Analysis Overview
SHA256
2dca2e8cf5dd6fc063d4dc31d399a827c7ea0e47ec656b2e0b8bd806b8d92889
Threat Level: Known bad
The file 2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
Cobalt Strike reflective loader
UPX dump on OEP (original entry point)
Cobaltstrike family
xmrig
Cobaltstrike
Detects Reflective DLL injection artifacts
XMRig Miner payload
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-07 01:48
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-07 01:47
Reported
2024-06-07 01:51
Platform
win7-20240221-en
Max time kernel
132s
Max time network
142s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\pBcFozo.exe | N/A |
| N/A | N/A | C:\Windows\System\pejAGaK.exe | N/A |
| N/A | N/A | C:\Windows\System\sQnLggh.exe | N/A |
| N/A | N/A | C:\Windows\System\KNBuwDC.exe | N/A |
| N/A | N/A | C:\Windows\System\xYEhFcf.exe | N/A |
| N/A | N/A | C:\Windows\System\cuudpeR.exe | N/A |
| N/A | N/A | C:\Windows\System\KssUXHo.exe | N/A |
| N/A | N/A | C:\Windows\System\aeYsMzY.exe | N/A |
| N/A | N/A | C:\Windows\System\HupOEJI.exe | N/A |
| N/A | N/A | C:\Windows\System\toLRptS.exe | N/A |
| N/A | N/A | C:\Windows\System\jaZbkpe.exe | N/A |
| N/A | N/A | C:\Windows\System\kLIuTHN.exe | N/A |
| N/A | N/A | C:\Windows\System\YkIknQD.exe | N/A |
| N/A | N/A | C:\Windows\System\KHzrnIM.exe | N/A |
| N/A | N/A | C:\Windows\System\Lnrlcyn.exe | N/A |
| N/A | N/A | C:\Windows\System\GakQuKf.exe | N/A |
| N/A | N/A | C:\Windows\System\yfwVZbR.exe | N/A |
| N/A | N/A | C:\Windows\System\vYbRskT.exe | N/A |
| N/A | N/A | C:\Windows\System\jTXhOjc.exe | N/A |
| N/A | N/A | C:\Windows\System\rhZLlrm.exe | N/A |
| N/A | N/A | C:\Windows\System\OiVNvFh.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\pBcFozo.exe
C:\Windows\System\pBcFozo.exe
C:\Windows\System\pejAGaK.exe
C:\Windows\System\pejAGaK.exe
C:\Windows\System\sQnLggh.exe
C:\Windows\System\sQnLggh.exe
C:\Windows\System\KNBuwDC.exe
C:\Windows\System\KNBuwDC.exe
C:\Windows\System\xYEhFcf.exe
C:\Windows\System\xYEhFcf.exe
C:\Windows\System\cuudpeR.exe
C:\Windows\System\cuudpeR.exe
C:\Windows\System\KssUXHo.exe
C:\Windows\System\KssUXHo.exe
C:\Windows\System\Lnrlcyn.exe
C:\Windows\System\Lnrlcyn.exe
C:\Windows\System\aeYsMzY.exe
C:\Windows\System\aeYsMzY.exe
C:\Windows\System\GakQuKf.exe
C:\Windows\System\GakQuKf.exe
C:\Windows\System\HupOEJI.exe
C:\Windows\System\HupOEJI.exe
C:\Windows\System\yfwVZbR.exe
C:\Windows\System\yfwVZbR.exe
C:\Windows\System\toLRptS.exe
C:\Windows\System\toLRptS.exe
C:\Windows\System\vYbRskT.exe
C:\Windows\System\vYbRskT.exe
C:\Windows\System\jaZbkpe.exe
C:\Windows\System\jaZbkpe.exe
C:\Windows\System\jTXhOjc.exe
C:\Windows\System\jTXhOjc.exe
