Analysis Overview
SHA256
55d03d48cd050dc88739c520514c649046b38b4573fc1dde9ec4a0d180a52ada
Threat Level: Known bad
The file 2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Detects Reflective DLL injection artifacts
xmrig
UPX dump on OEP (original entry point)
Xmrig family
XMRig Miner payload
Cobaltstrike
Cobalt Strike reflective loader
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-05-27 18:11
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-27 18:11
Reported
2024-05-27 18:14
Platform
win10v2004-20240426-en
Max time kernel
140s
Max time network
151s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\eAkOuky.exe | N/A |
| N/A | N/A | C:\Windows\System\AWtwYgB.exe | N/A |
| N/A | N/A | C:\Windows\System\nlDPfHI.exe | N/A |
| N/A | N/A | C:\Windows\System\AAVfAVv.exe | N/A |
| N/A | N/A | C:\Windows\System\LKBqiuz.exe | N/A |
| N/A | N/A | C:\Windows\System\xMRhQCs.exe | N/A |
| N/A | N/A | C:\Windows\System\nwwPTHV.exe | N/A |
| N/A | N/A | C:\Windows\System\HaVOptC.exe | N/A |
| N/A | N/A | C:\Windows\System\FuFnSJa.exe | N/A |
| N/A | N/A | C:\Windows\System\URneELu.exe | N/A |
| N/A | N/A | C:\Windows\System\zwMUkrD.exe | N/A |
| N/A | N/A | C:\Windows\System\bEreGKp.exe | N/A |
| N/A | N/A | C:\Windows\System\MOmSpLW.exe | N/A |
| N/A | N/A | C:\Windows\System\eDnuyfI.exe | N/A |
| N/A | N/A | C:\Windows\System\RMQxwuK.exe | N/A |
| N/A | N/A | C:\Windows\System\yAuAxVq.exe | N/A |
| N/A | N/A | C:\Windows\System\HqGvonj.exe | N/A |
| N/A | N/A | C:\Windows\System\MUcVsFC.exe | N/A |
| N/A | N/A | C:\Windows\System\NpyRNKN.exe | N/A |
| N/A | N/A | C:\Windows\System\qqEdNBJ.exe | N/A |
| N/A | N/A | C:\Windows\System\nvAhfaW.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\eAkOuky.exe
C:\Windows\System\eAkOuky.exe
C:\Windows\System\AWtwYgB.exe
C:\Windows\System\AWtwYgB.exe
C:\Windows\System\nlDPfHI.exe
C:\Windows\System\nlDPfHI.exe
C:\Windows\System\AAVfAVv.exe
C:\Windows\System\AAVfAVv.exe
C:\Windows\System\LKBqiuz.exe
C:\Windows\System\LKBqiuz.exe
C:\Windows\System\xMRhQCs.exe
C:\Windows\System\xMRhQCs.exe
C:\Windows\System\nwwPTHV.exe
C:\Windows\System\nwwPTHV.exe
C:\Windows\System\HaVOptC.exe
C:\Windows\System\HaVOptC.exe
C:\Windows\System\FuFnSJa.exe
C:\Windows\System\FuFnSJa.exe
C:\Windows\System\URneELu.exe
C:\Windows\System\URneELu.exe
C:\Windows\System\zwMUkrD.exe
C:\Windows\System\zwMUkrD.exe
C:\Windows\System\bEreGKp.exe
C:\Windows\System\bEreGKp.exe
C:\Windows\System\MOmSpLW.exe
C:\Windows\System\MOmSpLW.exe
C:\Windows\System\eDnuyfI.exe
C:\Windows\System\eDnuyfI.exe
C:\Windows\System\RMQxwuK.exe
C:\Windows\System\RMQxwuK.exe
C:\Windows\System\yAuAxVq.exe
