Analysis Overview
SHA256
b0228468d33910af67d116cc66154616a55ba5376e41ac9a37b714ae266b0292
Threat Level: Known bad
The file 2024-06-09_ce7cd839ffcff9ee6b217ff850fda4d9_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
xmrig
Detects Reflective DLL injection artifacts
Cobaltstrike family
UPX dump on OEP (original entry point)
XMRig Miner payload
Cobalt Strike reflective loader
Cobaltstrike
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX dump on OEP (original entry point)
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-09 11:44
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 11:44
Reported
2024-06-09 11:47
Platform
win7-20240221-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\CtQqhNx.exe | N/A |
| N/A | N/A | C:\Windows\System\xPXsIgR.exe | N/A |
| N/A | N/A | C:\Windows\System\QrvlhJg.exe | N/A |
| N/A | N/A | C:\Windows\System\kTyClEM.exe | N/A |
| N/A | N/A | C:\Windows\System\NAtautY.exe | N/A |
| N/A | N/A | C:\Windows\System\KIbxNno.exe | N/A |
| N/A | N/A | C:\Windows\System\wTWhXOz.exe | N/A |
| N/A | N/A | C:\Windows\System\KlcLayo.exe | N/A |
| N/A | N/A | C:\Windows\System\ygjdSsP.exe | N/A |
| N/A | N/A | C:\Windows\System\FpgJmRF.exe | N/A |
| N/A | N/A | C:\Windows\System\xchlKMy.exe | N/A |
| N/A | N/A | C:\Windows\System\ZfAwMLF.exe | N/A |
| N/A | N/A | C:\Windows\System\BablODT.exe | N/A |
| N/A | N/A | C:\Windows\System\aYHxkeS.exe | N/A |
| N/A | N/A | C:\Windows\System\njzUhgf.exe | N/A |
| N/A | N/A | C:\Windows\System\zwFSPsT.exe | N/A |
| N/A | N/A | C:\Windows\System\GiiTHQP.exe | N/A |
| N/A | N/A | C:\Windows\System\YFzadpM.exe | N/A |
| N/A | N/A | C:\Windows\System\CJkVAPD.exe | N/A |
| N/A | N/A | C:\Windows\System\lwSdIgP.exe | N/A |
| N/A | N/A | C:\Windows\System\jGqxrGH.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_ce7cd839ffcff9ee6b217ff850fda4d9_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_ce7cd839ffcff9ee6b217ff850fda4d9_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-09_ce7cd839ffcff9ee6b217ff850fda4d9_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_ce7cd839ffcff9ee6b217ff850fda4d9_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\CtQqhNx.exe
C:\Windows\System\CtQqhNx.exe
C:\Windows\System\xPXsIgR.exe
C:\Windows\System\xPXsIgR.exe
C:\Windows\System\QrvlhJg.exe
C:\Windows\System\QrvlhJg.exe
C:\Windows\System\kTyClEM.exe
C:\Windows\System\kTyClEM.exe
C:\Windows\System\NAtautY.exe
C:\Windows\System\NAtautY.exe
C:\Windows\System\wTWhXOz.exe
C:\Windows\System\wTWhXOz.exe
C:\Windows\System\KIbxNno.exe
C:\Windows\System\KIbxNno.exe
C:\Windows\System\njzUhgf.exe
C:\Windows\System\njzUhgf.exe
C:\Windows\System\KlcLayo.exe
C:\Windows\System\KlcLayo.exe
C:\Windows\System\zwFSPsT.exe
C:\Windows\System\zwFSPsT.exe
C:\Windows\System\ygjdSsP.exe
C:\Windows\System\ygjdSsP.exe
C:\Windows\System\GiiTHQP.exe
C:\Windows\System\GiiTHQP.exe
C:\Windows\System\FpgJmRF.exe
C:\Windows\System\FpgJmRF.exe
C:\Windows\System\YFzadpM.exe
C:\Windows\System\YFzadpM.exe
C:\Windows\System\xchlKMy.exe
C:\Windows\System\xchlKMy.exe
C:\Windows\System\CJkVAPD.exe
C:\Windows\System\CJkVAPD.exe
C:\Windows\System\ZfAwMLF.exe
C:\Windows\System\ZfAwMLF.exe
C:\Windows\System\lwSdIgP.exe
C:\Windows\System\lwSdIgP.exe
C:\Windows\System\BablODT.exe
C:\Windows\System\BablODT.exe
C:\Windows\System\jGqxrGH.exe
C:\Windows\System\jGqxrGH.exe
C:\Windows\System\aYHxkeS.exe
