Analysis Overview
SHA256
9c899a4621504a0811e371db791b93fe031ade33bc88b11f5315a990fbd4bd4f
Threat Level: Known bad
The file 2024-06-11_cf23c250b2ef30f5af61c3cf8a8be666_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
xmrig
Cobalt Strike reflective loader
Cobaltstrike
Detects Reflective DLL injection artifacts
Cobaltstrike family
Xmrig family
UPX dump on OEP (original entry point)
XMRig Miner payload
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix
Analysis: static1
Detonation Overview
Reported
2024-06-11 21:24
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 21:24
Reported
2024-06-11 21:27
Platform
win7-20231129-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\ystyBXV.exe | N/A |
| N/A | N/A | C:\Windows\System\YRCFQIv.exe | N/A |
| N/A | N/A | C:\Windows\System\cMOuHUG.exe | N/A |
| N/A | N/A | C:\Windows\System\yabXUWv.exe | N/A |
| N/A | N/A | C:\Windows\System\OPACvzB.exe | N/A |
| N/A | N/A | C:\Windows\System\JJJksuN.exe | N/A |
| N/A | N/A | C:\Windows\System\udXlgKi.exe | N/A |
| N/A | N/A | C:\Windows\System\OQBlEfo.exe | N/A |
| N/A | N/A | C:\Windows\System\axxyExt.exe | N/A |
| N/A | N/A | C:\Windows\System\MXEbKIQ.exe | N/A |
| N/A | N/A | C:\Windows\System\MgqDDcE.exe | N/A |
| N/A | N/A | C:\Windows\System\gDmXMaq.exe | N/A |
| N/A | N/A | C:\Windows\System\FGShpqt.exe | N/A |
| N/A | N/A | C:\Windows\System\FRYNwhY.exe | N/A |
| N/A | N/A | C:\Windows\System\zoZpwwF.exe | N/A |
| N/A | N/A | C:\Windows\System\NYukXjL.exe | N/A |
| N/A | N/A | C:\Windows\System\XwffCHP.exe | N/A |
| N/A | N/A | C:\Windows\System\hsBoUlJ.exe | N/A |
| N/A | N/A | C:\Windows\System\gxwVrdQ.exe | N/A |
| N/A | N/A | C:\Windows\System\NkesqdD.exe | N/A |
| N/A | N/A | C:\Windows\System\ZOcaWPh.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_cf23c250b2ef30f5af61c3cf8a8be666_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_cf23c250b2ef30f5af61c3cf8a8be666_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_cf23c250b2ef30f5af61c3cf8a8be666_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_cf23c250b2ef30f5af61c3cf8a8be666_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\ystyBXV.exe
C:\Windows\System\ystyBXV.exe
C:\Windows\System\YRCFQIv.exe
C:\Windows\System\YRCFQIv.exe
C:\Windows\System\yabXUWv.exe
C:\Windows\System\yabXUWv.exe
C:\Windows\System\cMOuHUG.exe
C:\Windows\System\cMOuHUG.exe
C:\Windows\System\OPACvzB.exe
C:\Windows\System\OPACvzB.exe
C:\Windows\System\JJJksuN.exe
C:\Windows\System\JJJksuN.exe
C:\Windows\System\udXlgKi.exe
C:\Windows\System\udXlgKi.exe
C:\Windows\System\axxyExt.exe
C:\Windows\System\axxyExt.exe
C:\Windows\System\OQBlEfo.exe
C:\Windows\System\OQBlEfo.exe
C:\Windows\System\MXEbKIQ.exe
C:\Windows\System\MXEbKIQ.exe
C:\Windows\System\MgqDDcE.exe
C:\Windows\System\MgqDDcE.exe
C:\Windows\System\gDmXMaq.exe
C:\Windows\System\gDmXMaq.exe
C:\Windows\System\FGShpqt.exe
C:\Windows\System\FGShpqt.exe
C:\Windows\System\FRYNwhY.exe
C:\Windows\System\FRYNwhY.exe
C:\Windows\System\zoZpwwF.exe
C:\Windows\System\zoZpwwF.exe
C:\Windows\System\NYukXjL.exe
C:\Windows\System\NYukXjL.exe
C:\Windows\System\XwffCHP.exe
C:\Windows\System\XwffCHP.exe
C:\Windows\System\hsBoUlJ.exe
C:\Windows\System\hsBoUlJ.exe
C:\Windows\System\gxwVrdQ.exe
C:\Windows\System\gxwVrdQ.exe
C:\Windows\System\NkesqdD.exe
C:\Windows\System\NkesqdD.exe
C:\Windows\System\ZOcaWPh.exe
C:\Windows\System\ZOcaWPh.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3000-0-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/3000-1-0x00000000001F0000-0x0000000000200000-memory.dmp