C:\Windows\System\yAuAxVq.exe
C:\Windows\System\HqGvonj.exe
C:\Windows\System\HqGvonj.exe
C:\Windows\System\MUcVsFC.exe
C:\Windows\System\MUcVsFC.exe
C:\Windows\System\NpyRNKN.exe
C:\Windows\System\NpyRNKN.exe
C:\Windows\System\qqEdNBJ.exe
C:\Windows\System\qqEdNBJ.exe
C:\Windows\System\nvAhfaW.exe
C:\Windows\System\nvAhfaW.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | N/A | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-27 18:11
Reported
2024-05-27 18:14
Platform
win7-20240221-en
Max time kernel
139s
Max time network
154s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\lVgZfmj.exe | N/A |
| N/A | N/A | C:\Windows\System\hvgEdyf.exe | N/A |
| N/A | N/A | C:\Windows\System\wUNZGcP.exe | N/A |
| N/A | N/A | C:\Windows\System\IAkIqhS.exe | N/A |
| N/A | N/A | C:\Windows\System\rUvgYBx.exe | N/A |
| N/A | N/A | C:\Windows\System\KnbJsKR.exe | N/A |
| N/A | N/A | C:\Windows\System\HKqcDeg.exe | N/A |
| N/A | N/A | C:\Windows\System\BGwanBV.exe | N/A |
| N/A | N/A | C:\Windows\System\swsOrNB.exe | N/A |
| N/A | N/A | C:\Windows\System\ASNwXTz.exe | N/A |
| N/A | N/A | C:\Windows\System\AcYKSht.exe | N/A |
| N/A | N/A | C:\Windows\System\YfaqlWC.exe | N/A |
| N/A | N/A | C:\Windows\System\TEiCaTO.exe | N/A |
| N/A | N/A | C:\Windows\System\PQekvXV.exe | N/A |
| N/A | N/A | C:\Windows\System\hraVomt.exe | N/A |
| N/A | N/A | C:\Windows\System\kwrruvE.exe | N/A |
| N/A | N/A | C:\Windows\System\KiITmwD.exe | N/A |
| N/A | N/A | C:\Windows\System\iWGESqs.exe | N/A |
| N/A | N/A | C:\Windows\System\QDXITov.exe | N/A |
| N/A | N/A | C:\Windows\System\ONmcIDO.exe | N/A |
| N/A | N/A | C:\Windows\System\UTTlyuL.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-27_b8fcda374af72ad2161f20e6ba7503d9_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\lVgZfmj.exe
C:\Windows\System\lVgZfmj.exe
C:\Windows\System\hvgEdyf.exe
C:\Windows\System\hvgEdyf.exe
C:\Windows\System\wUNZGcP.exe
C:\Windows\System\wUNZGcP.exe
C:\Windows\System\IAkIqhS.exe
C:\Windows\System\IAkIqhS.exe
C:\Windows\System\rUvgYBx.exe
C:\Windows\System\rUvgYBx.exe
C:\Windows\System\KnbJsKR.exe
C:\Windows\System\KnbJsKR.exe
C:\Windows\System\HKqcDeg.exe
C:\Windows\System\HKqcDeg.exe
C:\Windows\System\swsOrNB.exe
C:\Windows\System\swsOrNB.exe
C:\Windows\System\BGwanBV.exe
C:\Windows\System\BGwanBV.exe
C:\Windows\System\ASNwXTz.exe
C:\Windows\System\ASNwXTz.exe
C:\Windows\System\AcYKSht.exe
C:\Windows\System\AcYKSht.exe
C:\Windows\System\TEiCaTO.exe
C:\Windows\System\TEiCaTO.exe
C:\Windows\System\YfaqlWC.exe
C:\Windows\System\YfaqlWC.exe
C:\Windows\System\iWGESqs.exe
C:\Windows\System\iWGESqs.exe
C:\Windows\System\PQekvXV.exe