C:\Windows\System\aYHxkeS.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp |
Files
\Windows\system\jGqxrGH.exe
| MD5 | ef79bf7b257a62a43c24fa346e4e82c4 |
| SHA1 | 192acee4093f206c14edcdcbee32672bc1c31619 |
| SHA256 | 390c27a618435f2746929b66ebe61f60f72f2b46e8513a90729ac245711e8940 |
| SHA512 | f0cea7d3a1985d31b62aafabd0c9833799c5c671093856adab68067f53aed0adef6f1fee7ae8e02d65ab4d34c63a074625c1b2da9584be6b3d599106371d493a |
C:\Windows\system\ZfAwMLF.exe
| MD5 | 09c2a25b9a2437d95bc4c98565ad0db7 |
| SHA1 | 5de02f27e29d0cb41a26afbe3b43954860f7db42 |
| SHA256 | cb6d317e1d2de35ae83348e61c764ff9871cbe2d19a4879bee76bb1a70ba85e4 |
| SHA512 | ae2ec3bb8c74e2283adeaf86dd87c839d697577122312474c65643771c739a5310a52fee7358d2c86bfd724f08570b5d42f321802609774e5849f9936fea2e4d |
memory/2976-93-0x000000013F020000-0x000000013F374000-memory.dmp
\Windows\system\lwSdIgP.exe
| MD5 | 32355a823180f66ff211b999e4a039f1 |
| SHA1 | 98c40b186eea5b27d340c0b6a967a94bdd34ae43 |
| SHA256 | 36bbceed0242c08244b61967a6ad0a8a6e77baaf29a8a1e710ec591bb45cb096 |
| SHA512 | b47fcc984b8195f3ebd3efb55d005e30d252a2f71ab4f8e8ab857a8b8df1d81a426a34479896b3e23c6a382e4c0dec853d99ce2088185d8581972566802ea9e8 |
\Windows\system\CJkVAPD.exe
| MD5 | 6a62936acea650e7169076de1cf80cbd |
| SHA1 | 1c924b385882cb9e31d087a6f5572f115fd249b0 |
| SHA256 | f799bb8d04039e7a15e00aab08992902b58be78be870a3aa6fbed82aa9b6f489 |
| SHA512 | d0d413a963a5cf8623155c678f2318f5156069e1237db5fa9caae19af26ad50ddd7978e0a3f4b8a78eff427067920a93674878cfe37f87132f4f59ead715f88c |
\Windows\system\YFzadpM.exe
| MD5 | 6857ab67ad3c368ba43575cdc4a2761e |
| SHA1 | 5f412beea5aca8c730cfce572114baf1e577a487 |
| SHA256 | fdd61599446bb0925a83b658a0fc604ad603ddb268ca8a668f3675620050dd3f |
| SHA512 | 67c925261178b58aaaef03d37dc9f7eec1a686837556750e259106f1788cb738310eb10b4f1671b421963082b217e919bf0e39670361c42beb65bdfed33037b4 |
memory/1540-64-0x000000013F430000-0x000000013F784000-memory.dmp
\Windows\system\GiiTHQP.exe
| MD5 | 8b8109ca8a49d8b4eda6d04ccfa78eec |
| SHA1 | 6dd4aa6650be416d708c201544af9969ffa049e0 |
| SHA256 | 3bcf22bc7690af05b4460c9cad7daaa1a4ace193633395f2b65a8752ec621321 |
| SHA512 | 7d6ac5c125c8287080d563d20e5e056589f7a0f7e2859a28e30f98c33f2122395477b12a58b317f788a5012ffe237a004c60d3525ee316a682f926fbd06f2fdb |
\Windows\system\zwFSPsT.exe
| MD5 | d5536e736cf5d2b9896ca282dda39a55 |
| SHA1 | a4ac80f88881a8c6371eb74871549a62dd2536d1 |
| SHA256 | 537aa0877cd705af723c8b4e05937be2f75aa343ca354da2825321ccf8cd82a1 |
| SHA512 | f93e72b0559f813958c5d04d81fbfb5dc09676eae792495c3ec91f035498642cddcb8d96e357c73fece658ff2b3eb8d4056b4c67974a61dab0de5f37e5e43f1c |
\Windows\system\njzUhgf.exe
| MD5 | d423e2ff19f1df529bc515ff9475dd33 |
| SHA1 | 8719ccd1310eaf8a82360d2f80c1cbdbb7d9ab3e |
| SHA256 | ce1ee91de2aed615678879b1fdb159d7135dc9ac6bb3e45591eae9a374768b6b |
| SHA512 | 207112374e6274f85e2164eb15a787b05040d772fae72ed3185f87a1a897edb7add46c11d76171aec99f6988ed9d06a7c73ba01d43753375eda4ed5c8117c27a |
memory/1540-37-0x0000000002470000-0x00000000027C4000-memory.dmp
memory/1540-115-0x0000000002470000-0x00000000027C4000-memory.dmp
memory/1540-114-0x0000000002470000-0x00000000027C4000-memory.dmp
memory/776-113-0x000000013FFD0000-0x0000000140324000-memory.dmp
memory/380-112-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/1540-111-0x0000000002470000-0x00000000027C4000-memory.dmp
memory/2736-110-0x000000013F420000-0x000000013F774000-memory.dmp
