Analysis Overview
SHA256
f46f94f88649139805ddbefd1fb1fe21f1a57d9c49e64d5f1a3d093262151d72
Threat Level: Known bad
The file 2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Detects Reflective DLL injection artifacts
Xmrig family
UPX dump on OEP (original entry point)
Cobaltstrike
xmrig
Cobalt Strike reflective loader
XMRig Miner payload
UPX dump on OEP (original entry point)
Detects Reflective DLL injection artifacts
UPX packed file
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-07 01:33
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike family
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xmrig family
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-07 01:32
Reported
2024-06-07 01:35
Platform
win7-20240221-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Cobalt Strike reflective loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\AxEHrDS.exe | N/A |
| N/A | N/A | C:\Windows\System\huITLBA.exe | N/A |
| N/A | N/A | C:\Windows\System\wCyNZFR.exe | N/A |
| N/A | N/A | C:\Windows\System\watqKHK.exe | N/A |
| N/A | N/A | C:\Windows\System\gCNIVJw.exe | N/A |
| N/A | N/A | C:\Windows\System\tEUiHEb.exe | N/A |
| N/A | N/A | C:\Windows\System\QVAtAqh.exe | N/A |
| N/A | N/A | C:\Windows\System\ZTroHHb.exe | N/A |
| N/A | N/A | C:\Windows\System\REyxMGV.exe | N/A |
| N/A | N/A | C:\Windows\System\UgBMrXT.exe | N/A |
| N/A | N/A | C:\Windows\System\dPtRfHI.exe | N/A |
| N/A | N/A | C:\Windows\System\ATWejPI.exe | N/A |
| N/A | N/A | C:\Windows\System\JKeGUUC.exe | N/A |
| N/A | N/A | C:\Windows\System\NiAPHNt.exe | N/A |
| N/A | N/A | C:\Windows\System\zwElSMx.exe | N/A |
| N/A | N/A | C:\Windows\System\oUqyfHP.exe | N/A |
| N/A | N/A | C:\Windows\System\COHydri.exe | N/A |
| N/A | N/A | C:\Windows\System\wBLvgrw.exe | N/A |
| N/A | N/A | C:\Windows\System\mSGcvNs.exe | N/A |
| N/A | N/A | C:\Windows\System\tHwAFJm.exe | N/A |
| N/A | N/A | C:\Windows\System\knnyXHh.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\AxEHrDS.exe
C:\Windows\System\AxEHrDS.exe
C:\Windows\System\huITLBA.exe
C:\Windows\System\huITLBA.exe
C:\Windows\System\wCyNZFR.exe
C:\Windows\System\wCyNZFR.exe
C:\Windows\System\gCNIVJw.exe
C:\Windows\System\gCNIVJw.exe
C:\Windows\System\watqKHK.exe
C:\Windows\System\watqKHK.exe
C:\Windows\System\tEUiHEb.exe
C:\Windows\System\tEUiHEb.exe
C:\Windows\System\QVAtAqh.exe
C:\Windows\System\QVAtAqh.exe
C:\Windows\System\ZTroHHb.exe
C:\Windows\System\ZTroHHb.exe
C:\Windows\System\REyxMGV.exe
C:\Windows\System\REyxMGV.exe
C:\Windows\System\UgBMrXT.exe
C:\Windows\System\UgBMrXT.exe
C:\Windows\System\dPtRfHI.exe
C:\Windows\System\dPtRfHI.exe
C:\Windows\System\ATWejPI.exe
C:\Windows\System\ATWejPI.exe
C:\Windows\System\JKeGUUC.exe
C:\Windows\System\JKeGUUC.exe
C:\Windows\System\NiAPHNt.exe
C:\Windows\System\NiAPHNt.exe
C:\Windows\System\zwElSMx.exe
C:\Windows\System\zwElSMx.exe
C:\Windows\System\oUqyfHP.exe
C:\Windows\System\oUqyfHP.exe
C:\Windows\System\COHydri.exe
C:\Windows\System\COHydri.exe
