Analysis Overview
SHA256
773c34cc7ad11814dee4ff2e4155ad3f08918b408bc2333ae68863a1394e4f2f
Threat Level: Known bad
The file 2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
XMRig Miner payload
xmrig
Cobaltstrike family
Cobaltstrike
Detects Reflective DLL injection artifacts
Xmrig family
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Analysis: static1
Detonation Overview
Reported
2024-06-10 09:05
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 09:05
Reported
2024-06-10 09:08
Platform
win7-20231129-en
Max time kernel
136s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(21 matches reported, all without description, indicator, process or target details.)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(21 matches reported, all without description, indicator, process or target details.)
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(55 matches reported, all without description, indicator, process or target details.)
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(56 matches reported, all without description, indicator, process or target details.)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\tFbSYBW.exe | N/A |
| N/A | N/A | C:\Windows\System\QuODLzJ.exe | N/A |
| N/A | N/A | C:\Windows\System\sXsoteO.exe | N/A |
| N/A | N/A | C:\Windows\System\nGsGpsR.exe | N/A |
| N/A | N/A | C:\Windows\System\yZRPOhC.exe | N/A |
| N/A | N/A | C:\Windows\System\fQBxSZe.exe | N/A |
| N/A | N/A | C:\Windows\System\kbPadkh.exe | N/A |
| N/A | N/A | C:\Windows\System\qXBGnSv.exe | N/A |
| N/A | N/A | C:\Windows\System\wAOUoCf.exe | N/A |
| N/A | N/A | C:\Windows\System\BqnzgQx.exe | N/A |
| N/A | N/A | C:\Windows\System\YSaiCOP.exe | N/A |
| N/A | N/A | C:\Windows\System\wNozmvD.exe | N/A |
| N/A | N/A | C:\Windows\System\LoEPehK.exe | N/A |
| N/A | N/A | C:\Windows\System\MYrapkQ.exe | N/A |
| N/A | N/A | C:\Windows\System\ifhbkRZ.exe | N/A |
| N/A | N/A | C:\Windows\System\YSPITfZ.exe | N/A |
| N/A | N/A | C:\Windows\System\EFrfOFj.exe | N/A |
| N/A | N/A | C:\Windows\System\ZcfjcvU.exe | N/A |
| N/A | N/A | C:\Windows\System\IYwoZvi.exe | N/A |
| N/A | N/A | C:\Windows\System\jbHGITa.exe | N/A |
| N/A | N/A | C:\Windows\System\DswgjXQ.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(55 matches reported, all without description, indicator, process or target details.)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\tFbSYBW.exe
C:\Windows\System\tFbSYBW.exe
C:\Windows\System\QuODLzJ.exe
C:\Windows\System\QuODLzJ.exe
C:\Windows\System\sXsoteO.exe
C:\Windows\System\sXsoteO.exe
C:\Windows\System\nGsGpsR.exe
C:\Windows\System\nGsGpsR.exe
C:\Windows\System\yZRPOhC.exe
C:\Windows\System\yZRPOhC.exe
C:\Windows\System\fQBxSZe.exe
C:\Windows\System\fQBxSZe.exe
C:\Windows\System\kbPadkh.exe
C:\Windows\System\kbPadkh.exe
C:\Windows\System\qXBGnSv.exe
C:\Windows\System\qXBGnSv.exe
C:\Windows\System\wAOUoCf.exe
C:\Windows\System\wAOUoCf.exe
C:\Windows\System\BqnzgQx.exe
C:\Windows\System\BqnzgQx.exe
C:\Windows\System\YSaiCOP.exe
C:\Windows\System\YSaiCOP.exe
C:\Windows\System\wNozmvD.exe
C:\Windows\System\wNozmvD.exe
C:\Windows\System\LoEPehK.exe
C:\Windows\System\LoEPehK.exe
C:\Windows\System\MYrapkQ.exe
C:\Windows\System\MYrapkQ.exe
C:\Windows\System\ifhbkRZ.exe
C:\Windows\System\ifhbkRZ.exe
C:\Windows\System\YSPITfZ.exe
C:\Windows\System\YSPITfZ.exe
C:\Windows\System\EFrfOFj.exe
C:\Windows\System\EFrfOFj.exe
C:\Windows\System\ZcfjcvU.exe
C:\Windows\System\ZcfjcvU.exe
C:\Windows\System\IYwoZvi.exe
C:\Windows\System\IYwoZvi.exe
C:\Windows\System\jbHGITa.exe
C:\Windows\System\jbHGITa.exe
C:\Windows\System\DswgjXQ.exe
