Analysis Overview
SHA256
06a63e434ad133556c169e9ad28a4ca9f253f2d4651bae8829c0db074c98f72b
Threat Level: Known bad
The file 2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
XMRig Miner payload
Xmrig family
xmrig
Cobaltstrike
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Cobaltstrike family
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-11 08:04
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 08:04
Reported
2024-06-11 08:07
Platform
win7-20240508-en
Max time kernel
136s
Max time network
146s
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ZwinbeJ.exe | N/A |
| N/A | N/A | C:\Windows\System\wZSaQDu.exe | N/A |
| N/A | N/A | C:\Windows\System\pohvIrZ.exe | N/A |
| N/A | N/A | C:\Windows\System\WcMoIVR.exe | N/A |
| N/A | N/A | C:\Windows\System\xAVYKKd.exe | N/A |
| N/A | N/A | C:\Windows\System\lrPzJsl.exe | N/A |
| N/A | N/A | C:\Windows\System\RecBPsS.exe | N/A |
| N/A | N/A | C:\Windows\System\CnEYeBC.exe | N/A |
| N/A | N/A | C:\Windows\System\cOexwJO.exe | N/A |
| N/A | N/A | C:\Windows\System\GhujyLL.exe | N/A |
| N/A | N/A | C:\Windows\System\WDJFeeS.exe | N/A |
| N/A | N/A | C:\Windows\System\RGTZvwl.exe | N/A |
| N/A | N/A | C:\Windows\System\ZUxuJDe.exe | N/A |
| N/A | N/A | C:\Windows\System\kmMFCke.exe | N/A |
| N/A | N/A | C:\Windows\System\ITjoKvT.exe | N/A |
| N/A | N/A | C:\Windows\System\ELEDODX.exe | N/A |
| N/A | N/A | C:\Windows\System\JVyEuXo.exe | N/A |
| N/A | N/A | C:\Windows\System\bUoKUjf.exe | N/A |
| N/A | N/A | C:\Windows\System\qftaGxy.exe | N/A |
| N/A | N/A | C:\Windows\System\YEzpenb.exe | N/A |
| N/A | N/A | C:\Windows\System\suhKJvH.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ZwinbeJ.exe
C:\Windows\System\wZSaQDu.exe
C:\Windows\System\pohvIrZ.exe
C:\Windows\System\WcMoIVR.exe
C:\Windows\System\xAVYKKd.exe
C:\Windows\System\lrPzJsl.exe
C:\Windows\System\RecBPsS.exe
C:\Windows\System\CnEYeBC.exe
C:\Windows\System\GhujyLL.exe
C:\Windows\System\cOexwJO.exe
C:\Windows\System\WDJFeeS.exe
C:\Windows\System\RGTZvwl.exe
C:\Windows\System\kmMFCke.exe
C:\Windows\System\ZUxuJDe.exe
C:\Windows\System\ITjoKvT.exe
C:\Windows\System\ELEDODX.exe
C:\Windows\System\bUoKUjf.exe
C:\Windows\System\JVyEuXo.exe
C:\Windows\System\YEzpenb.exe
C:\Windows\System\qftaGxy.exe
C:\Windows\System\suhKJvH.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 08:04
Reported
2024-06-11 08:07
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
161s
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ConhODl.exe | N/A |
| N/A | N/A | C:\Windows\System\AjMxssH.exe | N/A |
| N/A | N/A | C:\Windows\System\UJyOqyJ.exe | N/A |
| N/A | N/A | C:\Windows\System\dykDgSP.exe | N/A |
