Analysis Overview
SHA256
c0f7a107794476afd64e4f9999299f0d8b747fb2a8090b6d914fbb66468bcf64
Threat Level: Known bad
The file 2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
XMRig Miner payload
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
xmrig
Cobaltstrike
Cobaltstrike family
UPX dump on OEP (original entry point)
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-10 05:42
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 05:42
Reported
2024-06-10 05:45
Platform
win7-20240508-en
Max time kernel
144s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\qtCkGFT.exe | N/A |
| N/A | N/A | C:\Windows\System\ORZxVie.exe | N/A |
| N/A | N/A | C:\Windows\System\KaaOuUd.exe | N/A |
| N/A | N/A | C:\Windows\System\RAabGwG.exe | N/A |
| N/A | N/A | C:\Windows\System\phluZHd.exe | N/A |
| N/A | N/A | C:\Windows\System\VHCgQim.exe | N/A |
| N/A | N/A | C:\Windows\System\uNHjTTy.exe | N/A |
| N/A | N/A | C:\Windows\System\cLRpNXW.exe | N/A |
| N/A | N/A | C:\Windows\System\DarVDWZ.exe | N/A |
| N/A | N/A | C:\Windows\System\ofhjbxc.exe | N/A |
| N/A | N/A | C:\Windows\System\BpeRmOQ.exe | N/A |
| N/A | N/A | C:\Windows\System\xzvpMEh.exe | N/A |
| N/A | N/A | C:\Windows\System\HWrpaDa.exe | N/A |
| N/A | N/A | C:\Windows\System\wvbaixL.exe | N/A |
| N/A | N/A | C:\Windows\System\GUrqGiH.exe | N/A |
| N/A | N/A | C:\Windows\System\NDWFkdv.exe | N/A |
| N/A | N/A | C:\Windows\System\DqnbQDP.exe | N/A |
| N/A | N/A | C:\Windows\System\AYWETFM.exe | N/A |
| N/A | N/A | C:\Windows\System\kUNjVVC.exe | N/A |
| N/A | N/A | C:\Windows\System\rcuORUV.exe | N/A |
| N/A | N/A | C:\Windows\System\sRzHWzx.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\qtCkGFT.exe
C:\Windows\System\qtCkGFT.exe
C:\Windows\System\ORZxVie.exe
C:\Windows\System\ORZxVie.exe
C:\Windows\System\KaaOuUd.exe
C:\Windows\System\KaaOuUd.exe
C:\Windows\System\RAabGwG.exe
C:\Windows\System\RAabGwG.exe
C:\Windows\System\phluZHd.exe
C:\Windows\System\phluZHd.exe
C:\Windows\System\VHCgQim.exe
C:\Windows\System\VHCgQim.exe
C:\Windows\System\uNHjTTy.exe
C:\Windows\System\uNHjTTy.exe
C:\Windows\System\cLRpNXW.exe
C:\Windows\System\cLRpNXW.exe
C:\Windows\System\DarVDWZ.exe
C:\Windows\System\DarVDWZ.exe
C:\Windows\System\ofhjbxc.exe
C:\Windows\System\ofhjbxc.exe
C:\Windows\System\BpeRmOQ.exe
C:\Windows\System\BpeRmOQ.exe
C:\Windows\System\xzvpMEh.exe
C:\Windows\System\xzvpMEh.exe
C:\Windows\System\HWrpaDa.exe
C:\Windows\System\HWrpaDa.exe
C:\Windows\System\wvbaixL.exe
C:\Windows\System\wvbaixL.exe
C:\Windows\System\GUrqGiH.exe
C:\Windows\System\GUrqGiH.exe
C:\Windows\System\NDWFkdv.exe
C:\Windows\System\NDWFkdv.exe
C:\Windows\System\DqnbQDP.exe
C:\Windows\System\DqnbQDP.exe
C:\Windows\System\AYWETFM.exe
C:\Windows\System\AYWETFM.exe
C:\Windows\System\kUNjVVC.exe
C:\Windows\System\kUNjVVC.exe
C:\Windows\System\rcuORUV.exe
C:\Windows\System\rcuORUV.exe
C:\Windows\System\sRzHWzx.exe