memory/2884-109-0x000000013F430000-0x000000013F784000-memory.dmp
memory/1540-123-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/2144-124-0x000000013FFD0000-0x0000000140324000-memory.dmp
memory/1540-108-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/1540-107-0x000000013FFD0000-0x0000000140324000-memory.dmp
C:\Windows\system\aYHxkeS.exe
| MD5 | 6327ef4c0d2dc59de30ff7f40ea1c339 |
| SHA1 | 855c22040fdf5e8bce1ef44da743cf266546d617 |
| SHA256 | e5c52bef88e2f3f8aaf591b75d62886a3ddc01d19b9cf0ac7a06942b28b0165f |
| SHA512 | 55d2ff0c99cf2f0065933f78e65aa0170b45e1b5b3a4b23c89e6a6f1225b7caeddaf6d2acdb1f555ccf575ed004b91ff6ac587bdfe82a61f403bb09d7e482358 |
C:\Windows\system\BablODT.exe
| MD5 | d1aaa0c79a30b80a3d4bf0328be5f5f5 |
| SHA1 | b4bb03506e5f32ca64444d70b90f848c054a19ad |
| SHA256 | 8b5a747943517dd13d2fcce59ed2e560da2f592ad1014c224b05c94d23bb4e2e |
| SHA512 | cb8d262f32cae55f8cf7555964230b485421bfec952de1cf2bac604ee485a0e9a04d92550419954f26957b1f1df373f6a47c79db046cbb072757a584ea9c85fa |
memory/1540-91-0x0000000002470000-0x00000000027C4000-memory.dmp
memory/2436-83-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/1540-82-0x000000013F020000-0x000000013F374000-memory.dmp
C:\Windows\system\xchlKMy.exe
| MD5 | a74177d7a6b766104d26b5095ceb1e2d |
| SHA1 | c92c45f5af72d7aee4ee37a482cca17adaba9097 |
| SHA256 | 3dd6d6f2d67da9f56ed0978600d2c3e77a4bcd0854f0ea1a771f93e82b3fab60 |
| SHA512 | e1fd8387daaf868593fa4e61ad72d51a9f5aa4e9c62f9cd7c9f92863dbdaf648b2e09e79a62eefc2202a1d5572a89e572e9a74fcfe1b59957e121753513f4d9d |
memory/1540-80-0x000000013F440000-0x000000013F794000-memory.dmp
C:\Windows\system\FpgJmRF.exe
| MD5 | 906f2931cdae358dd16c029d51af5301 |
| SHA1 | 3c96cdcfb145c32480a179cff33402e1af85f39c |
| SHA256 | 21815fe0c870bc877ee3ebb9d23bcd7410d67d8b70fd7d6e8e167e6ae686fd53 |
| SHA512 | dc2bfed1acf2f6f1223ba60399af3d367dea36b799d8192881e846f8a1388fbe101130b1fcc39706818f49badbdd36f63dcad209c573c617b8d3791357d20734 |
memory/1540-69-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/1540-68-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
C:\Windows\system\ygjdSsP.exe
| MD5 | 52165105d0ae7f24fd26cf19579fe45a |
| SHA1 | 74bbd9f058c3170333c1732a6b422c8f7eed235d |
| SHA256 | d9ee68e534bfcc5eed2ab183e81ad496533c56d293764b5c2c4fe85179c31c68 |
| SHA512 | 1ae3b636b4c1c9ab244ed27e01b20d5fc26c5c5974cbc1383dbf5884ca5f7237cd72fbb8a9133f209ff96b72eaf335541e071a062c81e82eed76e0241feb5171 |
C:\Windows\system\KlcLayo.exe
| MD5 | 96e5a8b8c9ef24286a3c643fadf2c590 |
| SHA1 | 5b89bc725962f3ae9b007efe13a63f87de8bc864 |
| SHA256 | 2d4bd8cbb2128440ebe2c99e66d8062b2923a4f1eec58cc5dd3c1f69434efed5 |
| SHA512 | 69076d510d1549a0b6072f1ed039eb9d716345fe09eb0df50459c4cb7f572141a7fea5f87e63a7c5585ecdc4c64f503468b93f9bbabc62c2ac829ec5f2d0e09d |
C:\Windows\system\wTWhXOz.exe
| MD5 | 8b739e2230d7a0d68e1391767edd4304 |
| SHA1 | 4de1a46835d98878a02c350d86ce946a7d52353a |
| SHA256 | bfe2510fb7e037eea6d9fe33413d3e4f5ae5213eeb1ad4ab32ad87600bc6fb77 |
| SHA512 | 495fbdafc78c38b6ea948715aea9bd4b8039949fa6ce8b502e063c25b11df8e850cce13766151e238c0c855978977f638668ef16718ca9feb2996b729fdd7b18 |
memory/1540-43-0x000000013F420000-0x000000013F774000-memory.dmp
C:\Windows\system\KIbxNno.exe
| MD5 | 7e35ddf193759c1cffdb0030c5efa3d8 |
| SHA1 | c63e4f44e2743da11ea4e725254025cd4e38db6e |
| SHA256 | c046f0a10cd5048de6481bb3a6713dd6391aac8b904abc222cdfd16155b2e753 |