| N/A | N/A | C:\Windows\System\uPmfmTF.exe | N/A |
| N/A | N/A | C:\Windows\System\WEetvbz.exe | N/A |
| N/A | N/A | C:\Windows\System\uKvzogZ.exe | N/A |
| N/A | N/A | C:\Windows\System\WYrDbJK.exe | N/A |
| N/A | N/A | C:\Windows\System\IYvfsxN.exe | N/A |
| N/A | N/A | C:\Windows\System\LKOuKvO.exe | N/A |
| N/A | N/A | C:\Windows\System\emlwhFZ.exe | N/A |
| N/A | N/A | C:\Windows\System\IZgTvUA.exe | N/A |
| N/A | N/A | C:\Windows\System\hBRPzqf.exe | N/A |
| N/A | N/A | C:\Windows\System\EoDLUIk.exe | N/A |
| N/A | N/A | C:\Windows\System\iInDzyy.exe | N/A |
| N/A | N/A | C:\Windows\System\qwgEHtX.exe | N/A |
| N/A | N/A | C:\Windows\System\NqMthaI.exe | N/A |
| N/A | N/A | C:\Windows\System\AxrSgPL.exe | N/A |
| N/A | N/A | C:\Windows\System\KOlrdHx.exe | N/A |
| N/A | N/A | C:\Windows\System\OSlbLYa.exe | N/A |
| N/A | N/A | C:\Windows\System\jwrlCaa.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_f331dd85b89422d342110e49bf45601c_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ConhODl.exe
C:\Windows\System\AjMxssH.exe
C:\Windows\System\UJyOqyJ.exe
C:\Windows\System\dykDgSP.exe
C:\Windows\System\uPmfmTF.exe
C:\Windows\System\WEetvbz.exe
C:\Windows\System\uKvzogZ.exe
C:\Windows\System\WYrDbJK.exe
C:\Windows\System\IYvfsxN.exe
C:\Windows\System\LKOuKvO.exe
C:\Windows\System\emlwhFZ.exe
C:\Windows\System\IZgTvUA.exe
C:\Windows\System\hBRPzqf.exe
C:\Windows\System\EoDLUIk.exe
C:\Windows\System\iInDzyy.exe
C:\Windows\System\qwgEHtX.exe
C:\Windows\System\NqMthaI.exe
C:\Windows\System\AxrSgPL.exe
C:\Windows\System\KOlrdHx.exe
C:\Windows\System\OSlbLYa.exe
C:\Windows\System\jwrlCaa.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 136.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 13.107.253.67:443 | | tcp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.72.42.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 172.217.169.42:443 | chromewebstore.googleapis.com | tcp |
Files
memory/5020-0-0x00007FF67ACB0000-0x00007FF67B004000-memory.dmp
memory/5020-1-0x000001570E280000-0x000001570E290000-memory.dmp
C:\Windows\System\ConhODl.exe
| MD5 | 9490f9d7b3ea7a251aa3973258adf4bb |
| SHA1 | e912af415f5e94d159ceb7c8a48f41b07d47f057 |
| SHA256 | 72d75bf2813655fdd8e7e35fe3f1ef16cd81737a2a71bab167525cbfb7eacac4 |
| SHA512 | 8c93371817e6ccc4ab435a005654f4ccb6c8876c4cd326b923b8b181dcb31b3eafd04e0e287ce7caa45c8a89248a2e7792c736bca86574041f0d9edc0f5bd23a |
memory/3480-8-0x00007FF68DE30000-0x00007FF68E184000-memory.dmp
C:\Windows\System\AjMxssH.exe
| MD5 | 64a038543757b11441e422483903ec93 |
| SHA1 | b2e66bd945325594f96c5e6a57a72a23fbdc2910 |