C:\Windows\System\DswgjXQ.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1848-0-0x000000013F020000-0x000000013F374000-memory.dmp
memory/1848-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\tFbSYBW.exe
| MD5 | a0a032b7de2efacc478206e6f2cc2659 |
| SHA1 | d54fdf3c58be2e67ebd1ac91caea8003ac639efa |
| SHA256 | 13147fdc22b8807aef1ac697ed90a8039be5df83b74541461c694e79a8ca429f |
| SHA512 | bc231b33f528c65f17412955731d279a68e111a85f6e8254c7d84e45a69d1900679d6abf8be9a5190c84105f5ade16619261b0adad1e73f12229b906d32610fd |
memory/1848-7-0x00000000022F0000-0x0000000002644000-memory.dmp
\Windows\system\QuODLzJ.exe
| MD5 | 73ad9e2b727d078d306ee3070eb2fa7e |
| SHA1 | a1cb2b02487e53ee9c04975de8f7b16748c64f33 |
| SHA256 | 47865061cc9641e4ffe334a1129de9c30686a1f6b56269a3c0f159f878cabbc8 |
| SHA512 | 6cf7cd82c709f17b1056006b25abda28b2b302329a1eb9bec8857bfe26a42f8cbfc722b6b9962ba87923fe772255b3cded288220f9e496b1be5252adfe7668ec |
memory/2288-13-0x000000013F1E0000-0x000000013F534000-memory.dmp
C:\Windows\system\nGsGpsR.exe
| MD5 | cf563126ac9919e4171cefe69de27ec8 |
| SHA1 | 7825d3ec0007074aa96a4b02ab314a55b71e9c50 |
| SHA256 | 5d2ab58207d1f3b216ed0d1bcaec76069f72da01c2418a425106a4a50234f1dc |
| SHA512 | 36e71ff994406818736fd5d5ed3ae107687b68fa42a7ac7f070fb64cdbed992945ffcb4a3252622785db99c81edd1c5f63cc356198726ad2fd7c4a86622d50e1 |
memory/1848-23-0x000000013F500000-0x000000013F854000-memory.dmp
memory/2552-21-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/2844-27-0x000000013F500000-0x000000013F854000-memory.dmp
memory/2576-28-0x000000013FC80000-0x000000013FFD4000-memory.dmp
C:\Windows\system\sXsoteO.exe
| MD5 | f62ea7ed3cefebbdbf7198487651d0a0 |
| SHA1 | c5e1abaf60bf2fd3a5e96f7833635d08ebc35f58 |
| SHA256 | c63b84194b827cd412eabaa7373c49e68c8ccafa60d212e87b17c67030e30d59 |
| SHA512 | 5e85813e9ae7bd09b5cb53a2ab0952fc233644f6ef5d87dbfcc809f2e84d07df4c4d5da495d5e45505f6360cbf84f6abaec4e36d6de17421b6c097805c1149de |
\Windows\system\yZRPOhC.exe
| MD5 | 7d742915d0b44d85b949d95d7827b0d0 |
| SHA1 | e61835c258a1e69f3286a0ab523f092df09b1dc2 |
| SHA256 | b209d3cf41c9d61911b9df4e2fd02e74f5972408fdcba4b46d29c58d514d4882 |
| SHA512 | 47f80e0a7b8f9f246732a46dd86c77135fc7e70c12df3d7705c0cc5d7b5484ad331fca465e4a1fdcc5cab434eb955b1544e4ca875a9edd682b43fa185cd8a7f3 |
memory/1848-33-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2752-35-0x000000013F830000-0x000000013FB84000-memory.dmp
C:\Windows\system\fQBxSZe.exe
| MD5 | d8ec7bb41ed0919e6ed30a65e51141e7 |
| SHA1 | 407611d086d8b61644ef0641672df175b86b560d |
| SHA256 | 8a44d0a03cb7879774986a8de7bd1b269905096e31a0fc0409da1193e5f5fdc4 |
| SHA512 | b9b287a86a412e348474973e9d792a00c97379a2035912c5526efb2a0a86d72a385ebfade94b50be19d5a4210256d7113cc80b9e514722aae9af71545b6d67cb |
memory/2824-49-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/2160-52-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2504-56-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/1848-55-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/1848-54-0x000000013FF40000-0x0000000140294000-memory.dmp
C:\Windows\system\qXBGnSv.exe
| MD5 | dfe527d0c980072fc58b447c0e7a470c |
| SHA1 | 000350f416f6b44fe7313014d639dd68b506e9db |
| SHA256 | d04b772df3cb8ea8673aa15c44b6dcea3892ea478427544d0ce680f6cac26177 |
| SHA512 | f2b4e5e65e23ae88accc38ed33ac43b36bc5e93dd136a9fd11137b17f0bdbf094b06d4968a9b017768e6ee3dc93af2b67aab324109450630e787687c4119907c |
C:\Windows\system\kbPadkh.exe
| MD5 | 1e1df53037fa2cc99fa51e671427c5b8 |
| SHA1 | 43ed4c24275111523984bce13cca1bc38831a11f |
| SHA256 | 0c4292fe6a9a86cac406740846fe2f7b31d669b3a3e36ad657775f1d1fbd6235 |
