Analysis Overview
SHA256
b76ccab94aaedf42871dc838e02025ee5534ef9773fe6741059379fb0aaf8032
Threat Level: Known bad
The file 2024-06-11_d6bb97aaad7abc8004d6ecf01cab4a28_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Cobaltstrike family
Cobalt Strike reflective loader
xmrig
Cobaltstrike
Xmrig family
Detects Reflective DLL injection artifacts
XMRig Miner payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-11 16:15
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 16:15
Reported
2024-06-11 16:17
Platform
win7-20240220-en
Max time kernel
136s
Max time network
146s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Process |
| --- |
| C:\Windows\System\badLJYs.exe |
| C:\Windows\System\BlKbFhL.exe |
| C:\Windows\System\nUpeuNX.exe |
| C:\Windows\System\qodRgCe.exe |
| C:\Windows\System\XgPQWmH.exe |
| C:\Windows\System\RHRMSJN.exe |
| C:\Windows\System\YdiodNK.exe |
| C:\Windows\System\DwmbsMQ.exe |
| C:\Windows\System\tOYSQkt.exe |
| C:\Windows\System\xzWpqAo.exe |
| C:\Windows\System\vtiLdxo.exe |
| C:\Windows\System\vXLFIFx.exe |
| C:\Windows\System\mwZoinU.exe |
| C:\Windows\System\rbAbcrp.exe |
| C:\Windows\System\ApfXhmC.exe |
| C:\Windows\System\oJVaiRi.exe |
| C:\Windows\System\dRLQwHW.exe |
| C:\Windows\System\jplSibW.exe |
| C:\Windows\System\KbKCfwg.exe |
| C:\Windows\System\kQKBnVB.exe |
| C:\Windows\System\xecsUti.exe |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Process |
| --- | --- |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-06-11_d6bb97aaad7abc8004d6ecf01cab4a28_cobalt-strike_cobaltstrike.exe |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-06-11_d6bb97aaad7abc8004d6ecf01cab4a28_cobalt-strike_cobaltstrike.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_d6bb97aaad7abc8004d6ecf01cab4a28_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_d6bb97aaad7abc8004d6ecf01cab4a28_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\badLJYs.exe
C:\Windows\System\badLJYs.exe
C:\Windows\System\BlKbFhL.exe
C:\Windows\System\BlKbFhL.exe
C:\Windows\System\nUpeuNX.exe
C:\Windows\System\nUpeuNX.exe
C:\Windows\System\XgPQWmH.exe
C:\Windows\System\XgPQWmH.exe
C:\Windows\System\qodRgCe.exe
C:\Windows\System\qodRgCe.exe
C:\Windows\System\RHRMSJN.exe
C:\Windows\System\RHRMSJN.exe
C:\Windows\System\YdiodNK.exe
C:\Windows\System\YdiodNK.exe
C:\Windows\System\ApfXhmC.exe
C:\Windows\System\ApfXhmC.exe
C:\Windows\System\DwmbsMQ.exe
C:\Windows\System\DwmbsMQ.exe
C:\Windows\System\oJVaiRi.exe
C:\Windows\System\oJVaiRi.exe
C:\Windows\System\tOYSQkt.exe
C:\Windows\System\tOYSQkt.exe
C:\Windows\System\dRLQwHW.exe
C:\Windows\System\dRLQwHW.exe
C:\Windows\System\xzWpqAo.exe
C:\Windows\System\xzWpqAo.exe
C:\Windows\System\jplSibW.exe
C:\Windows\System\jplSibW.exe
C:\Windows\System\vtiLdxo.exe
C:\Windows\System\vtiLdxo.exe
C:\Windows\System\KbKCfwg.exe
C:\Windows\System\KbKCfwg.exe
C:\Windows\System\vXLFIFx.exe
C:\Windows\System\vXLFIFx.exe
C:\Windows\System\kQKBnVB.exe
C:\Windows\System\kQKBnVB.exe