\Windows\system\ystyBXV.exe
| MD5 | 78998098bc3b3e80bdd678082439a64e |
| SHA1 | cbb1c58afcf53aef24d140169974b661a792e7d9 |
| SHA256 | 75e950bcc762d4352e2f814f1bf7d991a6e7adb350fb1f538c53c8716c48fb80 |
| SHA512 | f60bcc2c313f597883748bade21992b221393118aeb88a8200e3375d861e01b5307d3e86b0b76fa7344114b1d77897bb4c6a22e9eb43cfc5623c38f7d0540411 |
C:\Windows\system\yabXUWv.exe
| MD5 | 5e065ddd6200450ae7925f919ce52131 |
| SHA1 | 7d0cc1461a0ff9177760a625940b8479591c5a6e |
| SHA256 | e457f196164e87a734c5b40fcd48e8aeff4c82b6c7bed06ded28848ad1e5f6be |
| SHA512 | 5bd2f40b72d20d46ed10dca4dddf24447dcdfda131416eec47e860031d5e5f2225843ccaa801d112255a765fe3a3ba1e2f12e37358bef44e82023e28607a0f26 |
memory/2788-30-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/3000-29-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/3000-35-0x00000000023D0000-0x0000000002724000-memory.dmp
memory/2680-37-0x000000013FEF0000-0x0000000140244000-memory.dmp
C:\Windows\system\OQBlEfo.exe
| MD5 | abdc8d1c4a20ad7f59f85f7f3b7cece4 |
| SHA1 | 1d8295024cbc3819333d7bf5c450ce03b5f83753 |
| SHA256 | fe177c01116f3754a1b6e63c674ecfe7a9ac8835422e342e38b388c61afa00c9 |
| SHA512 | 5d1b31ddcafd9001fe9c81a55e26e50694414b1d1735594ab5569063e747f6778a58fe70a6beed701111e3be530b474c2410657b1818a768365b73eb71a1dda9 |
\Windows\system\axxyExt.exe
| MD5 | a8a109383af271fd4fbd1738a6930d28 |
| SHA1 | c5d935d6e7f379430ad3234ab4d2ac5e0a23b384 |
| SHA256 | 88e599ce397e547f554cc0fd3588345ed9d2ad1280bc688a60431e3f6dc27c65 |
| SHA512 | e48ddf11b661a9bbb13105cd6bce374eb8809504867e026623fb8d76809d2f7195d294bcaa05756fa8b323c63a08866e475c81aeb84eab5fba08cc4846476fbc |
memory/2844-62-0x000000013FD00000-0x0000000140054000-memory.dmp
memory/3000-69-0x00000000023D0000-0x0000000002724000-memory.dmp
memory/2072-76-0x000000013F6D0000-0x000000013FA24000-memory.dmp
memory/3000-90-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/592-92-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/3000-98-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/3000-107-0x000000013FF10000-0x0000000140264000-memory.dmp
C:\Windows\system\hsBoUlJ.exe
| MD5 | 29ae1ab8b005e24ff768e080256a9e93 |
| SHA1 | 766959f1c7c403e10e6196c1d28e6d97e6a5e6bc |
| SHA256 | b3955ea0991c143638d6bccb4c7766eea99fb631e527f84a3c67aa66f9329fb9 |
| SHA512 | fe8490fee122d325609d84c5e07d041c7394c5e67f1454794236056c8722911d68ae69953d1d2aae9173b9c5eaeda183f89fc86786b4ea7691be1253094fa55f |
C:\Windows\system\NkesqdD.exe
| MD5 | 9f39183d3d0e8c684bdaed9b255f45c8 |
| SHA1 | 1e0289707f4670cea22ac49cde7f02e345199234 |
| SHA256 | 781c4dd6fd9172aa3a64493ac649be9df337136a2d68c00a5550bbcb68bf74f3 |
| SHA512 | 471219481ca1914619e813b2fee570a1754ef4e91d99bd8bdf26ef000949738b838841bc17357de56e9aa385f86e7c1476802aa88425682d56a7bc8d5d7a38ad |
C:\Windows\system\ZOcaWPh.exe
| MD5 | b839d77127de4612ab37b2ed6f0ebdfe |
| SHA1 | 0ef172fd65a0feff9ceb3f3da922119dc50c0740 |
| SHA256 | ad86292f194cb5488edf71354fdafaefca5341ee1ccf49065a8c23f123f6a0ce |
| SHA512 | 1a36d92fe6b654d7988ce84a0346718c4fa89db68d2831fe1ffd615c425000755e0d6681dbc89da1092b641468b04e418a8fdf4da2f7aa418a8de421eb3aa5d5 |
C:\Windows\system\gxwVrdQ.exe
| MD5 | 4e325f9727bd9e611c4939e038d6e7a2 |
| SHA1 | b8b66333d6576e11a14fe3f4d517b4ef7fae4992 |
| SHA256 | f311fa7de48941831aa4b3b29606873734cbe3dcc266053fb09a3b3b18ff0051 |
| SHA512 | b546d49f9fb8a7b2c9b46adf7a4411d5b83541d4db4ad93a229591787b9c008a59dfddc3c46b672c703f890cd76c8dda3c0572b1391d985122b4ba962bde885d |
C:\Windows\system\XwffCHP.exe
