Analysis Overview
SHA256
8d086dd0efdd5882981c13ae122518b7b944b875dc662e04974586923ce544b7
Threat Level: Known bad
The file 2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
xmrig
XMRig Miner payload
Cobaltstrike family
Cobaltstrike
UPX dump on OEP (original entry point)
Xmrig family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 16:49
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 16:49
Reported
2024-06-08 16:51
Platform
win7-20240220-en
Max time kernel
137s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\UOrGxjK.exe | N/A |
| N/A | N/A | C:\Windows\System\marOvxA.exe | N/A |
| N/A | N/A | C:\Windows\System\VlriSPd.exe | N/A |
| N/A | N/A | C:\Windows\System\DNkvFjX.exe | N/A |
| N/A | N/A | C:\Windows\System\wBQchfB.exe | N/A |
| N/A | N/A | C:\Windows\System\wOKJjbn.exe | N/A |
| N/A | N/A | C:\Windows\System\OjAPjZw.exe | N/A |
| N/A | N/A | C:\Windows\System\fXAxcVs.exe | N/A |
| N/A | N/A | C:\Windows\System\csOLEXw.exe | N/A |
| N/A | N/A | C:\Windows\System\DgTIfnk.exe | N/A |
| N/A | N/A | C:\Windows\System\WrxdicW.exe | N/A |
| N/A | N/A | C:\Windows\System\xZLaruX.exe | N/A |
| N/A | N/A | C:\Windows\System\QORpaBt.exe | N/A |
| N/A | N/A | C:\Windows\System\VhoUodD.exe | N/A |
| N/A | N/A | C:\Windows\System\rHygUxe.exe | N/A |
| N/A | N/A | C:\Windows\System\ZBwNaBs.exe | N/A |
| N/A | N/A | C:\Windows\System\AWnEreT.exe | N/A |
| N/A | N/A | C:\Windows\System\jAjAEtJ.exe | N/A |
| N/A | N/A | C:\Windows\System\qWoGSDc.exe | N/A |
| N/A | N/A | C:\Windows\System\CgMxDXm.exe | N/A |
| N/A | N/A | C:\Windows\System\BFtSFvF.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\UOrGxjK.exe
C:\Windows\System\marOvxA.exe
C:\Windows\System\VlriSPd.exe
C:\Windows\System\DNkvFjX.exe
C:\Windows\System\wBQchfB.exe
C:\Windows\System\wOKJjbn.exe
C:\Windows\System\OjAPjZw.exe
C:\Windows\System\fXAxcVs.exe
C:\Windows\System\csOLEXw.exe
C:\Windows\System\DgTIfnk.exe
C:\Windows\System\WrxdicW.exe
C:\Windows\System\xZLaruX.exe
C:\Windows\System\QORpaBt.exe
C:\Windows\System\VhoUodD.exe
C:\Windows\System\rHygUxe.exe
C:\Windows\System\ZBwNaBs.exe
C:\Windows\System\jAjAEtJ.exe
C:\Windows\System\AWnEreT.exe
C:\Windows\System\CgMxDXm.exe
C:\Windows\System\qWoGSDc.exe
C:\Windows\System\BFtSFvF.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2908-0-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2908-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\UOrGxjK.exe
| MD5 | bb07f5b648c08b1570536023ac66b2c5 |
| SHA1 | bb7201eb73e020a9e2d26bb2a55d631e22cbf135 |
| SHA256 | 57b0dd0ef3d8d055514c43339bcd78e2474f15f84fab041984c7121f5d68afb2 |