C:\Windows\System\mwZoinU.exe
C:\Windows\System\mwZoinU.exe
C:\Windows\System\xecsUti.exe
C:\Windows\System\xecsUti.exe
C:\Windows\System\rbAbcrp.exe
C:\Windows\System\rbAbcrp.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\system\badLJYs.exe
| MD5 | 92fbf9102740d412fb556f0a38709966 |
| SHA1 | 423f3c2095b3c35a35193bac747640e39222247d |
| SHA256 | e51cf75fe8d7ff0d6203a699e267dc4b17f8a53d7a34d1ce9352fcdae82be13a |
| SHA512 | 202945cddb58b05e01c8cdcb1111eac5dabacb43982660918e74fd14e32592ed39105b082b02b0273b884672ad31692faec09b186212c66299571b4e21e4223f |
\Windows\system\BlKbFhL.exe
| MD5 | 9b2d6d4a9c9ba9d1df2a547f6c84394c |
| SHA1 | 7e99258f9895c57645ff56ab50ed46a4814fa308 |
| SHA256 | c15d7fc428fd7474f71cf4268f9f263620a46440c36076f79db069cc716c707b |
| SHA512 | f563386de6d9681378bcac49945fb4fe81b7203944df3c50931fe590a5b79084f6d78775b5796b28867267f00f8dc26132c471c4a026246c6a7f4d8ebdbbd2fc |
C:\Windows\system\nUpeuNX.exe
| MD5 | 0c73328956ad95f5fea60c56a22cfb39 |
| SHA1 | d3dbb71d2e49414e820eb82282a7873522d0e7d6 |
| SHA256 | bc9385f05fc80617963ec0ea05e7d25a3334c602796106e6d2f191354f34d44c |
| SHA512 | 8bf5bb15829f8e882d88ab3cedcee818f1151349ce25a8bc9fb1ccbde6777580c4635ee9e5479367c66c3fe4a2f7a0825f64f51e0a61fefabe638c76ec847137 |
\Windows\system\qodRgCe.exe
| MD5 | 7a066cb2b5babbdedabb9b883bb65215 |
| SHA1 | a120450718e83b78018039de8cbeff3762990335 |
| SHA256 | 1688ebb49cc9e45ca19305c1a5566187e46d09434ae7825b766edd7bb4dfd0e8 |
| SHA512 | 8fc235879e3d9fe53a87368d8f1183ca4c27ad068f981e59f503b827107214f40bb507d21046f8d9dae3250cc5f9ee1fa76d8f0b70feb394c388bfac88c80339 |
\Windows\system\XgPQWmH.exe
| MD5 | 064643f32b2ba0706192452565a7bf8e |
| SHA1 | 4b77dca8809c16228b959ec494b10a6349fcdc93 |
| SHA256 | 1e5daebf732e597e337d8887e65a6ba67980db44482aa0f5b24e28928ccb4bb4 |
| SHA512 | 7248c67765e9d0c48f658be47b9574d6bfd059f7a87acc8a792d7452412a881d1924388031ab7ac71c13f3de1426a816601e1350690fe46e072899c70956409b |
\Windows\system\YdiodNK.exe
| MD5 | ef4d6e087f183c371c1c47d33c228f7e |
| SHA1 | 6309ece66daf1e64d5f9677d7490bf4c41a9da5c |
| SHA256 | 4d0558423072d771d34eeebdd25b8bf20567cfbc2bdd77bc35e60aa8f98e7c7e |
| SHA512 | edf3d7ebb14fa51f1247307476347a7a5ff203c4e29dd62ca7ff378c6f93f401f0f2197eeb50a3ff4b969e130ada1a592dc83cca40370331b58c1a4077483486 |
C:\Windows\system\RHRMSJN.exe
| MD5 | f70ba99be7d013f84d63a12f4874220d |
| SHA1 | fc075e3db0b9a34cb201ed65aa2de79abf0e2806 |
| SHA256 | 97026c5ab4263fdd8ba936f55a238dc32a0d77eb9017fa7b8ee7e82f130ea6ad |
| SHA512 | d966f4cf441522c7c9124af79b1b5527c727e3e0aab5d9356f0aa6c1dd00e85dfc18a5ac2a0566ff201814cb4a1d5c51612d5647bdfec456d4d6cf4f05fc90bc |
\Windows\system\mwZoinU.exe
| MD5 | 61b4d69c8a6592aa12a5cadbec08aa67 |
| SHA1 | b1b02e1162d7293ad15708a1d50b80870c1b7894 |
| SHA256 | f83647bae3ac05df8f8ebdd22b1b70881b6c67c9d6a41c07bdf8f28df9bd7b91 |
| SHA512 | 963725c260057af2c472f01bf50a322d9b16e67193b858b1c5db7a6f3030f6c7f7691a302be8f8d4d50ef516a014410164b6c70e05c8ca592282dbfe674ec096 |