| SHA256 | 2ca086933acaa6ae6c0dd2897aaa426bca4b96d3b7b287164b77e8bef14b92ec |
| SHA512 | f755ce3af17a38865b84367b64ee3d915ce2080124a9ab3e0bf22f799dc7ac007109776475e990028019a45609ac6dcd73991743bc2a4d6e7539710637b4a2bf |
memory/5016-14-0x00007FF7EB750000-0x00007FF7EBAA4000-memory.dmp
C:\Windows\System\UJyOqyJ.exe
| MD5 | 8cfcc19b6b1dd9517b393a722c34ed17 |
| SHA1 | aa3b70cd4a2c112f6df9602a726b6ddd783b29f0 |
| SHA256 | 4e9f7a36ed265d261d72fb83afbcf59e3b42880dc6b623d5c73930113f117f85 |
| SHA512 | 32421e0bffdd5148ef2cbe169288524124236a6c3b5f25599414d9c9e5d2fd1a2e0196d3755cef4af4971e4e8e50bc70b4aa0e06995472ea555233ccc78e0b99 |
C:\Windows\System\UJyOqyJ.exe
| MD5 | 984a8cf637fc9f46a5be1646493a183b |
| SHA1 | eff3045fcb5d0b4a9321004fdd3e94f3f336f5af |
| SHA256 | 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068 |
| SHA512 | f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d |
memory/2228-20-0x00007FF6F2A00000-0x00007FF6F2D54000-memory.dmp
C:\Windows\System\dykDgSP.exe
| MD5 | f6cdfb3d88537b367792cbd894bd98ed |
| SHA1 | 3d3f99c94c72c456dffcf949bc5d30603a7e936c |
| SHA256 | 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86 |
| SHA512 | 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3 |
C:\Windows\System\dykDgSP.exe
| MD5 | b770806e36199997912b9f88447357fa |
| SHA1 | d5569b5b34841ced5935f203b25892543d2220ee |
| SHA256 | 3eb567f9c446a3c046a6bd410f2e8d35cc94a0099fc612c1b46771650a2d24d0 |
| SHA512 | c053b0a02b6fc2b6b2fd970db2d59d78b714525df0ea7a6345bb5a9e289cf145b04306fb906d15bcd973500a0541d980d7fb2b8a9c503355be415254b92c6fca |
memory/2348-26-0x00007FF7AAC90000-0x00007FF7AAFE4000-memory.dmp
C:\Windows\System\uPmfmTF.exe
| MD5 | 80309fb805c8dabb81a8dcbd68ba3158 |
| SHA1 | e86c9da40977f4cd9af82800c0efc6657e769cee |
| SHA256 | f656faf24bfeca768a1e8f324bd771b78f5b7b9102be0b5ee19510f6c0249bee |
| SHA512 | 2e44c63abd771e1f204f50d37ee5f891a5ac30d311e0a074efeae1d3d59314af9ae14fb8ac397b8f3b02be51b765432e47ee7a88725fa6df1622f65246c55018 |
memory/4272-32-0x00007FF65A990000-0x00007FF65ACE4000-memory.dmp
C:\Windows\System\WEetvbz.exe
| MD5 | 1d51a6f9f8f706d40a78f27cac287065 |
| SHA1 | 981c2096ede4558d1ebc91ef5d6ea849a5e05a26 |
| SHA256 | 15b21f96ab3bc949c328ae89ca4b8971cb600187d8a414a03ad62deea81f4ef1 |
| SHA512 | f88e4c79c055461a937a826fa6bbc551f208f7399466fa47521581ae4db3bc5d256e1bf01ae134b570a11c9d09f89930e6add7d4c8135ba334d8b29af2c44c97 |
memory/4596-42-0x00007FF6D1D00000-0x00007FF6D2054000-memory.dmp
C:\Windows\System\uKvzogZ.exe
| MD5 | 03686cfd6bbb43c8ac4dc50889b137b9 |
| SHA1 | 6800d5588f6a43ca169ee2c40a9fceeb5a54e5ee |
| SHA256 | ca47b446aecd91112038d34e552b47a5f46c4644080b07ddbdc37007b9159471 |
