Analysis Overview
SHA256
92ff9883488ebb5eaeb4acd8f90214547790e6a76dfd0c82ec676cc332271b62
Threat Level: Known bad
The file 2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
xmrig
UPX dump on OEP (original entry point)
XMRig Miner payload
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Cobaltstrike family
Xmrig family
Cobaltstrike
Executes dropped EXE
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-06 13:30
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 13:29
Reported
2024-06-06 13:33
Platform
win7-20240221-en
Max time kernel
134s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\OhYBvuD.exe | N/A |
| N/A | N/A | C:\Windows\System\aTRmiLd.exe | N/A |
| N/A | N/A | C:\Windows\System\WVPlBWu.exe | N/A |
| N/A | N/A | C:\Windows\System\ypHrebj.exe | N/A |
| N/A | N/A | C:\Windows\System\YZHeBXq.exe | N/A |
| N/A | N/A | C:\Windows\System\xtNqppy.exe | N/A |
| N/A | N/A | C:\Windows\System\YZIZCqf.exe | N/A |
| N/A | N/A | C:\Windows\System\JJQeqUK.exe | N/A |
| N/A | N/A | C:\Windows\System\uZdUygO.exe | N/A |
| N/A | N/A | C:\Windows\System\iQXeAlN.exe | N/A |
| N/A | N/A | C:\Windows\System\wWWNCPi.exe | N/A |
| N/A | N/A | C:\Windows\System\bvAjVGQ.exe | N/A |
| N/A | N/A | C:\Windows\System\ofvFKMk.exe | N/A |
| N/A | N/A | C:\Windows\System\FXFzYLR.exe | N/A |
| N/A | N/A | C:\Windows\System\wxoWAnj.exe | N/A |
| N/A | N/A | C:\Windows\System\cvBTvqq.exe | N/A |
| N/A | N/A | C:\Windows\System\jkVcovc.exe | N/A |
| N/A | N/A | C:\Windows\System\ZFWbUTS.exe | N/A |
| N/A | N/A | C:\Windows\System\mtLgHGd.exe | N/A |
| N/A | N/A | C:\Windows\System\afPjNFU.exe | N/A |
| N/A | N/A | C:\Windows\System\CXqrmvg.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\OhYBvuD.exe | C:\Windows\System\OhYBvuD.exe |
| C:\Windows\System\aTRmiLd.exe | C:\Windows\System\aTRmiLd.exe |
| C:\Windows\System\WVPlBWu.exe | C:\Windows\System\WVPlBWu.exe |
| C:\Windows\System\ypHrebj.exe | C:\Windows\System\ypHrebj.exe |
| C:\Windows\System\YZHeBXq.exe | C:\Windows\System\YZHeBXq.exe |
| C:\Windows\System\xtNqppy.exe | C:\Windows\System\xtNqppy.exe |
| C:\Windows\System\YZIZCqf.exe | C:\Windows\System\YZIZCqf.exe |
| C:\Windows\System\JJQeqUK.exe | C:\Windows\System\JJQeqUK.exe |
| C:\Windows\System\uZdUygO.exe | C:\Windows\System\uZdUygO.exe |
| C:\Windows\System\iQXeAlN.exe | C:\Windows\System\iQXeAlN.exe |
| C:\Windows\System\wWWNCPi.exe | C:\Windows\System\wWWNCPi.exe |
| C:\Windows\System\bvAjVGQ.exe | C:\Windows\System\bvAjVGQ.exe |
| C:\Windows\System\ofvFKMk.exe | C:\Windows\System\ofvFKMk.exe |
| C:\Windows\System\FXFzYLR.exe | C:\Windows\System\FXFzYLR.exe |
| C:\Windows\System\wxoWAnj.exe | C:\Windows\System\wxoWAnj.exe |
| C:\Windows\System\cvBTvqq.exe | C:\Windows\System\cvBTvqq.exe |
| C:\Windows\System\jkVcovc.exe | C:\Windows\System\jkVcovc.exe |
| C:\Windows\System\ZFWbUTS.exe | C:\Windows\System\ZFWbUTS.exe |
| C:\Windows\System\mtLgHGd.exe | C:\Windows\System\mtLgHGd.exe |
