Analysis Overview
SHA256
43066b7f544a52df663693f265e6881bc8f5cafd7a7bea69bbc173bac4b695df
Threat Level: Known bad
The file 2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
Cobaltstrike
xmrig
Xmrig family
XMRig Miner payload
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
XMRig Miner payload
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 12:38
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 12:38
Reported
2024-06-11 12:40
Platform
win7-20240508-en
Max time kernel
137s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\oDlorub.exe | N/A |
| N/A | N/A | C:\Windows\System\aFtXEtw.exe | N/A |
| N/A | N/A | C:\Windows\System\WwftAmu.exe | N/A |
| N/A | N/A | C:\Windows\System\BotMlgX.exe | N/A |
| N/A | N/A | C:\Windows\System\sNvXWrm.exe | N/A |
| N/A | N/A | C:\Windows\System\VAQQdjT.exe | N/A |
| N/A | N/A | C:\Windows\System\MWtWSwY.exe | N/A |
| N/A | N/A | C:\Windows\System\UydxTKp.exe | N/A |
| N/A | N/A | C:\Windows\System\gTfKczO.exe | N/A |
| N/A | N/A | C:\Windows\System\HyflIue.exe | N/A |
| N/A | N/A | C:\Windows\System\fxIfjLt.exe | N/A |
| N/A | N/A | C:\Windows\System\MwBUuvD.exe | N/A |
| N/A | N/A | C:\Windows\System\PmNRAFO.exe | N/A |
| N/A | N/A | C:\Windows\System\uMuHajF.exe | N/A |
| N/A | N/A | C:\Windows\System\umBBzsy.exe | N/A |
| N/A | N/A | C:\Windows\System\dssePQo.exe | N/A |
| N/A | N/A | C:\Windows\System\OedoADs.exe | N/A |
| N/A | N/A | C:\Windows\System\XVXLsEo.exe | N/A |
| N/A | N/A | C:\Windows\System\QhbqCHy.exe | N/A |
| N/A | N/A | C:\Windows\System\cJqfDPF.exe | N/A |
| N/A | N/A | C:\Windows\System\rMqJHAv.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\oDlorub.exe
C:\Windows\System\oDlorub.exe
C:\Windows\System\aFtXEtw.exe
C:\Windows\System\aFtXEtw.exe
C:\Windows\System\WwftAmu.exe
C:\Windows\System\WwftAmu.exe
C:\Windows\System\BotMlgX.exe
C:\Windows\System\BotMlgX.exe
C:\Windows\System\sNvXWrm.exe
C:\Windows\System\sNvXWrm.exe
C:\Windows\System\VAQQdjT.exe
C:\Windows\System\VAQQdjT.exe
C:\Windows\System\MWtWSwY.exe
C:\Windows\System\MWtWSwY.exe
C:\Windows\System\UydxTKp.exe
C:\Windows\System\UydxTKp.exe
C:\Windows\System\gTfKczO.exe
C:\Windows\System\gTfKczO.exe
C:\Windows\System\HyflIue.exe
C:\Windows\System\HyflIue.exe
C:\Windows\System\fxIfjLt.exe
C:\Windows\System\fxIfjLt.exe
C:\Windows\System\MwBUuvD.exe
C:\Windows\System\MwBUuvD.exe
C:\Windows\System\PmNRAFO.exe
C:\Windows\System\PmNRAFO.exe
C:\Windows\System\uMuHajF.exe
C:\Windows\System\uMuHajF.exe
C:\Windows\System\umBBzsy.exe
C:\Windows\System\umBBzsy.exe
C:\Windows\System\dssePQo.exe
C:\Windows\System\dssePQo.exe
C:\Windows\System\OedoADs.exe
C:\Windows\System\OedoADs.exe
C:\Windows\System\XVXLsEo.exe
C:\Windows\System\XVXLsEo.exe
C:\Windows\System\QhbqCHy.exe
C:\Windows\System\QhbqCHy.exe
C:\Windows\System\cJqfDPF.exe
C:\Windows\System\cJqfDPF.exe
C:\Windows\System\rMqJHAv.exe
C:\Windows\System\rMqJHAv.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1732-0-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/1732-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\oDlorub.exe
