Analysis Overview
SHA256
13a1afd56709420c6d782487d80580262d5ae8cad8d7c7602e3c186fcb35f41d
Threat Level: Known bad
The file 2024-06-08_5606ac542901f5629cf4ccfb2c948a81_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
Cobaltstrike
XMRig Miner payload
xmrig
Xmrig family
Cobaltstrike family
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 04:19
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 04:19
Reported
2024-06-08 04:22
Platform
win7-20240215-en
Max time kernel
133s
Max time network
143s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\jjOVfUF.exe | N/A |
| N/A | N/A | C:\Windows\System\kGPmRrQ.exe | N/A |
| N/A | N/A | C:\Windows\System\qoaSPpE.exe | N/A |
| N/A | N/A | C:\Windows\System\wbIDIoe.exe | N/A |
| N/A | N/A | C:\Windows\System\DLZmUVg.exe | N/A |
| N/A | N/A | C:\Windows\System\RdJrTeN.exe | N/A |
| N/A | N/A | C:\Windows\System\SHTXxME.exe | N/A |
| N/A | N/A | C:\Windows\System\QocMVKi.exe | N/A |
| N/A | N/A | C:\Windows\System\rXmBzdq.exe | N/A |
| N/A | N/A | C:\Windows\System\GAXeJAB.exe | N/A |
| N/A | N/A | C:\Windows\System\UtQYtZy.exe | N/A |
| N/A | N/A | C:\Windows\System\krpOTSF.exe | N/A |
| N/A | N/A | C:\Windows\System\UBRVuUZ.exe | N/A |
| N/A | N/A | C:\Windows\System\zsRCtxR.exe | N/A |
| N/A | N/A | C:\Windows\System\CMaNwpR.exe | N/A |
| N/A | N/A | C:\Windows\System\MUVgyng.exe | N/A |
| N/A | N/A | C:\Windows\System\rQZqyah.exe | N/A |
| N/A | N/A | C:\Windows\System\ihmocof.exe | N/A |
| N/A | N/A | C:\Windows\System\BKnQNrF.exe | N/A |
| N/A | N/A | C:\Windows\System\msVUAgy.exe | N/A |
| N/A | N/A | C:\Windows\System\sTjnbyq.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_5606ac542901f5629cf4ccfb2c948a81_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_5606ac542901f5629cf4ccfb2c948a81_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_5606ac542901f5629cf4ccfb2c948a81_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_5606ac542901f5629cf4ccfb2c948a81_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\jjOVfUF.exe
C:\Windows\System\jjOVfUF.exe
C:\Windows\System\kGPmRrQ.exe
C:\Windows\System\kGPmRrQ.exe
C:\Windows\System\qoaSPpE.exe
C:\Windows\System\qoaSPpE.exe
C:\Windows\System\wbIDIoe.exe
C:\Windows\System\wbIDIoe.exe
C:\Windows\System\DLZmUVg.exe
C:\Windows\System\DLZmUVg.exe
C:\Windows\System\RdJrTeN.exe
C:\Windows\System\RdJrTeN.exe
C:\Windows\System\SHTXxME.exe
C:\Windows\System\SHTXxME.exe
C:\Windows\System\QocMVKi.exe
C:\Windows\System\QocMVKi.exe
C:\Windows\System\rXmBzdq.exe
C:\Windows\System\rXmBzdq.exe
C:\Windows\System\GAXeJAB.exe
C:\Windows\System\GAXeJAB.exe
C:\Windows\System\UtQYtZy.exe
C:\Windows\System\UtQYtZy.exe
C:\Windows\System\krpOTSF.exe
C:\Windows\System\krpOTSF.exe
C:\Windows\System\UBRVuUZ.exe
C:\Windows\System\UBRVuUZ.exe
C:\Windows\System\zsRCtxR.exe
C:\Windows\System\zsRCtxR.exe
C:\Windows\System\CMaNwpR.exe
C:\Windows\System\CMaNwpR.exe
C:\Windows\System\MUVgyng.exe
