6266309db91efb45c72ff619c428 |
C:\Windows\System\AcRnJGB.exe
| MD5 | c665d55523745ebd550a2c4296ad8ec9 |
| SHA1 | 43f72a8e93454ded742dbec7a7c84f59cb0d6520 |
| SHA256 | 4ce197747d9fbeeec8496c26db012627d7ce7e6aa1a732a7c731d6ef8431204b |
| SHA512 | 57b316ce017c765c9f224c8ed85aafffadf3e3509d0b9d8b28c09b7a506bf84dd5216ab3d5048ad1f637628cef7585aca82701224766df2dd48aff33618c1454 |
C:\Windows\System\rXCWSfl.exe
| MD5 | 5d0b5e7ecff3937b97e65e37059d5f63 |
| SHA1 | 1ca91f93f364b2a6d5c2b538c2c35daaac59cb0d |
| SHA256 | 96346869d9dc55e98d2f0f2f123ad998380676a3b1955b700b1bd911cfb8890a |
| SHA512 | e93c97ccbb6bdfbb5269773813deace70d3cb873a66561e1426d2a19d5b74aa780c0eb3dab1998e3334ad5433078f0b59144615a35cb08007f5874131c57b6f4 |
memory/2784-81-0x00007FF602DF0000-0x00007FF603144000-memory.dmp
memory/4084-92-0x00007FF7CE7D0000-0x00007FF7CEB24000-memory.dmp
memory/4248-102-0x00007FF75BB20000-0x00007FF75BE74000-memory.dmp
C:\Windows\System\bCZOjlY.exe
| MD5 | 7eb810ab3e29af35f749d0bb7818773d |
| SHA1 | 78b08e870d58674b2898ed4c7269de47428e5499 |
| SHA256 | 09c1ff0f09e3bac84b3a3eb487ddf091b25f7f3ae622ca9aaec95483f8d9b0ec |
| SHA512 | 97ece0dc5266cb1ff5f5dd92ed13f4bc91e6f629dbda292642c3f95038c9b65db7afcc1d82c25f227f742cecc79a988c8a6dd15b1b26c3e1fa4290d48c3ab88b |
C:\Windows\System\EiHJTpn.exe
| MD5 | 8003c8ca1c6255c4a9df50b61d369786 |
| SHA1 | ef521c59d5519424152618453d9a1ec413a267cf |
| SHA256 | caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8 |
| SHA512 | 0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795 |
memory/2984-110-0x00007FF64E660000-0x00007FF64E9B4000-memory.dmp
memory/4204-109-0x00007FF7615C0000-0x00007FF761914000-memory.dmp
memory/4612-119-0x00007FF6BF020000-0x00007FF6BF374000-memory.dmp
memory/3560-118-0x00007FF720250000-0x00007FF7205A4000-memory.dmp
memory/3660-103-0x00007FF746290000-0x00007FF7465E4000-memory.dmp
memory/4832-98-0x00007FF607DA0000-0x00007FF6080F4000-memory.dmp
C:\Windows\System\ssuSveo.exe
| MD5 | 93bacfc3d845f374627b012c3a61a1e5 |
| SHA1 | f08219d5f19196fbc7a3a1e7ffbfb44e344c21ae |
| SHA256 | 4fd1d5231f529c0710d6a6cd40036ebe10563700b5f25c50aacacf0ccbeb0b9d |
| SHA512 | 63e909e0f694f7072b09c22815e6279a7448ff3ee9b219e1f03fa23b70411a9de5cd54205f2b9fac218aee1fe5bb1761b1d6308bcade318f7b85c7b720112b83 |
C:\Windows\System\ssuSveo.exe
| MD5 | 992e15ebc2245cf970acce9948576d6c |
| SHA1 | 3322f50d4aebf915abc8a5277cd07a23adf5f127 |