| MD5 | 657c7b16bd0dbf1a35e2f19bcfb9284f |
| SHA1 | ab06093e25606ef487c85f8159f26d222fb24e38 |
| SHA256 | 97c549e10de938530319a834350647b5cb09a16d1abc02cc10270d8cafedb90b |
| SHA512 | 412faca307470ce7731a32256981a3e8aacd996cb0372c56c092283e842d0834e6abc60885ea7f64a8669eb7e1854624abd604497a9aba9e44e08cb381cd4041 |
memory/1732-8-0x0000000002460000-0x00000000027B4000-memory.dmp
memory/2672-9-0x000000013F820000-0x000000013FB74000-memory.dmp
\Windows\system\aFtXEtw.exe
| MD5 | 8cbba29d6b70e49b9ab4f1d0f4aa1433 |
| SHA1 | ab1ef63e698431bb5c406e6d80897f797348540f |
| SHA256 | c31d7762b86b80b6d48fa3477dff3fa89fcaf34bf3d073df58f0fa1dfd46c2b9 |
| SHA512 | 2cd865c81f615b5fd21a7c20ab1811aacb2788930f49acf80cf8b4a86f9f4641a2c561cb0973cdfd65bf560dda20978ab5c619c02687f94f6b59629e75ed3914 |
\Windows\system\WwftAmu.exe
| MD5 | a7139046724fbb25fe18d17c25e90c26 |
| SHA1 | b9d2eaf1f83794f104d60b54cfa41d175ec4e29f |
| SHA256 | d0f13f6fab4333d5c1391cbda3edf747448a8a47d2b65a7a80875072ff43638f |
| SHA512 | bc5cd072383cb07f0a7e57dba5a65667e34de8273e403fedfbca620c0426c43138c34cae10b7567dcb01a7c646dabb6af36d091e6b097993b6c91ab653d0a199 |
memory/1732-21-0x000000013FF50000-0x00000001402A4000-memory.dmp
\Windows\system\BotMlgX.exe
| MD5 | 53745802350f392db5e3eb06daecbd33 |
| SHA1 | 2c3a241d3ed023f0a6450588df586436e7540495 |
| SHA256 | ce25cbef51e402db530f0da3f473365c69c7148669c15e8ebbfb428d1d7fd8b9 |
| SHA512 | 88ccfe815931ffb618cc7b21d6a14c6edd40a0ad6a1650dbf8d058b9e332e5d8875fb31caf63c094ef4759bf227333256ad230cdea7af2e65b67ae0364f89b74 |
C:\Windows\system\sNvXWrm.exe
| MD5 | 000b657afde68166232f66e2af82d636 |
| SHA1 | afaed10b957f87072412a1b50afe727e2cf95fb6 |
| SHA256 | d5202e39df7f5cda384c4c331f328fcde925262c0e53362c0a800446e3d314d7 |
| SHA512 | 98dad7226ea1593c88c9e898ddb7d8892929fcadd297c71296ede4a105cab114eeca4c5216467be45575435010620a34136927eaa94892c27fdcedbf968b7748 |
memory/2636-33-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/2684-28-0x000000013FF50000-0x00000001402A4000-memory.dmp
memory/2292-18-0x000000013F980000-0x000000013FCD4000-memory.dmp
memory/1732-13-0x0000000002460000-0x00000000027B4000-memory.dmp
C:\Windows\system\VAQQdjT.exe
| MD5 | c1c7e7a359e699b968c138675c395174 |
| SHA1 | 14bfb88b8cfd44de9c151a7b8775b8e2b0f071fd |
| SHA256 | 849a7810e6c38359c4f3b664209fe848c345f518ccfc2a9dd2642eb1b3910a49 |
| SHA512 | cf6eaef32372739107a94824756aeaf276b82b2d815443dfdbe7e41d60c5162737096ae9ccd81d27e3fe9f6b3db90ea0411f15fca81bedc2bb8c528e45c39e21 |
memory/3024-42-0x000000013F4E0000-0x000000013F834000-memory.dmp
\Windows\system\MWtWSwY.exe
| MD5 | 714f9d5d2a93aeecab457011d3dab89d |
| SHA1 | 150befa31034a72431feae4b793b4c0dc6044155 |
| SHA256 | c649a50a5a7b276f8cd2dcb24ddb6a9701acd3c951762b8f01fafead8dd297df |
| SHA512 | 804118f4126582e09f80c278c926e192cf9fc23486b8e3b7d1c78fa59d53ae92ff679406e4dee61b8ef93fbf1eddc1e1bbe89a148045d51a56aa609b637693e8 |
memory/2380-54-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/1732-55-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2520-56-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/1732-53-0x000000013F750000-0x000000013FAA4000-memory.dmp