C:\Windows\System\MUVgyng.exe
C:\Windows\System\rQZqyah.exe
C:\Windows\System\rQZqyah.exe
C:\Windows\System\ihmocof.exe
C:\Windows\System\ihmocof.exe
C:\Windows\System\BKnQNrF.exe
C:\Windows\System\BKnQNrF.exe
C:\Windows\System\msVUAgy.exe
C:\Windows\System\msVUAgy.exe
C:\Windows\System\sTjnbyq.exe
C:\Windows\System\sTjnbyq.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 04:19
Reported
2024-06-08 04:22
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\AtjdExT.exe | N/A |
| N/A | N/A | C:\Windows\System\ahjCcvN.exe | N/A |
| N/A | N/A | C:\Windows\System\syWRhxc.exe | N/A |
| N/A | N/A | C:\Windows\System\mqJTBXS.exe | N/A |
| N/A | N/A | C:\Windows\System\oGCEORV.exe | N/A |
| N/A | N/A | C:\Windows\System\koGiBie.exe | N/A |
| N/A | N/A | C:\Windows\System\IUxoBxq.exe | N/A |
| N/A | N/A | C:\Windows\System\NoOAWtB.exe | N/A |
| N/A | N/A | C:\Windows\System\tpEpMfr.exe | N/A |
| N/A | N/A | C:\Windows\System\elxdvVh.exe | N/A |
| N/A | N/A | C:\Windows\System\jIUcokZ.exe | N/A |
| N/A | N/A | C:\Windows\System\cKUKnZd.exe | N/A |
| N/A | N/A | C:\Windows\System\sjJbyDW.exe | N/A |
| N/A | N/A | C:\Windows\System\dbtzgpB.exe | N/A |
| N/A | N/A | C:\Windows\System\otutvCZ.exe | N/A |
| N/A | N/A | C:\Windows\System\NzzJqze.exe | N/A |
| N/A | N/A | C:\Windows\System\PjSaLkp.exe | N/A |
| N/A | N/A | C:\Windows\System\cPcDRAX.exe | N/A |
| N/A | N/A | C:\Windows\System\nGgciov.exe | N/A |
| N/A | N/A | C:\Windows\System\BaiNaOX.exe | N/A |
| N/A | N/A | C:\Windows\System\xvXiGtm.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_5606ac542901f5629cf4ccfb2c948a81_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_5606ac542901f5629cf4ccfb2c948a81_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_5606ac542901f5629cf4ccfb2c948a81_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_5606ac542901f5629cf4ccfb2c948a81_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\AtjdExT.exe
C:\Windows\System\AtjdExT.exe
C:\Windows\System\ahjCcvN.exe
C:\Windows\System\ahjCcvN.exe
C:\Windows\System\syWRhxc.exe
C:\Windows\System\syWRhxc.exe
C:\Windows\System\mqJTBXS.exe
C:\Windows\System\mqJTBXS.exe
C:\Windows\System\oGCEORV.exe
C:\Windows\System\oGCEORV.exe
C:\Windows\System\koGiBie.exe
C:\Windows\System\koGiBie.exe
C:\Windows\System\IUxoBxq.exe
C:\Windows\System\IUxoBxq.exe
C:\Windows\System\NoOAWtB.exe
C:\Windows\System\NoOAWtB.exe
C:\Windows\System\tpEpMfr.exe
C:\Windows\System\tpEpMfr.exe
C:\Windows\System\elxdvVh.exe
C:\Windows\System\elxdvVh.exe
C:\Windows\System\jIUcokZ.exe
C:\Windows\System\jIUcokZ.exe
C:\Windows\System\cKUKnZd.exe
C:\Windows\System\cKUKnZd.exe
C:\Windows\System\sjJbyDW.exe
C:\Windows\System\sjJbyDW.exe
C:\Windows\System\dbtzgpB.exe
C:\Windows\System\dbtzgpB.exe
C:\Windows\System\otutvCZ.exe
C:\Windows\System\otutvCZ.exe
C:\Windows\System\NzzJqze.exe
C:\Windows\System\NzzJqze.exe
C:\Windows\System\PjSaLkp.exe