| SHA512 | 627fd56c8467aeb2d11206867d64c990eeb730961d01fa08de9bf2ee49d151c354e1130d7afd72c600b629db28df3eb93deb8fc0ab05115da95327134b213edb |
memory/2256-39-0x000000013FB70000-0x000000013FEC4000-memory.dmp
C:\Windows\system\NAtautY.exe
| MD5 | 5dc5aa41ae75458c4c15b741cb8cd0f8 |
| SHA1 | e98829d23eeeee5ddc6f0fefa0f4998c77d1c934 |
| SHA256 | 37fe13fdf3cbc59a010e37b702d28b0d05e00ea245befb28f105ce7be4aae163 |
| SHA512 | 52785e2cc12af5b548c4398e69105bda74ab26304ef39934deb2e2d2e6dc3d67a529900957702693a497974f59916a0ca246a06c36513d7c4a51677a112c720b |
memory/2560-27-0x000000013F620000-0x000000013F974000-memory.dmp
C:\Windows\system\kTyClEM.exe
| MD5 | 86d04f18b48f939f8ea68de9bc668784 |
| SHA1 | e0c1141a93a1b42db2154361d945c9b6c834c7b3 |
| SHA256 | 50d8b4d2276425a05cdd8d2b74358b056d13f4d9524092ed99905e309f88af51 |
| SHA512 | d73c220f7c38d44f58b1500f3c99fc7b16617d056a5b0f68d21eb8e07321496875fe9ae7f91e644898538212837d10e35516145cdfe740bda9db02769799608d |
memory/1540-25-0x0000000002470000-0x00000000027C4000-memory.dmp
memory/2592-24-0x000000013F870000-0x000000013FBC4000-memory.dmp
memory/2496-12-0x000000013FBC0000-0x000000013FF14000-memory.dmp
C:\Windows\system\xPXsIgR.exe
| MD5 | 9a8c09d68a3dbcce23c04b019e7017a2 |
| SHA1 | 077abc12c1d28de06c9ffdcc717779c76d2c89ae |
| SHA256 | 2c83d02736625ab18ba37a75432198d1211f379606882ff0f839aafe294b46b5 |
| SHA512 | 0e1e310269d42d43d97fdf6b7a9ef3be30531c07cd4f5d7f02cfad44dafd045bfc439c2dbfff90227d03e0a221e4a7090b2333839ad585edaf7e65d3d1409ba8 |
memory/1540-19-0x000000013FFD0000-0x0000000140324000-memory.dmp
C:\Windows\system\QrvlhJg.exe
| MD5 | 32e2c89ba8f4b8f2898a79673992abbb |
| SHA1 | 54b8633c727f2ba66da98cbc48a314334e9d5471 |
| SHA256 | cc852356529ce6f20d2d15a3491b93765e476be969f03b72faadcf4bf60b40e6 |
| SHA512 | 8d26ec1685660876c36f26db586101532fa3107f03c8ff196a1d37b9236199fb2a451187af1eec4643c54a60d3437ff6fe2b7a90d0ae96ced0ff66934b46e5c6 |
memory/2144-14-0x000000013FFD0000-0x0000000140324000-memory.dmp
C:\Windows\system\CtQqhNx.exe
| MD5 | 80438ebb1f2cff9e039879cd648ecd00 |
| SHA1 | 76e09945689149e1e2b310a92fea711fcfd241a3 |
| SHA256 | 34db7b039ca27957a8124560d7fc95c82994a1ad00c37e8341c5ef3c864f416c |
| SHA512 | 0aff155de276e08c9ce944fa10e2b8591e617f419773bce9f04d716b0a0d64804d3433631ecfedca12aefaccf59e2fc6dac73005a9ba99952c1de0707b8b7ace |
memory/1540-1-0x0000000000080000-0x0000000000090000-memory.dmp
memory/1540-0-0x000000013F880000-0x000000013FBD4000-memory.dmp
memory/1540-135-0x0000000002470000-0x00000000027C4000-memory.dmp
memory/2560-136-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2496-137-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2144-138-0x000000013FFD0000-0x0000000140324000-memory.dmp
memory/2592-139-0x000000013F870000-0x000000013FBC4000-memory.dmp
memory/2560-140-0x000000013F620000-0x000000013F974000-memory.dmp
memory/2256-141-0x000000013FB70000-0x000000013FEC4000-memory.dmp
memory/2884-143-0x000000013F430000-0x000000013F784000-memory.dmp
memory/2736-142-0x000000013F420000-0x000000013F774000-memory.dmp
memory/2436-144-0x000000013F2A0000-0x000000013F5F4000-memory.dmp
memory/380-146-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2976-145-0x000000013F020000-0x000000013F374000-memory.dmp
memory/776-147-0x000000013FFD0000-0x0000000140324000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 11:44
Reported
2024-06-09 11:47
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\vgcXwMM.exe | N/A |