C:\Windows\system\UydxTKp.exe
| MD5 | 5d13e154acfa5f6faf6ef9a25b547d82 |
| SHA1 | 4cf03101f3529ddd6aa09aff3d735fe4b96d1232 |
| SHA256 | fce172ea9c8ed3e1a1fd894a873560bc5e19fd3bea7e021b2726cee4cdf54612 |
| SHA512 | 035e307bbd5d6154ccc6c504aed6377b4dc025cd570b4f13c115b5d9ad662f2283853e080683f0c814851ec0fb1c0934f1975679a086517e15a0b52cb39261a6 |
memory/1732-48-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/1732-39-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/1600-67-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/1732-66-0x000000013F2B0000-0x000000013F604000-memory.dmp
C:\Windows\system\HyflIue.exe
| MD5 | e72cea6c55becc0dcdc737b553f03eef |
| SHA1 | 862e557575714f3c42a6e39ed8f0f11358d37957 |
| SHA256 | bf40d7eb97a713c1547105c31cc611e08860eee0911ec1df0fd576842d2dd7b8 |
| SHA512 | 6c914326d37b89c914fb56ef6e82f13b4bf5fa8bb006f9989b2f7d38e1f5f7c37f016c977845ea73f8bf9d201d6ae159d8e6f295bc5eddc693e1bfdd8fc11218 |
C:\Windows\system\fxIfjLt.exe
| MD5 | 6501205e24333b4a11fcd28c545f9d36 |
| SHA1 | 6897c0011d96c1a7fbb40bcc1cca24d0db1fbcc3 |
| SHA256 | a7066a4d8b567dd9e6fe25c043d991a74e2e4cc12eee2d17e46a71d0337b2733 |
| SHA512 | ef211ab2bfd302ac4aea5e3be70f1cdcc6975a527896f6c635acf70fae2fd819471d48fd28047eb015dd58c490a87ec18a009e8e859986da8f1dec59202d96af |
memory/2468-76-0x000000013FD20000-0x0000000140074000-memory.dmp
memory/1732-75-0x0000000002460000-0x00000000027B4000-memory.dmp
memory/2292-74-0x000000013F980000-0x000000013FCD4000-memory.dmp
memory/2504-61-0x000000013F2C0000-0x000000013F614000-memory.dmp
C:\Windows\system\gTfKczO.exe
| MD5 | 749191961ace039a1f6b81a1656b779d |
| SHA1 | 70e00f3e33abcbe72f40d796f1f1eef8e2bf8685 |
| SHA256 | d398be694397536e3f94a4ea49f02bee64499bcd9df80cfe1e798f79ff3c3183 |
| SHA512 | 0ead39fe0451ea1aa92ace1568db9f496b85050389655ffa87edabdebd07e62a4c91b653f818baa5fac51aa075e828d456fa1169da9a8a29f8e2d2c79b2d6b6b |
\Windows\system\MwBUuvD.exe
| MD5 | 3fe8c40adcdc247f3aee20b6a213ab57 |
| SHA1 | 82c839d2dc4a0f71c5c3b3beee24e9b1e2c01a8c |
| SHA256 | 885479a7e25e70a300f3e8b877b1cf59029e147e558dbcb87c94ce13f4a4979c |
| SHA512 | d713758c5ac93bcef028d3dc6a6867eaa8c566227d98fb53b3d2624436394fb94d32fdf004782622410009bd263154accc4a1ee2ae5efd13b71b4de10e96cfc3 |
\Windows\system\PmNRAFO.exe
| MD5 | d68be436e4282b34d47d5337f8c1b742 |
| SHA1 | a5f340bdebbb001f5e69b45a96a5d6502950d2c1 |
| SHA256 | 8483461360bc75582b69fe886822b8461e51f3abd83a502f3c6cdeb25e9c99de |
| SHA512 | 635339920526975b61b73f56e6aa8dc19df4fbf7c8f0ddf73c4712c762a51a47163753e317aed18169b1092c85ce39f8344d9db9fa69f57e5f18f7b5ea2baee7 |
C:\Windows\system\uMuHajF.exe
| MD5 | 83c586adc19b174fb8715e73ba54c84a |
| SHA1 | 90eddb793f32987fe347bd782672906cee88070b |
| SHA256 | 92df75b06149ca40aa95dd18fe3843b7283209721f1e8b8307d7a9d777498bbb |
| SHA512 | b860d72a19411b84368274b031a59541a17d98156ce466ea5e0f173c5f2dc292917c3eccaaf9b0fa55fe9b1141097971a95277a9afa647eaa4d458425b61ddc6 |
memory/1732-90-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/2668-95-0x000000013F560000-0x000000013F8B4000-memory.dmp
\Windows\system\dssePQo.exe
