Analysis Overview
SHA256
1c636cc611ad32eb2e65a0b5d75bea3410638e6f6e2b49661e650eae9a501413
Threat Level: Known bad
The file 2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobaltstrike
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Xmrig family
xmrig
XMRig Miner payload
UPX packed file
UPX dump on OEP (original entry point)
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-09 02:56
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 02:55
Reported
2024-06-09 02:59
Platform
win7-20240220-en
Max time kernel
133s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\vUCbbsh.exe | N/A |
| N/A | N/A | C:\Windows\System\IwNGDxb.exe | N/A |
| N/A | N/A | C:\Windows\System\embgdRH.exe | N/A |
| N/A | N/A | C:\Windows\System\kMINxzr.exe | N/A |
| N/A | N/A | C:\Windows\System\bGuAJWW.exe | N/A |
| N/A | N/A | C:\Windows\System\gSflHYg.exe | N/A |
| N/A | N/A | C:\Windows\System\slEDbeo.exe | N/A |
| N/A | N/A | C:\Windows\System\VaBiJiS.exe | N/A |
| N/A | N/A | C:\Windows\System\ZFlVXfA.exe | N/A |
| N/A | N/A | C:\Windows\System\CrTKOmt.exe | N/A |
| N/A | N/A | C:\Windows\System\RkfqrrM.exe | N/A |
| N/A | N/A | C:\Windows\System\WiBbcTU.exe | N/A |
| N/A | N/A | C:\Windows\System\RpwIcPT.exe | N/A |
| N/A | N/A | C:\Windows\System\EpdTDyo.exe | N/A |
| N/A | N/A | C:\Windows\System\SzQlZlv.exe | N/A |
| N/A | N/A | C:\Windows\System\fAZiJBd.exe | N/A |
| N/A | N/A | C:\Windows\System\RVXQEol.exe | N/A |
| N/A | N/A | C:\Windows\System\POixSfg.exe | N/A |
| N/A | N/A | C:\Windows\System\rHeWrji.exe | N/A |
| N/A | N/A | C:\Windows\System\bRiWySn.exe | N/A |
| N/A | N/A | C:\Windows\System\TYQAnDb.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\vUCbbsh.exe
C:\Windows\System\IwNGDxb.exe
C:\Windows\System\embgdRH.exe
C:\Windows\System\kMINxzr.exe
C:\Windows\System\gSflHYg.exe
C:\Windows\System\bGuAJWW.exe
C:\Windows\System\slEDbeo.exe
C:\Windows\System\VaBiJiS.exe
C:\Windows\System\ZFlVXfA.exe
C:\Windows\System\CrTKOmt.exe
C:\Windows\System\RkfqrrM.exe
C:\Windows\System\WiBbcTU.exe
C:\Windows\System\RpwIcPT.exe
C:\Windows\System\EpdTDyo.exe
C:\Windows\System\SzQlZlv.exe
C:\Windows\System\fAZiJBd.exe
C:\Windows\System\RVXQEol.exe
C:\Windows\System\POixSfg.exe
C:\Windows\System\rHeWrji.exe
C:\Windows\System\bRiWySn.exe
C:\Windows\System\TYQAnDb.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 02:55
Reported
2024-06-09 02:59
Platform
win10v2004-20240426-en
Max time kernel
134s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\yxePtTa.exe | N/A |
| N/A | N/A | C:\Windows\System\VnHGFgQ.exe | N/A |
| N/A | N/A | C:\Windows\System\NdDLmbS.exe | N/A |
| N/A | N/A | C:\Windows\System\KLmYSac.exe | N/A |
| N/A | N/A | C:\Windows\System\xtcgUxb.exe | N/A |
| N/A | N/A | C:\Windows\System\eYYoXDi.exe | N/A |
| N/A | N/A | C:\Windows\System\uWCnTUx.exe | N/A |
| N/A | N/A | C:\Windows\System\oqumGkv.exe | N/A |
| N/A | N/A | C:\Windows\System\bqklLxC.exe | N/A |
| N/A | N/A | C:\Windows\System\WRlTXqW.exe | N/A |
| N/A | N/A | C:\Windows\System\nwLHeeH.exe | N/A |
| N/A | N/A | C:\Windows\System\WIxJIBD.exe | N/A |
| N/A | N/A | C:\Windows\System\XyMUwUF.exe | N/A |