| SHA512 | 529d5e858f06c4743cb789c3a961b0d51ebcf4e4349ad70aece2c30ac43062a7b4932080525c55fc8af3690ae2760c5e4efdce79b5b27264e9b359474abc77a2 |
C:\Windows\System\uKvzogZ.exe
| MD5 | 22a9fa2b1630a97ed5d62a5891280c11 |
| SHA1 | 625f8fef9f8da1f1a43003acb6f8fbf92f87f574 |
| SHA256 | b16543db8e2fbd174f55c84709cba152ba58e15677abe10703277463e592aff4 |
| SHA512 | 8939e83a1c4428cc85b97de8cdb7668c4146a0c4be053e14b326ca24408b92fec81e755f3f40a487bbe52c6cb92294080e27614c944856aa41b247ed5051cddf |
memory/4648-38-0x00007FF6BD5A0000-0x00007FF6BD8F4000-memory.dmp
C:\Windows\System\WYrDbJK.exe
| MD5 | 0628374c349921c969043e8b725a574d |
| SHA1 | d4d4b61d7abb11c25e423140f9a833a035819e3d |
| SHA256 | 6f83751bb7dc13a49d7ca6c6a874635ca4829b15e2d7e8a8c8ddaf2890ac09c0 |
| SHA512 | 2db578fa7a962b14aae5c857e6974664cd647108bf44f83523c1fc47be8f0f23756b21e5f42a2231cc51d1daf9889177945ad8eab23827274ef49200ad4dd7a1 |
memory/1376-50-0x00007FF763F20000-0x00007FF764274000-memory.dmp
C:\Windows\System\IYvfsxN.exe
| MD5 | 32a8bb1921aefd3c0ed7458ba16b58e5 |
| SHA1 | 41a6e99bb67c1d706027a69e2849cbaa2ef6d6b4 |
| SHA256 | 85d94db272f4ca07fc7f7ddfc8dead334f8d437e269294dd0bf82ded8780e983 |
| SHA512 | a7fd61a36e0a520af4182e495f23b61941686657a59ef40d3bb36dadd9e0bba99e1ff3ae639b62da0e6701b08158f3fed6c2f8d5186679eb7cde9229cafd4768 |
C:\Windows\System\IYvfsxN.exe
| MD5 | 711965c0ed770375b388ea9b5ea57c70 |
| SHA1 | 21f7ffc0c96b29ee6bc8176dc97f6fd049d110a2 |
| SHA256 | c07d701eb04ab4f8699484a3bd23da869373ffe5abb89855dad47bf019625666 |
| SHA512 | 1805d8628649a043140bc3aafe1e7909e2e2c4d13967ba772fc49046b58f359c9204953c678c902e0a7afe7ca922f35fcfea6266309db91efb45c72ff619c428 |
memory/5020-56-0x00007FF67ACB0000-0x00007FF67B004000-memory.dmp
memory/2076-57-0x00007FF7F86D0000-0x00007FF7F8A24000-memory.dmp
C:\Windows\System\LKOuKvO.exe
| MD5 | c665d55523745ebd550a2c4296ad8ec9 |
| SHA1 | 43f72a8e93454ded742dbec7a7c84f59cb0d6520 |
| SHA256 | 4ce197747d9fbeeec8496c26db012627d7ce7e6aa1a732a7c731d6ef8431204b |
| SHA512 | 57b316ce017c765c9f224c8ed85aafffadf3e3509d0b9d8b28c09b7a506bf84dd5216ab3d5048ad1f637628cef7585aca82701224766df2dd48aff33618c1454 |
memory/1556-65-0x00007FF77F470000-0x00007FF77F7C4000-memory.dmp
C:\Windows\System\emlwhFZ.exe
| MD5 | 180ec18cff675908ea09fb02b8edeae7 |
| SHA1 | 908a0fde6e66598e819044f800d2fb12a2c2d5e4 |
| SHA256 | 35e0571c2720559fc2e392ef1ac01a4890a7f5a52de790fe0560ba1ddb8b0978 |
| SHA512 | f4efca4f8c80307ac309f06271cca1b553bd93330b442aaa71749f3ce5f3d47dab778dbee66162c088762bb8f4726a65ed8e5313f9bd8da09d951b910b9f8e49 |
C:\Windows\System\emlwhFZ.exe
| MD5 | 3c4936ba91eaa69f7fdbfccc9b857022 |
| SHA1 | d97c8ba6655ec64594f86192c6bdb9c832040c3a |