| SHA512 | 1db61197359481263ca3ccdfbbd39b71acf95b7d5ac809ed8880e5b32d841de09beebf534b616c905e11b00bd1eb24e365f0f9eb19dbc5b90d726ea662487b64 |
memory/1848-43-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/1832-62-0x000000013FC70000-0x000000013FFC4000-memory.dmp
C:\Windows\system\wAOUoCf.exe
| MD5 | 72496f2bf18ffcd4b79df5ad6e36dbeb |
| SHA1 | 4244ca669ecd978cf146667eeafc2fc31fffe4f7 |
| SHA256 | 71a01dbd4c2df2d04d79f63c7018a7251dd4a7251790479c39b70544261cbd9d |
| SHA512 | cd34e5d182e4bfdc56b9090d861aaf4880eabc9fde6f2fcd82eea6081ad9368abb4430fd47176dd5ee61c06aa4967c47cb454fd64d9d6b4ee6fdc95643a30ccd |
memory/1848-58-0x000000013FC70000-0x000000013FFC4000-memory.dmp
memory/1848-70-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/2172-71-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2552-68-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/2288-78-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/1848-77-0x000000013F020000-0x000000013F374000-memory.dmp
memory/1660-79-0x000000013FC90000-0x000000013FFE4000-memory.dmp
C:\Windows\system\YSaiCOP.exe
| MD5 | 8213cedfe1387a703114012f82b10000 |
| SHA1 | 0572f0d19176c0759cb3de9e627125af81330165 |
| SHA256 | 221ea3dc207f3629ea3c414657c296ed0cde983ffda007bcb2566292c209cbbe |
| SHA512 | 55f81c30f34a2333079166320fa851b8b0205b03a8bf36c4f70ee4562d96f256fddd0f3675d5275e9efbfbbc4d6a87ea127325290182914eea603b5d199dde09 |
C:\Windows\system\BqnzgQx.exe
| MD5 | 743a99fc539ad3eca1599447908a66a7 |
| SHA1 | fae178418c4cd8fc858e26907f814849fb8b2af1 |
| SHA256 | 037cd8d56066bdde3e131072abbee8a6eeb568b373bfb2a5ecc155994f07c007 |
| SHA512 | 9e2476118f05225b173f0848a436b40bb647d2c336050428aebf0ecea1d64ca0356eebefe55ff1715543722fc7014f5caa3c949d145bb2639ef5397bf6835410 |
C:\Windows\system\wNozmvD.exe
| MD5 | 4a8b134e17c59afd155ea7ac77adc183 |
| SHA1 | 6ccff72fe2fd08d65943911ab6da411fe9b318c4 |
| SHA256 | 2b279f4256910a35c78281112bfa06c035f8ba0a4b49fe9f1aa5e26a6cf7d81e |
| SHA512 | 5eef6ab5a2e829d0c855bb2b94d59c3474cd2558d99b469d2aac0eb44150ac9e214b526681c7101ecb82c030940ed1fb2af9d98ee186b4c4dd1b5927edf090fd |
\Windows\system\LoEPehK.exe
| MD5 | 0127e9950bbf34697c74e5d88ebec6f7 |
| SHA1 | cb3ac6c9bb3b916bf3447a2363104314229a457b |
| SHA256 | a3e08ce4ea4e662766e74ac2ef25143126db25360183bddaac8b8af2cf0da6a3 |
| SHA512 | d3465f02ba569ca873e0dfe09b2bebf3060ef62dde6a9e67a248308888880a25ba41b7be03b6a0e8f0dad60b37fbf05008267f527bbd86965b10e6b9a58cc4d5 |
memory/2652-92-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/1848-91-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2648-85-0x000000013FCD0000-0x0000000140024000-memory.dmp
C:\Windows\system\MYrapkQ.exe
| MD5 | 0cf6d6c2c5770d8fdd84d72c8d264d83 |
| SHA1 | f6727613a7c2a8dd52d546a74290538734aa6194 |
| SHA256 | 9387c8cd8619bf7ce17c5e7d42e202ea2041578dfead493b025f7cd6ed898a2c |
| SHA512 | fa7ebc6a382d8c1a7a4df9a78c80c6b0e0ca5703ea981cd10928db0b6365a1b0294f1033608d7592045a7548f6d0b775eada71157c6b9a1ba31a00e993863268 |
C:\Windows\system\ifhbkRZ.exe
| MD5 | 71563e5d1e40d8bc52af9994ac46511d |
| SHA1 | 83dea50e1c05826ee1d3c9fe131677e755ed7713 |
| SHA256 | ebe7c7dd2aa5d4ab324ddfe9dc9bbdc2d34f2e712ee53303881571ddea83028a |
| SHA512 | 5423e8c7705dd9d4b556eab88e33f43f7f336b2e27b6e240df475a48a528c6b5101352aad38e766e1f1458324b95f4215f911bacd17cf69b91b3657d3ad2bf1a |
C:\Windows\system\YSPITfZ.exe
| MD5 | acf523568515a43adb3a1e5cbac1afb0 |
| SHA1 | 4aaf7fab2599e90f0323dc6b715e26e78e4aac22 |
| SHA256 | 49b35d77d8c90e5117acbaa178b5ddbb0db9c2674122b691abbb6d77a5b132d1 |
| SHA512 | fed7c2eaa99d007a102715023d8353f170bcf110cf4e9240b58c719051a319dbc5858f001f9de85cd9deae623b4562a18cdd312cc86156d475e873ab43db01c5 |