C:\Windows\System\sRzHWzx.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1192-2-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/1192-0-0x0000000000080000-0x0000000000090000-memory.dmp
\Windows\system\qtCkGFT.exe
| MD5 | c98aa2fa499340c8ef2be4535656217a |
| SHA1 | 607118c48a3bacab88276975583723fa0d28319f |
| SHA256 | 8eb0960515cdb47f5680881e8a081e00bf041a02d6fa64c19b61b4747394fcde |
| SHA512 | 249d5c3c57aee0d5170668fe8be23031c13ae55c202abc693f5eef57435de1dda84998ba3d6ba30b86c0dd9a756f0091a4b9feb2cec1170b483a63850cb0ef59 |
memory/2872-8-0x000000013FD60000-0x00000001400B4000-memory.dmp
memory/1192-9-0x00000000023A0000-0x00000000026F4000-memory.dmp
C:\Windows\system\KaaOuUd.exe
| MD5 | 0627e582cad3613b36750c660513eb5c |
| SHA1 | 39b51c5ae1b21501dec75a64d2aa8118c7dc8409 |
| SHA256 | e929a119adeff943a809f2805f90a82778bc59af88ffc110187d5b2815a73689 |
| SHA512 | cc1be97162188eb97fb07ec42b6fad6cb682529456554290bb5ea1f142684afe6234ddf0be789f1e4e12b85c18015d9f24a1f5e97a3162ce8024cf95ca03ede4 |
C:\Windows\system\ORZxVie.exe
| MD5 | 55fa3cee9db19c9e3913ef69e4b1ed26 |
| SHA1 | 137687ad99ad3e765b11c5009f431b24b1f852a6 |
| SHA256 | f77d101aa842143bf2f2babeb4b3f2d1494178525e8a5ef4c4f84505c2d38968 |
| SHA512 | 80555d6f19b84c925d77639c6f6a709b15a3464ff944f15bac8515339912e1b6551a0270369b0ac8d1f2cc64f57f206a8603b019da856f4b91bcb5375134a94c |
memory/2576-23-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
memory/1192-22-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
C:\Windows\system\RAabGwG.exe
| MD5 | 65b4888989ac4fd0e62f7e1be3a55c0d |
| SHA1 | 252f10b927235100182df4d2943117ea1c5c2842 |
| SHA256 | 8c4e1e88b7d51374156961b973350543477d053c05cd51914a7c7cb6a07dadfe |
| SHA512 | d905b849148fb845b0dc6fbaf89b2a3f5fca28f239ab7998c416ae1f83dd2bf49b8954da5d2ca7aef11d2688a1f1528617b84b063d2589d17157937d3a72d145 |
C:\Windows\system\phluZHd.exe
| MD5 | 52ef8425890d780c6c2e4960c37e51c1 |
| SHA1 | e8d61a55ecb607324961c78392d30a34b452eb1a |
| SHA256 | 9c7c5a66887f54ce0861ce5b47cfc9cd50abe58bf6aee920a730116f59fb9edd |
| SHA512 | 38273d65fc5ed50ba8c82b44d15de8ecf94ab4bf5f08c23ad199f238c28b71a2dab3a706a0efa068caf540a8a1b86b0c21a71edf4e7e48208b9de20d0bf288de |
memory/2628-37-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/1192-43-0x00000000023A0000-0x00000000026F4000-memory.dmp
C:\Windows\system\uNHjTTy.exe
| MD5 | 7260dcbb683f3ba0f0e8ba54e993f4df |
| SHA1 | 9a945230f272babadc9d8c2efca9838da312a850 |
| SHA256 | 5d952449453781745f756c5a898d12afb3cc6a1a462a9c35e5ba5b2aacbe88f9 |
| SHA512 | 383d3559c502f3f5bb3888c23998b8bedeba3a7a12ff850f3b4ea6a400555b48065914ab63dc2cdc81b2bd2e6acdd8cf098f85921ca4643edac50a43192dc06c |
memory/2504-51-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/1192-64-0x000000013FED0000-0x0000000140224000-memory.dmp
\Windows\system\BpeRmOQ.exe
| MD5 | 3c3581179faeab449739dadb1cc832ce |