C:\Windows\System\kLIuTHN.exe
C:\Windows\System\kLIuTHN.exe
C:\Windows\System\rhZLlrm.exe
C:\Windows\System\rhZLlrm.exe
C:\Windows\System\YkIknQD.exe
C:\Windows\System\YkIknQD.exe
C:\Windows\System\OiVNvFh.exe
C:\Windows\System\OiVNvFh.exe
C:\Windows\System\KHzrnIM.exe
C:\Windows\System\KHzrnIM.exe
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-07 01:47
Reported
2024-06-07 01:51
Platform
win10v2004-20240508-en
Max time kernel
145s
Max time network
148s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\pBcFozo.exe | N/A |
| N/A | N/A | C:\Windows\System\pejAGaK.exe | N/A |
| N/A | N/A | C:\Windows\System\sQnLggh.exe | N/A |
| N/A | N/A | C:\Windows\System\KNBuwDC.exe | N/A |
| N/A | N/A | C:\Windows\System\xYEhFcf.exe | N/A |
| N/A | N/A | C:\Windows\System\cuudpeR.exe | N/A |
| N/A | N/A | C:\Windows\System\KssUXHo.exe | N/A |
| N/A | N/A | C:\Windows\System\Lnrlcyn.exe | N/A |
| N/A | N/A | C:\Windows\System\GakQuKf.exe | N/A |
| N/A | N/A | C:\Windows\System\aeYsMzY.exe | N/A |
| N/A | N/A | C:\Windows\System\HupOEJI.exe | N/A |
| N/A | N/A | C:\Windows\System\yfwVZbR.exe | N/A |
| N/A | N/A | C:\Windows\System\toLRptS.exe | N/A |
| N/A | N/A | C:\Windows\System\vYbRskT.exe | N/A |
| N/A | N/A | C:\Windows\System\jaZbkpe.exe | N/A |
| N/A | N/A | C:\Windows\System\jTXhOjc.exe | N/A |
| N/A | N/A | C:\Windows\System\kLIuTHN.exe | N/A |
| N/A | N/A | C:\Windows\System\rhZLlrm.exe | N/A |
| N/A | N/A | C:\Windows\System\YkIknQD.exe | N/A |
| N/A | N/A | C:\Windows\System\OiVNvFh.exe | N/A |
| N/A | N/A | C:\Windows\System\KHzrnIM.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_9629ebd4c3799641329f3d9dcce524d7_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\pBcFozo.exe
C:\Windows\System\pBcFozo.exe
C:\Windows\System\pejAGaK.exe
C:\Windows\System\pejAGaK.exe
C:\Windows\System\sQnLggh.exe
C:\Windows\System\sQnLggh.exe
C:\Windows\System\KNBuwDC.exe
C:\Windows\System\KNBuwDC.exe
C:\Windows\System\xYEhFcf.exe
C:\Windows\System\xYEhFcf.exe
C:\Windows\System\cuudpeR.exe
C:\Windows\System\cuudpeR.exe
C:\Windows\System\KssUXHo.exe
C:\Windows\System\KssUXHo.exe
C:\Windows\System\Lnrlcyn.exe
C:\Windows\System\Lnrlcyn.exe
C:\Windows\System\aeYsMzY.exe
C:\Windows\System\aeYsMzY.exe
C:\Windows\System\GakQuKf.exe
C:\Windows\System\GakQuKf.exe
C:\Windows\System\HupOEJI.exe
C:\Windows\System\HupOEJI.exe
C:\Windows\System\yfwVZbR.exe
C:\Windows\System\yfwVZbR.exe
C:\Windows\System\toLRptS.exe
C:\Windows\System\toLRptS.exe
C:\Windows\System\vYbRskT.exe
C:\Windows\System\vYbRskT.exe
C:\Windows\System\jaZbkpe.exe
C:\Windows\System\jaZbkpe.exe
C:\Windows\System\jTXhOjc.exe
C:\Windows\System\jTXhOjc.exe
