Analysis Overview
SHA256
526894f7a28e9b70adecbb468844df42b7e50e76686332ba7bb1412344e1105f
Threat Level: Known bad
The file 2024-06-11_88d2586582ea92d3102a7c1329812e1e_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Detects Reflective DLL injection artifacts
Cobaltstrike
XMRig Miner payload
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
xmrig
Cobaltstrike family
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-11 20:44
Signatures
Cobalt Strike reflective loader
1 hit; no description, indicator, process or target recorded.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 hit; no description, indicator, process or target recorded.
UPX dump on OEP (original entry point)
1 hit; no description, indicator, process or target recorded.
XMRig Miner payload
1 hit; no description, indicator, process or target recorded.
Xmrig family
UPX packed file
1 hit; no description, indicator, process or target recorded.
Unsigned PE
1 hit; no description, indicator, process or target recorded.
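The two static findings that need no detonation, "UPX packed file" and "Unsigned PE", come straight from the PE headers: UPX leaves its section names in place, and an executable with no Authenticode blob has a zero-sized security data directory. The code below is an added example, not code from the report or from the sandbox that produced it. It parses just enough of a PE32 or PE32+ header to run those checks plus a per-section entropy measurement, and it builds a synthetic image in memory to run them on; that image, the 7.0 entropy threshold and the section names are the example's own constructions, not the sample from this page.

```python
"""Static triage of a PE: UPX-style section names, Authenticode presence, section
entropy. Added example; the image built by build_synthetic_upx_pe() is constructed
for the demo and is not the sample analysed in the report."""
import math
import random
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4   # index of the Authenticode data directory
HIGH_ENTROPY = 7.0                    # example threshold; packed/encrypted data sits near 8.0


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 (constant) to 8.0 (uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(buf: bytes) -> dict:
    """Read just enough of the headers for the checks below (PE32 and PE32+)."""
    if buf[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe = struct.unpack_from("<I", buf, 0x3C)[0]          # e_lfanew
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", buf, pe + 6)[0]
    opt_size = struct.unpack_from("<H", buf, pe + 20)[0]
    opt = pe + 24
    magic = struct.unpack_from("<H", buf, opt)[0]
    if magic == 0x20B:                                   # PE32+
        dirs_off, ndirs_off = 112, 108
    elif magic == 0x10B:                                 # PE32
        dirs_off, ndirs_off = 96, 92
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    ndirs = struct.unpack_from("<I", buf, opt + ndirs_off)[0]
    security_size = 0
    if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY:
        _, security_size = struct.unpack_from(
            "<II", buf, opt + dirs_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    table = opt + opt_size
    for i in range(nsec):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", buf, table + 40 * i)
        raw = buf[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"),
                         "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2)})
    return {"magic": magic, "security_dir_size": security_size, "sections": sections}


def triage(buf: bytes) -> dict:
    """The static findings the report lists, derived from the headers alone."""
    info = parse_pe(buf)
    return {
        "upx_sections": [s["name"] for s in info["sections"] if s["name"].upper().startswith("UPX")],
        "high_entropy_sections": [s["name"] for s in info["sections"] if s["entropy"] >= HIGH_ENTROPY],
        # Size 0 means no WIN_CERTIFICATE blob at all; a non-zero size still needs chain validation.
        "signed": info["security_dir_size"] > 0,
    }


def build_synthetic_upx_pe(seed: int = 1) -> bytes:
    """Constructed PE32+ with UPX0/UPX1/UPX2 sections and an empty security directory."""
    rng = random.Random(seed)
    packed = bytes(rng.getrandbits(8) for _ in range(4096))  # stands in for the compressed payload
    stub = b"\x90" * 512                                     # stands in for the unpacker stub
    file_align = 0x200
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)        # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 240, 0x22)
    opt = struct.pack("<HBBIIIIIQIIHHHHHHIIIIHHQQQQII",
                      0x20B, 0, 0, len(packed), 0, 0, 0x2000, 0x1000, 0x140000000,
                      0x1000, file_align, 6, 0, 0, 0, 6, 0, 0, 0x4000, file_align, 0, 3, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128  # 16 empty directories
    secs = b"".join(struct.pack("<8sIIIIIIHHI", name, vsize, va, len(raw), ptr, 0, 0, 0, 0, flags)
                    for name, vsize, va, raw, ptr, flags in (
                        (b"UPX0", 0x1000, 0x1000, b"", 0, 0xE0000080),
                        (b"UPX1", 0x1000, 0x2000, packed, file_align, 0xE0000040),
                        (b"UPX2", 0x1000, 0x3000, stub, file_align + len(packed), 0xC0000040)))
    headers = dos + b"PE\0\0" + coff + opt + secs
    return headers.ljust(file_align, b"\0") + packed + stub
```

Two caveats when using this outside the demo. A packer only has to rename its sections to defeat the name check, so the entropy column is the more durable signal, and the behavioral "UPX dump on OEP" hit (the sandbox dumping memory once the stub has unpacked and jumped to the original entry point) is what actually recovers the payload. And a non-empty security directory only says a signature blob is attached; it says nothing about whether the chain validates or whether the signer is one you trust.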
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 20:44
Reported
2024-06-11 20:47
Platform
win7-20240508-en
Max time kernel
135s
Max time network
144s
Signatures
Cobalt Strike reflective loader
21 hits; no description, indicator, process or target recorded for any of them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits; no description, indicator, process or target recorded for any of them.
UPX dump on OEP (original entry point)
52 hits; no description, indicator, process or target recorded for any of them.
XMRig Miner payload
56 hits; no description, indicator, process or target recorded for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\aOuHJyJ.exe | N/A |
| N/A | N/A | C:\Windows\System\VxhxdTi.exe | N/A |
| N/A | N/A | C:\Windows\System\yyGARqL.exe | N/A |
| N/A | N/A | C:\Windows\System\mMZqvCY.exe | N/A |
| N/A | N/A | C:\Windows\System\GBeVnGH.exe | N/A |
| N/A | N/A | C:\Windows\System\uhLqJQs.exe | N/A |
| N/A | N/A | C:\Windows\System\JxSOVyF.exe | N/A |
| N/A | N/A | C:\Windows\System\LjvBfHZ.exe | N/A |
| N/A | N/A | C:\Windows\System\kgZojWE.exe | N/A |
| N/A | N/A | C:\Windows\System\ydHSLZw.exe | N/A |
| N/A | N/A | C:\Windows\System\bIOjEcs.exe | N/A |
| N/A | N/A | C:\Windows\System\LkvOZDM.exe | N/A |
| N/A | N/A | C:\Windows\System\LALWsbz.exe | N/A |
| N/A | N/A | C:\Windows\System\AXnrXXs.exe | N/A |
| N/A | N/A | C:\Windows\System\kamtwrO.exe | N/A |
| N/A | N/A | C:\Windows\System\gbulHPG.exe | N/A |
| N/A | N/A | C:\Windows\System\DoOIIGJ.exe | N/A |
| N/A | N/A | C:\Windows\System\DMNfqRx.exe | N/A |
| N/A | N/A | C:\Windows\System\FbjyKUI.exe | N/A |
| N/A | N/A | C:\Windows\System\WarIUep.exe | N/A |
| N/A | N/A | C:\Windows\System\nDwrTOs.exe | N/A |
Loads dropped DLL
UPX packed file
52 hits; no description, indicator, process or target recorded for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_88d2586582ea92d3102a7c1329812e1e_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_88d2586582ea92d3102a7c1329812e1e_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-11_88d2586582ea92d3102a7c1329812e1e_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-11_88d2586582ea92d3102a7c1329812e1e_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\aOuHJyJ.exe | C:\Windows\System\aOuHJyJ.exe |
| C:\Windows\System\VxhxdTi.exe | C:\Windows\System\VxhxdTi.exe |
| C:\Windows\System\yyGARqL.exe | C:\Windows\System\yyGARqL.exe |
| C:\Windows\System\mMZqvCY.exe | C:\Windows\System\mMZqvCY.exe |
| C:\Windows\System\GBeVnGH.exe | C:\Windows\System\GBeVnGH.exe |
| C:\Windows\System\uhLqJQs.exe | C:\Windows\System\uhLqJQs.exe |
| C:\Windows\System\JxSOVyF.exe | C:\Windows\System\JxSOVyF.exe |
| C:\Windows\System\LjvBfHZ.exe | C:\Windows\System\LjvBfHZ.exe |
| C:\Windows\System\kgZojWE.exe | C:\Windows\System\kgZojWE.exe |
| C:\Windows\System\ydHSLZw.exe | C:\Windows\System\ydHSLZw.exe |
| C:\Windows\System\bIOjEcs.exe | C:\Windows\System\bIOjEcs.exe |
| C:\Windows\System\LkvOZDM.exe | C:\Windows\System\LkvOZDM.exe |
| C:\Windows\System\LALWsbz.exe | C:\Windows\System\LALWsbz.exe |
| C:\Windows\System\AXnrXXs.exe | C:\Windows\System\AXnrXXs.exe |
| C:\Windows\System\kamtwrO.exe | C:\Windows\System\kamtwrO.exe |
| C:\Windows\System\gbulHPG.exe | C:\Windows\System\gbulHPG.exe |
| C:\Windows\System\DoOIIGJ.exe | C:\Windows\System\DoOIIGJ.exe |
| C:\Windows\System\DMNfqRx.exe | C:\Windows\System\DMNfqRx.exe |
| C:\Windows\System\FbjyKUI.exe | C:\Windows\System\FbjyKUI.exe |
| C:\Windows\System\WarIUep.exe | C:\Windows\System\WarIUep.exe |
| C:\Windows\System\nDwrTOs.exe | C:\Windows\System\nDwrTOs.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Six identical connections to this endpoint were logged; the Domain column is empty for all of them.
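The behavioral sections above give a detection engineer three concrete, low-noise signals: executables launched from C:\Windows\System\ (not System32) with seven-letter mixed-case names by a parent running out of the user's Temp directory, SeLockMemoryPrivilege being enabled (the "lock pages in memory" right that XMRig requests for large pages), and repeated TCP connections to 3.120.209.58:8080. The following is an added example of turning those signals into hunting logic; it is not code from the report or from the sandbox. The event records are constructed in a normalised EDR-style shape (the pids, the svchost/sqlservr noise rows and the 192.0.2.10 address are illustrative), the allow-list for SeLockMemoryPrivilege holders is an assumed site policy, and treating the reported endpoint as a block-list entry is the example's own choice.

```python
"""Hunting logic for the behaviour recorded above (dropped executables in
C:\\Windows\\System, SeLockMemoryPrivilege, the 3.120.209.58:8080 endpoint).
Added example; SAMPLE_EVENTS are constructed records, not sandbox telemetry."""
import re

# Dropped files in the report: C:\Windows\System\ (not System32) plus a 7-letter mixed-case name.
DROPPED_EXE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
TEMP_PARENT = re.compile(r"^C:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Endpoint from the report's Network table, treated here as a block-list entry (assumption).
KNOWN_BAD_ENDPOINTS = {("3.120.209.58", 8080)}
# Large-page privilege that XMRig enables; legitimate holders exist, hence the assumed allow-list.
MINER_PRIVILEGES = {"SeLockMemoryPrivilege"}
ALLOWED_LOCK_MEMORY = {r"c:\program files\microsoft sql server\mssql\binn\sqlservr.exe"}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-11_88d2586582ea92d3102a7c1329812e1e_cobalt-strike_cobaltstrike.exe"
# Constructed events; pids are illustrative and not taken from the report.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2880, "image": SAMPLE, "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "privilege_adjust", "pid": 2880, "image": SAMPLE, "enabled": ["SeLockMemoryPrivilege"]},
    {"type": "process_create", "pid": 1212, "image": r"C:\Windows\System\aOuHJyJ.exe", "parent_image": SAMPLE},
    {"type": "process_create", "pid": 2620, "image": r"C:\Windows\System\VxhxdTi.exe", "parent_image": SAMPLE},
    {"type": "network_connect", "pid": 2880, "image": SAMPLE, "dst_ip": "3.120.209.58", "dst_port": 8080, "proto": "tcp"},
    # Benign noise that must stay quiet:
    {"type": "process_create", "pid": 4000, "image": r"C:\Windows\System32\svchost.exe", "parent_image": r"C:\Windows\System32\services.exe"},
    {"type": "privilege_adjust", "pid": 500, "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe", "enabled": ["SeLockMemoryPrivilege"]},
    {"type": "network_connect", "pid": 4000, "image": r"C:\Windows\System32\svchost.exe", "dst_ip": "192.0.2.10", "dst_port": 80, "proto": "tcp"},
]


def rule_dropped_exe(ev):
    """Executable launched from C:\\Windows\\System\\ by a parent running out of %TEMP%."""
    if ev["type"] == "process_create" and DROPPED_EXE.match(ev["image"]) and TEMP_PARENT.match(ev["parent_image"]):
        return {"rule": "dropped_exe_in_windows_system", "severity": "high", "pid": ev["pid"], "evidence": ev["image"]}
    return None


def rule_lock_memory(ev):
    """SeLockMemoryPrivilege enabled by a process outside the allow-list."""
    if ev["type"] != "privilege_adjust" or not MINER_PRIVILEGES.intersection(ev["enabled"]):
        return None
    if ev["image"].lower() in ALLOWED_LOCK_MEMORY:
        return None
    return {"rule": "selockmemory_enabled_by_unknown_process", "severity": "medium", "pid": ev["pid"], "evidence": ev["image"]}


def rule_known_endpoint(ev):
    """Outbound connection to an endpoint seen in the detonation."""
    if ev["type"] == "network_connect" and (ev["dst_ip"], ev["dst_port"]) in KNOWN_BAD_ENDPOINTS:
        return {"rule": "known_bad_endpoint", "severity": "high", "pid": ev["pid"],
                "evidence": f'{ev["dst_ip"]}:{ev["dst_port"]}/{ev["proto"]}'}
    return None


def rule_dropper_chain(events, min_children=2):
    """One parent spawning several freshly dropped executables, as the report's process tree shows."""
    children = {}
    for ev in events:
        if ev["type"] == "process_create" and DROPPED_EXE.match(ev["image"]):
            children.setdefault(ev["parent_image"], []).append(ev["image"])
    return [{"rule": "dropper_chain", "severity": "critical", "pid": None,
             "evidence": f"{parent} spawned {len(kids)} dropped executables"}
            for parent, kids in children.items() if len(kids) >= min_children]


def hunt(events):
    """Run the per-event rules, then the cross-event correlation; return all findings."""
    findings = []
    for ev in events:
        for rule in (rule_dropped_exe, rule_lock_memory, rule_known_endpoint):
            finding = rule(ev)
            if finding:
                findings.append(finding)
    findings.extend(rule_dropper_chain(events))
    return findings
```

The per-event rules are cheap and specific to this sample's habits; the correlation rule is the one worth keeping generic, because a single parent writing and launching many new executables under C:\Windows is unusual regardless of the names it picks. The SeLockMemoryPrivilege rule needs the allow-list: database engines and some virtualisation software hold that right legitimately, so on its own it is a medium-confidence signal that should be paired with process lineage or CPU-usage telemetry before it pages anyone.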
Files
memory/2880-0-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/2880-1-0x000000013FFA0000-0x00000001402F4000-memory.dmp
C:\Windows\system\aOuHJyJ.exe
| MD5 | e9e748c1490b9c2f1e1c89ae1e437666 |
| SHA1 | 09b742d2ec896025271ed50b3742d38efd8f0f74 |
| SHA256 | 6fadf25e13bb60ee23ede91f1f2234fe7961ee5d06ed905f3dd74ce6cce9cbd2 |
| SHA512 | 5dbd68400dca42c1da6b7f50b81e33b85b4f605d1e053281f86c3253297875dbf88034e10b3b099d0a5c5316aec4c3fcff4417ce5828b10cca58225f122f365a |
\Windows\system\yyGARqL.exe
| MD5 | 5b57b7ba6dc5330e293a3f63d27633c3 |
| SHA1 | 76bb8a4e5f3ccd2d3671dae1107cee8d435704ca |
| SHA256 | 54000e6f58e0b7b4b0cdd9ccd1616e05846b2a50902d89c56854c9ff0fa556f4 |
| SHA512 | e57c3b63ce067e0d7fd3065a576c0fa659cc7a92c06e7b3054b300be478e2df089c25e55644f7fdf7192ea0801dd3cb2bf1d3eec09f1c997965d872b4b1f6a1e |
memory/2880-13-0x000000013F150000-0x000000013F4A4000-memory.dmp
memory/1212-18-0x000000013F150000-0x000000013F4A4000-memory.dmp
memory/2700-26-0x000000013F510000-0x000000013F864000-memory.dmp
memory/2880-27-0x0000000002290000-0x00000000025E4000-memory.dmp
C:\Windows\system\GBeVnGH.exe
| MD5 | 822dc3abb884851c376e35f31f8f4c30 |
| SHA1 | 877fdaea89325f69c239298adcca432af89814ce |
| SHA256 | 3b41f55ce8218ebe2eac46bc6902ce0fc3a2a524ae1133926496ebf183473050 |
| SHA512 | ad651963707a64d3bba790f52f878605e018e3a0975a8b88bb35a5582e43fbb178e65afc5c99230137c342591667bc49c319c22e7fce73144b0223d1d8841ea8 |
C:\Windows\system\uhLqJQs.exe
| MD5 | 338c55fbe0d72a9e05bafd0dc724146c |
| SHA1 | c9f46faf993185aa393592c0d34d4b33be9bc995 |
| SHA256 | 9c3b5b0a94ace7ffb419231a7e40ab5fe2635d4e1898a4ad8be53677971f9c33 |
| SHA512 | 4384f16954a1e7c4492f491c64dde96a91e51ecad4002da06a7b8d5db2e42818c9fffb0bbd1f3edb928e35d14c212780b1bacd87323fde07b33f99cc4dd7166a |
C:\Windows\system\ydHSLZw.exe
| MD5 | 46d1ad3d8b733cdfe48cb35049c8dad1 |
| SHA1 | 8fd3929b047619bab818a5ebb2be29ecc41c0e7e |
| SHA256 | c3cfcf9c1b4d44b9eb72ef92931fe660e5af511ea6936a367f5b4cd730f5396b |
| SHA512 | faf01798171f93a12ada0bc0ad625ff934e7c943eb1e42a87ffbcf1ddf7764c3150449cb922ce776e3402750f44dcbbcc92fc7f298abe48cc137a91acc127f17 |
C:\Windows\system\WarIUep.exe
| MD5 | ea6a2ed2973aaa66a80cb59fc2db16ed |
| SHA1 | a7bff63801f06ea8da931707505b40ac0bd8097c |
| SHA256 | 89a6e82bb62fdd88c95916fe71367fc4521c73f98718490da8c7e2aaba9e6e2d |
| SHA512 | 4793edde5ec2268e4f25141a543bfbd4ff11db55db987facf260d1c1f7c6a74da5aee5f935efcb35fc9837da9c5cd24be9d9ff05a05f0c04b84fcfbb13e47807 |
C:\Windows\system\nDwrTOs.exe
| MD5 | c6839ae50d1a52a504cfd325fabcf478 |
| SHA1 | 7eac4074f30d74dba0c2e2354ba60083e64fa805 |
| SHA256 | 9a5b9e5a48ea9ce1b95b2469525c28dc053eeef6415571e99baded6744a23a12 |
| SHA512 | 61c9680c2a65769ff91c47fcffded60ed188ea2934cb8df4ecaa4525fb089fdff57fda5e04bfdc962062209c6307f741bfc3de7e3cbb9c1765ad4c68442746c6 |
memory/2880-115-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/2880-123-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2880-129-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/2712-133-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2880-132-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/1028-131-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/860-130-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/3012-128-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2880-127-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/2584-126-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2880-125-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/2516-124-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2676-122-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2880-121-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2696-120-0x000000013FA60000-0x000000013FDB4000-memory.dmp
memory/2880-119-0x000000013FA60000-0x000000013FDB4000-memory.dmp
memory/2548-118-0x000000013FD20000-0x0000000140074000-memory.dmp
memory/2880-117-0x0000000002290000-0x00000000025E4000-memory.dmp
memory/2888-116-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/2664-114-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/2880-113-0x0000000002290000-0x00000000025E4000-memory.dmp
C:\Windows\system\FbjyKUI.exe
| MD5 | d839d6c417dcabd56c236fed23815b0b |
| SHA1 | 4d92a15a090792c2482a80b6b86d28e8e4e655b6 |
| SHA256 | a38b936fb5aa53e8c864e76b11c5b6ea40b37f35088517bade22494bf5521bf1 |
| SHA512 | 75a43a93e51cee32aa593b8039cbe5c7beca81031efa30901a31f1d6494fa22b89c466d0de049dbb75c0aed71f79ce15f325aced4622afdf5b921d6756cb4daa |
C:\Windows\system\DMNfqRx.exe
| MD5 | 7e131e786848d38c66776d7d49cf2781 |
| SHA1 | 0f1bdeba36cf53b60ae71ef34582bc2908376a44 |
| SHA256 | e5eadfe6314371ad94ee96ee1354dbe51673f4f3aef5a67fc0d49aed04a50b45 |
| SHA512 | 562c19a2951b63722aac5d7ff02e101f6a93c6099cea9457300b56a289d1405296b4f7649ae3b4c7ab40ee45aaef2f4285dccd42a43b9c7e5e74909ca492db94 |
C:\Windows\system\DoOIIGJ.exe
| MD5 | 39d5c2c83e0e64152b21dcefcf2d27eb |
| SHA1 | 0ca7e887ec6b7678a17991226c6d510e74657b22 |
| SHA256 | 6865f1bdd3844b6490738a7d1b8c5114e6f94d7736380f3bba641728fddca0cd |
| SHA512 | cb53eeb837b8cca05b29c1e2adebc08de3c68b1c744f57537403db49cae5c25d10adec0d4c2701d7791afe0d7aa69638889fb1bf5e3cdc319a2d5d2211f26fbd |
C:\Windows\system\gbulHPG.exe
| MD5 | a51a990d146cd291814ac293cf21fd89 |
| SHA1 | 21422879d33b646a502d9fb99a848b118a340eb5 |
| SHA256 | 5cd56b62600459dd2743e09d74301d12a63d958cf326e8960cd710621b76c3d1 |
| SHA512 | 6ffdf12f6ea259bf2f058b9f7d6fb478dc457aeb1fc8894999fdd56601567689cfb97d3bad24be3d6c1f098ff46d45fae63f0b267778337b42045e739050d291 |
C:\Windows\system\kamtwrO.exe
| MD5 | abc1a63d9d9b22e861fd9ba385c72637 |
| SHA1 | 5043affb3d2a68b800851eda9a20daa22554b541 |
| SHA256 | 7bb51b51a017816a15a4e6903b9dc4f361ced594755caf454f030025edb96b12 |
| SHA512 | f20952857187fc2c66e1cc9b2c555a06dba8a0968a60e894c07c6d561e77f9654d5882f32141de2122a5b01198317f246963d38af79b4b447750ded6e3eb41c3 |
C:\Windows\system\AXnrXXs.exe
| MD5 | 9311b7be7c896d4e4af7e58d31b86e00 |
| SHA1 | 5598089dfcdcf89caed13200da8d740fca8bbacd |
| SHA256 | 5b77ff26034c4a15ae90ad8ef18c23c0392541fa7476e7ca858b265250df1ccf |
| SHA512 | dbf368b797dde7c0b2242b1168bf50d9750fe2843e417643a621d7c8b876cf81f01869519ad81f3717234f3cacf20319760800481b7a5058a79e3fcc06bb2964 |
C:\Windows\system\LALWsbz.exe
| MD5 | f6fac150843c7d73a58401eb51da5d9a |
| SHA1 | a0696128f98fe5e53911c76b63c719602ea95c7d |
| SHA256 | d68ab1022a466edbcb09c3cc6876837c554830c1c9d216169c0804944c220607 |
| SHA512 | fba9ff4425ad5b3a3afefa6599f3cd89509a3f9b68685ff65fa0f88a6c96f32b65a0044d2de70331b99e25b8e90076140b2697943a05f0eb05299d4a11ccafa6 |
C:\Windows\system\LkvOZDM.exe
| MD5 | f8c95a8af2b2a29d2bd67fe723f05f4a |
| SHA1 | 50da74547a7b49a8cb1d76cb3e9206858572a2ee |
| SHA256 | 0aa08c6371a72649ce471ef6b506220384f0b048723a5d25effec8481f90eacd |
| SHA512 | 134c0f470f0dde687f5e3c4974f42d9696cfb80cc979a7e18bd3d6ee9378af20547030fb070b2d23ca582122e56e8f59e5b73e0d74b5222791aff33a55d2810a |
C:\Windows\system\bIOjEcs.exe
| MD5 | 52c6ef4c2df1cd4a3550fb901ceef235 |
| SHA1 | 4954979e6bea71bfb5998ef45e374f60795a0947 |
| SHA256 | d6901280c734aa583b23ced6696f7c46dad3010896ed0af6c92f713bad79ea7c |
| SHA512 | e57b1e285aabd26e6210dd417c2bc7b0ffed4a500db1f8ef4a5539c53936f95a875a12638de524fbf5b7e7b126c66d96e3201f745601599108299611e2805786 |
C:\Windows\system\kgZojWE.exe
| MD5 | d183a861cf969d29b5369f8a540b7dbc |
| SHA1 | 2b17c9ac729fa65772ee54eda8869a69f143a973 |
| SHA256 | 5cdd5f6740e33272a38ef23cbe724b0c6aa7db7104235f86064dab858ab6ae53 |
| SHA512 | 3f51b48d6a6921bdd485f7edaab789533038f715d6acb456837836de6520e442bd30b828b5c6ca7e8a14be827b40c159d28675029f94f4f7091becbf219d31ae |
C:\Windows\system\LjvBfHZ.exe
| MD5 | c994ee438ab72cbf339346d06675fe76 |
| SHA1 | 38791d449794886bf7e740393917511114cdeffb |
| SHA256 | 15643527c48e86e6e6f2f9ea0c234bd78fb3c274dd37f9b527a105a01c04903f |
| SHA512 | 2562edd509a683c2d061aab325e288f9f91c74348448c903ba4848a7f71a7696970da4a90bb8b762ba126f1b8aa055930cfeb28ef0f5ffa737e48b8361df0d81 |
C:\Windows\system\JxSOVyF.exe
| MD5 | 7b97d1c26542745e7d99fd2408200532 |
| SHA1 | fa321b21e4f5154de1ab3012e9bc690232c4f3b7 |
| SHA256 | 746256e752320b33614e71fdb5badd18c7af76854a22017948ed07d1ce27ee2f |
| SHA512 | c96ce1f60ab040e94b9e65d3df17c902edc567517244556c99e2268e5619fd3aabf98031908c1ab3d9dff41d0249a9d185624db665a8f0135c367aec13fe6e04 |
C:\Windows\system\mMZqvCY.exe
| MD5 | b6c70f4e7688fddd7d0c0c528190be67 |
| SHA1 | 26106bcd24d6fb6e55882e011f65b46ba5f10dd0 |
| SHA256 | 78f63e6fe2608277b9ffdde3d961b71e103696b8ef854a03663fa55ac9ca7712 |
| SHA512 | e82709f79a044038bc051431ad25ca63b3fa0b6631a7a008171020daf98aaf13f15de51a956c1a9bd412031a86b08b3ddef33e207d7d8dda0062e4f9a4ca7bf6 |
memory/2880-24-0x000000013F510000-0x000000013F864000-memory.dmp
memory/2620-21-0x000000013FEA0000-0x00000001401F4000-memory.dmp
C:\Windows\system\VxhxdTi.exe
| MD5 | fda9b1c45cfb93439ebdbeeea0019c3a |
| SHA1 | 6a8f980bdcba28300388a92820be0031f6e3e7d1 |
| SHA256 | 1086a4b4b95293f12f912cc914ef36860d7ca7a32a4f1e80bfd866faf33e22d5 |
| SHA512 | caa2ae556ecfe3f7e94779c1edbfad76d6ff9dff95848cfd73cfe0c0b789d5ef922f001c2ff5293775a862e5fed43d2389c29e7cf465cdfdefefe748f020877d |
memory/2880-134-0x000000013FFA0000-0x00000001402F4000-memory.dmp
memory/2620-135-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2700-137-0x000000013F510000-0x000000013F864000-memory.dmp
memory/1212-136-0x000000013F150000-0x000000013F4A4000-memory.dmp
memory/2620-138-0x000000013FEA0000-0x00000001401F4000-memory.dmp
memory/2712-139-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2664-140-0x000000013FD80000-0x00000001400D4000-memory.dmp
memory/2888-141-0x000000013F1A0000-0x000000013F4F4000-memory.dmp
memory/2548-142-0x000000013FD20000-0x0000000140074000-memory.dmp
memory/2696-143-0x000000013FA60000-0x000000013FDB4000-memory.dmp
memory/2676-144-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2516-145-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2584-146-0x000000013F570000-0x000000013F8C4000-memory.dmp
memory/3012-147-0x000000013F050000-0x000000013F3A4000-memory.dmp
memory/1028-148-0x000000013FE10000-0x0000000140164000-memory.dmp
memory/860-149-0x000000013FC30000-0x000000013FF84000-memory.dmp
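The memory-dump names in this Files list encode the process id, a sequence number and the start and end address of each region the sandbox dumped, which makes them worth parsing rather than reading by eye: every region apart from the first 64 KiB one is exactly 0x354000 bytes, and the same address ranges recur in the parent and in individual children. The code below is an added example, not part of the report or the sandbox; it takes a subset of the dump names from this page as input, and the grouping and naming of the checks are the example's own.

```python
"""Parse the memory-dump names above into (pid, start, end, size) and look for the
same region across processes. Added example; REPORT_DUMPS is a subset of the dump
names from this report and the grouping logic is the example's own."""
import re
from collections import defaultdict

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

REPORT_DUMPS = [
    "memory/2880-0-0x00000000000F0000-0x0000000000100000-memory.dmp",
    "memory/2880-1-0x000000013FFA0000-0x00000001402F4000-memory.dmp",
    "memory/2880-13-0x000000013F150000-0x000000013F4A4000-memory.dmp",
    "memory/1212-18-0x000000013F150000-0x000000013F4A4000-memory.dmp",
    "memory/2620-21-0x000000013FEA0000-0x00000001401F4000-memory.dmp",
    "memory/2880-24-0x000000013F510000-0x000000013F864000-memory.dmp",
    "memory/2700-26-0x000000013F510000-0x000000013F864000-memory.dmp",
    "memory/2880-27-0x0000000002290000-0x00000000025E4000-memory.dmp",
]


def parse_dump(name: str) -> dict:
    """Split one dump name into pid, sequence number, start, end and size."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def region_sizes(names) -> dict:
    """size -> sorted distinct pids that had a region of exactly that size."""
    out = defaultdict(set)
    for d in map(parse_dump, names):
        out[d["size"]].add(d["pid"])
    return {size: sorted(pids) for size, pids in out.items()}


def shared_regions(names) -> dict:
    """(start, end) -> sorted pids, for ranges dumped at the same address in more than one process."""
    out = defaultdict(set)
    for d in map(parse_dump, names):
        out[(d["start"], d["end"])].add(d["pid"])
    return {k: sorted(v) for k, v in out.items() if len(v) > 1}


def regions_for(names, pid: int, size: int) -> list:
    """Sorted start addresses of every region of the given size in one process."""
    return sorted({d["start"] for d in map(parse_dump, names) if d["pid"] == pid and d["size"] == size})


def report(names) -> str:
    """Human-readable summary of the two groupings."""
    lines = []
    for size, pids in sorted(region_sizes(names).items()):
        lines.append(f"size {size:#x} ({size // 1024} KiB): pids {pids}")
    for (start, end), pids in sorted(shared_regions(names).items()):
        lines.append(f"{start:#x}-{end:#x} present in pids {pids}")
    return "\n".join(lines)
```

On the subset above the output shows a 0x354000-byte region in every listed pid, the same range (for instance 0x13F150000-0x13F4A4000) present in both pid 2880 and pid 1212, and four 0x354000-byte regions in pid 2880 alone, one of them at 0x2290000 rather than at an image base. Read alongside the "Suspicious use of WriteProcessMemory" and "Detects Reflective DLL injection artifacts" hits, that is the pattern to take into the dumps themselves: compare the parent's copy at 0x2290000 with the child's region at its base and with the dropped file on disk, since the report records the regions but not which process wrote them.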
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 20:44
Reported
2024-06-11 20:47
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
148s
Signatures
Cobalt Strike reflective loader
21 hits; no description, indicator, process or target recorded for any of them.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits; no description, indicator, process or target recorded for any of them.
UPX dump on OEP (original entry point)
64 hits; no description, indicator, process or target recorded for any of them.
XMRig Miner payload
64 hits; no description, indicator, process or target recorded for any of them.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\dqOmbZB.exe | N/A |
| N/A | N/A | C:\Windows\System\qoawfuf.exe | N/A |
| N/A | N/A | C:\Windows\System\ZqpfjBO.exe | N/A |
| N/A | N/A | C:\Windows\System\ULDIQeS.exe | N/A |
| N/A | N/A | C:\Windows\System\WcbQJfC.exe | N/A |
| N/A | N/A | C:\Windows\System\xrqeXyE.exe | N/A |
| N/A | N/A | C:\Windows\System\TaPyNfO.exe | N/A |
| N/A | N/A | C:\Windows\System\eygxcJu.exe | N/A |
| N/A | N/A | C:\Windows\System\mJQDPoy.exe | N/A |
| N/A | N/A | C:\Windows\System\SDYjUdZ.exe | N/A |
| N/A | N/A | C:\Windows\System\yUuIzXn.exe | N/A |
| N/A | N/A | C:\Windows\System\LKqwNlD.exe | N/A |
| N/A | N/A | C:\Windows\System\RJbiMht.exe | N/A |
| N/A | N/A | C:\Windows\System\cctWduG.exe | N/A |
| N/A | N/A | C:\Windows\System\jyXirGq.exe | N/A |
| N/A | N/A | C:\Windows\System\pzbqPyJ.exe | N/A |
| N/A | N/A | C:\Windows\System\UpTrmbo.exe | N/A |
| N/A | N/A | C:\Windows\System\IIsmziD.exe | N/A |
| N/A | N/A | C:\Windows\System\yIjLAvZ.exe | N/A |
| N/A | N/A | C:\Windows\System\lKZmRau.exe | N/A |
| N/A | N/A | C:\Windows\System\rwwGbRR.exe | N/A |
UPX packed file
64 hits; no description, indicator, process or target recorded for any of them.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_88d2586582ea92d3102a7c1329812e1e_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_88d2586582ea92d3102a7c1329812e1e_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-11_88d2586582ea92d3102a7c1329812e1e_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-11_88d2586582ea92d3102a7c1329812e1e_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\dqOmbZB.exe | C:\Windows\System\dqOmbZB.exe |
| C:\Windows\System\qoawfuf.exe | C:\Windows\System\qoawfuf.exe |
| C:\Windows\System\ZqpfjBO.exe | C:\Windows\System\ZqpfjBO.exe |
| C:\Windows\System\ULDIQeS.exe | C:\Windows\System\ULDIQeS.exe |
| C:\Windows\System\WcbQJfC.exe | C:\Windows\System\WcbQJfC.exe |
| C:\Windows\System\xrqeXyE.exe | C:\Windows\System\xrqeXyE.exe |
| C:\Windows\System\TaPyNfO.exe | C:\Windows\System\TaPyNfO.exe |
| C:\Windows\System\eygxcJu.exe | C:\Windows\System\eygxcJu.exe |
| C:\Windows\System\mJQDPoy.exe | C:\Windows\System\mJQDPoy.exe |
| C:\Windows\System\SDYjUdZ.exe | C:\Windows\System\SDYjUdZ.exe |
| C:\Windows\System\yUuIzXn.exe | C:\Windows\System\yUuIzXn.exe |
| C:\Windows\System\LKqwNlD.exe | C:\Windows\System\LKqwNlD.exe |
| C:\Windows\System\RJbiMht.exe | C:\Windows\System\RJbiMht.exe |
| C:\Windows\System\cctWduG.exe | C:\Windows\System\cctWduG.exe |
| C:\Windows\System\jyXirGq.exe | C:\Windows\System\jyXirGq.exe |
| C:\Windows\System\pzbqPyJ.exe | C:\Windows\System\pzbqPyJ.exe |
| C:\Windows\System\UpTrmbo.exe | C:\Windows\System\UpTrmbo.exe |
| C:\Windows\System\IIsmziD.exe | C:\Windows\System\IIsmziD.exe |
| C:\Windows\System\yIjLAvZ.exe | C:\Windows\System\yIjLAvZ.exe |
| C:\Windows\System\lKZmRau.exe | C:\Windows\System\lKZmRau.exe |
| C:\Windows\System\rwwGbRR.exe | C:\Windows\System\rwwGbRR.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Six identical connections to this endpoint were logged; the Domain column is empty for all of them.
Files
memory/4344-0-0x00007FF679860000-0x00007FF679BB4000-memory.dmp
memory/4344-1-0x000001DE68070000-0x000001DE68080000-memory.dmp
C:\Windows\System\dqOmbZB.exe
| MD5 | d5231faad83a050dc489cf80dfc451fb |
| SHA1 | 97686a48cd604bfe4ea0416ee8b93a1e8435164d |
| SHA256 | 7189a07cd90694e356cfa8e282575a2f1eca7ec9737f51a7dca466794204ae8f |
| SHA512 | 6de2f52603177c4c6f774b09894666d52deee17d77d2c778ceca7991d31d522a41b36f78d99515302369d5d885a2d374455a800777247edff34ab98bfcae9cc1 |
memory/4760-8-0x00007FF6F3870000-0x00007FF6F3BC4000-memory.dmp
C:\Windows\System\qoawfuf.exe
| MD5 | 61e2e0b9192b47f0857dd85e3a0f6198 |
| SHA1 | d29557e7097173b6d1aacded01ff87d83124c5c4 |
| SHA256 | 0ec1e7514f3d7469ada5e22bd7373c68d3b78022c8dd093ae985548a33d87a8f |
| SHA512 | cea462f2813bad8e4116628df86516a1b1293963ddf1b4dbbca6b0aa549c69fc1ecf6930c3bfb9f415d05e4cefe9fda5d96547252344fe1583d117f1d5f5d94c |
C:\Windows\System\ZqpfjBO.exe
| MD5 | f30ff04eaf47a288d7ac51522d9ea718 |
| SHA1 | 6e65eed65d9ac339c5c7af672f1e9bed12f8ba63 |
| SHA256 | 8996bfe89234f0e6c22540baede910f6a37fcf99de73fae459f97580aae46978 |
| SHA512 | 1a8e0f08ce672f48fae6e6484f5b12e7f1b0876b0b0c1008c8d845b7cb288ff5167e2eabed713dc61dd26090b51bd0bf7a29a63220fe95ffd2c93e9c5feda473 |
memory/232-14-0x00007FF7C40E0000-0x00007FF7C4434000-memory.dmp
memory/4520-20-0x00007FF7AF390000-0x00007FF7AF6E4000-memory.dmp
C:\Windows\System\ULDIQeS.exe
| MD5 | 04b6366e6d3e62a2f2ce9b4c16f7327b |
| SHA1 | d78e0a9695c91c6fcd69c6253214fb9a37385d66 |
| SHA256 | bf36188e73ebc25622d6f8257e36ead8f8b032fc37d743d482394f8c06010452 |
| SHA512 | 4ccf94c34ebf156c5e1faab1a993643aa1e181a434258289759bc98f10f93f18e155dbb6ddaed02f30c237d1da67443228102e9d9b4ce45ba82d3937357007f8 |
memory/1728-26-0x00007FF7204B0000-0x00007FF720804000-memory.dmp
C:\Windows\System\WcbQJfC.exe
| MD5 | ec0fa155bbfc045f33f9f18357f92a06 |
| SHA1 | 12b952e94ac81e90c94c665b707743c27ad446ca |
| SHA256 | 618a654d66713a8d3d8af4d08f0971dfa4ebfd1f4a7b0aef95d51aeedf8ffae0 |
| SHA512 | 46686e7b56aefe31df797f834cb827dc1b5f4348c271183f6b5d72011e1ccfe2bd8cd76a650e21a80e556a04291c84d0d41c01ffb08995e8fd99f10347cd02d8 |
memory/3860-32-0x00007FF67CD00000-0x00007FF67D054000-memory.dmp
C:\Windows\System\xrqeXyE.exe
| MD5 | f0409c5f97e8d76f6f1040099b40122a |
| SHA1 | 0947450247c9085a830112bebfb2bc81a748e1b2 |
| SHA256 | cb93124045e2c7ad57916d991f49bb9e411aa53a811e1e8d33157305c4f23505 |
| SHA512 | 7c3bd038a3660472d5fff23d2d8fca2ad19573735341f81baabf457c96950a575b1a6fab671504f9a5e97227fb27e528abc50495c475f4e9242049f2b00e13b0 |
C:\Windows\System\TaPyNfO.exe
| MD5 | ce3338fa3e475d305c966238e2b4216f |
| SHA1 | 66906ac8b5cbce4022f3c66e96902ccc504791f7 |
| SHA256 | f48500eb7a2077b977d144a57a7bd66a0bb77efe30cab074cb95be186fda7d28 |
| SHA512 | 640e3e6fb45ca372531197f454070b76186b5d7f73161f05a15e096b19cee5086080bd193f1a95d3da8781543338f67a7480754e8187321e9a77c43913be7e6b |
C:\Windows\System\eygxcJu.exe
| MD5 | 67d22f09a75d1cf91dc55cb80b3a3879 |
| SHA1 | b563970fe45a87137089b6dbf36df10ac625e157 |
| SHA256 | fd97bfc7d7e79d4a0001652b1aa0fbe9167e73746a78b9a2fa450247b2f91d23 |
| SHA512 | bce37cdd23e06e1f420a88ea0378fdbedec5e266704281debc5bd58072efa8151d941b9c9b0c0caa0ad132a88dd20cbf21f9c2d6d2c3919dddb0e99f71108923 |
memory/1200-46-0x00007FF6D9A00000-0x00007FF6D9D54000-memory.dmp
memory/4212-39-0x00007FF78C580000-0x00007FF78C8D4000-memory.dmp
C:\Windows\System\mJQDPoy.exe
| MD5 | 852d9da921a8c1cb5007c8dee7548cbf |
| SHA1 | 8f2fa4e8c99d637f7220f8ddf520911b8b883fe6 |
| SHA256 | 2269d9da7c669bb79dd21ee1aec4c743605f76a463e0599caa67294cd1572c71 |
| SHA512 | b117998904fe7031ace91ea2b4aef6ff5deae1bbcf31755eb693fef1c64f4712b13fcb3e9b132cc8d3802a42bf482faddb5e17a86589bbca845998681daf8bb3 |
memory/2620-55-0x00007FF707880000-0x00007FF707BD4000-memory.dmp
memory/2000-57-0x00007FF6A8C00000-0x00007FF6A8F54000-memory.dmp
C:\Windows\System\SDYjUdZ.exe
| MD5 | 19db2a0f7f792cdb75fb8d9ec168e33d |
| SHA1 | dc658a7adcf8199e859d736bac6eea5282caf79f |
| SHA256 | 7083d3f6799060b5c3634f160ce300c83e87bc000c63bfbfc640f1e08c542ee5 |
| SHA512 | acf699a0b4cfded1eb6940e5366e79fcad44973a201836452c853b777fcd71a5586a1b57a34e222d767d88f7371d9892f3c084afe9688937e9989504f056fa54 |
memory/4344-60-0x00007FF679860000-0x00007FF679BB4000-memory.dmp
C:\Windows\System\yUuIzXn.exe
| MD5 | 79b72824a4b3ada04131d06988a1dcbe |
| SHA1 | 340e70b392805e3057e6781746d67dcf74ff9b72 |
| SHA256 | 1517672cdbc21e66dad26677be5ec5348de8fb674e2752c9869704b00a2dd488 |
| SHA512 | e3353bbfb0cf8fe3a237a9931db82d0ec1511f718ef206e43ab17da0ce3810fadd789a36217873e8a16f3e33a54576fcc9f306f9c6dc79abf5ca4360cbea52fb |
C:\Windows\System\LKqwNlD.exe
| MD5 | 6c12aefeca34ac3815a6f6e4334ee908 |
| SHA1 | 192890b79fcec7341d62e1b8029ae9bf57e692eb |
| SHA256 | 3dc4682fe40aaad6a848e7c9f7aca4f098ee1482cf15375011fde6b2f8da7b69 |
| SHA512 | 09a1311cc56ae8a684821818a76eb669ec4f31d6c1aa595fdace943b863605aca5454c5709f59e0e3fa83b80688d773e32eb4a952da9f1e3c1bf6262d8296995 |
C:\Windows\System\cctWduG.exe
| MD5 | 3cde49cdcf9610e9e64f0628e3667421 |
| SHA1 | 5b7de9e41d287493d93860508e0bb67b5ad88cf4 |
| SHA256 | d1d3c4814ce645b788a7d12a2773d18961401a7af3083839aea9ea11b9f1bfd0 |
| SHA512 | 1a339ea9b991a747e7e86501bdd3772aa034d3de2f16a1864e330b7290af007732740927130e39c3ad647096bc05e437fcd49c265f33e5921d501aaa6014d066 |
C:\Windows\System\jyXirGq.exe
| MD5 | 724d8e019c5ec0de1b6eb365fd8bc577 |
| SHA1 | 48cc1f66ecf395b79bba4d06fe45ea7d4524f1d9 |
| SHA256 | 31d898137fd479d1f61738376626d9496aa4e0372ab94741614ef891861aa1fe |
| SHA512 | 24712db72d4ae6da25bb38db32d9dda47b1b6bd342bd95d10e4ea8f14a2c62e5729a4233d8410d7197577cc949e1e85a7ea9047cf719eca77b98ca15beef4487 |
C:\Windows\System\pzbqPyJ.exe
| MD5 | 5fb9a8cd0c403cc4d5d32a9888853667 |
| SHA1 | b286557afbbb31c840a7301dee6e8e196941c4d6 |
| SHA256 | bc62d6b06d63aaa5d7159e51c5e2d4ddedb278d56d527a6901d9b777f15f6b90 |
| SHA512 | bdb8e6e31267ee91bb91ac166c40fd7467fc3bb8fd6a62f4f69fa6a0223c23a61b52ea022c218b94f17243954f2c963d00d46e5b516958ba19cb6f4aff754d25 |
C:\Windows\System\UpTrmbo.exe
| MD5 | 2f24140b783e2083990c7bf210de49e6 |
| SHA1 | d3c4e5ea7b973f6fea4d8a076d4e2f7181c18ff3 |
| SHA256 | 8244ee7a4c0625fe4c59a9eb5084121a4a2537b423f8b022ec9fb38dd211e64a |
| SHA512 | df3f90802cfd979f43a2725362ae163d674c6f557668c8c7645ff33a322006349a4bf28058732953c264daff26a36a0ef830e5876612ec5b6a83f02c805acf8d |
C:\Windows\System\lKZmRau.exe
| MD5 | 431976d73acea6d8eacc8842719a95cb |
| SHA1 | 692ca2be8e54891ea63ce6ce9a66e5e6ff5951b9 |
| SHA256 | b084b07cdb9629d6b72067c46f9ad6e9070c9ab090ce4351daadc0296e800307 |
| SHA512 | dc51fcabb29ec00760d8d45caa9bafb51825e5b450d8519cce1d458cd35cc07d4d96c825ede4cd1777e66bbce798718a4c47497d19b64f3f8aa96b4d593393d5 |
C:\Windows\System\rwwGbRR.exe
| MD5 | a7ac1a91707ade91b45b127649c476b1 |
| SHA1 | abf1af43b588d912b36e481a7a9d924d2de32e00 |
| SHA256 | b140410e4961a25f7a1be11b99ee94322a80dbdb0bc606ce6103565e41480ea2 |
| SHA512 | 165d935c7cfe5f78078a18b63098b839ef001c495835b8c8aa7aef16f30ed0978f02419dafe897fdaf9864a8c00cae39680e44514f5d687b95861dc7d024254f |
C:\Windows\System\yIjLAvZ.exe
| MD5 | d16da95d6119148eeec0c3d5f522f706 |
| SHA1 | 938a7ec3e69a569c62aad1bdc586d9fe375e40fb |
| SHA256 | 4adb4fe7257d9a03a59104c4490429180c447fdccfae40bc0459d363348303cf |
| SHA512 | a46a07b426b2ccb8e1b950c286f0578ce232081104f57be0f0456e8da56f2dfad912f71eb7c290fd176b3d2773ae4cba63170a6a1be224f821ee9cce80ab665c |
C:\Windows\System\IIsmziD.exe
| MD5 | 550e8252f967fa9de81185fcc36c8b22 |
| SHA1 | 4a42bb0f858c4149a3d6f9a163526df7cac8f785 |
| SHA256 | e7e9dfc1be4ef03e3991490b408ae506617ff575062c3ec7a0f8121fab0fed92 |
| SHA512 | 74450e0ec89a327cb6bad9263da460b4c9ec902aa8b921ed1c3c51544833df8c8e3e5a9d2ce415cc379870aee02294a7204c1f16358a18ebf43ac66df98d8446 |
C:\Windows\System\RJbiMht.exe
| MD5 | 75751e0edd29c39a28afba66d5e97f73 |
| SHA1 | c7e3838ba898e77289e2baee847dec4b07831b32 |
| SHA256 | a1525a1dec55327f62bbf265c37b7f9e7bede06deb41ae9019fdc0b2b67340f5 |
| SHA512 | e04f443e854edb46fb3541a2a9be82e4192b8f6b9b6c4a5cb126813039c0d05b8ff73ef169faaf1d099ac7a24a72acc4b302652087b0e7d4833ec7357fe4615d |
memory/1240-81-0x00007FF65A480000-0x00007FF65A7D4000-memory.dmp
memory/3744-77-0x00007FF7C7B30000-0x00007FF7C7E84000-memory.dmp
memory/3316-71-0x00007FF748E90000-0x00007FF7491E4000-memory.dmp
memory/2756-66-0x00007FF7B7A30000-0x00007FF7B7D84000-memory.dmp
memory/1728-121-0x00007FF7204B0000-0x00007FF720804000-memory.dmp
memory/3536-123-0x00007FF716D50000-0x00007FF7170A4000-memory.dmp
memory/3660-125-0x00007FF78A5D0000-0x00007FF78A924000-memory.dmp
memory/2244-124-0x00007FF7BB330000-0x00007FF7BB684000-memory.dmp
memory/3956-122-0x00007FF6807D0000-0x00007FF680B24000-memory.dmp
memory/2296-128-0x00007FF628100000-0x00007FF628454000-memory.dmp
memory/1888-127-0x00007FF678330000-0x00007FF678684000-memory.dmp
memory/4356-126-0x00007FF785950000-0x00007FF785CA4000-memory.dmp
memory/1600-129-0x00007FF6B2670000-0x00007FF6B29C4000-memory.dmp
memory/3860-130-0x00007FF67CD00000-0x00007FF67D054000-memory.dmp
memory/2756-131-0x00007FF7B7A30000-0x00007FF7B7D84000-memory.dmp
memory/1240-132-0x00007FF65A480000-0x00007FF65A7D4000-memory.dmp
memory/4760-133-0x00007FF6F3870000-0x00007FF6F3BC4000-memory.dmp
memory/232-134-0x00007FF7C40E0000-0x00007FF7C4434000-memory.dmp
memory/4520-135-0x00007FF7AF390000-0x00007FF7AF6E4000-memory.dmp
memory/1728-136-0x00007FF7204B0000-0x00007FF720804000-memory.dmp
memory/3860-137-0x00007FF67CD00000-0x00007FF67D054000-memory.dmp
memory/4212-138-0x00007FF78C580000-0x00007FF78C8D4000-memory.dmp
memory/1200-139-0x00007FF6D9A00000-0x00007FF6D9D54000-memory.dmp
memory/2620-140-0x00007FF707880000-0x00007FF707BD4000-memory.dmp
memory/2000-141-0x00007FF6A8C00000-0x00007FF6A8F54000-memory.dmp
memory/2756-142-0x00007FF7B7A30000-0x00007FF7B7D84000-memory.dmp
memory/3316-143-0x00007FF748E90000-0x00007FF7491E4000-memory.dmp
memory/3744-144-0x00007FF7C7B30000-0x00007FF7C7E84000-memory.dmp
memory/1240-145-0x00007FF65A480000-0x00007FF65A7D4000-memory.dmp
memory/3956-146-0x00007FF6807D0000-0x00007FF680B24000-memory.dmp
memory/3536-147-0x00007FF716D50000-0x00007FF7170A4000-memory.dmp
memory/2244-148-0x00007FF7BB330000-0x00007FF7BB684000-memory.dmp
memory/3660-149-0x00007FF78A5D0000-0x00007FF78A924000-memory.dmp
memory/4356-150-0x00007FF785950000-0x00007FF785CA4000-memory.dmp
memory/1888-151-0x00007FF678330000-0x00007FF678684000-memory.dmp
memory/2296-152-0x00007FF628100000-0x00007FF628454000-memory.dmp
memory/1600-153-0x00007FF6B2670000-0x00007FF6B29C4000-memory.dmp
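The Network and Files sections above are flattened into one path line followed by hash rows, `memory/PID-N-start-end-memory.dmp` lines for each dumped region, and network rows whose protocol has slid into the Domain column. Turning that into a hunt-ready IOC set by hand is error-prone (a hash copied one character short matches nothing), so the following parser is added here as an example; it is not tooling from the sandbox or from this page. It assumes only the layout visible above, embeds a constructed sample made from a handful of the lines on this page (a subset of the hash rows, so it runs offline), validates hash lengths per algorithm, counts the repeated C2 endpoint, and computes the size of every dumped region. On the regions listed above, each 0x7FF6...-0x7FF7... image region is exactly 0x354000 bytes across every PID, which is the kind of consistency check the script surfaces; the sample also keeps one 0x10000 heap region so the histogram shows mixed sizes.

```python
import re
from collections import Counter

# Constructed sample: a few lines copied from the Network and Files sections
# of the report, in the same flattened layout. Added example, not the
# sandbox's own tooling; SHA512 rows are omitted here for brevity.
SAMPLE_REPORT = r"""
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
Files
memory/4344-0-0x00007FF679860000-0x00007FF679BB4000-memory.dmp
memory/4344-1-0x000001DE68070000-0x000001DE68080000-memory.dmp
C:\Windows\System\dqOmbZB.exe
| MD5 | d5231faad83a050dc489cf80dfc451fb |
| SHA1 | 97686a48cd604bfe4ea0416ee8b93a1e8435164d |
| SHA256 | 7189a07cd90694e356cfa8e282575a2f1eca7ec9737f51a7dca466794204ae8f |
memory/4760-8-0x00007FF6F3870000-0x00007FF6F3BC4000-memory.dmp
C:\Windows\System\qoawfuf.exe
| MD5 | 61e2e0b9192b47f0857dd85e3a0f6198 |
| SHA256 | 0ec1e7514f3d7469ada5e22bd7373c68d3b78022c8dd093ae985548a33d87a8f |
"""

# Expected hex-digit length of each digest; anything else is a copy error.
HASH_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_RE = re.compile(r"^[A-Za-z]:\\\S")
HASH_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|?$")
# The report puts the protocol in the Domain column; only country, IP and
# port are taken from the row, so the column shift does not matter.
NET_RE = re.compile(r"^\|\s*([A-Z]{2})\s*\|\s*(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s*\|")


def parse_report(text):
    """Split the flattened report into dropped files, memory regions and C2 rows."""
    files, memory, network = [], [], []
    current = None  # the file whose hash rows are being collected
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MEM_RE.match(line):
            pid, seq, start, end = m.groups()
            start, end = int(start, 16), int(end, 16)
            memory.append({"pid": int(pid), "seq": int(seq), "start": start,
                           "end": end, "size": end - start})
            current = None  # a dump line ends the previous file's hash block
        elif PATH_RE.match(line):
            current = {"path": line, "hashes": {}}
            files.append(current)
        elif m := HASH_RE.match(line):
            if current is not None:
                current["hashes"][m.group(1).lower()] = m.group(2).lower()
        elif m := NET_RE.match(line):
            country, ip, port = m.groups()
            network.append({"country": country, "ip": ip, "port": int(port)})
    return {"files": files, "memory": memory, "network": network}


def bad_hashes(report):
    """Return (path, algo) pairs whose digest length is wrong for the algorithm."""
    return [(f["path"], algo) for f in report["files"]
            for algo, value in f["hashes"].items() if len(value) != HASH_LEN[algo]]


def c2_endpoints(report):
    """Count connections per (ip, port); repeats are the beacon pattern."""
    return dict(Counter((n["ip"], n["port"]) for n in report["network"]))


def region_size_histogram(report):
    """Count dumped regions by size; identical sizes across PIDs point at one image."""
    return dict(Counter(m["size"] for m in report["memory"]))


def ioc_lines(report):
    """Flat hunt list: one sha256 per dropped file plus each unique C2 endpoint."""
    lines = [f"sha256:{f['hashes']['sha256']}" for f in report["files"]
             if "sha256" in f["hashes"]]
    lines += [f"net:{ip}:{port}" for (ip, port) in sorted(c2_endpoints(report))]
    return lines


if __name__ == "__main__":
    rep = parse_report(SAMPLE_REPORT)
    print("bad hashes:", bad_hashes(rep))
    print("c2:", c2_endpoints(rep))
    print("region sizes:", {hex(k): v for k, v in region_size_histogram(rep).items()})
    print("\n".join(ioc_lines(rep)))
```

To run it against the whole page, save the report as text and call `parse_report(open(path).read())`; check `bad_hashes()` is empty before feeding `ioc_lines()` to a blocklist, and treat a size histogram dominated by one value as a hint that the dropped executables share one image layout even though their hashes differ.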