| SHA256 | 34aca34b8538d4e7f9b5ca1806b2281a0382769188fd9d2c13b1e312e96b00f5 |
| SHA512 | 2299491ec9c9bd4a6ac0a40bf192f660f0f17c74b61aa4e0097b4c4f83a6d479f7a76f02af36d33e9826debb7591943213a22619c67db9751ef075d87dd44bf7 |
C:\Windows\System\mqrmRfb.exe
| MD5 | 536ccffc9fb54ccaa170d80cb4661ca1 |
| SHA1 | 20db858b752256e3ce00036fe9344fc329d2019e |
| SHA256 | ef008b0990da31f5ab9fbc017836ae2b30216bbb76cea57f1ebc3bce95918af5 |
| SHA512 | 87bfc1293db20aa77928cb0876bbced62cc17751634101b46bd18be9043ef234da425b36026c33f4dec7325f64f661557cae7bf5ded005fe818c37915925b6f8 |
C:\Windows\System\zYpwijO.exe
| MD5 | 48ee306c3e30f678cbb2d54b3d468754 |
| SHA1 | e089368be338f8a28f56c70a0cc3f139cf1f76e9 |
| SHA256 | f1a35a28dbcce99eb23bd8124438d47bbdf5d5e60fe656fdcf989560f7bf1915 |
| SHA512 | 0ccb8d9875f8c1b65b5fec19ef1e9510b56f8673d5085fbbcea25f25af6d7bb5f5ef246f47e177585a6e673ceee8a36fd5b1164606e0ce905c9d5495f597dfc2 |
memory/3044-75-0x00007FF76A5E0000-0x00007FF76A934000-memory.dmp
C:\Windows\System\DaVIMkR.exe
| MD5 | 12290e241ed2e6c4adafa5d04e2f138d |
| SHA1 | 97fda7e552fddea3ac07f6c05616044e41cce11e |
| SHA256 | a6a2cb6fb3598d051d13929a0f67262c880cfb448e462285e50b61837564dadf |
| SHA512 | 4917ade55c5d1ed859c36affd21355ed1aa8e004308b86bd08a5536f0c0e157b2db3b43ba4d95da2c702629298e5b033347259d7bf9f6c3f5abe43d69897f898 |
memory/5068-62-0x00007FF7668E0000-0x00007FF766C34000-memory.dmp
memory/3928-129-0x00007FF740050000-0x00007FF7403A4000-memory.dmp
memory/3668-130-0x00007FF7D5B10000-0x00007FF7D5E64000-memory.dmp
memory/3044-131-0x00007FF76A5E0000-0x00007FF76A934000-memory.dmp
C:\Windows\System\ULAxRpQ.exe
| MD5 | 37bd5f6d8c71e78ab1a2fdc153f02621 |
| SHA1 | e612e0add7764075283debcf42d5da6a3f59d1b1 |
| SHA256 | 2bd229bc79a89662e2287ea71c114ba09f5f8944fa55ec9f2d31c2a2faf46f2f |
| SHA512 | d183a86f11cac716ab99718059a08ff884a463fd18cb02f03356432701068b372819a7c9f9dc9df20afe7c38d890f2a4804d1288147e1e81abf4d27ad7b12b81 |
memory/4356-32-0x00007FF63D6C0000-0x00007FF63DA14000-memory.dmp
C:\Windows\System\ozgXAdu.exe
| MD5 | 7ca4c7d08ec840a69d3101c638d4b72f |
| SHA1 | 9a0bd3c709f755b63121fadc936f446aec1e7ee6 |
| SHA256 | ad375c6a067690acfdb9ba070a3a7e26450ca7423af526c703ce192d7173f7e7 |
| SHA512 | 93ae69558c6397f1d10b68fc7e156b1c23dffe4348c43264d4d2484e88db3346ef1d13b6b607cc291558edc2cbc35a0667021d52c5cf7e17eeb41ed495e23c3b |
C:\Windows\System\NxGtxgj.exe
| MD5 | 1bb6a05e5a7fad15fc3b308444e8ddc1 |