| MD5 | db7543a755a068d21c8d08d8a55dba94 |
| SHA1 | 6a09081ed1693b81777e7a2fb8da55eb2dbccc8f |
| SHA256 | d3285dd5cfdaf14eeb11dab572477850cafd4b0ddfe5ab1b85811e8ef8727807 |
| SHA512 | 6893b070d267120df05d750b68960866f50ef50cb5ffb3f43a484645d61720af221c643b57716edf998a998eb9fc6e0843f50e08037aa6cdf34002e53d23e372 |
\Windows\system\XVXLsEo.exe
| MD5 | a0ec7a31d0ec71b71ba60e44c164dc15 |
| SHA1 | 1d4e9d184fa4a090c9153b0e44ca487442deee1e |
| SHA256 | c4512afc62dd5f9a2a92131ec79dabd1fb07eaf5b3509e05c9283fbdab535655 |
| SHA512 | 90240dc0f3e9419a89e1a8ccec97d5c1e42806ebd68999744ebb9d4edf31be517e6b0debd331605a19c183c67058bc0ee9da58cb219ec5863c0a884e06e664cc |
C:\Windows\system\OedoADs.exe
| MD5 | e7ef0567d3c842b7b313b3e798b2f644 |
| SHA1 | 9e88eb1cf19e7352e6a9df18b58fc440cc76ac9a |
| SHA256 | 4ee74b2eb7cc78ac69f7eefe09d0f00c009356087acbe7f2f1c0642d99046db7 |
| SHA512 | 5516a1041ca0bece4e42c9aa384b478ea50c02f1eea39ca0aa13efbfe8976802074023558268b0382ca9a1e2934a14679f541b3bb68ee52f3e5810312bd79fb6 |
C:\Windows\system\umBBzsy.exe
| MD5 | 0ea158b6ce56c9a60ad98e91006832bd |
| SHA1 | e740c78d63e03cadc6b66bf91b9f618486c83d34 |
| SHA256 | ab481c20f26c597c4761c8668f1ba137c740a1d24f9917635daab0f57174a26b |
| SHA512 | c81e22e40f6e135ecd6c3fa97bb917c0241ec694452c84fe7c9df7653e6b3ed9f4cb8af27116d59c8f7d9fd3ac5fb1374d9401583b2c6a9143617263a51dc692 |
memory/1732-109-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/1212-102-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/1732-100-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2712-106-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/1732-97-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2808-96-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/1732-94-0x000000013F560000-0x000000013F8B4000-memory.dmp
\Windows\system\rMqJHAv.exe
| MD5 | c28ed95aaae7c0fd609401024a4647da |
| SHA1 | 345f5fe221329ba24f902d10511cb19fcdd403f5 |
| SHA256 | 4c8883337f2c4a53ffbeff495c02408b2d442256794d710b83e26ac26954cdcc |
| SHA512 | 0f9caf153467cd950627f4fcf264ba357331f84ad96430fd0a1c503dca55819d75f3e2423f2db8c2d6c15b2e5c13b71f5196749c6b7ddc89a6585ded137c0885 |
C:\Windows\system\cJqfDPF.exe
| MD5 | 5fc2e94d767632beb7e122786c2e1904 |
| SHA1 | c0e5da7f88ef58eb6ea38eb8b43a2d0aabe6af43 |
| SHA256 | fd998b0af83cd5764866a9092c50787a72c0a14548389b4f8b0caa4d535b0a03 |
| SHA512 | d4c8997bdf69dbbd3dd46ed00796a2ff159b05e359dceda2d31ea79eca702091b58acf4f4c2aac47cd0622590fe034ac216ba0a40835cedc9f40a3fb51c6804f |
C:\Windows\system\QhbqCHy.exe
| MD5 | f4e6be55ecf27f457f51ff2ee1ab3d5c |
| SHA1 | e4ad83b7f81351ccf237e9a4c88842f0ae56b9b4 |
| SHA256 | 6f22943fade5e324742f3e7568d40bd98b396e12de70591c4dc13c5cc2392a58 |
| SHA512 | 54446174b69452b61d6379598222d39fbec5c05b8fb2938f76d5a19007394d5525d286339e2423fb0fc841233655e988385da84d9cf23a9d69152ae59ed16a29 |
memory/2636-136-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/1732-137-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/2504-138-0x000000013F2C0000-0x000000013F614000-memory.dmp
