Analysis Overview
SHA256
08a737956ced15ab1dbf6f4139b8e06b18ce2b38dbba50c2353cc6d4657288ff
Threat Level: Known bad
The file 2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
Detects Reflective DLL injection artifacts
Cobaltstrike
UPX dump on OEP (original entry point)
XMRig Miner payload
Cobaltstrike family
Xmrig family
Cobalt Strike reflective loader
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 16:23
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 16:23
Reported
2024-06-08 16:25
Platform
win7-20240220-en
Max time kernel
133s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\fqwzRwA.exe | N/A |
| N/A | N/A | C:\Windows\System\pGpCbji.exe | N/A |
| N/A | N/A | C:\Windows\System\xUqulQO.exe | N/A |
| N/A | N/A | C:\Windows\System\PLMQnkx.exe | N/A |
| N/A | N/A | C:\Windows\System\QlPFgLN.exe | N/A |
| N/A | N/A | C:\Windows\System\umugkmY.exe | N/A |
| N/A | N/A | C:\Windows\System\MZlqEQi.exe | N/A |
| N/A | N/A | C:\Windows\System\nhTxPSd.exe | N/A |
| N/A | N/A | C:\Windows\System\dqKRuYB.exe | N/A |
| N/A | N/A | C:\Windows\System\xeoDMaw.exe | N/A |
| N/A | N/A | C:\Windows\System\XoVUTlO.exe | N/A |
| N/A | N/A | C:\Windows\System\LrJuACe.exe | N/A |
| N/A | N/A | C:\Windows\System\USetOJB.exe | N/A |
| N/A | N/A | C:\Windows\System\RhVpHCR.exe | N/A |
| N/A | N/A | C:\Windows\System\JGlobpx.exe | N/A |
| N/A | N/A | C:\Windows\System\Xfkdtdk.exe | N/A |
| N/A | N/A | C:\Windows\System\ScxhFnj.exe | N/A |
| N/A | N/A | C:\Windows\System\zGRcZcO.exe | N/A |
| N/A | N/A | C:\Windows\System\xnEzBjl.exe | N/A |
| N/A | N/A | C:\Windows\System\VIjYqYZ.exe | N/A |
| N/A | N/A | C:\Windows\System\miXKmTt.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\fqwzRwA.exe
C:\Windows\System\fqwzRwA.exe
C:\Windows\System\pGpCbji.exe
C:\Windows\System\pGpCbji.exe
C:\Windows\System\xUqulQO.exe
C:\Windows\System\xUqulQO.exe
C:\Windows\System\PLMQnkx.exe
C:\Windows\System\PLMQnkx.exe
C:\Windows\System\QlPFgLN.exe
C:\Windows\System\QlPFgLN.exe
C:\Windows\System\umugkmY.exe
C:\Windows\System\umugkmY.exe
C:\Windows\System\MZlqEQi.exe
C:\Windows\System\MZlqEQi.exe
C:\Windows\System\nhTxPSd.exe
C:\Windows\System\nhTxPSd.exe
C:\Windows\System\dqKRuYB.exe
C:\Windows\System\dqKRuYB.exe
C:\Windows\System\XoVUTlO.exe
C:\Windows\System\XoVUTlO.exe
C:\Windows\System\xeoDMaw.exe
C:\Windows\System\xeoDMaw.exe
C:\Windows\System\LrJuACe.exe
C:\Windows\System\LrJuACe.exe
C:\Windows\System\RhVpHCR.exe
C:\Windows\System\RhVpHCR.exe
C:\Windows\System\USetOJB.exe
C:\Windows\System\USetOJB.exe
C:\Windows\System\zGRcZcO.exe
C:\Windows\System\zGRcZcO.exe
C:\Windows\System\JGlobpx.exe
C:\Windows\System\JGlobpx.exe
C:\Windows\System\xnEzBjl.exe
C:\Windows\System\xnEzBjl.exe
C:\Windows\System\Xfkdtdk.exe
C:\Windows\System\Xfkdtdk.exe
C:\Windows\System\VIjYqYZ.exe
C:\Windows\System\VIjYqYZ.exe
C:\Windows\System\ScxhFnj.exe
C:\Windows\System\ScxhFnj.exe
C:\Windows\System\miXKmTt.exe
C:\Windows\System\miXKmTt.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 16:23
Reported
2024-06-08 16:25
Platform
win10v2004-20240508-en
Max time kernel
144s
Max time network
153s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\jaZebXk.exe | N/A |
| N/A | N/A | C:\Windows\System\JpjCdKX.exe | N/A |
| N/A | N/A | C:\Windows\System\gEZZDaR.exe | N/A |
| N/A | N/A | C:\Windows\System\pTybALj.exe | N/A |
| N/A | N/A | C:\Windows\System\gUMACkI.exe | N/A |
| N/A | N/A | C:\Windows\System\xwYUyTl.exe | N/A |
| N/A | N/A | C:\Windows\System\WKibwxj.exe | N/A |
| N/A | N/A | C:\Windows\System\GoEtMUz.exe | N/A |
| N/A | N/A | C:\Windows\System\fSCgaqD.exe | N/A |
| N/A | N/A | C:\Windows\System\jPndcpr.exe | N/A |
| N/A | N/A | C:\Windows\System\bqUczVr.exe | N/A |
| N/A | N/A | C:\Windows\System\LJFlokN.exe | N/A |
| N/A | N/A | C:\Windows\System\XptBbHD.exe | N/A |
| N/A | N/A | C:\Windows\System\xgjYUoX.exe | N/A |
| N/A | N/A | C:\Windows\System\yeCZcqy.exe | N/A |
| N/A | N/A | C:\Windows\System\SlaBiQz.exe | N/A |
| N/A | N/A | C:\Windows\System\NoKqXER.exe | N/A |
| N/A | N/A | C:\Windows\System\VcPdBCy.exe | N/A |
| N/A | N/A | C:\Windows\System\Ghjlgqq.exe | N/A |
| N/A | N/A | C:\Windows\System\hVfLCjo.exe | N/A |
| N/A | N/A | C:\Windows\System\xbehudK.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_4898b7432900a31c159573d25011f5ca_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\jaZebXk.exe
C:\Windows\System\jaZebXk.exe
C:\Windows\System\JpjCdKX.exe
C:\Windows\System\JpjCdKX.exe
C:\Windows\System\gEZZDaR.exe
C:\Windows\System\gEZZDaR.exe
C:\Windows\System\pTybALj.exe
C:\Windows\System\pTybALj.exe
C:\Windows\System\gUMACkI.exe
C:\Windows\System\gUMACkI.exe
C:\Windows\System\xwYUyTl.exe
C:\Windows\System\xwYUyTl.exe
C:\Windows\System\WKibwxj.exe
C:\Windows\System\WKibwxj.exe
C:\Windows\System\GoEtMUz.exe
C:\Windows\System\GoEtMUz.exe
C:\Windows\System\fSCgaqD.exe
C:\Windows\System\fSCgaqD.exe
C:\Windows\System\jPndcpr.exe
C:\Windows\System\jPndcpr.exe
C:\Windows\System\bqUczVr.exe
C:\Windows\System\bqUczVr.exe
C:\Windows\System\LJFlokN.exe
C:\Windows\System\LJFlokN.exe
C:\Windows\System\XptBbHD.exe
C:\Windows\System\XptBbHD.exe
C:\Windows\System\xgjYUoX.exe
C:\Windows\System\xgjYUoX.exe
C:\Windows\System\yeCZcqy.exe
C:\Windows\System\yeCZcqy.exe
C:\Windows\System\SlaBiQz.exe
C:\Windows\System\SlaBiQz.exe
C:\Windows\System\NoKqXER.exe
C:\Windows\System\NoKqXER.exe
C:\Windows\System\VcPdBCy.exe
C:\Windows\System\VcPdBCy.exe
C:\Windows\System\Ghjlgqq.exe
C:\Windows\System\Ghjlgqq.exe
C:\Windows\System\hVfLCjo.exe
C:\Windows\System\hVfLCjo.exe
C:\Windows\System\xbehudK.exe
C:\Windows\System\xbehudK.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
| SHA256 | c2e5515d6b3eabed096a2eed162f6ba85b35676dfb585d8e7f126385beac4d0e |
| SHA512 | e3e4947cfc47f985f6abb777b1cffba3d11cb02534441c3f1f908b612ddecd648c9247f0092fe2f9212c2a861c7b9bc09c21b93a4fd653313f671a579218e1a4 |
memory/2020-47-0x00007FF701070000-0x00007FF7013C4000-memory.dmp
C:\Windows\System\LJFlokN.exe
| MD5 | 3b6151eee8a52652107169331a411dc7 |
| SHA1 | a9ad860fee0594fd9ea403aa1c02bdaed6d74f06 |
| SHA256 | 4dc4183e03ff5cc55538feb2504d1cb1ab6371a3fadff04f603b382ef0340cb0 |
| SHA512 | 5661a0425d7c3674cea7bde55b330b2c306aea9034b2ec918d169d201ae7316317498b3aaafa9b7cbb51e309a58efd2d4f0fc58bc059e38fe3bd105689c8d228 |
C:\Windows\System\xgjYUoX.exe
| MD5 | 343d9d0dcec3fcbf65453960bdbd3d2a |
| SHA1 | 97fb28b22efd3227649d6ad2baf24014621c020b |
| SHA256 | cb9b3f04a0db8431fcb555d194f587aee032c1c35bce9f4a1a66709f56aa8218 |
| SHA512 | 101376c6b1113f2736fd17d58d11bc9b7aa303a9a7e9d569893b1d5c8496299ebea9375a766fabaec47a4fa98c05951b54bdb9742ce4bdfe355b35bbd4ee6dbc |
memory/2728-77-0x00007FF72D700000-0x00007FF72DA54000-memory.dmp
C:\Windows\System\XptBbHD.exe
| MD5 | 30aefc0874884399990bf856e62719ac |
| SHA1 | 528a8927075834f5c6f5089de784efd04667a061 |
| SHA256 | 143aee5c13531e3756521e461ec17614436c3b9b3a3b9ce6c7686e320a18c80e |
| SHA512 | 356f97746ca220ab7014138e26c3fbf63cebaa72dfb7dc06793c00af156ab3d6a37edbef0e4e6549d475e8ff4ec4c578680c1e65a442629400bd755783b06429 |
C:\Windows\System\jPndcpr.exe
| MD5 | 31abda858db42888633d9b714c39ba56 |
| SHA1 | eda9e0eca2d62f7cfae5e11eecfa5705dad5c5d0 |
| SHA256 | 83bce1dac341e1bd872d0ff541c3a9e3f107fcf74a81470b2995d563478e3b99 |
| SHA512 | be91fa71be5b570bdf97cd7de6cb9ca540908dba60d518d69c2d7d5154f6bd557a1ea34c4adc88119fcefd5c4fea8f42312666c5617725cb10493efa90e8b2c2 |
memory/4532-80-0x00007FF61D3B0000-0x00007FF61D704000-memory.dmp
memory/4804-79-0x00007FF70E020000-0x00007FF70E374000-memory.dmp
memory/512-78-0x00007FF7515F0000-0x00007FF751944000-memory.dmp
C:\Windows\System\bqUczVr.exe
| MD5 | fbd5aaa653dc55054ceba13fbcc5ae85 |
| SHA1 | 8159ae9ad9affa0eabf58654eae521f98d6c5ea7 |
| SHA256 | 0b241da0f2e9853ca06844655c1996eff7e72d021e118d3268a957fea08ff3db |
| SHA512 | fb90d08052ce6416e777aa6fe09f102137810729c9e68899740a9a83ff1eab5cf110e20941c7381f1010e65a565c776ca6953a3f564b0a102b6f6c043dd93df1 |
memory/3972-72-0x00007FF6B4500000-0x00007FF6B4854000-memory.dmp
memory/4960-71-0x00007FF6299B0000-0x00007FF629D04000-memory.dmp
memory/1276-64-0x00007FF6FF670000-0x00007FF6FF9C4000-memory.dmp
memory/2696-60-0x00007FF6D55F0000-0x00007FF6D5944000-memory.dmp
C:\Windows\System\fSCgaqD.exe
| MD5 | 31953b0ef659ed41f7cee4b2210901b3 |
| SHA1 | bcee48f50231618e730168fdc11ceb56affa071e |
| SHA256 | 6c453932aeb7d7eec94467ce7f9dd125f875d0682ab868059b1ede9420e65adb |
| SHA512 | 326b2673fec9150f8f3ab2e750f908282f1befb5763550f28dd5a2ad4bbc8c6f19f3692deb5ca749445fa9a3f48ee5aaa97e1e3c0be6eeddef05b49f3419beaa |
memory/3316-55-0x00007FF68C930000-0x00007FF68CC84000-memory.dmp
memory/968-43-0x00007FF6B0570000-0x00007FF6B08C4000-memory.dmp
C:\Windows\System\yeCZcqy.exe
| MD5 | 2782605f2c8a17c1ee07354121d50d36 |
| SHA1 | f08e849efdf4fee0b5cba07b9da7b81c34e2b146 |
| SHA256 | dfeb8729c7563323bfdced26b65c0a36e00767207524993a1f1ebe7420fa99c1 |
| SHA512 | 733253712816a0d20c683e93072ddefbb37ef72c26dddf18b37de64824978fde1e75f20e7ec84fa4ffa3928a592fbfbe667c4070b1e013f9842250b2d9c5488c |
memory/4988-94-0x00007FF7886D0000-0x00007FF788A24000-memory.dmp
C:\Windows\System\SlaBiQz.exe
| MD5 | 9227087f7b1ae422e512103f83c7d228 |
| SHA1 | d525e63ff96fc5d95fee815e1d332a971477076b |
| SHA256 | af7a43de2707083fbf36090af8ea8c713be10982a1d265bcd10e6c8204e202e2 |
| SHA512 | 6d0050685df97c13a7dd0e1d1f7cd8d4653b27a7b99434c6cca37898885fe80280c8cf32b401513541b1f20df1cf11387df19057f020050c008eeed50d71d30b |
memory/4500-103-0x00007FF614210000-0x00007FF614564000-memory.dmp
C:\Windows\System\NoKqXER.exe
| MD5 | 8bd9bb050a0c54be7642f50b907ae995 |
| SHA1 | 1606d3673cbbdc7a37f4637e7d90ba7f407140bd |
| SHA256 | ab1186131f011090881d61d1328951d61ae789e950b9ecb47c6ac2f5c8118493 |
| SHA512 | 94ce325dcdaf39ace3619f30515e22b077789bd847eb681e1b08b55b1cffd9b63081b9306800edb40bbc8f18421e9c3b4565dd0a874c960511cfc1d14186383c |
memory/1812-113-0x00007FF68BD50000-0x00007FF68C0A4000-memory.dmp
C:\Windows\System\VcPdBCy.exe
| MD5 | b0dc8a6e9aa5117ba8da9614c2553315 |
| SHA1 | 4dd83164aaee55015adbdc0ff7bfdc432581f23a |
| SHA256 | c674e38dee80bf611d8b49984ba355149d9dd518c723f998f33cedbb0a847ef7 |
| SHA512 | dea2961bc95b1e0ab5028ee0ecca0e3acc44ff779b48caa089b470d2e8e5ce41650a3f99236bb8f481dade51df4e8d0bee6d95135381afd6fbcd5fe4a825962e |
C:\Windows\System\hVfLCjo.exe
| MD5 | 4be673f5fb58c14a5e4ac28c823ee852 |
| SHA1 | 4d4d41c6a25082ab87cf5eeb0b577874f9e89040 |
| SHA256 | 51e5b42727e80a82cab8f2146af5b00fbfe575696a07ca73e0fccb425223cddd |
| SHA512 | c160bbe0e5941ad8ab8c4b8e91a1e9e35861a2d011866b7af3dffeb1701f4f4567ab8fa4c72103ec11e74cd13f2d892cadd340f59d96a6a1851193cfc2b7d955 |
C:\Windows\System\Ghjlgqq.exe
| MD5 | 1f7866c2c226f3a4a654214b80ce2220 |
| SHA1 | 822bd3c37a520c24e3c73100f31593dd07d8ffeb |
| SHA256 | fdc708ee6491f6e4bdb27af92337ac949e7f2173bc0c19f3a28e2955d02b6f3a |
| SHA512 | 42e77740572277ceb3cb35209d2cdd59ae7faf80edf18a1a6d93b010b93295c864bc5f291328ee6bc6ba2b76260ef501014be9dafc05687b3995e803b1b89878 |
memory/968-110-0x00007FF6B0570000-0x00007FF6B08C4000-memory.dmp
memory/5000-107-0x00007FF7C6550000-0x00007FF7C68A4000-memory.dmp
C:\Windows\System\xbehudK.exe
| MD5 | ac38912bacd44ba1fbc4180852fa2f4c |
| SHA1 | e33a21ce2c0bcf36c8d338103bf0afa5e0a350e4 |
| SHA256 | b93a42c544614096c2ac7abb908de2b60f77173ea67959e33ea68a8353ffe142 |
| SHA512 | a3c28347304e6f40cd3d37f34d3b60736336791e8b40d0a8923956dc2783f386eff14766f0dde9ee2c474e0454c591b5c37a530c8b344661023c300b270a26d2 |
memory/2504-126-0x00007FF6111D0000-0x00007FF611524000-memory.dmp
memory/1072-124-0x00007FF75FD80000-0x00007FF7600D4000-memory.dmp
memory/1904-130-0x00007FF6ACF30000-0x00007FF6AD284000-memory.dmp
memory/1276-131-0x00007FF6FF670000-0x00007FF6FF9C4000-memory.dmp
memory/3972-132-0x00007FF6B4500000-0x00007FF6B4854000-memory.dmp
memory/512-134-0x00007FF7515F0000-0x00007FF751944000-memory.dmp
memory/2728-133-0x00007FF72D700000-0x00007FF72DA54000-memory.dmp
memory/4532-135-0x00007FF61D3B0000-0x00007FF61D704000-memory.dmp
memory/4988-136-0x00007FF7886D0000-0x00007FF788A24000-memory.dmp
memory/5000-137-0x00007FF7C6550000-0x00007FF7C68A4000-memory.dmp
memory/1812-138-0x00007FF68BD50000-0x00007FF68C0A4000-memory.dmp
memory/3600-139-0x00007FF6161F0000-0x00007FF616544000-memory.dmp
memory/4804-140-0x00007FF70E020000-0x00007FF70E374000-memory.dmp
memory/5108-142-0x00007FF6CB200000-0x00007FF6CB554000-memory.dmp
memory/2304-141-0x00007FF76BA40000-0x00007FF76BD94000-memory.dmp
memory/4436-143-0x00007FF684B90000-0x00007FF684EE4000-memory.dmp
memory/2020-144-0x00007FF701070000-0x00007FF7013C4000-memory.dmp
memory/968-145-0x00007FF6B0570000-0x00007FF6B08C4000-memory.dmp
memory/3316-146-0x00007FF68C930000-0x00007FF68CC84000-memory.dmp
memory/2696-147-0x00007FF6D55F0000-0x00007FF6D5944000-memory.dmp
memory/3972-148-0x00007FF6B4500000-0x00007FF6B4854000-memory.dmp
memory/2728-149-0x00007FF72D700000-0x00007FF72DA54000-memory.dmp
memory/4532-150-0x00007FF61D3B0000-0x00007FF61D704000-memory.dmp
memory/1276-151-0x00007FF6FF670000-0x00007FF6FF9C4000-memory.dmp
memory/512-152-0x00007FF7515F0000-0x00007FF751944000-memory.dmp
memory/4988-153-0x00007FF7886D0000-0x00007FF788A24000-memory.dmp
memory/4500-154-0x00007FF614210000-0x00007FF614564000-memory.dmp
memory/1812-155-0x00007FF68BD50000-0x00007FF68C0A4000-memory.dmp
memory/1072-157-0x00007FF75FD80000-0x00007FF7600D4000-memory.dmp
memory/2504-156-0x00007FF6111D0000-0x00007FF611524000-memory.dmp
memory/5000-158-0x00007FF7C6550000-0x00007FF7C68A4000-memory.dmp
memory/1904-159-0x00007FF6ACF30000-0x00007FF6AD284000-memory.dmp
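Every image-range dump in the listing above spans the same 0x354000 bytes (for example 0x7FF6299B0000 to 0x7FF629D04000 in pid 4960 and 0x7FF70E020000 to 0x7FF70E374000 in pid 4804), while the dropped executables all carry distinct hashes. A first triage step is to parse the dump names and count how many processes hold an identically sized region. The Python below is an added example, not part of the sandbox report; it assumes the naming convention visible in the listing, `memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp`, and the sample names are copied from the listing.

```python
"""Memory-dump name triage for the Files section above: added example, not
part of the sandbox report. Assumes the naming convention visible in the
listing, memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp, where start/end are
the virtual address range that was dumped."""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<n>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed sample: dump names copied from the listing above.
DUMPS = [
    "memory/4960-0-0x00007FF6299B0000-0x00007FF629D04000-memory.dmp",
    "memory/4960-1-0x000001D1BE750000-0x000001D1BE760000-memory.dmp",
    "memory/4804-7-0x00007FF70E020000-0x00007FF70E374000-memory.dmp",
    "memory/2304-25-0x00007FF76BA40000-0x00007FF76BD94000-memory.dmp",
    "memory/4804-79-0x00007FF70E020000-0x00007FF70E374000-memory.dmp",
    "memory/1904-159-0x00007FF6ACF30000-0x00007FF6AD284000-memory.dmp",
]


def parse_dump_name(name):
    """Return pid, dump index, start, end and size (bytes) for one dump name."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "n": int(m["n"]),
            "start": start, "end": end, "size": end - start}


def group_by_size(names):
    """Map region size -> set of distinct (pid, base) regions of that size.

    The same region dumped twice from one process (dumps 7 and 79 of pid 4804
    above) collapses to one entry, so the count is of regions, not of dumps.
    """
    groups = defaultdict(set)
    for name in names:
        d = parse_dump_name(name)
        groups[d["size"]].add((d["pid"], d["start"]))
    return dict(groups)


def pids_with_region_size(names, size):
    """Sorted PIDs that each carry a region of exactly `size` bytes: a quick
    way to see how many processes map the same-sized image."""
    return sorted({pid for pid, _base in group_by_size(names).get(size, set())})


if __name__ == "__main__":
    for size, regions in sorted(group_by_size(DUMPS).items(), reverse=True):
        pids = sorted(p for p, _ in regions)
        print(f"{size:#x} bytes: {len(regions)} region(s) in pids {pids}")
```

On the sample the 0x354000-byte regions sit at 0x7FF6...-0x7FF7... bases, the range Windows uses for 64-bit image mappings under high-entropy ASLR, and the single 0x10000-byte region at 0x1D1BE750000 is a separate allocation in pid 4960; grouping by size like this is what lets an analyst say "one image, many processes" before opening any of the dumps.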