Analysis Overview
SHA256
49c290d36105bc1b692bc5161866e963c6210b67b6787f6ba34e0ac303b6a80c
Threat Level: Known bad
The file 2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Cobaltstrike family
Detects Reflective DLL injection artifacts
XMRig Miner payload
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-07 01:28
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-07 01:27
Reported
2024-06-07 01:34
Platform
win7-20240221-en
Max time kernel
135s
Max time network
151s
Command Line
Signatures
Cobaltstrike
xmrig
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\plnbMBN.exe | N/A |
| N/A | N/A | C:\Windows\System\qlWioWI.exe | N/A |
| N/A | N/A | C:\Windows\System\aPMoWoQ.exe | N/A |
| N/A | N/A | C:\Windows\System\viqZqXT.exe | N/A |
| N/A | N/A | C:\Windows\System\xZKUoEO.exe | N/A |
| N/A | N/A | C:\Windows\System\bgacZLK.exe | N/A |
| N/A | N/A | C:\Windows\System\kVCvaOY.exe | N/A |
| N/A | N/A | C:\Windows\System\YJzyvhe.exe | N/A |
| N/A | N/A | C:\Windows\System\brWaMmK.exe | N/A |
| N/A | N/A | C:\Windows\System\cejEZIz.exe | N/A |
| N/A | N/A | C:\Windows\System\SONQKWN.exe | N/A |
| N/A | N/A | C:\Windows\System\nbumVaJ.exe | N/A |
| N/A | N/A | C:\Windows\System\PxjSrtP.exe | N/A |
| N/A | N/A | C:\Windows\System\nEqzteT.exe | N/A |
| N/A | N/A | C:\Windows\System\fbTAGhe.exe | N/A |
| N/A | N/A | C:\Windows\System\liWZxVO.exe | N/A |
| N/A | N/A | C:\Windows\System\UEoFWja.exe | N/A |
| N/A | N/A | C:\Windows\System\ALYGqcZ.exe | N/A |
| N/A | N/A | C:\Windows\System\JsmAhjn.exe | N/A |
| N/A | N/A | C:\Windows\System\RMlvkRq.exe | N/A |
| N/A | N/A | C:\Windows\System\UcKimEK.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\plnbMBN.exe
C:\Windows\System\plnbMBN.exe
C:\Windows\System\qlWioWI.exe
C:\Windows\System\qlWioWI.exe
C:\Windows\System\aPMoWoQ.exe
C:\Windows\System\aPMoWoQ.exe
C:\Windows\System\viqZqXT.exe
C:\Windows\System\viqZqXT.exe
C:\Windows\System\xZKUoEO.exe
C:\Windows\System\xZKUoEO.exe
C:\Windows\System\bgacZLK.exe
C:\Windows\System\bgacZLK.exe
C:\Windows\System\kVCvaOY.exe
C:\Windows\System\kVCvaOY.exe
C:\Windows\System\YJzyvhe.exe
C:\Windows\System\YJzyvhe.exe
C:\Windows\System\brWaMmK.exe
C:\Windows\System\brWaMmK.exe
C:\Windows\System\cejEZIz.exe
C:\Windows\System\cejEZIz.exe
C:\Windows\System\SONQKWN.exe
C:\Windows\System\SONQKWN.exe
C:\Windows\System\nbumVaJ.exe
C:\Windows\System\nbumVaJ.exe
C:\Windows\System\PxjSrtP.exe
C:\Windows\System\PxjSrtP.exe
C:\Windows\System\nEqzteT.exe
C:\Windows\System\nEqzteT.exe
C:\Windows\System\fbTAGhe.exe
C:\Windows\System\fbTAGhe.exe
C:\Windows\System\liWZxVO.exe
C:\Windows\System\liWZxVO.exe
C:\Windows\System\UEoFWja.exe
C:\Windows\System\UEoFWja.exe
C:\Windows\System\ALYGqcZ.exe
C:\Windows\System\ALYGqcZ.exe
C:\Windows\System\JsmAhjn.exe
C:\Windows\System\JsmAhjn.exe
C:\Windows\System\UcKimEK.exe
C:\Windows\System\UcKimEK.exe
C:\Windows\System\RMlvkRq.exe
C:\Windows\System\RMlvkRq.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp |
Files
memory/2240-0-0x000000013F190000-0x000000013F4E4000-memory.dmp
memory/2240-1-0x0000000000300000-0x0000000000310000-memory.dmp
\Windows\system\plnbMBN.exe
