Analysis Overview
SHA256
9c64f82c801eaa0edbb092815390d434c8b8ff76e75d7b531ebc1b78119f44ea
Threat Level: Known bad
The file 2024-05-30_8bca5576c30cece39776b84a571fb9d1_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike family
UPX dump on OEP (original entry point)
XMRig Miner payload
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-05-30 07:03
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 07:03
Reported
2024-05-30 07:06
Platform
win7-20240221-en
Max time kernel
140s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\sjJtJaJ.exe | N/A |
| N/A | N/A | C:\Windows\System\bFzTnty.exe | N/A |
| N/A | N/A | C:\Windows\System\FsgKKIh.exe | N/A |
| N/A | N/A | C:\Windows\System\quCmsni.exe | N/A |
| N/A | N/A | C:\Windows\System\muqJaJN.exe | N/A |
| N/A | N/A | C:\Windows\System\hvyTrLN.exe | N/A |
| N/A | N/A | C:\Windows\System\ULKAQIT.exe | N/A |
| N/A | N/A | C:\Windows\System\cCsRvlf.exe | N/A |
| N/A | N/A | C:\Windows\System\IngKjeu.exe | N/A |
| N/A | N/A | C:\Windows\System\KIvWhsB.exe | N/A |
| N/A | N/A | C:\Windows\System\EHTrkQt.exe | N/A |
| N/A | N/A | C:\Windows\System\TyrJkAe.exe | N/A |
| N/A | N/A | C:\Windows\System\VrukYJq.exe | N/A |
| N/A | N/A | C:\Windows\System\NwsACSJ.exe | N/A |
| N/A | N/A | C:\Windows\System\UeIRLaZ.exe | N/A |
| N/A | N/A | C:\Windows\System\QhvlIHw.exe | N/A |
| N/A | N/A | C:\Windows\System\MOkJLKd.exe | N/A |
| N/A | N/A | C:\Windows\System\IbntLAp.exe | N/A |
| N/A | N/A | C:\Windows\System\jAroieR.exe | N/A |
| N/A | N/A | C:\Windows\System\lNuxVce.exe | N/A |
| N/A | N/A | C:\Windows\System\RGoLSdC.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_8bca5576c30cece39776b84a571fb9d1_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-30_8bca5576c30cece39776b84a571fb9d1_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-30_8bca5576c30cece39776b84a571fb9d1_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\sjJtJaJ.exe | C:\Windows\System\sjJtJaJ.exe |
| C:\Windows\System\bFzTnty.exe | C:\Windows\System\bFzTnty.exe |
| C:\Windows\System\FsgKKIh.exe | C:\Windows\System\FsgKKIh.exe |
| C:\Windows\System\quCmsni.exe | C:\Windows\System\quCmsni.exe |
| C:\Windows\System\muqJaJN.exe | C:\Windows\System\muqJaJN.exe |
| C:\Windows\System\hvyTrLN.exe | C:\Windows\System\hvyTrLN.exe |
| C:\Windows\System\ULKAQIT.exe | C:\Windows\System\ULKAQIT.exe |
| C:\Windows\System\cCsRvlf.exe | C:\Windows\System\cCsRvlf.exe |
| C:\Windows\System\IngKjeu.exe | C:\Windows\System\IngKjeu.exe |
| C:\Windows\System\KIvWhsB.exe | C:\Windows\System\KIvWhsB.exe |
| C:\Windows\System\EHTrkQt.exe | C:\Windows\System\EHTrkQt.exe |
| C:\Windows\System\TyrJkAe.exe | C:\Windows\System\TyrJkAe.exe |
| C:\Windows\System\UeIRLaZ.exe | C:\Windows\System\UeIRLaZ.exe |