| SHA256 | f647e481490f98c412386808e010fe7c22bcbe8d3cebe4c6aae38fd2d6003c10 |
| SHA512 | 327dd607eb26134ae7933735d6de926b79e86a7c2a97c4f64919c1cdded613dd5e13b9c7b209f5d7e94d70772d16c0aa412b8bf1f7d9435384a504f194d13cc9 |
C:\Windows\System\IZgTvUA.exe
| MD5 | 2e820f8af7aa3bf225d37608a0a87341 |
| SHA1 | b813ceb09756bee341a57c9525bd3abdbe863ab8 |
| SHA256 | de3ecb3b5fcb41244e0ad238c42dbdcdb420cd69a0a9fd4969c3c2c21a4688aa |
| SHA512 | 94100e338184f7a3ae15a222a1475fa5698953edd851085d3fd0ba1cff9c8ac4fea1d0ffc946527b9efc401e37d9d7afc7e865918e1dcb595782d3b4242cf2f4 |
C:\Windows\System\hBRPzqf.exe
| MD5 | 9a0d01c6e389b01a8296100ed127da0a |
| SHA1 | c9412b36d795472d04c4f9c7a57b73542df027fb |
| SHA256 | 0670ffd1bd4ff923f5d7be87c361b016bf995a8eb377cdb4c4f5b7b3e51960a6 |
| SHA512 | e7c3ed851ec2a3b0a93121dfbf21ba1cb13b39993aa70cb85ad1c2c4f13ea3eb268dcc33d4c0b84af545de6add593a08466984c2a4af6ebae62e57f4ed2394ca |
C:\Windows\System\iInDzyy.exe
| MD5 | 4cf8952abd6b021a9820a2ef9addf575 |
| SHA1 | ff68bdf1c692e671585b1ed088509d14090c6a34 |
| SHA256 | f0f3c9b385a4d05d91b774fa727568f66df7ece6a2431c05b1fb9ecc473f4a81 |
| SHA512 | 2724b6ef705dbb65fe5dd3b4a43c1e409e81f1d8f35c1eef985144d6f0940eef9a1d3e4b941827a0079297f1ce605c8d91c8d8ceef9687d98d6daedf92092e0a |
C:\Windows\System\KOlrdHx.exe
| MD5 | bf4ff823726c77f50f927dd893d30c75 |
| SHA1 | 4901c596d03492fd5b9429bbca0fdbc1640ac3d0 |
| SHA256 | 10533bfcb38bd8c015ada46548bb3979866777c40d716074bd30968f8805f6e4 |
| SHA512 | 5916bce0ddb110758678c9d48b36f6c30454e985a7f4c0e19512af2ebbed3251ba1d162cb3b139bb7e0eff1e745843e639d66b36950b58610d274eaacf7ab01d |
C:\Windows\System\OSlbLYa.exe
| MD5 | 0783b3b28ba90cc7856f369d2be9c3c7 |
| SHA1 | 652c770cd2fba5fb2a49dcb29d7f26b77aff61b2 |
| SHA256 | 095ed1a49d60002aec92213f47d28502275cfda8092b43aa6fead2cc2924d94c |
| SHA512 | 639a05515d748569f172a66582a26012c71555182d87a4960a96c1cfaf7ede05ed58d06ae026147cf25da3668f9e91728f3d9a57ebf9c24cb63e62ebc7baa443 |
C:\Windows\System\jwrlCaa.exe
| MD5 | 026ea13872fc04c177d4b92226038799 |
| SHA1 | 0c9a5da8cb017adf9d5182e85bf8a4195683bb04 |
| SHA256 | 9d1477100effde3432ac0d189173c8f78615613ba44042f1c911eefe461e0d69 |
| SHA512 | 1f1d0d8b04e5e4fb39538d8c403f29c544ea9435cf9ce0fa91b5eb8f6e8444c4545db2df079761f32b0e684dba64ec7a0ac0543464f075b0ebf2d9f67a7dd303 |
C:\Windows\System\OSlbLYa.exe
| MD5 | 1e2459942327eb396bd8cd9cbc885d14 |
| SHA1 | b979cbcb517509c30843efb1d91bef30f1f24a44 |
| SHA256 | 54a03d5d208d751b31e23b71307944c1879786db4797c4e135ceee676e41235a |
| SHA512 | 62534d80e6c8c22bb311b0a7f5fb302c5a153d567d6f207a17c6fee8290718e68d1dc2dc16c134b4032b4de9f3329105695e611408c440b9aa805aa38dc8aaf7 |
