Analysis Overview
SHA256
a6b2bec4ef3cb07d405fd89a87e27ee8ff3fa3210959fe7f4d44b727bf072156
Threat Level: Known bad
The file 2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
xmrig
XMRig Miner payload
Detects Reflective DLL injection artifacts
Xmrig family
Cobaltstrike
Cobaltstrike family
Cobalt Strike reflective loader
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-08 16:48
Signatures
Cobalt Strike reflective loader (1 hit; per-hit description, indicator, process and target not captured)
Cobaltstrike family
Detects Reflective DLL injection artifacts (1 hit; per-hit details not captured)
UPX dump on OEP (original entry point) (1 hit; per-hit details not captured)
XMRig Miner payload (1 hit; per-hit details not captured)
Xmrig family
UPX packed file (1 hit; per-hit details not captured)
Unsigned PE (1 hit; per-hit details not captured)
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 16:48
Reported
2024-06-08 16:50
Platform
win7-20240221-en
Max time kernel
137s
Max time network
147s
Signatures
Cobalt Strike reflective loader (21 hits; per-hit description, indicator, process and target not captured)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts (21 hits; per-hit details not captured)
UPX dump on OEP (original entry point) (53 hits; per-hit details not captured)
XMRig Miner payload (55 hits; per-hit details not captured)
Executes dropped EXE
| Process |
| C:\Windows\System\WrTyYPh.exe |
| C:\Windows\System\pjiHoVg.exe |
| C:\Windows\System\HpAZDdo.exe |
| C:\Windows\System\kLVMqlC.exe |
| C:\Windows\System\PLmCBDN.exe |
| C:\Windows\System\HUMexTU.exe |
| C:\Windows\System\xpRdYdK.exe |
| C:\Windows\System\MQjqkOs.exe |
| C:\Windows\System\vZjEVOI.exe |
| C:\Windows\System\fgmdRFy.exe |
| C:\Windows\System\zSxvTed.exe |
| C:\Windows\System\xcXdOru.exe |
| C:\Windows\System\MUMXQDL.exe |
| C:\Windows\System\xRsoahj.exe |
| C:\Windows\System\jnTZKod.exe |
| C:\Windows\System\UUjPKoq.exe |
| C:\Windows\System\MisVPUk.exe |
| C:\Windows\System\zwoNMyD.exe |
| C:\Windows\System\gIZplgE.exe |
| C:\Windows\System\MGCXSra.exe |
| C:\Windows\System\QfmKXTe.exe |
Loads dropped DLL
UPX packed file (53 hits; per-hit details not captured)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Token | Process |
| SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe |
| SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\WrTyYPh.exe | C:\Windows\System\WrTyYPh.exe |
| C:\Windows\System\pjiHoVg.exe | C:\Windows\System\pjiHoVg.exe |
| C:\Windows\System\HpAZDdo.exe | C:\Windows\System\HpAZDdo.exe |
| C:\Windows\System\kLVMqlC.exe | C:\Windows\System\kLVMqlC.exe |
| C:\Windows\System\HUMexTU.exe | C:\Windows\System\HUMexTU.exe |
| C:\Windows\System\PLmCBDN.exe | C:\Windows\System\PLmCBDN.exe |
| C:\Windows\System\xpRdYdK.exe | C:\Windows\System\xpRdYdK.exe |
| C:\Windows\System\zSxvTed.exe | C:\Windows\System\zSxvTed.exe |
| C:\Windows\System\MQjqkOs.exe | C:\Windows\System\MQjqkOs.exe |
| C:\Windows\System\xcXdOru.exe | C:\Windows\System\xcXdOru.exe |
| C:\Windows\System\vZjEVOI.exe | C:\Windows\System\vZjEVOI.exe |
| C:\Windows\System\MUMXQDL.exe | C:\Windows\System\MUMXQDL.exe |
| C:\Windows\System\fgmdRFy.exe | C:\Windows\System\fgmdRFy.exe |
| C:\Windows\System\xRsoahj.exe | C:\Windows\System\xRsoahj.exe |
| C:\Windows\System\jnTZKod.exe | C:\Windows\System\jnTZKod.exe |
| C:\Windows\System\UUjPKoq.exe | C:\Windows\System\UUjPKoq.exe |
| C:\Windows\System\MisVPUk.exe | C:\Windows\System\MisVPUk.exe |
| C:\Windows\System\zwoNMyD.exe | C:\Windows\System\zwoNMyD.exe |
| C:\Windows\System\gIZplgE.exe | C:\Windows\System\gIZplgE.exe |
| C:\Windows\System\MGCXSra.exe | C:\Windows\System\MGCXSra.exe |
| C:\Windows\System\QfmKXTe.exe | C:\Windows\System\QfmKXTe.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
(6 TCP connections to this destination; no domain associated with any of them)
Files
memory/1936-0-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/1936-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\WrTyYPh.exe
| MD5 | 4a311c089a5ac2560ca324c6a13ccb57 |
| SHA1 | 76b8ca83d0b1c584bac3e3d0e15c9e32bff328ce |
| SHA256 | c509d87d244cf377d7ffcbf372875e8ff5bf68a362fe76ede4becdc8e6080a1c |
| SHA512 | f0a18e522c76f882f5e20569ed380d8b6c49d17f7bd0a422eb5d0a90170eeaa3c7f7d68b2ac5ea33a374b3440b52679046928d90b949cc78fb9b63d34069fa41 |
memory/2708-16-0x000000013F2E0000-0x000000013F634000-memory.dmp
C:\Windows\system\kLVMqlC.exe
| MD5 | 3f50af427bbf5a19deeb58de53be5df3 |
| SHA1 | 66a412e78d08f5f828e79201e68b37fdd0e930f5 |
| SHA256 | 04e5e5905eb4308a6c03059502adec481a0f30117ae5d518cadcef1aa609b695 |
| SHA512 | db75c69b984cdb4d5a60f092e2d1a147c23d7ccf600a29ede5e4b836b95054142a512b2ad9b587009a73cd61c8ba6936504f635b285df0db1923af825db151f0 |
\Windows\system\HpAZDdo.exe
| MD5 | 8b90137e05a7cd165160852360c4f894 |
| SHA1 | 3f2bf5e00de3ee5faab7390b6ca87eb3e713e911 |
| SHA256 | 812743b4b8aba1208c0a7cfe821d0b88222faf37d78ad701a8fa559564838232 |
| SHA512 | 5d95f2af53b6bd2672e48988fb5cd8b7fb901a758a6febd8e5c979dfb389abc42bf6e3cec8076525f14361e75d44b5f48876667bd0be2e28d742e56a1e727609 |
C:\Windows\system\PLmCBDN.exe
| MD5 | 230c489f048e37b00d42cc5142411cdf |
| SHA1 | 99dfe239b0960ef229e9e5aa8972a8d8032ce297 |
| SHA256 | 958931a659c320681a1277e64fdec493557c1f7652a66bdabda5b35c169fb4ca |
| SHA512 | ab226487c05765b7ec6e8876b7a631978744e3c03754b96a68a4b8158d872c9e74f0a62871ca0c63a92943d652cd2ae8b46ff41095fb825139ced228effd46c1 |
C:\Windows\system\pjiHoVg.exe
| MD5 | 92195936e5c18ed8a011dc9c964f6586 |
| SHA1 | dd58151bd9656267f513bb1ef12a003fb247c436 |
| SHA256 | 52fc20a7b10e6b63618a2d75df4e4aeaeee5c9b6b12c9affbd165a14d9b59b4f |
| SHA512 | 0dd193d11612c6f231830319408b19c34b22d9fd5a1b2d59ef675d0cb63e1da7016dc6455c603abd3cdee76712dbbc5deba8dc170e24077e0460589014e7699e |
memory/1936-8-0x0000000002390000-0x00000000026E4000-memory.dmp
\Windows\system\MUMXQDL.exe
| MD5 | 9ccc82321f219b1f9e0c1c0f21af84ca |
| SHA1 | 0319bdd0a129cb773707e74b4c99e2d356dbb876 |
| SHA256 | dd9e3dfc560ba4c9a15202c71726491c73e3c32b9e1b7ef794e84515cddfccdd |
| SHA512 | 4ce397452abf29edcb4b11515edb04453b1f22958ec0f22bf2abb3edf0b68892501c394fdb37376f904ec8d1e54a4428164a6bb29644a5820275ec97fe217f09 |
memory/2532-96-0x000000013F8D0000-0x000000013FC24000-memory.dmp
C:\Windows\system\QfmKXTe.exe
| MD5 | 5285f2d6b2a0835c4923de5502c2bd3b |
| SHA1 | cb068444c72c4d7c8cf215df49ea727806caf010 |
| SHA256 | 7f26b166fe681b2012706285a8e9408edea9c2018f071390ca708de050d3510f |
| SHA512 | 2b2925fdf44a7950f6a21565f6c3a143ae189e589212ec0bafa055b972be043e4b6cfc5250f2332b657226f6e4acc5d828db7db14c3f41ab0509f0d8595d4ea6 |
C:\Windows\system\MGCXSra.exe
| MD5 | a6df8841b0a382c40c27797f5a109132 |
| SHA1 | 52256ea7bddcc4d9d31fbb31581589756cdb74d1 |
| SHA256 | 4bef775c16ba1c709a53e83158b05f81a39a9f192050e69602007aecc8172b0d |
| SHA512 | e51f1284a067dc6330accb28756baa6203446207cba8f81253534880eb96640a7caad4bd3fb571b3f894e5a0014ada2631fe70211bd42a3f31c09cb95a865a50 |
C:\Windows\system\gIZplgE.exe
| MD5 | 6b31ee19909eb886c6294725677e2c74 |
| SHA1 | e157f27d9b78a618f6e90ad9af41de7942a0fbd4 |
| SHA256 | 49b27036e5c85f06d6c1dd6281eef822d78eefc44ad2f78dfec2746e7851fd2c |
| SHA512 | 188788405078f73a95fe059c7856b269b34ea80e393738d004b430fdd265f165b9cb22e46e1df0339a4f540ee5fd410daa529d82ad5649a1e24a4bce31c31314 |
C:\Windows\system\zwoNMyD.exe
| MD5 | 8e00a6ffb00e95d53ec1e2e9f4ffb2ae |
| SHA1 | d8ec97437cd69c5522c69c09abc183ae4c43cbf5 |
| SHA256 | 3e643ff73634fada9c34a60685192f818fa2266c55187ea4f9e4628f7e150431 |
| SHA512 | 780f5166ac1893f51763d362b7aa6a6f2b2d95daa1d040ada8f473cb5e9777ec702ac565195c2d8448fb92f6c7de35172fa697d523b3e80e799da328ef957866 |
C:\Windows\system\MisVPUk.exe
| MD5 | 3cd8e81130935ce69afa288e41c345c6 |
| SHA1 | b5ad5e7938a2afbd531d672e6fd78a7b07d666dc |
| SHA256 | 0ad78996a376d8ed2764b19ff86b025374cf4453bf2ad0106b8a79d5dc408b9a |
| SHA512 | 57e7ed3182bc3adfd723dd9a28506fadf24cad3278b2e3ae682e2e076cbeac79fbe3f1a279be731001c2b3537ba9a99b9b7117020111feb9332cc965428f18b1 |
C:\Windows\system\UUjPKoq.exe
| MD5 | 19c5cc28c2fb195d38f5f6a1309ee37c |
| SHA1 | a0f8ea9b308e9273f43500ab8a4f4b6f45c84d9e |
| SHA256 | c1cf712deb03d650350a88c78c61caf6dfafb4b0c49ff1f0118eb07a62ebfaa4 |
| SHA512 | 3f48109ef5da2656ab370a726562098ccb1b863c13e62b2400fda4bb5ee22611d6353a304778a77985e931030af6466920caff396e9b02d057c0374dd2ff6551 |
memory/1936-106-0x000000013FE10000-0x0000000140164000-memory.dmp
C:\Windows\system\jnTZKod.exe
| MD5 | 2e9f0920caa65366510b4c80a038e38c |
| SHA1 | 384347f0195ca774d6a9e2c7fd3b82856bc2b662 |
| SHA256 | b61ae8454263954d7bbf7a92247e00252d0eca0eb695fd83854a2aef6baeec3a |
| SHA512 | bacc034ad868737b193cf73601574418fd47780c13ec9a44b63583419ae549aae8ed54f8d4dcbf0db03a46544cd2a5d5e080f2b40f950b7cbcb21032160d8f32 |
memory/1248-99-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2376-98-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/1936-97-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2528-95-0x000000013F6B0000-0x000000013FA04000-memory.dmp
C:\Windows\system\xRsoahj.exe
| MD5 | 286adc7cfe97e97aa996c5e770284ed2 |
| SHA1 | 06345fcb263c3a1f998301d67b952eaafe9b659d |
| SHA256 | e0e93e9f588fb10f7629da757c36320a5d24a48ec158d425282f76283418f9e5 |
| SHA512 | a8e23e1b420b1bb62c21587b15b5cf1405a7833196337bc11394f97e698701a405547599356c42d6470b27966071e1991fa6801321e0b4ca38ce226126945d96 |
\Windows\system\xcXdOru.exe
| MD5 | f58aaea1323de22e1aadd1421ec6cb08 |
| SHA1 | aedc75cd5a4c425342a7534d44b1ffe576101672 |
| SHA256 | f34b57410ce8902e60f90907c4a9612fe90d135dda748e9fa4f5026c8f4d4d0f |
| SHA512 | b864df1a6d698e4738ae903f01bd18efc031490b0b740c50b54a35bfc2da0028ca79a20de8208b436a51df3a813f63e5deff16ff7620d64556dc99aba9862dea |
memory/1936-39-0x000000013FB50000-0x000000013FEA4000-memory.dmp
\Windows\system\zSxvTed.exe
| MD5 | 593a26b77f1bae911d419b798719144e |
| SHA1 | de37a11b39a84400ac0875e19014109322861950 |
| SHA256 | 0a1fa42f1f8991d40443f6c1106a6efd86d0b7591fc8c67cc082f3701ed6ccea |
| SHA512 | 1ae264708bdaa2572d378037b3b9cdce26671db449552e3e8586f10fde58e751dbd2a3e8010e19faca3bccd1dd88cd491eb7772286ce340b85bfc7f10371562c |
memory/2636-84-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/1936-83-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/1936-82-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/1936-81-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/1936-80-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/2580-79-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2508-78-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/1936-77-0x000000013FA60000-0x000000013FDB4000-memory.dmp
memory/2428-76-0x000000013F440000-0x000000013F794000-memory.dmp
memory/2416-75-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2552-74-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2548-73-0x000000013F440000-0x000000013F794000-memory.dmp
memory/1936-72-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/1936-71-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/1936-64-0x0000000002390000-0x00000000026E4000-memory.dmp
C:\Windows\system\fgmdRFy.exe
| MD5 | dc2ec1367e3e0a28166f8ea648e3c2ab |
| SHA1 | e213250491c94e521c54eae5e22a13c2cc8d4ffb |
| SHA256 | 885fa01736ec6e7c8ce33590aa4792c6342c3b214cb08f9f96164c9eb2721374 |
| SHA512 | b4aedf12eb6cbecfdbedfaf48743211728c14805b79616331c50358756030122d104de3d410306857c67dec126f243b635c8a4b6f551d232bb4de1611e29c96c |
C:\Windows\system\vZjEVOI.exe
| MD5 | 7c88392fedc9e62158ef533897c3da79 |
| SHA1 | 5113a3079bd34baf0c7c74490cba66048c6b9739 |
| SHA256 | 13b97fa7402e10d75de9981f9ff0343b80210428455c234b2e21e0ba228fcd69 |
| SHA512 | f313bc87e4deffe1afaa8118a32729f3a4c64a9d866c878275db8e025741f39242985fa35d0dfb1240ce6a514c9eb11c424c30258fecf5806b6e9da9276628a0 |
C:\Windows\system\MQjqkOs.exe
| MD5 | ee3a7d932ea84f4ee65fb4c55699e05f |
| SHA1 | 400ff4db4e6c38cc08d85921b1b6a0f71bb14443 |
| SHA256 | 91f7a7c4a408ac937106a3713cbcda66d026bbb12606b47f36f92bf62ca43a35 |
| SHA512 | 69a5f978b3f11dee2f43c8d932bc0ccb73112df78abc3a79ef84713091dde6ffa170dc6a5bb65a662d2dab1046a1d5e1796017efb82c99f8121af55895888b4f |
C:\Windows\system\xpRdYdK.exe
| MD5 | 37653264959983231dba393fce002506 |
| SHA1 | 3694bc65daef043c6efc1ff61a44473fda84c04b |
| SHA256 | c220768795ae650a704e3a42716754db91af4e3599f284acab9bcf7210cd6ca2 |
| SHA512 | 1b05edcb7ad0ac620f13095134273eae08be950b06afe60cc8b5666cb76d134a83c64bad26cfb574877b5a8bde447f3e9196ae11d627ebc7fe3b91b8f2d1ae5a |
C:\Windows\system\HUMexTU.exe
| MD5 | 5c10ffc706214d10dca5ee4f7e75b1a6 |
| SHA1 | f3626f27b0f69d2ca50c6709c8d865acd160a9db |
| SHA256 | 7ed42346e399e2b7bd5c10cc94cd428d11471547cf3be9b7061d895719c3969a |
| SHA512 | 5ed9b3313a8464f0eea069bd074d1eaaade47470a39d73795426ef76e121c8d1ae68d1273be0a0c78d17f680d417ec876a3c2628185d1a229995e49b452f4676 |
memory/2496-58-0x000000013F430000-0x000000013F784000-memory.dmp
memory/1936-51-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/1936-44-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/1936-34-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2936-25-0x000000013FA60000-0x000000013FDB4000-memory.dmp
memory/1936-136-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2936-137-0x000000013FA60000-0x000000013FDB4000-memory.dmp
memory/1936-138-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/2528-139-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/2708-140-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/2936-141-0x000000013FA60000-0x000000013FDB4000-memory.dmp
memory/2580-142-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/2496-143-0x000000013F430000-0x000000013F784000-memory.dmp
memory/2508-144-0x000000013F590000-0x000000013F8E4000-memory.dmp
memory/2416-149-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2428-148-0x000000013F440000-0x000000013F794000-memory.dmp
memory/2552-147-0x000000013F450000-0x000000013F7A4000-memory.dmp
memory/2636-146-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2548-145-0x000000013F440000-0x000000013F794000-memory.dmp
memory/2532-150-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/1248-151-0x000000013FA20000-0x000000013FD74000-memory.dmp
memory/2376-152-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2528-153-0x000000013F6B0000-0x000000013FA04000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 16:48
Reported
2024-06-08 16:50
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
152s
Signatures
Cobalt Strike reflective loader (21 hits; per-hit description, indicator, process and target not captured)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts (21 hits; per-hit details not captured)
UPX dump on OEP (original entry point) (64 hits; per-hit details not captured)
XMRig Miner payload (64 hits; per-hit details not captured)
Executes dropped EXE
| Process |
| C:\Windows\System\gokoUrK.exe |
| C:\Windows\System\rsOHvPz.exe |
| C:\Windows\System\AQtOuRx.exe |
| C:\Windows\System\SSPsBQT.exe |
| C:\Windows\System\MNvPJIM.exe |
| C:\Windows\System\evZRzAy.exe |
| C:\Windows\System\SgIZAqe.exe |
| C:\Windows\System\DvFrSsx.exe |
| C:\Windows\System\LNSrlYq.exe |
| C:\Windows\System\xMPLiDd.exe |
| C:\Windows\System\SQbLqjt.exe |
| C:\Windows\System\MnznQuS.exe |
| C:\Windows\System\qxqMhdQ.exe |
| C:\Windows\System\epRdAOq.exe |
| C:\Windows\System\XXSKMYQ.exe |
| C:\Windows\System\DDsboiq.exe |
| C:\Windows\System\KkSelga.exe |
| C:\Windows\System\ztVUtNU.exe |
| C:\Windows\System\wxZbQkL.exe |
| C:\Windows\System\FTAJzgh.exe |
| C:\Windows\System\zMBTmAk.exe |
UPX packed file (64 hits; per-hit details not captured)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Token | Process |
| SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe |
| SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-08_12408368b56de052fc02dafe48becfa0_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\gokoUrK.exe | C:\Windows\System\gokoUrK.exe |
| C:\Windows\System\rsOHvPz.exe | C:\Windows\System\rsOHvPz.exe |
| C:\Windows\System\AQtOuRx.exe | C:\Windows\System\AQtOuRx.exe |
| C:\Windows\System\SSPsBQT.exe | C:\Windows\System\SSPsBQT.exe |
| C:\Windows\System\MNvPJIM.exe | C:\Windows\System\MNvPJIM.exe |
| C:\Windows\System\evZRzAy.exe | C:\Windows\System\evZRzAy.exe |
| C:\Windows\System\SgIZAqe.exe | C:\Windows\System\SgIZAqe.exe |
| C:\Windows\System\DvFrSsx.exe | C:\Windows\System\DvFrSsx.exe |
| C:\Windows\System\LNSrlYq.exe | C:\Windows\System\LNSrlYq.exe |
| C:\Windows\System\xMPLiDd.exe | C:\Windows\System\xMPLiDd.exe |
| C:\Windows\System\SQbLqjt.exe | C:\Windows\System\SQbLqjt.exe |
| C:\Windows\System\MnznQuS.exe | C:\Windows\System\MnznQuS.exe |
| C:\Windows\System\qxqMhdQ.exe | C:\Windows\System\qxqMhdQ.exe |
| C:\Windows\System\epRdAOq.exe | C:\Windows\System\epRdAOq.exe |
| C:\Windows\System\XXSKMYQ.exe | C:\Windows\System\XXSKMYQ.exe |
| C:\Windows\System\DDsboiq.exe | C:\Windows\System\DDsboiq.exe |
| C:\Windows\System\KkSelga.exe | C:\Windows\System\KkSelga.exe |
| C:\Windows\System\ztVUtNU.exe | C:\Windows\System\ztVUtNU.exe |
| C:\Windows\System\wxZbQkL.exe | C:\Windows\System\wxZbQkL.exe |
| C:\Windows\System\FTAJzgh.exe | C:\Windows\System\FTAJzgh.exe |
| C:\Windows\System\zMBTmAk.exe | C:\Windows\System\zMBTmAk.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 85.65.42.20.in-addr.arpa | udp |
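The signals this report records translate directly into host and network checks: the dropped payloads are seven-letter randomly named executables written to and launched from C:\Windows\System, the sample enables SeLockMemoryPrivilege (which XMRig requests so it can allocate large pages, consistent with the XMRig Miner payload signature), and both detonations open TCP connections to 3.120.209.58:8080. The script below is an added example and is not part of the sandbox report or of any tool named in it; it takes those indicators from the report and applies them to file hashes on disk and to a handful of constructed process, file, network and privilege events. The event field names follow Sysmon event IDs 1, 3 and 11 and Windows Security event 4703, the process ids and the event records are constructed, and only three of the dropped-file SHA256 values from the report are included. The PTR lookups in the behavioral2 network table are reverse DNS queries and are not treated as indicators.

```python
"""IOC checks derived from this sandbox report (added example, not part of the report).

The indicator values are copied from the report; the event records and the helper
functions are constructed here to show how those indicators would be applied.
"""
import hashlib
import re
from pathlib import Path

# SHA256 of the submitted sample and of three of the dropped executables
# (report values; extend the set with the rest of the Files section).
SAMPLE_SHA256 = "a6b2bec4ef3cb07d405fd89a87e27ee8ff3fa3210959fe7f4d44b727bf072156"
DROPPED_SHA256 = {
    "c509d87d244cf377d7ffcbf372875e8ff5bf68a362fe76ede4becdc8e6080a1c",  # WrTyYPh.exe
    "04e5e5905eb4308a6c03059502adec481a0f30117ae5d518cadcef1aa609b695",  # kLVMqlC.exe
    "de969c809bd5604176f0d6065f0c7ed9a4447c515ed86d9623d67cad44052a61",  # gokoUrK.exe
}
# TCP destination seen in both detonations.
NETWORK_IOCS = {("3.120.209.58", 8080)}
# Dropped payloads are seven random letters under C:\Windows\System.
DROP_PATTERN = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)
# XMRig enables SeLockMemoryPrivilege to allocate large pages; the report
# records the sample enabling it twice.
MINER_PRIVILEGE = "SeLockMemoryPrivilege"


def sha256_of(path):
    """Hex SHA256 of a file, read in 1 MiB chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_known_hashes(root, wanted=None):
    """Paths under root whose SHA256 is in wanted (default: sample + dropped files)."""
    wanted = wanted if wanted is not None else DROPPED_SHA256 | {SAMPLE_SHA256}
    return sorted(str(p) for p in Path(root).rglob("*")
                  if p.is_file() and sha256_of(p) in wanted)


def match_event(ev):
    """Signals raised by one event. Field names follow Sysmon (IDs 1, 3, 11) and the
    Windows Security log (4703, a token right was adjusted); the log source is an
    assumption of this example, not something the report states."""
    hits = []
    eid = ev.get("EventID")
    if eid == 11 and DROP_PATTERN.match(ev.get("TargetFilename", "")):
        hits.append("dropped_exe_written")
    if eid == 1 and DROP_PATTERN.match(ev.get("Image", "")):
        hits.append("dropped_exe_executed")
    if eid == 3 and (ev.get("DestinationIp"), ev.get("DestinationPort")) in NETWORK_IOCS:
        hits.append("network_ioc")
    if eid == 4703 and MINER_PRIVILEGE in ev.get("EnabledPrivilegeList", ""):
        hits.append("lock_memory_privilege")
    return hits


def summarise(events):
    """Map process id -> sorted list of distinct signals seen for that process."""
    by_pid = {}
    for ev in events:
        for hit in match_event(ev):
            by_pid.setdefault(ev.get("ProcessId"), set()).add(hit)
    return {pid: sorted(hits) for pid, hits in by_pid.items()}


def high_confidence(summary):
    """Processes with two or more independent signals."""
    return {pid: hits for pid, hits in summary.items() if len(hits) >= 2}


# Constructed events modelled on the behavioral1 run (pid 1936 is the sample
# process in the report's memory dumps; everything else here is illustrative).
SAMPLE_EVENTS = [
    {"EventID": 11, "ProcessId": 1936, "TargetFilename": r"C:\Windows\System\WrTyYPh.exe"},
    {"EventID": 1, "ProcessId": 2936, "ParentProcessId": 1936,
     "Image": r"C:\Windows\System\WrTyYPh.exe"},
    {"EventID": 4703, "ProcessId": 1936, "EnabledPrivilegeList": "SeLockMemoryPrivilege"},
    {"EventID": 3, "ProcessId": 1936, "DestinationIp": "3.120.209.58", "DestinationPort": 8080},
    {"EventID": 1, "ProcessId": 4100, "Image": r"C:\Windows\System32\svchost.exe"},
    {"EventID": 3, "ProcessId": 4100, "DestinationIp": "8.8.8.8", "DestinationPort": 53},
]

if __name__ == "__main__":
    summary = summarise(SAMPLE_EVENTS)
    for pid, hits in summary.items():
        print(pid, ", ".join(hits))
    print("high confidence:", high_confidence(summary))
```

Run it directly to see the constructed events summarised per process, or point find_known_hashes at a directory to sweep it for the sample and dropped-file hashes. Two independent signals on one process (a dropped-path write plus the SeLockMemoryPrivilege adjustment, for instance) is the threshold used by high_confidence; a single random-named executable under C:\Windows\System is still worth a look on its own, and the hash set should be extended with the remaining SHA256 values from the Files sections before use.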
Files
memory/2412-0-0x00007FF636C70000-0x00007FF636FC4000-memory.dmp
memory/2412-1-0x000002ABF8580000-0x000002ABF8590000-memory.dmp
C:\Windows\System\gokoUrK.exe
C:\Windows\System\rsOHvPz.exe
C:\Windows\System\AQtOuRx.exe
C:\Windows\System\SSPsBQT.exe
C:\Windows\System\MNvPJIM.exe
C:\Windows\System\evZRzAy.exe
C:\Windows\System\SgIZAqe.exe
C:\Windows\System\DvFrSsx.exe
C:\Windows\System\LNSrlYq.exe
C:\Windows\System\xMPLiDd.exe
C:\Windows\System\SQbLqjt.exe
C:\Windows\System\MnznQuS.exe
C:\Windows\System\qxqMhdQ.exe
C:\Windows\System\epRdAOq.exe
C:\Windows\System\XXSKMYQ.exe
C:\Windows\System\DDsboiq.exe
C:\Windows\System\ztVUtNU.exe
C:\Windows\System\FTAJzgh.exe
C:\Windows\System\zMBTmAk.exe
C:\Windows\System\wxZbQkL.exe
C:\Windows\System\KkSelga.exe