C:\Windows\system\vXLFIFx.exe
| MD5 | 09fec72bef4893f24cc52730737c8f00 |
| SHA1 | dbf4fbdf47d828d86e71f74a52c71ba86b967b0d |
| SHA256 | 469c41ce6bce78f79ba456052e7958501566009db936299992bf19c6ec673cae |
| SHA512 | bc857c85ffb09e3f9fe84d9999cb93493a8d403c3ab93c4925f7c68e51399f7c3f088f85e36b08215746c5b8946c31d86df636eeacf2d9c2167fb9ce614fd1b9 |
\Windows\system\xecsUti.exe
| MD5 | 5114ea28774d5d905a58e3fbdc540a42 |
| SHA1 | 0521f67f367aa1a0fbf41982db6662a2306f21ae |
| SHA256 | 7fb22953670f3a2e27b47d5e5c1845be47a7444229dee48f7106091311c7108d |
| SHA512 | bab1eb24de32592b4a0daa5bf927b2b4af7b54725b1d325d7a71d87132c65ab0af46f3c3969c0f3b08ad1143f949f562fa1754761d564c55e3d52cf721ec39cb |
\Windows\system\kQKBnVB.exe
| MD5 | c7899691c5531a7303d00b37f1220cde |
| SHA1 | 5322a05918626bef37cbbcaaf42a557342da460c |
| SHA256 | 744de2d8bf898835779a604cb1fc790a4f6813968521cd6a2a6eb22392288036 |
| SHA512 | 08d7f607c1bf60d7c800e7e344c50e6b82bb0cabf592b09fadbd94ac0e3824385d5c2d8cf5edb60f1df4bf6cac48fcec92899ee200245741c352272ff656db21 |
\Windows\system\KbKCfwg.exe
| MD5 | 01fb7552b826f28fd6871b80539baeff |
| SHA1 | c4e08b80f0745cca02c91f7673a1d72e79b815d1 |
| SHA256 | da39171f7e29bb16392b1c5a20cd3a53ab309014eb3c10b78bdc3130475921f1 |
| SHA512 | 1d98499867abc9bb8376437c6a6947f5c80dff82c3e10db2ea551bb2b8c184b3ff25c51e7b4eee921dde9729fb3cca7e8019736821066ba0d3497338041e5c10 |
\Windows\system\jplSibW.exe
| MD5 | d142f89dd82bfdc6a67f455e790f3829 |
| SHA1 | 3728fb5c8a9bc9055120d70f15f64c2322517101 |
| SHA256 | 2ceeedd362f672afd619d34c61f7bf6b96f04ce1ca149a5beb2c21271970cdbd |
| SHA512 | eea83f1a8b0088913fab1a802a55134e4bbb7c13336768422c08235dffce09cdeb88822f71367ea4b95661511d7df4682853d45a62a09c1383365c2b41e4dabf |
\Windows\system\dRLQwHW.exe
| MD5 | 9a90d4ba2d3e0f6b09e7713a936be253 |
| SHA1 | 9fa2ed8e8296ad1fbc4df5cf7b151d8057dab107 |
| SHA256 | 88ec55e0c48c7e6a027679e29558ec97a2c1ea17cbe4cdebc7c940d7feea57cb |
| SHA512 | 446a03120f64a775e484c857afa768e253534e76dc181008e84fa1231fe5df9189c20bdd3afc164ed4cb2e1d79193975071722fb947be79e8395e55432103eef |
\Windows\system\oJVaiRi.exe
| MD5 | 22c76d50592cbd37ac89898d9933907c |
| SHA1 | fa4b5dd329541d061195652c3c669e7b32845541 |
| SHA256 | 27549dd3f4d37405af9e7601721c90aba399b10c95f9e3f5fbeb96f1416bc8d2 |
| SHA512 | edc47e722daa8fcfcfec055236fda3bb1a9b1cf773fa77de558b8b6c13cefd873025185b551776c4b444495292d17bed86c97806fea19b93dccaf6752a95ab65 |
\Windows\system\ApfXhmC.exe
| MD5 | 7226e0e62773f7878f4f44629fc68c7c |
| SHA1 | b2d9c81bb7c102fceee18093a8c0570ff2a24d62 |
| SHA256 | c44ad7598ed6310a8d06bed397b6df000b46f3ee2729ce66b74b3079cea8c3be |
| SHA512 | f6a37e890e74694ec3da6234da43c529a892c0c0c1cebd1a4d978147c6b18e0e83ac63e43232a28558f8cb329390194bce7a45e4fea36dce54a846d5ca800624 |
C:\Windows\system\rbAbcrp.exe
| MD5 | fea1e5af67d898ac469bc95c1edce1b0 |
| SHA1 | 1c7b5157efbb1560d75f086477a210c2718ac053 |
| SHA256 | e3a1ee40697d1db8afc9c0208af1ffec8fbedbd44a50299de263a27cc52b13f6 |
