Analysis Overview
SHA256
f3a0c739cc0c5978c1dae2a0e57e9274dd4882c49e0769050dba3acd402d149f
Threat Level: Known bad
The file 2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike
xmrig
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Xmrig family
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 08:44
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 08:44
Reported
2024-06-08 08:47
Platform
win7-20240508-en
Max time kernel
144s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| 21 matches; description, indicator, process and target not captured in this export | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| 21 matches; description, indicator, process and target not captured in this export | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| 57 matches; description, indicator, process and target not captured in this export | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| 61 matches; description, indicator, process and target not captured in this export | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\rgQOmyj.exe | N/A |
| N/A | N/A | C:\Windows\System\JPyIRct.exe | N/A |
| N/A | N/A | C:\Windows\System\cKVZCVf.exe | N/A |
| N/A | N/A | C:\Windows\System\YRJraxu.exe | N/A |
| N/A | N/A | C:\Windows\System\AbgjHLv.exe | N/A |
| N/A | N/A | C:\Windows\System\EJUjQJK.exe | N/A |
| N/A | N/A | C:\Windows\System\TAJnwRO.exe | N/A |
| N/A | N/A | C:\Windows\System\TngTAtl.exe | N/A |
| N/A | N/A | C:\Windows\System\VrQawxO.exe | N/A |
| N/A | N/A | C:\Windows\System\YRUBbFq.exe | N/A |
| N/A | N/A | C:\Windows\System\wWANIoT.exe | N/A |
| N/A | N/A | C:\Windows\System\WLIMOdD.exe | N/A |
| N/A | N/A | C:\Windows\System\RoNpfKD.exe | N/A |
| N/A | N/A | C:\Windows\System\CtAIKVs.exe | N/A |
| N/A | N/A | C:\Windows\System\bipqyst.exe | N/A |
| N/A | N/A | C:\Windows\System\SSyrYwQ.exe | N/A |
| N/A | N/A | C:\Windows\System\AagTaed.exe | N/A |
| N/A | N/A | C:\Windows\System\dmigPRO.exe | N/A |
| N/A | N/A | C:\Windows\System\BNgmcjV.exe | N/A |
| N/A | N/A | C:\Windows\System\hDqbDDb.exe | N/A |
| N/A | N/A | C:\Windows\System\yNIYiDW.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| 57 matches; description, indicator, process and target not captured in this export | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\rgQOmyj.exe
C:\Windows\System\rgQOmyj.exe
C:\Windows\System\JPyIRct.exe
C:\Windows\System\JPyIRct.exe
C:\Windows\System\cKVZCVf.exe
C:\Windows\System\cKVZCVf.exe
C:\Windows\System\YRJraxu.exe
C:\Windows\System\YRJraxu.exe
C:\Windows\System\AbgjHLv.exe
C:\Windows\System\AbgjHLv.exe
C:\Windows\System\EJUjQJK.exe
C:\Windows\System\EJUjQJK.exe
C:\Windows\System\TAJnwRO.exe
C:\Windows\System\TAJnwRO.exe
C:\Windows\System\TngTAtl.exe
C:\Windows\System\TngTAtl.exe
C:\Windows\System\VrQawxO.exe
C:\Windows\System\VrQawxO.exe
C:\Windows\System\YRUBbFq.exe
C:\Windows\System\YRUBbFq.exe
C:\Windows\System\wWANIoT.exe
C:\Windows\System\wWANIoT.exe
C:\Windows\System\WLIMOdD.exe
C:\Windows\System\WLIMOdD.exe
C:\Windows\System\RoNpfKD.exe
C:\Windows\System\RoNpfKD.exe
C:\Windows\System\CtAIKVs.exe
C:\Windows\System\CtAIKVs.exe
C:\Windows\System\bipqyst.exe
C:\Windows\System\bipqyst.exe
C:\Windows\System\SSyrYwQ.exe
C:\Windows\System\SSyrYwQ.exe
C:\Windows\System\AagTaed.exe
C:\Windows\System\AagTaed.exe
C:\Windows\System\dmigPRO.exe
C:\Windows\System\dmigPRO.exe
C:\Windows\System\BNgmcjV.exe
C:\Windows\System\BNgmcjV.exe
C:\Windows\System\hDqbDDb.exe
C:\Windows\System\hDqbDDb.exe
C:\Windows\System\yNIYiDW.exe
C:\Windows\System\yNIYiDW.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
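The behaviour recorded above is enough to build host-side detection logic: the dropper executes a series of seven-letter, randomly named executables straight out of C:\Windows\System\ (not System32), the sample itself enables SeLockMemoryPrivilege (the privilege XMRig needs for large pages under RandomX), and the detonation repeatedly connects to 3.120.209.58:8080. The following is an added example and is not part of this report or of any sandbox product. It assumes a flat event schema (type, image, parent_image, privilege, dst_ip, dst_port) standing in for a Sysmon or EDR feed, the rule names and the mass-drop threshold of five children are choices made here, and the sample events are constructed to mirror this detonation plus some benign noise.

```python
"""Triage rules derived from the indicators in the sandbox report above.

Added example. The event schema, rule names and the mass-drop threshold are
assumptions; the IP, port, path pattern and privilege come from the report.
"""
import json
import re
from collections import defaultdict

# Indicators taken from the report.
C2_IP, C2_PORT = "3.120.209.58", 8080
SAMPLE_PATH = (r"C:\Users\Admin\AppData\Local\Temp"
               r"\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe")
# Dropped payloads: exactly seven letters, directly under C:\Windows\System\.
# The anchor on "System\" keeps System32\svchost.exe and friends from matching.
DROPPED_EXE = re.compile(r"^[a-z]:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)
# XMRig requests this privilege to back RandomX scratchpads with large pages.
MINER_PRIVILEGE = "SeLockMemoryPrivilege"


def match_event(ev):
    """Return the list of rule names a single event matches (possibly empty)."""
    hits = []
    kind = ev.get("type")
    if kind == "process_create" and DROPPED_EXE.match(ev.get("image", "")):
        hits.append("dropped_exe_in_windows_system")
    if kind == "privilege_adjust" and ev.get("privilege") == MINER_PRIVILEGE:
        hits.append("selockmemory_adjust")
    if kind == "network_connect" and (ev.get("dst_ip"), ev.get("dst_port")) == (C2_IP, C2_PORT):
        hits.append("known_c2_connection")
    return hits


def triage(events, mass_drop_threshold=5):
    """Aggregate per-event hits for one host and grade them.

    A known-C2 connection is high on its own. Otherwise severity grows with the
    number of distinct rules that fired, because SeLockMemoryPrivilege alone is
    also used by legitimate large-page consumers such as database servers.
    """
    hits = defaultdict(set)      # rule name -> images involved
    children = defaultdict(set)  # parent image -> dropped executables it launched
    for ev in events:
        for rule in match_event(ev):
            hits[rule].add(ev["image"])
        if ev.get("type") == "process_create" and DROPPED_EXE.match(ev.get("image", "")):
            children[ev.get("parent_image", "")].add(ev["image"])
    # Heuristic for the dropper itself: one parent launching many dropped payloads.
    for parent, kids in children.items():
        if len(kids) >= mass_drop_threshold:
            hits["mass_drop_execute"].add(parent)

    if "known_c2_connection" in hits or len(hits) >= 3:
        severity = "high"
    elif len(hits) == 2:
        severity = "medium"
    elif hits:
        severity = "low"
    else:
        severity = "none"
    return {"severity": severity, "hits": {r: sorted(v) for r, v in sorted(hits.items())}}


# Constructed sample events mirroring this detonation, plus benign noise.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": SAMPLE_PATH, "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "privilege_adjust", "image": SAMPLE_PATH, "privilege": MINER_PRIVILEGE},
    *[{"type": "process_create", "image": rf"C:\Windows\System\{name}.exe", "parent_image": SAMPLE_PATH}
      for name in ("rgQOmyj", "JPyIRct", "cKVZCVf", "YRJraxu", "AbgjHLv")],
    {"type": "network_connect", "image": SAMPLE_PATH, "dst_ip": C2_IP, "dst_port": C2_PORT},
    {"type": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"type": "privilege_adjust", "image": r"C:\Windows\System32\svchost.exe", "privilege": "SeDebugPrivilege"},
    {"type": "network_connect", "image": r"C:\Windows\System32\svchost.exe", "dst_ip": "8.8.8.8", "dst_port": 53},
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Run stand-alone it grades the constructed session as high with all four rules firing; the three benign events on their own produce no hits. In production the C2 address should come from a feed rather than a constant, since the 3.120.209.58 endpoint is an AWS address that will not stay tied to this campaign.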
Files
memory/2052-0-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/2052-1-0x000000013F2B0000-0x000000013F604000-memory.dmp
\Windows\system\rgQOmyj.exe
| MD5 | fbdeffe992bc218bd51321390167dbd2 |
| SHA1 | 7f6dc1cd32fd184d43e5c8ecd0aab266b786b189 |
| SHA256 | ccf7748d577f68cc2ecb23669fdf1c9709eed01a0d6f3132ef3dc75e697b24da |
| SHA512 | 113a4387c76aa2ba0db08604eb922e1dbf2d9662a44fd4fade8b0ac51849a7eb872f1693025d8280effe591ed7232a39ac875a352c260f1e86da169fbccf1990 |
\Windows\system\JPyIRct.exe
| MD5 | 61aa4bc553149f2d6c69d3193e762893 |
| SHA1 | a566f10e16a6eaa48cf67b8186cf24ea2565970e |
| SHA256 | b3cf3515d16bb80dfc87ad153d24be36603638064e8e676268cf227d7c2730a8 |
| SHA512 | 65680dffd9bd264d2313318f46d3f8ee9281d6716a314c4be2b2d5317365c04ece6ad19a19cf29f309a0a6f873b4374080fde15e92377cd334d6d83600610983 |
memory/2052-6-0x0000000002390000-0x00000000026E4000-memory.dmp
C:\Windows\system\cKVZCVf.exe
| MD5 | 2972e592128d7758659440fd03e249b2 |
| SHA1 | 2fed66c9d1fcb16ce97fd4ac1c7020b379a96e5e |
| SHA256 | 2229755d4ddc726f572f25a8cbad6612787eca5c11ab46e936f8b0dfa2899b9b |
| SHA512 | 2941f419306c5d586a58215e1d0abb6291ad8eae99980c3ae2e37ad83f0dee2dace4a1d63a24a80b7a23900d81f5b0e0d2dd3a25798724216f7be6b2756b9000 |
memory/2620-18-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/2564-27-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/2052-29-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/2052-30-0x000000013F780000-0x000000013FAD4000-memory.dmp
memory/2660-28-0x000000013F780000-0x000000013FAD4000-memory.dmp
memory/2996-26-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/2052-23-0x000000013F770000-0x000000013FAC4000-memory.dmp
C:\Windows\system\YRJraxu.exe
| MD5 | 43323a5ca8f856845010f18dbce4bde6 |
| SHA1 | 87a278c3b4808564b6e66aae366d4902b3a06054 |
| SHA256 | a8027315b9f92224c99919257aed09069da8fe4610c24957f30d87eeddf42157 |
| SHA512 | c15397389382cd67233caa0480b1db68f79362074a4c8052a8a25870f998a351e925705df398b30b3889fc3e8cea54bde750aff7bf422f6b71ac18cb4196a54b |
memory/2744-36-0x000000013F680000-0x000000013F9D4000-memory.dmp
C:\Windows\system\AbgjHLv.exe
| MD5 | 0ad23cc2f24a7ac49296002681355a87 |
| SHA1 | 4be2c44b3dea65e1f5c1682cbb7f6934faa15873 |
| SHA256 | 37cbd88699fd502a7084d2529dbce34950b1280cf4dfaac4c0377b057f8aed29 |
| SHA512 | 971d18d250c10632fe8ac11fbac379dfa3a3f55333b28552ffee832132a7383298e938adaae9279c47afc14809e1c76ace85ccc47595460d04fb1a63c749bd15 |
C:\Windows\system\EJUjQJK.exe
| MD5 | 6053f6b20a734d76cd4e18430e3a88c7 |
| SHA1 | 2dd87fbebb5239a63060340f3b5186bf19e6db6c |
| SHA256 | 4bb164698dd1333cf0850309d3f33ffc40ae976e017589c4b4dbc4c61703cd35 |
| SHA512 | ccab6ee08ea84eba685717d3f833fdcca64bd0684f6b40d2b036e695bbcd093e83bf62d7b9637099a9ef0f3c4eec5a23b1a5db41ec5010cd7ffd9d6bda1dcf27 |
memory/2052-41-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/2460-43-0x000000013F920000-0x000000013FC74000-memory.dmp
\Windows\system\TAJnwRO.exe
| MD5 | 20ba7e1c1d2b40dffcfc81f173ad5bc7 |
| SHA1 | 71f4d89e3c07b8fed9719107c27f324b717157d8 |
| SHA256 | 4407c4eaa3efef91542073779edc5e8341518ba3441f10a8bcd3ade65020c419 |
| SHA512 | 8ce742d075a53dad0bea43fd6ec66cee9f9af57b158e0ec79c1826fb2c84a8e0ae52d8f66c5bed1b112fd0c4576a9b0eae67bcb19d1fdabff781d67126f4aa86 |
memory/2072-50-0x000000013F6A0000-0x000000013F9F4000-memory.dmp
memory/2052-48-0x000000013F6A0000-0x000000013F9F4000-memory.dmp
C:\Windows\system\TngTAtl.exe
| MD5 | fb98ab03a904a0baf377c59b1074f655 |
| SHA1 | 38729c268f41a1450b82e19f0416a90658df9076 |
| SHA256 | 2c9c39b30cf81e49f483ac9637d9ed28117063dd2f807cc5ec00b56d46dd1450 |
| SHA512 | f6a5cfd474f325fa023b4911a9049342bced1b3f0ee6b82427a6781f2327ab114c635c4daf62e5855103648774e8ba676917d641e43af9a33b40c4bdace57c31 |
memory/2052-56-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/2456-57-0x000000013FF30000-0x0000000140284000-memory.dmp
\Windows\system\YRUBbFq.exe
| MD5 | eecea3304bbb16ebad9bb30f8cc00de0 |
| SHA1 | 2b78cc74396616287b7519a1ebb5706eb1cad821 |
| SHA256 | cd41142cb90f821ff0071396a29f2dc002e49142a2459618379dadddbd1105ba |
| SHA512 | c847d67e8953ca6f88b6a20e754556205729a4e165c032d53b7db017c9881aafbd94c61b09bac7d94e3d47a3f3d55d8a9103786fb762c5dbfb17740c8d04eb49 |
memory/2052-71-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/2896-64-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2620-63-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/2248-72-0x000000013F5D0000-0x000000013F924000-memory.dmp
C:\Windows\system\VrQawxO.exe
| MD5 | 80d3e267682eea3e7e6806c1f27a747d |
| SHA1 | 59cf6ef47ed87c08c37ee5c8576380176b5ef17e |
| SHA256 | 795b23c9ed1324c81328757377667c6a67269e7dc6f3866340647e22375581c1 |
| SHA512 | f6defed3f09a01e0149865a3d13930f0eef210622368ad3301e09a2243c0bf79e13f00f540642ae05538b84233b78749ef2363c8e185a5717c1a3d847a0cbd82 |
memory/2052-61-0x000000013F2B0000-0x000000013F604000-memory.dmp
C:\Windows\system\WLIMOdD.exe
| MD5 | 0b4fa423e4ccadf0cd766f883be57723 |
| SHA1 | be1f58bd2bdd8fd651ea05d36ce368f0d903796b |
| SHA256 | a5e74b6c7bc30c5f3f7af9b069da9066a5477c588b2da83c1437575dd6ffb78d |
| SHA512 | f81d6aa0211a4feaad983fe0a8d2dbb7bc5d763757af17864a478b828f100cbda2216ea57ebea97d7d67777a98cda7a4602e3d65cf56667100d23843d1f8bc6d |
memory/2052-85-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/2412-86-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/848-78-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2052-76-0x0000000002390000-0x00000000026E4000-memory.dmp
C:\Windows\system\wWANIoT.exe
| MD5 | 4b962652000161543f99a0b7682a9216 |
| SHA1 | 16f51ee0844457ba2c92c71aca83458dc3f5eb5f |
| SHA256 | bfa4720827693108168e458265efe191108afaf2c09cf5bb2ab8c236a3adbbec |
| SHA512 | 317100dafa4ef9f0d686e4027464312757b76bc12c1dbe1dd5d57485fd29ec0f227c0fb866a56242d22a5204d99b28d2dac4a26261a55571d907415f213f673c |
C:\Windows\system\CtAIKVs.exe
| MD5 | ba1533bf953ff387b30d5c5848cb1672 |
| SHA1 | b4e056363198d4e8cb689d97a135f2c2b775f394 |
| SHA256 | fdde31206417be709c4d48b1d445eb70606db11f48c9f8d94547cf2c8cc13758 |
| SHA512 | c8c5b4c0d948c76d514f736c996322d379f1292a318d57c7cd445f99fa95a1d7e59b4cfd2309a876dd4eab0966a1f0e549cf20348199cb2bc23e5dece5a61576 |
memory/1484-97-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/2536-92-0x000000013FC90000-0x000000013FFE4000-memory.dmp
C:\Windows\system\bipqyst.exe
| MD5 | 792a12e569bcebed0797d01a0b70d70a |
| SHA1 | b8662b1643bb34e190b7defe839715de1796dc98 |
| SHA256 | 12bdb9d21cb1a50c08320f6ffd77af1124f2067f00b2b4ac3985e3dc53f5e313 |
| SHA512 | f4fd33d4a05cd4f006ea20470269f9e35c00a2e04db2a3945ade8498651c60d91c16f403008c5b50f37cbf5feace98fcde104aac64f0c841bb02f04715e9e06c |
C:\Windows\system\dmigPRO.exe
| MD5 | c4dd2c25db28d2e6cb0b9912cc2aeb3d |
| SHA1 | e15176c92e45e41206462e53342d66b8966ed48f |
| SHA256 | 12bf72f27b703edfc9d760fb27bed8f7876d411ce99bb961189d8881912aa10a |
| SHA512 | 4470161103a8081fc1adada07daae298ed46388aa80db264bdc8e8e0cb92c9867fc28092b2c0c8cd3ea0ffad630c61a5686b97f1017b2a59478170011252d3fd |
C:\Windows\system\BNgmcjV.exe
| MD5 | 95bfbd29ef5e90df1716fa50971af1c4 |
| SHA1 | 82d9c36aedff610fa6fc39c6706ab7e4b9c896fa |
| SHA256 | 12df9c3c554bfd60a7c74bdcfff3c04c08d254f497ba1d4fb4cd925b0cece880 |
| SHA512 | 16613fca2bf1ed7752893f40f150a32a073990cfd64fdb2197d98210e96652dd2f7c5a9f4658d4ab73ec3153757dd859edf2f1927ce1516fb7ec892dd4c58b9a |
\Windows\system\yNIYiDW.exe
| MD5 | 615cf43c0105249bbebf7aa5344ea56f |
| SHA1 | 2035804cfe178628ffd7c7b0e4a28fde0cbf22bc |
| SHA256 | 1b3f7519fa35f0fee826030b19e6d2174825f4dfc5340333c41ec58c8ac4979d |
| SHA512 | 597ba3c35c65a773f93fd6af32588bfe5701c8fca5c39c946e82b81987ce0768d05d03fbcd11bfd1790338c4bcbc70f852340f09044f2338d5afc2e0731faa09 |
C:\Windows\system\hDqbDDb.exe
| MD5 | 9a4f12f8e123264204ff987332941130 |
| SHA1 | 8a5b6a37ad82650e8681e7a4a62c1aef53e837ec |
| SHA256 | afa43acf66a6b41a27cc88e249e5fa8fa813233be7de83ba1a8529a953bf0c42 |
| SHA512 | a56ac49bb50d9b2410ef0849f0b07939c08661f93a81b9675321add5e4d3cc6c4eef30e00be7644da8cd4b657654ace35da6d18dadb8ddb58190a26fa8207f93 |
C:\Windows\system\AagTaed.exe
| MD5 | aca8f4929e1321f287dded701c3be3bd |
| SHA1 | 0786812166a1c1c5da048397f29c6496782abba3 |
| SHA256 | de6fbcb7b0a6199774bc45b23a7a206c8bca42f4ba88c3291db10c6447e03b60 |
| SHA512 | 7008f6ffde6fccd2f430452344c48a920fd457b008d351c6e40cbf200934609cda9083fd2e24ddf3fe37737a070653b860553a05b3beb5537a6e2d5a29ea1a3e |
memory/2052-101-0x000000013FEF0000-0x0000000140244000-memory.dmp
C:\Windows\system\SSyrYwQ.exe
| MD5 | c8032e1300debcab1d2cd3772b6b5008 |
| SHA1 | 2f7cd9bffab3c7c19985b48f56739ef2a9d34d8c |
| SHA256 | ff482b53044556684d134e41e5ba84a2fc0316a7aeab724c7f38b5b24c6d9a98 |
| SHA512 | 517bb774f676d005933861c0a10b9024fb019238c170ee34e8e36bad1962947027f209c19d2d25fed99c33fc8cf300026b6d244afba0185e25758806a63172ed |
memory/2460-91-0x000000013F920000-0x000000013FC74000-memory.dmp
C:\Windows\system\RoNpfKD.exe
| MD5 | d04d5c638b841a589412a8a85cf09c10 |
| SHA1 | 4e92c76c632ec24b1e556ad3c9d4c72126ba5205 |
| SHA256 | 6cefd90254f1f2f74e83b7469c81f3d882a7e0d0afced01d7b8f2d081d642103 |
| SHA512 | 903e2ed350c79c8668f97ac86b8ac03df047336c392412d1cf920a9b509c354058bfa24c79d03198853c90ff683c3c52160fc194c36ccd9a2cbec5a017c1583f |
memory/2896-135-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/2052-136-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/848-137-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2052-138-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/2536-139-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/1484-140-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/2052-141-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2996-142-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/2620-143-0x000000013F490000-0x000000013F7E4000-memory.dmp
memory/2660-144-0x000000013F780000-0x000000013FAD4000-memory.dmp
memory/2564-145-0x000000013F3A0000-0x000000013F6F4000-memory.dmp
memory/2744-146-0x000000013F680000-0x000000013F9D4000-memory.dmp
memory/2460-147-0x000000013F920000-0x000000013FC74000-memory.dmp
memory/2072-148-0x000000013F6A0000-0x000000013F9F4000-memory.dmp
memory/2456-149-0x000000013FF30000-0x0000000140284000-memory.dmp
memory/2248-150-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2896-151-0x000000013FD40000-0x0000000140094000-memory.dmp
memory/848-152-0x000000013F240000-0x000000013F594000-memory.dmp
memory/2412-153-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/1484-154-0x000000013F1F0000-0x000000013F544000-memory.dmp
memory/2536-155-0x000000013FC90000-0x000000013FFE4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 08:44
Reported
2024-06-08 08:47
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| 21 matches; description, indicator, process and target not captured in this export | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| 21 matches; description, indicator, process and target not captured in this export | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| 64 matches; description, indicator, process and target not captured in this export | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 matches; description, indicator, process and target not captured in this export | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\hjsQqWG.exe | N/A |
| N/A | N/A | C:\Windows\System\IORALia.exe | N/A |
| N/A | N/A | C:\Windows\System\jjkkKqV.exe | N/A |
| N/A | N/A | C:\Windows\System\pKQDPSe.exe | N/A |
| N/A | N/A | C:\Windows\System\EqxyvWD.exe | N/A |
| N/A | N/A | C:\Windows\System\xRhUSMR.exe | N/A |
| N/A | N/A | C:\Windows\System\pJSqUDv.exe | N/A |
| N/A | N/A | C:\Windows\System\HJYXBXR.exe | N/A |
| N/A | N/A | C:\Windows\System\PuiYEnQ.exe | N/A |
| N/A | N/A | C:\Windows\System\ghcTItH.exe | N/A |
| N/A | N/A | C:\Windows\System\hfHHnLi.exe | N/A |
| N/A | N/A | C:\Windows\System\WsVxOnw.exe | N/A |
| N/A | N/A | C:\Windows\System\FXIGPll.exe | N/A |
| N/A | N/A | C:\Windows\System\dVkcjgl.exe | N/A |
| N/A | N/A | C:\Windows\System\mFrGFIx.exe | N/A |
| N/A | N/A | C:\Windows\System\rrpWvuQ.exe | N/A |
| N/A | N/A | C:\Windows\System\KYGKEKf.exe | N/A |
| N/A | N/A | C:\Windows\System\dxBhjvw.exe | N/A |
| N/A | N/A | C:\Windows\System\mYnAxXN.exe | N/A |
| N/A | N/A | C:\Windows\System\wqspVOM.exe | N/A |
| N/A | N/A | C:\Windows\System\QgkPTWP.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| 64 matches; description, indicator, process and target not captured in this export | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_ea8606c4c6a83ed429de9245aa2d63df_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\hjsQqWG.exe
C:\Windows\System\hjsQqWG.exe
C:\Windows\System\IORALia.exe
C:\Windows\System\IORALia.exe
C:\Windows\System\jjkkKqV.exe
C:\Windows\System\jjkkKqV.exe
C:\Windows\System\pKQDPSe.exe
C:\Windows\System\pKQDPSe.exe
C:\Windows\System\EqxyvWD.exe
C:\Windows\System\EqxyvWD.exe
C:\Windows\System\xRhUSMR.exe
C:\Windows\System\xRhUSMR.exe
C:\Windows\System\pJSqUDv.exe
C:\Windows\System\pJSqUDv.exe
C:\Windows\System\HJYXBXR.exe
C:\Windows\System\HJYXBXR.exe
C:\Windows\System\PuiYEnQ.exe
C:\Windows\System\PuiYEnQ.exe
C:\Windows\System\ghcTItH.exe
C:\Windows\System\ghcTItH.exe
C:\Windows\System\hfHHnLi.exe
C:\Windows\System\hfHHnLi.exe
C:\Windows\System\WsVxOnw.exe
C:\Windows\System\WsVxOnw.exe
C:\Windows\System\FXIGPll.exe
C:\Windows\System\FXIGPll.exe
C:\Windows\System\dVkcjgl.exe
C:\Windows\System\dVkcjgl.exe
C:\Windows\System\mFrGFIx.exe
C:\Windows\System\mFrGFIx.exe
C:\Windows\System\rrpWvuQ.exe
C:\Windows\System\rrpWvuQ.exe
C:\Windows\System\KYGKEKf.exe
C:\Windows\System\KYGKEKf.exe
C:\Windows\System\dxBhjvw.exe
C:\Windows\System\dxBhjvw.exe
C:\Windows\System\mYnAxXN.exe
C:\Windows\System\mYnAxXN.exe
C:\Windows\System\wqspVOM.exe
C:\Windows\System\wqspVOM.exe
C:\Windows\System\QgkPTWP.exe
C:\Windows\System\QgkPTWP.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
Files
memory/2284-0-0x00007FF63E450000-0x00007FF63E7A4000-memory.dmp
memory/2284-1-0x00000210F7460000-0x00000210F7470000-memory.dmp
C:\Windows\System\hjsQqWG.exe
| MD5 | 15c3c86811c1a018ea9c474bbe1d730c |
| SHA1 | c73b8174b08c3bfd46c98d0610df01e63b3a58a4 |
| SHA256 | a6468322518ae3b9a04a305e206ed6877c916d9195b4cdc22c370686dd682432 |
| SHA512 | 68281a2b2ee2cc3f57975a07d3f56bad576ff64f6bc48c5f9ffc5ddd2f14d41e6e91de73492b2e3e3477b8a703782c8bde409acb5c9c5edd2793bf0242fa852d |
C:\Windows\System\IORALia.exe
| MD5 | 98577eda0e7c3132bd47962932f8e918 |
| SHA1 | f50c863052cfda182f0973dafe95b549cd2d417a |
| SHA256 | 35b046710efa0080996a5db8f9d97119f36936aea2fe2aabb1c962c4f0c4186c |
| SHA512 | 568a406af673b7841f52f21672460eb27d4b8c54396545ad8b38ed1ae570e9be13c934a4fafea96a517647b01984a70d1990f53482c474f0e1bdf809804e3499 |
memory/4184-14-0x00007FF7A9C00000-0x00007FF7A9F54000-memory.dmp
C:\Windows\System\jjkkKqV.exe
| MD5 | 8c75ec4bd1a54b1d324dec558e6b10aa |
| SHA1 | e085fa2de61686c28e793755cb0976e5d82bdd85 |
| SHA256 | afbca9175a5c58ae39f2d579e211e2d2f6680674a6f72e61d51e731962bfa60d |
| SHA512 | b59212d2e2a875f348c43b04a1c3a08dba4982680a81543494a065b650a00b6aca1a61ed051ea5a850f2004c83ef9c9982a23401b6db64ee35bf9cbaad7462fe |
memory/436-20-0x00007FF7E4E10000-0x00007FF7E5164000-memory.dmp
memory/1472-8-0x00007FF773F80000-0x00007FF7742D4000-memory.dmp
C:\Windows\System\pKQDPSe.exe
| MD5 | 9830984b0bfa32d32ab00c00f1a471ca |
| SHA1 | dfc41aa66dccdf230cfd892268fd3796c53031eb |
| SHA256 | 78cdaf6734e3ee050f0f1b50a69cbcc64e2de9d986d932bbbca83f6759cb1b46 |
| SHA512 | 0253f2b3cab4de6eb02dfe4559556f0ab1d336f3ced723f7809bceda46733f243e053873ec14760d0f138e0de6c7b0a2e383424cca85c6d2d732fbb8fa91f9db |
memory/2448-26-0x00007FF76B550000-0x00007FF76B8A4000-memory.dmp
C:\Windows\System\EqxyvWD.exe
| MD5 | 6c34ee28c1475d6ca9ee2ff93ebee425 |
| SHA1 | c23f8db2f1538cc4d9e2f4d235fdf3281ee91054 |
| SHA256 | 4a5a20fed867baa11137f26c7b3e43ac1f227f5d944ac4662268037111cd5de5 |
| SHA512 | 07d21503ad226b7498e912520b106478201c53dfbfaf10e496df98b4b1e41b16514d9689347884df44def1a39bf936d6961436c6b1adf716d36e9c9a520bd9ef |
C:\Windows\System\xRhUSMR.exe
| MD5 | a037fa2d3d0facb3b3c879dc532f69d8 |
| SHA1 | 109e298aa42258623e4c7bb6a6099c1aa286684d |
| SHA256 | 8738775d426f280e34403bb262f38878e0c6d8fca3e0971b4507837628faf077 |
| SHA512 | b9f1581e70d5255116196073554e735a65f7845b6ae8a447e92cd2368a77471c201e967a0aa2649146da92262b0b7b63106961cc50cf579c2646ba7d0692bc9f |
memory/3084-42-0x00007FF6CECA0000-0x00007FF6CEFF4000-memory.dmp
memory/4008-45-0x00007FF7A47B0000-0x00007FF7A4B04000-memory.dmp
C:\Windows\System\HJYXBXR.exe
| MD5 | 9b2c9e733be43af2c9f44a987d304ff1 |
| SHA1 | b792d2f2ae9da62f446eb6b20a3f0859fdee317f |
| SHA256 | d95c15cc0234db0c775eaad993558734f445ee2d204c23cf0db18f426f4cef48 |
| SHA512 | 072cd077194a70f292c830be7e4dac4f1d64441cf139f419a0e7401a5fceca267b218f5cd68bf867f1f3a041c185d389089d0467b5c98e342e3f1b652629d98f |
memory/3260-48-0x00007FF659680000-0x00007FF6599D4000-memory.dmp
C:\Windows\System\pJSqUDv.exe
| MD5 | 6a737dc7787c75e756d8fe63a58145db |
| SHA1 | b5f882e54150a3ad8c1d3249ddff7e0b5e19eeeb |
| SHA256 | 146f9780a2e59b1a1d7b4b6a97cc20e8bd9e95a218fc6a847e8f7718211c787f |
| SHA512 | 89f9eeb79a75471c981664fcd128b2bbf713b0f1afeffef56d2929f231c53fb4bd91843372d5d366d53412d55051caf76eab1fac1cfed34727ade0e5a6b69256 |
memory/464-32-0x00007FF67EB80000-0x00007FF67EED4000-memory.dmp
C:\Windows\System\PuiYEnQ.exe
| MD5 | 187178b44f32857631effccc027f7c7b |
| SHA1 | 1e58f22420b71e96df97831b9e79bb91239a65c7 |
| SHA256 | e973a31de8188f6676970abeda1563bad9d07a9f18d923906b1670b387f14807 |
| SHA512 | 2144f33e00edefb4df86d1b306f7933ba92c44865fe18bd2e6754ee5de7eb1120ac61e4e2f7eefb35cafcc2b05b481083a97e52666081bfa5decf2b335572a75 |
memory/2284-62-0x00007FF63E450000-0x00007FF63E7A4000-memory.dmp
memory/2168-64-0x00007FF6DAFB0000-0x00007FF6DB304000-memory.dmp
C:\Windows\System\hfHHnLi.exe
| MD5 | a9e58c43b40305fe46d891f6b2f77fc5 |
| SHA1 | 8e14bf0190a22222674f443c831fd6b8182e3360 |
| SHA256 | 4f3184cedf2e172e9a720b04c1cfbbdda14814f1859ee4531a16b17db4c4d68d |
| SHA512 | 51e49231d6037e820e35074bb3404af1fceb7e7470df654194a7aa2f07884c91c76e9aefd5db9ddf452de6011af4030993c1d142de611443370af538b3498760 |
C:\Windows\System\ghcTItH.exe
| MD5 | e9730f9a915949bce9ce20c45f65ec67 |
| SHA1 | f57485c6973783334edcf652d2845554e81c23fd |
| SHA256 | 44ce656d66b35261ffb87c11b7b328f5ab974aad1f3e02700b0becbd39936dc0 |
| SHA512 | e8976177408af55598494dfa9ec2cf989ecc6807618b47a80fa39ff1df2a78a4a20e9b7b5f33a58c4ef556d90bda99107cf9479f6dc962a2f81fe155d78e11fc |
memory/3292-54-0x00007FF72CDD0000-0x00007FF72D124000-memory.dmp
memory/1472-69-0x00007FF773F80000-0x00007FF7742D4000-memory.dmp
memory/3236-70-0x00007FF77AE70000-0x00007FF77B1C4000-memory.dmp
C:\Windows\System\WsVxOnw.exe
| MD5 | f8c8edd8d81ee224b00cee0fa39ea718 |
| SHA1 | 1868aa26eb9d2f2ecf9763d6e4ec27c9429d723d |
| SHA256 | 1da97fbb8686cf83acf70109031f5713f5c4eb5966fe269e8e2b332ed0f1f214 |
| SHA512 | ab54c85b2b19b2cc1e9aa9faf8f2a4d11032818c77f2ef6abc2ea4ba80f036e8fba81d1bd4f381b3d6739b5ca81d6e4daed96b83da0a10cf446554c6850006a1 |
C:\Windows\System\FXIGPll.exe
| MD5 | 370be38f869a1626c08b43242b9f21ae |
| SHA1 | 93770fcc480aba007f1a94aab024c037eb7c1538 |
| SHA256 | 6f3ae2d4acc7cc93db7f98ec1202532b21fa8a80e7c6b0d26e61bbe821a2562e |
| SHA512 | 699bd1dce7404115c52e61f8e01f7cda0e7f63c6e2e8cb7d53871bd8da46101938dcca3aaa39f2b570baa48f31f9837a9d37656bc346c22196193651d53ea58d |
memory/3596-74-0x00007FF6FECE0000-0x00007FF6FF034000-memory.dmp
C:\Windows\System\dVkcjgl.exe
| MD5 | d4174cfa55bac41b538f56498306cc19 |
| SHA1 | ca3cbf79f5ffc9fcd541d2f9aff541092c5dafa1 |
| SHA256 | 6681a7d30b775f4ecfd2c9ada339a9df05be34a397df7c145da30166832813d4 |
| SHA512 | b1f1763fd358b4ad534566b65f68c2346a42f11df8ac979c588560cd02f8b007d9ae4fbb7af2c125f9e325709b32120c46ba6c3149c1e0210d77d469939383fd |
C:\Windows\System\mFrGFIx.exe
| MD5 | 37f96b2f359084a6f09670c564564928 |
| SHA1 | ded314a57ec3f5116868a35ce9f9230bb083ab92 |
| SHA256 | 322317ea0a4a44dcf8aaf65170b62bf35690c609e124635c4ce00969a7eea63e |
| SHA512 | 53dada7635290a76c0da69588248f4714943550dfa5e82d87d1c6d354573d6fa718ba5caa9a36386ec5daf3c409863970857b0afbd97aa7408f33292f36c1496 |
memory/3204-91-0x00007FF6B2100000-0x00007FF6B2454000-memory.dmp
memory/2448-90-0x00007FF76B550000-0x00007FF76B8A4000-memory.dmp
C:\Windows\System\rrpWvuQ.exe
| MD5 | 05f26f25135561f62423b26add1067cc |
| SHA1 | 66f32fb134e53f66b3cfc27f8a8a6f77b830f609 |
| SHA256 | 7221959604558899b76de17b7adb69ef145b2b0f1b473a4efb41a20bf5015b90 |
| SHA512 | 019d8aa7e33c812a7c94056e008750e6743d27dfef0e3229c2b032582282df544356ed00065c0fc6f4f82340986c705f2b5416ed8eab3adae93ef0b0c62cb1ed |
memory/4132-97-0x00007FF706BE0000-0x00007FF706F34000-memory.dmp
memory/1116-82-0x00007FF7614C0000-0x00007FF761814000-memory.dmp
memory/4008-101-0x00007FF7A47B0000-0x00007FF7A4B04000-memory.dmp
memory/3320-102-0x00007FF65B4A0000-0x00007FF65B7F4000-memory.dmp
C:\Windows\System\KYGKEKf.exe
| MD5 | 4023285ea9878208a881ab83582dbdcd |
| SHA1 | 9f5dac1dea96d5108cbce2e2d8cc31a39541682f |
| SHA256 | 699b5763c2ea7b3daff25451d2ec85a6d54fae9894290f56f89b741bcce19302 |
| SHA512 | 5c6ac3147c65cc88583a49140d9e8ed9a855ad9be4cf45a909d4e57c3ca160d3328596584e89a947a9557c2280b7849fdb7cc900d40f4430e9d9e48a92c196ba |
C:\Windows\System\dxBhjvw.exe
| MD5 | 7b8cffc313464a37701b372f13b1d0f0 |
| SHA1 | b15d1d76b1ed07b510aaf5dd3a29ea0b255452c5 |
| SHA256 | 7fc8cc91333ea056241dc73d86f29e0367ca756f37086eadaacdfe77f3d1de47 |
| SHA512 | 9405980e93f3807518ea2073dc973f3598bd83a4475d32c8d1641a4d51c34a5006649b0db5ebcd82a4089e74c417dc474936b948096194783d292f2f8c4f5dd9 |
C:\Windows\System\mYnAxXN.exe
| MD5 | 7334040c775f9fd2e489b3613084c923 |
| SHA1 | 04a5a0fde362bbf37f342e8427a1d0a729f3882d |
| SHA256 | 716ab8f380139ff1596e9cfd57533f9392ff310ea39762164cb08f86bdd70cbc |
| SHA512 | fbc7fc0572006c5497b7629b02c0359ee695935798790ec535b1a120d0189250883cf11481403dec368d285d2126c9adf1cd72bcf0ec21b13b8eca5c0c81bfb4 |
memory/1896-117-0x00007FF627080000-0x00007FF6273D4000-memory.dmp
memory/3260-116-0x00007FF659680000-0x00007FF6599D4000-memory.dmp
memory/2852-107-0x00007FF66AAD0000-0x00007FF66AE24000-memory.dmp
C:\Windows\System\wqspVOM.exe
| MD5 | b6d0284ed89fd9ca2dd81e70c5c34339 |
| SHA1 | a4e42c3c5583d28842480b92f33cf0ea7cbe31df |
| SHA256 | 29012109323c5c24d8e566d5ff1f5b251911acfad8f2421b7e24510bb9fdad5e |
| SHA512 | 1d136158de60f7b437359ccbc6c81e48442d2b4c7b51628ad00d5c102528cae56e90e384f2a9b6f039d0bb84f1db07c1d2aefdab8a925691e0c5cad4dd4f54a7 |
memory/2144-126-0x00007FF66FAC0000-0x00007FF66FE14000-memory.dmp
C:\Windows\System\QgkPTWP.exe
| MD5 | b0d841f29cbc0abd6e74d18f18650bd1 |
| SHA1 | 7186b141d95458eec4816834e0fde41fc178c1f4 |
| SHA256 | a6d7b669f99630fd8adfbe30d29cea9c556344b8c598ba5383673eb34aa09e59 |
| SHA512 | 9a07ddefdd62b1dc6e02c4e3e23e8c6c7f4bbb9d6a66c975240d7118e9a0754f22b823b4f8d2a75a96e620eddc33b10178e1f402844d1128522330b3b05f4f9a |
memory/4088-125-0x00007FF6CCCA0000-0x00007FF6CCFF4000-memory.dmp
memory/3292-124-0x00007FF72CDD0000-0x00007FF72D124000-memory.dmp
memory/4304-133-0x00007FF65FEB0000-0x00007FF660204000-memory.dmp
memory/3596-134-0x00007FF6FECE0000-0x00007FF6FF034000-memory.dmp
memory/1116-135-0x00007FF7614C0000-0x00007FF761814000-memory.dmp
memory/2852-136-0x00007FF66AAD0000-0x00007FF66AE24000-memory.dmp
memory/2144-137-0x00007FF66FAC0000-0x00007FF66FE14000-memory.dmp
memory/1472-138-0x00007FF773F80000-0x00007FF7742D4000-memory.dmp
memory/4184-139-0x00007FF7A9C00000-0x00007FF7A9F54000-memory.dmp
memory/436-140-0x00007FF7E4E10000-0x00007FF7E5164000-memory.dmp
memory/2448-141-0x00007FF76B550000-0x00007FF76B8A4000-memory.dmp
memory/464-142-0x00007FF67EB80000-0x00007FF67EED4000-memory.dmp
memory/3084-143-0x00007FF6CECA0000-0x00007FF6CEFF4000-memory.dmp
memory/4008-144-0x00007FF7A47B0000-0x00007FF7A4B04000-memory.dmp
memory/3260-145-0x00007FF659680000-0x00007FF6599D4000-memory.dmp
memory/3292-146-0x00007FF72CDD0000-0x00007FF72D124000-memory.dmp
memory/2168-147-0x00007FF6DAFB0000-0x00007FF6DB304000-memory.dmp
memory/3236-148-0x00007FF77AE70000-0x00007FF77B1C4000-memory.dmp
memory/3596-149-0x00007FF6FECE0000-0x00007FF6FF034000-memory.dmp
memory/1116-150-0x00007FF7614C0000-0x00007FF761814000-memory.dmp
memory/3204-151-0x00007FF6B2100000-0x00007FF6B2454000-memory.dmp
memory/4132-152-0x00007FF706BE0000-0x00007FF706F34000-memory.dmp
memory/3320-153-0x00007FF65B4A0000-0x00007FF65B7F4000-memory.dmp
memory/2852-154-0x00007FF66AAD0000-0x00007FF66AE24000-memory.dmp
memory/1896-155-0x00007FF627080000-0x00007FF6273D4000-memory.dmp
memory/4088-156-0x00007FF6CCCA0000-0x00007FF6CCFF4000-memory.dmp
memory/2144-157-0x00007FF66FAC0000-0x00007FF66FE14000-memory.dmp
memory/4304-158-0x00007FF65FEB0000-0x00007FF660204000-memory.dmp
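As an added example that is not part of this report or of the sandbox vendor's tooling, the Python below pulls the dropped-file hashes, the dumped memory regions and the non-DNS network destinations out of the report text so they can be fed into a hunt, and checks two things the raw lists do not make obvious: every digest has the full hex length for its algorithm, and the regions in the 0x7FF6/0x7FF7 range all have the same size (0x354000 bytes in every dump above, while the 0x10000 region of PID 2284 is a different, much smaller mapping). `EXCERPT` is a constructed copy of a few lines from the Files, memory and Network sections; the `C:\Windows\System\<7 letters>.exe` pattern behind `is_suspicious_drop` is an assumption drawn from the filenames listed here, not a vendor signature.

```python
"""Extract hunting indicators from this sandbox report and sanity-check them.

Added example, not part of the report or the sandbox vendor's tooling.
EXCERPT is a constructed copy of a few lines from the sections above; the
parsers assume the report's own text layout (pipe tables for hashes and
network rows, "memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp" for dumps).
"""
import re
from collections import Counter

EXCERPT = r"""
C:\Windows\System\hjsQqWG.exe
| MD5 | 15c3c86811c1a018ea9c474bbe1d730c |
| SHA1 | c73b8174b08c3bfd46c98d0610df01e63b3a58a4 |
| SHA256 | a6468322518ae3b9a04a305e206ed6877c916d9195b4cdc22c370686dd682432 |
C:\Windows\System\IORALia.exe
| MD5 | 98577eda0e7c3132bd47962932f8e918 |
| SHA256 | 35b046710efa0080996a5db8f9d97119f36936aea2fe2aabb1c962c4f0c4186c |
memory/2284-0-0x00007FF63E450000-0x00007FF63E7A4000-memory.dmp
memory/2284-1-0x00000210F7460000-0x00000210F7470000-memory.dmp
memory/4184-14-0x00007FF7A9C00000-0x00007FF7A9F54000-memory.dmp
memory/2284-62-0x00007FF63E450000-0x00007FF63E7A4000-memory.dmp
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
"""

# Drop path seen in this report: the legacy C:\Windows\System directory (not
# System32) plus a seven-letter name. Assumption drawn from the list above,
# not a vendor signature.
DROP_RE = re.compile(r"C:\\Windows\\System\\[A-Za-z]{7}\.exe", re.IGNORECASE)
HASH_RE = re.compile(r"\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|")
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")
DEST_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}:\d+")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
SANDBOX_DNS = ("8.8.8.8", 53)  # resolver traffic is sandbox noise, not an indicator


def is_suspicious_drop(path: str) -> bool:
    """True for C:\\Windows\\System\\<7 letters>.exe, the pattern every dropped file here follows."""
    return DROP_RE.fullmatch(path.strip()) is not None


def validate_digest(algo: str, digest: str) -> bool:
    """A digest copied into an IOC list must be lowercase hex of the full length for its algorithm."""
    return len(digest) == HEX_LEN[algo] and all(c in "0123456789abcdef" for c in digest)


def parse_files(text: str) -> dict:
    """Return {dropped path: {algo: digest}}; raises on a truncated or non-hex digest."""
    files, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if is_suspicious_drop(line):
            current = line
            files[current] = {}
            continue
        m = HASH_RE.fullmatch(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if not validate_digest(algo, digest):
                raise ValueError(f"{current}: bad {algo} digest {digest!r}")
            files[current][algo] = digest
    return files


def parse_dumps(text: str) -> dict:
    """Return {(pid, base): size} over unique regions; the same region dumped twice counts once."""
    regions = {}
    for raw in text.splitlines():
        m = DUMP_RE.fullmatch(raw.strip())
        if not m:
            continue
        pid, _seq, start, end = m.groups()
        base, size = int(start, 16), int(end, 16) - int(start, 16)
        if regions.setdefault((int(pid), base), size) != size:
            raise ValueError(f"PID {pid}: region 0x{base:X} dumped with two different sizes")
    return regions


def image_size_histogram(text: str) -> Counter:
    """Count regions by size; one dominant size means every process mapped the same image."""
    return Counter(parse_dumps(text).values())


def parse_network(text: str) -> Counter:
    """Return {(ip, port, proto): hits} for non-DNS rows, tolerating proto in either trailing column."""
    dests = Counter()
    for raw in text.splitlines():
        cells = [c.strip() for c in raw.strip().strip("|").split("|")]
        if len(cells) != 4 or not DEST_RE.fullmatch(cells[1]):
            continue
        ip, port = cells[1].rsplit(":", 1)
        proto = next((c for c in cells[2:] if c in ("tcp", "udp")), None)
        if proto is None or (ip, int(port)) == SANDBOX_DNS:
            continue
        dests[(ip, int(port), proto)] += 1
    return dests


if __name__ == "__main__":
    for path, digests in parse_files(EXCERPT).items():
        print(path, digests["SHA256"])
    for size, n in image_size_histogram(EXCERPT).most_common():
        print(f"{n} region(s) of 0x{size:X} bytes")
    for (ip, port, proto), n in parse_network(EXCERPT).items():
        print(f"{ip}:{port}/{proto} seen {n} time(s)")
```

Run it against the full Files, memory and Network sections instead of `EXCERPT` to get the complete bundle; `parse_dumps` deduplicates the repeated dumps of the same region (for example PID 2284 at indices 0 and 62), and a digest that was truncated while copying is rejected rather than silently shipped to a blocklist.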