| SHA512 | ace20c5d7275897c2c67860eaf188c8bc42ef1bb15c23296f19b980caff77255821c143bd1bfed06bcc34f35f470448e08be3b98df32a5687d69a98427b61c0c |
\Windows\system\marOvxA.exe
| MD5 | 0082bd9d6cb71e667c65f3244e9b8e2b |
| SHA1 | 2f9a301a5829c4ea4b531ffe232bb44aedbe5d1e |
| SHA256 | ed332d8cc5548900d6fe88a06ceed2b66146082ff5b3cea47afc63f1b58aa620 |
| SHA512 | c8e1d62cc1ed42bab77b7a9859b1f04380b7fe943d33a6c72422a192b370a6597072c20c12ec70f298013cb3b159c6ca508713cf772344a247231383b958c4db |
memory/2908-6-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/2900-14-0x000000013F2E0000-0x000000013F634000-memory.dmp
C:\Windows\system\VlriSPd.exe
| MD5 | cff4c3af45ae45c83f9f53f305359d31 |
| SHA1 | 511e0530a8ef1007a63fe4bc025baf6ebb365ceb |
| SHA256 | f51e396022df19287a7ff7a323c6949dda0b0c2027251893f2c990c4a9b610f0 |
| SHA512 | d882786bf8adea93622ffc15bdc03bcda2d9296ad2093e39eb284cfd9b22df0a49b7db9b36284df58315b783d91b37f6dfef949c4759746913038c12dccb4a8d |
memory/2540-21-0x000000013F890000-0x000000013FBE4000-memory.dmp
memory/2908-19-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/3024-18-0x000000013F940000-0x000000013FC94000-memory.dmp
C:\Windows\system\DNkvFjX.exe
| MD5 | 0ae0c8af50d66e9f5172006e1b3272e5 |
| SHA1 | c08de10e6c3421501eb4f926f9acdaf4d4489a52 |
| SHA256 | ac8173bae01792c4a44100caf8f9631402cab636d5d3f6b6916ff3d558e3678e |
| SHA512 | 73dd18f3a325e0182100765019be31e5e4afc14eebd90003b5568dc1d17c339f92923873693cfb50f129cf309b771adebe2df9024efd3300ac08a204e7b992ec |
memory/2908-32-0x000000013F270000-0x000000013F5C4000-memory.dmp
C:\Windows\system\OjAPjZw.exe
| MD5 | 279a100d1450a0b8367a19ff7beed97e |
| SHA1 | 7510bb65bf13398195de8647ba5b9d06fb639383 |
| SHA256 | 9d7c3ee73d7f772e44aba95a2a1ce3f84ae0c1cb03c86d2b1bd0ba0f91f89c15 |
| SHA512 | cfdc0c9bc759c381f3838dee111d8bf45b08af842f804e525dba0e6520a8bfe46f1eb7ae36ff832e2df3062e522118797c9236e53eb195b0a0d1517315c550c4 |
memory/2908-46-0x0000000002390000-0x00000000026E4000-memory.dmp
memory/2712-37-0x000000013F270000-0x000000013F5C4000-memory.dmp
\Windows\system\wOKJjbn.exe
| MD5 | ec39c1ee7128cd40217664b6775ed549 |
| SHA1 | f554cffc4427207d2b9fa4c6bdbe8d537bf7a7c7 |
| SHA256 | aa1ed8fa91dab62db9545dc9cd6a59c8d707664c4a28ca467cf96b92cda16fa2 |
| SHA512 | 3fc179f6839a582198114e19bf5ef82ae3df01daa104afebe22ef40ec50d54ccf1a736ea8af026114da38b0a14184ad63969d93c50cb997e5a361917b997607e |
memory/2432-49-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2908-48-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2724-47-0x000000013FAB0000-0x000000013FE04000-memory.dmp
memory/2524-39-0x000000013FAD0000-0x000000013FE24000-memory.dmp
C:\Windows\system\wBQchfB.exe
| MD5 | e264c947e55ff374c2d94d0990ba12c2 |