| MD5 | 4ebd1901e669a14d40cee031fd206e82 |
| SHA1 | 48b4d9303ce77228a3ead5a9a71386291542a98f |
| SHA256 | 877be2224a2b649da5f78203ecb3453feb6fa6bbbc2d6c8d511c50eacb8915e1 |
| SHA512 | c4c64ecded98a2388cd280fbf03b1c4943ae108cca32936b19ec1dc9b1e2275f8c7fb5cb86b3ef39ae05d629ddb91ee9822452b1bc6582399603f35642ecf087 |
\Windows\system\qlWioWI.exe
| MD5 | fbb6a602f644dbf57142122f30692c9a |
| SHA1 | 8158aaa7168744874ea387599d6d2cead21e28a3 |
| SHA256 | 3ededef3bd2586830b0a8597cb8ce36b4909b0421f6d3ed699083dfd6f8c0a7d |
| SHA512 | 594ad340712d040831c50ecaffbc2dabd957ed3d1d45fbdcb2c0a001df0ecad88502ea7ae79d922d80e7ca9a296427129145281a618e70a75857e869e5c45bfe |
memory/1072-13-0x000000013F540000-0x000000013F894000-memory.dmp
\Windows\system\aPMoWoQ.exe
| MD5 | 711965c0ed770375b388ea9b5ea57c70 |
| SHA1 | 21f7ffc0c96b29ee6bc8176dc97f6fd049d110a2 |
| SHA256 | c07d701eb04ab4f8699484a3bd23da869373ffe5abb89855dad47bf019625666 |
| SHA512 | 1805d8628649a043140bc3aafe1e7909e2e2c4d13967ba772fc49046b58f359c9204953c678c902e0a7afe7ca922f35fcfea6266309db91efb45c72ff619c428 |
C:\Windows\system\viqZqXT.exe
| MD5 | 8003c8ca1c6255c4a9df50b61d369786 |
| SHA1 | ef521c59d5519424152618453d9a1ec413a267cf |
| SHA256 | caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8 |
| SHA512 | 0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795 |
memory/2240-25-0x0000000002230000-0x0000000002584000-memory.dmp
memory/2896-28-0x000000013F340000-0x000000013F694000-memory.dmp
\Windows\system\kVCvaOY.exe
| MD5 | 0642442db4acbbfb6037e06789624264 |
| SHA1 | 923aee440a6887c7a7a8a78085aa492b2cdcee65 |
| SHA256 | 5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85 |
| SHA512 | 7fc8231c299b64743a966130c519362217b11d421c0ccc65ca7c97570221449b6e5bd90caefa97b416470db36fac07c3f48ea41836b395ab190e6121598e88a1 |
memory/2240-51-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/2240-61-0x000000013F510000-0x000000013F864000-memory.dmp
memory/2240-74-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2240-77-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/1760-76-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2528-81-0x000000013F030000-0x000000013F384000-memory.dmp
memory/2240-85-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2240-86-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2240-90-0x000000013FF30000-0x0000000140284000-memory.dmp
\Windows\system\nEqzteT.exe
| MD5 | ce95ecfd82cad989d07f01bb5a4e0e62 |
| SHA1 | 9c404e62c6a147d88e2c4214a4a0c1206972e9c1 |
| SHA256 | 593e7bd118d819d8e39ef2651ab132601260307c705634ada0a2db317b292576 |
| SHA512 | c2ff795a22229b7c15805b1e961a5dfe271dec3d9731c58be06511c88be95cff0caaac2a29a6db9c14604bb11c8d799f874a0f83a490e055a4995d26515db084 |
C:\Windows\system\UEoFWja.exe
| MD5 | f6cdfb3d88537b367792cbd894bd98ed |
| SHA1 | 3d3f99c94c72c456dffcf949bc5d30603a7e936c |
| SHA256 | 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86 |
| SHA512 | 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3 |
\Windows\system\RMlvkRq.exe
| MD5 | 984a8cf637fc9f46a5be1646493a183b |
| SHA1 | eff3045fcb5d0b4a9321004fdd3e94f3f336f5af |
| SHA256 | 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068 |