C:\Windows\System\KOlrdHx.exe
| MD5 | 93bacfc3d845f374627b012c3a61a1e5 |
| SHA1 | f08219d5f19196fbc7a3a1e7ffbfb44e344c21ae |
| SHA256 | 4fd1d5231f529c0710d6a6cd40036ebe10563700b5f25c50aacacf0ccbeb0b9d |
| SHA512 | 63e909e0f694f7072b09c22815e6279a7448ff3ee9b219e1f03fa23b70411a9de5cd54205f2b9fac218aee1fe5bb1761b1d6308bcade318f7b85c7b720112b83 |
C:\Windows\System\AxrSgPL.exe
| MD5 | 1fbb254910d663dc7082aa5583d1245a |
| SHA1 | 65d9cebf3057c4a9be1ef9a72574e53bfe4acd9b |
| SHA256 | e8ae4be318545fe127f51d5a78fedc6fbd6040df16bee7561152fd0dadfe832f |
| SHA512 | 1f0de5061b5fb73262baf2874710d7937b06cfe133e9e44d4abd8ea9e91e7c1bc7fe467739eebb1f300dbf82e7afda705ee5bda9e21b3f178f4a9116ae58cbb7 |
C:\Windows\System\AxrSgPL.exe
| MD5 | c2630368f2b0f1676e4f1cfe1abe40fe |
| SHA1 | 1a1ea934cad8c04d2d7cb52f6d24efa72171b9bb |
| SHA256 | ba2b6ec7283487518598a85cf876bd237f0f22469f9ddb98503daa3b393dd952 |
| SHA512 | 0aab36dba19a00b9153d667bd13a12f0f52c3bc100eb4b39808efd5f028076649453c97409b4e3cd94bf4c0fd01aceb1a9a9bb93111ac83c147c79b204a0dec0 |
C:\Windows\System\NqMthaI.exe
| MD5 | 38e1b7b0b9aa649f5c14f03127a6d132 |
| SHA1 | 3917ca36707cd2c4dba6b6926d34a14a7bb117b1 |
| SHA256 | ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72 |
| SHA512 | 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0 |
C:\Windows\System\NqMthaI.exe
| MD5 | 47960b34aac461d46c5cfe709bbf201c |
| SHA1 | 814c9fd6874e6133667a71a323d009060ff93ed8 |
| SHA256 | eb9c79a1c1428661ffbec1d4e0bdf10ad3c4de3d97f2348bfc791528fd4e13b7 |
| SHA512 | 623975850b2068cd617805c85749f4c281afb1d5a6f26f56cb894ad621af8aa09cb79dd23e81a791413e7fe5fe485f7d48dc097599b3f8cc5ec632abf8a77760 |
C:\Windows\System\qwgEHtX.exe
| MD5 | 0003cb25d8e5fcf51d1ea8407b9410fc |
| SHA1 | fc0940ac8a56e45a19f31c325aba00f814dae439 |
| SHA256 | f5fa7230c7358dee6dd18f92cbc76b430b9f4ae3743c5a87ae43ab57b0f17dc2 |
| SHA512 | 3e0a7f0919968a398f15d36d7bf5f20d80e4d21e13f2a12bc61387d700f7223beda84fce19bb9725494efe691fdd480b4475f6cce34df5d279cf37a6a2663e87 |
C:\Windows\System\EoDLUIk.exe
| MD5 | 0fdfb9aa1d683604451f093ae844b48b |
| SHA1 | ac2f38897e9d002b90fb2266d2ae08ab0c0b6306 |
| SHA256 | bfc698e6020173dbf7fdd84bbecc961c7057d1c6b1e4d741fe064b053949b583 |
| SHA512 | 58575cc0bacc832ff14ff436a0b69db01ace7597ca6032681e9061298559b162c7d64b9e8e53083bcdf9086c362438e05fa4f3cbecb91d7acd04ee0600ae1bca |
C:\Windows\System\EoDLUIk.exe
| MD5 | 3ed5a609fc99609f477b127cb1075f8e |
| SHA1 | efbe9eae011603d0818e0ea87d848f4505a8ca00 |
| SHA256 | f5c7ed548f4ba98079252e02c14f981d3b1b5468313f0be262b25ccc06a1f939 |
| SHA512 | adf3c7526c8d008f32ef1391728203330e532d5ab3157f9a2a7fe21b8a1324527c1ba05f5b2198a9d7b1cc621dddfe091207ec334b309442cd5608fc15d0fd18 |
