Analysis Overview
SHA256
ec6a7e7199b886763c8cd0e06570dfd130b8a80087d2d76ed9590b3209f2b1ec
Threat Level: Known bad
The file 2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
Cobaltstrike
XMRig Miner payload
Xmrig family
xmrig
UPX dump on OEP (original entry point)
Loads dropped DLL
Executes dropped EXE
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 08:28
Signatures
Cobalt Strike reflective loader
1 hit; no indicator, process or target recorded.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 hit; no indicator, process or target recorded.
UPX dump on OEP (original entry point)
1 hit; no indicator, process or target recorded.
XMRig Miner payload
1 hit; no indicator, process or target recorded.
Xmrig family
UPX packed file
1 hit; no indicator, process or target recorded.
Unsigned PE
1 hit; no indicator, process or target recorded.
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 08:28
Reported
2024-06-01 08:31
Platform
win7-20240215-en
Max time kernel
134s
Max time network
143s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits; no indicator, process or target recorded.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits; no indicator, process or target recorded.
UPX dump on OEP (original entry point)
52 hits; no indicator, process or target recorded.
XMRig Miner payload
53 hits; no indicator, process or target recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\KNOxXVc.exe | N/A |
| N/A | N/A | C:\Windows\System\wavHHHM.exe | N/A |
| N/A | N/A | C:\Windows\System\DSTgAEz.exe | N/A |
| N/A | N/A | C:\Windows\System\wfrBUgn.exe | N/A |
| N/A | N/A | C:\Windows\System\eRlnBGQ.exe | N/A |
| N/A | N/A | C:\Windows\System\EHCWPQv.exe | N/A |
| N/A | N/A | C:\Windows\System\cQnBNyW.exe | N/A |
| N/A | N/A | C:\Windows\System\pjZtzXI.exe | N/A |
| N/A | N/A | C:\Windows\System\KvNAnrg.exe | N/A |
| N/A | N/A | C:\Windows\System\bpXsRDF.exe | N/A |
| N/A | N/A | C:\Windows\System\wNVtzjX.exe | N/A |
| N/A | N/A | C:\Windows\System\uyYdzjF.exe | N/A |
| N/A | N/A | C:\Windows\System\AMdaUlN.exe | N/A |
| N/A | N/A | C:\Windows\System\rhPYTBR.exe | N/A |
| N/A | N/A | C:\Windows\System\kAmYZie.exe | N/A |
| N/A | N/A | C:\Windows\System\KQNqVmZ.exe | N/A |
| N/A | N/A | C:\Windows\System\CEcfktf.exe | N/A |
| N/A | N/A | C:\Windows\System\VPKrpnB.exe | N/A |
| N/A | N/A | C:\Windows\System\nkcaEmb.exe | N/A |
| N/A | N/A | C:\Windows\System\PcNIFdT.exe | N/A |
| N/A | N/A | C:\Windows\System\kfGazVB.exe | N/A |
Loads dropped DLL
UPX packed file
52 hits; no indicator, process or target recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\KNOxXVc.exe
C:\Windows\System\KNOxXVc.exe
C:\Windows\System\wavHHHM.exe
C:\Windows\System\wavHHHM.exe
C:\Windows\System\DSTgAEz.exe
C:\Windows\System\DSTgAEz.exe
C:\Windows\System\wfrBUgn.exe
C:\Windows\System\wfrBUgn.exe
C:\Windows\System\eRlnBGQ.exe
C:\Windows\System\eRlnBGQ.exe
C:\Windows\System\EHCWPQv.exe
C:\Windows\System\EHCWPQv.exe
C:\Windows\System\cQnBNyW.exe
C:\Windows\System\cQnBNyW.exe
C:\Windows\System\pjZtzXI.exe
C:\Windows\System\pjZtzXI.exe
C:\Windows\System\KvNAnrg.exe
C:\Windows\System\KvNAnrg.exe
C:\Windows\System\bpXsRDF.exe
C:\Windows\System\bpXsRDF.exe
C:\Windows\System\wNVtzjX.exe
C:\Windows\System\wNVtzjX.exe
C:\Windows\System\uyYdzjF.exe
C:\Windows\System\uyYdzjF.exe
C:\Windows\System\AMdaUlN.exe
C:\Windows\System\AMdaUlN.exe
C:\Windows\System\rhPYTBR.exe
C:\Windows\System\rhPYTBR.exe
C:\Windows\System\kAmYZie.exe
C:\Windows\System\kAmYZie.exe
C:\Windows\System\KQNqVmZ.exe
C:\Windows\System\KQNqVmZ.exe
C:\Windows\System\CEcfktf.exe
C:\Windows\System\CEcfktf.exe
C:\Windows\System\VPKrpnB.exe
C:\Windows\System\VPKrpnB.exe
C:\Windows\System\nkcaEmb.exe
C:\Windows\System\nkcaEmb.exe
C:\Windows\System\PcNIFdT.exe
C:\Windows\System\PcNIFdT.exe
C:\Windows\System\kfGazVB.exe
C:\Windows\System\kfGazVB.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
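The behaviour recorded above is easy to re-check in endpoint telemetry: the sample writes and executes a burst of seven-letter, randomly named executables directly under C:\Windows\System (not System32), the parent and the children talk to 3.120.209.58:8080 over TCP, and the parent enables SeLockMemoryPrivilege, which XMRig requests so it can back its working set with large pages. The script below is an added example, not part of this report or of the sandbox's own detection logic. It runs over constructed Sysmon-shaped process-create and network-connect records; the paths, PIDs and endpoint are taken from this report, but the pairing of each PID with a particular dropped name, the field names and the benign control rows are assumptions for the example.

```python
"""Re-check the behaviour in this report against Sysmon-like telemetry.

Added example: constructed input, assumed field names (event_id 1 = process
create with pid/ppid/image, event_id 3 = network connect with dst_ip/dst_port/proto).
"""
import re
from collections import defaultdict

# Naming scheme of the dropped files in both detonations: seven mixed-case
# letters, .exe, written directly under C:\Windows\System (not System32).
DROPPED_STYLE = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)

# Endpoint contacted in both detonations (from the Network tables in this report).
KNOWN_C2 = {("3.120.209.58", 8080)}


def is_dropped_style(image: str) -> bool:
    """True when an image path matches the dropper's naming scheme."""
    return DROPPED_STYLE.match(image) is not None


def triage(events, fanout_threshold=10):
    """Walk the events once and return what a responder would act on:
    dropped-style executables, parents that spawn many of them, connections
    to the known endpoint, and any egress from a dropped-style process."""
    image_by_pid = {}
    children = defaultdict(set)
    findings = {"dropped_exes": [], "fanout_parents": {},
                "c2_connections": [], "dropped_style_egress": []}

    for ev in events:
        if ev["event_id"] == 1:
            image_by_pid[ev["pid"]] = ev["image"]
            if is_dropped_style(ev["image"]):
                findings["dropped_exes"].append(ev["image"])
                children[ev["ppid"]].add(ev["pid"])
        elif ev["event_id"] == 3:
            src = image_by_pid.get(ev["pid"], "<unknown>")
            if (ev["dst_ip"], ev["dst_port"]) in KNOWN_C2 and ev["proto"] == "tcp":
                findings["c2_connections"].append((src, ev["dst_ip"], ev["dst_port"]))
            if is_dropped_style(src):
                findings["dropped_style_egress"].append((src, ev["dst_ip"], ev["dst_port"]))

    # One parent executing many dropped-style children is the fan-out seen here
    # (21 children per detonation); the threshold is a tuning choice.
    for ppid, kids in children.items():
        if len(kids) >= fanout_threshold:
            findings["fanout_parents"][image_by_pid.get(ppid, str(ppid))] = len(kids)
    return findings


def _pc(pid, ppid, image):
    return {"event_id": 1, "pid": pid, "ppid": ppid, "image": image}


def _nc(pid, dst_ip, dst_port, proto="tcp"):
    return {"event_id": 3, "pid": pid, "dst_ip": dst_ip, "dst_port": dst_port, "proto": proto}


SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe")

# Constructed events. PIDs come from the memory-dump names in this report; which
# PID ran which dropped name is assumed. The System32 rows are benign controls.
SAMPLE_EVENTS = [
    _pc(2836, 1200, SAMPLE),
    _pc(2956, 2836, r"C:\Windows\System\KNOxXVc.exe"),
    _pc(1564, 2836, r"C:\Windows\System\wavHHHM.exe"),
    _pc(2540, 2836, r"C:\Windows\System\DSTgAEz.exe"),
    _pc(2484, 2836, r"C:\Windows\System\wfrBUgn.exe"),
    _pc(2556, 2836, r"C:\Windows\System\eRlnBGQ.exe"),
    _pc(2480, 2836, r"C:\Windows\System\EHCWPQv.exe"),
    _pc(3000, 800, r"C:\Windows\System32\svchost.exe"),
    _pc(3100, 1200, r"C:\Windows\System32\notepad.exe"),
    _nc(2836, "3.120.209.58", 8080),
    _nc(2956, "3.120.209.58", 8080),
    _nc(3100, "8.8.8.8", 53, proto="udp"),
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS, fanout_threshold=5).items():
        print(key, value)
```

The path rule is deliberately narrow: System32 and SysWOW64 binaries never match it, so it can run at low cost across a fleet, while the fan-out and egress rules catch a re-packed variant that changes the hashes but keeps the same dropper logic.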
Files
memory/2836-1-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/2836-0-0x0000000000100000-0x0000000000110000-memory.dmp
\Windows\system\KNOxXVc.exe
| MD5 | 5b1645d42dd83888a2476a0e323d381c |
| SHA1 | f9270c50bf552fd38d23ea541aed7100e5ff5f41 |
| SHA256 | d47db7b7c11c693e97a72d5f0f89332b198e4dce2ae79bd34f06e6a2e1296812 |
| SHA512 | 7a2ada38fe4c8ba9c56458b17b7388f76aaa651ee7699627c011f269e4fefef19d8614572360a4d889ce3e543e873b44a398703ea7c4cb5639994f7fdbab20be |
\Windows\system\wavHHHM.exe
| MD5 | 2e1f88b930bc7d8f71911c1c6616a0a2 |
| SHA1 | feff66ab8952986a161ebe3823b46926a9b35815 |
| SHA256 | e3a26d731eedebfea459ad3dc29fae01bc9e29f90b36189baa56243f0ffe31b5 |
| SHA512 | 494e362c2c963a4bde79b577b9298034489f2d8b4945f136ecc76ee9135c205510c131b580607330defcec7bdc0192140b7a0dcd3451d3408ae915dc01695619 |
\Windows\system\wfrBUgn.exe
| MD5 | 0724f8e609711d383dcebf3b3a30beab |
| SHA1 | 4335e23684b2dacd41b3289b5522ac0e266bd0d4 |
| SHA256 | f5c004e7ad69f0e6853f0e6cb7c70d19a65683c1a244fd915dab4901d969e178 |
| SHA512 | 80063a3f236594bda309f9079c5d0f80c682a16fe40ade41d6b5a5fa3db7aa2f00ef3db0c2dd4300cf91e529310ce663381d66cc961f38db2cbe676b97704649 |
C:\Windows\system\cQnBNyW.exe
| MD5 | fe89e8b0b3086dabf067d89f2e10ca95 |
| SHA1 | 670c8a8eb0f98616cc0dff2204181813ddeb90a6 |
| SHA256 | 23fb6512d337fd2724dc8858d79d3bb49fd9e6a18effa3159d59741bd500e0e2 |
| SHA512 | 07ad58d5dc928192f764bcad45fea7edcf7e971f557e60ace95be1cc0aa8dadcf2da4f1f07c80c17db5a690ab01d9b1ea2c1f2fa81d59893e617466a4ef182fd |
C:\Windows\system\bpXsRDF.exe
| MD5 | 6b37e7dac374a18b39cb38884b1d9e76 |
| SHA1 | d0f484706cf0512ea7799d11048b3511742e8b67 |
| SHA256 | e8a93179d614c01301ca0ec095e5a14351e1453a801a1cc39294dc7660c76201 |
| SHA512 | 07cd0c72e43909bf9702869521afccf4c8009edd8bfae8d1ad6a59dd27508027e1dd8a5826df24944015298098041203cc6f2d71a53c0b08886c3ef2edb561c3 |
C:\Windows\system\AMdaUlN.exe
| MD5 | 1ad8e10142ff40f0fd73898145311c53 |
| SHA1 | d251e094dbed2b0a977b7dd2632b21c1d1ff8365 |
| SHA256 | 3faa365a0c37d37b5295895a7886133ba22256ada28896a55b06e56f0ad89306 |
| SHA512 | ce3b24c8d03b0c26cb83ffe57f40fff6dca69e04817ece1d0d193a0002b574e9de7ca383f690b6e27ab8a046571b9ea06e4a9a90272266eae7fd276aef1c0a7e |
C:\Windows\system\VPKrpnB.exe
| MD5 | 203a95c9349c2ebe9d6c08e9399b650f |
| SHA1 | 05d17ad3b1ca8a61954c94df83e01e467d7dc952 |
| SHA256 | 09212c28326e05150eba6ef4dedf66ed0d04b6e41ea44a3a2f53d490ebb2b0ea |
| SHA512 | 57d32291b0ca393fff1bd0a4981969567a4286aa0421d71d289fd56f44822eb5cfa0db2188e98a9e111a46841c014177c0f64a0e8668f08af352b27f71882ae8 |
C:\Windows\system\PcNIFdT.exe
| MD5 | ee2e60536866916c974110550b349702 |
| SHA1 | 34a0411e47e3c1df458a98aa6f315a1433f7bba4 |
| SHA256 | 680949a97d92c5e19b1a29986b841327c8f6748b503027d33fee4624d5e4966a |
| SHA512 | 3d864082941826e31dead80e4d048ee72b179c6d71a200e34c788ffbab925c303ed57ff594ac7cfbb7f310c994b53e5b6c69d71a8628d461db49f40a7cd58616 |
C:\Windows\system\kfGazVB.exe
| MD5 | d430772508d09afb830336ac99099fb5 |
| SHA1 | fa135ee94ccab63dbbec8555f623a6d615a81681 |
| SHA256 | 26d4bf6ce1a411655adc72e70c84d9183b2af8e1c28edd3d0d87484e4f4a7a96 |
| SHA512 | 77745c5fa6aaeb15856a40ec64d4aa1942ebd1293b5e62350982b9fcafca069f383d352d9660d2878bb2120752927307f5aa22d432865ae8d44c4883d5fd5c21 |
C:\Windows\system\nkcaEmb.exe
| MD5 | 289bb31f4d344f46c65e7018a70fe15b |
| SHA1 | ac28b2304e59746106a197387e1b1ed3b6a3cbff |
| SHA256 | 28b30efb663fbf01a94f94e1c68764e20a694db8d06fc36423eef5f98be8bff2 |
| SHA512 | a1fddab388ad87481c3682630aa0c55a35d54939c534d12946959fc93c1ada0bae144f18679cc43c4dd6be2e4cbbe5f14f713183d1f9e7cceb4b1e3e80333f1b |
C:\Windows\system\CEcfktf.exe
| MD5 | 6ec038fc70abb270d00a143d3de95f4f |
| SHA1 | e8fccb10b74c7ae75d5707c1adbe41d4ca4168f0 |
| SHA256 | 317e40ff5ed589dcdb4145e43235d5763332a23054ce3accfe7e476880959244 |
| SHA512 | cce6de9abdb243bda64c4eb10a93cfe95f7ef176d92187abbb7f415645cb8cd317918a77fcddb01c9d9be47dac213844f1fb528abdf83d7196eca751111f53b0 |
C:\Windows\system\KQNqVmZ.exe
| MD5 | a83dfc730cabef31239edf431370ab4d |
| SHA1 | 70eb21935490a227cbc6c0352bb396061b547691 |
| SHA256 | 3e8802c9550f068f75a23fe50bbf776271d922e33318973da555a100d8ed6990 |
| SHA512 | 287040085e8e3002df649875205a08315d028835ba003c416d1b5a60fd5eb02a5fab317521bd334f607694348ce6d8725c7e6150233187ab96ba45ab24916501 |
C:\Windows\system\kAmYZie.exe
| MD5 | 5bfec3d0e9c90088d1de928124b5bd54 |
| SHA1 | e65cfe32a1cecb6258358ce0dbf8b287bcf702fb |
| SHA256 | 240ea7df9c45798b038f870db237b84b1ec9243a1fbd5e202bcb64a37dfb1ce9 |
| SHA512 | d48e28509bb62dd45751ceeda623aa22bc100d6aa0bdf6bd54378d8202890fb914a4b44b9599dc0cc1d6f9abbbd6f2e8b4b5e0d03a8d1871d6123f66f7e0d406 |
C:\Windows\system\rhPYTBR.exe
| MD5 | ca5ca002627886362458a30d68f41a8e |
| SHA1 | 6baca9efc8d9a228e6e785084bd92c269043570b |
| SHA256 | 66aefbb619b05cda3663a382597a658f7c43ec18b748bbb04a982f924946a293 |
| SHA512 | d83fe78dabb74431f059b6d4c6da972610e6a5fc5d87348a0a05d9431cac935c9196f30dd4c7c0ac7da7c5293f011635027d9a771b4cc0ddae42d7d6f30bb51a |
C:\Windows\system\uyYdzjF.exe
| MD5 | 06226d09ab3b4f26502c1dd199eb1ea3 |
| SHA1 | 7a46ee8ed3cac1c94d48f978dafe74d4adb154a0 |
| SHA256 | daf0f741a9b66b3a560e57801e8447907a0821f2d1e3d77a10cae82915f8f0fb |
| SHA512 | f0e117d285af6af2cd879b51e36113a452486ab3d0d66956a4bad40f9890854c62dfd1068784161acc9d3458fa31d6c7e4a36ae441054019dee0b840dfb2972a |
C:\Windows\system\wNVtzjX.exe
| MD5 | 656e1b2919cc3dccec56b420eaac7161 |
| SHA1 | c84e6ea7da8b024843952f81b5699fb218b7e9e5 |
| SHA256 | d5123a7daaf51370372fde48f21d1e6490530950be4d3991a764396351054441 |
| SHA512 | 4babbf60f6d00128a29f7b052484a0b1aafc73d596e54a99c05ae08943f20becea2663110f44b5e919c6259cbdb7a85140be8efb098aebc4886e38931e695636 |
memory/2956-111-0x000000013FFE0000-0x0000000140334000-memory.dmp
memory/2836-110-0x000000013FFE0000-0x0000000140334000-memory.dmp
memory/1564-109-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2540-88-0x000000013F960000-0x000000013FCB4000-memory.dmp
memory/2836-87-0x0000000002240000-0x0000000002594000-memory.dmp
memory/2484-113-0x000000013F330000-0x000000013F684000-memory.dmp
memory/2836-112-0x000000013F330000-0x000000013F684000-memory.dmp
memory/2480-117-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2768-120-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2836-121-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/2836-119-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/2460-118-0x000000013F700000-0x000000013FA54000-memory.dmp
memory/2836-116-0x000000013F5D0000-0x000000013F924000-memory.dmp
memory/2556-115-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
memory/2836-114-0x0000000002240000-0x0000000002594000-memory.dmp
C:\Windows\system\KvNAnrg.exe
| MD5 | daf98f875f1fdeb526cf917149e68fc1 |
| SHA1 | 6736c1a3ae58f7e089376d416b2a472561578157 |
| SHA256 | acd564756bbb12d69bdad4cbc8d261741e978bd291505a2aa3ea171287de7247 |
| SHA512 | cc043da7158f0df2de184003dbec5584decd22725e66bfaea7e72141e625a16f269c42c4a65499ae212ec16f27cbc4ae8a29b773275a2a0aab75100299bf54f7 |
C:\Windows\system\pjZtzXI.exe
| MD5 | 129e94a8e6834e141c4875cb19f51144 |
| SHA1 | 99fbb0f2f0bf353b1a6314c6ddc612d6305f1e61 |
| SHA256 | b4167895fcc91c0830523867de64568c8dae90319d193a384cde8fd4c7855d99 |
| SHA512 | c56daad34b1ecbf03c20dd64bd689e20f642fc15900a0a9a1dda5301f26176ec4d8e4f47b24938fded2b89184a057757ab1d43ae9405a98e28ced0204dd4ddd6 |
C:\Windows\system\EHCWPQv.exe
| MD5 | 1ad808b538db96e5f262eaae6aae6301 |
| SHA1 | 785b2c381a0ca9abfd75f7579ced743e797ead05 |
| SHA256 | d8b9429b3ab1531a7477e7c7068bf339bdfcbcf10a26973cc31671e93c77b0da |
| SHA512 | 6360aa91c077cfe14ce25279e7e84f1e6bb8f198d7640a97ec2c595057cfd918de2ec6526b74ca024cc9677d564356d5776c8a7ef3058283e782b808d6a3b965 |
C:\Windows\system\eRlnBGQ.exe
| MD5 | fdc283f9a117e0ee1a4a2fb0f1112d54 |
| SHA1 | 8596a40f9e192af8cd90c116b7ab1e54448502f3 |
| SHA256 | 928c3aeed1d42f96d8fbc5c3276692a814c153036bdc7c2b959c2afebbb8d3df |
| SHA512 | 32dfaf55f786cad245aef1fbf41df79d56aeef276a579cc3e1da51f8a78a86580d0cd8d0edccd358bd8e177c39eff639d4efa08c2bf24fa27dff179ccc6e20d0 |
C:\Windows\system\DSTgAEz.exe
| MD5 | 241efc2e23d684a64b1311467ddfdbb0 |
| SHA1 | 4565b93507cb42cbf866305b321c0a107a41f66f |
| SHA256 | 9b197a2990d2398d76511b1e17a673e0902b8ae823b149b2b897fa9cf1d346cb |
| SHA512 | a02d71f8868a712981ae3b7c15a6142a906da2c0581938f2f69af57da6251a5860a862d5c7199bbf0731c5bc0690d3e5b0dc65c2cd4e2e3087ea3fcab1fcf083 |
memory/2836-123-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/2916-124-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/2364-122-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/2500-125-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/2836-126-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/1652-127-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2344-129-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/2112-130-0x000000013F820000-0x000000013FB74000-memory.dmp
memory/2836-128-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/2836-131-0x000000013F9E0000-0x000000013FD34000-memory.dmp
memory/1564-132-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2836-133-0x000000013FFE0000-0x0000000140334000-memory.dmp
memory/2540-134-0x000000013F960000-0x000000013FCB4000-memory.dmp
memory/2556-135-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
memory/2112-145-0x000000013F820000-0x000000013FB74000-memory.dmp
memory/1652-144-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2484-143-0x000000013F330000-0x000000013F684000-memory.dmp
memory/2768-142-0x000000013FE00000-0x0000000140154000-memory.dmp
memory/1564-141-0x000000013FBA0000-0x000000013FEF4000-memory.dmp
memory/2344-140-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/2364-139-0x000000013FDE0000-0x0000000140134000-memory.dmp
memory/2500-138-0x000000013FBF0000-0x000000013FF44000-memory.dmp
memory/2460-137-0x000000013F700000-0x000000013FA54000-memory.dmp
memory/2956-136-0x000000013FFE0000-0x0000000140334000-memory.dmp
memory/2916-146-0x000000013F4D0000-0x000000013F824000-memory.dmp
memory/2480-147-0x000000013F5D0000-0x000000013F924000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 08:28
Reported
2024-06-01 08:31
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
152s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits; no indicator, process or target recorded.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits; no indicator, process or target recorded.
UPX dump on OEP (original entry point)
64 hits; no indicator, process or target recorded.
XMRig Miner payload
64 hits; no indicator, process or target recorded.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\hsXYZsb.exe | N/A |
| N/A | N/A | C:\Windows\System\MSCWeen.exe | N/A |
| N/A | N/A | C:\Windows\System\PEZpzpd.exe | N/A |
| N/A | N/A | C:\Windows\System\vuAnCaG.exe | N/A |
| N/A | N/A | C:\Windows\System\uWIDuBu.exe | N/A |
| N/A | N/A | C:\Windows\System\ctAoZjk.exe | N/A |
| N/A | N/A | C:\Windows\System\trMmJOL.exe | N/A |
| N/A | N/A | C:\Windows\System\YFihuSa.exe | N/A |
| N/A | N/A | C:\Windows\System\RSeSNle.exe | N/A |
| N/A | N/A | C:\Windows\System\mkYQUhA.exe | N/A |
| N/A | N/A | C:\Windows\System\EIunccn.exe | N/A |
| N/A | N/A | C:\Windows\System\mRvyfzD.exe | N/A |
| N/A | N/A | C:\Windows\System\lKCEVgq.exe | N/A |
| N/A | N/A | C:\Windows\System\ZiJfRDm.exe | N/A |
| N/A | N/A | C:\Windows\System\MlTrQQx.exe | N/A |
| N/A | N/A | C:\Windows\System\dyUbsRU.exe | N/A |
| N/A | N/A | C:\Windows\System\GZogxuy.exe | N/A |
| N/A | N/A | C:\Windows\System\KyBFCpF.exe | N/A |
| N/A | N/A | C:\Windows\System\DwVLNVH.exe | N/A |
| N/A | N/A | C:\Windows\System\JmqBQEu.exe | N/A |
| N/A | N/A | C:\Windows\System\EuBGlmf.exe | N/A |
UPX packed file
64 hits; no indicator, process or target recorded.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_b1ad8f3ab7a101dbeea8736cb7eafb6c_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\hsXYZsb.exe
C:\Windows\System\hsXYZsb.exe
C:\Windows\System\MSCWeen.exe
C:\Windows\System\MSCWeen.exe
C:\Windows\System\PEZpzpd.exe
C:\Windows\System\PEZpzpd.exe
C:\Windows\System\vuAnCaG.exe
C:\Windows\System\vuAnCaG.exe
C:\Windows\System\uWIDuBu.exe
C:\Windows\System\uWIDuBu.exe
C:\Windows\System\ctAoZjk.exe
C:\Windows\System\ctAoZjk.exe
C:\Windows\System\trMmJOL.exe
C:\Windows\System\trMmJOL.exe
C:\Windows\System\YFihuSa.exe
C:\Windows\System\YFihuSa.exe
C:\Windows\System\RSeSNle.exe
C:\Windows\System\RSeSNle.exe
C:\Windows\System\mkYQUhA.exe
C:\Windows\System\mkYQUhA.exe
C:\Windows\System\EIunccn.exe
C:\Windows\System\EIunccn.exe
C:\Windows\System\mRvyfzD.exe
C:\Windows\System\mRvyfzD.exe
C:\Windows\System\lKCEVgq.exe
C:\Windows\System\lKCEVgq.exe
C:\Windows\System\ZiJfRDm.exe
C:\Windows\System\ZiJfRDm.exe
C:\Windows\System\MlTrQQx.exe
C:\Windows\System\MlTrQQx.exe
C:\Windows\System\dyUbsRU.exe
C:\Windows\System\dyUbsRU.exe
C:\Windows\System\GZogxuy.exe
C:\Windows\System\GZogxuy.exe
C:\Windows\System\KyBFCpF.exe
C:\Windows\System\KyBFCpF.exe
C:\Windows\System\DwVLNVH.exe
C:\Windows\System\DwVLNVH.exe
C:\Windows\System\JmqBQEu.exe
C:\Windows\System\JmqBQEu.exe
C:\Windows\System\EuBGlmf.exe
C:\Windows\System\EuBGlmf.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3876 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| GB | 142.250.187.202:443 | | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 97.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 15.173.189.20.in-addr.arpa | udp |
Files
memory/2260-0-0x00007FF6E0910000-0x00007FF6E0C64000-memory.dmp
memory/2260-1-0x000002467FFB0000-0x000002467FFC0000-memory.dmp
C:\Windows\System\hsXYZsb.exe
| MD5 | 56dc83ae4858ffcc36adb7ab21131052 |
| SHA1 | f977c211774626bb24ef11018a96af3c59b774a6 |
| SHA256 | f55a10e1cf5f17bb0dbb3abba1a8fd85428c0dcab4da0b658e37d4b984ba8035 |
| SHA512 | cc05da3f99443027e124e58899ab3e6695481f3d52f0ee62d5ab552474fa2a83e738a2b99b793f6f650975d9693281e0c0e2ef240212fd4ec229def64b12fd02 |
memory/2056-7-0x00007FF72CA50000-0x00007FF72CDA4000-memory.dmp
C:\Windows\System\MSCWeen.exe
| MD5 | 49206c8c8da5729d462e87039e50c803 |
| SHA1 | cc29a15219efca84917d61b01deece64a5889267 |
| SHA256 | d473ba5cd86a8b7080238d659f136ab7535616ace0f53366ecc1b7f57910eb19 |
| SHA512 | d86c2bb9dfcb5fa556a7093979cb4009b90fdcda21e7eae39211bfde62ac4f5bccfbfa6a4c3981398ec3f1c970ad83f0eeb852e215e4ca8ba37a05838e0abc20 |
C:\Windows\System\PEZpzpd.exe
| MD5 | a679b8d3b1b8afa449b13b7989f687c2 |
| SHA1 | 5bc52607f764cdbeb4923351fa2774a68836b6dc |
| SHA256 | d3fe55f1b8f9a2e040985b283efc6658912382adafff0fb0f2cf2a588c5e6577 |
| SHA512 | b1e19784a9643deba641ce8602cdcef59cdfecdb662f9299483c612512546961b2bd9b20090d55c9e13b26dfbce0ae01fd8a040b20bd6c92a75aa4b6737c6925 |
memory/532-16-0x00007FF78E810000-0x00007FF78EB64000-memory.dmp
memory/4972-20-0x00007FF77C5A0000-0x00007FF77C8F4000-memory.dmp
C:\Windows\System\vuAnCaG.exe
| MD5 | 913cbbca1a207a61b2924a2149651946 |
| SHA1 | c0511861e16b8fbef33ba7b0658ce45a44b74d33 |
| SHA256 | 66ec85494b9ddf113e7937211ebdf56d92fcbd09d3288d54ba6cf53282bdba3e |
| SHA512 | 90553c4e77ac871fc76e06825b02463e16972315531aadcfff17e0603ab59e36fa50ad1f00d8592f4be04a5fb2dcf28806a9d5b786b662471b2b4169d50a387e |
memory/4148-26-0x00007FF775480000-0x00007FF7757D4000-memory.dmp
C:\Windows\System\uWIDuBu.exe
| MD5 | 0a305d61bd5c7fe8324260ce4aaff5ea |
| SHA1 | c0c18d19cbb8faa421e1f8e3a5d36f74af3a0ba2 |
| SHA256 | e41a33734d0a7e5f60269cb3f9d935aa7425fc88377f78a81c8ccbcceeb2ef08 |
| SHA512 | 8caf7c969732427bbd9cf3302fbda97aabe5cddbe12ada71c115cfbcbb5206ec70d122374b8fec1778d64ab7b38ca6cefd773810a5db6228985388470a5e259c |
C:\Windows\System\ctAoZjk.exe
| MD5 | fab7ee471010ca83bf504a65cbf5e261 |
| SHA1 | 52c8d5d232c8f9bdd2c25ef0c2e73d9ed9358dee |
| SHA256 | e89c5da9c70dc9528e1241f363dab8d028e9a46bff6363df3ab52977998048c7 |
| SHA512 | 5b84c5a3dc48e97d00799f6e0fbe578765a924c410067b9e9ee61af00da1d70b751e47b83303f9df6cbdec9c9ca3020cc1bfb9988bf4cce1f1aa01c997de4beb |
memory/2016-38-0x00007FF6432B0000-0x00007FF643604000-memory.dmp
memory/1204-34-0x00007FF66B720000-0x00007FF66BA74000-memory.dmp
C:\Windows\System\trMmJOL.exe
| MD5 | 906eeb99cb8d6f2b08ee1085bfbb63ce |
| SHA1 | 7bee22c8d5ab65a769b82cef32f1c57d05534dda |
| SHA256 | e35440003b07502816bca07c47b96ba96a611ac76b8f8d346837d8e4d7bdcf7a |
| SHA512 | c30e343cab624265a7cead411fd4991703583f3dc414d627fe7f29c20220fb26119325fdfce7145274720df93c9a583de9e3f4ec5ecce7d688a96193656acf84 |
C:\Windows\System\YFihuSa.exe
| MD5 | 9f6dea95c3ba863606a600620fa180bd |
| SHA1 | bb17752af32d3cc45c5d281a7749e3d9276caaff |
| SHA256 | dc8e89d9e726218c028c54d34dc9f1cb666ef66484450f00f219c95089e3253f |
| SHA512 | 223f5b8c4c85b456fe9b4c59f1f90299f32c177656be53056b7080e4427767229bb6ac863213924435cd245b9387429a5d839b7d2531f4cf1ef0ac12a7270b09 |
memory/5152-46-0x00007FF797190000-0x00007FF7974E4000-memory.dmp
C:\Windows\System\RSeSNle.exe
| MD5 | f19b43a5eb0efada14a3e87db7ae90d4 |
| SHA1 | a2d6a04a5c26b31d6e7e44849f58ffd0b9daf976 |
| SHA256 | 46029e57b149651a2c01e230829141fd40459f79efc6d756a0e594c264e7c971 |
| SHA512 | 57265ad72fcca6dceadd00625ef4f60e8209e83ac6cb03d63fb2d5cc630694cccba3078971afe57c490a4000d9ce3c9f8becf605fc44399df39a747b1c63dfae |
memory/5452-49-0x00007FF69A380000-0x00007FF69A6D4000-memory.dmp
memory/5756-56-0x00007FF6CE860000-0x00007FF6CEBB4000-memory.dmp
C:\Windows\System\mkYQUhA.exe
| MD5 | c90497eaec691fa5b51010f6c26af189 |
| SHA1 | 4889b0bd649b0e63c775216ff98c0cb868452229 |
| SHA256 | 59f97b291a7574487501093f22d11d8ada5e687ea76dac621d59991e56742f60 |
| SHA512 | b94551755c5bbf96b1174f8fc5a40069917a299db547dacff5631f53efd3aa5533987c4438c325b2864eeef67ceb1d3f233e7391d48b87e73bc9da5b14ccadad |
memory/2260-60-0x00007FF6E0910000-0x00007FF6E0C64000-memory.dmp
memory/5352-62-0x00007FF6B6F80000-0x00007FF6B72D4000-memory.dmp
C:\Windows\System\EIunccn.exe
| MD5 | d91f5758684814e85524be26f9422353 |
| SHA1 | 9bb7c92f8a8f3399fa15646a30d54d9770c49d40 |
| SHA256 | c3efd9886c54ca294bf8812db52937080fbeba12986f2a24fafab70ee753bbfd |
| SHA512 | f7bab13a31069adcb66d105d9e2a201c43fd1cda10fc6c1a568025b81b37af11c23d45ac60c9d0302e616bae9309b0f182e9e48d358def0c1ebf45dab5827ab6 |
memory/2056-73-0x00007FF72CA50000-0x00007FF72CDA4000-memory.dmp
C:\Windows\System\lKCEVgq.exe
| MD5 | 40e7d49fdbcdc24181c16e3f56df09f2 |
| SHA1 | f7ab5354a0a7e5a990aa9b18aa70198a17bc7b64 |
| SHA256 | 985d94294e6200dce4577f14842b75dea7ca933e638e5eda7240bb4ddbd2a814 |
| SHA512 | ff60fb7c5cdf187bf9382980e04fa8583a3936b09d36369e81fc0e32ab395db7eb8b58522c1427264af42542659f6a008f65addef6db73b044bc28076ac1cfdb |
C:\Windows\System\mRvyfzD.exe
| MD5 | 416b41033ffa76ee038c226e0310edf8 |
| SHA1 | cc8aacc2de2e4e03ff90920f012a244129692f7b |
| SHA256 | 3166bd688def2fd43e02395762228ab7b1721b7042c2f10232e46a85e2fec99a |
| SHA512 | 63408e938113e785f5f7e0dfa2632ef826d1253c1ac9a43850a00b2d23f8421eac961854e042ecbbba5a197236fa91b5dee6268871f4e614a6c439e677f4a661 |
C:\Windows\System\ZiJfRDm.exe
| MD5 | 591a8a6f5d79bc519587bdd6f75e6888 |
| SHA1 | 99be38489401fae1a842c2e9e3cb57dcca9d5ca1 |
| SHA256 | 0a46ea57fe8c91c7d5fa2260f39fae2118a3b08f79a4d95d8f1073dae0b7acb5 |
| SHA512 | 30860950718e6f16fdf804e8d4690487c2022d9b6c753ce70e2fbae76d0ffa65483e6b929e5017905e7a1e27cecd43395acb183375168a3e828e7c040150e607 |
C:\Windows\System\MlTrQQx.exe
| MD5 | 00149eec631e9f45176f3ba791c88620 |
| SHA1 | fbaf6e7b255a4620323f45169fe19103c85f3b7c |
| SHA256 | 7c8ede9e7ca493b8fe2a6485fddd58874942a292b63eadb7263dc586d2747c42 |
| SHA512 | 6a23a2f813f6bc51fef7d2c9be331fad4c63f6956b0dd7232893adaf0c3d3d0d0cd92fc016bb45ecda2aa102b8cf9c8a2c77e69cc7c3d28d033adf0db2340538 |
C:\Windows\System\dyUbsRU.exe
| MD5 | 72e6d22bd94ae075129e192c0defa1d5 |
| SHA1 | b2d9c6dfa8a9865096adf344353e8935b671b11a |
| SHA256 | 4ba9894d386cbdd262617edfc9c45877c4e60ec182a8804ef6d7b8f4c774e47e |
| SHA512 | 4ad963ef50496cb479aac5d2fe3fdc1c8a607e0d4bb46f6982b3ffe112b370be4d9f395570d786a9fb5928494f922fd8683bc10e80f25707ff8c4f8ae1a2d746 |
C:\Windows\System\GZogxuy.exe
| MD5 | 2c4382d51a5f9b34473a01775d605bfc |
| SHA1 | 47ec08b4b10fb15b01074860727ca3c06441fed7 |
| SHA256 | 9cfbc5854a2b99e1f67e1c3c76322decb75d9f3db2e73d8442f6055a396fa6b8 |
| SHA512 | a82664776588cdc87e6d710bb43c6d1be4b279a5d62cfc849b931036a3007ffdab4f5e56bb39792286d3610f7d0787a445172a66a6c13c3e8b5374c5f04ee74d |
C:\Windows\System\KyBFCpF.exe
| MD5 | 233e4c99d42e42bfa94652a3674f3f37 |
| SHA1 | 1969ed93c25b37ea7eda7895e2d9b3c6021797ab |
| SHA256 | a662c592cea0c5e538f26c60882311c5526142d37c5c7bded4118969468defdc |
| SHA512 | 31d5dc3f2aa39d955493d35cd3b643c88511d1b74e8ee8dffb1491a1a8ff8e7434c191b53d0a67067afa069b32618d0bc89656343f0a163e3938ee382ebb2826 |
C:\Windows\System\DwVLNVH.exe
| MD5 | b7e4f6a37431a8de8a8b126b3651b6fb |
| SHA1 | 7efc3658513201bf7418e00276263d37bed49ecc |
| SHA256 | 6c54b0e0e19e52c36fc222a3b5479b909f1648483833802655feee02eef534c8 |
| SHA512 | 3f89bb91d8bdece7df5758f7c6e9bf875dd0847718766ececf5aa022a1e7bc10ea8a7dd4de27ec83c1c47fc3977dda411488545fc0563d919ef6e0f9bef3d10c |
C:\Windows\System\EuBGlmf.exe
| MD5 | 6e6ece0e77cad9daa558aa48a638d24b |
| SHA1 | 709f619a670940a3dfacc7f0d8e92f7a8e4ce6c6 |
| SHA256 | f2856b5af3d96b5405ac90d0fa2fffecedf8bf798e40bb82d100edcaced64e7c |
| SHA512 | 907db96f36b6e88d486aaff1d99e19fecdc718b5e5b05bdce54635b7658f4516a60e45b70b5b53e97c6b3f541a9f00041a1ba0d4e7f644f5b049a899c3e34b0a |
C:\Windows\System\JmqBQEu.exe
| MD5 | 0be961e677d072b6b611113e696b8045 |
| SHA1 | dbd07af5ffda0dc4cf6da4c6b1c289ec765f4eee |
| SHA256 | a96c4c110302a4b464415afb5797f314ff434f3dd0cbeca033fcf3b559d9aab2 |
| SHA512 | b0c8c5e57275efb26f14378ecc68fc7aa78f8e8623aad2447950544495737f450c70d68f79428abac9b03a8372dd26f86b80866c47cc19fbfd2505a985ad48df |
memory/5376-119-0x00007FF605690000-0x00007FF6059E4000-memory.dmp
memory/1716-120-0x00007FF676380000-0x00007FF6766D4000-memory.dmp
memory/4640-121-0x00007FF7CD800000-0x00007FF7CDB54000-memory.dmp
memory/5924-122-0x00007FF7A0DB0000-0x00007FF7A1104000-memory.dmp
memory/5928-123-0x00007FF6A1A70000-0x00007FF6A1DC4000-memory.dmp
memory/5976-124-0x00007FF7384C0000-0x00007FF738814000-memory.dmp
memory/4956-125-0x00007FF672BB0000-0x00007FF672F04000-memory.dmp
memory/5484-126-0x00007FF770700000-0x00007FF770A54000-memory.dmp
memory/5520-127-0x00007FF6EA0C0000-0x00007FF6EA414000-memory.dmp
memory/5324-128-0x00007FF66E9F0000-0x00007FF66ED44000-memory.dmp
memory/532-129-0x00007FF78E810000-0x00007FF78EB64000-memory.dmp
memory/4676-130-0x00007FF7B1F70000-0x00007FF7B22C4000-memory.dmp
memory/4972-131-0x00007FF77C5A0000-0x00007FF77C8F4000-memory.dmp
memory/4148-132-0x00007FF775480000-0x00007FF7757D4000-memory.dmp
memory/5452-133-0x00007FF69A380000-0x00007FF69A6D4000-memory.dmp
memory/5352-134-0x00007FF6B6F80000-0x00007FF6B72D4000-memory.dmp
memory/2056-135-0x00007FF72CA50000-0x00007FF72CDA4000-memory.dmp
memory/532-136-0x00007FF78E810000-0x00007FF78EB64000-memory.dmp
memory/4972-137-0x00007FF77C5A0000-0x00007FF77C8F4000-memory.dmp
memory/1204-138-0x00007FF66B720000-0x00007FF66BA74000-memory.dmp
memory/4148-139-0x00007FF775480000-0x00007FF7757D4000-memory.dmp
memory/2016-140-0x00007FF6432B0000-0x00007FF643604000-memory.dmp
memory/5152-141-0x00007FF797190000-0x00007FF7974E4000-memory.dmp
memory/5452-142-0x00007FF69A380000-0x00007FF69A6D4000-memory.dmp
memory/5756-143-0x00007FF6CE860000-0x00007FF6CEBB4000-memory.dmp
memory/5352-144-0x00007FF6B6F80000-0x00007FF6B72D4000-memory.dmp
memory/5376-145-0x00007FF605690000-0x00007FF6059E4000-memory.dmp
memory/5324-146-0x00007FF66E9F0000-0x00007FF66ED44000-memory.dmp
memory/4676-147-0x00007FF7B1F70000-0x00007FF7B22C4000-memory.dmp
memory/1716-148-0x00007FF676380000-0x00007FF6766D4000-memory.dmp
memory/4640-149-0x00007FF7CD800000-0x00007FF7CDB54000-memory.dmp
memory/5924-150-0x00007FF7A0DB0000-0x00007FF7A1104000-memory.dmp
memory/5928-151-0x00007FF6A1A70000-0x00007FF6A1DC4000-memory.dmp
memory/5976-152-0x00007FF7384C0000-0x00007FF738814000-memory.dmp
memory/4956-153-0x00007FF672BB0000-0x00007FF672F04000-memory.dmp
memory/5484-154-0x00007FF770700000-0x00007FF770A54000-memory.dmp
memory/5520-155-0x00007FF6EA0C0000-0x00007FF6EA414000-memory.dmp