Analysis Overview
SHA256
41c13b1f50c3f339f302ebe3d44ec01dde56b4ce95730f1b6992aa25e616ca40
Threat Level: Known bad
The file 2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Cobalt Strike reflective loader
Xmrig family
xmrig
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobaltstrike family
Cobaltstrike
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-09 15:52
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 15:52
Reported
2024-06-09 15:55
Platform
win7-20240508-en
Max time kernel
137s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System\yCDeRtO.exe | N/A |
| N/A | N/A | C:\Windows\System\xpgTDll.exe | N/A |
| N/A | N/A | C:\Windows\System\qRHbzHl.exe | N/A |
| N/A | N/A | C:\Windows\System\mCpuqNl.exe | N/A |
| N/A | N/A | C:\Windows\System\eGTLXts.exe | N/A |
| N/A | N/A | C:\Windows\System\OPGGvqH.exe | N/A |
| N/A | N/A | C:\Windows\System\gprOgTA.exe | N/A |
| N/A | N/A | C:\Windows\System\oCcQSJL.exe | N/A |
| N/A | N/A | C:\Windows\System\ulxezRu.exe | N/A |
| N/A | N/A | C:\Windows\System\qouaAeE.exe | N/A |
| N/A | N/A | C:\Windows\System\IYydmjq.exe | N/A |
| N/A | N/A | C:\Windows\System\QiILWhM.exe | N/A |
| N/A | N/A | C:\Windows\System\TSeAxSb.exe | N/A |
| N/A | N/A | C:\Windows\System\iTJKLjH.exe | N/A |
| N/A | N/A | C:\Windows\System\EneNKbd.exe | N/A |
| N/A | N/A | C:\Windows\System\sUfzTZf.exe | N/A |
| N/A | N/A | C:\Windows\System\dORBaEY.exe | N/A |
| N/A | N/A | C:\Windows\System\dLsfdKO.exe | N/A |
| N/A | N/A | C:\Windows\System\TdjuLCy.exe | N/A |
| N/A | N/A | C:\Windows\System\YraLmst.exe | N/A |
| N/A | N/A | C:\Windows\System\hLkcpiM.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\yCDeRtO.exe
C:\Windows\System\yCDeRtO.exe
C:\Windows\System\xpgTDll.exe
C:\Windows\System\xpgTDll.exe
C:\Windows\System\qRHbzHl.exe
C:\Windows\System\qRHbzHl.exe
C:\Windows\System\mCpuqNl.exe
C:\Windows\System\mCpuqNl.exe
C:\Windows\System\eGTLXts.exe
C:\Windows\System\eGTLXts.exe
C:\Windows\System\OPGGvqH.exe
C:\Windows\System\OPGGvqH.exe
C:\Windows\System\gprOgTA.exe
C:\Windows\System\gprOgTA.exe
C:\Windows\System\oCcQSJL.exe
C:\Windows\System\oCcQSJL.exe
C:\Windows\System\ulxezRu.exe
C:\Windows\System\ulxezRu.exe
C:\Windows\System\qouaAeE.exe
C:\Windows\System\qouaAeE.exe
C:\Windows\System\IYydmjq.exe
C:\Windows\System\IYydmjq.exe
C:\Windows\System\QiILWhM.exe
C:\Windows\System\QiILWhM.exe
C:\Windows\System\TSeAxSb.exe
C:\Windows\System\TSeAxSb.exe
C:\Windows\System\iTJKLjH.exe
C:\Windows\System\iTJKLjH.exe
C:\Windows\System\sUfzTZf.exe
C:\Windows\System\sUfzTZf.exe
C:\Windows\System\EneNKbd.exe
C:\Windows\System\EneNKbd.exe
C:\Windows\System\dORBaEY.exe
C:\Windows\System\dORBaEY.exe
C:\Windows\System\dLsfdKO.exe
C:\Windows\System\dLsfdKO.exe
C:\Windows\System\TdjuLCy.exe
C:\Windows\System\TdjuLCy.exe
C:\Windows\System\YraLmst.exe
C:\Windows\System\YraLmst.exe
C:\Windows\System\hLkcpiM.exe
C:\Windows\System\hLkcpiM.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1688-0-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/1688-1-0x00000000000F0000-0x0000000000100000-memory.dmp
C:\Windows\system\yCDeRtO.exe
| MD5 | f05c3e3579eaefab1efeedc9b56e08cc |
| SHA1 | 9722c2551205a9040e752215c8c4f4b35a67a652 |
| SHA256 | 48a310b91492729e1aa25bb78da6e81147c1ca2dec22949f76ede2bfea3e02a1 |
| SHA512 | 181f7d4f81d4beac3834111291a4c4eacbf7df83655424f5b83866e2a825f34f3f03556293148468361016c3d495d755f1a319c2aecc98f29ad03ea1d50644ff |
C:\Windows\system\qRHbzHl.exe
| MD5 | f0a4c6e3d02d05c4f764a78fbd82aa9b |
| SHA1 | 92adf3865d6b86116a1ebb8b8327931e4c5b33b4 |
| SHA256 | b1f59402f49f3ba7daa448d327f48990d43e66460e331479b9c2c264a09e0190 |
| SHA512 | 6eac23032800098027cd23cabe8ca0f30cb9949a94bba43abc6859d95f91199d701752742cf8ceabd7967329d9d34d15738d8754e16325f211a421dbb69726dc |
memory/2616-21-0x000000013FBD0000-0x000000013FF24000-memory.dmp
\Windows\system\eGTLXts.exe
| MD5 | 53fb838e431b817a5ac918f6c8fb3632 |
| SHA1 | 9700d777726e234cd3641aecf51f373c10b1e3e9 |
| SHA256 | a2fe99a4b2b27eaa629e57402cf56262ba0a4ceee3de502b5a144de4ee4f898d |
| SHA512 | bfbbfb8315871dd23e3c96487e87bf5216fe1a6813938ab38bfc3129ddb50ec932a8c5e8754152fb9f969d3af01c53781684e041f063bfc268431f52a30f70b9 |
memory/1688-26-0x000000013FBD0000-0x000000013FF24000-memory.dmp
C:\Windows\system\mCpuqNl.exe
| MD5 | b8cb0f6fdd4385e04865b122d56b8847 |
| SHA1 | cf4b5f3f2ac56dfd8083cebd6d7502e88907f03a |
| SHA256 | 022e7579b63e40c7fb997d4d2f1e95cd724a568163dbc1fc615377c18225afdb |
| SHA512 | d16a6d3333548fee61e1b454abcd9fdf873298caee0552b4e6ced10c10e083b9ccad04bb5a12bdc7150ebf0e2426a20439722048e73de74fdf5a3a9e07c930dc |
\Windows\system\mCpuqNl.exe
| MD5 | 007fbbe519b8a25a7d9c8d86f81af200 |
| SHA1 | 8caca67be52577a657bbe9605f093b41b609d78f |
| SHA256 | 21af0194a7fa89968abeb429bac5fe8152a1f0a83cfb9f2f7580d122e4fd4c8c |
| SHA512 | 136201c3a5243b8bfcf80147a2d03a74b0b99a35be184a1835b47808dd31503e129c3d4fbfb7e72d99422c12965af7e18c25d3d07c113b12434d0d8d6e181e57 |
memory/1688-22-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/1872-20-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/2028-18-0x000000013F320000-0x000000013F674000-memory.dmp
memory/1688-12-0x0000000002330000-0x0000000002684000-memory.dmp
memory/2668-33-0x000000013F740000-0x000000013FA94000-memory.dmp
C:\Windows\system\OPGGvqH.exe
| MD5 | 41f546b7f0e3fdac4d9524b9a81587fe |
| SHA1 | 02c93d56fb62f53204631b89eddbc2493cb4e37d |
| SHA256 | 0777c0e4a780b2cf2a026c2e10e682bac19682a068b7886642811bb734b3980c |
| SHA512 | 9062de0244ebc5d7923ad9d7db7de51bb0597fa83a3b3f6e00859c31edb9e8dfe0a005fbd787120283f9b2aeca632e5ac66ef596ea346d494e3887fcf7d7712a |
memory/1688-42-0x0000000002330000-0x0000000002684000-memory.dmp
memory/1688-40-0x0000000002330000-0x0000000002684000-memory.dmp
\Windows\system\gprOgTA.exe
| MD5 | 19ba58b6626e9ce42f5e0a324b6ade73 |
| SHA1 | ca8da14dabb6a03dc48841971144dc583d18e404 |
| SHA256 | c5694061f5fa41b2cee55606b3551c29850e74f4c644c1e9ca270f95ce4329d0 |
| SHA512 | 18ac3e3352f974068022d0fbde1f8174e16e69e5382a723e389442dd89d7fdb20aa7e741f0f415b26756781c412d29f6fb525ffdc7a37d2b0e8650521b17ad5e |
memory/2652-44-0x000000013F7E0000-0x000000013FB34000-memory.dmp
memory/1688-43-0x0000000002330000-0x0000000002684000-memory.dmp
memory/2748-38-0x000000013F760000-0x000000013FAB4000-memory.dmp
C:\Windows\system\xpgTDll.exe
| MD5 | f265580d3e7271569b1ba835520cd149 |
| SHA1 | 68db4fae3d7b4863c9c72e9023beb87581fe2a59 |
| SHA256 | 50da8cceb6b91d5bfca105a8c0609b2609128c1f179ee16bc32094c086c9a666 |
| SHA512 | b91cd932804facb8c4340f2278af32df1801dd6bef8dd1aeb43f1c084ad977717ade42129e3e88a1f9058d9b6af6bd363ae4add9b59b7f7a623ba7395bc8faba |
C:\Windows\system\oCcQSJL.exe
| MD5 | e86c90187ad4a57cf1b3a5c9358ad123 |
| SHA1 | ee532b9ab56ab80d28dc6f4c1bd167d267975c4d |
| SHA256 | f5113e894512931289068231c90ad17522619495a62243f03fe4a8d6ddc4bb5c |
| SHA512 | cab337b1841ce5c7548426a9982dbb7e8c7b413512375c38efb9119b05a490702e201516eab286bfb7d9a57369d5e32e3f8f2155a1c12db36312ae89f664b8df |
memory/2636-56-0x000000013FF70000-0x00000001402C4000-memory.dmp
C:\Windows\system\qouaAeE.exe
| MD5 | edec9e573ff6af17f405c7f89ece9c75 |
| SHA1 | 4894e6a78deb59ef9378ece87e7a1b3acf611ad1 |
| SHA256 | 0438abd88b5f30f621dee9fb6599ee158fcffac3d3efe2670de18bd8abc6e690 |
| SHA512 | aee4cfe2e258aebf95df1626e1760b8c91e31782cfbeab2c3883a439f961b064eb8d95b4086ecb2c56dc66320b18eb388061a4a219e202199ce67e5bbc7b604e |
memory/2948-69-0x000000013FBB0000-0x000000013FF04000-memory.dmp
\Windows\system\IYydmjq.exe
| MD5 | eb9aecb34dda9d0ef47b4083674b2156 |
| SHA1 | 00492bccc45c5ee019fdffbf849f77aacb1608f1 |
| SHA256 | 785f822bc38a64ee15bf63852491b87eb091a7fe14a632f44273e40489ca6a99 |
| SHA512 | d0376560921d291dc01e877a1158ed38655b9725279ac89f409342ff98cf31d93b8fb4dfcb600f14808c2672aab6c260c54ae140f77655a86982976aeb818ff1 |
memory/1252-78-0x000000013F640000-0x000000013F994000-memory.dmp
memory/1688-77-0x0000000002330000-0x0000000002684000-memory.dmp
memory/1688-76-0x000000013F5D0000-0x000000013F924000-memory.dmp
C:\Windows\system\QiILWhM.exe
| MD5 | f75564539a83b376903c5ecfa5901e06 |
| SHA1 | 860909f2131254f5457375c9de8cb6e8e7533a93 |
| SHA256 | a25c9e54e4ac4fb130d0aaa541a8a5b2dedfb1d619c1e147022de971b177da82 |
| SHA512 | d714b2231a9eda4a9f476c29532e558ef6354d4c3b2a94db233eac1109e70cc17fff62ea890eb23a55dae53b722fad41b241ad0f437f20912c6925b0f568206c |
memory/2668-85-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2412-88-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/1688-87-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/2748-86-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/1688-84-0x000000013FBD0000-0x000000013FF24000-memory.dmp
\Windows\system\QiILWhM.exe
| MD5 | 08335df7103abc2469c627c6ab490b75 |
| SHA1 | 663318a93774d93d6095a04cf5494b48eb7d64be |
| SHA256 | 58df3e0732ea3099d265f1cebcc12671ec8cd599b805e002740e15fb8f518f08 |
| SHA512 | 8f7208f2a7c23589362de25aa76773ad075a6272ad2246f1bcd66d82f26b8b4ae6a99af20bcf359a45f35c2492e458ab92be86502fcd38ae1b4f2c4222058ff7 |
memory/2540-61-0x000000013F500000-0x000000013F854000-memory.dmp
memory/1688-68-0x000000013FBB0000-0x000000013FF04000-memory.dmp
memory/1688-55-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2760-49-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/1688-111-0x000000013F020000-0x000000013F374000-memory.dmp
C:\Windows\system\sUfzTZf.exe
| MD5 | c90d608fd7c1070c4f3c8638c6d954be |
| SHA1 | 159205bfd06d6c8f031165fa57addb113562e8d7 |
| SHA256 | 73e92f22a97bc74dc99692ac6accfc66c1ab29220bfa97f7b49d66991fc6801f |
| SHA512 | 3f48b113ae7193dd4271ab3d33f4c6fd28d0d34cbcc851818e6c509eab0a9a64239893a8bf6c5de26b5a3c93229fdc6e6fe5f1be64e6a73b6dbb37e1f7b7e138 |
\Windows\system\dORBaEY.exe
| MD5 | 0efe2132089d67be19e319bd8ab99dcc |
| SHA1 | 99764cb9f025284f205d1b7bdd84340af4a9e736 |
| SHA256 | 344357a886efa1dfd12e31852ad53c80234701fba86d3c04cabf7c80bcc5eea4 |
| SHA512 | d3f35db5f79cb21aa9eed92136d5194226e61d85ce5ce3a43c7de01f8ca5a3a1f843a3b9bfc1a9ad45571fc73d9f11f63855d195b720149c10eaae943330fd2c |
memory/2708-104-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/1508-100-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
C:\Windows\system\iTJKLjH.exe
| MD5 | 5e2fd070ce2d434f6b165e8ddbea2852 |
| SHA1 | 0bc86e5f6bd589cdbf40e8c2a5467c2e1874e0aa |
| SHA256 | b45751a385242bdf1e09aaa03f8a342a23dceff7d17d43ecb42330eaa494af6b |
| SHA512 | 2c85b93d297501ea5aa15c7ce4eea1113477cc3a906400328069cc1ad1c379c05b2eea314bb7001feb6b9a998618a7d56c6b688bed8f3886e730ec88f1de0d32 |
memory/1688-110-0x000000013FD10000-0x0000000140064000-memory.dmp
C:\Windows\system\EneNKbd.exe
| MD5 | e3596ba790245ff6536ce113764f2a0e |
| SHA1 | 258b30eb9817179eed053ecb59efcde544ebb787 |
| SHA256 | b4e2e4a941414489e78eff1755014e7e68ade8bb2b056d581c865122496361c6 |
| SHA512 | 798106118b0872624521ecda29e50a4883eff782aefe2a4f1cd4af1b85173c79d484748950dbc5f1e617e5b3cee8aaf392391eff7f0e39301e8efe3893d73546 |
memory/1688-97-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
\Windows\system\TSeAxSb.exe
| MD5 | 847ab44b35baa66ae495daf4f0cc00a5 |
| SHA1 | 1b672ccb0826201a9a455254ad06eae895c2fe9e |
| SHA256 | 6b529fc282b65328c7b037fa98c41299e48b3cc384486b794148e3183bacdbc6 |
| SHA512 | fde6bffbb7d14aae20dd39fe8b0bc8de03405e703835ce3846d0a3360da0418b0e8573ad559b3ec3f81bfcdc5e750406ca6eb13dc9d9e73678cc108bdc4bc821 |
C:\Windows\system\dLsfdKO.exe
| MD5 | 7b72a9a33d81f808dffcb90db9d722de |
| SHA1 | e620e4c24c5f6463144735081b9bf7cde1bdeeb0 |
| SHA256 | 5c79b833c0ee69bb59477b5960b0482cb584f737679fea7ada893f7a4b8eb74c |
| SHA512 | 5f40bf86324f82c47b3e3e3e77779446b9a72ae4e44784cf116b7b3fcd03a0324f1d4a4b846e17cacf03adfe4d7eb3c93ea71ca3c8e667ac7d5839b9fcff3031 |
C:\Windows\system\hLkcpiM.exe
| MD5 | 7577b6effbc6d17a5a97e756ac2ea7a8 |
| SHA1 | f14ea7f89401a2203377068fe6797f642acefd13 |
| SHA256 | 1b43fef364d745dd7b93c5df9acdd60da10243b58663b7a4e5cf422a855c433f |
| SHA512 | 51145969e46d0821371b88992ae25d542ae62a647d80433891f6d02d97c1fb70431ec8c9dedabcb58047f1d32e00747c51d277513a0052d1698e1eba481ff9aa |
\Windows\system\TdjuLCy.exe
| MD5 | 8d646e924fd0d1b8f2b6032bf921c68b |
| SHA1 | 77143c80f89669f1e640229b6197871994aedd23 |
| SHA256 | e35136f6ac4e5d25610db8b767a0f545fd9fe553bb2b7afaf2ded18cac30d498 |
| SHA512 | ec7c5a3e370172a6cb8c08d4d14c7c9dfcb67c2875d66b2b75ccefa87b0e450630c685404597ccd6d097f7b105f7bdc76ee9b759b8cea8acda23d945bc5149c3 |
memory/2760-138-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/2636-139-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/1688-140-0x0000000002330000-0x0000000002684000-memory.dmp
memory/2540-141-0x000000013F500000-0x000000013F854000-memory.dmp
memory/2948-142-0x000000013FBB0000-0x000000013FF04000-memory.dmp
memory/1688-143-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/2708-145-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/1688-144-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/1688-147-0x000000013F020000-0x000000013F374000-memory.dmp
memory/1688-146-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/1872-149-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/2616-150-0x000000013FBD0000-0x000000013FF24000-memory.dmp
memory/2668-151-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2028-148-0x000000013F320000-0x000000013F674000-memory.dmp
memory/2748-152-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2652-153-0x000000013F7E0000-0x000000013FB34000-memory.dmp
memory/2760-154-0x000000013F2E0000-0x000000013F634000-memory.dmp
memory/2540-155-0x000000013F500000-0x000000013F854000-memory.dmp
memory/2636-156-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2948-157-0x000000013FBB0000-0x000000013FF04000-memory.dmp
memory/1252-158-0x000000013F640000-0x000000013F994000-memory.dmp
memory/2412-159-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/1508-160-0x000000013FCA0000-0x000000013FFF4000-memory.dmp
memory/2708-161-0x000000013FD10000-0x0000000140064000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 15:52
Reported
2024-06-09 15:55
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System\rhGMgsd.exe | N/A |
| N/A | N/A | C:\Windows\System\QPtLyTH.exe | N/A |
| N/A | N/A | C:\Windows\System\gixRZmW.exe | N/A |
| N/A | N/A | C:\Windows\System\mvaRACG.exe | N/A |
| N/A | N/A | C:\Windows\System\qEZVomD.exe | N/A |
| N/A | N/A | C:\Windows\System\JoxfLbi.exe | N/A |
| N/A | N/A | C:\Windows\System\MbxCvwh.exe | N/A |
| N/A | N/A | C:\Windows\System\DoGYQwU.exe | N/A |
| N/A | N/A | C:\Windows\System\qYFznZy.exe | N/A |
| N/A | N/A | C:\Windows\System\KnTJhVz.exe | N/A |
| N/A | N/A | C:\Windows\System\ItmoEBA.exe | N/A |
| N/A | N/A | C:\Windows\System\YiReKQn.exe | N/A |
| N/A | N/A | C:\Windows\System\HCqdBzv.exe | N/A |
| N/A | N/A | C:\Windows\System\eIyAzhW.exe | N/A |
| N/A | N/A | C:\Windows\System\uQKEcEU.exe | N/A |
| N/A | N/A | C:\Windows\System\mjJFoRX.exe | N/A |
| N/A | N/A | C:\Windows\System\vMxbiNO.exe | N/A |
| N/A | N/A | C:\Windows\System\jKjfNVu.exe | N/A |
| N/A | N/A | C:\Windows\System\wOjUWRQ.exe | N/A |
| N/A | N/A | C:\Windows\System\CWLDtzs.exe | N/A |
| N/A | N/A | C:\Windows\System\KYUqiUX.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-09_1c8cbf561aaa9f96c968c808cd9c6875_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\rhGMgsd.exe
C:\Windows\System\rhGMgsd.exe
C:\Windows\System\QPtLyTH.exe
C:\Windows\System\QPtLyTH.exe
C:\Windows\System\gixRZmW.exe
C:\Windows\System\gixRZmW.exe
C:\Windows\System\mvaRACG.exe
C:\Windows\System\mvaRACG.exe
C:\Windows\System\qEZVomD.exe
C:\Windows\System\qEZVomD.exe
C:\Windows\System\JoxfLbi.exe
C:\Windows\System\JoxfLbi.exe
C:\Windows\System\MbxCvwh.exe
C:\Windows\System\MbxCvwh.exe
C:\Windows\System\DoGYQwU.exe
C:\Windows\System\DoGYQwU.exe
C:\Windows\System\qYFznZy.exe
C:\Windows\System\qYFznZy.exe
C:\Windows\System\KnTJhVz.exe
C:\Windows\System\KnTJhVz.exe
C:\Windows\System\ItmoEBA.exe
C:\Windows\System\ItmoEBA.exe
C:\Windows\System\YiReKQn.exe
C:\Windows\System\YiReKQn.exe
C:\Windows\System\HCqdBzv.exe
C:\Windows\System\HCqdBzv.exe
C:\Windows\System\eIyAzhW.exe
C:\Windows\System\eIyAzhW.exe
C:\Windows\System\uQKEcEU.exe
C:\Windows\System\uQKEcEU.exe
C:\Windows\System\mjJFoRX.exe
C:\Windows\System\mjJFoRX.exe
C:\Windows\System\vMxbiNO.exe
C:\Windows\System\vMxbiNO.exe
C:\Windows\System\jKjfNVu.exe
C:\Windows\System\jKjfNVu.exe
C:\Windows\System\wOjUWRQ.exe
C:\Windows\System\wOjUWRQ.exe
C:\Windows\System\CWLDtzs.exe
C:\Windows\System\CWLDtzs.exe
C:\Windows\System\KYUqiUX.exe
C:\Windows\System\KYUqiUX.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.251.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 26.173.189.20.in-addr.arpa | udp |
Files
memory/4608-0-0x00007FF690C00000-0x00007FF690F54000-memory.dmp
memory/4608-1-0x000002AA85F40000-0x000002AA85F50000-memory.dmp
C:\Windows\System\rhGMgsd.exe
| MD5 | 87475ad902de0e99f2619a314be51c9f |
| SHA1 | 64dd0568e587467b35cf984d2749b75223046d7d |
| SHA256 | d7c8d76df5fa4fcc3e98d45b98d65b39e9eb60c1b75e6cbaeb6b6c0e2bfb9f54 |
| SHA512 | d13c2320cb6c080d016a1694310fc47a91a00a585688bbe2f1402f833b29ad2b576aff6597eebec5506974c2f18116ea4a970c43ccd8cd71df1eb1535b9d2501 |
memory/2796-8-0x00007FF799220000-0x00007FF799574000-memory.dmp
C:\Windows\System\QPtLyTH.exe
| MD5 | 197176af98dd8937518663a18bfcf6e2 |
| SHA1 | 895861a731ad5dc5f14eaafe08fdbb830a837f7a |
| SHA256 | 53c963f3dad7110e7628a42a4f995a9c988e7c3b59f79a12e85a394754469755 |
| SHA512 | c3e017cc2389c926df08572e1903314d6cc968f04faed609eccd9eeef577056aa931d4baa435796038f8acf615968f5ac6b76fc5e9405ccb29c34879f4000005 |
C:\Windows\System\gixRZmW.exe
| MD5 | 25e0a244f32fad028b6f8cee4f7289e2 |
| SHA1 | 4e1f98dff6e41a209d43a26034230717ec902742 |
| SHA256 | 923fe26d05cc99d83ce9153be38c3f7aa8e7128b9ec27a115c7130560b5c1cd5 |
| SHA512 | 4468556fc5a3686d26874bc840d11752f9e390b49d00e58d5f3afea89b9d8ebbafd1cfaed559dc4965401cc41133f83fbbf59334f0f2545954b34008e7cdd951 |
memory/4912-14-0x00007FF6B5480000-0x00007FF6B57D4000-memory.dmp
C:\Windows\System\mvaRACG.exe
| MD5 | f9a6671976f2eb670616b2c454f62912 |
| SHA1 | 641883856ce8fa000fa735497de137803b6458ed |
| SHA256 | 26a2a8e393ecc374d51adb749dbef1ef2a8583e88cc28f685a06ffc736d1dfdc |
| SHA512 | 2cfb1b693e6472a0ac464b7a7e0635cbdba68f37eba431c84012d9d8ad04632b5c5fd6b320396e56cc774bd36ebb141994ab131fe403d4f6da4950234774f259 |
memory/3636-22-0x00007FF786B50000-0x00007FF786EA4000-memory.dmp
memory/1984-27-0x00007FF68E840000-0x00007FF68EB94000-memory.dmp
C:\Windows\System\qEZVomD.exe
| MD5 | a7ef7caf104d09ef8a9388f296880c3c |
| SHA1 | 5e1b0e7ebecb30cbd4e6ddbebf4101fc23595f3e |
| SHA256 | 44f7de4021e2026ce9819b3b44d2e1529c6e736d182c5dc691b66f6a8172abdb |
| SHA512 | fed356230f16a9bd41f8d7d82b87f336d39f0a3d691a5cc70dde54e53abe5f54beac02c4facc15971adbca9bbd52110e108828dde2594bcd580a953a436440d4 |
C:\Windows\System\JoxfLbi.exe
| MD5 | 22d607cb9c24bd7a46aec5a736724aa7 |
| SHA1 | 619dff0f32fe51860c9b27ff1d1093665a2fc8b3 |
| SHA256 | c577ea3a3078284c8b6c6fac505a22a125a3da7607762c84391468eb333fcc7f |
| SHA512 | 676af6d233a04f6b235755478d3f30fc89ff22802ead6eee3905fc8b6d9cf4e88ce632edc7596244e3ccf6cda4291a508f23b88ab5eefeb45c717e6165b4e9e4 |
memory/2132-30-0x00007FF62DC40000-0x00007FF62DF94000-memory.dmp
C:\Windows\System\MbxCvwh.exe
| MD5 | 7a9ee83296db6e1ea58bede6be4cc0ae |
| SHA1 | 90cd2515ad0e17216c7600e8cab3a353fa8ecc6f |
| SHA256 | 2f2256565f2e8bb27dd87a7b2790d270970405445af27009ad409b394560e174 |
| SHA512 | 9c832b2ab22bc138b566ffb19d581bb827726b3e4be021e04de78b11d827c46850e54f1f602c8fb0a73bd71d9bcd65ff1f79d6ae526e10f9c72e60e237546583 |
memory/640-36-0x00007FF7B7660000-0x00007FF7B79B4000-memory.dmp
memory/1940-44-0x00007FF6D1760000-0x00007FF6D1AB4000-memory.dmp
C:\Windows\System\DoGYQwU.exe
| MD5 | 6bf286b9f20408b51f61b35f7d8d56a3 |
| SHA1 | 512c7b5c93b54301e31f7aa375460591a1231d34 |
| SHA256 | 497ab3e70c99c59683f0f305140f19d4e0203143a1f39f0150609d75a7f63bd5 |
| SHA512 | 5bebd1e2b1f2db65a3cb9bd3b227dc9d8fd385c0527742ee6d7f80f7cc99cdab6be07e4efcc3e4cb5d39d88e6c0b3507c72fdf6b134ae28901e4fa756c96d2ef |
memory/1380-51-0x00007FF660100000-0x00007FF660454000-memory.dmp
C:\Windows\System\qYFznZy.exe
| MD5 | a4b4fd208732cfdfd172a43dd8f92e12 |
| SHA1 | ecc167afec791ae567429430b4b3b2d419d94263 |
| SHA256 | 21cffe1b63a16e62fafb33bff95da164065d3f9ac7ece4c88977a9b4b68e53cc |
| SHA512 | 4ca04bd73735433193352d69242bc18c73ffe759f441dcd196e07999b10ccded598f8421220dd81016ac8354314936bf3fc6ec6097a2c92b60d521887fa5e4ce |
C:\Windows\System\qYFznZy.exe
| MD5 | 87c493a6b81be5902fc5875fa2aecb98 |
| SHA1 | c44601c11508ea710b6ae8245ac85c15be95866b |
| SHA256 | 318e626f8e62df9cb49323a5029878aeb2413985d792fae91b8f2a8ec630b505 |
| SHA512 | a1bda353e94f6fc19d86c9495a4e3f5b6139076fc038036bf380359c32c58a90d8e4c5d0407b6cbda1be3074c8c3e9da69d4d82253bc46d491e40493aa27d270 |
memory/2472-56-0x00007FF7A88D0000-0x00007FF7A8C24000-memory.dmp
memory/2420-69-0x00007FF6AD270000-0x00007FF6AD5C4000-memory.dmp
C:\Windows\System\YiReKQn.exe
| MD5 | 08335df7103abc2469c627c6ab490b75 |
| SHA1 | 663318a93774d93d6095a04cf5494b48eb7d64be |
| SHA256 | 58df3e0732ea3099d265f1cebcc12671ec8cd599b805e002740e15fb8f518f08 |
| SHA512 | 8f7208f2a7c23589362de25aa76773ad075a6272ad2246f1bcd66d82f26b8b4ae6a99af20bcf359a45f35c2492e458ab92be86502fcd38ae1b4f2c4222058ff7 |
C:\Windows\System\YiReKQn.exe
| MD5 | bd78e538b4df43d0f413c82bce32c2fc |
| SHA1 | 2f03d24540cc14d701b461630c502121437b6f9e |
| SHA256 | d7237ed1f488fc3dc5d925d8921100e1c9e0e6ba7aeea1f13cbc0d2542ca5acb |
| SHA512 | 901b6d5e826619fa0245d80cb786904a536cb27fd58edc5b4df618e4c83ec2bfc3adee2576e5a94ecb1b1760bd7de5ecd52513c83d3afe76c5c8a32127f03e24 |
memory/3040-73-0x00007FF612060000-0x00007FF6123B4000-memory.dmp
C:\Windows\System\ItmoEBA.exe
| MD5 | b471ccaa37742c86c61ebdd2499b82d5 |
| SHA1 | 21cd2f3129a154f879c7d6e86c9bf9ed02261545 |
| SHA256 | 738c3d2a60b74bd2a7507e1e2237709679c496849c3b536533117ffccde95fa3 |
| SHA512 | a8ae7999e196da99dd00e4be6efde21d9a750ae3507b13bd183451d36bb50aa242c183e0a8d718680ccbcd9bb33ebbea4fdbaf1fe6a830c02b9788a22aba22a5 |
memory/4488-63-0x00007FF65FE40000-0x00007FF660194000-memory.dmp
memory/4608-62-0x00007FF690C00000-0x00007FF690F54000-memory.dmp
C:\Windows\System\KnTJhVz.exe
| MD5 | 9e455e7102bb84e783afe18c42b50505 |
| SHA1 | a54be3eb91d39f751babfe971835c1b15d411c95 |
| SHA256 | d75a63d72e14b094d475e79bade403a3dae13ca7b635f6b88530364317b9fb59 |
| SHA512 | 42c3b6c1a6ca5054a75a7c30f5ab2bf883b419dd307e839f73e514faa5697104779df6aedb3cdaa603b4871de4f90996bdb9c6e6cb30c97138bd515f2fd3fff1 |
C:\Windows\System\KnTJhVz.exe
| MD5 | 83eda0227bfdf9548f649e964affc14b |
| SHA1 | d3c2152e494e8256c82bd97106ccb9bd81e6a05b |
| SHA256 | 20953582709f779d8a6bdc1b67d78f8ab91fe4901b96f4cb0e5b710f5c76ffbf |
| SHA512 | fe457f45e9eabe660dd62a9f2753fde3e1f0cd31fe659ae583e0141c64598f9938b6eb32a04d6c486f39d33871a796a6b476db70476a4af83218cfdbda070a9c |
C:\Windows\System\HCqdBzv.exe
| MD5 | 72a24ffcf585f314bf31bb25abce05b5 |
| SHA1 | 777a71e1b2e482764d7730bc0a2eb8b5d4971ba3 |
| SHA256 | 4bb1824dcb07f00123c3c3dd13a344763ce8c30fc271cf43922e52666a71bafc |
| SHA512 | a2e097cf09664f82b2fa0f51f896ad7b862db997ee1a00b4634dc9bf08bdb0e95cc4935ba6f0e642a1e331aa01bef1897377238495ce238ac8b216e117db830c |
memory/2132-93-0x00007FF62DC40000-0x00007FF62DF94000-memory.dmp
memory/640-99-0x00007FF7B7660000-0x00007FF7B79B4000-memory.dmp
C:\Windows\System\mjJFoRX.exe
| MD5 | 58057327a3ad0ac8d515a2b6b6bb4c8c |
| SHA1 | 1210833e3ff916f462f30c2d1a18101a07cc0be6 |
| SHA256 | cc5f87af5675ae74db6ffb8fbc490679396fae1243b4d0b5f2ed2c7ddfa65f9d |
| SHA512 | c538792483adccaf3052ce0ec9839580f6b5fcc91776667a302efb27645a5eeb13697f3368bd7b70cf3077aa13de1f4e64b7c08bd1d32b37cf74ac8e72c14296 |
C:\Windows\System\jKjfNVu.exe
| MD5 | fce36e7a127a9c45d54e1b8d90fdd7dd |
| SHA1 | 8542d25e949a7392da2a93826107eaa40ecc4cc5 |
| SHA256 | b444293ba0ec99638690f826a0742a8768937b49529c8a6756d6366ed24a602f |
| SHA512 | 305798c3491a2a73389f1d7751402c6a23f5215075ba486c290c2f789dc31a38e03eddcf5f70014163a4339376b4bec87bf7595b275ac3d6efe0ee4cac2b7a79 |
C:\Windows\System\wOjUWRQ.exe
| MD5 | b8cb0f6fdd4385e04865b122d56b8847 |
| SHA1 | cf4b5f3f2ac56dfd8083cebd6d7502e88907f03a |
| SHA256 | 022e7579b63e40c7fb997d4d2f1e95cd724a568163dbc1fc615377c18225afdb |
| SHA512 | d16a6d3333548fee61e1b454abcd9fdf873298caee0552b4e6ced10c10e083b9ccad04bb5a12bdc7150ebf0e2426a20439722048e73de74fdf5a3a9e07c930dc |
C:\Windows\System\CWLDtzs.exe
| MD5 | 129f3d64cbeca05a53ef528b3290734c |
| SHA1 | 71740da16ce0c6c904ccb37e278a6ad593c1a480 |
| SHA256 | 8bff8690eaf4a5e3f573418a963622e185f8d501862caf038cd51f7fb5a2debe |
| SHA512 | 678c5888d6fd5cfe6ce1594083820c6bdb4991f848b7bf64517b2c7aae2761350709aee9fa7ba71fac788e0eaf0979bc249996e90211dac6917778ab1bc5ebbe |
memory/4332-121-0x00007FF64DE60000-0x00007FF64E1B4000-memory.dmp
C:\Windows\System\wOjUWRQ.exe
| MD5 | f643883f259de01dd5329353aba9e3bc |
| SHA1 | 8a0c9acc560b2a903e1249b54de084c27f2f7330 |
| SHA256 | 885d32479d3d931762c4646bd89041e2dc323a00afc74c5ce659e0439525e486 |
| SHA512 | 4fbee57fc43773ceb767e4aa78bc2879a54950d29e94d06ab5acf504f8c6e1b3a52cc3f816f267cfbe746c86e79bc3431149abbf38cd824127a0e4b7532c9af9 |
memory/2156-113-0x00007FF73E4A0000-0x00007FF73E7F4000-memory.dmp
memory/2164-107-0x00007FF70C270000-0x00007FF70C5C4000-memory.dmp
memory/4076-104-0x00007FF70BD00000-0x00007FF70C054000-memory.dmp
C:\Windows\System\vMxbiNO.exe
| MD5 | 0b7f76370362199fe11563e221d6b826 |
| SHA1 | 43b9f8ccbd2066026fc2e9b45b99a59cc419c0d6 |
| SHA256 | c0ffb66d02f8e09cd92a0fd5ae1ab36d134547958f4356f989d98d1cd2541934 |
| SHA512 | 8145dfc8736c3c25155856277c6af89da1b7b7d3306f4d7b41743d0ae6bc257a01dc4367eb8618e0542181fb1bebebea2f2c5300983cd807346c03dbb2f3022f |
memory/5108-96-0x00007FF607730000-0x00007FF607A84000-memory.dmp
C:\Windows\System\mjJFoRX.exe
| MD5 | f75564539a83b376903c5ecfa5901e06 |
| SHA1 | 860909f2131254f5457375c9de8cb6e8e7533a93 |
| SHA256 | a25c9e54e4ac4fb130d0aaa541a8a5b2dedfb1d619c1e147022de971b177da82 |
| SHA512 | d714b2231a9eda4a9f476c29532e558ef6354d4c3b2a94db233eac1109e70cc17fff62ea890eb23a55dae53b722fad41b241ad0f437f20912c6925b0f568206c |
C:\Windows\System\uQKEcEU.exe
| MD5 | e5582ab7e7031da39f15ac28537b46e7 |
| SHA1 | b57ab29bc87adca1d5b4da78bf670588e56f713a |
| SHA256 | 5fd118f73dfda42f66717026359ba16aef0e9002f9fca31396b04751f9d7e57d |
| SHA512 | 3ce9781a48453cfe78fb84b497a606e3a6b078f7a7bcc21d8250dc3b9b2f8ad4e202d80f43a91086de444c537a5c1ca91fe331d41f536a9268af2053510ebd7f |
memory/444-87-0x00007FF7DD5E0000-0x00007FF7DD934000-memory.dmp
memory/3508-81-0x00007FF7C68B0000-0x00007FF7C6C04000-memory.dmp
memory/1548-129-0x00007FF64D750000-0x00007FF64DAA4000-memory.dmp
memory/3288-130-0x00007FF7B8600000-0x00007FF7B8954000-memory.dmp
memory/3040-131-0x00007FF612060000-0x00007FF6123B4000-memory.dmp
memory/4076-132-0x00007FF70BD00000-0x00007FF70C054000-memory.dmp
memory/2156-133-0x00007FF73E4A0000-0x00007FF73E7F4000-memory.dmp
memory/1548-135-0x00007FF64D750000-0x00007FF64DAA4000-memory.dmp
memory/4332-134-0x00007FF64DE60000-0x00007FF64E1B4000-memory.dmp
memory/2796-136-0x00007FF799220000-0x00007FF799574000-memory.dmp
memory/4912-137-0x00007FF6B5480000-0x00007FF6B57D4000-memory.dmp
memory/3636-138-0x00007FF786B50000-0x00007FF786EA4000-memory.dmp
memory/1984-139-0x00007FF68E840000-0x00007FF68EB94000-memory.dmp
memory/2132-140-0x00007FF62DC40000-0x00007FF62DF94000-memory.dmp
memory/1940-142-0x00007FF6D1760000-0x00007FF6D1AB4000-memory.dmp
memory/640-141-0x00007FF7B7660000-0x00007FF7B79B4000-memory.dmp
memory/1380-143-0x00007FF660100000-0x00007FF660454000-memory.dmp
memory/2472-144-0x00007FF7A88D0000-0x00007FF7A8C24000-memory.dmp
memory/4488-145-0x00007FF65FE40000-0x00007FF660194000-memory.dmp
memory/2420-146-0x00007FF6AD270000-0x00007FF6AD5C4000-memory.dmp
memory/3040-147-0x00007FF612060000-0x00007FF6123B4000-memory.dmp
memory/3508-148-0x00007FF7C68B0000-0x00007FF7C6C04000-memory.dmp
memory/444-149-0x00007FF7DD5E0000-0x00007FF7DD934000-memory.dmp
memory/5108-150-0x00007FF607730000-0x00007FF607A84000-memory.dmp
memory/2164-151-0x00007FF70C270000-0x00007FF70C5C4000-memory.dmp
memory/4076-152-0x00007FF70BD00000-0x00007FF70C054000-memory.dmp
memory/2156-153-0x00007FF73E4A0000-0x00007FF73E7F4000-memory.dmp
memory/3288-156-0x00007FF7B8600000-0x00007FF7B8954000-memory.dmp
memory/4332-155-0x00007FF64DE60000-0x00007FF64E1B4000-memory.dmp
memory/1548-154-0x00007FF64D750000-0x00007FF64DAA4000-memory.dmp
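A parser for the Files section above, added here as an example and not part of the sandbox report. The sample text is a subset of the lines above, copied verbatim; the function names and the decision to validate hash lengths are mine. It recovers two facts that are easy to miss when reading the raw list: every image-sized memory region in this report spans 0x354000 bytes (3,489,792) regardless of PID or file name, which is consistent with one PE image being re-dropped under random names, and five paths (qYFznZy.exe, YiReKQn.exe, KnTJhVz.exe, mjJFoRX.exe, wOjUWRQ.exe) were written twice with different hashes, so a path-based indicator for them is useless and the SHA256 list is what should feed a blocklist.

```python
"""Parse the sandbox 'Files' entries into structured data.

Added example, not part of the original report.  SAMPLE_FILES_SECTION is a
subset of the report's lines, copied verbatim; function names are my own.
"""
import re
from collections import defaultdict

# Subset of the report's Files section (constructed from the lines above).
SAMPLE_FILES_SECTION = r"""
memory/4608-0-0x00007FF690C00000-0x00007FF690F54000-memory.dmp
memory/4608-1-0x000002AA85F40000-0x000002AA85F50000-memory.dmp
C:\Windows\System\rhGMgsd.exe
| MD5 | 87475ad902de0e99f2619a314be51c9f |
| SHA1 | 64dd0568e587467b35cf984d2749b75223046d7d |
| SHA256 | d7c8d76df5fa4fcc3e98d45b98d65b39e9eb60c1b75e6cbaeb6b6c0e2bfb9f54 |
memory/2796-8-0x00007FF799220000-0x00007FF799574000-memory.dmp
C:\Windows\System\qYFznZy.exe
| MD5 | a4b4fd208732cfdfd172a43dd8f92e12 |
| SHA256 | 21cffe1b63a16e62fafb33bff95da164065d3f9ac7ece4c88977a9b4b68e53cc |
C:\Windows\System\qYFznZy.exe
| MD5 | 87c493a6b81be5902fc5875fa2aecb98 |
| SHA256 | 318e626f8e62df9cb49323a5029878aeb2413985d792fae91b8f2a8ec630b505 |
memory/2472-56-0x00007FF7A88D0000-0x00007FF7A8C24000-memory.dmp
"""

# memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
MEMDUMP_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$"
)
# | MD5 | <hex> |   (one row of the per-file hash table)
HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
HASH_LENGTHS = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def parse_memdump(name):
    """Return {pid, index, start, size} for a memory-dump file name, else None."""
    m = MEMDUMP_RE.match(name)
    if not m:
        return None
    pid, idx, start, end = m.groups()
    start, end = int(start, 16), int(end, 16)
    return {"pid": int(pid), "index": int(idx), "start": start, "size": end - start}


def parse_files_section(text):
    """Walk the section line by line.

    A 'memory/...' line is a dump; a 'C:\\...' line opens a new file entry;
    a '| HASH | value |' row attaches to the open entry when its length
    matches the algorithm (a truncated hash is silently dropped).
    """
    dumps, files = [], []
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        dump = parse_memdump(line)
        if dump:
            dumps.append(dump)
            current = None          # hash rows never follow a dump line
            continue
        m = HASH_ROW_RE.match(line)
        if m and current is not None:
            algo, value = m.group(1).lower(), m.group(2).lower()
            if len(value) == HASH_LENGTHS[algo]:
                current[algo] = value
            continue
        if line.startswith("C:\\"):
            current = {"path": line}
            files.append(current)
    return dumps, files


def group_regions_by_size(dumps):
    """Map region size -> sorted PIDs that had a region of exactly that size."""
    by_size = defaultdict(set)
    for d in dumps:
        by_size[d["size"]].add(d["pid"])
    return {size: sorted(pids) for size, pids in by_size.items()}


def paths_with_multiple_hashes(files):
    """Paths written more than once with different content (by SHA256)."""
    seen = defaultdict(set)
    for f in files:
        if "sha256" in f:
            seen[f["path"]].add(f["sha256"])
    return {path: sorted(h) for path, h in seen.items() if len(h) > 1}


def sha256_blocklist(files):
    """De-duplicated SHA256 set, the form a hash blocklist wants."""
    return sorted({f["sha256"] for f in files if "sha256" in f})


if __name__ == "__main__":
    dumps, files = parse_files_section(SAMPLE_FILES_SECTION)
    for size, pids in group_regions_by_size(dumps).items():
        print(f"region size 0x{size:X} ({size} bytes): pids {pids}")
    print("re-dropped paths:", paths_with_multiple_hashes(files))
    print("sha256 blocklist:", sha256_blocklist(files))
```

Run over the full section rather than the sample, the size grouping puts every PID except the 0x10000 heap region of PID 4608 into the 0x354000 bucket. That alone does not prove the dropped files are byte-identical (the report shows distinct hashes for the same path), but it does say the loaded images are the same size, which is what you would expect from one miner binary re-written under random names.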