C:\Windows\system\ZcfjcvU.exe
| MD5 | bca958a51ecd1ce982e613f5a050cadf |
| SHA1 | 62316af19447ff0031d741e04441b4a0a2cc677a |
| SHA256 | f1180717a7c2be1eee4ed5dfa9a0f708760ed0d4844d515e8c089b8dc71d796a |
| SHA512 | 10201915f03aabbb8b885987ae58d2fcbf4a52ca7bb43330778dc21870b5ab4f111878861547e52185099980be90edab0201c7a54b42a7cecbf1e1c58aeb6597 |
\Windows\system\DswgjXQ.exe
| MD5 | 6c9a638768de1f227904511549b75cf8 |
| SHA1 | eeb8ce6ac42d54fb8e7c2d240c98a3fb4a978f85 |
| SHA256 | 74f55ced4b40f634da0603d5980db0c7a9e1697d633df0c2d5be0899c776b9b1 |
| SHA512 | dfeea52d2eddd27243254245de07cbd1509b0cbeb0d70845b0527b2bb4d1876867df4d5ae7e2d7b6f12259b31b1141e4a3c995c1f9525040dfedd7c02e8645a8 |
C:\Windows\system\IYwoZvi.exe
| MD5 | 38d17d36d11e945515bd857b7bb094bb |
| SHA1 | 6d0b845b0cc03f221e06040d38d2dc585b385c2c |
| SHA256 | 9c89bab40497ada1586cae46ca7bffea9c03a59d15718fe848e449f7fb02c4c7 |
| SHA512 | efa79e559065c096a018ab9fd0aad9c1b7d38e53a86149a83661251de902f8239bee85d952dca0daf98fd9c5f1611681d233ed478df23726a8de99e1ebd4e389 |
C:\Windows\system\jbHGITa.exe
| MD5 | e06b81cecad195469df86100f1f8a4d3 |
| SHA1 | 7b078190bb002f73ab11d6153c8a60f4fa132c2d |
| SHA256 | 4e4e3db77005f6488a0b336adbf4980036d22f44422e42b14dd6932469eb0453 |
| SHA512 | 177a9dfabb6fda578c3cb37cb2f82186c16327d7ca7a8958f02902f504bb5b4879df8a0580eaa91d01c218aec11ce8a7c2017b19d1a16d715426f3f40b741e9c |
C:\Windows\system\EFrfOFj.exe
| MD5 | 9e2de334379ba34ddf0bc81be6d44df1 |
| SHA1 | 8588ed66a52b9a03857ce44770dc3eb4ac564713 |
| SHA256 | b0d94199a85ea5649d827e3c74df4762dc00f3dc84856922dbc5105f9acb0a7f |
| SHA512 | 68c7578e6205beeb8c979c565c558829c0657d17fd678558f3a1b6392c822c4c2db001f9c1b9f744d03e34b8267f0745d5385768e01194a51f3dc05d40fec3e6 |
memory/1848-133-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/1848-135-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/2160-136-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2568-134-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/1848-131-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/1832-137-0x000000013FC70000-0x000000013FFC4000-memory.dmp
memory/1848-138-0x00000000022F0000-0x0000000002644000-memory.dmp
memory/1848-139-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/1848-140-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/2288-141-0x000000013F1E0000-0x000000013F534000-memory.dmp
memory/2844-142-0x000000013F500000-0x000000013F854000-memory.dmp
memory/2552-143-0x000000013F6F0000-0x000000013FA44000-memory.dmp
memory/2576-144-0x000000013FC80000-0x000000013FFD4000-memory.dmp
memory/2752-145-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2824-146-0x000000013F8D0000-0x000000013FC24000-memory.dmp
memory/2160-147-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2504-148-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/1832-149-0x000000013FC70000-0x000000013FFC4000-memory.dmp
memory/2172-150-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/1660-151-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/2648-152-0x000000013FCD0000-0x0000000140024000-memory.dmp
memory/2652-153-0x000000013FE90000-0x00000001401E4000-memory.dmp
memory/2568-154-0x000000013FF40000-0x0000000140294000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 09:05
Reported
2024-06-10 09:08
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(21 matches reported, all without description, indicator, process or target details.)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(21 matches reported, all without description, indicator, process or target details.)