| SHA512 | f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d |
memory/2240-124-0x000000013F6F0000-0x000000013FA44000-memory.dmp
\Windows\system\ALYGqcZ.exe
| MD5 | 0b1dc771469fa6753e7aace834956918 |
| SHA1 | ab392eb1cb5fc16a55a2c41b7c5a6d56cfdeced7 |
| SHA256 | 60a5948084400707991c40b4413636168d0f0501efbc67fab461d4937de55fb6 |
| SHA512 | 6ff29d03eaaae06a15e3efe1ea402940d3f7a6e2ebae2266481a1a80576dd91702b1cbddedd5f74c67cdfdf217582f180323fa66c29c2525747039f60c34ba60 |
memory/2640-111-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2240-97-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/456-91-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/1672-89-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2240-88-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2368-87-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2724-80-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2240-67-0x000000013F8D0000-0x000000013FC24000-memory.dmp
C:\Windows\system\SONQKWN.exe
| MD5 | e8c4508a392ccf08590d3627a36cc3c3 |
| SHA1 | 3a57dd6c92ebc54582acaafd15cc9311eb0d15a2 |
| SHA256 | cea51cc96156d8e8255e2ccada29ae7300a3315f995e7ba6d44446f87dc9a09d |
| SHA512 | f92387e78f5fe98543d9e60ae371868a188c86c9137b7d0a0d3bf28026dbd3fc59a4eb30687c1a9721f81959fcdee80d280162f492d355d2ec0e6a7c5d939410 |
memory/2148-70-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/2656-65-0x000000013F510000-0x000000013F864000-memory.dmp
memory/2628-60-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
C:\Windows\system\YJzyvhe.exe
| MD5 | 2543c4760bd9af7f70b7834411ab61af |
| SHA1 | ed963cb76a076b222f6cdae99e8563d4444f6351 |
| SHA256 | c5992c95fef0e281d0ce0d741b02048e13663a833b3e0a3351e4871cc0042001 |
| SHA512 | 37d8c491a184de94728c08add4a199f5cd8ae60d7cd02c39ad185a2859dd5e731e72c9b8cd0fd70525b0b413284ba12790037144a49d111203eb80cb9afcba56 |
C:\Windows\system\brWaMmK.exe
| MD5 | cefe7ebbcbdc6a5e5023e2ad8530b25b |
| SHA1 | 6e0d7ab1a6ddd7ee739d050791a70816c80e15a8 |
| SHA256 | 6ab2207c199b9f50a07b7695194b47a621541e0d37d9b22f0438e67dcb93d475 |
| SHA512 | 93f98af6631d01c751345fac9f47be26cfbc75dd9db0dd1fbd6fa2e5834aa5211f8d199ade4392a702dd45e08ec6d96b6b5fac0e6e70a1f9a03484c2b65fa844 |
\Windows\system\cejEZIz.exe
| MD5 | 182702f8c189f2105671b3b193ea01bd |
| SHA1 | 5cbe4a492c7f661166b4ece7955c0ec73fadc31d |
| SHA256 | a26e7690e7bc3ea344b69a7055744b04ab0a6a6f5efc215cd98698c2786c3f7f |
| SHA512 | 81af6029078315813c434ae562db848bfccfd0ce021093ded729c0431bbbdfab770bb5cf5e5e10bac76b9afc8886a0732e92ae0912c9dff147628a2530f045d1 |
\Windows\system\YJzyvhe.exe
| MD5 | 6b5887af4274a78686a788865765637c |
| SHA1 | 5afc15e6fcbc11377bbabbda47ff43f6ebedd369 |
| SHA256 | ecdfed9bc02368fefbebe0d02090e93826b7e5cc1043e339dd245299c8b23006 |
| SHA512 | 4f563e539f8ec68bbc27d4cc59c42ea4897bb131085e08433f745cc558ab7a030701a601ddb711cda19dfa6cd9086b458fb74762092be15aaa4190c05134d077 |
C:\Windows\system\kVCvaOY.exe
| MD5 | 7ca4c7d08ec840a69d3101c638d4b72f |
| SHA1 | 9a0bd3c709f755b63121fadc936f446aec1e7ee6 |
| SHA256 | ad375c6a067690acfdb9ba070a3a7e26450ca7423af526c703ce192d7173f7e7 |