C:\Windows\System\wBLvgrw.exe
C:\Windows\System\wBLvgrw.exe
C:\Windows\System\mSGcvNs.exe
C:\Windows\System\mSGcvNs.exe
C:\Windows\System\tHwAFJm.exe
C:\Windows\System\tHwAFJm.exe
C:\Windows\System\knnyXHh.exe
C:\Windows\System\knnyXHh.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2016-0-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
memory/2016-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\AxEHrDS.exe
| MD5 | 1e2fa26a0bdb80c9f51db7f223b1d934 |
| SHA1 | b24928cf63ed334707dd03329a92fb1c516a7d08 |
| SHA256 | 82406e12deac8d9b42bc6d21b7e1286ac90761d01e5a0532b59e91d85678f5cf |
| SHA512 | 56c4b19417e417efbcfd458823cac8b1443d6d75ed8eb1f64899af3c10ea93285946af3e4c3b92549c41f2781a0fa6607bf826e339174ea9bf03a5a5dbe4d65c |
\Windows\system\huITLBA.exe
| MD5 | b282207d94a4bfe78b80ce9bab86f40b |
| SHA1 | d52c5a6a8200e5dc04e94904ec4c618b41bfa6b9 |
| SHA256 | a4e5841ee20393217580204a858570f47c2f89857c032c83a47660a57b950228 |
| SHA512 | c6d7f002d3500225ac635fc05b1d651449ca57c32347170da2f4e65d7aabb537c0ad77db76a7f14c8db72f6e71c6d7e04d54ee723b3e78a0f9272a57e9a66006 |
memory/2016-6-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/1532-15-0x000000013F090000-0x000000013F3E4000-memory.dmp
C:\Windows\system\wCyNZFR.exe
| MD5 | 1cf5151ba8f728f3872f83a75207b136 |
| SHA1 | ced2423cc6d032d93a1fd4ced600547698410cfe |
| SHA256 | 316f988345a7b5675b0d84d3c397f610bb20b3b852ec0a87fd8bc9272a0d7be5 |
| SHA512 | a7699232d204949aa41553aad4e2079da92b76461fff3df38f3151bec9e5067696df7a01036d487414ef1238784f3061e4e89ab1381ca24c72818c6808e2760e |
memory/2016-23-0x0000000002420000-0x0000000002774000-memory.dmp
C:\Windows\system\tEUiHEb.exe
| MD5 | 8eae66ff6eb8f3b2c19e77ec55a5bcc2 |
| SHA1 | 1c083e5de90581022a39684bc059628e2f8fd661 |
| SHA256 | 21182fdc945ba77cd4cdbc6f0ba3dea29c385632d50d78db488583cb9c4de0e9 |
| SHA512 | e410d97c9e46e963bbf4669e951c153dc81082655d612f697c9ac0e699b62712b211c10b93a50e10380cdc9a7d2424de6931345490f14aa690b71f99c50ec9b6 |
memory/2592-40-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/2584-39-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2016-45-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2016-54-0x0000000002420000-0x0000000002774000-memory.dmp
memory/2824-55-0x000000013F810000-0x000000013FB64000-memory.dmp
C:\Windows\system\REyxMGV.exe
| MD5 | 3f0d8010a2fd12896ede491b3c442c1c |
| SHA1 | 293a36b531ddd1e7ec6692dfeb27040ecc7efb9b |
| SHA256 | 9a4fccc778f22b3af6337b6afe9e432269906d2dbcaf0dec232412f6f3c8bfa8 |
| SHA512 | b0b22b36b635c9729788352f1f00fdedd52f5cbd43bf16c0436293aad5cd819fdd1db6d9f90ee5fdcc17fd9c3b1c404f1f6fd07aa5c31363acb91bc8890378a8 |
memory/2480-62-0x000000013F140000-0x000000013F494000-memory.dmp
memory/1768-82-0x000000013F760000-0x000000013FAB4000-memory.dmp
C:\Windows\system\dPtRfHI.exe
| MD5 | c9ddb2738533bc3d53756adae66f7177 |
| SHA1 | e0c105e34f79f5da6a9c27ea17ecacdb4d590f27 |
| SHA256 | 82e28bad40d03a540cef9492b96f05b923c4d82c0f30307765295d581d44a15c |