| SHA1 | 1ae446555655fd5ee36098eaadd5e894b9b17276 |
| SHA256 | a5f360f7ef5657cf163fd4f28b35637c2987df8f9e01eea288e6c788d6fe3439 |
| SHA512 | 64e49d8155be65f328fc33b38ba2e28beb3dd6399da40cb5ca2a11db08a05781e3dc79130eca0a5e9224a5e1cd3cab2e6b4516453b5e5dfe393425b0f9c7c3d3 |
memory/2372-20-0x00007FF759240000-0x00007FF759594000-memory.dmp
memory/4760-14-0x00007FF7AB6F0000-0x00007FF7ABA44000-memory.dmp
memory/2808-8-0x00007FF6C0080000-0x00007FF6C03D4000-memory.dmp
C:\Windows\System\pqkZpCt.exe
| MD5 | e8c4508a392ccf08590d3627a36cc3c3 |
| SHA1 | 3a57dd6c92ebc54582acaafd15cc9311eb0d15a2 |
| SHA256 | cea51cc96156d8e8255e2ccada29ae7300a3315f995e7ba6d44446f87dc9a09d |
| SHA512 | f92387e78f5fe98543d9e60ae371868a188c86c9137b7d0a0d3bf28026dbd3fc59a4eb30687c1a9721f81959fcdee80d280162f492d355d2ec0e6a7c5d939410 |
memory/5068-1-0x0000019ACD280000-0x0000019ACD290000-memory.dmp
memory/2784-132-0x00007FF602DF0000-0x00007FF603144000-memory.dmp
memory/3660-133-0x00007FF746290000-0x00007FF7465E4000-memory.dmp
memory/2984-134-0x00007FF64E660000-0x00007FF64E9B4000-memory.dmp
memory/2808-135-0x00007FF6C0080000-0x00007FF6C03D4000-memory.dmp
memory/4760-136-0x00007FF7AB6F0000-0x00007FF7ABA44000-memory.dmp
memory/2372-137-0x00007FF759240000-0x00007FF759594000-memory.dmp
memory/2436-138-0x00007FF76A790000-0x00007FF76AAE4000-memory.dmp
memory/4356-139-0x00007FF63D6C0000-0x00007FF63DA14000-memory.dmp
memory/2640-140-0x00007FF6951A0000-0x00007FF6954F4000-memory.dmp
memory/1728-141-0x00007FF611C10000-0x00007FF611F64000-memory.dmp
memory/4204-142-0x00007FF7615C0000-0x00007FF761914000-memory.dmp
memory/3564-143-0x00007FF61AD00000-0x00007FF61B054000-memory.dmp
memory/896-144-0x00007FF7A11C0000-0x00007FF7A1514000-memory.dmp
memory/3560-145-0x00007FF720250000-0x00007FF7205A4000-memory.dmp
memory/3044-146-0x00007FF76A5E0000-0x00007FF76A934000-memory.dmp
memory/4084-148-0x00007FF7CE7D0000-0x00007FF7CEB24000-memory.dmp
memory/2784-147-0x00007FF602DF0000-0x00007FF603144000-memory.dmp
memory/4832-149-0x00007FF607DA0000-0x00007FF6080F4000-memory.dmp
memory/4248-150-0x00007FF75BB20000-0x00007FF75BE74000-memory.dmp
memory/3660-151-0x00007FF746290000-0x00007FF7465E4000-memory.dmp
memory/2984-152-0x00007FF64E660000-0x00007FF64E9B4000-memory.dmp
memory/4612-153-0x00007FF6BF020000-0x00007FF6BF374000-memory.dmp
memory/3928-154-0x00007FF740050000-0x00007FF7403A4000-memory.dmp
memory/3668-155-0x00007FF7D5B10000-0x00007FF7D5E64000-memory.dmp