Analysis Overview
SHA256
e89cd7dda6ecdd7bd19c4d2842496f84be58d445d2655f25d9b306b33a5fc1ca
Threat Level: Known bad
The file 2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
XMRig Miner payload
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
Xmrig family
Detects Reflective DLL injection artifacts
Cobaltstrike family
Cobaltstrike
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-01 08:06
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 08:06
Reported
2024-06-01 08:09
Platform
win7-20240221-en
Max time kernel
138s
Max time network
154s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\umUrwdv.exe | N/A |
| N/A | N/A | C:\Windows\System\ekySttF.exe | N/A |
| N/A | N/A | C:\Windows\System\AnevNxg.exe | N/A |
| N/A | N/A | C:\Windows\System\UpWMNLT.exe | N/A |
| N/A | N/A | C:\Windows\System\xfqabcO.exe | N/A |
| N/A | N/A | C:\Windows\System\aUxtpEX.exe | N/A |
| N/A | N/A | C:\Windows\System\mtnAHMy.exe | N/A |
| N/A | N/A | C:\Windows\System\PSyzFCA.exe | N/A |
| N/A | N/A | C:\Windows\System\NRTadtI.exe | N/A |
| N/A | N/A | C:\Windows\System\KMgFVtf.exe | N/A |
| N/A | N/A | C:\Windows\System\PWXNiyn.exe | N/A |
| N/A | N/A | C:\Windows\System\DBFJSis.exe | N/A |
| N/A | N/A | C:\Windows\System\BAfkwYh.exe | N/A |
| N/A | N/A | C:\Windows\System\OGIBefu.exe | N/A |
| N/A | N/A | C:\Windows\System\rTEpnJQ.exe | N/A |
| N/A | N/A | C:\Windows\System\ucxvKpZ.exe | N/A |
| N/A | N/A | C:\Windows\System\kUTwgDV.exe | N/A |
| N/A | N/A | C:\Windows\System\LmlXkpy.exe | N/A |
| N/A | N/A | C:\Windows\System\bZCnDek.exe | N/A |
| N/A | N/A | C:\Windows\System\UWaZxql.exe | N/A |
| N/A | N/A | C:\Windows\System\yzKJLeP.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\umUrwdv.exe | C:\Windows\System\umUrwdv.exe |
| C:\Windows\System\ekySttF.exe | C:\Windows\System\ekySttF.exe |
| C:\Windows\System\AnevNxg.exe | C:\Windows\System\AnevNxg.exe |
| C:\Windows\System\UpWMNLT.exe | C:\Windows\System\UpWMNLT.exe |
| C:\Windows\System\xfqabcO.exe | C:\Windows\System\xfqabcO.exe |
| C:\Windows\System\aUxtpEX.exe | C:\Windows\System\aUxtpEX.exe |
| C:\Windows\System\mtnAHMy.exe | C:\Windows\System\mtnAHMy.exe |
| C:\Windows\System\PSyzFCA.exe | C:\Windows\System\PSyzFCA.exe |
| C:\Windows\System\NRTadtI.exe | C:\Windows\System\NRTadtI.exe |
| C:\Windows\System\KMgFVtf.exe | C:\Windows\System\KMgFVtf.exe |
| C:\Windows\System\PWXNiyn.exe | C:\Windows\System\PWXNiyn.exe |
| C:\Windows\System\DBFJSis.exe | C:\Windows\System\DBFJSis.exe |
| C:\Windows\System\BAfkwYh.exe | C:\Windows\System\BAfkwYh.exe |
| C:\Windows\System\OGIBefu.exe | C:\Windows\System\OGIBefu.exe |
| C:\Windows\System\rTEpnJQ.exe | C:\Windows\System\rTEpnJQ.exe |
| C:\Windows\System\ucxvKpZ.exe | C:\Windows\System\ucxvKpZ.exe |
| C:\Windows\System\kUTwgDV.exe | C:\Windows\System\kUTwgDV.exe |
| C:\Windows\System\LmlXkpy.exe | C:\Windows\System\LmlXkpy.exe |
| C:\Windows\System\bZCnDek.exe | C:\Windows\System\bZCnDek.exe |