C:\Windows\System\PjSaLkp.exe
C:\Windows\System\cPcDRAX.exe
C:\Windows\System\cPcDRAX.exe
C:\Windows\System\nGgciov.exe
C:\Windows\System\nGgciov.exe
C:\Windows\System\BaiNaOX.exe
C:\Windows\System\BaiNaOX.exe
C:\Windows\System\xvXiGtm.exe
C:\Windows\System\xvXiGtm.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 159.113.53.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 25.173.189.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
Files
| SHA1 | 608752fc80460902ce9948f4cb9a7872d170e217 |
| SHA256 | 7b0cd5d975b977561d60effd18a0e0ed9bc2ff7f682bd779302521c069d65140 |
| SHA512 | 5b60982e1e28751f0a123f8ba4033ec02bdfdc2be76e295e4ed7fafe987139c0ecaa184be5aa033c164cfe34458f6e5b2c6df53c6c6d49f9ba3e90b40b33e316 |
C:\Windows\System\IUxoBxq.exe
| MD5 | 604e87b9513a48da5fd593994a7971ac |
| SHA1 | f73de05d482fcfd7076e2c2cea3564cbef8dd97a |
| SHA256 | 009ace16426ebd6d3bb1650edc50382e46e577d9d593aaeb4fa4cc3eff3c2986 |
| SHA512 | 105b9a8b37ad07bf787cc5fef24110af92f8bc4c21af28a2cd34a02b007bc7d8ef38325527ff15b45a5b065107bd87cc6e718aa43fd18021487363e2a749f735 |
C:\Windows\System\NoOAWtB.exe
| MD5 | a5a4cceb385000d40330d6dc14b9193f |
| SHA1 | ebf82c03438782348c90241772bee7e0bc98451d |
| SHA256 | e8c35bf03ad95d899768311d0e3297a5a05f8192f92e2a8522388ca21e5ea171 |
| SHA512 | 9c8d0402580f0d1936e0d955aa726cb58f5932a53d5131a200bee3d0998defd8ab0bc08c6a4e213576c729b2e99fea8f2cf0030fd168379122d9e3c531320b58 |
C:\Windows\System\tpEpMfr.exe
| MD5 | a0ec793d5f0ddc62f96d051d06810f5b |
| SHA1 | 343872acf3a6f7cf1b1436235dfdc5f56d9e3e11 |
| SHA256 | bdff727029c6bfbc03579fa62ed96a0a40268f4a1fdcea97e4ef418dc6a8d67a |
| SHA512 | 5b05c97f0446899405eef64f5e745dace9ae835e83aec5752365f5bcdc431b76ad6953fe15b2f64f379744717b28e1da0cfed9d1b0990b74fa4c486576ffc303 |
memory/464-53-0x00007FF667190000-0x00007FF6674E4000-memory.dmp
memory/4020-55-0x00007FF665250000-0x00007FF6655A4000-memory.dmp
memory/2068-56-0x00007FF62BA00000-0x00007FF62BD54000-memory.dmp
memory/1176-54-0x00007FF748390000-0x00007FF7486E4000-memory.dmp
memory/216-52-0x00007FF6DF480000-0x00007FF6DF7D4000-memory.dmp
C:\Windows\System\elxdvVh.exe
| MD5 | e1752c96e36b638a515c86627017c100 |
| SHA1 | 5b28769ede6de8da3b7b25b2c7eb694bb617fa37 |
| SHA256 | dff8fbdc01a337b27e1a3e46634561bd98782871f315e162453b3666f82b5e84 |
| SHA512 | 6d363ada344f4d8173c3a45277c1fd1134840fad55bc96490c5fdff79d1d1e1d152c769d6113471dbec654795cec1ffa4c4262877df62dd9ad084f31132651f1 |
memory/2096-61-0x00007FF7CB3A0000-0x00007FF7CB6F4000-memory.dmp
C:\Windows\System\jIUcokZ.exe
| MD5 | 6f289cca8f2857312551fc01c359177f |
| SHA1 | bd2b3095d6d97689da1d244030531fe5ec554967 |
| SHA256 | 05ef33d8af64c7139db3dc172026259088ba95f56feccada94cfe6b89f75aaca |
| SHA512 | 03904239faed8f2d0ba8c17a549aef002827d62f55c51948f05b712175e32914262e2f4d729698765504bde54b81f590210d6d10254a2de892b82070478fb147 |
memory/3780-68-0x00007FF6CD960000-0x00007FF6CDCB4000-memory.dmp
C:\Windows\System\cKUKnZd.exe
