Analysis Overview
SHA256
a48d7c8a78659022868be8ba2b2565127f2cf7447c5fc211c7d614c3829a45f3
Threat Level: Known bad
The file 2024-06-01_d7991a869d049b239be76602eb92b116_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Cobaltstrike family
UPX dump on OEP (original entry point)
Cobalt Strike reflective loader
Xmrig family
Cobaltstrike
xmrig
XMRig Miner payload
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 02:31
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 02:31
Reported
2024-06-01 02:33
Platform
win7-20240508-en
Max time kernel
140s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| 21 hits recorded; per-hit detail was not extracted | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| 21 hits recorded; per-hit detail was not extracted | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| 47 hits recorded; per-hit detail was not extracted | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| 49 hits recorded; per-hit detail was not extracted | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\slZzVoQ.exe | N/A |
| N/A | N/A | C:\Windows\System\wRiOMVH.exe | N/A |
| N/A | N/A | C:\Windows\System\WDKPSgT.exe | N/A |
| N/A | N/A | C:\Windows\System\rZSKLXU.exe | N/A |
| N/A | N/A | C:\Windows\System\Ywtyzhc.exe | N/A |
| N/A | N/A | C:\Windows\System\soNXsCo.exe | N/A |
| N/A | N/A | C:\Windows\System\nEfclhl.exe | N/A |
| N/A | N/A | C:\Windows\System\dfpDJpm.exe | N/A |
| N/A | N/A | C:\Windows\System\UHREWJs.exe | N/A |
| N/A | N/A | C:\Windows\System\XSpYeIY.exe | N/A |
| N/A | N/A | C:\Windows\System\IsPzvkj.exe | N/A |
| N/A | N/A | C:\Windows\System\nvMnggY.exe | N/A |
| N/A | N/A | C:\Windows\System\zNHhdkO.exe | N/A |
| N/A | N/A | C:\Windows\System\NPREScH.exe | N/A |
| N/A | N/A | C:\Windows\System\LlTWFCn.exe | N/A |
| N/A | N/A | C:\Windows\System\QMnDjLr.exe | N/A |
| N/A | N/A | C:\Windows\System\dMUBLor.exe | N/A |
| N/A | N/A | C:\Windows\System\QTiCpUy.exe | N/A |
| N/A | N/A | C:\Windows\System\oNLHQoE.exe | N/A |
| N/A | N/A | C:\Windows\System\fuKSzrK.exe | N/A |
| N/A | N/A | C:\Windows\System\naDRJWX.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| 47 hits recorded; per-hit detail was not extracted | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_d7991a869d049b239be76602eb92b116_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_d7991a869d049b239be76602eb92b116_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_d7991a869d049b239be76602eb92b116_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_d7991a869d049b239be76602eb92b116_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\slZzVoQ.exe
C:\Windows\System\slZzVoQ.exe
C:\Windows\System\wRiOMVH.exe
C:\Windows\System\wRiOMVH.exe
C:\Windows\System\WDKPSgT.exe
C:\Windows\System\WDKPSgT.exe
C:\Windows\System\zNHhdkO.exe
C:\Windows\System\zNHhdkO.exe
C:\Windows\System\rZSKLXU.exe
C:\Windows\System\rZSKLXU.exe
C:\Windows\System\NPREScH.exe
C:\Windows\System\NPREScH.exe
C:\Windows\System\Ywtyzhc.exe
C:\Windows\System\Ywtyzhc.exe
C:\Windows\System\LlTWFCn.exe
C:\Windows\System\LlTWFCn.exe
C:\Windows\System\soNXsCo.exe
C:\Windows\System\soNXsCo.exe
C:\Windows\System\QMnDjLr.exe
C:\Windows\System\QMnDjLr.exe
C:\Windows\System\nEfclhl.exe
C:\Windows\System\nEfclhl.exe
C:\Windows\System\dMUBLor.exe
C:\Windows\System\dMUBLor.exe
C:\Windows\System\dfpDJpm.exe
C:\Windows\System\dfpDJpm.exe
C:\Windows\System\QTiCpUy.exe
C:\Windows\System\QTiCpUy.exe
C:\Windows\System\UHREWJs.exe
C:\Windows\System\UHREWJs.exe
C:\Windows\System\oNLHQoE.exe
C:\Windows\System\oNLHQoE.exe
C:\Windows\System\XSpYeIY.exe
C:\Windows\System\XSpYeIY.exe
C:\Windows\System\fuKSzrK.exe
C:\Windows\System\fuKSzrK.exe
C:\Windows\System\IsPzvkj.exe
C:\Windows\System\IsPzvkj.exe
C:\Windows\System\naDRJWX.exe
C:\Windows\System\naDRJWX.exe
C:\Windows\System\nvMnggY.exe
C:\Windows\System\nvMnggY.exe
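Two behaviours in this detonation are worth turning into a check: the parent, running from the user's Temp directory, writes 21 executables with random 7-letter mixed-case names into C:\Windows\System (the legacy 16-bit directory, not System32, which nothing on a current system should be populating) and launches each of them, and it requests SeLockMemoryPrivilege, the right XMRig needs to back its RandomX scratchpad with large pages. The following is an added example by the editor, not code from the report or the sandbox: a small triage filter that replays both behaviours over constructed process-creation and token-adjustment events (loosely modelled on Sysmon Event 1 and Security Event 4703; the record layout, field names and the two benign rows are assumptions) and flags only the ones worth escalating.

```python
"""
Added example, not part of the sandbox report: replays the two behaviours this
detonation shows over constructed process-creation and token-adjustment events
and flags the ones worth escalating. Event records, field names and the benign
rows are constructed for the example.
"""
import re
from dataclasses import dataclass

# The sample writes each payload to C:\Windows\System (the legacy 16-bit
# directory, distinct from System32) under a 7-letter mixed-case name.
DROPPED_NAME = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)

# Prefixes an unprivileged user can write to. An SeLockMemoryPrivilege request
# from here is far more suspicious than one from a service under Program Files
# (SQL Server, for instance, legitimately uses large pages).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass(frozen=True)
class Event:
    kind: str             # "process_create" or "privilege_adjust"
    image: str            # image path of the process the event is about
    parent: str = ""      # parent image, for process_create
    privilege: str = ""   # privilege name, for privilege_adjust


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


def is_dropped_name(path):
    """True for C:\\Windows\\System\\<7 letters>.exe, case-insensitively."""
    return DROPPED_NAME.match(path) is not None


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE)


def triage_events(events):
    """One finding per parent that launches random-named executables from
    C:\\Windows\\System, and one per SeLockMemoryPrivilege request that comes
    from a user-writable path."""
    findings = []
    children_by_parent = {}
    for ev in events:
        if ev.kind == "process_create" and is_dropped_name(ev.image):
            children_by_parent.setdefault(ev.parent, set()).add(ev.image)
        elif (ev.kind == "privilege_adjust"
              and ev.privilege == "SeLockMemoryPrivilege"
              and is_user_writable(ev.image)):
            findings.append(Finding(
                "lock_memory_from_user_path", ev.image,
                "SeLockMemoryPrivilege requested; XMRig asks for it to use large pages"))
    for parent, children in children_by_parent.items():
        findings.append(Finding(
            "windows_system_dropper", parent,
            f"launched {len(children)} random-named executables from C:\\Windows\\System"))
    return findings


PARENT = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-01_d7991a869d049b239be76602eb92b116_cobalt-strike_cobaltstrike.exe")

# Constructed event stream: three of the report's dropped files, the parent's
# privilege request, and two benign rows that must not fire.
SAMPLE_EVENTS = [
    Event("process_create", r"C:\Windows\System\slZzVoQ.exe", parent=PARENT),
    Event("process_create", r"C:\Windows\System\wRiOMVH.exe", parent=PARENT),
    Event("process_create", r"C:\Windows\System\WDKPSgT.exe", parent=PARENT),
    Event("privilege_adjust", PARENT, privilege="SeLockMemoryPrivilege"),
    Event("process_create", r"C:\Windows\System32\WerFault.exe",
          parent=r"C:\Windows\System32\svchost.exe"),
    Event("privilege_adjust",
          r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
          privilege="SeLockMemoryPrivilege"),
]

if __name__ == "__main__":
    for finding in triage_events(SAMPLE_EVENTS):
        print(finding.rule, finding.image, finding.detail, sep=" | ")
```

The path prefix check is the caveat that keeps this usable: SeLockMemoryPrivilege on its own is not an indicator, since database engines and hypervisors enable it routinely, so the filter only fires when the requester lives somewhere an ordinary user could have written it, as the parent here does.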
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/3016-0-0x000000013F7E0000-0x000000013FB34000-memory.dmp
memory/3016-1-0x00000000000F0000-0x0000000000100000-memory.dmp
C:\Windows\system\wRiOMVH.exe
| MD5 | f02d62dd10e87c54433f594e4a588e5a |
| SHA1 | 9a03d3c95d9219fc55855f5a0f9909c7c92b1946 |
| SHA256 | 3136481af596a2ec8e678768cbe0359708e3cc8a1c698758cd8fb95c92aa4c60 |
| SHA512 | 93a6ad7237d563b83a5c890a94112f8d945eda07aff45c1dc12e76751712624a1eb60ad877901721c0107c58b68f0394432494f3e37c17a70b5a5804af5196d9 |
C:\Windows\system\slZzVoQ.exe
| MD5 | 90ca7ed7d762f54c3e4bfd74c74bf66a |
| SHA1 | 88459c1ad9d57b592a939b2a209b6013f93a468c |
| SHA256 | f2695668e1c4f0d2110c9d828db3b90affa63c889805dad207475d16d40a7eaf |
| SHA512 | 8420aa9c997d76ffb2663c6ef86b59bb1c614ac9ae3c82c7e92b3f095f5efe630636defc9bc686fe868caad0958f9691d5fc14d2ecc7d103a40a32869ae4ea0c |
\Windows\system\WDKPSgT.exe
| MD5 | d21a37cfe6652c786aecbe0f99762707 |
| SHA1 | 1dad8f88d0630124d897bfa237673ba7324aea14 |
| SHA256 | 5d680305b141e3f9a6ba5e4442dcce06df85a4ff321271e7c124dc0c374b47a7 |
| SHA512 | 5811963185c8dfeca98be42fd7a09e78d18ce409d7715945203f95163b16d970c626c1158115e8e3e53f171e251e899e42bea52db6e5cf6b03ebb32e02b7c23b |
memory/3016-100-0x000000013F030000-0x000000013F384000-memory.dmp
C:\Windows\system\nvMnggY.exe
| MD5 | 256f593306bb10e3457d023f36df6fc1 |
| SHA1 | a38a283f614ebb3caa43f88f50017317f7c8f4bd |
| SHA256 | 220a03c1e9d72f8e7a1732c4e61539f7e6654aa3c46de38fafdbc7171e6488e0 |
| SHA512 | 1ee049bb66d9138a72ec9924a0ea5afb804d476af3108f6dd7f88d3ad31064718a8e6e945cf1bc68b02ac52b3357555bc1034e41c5a7bf718430976a23661045 |
memory/3016-105-0x0000000002320000-0x0000000002674000-memory.dmp
\Windows\system\naDRJWX.exe
| MD5 | 4c4c8fd129d0b774a343411a2cdfc729 |
| SHA1 | 9008c607c2fc0901f801b80d47e0036940ce1fc0 |
| SHA256 | 022afad50dde9978733a39c882c1be77c3a7caf8ff336593fed1786b9e488a85 |
| SHA512 | 7daa95f321274d6a31715ab71740925b0afd1d53d1f1a87a8097885003ceed1b443d639e107f351dd344e8fcbf450b9c0e84f5de69c988cbdff439e2823ebec6 |
memory/3016-94-0x000000013F090000-0x000000013F3E4000-memory.dmp
\Windows\system\fuKSzrK.exe
| MD5 | 04fe9814c587c1de9aaec8d828607a98 |
| SHA1 | f37107e85d2178154775ca90819d06dbeb8d38b4 |
| SHA256 | 1d37d70fecb340b93f6ea73193aafa2ed3367787b8e7662286e2b6ebff3a118b |
| SHA512 | 5207e528e461123a6e20819f8632fdedc5ed1a1ab47b0e41da907facd401e3dffc9eed368e068cdc7f578fd47194a1bf61e7e11be3553868a7a5e56cb44b999d |
memory/3016-85-0x000000013FBF0000-0x000000013FF44000-memory.dmp
\Windows\system\oNLHQoE.exe
| MD5 | 31509d782b104b1bac7eff95f4210327 |
| SHA1 | 1931e58fbbc73543415346569ef7c40f73bb3db2 |
| SHA256 | 1b5bfd46c838e92aa4ce2da088ce0a2d04b63811c8e290585ba8deebb7000a98 |
| SHA512 | ea8b8269911ed6b1d920e5bbcb783eabc0903716b82febcfe0400ae953486c98b5f7ef13e77ba44a95b430e9cf23a0d477b79114146a2cdbb4639eec308ab8c3 |
\Windows\system\QTiCpUy.exe
| MD5 | 8dc70fa039a93f13009be8ccbc5b0c45 |
| SHA1 | 77cf43eba9b5c5cdaba075ffc83d4c18c7c3bbb7 |
| SHA256 | 8e9e5e3187d054c19401223f9921211b01119544cc602b6578d8e4bf93d908c7 |
| SHA512 | 067e0871fa53df9b003f0c10d5817d51dc47500cc62e771a5f0c58517d7d36cf8737e4108bc56b42bf591e6da9e60a6810fd5911f0ac3466d362863fee1b070b |
memory/2532-68-0x000000013F840000-0x000000013FB94000-memory.dmp
\Windows\system\dMUBLor.exe
| MD5 | d9e005599eeff195997f9a6af0977b30 |
| SHA1 | 9e0a8b8d2a7cada0b6173b1f2b8f84e3f69d77b8 |
| SHA256 | 270d15debf7a3af217d8139cdff335b1c05a9a3b399a08475b27c5a84403fab4 |
| SHA512 | ffe757539f868583a9bc2c5ddee85e1257a323249ccb15c3edc0481b4a1313fccabf2b4d70f8845767546706b4f72c885931f1ab22cb3595e4e5e0a9fb5ca30d |
memory/3016-56-0x000000013F340000-0x000000013F694000-memory.dmp
\Windows\system\QMnDjLr.exe
| MD5 | c487e03ef6bdd82942bdae92cb3af22a |
| SHA1 | ea0eee02ff6ddd258e23706117d04a8275293d55 |
| SHA256 | e37048b184c61a581ddd08257feda46dd92f87e452713556a57fcaaf212dc584 |
| SHA512 | d59f3962b3c034a869f980c20e0532d60b1fee5ae3cb4d417a5ba38e0f711c849e8e510c42ac5c45e42d18a9165f8d03bb1855c27384bf7532709108c50a6663 |
\Windows\system\LlTWFCn.exe
| MD5 | a24188447ec4d45fd30a3bac56aa3985 |
| SHA1 | abb6b6ecc39d664c81731f48c8f1001e869bb10d |
| SHA256 | 3e33f2bc5886e37181ed92f67ebc0b70d42a1dd6cf8768f91a7f88ccf405aceb |
| SHA512 | 5aa4fc43c9ec769ed9381baa2f7ec0e2f13ed6ba61b3c0d57692d692a9dfe23c7d09b3f8e6e9ac59b58862e2ff494b1073e1de47cd304eccdf5dae68af8d8511 |
memory/3016-119-0x0000000002320000-0x0000000002674000-memory.dmp
memory/3016-118-0x000000013F7E0000-0x000000013FB34000-memory.dmp
memory/2844-34-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/1136-33-0x000000013F340000-0x000000013F694000-memory.dmp
memory/3016-30-0x000000013F340000-0x000000013F694000-memory.dmp
C:\Windows\system\rZSKLXU.exe
| MD5 | 9473e631d8ba2da3fc66d57d83c9a688 |
| SHA1 | 28a550d3c5b5d984609c67959561c1a4fc234955 |
| SHA256 | fb554b30441a39e8ffcd527d2f7f789bc28be941b732bcb4167d5e771fe710ae |
| SHA512 | de8e2209c52e70c7998e0ac520aaa24554e43a57b2df3ff46e2265b7a09b4cec578d570384f44d6b8ae33f32f256c72584b0ee0099a60553a8bf698ff905e5ce |
\Windows\system\NPREScH.exe
| MD5 | 1379c6d29052fd6461ae110e8f47eed6 |
| SHA1 | 8f3d4e694ff6282aa3a1109ac3c61dd56e1b9840 |
| SHA256 | a0a04b2b4620c72a5ae22289dc338d6f5f46c0863f58e6dcb6a3515c887dbc70 |
| SHA512 | 86c339f5ab9f69f47dab6620b8e861fc20e8d992188fa80d32924708560612d3548d8647d38cec1ba2c5b8ac0842ed9fae54e1e4c5d000d0c3088ab2bcfcdd83 |
memory/3016-22-0x0000000002320000-0x0000000002674000-memory.dmp
\Windows\system\zNHhdkO.exe
| MD5 | 7c199128b828d0cb6437daf227a73e6d |
| SHA1 | cc10c12894bf11acdc2d7efa7cb354f6d6d0e52d |
| SHA256 | 547811cc53132758525d39c81b730edc1e6e23a882f9d2caf2409c7f0aeaa49a |
| SHA512 | aaf5a0155133ee6368ffd4f6cbd3f1ac1e2ec6d3cac7ddc99bb3799651b39979ca4d8509599b142a91e3f6189abb7ed5646f974a7426a4eac593b661562a2c8b |
memory/2856-101-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
C:\Windows\system\IsPzvkj.exe
| MD5 | 6b7df199847e793e8cf13308987c4945 |
| SHA1 | 54cde6ea6a12f62d741dd6e75e27ddfef767d2f2 |
| SHA256 | 3da56836e67548b370040622a959b8a131baa36eb8ad361cc991d55f53b1de67 |
| SHA512 | 88b7bb3b00c71713603c9e87adee10a8ceec34d55aaeafe04b209bf6d633ff9fb4ddc7a2637859fbf18e064a3edd999547ba6ce88ab01dd3c8e1f30bf7063927 |
memory/3016-98-0x0000000002320000-0x0000000002674000-memory.dmp
C:\Windows\system\XSpYeIY.exe
| MD5 | 1954389bd5f3df3ae71dd5ca282769e2 |
| SHA1 | db542bfa237dd33ad72d977e41e9620281638c80 |
| SHA256 | a641dc0698379595e0c64cf660434b93f8b35580b5ad3ad7fd8f08b81558b946 |
| SHA512 | 48b2cf7bac908e4894ab284afd62361fd66cb754140678d4ff94b1f32cd51b919cc4cdc292f5cec0349e65afd651e4a4ce4ffe1afe7cd73fcc274345c1f4d1c9 |
memory/2764-89-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2396-81-0x000000013FED0000-0x0000000140224000-memory.dmp
C:\Windows\system\UHREWJs.exe
| MD5 | 6d4da2ba36bde288149a4d662ae13b4c |
| SHA1 | 13954d5e99b405c741cb1356dc20e3eb1f0d074d |
| SHA256 | f33889867c568f932d6d075c3a0e0a79a088bdae1d1f898f1dc1409aa0cdeb05 |
| SHA512 | 9300ad6a1b0e5944592c70c74c3415d9a3c53e29624f3eded7b647276ccdb4ea5ad52027837c4543eda8c9987c1260d4e893a7faefb1dfc6760c5b19c16691a5 |
C:\Windows\system\dfpDJpm.exe
| MD5 | d36cc8d8d21e740162e5cc10590a591d |
| SHA1 | 13713c29fd4bb5bb44d674e45266e580cf8eefa1 |
| SHA256 | f3740ded2644c875d9a2bc8e9c000efd365de8f9fafab47ae3e9886609351c56 |
| SHA512 | 3a1a0530ba1103df8ecb5455cdde83454d8469e8d1d6b69867a96838f98e5a2a02e3fce7a00d2a37e2689d89e7184e8cf99755404f9027ad7f467aa59b661c71 |
memory/3016-70-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/3016-63-0x0000000002320000-0x0000000002674000-memory.dmp
memory/3016-62-0x000000013FFC0000-0x0000000140314000-memory.dmp
C:\Windows\system\nEfclhl.exe
| MD5 | edd882e02430714a1ea0b92ea0270198 |
| SHA1 | d3c4a6ba65b1842f21dc934a067d6d4cb0222313 |
| SHA256 | b4bb17bc83ef33e43a56af51d2ab7cf48428c736f599dfda29a9e3f1b5d33ee9 |
| SHA512 | 4d0c369e104e763635f2b1170b274c453caee0c0c24c2b97785acddc2b74bf0080efc80570b84aa94762cf9918c916d8c3a5c3894b684b4fd12f1a2d9f8a3b44 |
memory/2900-60-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2724-52-0x000000013F040000-0x000000013F394000-memory.dmp
memory/3016-51-0x000000013F040000-0x000000013F394000-memory.dmp
memory/3016-48-0x0000000002320000-0x0000000002674000-memory.dmp
memory/3016-47-0x000000013FE30000-0x0000000140184000-memory.dmp
C:\Windows\system\soNXsCo.exe
| MD5 | 749284d2bf8ec98c46465db583dd39d2 |
| SHA1 | b3b7f2300758443dd459f073aa77651f20a6d5fb |
| SHA256 | 8456dddfe2227fc7e20003df6a4deffd4b0506233baaf6437ec7ff2186fe821c |
| SHA512 | 7c08cee5fba43045b9c5c73dd1620984a86f924a11b357d789e582f6611f78708a6c1e75fe4e9a26b86ca5f33d23d9ce8c928069958abaea68d23b37e025d26a |
C:\Windows\system\Ywtyzhc.exe
| MD5 | c81048f086f19e8986faf9ae80e4e852 |
| SHA1 | 3324b8264f0854d944bf472477305cd6322e10c4 |
| SHA256 | 011715c89ca665cf3ea100b52deba4fd4ecec23ffb9b116033bf14cbc9776ca6 |
| SHA512 | 447b1df49897cf65b8829151b1d9917beb1fe575e65a6e1878de0bcb5fe39e9a8ed029987cabf00e82c4d10698dd3394a9064f6676a3a3908caac0d5093cd3e9 |
memory/3016-42-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2852-26-0x000000013FA90000-0x000000013FDE4000-memory.dmp
memory/1712-18-0x000000013F3B0000-0x000000013F704000-memory.dmp
memory/3016-134-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2532-135-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2396-136-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2764-137-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2856-138-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/1712-139-0x000000013F3B0000-0x000000013F704000-memory.dmp
memory/1136-140-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2852-141-0x000000013FA90000-0x000000013FDE4000-memory.dmp
memory/2844-142-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2724-144-0x000000013F040000-0x000000013F394000-memory.dmp
memory/2900-143-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2532-145-0x000000013F840000-0x000000013FB94000-memory.dmp
memory/2764-146-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2396-148-0x000000013FED0000-0x0000000140224000-memory.dmp
memory/2856-147-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
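The memory dump names above carry more than they seem to: every dumped child process holds exactly one region of 0x354000 bytes at an ASLR-range image base, while the parent (PID 3016) holds the same-sized region at three different image bases plus one at 0x2320000, a low private allocation. An image-sized block in private memory is the footprint an unpacked or reflectively loaded PE copy leaves, and it is consistent with the reflective-loader and UPX-dump signatures above. The following is an added example by the editor, not tooling from the report: a parser for the dump names that groups regions per process and flags that shape. The 4 GiB image-base floor is a heuristic assumed for this example (64-bit ASLR places image bases well above it, 0x13F... on this Win7 run and 0x7FF7... on the Win10 run), not a rule the sandbox applies.

```python
"""
Added example, not part of the sandbox report: parses the memory-dump names in
the Files section above (memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp),
groups them per process and separates the mapped PE image from private regions
of the same size. IMAGE_BASE_FLOOR is a heuristic assumed for this example.
"""
import re
from collections import Counter, defaultdict

DUMP_NAME = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
IMAGE_BASE_FLOOR = 1 << 32   # heuristic: 64-bit ASLR image bases sit above 4 GiB


def parse_dump(name):
    """Return pid, sequence number, start address and size of one dump name."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"not a memory dump name: {name}")
    start, end = int(m[3], 16), int(m[4], 16)
    return {"pid": int(m[1]), "seq": int(m[2]), "start": start, "size": end - start}


def summarize(names):
    """Per PID: the dominant size among high (image-base range) regions, the
    distinct bases holding a region of that size, and low-address regions of
    exactly that size, the footprint an unpacked or reflectively loaded PE
    copy leaves in private memory."""
    regions = defaultdict(list)
    for name in names:
        r = parse_dump(name)
        regions[r["pid"]].append(r)
    summary = {}
    for pid, rs in regions.items():
        high = [r for r in rs if r["start"] >= IMAGE_BASE_FLOOR]
        if not high:
            continue
        image_size = Counter(r["size"] for r in high).most_common(1)[0][0]
        summary[pid] = {
            "image_size": image_size,
            "image_bases": sorted({r["start"] for r in high if r["size"] == image_size}),
            "private_copies": sorted({r["start"] for r in rs
                                      if r["start"] < IMAGE_BASE_FLOOR
                                      and r["size"] == image_size}),
        }
    return summary


def suspicious(summary):
    """PIDs with an image-sized private region, or with image-sized mappings
    at more than one base (several PEs resident in one process)."""
    return sorted(pid for pid, s in summary.items()
                  if s["private_copies"] or len(s["image_bases"]) > 1)


DUMPS = [  # copied from the behavioral1 Files section of this report
    "memory/3016-0-0x000000013F7E0000-0x000000013FB34000-memory.dmp",
    "memory/3016-1-0x00000000000F0000-0x0000000000100000-memory.dmp",
    "memory/3016-22-0x0000000002320000-0x0000000002674000-memory.dmp",
    "memory/1712-18-0x000000013F3B0000-0x000000013F704000-memory.dmp",
    "memory/2852-26-0x000000013FA90000-0x000000013FDE4000-memory.dmp",
    "memory/3016-30-0x000000013F340000-0x000000013F694000-memory.dmp",
    "memory/1136-33-0x000000013F340000-0x000000013F694000-memory.dmp",
    "memory/2844-34-0x000000013FDF0000-0x0000000140144000-memory.dmp",
    "memory/3016-42-0x000000013FDF0000-0x0000000140144000-memory.dmp",
    "memory/2532-68-0x000000013F840000-0x000000013FB94000-memory.dmp",
]

if __name__ == "__main__":
    s = summarize(DUMPS)
    for pid in suspicious(s):
        info = s[pid]
        print(pid, hex(info["image_size"]),
              [hex(b) for b in info["image_bases"]],
              [hex(p) for p in info["private_copies"]])
```

On the report's own dumps this flags only PID 3016. Note where its extra image-sized mappings sit: 0x13F340000 and 0x13FDF0000 are the bases at which children 1136 and 2844 are later dumped, which fits the WriteProcessMemory signature listed for this run.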
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 02:31
Reported
2024-06-01 02:33
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| 21 hits recorded; per-hit detail was not extracted | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| 21 hits recorded; per-hit detail was not extracted | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| 64 hits recorded; per-hit detail was not extracted | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 hits recorded; per-hit detail was not extracted | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\wWtenHI.exe | N/A |
| N/A | N/A | C:\Windows\System\QAcOOEE.exe | N/A |
| N/A | N/A | C:\Windows\System\FulujqX.exe | N/A |
| N/A | N/A | C:\Windows\System\ZNkAyTA.exe | N/A |
| N/A | N/A | C:\Windows\System\HAPFgwO.exe | N/A |
| N/A | N/A | C:\Windows\System\XYvsgKT.exe | N/A |
| N/A | N/A | C:\Windows\System\dAESCMI.exe | N/A |
| N/A | N/A | C:\Windows\System\ihqarPl.exe | N/A |
| N/A | N/A | C:\Windows\System\mYFmgcq.exe | N/A |
| N/A | N/A | C:\Windows\System\knEUtPU.exe | N/A |
| N/A | N/A | C:\Windows\System\SQLsgcg.exe | N/A |
| N/A | N/A | C:\Windows\System\cmQkrWa.exe | N/A |
| N/A | N/A | C:\Windows\System\knFPdvg.exe | N/A |
| N/A | N/A | C:\Windows\System\sZwhvzU.exe | N/A |
| N/A | N/A | C:\Windows\System\TfBuRPU.exe | N/A |
| N/A | N/A | C:\Windows\System\FlsLfXy.exe | N/A |
| N/A | N/A | C:\Windows\System\nTCHIdD.exe | N/A |
| N/A | N/A | C:\Windows\System\cqhSHQY.exe | N/A |
| N/A | N/A | C:\Windows\System\taPLtDB.exe | N/A |
| N/A | N/A | C:\Windows\System\CKkuFTc.exe | N/A |
| N/A | N/A | C:\Windows\System\zpTKfjp.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| 64 hits recorded; per-hit detail was not extracted | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_d7991a869d049b239be76602eb92b116_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_d7991a869d049b239be76602eb92b116_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_d7991a869d049b239be76602eb92b116_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_d7991a869d049b239be76602eb92b116_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\wWtenHI.exe
C:\Windows\System\wWtenHI.exe
C:\Windows\System\QAcOOEE.exe
C:\Windows\System\QAcOOEE.exe
C:\Windows\System\FulujqX.exe
C:\Windows\System\FulujqX.exe
C:\Windows\System\ZNkAyTA.exe
C:\Windows\System\ZNkAyTA.exe
C:\Windows\System\HAPFgwO.exe
C:\Windows\System\HAPFgwO.exe
C:\Windows\System\XYvsgKT.exe
C:\Windows\System\XYvsgKT.exe
C:\Windows\System\ihqarPl.exe
C:\Windows\System\ihqarPl.exe
C:\Windows\System\dAESCMI.exe
C:\Windows\System\dAESCMI.exe
C:\Windows\System\mYFmgcq.exe
C:\Windows\System\mYFmgcq.exe
C:\Windows\System\knEUtPU.exe
C:\Windows\System\knEUtPU.exe
C:\Windows\System\SQLsgcg.exe
C:\Windows\System\SQLsgcg.exe
C:\Windows\System\cmQkrWa.exe
C:\Windows\System\cmQkrWa.exe
C:\Windows\System\knFPdvg.exe
C:\Windows\System\knFPdvg.exe
C:\Windows\System\sZwhvzU.exe
C:\Windows\System\sZwhvzU.exe
C:\Windows\System\TfBuRPU.exe
C:\Windows\System\TfBuRPU.exe
C:\Windows\System\FlsLfXy.exe
C:\Windows\System\FlsLfXy.exe
C:\Windows\System\nTCHIdD.exe
C:\Windows\System\nTCHIdD.exe
C:\Windows\System\cqhSHQY.exe
C:\Windows\System\cqhSHQY.exe
C:\Windows\System\taPLtDB.exe
C:\Windows\System\taPLtDB.exe
C:\Windows\System\CKkuFTc.exe
C:\Windows\System\CKkuFTc.exe
C:\Windows\System\zpTKfjp.exe
C:\Windows\System\zpTKfjp.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
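The Win10 detonation adds a good deal of traffic the Win7 one lacks: reverse-DNS (in-addr.arpa) lookups through 8.8.8.8 for Microsoft address space, and connections to www.bing.com and tse1.mm.bing.net. That is the platform's own background activity, not the sample's; the one destination both runs share is 3.120.209.58:8080 over raw TCP with no resolved domain, which is the indicator to pivot on. The following is an added example by the editor, not tooling from the report: it parses the Network rows of both runs as they appear in the raw export (where the protocol sometimes lands in the Domain column), separates background from sample-attributable traffic, and returns the destinations common to every run. Treating PTR lookups and Bing endpoints as background is the editor's assumption, standard for this platform but not something the report states.

```python
"""
Added example, not part of the sandbox report: sorts the Network rows of both
detonations into sandbox background and sample-attributable traffic and keeps
the destination seen in every run. BACKGROUND_SUFFIXES is an assumption.
"""
from collections import Counter

BACKGROUND_SUFFIXES = (".in-addr.arpa", "bing.com", "bing.net")  # assumed OS noise


def parse_row(line):
    """Parse one '| Country | Destination | Domain | Proto |' row, repairing
    rows whose protocol was exported into the Domain column."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    cells += [""] * (4 - len(cells))
    country, dest, domain, proto = cells[:4]
    if domain in ("tcp", "udp") and not proto:
        domain, proto = "", domain
    return {"country": country, "dest": dest, "domain": domain, "proto": proto}


def classify(row):
    """'background' for reverse-DNS and Bing traffic, 'sample' for the rest."""
    return "background" if row["domain"].endswith(BACKGROUND_SUFFIXES) else "sample"


def triage_network(tables):
    """tables maps run name -> list of table rows. Returns per-run class counts
    and sample destinations, plus the destinations common to every run."""
    runs, sample_sets = {}, []
    for run, lines in tables.items():
        rows = [parse_row(l) for l in lines if l.strip()]
        sample = {r["dest"] for r in rows if classify(r) == "sample"}
        runs[run] = {"counts": dict(Counter(classify(r) for r in rows)),
                     "sample_destinations": sorted(sample)}
        sample_sets.append(sample)
    common = set.intersection(*sample_sets) if sample_sets else set()
    return {"runs": runs, "common_sample_destinations": sorted(common)}


# Rows copied from the raw export of the two Network tables in this report.
TABLES = {
    "behavioral1": """
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp |
""".strip().splitlines(),
    "behavioral2": """
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp |
""".strip().splitlines(),
}

if __name__ == "__main__":
    result = triage_network(TABLES)
    for run, info in result["runs"].items():
        print(run, info["counts"], info["sample_destinations"])
    print("common:", result["common_sample_destinations"])
```

Intersecting across runs rather than unioning is deliberate: a destination that only one platform produces is more likely to be that platform's telemetry than the sample's, so requiring it in every detonation is the cheapest way to keep sandbox noise out of a blocklist.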
Files
memory/2096-0-0x00007FF7D20F0000-0x00007FF7D2444000-memory.dmp
memory/2096-1-0x000001B589490000-0x000001B5894A0000-memory.dmp
C:\Windows\System\wWtenHI.exe
| MD5 | 22154fa58e31d66283310a883746b8aa |
| SHA1 | b2d42f821228412cdb738e9981f05cb920505dad |
| SHA256 | 71ce7d971d9c12534e37ea097d34b3d3e7c9bba2325051d8f8ab5bd466388b0d |
| SHA512 | 78ebe3c727514035886a32629f4de37bbe22a4cc04d983263990d6fe9bbcd207a27893b7fa0f4f6149afa886e2dd3b9d81f530c81174fd9aa64a68ce57bdd342 |
memory/2120-8-0x00007FF6A2560000-0x00007FF6A28B4000-memory.dmp
C:\Windows\System\QAcOOEE.exe
| MD5 | 55e9ff6feef13e1a509be7241737062c |
| SHA1 | 63c95164867a98c08a35f38539d406397410293d |
| SHA256 | d2bc37274362c31ebab9b48fbf718ac66199c5e4333488ca00494094f475cce9 |
| SHA512 | c974f70e51c8350db33b11fa092ee9698defe754c2cc93fde3473f32dae09620b3a5679fda2f40ee5edc85c7389c0711815facf4fec2858d1aa99daedd12c2c9 |
C:\Windows\System\FulujqX.exe
C:\Windows\System\ZNkAyTA.exe
C:\Windows\System\HAPFgwO.exe
C:\Windows\System\XYvsgKT.exe
C:\Windows\System\dAESCMI.exe
C:\Windows\System\knEUtPU.exe
C:\Windows\System\mYFmgcq.exe
C:\Windows\System\ihqarPl.exe
C:\Windows\System\SQLsgcg.exe
C:\Windows\System\knFPdvg.exe
C:\Windows\System\taPLtDB.exe
C:\Windows\System\CKkuFTc.exe
C:\Windows\System\sZwhvzU.exe
C:\Windows\System\zpTKfjp.exe
C:\Windows\System\cqhSHQY.exe
C:\Windows\System\nTCHIdD.exe
C:\Windows\System\FlsLfXy.exe
C:\Windows\System\TfBuRPU.exe
C:\Windows\System\cmQkrWa.exe