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 matches reported, all without description, indicator, process or target details.)
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 matches reported, all without description, indicator, process or target details.)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\tFbSYBW.exe | N/A |
| N/A | N/A | C:\Windows\System\QuODLzJ.exe | N/A |
| N/A | N/A | C:\Windows\System\sXsoteO.exe | N/A |
| N/A | N/A | C:\Windows\System\nGsGpsR.exe | N/A |
| N/A | N/A | C:\Windows\System\yZRPOhC.exe | N/A |
| N/A | N/A | C:\Windows\System\fQBxSZe.exe | N/A |
| N/A | N/A | C:\Windows\System\kbPadkh.exe | N/A |
| N/A | N/A | C:\Windows\System\qXBGnSv.exe | N/A |
| N/A | N/A | C:\Windows\System\wAOUoCf.exe | N/A |
| N/A | N/A | C:\Windows\System\BqnzgQx.exe | N/A |
| N/A | N/A | C:\Windows\System\YSaiCOP.exe | N/A |
| N/A | N/A | C:\Windows\System\wNozmvD.exe | N/A |
| N/A | N/A | C:\Windows\System\LoEPehK.exe | N/A |
| N/A | N/A | C:\Windows\System\MYrapkQ.exe | N/A |
| N/A | N/A | C:\Windows\System\ifhbkRZ.exe | N/A |
| N/A | N/A | C:\Windows\System\YSPITfZ.exe | N/A |
| N/A | N/A | C:\Windows\System\EFrfOFj.exe | N/A |
| N/A | N/A | C:\Windows\System\ZcfjcvU.exe | N/A |
| N/A | N/A | C:\Windows\System\IYwoZvi.exe | N/A |
| N/A | N/A | C:\Windows\System\jbHGITa.exe | N/A |
| N/A | N/A | C:\Windows\System\DswgjXQ.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 matches reported, all without description, indicator, process or target details.)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-10_ff1aee65bb41508976b2284dbd6db10f_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\tFbSYBW.exe
C:\Windows\System\tFbSYBW.exe
C:\Windows\System\QuODLzJ.exe
C:\Windows\System\QuODLzJ.exe
C:\Windows\System\sXsoteO.exe
C:\Windows\System\sXsoteO.exe
C:\Windows\System\nGsGpsR.exe
C:\Windows\System\nGsGpsR.exe
C:\Windows\System\yZRPOhC.exe
C:\Windows\System\yZRPOhC.exe
C:\Windows\System\fQBxSZe.exe
C:\Windows\System\fQBxSZe.exe
C:\Windows\System\kbPadkh.exe
C:\Windows\System\kbPadkh.exe
C:\Windows\System\qXBGnSv.exe
C:\Windows\System\qXBGnSv.exe
C:\Windows\System\wAOUoCf.exe
C:\Windows\System\wAOUoCf.exe
C:\Windows\System\BqnzgQx.exe
C:\Windows\System\BqnzgQx.exe
C:\Windows\System\YSaiCOP.exe
C:\Windows\System\YSaiCOP.exe
C:\Windows\System\wNozmvD.exe
C:\Windows\System\wNozmvD.exe
C:\Windows\System\LoEPehK.exe
C:\Windows\System\LoEPehK.exe
C:\Windows\System\MYrapkQ.exe
C:\Windows\System\MYrapkQ.exe
C:\Windows\System\ifhbkRZ.exe
C:\Windows\System\ifhbkRZ.exe
C:\Windows\System\YSPITfZ.exe
C:\Windows\System\YSPITfZ.exe
C:\Windows\System\EFrfOFj.exe
C:\Windows\System\EFrfOFj.exe
C:\Windows\System\ZcfjcvU.exe
C:\Windows\System\ZcfjcvU.exe
C:\Windows\System\IYwoZvi.exe
C:\Windows\System\IYwoZvi.exe