C:\Windows\System\PQekvXV.exe
C:\Windows\System\QDXITov.exe
C:\Windows\System\QDXITov.exe
C:\Windows\System\hraVomt.exe
C:\Windows\System\hraVomt.exe
C:\Windows\System\ONmcIDO.exe
C:\Windows\System\ONmcIDO.exe
C:\Windows\System\kwrruvE.exe
C:\Windows\System\kwrruvE.exe
C:\Windows\System\UTTlyuL.exe
C:\Windows\System\UTTlyuL.exe
C:\Windows\System\KiITmwD.exe
C:\Windows\System\KiITmwD.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
memory/1712-0-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/1712-1-0x0000000000480000-0x0000000000490000-memory.dmp
C:\Windows\system\lVgZfmj.exe
| MD5 | f6cdfb3d88537b367792cbd894bd98ed |
| SHA1 | 3d3f99c94c72c456dffcf949bc5d30603a7e936c |
| SHA256 | 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86 |
| SHA512 | 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3 |
C:\Windows\system\IAkIqhS.exe
| MD5 | 984a8cf637fc9f46a5be1646493a183b |
| SHA1 | eff3045fcb5d0b4a9321004fdd3e94f3f336f5af |
| SHA256 | 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068 |
| SHA512 | f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d |
C:\Windows\system\KnbJsKR.exe
| MD5 | 875adb05ca7978a782a422eae0e659d5 |
| SHA1 | 62ff05ff43b62454b0d2de31a6d3e5ab5b20078e |
| SHA256 | 37dd63fa608e19033cbf1d6fe95b6c7cae69d9504fa48e33d41d5ec13ee264fc |
| SHA512 | a52ebf1339c0fe55188b04cd82a747d77ad57139865b9b75fdf3b9fdf3c02e03688e0ddf137cf4743af68901034727d33ac639825cb8b6403a17b8673a4dfd6f |
C:\Windows\system\swsOrNB.exe
| MD5 | d087d60bee972482ba414dde57d94064 |
| SHA1 | 0e58102d75409e85387c950e86f4cc96da371515 |
| SHA256 | 1ee51685b7af314df3c8f01c4b39b91c739a420b0c8968c9cd986b716fd08dc9 |
| SHA512 | 500b3e00dc02005c17b03b8494021fddbab5916723a913433d6ef89aa2cf4e6e68fc4172636b2bd68c73de2d44f0d00b4e792d1f453e109ae727ef66e97b6e2b |
C:\Windows\system\KiITmwD.exe
| MD5 | 6fb6863d9548f3879b1ba1b64fc45a68 |
| SHA1 | 0dc40616de903c417cc9a8b581f9078af09ea60a |
| SHA256 | b26b72ca0ef6d18aef032253470a78a13f48dcd486b2eb6e1570c96324293e82 |
| SHA512 | cf09c13915872b96dcf1f62eac8174c1c1dfa4aabd64fb9272008df1f24e451a988f1edb48cb6ca8b7ef84d58508cf13cc3d0e709b84acf2687dd5617c6c3a61 |
\Windows\system\UTTlyuL.exe
| MD5 | 1d51a6f9f8f706d40a78f27cac287065 |
| SHA1 | 981c2096ede4558d1ebc91ef5d6ea849a5e05a26 |
| SHA256 | 15b21f96ab3bc949c328ae89ca4b8971cb600187d8a414a03ad62deea81f4ef1 |
| SHA512 | f88e4c79c055461a937a826fa6bbc551f208f7399466fa47521581ae4db3bc5d256e1bf01ae134b570a11c9d09f89930e6add7d4c8135ba334d8b29af2c44c97 |
C:\Windows\system\UTTlyuL.exe
| MD5 | f6ff13f5b74581b4d693140d7ed15d42 |
| SHA1 | b5f72d745d10b4b9c5938885364efade2590a6ab |