| C:\Windows\System\UWaZxql.exe | C:\Windows\System\UWaZxql.exe |
| C:\Windows\System\yzKJLeP.exe | C:\Windows\System\yzKJLeP.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 08:06
Reported
2024-06-01 08:09
Platform
win10v2004-20240426-en
Max time kernel
138s
Max time network
147s
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\eUHjQHh.exe | N/A |
| N/A | N/A | C:\Windows\System\vJfCbhI.exe | N/A |
| N/A | N/A | C:\Windows\System\xcawopQ.exe | N/A |
| N/A | N/A | C:\Windows\System\didwMdY.exe | N/A |
| N/A | N/A | C:\Windows\System\MkNzghZ.exe | N/A |
| N/A | N/A | C:\Windows\System\HJACPAO.exe | N/A |
| N/A | N/A | C:\Windows\System\ooKjDbU.exe | N/A |
| N/A | N/A | C:\Windows\System\SSMMMTh.exe | N/A |
| N/A | N/A | C:\Windows\System\LHAvQrG.exe | N/A |
| N/A | N/A | C:\Windows\System\fbGGcYr.exe | N/A |
| N/A | N/A | C:\Windows\System\zyTJnvU.exe | N/A |
| N/A | N/A | C:\Windows\System\EiaNybT.exe | N/A |
| N/A | N/A | C:\Windows\System\dKndjwk.exe | N/A |
| N/A | N/A | C:\Windows\System\dPgEsnK.exe | N/A |
| N/A | N/A | C:\Windows\System\EnkJwwI.exe | N/A |
| N/A | N/A | C:\Windows\System\tyLTKlU.exe | N/A |
| N/A | N/A | C:\Windows\System\MIaNSsM.exe | N/A |
| N/A | N/A | C:\Windows\System\REvIncN.exe | N/A |
| N/A | N/A | C:\Windows\System\pdJbigu.exe | N/A |
| N/A | N/A | C:\Windows\System\FgNfXIU.exe | N/A |
| N/A | N/A | C:\Windows\System\tfXOpjb.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_f7f8cfc60ac172228b3fcee2240aabcc_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\eUHjQHh.exe | C:\Windows\System\eUHjQHh.exe |
| C:\Windows\System\vJfCbhI.exe | C:\Windows\System\vJfCbhI.exe |
| C:\Windows\System\xcawopQ.exe | C:\Windows\System\xcawopQ.exe |
| C:\Windows\System\didwMdY.exe | C:\Windows\System\didwMdY.exe |
| C:\Windows\System\MkNzghZ.exe | C:\Windows\System\MkNzghZ.exe |
| C:\Windows\System\HJACPAO.exe | C:\Windows\System\HJACPAO.exe |
| C:\Windows\System\ooKjDbU.exe | C:\Windows\System\ooKjDbU.exe |
| C:\Windows\System\SSMMMTh.exe | C:\Windows\System\SSMMMTh.exe |
| C:\Windows\System\LHAvQrG.exe | C:\Windows\System\LHAvQrG.exe |
| C:\Windows\System\fbGGcYr.exe | C:\Windows\System\fbGGcYr.exe |
| C:\Windows\System\zyTJnvU.exe | C:\Windows\System\zyTJnvU.exe |
| C:\Windows\System\EiaNybT.exe | C:\Windows\System\EiaNybT.exe |
| C:\Windows\System\dKndjwk.exe | C:\Windows\System\dKndjwk.exe |
| C:\Windows\System\dPgEsnK.exe | C:\Windows\System\dPgEsnK.exe |
| C:\Windows\System\EnkJwwI.exe | C:\Windows\System\EnkJwwI.exe |
| C:\Windows\System\tyLTKlU.exe | C:\Windows\System\tyLTKlU.exe |
| C:\Windows\System\MIaNSsM.exe | C:\Windows\System\MIaNSsM.exe |
| C:\Windows\System\REvIncN.exe | C:\Windows\System\REvIncN.exe |
| C:\Windows\System\pdJbigu.exe | C:\Windows\System\pdJbigu.exe |
| C:\Windows\System\FgNfXIU.exe | C:\Windows\System\FgNfXIU.exe |