| SHA512 | 93ae69558c6397f1d10b68fc7e156b1c23dffe4348c43264d4d2484e88db3346ef1d13b6b607cc291558edc2cbc35a0667021d52c5cf7e17eeb41ed495e23c3b |
\Windows\system\xZKUoEO.exe
| MD5 | 93bacfc3d845f374627b012c3a61a1e5 |
| SHA1 | f08219d5f19196fbc7a3a1e7ffbfb44e344c21ae |
| SHA256 | 4fd1d5231f529c0710d6a6cd40036ebe10563700b5f25c50aacacf0ccbeb0b9d |
| SHA512 | 63e909e0f694f7072b09c22815e6279a7448ff3ee9b219e1f03fa23b70411a9de5cd54205f2b9fac218aee1fe5bb1761b1d6308bcade318f7b85c7b720112b83 |
memory/2512-27-0x000000013F650000-0x000000013F9A4000-memory.dmp
C:\Windows\system\aPMoWoQ.exe
| MD5 | 9d367348bc2b0a338371873ab92b5ce0 |
| SHA1 | 7f656575ff1e475fc391f43341a8d5f4ac819b19 |
| SHA256 | 54a48f3a9df4f2d2df5308f04d9bbc5bfb754b7f4236b7d31d49f71134f2b309 |
| SHA512 | 8ea158cb453b86b762270e2cebce91cbe9a0e8b60ddc4e0fb3c531068e04df9f568fe69f34e169c5bdf6255c4c79c801e5f4b3c040f45ef12c24211a5d1dd454 |
memory/2744-15-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/2240-8-0x000000013F540000-0x000000013F894000-memory.dmp
memory/2240-134-0x000000013F190000-0x000000013F4E4000-memory.dmp
memory/2744-135-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/2240-136-0x0000000002230000-0x0000000002584000-memory.dmp
memory/2512-137-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/1072-138-0x000000013F540000-0x000000013F894000-memory.dmp
memory/2744-139-0x000000013F4B0000-0x000000013F804000-memory.dmp
memory/2896-140-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2512-141-0x000000013F650000-0x000000013F9A4000-memory.dmp
memory/2628-142-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2656-143-0x000000013F510000-0x000000013F864000-memory.dmp
memory/2724-147-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2368-148-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/1672-149-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/1760-144-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2528-146-0x000000013F030000-0x000000013F384000-memory.dmp
memory/2148-145-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/456-150-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/2640-151-0x000000013FED0000-0x0000000140224000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-07 01:27
Reported
2024-06-07 01:34
Platform
win10v2004-20240226-en
Max time kernel
153s
Max time network
160s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\yiDRIVq.exe | N/A |
| N/A | N/A | C:\Windows\System\ruDiuXb.exe | N/A |
| N/A | N/A | C:\Windows\System\TqylNUh.exe | N/A |
| N/A | N/A | C:\Windows\System\dqjNBCk.exe | N/A |
| N/A | N/A | C:\Windows\System\tKBFBkG.exe | N/A |
| N/A | N/A | C:\Windows\System\qQNrXAC.exe | N/A |
| N/A | N/A | C:\Windows\System\OMusCTs.exe | N/A |
| N/A | N/A | C:\Windows\System\cmHtvEG.exe | N/A |
| N/A | N/A | C:\Windows\System\hoFUNEQ.exe | N/A |
| N/A | N/A | C:\Windows\System\UObdAVh.exe | N/A |
| N/A | N/A | C:\Windows\System\hGFffrx.exe | N/A |
| N/A | N/A | C:\Windows\System\mBhBVQR.exe | N/A |
| N/A | N/A | C:\Windows\System\aXoBHJh.exe | N/A |
| N/A | N/A | C:\Windows\System\McHoTLT.exe | N/A |
| N/A | N/A | C:\Windows\System\cESlIRZ.exe | N/A |