memory/1600-140-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/1732-139-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2468-142-0x000000013FD20000-0x0000000140074000-memory.dmp
memory/1732-141-0x0000000002460000-0x00000000027B4000-memory.dmp
memory/1732-143-0x000000013F560000-0x000000013F8B4000-memory.dmp
memory/1732-144-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/1732-145-0x000000013FF20000-0x0000000140274000-memory.dmp
memory/2672-146-0x000000013F820000-0x000000013FB74000-memory.dmp
memory/2684-147-0x000000013FF50000-0x00000001402A4000-memory.dmp
memory/2292-148-0x000000013F980000-0x000000013FCD4000-memory.dmp
memory/2712-149-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/2636-151-0x000000013F4F0000-0x000000013F844000-memory.dmp
memory/3024-150-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2520-153-0x000000013F750000-0x000000013FAA4000-memory.dmp
memory/2380-152-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2504-154-0x000000013F2C0000-0x000000013F614000-memory.dmp
memory/1600-155-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2468-156-0x000000013FD20000-0x0000000140074000-memory.dmp
memory/2668-157-0x000000013F560000-0x000000013F8B4000-memory.dmp
memory/1212-158-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/2808-159-0x000000013F760000-0x000000013FAB4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 12:38
Reported
2024-06-11 12:40
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\rfFTJVU.exe | N/A |
| N/A | N/A | C:\Windows\System\uonfHVl.exe | N/A |
| N/A | N/A | C:\Windows\System\FoOYJwx.exe | N/A |
| N/A | N/A | C:\Windows\System\joefGHJ.exe | N/A |
| N/A | N/A | C:\Windows\System\IwsSrYg.exe | N/A |
| N/A | N/A | C:\Windows\System\XRuErRg.exe | N/A |
| N/A | N/A | C:\Windows\System\WyqHKmZ.exe | N/A |
| N/A | N/A | C:\Windows\System\nFOtQMS.exe | N/A |
| N/A | N/A | C:\Windows\System\iEXhIRQ.exe | N/A |
| N/A | N/A | C:\Windows\System\bhwtRyH.exe | N/A |
| N/A | N/A | C:\Windows\System\BRoEWGo.exe | N/A |
| N/A | N/A | C:\Windows\System\LWwDaVl.exe | N/A |
| N/A | N/A | C:\Windows\System\WuddcLA.exe | N/A |
| N/A | N/A | C:\Windows\System\XRImhOb.exe | N/A |
| N/A | N/A | C:\Windows\System\tSlrvHa.exe | N/A |
| N/A | N/A | C:\Windows\System\mXgiWzj.exe | N/A |
| N/A | N/A | C:\Windows\System\efjfeYX.exe | N/A |
| N/A | N/A | C:\Windows\System\URCLAdu.exe | N/A |
| N/A | N/A | C:\Windows\System\KGcCAaP.exe | N/A |
| N/A | N/A | C:\Windows\System\rtYIAMK.exe | N/A |
| N/A | N/A | C:\Windows\System\DFyYHLM.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_673d8b4bc5c4ae22db5852a3b922a1f5_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\rfFTJVU.exe
C:\Windows\System\rfFTJVU.exe
C:\Windows\System\uonfHVl.exe
C:\Windows\System\uonfHVl.exe
C:\Windows\System\FoOYJwx.exe
C:\Windows\System\FoOYJwx.exe
C:\Windows\System\joefGHJ.exe
C:\Windows\System\joefGHJ.exe
C:\Windows\System\IwsSrYg.exe
C:\Windows\System\IwsSrYg.exe
C:\Windows\System\XRuErRg.exe
C:\Windows\System\XRuErRg.exe
C:\Windows\System\WyqHKmZ.exe
C:\Windows\System\WyqHKmZ.exe
C:\Windows\System\nFOtQMS.exe
C:\Windows\System\nFOtQMS.exe
C:\Windows\System\iEXhIRQ.exe
C:\Windows\System\iEXhIRQ.exe