| MD5 | 87018bdadf0382e910ca0e761edea635 |
| SHA1 | b365e9ca44f589c30de426ba783bb548ca0641a1 |
| SHA256 | 791704aef405bd356204e880b07c22107f3ccf429527c09fedf40c757ff1820f |
| SHA512 | fde0eac2c7912d6977e9033d300d85351b1f9e3c5c2ee25bb226a40f1a31debeedc710805a2b86970407ae339e2f33799d8c8d3f496717cc25f2a5a405205098 |
C:\Windows\system\NYukXjL.exe
| MD5 | 201b918f19fb42f07f43c1afb0c2663e |
| SHA1 | 6bcf39518163a7a35f5cb653dccec4d508e6c2e6 |
| SHA256 | b5e518ebf234492bd89424956c945b44c7aa2ef5f5f43eebffb4ec0ea90b2ab7 |
| SHA512 | af41abef0721db24200f551202ffc15ed1af387a0ff778aca134b38460683184d8e42185dfd6f1d2f92d47a71817a4d82b3ddf7fdd6c61140feea375d3874706 |
C:\Windows\system\zoZpwwF.exe
| MD5 | 5ea7f6f4081e93dd843dd7f5eafb4e38 |
| SHA1 | b8912aeb92e72861ef46d4b20b56158bf7702ac1 |
| SHA256 | 7618931f47a23d9ff00eb82e66875d7f20c2ba5d4090bce899f5100536bc7d1b |
| SHA512 | 48d4c818c1782267fe056190b72241e7b012a88bb0d0057de506ff5655e53fff0c9973c788f532c084c49944214a2d1b3f26f3f440938e1f5d0e074aa47cac08 |
memory/1332-101-0x000000013F790000-0x000000013FAE4000-memory.dmp
memory/3000-100-0x00000000023D0000-0x0000000002724000-memory.dmp
memory/2600-99-0x000000013F380000-0x000000013F6D4000-memory.dmp
C:\Windows\system\FRYNwhY.exe
| MD5 | bbdb6d70c341420bf5f00f7f3ea43651 |
| SHA1 | 205c93757479767cb5f953f33640742a9f5d8be3 |
| SHA256 | 8a73800ed42baafc64b32eec2f7e64a6ebeec46d28fb3f65e669212a3b1c137e |
| SHA512 | fa9dd75d5b8ddea3d2e0a36fddfb049ce2812dc515d21ce70033352e15d9ab9243210db5f9aff7a292a63ee5cefbf2e5e489e4460f547952b19c2092b864750c |
memory/3000-91-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/1884-84-0x000000013FCB0000-0x0000000140004000-memory.dmp
memory/3000-83-0x000000013FCB0000-0x0000000140004000-memory.dmp
C:\Windows\system\FGShpqt.exe
| MD5 | fdf3f933ec7c46279bd9f6cdce8531a1 |
| SHA1 | eb168d83a467d42fa6ac974a7fda9202cc11b326 |
| SHA256 | 6c62ebd77515be61d1de9431be8782730df08ded23e4a7c66045822c5edd2da2 |
| SHA512 | 9fb561de8cea0850c658a7332fecb87dcbf653ea79478db389bc06ad6e5edb3a5f2d550c3f9ccea48bd48f4a4a6a4bc7392f1567448ee1ec2d62d01eda3a62b8 |
C:\Windows\system\gDmXMaq.exe
| MD5 | 5bbf00444e767794d6b9f334daebed51 |
| SHA1 | bfa972b6a9e0376fa9a2d0ccb8a2ea74c0ad4651 |
| SHA256 | ae5ea24f058cf5487f91694fa4c9dede1df6a77b5e67fb2c740be3ea2b6095d7 |
| SHA512 | 267a723661a40eac65c02e2e49f5903e03db492f4b29beaceed9067768940aa88f8cd9e3dddc2492f109c06daf22b96174f9505bddd9a5dba35cbfa1586e631f |
memory/3000-75-0x00000000023D0000-0x0000000002724000-memory.dmp
memory/2464-70-0x000000013F770000-0x000000013FAC4000-memory.dmp
C:\Windows\system\MXEbKIQ.exe
| MD5 | 04302fffb3554baac5477e7b98c53ad5 |
| SHA1 | 149f78e5440d4be89932edc654a808eda91a5612 |
| SHA256 | a653e5b882cc4f1b6d6b7a8f9763bb42f92c18d01e5f12f75316f23abde94ef0 |
| SHA512 | 2764f3f1ea47e0944e0c031168e81217d952c1f7b202edc32e01235abde6c30cb8f4c1a210c5598b545544c3860fa0319186bbea7273436a0494f36f539a042f |
C:\Windows\system\MgqDDcE.exe
| MD5 | 744fcc45d7f66aea38876857f9d3d25e |
| SHA1 | d273311bbdc43d46e99a404b45e308d7c6dc00e4 |
| SHA256 | 5ceeecfdc7d5c8d9c41afd210cd06ae779f06eeff703d2777d335e432c2e49be |
| SHA512 | ebd6241facb5e7edbb0b2b5a477d15e894c47a2b2bb57cf891c392ced3dd10877cc9c0f0cbfb39c692e48901ca0b3b6e9a2240552bd0637dff0f0153d2f1aca1 |
memory/2508-60-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/3000-58-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/3000-56-0x000000013FD00000-0x0000000140054000-memory.dmp
memory/2780-55-0x000000013FF40000-0x0000000140294000-memory.dmp
C:\Windows\system\udXlgKi.exe