| N/A | N/A | C:\Windows\System\UJgmbXO.exe | N/A |
| N/A | N/A | C:\Windows\System\SONOrvY.exe | N/A |
| N/A | N/A | C:\Windows\System\AIMNOry.exe | N/A |
| N/A | N/A | C:\Windows\System\ZhfmMnu.exe | N/A |
| N/A | N/A | C:\Windows\System\OpIUUtR.exe | N/A |
| N/A | N/A | C:\Windows\System\rtAEzqx.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_43e581d2add9eafd3d8e055b1642febe_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\yiDRIVq.exe
C:\Windows\System\yiDRIVq.exe
C:\Windows\System\ruDiuXb.exe
C:\Windows\System\ruDiuXb.exe
C:\Windows\System\TqylNUh.exe
C:\Windows\System\TqylNUh.exe
C:\Windows\System\dqjNBCk.exe
C:\Windows\System\dqjNBCk.exe
C:\Windows\System\tKBFBkG.exe
C:\Windows\System\tKBFBkG.exe
C:\Windows\System\qQNrXAC.exe
C:\Windows\System\qQNrXAC.exe
C:\Windows\System\OMusCTs.exe
C:\Windows\System\OMusCTs.exe
C:\Windows\System\cmHtvEG.exe
C:\Windows\System\cmHtvEG.exe
C:\Windows\System\hoFUNEQ.exe
C:\Windows\System\hoFUNEQ.exe
C:\Windows\System\UObdAVh.exe
C:\Windows\System\UObdAVh.exe
C:\Windows\System\hGFffrx.exe
C:\Windows\System\hGFffrx.exe
C:\Windows\System\mBhBVQR.exe
C:\Windows\System\mBhBVQR.exe
C:\Windows\System\aXoBHJh.exe
C:\Windows\System\aXoBHJh.exe
C:\Windows\System\McHoTLT.exe
C:\Windows\System\McHoTLT.exe
C:\Windows\System\cESlIRZ.exe
C:\Windows\System\cESlIRZ.exe
C:\Windows\System\UJgmbXO.exe
C:\Windows\System\UJgmbXO.exe
C:\Windows\System\SONOrvY.exe
C:\Windows\System\SONOrvY.exe
C:\Windows\System\AIMNOry.exe
C:\Windows\System\AIMNOry.exe
C:\Windows\System\ZhfmMnu.exe
C:\Windows\System\ZhfmMnu.exe
C:\Windows\System\OpIUUtR.exe
C:\Windows\System\OpIUUtR.exe
C:\Windows\System\rtAEzqx.exe
C:\Windows\System\rtAEzqx.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4148 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 142.250.187.234:443 | tcp | |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 17.173.189.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp |
Files
memory/2548-0-0x00007FF7237B0000-0x00007FF723B04000-memory.dmp
memory/2548-1-0x000001862B880000-0x000001862B890000-memory.dmp
C:\Windows\System\yiDRIVq.exe
| MD5 | d6271b0d7805859f395bab87a91a13f3 |
| SHA1 | a1ddaeca909cafc6a6e49e917af9e0e70fd64de9 |
| SHA256 | 332dfb5650858e59184d365fe040049e1a11c47ba8880fabb94ad029a542f81b |
| SHA512 | 07811a98c3d481dddeb34bfd2164b1be90f6006d2666f38d374c1e8c23d612d5ccb99da7a1d68d2d5662bfc9e928b3bd704608855b745e8310ebb63928d54ff5 |
memory/2724-8-0x00007FF7160F0000-0x00007FF716444000-memory.dmp
C:\Windows\System\ruDiuXb.exe
| MD5 | 271b9118192265c9a6fa41c86829c113 |
| SHA1 | 891a46439683c65e78583c61be890b400c88d079 |
| SHA256 | 008ff0a4b5ab0a4730cadc7cee7f4c4ca566dae3ee44669261b48dec4e414d57 |
| SHA512 | d98aa8ff55d9450ec64d2d59c4bb0a2bae361c616114ca17c29113c36e5405cd3572ba609bcfb81a15ff0bdcf853a054bd41d4b9446d73ba061daff6720e65ed |
memory/4120-12-0x00007FF71AEA0000-0x00007FF71B1F4000-memory.dmp
C:\Windows\System\TqylNUh.exe
| MD5 | 8300ffaffdf5efde8a4aa67d47455db1 |
| SHA1 | c3eb9db5e562a6efdfcc59d1475daa0aa6503a42 |
| SHA256 | 10883a3048b2e7c5c95be476d5da319df6f4d9088b558ce58c05d85fa9158250 |