| C:\Windows\System\tfXOpjb.exe | C:\Windows\System\tfXOpjb.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| IE | 52.111.236.23:443 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| SHA256 | c5c121a6498ca1350ea9f3e4ac6e25e2267a88811dc7664298f4d1ccb12026c4 |
| SHA512 | 08d625dc97528e176af1084b1a6aa7952b3e79a1950061b7d1366d90f0aeaad8a7250bcc36ae9cd4f70c35cb5dab33b173576e3b179ae9c9bfd7eab1c2df664c |
memory/1988-39-0x00007FF7C50F0000-0x00007FF7C5444000-memory.dmp
C:\Windows\System\ooKjDbU.exe
| MD5 | 1d8e40f84f07e4977a83084aa490edb1 |
| SHA1 | 3d28f7c39d9c473be59a7e34a2622e58856a217e |
| SHA256 | 6ede3da5f94bcb600bae14b6a9005e7505383c96470e7371ce616c491a87e0df |
| SHA512 | b30ef85dafe49c996f164350d48d758b434beae5386da6aa07a31b42a12ccf1cdb3648129b93344b8d4458c4b17814db5b8bd6cfa8f1847828fd6cef0ec4f4d5 |
memory/3700-44-0x00007FF604F20000-0x00007FF605274000-memory.dmp
C:\Windows\System\LHAvQrG.exe
| MD5 | 2d3bc2f57043345a2856611f4d4a73fc |
| SHA1 | 10c7d29ba785453ebcf0b73829cc39fe3f8908c2 |
| SHA256 | bd0b5231341eece78040f1a71345a042f52b87bab6889176b3b40d51e1bb5e73 |
| SHA512 | b8536e4f06e25cdcbfae82ac31eccaccd30b0963af460a35c94a59ce74dfd00adfe372eab2cbf4693a2b6eab755e7c8849d797e8f5242daf8def4b891bd9efc1 |
C:\Windows\System\SSMMMTh.exe
| MD5 | 76b1b71a32b97602ee3dac249d30fbb0 |
| SHA1 | 2ce759c297d8010f82872565851eeaa33104ad93 |
| SHA256 | e6cf0eca6b31a6c9085ab4718f1a4510e239b44c6d2018f862854bdd89991239 |
| SHA512 | f0966f4fac3080ee3a849fe79a0c92e7c4958cf8f97423cab234dc9a4743223954b487724f8c589fe55db6e93a8449e088498acf97f6f0eb30310a79750a3e63 |
C:\Windows\System\fbGGcYr.exe
| MD5 | 200c873db5bd52da0ece22c3060e94b7 |
| SHA1 | 0c0db058d00e1caad2054a2316f5b6b02bd42606 |
| SHA256 | 76212da7cdfaeda212ac1a568745f9255df49ff1d06400bfafae0e33891604a3 |
| SHA512 | 0540fc467698277fe15e989aa02da50356d0d4471632466ad36a64e1c1f6f79ce3331c101687c21bda0d521ce9f941e794e536a401a760526f5d4da9a8ec92f4 |
C:\Windows\System\zyTJnvU.exe
| MD5 | 45ce6d4d3f9d5046bc470098fedeb096 |
| SHA1 | 3197564ba24d7862d423d5f781235eba1bf2a0f4 |
| SHA256 | 8558cf94c14a99a98f16b3c15dc3a206be6d713dfa8278560974cfeaea50916e |
| SHA512 | 28be56632594ae78bb66a807b5d1db28fb6c0ec1f21be699fb3a9c87e912e7ffcbe7a5fe5aea54ed9dd26c38a6546937b1b6f57c6726911ce10227fa2fe560e0 |
memory/2528-68-0x00007FF7DBAA0000-0x00007FF7DBDF4000-memory.dmp
C:\Windows\System\EiaNybT.exe
| MD5 | 320ed5e37fda62da798c52b2aa1e7c8f |
| SHA1 | 0a383cef553531756182f25e0791057bce40acb8 |
| SHA256 | 8d350f6f2ab43567d21621bd035051842ca7979b1e5969ebf6cb0e6778bb215c |
| SHA512 | 5c95e5c6b20f58c6f8051b603ca5192c96a612c96fa2e9a6ca8b9ba8b27d6954cba6b00279c21f82f1b6cef8d2bd6a123f1e662f8e8a1cc62e5565292f38294d |
C:\Windows\System\dKndjwk.exe
| MD5 | b0a7dcd3b4d20689a59be1cc64eefb1c |
| SHA1 | 0f0a97e744765ddeb1a4d966d2aec236f003d9de |
| SHA256 | d1659ec77746c528b125efda46274ee510a0b8f57b79fffd4b5f6872b690f70f |
| SHA512 | fe59eb2f0d4be702e9715554be3894e99668f6ae8a1968aef7e2f897a070ccf46b813dd6cace279bf375610717e63dcdfdd5b4e466a9b8f1d507260649b9ce5b |
C:\Windows\System\dPgEsnK.exe
| MD5 | 4f8ecfb1fb6294b9e18f987b429c0013 |
