Analysis Overview
SHA256
66b140dff70a948ff0b19a98f4203027ab6f7dd438bd58d4ae496c3052eef466
Threat Level: Known bad
The file 2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
UPX dump on OEP (original entry point)
Cobaltstrike family
xmrig
XMRig Miner payload
Xmrig family
Cobalt Strike reflective loader
Cobaltstrike
Detects Reflective DLL injection artifacts
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-06 18:11
Signatures
Cobalt Strike reflective loader
1 hit; description, indicator, process and target columns were empty in the export.
Cobaltstrike family
Detects Reflective DLL injection artifacts
1 hit; description, indicator, process and target columns were empty in the export.
UPX dump on OEP (original entry point)
1 hit; description, indicator, process and target columns were empty in the export.
XMRig Miner payload
1 hit; description, indicator, process and target columns were empty in the export.
Xmrig family
UPX packed file
1 hit; description, indicator, process and target columns were empty in the export.
Unsigned PE
1 hit; description, indicator, process and target columns were empty in the export.
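The two purely structural verdicts above, UPX packed file and Unsigned PE, can be reproduced without a sandbox by walking the PE headers. The script below is an added example, not code from this report or from the sample's authors: it parses the DOS, COFF, optional and section headers, flags UPX both by the UPX0/UPX1 section names and by the empty-on-disk, large-in-memory first section UPX leaves when the names have been patched out, reports per-section entropy, and treats an empty Attribute Certificate data directory (the Authenticode slot) as unsigned. The two PE images at the bottom are constructed in memory so the script runs offline; they are not the dropped files listed in this report, and the CLI name in the usage note is an assumption.

```python
import hashlib
import json
import math
import random
import struct

# Added example (not code from this report or from the sample): a header
# walker that reproduces the "UPX packed file" and "Unsigned PE" static
# signatures. The two PE images at the bottom are constructed in memory so
# the script runs offline; they are not the dropped files listed above.


def shannon_entropy(data):
    """Bits per byte; compressed or encrypted data sits close to 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def inspect_pe(data):
    """Parse DOS, COFF, optional and section headers; return packing/signing verdicts."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = pe_off + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    # Data directories begin at +96 (PE32) or +112 (PE32+). Entry 4 is the
    # Attribute Certificate table that carries the Authenticode signature;
    # an all-zero entry is what the "Unsigned PE" signature keys on.
    dirs = opt + (112 if magic == 0x20B else 96)
    cert_rva, cert_size = struct.unpack_from("<II", data, dirs + 4 * 8)
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + i * 40
        name, vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, hdr)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(data[raw_ptr:raw_ptr + raw_size]), 2),
        })
    # UPX keeps its UPX0/UPX1 names unless the operator patched them; the
    # fallback is UPX0's shape: nothing on disk, a large virtual size.
    by_name = any(s["name"].startswith("UPX") for s in sections)
    by_shape = bool(sections) and sections[0]["raw_size"] == 0 and sections[0]["virtual_size"] >= 0x10000
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "sections": sections,
        "upx": by_name or by_shape,
        "signed": bool(cert_rva and cert_size),
    }


def build_pe(sections):
    """Constructed PE32+ image from (name, virtual_size, raw_bytes) triples; test input only."""
    opt_size = 240
    headers_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_base = (headers_len + 0x1FF) & ~0x1FF            # raw data on a 512-byte boundary
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)    # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<H", 0x20B).ljust(opt_size, b"\0")  # PE32+ magic, rest zero: no cert directory
    hdrs, body, va = b"", b"", 0x1000
    for name, vsize, raw in sections:
        ptr = raw_base + len(body) if raw else 0
        hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        body += raw
        va += (max(vsize, len(raw)) + 0xFFF) & ~0xFFF
    return (dos + b"PE\0\0" + coff + opt + hdrs).ljust(raw_base, b"\0") + body


_rng = random.Random(2024)
_PACKED_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))  # stands in for compressed code
UPX_SAMPLE = build_pe([(b"UPX0", 0x30000, b""), (b"UPX1", 0x1000, _PACKED_BLOB), (b".rsrc", 0x200, b"\0" * 512)])
PLAIN_SAMPLE = build_pe([(b".text", 0x1000, b"\x48\x89\x5c\x24\x08" * 200), (b".data", 0x200, b"\0" * 512)])

if __name__ == "__main__":
    import sys
    targets = {p: open(p, "rb").read() for p in sys.argv[1:]} or {
        "constructed-upx": UPX_SAMPLE, "constructed-plain": PLAIN_SAMPLE}
    for label, blob in targets.items():
        print(label, json.dumps(inspect_pe(blob), indent=1))
```

Point it at any of the dropped C:\Windows\System\*.exe files with `python inspect_pe.py <file>` (file name assumed). A build with renamed sections still trips the raw-size heuristic, and a single non-empty section sitting near 8.0 bits of entropy is the general packing tell even when neither the names nor the layout match UPX. Sandbox runs that raise "Unsigned PE" only tell you the certificate directory is empty; a file can also carry a signature that fails validation, which this check does not attempt.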
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-06 18:11
Reported
2024-06-06 18:13
Platform
win7-20240221-en
Max time kernel
129s
Max time network
142s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits; description, indicator, process and target columns were empty in the export.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits; description, indicator, process and target columns were empty in the export.
UPX dump on OEP (original entry point)
54 hits; description, indicator, process and target columns were empty in the export.
XMRig Miner payload
59 hits; description, indicator, process and target columns were empty in the export.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\unAxgmQ.exe | N/A |
| N/A | N/A | C:\Windows\System\twHMAbG.exe | N/A |
| N/A | N/A | C:\Windows\System\tLibuNc.exe | N/A |
| N/A | N/A | C:\Windows\System\MNUtlmi.exe | N/A |
| N/A | N/A | C:\Windows\System\zMcOtHs.exe | N/A |
| N/A | N/A | C:\Windows\System\QjDbiWw.exe | N/A |
| N/A | N/A | C:\Windows\System\IKXAikR.exe | N/A |
| N/A | N/A | C:\Windows\System\oWRHBPn.exe | N/A |
| N/A | N/A | C:\Windows\System\wjVNZPg.exe | N/A |
| N/A | N/A | C:\Windows\System\LuqgSpy.exe | N/A |
| N/A | N/A | C:\Windows\System\AhVUJXU.exe | N/A |
| N/A | N/A | C:\Windows\System\XUKTBsM.exe | N/A |
| N/A | N/A | C:\Windows\System\dyyzQHb.exe | N/A |
| N/A | N/A | C:\Windows\System\uWUCTFz.exe | N/A |
| N/A | N/A | C:\Windows\System\gfslCyH.exe | N/A |
| N/A | N/A | C:\Windows\System\oakhJCr.exe | N/A |
| N/A | N/A | C:\Windows\System\uuyyZLN.exe | N/A |
| N/A | N/A | C:\Windows\System\ZBnpwUI.exe | N/A |
| N/A | N/A | C:\Windows\System\ohIeUcm.exe | N/A |
| N/A | N/A | C:\Windows\System\zRrOWmZ.exe | N/A |
| N/A | N/A | C:\Windows\System\thSTxtV.exe | N/A |
Loads dropped DLL
UPX packed file
54 hits; description, indicator, process and target columns were empty in the export.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\unAxgmQ.exe
C:\Windows\System\unAxgmQ.exe
C:\Windows\System\twHMAbG.exe
C:\Windows\System\twHMAbG.exe
C:\Windows\System\tLibuNc.exe
C:\Windows\System\tLibuNc.exe
C:\Windows\System\MNUtlmi.exe
C:\Windows\System\MNUtlmi.exe
C:\Windows\System\zMcOtHs.exe
C:\Windows\System\zMcOtHs.exe
C:\Windows\System\IKXAikR.exe
C:\Windows\System\IKXAikR.exe
C:\Windows\System\QjDbiWw.exe
C:\Windows\System\QjDbiWw.exe
C:\Windows\System\wjVNZPg.exe
C:\Windows\System\wjVNZPg.exe
C:\Windows\System\oWRHBPn.exe
C:\Windows\System\oWRHBPn.exe
C:\Windows\System\AhVUJXU.exe
C:\Windows\System\AhVUJXU.exe
C:\Windows\System\LuqgSpy.exe
C:\Windows\System\LuqgSpy.exe
C:\Windows\System\uuyyZLN.exe
C:\Windows\System\uuyyZLN.exe
C:\Windows\System\XUKTBsM.exe
C:\Windows\System\XUKTBsM.exe
C:\Windows\System\ZBnpwUI.exe
C:\Windows\System\ZBnpwUI.exe
C:\Windows\System\dyyzQHb.exe
C:\Windows\System\dyyzQHb.exe
C:\Windows\System\ohIeUcm.exe
C:\Windows\System\ohIeUcm.exe
C:\Windows\System\uWUCTFz.exe
C:\Windows\System\uWUCTFz.exe
C:\Windows\System\zRrOWmZ.exe
C:\Windows\System\zRrOWmZ.exe
C:\Windows\System\gfslCyH.exe
C:\Windows\System\gfslCyH.exe
C:\Windows\System\thSTxtV.exe
C:\Windows\System\thSTxtV.exe
C:\Windows\System\oakhJCr.exe
C:\Windows\System\oakhJCr.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/1284-0-0x000000013F470000-0x000000013F7C4000-memory.dmp
memory/1284-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\unAxgmQ.exe
| MD5 | d395fffd015945c47627ac0397d54a3c |
| SHA1 | 2599579159f4f31266e100993b8e3bf5a492b87a |
| SHA256 | 2aaa945e7ad782b78917fec7a33ba0c22619bd3497cc2edf26d30ab1ec783d89 |
| SHA512 | 0e4ff7632e7c7acfda649762771c5547ce7c5ead21d75e7d618c1a845b1a6095fbc43a91043b950b8f2bd0149e1bb2d150038cb9d61307a318de2d7e66318d76 |
memory/2516-8-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2552-18-0x000000013F0D0000-0x000000013F424000-memory.dmp
C:\Windows\system\twHMAbG.exe
| MD5 | 7d71821d6c6a73b1944ac22677e86868 |
| SHA1 | 15bad1070c1b4f510cc867ed6c8e233f16fd6aa0 |
| SHA256 | 4faf2f7c29eca0f27518bb8d5b42249bdde32a71018149370519cac4266a27da |
| SHA512 | 1cf4395d0f49d85123646b45786a7fb2e134314e0b10939dc2991aba507107e7aee3a20907e4ea3bdcf377badcf44d712f496f43a7c9e3719edf80f4d116044b |
\Windows\system\tLibuNc.exe
| MD5 | a8cd32f506afb6ab2d23579b20212fa0 |
| SHA1 | d7c3106b02bbb7e648926c245935e403a3846433 |
| SHA256 | 777fbcca4222169f4600cc4a48deb175cb6a34b57453ef862588ee7c249a4e59 |
| SHA512 | da6ffe133d2a441af285e8ebed4530863d8d6936ab3e6f9f858c33b5339286d25b66321eda82a7c454c7440cff2fd30e18d1ebd9a9a2a8b80914ae95976a8fa9 |
memory/2528-28-0x000000013FEF0000-0x0000000140244000-memory.dmp
C:\Windows\system\zMcOtHs.exe
| MD5 | b27a7a2c77eb8a422f252a22e5afa95c |
| SHA1 | 6a8c3903d30eb44d42ed2659d18f1ed2af68ab15 |
| SHA256 | 70ba9aa4f0b74b8e12eb2d6162ed61280d97c19c10cd8c5eed1e88e96f2f81fd |
| SHA512 | 61090444432a7b5e3f88a1102ee6449ddcc1912813ec780ecba794d593da86c1dc1b53ef5f79a22124c2c4798a9afbb0a3564f34a322dcf264efea43df29093f |
C:\Windows\system\MNUtlmi.exe
| MD5 | 20c10423bdef58d4cf057ecb4c52b025 |
| SHA1 | 1ad7dd4e5f96d3a65421da5887a4cbb3a76fe946 |
| SHA256 | b3d47ad83e35f38d2ff60664e674168e1a95772b605f346faff0b4556999b426 |
| SHA512 | dda409a4f11c3f65f528e0d21120c55dfe844c4c4847466056b7d3031120212a91cf5a7e8abe80d23eaf9578056d16177401b8f9376d685a7a4e8d9c694f47a6 |
memory/1284-26-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2688-25-0x000000013FC70000-0x000000013FFC4000-memory.dmp
memory/1284-24-0x000000013FC70000-0x000000013FFC4000-memory.dmp
memory/1284-13-0x000000013F0D0000-0x000000013F424000-memory.dmp
C:\Windows\system\oWRHBPn.exe
| MD5 | a6617e6ea626ee868f10eafdaf180574 |
| SHA1 | 3fc754665fefdf7c41dcd5862ae5e71f45af0772 |
| SHA256 | 30aa3f3a074660ef2df7b49cfdf90ba12432ab68667881fdfa7b262505f884b9 |
| SHA512 | fd0160e0c322360e211c38f850c234e10400ec2e113d4dc8a0a57ab7fa897899919440e27efbb3787b221d786cdfca8c979eac7abbf30d2aa7b749b8871e83f6 |
\Windows\system\IKXAikR.exe
| MD5 | ac8e155ba35a1b190ce5afbfaaeea79a |
| SHA1 | 04447efb24f748ddb176525f4287fc57627c18b3 |
| SHA256 | 94823ef483510b4cbeecc3d33197b6ee85b667c74ad15fe6327aa1fe0157d336 |
| SHA512 | 44dcd765460cc511441a166387555bd42b1988d2a7e8105bbaa667d0ff9268be6c9491899444de5718d774b1689a1cf0945bd613b6e90b4e15a0170317d78641 |
\Windows\system\AhVUJXU.exe
| MD5 | 31907902a6a8d1ef89dceeef332a6cac |
| SHA1 | fb685b6495b7c3ffb175eb3eb332a2f79a18af90 |
| SHA256 | 66c2ad00a3701b9fdbfb88b5118dab37f2101415afa5e9a5efb1bb601d4b51ca |
| SHA512 | 4d9b7938519e6581c5933312c32de8e37c35a352cd2322999ff1ecfb2dc65a33b2cbe11152da5908c22c04d6ed309f3fe738158f347c5c3ff62185ac0004b7fc |
\Windows\system\uuyyZLN.exe
| MD5 | f3f4aa1de186c78b39163ada8b410a3d |
| SHA1 | deb1e90a112242b382f503b8972a7cba4e78307e |
| SHA256 | 86dbc9070d76b6a4e646f9868b1fdb0f1b4e904189c8ea1b140465896efaa9eb |
| SHA512 | bff636e29481e583d5a772e104e6070d8e16420a9d0f28d20606f9dfd9bafb1cd9de7734adb1afe8d2cd932bfd8a099e23224d8f8fa397078e59a6bbebaa12da |
memory/2768-114-0x000000013FD90000-0x00000001400E4000-memory.dmp
C:\Windows\system\gfslCyH.exe
| MD5 | 1c9c874b06e64c12ac8c5322b1ee5ecf |
| SHA1 | 7f61ada66d373c953e86323e1a330ac5ca4df618 |
| SHA256 | 681cb8853249a59830a6628ed467337be0230679829c16a3319962734f9bcd4c |
| SHA512 | c861994ee6f578a406557ddcee25f726ce2e89cd4049dba4b68d6a92a03638eb92a3358d3d715c3dbfbb344965342ed3f1402eff76434b641f2a74c59a708beb |
\Windows\system\thSTxtV.exe
| MD5 | 388e8b40cc72c94403965550662fc5a1 |
| SHA1 | e99b0dc8434bafaeb3eed0e271870d9e3f9be7ad |
| SHA256 | de8d45cb1a6bdaa0a8b0a762545521ea16b295e39ee2bc6cdc030fd05bc301ce |
| SHA512 | 8ce73449bae8ff5d40468eb2f7c1ddbe111415843b6961aa95dab31c36b41c313246d4ec0dda23f1dda74475985dd6abb7dc6b0fea905581cef524b678c4e8d3 |
C:\Windows\system\uWUCTFz.exe
| MD5 | 55c3ea18e81b2badd872f78faf62d685 |
| SHA1 | 383c21976638b9d16adb2d59fcda16b9d32437f7 |
| SHA256 | ab99fc486a62b6baaab9c0d82fdd9faadd90f372cc243da6c57eb366abb2f4b9 |
| SHA512 | 6176036adfa8031d2fc602ae420d0cc28bbc2f14e45b013712c75120b9ae2133059576114eeaa02c6b5e180394530d39a39e585b39cb533ad7d8411a6e124f7c |
\Windows\system\zRrOWmZ.exe
| MD5 | 9ff61c62be195be0c7792f210fb892da |
| SHA1 | 6c40e4e5929d3b45551757f2c5cd20376e8c35c2 |
| SHA256 | 2b2b090e5e03c4c13ce88a4f9372911530f930d4135aee53b064c0cab61b7572 |
| SHA512 | a3abec03f7d5c43d5af41f373ed7e2f6259b1822746e0b52d61f4ce2208606b71709e7cf206508540964974748994ce54d549cc0f6fe371b3f6615bfe302a94a |
memory/1284-99-0x0000000002360000-0x00000000026B4000-memory.dmp
\Windows\system\ohIeUcm.exe
| MD5 | 98ca18b715f8be868333b97ded6de3c3 |
| SHA1 | 536ae771615219c2413f4e60513fb48df21c01d9 |
| SHA256 | 1b01ba360ef69179522dbbd07611065cf13c8b45e841c8ba6b2888e52c11df12 |
| SHA512 | 3b8d36f9ed368b23b80ff284b51da4cabf55ce95c34001db0f7eb555ba81c969bc1d3b45ea71e7f39808db4f068e8daf7ea80a9606da9ec812b0a2f8e990756b |
memory/2552-135-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/1284-90-0x000000013F470000-0x000000013F7C4000-memory.dmp
memory/1284-89-0x000000013FAE0000-0x000000013FE34000-memory.dmp
\Windows\system\ZBnpwUI.exe
| MD5 | c7122385f564e62e4ab63b95781263d6 |
| SHA1 | 2b9280431b28befa09b989e01c3e54170f632c7a |
| SHA256 | 60693c91410a78bd94c23e554199a4996ab2550d4c5c92e25065c385fcadc386 |
| SHA512 | 0ec537e8d52bc62add8650eaa5939678c763d4a4c537ff7a471e6dc35da16f37ada640672715f6af489d3503bb614200ea207f32cad9946438da9087b7ac9a35 |
memory/1284-136-0x000000013F0D0000-0x000000013F424000-memory.dmp
\Windows\system\wjVNZPg.exe
| MD5 | a07dad34e2f955735717ec03d33d1e89 |
| SHA1 | 8f3c9547ba3e0094d29e77d57f7e282247897dab |
| SHA256 | 5272c4e836d75efefcab1b0905be40ff6c5ada79ebe13d8d8d3ccc04545c7347 |
| SHA512 | 807fa1ca4072a66a406d4add9dfd6e27e0ada40ddef0c516ac58c6541533559e3ffcb20184db5bfdbb08c62b4291971ee0df9413e0c902c784b9cd35d4bd1e0b |
memory/2516-119-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/1284-118-0x0000000002360000-0x00000000026B4000-memory.dmp
C:\Windows\system\oakhJCr.exe
| MD5 | e9c078181afee71bd348ac33c28dd54d |
| SHA1 | 41e11e3d8dcabd01407eff13056abfd8ea040ea0 |
| SHA256 | d383ed5b04bb55d4c6a902c2b28ed167ffbec9554eb67b0d2c7c86d5068ec8be |
| SHA512 | 73e0fc7485f0374d798e7cda943e59761f01784945c25d140ad9a33e99bbbebbf8ee2dd5846bfc43152cb26dcb312a74652411ed738032befc9e28f4373e56c5 |
memory/636-95-0x000000013FB20000-0x000000013FE74000-memory.dmp
C:\Windows\system\dyyzQHb.exe
| MD5 | a234e9a932930c5b261e943a13185868 |
| SHA1 | ed53a655d64ebfdbdb3dbc9681bd6e0a8a161dc2 |
| SHA256 | aeffa67db1eadd293d0b2de54877aced7cdda419bbc7c8cb767fbd1347903260 |
| SHA512 | 091c8a78f02a8a488e894bcfc4a8ce911c208d35413b3bcdc3b774a95c359e2096c3023c7897afe92bb1c5e1c498f03ead680ab3952db582e628421933894536 |
memory/2928-85-0x000000013FB20000-0x000000013FE74000-memory.dmp
C:\Windows\system\XUKTBsM.exe
| MD5 | 94fa0a84a61a5e64fa6909f729888bbe |
| SHA1 | 337fcf64d1f8e1d00ae388482f3bd1b60d77c06f |
| SHA256 | 6128e3a3f99b29dc6b751b330fec85089705efb7bad8b9344ff8e3044aeba392 |
| SHA512 | 649ec69ad31a58616a43b705df050f93da3e658f529cee84aa02ab96e4e9948845e78adff8ecefa43bcf60e365ee32554947e13c48ead20bf1464c391517d22d |
memory/1336-83-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/2696-80-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/1284-39-0x0000000002360000-0x00000000026B4000-memory.dmp
memory/2584-38-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/1284-37-0x0000000002360000-0x00000000026B4000-memory.dmp
C:\Windows\system\LuqgSpy.exe
| MD5 | 7c9b3a14b56eb83ca0b9007e865f1127 |
| SHA1 | 5fdf055e8f0657b336238f9b0b73df39d36d5654 |
| SHA256 | 1c3b288ab82ec8c5b2b2cbf23bfa1e8e1f84fdf8f08519efe90528a649af587a |
| SHA512 | b1878be6fa0595dc59e5ed4ff89714a3b8ee0ea99294ddabf0cb7ae37ff35d573e4c4c1af1939bb2dc24af0db4f0beb06103cdce3492741792b74678a73dc246 |
memory/1284-67-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/1284-66-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/2456-65-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/1284-64-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/2452-63-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/1284-62-0x0000000002360000-0x00000000026B4000-memory.dmp
memory/2560-61-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2528-137-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/1284-60-0x000000013FD50000-0x00000001400A4000-memory.dmp
C:\Windows\system\QjDbiWw.exe
| MD5 | dc0a9a5a861146552f70970044d717ce |
| SHA1 | 2212a8fbe31caed61dff9237df1df588b63a318e |
| SHA256 | 3306fb16e6a8ae0aec3d7953505d497832f0e816f4c04752458e4fdbe44545e3 |
| SHA512 | b20a6759bdc1cd8b0ef70b2fbf08bbace999642487dd89b0d57f53808fb0528eda878fb070741180c32f4b759087b300c4a511dba566e94ec11f66571fc5ede0 |
memory/636-138-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/2768-139-0x000000013FD90000-0x00000001400E4000-memory.dmp
memory/1284-140-0x0000000002360000-0x00000000026B4000-memory.dmp
memory/2516-141-0x000000013F830000-0x000000013FB84000-memory.dmp
memory/2552-142-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/2688-143-0x000000013FC70000-0x000000013FFC4000-memory.dmp
memory/2528-144-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2584-145-0x000000013F4E0000-0x000000013F834000-memory.dmp
memory/2452-146-0x000000013F7B0000-0x000000013FB04000-memory.dmp
memory/2456-148-0x000000013F0A0000-0x000000013F3F4000-memory.dmp
memory/2560-147-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/1336-150-0x000000013F0B0000-0x000000013F404000-memory.dmp
memory/2928-151-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/2696-149-0x000000013F730000-0x000000013FA84000-memory.dmp
memory/636-153-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/2768-152-0x000000013FD90000-0x00000001400E4000-memory.dmp
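The process tree, network table and file hashes above are enough to hunt for this loader on other hosts. The script below is an added example, not code from this report or from the sample's authors: it encodes four behaviours shared by the behavioral1 and behavioral2 runs as rules over Sysmon-shaped events: seven-letter randomly named executables written directly under C:\Windows\System (not System32), the SHA256 values of the dropped files, the 3.120.209.58:8080 endpoint, and a process adjusting its own token to gain SeLockMemoryPrivilege, which is the privilege XMRig requests to back its scratchpad with large pages. The events, the pid-to-process mapping (borrowed from the memory-dump names in the Files section) and the SeLockMemoryPrivilege allow-list are constructed assumptions for the example.

```python
import re

# Added example (not code from this report): a hunt over endpoint telemetry
# for behaviours the behavioral1 and behavioral2 runs share. The events are
# constructed, Sysmon-shaped dicts; the IOC values come from the report.

C2_ENDPOINTS = {("3.120.209.58", 8080)}
DROPPED_SHA256 = {  # first three dropped files from the behavioral1 Files section
    "2aaa945e7ad782b78917fec7a33ba0c22619bd3497cc2edf26d30ab1ec783d89",  # unAxgmQ.exe
    "4faf2f7c29eca0f27518bb8d5b42249bdde32a71018149370519cac4266a27da",  # twHMAbG.exe
    "777fbcca4222169f4600cc4a48deb175cb6a34b57453ef862588ee7c249a4e59",  # tLibuNc.exe
}
# Seven letters directly under <drive>:\Windows\System\ (not System32): the
# naming pattern shared by all 21 dropped executables in each run.
RANDOM_SYSTEM_EXE = re.compile(r"^[A-Z]:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
# SeLockMemoryPrivilege is what XMRig asks for to get large pages. Legitimate
# holders are rare; this allow-list is an assumption for the example.
LOCKMEM_ALLOWED = {r"c:\program files\microsoft sql server\mssql\binn\sqlservr.exe"}

RULES = {
    "random_exe_in_windows_system": lambda e: (
        e.get("type") == "process_create"
        and bool(RANDOM_SYSTEM_EXE.match(e.get("image", "")))),
    "known_dropped_file_hash": lambda e: (
        e.get("type") == "file_create"
        and e.get("sha256", "").lower() in DROPPED_SHA256),
    "c2_endpoint": lambda e: (
        e.get("type") == "network_connect"
        and (e.get("dst_ip"), e.get("dst_port")) in C2_ENDPOINTS),
    "selockmemory_outside_allowlist": lambda e: (
        e.get("type") == "privilege_adjust"
        and e.get("privilege") == "SeLockMemoryPrivilege"
        and e.get("image", "").lower() not in LOCKMEM_ALLOWED),
}


def hunt(events):
    """Return (rule_name, event) for every rule each event matches."""
    return [(name, ev) for ev in events for name, pred in RULES.items() if pred(ev)]


def triage(events):
    """Per-process rollup: (pid, sorted rule names), most distinct rule hits first."""
    per_pid = {}
    for name, ev in hunt(events):
        per_pid.setdefault(ev["pid"], set()).add(name)
    return sorted(((pid, sorted(rules)) for pid, rules in per_pid.items()),
                  key=lambda kv: (-len(kv[1]), kv[0]))


# Constructed telemetry. pids are borrowed from the memory-dump names in the
# Files section; which process each one was is an assumption here.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1284, "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "parent": "explorer.exe"},
    {"type": "privilege_adjust", "pid": 1284, "image": r"C:\Users\Admin\AppData\Local\Temp\sample.exe",
     "privilege": "SeLockMemoryPrivilege"},
    {"type": "file_create", "pid": 1284, "path": r"C:\Windows\System\unAxgmQ.exe",
     "sha256": "2AAA945E7AD782B78917FEC7A33BA0C22619BD3497CC2EDF26D30AB1EC783D89"},
    {"type": "process_create", "pid": 2516, "image": r"C:\Windows\System\unAxgmQ.exe", "parent": "sample.exe"},
    {"type": "network_connect", "pid": 1284, "dst_ip": "3.120.209.58", "dst_port": 8080, "proto": "tcp"},
    {"type": "process_create", "pid": 900, "image": r"C:\Windows\System32\svchost.exe", "parent": "services.exe"},
    {"type": "network_connect", "pid": 900, "dst_ip": "8.8.8.8", "dst_port": 53, "proto": "udp"},
    {"type": "privilege_adjust", "pid": 1200,
     "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "privilege": "SeLockMemoryPrivilege"},
]

if __name__ == "__main__":
    for pid, rules in triage(SAMPLE_EVENTS):
        print(pid, ", ".join(rules))
```

Of the four rules the hash set is the weakest: the behavioral1 and behavioral2 Files sections show that each run drops 21 freshly written files with different names and different hashes, so the path pattern and the privilege pivot are the rules to keep once the IP rotates. The rollup in `triage` is there because a single process tripping the privilege, hash and endpoint rules together is a much stronger signal than any of them alone.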
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-06 18:11
Reported
2024-06-06 18:13
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
Cobalt Strike reflective loader
21 hits; description, indicator, process and target columns were empty in the export.
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
21 hits; description, indicator, process and target columns were empty in the export.
UPX dump on OEP (original entry point)
64 hits; description, indicator, process and target columns were empty in the export.
XMRig Miner payload
64 hits; description, indicator, process and target columns were empty in the export.
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\kpbHcJn.exe | N/A |
| N/A | N/A | C:\Windows\System\rnaEuin.exe | N/A |
| N/A | N/A | C:\Windows\System\AjomDaS.exe | N/A |
| N/A | N/A | C:\Windows\System\eGiGaHS.exe | N/A |
| N/A | N/A | C:\Windows\System\DbtlhSA.exe | N/A |
| N/A | N/A | C:\Windows\System\BSjksng.exe | N/A |
| N/A | N/A | C:\Windows\System\vlLeGJd.exe | N/A |
| N/A | N/A | C:\Windows\System\sFNRaAM.exe | N/A |
| N/A | N/A | C:\Windows\System\pZiOBxh.exe | N/A |
| N/A | N/A | C:\Windows\System\BxVmiKl.exe | N/A |
| N/A | N/A | C:\Windows\System\pCqZFUN.exe | N/A |
| N/A | N/A | C:\Windows\System\uULiZUF.exe | N/A |
| N/A | N/A | C:\Windows\System\MDGjlbv.exe | N/A |
| N/A | N/A | C:\Windows\System\AdWBefJ.exe | N/A |
| N/A | N/A | C:\Windows\System\oVAOXXn.exe | N/A |
| N/A | N/A | C:\Windows\System\FGyJiat.exe | N/A |
| N/A | N/A | C:\Windows\System\EMvtxlJ.exe | N/A |
| N/A | N/A | C:\Windows\System\AcKGpPA.exe | N/A |
| N/A | N/A | C:\Windows\System\RrzzWuI.exe | N/A |
| N/A | N/A | C:\Windows\System\AUViPwP.exe | N/A |
| N/A | N/A | C:\Windows\System\FtNhmVt.exe | N/A |
UPX packed file
64 hits; description, indicator, process and target columns were empty in the export.
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-06_3c4788f882575db322912b2062f5b356_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\kpbHcJn.exe
C:\Windows\System\kpbHcJn.exe
C:\Windows\System\rnaEuin.exe
C:\Windows\System\rnaEuin.exe
C:\Windows\System\AjomDaS.exe
C:\Windows\System\AjomDaS.exe
C:\Windows\System\eGiGaHS.exe
C:\Windows\System\eGiGaHS.exe
C:\Windows\System\DbtlhSA.exe
C:\Windows\System\DbtlhSA.exe
C:\Windows\System\BSjksng.exe
C:\Windows\System\BSjksng.exe
C:\Windows\System\vlLeGJd.exe
C:\Windows\System\vlLeGJd.exe
C:\Windows\System\sFNRaAM.exe
C:\Windows\System\sFNRaAM.exe
C:\Windows\System\pZiOBxh.exe
C:\Windows\System\pZiOBxh.exe
C:\Windows\System\BxVmiKl.exe
C:\Windows\System\BxVmiKl.exe
C:\Windows\System\pCqZFUN.exe
C:\Windows\System\pCqZFUN.exe
C:\Windows\System\uULiZUF.exe
C:\Windows\System\uULiZUF.exe
C:\Windows\System\MDGjlbv.exe
C:\Windows\System\MDGjlbv.exe
C:\Windows\System\AdWBefJ.exe
C:\Windows\System\AdWBefJ.exe
C:\Windows\System\oVAOXXn.exe
C:\Windows\System\oVAOXXn.exe
C:\Windows\System\FGyJiat.exe
C:\Windows\System\FGyJiat.exe
C:\Windows\System\EMvtxlJ.exe
C:\Windows\System\EMvtxlJ.exe
C:\Windows\System\AcKGpPA.exe
C:\Windows\System\AcKGpPA.exe
C:\Windows\System\RrzzWuI.exe
C:\Windows\System\RrzzWuI.exe
C:\Windows\System\AUViPwP.exe
C:\Windows\System\AUViPwP.exe
C:\Windows\System\FtNhmVt.exe
C:\Windows\System\FtNhmVt.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 131.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 145.83.221.88.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 153.141.79.40.in-addr.arpa | udp |
Files