Analysis Overview
SHA256
6931c38c3fd5ea1cfd632c0c300d81e346294bc9d6fd131358ad5ad5750da7c4
Threat Level: Known bad
The file 2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
UPX dump on OEP (original entry point)
Cobaltstrike family
Cobalt Strike reflective loader
Xmrig family
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX packed file
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-01 17:01
Signatures
Cobalt Strike reflective loader: 1 match (indicator details not captured in this export)
Cobaltstrike family
Detects Reflective DLL injection artifacts: 1 match (indicator details not captured in this export)
UPX dump on OEP (original entry point): 1 match (indicator details not captured in this export)
XMRig Miner payload: 1 match (indicator details not captured in this export)
Xmrig family
UPX packed file: 1 match (indicator details not captured in this export)
Unsigned PE: 1 match (indicator details not captured in this export)
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-01 17:01
Reported
2024-06-01 17:04
Platform
win7-20240221-en
Max time kernel
141s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader: 21 matches (indicator details not captured in this export)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts: 21 matches (indicator details not captured in this export)
UPX dump on OEP (original entry point): 47 matches (indicator details not captured in this export)
XMRig Miner payload: 49 matches (indicator details not captured in this export)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\RRdfeur.exe | N/A |
| N/A | N/A | C:\Windows\System\CDarvbm.exe | N/A |
| N/A | N/A | C:\Windows\System\yOqkvlw.exe | N/A |
| N/A | N/A | C:\Windows\System\GyukSRm.exe | N/A |
| N/A | N/A | C:\Windows\System\eqvfHqJ.exe | N/A |
| N/A | N/A | C:\Windows\System\CjiBsUh.exe | N/A |
| N/A | N/A | C:\Windows\System\jNWVScM.exe | N/A |
| N/A | N/A | C:\Windows\System\WYBsIEk.exe | N/A |
| N/A | N/A | C:\Windows\System\AGSljae.exe | N/A |
| N/A | N/A | C:\Windows\System\dHxxwyH.exe | N/A |
| N/A | N/A | C:\Windows\System\xUNuTFF.exe | N/A |
| N/A | N/A | C:\Windows\System\exqhdMm.exe | N/A |
| N/A | N/A | C:\Windows\System\HXoLwnv.exe | N/A |
| N/A | N/A | C:\Windows\System\klHDXHp.exe | N/A |
| N/A | N/A | C:\Windows\System\pXSBCNE.exe | N/A |
| N/A | N/A | C:\Windows\System\TGMUpkp.exe | N/A |
| N/A | N/A | C:\Windows\System\RPoPUao.exe | N/A |
| N/A | N/A | C:\Windows\System\sfVYZEj.exe | N/A |
| N/A | N/A | C:\Windows\System\gzIjdFh.exe | N/A |
| N/A | N/A | C:\Windows\System\lqDVDNQ.exe | N/A |
| N/A | N/A | C:\Windows\System\oOeAIlh.exe | N/A |
Loads dropped DLL
UPX packed file: 47 matches (indicator details not captured in this export)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe | N/A |
SeLockMemoryPrivilege is the privilege XMRig enables through AdjustTokenPrivileges so it can back its RandomX dataset with large pages; a binary running from a user's Temp directory enabling it is consistent with the XMRig Miner payload signature above.
Suspicious use of WriteProcessMemory
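The two behaviours with process detail in this run, a Temp-resident sample spawning a series of seven-letter executables from C:\Windows\System\ and the same sample enabling SeLockMemoryPrivilege, can be turned into a hunt. The code below is an added example written for this page, not code from the sandbox or from the sample; the event records and their field names (type, pid, image, parent_image, privilege) are constructed to resemble process-creation and privilege-adjust telemetry and are assumptions of the example, as is the min_children threshold.

```python
r"""Hunt logic for the behaviour in this report: a sample in a user's Temp
directory that drops seven-letter, mixed-case .exe files into
C:\Windows\System\ (not System32) and executes them, plus a user-mode
process enabling SeLockMemoryPrivilege.

Added example, not part of the sandbox report. The EVENTS list is
constructed to resemble Sysmon EventID 1 (process create) records and a
generic privilege-adjust record; the field names are assumptions."""
import re
from collections import defaultdict

# Dropped executables in the report are seven ASCII letters, mixed case,
# directly under C:\Windows\System\ (assumed stable for this sample).
DROPPED_EXE = re.compile(r"^c:\\windows\\system\\[a-z]{7}\.exe$", re.IGNORECASE)
# The parent in the report runs from a user-writable Temp path.
USER_TEMP = re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)

# Constructed sample events (not the report's telemetry).
EVENTS = [
    {"type": "process_create", "pid": 2180,
     "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "privilege_adjust", "pid": 2180,
     "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "privilege": "SeLockMemoryPrivilege"},
    {"type": "process_create", "pid": 324,
     "image": r"C:\Windows\System\RRdfeur.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe"},
    {"type": "process_create", "pid": 2956,
     "image": r"C:\Windows\System\CDarvbm.exe",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe"},
    # Benign noise: a System32 service host and the kernel's own privilege use.
    {"type": "process_create", "pid": 4000,
     "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"type": "privilege_adjust", "pid": 4,
     "image": "System", "privilege": "SeLockMemoryPrivilege"},
]


def find_dropper_chains(events, min_children=2):
    """Return {parent_image: [child images]} for parents in a user Temp
    directory that spawned at least min_children seven-letter EXEs from
    C:\\Windows\\System\\. A single hit is treated as noise."""
    children = defaultdict(list)
    for ev in events:
        if ev["type"] != "process_create":
            continue
        if DROPPED_EXE.match(ev["image"]) and USER_TEMP.match(ev["parent_image"]):
            children[ev["parent_image"]].append(ev["image"])
    return {p: c for p, c in children.items() if len(c) >= min_children}


def find_lock_memory_requests(events):
    """Images other than the kernel 'System' process that enabled
    SeLockMemoryPrivilege. XMRig enables it to allocate large pages for its
    RandomX dataset, so a user-profile binary doing this is a strong miner signal."""
    hits = []
    for ev in events:
        if ev["type"] != "privilege_adjust":
            continue
        if ev["privilege"] == "SeLockMemoryPrivilege" and ev["image"] != "System":
            hits.append(ev["image"])
    return hits


if __name__ == "__main__":
    for parent, kids in find_dropper_chains(EVENTS).items():
        print(f"dropper chain: {parent} -> {len(kids)} dropped EXEs")
    for img in find_lock_memory_requests(EVENTS):
        print(f"SeLockMemoryPrivilege enabled by: {img}")
```

The two checks are kept separate on purpose: the dropper chain fires on the file-system pattern alone, and the privilege check fires on the miner's memory setup alone, so either survives if the sample changes the other half of its behaviour.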
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\RRdfeur.exe | C:\Windows\System\RRdfeur.exe |
| C:\Windows\System\CDarvbm.exe | C:\Windows\System\CDarvbm.exe |
| C:\Windows\System\yOqkvlw.exe | C:\Windows\System\yOqkvlw.exe |
| C:\Windows\System\GyukSRm.exe | C:\Windows\System\GyukSRm.exe |
| C:\Windows\System\eqvfHqJ.exe | C:\Windows\System\eqvfHqJ.exe |
| C:\Windows\System\dHxxwyH.exe | C:\Windows\System\dHxxwyH.exe |
| C:\Windows\System\CjiBsUh.exe | C:\Windows\System\CjiBsUh.exe |
| C:\Windows\System\HXoLwnv.exe | C:\Windows\System\HXoLwnv.exe |
| C:\Windows\System\jNWVScM.exe | C:\Windows\System\jNWVScM.exe |
| C:\Windows\System\pXSBCNE.exe | C:\Windows\System\pXSBCNE.exe |
| C:\Windows\System\WYBsIEk.exe | C:\Windows\System\WYBsIEk.exe |
| C:\Windows\System\RPoPUao.exe | C:\Windows\System\RPoPUao.exe |
| C:\Windows\System\AGSljae.exe | C:\Windows\System\AGSljae.exe |
| C:\Windows\System\sfVYZEj.exe | C:\Windows\System\sfVYZEj.exe |
| C:\Windows\System\xUNuTFF.exe | C:\Windows\System\xUNuTFF.exe |
| C:\Windows\System\gzIjdFh.exe | C:\Windows\System\gzIjdFh.exe |
| C:\Windows\System\exqhdMm.exe | C:\Windows\System\exqhdMm.exe |
| C:\Windows\System\lqDVDNQ.exe | C:\Windows\System\lqDVDNQ.exe |
| C:\Windows\System\klHDXHp.exe | C:\Windows\System\klHDXHp.exe |
| C:\Windows\System\oOeAIlh.exe | C:\Windows\System\oOeAIlh.exe |
| C:\Windows\System\TGMUpkp.exe | C:\Windows\System\TGMUpkp.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2180-0-0x000000013FE70000-0x00000001401C4000-memory.dmp
memory/2180-1-0x00000000001F0000-0x0000000000200000-memory.dmp
C:\Windows\system\RRdfeur.exe
| MD5 | 6bd33f93d2d2d3f6096f9d4b9688f2b8 |
| SHA1 | 96de9bb2bafeb5d278032e4cfdaf14529c749231 |
| SHA256 | eac0dd48ca92b743cccb1b3fbd2fdcd5561addcc1bafb06c229b352537e40c59 |
| SHA512 | e2d2f717332b0b8dfc43ad3ad7de35fc4f070a2e1e83230892782a197e69be6521d22b7de1d82795f4740fbf8014910825ed973039d816b428263b9c2547fbd9 |
memory/324-8-0x000000013F350000-0x000000013F6A4000-memory.dmp
C:\Windows\system\CDarvbm.exe
| MD5 | 1dd6cc7cf6fb5a0a21689c0732674219 |
| SHA1 | 2a5662dce415876aaa91acc48e170dd482280931 |
| SHA256 | fc213dec94a64004a9e6945a90d9551dc6d931c372f475a0145af74935dd3efb |
| SHA512 | 93c10141cc9cb47ee0a0a27ba40316d0cf802c71989b98dfa294f7351738e81661d3f9538d5679d2258e0a29c6878c135126f197b91c99ba546411c0216376e6 |
C:\Windows\system\yOqkvlw.exe
| MD5 | 67203355aeb0738da1b35fa90adb084d |
| SHA1 | 80a778b6b423e0e9510966ac436fae27be47c173 |
| SHA256 | 96f95fd09a1e5ffb5230368eee1db968dc30ec5002d079f0c0f44320d7c36d7b |
| SHA512 | 0b967a44541e5f557ef9edae16b348c719e3835472f533d2200493fe47b7649026285fd445ade517307dcb02a03bf229e1fb353b541ffe4756cc149bf12a3277 |
memory/2956-14-0x000000013FD00000-0x0000000140054000-memory.dmp
memory/2180-21-0x000000013F6D0000-0x000000013FA24000-memory.dmp
C:\Windows\system\GyukSRm.exe
| MD5 | 10a5997c78dead6dfe92ed69e3dacfec |
| SHA1 | 52e379a605600db3e4ad9af210bcc51353cba661 |
| SHA256 | 9e264017447c01a4789b0f1bc8214dd9c6393e60f9b72ad5b32352a03f86d560 |
| SHA512 | a213b38fdc72ab86ca339929543adcff544ea70ae570d392a85f8b7da55d46d1cf0b0baaead748a505182e8fc856c3cb2a228d57646339791546c670b1144c54 |
memory/1720-28-0x000000013F6D0000-0x000000013FA24000-memory.dmp
memory/3012-109-0x000000013F460000-0x000000013F7B4000-memory.dmp
C:\Windows\system\sfVYZEj.exe
| MD5 | 44709ee073c7585ae2f3ca253872bc68 |
| SHA1 | 03d2504144f07cd7e3d6a69bcbabd921233c266d |
| SHA256 | f92c6be81b4c2fe9d04ece0266f2d3058011358e8f7d615bd05cd8016376440d |
| SHA512 | c52f6b470d63d291a8bb00137de9c2f649fb2805ae2fc1366a1b2097408416040cd5f5f8d0c9256e585da8b61d86006a71c1dbcd15a6e028d81faa397294f6f2 |
\Windows\system\oOeAIlh.exe
| MD5 | cfc748eaa4cc190822bf006b1e785804 |
| SHA1 | b2deb798b20b04a031c0e68a28c57a464af92809 |
| SHA256 | d59e39374c145abf36c7a8c79e7734f36037b9b76f3549a7e59a988de952d2ad |
| SHA512 | b31ec562caad68ff000c05ee11b76c302e2ef71469fd6e8dd35db9aa42d76d196d54e3778746cfb5d614435652eade6274e0f2d873a434fc71b0a443e440aa64 |
memory/2180-97-0x00000000022A0000-0x00000000025F4000-memory.dmp
C:\Windows\system\HXoLwnv.exe
| MD5 | 70999bdafe61208705cfccc5929e728b |
| SHA1 | f213be038393d4eeb1d2342390e0991e9f0fed5a |
| SHA256 | 11bd480245c7e3a70c77a6122243e530d901f084a9ea357bff8ea2d2fa8077ee |
| SHA512 | 11abd2de3c9a44ace2bbb5d08c13ff1e4a20a5cd47d4e51c7236621b9ee46162cacdb72dfb80b28a3524bfa35552f2bc1bf3e8b82aab737a0b63fdc890ab9a28 |
C:\Windows\system\exqhdMm.exe
| MD5 | 828b59124cca2ec4066179dc742f2c5f |
| SHA1 | 7fc4e111e5613c6032636a1db81b7733ef4cee5e |
| SHA256 | d0afc1a89bac8c8741f2d5361a9478001f9b3786884334a211b95c0d6deda3d4 |
| SHA512 | 476b48f8db97945d3c6cdf4533b484218638e4ad7ceb8c9967866722b1a5995f9d6ec14a06accf8f6f8ceb745309aee256043984fbb299adbe1d1b661ae6e9e7 |
memory/1872-93-0x000000013FF70000-0x00000001402C4000-memory.dmp
\Windows\system\lqDVDNQ.exe
| MD5 | 7ab3f611ac2ac52c8003723a36ddf28c |
| SHA1 | 6d24a484508091107f44c50e8da3f97d84c4474b |
| SHA256 | 03d587d4501ee55950472f4e909240b596e8c2fa13b1ea5eb0e988e158896c77 |
| SHA512 | 34b75c7259d6500e2495e4330c2871c4c1449b6bc0decf1d7d0bc926341ed5eacc0134220691aeb191a4c2f52771e313c6dd5dbb8bbbfde36039037f7eda60d1 |
C:\Windows\system\xUNuTFF.exe
| MD5 | d4e6be526537dd1981681ccf5b1e5551 |
| SHA1 | 1120de6bdc1139d7d7071a4fb245c8ae02ec0675 |
| SHA256 | a48197c6bb6f7243c781652f9f884249605c654c0a982f0c60a11e17d3b0d407 |
| SHA512 | a5447cffc864a5de47f4f5a4289a37a3a018d1ba47cafdd4392b172b26944865c08637d66b80d82f274ece900a34dd4f745453ecd472d528e72e6f0ecd5346c8 |
C:\Windows\system\dHxxwyH.exe
| MD5 | 26091a67d07a4ca7ee723077addcfb07 |
| SHA1 | b527f3b4ad5c8dce189d22063976bc44cb89093e |
| SHA256 | 410c77258b7ae83a27a11a29863c25d7b2d06d38a14884101246fd54625196ba |
| SHA512 | 84e1cdd237fba283413f55ad59116e7171b91e1311b71fc12d25b40dc12010d860162de78c3254c8b026fe5a08a0c0a8ab64220f5bf3d7f56270fe987d738038 |
\Windows\system\gzIjdFh.exe
| MD5 | e8746e9984439b6f894a6df54baec353 |
| SHA1 | 45fc0be8045b407da75bafeb982b0c18277a46fc |
| SHA256 | bf2b50ba60e4cd0e5e9e5925d6ea76e6fa25fd83e60a2d04bf4a8c15d75b672f |
| SHA512 | d419f6c5f252728fa7b92ac6c460153e108453164ec928b65b2a28a18daecd2624c0f41451d334fb67fe897260ca03dff293f3696d8c6aa64b85a88fc4436895 |
memory/2180-133-0x000000013FE70000-0x00000001401C4000-memory.dmp
memory/2180-74-0x00000000022A0000-0x00000000025F4000-memory.dmp
C:\Windows\system\AGSljae.exe
| MD5 | 90f6ce316cba85bd3f44fb9bc3f323ee |
| SHA1 | 71a7a36bc9c9e5978bf6d1d20a7f08190ebc4ea2 |
| SHA256 | ae0f5acc63aad33b94ebda63bbad1970b69f583fba235911eb108618f9471d5f |
| SHA512 | de2a86a60a931a946649bb7b09a44138454f7bac9f5d417a162a40ba149502ac3754600d78850572029b65629ad2255359936b85e26d929cb06476a24198d520 |
memory/2992-65-0x000000013FD90000-0x00000001400E4000-memory.dmp
\Windows\system\RPoPUao.exe
| MD5 | 19fd6e74cdde69344cbc403967c76220 |
| SHA1 | e5fb3724392574ec92fb1f5f256dbb3c81f9bbd5 |
| SHA256 | c170acc11001311da68ef205f99d2994d892c702c05195793a9f3246b2a1dc8f |
| SHA512 | d24b97da6796ec0334b795176c56ac02a24b48cfd27f0cace82976c38a3b93cef97bd2c9cbc80bc10a3bcdba2a34808b749143be45ade670fce0af29b9d56724 |
memory/2180-122-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/2180-121-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/2180-120-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/2180-119-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/2180-134-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/2180-118-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/2180-117-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/2904-116-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
C:\Windows\system\TGMUpkp.exe
| MD5 | b5bdc12efda685ea402f57e0ef1b26d8 |
| SHA1 | 8f9de694139689cd3424321e32e77fce59eb99e9 |
| SHA256 | 19980ac78ae73366675bf388ec63add4f0690ebc365ac81eac8e2bd79e93a296 |
| SHA512 | 7ca4bd6dc3dc1e2716da634eb90f31842820b58461ce8345584f63130f1234623780c17d1026a42ea845e20313894338473a343cae9f0db7ded44d14fd46e3af |
C:\Windows\system\pXSBCNE.exe
| MD5 | b0e80db814bdbeef75095218f82c5364 |
| SHA1 | c1e064f02f9e8ab5915407406aadcdb81eda4b18 |
| SHA256 | 5ec79c29a343b0ea5ec8f9ca334b27ae9bb4c5e4addeb79e80e9dd997a041425 |
| SHA512 | 6e69d2d791d1dad7b22cf31940ed29162649eeaa9d69836b38f610a3a7e425098ae06a4227c121290d8d04a6e1fde757773628a42b44fa5a722af35ddb87048c |
C:\Windows\system\klHDXHp.exe
| MD5 | feefd32d839f6cb6df9630c382c0d800 |
| SHA1 | 7faff234224678c49b0801d2fac06068eec95013 |
| SHA256 | e3f8a005def19c08b7af99bb4479e84b77e5f91a3bb8c981d8b8238f0d90fdb0 |
| SHA512 | cc22db9d63224fd55dbbf76613af6491dd4d112c58719c88ebef6b8fea59544ff7bc760840fd0c24ec0f2786a684fcab157d463a366039f7ed7159e1f0f489a3 |
C:\Windows\system\jNWVScM.exe
| MD5 | ae76b303065d71f7fa6bc957f0fbc891 |
| SHA1 | 9f215fb0b444355d0f6882cc8e573eae3ee73bcf |
| SHA256 | 5eb78aedad8db92af7ae5bc1bf13a220cb7fe1778d368ae5af1f988bf59b8533 |
| SHA512 | 0d06e896e9f19137c5a5fcce726026b137b0533deed59cc0a3806d47c88d890ded7db1d5a9b82b6117e8fbb9d0a1945b6938f666c1bf4f6e1ddc889be36d0409 |
memory/2764-100-0x000000013FE70000-0x00000001401C4000-memory.dmp
memory/2180-99-0x00000000022A0000-0x00000000025F4000-memory.dmp
C:\Windows\system\CjiBsUh.exe
| MD5 | cfd80e3a11330b1a1bfa0069c8686694 |
| SHA1 | c085d1d63f68d8662ff1692b5f120804bed532d9 |
| SHA256 | b3c378e8d1a41462a9ec51747ef184ca3c71a7a93a4877a9aee9983cea92b72f |
| SHA512 | 2d55fc60a3aff99177d598698405059d9ea5aed15700f81b61c9f19499b6050d6c4b880b2f7ba8981c1d4cc73a71126def0d4aac1cea4245eea69681b8d0ffae |
memory/2180-43-0x000000013F460000-0x000000013F7B4000-memory.dmp
memory/2180-78-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/2956-135-0x000000013FD00000-0x0000000140054000-memory.dmp
memory/2100-69-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2180-60-0x00000000022A0000-0x00000000025F4000-memory.dmp
C:\Windows\system\WYBsIEk.exe
| MD5 | 4c4c703a464e81c929b35de99cc56c79 |
| SHA1 | ebad8d1a48d9e60bbfb06b7a4e5bf6262b559996 |
| SHA256 | 560240d63acea6b3819a0efeac388781673353c93516cfa1f7850476ef93e5bd |
| SHA512 | 2c96159958ef7706f4c68ef7f2957b506d209dae6eb7008086cd7aa9d7934715cb63e8524b483cbd250e41854706f8f7bbb8c9dee9024c49f0bf3dc6f31816c2 |
memory/2860-41-0x000000013FB50000-0x000000013FEA4000-memory.dmp
C:\Windows\system\eqvfHqJ.exe
| MD5 | 7d6cae4194bc506378dff116d30f8d8a |
| SHA1 | f459c442ba6e0c6dacf414d55273a5b477617371 |
| SHA256 | 3c00a13197e121b0a20547f58224aaa0c8bdec7d833ebb09f25cb21425b29fc9 |
| SHA512 | e71dc6f7c9e79708ef86f803577fa7e684a015f468ec8b53a25671a325792ee43f1eaf7e47f094406810357ad0ef03f4404398172072555f0c359b36de16a0e0 |
memory/2180-26-0x000000013F6D0000-0x000000013FA24000-memory.dmp
memory/1028-25-0x000000013F6D0000-0x000000013FA24000-memory.dmp
memory/2180-13-0x00000000022A0000-0x00000000025F4000-memory.dmp
memory/1720-136-0x000000013F6D0000-0x000000013FA24000-memory.dmp
memory/2180-137-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/324-138-0x000000013F350000-0x000000013F6A4000-memory.dmp
memory/1028-140-0x000000013F6D0000-0x000000013FA24000-memory.dmp
memory/2956-139-0x000000013FD00000-0x0000000140054000-memory.dmp
memory/2860-141-0x000000013FB50000-0x000000013FEA4000-memory.dmp
memory/1720-142-0x000000013F6D0000-0x000000013FA24000-memory.dmp
memory/2100-143-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2992-145-0x000000013FD90000-0x00000001400E4000-memory.dmp
memory/1872-144-0x000000013FF70000-0x00000001402C4000-memory.dmp
memory/2904-148-0x000000013F9A0000-0x000000013FCF4000-memory.dmp
memory/3012-147-0x000000013F460000-0x000000013F7B4000-memory.dmp
memory/2764-146-0x000000013FE70000-0x00000001401C4000-memory.dmp
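Pulling indicators out of this export by hand is error-prone: the Network table shifts "tcp" into the Domain column and leaves Proto empty, some dropped-file paths lack a drive letter, and the same destination is listed once per connection. The parser below is an added example for this page, not the sandbox's own tooling; SAMPLE is a short excerpt of lines taken from this report, while the output structure, the C: prefix applied to drive-less paths, and the hash-length check are assumptions of the example.

```python
r"""IOC extractor for the text layout of this sandbox report: a dropped-file
path line followed by '| MD5 | ... |' rows, 'memory/...' dump lines, and
'| CC | ip:port | domain | proto |' network rows.

Added example, not part of the report. SAMPLE is an excerpt of lines from
this page; the output shape is an assumption of this example."""
import json
import re
from collections import Counter

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
PATH_LINE = re.compile(r"^(?:[A-Za-z]:)?\\[^|]+\.[A-Za-z0-9]{1,4}$")
MEM_LINE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PROTOS = {"tcp", "udp"}

# Excerpt of lines from this report (constructed subset, order preserved).
SAMPLE = r"""
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | tcp | |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
Files
memory/2180-0-0x000000013FE70000-0x00000001401C4000-memory.dmp
C:\Windows\system\RRdfeur.exe
| MD5 | 6bd33f93d2d2d3f6096f9d4b9688f2b8 |
| SHA1 | 96de9bb2bafeb5d278032e4cfdaf14529c749231 |
| SHA256 | eac0dd48ca92b743cccb1b3fbd2fdcd5561addcc1bafb06c229b352537e40c59 |
memory/324-8-0x000000013F350000-0x000000013F6A4000-memory.dmp
\Windows\system\oOeAIlh.exe
| MD5 | cfc748eaa4cc190822bf006b1e785804 |
| SHA256 | d59e39374c145abf36c7a8c79e7734f36037b9b76f3549a7e59a988de952d2ad |
"""


def parse_net_row(line):
    """Parse one '| CC | ip:port | domain | proto |' row. The export sometimes
    shifts 'tcp' into the Domain column and leaves Proto empty, so the trailing
    cells are classified by content rather than by position."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    cells = [c for c in cells if c]
    if len(cells) < 2 or len(cells[0]) != 2 or not cells[0].isupper():
        return None  # header row or not a network row
    host, sep, port = cells[1].rpartition(":")
    if not sep or not port.isdigit():
        return None
    rest = cells[2:]
    proto = next((c for c in rest if c.lower() in PROTOS), "")
    domain = next((c for c in rest if c.lower() not in PROTOS), "")
    return {"country": cells[0], "ip": host, "port": int(port),
            "proto": proto.lower(), "domain": domain}


def parse_report(text):
    """Walk the export line by line, attaching hash rows to the most recent
    dropped-file path and counting repeated network destinations."""
    files, dumps, net = {}, [], Counter()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HASH_ROW.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current and len(digest) == HASH_LEN[algo]:  # drop truncated digests
                files[current][algo] = digest
            continue
        m = MEM_LINE.match(line)
        if m:
            dumps.append({"pid": int(m.group(1)),
                          "start": int(m.group(2), 16), "end": int(m.group(3), 16)})
            current = None
            continue
        if PATH_LINE.match(line):
            # Some entries omit the drive letter; assume C: (assumption).
            current = ("C:" + line) if line.startswith("\\") else line
            files.setdefault(current, {})
            continue
        row = parse_net_row(line) if line.startswith("|") else None
        if row:
            net[(row["ip"], row["port"], row["proto"], row["domain"])] += 1
    net_list = [{"ip": ip, "port": port, "proto": proto, "domain": dom, "count": n}
                for (ip, port, proto, dom), n in sorted(net.items())]
    return {"files": files, "memory_dumps": dumps, "network": net_list}


def unique_hashes(report, algo="SHA256"):
    """Deduplicated digests of one algorithm, ready for a blocklist."""
    return sorted({h[algo] for h in report["files"].values() if algo in h})


if __name__ == "__main__":
    print(json.dumps(parse_report(SAMPLE), indent=2))
```

Run it against the full page text instead of SAMPLE to get every dropped-file digest and the deduplicated destination list in one pass; the count field shows how many times a destination was contacted without keeping one row per connection.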
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-01 17:01
Reported
2024-06-01 17:04
Platform
win10v2004-20240426-en
Max time kernel
138s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader: 21 matches (indicator details not captured in this export)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts: 21 matches (indicator details not captured in this export)
UPX dump on OEP (original entry point): 64 matches (indicator details not captured in this export)
XMRig Miner payload: 64 matches (indicator details not captured in this export)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\LxhUttG.exe | N/A |
| N/A | N/A | C:\Windows\System\VlnjqRI.exe | N/A |
| N/A | N/A | C:\Windows\System\oefaNQi.exe | N/A |
| N/A | N/A | C:\Windows\System\yrnHkGP.exe | N/A |
| N/A | N/A | C:\Windows\System\poJpYjU.exe | N/A |
| N/A | N/A | C:\Windows\System\QhoVUrj.exe | N/A |
| N/A | N/A | C:\Windows\System\iVnhIwW.exe | N/A |
| N/A | N/A | C:\Windows\System\VASTubw.exe | N/A |
| N/A | N/A | C:\Windows\System\fAnjykQ.exe | N/A |
| N/A | N/A | C:\Windows\System\JNkckEy.exe | N/A |
| N/A | N/A | C:\Windows\System\WtpCaWu.exe | N/A |
| N/A | N/A | C:\Windows\System\ZXxiIKX.exe | N/A |
| N/A | N/A | C:\Windows\System\nqeOnPy.exe | N/A |
| N/A | N/A | C:\Windows\System\wNKPNCy.exe | N/A |
| N/A | N/A | C:\Windows\System\zQAzdct.exe | N/A |
| N/A | N/A | C:\Windows\System\OvfaHnb.exe | N/A |
| N/A | N/A | C:\Windows\System\EoWHdWT.exe | N/A |
| N/A | N/A | C:\Windows\System\qxBOnXE.exe | N/A |
| N/A | N/A | C:\Windows\System\OWHeiVz.exe | N/A |
| N/A | N/A | C:\Windows\System\StOsPsf.exe | N/A |
| N/A | N/A | C:\Windows\System\wTwiaPI.exe | N/A |
UPX packed file: 64 matches (indicator details not captured in this export)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-01_9939fa0286d6eec50d899d5064baf15d_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\LxhUttG.exe | C:\Windows\System\LxhUttG.exe |
| C:\Windows\System\VlnjqRI.exe | C:\Windows\System\VlnjqRI.exe |
| C:\Windows\System\oefaNQi.exe | C:\Windows\System\oefaNQi.exe |
| C:\Windows\System\yrnHkGP.exe | C:\Windows\System\yrnHkGP.exe |
| C:\Windows\System\poJpYjU.exe | C:\Windows\System\poJpYjU.exe |
| C:\Windows\System\QhoVUrj.exe | C:\Windows\System\QhoVUrj.exe |
| C:\Windows\System\iVnhIwW.exe | C:\Windows\System\iVnhIwW.exe |
| C:\Windows\System\VASTubw.exe | C:\Windows\System\VASTubw.exe |
| C:\Windows\System\fAnjykQ.exe | C:\Windows\System\fAnjykQ.exe |
| C:\Windows\System\JNkckEy.exe | C:\Windows\System\JNkckEy.exe |
| C:\Windows\System\WtpCaWu.exe | C:\Windows\System\WtpCaWu.exe |
| C:\Windows\System\ZXxiIKX.exe | C:\Windows\System\ZXxiIKX.exe |
| C:\Windows\System\nqeOnPy.exe | C:\Windows\System\nqeOnPy.exe |
| C:\Windows\System\wNKPNCy.exe | C:\Windows\System\wNKPNCy.exe |
| C:\Windows\System\zQAzdct.exe | C:\Windows\System\zQAzdct.exe |
| C:\Windows\System\OvfaHnb.exe | C:\Windows\System\OvfaHnb.exe |
| C:\Windows\System\EoWHdWT.exe | C:\Windows\System\EoWHdWT.exe |
| C:\Windows\System\qxBOnXE.exe | C:\Windows\System\qxBOnXE.exe |
| C:\Windows\System\OWHeiVz.exe | C:\Windows\System\OWHeiVz.exe |
| C:\Windows\System\StOsPsf.exe | C:\Windows\System\StOsPsf.exe |
| C:\Windows\System\wTwiaPI.exe | C:\Windows\System\wTwiaPI.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
The in-addr.arpa rows are reverse (PTR) lookups sent to 8.8.8.8, not connections to the addresses they name; the one destination the sample contacts directly in both the Windows 7 and Windows 10 runs is 3.120.209.58:8080 over TCP.
Files
memory/4336-0-0x00007FF64FB60000-0x00007FF64FEB4000-memory.dmp
memory/4336-1-0x000001C02E880000-0x000001C02E890000-memory.dmp
C:\Windows\System\LxhUttG.exe
| MD5 | 16a85ff0d9706bd0ee65c57ea3d90790 |
| SHA1 | 9ee6280627fa7d63c1503d7141b677eee319d577 |
| SHA256 | 831a2c99efa4aeeb71d5299fbb4b2c38c492f70c4aee2f44c0ae335b7f84eb5e |
| SHA512 | 3f6e90792e35bfb631ac0b2916be2ace978b8c2d9ce9722f9691123199e87a77136d0d823dc02c03dba70184078f17de3a1d7562dae6ea781fe8a20a1683dd09 |
memory/1008-6-0x00007FF657700000-0x00007FF657A54000-memory.dmp
C:\Windows\System\VlnjqRI.exe
| MD5 | 0d96c57ecf30830330f774739120a337 |
| SHA1 | ef177a28ce0ce8ade992550561b95607641336bc |
| SHA256 | 0b8904884aeee4eafbcfa99ffd06c50001c93fb89e4657ab4f09a40d5977b362 |
| SHA512 | fcaa47e3f15ef55217f89ca4759c1c4fd9c59893e34563fb365df4f6c5258079c9668d3024ff32f45bec49a835a356da40b4d70de614f8d54c205ced74d124e9 |
C:\Windows\System\oefaNQi.exe
| MD5 | d1942ee8668d940112d49f8ab8d18297 |
| SHA1 | 60eefcadc3fc90a5b86d74bf90b7c64eae3fadd2 |
| SHA256 | 09f28022ec1922ff725292e96e30f7cf47170c75058384643d9a0d6ac3ac048a |
| SHA512 | 66ef31ee541cb04794536aaef76555a35c34ccf3b0d7b7f83fe87cbbfae879f3cd95f318db6737fcd847c5e753a44db16345e7f2f3e7deb7982405c4c9e40443 |
C:\Windows\System\yrnHkGP.exe
| MD5 | 52e2beebbeef4baf00fb7baafff8382b |
| SHA1 | a03f317690c3f99b6c435a63376cc2c638e2dd42 |
| SHA256 | 0ec9531c3f196291fecfcf638ee2b4cdf2c1082c39fc84c770ad165af6354369 |
| SHA512 | a028e3dc3d921ab75672a61006d57a1975eba44c8960057d4a4ff60a400d791395113d903efd7a4f050dbef0b78ddd53b0af02af392049c3849622bff96aee7b |
C:\Windows\System\poJpYjU.exe
| MD5 | 354839f93bd9e786310e94ef0cf794df |
| SHA1 | c6d042b6a6ab34f23da44e16275a31431105c510 |
| SHA256 | 7551e3def202845dba562c7a9fc7465d207555e13154a99a47f3f9acc92fae53 |
| SHA512 | ea6b1c3a2d2573173fe6d24257b6fa46b0022fc079bbb986b99753c3a561143b8577251cdc945d58cf5082cf66e029ac4c201fe9eaa68e1a7dba8be6770b60d1 |
C:\Windows\System\QhoVUrj.exe
| MD5 | 129bea8fb3ff6ab89963ef4cee5eaa7f |
| SHA1 | 59919f1a972bb2f13adb5dbd7233b31b6c4c8d45 |
| SHA256 | ac166069a65cab2e532389191942b586585b474387af6a288e0f67fef50e61e2 |
| SHA512 | b4d79e0eb16edb3a9693a199937126344a8ddf0337305fa4e5a0816762be6d0da4d876bbae5fcf0b31dc8e123c26bf6dca1a59a669b1758818e085e5114f1ebd |
memory/4612-37-0x00007FF6A7450000-0x00007FF6A77A4000-memory.dmp
C:\Windows\System\VASTubw.exe
| MD5 | 6d4573bc294fe073ef868abdd64e81bf |
| SHA1 | dedf5cc1cea2b35050327b59c1843fa149e4783a |
| SHA256 | bce9dea9b744d1132c5505e8891e00af779fb483a3861c32838e0c19513b39f3 |
| SHA512 | 1815f0b74d4f7548044262ab2af50bfe3fd052b73f21cba379a1965ae6eab6328afdc68ec90bca6e9a244d9dd5e3421ffbd79c4c33d155a8884048429073fa93 |
C:\Windows\System\fAnjykQ.exe
| MD5 | 2d45900d20a72011898ff51b9cf86b05 |
| SHA1 | 4103734f742a794183ed11bda2add3097d88ee12 |
| SHA256 | 0b1afbcb3f2486da350476187cbaa74a3d988e55f2dc69fe61f7458684d8928d |
| SHA512 | ed2d5c0332075a023e43ca3a6c709c945563201c80bf47e0506e68d77704e172ff9d4014bf2c1d579ccd45d5ea9bc926741dc3e2409cd8330a58f396ae9965be |
C:\Windows\System\JNkckEy.exe
| MD5 | 7cf36fd15442985d3fe7f3d9124eed94 |
| SHA1 | f871dedf2a470e7c76dfd9cf7e3810c72188ab65 |
| SHA256 | d6d58c56798afd6309d27d81ca5bde1225867e0626a8a2e5d02b76745532d365 |
| SHA512 | ee9cc460b323b2f3dd952fa8cdb05d7ae9ca56a192cf2c1b8191efca3daf8042046ba9259eb9de65d45efa9eea709af51d1891c4af4418737b31df91ec7040fe |
memory/1432-60-0x00007FF6A4EE0000-0x00007FF6A5234000-memory.dmp
memory/2596-59-0x00007FF632CE0000-0x00007FF633034000-memory.dmp
memory/3644-55-0x00007FF7D71B0000-0x00007FF7D7504000-memory.dmp
C:\Windows\System\iVnhIwW.exe
| MD5 | 6d4d8245e36c451039c2d9afea11b162 |
| SHA1 | 03d1b0890f48ce6a719c2d36b018169ea9e2d176 |
| SHA256 | a017be663220fa9dde124e6bade8f438abd4ef92ec4ffdfe72420fec1bd1a680 |
| SHA512 | 72991ab00a0828b2543a0476d33ecca0930fb258ff048833a79e4b1b1fc6d3f58da9e1852b24f8cce75b6fb301020ec4e95af9429bbbe942cfdec6e7487b2431 |
memory/3188-43-0x00007FF700730000-0x00007FF700A84000-memory.dmp
memory/4212-41-0x00007FF798360000-0x00007FF7986B4000-memory.dmp
C:\Windows\System\WtpCaWu.exe
| MD5 | b48aca958b0f06783258bf07bc346a70 |
| SHA1 | 2d013fb95b9abb4be128baf676b76ee11e41fa62 |
| SHA256 | 5698c2ae3b6ab6e80d206662ba943c4e955ad0986fc9edde0f71344f7062de29 |
| SHA512 | ec3cb252d1e41935985071f20af3056159b28b87bcd465b27be5f3d81d062b5fdaaa9924c4c28a62740f9e4f952a1a45f3087064dfc83f891f5904d8e101bb06 |
memory/4336-70-0x00007FF64FB60000-0x00007FF64FEB4000-memory.dmp
C:\Windows\System\nqeOnPy.exe
| MD5 | d8e3d3f209f2eca1083c5cdba5218827 |
| SHA1 | ba236b554be802ebf38af63915511b4b892eed21 |
| SHA256 | c5e117712117fb898d84aa47891132efe6a3a2791e2df34842d083184faa5e18 |
| SHA512 | 55edd656337272684ce0518b2f7a4ecdf3bbff46a375bd152a2e7eed71df32dd14debdd7ab476e2722e0a368b7503caf75b8dfa76370637f61cce845bdaabb8a |
C:\Windows\System\wNKPNCy.exe
| MD5 | ac8c6464442ad0119178a03a541b3e5c |
| SHA1 | ac329b506ff5f31643fb62c17d8979fabb1b5b7a |
| SHA256 | 5d98f3f3d18c19efc41edc0f708c4d223cbffdaeb015b55bb4baf42ce23dc075 |
| SHA512 | 476402e4f76cd394b3ded12f7b6ee5bf43122fcb48bcf929c33c032117c0cd21b89800d724b5fb929d3c9b08d6f06d7daf53794a176ee46ca17f5de49bd6f43b |
memory/2932-83-0x00007FF7D4080000-0x00007FF7D43D4000-memory.dmp
C:\Windows\System\OvfaHnb.exe
| MD5 | 81618df808ca932766bd5f344bb62f39 |
| SHA1 | 1d7b25e04a01446eab4d77d2f213009ff3827ffc |
| SHA256 | ec938b767788a0a19fd694654d9d62daf19b44c5358cec44a4539b1740302b7e |
| SHA512 | e68b6546281af63d3c5386361ec84f7d84c67894fa36526363db1039803a6589a2a023d277c6a0bcff75039492b3549f8116310e4f65ffbd102870bbef2520ca |
memory/4848-87-0x00007FF7B08D0000-0x00007FF7B0C24000-memory.dmp
memory/2656-91-0x00007FF622AD0000-0x00007FF622E24000-memory.dmp
memory/228-105-0x00007FF65F860000-0x00007FF65FBB4000-memory.dmp
C:\Windows\System\EoWHdWT.exe
| MD5 | 6508efde9138bb2693a0a6df8e6811ff |
| SHA1 | 1b4ab92d6caf5b242c8ca83cd7a012a383e7361f |
| SHA256 | c0250860bfd098544032d416b77c373725a42a5dd1a7506e4ad0a86cb8c28415 |
| SHA512 | 7af0524646cf241992a2d1c81bf3f76f70a66cfca6847353a4ec0924f3577fd0a3a218fc1934279a04ca21ab0c4a601544a625749551b906d7e745b4264cf742 |
memory/4792-106-0x00007FF67F110000-0x00007FF67F464000-memory.dmp
memory/1660-104-0x00007FF7A9E00000-0x00007FF7AA154000-memory.dmp
C:\Windows\System\zQAzdct.exe
| MD5 | 68489055f481cbfbe0c3afa8acd1ed0a |
| SHA1 | 9490a22fd89c9da952fa7215e9ab9758c30de1ce |
| SHA256 | f442646d5527858b35f3df840352bc51d4d983922a15a0ce169543064ac6a233 |
| SHA512 | 8e743fcb305adeb814ffc4bb7718055b645e2fae7f5106e020b492a69f9e09fe0c28be582d9543f5f7f1e906cbb5ad3cb2d4762b9920f6ed4728f46af7f33329 |
memory/3884-98-0x00007FF67E610000-0x00007FF67E964000-memory.dmp
memory/1172-97-0x00007FF766BC0000-0x00007FF766F14000-memory.dmp
memory/1008-84-0x00007FF657700000-0x00007FF657A54000-memory.dmp
memory/2824-80-0x00007FF6C5C20000-0x00007FF6C5F74000-memory.dmp
C:\Windows\System\ZXxiIKX.exe
| MD5 | 14bfd67506cc8ae625e0123635622d14 |
| SHA1 | 238f4f9a098f862a069437b9f95b8cac1dc8adbd |
| SHA256 | 898f5ce0693c056215e340fea0e0ad417c7772db87f5ea8a6cf5788d4b6fbad7 |
| SHA512 | 82ede701166ba9a31d3c970940886d47dfed201862a0541e2c6835f1fb8c31d159fd01f241489732200b042c8e53f99e38397610768768bb17fd4c79111b3517 |
memory/228-24-0x00007FF65F860000-0x00007FF65FBB4000-memory.dmp
memory/3884-20-0x00007FF67E610000-0x00007FF67E964000-memory.dmp
memory/4552-17-0x00007FF7CEDB0000-0x00007FF7CF104000-memory.dmp
C:\Windows\System\qxBOnXE.exe
| MD5 | b6fbe26a34d603dc8875f4c5ac2fcdfb |
| SHA1 | 5c7240a071db785f350a692481503293940c638b |
| SHA256 | ad4697bd2733fb5522b656a4e2ebfeedb213d77effe5e0d799e666838ce8327d |
| SHA512 | eee320e7af06916fb3a7a6e94026567faf7f300e124319e9030f070693358e9feaea7fcd627d58359e78ccec4b39f0ba48db59ca6c1dd7249ddf369a43055587 |
memory/4212-114-0x00007FF798360000-0x00007FF7986B4000-memory.dmp
C:\Windows\System\OWHeiVz.exe
| MD5 | 1a1c70bed66ee6a1255c4bf07b5ae2a6 |
| SHA1 | 726b7b72845ba373822056010d6fdc9e7863c6b8 |
| SHA256 | 6862a1430bff24a10f22c08e1f117e4149f04ba8f9cf74aa17eba4c2237d5e2a |
| SHA512 | 39a9a6fdc6f47d27a284111855d8df3f7fb4df3cfd1456aa5a89198b63552f7d70288fa64ed9923ea19f057876f752e691bd13d9dfa0a9ff67658707e51ff445 |
C:\Windows\System\StOsPsf.exe
| MD5 | 036a92d96c1836ba84490e43f2011d4d |
| SHA1 | 5b1f80bc506615422decaf5e5211aa7386e5c32c |
| SHA256 | 8dea39e99eb28ac4c13029ad4541bcffae2e8a8de342a3f438d942317dad2df1 |
| SHA512 | f5b31a066f70b8d957c31b449236402c0267c4d9b4b3f5d0075375ae14cc4b362cf4bf627abd546ebd86d0b8dc7d331fc0414f46d462bfe70c1872bf8c58e888 |
memory/4732-122-0x00007FF7D7120000-0x00007FF7D7474000-memory.dmp
C:\Windows\System\wTwiaPI.exe
| MD5 | 4428441e9b4fa489faac064005797ba5 |
| SHA1 | 079bacd8d25925f19d161e4da735c6092808cd4a |
| SHA256 | ac09670d469e4055f3b83373fe1eefc8701ed83e8d186c561e27ec527870154e |
| SHA512 | 82a4c1ab3da1a8ac6910c3d08d91de0df8bfee9ee6d7ce5e36f3ce305fbfdb3ce16806b531078af19a121e0abcc547f01a8fc7d214151202c2493711017366b6 |
memory/364-130-0x00007FF7366D0000-0x00007FF736A24000-memory.dmp
memory/3188-131-0x00007FF700730000-0x00007FF700A84000-memory.dmp
memory/1208-132-0x00007FF72A070000-0x00007FF72A3C4000-memory.dmp
memory/2596-133-0x00007FF632CE0000-0x00007FF633034000-memory.dmp
memory/2364-134-0x00007FF7466F0000-0x00007FF746A44000-memory.dmp
memory/1432-135-0x00007FF6A4EE0000-0x00007FF6A5234000-memory.dmp
memory/2656-136-0x00007FF622AD0000-0x00007FF622E24000-memory.dmp
memory/1172-137-0x00007FF766BC0000-0x00007FF766F14000-memory.dmp
memory/4792-138-0x00007FF67F110000-0x00007FF67F464000-memory.dmp
memory/1008-139-0x00007FF657700000-0x00007FF657A54000-memory.dmp
memory/4552-140-0x00007FF7CEDB0000-0x00007FF7CF104000-memory.dmp
memory/3884-141-0x00007FF67E610000-0x00007FF67E964000-memory.dmp
memory/228-142-0x00007FF65F860000-0x00007FF65FBB4000-memory.dmp
memory/4612-143-0x00007FF6A7450000-0x00007FF6A77A4000-memory.dmp
memory/4212-144-0x00007FF798360000-0x00007FF7986B4000-memory.dmp
memory/3188-145-0x00007FF700730000-0x00007FF700A84000-memory.dmp
memory/3644-146-0x00007FF7D71B0000-0x00007FF7D7504000-memory.dmp
memory/2596-147-0x00007FF632CE0000-0x00007FF633034000-memory.dmp
memory/1432-148-0x00007FF6A4EE0000-0x00007FF6A5234000-memory.dmp
memory/2824-149-0x00007FF6C5C20000-0x00007FF6C5F74000-memory.dmp
memory/4848-150-0x00007FF7B08D0000-0x00007FF7B0C24000-memory.dmp
memory/2932-151-0x00007FF7D4080000-0x00007FF7D43D4000-memory.dmp
memory/2656-152-0x00007FF622AD0000-0x00007FF622E24000-memory.dmp
memory/1172-153-0x00007FF766BC0000-0x00007FF766F14000-memory.dmp
memory/1660-154-0x00007FF7A9E00000-0x00007FF7AA154000-memory.dmp
memory/4792-155-0x00007FF67F110000-0x00007FF67F464000-memory.dmp
memory/4732-156-0x00007FF7D7120000-0x00007FF7D7474000-memory.dmp
memory/364-157-0x00007FF7366D0000-0x00007FF736A24000-memory.dmp
memory/1208-158-0x00007FF72A070000-0x00007FF72A3C4000-memory.dmp
memory/2364-159-0x00007FF7466F0000-0x00007FF746A44000-memory.dmp