| C:\Windows\System\afPjNFU.exe | C:\Windows\System\afPjNFU.exe |
| C:\Windows\System\CXqrmvg.exe | C:\Windows\System\CXqrmvg.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
C:\Windows\system\OhYBvuD.exe
| MD5 | f884944d9ab024998642e1533971353f |
| SHA1 | d44aa2e31dc4a2c49069ca62a9ddc93154fbaea0 |
| SHA256 | 6cf3defd61e53a6d15bd2225d437ff14e79462e9a778fa7a5f313d8de48748a1 |
| SHA512 | aaecc4c3883de0a3ba9312303362658da87330754d5fb8ea8d77abbd95dea3c5b0652e88e2edc9f0f9e2f7053df0da836b7f17c16d2ad311d9ac907125577aa0 |
\Windows\system\aTRmiLd.exe
| MD5 | 39d4e9b468d878f6408ddcbc43bd6738 |
| SHA1 | 67aff5149a084b91951c37657248384b91f8371f |
| SHA256 | 78cb6553bc60ede55b3806c6057c1b720af1e0c2b46b92e586b4dff7dd9eb63b |
| SHA512 | 98a4d3bf98d63d8988ab4277d35939bbec25d0a30c91cccd01aca7d3e0204a38bf9a86014ed77c65a4bfcee13219469653a2702a0ae3b0b7868528e67995b3f6 |
C:\Windows\system\YZHeBXq.exe
| MD5 | 16a52d6c3e2cbb536a47b5dd00887f28 |
| SHA1 | f0ea2bd0aa012e12a56cb21612ac780987862e6f |
| SHA256 | d758b06b9c3b909e92335db508b7cdc08929e7be79fa722651f9b81d234ed786 |
| SHA512 | f0b8033e34f15834d43934d12e7174569b225582cb01a857827ab5d6eca35e70e4455d3ac77e4c66c7b628d35987655dd05e3a184c4ea593c0536336e30b213e |
C:\Windows\system\xtNqppy.exe
| MD5 | 62668dbcc5f1e421e1d254c2422868d0 |
| SHA1 | 6651f5e0fc0063edceb6d07f215fcabf39657282 |
| SHA256 | a15f96bf2a384a091b5e68f38ce778408dc7b893776a3e033af0f77a9273c4b4 |
| SHA512 | 5dc1197c96a6bc547764052f0c7ea328eb8936c9629338c744521cea0e180b7358f2d98da4c439dd3a14b5ed8d42af3c98478c4520fb21f3a2ff9a8d25695485 |
C:\Windows\system\iQXeAlN.exe
| MD5 | 965a1e9879b557329fc1f4a780fefd1d |
| SHA1 | abbf1488b7503a117910ef3b27fe2f86ea16ccfe |
| SHA256 | 91cbdcd246b52296d53c4908b22be727711988ed2e0be531f58de256e1d169c6 |
| SHA512 | 0e7cb4f047155395dccbdc755b89dec9aa5580e1b7281cb59bb153030b3ffbcd670a6578a6fc8de42b3fbc5f359adfabf086cfe6cccde421bd5a9bbd9275afc2 |
C:\Windows\system\wxoWAnj.exe
| MD5 | 5a645b35810e1225996b4c5b3ed2a247 |
| SHA1 | 0af022898732e57feba6b41c8effbbc2591c2265 |
| SHA256 | 81a7093472604140a53241542e14c1f07c2819ca115bfa5ebcbad05b6d125762 |
| SHA512 | ac076a82aae445303000a3b605286b5efb2792292356dab72cdc828a37f699f7f46231b57200d90640b0b4440cc72fef35aea030e72319b11b1de91c5cfedd0c |
C:\Windows\system\afPjNFU.exe
| MD5 | 4e7b39f08aa3676682f54ea64fcce94f |
| SHA1 | db50481cb131e5c3d481406d92bb33f03738ac8c |
| SHA256 | 2ec67e00595f0ba2396917a1451cd927491bd05df8b9cd7855ee5f0eb2374b9f |
| SHA512 | 18cbbb2cbdc35a9704cdd46378200c2eeba7ebedb2a00a779248cabe09fe90277443197a22b744a7ce1a19a7d3a7910f7ae5fc0431b7f9af9278e43e29316d15 |
\Windows\system\CXqrmvg.exe
| MD5 | 3dd38b46144db5ed1b1621040fe00a39 |
| SHA1 | 76b410f78d5507c3544a1bca7c3d7ad77a54fd1f |
| SHA256 | 340a856cd8c2e1678e55cad016b9d7493d72c328f05fa08cf65a05bb386098ad |
| SHA512 | 1387ccdac05b11bfdd431a475f1462c7734fc8b9f36d87ff2b59a7e6a03ae67f49d0d1faaffd10ad4d8bbdddd9dd7a6ff351622a52ddc6acc2564ab3e2654672 |