C:\Windows\System\kLIuTHN.exe
C:\Windows\System\kLIuTHN.exe
C:\Windows\System\rhZLlrm.exe
C:\Windows\System\rhZLlrm.exe
C:\Windows\System\YkIknQD.exe
C:\Windows\System\YkIknQD.exe
C:\Windows\System\OiVNvFh.exe
C:\Windows\System\OiVNvFh.exe
C:\Windows\System\KHzrnIM.exe
C:\Windows\System\KHzrnIM.exe
Network
Files
C:\Windows\System\vYbRskT.exe
| MD5 | 4b85f29ca8660cbc56b8ce79158b522d |
| SHA1 | 9e56eb0ad5c6034582ef98c40761a647269323d4 |
| SHA256 | d2fafe1098681c01e3b9c43bcf3a8dbfcc7430f745756a961d949cd09f706cce |
| SHA512 | d834246a508d1494295cae7742c65db0cdeaa041428502e4a771ff9946126407d11b4e9e7908267584c4218fb0d5011fc27f12c51e028710cfdbdacf17bac862 |
memory/4584-88-0x00007FF6D8290000-0x00007FF6D85E4000-memory.dmp
memory/448-87-0x00007FF7B27D0000-0x00007FF7B2B24000-memory.dmp
memory/2408-86-0x00007FF70CFF0000-0x00007FF70D344000-memory.dmp
memory/1136-81-0x00007FF7A82A0000-0x00007FF7A85F4000-memory.dmp
memory/756-80-0x00007FF7BD640000-0x00007FF7BD994000-memory.dmp
C:\Windows\System\yfwVZbR.exe
| MD5 | 98f208871c52ae60578ac7e13b438cbf |
| SHA1 | 057f87fb08aaf9a527b956a8ca1ae9c7915ac6b1 |
| SHA256 | a066aba08d3ac632c65aba757e963f657ccf7915b875a88d5bad4e8210b26b2a |
| SHA512 | 1f5f783d2f21d859fea4ed696562b1a5fbb8e3cb38e818f79897eaa3e7eb62d26f453b2e166f5d7f8b31b27b3de6ad35ea75cf308199ab7c9d57c23219c2cc0e |
C:\Windows\System\HupOEJI.exe
| MD5 | b5bc3a1113c117b8b9b43988ec039549 |
| SHA1 | eab0f7801e679d32d407c9d281e220d876af8b30 |
| SHA256 | fe296d1c788609c968848db668af99f1151ff3d51717153744bbc8bdb4fd8f75 |
| SHA512 | a24f8e2b89eee68c77f7c9ba8517026e06fef7dcc4cdc010612de3d77ef068788422072e3e5a158a7728a9c17a74a067c0fd03175de00c524d87735cc5d93c04 |
C:\Windows\System\aeYsMzY.exe
| MD5 | a324b2d7fecd648356bda65b799a6b4d |
| SHA1 | 23cb0e65d476c1bf07fc04897fc61f6153054e0f |
| SHA256 | 1b052ed4ccdfcb7fea92e9543d89a356eb34dc7e1ad38976152443f788741dfc |
| SHA512 | 19733413b96b128797ffd8634f6fbb5ea999083ec6215e7466c25895b5ed007404fa971df141f262531923ba922854256bd36637ee70cd7bb71220e091775871 |
C:\Windows\System\GakQuKf.exe
| MD5 | b7ae8586c7c3ca8017843e24dcdd5840 |
| SHA1 | f14325444837f22c447597c61d14f41dc333d608 |
| SHA256 | 393065f03389936526f6684094df6aeac11b27164ae192ad92e68943597f8da7 |
| SHA512 | f26911be8a3a10d82f3c21125ac74b4b8f10d6087caca3452fe4dea1c30c12a143757e8a317bea814a07a96ee8f8025b5c002fdd1c3f2e044a2e4d9ee847dc2e |
memory/764-57-0x00007FF64DC30000-0x00007FF64DF84000-memory.dmp
memory/968-49-0x00007FF761CC0000-0x00007FF762014000-memory.dmp
memory/1340-40-0x00007FF78B610000-0x00007FF78B964000-memory.dmp
memory/1452-37-0x00007FF7CCF10000-0x00007FF7CD264000-memory.dmp
C:\Windows\System\jaZbkpe.exe