| N/A | N/A | C:\Windows\System\QxksDWn.exe | N/A |
| N/A | N/A | C:\Windows\System\yIkbHoa.exe | N/A |
| N/A | N/A | C:\Windows\System\jMihvBh.exe | N/A |
| N/A | N/A | C:\Windows\System\hqzkEma.exe | N/A |
| N/A | N/A | C:\Windows\System\jsNFnHb.exe | N/A |
| N/A | N/A | C:\Windows\System\zuhdcQe.exe | N/A |
| N/A | N/A | C:\Windows\System\GQkgOGk.exe | N/A |
| N/A | N/A | C:\Windows\System\CUUdfUg.exe | N/A |
| N/A | N/A | C:\Windows\System\TnWtFkV.exe | N/A |
| N/A | N/A | C:\Windows\System\xIXokKZ.exe | N/A |
| N/A | N/A | C:\Windows\System\OhrunHy.exe | N/A |
| N/A | N/A | C:\Windows\System\sZAmyGa.exe | N/A |
| N/A | N/A | C:\Windows\System\UugRRfc.exe | N/A |
| N/A | N/A | C:\Windows\System\HXUyLrm.exe | N/A |
| N/A | N/A | C:\Windows\System\kFHFdEy.exe | N/A |
| N/A | N/A | C:\Windows\System\rdgWNMn.exe | N/A |
| N/A | N/A | C:\Windows\System\qDJWkqv.exe | N/A |
| N/A | N/A | C:\Windows\System\fTaMZSd.exe | N/A |
| N/A | N/A | C:\Windows\System\FdapGFF.exe | N/A |
| N/A | N/A | C:\Windows\System\ElsDdQc.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_ce7cd839ffcff9ee6b217ff850fda4d9_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_ce7cd839ffcff9ee6b217ff850fda4d9_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-09_ce7cd839ffcff9ee6b217ff850fda4d9_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_ce7cd839ffcff9ee6b217ff850fda4d9_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\vgcXwMM.exe
C:\Windows\System\vgcXwMM.exe
C:\Windows\System\QxksDWn.exe
C:\Windows\System\QxksDWn.exe
C:\Windows\System\yIkbHoa.exe
C:\Windows\System\yIkbHoa.exe
C:\Windows\System\jMihvBh.exe
C:\Windows\System\jMihvBh.exe
C:\Windows\System\hqzkEma.exe
C:\Windows\System\hqzkEma.exe
C:\Windows\System\jsNFnHb.exe
C:\Windows\System\jsNFnHb.exe
C:\Windows\System\zuhdcQe.exe
C:\Windows\System\zuhdcQe.exe
C:\Windows\System\CUUdfUg.exe
C:\Windows\System\CUUdfUg.exe
C:\Windows\System\GQkgOGk.exe
C:\Windows\System\GQkgOGk.exe
C:\Windows\System\TnWtFkV.exe
C:\Windows\System\TnWtFkV.exe
C:\Windows\System\xIXokKZ.exe
C:\Windows\System\xIXokKZ.exe
C:\Windows\System\OhrunHy.exe
C:\Windows\System\OhrunHy.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3452,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4404 /prefetch:8
C:\Windows\System\sZAmyGa.exe
C:\Windows\System\sZAmyGa.exe
C:\Windows\System\UugRRfc.exe
C:\Windows\System\UugRRfc.exe
C:\Windows\System\HXUyLrm.exe
C:\Windows\System\HXUyLrm.exe
C:\Windows\System\kFHFdEy.exe
C:\Windows\System\kFHFdEy.exe
C:\Windows\System\rdgWNMn.exe
C:\Windows\System\rdgWNMn.exe
C:\Windows\System\qDJWkqv.exe
C:\Windows\System\qDJWkqv.exe
C:\Windows\System\fTaMZSd.exe
C:\Windows\System\fTaMZSd.exe
C:\Windows\System\FdapGFF.exe
C:\Windows\System\FdapGFF.exe
C:\Windows\System\ElsDdQc.exe
C:\Windows\System\ElsDdQc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp |
Files
memory/3592-0-0x00007FF7B3150000-0x00007FF7B34A4000-memory.dmp
memory/3592-1-0x00000237799F0000-0x0000023779A00000-memory.dmp
C:\Windows\System\vgcXwMM.exe
| MD5 | ed2ed169b9b0dccf6c048ad509651d2b |
| SHA1 | f3487c028ecdcd2111525572a3a0b7e1344faea5 |
| SHA256 | 3175fa30ee84ef60c612274fb09c8d68bbcced8ccade915cfda4c4ab7b718c3f |
| SHA512 | 3fcb20bf24ee6c29ce3a3b48e350a1ecd790f3ef1eb19e53ab4d9e6463fb7bd1be2a6f2a985dc3ddfadfaae4a5adb147f69ec3899448104d08dd0e07618952d3 |
memory/2924-6-0x00007FF6C9EA0000-0x00007FF6CA1F4000-memory.dmp
C:\Windows\System\QxksDWn.exe