| SHA512 | 600b3d75b220396ccbc7daeba947020cae00aad0d586dc42390c3a71542146521629c5f0602d81024bcc4017a480de152a65708386aa279eef74fcfe97e9c727 |
C:\Windows\system\vtiLdxo.exe
| MD5 | cf2217617f94c5a8957b1496abdc95a1 |
| SHA1 | 33d510f60d5525ea07d8295adc8d40d88fe3ac0d |
| SHA256 | 434552459d0421c589456a079f1d76af148cb9a734331e8c0b3f436c3a60ff40 |
| SHA512 | 9adb1a01bbbc90517c830e4178f332e9492de591e3ad8b49a9b41f9062779aa8a68b48187918584b953a6677fbcc95e8b7e5a75fc2507256163472c4b18224b1 |
C:\Windows\system\xzWpqAo.exe
| MD5 | 6b7171d8029c79172f7a17bccdfe2917 |
| SHA1 | f2d17073f11ae392ef7467025a33c79da1472a6c |
| SHA256 | e82fdddd0ab990019cd827070634b29a75bde7cdc3a73bf2e04866fe44db1081 |
| SHA512 | b7f091ba5a3c2f7cb42061a93d0083fc2e58d98757e4c5c56a2c74299a6548668017f2eaff27c6f2707656a7184fcd77e7b59a42d2bdb8b3cf701518cb1b1999 |
C:\Windows\system\tOYSQkt.exe
| MD5 | 1b098a28ccf54b400a7e37bc5b8fddd1 |
| SHA1 | 2ba9f9a5031507e88e3f751ebb51db6881f345ae |
| SHA256 | 0e1c6877163dd77bc142018edb78945d089567fa05dd06ddc483cbdb2dd67b46 |
| SHA512 | c27c70d05961570c7a7e0d80c0cb5715c729cd079f455da34d1859c776f9f1774a4e17547b20e3a1d2686188b8cede66bb507c4e0b562c1df88c2fbfd0f2cc85 |
C:\Windows\system\DwmbsMQ.exe
| MD5 | 12f483ed75ab298e6c601750f4bcf4d1 |
| SHA1 | 8e6ec809307d8e8f7e96da4a5553528ab8efb6c1 |
| SHA256 | 66f9dff2879b2c6d6b5339add278736ca61aed283b3b234e2141447b0071a107 |
| SHA512 | 43d2c4e7b89f64991fd4e759bec8209d1cf8f709c3d01e51534f245cfc277b96069e8a381edfc96741ebd2ed86a8db5157a11abbb6621ed2f4ae72053ec7ada3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 16:15
Reported
2024-06-11 16:18
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Process |
| --- |
| C:\Windows\System\eLxqczl.exe |
| C:\Windows\System\WUDbHIA.exe |
| C:\Windows\System\WLYJLXa.exe |
| C:\Windows\System\xgtarNt.exe |
| C:\Windows\System\GPaMCch.exe |
| C:\Windows\System\UQwAgqa.exe |
| C:\Windows\System\hGfYWCL.exe |
| C:\Windows\System\bFZTepg.exe |
| C:\Windows\System\GhmqYmS.exe |
| C:\Windows\System\IsnjrVL.exe |
| C:\Windows\System\QaFrDfo.exe |
| C:\Windows\System\djHGkpF.exe |
| C:\Windows\System\EHmBKFa.exe |
| C:\Windows\System\LuzxoGk.exe |
| C:\Windows\System\mRTJYDP.exe |
| C:\Windows\System\THyGmfj.exe |
| C:\Windows\System\LYRwead.exe |
| C:\Windows\System\hMoBwuO.exe |
| C:\Windows\System\XeZBgOl.exe |
| C:\Windows\System\MOKNJxn.exe |
| C:\Windows\System\DVIqkCF.exe |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Process |
| --- | --- |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-06-11_d6bb97aaad7abc8004d6ecf01cab4a28_cobalt-strike_cobaltstrike.exe |
| Token: SeLockMemoryPrivilege | C:\Users\Admin\AppData\Local\Temp\2024-06-11_d6bb97aaad7abc8004d6ecf01cab4a28_cobalt-strike_cobaltstrike.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_d6bb97aaad7abc8004d6ecf01cab4a28_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_d6bb97aaad7abc8004d6ecf01cab4a28_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\eLxqczl.exe