| MD5 | 77f2b54b52c95fd8ff636efe585b2dae |
| SHA1 | 1ff3b41e4ac582bb68c94ae61a86b9c505342f1f |
| SHA256 | 7ac327ae5348e0e0a0d174fe0798bfa1e88cb1e7c71f3f914780cb86777a210b |
| SHA512 | 5a9d94b616833fc700ba46df23cf912c790a7b418f6e13767276c0553c29e43740d2dfd40d32ea192b1fcba5c0cfc05ce70c59cd877282c643062c0bef690f2f |
C:\Windows\System\rhZLlrm.exe
| MD5 | 514212617b306b179fddbec0f2e871ce |
| SHA1 | db33c9cfce662f9a5c92fc9a4c5606cae816fa00 |
| SHA256 | e35bcbf45215a83f0aff789346075978e1d045ee1e7597a327ee45d3f34b9c4d |
| SHA512 | afae7a35641041b425471a489fedfe2f0e7349e91868606282e277830dd18da7ed767e51fad638f422134f1e3b366bdcc6240ac7e161681244760484a1e0f684 |
C:\Windows\System\YkIknQD.exe
| MD5 | 5d6762e701c398fd5c356b9a98705537 |
| SHA1 | 5e1bdfc55cd1f2ca59355515cad5a966cdee1e7a |
| SHA256 | 90d3c1aaaec600759715a54a28c68bb9e55f3517b04b6f2e9c9e068427399397 |
| SHA512 | 42cf279bee0d6d2f807cef8732116cd34c18380de7d50f50ca04b921000e4f12647a5e959161b2cab2eef46efc0ae3c5fb906ebda7d781bfcd0a0cbed19ac9b9 |
C:\Windows\System\YkIknQD.exe
| MD5 | f6cdfb3d88537b367792cbd894bd98ed |
| SHA1 | 3d3f99c94c72c456dffcf949bc5d30603a7e936c |
| SHA256 | 05dd3d926d8f7a6b3411e38a31ef4f8229eb7d780b830e3fca3bbab5124eef86 |
| SHA512 | 0da483abd45f0fc31271e46184ea3a074b58fa3e0dc6bb0072318eee13b5c0ffc1280f1aa582bb4e78cf8a2c355408182d9725282b3a73e6e2dadc9f4f43faa3 |
C:\Windows\System\OiVNvFh.exe
| MD5 | aa7276424b22bd506d9e49f4a1f004dc |
| SHA1 | b267f48e25b143c6b59251672b605d92190682d3 |
| SHA256 | b740bbd030b332b83bc971b28be45ab32870142be670aa0d606db95797b184a6 |
| SHA512 | 128566ed56abcc6caa761e208215cc4ccc4ea3668dfe94ea669cf41cf0fe442b07819430baded1978cef448ea4b4887162beef47135338f7fe7f9a0820fae472 |
memory/5076-126-0x00007FF726550000-0x00007FF7268A4000-memory.dmp
memory/2368-131-0x00007FF650C40000-0x00007FF650F94000-memory.dmp
memory/4976-130-0x00007FF680150000-0x00007FF6804A4000-memory.dmp
C:\Windows\System\KHzrnIM.exe
| MD5 | dd5b8c5921966d6fa586f9ddbd460a88 |
| SHA1 | abaa7d99db91b82d6658f62a7c92030cbb5883fa |
| SHA256 | 9f70391f601068632cc989f0ae1c6c6e6d7691608828fb0afef5c4d9e8d2283d |
| SHA512 | edc06bc74d861514aa6e6eadc83149d843bad1a9358bcf750d07cad0d7ffa71d977ecd8a1e098e27be066f74310de29c592b32324b68653b0afb1df70fb813bc |
memory/4784-125-0x00007FF7E2E60000-0x00007FF7E31B4000-memory.dmp
memory/3540-119-0x00007FF650030000-0x00007FF650384000-memory.dmp
memory/4816-114-0x00007FF71A310000-0x00007FF71A664000-memory.dmp
C:\Windows\System\jTXhOjc.exe
| MD5 | 9eba0dd7f139129ca693c1320143b19a |
| SHA1 | aceb77914d12f5352ed148355a1890b4a77e1254 |
| SHA256 | ac0aca614ee48804b2967ae66b60fe6533545c6b067b1aa54ff416b4dfd28c53 |