| SHA1 | 5e4ba7579051283a8b8d00e0f03baf4da4e892df |
| SHA256 | 8bb5707954630c30aeef0ab59510ec1b31ef98f1b57e345e7200c3f5a7f41f1f |
| SHA512 | 018b0446ae16729d70c301476fe75e49aaae894539492ec8cd19a00878554c5402027e876721170c909b28fdc367fa2582498e0c4dba41206bc9e7893c33552b |
C:\Windows\system\fXAxcVs.exe
| MD5 | eec6708159c91b2e2cdfd8af4327d0e3 |
| SHA1 | eb56c9f8f6a71e480aa55d2a22fd01dbc10c4f2b |
| SHA256 | 980d91e391f82d803194e39442ec76f066f2b38f5ba528638b2712fb4c29552b |
| SHA512 | 56d5f91e7826b8a68017abbd59c317d4105aeff439c24df2f1ce0e72962cf2a640463d2148aceb12812b5e853e2bd7280dcd4ea4782631dc04087488917c7c82 |
memory/2908-54-0x000000013FD20000-0x0000000140074000-memory.dmp
memory/2504-56-0x000000013FD20000-0x0000000140074000-memory.dmp
C:\Windows\system\csOLEXw.exe
| MD5 | 5842c20e061a5e685c815861832a0326 |
| SHA1 | 42cae1d5c22e0851767522b1da1ea0dfff39abfd |
| SHA256 | 6ae20fefb9ad869c22def329c42b5863e1cb29663275c5fccbd8d944401babf0 |
| SHA512 | b772279ddebb84d988ce6108e2b637a2fd8b8070758ebc2c44f73deef99d6d04787b20d764439abb6607eabb783a9989cdfb02de6430debc93bb75f2b216233c |
memory/2720-63-0x000000013F060000-0x000000013F3B4000-memory.dmp
memory/2908-62-0x000000013F970000-0x000000013FCC4000-memory.dmp
memory/2908-69-0x0000000002390000-0x00000000026E4000-memory.dmp
C:\Windows\system\WrxdicW.exe
| MD5 | fd8de8b57bcab4730e7ba92292cc54a2 |
| SHA1 | 654d9b5b95506824da18af4940c65cb6a3d04788 |
| SHA256 | df0ad07a0d1771f87374c60701b25d68a3f67b01e5d32c7b3cf575cd55b7e7fd |
| SHA512 | 3831c5bedc70b0199c9dffd6ecc6b006e718044871667cd7945f90faf302665214048650bfcba9c11e738ad9227aae577f8b651022c6608a883a6ae96c78f103 |
memory/1556-70-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/2900-82-0x000000013F2E0000-0x000000013F634000-memory.dmp
C:\Windows\system\xZLaruX.exe
| MD5 | 61f5ec32e4b3613e38dc6866a72a868a |
| SHA1 | 2cdfe885cc54dafce4f9a983189badfd49841147 |
| SHA256 | 8404e7b094b79862a79e308bd01b1c89f62e9c999bc6bee507d04e3b6cd06261 |
| SHA512 | 182eef9651b4b09ece0a8a0a1e0e5139dfd9ce05447148a9251318d2d3a801e14bb4d560afc094b771da37059eb7700d1e63d63c32f9c4d498c5aa3f50924b66 |
memory/1356-78-0x000000013F750000-0x000000013FAA4000-memory.dmp
C:\Windows\system\DgTIfnk.exe
| MD5 | 9c53c405aa34504cdcfddc1a055f9959 |
| SHA1 | 22b3a49eec7c890c69ae2409336627b692e41c94 |
| SHA256 | c98b8933e8b7d58719af490a75d377905a0939a784113a54cc2601d604542f7f |
| SHA512 | eb339d7f4e8be45618ccf2e2e71e6c97ce77d209305080a986940a704593c0d0dc1fa2e2152658e557e4c206350a6f1cac40777dce6fa30c3408afbc1b512ae6 |
C:\Windows\system\QORpaBt.exe
| MD5 | cc20c06e3c2a5c0e7cd2a108c236ed91 |
| SHA1 | 2249fc698b14de5fd8798b0e5abb4b1d67ed8ec6 |