| MD5 | 8908fc6efff3bc910786122d7f9d63ab |
| SHA1 | 0cc97943c7947e94eacc22cc710582a81cbe6f1d |
| SHA256 | a7212c2dabd1ba6b153498001e8de21fcd1822a84db1651c99a75657f5f77200 |
| SHA512 | 02a0dfc0ed7432c1231922ef9e9e5099947a17517eaa1fdae3e8d902f60e11de5444b76510d7fefe466c10499d042fc71cd174ef7b097530c869d74bd5ac9c13 |
memory/2168-74-0x00007FF6342D0000-0x00007FF634624000-memory.dmp
C:\Windows\System\sjJbyDW.exe
| MD5 | e0828ae8b235551927e08571b398abe4 |
| SHA1 | bf633f96870cf114b4f45c803c9dc42ef2ea8438 |
| SHA256 | 02b3b4646ff64959a0b1203932869b085e6144ceb48be5e8bcc5713c3de70193 |
| SHA512 | f0785edf137fb41563a75b7cb8951ba752d0add33b303b819950207cf7fa2d898921d7d1d0830142a00c74d76fb72fe79f9171e5641b1fefb11a68e8041fc50b |
memory/2332-80-0x00007FF785CB0000-0x00007FF786004000-memory.dmp
memory/3592-81-0x00007FF6DF550000-0x00007FF6DF8A4000-memory.dmp
C:\Windows\System\dbtzgpB.exe
| MD5 | af188886983e3270969a61212cd817c7 |
| SHA1 | 48028a84748f73fae976480bf8157fa6d9acd05d |
| SHA256 | 342916ca541e16753da7238fbbeae1154bf0ebe4acb5cc04d3eeb9827e3519ee |
| SHA512 | e9c5c28fcec2326419d8eaace53d7fb39443fee9168d5165c85146c6f678854c30a2db9df6d3b806bb5a2d307be2e1a59cf0c38546377c7bcbead308e82e9b5e |
memory/4992-93-0x00007FF7B32A0000-0x00007FF7B35F4000-memory.dmp
memory/3672-94-0x00007FF60DC40000-0x00007FF60DF94000-memory.dmp
C:\Windows\System\otutvCZ.exe
| MD5 | 4ae3de9c97d81d1ea2a5eacfbbfb8e02 |
| SHA1 | 1c91779ec40ff3e7a5314121fb3d6185f3add744 |
| SHA256 | 33fb3b4b4fe076c40b07f5717cc2c151e51d9502ae5e77f9e139bf31266a95fe |
| SHA512 | d8f78d6e366fe90c138ddf71685d340b9dca29abf8152bdc7636639304ad1173b3387bc9cf5e648a100ccf16621af471d1a36ca6661597697d983f448f343d22 |
C:\Windows\System\NzzJqze.exe
| MD5 | ec7d279391f2e74c9248defbb153fa6a |
| SHA1 | 119eefd6a9f99d4b7f59eb1121e1ecc6a3eada66 |
| SHA256 | f29dfb9309eb501b9cc5b66e8e44451d48d18274d93a37e5a8bd17f64de60ae5 |
| SHA512 | 92cea30cedbf90f377bb6da5f217056597a3dab3464d51ddfa0956ccbcc8e5f71206448e07818a752b2a5fe9d27311e53dc695526821d08e6e682c53956d5d43 |
memory/1076-87-0x00007FF6269E0000-0x00007FF626D34000-memory.dmp
C:\Windows\System\PjSaLkp.exe
| MD5 | 937b2d75dacc826cebf0092a7277a660 |
| SHA1 | 80fafe48cfa8361f91f7cef1925c97c4d97f1a31 |
| SHA256 | 9d65c026113c2aa0395e669d02c1042feb595f5b970932f57c3d94e7d99f8d83 |
| SHA512 | 8c6b818ecc29114e0b7e16fdff741be279863d5eedb562b33b1dc45b2a811328dea9f479eb8b43654b8df7fd49328bd31974d7ca8077af5738499feca13c7b6a |
C:\Windows\System\cPcDRAX.exe
| MD5 | 79869fcad0710304b8e23074095fea16 |
| SHA1 | e6c89cff18824ee4bb12fbe32f2061ebd4cb0028 |
| SHA256 | 11f003cf06c1689a352e9de16b234f6cea0f9c69be12285aa2491b1f8ddab55e |
| SHA512 | fca41531df52aaf7e5c932bba5e38d7e781bd5d05b1c2fdf505e92c5406bdd191aa8f1ebc64104930387375bb95282ff528bd4afedb7abc97cbd593af90ed041 |
C:\Windows\System\nGgciov.exe
| MD5 | 3caba44eb4ef3c15af2d511bc09eb5bb |
| SHA1 | 584f065ba3f536ad9afd158a7396da3e8efb92c5 |