C:\Windows\System\bhwtRyH.exe
C:\Windows\System\bhwtRyH.exe
C:\Windows\System\BRoEWGo.exe
C:\Windows\System\BRoEWGo.exe
C:\Windows\System\LWwDaVl.exe
C:\Windows\System\LWwDaVl.exe
C:\Windows\System\WuddcLA.exe
C:\Windows\System\WuddcLA.exe
C:\Windows\System\XRImhOb.exe
C:\Windows\System\XRImhOb.exe
C:\Windows\System\tSlrvHa.exe
C:\Windows\System\tSlrvHa.exe
C:\Windows\System\mXgiWzj.exe
C:\Windows\System\mXgiWzj.exe
C:\Windows\System\efjfeYX.exe
C:\Windows\System\efjfeYX.exe
C:\Windows\System\URCLAdu.exe
C:\Windows\System\URCLAdu.exe
C:\Windows\System\KGcCAaP.exe
C:\Windows\System\KGcCAaP.exe
C:\Windows\System\rtYIAMK.exe
C:\Windows\System\rtYIAMK.exe
C:\Windows\System\DFyYHLM.exe
C:\Windows\System\DFyYHLM.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4352-0-0x00007FF700F70000-0x00007FF7012C4000-memory.dmp
memory/4352-1-0x0000018F02920000-0x0000018F02930000-memory.dmp
C:\Windows\System\rfFTJVU.exe
| MD5 | 9f87cc4730b344ee0a5a0baf3819e3b5 |
| SHA1 | 6ea3cefd6d695667bbafdd875dcb1f6d337cef5e |
| SHA256 | 91b654f5bdf4f876c1bb93ea2c1c91fc08c579bdf8355eabaead88a7ad956da4 |
| SHA512 | 024a1a27f45447a636a405cce15d004dbb648c37ba5aaff320eb942f48d8cc9815f79cdb7ff0547261de907ada2918eff48685cb34934f988a10dcf2b5c3a132 |
memory/1492-8-0x00007FF786E90000-0x00007FF7871E4000-memory.dmp
C:\Windows\System\uonfHVl.exe
| MD5 | 5bb55459adfe47c53454033beed6d9c5 |
| SHA1 | b560679fdd4e1917b00786fc06ef26e01487d6cd |
| SHA256 | c0bf27037df18fc94b4fef1b11f3232a9b0389f0f277fba00301d8aed21b2262 |
| SHA512 | dbbe6d568f48ed352aff12877b557dae3e6fcc68e81da2e63bb118063fefd049207593476272f50108f6a18b4fdb67b7fa163a152efaa61930b2ef1724ac637e |
C:\Windows\System\FoOYJwx.exe
| MD5 | 47038c17802787e52748c7e1d1e53e75 |
| SHA1 | 0967cd007fbbbe0cc9c5027ff994ae1d464add97 |
| SHA256 | 2f8b380a2d5a4eadf4ce26b741e6825875d3c19a822e06163dd221c5d6e708e4 |
| SHA512 | a3beafd9784e223997ddda94eb4f2fcfc30361d14986172aa3ca49134d1a3ca19895369b6a7b5a010432b3d29739dae59797a4df42e776ab78c11e9b6573b97f |
memory/4520-14-0x00007FF7DB830000-0x00007FF7DBB84000-memory.dmp
C:\Windows\System\joefGHJ.exe
| MD5 | 3a050b2b66492744ce12f01ca09e0437 |
| SHA1 | 3e8bbc6057f87a7a93803434a5de1002e3e37ab1 |
| SHA256 | 9029724521579cda25a910db09efeeb3db989a88ed241704d4cc77abe0d50482 |
| SHA512 | 33d61e034fadb5074862720c7ec4ab44c57236fba8081ac23becc29eb56f71a5513b2bd50a8a89985c99fc42c848b268e381855ed2991b9a2afb12e548b7954d |
memory/2956-26-0x00007FF77E630000-0x00007FF77E984000-memory.dmp
memory/544-22-0x00007FF7AEE60000-0x00007FF7AF1B4000-memory.dmp
C:\Windows\System\IwsSrYg.exe
| MD5 | 2470f8bb6dd710bf16ea3797ece674eb |
| SHA1 | 8e559368ed6f1560d5abbc31d19794e436ee9586 |
| SHA256 | 5b9bfa80dbaacdaf1d99b3f83ed6e41dfee8688b4a2eab02c311198266bf442d |
| SHA512 | cc8c94038b34e34cc6a23cb86bbfa0195dfbc4bad76a0e7ca769cd4ffe2e24d4d29cbe014eb7eb1267870d2c157e9c17c8ee5fc24b5222e0ff5f9d5504a0c932 |
memory/3716-32-0x00007FF68DDE0000-0x00007FF68E134000-memory.dmp
C:\Windows\System\WyqHKmZ.exe
| MD5 | 2f7e550f1bb529f03f2f721960dc48ce |
| SHA1 | de3001b483682af15b47944909f5376a22ce6f88 |
| SHA256 | eae3deaa4d1483b17f8252424238e7940922818962fe579ae5af20e07f98f704 |