| MD5 | 869c835c0d3fd8157010efb10a8198af |
| SHA1 | 65099d3ee6d04b67c1c70ec569c967383828d271 |
| SHA256 | c0548ae905e2036e04a3579c1b3271a51a5077580f8e85257bf07349b1802e05 |
| SHA512 | eed9d773a0b0fcef0aafa742f489f91195dec9726b333b53b817a19af66adf7d51719d77fd091acbfa1fb0b09877031dca3fefe08add0b33fee03af5f91ef4e3 |
memory/2600-42-0x000000013F380000-0x000000013F6D4000-memory.dmp
C:\Windows\system\JJJksuN.exe
| MD5 | 7e6a9900262403222c6dbb32a7836359 |
| SHA1 | 06c7f15c21d4440f7725d42f40dcd43f6f43747a |
| SHA256 | a27caf913e1435be98f510b9ff02aa37490eced5d3621490a36c8c280de7e688 |
| SHA512 | 9bf2893467aac580d9bc38efd19923caece5d1553bb49332bded11c97cd0f855a08bc00645a1b06a6c3d2e9817a7ef3423e997570b034d12ab928edb1635a16b |
memory/848-36-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/3000-34-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/3000-33-0x000000013FEF0000-0x0000000140244000-memory.dmp
C:\Windows\system\OPACvzB.exe
| MD5 | 9781718aaebca4651fba03de820f2ef6 |
| SHA1 | 3c2e4df93faa794e12b30cc1a1d5540f70a25a7e |
| SHA256 | 26b15fd441e23cb712249d3df7cc73ca402d83991e982e093c6c89e119ba4b64 |
| SHA512 | 698dc07aff70edda7a0b9278a170ab7a3a0281d892ecec7031e2f0ef189b6f6264f5ba88d2e93dea5828ce27b256b137080d1e183b7b9dfeab6f7b407e198934 |
C:\Windows\system\cMOuHUG.exe
| MD5 | ea3afabbb3f67199ca2ec51ff022f77d |
| SHA1 | 67cd8e0af4ac8d1e5a171f8324887e880f9e7418 |
| SHA256 | c03fe625b1c00bfafc0b5104ecce427e73128b9265741e6754832246dcf2a7cf |
| SHA512 | aef0210ade5d71e050984f237c1de3c63bf9610a0cf93086e08aa6af89d3921d48d388e8d4cfb030b8d356ae9f89d744e15f3824002b82c94789711bd69d7ca5 |
memory/3068-16-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/3020-21-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/3000-8-0x000000013FFC0000-0x0000000140314000-memory.dmp
C:\Windows\system\YRCFQIv.exe
| MD5 | 5d4296448065b82c7b2dee016a682f5e |
| SHA1 | ad83478ff5511aed2c300c1fa0ca0519d3bfdf5f |
| SHA256 | 4da838a521c323907f715dc41686b7174ad0fea30cbdf11520bb793ea9072ef0 |
| SHA512 | ab91058822ae60feddcc845072e54701c0a3c1a81d611b5740a8e787182973b7e7d9c2e1f56cf0f07413e0cd61966383336be26892fb4cd0c362c6124bd7ab64 |
memory/2508-137-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/2844-138-0x000000013FD00000-0x0000000140054000-memory.dmp
memory/3000-139-0x00000000023D0000-0x0000000002724000-memory.dmp
memory/2072-140-0x000000013F6D0000-0x000000013FA24000-memory.dmp
memory/3000-141-0x000000013FCB0000-0x0000000140004000-memory.dmp
memory/3000-142-0x000000013FF10000-0x0000000140264000-memory.dmp
memory/3068-143-0x000000013FFC0000-0x0000000140314000-memory.dmp
memory/3020-144-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/2788-146-0x000000013F5B0000-0x000000013F904000-memory.dmp
memory/848-145-0x000000013FC50000-0x000000013FFA4000-memory.dmp
memory/2680-147-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2780-148-0x000000013FF40000-0x0000000140294000-memory.dmp
memory/2600-149-0x000000013F380000-0x000000013F6D4000-memory.dmp
memory/2508-150-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/2072-153-0x000000013F6D0000-0x000000013FA24000-memory.dmp
memory/2844-152-0x000000013FD00000-0x0000000140054000-memory.dmp
memory/2464-151-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/1884-154-0x000000013FCB0000-0x0000000140004000-memory.dmp
memory/592-155-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/1332-156-0x000000013F790000-0x000000013FAE4000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 21:24
Reported
2024-06-11 21:27