| SHA512 | adc7f4c4287886ac83bb3272d93a366d1f89a06f35a5af60acfbcc7a40870187d3e0642dcfabb8af4e7bdab81ab1b9fc3884867a8a4e18d2c3eed83589da7502 |
memory/2032-102-0x000000013F6C0000-0x000000013FA14000-memory.dmp
C:\Windows\system\oUqyfHP.exe
| MD5 | ab1bb5c6d8831a39a6b8feac38d9b41d |
| SHA1 | f825c70db33925f5bdf26fc70ddf41d6e86c2869 |
| SHA256 | 706205d2dc1f1927a543c805ebf718d24f438b6378f0ca25bdc72edea6b107d6 |
| SHA512 | cc1d441726066637c524af945c4a0be45c229e45eec6bb7914011a7876cbaab8b87320929f5d3bbb6a7f9df2437510e609efd919b8728c00213da5c6a1cc86ae |
C:\Windows\system\wBLvgrw.exe
| MD5 | 9d775d51a510618cb995b6c88d08b05a |
| SHA1 | 227ebcb59ea1cbff34d40b1b06c54fd500bbcc43 |
| SHA256 | 1be2615186b4a367a8f8db0ffec2447da8df8dc4a4e546425be57f1ba4c5d062 |
| SHA512 | 93b898ad1fe778e06de68233b4916152913fff142641c838f5feb748398c3e0f0f6214498b87793e80597c8a81aadc74d1f8f57661947351e33165319167b407 |
C:\Windows\system\tHwAFJm.exe
| MD5 | 0f60ef2f8deda7139ed6127bd2b36b59 |
| SHA1 | 8acfe14ece63d2205606d5be74f35dca5a01524c |
| SHA256 | 9da6e7e2ef597a3b493894ccfcf133aa321fea7dfe3829efa31126e7033bc92b |
| SHA512 | 510a4455cf674e70c5ace338e841d17ceba0cc2dbd0143b734e37917deea032ab57ae0beaa818ffae264cafdc66ea6d0b20042ecda4aa5638ae83cee889b9ca9 |
\Windows\system\knnyXHh.exe
| MD5 | d6b0d405ef112ca8a6a8240adc18230a |
| SHA1 | 0a52951ca8e4803f314355b2b46a2b50c8d27d89 |
| SHA256 | 76d5cade0474365c8e5141da26e1684c16c6e9160f153d2a5987b40ec8f58e56 |
| SHA512 | f8e35957f41da78d7d03f3f377a8e4d6694ca0814ffd91ca54b07923fe2dc3eaf13e46b55e0b04026b156d40a1ff91620aa7bae33bc708b6530f95be6fe4edb6 |
C:\Windows\system\mSGcvNs.exe
| MD5 | 9ebbb3ac7ea27bb42f3f4c46b353d37c |
| SHA1 | 4c3a8bfd0b92f6ca75c906f6eb5328e2e601b63f |
| SHA256 | e19c90fef98642be1ad711cf21cc86bb5d318604019ea18be86f9689dc696ba0 |
| SHA512 | 006d08c45f80e2969688010aa0ed928b92d9311d48fc2c61cf02b020132833893ab3ab0285a3c660341144a333fd51a3681f0bcf28e2890ee236c6dba400ae0f |
C:\Windows\system\COHydri.exe
| MD5 | 38e1b7b0b9aa649f5c14f03127a6d132 |
| SHA1 | 3917ca36707cd2c4dba6b6926d34a14a7bb117b1 |
| SHA256 | ddb3f57945f3929208b2b32e9fb1bc992b84f62c9f6d825404b952bbb20eee72 |
| SHA512 | 47f8cf2986d63387cdc2751aeb8271afa2f9ce56ab0a21337ea9677985ff041ab00a0daf7ea6b9731948111f864f618de503be2edb6c7c0b58599566140c22a0 |
\Windows\system\COHydri.exe
| MD5 | a8020fde75bc781e29fe9163124e8892 |
| SHA1 | d4b0ae5ad2ce4c0ec3a5afa2d36b21249c6cfef7 |
| SHA256 | 62dedc723d589a17cb1b0769420311188d010af638323d4d7bf074019b57c1dd |
| SHA512 | 019d92ac7ecebf6d386da7837916780a7425e7838678cd773a19f5e6b3cc5d1f53da24dca8fdc8585007d7d3521062334b4178eb8b71ee7fea9b8ad607587408 |
memory/2852-140-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2016-108-0x0000000002420000-0x0000000002774000-memory.dmp
C:\Windows\system\zwElSMx.exe
| MD5 | 553c5b307d5e446477417dc73cb98d6a |
| SHA1 | 98df8869cd007195431c083e32c90f3bd40d44e2 |
| SHA256 | 007931fd2f35e7cca7666cc5a3a03cab80cf03b9ba9845861eb15ea0431f6683 |