| SHA512 | b060d48d5171719fdc58a3396b219937f96cd72ce3920f3f1410df5ea8e2473179c0a07cde751e38ef05abc71bd11af3468bdd1a0d8c13abe0c24eaec8c957c1 |
memory/4676-43-0x00007FF7B3850000-0x00007FF7B3BA4000-memory.dmp
memory/4648-44-0x00007FF6ACBA0000-0x00007FF6ACEF4000-memory.dmp
C:\Windows\System\XRuErRg.exe
| MD5 | 48a96244ab8b90784b5ce8e20339920d |
| SHA1 | 30039da8c49389deb5d8e6d777c7b8fc69f28fa4 |
| SHA256 | f93c5226dff407dbb9dfb5aa77b772e6eaf19765bf6ea4ffb76f05be69318709 |
| SHA512 | 1b39f8763b466a38a1fea73d7cc1a77d7b9551830c401418f4c189817e4b02b5317d18d24aebdad16262d504d55a18efe16a23130a562f3ad90715063aeadd2f |
C:\Windows\System\nFOtQMS.exe
| MD5 | 206e9dae120b1c2c5c5670dada5f13f4 |
| SHA1 | 57a007c7a7aeaf4712a572e4f4959a1c63752fd2 |
| SHA256 | f6e3624de13b1a0bb3f6234cf0d4356b66cff84d1f0bb724acdccc0dfe2dce17 |
| SHA512 | 2e609be3e849d9ba60be95d94d3c69bfe32c3b2a14b48eaa081c1fd75eeb58cde678d401d5dd9ea18b81870170307bf3f240874cb5371741208ce31b87148ff1 |
memory/808-50-0x00007FF676120000-0x00007FF676474000-memory.dmp
C:\Windows\System\iEXhIRQ.exe
| MD5 | 2ad850fea8ff3c9519bebbd0f6a8c703 |
| SHA1 | f97b71fe1cdc7bf520f1e4f315382821027893fc |
| SHA256 | 5c16754a0b70bfc4c709cc550a6c352f62ebc827838db8bc6a9d61ac098108b3 |
| SHA512 | ff15afec9394d5b52d4adf2a5c2e27fb558765c657989eade1fe53dcaffcc193150170647e17148445ca1e79c7f976160c0c33e82c96554d6823d2167724f2b9 |
memory/3092-54-0x00007FF7DE270000-0x00007FF7DE5C4000-memory.dmp
C:\Windows\System\bhwtRyH.exe
| MD5 | 15a85f22055d6a5c4bc10a677656ce7e |
| SHA1 | 6017323dff95a4a2d37024e5fef521843c4e4cb8 |
| SHA256 | cd2e46f3c23146dc586490ad991345b4eb4aa3d7f303b0afd42dae00f4043dc1 |
| SHA512 | 98b65ca898d8b418572a2f9ddd3506c473abec33b89fea739a1230ac79e50d2ba761b2c53b2e2f44916d9b6fa6bbc0b1106e53175abfb1312f821794781e0c65 |
memory/4352-62-0x00007FF700F70000-0x00007FF7012C4000-memory.dmp
C:\Windows\System\BRoEWGo.exe
| MD5 | 5defc89c837c8ecfa40047e9e4ba991c |
| SHA1 | 2cf51484a9f041e67c3cf5edfddea4eeaf07b4b2 |
| SHA256 | cab5433a7aa9488b5ef06c1c28e5d8dd6f2ca801a2185b8a5d087cbed8b3b70c |
| SHA512 | 0fe0c7dc963a6ffcac1948aa55b89456d16ad72af31cba475937612dc08a43bc2f7aa5f9227453ced753d2f742ba104a28d131714a76a980bc1f6d3053eb54fc |
C:\Windows\System\WuddcLA.exe
| MD5 | dc9dba19cb551b6e3bbda5748af3f87a |
| SHA1 | b8a23e7e657d08635483bbd1e1849e7b6e7f2481 |
| SHA256 | 9e77d176a7a8742adc5b2723f998fbbef50b2bcd40148bb6dd7c0fb5b73107d8 |
| SHA512 | 4a85c86435730970c7bc26c1f2cf3a150589d57e73add2bd74f64619e355b65f02e007fb6c177f89212047b2e555ae4dfbe4df14220fb04c4f0902fb0d0fc624 |
C:\Windows\System\LWwDaVl.exe
| MD5 | c341bd24e3073fd103e0f85de02aac10 |
| SHA1 | 09c77c0770a42f73b2e0356ecb071dadc8fc6cf6 |
| SHA256 | ee4b9f94e4d7220687cc6235987d3fe97b04947a345ecf31ea39589bb4c10d18 |
| SHA512 | bd2865c6068bd74a465741555dbc9104f7303f92e9dbc99dd77890b63374b041019e748998b46dd91fe4709a7511aba90e2f0a96036b139a1a0e478650f14d3a |
memory/1560-64-0x00007FF63B420000-0x00007FF63B774000-memory.dmp
C:\Windows\System\XRImhOb.exe
| MD5 | df963e0034ff99d86bd96f8f01139e0a |
| SHA1 | 1451a0a61a4f008264bf6f0ba32ffe601960418a |