| C:\Windows\System\VrukYJq.exe | C:\Windows\System\VrukYJq.exe |
| C:\Windows\System\MOkJLKd.exe | C:\Windows\System\MOkJLKd.exe |
| C:\Windows\System\NwsACSJ.exe | C:\Windows\System\NwsACSJ.exe |
| C:\Windows\System\IbntLAp.exe | C:\Windows\System\IbntLAp.exe |
| C:\Windows\System\QhvlIHw.exe | C:\Windows\System\QhvlIHw.exe |
| C:\Windows\System\jAroieR.exe | C:\Windows\System\jAroieR.exe |
| C:\Windows\System\lNuxVce.exe | C:\Windows\System\lNuxVce.exe |
| C:\Windows\System\RGoLSdC.exe | C:\Windows\System\RGoLSdC.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-30 07:03
Reported
2024-05-30 07:06
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\wTdgcAC.exe | N/A |
| N/A | N/A | C:\Windows\System\vosTpcn.exe | N/A |
| N/A | N/A | C:\Windows\System\okHpTSk.exe | N/A |
| N/A | N/A | C:\Windows\System\YugENOU.exe | N/A |
| N/A | N/A | C:\Windows\System\CdnEvrI.exe | N/A |
| N/A | N/A | C:\Windows\System\kNdGFtZ.exe | N/A |
| N/A | N/A | C:\Windows\System\eoHkIxd.exe | N/A |
| N/A | N/A | C:\Windows\System\DReVsvA.exe | N/A |
| N/A | N/A | C:\Windows\System\LPYZPEw.exe | N/A |
| N/A | N/A | C:\Windows\System\drEnqxe.exe | N/A |
| N/A | N/A | C:\Windows\System\aTzQfDo.exe | N/A |
| N/A | N/A | C:\Windows\System\TZnzYiN.exe | N/A |
| N/A | N/A | C:\Windows\System\SmgcfgT.exe | N/A |
| N/A | N/A | C:\Windows\System\xFAPeoF.exe | N/A |
| N/A | N/A | C:\Windows\System\LvNHGZF.exe | N/A |
| N/A | N/A | C:\Windows\System\WUgEJBM.exe | N/A |
| N/A | N/A | C:\Windows\System\ZcBkhdU.exe | N/A |
| N/A | N/A | C:\Windows\System\NdRlQYC.exe | N/A |
| N/A | N/A | C:\Windows\System\UhrAZxj.exe | N/A |
| N/A | N/A | C:\Windows\System\AxcbSYa.exe | N/A |
| N/A | N/A | C:\Windows\System\dznaaob.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-05-30_8bca5576c30cece39776b84a571fb9d1_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-05-30_8bca5576c30cece39776b84a571fb9d1_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-05-30_8bca5576c30cece39776b84a571fb9d1_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\wTdgcAC.exe | C:\Windows\System\wTdgcAC.exe |
| C:\Windows\System\vosTpcn.exe | C:\Windows\System\vosTpcn.exe |
| C:\Windows\System\okHpTSk.exe | C:\Windows\System\okHpTSk.exe |
| C:\Windows\System\YugENOU.exe | C:\Windows\System\YugENOU.exe |
| C:\Windows\System\CdnEvrI.exe | C:\Windows\System\CdnEvrI.exe |
| C:\Windows\System\kNdGFtZ.exe | C:\Windows\System\kNdGFtZ.exe |
| C:\Windows\System\eoHkIxd.exe | C:\Windows\System\eoHkIxd.exe |
| C:\Windows\System\DReVsvA.exe | C:\Windows\System\DReVsvA.exe |
| C:\Windows\System\LPYZPEw.exe | C:\Windows\System\LPYZPEw.exe |
| C:\Windows\System\drEnqxe.exe | C:\Windows\System\drEnqxe.exe |
| C:\Windows\System\aTzQfDo.exe | C:\Windows\System\aTzQfDo.exe |
