Analysis Overview
SHA256
2b2261edd39720358e5c9ab42bbd27af769ae3262824bdb0ed2c34fe651ec3fb
Threat Level: Known bad
The file 2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
XMRig Miner payload
UPX dump on OEP (original entry point)
xmrig
Cobalt Strike reflective loader
Cobaltstrike
Detects Reflective DLL injection artifacts
Cobaltstrike family
Xmrig family
Executes dropped EXE
UPX packed file
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-06 13:54
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 13:54
Reported
2024-06-06 13:57
Platform
win7-20240221-en
Max time kernel
136s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\jtClFWA.exe | N/A |
| N/A | N/A | C:\Windows\System\feZNVKu.exe | N/A |
| N/A | N/A | C:\Windows\System\QzdIWEH.exe | N/A |
| N/A | N/A | C:\Windows\System\KXBoQoY.exe | N/A |
| N/A | N/A | C:\Windows\System\yfYffoa.exe | N/A |
| N/A | N/A | C:\Windows\System\YwbNGmw.exe | N/A |
| N/A | N/A | C:\Windows\System\vTiIGXk.exe | N/A |
| N/A | N/A | C:\Windows\System\ApEnsyj.exe | N/A |
| N/A | N/A | C:\Windows\System\DOwtQMz.exe | N/A |
| N/A | N/A | C:\Windows\System\XGCJuZP.exe | N/A |
| N/A | N/A | C:\Windows\System\DrqeuYE.exe | N/A |
| N/A | N/A | C:\Windows\System\sBiVzJL.exe | N/A |
| N/A | N/A | C:\Windows\System\mzpZzsa.exe | N/A |
| N/A | N/A | C:\Windows\System\gIESsnu.exe | N/A |
| N/A | N/A | C:\Windows\System\ddspjdh.exe | N/A |
| N/A | N/A | C:\Windows\System\wyrSFQl.exe | N/A |
| N/A | N/A | C:\Windows\System\ovadjxs.exe | N/A |
| N/A | N/A | C:\Windows\System\GNmFcxV.exe | N/A |
| N/A | N/A | C:\Windows\System\qiVdGbk.exe | N/A |
| N/A | N/A | C:\Windows\System\aCNqHQl.exe | N/A |
| N/A | N/A | C:\Windows\System\qTCvSgJ.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\jtClFWA.exe
C:\Windows\System\jtClFWA.exe
C:\Windows\System\feZNVKu.exe
C:\Windows\System\feZNVKu.exe
C:\Windows\System\QzdIWEH.exe
C:\Windows\System\QzdIWEH.exe
C:\Windows\System\KXBoQoY.exe
C:\Windows\System\KXBoQoY.exe
C:\Windows\System\yfYffoa.exe
C:\Windows\System\yfYffoa.exe
C:\Windows\System\YwbNGmw.exe
C:\Windows\System\YwbNGmw.exe
C:\Windows\System\vTiIGXk.exe
C:\Windows\System\vTiIGXk.exe
C:\Windows\System\ApEnsyj.exe
C:\Windows\System\ApEnsyj.exe
C:\Windows\System\DOwtQMz.exe
C:\Windows\System\DOwtQMz.exe
C:\Windows\System\XGCJuZP.exe
C:\Windows\System\XGCJuZP.exe
C:\Windows\System\DrqeuYE.exe
C:\Windows\System\DrqeuYE.exe
C:\Windows\System\sBiVzJL.exe
C:\Windows\System\sBiVzJL.exe
C:\Windows\System\mzpZzsa.exe
C:\Windows\System\mzpZzsa.exe
C:\Windows\System\gIESsnu.exe
C:\Windows\System\gIESsnu.exe
C:\Windows\System\ddspjdh.exe
C:\Windows\System\ddspjdh.exe
C:\Windows\System\wyrSFQl.exe
C:\Windows\System\wyrSFQl.exe
C:\Windows\System\ovadjxs.exe
C:\Windows\System\ovadjxs.exe
C:\Windows\System\GNmFcxV.exe
C:\Windows\System\GNmFcxV.exe
C:\Windows\System\qiVdGbk.exe
C:\Windows\System\qiVdGbk.exe
C:\Windows\System\aCNqHQl.exe
C:\Windows\System\aCNqHQl.exe
C:\Windows\System\qTCvSgJ.exe
C:\Windows\System\qTCvSgJ.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1196-0-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/1196-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\jtClFWA.exe