| MD5 | a12c1a0ff361b489a43b48b1740d948b |
| SHA1 | 625b13dac0425d26691dd4cf3d273908860a820a |
| SHA256 | 5dccc895102ba58192b33139a9941177a7f5b593bcce41fdc431aff23fa782b7 |
| SHA512 | 2271961c366447d2edab2481bb91754fb0c957af3f17f8f1e1267a4051f107412ffe482a81c4a1a47fd046f899571e8846d8411d2e4a2bc35cad3ec4c625dcdb |
C:\Windows\System\yIkbHoa.exe
| MD5 | eb6399e0fd2757f6e5e1c0a0d9c2dae2 |
| SHA1 | 58f1cf619d2596e5665b7a927e51074b26581f90 |
| SHA256 | 21063b829a0f3e79306f6a21458614e11089384cf6d56cb99deeb1f0a9f5deb2 |
| SHA512 | bc5738ea2ccb40ce46833327bf08b7c44b22521943b1f95f8447da5812c70529c04b66af6348c8183fca46d9ede740418513b5f616e3fc7e198a65336ba1557f |
memory/2564-14-0x00007FF617D50000-0x00007FF6180A4000-memory.dmp
C:\Windows\System\jMihvBh.exe
| MD5 | ad655481219fb42420a16288cb086e42 |
| SHA1 | 2bc150c91233b64fb8ad0eb2b287807892cbe2ca |
| SHA256 | 22199b37fc7c387929cf3fddfc1284f90fc53ba4a6132dbc647610cd6531db63 |
| SHA512 | 7c77f1cf99ab28bec785da056a2305814fcd38c4e3e5575316f2cea824b711460ff989f474cd5dcda7c871bf173efe287a9fd308890d9cedddf898a0d74f37a6 |
memory/4156-25-0x00007FF6D0C10000-0x00007FF6D0F64000-memory.dmp
memory/4192-20-0x00007FF618E90000-0x00007FF6191E4000-memory.dmp
C:\Windows\System\hqzkEma.exe
| MD5 | 515c7131833c3c33c515a017aa96eabb |
| SHA1 | 6d82cbb0041d929c88585471c9a6c921bcacbf88 |
| SHA256 | 308f4925ebdce23bbb2b5191e3b9feb3312b7062426f70ff5d72b788ebbb20ef |
| SHA512 | 258ec00d45ca87179649fc212ef44f9accbc7be0f8a5944b265c1d984bd81a183b5080f7766b16b5b25a261763ead02debe91b2673b55e866506c96f9ab7f18d |
C:\Windows\System\jsNFnHb.exe
| MD5 | 574c0d3e6a244fb5d2079945dd7b4d1f |
| SHA1 | cbb94b6b3fb29f16b91b428acefd5a9706505420 |
| SHA256 | 2ba28f89f507c93c6659bbeee2a926e2a5dc8d44fdec5058203d0bba0d15754d |
| SHA512 | 08916029c5bb276d79eb5b16d805a7e925228f44603f7e86d2ba3b654d92e81382ed0449055669178add08d34b1e634ee0074eb2f9762bb52eb4c1930926f6db |
C:\Windows\System\zuhdcQe.exe
| MD5 | bc2550dd899c7fb30dd5437e1e9c0595 |
| SHA1 | 3d8e689d69a376583af7b6639a16a9e8f6bae22a |
| SHA256 | c92428cbb9ed325e2d1ae05592f80170b58ef0cc69cc12f86576f356b2c03b92 |
| SHA512 | 9ff8fdc0803943ddabb0621f8232170b172dc81966066725fb825c9c8df173f2137e0a6bd6d2a7053e0a1a775f782a8af7020547db6fbfc6b532e455f7296780 |
C:\Windows\System\CUUdfUg.exe
| MD5 | 3201d8300fa69ccc9c9ea7d2021fb027 |
| SHA1 | 0cf629317ae43e4826cd018ca1ed7b832c13135a |
| SHA256 | 923af6eb0ec67687d508030648cf2f7c1a6e4226cbfce806c9596b4c24c95e59 |
| SHA512 | 1b97bbfea1ecb01bb6365463226fdef43c56894769baf6ee6b33321f1b623939fd395dd4033252371bb4dddb9607bb13e066ceb753b235c7b6603327261d4ce7 |
C:\Windows\System\GQkgOGk.exe
| MD5 | 7bb8c6de257816d9b9205f153f7ad0ed |
| SHA1 | ee9cd0dc1757f8514023881b0f781d671796af43 |
| SHA256 | 1266c1421263e371bd339ea0f6ada48ad6fec0ef9d39c9fdba5f5ffc9299b16b |
| SHA512 | aca657d44c9231543da5c625f9de33809c811393b5f0ed58afd02821328df29bad630f6daffe0bbb6074393522f41dd9b9781c8112ddc4f74a7cd8f3810105d3 |
memory/4416-55-0x00007FF6E9780000-0x00007FF6E9AD4000-memory.dmp
C:\Windows\System\TnWtFkV.exe
| MD5 | 166a1796b54f4c550134b975699bceb5 |
| SHA1 | 6339b7f81fdaea40882b47feae0f3cdb23c2a4d4 |
| SHA256 | 90696a484beb7c6801f36c30fcd9c5d2447be47da71a75b679ecad8fecdd6dc4 |
| SHA512 | 8ebeb4a634b8ac408d82af5d20b8ecf0de878111c7b7ca481a5f07e3951e9ad39e451a2e2b561420f48ac864c531276b25e2c1c691f57dc8e627dc4a42c657e8 |
memory/3692-63-0x00007FF79CDD0000-0x00007FF79D124000-memory.dmp
