Analysis Overview
SHA256
01e3cf22bd114a497ceb52897d54fe8bccc7bf701e8ea108db17fad28f426a2a
Threat Level: Known bad
The file 2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Xmrig family
Cobaltstrike
xmrig
UPX dump on OEP (original entry point)
Cobaltstrike family
XMRig Miner payload
Cobalt Strike reflective loader
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-06 13:40
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 13:40
Reported
2024-06-06 13:43
Platform
win7-20240508-en
Max time kernel
142s
Max time network
146s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\stsNZCT.exe | N/A |
| N/A | N/A | C:\Windows\System\LPfparq.exe | N/A |
| N/A | N/A | C:\Windows\System\UtkCAsd.exe | N/A |
| N/A | N/A | C:\Windows\System\XuHHsVB.exe | N/A |
| N/A | N/A | C:\Windows\System\AwGQqYl.exe | N/A |
| N/A | N/A | C:\Windows\System\ssSRkvk.exe | N/A |
| N/A | N/A | C:\Windows\System\IsyTiWu.exe | N/A |
| N/A | N/A | C:\Windows\System\ZPkWfnd.exe | N/A |
| N/A | N/A | C:\Windows\System\nkHYLYA.exe | N/A |
| N/A | N/A | C:\Windows\System\LKMLfnY.exe | N/A |
| N/A | N/A | C:\Windows\System\AkxKWTX.exe | N/A |
| N/A | N/A | C:\Windows\System\sgSRCiP.exe | N/A |
| N/A | N/A | C:\Windows\System\tyXFxAw.exe | N/A |
| N/A | N/A | C:\Windows\System\TPuwYLG.exe | N/A |
| N/A | N/A | C:\Windows\System\XSKqKip.exe | N/A |
| N/A | N/A | C:\Windows\System\ilHtwQR.exe | N/A |
| N/A | N/A | C:\Windows\System\ifXJFoG.exe | N/A |
| N/A | N/A | C:\Windows\System\ysvBiTa.exe | N/A |
| N/A | N/A | C:\Windows\System\TJXHSeB.exe | N/A |
| N/A | N/A | C:\Windows\System\BmZvnBB.exe | N/A |
| N/A | N/A | C:\Windows\System\ZULYpBh.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\stsNZCT.exe | C:\Windows\System\stsNZCT.exe |
| C:\Windows\System\LPfparq.exe | C:\Windows\System\LPfparq.exe |
| C:\Windows\System\UtkCAsd.exe | C:\Windows\System\UtkCAsd.exe |
| C:\Windows\System\XuHHsVB.exe | C:\Windows\System\XuHHsVB.exe |
| C:\Windows\System\AwGQqYl.exe | C:\Windows\System\AwGQqYl.exe |
| C:\Windows\System\ssSRkvk.exe | C:\Windows\System\ssSRkvk.exe |
| C:\Windows\System\IsyTiWu.exe | C:\Windows\System\IsyTiWu.exe |
| C:\Windows\System\ZPkWfnd.exe | C:\Windows\System\ZPkWfnd.exe |
| C:\Windows\System\nkHYLYA.exe | C:\Windows\System\nkHYLYA.exe |
| C:\Windows\System\LKMLfnY.exe | C:\Windows\System\LKMLfnY.exe |
| C:\Windows\System\sgSRCiP.exe | C:\Windows\System\sgSRCiP.exe |
| C:\Windows\System\AkxKWTX.exe | C:\Windows\System\AkxKWTX.exe |
| C:\Windows\System\tyXFxAw.exe | C:\Windows\System\tyXFxAw.exe |
| C:\Windows\System\TPuwYLG.exe | C:\Windows\System\TPuwYLG.exe |
| C:\Windows\System\XSKqKip.exe | C:\Windows\System\XSKqKip.exe |
| C:\Windows\System\ilHtwQR.exe | C:\Windows\System\ilHtwQR.exe |
| C:\Windows\System\ifXJFoG.exe | C:\Windows\System\ifXJFoG.exe |
| C:\Windows\System\ysvBiTa.exe | C:\Windows\System\ysvBiTa.exe |
| C:\Windows\System\TJXHSeB.exe | C:\Windows\System\TJXHSeB.exe |
| C:\Windows\System\BmZvnBB.exe | C:\Windows\System\BmZvnBB.exe |
| C:\Windows\System\ZULYpBh.exe | C:\Windows\System\ZULYpBh.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
\Windows\system\stsNZCT.exe
| MD5 | 3dc5b5db48b16012afa27e17a57d6a3e |
| SHA1 | 5f9cd444d94443c0db48feb51132b0d474a2a15c |
| SHA256 | 164c1cfdcffa03baca591a8986b7034a58a69f1d84374113c66f42737b5e9ade |
| SHA512 | 6474f7c83c03ea29cec78ea907b2f4f600a6005d7a464190a1ed94f0b5495abd1e2764530852f820fed57a0c372af90bb0819e1aaaf8cb92c454c9942b7b554a |
\Windows\system\LPfparq.exe
| MD5 | 9816b8cc5cdd7a65eb8b89ef98826d11 |
| SHA1 | 0363f60850bdd6c88799bbc45001e17010df0d87 |
| SHA256 | 6b1a7539689e86b26290d47762c7298627d07b2c4ca78a73c36d4ce112cdc4c9 |
| SHA512 | 43c28ce67b1bb29c38c39f80d6404a2e6f7268de5f39b08bb000925a699685a5acc0d65829687305b9421a98646acb7228ba1af2d96d97dd78df2b94b1a8c370 |
C:\Windows\system\UtkCAsd.exe
| MD5 | cc2cbefd688894b23cb3e6f34c25f21c |
| SHA1 | 5466d1e91136b9e96c50f8a2d208b4fdea1413ab |
| SHA256 | 2ea746daf90c97b0e3a04a78cace32e07044dc6f30a6cdc124df8f2b11e91cb8 |
| SHA512 | 7a4044e26634f4e414f9f7d574ecb88e5279b38ab3252839452417f8a03051454c63887d5ce0eee3e635334d03b9a882994abc02af7386dea72de340539c1725 |
C:\Windows\system\XuHHsVB.exe
| MD5 | 84a0325dfa6ae96fc46b698c5b5a3aa1 |
| SHA1 | e0c801d8134857676741f1c6405a9b2352ba542d |
| SHA256 | ceabf20c4b4eebaee9e0c40c446f71f056cb1c0bce378c802547927f0368e5ce |
| SHA512 | f97721d02e019b1514e559c7cb6af90bf0118700e82b7a07a112a343262930b04c5b76bc3c7a085bc077642059fad5c9370e9fb3af4ea55548fa1a5e180dcbb4 |
\Windows\system\AwGQqYl.exe
| MD5 | d1954a63b3d9a6a0d6dcaa196e40f316 |
| SHA1 | 4ca0fd5dbbc36652d6ef9711848231e8fd62ee8d |
| SHA256 | 9e141e5c445e2bfc5ac643e0a0910ed0f8f34213030e40c7f46d897a8e7d88eb |
| SHA512 | ef28da11f7ac02af7ab503228482f56a4f09dfb8498c4b61f31fc8def2df177a3b9183559c16dbbeb6fec2d56b2b535f63a642d72d914c76bc1b38a67a3545d3 |
\Windows\system\ssSRkvk.exe
| MD5 | 89f9c382cda4d76059ec7f8d21a27986 |
| SHA1 | e9b619f78f3707bb1ac5419f5b7d2adfe530a130 |
| SHA256 | b56ff2fbb12cd66765c9228eecc8eebfb51056ce7eb45c1a9942c15f8c95eb0b |
| SHA512 | e165b0455d73cd9baa5942846f9c02c81ff49d6a002b309db7bb2eee0e9602a755cd99a788ad8207dd7aca9f8f4fddb9e81d417b40682c00d70c802ed7cf32ce |
\Windows\system\IsyTiWu.exe
| MD5 | 870cbd2ca13366137bd6dca72095742c |
| SHA1 | acfeae3a7dea3a627db0c39a42dcc9bbe3c6f1a7 |
| SHA256 | cf9da6e877c578b22f776ed5a2a9eecbd4abf0b6235b3eed48219f9c3f062857 |
| SHA512 | a68962809626f53274d8fea2b8a084d7772981968e063e65642e3e6b1851bbbafe7cb4e2277924639e913d4bbcd29ae19b3c18e112057659f85fc09cc66886e2 |
\Windows\system\ZPkWfnd.exe
| MD5 | 5a436a91f1640ab06c82a90481a4297d |
| SHA1 | cf0f06c8a89accb1918ad4d9968af5d7eada02be |
| SHA256 | bbd0142fbe6a3b6b41b312f4cc4b1b185e42dedf0f38a17f6901279e13b44dc3 |
| SHA512 | 0a06ca12e0b270964104cc12d88e96a7f2e30357d3dec7bebf4b0f8f3dea12edbb4487b72f5f2d969a0e57d12245eab4a4b6823df73a7fa3106c0425e5c304ea |
\Windows\system\nkHYLYA.exe
| MD5 | 6fe5b3464666935105209ce57d57fcac |
| SHA1 | ecc78cfb715eb25a119e2c078a414dba781fac94 |
| SHA256 | 61445a7d5d7094637ddd1cead767c6eff636edbca9ad1ebf93e240e32605d7b6 |
| SHA512 | 2f72033d04bc2d382ae1e0eba6d097eb9a18f4a2ebf3f4b343730211dd19a65c2ca479f28d579f72f86305ec7ad3e7d135af142c73b3f4afd3da3a905aaa1ae3 |
\Windows\system\LKMLfnY.exe
| MD5 | a914e26892b025486abb31a18b2f8aec |
| SHA1 | d05f9f674bf16897f7d28f688ff96733a79d1e78 |
| SHA256 | ed60aad90a9094535f7ef259eec1f18d5264074f9294de5c6f4b15ecba448459 |
| SHA512 | 7a0383a2f76cb67e6fc89dbaa6265d9c7c5bce809cab96447d8155252c5263a3c27249b88c6dda9502bd82b399f8bb05a9f690a2d2fbbe8092c1f413ac389aa2 |
C:\Windows\system\AkxKWTX.exe
| MD5 | 1aca1d85a423ead488b749ce232225ff |
| SHA1 | f0cea1ebfd051f488d3dde756e3ad33e7f6983e1 |
| SHA256 | a4f41c4cb6102e0cc1a7828025b85909b026d06f757c03fa6dabe6f77f9bf702 |
| SHA512 | 6c3a774c750154c2913d3189ed743f06305b9df5a1534885d02b9d13648a3c7448e06b3b764a0862d7d34a8c1f12009a5141ec7a7027728a494efad47b98c4f7 |
C:\Windows\system\sgSRCiP.exe
| MD5 | cb58d94d9dfeae4c319f8e4f9d3d1d35 |
| SHA1 | 7133a952f15c46286d28c0dd3343fc1a11e119f6 |
| SHA256 | 74a9a0a45343dc8bd15059d7c6ec3a60c1db0a30430a5e3d5a765dc7b37e1c4c |
| SHA512 | 7bf70b21d392ced63b9fecd45b6bbc1def173ca87e3577af2f1b10a4d949a1d40937c5ee53502db4c88431748ed339bb61ad349aaa6261e178cb85f161592fc5 |
\Windows\system\tyXFxAw.exe
| MD5 | ea73d2f9647662be744a917da561e750 |
| SHA1 | 03abb6161db56d98fe377461d23f6408b3e8be5d |
| SHA256 | 6716ff65e9446f8bfb4c34774cf911b984de9c191c02fe09f8430e14559a5d72 |
| SHA512 | b2daa9f07a95c146f7073d72bdc47a793c091a30100bfdc37a319285d394b48b4e585e6eafa8971a465ea61543acd66801b7a7452d78872ff905346c69b2874f |
C:\Windows\system\TPuwYLG.exe
| MD5 | f7d858dc8fe898246ae4a22ccabbae98 |
| SHA1 | e27e3e0c5b80a61076ce56e08ab8ca882b100e41 |
| SHA256 | a468810f06f8c4b4e98247a7db49ed183ed5092490d5676bac827f6f9c00ca27 |
| SHA512 | ce0ffffa991d46dc618bbe2ebee77e4b9ac36d9217d7c3fb2fdbb38cac822b0c3d94ef62964ee8078050fd9201a2a80a22f1b53a0985ea2d0686d8566246680d |
\Windows\system\XSKqKip.exe
| MD5 | 3e4aa9448e419a1b0c78cf41ef6ff784 |
| SHA1 | 16457008a264e611ea8386886726ffdf1f5c8507 |
| SHA256 | 565799724f1d0a8709ccf1aa083500a1aae00da83a1c8351a8dce7320bec61ca |
| SHA512 | e8a1f176b674e56bdf94fb0c8d0c9b995da8c3228fb8aa4b437f837500771d59aa6bb03d80292b0ff4fe3bb696f68bc058b378e202b695e351e270c0d5a4910b |
\Windows\system\ilHtwQR.exe
| MD5 | babe325dd7d52907435a4c50060b482e |
| SHA1 | f25bfbad87611fb63f9fc5ff2866ae7ca2ac7dd4 |
| SHA256 | 99203576285266f6f230d58b789b0684b4cb877f254407c4c8e9f2fa920c5470 |
| SHA512 | 53968d80320bcdcf0fee5c37d0be16d7aadae2938b9b9002cf56c0eb3c403b76f74dff6ea2ae44a37616cc307c97fb20f75a0537fe38a93afa435d77ff51fe04 |
C:\Windows\system\ifXJFoG.exe
| MD5 | 5a65fb49bdf331b72398cd5ffad2500e |
| SHA1 | c902379c158f9dc61a3443f36164838b0bbac041 |
| SHA256 | 3962cec8b6e5ac72389f162901a4aa228d74a340cfdf909a1484b801dbb9b70d |
| SHA512 | f30e93088e773ad1f3e7bea8270016e46d79dde67d887a080377c970e6cc289bfed2b195f45dbd4f7a9f1daa647e4eeed39834c0edc95fcc3af4f76c1984ab47 |
C:\Windows\system\ysvBiTa.exe
| MD5 | c0bc1d06a5dfa2c7f51abdec1311f48c |
| SHA1 | eabb89d4b59b9be94dfdc78d66015ee88e8b192a |
| SHA256 | 7ddb947b4285e8209ecb32f81e8c0a20332f9162332dab1ec84fc00442352fe2 |
| SHA512 | 61cc421d07fa57f12d2c36cd58507b004dba880f3753d41a33136da80cf20b86a732aa323be903530855cdcda126652703430225b5b24357ff228d46a6ac3c6a |
\Windows\system\TJXHSeB.exe
| MD5 | ef163fb6261345a5d1511d938e28406b |
| SHA1 | 51f91004c35aff8971a23a37ca5c89a8eb2c6c3c |
| SHA256 | e9ec6813e4f6a008b0f1791f31681f6e72c8bd7b9457eb2b4df5d91ab797e27f |
| SHA512 | 6ba82108f558c421b85660b898fe48349cb94cc6bd85074c49bc5bd48844d1b684e352a28002da315a5c2ea5da1fb175d9558c7b33c0daf26350198a11dceec7 |
\Windows\system\BmZvnBB.exe
| MD5 | 5542509da3ea7192615c3fcd57d5dc09 |
| SHA1 | e5b3cd83b307d98c6563f8d0bfd9e5d60de9e0f9 |
| SHA256 | 675d893e887cd51095107bd84e9bb1c0fd1754b642a59a1b71fdda0d549222ac |
| SHA512 | f7b2cbeca577886832c60d35937a6ae29c36ee6d1039d0c9e01ec390db498f5b5ebbf8881e95d46aef92d4e8aad208b5c42aa095f2e84cbe428abe5712ac6288 |
C:\Windows\system\ZULYpBh.exe
| MD5 | 5824adffb437c8b8af60082d79376d88 |
| SHA1 | 4c7ecec1bac4128d886028711b7a7c88b5a64d30 |
| SHA256 | d1091bfd4ec2935e4daa9b044ba35eaa92422ed537d0ea74a3df2d5dfdbcff64 |
| SHA512 | 092d476e651421e358e05ead147cf979b34d1dd908dc8a81ce4dd7bfc55aeb555652b055cb079512e2964fd731c6fee7df02384c60e4bb7363bb75b61953922e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 13:40
Reported
2024-06-06 13:43
Platform
win10v2004-20240426-en
Max time kernel
138s
Max time network
147s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\vdUssdL.exe | N/A |
| N/A | N/A | C:\Windows\System\gxYpcSf.exe | N/A |
| N/A | N/A | C:\Windows\System\DlThRDh.exe | N/A |
| N/A | N/A | C:\Windows\System\xutRNxm.exe | N/A |
| N/A | N/A | C:\Windows\System\YfDDMFg.exe | N/A |
| N/A | N/A | C:\Windows\System\vJwFGdw.exe | N/A |
| N/A | N/A | C:\Windows\System\SVvDaMD.exe | N/A |
| N/A | N/A | C:\Windows\System\sWVScqy.exe | N/A |
| N/A | N/A | C:\Windows\System\pVyvryu.exe | N/A |
| N/A | N/A | C:\Windows\System\fseTprB.exe | N/A |
| N/A | N/A | C:\Windows\System\PsyppdK.exe | N/A |
| N/A | N/A | C:\Windows\System\sKtACtG.exe | N/A |
| N/A | N/A | C:\Windows\System\sHoQRGi.exe | N/A |
| N/A | N/A | C:\Windows\System\vVAberV.exe | N/A |
| N/A | N/A | C:\Windows\System\WqvoNwZ.exe | N/A |
| N/A | N/A | C:\Windows\System\rJvxEAU.exe | N/A |
| N/A | N/A | C:\Windows\System\zgdAbJm.exe | N/A |
| N/A | N/A | C:\Windows\System\vwaBqsg.exe | N/A |
| N/A | N/A | C:\Windows\System\ErXTJxS.exe | N/A |
| N/A | N/A | C:\Windows\System\QeGZkxG.exe | N/A |
| N/A | N/A | C:\Windows\System\lOTvxMy.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-06_4ef732014f3960208622c83e02a5c0b9_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\vdUssdL.exe | C:\Windows\System\vdUssdL.exe |
| C:\Windows\System\gxYpcSf.exe | C:\Windows\System\gxYpcSf.exe |
| C:\Windows\System\DlThRDh.exe | C:\Windows\System\DlThRDh.exe |
| C:\Windows\System\xutRNxm.exe | C:\Windows\System\xutRNxm.exe |
| C:\Windows\System\YfDDMFg.exe | C:\Windows\System\YfDDMFg.exe |
| C:\Windows\System\vJwFGdw.exe | C:\Windows\System\vJwFGdw.exe |
| C:\Windows\System\SVvDaMD.exe | C:\Windows\System\SVvDaMD.exe |
| C:\Windows\System\sWVScqy.exe | C:\Windows\System\sWVScqy.exe |
| C:\Windows\System\pVyvryu.exe | C:\Windows\System\pVyvryu.exe |
| C:\Windows\System\fseTprB.exe | C:\Windows\System\fseTprB.exe |
| C:\Windows\System\PsyppdK.exe | C:\Windows\System\PsyppdK.exe |
| C:\Windows\System\sKtACtG.exe | C:\Windows\System\sKtACtG.exe |
| C:\Windows\System\sHoQRGi.exe | C:\Windows\System\sHoQRGi.exe |
| C:\Windows\System\vVAberV.exe | C:\Windows\System\vVAberV.exe |
| C:\Windows\System\WqvoNwZ.exe | C:\Windows\System\WqvoNwZ.exe |
| C:\Windows\System\rJvxEAU.exe | C:\Windows\System\rJvxEAU.exe |
| C:\Windows\System\zgdAbJm.exe | C:\Windows\System\zgdAbJm.exe |
| C:\Windows\System\vwaBqsg.exe | C:\Windows\System\vwaBqsg.exe |
| C:\Windows\System\ErXTJxS.exe | C:\Windows\System\ErXTJxS.exe |
| C:\Windows\System\QeGZkxG.exe | C:\Windows\System\QeGZkxG.exe |
| C:\Windows\System\lOTvxMy.exe | C:\Windows\System\lOTvxMy.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
C:\Windows\System\vdUssdL.exe
| MD5 | fa561f4311db50a7e2045731e8cee63b |
| SHA1 | 6ee1998cad8a129e5fc2dea46fd6e8f5ebc55800 |
| SHA256 | b0fb8cd28fba2aa91f62f2924ed28aecc4ff3c5741bf0a723c611b8f0aea2bcd |
| SHA512 | 1745a28d577cbcd57bde07e6744e133d8cc081eac5b29296ca19def804efbfd7913da5000eda739476645fd57459fb38100fe5c345af1f0fb93aa131de7adb30 |
memory/3172-6-0x00007FF7AAC30000-0x00007FF7AAF84000-memory.dmp
C:\Windows\System\DlThRDh.exe
| MD5 | 2231597e57feb8a233fbb968d57f3720 |
| SHA1 | 425fdeb23a0256b978cc500ae5f3b74ebe160d3d |
| SHA256 | 39845203d1e6dbc622bf0d5c4fcf781155343780824ee89bb13a96e348327c25 |
| SHA512 | 4cf51f3f273b9433136fd5474c8888d27e91e6e9218e66507493f12b163a8aaf989f573bb9a0bd5863d3b733cb405de68951976161a63f8a085a4863d19637bc |
C:\Windows\System\gxYpcSf.exe
| MD5 | 8af1fd4c70955bdec1e762c443223a4b |
| SHA1 | 3ba404c1b8266d8495796230d56ae14e7774a122 |
| SHA256 | 29708cd2a9dfd7e30642eeb5de364bdb220805d2b0f5b6ab363e7adb158c2d17 |
| SHA512 | 2b589f01bb01ed86fcc8e0f77d79b0075185f5b132fae6c1aa320ed2ecc84d0db919d8336c37488610c0b4e201db465a26f586c9c7c1a6dd6a8117ed8cb70536 |
C:\Windows\System\xutRNxm.exe
| MD5 | 2bf782fccfd1a0f6b8a204008084ebed |
| SHA1 | cb345f7dd0bbcd9ae3dc8391e2a437b0aed55c41 |
| SHA256 | 01e29a0031b505e9977f670c42f3f60c5d48de2c0f3de78d37a7d65c371f6ca3 |
| SHA512 | c6ed1945381d237794e254133fe8476a11c6a35fe9e5efb3a15b811cce938a802f960e409e2f436d4a58533c51fe77ccfb1bc0f6204d733fcad88f45e097dcd5 |
C:\Windows\System\YfDDMFg.exe
| MD5 | 3a462c499b2cf535427aeb772b5369d3 |
| SHA1 | f663af86d1f2d5ce8dd6a88daacdadf5e92a8581 |
| SHA256 | 61a36703b45465a949b65881c5502216057db680c3eec9e6424078f32195336c |
| SHA512 | 5c1d8bdcf7164391b47ebfee6e90055e000c376e009eb7fd2d71390fafc63fc6b98542ebcea69a2818d403d42689c5fc1211fd7911626cd0c77bb97baab2f1a0 |
memory/2888-28-0x00007FF6DAA00000-0x00007FF6DAD54000-memory.dmp
memory/4760-30-0x00007FF7C25E0000-0x00007FF7C2934000-memory.dmp
memory/4012-22-0x00007FF7A5A70000-0x00007FF7A5DC4000-memory.dmp
memory/2188-16-0x00007FF60B480000-0x00007FF60B7D4000-memory.dmp
C:\Windows\System\vJwFGdw.exe
| MD5 | 19a6d52673402f36a3b3d09d2e7344f9 |
| SHA1 | 58ffea198a82fe12418572e720766ddb97d91096 |
| SHA256 | 1c84acfc6606fef09441740f2812cde7dd59189b072f691cf66971de6350d9ed |
| SHA512 | c686f5aa6173f4bbcb2849e7b8a6e6730018166028cea37e65a66c15ddcd1dab94d776987449f0f08cf0fa8025235ed8dc42d8a97718877fa782e220abee96ee |
C:\Windows\System\SVvDaMD.exe
| MD5 | 9a00210335ac0033fa88110510a3fbf8 |
| SHA1 | 70d2738cbe422787c3da2b6b1af78961a3d090b9 |
| SHA256 | e9df31aabec2e8b0084a678db1d38ffe7049a3bcfcd4acddf4678ce66cfcfb9d |
| SHA512 | ae7817c8e152dcb03577616ec1be3ed19a41b1ec209d67a1c4f455cb1ef2b9fc8e6d68e30073be70ba23062c36a41eead02eee5724fdd740e084cc56a57d3384 |
memory/1576-44-0x00007FF7B6910000-0x00007FF7B6C64000-memory.dmp
memory/1200-38-0x00007FF7C6C00000-0x00007FF7C6F54000-memory.dmp
C:\Windows\System\sWVScqy.exe
| MD5 | 09dadc8f391e26ad032ad944b27a6221 |
| SHA1 | 647374df394c87709e716ed644be479168bd2f44 |
| SHA256 | 7a993fe4a6f4c733c28e8bef405e65d501fe38ee29bca327dcf30dd15c24fcba |
| SHA512 | 0333f8376dc987e54765a29674651afeaf359315f91a34b2e809037a87241ba6831fb4bbf3cdacd8a71e3ca2044979601fdc862da54002c0ac4bf48c313209a4 |
C:\Windows\System\fseTprB.exe
| MD5 | 3abb5219d003fcb03bac0efb04a675f2 |
| SHA1 | 612a040853b7e4f86cfe986c7e1bc4d9f874dad7 |
| SHA256 | fdbeb7b7c338a85511af0e0c7a4dd4900db25ded716bd33327459ca84e44d3b7 |
| SHA512 | caecd961864b6641e6d4f4c47fdd0248887b6e51b51c8eb81db6d05c388df7d8d5ec473480e83394976f9aa4c69c8854f350dcd12b72964ef73d799ad6343ff6 |
C:\Windows\System\vVAberV.exe
| MD5 | 1f50b63a2f39d14f30f59ffa57c06d0e |
| SHA1 | 5978b2bf6928796d41d5c00e2bc5485b83db31f0 |
| SHA256 | 761da31816d532e40a6532bbf574204ae148f5d0bccaa9bdbc595a8fa061ca2d |
| SHA512 | 5b4b40986ea7b94f16735b3ac1e8b21c2530e90024604f3fd8e1545eed7aec51253e7cace323db18d99623ca1a517986f688f123eb471e93f3b82df4a85ff951 |
memory/3168-82-0x00007FF686470000-0x00007FF6867C4000-memory.dmp
memory/2404-88-0x00007FF764920000-0x00007FF764C74000-memory.dmp
C:\Windows\System\rJvxEAU.exe
| MD5 | cae22c5f2640020437c8ba554be44d14 |
| SHA1 | e0aa3ada2b3f3d661725189821d946b9325cbe4d |
| SHA256 | eaa6103f27f69fc188e245812760eb5ece3edf5dbdcb9db36dd970b7fe58f344 |
| SHA512 | 0cf72a70710c9f08403e8b78050c224cb4512a22cd4796fa3da89413f7dfa26a4207751a4f48aa0e7fecb272de1ed375901baae2d3cbd19b5669aeb718ccc869 |
memory/2972-99-0x00007FF78A530000-0x00007FF78A884000-memory.dmp
memory/3172-98-0x00007FF7AAC30000-0x00007FF7AAF84000-memory.dmp
memory/2248-97-0x00007FF623360000-0x00007FF6236B4000-memory.dmp
C:\Windows\System\WqvoNwZ.exe
| MD5 | d3bd0aa58444d424c46589e62072c4a4 |
| SHA1 | 226f403d3b1b8f862f56b0b704fd0e930d55098b |
| SHA256 | e9aa4301591a0c612d5cba38cd13ae7b8ae5a2dd028cce5acc5087ffa8c213c1 |
| SHA512 | 95dbca750a1f5f57e326d5cc81b024bcea533e960b8ea4b3d8b2ea9b357ca278f66c3888f26141db8c74d61bdfbcf0307cf02b90ec8cb0c6e0b4b3a8cb245f69 |
memory/4220-91-0x00007FF7B6130000-0x00007FF7B6484000-memory.dmp
memory/4540-90-0x00007FF754010000-0x00007FF754364000-memory.dmp
memory/860-87-0x00007FF7A1870000-0x00007FF7A1BC4000-memory.dmp
C:\Windows\System\zgdAbJm.exe
| MD5 | a767f9c18fc537734a1e80d5524e9844 |
| SHA1 | 380236d7d155d7387ca355b03e53f505b1cdd367 |
| SHA256 | 174ce41f0e317c97e9a160421f61aaeb287fc18c725b06f22d26ca841bd64ac3 |
| SHA512 | f815fa4e06c8ec62c292b749966b997c8f3a5270d191023ab4c71aca964cbd22c8a4bec4def95bba7213a0723c7dd0cbf8e8a9c788e85ce3503a1fa4c654ebac |
C:\Windows\System\ErXTJxS.exe
| MD5 | c08aa019a190b5279287200a275baac4 |
| SHA1 | d54badf8bf9a2776e70415fec251360bd29989a7 |
| SHA256 | 1960a31afe0916146f5697da283025a6833c61e7b0c9a6876c167ed88092f404 |
| SHA512 | d0ca2d525296a6923db909426e9b951f0f17b7faac1bd40d4c4a1dae717cb4630132a66c42d0b4ff75b5d687be0d6b4cd61e60abb15643320360c39bef577572 |
C:\Windows\System\lOTvxMy.exe
| MD5 | 0ca86e25339c832a5e9b310dd5d38a35 |
| SHA1 | 2ff2fee6305cbfe77f90d1c33d0103330afdb99d |
| SHA256 | f693291509ca5553527585a957f8990adda13453bd9471d19b88fa5c851c75ad |
| SHA512 | 3405e33e5014022f07c64702c446c258f7f93e7729c70013051ece5df6d02464eac3dd1cd921e4ae76cbb183c6d1e89595ad7caad5a10691e5733e924c8c5b9b |
C:\Windows\System\QeGZkxG.exe
| MD5 | 7259a135a0e49abed350859f8caab80e |
| SHA1 | 91d224f92c6f505fc3ce655b2aec129cadc555ab |
| SHA256 | f13928f35178e211481742970c65a98f4f6f2e67695c512acccc82286fc137d6 |
| SHA512 | 1a014ab1cd8d4bc78dc691e96f57b5ac407949b645908fb06c65fb56b09977975f839ff32a86129a735e98724a476696ff648b9b7e0081b3a6e9930872203331 |
C:\Windows\System\vwaBqsg.exe
| MD5 | 327db16860d02f743d88a49cc5edec78 |
| SHA1 | 19aa5bd5274c77d4f9cbcd8bb1716b4712a3d5b5 |
| SHA256 | a3ad12e213ceb4e608b1a01ad7bbdbcd3effbb67fc91eafe04640ff6ae478c05 |
| SHA512 | 166a9da2181dbdf4d827df27250cf6ea1740ed97a88a52653f065c80ed826a79c676aff0d67f71453564d146c4046a84ded6d930ee3b5484ef2679c445b71fc1 |
C:\Windows\System\sHoQRGi.exe
| MD5 | bbbe14287bb54ae1d4d8492148479910 |
| SHA1 | ff5550f813b3b0f6f261cba3cce095f7e0978903 |
| SHA256 | df69d2416adacd8791cbeb70c66234d2b66cc2b556ae88f2b7b7eeb6b60af35b |
| SHA512 | efaf942cfc593459a7f57b91f2a0c701c4d8f7e43573e8258718143b13d6b1e4effb49a424ed327986185edc2b6b875f52b9e18943b03d11062aace3a2cdd929 |
memory/4460-81-0x00007FF6E4140000-0x00007FF6E4494000-memory.dmp
C:\Windows\System\sKtACtG.exe
| MD5 | 8b97a488fa03a806567f0b178a29e103 |
| SHA1 | 6f85dfe57f16c25d3f8d6b4dcc258671405e4e8e |
| SHA256 | 8caf01a2f08a3bfe5f9996ce9d0c2bf6e8b6ef0551b36d4151682c143d826a2f |
| SHA512 | fae4b46c34e6e4f4f7c90ddaea16ce94e0d93db3ec14d347128b2cd599b17aa636a164f313bb890482d4fb3cd27c6b9c403ebc578a5cd80857078ddc5784ee9f |
C:\Windows\System\PsyppdK.exe
| MD5 | 073f9740f714f4aefc53b1b9ac659dc0 |
| SHA1 | 28f0d4eba7567576f0001fc0537075cf1a9f08ef |
| SHA256 | 10474bca45e442d4abefcd03f49dc837612254f8396cffac2050f034289e8a28 |
| SHA512 | c82436465892d4409245be314c56ff8936b7d39766eada0b60c869f041739ac8ea2c9b346e1171d2c0b46eb92a8664ac12e33b9dbcb06a40db9e617d8c7a19e3 |
C:\Windows\System\pVyvryu.exe
| MD5 | 9208b32cca0e3d4335ef7ccd2d83c671 |
| SHA1 | 9c28d1b24a68293531766dfe031365bfc1847036 |
| SHA256 | 2b9f8bb4c88bb541727d09d7c0601696dbf00629aa68c1a54fdd481cbfa81cb3 |
| SHA512 | 290735ffc381f435f544848c0943e5b0b6c4d6094196af94997bc40c45b6749d22a13706bdd9090bf9974af33cb0d255f1fb8eb89549034362d013c04881b728 |
memory/2516-52-0x00007FF7D88E0000-0x00007FF7D8C34000-memory.dmp
memory/2964-48-0x00007FF77CBF0000-0x00007FF77CF44000-memory.dmp
memory/4904-124-0x00007FF75C110000-0x00007FF75C464000-memory.dmp
memory/4996-127-0x00007FF7AF920000-0x00007FF7AFC74000-memory.dmp
memory/2916-128-0x00007FF7E1D30000-0x00007FF7E2084000-memory.dmp
memory/1048-126-0x00007FF6AD6C0000-0x00007FF6ADA14000-memory.dmp
memory/4944-125-0x00007FF67E270000-0x00007FF67E5C4000-memory.dmp
memory/2888-130-0x00007FF6DAA00000-0x00007FF6DAD54000-memory.dmp
memory/4760-131-0x00007FF7C25E0000-0x00007FF7C2934000-memory.dmp
memory/2964-132-0x00007FF77CBF0000-0x00007FF77CF44000-memory.dmp
memory/2516-133-0x00007FF7D88E0000-0x00007FF7D8C34000-memory.dmp
memory/2404-134-0x00007FF764920000-0x00007FF764C74000-memory.dmp
memory/4540-135-0x00007FF754010000-0x00007FF754364000-memory.dmp
memory/3172-136-0x00007FF7AAC30000-0x00007FF7AAF84000-memory.dmp
memory/2188-137-0x00007FF60B480000-0x00007FF60B7D4000-memory.dmp
memory/4012-138-0x00007FF7A5A70000-0x00007FF7A5DC4000-memory.dmp
memory/2888-139-0x00007FF6DAA00000-0x00007FF6DAD54000-memory.dmp
memory/4760-140-0x00007FF7C25E0000-0x00007FF7C2934000-memory.dmp
memory/1200-141-0x00007FF7C6C00000-0x00007FF7C6F54000-memory.dmp
memory/1576-142-0x00007FF7B6910000-0x00007FF7B6C64000-memory.dmp
memory/2964-143-0x00007FF77CBF0000-0x00007FF77CF44000-memory.dmp
memory/2516-144-0x00007FF7D88E0000-0x00007FF7D8C34000-memory.dmp
memory/3168-145-0x00007FF686470000-0x00007FF6867C4000-memory.dmp
memory/860-146-0x00007FF7A1870000-0x00007FF7A1BC4000-memory.dmp
memory/4220-147-0x00007FF7B6130000-0x00007FF7B6484000-memory.dmp
memory/2248-148-0x00007FF623360000-0x00007FF6236B4000-memory.dmp
memory/2972-149-0x00007FF78A530000-0x00007FF78A884000-memory.dmp
memory/4540-150-0x00007FF754010000-0x00007FF754364000-memory.dmp
memory/4904-151-0x00007FF75C110000-0x00007FF75C464000-memory.dmp
memory/4944-152-0x00007FF67E270000-0x00007FF67E5C4000-memory.dmp
memory/1048-153-0x00007FF6AD6C0000-0x00007FF6ADA14000-memory.dmp
memory/4996-154-0x00007FF7AF920000-0x00007FF7AFC74000-memory.dmp
memory/2916-155-0x00007FF7E1D30000-0x00007FF7E2084000-memory.dmp
memory/2404-156-0x00007FF764920000-0x00007FF764C74000-memory.dmp
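The Network and Files sections above are raw sandbox output: the only direct connections are the repeated TCP attempts to 3.120.209.58:8080 (the in-addr.arpa rows are reverse lookups, not contacted hosts), and every image-range dump in the memory list spans the same 0x354000 bytes, which is what you would expect from the same executable mapped once per dropped copy. The script below is an added example written by the editor, not code from the sandbox or from any tool the report names. It assumes only the pipe-delimited row layout and the memory/<pid>-<idx>-0x<start>-0x<end>-memory.dmp naming used on this page; the sample rows are copied from the report, including the rows where the export shifts the protocol into the Domain column. It extracts the direct connections, decodes the reverse lookups back to IPs, collects the per-file digests, checks each digest has the right hex length before it goes into a blocklist, and tallies dump sizes.

```python
# Added example (editor's code, not part of the sandbox report or of any
# tool it mentions): turn the report's Network and Files sections into
# IOC records and summarise them for triage.
import re
from collections import Counter, defaultdict

# Constructed sample input: rows copied from the report above, in the
# pipe-delimited layout the page uses. The export sometimes shifts the
# protocol into the Domain column and drops the last cell; both shapes
# are included so the parser is exercised on each.
NETWORK_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp | |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | tcp |
"""

FILE_ROWS = r"""
memory/4460-0-0x00007FF6E4140000-0x00007FF6E4494000-memory.dmp
memory/4460-1-0x00000191388F0000-0x0000019138900000-memory.dmp
C:\Windows\System\vdUssdL.exe
| MD5 | fa561f4311db50a7e2045731e8cee63b |
| SHA256 | b0fb8cd28fba2aa91f62f2924ed28aecc4ff3c5741bf0a723c611b8f0aea2bcd |
memory/3172-6-0x00007FF7AAC30000-0x00007FF7AAF84000-memory.dmp
C:\Windows\System\DlThRDh.exe
| SHA256 | 39845203d1e6dbc622bf0d5c4fcf781155343780824ee89bb13a96e348327c25 |
"""

MEM_RE = re.compile(
    r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}


def _cells(line):
    """Split one '| a | b |' row into stripped cells."""
    return [c.strip() for c in line.strip().strip("|").split("|")]


def ptr_to_ip(name):
    """'196.249.167.52.in-addr.arpa' -> '52.167.249.196'."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def parse_network(text):
    """Return (connections, reverse_lookups): rows without a domain are
    direct socket connections; PTR rows give the IPs the sandbox resolved."""
    conns, ptrs = [], []
    for line in text.splitlines():
        cells = _cells(line)
        if len(cells) < 3 or cells[0] == "Country":
            continue
        dest = cells[1]
        rest = [c for c in cells[2:] if c]        # drop empty trailing cells
        proto = rest[-1] if rest else ""          # protocol is always last
        domain = rest[0] if len(rest) > 1 else ""
        if domain.endswith(".in-addr.arpa"):
            ptrs.append(ptr_to_ip(domain))
        else:
            conns.append((dest, proto))
    return conns, ptrs


def parse_files(text):
    """Return ({path: {algo: digest}}, [memory regions]). A hash row belongs
    to the nearest path line above it; dump names decode to pid/range/size."""
    hashes, regions, current = defaultdict(dict), [], None
    for line in text.splitlines():
        line = line.strip()
        m = MEM_RE.match(line)
        if m:
            pid, idx, start, end = m.groups()
            start, end = int(start, 16), int(end, 16)
            regions.append({"pid": int(pid), "idx": int(idx),
                            "start": start, "end": end, "size": end - start})
        elif line.startswith("|"):
            cells = _cells(line)
            if current is not None and len(cells) == 2:
                hashes[current][cells[0].lower()] = cells[1].lower()
        elif line:
            current = line              # a path line opens a new file record
    return dict(hashes), regions


def malformed_digests(hashes):
    """(path, algo) pairs whose digest has the wrong length or non-hex
    characters: catches truncated copy-paste before it reaches a blocklist."""
    bad = []
    for path, algos in hashes.items():
        for algo, digest in algos.items():
            want = DIGEST_LEN.get(algo)
            if want is None or len(digest) != want or \
                    any(c not in "0123456789abcdef" for c in digest):
                bad.append((path, algo))
    return bad


def region_sizes(regions):
    """Counter of dump sizes; many dumps of one size is one image mapped
    in many processes, one dump per PID."""
    return Counter(r["size"] for r in regions)


if __name__ == "__main__":
    conns, ptrs = parse_network(NETWORK_ROWS)
    print("direct connections:", Counter(conns))
    print("reverse-looked-up IPs:", ptrs)
    hashes, regions = parse_files(FILE_ROWS)
    for path, algos in hashes.items():
        print(path, algos.get("sha256"))
    print("dump sizes:", {hex(k): v for k, v in region_sizes(regions).items()})
    print("malformed digests:", malformed_digests(hashes))
```

Run it on the full Files section rather than the sample and the size tally comes back as a single 0x354000 bucket plus the one 0x10000 heap region in PID 4460, which tells you a single hash-and-compare on one dump is enough before spending time on the rest.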