| SHA512 | acfab804e321955a08e23408169333bbf38acf8efad50c4ef9c96eb24d551bf561fd03d309e3819041a30695977ec594b4732f3446ddb5819fdb769987061e1f |
memory/2016-101-0x0000000002420000-0x0000000002774000-memory.dmp
memory/2592-100-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/2584-99-0x000000013FE50000-0x00000001401A4000-memory.dmp
C:\Windows\system\NiAPHNt.exe
| MD5 | 356b0a8c98dc90cf3571a7c28beba034 |
| SHA1 | 4cbc5601053762f293e796ad327b4495ab9e3399 |
| SHA256 | 35cfdfcb9763028a62a5b86f555956c693f00205509486b4e0b605439dff1936 |
| SHA512 | fc8c7ddc3d486232de1187ea354682ad3431358c410f7b4148ca7e41589377a400eb0a188b89bfa814685be998ef91992440ffa625311c08d0439c6e2bda2e81 |
\Windows\system\NiAPHNt.exe
| MD5 | 984a8cf637fc9f46a5be1646493a183b |
| SHA1 | eff3045fcb5d0b4a9321004fdd3e94f3f336f5af |
| SHA256 | 0d4a824efda706db87b77805c320758f4772451fa0404efc091a4e3040c61068 |
| SHA512 | f10e98d33b97922d86b629662f92ca9b0747603db9cee26627e84885ca9797232c0f5349bf7b35b6812a24bc6e60bd825c6020365d2a762c823adc6158a78b7d |
memory/2932-93-0x000000013FB20000-0x000000013FE74000-memory.dmp
C:\Windows\system\JKeGUUC.exe
| MD5 | d087d60bee972482ba414dde57d94064 |
| SHA1 | 0e58102d75409e85387c950e86f4cc96da371515 |
| SHA256 | 1ee51685b7af314df3c8f01c4b39b91c739a420b0c8968c9cd986b716fd08dc9 |
| SHA512 | 500b3e00dc02005c17b03b8494021fddbab5916723a913433d6ef89aa2cf4e6e68fc4172636b2bd68c73de2d44f0d00b4e792d1f453e109ae727ef66e97b6e2b |
memory/2016-90-0x0000000002420000-0x0000000002774000-memory.dmp
memory/2824-141-0x000000013F810000-0x000000013FB64000-memory.dmp
memory/2652-89-0x000000013F180000-0x000000013F4D4000-memory.dmp
\Windows\system\JKeGUUC.exe
| MD5 | ab0ac1bfd008107af73d163b6b489f0a |
| SHA1 | 99f00f75f6bce227747ebc4fc683d04a4878e57a |
| SHA256 | af0916cc45844dc12decdf67b06d0b5d60e04a02b0a7ca3314b05167fed59af7 |
| SHA512 | 9975d86cbb71b0e6e036fd86393902701e296c051f97e1a455a55f240bf0afd8a538a95e1a5719ef212b62c28e2067d5a40ec92997cff292b2a5114cac100b5a |
memory/2016-77-0x0000000002420000-0x0000000002774000-memory.dmp
memory/2524-76-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/1532-75-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2000-74-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/2924-84-0x000000013FD90000-0x00000001400E4000-memory.dmp
memory/2016-83-0x000000013FD90000-0x00000001400E4000-memory.dmp
C:\Windows\system\ATWejPI.exe
| MD5 | 9aabda20e2264e96d4e96a461410906f |
| SHA1 | a9de12328554a35584637654d993c63e7f972d27 |
| SHA256 | 8656737a2dc4d59bcebb3b853e4c2062c6a18636cd18dd85aa7076184a20a689 |
| SHA512 | bacdda90a01cb85a9dc067e60f7e0524540febda7585dc88db3f9c7bb54ed68b46952749e0b50c4b3c393aee4af36d3e7f5c7c1058c73f09c94da39c1f0becb8 |
memory/2608-70-0x000000013FB40000-0x000000013FE94000-memory.dmp
C:\Windows\system\UgBMrXT.exe
| MD5 | 31736e5e406768d3f219895d09dcee72 |
| SHA1 | 33c8f0818c4ff58e50e4f6717304f39516c713bb |
| SHA256 | 22b0130beefcf21e8ed4d551cfe2ba2ba54437f7c32a8b147d9ae097c53f5fec |
