Analysis Overview
SHA256
f1e11b8a88c3a69f98cafe4c1d1b4476c17f12e9bf0c028e4cdb545291cab9de
Threat Level: Known bad
The file 2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Detects Reflective DLL injection artifacts
Xmrig family
XMRig Miner payload
Cobaltstrike family
xmrig
UPX dump on OEP (original entry point)
Cobaltstrike
Cobalt Strike reflective loader
Loads dropped DLL
UPX packed file
Executes dropped EXE
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-06-08 21:43
Signatures
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 21:43
Reported
2024-06-08 21:46
Platform
win7-20240221-en
Max time kernel
132s
Max time network
144s
Command Line
Signatures
xmrig
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\kSRMgEM.exe | N/A |
| N/A | N/A | C:\Windows\System\HSCTHvB.exe | N/A |
| N/A | N/A | C:\Windows\System\ZCiMwrI.exe | N/A |
| N/A | N/A | C:\Windows\System\WRiPcvL.exe | N/A |
| N/A | N/A | C:\Windows\System\qkaAYEm.exe | N/A |
| N/A | N/A | C:\Windows\System\vlsTMGv.exe | N/A |
| N/A | N/A | C:\Windows\System\WuTSdyc.exe | N/A |
| N/A | N/A | C:\Windows\System\uibHlBe.exe | N/A |
| N/A | N/A | C:\Windows\System\KNwfySR.exe | N/A |
| N/A | N/A | C:\Windows\System\faeCEoD.exe | N/A |
| N/A | N/A | C:\Windows\System\knllakV.exe | N/A |
| N/A | N/A | C:\Windows\System\JCCxDHe.exe | N/A |
| N/A | N/A | C:\Windows\System\LTPprxh.exe | N/A |
| N/A | N/A | C:\Windows\System\axyrVxp.exe | N/A |
| N/A | N/A | C:\Windows\System\znlPPXA.exe | N/A |
| N/A | N/A | C:\Windows\System\EbSOoWF.exe | N/A |
| N/A | N/A | C:\Windows\System\YIpYbwP.exe | N/A |
| N/A | N/A | C:\Windows\System\ukeeNSN.exe | N/A |
| N/A | N/A | C:\Windows\System\vslijfQ.exe | N/A |
| N/A | N/A | C:\Windows\System\EzvMjfE.exe | N/A |
| N/A | N/A | C:\Windows\System\vFWIPRp.exe | N/A |
Loads dropped DLL
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\kSRMgEM.exe
C:\Windows\System\HSCTHvB.exe
C:\Windows\System\ZCiMwrI.exe
C:\Windows\System\WRiPcvL.exe
C:\Windows\System\qkaAYEm.exe
C:\Windows\System\vlsTMGv.exe
C:\Windows\System\WuTSdyc.exe
C:\Windows\System\uibHlBe.exe
C:\Windows\System\KNwfySR.exe
C:\Windows\System\knllakV.exe
C:\Windows\System\faeCEoD.exe
C:\Windows\System\JCCxDHe.exe
C:\Windows\System\LTPprxh.exe
C:\Windows\System\axyrVxp.exe
C:\Windows\System\znlPPXA.exe
C:\Windows\System\EbSOoWF.exe
C:\Windows\System\YIpYbwP.exe
C:\Windows\System\ukeeNSN.exe
C:\Windows\System\vslijfQ.exe
C:\Windows\System\EzvMjfE.exe
C:\Windows\System\vFWIPRp.exe
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 21:43
Reported
2024-06-08 21:46
Platform
win10v2004-20240508-en
Max time kernel
142s
Max time network
157s
Command Line
Signatures
Cobalt Strike reflective loader
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\uQiBcgq.exe | N/A |
| N/A | N/A | C:\Windows\System\IbjbNpU.exe | N/A |
| N/A | N/A | C:\Windows\System\SdTBnfZ.exe | N/A |
| N/A | N/A | C:\Windows\System\EQUDfic.exe | N/A |
| N/A | N/A | C:\Windows\System\nVJlkte.exe | N/A |
| N/A | N/A | C:\Windows\System\KdgiKvn.exe | N/A |
| N/A | N/A | C:\Windows\System\AtKPFLw.exe | N/A |
| N/A | N/A | C:\Windows\System\xMrDkXy.exe | N/A |
| N/A | N/A | C:\Windows\System\IKfYzcX.exe | N/A |
| N/A | N/A | C:\Windows\System\jXdTBwD.exe | N/A |
| N/A | N/A | C:\Windows\System\BReRRRn.exe | N/A |
| N/A | N/A | C:\Windows\System\BUpMDFm.exe | N/A |
| N/A | N/A | C:\Windows\System\ekLYzOz.exe | N/A |
| N/A | N/A | C:\Windows\System\GVOfoeo.exe | N/A |
| N/A | N/A | C:\Windows\System\wPjIRHo.exe | N/A |
| N/A | N/A | C:\Windows\System\fKbaSQF.exe | N/A |
| N/A | N/A | C:\Windows\System\WSOhwQN.exe | N/A |
| N/A | N/A | C:\Windows\System\mZKmuge.exe | N/A |
| N/A | N/A | C:\Windows\System\DhdUPjQ.exe | N/A |
| N/A | N/A | C:\Windows\System\qMsxQVS.exe | N/A |
| N/A | N/A | C:\Windows\System\dumJeqv.exe | N/A |
UPX packed file
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-08_2573fdfcd160ab4cd9ecdcb30d0867df_cobalt-strike_cobaltstrike.exe"
C:\Windows\System\uQiBcgq.exe
C:\Windows\System\IbjbNpU.exe
C:\Windows\System\SdTBnfZ.exe
C:\Windows\System\EQUDfic.exe
C:\Windows\System\nVJlkte.exe
C:\Windows\System\KdgiKvn.exe
C:\Windows\System\AtKPFLw.exe
C:\Windows\System\xMrDkXy.exe
C:\Windows\System\IKfYzcX.exe
C:\Windows\System\jXdTBwD.exe
C:\Windows\System\BReRRRn.exe
C:\Windows\System\BUpMDFm.exe
C:\Windows\System\ekLYzOz.exe
C:\Windows\System\GVOfoeo.exe
C:\Windows\System\wPjIRHo.exe
C:\Windows\System\fKbaSQF.exe
C:\Windows\System\WSOhwQN.exe
C:\Windows\System\mZKmuge.exe
C:\Windows\System\DhdUPjQ.exe
C:\Windows\System\qMsxQVS.exe
C:\Windows\System\dumJeqv.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files