| SHA256 | 4e0c1809a77502ba51340e04e6487a34d81c2b1cb156e5c7f70c7eff547fc1b5 |
| SHA512 | eddffc63d0bebe9a0ab05bf4fd9ff108fdaaceed11f37fb3cdad99ea400db402811d53a8bbc9dc9388b6c8b66634f3d0a76ae28cbfaf189fb3800c0bfa73101c |
memory/2696-90-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2908-91-0x000000013F430000-0x000000013F784000-memory.dmp
memory/2596-89-0x000000013F430000-0x000000013F784000-memory.dmp
\Windows\system\VhoUodD.exe
| MD5 | b1add670de7722249346e3c8a51ca3b1 |
| SHA1 | 42a7fad4333b7faa01374b064c5b96ea4829dce9 |
| SHA256 | eb69d138ed2a125e83aa8ca6f4aec1b10c13f1056e9b0681ed9af6e4a0188418 |
| SHA512 | 235113825b8c384501559ad4b2c04e3dd3406e654c99313de1c107ec8fe54ea366c503da5fd1e34227c261fca3394149506289ce6aba84bd82a6ebab8d109697 |
memory/2908-88-0x000000013FEB0000-0x0000000140204000-memory.dmp
\Windows\system\ZBwNaBs.exe
| MD5 | 6c76e58780cc01d1077189d0582af726 |
| SHA1 | cdbe086380920cae49143661dc1ef53c22c0f512 |
| SHA256 | 2c4c8d1a37f989031b3fcbec7f1c62afa50b68cf5e7df16ff77c065d3523adff |
| SHA512 | a221e788f4ca102c09c519615507ed83978a8f36a629af6238367548c8eefa0b60ebefe251767e8d735c2666bdcd75416c1310bb1e1a4727e4d8a29079146b1a |
C:\Windows\system\AWnEreT.exe
| MD5 | 07ff2cc5ff859b409f1ebebf36adec21 |
| SHA1 | 9ef0c583b02a589524187df78d29ebd01592dd96 |
| SHA256 | 076fe92fb154422aac0d5155f39c389bb97fc76f28ed426b6f43e8962d3ea498 |
| SHA512 | e7fe1e4550843dd2446b298f32bed697acff4ee0464611094a3edd8a046f7832fe44076a4d0b3fbd6b72f9cd85c6e58f4b85f6b5163b308349471021eacc5780 |
C:\Windows\system\qWoGSDc.exe
| MD5 | 9a528b9b8e1a8e0e04c7b5af82ce92a4 |
| SHA1 | 9cbaa8eb5373f693e0774d678a6e275f2faaf12b |
| SHA256 | f8361cd8d5352f4fd8ea70ad947a71e51fe9aeb16452c6b46236c012e9f52ab0 |
| SHA512 | 1a98a383db625c3168f74141364609a98567fe991602d79261a83319598de6255caf4ce13e4298d95ef2746da968a7f1340f06a15b8661e3376439e83ff874b8 |
\Windows\system\BFtSFvF.exe
| MD5 | e70daa33f8214b5157f5261827bb3c93 |
| SHA1 | aca0274e16883e5157af026049dfd884baa325e5 |
| SHA256 | c46f327143cf92217811de61c588ef690a8d58fdb11b36fec49aa4afd56db6e8 |
| SHA512 | cc076040b3b8368759ff759fa6f2a6e5815b60129dd708cb196176b6ac552564aeece208d036d79c29849f7d04e82d4acaee7ff425484728533cb33419b035ef |
C:\Windows\system\jAjAEtJ.exe
| MD5 | 689e62f76653424755448915fa6e0e07 |
| SHA1 | 9f07f0ec8889b545cbf96753dbabad1b9f5b24c7 |
| SHA256 | 647265d99fa5665cbd9349ec926544732d9c1096e1e8b12d45c89b78bf927be7 |
| SHA512 | 53ebd4a438c6f5419c49e72184cf6385af36c761470245ae004fd3b0a39cf92a14aed220e75da64a20e1bca15d673387b5c10e02716cd89fca20c643df38cab6 |
\Windows\system\CgMxDXm.exe
| MD5 | 025e7c9c67cb066b0a1ca55078bfdddb |
| SHA1 | 32940229cea8efd5168bd2cf13da853e8a9fd4c4 |