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\EEpJmQy.exe | N/A |
| N/A | N/A | C:\Windows\System\FjpMVTZ.exe | N/A |
| N/A | N/A | C:\Windows\System\QCmhCrB.exe | N/A |
| N/A | N/A | C:\Windows\System\lUWXxfd.exe | N/A |
| N/A | N/A | C:\Windows\System\uZusmGy.exe | N/A |
| N/A | N/A | C:\Windows\System\WjSUcJl.exe | N/A |
| N/A | N/A | C:\Windows\System\OzSFQpt.exe | N/A |
| N/A | N/A | C:\Windows\System\LUcyyJs.exe | N/A |
| N/A | N/A | C:\Windows\System\KdsQYXs.exe | N/A |
| N/A | N/A | C:\Windows\System\sYfAcRW.exe | N/A |
| N/A | N/A | C:\Windows\System\NMDtlKu.exe | N/A |
| N/A | N/A | C:\Windows\System\YwewYjH.exe | N/A |
| N/A | N/A | C:\Windows\System\SXGEmJR.exe | N/A |
| N/A | N/A | C:\Windows\System\JbjWIrJ.exe | N/A |
| N/A | N/A | C:\Windows\System\otvcvRR.exe | N/A |
| N/A | N/A | C:\Windows\System\fcPstCQ.exe | N/A |
| N/A | N/A | C:\Windows\System\FyyxCGa.exe | N/A |
| N/A | N/A | C:\Windows\System\jlDvkad.exe | N/A |
| N/A | N/A | C:\Windows\System\LEwugOy.exe | N/A |
| N/A | N/A | C:\Windows\System\kNuAbWN.exe | N/A |
| N/A | N/A | C:\Windows\System\wBrUelX.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_cf23c250b2ef30f5af61c3cf8a8be666_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_cf23c250b2ef30f5af61c3cf8a8be666_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_cf23c250b2ef30f5af61c3cf8a8be666_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_cf23c250b2ef30f5af61c3cf8a8be666_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\EEpJmQy.exe
C:\Windows\System\EEpJmQy.exe
C:\Windows\System\FjpMVTZ.exe
C:\Windows\System\FjpMVTZ.exe
C:\Windows\System\QCmhCrB.exe
C:\Windows\System\QCmhCrB.exe
C:\Windows\System\lUWXxfd.exe
C:\Windows\System\lUWXxfd.exe
C:\Windows\System\uZusmGy.exe
C:\Windows\System\uZusmGy.exe
C:\Windows\System\WjSUcJl.exe
C:\Windows\System\WjSUcJl.exe
C:\Windows\System\OzSFQpt.exe
C:\Windows\System\OzSFQpt.exe
C:\Windows\System\LUcyyJs.exe
C:\Windows\System\LUcyyJs.exe
C:\Windows\System\KdsQYXs.exe
C:\Windows\System\KdsQYXs.exe
C:\Windows\System\sYfAcRW.exe
C:\Windows\System\sYfAcRW.exe
C:\Windows\System\NMDtlKu.exe
C:\Windows\System\NMDtlKu.exe
C:\Windows\System\YwewYjH.exe
C:\Windows\System\YwewYjH.exe
C:\Windows\System\SXGEmJR.exe
C:\Windows\System\SXGEmJR.exe
C:\Windows\System\JbjWIrJ.exe
C:\Windows\System\JbjWIrJ.exe
C:\Windows\System\otvcvRR.exe
C:\Windows\System\otvcvRR.exe
C:\Windows\System\fcPstCQ.exe
C:\Windows\System\fcPstCQ.exe
C:\Windows\System\FyyxCGa.exe
C:\Windows\System\FyyxCGa.exe
C:\Windows\System\jlDvkad.exe
C:\Windows\System\jlDvkad.exe
C:\Windows\System\LEwugOy.exe
C:\Windows\System\LEwugOy.exe
C:\Windows\System\kNuAbWN.exe
C:\Windows\System\kNuAbWN.exe
C:\Windows\System\wBrUelX.exe
C:\Windows\System\wBrUelX.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/4748-0-0x00007FF608990000-0x00007FF608CE4000-memory.dmp
memory/4748-1-0x000001DF8D6B0000-0x000001DF8D6C0000-memory.dmp
C:\Windows\System\EEpJmQy.exe
| MD5 | 3a82d7cc49648d8e77e89cc8223dead8 |
| SHA1 | c46cd92d7bbd827efa099c5df94b2ced4d68021c |
| SHA256 | 016012d55362f90d63ea434803c7226e811e5cdc3422a99bc7f7c90ff7b7f1ca |
| SHA512 | b03d99c92ce8adfed85067cf75dafad93f75b1a6b213017e88edcc7ca9d9a9dbf03aeffc274410f9a826b71d5508328248da53ba649d0d6f93be0fc85a994293 |
C:\Windows\System\QCmhCrB.exe
| MD5 | a624b8c887c65684dbac2fa01aaea606 |
| SHA1 | 5f2e90e0a143698b41a38f2266abe72cb837b038 |
| SHA256 | 1f40d47f8fc91f149ec29163f11647560d8c75136dcdbb255771af6adfffc713 |
| SHA512 | e848dc65cf40496d5b726a88dc4b3808fe0ac31a041ee8218fa91e1c6ee53b42da84e419fa9c4a488fe5cb6146042455e7f9599a0e3954a6e54fc465fe7426d6 |