| SHA1 | 62673b2b0515e792677d08b9d66de2239263dddb |
| SHA256 | fd80d1fa24c332fcf3506dfaa00e9768cb5f92f597ea3b7c9ff6629a4c5622d2 |
| SHA512 | 74d4b69375a617499790085755765646ca00c9be6ce06bcb25efaecf7d680f79bdb3c57daecb66197188cfcba28458e4f5882f693df4a1f4d1310fa098e3a4d6 |
C:\Windows\system\ofhjbxc.exe
| MD5 | cc674c5e5ff64f94b6d6b3655f003da6 |
| SHA1 | 6f20c081ecd79df9d035bc68b5b913c79dac9472 |
| SHA256 | 9a4de7b16de63e60e8c001740fcc7ab4f66d2c42ad17e9024c545ab616935af2 |
| SHA512 | 632d91471a8e7c7300ad8efec245089424af51ce20df681eebf6a9083008d3abcb5b1607b9d8572bc01b1071c2771d4140b2a04aed5650f3b13509a13e3fa247 |
memory/1192-88-0x000000013F300000-0x000000013F654000-memory.dmp
memory/2328-95-0x000000013FE70000-0x00000001401C4000-memory.dmp
memory/1192-108-0x000000013FB50000-0x000000013FEA4000-memory.dmp
C:\Windows\system\DqnbQDP.exe
| MD5 | da2e1929c5ef3fba6e6c4eafaf239236 |
| SHA1 | 0e464df5e073b969ffa316eb1f7ba6c05953975d |
| SHA256 | 311cc5fe11aece0b972a0629993172654c2fc4c25cbbe598535ccb205bd84404 |
| SHA512 | 605569eddbd3b60b720127eb82421d697bff52724d7ddaadf4e9a0b8786bfb04765e2f0e354b29e5b245a959cea9682672a33ab8c8eb227e3236f914bb0e3114 |
C:\Windows\system\sRzHWzx.exe
| MD5 | d3b932dcc59603f789407c01382ad5e2 |
| SHA1 | 9ab68a24fc9e3ca5ee0f19c6fc915c7c0809e83d |
| SHA256 | 348665d024e38965d9234f010c2d871647c1df9aee0669e81a069986fc31f7ff |
| SHA512 | 1fc5310701693317e60abef43bb78dd4ff3c9421ea8f5b45e2f80a83f5b846510e52f31b0a4acde9f437bfe357593db16e6cc225faa7516f201fdee7f9e1c73b |
C:\Windows\system\rcuORUV.exe
| MD5 | 792ebaf8b083792a667076f341db71dd |
| SHA1 | e2871b6ca7ff79bd0eb7ffb09288314b2b75ba89 |
| SHA256 | 2fae1590bb7d017f1025a832261429abd044a6ecb0c4541fb1df07b1f1648152 |
| SHA512 | edd6f489b73314a08b9bf146f208a577cbd83359318f0fb4c6cfa22998cecf13820593266b18a09f3f9921fb1f61ec1d1b20722c7e75b81087e3c83cf86f9d54 |
C:\Windows\system\kUNjVVC.exe
| MD5 | 07dca5e6580575a8a6f1173643f6d9d9 |
| SHA1 | 00de09251a772166be94a4097fa8526fa398ce5d |
| SHA256 | 86273869384c3b1ec6f1be70d12043ccb0950eb494dd696507b2cbd395e08254 |
| SHA512 | 7ba3f6577363877e033d94bd01c1ff24183b7a881ae87cd4a4100df1a48642f684e86691a8403b349dacf164cb78a41408f87da1a725c7a7656a70490de66cd7 |
C:\Windows\system\AYWETFM.exe
| MD5 | ced1b628422f7aad25b2f66ee9adb33b |
| SHA1 | 37f6cc99f8cfb3c149894dc775ed002e6be76dae |
| SHA256 | 6847a36b3094b1b9a740eec908118582ef922e8a52ae7b6648cd6e0ecee6f807 |
| SHA512 | 43e2b040439f1c234ef387d1442edf4573b8fe64fc455794010d296ab12828bcd1ee0b848fc3ad6a777d43bff8b9076d22d7f52b361e1e9dc1f51ccb79c76455 |
C:\Windows\system\NDWFkdv.exe
| MD5 | 9f9b472e83a1d6c9bf7e3e7a356637d2 |
| SHA1 | e292d2e2b8a14395c0aa4f1c75d8d9ff75ab81ea |
| SHA256 | 272bd8bb326c359439974a02bdfa0910a17f8269e34e5d6c538ea0039a2e3429 |
| SHA512 | b0d0d6e3d6e52698e646af9362fae8c63d347092efd300d95f51e5bfcf7d6285e44ad4e80fb876e119b2c7730801869e7cf05807483e9c1e0264f27d0a6cd49d |
C:\Windows\system\GUrqGiH.exe