| SHA512 | 7e04de2d560e7d3533103dfa523d60114285f6f4161caabf3059ab8cffaf1e06b908b393a398cf831916bd51563912e625df893e0e76dbd8a4165cc15a21dff7 |
memory/2016-61-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
memory/2852-49-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2480-142-0x000000013F140000-0x000000013F494000-memory.dmp
C:\Windows\system\QVAtAqh.exe
| MD5 | 91c5dd3401561ef107bb07080a4fdc3f |
| SHA1 | e3a939f3e75f851fd312db57e70f1378bdc5e3b3 |
| SHA256 | 5a71aaac83ec92de05d2c6a06ecfe60f32ed26f128b1a9ccd917a3313df67f38 |
| SHA512 | 26821f65b2d6b727d3fecf19f88be09f1d8a7d0cb98de9662976a4e253ec3baba98e5a7c12f6c3137e1cfb954163559eacc138ecc041a723ff9a07bca9cc9f11 |
C:\Windows\system\ZTroHHb.exe
| MD5 | 4bcb6d54b9cb8a7782feb41c56843c0f |
| SHA1 | a418946b9fd440df06c2e5092d2a8e5f30291ddb |
| SHA256 | 472b42d43fa35a92f12ef510533e136402936560ce7f1b2aeda383a54cae6b27 |
| SHA512 | 91654dd2d21ad47f67f86f8a271442b1864154356f47b7105a869394b01ff65a61c53235f8eb5f4de89b07e256dfa5cdf444233b65eba8d7b375ae1ccc191476 |
C:\Windows\system\gCNIVJw.exe
| MD5 | 451c1548c332fdde11e4cfa87c3f4546 |
| SHA1 | 66d5345d867f52c15ff763833bd91ba3ac74b931 |
| SHA256 | ee40af941783a41a79f80bf8e1ad0ea3fb92d2d6c8d26a681129cb8c814f80e6 |
| SHA512 | 137bd72cc2cb97d6289847d94f8203c5497dd1aca5a51d6e3a464b1f0c2735cb2e6f08a227d9797e910561a7755156eeeb8d32dca78af5b35656649c108c8574 |
memory/2016-36-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/2652-35-0x000000013F180000-0x000000013F4D4000-memory.dmp
C:\Windows\system\watqKHK.exe
| MD5 | 1272729b1eda1ce23d22b78d031e4212 |
| SHA1 | 41c07783cbca3bcfe6ced907f7e2fa0993631574 |
| SHA256 | 65b9e2315f61b70089062117547a434dfad65d1eef6100ebf5d636d12cccd55c |
| SHA512 | 31e1292c68c89d7b47484649b5d69abb564610087579f4c336890dc27b16e89c702f5b2e0c57bc30f8ab98554047332fcad08d04854d9e96086519f03079eb3b |
memory/2016-29-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2524-27-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2016-14-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2000-12-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/2016-143-0x0000000002420000-0x0000000002774000-memory.dmp
memory/1768-144-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2924-145-0x000000013FD90000-0x00000001400E4000-memory.dmp
memory/2932-146-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/2032-147-0x000000013F6C0000-0x000000013FA14000-memory.dmp
memory/2000-148-0x000000013F270000-0x000000013F5C4000-memory.dmp
memory/2524-149-0x000000013FBC0000-0x000000013FF14000-memory.dmp
memory/2652-150-0x000000013F180000-0x000000013F4D4000-memory.dmp
memory/1532-151-0x000000013F090000-0x000000013F3E4000-memory.dmp
memory/2852-154-0x000000013FEF0000-0x0000000140244000-memory.dmp
memory/2592-153-0x000000013F370000-0x000000013F6C4000-memory.dmp
memory/2824-155-0x000000013F810000-0x000000013FB64000-memory.dmp
memory/2584-152-0x000000013FE50000-0x00000001401A4000-memory.dmp
memory/2480-156-0x000000013F140000-0x000000013F494000-memory.dmp
memory/2608-157-0x000000013FB40000-0x000000013FE94000-memory.dmp