C:\Windows\System\FjpMVTZ.exe
| MD5 | fe8682dc1ab0178eb90bbe7d5ad8359b |
| SHA1 | 1409cb1d2decd0f489226900dec62e4a039e067e |
| SHA256 | b75e4917c6f2a0ba8300d1b097b0bfa0f80feb1b15b213de61677f68ae63ad1f |
| SHA512 | ce713d840f2816371375b9f5eb3d977f7361137b421e9e8606c92b3967773e175a379dfb93f72921cfff3118faf89a92c552482ec41877d95d727a0247fd5bca |
memory/4596-11-0x00007FF7383B0000-0x00007FF738704000-memory.dmp
C:\Windows\System\lUWXxfd.exe
| MD5 | 1d113ed87c19245360fb105206f0412d |
| SHA1 | 70ae768bac06b90aadd8a8dc5bdd15856d050a21 |
| SHA256 | 22bd8ca1c4788a6be796d87a7feb2ac59609f0c33b56a680192d884b5bbc3ed2 |
| SHA512 | 8d9ae2ad65a641259f1ec31db46accca9c8b7f916f3faea5c8c74035b79d8c37099e94d800322c9201c3df850da088710f47381e6c7a0af54851afec730a3a5e |
C:\Windows\System\uZusmGy.exe
| MD5 | d75116134bdf8419613cc7c6e5ddc1fb |
| SHA1 | 10d901ac615437392379b8bf9cf69b9cce5e7c8a |
| SHA256 | b1f3a157ed5c4428b7ae3bfd5aa690603e3a88d831e82270f83317620bb9c79c |
| SHA512 | e7340d00b471282015bd6d29471b0f4f75122e196c8eb8e45395b9d9ac14cc41f11fba58042ff0da075f03415121934c933b1e97584e24fdff576c17c546357b |
C:\Windows\System\WjSUcJl.exe
| MD5 | 9743edf25205deb4d18cd5d721bcff18 |
| SHA1 | 4579e450ffa40cfff5d0ce0743a52820dcc792c2 |
| SHA256 | 7933443ac93dac1facef75a003413e2473a927f7cc461a085247169fe3074e7d |
| SHA512 | 542140272c03aae2f72d06ad33b758d34eef19cb190860dc61d52c5324a83bf13c0f0126d03966de0cabb92e89edfb39da04129a19a73ac09fa818677fee704b |
C:\Windows\System\OzSFQpt.exe
| MD5 | d6c8de100d16cb352b51335a0fe38100 |
| SHA1 | 08bea1a069c9a82533531c4bff52355e650809a3 |
| SHA256 | 1f212c349e1edace1798680857e3e3b9958af26cc4b1ad395d488679d6e262e7 |
| SHA512 | 9e9a7607750681cd6343da1f4e875d503dc9ecf2bbbc0e10dfd12d0e463a80b0b01e59e219802c1f377901287eaaf699e52a1bc5e8f0775509e947e134b9d165 |
memory/2904-42-0x00007FF6557A0000-0x00007FF655AF4000-memory.dmp
C:\Windows\System\KdsQYXs.exe
| MD5 | d8ada6be70b1719f2c22ede8101c2580 |
| SHA1 | 09d843fe7aee6b6b3ab03e1cbfdd177083362202 |
| SHA256 | a31508426be96ca129a2c98b2e92b938123e169bbec7a6a76cd2341c7d64a269 |
| SHA512 | 8f6f9ca118703d5b758eb407250ebff1b8ef50ae0b16e55dc648a0f5fc0c86dca87c44b7aaf02ccaf116647758655ced559282380eda9f0a1a142dc01af1ee88 |
memory/3016-54-0x00007FF78B3F0000-0x00007FF78B744000-memory.dmp
C:\Windows\System\LUcyyJs.exe
| MD5 | 6727f3cd8be8f0cdc1ddd2f690caebff |
| SHA1 | 2d413f92f9ab807399ad071972e239d2c74131a6 |
| SHA256 | 9c23047048ad3fde4d7e25bedc16fc380bb3c13273f0aaf2a5212adfa8a300ad |
| SHA512 | ec805b46416b43b0cc0261fd015acc496222fe7874d2011c3556d5d793bc82d792cae55cc3793e2cff1a6fdaedb27ad39c5aab94f20e1c0c05fd65b5472ab1ad |
memory/3572-47-0x00007FF702450000-0x00007FF7027A4000-memory.dmp
memory/3464-46-0x00007FF6F6460000-0x00007FF6F67B4000-memory.dmp
memory/1556-37-0x00007FF7FA930000-0x00007FF7FAC84000-memory.dmp
memory/4644-26-0x00007FF6C3EB0000-0x00007FF6C4204000-memory.dmp
memory/4496-16-0x00007FF76B640000-0x00007FF76B994000-memory.dmp
memory/1072-15-0x00007FF630D10000-0x00007FF631064000-memory.dmp
C:\Windows\System\sYfAcRW.exe
| MD5 | 3851d1717f5b5f66d2c036810406c77b |
| SHA1 | ddeb521be91aafcd6e1e9e823f254975bbd64bf5 |
| SHA256 | dae87ab29102ad498e46fc842463a447e5d74e529f938a8f8d3e8fea0824eced |
| SHA512 | ed0507e6c0e37bca51389bb83af7cde505ae00ebcb9f9562c9db38f67c80c79ffe8da5b19f5eab2d0ba5dcdeee688ff9425c2c802a627e80572abe513f6e3312 |
memory/3508-60-0x00007FF65BC80000-0x00007FF65BFD4000-memory.dmp
C:\Windows\System\NMDtlKu.exe
| MD5 | 89aa848e975bf1706b43ea110b6b48b3 |