| SHA256 | 0632369166c9bc5c9b434ffd89ec9c9f265e35db5f9f6e8b7957c45b2c7683c7 |
| SHA512 | 39ddedcd48f0afefef8b6d9f4c6350246031d6adffaa23199754b30948665cbedbf8af674f3d181d1c85403f8709c1fd9ff92429b133ea7e8be126dcdcc115dd |
\Windows\system\ONmcIDO.exe
| MD5 | 38e1b7b0b9aa649f5c14f03127a6d132 |
| SHA1 | 3917ca36707cd2c4dba6b6926d34a14a7bb117b1 |
| SHA256 | ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72 |
| SHA512 | 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0 |
C:\Windows\system\ONmcIDO.exe
| MD5 | a3e64e88a07b7e80502dfe1579d5d47b |
| SHA1 | c1b22e9359a8042dd76aa237120934d7bc9224ef |
| SHA256 | 09f9d78b52041a781342402d5c596c3ea15577e11a90bea7dbf6b09a0ab8af29 |
| SHA512 | 4f345d7911b229531b4dea096be7f6908f7ff86206d60722d0ce4952fd1b7ca4b74ad647ef1165c7c4f85972d89af1c752eeea38f8c629aaad23d945089333cf |
C:\Windows\system\QDXITov.exe
| MD5 | 4d0cad39a14fefa3a36e7a39d8c35b44 |
| SHA1 | cb1f54abf2c4e73d9a1920ce0edcf56fa54b7a3c |
| SHA256 | f3acd82830976bea178f2395f729a89691bb342cb7aab598203c377d531ec3af |
| SHA512 | 78160df1bbd3ba274124e4c2c1a406f76d100e9e65eeff7f72fe47b51a804384df4db4cbd67c58a9ede32bdb508c250fef39076c978a16f29a25c83aa27faf2c |
\Windows\system\iWGESqs.exe
| MD5 | 9d367348bc2b0a338371873ab92b5ce0 |
| SHA1 | 7f656575ff1e475fc391f43341a8d5f4ac819b19 |
| SHA256 | 54a48f3a9df4f2d2df5308f04d9bbc5bfb754b7f4236b7d31d49f71134f2b309 |
| SHA512 | 8ea158cb453b86b762270e2cebce91cbe9a0e8b60ddc4e0fb3c531068e04df9f568fe69f34e169c5bdf6255c4c79c801e5f4b3c040f45ef12c24211a5d1dd454 |
\Windows\system\KiITmwD.exe
| MD5 | 7d9f1099f6b47550fd37adb914ba896f |
| SHA1 | 73597804426883357ebb880f6c0164793f40ad60 |
| SHA256 | 66cd4cd4af8f630e7f196e1d09756e078751dfa9bcc54e0d14fae0ccbe492285 |
| SHA512 | e8add13893f4c014a42f0f57f95da110b546828bbf0b90c6e45d275710a9847ff130353175caa02a22132a7aec183fbbcda6a7a954c359f2b63e3b3f4a4cba77 |
\Windows\system\kwrruvE.exe
| MD5 | aea466b9d11f003266238669d01140de |
| SHA1 | 03f26cf832ef53654251e13c14952fa7acda4591 |
| SHA256 | 1cc51492361df0409c34002146ed0cbc18c78ed806e3e39994c74ac9a95fb2ce |
| SHA512 | 0dec6a7f832a055996449cf674d3e49feb4c26f31f74d35c218ec63a629f3439b4eca9937dd36dd05824bfc88d10046f8bb1ce5271284b8ef5b5197814c9c7bd |
\Windows\system\PQekvXV.exe
| MD5 | 74aaf47b8b79abc5b6aefbd53c40fc17 |
| SHA1 | 7f73daf1eb53239eac1227fec61f04b311a3db3d |
| SHA256 | 7ffc7610319036669a6e39401e49cc6408a3fc3cd52ac5f59e888f0860a60c06 |
| SHA512 | ec48fe0260fd833bb13cfa9ff607ae52e1a30b4735746f7e17876cc971abe45895b17d54370d58e4151b373ec744fd420b680e66b51d37445f9704182b7787f6 |
\Windows\system\TEiCaTO.exe
| MD5 | e8aa03d37a73cd8b872c5e7991025b56 |
| SHA1 | 87c6132a0e939eceee7dda5a16f08157866f7753 |