| MD5 | ac3b160f0e93fedc84234555f7d65e10 |
| SHA1 | 31a1a6b1b1618de05679296d2da1bc7bd50c7dd3 |
| SHA256 | 58a9a73d02ef5a4185fb0f6a7ab0c1a755b4691a66e575cd62df30ec8fa78921 |
| SHA512 | 5c14ef0bad2239d656c697bacf77a1cc9a02c4bd791f7d5e34eb8a547bc1f27fd0e9a5a4a2c52ecf651412ebed3d79d34b20e4cfd96b8eea1e3a8108aed452f9 |
memory/1196-6-0x00000000023C0000-0x0000000002714000-memory.dmp
\Windows\system\feZNVKu.exe
| MD5 | 342143ad763fa7f7727f0ce8ff099146 |
| SHA1 | 5c5f78539e92aed862ececb6ee83705ce567ae34 |
| SHA256 | 556e6a2feae89ec70a802df952209181bd12903562e384249020158236bc34b6 |
| SHA512 | 581e158ec96eb6c408d8ae8d75f052596f1132e27d8cb502059fbe7784115771621710fa78bd65902e878f4cd45e4e7c6e10bdb55ec9356ba56cf46a4127935e |
memory/1196-15-0x000000013F300000-0x000000013F654000-memory.dmp
memory/2792-16-0x000000013F300000-0x000000013F654000-memory.dmp
memory/2956-14-0x000000013FC90000-0x000000013FFE4000-memory.dmp
C:\Windows\system\QzdIWEH.exe
| MD5 | ae9c360936df8b961b0266d9dc08a3ed |
| SHA1 | f51e7e792a1460472b321399405f0c4534c1f8ac |
| SHA256 | 448fe072d8e2ea27c76d0f1c50177fbb5a183fee865573751265c74a9fbf62ad |
| SHA512 | 0af0d01ace737068cf7be4e738b1ab50e87ffc386af6a7d30b02a1ac6f786a4cf9c64567729f684f7fb6cf72ce5fd7164a2b663951fb169a30156ba83051b222 |
memory/1196-23-0x00000000023C0000-0x0000000002714000-memory.dmp
C:\Windows\system\KXBoQoY.exe
| MD5 | bd67652ddec5a987850dff0b27e58e23 |
| SHA1 | f9837b0c911f1e6b45912a2701986cf896045d22 |
| SHA256 | b97b7befbc81d1093ff1b874b165a2a412a6b6804448bb53a3308f5c4e6a9476 |
| SHA512 | 625886b8643a3f1b0cbad09e14f3e015a21a3ed1b913564577edf37a8f643eee9aed88c09bb119fa86aeafa93e819f3713b6c2349ea7197cf69e7d6205961004 |
C:\Windows\system\yfYffoa.exe
| MD5 | 6199a73d9d554fa82363c928e9925ef6 |
| SHA1 | 6c86738eddbf95d1135e53d45c7eca9424b98543 |
| SHA256 | 0f5482a84c09f30578e0d3c5d098d7cd1600b301e66f58440f4a99f99d62852e |
| SHA512 | 9fa40f052b0d565fedf0f2afdec3b6fa21b1655cdfc88d4ca99fd7c202006273754919e6621278e52806e4aa725dbd84e4ca68a16035123a08ad68c4fd7cad57 |
C:\Windows\system\YwbNGmw.exe
| MD5 | 49dadf434c66b060acf5edc4e01dc822 |
| SHA1 | 9c426da465215930bb4bf8560e87efe0f84d34a1 |
| SHA256 | 1761d81f968302bd95cd5783414627cf5430767de1c975310911213327136284 |
| SHA512 | 36b5cd2da378bd3266937904ad4eb3a0cf5670272e84cf4095d448e2a211d5765849959070ae99ccec6e3345587c55fb38e4865a40870834aaa5167ea4df019d |
C:\Windows\system\vTiIGXk.exe
| MD5 | ef496d45eff454fbecbf3312cb734061 |
| SHA1 | 2fe602769afcc0535519ec9c269947264d28da48 |
| SHA256 | a2fa54fda4124db0db2771d7cc36c739ca4d9a83dbcc5a3096519674b4952c4e |
| SHA512 | c12194701263b5b65054c243b3a401b864cb0eb085b302443651e7c48299894efca25ff6f251be5b199ad50d9ee073b3a96c56599bbd182bd258e473de245770 |
\Windows\system\ApEnsyj.exe
| MD5 | 9608eb1a1e2a43113c6b8e152a5e09cf |
| SHA1 | 340dfb7f7708b5dc0e7419b2b06d22101a2dbfc8 |
| SHA256 | 4f389e0fc78d10ed0c5a1ec5bd1e5360a54f55ba7335921f5208c924b41b5499 |
| SHA512 | e154165cd20df80eba0877bbb65be5e182f96939d5b513ea9477342d0b379ce088cd7ac0fbe272ebf21ebc18fa8715b9d04f121be54f9e2a229b30cd600a4fde |
C:\Windows\system\XGCJuZP.exe
| MD5 | 244344f25ac3ca30192426157f95a13c |