| SHA256 | bbb3d6242ee6644bf6ad3f081c98089314c1e9ee175913e039da4bae84fc9e42 |
| SHA512 | d35112f95ebb7471cc8da684da52f6530bdff349db2e12da47f818b6378a5d521e5479e4b4f9a40292ce891131a4dd745d16848258781fc846cd7a87fe5aa0cc |
memory/2928-117-0x00007FF6700B0000-0x00007FF670404000-memory.dmp
memory/3084-119-0x00007FF6FF7D0000-0x00007FF6FFB24000-memory.dmp
memory/2472-120-0x00007FF79FFB0000-0x00007FF7A0304000-memory.dmp
memory/928-118-0x00007FF7DEF80000-0x00007FF7DF2D4000-memory.dmp
memory/4660-116-0x00007FF77A880000-0x00007FF77ABD4000-memory.dmp
memory/4028-112-0x00007FF60A3D0000-0x00007FF60A724000-memory.dmp
C:\Windows\System\BaiNaOX.exe
| MD5 | 9f920a634f9fead3e550b41e284a69a3 |
| SHA1 | 75db05920c69b9160bd436cafc9b514b2e0456d5 |
| SHA256 | 959220d53f4b81e1c44e17f86d1ce469ee81915ec3b0f3af2294093bf45f6545 |
| SHA512 | 8b84fe7b3b87e1eb96f4564bfba764bed2154efdc18fea5193950574a45937dd2a16ace64036d630aec9ac8973953b50ad96ea950a60f0a8a88d5e130e8fd6c5 |
C:\Windows\System\xvXiGtm.exe
| MD5 | cfdc2b653db939f3137047d4f89ed28b |
| SHA1 | b9d1fbff77f3a4522980fec1ea3d74923913927f |
| SHA256 | 6a97b6c53c17f5ba6ceddc6bb3a5d50b543ca70314259a9129c3264bf98db2f9 |
| SHA512 | 6d738ea3b91ebf1517aa4b753e551b6c7ad8e896e8e65384f08e7d3c30fface71245bc81348039a0ca8df9c1f827d7c2764268de0624ad8f9a42bd9ff7c225cb |
memory/3372-130-0x00007FF7C72D0000-0x00007FF7C7624000-memory.dmp
memory/3740-132-0x00007FF76AB30000-0x00007FF76AE84000-memory.dmp
memory/4604-131-0x00007FF7BD390000-0x00007FF7BD6E4000-memory.dmp
memory/2096-133-0x00007FF7CB3A0000-0x00007FF7CB6F4000-memory.dmp
memory/4992-134-0x00007FF7B32A0000-0x00007FF7B35F4000-memory.dmp
memory/4028-135-0x00007FF60A3D0000-0x00007FF60A724000-memory.dmp
memory/2472-136-0x00007FF79FFB0000-0x00007FF7A0304000-memory.dmp
memory/3372-137-0x00007FF7C72D0000-0x00007FF7C7624000-memory.dmp
memory/216-138-0x00007FF6DF480000-0x00007FF6DF7D4000-memory.dmp
memory/464-139-0x00007FF667190000-0x00007FF6674E4000-memory.dmp
memory/1176-140-0x00007FF748390000-0x00007FF7486E4000-memory.dmp
memory/4020-141-0x00007FF665250000-0x00007FF6655A4000-memory.dmp
memory/2068-142-0x00007FF62BA00000-0x00007FF62BD54000-memory.dmp
memory/2096-143-0x00007FF7CB3A0000-0x00007FF7CB6F4000-memory.dmp
memory/3780-144-0x00007FF6CD960000-0x00007FF6CDCB4000-memory.dmp
memory/2168-145-0x00007FF6342D0000-0x00007FF634624000-memory.dmp
memory/3592-146-0x00007FF6DF550000-0x00007FF6DF8A4000-memory.dmp
memory/1076-147-0x00007FF6269E0000-0x00007FF626D34000-memory.dmp
memory/3672-148-0x00007FF60DC40000-0x00007FF60DF94000-memory.dmp
memory/4660-149-0x00007FF77A880000-0x00007FF77ABD4000-memory.dmp
memory/3084-150-0x00007FF6FF7D0000-0x00007FF6FFB24000-memory.dmp
memory/2928-151-0x00007FF6700B0000-0x00007FF670404000-memory.dmp
memory/928-152-0x00007FF7DEF80000-0x00007FF7DF2D4000-memory.dmp
memory/4604-153-0x00007FF7BD390000-0x00007FF7BD6E4000-memory.dmp
memory/3740-154-0x00007FF76AB30000-0x00007FF76AE84000-memory.dmp