| SHA1 | d4402b45f9c5f952cb702629860007efa0b483f2 |
| SHA256 | 5325749e42bd7f7a83e2d0bebc3a473deef733b002cb095cdd92f5d4a9ebedec |
| SHA512 | d9e4648f53fbcf62c56377010ecdf25f060d2f2ffe111332f296b5548770599730f27101c7b6a92ba88cae3215cc26c0ec1819b38be51631cd848704ca8435b3 |
C:\Windows\System\YwewYjH.exe
| MD5 | 636f50dcae58cf7c2bf89604ff01266a |
| SHA1 | 16c9357427b1d2537059432bb052fa8939cf22c9 |
| SHA256 | 87ae84190c696c8d33b0c356bcaaeb7ccb4a516f840fd211b2f40474e1487225 |
| SHA512 | eaeb95ae636bc21e3686fe3fdb08867d5b208b3854d2c3e63d10796e8194f8554646f24d12db831a4a818bd4a971dd06f6eaa8aba731d66609ceec44295c5e15 |
C:\Windows\System\SXGEmJR.exe
| MD5 | 6230a4fef1700e829a4c390de96daa1e |
| SHA1 | 9076bd17cb2bc0a4931db1741d03237fc8f7c095 |
| SHA256 | d502f5989ba94787c1ec020ac34476d040a2b94ec1d1f4e6d66d84afcaf06994 |
| SHA512 | e59596186575c2164358f489bcfdcc2b15b5ad6594b046d69343dfc6294b1f8df9d2d7d7f166d59dcf06c97f382acc31f89e87ea965b7e98c11899c34e217ff4 |
memory/1540-74-0x00007FF624660000-0x00007FF6249B4000-memory.dmp
memory/2156-66-0x00007FF6BD4D0000-0x00007FF6BD824000-memory.dmp
memory/4748-78-0x00007FF608990000-0x00007FF608CE4000-memory.dmp
memory/1072-89-0x00007FF630D10000-0x00007FF631064000-memory.dmp
C:\Windows\System\JbjWIrJ.exe
| MD5 | eb203f1b5899e30bd2070330107ad03a |
| SHA1 | f6dce1eab40fffcdcc7e07e94094cf6bda605742 |
| SHA256 | 90366d1a96eeb1f8dcea4977a2ebfd3122d451f1f758afaba42788c8e801a723 |
| SHA512 | 409b31a3be7d90fdf199f7e7c51976d1724260caa74d4b210bc5ec036398db83aaac30e28263b2b7f5a0eedf77fb4e3e9f0c1025c5b12c66500a4389e9425b00 |
memory/1892-81-0x00007FF697B40000-0x00007FF697E94000-memory.dmp
C:\Windows\System\FyyxCGa.exe
| MD5 | e852bb0912c7b12bc79f76dee36a53c2 |
| SHA1 | 49bcde9b6033c9828a58bff08837693c3a49e08f |
| SHA256 | d281609c3ad3a507874332f67a653c6a2d9e036d85d83a836f04cb2c16b5ca95 |
| SHA512 | 2f53f958d3ef1aea01a5101ca31536258fe6daca52c6803f13379c1bf8356847c3484b15f0249945dea17ed82ec05e45965cdfd2cb8948391ef68e629c567e0f |
C:\Windows\System\fcPstCQ.exe
| MD5 | 4d4f7d5b365a17301c47e1e8b3960b59 |
| SHA1 | f0ff9b8decd75497749b86c2c3f9f75bfa6bbd8c |
| SHA256 | 5364e16c94f2e388e37fcf072685dca4440c229f3ff17cd9eadba432bbc1f8dc |
| SHA512 | 1e26f68d16d7457b5b4a3f0e1fa482d7317d16afee898a14b35985a63e3941e9b03a26715485f370a1adbb465571d3580930342b5789eeca26735c408e0a9192 |
memory/4496-105-0x00007FF76B640000-0x00007FF76B994000-memory.dmp
C:\Windows\System\LEwugOy.exe
| MD5 | 884fcf3cc9731e0c8b49a188319860d3 |
| SHA1 | ff4b16a28130366cdb4cc0a1923ffbbd60ac3d04 |
| SHA256 | 442b3749dd8b2f86cae0e5aa01666d1b3239d95107700431d5ee48765fde0ef7 |
| SHA512 | 16a9a5ad2d99d8d7f036197f67a0b37cd6fa8761d571c3424d992ca90abd2d04eda6fcb2ac55cd3f2f513ee0d48393c2432acde656ac4c1f609bbfa6cc9ea03d |
memory/2628-125-0x00007FF718A90000-0x00007FF718DE4000-memory.dmp
memory/4388-129-0x00007FF6A2EB0000-0x00007FF6A3204000-memory.dmp
memory/4936-131-0x00007FF61DB60000-0x00007FF61DEB4000-memory.dmp
memory/1556-130-0x00007FF7FA930000-0x00007FF7FAC84000-memory.dmp
C:\Windows\System\wBrUelX.exe
| MD5 | 089d30d565b23e8f997412f7cd8932f8 |
| SHA1 | c29444e60225440e9eff2e2d9e9dafceba0b2c5a |
| SHA256 | 3f0afd9dc910925d0a10a6062cbcd839fd40124282506a5409a99398d849b4ec |
| SHA512 | aaae63eb6df8fc4634c5323182bb00563ea8f3fbcd02e14ddd46460b37e581c260df8d8b789dc202b74d3850197b9ca061e6a4a67bffc729d22e03b4b806313b |
C:\Windows\System\kNuAbWN.exe
| MD5 | 148a0ba4f4023fac7c643a6dcdf772d8 |
| SHA1 | b35731264ee637f5a4d56ce7dfd3b6b7ba4b0b49 |
| SHA256 | 58c9d3cdf3b8e6317fafda273e0f2aecbd618944017013b3140b8810082d66f3 |