| N/A | N/A | C:\Windows\System\gDjyJVL.exe | N/A |
| N/A | N/A | C:\Windows\System\RXBidsf.exe | N/A |
| N/A | N/A | C:\Windows\System\oYFmYcg.exe | N/A |
| N/A | N/A | C:\Windows\System\ieczhKQ.exe | N/A |
| N/A | N/A | C:\Windows\System\MLFxaEt.exe | N/A |
| N/A | N/A | C:\Windows\System\cpejiCz.exe | N/A |
| N/A | N/A | C:\Windows\System\jJQAvPk.exe | N/A |
| N/A | N/A | C:\Windows\System\fSYXvOA.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_a7c2405d5f47369e61ee22827e3334b2_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\yxePtTa.exe
C:\Windows\System\VnHGFgQ.exe
C:\Windows\System\NdDLmbS.exe
C:\Windows\System\KLmYSac.exe
C:\Windows\System\xtcgUxb.exe
C:\Windows\System\eYYoXDi.exe
C:\Windows\System\uWCnTUx.exe
C:\Windows\System\oqumGkv.exe
C:\Windows\System\bqklLxC.exe
C:\Windows\System\WRlTXqW.exe
C:\Windows\System\nwLHeeH.exe
C:\Windows\System\WIxJIBD.exe
C:\Windows\System\XyMUwUF.exe
C:\Windows\System\gDjyJVL.exe
C:\Windows\System\RXBidsf.exe
C:\Windows\System\oYFmYcg.exe
C:\Windows\System\ieczhKQ.exe
C:\Windows\System\MLFxaEt.exe
C:\Windows\System\cpejiCz.exe
C:\Windows\System\jJQAvPk.exe
C:\Windows\System\fSYXvOA.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/2512-90-0x00007FF7E9A30000-0x00007FF7E9D84000-memory.dmp
memory/1936-110-0x00007FF746D70000-0x00007FF7470C4000-memory.dmp
memory/1312-117-0x00007FF77A6A0000-0x00007FF77A9F4000-memory.dmp
memory/4360-119-0x00007FF625040000-0x00007FF625394000-memory.dmp
memory/4900-125-0x00007FF6BA780000-0x00007FF6BAAD4000-memory.dmp
C:\Windows\System\fSYXvOA.exe
| MD5 | e8c4508a392ccf08590d3627a36cc3c3 |
| SHA1 | 3a57dd6c92ebc54582acaafd15cc9311eb0d15a2 |
| SHA256 | cea51cc96156d8e8255e2ccada29ae7300a3315f995e7ba6d44446f87dc9a09d |
| SHA512 | f92387e78f5fe98543d9e60ae371868a188c86c9137b7d0a0d3bf28026dbd3fc59a4eb30687c1a9721f81959fcdee80d280162f492d355d2ec0e6a7c5d939410 |
memory/1188-116-0x00007FF6ADE70000-0x00007FF6AE1C4000-memory.dmp
memory/2920-131-0x00007FF666EA0000-0x00007FF6671F4000-memory.dmp
C:\Windows\System\ieczhKQ.exe
| MD5 | 38e1b7b0b9aa649f5c14f03127a6d132 |
| SHA1 | 3917ca36707cd2c4dba6b6926d34a14a7bb117b1 |
| SHA256 | ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72 |
| SHA512 | 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0 |
memory/1916-99-0x00007FF77F230000-0x00007FF77F584000-memory.dmp
memory/1772-94-0x00007FF6B0C90000-0x00007FF6B0FE4000-memory.dmp
C:\Windows\System\RXBidsf.exe
| MD5 | 93bacfc3d845f374627b012c3a61a1e5 |
| SHA1 | f08219d5f19196fbc7a3a1e7ffbfb44e344c21ae |
| SHA256 | 4fd1d5231f529c0710d6a6cd40036ebe10563700b5f25c50aacacf0ccbeb0b9d |
| SHA512 | 63e909e0f694f7072b09c22815e6279a7448ff3ee9b219e1f03fa23b70411a9de5cd54205f2b9fac218aee1fe5bb1761b1d6308bcade318f7b85c7b720112b83 |
memory/3180-91-0x00007FF6FC8A0000-0x00007FF6FCBF4000-memory.dmp
memory/3424-78-0x00007FF68EF10000-0x00007FF68F264000-memory.dmp
memory/2488-76-0x00007FF7F3E00000-0x00007FF7F4154000-memory.dmp
memory/2448-73-0x00007FF6A4AC0000-0x00007FF6A4E14000-memory.dmp
memory/1660-69-0x00007FF63B7B0000-0x00007FF63BB04000-memory.dmp
C:\Windows\System\nwLHeeH.exe
| MD5 | a49475a019a08da6f6942731e90a6fd0 |