| SHA1 | 19677cb6665c2e6d7e6d80156a76953b29a4bedb |
| SHA256 | bc8cea31a23e3a318d89e92fae78da0a0f70eeec01afd3697b1557b514d0644f |
| SHA512 | 784f85383b83c94eca174b81938077dca13e8075f98dbd2c820c42491ecd8abf92b0ae9927ffd0adf1a0bc90484b386e4576c084189928fed81f0e49d2481c3e |
C:\Windows\system\GNmFcxV.exe
| MD5 | 0bca5ddf2d6465205fa8f203fad764a5 |
| SHA1 | 2ab4ecc0e3277715029f45eb7cceac1ddbb0e854 |
| SHA256 | 868c6a3afa74aeb4edadd00fd12afa3c44a80730c92c7429de632285bfc42275 |
| SHA512 | 54924d644ced1c6e2ecae674c6f2ff878ab69fba5a4effce0c5816783a42e75612a871f3a74667386b535ccc5751cfb81e68bee007087ba72466000717098b97 |
C:\Windows\system\aCNqHQl.exe
| MD5 | 7597555d7c5385ebd0c89f3e69a57c59 |
| SHA1 | 7c504dac46bc12cb1a0058cb33eb8be9155092a3 |
| SHA256 | b23e1ca5d06945cd9ae5a3df1639db0b432d6eb093b686fc17d1c611b006df03 |
| SHA512 | c952abe001d70d2a9f8812db038185259d4e261553167a6508d9b8a20e5958d6672dade8a7fdd6abaa7225e587d8019be89fc60d39dc27cebef410f1fc466b8c |
\Windows\system\qTCvSgJ.exe
| MD5 | 173a4831d15c4d837a81e6d5b0187940 |
| SHA1 | 0e9b6353f89d8a5aab582edb2c64232d13cef9f8 |
| SHA256 | 2383acc8252cbed3b3bdfcddab6aa612a42bb6ca70a18037bf42a58c1114641e |
| SHA512 | 2adc51e129db20b4d9327391e2a69cab0c278e4d9f623d93ab43f8193b6598660c70906874a3723426c2d0e03344e3b353dd5e127bb19b924fc1eca604eacd9b |
C:\Windows\system\qiVdGbk.exe
| MD5 | ab059148e4a8469808bd1910e7ccddb3 |
| SHA1 | 285d001442e8fac1c782f9cc934a7a0c8e79a6f5 |
| SHA256 | fefdeed1e9c0f7bb98e0717c293b8cac9cb6218ec2df14ffa97854f3390c4da5 |
| SHA512 | 70ce847564b9b47417931d0cf3ebc1a06f280c532c2ea69711516045e49a01cda17a13de721cd1a2f2b6853979af3f289d87b4e8863ac01935771b026fbdd6e3 |
C:\Windows\system\ovadjxs.exe
| MD5 | 64f9d1c3277576de1fe9214fd53e314e |
| SHA1 | ea6ca9ad6ad828bec4cafc452ebfcd83df4656ea |
| SHA256 | 11185e0120f42a8a8d0c732779f92d95afeb41a6bdff2812a136b4be681401a4 |
| SHA512 | c3bf7bc569555dc52815a1b683cf528d60e721a73e53cb225a2ab79dd9a5b49a29a1b978f9ec8697465a2c5b6e1f214702bf99ff014cb7995661f9e190494170 |
C:\Windows\system\wyrSFQl.exe
| MD5 | 403f6138b6928dae4ccc8b71857da99f |
| SHA1 | b5ffd46d8baf78b695ff386002596370f0522091 |
| SHA256 | be701643e5d823742008395e3b93a3fef45fe0bcea12384bb4d79ba5686dc87d |
| SHA512 | 100cfcef32d2f07108b5de680f212214fc0e0c59e5712c35b6e5121faa3495b0b136b313145d75952e805cb883a1f95b49f280cac44fdf63ba0b59e425f0ee21 |
C:\Windows\system\ddspjdh.exe
| MD5 | 0c7acf0eca61a14cf355d1bfa4b7b6f8 |
| SHA1 | 3f7d6f67c00650421a1c2dc9d58b88078fb6c192 |
| SHA256 | 68efc12372b6d9c8873d3344b0c79643023aa1ff5ca940cb23f520a21164a023 |
| SHA512 | 785b6ea371806f7e5ce0e9291bacdb585b566076498da588cf1f4a1f8e23833fbb9250850175e8c216fb879087045db07cd361be3e0aed70c3f344eb9ee20af6 |
C:\Windows\system\gIESsnu.exe
| MD5 | 2b153ddd62f386554b1b9261991eb639 |
| SHA1 | 627d95d6b281f4ab944bb8592925c06a14074d07 |
| SHA256 | 75ad8f2b0d2d168a67e7b5eddb5f9c08e222eb74af7060c87913f81c9d57deac |
| SHA512 | 8f667a73c689427c57a042de408a7b740c67ad876228d9ccdc77997c3ae02f77e2c1edcaec8ec3e405d63e72b0dee2e03d3733b08ab956d3ffa845e0aa56e1a0 |
memory/1196-117-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/2996-120-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/1196-119-0x00000000023C0000-0x0000000002714000-memory.dmp
