Analysis Overview
SHA256
c3e0edc380ba1652971834f4c15b72f2e9f5db0441cafdcb351438179cc4e4fe
Threat Level: Known bad
The file 2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
XMRig Miner payload
UPX dump on OEP (original entry point)
xmrig
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
Xmrig family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 04:18
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 04:18
Reported
2024-06-08 04:21
Platform
win7-20240508-en
Max time kernel
135s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
(21 matches; description, indicator, process and target were not recorded in this export)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
(21 matches; description, indicator, process and target were not recorded in this export)
UPX dump on OEP (original entry point)
(51 matches; description, indicator, process and target were not recorded in this export)
XMRig Miner payload
(54 matches; description, indicator, process and target were not recorded in this export)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\FkJoAIP.exe | N/A |
| N/A | N/A | C:\Windows\System\ONSAprv.exe | N/A |
| N/A | N/A | C:\Windows\System\XmjLCtc.exe | N/A |
| N/A | N/A | C:\Windows\System\vCAuASS.exe | N/A |
| N/A | N/A | C:\Windows\System\BoQnfab.exe | N/A |
| N/A | N/A | C:\Windows\System\EojtsyN.exe | N/A |
| N/A | N/A | C:\Windows\System\OwcDVnK.exe | N/A |
| N/A | N/A | C:\Windows\System\FkBjZBp.exe | N/A |
| N/A | N/A | C:\Windows\System\PcPUFQq.exe | N/A |
| N/A | N/A | C:\Windows\System\yRatOOi.exe | N/A |
| N/A | N/A | C:\Windows\System\Vnmsqqi.exe | N/A |
| N/A | N/A | C:\Windows\System\QthkMUu.exe | N/A |
| N/A | N/A | C:\Windows\System\nnQmUNj.exe | N/A |
| N/A | N/A | C:\Windows\System\MvKbPSV.exe | N/A |
| N/A | N/A | C:\Windows\System\UWHDCPJ.exe | N/A |
| N/A | N/A | C:\Windows\System\UekdhIj.exe | N/A |
| N/A | N/A | C:\Windows\System\JTwtSgq.exe | N/A |
| N/A | N/A | C:\Windows\System\tiQiMtm.exe | N/A |
| N/A | N/A | C:\Windows\System\IDPlxFk.exe | N/A |
| N/A | N/A | C:\Windows\System\NyJxBgm.exe | N/A |
| N/A | N/A | C:\Windows\System\UwIAHwQ.exe | N/A |
Loads dropped DLL
UPX packed file
(51 matches; description, indicator, process and target were not recorded in this export)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\FkJoAIP.exe
C:\Windows\System\FkJoAIP.exe
C:\Windows\System\ONSAprv.exe
C:\Windows\System\ONSAprv.exe
C:\Windows\System\XmjLCtc.exe
C:\Windows\System\XmjLCtc.exe
C:\Windows\System\vCAuASS.exe
C:\Windows\System\vCAuASS.exe
C:\Windows\System\BoQnfab.exe
C:\Windows\System\BoQnfab.exe
C:\Windows\System\EojtsyN.exe
C:\Windows\System\EojtsyN.exe
C:\Windows\System\OwcDVnK.exe
C:\Windows\System\OwcDVnK.exe
C:\Windows\System\FkBjZBp.exe
C:\Windows\System\FkBjZBp.exe
C:\Windows\System\PcPUFQq.exe
C:\Windows\System\PcPUFQq.exe
C:\Windows\System\yRatOOi.exe
C:\Windows\System\yRatOOi.exe
C:\Windows\System\Vnmsqqi.exe
C:\Windows\System\Vnmsqqi.exe
C:\Windows\System\QthkMUu.exe
C:\Windows\System\QthkMUu.exe
C:\Windows\System\nnQmUNj.exe
C:\Windows\System\nnQmUNj.exe
C:\Windows\System\MvKbPSV.exe
C:\Windows\System\MvKbPSV.exe
C:\Windows\System\UWHDCPJ.exe
C:\Windows\System\UWHDCPJ.exe
C:\Windows\System\UekdhIj.exe
C:\Windows\System\UekdhIj.exe
C:\Windows\System\JTwtSgq.exe
C:\Windows\System\JTwtSgq.exe
C:\Windows\System\tiQiMtm.exe
C:\Windows\System\tiQiMtm.exe
C:\Windows\System\IDPlxFk.exe
C:\Windows\System\IDPlxFk.exe
C:\Windows\System\UwIAHwQ.exe
C:\Windows\System\UwIAHwQ.exe
C:\Windows\System\NyJxBgm.exe
C:\Windows\System\NyJxBgm.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1508-0-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/1508-1-0x00000000002F0000-0x0000000000300000-memory.dmp
\Windows\system\FkJoAIP.exe
| MD5 | e1752158b755a05e70e46991ef769488 |
| SHA1 | 4e5632b376b920d8ddb1f7341ac1247d3f632d4d |
| SHA256 | 6d9ef2daa7b90b8d6352fc80d2c38b7d013fd0122ca035eca57b32e84039bd72 |
| SHA512 | f3d872404bd46a0b271264ce70caaf05274e22bae623899d0e5d609185df32639e8f3cce42a3478cc4e8f8bad5aec586e2a32bcc3611ee1d857f2fe4bbac2110 |
C:\Windows\system\ONSAprv.exe
| MD5 | eb8d25cfbfee160c651521be7b369792 |
| SHA1 | ac1115fa3ac40b34e300da9f0f5f5dc287e55cc4 |
| SHA256 | f970be617c70fe881b7e554c59839dc812bcd3967b8c9e0ad064ea07014b42c8 |
| SHA512 | c516bd883615ac4b03011c2a438179a299759e74b1f8b9703b3872085b866c3e05dbcc8171903ec4af90f541149f25684417c8e1fbc5f2c3fb02f296228d1b1a |
C:\Windows\system\XmjLCtc.exe
| MD5 | b2791449fcefcc0688c4943fcf189ac8 |
| SHA1 | 81508589ad6ea2d41ae6c08c103f0a29369fbacf |
| SHA256 | a58bb1f41f07a0b6d30e3806775cde237901e11917ab99dd149f44bae436a8e5 |
| SHA512 | 78ac63fe8b43478775fdcbbc6d59930c605f697f5ba0e1b27b5af6950ab7b89f0e76a49e4484611070494313c33be03e69dc97740633dc6468f0aa393ed69e40 |
\Windows\system\vCAuASS.exe
| MD5 | 2da8fe4f730d09f46b8faeab20ef7640 |
| SHA1 | 1aa02a21ffd289352ab2a7a9da629a22683b0574 |
| SHA256 | 88fde3655637a75387c176465ee780a673438d53941e14e44ad53b526a4b0300 |
| SHA512 | 75aee4fd38baab40d9d1f77335215e244698a7a91eb8c85f777885c5f2e7c17469885bb8a0f129c2a683b3b12ed538d99393e5a002c2e6ad5c859e1470d457da |
C:\Windows\system\BoQnfab.exe
| MD5 | d7014d19b7692664a5ee9ce70f5b614e |
| SHA1 | d8a04573fb0ecfce1a13b322f45f53075960046c |
| SHA256 | 7574dacd0048dabd01f7970bc07f423b9ddc2b2b7d39f66aafb12e1fc5303dc6 |
| SHA512 | 21e98b1facfe2378d2d4a37aaa920fbb7e2c44e60da212e929ab4880a1d3921b564ef55d7c632c2e15cbf3fea678ec78fe07f31eac459b921f96ea79597eaf3c |
C:\Windows\system\EojtsyN.exe
| MD5 | b7f4d19383c9bbd79070d36503d82c7b |
| SHA1 | ab3169fd3f1067a11e0a5186bb41b925cbe00b60 |
| SHA256 | bb56d4f19f2d4fcde214d6d2666fc5ae04ba5daf655a121246d7db4363ed8e6a |
| SHA512 | cbaf12a27f3b0b702a17fb6b00285556e937f1712c7a6c4bfe26162cf4a4d39bb2d779a65e909219dbf79f07c13cf6b83f96e5a26ebeaf4d3d4d7783e526e1b2 |
C:\Windows\system\OwcDVnK.exe
| MD5 | 08a0340dea2fb9dec723d4ddd7ed8aa1 |
| SHA1 | 68c84322e05be3b0681824492a3af773f0e6e77b |
| SHA256 | 3e453bf91eb253db5a9b38c744fffaeaf88a533aafae4f853562ff70e0d587a4 |
| SHA512 | 6e124151938be1d5de24c78ba002820e5e7dee055fb4a7dffac5224205200564e428c5bdeb6bda1f7744ada3bb2298869a7cbdbb7d78c08fc2e786e967749315 |
C:\Windows\system\FkBjZBp.exe
| MD5 | 99d129b02e64f1ce33df8b60e6daa4e8 |
| SHA1 | 7da94f816176d0b0812c2bb9e2a635694ba3d0ec |
| SHA256 | ca96f72e4beee81847192529b95f3f11882ebd66a7135a2a2324b89de0867520 |
| SHA512 | d9eecde2124eddd2820a2d977b09fbebc19ce12226a367c560d1fc9907e881abcc63ce2f7e420b122f63f6aa54c75f55a126fd4463923b4586908964770382ba |
C:\Windows\system\PcPUFQq.exe
| MD5 | 7fd945f0f1a41e7f160e219e2d3e55e7 |
| SHA1 | d7e0b3189bbcd1c7235566ad45be0d4416ec20e1 |
| SHA256 | db2e29c77d718b524c4515969d65d7fa39746cb1aab0a69e0819ecabbfb34d29 |
| SHA512 | e4f081efc221f49a4f660f4914949924b0a93643f59a51b6aae0ae378501205822d66e00e2296e302ea23f9208f1a464ee719898af9d09658b973eb43bb25ac8 |
C:\Windows\system\Vnmsqqi.exe
| MD5 | 20ddcf1e5ca51acae88ca9cee4bfb787 |
| SHA1 | 292dcd916ad31ae37388d897238e4ad2fcf8ff0f |
| SHA256 | d79d01e90bfe323e786d6feb8a0dfa42d70de34cfa16c96c754f81720795577b |
| SHA512 | ff4ab42f58739769ad45725b0942a0ab13c0b9dd62c9ddd025c138ad8388e5ee9f2a4a94ce49711de36009803652f311268a153b63e193e307ac58a50a8590ac |
C:\Windows\system\tiQiMtm.exe
| MD5 | 3ef93bac881ba4431c5aef7b6c78614e |
| SHA1 | dee96033e0075e487cbc8dc05ff918cb03cf9184 |
| SHA256 | e0cb57410a2cc146c5432453feb72787d18653a191410c664d1f14e84c05d98c |
| SHA512 | dbd107ee11547a364386078ca40093eb7a2fcd87221c14681b44c02f4016ca8d5afddc2d6b34507ce3ffc1cfe34d26d7160f20fa3ef8db6f5759a23cc8542749 |
\Windows\system\UwIAHwQ.exe
| MD5 | 30386e5f405dffd2de7481daed73c1c8 |
| SHA1 | b2f3fd3c41fe2dbe4856e9a51459729f51d61547 |
| SHA256 | 481686b8977069b65e7176eeb30d15f23e5237869d0f3c1f69a298dccf85b503 |
| SHA512 | 0fadd3f1e57cf17b8af340b1caf18f12484013c2b540290c4cd40a6b0740d4fd0128cc6b0ca45b519badd96bea28b278d7183d8242431ee56a4cda8ddb7b49c5 |
C:\Windows\system\NyJxBgm.exe
| MD5 | 49aee70bf267e7d2f41a0ecc07fa1aed |
| SHA1 | 4b1d9cc705e5f97f0853df6d01035c3b80bec186 |
| SHA256 | 366e9142de354d90b46cd5c36efde492dba63551c0dac17326004f1c3d8d4ec3 |
| SHA512 | d49f185e784a8876b64f43985af96860768bef94e424822e7820a0b4fff04447657c4df1621cb1008c2377a4a2cbd77d207bee6a35c29bab6185e0c44bf2b3ca |
C:\Windows\system\IDPlxFk.exe
| MD5 | 5e88c76a15631fa85da79a1940d70b2d |
| SHA1 | b48581de432b58d62c010044e2f596482f02f703 |
| SHA256 | fbd33763c0889f60c798414b9bd4b19b2f1f9cf8d2d8497810c723e407da2e18 |
| SHA512 | 21cd851e12bbad16edccf5724b0873cb30956e90b08f03ede0ed5fd00083cc49591397ebc7d1663c6acf4df687c02fbcb723fbd380a87451e5d146d3b31dcd0f |
memory/2700-125-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/1508-128-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/1508-127-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2532-126-0x000000013FB90000-0x000000013FEE4000-memory.dmp
memory/2684-124-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2696-123-0x000000013FFE0000-0x0000000140334000-memory.dmp
memory/1508-122-0x000000013FFE0000-0x0000000140334000-memory.dmp
memory/2540-121-0x000000013F510000-0x000000013F864000-memory.dmp
memory/1508-120-0x000000013F510000-0x000000013F864000-memory.dmp
memory/2808-119-0x000000013F5E0000-0x000000013F934000-memory.dmp
memory/1508-118-0x000000013F5E0000-0x000000013F934000-memory.dmp
memory/2276-117-0x000000013F060000-0x000000013F3B4000-memory.dmp
memory/1508-116-0x000000013F060000-0x000000013F3B4000-memory.dmp
memory/2660-115-0x000000013F7F0000-0x000000013FB44000-memory.dmp
memory/2916-114-0x000000013FB30000-0x000000013FE84000-memory.dmp
memory/2736-113-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2652-112-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2604-111-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/1508-110-0x00000000023E0000-0x0000000002734000-memory.dmp
memory/2116-109-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/1864-108-0x000000013F520000-0x000000013F874000-memory.dmp
memory/1508-107-0x000000013F520000-0x000000013F874000-memory.dmp
C:\Windows\system\JTwtSgq.exe
| MD5 | 14eda6ae283eb82dac772ad02ce668aa |
| SHA1 | 40cc899ac6e2809fe9d516c6e15e28dbe0278590 |
| SHA256 | 79f782b615ae7ab35ddb17da0dde99dd1d86a3d6b9aff3698f330415c3b064ba |
| SHA512 | 7b118fe1e5b384eeab96bb99ee4e37ca98c027be57102f38650855a0afcdf01338cea66ae50cdd658eafcc3b49744674c3485a94945f5fb4cb913dc439c82aef |
C:\Windows\system\UekdhIj.exe
| MD5 | 58a1c099f109d8754c6bd915152ca134 |
| SHA1 | 7365cf14a6c03de0c4d1e97fa00040a1c9ad9f86 |
| SHA256 | f0a825b759734c117024ebe451bd69dd2d82d8e80a7e68ef788b517d810d99f1 |
| SHA512 | d6c92607f4a4148932cf657e40706819d7a928192f0ee7e80610e8e3a7db2482f96289da7503ee4be59f3ad581cbe90e4e547a2262d1fde10e543fa92148d40b |
C:\Windows\system\UWHDCPJ.exe
| MD5 | 7e6821f0b20efc8b97b7e602fd22eafd |
| SHA1 | 55cdcd25dc4e131706819ac5d6adeeb791f2f2ba |
| SHA256 | 7206dbb6450cdd1feaedaee5c9180e9f1570e1b6f76c25a1f39fb7c4c82ad5ef |
| SHA512 | 9fd32d2ca2be007ca9ecb5dd060bef091bef7089a3cf1883e9ff3ac2fac6232c5ddb41e99821f4d5eceda72e25a971bf0eff527318832a1cfd73089e57a77b61 |
C:\Windows\system\MvKbPSV.exe
| MD5 | 2e0cd6d01e96e9b8472bf8de03ecff78 |
| SHA1 | d336674034c8f1a394333ec74e5e43ec141e279f |
| SHA256 | fae0ac8781602b880279bb4b6ef08d55f48a0d5060c917556a7c1375f76a90ab |
| SHA512 | d0bad42be8f180d228244a4ef46021a3b34f3faafe12ff70375d9ece079026c2f451f166fdec0f7ee75c84526480140008812904e133d0577528cfbebe0f09d8 |
C:\Windows\system\nnQmUNj.exe
| MD5 | ee9fce39e6cd086497b820fab6383484 |
| SHA1 | 97dd1aedeb6f77dd08b2f1e65693217236c40e1e |
| SHA256 | 34739d73fac1c69b194721d75ee48f1d5ed2db5176b6534cee79fb4f40a09bdd |
| SHA512 | ca3644ac94a66f62a4cad308d1059db00225de0f90780aeed1325e2dc1e6f80e8f6f4b6b60ec31b34821e5f70e5dbf10a5deb2ef9b710a4d15b2537a21966eb8 |
C:\Windows\system\QthkMUu.exe
| MD5 | c82595569818b027c8a811fac388c474 |
| SHA1 | 8684c0bec76447d34b2d7366ddc590e5fc21c4b1 |
| SHA256 | c8f1671b09b7fcd21a7b9f2291a184541d0d15bde7bcd8f34a634bb219e558cb |
| SHA512 | 645691618b2eeaa0c9d1407907419f5dea788c7642f4fa8f3d0f9458f0271c7a39be7acafef423dbad9a5dd051c0030dce4c5f1734e218d6e9994a31cfeecae8 |
C:\Windows\system\yRatOOi.exe
| MD5 | 2e5cadb7f4f4b82440d04ac810e2280c |
| SHA1 | d034a3702f6ea2952b6a7ab205ca625eceaf38d9 |
| SHA256 | d1f86deef991d650c729a38eb1d21510b97f27d1906dabe12562d2eea1a333f0 |
| SHA512 | f62c5556c4b42a2e33929dfc2ee15191f303a096c3e5f65947f0e09112de29c05b1383a6d4227d02daa286d7e3df246623cd42883ddc353b25643658eb041e22 |
memory/1508-129-0x000000013FA50000-0x000000013FDA4000-memory.dmp
memory/1508-130-0x000000013F520000-0x000000013F874000-memory.dmp
memory/1864-131-0x000000013F520000-0x000000013F874000-memory.dmp
memory/2700-137-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/2696-136-0x000000013FFE0000-0x0000000140334000-memory.dmp
memory/2808-135-0x000000013F5E0000-0x000000013F934000-memory.dmp
memory/2660-134-0x000000013F7F0000-0x000000013FB44000-memory.dmp
memory/2604-133-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/2532-144-0x000000013FB90000-0x000000013FEE4000-memory.dmp
memory/2684-143-0x000000013FB60000-0x000000013FEB4000-memory.dmp
memory/2540-142-0x000000013F510000-0x000000013F864000-memory.dmp
memory/2276-141-0x000000013F060000-0x000000013F3B4000-memory.dmp
memory/2916-140-0x000000013FB30000-0x000000013FE84000-memory.dmp
memory/2652-139-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2116-138-0x000000013F2F0000-0x000000013F644000-memory.dmp
memory/2736-132-0x000000013F830000-0x000000013FB84000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 04:18
Reported
2024-06-08 04:21
Platform
win10v2004-20240426-en
Max time kernel
134s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
(21 matches; description, indicator, process and target were not recorded in this export)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
(21 matches; description, indicator, process and target were not recorded in this export)
UPX dump on OEP (original entry point)
(64 matches; description, indicator, process and target were not recorded in this export)
XMRig Miner payload
(64 matches; description, indicator, process and target were not recorded in this export)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\IMlTLjz.exe | N/A |
| N/A | N/A | C:\Windows\System\jwMIrak.exe | N/A |
| N/A | N/A | C:\Windows\System\yeKqTEf.exe | N/A |
| N/A | N/A | C:\Windows\System\VKdFNtM.exe | N/A |
| N/A | N/A | C:\Windows\System\RPFiAHW.exe | N/A |
| N/A | N/A | C:\Windows\System\HFNhGgh.exe | N/A |
| N/A | N/A | C:\Windows\System\YZRnNdL.exe | N/A |
| N/A | N/A | C:\Windows\System\YrmfWDK.exe | N/A |
| N/A | N/A | C:\Windows\System\RMGjlir.exe | N/A |
| N/A | N/A | C:\Windows\System\SsrKXSL.exe | N/A |
| N/A | N/A | C:\Windows\System\rzSIdld.exe | N/A |
| N/A | N/A | C:\Windows\System\QTdasCd.exe | N/A |
| N/A | N/A | C:\Windows\System\mwgyoSd.exe | N/A |
| N/A | N/A | C:\Windows\System\pAQGVpj.exe | N/A |
| N/A | N/A | C:\Windows\System\TCsAxdk.exe | N/A |
| N/A | N/A | C:\Windows\System\dBYpokm.exe | N/A |
| N/A | N/A | C:\Windows\System\aUKkoBW.exe | N/A |
| N/A | N/A | C:\Windows\System\zfviUJA.exe | N/A |
| N/A | N/A | C:\Windows\System\tdPyoYB.exe | N/A |
| N/A | N/A | C:\Windows\System\jgqdDsV.exe | N/A |
| N/A | N/A | C:\Windows\System\ZARMArD.exe | N/A |
UPX packed file
(64 matches; description, indicator, process and target were not recorded in this export)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\IMlTLjz.exe
C:\Windows\System\IMlTLjz.exe
C:\Windows\System\jwMIrak.exe
C:\Windows\System\jwMIrak.exe
C:\Windows\System\yeKqTEf.exe
C:\Windows\System\yeKqTEf.exe
C:\Windows\System\VKdFNtM.exe
C:\Windows\System\VKdFNtM.exe
C:\Windows\System\RPFiAHW.exe
C:\Windows\System\RPFiAHW.exe
C:\Windows\System\HFNhGgh.exe
C:\Windows\System\HFNhGgh.exe
C:\Windows\System\YZRnNdL.exe
C:\Windows\System\YZRnNdL.exe
C:\Windows\System\YrmfWDK.exe
C:\Windows\System\YrmfWDK.exe
C:\Windows\System\RMGjlir.exe
C:\Windows\System\RMGjlir.exe
C:\Windows\System\SsrKXSL.exe
C:\Windows\System\SsrKXSL.exe
C:\Windows\System\rzSIdld.exe
C:\Windows\System\rzSIdld.exe
C:\Windows\System\QTdasCd.exe
C:\Windows\System\QTdasCd.exe
C:\Windows\System\mwgyoSd.exe
C:\Windows\System\mwgyoSd.exe
C:\Windows\System\pAQGVpj.exe
C:\Windows\System\pAQGVpj.exe
C:\Windows\System\TCsAxdk.exe
C:\Windows\System\TCsAxdk.exe
C:\Windows\System\dBYpokm.exe
C:\Windows\System\dBYpokm.exe
C:\Windows\System\aUKkoBW.exe
C:\Windows\System\aUKkoBW.exe
C:\Windows\System\zfviUJA.exe
C:\Windows\System\zfviUJA.exe
C:\Windows\System\tdPyoYB.exe
C:\Windows\System\tdPyoYB.exe
C:\Windows\System\jgqdDsV.exe
C:\Windows\System\jgqdDsV.exe
C:\Windows\System\ZARMArD.exe
C:\Windows\System\ZARMArD.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
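The three behaviours that both detonations (behavioral1 and behavioral2) record in the same shape, a parent that starts a run of seven-letter executables dropped into C:\Windows\System, a SeLockMemoryPrivilege token adjustment, and repeated TCP connections to 3.120.209.58:8080, translate directly into detection logic. The Python below is an added example, not part of this sandbox report or of any vendor's tooling. It runs those checks over constructed event records modelled on the behavioral1 run: the PIDs are taken from the memory-dump names above, the parent/child links and the process that opened the connection are assumed (the export does not record them), and the SQL Server allow-list entry is a placeholder. XMRig enables SeLockMemoryPrivilege to back its RandomX dataset with large pages, which is why that token adjustment shows up on a miner; the endpoint is flagged only as a reported destination, since the export contains no decoded beacon configuration.

```python
"""Detection checks for the behaviours recorded in this report, run over
constructed event records (added example; not sandbox code)."""
import re
from collections import defaultdict

# Indicator taken from the report's Network tables (both runs).
C2_ENDPOINTS = {("3.120.209.58", 8080, "tcp")}

# C:\Windows\System (the legacy directory, not System32) normally contains no
# executables; every file dropped there in this report is 7 letters + .exe.
DROPPED_EXE = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)

# Assumed allow-list of images that legitimately enable SeLockMemoryPrivilege
# (large-page allocation). This path is a placeholder to tune per environment,
# not something taken from the report.
LOCK_MEMORY_ALLOWED = {
    r"c:\program files\microsoft sql server\mssql16.mssqlserver\mssql\binn\sqlservr.exe",
}

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-08_542b3fdb559f2ce2afbb8bf0a94d2310_cobalt-strike_cobaltstrike.exe")

# Constructed events modelled on the behavioral1 run. PIDs come from the
# memory-dump names; parent/child links and the connecting PID are assumed.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "pid": 1508, "ppid": 600, "image": SAMPLE},
    {"type": "PrivilegeAdjust", "pid": 1508, "enabled": ["SeLockMemoryPrivilege"]},
    {"type": "ProcessCreate", "pid": 1864, "ppid": 1508, "image": r"C:\Windows\System\FkJoAIP.exe"},
    {"type": "ProcessCreate", "pid": 2116, "ppid": 1508, "image": r"C:\Windows\System\ONSAprv.exe"},
    {"type": "ProcessCreate", "pid": 2604, "ppid": 1508, "image": r"C:\Windows\System\XmjLCtc.exe"},
    {"type": "NetworkConnect", "pid": 1508, "dst": "3.120.209.58", "port": 8080, "proto": "tcp"},
    {"type": "NetworkConnect", "pid": 1508, "dst": "8.8.8.8", "port": 53, "proto": "udp"},
    # Benign control: a service host enabling an unrelated privilege.
    {"type": "ProcessCreate", "pid": 4012, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe"},
    {"type": "PrivilegeAdjust", "pid": 4012, "enabled": ["SeImpersonatePrivilege"]},
]


def analyze(events, min_drops=3):
    """Return one finding per rule hit: {'rule', 'pid', 'detail'}."""
    image, parent, findings = {}, {}, []
    for ev in events:
        kind = ev["type"]
        if kind == "ProcessCreate":
            image[ev["pid"]] = ev["image"]
            parent[ev["pid"]] = ev["ppid"]
            if DROPPED_EXE.match(ev["image"]):
                findings.append({"rule": "dropped_exe_in_windows_system",
                                 "pid": ev["pid"], "detail": ev["image"]})
        elif kind == "PrivilegeAdjust" and "SeLockMemoryPrivilege" in ev["enabled"]:
            img = image.get(ev["pid"], "<unknown>")
            if img.lower() not in LOCK_MEMORY_ALLOWED:
                findings.append({"rule": "selockmemory_enabled",
                                 "pid": ev["pid"], "detail": img})
        elif kind == "NetworkConnect":
            if (ev["dst"], ev["port"], ev["proto"]) in C2_ENDPOINTS:
                findings.append({"rule": "known_c2_endpoint", "pid": ev["pid"],
                                 "detail": f'{ev["dst"]}:{ev["port"]}/{ev["proto"]}'})
    # Correlate: one parent starting several freshly dropped executables from
    # C:\Windows\System is the mass-drop pattern both detonations show.
    drops = defaultdict(list)
    for f in findings:
        if f["rule"] == "dropped_exe_in_windows_system":
            drops[parent.get(f["pid"])].append(f["pid"])
    for ppid, kids in drops.items():
        if len(kids) >= min_drops:
            findings.append({"rule": "mass_drop_parent", "pid": ppid,
                             "detail": f"{len(kids)} dropped executables started"})
    return findings


def rules_by_pid(findings):
    """Group rule names per process so a triage view can rank processes."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f["pid"]].add(f["rule"])
    return dict(grouped)


if __name__ == "__main__":
    for pid, rules in sorted(rules_by_pid(analyze(SAMPLE_EVENTS)).items()):
        print(pid, sorted(rules))
```

The per-process grouping is the useful output: a single process that trips the privilege rule, the C2 rule and the mass-drop correlation is a far stronger signal than any one rule alone, and the svchost control shows that a privilege adjustment by itself does not fire. In production the events would come from Sysmon (IDs 1 and 3) and the Security log (4703, "A user right was adjusted"), and the allow-list and `min_drops` threshold need tuning per environment.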
Files
memory/1168-0-0x00007FF6DD380000-0x00007FF6DD6D4000-memory.dmp
memory/1168-1-0x000001E750AD0000-0x000001E750AE0000-memory.dmp
C:\Windows\System\IMlTLjz.exe
| MD5 | 92b2be58e354baf918b1fb0b4d8064e6 |
| SHA1 | de267289ad7821a3f2c31822e464ca3bd53996bf |
| SHA256 | eb6bbd4fb2274f598995a6eac25deee9ccfa854e7679986c68fa30bc369b551d |
| SHA512 | cb66d81da9e5f6b45f07e3c8a25a2fb440b22bde0e94b8cf8d844d0196eece86fb3c6e9a28bdfd22b900ed85049eca3920e5aafb8d47f001b47d50aa3ab1cdab |
memory/5312-8-0x00007FF7071F0000-0x00007FF707544000-memory.dmp
C:\Windows\System\jwMIrak.exe
| MD5 | ca72f189eb3433ee2d6dc4ab5440ccad |
| SHA1 | ee79994330f98365860eb452bc603957eb1d2e24 |
| SHA256 | b9e2269c4d947e0681cfba3d9994346e83374379676c557a72e5d27aec9ec233 |
| SHA512 | 1ec24d2aeaf305677a6a091b3f3c390e52bb1249d23f0edc396025df435c227a3c20fb6e07c049dfd8b1e53144208f33233c079bda262435999d1a4e82ec664c |
C:\Windows\System\yeKqTEf.exe
| MD5 | b3bd384ba76ea9762ff50304d4c6e9e0 |
| SHA1 | bf651e2a66ff6dffd464e8bf2bfa685b3974bfd6 |
| SHA256 | 2b28d6671be232dbed5d92005be8c3dabf98423a0e88621d4f44c04b70ad2abd |
| SHA512 | 7d29711bf301283c9030a564ec485d0e2b315c49245fe6483c2825d3fd514380a19d8c0ab2119fe11bc89d64861072da8cbcfdc62859cfdceec411383a2e795d |
memory/1236-14-0x00007FF6D3620000-0x00007FF6D3974000-memory.dmp
C:\Windows\System\VKdFNtM.exe
| MD5 | 74e5936d0e1cc34246142bdcf9c4938d |
| SHA1 | 33e9687791d50ddb12e95ddb8ea392662fc645ca |
| SHA256 | fc03508191960c9097d23b924401f0b77991faa3dc3e498d253f631d88bc221f |
| SHA512 | 757f709e1d16756ef34fe864b31630a15f04e8bf979c5e15d49609f34deb5bcdf5c302edf1e4dc3b2bb9a0ad5fdb2b3d631dffc2edee35cfd8d134917c375071 |
memory/5364-25-0x00007FF604A10000-0x00007FF604D64000-memory.dmp
C:\Windows\System\RPFiAHW.exe
| MD5 | 6e721f2ac4558d7f46d4118213e230b5 |
| SHA1 | 70db4e044848f8b38fd39daa0ce7172703dc2cb4 |
| SHA256 | 9510f1e9bedc9d131149738021d2c816eaebc0aaf5cc70980d458fcce21fcaeb |
| SHA512 | 8a6d0d22cf5f80d194890d35cd5abb118ce109674a79b0ba8704e2b54ba2f2eb0188ed42709d0c78cea49c7b5ec98982ce55eb195ad37de08e2adde2ee51761b |
memory/3808-22-0x00007FF7FA6C0000-0x00007FF7FAA14000-memory.dmp
memory/2656-32-0x00007FF663160000-0x00007FF6634B4000-memory.dmp
C:\Windows\System\HFNhGgh.exe
| MD5 | ba61fd9d0ef86c46b79a20c7926fb7c8 |
| SHA1 | 0b153edeab08f5e5e186f42c6f1b971215208ee5 |
| SHA256 | 60e97f3acce2b28aa81c39f83b426ff7d9cd8c355af4e544ed80612b17fddfe7 |
| SHA512 | 216aca381325834cff1645d1bd195242b38356abb4e416d0d2f3d8cde948f90b10e44381e07849397fcf587bb7d70584ad10b8644302066de4f92c8ddcfb0179 |
C:\Windows\System\YZRnNdL.exe
| MD5 | 9321947a1d266c97bf646889f33f054a |
| SHA1 | d18d9a75f33892a18d0b3b7abb12059bae8998f6 |
| SHA256 | befb3b296e4239322fadd37e26cf55c8da1460f41bb0389388168b639b89601d |
| SHA512 | 77a2e5cb949a745cc334e40c79d81389c9c360df8f028626a3f5cbfdce407e5306c51c067ff05a0fc8b88a21e588cf719474935e32f13b2a31f8a409840b1389 |
memory/3912-45-0x00007FF64A800000-0x00007FF64AB54000-memory.dmp
memory/5764-41-0x00007FF784540000-0x00007FF784894000-memory.dmp
C:\Windows\System\YrmfWDK.exe
| MD5 | d3e89294aae854d5c3e8cb28c32807a6 |
| SHA1 | fd12dca46b3834056077810946b999fe72cea8fc |
| SHA256 | 45daab2300c33a64cc2417050246735cc53060dcc0e99b9bb4b05018e6f35ccd |
| SHA512 | 09e049b8c1f130450e1166bce7742b2795242c48ebc2519f3df7b4bc2dd83836d323c7d1c714d6aeb540612567feb0ea3762156a67d1f72308937652d8ba3fd1 |
C:\Windows\System\SsrKXSL.exe
| MD5 | 5bbaa0e4f530147b31609d142d9c2505 |
| SHA1 | ea2e0ece1687d0e158582d68b983802b3c4402cb |
| SHA256 | c43d8833cb03e5ac7396771cbc95395bc3da6ef2f9988f44fed0f428aad8f236 |
| SHA512 | f63be0c4bba5c47269327dabf7dc7c5be5fc5889a58f0cdbe69da7707f7c76f06be8282cf1a0eb1f775235f3b4045688db4600b652338961ad1ea70fa50bee3d |
memory/1964-68-0x00007FF7A8650000-0x00007FF7A89A4000-memory.dmp
C:\Windows\System\QTdasCd.exe
| MD5 | 19bc3ca42f4bd7306bfed7b42f812ab1 |
| SHA1 | 56b9fec5b69e12835399d1ce3a666dd9df513b2b |
| SHA256 | 4ba25f848141ef5b4c0f7fbf71f38863452847d06705db88243f1d1a37179b09 |
| SHA512 | 423348a6c8a0cced0296550709e4151cd43b54eed044d470b802be47742987c66259d4dd8a71fc09c717ca56f98b35ba4b188bc3bbbdbbf2cc8ff30bacd13b4a |
C:\Windows\System\mwgyoSd.exe
| MD5 | f3952202723ee28509b98cdfc4ca6f81 |
| SHA1 | b3b7a87bc25b13026d5c15607f135c6cd716ba7b |
| SHA256 | 9ea7153d935067aa0e6a12d8dc59e579c76b58028706a8f16bf29ab2661102d7 |
| SHA512 | 12fb0345266cd68dea180bdae096c90f43572e07c3832d294dd1161f4ed0c022de7217ec9dc339cd20545862269eb378e4ca2f12e74f197987de76071253db16 |
C:\Windows\System\pAQGVpj.exe
| MD5 | 790667ac9ac708ca8f68dee04cb018df |
| SHA1 | d5e3ba6bf7763bb2e33014c69b9621a1154e2769 |
| SHA256 | 7630ad56796a1d9e74427309d7987ad0ecd4f22a72021a4bf521a98af540e7a7 |
| SHA512 | 86c16b125155d23c3c65f348d6edff1948e4a62bffd04f41ee1387f7b143c37914cb0903c8bbcd9c08dc280d579e8931514ff1e67e866a04936ed0c69605c54e |
C:\Windows\System\TCsAxdk.exe
| MD5 | ba4ec592413203ff282011a8279e3f37 |
| SHA1 | 4652104cdda12804b239cb830a1319919a25adfa |
| SHA256 | ce76d7a86a90faf958704f431b6c07970ae70dc0242d22231a85f4baea065ee9 |
| SHA512 | 66102f1be0b7d603fcfb049393e940cc64ad1d7db33710ca159c6dc3110cbfdd249b52cb0f0ee24e29510d1638a82d2ab8fb0b91fed409db912390a8f9b5628e |
C:\Windows\System\aUKkoBW.exe
| MD5 | f1adf94e744db78acf964d96439f37f6 |
| SHA1 | 43889f79d7577bddac5c8074ad5aa1b3c8294601 |
| SHA256 | 8efc9a4230234bfb960e0cee357234a6b9c392fd47cd74a20231efcfdda863d6 |
| SHA512 | 3fd96e5ba575644d91613882e441d1e5d9f05598d098494f818ba026a205d347e5d116aa5f9e5b733fa8a09df335fbe5a5e51d5c469cae9c47f6be47679eb49c |
C:\Windows\System\tdPyoYB.exe
| MD5 | b8b7f6402aada946193bc28803666b18 |
| SHA1 | 76ae1b748519e1b4bf545ced95d879f2c893aac3 |
| SHA256 | 73004624f5036fe9d094375f88fdde6bc80cf61371322fb3d0db92b8886c6fbc |
| SHA512 | c618e62082e3f46cd35708160389075f027f8f1bcd7232b2fe1dc95cca44cb585f3ad27ac58f8ff59f7936bbe6a9ddc0bcfb2d05bf712ced4f23cac60e02b932 |
memory/852-128-0x00007FF6CF2F0000-0x00007FF6CF644000-memory.dmp
memory/3604-131-0x00007FF7C1D50000-0x00007FF7C20A4000-memory.dmp
C:\Windows\System\ZARMArD.exe
| MD5 | ed43655df2ac288c3e12fdadf0a74e4d |
| SHA1 | 837cfef1226df966e40a50b014d78c1544a97a82 |
| SHA256 | 9b976d72c8a6c95cf354705d4ce474912e02c77d1a4b2a6cd12352fff6ee7f2f |
| SHA512 | 0aa59b4af2abd065cbeeb634e6bb8e098ad92b4b5db9ccf58f754b9b139765190eba6f7cda3f54f63869b1cccac21d98b7fb794974ad9ab9233127a1badbce7d |
memory/3912-127-0x00007FF64A800000-0x00007FF64AB54000-memory.dmp
C:\Windows\System\jgqdDsV.exe
| MD5 | f8038ce8b27815aa499d8c518ab0da80 |
| SHA1 | 15eb0bc8c341668204551ea29efdf93e6ba27279 |
| SHA256 | 198693f3d23de3c99441c1b0d82f4cc159d9f9d33048586c60c44e50bc3af44d |
| SHA512 | f6bb23f6297809018cbd13845b6c72e620977003fee622eb3418eb99968cc917c319bcb4d6ad389a6474af8193222dfacb1a15fe527476c6a916356c3a87c6f6 |
memory/1556-124-0x00007FF7AD9F0000-0x00007FF7ADD44000-memory.dmp
C:\Windows\System\zfviUJA.exe
| MD5 | 03f4e5387b6d3dcfc6829b63c64c232a |
| SHA1 | 1dc8e7f8acfb2091e7337093da7bedd309603c15 |
| SHA256 | 6e24aefbb53bf4348f4d0035d10d4bf2dfaa2a4efe1a8607930f18a9388a6de8 |
| SHA512 | 3361f7dd0050747f651c27a98eb76acb5d0631664cf5f7491dced1572a202511c89b079bc50955e0c5f74f830ca467ef7485c34a0d91526cbfe23560ee2269e6 |
memory/1708-120-0x00007FF64A740000-0x00007FF64AA94000-memory.dmp
memory/3036-118-0x00007FF7BDFC0000-0x00007FF7BE314000-memory.dmp
memory/3748-109-0x00007FF6CB870000-0x00007FF6CBBC4000-memory.dmp
memory/5364-105-0x00007FF604A10000-0x00007FF604D64000-memory.dmp
memory/2988-104-0x00007FF6C7490000-0x00007FF6C77E4000-memory.dmp
C:\Windows\System\dBYpokm.exe
| MD5 | 5e8c5fbd23eb1f35c12b5b7f8101d562 |
| SHA1 | 1f1ed010c4649051c1691017404b6446103348f9 |
| SHA256 | 17a69f3639e0b04d6ea4884e1352f39258c8b131c681a18600c4ded39bd5abc9 |
| SHA512 | cb797278003ddddbbb40b7bf261261e29ba28b3d37ef5092939226e4533b523dbcf9d0df0efac508801f28e66ad24b445d25807874dc20730e427a5e55a5c1a8 |
memory/5336-97-0x00007FF622470000-0x00007FF6227C4000-memory.dmp
memory/4484-96-0x00007FF7EF470000-0x00007FF7EF7C4000-memory.dmp
memory/3640-92-0x00007FF7BE870000-0x00007FF7BEBC4000-memory.dmp
memory/5112-91-0x00007FF65D9F0000-0x00007FF65DD44000-memory.dmp
memory/3808-77-0x00007FF7FA6C0000-0x00007FF7FAA14000-memory.dmp
C:\Windows\System\rzSIdld.exe
| MD5 | 52c0cb829bec8318c982865002405878 |
| SHA1 | 7b01bafbc66e39571526e2eecfad4eff80101928 |
| SHA256 | 5299f8f482c3cec5b1a3db9d931c2d2abf3a36e9aff410e2c71b2d7e54565523 |
| SHA512 | f8d0786140b734ee832085c8b5a9d5df2fbf4cf71b065e71a949fa450ccbcab98a45cf6bca226812064dc7206c5aae3f38a0f9a7d1e0f702dc34b8557a4f870c |
memory/1888-69-0x00007FF6D3300000-0x00007FF6D3654000-memory.dmp
memory/1168-63-0x00007FF6DD380000-0x00007FF6DD6D4000-memory.dmp
memory/4820-61-0x00007FF672E80000-0x00007FF6731D4000-memory.dmp
C:\Windows\System\RMGjlir.exe
| MD5 | bf537357a260f175fcb0f5d3c1c6996d |
| SHA1 | c3f4e2bd821c6c06b76fe58932ef49b6d08350ea |
| SHA256 | 02efc071a2ac1de3f01250716e00c24fd50e000e410bf2f404c4395bf9627d7c |
| SHA512 | e9743445b7afc1222cab7d224c9ffd90250bd55e2b500218de0805c127108dfc1327cb1cd05ea811c3ef8f672f1e2a017c89d360935ef39c6ed6b9d0abd62dba |
memory/3604-51-0x00007FF7C1D50000-0x00007FF7C20A4000-memory.dmp
memory/1964-133-0x00007FF7A8650000-0x00007FF7A89A4000-memory.dmp
memory/4484-135-0x00007FF7EF470000-0x00007FF7EF7C4000-memory.dmp
memory/1888-134-0x00007FF6D3300000-0x00007FF6D3654000-memory.dmp
memory/2988-136-0x00007FF6C7490000-0x00007FF6C77E4000-memory.dmp
memory/3748-137-0x00007FF6CB870000-0x00007FF6CBBC4000-memory.dmp
memory/3036-138-0x00007FF7BDFC0000-0x00007FF7BE314000-memory.dmp
memory/1708-139-0x00007FF64A740000-0x00007FF64AA94000-memory.dmp
memory/852-140-0x00007FF6CF2F0000-0x00007FF6CF644000-memory.dmp
memory/5312-141-0x00007FF7071F0000-0x00007FF707544000-memory.dmp
memory/1236-142-0x00007FF6D3620000-0x00007FF6D3974000-memory.dmp
memory/3808-143-0x00007FF7FA6C0000-0x00007FF7FAA14000-memory.dmp
memory/2656-145-0x00007FF663160000-0x00007FF6634B4000-memory.dmp
memory/5364-144-0x00007FF604A10000-0x00007FF604D64000-memory.dmp
memory/5764-146-0x00007FF784540000-0x00007FF784894000-memory.dmp
memory/3912-147-0x00007FF64A800000-0x00007FF64AB54000-memory.dmp
memory/4820-148-0x00007FF672E80000-0x00007FF6731D4000-memory.dmp
memory/3604-149-0x00007FF7C1D50000-0x00007FF7C20A4000-memory.dmp
memory/1964-150-0x00007FF7A8650000-0x00007FF7A89A4000-memory.dmp
memory/5112-152-0x00007FF65D9F0000-0x00007FF65DD44000-memory.dmp
memory/1888-151-0x00007FF6D3300000-0x00007FF6D3654000-memory.dmp
memory/3640-153-0x00007FF7BE870000-0x00007FF7BEBC4000-memory.dmp
memory/5336-154-0x00007FF622470000-0x00007FF6227C4000-memory.dmp
memory/2988-155-0x00007FF6C7490000-0x00007FF6C77E4000-memory.dmp
memory/1556-157-0x00007FF7AD9F0000-0x00007FF7ADD44000-memory.dmp
memory/3748-156-0x00007FF6CB870000-0x00007FF6CBBC4000-memory.dmp
memory/4484-158-0x00007FF7EF470000-0x00007FF7EF7C4000-memory.dmp
memory/1708-159-0x00007FF64A740000-0x00007FF64AA94000-memory.dmp
memory/852-160-0x00007FF6CF2F0000-0x00007FF6CF644000-memory.dmp
memory/3036-161-0x00007FF7BDFC0000-0x00007FF7BE314000-memory.dmp
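The Network table and the Files list above are the parts of this report an analyst actually consumes: the repeated tcp connections to 3.120.209.58:8080 are the only traffic that is not a reverse lookup through the sandbox resolver, and every `memory/<pid>-<n>-0x<start>-0x<end>` dump of a dropped EXE spans exactly the same number of bytes (0x354000), which is what you would expect when one image is started over and over under different names. The script below is an added example, not part of the sandbox report or of any tooling the sandbox vendor ships. It parses lines in the shape this page uses, copes with the extraction defect where `tcp` landed in the Domain column, and then derives the two things the raw listing does not state: the deduplicated non-DNS destinations and the region sizes shared across processes. The `SAMPLE` text is constructed from a handful of values copied from the report; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

HASH_KEYS = {"MD5", "SHA1", "SHA256", "SHA512"}
DUMP_RE = re.compile(
    r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp"
)

# Constructed sample in the shape of this report: a few Network rows, two
# dropped-file hash tables and four memory-dump lines. The short three-cell row
# and the row with "tcp" in the Domain column reproduce the page's own defects.
SAMPLE = r"""
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp |
memory/1168-0-0x00007FF6DD380000-0x00007FF6DD6D4000-memory.dmp
memory/1168-1-0x000001E750AD0000-0x000001E750AE0000-memory.dmp
C:\Windows\System\IMlTLjz.exe
| MD5 | 92b2be58e354baf918b1fb0b4d8064e6 |
| SHA256 | eb6bbd4fb2274f598995a6eac25deee9ccfa854e7679986c68fa30bc369b551d |
memory/5312-8-0x00007FF7071F0000-0x00007FF707544000-memory.dmp
C:\Windows\System\jwMIrak.exe
| MD5 | ca72f189eb3433ee2d6dc4ab5440ccad |
| SHA256 | b9e2269c4d947e0681cfba3d9994346e83374379676c557a72e5d27aec9ec233 |
memory/1168-63-0x00007FF6DD380000-0x00007FF6DD6D4000-memory.dmp
"""


def _cells(line):
    """Split a '| a | b |' row into stripped cells, dropping the outer empties."""
    parts = [c.strip() for c in line.strip().split("|")]
    return parts[1:-1]


def parse_report(text):
    """Return (network_rows, dropped_files, dumps) parsed from report-style lines."""
    network, files, dumps = [], {}, []
    current = None  # dropped-file path whose hash rows we are inside
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DUMP_RE.fullmatch(line)
        if m:
            pid, seq, start, end = m.groups()
            start, end = int(start, 16), int(end, 16)
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": start, "end": end, "size": end - start})
            continue
        if line.startswith("C:\\"):
            current = line
            files.setdefault(current, {})
            continue
        if line.startswith("|"):
            cells = _cells(line)
            if len(cells) == 2 and cells[0] in HASH_KEYS and current:
                files[current][cells[0]] = cells[1].lower()
            elif cells and cells[0] == "Country":
                continue  # table header
            elif 3 <= len(cells) <= 4 and ":" in cells[1]:
                cells += [""] * (4 - len(cells))  # pad the short three-cell rows
                country, dst, domain, proto = cells
                # Extraction put the protocol in the Domain column on some rows.
                if domain in ("tcp", "udp") and not proto:
                    domain, proto = "", domain
                network.append({"country": country, "dst": dst,
                                "domain": domain, "proto": proto})
    return network, files, dumps


def c2_candidates(network):
    """Deduplicated destinations that are not lookups to the resolver on :53."""
    return sorted({r["dst"] for r in network if not r["dst"].endswith(":53")})


def region_sizes_by_pid(dumps):
    """Map pid -> sorted distinct sizes of that process's dumped regions."""
    out = defaultdict(set)
    for d in dumps:
        out[d["pid"]].add(d["size"])
    return {pid: sorted(sizes) for pid, sizes in out.items()}


def shared_image_size(dumps, min_pids=2):
    """Region sizes that occur in at least `min_pids` different processes."""
    pids_per_size = defaultdict(set)
    for d in dumps:
        pids_per_size[d["size"]].add(d["pid"])
    return sorted(s for s, pids in pids_per_size.items() if len(pids) >= min_pids)


if __name__ == "__main__":
    net, files, dumps = parse_report(SAMPLE)
    print("non-DNS destinations:", c2_candidates(net))
    for path, hashes in files.items():
        print(path, hashes.get("SHA256"))
    print("region sizes shared across PIDs:",
          [hex(s) for s in shared_image_size(dumps)])
```

Run against the full page instead of `SAMPLE`, the same functions give one destination (3.120.209.58:8080), one SHA256 per dropped EXE for blocking, and a single shared region size for every `0x00007FF...` dump; the 0x10000 region in PID 1168 is the odd one out and is the kind of small heap-sized allocation worth opening first when looking for the reflectively loaded stage.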