C:\Windows\System\eLxqczl.exe
C:\Windows\System\WUDbHIA.exe
C:\Windows\System\WUDbHIA.exe
C:\Windows\System\WLYJLXa.exe
C:\Windows\System\WLYJLXa.exe
C:\Windows\System\xgtarNt.exe
C:\Windows\System\xgtarNt.exe
C:\Windows\System\GPaMCch.exe
C:\Windows\System\GPaMCch.exe
C:\Windows\System\UQwAgqa.exe
C:\Windows\System\UQwAgqa.exe
C:\Windows\System\hGfYWCL.exe
C:\Windows\System\hGfYWCL.exe
C:\Windows\System\bFZTepg.exe
C:\Windows\System\bFZTepg.exe
C:\Windows\System\GhmqYmS.exe
C:\Windows\System\GhmqYmS.exe
C:\Windows\System\IsnjrVL.exe
C:\Windows\System\IsnjrVL.exe
C:\Windows\System\QaFrDfo.exe
C:\Windows\System\QaFrDfo.exe
C:\Windows\System\djHGkpF.exe
C:\Windows\System\djHGkpF.exe
C:\Windows\System\EHmBKFa.exe
C:\Windows\System\EHmBKFa.exe
C:\Windows\System\LuzxoGk.exe
C:\Windows\System\LuzxoGk.exe
C:\Windows\System\mRTJYDP.exe
C:\Windows\System\mRTJYDP.exe
C:\Windows\System\THyGmfj.exe
C:\Windows\System\THyGmfj.exe
C:\Windows\System\LYRwead.exe
C:\Windows\System\LYRwead.exe
C:\Windows\System\hMoBwuO.exe
C:\Windows\System\hMoBwuO.exe
C:\Windows\System\XeZBgOl.exe
C:\Windows\System\XeZBgOl.exe
C:\Windows\System\MOKNJxn.exe
C:\Windows\System\MOKNJxn.exe
C:\Windows\System\DVIqkCF.exe
C:\Windows\System\DVIqkCF.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\eLxqczl.exe
| MD5 | 3e7be10a8f27ca26fb6af30bfeb6d360 |
| SHA1 | 8c80902b9408a808cf268488a4cfaae4f18b93aa |
| SHA256 | c1f894001139ea447a96b6d9754534523d965e88f74847f835d4731ff128da21 |
| SHA512 | 3127a8dfff7a634eb9530505fb010b2ac45605ebd426aa36536a7349d112be742ee454e1aabf497dafc964ba4a1421ecce80ba63f5179ccac89e868f627fb7fb |
C:\Windows\System\WLYJLXa.exe
| MD5 | ab28082f909a262738ef72d0c2a54cd8 |
| SHA1 | 444e140364846499a6028c77fa1e7382c0091d24 |
| SHA256 | 730d1183c58b651b049a6b51c8e40be86d24bb778606f7d5e84cb4c7983be95f |
| SHA512 | cecadca1ef2bfa14c4537be2fae7bba87b05449948ebf4e3d402ca38ff0cc6463b3ad65c4e639eadce62febf9c7a0d4c4784cff15091fa2c9f187944be1998fc |
C:\Windows\System\WUDbHIA.exe
| MD5 | 99ecb5666c1de8d751571ced6fa8eed9 |
| SHA1 | 1349d0f844d9a21e6088c3add8ebeb59fd06232e |
| SHA256 | 4a843bc8d39595d72c52c0daa8598d530b0e37dfe7458186cc65b7f87877a2d6 |
| SHA512 | c28590887e688c1d0004d0fd414352022e4c762bbde24b23e9120f72117529ccc729d60ecfec3e8461e1773e6922026e8c90fdc89a53185725f6b24860ad3d17 |
C:\Windows\System\xgtarNt.exe
| MD5 | 69f385559be2293a5e3db20169f80a62 |
| SHA1 | 03bb8c51bb871f4498ae0461bb6248659b831f6c |
| SHA256 | c74f7682c894ec500e6160e4ffbed1ee7791a9dc51535a2f2fe67fe64f3aef7c |
| SHA512 | bda53a356269e0c45bd8572ce2b7598bc329b023738ab6709166e5910d17d8ff9f2e8e26b99d90e76459f1ae7f9667c3a7be5ad7c08dd7fb4794c330f5b9d82c |
C:\Windows\System\GPaMCch.exe
| MD5 | ac0b5fb63adbf9bc10b9ae6628b69e89 |
| SHA1 | 009fd94147472c6d2435a131c9ca94e5494ebaae |
| SHA256 | 98036a4ac55cd76201a150f80384f230d85aa293dbb0071e42136844adf0ea8d |
| SHA512 | 14cbf44d67b09b133301cf32e0a38af49dad105714ba9ad11a86987745145173132aa22c88013d3733284d8c0e333215ed93e76d698946d03e476094f6235d6d |