| SHA256 | e0e3d805b1900f8ddfde51cfd21a016670fa9875eb7a1e07e5ce0dfb6d38bab6 |
| SHA512 | 392833ba1a0b49e068a3991ff10170668edaaaa45dd6918b92b814846e7db5101c544ba3235b447f7da37c04a08788221c579e579b7dcd82ca7190f412c013d4 |
memory/4028-88-0x00007FF7218C0000-0x00007FF721C14000-memory.dmp
C:\Windows\System\tSlrvHa.exe
| MD5 | 6fc5a4046d2f9e3bb2025a84f3b1355a |
| SHA1 | 47539b5ad33bba3c4764d3eee79096d5e72a14ba |
| SHA256 | 188084104de0d0953c9dba0827da1f6c704379f664a758bc00fb1857b3c21bfb |
| SHA512 | 60534643fae195784df4eec28801538e15a0a36d9d1e7a64bca37ea239a44e28bb223081d6e9c01cc9c1907889559f260913c54c757265d37df501614a35b241 |
C:\Windows\System\mXgiWzj.exe
| MD5 | aee7802d4c98ed0cbc8383c329acb782 |
| SHA1 | ad1c25b4a03484d60430af19f8ce99b3a13eb498 |
| SHA256 | 62123f1d62374b9dd8bbe0c55dcb7590688347c616ac13bcad447a1da27643fa |
| SHA512 | 57dead9cc7f963d4188c2e242158d8d47e1afbca4ff28a3d9ff17e70a45aaa852886adae1e6688642b103a592eb2a0154148943962b0981f381692c8a3a79df5 |
memory/2196-105-0x00007FF708020000-0x00007FF708374000-memory.dmp
C:\Windows\System\efjfeYX.exe
| MD5 | c290096be14b7938e4bcde72cd651e23 |
| SHA1 | dc077ba0438f1afebe685a616cc2ebbae7f4b9f1 |
| SHA256 | 61183a35011f6fc127b823d81f9a96882185ebb2faaeb8167c561960d547e132 |
| SHA512 | 8134f8b8878c85b27a5f6ac539dcf678ccba155bb71cfe89c2007ac222bda00e91dce5aa912d91f319cb70e9ce967a89d79a177303b8c72b501b88ce95e85e3b |
C:\Windows\System\URCLAdu.exe
| MD5 | 69fff7c3a79eb5a955c09e9fb7a4261b |
| SHA1 | 84d5ebf19686546a859ee3e87b49afd5d9d86c22 |
| SHA256 | b1e6278649a533b8ef2198196313f22eb3b307828e9d826cc9cd502f3ce51ef7 |
| SHA512 | cac5b2108c2dc43f711c9370bb9418eb295a699105333f79d603a85c3fc11944dd3614a67e182326948f2852348e3598d08aa1be10c4a1d49f83292b0e26e43f |
memory/3564-106-0x00007FF793890000-0x00007FF793BE4000-memory.dmp
memory/3392-94-0x00007FF7345C0000-0x00007FF734914000-memory.dmp
C:\Windows\System\KGcCAaP.exe
| MD5 | 177fe385553b9b8c3a7eaa07273aae95 |
| SHA1 | 1b09e5b4f9a5d75c107dad1b0fd9fbd6e2e8c5b1 |
| SHA256 | 8276a28efafe0e28e3778e1310411cad54ff149036a67dbeb9019d9fd7ab4db1 |
| SHA512 | 9cc1a9089f4e3237eff555a28e242da25e6584750e190fdebb4e914c93a0528d36286a3f8306ff137c63349ac5edd1454d13afaaee4c5aa56bce458413898677 |
memory/3492-114-0x00007FF70BCA0000-0x00007FF70BFF4000-memory.dmp
C:\Windows\System\rtYIAMK.exe
| MD5 | 7c911f7a09ae6469a7089606fd4e9c42 |
| SHA1 | 0d1100148fe7c114358ffae499ffddf5808d383f |
| SHA256 | c8120b8c45875f6f4103de7dd19decc53637617db0b4686e122247f67d0581d7 |
| SHA512 | acddfe8d992bb7337ec2bb3884194fe1f70d4b673b44c6e0fdf5f9c7fc3b3a55775e6dbb5c52a5b3d914a1a29f199bf2728077fb0786df3bea9a4a3ec5d1cfab |
memory/5032-119-0x00007FF7CD350000-0x00007FF7CD6A4000-memory.dmp
memory/3092-124-0x00007FF7DE270000-0x00007FF7DE5C4000-memory.dmp
C:\Windows\System\DFyYHLM.exe
| MD5 | 7da4567e816f0c3d450e730dfc88f1bd |
| SHA1 | 0a3e40f4900f83dab2a52b70f08e9444ee4128b5 |
| SHA256 | 19ee3667e2973024ad6ab80979d94256bc9bc7d7b3635515867bc1883d292c62 |
| SHA512 | d556827c470b617543dcbc4cc87039599c84efe1b4a4d2319927d9778a1d87f76b8e86d963b607f1350d6a1a1a67a73df1b548dd6ba125a61c463df7047a24f9 |