Analysis Overview
SHA256
72fcdebb5fa68790bca3e7b1b45d6de95c2a1c060b59f0f76d164dbd45d46dac
Threat Level: Known bad
The file 2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
Cobaltstrike family
Xmrig family
Cobalt Strike reflective loader
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobaltstrike
Detects Reflective DLL injection artifacts
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 19:24
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 19:24
Reported
2024-06-08 19:26
Platform
win7-20240215-en
Max time kernel
136s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| 21 hits; details not exported | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| 21 hits; details not exported | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| 53 hits; details not exported | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| 55 hits; details not exported | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\UtVDFgQ.exe | N/A |
| N/A | N/A | C:\Windows\System\GrMncTu.exe | N/A |
| N/A | N/A | C:\Windows\System\exhoPYr.exe | N/A |
| N/A | N/A | C:\Windows\System\mxUtNGp.exe | N/A |
| N/A | N/A | C:\Windows\System\bQMjejV.exe | N/A |
| N/A | N/A | C:\Windows\System\hmOPFMi.exe | N/A |
| N/A | N/A | C:\Windows\System\nHmCPFJ.exe | N/A |
| N/A | N/A | C:\Windows\System\VGwxAEp.exe | N/A |
| N/A | N/A | C:\Windows\System\WNNdAkh.exe | N/A |
| N/A | N/A | C:\Windows\System\SYtKmrx.exe | N/A |
| N/A | N/A | C:\Windows\System\AdVRsFZ.exe | N/A |
| N/A | N/A | C:\Windows\System\kvelMvi.exe | N/A |
| N/A | N/A | C:\Windows\System\PqBVGiR.exe | N/A |
| N/A | N/A | C:\Windows\System\UPDfpCH.exe | N/A |
| N/A | N/A | C:\Windows\System\bopoNbf.exe | N/A |
| N/A | N/A | C:\Windows\System\UmvhodP.exe | N/A |
| N/A | N/A | C:\Windows\System\ncnsrNo.exe | N/A |
| N/A | N/A | C:\Windows\System\GtILghu.exe | N/A |
| N/A | N/A | C:\Windows\System\uTOqQrb.exe | N/A |
| N/A | N/A | C:\Windows\System\rdzaPmK.exe | N/A |
| N/A | N/A | C:\Windows\System\asZUvdj.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| 53 hits; details not exported | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe | N/A |
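The two rows above show the parent sample, running from the user's Temp directory, enabling SeLockMemoryPrivilege ("Lock pages in memory"). XMRig requests that right so it can back its memory with large pages, which is why the rule fires here; the same right is legitimately enabled by database engines configured for large pages (SQL Server, for instance), so a detection has to weigh where the image runs from rather than alert on the privilege name alone. The following is an added example, not part of the sandbox report: a small evaluator over records shaped like Windows Security event 4703 ("A user right was adjusted"). The EVENTS list is constructed test data modelled on the rows above, and the trusted-directory list and image allowlist are this example's own assumptions.

```python
"""Detection for the AdjustPrivilegeToken rows above: a process enabling
SeLockMemoryPrivilege ("Lock pages in memory") from a user-writable path.

Added example; it is not part of the sandbox report. Records use the field
names of Windows Security event 4703 ("A user right was adjusted"). EVENTS is
constructed test data modelled on the rows above; the trusted-directory list
and the allowlist are this example's assumptions and need tuning per estate.
"""
import re

# Directories a standard user cannot write to; anything else is treated as
# user-writable (assumption: extend with your own deployment paths).
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\program files\\", "c:\\program files (x86)\\")
# Images that legitimately lock pages for large-page memory (assumption).
ALLOWLISTED_IMAGES = {"sqlservr.exe"}


def parse_privileges(field):
    """EnabledPrivilegeList is whitespace-separated in the event XML."""
    return {p for p in re.split(r"[\s,]+", field or "") if p and p != "-"}


def is_user_writable(image_path):
    return not image_path.lower().startswith(TRUSTED_DIRS)


def evaluate(event):
    """Return an alert dict for a suspicious 4703, else None."""
    if event.get("EventID") != 4703:
        return None
    if "SeLockMemoryPrivilege" not in parse_privileges(event.get("EnabledPrivilegeList")):
        return None
    image = event.get("ProcessName", "")
    name = image.rsplit("\\", 1)[-1].lower()
    writable = is_user_writable(image)
    if name in ALLOWLISTED_IMAGES and not writable:
        return None  # expected large-page user running from a trusted path
    return {
        "severity": "high" if writable else "medium",
        "process": image,
        "user": event.get("SubjectUserName"),
        "note": "SeLockMemoryPrivilege enabled" + (" from user-writable path" if writable else ""),
    }


def run(events):
    return [alert for alert in map(evaluate, events) if alert]


# Constructed events. The first mirrors the report: the sample in the user's
# Temp directory enabling SeLockMemoryPrivilege.
EVENTS = [
    {"EventID": 4703, "SubjectUserName": "Admin",
     "ProcessName": "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
                    "2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "SubjectUserName": "svc_sql",
     "ProcessName": "C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\sqlservr.exe",
     "EnabledPrivilegeList": "SeLockMemoryPrivilege", "DisabledPrivilegeList": "-"},
    {"EventID": 4703, "SubjectUserName": "Admin",
     "ProcessName": "C:\\Windows\\System32\\svchost.exe",
     "EnabledPrivilegeList": "SeDebugPrivilege\n\t\t\tSeLockMemoryPrivilege",
     "DisabledPrivilegeList": "-"},
    {"EventID": 4688, "SubjectUserName": "Admin",
     "ProcessName": "C:\\Windows\\System32\\cmd.exe"},
]

if __name__ == "__main__":
    for alert in run(EVENTS):
        print(alert)
```

Run as-is it prints two alerts: a high-severity one for the sample in Temp and a medium one for a trusted-path image that is not on the allowlist; the SQL Server event and the non-4703 event are dropped. Event 4703 is only emitted when "Audit Token Right Adjusted" is enabled in the advanced audit policy, so confirm that before relying on this signal.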
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\UtVDFgQ.exe | C:\Windows\System\UtVDFgQ.exe |
| C:\Windows\System\GrMncTu.exe | C:\Windows\System\GrMncTu.exe |
| C:\Windows\System\exhoPYr.exe | C:\Windows\System\exhoPYr.exe |
| C:\Windows\System\mxUtNGp.exe | C:\Windows\System\mxUtNGp.exe |
| C:\Windows\System\bQMjejV.exe | C:\Windows\System\bQMjejV.exe |
| C:\Windows\System\hmOPFMi.exe | C:\Windows\System\hmOPFMi.exe |
| C:\Windows\System\nHmCPFJ.exe | C:\Windows\System\nHmCPFJ.exe |
| C:\Windows\System\VGwxAEp.exe | C:\Windows\System\VGwxAEp.exe |
| C:\Windows\System\WNNdAkh.exe | C:\Windows\System\WNNdAkh.exe |
| C:\Windows\System\SYtKmrx.exe | C:\Windows\System\SYtKmrx.exe |
| C:\Windows\System\AdVRsFZ.exe | C:\Windows\System\AdVRsFZ.exe |
| C:\Windows\System\kvelMvi.exe | C:\Windows\System\kvelMvi.exe |
| C:\Windows\System\PqBVGiR.exe | C:\Windows\System\PqBVGiR.exe |
| C:\Windows\System\UPDfpCH.exe | C:\Windows\System\UPDfpCH.exe |
| C:\Windows\System\UmvhodP.exe | C:\Windows\System\UmvhodP.exe |
| C:\Windows\System\bopoNbf.exe | C:\Windows\System\bopoNbf.exe |
| C:\Windows\System\ncnsrNo.exe | C:\Windows\System\ncnsrNo.exe |
| C:\Windows\System\GtILghu.exe | C:\Windows\System\GtILghu.exe |
| C:\Windows\System\uTOqQrb.exe | C:\Windows\System\uTOqQrb.exe |
| C:\Windows\System\rdzaPmK.exe | C:\Windows\System\rdzaPmK.exe |
| C:\Windows\System\asZUvdj.exe | C:\Windows\System\asZUvdj.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp (6 connections) |
Files
memory/2108-0-0x000000013F980000-0x000000013FCD4000-memory.dmp
memory/2108-1-0x00000000000F0000-0x0000000000100000-memory.dmp
C:\Windows\system\UtVDFgQ.exe
| MD5 | ad61650fc0e0b15197c1c2bed9ca7e6b |
| SHA1 | 769cd06187695d76c648dc9a8a2d877b5459f6d9 |
| SHA256 | cb634cf808cae68a32c764ec2476b70008e98800ec1d5e4e723c4fbcfa4d1abf |
| SHA512 | f9ce76619e9d4d4825a9ba19e6aba9575a020545d341c10b69cb9b11f7f36101d1d2923d1124a0555f77c1e71c01ebb6820bb2e1d63ac2e61647185907d4ab0f |
memory/2108-8-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
C:\Windows\system\GrMncTu.exe
| MD5 | a251e619a6c412b70d9aa67224c9d3e6 |
| SHA1 | 5f5b76dd39fdd5a02841bb0cf0ca52769566f865 |
| SHA256 | 73cc348a2cad1baba6b19229d8376366e41261003b62c522ddd8bc33dee1b78e |
| SHA512 | b77512ceb8b4d63b2327c9e4a77b59a6b0ce17f7a761757192b5de3caee9ff6afcd88ebb39eeb9838935a5feca1a2640b5098775f20b9e1f1c71edf60c39496c |
memory/2108-15-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/2024-16-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/2632-12-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
C:\Windows\system\exhoPYr.exe
| MD5 | 719b80bb272cf78ea0dda1fb41fb47e6 |
| SHA1 | f13516b45c51e414508421a7110441eee9e898b3 |
| SHA256 | a181d11c4cbb065a85f5d6b33674ff5414827b46dfdbee58f9efc0b07ed89d67 |
| SHA512 | 131ef20579e0f3a542341424fa748ec3d7e60b71da7e4874736e0721a7a90f4c292fb31623a1087cfd4300b86a4ab022de54f919fa8080aff0f82cb24aae5ff2 |
memory/1256-22-0x000000013FB20000-0x000000013FE74000-memory.dmp
C:\Windows\system\mxUtNGp.exe
| MD5 | 6cd7450660dac660df23a2242f591d16 |
| SHA1 | 368e8d1e901b41cd679b4bde7a87bc1e66122ede |
| SHA256 | b07c4f0274341fccc562b9c0044d65341ad5e82c367de4e9b81287cd7f4b8de9 |
| SHA512 | df924929cc67a9d0184883b4f10807f2b55ec18fb274855498c2f59d8eaf3b8ecdf923d6f7e82f59bd8240087a844d601bc92d6500b0dd37abbcefbba2466150 |
memory/2588-29-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2108-27-0x0000000002430000-0x0000000002784000-memory.dmp
C:\Windows\system\bQMjejV.exe
| MD5 | f39cb9cd31d31c9482eb335feb6fa328 |
| SHA1 | 0a28bd1a09a9d8a5dd44fcc9959bb7d41093f274 |
| SHA256 | 776426646c9fa9710f4e87a7c841add177ae64b63b7254bf35107c93296a20c7 |
| SHA512 | c18c1d783bb42b112df5aadd6efa786ecf444ea46cb8a566cd408808ea6d0873e7d44683162e91ffab63bc8a35ba7f29b26b393a5c9cec2f9e4be2d34922eaf2 |
memory/2172-36-0x000000013F520000-0x000000013F874000-memory.dmp
memory/2108-35-0x000000013F520000-0x000000013F874000-memory.dmp
\Windows\system\hmOPFMi.exe
| MD5 | e074cc878d8733149e847659ed5a9c09 |
| SHA1 | 02dfbbd4a8cc927efb87940b287e0db90534c00d |
| SHA256 | 4397e983f6d577674b258bb6f1b8882f3040ed05bae0d85a7f21120c314410bd |
| SHA512 | 8600c68db9ee4cd79b17f3954d31989f300115b769ba50f72e508d680c5f16833893f5262dd103a7d599a1abb402b332e7b6b76a352a9d07da120a2bcd524b8c |
memory/2612-42-0x000000013F620000-0x000000013F974000-memory.dmp
C:\Windows\system\nHmCPFJ.exe
| MD5 | 9b8c97be5730a16715b0ea7d0c816396 |
| SHA1 | 0a2c5ed123ef0fea06861ba6b7210dba5dab0b5f |
| SHA256 | bf925a83a61e887a9aeb4cbc9bd27ab81162540b65c542878f3c73f439543b18 |
| SHA512 | 9216263258a224aa5af4fcba142e2578a0c8dbb89ab5cccc95248a207a9f522b05ba1950400166ad68289278f33d149cd5576822de8b0d761de10addb419a587 |
memory/2624-48-0x000000013FD10000-0x0000000140064000-memory.dmp
\Windows\system\VGwxAEp.exe
| MD5 | e51b31cec89b5d22870701daf2aed846 |
| SHA1 | 997226b6ed3b834f5a82293632eff03b77922b1a |
| SHA256 | 31d9046259e4c3ebf303ff1e30257c8af488f530ae1e4910d19cb793147217c5 |
| SHA512 | 97777df3127a75dc2ffc5914439ffdfc65d583df50293ae3ebbdb8909b097c42363b55f5cf8dd7ac42bc29a380b498050f8dfea59ee6850cf1f1014e1a479acc |
memory/2108-52-0x000000013F980000-0x000000013FCD4000-memory.dmp
C:\Windows\system\WNNdAkh.exe
| MD5 | c53157a76f797fc019eeb75bce1bc233 |
| SHA1 | d798e3c01bf736e71bea7f881eb50f6bc3f43c56 |
| SHA256 | 11b44e2b944c25fb49a5cbf063504937255530c96da9f944ee67fc5ab8ba5ce9 |
| SHA512 | a8c98aac5e18d598d66860dc5f2aa047271203fa48abc977885b006986b68dcfc41302c04bfdfeb7d654e563d5cd37f2db6849c6a69e761e858f1e6397b225bd |
memory/2436-65-0x000000013F8C0000-0x000000013FC14000-memory.dmp
memory/2956-69-0x000000013F600000-0x000000013F954000-memory.dmp
C:\Windows\system\AdVRsFZ.exe
| MD5 | dd3892e1ed02b098cd98b9e95b1adad2 |
| SHA1 | 51cdba3e5876c2ecb4400ddf4f4965c02bb135d6 |
| SHA256 | e7b6890408d7f371dc6899e56ee89891cf07b334dd4a586eb3cf88b774714175 |
| SHA512 | e3f8debbb0b87c0f759cad4f3f8798c469b3b1a4885cc9f8469732973e1a0ba645c963ff1148a02ac250832a76bf4d741e8d81dc94642d61be6b59ad72cc1921 |
C:\Windows\system\kvelMvi.exe
| MD5 | f1c09fa2feeb344f1a19c7df75e92276 |
| SHA1 | 5a685c5009daa7d0384c2ac5e45fd8b088c5ac23 |
| SHA256 | a68009e5856148e2a1a35d93a951c36ef792d49a86153acc5ece92d7e583fad3 |
| SHA512 | 00da5ae1c116aad7011a9ed79c1a2636d434b7f080fa28e750cf381566b249411d997ee86c12b66a881e0fb4ee3645cf4a3318071d6652b0298fdc8718747b1e |
memory/2700-83-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/2108-80-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/2244-76-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/2108-75-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/2108-68-0x000000013F600000-0x000000013F954000-memory.dmp
memory/2360-66-0x000000013FF00000-0x0000000140254000-memory.dmp
C:\Windows\system\SYtKmrx.exe
| MD5 | 11456ce27f3f184907fdae2ec0ffc23c |
| SHA1 | 9c0bb44f7e5edcaf1bbabcf44e9661f352f66a65 |
| SHA256 | 5958c4dc1c9ee24fe16c767d296a15fc1345b5fe27c08f186b24d594979036d5 |
| SHA512 | 2d415bb7055eb096604227edf441d2840c6e08f2fec3ad984b7a806b827a63c01a345c47918140df29d785cbcb28b067da82289e23d8c697edc9b756d91f0631 |
memory/2108-63-0x000000013FF00000-0x0000000140254000-memory.dmp
C:\Windows\system\PqBVGiR.exe
| MD5 | 36dbec0520357452131c947c1f6af662 |
| SHA1 | 3e5a8f031ada201a2a743a086ba272252cc2851b |
| SHA256 | 60bd95ced5d18520f35c83783c3284af75c5e69ab6592bbe055b0b2265b54b87 |
| SHA512 | 3ba2dd465ca44f1fa18064af7a432f9323788b9663b078e6b4534d5b303c2de2968670f423413611dfc367fba76210a7ab3d2fff404bfc02285e34a1b5a78ca7 |
C:\Windows\system\UPDfpCH.exe
| MD5 | e6771c5f610e978cdddfc5f49b491928 |
| SHA1 | db8e90aa291668d8a45a41d662cfe70a9ac81b3b |
| SHA256 | 7f7102d26ba116d00e3d5edb086f8cf78eaea4d68eced6eed154d461c6947393 |
| SHA512 | 50d9dbbbe75c1ca87cedbb98b8f0ee9fbe6fc080d10669627ab882a2e59a9735d7f95cdb82f85fc37e0c761af2201795b5e56fbfbf18ee809c85bed51ee11886 |
memory/2108-96-0x0000000002430000-0x0000000002784000-memory.dmp
C:\Windows\system\uTOqQrb.exe
| MD5 | 90c809df1d8c8f855e90b01b159c0566 |
| SHA1 | b60e19524dd9c433686d52852584b1477096e051 |
| SHA256 | d581e2b12f008e5ff730da7715594601ea7653e9b92e8d184a7aadbe6f3e7bd4 |
| SHA512 | b100bf9056f8ff6f5c56ee95cca4402147ced3a742de92e10a3131dfb0cb212cdfb097b00a26a05d03bc577f7a4f1870eb04b2cac97a253860adbc5265748983 |
\Windows\system\asZUvdj.exe
| MD5 | b6edb93a712b196165117172ef4616e4 |
| SHA1 | 39830a8a39df309a0bbe515ee97ff9a65bbd9140 |
| SHA256 | 52ca7f4d061fb30bd48433f611db0df59921b1f041992704502b49aa20a7e95e |
| SHA512 | 961f378221bb4c5e86496a70bb9153c928094dee86998d4f9898bfd4762ba0fd7167d8ff28612e89cec43b96d4d4a9e8ac59b0a9d5a9afe7c7865f5cee2ca41d |
C:\Windows\system\rdzaPmK.exe
| MD5 | 250768877b481165be3c9148ec20b7e5 |
| SHA1 | a9d9e34bd1c9d218000804b25806cc88aff4f355 |
| SHA256 | cae054a367700b9cbeafcb6bdb61f342fbfd0530a18084a2f3d4cefe254a7b1d |
| SHA512 | fe64c2c0119192c11a6ccc304ee54588c0e0efa6763717db3fb18ebcb96469d640191c749b0ebf9ba3baec826072fa7f66987b07aaa5e40edf0fc0e540b8d51f |
C:\Windows\system\ncnsrNo.exe
| MD5 | 78daa90b615759b96a390ea242517258 |
| SHA1 | 21bc540988540215ec6b18d43a5c6734f37553cf |
| SHA256 | 09d6088af389b1072e1a97387a9ba5c6c3365155656282792344c2dd38c8f9ef |
| SHA512 | b520bcfe1897308d430c98f64c0d7906218ca3c97600b00da51fdf57aa873af65dcee4b380da357cbbc1ca8eefcd804b7f698b8b1b233c3579f21827717ad229 |
C:\Windows\system\UmvhodP.exe
| MD5 | ef061c2f278886d23011b85ba764fe96 |
| SHA1 | 43a77ea839500e4cc034c8782f30eed43fe61595 |
| SHA256 | 098931530ec1a6119bb5c06d83d36b3bc50f915be4a3a618122f8a60d1bae162 |
| SHA512 | 8701076790f96389365514b65b786845427b9a7c5397335c8f13956386fb5e042db95ebe74aa650e3df27f528afab7db46a5821001bf166defce7b669a9110ce |
C:\Windows\system\GtILghu.exe
| MD5 | 82bee3613615d7266fad865cb107adeb |
| SHA1 | 1221a4209f6d33b585d4a13e5345cff23bef6daa |
| SHA256 | 73becfe04634e2d5b69bc6d7684b2da143ce4beb58d5b0eb963321e74aaaa743 |
| SHA512 | 012fb14ac53cef46efa959e137db6a0ca0a4921f3142c138305eabeea6e6cf2f1282206341a093f8391a1428cf2d17f9e8bb4babb1e7cf9c1b591a7b03be8971 |
memory/2748-100-0x000000013F7C0000-0x000000013FB14000-memory.dmp
C:\Windows\system\bopoNbf.exe
| MD5 | 2cc683a1497f64001b5ba47d2162df0e |
| SHA1 | bd571ea62784233ddf8634ef354a0e778fa43014 |
| SHA256 | 3dcb621de170d4612b74fa670d8d1fe881e791cea8070bd7feaa4767fe0eec8e |
| SHA512 | 817fa1d017ea4e8bb9cd5bd9bacb4023ecd48d5b3eccd3f052e6186a39cc10b2bf297ab356579bbaf4c91f459a8d4dd0c54b4ea2d3b8d264a69619e2637c817f |
memory/2108-104-0x0000000002430000-0x0000000002784000-memory.dmp
memory/2692-95-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/2108-93-0x0000000002430000-0x0000000002784000-memory.dmp
memory/2588-91-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2108-134-0x0000000002430000-0x0000000002784000-memory.dmp
memory/2108-135-0x000000013F600000-0x000000013F954000-memory.dmp
memory/2108-136-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/2108-137-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/2632-138-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/2024-139-0x000000013FEC0000-0x0000000140214000-memory.dmp
memory/1256-140-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/2588-141-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2172-142-0x000000013F520000-0x000000013F874000-memory.dmp
memory/2612-143-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2624-144-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/2360-146-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2436-145-0x000000013F8C0000-0x000000013FC14000-memory.dmp
memory/2956-147-0x000000013F600000-0x000000013F954000-memory.dmp
memory/2244-148-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/2700-149-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/2692-150-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/2748-151-0x000000013F7C0000-0x000000013FB14000-memory.dmp
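The Files section above is the part of this report worth carrying into a hunt: every dropped EXE has a distinct hash, and both detonations write them as seven-letter mixed-case names directly under C:\Windows\System. The following is an added example, not part of the sandbox report: it parses the report's own path-then-hash layout into an IOC set and checks a host file inventory against it, first by SHA256 and then by the naming pattern. REPORT_EXCERPT is an excerpt of the behavioral1 Files section (four of the 21 dropped EXEs, with the MD5/SHA1/SHA512 rows left out; the full section parses the same way). HOST_INVENTORY is constructed test data, and the seven-letter-name heuristic is this example's own assumption rather than a rule from the report.

```python
"""Turn the 'Files' section of this report into a hash/name IOC set and match it
against a host file inventory.

Added example; it is not part of the sandbox report. REPORT_EXCERPT is an
excerpt of the behavioral1 'Files' section (four of the 21 dropped EXEs, with
the MD5/SHA1/SHA512 rows left out; the full section parses the same way).
HOST_INVENTORY is constructed test data, and the 7-letter-name heuristic is
this example's own assumption, not a rule from the report.
"""
import re
from dataclasses import dataclass

REPORT_EXCERPT = r"""
memory/2108-1-0x00000000000F0000-0x0000000000100000-memory.dmp
C:\Windows\system\UtVDFgQ.exe
| SHA256 | cb634cf808cae68a32c764ec2476b70008e98800ec1d5e4e723c4fbcfa4d1abf |
memory/2108-8-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
C:\Windows\system\GrMncTu.exe
| SHA256 | 73cc348a2cad1baba6b19229d8376366e41261003b62c522ddd8bc33dee1b78e |
\Windows\system\hmOPFMi.exe
| SHA256 | 4397e983f6d577674b258bb6f1b8882f3040ed05bae0d85a7f21120c314410bd |
C:\Windows\system\bopoNbf.exe
| SHA256 | 3dcb621de170d4612b74fa670d8d1fe881e791cea8070bd7feaa4767fe0eec8e |
"""

# A Windows path to an .exe, with or without the drive letter (the report
# records some dropped files as "\Windows\system\...").
PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\[^|]*\.exe$", re.IGNORECASE)
# The SHA256 row that follows a file path in the report.
SHA256_RE = re.compile(r"^\|\s*SHA256\s*\|\s*([0-9a-fA-F]{64})\s*\|$")
# Dropped-file naming seen in both detonations: seven letters, mixed case,
# written directly into C:\Windows\System (heuristic; assumption).
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{7}\.exe$")


def parse_report_files(text):
    """Return {sha256: filename} for each path followed by a SHA256 row."""
    iocs = {}
    pending = None
    for raw in text.splitlines():
        line = raw.strip()
        if PATH_RE.match(line):
            pending = line.rsplit("\\", 1)[-1]
            continue
        m = SHA256_RE.match(line)
        if m and pending:
            iocs[m.group(1).lower()] = pending
            pending = None
    return iocs


def looks_like_dropped_name(path):
    """True for C:\\Windows\\System\\<7 letters>.exe (case-insensitive)."""
    parent, _, name = path.rpartition("\\")
    return parent.lower() == "c:\\windows\\system" and bool(RANDOM_NAME_RE.match(name))


@dataclass
class Finding:
    path: str
    reason: str


def hunt(inventory, iocs):
    """inventory: iterable of (path, sha256) from a host. Hash hits take precedence."""
    findings = []
    for path, digest in inventory:
        digest = digest.lower()
        if digest in iocs:
            findings.append(Finding(path, f"sha256 matches dropped file {iocs[digest]}"))
        elif looks_like_dropped_name(path):
            findings.append(Finding(path, "7-letter random name in C:\\Windows\\System (heuristic)"))
    return findings


# Constructed host inventory: one exact hash hit (uppercase, as some tools
# emit it), one new name that fits the pattern, two benign entries.
HOST_INVENTORY = [
    (r"C:\Windows\System\UtVDFgQ.exe",
     "CB634CF808CAE68A32C764EC2476B70008E98800EC1D5E4E723C4FBCFA4D1ABF"),
    (r"C:\Windows\System\qWertyU.exe", "0" * 64),
    (r"C:\Windows\System32\notepad.exe", "1" * 64),
    (r"C:\Users\Admin\Desktop\report.exe", "2" * 64),
]

if __name__ == "__main__":
    for f in hunt(HOST_INVENTORY, parse_report_files(REPORT_EXCERPT)):
        print(f"{f.path}: {f.reason}")
```

The hash match is the reliable signal; the name heuristic exists because the behavioral2 detonation produced 21 different names and hashes from the same parent, so a second infected host will not share hashes with this one. Treat a heuristic-only hit as a lead to pull the file for hashing, not as a verdict.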
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 19:24
Reported
2024-06-08 19:26
Platform
win10v2004-20240426-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| 21 hits; details not exported | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| 21 hits; details not exported | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| 64 hits; details not exported | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 hits; details not exported | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\bGRWrht.exe | N/A |
| N/A | N/A | C:\Windows\System\nQzvgdY.exe | N/A |
| N/A | N/A | C:\Windows\System\ogryxty.exe | N/A |
| N/A | N/A | C:\Windows\System\uFcOCKU.exe | N/A |
| N/A | N/A | C:\Windows\System\HaGYNqT.exe | N/A |
| N/A | N/A | C:\Windows\System\mNYrpTH.exe | N/A |
| N/A | N/A | C:\Windows\System\HVgPzcb.exe | N/A |
| N/A | N/A | C:\Windows\System\HUTpuQo.exe | N/A |
| N/A | N/A | C:\Windows\System\ShEINcl.exe | N/A |
| N/A | N/A | C:\Windows\System\pZbjwAD.exe | N/A |
| N/A | N/A | C:\Windows\System\sJhHSnP.exe | N/A |
| N/A | N/A | C:\Windows\System\kwVKYDz.exe | N/A |
| N/A | N/A | C:\Windows\System\cHpsCtp.exe | N/A |
| N/A | N/A | C:\Windows\System\ZhOpBMs.exe | N/A |
| N/A | N/A | C:\Windows\System\KjJUmyb.exe | N/A |
| N/A | N/A | C:\Windows\System\VlHSqMy.exe | N/A |
| N/A | N/A | C:\Windows\System\BsKwkud.exe | N/A |
| N/A | N/A | C:\Windows\System\AmJSwfG.exe | N/A |
| N/A | N/A | C:\Windows\System\YiHPFdJ.exe | N/A |
| N/A | N/A | C:\Windows\System\WGPhAmU.exe | N/A |
| N/A | N/A | C:\Windows\System\xfpGKzR.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| 64 hits; details not exported | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-08_fcae04d553ee642e6a08b4ca7df6e26b_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\bGRWrht.exe | C:\Windows\System\bGRWrht.exe |
| C:\Windows\System\nQzvgdY.exe | C:\Windows\System\nQzvgdY.exe |
| C:\Windows\System\ogryxty.exe | C:\Windows\System\ogryxty.exe |
| C:\Windows\System\uFcOCKU.exe | C:\Windows\System\uFcOCKU.exe |
| C:\Windows\System\HaGYNqT.exe | C:\Windows\System\HaGYNqT.exe |
| C:\Windows\System\mNYrpTH.exe | C:\Windows\System\mNYrpTH.exe |
| C:\Windows\System\HVgPzcb.exe | C:\Windows\System\HVgPzcb.exe |
| C:\Windows\System\HUTpuQo.exe | C:\Windows\System\HUTpuQo.exe |
| C:\Windows\System\ShEINcl.exe | C:\Windows\System\ShEINcl.exe |
| C:\Windows\System\pZbjwAD.exe | C:\Windows\System\pZbjwAD.exe |
| C:\Windows\System\sJhHSnP.exe | C:\Windows\System\sJhHSnP.exe |
| C:\Windows\System\kwVKYDz.exe | C:\Windows\System\kwVKYDz.exe |
| C:\Windows\System\cHpsCtp.exe | C:\Windows\System\cHpsCtp.exe |
| C:\Windows\System\ZhOpBMs.exe | C:\Windows\System\ZhOpBMs.exe |
| C:\Windows\System\KjJUmyb.exe | C:\Windows\System\KjJUmyb.exe |
| C:\Windows\System\BsKwkud.exe | C:\Windows\System\BsKwkud.exe |
| C:\Windows\System\VlHSqMy.exe | C:\Windows\System\VlHSqMy.exe |
| C:\Windows\System\AmJSwfG.exe | C:\Windows\System\AmJSwfG.exe |
| C:\Windows\System\YiHPFdJ.exe | C:\Windows\System\YiHPFdJ.exe |
| C:\Windows\System\WGPhAmU.exe | C:\Windows\System\WGPhAmU.exe |
| C:\Windows\System\xfpGKzR.exe | C:\Windows\System\xfpGKzR.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
memory/4212-0-0x00007FF63FC10000-0x00007FF63FF64000-memory.dmp
memory/4212-1-0x000001CD469A0000-0x000001CD469B0000-memory.dmp
C:\Windows\System\bGRWrht.exe
| MD5 | a921dafa4f54fbeb60256b64a5ea3d10 |
| SHA1 | 27804f5874445e6925a3a3e208421dbd2f4f0785 |
| SHA256 | 89b4175783f2d3741e4b6f95bee5be60e3f73d3e23c83973dc51af17c347aa34 |
| SHA512 | db3f96ceba45c58d89c0031554ae93451a7dae446ff3135c5c4750ab15f950aa18a326e6d2588a98d534c8b2d573cd7ba42916e461d0be8d2ea480272ccef710 |
memory/3328-6-0x00007FF607E40000-0x00007FF608194000-memory.dmp
C:\Windows\System\ogryxty.exe
| MD5 | 02fab6c854632ec54c9300479bc6244f |
| SHA1 | 2cdeb7e382d376115cc577baf6249e98c8099706 |
| SHA256 | aeabd24e57e4f8f900e24971d6af74bfceaa460c90ce768ac7a54f0c9063ed4e |
| SHA512 | 3decb04c57067b1cbb721c51b01e61dfe87bfd5f36478e57ddd57d8cd4e41a3ebbd98660813a8caf2000e4723b0187a749d29ca676f0da83f9d16d35dd82ee65 |
C:\Windows\System\nQzvgdY.exe
| MD5 | 77f93469007e5ccc00b6942c754b7de6 |
| SHA1 | 0a3690364ec844ce11e89c22329d1f984cd3ad97 |
| SHA256 | db365be615caf10742ebf0adad20cc03d7f729c38651dc4e19cc9dab3303ff4c |
| SHA512 | 67e9e49e07046439698edd6ac29115a40844801b29c717629587939355ffab5d78e3550c46abdd648dab16a96bb07a65c040c884a6fd97f11787ac347ee4e89a |
C:\Windows\System\uFcOCKU.exe
| MD5 | 04533548d1bd33bc736778037507bbfa |
| SHA1 | bf309f32878c9c02247ab1f5a9952ebad1dbfd9f |
| SHA256 | ac87fdd82697045ca40d87124a9679cfeb7a0665da560fc3957278fa4ed862bf |
| SHA512 | 6aca18143781e053c2b00aac4d54c9c42282812360a70113f4c16c04881c1bbc69c1968ef281c3b213c42d10e7626a9ab0bd5cf0f3f32cec01374530123369db |
C:\Windows\System\mNYrpTH.exe
| MD5 | aee7ed2edeb70297c7d783161789d821 |
| SHA1 | d3207567cf6386934f3b92146e9e1d410fffdbb6 |
| SHA256 | 6f49690719b2c7d9ee294326402ec5593d97dc4cb6f0bde202f18ea3f4472846 |
| SHA512 | 1e4aa9ad1589208dc504d5735db37504b38edd261ab49e537e06afb7574d225bcdd6fa77fddf5422d2ad69a55908d06f63c66e503186694980facda584e9edbb |
C:\Windows\System\HUTpuQo.exe
| MD5 | 9e4e75220ad81f880a51ed7110c00ee2 |
| SHA1 | 6ff1c6bba19d14c1c317de1d2fc80e9ca4d07c26 |
| SHA256 | c780f43e77421dca831aa101ab16dacc1ff3d1a0d1cb2ff498a783753a6cc97f |
| SHA512 | 473df34ab707eec22e1d303698d5214038035aa682144ddc357c4d6a1470979197d18f886d0d22de8aa31ca75686dc53c4aae781ef6f4a22cd80ac59b3227340 |
C:\Windows\System\ShEINcl.exe
| MD5 | 182939a9a832f1ae9420d150a15f4ff6 |
| SHA1 | 1bcc740c33a7dd6fc6c771f5f510ecc72e5b27cf |
| SHA256 | 591cacbe7c4752926b93b29638cba8dd2f2c06fd6cf43e894c9f67a66675e81d |
| SHA512 | 69ea7ef86fae8984f233bd624665a4e3c505d80c791b7b0dfa9cbc9c419d645e1eac0d18d25eeb1d6870bf6b89a8154b9138ea1695a43731b0664582966aa0c6 |
C:\Windows\System\kwVKYDz.exe
| MD5 | b418e25e61b3b973dc49a9510c3d29e9 |
| SHA1 | 8c786d3d8ab87e2cdd82aa6f0ec42ac27410acaf |
| SHA256 | 6fe171f5d8be12ae749e73ecb8db93f0cf4acffbb70f8845cefb92e110a36316 |
| SHA512 | f56de11196588eaa7dce59375bdcbbc6d1668680fbf6cd54dde8c2cea9ff50bec254bc537bfb442a2e81dde3e8ece6be6b9010f66b6993092832f847368b3e19 |
C:\Windows\System\KjJUmyb.exe
| MD5 | e34057d8d80040b5a5c8469c5da83360 |
| SHA1 | d23a666ebee18ee606ae431b24176212a15258ed |
| SHA256 | 37eb774c96b9c4e51818719ff949167b6d19ebf27f04c504f10d095313ee0693 |
| SHA512 | 338b5943c6902acb574a06093753554dae102987471255eb6524eb0d484988cf426bc0f9fc9b21cfebae77158f8050895fa864a7b38e3164ebd5b466aa10918e |
C:\Windows\System\ZhOpBMs.exe
| MD5 | 983fc613c3993fa83c31d34f3712b8a0 |
| SHA1 | 5bf7585d2e2d5129f08bcb66c78f8883a8406a18 |
| SHA256 | 785508702fc817ea8aad309997af758e8c85716e6a2b2d8845e6feb2a9cdba91 |
| SHA512 | 0934f491e306eb2543bf5a91e685bd90696a25d52882bb0fda4a4fb97ac75745591f0d2914d370cfad888cacba2bf55d3e0aaad1f6f432dcbb26b34a83f34e93 |
C:\Windows\System\cHpsCtp.exe
| MD5 | 4f27405c32743c05158bdced2ee007a8 |
| SHA1 | 9deca0994fabe02af35f4fd2611e3121e0758ce5 |
| SHA256 | 8c6906bd772da8e51a821810653bd58d541fa6c75e285714929a5d80a9fd93ba |
| SHA512 | 56408a3e3e65954a89edd4c7754fbc920b457f924e5257c3b9e47f9fcea1224dffa2073b4016026d32557c49069fdf0c2c2791dc619c455b757cc69992d17d6d |
C:\Windows\System\sJhHSnP.exe
| MD5 | 72ec0ee885c77245becc00576ce1957e |
| SHA1 | 6f8e26d9ff8e6cd9515387625b6fd11e35cc15e7 |
| SHA256 | 87d047a3f5ed840d7b4a805b9965b2403f115c9374730da8cb6f5e1fcda2c4b7 |
| SHA512 | 43a6c66609133d353490f5512da9c351e344ce26e6f8f8ce517a53acb1a67b2975bc76b009d8c2bee20cf4337000f5472cfc9a85aae278cd4481dd4ecc651215 |
C:\Windows\System\pZbjwAD.exe
| MD5 | ab3e36f9f834154431f3f9968cbe2623 |
| SHA1 | 3eaab31eaa10ca670f148ddfbd5eb5f218dd2c3c |
| SHA256 | b96063293d3ecf4072bd10da58ecbe7377bd9753596fdb803ebf4127d15f58fc |
| SHA512 | 8b756cfe1836901dcfe60ea322588b140e28e5c8d37331977fab756b9b902afb079c40e985c96abcda6ccbbc892dec3460abfc0b650bc99c9aec4bca370ee94e |
C:\Windows\System\HVgPzcb.exe
| MD5 | e89bf72de1d06a24470917666b8f754d |
| SHA1 | 803480e399e47cc7f0cb0babaee89a0c39c19a4d |
| SHA256 | b696ff9bfad18811bb5fcc360ce755efaddbb133319d448806b78ba837ff9e3d |
| SHA512 | 7dadb644bbf54e032181f0390bc7534ea947a3441fe06509275e4a34541581db7451d90b99f4f4af1f042a37423bcfbef30ec501eda2e9fe96c9f9b2fa267860 |
memory/2436-38-0x00007FF6EEBE0000-0x00007FF6EEF34000-memory.dmp
memory/912-33-0x00007FF622180000-0x00007FF6224D4000-memory.dmp
memory/3216-28-0x00007FF6E4690000-0x00007FF6E49E4000-memory.dmp
C:\Windows\System\HaGYNqT.exe
| MD5 | d317c170f3e45bb952f8e558da43c800 |
| SHA1 | 5928cc03cfb0fa36bddc1f7c1823470ebb1b4a47 |
| SHA256 | 421178ab4dea8287dcaf7fd26933bfbb23e455d2ef70f934b9447837d5c42052 |
| SHA512 | 455f0c1de6f0eb159a6a879346e464b5684db8c0bb813ebfcbe217c8aec46841618b56559cd8263c3d3d8711e9d4a5b1ef10a9ea8f9bda16d729fbcf39cc2b24 |
memory/4192-20-0x00007FF6B9AF0000-0x00007FF6B9E44000-memory.dmp
memory/4412-12-0x00007FF684640000-0x00007FF684994000-memory.dmp
memory/3596-86-0x00007FF706EA0000-0x00007FF7071F4000-memory.dmp
C:\Windows\System\VlHSqMy.exe
| MD5 | b7eb4593cc96faabd382e9284bb746e2 |
| SHA1 | 3fcd12fef425d9e36b6c8e761a80156c50ed3fe4 |
| SHA256 | 55a1269705a6191d6a13e59deb28dc7467cb6ae417dc0df0c9a419afd51b55d7 |
| SHA512 | c8b40ff1a7aa4e633759578b7fd7afefc659626908206e789239f48dd95354688279b63ec6fbe5e464448d6af2b6e8686783a0352921bd593e2ca9e81225351f |
memory/548-91-0x00007FF71E0E0000-0x00007FF71E434000-memory.dmp
memory/1908-94-0x00007FF61D5B0000-0x00007FF61D904000-memory.dmp
memory/4648-104-0x00007FF70DE80000-0x00007FF70E1D4000-memory.dmp
C:\Windows\System\AmJSwfG.exe
| MD5 | 63446fd1425a2ac9b80bbd08c417c039 |
| SHA1 | 653eab47e65aa2b7f562f14f423a5577e1bb293c |
| SHA256 | d688bbea528a81ec9fb4376bc87ed1a39d9b640b25572a494f4b849f02dc4c70 |
| SHA512 | b2d51318cc23acebc365386d55fd0dadc0515bec5c6aaeaa19267c22cf2535355a56624b7c1693e791d5e8ce2ebb8f5fda599bb39929749932a03b7148c57da6 |
C:\Windows\System\BsKwkud.exe
| MD5 | db8b1ee3e32a9bab920c567d87debc21 |
| SHA1 | 96b4116533069260755640aede3b69c5799d4391 |
| SHA256 | 0605fbbc51bafbfe4851b557c580035067a47ef349e3f783bf41a3779a96ce8a |
| SHA512 | cf912df3a46383f022aa2fcfaf182a1d7fb8c5c819eb2690b490ac73d41c1e19a50a54db525fef4a41b3f18159b6a7ee9d926f2895324d57b774d39cde77ccdb |
C:\Windows\System\WGPhAmU.exe
| MD5 | 70294df36fc52fb797a096ff725b0e19 |
| SHA1 | 3a26ca71f69b9c364e652104446dbe2e0ee0a6c8 |
| SHA256 | 61946b167cf6e5f2a8d4618707e03ac33bd7bfbb0e3c938def908005e57d17ce |
| SHA512 | a53d8b7ec1d2247d8e3737315fbe46752178590068bdb6128d29e2ac25974220202960559f33bbb1d44b40166a019263f6f83000a9c46ff2a3b10ced59dc2075 |
C:\Windows\System\xfpGKzR.exe
| MD5 | b8733b597451d9ead43502a41785253f |
| SHA1 | a76394b2531562c7b18f6f641075a63156122b66 |
| SHA256 | 2556940d43a076ca835c686eaabb5bded5caaecb8096451e94aca32ad2b8f688 |
| SHA512 | 6b8a78b74ab4bd9f465bb0beb9d18f22d3762b873494140a6074e59f136eddc7159b69baf2200c1529d45b6f377ac39aee3a63620fc79c23894155863aaa2812 |
C:\Windows\System\YiHPFdJ.exe
| MD5 | cb5ec0e278ff06cf44a6316453596d0b |
| SHA1 | e79ab90bd51ea513d8b1f719a2129bb3364682c6 |
| SHA256 | d315046836fbd283368b4379d8f131236b30c9286954d78c56b7fada33eedad6 |
| SHA512 | bf608fef1b0a8cea7bf8a773b20adb4b397fe12de0651e12b43b77c182b1a96519bcc988766acbc3e60f64f51c5917bb23e38c42f8c384bd24db7c7ba9340d2a |
memory/4308-106-0x00007FF7D53F0000-0x00007FF7D5744000-memory.dmp
memory/3716-105-0x00007FF72B5E0000-0x00007FF72B934000-memory.dmp
memory/3860-102-0x00007FF7F4E20000-0x00007FF7F5174000-memory.dmp
memory/4692-96-0x00007FF673A20000-0x00007FF673D74000-memory.dmp
memory/4752-93-0x00007FF622700000-0x00007FF622A54000-memory.dmp
memory/688-89-0x00007FF67B380000-0x00007FF67B6D4000-memory.dmp
memory/4484-85-0x00007FF73C8E0000-0x00007FF73CC34000-memory.dmp
memory/1132-84-0x00007FF7DCDE0000-0x00007FF7DD134000-memory.dmp
memory/4212-125-0x00007FF63FC10000-0x00007FF63FF64000-memory.dmp
memory/3804-128-0x00007FF6F2C10000-0x00007FF6F2F64000-memory.dmp
memory/3844-127-0x00007FF72F8B0000-0x00007FF72FC04000-memory.dmp
memory/5028-126-0x00007FF75F500000-0x00007FF75F854000-memory.dmp
memory/3328-129-0x00007FF607E40000-0x00007FF608194000-memory.dmp
memory/4412-130-0x00007FF684640000-0x00007FF684994000-memory.dmp
memory/3216-132-0x00007FF6E4690000-0x00007FF6E49E4000-memory.dmp
memory/4192-131-0x00007FF6B9AF0000-0x00007FF6B9E44000-memory.dmp
memory/3716-133-0x00007FF72B5E0000-0x00007FF72B934000-memory.dmp
memory/4308-134-0x00007FF7D53F0000-0x00007FF7D5744000-memory.dmp
memory/3328-135-0x00007FF607E40000-0x00007FF608194000-memory.dmp
memory/4412-136-0x00007FF684640000-0x00007FF684994000-memory.dmp
memory/4192-137-0x00007FF6B9AF0000-0x00007FF6B9E44000-memory.dmp
memory/912-138-0x00007FF622180000-0x00007FF6224D4000-memory.dmp
memory/3216-139-0x00007FF6E4690000-0x00007FF6E49E4000-memory.dmp
memory/2436-140-0x00007FF6EEBE0000-0x00007FF6EEF34000-memory.dmp
memory/1132-141-0x00007FF7DCDE0000-0x00007FF7DD134000-memory.dmp
memory/4484-142-0x00007FF73C8E0000-0x00007FF73CC34000-memory.dmp
memory/3596-143-0x00007FF706EA0000-0x00007FF7071F4000-memory.dmp
memory/688-144-0x00007FF67B380000-0x00007FF67B6D4000-memory.dmp
memory/548-145-0x00007FF71E0E0000-0x00007FF71E434000-memory.dmp
memory/4752-146-0x00007FF622700000-0x00007FF622A54000-memory.dmp
memory/1908-147-0x00007FF61D5B0000-0x00007FF61D904000-memory.dmp
memory/4692-148-0x00007FF673A20000-0x00007FF673D74000-memory.dmp
memory/3860-149-0x00007FF7F4E20000-0x00007FF7F5174000-memory.dmp
memory/4648-150-0x00007FF70DE80000-0x00007FF70E1D4000-memory.dmp
memory/4308-152-0x00007FF7D53F0000-0x00007FF7D5744000-memory.dmp
memory/3716-151-0x00007FF72B5E0000-0x00007FF72B934000-memory.dmp
memory/5028-153-0x00007FF75F500000-0x00007FF75F854000-memory.dmp
memory/3844-154-0x00007FF72F8B0000-0x00007FF72FC04000-memory.dmp
memory/3804-155-0x00007FF6F2C10000-0x00007FF6F2F64000-memory.dmp