C:\Windows\system\mtLgHGd.exe
| MD5 | bf5313a34910094da95c05b52364ddf5 |
| SHA1 | 5a56509ac3ce529f627a1eec00ba3112aa9871ea |
| SHA256 | a9693f9d025a19963f2f4f75954ea93f677297506f80d478d3daf9b4a559ceae |
| SHA512 | 35e094e8c7ce200d5725b2d38b6b3f6f7caafdc30b468e7b35825228ba13c2829ec3fdf3245bf40590f43060a30969aaea28f7f91374a9ae3feb9d0dff98141d |
C:\Windows\system\ZFWbUTS.exe
| MD5 | ae73653a20a8d28db75ff988ed83423c |
| SHA1 | 0148365f30e4c8197514916847ad3e23c6dd7092 |
| SHA256 | 7ff6b80f9eeb9b3ab368d5eb2398f471670a3f6b6a8467bea778d18dcda43f36 |
| SHA512 | 59b2be41bf85e991ff3833ef48ab580b9b85322a9c260ae1f4d1e76e8e734b329beef8ac8e3baad84708eb474166ad6bff64d9cdfb0b091aeecc15c1338f159a |
C:\Windows\system\jkVcovc.exe
| MD5 | e5e36a356926e86cc641781e19ee4be4 |
| SHA1 | 6b0b369b9ad10f8e0a87e63db8c05adb9f4887b3 |
| SHA256 | 79caa475cb140cf5212287ca00724cf716aeb5cfe0f4c68b6fa8280b4aa0fb40 |
| SHA512 | 7d712f9c2776e1194c94a7d249d5bb23a4ada4e3fd7bbef98cbcf1fc09643fc01d1d1741b119bdb6ca0f74f0ea82781186bab7b5ca7b16252aa515bc45da69fe |
C:\Windows\system\cvBTvqq.exe
| MD5 | 1bc6395adc900a9dd0be6a45fbe6b43b |
| SHA1 | 7f26a3fb8032a88defed3c9978fee42ba0b92ee0 |
| SHA256 | bdc09ae9d8979cd664ccf762c4345913296ce1ecca19325e35617a5d4aa5b836 |
| SHA512 | 8aa2cf9ec8e508934a50e9c81952e71b3fbca186992683f793fb86bd2353f8e21d8b1f2f466edec4c12b3db65cd48038b076b53089269865365b1d614d5a42ea |
C:\Windows\system\FXFzYLR.exe
| MD5 | 851a7f688ded2c31049ad58d6f76b74f |
| SHA1 | f73a0c5e240a3c00da94a4a1e5f53a5878808f45 |
| SHA256 | 8024dd09ecf447a1edaa2374b11537500bfdcaaf71b6c4015c3956c110fe75fa |
| SHA512 | f455746afe139628ba0b30a7f0c5636f0c143d25391cddd8d9e680aaddf2dabae6f6344b7d08ea206a7187d20486dd00af6c79f16b8085c0bc2ac901d0e74aad |
C:\Windows\system\ofvFKMk.exe
| MD5 | ccd916bc8395b118a58b6cbb6eb99359 |
| SHA1 | d830a8d76b5cf481a591174b132e0b651f15345e |
| SHA256 | 288b3871131e2d1af18082de4c60051abf12d936c75beb18af770ec814086d67 |
| SHA512 | 96f4ac0dac64beb1f0ef1392a3a9cc06eb5328db1dfbe9df38d315297e74ba2a271437149cfafc06d791295ffeb8f2e4aa0357f050fccaaaf0a7f5f395d55b32 |
C:\Windows\system\bvAjVGQ.exe
| MD5 | 722c5c907993eaf24e364a0cac271297 |
| SHA1 | 8bb9c10fdf98b450ae97b8a7c14a5a69e39fedfe |
| SHA256 | 6fe6783de60591343d51719e8e863b670646af640e3034b3b280fde5b9530fc4 |
| SHA512 | 3b8ebf031493ff095028acc9512d495d499c437f81844c419e8b17a52d05ac6eee72ad775728379a2e3ed438964360de986dffeaf8e17430de6f45d6e5c0fd90 |
C:\Windows\system\wWWNCPi.exe
| MD5 | ec1b1b84b17d436bc3ab6e051b270c77 |
| SHA1 | dfd44671446dcb2b0937311f5811c9853df02244 |
| SHA256 | 4383acd4ec8893869b87bf46d0fbd256b2cbba1c58b03c4dcd87b85acd32c9a7 |
| SHA512 | 5c5ee511e2e0b1ab1f969ffdfd71c800fdc9f5183fdfb694480752c6f7f1e164ca0cde31fa38a8191e7461f7583b25f3f611bbd3a1563761e01d00c30398fb12 |
C:\Windows\system\uZdUygO.exe
| MD5 | 1cdd86d55d8bbe46c3d2865e6d6a80cd |
| SHA1 | 48c77562b07aaf3d3d22d480dc2d0e677e8cf655 |