| SHA256 | cc3be1f36df98aaec78b26fb08ab7d3d53921bf3e05a88cd7312f1a7cd55fd53 |
| SHA512 | 901ff59b98c5d012be3f82abd640f83bc2a1971c17e44b01042b5ad9d68587d963c16c8cb92d76c791b2182b359379645221731ef200c9b31b5c5a0f5eeacfa9 |
C:\Windows\system\rHygUxe.exe
| MD5 | 93c724daaa04db830326217e04d47c8b |
| SHA1 | 2aeff7be448213daccc748d6dabd17c9111e3b32 |
| SHA256 | deb3c513a7cac2f83c7d1d9835d696eac5cdbbfe35c4de72680820e74db5d56f |
| SHA512 | ac73ed528b5653fd7d836835393f6a65683a1c41e8ec5424a1b71f3d44513983b43d131eb48bdc93f8e5d6d88cde8c37f15d29e0b3cc9becebd879e72193e9d5 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 16:49
Reported
2024-06-08 16:51
Platform
win10v2004-20240426-en
Max time kernel
138s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\XzTlQCC.exe | N/A |
| N/A | N/A | C:\Windows\System\GJkWxgp.exe | N/A |
| N/A | N/A | C:\Windows\System\wdaNjag.exe | N/A |
| N/A | N/A | C:\Windows\System\lNOGaKI.exe | N/A |
| N/A | N/A | C:\Windows\System\NcNXCEw.exe | N/A |
| N/A | N/A | C:\Windows\System\yfpxxJz.exe | N/A |
| N/A | N/A | C:\Windows\System\YUxzbOF.exe | N/A |
| N/A | N/A | C:\Windows\System\yeltZfN.exe | N/A |
| N/A | N/A | C:\Windows\System\eUFikpq.exe | N/A |
| N/A | N/A | C:\Windows\System\XHkRgsN.exe | N/A |
| N/A | N/A | C:\Windows\System\tDduVPR.exe | N/A |
| N/A | N/A | C:\Windows\System\xzHQXcG.exe | N/A |
| N/A | N/A | C:\Windows\System\PWhBuOf.exe | N/A |
| N/A | N/A | C:\Windows\System\ymtyuIa.exe | N/A |
| N/A | N/A | C:\Windows\System\qniVQLO.exe | N/A |
| N/A | N/A | C:\Windows\System\iZkRikm.exe | N/A |
| N/A | N/A | C:\Windows\System\AIpjiOp.exe | N/A |
| N/A | N/A | C:\Windows\System\xTJEzvY.exe | N/A |
| N/A | N/A | C:\Windows\System\nFMKupL.exe | N/A |
| N/A | N/A | C:\Windows\System\GOWkOzh.exe | N/A |
| N/A | N/A | C:\Windows\System\NyBhMGW.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_133355696e30a3cc297fb56903755cd1_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\XzTlQCC.exe
C:\Windows\System\GJkWxgp.exe
C:\Windows\System\wdaNjag.exe
C:\Windows\System\lNOGaKI.exe
C:\Windows\System\NcNXCEw.exe
C:\Windows\System\yfpxxJz.exe
C:\Windows\System\YUxzbOF.exe
C:\Windows\System\yeltZfN.exe
C:\Windows\System\eUFikpq.exe
C:\Windows\System\XHkRgsN.exe
C:\Windows\System\tDduVPR.exe
C:\Windows\System\xzHQXcG.exe
C:\Windows\System\PWhBuOf.exe
C:\Windows\System\ymtyuIa.exe
C:\Windows\System\qniVQLO.exe
C:\Windows\System\iZkRikm.exe
C:\Windows\System\AIpjiOp.exe
C:\Windows\System\xTJEzvY.exe
C:\Windows\System\nFMKupL.exe
C:\Windows\System\GOWkOzh.exe
C:\Windows\System\NyBhMGW.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 98.58.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files