| C:\Windows\System\TZnzYiN.exe | C:\Windows\System\TZnzYiN.exe |
| C:\Windows\System\SmgcfgT.exe | C:\Windows\System\SmgcfgT.exe |
| C:\Windows\System\xFAPeoF.exe | C:\Windows\System\xFAPeoF.exe |
| C:\Windows\System\LvNHGZF.exe | C:\Windows\System\LvNHGZF.exe |
| C:\Windows\System\WUgEJBM.exe | C:\Windows\System\WUgEJBM.exe |
| C:\Windows\System\ZcBkhdU.exe | C:\Windows\System\ZcBkhdU.exe |
| C:\Windows\System\NdRlQYC.exe | C:\Windows\System\NdRlQYC.exe |
| C:\Windows\System\UhrAZxj.exe | C:\Windows\System\UhrAZxj.exe |
| C:\Windows\System\AxcbSYa.exe | C:\Windows\System\AxcbSYa.exe |
| C:\Windows\System\dznaaob.exe | C:\Windows\System\dznaaob.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| BE | 88.221.83.201:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 201.83.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
Files
memory/220-0-0x00007FF764420000-0x00007FF764771000-memory.dmp
memory/220-1-0x000001AA46F50000-0x000001AA46F60000-memory.dmp
C:\Windows\System\wTdgcAC.exe
| MD5 | 63ec0784f950532d7735358e2a6526ec |
| SHA1 | 3a59faff51c996c99e767f6de033b5784edd0735 |
| SHA256 | b480d8eff388ec2415c534ce8d349081feceeb4bd992daf21d5413fbd633d3e7 |
| SHA512 | 6bb44f47dd0329f3ec4ba8ddb3cbc91a23928ef11680a5e07b02cff71f9b46108c067fe0d39a7ef4076aa6fd94fdfdf30c189230ea4d9375a1b9596857135aa8 |
C:\Windows\System\vosTpcn.exe
| MD5 | 622cbd292e09ceb32d85855efdda8438 |
| SHA1 | 22146e0e5ede5b419d7dd1261f1c4d876d7c6295 |
| SHA256 | 5cb4683cbc3c0a176d4c33e91f48bb262581f71d78979c08cee83838591ff6cc |
| SHA512 | cf885ea56dc601367d9acb7892e82da46316122c529e7e002a7b7f40eafe054419cd5cf1f2f7318268946fb035c4d83223d25ed9013c013a53bba5d5f2e20756 |
C:\Windows\System\okHpTSk.exe
| MD5 | 052d8430f110756623292d27f4d66550 |
| SHA1 | 9cf91909cfda9718496db0adbb6d4fd82041e2d6 |
| SHA256 | 423f45b95fe943eea3375266ea9b3c608967c09cfde82efea6808b3325edc5e6 |
| SHA512 | c4124f2c37142c7ab9252fa43e08668cb827dc860d22fd79c8396ae239e0897af18d4f29d1d855b12b7631ee1c146cf485886d0bbe66ae65c02c0ab7260e212a |
C:\Windows\System\YugENOU.exe
| MD5 | 716ed8b66bb49cee272faf505e44d97c |
| SHA1 | 4ace856adfeb3ebeaba4c00194c972d559ba6419 |
| SHA256 | cb4334cffd6c7c0020ee09fbde07366afea46ff3fa11ee287b751ab6a7e5a70f |
| SHA512 | 6a6ab92efad9800f71127f6ccd5509d2ec6577f077defe7d2e8ac520f44b1de1bdf1e683b3953457bd7bb236c049a31b3d69f08a1497e945550085695acc959f |
C:\Windows\System\CdnEvrI.exe
| MD5 | 03a56f6a72c64e152b003356a41e59ec |
| SHA1 | f038b03446f09bf145fb29fa999141b69ffc7120 |
| SHA256 | 01d5e3a0aebd1dd3aefe1cc0784ec34183ce286804969747bd492bcfcb6f550e |
| SHA512 | 4458be17a320a6b93cfcfb13371b84d6403f7d7742446b492d3f754b3aabc41ddcd4caeb8616a46a04c76ad3928f0d331433286d04c2df6efb86fced258980ea |
C:\Windows\System\kNdGFtZ.exe