| SHA256 | f25536a3d2ba06bac8bfe0532e7f197a25a7b2d06bd7aa726479b3b804e2729c |
| SHA512 | d1384f5c714a4b2d996c83d195ac9aca1e84a3f615525610e17c7f64c0432cb973087e6e83367c2f492965efb008aa620ca0290eb15203c69e0a0920359f6345 |
C:\Windows\system\JJQeqUK.exe
| MD5 | 003bcc1f5b067574814c91fa08ee3ada |
| SHA1 | ad9111a896f6c3451c8fae13a5781029a04199ae |
| SHA256 | e1c857ebe8261921d7c8e7faffccf683136aa79b06a8d901fb3ad0f0d37afc9e |
| SHA512 | 7ca2b30425d0a9edbe1778be9c64382004ca56884015fac2f5d313ab789e988486557f1be8adc510d7d0bd8eeaf90ac53653e81eadfe652845cc9087dc03375b |
C:\Windows\system\YZIZCqf.exe
| MD5 | a3814d48a5fa3c2443ceb6288cbc0975 |
| SHA1 | ed18cf2d861e30b0a3adbedba50738303f5bee65 |
| SHA256 | ad632c049960ef3d0c200f1b133a2c0f6dd0673f438191686b2a5d1f201022c5 |
| SHA512 | 640721346ae8b7df8a4d7aa2a54010effd38aa139781b9b76c5a63bb340f39b0403874d74ee528608855cba8e53c5e1d953dd83181d0911b5bee24a811c0588e |
C:\Windows\system\ypHrebj.exe
| MD5 | bc7abb3ff9927945973096955d11f4d8 |
| SHA1 | da87ea12a84e6662cbc411bc7e404bdc67dcace4 |
| SHA256 | 4a93dc45c7bd78db149416878d8f88a14f6c9152aad2da225ff9b1f9ccdd1450 |
| SHA512 | 40f5226de365ded72a426e04ca3af2ab54ce9f370931bcc7082f8ca03b3c92153b0528fbec462876d415df02e5a83e056792a99d57a88c1ff191f6969bbc0aa3 |
C:\Windows\system\WVPlBWu.exe
| MD5 | 4eb945a3020db7c62c129aab9eee57ce |
| SHA1 | a7a6d437fa6e623d7df934e20af76ba020a4d1e6 |
| SHA256 | db59650b61c975033d4af6483fc0c2691b30261dc778a1e3d78da5d927e6d2e0 |
| SHA512 | 9b1012e62464152aabd60185e8a46e6815bf6f7bb828d8685318a7708dbe5006f39cdfcc0cc699de0be8f9233d663dc7a35652d109ddedf3011816112155cc52 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 13:29
Reported
2024-06-06 13:33
Platform
win10v2004-20240426-en
Max time kernel
138s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\YeozrOY.exe | N/A |
| N/A | N/A | C:\Windows\System\bTyuoFw.exe | N/A |
| N/A | N/A | C:\Windows\System\PwAisJM.exe | N/A |
| N/A | N/A | C:\Windows\System\hwAfhGA.exe | N/A |
| N/A | N/A | C:\Windows\System\UKqPNMi.exe | N/A |
| N/A | N/A | C:\Windows\System\MdAFfmj.exe | N/A |
| N/A | N/A | C:\Windows\System\CPzVfEy.exe | N/A |
| N/A | N/A | C:\Windows\System\Nngapqm.exe | N/A |
| N/A | N/A | C:\Windows\System\sWMOzqM.exe | N/A |
| N/A | N/A | C:\Windows\System\aAPLcGw.exe | N/A |
| N/A | N/A | C:\Windows\System\TOOTXsT.exe | N/A |
| N/A | N/A | C:\Windows\System\TVnyVxY.exe | N/A |
| N/A | N/A | C:\Windows\System\AxApTlC.exe | N/A |
| N/A | N/A | C:\Windows\System\mvVnqsQ.exe | N/A |
| N/A | N/A | C:\Windows\System\thuPBWX.exe | N/A |
| N/A | N/A | C:\Windows\System\LfKnZkr.exe | N/A |
| N/A | N/A | C:\Windows\System\huulBGZ.exe | N/A |
| N/A | N/A | C:\Windows\System\RCCjAir.exe | N/A |
| N/A | N/A | C:\Windows\System\uaMSmKk.exe | N/A |
| N/A | N/A | C:\Windows\System\TsNVvui.exe | N/A |
| N/A | N/A | C:\Windows\System\cEGzBUm.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-06_17cc9bb06b41a935528ed6fda72c02e1_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\YeozrOY.exe | C:\Windows\System\YeozrOY.exe |
