Analysis Overview
SHA256
a06c2ba756a1b9b97c23bd01bf3b1f31c145ca088937cded4bcca7a3a9a76c25
Threat Level: Known bad
The file 2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike was found to be: Known bad.
Malicious Activity Summary
Xmrig family
XMRig Miner payload
Cobaltstrike family
Cobalt Strike reflective loader
Detects Reflective DLL injection artifacts
UPX packed file
UPX dump on OEP (original entry point)
Unsigned PE
Loads dropped DLL
Executes dropped EXE
Drops file in Windows directory
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Analysis: static1
Detonation Overview
Reported
2024-06-08 21:46
Signatures
(static scan; the per-hit Description / Indicator / Process / Target fields were not recorded for any of these)
Cobalt Strike reflective loader
Cobaltstrike family
Detects Reflective DLL injection artifacts
UPX dump on OEP (original entry point)
XMRig Miner payload
Xmrig family
UPX packed file
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-08 21:46
Reported
2024-06-08 21:48
Platform
win7-20240508-en
Max time kernel
142s
Max time network
151s
Signatures
Cobalt Strike reflective loader (21 hits; Description / Indicator / Process / Target not recorded)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts (21 hits; details not recorded)
UPX dump on OEP (original entry point) (53 hits; details not recorded)
XMRig Miner payload (56 hits; details not recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\sZVZpjA.exe | N/A |
| N/A | N/A | C:\Windows\System\yEDrLnA.exe | N/A |
| N/A | N/A | C:\Windows\System\LNIhQiV.exe | N/A |
| N/A | N/A | C:\Windows\System\eGAotxT.exe | N/A |
| N/A | N/A | C:\Windows\System\vetqunu.exe | N/A |
| N/A | N/A | C:\Windows\System\UHkGdTv.exe | N/A |
| N/A | N/A | C:\Windows\System\mgKygoY.exe | N/A |
| N/A | N/A | C:\Windows\System\WsmVkbh.exe | N/A |
| N/A | N/A | C:\Windows\System\GDqBmsZ.exe | N/A |
| N/A | N/A | C:\Windows\System\BEeyIRz.exe | N/A |
| N/A | N/A | C:\Windows\System\klnPSyj.exe | N/A |
| N/A | N/A | C:\Windows\System\yyROZKH.exe | N/A |
| N/A | N/A | C:\Windows\System\hmYGqUE.exe | N/A |
| N/A | N/A | C:\Windows\System\ArDAfPa.exe | N/A |
| N/A | N/A | C:\Windows\System\WSdsLgZ.exe | N/A |
| N/A | N/A | C:\Windows\System\oJmTejv.exe | N/A |
| N/A | N/A | C:\Windows\System\vQgNOuz.exe | N/A |
| N/A | N/A | C:\Windows\System\hGikHtz.exe | N/A |
| N/A | N/A | C:\Windows\System\YhWFlJy.exe | N/A |
| N/A | N/A | C:\Windows\System\grTBVrl.exe | N/A |
| N/A | N/A | C:\Windows\System\VwWoZsM.exe | N/A |
Loads dropped DLL
UPX packed file (53 hits; details not recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\sZVZpjA.exe | C:\Windows\System\sZVZpjA.exe |
| C:\Windows\System\yEDrLnA.exe | C:\Windows\System\yEDrLnA.exe |
| C:\Windows\System\LNIhQiV.exe | C:\Windows\System\LNIhQiV.exe |
| C:\Windows\System\eGAotxT.exe | C:\Windows\System\eGAotxT.exe |
| C:\Windows\System\vetqunu.exe | C:\Windows\System\vetqunu.exe |
| C:\Windows\System\UHkGdTv.exe | C:\Windows\System\UHkGdTv.exe |
| C:\Windows\System\mgKygoY.exe | C:\Windows\System\mgKygoY.exe |
| C:\Windows\System\WsmVkbh.exe | C:\Windows\System\WsmVkbh.exe |
| C:\Windows\System\GDqBmsZ.exe | C:\Windows\System\GDqBmsZ.exe |
| C:\Windows\System\BEeyIRz.exe | C:\Windows\System\BEeyIRz.exe |
| C:\Windows\System\klnPSyj.exe | C:\Windows\System\klnPSyj.exe |
| C:\Windows\System\yyROZKH.exe | C:\Windows\System\yyROZKH.exe |
| C:\Windows\System\hmYGqUE.exe | C:\Windows\System\hmYGqUE.exe |
| C:\Windows\System\ArDAfPa.exe | C:\Windows\System\ArDAfPa.exe |
| C:\Windows\System\WSdsLgZ.exe | C:\Windows\System\WSdsLgZ.exe |
| C:\Windows\System\vQgNOuz.exe | C:\Windows\System\vQgNOuz.exe |
| C:\Windows\System\oJmTejv.exe | C:\Windows\System\oJmTejv.exe |
| C:\Windows\System\YhWFlJy.exe | C:\Windows\System\YhWFlJy.exe |
| C:\Windows\System\hGikHtz.exe | C:\Windows\System\hGikHtz.exe |
| C:\Windows\System\grTBVrl.exe | C:\Windows\System\grTBVrl.exe |
| C:\Windows\System\VwWoZsM.exe | C:\Windows\System\VwWoZsM.exe |
Network
| Country | Destination | Domain | Proto |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
Six TCP connections to 3.120.209.58:8080 and no DNS traffic at all: the endpoint is reached by IP address, not by name.
Files
memory/1368-0-0x000000013F9B0000-0x000000013FD04000-memory.dmp
memory/1368-1-0x00000000000F0000-0x0000000000100000-memory.dmp
\Windows\system\sZVZpjA.exe
| MD5 | 35f665ec35e811277a6b46001a7c5cf0 |
| SHA1 | 571b496d5cf5d36634e1578685a876bfd6f2c77d |
| SHA256 | f4cc52063603c730a6f36ee379d17941aa1640945662e43c15f470bfdd3b9ff1 |
| SHA512 | 9ba48f116dd30a36f0c4c47c7643946d50010612d2f264966046928b1d699497c860469eea3f70c99730bbd4395db497ec91624d1fa11534588d871ed7a57cb8 |
C:\Windows\system\eGAotxT.exe
| MD5 | abd25403c195d1b5988669c2d4b0ff24 |
| SHA1 | 1f15187830b68ddea3c66416aac3c175c60c5638 |
| SHA256 | 66d3fe285696e95dea47087a5e82e4a2b971e67ce185bfdc68b4f53ed8b8a398 |
| SHA512 | 864d00f2991610d46451ca6b5a64e13632800cdb3455efe7ae7a0d9e86e30d059c9f2d9dc2f1dc21d2acfda539cfbb0d2c33ed66f0c9f1e68e4a716580377f07 |
C:\Windows\system\LNIhQiV.exe
| MD5 | 4541c5ca1018bd1e7bffaac23e7648c9 |
| SHA1 | be158d16e415e0cc65f5d1cbe597db884152f59b |
| SHA256 | b377dfd928dd02e839abe91cbfcf4c3f8c51b02fbc19c1d0459add4c4bfce374 |
| SHA512 | 1815af87898d2945dd320a2ddbd1b00437cd0f261bcf7e1cc65b58f0b8d86ef471e546137f5403f4b1fd7da2ee0028c526e2f9015853b023ef78fb1e76505887 |
C:\Windows\system\vetqunu.exe
| MD5 | f6beed8914622616a13633181462a418 |
| SHA1 | abc60960871b5ab10bdec29b560983690ea7ca4c |
| SHA256 | ebd59ab80b6b6d08449b1f31fcb3013836ee4d4afc8d323a143a3143f796639f |
| SHA512 | f1a6ff1cb562272f364021299bb572bbd4063ba8637db3dda94065b9633f8ba76b5fc12242c36592ad69889be3129cde47cf0133340b0fbb294073c0a558afb2 |
C:\Windows\system\mgKygoY.exe
| MD5 | 11ffad1f03f95e12bd591681e10094bf |
| SHA1 | 88dad4bf59f99bbb6c6f8b7717ed48ab5b601a3a |
| SHA256 | e5717e51ed8f0865533c00d5f800c89e26b575606afd435d7a589e60dda8b783 |
| SHA512 | fde5c610784d9b80a000148530bef245e876679d5b6467b6c67cdeecceced9f4f701c94941a5d5cc976e34767cf25f4a2842ede15663e63dd2b145a1d8945519 |
C:\Windows\system\GDqBmsZ.exe
| MD5 | 7e400828642807ed2e50fe5d50310fcc |
| SHA1 | ac585d408af15e10c8de64a67329ce2e1ecb5101 |
| SHA256 | 87312b396a4a20d3820575abd7ffa74a31b130a5f1ebe38998db3cbed2ae597c |
| SHA512 | fce774bc6d72c9c193f5121e43cff77a55d0ac0dac8f8178ccb926780f427c5be91a34680338827c1db9387a301223886b19ad391c6dfb1efa3348d0027f9fbe |
\Windows\system\BEeyIRz.exe
| MD5 | 54c1bfe55318a8a3a809c3a4ea9c0f3e |
| SHA1 | 22875a7959ea4b1abc645f9ffe351b055ca7fdb9 |
| SHA256 | 510476ea43ce0c25ef4b491f9f98a7344dac9a70e1805094418a09042c7a6942 |
| SHA512 | 41e37df9752708790a4564e636a610965d5db742b8c14affae7e515897ec918bf3ee067daa36d90c91d364cfefea9a1da9f17e55ceddf6e6e463b6b6fd9548fa |
C:\Windows\system\yyROZKH.exe
| MD5 | 673fbb1ec1c75932e792b34dddd2b911 |
| SHA1 | 0c28188a6f1636e8aa24c46a7021b339cc91c826 |
| SHA256 | 52406be79f44c7d0200f258d5f546b20ada9067d6d481ae1f0fa981332a7fe5a |
| SHA512 | c32c8234ef8cb9671f3e04e6e6f5ccd2d91ceb7da087d158a87cc18ea9be3e0c5d148f1538836b7f23a61ba03b86c2a87758803bc6ebeeddc35f91bbfe064fdf |
C:\Windows\system\ArDAfPa.exe
| MD5 | 8e2ec35eb4882e2f57636d3d7ac0950b |
| SHA1 | 2ac349ea0e39d06af254b3a179774553f40e4683 |
| SHA256 | 557e3c58d8483b2222d493b418dfc48a54027b1e042b1586d567ac23cfa5ed40 |
| SHA512 | b2e74053aac293185c793b68afe95a167e5fba2ab85adc16ce97aa39e0234e415e49e116c8265418a591591053c1506ee89b25df80e90d63aa3b9cab4c70622b |
\Windows\system\hGikHtz.exe
| MD5 | 88363164f8756b977edd83b066063e3c |
| SHA1 | aae02ebeffe0ec02018f510b547b35868fb40c95 |
| SHA256 | de819b02bd895fe0199b889a1b296f0b671cb73cfaa883c4c49925b6b93acc4e |
| SHA512 | a85fccaa9f7c9f2452156b0b80f8ccfcb141a4908216a0608b681e28299d6aee1d9cdef4d6868e8b9957f38804b603111198b02430df867f6474add3cc03434b |
\Windows\system\grTBVrl.exe
| MD5 | 464a915005ba053c36ed207338245409 |
| SHA1 | 8115408ad65c9969aed87f91f2ca4f14e8d3a8dc |
| SHA256 | 63fdfeef8944e50588389b619b068d66f99941ec7a418517fc5c0cd7bd653c7f |
| SHA512 | e82b8d93f3e12326a86e2758bf3c64ffc083fd9c7d919f5912681fe7d2721a07c3b16cb188e7a7ed79ddc97809c965249205abe6844b80c545100378131116d7 |
C:\Windows\system\VwWoZsM.exe
| MD5 | 03de81f873311f9e5716c68a46b6530a |
| SHA1 | 70dc1da1d97f57ac3a36d14159d1997977df41c2 |
| SHA256 | 7abcea3345f688f9757ded292f5d8cad0dec2678a736bfcb94f448c86a22e4a1 |
| SHA512 | 100cea0017c721eea973ee9dd16fdfbc30c3e879416ab9f1d4d0b7009c660ef4cd84d1b2095ff27ec78ebfb92b86f7d004bca32cc50fcc290b694ce31b156fe8 |
\Windows\system\YhWFlJy.exe
| MD5 | ea831433df3eab359e8a1a54b7e2245f |
| SHA1 | 93612e5f0dee953a8b1ee64c72228088fd8f21e4 |
| SHA256 | 223179a7882f67f3880f33c4b1f6de1c2ceaf1a6b71f97cfd7c267ae1cdca33a |
| SHA512 | 3df91e9302f9f532f9cf4da98d032ec9c4f3ae9ebc9641222a1d5424952cc87f283ecd91ed5382bcb507d22ccc4b217bf6ed7a889f36d9e75bef61ec1f47b4be |
\Windows\system\vQgNOuz.exe
| MD5 | 5ef53ffdbabe16ea4fbfd20fe795c74c |
| SHA1 | 6b12897e0dc0175e3dcafbc6853bddb9d22726d6 |
| SHA256 | a3b13fa96350d4acccfc321550afd91140ad7617bacd60e58e1757c26ec919d9 |
| SHA512 | cfcf76658cdd3e25997cde751784950faeb830e306696ed45e0466e69e70ede08a7656ea7f344f8e5727ccb471e6040f2dd0864f6bc73d815cc8872a15d0da10 |
C:\Windows\system\oJmTejv.exe
| MD5 | 929beaec6555c839d42a927ba55d6b99 |
| SHA1 | f7d8e348b602320111d92cf4018d117498173b73 |
| SHA256 | 98ec0ebbebc6997a67180d177d95cfcf83afd6b06b969dd76bdcf8de0848e185 |
| SHA512 | cda8662d05c5d530b713ffbbffe850b303dadb4fabd85087a0ccb1155fa3aeec28352c83e8bc0e8cf8de429225a57645d6642972f2d56a710e7fecb0849243dd |
C:\Windows\system\WSdsLgZ.exe
| MD5 | da1c1a1ece14982c73ad7d070ada38ea |
| SHA1 | 8898ce1bcb8e16414172ac62db09e56a5a1d0add |
| SHA256 | 8bba2058cf8de54523285766304d788dd05273fd8e35509ded7b5be527f52348 |
| SHA512 | 8870a6f5834403391aec7d46de2e44aa856987e9a96750edc5f8889f604d992bb6d5925ab95e0586d469bb614b30db7ae884734295103ea6f7ab0c7544171097 |
C:\Windows\system\hmYGqUE.exe
| MD5 | d677acabad86c08ff2c8c5b49566f24f |
| SHA1 | fa63332160b6d73a31ce19299be2044387c7e31d |
| SHA256 | 3123eb1716d2493d8b208e122fe7050429fcc40bc5d944474a0e36a82006eee9 |
| SHA512 | 8b410a40658600deb98ea8ec51c97c91f7038630929842bbf1e0f8270894b0fa50c9a7784e0d082e1bceb353652750401014fa5ec2cd5414272280df4684b7c2 |
C:\Windows\system\klnPSyj.exe
| MD5 | 9ed233250e3538c3ad0aebabe5707c03 |
| SHA1 | 9273b275648432fa9f20936c8382cd0a792272b0 |
| SHA256 | f2df9eed3a6ff3241c2fe8b695d589e571b72ba94c0b450b7254e13246b1cc1f |
| SHA512 | 88b1c8601bab01da389829d109cb18e1b8707d885b8cf496c1c271fd3512075ca8e2b19e18e0708c2fd9ac90619c891062b0203e17ac44187e818de65351d2f4 |
C:\Windows\system\WsmVkbh.exe
| MD5 | 9aa3469346b163c77e1d1de586c92373 |
| SHA1 | fdd60db07fdbb2b98cb1b79b2f4815bfe16a0be0 |
| SHA256 | 4cab1c00f968c21e72fbd9a787242d5b35a2ecbd7801e0e93565d9bae5b184b5 |
| SHA512 | 95e3e405d85882f24bf2bbd69e4f3ee99e1cc46005d4f709c9a03d0f14f12405b02aabf9a2c45683fb8474d17eb6d81e7b403dd8e4002633ac32386c530ae27c |
C:\Windows\system\UHkGdTv.exe
| MD5 | 6ef663838a108250177869580e572ce7 |
| SHA1 | 70c95d039ebf4fd1770b44ddee3f7b00994ce957 |
| SHA256 | f252383af3d8ec41f1739f8cd600c810b7823f0f7c0d46816db68bea6727f451 |
| SHA512 | 1e92013a8ce6408e4c5ba39695a7f33eda3660cc46747669841a102f1d1c5a5b3d3b4087cfdabc9f17957f079c99ea07b3a85d7824a57e49057749819b1bfa52 |
memory/1368-16-0x000000013F070000-0x000000013F3C4000-memory.dmp
C:\Windows\system\yEDrLnA.exe
| MD5 | 039eaf6da51072b56ef53a629672670f |
| SHA1 | 935e47e07a2c4707b7504c609c9882e8265f10c8 |
| SHA256 | 119c307f875d8767f95fa478c69e80e15941a07ce1b1c164cfa3450b9968fb2b |
| SHA512 | 69de1a78d4e7f1caae224e74ed77590b3fb98a63d2f03843bdb21bf8b9ca8e9f611a9abf5d0cb2a00cbf27497dec9722b80c99ff5836b1ed0e20878eaacdfef6 |
memory/2688-8-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/3044-109-0x000000013F070000-0x000000013F3C4000-memory.dmp
memory/1368-110-0x00000000023E0000-0x0000000002734000-memory.dmp
memory/2756-111-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2640-113-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/1368-112-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/2392-114-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/2792-115-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/1368-116-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2832-117-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/2636-118-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/1368-120-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/2500-119-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/1552-123-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/1368-122-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/2548-121-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/1724-124-0x000000013F990000-0x000000013FCE4000-memory.dmp
memory/2216-125-0x000000013FAF0000-0x000000013FE44000-memory.dmp
memory/2628-127-0x000000013F580000-0x000000013F8D4000-memory.dmp
memory/1368-126-0x000000013F580000-0x000000013F8D4000-memory.dmp
memory/1368-128-0x000000013F9B0000-0x000000013FD04000-memory.dmp
memory/1368-129-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/2688-130-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/3044-131-0x000000013F070000-0x000000013F3C4000-memory.dmp
memory/2688-132-0x000000013F0D0000-0x000000013F424000-memory.dmp
memory/2628-133-0x000000013F580000-0x000000013F8D4000-memory.dmp
memory/3044-134-0x000000013F070000-0x000000013F3C4000-memory.dmp
memory/2640-135-0x000000013F3F0000-0x000000013F744000-memory.dmp
memory/2756-136-0x000000013F740000-0x000000013FA94000-memory.dmp
memory/2392-137-0x000000013F720000-0x000000013FA74000-memory.dmp
memory/2792-138-0x000000013F7A0000-0x000000013FAF4000-memory.dmp
memory/2636-140-0x000000013F6B0000-0x000000013FA04000-memory.dmp
memory/2548-142-0x000000013FDB0000-0x0000000140104000-memory.dmp
memory/2500-141-0x000000013FBE0000-0x000000013FF34000-memory.dmp
memory/2832-139-0x000000013FD50000-0x00000001400A4000-memory.dmp
memory/1724-144-0x000000013F990000-0x000000013FCE4000-memory.dmp
memory/1552-143-0x000000013F0E0000-0x000000013F434000-memory.dmp
memory/2216-145-0x000000013FAF0000-0x000000013FE44000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-08 21:46
Reported
2024-06-08 21:48
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
157s
Signatures
Cobalt Strike reflective loader (21 hits; Description / Indicator / Process / Target not recorded)
Cobaltstrike
xmrig
Detects Reflective DLL injection artifacts (21 hits; details not recorded)
UPX dump on OEP (original entry point) (64 hits; details not recorded)
XMRig Miner payload (64 hits; details not recorded)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System\poBuXIH.exe | N/A |
| N/A | N/A | C:\Windows\System\lVKrJEL.exe | N/A |
| N/A | N/A | C:\Windows\System\cVhCGXS.exe | N/A |
| N/A | N/A | C:\Windows\System\wGWeYVi.exe | N/A |
| N/A | N/A | C:\Windows\System\fvwwYNA.exe | N/A |
| N/A | N/A | C:\Windows\System\SpGSPmj.exe | N/A |
| N/A | N/A | C:\Windows\System\cvNWoyX.exe | N/A |
| N/A | N/A | C:\Windows\System\DdsZnRD.exe | N/A |
| N/A | N/A | C:\Windows\System\EbylySX.exe | N/A |
| N/A | N/A | C:\Windows\System\peNqzNW.exe | N/A |
| N/A | N/A | C:\Windows\System\OZHyfLo.exe | N/A |
| N/A | N/A | C:\Windows\System\yYWXtkZ.exe | N/A |
| N/A | N/A | C:\Windows\System\adIuOOS.exe | N/A |
| N/A | N/A | C:\Windows\System\XexVZkE.exe | N/A |
| N/A | N/A | C:\Windows\System\XmsuISx.exe | N/A |
| N/A | N/A | C:\Windows\System\mksJHLw.exe | N/A |
| N/A | N/A | C:\Windows\System\XIgkIOQ.exe | N/A |
| N/A | N/A | C:\Windows\System\Tlzxdls.exe | N/A |
| N/A | N/A | C:\Windows\System\ohiXRai.exe | N/A |
| N/A | N/A | C:\Windows\System\QzlXgvg.exe | N/A |
| N/A | N/A | C:\Windows\System\KCPZSho.exe | N/A |
UPX packed file (64 hits; details not recorded)
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe | "C:\Users\Admin\AppData\Local\Temp\2024-06-08_62cf4c476401ddcc83ec58fa9e9bed5a_cobalt-strike_cobaltstrike.exe" |
| C:\Windows\System\poBuXIH.exe | C:\Windows\System\poBuXIH.exe |
| C:\Windows\System\lVKrJEL.exe | C:\Windows\System\lVKrJEL.exe |
| C:\Windows\System\cVhCGXS.exe | C:\Windows\System\cVhCGXS.exe |
| C:\Windows\System\wGWeYVi.exe | C:\Windows\System\wGWeYVi.exe |
| C:\Windows\System\fvwwYNA.exe | C:\Windows\System\fvwwYNA.exe |
| C:\Windows\System\SpGSPmj.exe | C:\Windows\System\SpGSPmj.exe |
| C:\Windows\System\cvNWoyX.exe | C:\Windows\System\cvNWoyX.exe |
| C:\Windows\System\DdsZnRD.exe | C:\Windows\System\DdsZnRD.exe |
| C:\Windows\System\EbylySX.exe | C:\Windows\System\EbylySX.exe |
| C:\Windows\System\peNqzNW.exe | C:\Windows\System\peNqzNW.exe |
| C:\Windows\System\OZHyfLo.exe | C:\Windows\System\OZHyfLo.exe |
| C:\Windows\System\yYWXtkZ.exe | C:\Windows\System\yYWXtkZ.exe |
| C:\Windows\System\adIuOOS.exe | C:\Windows\System\adIuOOS.exe |
| C:\Windows\System\XexVZkE.exe | C:\Windows\System\XexVZkE.exe |
| C:\Windows\System\XmsuISx.exe | C:\Windows\System\XmsuISx.exe |
| C:\Windows\System\mksJHLw.exe | C:\Windows\System\mksJHLw.exe |
| C:\Windows\System\XIgkIOQ.exe | C:\Windows\System\XIgkIOQ.exe |
| C:\Windows\System\Tlzxdls.exe | C:\Windows\System\Tlzxdls.exe |
| C:\Windows\System\ohiXRai.exe | C:\Windows\System\ohiXRai.exe |
| C:\Windows\System\QzlXgvg.exe | C:\Windows\System\QzlXgvg.exe |
| C:\Windows\System\KCPZSho.exe | C:\Windows\System\KCPZSho.exe |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
| DE | 3.120.209.58:8080 | | tcp |
The only non-DNS traffic is six TCP connections to 3.120.209.58:8080, the same endpoint as in the Windows 7 run. The 8.8.8.8 rows are reverse (PTR) lookups, and none of them is a lookup for 3.120.209.58.
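Both detonations (behavioral1 on Windows 7, behavioral2 on Windows 10) record the same chain: the sample enables SeLockMemoryPrivilege, drops 21 seven-letter, differently-hashed variants of itself directly into C:\Windows\System (the near-empty legacy directory, not System32), executes each one, and opens TCP connections to 3.120.209.58:8080. The following hunting logic turns that chain into checks over endpoint telemetry. It is an added example, not part of the sandbox report: the events are constructed, the sample path and process GUIDs are hypothetical, and the field names assume Sysmon (EventID 1, 3, 11) and Security event 4703 for the token-right change.

```python
r"""
Hunting logic for the behaviour recorded in this report: one parent drops
7-letter renamed variants into C:\Windows\System, executes each, enables
SeLockMemoryPrivilege, and connects to 3.120.209.58:8080.
Added example, not sandbox output.  All events below are constructed; field
names follow Sysmon (EventID 1/3/11) and Security event 4703 as assumed here.
"""
import re
from collections import Counter, defaultdict

# Indicators copied from the report above.
C2_ENDPOINT = ("3.120.209.58", 8080)
SHA_SZVZPJA = "f4cc52063603c730a6f36ee379d17941aa1640945662e43c15f470bfdd3b9ff1"
SHA_YEDRLNA = "119c307f875d8767f95fa478c69e80e15941a07ce1b1c164cfa3450b9968fb2b"
SHA_POBUXIH = "e4db06a59fd3cc9514e59878fe9b09d31917ad1a7e375db7e06641a21fc8c8fd"
DROPPED_SHA256 = {SHA_SZVZPJA, SHA_YEDRLNA, SHA_POBUXIH}

# Dropped binaries sit directly in C:\Windows\System with a 7-letter name.
# The anchors and the literal backslash after "System" keep
# C:\Windows\System32\... from matching.
DROP_DIR = r"C:\Windows\System"
DROP_PATTERN = re.compile(r"^C:\\Windows\\System\\[A-Za-z]{7}\.exe$", re.IGNORECASE)
MIN_CHILDREN = 5  # one parent launching this many matching children

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"  # hypothetical path
PARENT_GUID = "{parent-guid}"                             # hypothetical


def parse_hashes(field):
    """Sysmon 'Hashes' is 'MD5=..,SHA256=..'; return {ALG: hex} lower-cased."""
    out = {}
    for part in field.split(","):
        alg, _, value = part.partition("=")
        if value:
            out[alg.strip().upper()] = value.strip().lower()
    return out


def hunt(events):
    """Return (findings, counts); findings are (category, detail) tuples."""
    findings = []
    children = defaultdict(list)  # ParentProcessGuid -> matching child images
    for ev in events:
        eid = ev["EventID"]
        if eid == 11 and DROP_PATTERN.match(ev["TargetFilename"]):
            findings.append(("file_drop", ev["TargetFilename"]))
        elif eid == 1:
            image = ev["Image"]
            if DROP_PATTERN.match(image):
                findings.append(("exec_dropped", image))
                children[ev["ParentProcessGuid"]].append(image)
            if parse_hashes(ev.get("Hashes", "")).get("SHA256") in DROPPED_SHA256:
                findings.append(("known_hash", image))
        elif eid == 3:
            dest = (ev["DestinationIp"], int(ev["DestinationPort"]))
            if dest == C2_ENDPOINT:
                findings.append(("c2_connect", f"{ev['Image']} -> {dest[0]}:{dest[1]}"))
        elif eid == 4703 and "SeLockMemoryPrivilege" in ev.get("EnabledPrivilegeList", ""):
            # The large-page lock right the sandbox saw enabled; few legitimate
            # programs need it, so this is an alert signal, not a block signal.
            findings.append(("lock_memory_privilege", ev["ProcessName"]))
    for parent, images in children.items():
        if len(images) >= MIN_CHILDREN:
            findings.append(("spawn_burst", f"{parent} started {len(images)} renamed variants"))
    return findings, Counter(cat for cat, _ in findings)


def constructed_events():
    """Constructed events modelled on the behavioral1 run (not real logs)."""
    names = ["sZVZpjA", "yEDrLnA", "LNIhQiV", "eGAotxT", "vetqunu"]
    shas = [SHA_SZVZPJA, SHA_YEDRLNA, "0" * 64, "0" * 64, "0" * 64]
    ev = [{"EventID": 4703, "ProcessName": SAMPLE,
           "EnabledPrivilegeList": "SeLockMemoryPrivilege"}]
    for i, name in enumerate(names):
        path = f"{DROP_DIR}\\{name}.exe"
        ev.append({"EventID": 11, "Image": SAMPLE, "ProcessGuid": PARENT_GUID,
                   "TargetFilename": path})
        ev.append({"EventID": 1, "Image": path, "ProcessGuid": f"{{child-{i}}}",
                   "ParentProcessGuid": PARENT_GUID, "Hashes": f"MD5=00,SHA256={shas[i]}"})
    ev.append({"EventID": 3, "Image": f"{DROP_DIR}\\{names[0]}.exe",
               "DestinationIp": "3.120.209.58", "DestinationPort": "8080", "Protocol": "tcp"})
    # Benign noise that must not fire: a System32 binary and a DNS query.
    ev.append({"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ProcessGuid": "{n}",
               "ParentProcessGuid": "{explorer}", "Hashes": "SHA256=" + "a" * 64})
    ev.append({"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe",
               "DestinationIp": "8.8.8.8", "DestinationPort": "53", "Protocol": "udp"})
    return ev


if __name__ == "__main__":
    found, counts = hunt(constructed_events())
    for category, detail in found:
        print(f"{category:22} {detail}")
    print(dict(counts))
```

The hash set is only a secondary signal: every dropped file in the report carries a different MD5/SHA256, so blocking on the hashes of one run misses the next. The durable signals are the path pattern (7 letters directly under C:\Windows\System), one parent spawning a burst of such children, the SeLockMemoryPrivilege request, and the hard-coded 3.120.209.58:8080 endpoint.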
Files