| SHA1 | 182c31693759881d5a23217c3ecf696274718eb3 |
| SHA256 | 02110ff63bc998bf20894ba62460ccdfb4993b8ae08a717410a78d3ef950ff0b |
| SHA512 | 3d5bf2158300ae50fcf1c5c50dbb58594bb8def1f8bf248bf78719b9afb2f1617609d45ec40cd28fa46807fa29d44b06e9f0cafece3e054ddd76c6fdfec2378d |
memory/4248-65-0x00007FF6F92C0000-0x00007FF6F9614000-memory.dmp
memory/3528-61-0x00007FF6EF390000-0x00007FF6EF6E4000-memory.dmp
memory/3952-56-0x00007FF6CAF10000-0x00007FF6CB264000-memory.dmp
memory/2768-50-0x00007FF7FD8D0000-0x00007FF7FDC24000-memory.dmp
C:\Windows\System\oqumGkv.exe
| MD5 | c83a72fd32d1ea03c4c25e0b40a06534 |
| SHA1 | de2f9cae4aaddd2cc18d23899ecdd1c809f91cc1 |
| SHA256 | c7c33166fb7303a687223dfb582067f939bce709fca5c41b819da2f4a6dcb359 |
| SHA512 | 01b6c66abfddb5df6a71e9a20ac803480a15bd6d8e038d46a607a93dd9ea600234a78f6bd587ad7d5b0616a8419e74ad1e4f1e4566d73f0ec035b67591e1923c |
C:\Windows\System\xtcgUxb.exe
| MD5 | 1d7117e100c84fe148f913c1efd23ea0 |
| SHA1 | 00ae97018ac9c894e11784ee5a7139020bf266fd |
| SHA256 | 0d79b1fe76aff8139b029a14367e5c71c5bee7d3b6cff346c6abdc90f431b846 |
| SHA512 | 53da86cfe634be541c3b3aa1cb10d31f5a00ede620305501a2a532f4c566b640a0610f6a4e4b47b688e9d6868872a5332655fb1dcda61c3178c286912a98cc81 |
memory/2888-20-0x00007FF6C3D30000-0x00007FF6C4084000-memory.dmp
memory/2420-8-0x00007FF7CCCB0000-0x00007FF7CD004000-memory.dmp
memory/2488-132-0x00007FF7F3E00000-0x00007FF7F4154000-memory.dmp
memory/3424-133-0x00007FF68EF10000-0x00007FF68F264000-memory.dmp
memory/2512-134-0x00007FF7E9A30000-0x00007FF7E9D84000-memory.dmp
memory/1772-135-0x00007FF6B0C90000-0x00007FF6B0FE4000-memory.dmp
memory/1916-136-0x00007FF77F230000-0x00007FF77F584000-memory.dmp
memory/4360-137-0x00007FF625040000-0x00007FF625394000-memory.dmp
memory/2420-138-0x00007FF7CCCB0000-0x00007FF7CD004000-memory.dmp
memory/2448-139-0x00007FF6A4AC0000-0x00007FF6A4E14000-memory.dmp
memory/2888-140-0x00007FF6C3D30000-0x00007FF6C4084000-memory.dmp
memory/4036-141-0x00007FF637C10000-0x00007FF637F64000-memory.dmp
memory/2028-143-0x00007FF6BBD90000-0x00007FF6BC0E4000-memory.dmp
memory/1936-144-0x00007FF746D70000-0x00007FF7470C4000-memory.dmp
memory/3180-142-0x00007FF6FC8A0000-0x00007FF6FCBF4000-memory.dmp
memory/2768-145-0x00007FF7FD8D0000-0x00007FF7FDC24000-memory.dmp
memory/3952-146-0x00007FF6CAF10000-0x00007FF6CB264000-memory.dmp
memory/1660-148-0x00007FF63B7B0000-0x00007FF63BB04000-memory.dmp
memory/4248-147-0x00007FF6F92C0000-0x00007FF6F9614000-memory.dmp
memory/3424-150-0x00007FF68EF10000-0x00007FF68F264000-memory.dmp
memory/2488-149-0x00007FF7F3E00000-0x00007FF7F4154000-memory.dmp
memory/1772-152-0x00007FF6B0C90000-0x00007FF6B0FE4000-memory.dmp
memory/2512-151-0x00007FF7E9A30000-0x00007FF7E9D84000-memory.dmp
memory/1188-153-0x00007FF6ADE70000-0x00007FF6AE1C4000-memory.dmp
memory/1916-154-0x00007FF77F230000-0x00007FF77F584000-memory.dmp
memory/1312-155-0x00007FF77A6A0000-0x00007FF77A9F4000-memory.dmp
memory/4360-157-0x00007FF625040000-0x00007FF625394000-memory.dmp
memory/4900-156-0x00007FF6BA780000-0x00007FF6BAAD4000-memory.dmp
memory/2920-158-0x00007FF666EA0000-0x00007FF6671F4000-memory.dmp