memory/3592-66-0x00007FF7B3150000-0x00007FF7B34A4000-memory.dmp
memory/3760-69-0x00007FF6065A0000-0x00007FF6068F4000-memory.dmp
C:\Windows\System\OhrunHy.exe
| MD5 | a7dad024903f036f931f311c35fd82ca |
| SHA1 | a181ff7de9780db2dcb22e207935fda36fc86c66 |
| SHA256 | 11c1aeaa9e9192df4ba04cdccaa1bcdb2eac655be6d329f76ad106263a4c47f2 |
| SHA512 | 7f9d744608347fe6aa93e524fa8ec64b8584c89138183391b962792339090ff1e9f43d951007361b2b6d23a3d5c867537def6a1de1debca4eacd49116b2f2727 |
memory/3972-74-0x00007FF7C8E20000-0x00007FF7C9174000-memory.dmp
memory/2924-73-0x00007FF6C9EA0000-0x00007FF6CA1F4000-memory.dmp
C:\Windows\System\xIXokKZ.exe
| MD5 | 482aa33d69ba29dd251c24cb1b7c3659 |
| SHA1 | 1a3728fb490c4f508d2ce48c542da68ba6b5556e |
| SHA256 | 2e900822f4a41ee41ccbaaab64a0edf7762a94b70a9cbc52d4e493f046647459 |
| SHA512 | 6504b04aa1f298b16659e125828a21e5b6c12d070b7863b8fe88fbadf225ef7275a184274e67b0f8798f42817d4b15759e487cbf41739a8756a67eaa7c4bab8a |
memory/4372-56-0x00007FF71B620000-0x00007FF71B974000-memory.dmp
memory/4752-44-0x00007FF7C3390000-0x00007FF7C36E4000-memory.dmp
memory/2840-37-0x00007FF6CB440000-0x00007FF6CB794000-memory.dmp
memory/1892-31-0x00007FF7C81C0000-0x00007FF7C8514000-memory.dmp
C:\Windows\System\sZAmyGa.exe
| MD5 | f7a1bec47c6e53b60bcb416a27fd8bbb |
| SHA1 | 3714e399622deffaf162a7bac86362eab41916b6 |
| SHA256 | 36b05497e58022e829b8215525c5192199d51865bf2e9596e62fe7d0e945dbc0 |
| SHA512 | 007ec3fa95c05c4475dc41b6ee66a7f5f0bbfabadd831c2a201159a87a5c45157b048baf3bae0a26f7316946408f3e330ce899d6aba6777541046665c96d72d2 |
memory/4836-84-0x00007FF6F68A0000-0x00007FF6F6BF4000-memory.dmp
C:\Windows\System\UugRRfc.exe
| MD5 | 0ab46096c933b06967bc67b2407a8e65 |
| SHA1 | e84c39197dcdfcd861638613e3716c617687d5d6 |
| SHA256 | 2361bd29b4ffff555c9ee7946d61c069c0422cee95c52d9ba12a0747326a09af |
| SHA512 | 3cd90ea9ba7e0efcdaa5d71c2d4b69becf8937645e53b99043df2bce4094e3aae7281e32b681877d10798abc23f31e7997653be23d7b50584036d11ab622bb78 |
memory/2628-88-0x00007FF7800F0000-0x00007FF780444000-memory.dmp
memory/4156-92-0x00007FF6D0C10000-0x00007FF6D0F64000-memory.dmp
C:\Windows\System\HXUyLrm.exe
| MD5 | 7be75634e4018bbe1aa7707c0f070153 |
| SHA1 | 69d572475b620647752cea380080efafc6363c87 |
| SHA256 | da2ffec989b91e3e0ac776796a17569d2821f83516e4f47d04d309d0c5482744 |
| SHA512 | 0f95fb49f1b3a61b1f2936ad14fb1ccbcb74fb8ac1603f425f6d0faccc3e3f1e170e3f4747f43cc215c5fdec7c6821d34790f4699a5b62fd4345c7fc6ecee7d5 |
memory/2692-95-0x00007FF7768B0000-0x00007FF776C04000-memory.dmp
C:\Windows\System\kFHFdEy.exe
| MD5 | 21d85fd4e9bbb9ae619d9cdedb2e5605 |
| SHA1 | 049846234e336b9d4cbf8bc05148d3e2d3ce8e76 |
| SHA256 | 040f8a1b5a460acf6d4743f80d6fe1c43e4474228a2b34c90440170978674a16 |
| SHA512 | 6d95bf9c9b0ee604d390ea1d959e1bd1d64af61cab045bed6992fd7fbc4142f1819065cc7597e33dc591145942d9f7bedf8c0a1f7ac5a17226cce5435fb05c6b |
memory/1268-103-0x00007FF713AB0000-0x00007FF713E04000-memory.dmp
memory/2840-102-0x00007FF6CB440000-0x00007FF6CB794000-memory.dmp
memory/1892-101-0x00007FF7C81C0000-0x00007FF7C8514000-memory.dmp
C:\Windows\System\rdgWNMn.exe
| MD5 | 94b891c377d964e117cc4afcad561533 |
| SHA1 | a2d8658b336b42791bb3e48c3783f8acb2fe9b61 |
| SHA256 | da188863977ac327cf37af4710785fb84cb6787159e2c744b46441c374bda67f |
| SHA512 | 23c88131875045e66ec3d3f3f601efaafadc9a95c953610eed8080c5bc8e5d6626e514b50272711ff7406a6677a5355dd82b74fc20261fa6e86b42e5f510d26b |
memory/4560-107-0x00007FF781910000-0x00007FF781C64000-memory.dmp