| SHA512 | 36d8cddfdeec49a01c84b0cffb8b2b1d6d927f653bce01fb04f04f168576fd3ac27c29f36608b56af678c800db4befb3dbea83d544f774769cddd2dc9f4270ad |
memory/2424-20-0x00007FF7D31E0000-0x00007FF7D3534000-memory.dmp
C:\Windows\System\dqjNBCk.exe
| MD5 | 08aafdf0aef322be1faf22254d35d96b |
| SHA1 | 1c4c9477954e02a138c1ad2b48c65263cb4adade |
| SHA256 | cd17f908c9e52afa9f174362bd8ae5a15a0b5c0616e5911cbe367c584365c131 |
| SHA512 | cb5396b694aeae8a78096b78a7bc2006df9064eba3d21f86ae10f97e498a5cc73947340fbf2d67cf213a05834067fc4416c92c4cb681eac6ea540ef043e1908e |
memory/3928-24-0x00007FF6806F0000-0x00007FF680A44000-memory.dmp
C:\Windows\System\tKBFBkG.exe
| MD5 | c34c7488c7677dacf0cab3f56a3b6a8f |
| SHA1 | fe6050b1086e6e374a0c3b4f44f6a0c602a686e3 |
| SHA256 | 8346f9baa5e93d5740b9c769af34232b40ebf5ca408bd45fb16eb3e843e5a32b |
| SHA512 | 65c4a2f2b6cc2861f97cf50bc8e45c4bdbc59751708424ebec9c57b958d46593b0d114031d026607a61959e60c3a1dce0cb7cbdab6ff02d022316708d52ec9f4 |
memory/228-32-0x00007FF7BFE90000-0x00007FF7C01E4000-memory.dmp
C:\Windows\System\qQNrXAC.exe
| MD5 | 949f3e69e2fdf4c5a1a48c6ad60eb348 |
| SHA1 | 5f098b3f877ce2829480dea0a4c904a7602edf6f |
| SHA256 | 81fa99c8dae86460f7049490060060964e96eed4b2c5de84ade5eacf35290cb7 |
| SHA512 | 7d26c530369e984a5cb4a8994ab6e8ca6ad41cb7003c8390a1e501d7b225c88b2d34bfb67ca649672d8a1599d049432530e89dd2bfa0a12be8168ae3d237299e |
memory/4148-38-0x00007FF6393D0000-0x00007FF639724000-memory.dmp
C:\Windows\System\OMusCTs.exe
| MD5 | c95fab30932a9f224e5f8229600299d0 |
| SHA1 | d7a17abf40c4ebba93875441edfbe5fde39f95d1 |
| SHA256 | ef066ce533c84fafecafed9b4c9bbb7a019d8c6f136159498774aeed44ff6b16 |
| SHA512 | 749b97fb14bf81f5b747f616f222a78c559e4ca903d5f0a97876f09cfdffb7d49ae324350e84ecda625486b62ae8064b7998465488a2a852c728d2a12e49c4bb |
memory/3908-42-0x00007FF7078D0000-0x00007FF707C24000-memory.dmp
C:\Windows\System\cmHtvEG.exe
| MD5 | c8df57d0006e5bb8375dc34905aee865 |
| SHA1 | 4e9c94d8102188f2653fdd2d82b9697fcdc0b49b |
| SHA256 | 61bb79eb175a2ec6f53e622580f620a99064d19a2ac8611edac2cfdb7d696cdb |
| SHA512 | 4de5fa8ec1c3175dbc520c6a5c26ff5f6a07bc160398baf93af5ef2417c24937fea64c5a13c7832bd9741b076225d58d79a6bb7c201d4b87013bceee5f1fac59 |
memory/4812-52-0x00007FF667C10000-0x00007FF667F64000-memory.dmp
C:\Windows\System\hoFUNEQ.exe
| MD5 | c5d01e14a6c3a223b549fcc26f8ede46 |
| SHA1 | 63da8ad6cb170a67a6fdef2c648d31804f126a7f |
| SHA256 | 5766f694477cd184f2ceba517739022176a8e89af6ffbcc4e848e89947842a09 |
| SHA512 | cc649914d88239235100a29ab8ec1675b7fae41e71ef96e354f13b52ee0f8c732afc13e0fbb0e1ff6c8706119fe8dfd15161cbddbdd563455856d90d42bc697f |
C:\Windows\System\UObdAVh.exe
| MD5 | bd8ccc2c3f300b1918397fd5ba637c66 |
| SHA1 | 7df58faa762134bcb9e13b80239e9fa60682b9d9 |
| SHA256 | 9376c1c9476bec592bc8be445d8f701fed0b5a8066bc688eb4b74d81a143b25a |
| SHA512 | e6d317927539078d6dec8d8b9b85924e12f0e04547a3aad1dff7e30aca084daf0255e88daab51f8f6a6389a492cfb342b5dea87a549f7ad1c563d1b7c7ceec70 |
C:\Windows\System\hGFffrx.exe
| MD5 | 2354e14ef6dfd8efec78107eb34fc3f6 |
| SHA1 | 46dad8ac664325f5e67d0a9845dd2d1fc1d512db |
| SHA256 | b9ff637e1590bdf81d4ba14aa94be5f977276c44c48dc01b8ffcad0afbfe8d1a |