memory/2924-158-0x000000013FD90000-0x00000001400E4000-memory.dmp
memory/1768-159-0x000000013F760000-0x000000013FAB4000-memory.dmp
memory/2932-160-0x000000013FB20000-0x000000013FE74000-memory.dmp
memory/2032-161-0x000000013F6C0000-0x000000013FA14000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-07 01:32
Reported
2024-06-07 01:36
Platform
win10v2004-20240226-en
Max time kernel
153s
Max time network
167s
Command Line
Signatures
xmrig
UPX dump on OEP (original entry point)
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
XMRig Miner payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\xjypVYA.exe | N/A |
| N/A | N/A | C:\Windows\System\hXQyAWz.exe | N/A |
| N/A | N/A | C:\Windows\System\MamSpXd.exe | N/A |
| N/A | N/A | C:\Windows\System\DgPyPZb.exe | N/A |
| N/A | N/A | C:\Windows\System\BLkKKmW.exe | N/A |
| N/A | N/A | C:\Windows\System\AuKPpYK.exe | N/A |
| N/A | N/A | C:\Windows\System\sztkdEc.exe | N/A |
| N/A | N/A | C:\Windows\System\AKCMuzg.exe | N/A |
| N/A | N/A | C:\Windows\System\XpRwATS.exe | N/A |
| N/A | N/A | C:\Windows\System\uvURIqk.exe | N/A |
| N/A | N/A | C:\Windows\System\PZNcYgl.exe | N/A |
| N/A | N/A | C:\Windows\System\jXBDidm.exe | N/A |
| N/A | N/A | C:\Windows\System\lYsjqPm.exe | N/A |
| N/A | N/A | C:\Windows\System\FyvILwF.exe | N/A |
| N/A | N/A | C:\Windows\System\DzEVCqL.exe | N/A |
| N/A | N/A | C:\Windows\System\kPlYftQ.exe | N/A |
| N/A | N/A | C:\Windows\System\kFlAZWH.exe | N/A |
| N/A | N/A | C:\Windows\System\ePYZOUS.exe | N/A |
| N/A | N/A | C:\Windows\System\vGkCFFd.exe | N/A |
| N/A | N/A | C:\Windows\System\wVjfYQj.exe | N/A |
| N/A | N/A | C:\Windows\System\jDliCsO.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_8e35823e8117c85255225df826c30dc5_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\xjypVYA.exe
C:\Windows\System\xjypVYA.exe
C:\Windows\System\hXQyAWz.exe
C:\Windows\System\hXQyAWz.exe
C:\Windows\System\MamSpXd.exe
C:\Windows\System\MamSpXd.exe
C:\Windows\System\DgPyPZb.exe
C:\Windows\System\DgPyPZb.exe
C:\Windows\System\BLkKKmW.exe
C:\Windows\System\BLkKKmW.exe
C:\Windows\System\AuKPpYK.exe
C:\Windows\System\AuKPpYK.exe
C:\Windows\System\sztkdEc.exe
C:\Windows\System\sztkdEc.exe
C:\Windows\System\AKCMuzg.exe
C:\Windows\System\AKCMuzg.exe
C:\Windows\System\XpRwATS.exe
C:\Windows\System\XpRwATS.exe
C:\Windows\System\uvURIqk.exe
C:\Windows\System\uvURIqk.exe
C:\Windows\System\PZNcYgl.exe
C:\Windows\System\PZNcYgl.exe
C:\Windows\System\jXBDidm.exe
C:\Windows\System\jXBDidm.exe
C:\Windows\System\lYsjqPm.exe
C:\Windows\System\lYsjqPm.exe
C:\Windows\System\FyvILwF.exe
C:\Windows\System\FyvILwF.exe
C:\Windows\System\DzEVCqL.exe
C:\Windows\System\DzEVCqL.exe
C:\Windows\System\kPlYftQ.exe
C:\Windows\System\kPlYftQ.exe
C:\Windows\System\kFlAZWH.exe
C:\Windows\System\kFlAZWH.exe
C:\Windows\System\ePYZOUS.exe
C:\Windows\System\ePYZOUS.exe
C:\Windows\System\vGkCFFd.exe
C:\Windows\System\vGkCFFd.exe
C:\Windows\System\wVjfYQj.exe