| SHA1 | dbda51f4a8f88062e60f770b4a1d5a31bc23ea2c |
| SHA256 | 2285a4c6af4ce588b8ef179c92779a002d1625e764a4f4556ce5106e48dc7de7 |
| SHA512 | fb79e1eec2dbf9b6af64b27513eeb6247fa5f6208875c890e160c0ac4bd593e60ef00aef39e34f6c08e95d659812b18512ba603a11c073dc7b9bb9832f2a2350 |
memory/1456-87-0x00007FF659DB0000-0x00007FF65A104000-memory.dmp
C:\Windows\System\EnkJwwI.exe
| MD5 | c562704f48cf5db792c5bac0856aa6c9 |
| SHA1 | 2cfd3a859b1fb4f4fa8c01d366d6375a8902008e |
| SHA256 | ea794d2679f15f4d85815c64939a1891d6753969cba9e38033f909c106581fb0 |
| SHA512 | bf3d8b22126017364074a2d7204266b346b02cbd68fe8eeb41ee7bfa1ba54e47e25776ab84d50685725a5783edc4eaef255f9689c92db8958394555f20a262c4 |
C:\Windows\System\tyLTKlU.exe
| MD5 | 520ab79b8bde6882c98eed88b3054765 |
| SHA1 | fd15eefd47768b7906e17b5617ce642bb30c11f5 |
| SHA256 | d0a3289cec746bd95be9e8092b29ff16d827d1580401677b2c85911a6fd88a21 |
| SHA512 | 3ac419a3b7c5f09516ff216774e831cf7554d3e5babfb6bf638647c19e696d6dd7d36112f5cfdafcadb505263941e98b87b6631d2fa9e278833d17ac38b42c8d |
C:\Windows\System\MIaNSsM.exe
| MD5 | c58058bee8240e1d8ddbc437ba648a74 |
| SHA1 | f956558cf3893991c6f48e6abf4799920920cf4d |
| SHA256 | cacc6b482984f1f0f1173d4add46789aaaf689bfb11231082b179d9368a5a047 |
| SHA512 | a8e2815715864a1ba0e0c2f6807478aa43e32e7cf575fceaa7a36dfb0f89688946dbfc8cf789f321bf64f30b74925da2383178c24cb56a2efa8850480f32d436 |
memory/856-102-0x00007FF73B380000-0x00007FF73B6D4000-memory.dmp
memory/2532-106-0x00007FF7BB5D0000-0x00007FF7BB924000-memory.dmp
C:\Windows\System\REvIncN.exe
| MD5 | 216fd4706d29d2e95c1f4cb03c4404f5 |
| SHA1 | cbb5f0948bcbf27f803bbc89f5d3708f068cc852 |
| SHA256 | 7428634ddf2d962b8448d217e95a0e7b3ec3b85ad9976173c2e217903aa7cefa |
| SHA512 | 28d6486c82ab64c4b7b0ffb61b0c06e8898265a6cb9c2a6a8d1b2bacea11d696fdc06651066289d60f24cc52e4182b7e6c9d61947178b4428689308d23a25d71 |
C:\Windows\System\pdJbigu.exe
| MD5 | 303b3c385572f9e9027f5e42f3d404f0 |
| SHA1 | a359a9d2b32fffa5f84afa8811c45351ebc55815 |
| SHA256 | ccfe8e8edb4a981719b89719c7aa02136835b8f6c97544131f3a9d871616f822 |
| SHA512 | 153f6579687b074e7d6eee794463850150ebf3107e322c83942c307eedaa003c8f2cf2ec4be81d794508614ca97c9bfafc87e8037b3c2d2239c46dfe9741c543 |
C:\Windows\System\FgNfXIU.exe
| MD5 | e15f4bc272f5a10bfe722b171882eb38 |
| SHA1 | 13634ad4a8b99f7c9177a5ef7ddec83f9470d547 |
| SHA256 | a34028aaa5bf0ef24548faf256d4a8ecc86bbf4f71ea8f94f95300b0a2aa43c3 |
| SHA512 | 1ada4995860ec1ac6aa6b55fc1ac1e92f8e30b143047ec8277056b3ae6fa3a105e8806fdff1455e5fafdadf2e3b95c959f7b2b24040c89daf70b462e35c9103a |
memory/3764-114-0x00007FF7405B0000-0x00007FF740904000-memory.dmp
C:\Windows\System\tfXOpjb.exe
| MD5 | d69f780882d289e6fd79823023a322ae |
| SHA1 | 04b2e4793f118b42da5a6cca9119bdcf3759f906 |
| SHA256 | c0e8e313340a8a45fd67ee903cea49935304baf5afa78a746e403eb56f6fb44e |
| SHA512 | a71a6cd57c7ac67a523e578d636324cface910144088ea18cf84e21d69c81ed2bd64402ed4048a97d93f45b8b399325fc6d3d0f8fba7183433014a20806cb4bb |