| SHA512 | 03e26239542e8e34cb5e36715250003f46827dfdb97c48056500ce1e916c8000bed01f9178de15aacc7b32c7ecee8be9e5a3f6b16edca5e7540572e98abfaf7b |
memory/2320-66-0x00007FF70BED0000-0x00007FF70C224000-memory.dmp
memory/748-71-0x00007FF6F90F0000-0x00007FF6F9444000-memory.dmp
C:\Windows\System\mBhBVQR.exe
| MD5 | 4bb2dcdd831b7b6fb46e7f7c65a73caa |
| SHA1 | 258bc3cbb331b5aad7a1b3a333ace69df193af12 |
| SHA256 | 0bda434034ecabc87fa8928a3be74833da7cd3628dc4f50092a463b07f2dc157 |
| SHA512 | 0c3575114fde254924c6baac4eaaf7c4557fa32d8a8018057503dd4a5ae5883428ef3f1d0e05fa134cbfd740df47b903b9eb0ca05bf3a71abe2c8606c9f8751f |
memory/4012-73-0x00007FF6F7A20000-0x00007FF6F7D74000-memory.dmp
memory/2548-72-0x00007FF7237B0000-0x00007FF723B04000-memory.dmp
memory/952-69-0x00007FF72D4E0000-0x00007FF72D834000-memory.dmp
C:\Windows\System\aXoBHJh.exe
| MD5 | 588eb34a154af5bf67bb495b4f9c276c |
| SHA1 | 3158c48cbca50057ee28cdd23df129732072a9c8 |
| SHA256 | edc3127aed0980aea7aae790f20239bc8dc3d2de0ef543d9f6cad8ef7339b1d7 |
| SHA512 | 552f5ea59c84b99da44746d84a6dacd343ab37d0eb1e7032030f537ea204848cf4aa1d92b77608f21ce2c2c0d657d9c9bcfd9766eb56afc4952e2eb3f67bc987 |
C:\Windows\System\McHoTLT.exe
| MD5 | 9f193893131a707c44188bb1dcef860e |
| SHA1 | cc7f3172a92c966c9c1985d4265900cee2436188 |
| SHA256 | 2683d25d0d41c8f32b56953e8697b2f6412c56342fbb6dfa0f4efcc969379347 |
| SHA512 | f81b7cc77606c46111a513333e3a0f314e6d2b3bbe8601cc4b62e3103dffb307b7bba4bed1eb96e758474db0be334e4c6530cf73724dc47a443d01cda327b25b |
C:\Windows\System\cESlIRZ.exe
| MD5 | 409dc160234a17be871964577a3961d0 |
| SHA1 | 4160042f568309c2a4a46a45486c9ec99ade1b9d |
| SHA256 | 40876240cd3f15e43d8565d538bedb4d3e7f0edc3f54f828fe09d88663762865 |
| SHA512 | 072f253c8b3d821131e22da29f4011dfaba8be3316c54c8a7f8ed0bab3933a5e0571772dd47b6dacc4d4de4291478f7d64c7629fc2c01b72d977de8afa377671 |
C:\Windows\System\UJgmbXO.exe
| MD5 | e27e8e37029402efbdf8bbde729a3d70 |
| SHA1 | 8bf4dbdad1ff13718512c0021bcfd16e757441e0 |
| SHA256 | bc6d0932fd9c4ab66cad2c88b0c396e10f767f8800c9eafc1858cd82af4e7362 |
| SHA512 | e13d8151a3ad763d21616dc34a298ccb485db4d2b7e5eca4c54d149b571f83e266cf08235cfacdcc262bb197ee7362f1ac1a2f33824e984d67219ce25b696e1e |
C:\Windows\System\SONOrvY.exe
| MD5 | 2113bc336e3a0b423ddf04108702e1ab |
| SHA1 | b8c25a2fc6c3b015b2f0b58dc7aaeb9e1904b705 |
| SHA256 | 4b23f00365ab1478f82ff6092e15a00d0125af357c39bde371dd2fec4c9ed59f |
| SHA512 | d8e03e570c91532976ff5e088feba8f22565bb720c9b949108b75142519c99d8b70b80eca534fee46953923069ded0bbf624da61ab759e6072b226198148a9ed |
C:\Windows\System\AIMNOry.exe
| MD5 | 5c2d796273b803d0b127a022849342d2 |
| SHA1 | c88cd1b18e1cb540f77c474d4e9e11770a8bfdd4 |
| SHA256 | 808d61fc2e4162efdb6cfda4d2041aa4b17f9b871a756bedd14b75bbf0adb44e |
| SHA512 | 9841952aef9c5dede4bc220bf6235781d4c2691e50a72723bc4ca649b4a8cde9b8b9a64235cf0bf1206c861f1814e7b58203ea341e3089ba4a26787b26c2e14f |
C:\Windows\System\ZhfmMnu.exe
| MD5 | 28f66d7d216efc651bd008ad8fe93ef9 |
| SHA1 | 91c6c0300a5ddd343f8b28d0fc213ddab32401fc |
| SHA256 | e7f192548b87f9d0467fdb20f44142619c86cddc4044c1a75ef52e98aa55c848 |
| SHA512 | c10001d888d7657029194778cbc1f7d2fb7a5d53b14a10110fd1d82963aee79a6f29fe9728e245dcf445f0dcf80d953734840332d2db599fbe94f89cd3c1c1dd |