C:\Windows\System\wVjfYQj.exe
C:\Windows\System\jDliCsO.exe
C:\Windows\System\jDliCsO.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3488 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 13.107.253.67:443 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 11.179.89.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.187.202:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 202.187.250.142.in-addr.arpa | udp |
Files
C:\Windows\System\xjypVYA.exe
| MD5 | 0628374c349921c969043e8b725a574d |
| SHA1 | d4d4b61d7abb11c25e423140f9a833a035819e3d |
| SHA256 | 6f83751bb7dc13a49d7ca6c6a874635ca4829b15e2d7e8a8c8ddaf2890ac09c0 |
| SHA512 | 2db578fa7a962b14aae5c857e6974664cd647108bf44f83523c1fc47be8f0f23756b21e5f42a2231cc51d1daf9889177945ad8eab23827274ef49200ad4dd7a1 |
C:\Windows\System\xjypVYA.exe
| MD5 | ffafad94c04d076c16e861ff07a4cb57 |
| SHA1 | c3501d64aef8c1b093200710a06e749c69db782a |
| SHA256 | 8937d79446003663139b48fb488b397b86db6056b10f97b4b51376a75074f295 |
| SHA512 | 64f6a6b1b0b877c82172b2c14c03c94dd8e19ddfeb29793c31f8e0d87bb2bb2fc63432b7cfddd5451417062117de8a69817c2cc596bd537558b9b01636a48700 |
C:\Windows\System\hXQyAWz.exe
| MD5 | 2543c4760bd9af7f70b7834411ab61af |
| SHA1 | ed963cb76a076b222f6cdae99e8563d4444f6351 |
| SHA256 | c5992c95fef0e281d0ce0d741b02048e13663a833b3e0a3351e4871cc0042001 |
| SHA512 | 37d8c491a184de94728c08add4a199f5cd8ae60d7cd02c39ad185a2859dd5e731e72c9b8cd0fd70525b0b413284ba12790037144a49d111203eb80cb9afcba56 |
C:\Windows\System\hXQyAWz.exe
| MD5 | fbb6a602f644dbf57142122f30692c9a |
| SHA1 | 8158aaa7168744874ea387599d6d2cead21e28a3 |
| SHA256 | 3ededef3bd2586830b0a8597cb8ce36b4909b0421f6d3ed699083dfd6f8c0a7d |
| SHA512 | 594ad340712d040831c50ecaffbc2dabd957ed3d1d45fbdcb2c0a001df0ecad88502ea7ae79d922d80e7ca9a296427129145281a618e70a75857e869e5c45bfe |
C:\Windows\System\MamSpXd.exe
| MD5 | 4ebd1901e669a14d40cee031fd206e82 |
| SHA1 | 48b4d9303ce77228a3ead5a9a71386291542a98f |
| SHA256 | 877be2224a2b649da5f78203ecb3453feb6fa6bbbc2d6c8d511c50eacb8915e1 |
| SHA512 | c4c64ecded98a2388cd280fbf03b1c4943ae108cca32936b19ec1dc9b1e2275f8c7fb5cb86b3ef39ae05d629ddb91ee9822452b1bc6582399603f35642ecf087 |
C:\Windows\System\BLkKKmW.exe
| MD5 | c665d55523745ebd550a2c4296ad8ec9 |
| SHA1 | 43f72a8e93454ded742dbec7a7c84f59cb0d6520 |
| SHA256 | 4ce197747d9fbeeec8496c26db012627d7ce7e6aa1a732a7c731d6ef8431204b |
| SHA512 | 57b316ce017c765c9f224c8ed85aafffadf3e3509d0b9d8b28c09b7a506bf84dd5216ab3d5048ad1f637628cef7585aca82701224766df2dd48aff33618c1454 |
C:\Windows\System\BLkKKmW.exe
| MD5 | 8003c8ca1c6255c4a9df50b61d369786 |
| SHA1 | ef521c59d5519424152618453d9a1ec413a267cf |
| SHA256 | caa068826195e26df36f4f536e4c6574635de1b7a9a02c85ee8ca5d8d8224bf8 |
| SHA512 | 0384a1e885e5629a148689a8b4027e18c5b2d083fe94b00bac0956a112bba29ab292c390c9a09436cf2e74109a83853e787b70a1e1be9d9ef015a376f3eba795 |
C:\Windows\System\sztkdEc.exe
| MD5 | 3ee04f109da47a1ec064d84e674f1c93 |
| SHA1 | 644e873cc5a86065097d9d560d0304443e10d64c |