memory/2528-118-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/2552-116-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/1196-115-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2604-114-0x000000013F630000-0x000000013F984000-memory.dmp
memory/1196-113-0x000000013F630000-0x000000013F984000-memory.dmp
memory/2488-112-0x000000013FC30000-0x000000013FF84000-memory.dmp
C:\Windows\system\mzpZzsa.exe
| MD5 | 71831d1cefa7112155d1ae6824c9df9d |
| SHA1 | 15163968c6f1c60bf5af8150b40660420f5f0795 |
| SHA256 | 3890db041dd5be703f2a3af80145d083fd70515e9492dcb8da5bd14248b77c59 |
| SHA512 | 0692baa44b32c8fb1d7160e75fd24b1f3b4cbf75ae62de15c57b97159019615599eeeeb75f3403b421b39f57675395f4873097162daa08e3f616437538e57e80 |
C:\Windows\system\sBiVzJL.exe
| MD5 | 010fb2677f24dbd66cde4e0d76bb31e7 |
| SHA1 | b993e1859ef552e7259d149bea350e5374a7a23c |
| SHA256 | 6c3934719acfc91135448c999897e84ae586d074ce457c832066fa67cf54492f |
| SHA512 | efa0f1fd62aab94d82e246a14ef1fa5fb528c0e7f4332bae11c10be2010c86b4c89b3f8d45f1888da052a68f2ca03b65e693e1df2d422f10090d683009c7abeb |
C:\Windows\system\DrqeuYE.exe
| MD5 | 94523ecf655c8ae8c8f92dc54a4b649b |
| SHA1 | 60f2c1fff8c38f20f6d5e8dddfe734b5f2c2c752 |
| SHA256 | 0dd524784910a9c4fc57f68f94ab24715c845902babf703f078b8165f2fe98ba |
| SHA512 | ddba88ed1014b78e3c97500705645beeb7b5447d8d02c6c52baf0693b828193e11f6bf4b10a692cbb2dd431a34d26fe1f9ace2c0a1170d55d79feedd38be7c2b |
C:\Windows\system\DOwtQMz.exe
| MD5 | 361b6218a3eea3ef7865c8ea90cad96f |
| SHA1 | 14d471249c1efb6aeb682e44c03c46724d8ca452 |
| SHA256 | bcfdc46da6dbc8dc06d543036e4033f00ae691fbae6cafe69ed4cf49365c89b8 |
| SHA512 | d42f839d1e9aa337ac4fa0c2e76bac2833e34f4c9eb324eae40d7c629e4b70fea4973c78520a68210794ed0458b399dc3e968fbec734b6639ee737dd975e00dc |
memory/2432-121-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2772-122-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/2396-125-0x000000013F960000-0x000000013FCB4000-memory.dmp
memory/2444-127-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/1196-126-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/1196-130-0x000000013F1C0000-0x000000013F514000-memory.dmp
memory/1196-128-0x000000013F470000-0x000000013F7C4000-memory.dmp
memory/2536-131-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/2904-129-0x000000013F470000-0x000000013F7C4000-memory.dmp
memory/2568-124-0x000000013F7C0000-0x000000013FB14000-memory.dmp
memory/1196-123-0x000000013F7C0000-0x000000013FB14000-memory.dmp
memory/1196-132-0x000000013FDF0000-0x0000000140144000-memory.dmp
memory/2956-133-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/2488-134-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/2792-135-0x000000013F300000-0x000000013F654000-memory.dmp
memory/2956-136-0x000000013FC90000-0x000000013FFE4000-memory.dmp
memory/2536-137-0x000000013FB00000-0x000000013FE54000-memory.dmp
memory/2552-138-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2528-140-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/2604-139-0x000000013F630000-0x000000013F984000-memory.dmp
memory/2996-141-0x000000013FD10000-0x0000000140064000-memory.dmp
