Analysis Overview
SHA256
8ac8284327f888240ceea0fdc99a712f94a6f11b9cac8e60eff78799705fc23c
Threat Level: Known bad
The file 2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Cobaltstrike family
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
Xmrig family
XMRig Miner payload
UPX packed file
UPX dump on OEP (original entry point)
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-07 02:14
Signatures
Cobalt Strike reflective loader
(1 match; Description, Indicator, Process and Target not recorded in the report)
Cobaltstrike family
Detects Reflective DLL injection artifacts
(1 match; Description, Indicator, Process and Target not recorded in the report)
UPX dump on OEP (original entry point)
(1 match; Description, Indicator, Process and Target not recorded in the report)
XMRig Miner payload
(1 match; Description, Indicator, Process and Target not recorded in the report)
Xmrig family
UPX packed file
(1 match; Description, Indicator, Process and Target not recorded in the report)
Unsigned PE
(1 match; Description, Indicator, Process and Target not recorded in the report)
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-07 02:14
Reported
2024-06-07 02:17
Platform
win7-20240419-en
Max time kernel
134s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
(21 matches; Description, Indicator, Process and Target not recorded in the report)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
(21 matches; Description, Indicator, Process and Target not recorded in the report)
UPX dump on OEP (original entry point)
(47 matches; Description, Indicator, Process and Target not recorded in the report)
XMRig Miner payload
(48 matches; Description, Indicator, Process and Target not recorded in the report)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\gwkfyIX.exe | N/A |
| N/A | N/A | C:\Windows\System\eWdYlck.exe | N/A |
| N/A | N/A | C:\Windows\System\rRrCwOc.exe | N/A |
| N/A | N/A | C:\Windows\System\bcPscmw.exe | N/A |
| N/A | N/A | C:\Windows\System\ZvWkFKz.exe | N/A |
| N/A | N/A | C:\Windows\System\WgchHzx.exe | N/A |
| N/A | N/A | C:\Windows\System\UXOBgKQ.exe | N/A |
| N/A | N/A | C:\Windows\System\TdMWKIo.exe | N/A |
| N/A | N/A | C:\Windows\System\TCGAhCs.exe | N/A |
| N/A | N/A | C:\Windows\System\JSKbIFg.exe | N/A |
| N/A | N/A | C:\Windows\System\EOyzXcJ.exe | N/A |
| N/A | N/A | C:\Windows\System\DUmYMRW.exe | N/A |
| N/A | N/A | C:\Windows\System\lRGJBHz.exe | N/A |
| N/A | N/A | C:\Windows\System\avJvisO.exe | N/A |
| N/A | N/A | C:\Windows\System\mylcZeG.exe | N/A |
| N/A | N/A | C:\Windows\System\QHlpmFJ.exe | N/A |
| N/A | N/A | C:\Windows\System\cHROgXV.exe | N/A |
| N/A | N/A | C:\Windows\System\YZxnvfh.exe | N/A |
| N/A | N/A | C:\Windows\System\ohQmimU.exe | N/A |
| N/A | N/A | C:\Windows\System\ncHarem.exe | N/A |
| N/A | N/A | C:\Windows\System\SWYGisA.exe | N/A |
Loads dropped DLL
UPX packed file
(48 matches; Description, Indicator, Process and Target not recorded in the report)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\gwkfyIX.exe
C:\Windows\System\gwkfyIX.exe
C:\Windows\System\eWdYlck.exe
C:\Windows\System\eWdYlck.exe
C:\Windows\System\rRrCwOc.exe
C:\Windows\System\rRrCwOc.exe
C:\Windows\System\bcPscmw.exe
C:\Windows\System\bcPscmw.exe
C:\Windows\System\ZvWkFKz.exe
C:\Windows\System\ZvWkFKz.exe
C:\Windows\System\WgchHzx.exe
C:\Windows\System\WgchHzx.exe
C:\Windows\System\UXOBgKQ.exe
C:\Windows\System\UXOBgKQ.exe
C:\Windows\System\TdMWKIo.exe
C:\Windows\System\TdMWKIo.exe
C:\Windows\System\avJvisO.exe
C:\Windows\System\avJvisO.exe
C:\Windows\System\TCGAhCs.exe
C:\Windows\System\TCGAhCs.exe
C:\Windows\System\mylcZeG.exe
C:\Windows\System\mylcZeG.exe
C:\Windows\System\JSKbIFg.exe
C:\Windows\System\JSKbIFg.exe
C:\Windows\System\QHlpmFJ.exe
C:\Windows\System\QHlpmFJ.exe
C:\Windows\System\EOyzXcJ.exe
C:\Windows\System\EOyzXcJ.exe
C:\Windows\System\YZxnvfh.exe
C:\Windows\System\YZxnvfh.exe
C:\Windows\System\DUmYMRW.exe
C:\Windows\System\DUmYMRW.exe
C:\Windows\System\ohQmimU.exe
C:\Windows\System\ohQmimU.exe
C:\Windows\System\lRGJBHz.exe
C:\Windows\System\lRGJBHz.exe
C:\Windows\System\ncHarem.exe
C:\Windows\System\ncHarem.exe
C:\Windows\System\cHROgXV.exe
C:\Windows\System\cHROgXV.exe
C:\Windows\System\SWYGisA.exe
C:\Windows\System\SWYGisA.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Files
memory/2100-0-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/2100-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\gwkfyIX.exe
| MD5 | f4711f1aa8a0d8585a9b76ca54211a1f |
| SHA1 | 81905097b1cb32a0a371ce46f760b59a1f9ffd52 |
| SHA256 | b7c0d95fe4f41991d24014f2b2b5b5c66b64c646e7bce141fda667cebcaa10d1 |
| SHA512 | 483c24a30770d22047bb3e9abdd4215133283a360a22d0585c59190e93f6b538a9a3d9bd82fd8ba0b2427fac7eaa66861d90d142db58a2a12994c460969a7fe9 |
C:\Windows\system\eWdYlck.exe
| MD5 | fb93b6951f4bd763c13942d38c5cb5a2 |
| SHA1 | 4eeb2a90dd49fbebcfa0d577cc886d6c6875d018 |
| SHA256 | 08364b9e2b8a4ad2b206ecad0c657f63dab46b5e4a41e8da0de9f7c9cdaa4edc |
| SHA512 | bc6df6eede3d1d41265f4987dd60001ee3724cfb341e39a80658f172023227b5f53884f67cc2c72ea3c9c5d763d28eb06ff5f32b9a884cd3c269688362724a1b |
memory/2100-10-0x000000013FFB0000-0x0000000140304000-memory.dmp
C:\Windows\system\bcPscmw.exe
| MD5 | 9c2e235bee5fea01b034d6a1011ebdde |
| SHA1 | d560c06b99d88d8435ee8d27471fe1af1a1b175e |
| SHA256 | 8c53287aea13f20bc0064a44bf26ba6c643d0d0f52e1e481cbe1a451cacf4dcc |
| SHA512 | 4d6b3371d3e1ed35231025dfabd603ce593982d5c9378bb80d733edf4347b9e1c7da90cb3a3e667b7c600ee5b551c83561a74a9f4374d4d3960c06af9a3e8533 |
memory/2956-30-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2904-29-0x000000013FB10000-0x000000013FE64000-memory.dmp
memory/2100-27-0x000000013F0F0000-0x000000013F444000-memory.dmp
C:\Windows\system\ZvWkFKz.exe
| MD5 | 1f120c960f2affbbde43d9ecf7d65c32 |
| SHA1 | 628a98241c18ba9eebedcae5eca2dd569acad288 |
| SHA256 | 78e93df1a1fab1fa79387e1506782c8866e23988ae8f24761d8716cd0ac1ec34 |
| SHA512 | e44cddabeffebe9681a3756b7f4a67e49a77c3fbdf3cc7e20e798b08bb29026bf041dde29daaa92c266acad28d536b653ed4ae05f3cc742802897db6f79b559e |
memory/2624-36-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/2100-35-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2840-25-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/2100-21-0x0000000002320000-0x0000000002674000-memory.dmp
C:\Windows\system\rRrCwOc.exe
| MD5 | 8c99e7e7dfd85a01db10c6ece0504fc6 |
| SHA1 | 6d1230fb870d8d165ef43c0ef640802d8041c89e |
| SHA256 | 45cdbef961ab83176ce1c80a2b9762df5c0832f52aa0bf8540012f9fd9f4d602 |
| SHA512 | b214d5644f3b115f6983146cb8574bdebfc28b32ea38bed7e095c246e5da5249013ee6f0f0285bbbab93aa62d9118dcb7bf1fee8ad8af0537f2496745fde0c2c |
memory/2100-18-0x0000000002320000-0x0000000002674000-memory.dmp
memory/1676-15-0x000000013FFB0000-0x0000000140304000-memory.dmp
C:\Windows\system\WgchHzx.exe
| MD5 | aa1b9bdb89973da31ab225ab77b258ee |
| SHA1 | 6f8ca40a6cbc804d483c06144420452149b427b3 |
| SHA256 | 558a19e0fc3814dd9877fbd9d5bd4df13515d4be5dd089e350a51fd5fcff7c91 |
| SHA512 | 8c86600e39567ddfdfb3aa8444136175703f3f439c1c06cf5b5058c0e5c81245c8602fbcdf4d3cfcfd81720e80a28e9b85cb4f1a31b7a49ebf5b25cd95e8dcd7 |
\Windows\system\TCGAhCs.exe
| MD5 | 3564319bfe597b1f16a90ee1e8404dac |
| SHA1 | b72555c56d356761be946ec9cf42670a7da8cb6a |
| SHA256 | 3f8dfe045644a8cd438e201467793d2a52e9ea65ec0236a6733122a2e1c97b47 |
| SHA512 | 7850b931d572534275813296c20e0420105a47158770f93f1791b8b03063d1301d894de2345b94539139497edd92d09460d40d4da480cb2a15b5c3dac82ad6bd |
\Windows\system\lRGJBHz.exe
| MD5 | 61aa63c7817bb605cc1505199b9fdb51 |
| SHA1 | 35bf3067ff2750f7a9fcfaa9c45af074dd2780ec |
| SHA256 | b62372430947ce14c602c39a36f98d1d91b868f3bd925afde14fcd567c73f364 |
| SHA512 | 4eb44fd921ed9d92cda495f1061c78298a23a4a79e7142fbc9af72aa8be4c75e4a5e712e7d9e9a5cd58e696e714ac5bdeddc1f61e69b6cd4fcdb0ac57217b811 |
C:\Windows\system\cHROgXV.exe
| MD5 | f4639319d82c37aadb1257bebcdbd3e7 |
| SHA1 | 052f57eb8061529382bafca62329d371022a147c |
| SHA256 | 62562b2b913a0294d4774f16cbcead14da8a1db684304d044f663acb2616cd7f |
| SHA512 | 784bca4d5d25b5c2d4ddf5a6b334fdd2037342d6c2f15dee8108aaa9feb97ba02db3bd99cd8bf9dd7de658ca43090cebea0bb115e53460f5518065be56029a28 |
memory/2812-115-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2100-120-0x000000013F170000-0x000000013F4C4000-memory.dmp
C:\Windows\system\ncHarem.exe
| MD5 | 209652d04f145c4ab64e34d687b5594e |
| SHA1 | 716079b4949d4922b5ff2e761005a609f0a7d295 |
| SHA256 | a3a6dce60793239f68f7675b40f8d2a01d4c9ffc5ade37c9959df2f0b09dca09 |
| SHA512 | 415386f0e93c86a7e0d497b0e63134a835a920ae0fdaafdcfa81f2b23e5fc4d642d1d4aa81485a225e2c323d490b2201ec52fbd24f73feed9bf915ba1142d261 |
\Windows\system\SWYGisA.exe
| MD5 | a60d0f1995b2fcdc415515fe89bebfbe |
| SHA1 | 7dba5fa974f44a4d19010e6d9e931676b8224468 |
| SHA256 | 1fa10e136c26049b83e7e9112366b23ef0c8e6d1d37c67fd6ddcac8765b200dd |
| SHA512 | 5ccb7371b34523f3700e829ac6db87053f9ae90faa571eb2bfcc09281db4a955939c0d682234f896affdcd1f80514b3931aa7b9b4339753be3284a7f313af7fe |
C:\Windows\system\avJvisO.exe
| MD5 | 72202a1b8e211616ec627ebcad1d238c |
| SHA1 | ba2b66fdf2b9a533e110ac193170790c424d6344 |
| SHA256 | 951f83f521c39cdce3bb4c755374a57f9036930507b4e13bd105fe6a97c5fbf4 |
| SHA512 | e0919eef66413d57fb8ea696962d7acadd92cf02d19b80c73d60c1f303f836e0ec67fa20bd1f74b5afb0c8baa18a60671c3e3bc1f358bc57070c73c6f058e948 |
memory/2100-95-0x000000013FDF0000-0x0000000140144000-memory.dmp
C:\Windows\system\DUmYMRW.exe
| MD5 | ae74e5ff8013bd682f119e62321bbcc7 |
| SHA1 | 623ee45240ae2b832e019e61ba3a00cdb58f53df |
| SHA256 | 0dbbc31a411e052fb193cf86a9d6b7f10dda273363494a9db93bdddab726b765 |
| SHA512 | d10f037f2a0369724768f0fbebaf87758f8ca02ef9bc21b883694628b21cd031958fa370f50fa9d23d246e00ca97091a20aba6b72f31f2ae4362cf9fc383d99f |
C:\Windows\system\EOyzXcJ.exe
| MD5 | 810f453581e5643c1af42da99eddd354 |
| SHA1 | fc635be01443640fd204dffeaaaa9b0fb2e8032a |
| SHA256 | 91e18631ceaf2cacc9306b289343d4814b3ca79f3d5ebe941c8d4758a0aa5b10 |
| SHA512 | 3ec84af2ae11d557c2328a3318ba397a133c26d9f114f3b79751423b5ebff4c70ed7c03dcbf987e6ece8b68bd4f5a3008f9871fad5898332244ef9e06e5cda44 |
C:\Windows\system\JSKbIFg.exe
| MD5 | 04317a88aaec0315bcc8d331c5c9c028 |
| SHA1 | 9552df9a5b4c08bea4cc6ab406748ffb61e94c82 |
| SHA256 | 72945f518d6bb0a2ce6ea28f40feae0b7263b875b1a7085af9f140b2887c200b |
| SHA512 | ff045214483d9766ca6420becb75500e0c2706a85e0be38dd691d7a4f2341e9197fc4a7f535853f75e7e9dfa360cfa29c9028a41b69c218dfc2bc83f709cac15 |
C:\Windows\system\TdMWKIo.exe
| MD5 | 9ae907e7be48b1782ba2887ee4e03ec3 |
| SHA1 | 64024f0e3c4f715f10202701f3d5bcadd315ecef |
| SHA256 | bd69a67973579eb926054b0ca82d2c7a7156dccee8e183fa98656e3708f8ac28 |
| SHA512 | ee802fd11ea106e180ae870a9811de4de05714164ede5263ee2a988a7309e5ec135768b7f0b6e279952cb4429aa64b9eea89a55506e0d072a02c5a4237260344 |
\Windows\system\ohQmimU.exe
| MD5 | 3cfdb205761a77afa4296842a24f2dac |
| SHA1 | 265a72f0874fafb5a4954468d6dc35a0f0db327a |
| SHA256 | cd90ae3ca3de960ceb5002f0827b249a73b4ff79231888a283aee63c19e1de48 |
| SHA512 | cc5d0f9ddb50754d3936f211c18cc426450efa9b901ada7ecb7c49bce4d99a776f154b6afedf3b141f636340df6cba50b43202d55992614793f9557e7abad46e |
\Windows\system\YZxnvfh.exe
| MD5 | 480d3635c567e74d095293bfd86db640 |
| SHA1 | 6079058b710bd07a6c4d38ee8705ab5895e00695 |
| SHA256 | 06ba5767e4dd7ebe411f8afc3f4a9625c4f36c4b6cdbe638042c06b634231763 |
| SHA512 | 2f0eb3c693ea9037661108c4df855984d13f61895ebd3a7b8d4d3ea02a9207e98b95d870075ba7eddc9f61fdf5247b0bc7dbc37b90db3451435fb5cd65aeea4c |
memory/2100-121-0x000000013F2B0000-0x000000013F604000-memory.dmp
memory/2100-119-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2100-118-0x000000013F460000-0x000000013F7B4000-memory.dmp
memory/2776-114-0x000000013FC30000-0x000000013FF84000-memory.dmp
C:\Windows\system\QHlpmFJ.exe
| MD5 | 0502f277e39492a525239eeb04ad4911 |
| SHA1 | b30a344b3b21cc737ed11a1cbf16283676275a33 |
| SHA256 | cae79c3036042a00261c3b99869d72a3fef99bab2b340bd26c37990eae60e12c |
| SHA512 | cfdd6ee154de7b58e6ebc3f4959c8258b6f2b008e5f464b50f400d1e98ab5ea1823b48840dc57c806f7e21f2c584968955fb33dba96c4ebc2756495d0ddb2c16 |
memory/2856-109-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
C:\Windows\system\mylcZeG.exe
| MD5 | 1c4b312da0df50ec18d06293197e54c5 |
| SHA1 | c6c3feb18f435800c545c11ac55b7de11ca4cffe |
| SHA256 | d5b2f0ec763ee0ef452c380d11bdabf324a2776b9141daade8366db619015abe |
| SHA512 | 4bef741d00f8a96e57a4451818fe3bab12d656f36e97d7f31294fe86972a7db1095cef9a3293539a4cc79aaeb6af5ec8d3cc432cc86db1d18c344bcaabb7a0c4 |
memory/2100-78-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/2100-72-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2100-63-0x0000000002320000-0x0000000002674000-memory.dmp
memory/2100-130-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/2768-51-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/2716-47-0x000000013F480000-0x000000013F7D4000-memory.dmp
C:\Windows\system\UXOBgKQ.exe
| MD5 | b69979f5dc8390499099cd8e8a99f5bf |
| SHA1 | e7562538f58dfb3f3bae63f087de029bdcbbf322 |
| SHA256 | 1c615521ef445d7ff0e76836e51012eba72ecd53ee28efc6caf6c152f58d10b6 |
| SHA512 | 47fe55cedbb1fe79da2ecfbf7a24f53f9c332c01b09df0947c0f8afcaeee1572037e14c9424906cfdae73a792274c4d0cc54b5988af65c231287337eeb1155f7 |
memory/2716-131-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2768-133-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/2624-132-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/2100-134-0x000000013FC30000-0x000000013FF84000-memory.dmp
memory/2856-135-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
memory/2100-136-0x000000013F460000-0x000000013F7B4000-memory.dmp
memory/1676-137-0x000000013FFB0000-0x0000000140304000-memory.dmp
memory/2840-138-0x000000013F930000-0x000000013FC84000-memory.dmp
memory/2904-139-0x000000013FB10000-0x000000013FE64000-memory.dmp
memory/2956-140-0x000000013F0F0000-0x000000013F444000-memory.dmp
memory/2624-141-0x000000013FB80000-0x000000013FED4000-memory.dmp
memory/2716-142-0x000000013F480000-0x000000013F7D4000-memory.dmp
memory/2768-143-0x000000013F770000-0x000000013FAC4000-memory.dmp
memory/2856-146-0x000000013F8A0000-0x000000013FBF4000-memory.dmp
memory/2812-145-0x000000013FEB0000-0x0000000140204000-memory.dmp
memory/2776-144-0x000000013FC30000-0x000000013FF84000-memory.dmp
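The Files section above (and the one in behavioral2) is the part of this report an analyst actually carries away: dropped-file hashes for blocklists and retro-hunts, and the memory regions that were dumped. Reading them by hand invites transcription errors in 128-character digests, so the following is an added example, not part of the sandbox report, that parses the page's own line format into structured records, rejects a digest whose length does not match its algorithm, and reports the distinct mapped-region sizes. The sample text is copied verbatim from the first entries of this section; one observation the parser makes visible is that every dumped image region on this page spans 0x354000 bytes (the only other size is a single 0x10000 region per detonation), consistent with the dropped executables being the same image written out under different names.

```python
"""Parse the report's 'Files' section into structured indicators.

Added example; it is not part of the sandbox report. It reads the page's own
line format: a dropped-file path, followed by '| MD5 | <hex> |' style rows,
interleaved with 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' entries.
"""
import re
from dataclasses import dataclass, field

# Hex-digit length each digest must have; a mismatching row is reported as a
# transcription error rather than silently accepted into an IOC list.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
MEM_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
PATH_LINE = re.compile(r"^(?:[A-Za-z]:)?\\.+\.(?:exe|dll)$", re.IGNORECASE)


@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)


@dataclass
class MemoryRegion:
    pid: int
    seq: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_files_section(text):
    """Return (files, regions, errors) for one 'Files' section."""
    files, regions, errors = [], [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = MEM_LINE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            regions.append(MemoryRegion(int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None  # a hash row may only follow a path line
            continue
        m = HASH_ROW.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None:
                errors.append(f"hash row with no preceding path: {line}")
            elif len(digest) != DIGEST_LEN[algo]:
                errors.append(f"{current.path}: {algo} has {len(digest)} hex digits, expected {DIGEST_LEN[algo]}")
            else:
                current.hashes[algo] = digest
            continue
        if PATH_LINE.match(line):
            current = DroppedFile(path=line)
            files.append(current)
            continue
        errors.append(f"unrecognised line: {line}")
    return files, regions, errors


def image_sizes(regions):
    """Distinct mapped-region sizes; on this page every dumped image is 0x354000 bytes."""
    return sorted({r.size for r in regions})


def sha256_set(files):
    """SHA256 values suitable for a blocklist or retro-hunt."""
    return {f.hashes["SHA256"] for f in files if "SHA256" in f.hashes}


# Constructed sample: the first entries of behavioral1's Files section, verbatim.
SAMPLE = r"""
memory/2100-0-0x000000013F8B0000-0x000000013FC04000-memory.dmp
memory/2100-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\gwkfyIX.exe
| MD5 | f4711f1aa8a0d8585a9b76ca54211a1f |
| SHA1 | 81905097b1cb32a0a371ce46f760b59a1f9ffd52 |
| SHA256 | b7c0d95fe4f41991d24014f2b2b5b5c66b64c646e7bce141fda667cebcaa10d1 |
| SHA512 | 483c24a30770d22047bb3e9abdd4215133283a360a22d0585c59190e93f6b538a9a3d9bd82fd8ba0b2427fac7eaa66861d90d142db58a2a12994c460969a7fe9 |
C:\Windows\system\eWdYlck.exe
| MD5 | fb93b6951f4bd763c13942d38c5cb5a2 |
| SHA1 | 4eeb2a90dd49fbebcfa0d577cc886d6c6875d018 |
| SHA256 | 08364b9e2b8a4ad2b206ecad0c657f63dab46b5e4a41e8da0de9f7c9cdaa4edc |
| SHA512 | bc6df6eede3d1d41265f4987dd60001ee3724cfb341e39a80658f172023227b5f53884f67cc2c72ea3c9c5d763d28eb06ff5f32b9a884cd3c269688362724a1b |
memory/2100-10-0x000000013FFB0000-0x0000000140304000-memory.dmp
"""

if __name__ == "__main__":
    files, regions, errors = parse_files_section(SAMPLE)
    for f in files:
        print(f.path, f.hashes["SHA256"])
    print("region sizes:", [hex(s) for s in image_sizes(regions)], "errors:", errors)
```

Feed the whole Files section of either detonation to `parse_files_section` and take `sha256_set` as the blocklist; a non-empty `errors` list means a row was mangled in copying and should not be shipped as an indicator.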
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-07 02:14
Reported
2024-06-07 02:17
Platform
win10v2004-20240426-en
Max time kernel
135s
Max time network
144s
Command Line
Signatures
Cobalt Strike reflective loader
(20 matches; Description, Indicator, Process and Target not recorded in the report)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
(20 matches; Description, Indicator, Process and Target not recorded in the report)
UPX dump on OEP (original entry point)
(64 matches; Description, Indicator, Process and Target not recorded in the report)
XMRig Miner payload
(64 matches; Description, Indicator, Process and Target not recorded in the report)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\NmhRBDT.exe | N/A |
| N/A | N/A | C:\Windows\System\XjSjywS.exe | N/A |
| N/A | N/A | C:\Windows\System\DnPcUHn.exe | N/A |
| N/A | N/A | C:\Windows\System\NlxJkDw.exe | N/A |
| N/A | N/A | C:\Windows\System\HNIAYNk.exe | N/A |
| N/A | N/A | C:\Windows\System\TRjkLJS.exe | N/A |
| N/A | N/A | C:\Windows\System\BEVDKaT.exe | N/A |
| N/A | N/A | C:\Windows\System\IchQhdJ.exe | N/A |
| N/A | N/A | C:\Windows\System\fkLVcUR.exe | N/A |
| N/A | N/A | C:\Windows\System\IXrTmOH.exe | N/A |
| N/A | N/A | C:\Windows\System\hPuULMX.exe | N/A |
| N/A | N/A | C:\Windows\System\ThDacIz.exe | N/A |
| N/A | N/A | C:\Windows\System\vttztRb.exe | N/A |
| N/A | N/A | C:\Windows\System\nSJSxaM.exe | N/A |
| N/A | N/A | C:\Windows\System\zdegSql.exe | N/A |
| N/A | N/A | C:\Windows\System\CwlPVEN.exe | N/A |
| N/A | N/A | C:\Windows\System\pDexjHh.exe | N/A |
| N/A | N/A | C:\Windows\System\EAeIdhD.exe | N/A |
| N/A | N/A | C:\Windows\System\ViXkhcc.exe | N/A |
| N/A | N/A | C:\Windows\System\hkVCxqM.exe | N/A |
| N/A | N/A | C:\Windows\System\fTwDGdh.exe | N/A |
UPX packed file
(64 matches; Description, Indicator, Process and Target not recorded in the report)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\NmhRBDT.exe
C:\Windows\System\NmhRBDT.exe
C:\Windows\System\XjSjywS.exe
C:\Windows\System\XjSjywS.exe
C:\Windows\System\DnPcUHn.exe
C:\Windows\System\DnPcUHn.exe
C:\Windows\System\NlxJkDw.exe
C:\Windows\System\NlxJkDw.exe
C:\Windows\System\HNIAYNk.exe
C:\Windows\System\HNIAYNk.exe
C:\Windows\System\TRjkLJS.exe
C:\Windows\System\TRjkLJS.exe
C:\Windows\System\BEVDKaT.exe
C:\Windows\System\BEVDKaT.exe
C:\Windows\System\IchQhdJ.exe
C:\Windows\System\IchQhdJ.exe
C:\Windows\System\fkLVcUR.exe
C:\Windows\System\fkLVcUR.exe
C:\Windows\System\IXrTmOH.exe
C:\Windows\System\IXrTmOH.exe
C:\Windows\System\hPuULMX.exe
C:\Windows\System\hPuULMX.exe
C:\Windows\System\ThDacIz.exe
C:\Windows\System\ThDacIz.exe
C:\Windows\System\vttztRb.exe
C:\Windows\System\vttztRb.exe
C:\Windows\System\nSJSxaM.exe
C:\Windows\System\nSJSxaM.exe
C:\Windows\System\zdegSql.exe
C:\Windows\System\zdegSql.exe
C:\Windows\System\CwlPVEN.exe
C:\Windows\System\CwlPVEN.exe
C:\Windows\System\pDexjHh.exe
C:\Windows\System\pDexjHh.exe
C:\Windows\System\EAeIdhD.exe
C:\Windows\System\EAeIdhD.exe
C:\Windows\System\ViXkhcc.exe
C:\Windows\System\ViXkhcc.exe
C:\Windows\System\hkVCxqM.exe
C:\Windows\System\hkVCxqM.exe
C:\Windows\System\fTwDGdh.exe
C:\Windows\System\fTwDGdh.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
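Three behaviours recur across behavioral1 (Windows 7) and behavioral2 (Windows 10) and are worth turning into detection logic: the sample, running from the user's Temp directory, writes 7-letter mixed-case executables into C:\Windows\System (the legacy 16-bit directory, not System32) and executes each one; it enables SeLockMemoryPrivilege, which XMRig requests so it can back its scratchpad with large pages; and it connects to 3.120.209.58:8080 over TCP, the only destination common to both runs (the PTR lookups via 8.8.8.8 in the Win10 run are reverse lookups of addresses in Microsoft and CDN ranges, consistent with Windows 10 background traffic rather than sample activity). The block below is an added example, not part of the report and not any vendor's rule set; it runs those three rules over constructed Sysmon-style event records (the event and field names are assumptions, not a real schema) and carries an allowlist for the one rule with a well-known benign trigger: SQL Server and similar software legitimately hold "Lock pages in memory".

```python
"""Detection logic for the process, privilege and network behaviour recorded
in behavioral1 and behavioral2.

Added example; not part of the report and not any vendor's rule set. The event
records are constructed to mirror Sysmon-style telemetry; the event and field
names ('process_create', 'image', 'parent_image', ...) are assumptions.
"""
import re

# The one destination both detonations contacted.
C2_DESTINATIONS = {("3.120.209.58", 8080)}

# Both runs wrote 7-letter mixed-case .exe names into C:\Windows\System (the
# legacy 16-bit directory, not System32) and executed each one.
DROPPED_NAME = re.compile(r"^[A-Za-z]{7}\.exe$")
DROP_DIR = "c:\\windows\\system\\"
TEMP_DIR = "\\appdata\\local\\temp\\"
WINDOWS_DIR = "c:\\windows\\"

# Legitimate software that enables SeLockMemoryPrivilege ("Lock pages in
# memory"), e.g. SQL Server; extend for your estate.
LOCK_MEMORY_ALLOWLIST = {"sqlservr.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1]


def detect(events, allowlist=LOCK_MEMORY_ALLOWLIST):
    """Return (rule, detail) tuples for every event matching one of three rules."""
    findings = []
    for ev in events:
        kind = ev["event"]
        if kind == "process_create":
            image, parent = ev["image"], ev["parent_image"].lower()
            if (image.lower().startswith(DROP_DIR)
                    and DROPPED_NAME.match(_basename(image))
                    and TEMP_DIR in parent):
                findings.append(("dropped_exe_in_windows_system", image))
        elif kind == "privilege_adjust":
            # XMRig enables SeLockMemoryPrivilege to back its scratchpad with
            # large pages; the report shows the sample doing so twice.
            image = ev["image"]
            if (ev["privilege"] == "SeLockMemoryPrivilege"
                    and not image.lower().startswith(WINDOWS_DIR)
                    and _basename(image).lower() not in allowlist):
                findings.append(("lock_memory_privilege_from_user_path", image))
        elif kind == "network_connect":
            if ev["proto"] == "tcp" and (ev["dst_ip"], ev["dst_port"]) in C2_DESTINATIONS:
                findings.append(("known_c2_destination", f"{ev['dst_ip']}:{ev['dst_port']}"))
    return findings


SAMPLE_EXE = (r"C:\Users\Admin\AppData\Local\Temp"
              r"\2024-06-07_be80b41afb6b4c0a81b0617bd0c2ef71_cobalt-strike_cobaltstrike.exe")

# Constructed events: the report's observed behaviour plus benign noise.
SAMPLE_EVENTS = [
    {"event": "process_create", "image": SAMPLE_EXE, "parent_image": r"C:\Windows\explorer.exe"},
    {"event": "process_create", "image": r"C:\Windows\System\gwkfyIX.exe", "parent_image": SAMPLE_EXE},
    {"event": "process_create", "image": r"C:\Windows\System32\svchost.exe",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"event": "privilege_adjust", "image": SAMPLE_EXE, "privilege": "SeLockMemoryPrivilege"},
    {"event": "privilege_adjust", "image": r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe",
     "privilege": "SeLockMemoryPrivilege"},
    {"event": "privilege_adjust", "image": r"C:\Windows\System32\lsass.exe", "privilege": "SeDebugPrivilege"},
    {"event": "network_connect", "image": SAMPLE_EXE, "dst_ip": "3.120.209.58", "dst_port": 8080, "proto": "tcp"},
    {"event": "network_connect", "image": r"C:\Windows\System32\svchost.exe",
     "dst_ip": "8.8.8.8", "dst_port": 53, "proto": "udp"},
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(rule, detail)
```

The first rule is the strongest of the three: nothing legitimate drops randomly named executables into C:\Windows\System from a user's Temp directory, whereas the privilege rule needs the allowlist and the network rule is only as durable as the address, which the operator can change at will.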
Files