| SHA256 | ef11b636fa48a677d5e28d45df64d29790a2b31560b2909879b4fd5734d1d692 |
| SHA512 | b578c8110c70705115d8150545580acff01598970b964979ce15e6aaf00d4e36b41a360fb01d41f0790d9b625a3cf9fa992a50f207a931cfd35f346263215ad8 |
\Windows\system\YfaqlWC.exe
| MD5 | 37bb4a68c9b7852b67cbef8040f1a3d0 |
| SHA1 | 84545600d16d7710d88f82db8e5c041b18c43e42 |
| SHA256 | 2302e88ae0a54b7163f93a4e54e4ffdb91b7cef3d88634803f6a543259a6216d |
| SHA512 | 3619a978fc76c6cc24d18b230b104be1111d4ad43ac133bcfde882331c55b5a237430a955ecc517bdbe831a58e3cb7ca0ddf690a867102fca701b9ce07203f50 |
C:\Windows\system\AcYKSht.exe
| MD5 | 06ba3dda744dbe1471ef19e45d9b2e77 |
| SHA1 | 7342e2c5a474faf8deea3e2473a126336791f28d |
| SHA256 | 8ed39dab3f47832a751492036af8301f4885862d29803cf620a1ceac220c4d43 |
| SHA512 | 3311373b89420cf2f6eefe429e2d919c05463b5b856bcf4c931b6b8fe727cf4667ee320cb957d424a518c7d5059190a8c0058345de9006d90a139d0cf37de0ed |
C:\Windows\system\ASNwXTz.exe
| MD5 | 2b405c074ad1fde3f6aa9b2a77fd52bb |
| SHA1 | cc979480a1a6e223d3859d1a83010ac7b4a5d9a7 |
| SHA256 | 53da465f75c8bf713a60e5fa061be37f64eb73c888f1acde22ec4ea269649786 |
| SHA512 | 47ee7a0c0f73230e78d657ab4d64818e65b74623fa13bc09b88c7cf31d5bef912b833cdab14d80ed93e27fcc9b7ed03dc7fb6b72ec8cf8620c51e60d92c9a365 |
C:\Windows\system\BGwanBV.exe
| MD5 | 5fda5d3fca5acc1c9bb1f863a223af15 |
| SHA1 | 54302c11e9fcd93af99cdbbb5995b393c3880be3 |
| SHA256 | 8397e4df574c96ed0bf61ab8d7494e7b1191428d6a2f6ac4247c800378e43c36 |
| SHA512 | fa9d39686e35b3b54b882c3a6d6998cdaf01dcda64f3e011d1f907b7fdea0e2d335fee2d30d6c948e616772fcbde052d812cfc9f409ef2e0e9aa5cf25b8091af |
\Windows\system\rUvgYBx.exe
| MD5 | 198264203bf80d452763737fda3171d1 |
| SHA1 | e8aedb403a9ff70d66d79bfd353e10ffafd671af |
| SHA256 | 84fa29facf1797205a948863e1063e652e34263872f2062c48883aeb4ed50c85 |
| SHA512 | d87b837857a56514bff46b09134591bcc80f597124d1c95345d2bece7c0639227c4a6492c3ade055c1db41519251db795db8cee7bebc8e50c2414631a8259e35 |
\Windows\system\IAkIqhS.exe
| MD5 | f6276feb65ff3a9e57e997fb7cdd9ed0 |
| SHA1 | a4284a49fd100dc060e25a3cadb7f792fb608b91 |
| SHA256 | cadaec1ba090c1a37fd0dcb191aa0b8f6b77d91b4395e860abf5b57c3d338ccb |
| SHA512 | a1d77762facadc56d589c66c2be16c6e77e033854b882a46fe0fa6d182968c5280dacfdee104881c4c5021152a373b7144e69effe529e213a027330414792645 |
C:\Windows\system\wUNZGcP.exe
| MD5 | 735084bb3a85018fc8f80a621b4ed0de |
| SHA1 | f1fe27ed98cd499b3967beec1f2c42dea8913b4d |
| SHA256 | 822a9a0f7461db5401647fe28394a2038422fffbca2ea477c5d945633efff057 |
| SHA512 | 8746015022485b3bb0f8d904b89b9895ae84ebd713db45df75715ec7aa26ef7de71073bc1dbf09a44eb3b3b70dc844b7dd0ba122ce3e064593d510a6ac01cd86 |