C:\Windows\System\jbHGITa.exe
C:\Windows\System\jbHGITa.exe
C:\Windows\System\DswgjXQ.exe
C:\Windows\System\DswgjXQ.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.15.31.184.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4952-0-0x00007FF612180000-0x00007FF6124D4000-memory.dmp
memory/4952-1-0x00000158C1EE0000-0x00000158C1EF0000-memory.dmp
C:\Windows\System\tFbSYBW.exe
| MD5 | a0a032b7de2efacc478206e6f2cc2659 |
| SHA1 | d54fdf3c58be2e67ebd1ac91caea8003ac639efa |
| SHA256 | 13147fdc22b8807aef1ac697ed90a8039be5df83b74541461c694e79a8ca429f |
| SHA512 | bc231b33f528c65f17412955731d279a68e111a85f6e8254c7d84e45a69d1900679d6abf8be9a5190c84105f5ade16619261b0adad1e73f12229b906d32610fd |
memory/4092-8-0x00007FF6C6A60000-0x00007FF6C6DB4000-memory.dmp
C:\Windows\System\QuODLzJ.exe
| MD5 | 73ad9e2b727d078d306ee3070eb2fa7e |
| SHA1 | a1cb2b02487e53ee9c04975de8f7b16748c64f33 |
| SHA256 | 47865061cc9641e4ffe334a1129de9c30686a1f6b56269a3c0f159f878cabbc8 |
| SHA512 | 6cf7cd82c709f17b1056006b25abda28b2b302329a1eb9bec8857bfe26a42f8cbfc722b6b9962ba87923fe772255b3cded288220f9e496b1be5252adfe7668ec |
C:\Windows\System\sXsoteO.exe
| MD5 | f62ea7ed3cefebbdbf7198487651d0a0 |
| SHA1 | c5e1abaf60bf2fd3a5e96f7833635d08ebc35f58 |
| SHA256 | c63b84194b827cd412eabaa7373c49e68c8ccafa60d212e87b17c67030e30d59 |
| SHA512 | 5e85813e9ae7bd09b5cb53a2ab0952fc233644f6ef5d87dbfcc809f2e84d07df4c4d5da495d5e45505f6360cbf84f6abaec4e36d6de17421b6c097805c1149de |
memory/3764-14-0x00007FF725560000-0x00007FF7258B4000-memory.dmp
memory/3488-22-0x00007FF7D4880000-0x00007FF7D4BD4000-memory.dmp
C:\Windows\System\nGsGpsR.exe
| MD5 | cf563126ac9919e4171cefe69de27ec8 |
| SHA1 | 7825d3ec0007074aa96a4b02ab314a55b71e9c50 |
| SHA256 | 5d2ab58207d1f3b216ed0d1bcaec76069f72da01c2418a425106a4a50234f1dc |
| SHA512 | 36e71ff994406818736fd5d5ed3ae107687b68fa42a7ac7f070fb64cdbed992945ffcb4a3252622785db99c81edd1c5f63cc356198726ad2fd7c4a86622d50e1 |
memory/3152-30-0x00007FF63F2D0000-0x00007FF63F624000-memory.dmp
C:\Windows\System\yZRPOhC.exe
| MD5 | 7d742915d0b44d85b949d95d7827b0d0 |
| SHA1 | e61835c258a1e69f3286a0ab523f092df09b1dc2 |
| SHA256 | b209d3cf41c9d61911b9df4e2fd02e74f5972408fdcba4b46d29c58d514d4882 |
| SHA512 | 47f80e0a7b8f9f246732a46dd86c77135fc7e70c12df3d7705c0cc5d7b5484ad331fca465e4a1fdcc5cab434eb955b1544e4ca875a9edd682b43fa185cd8a7f3 |
C:\Windows\System\fQBxSZe.exe
| MD5 | d8ec7bb41ed0919e6ed30a65e51141e7 |
| SHA1 | 407611d086d8b61644ef0641672df175b86b560d |
| SHA256 | 8a44d0a03cb7879774986a8de7bd1b269905096e31a0fc0409da1193e5f5fdc4 |
| SHA512 | b9b287a86a412e348474973e9d792a00c97379a2035912c5526efb2a0a86d72a385ebfade94b50be19d5a4210256d7113cc80b9e514722aae9af71545b6d67cb |
C:\Windows\System\qXBGnSv.exe
| MD5 | dfe527d0c980072fc58b447c0e7a470c |
| SHA1 | 000350f416f6b44fe7313014d639dd68b506e9db |