| SHA256 | 47d2b26167d01487e92054b74706d3bb25cfa0aef4e9803e369f3581631dce9f |
| SHA512 | 9c1889d4f1db6f15c9ccdb0cc3595e9e8bef5c6661b045295c1ca732b72cf3d8471e82ed02a643342a0e821733243b7d4452a48031e235b596a8367158163fa4 |
C:\Windows\System\AKCMuzg.exe
| MD5 | 3c4936ba91eaa69f7fdbfccc9b857022 |
| SHA1 | d97c8ba6655ec64594f86192c6bdb9c832040c3a |
| SHA256 | f647e481490f98c412386808e010fe7c22bcbe8d3cebe4c6aae38fd2d6003c10 |
| SHA512 | 327dd607eb26134ae7933735d6de926b79e86a7c2a97c4f64919c1cdded613dd5e13b9c7b209f5d7e94d70772d16c0aa412b8bf1f7d9435384a504f194d13cc9 |
C:\Windows\System\XpRwATS.exe
| MD5 | aa84df2aa4d3e405cfa711ea45f76832 |
| SHA1 | f9d4c6b07df318263e7c10c93fe5aee7c1ed449f |
| SHA256 | 35f254698cefc343a5afa8e1f4afbd2f4e15c9dea7be1bc9d3cdc9a25b594ef4 |
| SHA512 | 40f8b842b8711e2a819c83c44eea2c12af01ba9972546d0cb7e21121b875f8bed7da028e78b61c94b16de95a951cf536d7b2db14fba809cc0242849570fa0f9d |
C:\Windows\System\XpRwATS.exe
| MD5 | 711965c0ed770375b388ea9b5ea57c70 |
| SHA1 | 21f7ffc0c96b29ee6bc8176dc97f6fd049d110a2 |
| SHA256 | c07d701eb04ab4f8699484a3bd23da869373ffe5abb89855dad47bf019625666 |
| SHA512 | 1805d8628649a043140bc3aafe1e7909e2e2c4d13967ba772fc49046b58f359c9204953c678c902e0a7afe7ca922f35fcfea6266309db91efb45c72ff619c428 |
C:\Windows\System\FyvILwF.exe
| MD5 | 27f1ae58c0e7ea96c463a8f0329d13e3 |
| SHA1 | a5352f33f2a7ec676e07aa36bd587f2a910b1502 |
| SHA256 | 570ef729e78067f9e824a09ee84a0b44c24671dfe07947eaca970f453f235334 |
| SHA512 | 51c2e61154a9cf7b8c51728bee23d084e40467a64fc74544ed07917de5c42cd2c4f093dc4dba57e475be140334b7f9d2f8c2784d353f9bec4fe5fc6098f5ad70 |
C:\Windows\System\DzEVCqL.exe
| MD5 | ca2c8fc23ac2c4dd58545d16927e5bef |
| SHA1 | b94b35150eb75787af3ce6aea401e04f2ec70fc4 |
| SHA256 | 51b2f421412d1c153d42b830056e97b87fc530680dc92b4e38ffc670147a2fef |
| SHA512 | 1d2438ad0849ebaa3adb73c2fd279bcc7d191070217788022edef321689dfafee2b67a7644710d778788f25a062e16a16f37020f5aabaf59a89fd5b4e304a9ce |
C:\Windows\System\DzEVCqL.exe
| MD5 | 0642442db4acbbfb6037e06789624264 |
| SHA1 | 923aee440a6887c7a7a8a78085aa492b2cdcee65 |
| SHA256 | 5d6249e3d37c32c515e6f20e0771180c7b51c791102dfffe39e4510d623eda85 |
| SHA512 | 7fc8231c299b64743a966130c519362217b11d421c0ccc65ca7c97570221449b6e5bd90caefa97b416470db36fac07c3f48ea41836b395ab190e6121598e88a1 |
C:\Windows\System\kFlAZWH.exe
| MD5 | 0b1dc771469fa6753e7aace834956918 |
| SHA1 | ab392eb1cb5fc16a55a2c41b7c5a6d56cfdeced7 |
| SHA256 | 60a5948084400707991c40b4413636168d0f0501efbc67fab461d4937de55fb6 |
| SHA512 | 6ff29d03eaaae06a15e3efe1ea402940d3f7a6e2ebae2266481a1a80576dd91702b1cbddedd5f74c67cdfdf217582f180323fa66c29c2525747039f60c34ba60 |
C:\Windows\System\ePYZOUS.exe
| MD5 | 7ce4ba1725e83a50f64ba525f8815dcf |
| SHA1 | b1714a2d23cfc42c18c37e1546ac0908d8252c04 |
| SHA256 | 9f7e171000696500dfb6a966f2c3ddf12dc1a77b8276ef660f14f7b7188d2908 |
| SHA512 | 2dff777f276295d96892e5749316e2e8892ba50f8398f9972ecc2f6e5378213e3cdd31c7c6ab8360d3490d1ec9e77be4e73ac137e108b2eddff2feaaf600be19 |