Analysis Overview
SHA256
78fcbd8cbefe908d6c6f73a0b8e7829af328edeb872d0401d791b57c52a370ab
Threat Level: Known bad
The file 2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
xmrig
Xmrig family
Cobaltstrike family
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-08 22:58
Signatures
Cobalt Strike reflective loader
1 match; no description, indicator, process or target was rendered for it.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 match; no description, indicator, process or target was rendered for it.
UPX dump on OEP (original entry point)
1 match; no description, indicator, process or target was rendered for it.
XMRig Miner payload
1 match; no description, indicator, process or target was rendered for it.
Xmrig family
UPX packed file
1 match; no description, indicator, process or target was rendered for it.
Unsigned PE
1 match; no description, indicator, process or target was rendered for it.
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 22:57
Reported
2024-06-08 23:00
Platform
win7-20240508-en
Max time kernel
142s
Max time network
147s
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target was rendered for them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; no description, indicator, process or target was rendered for them.
UPX dump on OEP (original entry point)
51 matches; no description, indicator, process or target was rendered for them.
XMRig Miner payload
53 matches; no description, indicator, process or target was rendered for them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\lsfOWFQ.exe | N/A |
| N/A | N/A | C:\Windows\System\HMwOZKS.exe | N/A |
| N/A | N/A | C:\Windows\System\FnSjCJZ.exe | N/A |
| N/A | N/A | C:\Windows\System\mSpXwwS.exe | N/A |
| N/A | N/A | C:\Windows\System\UhilpgV.exe | N/A |
| N/A | N/A | C:\Windows\System\wAoaaAc.exe | N/A |
| N/A | N/A | C:\Windows\System\mwUsmsu.exe | N/A |
| N/A | N/A | C:\Windows\System\HlHgsqQ.exe | N/A |
| N/A | N/A | C:\Windows\System\WfQeQSX.exe | N/A |
| N/A | N/A | C:\Windows\System\QgrikdM.exe | N/A |
| N/A | N/A | C:\Windows\System\klKvZIR.exe | N/A |
| N/A | N/A | C:\Windows\System\KdOPoZZ.exe | N/A |
| N/A | N/A | C:\Windows\System\qnJVCYb.exe | N/A |
| N/A | N/A | C:\Windows\System\NJUXlze.exe | N/A |
| N/A | N/A | C:\Windows\System\SiZsUHe.exe | N/A |
| N/A | N/A | C:\Windows\System\pFeorvu.exe | N/A |
| N/A | N/A | C:\Windows\System\agtEfcE.exe | N/A |
| N/A | N/A | C:\Windows\System\AsZScSZ.exe | N/A |
| N/A | N/A | C:\Windows\System\BtcNOie.exe | N/A |
| N/A | N/A | C:\Windows\System\cPlOvMM.exe | N/A |
| N/A | N/A | C:\Windows\System\PwGDnEk.exe | N/A |
Loads dropped DLL
UPX packed file
51 matches; no description, indicator, process or target was rendered for them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\lsfOWFQ.exe
C:\Windows\System\lsfOWFQ.exe
C:\Windows\System\HMwOZKS.exe
C:\Windows\System\HMwOZKS.exe
C:\Windows\System\FnSjCJZ.exe
C:\Windows\System\FnSjCJZ.exe
C:\Windows\System\mSpXwwS.exe
C:\Windows\System\mSpXwwS.exe
C:\Windows\System\UhilpgV.exe
C:\Windows\System\UhilpgV.exe
C:\Windows\System\mwUsmsu.exe
C:\Windows\System\mwUsmsu.exe
C:\Windows\System\wAoaaAc.exe
C:\Windows\System\wAoaaAc.exe
C:\Windows\System\HlHgsqQ.exe
C:\Windows\System\HlHgsqQ.exe
C:\Windows\System\WfQeQSX.exe
C:\Windows\System\WfQeQSX.exe
C:\Windows\System\QgrikdM.exe
C:\Windows\System\QgrikdM.exe
C:\Windows\System\klKvZIR.exe
C:\Windows\System\klKvZIR.exe
C:\Windows\System\agtEfcE.exe
C:\Windows\System\agtEfcE.exe
C:\Windows\System\KdOPoZZ.exe
C:\Windows\System\KdOPoZZ.exe
C:\Windows\System\AsZScSZ.exe
C:\Windows\System\AsZScSZ.exe
C:\Windows\System\qnJVCYb.exe
C:\Windows\System\qnJVCYb.exe
C:\Windows\System\BtcNOie.exe
C:\Windows\System\BtcNOie.exe
C:\Windows\System\NJUXlze.exe
C:\Windows\System\NJUXlze.exe
C:\Windows\System\cPlOvMM.exe
C:\Windows\System\cPlOvMM.exe
C:\Windows\System\SiZsUHe.exe
C:\Windows\System\SiZsUHe.exe
C:\Windows\System\PwGDnEk.exe
C:\Windows\System\PwGDnEk.exe
C:\Windows\System\pFeorvu.exe
C:\Windows\System\pFeorvu.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
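Three behaviours recur across both detonations and are the ones worth hunting for: executables with seven-letter mixed-case names written to and run from C:\Windows\System (writing there needs administrative rights, so the sample only spreads this way when run elevated, as it was here under C:\Users\Admin), TCP connections to 3.120.209.58:8080, and the sample enabling SeLockMemoryPrivilege, which XMRig requests so RandomX can use large pages. The in-addr.arpa queries to 8.8.8.8 in the win10 run are most likely reverse lookups made by the Windows image itself and should not be carried into an indicator list. The Python below is an added example, not part of this report or of the sandbox's tooling: it runs those three checks over constructed Sysmon (event 1 and 3) and Security (event 4703) records exported as JSON lines, using those events' field names; the seven-letter length is an assumption taken from the 42 dropped names listed in this report.

```python
import json
import re
from collections import defaultdict

# Endpoint contacted by the child processes in both detonations.
C2_ENDPOINTS = {("3.120.209.58", 8080)}

# Dropped binaries in this report all live directly in C:\Windows\System and
# carry a seven-letter mixed-case name (lsfOWFQ.exe, BCAXvaW.exe, ...). The
# fixed length is an assumption drawn from the report's 42 names. The single
# path separator after "System" means C:\Windows\System32\... never matches.
DROPPED_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)

# XMRig enables SeLockMemoryPrivilege so RandomX can back its dataset with
# large pages; on a workstation almost nothing else holds that privilege.
MINER_PRIVILEGE = "SeLockMemoryPrivilege"


def parse_events(lines):
    """Yield dicts from JSON-lines telemetry, skipping blank or malformed lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_dropped_exe(path):
    """True when a process image matches the drop location and name shape."""
    return bool(DROPPED_EXE.match(path or ""))


def hunt(lines):
    """Map each indicator name to the evidence found for it in the telemetry."""
    hits = defaultdict(list)
    for ev in parse_events(lines):
        eid = ev.get("EventID")
        image = ev.get("Image", "")
        if eid == 1 and is_dropped_exe(image):
            hits["dropped_exe_executed"].append(image)
        elif eid == 3:
            # Sysmon exports often carry the port as a string; normalise it.
            dst = (ev.get("DestinationIp", ""), int(ev.get("DestinationPort", 0)))
            if dst in C2_ENDPOINTS:
                hits["c2_connection"].append(f"{image} -> {dst[0]}:{dst[1]}")
        elif eid == 4703 and MINER_PRIVILEGE in ev.get("EnabledPrivilegeList", ""):
            hits["lock_memory_privilege"].append(ev.get("ProcessName", ""))
    return dict(hits)


# Constructed telemetry (not taken from the report): the first three records
# mirror behavioral1, the rest are benign decoys plus one malformed line.
SAMPLE_EVENTS = [
    r'{"EventID": 1, "Image": "C:\\Windows\\System\\lsfOWFQ.exe", "ParentImage": "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe"}',
    r'{"EventID": 3, "Image": "C:\\Windows\\System\\lsfOWFQ.exe", "DestinationIp": "3.120.209.58", "DestinationPort": "8080"}',
    r'{"EventID": 4703, "ProcessName": "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.exe", "EnabledPrivilegeList": "SeLockMemoryPrivilege"}',
    r'{"EventID": 1, "Image": "C:\\Windows\\System32\\svchost.exe", "ParentImage": "C:\\Windows\\System32\\services.exe"}',
    r'{"EventID": 3, "Image": "C:\\Windows\\System32\\svchost.exe", "DestinationIp": "8.8.8.8", "DestinationPort": "53"}',
    r'{"EventID": 4703, "ProcessName": "C:\\Windows\\System32\\lsass.exe", "EnabledPrivilegeList": "SeTcbPrivilege"}',
    "this line is not JSON and is skipped",
]

if __name__ == "__main__":
    for name, evidence in hunt(SAMPLE_EVENTS).items():
        print(f"{name}: {evidence}")
```

The three checks are deliberately independent: the path pattern alone catches the dropper's children, the privilege check catches the miner even if it is later repacked under a different name, and the C2 match pins down this specific campaign. Treat any one of them as a lead and two or more as a confirmed hit.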
Files
memory/1684-0-0x000000013F240000-0x000000013F594000-memory.dmp
memory/1684-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\lsfOWFQ.exe
| MD5 | 0161c02e29aaa37126e9f49c7cc256a8 |
| SHA1 | 183080b4a6ca192c4f2b6705f683441c8ac53c53 |
| SHA256 | d80631dc2c8580acb520a6615c8d36ff15885774c94325d51ca6063c5b4b63bd |
| SHA512 | 810b4822e7824d90eee3680066217399dee3c00cb8f58dca99646deffdc38a354f755ac4e3900522e8acec1714728dc38c6e5709911016799d24330cbcb9b8bb |
C:\Windows\system\HMwOZKS.exe
| MD5 | f86fa47acd0c7111789e1994a0da66ac |
| SHA1 | 9adbe746ef5d779c4c3253f3b141de8985575496 |
| SHA256 | fe38779d2ee22cb1849df83a74ac7e43a97d61a73fcc14dfed0a244620eec553 |
| SHA512 | 16fb896b506ea58efe18f79db67fddfd7fcb5ac2bb18fc488eaec59a149e50bb93e14a49f9528241268fcf0d25e6664d2e74bfe90b97f0ade5d206a282d6330b |
\Windows\system\FnSjCJZ.exe
| MD5 | 776bcdfbc39c30efb953ad4f4ea686b4 |
| SHA1 | d80ff38ebf4e8405803b274a157dbcbceffdd2a0 |
| SHA256 | c32a76fb8d87796013ec6c5653163994bbdd16d3434a29968938daff22e98715 |
| SHA512 | 8b4f3705114711d9114d4c495775d217cee0fdee44d47f19664d857786f0bb529406e757b6520769315a4a232bc40c323997834f367e533e49d5b2f1957c95a8 |
\Windows\system\mSpXwwS.exe
| MD5 | e3343a4359a25f17ac1b447b991b1e14 |
| SHA1 | d23d75509e642bab72c9f8de028950bc78a82493 |
| SHA256 | 1aaa15013216b9f27f7f0fce70bfb149f88d7594258765e74a5926e8b299cf8d |
| SHA512 | b652f4be270a420f62ff8f81be336b03780fc2213ba2dabd6e3d6e2ce1cd9a4ee315f236525763d36231d387c4d6f9808e8d32888a646dffba29585e52ffd627 |
memory/2148-21-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2128-28-0x000000013F020000-0x000000013F374000-memory.dmp
\Windows\system\wAoaaAc.exe
| MD5 | 368ea77c28b28ffc6f6c91bb282a7504 |
| SHA1 | 232dba8cec47d983ad396b41713bb5eac77b7082 |
| SHA256 | e5921cc1afc15cb9c5905770b69cc90d97e75159a1da5a92d91d6f2876654ec4 |
| SHA512 | 878c2b8a3f0778202a3087865802fd02a0bd9063997129431883b862ff6828e38482aa15a103609f32afd5db154c08684d2f50115804ea3b6d1c80dde0c160fc |
C:\Windows\system\WfQeQSX.exe
| MD5 | 91102aa4b066f5aa2bb58c2da2222b9d |
| SHA1 | 5e74951e958a96fcccfbe5c7c6b0d1df03237bd4 |
| SHA256 | 0739a0138e3a03cb9b999f64c0e1957b17b43532a2ebd7bda2b0d4030c05713e |
| SHA512 | d799506b1f2a66b0a6b287ca103a10558cf6b2423d66a81294f2a762b7a2e510c6bb4839fbaffaa034d5c7bff086bea7ad6c92fd5f59b46c5d75799d1088f0d9 |
\Windows\system\SiZsUHe.exe
| MD5 | f51376e041cda28100d1814e5b2d4eb4 |
| SHA1 | 36cd09b34fa887f21baf8f9d08f2813544050608 |
| SHA256 | 6f10055b4f6b1360ef622ae838566d5e82880e9eac4bdecd713a797b2fcb1e5f |
| SHA512 | a93b2e8aac3ffe76e639e79015de52bce7e3d21e24a0b3698e6b95a77688b1fe3b877de5a06dde649780d4f811dfd3461cf6420bb8ad33a7fb296f320c37d30a |
C:\Windows\system\QgrikdM.exe
| MD5 | 28192e0987d8fa7dd1788afc3727b55e |
| SHA1 | dc26b93fa11b0fbab748d9ac9d7165ffdf977ca5 |
| SHA256 | 20f96a548047378384ad5c41d925f3810f960025ad9a3bfce19513b523610cf6 |
| SHA512 | 9a4220cd59d3099cef61098513dec07423e5bd5fe34f6a8271368634d73211af8d6632a375e33979c1a601abd8bc413ad3b2ea11a10a4bc406acda257bcae8c5 |
\Windows\system\PwGDnEk.exe
| MD5 | e59f4b7fe10c2d2b6a6a5f149aad3cb0 |
| SHA1 | 82cccb0fbe70fc62400be6375500a882c57e741f |
| SHA256 | 7780f5415ed29f66fff79e3596455f2bdf6fb5c2c4315f478049d74f9fbe783f |
| SHA512 | bce99248b9d537238fd149df0686762a879426da857afd6a1c9dad5b6c55179b36fa6a269023fb87eab524e3e7ed1dec2ce881f396e504924bc82407ec6ee7e3 |
C:\Windows\system\NJUXlze.exe
| MD5 | 1f5e7dceaaf3c995f6e79ebd7990f121 |
| SHA1 | c5954f64063e8d3f286bda17aa623d44b7c2fa42 |
| SHA256 | c69d464347fbb31284edf45597388d3116d06825c02a893321c0328dd1543724 |
| SHA512 | 473ce0329d41944cdbc23b0da2309c32a62879119419aae990d66ab4a5dee2d35744bd4c3011030ad489e6ee043e0f6b88b48d7672f75bb3ec5601f23e39bf9f |
\Windows\system\cPlOvMM.exe
| MD5 | 44ce388f66972e1af9015f4dfbfc6fc7 |
| SHA1 | b4b36aff7271ca13daa29921c528d801ecfbb559 |
| SHA256 | 1e01a7719fe3848a48a8ff11e5107bf39eb7cac8f306696a595475652e05195b |
| SHA512 | 9797fff76d0eb5342fdafc1d94850dc406bd458f714129c694414629051e667addcd436b9776c784fc43cc0c6a0693f9bf1e1781bde3d04e86dab23de7ee1b82 |
\Windows\system\BtcNOie.exe
| MD5 | 3ab63152b2c900b2f899fb0891537f1b |
| SHA1 | 3966090ce466b642bbf8efad43eb3aa7acf51d5c |
| SHA256 | 637b193887a99af2a47ced42ea04f151048f6d4be7ef3bb34f6018f5d3ab9ecc |
| SHA512 | 241bcba13496269ae885864fe78b3ad425e3fbad1dd0e5d886d71b27186b8203833f01abdcd14b6caa43841126474b9b558b1835173fef978c076310f9a2e28f |
\Windows\system\AsZScSZ.exe
| MD5 | 28964b676fbc088a42a7f11cd3acfbeb |
| SHA1 | c60a542cef263d96441a813a9da06cc37347ce60 |
| SHA256 | 02b0863a4b7b7de13e9a125459cdb2f5019d05879d8effbd94f86dbde7568fbd |
| SHA512 | 4331ccb07106efd4f1260f0903db197c9c6938a97358ec30a358f242c8a85cbae8090805eb8c500aa26cf36ed5d6ce9a84cd28a07eb29283caa1898490921314 |
\Windows\system\agtEfcE.exe
| MD5 | 2b280d1ccbc0be1152c8e9ce881565f1 |
| SHA1 | 92a08e354ced5c522f25d349ff2ca7f9af1f4abf |
| SHA256 | 2ffe8804171f075362ba25811b1e9c3fb9088715cb30c597a488c02aaa616560 |
| SHA512 | 508d758a8b8db9c34aceaf16250aa39d08ac6971d7e32eba08940c890c85278010107565291407c018991739c23bb691f3a0c0b7418a773bf30678c0a71738e7 |
memory/1684-122-0x0000000002220000-0x0000000002574000-memory.dmp
memory/2776-121-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/1684-120-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/1684-119-0x000000013FA40000-0x000000013FD94000-memory.dmp
memory/2044-118-0x000000013FBB0000-0x000000013FF04000-memory.dmp
memory/1684-117-0x000000013FBB0000-0x000000013FF04000-memory.dmp
memory/1684-116-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/3040-115-0x000000013F920000-0x000000013FC74000-memory.dmp
C:\Windows\system\pFeorvu.exe
| MD5 | 3bc1e9134a1519ff2bfd067c6dabd273 |
| SHA1 | 54c349f4f0ad30dfb2082bba74348ee81e838910 |
| SHA256 | ade3c600669e2cb40835e51f83d2b8cdf238d0297adaa856ea992990aa03784e |
| SHA512 | 592f629ab0b62ff72c5b4137a111c8613596a03d7e67ecd803d32a97ac097eeda0bf84aa6ef1a27d36be8d452755848720e21d5532144b0181e17e542d133554 |
memory/1684-113-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/2580-112-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/1684-111-0x000000013FE00000-0x0000000140154000-memory.dmp
C:\Windows\system\qnJVCYb.exe
| MD5 | 88b45e9fe12548341e737d53d28e1beb |
| SHA1 | 3f640187e5ceaf25b5966380e20165c00aa10d2a |
| SHA256 | 5ad54c09e5f1597722aef69ea2a4c58b8c66a2bc7ce429346f3ff2f96f2b4658 |
| SHA512 | 73c1d48e970a128a12bb002e0a7398ff5c7d8857d047b5bb99d012614d91abc4351b6c454d00ba70107f1c4a1f3c0d5fcba5e97861bd888b9302b3c649519f01 |
memory/1684-135-0x000000013F240000-0x000000013F594000-memory.dmp
C:\Windows\system\KdOPoZZ.exe
| MD5 | 1a37a6dcd045b1102bf253959d45437d |
| SHA1 | bcad682ee8bf8f0f3cd60750f7ceab6f0758b4ef |
| SHA256 | 6a125340e7cd3f9d8ef83ac3221e98950c681c16e381307fc0dcc9417c1cffd5 |
| SHA512 | 5f479e131cb5a3d40baa52bc5139fb0b685219bbdb88e0ff1283da178e585d9f97e84c04dac8623709aebfa53af0d270bdae452cfc97fba688a777bdfcf53b94 |
C:\Windows\system\klKvZIR.exe
| MD5 | d62805b7748fe925ad5feea84d5c1fcc |
| SHA1 | b7a4ec8c33c0705b46fea6061a3334739de6dacc |
| SHA256 | 9d2597b831899fa007bb4160570a061e1e7692e64fc072ddb417a5c6ea34bee0 |
| SHA512 | f5ef5042e1bb0be08321d9f260cb1e9c04fa36fb7eae832ab28a3341ed2f8ef4dc1a4f0c79f6a398f9b8ffa5f56ef3710d12a0d40118f474e69fa4e7a70f5cb2 |
memory/2508-63-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/1684-62-0x0000000002220000-0x0000000002574000-memory.dmp
memory/2772-57-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2936-56-0x000000013F380000-0x000000013F6D4000-memory.dmp
memory/2724-55-0x000000013F8B0000-0x000000013FC04000-memory.dmp
C:\Windows\system\HlHgsqQ.exe
| MD5 | e78f41432ba19925d021746529dd75a3 |
| SHA1 | 17324759f4e8a5c8de8320dcff8edc8238ff6fcd |
| SHA256 | 98c4916ab02a4ef284768ba401d9050a90ba7622a89717559a3e6050eee19843 |
| SHA512 | 363dfcb863d5276f4a2ac026410ab7e25f33aee6b69d98cb6dbae140c7f15f6e80f75c57732e38bcf3fbbdf88fffa1a136660e9fc99b5f9359181a54ffcf1000 |
C:\Windows\system\mwUsmsu.exe
| MD5 | 470f503fdacf95aaa0381d08e76350b8 |
| SHA1 | 8689df4da12ea71d195f7a0b86883034954f2ec3 |
| SHA256 | 6880f96b4e4a0f9fbf5cac206552b03de32a54457d9250a5b3c804c210083813 |
| SHA512 | fd64655365e3e1bf51d0c46c5b9b05651a88882aac2d04f384308b75efd19be841f1aef5eab9336be338a7e392345fff03f72b4a3a832bb7191d529c69cbbdcf |
memory/1684-48-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/1684-47-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/1684-46-0x0000000002220000-0x0000000002574000-memory.dmp
memory/2612-39-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/1684-27-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/1684-26-0x0000000002220000-0x0000000002574000-memory.dmp
memory/3068-25-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/1684-34-0x000000013F6B0000-0x000000013FA04000-memory.dmp
C:\Windows\system\UhilpgV.exe
| MD5 | dd43b2d0b92be2f9ed4e43c04199a70c |
| SHA1 | 30181a4a5892bd4eb8fc926f8e47162ec32145cb |
| SHA256 | 4b940748395cd26fbada154e0876b104df4a56bc130e590bc55e1cd564472841 |
| SHA512 | 6ebbb8a5a54c08eaa84594c5a287019fe0861f2071ab94b259eeab6dbd64b7ed97fdb690fa9fd8f1e3c08a966186cd73ffd121679107c91834e8aa3be7d8c6a6 |
memory/1684-24-0x0000000002220000-0x0000000002574000-memory.dmp
memory/2332-23-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2128-137-0x000000013F020000-0x000000013F374000-memory.dmp
memory/1684-136-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/1684-138-0x0000000002220000-0x0000000002574000-memory.dmp
memory/2508-139-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2148-140-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/3068-141-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/2332-142-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2612-143-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/2128-144-0x000000013F020000-0x000000013F374000-memory.dmp
memory/2936-145-0x000000013F380000-0x000000013F6D4000-memory.dmp
memory/2724-147-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/2772-146-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/3040-150-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/2508-149-0x000000013F3E0000-0x000000013F734000-memory.dmp
memory/2044-152-0x000000013FBB0000-0x000000013FF04000-memory.dmp
memory/2776-151-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2580-148-0x000000013FE00000-0x0000000140154000-memory.dmp
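Every one of the 21 executables dropped in this run has a different MD5, SHA1, SHA256 and SHA512, and the win10 run drops another 21 that differ again, so blocking on file hashes will not carry over to the next detonation; the stable indicators are the drop directory, the name shape and the C2 endpoint. The listing above also writes the same location two ways (C:\Windows\system\... and \Windows\system\...). The Python below is an added example, not part of the report or of the tool that generated it: it parses this Files layout (a path line followed by pipe-delimited hash rows, with memory/... dump names interleaved) into records, rejects digests of the wrong length, normalises both path forms, and counts distinct digests. The embedded excerpt is the first three entries copied from the listing above.

```python
import re

# Expected hex length for each digest the report lists.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")


def normalise_path(path):
    """Give NT-style '\\Windows\\system\\x.exe' the drive letter the other
    entries carry and fold case, since NTFS paths compare case-insensitively."""
    if path.startswith("\\"):
        path = "C:" + path
    return path.lower()


def parse_files_section(text):
    """Return (records, dumps): one dict per dropped file, keyed by 'path' and
    the lower-cased digest names, plus the memory-dump names found in between."""
    records, dumps, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("memory/"):
            dumps.append(line)
            continue
        m = HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError(f"hash row before any file path: {line}")
            alg, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LENGTHS[alg]:
                raise ValueError(
                    f"{alg} for {current['path']} has {len(digest)} hex chars, "
                    f"expected {HASH_LENGTHS[alg]}"
                )
            current[alg.lower()] = digest
            continue
        if line.startswith("|"):
            raise ValueError(f"unrecognised table row: {line}")
        current = {"path": normalise_path(line)}
        records.append(current)
    return records, dumps


def distinct_digests(records, alg="sha256"):
    """Set of distinct digests for one algorithm. For this sample it equals the
    number of files, which is why hash-based blocking does not generalise."""
    return {r[alg] for r in records if alg in r}


# Excerpt copied from the behavioral1 Files listing (three of the 21 entries).
SAMPLE_FILES_SECTION = r"""
memory/1684-0-0x000000013F240000-0x000000013F594000-memory.dmp
\Windows\system\lsfOWFQ.exe
| MD5 | 0161c02e29aaa37126e9f49c7cc256a8 |
| SHA1 | 183080b4a6ca192c4f2b6705f683441c8ac53c53 |
| SHA256 | d80631dc2c8580acb520a6615c8d36ff15885774c94325d51ca6063c5b4b63bd |
| SHA512 | 810b4822e7824d90eee3680066217399dee3c00cb8f58dca99646deffdc38a354f755ac4e3900522e8acec1714728dc38c6e5709911016799d24330cbcb9b8bb |
C:\Windows\system\HMwOZKS.exe
| MD5 | f86fa47acd0c7111789e1994a0da66ac |
| SHA1 | 9adbe746ef5d779c4c3253f3b141de8985575496 |
| SHA256 | fe38779d2ee22cb1849df83a74ac7e43a97d61a73fcc14dfed0a244620eec553 |
| SHA512 | 16fb896b506ea58efe18f79db67fddfd7fcb5ac2bb18fc488eaec59a149e50bb93e14a49f9528241268fcf0d25e6664d2e74bfe90b97f0ade5d206a282d6330b |
\Windows\system\FnSjCJZ.exe
| MD5 | 776bcdfbc39c30efb953ad4f4ea686b4 |
| SHA1 | d80ff38ebf4e8405803b274a157dbcbceffdd2a0 |
| SHA256 | c32a76fb8d87796013ec6c5653163994bbdd16d3434a29968938daff22e98715 |
| SHA512 | 8b4f3705114711d9114d4c495775d217cee0fdee44d47f19664d857786f0bb529406e757b6520769315a4a232bc40c323997834f367e533e49d5b2f1957c95a8 |
memory/2148-21-0x000000013F760000-0x000000013FAB4000-memory.dmp
"""

if __name__ == "__main__":
    files, dumps = parse_files_section(SAMPLE_FILES_SECTION)
    for f in files:
        print(f["path"], f["sha256"])
    print(len(distinct_digests(files)), "distinct SHA256 across",
          len(files), "files;", len(dumps), "memory dumps")
```

Feed the whole Files listing (from both runs) through parse_files_section and the distinct-digest count will equal the file count, confirming that the dropped copies are not byte-identical; the SHA256 set is still worth loading as retrospective hunting material, since it matches exactly what this sample left behind on the sandbox host.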
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 22:57
Reported
2024-06-08 23:01
Platform
win10v2004-20240426-en
Max time kernel
136s
Max time network
150s
Signatures
Cobalt Strike reflective loader
21 matches; no description, indicator, process or target was rendered for them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 matches; no description, indicator, process or target was rendered for them.
UPX dump on OEP (original entry point)
64 matches; no description, indicator, process or target was rendered for them.
XMRig Miner payload
64 matches; no description, indicator, process or target was rendered for them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\BCAXvaW.exe | N/A |
| N/A | N/A | C:\Windows\System\qmQejWP.exe | N/A |
| N/A | N/A | C:\Windows\System\HyXiURx.exe | N/A |
| N/A | N/A | C:\Windows\System\cZqgwfG.exe | N/A |
| N/A | N/A | C:\Windows\System\xkLLsbK.exe | N/A |
| N/A | N/A | C:\Windows\System\FHQjMxD.exe | N/A |
| N/A | N/A | C:\Windows\System\tNSrmtG.exe | N/A |
| N/A | N/A | C:\Windows\System\xltclRj.exe | N/A |
| N/A | N/A | C:\Windows\System\YpiSdUZ.exe | N/A |
| N/A | N/A | C:\Windows\System\nZShWGB.exe | N/A |
| N/A | N/A | C:\Windows\System\AIPzULs.exe | N/A |
| N/A | N/A | C:\Windows\System\RzXszbd.exe | N/A |
| N/A | N/A | C:\Windows\System\iLGWsBX.exe | N/A |
| N/A | N/A | C:\Windows\System\ejAIPSJ.exe | N/A |
| N/A | N/A | C:\Windows\System\ccdBudi.exe | N/A |
| N/A | N/A | C:\Windows\System\CXGiOvk.exe | N/A |
| N/A | N/A | C:\Windows\System\kUNGGKm.exe | N/A |
| N/A | N/A | C:\Windows\System\WFTWrZE.exe | N/A |
| N/A | N/A | C:\Windows\System\LeSExwU.exe | N/A |
| N/A | N/A | C:\Windows\System\fmTxNuA.exe | N/A |
| N/A | N/A | C:\Windows\System\mZJjVqq.exe | N/A |
UPX packed file
64 matches; no description, indicator, process or target was rendered for them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_b77dc70f4184bd2cb80b83c725a9b290_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\BCAXvaW.exe
C:\Windows\System\BCAXvaW.exe
C:\Windows\System\qmQejWP.exe
C:\Windows\System\qmQejWP.exe
C:\Windows\System\HyXiURx.exe
C:\Windows\System\HyXiURx.exe
C:\Windows\System\cZqgwfG.exe
C:\Windows\System\cZqgwfG.exe
C:\Windows\System\xkLLsbK.exe
C:\Windows\System\xkLLsbK.exe
C:\Windows\System\FHQjMxD.exe
C:\Windows\System\FHQjMxD.exe
C:\Windows\System\tNSrmtG.exe
C:\Windows\System\tNSrmtG.exe
C:\Windows\System\xltclRj.exe
C:\Windows\System\xltclRj.exe
C:\Windows\System\YpiSdUZ.exe
C:\Windows\System\YpiSdUZ.exe
C:\Windows\System\nZShWGB.exe
C:\Windows\System\nZShWGB.exe
C:\Windows\System\AIPzULs.exe
C:\Windows\System\AIPzULs.exe
C:\Windows\System\RzXszbd.exe
C:\Windows\System\RzXszbd.exe
C:\Windows\System\iLGWsBX.exe
C:\Windows\System\iLGWsBX.exe
C:\Windows\System\ejAIPSJ.exe
C:\Windows\System\ejAIPSJ.exe
C:\Windows\System\ccdBudi.exe
C:\Windows\System\ccdBudi.exe
C:\Windows\System\CXGiOvk.exe
C:\Windows\System\CXGiOvk.exe
C:\Windows\System\kUNGGKm.exe
C:\Windows\System\kUNGGKm.exe
C:\Windows\System\WFTWrZE.exe
C:\Windows\System\WFTWrZE.exe
C:\Windows\System\LeSExwU.exe
C:\Windows\System\LeSExwU.exe
C:\Windows\System\fmTxNuA.exe
C:\Windows\System\fmTxNuA.exe
C:\Windows\System\mZJjVqq.exe
C:\Windows\System\mZJjVqq.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1452-0-0x00007FF623990000-0x00007FF623CE4000-memory.dmp
memory/1452-1-0x0000017F229D0000-0x0000017F229E0000-memory.dmp
C:\Windows\System\BCAXvaW.exe
| MD5 | 95c7b08890678ef3487c6d9a1b2919da |
| SHA1 | 5d7dc3f123030b243ac89a67e530be3fe371f65e |
| SHA256 | 0f3a46434d3312a1494342329d2ab659a099a333e5214ad21e591c5a203e2de5 |
| SHA512 | 0063f14a4d8432a0825cc03dcdd6f2a770d3327dc0990760d7438503c100623cee8ccf16b193f0f4385f6d906da35354ea80c6b7e0f8fc3ceef861ceb1c159d0 |
memory/760-7-0x00007FF697860000-0x00007FF697BB4000-memory.dmp
C:\Windows\System\qmQejWP.exe
| MD5 | 0ff2c64b7e9e6475c703eb2aa38a7371 |
| SHA1 | 5ad0f723337d5aa68ef23c2d8377ed826556451e |
| SHA256 | d0428b1d16d48388d07c80b89a549f3bb01be93420c9a37c942d7ca5174af1b7 |
| SHA512 | ca149fcfacf00a8b25e380bb5fe636ccfbd57c5dad4ef587483199ae6c82e74007499d1e81a41bf1feef7f4df1a3c36b1dc90f453bcc883b8d09fec1d02d5d3c |
memory/3968-15-0x00007FF73C110000-0x00007FF73C464000-memory.dmp
memory/3152-22-0x00007FF70D020000-0x00007FF70D374000-memory.dmp
memory/2308-25-0x00007FF7EC1E0000-0x00007FF7EC534000-memory.dmp
C:\Windows\System\cZqgwfG.exe
| MD5 | 366568313d2761295f4beb70c8ed5269 |
| SHA1 | abe7c8071dd95a765c13d397eb3b45786fd95eb5 |
| SHA256 | 3faf68a15b98929554b55ecc3f2e5c6fb66f1d71c71763f7b065dd1f7680aa2d |
| SHA512 | 788acfb73a40fab31c6f0cf43190026a1e81cb1a90dd1960ec239c2e4e9a0f82d8523b79d3a3a118a3daee178984269135d8b04c3a75a16a6ff886400ff9ab58 |
C:\Windows\System\xkLLsbK.exe
| MD5 | 69628d43bf2d4448671e3cd1f33591bb |
| SHA1 | 97b878f33780c7b1cef79040471ecfcb8f49803b |
| SHA256 | 1e1cb4545bc0688805a7fdd23dccc31fc7a7ca2073c86c998cad4b1b0e1dd9ea |
| SHA512 | 7a9e261c69fec03036eb8488a90e65c945df2a8e4a40cdd1fba33e143bd5826c2c577ac1b3fae34a8d655ea37aada6549c624c44d9821ea963250c040044c677 |
memory/1412-38-0x00007FF7227B0000-0x00007FF722B04000-memory.dmp
C:\Windows\System\FHQjMxD.exe
| MD5 | 792cf92512a40fbba88808bc12d458fd |
| SHA1 | a9afa3e25850aad33e7d8429629433e27dd1bca1 |
| SHA256 | ae677fc187a0b3235903051fdf33d270edf14fb15ee85d01ab26c8cf35d8a248 |
| SHA512 | 55f6a7217aaf63a1347c43b0f8e77e29d6036a65c5254f19417aa1b03d194c63867ab0da4e3b7d2d20c87cc4ea1d17c76a0f9e7c3ac7584c4ebe9738bfd087c9 |
memory/2480-32-0x00007FF73B250000-0x00007FF73B5A4000-memory.dmp
C:\Windows\System\HyXiURx.exe
| MD5 | 5b73c7883aca7c7f22d93a7549f14a96 |
| SHA1 | 2b2dd082faf2b22c04707b29f415578ea6bd8538 |
| SHA256 | 5abcebe77a7b0bfe1319e1b3d252bf22bc2d79de0b6c3c090dec8e5b4db710b6 |
| SHA512 | 16ae8e57247e4201c816e2d12bdf1e7c17985b11413b5e8c7deca8f0545c148756b8af81ba1c6199c8edc59094d5601415f022dffd2ca61006b4a1ed5cb80c03 |
C:\Windows\System\tNSrmtG.exe
| MD5 | 56ab41bc574fdc887c17f1aca1c4767d |
| SHA1 | 4c2b92a6eaa00ad925f6abce879453ec5560b8ac |
| SHA256 | 0d7323f1103fbd4f6eadb8c1429707d058703db787e17a48557263ae8006cc8e |
| SHA512 | f3e451e224a7c80f6c37dffe9c432f365075e12617bee3dfe6a7cd9932967c07cf703edf388358165fed9c45adca0a2b35b34f2f5a73c8bb2c4e3760466cd4f1 |
C:\Windows\System\xltclRj.exe
| MD5 | 9bba1f6dec15a8bc96eb88a9828f4ab1 |
| SHA1 | 4d26ae195ce5ae88db7f1d6d6a53d40603e9e1e6 |
| SHA256 | 3c5d57ef30d75b984f6a0b388967cbba65ec27fd2a1b13296c4aeb6a510e1622 |
| SHA512 | 749f81be2eefc5f932c3c198317098874aace1c8c2449d44f9d99e25eca751644d665fdf592827b7c7433f8f2ebeed959ca0645fcb2ef6f6149e011ed4f2764c |
C:\Windows\System\YpiSdUZ.exe
| MD5 | ddf8da26b0b21508dc64d4864501d760 |
| SHA1 | 0236a4728e30977de1121f83cc6321b28c5e6a31 |
| SHA256 | 32137fe60a1e8f6e55182c74de545cb951c3157cb37d305cc553ce72d82ddd3a |
| SHA512 | 7be354c1fca9c0d81bb531f6163e4b3bf52719f2c6614f3915b09685757150acbaf6691b5ca06933dce98ceb6ef7ea68a890f98fdfaffd3c40b68bda137f6eb2 |
memory/1728-56-0x00007FF777AB0000-0x00007FF777E04000-memory.dmp
memory/1016-52-0x00007FF7966B0000-0x00007FF796A04000-memory.dmp
memory/1008-46-0x00007FF7B4290000-0x00007FF7B45E4000-memory.dmp
C:\Windows\System\nZShWGB.exe
| MD5 | e1841de9adc3d5a75cd7ee653779188d |
| SHA1 | b4eb2abd7768286163e810a1436d6b3b8c1e938a |
| SHA256 | 5bc364588ed0b7ee648bbab9a04dfa32affcc3497274eb845afbcb9e4a633f71 |
| SHA512 | ab3b9449acbeda476e60a5d45e40da2e8bfd080ccbc9921918661359c28c950dfe37eb0cff143c0df6dd4f0c8a29674bcbe30736f4f87847053e29c38d3e0cd2 |
C:\Windows\System\RzXszbd.exe
| MD5 | 91937a045f1752b390236ec63d8d6b66 |
| SHA1 | 8e7fe3b9cea82921e8240eabbe439eb11c31e0e0 |
| SHA256 | bd86403b49c1819392f7248398a48208ade8692b7809fc1fc938d053ea17838d |
| SHA512 | 1bbaf65beefb8b13aea0b720f4b33e5c370be467424b6cf1f9b1b66e7c786eac7054848f9317cf97b46070628848af0a5bcbf407ee8314f7ac6df4d1c4921520 |
memory/3096-72-0x00007FF672BF0000-0x00007FF672F44000-memory.dmp
memory/2116-74-0x00007FF62AC00000-0x00007FF62AF54000-memory.dmp
memory/760-73-0x00007FF697860000-0x00007FF697BB4000-memory.dmp
memory/440-71-0x00007FF72E460000-0x00007FF72E7B4000-memory.dmp
memory/1452-66-0x00007FF623990000-0x00007FF623CE4000-memory.dmp
C:\Windows\System\AIPzULs.exe
| MD5 | 15530965d2cf01c2d1d175e3db759fb6 |
| SHA1 | 2a79f23a19bcd35bde065aae7ba79346f1cd6df1 |
| SHA256 | 92d56f4432f4345ae465489ca5e13b6d2c8a5229094fae152ec4a3647033b135 |
| SHA512 | 9a48664fcb0e11d177c7d44777535fd2bdb03a00893ae30ee2a50d6fc1e379d0b02a6999cc06717435a20a3ba93b65eb6f310d16fba425adf5cfa32e59fcc6a9 |
memory/3968-84-0x00007FF73C110000-0x00007FF73C464000-memory.dmp
C:\Windows\System\ejAIPSJ.exe
| MD5 | 9a15c356e98789abfc34c3e0ae1b883a |
| SHA1 | 0d6ffb36469635e9ac5db4c1fa460d172e025b44 |
| SHA256 | fbb5466335fc71d64ce548958c3aa2599587ac502fb9dbd36b52ec436c9cfa7a |
| SHA512 | ebabbd56c95d7cdb07de0dc83807fbf3394ee0f6f31ea15ed87013d5ead98e6e34e46e440eec47b4410129de85a94f02e0ab36c14aa45688b100ce6e6a431cae |
C:\Windows\System\ccdBudi.exe
| MD5 | 941a427ae9f0bc0b49a780a6d2ee2730 |
| SHA1 | 051d81a822bd4dab22fd6310e72abf706b67ef5f |
| SHA256 | aa0610d4e4a5835a092d70c35503b8eb9b664a573374f6179cc7d9b5f71a34eb |
| SHA512 | 02b5db70e64f8799c4476b0c2c281059182d363919897de527992d54ca9c2415d8c55a36aebfe2a4303dacb520f7699f7f2e953791a2101a91bb249722223e46 |
memory/2988-91-0x00007FF7F9F70000-0x00007FF7FA2C4000-memory.dmp
memory/2308-90-0x00007FF7EC1E0000-0x00007FF7EC534000-memory.dmp
memory/4652-87-0x00007FF7BF080000-0x00007FF7BF3D4000-memory.dmp
memory/3152-85-0x00007FF70D020000-0x00007FF70D374000-memory.dmp
C:\Windows\System\iLGWsBX.exe
| MD5 | b197abe43df5488fc52cdba0fec952d0 |
| SHA1 | af43ca114d1c7dcf96a945d0e76aee48c15f0160 |
| SHA256 | b4da76d33578678d6c51c15788ee0b70042b0598b1626668425cbcb865df0b0a |
| SHA512 | 9b58491e11787e8737550fef06ad4f650aa86ba5eff71f8854258459db13e11f9f73d5441032e3b7f8f2649b2993d99f6d8accda11262ea512c1a615561d0941 |
C:\Windows\System\CXGiOvk.exe
| MD5 | 3841d3131bdc70a1cf74942213460680 |
| SHA1 | e066ede4ce1cfdb2ea8111ae73f718eb8b157bd9 |
| SHA256 | b4d269eec56539100336c47edcf07ade25ee028ddd2f468b5ccafc2495eaa0a4 |
| SHA512 | 77b6c9843e542c6ef34515300b738e90e6b505a929acee13a482482161e043ddee1028dddba920c8c9ca07a42160a603ae89b3ec75270ab6e028949695a5b7fe |
C:\Windows\System\CXGiOvk.exe
| MD5 | ddf1ed73b9403678fb76d893152912d5 |
| SHA1 | e3f0c5585eb013ee7e86e7e59e665d6494cbc7b9 |
| SHA256 | 777128d5472c29c07089a948f8e09ec3428363543775a541ff05067c892c8974 |
| SHA512 | aa6b8921324dae635b68de5d393daf5de48b8f9955094a5044c26bd8aa77e32a5a9b0c082f708aedc074137e3fa1c13005430fa7133f4254cf86c79f4f76bbee |
C:\Windows\System\WFTWrZE.exe
| MD5 | 6581aebb54c9ccf3aaf9c03af0320fd3 |
| SHA1 | dbd2b49e32876cc4390f1036fab524e4722a75fe |
| SHA256 | f00a8f1554106511760a97bdefd81236d00006f2964fd75756f00d4959f764a0 |
| SHA512 | 9fc3158eec502ed07f26f2aa9f7e27a2a06c116033c7e7ac321bd44bb6789bfa5bb3469ec4c9453c8bbcf9707b6d0753bc65ab5758ef4244b774f594984f7359 |
C:\Windows\System\mZJjVqq.exe
| MD5 | a30309fab83eaa4a0c44e47c883f646f |
| SHA1 | dd2d41e93a97a2f2a379142bd7b77878a1cabdb1 |
| SHA256 | 01e09cbf813ead4fbce1b8fc54072249be65d4d5b98bf3361ee866f607c85ece |
| SHA512 | d0001fc28c9ce59101ab06ca39249a48e6fea1d5fc61476d1ecf0984a379073408e2ccfd5c7e35345eef338af16498be76c31198bc892a27a28616249c194468 |
C:\Windows\System\fmTxNuA.exe
| MD5 | 0c52b043d74b54e4c2f15cd415f302c6 |
| SHA1 | f21234df7543c8a5cfbe527506ed59c37afb7d97 |
| SHA256 | 155eb5cd60e4a57edde50394ecc5c6ee542aa60d14c70472bf1552aa23f41e08 |
| SHA512 | 6958fe215ff20bdb18027407cadb7270ce8e7e9223896db495e9bf5a907cb7c4d414990090c61b6774675d1d81008ffc7eb399c8e6b233338374ada7780d0253 |
C:\Windows\System\mZJjVqq.exe
| MD5 | e8e2c7d4940db305f2e2c3aa9e70de3b |
| SHA1 | a427c715f2f5d3f4634f8ad03fcbf1e3afb1961c |
| SHA256 | de2668cd3fb6085f7643a8d9aedc2205b4122fe842bbcb60b9de094281ff5157 |
| SHA512 | a0de6b918179206bccecf25ee037c7060d724d35e6213109ff80aaefd25225ab1ecdaf0b2f7a40c8fd67a00694b5788392b94fb4a0d7e0b1b83abebd34fdde17 |
C:\Windows\System\LeSExwU.exe
| MD5 | aabe5dffdfecb8d2bdc128c9795ed991 |
| SHA1 | cdc278cf1a3d3a036b94d7ecc0319705df19a311 |
| SHA256 | 69bd823d7d2d1bde169c5502e9e49466e049c48dc9e80b4ab5cd3bfa9cb6d082 |
| SHA512 | a7f57b740477bc77efa780db1a068ebb12ea6ce9a4fee903525c94846f6d7bb8d8724164ace4620e19c4051efe0e7bc2797aa7290deefddb26af26c0eefbdeda |
memory/3216-124-0x00007FF714940000-0x00007FF714C94000-memory.dmp
memory/5080-120-0x00007FF666B70000-0x00007FF666EC4000-memory.dmp
memory/3080-117-0x00007FF78E310000-0x00007FF78E664000-memory.dmp
memory/1412-115-0x00007FF7227B0000-0x00007FF722B04000-memory.dmp
C:\Windows\System\kUNGGKm.exe
| MD5 | 21547154e771af6da85392dde8ea1992 |
| SHA1 | 72df5acd5cecc72873fc41992e526e6b67e31ed9 |
| SHA256 | 0fbc7af09b3865925425657f371b37b4d07c651ed28f0f1d721c2ed2d4c0b3b4 |
| SHA512 | 2c796da96b3b31f4218248eb10220502cf5d42701518b3b18f558fd42e755c8bc8f5423911d575c8fde236e46ddde0dcc7e324c955765efbe267c6e08ef79ea4 |