memory/624-34-0x00007FF678650000-0x00007FF6789A4000-memory.dmp
memory/4868-39-0x00007FF6DA760000-0x00007FF6DAAB4000-memory.dmp
memory/1368-43-0x00007FF788990000-0x00007FF788CE4000-memory.dmp
memory/3144-46-0x00007FF7EB3D0000-0x00007FF7EB724000-memory.dmp
C:\Windows\System\GhmqYmS.exe
| MD5 | 4db7735f5ae44d060b31782a532832e4 |
| SHA1 | a310b7a1eee83bff31291a1bf0b52643d7ac2314 |
| SHA256 | ecb082b07c041cc778bb45ff57398476711dee5834e91f11c43cc1b2215278ad |
| SHA512 | e7c6e79528fde2362df0c5a5cb3bcc5c7da22a8eb1ab14c3e9cb9b92aeaf3d40dbab9be42bef006bcd183c21ce99e6b7e2a25ca6ab79c0019a215f247961002b |
memory/2768-47-0x00007FF707160000-0x00007FF7074B4000-memory.dmp
C:\Windows\System\bFZTepg.exe
| MD5 | 5ee573790a2d1269d977c1b19b392962 |
| SHA1 | 573622c15aef10d29bbaddc2a9830061b839663d |
| SHA256 | 872d39cda9f491c06ed83d9bda47217dfdc5176659073426bbeadf132dc70f8b |
| SHA512 | 124bf5261f18495cb859509ed249294ae14ce35b7006a6ecababe2b5a505ce0b080ebd1c44f22b49594e9362f3bd69d6c12b777a818951161edd24ff17d0b6f6 |
C:\Windows\System\hGfYWCL.exe
| MD5 | 53c8a0dcbbd7d2a022760f68da192fb9 |
| SHA1 | 8fe56ca1a5254fd167055e39ab1c8b22da442992 |
| SHA256 | f0aec6c1e644d323ca152f34718c82707370150efbd9651de31c6a754cc4b142 |
| SHA512 | 0d4397faa11c86c7139e6fe25c597be2c9a56d5f79be984c281f13d2a720a0348d0291040452141b8496b8934ded3dce8753685f9c2b65b6f8d0f153e851ebc9 |
C:\Windows\System\UQwAgqa.exe
| MD5 | ea8a6a7870274dc3a02e72d89f508d7e |
| SHA1 | 1504bcd031468f648dd8184c5fe2a681b00da572 |
| SHA256 | ad239f9ce73b3a0f320233407d91ccc2940838c34a625cf70a5992e67e0f0b3a |
| SHA512 | fda88694eb0be4b6635d531b3b66fb0ce64b40d7519163879587ae9c063aeb56d43cdce03252d2d32725af25a6342332b9d4f783407074676beef03575422319 |
memory/2040-32-0x00007FF6BB910000-0x00007FF6BBC64000-memory.dmp
memory/3672-14-0x00007FF67FB60000-0x00007FF67FEB4000-memory.dmp
memory/632-56-0x00007FF725880000-0x00007FF725BD4000-memory.dmp
C:\Windows\System\IsnjrVL.exe
| MD5 | 6fd33d1a6f3f450f50f86b56c949c650 |
| SHA1 | a2b29cf829955097a0aab9112613708829c78f7b |
| SHA256 | fd4bcef9eb62143d428ff43a5fa35144714ea0a38a56d871d845d4ddf499a0bb |
| SHA512 | 6800c9a27b09bba3325893c227bdadef90f65be75e8bba8e0678d54989d12ddf9bf8aeedb17af47b5455111a0fb8a025bffaa0a2c28a96909dc00f859a1f5406 |
memory/1092-62-0x00007FF720530000-0x00007FF720884000-memory.dmp
C:\Windows\System\QaFrDfo.exe
| MD5 | a97f80440639d244fd65569d4736ffeb |
| SHA1 | 7063d1eb709ac8c4b3697fc0669f86ff518ea6bb |
| SHA256 | db097fdc5c475710be140643724263023220e7c39d8aa9fcbd745fbd93996ee7 |
| SHA512 | 1df2dee4ceed298bc7f6c1fb97122a825ef5cf8321700bc47259ebbf3150d7495e0d641dd4147f9c0c1a91187c037bd1e7d47659db3cb5d18b9f063cc520643d |
memory/740-68-0x00007FF62AF70000-0x00007FF62B2C4000-memory.dmp
C:\Windows\System\djHGkpF.exe
| MD5 | ff246f240ee8ad074a7672cb1f4aaa49 |
| SHA1 | a0cad146aeed6c845215a68f15fe6612a02316cb |
| SHA256 | 1badf2c0c7ae98ad06cd1ce945f20b11a23dadd2d3cfdf11eda6704aeaa85332 |