| C:\Windows\System\bTyuoFw.exe | C:\Windows\System\bTyuoFw.exe |
| C:\Windows\System\PwAisJM.exe | C:\Windows\System\PwAisJM.exe |
| C:\Windows\System\hwAfhGA.exe | C:\Windows\System\hwAfhGA.exe |
| C:\Windows\System\UKqPNMi.exe | C:\Windows\System\UKqPNMi.exe |
| C:\Windows\System\MdAFfmj.exe | C:\Windows\System\MdAFfmj.exe |
| C:\Windows\System\CPzVfEy.exe | C:\Windows\System\CPzVfEy.exe |
| C:\Windows\System\Nngapqm.exe | C:\Windows\System\Nngapqm.exe |
| C:\Windows\System\sWMOzqM.exe | C:\Windows\System\sWMOzqM.exe |
| C:\Windows\System\aAPLcGw.exe | C:\Windows\System\aAPLcGw.exe |
| C:\Windows\System\TOOTXsT.exe | C:\Windows\System\TOOTXsT.exe |
| C:\Windows\System\TVnyVxY.exe | C:\Windows\System\TVnyVxY.exe |
| C:\Windows\System\AxApTlC.exe | C:\Windows\System\AxApTlC.exe |
| C:\Windows\System\mvVnqsQ.exe | C:\Windows\System\mvVnqsQ.exe |
| C:\Windows\System\thuPBWX.exe | C:\Windows\System\thuPBWX.exe |
| C:\Windows\System\LfKnZkr.exe | C:\Windows\System\LfKnZkr.exe |
| C:\Windows\System\huulBGZ.exe | C:\Windows\System\huulBGZ.exe |
| C:\Windows\System\RCCjAir.exe | C:\Windows\System\RCCjAir.exe |
| C:\Windows\System\uaMSmKk.exe | C:\Windows\System\uaMSmKk.exe |
| C:\Windows\System\TsNVvui.exe | C:\Windows\System\TsNVvui.exe |
| C:\Windows\System\cEGzBUm.exe | C:\Windows\System\cEGzBUm.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | N/A | tcp |
| DE | 3.120.209.58:8080 | N/A | tcp |
Files
C:\Windows\System\bTyuoFw.exe
| MD5 | 418f83ae5ea2e0b5fe4c811829b8f062 |
| SHA1 | 01fdeded798820cb872dab13620a5bcb5840cbbe |
| SHA256 | d31bf225864e29f96c9525831eae8f38203a523dcae1fc1e928d26934deb9f57 |
| SHA512 | 5796456dd4b8a0a44001ec63fa1ecdea6edf836182f94b3e0a666548aab7f3381ae3b6ea721420ec68846bb27bd15c4cfc1eced37646c2700b3b301054c7d80e |
C:\Windows\System\UKqPNMi.exe
| MD5 | 996ca642f106d3f39dc8c9c447be3a2c |
| SHA1 | 79b3f249a5a7e05e8d883b7eb2fb96433e4459a9 |
| SHA256 | 08ccd51de91657d19083f71077ec5bc44598093a7772a9a59b8432bd969fd569 |
| SHA512 | 84d508a0ca1fd61bf49cc096acccb2154450db315dfe7ff87e755e02cde4925f2742aa1bdd5a66ff1b0f726425f8a60ac5321479659329c5e49fd31a589ad615 |
C:\Windows\System\MdAFfmj.exe
| MD5 | cd51c98f09683184e40180290458a855 |
| SHA1 | 8415a01525d9de9f4cb96e99a8a78587cfa3b086 |
| SHA256 | 4aca49a110eb96b26f22f348a56d06d746f8956acd60515a192172da92ef0173 |
| SHA512 | 0dab0363d5e81df8c4b6a07ba8575e9bf7bf3804a274a8e434a205367b35135edf5f4c9f50352efb461ed368de2eaf6d0301e62fca3a379d6109358a11d220f0 |
C:\Windows\System\CPzVfEy.exe
| MD5 | 7dce3258873d161bddf3f746c48390f9 |
| SHA1 | 27385fabb41618fe9117928df30992057dcd0f55 |
| SHA256 | e80412530699c84949bb573527b75a64dd130520f8efe873ab27d68fa81c2efa |
| SHA512 | a607529d1303f376222996a0b99f0db99311eb50994703566f069680f48366d17ea47d9b8730b96681b889e559f37707fb6b81c4cddc2799b38c764056c16223 |
memory/1968-43-0x00007FF6A56B0000-0x00007FF6A5A04000-memory.dmp