memory/3480-118-0x00007FF68DE30000-0x00007FF68E184000-memory.dmp
memory/1748-119-0x00007FF612E50000-0x00007FF6131A4000-memory.dmp
memory/3008-122-0x00007FF730CE0000-0x00007FF731034000-memory.dmp
memory/1708-121-0x00007FF7DFF00000-0x00007FF7E0254000-memory.dmp
memory/1776-123-0x00007FF73B320000-0x00007FF73B674000-memory.dmp
memory/4336-124-0x00007FF6AFFF0000-0x00007FF6B0344000-memory.dmp
memory/4548-125-0x00007FF705230000-0x00007FF705584000-memory.dmp
memory/400-126-0x00007FF7EC520000-0x00007FF7EC874000-memory.dmp
memory/4148-128-0x00007FF7AA6E0000-0x00007FF7AAA34000-memory.dmp
memory/1980-129-0x00007FF746C90000-0x00007FF746FE4000-memory.dmp
memory/4572-127-0x00007FF646E40000-0x00007FF647194000-memory.dmp
memory/4876-120-0x00007FF6605A0000-0x00007FF6608F4000-memory.dmp
memory/5016-130-0x00007FF7EB750000-0x00007FF7EBAA4000-memory.dmp
memory/2228-131-0x00007FF6F2A00000-0x00007FF6F2D54000-memory.dmp
memory/2348-132-0x00007FF7AAC90000-0x00007FF7AAFE4000-memory.dmp
memory/4272-133-0x00007FF65A990000-0x00007FF65ACE4000-memory.dmp
memory/4648-134-0x00007FF6BD5A0000-0x00007FF6BD8F4000-memory.dmp
memory/4596-135-0x00007FF6D1D00000-0x00007FF6D2054000-memory.dmp
memory/1376-136-0x00007FF763F20000-0x00007FF764274000-memory.dmp
memory/3480-137-0x00007FF68DE30000-0x00007FF68E184000-memory.dmp
memory/5016-138-0x00007FF7EB750000-0x00007FF7EBAA4000-memory.dmp
memory/2228-139-0x00007FF6F2A00000-0x00007FF6F2D54000-memory.dmp
memory/2348-140-0x00007FF7AAC90000-0x00007FF7AAFE4000-memory.dmp
memory/4272-141-0x00007FF65A990000-0x00007FF65ACE4000-memory.dmp
memory/4648-142-0x00007FF6BD5A0000-0x00007FF6BD8F4000-memory.dmp
memory/4596-143-0x00007FF6D1D00000-0x00007FF6D2054000-memory.dmp
memory/1376-144-0x00007FF763F20000-0x00007FF764274000-memory.dmp
memory/2076-145-0x00007FF7F86D0000-0x00007FF7F8A24000-memory.dmp
memory/1556-146-0x00007FF77F470000-0x00007FF77F7C4000-memory.dmp
memory/1748-147-0x00007FF612E50000-0x00007FF6131A4000-memory.dmp
memory/4876-148-0x00007FF6605A0000-0x00007FF6608F4000-memory.dmp
memory/1708-149-0x00007FF7DFF00000-0x00007FF7E0254000-memory.dmp
memory/3008-150-0x00007FF730CE0000-0x00007FF731034000-memory.dmp
memory/1776-151-0x00007FF73B320000-0x00007FF73B674000-memory.dmp
memory/4336-152-0x00007FF6AFFF0000-0x00007FF6B0344000-memory.dmp
memory/4548-153-0x00007FF705230000-0x00007FF705584000-memory.dmp
memory/400-154-0x00007FF7EC520000-0x00007FF7EC874000-memory.dmp
memory/4572-155-0x00007FF646E40000-0x00007FF647194000-memory.dmp
memory/4148-156-0x00007FF7AA6E0000-0x00007FF7AAA34000-memory.dmp
memory/1980-157-0x00007FF746C90000-0x00007FF746FE4000-memory.dmp