| SHA256 | d04b772df3cb8ea8673aa15c44b6dcea3892ea478427544d0ce680f6cac26177 |
| SHA512 | f2b4e5e65e23ae88accc38ed33ac43b36bc5e93dd136a9fd11137b17f0bdbf094b06d4968a9b017768e6ee3dc93af2b67aab324109450630e787687c4119907c |
memory/2204-46-0x00007FF709C00000-0x00007FF709F54000-memory.dmp
C:\Windows\System\wAOUoCf.exe
| MD5 | 72496f2bf18ffcd4b79df5ad6e36dbeb |
| SHA1 | 4244ca669ecd978cf146667eeafc2fc31fffe4f7 |
| SHA256 | 71a01dbd4c2df2d04d79f63c7018a7251dd4a7251790479c39b70544261cbd9d |
| SHA512 | cd34e5d182e4bfdc56b9090d861aaf4880eabc9fde6f2fcd82eea6081ad9368abb4430fd47176dd5ee61c06aa4967c47cb454fd64d9d6b4ee6fdc95643a30ccd |
C:\Windows\System\kbPadkh.exe
| MD5 | 1e1df53037fa2cc99fa51e671427c5b8 |
| SHA1 | 43ed4c24275111523984bce13cca1bc38831a11f |
| SHA256 | 0c4292fe6a9a86cac406740846fe2f7b31d669b3a3e36ad657775f1d1fbd6235 |
| SHA512 | 1db61197359481263ca3ccdfbbd39b71acf95b7d5ac809ed8880e5b32d841de09beebf534b616c905e11b00bd1eb24e365f0f9eb19dbc5b90d726ea662487b64 |
C:\Windows\System\BqnzgQx.exe
| MD5 | 743a99fc539ad3eca1599447908a66a7 |
| SHA1 | fae178418c4cd8fc858e26907f814849fb8b2af1 |
| SHA256 | 037cd8d56066bdde3e131072abbee8a6eeb568b373bfb2a5ecc155994f07c007 |
| SHA512 | 9e2476118f05225b173f0848a436b40bb647d2c336050428aebf0ecea1d64ca0356eebefe55ff1715543722fc7014f5caa3c949d145bb2639ef5397bf6835410 |
C:\Windows\System\YSaiCOP.exe
| MD5 | 8213cedfe1387a703114012f82b10000 |
| SHA1 | 0572f0d19176c0759cb3de9e627125af81330165 |
| SHA256 | 221ea3dc207f3629ea3c414657c296ed0cde983ffda007bcb2566292c209cbbe |
| SHA512 | 55f81c30f34a2333079166320fa851b8b0205b03a8bf36c4f70ee4562d96f256fddd0f3675d5275e9efbfbbc4d6a87ea127325290182914eea603b5d199dde09 |
C:\Windows\System\wNozmvD.exe
| MD5 | 4a8b134e17c59afd155ea7ac77adc183 |
| SHA1 | 6ccff72fe2fd08d65943911ab6da411fe9b318c4 |
| SHA256 | 2b279f4256910a35c78281112bfa06c035f8ba0a4b49fe9f1aa5e26a6cf7d81e |
| SHA512 | 5eef6ab5a2e829d0c855bb2b94d59c3474cd2558d99b469d2aac0eb44150ac9e214b526681c7101ecb82c030940ed1fb2af9d98ee186b4c4dd1b5927edf090fd |
C:\Windows\System\MYrapkQ.exe
| MD5 | 0cf6d6c2c5770d8fdd84d72c8d264d83 |
| SHA1 | f6727613a7c2a8dd52d546a74290538734aa6194 |
| SHA256 | 9387c8cd8619bf7ce17c5e7d42e202ea2041578dfead493b025f7cd6ed898a2c |
| SHA512 | fa7ebc6a382d8c1a7a4df9a78c80c6b0e0ca5703ea981cd10928db0b6365a1b0294f1033608d7592045a7548f6d0b775eada71157c6b9a1ba31a00e993863268 |
memory/4952-84-0x00007FF612180000-0x00007FF6124D4000-memory.dmp
memory/2592-85-0x00007FF735470000-0x00007FF7357C4000-memory.dmp
memory/2856-83-0x00007FF64DA20000-0x00007FF64DD74000-memory.dmp
memory/3768-79-0x00007FF665FF0000-0x00007FF666344000-memory.dmp
C:\Windows\System\LoEPehK.exe
| MD5 | 0127e9950bbf34697c74e5d88ebec6f7 |
| SHA1 | cb3ac6c9bb3b916bf3447a2363104314229a457b |
| SHA256 | a3e08ce4ea4e662766e74ac2ef25143126db25360183bddaac8b8af2cf0da6a3 |