memory/2432-142-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2772-143-0x000000013FAE0000-0x000000013FE34000-memory.dmp
memory/2568-144-0x000000013F7C0000-0x000000013FB14000-memory.dmp
memory/2396-145-0x000000013F960000-0x000000013FCB4000-memory.dmp
memory/2444-146-0x000000013F080000-0x000000013F3D4000-memory.dmp
memory/2904-147-0x000000013F470000-0x000000013F7C4000-memory.dmp
memory/2488-148-0x000000013FC30000-0x000000013FF84000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 13:54
Reported
2024-06-06 13:57
Platform
win10v2004-20240508-en
Max time kernel
139s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\jtClFWA.exe | N/A |
| N/A | N/A | C:\Windows\System\feZNVKu.exe | N/A |
| N/A | N/A | C:\Windows\System\QzdIWEH.exe | N/A |
| N/A | N/A | C:\Windows\System\KXBoQoY.exe | N/A |
| N/A | N/A | C:\Windows\System\yfYffoa.exe | N/A |
| N/A | N/A | C:\Windows\System\YwbNGmw.exe | N/A |
| N/A | N/A | C:\Windows\System\vTiIGXk.exe | N/A |
| N/A | N/A | C:\Windows\System\ApEnsyj.exe | N/A |
| N/A | N/A | C:\Windows\System\DOwtQMz.exe | N/A |
| N/A | N/A | C:\Windows\System\XGCJuZP.exe | N/A |
| N/A | N/A | C:\Windows\System\DrqeuYE.exe | N/A |
| N/A | N/A | C:\Windows\System\sBiVzJL.exe | N/A |
| N/A | N/A | C:\Windows\System\mzpZzsa.exe | N/A |
| N/A | N/A | C:\Windows\System\ddspjdh.exe | N/A |
| N/A | N/A | C:\Windows\System\gIESsnu.exe | N/A |
| N/A | N/A | C:\Windows\System\wyrSFQl.exe | N/A |
| N/A | N/A | C:\Windows\System\ovadjxs.exe | N/A |
| N/A | N/A | C:\Windows\System\GNmFcxV.exe | N/A |
| N/A | N/A | C:\Windows\System\qiVdGbk.exe | N/A |
| N/A | N/A | C:\Windows\System\aCNqHQl.exe | N/A |
| N/A | N/A | C:\Windows\System\qTCvSgJ.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_81abc7c1fe19a16f8f8b37c3d34ca4bc_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\jtClFWA.exe
C:\Windows\System\jtClFWA.exe
C:\Windows\System\feZNVKu.exe
C:\Windows\System\feZNVKu.exe
C:\Windows\System\QzdIWEH.exe
C:\Windows\System\QzdIWEH.exe
C:\Windows\System\KXBoQoY.exe
C:\Windows\System\KXBoQoY.exe
C:\Windows\System\yfYffoa.exe
C:\Windows\System\yfYffoa.exe
C:\Windows\System\YwbNGmw.exe
C:\Windows\System\YwbNGmw.exe
C:\Windows\System\vTiIGXk.exe
C:\Windows\System\vTiIGXk.exe
C:\Windows\System\ApEnsyj.exe
C:\Windows\System\ApEnsyj.exe
C:\Windows\System\DOwtQMz.exe
C:\Windows\System\DOwtQMz.exe
C:\Windows\System\XGCJuZP.exe
C:\Windows\System\XGCJuZP.exe
C:\Windows\System\DrqeuYE.exe
C:\Windows\System\DrqeuYE.exe
C:\Windows\System\sBiVzJL.exe
C:\Windows\System\sBiVzJL.exe
C:\Windows\System\mzpZzsa.exe
C:\Windows\System\mzpZzsa.exe
C:\Windows\System\gIESsnu.exe
C:\Windows\System\gIESsnu.exe
C:\Windows\System\ddspjdh.exe
C:\Windows\System\ddspjdh.exe
C:\Windows\System\wyrSFQl.exe
C:\Windows\System\wyrSFQl.exe
C:\Windows\System\ovadjxs.exe
C:\Windows\System\ovadjxs.exe
C:\Windows\System\GNmFcxV.exe
C:\Windows\System\GNmFcxV.exe
C:\Windows\System\qiVdGbk.exe
C:\Windows\System\qiVdGbk.exe
C:\Windows\System\aCNqHQl.exe
C:\Windows\System\aCNqHQl.exe
C:\Windows\System\qTCvSgJ.exe
C:\Windows\System\qTCvSgJ.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files