| SHA512 | 0ee11a611f3313c6f46004a9c2636986e1e0f897d0ab04f13fe5bee8bbddd03ad57d853e576f052230ef89ad22870a6e239ebb1ec42e726bf0116d193840b695 |
memory/3116-74-0x00007FF662730000-0x00007FF662A84000-memory.dmp
C:\Windows\System\EHmBKFa.exe
| MD5 | 627b24c982e03a2fb1327d2c3b13126c |
| SHA1 | d8def4a0efccded8fa4c443f86900e769209fda5 |
| SHA256 | 0a84de30ae0d033278b6f1a937392e9b9f50ac1f3ff9b53b105515cbd2305bc7 |
| SHA512 | 7867ad39c3d1e8e0d718650a1ecf5b4805f2cc2fcd30374c638ff4df2b259e249d3e0af7d4c86e4eed80ae3f9ab90bf21fa13468655e3a3802999da3f207ff66 |
memory/4204-76-0x00007FF628460000-0x00007FF6287B4000-memory.dmp
memory/4020-81-0x00007FF7DE220000-0x00007FF7DE574000-memory.dmp
C:\Windows\System\LuzxoGk.exe
| MD5 | 3b5c2d236c2c462da605c4ac3efb0497 |
| SHA1 | ffe70dbfb1b1b7d244d31cabd9420a86b7791854 |
| SHA256 | 6c31d47d50e01cb38f57aa31520bb6e5dee1efb24d5c7effc231350abb379a7a |
| SHA512 | 74a53d1c130fec83a12802cc6f47685ce80f84a0359e646455cdb00f2296ab1498753050092840e2a3cc6fa8340e04d93b37bf08a3871a2529388f84dc6a9e9e |
memory/464-88-0x00007FF6FB310000-0x00007FF6FB664000-memory.dmp
C:\Windows\System\mRTJYDP.exe
| MD5 | 7a61c9a89e2d248a21e49e20c3a1aa7e |
| SHA1 | 169c21ce8e3fe64468f99929e8131a0646f9d8cb |
| SHA256 | 99985a093b4e7516f0e6ec227d0bddb7f34ac1543c46384880016cc855f1fc70 |
| SHA512 | e909e2f5ea321fc1aef6456e6b47b4eb466ecd4feaae87ba52fc201573617adaaf47eefe629a3d20971f4d12937c1036abece9c7310c96cf45d518b35e9e8b8f |
memory/3144-97-0x00007FF7EB3D0000-0x00007FF7EB724000-memory.dmp
memory/5048-98-0x00007FF7D1100000-0x00007FF7D1454000-memory.dmp
C:\Windows\System\LYRwead.exe
| MD5 | b7011be149c217295d93a0cc093da9be |
| SHA1 | 59be6a3384b18407375b3df7574c330b96c7cf7e |
| SHA256 | 3a37293c71b6bb2c52115b143a74396ea4c70404cde90f282314e1999d6d7cf1 |
| SHA512 | 0ac8571eab3b4a0b500c19834e9f3ce5ca0075a4802c10f5c121699788999ac93ecf733fe765947790b8d233004c1ef64a8718d8ed5e7ad4405274414bcf166c |
C:\Windows\System\hMoBwuO.exe
| MD5 | 8ca9c03d04a5324cd789cd8e3fca363c |
| SHA1 | 6a490d306e6121088df5a10c4fcfb3bc6c9419a7 |
| SHA256 | 2bcc2471a8168a059e207fcb639735db2de3921fb2261bf2c5c0930c90f56556 |
| SHA512 | 8c703275c3393e0d708201cd8fd68fdc2557f07c89da6ddf2e192fc12ee36818e7cee1e30c3380e4962cc26c9e16efd7ae53c41ce124beb98dfa740a86f458eb |
C:\Windows\System\XeZBgOl.exe
| MD5 | 99392bd27e3b6dd8ff4bb0d9764b1b44 |
| SHA1 | feb50bceade7c79fb7d619e58833fc53fadab5c6 |
| SHA256 | 763b0e98e3e619620aedabaeec9b74a0ae5c4c8242afbea07b1f6c7fece96c5b |
| SHA512 | b3e742ed00d1a0b8402dd4022f39e405dbad24a2bdaec9e4621bbbb92ef0768b13b1fb6b4cdf9d8aba3c98fb9d18be6ecee4f913a8fab0f9852d16b7094e6fd9 |
memory/3440-114-0x00007FF7BE0F0000-0x00007FF7BE444000-memory.dmp
memory/2136-115-0x00007FF66E5C0000-0x00007FF66E914000-memory.dmp
memory/2768-113-0x00007FF707160000-0x00007FF7074B4000-memory.dmp
memory/2748-104-0x00007FF71CC00000-0x00007FF71CF54000-memory.dmp
C:\Windows\System\THyGmfj.exe
| MD5 | 0d780d1f8fc80fedb9ab3693cd0ec1be |
| SHA1 | 9c566c8fabf6767b7acf259f6aafc8d9ba3455e7 |