| MD5 | 95885ac8f483eea638fcbb019812e8ac |
| SHA1 | 4319924c41cdb7b8e9525b89b5e4538ea0984645 |
| SHA256 | a9a3ac977588ca065b74189dbd67ffda07bd27aa19b1bf914fe68f931ff9acbb |
| SHA512 | e3900f3391fbe3125de1344e3a771d3aa6040d6ac973633000a8eab29dd28640faa5fb18d0f42e802582bc37d8de5d97abf53228b604c8422971e9d053f88e22 |
C:\Windows\System\eoHkIxd.exe
| MD5 | 9fff466030adfe1d3e0a4ab439b0edae |
| SHA1 | 48321d82e5f47c17484a1e5cd42329517962e847 |
| SHA256 | 07faf38ff5162ccdd1e27c489430bd28f99dddcb5fd52ae61fed58a60383e7f7 |
| SHA512 | 14babe37b20c4f9a2581b141660fa529352818301725c9cede06b8216c04ba5d2476e3d03a647346f4619cac4db9e088e70b85cfa9d6541b47bdcbe595689e81 |
C:\Windows\System\DReVsvA.exe
| MD5 | 245d0209bfec0e770d2bd7477e7d42db |
| SHA1 | f0d4e20b70b758dc54bb1d21a551f8697bde692a |
| SHA256 | e3afae7dc03ad6281f2c525e71e9b907b655070125063da64c6eb9f02c5f2cae |
| SHA512 | d21886b663a28059cacc19cb18d4991d4d6531d70e8cfeeebf46752e3588c41387fd6b07093077fe87486284d5fca238867607429d3e187c42768ea05d476d1b |
C:\Windows\System\drEnqxe.exe
| MD5 | 2a07f2c6e96f025dfb566d97370e1946 |
| SHA1 | c3745e11ce71d7329e8317e8d571343846441e26 |
| SHA256 | beb52d66fc5b2c3fbb1f638e2c7515efad3a03585e5a7cd3739ce1285ab44b76 |
| SHA512 | 2cf8bca55d7b0cdcff12a328ddd35005d0fba5775fc726a2d917a8bd8168a2af1cd695bbdfae2b2bc0febe6937f37dd639fcc5a2d6fbcb1255d5c6da307faeb2 |
C:\Windows\System\aTzQfDo.exe
| MD5 | 647df141c272880d3a3af3be22270f8f |
| SHA1 | 1cc4d670d84007b40f81b7266ee9af6d0557ef04 |
| SHA256 | 0b628724f0f302035b02af93e598be88511ead008922bb0bcdd4a93359d8d165 |
| SHA512 | 61bc5e8dae9cb04280bd019940c9371abe78f9aeff88ad98d3ffdd7867c2bcdc00fb5dadf3167ad758da9c05a839af6f415b0c27fdef12de6492554c46cb56cc |
C:\Windows\System\TZnzYiN.exe
| MD5 | 38939ee675cf3c334185ab468dc14354 |
| SHA1 | 85f43afe37063e862d3a929f87d8233ebb747482 |
| SHA256 | c8050e9446c750337a9c9b705c17da23b45fd47767b73f83884f9e221360e122 |
| SHA512 | 9a822e56848eaccc8052b8ac838d15cedde118a482d5b4bdc8de457bcc0784c2c62724f8915b3fd0753b6f8cb3d4fbd60168749988e56c1b7901770a50f2a8ac |
C:\Windows\System\xFAPeoF.exe
| MD5 | 983f5fab2cd3e08832070d6630920048 |
| SHA1 | f96f3380444425e5707ab8dd02e6d8d76330e132 |
| SHA256 | 34bfeb7cf711c8c0855a42e97948f5e350d34c0faa300b181303dda0c7282f35 |
| SHA512 | 0ebf42fa8689c6d2b1e91fee176a41b9e3abdbd73cead20a901cb214bec2c7fe160a411c482f1077da3b96f7f659fdbadd1436b52ac1c94295121676ef809b54 |
C:\Windows\System\ZcBkhdU.exe
| MD5 | 1798cc81edf7ce11452d4b4db7da3e6f |
| SHA1 | d888716ac9b2f5c1338c10d7409a486242cb1002 |
| SHA256 | ec5f0d30e04cbf93de10a3de70e89b737d63c5a9357c75b45d269fa03a310292 |
| SHA512 | c8aedc5ceae8f88c86f4ca3d7c2fb4697d14f665fc3fd18da2c300b6ccd0a639c8b9326330ead10bc54091c86a67af3b99b3cdad49336bf1f87c838a64bc5b7c |
C:\Windows\System\UhrAZxj.exe