C:\Windows\System\qDJWkqv.exe
| MD5 | a7f3b5fa483c9cc39efeea05f194c9b4 |
| SHA1 | 86ceb8fb0e1033d6ad91c9737c1de1df6d9cf31a |
| SHA256 | e9098c929a21ca9d6802359a3509763dc42fb4804bd7234e20f9a482b1bc179e |
| SHA512 | 72b34d437d590c08839d24812344fa0533909e9fcb61eaba4272faebed85dac59a2d76e3182dc7571c30c526895f8efdf9a8a9635b65f8101a552bfbf06313f6 |
memory/3860-116-0x00007FF7C9D50000-0x00007FF7CA0A4000-memory.dmp
memory/4752-115-0x00007FF7C3390000-0x00007FF7C36E4000-memory.dmp
C:\Windows\System\fTaMZSd.exe
| MD5 | f65e11e45a1d46881fc6ded1f727c361 |
| SHA1 | 01131e73e6f5b39350f844e66344f0bb6fd2ea3b |
| SHA256 | e3e70f73e60fe1052d74115a54ce8e2d0f84ee997fb97ef874860305caee9002 |
| SHA512 | f2d8e1d0ddedc5887b2934f2a7848caeaa9ea6ea2a9becd1db84f2256ccf3ff3e741d389ae83450f5d2491fc3c812edd6dff2055a4141ad6f6afc19d5b87077b |
C:\Windows\System\FdapGFF.exe
| MD5 | b91a1b32bc3221ab6761e85a5344ab44 |
| SHA1 | 122be09778d24a3093b381a8534cbdba43a79a67 |
| SHA256 | 9766b6317f52a79be5299d6621b0dfd6addcbe16909cc02bced7d4fbc56b5041 |
| SHA512 | 428096b75babef109aed9ab652b25c9c8fa2b28c3f7c42edd2b8964d227dbb5cd1a80d36cfd02aa9a73b5badcb1392507806a228f8c3f543e05b739777d3cd15 |
memory/2368-124-0x00007FF7B0270000-0x00007FF7B05C4000-memory.dmp
memory/4344-129-0x00007FF7724D0000-0x00007FF772824000-memory.dmp
memory/3760-133-0x00007FF6065A0000-0x00007FF6068F4000-memory.dmp
C:\Windows\System\ElsDdQc.exe
| MD5 | ddc4a45ad9ec13a2185d2251fc64b9f9 |
| SHA1 | 6dc6e43bbeb9d4afb1b7e8bd627952bea54178f7 |
| SHA256 | a6bf396e16c060f2ffa7c42285a5c532b91c9f2bae08c5a197c9d33720553ebc |
| SHA512 | ea402f3b38f239cfc3f761bb6648a173729612046525f95d5f5b087f75d8689b1e2be1f7531b45b5eaa94113a6b0634f323d64cb05a1f1968820e8c70a08e4ba |
memory/228-134-0x00007FF65C540000-0x00007FF65C894000-memory.dmp
memory/3972-135-0x00007FF7C8E20000-0x00007FF7C9174000-memory.dmp
memory/4836-136-0x00007FF6F68A0000-0x00007FF6F6BF4000-memory.dmp
memory/2692-137-0x00007FF7768B0000-0x00007FF776C04000-memory.dmp
memory/4560-138-0x00007FF781910000-0x00007FF781C64000-memory.dmp
memory/2924-139-0x00007FF6C9EA0000-0x00007FF6CA1F4000-memory.dmp
memory/2564-140-0x00007FF617D50000-0x00007FF6180A4000-memory.dmp
memory/4192-141-0x00007FF618E90000-0x00007FF6191E4000-memory.dmp
memory/4156-142-0x00007FF6D0C10000-0x00007FF6D0F64000-memory.dmp
memory/1892-143-0x00007FF7C81C0000-0x00007FF7C8514000-memory.dmp
memory/2840-144-0x00007FF6CB440000-0x00007FF6CB794000-memory.dmp
memory/4416-146-0x00007FF6E9780000-0x00007FF6E9AD4000-memory.dmp
memory/4752-145-0x00007FF7C3390000-0x00007FF7C36E4000-memory.dmp
memory/4372-147-0x00007FF71B620000-0x00007FF71B974000-memory.dmp
memory/3692-149-0x00007FF79CDD0000-0x00007FF79D124000-memory.dmp
memory/3760-148-0x00007FF6065A0000-0x00007FF6068F4000-memory.dmp
memory/3972-150-0x00007FF7C8E20000-0x00007FF7C9174000-memory.dmp
memory/4836-151-0x00007FF6F68A0000-0x00007FF6F6BF4000-memory.dmp
memory/2628-152-0x00007FF7800F0000-0x00007FF780444000-memory.dmp
memory/1268-153-0x00007FF713AB0000-0x00007FF713E04000-memory.dmp
memory/2692-154-0x00007FF7768B0000-0x00007FF776C04000-memory.dmp
memory/4560-155-0x00007FF781910000-0x00007FF781C64000-memory.dmp
memory/3860-156-0x00007FF7C9D50000-0x00007FF7CA0A4000-memory.dmp
memory/2368-157-0x00007FF7B0270000-0x00007FF7B05C4000-memory.dmp
memory/4344-158-0x00007FF7724D0000-0x00007FF772824000-memory.dmp
memory/228-159-0x00007FF65C540000-0x00007FF65C894000-memory.dmp