| SHA256 | 2344a5a5bb5886064a9153cf909a38d576e92e0eae93d12d2556305f9d0b29f5 |
| SHA512 | db184fba2656f04ce15846db6aea506a1f96b5c7d7639a7b0f5a2c8e7c28e2a08ada8efd94e8d544d81c99f5ab79e38caac0c6594ece15acf9dbe0612cb24bcf |
memory/4892-89-0x00007FF686C60000-0x00007FF686FB4000-memory.dmp
C:\Windows\System\MOKNJxn.exe
| MD5 | 00aa55729bdda36276bd659362661f5b |
| SHA1 | f49f998814cc3505777c3b7c2721c4816a9ac73f |
| SHA256 | 3b538cde4511e22edf68e4a41e9bcc37579d9fa5a92bc421f6ff72b123d28d70 |
| SHA512 | 41e766ee589bc6e1552ab2ac22b1485adfc722cc853acb08956ca4b0a7b63baa89930f4c43d5edceb801e4ef1aadab4717417aff23d0b8ce5e31ae2a52ef0364 |
C:\Windows\System\DVIqkCF.exe
| MD5 | 3a7da809892542177e9be5794e7ff62e |
| SHA1 | 85b034efb10cabbe960b88b58708f27c01cb0f47 |
| SHA256 | 26de024c67a21dac2271f404a4972cae89f44ea6ed6a5498fd929f414016766b |
| SHA512 | e164d5063bc513a62caa7fccda9b13344216f3bb85f7a79e2578a9edc46e27cad863642bbccc3297709d77e2e321e15a08db35780a2d7ba1c9b2c3dd011a823d |
memory/5064-126-0x00007FF719770000-0x00007FF719AC4000-memory.dmp
memory/632-125-0x00007FF725880000-0x00007FF725BD4000-memory.dmp
memory/1092-131-0x00007FF720530000-0x00007FF720884000-memory.dmp
memory/1192-132-0x00007FF787CB0000-0x00007FF788004000-memory.dmp
memory/464-133-0x00007FF6FB310000-0x00007FF6FB664000-memory.dmp
memory/4892-134-0x00007FF686C60000-0x00007FF686FB4000-memory.dmp
memory/5048-135-0x00007FF7D1100000-0x00007FF7D1454000-memory.dmp
memory/2748-136-0x00007FF71CC00000-0x00007FF71CF54000-memory.dmp
memory/3440-137-0x00007FF7BE0F0000-0x00007FF7BE444000-memory.dmp
memory/2136-138-0x00007FF66E5C0000-0x00007FF66E914000-memory.dmp
memory/3776-139-0x00007FF6BCC20000-0x00007FF6BCF74000-memory.dmp
memory/3672-140-0x00007FF67FB60000-0x00007FF67FEB4000-memory.dmp
memory/2040-141-0x00007FF6BB910000-0x00007FF6BBC64000-memory.dmp
memory/624-142-0x00007FF678650000-0x00007FF6789A4000-memory.dmp
memory/4868-143-0x00007FF6DA760000-0x00007FF6DAAB4000-memory.dmp
memory/1368-144-0x00007FF788990000-0x00007FF788CE4000-memory.dmp
memory/3144-146-0x00007FF7EB3D0000-0x00007FF7EB724000-memory.dmp
memory/2768-145-0x00007FF707160000-0x00007FF7074B4000-memory.dmp
memory/632-147-0x00007FF725880000-0x00007FF725BD4000-memory.dmp
memory/1092-148-0x00007FF720530000-0x00007FF720884000-memory.dmp
memory/740-149-0x00007FF62AF70000-0x00007FF62B2C4000-memory.dmp
memory/4204-150-0x00007FF628460000-0x00007FF6287B4000-memory.dmp
memory/4020-151-0x00007FF7DE220000-0x00007FF7DE574000-memory.dmp
memory/464-152-0x00007FF6FB310000-0x00007FF6FB664000-memory.dmp
memory/4892-153-0x00007FF686C60000-0x00007FF686FB4000-memory.dmp
memory/5048-154-0x00007FF7D1100000-0x00007FF7D1454000-memory.dmp
memory/2748-155-0x00007FF71CC00000-0x00007FF71CF54000-memory.dmp
memory/2136-156-0x00007FF66E5C0000-0x00007FF66E914000-memory.dmp
memory/3440-157-0x00007FF7BE0F0000-0x00007FF7BE444000-memory.dmp
memory/5064-158-0x00007FF719770000-0x00007FF719AC4000-memory.dmp
memory/1192-159-0x00007FF787CB0000-0x00007FF788004000-memory.dmp