| SHA512 | d3465f02ba569ca873e0dfe09b2bebf3060ef62dde6a9e67a248308888880a25ba41b7be03b6a0e8f0dad60b37fbf05008267f527bbd86965b10e6b9a58cc4d5 |
C:\Windows\System\ifhbkRZ.exe
| MD5 | 71563e5d1e40d8bc52af9994ac46511d |
| SHA1 | 83dea50e1c05826ee1d3c9fe131677e755ed7713 |
| SHA256 | ebe7c7dd2aa5d4ab324ddfe9dc9bbdc2d34f2e712ee53303881571ddea83028a |
| SHA512 | 5423e8c7705dd9d4b556eab88e33f43f7f336b2e27b6e240df475a48a528c6b5101352aad38e766e1f1458324b95f4215f911bacd17cf69b91b3657d3ad2bf1a |
C:\Windows\System\YSPITfZ.exe
| MD5 | acf523568515a43adb3a1e5cbac1afb0 |
| SHA1 | 4aaf7fab2599e90f0323dc6b715e26e78e4aac22 |
| SHA256 | 49b35d77d8c90e5117acbaa178b5ddbb0db9c2674122b691abbb6d77a5b132d1 |
| SHA512 | fed7c2eaa99d007a102715023d8353f170bcf110cf4e9240b58c719051a319dbc5858f001f9de85cd9deae623b4562a18cdd312cc86156d475e873ab43db01c5 |
memory/3764-117-0x00007FF725560000-0x00007FF7258B4000-memory.dmp
C:\Windows\System\DswgjXQ.exe
| MD5 | 6c9a638768de1f227904511549b75cf8 |
| SHA1 | eeb8ce6ac42d54fb8e7c2d240c98a3fb4a978f85 |
| SHA256 | 74f55ced4b40f634da0603d5980db0c7a9e1697d633df0c2d5be0899c776b9b1 |
| SHA512 | dfeea52d2eddd27243254245de07cbd1509b0cbeb0d70845b0527b2bb4d1876867df4d5ae7e2d7b6f12259b31b1141e4a3c995c1f9525040dfedd7c02e8645a8 |
C:\Windows\System\jbHGITa.exe
| MD5 | e06b81cecad195469df86100f1f8a4d3 |
| SHA1 | 7b078190bb002f73ab11d6153c8a60f4fa132c2d |
| SHA256 | 4e4e3db77005f6488a0b336adbf4980036d22f44422e42b14dd6932469eb0453 |
| SHA512 | 177a9dfabb6fda578c3cb37cb2f82186c16327d7ca7a8958f02902f504bb5b4879df8a0580eaa91d01c218aec11ce8a7c2017b19d1a16d715426f3f40b741e9c |
memory/3388-118-0x00007FF7C45C0000-0x00007FF7C4914000-memory.dmp
memory/3360-116-0x00007FF6F8D70000-0x00007FF6F90C4000-memory.dmp
C:\Windows\System\IYwoZvi.exe
| MD5 | 38d17d36d11e945515bd857b7bb094bb |
| SHA1 | 6d0b845b0cc03f221e06040d38d2dc585b385c2c |
| SHA256 | 9c89bab40497ada1586cae46ca7bffea9c03a59d15718fe848e449f7fb02c4c7 |
| SHA512 | efa79e559065c096a018ab9fd0aad9c1b7d38e53a86149a83661251de902f8239bee85d952dca0daf98fd9c5f1611681d233ed478df23726a8de99e1ebd4e389 |
C:\Windows\System\ZcfjcvU.exe
| MD5 | bca958a51ecd1ce982e613f5a050cadf |
| SHA1 | 62316af19447ff0031d741e04441b4a0a2cc677a |
| SHA256 | f1180717a7c2be1eee4ed5dfa9a0f708760ed0d4844d515e8c089b8dc71d796a |
| SHA512 | 10201915f03aabbb8b885987ae58d2fcbf4a52ca7bb43330778dc21870b5ab4f111878861547e52185099980be90edab0201c7a54b42a7cecbf1e1c58aeb6597 |
C:\Windows\System\EFrfOFj.exe
| MD5 | 9e2de334379ba34ddf0bc81be6d44df1 |
| SHA1 | 8588ed66a52b9a03857ce44770dc3eb4ac564713 |
| SHA256 | b0d94199a85ea5649d827e3c74df4762dc00f3dc84856922dbc5105f9acb0a7f |
| SHA512 | 68c7578e6205beeb8c979c565c558829c0657d17fd678558f3a1b6392c822c4c2db001f9c1b9f744d03e34b8267f0745d5385768e01194a51f3dc05d40fec3e6 |