| MD5 | 46cd13da99c282959068c0c9722c5ac0 |
| SHA1 | f9fc256ef20e5dae8d73566aa892c97df4b90998 |
| SHA256 | e036d9440e402e151cfa66ed9164ef1cdbe4e5f991e785134cff5a17112fa1cd |
| SHA512 | 5efd1d86574033d2872e70307cc15cbef23cbe343da120142b17ba2139dcbb54c04fd0f26b0c3bd8d023d983c8bf02f996f108426b59d44822a6e5cd1b8991dd |
C:\Windows\System\dznaaob.exe
| MD5 | 95315df4c36d53ed336978638cf62a7d |
| SHA1 | 09ebe25b591c765ae2cad0261c048a14203ee6d8 |
| SHA256 | 2f033e75122455d53d84824b2c83049a6eba9a150014111b99a92b523edb7438 |
| SHA512 | 75947196cc46437c04ada2313d46e2773e0d645949d2abcf3053810f49b1210ca95d3bb5e05a8332a0cb82bee53acb09dee1c6fbc4384010b84d573b3143bb2c |
C:\Windows\System\AxcbSYa.exe
| MD5 | 55605a204f63165e778553d683a02004 |
| SHA1 | 9bb603d5f7b4aed63b8e66dc5b0a732acc3ed337 |
| SHA256 | 3886ab46aaf1e437db251f73d0dc5cd51321278844a822dd752c6185613977dd |
| SHA512 | 55aec9691063bf4334359bf451f5c445f958bc36750433c0d42fae304468e3852fa9c43fa11841514700c836c0c2ad60bb9972ed94c9217d8a7326cf71c21c93 |
C:\Windows\System\NdRlQYC.exe
| MD5 | 04cfd2521435f80243f66a735552708c |
| SHA1 | 9fcae8e4856ec50cee48c8ca012c29adfa4a425a |
| SHA256 | 57b1538405237e12534b30517966f60552d817d1bdd0898dfd6f3752df6adba0 |
| SHA512 | 423c048e3d94ca9048093d3f027aca3feab30a9b02722b1ad83dd2bc46300c0f1a52c947bef4c5b63f080a601a6dfc1baafc3cb0ee9dd9697fd053fdc331c812 |
C:\Windows\System\WUgEJBM.exe
| MD5 | 0a78b948bdb960d18c7f649489ecc0b5 |
| SHA1 | 95ab8ce805c4f328e8d6e3edbd2d5b250e641959 |
| SHA256 | f2e565a244f68f6ede191045434d96edc132c0e3467edae31c4b05ddd1b66422 |
| SHA512 | 8ed63604b3df54f449ec33678e31db0685c90e422ea37b46e6cc1d582fecb40ac0b9d6aee75f1b16375ea99d57eb387610ea2ed7aa5fb4b64c18291eac2c9e03 |
C:\Windows\System\LvNHGZF.exe
| MD5 | 030b4fdbcc30bf24cb7163e1cd3193c1 |
| SHA1 | bf55b23258d1e3961b319db1d20f13cbf812baec |
| SHA256 | d80ad95a1d407be2900a95711fa01cb0ae7ccc611cfb32c9745929c1ec964c0e |
| SHA512 | 4eef640650fd5529435b40c5b8b4ecd903e100e5c0eebfca4bccdc6cf1689a3bc0c09c4bf03effbee5f17ba9d7dda85aa6e890c67d401670a6ecd6f8fe1fafb4 |
C:\Windows\System\SmgcfgT.exe
| MD5 | d29f0bac5220400c89848dd09e8cbad5 |
| SHA1 | ff89afb05515dae9d60371f92f8cc9d5f932395d |
| SHA256 | 953ec0625935a68ed9bda00fe82c6f8b8da04902929a6e6d6fa415ce735ad99d |
| SHA512 | 9a7a13516dbaae1930467585f79f6cee7fd267bcc0ad0e3008380395654777e211b75b04c13e7a8db6a6c95d7dcb443777899250238a849c8345975cd51be285 |
C:\Windows\System\LPYZPEw.exe
| MD5 | 35107f1e7e6bc9ce89b08cf912374311 |
| SHA1 | 9273b90f97d17fcac2b15510606d328b90dc5991 |
| SHA256 | 2ffb54f53756d55771d670f3ee7277708aac90fc79e67d1d30bb1b02e555313f |
| SHA512 | 49355877e0ccac7b38d91cfdf672c20c717b68379b59d3db86ead6999530bcd89817704a3695e7c0eb0669000ebecb656f66019a45965f2e6034b8f0a69b4c01 |