| MD5 | e0b3e54336c5a4770bd9df5ec2b018fb |
| SHA1 | ae9f8a23a3a8bdff3ea72426add901c88bea9ed7 |
| SHA256 | 553b19cd5151a120f51d9c846368e49825b604150abe77585c33bf5781f8ffcf |
| SHA512 | 728e7e4ae869e0e55fe50f07b07059ad8e5d97ef02c08695c2818a43a79fdb9dca10007e6bc317f225bbc2aaf32aa215cb70593bbb70a752ab04b8e031a7f7be |
memory/1772-100-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/1192-99-0x00000000023A0000-0x00000000026F4000-memory.dmp
C:\Windows\system\wvbaixL.exe
| MD5 | 15ab84f567572f0e271e0849f4fbd92f |
| SHA1 | 03bbbda62fb459199fcf3bcb5c8a3e098fd6eae4 |
| SHA256 | b9f43f4f0d932b43047260a8deab1838f8df2536ec1836a5a66a8af6052fc00e |
| SHA512 | 39daf88c213050df778f6c49a1252ac129cd2217ea09be84cf9fc6bdebfd6c1f59b13f5884d6d422dd782bc86aa5a9838857338dbd1f3543166d3581d7866e54 |
C:\Windows\system\HWrpaDa.exe
| MD5 | 91b46dd8a46a5d995819f1eb664c7db1 |
| SHA1 | 94e8bbad810edf274ae879bf76a00bdc19a74424 |
| SHA256 | 70954e926577f7124411644b244b71a208fdc9d4c05f2592303ee9d92002b11c |
| SHA512 | 3470da31e81eaa0fa333ad603992a5a2ea32e4e8006e81a25ab84e29b25ffd2bdc8076e8f40c4dd6c94414292bee0affbe56366eae44016dbf623f56e68a3680 |
memory/1192-90-0x00000000023A0000-0x00000000026F4000-memory.dmp
memory/2900-89-0x000000013F300000-0x000000013F654000-memory.dmp
C:\Windows\system\xzvpMEh.exe
| MD5 | bd522959fc9a352329c759fc1b02d7e0 |
| SHA1 | 0ca43329da019f8bb38196b7546bbf8f10c9871c |
| SHA256 | 08607ad05ef7206491066f9de1191e373259b6754c6a293fa94cba25135041e9 |
| SHA512 | 3648ba55175cb9efe7fcbebd175c55339fb11f1a6f6e9e83a94003dcebaf1077d4307c959bbd84f48cd6278736b765172c607f60ca2f9cef8875493bad0fcd23 |
C:\Windows\system\cLRpNXW.exe
| MD5 | 9cac380d5d100c3a5f89871eb2050174 |
| SHA1 | 428c3637050a1233efe2d8bb05bb09a0cd8d08ce |
| SHA256 | 05b8a1767e8722057db908380243f6037ae84b422808a2d1f426b59de1dc92d2 |
| SHA512 | f806142df912404c1caa0176edaa4f5a127e05ace565fa2495ad1858001fdb97a0da9d61633b399e415f2eafb139d85f81a9b9ba0d085a1990e59c4d34a0ec3e |
C:\Windows\system\DarVDWZ.exe
| MD5 | f2989c1a18f13a62cc11c12b66ab9acf |
| SHA1 | 69769d6fb17b9d9ca0e39ad5cd781d7a42d29d6d |
| SHA256 | 81f993db3ba3bf7a26e976124e3cddf6d85207595aeb6c55eaa9fd5dea7fe73f |
| SHA512 | 7255b78af8748559f3102976c24421b621808a2a42f1447ec1e00aad6271d19b74003575cf351dc61bf9cc1745726525bb2caf38a85c32d0166cdb210d296d42 |
memory/1192-50-0x000000013F3C0000-0x000000013F714000-memory.dmp
memory/2832-44-0x000000013FF00000-0x0000000140254000-memory.dmp
C:\Windows\system\VHCgQim.exe
| MD5 | 8466fd1c3a1b44ba2820909beba4ec89 |
| SHA1 | 70b3af49b45176465acd55daa4c38109980d3310 |
| SHA256 | b9f93bb5852617df9f866dd3e43f349d4bfc8db478fd1c45e113f88200168b65 |
| SHA512 | 4fded91a435a9668708a649bc444299750917172591891069793b42712249448ee40d81399716baa72977b86894c3996786e2870aa671983cb6898dd86715050 |
memory/1192-36-0x000000013F1D0000-0x000000013F524000-memory.dmp
memory/2968-29-0x000000013F580000-0x000000013F8D4000-memory.dmp