| SHA512 | 21e8662414170fa4cf5db21884b3dd5df4316f45a6ea387b9dea07b592446a6fbdd3d4a511f7bcae494325ff0d031d7f9925ec97edb88b3d08b87916982ca823 |
memory/2820-126-0x00007FF65A5D0000-0x00007FF65A924000-memory.dmp
memory/3464-124-0x00007FF6F6460000-0x00007FF6F67B4000-memory.dmp
memory/2904-123-0x00007FF6557A0000-0x00007FF655AF4000-memory.dmp
C:\Windows\System\jlDvkad.exe
| MD5 | a24c56a321914ff835139021434016ad |
| SHA1 | dc461d3f45d82c889e065b3d926b7fe2f610e312 |
| SHA256 | a5a2c2fcb7474e75a8598f3579ee12ddcd1fadc2a5b8816187945975da9c429a |
| SHA512 | 2c69e426a86d076dacedf1da95396568093e98aefde58aa95c942efc83e05e6c833617462c9ac212f65d3708927d6d2081bbeb1f1a33a7069428d45a41116c2c |
memory/4644-118-0x00007FF6C3EB0000-0x00007FF6C4204000-memory.dmp
memory/3104-116-0x00007FF60DA10000-0x00007FF60DD64000-memory.dmp
C:\Windows\System\otvcvRR.exe
| MD5 | 5a0f670147aa9df73d858906dcf0e292 |
| SHA1 | 34c37ce9c72c6bd0a28c6da72b19745b47a3858f |
| SHA256 | bec43893ceac3030fd89b8805c2d70b06013f7c3d702f4aa6c9dc8eae93e39dc |
| SHA512 | 6c08f8199f176d4ec5fafacad13c7dc2bedb33503e6eabb40561193ae49f41222abc8f99cdb31e9acc5f53aa072d9584e374fdd04b3c9c27d274c18c1a7a816d |
memory/2924-101-0x00007FF74E050000-0x00007FF74E3A4000-memory.dmp
memory/2084-96-0x00007FF788660000-0x00007FF7889B4000-memory.dmp
memory/2380-92-0x00007FF795880000-0x00007FF795BD4000-memory.dmp
memory/3016-136-0x00007FF78B3F0000-0x00007FF78B744000-memory.dmp
memory/3572-135-0x00007FF702450000-0x00007FF7027A4000-memory.dmp
memory/3508-137-0x00007FF65BC80000-0x00007FF65BFD4000-memory.dmp
memory/2156-138-0x00007FF6BD4D0000-0x00007FF6BD824000-memory.dmp
memory/1540-139-0x00007FF624660000-0x00007FF6249B4000-memory.dmp
memory/1892-140-0x00007FF697B40000-0x00007FF697E94000-memory.dmp
memory/2924-141-0x00007FF74E050000-0x00007FF74E3A4000-memory.dmp
memory/2084-142-0x00007FF788660000-0x00007FF7889B4000-memory.dmp
memory/3104-143-0x00007FF60DA10000-0x00007FF60DD64000-memory.dmp
memory/2628-144-0x00007FF718A90000-0x00007FF718DE4000-memory.dmp
memory/4388-145-0x00007FF6A2EB0000-0x00007FF6A3204000-memory.dmp
memory/4936-146-0x00007FF61DB60000-0x00007FF61DEB4000-memory.dmp
memory/4596-147-0x00007FF7383B0000-0x00007FF738704000-memory.dmp
memory/1072-148-0x00007FF630D10000-0x00007FF631064000-memory.dmp
memory/4496-149-0x00007FF76B640000-0x00007FF76B994000-memory.dmp
memory/4644-150-0x00007FF6C3EB0000-0x00007FF6C4204000-memory.dmp
memory/1556-151-0x00007FF7FA930000-0x00007FF7FAC84000-memory.dmp
memory/3572-152-0x00007FF702450000-0x00007FF7027A4000-memory.dmp
memory/2904-153-0x00007FF6557A0000-0x00007FF655AF4000-memory.dmp
memory/3464-154-0x00007FF6F6460000-0x00007FF6F67B4000-memory.dmp
memory/3016-155-0x00007FF78B3F0000-0x00007FF78B744000-memory.dmp
memory/3508-156-0x00007FF65BC80000-0x00007FF65BFD4000-memory.dmp
memory/2156-157-0x00007FF6BD4D0000-0x00007FF6BD824000-memory.dmp
memory/1540-158-0x00007FF624660000-0x00007FF6249B4000-memory.dmp
memory/1892-159-0x00007FF697B40000-0x00007FF697E94000-memory.dmp
memory/2380-160-0x00007FF795880000-0x00007FF795BD4000-memory.dmp
memory/2084-161-0x00007FF788660000-0x00007FF7889B4000-memory.dmp
memory/2924-162-0x00007FF74E050000-0x00007FF74E3A4000-memory.dmp
memory/2820-163-0x00007FF65A5D0000-0x00007FF65A924000-memory.dmp
memory/3104-164-0x00007FF60DA10000-0x00007FF60DD64000-memory.dmp
memory/4388-165-0x00007FF6A2EB0000-0x00007FF6A3204000-memory.dmp
memory/4936-166-0x00007FF61DB60000-0x00007FF61DEB4000-memory.dmp
memory/2628-167-0x00007FF718A90000-0x00007FF718DE4000-memory.dmp