| SHA512 | b2e8aca9a74525f08703713e3ee0c85b81f9853a2ae0a9a98dc4de1d50f501289937f8832a3b5736e3728311ba0779f547e3b5f24c8c5783d671d3f012cf8ec8 |
C:\Windows\System\kLIuTHN.exe
| MD5 | f44fd02b30dea5e263ee5ac6cc65442e |
| SHA1 | d6c6a43a055a27fe2e7f461ff2e7e9fc6ed56ae0 |
| SHA256 | 3bb508d0f77ecb18a62432dfe522235eab6a74952ff03998d656eba7e523e065 |
| SHA512 | 6cbee548ab004dda8e23b0b8c7cb378ce150f22a60d872a24694b354a11f3d32c453032e7e3eb29b30fcd3baf4597063db98594257983089b53f91d245906b1b |
memory/2776-102-0x00007FF7E2E40000-0x00007FF7E3194000-memory.dmp
C:\Windows\System\jaZbkpe.exe
| MD5 | 984a8cf637fc9f46a5be1646493a183b |
| SHA1 | eff3045fcb5d0b4a9321004fdd3e94f3f336f5af |
| SHA256 | 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068 |
| SHA512 | f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d |
memory/5004-97-0x00007FF65A0F0000-0x00007FF65A444000-memory.dmp
memory/1228-94-0x00007FF690020000-0x00007FF690374000-memory.dmp
memory/968-132-0x00007FF761CC0000-0x00007FF762014000-memory.dmp
memory/3960-133-0x00007FF6B51B0000-0x00007FF6B5504000-memory.dmp
memory/3796-134-0x00007FF6ACDF0000-0x00007FF6AD144000-memory.dmp
memory/2312-135-0x00007FF6969A0000-0x00007FF696CF4000-memory.dmp
memory/4816-137-0x00007FF71A310000-0x00007FF71A664000-memory.dmp
memory/5004-136-0x00007FF65A0F0000-0x00007FF65A444000-memory.dmp
memory/756-138-0x00007FF7BD640000-0x00007FF7BD994000-memory.dmp
memory/1228-139-0x00007FF690020000-0x00007FF690374000-memory.dmp
memory/3476-141-0x00007FF60B190000-0x00007FF60B4E4000-memory.dmp
memory/1452-142-0x00007FF7CCF10000-0x00007FF7CD264000-memory.dmp
memory/2776-140-0x00007FF7E2E40000-0x00007FF7E3194000-memory.dmp
memory/1340-143-0x00007FF78B610000-0x00007FF78B964000-memory.dmp
memory/968-144-0x00007FF761CC0000-0x00007FF762014000-memory.dmp
memory/3796-145-0x00007FF6ACDF0000-0x00007FF6AD144000-memory.dmp
memory/3960-146-0x00007FF6B51B0000-0x00007FF6B5504000-memory.dmp
memory/1136-148-0x00007FF7A82A0000-0x00007FF7A85F4000-memory.dmp
memory/2408-149-0x00007FF70CFF0000-0x00007FF70D344000-memory.dmp
memory/2312-147-0x00007FF6969A0000-0x00007FF696CF4000-memory.dmp
memory/4584-151-0x00007FF6D8290000-0x00007FF6D85E4000-memory.dmp
memory/448-150-0x00007FF7B27D0000-0x00007FF7B2B24000-memory.dmp
memory/5004-152-0x00007FF65A0F0000-0x00007FF65A444000-memory.dmp
memory/4816-154-0x00007FF71A310000-0x00007FF71A664000-memory.dmp
memory/4784-155-0x00007FF7E2E60000-0x00007FF7E31B4000-memory.dmp
memory/3540-153-0x00007FF650030000-0x00007FF650384000-memory.dmp
memory/5076-156-0x00007FF726550000-0x00007FF7268A4000-memory.dmp
memory/2368-158-0x00007FF650C40000-0x00007FF650F94000-memory.dmp
memory/4976-157-0x00007FF680150000-0x00007FF6804A4000-memory.dmp