memory/1192-28-0x000000013F580000-0x000000013F8D4000-memory.dmp
memory/2312-19-0x000000013F7C0000-0x000000013FB14000-memory.dmp
memory/1192-17-0x000000013F7C0000-0x000000013FB14000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 05:42
Reported
2024-06-10 05:45
Platform
win10v2004-20240426-en
Max time kernel
137s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\teeQZgL.exe | N/A |
| N/A | N/A | C:\Windows\System\jATxYRT.exe | N/A |
| N/A | N/A | C:\Windows\System\tSKtLeg.exe | N/A |
| N/A | N/A | C:\Windows\System\rIMuSYs.exe | N/A |
| N/A | N/A | C:\Windows\System\FIapuog.exe | N/A |
| N/A | N/A | C:\Windows\System\XZhUeQy.exe | N/A |
| N/A | N/A | C:\Windows\System\EyETLIH.exe | N/A |
| N/A | N/A | C:\Windows\System\CTCtSZz.exe | N/A |
| N/A | N/A | C:\Windows\System\xKikjob.exe | N/A |
| N/A | N/A | C:\Windows\System\AFyzcBF.exe | N/A |
| N/A | N/A | C:\Windows\System\YJKqZBK.exe | N/A |
| N/A | N/A | C:\Windows\System\xZrgAmP.exe | N/A |
| N/A | N/A | C:\Windows\System\NeIBuJM.exe | N/A |
| N/A | N/A | C:\Windows\System\YJhEodi.exe | N/A |
| N/A | N/A | C:\Windows\System\FAcoBxr.exe | N/A |
| N/A | N/A | C:\Windows\System\WaLJrEy.exe | N/A |
| N/A | N/A | C:\Windows\System\MrtSmYD.exe | N/A |
| N/A | N/A | C:\Windows\System\yVBEbea.exe | N/A |
| N/A | N/A | C:\Windows\System\WuFvLnb.exe | N/A |
| N/A | N/A | C:\Windows\System\GUksFQa.exe | N/A |
| N/A | N/A | C:\Windows\System\ETHeeKW.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_4dc41e6f388de033cd821f1cb79dfe31_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\teeQZgL.exe
C:\Windows\System\teeQZgL.exe
C:\Windows\System\jATxYRT.exe
C:\Windows\System\jATxYRT.exe
C:\Windows\System\tSKtLeg.exe
C:\Windows\System\tSKtLeg.exe
C:\Windows\System\rIMuSYs.exe
C:\Windows\System\rIMuSYs.exe
C:\Windows\System\FIapuog.exe
C:\Windows\System\FIapuog.exe
C:\Windows\System\XZhUeQy.exe
C:\Windows\System\XZhUeQy.exe
C:\Windows\System\EyETLIH.exe
C:\Windows\System\EyETLIH.exe
C:\Windows\System\CTCtSZz.exe
C:\Windows\System\CTCtSZz.exe
C:\Windows\System\xKikjob.exe
C:\Windows\System\xKikjob.exe
C:\Windows\System\AFyzcBF.exe
C:\Windows\System\AFyzcBF.exe
C:\Windows\System\YJKqZBK.exe
C:\Windows\System\YJKqZBK.exe
C:\Windows\System\xZrgAmP.exe
C:\Windows\System\xZrgAmP.exe
C:\Windows\System\NeIBuJM.exe
C:\Windows\System\NeIBuJM.exe
C:\Windows\System\YJhEodi.exe
C:\Windows\System\YJhEodi.exe
C:\Windows\System\FAcoBxr.exe
C:\Windows\System\FAcoBxr.exe
C:\Windows\System\WaLJrEy.exe
C:\Windows\System\WaLJrEy.exe
C:\Windows\System\MrtSmYD.exe
C:\Windows\System\MrtSmYD.exe
C:\Windows\System\yVBEbea.exe
C:\Windows\System\yVBEbea.exe
C:\Windows\System\WuFvLnb.exe
C:\Windows\System\WuFvLnb.exe
C:\Windows\System\GUksFQa.exe
C:\Windows\System\GUksFQa.exe
C:\Windows\System\ETHeeKW.exe
C:\Windows\System\ETHeeKW.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files