memory/4636-50-0x00007FF72C0D0000-0x00007FF72C424000-memory.dmp
C:\Windows\System\sWMOzqM.exe
| MD5 | 00def45e72e8de6d94de222aa8e1ddda |
| SHA1 | 9c576db47b82ee26dfc810ce19dc82b10e74d93f |
| SHA256 | 17e4518d28f933e0bb511e8f21830a85e0e384c30837b5806227d7e013512f01 |
| SHA512 | 560db6fbd785f03cd532245ea36cf985752e316a1ce1c73fe6a94c3ae72f20f15be7d1e4be20a5a749d15123560b432b6c67f22a3d28dece8b48779aaadcc937 |
memory/4152-56-0x00007FF694FF0000-0x00007FF695344000-memory.dmp
C:\Windows\System\aAPLcGw.exe
| MD5 | 4f1cfc8762f13b9a710424a7e13c8bee |
| SHA1 | 7ef8e407fdefc1d8008fe4c2760d27e2bbcb7927 |
| SHA256 | b54363f238da4f84b6a14f04047e6c88d643ce5ad582d8561ddb5f895369474d |
| SHA512 | 85db06fef6685dfd807e722338374ea05bf218b7ebf06cbee54dba66793634a2bb4816877bd05dc8540e0093fa25f8b3ad05bf9389e5056bcd68d7fdfd93bd9c |
memory/1580-63-0x00007FF7B94E0000-0x00007FF7B9834000-memory.dmp
memory/1664-62-0x00007FF786330000-0x00007FF786684000-memory.dmp
C:\Windows\System\Nngapqm.exe
| MD5 | e3092809317c8557f3c3e09fa68d2e26 |
| SHA1 | 8eabcdca8b20c3cf06e0f9c93b88bdd948bcf834 |
| SHA256 | a0b4632b8710865a348aa785b35ebccfddd34276f9167403a934fe39c6a9834f |
| SHA512 | 4dbe98fe03a00ea5b5fa063b70c1b2db7fcba1c413044c24580e34e08625b91974e2d5a906738b4ac3fbc5ac0d98e12ebee57a73d2e9c5bc810c2c4cfd6ebed2 |
memory/4416-38-0x00007FF6217C0000-0x00007FF621B14000-memory.dmp
memory/4116-32-0x00007FF6CD0B0000-0x00007FF6CD404000-memory.dmp
C:\Windows\System\hwAfhGA.exe
| MD5 | 5d8522491923d7f1a3a71e6567360226 |
| SHA1 | 3d419bb67ee9d1c4b3e865dfabad7888b6e405ee |
| SHA256 | 237409a5344197e2303d8bc2d90ec0214c2f0a04a3e32b2515295ab19481cd06 |
| SHA512 | ba613d6a1997bf1ea5aabed54df96dcb4795b0a7e48516ef89b81229e5e257aa4282a5bd1a4276bb7ed9576996b450deff8c581240ac9a4517670c52ee39ef1a |
C:\Windows\System\PwAisJM.exe
| MD5 | 3a422427c8758714c40de0f192c85f55 |
| SHA1 | c1d65e43585d15e72a4a9d4a8d0872d453b1a423 |
| SHA256 | 6cdf6848f4604642c3c56aefbef8f162a4f9830f1249b838f06fd6913d585575 |
| SHA512 | b095bd155dd0177b794de4e3cd3643891a734d1f7fd4beb9d0fc6e801097b759c04b633ce0b194eed22f92a432c483a07d60b3ff62bdae66f3d665ba4055e48e |
C:\Windows\System\YeozrOY.exe
| MD5 | 930ef3893b2f446a7394ac856c6fa925 |
| SHA1 | 255f13c61f4a247fec16d7dfe6d4053c4051a96f |
| SHA256 | fdef0de4df7d7f4c4a37f300e6c118b972f57bb45874b0761bccd9189437b2b0 |
| SHA512 | 63261d93feaacdffe8985909301ded3b7096cac3f703b4487a4dae8dcc98a7e69e20b666c155a1b12ea83788a6f2b130839a9e0ce0019ef3206072b07e3cc931 |
C:\Windows\System\TOOTXsT.exe
| MD5 | f7f4a7b81b220f89f228578a079455e6 |
| SHA1 | 39f54dc17187673b4e858c14641420b98d459800 |
| SHA256 | 458eb0eca6ab28075d8ed7e36fdde35b74912eec56ad81638244c7ed61933974 |
| SHA512 | 9ea5860be7e85348d0ade0a2f9f7ae261341c3785eefaf018164aab1b8ba9668a4c5862b7b30cf593afac221fb27367dcc332bad646d63cf952b1911586bb6ef |
memory/3120-74-0x00007FF6BD1C0000-0x00007FF6BD514000-memory.dmp
C:\Windows\System\AxApTlC.exe
