Analysis Overview
SHA256
658bb064a71cdeed04bacab4a98e00228b3252097af2775470dcbea194ff0beb
Threat Level: Known bad
The file 2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
Xmrig family
Cobaltstrike
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobaltstrike family
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-01 15:44
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 15:44
Reported
2024-06-01 15:47
Platform
win7-20240221-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| 21 hits; indicator details not captured in this export | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| 21 hits; indicator details not captured in this export | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| 50 hits; indicator details not captured in this export | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| 51 hits; indicator details not captured in this export | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\SVmYDKc.exe | N/A |
| N/A | N/A | C:\Windows\System\KZTikVi.exe | N/A |
| N/A | N/A | C:\Windows\System\eGcWAnI.exe | N/A |
| N/A | N/A | C:\Windows\System\LZvcqqV.exe | N/A |
| N/A | N/A | C:\Windows\System\XmEdtDP.exe | N/A |
| N/A | N/A | C:\Windows\System\NSWEnfq.exe | N/A |
| N/A | N/A | C:\Windows\System\PiEIIpt.exe | N/A |
| N/A | N/A | C:\Windows\System\tuQtNjv.exe | N/A |
| N/A | N/A | C:\Windows\System\oADsMrp.exe | N/A |
| N/A | N/A | C:\Windows\System\CbGBqYo.exe | N/A |
| N/A | N/A | C:\Windows\System\mNzwjnS.exe | N/A |
| N/A | N/A | C:\Windows\System\ETueuDE.exe | N/A |
| N/A | N/A | C:\Windows\System\VKxqRIA.exe | N/A |
| N/A | N/A | C:\Windows\System\NnCeTDQ.exe | N/A |
| N/A | N/A | C:\Windows\System\CjZBfMz.exe | N/A |
| N/A | N/A | C:\Windows\System\thWdDUG.exe | N/A |
| N/A | N/A | C:\Windows\System\QbgLdiy.exe | N/A |
| N/A | N/A | C:\Windows\System\vUJXcAk.exe | N/A |
| N/A | N/A | C:\Windows\System\dgxWphE.exe | N/A |
| N/A | N/A | C:\Windows\System\OTcOmsH.exe | N/A |
| N/A | N/A | C:\Windows\System\wEAalbW.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| 50 hits; indicator details not captured in this export | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\SVmYDKc.exe | C:\Windows\System\SVmYDKc.exe |
| C:\Windows\System\KZTikVi.exe | C:\Windows\System\KZTikVi.exe |
| C:\Windows\System\eGcWAnI.exe | C:\Windows\System\eGcWAnI.exe |
| C:\Windows\System\LZvcqqV.exe | C:\Windows\System\LZvcqqV.exe |
| C:\Windows\System\XmEdtDP.exe | C:\Windows\System\XmEdtDP.exe |
| C:\Windows\System\NSWEnfq.exe | C:\Windows\System\NSWEnfq.exe |
| C:\Windows\System\PiEIIpt.exe | C:\Windows\System\PiEIIpt.exe |
| C:\Windows\System\oADsMrp.exe | C:\Windows\System\oADsMrp.exe |
| C:\Windows\System\tuQtNjv.exe | C:\Windows\System\tuQtNjv.exe |
| C:\Windows\System\ETueuDE.exe | C:\Windows\System\ETueuDE.exe |
| C:\Windows\System\CbGBqYo.exe | C:\Windows\System\CbGBqYo.exe |
| C:\Windows\System\QbgLdiy.exe | C:\Windows\System\QbgLdiy.exe |
| C:\Windows\System\mNzwjnS.exe | C:\Windows\System\mNzwjnS.exe |
| C:\Windows\System\vUJXcAk.exe | C:\Windows\System\vUJXcAk.exe |
| C:\Windows\System\VKxqRIA.exe | C:\Windows\System\VKxqRIA.exe |
| C:\Windows\System\dgxWphE.exe | C:\Windows\System\dgxWphE.exe |
| C:\Windows\System\NnCeTDQ.exe | C:\Windows\System\NnCeTDQ.exe |
| C:\Windows\System\OTcOmsH.exe | C:\Windows\System\OTcOmsH.exe |
| C:\Windows\System\CjZBfMz.exe | C:\Windows\System\CjZBfMz.exe |
| C:\Windows\System\wEAalbW.exe | C:\Windows\System\wEAalbW.exe |
| C:\Windows\System\thWdDUG.exe | C:\Windows\System\thWdDUG.exe |
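The three signatures that carry detail in this run, Executes dropped EXE, Drops file in Windows directory and the SeLockMemoryPrivilege token adjustment, describe one repeatable pattern: a process running from the user's Temp folder writes executables with random seven-letter mixed-case names into C:\Windows\System (the legacy directory, not System32), starts each one from the same parent, and enables the "Lock pages in memory" right, which XMRig requests so that RandomX can use large pages. The following is an added detection example, not the sandbox's own signature code and not part of this report. It runs that logic over constructed Sysmon-style events built from the paths above; the event shapes, the child PIDs, the 4703 privilege record and the benign control rows are invented for the example.

```python
import re

# Constructed Sysmon-style events modelled on the behavioral1 run above.
# Paths are taken from the report; event shapes, child PIDs and the benign
# control rows are invented for this example.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe")

EVENTS = [
    # Sysmon 11 (FileCreate): the sample writes a random-named EXE into C:\Windows\System
    {"id": 11, "pid": 2812, "image": SAMPLE, "target": r"C:\Windows\System\SVmYDKc.exe"},
    # Sysmon 1 (ProcessCreate): the dropped file is started by the sample itself
    {"id": 1, "pid": 3001, "ppid": 2812, "image": r"C:\Windows\System\SVmYDKc.exe"},
    {"id": 11, "pid": 2812, "image": SAMPLE, "target": r"C:\Windows\System\KZTikVi.exe"},
    {"id": 1, "pid": 3002, "ppid": 2812, "image": r"C:\Windows\System\KZTikVi.exe"},
    {"id": 11, "pid": 2812, "image": SAMPLE, "target": r"C:\Windows\System\eGcWAnI.exe"},
    {"id": 1, "pid": 3003, "ppid": 2812, "image": r"C:\Windows\System\eGcWAnI.exe"},
    # Security 4703 (a token right was adjusted; needs "Audit Token Right Adjusted"
    # on Windows 10/Server 2016+). Simplified shape, invented for the example.
    {"id": 4703, "pid": 2812, "image": SAMPLE, "privilege": "SeLockMemoryPrivilege"},
    # Benign controls: an installer writing under Program Files, and a service host.
    {"id": 11, "pid": 5000, "image": r"C:\Users\Admin\AppData\Local\Temp\setup.exe",
     "target": r"C:\Program Files\Tool\tool.exe"},
    {"id": 1, "pid": 5001, "ppid": 5000, "image": r"C:\Program Files\Tool\tool.exe"},
    {"id": 1, "pid": 5002, "ppid": 4, "image": r"C:\Windows\System32\svchost.exe"},
]

DROP_DIR = "c:\\windows\\system\\"   # the legacy System directory, not System32
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
SEVEN_LETTERS = re.compile(r"^[A-Za-z]{7}\.exe$")


def random_name_in_system_dir(path):
    """True for C:\\Windows\\System\\<seven letters, mixed case>.exe."""
    if not path.lower().startswith(DROP_DIR):
        return False
    name = path[len(DROP_DIR):]
    if not SEVEN_LETTERS.match(name):
        return False
    stem = name[:-4]
    return stem != stem.lower() and stem != stem.upper()


def detect(events):
    """Correlate drop -> execute pairs from one Temp-resident parent, plus the
    SeLockMemoryPrivilege request, into a list of (kind, parent pid, path)."""
    dropped = {}   # lower-cased target path -> the FileCreate event that wrote it
    alerts = []
    for e in events:
        image = e["image"]
        if e["id"] == 11 and USER_TEMP.match(image) and random_name_in_system_dir(e["target"]):
            dropped[e["target"].lower()] = e
        elif e["id"] == 1 and image.lower() in dropped:
            dropper = dropped[image.lower()]
            if e.get("ppid") == dropper["pid"]:
                alerts.append(("drop-and-execute", dropper["pid"], image))
        elif (e["id"] == 4703 and e.get("privilege") == "SeLockMemoryPrivilege"
              and USER_TEMP.match(image)):
            alerts.append(("lock-pages-privilege", e["pid"], image))
    return alerts


def verdict(alerts):
    """A single random drop can be a legitimate self-extractor; three or more
    from one parent together with the large-pages privilege is high confidence."""
    drops = sum(1 for kind, _, _ in alerts if kind == "drop-and-execute")
    lock = any(kind == "lock-pages-privilege" for kind, _, _ in alerts)
    if drops >= 3 and lock:
        return "high"
    if drops >= 3 or lock:
        return "medium"
    return "low" if alerts else "none"


if __name__ == "__main__":
    found = detect(EVENTS)
    for alert in found:
        print(alert)
    print("verdict:", verdict(found))
```

Feeding the constructed events through `detect` yields three drop-and-execute alerts and one lock-pages alert for PID 2812 and no alerts for the control rows; the same rule expressed against real Sysmon data would key on EventID 11 TargetFilename and EventID 1 Image/ParentProcessId in the same way.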
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2812-100-0x000000013F0C0000-0x000000013F414000-memory.dmp
\Windows\system\wEAalbW.exe
| MD5 | 602b48e9eb19e8d414c1d7cdb1cdd207 |
| SHA1 | 9c05495a066ec79735c6ce6d3cbb4d51b188e670 |
| SHA256 | 871415aa691150f1caae76a2a45434bb2b37cb83a6c6eb380c710fda50048a18 |
| SHA512 | 8f0615b55da4d5c5269cc5224fe37a5b7e5ddbff439142b7aed4f01733bdcbc52ec84171245a27008fe0e9c60eef3b1fe688fc172a274bb2c65f61fe07718d46 |
\Windows\system\OTcOmsH.exe
| MD5 | a1b96ae0c6073330c8caa1cbe3f0305e |
| SHA1 | 9737077a09c37aa70f6353ee3a47d7738a68306c |
| SHA256 | 1921652161a9aefd8973d47713f3ce5186c846349c0a0740ebf6c9cad57f748b |
| SHA512 | 370d0e600bbe246cdfbe58d109780176dcef1478e77337c8e9007775da67d0dfa821789c87055e0b984427bbbbf754a665e3582bcda1122fc21b8816d6256b06 |
memory/2524-80-0x000000013F3D0000-0x000000013F724000-memory.dmp
C:\Windows\system\VKxqRIA.exe
| MD5 | e7639dde0775c87b28fe06afba2a5d48 |
| SHA1 | 766b135a0134680c6a22f9a49d4d1e768ca59209 |
| SHA256 | ebba1ed0a2f6ae99867f54f01673e5730198e10d5c9b095ba3d8744dc97a345b |
| SHA512 | d8cd623d2eab8859c446e1494c3c6538f5185118b97ed0005b579be6679500a696fe019ba4d35e5b44bd333ca67eb7846555cd86f0f873eeb7cd2baf0b43dd1f |
\Windows\system\dgxWphE.exe
| MD5 | 9559f2bab0e4fcdd776af89df79f2915 |
| SHA1 | e8e553e575570213f933c1778a28e75d54b798f7 |
| SHA256 | 8a0badfae3f6bd2f119bcbfffd99f849c665b22d3153ce8281fd127334942f1a |
| SHA512 | 822a43efdb2d03e600ad292ce00964735d4ddce6d9ec8d13bf126623b99f4485ed15120dc1413587cee2f1bfbcecce69a637c82d7bfedc7dd50fbabdc7b9a942 |
C:\Windows\system\ETueuDE.exe
| MD5 | d5dfdf6ae0df82a8f958baee3b9a262a |
| SHA1 | 863762adcedf1ef6d642bedd245214838d6f5552 |
| SHA256 | 62eb70d722ddca4468d3070fbe44fbad4c1ae8d093d3b0cbd9c4701b8ecfef9c |
| SHA512 | 8d9682d4994d56f0d82378c74148788bf7caa348a94dfe91cb45b73c45904d0e110ef9673e477e4653a8e31ca76d9c640d8a51255e52d0ad9fe4f108fdd8b2cd |
\Windows\system\vUJXcAk.exe
| MD5 | c3ead84f56b44323c3c65f6e08c8e0a8 |
| SHA1 | 851e28e92275a17bf74256b5fc852f351c5ab018 |
| SHA256 | 5240257908e43e7502b28c3f1a5b8a7e7850adc146209169b8f9b703e919579e |
| SHA512 | 8c76c82ed698393f7bcd90f4e906b92a9c21e29c52f7ff634d6bef108f1f66c6d4613c012c8e9d439aec4007f502306615f1ec58cdcae800d62e576266cfa26f |
\Windows\system\QbgLdiy.exe
| MD5 | ca3b719414faa82c1d5bc5ef8a286c59 |
| SHA1 | bc3929c94d4bcda57087fa4340f61aa14bd1f3d1 |
| SHA256 | e0872c121c8d0b7126694f1ca4b36dc2aaf5ac4f57e8779fe665a36fb17cdaba |
| SHA512 | 6004ceae9870de82d362e063005e8ea7b9b58ac1e256d4a05cd6c6216a6ce6b21783e614b07f814cdbab95749c329171c802d1a10efc2437905e677d2353d942 |
memory/2812-119-0x000000013FC60000-0x000000013FFB4000-memory.dmp
memory/2372-118-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2624-117-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2812-116-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2812-115-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2228-114-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/1856-113-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/2812-112-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/2640-111-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2328-110-0x000000013FA60000-0x000000013FDB4000-memory.dmp
memory/2812-109-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/2812-108-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2872-107-0x000000013FBE0000-0x000000013FF34000-memory.dmp
C:\Windows\system\thWdDUG.exe
| MD5 | 837efcf40c972c6b740b59aa57072228 |
| SHA1 | d3e1e124a1ad6e4e131fb18a9abb0a22989b6d74 |
| SHA256 | 8480c276942c643aa93676df8a5437acd1b79dd46a495701dd75d136da06f783 |
| SHA512 | 211c7dd68adf81910f1544f04e0873942c8c1556cad4940ac450b6ced46186d9a6d4cee554e97bf2c1483ba95e11735c0b4abae2e020987988d877a1403710d5 |
memory/2812-104-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/2620-94-0x000000013F1B0000-0x000000013F504000-memory.dmp
C:\Windows\system\CjZBfMz.exe
| MD5 | d04713d9cb735e0d39bb347c042458a9 |
| SHA1 | 4549de79ac84bb98b9df7d712e9d70f69ff54454 |
| SHA256 | df52e41e2532388d11908bd93835fb44ebd28715dd05e86e0c1739fd21275c61 |
| SHA512 | 48a7940fcf5547a86ade3b3a5072ca8f4371a24b820841793c78e5f29f4474ce90eb9ed66778ee443cec66e7574662c13f252a5945c7914ca5e391b59682dc5f |
memory/2812-88-0x000000013F1B0000-0x000000013F504000-memory.dmp
C:\Windows\system\NnCeTDQ.exe
| MD5 | 368cdd1d043afa6c8f51af156838b334 |
| SHA1 | 2eab6c112d6ddbc96faba6bfbb286ed1570f7e75 |
| SHA256 | 9657be0e1ffad702d07f56f18a19de1eb3e992846cc9c8d49c633a1d0b640c9e |
| SHA512 | 380c2ce417a99a781085694973589f56da1f2f54c64fea7475a3eeb2b8fe293d2bfc8893517dc69eb87002be1e08f1e2d17a546bfc22164f72d68c5f54889292 |
memory/2700-84-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2812-68-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2436-66-0x000000013FF00000-0x0000000140254000-memory.dmp
C:\Windows\system\mNzwjnS.exe
| MD5 | 489ab0c2b618198c26c367a627365b4e |
| SHA1 | e6770ad9964604824cb7f31d08f382b8a613a955 |
| SHA256 | a4d2ebc649cd420d1a8d0e493f36a9eef53e231c38f4be1f447e2ab01fb3ac6f |
| SHA512 | 75ade5313ed4dd1124c22a5971bfaa4320e9b36d5cf9f76e3649d14f885393b4fe473ef929b472c970ea4e7f4acd50ffb16c9353e983c125a19cf4ac336fc65f |
C:\Windows\system\CbGBqYo.exe
| MD5 | cf3a268d12d3848e97a9557e76c528e5 |
| SHA1 | b6a24c843ee3108c1391cdd2da134a799b8ba5c9 |
| SHA256 | bba12122134faec278ab0d91feb498bfc3977fa50fab8769019e514462e2d273 |
| SHA512 | 0ff342a4665526ef201ed727aa69b78e36dfc536162e5cb18514657620e326f06b1f01f06349554c626462cf0d633d03b44f5a654844fa0ec99a977fa8f9cdeb |
memory/2424-61-0x000000013F950000-0x000000013FCA4000-memory.dmp
C:\Windows\system\oADsMrp.exe
| MD5 | 22b579f2a4f58053f53acbc54d06eabb |
| SHA1 | f8c89e523d5978c51ce8228624d3bfb348cfc273 |
| SHA256 | c11ff34308137e01d376af68b041c13722636bffce105ad37a9960724ca382ed |
| SHA512 | 14d7f4d634026ba5e8112d30db995907fa8832a227d1bc594f8aede053c8782a7009a9f85c4d0bbefd4e73acd2d54ccdc03098d81a2f1879b7f93c24f73128f1 |
C:\Windows\system\tuQtNjv.exe
| MD5 | c80adb28155129411cda60066758f6df |
| SHA1 | 336f28b8b1a7a1670f939fb840a9a3d28eadde35 |
| SHA256 | e652e08227f9e6a104c016692ffe302ead4ef575c9af4b0e3cd21c1b8be1db2a |
| SHA512 | 7462e03fad53d95553761971a182704e87142a5474bdb143ee083faa11bae5d9006e537bec8065179a95729e5c3d57e295f13b4ea47fa6875518d17f649407e9 |
C:\Windows\system\NSWEnfq.exe
| MD5 | cb315404fce91eb3f46d51354e391254 |
| SHA1 | 32eaa9e9fe64afd266c25ddb0ef3126f6f50c717 |
| SHA256 | 21f0db38236cf6035ab039a3e993f48dc3d8015b28096b9a0c280ad3e8e981d5 |
| SHA512 | c120bdbba705e7a0a6d655708ba7ccc9c6aca08afa5b3e83dc57eec0e046af6d1311fc3c26f8776cbfbcbb90593d8cfa54221cfcb77b83d31ec0d40739f2a1ab |
C:\Windows\system\PiEIIpt.exe
| MD5 | 07d224cf70e7066237080f4bc9afa910 |
| SHA1 | 1b801e0dda721cd638b3091ca5461f44fda51c2f |
| SHA256 | aa434ca0b50b9fc6723447c6e4b0efda392f20a3b9ed0c479cb49d248bcca9d8 |
| SHA512 | a326229abc018cb5eaff23567173e799e5a9fa8c5bf8a9815d2a54e1125d1e224e07d85ec48056111ecfa886c16bb95ba291f1ac1f62d13aa009085ba5fea767 |
memory/2812-29-0x00000000022A0000-0x00000000025F4000-memory.dmp
C:\Windows\system\XmEdtDP.exe
| MD5 | c7d01b3f25948bca4ab178bf90c6231c |
| SHA1 | adc6bbb4a523a46af0be205ee67e6695fc5db1ea |
| SHA256 | 8cb554f15a18064fc3d332bbbbf55d29edbe1b9ed319dda8fb8ee899a4f900ba |
| SHA512 | 9c0025cb26642ff30e3feada8c9c1f1f5f9a3b7c0c235764bdd5bcaa3593e6c09cd6b4add1b660cb30561bea0e9b019fe68b5852afd930566c3916641c7347f2 |
C:\Windows\system\LZvcqqV.exe
| MD5 | f58eaac99555aeb6b0e06561dc1133ac |
| SHA1 | 0f7408d362515e5ec0df8193c2fa9a64fcf97d92 |
| SHA256 | 652ce6ec63dfeaa9ad5e5ac2e8083340b533c2ff8766625a85bb5982d63f028d |
| SHA512 | 2ae4147c963987c0bc99a08dc5552b1bf1d19e460c34b9dcb9724a68d32335f77d87d23eec3a1c1721d43e7504f2e79136ffee1271f38a20a459b4d2edbafadb |
memory/2812-131-0x000000013F860000-0x000000013FBB4000-memory.dmp
C:\Windows\system\eGcWAnI.exe
| MD5 | ff539277909ce930a817053771dbfa40 |
| SHA1 | c5a3b06801d89616bb4a66e4ef934977aa7128c0 |
| SHA256 | 74df70996e5a4cebdb93bdc40d5d4c64263c66a0300f16a4e3cf312de1543273 |
| SHA512 | 53f35ab8f3727e086e7965d098ce096227679b0f0cb35fd6e0230e15c42f8f31aab6773d7d019db0dd4d698f7880c33a148bfddda5fe84d4423b7374830dc300 |
C:\Windows\system\KZTikVi.exe
| MD5 | 773ce3453a1edc2ed67e074f6ff3fe5a |
| SHA1 | d504f5c60b7cafb6c1a7616c3720bca966afcef6 |
| SHA256 | 8cd31d60238a1de7e6cc6c4d23b6081c971f20b5907c5a68e1a66a4dd153923d |
| SHA512 | 9a6c84ab82c9bf97bd86e6b3cc202d0494bce421917b5522a85638e052bede22f55e0d7a15fa85b8780b68b38772e2b0635f406b679d8fb090eba52594395740 |
memory/1896-11-0x000000013F5E0000-0x000000013F934000-memory.dmp
C:\Windows\system\SVmYDKc.exe
| MD5 | 749159174fb92fa703e2fccbd242f548 |
| SHA1 | 4ca865e5ac5d524ae65b8f88bfdab0a63f01e3b1 |
| SHA256 | b741aac1dcecf514150c0b56dca6561efabc21308b6757e929573e266c924f41 |
| SHA512 | 572979f74a7f795218d233d37516c9ce27b2b3d6e12d4168f5a9a00e6c34ca61c0e9076f4faa1b86f0ee2db5093162d57b25de61fa575ba2fafdd74725e7ce6f |
memory/2812-1-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/2812-0-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2812-133-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/2812-132-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/2812-134-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/1856-135-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/1896-136-0x000000013F5E0000-0x000000013F934000-memory.dmp
memory/2228-138-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/2424-137-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/2436-139-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2524-140-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2620-141-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2624-142-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2700-143-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2328-145-0x000000013FA60000-0x000000013FDB4000-memory.dmp
memory/2872-144-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/2372-146-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2640-147-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/1856-148-0x000000013FD10000-0x0000000140064000-memory.dmp
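The two Cobalt Strike signatures in this run fired without a single captured indicator, and the file name is the submitter's label rather than evidence, so this export cannot confirm a Beacon. What it does record precisely is the set of memory regions the sandbox dumped. The script below is an added example, not part of the report or of the sandbox's own tooling; it parses the dump names listed above and assumes the layout memory/<pid>-<seq>-<start>-<end>-memory.dmp, which is inferred from the names and not documented on the page. It shows that every dumped region, in the parent and in each of the thirteen children that produced one, is exactly 0x354000 bytes; that the parent also holds a region of that size at a low, non-image address (0x22A0000) and at the same base as several children's images; and that the differently hashed files on disk therefore have the same in-memory image size, consistent with one payload re-packed per copy, which is why hash blocking alone is a weak control here.

```python
import re
from collections import defaultdict

# Dump names copied from the behavioral1 "Files" section of this report
# (a subset covering every PID that produced a dump). The name layout
# memory/<pid>-<seq>-<start>-<end>-memory.dmp is inferred from the names.
SAMPLE_DUMPS = """
memory/2812-0-0x000000013F860000-0x000000013FBB4000-memory.dmp
memory/2812-1-0x00000000000F0000-0x0000000000100000-memory.dmp
memory/1896-11-0x000000013F5E0000-0x000000013F934000-memory.dmp
memory/2812-29-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/2424-61-0x000000013F950000-0x000000013FCA4000-memory.dmp
memory/2436-66-0x000000013FF00000-0x0000000140254000-memory.dmp
memory/2812-68-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2524-80-0x000000013F3D0000-0x000000013F724000-memory.dmp
memory/2700-84-0x000000013F340000-0x000000013F694000-memory.dmp
memory/2812-88-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2620-94-0x000000013F1B0000-0x000000013F504000-memory.dmp
memory/2812-100-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2812-104-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/2872-107-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/2328-110-0x000000013FA60000-0x000000013FDB4000-memory.dmp
memory/2640-111-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/1856-113-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/2228-114-0x000000013F5F0000-0x000000013F944000-memory.dmp
memory/2624-117-0x000000013F0C0000-0x000000013F414000-memory.dmp
memory/2372-118-0x000000013F690000-0x000000013F9E4000-memory.dmp
memory/2812-119-0x000000013FC60000-0x000000013FFB4000-memory.dmp
""".split()

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


def parse_dump(name):
    """Split a dump file name into pid, sequence number, start, end and size."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a sandbox memory dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def pids_by_region_size(names):
    """Map region size -> sorted PIDs that had a dump of exactly that size."""
    sizes = defaultdict(set)
    for d in map(parse_dump, names):
        sizes[d["size"]].add(d["pid"])
    return {size: sorted(pids) for size, pids in sizes.items()}


def main_image(names, pid):
    """(base, size) of a process's first dump (lowest seq), taken here as its
    main image; an assumption that holds for this report's dumps."""
    dumps = sorted((d for d in map(parse_dump, names) if d["pid"] == pid),
                   key=lambda d: d["seq"])
    if not dumps:
        raise KeyError(pid)
    return dumps[0]["start"], dumps[0]["size"]


def extra_image_copies(names, pid):
    """Other bases in `pid` whose dumped region equals the main image's size.
    An image-sized region away from the image base is what manual-map and
    reflective-loader heuristics key on."""
    base, size = main_image(names, pid)
    return sorted({d["start"] for d in map(parse_dump, names)
                   if d["pid"] == pid and d["size"] == size and d["start"] != base})


def shared_bases(names):
    """(base, size) regions dumped from more than one PID."""
    seen = defaultdict(set)
    for d in map(parse_dump, names):
        seen[(d["start"], d["size"])].add(d["pid"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    for size, pids in sorted(pids_by_region_size(SAMPLE_DUMPS).items()):
        print(f"size 0x{size:X}: {len(pids)} processes")
    print("extra image-sized regions in 2812:",
          [hex(b) for b in extra_image_copies(SAMPLE_DUMPS, 2812)])
    for (base, size), pids in sorted(shared_bases(SAMPLE_DUMPS).items()):
        print(f"0x{base:X} (+0x{size:X}) dumped from PIDs {pids}")
```

The export does not say which operation produced each dump, so the shared bases between 2812 and its children are reported as a fact about the regions, not as proof of injection; the useful operational outcome is the 0x354000 image size and the 0x22A0000 region, which can be fed to a memory-scanning rule where the on-disk hashes cannot.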
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 15:44
Reported
2024-06-01 15:47
Platform
win10v2004-20240508-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| 21 hits; indicator details not captured in this export | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| 21 hits; indicator details not captured in this export | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| 64 hits; indicator details not captured in this export | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| 64 hits; indicator details not captured in this export | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\IYWbHqy.exe | N/A |
| N/A | N/A | C:\Windows\System\JQmaebP.exe | N/A |
| N/A | N/A | C:\Windows\System\lfrhIHq.exe | N/A |
| N/A | N/A | C:\Windows\System\dSBofDE.exe | N/A |
| N/A | N/A | C:\Windows\System\StNAhPX.exe | N/A |
| N/A | N/A | C:\Windows\System\Gaioxiy.exe | N/A |
| N/A | N/A | C:\Windows\System\lsVMocZ.exe | N/A |
| N/A | N/A | C:\Windows\System\kWnwVcV.exe | N/A |
| N/A | N/A | C:\Windows\System\vxhsMZx.exe | N/A |
| N/A | N/A | C:\Windows\System\NjDEbqV.exe | N/A |
| N/A | N/A | C:\Windows\System\njOnVvD.exe | N/A |
| N/A | N/A | C:\Windows\System\YItwdjz.exe | N/A |
| N/A | N/A | C:\Windows\System\boDNTOA.exe | N/A |
| N/A | N/A | C:\Windows\System\WvkjKTd.exe | N/A |
| N/A | N/A | C:\Windows\System\YarFXZE.exe | N/A |
| N/A | N/A | C:\Windows\System\uxoCLfM.exe | N/A |
| N/A | N/A | C:\Windows\System\PldVxsa.exe | N/A |
| N/A | N/A | C:\Windows\System\OewGOei.exe | N/A |
| N/A | N/A | C:\Windows\System\vuhXzAs.exe | N/A |
| N/A | N/A | C:\Windows\System\KrDoDmI.exe | N/A |
| N/A | N/A | C:\Windows\System\LsyUovz.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| 64 hits; indicator details not captured in this export | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_ae2aed25a1d4e3559547fbd25c8c9288_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\IYWbHqy.exe | C:\Windows\System\IYWbHqy.exe |
| C:\Windows\System\JQmaebP.exe | C:\Windows\System\JQmaebP.exe |
| C:\Windows\System\lfrhIHq.exe | C:\Windows\System\lfrhIHq.exe |
| C:\Windows\System\dSBofDE.exe | C:\Windows\System\dSBofDE.exe |
| C:\Windows\System\StNAhPX.exe | C:\Windows\System\StNAhPX.exe |
| C:\Windows\System\Gaioxiy.exe | C:\Windows\System\Gaioxiy.exe |
| C:\Windows\System\lsVMocZ.exe | C:\Windows\System\lsVMocZ.exe |
| C:\Windows\System\kWnwVcV.exe | C:\Windows\System\kWnwVcV.exe |
| C:\Windows\System\vxhsMZx.exe | C:\Windows\System\vxhsMZx.exe |
| C:\Windows\System\NjDEbqV.exe | C:\Windows\System\NjDEbqV.exe |
| C:\Windows\System\njOnVvD.exe | C:\Windows\System\njOnVvD.exe |
| C:\Windows\System\YItwdjz.exe | C:\Windows\System\YItwdjz.exe |
| C:\Windows\System\boDNTOA.exe | C:\Windows\System\boDNTOA.exe |
| C:\Windows\System\WvkjKTd.exe | C:\Windows\System\WvkjKTd.exe |
| C:\Windows\System\YarFXZE.exe | C:\Windows\System\YarFXZE.exe |
| C:\Windows\System\uxoCLfM.exe | C:\Windows\System\uxoCLfM.exe |
| C:\Windows\System\PldVxsa.exe | C:\Windows\System\PldVxsa.exe |
| C:\Windows\System\OewGOei.exe | C:\Windows\System\OewGOei.exe |
| C:\Windows\System\vuhXzAs.exe | C:\Windows\System\vuhXzAs.exe |
| C:\Windows\System\KrDoDmI.exe | C:\Windows\System\KrDoDmI.exe |
| C:\Windows\System\LsyUovz.exe | C:\Windows\System\LsyUovz.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 98.56.20.217.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
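Across both detonations the only endpoint that is not Windows background traffic is 3.120.209.58:8080 over TCP, and neither run resolved a domain for it; the Windows 10 run adds reverse lookups and Bing fetches that the VM produces on its own. The export carries no payload bytes, so whether that port serves a mining pool or a C2 listener cannot be told from this page. The script below is an added triage example, not part of the report: it parses the two Network tables as pasted above (including the raw export's habit of shifting the protocol into the Domain column when no domain exists), drops the noise, and intersects the two runs. The noise suffix list is an assumption suited to a stock Windows 10 sandbox image and would need widening for other images.

```python
# Rows copied from the two Network tables in this report (behavioral1 on
# win7, behavioral2 on win10); column order is Country | Destination |
# Domain | Proto. The win7 run's six identical rows are reproduced as such.
WIN7_ROWS = ["| DE | 3.120.209.58:8080 | | tcp |"] * 6
WIN10_ROWS = [
    "| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |",
    "| DE | 3.120.209.58:8080 | tcp | |",          # mis-aligned as in the raw export
    "| US | 8.8.8.8:53 | g.bing.com | udp |",
    "| US | 204.79.197.237:443 | g.bing.com | tcp |",
    "| NL | 23.62.61.194:443 | www.bing.com | tcp |",
    "| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |",
    "| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |",
    "| DE | 3.120.209.58:8080 | | tcp |",
]

# Background traffic a stock Windows 10 VM generates by itself: reverse
# lookups of its own peers and Bing/Edge start-page fetches. Assumed list.
NOISE_SUFFIXES = (".in-addr.arpa", ".bing.com", ".bing.net")


def parse_row(row):
    """Parse one pipe-table row; None for the header or malformed rows."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    if len(cells) != 4 or cells[0] == "Country":
        return None
    conn = dict(zip(("cc", "dst", "domain", "proto"), cells))
    # The raw export shifts the protocol into the Domain column when no
    # domain was resolved; put it back where it belongs.
    if conn["proto"] == "" and conn["domain"] in ("tcp", "udp"):
        conn["domain"], conn["proto"] = "", conn["domain"]
    return conn


def is_noise(conn):
    return conn["domain"].endswith(NOISE_SUFFIXES)


def connections(rows):
    """Distinct (destination, domain, proto) triples with background noise removed."""
    return {(c["dst"], c["domain"], c["proto"])
            for c in map(parse_row, rows) if c and not is_noise(c)}


def common_destinations(*row_sets):
    """Connections present in every detonation: the platform-independent part."""
    return set.intersection(*(connections(r) for r in row_sets))


def hit_count(rows, dst):
    """How many rows in a run targeted a given destination."""
    return sum(1 for c in map(parse_row, rows) if c and c["dst"] == dst)


if __name__ == "__main__":
    for dst, domain, proto in sorted(common_destinations(WIN7_ROWS, WIN10_ROWS)):
        print(f"{dst} {proto} domain={domain or '<none>'} "
              f"win7={hit_count(WIN7_ROWS, dst)} win10={hit_count(WIN10_ROWS, dst)}")
```

Intersecting the two runs rather than reading one alone is the point: a destination that survives both a Windows 7 and a Windows 10 detonation, with the OS chatter removed, is the one worth blocking and hunting for in proxy and NetFlow data.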
Files
memory/4528-0-0x00007FF685DB0000-0x00007FF686104000-memory.dmp
memory/4528-1-0x0000022ED6A00000-0x0000022ED6A10000-memory.dmp
C:\Windows\System\IYWbHqy.exe
| MD5 | d9dea36648f68cc4e250f9c3c41026a5 |
| SHA1 | 65fe9ccec7a9ebedb7f495af059dda329a3e0cc9 |
| SHA256 | f6df7f7ceb0a99bf33f320a5d9fe4efe4cf3825b34d83c12dfb3b04ded5278f5 |
| SHA512 | c4cc67389e830345c0ec611ca94b3783fdfafb3715bf3ecb7d30064d651fc1153a5bdf31d6e17eb3658968cba385b8a1f786bd0a77dff46a4e14371ecec476cc |
C:\Windows\System\lfrhIHq.exe
| MD5 | 53f2404f924a72af125ec2cc68c13710 |
| SHA1 | cd46f30a8fce1a4ac545330562f2d9999d707ca4 |
| SHA256 | d8ab6defc0b0df29f616b37e648c7233aae7950afdcafcf7f4246f043a4b032f |
| SHA512 | 9dd68ec0cb0c5527db3a1faeb2ba0ae3db1a36a076a76cbaa7eede274df8cb2a1d91031ca93304e55fde7e5ad699fb357747b56a21e431a248edf62c5da53aa4 |
C:\Windows\System\dSBofDE.exe
| MD5 | 11d4b827aa1241aa9fd4d9f32ae41a8f |
| SHA1 | 1ed1c66b48b2d474822dd5074e1e18f10a515a7a |
| SHA256 | aac0ce5ee3450098426a74524d2051a3bbf53a207a036b94f63d70f054e76609 |
| SHA512 | 5d52e7caf8e885a02606933c36cc893591025307af077eac841e2753e1fc50717391e9db88b547a2ba8f41e5c7f0e88632236d5c22b44d1721612b1c3fd12b41 |
memory/1820-22-0x00007FF64D270000-0x00007FF64D5C4000-memory.dmp
memory/2684-17-0x00007FF685C30000-0x00007FF685F84000-memory.dmp
C:\Windows\System\JQmaebP.exe
| MD5 | 03581e2289b485462a1b595ef25827d1 |
| SHA1 | b619e73faecaa40a52cce34238d754b3932c78ae |
| SHA256 | 312bfb222e53ae1391267bac9f6d64357dd0588f5420c5b2dea9066cf6fa5a8e |
| SHA512 | 2f9859a928fa99404f26567ac9c77fa6025c9b5e2e1aaef4f60944e61d1d4227deaf8ecfa0b33f007f56568b5545b9356d142c1a95df203ef8a4f983905ad33d |
memory/4212-10-0x00007FF7AD690000-0x00007FF7AD9E4000-memory.dmp
memory/4720-29-0x00007FF61C1C0000-0x00007FF61C514000-memory.dmp
C:\Windows\System\StNAhPX.exe
| MD5 | 51972d6a072c514ac680d84047d21fbe |
| SHA1 | dfc87a009b40a8976c10cc31836045648927ac69 |
| SHA256 | 1b17e4a2b9c1f06f9d1b701b7fea53be6094fd362424d497e31a063525361aec |
| SHA512 | f09553aed2dd43dbbcbf6de64e710e28e5da2b1ec38e3f859d3ad4f0c7658d9f4db8e6a280d2ce3a4d852cab39092a04364705becad186a5581b038ce21bb8d2 |
memory/4740-45-0x00007FF633220000-0x00007FF633574000-memory.dmp
memory/3512-51-0x00007FF74CE20000-0x00007FF74D174000-memory.dmp
C:\Windows\System\vxhsMZx.exe
| MD5 | a51bc24c34431e64cea87b205dc0c55e |
| SHA1 | a57235717c5bb62022749d3272b6e98f14e4a6be |
| SHA256 | bcafb06b316a73a98544852df42bdbd84eb7f974ac76b70ea600a89de4c73406 |
| SHA512 | 516b9a2304101c6c9e595f3b8faab4bdd4abc47a237510fc85ef9edb01f7ec51c1d7e5dddabea0cb604fe9884943d0fac6f4e8545c9eb3b71a68f6ea0b402fe4 |
C:\Windows\System\kWnwVcV.exe
| MD5 | e0b74196415c1d77a5cc03a0a879998b |
| SHA1 | 56fcce11811714694917020fc6776b5af5b046c9 |
| SHA256 | 0325f71eb320cd2782ba7af9f0dafd3c898633e23a0464f1249402f3f4eeb297 |
| SHA512 | 05d47fcf920ade330556d6068c2ab897e67d342a1fffbd06d98ab1cf19d3f9016c22ec679ae447b8761ffaf1126e1fd813344c961dda0ab8e8c486aadaaccf39 |
memory/3356-52-0x00007FF766560000-0x00007FF7668B4000-memory.dmp
memory/2084-50-0x00007FF73B0B0000-0x00007FF73B404000-memory.dmp
C:\Windows\System\lsVMocZ.exe
| MD5 | 16f8c4f36a1eb13fac45feb24b6ff31a |
| SHA1 | 0508f361cbda222d43ad21c0faa9ad57cf803f8c |
| SHA256 | 3a78ec15f44f537b4c5cdc9fee5478cd3d2bda4f00f196c849976b472b7eed35 |
| SHA512 | daa73c5a847126a0dfb2d0e7d5f8fbbd9b37c8975c1b8528e1b68ddca47c162cd6f2876de67375c0958de78ae3dfcc9790c66751f995d85a4a5b3f7ab36455f1 |
C:\Windows\System\Gaioxiy.exe
| MD5 | 4e011b34ccc6c0f38377eb4cd9ce2b9f |
| SHA1 | f6585e5f89c3bdf25a24630e605472dd296905c4 |
| SHA256 | ad10a626c2cf6a484a1086ba3d4dc7f1273190635b20247697006043a5c3e185 |
| SHA512 | f19ecda9b1b50b467a058f80c56e43bf2c39ab2137ec2d123aa6563ef2c244a9e93f54d986f7338a5ec09e3c2a8d6282d81084417dae34946e108129b30f18bb |
memory/3048-32-0x00007FF6C57E0000-0x00007FF6C5B34000-memory.dmp
C:\Windows\System\NjDEbqV.exe
| MD5 | 7ccc69b7ccd45ee983e704040763a4ef |
| SHA1 | 494922cd48754143184207922dd4e9031924c4f1 |
| SHA256 | 675d63ca290df0b4c8f77b96008a3a6cd3dca11331cf7462786132f5db44b20c |
| SHA512 | cdac545cb3c2b65d7fb18035a6fab3b9a4c7cd8024d87362f9792e84def29e6dc0b5476d00c3dda6adf57ef276ddbc9381944c702600966c8753e88d2a471ae8 |
memory/4460-62-0x00007FF604450000-0x00007FF6047A4000-memory.dmp
C:\Windows\System\njOnVvD.exe
| MD5 | 5f12d7a7cd10b11921baade753c5a732 |
| SHA1 | da639f98f2dbdd19bd3082a606f528a62ade85c2 |
| SHA256 | 5babe8e8d9407711b569be6e23d9acea02c4cafc389fa70968e65ebbfa9b857e |
| SHA512 | 9cd9ab3f458dd25b77126839ce4c989d51c40fd7e40228e76c1eca90ec272c79f4acf36f6d9604b64f3f09032980fa15143445dac0c262def498a43700f7452a |
memory/2368-71-0x00007FF7A23F0000-0x00007FF7A2744000-memory.dmp
memory/4212-73-0x00007FF7AD690000-0x00007FF7AD9E4000-memory.dmp
C:\Windows\System\YItwdjz.exe
| MD5 | 351498bb7a418347eaf211af64cbeee5 |
| SHA1 | 63cfa7ac0307060146612f14795b68851fc2ce03 |
| SHA256 | 06779319118c638ffdebc02b46b463e4ec3d73763f2cdbe5970e66d3e18bcbd5 |
| SHA512 | fd311f529e0c3aec247755074f212355ea8390dc29237e6496fea9c94f7bf32d5f77c5a8340e646a3a8ee03adbb37f1cb4958418a264dd8352c1896c073fbf9b |
memory/4420-74-0x00007FF6518D0000-0x00007FF651C24000-memory.dmp
C:\Windows\System\boDNTOA.exe
| MD5 | b51657c366236640ebd57032c98cc2a8 |
| SHA1 | 5c2762337a66d5be67993a65b45c475666459c60 |
| SHA256 | f131e6e02de94073ea9d2f53a674941d95f15c04cb9c28570560590d78c34068 |
| SHA512 | 4f4699c549b5233517f6c0d6938f47b54f5cba86567b5cabb005735d177b071f5dafbacf97c66b1d078ed42c6706cc455c9599fcee0c5bec1c44edb0462efc07 |
C:\Windows\System\YarFXZE.exe
| MD5 | 51c62903824a938f3d2545899c0fdb7f |
| SHA1 | 5c2586d8cb8acbe1d9e70492721abea6f5e20fe6 |
| SHA256 | 1a1704548cae72d042e206ea7a26766219434a91d6109da702f63f3bbf97db2b |
| SHA512 | af56f2e8e67dfc60795080c159ddebb0ed8147a9aaa3bca101e517365902912ad14a090b21ecd5ae4d46e8de7631fa2ed452c709fb85bab097b2d1bb367ed04d |
C:\Windows\System\uxoCLfM.exe
| MD5 | ed0508f20ed63c4fcbbc3e1704f5f7d5 |
| SHA1 | 32c7b2f7b28c675051ec0580e3893bbc47735b5d |
| SHA256 | 6dc38ea46626ec2bd10ed409df57d252da720cfab0ae5857e4b4823ad880b1af |
| SHA512 | ee26229df23991f6c023979151d09f81e6a6f02a140297d952b8508074603e683696f90bfd33d278e3d8398f934e2d678e0470fe33636630d54e25184594bbd2 |
memory/1740-101-0x00007FF7E95F0000-0x00007FF7E9944000-memory.dmp
C:\Windows\System\PldVxsa.exe
| MD5 | 1c8a3389420360f3424879e1c75db82a |
| SHA1 | 3ca65691a8d10e2c8cfb26eee804a8f7838fde00 |
| SHA256 | 2e4122efb51c3c663e6ef76aebbdc7a26ff778473e02cbd428390dcfe01a6d4d |
| SHA512 | 5077639635331d5806173f8ded12db94bf3a836650f6685030be9995dc7be526d0b70ae4fb73eaa163d2b34e43ed08a7473cdebf044ed7f4bfcc148d4582141b |
memory/332-103-0x00007FF7E6C60000-0x00007FF7E6FB4000-memory.dmp
memory/4944-102-0x00007FF68F1B0000-0x00007FF68F504000-memory.dmp
memory/3048-100-0x00007FF6C57E0000-0x00007FF6C5B34000-memory.dmp
C:\Windows\System\WvkjKTd.exe
| MD5 | a966cc57bcfe705c16747cc3af958b15 |
| SHA1 | e617ed52b01efa79ef6590b437bd848df44fec1c |
| SHA256 | fb40218e5677c3f20c1fca7f7d6f9fc1fd2f36fd5ac72415a94fbbaec795faac |
| SHA512 | 92dd47e7e4ee6a22481b0cc57afe3ebec6f1b67ac3e8d7f842b5a8de539b16827b2bebfcbc2cbbec5449167d4450e52f9f8f10aa9f70021fcfff092594186304 |
memory/2948-90-0x00007FF695690000-0x00007FF6959E4000-memory.dmp
memory/4720-87-0x00007FF61C1C0000-0x00007FF61C514000-memory.dmp
memory/1820-86-0x00007FF64D270000-0x00007FF64D5C4000-memory.dmp
memory/4512-80-0x00007FF6586C0000-0x00007FF658A14000-memory.dmp
memory/4528-69-0x00007FF685DB0000-0x00007FF686104000-memory.dmp
C:\Windows\System\OewGOei.exe
| MD5 | 7eaffc70a799a8c373d48b64b2b3283c |
| SHA1 | 96b0b81f17ca5a92a77de9a5d0cc84c2312392ec |
| SHA256 | a9444e1ae87c28e8dbacce5fd33334daef9195f3fb120609087d4685d2f84c93 |
| SHA512 | eaf64972cadbd09160d62054c67fa0f6d85862ebd98a024d79c20e762363bf37263169bba66d3a5a8eeb7caa6d581989227239dfe158f30dc561cc3510731509 |
C:\Windows\System\KrDoDmI.exe
| MD5 | 95192ef64b3986a6b5d712d3200f3435 |
| SHA1 | f84b8e860c077b23d20db4c6d5b544244f806586 |
| SHA256 | 81ca36ce60e272a4eef7a12d846721fd3d2833dfaa098cd485244d6d4bdd11db |
| SHA512 | 680d0dd9758184d1a86de8726abd786ec182d2bd629c3cf18629994b67458a0fe5455410ce341d4930c721f48e4095e1b010ac689ba3a700799a40fd0d4fe9b7 |
memory/4740-115-0x00007FF633220000-0x00007FF633574000-memory.dmp
memory/2064-121-0x00007FF6D36B0000-0x00007FF6D3A04000-memory.dmp
memory/3512-127-0x00007FF74CE20000-0x00007FF74D174000-memory.dmp
memory/2724-130-0x00007FF769D30000-0x00007FF76A084000-memory.dmp
C:\Windows\System\LsyUovz.exe
| MD5 | 92dd9f64b2298a8eb24155d77fe84cd1 |
| SHA1 | 65fc2bece4843c5279ce9aa99c1cc8f11c6bb511 |
| SHA256 | ecbcf769b780d81cf979a594b526c28d879e44a90931b5f896d3fbc810d3605d |
| SHA512 | 7c6567c3041f00724d686d9cd31ac4165c65c7df4a74e0431f39700c65085aa1482d94da4fe86dd7f0b3c854d4f212fe3422dc523084533e2e5dcf231b6e2180 |
memory/4956-126-0x00007FF7731E0000-0x00007FF773534000-memory.dmp
memory/728-125-0x00007FF77FD10000-0x00007FF780064000-memory.dmp
C:\Windows\System\vuhXzAs.exe
| MD5 | d3dbf6ba367b2905d9a94bbf0007aed1 |
| SHA1 | 2f057304ccc3d1f7754a8e13bd1999815080db40 |
| SHA256 | 3bb0d153b8ba072e5e4ee059cd681bd365072e4ae9e5f943989396699962a9be |
| SHA512 | ed4e3ad3ebcc66dc9cca063db3b4aec72a2067d6e26cc81eec8f5999bb90f8f17e5cf039f25db7fe4fa6836f41b1082617444e044aae2416c57c9226bbe5e57c |
memory/3356-135-0x00007FF766560000-0x00007FF7668B4000-memory.dmp
memory/4420-136-0x00007FF6518D0000-0x00007FF651C24000-memory.dmp
memory/4512-137-0x00007FF6586C0000-0x00007FF658A14000-memory.dmp
memory/2948-138-0x00007FF695690000-0x00007FF6959E4000-memory.dmp
memory/1740-139-0x00007FF7E95F0000-0x00007FF7E9944000-memory.dmp
memory/4944-140-0x00007FF68F1B0000-0x00007FF68F504000-memory.dmp
memory/2064-142-0x00007FF6D36B0000-0x00007FF6D3A04000-memory.dmp
memory/332-141-0x00007FF7E6C60000-0x00007FF7E6FB4000-memory.dmp
memory/728-143-0x00007FF77FD10000-0x00007FF780064000-memory.dmp
memory/4956-144-0x00007FF7731E0000-0x00007FF773534000-memory.dmp
memory/2724-145-0x00007FF769D30000-0x00007FF76A084000-memory.dmp
memory/4212-146-0x00007FF7AD690000-0x00007FF7AD9E4000-memory.dmp
memory/2684-147-0x00007FF685C30000-0x00007FF685F84000-memory.dmp
memory/1820-148-0x00007FF64D270000-0x00007FF64D5C4000-memory.dmp
memory/3048-149-0x00007FF6C57E0000-0x00007FF6C5B34000-memory.dmp
memory/4720-150-0x00007FF61C1C0000-0x00007FF61C514000-memory.dmp
memory/2084-152-0x00007FF73B0B0000-0x00007FF73B404000-memory.dmp
memory/4740-151-0x00007FF633220000-0x00007FF633574000-memory.dmp
memory/3512-153-0x00007FF74CE20000-0x00007FF74D174000-memory.dmp
memory/3356-154-0x00007FF766560000-0x00007FF7668B4000-memory.dmp
memory/4460-155-0x00007FF604450000-0x00007FF6047A4000-memory.dmp
memory/2368-156-0x00007FF7A23F0000-0x00007FF7A2744000-memory.dmp
memory/4420-157-0x00007FF6518D0000-0x00007FF651C24000-memory.dmp
memory/4512-158-0x00007FF6586C0000-0x00007FF658A14000-memory.dmp
memory/2948-159-0x00007FF695690000-0x00007FF6959E4000-memory.dmp
memory/332-160-0x00007FF7E6C60000-0x00007FF7E6FB4000-memory.dmp
memory/4944-162-0x00007FF68F1B0000-0x00007FF68F504000-memory.dmp
memory/1740-161-0x00007FF7E95F0000-0x00007FF7E9944000-memory.dmp
memory/728-163-0x00007FF77FD10000-0x00007FF780064000-memory.dmp
memory/2724-165-0x00007FF769D30000-0x00007FF76A084000-memory.dmp
memory/4956-164-0x00007FF7731E0000-0x00007FF773534000-memory.dmp
memory/2064-166-0x00007FF6D36B0000-0x00007FF6D3A04000-memory.dmp