C:\Windows\System\OpIUUtR.exe
| MD5 | ec8293e9792e70e3e631854a32316bcf |
| SHA1 | e6a6e1ea0b3a2b9744a4b698486684fa6bb938c6 |
| SHA256 | 49d139949182b95db2b3771d397a9d73ce2f30c2200c087e110158752cbf05f8 |
| SHA512 | abc6c6d9e71c611dc6a9625243aefb590ab8c084770bfd746030ac5809dc6ab3f2c70010c87370ade5325975712c29afd164e22973b52a14a8c119b82083df61 |
C:\Windows\System\rtAEzqx.exe
| MD5 | 9d0692f158fa4555842640324f507105 |
| SHA1 | 2b7d8994a44132fb9c913241f6a03ea30eb3f8c4 |
| SHA256 | 8db5d1cd11611d72c5e3aae11125deba4cab265a6fa7a8ff4c45ecf46789112c |
| SHA512 | 64d8909008d5575913c7f5d9dff83c288d6c571972bedd4d902439d1f32d1c931f175289e78ec10ba22e4bc195e81a1a6a07c41dfada1fcdb6869353bbb2b484 |
memory/3648-120-0x00007FF7CD670000-0x00007FF7CD9C4000-memory.dmp
memory/2420-121-0x00007FF6FE200000-0x00007FF6FE554000-memory.dmp
memory/1448-122-0x00007FF6F8110000-0x00007FF6F8464000-memory.dmp
memory/1808-123-0x00007FF7E7130000-0x00007FF7E7484000-memory.dmp
memory/3236-124-0x00007FF650A30000-0x00007FF650D84000-memory.dmp
memory/2428-125-0x00007FF7D77E0000-0x00007FF7D7B34000-memory.dmp
memory/1172-126-0x00007FF76D190000-0x00007FF76D4E4000-memory.dmp
memory/1516-128-0x00007FF68C1C0000-0x00007FF68C514000-memory.dmp
memory/896-127-0x00007FF738580000-0x00007FF7388D4000-memory.dmp
memory/4120-129-0x00007FF71AEA0000-0x00007FF71B1F4000-memory.dmp
memory/2424-130-0x00007FF7D31E0000-0x00007FF7D3534000-memory.dmp
memory/3928-131-0x00007FF6806F0000-0x00007FF680A44000-memory.dmp
memory/228-132-0x00007FF7BFE90000-0x00007FF7C01E4000-memory.dmp
memory/4148-133-0x00007FF6393D0000-0x00007FF639724000-memory.dmp
memory/3908-134-0x00007FF7078D0000-0x00007FF707C24000-memory.dmp
memory/4012-135-0x00007FF6F7A20000-0x00007FF6F7D74000-memory.dmp
memory/2724-136-0x00007FF7160F0000-0x00007FF716444000-memory.dmp
memory/4120-137-0x00007FF71AEA0000-0x00007FF71B1F4000-memory.dmp
memory/2424-138-0x00007FF7D31E0000-0x00007FF7D3534000-memory.dmp
memory/3928-139-0x00007FF6806F0000-0x00007FF680A44000-memory.dmp
memory/228-140-0x00007FF7BFE90000-0x00007FF7C01E4000-memory.dmp
memory/4148-141-0x00007FF6393D0000-0x00007FF639724000-memory.dmp
memory/3908-142-0x00007FF7078D0000-0x00007FF707C24000-memory.dmp
memory/4812-143-0x00007FF667C10000-0x00007FF667F64000-memory.dmp
memory/2320-144-0x00007FF70BED0000-0x00007FF70C224000-memory.dmp
memory/952-145-0x00007FF72D4E0000-0x00007FF72D834000-memory.dmp
memory/748-146-0x00007FF6F90F0000-0x00007FF6F9444000-memory.dmp
memory/4012-147-0x00007FF6F7A20000-0x00007FF6F7D74000-memory.dmp
memory/3648-148-0x00007FF7CD670000-0x00007FF7CD9C4000-memory.dmp
memory/2420-149-0x00007FF6FE200000-0x00007FF6FE554000-memory.dmp
memory/1448-150-0x00007FF6F8110000-0x00007FF6F8464000-memory.dmp
memory/1808-151-0x00007FF7E7130000-0x00007FF7E7484000-memory.dmp
memory/3236-152-0x00007FF650A30000-0x00007FF650D84000-memory.dmp
memory/2428-153-0x00007FF7D77E0000-0x00007FF7D7B34000-memory.dmp
memory/1172-154-0x00007FF76D190000-0x00007FF76D4E4000-memory.dmp
memory/1516-156-0x00007FF68C1C0000-0x00007FF68C514000-memory.dmp
memory/896-155-0x00007FF738580000-0x00007FF7388D4000-memory.dmp