| MD5 | 7d6366a7a68c94c15a1fe2162ec68982 |
| SHA1 | 28da90a8564c4042e56c7b4b0cf5336ea7a725b4 |
| SHA256 | 9e904f1c7ce84b5fbd32b74c44acdf67947d88b62760fa174cbe846d8408dedb |
| SHA512 | bf0730ea64c2e8492585ccbd272db90cba77c2a80fbaae92f9833f463cb687991aff63e8c62a32518636f2af7b395b1c136dc41a67d594db4ad4a28424a6c99c |
memory/3648-75-0x00007FF6AEE70000-0x00007FF6AF1C4000-memory.dmp
memory/808-79-0x00007FF77EE40000-0x00007FF77F194000-memory.dmp
C:\Windows\System\TVnyVxY.exe
| MD5 | 669b055a3045e9c5676235d02a148fa1 |
| SHA1 | ab5de37bb4e5a87795f159377eb1b91d92bb6afe |
| SHA256 | f9c3fb577acd0e6b9c5c1fdc42373023303f9cdb428a23330d22c58a86377179 |
| SHA512 | 049d8af9fd252206238325fe919900ac6b7aaba336445343662454266f764ad5a2f0a3887a26e7d6d1439e9d216449235991bccad9e21461210df8433f8a17dc |
C:\Windows\System\mvVnqsQ.exe
| MD5 | 4f82ae995f3dabd7d253e82e03bf0c80 |
| SHA1 | 291f5e190fa657f3e100b24120f6cbda7c55bbf1 |
| SHA256 | f0f6fcb139005f76f7b5f54d68ced40f76be79bf384b6c0a38eeffe821fb537b |
| SHA512 | 026aa39222a261ac8bde2300f61b84e46e475fe59a46723e9d0a95c6816427d018e003bff233f8ea7c4b7938a7e4dd2a4df9bc1b4aadd8ed44f7a703ac033263 |
memory/3272-85-0x00007FF799200000-0x00007FF799554000-memory.dmp
C:\Windows\System\thuPBWX.exe
| MD5 | cb27915a4f746b00e5461d77bd062c3e |
| SHA1 | ea245aa18094b2544c9f81783cf4e9d4fa323788 |
| SHA256 | 57fc38072cd13eb116c1bf247c7d414d38e5c680c1c33f2ee089c4497184c262 |
| SHA512 | 860d18ea80af7076dba550f1ba16a14c883d7c11dc217c0bc0a588b6082234696f633f91910a07e29be3a9780b4d7ccd8c3fe8cce8257af1e816f526c0cf2b86 |
memory/3832-99-0x00007FF6DDB00000-0x00007FF6DDE54000-memory.dmp
C:\Windows\System\LfKnZkr.exe
| MD5 | e332eda5631d9155dc36ae6017f2d51f |
| SHA1 | f5bc29b97d387713e6ccad845ab40b1e02d2a3e0 |
| SHA256 | 02485e711b0a8d727a9c26d4713e82e0d0f54e4fe481944dff427de987afe76b |
| SHA512 | d3df0e32cdc5cc598b0b5d328bb98efc7c97b05c4cde28ea53e1484461c79607e3735c314bc889ab2ba2b891aaae3771f8249040a64c953462d4c9c3b11e4342 |
memory/3932-93-0x00007FF78FE20000-0x00007FF790174000-memory.dmp
memory/1968-105-0x00007FF6A56B0000-0x00007FF6A5A04000-memory.dmp
C:\Windows\System\RCCjAir.exe
| MD5 | 62a555ee544433e643c4190d7f06d1e8 |
| SHA1 | 85535ab705eec5f5e4bfa797df82a3debe94744e |
| SHA256 | 1b936f472436216bc47d5cbc56db0f27932772030f044894e4cd5273f9275ac8 |
| SHA512 | 840ca7cc11906f2b2f53e2e466c28db221a9fb7cbf5ede87361eb1c578cd29b052e6f6d7afafc01c603f61ba08663a7c5762f7bd3f7eb1e4f58af19da6ad0a08 |
memory/3224-111-0x00007FF6FD080000-0x00007FF6FD3D4000-memory.dmp
memory/4636-112-0x00007FF72C0D0000-0x00007FF72C424000-memory.dmp
memory/2456-113-0x00007FF680C40000-0x00007FF680F94000-memory.dmp
C:\Windows\System\huulBGZ.exe
| MD5 | 01dda483115ff3190fcc9b2b6918a3e1 |
| SHA1 | 94db78f9513f4500a5d58e936c8be7e4beea392c |
| SHA256 | 7c1d489a6ad665225f3500e4ba8a134f119175d1bd5696a3ee2dbe059f324c61 |
| SHA512 | 4762651dc5d2d1f11a862f7cb84c4a7900cbfe4dbafbd80878d1701e73ed30003b80acbb363f55c2cf14a4a72288f8e75d6cd794ea48118bfc3e76317cfbdcc1 |
C:\Windows\System\uaMSmKk.exe
| MD5 | a685a9496e12ef3a1a1054c6392c7ea2 |
| SHA1 | 54eefd81b2e467be375e1ce2f9ac08a475fcc324 |
| SHA256 | f91fef6c39035bdbce1de1eb8c224ac9acb9babda6ebdd5ecdc99246e648fd75 |
| SHA512 | 045688905c89f2a9e7d77703a4b568e072e900fb4b83c4b3750983ddf01c194d33d98c4e0c5cf35653047270299bc4c522a9819d48d49109835f616fefec9f60 |
memory/3212-119-0x00007FF75DE80000-0x00007FF75E1D4000-memory.dmp
memory/4996-128-0x00007FF615F90000-0x00007FF6162E4000-memory.dmp
C:\Windows\System\cEGzBUm.exe
| MD5 | 52f65b5bc3ae53f92851a58d3b45628e |
| SHA1 | 99153942136ee698c1466cc8031cc06ab9481863 |
| SHA256 | c51242544c01d22218eaa8a9a58f4f62507615626611377a01b84262f5ae6478 |
| SHA512 | 283bfe54c42479e1aa4aa79500922cef55f38627223d9180ead942bed6ccc3d56786d0e771422514208c51614948565afcf544d39b50ada8818dbcf234f546d0 |
memory/3120-123-0x00007FF6BD1C0000-0x00007FF6BD514000-memory.dmp
memory/1492-127-0x00007FF71D580000-0x00007FF71D8D4000-memory.dmp
C:\Windows\System\TsNVvui.exe
| MD5 | 5a6632276041a4dea5cca333cbdcd157 |
| SHA1 | 9f10f49e8f053c0056d46a50fb28a5de9c85bca3 |
| SHA256 | 81af32f4fab30d8e6d2f593bb118a1cf8be6bbb0dbdca69529694902ce5e7af0 |
| SHA512 | 20aebd327dd6d12ea3ac779f04d645e4ea7d56033fbe47a58d3a3a763ca9aefa14d83af548578109a53523d5c66980e6204013ac03416431b2d13ac0b309ab66 |
memory/808-132-0x00007FF77EE40000-0x00007FF77F194000-memory.dmp
memory/3272-133-0x00007FF799200000-0x00007FF799554000-memory.dmp
memory/1492-134-0x00007FF71D580000-0x00007FF71D8D4000-memory.dmp
memory/4996-135-0x00007FF615F90000-0x00007FF6162E4000-memory.dmp
memory/1172-136-0x00007FF632F40000-0x00007FF633294000-memory.dmp
memory/3208-137-0x00007FF6EA560000-0x00007FF6EA8B4000-memory.dmp
memory/2116-138-0x00007FF6E4470000-0x00007FF6E47C4000-memory.dmp
memory/3532-139-0x00007FF6979A0000-0x00007FF697CF4000-memory.dmp
memory/4116-140-0x00007FF6CD0B0000-0x00007FF6CD404000-memory.dmp
memory/1968-142-0x00007FF6A56B0000-0x00007FF6A5A04000-memory.dmp
memory/4416-141-0x00007FF6217C0000-0x00007FF621B14000-memory.dmp
memory/4636-143-0x00007FF72C0D0000-0x00007FF72C424000-memory.dmp
memory/4152-144-0x00007FF694FF0000-0x00007FF695344000-memory.dmp
memory/1580-145-0x00007FF7B94E0000-0x00007FF7B9834000-memory.dmp
memory/3120-146-0x00007FF6BD1C0000-0x00007FF6BD514000-memory.dmp
memory/3648-147-0x00007FF6AEE70000-0x00007FF6AF1C4000-memory.dmp
memory/808-148-0x00007FF77EE40000-0x00007FF77F194000-memory.dmp
memory/3272-149-0x00007FF799200000-0x00007FF799554000-memory.dmp
memory/3932-150-0x00007FF78FE20000-0x00007FF790174000-memory.dmp
memory/3832-151-0x00007FF6DDB00000-0x00007FF6DDE54000-memory.dmp
memory/3224-152-0x00007FF6FD080000-0x00007FF6FD3D4000-memory.dmp
memory/2456-153-0x00007FF680C40000-0x00007FF680F94000-memory.dmp
memory/3212-154-0x00007FF75DE80000-0x00007FF75E1D4000-memory.dmp
memory/1492-155-0x00007FF71D580000-0x00007FF71D8D4000-memory.dmp
memory/4996-156-0x00007FF615F90000-0x00007FF6162E4000-memory.dmp